Frame 9694 (252 bytes on wire, 252 bytes captured)
    Arrival Time: Oct 26, 2005 11:10:35.419072000
    Time delta from previous packet: 0.001635000 seconds
    Time since reference or first frame: 44.311261000 seconds
    Frame Number: 9694
    Packet Length: 252 bytes
    Capture Length: 252 bytes
    Protocols in frame: eth:ip:tcp:nbss:smb
Ethernet II, Src: Ibm_5d:92:37 (00:11:25:5d:92:37), Dst: AsustekC_55:55:d0 (00:e0:18:55:55:d0)
    Destination: AsustekC_55:55:d0 (00:e0:18:55:55:d0)
    Source: Ibm_5d:92:37 (00:11:25:5d:92:37)
    Type: IP (0x0800)
Internet Protocol, Src: 192.168.0.54 (192.168.0.54), Dst: 192.168.0.252 (192.168.0.252)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 238
    Identification: 0xae03 (44547)
    Flags: 0x04 (Don't Fragment)
        0... = Reserved bit: Not set
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 128
    Protocol: TCP (0x06)
    Header checksum: 0xc983 [correct]
    Source: 192.168.0.54 (192.168.0.54)
    Destination: 192.168.0.252 (192.168.0.252)
Transmission Control Protocol, Src Port: 1268 (1268), Dst Port: netbios-ssn (139), Seq: 17680, Ack: 10406, Len: 198
    Source port: 1268 (1268)
    Destination port: netbios-ssn (139)
    Sequence number: 17680 (relative sequence number)
    Next sequence number: 17878 (relative sequence number)
    Acknowledgement number: 10406 (relative ack number)
    Header length: 20 bytes
    Flags: 0x0018 (PSH, ACK)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...1 .... = Acknowledgment: Set
        .... 1... = Push: Set
        .... .0.. = Reset: Not set
        .... ..0. = Syn: Not set
        .... ...0 = Fin: Not set
    Window size: 65200
    Checksum: 0x8f64 [correct]
    SEQ/ACK analysis
        This is an ACK to the segment in frame: 9693
        The RTT to ACK the segment was: 0.001635000 seconds
NetBIOS Session Service
    Message Type: Session message
    Flags: 0x00
        .... ...0 = Add 0 to length
    Length: 194
SMB (Server Message Block Protocol)
    SMB Header
        Server Component: SMB
        SMB Command: NT Create AndX (0xa2)
        NT Status: STATUS_SUCCESS (0x00000000)
        Flags: 0x18
            0... .... = Request/Response: Message is a request to the server
            .0.. .... = Notify: Notify client only on open
            ..0. .... = Oplocks: OpLock not requested/granted
            ...1 .... = Canonicalized Pathnames: Pathnames are canonicalized
            .... 1... = Case Sensitivity: Path names are caseless
            .... ..0. = Receive Buffer Posted: Receive buffer has not been posted
            .... ...0 = Lock and Read: Lock&Read, Write&Unlock are not supported
        Flags2: 0xc807
            1... .... .... .... = Unicode Strings: Strings are Unicode
            .1.. .... .... .... = Error Code Type: Error codes are NT error codes
            ..0. .... .... .... = Execute-only Reads: Don't permit reads if execute-only
            ...0 .... .... .... = Dfs: Don't resolve pathnames with Dfs
            .... 1... .... .... = Extended Security Negotiation: Extended security negotiation is supported
            .... .... .0.. .... = Long Names Used: Path names in request are not long file names
            .... .... .... .1.. = Security Signatures: Security signatures are supported
            .... .... .... ..1. = Extended Attributes: Extended attributes are supported
            .... .... .... ...1 = Long Names Allowed: Long file names are allowed in the response
        Process ID High: 0
        Signature: E1BFDCD80757ADF7
        Reserved: 0000
        Tree ID: 51204
        Process ID: 3696
        User ID: 51200
        Multiplex ID: 42690
    NT Create AndX Request (0xa2)
        Word Count (WCT): 24
        AndXCommand: No further commands (0xff)
        Reserved: 00
        AndXOffset: 57054
        Reserved: 00
        File Name Len: 108
        Create Flags: 0x00000016
            .... .... .... .... .... .... ...1 .... = Extended Response: Extended responses required
            .... .... .... .... .... .... .... 0... = Create Directory: Target of open can be a file
            .... .... .... .... .... .... .... .1.. = Batch Oplock: Requesting BATCH OPLOCK
            .... .... .... .... .... .... .... ..1. = Exclusive Oplock: Requesting OPLOCK
        Root FID: 0x00000000
        Access Mask: 0x00020189
            0... .... .... .... .... .... .... .... = Generic Read: Generic read is NOT set
            .0.. .... .... .... .... .... .... .... = Generic Write: Generic write is NOT set
            ..0. .... .... .... .... .... .... .... = Generic Execute: Generic execute is NOT set
            ...0 .... .... .... .... .... .... .... = Generic All: Generic all is NOT set
            .... ..0. .... .... .... .... .... .... = Maximum Allowed: Maximum allowed is NOT set
            .... ...0 .... .... .... .... .... .... = System Security: System security is NOT set
            .... .... ...0 .... .... .... .... .... = Synchronize: Can NOT wait on handle to synchronize on completion of I/O
            .... .... .... 0... .... .... .... .... = Write Owner: Can NOT write owner (take ownership)
            .... .... .... .0.. .... .... .... .... = Write DAC: Owner may NOT write to the DAC
            .... .... .... ..1. .... .... .... .... = Read Control: READ ACCESS to owner, group and ACL of the SID
            .... .... .... ...0 .... .... .... .... = Delete: NO delete access
            .... .... .... .... .... ...1 .... .... = Write Attributes: WRITE ATTRIBUTES access
            .... .... .... .... .... .... 1... .... = Read Attributes: READ ATTRIBUTES access
            .... .... .... .... .... .... .0.. .... = Delete Child: NO delete child access
            .... .... .... .... .... .... ..0. .... = Execute: NO execute access
            .... .... .... .... .... .... ...0 .... = Write EA: NO write extended attributes access
            .... .... .... .... .... .... .... 1... = Read EA: READ EXTENDED ATTRIBUTES access
            .... .... .... .... .... .... .... .0.. = Append: NO append access
            .... .... .... .... .... .... .... ..0. = Write: NO write access
            .... .... .... .... .... .... .... ...1 = Read: READ access
        Allocation Size: 0
        File Attributes: 0x00000080
            .... .... .... .... .0.. .... .... .... = Encrypted: This is NOT an encrypted file
            .... .... .... .... ..0. .... .... .... = Content Indexed: This file MAY be indexed by the content indexing service
            .... .... .... .... ...0 .... .... .... = Offline: This file is NOT offline
            .... .... .... .... .... 0... .... .... = Compressed: This is NOT a compressed file
            .... .... .... .... .... .0.. .... .... = Reparse Point: This file does NOT have an associated reparse point
            .... .... .... .... .... ..0. .... .... = Sparse: This is NOT a sparse file
            .... .... .... .... .... ...0 .... .... = Temporary: This is NOT a temporary file
            .... .... .... .... .... .... 1... .... = Normal: This file is an ordinary file
            .... .... .... .... .... .... .0.. .... = Device: This is NOT a device
            .... .... .... .... .... .... ..0. .... = Archive: This file has NOT been modified since last archive
            .... .... .... .... .... .... ...0 .... = Directory: This is NOT a directory
            .... .... .... .... .... .... .... 0... = Volume ID: This is NOT a volume ID
            .... .... .... .... .... .... .... .0.. = System: This is NOT a system file
            .... .... .... .... .... .... .... ..0. = Hidden: This is NOT a hidden file
            .... .... .... .... .... .... .... ...0 = Read Only: This file is NOT read only
        Share Access: 0x00000007
            .... .... .... .... .... .... .... .1.. = Delete: Object can be shared for DELETE
            .... .... .... .... .... .... .... ..1. = Write: Object can be shared for WRITE
            .... .... .... .... .... .... .... ...1 = Read: Object can be shared for READ
        Disposition: Open (if file exists open it, else fail) (1)
        Create Options: 0x00000940
            .... .... .... .... .... .... .... ...0 = Directory: File being created/opened must not be a directory
            .... .... .... .... .... .... .... ..0. = Write Through: Writes need not flush buffered data before completing
            .... .... .... .... .... .... .... .0.. = Sequential Only: The file might not only be accessed sequentially
            .... .... .... .... .... .... ...0 .... = Sync I/O Alert: Operations NOT necessarily synchronous
            .... .... .... .... .... .... ..0. .... = Sync I/O Nonalert: Operations NOT necessarily synchronous
            .... .... .... .... .... .... .1.. .... = Non-Directory: File being created/opened must not be a directory
            .... .... .... .... .... ..0. .... .... = No EA Knowledge: The client understands extended attributes
            .... .... .... .... .... .0.. .... .... = 8.3 Only: The client understands long file names
            .... .... .... .... .... 1... .... .... = Random Access: The file will be accessed randomly
            .... .... .... .... ...0 .... .... .... = Delete On Close: The file should not be deleted when it is closed
        Impersonation: Impersonation (2)
        Security Flags: 0x00
            .... ...0 = Context Tracking: Security tracking mode is STATIC
            .... ..0. = Effective Only: ALL aspects of the client's security context are available
        Byte Count (BCC): 111
        File Name: \wha-quickbooks\Westside Housing - General Account.QBW

Frame 9695 (109 bytes on wire, 109 bytes captured)
    Arrival Time: Oct 26, 2005 11:10:35.419851000
    Time delta from previous packet: 0.000779000 seconds
    Time since reference or first frame: 44.312040000 seconds
    Frame Number: 9695
    Packet Length: 109 bytes
    Capture Length: 109 bytes
    Protocols in frame: eth:ip:tcp:nbss:smb
Ethernet II, Src: AsustekC_55:55:d0 (00:e0:18:55:55:d0), Dst: AcctonTe_c7:cf:74 (00:10:b5:c7:cf:74)
    Destination: AcctonTe_c7:cf:74 (00:10:b5:c7:cf:74)
    Source: AsustekC_55:55:d0 (00:e0:18:55:55:d0)
    Type: IP (0x0800)
Internet Protocol, Src: 192.168.0.252 (192.168.0.252), Dst: 192.168.0.120 (192.168.0.120)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 95
    Identification: 0x5cb9 (23737)
    Flags: 0x04 (Don't Fragment)
        0... = Reserved bit: Not set
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 128
    Protocol: TCP (0x06)
    Header checksum: 0x1b1b [correct]
    Source: 192.168.0.252 (192.168.0.252)
    Destination: 192.168.0.120 (192.168.0.120)
Transmission Control Protocol, Src Port: microsoft-ds (445), Dst Port: 1070 (1070), Seq: 6641874, Ack: 728697, Len: 55
    Source port: microsoft-ds (445)
    Destination port: 1070 (1070)
    Sequence number: 6641874 (relative sequence number)
    Next sequence number: 6641929 (relative sequence number)
    Acknowledgement number: 728697 (relative ack number)
    Header length: 20 bytes
    Flags: 0x0018 (PSH, ACK)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...1 .... = Acknowledgment: Set
        .... 1... = Push: Set
        .... .0.. = Reset: Not set
        .... ..0. = Syn: Not set
        .... ...0 = Fin: Not set
    Window size: 17520
    Checksum: 0xafd6 [correct]
NetBIOS Session Service
    Message Type: Session message
    Length: 51
SMB (Server Message Block Protocol)
    SMB Header
        Server Component: SMB
        SMB Command: Locking AndX (0x24)
        Error Class: Success (0x00)
        Reserved: 00
        Error Code: No Error
        Flags: 0x00
            0... .... = Request/Response: Message is a request to the server
            .0.. .... = Notify: Notify client only on open
            ..0. .... = Oplocks: OpLock not requested/granted
            ...0 .... = Canonicalized Pathnames: Pathnames are not canonicalized
            .... 0... = Case Sensitivity: Path names are case sensitive
            .... ..0. = Receive Buffer Posted: Receive buffer has not been posted
            .... ...0 = Lock and Read: Lock&Read, Write&Unlock are not supported
        Flags2: 0x0000
            0... .... .... .... = Unicode Strings: Strings are ASCII
            .0.. .... .... .... = Error Code Type: Error codes are DOS error codes
            ..0. .... .... .... = Execute-only Reads: Don't permit reads if execute-only
            ...0 .... .... .... = Dfs: Don't resolve pathnames with Dfs
            .... 0... .... .... = Extended Security Negotiation: Extended security negotiation is not supported
            .... .... .0.. .... = Long Names Used: Path names in request are not long file names
            .... .... .... .0.. = Security Signatures: Security signatures are not supported
            .... .... .... ..0. = Extended Attributes: Extended attributes are not supported
            .... .... .... ...0 = Long Names Allowed: Long file names are not allowed in the response
        Process ID High: 0
        Signature: 0000000000000000
        Reserved: 0000
        Tree ID: 4101
        Process ID: 65535
        User ID: 0
        Multiplex ID: 65535
    Locking AndX Request (0x24)
        Word Count (WCT): 8
        AndXCommand: No further commands (0xff)
        Reserved: 00
        AndXOffset: 0
        FID: 0xc003
        Lock Type: 0x02
            ...0 .... = Large Files: Large file locking format not requested
            .... 0... = Cancel: Don't cancel outstanding lock request
            .... .0.. = Change: Don't change lock type
            .... ..1. = Oplock Break: This is an oplock break notification/response
            .... ...0 = Shared: This is an exclusive lock
        Oplock Level: Level 2 oplock currently held by client (1)
        Timeout: Return immediately (0)
        Number of Unlocks: 0
        Number of Locks: 0
        Byte Count (BCC): 0

Frame 9696 (129 bytes on wire, 129 bytes captured)
    Arrival Time: Oct 26, 2005 11:10:35.420460000
    Time delta from previous packet: 0.000609000 seconds
    Time since reference or first frame: 44.312649000 seconds
    Frame Number: 9696
    Packet Length: 129 bytes
    Capture Length: 129 bytes
    Protocols in frame: eth:ip:tcp:nbss:smb
Ethernet II, Src: AcctonTe_c7:cf:74 (00:10:b5:c7:cf:74), Dst: AsustekC_55:55:d0 (00:e0:18:55:55:d0)
    Destination: AsustekC_55:55:d0 (00:e0:18:55:55:d0)
    Source: AcctonTe_c7:cf:74 (00:10:b5:c7:cf:74)
    Type: IP (0x0800)
Internet Protocol, Src: 192.168.0.120 (192.168.0.120), Dst: 192.168.0.252 (192.168.0.252)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 115
    Identification: 0x6c27 (27687)
    Flags: 0x04 (Don't Fragment)
        0... = Reserved bit: Not set
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 128
    Protocol: TCP (0x06)
    Header checksum: 0x0b99 [correct]
    Source: 192.168.0.120 (192.168.0.120)
    Destination: 192.168.0.252 (192.168.0.252)
Transmission Control Protocol, Src Port: 1070 (1070), Dst Port: microsoft-ds (445), Seq: 728697, Ack: 6641929, Len: 75
    Source port: 1070 (1070)
    Destination port: microsoft-ds (445)
    Sequence number: 728697 (relative sequence number)
    Next sequence number: 728772 (relative sequence number)
    Acknowledgement number: 6641929 (relative ack number)
    Header length: 20 bytes
    Flags: 0x0018 (PSH, ACK)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...1 .... = Acknowledgment: Set
        .... 1... = Push: Set
        .... .0.. = Reset: Not set
        .... ..0. = Syn: Not set
        .... ...0 = Fin: Not set
    Window size: 64240
    Checksum: 0x254e [correct]
    SEQ/ACK analysis
        This is an ACK to the segment in frame: 9695
        The RTT to ACK the segment was: 0.000609000 seconds
NetBIOS Session Service
    Message Type: Session message
    Length: 71
SMB (Server Message Block Protocol)
    SMB Header
        Server Component: SMB
        SMB Command: Locking AndX (0x24)
        NT Status: STATUS_SUCCESS (0x00000000)
        Flags: 0x18
            0... .... = Request/Response: Message is a request to the server
            .0.. .... = Notify: Notify client only on open
            ..0. .... = Oplocks: OpLock not requested/granted
            ...1 .... = Canonicalized Pathnames: Pathnames are canonicalized
            .... 1... = Case Sensitivity: Path names are caseless
            .... ..0. = Receive Buffer Posted: Receive buffer has not been posted
            .... ...0 = Lock and Read: Lock&Read, Write&Unlock are not supported
        Flags2: 0xc807
            1... .... .... .... = Unicode Strings: Strings are Unicode
            .1.. .... .... .... = Error Code Type: Error codes are NT error codes
            ..0. .... .... .... = Execute-only Reads: Don't permit reads if execute-only
            ...0 .... .... .... = Dfs: Don't resolve pathnames with Dfs
            .... 1... .... .... = Extended Security Negotiation: Extended security negotiation is supported
            .... .... .0.. .... = Long Names Used: Path names in request are not long file names
            .... .... .... .1.. = Security Signatures: Security signatures are supported
            .... .... .... ..1. = Extended Attributes: Extended attributes are supported
            .... .... .... ...1 = Long Names Allowed: Long file names are allowed in the response
        Process ID High: 0
        Signature: B8F1D4CD91E94B18
        Reserved: 0000
        Tree ID: 4101
        Process ID: 65279
        User ID: 8193
        Multiplex ID: 45696
    Locking AndX Request (0x24)
        Word Count (WCT): 8
        AndXCommand: No further commands (0xff)
        Reserved: 00
        AndXOffset: 57054
        FID: 0xc003
        Lock Type: 0x10
            ...1 .... = Large Files: Large file locking format requested
            .... 0... = Cancel: Don't cancel outstanding lock request
            .... .0.. = Change: Don't change lock type
            .... ..0. = Oplock Break: This is not an oplock break notification/response
            .... ...0 = Shared: This is an exclusive lock
        Oplock Level: Client is not holding oplock on this file (0)
        Timeout: Wait indefinitely (-1)
        Number of Unlocks: 0
        Number of Locks: 1
        Byte Count (BCC): 20
        Locks
            Lock
                Process ID: 65279
                Reserved: 0000
                Offset: 563
                Length: 1

Frame 9697 (100 bytes on wire, 100 bytes captured)
    Arrival Time: Oct 26, 2005 11:10:35.420541000
    Time delta from previous packet: 0.000081000 seconds
    Time since reference or first frame: 44.312730000 seconds
    Frame Number: 9697
    Packet Length: 100 bytes
    Capture Length: 100 bytes
    Protocols in frame: eth:ip:tcp:nbss:smb
Ethernet II, Src: AsustekC_55:55:d0 (00:e0:18:55:55:d0), Dst: AcctonTe_c7:cf:74 (00:10:b5:c7:cf:74)
    Destination: AcctonTe_c7:cf:74 (00:10:b5:c7:cf:74)
    Source: AsustekC_55:55:d0 (00:e0:18:55:55:d0)
    Type: IP (0x0800)
Internet Protocol, Src: 192.168.0.252 (192.168.0.252), Dst: 192.168.0.120 (192.168.0.120)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 86
    Identification: 0x5cba (23738)
    Flags: 0x04 (Don't Fragment)
        0... = Reserved bit: Not set
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 128
    Protocol: TCP (0x06)
    Header checksum: 0x1b23 [correct]
    Source: 192.168.0.252 (192.168.0.252)
    Destination: 192.168.0.120 (192.168.0.120)
Transmission Control Protocol, Src Port: microsoft-ds (445), Dst Port: 1070 (1070), Seq: 6641929, Ack: 728772, Len: 46
    Source port: microsoft-ds (445)
    Destination port: 1070 (1070)
    Sequence number: 6641929 (relative sequence number)
    Next sequence number: 6641975 (relative sequence number)
    Acknowledgement number: 728772 (relative ack number)
    Header length: 20 bytes
    Flags: 0x0018 (PSH, ACK)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...1 .... = Acknowledgment: Set
        .... 1... = Push: Set
        .... .0.. = Reset: Not set
        .... ..0. = Syn: Not set
        .... ...0 = Fin: Not set
    Window size: 17445
    Checksum: 0x71e4 [correct]
    SEQ/ACK analysis
        This is an ACK to the segment in frame: 9696
        The RTT to ACK the segment was: 0.000081000 seconds
NetBIOS Session Service
    Message Type: Session message
    Length: 42
SMB (Server Message Block Protocol)
    SMB Header
        Server Component: SMB
        Response to: 9696
        Time from request: 0.000081000 seconds
        SMB Command: Locking AndX (0x24)
        NT Status: STATUS_SUCCESS (0x00000000)
        Flags: 0x98
            1... .... = Request/Response: Message is a response to the client/redirector
            .0.. .... = Notify: Notify client only on open
            ..0. .... = Oplocks: OpLock not requested/granted
            ...1 .... = Canonicalized Pathnames: Pathnames are canonicalized
            .... 1... = Case Sensitivity: Path names are caseless
            .... ..0. = Receive Buffer Posted: Receive buffer has not been posted
            .... ...0 = Lock and Read: Lock&Read, Write&Unlock are not supported
        Flags2: 0xc807
            1... .... .... .... = Unicode Strings: Strings are Unicode
            .1.. .... .... .... = Error Code Type: Error codes are NT error codes
            ..0. .... .... .... = Execute-only Reads: Don't permit reads if execute-only
            ...0 .... .... .... = Dfs: Don't resolve pathnames with Dfs
            .... 1... .... .... = Extended Security Negotiation: Extended security negotiation is supported
            .... .... .0.. .... = Long Names Used: Path names in request are not long file names
            .... .... .... .1.. = Security Signatures: Security signatures are supported
            .... .... .... ..1. = Extended Attributes: Extended attributes are supported
            .... .... .... ...1 = Long Names Allowed: Long file names are allowed in the response
        Process ID High: 0
        Signature: E54F0C71A28CE62C
        Reserved: 0000
        Tree ID: 4101
        Process ID: 65279
        User ID: 8193
        Multiplex ID: 45696
    Locking AndX Response (0x24)
        Word Count (WCT): 2
        AndXCommand: No further commands (0xff)
        Reserved: 00
        AndXOffset: 39
        Byte Count (BCC): 0

Frame 9698 (109 bytes on wire, 109 bytes captured)
    Arrival Time: Oct 26, 2005 11:10:35.420850000
    Time delta from previous packet: 0.000309000 seconds
    Time since reference or first frame: 44.313039000 seconds
    Frame Number: 9698
    Packet Length: 109 bytes
    Capture Length: 109 bytes
    Protocols in frame: eth:ip:tcp:nbss:smb
Ethernet II, Src: AcctonTe_c7:cf:74 (00:10:b5:c7:cf:74), Dst: AsustekC_55:55:d0 (00:e0:18:55:55:d0)
    Destination: AsustekC_55:55:d0 (00:e0:18:55:55:d0)
    Source: AcctonTe_c7:cf:74 (00:10:b5:c7:cf:74)
    Type: IP (0x0800)
Internet Protocol, Src: 192.168.0.120 (192.168.0.120), Dst: 192.168.0.252 (192.168.0.252)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 95
    Identification: 0x6c28 (27688)
    Flags: 0x04 (Don't Fragment)
        0... = Reserved bit: Not set
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 128
    Protocol: TCP (0x06)
    Header checksum: 0x0bac [correct]
    Source: 192.168.0.120 (192.168.0.120)
    Destination: 192.168.0.252 (192.168.0.252)
Transmission Control Protocol, Src Port: 1070 (1070), Dst Port: microsoft-ds (445), Seq: 728772, Ack: 6641975, Len: 55
    Source port: 1070 (1070)
    Destination port: microsoft-ds (445)
    Sequence number: 728772 (relative sequence number)
    Next sequence number: 728827 (relative sequence number)
    Acknowledgement number: 6641975 (relative ack number)
    Header length: 20 bytes
    Flags: 0x0018 (PSH, ACK)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...1 .... = Acknowledgment: Set
        .... 1... = Push: Set
        .... .0.. = Reset: Not set
        .... ..0. = Syn: Not set
        .... ...0 = Fin: Not set
    Window size: 64194
    Checksum: 0x1c15 [correct]
    SEQ/ACK analysis
        This is an ACK to the segment in frame: 9697
        The RTT to ACK the segment was: 0.000309000 seconds
NetBIOS Session Service
    Message Type: Session message
    Length: 51
SMB (Server Message Block Protocol)
    SMB Header
        Server Component: SMB
        SMB Command: Locking AndX (0x24)
        NT Status: STATUS_SUCCESS (0x00000000)
        Flags: 0x18
            0... .... = Request/Response: Message is a request to the server
            .0.. .... = Notify: Notify client only on open
            ..0. .... = Oplocks: OpLock not requested/granted
            ...1 .... = Canonicalized Pathnames: Pathnames are canonicalized
            .... 1... = Case Sensitivity: Path names are caseless
            .... ..0. = Receive Buffer Posted: Receive buffer has not been posted
            .... ...0 = Lock and Read: Lock&Read, Write&Unlock are not supported
        Flags2: 0xc807
            1... .... .... .... = Unicode Strings: Strings are Unicode
            .1.. .... .... .... = Error Code Type: Error codes are NT error codes
            ..0. .... .... .... = Execute-only Reads: Don't permit reads if execute-only
            ...0 .... .... .... = Dfs: Don't resolve pathnames with Dfs
            .... 1... .... .... = Extended Security Negotiation: Extended security negotiation is supported
            .... .... .0.. .... = Long Names Used: Path names in request are not long file names
            .... .... .... .1.. = Security Signatures: Security signatures are supported
            .... .... .... ..1. = Extended Attributes: Extended attributes are supported
            .... .... .... ...1 = Long Names Allowed: Long file names are allowed in the response
        Process ID High: 0
        Signature: 0C120099CB071D1E
        Reserved: 0000
        Tree ID: 4101
        Process ID: 65279
        User ID: 8193
        Multiplex ID: 65535
    Locking AndX Request (0x24)
        Word Count (WCT): 8
        AndXCommand: No further commands (0xff)
        Reserved: 00
        AndXOffset: 57054
        FID: 0xc003
        Lock Type: 0x12
            ...1 .... = Large Files: Large file locking format requested
            .... 0... = Cancel: Don't cancel outstanding lock request
            .... .0.. = Change: Don't change lock type
            .... ..1. = Oplock Break: This is an oplock break notification/response
            .... ...0 = Shared: This is an exclusive lock
        Oplock Level: Level 2 oplock currently held by client (1)
        Timeout: Wait indefinitely (-1)
        Number of Unlocks: 0
        Number of Locks: 0
        Byte Count (BCC): 0

Frame 9699 (193 bytes on wire, 193 bytes captured)
    Arrival Time: Oct 26, 2005 11:10:35.421068000
    Time delta from previous packet: 0.000218000 seconds
    Time since reference or first frame: 44.313257000 seconds
    Frame Number: 9699
    Packet Length: 193 bytes
    Capture Length: 193 bytes
    Protocols in frame: eth:ip:tcp:nbss:smb
Ethernet II, Src: AsustekC_55:55:d0 (00:e0:18:55:55:d0), Dst: Ibm_5d:92:37 (00:11:25:5d:92:37)
    Destination: Ibm_5d:92:37 (00:11:25:5d:92:37)
    Source: AsustekC_55:55:d0 (00:e0:18:55:55:d0)
    Type: IP (0x0800)
Internet Protocol, Src: 192.168.0.252 (192.168.0.252), Dst: 192.168.0.54 (192.168.0.54)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 179
    Identification: 0x5cbb (23739)
    Flags: 0x04 (Don't Fragment)
        0... = Reserved bit: Not set
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 128
    Protocol: TCP (0x06)
    Header checksum: 0x1b07 [correct]
    Source: 192.168.0.252 (192.168.0.252)
    Destination: 192.168.0.54 (192.168.0.54)
Transmission Control Protocol, Src Port: netbios-ssn (139), Dst Port: 1268 (1268), Seq: 10406, Ack: 17878, Len: 139
    Source port: netbios-ssn (139)
    Destination port: 1268 (1268)
    Sequence number: 10406 (relative sequence number)
    Next sequence number: 10545 (relative sequence number)
    Acknowledgement number: 17878 (relative ack number)
    Header length: 20 bytes
    Flags: 0x0018 (PSH, ACK)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...1 .... = Acknowledgment: Set
        .... 1... = Push: Set
        .... .0.. = Reset: Not set
        .... ..0. = Syn: Not set
        .... ...0 = Fin: Not set
    Window size: 16133
    Checksum: 0x902e [correct]
    SEQ/ACK analysis
        This is an ACK to the segment in frame: 9694
        The RTT to ACK the segment was: 0.001996000 seconds
NetBIOS Session Service
    Message Type: Session message
    Flags: 0x00
        .... ...0 = Add 0 to length
    Length: 135
SMB (Server Message Block Protocol)
    SMB Header
        Server Component: SMB
        Response to: 9694
        Time from request: 0.001996000 seconds
        SMB Command: NT Create AndX (0xa2)
        NT Status: STATUS_SUCCESS (0x00000000)
        Flags: 0x98
            1... .... = Request/Response: Message is a response to the client/redirector
            .0.. .... = Notify: Notify client only on open
            ..0. .... = Oplocks: OpLock not requested/granted
            ...1 .... = Canonicalized Pathnames: Pathnames are canonicalized
            .... 1... = Case Sensitivity: Path names are caseless
            .... ..0. = Receive Buffer Posted: Receive buffer has not been posted
            .... ...0 = Lock and Read: Lock&Read, Write&Unlock are not supported
        Flags2: 0xc807
            1... .... .... .... = Unicode Strings: Strings are Unicode
            .1.. .... .... .... = Error Code Type: Error codes are NT error codes
            ..0. .... .... .... = Execute-only Reads: Don't permit reads if execute-only
            ...0 .... .... .... = Dfs: Don't resolve pathnames with Dfs
            .... 1... .... .... = Extended Security Negotiation: Extended security negotiation is supported
            .... .... .0.. .... = Long Names Used: Path names in request are not long file names
            .... .... .... .1.. = Security Signatures: Security signatures are supported
            .... .... .... ..1. = Extended Attributes: Extended attributes are supported
            .... .... .... ...1 = Long Names Allowed: Long file names are allowed in the response
        Process ID High: 0
        Signature: EFF90705619D9322
        Reserved: 0000
        Tree ID: 51204
        Process ID: 3696
        User ID: 51200
        Multiplex ID: 42690
    NT Create AndX Response (0xa2)
        Word Count (WCT): 42
        AndXCommand: No further commands (0xff)
        Reserved: 00
        AndXOffset: 135
        Oplock level: No oplock granted (0)
        FID: 0xc003
        Create action: The file existed and was opened (1)
        Created: Oct 26, 2005 10:00:45.396696800
        Last Access: Oct 26, 2005 11:10:20.747015600
        Last Write: Oct 26, 2005 11:10:20.747015600
        Change: Oct 26, 2005 11:10:20.747015600
        File Attributes: 0x00000020
            .... .... .... .... .0.. .... .... .... = Encrypted: This is NOT an encrypted file
            .... .... .... .... ..0. .... .... .... = Content Indexed: This file MAY be indexed by the content indexing service
            .... .... .... .... ...0 .... .... .... = Offline: This file is NOT offline
            .... .... .... .... .... 0... .... .... = Compressed: This is NOT a compressed file
            .... .... .... .... .... .0.. .... .... = Reparse Point: This file does NOT have an associated reparse point
            .... .... .... .... .... ..0. .... .... = Sparse: This is NOT a sparse file
            .... .... .... .... .... ...0 .... .... = Temporary: This is NOT a temporary file
            .... .... .... .... .... .... 0... .... = Normal: This file has some attribute set
            .... .... .... .... .... .... .0.. .... = Device: This is NOT a device
            .... .... .... .... .... .... ..1. .... = Archive: This file has been modified since last ARCHIVE
            .... .... .... .... .... .... ...0 .... = Directory: This is NOT a directory
            .... .... .... .... .... .... .... 0... = Volume ID: This is NOT a volume ID
            .... .... .... .... .... .... .... .0.. = System: This is NOT a system file
            .... .... .... .... .... .... .... ..0. = Hidden: This is NOT a hidden file
            .... .... .... .... .... .... .... ...0 = Read Only: This file is NOT read only
        Allocation Size: 17776640
        End Of File: 17774592
        File Type: Disk file or directory (0)
        IPC State: 0x0007
            0... .... .... .... = Nonblocking: Reads/writes block if no data available
            .0.. .... .... .... = Endpoint: Consumer end of pipe (0)
            .... 00.. .... .... = Pipe Type: Byte stream pipe (0)
            .... ..00 .... .... = Read Mode: Read pipe as a byte stream (0)
            .... .... 0000 0111 = Icount: 7
        Is Directory: This is NOT a directory (0)
        Byte Count (BCC): 0