No. Time Source Destination Protocol Length Info 1 0.000000 10.9.*.* 10.96.*.* TCP 74 57892→445 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=264084587 TSecr=0 WS=128 Frame 1: 74 bytes on wire (592 bits), 74 bytes captured (592 bits) Encapsulation type: Ethernet (1) Arrival Time: Jun 2, 2016 08:35:31.408602000 CEST [Time shift for this packet: 0.000000000 seconds] Epoch Time: 1464849331.408602000 seconds [Time delta from previous captured frame: 0.000000000 seconds] [Time delta from previous displayed frame: 0.000000000 seconds] [Time since reference or first frame: 0.000000000 seconds] Frame Number: 1 Frame Length: 74 bytes (592 bits) Capture Length: 74 bytes (592 bits) [Frame is marked: False] [Frame is ignored: False] [Protocols in frame: eth:ethertype:ip:tcp] [Coloring Rule Name: TCP SYN/FIN] [Coloring Rule String: tcp.flags & 0x02 || tcp.flags.fin == 1] Ethernet II, Src: Manufacturer_00:00:00 (00:00:00:00:00:00), Dst: Manufacturer2_11:11:11 (11:11:11:11:11:11) Destination: Manufacturer2_11:11:11 (11:11:11:11:11:11) Address: Manufacturer2_11:11:11 (11:11:11:11:11:11) .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) .... ...0 .... .... .... .... = IG bit: Individual address (unicast) Source: Manufacturer_00:00:00 (00:00:00:00:00:00) Address: Manufacturer_00:00:00 (00:00:00:00:00:00) .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) .... ...0 .... .... .... .... = IG bit: Individual address (unicast) Type: IP (0x0800) Internet Protocol Version 4, Src: 10.9.*.* (10.9.*.*), Dst: 10.96.*.* (10.96.*.*) Version: 4 Header Length: 20 bytes Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport)) 0000 00.. = Differentiated Services Codepoint: Default (0x00) .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00) Total Length: 60 Identification: 0x9524 (38180) Flags: 0x02 (Don't Fragment) 0... .... 
= Reserved bit: Not set .1.. .... = Don't fragment: Set ..0. .... = More fragments: Not set Fragment offset: 0 Time to live: 64 Protocol: TCP (6) Header checksum: 0x8abf [validation disabled] [Good: False] [Bad: False] Source: 10.9.*.* (10.9.*.*) Destination: 10.96.*.* (10.96.*.*) [Source GeoIP: Unknown] [Destination GeoIP: Unknown] Transmission Control Protocol, Src Port: 57892 (57892), Dst Port: 445 (445), Seq: 0, Len: 0 Source Port: 57892 (57892) Destination Port: 445 (445) [Stream index: 0] [TCP Segment Len: 0] Sequence number: 0 (relative sequence number) Acknowledgment number: 0 Header Length: 40 bytes .... 0000 0000 0010 = Flags: 0x002 (SYN) 000. .... .... = Reserved: Not set ...0 .... .... = Nonce: Not set .... 0... .... = Congestion Window Reduced (CWR): Not set .... .0.. .... = ECN-Echo: Not set .... ..0. .... = Urgent: Not set .... ...0 .... = Acknowledgment: Not set .... .... 0... = Push: Not set .... .... .0.. = Reset: Not set .... .... ..1. = Syn: Set [Expert Info (Chat/Sequence): Connection establish request (SYN): server port 445] [Connection establish request (SYN): server port 445] [Severity level: Chat] [Group: Sequence] .... .... ...0 = Fin: Not set Window size value: 29200 [Calculated window size: 29200] Checksum: 0x7024 [validation disabled] [Good Checksum: False] [Bad Checksum: False] Urgent pointer: 0 Options: (20 bytes), Maximum segment size, SACK permitted, Timestamps, No-Operation (NOP), Window scale Maximum segment size: 1460 bytes Kind: Maximum Segment Size (2) Length: 4 MSS Value: 1460 TCP SACK Permitted Option: True Kind: SACK Permitted (4) Length: 2 Timestamps: TSval 264084587, TSecr 0 Kind: Time Stamp Option (8) Length: 10 Timestamp value: 264084587 Timestamp echo reply: 0 No-Operation (NOP) Type: 1 0... .... = Copy on fragmentation: No .00. .... = Class: Control (0) ...0 0001 = Number: No-Operation (NOP) (1) Window scale: 7 (multiply by 128) Kind: Window Scale (3) Length: 3 Shift count: 7 [Multiplier: 128] No. 
Time Source Destination Protocol Length Info 2 0.000345 10.96.*.* 10.9.*.* TCP 78 445→57892 [SYN, ACK] Seq=0 Ack=1 Win=33580 Len=0 MSS=1460 SACK_PERM=1 WS=128 TSval=4136500699 TSecr=264084587 Frame 2: 78 bytes on wire (624 bits), 78 bytes captured (624 bits) Encapsulation type: Ethernet (1) Arrival Time: Jun 2, 2016 08:35:31.408947000 CEST [Time shift for this packet: 0.000000000 seconds] Epoch Time: 1464849331.408947000 seconds [Time delta from previous captured frame: 0.000345000 seconds] [Time delta from previous displayed frame: 0.000345000 seconds] [Time since reference or first frame: 0.000345000 seconds] Frame Number: 2 Frame Length: 78 bytes (624 bits) Capture Length: 78 bytes (624 bits) [Frame is marked: False] [Frame is ignored: False] [Protocols in frame: eth:ethertype:ip:tcp] [Coloring Rule Name: TCP SYN/FIN] [Coloring Rule String: tcp.flags & 0x02 || tcp.flags.fin == 1] Ethernet II, Src: Manufacturer2_11:11:11 (11:11:11:11:11:11), Dst: Manufacturer_00:00:00 (00:00:00:00:00:00) Destination: Manufacturer_00:00:00 (00:00:00:00:00:00) Address: Manufacturer_00:00:00 (00:00:00:00:00:00) .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) .... ...0 .... .... .... .... = IG bit: Individual address (unicast) Source: Manufacturer2_11:11:11 (11:11:11:11:11:11) Address: Manufacturer2_11:11:11 (11:11:11:11:11:11) .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) .... ...0 .... .... .... .... = IG bit: Individual address (unicast) Type: IP (0x0800) Internet Protocol Version 4, Src: 10.96.*.* (10.96.*.*), Dst: 10.9.*.* (10.9.*.*) Version: 4 Header Length: 20 bytes Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport)) 0000 00.. = Differentiated Services Codepoint: Default (0x00) .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00) Total Length: 64 Identification: 0x2f01 (12033) Flags: 0x02 (Don't Fragment) 0... .... 
= Reserved bit: Not set .1.. .... = Don't fragment: Set ..0. .... = More fragments: Not set Fragment offset: 0 Time to live: 62 Protocol: TCP (6) Header checksum: 0xf2de [validation disabled] [Good: False] [Bad: False] Source: 10.96.*.* (10.96.*.*) Destination: 10.9.*.* (10.9.*.*) [Source GeoIP: Unknown] [Destination GeoIP: Unknown] Transmission Control Protocol, Src Port: 445 (445), Dst Port: 57892 (57892), Seq: 0, Ack: 1, Len: 0 Source Port: 445 (445) Destination Port: 57892 (57892) [Stream index: 0] [TCP Segment Len: 0] Sequence number: 0 (relative sequence number) Acknowledgment number: 1 (relative ack number) Header Length: 44 bytes .... 0000 0001 0010 = Flags: 0x012 (SYN, ACK) 000. .... .... = Reserved: Not set ...0 .... .... = Nonce: Not set .... 0... .... = Congestion Window Reduced (CWR): Not set .... .0.. .... = ECN-Echo: Not set .... ..0. .... = Urgent: Not set .... ...1 .... = Acknowledgment: Set .... .... 0... = Push: Not set .... .... .0.. = Reset: Not set .... .... ..1. = Syn: Set [Expert Info (Chat/Sequence): Connection establish acknowledge (SYN+ACK): server port 445] [Connection establish acknowledge (SYN+ACK): server port 445] [Severity level: Chat] [Group: Sequence] .... .... ...0 = Fin: Not set Window size value: 33580 [Calculated window size: 33580] Checksum: 0x9db5 [validation disabled] [Good Checksum: False] [Bad Checksum: False] Urgent pointer: 0 Options: (24 bytes), Maximum segment size, No-Operation (NOP), No-Operation (NOP), SACK permitted, No-Operation (NOP), Window scale, No-Operation (NOP), No-Operation (NOP), Timestamps Maximum segment size: 1460 bytes Kind: Maximum Segment Size (2) Length: 4 MSS Value: 1460 No-Operation (NOP) Type: 1 0... .... = Copy on fragmentation: No .00. .... = Class: Control (0) ...0 0001 = Number: No-Operation (NOP) (1) No-Operation (NOP) Type: 1 0... .... = Copy on fragmentation: No .00. .... 
= Class: Control (0) ...0 0001 = Number: No-Operation (NOP) (1) TCP SACK Permitted Option: True Kind: SACK Permitted (4) Length: 2 No-Operation (NOP) Type: 1 0... .... = Copy on fragmentation: No .00. .... = Class: Control (0) ...0 0001 = Number: No-Operation (NOP) (1) Window scale: 7 (multiply by 128) Kind: Window Scale (3) Length: 3 Shift count: 7 [Multiplier: 128] No-Operation (NOP) Type: 1 0... .... = Copy on fragmentation: No .00. .... = Class: Control (0) ...0 0001 = Number: No-Operation (NOP) (1) No-Operation (NOP) Type: 1 0... .... = Copy on fragmentation: No .00. .... = Class: Control (0) ...0 0001 = Number: No-Operation (NOP) (1) Timestamps: TSval 4136500699, TSecr 264084587 Kind: Time Stamp Option (8) Length: 10 Timestamp value: 4136500699 Timestamp echo reply: 264084587 [SEQ/ACK analysis] [This is an ACK to the segment in frame: 1] [The RTT to ACK the segment was: 0.000345000 seconds] [iRTT: 0.000378000 seconds] No. Time Source Destination Protocol Length Info 3 0.000378 10.9.*.* 10.96.*.* TCP 66 57892→445 [ACK] Seq=1 Ack=1 Win=29312 Len=0 TSval=264084588 TSecr=4136500699 Frame 3: 66 bytes on wire (528 bits), 66 bytes captured (528 bits) Encapsulation type: Ethernet (1) Arrival Time: Jun 2, 2016 08:35:31.408980000 CEST [Time shift for this packet: 0.000000000 seconds] Epoch Time: 1464849331.408980000 seconds [Time delta from previous captured frame: 0.000033000 seconds] [Time delta from previous displayed frame: 0.000033000 seconds] [Time since reference or first frame: 0.000378000 seconds] Frame Number: 3 Frame Length: 66 bytes (528 bits) Capture Length: 66 bytes (528 bits) [Frame is marked: False] [Frame is ignored: False] [Protocols in frame: eth:ethertype:ip:tcp] [Coloring Rule Name: TCP] [Coloring Rule String: tcp] Ethernet II, Src: Manufacturer_00:00:00 (00:00:00:00:00:00), Dst: Manufacturer2_11:11:11 (11:11:11:11:11:11) Destination: Manufacturer2_11:11:11 (11:11:11:11:11:11) Address: Manufacturer2_11:11:11 (11:11:11:11:11:11) .... ..0. .... .... 
.... .... = LG bit: Globally unique address (factory default) .... ...0 .... .... .... .... = IG bit: Individual address (unicast) Source: Manufacturer_00:00:00 (00:00:00:00:00:00) Address: Manufacturer_00:00:00 (00:00:00:00:00:00) .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) .... ...0 .... .... .... .... = IG bit: Individual address (unicast) Type: IP (0x0800) Internet Protocol Version 4, Src: 10.9.*.* (10.9.*.*), Dst: 10.96.*.* (10.96.*.*) Version: 4 Header Length: 20 bytes Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport)) 0000 00.. = Differentiated Services Codepoint: Default (0x00) .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00) Total Length: 52 Identification: 0x9525 (38181) Flags: 0x02 (Don't Fragment) 0... .... = Reserved bit: Not set .1.. .... = Don't fragment: Set ..0. .... = More fragments: Not set Fragment offset: 0 Time to live: 64 Protocol: TCP (6) Header checksum: 0x8ac6 [validation disabled] [Good: False] [Bad: False] Source: 10.9.*.* (10.9.*.*) Destination: 10.96.*.* (10.96.*.*) [Source GeoIP: Unknown] [Destination GeoIP: Unknown] Transmission Control Protocol, Src Port: 57892 (57892), Dst Port: 445 (445), Seq: 1, Ack: 1, Len: 0 Source Port: 57892 (57892) Destination Port: 445 (445) [Stream index: 0] [TCP Segment Len: 0] Sequence number: 1 (relative sequence number) Acknowledgment number: 1 (relative ack number) Header Length: 32 bytes .... 0000 0001 0000 = Flags: 0x010 (ACK) 000. .... .... = Reserved: Not set ...0 .... .... = Nonce: Not set .... 0... .... = Congestion Window Reduced (CWR): Not set .... .0.. .... = ECN-Echo: Not set .... ..0. .... = Urgent: Not set .... ...1 .... = Acknowledgment: Set .... .... 0... = Push: Not set .... .... .0.. = Reset: Not set .... .... ..0. = Syn: Not set .... .... 
...0 = Fin: Not set Window size value: 229 [Calculated window size: 29312] [Window size scaling factor: 128] Checksum: 0x60ce [validation disabled] [Good Checksum: False] [Bad Checksum: False] Urgent pointer: 0 Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps No-Operation (NOP) Type: 1 0... .... = Copy on fragmentation: No .00. .... = Class: Control (0) ...0 0001 = Number: No-Operation (NOP) (1) No-Operation (NOP) Type: 1 0... .... = Copy on fragmentation: No .00. .... = Class: Control (0) ...0 0001 = Number: No-Operation (NOP) (1) Timestamps: TSval 264084588, TSecr 4136500699 Kind: Time Stamp Option (8) Length: 10 Timestamp value: 264084588 Timestamp echo reply: 4136500699 [SEQ/ACK analysis] [This is an ACK to the segment in frame: 2] [The RTT to ACK the segment was: 0.000033000 seconds] [iRTT: 0.000378000 seconds] No. Time Source Destination Protocol Length Info 4 0.000551 10.9.*.* 10.96.*.* SMB 282 Negotiate Protocol Request Frame 4: 282 bytes on wire (2256 bits), 282 bytes captured (2256 bits) Encapsulation type: Ethernet (1) Arrival Time: Jun 2, 2016 08:35:31.409153000 CEST [Time shift for this packet: 0.000000000 seconds] Epoch Time: 1464849331.409153000 seconds [Time delta from previous captured frame: 0.000173000 seconds] [Time delta from previous displayed frame: 0.000173000 seconds] [Time since reference or first frame: 0.000551000 seconds] Frame Number: 4 Frame Length: 282 bytes (2256 bits) Capture Length: 282 bytes (2256 bits) [Frame is marked: False] [Frame is ignored: False] [Protocols in frame: eth:ethertype:ip:tcp:nbss:smb] [Coloring Rule Name: SMB] [Coloring Rule String: smb || nbss || nbns || nbipx || ipxsap || netbios] Ethernet II, Src: Manufacturer_00:00:00 (00:00:00:00:00:00), Dst: Manufacturer2_11:11:11 (11:11:11:11:11:11) Destination: Manufacturer2_11:11:11 (11:11:11:11:11:11) Address: Manufacturer2_11:11:11 (11:11:11:11:11:11) .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) .... 
...0 .... .... .... .... = IG bit: Individual address (unicast) Source: Manufacturer_00:00:00 (00:00:00:00:00:00) Address: Manufacturer_00:00:00 (00:00:00:00:00:00) .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) .... ...0 .... .... .... .... = IG bit: Individual address (unicast) Type: IP (0x0800) Internet Protocol Version 4, Src: 10.9.*.* (10.9.*.*), Dst: 10.96.*.* (10.96.*.*) Version: 4 Header Length: 20 bytes Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport)) 0000 00.. = Differentiated Services Codepoint: Default (0x00) .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00) Total Length: 268 Identification: 0x9526 (38182) Flags: 0x02 (Don't Fragment) 0... .... = Reserved bit: Not set .1.. .... = Don't fragment: Set ..0. .... = More fragments: Not set Fragment offset: 0 Time to live: 64 Protocol: TCP (6) Header checksum: 0x89ed [validation disabled] [Good: False] [Bad: False] Source: 10.9.*.* (10.9.*.*) Destination: 10.96.*.* (10.96.*.*) [Source GeoIP: Unknown] [Destination GeoIP: Unknown] Transmission Control Protocol, Src Port: 57892 (57892), Dst Port: 445 (445), Seq: 1, Ack: 1, Len: 216 Source Port: 57892 (57892) Destination Port: 445 (445) [Stream index: 0] [TCP Segment Len: 216] Sequence number: 1 (relative sequence number) [Next sequence number: 217 (relative sequence number)] Acknowledgment number: 1 (relative ack number) Header Length: 32 bytes .... 0000 0001 1000 = Flags: 0x018 (PSH, ACK) 000. .... .... = Reserved: Not set ...0 .... .... = Nonce: Not set .... 0... .... = Congestion Window Reduced (CWR): Not set .... .0.. .... = ECN-Echo: Not set .... ..0. .... = Urgent: Not set .... ...1 .... = Acknowledgment: Set .... .... 1... = Push: Set .... .... .0.. = Reset: Not set .... .... ..0. = Syn: Not set .... .... 
...0 = Fin: Not set Window size value: 229 [Calculated window size: 29312] [Window size scaling factor: 128] Checksum: 0xefd7 [validation disabled] [Good Checksum: False] [Bad Checksum: False] Urgent pointer: 0 Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps No-Operation (NOP) Type: 1 0... .... = Copy on fragmentation: No .00. .... = Class: Control (0) ...0 0001 = Number: No-Operation (NOP) (1) No-Operation (NOP) Type: 1 0... .... = Copy on fragmentation: No .00. .... = Class: Control (0) ...0 0001 = Number: No-Operation (NOP) (1) Timestamps: TSval 264084588, TSecr 4136500699 Kind: Time Stamp Option (8) Length: 10 Timestamp value: 264084588 Timestamp echo reply: 4136500699 [SEQ/ACK analysis] [iRTT: 0.000378000 seconds] [Bytes in flight: 216] NetBIOS Session Service Message Type: Session message (0x00) Length: 212 SMB (Server Message Block Protocol) SMB Header Server Component: SMB SMB Command: Negotiate Protocol (0x72) NT Status: STATUS_SUCCESS (0x00000000) Flags: 0x18 0... .... = Request/Response: Message is a request to the server .0.. .... = Notify: Notify client only on open ..0. .... = Oplocks: OpLock not requested/granted ...1 .... = Canonicalized Pathnames: Pathnames are canonicalized .... 1... = Case Sensitivity: Path names are caseless .... ..0. = Receive Buffer Posted: Receive buffer has not been posted .... ...0 = Lock and Read: Lock&Read, Write&Unlock are not supported Flags2: 0xc843 1... .... .... .... = Unicode Strings: Strings are Unicode .1.. .... .... .... = Error Code Type: Error codes are NT error codes ..0. .... .... .... = Execute-only Reads: Don't permit reads if execute-only ...0 .... .... .... = Dfs: Don't resolve pathnames with Dfs .... 1... .... .... = Extended Security Negotiation: Extended security negotiation is supported .... .0.. .... .... = Reparse Path: The request does not use a @GMT reparse path .... .... .1.. .... = Long Names Used: Path names in request are long file names .... .... ...0 .... 
= Security Signatures Required: Security signatures are not required .... .... .... 0... = Compressed: Compression is not requested .... .... .... .0.. = Security Signatures: Security signatures are not supported .... .... .... ..1. = Extended Attributes: Extended attributes are supported .... .... .... ...1 = Long Names Allowed: Long file names are allowed in the response Process ID High: 0 Signature: ******************************** Reserved: 0000 Tree ID: 0 Process ID: 65534 User ID: 0 Multiplex ID: 0 Negotiate Protocol Request (0x72) Word Count (WCT): 0 Byte Count (BCC): 177 Requested Dialects Dialect: PC NETWORK PROGRAM 1.0 Buffer Format: Dialect (2) Name: PC NETWORK PROGRAM 1.0 Dialect: MICROSOFT NETWORKS 1.03 Buffer Format: Dialect (2) Name: MICROSOFT NETWORKS 1.03 Dialect: MICROSOFT NETWORKS 3.0 Buffer Format: Dialect (2) Name: MICROSOFT NETWORKS 3.0 Dialect: LANMAN1.0 Buffer Format: Dialect (2) Name: LANMAN1.0 Dialect: LM1.2X002 Buffer Format: Dialect (2) Name: LM1.2X002 Dialect: DOS LANMAN2.1 Buffer Format: Dialect (2) Name: DOS LANMAN2.1 Dialect: LANMAN2.1 Buffer Format: Dialect (2) Name: LANMAN2.1 Dialect: Samba Buffer Format: Dialect (2) Name: Samba Dialect: NT LANMAN 1.0 Buffer Format: Dialect (2) Name: NT LANMAN 1.0 Dialect: NT LM 0.12 Buffer Format: Dialect (2) Name: NT LM 0.12 Dialect: SMB 2.002 Buffer Format: Dialect (2) Name: SMB 2.002 Dialect: SMB 2.??? Buffer Format: Dialect (2) Name: SMB 2.??? No. 
Time Source Destination Protocol Length Info 5 0.001051 10.96.*.* 10.9.*.* SMB2 320 Negotiate Protocol Response Frame 5: 320 bytes on wire (2560 bits), 320 bytes captured (2560 bits) Encapsulation type: Ethernet (1) Arrival Time: Jun 2, 2016 08:35:31.409653000 CEST [Time shift for this packet: 0.000000000 seconds] Epoch Time: 1464849331.409653000 seconds [Time delta from previous captured frame: 0.000500000 seconds] [Time delta from previous displayed frame: 0.000500000 seconds] [Time since reference or first frame: 0.001051000 seconds] Frame Number: 5 Frame Length: 320 bytes (2560 bits) Capture Length: 320 bytes (2560 bits) [Frame is marked: False] [Frame is ignored: False] [Protocols in frame: eth:ethertype:ip:tcp:nbss:smb2:gss-api:spnego] [Coloring Rule Name: SMB] [Coloring Rule String: smb || nbss || nbns || nbipx || ipxsap || netbios] Ethernet II, Src: Manufacturer2_11:11:11 (11:11:11:11:11:11), Dst: Manufacturer_00:00:00 (00:00:00:00:00:00) Destination: Manufacturer_00:00:00 (00:00:00:00:00:00) Address: Manufacturer_00:00:00 (00:00:00:00:00:00) .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) .... ...0 .... .... .... .... = IG bit: Individual address (unicast) Source: Manufacturer2_11:11:11 (11:11:11:11:11:11) Address: Manufacturer2_11:11:11 (11:11:11:11:11:11) .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) .... ...0 .... .... .... .... = IG bit: Individual address (unicast) Type: IP (0x0800) Internet Protocol Version 4, Src: 10.96.*.* (10.96.*.*), Dst: 10.9.*.* (10.9.*.*) Version: 4 Header Length: 20 bytes Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport)) 0000 00.. = Differentiated Services Codepoint: Default (0x00) .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00) Total Length: 306 Identification: 0x4f98 (20376) Flags: 0x02 (Don't Fragment) 0... .... = Reserved bit: Not set .1.. .... 
= Don't fragment: Set ..0. .... = More fragments: Not set Fragment offset: 0 Time to live: 62 Protocol: TCP (6) Header checksum: 0xd155 [validation disabled] [Good: False] [Bad: False] Source: 10.96.*.* (10.96.*.*) Destination: 10.9.*.* (10.9.*.*) [Source GeoIP: Unknown] [Destination GeoIP: Unknown] Transmission Control Protocol, Src Port: 445 (445), Dst Port: 57892 (57892), Seq: 1, Ack: 217, Len: 254 Source Port: 445 (445) Destination Port: 57892 (57892) [Stream index: 0] [TCP Segment Len: 254] Sequence number: 1 (relative sequence number) [Next sequence number: 255 (relative sequence number)] Acknowledgment number: 217 (relative ack number) Header Length: 32 bytes .... 0000 0001 1000 = Flags: 0x018 (PSH, ACK) 000. .... .... = Reserved: Not set ...0 .... .... = Nonce: Not set .... 0... .... = Congestion Window Reduced (CWR): Not set .... .0.. .... = ECN-Echo: Not set .... ..0. .... = Urgent: Not set .... ...1 .... = Acknowledgment: Set .... .... 1... = Push: Set .... .... .0.. = Reset: Not set .... .... ..0. = Syn: Not set .... .... ...0 = Fin: Not set Window size value: 262 [Calculated window size: 33536] [Window size scaling factor: 128] Checksum: 0xa067 [validation disabled] [Good Checksum: False] [Bad Checksum: False] Urgent pointer: 0 Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps No-Operation (NOP) Type: 1 0... .... = Copy on fragmentation: No .00. .... = Class: Control (0) ...0 0001 = Number: No-Operation (NOP) (1) No-Operation (NOP) Type: 1 0... .... = Copy on fragmentation: No .00. .... 
= Class: Control (0) ...0 0001 = Number: No-Operation (NOP) (1) Timestamps: TSval 4136500700, TSecr 264084588 Kind: Time Stamp Option (8) Length: 10 Timestamp value: 4136500700 Timestamp echo reply: 264084588 [SEQ/ACK analysis] [This is an ACK to the segment in frame: 4] [The RTT to ACK the segment was: 0.000500000 seconds] [iRTT: 0.000378000 seconds] [Bytes in flight: 254] NetBIOS Session Service Message Type: Session message (0x00) Length: 250 SMB2 (Server Message Block Protocol version 2) SMB2 Header Server Component: SMB2 Header Length: 64 Credit Charge: 0 NT Status: STATUS_SUCCESS (0x00000000) Command: Negotiate Protocol (0) Credits granted: 1 Flags: 0x00000001 .... .... .... .... .... .... .... ...1 = Response: This is a RESPONSE .... .... .... .... .... .... .... ..0. = Async command: This is a SYNC command .... .... .... .... .... .... .... .0.. = Chained: This pdu is NOT a chained command .... .... .... .... .... .... .... 0... = Signing: This pdu is NOT signed ...0 .... .... .... .... .... .... .... = DFS operation: This is a normal operation ..0. .... .... .... .... .... .... .... = Replay operation: This is NOT a replay operation Chain Offset: 0x00000000 Message ID: 0 Process Id: 0x00000000 Tree Id: 0x00000000 Session Id: 0x0000000000000000 Signature: ******************************** Negotiate Protocol Response (0x00) StructureSize: 0x0041 0000 0000 0100 000. = Fixed Part Length: 64 .... .... .... ...1 = Dynamic Part: True Security mode: 0x01 .... ...1 = Signing enabled: True .... ..0. = Signing required: False Dialect: 0x02ff Server Guid: 11111111-1111-1111-1111-111111111111 Capabilities: 0x00000003 .... .... .... .... .... .... .... ...1 = DFS: This host supports DFS .... .... .... .... .... .... .... ..1. = LEASING: This host supports LEASING .... .... .... .... .... .... .... .0.. = LARGE MTU: This host does NOT support LARGE_MTU .... .... .... .... .... .... .... 0... = MULTI CHANNEL: This host does NOT support MULTI CHANNEL .... .... .... .... 
.... .... ...0 .... = PERSISTENT HANDLES: This host does NOT support PERSISTENT HANDLES .... .... .... .... .... .... ..0. .... = DIRECTORY LEASING: This host does NOT support DIRECTORY LEASING .... .... .... .... .... .... .0.. .... = ENCRYPTION: This host does NOT support ENCRYPTION Max Transaction Size: 65536 Max Read Size: 65536 Max Write Size: 65536 Current Time: Jun 2, 2016 08:35:31.409494000 CEST Boot Time: Apr 15, 2016 11:33:41.142700000 CEST Security Blob: ************************* Offset: 0x00000080 Length: 122 GSS-API Generic Security Service Application Program Interface OID: 1.3.6.1.5.5.2 (SPNEGO - Simple Protected Negotiation) Simple Protected Negotiation negTokenInit mechTypes: 3 items MechType: 1.2.840.48018.1.2.2 (MS KRB5 - Microsoft Kerberos 5) MechType: 1.2.840.113554.1.2.2 (KRB5 - Kerberos 5) MechType: 1.3.6.1.4.1.311.2.2.10 (NTLMSSP - Microsoft NTLM Security Support Provider) negHints hintName: not_defined_in_RFC4178@please_ignore No. Time Source Destination Protocol Length Info 6 0.001072 10.9.*.* 10.96.*.* TCP 66 57892→445 [ACK] Seq=217 Ack=255 Win=30336 Len=0 TSval=264084588 TSecr=4136500700 Frame 6: 66 bytes on wire (528 bits), 66 bytes captured (528 bits) Encapsulation type: Ethernet (1) Arrival Time: Jun 2, 2016 08:35:31.409674000 CEST [Time shift for this packet: 0.000000000 seconds] Epoch Time: 1464849331.409674000 seconds [Time delta from previous captured frame: 0.000021000 seconds] [Time delta from previous displayed frame: 0.000021000 seconds] [Time since reference or first frame: 0.001072000 seconds] Frame Number: 6 Frame Length: 66 bytes (528 bits) Capture Length: 66 bytes (528 bits) [Frame is marked: False] [Frame is ignored: False] [Protocols in frame: eth:ethertype:ip:tcp] [Coloring Rule Name: TCP] [Coloring Rule String: tcp] Ethernet II, Src: Manufacturer_00:00:00 (00:00:00:00:00:00), Dst: Manufacturer2_11:11:11 (11:11:11:11:11:11) Destination: Manufacturer2_11:11:11 (11:11:11:11:11:11) Address: Manufacturer2_11:11:11 
(11:11:11:11:11:11) .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) .... ...0 .... .... .... .... = IG bit: Individual address (unicast) Source: Manufacturer_00:00:00 (00:00:00:00:00:00) Address: Manufacturer_00:00:00 (00:00:00:00:00:00) .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) .... ...0 .... .... .... .... = IG bit: Individual address (unicast) Type: IP (0x0800) Internet Protocol Version 4, Src: 10.9.*.* (10.9.*.*), Dst: 10.96.*.* (10.96.*.*) Version: 4 Header Length: 20 bytes Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport)) 0000 00.. = Differentiated Services Codepoint: Default (0x00) .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00) Total Length: 52 Identification: 0x9527 (38183) Flags: 0x02 (Don't Fragment) 0... .... = Reserved bit: Not set .1.. .... = Don't fragment: Set ..0. .... = More fragments: Not set Fragment offset: 0 Time to live: 64 Protocol: TCP (6) Header checksum: 0x8ac4 [validation disabled] [Good: False] [Bad: False] Source: 10.9.*.* (10.9.*.*) Destination: 10.96.*.* (10.96.*.*) [Source GeoIP: Unknown] [Destination GeoIP: Unknown] Transmission Control Protocol, Src Port: 57892 (57892), Dst Port: 445 (445), Seq: 217, Ack: 255, Len: 0 Source Port: 57892 (57892) Destination Port: 445 (445) [Stream index: 0] [TCP Segment Len: 0] Sequence number: 217 (relative sequence number) Acknowledgment number: 255 (relative ack number) Header Length: 32 bytes .... 0000 0001 0000 = Flags: 0x010 (ACK) 000. .... .... = Reserved: Not set ...0 .... .... = Nonce: Not set .... 0... .... = Congestion Window Reduced (CWR): Not set .... .0.. .... = ECN-Echo: Not set .... ..0. .... = Urgent: Not set .... ...1 .... = Acknowledgment: Set .... .... 0... = Push: Not set .... .... .0.. = Reset: Not set .... .... ..0. = Syn: Not set .... .... 
...0 = Fin: Not set Window size value: 237 [Calculated window size: 30336] [Window size scaling factor: 128] Checksum: 0x5eef [validation disabled] [Good Checksum: False] [Bad Checksum: False] Urgent pointer: 0 Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps No-Operation (NOP) Type: 1 0... .... = Copy on fragmentation: No .00. .... = Class: Control (0) ...0 0001 = Number: No-Operation (NOP) (1) No-Operation (NOP) Type: 1 0... .... = Copy on fragmentation: No .00. .... = Class: Control (0) ...0 0001 = Number: No-Operation (NOP) (1) Timestamps: TSval 264084588, TSecr 4136500700 Kind: Time Stamp Option (8) Length: 10 Timestamp value: 264084588 Timestamp echo reply: 4136500700 [SEQ/ACK analysis] [This is an ACK to the segment in frame: 5] [The RTT to ACK the segment was: 0.000021000 seconds] [iRTT: 0.000378000 seconds] No. Time Source Destination Protocol Length Info 7 0.001206 10.9.*.* 10.96.*.* SMB2 252 Negotiate Protocol Request Frame 7: 252 bytes on wire (2016 bits), 252 bytes captured (2016 bits) Encapsulation type: Ethernet (1) Arrival Time: Jun 2, 2016 08:35:31.409808000 CEST [Time shift for this packet: 0.000000000 seconds] Epoch Time: 1464849331.409808000 seconds [Time delta from previous captured frame: 0.000134000 seconds] [Time delta from previous displayed frame: 0.000134000 seconds] [Time since reference or first frame: 0.001206000 seconds] Frame Number: 7 Frame Length: 252 bytes (2016 bits) Capture Length: 252 bytes (2016 bits) [Frame is marked: False] [Frame is ignored: False] [Protocols in frame: eth:ethertype:ip:tcp:nbss:smb2] [Coloring Rule Name: SMB] [Coloring Rule String: smb || nbss || nbns || nbipx || ipxsap || netbios] Ethernet II, Src: Manufacturer_00:00:00 (00:00:00:00:00:00), Dst: Manufacturer2_11:11:11 (11:11:11:11:11:11) Destination: Manufacturer2_11:11:11 (11:11:11:11:11:11) Address: Manufacturer2_11:11:11 (11:11:11:11:11:11) .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) .... 
...0 .... .... .... .... = IG bit: Individual address (unicast) Source: Manufacturer_00:00:00 (00:00:00:00:00:00) Address: Manufacturer_00:00:00 (00:00:00:00:00:00) .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) .... ...0 .... .... .... .... = IG bit: Individual address (unicast) Type: IP (0x0800) Internet Protocol Version 4, Src: 10.9.*.* (10.9.*.*), Dst: 10.96.*.* (10.96.*.*) Version: 4 Header Length: 20 bytes Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport)) 0000 00.. = Differentiated Services Codepoint: Default (0x00) .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00) Total Length: 238 Identification: 0x9528 (38184) Flags: 0x02 (Don't Fragment) 0... .... = Reserved bit: Not set .1.. .... = Don't fragment: Set ..0. .... = More fragments: Not set Fragment offset: 0 Time to live: 64 Protocol: TCP (6) Header checksum: 0x8a09 [validation disabled] [Good: False] [Bad: False] Source: 10.9.*.* (10.9.*.*) Destination: 10.96.*.* (10.96.*.*) [Source GeoIP: Unknown] [Destination GeoIP: Unknown] Transmission Control Protocol, Src Port: 57892 (57892), Dst Port: 445 (445), Seq: 217, Ack: 255, Len: 186 Source Port: 57892 (57892) Destination Port: 445 (445) [Stream index: 0] [TCP Segment Len: 186] Sequence number: 217 (relative sequence number) [Next sequence number: 403 (relative sequence number)] Acknowledgment number: 255 (relative ack number) Header Length: 32 bytes .... 0000 0001 1000 = Flags: 0x018 (PSH, ACK) 000. .... .... = Reserved: Not set ...0 .... .... = Nonce: Not set .... 0... .... = Congestion Window Reduced (CWR): Not set .... .0.. .... = ECN-Echo: Not set .... ..0. .... = Urgent: Not set .... ...1 .... = Acknowledgment: Set .... .... 1... = Push: Set .... .... .0.. = Reset: Not set .... .... ..0. = Syn: Not set .... .... 
...0 = Fin: Not set Window size value: 237 [Calculated window size: 30336] [Window size scaling factor: 128] Checksum: 0xd2c7 [validation disabled] [Good Checksum: False] [Bad Checksum: False] Urgent pointer: 0 Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps No-Operation (NOP) Type: 1 0... .... = Copy on fragmentation: No .00. .... = Class: Control (0) ...0 0001 = Number: No-Operation (NOP) (1) No-Operation (NOP) Type: 1 0... .... = Copy on fragmentation: No .00. .... = Class: Control (0) ...0 0001 = Number: No-Operation (NOP) (1) Timestamps: TSval 264084589, TSecr 4136500700 Kind: Time Stamp Option (8) Length: 10 Timestamp value: 264084589 Timestamp echo reply: 4136500700 [SEQ/ACK analysis] [iRTT: 0.000378000 seconds] [Bytes in flight: 186] NetBIOS Session Service Message Type: Session message (0x00) Length: 182 SMB2 (Server Message Block Protocol version 2) SMB2 Header Server Component: SMB2 Header Length: 64 Credit Charge: 0 Channel Sequence: 0 Reserved: 0000 Command: Negotiate Protocol (0) Credits requested: 0 Flags: 0x00000000 .... .... .... .... .... .... .... ...0 = Response: This is a REQUEST .... .... .... .... .... .... .... ..0. = Async command: This is a SYNC command .... .... .... .... .... .... .... .0.. = Chained: This pdu is NOT a chained command .... .... .... .... .... .... .... 0... = Signing: This pdu is NOT signed ...0 .... .... .... .... .... .... .... = DFS operation: This is a normal operation ..0. .... .... .... .... .... .... .... = Replay operation: This is NOT a replay operation Chain Offset: 0x00000000 Message ID: 1 Process Id: 0x00000000 Tree Id: 0x00000000 Session Id: 0x0000000000000000 Signature: ******************************** [Response in: 8] Negotiate Protocol Request (0x00) StructureSize: 0x0024 0000 0000 0010 010. = Fixed Part Length: 36 .... .... .... ...0 = Dynamic Part: False Dialect count: 8 Security mode: 0x01 .... ...1 = Signing enabled: True .... ..0. 
= Signing required: False Capabilities: 0x0000007f .... .... .... .... .... .... .... ...1 = DFS: This host supports DFS .... .... .... .... .... .... .... ..1. = LEASING: This host supports LEASING .... .... .... .... .... .... .... .1.. = LARGE MTU: This host supports LARGE_MTU .... .... .... .... .... .... .... 1... = MULTI CHANNEL: This host supports MULTI CHANNEL .... .... .... .... .... .... ...1 .... = PERSISTENT HANDLES: This host supports PERSISTENT HANDLES .... .... .... .... .... .... ..1. .... = DIRECTORY LEASING: This host supports DIRECTORY LEASING .... .... .... .... .... .... .1.. .... = ENCRYPTION: This host supports ENCRYPTION Client Guid: 00000000-0000-0000-0000-000000000000 Boot Time: Jan 1, 1601 01:07:46.993471200 LMT Dialect: 0x0202 Dialect: 0x0210 Dialect: 0x0222 Dialect: 0x0224 Dialect: 0x0300 Dialect: 0x0302 Dialect: 0x0310 Dialect: 0x0311 No. Time Source Destination Protocol Length Info 8 0.001674 10.96.*.* 10.9.*.* SMB2 320 Negotiate Protocol Response Frame 8: 320 bytes on wire (2560 bits), 320 bytes captured (2560 bits) Encapsulation type: Ethernet (1) Arrival Time: Jun 2, 2016 08:35:31.410276000 CEST [Time shift for this packet: 0.000000000 seconds] Epoch Time: 1464849331.410276000 seconds [Time delta from previous captured frame: 0.000468000 seconds] [Time delta from previous displayed frame: 0.000468000 seconds] [Time since reference or first frame: 0.001674000 seconds] Frame Number: 8 Frame Length: 320 bytes (2560 bits) Capture Length: 320 bytes (2560 bits) [Frame is marked: False] [Frame is ignored: False] [Protocols in frame: eth:ethertype:ip:tcp:nbss:smb2:gss-api:spnego] [Number of per-protocol-data: 1] [Simple Protected Negotiation, key 0] [Coloring Rule Name: SMB] [Coloring Rule String: smb || nbss || nbns || nbipx || ipxsap || netbios] Ethernet II, Src: Manufacturer2_11:11:11 (11:11:11:11:11:11), Dst: Manufacturer_00:00:00 (00:00:00:00:00:00) Destination: Manufacturer_00:00:00 (00:00:00:00:00:00) Address: Manufacturer_00:00:00 
(00:00:00:00:00:00) .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) .... ...0 .... .... .... .... = IG bit: Individual address (unicast) Source: Manufacturer2_11:11:11 (11:11:11:11:11:11) Address: Manufacturer2_11:11:11 (11:11:11:11:11:11) .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) .... ...0 .... .... .... .... = IG bit: Individual address (unicast) Type: IP (0x0800) Internet Protocol Version 4, Src: 10.96.*.* (10.96.*.*), Dst: 10.9.*.* (10.9.*.*) Version: 4 Header Length: 20 bytes Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport)) 0000 00.. = Differentiated Services Codepoint: Default (0x00) .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00) Total Length: 306 Identification: 0x5098 (20632) Flags: 0x02 (Don't Fragment) 0... .... = Reserved bit: Not set .1.. .... = Don't fragment: Set ..0. .... = More fragments: Not set Fragment offset: 0 Time to live: 62 Protocol: TCP (6) Header checksum: 0xd055 [validation disabled] [Good: False] [Bad: False] Source: 10.96.*.* (10.96.*.*) Destination: 10.9.*.* (10.9.*.*) [Source GeoIP: Unknown] [Destination GeoIP: Unknown] Transmission Control Protocol, Src Port: 445 (445), Dst Port: 57892 (57892), Seq: 255, Ack: 403, Len: 254 Source Port: 445 (445) Destination Port: 57892 (57892) [Stream index: 0] [TCP Segment Len: 254] Sequence number: 255 (relative sequence number) [Next sequence number: 509 (relative sequence number)] Acknowledgment number: 403 (relative ack number) Header Length: 32 bytes .... 0000 0001 1000 = Flags: 0x018 (PSH, ACK) 000. .... .... = Reserved: Not set ...0 .... .... = Nonce: Not set .... 0... .... = Congestion Window Reduced (CWR): Not set .... .0.. .... = ECN-Echo: Not set .... ..0. .... = Urgent: Not set .... ...1 .... = Acknowledgment: Set .... .... 1... = Push: Set .... .... .0.. = Reset: Not set .... .... ..0. = Syn: Not set .... .... 
...0 = Fin: Not set Window size value: 262 [Calculated window size: 33536] [Window size scaling factor: 128] Checksum: 0x3286 [validation disabled] [Good Checksum: False] [Bad Checksum: False] Urgent pointer: 0 Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps No-Operation (NOP) Type: 1 0... .... = Copy on fragmentation: No .00. .... = Class: Control (0) ...0 0001 = Number: No-Operation (NOP) (1) No-Operation (NOP) Type: 1 0... .... = Copy on fragmentation: No .00. .... = Class: Control (0) ...0 0001 = Number: No-Operation (NOP) (1) Timestamps: TSval 4136500701, TSecr 264084589 Kind: Time Stamp Option (8) Length: 10 Timestamp value: 4136500701 Timestamp echo reply: 264084589 [SEQ/ACK analysis] [This is an ACK to the segment in frame: 7] [The RTT to ACK the segment was: 0.000468000 seconds] [iRTT: 0.000378000 seconds] [Bytes in flight: 254] NetBIOS Session Service Message Type: Session message (0x00) Length: 250 SMB2 (Server Message Block Protocol version 2) SMB2 Header Server Component: SMB2 Header Length: 64 Credit Charge: 0 NT Status: STATUS_SUCCESS (0x00000000) Command: Negotiate Protocol (0) Credits granted: 1 Flags: 0x00000001 .... .... .... .... .... .... .... ...1 = Response: This is a RESPONSE .... .... .... .... .... .... .... ..0. = Async command: This is a SYNC command .... .... .... .... .... .... .... .0.. = Chained: This pdu is NOT a chained command .... .... .... .... .... .... .... 0... = Signing: This pdu is NOT signed ...0 .... .... .... .... .... .... .... = DFS operation: This is a normal operation ..0. .... .... .... .... .... .... .... = Replay operation: This is NOT a replay operation Chain Offset: 0x00000000 Message ID: 1 Process Id: 0x00000000 Tree Id: 0x00000000 Session Id: 0x0000000000000000 Signature: ******************************** [Response to: 7] [Time from request: 0.000468000 seconds] Negotiate Protocol Response (0x00) StructureSize: 0x0041 0000 0000 0100 000. = Fixed Part Length: 64 .... .... .... 
...1 = Dynamic Part: True Security mode: 0x01 .... ...1 = Signing enabled: True .... ..0. = Signing required: False Dialect: 0x0300 Server Guid: 11111111-1111-1111-1111-111111111111 Capabilities: 0x00000053 .... .... .... .... .... .... .... ...1 = DFS: This host supports DFS .... .... .... .... .... .... .... ..1. = LEASING: This host supports LEASING .... .... .... .... .... .... .... .0.. = LARGE MTU: This host does NOT support LARGE_MTU .... .... .... .... .... .... .... 0... = MULTI CHANNEL: This host does NOT support MULTI CHANNEL .... .... .... .... .... .... ...1 .... = PERSISTENT HANDLES: This host supports PERSISTENT HANDLES .... .... .... .... .... .... ..0. .... = DIRECTORY LEASING: This host does NOT support DIRECTORY LEASING .... .... .... .... .... .... .1.. .... = ENCRYPTION: This host supports ENCRYPTION Max Transaction Size: 65536 Max Read Size: 65536 Max Write Size: 65536 Current Time: Jun 2, 2016 08:35:31.410495000 CEST Boot Time: Apr 15, 2016 11:33:41.142700000 CEST Security Blob: ************************* Offset: 0x00000080 Length: 122 GSS-API Generic Security Service Application Program Interface OID: 1.3.6.1.5.5.2 (SPNEGO - Simple Protected Negotiation) Simple Protected Negotiation negTokenInit mechTypes: 3 items MechType: 1.2.840.48018.1.2.2 (MS KRB5 - Microsoft Kerberos 5) MechType: 1.2.840.113554.1.2.2 (KRB5 - Kerberos 5) MechType: 1.3.6.1.4.1.311.2.2.10 (NTLMSSP - Microsoft NTLM Security Support Provider) negHints hintName: not_defined_in_RFC4178@please_ignore No. 
Time Source Destination Protocol Length Info 9 0.041189 10.9.*.* 10.96.*.* TCP 66 57892→445 [ACK] Seq=403 Ack=509 Win=31360 Len=0 TSval=264084629 TSecr=4136500701 Frame 9: 66 bytes on wire (528 bits), 66 bytes captured (528 bits) Encapsulation type: Ethernet (1) Arrival Time: Jun 2, 2016 08:35:31.449791000 CEST [Time shift for this packet: 0.000000000 seconds] Epoch Time: 1464849331.449791000 seconds [Time delta from previous captured frame: 0.039515000 seconds] [Time delta from previous displayed frame: 0.039515000 seconds] [Time since reference or first frame: 0.041189000 seconds] Frame Number: 9 Frame Length: 66 bytes (528 bits) Capture Length: 66 bytes (528 bits) [Frame is marked: False] [Frame is ignored: False] [Protocols in frame: eth:ethertype:ip:tcp] [Coloring Rule Name: TCP] [Coloring Rule String: tcp] Ethernet II, Src: Manufacturer_00:00:00 (00:00:00:00:00:00), Dst: Manufacturer2_11:11:11 (11:11:11:11:11:11) Destination: Manufacturer2_11:11:11 (11:11:11:11:11:11) Address: Manufacturer2_11:11:11 (11:11:11:11:11:11) .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) .... ...0 .... .... .... .... = IG bit: Individual address (unicast) Source: Manufacturer_00:00:00 (00:00:00:00:00:00) Address: Manufacturer_00:00:00 (00:00:00:00:00:00) .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) .... ...0 .... .... .... .... = IG bit: Individual address (unicast) Type: IP (0x0800) Internet Protocol Version 4, Src: 10.9.*.* (10.9.*.*), Dst: 10.96.*.* (10.96.*.*) Version: 4 Header Length: 20 bytes Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport)) 0000 00.. = Differentiated Services Codepoint: Default (0x00) .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00) Total Length: 52 Identification: 0x9529 (38185) Flags: 0x02 (Don't Fragment) 0... .... = Reserved bit: Not set .1.. .... = Don't fragment: Set ..0. .... 
= More fragments: Not set Fragment offset: 0 Time to live: 64 Protocol: TCP (6) Header checksum: 0x8ac2 [validation disabled] [Good: False] [Bad: False] Source: 10.9.*.* (10.9.*.*) Destination: 10.96.*.* (10.96.*.*) [Source GeoIP: Unknown] [Destination GeoIP: Unknown] Transmission Control Protocol, Src Port: 57892 (57892), Dst Port: 445 (445), Seq: 403, Ack: 509, Len: 0 Source Port: 57892 (57892) Destination Port: 445 (445) [Stream index: 0] [TCP Segment Len: 0] Sequence number: 403 (relative sequence number) Acknowledgment number: 509 (relative ack number) Header Length: 32 bytes .... 0000 0001 0000 = Flags: 0x010 (ACK) 000. .... .... = Reserved: Not set ...0 .... .... = Nonce: Not set .... 0... .... = Congestion Window Reduced (CWR): Not set .... .0.. .... = ECN-Echo: Not set .... ..0. .... = Urgent: Not set .... ...1 .... = Acknowledgment: Set .... .... 0... = Push: Not set .... .... .0.. = Reset: Not set .... .... ..0. = Syn: Not set .... .... ...0 = Fin: Not set Window size value: 245 [Calculated window size: 31360] [Window size scaling factor: 128] Checksum: 0x5d05 [validation disabled] [Good Checksum: False] [Bad Checksum: False] Urgent pointer: 0 Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps No-Operation (NOP) Type: 1 0... .... = Copy on fragmentation: No .00. .... = Class: Control (0) ...0 0001 = Number: No-Operation (NOP) (1) No-Operation (NOP) Type: 1 0... .... = Copy on fragmentation: No .00. .... = Class: Control (0) ...0 0001 = Number: No-Operation (NOP) (1) Timestamps: TSval 264084629, TSecr 4136500701 Kind: Time Stamp Option (8) Length: 10 Timestamp value: 264084629 Timestamp echo reply: 4136500701 [SEQ/ACK analysis] [This is an ACK to the segment in frame: 8] [The RTT to ACK the segment was: 0.039515000 seconds] [iRTT: 0.000378000 seconds] No. 
Time Source Destination Protocol Length Info 10 0.425756 10.9.*.* 10.96.*.* TCP 1514 [TCP segment of a reassembled PDU] Frame 10: 1514 bytes on wire (12112 bits), 1514 bytes captured (12112 bits) Encapsulation type: Ethernet (1) Arrival Time: Jun 2, 2016 08:35:31.834358000 CEST [Time shift for this packet: 0.000000000 seconds] Epoch Time: 1464849331.834358000 seconds [Time delta from previous captured frame: 0.384567000 seconds] [Time delta from previous displayed frame: 0.384567000 seconds] [Time since reference or first frame: 0.425756000 seconds] Frame Number: 10 Frame Length: 1514 bytes (12112 bits) Capture Length: 1514 bytes (12112 bits) [Frame is marked: False] [Frame is ignored: False] [Protocols in frame: eth:ethertype:ip:tcp] [Coloring Rule Name: TCP] [Coloring Rule String: tcp] Ethernet II, Src: Manufacturer_00:00:00 (00:00:00:00:00:00), Dst: Manufacturer2_11:11:11 (11:11:11:11:11:11) Destination: Manufacturer2_11:11:11 (11:11:11:11:11:11) Address: Manufacturer2_11:11:11 (11:11:11:11:11:11) .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) .... ...0 .... .... .... .... = IG bit: Individual address (unicast) Source: Manufacturer_00:00:00 (00:00:00:00:00:00) Address: Manufacturer_00:00:00 (00:00:00:00:00:00) .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) .... ...0 .... .... .... .... = IG bit: Individual address (unicast) Type: IP (0x0800) Internet Protocol Version 4, Src: 10.9.*.* (10.9.*.*), Dst: 10.96.*.* (10.96.*.*) Version: 4 Header Length: 20 bytes Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport)) 0000 00.. = Differentiated Services Codepoint: Default (0x00) .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00) Total Length: 1500 Identification: 0x952a (38186) Flags: 0x02 (Don't Fragment) 0... .... = Reserved bit: Not set .1.. .... = Don't fragment: Set ..0. .... 
= More fragments: Not set Fragment offset: 0 Time to live: 64 Protocol: TCP (6) Header checksum: 0x8519 [validation disabled] [Good: False] [Bad: False] Source: 10.9.*.* (10.9.*.*) Destination: 10.96.*.* (10.96.*.*) [Source GeoIP: Unknown] [Destination GeoIP: Unknown] Transmission Control Protocol, Src Port: 57892 (57892), Dst Port: 445 (445), Seq: 403, Ack: 509, Len: 1448 Source Port: 57892 (57892) Destination Port: 445 (445) [Stream index: 0] [TCP Segment Len: 1448] Sequence number: 403 (relative sequence number) [Next sequence number: 1851 (relative sequence number)] Acknowledgment number: 509 (relative ack number) Header Length: 32 bytes .... 0000 0001 0000 = Flags: 0x010 (ACK) 000. .... .... = Reserved: Not set ...0 .... .... = Nonce: Not set .... 0... .... = Congestion Window Reduced (CWR): Not set .... .0.. .... = ECN-Echo: Not set .... ..0. .... = Urgent: Not set .... ...1 .... = Acknowledgment: Set .... .... 0... = Push: Not set .... .... .0.. = Reset: Not set .... .... ..0. = Syn: Not set .... .... ...0 = Fin: Not set Window size value: 245 [Calculated window size: 31360] [Window size scaling factor: 128] Checksum: 0x6b0b [validation disabled] [Good Checksum: False] [Bad Checksum: False] Urgent pointer: 0 Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps No-Operation (NOP) Type: 1 0... .... = Copy on fragmentation: No .00. .... = Class: Control (0) ...0 0001 = Number: No-Operation (NOP) (1) No-Operation (NOP) Type: 1 0... .... = Copy on fragmentation: No .00. .... = Class: Control (0) ...0 0001 = Number: No-Operation (NOP) (1) Timestamps: TSval 264085013, TSecr 4136500701 Kind: Time Stamp Option (8) Length: 10 Timestamp value: 264085013 Timestamp echo reply: 4136500701 [SEQ/ACK analysis] [iRTT: 0.000378000 seconds] [Bytes in flight: 1448] TCP segment data (1448 bytes) No. 
Time Source Destination Protocol Length Info 11 0.425769 10.9.*.* 10.96.*.* TCP 1514 [TCP segment of a reassembled PDU] Frame 11: 1514 bytes on wire (12112 bits), 1514 bytes captured (12112 bits) Encapsulation type: Ethernet (1) Arrival Time: Jun 2, 2016 08:35:31.834371000 CEST [Time shift for this packet: 0.000000000 seconds] Epoch Time: 1464849331.834371000 seconds [Time delta from previous captured frame: 0.000013000 seconds] [Time delta from previous displayed frame: 0.000013000 seconds] [Time since reference or first frame: 0.425769000 seconds] Frame Number: 11 Frame Length: 1514 bytes (12112 bits) Capture Length: 1514 bytes (12112 bits) [Frame is marked: False] [Frame is ignored: False] [Protocols in frame: eth:ethertype:ip:tcp] [Coloring Rule Name: TCP] [Coloring Rule String: tcp] Ethernet II, Src: Manufacturer_00:00:00 (00:00:00:00:00:00), Dst: Manufacturer2_11:11:11 (11:11:11:11:11:11) Destination: Manufacturer2_11:11:11 (11:11:11:11:11:11) Address: Manufacturer2_11:11:11 (11:11:11:11:11:11) .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) .... ...0 .... .... .... .... = IG bit: Individual address (unicast) Source: Manufacturer_00:00:00 (00:00:00:00:00:00) Address: Manufacturer_00:00:00 (00:00:00:00:00:00) .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) .... ...0 .... .... .... .... = IG bit: Individual address (unicast) Type: IP (0x0800) Internet Protocol Version 4, Src: 10.9.*.* (10.9.*.*), Dst: 10.96.*.* (10.96.*.*) Version: 4 Header Length: 20 bytes Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport)) 0000 00.. = Differentiated Services Codepoint: Default (0x00) .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00) Total Length: 1500 Identification: 0x952b (38187) Flags: 0x02 (Don't Fragment) 0... .... = Reserved bit: Not set .1.. .... = Don't fragment: Set ..0. .... 
= More fragments: Not set Fragment offset: 0 Time to live: 64 Protocol: TCP (6) Header checksum: 0x8518 [validation disabled] [Good: False] [Bad: False] Source: 10.9.*.* (10.9.*.*) Destination: 10.96.*.* (10.96.*.*) [Source GeoIP: Unknown] [Destination GeoIP: Unknown] Transmission Control Protocol, Src Port: 57892 (57892), Dst Port: 445 (445), Seq: 1851, Ack: 509, Len: 1448 Source Port: 57892 (57892) Destination Port: 445 (445) [Stream index: 0] [TCP Segment Len: 1448] Sequence number: 1851 (relative sequence number) [Next sequence number: 3299 (relative sequence number)] Acknowledgment number: 509 (relative ack number) Header Length: 32 bytes .... 0000 0001 0000 = Flags: 0x010 (ACK) 000. .... .... = Reserved: Not set ...0 .... .... = Nonce: Not set .... 0... .... = Congestion Window Reduced (CWR): Not set .... .0.. .... = ECN-Echo: Not set .... ..0. .... = Urgent: Not set .... ...1 .... = Acknowledgment: Set .... .... 0... = Push: Not set .... .... .0.. = Reset: Not set .... .... ..0. = Syn: Not set .... .... ...0 = Fin: Not set Window size value: 245 [Calculated window size: 31360] [Window size scaling factor: 128] Checksum: 0x4541 [validation disabled] [Good Checksum: False] [Bad Checksum: False] Urgent pointer: 0 Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps No-Operation (NOP) Type: 1 0... .... = Copy on fragmentation: No .00. .... = Class: Control (0) ...0 0001 = Number: No-Operation (NOP) (1) No-Operation (NOP) Type: 1 0... .... = Copy on fragmentation: No .00. .... = Class: Control (0) ...0 0001 = Number: No-Operation (NOP) (1) Timestamps: TSval 264085013, TSecr 4136500701 Kind: Time Stamp Option (8) Length: 10 Timestamp value: 264085013 Timestamp echo reply: 4136500701 [SEQ/ACK analysis] [iRTT: 0.000378000 seconds] [Bytes in flight: 2896] [Reassembled PDU in frame: 12] TCP segment data (1448 bytes) No. 
Time Source Destination Protocol Length Info 12 0.426039 10.9.*.* 10.96.*.* SMB2 179 Session Setup Request Frame 12: 179 bytes on wire (1432 bits), 179 bytes captured (1432 bits) Encapsulation type: Ethernet (1) Arrival Time: Jun 2, 2016 08:35:31.834641000 CEST [Time shift for this packet: 0.000000000 seconds] Epoch Time: 1464849331.834641000 seconds [Time delta from previous captured frame: 0.000270000 seconds] [Time delta from previous displayed frame: 0.000270000 seconds] [Time since reference or first frame: 0.426039000 seconds] Frame Number: 12 Frame Length: 179 bytes (1432 bits) Capture Length: 179 bytes (1432 bits) [Frame is marked: False] [Frame is ignored: False] [Protocols in frame: eth:ethertype:ip:tcp:nbss:smb2:gss-api:spnego:spnego-krb5] [Number of per-protocol-data: 1] [Simple Protected Negotiation, key 0] [Coloring Rule Name: SMB] [Coloring Rule String: smb || nbss || nbns || nbipx || ipxsap || netbios] Ethernet II, Src: Manufacturer_00:00:00 (00:00:00:00:00:00), Dst: Manufacturer2_11:11:11 (11:11:11:11:11:11) Destination: Manufacturer2_11:11:11 (11:11:11:11:11:11) Address: Manufacturer2_11:11:11 (11:11:11:11:11:11) .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) .... ...0 .... .... .... .... = IG bit: Individual address (unicast) Source: Manufacturer_00:00:00 (00:00:00:00:00:00) Address: Manufacturer_00:00:00 (00:00:00:00:00:00) .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) .... ...0 .... .... .... .... = IG bit: Individual address (unicast) Type: IP (0x0800) Internet Protocol Version 4, Src: 10.9.*.* (10.9.*.*), Dst: 10.96.*.* (10.96.*.*) Version: 4 Header Length: 20 bytes Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport)) 0000 00.. = Differentiated Services Codepoint: Default (0x00) .... 
..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00) Total Length: 165 Identification: 0x952c (38188) Flags: 0x02 (Don't Fragment) 0... .... = Reserved bit: Not set .1.. .... = Don't fragment: Set ..0. .... = More fragments: Not set Fragment offset: 0 Time to live: 64 Protocol: TCP (6) Header checksum: 0x8a4e [validation disabled] [Good: False] [Bad: False] Source: 10.9.*.* (10.9.*.*) Destination: 10.96.*.* (10.96.*.*) [Source GeoIP: Unknown] [Destination GeoIP: Unknown] Transmission Control Protocol, Src Port: 57892 (57892), Dst Port: 445 (445), Seq: 3299, Ack: 509, Len: 113 Source Port: 57892 (57892) Destination Port: 445 (445) [Stream index: 0] [TCP Segment Len: 113] Sequence number: 3299 (relative sequence number) [Next sequence number: 3412 (relative sequence number)] Acknowledgment number: 509 (relative ack number) Header Length: 32 bytes .... 0000 0001 1000 = Flags: 0x018 (PSH, ACK) 000. .... .... = Reserved: Not set ...0 .... .... = Nonce: Not set .... 0... .... = Congestion Window Reduced (CWR): Not set .... .0.. .... = ECN-Echo: Not set .... ..0. .... = Urgent: Not set .... ...1 .... = Acknowledgment: Set .... .... 1... = Push: Set .... .... .0.. = Reset: Not set .... .... ..0. = Syn: Not set .... .... ...0 = Fin: Not set Window size value: 245 [Calculated window size: 31360] [Window size scaling factor: 128] Checksum: 0x58f2 [validation disabled] [Good Checksum: False] [Bad Checksum: False] Urgent pointer: 0 Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps No-Operation (NOP) Type: 1 0... .... = Copy on fragmentation: No .00. .... = Class: Control (0) ...0 0001 = Number: No-Operation (NOP) (1) No-Operation (NOP) Type: 1 0... .... = Copy on fragmentation: No .00. .... 
= Class: Control (0) ...0 0001 = Number: No-Operation (NOP) (1) Timestamps: TSval 264085013, TSecr 4136500701 Kind: Time Stamp Option (8) Length: 10 Timestamp value: 264085013 Timestamp echo reply: 4136500701 [SEQ/ACK analysis] [iRTT: 0.000378000 seconds] [Bytes in flight: 3009] TCP segment data (113 bytes) [3 Reassembled TCP Segments (3009 bytes): #10(1448), #11(1448), #12(113)] [Frame: 10, payload: 0-1447 (1448 bytes)] [Frame: 11, payload: 1448-2895 (1448 bytes)] [Frame: 12, payload: 2896-3008 (113 bytes)] [Segment count: 3] [Reassembled TCP length: 3009] [Reassembled TCP Data: 00000bbdfe534d4240000000000000000100002000000000...] NetBIOS Session Service Message Type: Session message (0x00) Length: 3005 SMB2 (Server Message Block Protocol version 2) SMB2 Header Server Component: SMB2 Header Length: 64 Credit Charge: 0 Channel Sequence: 0 Reserved: 0000 Command: Session Setup (1) Credits requested: 8192 Flags: 0x00000000 .... .... .... .... .... .... .... ...0 = Response: This is a REQUEST .... .... .... .... .... .... .... ..0. = Async command: This is a SYNC command .... .... .... .... .... .... .... .0.. = Chained: This pdu is NOT a chained command .... .... .... .... .... .... .... 0... = Signing: This pdu is NOT signed ...0 .... .... .... .... .... .... .... = DFS operation: This is a normal operation ..0. .... .... .... .... .... .... .... = Replay operation: This is NOT a replay operation Chain Offset: 0x00000000 Message ID: 2 Process Id: 0x00000000 Tree Id: 0x00000000 Session Id: 0x0000000000000000 Signature: ******************************** [Response in: 15] Session Setup Request (0x01) StructureSize: 0x0019 0000 0000 0001 100. = Fixed Part Length: 24 .... .... .... ...1 = Dynamic Part: True Flags: 0 .... ...0 = Session Binding Request: False Security mode: 0x01 .... ...1 = Signing enabled: True .... ..0. = Signing required: False Capabilities: 0x00000001 .... .... .... .... .... .... .... ...1 = DFS: This host supports DFS .... .... .... .... .... .... 
.... ..0. = LEASING: This host does NOT support LEASING .... .... .... .... .... .... .... .0.. = LARGE MTU: This host does NOT support LARGE_MTU .... .... .... .... .... .... .... 0... = MULTI CHANNEL: This host does NOT support MULTI CHANNEL .... .... .... .... .... .... ...0 .... = PERSISTENT HANDLES: This host does NOT support PERSISTENT HANDLES .... .... .... .... .... .... ..0. .... = DIRECTORY LEASING: This host does NOT support DIRECTORY LEASING .... .... .... .... .... .... .0.. .... = ENCRYPTION: This host does NOT support ENCRYPTION Channel: None (0x00000000) Previous Session Id: 0x0000000000000000 Security Blob: ************************* Offset: 0x00000058 Length: 2917 GSS-API Generic Security Service Application Program Interface OID: 1.3.6.1.5.5.2 (SPNEGO - Simple Protected Negotiation) Simple Protected Negotiation negTokenInit mechTypes: 2 items MechType: 1.2.840.48018.1.2.2 (MS KRB5 - Microsoft Kerberos 5) MechType: 1.2.840.113554.1.2.2 (KRB5 - Kerberos 5) mechToken: 60820b2b06092a864886f71201020201006e820b1a30820b... krb5_blob: *******************... KRB5 OID: 1.2.840.113554.1.2.2 (KRB5 - Kerberos 5) krb5_tok_id: KRB5_AP_REQ (0x0001) Kerberos ap-req pvno: 5 msg-type: krb-ap-req (14) Padding: 0 ap-options: 20000000 (mutual-required) 0... .... = reserved: False .0.. .... = use-session-key: False ..1. .... = mutual-required: True ticket tkt-vno: 5 realm: AD.TLE.INTERN sname name-type: kRB5-NT-PRINCIPAL (1) name-string: 2 items KerberosString: cifs KerberosString: fileserver.fqdn enc-part etype: eTYPE-ARCFOUR-HMAC-MD5 (23) kvno: 4 cipher: *******************... authenticator etype: eTYPE-ARCFOUR-HMAC-MD5 (23) cipher: *******************... No. 
13 0.426467 10.96.*.* 10.9.*.* TCP 66 445→57892 [ACK] Seq=509 Ack=3299 Win=30592 Len=0 TSval=4136501125 TSecr=264085013
Frame 13: 66 bytes on wire (528 bits), 66 bytes captured (528 bits)
    Encapsulation type: Ethernet (1)
    Arrival Time: Jun 2, 2016 08:35:31.835069000 CEST
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1464849331.835069000 seconds
    [Time delta from previous captured frame: 0.000428000 seconds]
    [Time delta from previous displayed frame: 0.000428000 seconds]
    [Time since reference or first frame: 0.426467000 seconds]
    Frame Number: 13
    Frame Length: 66 bytes (528 bits)
    Capture Length: 66 bytes (528 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ethertype:ip:tcp]
    [Coloring Rule Name: TCP]
    [Coloring Rule String: tcp]
Ethernet II, Src: Manufacturer2_11:11:11 (11:11:11:11:11:11), Dst: Manufacturer_00:00:00 (00:00:00:00:00:00)
    Destination: Manufacturer_00:00:00 (00:00:00:00:00:00)
        Address: Manufacturer_00:00:00 (00:00:00:00:00:00)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: Manufacturer2_11:11:11 (11:11:11:11:11:11)
        Address: Manufacturer2_11:11:11 (11:11:11:11:11:11)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IP (0x0800)
Internet Protocol Version 4, Src: 10.96.*.* (10.96.*.*), Dst: 10.9.*.* (10.9.*.*)
    Version: 4
    Header Length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00)
    Total Length: 52
    Identification: 0x3201 (12801)
    Flags: 0x02 (Don't Fragment)
        0... .... = Reserved bit: Not set
        .1.. .... = Don't fragment: Set
        ..0. .... = More fragments: Not set
    Fragment offset: 0
    Time to live: 62
    Protocol: TCP (6)
    Header checksum: 0xefea [validation disabled]
        [Good: False]
        [Bad: False]
    Source: 10.96.*.* (10.96.*.*)
    Destination: 10.9.*.* (10.9.*.*)
    [Source GeoIP: Unknown]
    [Destination GeoIP: Unknown]
Transmission Control Protocol, Src Port: 445 (445), Dst Port: 57892 (57892), Seq: 509, Ack: 3299, Len: 0
    Source Port: 445 (445)
    Destination Port: 57892 (57892)
    [Stream index: 0]
    [TCP Segment Len: 0]
    Sequence number: 509 (relative sequence number)
    Acknowledgment number: 3299 (relative ack number)
    Header Length: 32 bytes
    .... 0000 0001 0000 = Flags: 0x010 (ACK)
        000. .... .... = Reserved: Not set
        ...0 .... .... = Nonce: Not set
        .... 0... .... = Congestion Window Reduced (CWR): Not set
        .... .0.. .... = ECN-Echo: Not set
        .... ..0. .... = Urgent: Not set
        .... ...1 .... = Acknowledgment: Set
        .... .... 0... = Push: Not set
        .... .... .0.. = Reset: Not set
        .... .... ..0. = Syn: Not set
        .... .... ...0 = Fin: Not set
    Window size value: 239
    [Calculated window size: 30592]
    [Window size scaling factor: 128]
    Checksum: 0x4e93 [validation disabled]
        [Good Checksum: False]
        [Bad Checksum: False]
    Urgent pointer: 0
    Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps
        No-Operation (NOP)
            Type: 1
                0... .... = Copy on fragmentation: No
                .00. .... = Class: Control (0)
                ...0 0001 = Number: No-Operation (NOP) (1)
        No-Operation (NOP)
            Type: 1
                0... .... = Copy on fragmentation: No
                .00. .... = Class: Control (0)
                ...0 0001 = Number: No-Operation (NOP) (1)
        Timestamps: TSval 4136501125, TSecr 264085013
            Kind: Time Stamp Option (8)
            Length: 10
            Timestamp value: 4136501125
            Timestamp echo reply: 264085013
    [SEQ/ACK analysis]
        [This is an ACK to the segment in frame: 11]
        [The RTT to ACK the segment was: 0.000698000 seconds]
        [iRTT: 0.000378000 seconds]

14 0.426656 10.96.*.* 10.9.*.* TCP 66 445→57892 [ACK] Seq=509 Ack=3412 Win=33536 Len=0 TSval=4136501126 TSecr=264085013
Frame 14: 66 bytes on wire (528 bits), 66 bytes captured (528 bits)
    Encapsulation type: Ethernet (1)
    Arrival Time: Jun 2, 2016 08:35:31.835258000 CEST
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1464849331.835258000 seconds
    [Time delta from previous captured frame: 0.000189000 seconds]
    [Time delta from previous displayed frame: 0.000189000 seconds]
    [Time since reference or first frame: 0.426656000 seconds]
    Frame Number: 14
    Frame Length: 66 bytes (528 bits)
    Capture Length: 66 bytes (528 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ethertype:ip:tcp]
    [Coloring Rule Name: TCP]
    [Coloring Rule String: tcp]
Ethernet II, Src: Manufacturer2_11:11:11 (11:11:11:11:11:11), Dst: Manufacturer_00:00:00 (00:00:00:00:00:00)
    Destination: Manufacturer_00:00:00 (00:00:00:00:00:00)
        Address: Manufacturer_00:00:00 (00:00:00:00:00:00)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: Manufacturer2_11:11:11 (11:11:11:11:11:11)
        Address: Manufacturer2_11:11:11 (11:11:11:11:11:11)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IP (0x0800)
Internet Protocol Version 4, Src: 10.96.*.* (10.96.*.*), Dst: 10.9.*.* (10.9.*.*)
    Version: 4
    Header Length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00)
    Total Length: 52
    Identification: 0x3301 (13057)
    Flags: 0x02 (Don't Fragment)
        0... .... = Reserved bit: Not set
        .1.. .... = Don't fragment: Set
        ..0. .... = More fragments: Not set
    Fragment offset: 0
    Time to live: 62
    Protocol: TCP (6)
    Header checksum: 0xeeea [validation disabled]
        [Good: False]
        [Bad: False]
    Source: 10.96.*.* (10.96.*.*)
    Destination: 10.9.*.* (10.9.*.*)
    [Source GeoIP: Unknown]
    [Destination GeoIP: Unknown]
Transmission Control Protocol, Src Port: 445 (445), Dst Port: 57892 (57892), Seq: 509, Ack: 3412, Len: 0
    Source Port: 445 (445)
    Destination Port: 57892 (57892)
    [Stream index: 0]
    [TCP Segment Len: 0]
    Sequence number: 509 (relative sequence number)
    Acknowledgment number: 3412 (relative ack number)
    Header Length: 32 bytes
    .... 0000 0001 0000 = Flags: 0x010 (ACK)
        000. .... .... = Reserved: Not set
        ...0 .... .... = Nonce: Not set
        .... 0... .... = Congestion Window Reduced (CWR): Not set
        .... .0.. .... = ECN-Echo: Not set
        .... ..0. .... = Urgent: Not set
        .... ...1 .... = Acknowledgment: Set
        .... .... 0... = Push: Not set
        .... .... .0.. = Reset: Not set
        .... .... ..0. = Syn: Not set
        .... .... ...0 = Fin: Not set
    Window size value: 262
    [Calculated window size: 33536]
    [Window size scaling factor: 128]
    Checksum: 0x4e0a [validation disabled]
        [Good Checksum: False]
        [Bad Checksum: False]
    Urgent pointer: 0
    Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps
        No-Operation (NOP)
            Type: 1
                0... .... = Copy on fragmentation: No
                .00. .... = Class: Control (0)
                ...0 0001 = Number: No-Operation (NOP) (1)
        No-Operation (NOP)
            Type: 1
                0... .... = Copy on fragmentation: No
                .00. .... = Class: Control (0)
                ...0 0001 = Number: No-Operation (NOP) (1)
        Timestamps: TSval 4136501126, TSecr 264085013
            Kind: Time Stamp Option (8)
            Length: 10
            Timestamp value: 4136501126
            Timestamp echo reply: 264085013
    [SEQ/ACK analysis]
        [This is an ACK to the segment in frame: 12]
        [The RTT to ACK the segment was: 0.000617000 seconds]
        [iRTT: 0.000378000 seconds]

15 0.434381 10.96.*.* 10.9.*.* SMB2 334 Session Setup Response
Frame 15: 334 bytes on wire (2672 bits), 334 bytes captured (2672 bits)
    Encapsulation type: Ethernet (1)
    Arrival Time: Jun 2, 2016 08:35:31.842983000 CEST
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1464849331.842983000 seconds
    [Time delta from previous captured frame: 0.007725000 seconds]
    [Time delta from previous displayed frame: 0.007725000 seconds]
    [Time since reference or first frame: 0.434381000 seconds]
    Frame Number: 15
    Frame Length: 334 bytes (2672 bits)
    Capture Length: 334 bytes (2672 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ethertype:ip:tcp:nbss:smb2:gss-api:spnego:spnego-krb5]
    [Number of per-protocol-data: 2]
    [GSS-API Generic Security Service Application Program Interface, key 0]
    [Simple Protected Negotiation, key 0]
    [Coloring Rule Name: SMB]
    [Coloring Rule String: smb || nbss || nbns || nbipx || ipxsap || netbios]
Ethernet II, Src: Manufacturer2_11:11:11 (11:11:11:11:11:11), Dst: Manufacturer_00:00:00 (00:00:00:00:00:00)
    Destination: Manufacturer_00:00:00 (00:00:00:00:00:00)
        Address: Manufacturer_00:00:00 (00:00:00:00:00:00)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: Manufacturer2_11:11:11 (11:11:11:11:11:11)
        Address: Manufacturer2_11:11:11 (11:11:11:11:11:11)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IP (0x0800)
Internet Protocol Version 4, Src: 10.96.*.* (10.96.*.*), Dst: 10.9.*.* (10.9.*.*)
    Version: 4
    Header Length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00)
    Total Length: 320
    Identification: 0x3401 (13313)
    Flags: 0x02 (Don't Fragment)
        0... .... = Reserved bit: Not set
        .1.. .... = Don't fragment: Set
        ..0. .... = More fragments: Not set
    Fragment offset: 0
    Time to live: 62
    Protocol: TCP (6)
    Header checksum: 0xecde [validation disabled]
        [Good: False]
        [Bad: False]
    Source: 10.96.*.* (10.96.*.*)
    Destination: 10.9.*.* (10.9.*.*)
    [Source GeoIP: Unknown]
    [Destination GeoIP: Unknown]
Transmission Control Protocol, Src Port: 445 (445), Dst Port: 57892 (57892), Seq: 509, Ack: 3412, Len: 268
    Source Port: 445 (445)
    Destination Port: 57892 (57892)
    [Stream index: 0]
    [TCP Segment Len: 268]
    Sequence number: 509 (relative sequence number)
    [Next sequence number: 777 (relative sequence number)]
    Acknowledgment number: 3412 (relative ack number)
    Header Length: 32 bytes
    .... 0000 0001 1000 = Flags: 0x018 (PSH, ACK)
        000. .... .... = Reserved: Not set
        ...0 .... .... = Nonce: Not set
        .... 0... .... = Congestion Window Reduced (CWR): Not set
        .... .0.. .... = ECN-Echo: Not set
        .... ..0. .... = Urgent: Not set
        .... ...1 .... = Acknowledgment: Set
        .... .... 1... = Push: Set
        .... .... .0.. = Reset: Not set
        .... .... ..0. = Syn: Not set
        .... .... ...0 = Fin: Not set
    Window size value: 262
    [Calculated window size: 33536]
    [Window size scaling factor: 128]
    Checksum: 0x0d9f [validation disabled]
        [Good Checksum: False]
        [Bad Checksum: False]
    Urgent pointer: 0
    Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps
        No-Operation (NOP)
            Type: 1
                0... .... = Copy on fragmentation: No
                .00. .... = Class: Control (0)
                ...0 0001 = Number: No-Operation (NOP) (1)
        No-Operation (NOP)
            Type: 1
                0... .... = Copy on fragmentation: No
                .00. .... = Class: Control (0)
                ...0 0001 = Number: No-Operation (NOP) (1)
        Timestamps: TSval 4136501133, TSecr 264085013
            Kind: Time Stamp Option (8)
            Length: 10
            Timestamp value: 4136501133
            Timestamp echo reply: 264085013
    [SEQ/ACK analysis]
        [iRTT: 0.000378000 seconds]
        [Bytes in flight: 268]
NetBIOS Session Service
    Message Type: Session message (0x00)
    Length: 264
SMB2 (Server Message Block Protocol version 2)
    SMB2 Header
        Server Component: SMB2
        Header Length: 64
        Credit Charge: 0
        NT Status: STATUS_SUCCESS (0x00000000)
        Command: Session Setup (1)
        Credits granted: 8192
        Flags: 0x00000001
            .... .... .... .... .... .... .... ...1 = Response: This is a RESPONSE
            .... .... .... .... .... .... .... ..0. = Async command: This is a SYNC command
            .... .... .... .... .... .... .... .0.. = Chained: This pdu is NOT a chained command
            .... .... .... .... .... .... .... 0... = Signing: This pdu is NOT signed
            ...0 .... .... .... .... .... .... .... = DFS operation: This is a normal operation
            ..0. .... .... .... .... .... .... .... = Replay operation: This is NOT a replay operation
        Chain Offset: 0x00000000
        Message ID: 2
        Process Id: 0x00000000
        Tree Id: 0x00000000
        Session Id: 0x8df3ec9a00000001
        Signature: ********************************
        [Response to: 12]
        [Time from request: 0.008342000 seconds]
    Session Setup Response (0x01)
        StructureSize: 0x0009
            0000 0000 0000 100. = Fixed Part Length: 8
            .... .... .... ...1 = Dynamic Part: True
        Session Flags: 0x0000
            .... .... .... ...0 = Guest: False
            .... .... .... ..0. = Null: False
        Security Blob: *************************
            Offset: 0x00000048
            Length: 192
            GSS-API Generic Security Service Application Program Interface
                Simple Protected Negotiation
                    negTokenTarg
                        negResult: accept-completed (0)
                        supportedMech: 1.2.840.48018.1.2.2 (MS KRB5 - Microsoft Kerberos 5)
                        responseToken: *******************...
                            krb5_blob: *******************...
                                KRB5 OID: 1.2.840.113554.1.2.2 (KRB5 - Kerberos 5)
                                krb5_tok_id: KRB5_AP_REP (0x0002)
                                Kerberos
                                    ap-rep
                                        pvno: 5
                                        msg-type: krb-ap-rep (15)
                                        enc-part
                                            etype: eTYPE-ARCFOUR-HMAC-MD5 (23)
                                            cipher: *******************...

16 0.434414 10.9.*.* 10.96.*.* TCP 66 57892→445 [ACK] Seq=3412 Ack=777 Win=32512 Len=0 TSval=264085022 TSecr=4136501133
Frame 16: 66 bytes on wire (528 bits), 66 bytes captured (528 bits)
    Encapsulation type: Ethernet (1)
    Arrival Time: Jun 2, 2016 08:35:31.843016000 CEST
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1464849331.843016000 seconds
    [Time delta from previous captured frame: 0.000033000 seconds]
    [Time delta from previous displayed frame: 0.000033000 seconds]
    [Time since reference or first frame: 0.434414000 seconds]
    Frame Number: 16
    Frame Length: 66 bytes (528 bits)
    Capture Length: 66 bytes (528 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ethertype:ip:tcp]
    [Coloring Rule Name: TCP]
    [Coloring Rule String: tcp]
Ethernet II, Src: Manufacturer_00:00:00 (00:00:00:00:00:00), Dst: Manufacturer2_11:11:11 (11:11:11:11:11:11)
    Destination: Manufacturer2_11:11:11 (11:11:11:11:11:11)
        Address: Manufacturer2_11:11:11 (11:11:11:11:11:11)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: Manufacturer_00:00:00 (00:00:00:00:00:00)
        Address: Manufacturer_00:00:00 (00:00:00:00:00:00)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IP (0x0800)
Internet Protocol Version 4, Src: 10.9.*.* (10.9.*.*), Dst: 10.96.*.* (10.96.*.*)
    Version: 4
    Header Length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00)
    Total Length: 52
    Identification: 0x952d (38189)
    Flags: 0x02 (Don't Fragment)
        0... .... = Reserved bit: Not set
        .1.. .... = Don't fragment: Set
        ..0. .... = More fragments: Not set
    Fragment offset: 0
    Time to live: 64
    Protocol: TCP (6)
    Header checksum: 0x8abe [validation disabled]
        [Good: False]
        [Bad: False]
    Source: 10.9.*.* (10.9.*.*)
    Destination: 10.96.*.* (10.96.*.*)
    [Source GeoIP: Unknown]
    [Destination GeoIP: Unknown]
Transmission Control Protocol, Src Port: 57892 (57892), Dst Port: 445 (445), Seq: 3412, Ack: 777, Len: 0
    Source Port: 57892 (57892)
    Destination Port: 445 (445)
    [Stream index: 0]
    [TCP Segment Len: 0]
    Sequence number: 3412 (relative sequence number)
    Acknowledgment number: 777 (relative ack number)
    Header Length: 32 bytes
    .... 0000 0001 0000 = Flags: 0x010 (ACK)
        000. .... .... = Reserved: Not set
        ...0 .... .... = Nonce: Not set
        .... 0... .... = Congestion Window Reduced (CWR): Not set
        .... .0.. .... = ECN-Echo: Not set
        .... ..0. .... = Urgent: Not set
        .... ...1 .... = Acknowledgment: Set
        .... .... 0... = Push: Not set
        .... .... .0.. = Reset: Not set
        .... .... ..0. = Syn: Not set
        .... .... ...0 = Fin: Not set
    Window size value: 254
    [Calculated window size: 32512]
    [Window size scaling factor: 128]
    Checksum: 0x4cf6 [validation disabled]
        [Good Checksum: False]
        [Bad Checksum: False]
    Urgent pointer: 0
    Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps
        No-Operation (NOP)
            Type: 1
                0... .... = Copy on fragmentation: No
                .00. .... = Class: Control (0)
                ...0 0001 = Number: No-Operation (NOP) (1)
        No-Operation (NOP)
            Type: 1
                0... .... = Copy on fragmentation: No
                .00. .... = Class: Control (0)
                ...0 0001 = Number: No-Operation (NOP) (1)
        Timestamps: TSval 264085022, TSecr 4136501133
            Kind: Time Stamp Option (8)
            Length: 10
            Timestamp value: 264085022
            Timestamp echo reply: 4136501133
    [SEQ/ACK analysis]
        [This is an ACK to the segment in frame: 15]
        [The RTT to ACK the segment was: 0.000033000 seconds]
        [iRTT: 0.000378000 seconds]

17 0.434804 10.9.*.* 10.96.*.* SMB2 196 Tree Connect Request Tree: \\fileserver.fqdn\IPC$
Frame 17: 196 bytes on wire (1568 bits), 196 bytes captured (1568 bits)
    Encapsulation type: Ethernet (1)
    Arrival Time: Jun 2, 2016 08:35:31.843406000 CEST
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1464849331.843406000 seconds
    [Time delta from previous captured frame: 0.000390000 seconds]
    [Time delta from previous displayed frame: 0.000390000 seconds]
    [Time since reference or first frame: 0.434804000 seconds]
    Frame Number: 17
    Frame Length: 196 bytes (1568 bits)
    Capture Length: 196 bytes (1568 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ethertype:ip:tcp:nbss:smb2]
    [Coloring Rule Name: SMB]
    [Coloring Rule String: smb || nbss || nbns || nbipx || ipxsap || netbios]
Ethernet II, Src: Manufacturer_00:00:00 (00:00:00:00:00:00), Dst: Manufacturer2_11:11:11 (11:11:11:11:11:11)
    Destination: Manufacturer2_11:11:11 (11:11:11:11:11:11)
        Address: Manufacturer2_11:11:11 (11:11:11:11:11:11)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: Manufacturer_00:00:00 (00:00:00:00:00:00)
        Address: Manufacturer_00:00:00 (00:00:00:00:00:00)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IP (0x0800)
Internet Protocol Version 4, Src: 10.9.*.* (10.9.*.*), Dst: 10.96.*.* (10.96.*.*)
    Version: 4
    Header Length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00)
    Total Length: 182
    Identification: 0x952e (38190)
    Flags: 0x02 (Don't Fragment)
        0... .... = Reserved bit: Not set
        .1.. .... = Don't fragment: Set
        ..0. .... = More fragments: Not set
    Fragment offset: 0
    Time to live: 64
    Protocol: TCP (6)
    Header checksum: 0x8a3b [validation disabled]
        [Good: False]
        [Bad: False]
    Source: 10.9.*.* (10.9.*.*)
    Destination: 10.96.*.* (10.96.*.*)
    [Source GeoIP: Unknown]
    [Destination GeoIP: Unknown]
Transmission Control Protocol, Src Port: 57892 (57892), Dst Port: 445 (445), Seq: 3412, Ack: 777, Len: 130
    Source Port: 57892 (57892)
    Destination Port: 445 (445)
    [Stream index: 0]
    [TCP Segment Len: 130]
    Sequence number: 3412 (relative sequence number)
    [Next sequence number: 3542 (relative sequence number)]
    Acknowledgment number: 777 (relative ack number)
    Header Length: 32 bytes
    .... 0000 0001 1000 = Flags: 0x018 (PSH, ACK)
        000. .... .... = Reserved: Not set
        ...0 .... .... = Nonce: Not set
        .... 0... .... = Congestion Window Reduced (CWR): Not set
        .... .0.. .... = ECN-Echo: Not set
        .... ..0. .... = Urgent: Not set
        .... ...1 .... = Acknowledgment: Set
        .... .... 1... = Push: Set
        .... .... .0.. = Reset: Not set
        .... .... ..0. = Syn: Not set
        .... .... ...0 = Fin: Not set
    Window size value: 254
    [Calculated window size: 32512]
    [Window size scaling factor: 128]
    Checksum: 0x1c35 [validation disabled]
        [Good Checksum: False]
        [Bad Checksum: False]
    Urgent pointer: 0
    Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps
        No-Operation (NOP)
            Type: 1
                0... .... = Copy on fragmentation: No
                .00. .... = Class: Control (0)
                ...0 0001 = Number: No-Operation (NOP) (1)
        No-Operation (NOP)
            Type: 1
                0... .... = Copy on fragmentation: No
                .00. .... = Class: Control (0)
                ...0 0001 = Number: No-Operation (NOP) (1)
        Timestamps: TSval 264085022, TSecr 4136501133
            Kind: Time Stamp Option (8)
            Length: 10
            Timestamp value: 264085022
            Timestamp echo reply: 4136501133
    [SEQ/ACK analysis]
        [iRTT: 0.000378000 seconds]
        [Bytes in flight: 130]
NetBIOS Session Service
    Message Type: Session message (0x00)
    Length: 126
SMB2 (Server Message Block Protocol version 2)
    SMB2 Header
        Server Component: SMB2
        Header Length: 64
        Credit Charge: 0
        Channel Sequence: 0
        Reserved: 0000
        Command: Tree Connect (3)
        Credits requested: 1
        Flags: 0x00000008
            .... .... .... .... .... .... .... ...0 = Response: This is a REQUEST
            .... .... .... .... .... .... .... ..0. = Async command: This is a SYNC command
            .... .... .... .... .... .... .... .0.. = Chained: This pdu is NOT a chained command
            .... .... .... .... .... .... .... 1... = Signing: This pdu is SIGNED
            ...0 .... .... .... .... .... .... .... = DFS operation: This is a normal operation
            ..0. .... .... .... .... .... .... .... = Replay operation: This is NOT a replay operation
        Chain Offset: 0x00000000
        Message ID: 3
        Process Id: 0x00000000
        Tree Id: 0x00000000
        Session Id: 0x8df3ec9a00000001
        Signature: ********************************
        [Response in: 18]
    Tree Connect Request (0x03)
        StructureSize: 0x0009
            0000 0000 0000 100. = Fixed Part Length: 8
            .... .... .... ...1 = Dynamic Part: True
        Tree: \\fileserver.fqdn\IPC$
            Offset: 0x00000048
            Length: 54

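Frame 15 above is the point where authentication completes: the server returns a SPNEGO negTokenTarg with negResult accept-completed, selects the Microsoft Kerberos mechanism OID, and carries a Kerberos AP-REP whose enc-part is etype 23 (eTYPE-ARCFOUR-HMAC-MD5). The AP-REP is encrypted under the session key from the service ticket, so an RC4 etype here means that ticket was issued with an RC4 session key, which typically means either the client or the file server's service account did not advertise AES. That is worth flagging during an assessment even though the session itself then goes on to be signed (frames 17 and 18). The following Python is an added example, not code from the capture or from Wireshark: because the export masks the blob bytes, it constructs a blob with the same structure using a minimal DER encoder (tags and OIDs from RFC 4178 for SPNEGO, RFC 1964 for the KRB5 GSS token framing and RFC 4120 for AP-REP), then walks that structure the way a detection script would to recover negResult, supportedMech and the etype. `SAMPLE_BLOB` and its dummy cipher text are constructed stand-ins.

```python
"""Walk the SPNEGO negTokenTarg from an SMB2 Session Setup Response and pull
out the Kerberos AP-REP encryption type (Wireshark's 'etype' line in frame 15).

Added example, not code from the capture.  The export masks the real blob, so
SAMPLE_BLOB is built below with a minimal DER encoder; tags, OIDs and the
token id come from RFC 4178 (SPNEGO), RFC 1964 (KRB5 GSS token) and RFC 4120."""

OID_KRB5 = "1.2.840.113554.1.2.2"      # GSS-API Kerberos 5 mechanism
OID_MS_KRB5 = "1.2.840.48018.1.2.2"    # Microsoft Kerberos 5 OID, what frame 15 selected
KRB5_AP_REP_TOK_ID = b"\x02\x00"       # RFC 1964 TOK_ID for KRB_AP_REP
ETYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
               18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
WEAK_ETYPES = {1, 3, 23}               # DES and RC4 are deprecated

# --- minimal DER encoder, used only to build the constructed sample ----------
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def der_int(v):                          # small non-negative integers only
    return tlv(0x02, bytes([v]))

def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))

def build_neg_token_targ(etype, cipher):
    """negTokenTarg{accept-completed, MS KRB5, responseToken = GSS KRB5 AP-REP token}."""
    enc_part = tlv(0x30, tlv(0xA0, der_int(etype)) + tlv(0xA2, tlv(0x04, cipher)))
    ap_rep = tlv(0x6F, tlv(0x30, tlv(0xA0, der_int(5)) + tlv(0xA1, der_int(15))
                           + tlv(0xA2, enc_part)))                 # [APPLICATION 15] AP-REP
    krb5_token = tlv(0x60, der_oid(OID_KRB5) + KRB5_AP_REP_TOK_ID + ap_rep)
    resp = tlv(0x30, tlv(0xA0, tlv(0x0A, b"\x00"))                 # negResult: accept-completed
                     + tlv(0xA1, der_oid(OID_MS_KRB5))              # supportedMech
                     + tlv(0xA2, tlv(0x04, krb5_token)))            # responseToken
    return tlv(0xA1, resp)                                          # [1] NegTokenResp

# --- decoder ------------------------------------------------------------------
def read_tlv(buf, off=0):
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                    # long-form length
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + length], off + length

def expect(tag, buf):
    t, v, _ = read_tlv(buf)
    if t != tag:
        raise ValueError("expected tag 0x%02x, got 0x%02x" % (tag, t))
    return v

def children(body):
    """tag -> value for the elements directly inside a constructed body."""
    out, off = {}, 0
    while off < len(body):
        tag, val, off = read_tlv(body, off)
        out[tag] = val
    return out

def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def decode_session_setup_blob(blob):
    """Return negResult, supportedMech and the AP-REP etype (None if there is no AP-REP)."""
    fields = children(expect(0x30, expect(0xA1, blob)))
    result = {"neg_result": expect(0x0A, fields[0xA0])[0],
              "mech": decode_oid(expect(0x06, fields[0xA1])), "etype": None}
    inner = expect(0x60, expect(0x04, fields[0xA2]))       # GSS-API token framing
    oid_tag, oid_val, off = read_tlv(inner)
    if oid_tag != 0x06 or decode_oid(oid_val) != OID_KRB5:
        raise ValueError("responseToken is not a KRB5 GSS token")
    if inner[off:off + 2] == KRB5_AP_REP_TOK_ID:
        ap_rep = children(expect(0x30, expect(0x6F, inner[off + 2:])))
        enc = children(expect(0x30, ap_rep[0xA2]))          # enc-part: EncryptedData
        result["etype"] = int.from_bytes(expect(0x02, enc[0xA0]), "big")
    return result

def session_uses_weak_etype(blob):
    return decode_session_setup_blob(blob)["etype"] in WEAK_ETYPES

# Constructed stand-in for frame 15's masked blob: RC4-HMAC (23) with dummy cipher text.
SAMPLE_BLOB = build_neg_token_targ(23, b"\x11" * 40)
```

`decode_session_setup_blob(SAMPLE_BLOB)` yields etype 23 and `session_uses_weak_etype` returns True for it; the same walk over a real blob lifted from a capture (the bytes behind Wireshark's masked Security Blob field) gives a per-session RC4-vs-AES inventory without depending on the dissector. The decoder deliberately keys the SEQUENCE members by context tag rather than by position, because the optional fields of NegTokenResp and EncryptedData (mechListMIC, kvno) may or may not be present.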
18 0.435292 10.96.*.* 10.9.*.* SMB2 150 Tree Connect Response
Frame 18: 150 bytes on wire (1200 bits), 150 bytes captured (1200 bits)
    Encapsulation type: Ethernet (1)
    Arrival Time: Jun 2, 2016 08:35:31.843894000 CEST
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1464849331.843894000 seconds
    [Time delta from previous captured frame: 0.000488000 seconds]
    [Time delta from previous displayed frame: 0.000488000 seconds]
    [Time since reference or first frame: 0.435292000 seconds]
    Frame Number: 18
    Frame Length: 150 bytes (1200 bits)
    Capture Length: 150 bytes (1200 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ethertype:ip:tcp:nbss:smb2]
    [Coloring Rule Name: SMB]
    [Coloring Rule String: smb || nbss || nbns || nbipx || ipxsap || netbios]
Ethernet II, Src: Manufacturer2_11:11:11 (11:11:11:11:11:11), Dst: Manufacturer_00:00:00 (00:00:00:00:00:00)
    Destination: Manufacturer_00:00:00 (00:00:00:00:00:00)
        Address: Manufacturer_00:00:00 (00:00:00:00:00:00)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: Manufacturer2_11:11:11 (11:11:11:11:11:11)
        Address: Manufacturer2_11:11:11 (11:11:11:11:11:11)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IP (0x0800)
Internet Protocol Version 4, Src: 10.96.*.* (10.96.*.*), Dst: 10.9.*.* (10.9.*.*)
    Version: 4
    Header Length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00)
    Total Length: 136
    Identification: 0x3501 (13569)
    Flags: 0x02 (Don't Fragment)
        0... .... = Reserved bit: Not set
        .1.. .... = Don't fragment: Set
        ..0. .... = More fragments: Not set
    Fragment offset: 0
    Time to live: 62
    Protocol: TCP (6)
    Header checksum: 0xec96 [validation disabled]
        [Good: False]
        [Bad: False]
    Source: 10.96.*.* (10.96.*.*)
    Destination: 10.9.*.* (10.9.*.*)
    [Source GeoIP: Unknown]
    [Destination GeoIP: Unknown]
Transmission Control Protocol, Src Port: 445 (445), Dst Port: 57892 (57892), Seq: 777, Ack: 3542, Len: 84
    Source Port: 445 (445)
    Destination Port: 57892 (57892)
    [Stream index: 0]
    [TCP Segment Len: 84]
    Sequence number: 777 (relative sequence number)
    [Next sequence number: 861 (relative sequence number)]
    Acknowledgment number: 3542 (relative ack number)
    Header Length: 32 bytes
    .... 0000 0001 1000 = Flags: 0x018 (PSH, ACK)
        000. .... .... = Reserved: Not set
        ...0 .... .... = Nonce: Not set
        .... 0... .... = Congestion Window Reduced (CWR): Not set
        .... .0.. .... = ECN-Echo: Not set
        .... ..0. .... = Urgent: Not set
        .... ...1 .... = Acknowledgment: Set
        .... .... 1... = Push: Set
        .... .... .0.. = Reset: Not set
        .... .... ..0. = Syn: Not set
        .... .... ...0 = Fin: Not set
    Window size value: 262
    [Calculated window size: 33536]
    [Window size scaling factor: 128]
    Checksum: 0x92bb [validation disabled]
        [Good Checksum: False]
        [Bad Checksum: False]
    Urgent pointer: 0
    Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps
        No-Operation (NOP)
            Type: 1
                0... .... = Copy on fragmentation: No
                .00. .... = Class: Control (0)
                ...0 0001 = Number: No-Operation (NOP) (1)
        No-Operation (NOP)
            Type: 1
                0... .... = Copy on fragmentation: No
                .00. .... = Class: Control (0)
                ...0 0001 = Number: No-Operation (NOP) (1)
        Timestamps: TSval 4136501134, TSecr 264085022
            Kind: Time Stamp Option (8)
            Length: 10
            Timestamp value: 4136501134
            Timestamp echo reply: 264085022
    [SEQ/ACK analysis]
        [This is an ACK to the segment in frame: 17]
        [The RTT to ACK the segment was: 0.000488000 seconds]
        [iRTT: 0.000378000 seconds]
        [Bytes in flight: 84]
NetBIOS Session Service
    Message Type: Session message (0x00)
    Length: 80
SMB2 (Server Message Block Protocol version 2)
    SMB2 Header
        Server Component: SMB2
        Header Length: 64
        Credit Charge: 0
        NT Status: STATUS_SUCCESS (0x00000000)
        Command: Tree Connect (3)
        Credits granted: 1
        Flags: 0x00000009
            .... .... .... .... .... .... .... ...1 = Response: This is a RESPONSE
            .... .... .... .... .... .... .... ..0. = Async command: This is a SYNC command
            .... .... .... .... .... .... .... .0.. = Chained: This pdu is NOT a chained command
            .... .... .... .... .... .... .... 1... = Signing: This pdu is SIGNED
            ...0 .... .... .... .... .... .... .... = DFS operation: This is a normal operation
            ..0. .... .... .... .... .... .... .... = Replay operation: This is NOT a replay operation
        Chain Offset: 0x00000000
        Message ID: 3
        Process Id: 0x00000000
        Tree Id: 0x00000001 \\fileserver.fqdn\IPC$
            [Tree: \\fileserver.fqdn\IPC$]
            [Share Type: Named pipe (0x02)]
            [Connected in Frame: 18]
        Session Id: 0x8df3ec9a00000001
        Signature: ********************************
        [Response to: 17]
        [Time from request: 0.000488000 seconds]
    Tree Connect Response (0x03)
        StructureSize: 0x0010
            0000 0000 0001 000. = Fixed Part Length: 16
            .... .... .... ...0 = Dynamic Part: False
        Share Type: Named pipe (0x02)
        Share flags: 0x00000000
            .... .... .... .... .... .... .... ...0 = DFS: False
            .... .... .... .... .... .... .... ..0. = DFS root: False
            .... .... .... .... .... ...0 .... .... = Restrict exclusive opens: False
            .... .... .... .... .... ..0. .... .... = Force shared delete: False
            .... .... .... .... .... .0.. .... .... = Allow namespace caching: False
            .... .... .... .... .... 0... .... .... = Access based directory enum: False
            .... .... .... .... ...0 .... .... .... = Force level II oplock: False
            .... .... .... .... ..0. .... .... .... = Enable hash V1: False
            .... .... .... .... .0.. .... .... .... = Enable hash V2: False
            .... .... .... .... 0... .... .... .... = Encrypted data required: False
        Caching policy: Manual caching (00000000)
        Share Capabilities: 0x00000000
            .... .... .... .... .... .... .... 0... = DFS: False
            .... .... .... .... .... .... ...0 .... = CONTINUOUS AVAILABILITY: False
            .... .... .... .... .... .... ..0. .... = SCALEOUT: False
            .... .... .... .... .... .... .0.. .... = CLUSTER: False
        Access Mask: 0x001f01ff
            .... .... .... .... .... .... .... ...1 = Read: READ access
            .... .... .... .... .... .... .... ..1. = Write: WRITE access
            .... .... .... .... .... .... .... .1.. = Append: APPEND access
            .... .... .... .... .... .... .... 1... = Read EA: READ EXTENDED ATTRIBUTES access
            .... .... .... .... .... .... ...1 .... = Write EA: WRITE EXTENDED ATTRIBUTES access
            .... .... .... .... .... .... ..1. .... = Execute: EXECUTE access
            .... .... .... .... .... .... .1.. .... = Delete Child: DELETE CHILD access
            .... .... .... .... .... .... 1... .... = Read Attributes: READ ATTRIBUTES access
            .... .... .... .... .... ...1 .... .... = Write Attributes: WRITE ATTRIBUTES access
            .... .... .... ...1 .... .... .... .... = Delete: DELETE access
            .... .... .... ..1. .... .... .... .... = Read Control: READ ACCESS to owner, group and ACL of the SID
            .... .... .... .1.. .... .... .... .... = Write DAC: OWNER may WRITE the DAC
            .... .... .... 1... .... .... .... .... = Write Owner: Can WRITE OWNER (take ownership)
            .... .... ...1 .... .... .... .... .... = Synchronize: Can wait on handle to SYNCHRONIZE on completion of I/O
            .... ...0 .... .... .... .... .... .... = System Security: System security is NOT set
            .... ..0. .... .... .... .... .... .... = Maximum Allowed: Maximum allowed is NOT set
            ...0 .... .... .... .... .... .... .... = Generic All: Generic all is NOT set
            ..0. .... .... .... .... .... .... .... = Generic Execute: Generic execute is NOT set
            .0.. .... .... .... .... .... .... .... = Generic Write: Generic write is NOT set
            0... .... .... .... .... .... .... .... = Generic Read: Generic read is NOT set

19 0.435372 10.9.*.* 10.96.*.* SMB2 230 Ioctl Request FSCTL_VALIDATE_NEGOTIATE_INFO
Frame 19: 230 bytes on wire (1840 bits), 230 bytes captured (1840 bits)
    Encapsulation type: Ethernet (1)
    Arrival Time: Jun 2, 2016 08:35:31.843974000 CEST
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1464849331.843974000 seconds
    [Time delta from previous captured frame: 0.000080000 seconds]
    [Time delta from previous displayed frame: 0.000080000 seconds]
    [Time since reference or first frame: 0.435372000 seconds]
    Frame Number: 19
    Frame Length: 230 bytes (1840 bits)
    Capture Length: 230 bytes (1840 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ethertype:ip:tcp:nbss:smb2]
    [Coloring Rule Name: SMB]
    [Coloring Rule String: smb || nbss || nbns || nbipx || ipxsap || netbios]
Ethernet II, Src: Manufacturer_00:00:00 (00:00:00:00:00:00), Dst: Manufacturer2_11:11:11 (11:11:11:11:11:11)
    Destination: Manufacturer2_11:11:11 (11:11:11:11:11:11)
        Address: Manufacturer2_11:11:11 (11:11:11:11:11:11)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: Manufacturer_00:00:00 (00:00:00:00:00:00)
        Address: Manufacturer_00:00:00 (00:00:00:00:00:00)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IP (0x0800)
Internet Protocol Version 4, Src: 10.9.*.* (10.9.*.*), Dst: 10.96.*.* (10.96.*.*)
    Version: 4
    Header Length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00)
    Total Length: 216
    Identification: 0x952f (38191)
    Flags: 0x02 (Don't Fragment)
        0... .... = Reserved bit: Not set
        .1.. .... = Don't fragment: Set
        ..0. .... = More fragments: Not set
    Fragment offset: 0
    Time to live: 64
    Protocol: TCP (6)
    Header checksum: 0x8a18 [validation disabled]
        [Good: False]
        [Bad: False]
    Source: 10.9.*.* (10.9.*.*)
    Destination: 10.96.*.* (10.96.*.*)
    [Source GeoIP: Unknown]
    [Destination GeoIP: Unknown]
Transmission Control Protocol, Src Port: 57892 (57892), Dst Port: 445 (445), Seq: 3542, Ack: 861, Len: 164
    Source Port: 57892 (57892)
    Destination Port: 445 (445)
    [Stream index: 0]
    [TCP Segment Len: 164]
    Sequence number: 3542 (relative sequence number)
    [Next sequence number: 3706 (relative sequence number)]
    Acknowledgment number: 861 (relative ack number)
    Header Length: 32 bytes
    .... 0000 0001 1000 = Flags: 0x018 (PSH, ACK)
        000. .... .... = Reserved: Not set
        ...0 .... .... = Nonce: Not set
        .... 0... .... = Congestion Window Reduced (CWR): Not set
        .... .0.. .... = ECN-Echo: Not set
        .... ..0. .... = Urgent: Not set
        .... ...1 .... = Acknowledgment: Set
        .... .... 1... = Push: Set
        .... .... .0.. = Reset: Not set
        .... .... ..0. = Syn: Not set
        .... .... ...0 = Fin: Not set
    Window size value: 254
    [Calculated window size: 32512]
    [Window size scaling factor: 128]
    Checksum: 0xb8c9 [validation disabled]
        [Good Checksum: False]
        [Bad Checksum: False]
    Urgent pointer: 0
    Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps
        No-Operation (NOP)
            Type: 1
                0... .... = Copy on fragmentation: No
                .00. .... = Class: Control (0)
                ...0 0001 = Number: No-Operation (NOP) (1)
        No-Operation (NOP)
            Type: 1
                0... .... = Copy on fragmentation: No
                .00. .... = Class: Control (0)
                ...0 0001 = Number: No-Operation (NOP) (1)
        Timestamps: TSval 264085023, TSecr 4136501134
            Kind: Time Stamp Option (8)
            Length: 10
            Timestamp value: 264085023
            Timestamp echo reply: 4136501134
    [SEQ/ACK analysis]
        [This is an ACK to the segment in frame: 18]
        [The RTT to ACK the segment was: 0.000080000 seconds]
        [iRTT: 0.000378000 seconds]
        [Bytes in flight: 164]
NetBIOS Session Service
    Message Type: Session message (0x00)
    Length: 160
SMB2 (Server Message Block Protocol version 2)
    SMB2 Header
        Server Component: SMB2
        Header Length: 64
        Credit Charge: 0
        Channel Sequence: 0
        Reserved: 0000
        Command: Ioctl (11)
        Credits requested: 1
        Flags: 0x00000008
            .... .... .... .... .... .... .... ...0 = Response: This is a REQUEST
            .... .... .... .... .... .... .... ..0. = Async command: This is a SYNC command
            .... .... .... .... .... .... .... .0.. = Chained: This pdu is NOT a chained command
            .... .... .... .... .... .... .... 1... = Signing: This pdu is SIGNED
            ...0 .... .... .... .... .... .... .... = DFS operation: This is a normal operation
            ..0. .... .... .... .... .... .... .... = Replay operation: This is NOT a replay operation
        Chain Offset: 0x00000000
        Message ID: 4
        Process Id: 0x00000000
        Tree Id: 0x00000001 \\fileserver.fqdn\IPC$
            [Tree: \\fileserver.fqdn\IPC$]
            [Share Type: Named pipe (0x02)]
            [Connected in Frame: 18]
        Session Id: 0x8df3ec9a00000001
        Signature: ********************************
        [Response in: 20]
    Ioctl Request (0x0b)
        StructureSize: 0x0039
            0000 0000 0011 100. = Fixed Part Length: 56
            .... .... .... ...1 = Dynamic Part: True
        Function: FSCTL_VALIDATE_NEGOTIATE_INFO (0x00140204)
            0000 0000 0001 0100 .... .... .... .... = Device: NETWORK_FILE_SYSTEM (0x00000014)
            .... .... .... .... 00.. .... .... .... = Access: FILE_ANY_ACCESS (0x00000000)
            .... .... .... .... ..00 0010 0000 01.. = Function: 0x00000081
            .... .... .... .... .... .... .... ..00 = Method: METHOD_BUFFERED (0x00000000)
        GUID handle File Id: ffffffff-ffff-ffff-ffff-ffffffffffff
        Max Ioctl In Size: 0
        Max Ioctl Out Size: 24
        Flags: 0x00000001
            .... .... .... .... .... .... .... ...1 = Is FSCTL: True
        In Data
            Offset: 0x00000078
            Length: 40
            Capabilities: 0x0000007f
                .... .... .... .... .... .... .... ...1 = DFS: This host supports DFS
                .... .... .... .... .... .... .... ..1. = LEASING: This host supports LEASING
                .... .... .... .... .... .... .... .1.. = LARGE MTU: This host supports LARGE_MTU
                .... .... .... .... .... .... .... 1... = MULTI CHANNEL: This host supports MULTI CHANNEL
                .... .... .... .... .... .... ...1 .... = PERSISTENT HANDLES: This host supports PERSISTENT HANDLES
                .... .... .... .... .... .... ..1. .... = DIRECTORY LEASING: This host supports DIRECTORY LEASING
                .... .... .... .... .... .... .1.. .... = ENCRYPTION: This host supports ENCRYPTION
            Client Guid: 00000000-0000-0000-0000-000000000000
            Security mode: 0x01
                .... ...1 = Signing enabled: True
                .... ..0. = Signing required: False
            Dialect count: 8
            Dialect: 0x0202
            Dialect: 0x0210
            Dialect: 0x0222
            Dialect: 0x0224
            Dialect: 0x0300
            Dialect: 0x0302
            Dialect: 0x0310
            Dialect: 0x0311
        Out Data: NO DATA
            Offset: 0x00000078
            Length: 0

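Frame 19 above is the client's FSCTL_VALIDATE_NEGOTIATE_INFO, sent signed (Flags 0x08) on the IPC$ tree it just connected. Its 40-byte input repeats what the client said in the unsigned NEGOTIATE (capabilities, client GUID, security mode and all eight dialects) so that the server can confirm, under the session's signing key, that nobody altered that exchange in transit; a clean answer is a 24-byte payload holding the server's view of the negotiated capabilities, server GUID, security mode and dialect, which the client compares against what it recorded. Frame 20 answers with STATUS_NOT_SUPPORTED instead, and the security point is what that does not prove: the server simply did not run the check, so the NEGOTIATE exchange remains unverified, and a client that treats the error as a pass has gained nothing. (With SMB 3.1.1 the NEGOTIATE is covered by pre-authentication integrity hashing instead of this ioctl.) The Python below is an added example, not code from the page: it parses the NBSS + SMB2 header layout visible in frames 17 to 20, rebuilds frame 19's input buffer, decodes the CTL_CODE the way Wireshark displays it, and applies the client-side comparison to constructed responses, including the error path frame 20 exercises. Signatures are zero because the export masks them, and `NEGOTIATED` is a made-up stand-in for a NEGOTIATE exchange that is not in this excerpt.

```python
"""NBSS + SMB2 header parsing and the client side of FSCTL_VALIDATE_NEGOTIATE_INFO
(MS-SMB2 2.2.31.4, 2.2.32.6, 3.2.5.14.12), modelled on frames 17-20 above.

Added example, not code from the page.  Every PDU here is constructed:
signatures are zero because the export masks them, and NEGOTIATED stands in
for a NEGOTIATE exchange that is not part of the excerpt."""
import struct
import uuid

SMB2_MAGIC = b"\xfeSMB"
SMB2_IOCTL = 0x000B
FSCTL_VALIDATE_NEGOTIATE_INFO = 0x00140204
STATUS_SUCCESS = 0x00000000
STATUS_NOT_SUPPORTED = 0xC00000BB            # what frame 20 returns
STATUS_INVALID_DEVICE_REQUEST = 0xC0000010
STATUS_FILE_CLOSED = 0xC0000128
FLAG_RESPONSE, FLAG_SIGNED = 0x00000001, 0x00000008
HDR = struct.Struct("<4sHHIHHIIQIIQ16s")      # 64-byte sync SMB2 header, little-endian
IOCTL_RESP = struct.Struct("<HHI16sIIIIII")    # 48 fixed bytes of the IOCTL response (StructureSize 49)

def decode_ctl_code(code):
    """Split a CTL_CODE into the device/access/function/method fields Wireshark shows."""
    return {"device": code >> 16, "access": (code >> 14) & 0x3,
            "function": (code >> 2) & 0xFFF, "method": code & 0x3}

def build_pdu(command, status, flags, msg_id, session_id, tree_id, body):
    """NBSS session message (type 0, 3-byte big-endian length) around header + body."""
    hdr = HDR.pack(SMB2_MAGIC, 64, 0, status, command, 1, flags, 0, msg_id, 0,
                   tree_id, session_id, b"\x00" * 16)
    return b"\x00" + len(hdr + body).to_bytes(3, "big") + hdr + body

def parse_smb2(pdu):
    """Return the header fields a client needs plus the command body."""
    if pdu[0] != 0 or int.from_bytes(pdu[1:4], "big") != len(pdu) - 4:
        raise ValueError("bad NBSS framing")
    (magic, size, _, status, command, _, flags, _, msg_id, _, tree_id,
     session_id, _) = HDR.unpack_from(pdu, 4)
    if magic != SMB2_MAGIC or size != 64:
        raise ValueError("not an SMB2 header")
    return {"status": status, "command": command, "message_id": msg_id,
            "tree_id": tree_id, "session_id": session_id,
            "response": bool(flags & FLAG_RESPONSE), "signed": bool(flags & FLAG_SIGNED),
            "body": pdu[4 + 64:]}

def build_validate_negotiate_input(capabilities, client_guid, security_mode, dialects):
    """VALIDATE_NEGOTIATE_INFO request payload: 40 bytes for the 8 dialects of frame 19."""
    return struct.pack("<I16sHH%dH" % len(dialects), capabilities, client_guid.bytes_le,
                       security_mode, len(dialects), *dialects)

def check_validate_negotiate(resp_pdu, negotiated):
    """Client verdict on the IOCTL response.  `negotiated` is what the earlier
    NEGOTIATE established: capabilities, server_guid, security_mode, dialect."""
    hdr = parse_smb2(resp_pdu)
    if hdr["command"] != SMB2_IOCTL or not hdr["response"]:
        raise ValueError("not an IOCTL response")
    if hdr["status"] in (STATUS_NOT_SUPPORTED, STATUS_FILE_CLOSED, STATUS_INVALID_DEVICE_REQUEST):
        return "unverified"        # server did not run the check (frame 20): nothing confirmed
    if hdr["status"] != STATUS_SUCCESS or not hdr["signed"]:
        return "terminate"         # only a signed success can vouch for the NEGOTIATE
    _, _, ctl, _, _, _, out_off, out_cnt, _, _ = IOCTL_RESP.unpack_from(hdr["body"])
    if ctl != FSCTL_VALIDATE_NEGOTIATE_INFO or out_cnt != 24:
        return "terminate"
    caps, guid, sec_mode, dialect = struct.unpack_from("<I16sHH", hdr["body"], out_off - 64)
    matches = (caps == negotiated["capabilities"]
               and uuid.UUID(bytes_le=guid) == negotiated["server_guid"]
               and sec_mode == negotiated["security_mode"]
               and dialect == negotiated["dialect"])
    return "ok" if matches else "terminate"

# ---- constructed sample data -------------------------------------------------
SESSION_ID, TREE_ID = 0x8DF3EC9A00000001, 0x00000001       # as in frames 17-19
DIALECTS = [0x0202, 0x0210, 0x0222, 0x0224, 0x0300, 0x0302, 0x0310, 0x0311]
REQUEST_INPUT = build_validate_negotiate_input(0x7F, uuid.UUID(int=0), 0x01, DIALECTS)
NEGOTIATED = {"capabilities": 0x07, "security_mode": 0x01, "dialect": 0x0302,  # made up
              "server_guid": uuid.UUID("11111111-2222-3333-4444-555555555555")}

def make_error_response(status):
    """SMB2 ERROR response (StructureSize 9, one byte of ErrorData): 4 + 64 + 9 = 77 bytes, as frame 20."""
    body = struct.pack("<HBBI", 9, 0, 0, 0) + b"\x00"
    return build_pdu(SMB2_IOCTL, status, FLAG_RESPONSE, 4, SESSION_ID, TREE_ID, body)

def make_success_response(caps, server_guid, sec_mode, dialect, signed=True):
    out = struct.pack("<I16sHH", caps, server_guid.bytes_le, sec_mode, dialect)
    body = IOCTL_RESP.pack(49, 0, FSCTL_VALIDATE_NEGOTIATE_INFO, b"\xff" * 16,
                           0x70, 0, 0x70, len(out), 1, 0) + out   # offsets count from the SMB2 header
    return build_pdu(SMB2_IOCTL, STATUS_SUCCESS, FLAG_RESPONSE | (FLAG_SIGNED if signed else 0),
                     4, SESSION_ID, TREE_ID, body)
```

`check_validate_negotiate` returns three distinct verdicts on purpose: "ok" only for a signed STATUS_SUCCESS whose 24 bytes match the recorded NEGOTIATE, "terminate" for any mismatch, unsigned success or unexpected status, and "unverified" for the frame 20 case so the caller decides by policy rather than by accident. When triaging captures, the corresponding Wireshark filter is the Ioctl command (11) with function 0x00140204 and a non-zero NT status; any such hit on a 3.0/3.0.2 session is a server that cannot prove its NEGOTIATE was untouched.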
Time Source Destination Protocol Length Info 20 0.435903 10.96.*.* 10.9.*.* SMB2 143 Ioctl Response, Error: STATUS_NOT_SUPPORTED Frame 20: 143 bytes on wire (1144 bits), 143 bytes captured (1144 bits) Encapsulation type: Ethernet (1) Arrival Time: Jun 2, 2016 08:35:31.844505000 CEST [Time shift for this packet: 0.000000000 seconds] Epoch Time: 1464849331.844505000 seconds [Time delta from previous captured frame: 0.000531000 seconds] [Time delta from previous displayed frame: 0.000531000 seconds] [Time since reference or first frame: 0.435903000 seconds] Frame Number: 20 Frame Length: 143 bytes (1144 bits) Capture Length: 143 bytes (1144 bits) [Frame is marked: False] [Frame is ignored: False] [Protocols in frame: eth:ethertype:ip:tcp:nbss:smb2] [Coloring Rule Name: SMB] [Coloring Rule String: smb || nbss || nbns || nbipx || ipxsap || netbios] Ethernet II, Src: Manufacturer2_11:11:11 (11:11:11:11:11:11), Dst: Manufacturer_00:00:00 (00:00:00:00:00:00) Destination: Manufacturer_00:00:00 (00:00:00:00:00:00) Address: Manufacturer_00:00:00 (00:00:00:00:00:00) .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) .... ...0 .... .... .... .... = IG bit: Individual address (unicast) Source: Manufacturer2_11:11:11 (11:11:11:11:11:11) Address: Manufacturer2_11:11:11 (11:11:11:11:11:11) .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) .... ...0 .... .... .... .... = IG bit: Individual address (unicast) Type: IP (0x0800) Internet Protocol Version 4, Src: 10.96.*.* (10.96.*.*), Dst: 10.9.*.* (10.9.*.*) Version: 4 Header Length: 20 bytes Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport)) 0000 00.. = Differentiated Services Codepoint: Default (0x00) .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00) Total Length: 129 Identification: 0x3601 (13825) Flags: 0x02 (Don't Fragment) 0... .... = Reserved bit: Not set .1.. .... 
= Don't fragment: Set ..0. .... = More fragments: Not set Fragment offset: 0 Time to live: 62 Protocol: TCP (6) Header checksum: 0xeb9d [validation disabled] [Good: False] [Bad: False] Source: 10.96.*.* (10.96.*.*) Destination: 10.9.*.* (10.9.*.*) [Source GeoIP: Unknown] [Destination GeoIP: Unknown] Transmission Control Protocol, Src Port: 445 (445), Dst Port: 57892 (57892), Seq: 861, Ack: 3706, Len: 77 Source Port: 445 (445) Destination Port: 57892 (57892) [Stream index: 0] [TCP Segment Len: 77] Sequence number: 861 (relative sequence number) [Next sequence number: 938 (relative sequence number)] Acknowledgment number: 3706 (relative ack number) Header Length: 32 bytes .... 0000 0001 1000 = Flags: 0x018 (PSH, ACK) 000. .... .... = Reserved: Not set ...0 .... .... = Nonce: Not set .... 0... .... = Congestion Window Reduced (CWR): Not set .... .0.. .... = ECN-Echo: Not set .... ..0. .... = Urgent: Not set .... ...1 .... = Acknowledgment: Set .... .... 1... = Push: Set .... .... .0.. = Reset: Not set .... .... ..0. = Syn: Not set .... .... ...0 = Fin: Not set Window size value: 262 [Calculated window size: 33536] [Window size scaling factor: 128] Checksum: 0x5e39 [validation disabled] [Good Checksum: False] [Bad Checksum: False] Urgent pointer: 0 Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps No-Operation (NOP) Type: 1 0... .... = Copy on fragmentation: No .00. .... = Class: Control (0) ...0 0001 = Number: No-Operation (NOP) (1) No-Operation (NOP) Type: 1 0... .... = Copy on fragmentation: No .00. .... 
= Class: Control (0) ...0 0001 = Number: No-Operation (NOP) (1) Timestamps: TSval 4136501135, TSecr 264085023 Kind: Time Stamp Option (8) Length: 10 Timestamp value: 4136501135 Timestamp echo reply: 264085023 [SEQ/ACK analysis] [This is an ACK to the segment in frame: 19] [The RTT to ACK the segment was: 0.000531000 seconds] [iRTT: 0.000378000 seconds] [Bytes in flight: 77] NetBIOS Session Service Message Type: Session message (0x00) Length: 73 SMB2 (Server Message Block Protocol version 2) SMB2 Header Server Component: SMB2 Header Length: 64 Credit Charge: 0 NT Status: STATUS_NOT_SUPPORTED (0xc00000bb) Command: Ioctl (11) Credits granted: 1 Flags: 0x00000009 .... .... .... .... .... .... .... ...1 = Response: This is a RESPONSE .... .... .... .... .... .... .... ..0. = Async command: This is a SYNC command .... .... .... .... .... .... .... .0.. = Chained: This pdu is NOT a chained command .... .... .... .... .... .... .... 1... = Signing: This pdu is SIGNED ...0 .... .... .... .... .... .... .... = DFS operation: This is a normal operation ..0. .... .... .... .... .... .... .... = Replay operation: This is NOT a replay operation Chain Offset: 0x00000000 Message ID: 4 Process Id: 0x00000000 Tree Id: 0x00000001 \\fileserver.fqdn\IPC$ [Tree: \\fileserver.fqdn\IPC$] [Share Type: Named pipe (0x02)] [Connected in Frame: 18] Session Id: 0x8df3ec9a00000001 Signature: ******************************** [Response to: 19] [Time from request: 0.000531000 seconds] Ioctl Response (0x0b) StructureSize: 0x0009 0000 0000 0000 100. = Fixed Part Length: 8 .... .... .... ...1 = Dynamic Part: True Reserved: 0x0000 Byte Count: 0 Error Data: 00 No. 
Time Source Destination Protocol Length Info 21 0.436042 10.9.*.* 10.96.*.* SMB2 210 Tree Connect Request Tree: \\fileserver.fqdn\Folder Frame 21: 210 bytes on wire (1680 bits), 210 bytes captured (1680 bits) Encapsulation type: Ethernet (1) Arrival Time: Jun 2, 2016 08:35:31.844644000 CEST [Time shift for this packet: 0.000000000 seconds] Epoch Time: 1464849331.844644000 seconds [Time delta from previous captured frame: 0.000139000 seconds] [Time delta from previous displayed frame: 0.000139000 seconds] [Time since reference or first frame: 0.436042000 seconds] Frame Number: 21 Frame Length: 210 bytes (1680 bits) Capture Length: 210 bytes (1680 bits) [Frame is marked: False] [Frame is ignored: False] [Protocols in frame: eth:ethertype:ip:tcp:nbss:smb2] [Coloring Rule Name: SMB] [Coloring Rule String: smb || nbss || nbns || nbipx || ipxsap || netbios] Ethernet II, Src: Manufacturer_00:00:00 (00:00:00:00:00:00), Dst: Manufacturer2_11:11:11 (11:11:11:11:11:11) Destination: Manufacturer2_11:11:11 (11:11:11:11:11:11) Address: Manufacturer2_11:11:11 (11:11:11:11:11:11) .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) .... ...0 .... .... .... .... = IG bit: Individual address (unicast) Source: Manufacturer_00:00:00 (00:00:00:00:00:00) Address: Manufacturer_00:00:00 (00:00:00:00:00:00) .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) .... ...0 .... .... .... .... = IG bit: Individual address (unicast) Type: IP (0x0800) Internet Protocol Version 4, Src: 10.9.*.* (10.9.*.*), Dst: 10.96.*.* (10.96.*.*) Version: 4 Header Length: 20 bytes Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport)) 0000 00.. = Differentiated Services Codepoint: Default (0x00) .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00) Total Length: 196 Identification: 0x9530 (38192) Flags: 0x02 (Don't Fragment) 0... .... = Reserved bit: Not set .1.. .... 
= Don't fragment: Set ..0. .... = More fragments: Not set Fragment offset: 0 Time to live: 64 Protocol: TCP (6) Header checksum: 0x8a2b [validation disabled] [Good: False] [Bad: False] Source: 10.9.*.* (10.9.*.*) Destination: 10.96.*.* (10.96.*.*) [Source GeoIP: Unknown] [Destination GeoIP: Unknown] Transmission Control Protocol, Src Port: 57892 (57892), Dst Port: 445 (445), Seq: 3706, Ack: 938, Len: 144 Source Port: 57892 (57892) Destination Port: 445 (445) [Stream index: 0] [TCP Segment Len: 144] Sequence number: 3706 (relative sequence number) [Next sequence number: 3850 (relative sequence number)] Acknowledgment number: 938 (relative ack number) Header Length: 32 bytes .... 0000 0001 1000 = Flags: 0x018 (PSH, ACK) 000. .... .... = Reserved: Not set ...0 .... .... = Nonce: Not set .... 0... .... = Congestion Window Reduced (CWR): Not set .... .0.. .... = ECN-Echo: Not set .... ..0. .... = Urgent: Not set .... ...1 .... = Acknowledgment: Set .... .... 1... = Push: Set .... .... .0.. = Reset: Not set .... .... ..0. = Syn: Not set .... .... ...0 = Fin: Not set Window size value: 254 [Calculated window size: 32512] [Window size scaling factor: 128] Checksum: 0xa97e [validation disabled] [Good Checksum: False] [Bad Checksum: False] Urgent pointer: 0 Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps No-Operation (NOP) Type: 1 0... .... = Copy on fragmentation: No .00. .... = Class: Control (0) ...0 0001 = Number: No-Operation (NOP) (1) No-Operation (NOP) Type: 1 0... .... = Copy on fragmentation: No .00. .... 
= Class: Control (0) ...0 0001 = Number: No-Operation (NOP) (1) Timestamps: TSval 264085023, TSecr 4136501135 Kind: Time Stamp Option (8) Length: 10 Timestamp value: 264085023 Timestamp echo reply: 4136501135 [SEQ/ACK analysis] [This is an ACK to the segment in frame: 20] [The RTT to ACK the segment was: 0.000139000 seconds] [iRTT: 0.000378000 seconds] [Bytes in flight: 144] NetBIOS Session Service Message Type: Session message (0x00) Length: 140 SMB2 (Server Message Block Protocol version 2) SMB2 Header Server Component: SMB2 Header Length: 64 Credit Charge: 0 Channel Sequence: 0 Reserved: 0000 Command: Tree Connect (3) Credits requested: 1 Flags: 0x00000008 .... .... .... .... .... .... .... ...0 = Response: This is a REQUEST .... .... .... .... .... .... .... ..0. = Async command: This is a SYNC command .... .... .... .... .... .... .... .0.. = Chained: This pdu is NOT a chained command .... .... .... .... .... .... .... 1... = Signing: This pdu is SIGNED ...0 .... .... .... .... .... .... .... = DFS operation: This is a normal operation ..0. .... .... .... .... .... .... .... = Replay operation: This is NOT a replay operation Chain Offset: 0x00000000 Message ID: 5 Process Id: 0x00000000 Tree Id: 0x00000000 Session Id: 0x8df3ec9a00000001 Signature: ******************************** [Response in: 22] Tree Connect Request (0x03) StructureSize: 0x0009 0000 0000 0000 100. = Fixed Part Length: 8 .... .... .... ...1 = Dynamic Part: True Tree: \\fileserver.fqdn\Folder Offset: 0x00000048 Length: 68 No. 
Time Source Destination Protocol Length Info 22 0.436755 10.96.*.* 10.9.*.* SMB2 150 Tree Connect Response Frame 22: 150 bytes on wire (1200 bits), 150 bytes captured (1200 bits) Encapsulation type: Ethernet (1) Arrival Time: Jun 2, 2016 08:35:31.845357000 CEST [Time shift for this packet: 0.000000000 seconds] Epoch Time: 1464849331.845357000 seconds [Time delta from previous captured frame: 0.000713000 seconds] [Time delta from previous displayed frame: 0.000713000 seconds] [Time since reference or first frame: 0.436755000 seconds] Frame Number: 22 Frame Length: 150 bytes (1200 bits) Capture Length: 150 bytes (1200 bits) [Frame is marked: False] [Frame is ignored: False] [Protocols in frame: eth:ethertype:ip:tcp:nbss:smb2] [Coloring Rule Name: SMB] [Coloring Rule String: smb || nbss || nbns || nbipx || ipxsap || netbios] Ethernet II, Src: Manufacturer2_11:11:11 (11:11:11:11:11:11), Dst: Manufacturer_00:00:00 (00:00:00:00:00:00) Destination: Manufacturer_00:00:00 (00:00:00:00:00:00) Address: Manufacturer_00:00:00 (00:00:00:00:00:00) .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) .... ...0 .... .... .... .... = IG bit: Individual address (unicast) Source: Manufacturer2_11:11:11 (11:11:11:11:11:11) Address: Manufacturer2_11:11:11 (11:11:11:11:11:11) .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) .... ...0 .... .... .... .... = IG bit: Individual address (unicast) Type: IP (0x0800) Internet Protocol Version 4, Src: 10.96.*.* (10.96.*.*), Dst: 10.9.*.* (10.9.*.*) Version: 4 Header Length: 20 bytes Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport)) 0000 00.. = Differentiated Services Codepoint: Default (0x00) .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00) Total Length: 136 Identification: 0x3701 (14081) Flags: 0x02 (Don't Fragment) 0... .... = Reserved bit: Not set .1.. .... = Don't fragment: Set ..0. .... 
= More fragments: Not set Fragment offset: 0 Time to live: 62 Protocol: TCP (6) Header checksum: 0xea96 [validation disabled] [Good: False] [Bad: False] Source: 10.96.*.* (10.96.*.*) Destination: 10.9.*.* (10.9.*.*) [Source GeoIP: Unknown] [Destination GeoIP: Unknown] Transmission Control Protocol, Src Port: 445 (445), Dst Port: 57892 (57892), Seq: 938, Ack: 3850, Len: 84 Source Port: 445 (445) Destination Port: 57892 (57892) [Stream index: 0] [TCP Segment Len: 84] Sequence number: 938 (relative sequence number) [Next sequence number: 1022 (relative sequence number)] Acknowledgment number: 3850 (relative ack number) Header Length: 32 bytes .... 0000 0001 1000 = Flags: 0x018 (PSH, ACK) 000. .... .... = Reserved: Not set ...0 .... .... = Nonce: Not set .... 0... .... = Congestion Window Reduced (CWR): Not set .... .0.. .... = ECN-Echo: Not set .... ..0. .... = Urgent: Not set .... ...1 .... = Acknowledgment: Set .... .... 1... = Push: Set .... .... .0.. = Reset: Not set .... .... ..0. = Syn: Not set .... .... ...0 = Fin: Not set Window size value: 262 [Calculated window size: 33536] [Window size scaling factor: 128] Checksum: 0xc25b [validation disabled] [Good Checksum: False] [Bad Checksum: False] Urgent pointer: 0 Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps No-Operation (NOP) Type: 1 0... .... = Copy on fragmentation: No .00. .... = Class: Control (0) ...0 0001 = Number: No-Operation (NOP) (1) No-Operation (NOP) Type: 1 0... .... = Copy on fragmentation: No .00. .... 
= Class: Control (0) ...0 0001 = Number: No-Operation (NOP) (1) Timestamps: TSval 4136501136, TSecr 264085023 Kind: Time Stamp Option (8) Length: 10 Timestamp value: 4136501136 Timestamp echo reply: 264085023 [SEQ/ACK analysis] [This is an ACK to the segment in frame: 21] [The RTT to ACK the segment was: 0.000713000 seconds] [iRTT: 0.000378000 seconds] [Bytes in flight: 84] NetBIOS Session Service Message Type: Session message (0x00) Length: 80 SMB2 (Server Message Block Protocol version 2) SMB2 Header Server Component: SMB2 Header Length: 64 Credit Charge: 0 NT Status: STATUS_SUCCESS (0x00000000) Command: Tree Connect (3) Credits granted: 1 Flags: 0x00000009 .... .... .... .... .... .... .... ...1 = Response: This is a RESPONSE .... .... .... .... .... .... .... ..0. = Async command: This is a SYNC command .... .... .... .... .... .... .... .0.. = Chained: This pdu is NOT a chained command .... .... .... .... .... .... .... 1... = Signing: This pdu is SIGNED ...0 .... .... .... .... .... .... .... = DFS operation: This is a normal operation ..0. .... .... .... .... .... .... .... = Replay operation: This is NOT a replay operation Chain Offset: 0x00000000 Message ID: 5 Process Id: 0x00000000 Tree Id: 0x00000002 \\fileserver.fqdn\Folder [Tree: \\fileserver.fqdn\Folder] [Share Type: Physical disk (0x01)] [Connected in Frame: 22] Session Id: 0x8df3ec9a00000001 Signature: ******************************** [Response to: 21] [Time from request: 0.000713000 seconds] Tree Connect Response (0x03) StructureSize: 0x0010 0000 0000 0001 000. = Fixed Part Length: 16 .... .... .... ...0 = Dynamic Part: False Share Type: Physical disk (0x01) Share flags: 0x00000800, Access based directory enum .... .... .... .... .... .... .... ...0 = DFS: False .... .... .... .... .... .... .... ..0. = DFS root: False .... .... .... .... .... ...0 .... .... = Restrict exclusive opens: False .... .... .... .... .... ..0. .... .... = Force shared delete: False .... .... .... .... .... .0.. .... .... 
= Allow namepsace caching: False .... .... .... .... .... 1... .... .... = Access based directory enum: True .... .... .... .... ...0 .... .... .... = Force level II oplock: False .... .... .... .... ..0. .... .... .... = Enable hash V1: False .... .... .... .... .0.. .... .... .... = Enable hash V2: False .... .... .... .... 0... .... .... .... = Encrypted data required: False Caching policy: Manual caching (00000000) Share Capabilities: 0x00000008, DFS .... .... .... .... .... .... .... 1... = DFS: True .... .... .... .... .... .... ...0 .... = CONTINUOUS AVAILABILITY: False .... .... .... .... .... .... ..0. .... = SCALEOUT: False .... .... .... .... .... .... .0.. .... = CLUSTER: False Access Mask: 0x001200a9 .... .... .... .... .... .... .... ...1 = Read: READ access .... .... .... .... .... .... .... ..0. = Write: NO write access .... .... .... .... .... .... .... .0.. = Append: NO append access .... .... .... .... .... .... .... 1... = Read EA: READ EXTENDED ATTRIBUTES access .... .... .... .... .... .... ...0 .... = Write EA: NO write extended attributes access .... .... .... .... .... .... ..1. .... = Execute: EXECUTE access .... .... .... .... .... .... .0.. .... = Delete Child: NO delete child access .... .... .... .... .... .... 1... .... = Read Attributes: READ ATTRIBUTES access .... .... .... .... .... ...0 .... .... = Write Attributes: NO write attributes access .... .... .... ...0 .... .... .... .... = Delete: NO delete access .... .... .... ..1. .... .... .... .... = Read Control: READ ACCESS to owner, group and ACL of the SID .... .... .... .0.. .... .... .... .... = Write DAC: Owner may NOT write to the DAC .... .... .... 0... .... .... .... .... = Write Owner: Can NOT write owner (take ownership) .... .... ...1 .... .... .... .... .... = Synchronize: Can wait on handle to SYNCHRONIZE on completion of I/O .... ...0 .... .... .... .... .... .... = System Security: System security is NOT set .... ..0. .... .... .... .... .... .... 
= Maximum Allowed: Maximum allowed is NOT set ...0 .... .... .... .... .... .... .... = Generic All: Generic all is NOT set ..0. .... .... .... .... .... .... .... = Generic Execute: Generic execute is NOT set .0.. .... .... .... .... .... .... .... = Generic Write: Generic write is NOT set 0... .... .... .... .... .... .... .... = Generic Read: Generic read is NOT set No. Time Source Destination Protocol Length Info 23 0.436866 10.9.*.* 10.96.*.* SMB2 230 Ioctl Request FSCTL_VALIDATE_NEGOTIATE_INFO Frame 23: 230 bytes on wire (1840 bits), 230 bytes captured (1840 bits) Encapsulation type: Ethernet (1) Arrival Time: Jun 2, 2016 08:35:31.845468000 CEST [Time shift for this packet: 0.000000000 seconds] Epoch Time: 1464849331.845468000 seconds [Time delta from previous captured frame: 0.000111000 seconds] [Time delta from previous displayed frame: 0.000111000 seconds] [Time since reference or first frame: 0.436866000 seconds] Frame Number: 23 Frame Length: 230 bytes (1840 bits) Capture Length: 230 bytes (1840 bits) [Frame is marked: False] [Frame is ignored: False] [Protocols in frame: eth:ethertype:ip:tcp:nbss:smb2] [Coloring Rule Name: SMB] [Coloring Rule String: smb || nbss || nbns || nbipx || ipxsap || netbios] Ethernet II, Src: Manufacturer_00:00:00 (00:00:00:00:00:00), Dst: Manufacturer2_11:11:11 (11:11:11:11:11:11) Destination: Manufacturer2_11:11:11 (11:11:11:11:11:11) Address: Manufacturer2_11:11:11 (11:11:11:11:11:11) .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) .... ...0 .... .... .... .... = IG bit: Individual address (unicast) Source: Manufacturer_00:00:00 (00:00:00:00:00:00) Address: Manufacturer_00:00:00 (00:00:00:00:00:00) .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) .... ...0 .... .... .... .... 
= IG bit: Individual address (unicast) Type: IP (0x0800) Internet Protocol Version 4, Src: 10.9.*.* (10.9.*.*), Dst: 10.96.*.* (10.96.*.*) Version: 4 Header Length: 20 bytes Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport)) 0000 00.. = Differentiated Services Codepoint: Default (0x00) .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00) Total Length: 216 Identification: 0x9531 (38193) Flags: 0x02 (Don't Fragment) 0... .... = Reserved bit: Not set .1.. .... = Don't fragment: Set ..0. .... = More fragments: Not set Fragment offset: 0 Time to live: 64 Protocol: TCP (6) Header checksum: 0x8a16 [validation disabled] [Good: False] [Bad: False] Source: 10.9.*.* (10.9.*.*) Destination: 10.96.*.* (10.96.*.*) [Source GeoIP: Unknown] [Destination GeoIP: Unknown] Transmission Control Protocol, Src Port: 57892 (57892), Dst Port: 445 (445), Seq: 3850, Ack: 1022, Len: 164 Source Port: 57892 (57892) Destination Port: 445 (445) [Stream index: 0] [TCP Segment Len: 164] Sequence number: 3850 (relative sequence number) [Next sequence number: 4014 (relative sequence number)] Acknowledgment number: 1022 (relative ack number) Header Length: 32 bytes .... 0000 0001 1000 = Flags: 0x018 (PSH, ACK) 000. .... .... = Reserved: Not set ...0 .... .... = Nonce: Not set .... 0... .... = Congestion Window Reduced (CWR): Not set .... .0.. .... = ECN-Echo: Not set .... ..0. .... = Urgent: Not set .... ...1 .... = Acknowledgment: Set .... .... 1... = Push: Set .... .... .0.. = Reset: Not set .... .... ..0. = Syn: Not set .... .... ...0 = Fin: Not set Window size value: 254 [Calculated window size: 32512] [Window size scaling factor: 128] Checksum: 0x1393 [validation disabled] [Good Checksum: False] [Bad Checksum: False] Urgent pointer: 0 Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps No-Operation (NOP) Type: 1 0... .... = Copy on fragmentation: No .00. .... 
= Class: Control (0) ...0 0001 = Number: No-Operation (NOP) (1) No-Operation (NOP) Type: 1 0... .... = Copy on fragmentation: No .00. .... = Class: Control (0) ...0 0001 = Number: No-Operation (NOP) (1) Timestamps: TSval 264085024, TSecr 4136501136 Kind: Time Stamp Option (8) Length: 10 Timestamp value: 264085024 Timestamp echo reply: 4136501136 [SEQ/ACK analysis] [This is an ACK to the segment in frame: 22] [The RTT to ACK the segment was: 0.000111000 seconds] [iRTT: 0.000378000 seconds] [Bytes in flight: 164] NetBIOS Session Service Message Type: Session message (0x00) Length: 160 SMB2 (Server Message Block Protocol version 2) SMB2 Header Server Component: SMB2 Header Length: 64 Credit Charge: 0 Channel Sequence: 0 Reserved: 0000 Command: Ioctl (11) Credits requested: 1 Flags: 0x00000008 .... .... .... .... .... .... .... ...0 = Response: This is a REQUEST .... .... .... .... .... .... .... ..0. = Async command: This is a SYNC command .... .... .... .... .... .... .... .0.. = Chained: This pdu is NOT a chained command .... .... .... .... .... .... .... 1... = Signing: This pdu is SIGNED ...0 .... .... .... .... .... .... .... = DFS operation: This is a normal operation ..0. .... .... .... .... .... .... .... = Replay operation: This is NOT a replay operation Chain Offset: 0x00000000 Message ID: 6 Process Id: 0x00000000 Tree Id: 0x00000002 \\fileserver.fqdn\Folder [Tree: \\fileserver.fqdn\Folder] [Share Type: Physical disk (0x01)] [Connected in Frame: 22] Session Id: 0x8df3ec9a00000001 Signature: ******************************** [Response in: 24] Ioctl Request (0x0b) StructureSize: 0x0039 0000 0000 0011 100. = Fixed Part Length: 56 .... .... .... ...1 = Dynamic Part: True Function: FSCTL_VALIDATE_NEGOTIATE_INFO (0x00140204) 0000 0000 0001 0100 .... .... .... .... = Device: NETWORK_FILE_SYSTEM (0x00000014) .... .... .... .... 00.. .... .... .... = Access: FILE_ANY_ACCESS (0x00000000) .... .... .... .... ..00 0010 0000 01.. = Function: 0x00000081 .... .... .... .... 
.... .... .... ..00 = Method: METHOD_BUFFERED (0x00000000) GUID handle File Id: ffffffff-ffff-ffff-ffff-ffffffffffff Max Ioctl In Size: 0 Max Ioctl Out Size: 24 Flags: 0x00000001 .... .... .... .... .... .... .... ...1 = Is FSCTL: True In Data Offset: 0x00000078 Length: 40 Capabilities: 0x0000007f .... .... .... .... .... .... .... ...1 = DFS: This host supports DFS .... .... .... .... .... .... .... ..1. = LEASING: This host supports LEASING .... .... .... .... .... .... .... .1.. = LARGE MTU: This host supports LARGE_MTU .... .... .... .... .... .... .... 1... = MULTI CHANNEL: This host supports MULTI CHANNEL .... .... .... .... .... .... ...1 .... = PERSISTENT HANDLES: This host supports PERSISTENT HANDLES .... .... .... .... .... .... ..1. .... = DIRECTORY LEASING: This host supports DIRECTORY LEASING .... .... .... .... .... .... .1.. .... = ENCRYPTION: This host supports ENCRYPTION Client Guid: 00000000-0000-0000-0000-000000000000 Security mode: 0x01 .... ...1 = Signing enabled: True .... ..0. = Signing required: False Dialect count: 8 Dialect: 0x0202 Dialect: 0x0210 Dialect: 0x0222 Dialect: 0x0224 Dialect: 0x0300 Dialect: 0x0302 Dialect: 0x0310 Dialect: 0x0311 Out Data: NO DATA Offset: 0x00000078 Length: 0 No. 
Time Source Destination Protocol Length Info 24 0.437296 10.96.*.* 10.9.*.* SMB2 143 Ioctl Response, Error: STATUS_NOT_SUPPORTED Frame 24: 143 bytes on wire (1144 bits), 143 bytes captured (1144 bits) Encapsulation type: Ethernet (1) Arrival Time: Jun 2, 2016 08:35:31.845898000 CEST [Time shift for this packet: 0.000000000 seconds] Epoch Time: 1464849331.845898000 seconds [Time delta from previous captured frame: 0.000430000 seconds] [Time delta from previous displayed frame: 0.000430000 seconds] [Time since reference or first frame: 0.437296000 seconds] Frame Number: 24 Frame Length: 143 bytes (1144 bits) Capture Length: 143 bytes (1144 bits) [Frame is marked: False] [Frame is ignored: False] [Protocols in frame: eth:ethertype:ip:tcp:nbss:smb2] [Coloring Rule Name: SMB] [Coloring Rule String: smb || nbss || nbns || nbipx || ipxsap || netbios] Ethernet II, Src: Manufacturer2_11:11:11 (11:11:11:11:11:11), Dst: Manufacturer_00:00:00 (00:00:00:00:00:00) Destination: Manufacturer_00:00:00 (00:00:00:00:00:00) Address: Manufacturer_00:00:00 (00:00:00:00:00:00) .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) .... ...0 .... .... .... .... = IG bit: Individual address (unicast) Source: Manufacturer2_11:11:11 (11:11:11:11:11:11) Address: Manufacturer2_11:11:11 (11:11:11:11:11:11) .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) .... ...0 .... .... .... .... = IG bit: Individual address (unicast) Type: IP (0x0800) Internet Protocol Version 4, Src: 10.96.*.* (10.96.*.*), Dst: 10.9.*.* (10.9.*.*) Version: 4 Header Length: 20 bytes Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport)) 0000 00.. = Differentiated Services Codepoint: Default (0x00) .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00) Total Length: 129 Identification: 0x5298 (21144) Flags: 0x02 (Don't Fragment) 0... .... = Reserved bit: Not set .1.. .... 
= Don't fragment: Set ..0. .... = More fragments: Not set Fragment offset: 0 Time to live: 62 Protocol: TCP (6) Header checksum: 0xcf06 [validation disabled] [Good: False] [Bad: False] Source: 10.96.*.* (10.96.*.*) Destination: 10.9.*.* (10.9.*.*) [Source GeoIP: Unknown] [Destination GeoIP: Unknown] Transmission Control Protocol, Src Port: 445 (445), Dst Port: 57892 (57892), Seq: 1022, Ack: 4014, Len: 77 Source Port: 445 (445) Destination Port: 57892 (57892) [Stream index: 0] [TCP Segment Len: 77] Sequence number: 1022 (relative sequence number) [Next sequence number: 1099 (relative sequence number)] Acknowledgment number: 4014 (relative ack number) Header Length: 32 bytes .... 0000 0001 1000 = Flags: 0x018 (PSH, ACK) 000. .... .... = Reserved: Not set ...0 .... .... = Nonce: Not set .... 0... .... = Congestion Window Reduced (CWR): Not set .... .0.. .... = ECN-Echo: Not set .... ..0. .... = Urgent: Not set .... ...1 .... = Acknowledgment: Set .... .... 1... = Push: Set .... .... .0.. = Reset: Not set .... .... ..0. = Syn: Not set .... .... ...0 = Fin: Not set Window size value: 262 [Calculated window size: 33536] [Window size scaling factor: 128] Checksum: 0x7896 [validation disabled] [Good Checksum: False] [Bad Checksum: False] Urgent pointer: 0 Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps No-Operation (NOP) Type: 1 0... .... = Copy on fragmentation: No .00. .... = Class: Control (0) ...0 0001 = Number: No-Operation (NOP) (1) No-Operation (NOP) Type: 1 0... .... = Copy on fragmentation: No .00. .... 
= Class: Control (0) ...0 0001 = Number: No-Operation (NOP) (1) Timestamps: TSval 4136501136, TSecr 264085024 Kind: Time Stamp Option (8) Length: 10 Timestamp value: 4136501136 Timestamp echo reply: 264085024 [SEQ/ACK analysis] [This is an ACK to the segment in frame: 23] [The RTT to ACK the segment was: 0.000430000 seconds] [iRTT: 0.000378000 seconds] [Bytes in flight: 77] NetBIOS Session Service Message Type: Session message (0x00) Length: 73 SMB2 (Server Message Block Protocol version 2) SMB2 Header Server Component: SMB2 Header Length: 64 Credit Charge: 0 NT Status: STATUS_NOT_SUPPORTED (0xc00000bb) Command: Ioctl (11) Credits granted: 1 Flags: 0x00000009 .... .... .... .... .... .... .... ...1 = Response: This is a RESPONSE .... .... .... .... .... .... .... ..0. = Async command: This is a SYNC command .... .... .... .... .... .... .... .0.. = Chained: This pdu is NOT a chained command .... .... .... .... .... .... .... 1... = Signing: This pdu is SIGNED ...0 .... .... .... .... .... .... .... = DFS operation: This is a normal operation ..0. .... .... .... .... .... .... .... = Replay operation: This is NOT a replay operation Chain Offset: 0x00000000 Message ID: 6 Process Id: 0x00000000 Tree Id: 0x00000002 \\fileserver.fqdn\Folder [Tree: \\fileserver.fqdn\Folder] [Share Type: Physical disk (0x01)] [Connected in Frame: 22] Session Id: 0x8df3ec9a00000001 Signature: ******************************** [Response to: 23] [Time from request: 0.000430000 seconds] Ioctl Response (0x0b) StructureSize: 0x0009 0000 0000 0000 100. = Fixed Part Length: 8 .... .... .... ...1 = Dynamic Part: True Reserved: 0x0000 Byte Count: 0 Error Data: 00 No. 
Time Source Destination Protocol Length Info
25 0.437418 10.9.*.* 10.96.*.* TCP 66 57892→445 [FIN, ACK] Seq=4014 Ack=1099 Win=32512 Len=0 TSval=264085025 TSecr=4136501136

Frame 25: 66 bytes on wire (528 bits), 66 bytes captured (528 bits)
    Encapsulation type: Ethernet (1)
    Arrival Time: Jun 2, 2016 08:35:31.846020000 CEST
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1464849331.846020000 seconds
    [Time delta from previous captured frame: 0.000122000 seconds]
    [Time delta from previous displayed frame: 0.000122000 seconds]
    [Time since reference or first frame: 0.437418000 seconds]
    Frame Number: 25
    Frame Length: 66 bytes (528 bits)
    Capture Length: 66 bytes (528 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ethertype:ip:tcp]
    [Coloring Rule Name: TCP SYN/FIN]
    [Coloring Rule String: tcp.flags & 0x02 || tcp.flags.fin == 1]
Ethernet II, Src: Manufacturer_00:00:00 (00:00:00:00:00:00), Dst: Manufacturer2_11:11:11 (11:11:11:11:11:11)
    Destination: Manufacturer2_11:11:11 (11:11:11:11:11:11)
        Address: Manufacturer2_11:11:11 (11:11:11:11:11:11)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: Manufacturer_00:00:00 (00:00:00:00:00:00)
        Address: Manufacturer_00:00:00 (00:00:00:00:00:00)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IP (0x0800)
Internet Protocol Version 4, Src: 10.9.*.* (10.9.*.*), Dst: 10.96.*.* (10.96.*.*)
    Version: 4
    Header Length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00)
    Total Length: 52
    Identification: 0x9532 (38194)
    Flags: 0x02 (Don't Fragment)
        0... .... = Reserved bit: Not set
        .1.. .... = Don't fragment: Set
        ..0. .... = More fragments: Not set
    Fragment offset: 0
    Time to live: 64
    Protocol: TCP (6)
    Header checksum: 0x8ab9 [validation disabled]
        [Good: False]
        [Bad: False]
    Source: 10.9.*.* (10.9.*.*)
    Destination: 10.96.*.* (10.96.*.*)
    [Source GeoIP: Unknown]
    [Destination GeoIP: Unknown]
Transmission Control Protocol, Src Port: 57892 (57892), Dst Port: 445 (445), Seq: 4014, Ack: 1099, Len: 0
    Source Port: 57892 (57892)
    Destination Port: 445 (445)
    [Stream index: 0]
    [TCP Segment Len: 0]
    Sequence number: 4014 (relative sequence number)
    Acknowledgment number: 1099 (relative ack number)
    Header Length: 32 bytes
    .... 0000 0001 0001 = Flags: 0x011 (FIN, ACK)
        000. .... .... = Reserved: Not set
        ...0 .... .... = Nonce: Not set
        .... 0... .... = Congestion Window Reduced (CWR): Not set
        .... .0.. .... = ECN-Echo: Not set
        .... ..0. .... = Urgent: Not set
        .... ...1 .... = Acknowledgment: Set
        .... .... 0... = Push: Not set
        .... .... .0.. = Reset: Not set
        .... .... ..0. = Syn: Not set
        .... .... ...1 = Fin: Set
            [Expert Info (Chat/Sequence): Connection finish (FIN)]
                [Connection finish (FIN)]
                [Severity level: Chat]
                [Group: Sequence]
    Window size value: 254
    [Calculated window size: 32512]
    [Window size scaling factor: 128]
    Checksum: 0x4953 [validation disabled]
        [Good Checksum: False]
        [Bad Checksum: False]
    Urgent pointer: 0
    Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps
        No-Operation (NOP)
            Type: 1
                0... .... = Copy on fragmentation: No
                .00. .... = Class: Control (0)
                ...0 0001 = Number: No-Operation (NOP) (1)
        No-Operation (NOP)
            Type: 1
                0... .... = Copy on fragmentation: No
                .00. .... = Class: Control (0)
                ...0 0001 = Number: No-Operation (NOP) (1)
        Timestamps: TSval 264085025, TSecr 4136501136
            Kind: Time Stamp Option (8)
            Length: 10
            Timestamp value: 264085025
            Timestamp echo reply: 4136501136
    [SEQ/ACK analysis]
        [This is an ACK to the segment in frame: 24]
        [The RTT to ACK the segment was: 0.000122000 seconds]
        [iRTT: 0.000378000 seconds]

No. Time Source Destination Protocol Length Info
26 0.437639 10.96.*.* 10.9.*.* TCP 66 445→57892 [ACK] Seq=1099 Ack=4015 Win=33536 Len=0 TSval=4136501137 TSecr=264085025

Frame 26: 66 bytes on wire (528 bits), 66 bytes captured (528 bits)
    Encapsulation type: Ethernet (1)
    Arrival Time: Jun 2, 2016 08:35:31.846241000 CEST
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1464849331.846241000 seconds
    [Time delta from previous captured frame: 0.000221000 seconds]
    [Time delta from previous displayed frame: 0.000221000 seconds]
    [Time since reference or first frame: 0.437639000 seconds]
    Frame Number: 26
    Frame Length: 66 bytes (528 bits)
    Capture Length: 66 bytes (528 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ethertype:ip:tcp]
    [Coloring Rule Name: TCP]
    [Coloring Rule String: tcp]
Ethernet II, Src: Manufacturer2_11:11:11 (11:11:11:11:11:11), Dst: Manufacturer_00:00:00 (00:00:00:00:00:00)
    Destination: Manufacturer_00:00:00 (00:00:00:00:00:00)
        Address: Manufacturer_00:00:00 (00:00:00:00:00:00)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: Manufacturer2_11:11:11 (11:11:11:11:11:11)
        Address: Manufacturer2_11:11:11 (11:11:11:11:11:11)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IP (0x0800)
Internet Protocol Version 4, Src: 10.96.*.* (10.96.*.*), Dst: 10.9.*.* (10.9.*.*)
    Version: 4
    Header Length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00)
    Total Length: 52
    Identification: 0x3801 (14337)
    Flags: 0x02 (Don't Fragment)
        0... .... = Reserved bit: Not set
        .1.. .... = Don't fragment: Set
        ..0. .... = More fragments: Not set
    Fragment offset: 0
    Time to live: 62
    Protocol: TCP (6)
    Header checksum: 0xe9ea [validation disabled]
        [Good: False]
        [Bad: False]
    Source: 10.96.*.* (10.96.*.*)
    Destination: 10.9.*.* (10.9.*.*)
    [Source GeoIP: Unknown]
    [Destination GeoIP: Unknown]
Transmission Control Protocol, Src Port: 445 (445), Dst Port: 57892 (57892), Seq: 1099, Ack: 4015, Len: 0
    Source Port: 445 (445)
    Destination Port: 57892 (57892)
    [Stream index: 0]
    [TCP Segment Len: 0]
    Sequence number: 1099 (relative sequence number)
    Acknowledgment number: 4015 (relative ack number)
    Header Length: 32 bytes
    .... 0000 0001 0000 = Flags: 0x010 (ACK)
        000. .... .... = Reserved: Not set
        ...0 .... .... = Nonce: Not set
        .... 0... .... = Congestion Window Reduced (CWR): Not set
        .... .0.. .... = ECN-Echo: Not set
        .... ..0. .... = Urgent: Not set
        .... ...1 .... = Acknowledgment: Set
        .... .... 0... = Push: Not set
        .... .... .0.. = Reset: Not set
        .... .... ..0. = Syn: Not set
        .... .... ...0 = Fin: Not set
    Window size value: 262
    [Calculated window size: 33536]
    [Window size scaling factor: 128]
    Checksum: 0x494a [validation disabled]
        [Good Checksum: False]
        [Bad Checksum: False]
    Urgent pointer: 0
    Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps
        No-Operation (NOP)
            Type: 1
                0... .... = Copy on fragmentation: No
                .00. .... = Class: Control (0)
                ...0 0001 = Number: No-Operation (NOP) (1)
        No-Operation (NOP)
            Type: 1
                0... .... = Copy on fragmentation: No
                .00. .... = Class: Control (0)
                ...0 0001 = Number: No-Operation (NOP) (1)
        Timestamps: TSval 4136501137, TSecr 264085025
            Kind: Time Stamp Option (8)
            Length: 10
            Timestamp value: 4136501137
            Timestamp echo reply: 264085025
    [SEQ/ACK analysis]
        [This is an ACK to the segment in frame: 25]
        [The RTT to ACK the segment was: 0.000221000 seconds]
        [iRTT: 0.000378000 seconds]

No. Time Source Destination Protocol Length Info
27 0.437743 10.96.*.* 10.9.*.* TCP 66 445→57892 [FIN, ACK] Seq=1099 Ack=4015 Win=33536 Len=0 TSval=4136501137 TSecr=264085025

Frame 27: 66 bytes on wire (528 bits), 66 bytes captured (528 bits)
    Encapsulation type: Ethernet (1)
    Arrival Time: Jun 2, 2016 08:35:31.846345000 CEST
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1464849331.846345000 seconds
    [Time delta from previous captured frame: 0.000104000 seconds]
    [Time delta from previous displayed frame: 0.000104000 seconds]
    [Time since reference or first frame: 0.437743000 seconds]
    Frame Number: 27
    Frame Length: 66 bytes (528 bits)
    Capture Length: 66 bytes (528 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ethertype:ip:tcp]
    [Coloring Rule Name: TCP SYN/FIN]
    [Coloring Rule String: tcp.flags & 0x02 || tcp.flags.fin == 1]
Ethernet II, Src: Manufacturer2_11:11:11 (11:11:11:11:11:11), Dst: Manufacturer_00:00:00 (00:00:00:00:00:00)
    Destination: Manufacturer_00:00:00 (00:00:00:00:00:00)
        Address: Manufacturer_00:00:00 (00:00:00:00:00:00)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: Manufacturer2_11:11:11 (11:11:11:11:11:11)
        Address: Manufacturer2_11:11:11 (11:11:11:11:11:11)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IP (0x0800)
Internet Protocol Version 4, Src: 10.96.*.* (10.96.*.*), Dst: 10.9.*.* (10.9.*.*)
    Version: 4
    Header Length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00)
    Total Length: 52
    Identification: 0x25a2 (9634)
    Flags: 0x02 (Don't Fragment)
        0... .... = Reserved bit: Not set
        .1.. .... = Don't fragment: Set
        ..0. .... = More fragments: Not set
    Fragment offset: 0
    Time to live: 62
    Protocol: TCP (6)
    Header checksum: 0xfc49 [validation disabled]
        [Good: False]
        [Bad: False]
    Source: 10.96.*.* (10.96.*.*)
    Destination: 10.9.*.* (10.9.*.*)
    [Source GeoIP: Unknown]
    [Destination GeoIP: Unknown]
Transmission Control Protocol, Src Port: 445 (445), Dst Port: 57892 (57892), Seq: 1099, Ack: 4015, Len: 0
    Source Port: 445 (445)
    Destination Port: 57892 (57892)
    [Stream index: 0]
    [TCP Segment Len: 0]
    Sequence number: 1099 (relative sequence number)
    Acknowledgment number: 4015 (relative ack number)
    Header Length: 32 bytes
    .... 0000 0001 0001 = Flags: 0x011 (FIN, ACK)
        000. .... .... = Reserved: Not set
        ...0 .... .... = Nonce: Not set
        .... 0... .... = Congestion Window Reduced (CWR): Not set
        .... .0.. .... = ECN-Echo: Not set
        .... ..0. .... = Urgent: Not set
        .... ...1 .... = Acknowledgment: Set
        .... .... 0... = Push: Not set
        .... .... .0.. = Reset: Not set
        .... .... ..0. = Syn: Not set
        .... .... ...1 = Fin: Set
            [Expert Info (Chat/Sequence): Connection finish (FIN)]
                [Connection finish (FIN)]
                [Severity level: Chat]
                [Group: Sequence]
    Window size value: 262
    [Calculated window size: 33536]
    [Window size scaling factor: 128]
    Checksum: 0x4949 [validation disabled]
        [Good Checksum: False]
        [Bad Checksum: False]
    Urgent pointer: 0
    Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps
        No-Operation (NOP)
            Type: 1
                0... .... = Copy on fragmentation: No
                .00. .... = Class: Control (0)
                ...0 0001 = Number: No-Operation (NOP) (1)
        No-Operation (NOP)
            Type: 1
                0... .... = Copy on fragmentation: No
                .00. .... = Class: Control (0)
                ...0 0001 = Number: No-Operation (NOP) (1)
        Timestamps: TSval 4136501137, TSecr 264085025
            Kind: Time Stamp Option (8)
            Length: 10
            Timestamp value: 4136501137
            Timestamp echo reply: 264085025

No. Time Source Destination Protocol Length Info
28 0.437762 10.9.*.* 10.96.*.* TCP 66 57892→445 [ACK] Seq=4015 Ack=1100 Win=32512 Len=0 TSval=264085025 TSecr=4136501137

Frame 28: 66 bytes on wire (528 bits), 66 bytes captured (528 bits)
    Encapsulation type: Ethernet (1)
    Arrival Time: Jun 2, 2016 08:35:31.846364000 CEST
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1464849331.846364000 seconds
    [Time delta from previous captured frame: 0.000019000 seconds]
    [Time delta from previous displayed frame: 0.000019000 seconds]
    [Time since reference or first frame: 0.437762000 seconds]
    Frame Number: 28
    Frame Length: 66 bytes (528 bits)
    Capture Length: 66 bytes (528 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ethertype:ip:tcp]
    [Coloring Rule Name: TCP]
    [Coloring Rule String: tcp]
Ethernet II, Src: Manufacturer_00:00:00 (00:00:00:00:00:00), Dst: Manufacturer2_11:11:11 (11:11:11:11:11:11)
    Destination: Manufacturer2_11:11:11 (11:11:11:11:11:11)
        Address: Manufacturer2_11:11:11 (11:11:11:11:11:11)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: Manufacturer_00:00:00 (00:00:00:00:00:00)
        Address: Manufacturer_00:00:00 (00:00:00:00:00:00)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IP (0x0800)
Internet Protocol Version 4, Src: 10.9.*.* (10.9.*.*), Dst: 10.96.*.* (10.96.*.*)
    Version: 4
    Header Length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00)
    Total Length: 52
    Identification: 0x804c (32844)
    Flags: 0x02 (Don't Fragment)
        0... .... = Reserved bit: Not set
        .1.. .... = Don't fragment: Set
        ..0. .... = More fragments: Not set
    Fragment offset: 0
    Time to live: 64
    Protocol: TCP (6)
    Header checksum: 0x9f9f [validation disabled]
        [Good: False]
        [Bad: False]
    Source: 10.9.*.* (10.9.*.*)
    Destination: 10.96.*.* (10.96.*.*)
    [Source GeoIP: Unknown]
    [Destination GeoIP: Unknown]
Transmission Control Protocol, Src Port: 57892 (57892), Dst Port: 445 (445), Seq: 4015, Ack: 1100, Len: 0
    Source Port: 57892 (57892)
    Destination Port: 445 (445)
    [Stream index: 0]
    [TCP Segment Len: 0]
    Sequence number: 4015 (relative sequence number)
    Acknowledgment number: 1100 (relative ack number)
    Header Length: 32 bytes
    .... 0000 0001 0000 = Flags: 0x010 (ACK)
        000. .... .... = Reserved: Not set
        ...0 .... .... = Nonce: Not set
        .... 0... .... = Congestion Window Reduced (CWR): Not set
        .... .0.. .... = ECN-Echo: Not set
        .... ..0. .... = Urgent: Not set
        .... ...1 .... = Acknowledgment: Set
        .... .... 0... = Push: Not set
        .... .... .0.. = Reset: Not set
        .... .... ..0. = Syn: Not set
        .... .... ...0 = Fin: Not set
    Window size value: 254
    [Calculated window size: 32512]
    [Window size scaling factor: 128]
    Checksum: 0x4951 [validation disabled]
        [Good Checksum: False]
        [Bad Checksum: False]
    Urgent pointer: 0
    Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps
        No-Operation (NOP)
            Type: 1
                0... .... = Copy on fragmentation: No
                .00. .... = Class: Control (0)
                ...0 0001 = Number: No-Operation (NOP) (1)
        No-Operation (NOP)
            Type: 1
                0... .... = Copy on fragmentation: No
                .00. .... = Class: Control (0)
                ...0 0001 = Number: No-Operation (NOP) (1)
        Timestamps: TSval 264085025, TSecr 4136501137
            Kind: Time Stamp Option (8)
            Length: 10
            Timestamp value: 264085025
            Timestamp echo reply: 4136501137
    [SEQ/ACK analysis]
        [This is an ACK to the segment in frame: 27]
        [The RTT to ACK the segment was: 0.000019000 seconds]
        [iRTT: 0.000378000 seconds]