Frame 5245: Packet, 274 bytes on wire (2192 bits), 274 bytes captured (2192 bits)
    Encapsulation type: Ethernet (1)
    Arrival Time: Mar 19, 2019 02:09:57.537138000 UTC
    UTC Arrival Time: Mar 19, 2019 02:09:57.537138000 UTC
    Epoch Arrival Time: 1552961397.537138000
    [Time shift for this packet: 0.000000000 seconds]
    [Time delta from previous captured frame: 191.438000 milliseconds]
    [Time since reference or first frame: 25 minutes, 1.900372000 seconds]
    Frame Number: 5245
    Frame Length: 274 bytes (2192 bits)
    Capture Length: 274 bytes (2192 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ethertype:ip:tcp:nbss:smb2]
    Character encoding: ASCII (0)
Ethernet II, Src: Intel_57:2b:42 (64:32:a8:57:2b:42), Dst: Dell_c2:09:6a (a4:1f:72:c2:09:6a)
    Destination: Dell_c2:09:6a (a4:1f:72:c2:09:6a)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: Intel_57:2b:42 (64:32:a8:57:2b:42)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IPv4 (0x0800)
    [Stream index: 1]
Internet Protocol Version 4, Src: 10.0.90.215, Dst: 10.0.90.9
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
        0000 00.. = Differentiated Services Codepoint: Default (0)
        .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
    Total Length: 260
    Identification: 0x07c1 (1985)
    010. .... = Flags: 0x2, Don't fragment
        0... .... = Reserved bit: Not set
        .1.. .... = Don't fragment: Set
        ..0. .... = More fragments: Not set
    ...0 0000 0000 0000 = Fragment Offset: 0
    Time to Live: 128
    Protocol: TCP (6)
    Header Checksum: 0xb5a3 [validation disabled]
    [Header checksum status: Unverified]
    Source Address: 10.0.90.215
    Destination Address: 10.0.90.9
    [Stream index: 1]
Transmission Control Protocol, Src Port: 49227, Dst Port: 445, Seq: 3803, Ack: 758, Len: 220
    Source Port: 49227
    Destination Port: 445
    [Stream index: 71]
    [Stream Packet Number: 18]
    [Conversation completeness: Incomplete, DATA (15)]
        ..0. .... = RST: Absent
        ...0 .... = FIN: Absent
        .... 1... = Data: Present
        .... .1.. = ACK: Present
        .... ..1. = SYN-ACK: Present
        .... ...1 = SYN: Present
        [Completeness Flags: ··DASS]
    [TCP Segment Len: 220]
    Sequence Number: 3803 (relative sequence number)
    Sequence Number (raw): 963028962
    [Next Sequence Number: 4023 (relative sequence number)]
    Acknowledgment Number: 758 (relative ack number)
    Acknowledgment number (raw): 2901749756
    0101 .... = Header Length: 20 bytes (5)
    Flags: 0x018 (PSH, ACK)
        000. .... .... = Reserved: Not set
        ...0 .... .... = Accurate ECN: Not set
        .... 0... .... = Congestion Window Reduced: Not set
        .... .0.. .... = ECN-Echo: Not set
        .... ..0. .... = Urgent: Not set
        .... ...1 .... = Acknowledgment: Set
        .... .... 1... = Push: Set
        .... .... .0.. = Reset: Not set
        .... .... ..0. = Syn: Not set
        .... .... ...0 = Fin: Not set
        [TCP Flags: ·······AP···]
    Window: 253
    [Calculated window size: 64768]
    [Window size scaling factor: 256]
    Checksum: 0x6f08 [unverified]
    [Checksum Status: Unverified]
    Urgent Pointer: 0
    [Timestamps]
        [Time since first frame in this TCP stream: 507.474000 milliseconds]
        [Time since previous frame in this TCP stream: 191.438000 milliseconds]
    [SEQ/ACK analysis]
        [iRTT: 606.000 microseconds]
        [Bytes in flight: 220]
        [Bytes sent since last PSH flag: 220]
    [Client Contiguous Streams: 1]
    [Server Contiguous Streams: 1]
    TCP payload (220 bytes)
NetBIOS Session Service
    Message Type: Session message (0x00)
    Length: 216
SMB2 (Server Message Block Protocol version 2), Create Request, MessageId 5
    SMB2 Header
        ProtocolId: 0xfe534d42
        Header Length: 64
        Credit Charge: 1
        Channel Sequence: 0
        Reserved: 0000
        Command: Create (5)
        Credits requested: 1
        Flags: 0x00000008, Signing
            .... .... .... .... .... .... .... ...0 = Response: This is a REQUEST
            .... .... .... .... .... .... .... ..0. = Async command: This is a SYNC command
            .... .... .... .... .... .... .... .0.. = Chained: This pdu is NOT a chained command
            .... .... .... .... .... .... .... 1... = Signing: This pdu is SIGNED
            .... .... .... .... .... .... .000 .... = Priority: This pdu does NOT contain a PRIORITY
            ...0 .... .... .... .... .... .... .... = DFS operation: This is a normal operation
            ..0. .... .... .... .... .... .... .... = Replay operation: This is NOT a replay operation
        Chain Offset: 0x00000000
        Message ID: 5
        Reserved: 0x0000feff
        Tree Id: 0x00000005 \\LittleTigers-DC\Shared
            [Tree: \\LittleTigers-DC\Shared]
            [Share Type: Physical disk (0x01)]
            [Connected in Frame: 5240]
            [Disconnected in Frame: 0]
        Session Id: 0x0000040008000049
            [Authenticated in Frame: 5234]
        Signature: 89ebfac5f3254ed2b69405134740c6e9
    Create Request (0x05)
        StructureSize: 0x0039
            0000 0000 0011 100. = Fixed Part Length: 28
            .... .... .... ...1 = Dynamic Part: True
        Oplock: No oplock (0x00)
        Impersonation level: Impersonation (2)
        Create Flags: 0x0000000000000000
        Reserved: 0000000000000000
        Access Mask: 0x00000080
            .... .... .... .... .... .... .... ...0 = Read: NO read access
            .... .... .... .... .... .... .... ..0. = Write: NO write access
            .... .... .... .... .... .... .... .0.. = Append: NO append access
            .... .... .... .... .... .... .... 0... = Read EA: NO read extended attributes access
            .... .... .... .... .... .... ...0 .... = Write EA: NO write extended attributes access
            .... .... .... .... .... .... ..0. .... = Execute: NO execute access
            .... .... .... .... .... .... .0.. .... = Delete Child: NO delete child access
            .... .... .... .... .... .... 1... .... = Read Attributes: READ ATTRIBUTES access
            .... .... .... .... .... ...0 .... .... = Write Attributes: NO write attributes access
            .... .... .... ...0 .... .... .... .... = Delete: NO delete access
            .... .... .... ..0. .... .... .... .... = Read Control: Read access is NOT granted to owner, group and ACL of the SID
            .... .... .... .0.. .... .... .... .... = Write DAC: Owner may NOT write to the DAC
            .... .... .... 0... .... .... .... .... = Write Owner: Can NOT write owner (take ownership)
            .... .... ...0 .... .... .... .... .... = Synchronize: Can NOT wait on handle to synchronize on completion of I/O
            .... ...0 .... .... .... .... .... .... = System Security: System security is NOT set
            .... ..0. .... .... .... .... .... .... = Maximum Allowed: Maximum allowed is NOT set
            ...0 .... .... .... .... .... .... .... = Generic All: Generic all is NOT set
            ..0. .... .... .... .... .... .... .... = Generic Execute: Generic execute is NOT set
            .0.. .... .... .... .... .... .... .... = Generic Write: Generic write is NOT set
            0... .... .... .... .... .... .... .... = Generic Read: Generic read is NOT set
        File Attributes: 0x00000000
            .... .... .... .... .... .... .... ...0 = Read Only: No
            .... .... .... .... .... .... .... ..0. = Hidden: No
            .... .... .... .... .... .... .... .0.. = System: No
            .... .... .... .... .... .... ...0 .... = Directory: No
            .... .... .... .... .... .... ..0. .... = Requires archived: No
            .... .... .... .... .... .... 0... .... = Normal: No
            .... .... .... .... .... ...0 .... .... = Temporary: No
            .... .... .... .... .... ..0. .... .... = Sparse: No
            .... .... .... .... .... .0.. .... .... = Reparse Point: Does NOT have an associated reparse point
            .... .... .... .... .... 0... .... .... = Compressed: Uncompressed
            .... .... .... .... ...0 .... .... .... = Offline: Online
            .... .... .... .... ..0. .... .... .... = Not Content Indexed: Is indexed by the content indexing service
            .... .... .... .... .0.. .... .... .... = Encrypted: No
            .... .... .... .... 0... .... .... .... = Integrity Stream: Does NOT have Integrity Support
            .... .... .... ..0. .... .... .... .... = No Scrub Data: Is not excluded from the data integrity scan
            .... .... .... .0.. .... .... .... .... = Recall on open: When OPENED, remote file should NOT be fetched from remote storage
            .... .... .... 0... .... .... .... .... = Pinned: File/dir should NOT be kept locally when unused
            .... .... ...0 .... .... .... .... .... = Unpinned: File/dir should be fully kept locally when accessed
            .... .... .0.. .... .... .... .... .... = Recall on data access: When accessed remote content of file/dir should NOT be fetched
        Share Access: 0x00000007, Read, Write, Delete
            .... .... .... .... .... .... .... ...1 = Read: Object can be shared for READ
            .... .... .... .... .... .... .... ..1. = Write: Object can be shared for WRITE
            .... .... .... .... .... .... .... .1.. = Delete: Object can be shared for DELETE
        Disposition: Open (if file exists open it, else fail) (1)
        Create Options: 0x00200000
            .... .... .... .... .... .... .... ...0 = Directory: File being created/opened must not be a directory
            .... .... .... .... .... .... .... ..0. = Write Through: Writes need not flush buffered data before completing
            .... .... .... .... .... .... .... .0.. = Sequential Only: The file might not only be accessed sequentially
            .... .... .... .... .... .... .... 0... = Intermediate Buffering: Intermediate buffering is allowed
            .... .... .... .... .... .... ...0 .... = Sync I/O Alert: Operations NOT necessarily synchronous
            .... .... .... .... .... .... ..0. .... = Sync I/O Nonalert: Operations NOT necessarily synchronous
            .... .... .... .... .... .... .0.. .... = Non-Directory: File being created/opened must be a directory
            .... .... .... .... .... .... 0... .... = Create Tree Connection: Create Tree Connections is NOT set
            .... .... .... .... .... ...0 .... .... = Complete If Oplocked: Complete if oplocked is NOT set
            .... .... .... .... .... ..0. .... .... = No EA Knowledge: The client understands extended attributes
            .... .... .... .... .... .0.. .... .... = Opened for recovery: The file is not being opened for recovery
            .... .... .... .... .... 0... .... .... = Random Access: The file will not be accessed randomly
            .... .... .... .... ...0 .... .... .... = Delete On Close: The file should not be deleted when it is closed
            .... .... .... .... ..0. .... .... .... = Open By FileID: OpenByFileID is NOT set
            .... .... .... .... .0.. .... .... .... = Backup Intent: This is a normal create
            .... .... .... .... 0... .... .... .... = No Compression: Compression is allowed for Open/Create
            .... .... ...0 .... .... .... .... .... = Reserve Opfilter: Reserve Opfilter is NOT set
            .... .... ..1. .... .... .... .... .... = Open Reparse Point: Open a Reparse Point
            .... .... .0.. .... .... .... .... .... = Open No Recall: Open no recall is NOT set
            .... .... 0... .... .... .... .... .... = Open For Free Space query: This is NOT an open for free space query
        Blob Offset: 0x00000080
        Blob Length: 88
        ExtraInfo SMB2_CREATE_DURABLE_HANDLE_REQUEST SMB2_CREATE_QUERY_MAXIMAL_ACCESS_REQUEST SMB2_CREATE_QUERY_ON_DISK_ID
            Chain Element: SMB2_CREATE_DURABLE_HANDLE_REQUEST "DHnQ"
                Chain Offset: 0x00000028
                Tag: DHnQ
                Blob Offset: 0x00000010
                Blob Length: 4
                Blob Offset: 0x00000018
                Blob Length: 16
                Data
                    GUID handle
                        File Id: 00000000-0000-0000-0000-000000000000
            Chain Element: SMB2_CREATE_QUERY_MAXIMAL_ACCESS_REQUEST "MxAc"
                Chain Offset: 0x00000018
                Tag: MxAc
                Blob Offset: 0x00000010
                Blob Length: 4
                Blob Offset: 0x00000018
                Blob Length: 0
                Data: NO DATA
            Chain Element: SMB2_CREATE_QUERY_ON_DISK_ID "QFid"
                Chain Offset: 0x00000000
                Tag: QFid
                Blob Offset: 0x00000010
                Blob Length: 4
                Blob Offset: 0x00000018
                Blob Length: 0
                Data: NO DATA