The Samba-Bugzilla – Attachment 12158 Details for
Bug 11933
After upgrading to 4.3.9 lost possibility to login to NetApp using Kerberos
edited ascii export of tcpdump
bug11933_tcpdump.txt (text/plain), 167.73 KB, created by
void
on 2016-06-02 07:14:44 UTC
>No. Time Source Destination Protocol Length Info > 1 0.000000 10.9.*.* 10.96.*.* TCP 74 57892→445 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=264084587 TSecr=0 WS=128 > >Frame 1: 74 bytes on wire (592 bits), 74 bytes captured (592 bits) > Encapsulation type: Ethernet (1) > Arrival Time: Jun 2, 2016 08:35:31.408602000 CEST > [Time shift for this packet: 0.000000000 seconds] > Epoch Time: 1464849331.408602000 seconds > [Time delta from previous captured frame: 0.000000000 seconds] > [Time delta from previous displayed frame: 0.000000000 seconds] > [Time since reference or first frame: 0.000000000 seconds] > Frame Number: 1 > Frame Length: 74 bytes (592 bits) > Capture Length: 74 bytes (592 bits) > [Frame is marked: False] > [Frame is ignored: False] > [Protocols in frame: eth:ethertype:ip:tcp] > [Coloring Rule Name: TCP SYN/FIN] > [Coloring Rule String: tcp.flags & 0x02 || tcp.flags.fin == 1] >Ethernet II, Src: Manufacturer_00:00:00 (00:00:00:00:00:00), Dst: Manufacturer2_11:11:11 (11:11:11:11:11:11) > Destination: Manufacturer2_11:11:11 (11:11:11:11:11:11) > Address: Manufacturer2_11:11:11 (11:11:11:11:11:11) > .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) > .... ...0 .... .... .... .... = IG bit: Individual address (unicast) > Source: Manufacturer_00:00:00 (00:00:00:00:00:00) > Address: Manufacturer_00:00:00 (00:00:00:00:00:00) > .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) > .... ...0 .... .... .... .... = IG bit: Individual address (unicast) > Type: IP (0x0800) >Internet Protocol Version 4, Src: 10.9.*.* (10.9.*.*), Dst: 10.96.*.* (10.96.*.*) > Version: 4 > Header Length: 20 bytes > Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport)) > 0000 00.. = Differentiated Services Codepoint: Default (0x00) > ....
..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00) > Total Length: 60 > Identification: 0x9524 (38180) > Flags: 0x02 (Don't Fragment) > 0... .... = Reserved bit: Not set > .1.. .... = Don't fragment: Set > ..0. .... = More fragments: Not set > Fragment offset: 0 > Time to live: 64 > Protocol: TCP (6) > Header checksum: 0x8abf [validation disabled] > [Good: False] > [Bad: False] > Source: 10.9.*.* (10.9.*.*) > Destination: 10.96.*.* (10.96.*.*) > [Source GeoIP: Unknown] > [Destination GeoIP: Unknown] >Transmission Control Protocol, Src Port: 57892 (57892), Dst Port: 445 (445), Seq: 0, Len: 0 > Source Port: 57892 (57892) > Destination Port: 445 (445) > [Stream index: 0] > [TCP Segment Len: 0] > Sequence number: 0 (relative sequence number) > Acknowledgment number: 0 > Header Length: 40 bytes > .... 0000 0000 0010 = Flags: 0x002 (SYN) > 000. .... .... = Reserved: Not set > ...0 .... .... = Nonce: Not set > .... 0... .... = Congestion Window Reduced (CWR): Not set > .... .0.. .... = ECN-Echo: Not set > .... ..0. .... = Urgent: Not set > .... ...0 .... = Acknowledgment: Not set > .... .... 0... = Push: Not set > .... .... .0.. = Reset: Not set > .... .... ..1. = Syn: Set > [Expert Info (Chat/Sequence): Connection establish request (SYN): server port 445] > [Connection establish request (SYN): server port 445] > [Severity level: Chat] > [Group: Sequence] > .... .... 
...0 = Fin: Not set > Window size value: 29200 > [Calculated window size: 29200] > Checksum: 0x7024 [validation disabled] > [Good Checksum: False] > [Bad Checksum: False] > Urgent pointer: 0 > Options: (20 bytes), Maximum segment size, SACK permitted, Timestamps, No-Operation (NOP), Window scale > Maximum segment size: 1460 bytes > Kind: Maximum Segment Size (2) > Length: 4 > MSS Value: 1460 > TCP SACK Permitted Option: True > Kind: SACK Permitted (4) > Length: 2 > Timestamps: TSval 264084587, TSecr 0 > Kind: Time Stamp Option (8) > Length: 10 > Timestamp value: 264084587 > Timestamp echo reply: 0 > No-Operation (NOP) > Type: 1 > 0... .... = Copy on fragmentation: No > .00. .... = Class: Control (0) > ...0 0001 = Number: No-Operation (NOP) (1) > Window scale: 7 (multiply by 128) > Kind: Window Scale (3) > Length: 3 > Shift count: 7 > [Multiplier: 128] > >No. Time Source Destination Protocol Length Info > 2 0.000345 10.96.*.* 10.9.*.* TCP 78 445→57892 [SYN, ACK] Seq=0 Ack=1 Win=33580 Len=0 MSS=1460 SACK_PERM=1 WS=128 TSval=4136500699 TSecr=264084587 > >Frame 2: 78 bytes on wire (624 bits), 78 bytes captured (624 bits) > Encapsulation type: Ethernet (1) > Arrival Time: Jun 2, 2016 08:35:31.408947000 CEST > [Time shift for this packet: 0.000000000 seconds] > Epoch Time: 1464849331.408947000 seconds > [Time delta from previous captured frame: 0.000345000 seconds] > [Time delta from previous displayed frame: 0.000345000 seconds] > [Time since reference or first frame: 0.000345000 seconds] > Frame Number: 2 > Frame Length: 78 bytes (624 bits) > Capture Length: 78 bytes (624 bits) > [Frame is marked: False] > [Frame is ignored: False] > [Protocols in frame: eth:ethertype:ip:tcp] > [Coloring Rule Name: TCP SYN/FIN] > [Coloring Rule String: tcp.flags & 0x02 || tcp.flags.fin == 1] >Ethernet II, Src: Manufacturer2_11:11:11 (11:11:11:11:11:11), Dst: Manufacturer_00:00:00 (00:00:00:00:00:00) > Destination: Manufacturer_00:00:00 (00:00:00:00:00:00) > Address:
Manufacturer_00:00:00 (00:00:00:00:00:00) > .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) > .... ...0 .... .... .... .... = IG bit: Individual address (unicast) > Source: Manufacturer2_11:11:11 (11:11:11:11:11:11) > Address: Manufacturer2_11:11:11 (11:11:11:11:11:11) > .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) > .... ...0 .... .... .... .... = IG bit: Individual address (unicast) > Type: IP (0x0800) >Internet Protocol Version 4, Src: 10.96.*.* (10.96.*.*), Dst: 10.9.*.* (10.9.*.*) > Version: 4 > Header Length: 20 bytes > Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport)) > 0000 00.. = Differentiated Services Codepoint: Default (0x00) > .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00) > Total Length: 64 > Identification: 0x2f01 (12033) > Flags: 0x02 (Don't Fragment) > 0... .... = Reserved bit: Not set > .1.. .... = Don't fragment: Set > ..0. .... = More fragments: Not set > Fragment offset: 0 > Time to live: 62 > Protocol: TCP (6) > Header checksum: 0xf2de [validation disabled] > [Good: False] > [Bad: False] > Source: 10.96.*.* (10.96.*.*) > Destination: 10.9.*.* (10.9.*.*) > [Source GeoIP: Unknown] > [Destination GeoIP: Unknown] >Transmission Control Protocol, Src Port: 445 (445), Dst Port: 57892 (57892), Seq: 0, Ack: 1, Len: 0 > Source Port: 445 (445) > Destination Port: 57892 (57892) > [Stream index: 0] > [TCP Segment Len: 0] > Sequence number: 0 (relative sequence number) > Acknowledgment number: 1 (relative ack number) > Header Length: 44 bytes > .... 0000 0001 0010 = Flags: 0x012 (SYN, ACK) > 000. .... .... = Reserved: Not set > ...0 .... .... = Nonce: Not set > .... 0... .... = Congestion Window Reduced (CWR): Not set > .... .0.. .... = ECN-Echo: Not set > .... ..0. .... = Urgent: Not set > .... ...1 .... = Acknowledgment: Set > .... .... 0... = Push: Not set > .... .... .0.. 
= Reset: Not set > .... .... ..1. = Syn: Set > [Expert Info (Chat/Sequence): Connection establish acknowledge (SYN+ACK): server port 445] > [Connection establish acknowledge (SYN+ACK): server port 445] > [Severity level: Chat] > [Group: Sequence] > .... .... ...0 = Fin: Not set > Window size value: 33580 > [Calculated window size: 33580] > Checksum: 0x9db5 [validation disabled] > [Good Checksum: False] > [Bad Checksum: False] > Urgent pointer: 0 > Options: (24 bytes), Maximum segment size, No-Operation (NOP), No-Operation (NOP), SACK permitted, No-Operation (NOP), Window scale, No-Operation (NOP), No-Operation (NOP), Timestamps > Maximum segment size: 1460 bytes > Kind: Maximum Segment Size (2) > Length: 4 > MSS Value: 1460 > No-Operation (NOP) > Type: 1 > 0... .... = Copy on fragmentation: No > .00. .... = Class: Control (0) > ...0 0001 = Number: No-Operation (NOP) (1) > No-Operation (NOP) > Type: 1 > 0... .... = Copy on fragmentation: No > .00. .... = Class: Control (0) > ...0 0001 = Number: No-Operation (NOP) (1) > TCP SACK Permitted Option: True > Kind: SACK Permitted (4) > Length: 2 > No-Operation (NOP) > Type: 1 > 0... .... = Copy on fragmentation: No > .00. .... = Class: Control (0) > ...0 0001 = Number: No-Operation (NOP) (1) > Window scale: 7 (multiply by 128) > Kind: Window Scale (3) > Length: 3 > Shift count: 7 > [Multiplier: 128] > No-Operation (NOP) > Type: 1 > 0... .... = Copy on fragmentation: No > .00. .... = Class: Control (0) > ...0 0001 = Number: No-Operation (NOP) (1) > No-Operation (NOP) > Type: 1 > 0... .... = Copy on fragmentation: No > .00. .... = Class: Control (0) > ...0 0001 = Number: No-Operation (NOP) (1) > Timestamps: TSval 4136500699, TSecr 264084587 > Kind: Time Stamp Option (8) > Length: 10 > Timestamp value: 4136500699 > Timestamp echo reply: 264084587 > [SEQ/ACK analysis] > [This is an ACK to the segment in frame: 1] > [The RTT to ACK the segment was: 0.000345000 seconds] > [iRTT: 0.000378000 seconds] > >No. 
Time Source Destination Protocol Length Info > 3 0.000378 10.9.*.* 10.96.*.* TCP 66 57892→445 [ACK] Seq=1 Ack=1 Win=29312 Len=0 TSval=264084588 TSecr=4136500699 > >Frame 3: 66 bytes on wire (528 bits), 66 bytes captured (528 bits) > Encapsulation type: Ethernet (1) > Arrival Time: Jun 2, 2016 08:35:31.408980000 CEST > [Time shift for this packet: 0.000000000 seconds] > Epoch Time: 1464849331.408980000 seconds > [Time delta from previous captured frame: 0.000033000 seconds] > [Time delta from previous displayed frame: 0.000033000 seconds] > [Time since reference or first frame: 0.000378000 seconds] > Frame Number: 3 > Frame Length: 66 bytes (528 bits) > Capture Length: 66 bytes (528 bits) > [Frame is marked: False] > [Frame is ignored: False] > [Protocols in frame: eth:ethertype:ip:tcp] > [Coloring Rule Name: TCP] > [Coloring Rule String: tcp] >Ethernet II, Src: Manufacturer_00:00:00 (00:00:00:00:00:00), Dst: Manufacturer2_11:11:11 (11:11:11:11:11:11) > Destination: Manufacturer2_11:11:11 (11:11:11:11:11:11) > Address: Manufacturer2_11:11:11 (11:11:11:11:11:11) > .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) > .... ...0 .... .... .... .... = IG bit: Individual address (unicast) > Source: Manufacturer_00:00:00 (00:00:00:00:00:00) > Address: Manufacturer_00:00:00 (00:00:00:00:00:00) > .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) > .... ...0 .... .... .... .... = IG bit: Individual address (unicast) > Type: IP (0x0800) >Internet Protocol Version 4, Src: 10.9.*.* (10.9.*.*), Dst: 10.96.*.* (10.96.*.*) > Version: 4 > Header Length: 20 bytes > Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport)) > 0000 00.. = Differentiated Services Codepoint: Default (0x00) > .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00) > Total Length: 52 > Identification: 0x9525 (38181) > Flags: 0x02 (Don't Fragment) > 0... ....
= Reserved bit: Not set > .1.. .... = Don't fragment: Set > ..0. .... = More fragments: Not set > Fragment offset: 0 > Time to live: 64 > Protocol: TCP (6) > Header checksum: 0x8ac6 [validation disabled] > [Good: False] > [Bad: False] > Source: 10.9.*.* (10.9.*.*) > Destination: 10.96.*.* (10.96.*.*) > [Source GeoIP: Unknown] > [Destination GeoIP: Unknown] >Transmission Control Protocol, Src Port: 57892 (57892), Dst Port: 445 (445), Seq: 1, Ack: 1, Len: 0 > Source Port: 57892 (57892) > Destination Port: 445 (445) > [Stream index: 0] > [TCP Segment Len: 0] > Sequence number: 1 (relative sequence number) > Acknowledgment number: 1 (relative ack number) > Header Length: 32 bytes > .... 0000 0001 0000 = Flags: 0x010 (ACK) > 000. .... .... = Reserved: Not set > ...0 .... .... = Nonce: Not set > .... 0... .... = Congestion Window Reduced (CWR): Not set > .... .0.. .... = ECN-Echo: Not set > .... ..0. .... = Urgent: Not set > .... ...1 .... = Acknowledgment: Set > .... .... 0... = Push: Not set > .... .... .0.. = Reset: Not set > .... .... ..0. = Syn: Not set > .... .... ...0 = Fin: Not set > Window size value: 229 > [Calculated window size: 29312] > [Window size scaling factor: 128] > Checksum: 0x60ce [validation disabled] > [Good Checksum: False] > [Bad Checksum: False] > Urgent pointer: 0 > Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps > No-Operation (NOP) > Type: 1 > 0... .... = Copy on fragmentation: No > .00. .... = Class: Control (0) > ...0 0001 = Number: No-Operation (NOP) (1) > No-Operation (NOP) > Type: 1 > 0... .... = Copy on fragmentation: No > .00. .... = Class: Control (0) > ...0 0001 = Number: No-Operation (NOP) (1) > Timestamps: TSval 264084588, TSecr 4136500699 > Kind: Time Stamp Option (8) > Length: 10 > Timestamp value: 264084588 > Timestamp echo reply: 4136500699 > [SEQ/ACK analysis] > [This is an ACK to the segment in frame: 2] > [The RTT to ACK the segment was: 0.000033000 seconds] > [iRTT: 0.000378000 seconds] > >No. 
Time Source Destination Protocol Length Info > 4 0.000551 10.9.*.* 10.96.*.* SMB 282 Negotiate Protocol Request > >Frame 4: 282 bytes on wire (2256 bits), 282 bytes captured (2256 bits) > Encapsulation type: Ethernet (1) > Arrival Time: Jun 2, 2016 08:35:31.409153000 CEST > [Time shift for this packet: 0.000000000 seconds] > Epoch Time: 1464849331.409153000 seconds > [Time delta from previous captured frame: 0.000173000 seconds] > [Time delta from previous displayed frame: 0.000173000 seconds] > [Time since reference or first frame: 0.000551000 seconds] > Frame Number: 4 > Frame Length: 282 bytes (2256 bits) > Capture Length: 282 bytes (2256 bits) > [Frame is marked: False] > [Frame is ignored: False] > [Protocols in frame: eth:ethertype:ip:tcp:nbss:smb] > [Coloring Rule Name: SMB] > [Coloring Rule String: smb || nbss || nbns || nbipx || ipxsap || netbios] >Ethernet II, Src: Manufacturer_00:00:00 (00:00:00:00:00:00), Dst: Manufacturer2_11:11:11 (11:11:11:11:11:11) > Destination: Manufacturer2_11:11:11 (11:11:11:11:11:11) > Address: Manufacturer2_11:11:11 (11:11:11:11:11:11) > .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) > .... ...0 .... .... .... .... = IG bit: Individual address (unicast) > Source: Manufacturer_00:00:00 (00:00:00:00:00:00) > Address: Manufacturer_00:00:00 (00:00:00:00:00:00) > .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) > .... ...0 .... .... .... .... = IG bit: Individual address (unicast) > Type: IP (0x0800) >Internet Protocol Version 4, Src: 10.9.*.* (10.9.*.*), Dst: 10.96.*.* (10.96.*.*) > Version: 4 > Header Length: 20 bytes > Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport)) > 0000 00.. = Differentiated Services Codepoint: Default (0x00) > .... 
..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00) > Total Length: 268 > Identification: 0x9526 (38182) > Flags: 0x02 (Don't Fragment) > 0... .... = Reserved bit: Not set > .1.. .... = Don't fragment: Set > ..0. .... = More fragments: Not set > Fragment offset: 0 > Time to live: 64 > Protocol: TCP (6) > Header checksum: 0x89ed [validation disabled] > [Good: False] > [Bad: False] > Source: 10.9.*.* (10.9.*.*) > Destination: 10.96.*.* (10.96.*.*) > [Source GeoIP: Unknown] > [Destination GeoIP: Unknown] >Transmission Control Protocol, Src Port: 57892 (57892), Dst Port: 445 (445), Seq: 1, Ack: 1, Len: 216 > Source Port: 57892 (57892) > Destination Port: 445 (445) > [Stream index: 0] > [TCP Segment Len: 216] > Sequence number: 1 (relative sequence number) > [Next sequence number: 217 (relative sequence number)] > Acknowledgment number: 1 (relative ack number) > Header Length: 32 bytes > .... 0000 0001 1000 = Flags: 0x018 (PSH, ACK) > 000. .... .... = Reserved: Not set > ...0 .... .... = Nonce: Not set > .... 0... .... = Congestion Window Reduced (CWR): Not set > .... .0.. .... = ECN-Echo: Not set > .... ..0. .... = Urgent: Not set > .... ...1 .... = Acknowledgment: Set > .... .... 1... = Push: Set > .... .... .0.. = Reset: Not set > .... .... ..0. = Syn: Not set > .... .... ...0 = Fin: Not set > Window size value: 229 > [Calculated window size: 29312] > [Window size scaling factor: 128] > Checksum: 0xefd7 [validation disabled] > [Good Checksum: False] > [Bad Checksum: False] > Urgent pointer: 0 > Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps > No-Operation (NOP) > Type: 1 > 0... .... = Copy on fragmentation: No > .00. .... = Class: Control (0) > ...0 0001 = Number: No-Operation (NOP) (1) > No-Operation (NOP) > Type: 1 > 0... .... = Copy on fragmentation: No > .00. .... 
= Class: Control (0) > ...0 0001 = Number: No-Operation (NOP) (1) > Timestamps: TSval 264084588, TSecr 4136500699 > Kind: Time Stamp Option (8) > Length: 10 > Timestamp value: 264084588 > Timestamp echo reply: 4136500699 > [SEQ/ACK analysis] > [iRTT: 0.000378000 seconds] > [Bytes in flight: 216] >NetBIOS Session Service > Message Type: Session message (0x00) > Length: 212 >SMB (Server Message Block Protocol) > SMB Header > Server Component: SMB > SMB Command: Negotiate Protocol (0x72) > NT Status: STATUS_SUCCESS (0x00000000) > Flags: 0x18 > 0... .... = Request/Response: Message is a request to the server > .0.. .... = Notify: Notify client only on open > ..0. .... = Oplocks: OpLock not requested/granted > ...1 .... = Canonicalized Pathnames: Pathnames are canonicalized > .... 1... = Case Sensitivity: Path names are caseless > .... ..0. = Receive Buffer Posted: Receive buffer has not been posted > .... ...0 = Lock and Read: Lock&Read, Write&Unlock are not supported > Flags2: 0xc843 > 1... .... .... .... = Unicode Strings: Strings are Unicode > .1.. .... .... .... = Error Code Type: Error codes are NT error codes > ..0. .... .... .... = Execute-only Reads: Don't permit reads if execute-only > ...0 .... .... .... = Dfs: Don't resolve pathnames with Dfs > .... 1... .... .... = Extended Security Negotiation: Extended security negotiation is supported > .... .0.. .... .... = Reparse Path: The request does not use a @GMT reparse path > .... .... .1.. .... = Long Names Used: Path names in request are long file names > .... .... ...0 .... = Security Signatures Required: Security signatures are not required > .... .... .... 0... = Compressed: Compression is not requested > .... .... .... .0.. = Security Signatures: Security signatures are not supported > .... .... .... ..1. = Extended Attributes: Extended attributes are supported > .... .... .... 
...1 = Long Names Allowed: Long file names are allowed in the response > Process ID High: 0 > Signature: ******************************** > Reserved: 0000 > Tree ID: 0 > Process ID: 65534 > User ID: 0 > Multiplex ID: 0 > Negotiate Protocol Request (0x72) > Word Count (WCT): 0 > Byte Count (BCC): 177 > Requested Dialects > Dialect: PC NETWORK PROGRAM 1.0 > Buffer Format: Dialect (2) > Name: PC NETWORK PROGRAM 1.0 > Dialect: MICROSOFT NETWORKS 1.03 > Buffer Format: Dialect (2) > Name: MICROSOFT NETWORKS 1.03 > Dialect: MICROSOFT NETWORKS 3.0 > Buffer Format: Dialect (2) > Name: MICROSOFT NETWORKS 3.0 > Dialect: LANMAN1.0 > Buffer Format: Dialect (2) > Name: LANMAN1.0 > Dialect: LM1.2X002 > Buffer Format: Dialect (2) > Name: LM1.2X002 > Dialect: DOS LANMAN2.1 > Buffer Format: Dialect (2) > Name: DOS LANMAN2.1 > Dialect: LANMAN2.1 > Buffer Format: Dialect (2) > Name: LANMAN2.1 > Dialect: Samba > Buffer Format: Dialect (2) > Name: Samba > Dialect: NT LANMAN 1.0 > Buffer Format: Dialect (2) > Name: NT LANMAN 1.0 > Dialect: NT LM 0.12 > Buffer Format: Dialect (2) > Name: NT LM 0.12 > Dialect: SMB 2.002 > Buffer Format: Dialect (2) > Name: SMB 2.002 > Dialect: SMB 2.??? > Buffer Format: Dialect (2) > Name: SMB 2.??? > >No. 
Time Source Destination Protocol Length Info > 5 0.001051 10.96.*.* 10.9.*.* SMB2 320 Negotiate Protocol Response > >Frame 5: 320 bytes on wire (2560 bits), 320 bytes captured (2560 bits) > Encapsulation type: Ethernet (1) > Arrival Time: Jun 2, 2016 08:35:31.409653000 CEST > [Time shift for this packet: 0.000000000 seconds] > Epoch Time: 1464849331.409653000 seconds > [Time delta from previous captured frame: 0.000500000 seconds] > [Time delta from previous displayed frame: 0.000500000 seconds] > [Time since reference or first frame: 0.001051000 seconds] > Frame Number: 5 > Frame Length: 320 bytes (2560 bits) > Capture Length: 320 bytes (2560 bits) > [Frame is marked: False] > [Frame is ignored: False] > [Protocols in frame: eth:ethertype:ip:tcp:nbss:smb2:gss-api:spnego] > [Coloring Rule Name: SMB] > [Coloring Rule String: smb || nbss || nbns || nbipx || ipxsap || netbios] >Ethernet II, Src: Manufacturer2_11:11:11 (11:11:11:11:11:11), Dst: Manufacturer_00:00:00 (00:00:00:00:00:00) > Destination: Manufacturer_00:00:00 (00:00:00:00:00:00) > Address: Manufacturer_00:00:00 (00:00:00:00:00:00) > .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) > .... ...0 .... .... .... .... = IG bit: Individual address (unicast) > Source: Manufacturer2_11:11:11 (11:11:11:11:11:11) > Address: Manufacturer2_11:11:11 (11:11:11:11:11:11) > .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) > .... ...0 .... .... .... .... = IG bit: Individual address (unicast) > Type: IP (0x0800) >Internet Protocol Version 4, Src: 10.96.*.* (10.96.*.*), Dst: 10.9.*.* (10.9.*.*) > Version: 4 > Header Length: 20 bytes > Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport)) > 0000 00.. = Differentiated Services Codepoint: Default (0x00) > .... 
..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00) > Total Length: 306 > Identification: 0x4f98 (20376) > Flags: 0x02 (Don't Fragment) > 0... .... = Reserved bit: Not set > .1.. .... = Don't fragment: Set > ..0. .... = More fragments: Not set > Fragment offset: 0 > Time to live: 62 > Protocol: TCP (6) > Header checksum: 0xd155 [validation disabled] > [Good: False] > [Bad: False] > Source: 10.96.*.* (10.96.*.*) > Destination: 10.9.*.* (10.9.*.*) > [Source GeoIP: Unknown] > [Destination GeoIP: Unknown] >Transmission Control Protocol, Src Port: 445 (445), Dst Port: 57892 (57892), Seq: 1, Ack: 217, Len: 254 > Source Port: 445 (445) > Destination Port: 57892 (57892) > [Stream index: 0] > [TCP Segment Len: 254] > Sequence number: 1 (relative sequence number) > [Next sequence number: 255 (relative sequence number)] > Acknowledgment number: 217 (relative ack number) > Header Length: 32 bytes > .... 0000 0001 1000 = Flags: 0x018 (PSH, ACK) > 000. .... .... = Reserved: Not set > ...0 .... .... = Nonce: Not set > .... 0... .... = Congestion Window Reduced (CWR): Not set > .... .0.. .... = ECN-Echo: Not set > .... ..0. .... = Urgent: Not set > .... ...1 .... = Acknowledgment: Set > .... .... 1... = Push: Set > .... .... .0.. = Reset: Not set > .... .... ..0. = Syn: Not set > .... .... ...0 = Fin: Not set > Window size value: 262 > [Calculated window size: 33536] > [Window size scaling factor: 128] > Checksum: 0xa067 [validation disabled] > [Good Checksum: False] > [Bad Checksum: False] > Urgent pointer: 0 > Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps > No-Operation (NOP) > Type: 1 > 0... .... = Copy on fragmentation: No > .00. .... = Class: Control (0) > ...0 0001 = Number: No-Operation (NOP) (1) > No-Operation (NOP) > Type: 1 > 0... .... = Copy on fragmentation: No > .00. .... 
= Class: Control (0) > ...0 0001 = Number: No-Operation (NOP) (1) > Timestamps: TSval 4136500700, TSecr 264084588 > Kind: Time Stamp Option (8) > Length: 10 > Timestamp value: 4136500700 > Timestamp echo reply: 264084588 > [SEQ/ACK analysis] > [This is an ACK to the segment in frame: 4] > [The RTT to ACK the segment was: 0.000500000 seconds] > [iRTT: 0.000378000 seconds] > [Bytes in flight: 254] >NetBIOS Session Service > Message Type: Session message (0x00) > Length: 250 >SMB2 (Server Message Block Protocol version 2) > SMB2 Header > Server Component: SMB2 > Header Length: 64 > Credit Charge: 0 > NT Status: STATUS_SUCCESS (0x00000000) > Command: Negotiate Protocol (0) > Credits granted: 1 > Flags: 0x00000001 > .... .... .... .... .... .... .... ...1 = Response: This is a RESPONSE > .... .... .... .... .... .... .... ..0. = Async command: This is a SYNC command > .... .... .... .... .... .... .... .0.. = Chained: This pdu is NOT a chained command > .... .... .... .... .... .... .... 0... = Signing: This pdu is NOT signed > ...0 .... .... .... .... .... .... .... = DFS operation: This is a normal operation > ..0. .... .... .... .... .... .... .... = Replay operation: This is NOT a replay operation > Chain Offset: 0x00000000 > Message ID: 0 > Process Id: 0x00000000 > Tree Id: 0x00000000 > Session Id: 0x0000000000000000 > Signature: ******************************** > Negotiate Protocol Response (0x00) > StructureSize: 0x0041 > 0000 0000 0100 000. = Fixed Part Length: 64 > .... .... .... ...1 = Dynamic Part: True > Security mode: 0x01 > .... ...1 = Signing enabled: True > .... ..0. = Signing required: False > Dialect: 0x02ff > Server Guid: 11111111-1111-1111-1111-111111111111 > Capabilities: 0x00000003 > .... .... .... .... .... .... .... ...1 = DFS: This host supports DFS > .... .... .... .... .... .... .... ..1. = LEASING: This host supports LEASING > .... .... .... .... .... .... .... .0.. = LARGE MTU: This host does NOT support LARGE_MTU > .... .... .... .... .... 
.... .... 0... = MULTI CHANNEL: This host does NOT support MULTI CHANNEL > .... .... .... .... .... .... ...0 .... = PERSISTENT HANDLES: This host does NOT support PERSISTENT HANDLES > .... .... .... .... .... .... ..0. .... = DIRECTORY LEASING: This host does NOT support DIRECTORY LEASING > .... .... .... .... .... .... .0.. .... = ENCRYPTION: This host does NOT support ENCRYPTION > Max Transaction Size: 65536 > Max Read Size: 65536 > Max Write Size: 65536 > Current Time: Jun 2, 2016 08:35:31.409494000 CEST > Boot Time: Apr 15, 2016 11:33:41.142700000 CEST > Security Blob: ************************* > Offset: 0x00000080 > Length: 122 > GSS-API Generic Security Service Application Program Interface > OID: 1.3.6.1.5.5.2 (SPNEGO - Simple Protected Negotiation) > Simple Protected Negotiation > negTokenInit > mechTypes: 3 items > MechType: 1.2.840.48018.1.2.2 (MS KRB5 - Microsoft Kerberos 5) > MechType: 1.2.840.113554.1.2.2 (KRB5 - Kerberos 5) > MechType: 1.3.6.1.4.1.311.2.2.10 (NTLMSSP - Microsoft NTLM Security Support Provider) > negHints > hintName: not_defined_in_RFC4178@please_ignore > >No. 
Time Source Destination Protocol Length Info > 6 0.001072 10.9.*.* 10.96.*.* TCP 66 57892→445 [ACK] Seq=217 Ack=255 Win=30336 Len=0 TSval=264084588 TSecr=4136500700 > >Frame 6: 66 bytes on wire (528 bits), 66 bytes captured (528 bits) > Encapsulation type: Ethernet (1) > Arrival Time: Jun 2, 2016 08:35:31.409674000 CEST > [Time shift for this packet: 0.000000000 seconds] > Epoch Time: 1464849331.409674000 seconds > [Time delta from previous captured frame: 0.000021000 seconds] > [Time delta from previous displayed frame: 0.000021000 seconds] > [Time since reference or first frame: 0.001072000 seconds] > Frame Number: 6 > Frame Length: 66 bytes (528 bits) > Capture Length: 66 bytes (528 bits) > [Frame is marked: False] > [Frame is ignored: False] > [Protocols in frame: eth:ethertype:ip:tcp] > [Coloring Rule Name: TCP] > [Coloring Rule String: tcp] >Ethernet II, Src: Manufacturer_00:00:00 (00:00:00:00:00:00), Dst: Manufacturer2_11:11:11 (11:11:11:11:11:11) > Destination: Manufacturer2_11:11:11 (11:11:11:11:11:11) > Address: Manufacturer2_11:11:11 (11:11:11:11:11:11) > .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) > .... ...0 .... .... .... .... = IG bit: Individual address (unicast) > Source: Manufacturer_00:00:00 (00:00:00:00:00:00) > Address: Manufacturer_00:00:00 (00:00:00:00:00:00) > .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) > .... ...0 .... .... .... .... = IG bit: Individual address (unicast) > Type: IP (0x0800) >Internet Protocol Version 4, Src: 10.9.*.* (10.9.*.*), Dst: 10.96.*.* (10.96.*.*) > Version: 4 > Header Length: 20 bytes > Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport)) > 0000 00.. = Differentiated Services Codepoint: Default (0x00) > .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00) > Total Length: 52 > Identification: 0x9527 (38183) > Flags: 0x02 (Don't Fragment) > 0... ....
= Reserved bit: Not set > .1.. .... = Don't fragment: Set > ..0. .... = More fragments: Not set > Fragment offset: 0 > Time to live: 64 > Protocol: TCP (6) > Header checksum: 0x8ac4 [validation disabled] > [Good: False] > [Bad: False] > Source: 10.9.*.* (10.9.*.*) > Destination: 10.96.*.* (10.96.*.*) > [Source GeoIP: Unknown] > [Destination GeoIP: Unknown] >Transmission Control Protocol, Src Port: 57892 (57892), Dst Port: 445 (445), Seq: 217, Ack: 255, Len: 0 > Source Port: 57892 (57892) > Destination Port: 445 (445) > [Stream index: 0] > [TCP Segment Len: 0] > Sequence number: 217 (relative sequence number) > Acknowledgment number: 255 (relative ack number) > Header Length: 32 bytes > .... 0000 0001 0000 = Flags: 0x010 (ACK) > 000. .... .... = Reserved: Not set > ...0 .... .... = Nonce: Not set > .... 0... .... = Congestion Window Reduced (CWR): Not set > .... .0.. .... = ECN-Echo: Not set > .... ..0. .... = Urgent: Not set > .... ...1 .... = Acknowledgment: Set > .... .... 0... = Push: Not set > .... .... .0.. = Reset: Not set > .... .... ..0. = Syn: Not set > .... .... ...0 = Fin: Not set > Window size value: 237 > [Calculated window size: 30336] > [Window size scaling factor: 128] > Checksum: 0x5eef [validation disabled] > [Good Checksum: False] > [Bad Checksum: False] > Urgent pointer: 0 > Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps > No-Operation (NOP) > Type: 1 > 0... .... = Copy on fragmentation: No > .00. .... = Class: Control (0) > ...0 0001 = Number: No-Operation (NOP) (1) > No-Operation (NOP) > Type: 1 > 0... .... = Copy on fragmentation: No > .00. .... 
= Class: Control (0) > ...0 0001 = Number: No-Operation (NOP) (1) > Timestamps: TSval 264084588, TSecr 4136500700 > Kind: Time Stamp Option (8) > Length: 10 > Timestamp value: 264084588 > Timestamp echo reply: 4136500700 > [SEQ/ACK analysis] > [This is an ACK to the segment in frame: 5] > [The RTT to ACK the segment was: 0.000021000 seconds] > [iRTT: 0.000378000 seconds] > >No. Time Source Destination Protocol Length Info > 7 0.001206 10.9.*.* 10.96.*.* SMB2 252 Negotiate Protocol Request > >Frame 7: 252 bytes on wire (2016 bits), 252 bytes captured (2016 bits) > Encapsulation type: Ethernet (1) > Arrival Time: Jun 2, 2016 08:35:31.409808000 CEST > [Time shift for this packet: 0.000000000 seconds] > Epoch Time: 1464849331.409808000 seconds > [Time delta from previous captured frame: 0.000134000 seconds] > [Time delta from previous displayed frame: 0.000134000 seconds] > [Time since reference or first frame: 0.001206000 seconds] > Frame Number: 7 > Frame Length: 252 bytes (2016 bits) > Capture Length: 252 bytes (2016 bits) > [Frame is marked: False] > [Frame is ignored: False] > [Protocols in frame: eth:ethertype:ip:tcp:nbss:smb2] > [Coloring Rule Name: SMB] > [Coloring Rule String: smb || nbss || nbns || nbipx || ipxsap || netbios] >Ethernet II, Src: Manufacturer_00:00:00 (00:00:00:00:00:00), Dst: Manufacturer2_11:11:11 (11:11:11:11:11:11) > Destination: Manufacturer2_11:11:11 (11:11:11:11:11:11) > Address: Manufacturer2_11:11:11 (11:11:11:11:11:11) > .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) > .... ...0 .... .... .... .... = IG bit: Individual address (unicast) > Source: Manufacturer_00:00:00 (00:00:00:00:00:00) > Address: Manufacturer_00:00:00 (00:00:00:00:00:00) > .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) > .... ...0 .... .... .... .... 
= IG bit: Individual address (unicast) > Type: IP (0x0800) >Internet Protocol Version 4, Src: 10.9.*.* (10.9.*.*), Dst: 10.96.*.* (10.96.*.*) > Version: 4 > Header Length: 20 bytes > Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport)) > 0000 00.. = Differentiated Services Codepoint: Default (0x00) > .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00) > Total Length: 238 > Identification: 0x9528 (38184) > Flags: 0x02 (Don't Fragment) > 0... .... = Reserved bit: Not set > .1.. .... = Don't fragment: Set > ..0. .... = More fragments: Not set > Fragment offset: 0 > Time to live: 64 > Protocol: TCP (6) > Header checksum: 0x8a09 [validation disabled] > [Good: False] > [Bad: False] > Source: 10.9.*.* (10.9.*.*) > Destination: 10.96.*.* (10.96.*.*) > [Source GeoIP: Unknown] > [Destination GeoIP: Unknown] >Transmission Control Protocol, Src Port: 57892 (57892), Dst Port: 445 (445), Seq: 217, Ack: 255, Len: 186 > Source Port: 57892 (57892) > Destination Port: 445 (445) > [Stream index: 0] > [TCP Segment Len: 186] > Sequence number: 217 (relative sequence number) > [Next sequence number: 403 (relative sequence number)] > Acknowledgment number: 255 (relative ack number) > Header Length: 32 bytes > .... 0000 0001 1000 = Flags: 0x018 (PSH, ACK) > 000. .... .... = Reserved: Not set > ...0 .... .... = Nonce: Not set > .... 0... .... = Congestion Window Reduced (CWR): Not set > .... .0.. .... = ECN-Echo: Not set > .... ..0. .... = Urgent: Not set > .... ...1 .... = Acknowledgment: Set > .... .... 1... = Push: Set > .... .... .0.. = Reset: Not set > .... .... ..0. = Syn: Not set > .... .... 
...0 = Fin: Not set > Window size value: 237 > [Calculated window size: 30336] > [Window size scaling factor: 128] > Checksum: 0xd2c7 [validation disabled] > [Good Checksum: False] > [Bad Checksum: False] > Urgent pointer: 0 > Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps > No-Operation (NOP) > Type: 1 > 0... .... = Copy on fragmentation: No > .00. .... = Class: Control (0) > ...0 0001 = Number: No-Operation (NOP) (1) > No-Operation (NOP) > Type: 1 > 0... .... = Copy on fragmentation: No > .00. .... = Class: Control (0) > ...0 0001 = Number: No-Operation (NOP) (1) > Timestamps: TSval 264084589, TSecr 4136500700 > Kind: Time Stamp Option (8) > Length: 10 > Timestamp value: 264084589 > Timestamp echo reply: 4136500700 > [SEQ/ACK analysis] > [iRTT: 0.000378000 seconds] > [Bytes in flight: 186] >NetBIOS Session Service > Message Type: Session message (0x00) > Length: 182 >SMB2 (Server Message Block Protocol version 2) > SMB2 Header > Server Component: SMB2 > Header Length: 64 > Credit Charge: 0 > Channel Sequence: 0 > Reserved: 0000 > Command: Negotiate Protocol (0) > Credits requested: 0 > Flags: 0x00000000 > .... .... .... .... .... .... .... ...0 = Response: This is a REQUEST > .... .... .... .... .... .... .... ..0. = Async command: This is a SYNC command > .... .... .... .... .... .... .... .0.. = Chained: This pdu is NOT a chained command > .... .... .... .... .... .... .... 0... = Signing: This pdu is NOT signed > ...0 .... .... .... .... .... .... .... = DFS operation: This is a normal operation > ..0. .... .... .... .... .... .... .... = Replay operation: This is NOT a replay operation > Chain Offset: 0x00000000 > Message ID: 1 > Process Id: 0x00000000 > Tree Id: 0x00000000 > Session Id: 0x0000000000000000 > Signature: ******************************** > [Response in: 8] > Negotiate Protocol Request (0x00) > StructureSize: 0x0024 > 0000 0000 0010 010. = Fixed Part Length: 36 > .... .... .... 
...0 = Dynamic Part: False > Dialect count: 8 > Security mode: 0x01 > .... ...1 = Signing enabled: True > .... ..0. = Signing required: False > Capabilities: 0x0000007f > .... .... .... .... .... .... .... ...1 = DFS: This host supports DFS > .... .... .... .... .... .... .... ..1. = LEASING: This host supports LEASING > .... .... .... .... .... .... .... .1.. = LARGE MTU: This host supports LARGE_MTU > .... .... .... .... .... .... .... 1... = MULTI CHANNEL: This host supports MULTI CHANNEL > .... .... .... .... .... .... ...1 .... = PERSISTENT HANDLES: This host supports PERSISTENT HANDLES > .... .... .... .... .... .... ..1. .... = DIRECTORY LEASING: This host supports DIRECTORY LEASING > .... .... .... .... .... .... .1.. .... = ENCRYPTION: This host supports ENCRYPTION > Client Guid: 00000000-0000-0000-0000-000000000000 > Boot Time: Jan 1, 1601 01:07:46.993471200 LMT > Dialect: 0x0202 > Dialect: 0x0210 > Dialect: 0x0222 > Dialect: 0x0224 > Dialect: 0x0300 > Dialect: 0x0302 > Dialect: 0x0310 > Dialect: 0x0311 > >No. 
Time Source Destination Protocol Length Info > 8 0.001674 10.96.*.* 10.9.*.* SMB2 320 Negotiate Protocol Response > >Frame 8: 320 bytes on wire (2560 bits), 320 bytes captured (2560 bits) > Encapsulation type: Ethernet (1) > Arrival Time: Jun 2, 2016 08:35:31.410276000 CEST > [Time shift for this packet: 0.000000000 seconds] > Epoch Time: 1464849331.410276000 seconds > [Time delta from previous captured frame: 0.000468000 seconds] > [Time delta from previous displayed frame: 0.000468000 seconds] > [Time since reference or first frame: 0.001674000 seconds] > Frame Number: 8 > Frame Length: 320 bytes (2560 bits) > Capture Length: 320 bytes (2560 bits) > [Frame is marked: False] > [Frame is ignored: False] > [Protocols in frame: eth:ethertype:ip:tcp:nbss:smb2:gss-api:spnego] > [Number of per-protocol-data: 1] > [Simple Protected Negotiation, key 0] > [Coloring Rule Name: SMB] > [Coloring Rule String: smb || nbss || nbns || nbipx || ipxsap || netbios] >Ethernet II, Src: Manufacturer2_11:11:11 (11:11:11:11:11:11), Dst: Manufacturer_00:00:00 (00:00:00:00:00:00) > Destination: Manufacturer_00:00:00 (00:00:00:00:00:00) > Address: Manufacturer_00:00:00 (00:00:00:00:00:00) > .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) > .... ...0 .... .... .... .... = IG bit: Individual address (unicast) > Source: Manufacturer2_11:11:11 (11:11:11:11:11:11) > Address: Manufacturer2_11:11:11 (11:11:11:11:11:11) > .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) > .... ...0 .... .... .... .... = IG bit: Individual address (unicast) > Type: IP (0x0800) >Internet Protocol Version 4, Src: 10.96.*.* (10.96.*.*), Dst: 10.9.*.* (10.9.*.*) > Version: 4 > Header Length: 20 bytes > Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport)) > 0000 00.. = Differentiated Services Codepoint: Default (0x00) > .... 
..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00) > Total Length: 306 > Identification: 0x5098 (20632) > Flags: 0x02 (Don't Fragment) > 0... .... = Reserved bit: Not set > .1.. .... = Don't fragment: Set > ..0. .... = More fragments: Not set > Fragment offset: 0 > Time to live: 62 > Protocol: TCP (6) > Header checksum: 0xd055 [validation disabled] > [Good: False] > [Bad: False] > Source: 10.96.*.* (10.96.*.*) > Destination: 10.9.*.* (10.9.*.*) > [Source GeoIP: Unknown] > [Destination GeoIP: Unknown] >Transmission Control Protocol, Src Port: 445 (445), Dst Port: 57892 (57892), Seq: 255, Ack: 403, Len: 254 > Source Port: 445 (445) > Destination Port: 57892 (57892) > [Stream index: 0] > [TCP Segment Len: 254] > Sequence number: 255 (relative sequence number) > [Next sequence number: 509 (relative sequence number)] > Acknowledgment number: 403 (relative ack number) > Header Length: 32 bytes > .... 0000 0001 1000 = Flags: 0x018 (PSH, ACK) > 000. .... .... = Reserved: Not set > ...0 .... .... = Nonce: Not set > .... 0... .... = Congestion Window Reduced (CWR): Not set > .... .0.. .... = ECN-Echo: Not set > .... ..0. .... = Urgent: Not set > .... ...1 .... = Acknowledgment: Set > .... .... 1... = Push: Set > .... .... .0.. = Reset: Not set > .... .... ..0. = Syn: Not set > .... .... ...0 = Fin: Not set > Window size value: 262 > [Calculated window size: 33536] > [Window size scaling factor: 128] > Checksum: 0x3286 [validation disabled] > [Good Checksum: False] > [Bad Checksum: False] > Urgent pointer: 0 > Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps > No-Operation (NOP) > Type: 1 > 0... .... = Copy on fragmentation: No > .00. .... = Class: Control (0) > ...0 0001 = Number: No-Operation (NOP) (1) > No-Operation (NOP) > Type: 1 > 0... .... = Copy on fragmentation: No > .00. .... 
= Class: Control (0) > ...0 0001 = Number: No-Operation (NOP) (1) > Timestamps: TSval 4136500701, TSecr 264084589 > Kind: Time Stamp Option (8) > Length: 10 > Timestamp value: 4136500701 > Timestamp echo reply: 264084589 > [SEQ/ACK analysis] > [This is an ACK to the segment in frame: 7] > [The RTT to ACK the segment was: 0.000468000 seconds] > [iRTT: 0.000378000 seconds] > [Bytes in flight: 254] >NetBIOS Session Service > Message Type: Session message (0x00) > Length: 250 >SMB2 (Server Message Block Protocol version 2) > SMB2 Header > Server Component: SMB2 > Header Length: 64 > Credit Charge: 0 > NT Status: STATUS_SUCCESS (0x00000000) > Command: Negotiate Protocol (0) > Credits granted: 1 > Flags: 0x00000001 > .... .... .... .... .... .... .... ...1 = Response: This is a RESPONSE > .... .... .... .... .... .... .... ..0. = Async command: This is a SYNC command > .... .... .... .... .... .... .... .0.. = Chained: This pdu is NOT a chained command > .... .... .... .... .... .... .... 0... = Signing: This pdu is NOT signed > ...0 .... .... .... .... .... .... .... = DFS operation: This is a normal operation > ..0. .... .... .... .... .... .... .... = Replay operation: This is NOT a replay operation > Chain Offset: 0x00000000 > Message ID: 1 > Process Id: 0x00000000 > Tree Id: 0x00000000 > Session Id: 0x0000000000000000 > Signature: ******************************** > [Response to: 7] > [Time from request: 0.000468000 seconds] > Negotiate Protocol Response (0x00) > StructureSize: 0x0041 > 0000 0000 0100 000. = Fixed Part Length: 64 > .... .... .... ...1 = Dynamic Part: True > Security mode: 0x01 > .... ...1 = Signing enabled: True > .... ..0. = Signing required: False > Dialect: 0x0300 > Server Guid: 11111111-1111-1111-1111-111111111111 > Capabilities: 0x00000053 > .... .... .... .... .... .... .... ...1 = DFS: This host supports DFS > .... .... .... .... .... .... .... ..1. = LEASING: This host supports LEASING > .... .... .... .... .... .... .... .0.. 
= LARGE MTU: This host does NOT support LARGE_MTU > .... .... .... .... .... .... .... 0... = MULTI CHANNEL: This host does NOT support MULTI CHANNEL > .... .... .... .... .... .... ...1 .... = PERSISTENT HANDLES: This host supports PERSISTENT HANDLES > .... .... .... .... .... .... ..0. .... = DIRECTORY LEASING: This host does NOT support DIRECTORY LEASING > .... .... .... .... .... .... .1.. .... = ENCRYPTION: This host supports ENCRYPTION > Max Transaction Size: 65536 > Max Read Size: 65536 > Max Write Size: 65536 > Current Time: Jun 2, 2016 08:35:31.410495000 CEST > Boot Time: Apr 15, 2016 11:33:41.142700000 CEST > Security Blob: ************************* > Offset: 0x00000080 > Length: 122 > GSS-API Generic Security Service Application Program Interface > OID: 1.3.6.1.5.5.2 (SPNEGO - Simple Protected Negotiation) > Simple Protected Negotiation > negTokenInit > mechTypes: 3 items > MechType: 1.2.840.48018.1.2.2 (MS KRB5 - Microsoft Kerberos 5) > MechType: 1.2.840.113554.1.2.2 (KRB5 - Kerberos 5) > MechType: 1.3.6.1.4.1.311.2.2.10 (NTLMSSP - Microsoft NTLM Security Support Provider) > negHints > hintName: not_defined_in_RFC4178@please_ignore > >No. 
Time Source Destination Protocol Length Info > 9 0.041189 10.9.*.* 10.96.*.* TCP 66 57892→445 [ACK] Seq=403 Ack=509 Win=31360 Len=0 TSval=264084629 TSecr=4136500701 > >Frame 9: 66 bytes on wire (528 bits), 66 bytes captured (528 bits) > Encapsulation type: Ethernet (1) > Arrival Time: Jun 2, 2016 08:35:31.449791000 CEST > [Time shift for this packet: 0.000000000 seconds] > Epoch Time: 1464849331.449791000 seconds > [Time delta from previous captured frame: 0.039515000 seconds] > [Time delta from previous displayed frame: 0.039515000 seconds] > [Time since reference or first frame: 0.041189000 seconds] > Frame Number: 9 > Frame Length: 66 bytes (528 bits) > Capture Length: 66 bytes (528 bits) > [Frame is marked: False] > [Frame is ignored: False] > [Protocols in frame: eth:ethertype:ip:tcp] > [Coloring Rule Name: TCP] > [Coloring Rule String: tcp] >Ethernet II, Src: Manufacturer_00:00:00 (00:00:00:00:00:00), Dst: Manufacturer2_11:11:11 (11:11:11:11:11:11) > Destination: Manufacturer2_11:11:11 (11:11:11:11:11:11) > Address: Manufacturer2_11:11:11 (11:11:11:11:11:11) > .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) > .... ...0 .... .... .... .... = IG bit: Individual address (unicast) > Source: Manufacturer_00:00:00 (00:00:00:00:00:00) > Address: Manufacturer_00:00:00 (00:00:00:00:00:00) > .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) > .... ...0 .... .... .... .... = IG bit: Individual address (unicast) > Type: IP (0x0800) >Internet Protocol Version 4, Src: 10.9.*.* (10.9.*.*), Dst: 10.96.*.* (10.96.*.*) > Version: 4 > Header Length: 20 bytes > Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport)) > 0000 00.. = Differentiated Services Codepoint: Default (0x00) > .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00) > Total Length: 52 > Identification: 0x9529 (38185) > Flags: 0x02 (Don't Fragment) > 0... .... 
= Reserved bit: Not set > .1.. .... = Don't fragment: Set > ..0. .... = More fragments: Not set > Fragment offset: 0 > Time to live: 64 > Protocol: TCP (6) > Header checksum: 0x8ac2 [validation disabled] > [Good: False] > [Bad: False] > Source: 10.9.*.* (10.9.*.*) > Destination: 10.96.*.* (10.96.*.*) > [Source GeoIP: Unknown] > [Destination GeoIP: Unknown] >Transmission Control Protocol, Src Port: 57892 (57892), Dst Port: 445 (445), Seq: 403, Ack: 509, Len: 0 > Source Port: 57892 (57892) > Destination Port: 445 (445) > [Stream index: 0] > [TCP Segment Len: 0] > Sequence number: 403 (relative sequence number) > Acknowledgment number: 509 (relative ack number) > Header Length: 32 bytes > .... 0000 0001 0000 = Flags: 0x010 (ACK) > 000. .... .... = Reserved: Not set > ...0 .... .... = Nonce: Not set > .... 0... .... = Congestion Window Reduced (CWR): Not set > .... .0.. .... = ECN-Echo: Not set > .... ..0. .... = Urgent: Not set > .... ...1 .... = Acknowledgment: Set > .... .... 0... = Push: Not set > .... .... .0.. = Reset: Not set > .... .... ..0. = Syn: Not set > .... .... ...0 = Fin: Not set > Window size value: 245 > [Calculated window size: 31360] > [Window size scaling factor: 128] > Checksum: 0x5d05 [validation disabled] > [Good Checksum: False] > [Bad Checksum: False] > Urgent pointer: 0 > Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps > No-Operation (NOP) > Type: 1 > 0... .... = Copy on fragmentation: No > .00. .... = Class: Control (0) > ...0 0001 = Number: No-Operation (NOP) (1) > No-Operation (NOP) > Type: 1 > 0... .... = Copy on fragmentation: No > .00. .... 
= Class: Control (0) > ...0 0001 = Number: No-Operation (NOP) (1) > Timestamps: TSval 264084629, TSecr 4136500701 > Kind: Time Stamp Option (8) > Length: 10 > Timestamp value: 264084629 > Timestamp echo reply: 4136500701 > [SEQ/ACK analysis] > [This is an ACK to the segment in frame: 8] > [The RTT to ACK the segment was: 0.039515000 seconds] > [iRTT: 0.000378000 seconds] > >No. Time Source Destination Protocol Length Info > 10 0.425756 10.9.*.* 10.96.*.* TCP 1514 [TCP segment of a reassembled PDU] > >Frame 10: 1514 bytes on wire (12112 bits), 1514 bytes captured (12112 bits) > Encapsulation type: Ethernet (1) > Arrival Time: Jun 2, 2016 08:35:31.834358000 CEST > [Time shift for this packet: 0.000000000 seconds] > Epoch Time: 1464849331.834358000 seconds > [Time delta from previous captured frame: 0.384567000 seconds] > [Time delta from previous displayed frame: 0.384567000 seconds] > [Time since reference or first frame: 0.425756000 seconds] > Frame Number: 10 > Frame Length: 1514 bytes (12112 bits) > Capture Length: 1514 bytes (12112 bits) > [Frame is marked: False] > [Frame is ignored: False] > [Protocols in frame: eth:ethertype:ip:tcp] > [Coloring Rule Name: TCP] > [Coloring Rule String: tcp] >Ethernet II, Src: Manufacturer_00:00:00 (00:00:00:00:00:00), Dst: Manufacturer2_11:11:11 (11:11:11:11:11:11) > Destination: Manufacturer2_11:11:11 (11:11:11:11:11:11) > Address: Manufacturer2_11:11:11 (11:11:11:11:11:11) > .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) > .... ...0 .... .... .... .... = IG bit: Individual address (unicast) > Source: Manufacturer_00:00:00 (00:00:00:00:00:00) > Address: Manufacturer_00:00:00 (00:00:00:00:00:00) > .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) > .... ...0 .... .... .... .... 
= IG bit: Individual address (unicast) > Type: IP (0x0800) >Internet Protocol Version 4, Src: 10.9.*.* (10.9.*.*), Dst: 10.96.*.* (10.96.*.*) > Version: 4 > Header Length: 20 bytes > Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport)) > 0000 00.. = Differentiated Services Codepoint: Default (0x00) > .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00) > Total Length: 1500 > Identification: 0x952a (38186) > Flags: 0x02 (Don't Fragment) > 0... .... = Reserved bit: Not set > .1.. .... = Don't fragment: Set > ..0. .... = More fragments: Not set > Fragment offset: 0 > Time to live: 64 > Protocol: TCP (6) > Header checksum: 0x8519 [validation disabled] > [Good: False] > [Bad: False] > Source: 10.9.*.* (10.9.*.*) > Destination: 10.96.*.* (10.96.*.*) > [Source GeoIP: Unknown] > [Destination GeoIP: Unknown] >Transmission Control Protocol, Src Port: 57892 (57892), Dst Port: 445 (445), Seq: 403, Ack: 509, Len: 1448 > Source Port: 57892 (57892) > Destination Port: 445 (445) > [Stream index: 0] > [TCP Segment Len: 1448] > Sequence number: 403 (relative sequence number) > [Next sequence number: 1851 (relative sequence number)] > Acknowledgment number: 509 (relative ack number) > Header Length: 32 bytes > .... 0000 0001 0000 = Flags: 0x010 (ACK) > 000. .... .... = Reserved: Not set > ...0 .... .... = Nonce: Not set > .... 0... .... = Congestion Window Reduced (CWR): Not set > .... .0.. .... = ECN-Echo: Not set > .... ..0. .... = Urgent: Not set > .... ...1 .... = Acknowledgment: Set > .... .... 0... = Push: Not set > .... .... .0.. = Reset: Not set > .... .... ..0. = Syn: Not set > .... .... 
...0 = Fin: Not set > Window size value: 245 > [Calculated window size: 31360] > [Window size scaling factor: 128] > Checksum: 0x6b0b [validation disabled] > [Good Checksum: False] > [Bad Checksum: False] > Urgent pointer: 0 > Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps > No-Operation (NOP) > Type: 1 > 0... .... = Copy on fragmentation: No > .00. .... = Class: Control (0) > ...0 0001 = Number: No-Operation (NOP) (1) > No-Operation (NOP) > Type: 1 > 0... .... = Copy on fragmentation: No > .00. .... = Class: Control (0) > ...0 0001 = Number: No-Operation (NOP) (1) > Timestamps: TSval 264085013, TSecr 4136500701 > Kind: Time Stamp Option (8) > Length: 10 > Timestamp value: 264085013 > Timestamp echo reply: 4136500701 > [SEQ/ACK analysis] > [iRTT: 0.000378000 seconds] > [Bytes in flight: 1448] > TCP segment data (1448 bytes) > >No. Time Source Destination Protocol Length Info > 11 0.425769 10.9.*.* 10.96.*.* TCP 1514 [TCP segment of a reassembled PDU] > >Frame 11: 1514 bytes on wire (12112 bits), 1514 bytes captured (12112 bits) > Encapsulation type: Ethernet (1) > Arrival Time: Jun 2, 2016 08:35:31.834371000 CEST > [Time shift for this packet: 0.000000000 seconds] > Epoch Time: 1464849331.834371000 seconds > [Time delta from previous captured frame: 0.000013000 seconds] > [Time delta from previous displayed frame: 0.000013000 seconds] > [Time since reference or first frame: 0.425769000 seconds] > Frame Number: 11 > Frame Length: 1514 bytes (12112 bits) > Capture Length: 1514 bytes (12112 bits) > [Frame is marked: False] > [Frame is ignored: False] > [Protocols in frame: eth:ethertype:ip:tcp] > [Coloring Rule Name: TCP] > [Coloring Rule String: tcp] >Ethernet II, Src: Manufacturer_00:00:00 (00:00:00:00:00:00), Dst: Manufacturer2_11:11:11 (11:11:11:11:11:11) > Destination: Manufacturer2_11:11:11 (11:11:11:11:11:11) > Address: Manufacturer2_11:11:11 (11:11:11:11:11:11) > .... ..0. .... .... .... .... 
= LG bit: Globally unique address (factory default) > .... ...0 .... .... .... .... = IG bit: Individual address (unicast) > Source: Manufacturer_00:00:00 (00:00:00:00:00:00) > Address: Manufacturer_00:00:00 (00:00:00:00:00:00) > .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) > .... ...0 .... .... .... .... = IG bit: Individual address (unicast) > Type: IP (0x0800) >Internet Protocol Version 4, Src: 10.9.*.* (10.9.*.*), Dst: 10.96.*.* (10.96.*.*) > Version: 4 > Header Length: 20 bytes > Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport)) > 0000 00.. = Differentiated Services Codepoint: Default (0x00) > .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00) > Total Length: 1500 > Identification: 0x952b (38187) > Flags: 0x02 (Don't Fragment) > 0... .... = Reserved bit: Not set > .1.. .... = Don't fragment: Set > ..0. .... = More fragments: Not set > Fragment offset: 0 > Time to live: 64 > Protocol: TCP (6) > Header checksum: 0x8518 [validation disabled] > [Good: False] > [Bad: False] > Source: 10.9.*.* (10.9.*.*) > Destination: 10.96.*.* (10.96.*.*) > [Source GeoIP: Unknown] > [Destination GeoIP: Unknown] >Transmission Control Protocol, Src Port: 57892 (57892), Dst Port: 445 (445), Seq: 1851, Ack: 509, Len: 1448 > Source Port: 57892 (57892) > Destination Port: 445 (445) > [Stream index: 0] > [TCP Segment Len: 1448] > Sequence number: 1851 (relative sequence number) > [Next sequence number: 3299 (relative sequence number)] > Acknowledgment number: 509 (relative ack number) > Header Length: 32 bytes > .... 0000 0001 0000 = Flags: 0x010 (ACK) > 000. .... .... = Reserved: Not set > ...0 .... .... = Nonce: Not set > .... 0... .... = Congestion Window Reduced (CWR): Not set > .... .0.. .... = ECN-Echo: Not set > .... ..0. .... = Urgent: Not set > .... ...1 .... = Acknowledgment: Set > .... .... 0... = Push: Not set > .... .... .0.. 
= Reset: Not set > .... .... ..0. = Syn: Not set > .... .... ...0 = Fin: Not set > Window size value: 245 > [Calculated window size: 31360] > [Window size scaling factor: 128] > Checksum: 0x4541 [validation disabled] > [Good Checksum: False] > [Bad Checksum: False] > Urgent pointer: 0 > Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps > No-Operation (NOP) > Type: 1 > 0... .... = Copy on fragmentation: No > .00. .... = Class: Control (0) > ...0 0001 = Number: No-Operation (NOP) (1) > No-Operation (NOP) > Type: 1 > 0... .... = Copy on fragmentation: No > .00. .... = Class: Control (0) > ...0 0001 = Number: No-Operation (NOP) (1) > Timestamps: TSval 264085013, TSecr 4136500701 > Kind: Time Stamp Option (8) > Length: 10 > Timestamp value: 264085013 > Timestamp echo reply: 4136500701 > [SEQ/ACK analysis] > [iRTT: 0.000378000 seconds] > [Bytes in flight: 2896] > [Reassembled PDU in frame: 12] > TCP segment data (1448 bytes) > >No. Time Source Destination Protocol Length Info > 12 0.426039 10.9.*.* 10.96.*.* SMB2 179 Session Setup Request > >Frame 12: 179 bytes on wire (1432 bits), 179 bytes captured (1432 bits) > Encapsulation type: Ethernet (1) > Arrival Time: Jun 2, 2016 08:35:31.834641000 CEST > [Time shift for this packet: 0.000000000 seconds] > Epoch Time: 1464849331.834641000 seconds > [Time delta from previous captured frame: 0.000270000 seconds] > [Time delta from previous displayed frame: 0.000270000 seconds] > [Time since reference or first frame: 0.426039000 seconds] > Frame Number: 12 > Frame Length: 179 bytes (1432 bits) > Capture Length: 179 bytes (1432 bits) > [Frame is marked: False] > [Frame is ignored: False] > [Protocols in frame: eth:ethertype:ip:tcp:nbss:smb2:gss-api:spnego:spnego-krb5] > [Number of per-protocol-data: 1] > [Simple Protected Negotiation, key 0] > [Coloring Rule Name: SMB] > [Coloring Rule String: smb || nbss || nbns || nbipx || ipxsap || netbios] >Ethernet II, Src: Manufacturer_00:00:00 (00:00:00:00:00:00), Dst: 
Manufacturer2_11:11:11 (11:11:11:11:11:11) > Destination: Manufacturer2_11:11:11 (11:11:11:11:11:11) > Address: Manufacturer2_11:11:11 (11:11:11:11:11:11) > .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) > .... ...0 .... .... .... .... = IG bit: Individual address (unicast) > Source: Manufacturer_00:00:00 (00:00:00:00:00:00) > Address: Manufacturer_00:00:00 (00:00:00:00:00:00) > .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) > .... ...0 .... .... .... .... = IG bit: Individual address (unicast) > Type: IP (0x0800) >Internet Protocol Version 4, Src: 10.9.*.* (10.9.*.*), Dst: 10.96.*.* (10.96.*.*) > Version: 4 > Header Length: 20 bytes > Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport)) > 0000 00.. = Differentiated Services Codepoint: Default (0x00) > .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00) > Total Length: 165 > Identification: 0x952c (38188) > Flags: 0x02 (Don't Fragment) > 0... .... = Reserved bit: Not set > .1.. .... = Don't fragment: Set > ..0. .... = More fragments: Not set > Fragment offset: 0 > Time to live: 64 > Protocol: TCP (6) > Header checksum: 0x8a4e [validation disabled] > [Good: False] > [Bad: False] > Source: 10.9.*.* (10.9.*.*) > Destination: 10.96.*.* (10.96.*.*) > [Source GeoIP: Unknown] > [Destination GeoIP: Unknown] >Transmission Control Protocol, Src Port: 57892 (57892), Dst Port: 445 (445), Seq: 3299, Ack: 509, Len: 113 > Source Port: 57892 (57892) > Destination Port: 445 (445) > [Stream index: 0] > [TCP Segment Len: 113] > Sequence number: 3299 (relative sequence number) > [Next sequence number: 3412 (relative sequence number)] > Acknowledgment number: 509 (relative ack number) > Header Length: 32 bytes > .... 0000 0001 1000 = Flags: 0x018 (PSH, ACK) > 000. .... .... = Reserved: Not set > ...0 .... .... = Nonce: Not set > .... 0... .... 
= Congestion Window Reduced (CWR): Not set > .... .0.. .... = ECN-Echo: Not set > .... ..0. .... = Urgent: Not set > .... ...1 .... = Acknowledgment: Set > .... .... 1... = Push: Set > .... .... .0.. = Reset: Not set > .... .... ..0. = Syn: Not set > .... .... ...0 = Fin: Not set > Window size value: 245 > [Calculated window size: 31360] > [Window size scaling factor: 128] > Checksum: 0x58f2 [validation disabled] > [Good Checksum: False] > [Bad Checksum: False] > Urgent pointer: 0 > Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps > No-Operation (NOP) > Type: 1 > 0... .... = Copy on fragmentation: No > .00. .... = Class: Control (0) > ...0 0001 = Number: No-Operation (NOP) (1) > No-Operation (NOP) > Type: 1 > 0... .... = Copy on fragmentation: No > .00. .... = Class: Control (0) > ...0 0001 = Number: No-Operation (NOP) (1) > Timestamps: TSval 264085013, TSecr 4136500701 > Kind: Time Stamp Option (8) > Length: 10 > Timestamp value: 264085013 > Timestamp echo reply: 4136500701 > [SEQ/ACK analysis] > [iRTT: 0.000378000 seconds] > [Bytes in flight: 3009] > TCP segment data (113 bytes) >[3 Reassembled TCP Segments (3009 bytes): #10(1448), #11(1448), #12(113)] > [Frame: 10, payload: 0-1447 (1448 bytes)] > [Frame: 11, payload: 1448-2895 (1448 bytes)] > [Frame: 12, payload: 2896-3008 (113 bytes)] > [Segment count: 3] > [Reassembled TCP length: 3009] > [Reassembled TCP Data: 00000bbdfe534d4240000000000000000100002000000000...] >NetBIOS Session Service > Message Type: Session message (0x00) > Length: 3005 >SMB2 (Server Message Block Protocol version 2) > SMB2 Header > Server Component: SMB2 > Header Length: 64 > Credit Charge: 0 > Channel Sequence: 0 > Reserved: 0000 > Command: Session Setup (1) > Credits requested: 8192 > Flags: 0x00000000 > .... .... .... .... .... .... .... ...0 = Response: This is a REQUEST > .... .... .... .... .... .... .... ..0. = Async command: This is a SYNC command > .... .... .... .... .... .... .... .0.. 
= Chained: This pdu is NOT a chained command > .... .... .... .... .... .... .... 0... = Signing: This pdu is NOT signed > ...0 .... .... .... .... .... .... .... = DFS operation: This is a normal operation > ..0. .... .... .... .... .... .... .... = Replay operation: This is NOT a replay operation > Chain Offset: 0x00000000 > Message ID: 2 > Process Id: 0x00000000 > Tree Id: 0x00000000 > Session Id: 0x0000000000000000 > Signature: ******************************** > [Response in: 15] > Session Setup Request (0x01) > StructureSize: 0x0019 > 0000 0000 0001 100. = Fixed Part Length: 24 > .... .... .... ...1 = Dynamic Part: True > Flags: 0 > .... ...0 = Session Binding Request: False > Security mode: 0x01 > .... ...1 = Signing enabled: True > .... ..0. = Signing required: False > Capabilities: 0x00000001 > .... .... .... .... .... .... .... ...1 = DFS: This host supports DFS > .... .... .... .... .... .... .... ..0. = LEASING: This host does NOT support LEASING > .... .... .... .... .... .... .... .0.. = LARGE MTU: This host does NOT support LARGE_MTU > .... .... .... .... .... .... .... 0... = MULTI CHANNEL: This host does NOT support MULTI CHANNEL > .... .... .... .... .... .... ...0 .... = PERSISTENT HANDLES: This host does NOT support PERSISTENT HANDLES > .... .... .... .... .... .... ..0. .... = DIRECTORY LEASING: This host does NOT support DIRECTORY LEASING > .... .... .... .... .... .... .0.. .... 
= ENCRYPTION: This host does NOT support ENCRYPTION > Channel: None (0x00000000) > Previous Session Id: 0x0000000000000000 > Security Blob: ************************* > Offset: 0x00000058 > Length: 2917 > GSS-API Generic Security Service Application Program Interface > OID: 1.3.6.1.5.5.2 (SPNEGO - Simple Protected Negotiation) > Simple Protected Negotiation > negTokenInit > mechTypes: 2 items > MechType: 1.2.840.48018.1.2.2 (MS KRB5 - Microsoft Kerberos 5) > MechType: 1.2.840.113554.1.2.2 (KRB5 - Kerberos 5) > mechToken: 60820b2b06092a864886f71201020201006e820b1a30820b... > krb5_blob: *******************... > KRB5 OID: 1.2.840.113554.1.2.2 (KRB5 - Kerberos 5) > krb5_tok_id: KRB5_AP_REQ (0x0001) > Kerberos > ap-req > pvno: 5 > msg-type: krb-ap-req (14) > Padding: 0 > ap-options: 20000000 (mutual-required) > 0... .... = reserved: False > .0.. .... = use-session-key: False > ..1. .... = mutual-required: True > ticket > tkt-vno: 5 > realm: AD.TLE.INTERN > sname > name-type: kRB5-NT-PRINCIPAL (1) > name-string: 2 items > KerberosString: cifs > KerberosString: fileserver.fqdn > enc-part > etype: eTYPE-ARCFOUR-HMAC-MD5 (23) > kvno: 4 > cipher: *******************... > authenticator > etype: eTYPE-ARCFOUR-HMAC-MD5 (23) > cipher: *******************... > >No. 
Time Source Destination Protocol Length Info > 13 0.426467 10.96.*.* 10.9.*.* TCP 66 445→57892 [ACK] Seq=509 Ack=3299 Win=30592 Len=0 TSval=4136501125 TSecr=264085013 > >Frame 13: 66 bytes on wire (528 bits), 66 bytes captured (528 bits) > Encapsulation type: Ethernet (1) > Arrival Time: Jun 2, 2016 08:35:31.835069000 CEST > [Time shift for this packet: 0.000000000 seconds] > Epoch Time: 1464849331.835069000 seconds > [Time delta from previous captured frame: 0.000428000 seconds] > [Time delta from previous displayed frame: 0.000428000 seconds] > [Time since reference or first frame: 0.426467000 seconds] > Frame Number: 13 > Frame Length: 66 bytes (528 bits) > Capture Length: 66 bytes (528 bits) > [Frame is marked: False] > [Frame is ignored: False] > [Protocols in frame: eth:ethertype:ip:tcp] > [Coloring Rule Name: TCP] > [Coloring Rule String: tcp] >Ethernet II, Src: Manufacturer2_11:11:11 (11:11:11:11:11:11), Dst: Manufacturer_00:00:00 (00:00:00:00:00:00) > Destination: Manufacturer_00:00:00 (00:00:00:00:00:00) > Address: Manufacturer_00:00:00 (00:00:00:00:00:00) > .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) > .... ...0 .... .... .... .... = IG bit: Individual address (unicast) > Source: Manufacturer2_11:11:11 (11:11:11:11:11:11) > Address: Manufacturer2_11:11:11 (11:11:11:11:11:11) > .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) > .... ...0 .... .... .... .... = IG bit: Individual address (unicast) > Type: IP (0x0800) >Internet Protocol Version 4, Src: 10.96.*.* (10.96.*.*), Dst: 10.9.*.* (10.9.*.*) > Version: 4 > Header Length: 20 bytes > Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport)) > 0000 00.. = Differentiated Services Codepoint: Default (0x00) > .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00) > Total Length: 52 > Identification: 0x3201 (12801) > Flags: 0x02 (Don't Fragment) > 0... .... 
= Reserved bit: Not set > .1.. .... = Don't fragment: Set > ..0. .... = More fragments: Not set > Fragment offset: 0 > Time to live: 62 > Protocol: TCP (6) > Header checksum: 0xefea [validation disabled] > [Good: False] > [Bad: False] > Source: 10.96.*.* (10.96.*.*) > Destination: 10.9.*.* (10.9.*.*) > [Source GeoIP: Unknown] > [Destination GeoIP: Unknown] >Transmission Control Protocol, Src Port: 445 (445), Dst Port: 57892 (57892), Seq: 509, Ack: 3299, Len: 0 > Source Port: 445 (445) > Destination Port: 57892 (57892) > [Stream index: 0] > [TCP Segment Len: 0] > Sequence number: 509 (relative sequence number) > Acknowledgment number: 3299 (relative ack number) > Header Length: 32 bytes > .... 0000 0001 0000 = Flags: 0x010 (ACK) > 000. .... .... = Reserved: Not set > ...0 .... .... = Nonce: Not set > .... 0... .... = Congestion Window Reduced (CWR): Not set > .... .0.. .... = ECN-Echo: Not set > .... ..0. .... = Urgent: Not set > .... ...1 .... = Acknowledgment: Set > .... .... 0... = Push: Not set > .... .... .0.. = Reset: Not set > .... .... ..0. = Syn: Not set > .... .... ...0 = Fin: Not set > Window size value: 239 > [Calculated window size: 30592] > [Window size scaling factor: 128] > Checksum: 0x4e93 [validation disabled] > [Good Checksum: False] > [Bad Checksum: False] > Urgent pointer: 0 > Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps > No-Operation (NOP) > Type: 1 > 0... .... = Copy on fragmentation: No > .00. .... = Class: Control (0) > ...0 0001 = Number: No-Operation (NOP) (1) > No-Operation (NOP) > Type: 1 > 0... .... = Copy on fragmentation: No > .00. .... 
= Class: Control (0) > ...0 0001 = Number: No-Operation (NOP) (1) > Timestamps: TSval 4136501125, TSecr 264085013 > Kind: Time Stamp Option (8) > Length: 10 > Timestamp value: 4136501125 > Timestamp echo reply: 264085013 > [SEQ/ACK analysis] > [This is an ACK to the segment in frame: 11] > [The RTT to ACK the segment was: 0.000698000 seconds] > [iRTT: 0.000378000 seconds] > >No. Time Source Destination Protocol Length Info > 14 0.426656 10.96.*.* 10.9.*.* TCP 66 445→57892 [ACK] Seq=509 Ack=3412 Win=33536 Len=0 TSval=4136501126 TSecr=264085013 > >Frame 14: 66 bytes on wire (528 bits), 66 bytes captured (528 bits) > Encapsulation type: Ethernet (1) > Arrival Time: Jun 2, 2016 08:35:31.835258000 CEST > [Time shift for this packet: 0.000000000 seconds] > Epoch Time: 1464849331.835258000 seconds > [Time delta from previous captured frame: 0.000189000 seconds] > [Time delta from previous displayed frame: 0.000189000 seconds] > [Time since reference or first frame: 0.426656000 seconds] > Frame Number: 14 > Frame Length: 66 bytes (528 bits) > Capture Length: 66 bytes (528 bits) > [Frame is marked: False] > [Frame is ignored: False] > [Protocols in frame: eth:ethertype:ip:tcp] > [Coloring Rule Name: TCP] > [Coloring Rule String: tcp] >Ethernet II, Src: Manufacturer2_11:11:11 (11:11:11:11:11:11), Dst: Manufacturer_00:00:00 (00:00:00:00:00:00) > Destination: Manufacturer_00:00:00 (00:00:00:00:00:00) > Address: Manufacturer_00:00:00 (00:00:00:00:00:00) > .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) > .... ...0 .... .... .... .... = IG bit: Individual address (unicast) > Source: Manufacturer2_11:11:11 (11:11:11:11:11:11) > Address: Manufacturer2_11:11:11 (11:11:11:11:11:11) > .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) > .... ...0 .... .... .... .... 
= IG bit: Individual address (unicast) > Type: IP (0x0800) >Internet Protocol Version 4, Src: 10.96.*.* (10.96.*.*), Dst: 10.9.*.* (10.9.*.*) > Version: 4 > Header Length: 20 bytes > Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport)) > 0000 00.. = Differentiated Services Codepoint: Default (0x00) > .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00) > Total Length: 52 > Identification: 0x3301 (13057) > Flags: 0x02 (Don't Fragment) > 0... .... = Reserved bit: Not set > .1.. .... = Don't fragment: Set > ..0. .... = More fragments: Not set > Fragment offset: 0 > Time to live: 62 > Protocol: TCP (6) > Header checksum: 0xeeea [validation disabled] > [Good: False] > [Bad: False] > Source: 10.96.*.* (10.96.*.*) > Destination: 10.9.*.* (10.9.*.*) > [Source GeoIP: Unknown] > [Destination GeoIP: Unknown] >Transmission Control Protocol, Src Port: 445 (445), Dst Port: 57892 (57892), Seq: 509, Ack: 3412, Len: 0 > Source Port: 445 (445) > Destination Port: 57892 (57892) > [Stream index: 0] > [TCP Segment Len: 0] > Sequence number: 509 (relative sequence number) > Acknowledgment number: 3412 (relative ack number) > Header Length: 32 bytes > .... 0000 0001 0000 = Flags: 0x010 (ACK) > 000. .... .... = Reserved: Not set > ...0 .... .... = Nonce: Not set > .... 0... .... = Congestion Window Reduced (CWR): Not set > .... .0.. .... = ECN-Echo: Not set > .... ..0. .... = Urgent: Not set > .... ...1 .... = Acknowledgment: Set > .... .... 0... = Push: Not set > .... .... .0.. = Reset: Not set > .... .... ..0. = Syn: Not set > .... .... ...0 = Fin: Not set > Window size value: 262 > [Calculated window size: 33536] > [Window size scaling factor: 128] > Checksum: 0x4e0a [validation disabled] > [Good Checksum: False] > [Bad Checksum: False] > Urgent pointer: 0 > Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps > No-Operation (NOP) > Type: 1 > 0... .... 
= Copy on fragmentation: No > .00. .... = Class: Control (0) > ...0 0001 = Number: No-Operation (NOP) (1) > No-Operation (NOP) > Type: 1 > 0... .... = Copy on fragmentation: No > .00. .... = Class: Control (0) > ...0 0001 = Number: No-Operation (NOP) (1) > Timestamps: TSval 4136501126, TSecr 264085013 > Kind: Time Stamp Option (8) > Length: 10 > Timestamp value: 4136501126 > Timestamp echo reply: 264085013 > [SEQ/ACK analysis] > [This is an ACK to the segment in frame: 12] > [The RTT to ACK the segment was: 0.000617000 seconds] > [iRTT: 0.000378000 seconds] > >No. Time Source Destination Protocol Length Info > 15 0.434381 10.96.*.* 10.9.*.* SMB2 334 Session Setup Response > >Frame 15: 334 bytes on wire (2672 bits), 334 bytes captured (2672 bits) > Encapsulation type: Ethernet (1) > Arrival Time: Jun 2, 2016 08:35:31.842983000 CEST > [Time shift for this packet: 0.000000000 seconds] > Epoch Time: 1464849331.842983000 seconds > [Time delta from previous captured frame: 0.007725000 seconds] > [Time delta from previous displayed frame: 0.007725000 seconds] > [Time since reference or first frame: 0.434381000 seconds] > Frame Number: 15 > Frame Length: 334 bytes (2672 bits) > Capture Length: 334 bytes (2672 bits) > [Frame is marked: False] > [Frame is ignored: False] > [Protocols in frame: eth:ethertype:ip:tcp:nbss:smb2:gss-api:spnego:spnego-krb5] > [Number of per-protocol-data: 2] > [GSS-API Generic Security Service Application Program Interface, key 0] > [Simple Protected Negotiation, key 0] > [Coloring Rule Name: SMB] > [Coloring Rule String: smb || nbss || nbns || nbipx || ipxsap || netbios] >Ethernet II, Src: Manufacturer2_11:11:11 (11:11:11:11:11:11), Dst: Manufacturer_00:00:00 (00:00:00:00:00:00) > Destination: Manufacturer_00:00:00 (00:00:00:00:00:00) > Address: Manufacturer_00:00:00 (00:00:00:00:00:00) > .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) > .... ...0 .... .... .... .... 
= IG bit: Individual address (unicast) > Source: Manufacturer2_11:11:11 (11:11:11:11:11:11) > Address: Manufacturer2_11:11:11 (11:11:11:11:11:11) > .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) > .... ...0 .... .... .... .... = IG bit: Individual address (unicast) > Type: IP (0x0800) >Internet Protocol Version 4, Src: 10.96.*.* (10.96.*.*), Dst: 10.9.*.* (10.9.*.*) > Version: 4 > Header Length: 20 bytes > Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport)) > 0000 00.. = Differentiated Services Codepoint: Default (0x00) > .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00) > Total Length: 320 > Identification: 0x3401 (13313) > Flags: 0x02 (Don't Fragment) > 0... .... = Reserved bit: Not set > .1.. .... = Don't fragment: Set > ..0. .... = More fragments: Not set > Fragment offset: 0 > Time to live: 62 > Protocol: TCP (6) > Header checksum: 0xecde [validation disabled] > [Good: False] > [Bad: False] > Source: 10.96.*.* (10.96.*.*) > Destination: 10.9.*.* (10.9.*.*) > [Source GeoIP: Unknown] > [Destination GeoIP: Unknown] >Transmission Control Protocol, Src Port: 445 (445), Dst Port: 57892 (57892), Seq: 509, Ack: 3412, Len: 268 > Source Port: 445 (445) > Destination Port: 57892 (57892) > [Stream index: 0] > [TCP Segment Len: 268] > Sequence number: 509 (relative sequence number) > [Next sequence number: 777 (relative sequence number)] > Acknowledgment number: 3412 (relative ack number) > Header Length: 32 bytes > .... 0000 0001 1000 = Flags: 0x018 (PSH, ACK) > 000. .... .... = Reserved: Not set > ...0 .... .... = Nonce: Not set > .... 0... .... = Congestion Window Reduced (CWR): Not set > .... .0.. .... = ECN-Echo: Not set > .... ..0. .... = Urgent: Not set > .... ...1 .... = Acknowledgment: Set > .... .... 1... = Push: Set > .... .... .0.. = Reset: Not set > .... .... ..0. = Syn: Not set > .... .... 
...0 = Fin: Not set > Window size value: 262 > [Calculated window size: 33536] > [Window size scaling factor: 128] > Checksum: 0x0d9f [validation disabled] > [Good Checksum: False] > [Bad Checksum: False] > Urgent pointer: 0 > Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps > No-Operation (NOP) > Type: 1 > 0... .... = Copy on fragmentation: No > .00. .... = Class: Control (0) > ...0 0001 = Number: No-Operation (NOP) (1) > No-Operation (NOP) > Type: 1 > 0... .... = Copy on fragmentation: No > .00. .... = Class: Control (0) > ...0 0001 = Number: No-Operation (NOP) (1) > Timestamps: TSval 4136501133, TSecr 264085013 > Kind: Time Stamp Option (8) > Length: 10 > Timestamp value: 4136501133 > Timestamp echo reply: 264085013 > [SEQ/ACK analysis] > [iRTT: 0.000378000 seconds] > [Bytes in flight: 268] >NetBIOS Session Service > Message Type: Session message (0x00) > Length: 264 >SMB2 (Server Message Block Protocol version 2) > SMB2 Header > Server Component: SMB2 > Header Length: 64 > Credit Charge: 0 > NT Status: STATUS_SUCCESS (0x00000000) > Command: Session Setup (1) > Credits granted: 8192 > Flags: 0x00000001 > .... .... .... .... .... .... .... ...1 = Response: This is a RESPONSE > .... .... .... .... .... .... .... ..0. = Async command: This is a SYNC command > .... .... .... .... .... .... .... .0.. = Chained: This pdu is NOT a chained command > .... .... .... .... .... .... .... 0... = Signing: This pdu is NOT signed > ...0 .... .... .... .... .... .... .... = DFS operation: This is a normal operation > ..0. .... .... .... .... .... .... .... = Replay operation: This is NOT a replay operation > Chain Offset: 0x00000000 > Message ID: 2 > Process Id: 0x00000000 > Tree Id: 0x00000000 > Session Id: 0x8df3ec9a00000001 > Signature: ******************************** > [Response to: 12] > [Time from request: 0.008342000 seconds] > Session Setup Response (0x01) > StructureSize: 0x0009 > 0000 0000 0000 100. = Fixed Part Length: 8 > .... .... .... 
...1 = Dynamic Part: True > Session Flags: 0x0000 > .... .... .... ...0 = Guest: False > .... .... .... ..0. = Null: False > Security Blob: ************************* > Offset: 0x00000048 > Length: 192 > GSS-API Generic Security Service Application Program Interface > Simple Protected Negotiation > negTokenTarg > negResult: accept-completed (0) > supportedMech: 1.2.840.48018.1.2.2 (MS KRB5 - Microsoft Kerberos 5) > responseToken: *******************... > krb5_blob: *******************... > KRB5 OID: 1.2.840.113554.1.2.2 (KRB5 - Kerberos 5) > krb5_tok_id: KRB5_AP_REP (0x0002) > Kerberos > ap-rep > pvno: 5 > msg-type: krb-ap-rep (15) > enc-part > etype: eTYPE-ARCFOUR-HMAC-MD5 (23) > cipher: *******************... > >No. Time Source Destination Protocol Length Info > 16 0.434414 10.9.*.* 10.96.*.* TCP 66 57892→445 [ACK] Seq=3412 Ack=777 Win=32512 Len=0 TSval=264085022 TSecr=4136501133 > >Frame 16: 66 bytes on wire (528 bits), 66 bytes captured (528 bits) > Encapsulation type: Ethernet (1) > Arrival Time: Jun 2, 2016 08:35:31.843016000 CEST > [Time shift for this packet: 0.000000000 seconds] > Epoch Time: 1464849331.843016000 seconds > [Time delta from previous captured frame: 0.000033000 seconds] > [Time delta from previous displayed frame: 0.000033000 seconds] > [Time since reference or first frame: 0.434414000 seconds] > Frame Number: 16 > Frame Length: 66 bytes (528 bits) > Capture Length: 66 bytes (528 bits) > [Frame is marked: False] > [Frame is ignored: False] > [Protocols in frame: eth:ethertype:ip:tcp] > [Coloring Rule Name: TCP] > [Coloring Rule String: tcp] >Ethernet II, Src: Manufacturer_00:00:00 (00:00:00:00:00:00), Dst: Manufacturer2_11:11:11 (11:11:11:11:11:11) > Destination: Manufacturer2_11:11:11 (11:11:11:11:11:11) > Address: Manufacturer2_11:11:11 (11:11:11:11:11:11) > .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) > .... ...0 .... .... .... .... 
= IG bit: Individual address (unicast) > Source: Manufacturer_00:00:00 (00:00:00:00:00:00) > Address: Manufacturer_00:00:00 (00:00:00:00:00:00) > .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) > .... ...0 .... .... .... .... = IG bit: Individual address (unicast) > Type: IP (0x0800) >Internet Protocol Version 4, Src: 10.9.*.* (10.9.*.*), Dst: 10.96.*.* (10.96.*.*) > Version: 4 > Header Length: 20 bytes > Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport)) > 0000 00.. = Differentiated Services Codepoint: Default (0x00) > .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00) > Total Length: 52 > Identification: 0x952d (38189) > Flags: 0x02 (Don't Fragment) > 0... .... = Reserved bit: Not set > .1.. .... = Don't fragment: Set > ..0. .... = More fragments: Not set > Fragment offset: 0 > Time to live: 64 > Protocol: TCP (6) > Header checksum: 0x8abe [validation disabled] > [Good: False] > [Bad: False] > Source: 10.9.*.* (10.9.*.*) > Destination: 10.96.*.* (10.96.*.*) > [Source GeoIP: Unknown] > [Destination GeoIP: Unknown] >Transmission Control Protocol, Src Port: 57892 (57892), Dst Port: 445 (445), Seq: 3412, Ack: 777, Len: 0 > Source Port: 57892 (57892) > Destination Port: 445 (445) > [Stream index: 0] > [TCP Segment Len: 0] > Sequence number: 3412 (relative sequence number) > Acknowledgment number: 777 (relative ack number) > Header Length: 32 bytes > .... 0000 0001 0000 = Flags: 0x010 (ACK) > 000. .... .... = Reserved: Not set > ...0 .... .... = Nonce: Not set > .... 0... .... = Congestion Window Reduced (CWR): Not set > .... .0.. .... = ECN-Echo: Not set > .... ..0. .... = Urgent: Not set > .... ...1 .... = Acknowledgment: Set > .... .... 0... = Push: Not set > .... .... .0.. = Reset: Not set > .... .... ..0. = Syn: Not set > .... .... 
...0 = Fin: Not set > Window size value: 254 > [Calculated window size: 32512] > [Window size scaling factor: 128] > Checksum: 0x4cf6 [validation disabled] > [Good Checksum: False] > [Bad Checksum: False] > Urgent pointer: 0 > Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps > No-Operation (NOP) > Type: 1 > 0... .... = Copy on fragmentation: No > .00. .... = Class: Control (0) > ...0 0001 = Number: No-Operation (NOP) (1) > No-Operation (NOP) > Type: 1 > 0... .... = Copy on fragmentation: No > .00. .... = Class: Control (0) > ...0 0001 = Number: No-Operation (NOP) (1) > Timestamps: TSval 264085022, TSecr 4136501133 > Kind: Time Stamp Option (8) > Length: 10 > Timestamp value: 264085022 > Timestamp echo reply: 4136501133 > [SEQ/ACK analysis] > [This is an ACK to the segment in frame: 15] > [The RTT to ACK the segment was: 0.000033000 seconds] > [iRTT: 0.000378000 seconds] > >No. Time Source Destination Protocol Length Info > 17 0.434804 10.9.*.* 10.96.*.* SMB2 196 Tree Connect Request Tree: \\fileserver.fqdn\IPC$ > >Frame 17: 196 bytes on wire (1568 bits), 196 bytes captured (1568 bits) > Encapsulation type: Ethernet (1) > Arrival Time: Jun 2, 2016 08:35:31.843406000 CEST > [Time shift for this packet: 0.000000000 seconds] > Epoch Time: 1464849331.843406000 seconds > [Time delta from previous captured frame: 0.000390000 seconds] > [Time delta from previous displayed frame: 0.000390000 seconds] > [Time since reference or first frame: 0.434804000 seconds] > Frame Number: 17 > Frame Length: 196 bytes (1568 bits) > Capture Length: 196 bytes (1568 bits) > [Frame is marked: False] > [Frame is ignored: False] > [Protocols in frame: eth:ethertype:ip:tcp:nbss:smb2] > [Coloring Rule Name: SMB] > [Coloring Rule String: smb || nbss || nbns || nbipx || ipxsap || netbios] >Ethernet II, Src: Manufacturer_00:00:00 (00:00:00:00:00:00), Dst: Manufacturer2_11:11:11 (11:11:11:11:11:11) > Destination: Manufacturer2_11:11:11 (11:11:11:11:11:11) > Address: 
Manufacturer2_11:11:11 (11:11:11:11:11:11) > .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) > .... ...0 .... .... .... .... = IG bit: Individual address (unicast) > Source: Manufacturer_00:00:00 (00:00:00:00:00:00) > Address: Manufacturer_00:00:00 (00:00:00:00:00:00) > .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) > .... ...0 .... .... .... .... = IG bit: Individual address (unicast) > Type: IP (0x0800) >Internet Protocol Version 4, Src: 10.9.*.* (10.9.*.*), Dst: 10.96.*.* (10.96.*.*) > Version: 4 > Header Length: 20 bytes > Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport)) > 0000 00.. = Differentiated Services Codepoint: Default (0x00) > .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00) > Total Length: 182 > Identification: 0x952e (38190) > Flags: 0x02 (Don't Fragment) > 0... .... = Reserved bit: Not set > .1.. .... = Don't fragment: Set > ..0. .... = More fragments: Not set > Fragment offset: 0 > Time to live: 64 > Protocol: TCP (6) > Header checksum: 0x8a3b [validation disabled] > [Good: False] > [Bad: False] > Source: 10.9.*.* (10.9.*.*) > Destination: 10.96.*.* (10.96.*.*) > [Source GeoIP: Unknown] > [Destination GeoIP: Unknown] >Transmission Control Protocol, Src Port: 57892 (57892), Dst Port: 445 (445), Seq: 3412, Ack: 777, Len: 130 > Source Port: 57892 (57892) > Destination Port: 445 (445) > [Stream index: 0] > [TCP Segment Len: 130] > Sequence number: 3412 (relative sequence number) > [Next sequence number: 3542 (relative sequence number)] > Acknowledgment number: 777 (relative ack number) > Header Length: 32 bytes > .... 0000 0001 1000 = Flags: 0x018 (PSH, ACK) > 000. .... .... = Reserved: Not set > ...0 .... .... = Nonce: Not set > .... 0... .... = Congestion Window Reduced (CWR): Not set > .... .0.. .... = ECN-Echo: Not set > .... ..0. .... = Urgent: Not set > .... ...1 .... 
= Acknowledgment: Set > .... .... 1... = Push: Set > .... .... .0.. = Reset: Not set > .... .... ..0. = Syn: Not set > .... .... ...0 = Fin: Not set > Window size value: 254 > [Calculated window size: 32512] > [Window size scaling factor: 128] > Checksum: 0x1c35 [validation disabled] > [Good Checksum: False] > [Bad Checksum: False] > Urgent pointer: 0 > Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps > No-Operation (NOP) > Type: 1 > 0... .... = Copy on fragmentation: No > .00. .... = Class: Control (0) > ...0 0001 = Number: No-Operation (NOP) (1) > No-Operation (NOP) > Type: 1 > 0... .... = Copy on fragmentation: No > .00. .... = Class: Control (0) > ...0 0001 = Number: No-Operation (NOP) (1) > Timestamps: TSval 264085022, TSecr 4136501133 > Kind: Time Stamp Option (8) > Length: 10 > Timestamp value: 264085022 > Timestamp echo reply: 4136501133 > [SEQ/ACK analysis] > [iRTT: 0.000378000 seconds] > [Bytes in flight: 130] >NetBIOS Session Service > Message Type: Session message (0x00) > Length: 126 >SMB2 (Server Message Block Protocol version 2) > SMB2 Header > Server Component: SMB2 > Header Length: 64 > Credit Charge: 0 > Channel Sequence: 0 > Reserved: 0000 > Command: Tree Connect (3) > Credits requested: 1 > Flags: 0x00000008 > .... .... .... .... .... .... .... ...0 = Response: This is a REQUEST > .... .... .... .... .... .... .... ..0. = Async command: This is a SYNC command > .... .... .... .... .... .... .... .0.. = Chained: This pdu is NOT a chained command > .... .... .... .... .... .... .... 1... = Signing: This pdu is SIGNED > ...0 .... .... .... .... .... .... .... = DFS operation: This is a normal operation > ..0. .... .... .... .... .... .... .... 
= Replay operation: This is NOT a replay operation > Chain Offset: 0x00000000 > Message ID: 3 > Process Id: 0x00000000 > Tree Id: 0x00000000 > Session Id: 0x8df3ec9a00000001 > Signature: ******************************** > [Response in: 18] > Tree Connect Request (0x03) > StructureSize: 0x0009 > 0000 0000 0000 100. = Fixed Part Length: 8 > .... .... .... ...1 = Dynamic Part: True > Tree: \\fileserver.fqdn\IPC$ > Offset: 0x00000048 > Length: 54 > >No. Time Source Destination Protocol Length Info > 18 0.435292 10.96.*.* 10.9.*.* SMB2 150 Tree Connect Response > >Frame 18: 150 bytes on wire (1200 bits), 150 bytes captured (1200 bits) > Encapsulation type: Ethernet (1) > Arrival Time: Jun 2, 2016 08:35:31.843894000 CEST > [Time shift for this packet: 0.000000000 seconds] > Epoch Time: 1464849331.843894000 seconds > [Time delta from previous captured frame: 0.000488000 seconds] > [Time delta from previous displayed frame: 0.000488000 seconds] > [Time since reference or first frame: 0.435292000 seconds] > Frame Number: 18 > Frame Length: 150 bytes (1200 bits) > Capture Length: 150 bytes (1200 bits) > [Frame is marked: False] > [Frame is ignored: False] > [Protocols in frame: eth:ethertype:ip:tcp:nbss:smb2] > [Coloring Rule Name: SMB] > [Coloring Rule String: smb || nbss || nbns || nbipx || ipxsap || netbios] >Ethernet II, Src: Manufacturer2_11:11:11 (11:11:11:11:11:11), Dst: Manufacturer_00:00:00 (00:00:00:00:00:00) > Destination: Manufacturer_00:00:00 (00:00:00:00:00:00) > Address: Manufacturer_00:00:00 (00:00:00:00:00:00) > .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) > .... ...0 .... .... .... .... = IG bit: Individual address (unicast) > Source: Manufacturer2_11:11:11 (11:11:11:11:11:11) > Address: Manufacturer2_11:11:11 (11:11:11:11:11:11) > .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) > .... ...0 .... .... .... .... 
= IG bit: Individual address (unicast) > Type: IP (0x0800) >Internet Protocol Version 4, Src: 10.96.*.* (10.96.*.*), Dst: 10.9.*.* (10.9.*.*) > Version: 4 > Header Length: 20 bytes > Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport)) > 0000 00.. = Differentiated Services Codepoint: Default (0x00) > .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00) > Total Length: 136 > Identification: 0x3501 (13569) > Flags: 0x02 (Don't Fragment) > 0... .... = Reserved bit: Not set > .1.. .... = Don't fragment: Set > ..0. .... = More fragments: Not set > Fragment offset: 0 > Time to live: 62 > Protocol: TCP (6) > Header checksum: 0xec96 [validation disabled] > [Good: False] > [Bad: False] > Source: 10.96.*.* (10.96.*.*) > Destination: 10.9.*.* (10.9.*.*) > [Source GeoIP: Unknown] > [Destination GeoIP: Unknown] >Transmission Control Protocol, Src Port: 445 (445), Dst Port: 57892 (57892), Seq: 777, Ack: 3542, Len: 84 > Source Port: 445 (445) > Destination Port: 57892 (57892) > [Stream index: 0] > [TCP Segment Len: 84] > Sequence number: 777 (relative sequence number) > [Next sequence number: 861 (relative sequence number)] > Acknowledgment number: 3542 (relative ack number) > Header Length: 32 bytes > .... 0000 0001 1000 = Flags: 0x018 (PSH, ACK) > 000. .... .... = Reserved: Not set > ...0 .... .... = Nonce: Not set > .... 0... .... = Congestion Window Reduced (CWR): Not set > .... .0.. .... = ECN-Echo: Not set > .... ..0. .... = Urgent: Not set > .... ...1 .... = Acknowledgment: Set > .... .... 1... = Push: Set > .... .... .0.. = Reset: Not set > .... .... ..0. = Syn: Not set > .... .... 
...0 = Fin: Not set > Window size value: 262 > [Calculated window size: 33536] > [Window size scaling factor: 128] > Checksum: 0x92bb [validation disabled] > [Good Checksum: False] > [Bad Checksum: False] > Urgent pointer: 0 > Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps > No-Operation (NOP) > Type: 1 > 0... .... = Copy on fragmentation: No > .00. .... = Class: Control (0) > ...0 0001 = Number: No-Operation (NOP) (1) > No-Operation (NOP) > Type: 1 > 0... .... = Copy on fragmentation: No > .00. .... = Class: Control (0) > ...0 0001 = Number: No-Operation (NOP) (1) > Timestamps: TSval 4136501134, TSecr 264085022 > Kind: Time Stamp Option (8) > Length: 10 > Timestamp value: 4136501134 > Timestamp echo reply: 264085022 > [SEQ/ACK analysis] > [This is an ACK to the segment in frame: 17] > [The RTT to ACK the segment was: 0.000488000 seconds] > [iRTT: 0.000378000 seconds] > [Bytes in flight: 84] >NetBIOS Session Service > Message Type: Session message (0x00) > Length: 80 >SMB2 (Server Message Block Protocol version 2) > SMB2 Header > Server Component: SMB2 > Header Length: 64 > Credit Charge: 0 > NT Status: STATUS_SUCCESS (0x00000000) > Command: Tree Connect (3) > Credits granted: 1 > Flags: 0x00000009 > .... .... .... .... .... .... .... ...1 = Response: This is a RESPONSE > .... .... .... .... .... .... .... ..0. = Async command: This is a SYNC command > .... .... .... .... .... .... .... .0.. = Chained: This pdu is NOT a chained command > .... .... .... .... .... .... .... 1... = Signing: This pdu is SIGNED > ...0 .... .... .... .... .... .... .... = DFS operation: This is a normal operation > ..0. .... .... .... .... .... .... .... 
= Replay operation: This is NOT a replay operation > Chain Offset: 0x00000000 > Message ID: 3 > Process Id: 0x00000000 > Tree Id: 0x00000001 \\fileserver.fqdn\IPC$ > [Tree: \\fileserver.fqdn\IPC$] > [Share Type: Named pipe (0x02)] > [Connected in Frame: 18] > Session Id: 0x8df3ec9a00000001 > Signature: ******************************** > [Response to: 17] > [Time from request: 0.000488000 seconds] > Tree Connect Response (0x03) > StructureSize: 0x0010 > 0000 0000 0001 000. = Fixed Part Length: 16 > .... .... .... ...0 = Dynamic Part: False > Share Type: Named pipe (0x02) > Share flags: 0x00000000 > .... .... .... .... .... .... .... ...0 = DFS: False > .... .... .... .... .... .... .... ..0. = DFS root: False > .... .... .... .... .... ...0 .... .... = Restrict exclusive opens: False > .... .... .... .... .... ..0. .... .... = Force shared delete: False > .... .... .... .... .... .0.. .... .... = Allow namepsace caching: False > .... .... .... .... .... 0... .... .... = Access based directory enum: False > .... .... .... .... ...0 .... .... .... = Force level II oplock: False > .... .... .... .... ..0. .... .... .... = Enable hash V1: False > .... .... .... .... .0.. .... .... .... = Enable hash V2: False > .... .... .... .... 0... .... .... .... = Encrypted data required: False > Caching policy: Manual caching (00000000) > Share Capabilities: 0x00000000 > .... .... .... .... .... .... .... 0... = DFS: False > .... .... .... .... .... .... ...0 .... = CONTINUOUS AVAILABILITY: False > .... .... .... .... .... .... ..0. .... = SCALEOUT: False > .... .... .... .... .... .... .0.. .... = CLUSTER: False > Access Mask: 0x001f01ff > .... .... .... .... .... .... .... ...1 = Read: READ access > .... .... .... .... .... .... .... ..1. = Write: WRITE access > .... .... .... .... .... .... .... .1.. = Append: APPEND access > .... .... .... .... .... .... .... 1... = Read EA: READ EXTENDED ATTRIBUTES access > .... .... .... .... .... .... ...1 .... 
= Write EA: WRITE EXTENDED ATTRIBUTES access > .... .... .... .... .... .... ..1. .... = Execute: EXECUTE access > .... .... .... .... .... .... .1.. .... = Delete Child: DELETE CHILD access > .... .... .... .... .... .... 1... .... = Read Attributes: READ ATTRIBUTES access > .... .... .... .... .... ...1 .... .... = Write Attributes: WRITE ATTRIBUTES access > .... .... .... ...1 .... .... .... .... = Delete: DELETE access > .... .... .... ..1. .... .... .... .... = Read Control: READ ACCESS to owner, group and ACL of the SID > .... .... .... .1.. .... .... .... .... = Write DAC: OWNER may WRITE the DAC > .... .... .... 1... .... .... .... .... = Write Owner: Can WRITE OWNER (take ownership) > .... .... ...1 .... .... .... .... .... = Synchronize: Can wait on handle to SYNCHRONIZE on completion of I/O > .... ...0 .... .... .... .... .... .... = System Security: System security is NOT set > .... ..0. .... .... .... .... .... .... = Maximum Allowed: Maximum allowed is NOT set > ...0 .... .... .... .... .... .... .... = Generic All: Generic all is NOT set > ..0. .... .... .... .... .... .... .... = Generic Execute: Generic execute is NOT set > .0.. .... .... .... .... .... .... .... = Generic Write: Generic write is NOT set > 0... .... .... .... .... .... .... .... = Generic Read: Generic read is NOT set > >No. 
Time Source Destination Protocol Length Info > 19 0.435372 10.9.*.* 10.96.*.* SMB2 230 Ioctl Request FSCTL_VALIDATE_NEGOTIATE_INFO > >Frame 19: 230 bytes on wire (1840 bits), 230 bytes captured (1840 bits) > Encapsulation type: Ethernet (1) > Arrival Time: Jun 2, 2016 08:35:31.843974000 CEST > [Time shift for this packet: 0.000000000 seconds] > Epoch Time: 1464849331.843974000 seconds > [Time delta from previous captured frame: 0.000080000 seconds] > [Time delta from previous displayed frame: 0.000080000 seconds] > [Time since reference or first frame: 0.435372000 seconds] > Frame Number: 19 > Frame Length: 230 bytes (1840 bits) > Capture Length: 230 bytes (1840 bits) > [Frame is marked: False] > [Frame is ignored: False] > [Protocols in frame: eth:ethertype:ip:tcp:nbss:smb2] > [Coloring Rule Name: SMB] > [Coloring Rule String: smb || nbss || nbns || nbipx || ipxsap || netbios] >Ethernet II, Src: Manufacturer_00:00:00 (00:00:00:00:00:00), Dst: Manufacturer2_11:11:11 (11:11:11:11:11:11) > Destination: Manufacturer2_11:11:11 (11:11:11:11:11:11) > Address: Manufacturer2_11:11:11 (11:11:11:11:11:11) > .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) > .... ...0 .... .... .... .... = IG bit: Individual address (unicast) > Source: Manufacturer_00:00:00 (00:00:00:00:00:00) > Address: Manufacturer_00:00:00 (00:00:00:00:00:00) > .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) > .... ...0 .... .... .... .... = IG bit: Individual address (unicast) > Type: IP (0x0800) >Internet Protocol Version 4, Src: 10.9.*.* (10.9.*.*), Dst: 10.96.*.* (10.96.*.*) > Version: 4 > Header Length: 20 bytes > Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport)) > 0000 00.. = Differentiated Services Codepoint: Default (0x00) > .... 
..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00) > Total Length: 216 > Identification: 0x952f (38191) > Flags: 0x02 (Don't Fragment) > 0... .... = Reserved bit: Not set > .1.. .... = Don't fragment: Set > ..0. .... = More fragments: Not set > Fragment offset: 0 > Time to live: 64 > Protocol: TCP (6) > Header checksum: 0x8a18 [validation disabled] > [Good: False] > [Bad: False] > Source: 10.9.*.* (10.9.*.*) > Destination: 10.96.*.* (10.96.*.*) > [Source GeoIP: Unknown] > [Destination GeoIP: Unknown] >Transmission Control Protocol, Src Port: 57892 (57892), Dst Port: 445 (445), Seq: 3542, Ack: 861, Len: 164 > Source Port: 57892 (57892) > Destination Port: 445 (445) > [Stream index: 0] > [TCP Segment Len: 164] > Sequence number: 3542 (relative sequence number) > [Next sequence number: 3706 (relative sequence number)] > Acknowledgment number: 861 (relative ack number) > Header Length: 32 bytes > .... 0000 0001 1000 = Flags: 0x018 (PSH, ACK) > 000. .... .... = Reserved: Not set > ...0 .... .... = Nonce: Not set > .... 0... .... = Congestion Window Reduced (CWR): Not set > .... .0.. .... = ECN-Echo: Not set > .... ..0. .... = Urgent: Not set > .... ...1 .... = Acknowledgment: Set > .... .... 1... = Push: Set > .... .... .0.. = Reset: Not set > .... .... ..0. = Syn: Not set > .... .... ...0 = Fin: Not set > Window size value: 254 > [Calculated window size: 32512] > [Window size scaling factor: 128] > Checksum: 0xb8c9 [validation disabled] > [Good Checksum: False] > [Bad Checksum: False] > Urgent pointer: 0 > Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps > No-Operation (NOP) > Type: 1 > 0... .... = Copy on fragmentation: No > .00. .... = Class: Control (0) > ...0 0001 = Number: No-Operation (NOP) (1) > No-Operation (NOP) > Type: 1 > 0... .... = Copy on fragmentation: No > .00. .... 
= Class: Control (0) > ...0 0001 = Number: No-Operation (NOP) (1) > Timestamps: TSval 264085023, TSecr 4136501134 > Kind: Time Stamp Option (8) > Length: 10 > Timestamp value: 264085023 > Timestamp echo reply: 4136501134 > [SEQ/ACK analysis] > [This is an ACK to the segment in frame: 18] > [The RTT to ACK the segment was: 0.000080000 seconds] > [iRTT: 0.000378000 seconds] > [Bytes in flight: 164] >NetBIOS Session Service > Message Type: Session message (0x00) > Length: 160 >SMB2 (Server Message Block Protocol version 2) > SMB2 Header > Server Component: SMB2 > Header Length: 64 > Credit Charge: 0 > Channel Sequence: 0 > Reserved: 0000 > Command: Ioctl (11) > Credits requested: 1 > Flags: 0x00000008 > .... .... .... .... .... .... .... ...0 = Response: This is a REQUEST > .... .... .... .... .... .... .... ..0. = Async command: This is a SYNC command > .... .... .... .... .... .... .... .0.. = Chained: This pdu is NOT a chained command > .... .... .... .... .... .... .... 1... = Signing: This pdu is SIGNED > ...0 .... .... .... .... .... .... .... = DFS operation: This is a normal operation > ..0. .... .... .... .... .... .... .... = Replay operation: This is NOT a replay operation > Chain Offset: 0x00000000 > Message ID: 4 > Process Id: 0x00000000 > Tree Id: 0x00000001 \\fileserver.fqdn\IPC$ > [Tree: \\fileserver.fqdn\IPC$] > [Share Type: Named pipe (0x02)] > [Connected in Frame: 18] > Session Id: 0x8df3ec9a00000001 > Signature: ******************************** > [Response in: 20] > Ioctl Request (0x0b) > StructureSize: 0x0039 > 0000 0000 0011 100. = Fixed Part Length: 56 > .... .... .... ...1 = Dynamic Part: True > Function: FSCTL_VALIDATE_NEGOTIATE_INFO (0x00140204) > 0000 0000 0001 0100 .... .... .... .... = Device: NETWORK_FILE_SYSTEM (0x00000014) > .... .... .... .... 00.. .... .... .... = Access: FILE_ANY_ACCESS (0x00000000) > .... .... .... .... ..00 0010 0000 01.. = Function: 0x00000081 > .... .... .... .... .... .... .... 
..00 = Method: METHOD_BUFFERED (0x00000000) > GUID handle > File Id: ffffffff-ffff-ffff-ffff-ffffffffffff > Max Ioctl In Size: 0 > Max Ioctl Out Size: 24 > Flags: 0x00000001 > .... .... .... .... .... .... .... ...1 = Is FSCTL: True > In Data > Offset: 0x00000078 > Length: 40 > Capabilities: 0x0000007f > .... .... .... .... .... .... .... ...1 = DFS: This host supports DFS > .... .... .... .... .... .... .... ..1. = LEASING: This host supports LEASING > .... .... .... .... .... .... .... .1.. = LARGE MTU: This host supports LARGE_MTU > .... .... .... .... .... .... .... 1... = MULTI CHANNEL: This host supports MULTI CHANNEL > .... .... .... .... .... .... ...1 .... = PERSISTENT HANDLES: This host supports PERSISTENT HANDLES > .... .... .... .... .... .... ..1. .... = DIRECTORY LEASING: This host supports DIRECTORY LEASING > .... .... .... .... .... .... .1.. .... = ENCRYPTION: This host supports ENCRYPTION > Client Guid: 00000000-0000-0000-0000-000000000000 > Security mode: 0x01 > .... ...1 = Signing enabled: True > .... ..0. = Signing required: False > Dialect count: 8 > Dialect: 0x0202 > Dialect: 0x0210 > Dialect: 0x0222 > Dialect: 0x0224 > Dialect: 0x0300 > Dialect: 0x0302 > Dialect: 0x0310 > Dialect: 0x0311 > Out Data: NO DATA > Offset: 0x00000078 > Length: 0 > >No. 
Time Source Destination Protocol Length Info > 20 0.435903 10.96.*.* 10.9.*.* SMB2 143 Ioctl Response, Error: STATUS_NOT_SUPPORTED > >Frame 20: 143 bytes on wire (1144 bits), 143 bytes captured (1144 bits) > Encapsulation type: Ethernet (1) > Arrival Time: Jun 2, 2016 08:35:31.844505000 CEST > [Time shift for this packet: 0.000000000 seconds] > Epoch Time: 1464849331.844505000 seconds > [Time delta from previous captured frame: 0.000531000 seconds] > [Time delta from previous displayed frame: 0.000531000 seconds] > [Time since reference or first frame: 0.435903000 seconds] > Frame Number: 20 > Frame Length: 143 bytes (1144 bits) > Capture Length: 143 bytes (1144 bits) > [Frame is marked: False] > [Frame is ignored: False] > [Protocols in frame: eth:ethertype:ip:tcp:nbss:smb2] > [Coloring Rule Name: SMB] > [Coloring Rule String: smb || nbss || nbns || nbipx || ipxsap || netbios] >Ethernet II, Src: Manufacturer2_11:11:11 (11:11:11:11:11:11), Dst: Manufacturer_00:00:00 (00:00:00:00:00:00) > Destination: Manufacturer_00:00:00 (00:00:00:00:00:00) > Address: Manufacturer_00:00:00 (00:00:00:00:00:00) > .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) > .... ...0 .... .... .... .... = IG bit: Individual address (unicast) > Source: Manufacturer2_11:11:11 (11:11:11:11:11:11) > Address: Manufacturer2_11:11:11 (11:11:11:11:11:11) > .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) > .... ...0 .... .... .... .... = IG bit: Individual address (unicast) > Type: IP (0x0800) >Internet Protocol Version 4, Src: 10.96.*.* (10.96.*.*), Dst: 10.9.*.* (10.9.*.*) > Version: 4 > Header Length: 20 bytes > Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport)) > 0000 00.. = Differentiated Services Codepoint: Default (0x00) > .... 
..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00) > Total Length: 129 > Identification: 0x3601 (13825) > Flags: 0x02 (Don't Fragment) > 0... .... = Reserved bit: Not set > .1.. .... = Don't fragment: Set > ..0. .... = More fragments: Not set > Fragment offset: 0 > Time to live: 62 > Protocol: TCP (6) > Header checksum: 0xeb9d [validation disabled] > [Good: False] > [Bad: False] > Source: 10.96.*.* (10.96.*.*) > Destination: 10.9.*.* (10.9.*.*) > [Source GeoIP: Unknown] > [Destination GeoIP: Unknown] >Transmission Control Protocol, Src Port: 445 (445), Dst Port: 57892 (57892), Seq: 861, Ack: 3706, Len: 77 > Source Port: 445 (445) > Destination Port: 57892 (57892) > [Stream index: 0] > [TCP Segment Len: 77] > Sequence number: 861 (relative sequence number) > [Next sequence number: 938 (relative sequence number)] > Acknowledgment number: 3706 (relative ack number) > Header Length: 32 bytes > .... 0000 0001 1000 = Flags: 0x018 (PSH, ACK) > 000. .... .... = Reserved: Not set > ...0 .... .... = Nonce: Not set > .... 0... .... = Congestion Window Reduced (CWR): Not set > .... .0.. .... = ECN-Echo: Not set > .... ..0. .... = Urgent: Not set > .... ...1 .... = Acknowledgment: Set > .... .... 1... = Push: Set > .... .... .0.. = Reset: Not set > .... .... ..0. = Syn: Not set > .... .... ...0 = Fin: Not set > Window size value: 262 > [Calculated window size: 33536] > [Window size scaling factor: 128] > Checksum: 0x5e39 [validation disabled] > [Good Checksum: False] > [Bad Checksum: False] > Urgent pointer: 0 > Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps > No-Operation (NOP) > Type: 1 > 0... .... = Copy on fragmentation: No > .00. .... = Class: Control (0) > ...0 0001 = Number: No-Operation (NOP) (1) > No-Operation (NOP) > Type: 1 > 0... .... = Copy on fragmentation: No > .00. .... 
= Class: Control (0) > ...0 0001 = Number: No-Operation (NOP) (1) > Timestamps: TSval 4136501135, TSecr 264085023 > Kind: Time Stamp Option (8) > Length: 10 > Timestamp value: 4136501135 > Timestamp echo reply: 264085023 > [SEQ/ACK analysis] > [This is an ACK to the segment in frame: 19] > [The RTT to ACK the segment was: 0.000531000 seconds] > [iRTT: 0.000378000 seconds] > [Bytes in flight: 77] >NetBIOS Session Service > Message Type: Session message (0x00) > Length: 73 >SMB2 (Server Message Block Protocol version 2) > SMB2 Header > Server Component: SMB2 > Header Length: 64 > Credit Charge: 0 > NT Status: STATUS_NOT_SUPPORTED (0xc00000bb) > Command: Ioctl (11) > Credits granted: 1 > Flags: 0x00000009 > .... .... .... .... .... .... .... ...1 = Response: This is a RESPONSE > .... .... .... .... .... .... .... ..0. = Async command: This is a SYNC command > .... .... .... .... .... .... .... .0.. = Chained: This pdu is NOT a chained command > .... .... .... .... .... .... .... 1... = Signing: This pdu is SIGNED > ...0 .... .... .... .... .... .... .... = DFS operation: This is a normal operation > ..0. .... .... .... .... .... .... .... = Replay operation: This is NOT a replay operation > Chain Offset: 0x00000000 > Message ID: 4 > Process Id: 0x00000000 > Tree Id: 0x00000001 \\fileserver.fqdn\IPC$ > [Tree: \\fileserver.fqdn\IPC$] > [Share Type: Named pipe (0x02)] > [Connected in Frame: 18] > Session Id: 0x8df3ec9a00000001 > Signature: ******************************** > [Response to: 19] > [Time from request: 0.000531000 seconds] > Ioctl Response (0x0b) > StructureSize: 0x0009 > 0000 0000 0000 100. = Fixed Part Length: 8 > .... .... .... ...1 = Dynamic Part: True > Reserved: 0x0000 > Byte Count: 0 > Error Data: 00 > >No. 
Time Source Destination Protocol Length Info > 21 0.436042 10.9.*.* 10.96.*.* SMB2 210 Tree Connect Request Tree: \\fileserver.fqdn\Folder > >Frame 21: 210 bytes on wire (1680 bits), 210 bytes captured (1680 bits) > Encapsulation type: Ethernet (1) > Arrival Time: Jun 2, 2016 08:35:31.844644000 CEST > [Time shift for this packet: 0.000000000 seconds] > Epoch Time: 1464849331.844644000 seconds > [Time delta from previous captured frame: 0.000139000 seconds] > [Time delta from previous displayed frame: 0.000139000 seconds] > [Time since reference or first frame: 0.436042000 seconds] > Frame Number: 21 > Frame Length: 210 bytes (1680 bits) > Capture Length: 210 bytes (1680 bits) > [Frame is marked: False] > [Frame is ignored: False] > [Protocols in frame: eth:ethertype:ip:tcp:nbss:smb2] > [Coloring Rule Name: SMB] > [Coloring Rule String: smb || nbss || nbns || nbipx || ipxsap || netbios] >Ethernet II, Src: Manufacturer_00:00:00 (00:00:00:00:00:00), Dst: Manufacturer2_11:11:11 (11:11:11:11:11:11) > Destination: Manufacturer2_11:11:11 (11:11:11:11:11:11) > Address: Manufacturer2_11:11:11 (11:11:11:11:11:11) > .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) > .... ...0 .... .... .... .... = IG bit: Individual address (unicast) > Source: Manufacturer_00:00:00 (00:00:00:00:00:00) > Address: Manufacturer_00:00:00 (00:00:00:00:00:00) > .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) > .... ...0 .... .... .... .... = IG bit: Individual address (unicast) > Type: IP (0x0800) >Internet Protocol Version 4, Src: 10.9.*.* (10.9.*.*), Dst: 10.96.*.* (10.96.*.*) > Version: 4 > Header Length: 20 bytes > Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport)) > 0000 00.. = Differentiated Services Codepoint: Default (0x00) > .... 
..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00) > Total Length: 196 > Identification: 0x9530 (38192) > Flags: 0x02 (Don't Fragment) > 0... .... = Reserved bit: Not set > .1.. .... = Don't fragment: Set > ..0. .... = More fragments: Not set > Fragment offset: 0 > Time to live: 64 > Protocol: TCP (6) > Header checksum: 0x8a2b [validation disabled] > [Good: False] > [Bad: False] > Source: 10.9.*.* (10.9.*.*) > Destination: 10.96.*.* (10.96.*.*) > [Source GeoIP: Unknown] > [Destination GeoIP: Unknown] >Transmission Control Protocol, Src Port: 57892 (57892), Dst Port: 445 (445), Seq: 3706, Ack: 938, Len: 144 > Source Port: 57892 (57892) > Destination Port: 445 (445) > [Stream index: 0] > [TCP Segment Len: 144] > Sequence number: 3706 (relative sequence number) > [Next sequence number: 3850 (relative sequence number)] > Acknowledgment number: 938 (relative ack number) > Header Length: 32 bytes > .... 0000 0001 1000 = Flags: 0x018 (PSH, ACK) > 000. .... .... = Reserved: Not set > ...0 .... .... = Nonce: Not set > .... 0... .... = Congestion Window Reduced (CWR): Not set > .... .0.. .... = ECN-Echo: Not set > .... ..0. .... = Urgent: Not set > .... ...1 .... = Acknowledgment: Set > .... .... 1... = Push: Set > .... .... .0.. = Reset: Not set > .... .... ..0. = Syn: Not set > .... .... ...0 = Fin: Not set > Window size value: 254 > [Calculated window size: 32512] > [Window size scaling factor: 128] > Checksum: 0xa97e [validation disabled] > [Good Checksum: False] > [Bad Checksum: False] > Urgent pointer: 0 > Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps > No-Operation (NOP) > Type: 1 > 0... .... = Copy on fragmentation: No > .00. .... = Class: Control (0) > ...0 0001 = Number: No-Operation (NOP) (1) > No-Operation (NOP) > Type: 1 > 0... .... = Copy on fragmentation: No > .00. .... 
= Class: Control (0) > ...0 0001 = Number: No-Operation (NOP) (1) > Timestamps: TSval 264085023, TSecr 4136501135 > Kind: Time Stamp Option (8) > Length: 10 > Timestamp value: 264085023 > Timestamp echo reply: 4136501135 > [SEQ/ACK analysis] > [This is an ACK to the segment in frame: 20] > [The RTT to ACK the segment was: 0.000139000 seconds] > [iRTT: 0.000378000 seconds] > [Bytes in flight: 144] >NetBIOS Session Service > Message Type: Session message (0x00) > Length: 140 >SMB2 (Server Message Block Protocol version 2) > SMB2 Header > Server Component: SMB2 > Header Length: 64 > Credit Charge: 0 > Channel Sequence: 0 > Reserved: 0000 > Command: Tree Connect (3) > Credits requested: 1 > Flags: 0x00000008 > .... .... .... .... .... .... .... ...0 = Response: This is a REQUEST > .... .... .... .... .... .... .... ..0. = Async command: This is a SYNC command > .... .... .... .... .... .... .... .0.. = Chained: This pdu is NOT a chained command > .... .... .... .... .... .... .... 1... = Signing: This pdu is SIGNED > ...0 .... .... .... .... .... .... .... = DFS operation: This is a normal operation > ..0. .... .... .... .... .... .... .... = Replay operation: This is NOT a replay operation > Chain Offset: 0x00000000 > Message ID: 5 > Process Id: 0x00000000 > Tree Id: 0x00000000 > Session Id: 0x8df3ec9a00000001 > Signature: ******************************** > [Response in: 22] > Tree Connect Request (0x03) > StructureSize: 0x0009 > 0000 0000 0000 100. = Fixed Part Length: 8 > .... .... .... ...1 = Dynamic Part: True > Tree: \\fileserver.fqdn\Folder > Offset: 0x00000048 > Length: 68 > >No. 
Time Source Destination Protocol Length Info > 22 0.436755 10.96.*.* 10.9.*.* SMB2 150 Tree Connect Response > >Frame 22: 150 bytes on wire (1200 bits), 150 bytes captured (1200 bits) > Encapsulation type: Ethernet (1) > Arrival Time: Jun 2, 2016 08:35:31.845357000 CEST > [Time shift for this packet: 0.000000000 seconds] > Epoch Time: 1464849331.845357000 seconds > [Time delta from previous captured frame: 0.000713000 seconds] > [Time delta from previous displayed frame: 0.000713000 seconds] > [Time since reference or first frame: 0.436755000 seconds] > Frame Number: 22 > Frame Length: 150 bytes (1200 bits) > Capture Length: 150 bytes (1200 bits) > [Frame is marked: False] > [Frame is ignored: False] > [Protocols in frame: eth:ethertype:ip:tcp:nbss:smb2] > [Coloring Rule Name: SMB] > [Coloring Rule String: smb || nbss || nbns || nbipx || ipxsap || netbios] >Ethernet II, Src: Manufacturer2_11:11:11 (11:11:11:11:11:11), Dst: Manufacturer_00:00:00 (00:00:00:00:00:00) > Destination: Manufacturer_00:00:00 (00:00:00:00:00:00) > Address: Manufacturer_00:00:00 (00:00:00:00:00:00) > .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) > .... ...0 .... .... .... .... = IG bit: Individual address (unicast) > Source: Manufacturer2_11:11:11 (11:11:11:11:11:11) > Address: Manufacturer2_11:11:11 (11:11:11:11:11:11) > .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) > .... ...0 .... .... .... .... = IG bit: Individual address (unicast) > Type: IP (0x0800) >Internet Protocol Version 4, Src: 10.96.*.* (10.96.*.*), Dst: 10.9.*.* (10.9.*.*) > Version: 4 > Header Length: 20 bytes > Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport)) > 0000 00.. = Differentiated Services Codepoint: Default (0x00) > .... 
..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00) > Total Length: 136 > Identification: 0x3701 (14081) > Flags: 0x02 (Don't Fragment) > 0... .... = Reserved bit: Not set > .1.. .... = Don't fragment: Set > ..0. .... = More fragments: Not set > Fragment offset: 0 > Time to live: 62 > Protocol: TCP (6) > Header checksum: 0xea96 [validation disabled] > [Good: False] > [Bad: False] > Source: 10.96.*.* (10.96.*.*) > Destination: 10.9.*.* (10.9.*.*) > [Source GeoIP: Unknown] > [Destination GeoIP: Unknown] >Transmission Control Protocol, Src Port: 445 (445), Dst Port: 57892 (57892), Seq: 938, Ack: 3850, Len: 84 > Source Port: 445 (445) > Destination Port: 57892 (57892) > [Stream index: 0] > [TCP Segment Len: 84] > Sequence number: 938 (relative sequence number) > [Next sequence number: 1022 (relative sequence number)] > Acknowledgment number: 3850 (relative ack number) > Header Length: 32 bytes > .... 0000 0001 1000 = Flags: 0x018 (PSH, ACK) > 000. .... .... = Reserved: Not set > ...0 .... .... = Nonce: Not set > .... 0... .... = Congestion Window Reduced (CWR): Not set > .... .0.. .... = ECN-Echo: Not set > .... ..0. .... = Urgent: Not set > .... ...1 .... = Acknowledgment: Set > .... .... 1... = Push: Set > .... .... .0.. = Reset: Not set > .... .... ..0. = Syn: Not set > .... .... ...0 = Fin: Not set > Window size value: 262 > [Calculated window size: 33536] > [Window size scaling factor: 128] > Checksum: 0xc25b [validation disabled] > [Good Checksum: False] > [Bad Checksum: False] > Urgent pointer: 0 > Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps > No-Operation (NOP) > Type: 1 > 0... .... = Copy on fragmentation: No > .00. .... = Class: Control (0) > ...0 0001 = Number: No-Operation (NOP) (1) > No-Operation (NOP) > Type: 1 > 0... .... = Copy on fragmentation: No > .00. .... 
= Class: Control (0) > ...0 0001 = Number: No-Operation (NOP) (1) > Timestamps: TSval 4136501136, TSecr 264085023 > Kind: Time Stamp Option (8) > Length: 10 > Timestamp value: 4136501136 > Timestamp echo reply: 264085023 > [SEQ/ACK analysis] > [This is an ACK to the segment in frame: 21] > [The RTT to ACK the segment was: 0.000713000 seconds] > [iRTT: 0.000378000 seconds] > [Bytes in flight: 84] >NetBIOS Session Service > Message Type: Session message (0x00) > Length: 80 >SMB2 (Server Message Block Protocol version 2) > SMB2 Header > Server Component: SMB2 > Header Length: 64 > Credit Charge: 0 > NT Status: STATUS_SUCCESS (0x00000000) > Command: Tree Connect (3) > Credits granted: 1 > Flags: 0x00000009 > .... .... .... .... .... .... .... ...1 = Response: This is a RESPONSE > .... .... .... .... .... .... .... ..0. = Async command: This is a SYNC command > .... .... .... .... .... .... .... .0.. = Chained: This pdu is NOT a chained command > .... .... .... .... .... .... .... 1... = Signing: This pdu is SIGNED > ...0 .... .... .... .... .... .... .... = DFS operation: This is a normal operation > ..0. .... .... .... .... .... .... .... = Replay operation: This is NOT a replay operation > Chain Offset: 0x00000000 > Message ID: 5 > Process Id: 0x00000000 > Tree Id: 0x00000002 \\fileserver.fqdn\Folder > [Tree: \\fileserver.fqdn\Folder] > [Share Type: Physical disk (0x01)] > [Connected in Frame: 22] > Session Id: 0x8df3ec9a00000001 > Signature: ******************************** > [Response to: 21] > [Time from request: 0.000713000 seconds] > Tree Connect Response (0x03) > StructureSize: 0x0010 > 0000 0000 0001 000. = Fixed Part Length: 16 > .... .... .... ...0 = Dynamic Part: False > Share Type: Physical disk (0x01) > Share flags: 0x00000800, Access based directory enum > .... .... .... .... .... .... .... ...0 = DFS: False > .... .... .... .... .... .... .... ..0. = DFS root: False > .... .... .... .... .... ...0 .... .... = Restrict exclusive opens: False > .... .... 
.... .... .... ..0. .... .... = Force shared delete: False > .... .... .... .... .... .0.. .... .... = Allow namepsace caching: False > .... .... .... .... .... 1... .... .... = Access based directory enum: True > .... .... .... .... ...0 .... .... .... = Force level II oplock: False > .... .... .... .... ..0. .... .... .... = Enable hash V1: False > .... .... .... .... .0.. .... .... .... = Enable hash V2: False > .... .... .... .... 0... .... .... .... = Encrypted data required: False > Caching policy: Manual caching (00000000) > Share Capabilities: 0x00000008, DFS > .... .... .... .... .... .... .... 1... = DFS: True > .... .... .... .... .... .... ...0 .... = CONTINUOUS AVAILABILITY: False > .... .... .... .... .... .... ..0. .... = SCALEOUT: False > .... .... .... .... .... .... .0.. .... = CLUSTER: False > Access Mask: 0x001200a9 > .... .... .... .... .... .... .... ...1 = Read: READ access > .... .... .... .... .... .... .... ..0. = Write: NO write access > .... .... .... .... .... .... .... .0.. = Append: NO append access > .... .... .... .... .... .... .... 1... = Read EA: READ EXTENDED ATTRIBUTES access > .... .... .... .... .... .... ...0 .... = Write EA: NO write extended attributes access > .... .... .... .... .... .... ..1. .... = Execute: EXECUTE access > .... .... .... .... .... .... .0.. .... = Delete Child: NO delete child access > .... .... .... .... .... .... 1... .... = Read Attributes: READ ATTRIBUTES access > .... .... .... .... .... ...0 .... .... = Write Attributes: NO write attributes access > .... .... .... ...0 .... .... .... .... = Delete: NO delete access > .... .... .... ..1. .... .... .... .... = Read Control: READ ACCESS to owner, group and ACL of the SID > .... .... .... .0.. .... .... .... .... = Write DAC: Owner may NOT write to the DAC > .... .... .... 0... .... .... .... .... = Write Owner: Can NOT write owner (take ownership) > .... .... ...1 .... .... .... .... .... 
= Synchronize: Can wait on handle to SYNCHRONIZE on completion of I/O > .... ...0 .... .... .... .... .... .... = System Security: System security is NOT set > .... ..0. .... .... .... .... .... .... = Maximum Allowed: Maximum allowed is NOT set > ...0 .... .... .... .... .... .... .... = Generic All: Generic all is NOT set > ..0. .... .... .... .... .... .... .... = Generic Execute: Generic execute is NOT set > .0.. .... .... .... .... .... .... .... = Generic Write: Generic write is NOT set > 0... .... .... .... .... .... .... .... = Generic Read: Generic read is NOT set > >No. Time Source Destination Protocol Length Info > 23 0.436866 10.9.*.* 10.96.*.* SMB2 230 Ioctl Request FSCTL_VALIDATE_NEGOTIATE_INFO > >Frame 23: 230 bytes on wire (1840 bits), 230 bytes captured (1840 bits) > Encapsulation type: Ethernet (1) > Arrival Time: Jun 2, 2016 08:35:31.845468000 CEST > [Time shift for this packet: 0.000000000 seconds] > Epoch Time: 1464849331.845468000 seconds > [Time delta from previous captured frame: 0.000111000 seconds] > [Time delta from previous displayed frame: 0.000111000 seconds] > [Time since reference or first frame: 0.436866000 seconds] > Frame Number: 23 > Frame Length: 230 bytes (1840 bits) > Capture Length: 230 bytes (1840 bits) > [Frame is marked: False] > [Frame is ignored: False] > [Protocols in frame: eth:ethertype:ip:tcp:nbss:smb2] > [Coloring Rule Name: SMB] > [Coloring Rule String: smb || nbss || nbns || nbipx || ipxsap || netbios] >Ethernet II, Src: Manufacturer_00:00:00 (00:00:00:00:00:00), Dst: Manufacturer2_11:11:11 (11:11:11:11:11:11) > Destination: Manufacturer2_11:11:11 (11:11:11:11:11:11) > Address: Manufacturer2_11:11:11 (11:11:11:11:11:11) > .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) > .... ...0 .... .... .... .... = IG bit: Individual address (unicast) > Source: Manufacturer_00:00:00 (00:00:00:00:00:00) > Address: Manufacturer_00:00:00 (00:00:00:00:00:00) > .... ..0. .... .... .... .... 
= LG bit: Globally unique address (factory default) > .... ...0 .... .... .... .... = IG bit: Individual address (unicast) > Type: IP (0x0800) >Internet Protocol Version 4, Src: 10.9.*.* (10.9.*.*), Dst: 10.96.*.* (10.96.*.*) > Version: 4 > Header Length: 20 bytes > Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport)) > 0000 00.. = Differentiated Services Codepoint: Default (0x00) > .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00) > Total Length: 216 > Identification: 0x9531 (38193) > Flags: 0x02 (Don't Fragment) > 0... .... = Reserved bit: Not set > .1.. .... = Don't fragment: Set > ..0. .... = More fragments: Not set > Fragment offset: 0 > Time to live: 64 > Protocol: TCP (6) > Header checksum: 0x8a16 [validation disabled] > [Good: False] > [Bad: False] > Source: 10.9.*.* (10.9.*.*) > Destination: 10.96.*.* (10.96.*.*) > [Source GeoIP: Unknown] > [Destination GeoIP: Unknown] >Transmission Control Protocol, Src Port: 57892 (57892), Dst Port: 445 (445), Seq: 3850, Ack: 1022, Len: 164 > Source Port: 57892 (57892) > Destination Port: 445 (445) > [Stream index: 0] > [TCP Segment Len: 164] > Sequence number: 3850 (relative sequence number) > [Next sequence number: 4014 (relative sequence number)] > Acknowledgment number: 1022 (relative ack number) > Header Length: 32 bytes > .... 0000 0001 1000 = Flags: 0x018 (PSH, ACK) > 000. .... .... = Reserved: Not set > ...0 .... .... = Nonce: Not set > .... 0... .... = Congestion Window Reduced (CWR): Not set > .... .0.. .... = ECN-Echo: Not set > .... ..0. .... = Urgent: Not set > .... ...1 .... = Acknowledgment: Set > .... .... 1... = Push: Set > .... .... .0.. = Reset: Not set > .... .... ..0. = Syn: Not set > .... .... 
...0 = Fin: Not set > Window size value: 254 > [Calculated window size: 32512] > [Window size scaling factor: 128] > Checksum: 0x1393 [validation disabled] > [Good Checksum: False] > [Bad Checksum: False] > Urgent pointer: 0 > Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps > No-Operation (NOP) > Type: 1 > 0... .... = Copy on fragmentation: No > .00. .... = Class: Control (0) > ...0 0001 = Number: No-Operation (NOP) (1) > No-Operation (NOP) > Type: 1 > 0... .... = Copy on fragmentation: No > .00. .... = Class: Control (0) > ...0 0001 = Number: No-Operation (NOP) (1) > Timestamps: TSval 264085024, TSecr 4136501136 > Kind: Time Stamp Option (8) > Length: 10 > Timestamp value: 264085024 > Timestamp echo reply: 4136501136 > [SEQ/ACK analysis] > [This is an ACK to the segment in frame: 22] > [The RTT to ACK the segment was: 0.000111000 seconds] > [iRTT: 0.000378000 seconds] > [Bytes in flight: 164] >NetBIOS Session Service > Message Type: Session message (0x00) > Length: 160 >SMB2 (Server Message Block Protocol version 2) > SMB2 Header > Server Component: SMB2 > Header Length: 64 > Credit Charge: 0 > Channel Sequence: 0 > Reserved: 0000 > Command: Ioctl (11) > Credits requested: 1 > Flags: 0x00000008 > .... .... .... .... .... .... .... ...0 = Response: This is a REQUEST > .... .... .... .... .... .... .... ..0. = Async command: This is a SYNC command > .... .... .... .... .... .... .... .0.. = Chained: This pdu is NOT a chained command > .... .... .... .... .... .... .... 1... = Signing: This pdu is SIGNED > ...0 .... .... .... .... .... .... .... = DFS operation: This is a normal operation > ..0. .... .... .... .... .... .... .... 
= Replay operation: This is NOT a replay operation > Chain Offset: 0x00000000 > Message ID: 6 > Process Id: 0x00000000 > Tree Id: 0x00000002 \\fileserver.fqdn\Folder > [Tree: \\fileserver.fqdn\Folder] > [Share Type: Physical disk (0x01)] > [Connected in Frame: 22] > Session Id: 0x8df3ec9a00000001 > Signature: ******************************** > [Response in: 24] > Ioctl Request (0x0b) > StructureSize: 0x0039 > 0000 0000 0011 100. = Fixed Part Length: 56 > .... .... .... ...1 = Dynamic Part: True > Function: FSCTL_VALIDATE_NEGOTIATE_INFO (0x00140204) > 0000 0000 0001 0100 .... .... .... .... = Device: NETWORK_FILE_SYSTEM (0x00000014) > .... .... .... .... 00.. .... .... .... = Access: FILE_ANY_ACCESS (0x00000000) > .... .... .... .... ..00 0010 0000 01.. = Function: 0x00000081 > .... .... .... .... .... .... .... ..00 = Method: METHOD_BUFFERED (0x00000000) > GUID handle > File Id: ffffffff-ffff-ffff-ffff-ffffffffffff > Max Ioctl In Size: 0 > Max Ioctl Out Size: 24 > Flags: 0x00000001 > .... .... .... .... .... .... .... ...1 = Is FSCTL: True > In Data > Offset: 0x00000078 > Length: 40 > Capabilities: 0x0000007f > .... .... .... .... .... .... .... ...1 = DFS: This host supports DFS > .... .... .... .... .... .... .... ..1. = LEASING: This host supports LEASING > .... .... .... .... .... .... .... .1.. = LARGE MTU: This host supports LARGE_MTU > .... .... .... .... .... .... .... 1... = MULTI CHANNEL: This host supports MULTI CHANNEL > .... .... .... .... .... .... ...1 .... = PERSISTENT HANDLES: This host supports PERSISTENT HANDLES > .... .... .... .... .... .... ..1. .... = DIRECTORY LEASING: This host supports DIRECTORY LEASING > .... .... .... .... .... .... .1.. .... = ENCRYPTION: This host supports ENCRYPTION > Client Guid: 00000000-0000-0000-0000-000000000000 > Security mode: 0x01 > .... ...1 = Signing enabled: True > .... ..0. 
= Signing required: False > Dialect count: 8 > Dialect: 0x0202 > Dialect: 0x0210 > Dialect: 0x0222 > Dialect: 0x0224 > Dialect: 0x0300 > Dialect: 0x0302 > Dialect: 0x0310 > Dialect: 0x0311 > Out Data: NO DATA > Offset: 0x00000078 > Length: 0 > >No. Time Source Destination Protocol Length Info > 24 0.437296 10.96.*.* 10.9.*.* SMB2 143 Ioctl Response, Error: STATUS_NOT_SUPPORTED > >Frame 24: 143 bytes on wire (1144 bits), 143 bytes captured (1144 bits) > Encapsulation type: Ethernet (1) > Arrival Time: Jun 2, 2016 08:35:31.845898000 CEST > [Time shift for this packet: 0.000000000 seconds] > Epoch Time: 1464849331.845898000 seconds > [Time delta from previous captured frame: 0.000430000 seconds] > [Time delta from previous displayed frame: 0.000430000 seconds] > [Time since reference or first frame: 0.437296000 seconds] > Frame Number: 24 > Frame Length: 143 bytes (1144 bits) > Capture Length: 143 bytes (1144 bits) > [Frame is marked: False] > [Frame is ignored: False] > [Protocols in frame: eth:ethertype:ip:tcp:nbss:smb2] > [Coloring Rule Name: SMB] > [Coloring Rule String: smb || nbss || nbns || nbipx || ipxsap || netbios] >Ethernet II, Src: Manufacturer2_11:11:11 (11:11:11:11:11:11), Dst: Manufacturer_00:00:00 (00:00:00:00:00:00) > Destination: Manufacturer_00:00:00 (00:00:00:00:00:00) > Address: Manufacturer_00:00:00 (00:00:00:00:00:00) > .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) > .... ...0 .... .... .... .... = IG bit: Individual address (unicast) > Source: Manufacturer2_11:11:11 (11:11:11:11:11:11) > Address: Manufacturer2_11:11:11 (11:11:11:11:11:11) > .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) > .... ...0 .... .... .... .... 
= IG bit: Individual address (unicast) > Type: IP (0x0800) >Internet Protocol Version 4, Src: 10.96.*.* (10.96.*.*), Dst: 10.9.*.* (10.9.*.*) > Version: 4 > Header Length: 20 bytes > Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport)) > 0000 00.. = Differentiated Services Codepoint: Default (0x00) > .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00) > Total Length: 129 > Identification: 0x5298 (21144) > Flags: 0x02 (Don't Fragment) > 0... .... = Reserved bit: Not set > .1.. .... = Don't fragment: Set > ..0. .... = More fragments: Not set > Fragment offset: 0 > Time to live: 62 > Protocol: TCP (6) > Header checksum: 0xcf06 [validation disabled] > [Good: False] > [Bad: False] > Source: 10.96.*.* (10.96.*.*) > Destination: 10.9.*.* (10.9.*.*) > [Source GeoIP: Unknown] > [Destination GeoIP: Unknown] >Transmission Control Protocol, Src Port: 445 (445), Dst Port: 57892 (57892), Seq: 1022, Ack: 4014, Len: 77 > Source Port: 445 (445) > Destination Port: 57892 (57892) > [Stream index: 0] > [TCP Segment Len: 77] > Sequence number: 1022 (relative sequence number) > [Next sequence number: 1099 (relative sequence number)] > Acknowledgment number: 4014 (relative ack number) > Header Length: 32 bytes > .... 0000 0001 1000 = Flags: 0x018 (PSH, ACK) > 000. .... .... = Reserved: Not set > ...0 .... .... = Nonce: Not set > .... 0... .... = Congestion Window Reduced (CWR): Not set > .... .0.. .... = ECN-Echo: Not set > .... ..0. .... = Urgent: Not set > .... ...1 .... = Acknowledgment: Set > .... .... 1... = Push: Set > .... .... .0.. = Reset: Not set > .... .... ..0. = Syn: Not set > .... .... 
...0 = Fin: Not set > Window size value: 262 > [Calculated window size: 33536] > [Window size scaling factor: 128] > Checksum: 0x7896 [validation disabled] > [Good Checksum: False] > [Bad Checksum: False] > Urgent pointer: 0 > Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps > No-Operation (NOP) > Type: 1 > 0... .... = Copy on fragmentation: No > .00. .... = Class: Control (0) > ...0 0001 = Number: No-Operation (NOP) (1) > No-Operation (NOP) > Type: 1 > 0... .... = Copy on fragmentation: No > .00. .... = Class: Control (0) > ...0 0001 = Number: No-Operation (NOP) (1) > Timestamps: TSval 4136501136, TSecr 264085024 > Kind: Time Stamp Option (8) > Length: 10 > Timestamp value: 4136501136 > Timestamp echo reply: 264085024 > [SEQ/ACK analysis] > [This is an ACK to the segment in frame: 23] > [The RTT to ACK the segment was: 0.000430000 seconds] > [iRTT: 0.000378000 seconds] > [Bytes in flight: 77] >NetBIOS Session Service > Message Type: Session message (0x00) > Length: 73 >SMB2 (Server Message Block Protocol version 2) > SMB2 Header > Server Component: SMB2 > Header Length: 64 > Credit Charge: 0 > NT Status: STATUS_NOT_SUPPORTED (0xc00000bb) > Command: Ioctl (11) > Credits granted: 1 > Flags: 0x00000009 > .... .... .... .... .... .... .... ...1 = Response: This is a RESPONSE > .... .... .... .... .... .... .... ..0. = Async command: This is a SYNC command > .... .... .... .... .... .... .... .0.. = Chained: This pdu is NOT a chained command > .... .... .... .... .... .... .... 1... = Signing: This pdu is SIGNED > ...0 .... .... .... .... .... .... .... = DFS operation: This is a normal operation > ..0. .... .... .... .... .... .... .... 
= Replay operation: This is NOT a replay operation > Chain Offset: 0x00000000 > Message ID: 6 > Process Id: 0x00000000 > Tree Id: 0x00000002 \\fileserver.fqdn\Folder > [Tree: \\fileserver.fqdn\Folder] > [Share Type: Physical disk (0x01)] > [Connected in Frame: 22] > Session Id: 0x8df3ec9a00000001 > Signature: ******************************** > [Response to: 23] > [Time from request: 0.000430000 seconds] > Ioctl Response (0x0b) > StructureSize: 0x0009 > 0000 0000 0000 100. = Fixed Part Length: 8 > .... .... .... ...1 = Dynamic Part: True > Reserved: 0x0000 > Byte Count: 0 > Error Data: 00 > >No. Time Source Destination Protocol Length Info > 25 0.437418 10.9.*.* 10.96.*.* TCP 66 57892→445 [FIN, ACK] Seq=4014 Ack=1099 Win=32512 Len=0 TSval=264085025 TSecr=4136501136 > >Frame 25: 66 bytes on wire (528 bits), 66 bytes captured (528 bits) > Encapsulation type: Ethernet (1) > Arrival Time: Jun 2, 2016 08:35:31.846020000 CEST > [Time shift for this packet: 0.000000000 seconds] > Epoch Time: 1464849331.846020000 seconds > [Time delta from previous captured frame: 0.000122000 seconds] > [Time delta from previous displayed frame: 0.000122000 seconds] > [Time since reference or first frame: 0.437418000 seconds] > Frame Number: 25 > Frame Length: 66 bytes (528 bits) > Capture Length: 66 bytes (528 bits) > [Frame is marked: False] > [Frame is ignored: False] > [Protocols in frame: eth:ethertype:ip:tcp] > [Coloring Rule Name: TCP SYN/FIN] > [Coloring Rule String: tcp.flags & 0x02 || tcp.flags.fin == 1] >Ethernet II, Src: Manufacturer_00:00:00 (00:00:00:00:00:00), Dst: Manufacturer2_11:11:11 (11:11:11:11:11:11) > Destination: Manufacturer2_11:11:11 (11:11:11:11:11:11) > Address: Manufacturer2_11:11:11 (11:11:11:11:11:11) > .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) > .... ...0 .... .... .... .... 
= IG bit: Individual address (unicast) > Source: Manufacturer_00:00:00 (00:00:00:00:00:00) > Address: Manufacturer_00:00:00 (00:00:00:00:00:00) > .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) > .... ...0 .... .... .... .... = IG bit: Individual address (unicast) > Type: IP (0x0800) >Internet Protocol Version 4, Src: 10.9.*.* (10.9.*.*), Dst: 10.96.*.* (10.96.*.*) > Version: 4 > Header Length: 20 bytes > Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport)) > 0000 00.. = Differentiated Services Codepoint: Default (0x00) > .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00) > Total Length: 52 > Identification: 0x9532 (38194) > Flags: 0x02 (Don't Fragment) > 0... .... = Reserved bit: Not set > .1.. .... = Don't fragment: Set > ..0. .... = More fragments: Not set > Fragment offset: 0 > Time to live: 64 > Protocol: TCP (6) > Header checksum: 0x8ab9 [validation disabled] > [Good: False] > [Bad: False] > Source: 10.9.*.* (10.9.*.*) > Destination: 10.96.*.* (10.96.*.*) > [Source GeoIP: Unknown] > [Destination GeoIP: Unknown] >Transmission Control Protocol, Src Port: 57892 (57892), Dst Port: 445 (445), Seq: 4014, Ack: 1099, Len: 0 > Source Port: 57892 (57892) > Destination Port: 445 (445) > [Stream index: 0] > [TCP Segment Len: 0] > Sequence number: 4014 (relative sequence number) > Acknowledgment number: 1099 (relative ack number) > Header Length: 32 bytes > .... 0000 0001 0001 = Flags: 0x011 (FIN, ACK) > 000. .... .... = Reserved: Not set > ...0 .... .... = Nonce: Not set > .... 0... .... = Congestion Window Reduced (CWR): Not set > .... .0.. .... = ECN-Echo: Not set > .... ..0. .... = Urgent: Not set > .... ...1 .... = Acknowledgment: Set > .... .... 0... = Push: Not set > .... .... .0.. = Reset: Not set > .... .... ..0. = Syn: Not set > .... .... 
...1 = Fin: Set > [Expert Info (Chat/Sequence): Connection finish (FIN)] > [Connection finish (FIN)] > [Severity level: Chat] > [Group: Sequence] > Window size value: 254 > [Calculated window size: 32512] > [Window size scaling factor: 128] > Checksum: 0x4953 [validation disabled] > [Good Checksum: False] > [Bad Checksum: False] > Urgent pointer: 0 > Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps > No-Operation (NOP) > Type: 1 > 0... .... = Copy on fragmentation: No > .00. .... = Class: Control (0) > ...0 0001 = Number: No-Operation (NOP) (1) > No-Operation (NOP) > Type: 1 > 0... .... = Copy on fragmentation: No > .00. .... = Class: Control (0) > ...0 0001 = Number: No-Operation (NOP) (1) > Timestamps: TSval 264085025, TSecr 4136501136 > Kind: Time Stamp Option (8) > Length: 10 > Timestamp value: 264085025 > Timestamp echo reply: 4136501136 > [SEQ/ACK analysis] > [This is an ACK to the segment in frame: 24] > [The RTT to ACK the segment was: 0.000122000 seconds] > [iRTT: 0.000378000 seconds] > >No. 
Time Source Destination Protocol Length Info > 26 0.437639 10.96.*.* 10.9.*.* TCP 66 445→57892 [ACK] Seq=1099 Ack=4015 Win=33536 Len=0 TSval=4136501137 TSecr=264085025 > >Frame 26: 66 bytes on wire (528 bits), 66 bytes captured (528 bits) > Encapsulation type: Ethernet (1) > Arrival Time: Jun 2, 2016 08:35:31.846241000 CEST > [Time shift for this packet: 0.000000000 seconds] > Epoch Time: 1464849331.846241000 seconds > [Time delta from previous captured frame: 0.000221000 seconds] > [Time delta from previous displayed frame: 0.000221000 seconds] > [Time since reference or first frame: 0.437639000 seconds] > Frame Number: 26 > Frame Length: 66 bytes (528 bits) > Capture Length: 66 bytes (528 bits) > [Frame is marked: False] > [Frame is ignored: False] > [Protocols in frame: eth:ethertype:ip:tcp] > [Coloring Rule Name: TCP] > [Coloring Rule String: tcp] >Ethernet II, Src: Manufacturer2_11:11:11 (11:11:11:11:11:11), Dst: Manufacturer_00:00:00 (00:00:00:00:00:00) > Destination: Manufacturer_00:00:00 (00:00:00:00:00:00) > Address: Manufacturer_00:00:00 (00:00:00:00:00:00) > .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) > .... ...0 .... .... .... .... = IG bit: Individual address (unicast) > Source: Manufacturer2_11:11:11 (11:11:11:11:11:11) > Address: Manufacturer2_11:11:11 (11:11:11:11:11:11) > .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) > .... ...0 .... .... .... .... = IG bit: Individual address (unicast) > Type: IP (0x0800) >Internet Protocol Version 4, Src: 10.96.*.* (10.96.*.*), Dst: 10.9.*.* (10.9.*.*) > Version: 4 > Header Length: 20 bytes > Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport)) > 0000 00.. = Differentiated Services Codepoint: Default (0x00) > .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00) > Total Length: 52 > Identification: 0x3801 (14337) > Flags: 0x02 (Don't Fragment) > 0... .... 
= Reserved bit: Not set > .1.. .... = Don't fragment: Set > ..0. .... = More fragments: Not set > Fragment offset: 0 > Time to live: 62 > Protocol: TCP (6) > Header checksum: 0xe9ea [validation disabled] > [Good: False] > [Bad: False] > Source: 10.96.*.* (10.96.*.*) > Destination: 10.9.*.* (10.9.*.*) > [Source GeoIP: Unknown] > [Destination GeoIP: Unknown] >Transmission Control Protocol, Src Port: 445 (445), Dst Port: 57892 (57892), Seq: 1099, Ack: 4015, Len: 0 > Source Port: 445 (445) > Destination Port: 57892 (57892) > [Stream index: 0] > [TCP Segment Len: 0] > Sequence number: 1099 (relative sequence number) > Acknowledgment number: 4015 (relative ack number) > Header Length: 32 bytes > .... 0000 0001 0000 = Flags: 0x010 (ACK) > 000. .... .... = Reserved: Not set > ...0 .... .... = Nonce: Not set > .... 0... .... = Congestion Window Reduced (CWR): Not set > .... .0.. .... = ECN-Echo: Not set > .... ..0. .... = Urgent: Not set > .... ...1 .... = Acknowledgment: Set > .... .... 0... = Push: Not set > .... .... .0.. = Reset: Not set > .... .... ..0. = Syn: Not set > .... .... ...0 = Fin: Not set > Window size value: 262 > [Calculated window size: 33536] > [Window size scaling factor: 128] > Checksum: 0x494a [validation disabled] > [Good Checksum: False] > [Bad Checksum: False] > Urgent pointer: 0 > Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps > No-Operation (NOP) > Type: 1 > 0... .... = Copy on fragmentation: No > .00. .... = Class: Control (0) > ...0 0001 = Number: No-Operation (NOP) (1) > No-Operation (NOP) > Type: 1 > 0... .... = Copy on fragmentation: No > .00. .... 
= Class: Control (0) > ...0 0001 = Number: No-Operation (NOP) (1) > Timestamps: TSval 4136501137, TSecr 264085025 > Kind: Time Stamp Option (8) > Length: 10 > Timestamp value: 4136501137 > Timestamp echo reply: 264085025 > [SEQ/ACK analysis] > [This is an ACK to the segment in frame: 25] > [The RTT to ACK the segment was: 0.000221000 seconds] > [iRTT: 0.000378000 seconds] > >No. Time Source Destination Protocol Length Info > 27 0.437743 10.96.*.* 10.9.*.* TCP 66 445→57892 [FIN, ACK] Seq=1099 Ack=4015 Win=33536 Len=0 TSval=4136501137 TSecr=264085025 > >Frame 27: 66 bytes on wire (528 bits), 66 bytes captured (528 bits) > Encapsulation type: Ethernet (1) > Arrival Time: Jun 2, 2016 08:35:31.846345000 CEST > [Time shift for this packet: 0.000000000 seconds] > Epoch Time: 1464849331.846345000 seconds > [Time delta from previous captured frame: 0.000104000 seconds] > [Time delta from previous displayed frame: 0.000104000 seconds] > [Time since reference or first frame: 0.437743000 seconds] > Frame Number: 27 > Frame Length: 66 bytes (528 bits) > Capture Length: 66 bytes (528 bits) > [Frame is marked: False] > [Frame is ignored: False] > [Protocols in frame: eth:ethertype:ip:tcp] > [Coloring Rule Name: TCP SYN/FIN] > [Coloring Rule String: tcp.flags & 0x02 || tcp.flags.fin == 1] >Ethernet II, Src: Manufacturer2_11:11:11 (11:11:11:11:11:11), Dst: Manufacturer_00:00:00 (00:00:00:00:00:00) > Destination: Manufacturer_00:00:00 (00:00:00:00:00:00) > Address: Manufacturer_00:00:00 (00:00:00:00:00:00) > .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) > .... ...0 .... .... .... .... = IG bit: Individual address (unicast) > Source: Manufacturer2_11:11:11 (11:11:11:11:11:11) > Address: Manufacturer2_11:11:11 (11:11:11:11:11:11) > .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) > .... ...0 .... .... .... .... 
= IG bit: Individual address (unicast) > Type: IP (0x0800) >Internet Protocol Version 4, Src: 10.96.*.* (10.96.*.*), Dst: 10.9.*.* (10.9.*.*) > Version: 4 > Header Length: 20 bytes > Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport)) > 0000 00.. = Differentiated Services Codepoint: Default (0x00) > .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00) > Total Length: 52 > Identification: 0x25a2 (9634) > Flags: 0x02 (Don't Fragment) > 0... .... = Reserved bit: Not set > .1.. .... = Don't fragment: Set > ..0. .... = More fragments: Not set > Fragment offset: 0 > Time to live: 62 > Protocol: TCP (6) > Header checksum: 0xfc49 [validation disabled] > [Good: False] > [Bad: False] > Source: 10.96.*.* (10.96.*.*) > Destination: 10.9.*.* (10.9.*.*) > [Source GeoIP: Unknown] > [Destination GeoIP: Unknown] >Transmission Control Protocol, Src Port: 445 (445), Dst Port: 57892 (57892), Seq: 1099, Ack: 4015, Len: 0 > Source Port: 445 (445) > Destination Port: 57892 (57892) > [Stream index: 0] > [TCP Segment Len: 0] > Sequence number: 1099 (relative sequence number) > Acknowledgment number: 4015 (relative ack number) > Header Length: 32 bytes > .... 0000 0001 0001 = Flags: 0x011 (FIN, ACK) > 000. .... .... = Reserved: Not set > ...0 .... .... = Nonce: Not set > .... 0... .... = Congestion Window Reduced (CWR): Not set > .... .0.. .... = ECN-Echo: Not set > .... ..0. .... = Urgent: Not set > .... ...1 .... = Acknowledgment: Set > .... .... 0... = Push: Not set > .... .... .0.. = Reset: Not set > .... .... ..0. = Syn: Not set > .... .... 
...1 = Fin: Set > [Expert Info (Chat/Sequence): Connection finish (FIN)] > [Connection finish (FIN)] > [Severity level: Chat] > [Group: Sequence] > Window size value: 262 > [Calculated window size: 33536] > [Window size scaling factor: 128] > Checksum: 0x4949 [validation disabled] > [Good Checksum: False] > [Bad Checksum: False] > Urgent pointer: 0 > Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps > No-Operation (NOP) > Type: 1 > 0... .... = Copy on fragmentation: No > .00. .... = Class: Control (0) > ...0 0001 = Number: No-Operation (NOP) (1) > No-Operation (NOP) > Type: 1 > 0... .... = Copy on fragmentation: No > .00. .... = Class: Control (0) > ...0 0001 = Number: No-Operation (NOP) (1) > Timestamps: TSval 4136501137, TSecr 264085025 > Kind: Time Stamp Option (8) > Length: 10 > Timestamp value: 4136501137 > Timestamp echo reply: 264085025 > >No. Time Source Destination Protocol Length Info > 28 0.437762 10.9.*.* 10.96.*.* TCP 66 57892→445 [ACK] Seq=4015 Ack=1100 Win=32512 Len=0 TSval=264085025 TSecr=4136501137 > >Frame 28: 66 bytes on wire (528 bits), 66 bytes captured (528 bits) > Encapsulation type: Ethernet (1) > Arrival Time: Jun 2, 2016 08:35:31.846364000 CEST > [Time shift for this packet: 0.000000000 seconds] > Epoch Time: 1464849331.846364000 seconds > [Time delta from previous captured frame: 0.000019000 seconds] > [Time delta from previous displayed frame: 0.000019000 seconds] > [Time since reference or first frame: 0.437762000 seconds] > Frame Number: 28 > Frame Length: 66 bytes (528 bits) > Capture Length: 66 bytes (528 bits) > [Frame is marked: False] > [Frame is ignored: False] > [Protocols in frame: eth:ethertype:ip:tcp] > [Coloring Rule Name: TCP] > [Coloring Rule String: tcp] >Ethernet II, Src: Manufacturer_00:00:00 (00:00:00:00:00:00), Dst: Manufacturer2_11:11:11 (11:11:11:11:11:11) > Destination: Manufacturer2_11:11:11 (11:11:11:11:11:11) > Address: Manufacturer2_11:11:11 (11:11:11:11:11:11) > .... ..0. .... .... .... 
.... = LG bit: Globally unique address (factory default) > .... ...0 .... .... .... .... = IG bit: Individual address (unicast) > Source: Manufacturer_00:00:00 (00:00:00:00:00:00) > Address: Manufacturer_00:00:00 (00:00:00:00:00:00) > .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) > .... ...0 .... .... .... .... = IG bit: Individual address (unicast) > Type: IP (0x0800) >Internet Protocol Version 4, Src: 10.9.*.* (10.9.*.*), Dst: 10.96.*.* (10.96.*.*) > Version: 4 > Header Length: 20 bytes > Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport)) > 0000 00.. = Differentiated Services Codepoint: Default (0x00) > .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00) > Total Length: 52 > Identification: 0x804c (32844) > Flags: 0x02 (Don't Fragment) > 0... .... = Reserved bit: Not set > .1.. .... = Don't fragment: Set > ..0. .... = More fragments: Not set > Fragment offset: 0 > Time to live: 64 > Protocol: TCP (6) > Header checksum: 0x9f9f [validation disabled] > [Good: False] > [Bad: False] > Source: 10.9.*.* (10.9.*.*) > Destination: 10.96.*.* (10.96.*.*) > [Source GeoIP: Unknown] > [Destination GeoIP: Unknown] >Transmission Control Protocol, Src Port: 57892 (57892), Dst Port: 445 (445), Seq: 4015, Ack: 1100, Len: 0 > Source Port: 57892 (57892) > Destination Port: 445 (445) > [Stream index: 0] > [TCP Segment Len: 0] > Sequence number: 4015 (relative sequence number) > Acknowledgment number: 1100 (relative ack number) > Header Length: 32 bytes > .... 0000 0001 0000 = Flags: 0x010 (ACK) > 000. .... .... = Reserved: Not set > ...0 .... .... = Nonce: Not set > .... 0... .... = Congestion Window Reduced (CWR): Not set > .... .0.. .... = ECN-Echo: Not set > .... ..0. .... = Urgent: Not set > .... ...1 .... = Acknowledgment: Set > .... .... 0... = Push: Not set > .... .... .0.. = Reset: Not set > .... .... ..0. = Syn: Not set > .... .... 
...0 = Fin: Not set > Window size value: 254 > [Calculated window size: 32512] > [Window size scaling factor: 128] > Checksum: 0x4951 [validation disabled] > [Good Checksum: False] > [Bad Checksum: False] > Urgent pointer: 0 > Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps > No-Operation (NOP) > Type: 1 > 0... .... = Copy on fragmentation: No > .00. .... = Class: Control (0) > ...0 0001 = Number: No-Operation (NOP) (1) > No-Operation (NOP) > Type: 1 > 0... .... = Copy on fragmentation: No > .00. .... = Class: Control (0) > ...0 0001 = Number: No-Operation (NOP) (1) > Timestamps: TSval 264085025, TSecr 4136501137 > Kind: Time Stamp Option (8) > Length: 10 > Timestamp value: 264085025 > Timestamp echo reply: 4136501137 > [SEQ/ACK analysis] > [This is an ACK to the segment in frame: 27] > [The RTT to ACK the segment was: 0.000019000 seconds] > [iRTT: 0.000378000 seconds]