No.
Time Source Destination Protocol Length Info 711 362.926417292 192.168.122.1 192.168.122.2 SMB 105 Negotiate Protocol Request Frame 711: 105 bytes on wire (840 bits), 105 bytes captured (840 bits) on interface 0 Interface id: 0 (virbr0) Encapsulation type: Ethernet (1) Arrival Time: May 20, 2018 17:18:48.078034372 BST [Time shift for this packet: 0.000000000 seconds] Epoch Time: 1526833128.078034372 seconds [Time delta from previous captured frame: 0.002629141 seconds] [Time delta from previous displayed frame: 362.926417292 seconds] [Time since reference or first frame: 424.130064592 seconds] Frame Number: 711 Frame Length: 105 bytes (840 bits) Capture Length: 105 bytes (840 bits) [Frame is marked: False] [Frame is ignored: False] [Protocols in frame: eth:ethertype:ip:tcp:nbss:smb] [Coloring Rule Name: SMB] [Coloring Rule String: smb || nbss || nbns || nbipx || ipxsap || netbios] Ethernet II, Src: RealtekU_74:a0:d7 (52:54:00:74:a0:d7), Dst: RealtekU_f1:30:56 (52:54:00:f1:30:56) Destination: RealtekU_f1:30:56 (52:54:00:f1:30:56) Address: RealtekU_f1:30:56 (52:54:00:f1:30:56) .... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default) .... ...0 .... .... .... .... = IG bit: Individual address (unicast) Source: RealtekU_74:a0:d7 (52:54:00:74:a0:d7) Address: RealtekU_74:a0:d7 (52:54:00:74:a0:d7) .... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default) .... ...0 .... .... .... .... = IG bit: Individual address (unicast) Type: IPv4 (0x0800) Internet Protocol Version 4, Src: 192.168.122.1, Dst: 192.168.122.2 0100 .... = Version: 4 .... 0101 = Header Length: 20 bytes (5) Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT) 0000 00.. = Differentiated Services Codepoint: Default (0) .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0) Total Length: 91 Identification: 0x9331 (37681) Flags: 0x02 (Don't Fragment) 0... .... = Reserved bit: Not set .1.. .... 
= Don't fragment: Set ..0. .... = More fragments: Not set Fragment offset: 0 Time to live: 64 Protocol: TCP (6) Header checksum: 0x3217 [correct] [Header checksum status: Good] [Calculated Checksum: 0x3217] Source: 192.168.122.1 Destination: 192.168.122.2 [Source GeoIP: Unknown] [Destination GeoIP: Unknown] Transmission Control Protocol, Src Port: 35832, Dst Port: 445, Seq: 1, Ack: 1, Len: 51 Source Port: 35832 Destination Port: 445 [Stream index: 5] [TCP Segment Len: 51] Sequence number: 1 (relative sequence number) [Next sequence number: 52 (relative sequence number)] Acknowledgment number: 1 (relative ack number) Header Length: 20 bytes Flags: 0x018 (PSH, ACK) 000. .... .... = Reserved: Not set ...0 .... .... = Nonce: Not set .... 0... .... = Congestion Window Reduced (CWR): Not set .... .0.. .... = ECN-Echo: Not set .... ..0. .... = Urgent: Not set .... ...1 .... = Acknowledgment: Set .... .... 1... = Push: Set .... .... .0.. = Reset: Not set .... .... ..0. = Syn: Not set .... .... ...0 = Fin: Not set [TCP Flags: ·······AP···] Window size value: 229 [Calculated window size: 29312] [Window size scaling factor: 128] Checksum: 0x75a2 [unverified] [Checksum Status: Unverified] Urgent pointer: 0 [SEQ/ACK analysis] [iRTT: 0.000223920 seconds] [Bytes in flight: 51] [Bytes sent since last PSH flag: 51] NetBIOS Session Service Message Type: Session message (0x00) Length: 47 SMB (Server Message Block Protocol) SMB Header Server Component: SMB [Response in: 714] SMB Command: Negotiate Protocol (0x72) NT Status: STATUS_SUCCESS (0x00000000) Flags: 0x18, Canonicalized Pathnames, Case Sensitivity 0... .... = Request/Response: Message is a request to the server .0.. .... = Notify: Notify client only on open ..0. .... = Oplocks: OpLock not requested/granted ...1 .... = Canonicalized Pathnames: Pathnames are canonicalized .... 1... = Case Sensitivity: Path names are caseless .... ..0. = Receive Buffer Posted: Receive buffer has not been posted .... 
...0 = Lock and Read: Lock&Read, Write&Unlock are not supported Flags2: 0xc803, Unicode Strings, Error Code Type, Extended Security Negotiation, Extended Attributes, Long Names Allowed 1... .... .... .... = Unicode Strings: Strings are Unicode .1.. .... .... .... = Error Code Type: Error codes are NT error codes ..0. .... .... .... = Execute-only Reads: Don't permit reads if execute-only ...0 .... .... .... = Dfs: Don't resolve pathnames with Dfs .... 1... .... .... = Extended Security Negotiation: Extended security negotiation is supported .... .0.. .... .... = Reparse Path: The request does not use a @GMT reparse path .... .... .0.. .... = Long Names Used: Path names in request are not long file names .... .... ...0 .... = Security Signatures Required: Security signatures are not required .... .... .... 0... = Compressed: Compression is not requested .... .... .... .0.. = Security Signatures: Security signatures are not supported .... .... .... ..1. = Extended Attributes: Extended attributes are supported .... .... .... ...1 = Long Names Allowed: Long file names are allowed in the response Process ID High: 0 Signature: 0000000000000000 Reserved: 0000 Tree ID: 0 Process ID: 53123 User ID: 0 Multiplex ID: 1 Negotiate Protocol Request (0x72) Word Count (WCT): 0 Byte Count (BCC): 12 Requested Dialects Dialect: NT LM 0.12 Buffer Format: Dialect (2) Name: NT LM 0.12 0000 52 54 00 f1 30 56 52 54 00 74 a0 d7 08 00 45 00 RT..0VRT.t....E. 0010 00 5b 93 31 40 00 40 06 32 17 c0 a8 7a 01 c0 a8 .[.1@.@.2...z... 0020 7a 02 8b f8 01 bd 1a f0 0f 65 9a 87 bc 5f 50 18 z........e..._P. 0030 00 e5 75 a2 00 00 00 00 00 2f ff 53 4d 42 72 00 ..u....../.SMBr. 0040 00 00 00 18 03 c8 00 00 00 00 00 00 00 00 00 00 ................ 0050 00 00 00 00 83 cf 00 00 01 00 00 0c 00 02 4e 54 ..............NT 0060 20 4c 4d 20 30 2e 31 32 00 LM 0.12. No. 
Time Source Destination Protocol Length Info 714 0.043813305 192.168.122.2 192.168.122.1 SMB 155 Negotiate Protocol Response Frame 714: 155 bytes on wire (1240 bits), 155 bytes captured (1240 bits) on interface 0 Interface id: 0 (virbr0) Encapsulation type: Ethernet (1) Arrival Time: May 20, 2018 17:18:48.121847677 BST [Time shift for this packet: 0.000000000 seconds] Epoch Time: 1526833128.121847677 seconds [Time delta from previous captured frame: 0.000108209 seconds] [Time delta from previous displayed frame: 0.043813305 seconds] [Time since reference or first frame: 424.173877897 seconds] Frame Number: 714 Frame Length: 155 bytes (1240 bits) Capture Length: 155 bytes (1240 bits) [Frame is marked: False] [Frame is ignored: False] [Protocols in frame: eth:ethertype:ip:tcp:nbss:smb] [Coloring Rule Name: SMB] [Coloring Rule String: smb || nbss || nbns || nbipx || ipxsap || netbios] Ethernet II, Src: RealtekU_f1:30:56 (52:54:00:f1:30:56), Dst: RealtekU_74:a0:d7 (52:54:00:74:a0:d7) Destination: RealtekU_74:a0:d7 (52:54:00:74:a0:d7) Address: RealtekU_74:a0:d7 (52:54:00:74:a0:d7) .... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default) .... ...0 .... .... .... .... = IG bit: Individual address (unicast) Source: RealtekU_f1:30:56 (52:54:00:f1:30:56) Address: RealtekU_f1:30:56 (52:54:00:f1:30:56) .... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default) .... ...0 .... .... .... .... = IG bit: Individual address (unicast) Type: IPv4 (0x0800) Internet Protocol Version 4, Src: 192.168.122.2, Dst: 192.168.122.1 0100 .... = Version: 4 .... 0101 = Header Length: 20 bytes (5) Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT) 0000 00.. = Differentiated Services Codepoint: Default (0) .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0) Total Length: 141 Identification: 0x5352 (21330) Flags: 0x00 0... .... = Reserved bit: Not set .0.. .... 
= Don't fragment: Not set ..0. .... = More fragments: Not set Fragment offset: 0 Time to live: 255 Protocol: TCP (6) Header checksum: 0xf2c3 [correct] [Header checksum status: Good] [Calculated Checksum: 0xf2c3] Source: 192.168.122.2 Destination: 192.168.122.1 [Source GeoIP: Unknown] [Destination GeoIP: Unknown] Transmission Control Protocol, Src Port: 445, Dst Port: 35832, Seq: 1, Ack: 52, Len: 101 Source Port: 445 Destination Port: 35832 [Stream index: 5] [TCP Segment Len: 101] Sequence number: 1 (relative sequence number) [Next sequence number: 102 (relative sequence number)] Acknowledgment number: 52 (relative ack number) Header Length: 20 bytes Flags: 0x018 (PSH, ACK) 000. .... .... = Reserved: Not set ...0 .... .... = Nonce: Not set .... 0... .... = Congestion Window Reduced (CWR): Not set .... .0.. .... = ECN-Echo: Not set .... ..0. .... = Urgent: Not set .... ...1 .... = Acknowledgment: Set .... .... 1... = Push: Set .... .... .0.. = Reset: Not set .... .... ..0. = Syn: Not set .... .... ...0 = Fin: Not set [TCP Flags: ·······AP···] Window size value: 65535 [Calculated window size: 1048560] [Window size scaling factor: 16] Checksum: 0x5ff6 [unverified] [Checksum Status: Unverified] Urgent pointer: 0 [SEQ/ACK analysis] [iRTT: 0.000223920 seconds] [Bytes in flight: 101] [Bytes sent since last PSH flag: 101] NetBIOS Session Service Message Type: Session message (0x00) Length: 97 SMB (Server Message Block Protocol) SMB Header Server Component: SMB [Response to: 711] [Time from request: 0.043813305 seconds] SMB Command: Negotiate Protocol (0x72) NT Status: STATUS_SUCCESS (0x00000000) Flags: 0x98, Request/Response, Canonicalized Pathnames, Case Sensitivity 1... .... = Request/Response: Message is a response to the client/redirector .0.. .... = Notify: Notify client only on open ..0. .... = Oplocks: OpLock not requested/granted ...1 .... = Canonicalized Pathnames: Pathnames are canonicalized .... 1... = Case Sensitivity: Path names are caseless .... ..0. 
= Receive Buffer Posted: Receive buffer has not been posted .... ...0 = Lock and Read: Lock&Read, Write&Unlock are not supported Flags2: 0xc041, Unicode Strings, Error Code Type, Long Names Used, Long Names Allowed 1... .... .... .... = Unicode Strings: Strings are Unicode .1.. .... .... .... = Error Code Type: Error codes are NT error codes ..0. .... .... .... = Execute-only Reads: Don't permit reads if execute-only ...0 .... .... .... = Dfs: Don't resolve pathnames with Dfs .... 0... .... .... = Extended Security Negotiation: Extended security negotiation is not supported .... .0.. .... .... = Reparse Path: The request does not use a @GMT reparse path .... .... .1.. .... = Long Names Used: Path names in request are long file names .... .... ...0 .... = Security Signatures Required: Security signatures are not required .... .... .... 0... = Compressed: Compression is not requested .... .... .... .0.. = Security Signatures: Security signatures are not supported .... .... .... ..0. = Extended Attributes: Extended attributes are not supported .... .... .... ...1 = Long Names Allowed: Long file names are allowed in the response Process ID High: 0 Signature: 0000000000000000 Reserved: 0000 Tree ID: 0 Process ID: 53123 User ID: 0 Multiplex ID: 1 Negotiate Protocol Response (0x72) Word Count (WCT): 17 Selected Index: 0: NT LM 0.12 Security Mode: 0x03, Mode, Password .... ...1 = Mode: USER security mode .... ..1. = Password: ENCRYPTED password. Use challenge/response .... .0.. = Signatures: Security signatures NOT enabled .... 0... = Sig Req: Security signatures NOT required Max Mpx Count: 50 Max VCs: 1 Max Buffer Size: 32768 Max Raw Buffer: 65536 Session Key: 0x00000fcf Capabilities: 0x0000025c, Unicode, Large Files, NT SMBs, NT Status Codes, NT Find .... .... .... .... .... .... .... ...0 = Raw Mode: Read Raw and Write Raw are not supported .... .... .... .... .... .... .... ..0. = MPX Mode: Read Mpx and Write Mpx are not supported .... .... .... .... .... .... .... 
.1.. = Unicode: Unicode strings are supported .... .... .... .... .... .... .... 1... = Large Files: Large files are supported .... .... .... .... .... .... ...1 .... = NT SMBs: NT SMBs are supported .... .... .... .... .... .... ..0. .... = RPC Remote APIs: RPC remote APIs are not supported .... .... .... .... .... .... .1.. .... = NT Status Codes: NT status codes are supported .... .... .... .... .... .... 0... .... = Level 2 Oplocks: Level 2 oplocks are not supported .... .... .... .... .... ...0 .... .... = Lock and Read: Lock and Read is not supported .... .... .... .... .... ..1. .... .... = NT Find: NT Find is supported .... .... .... .... ...0 .... .... .... = Dfs: Dfs is not supported .... .... .... .... ..0. .... .... .... = Infolevel Passthru: NT information level request passthrough is not supported .... .... .... .... .0.. .... .... .... = Large ReadX: Large Read andX is not supported .... .... .... .... 0... .... .... .... = Large WriteX: Large Write andX is not supported .... .... .... ...0 .... .... .... .... = LWIO: LWIO ioctl/fsctl is not supported .... .... 0... .... .... .... .... .... = UNIX: UNIX extensions are not supported .... ..0. .... .... .... .... .... .... = Compressed Data: Compressed data transfer is not supported ..0. .... .... .... .... .... .... .... = Dynamic Reauth: Dynamic Reauth is not supported 0... .... .... .... .... .... .... .... = Extended Security: Extended security exchanges are not supported System Time: May 20, 2018 17:18:48.000000000 BST Server Time Zone: 0 min from UTC Challenge Length: 8 Byte Count (BCC): 28 Challenge: f915b211cb864e70 Primary Domain: WORKGROUP 0000 52 54 00 74 a0 d7 52 54 00 f1 30 56 08 00 45 00 RT.t..RT..0V..E. 0010 00 8d 53 52 00 00 ff 06 f2 c3 c0 a8 7a 02 c0 a8 ..SR........z... 0020 7a 01 01 bd 8b f8 9a 87 bc 5f 1a f0 0f 98 50 18 z........_....P. 0030 ff ff 5f f6 00 00 00 00 00 61 ff 53 4d 42 72 00 .._......a.SMBr. 0040 00 00 00 98 41 c0 00 00 00 00 00 00 00 00 00 00 ....A........... 
0050 00 00 00 00 83 cf 00 00 01 00 11 00 00 03 32 00 ..............2. 0060 01 00 00 80 00 00 00 00 01 00 cf 0f 00 00 5c 02 ..............\. 0070 00 00 00 64 80 3b 56 f0 d3 01 00 00 08 1c 00 f9 ...d.;V......... 0080 15 b2 11 cb 86 4e 70 57 00 4f 00 52 00 4b 00 47 .....NpW.O.R.K.G 0090 00 52 00 4f 00 55 00 50 00 00 00 .R.O.U.P... No. Time Source Destination Protocol Length Info 716 0.016228824 192.168.122.1 192.168.122.2 SMB 246 Session Setup AndX Request, User: ?\GUEST; Tree Connect AndX, Path: \\192.168.122.2\LOCAL Frame 716: 246 bytes on wire (1968 bits), 246 bytes captured (1968 bits) on interface 0 Interface id: 0 (virbr0) Encapsulation type: Ethernet (1) Arrival Time: May 20, 2018 17:18:48.138076501 BST [Time shift for this packet: 0.000000000 seconds] Epoch Time: 1526833128.138076501 seconds [Time delta from previous captured frame: 0.016216707 seconds] [Time delta from previous displayed frame: 0.016228824 seconds] [Time since reference or first frame: 424.190106721 seconds] Frame Number: 716 Frame Length: 246 bytes (1968 bits) Capture Length: 246 bytes (1968 bits) [Frame is marked: False] [Frame is ignored: False] [Protocols in frame: eth:ethertype:ip:tcp:nbss:smb] [Coloring Rule Name: SMB] [Coloring Rule String: smb || nbss || nbns || nbipx || ipxsap || netbios] Ethernet II, Src: RealtekU_74:a0:d7 (52:54:00:74:a0:d7), Dst: RealtekU_f1:30:56 (52:54:00:f1:30:56) Destination: RealtekU_f1:30:56 (52:54:00:f1:30:56) Address: RealtekU_f1:30:56 (52:54:00:f1:30:56) .... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default) .... ...0 .... .... .... .... = IG bit: Individual address (unicast) Source: RealtekU_74:a0:d7 (52:54:00:74:a0:d7) Address: RealtekU_74:a0:d7 (52:54:00:74:a0:d7) .... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default) .... ...0 .... .... .... .... 
= IG bit: Individual address (unicast) Type: IPv4 (0x0800) Internet Protocol Version 4, Src: 192.168.122.1, Dst: 192.168.122.2 0100 .... = Version: 4 .... 0101 = Header Length: 20 bytes (5) Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT) 0000 00.. = Differentiated Services Codepoint: Default (0) .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0) Total Length: 232 Identification: 0x9333 (37683) Flags: 0x02 (Don't Fragment) 0... .... = Reserved bit: Not set .1.. .... = Don't fragment: Set ..0. .... = More fragments: Not set Fragment offset: 0 Time to live: 64 Protocol: TCP (6) Header checksum: 0x3188 [correct] [Header checksum status: Good] [Calculated Checksum: 0x3188] Source: 192.168.122.1 Destination: 192.168.122.2 [Source GeoIP: Unknown] [Destination GeoIP: Unknown] Transmission Control Protocol, Src Port: 35832, Dst Port: 445, Seq: 52, Ack: 102, Len: 192 Source Port: 35832 Destination Port: 445 [Stream index: 5] [TCP Segment Len: 192] Sequence number: 52 (relative sequence number) [Next sequence number: 244 (relative sequence number)] Acknowledgment number: 102 (relative ack number) Header Length: 20 bytes Flags: 0x018 (PSH, ACK) 000. .... .... = Reserved: Not set ...0 .... .... = Nonce: Not set .... 0... .... = Congestion Window Reduced (CWR): Not set .... .0.. .... = ECN-Echo: Not set .... ..0. .... = Urgent: Not set .... ...1 .... = Acknowledgment: Set .... .... 1... = Push: Set .... .... .0.. = Reset: Not set .... .... ..0. = Syn: Not set .... .... 
...0 = Fin: Not set [TCP Flags: ·······AP···] Window size value: 229 [Calculated window size: 29312] [Window size scaling factor: 128] Checksum: 0x762f [unverified] [Checksum Status: Unverified] Urgent pointer: 0 [SEQ/ACK analysis] [iRTT: 0.000223920 seconds] [Bytes in flight: 192] [Bytes sent since last PSH flag: 192] NetBIOS Session Service Message Type: Session message (0x00) Length: 188 SMB (Server Message Block Protocol) SMB Header Server Component: SMB [Response in: 717] SMB Command: Session Setup AndX (0x73) NT Status: STATUS_SUCCESS (0x00000000) Flags: 0x18, Canonicalized Pathnames, Case Sensitivity 0... .... = Request/Response: Message is a request to the server .0.. .... = Notify: Notify client only on open ..0. .... = Oplocks: OpLock not requested/granted ...1 .... = Canonicalized Pathnames: Pathnames are canonicalized .... 1... = Case Sensitivity: Path names are caseless .... ..0. = Receive Buffer Posted: Receive buffer has not been posted .... ...0 = Lock and Read: Lock&Read, Write&Unlock are not supported Flags2: 0xc803, Unicode Strings, Error Code Type, Extended Security Negotiation, Extended Attributes, Long Names Allowed 1... .... .... .... = Unicode Strings: Strings are Unicode .1.. .... .... .... = Error Code Type: Error codes are NT error codes ..0. .... .... .... = Execute-only Reads: Don't permit reads if execute-only ...0 .... .... .... = Dfs: Don't resolve pathnames with Dfs .... 1... .... .... = Extended Security Negotiation: Extended security negotiation is supported .... .0.. .... .... = Reparse Path: The request does not use a @GMT reparse path .... .... .0.. .... = Long Names Used: Path names in request are not long file names .... .... ...0 .... = Security Signatures Required: Security signatures are not required .... .... .... 0... = Compressed: Compression is not requested .... .... .... .0.. = Security Signatures: Security signatures are not supported .... .... .... ..1. = Extended Attributes: Extended attributes are supported .... 
.... .... ...1 = Long Names Allowed: Long file names are allowed in the response Process ID High: 0 Signature: 0000000000000000 Reserved: 0000 Tree ID: 0 Process ID: 53123 User ID: 0 Multiplex ID: 2 Session Setup AndX Request (0x73) Word Count (WCT): 13 AndXCommand: Tree Connect AndX (0x75) Reserved: 00 AndXOffset: 126 Max Buffer: 16644 Max Mpx Count: 10 VC Number: 1 Session Key: 0x00000000 ANSI Password Length: 24 Unicode Password Length: 0 Reserved: 00000000 Capabilities: 0x00000054, Unicode, NT SMBs, NT Status Codes .... .... .... .... .... .... .... ...0 = Raw Mode: Read Raw and Write Raw are not supported .... .... .... .... .... .... .... ..0. = MPX Mode: Read Mpx and Write Mpx are not supported .... .... .... .... .... .... .... .1.. = Unicode: Unicode strings are supported .... .... .... .... .... .... .... 0... = Large Files: Large files are not supported .... .... .... .... .... .... ...1 .... = NT SMBs: NT SMBs are supported .... .... .... .... .... .... ..0. .... = RPC Remote APIs: RPC remote APIs are not supported .... .... .... .... .... .... .1.. .... = NT Status Codes: NT status codes are supported .... .... .... .... .... .... 0... .... = Level 2 Oplocks: Level 2 oplocks are not supported .... .... .... .... .... ...0 .... .... = Lock and Read: Lock and Read is not supported .... .... .... .... .... ..0. .... .... = NT Find: NT Find is not supported .... .... .... .... ...0 .... .... .... = Dfs: Dfs is not supported .... .... .... .... ..0. .... .... .... = Infolevel Passthru: NT information level request passthrough is not supported .... .... .... .... .0.. .... .... .... = Large ReadX: Large Read andX is not supported .... .... .... .... 0... .... .... .... = Large WriteX: Large Write andX is not supported .... .... .... ...0 .... .... .... .... = LWIO: LWIO ioctl/fsctl is not supported .... .... 0... .... .... .... .... .... = UNIX: UNIX extensions are not supported .... ..0. .... .... .... .... .... .... 
= Compressed Data: Compressed data transfer is not supported ..0. .... .... .... .... .... .... .... = Dynamic Reauth: Dynamic Reauth is not supported 0... .... .... .... .... .... .... .... = Extended Security: Extended security exchanges are not supported Byte Count (BCC): 65 ANSI Password: 0f59ccd921e0806f376bd1f728cac368a71612c1c15fe19e Account: GUEST Primary Domain: ? Native OS: Linux Native LAN Manager: jCIFS Tree Connect AndX Request (0x75) Word Count (WCT): 4 AndXCommand: No further commands (0xff) Reserved: 00 AndXOffset: 57054 Flags: 0x0000 .... .... .... ...0 = Disconnect TID: Do NOT disconnect TID .... .... .... .0.. = Extended Signature: NOT Extended Signature .... .... .... 0... = Extended Response: NOT Extended Response Password Length: 1 Byte Count (BCC): 51 Password: 00 Path: \\192.168.122.2\LOCAL Service: ????? 0000 52 54 00 f1 30 56 52 54 00 74 a0 d7 08 00 45 00 RT..0VRT.t....E. 0010 00 e8 93 33 40 00 40 06 31 88 c0 a8 7a 01 c0 a8 ...3@.@.1...z... 0020 7a 02 8b f8 01 bd 1a f0 0f 98 9a 87 bc c4 50 18 z.............P. 0030 00 e5 76 2f 00 00 00 00 00 bc ff 53 4d 42 73 00 ..v/.......SMBs. 0040 00 00 00 18 03 c8 00 00 00 00 00 00 00 00 00 00 ................ 0050 00 00 00 00 83 cf 00 00 02 00 0d 75 00 7e 00 04 ...........u.~.. 0060 41 0a 00 01 00 00 00 00 00 18 00 00 00 00 00 00 A............... 0070 00 54 00 00 00 41 00 0f 59 cc d9 21 e0 80 6f 37 .T...A..Y..!..o7 0080 6b d1 f7 28 ca c3 68 a7 16 12 c1 c1 5f e1 9e 00 k..(..h....._... 0090 47 00 55 00 45 00 53 00 54 00 00 00 3f 00 00 00 G.U.E.S.T...?... 00a0 4c 00 69 00 6e 00 75 00 78 00 00 00 6a 00 43 00 L.i.n.u.x...j.C. 00b0 49 00 46 00 53 00 00 00 04 ff 00 de de 00 00 01 I.F.S........... 00c0 00 33 00 00 5c 00 5c 00 31 00 39 00 32 00 2e 00 .3..\.\.1.9.2... 00d0 31 00 36 00 38 00 2e 00 31 00 32 00 32 00 2e 00 1.6.8...1.2.2... 00e0 32 00 5c 00 4c 00 4f 00 43 00 41 00 4c 00 00 00 2.\.L.O.C.A.L... 00f0 3f 3f 3f 3f 3f 00 ?????. No. 
Time Source Destination Protocol Length Info 717 0.000926530 192.168.122.2 192.168.122.1 SMB 93 Session Setup AndX Response, Error: STATUS_LOGON_FAILURE Frame 717: 93 bytes on wire (744 bits), 93 bytes captured (744 bits) on interface 0 Interface id: 0 (virbr0) Encapsulation type: Ethernet (1) Arrival Time: May 20, 2018 17:18:48.139003031 BST [Time shift for this packet: 0.000000000 seconds] Epoch Time: 1526833128.139003031 seconds [Time delta from previous captured frame: 0.000926530 seconds] [Time delta from previous displayed frame: 0.000926530 seconds] [Time since reference or first frame: 424.191033251 seconds] Frame Number: 717 Frame Length: 93 bytes (744 bits) Capture Length: 93 bytes (744 bits) [Frame is marked: False] [Frame is ignored: False] [Protocols in frame: eth:ethertype:ip:tcp:nbss:smb] [Coloring Rule Name: SMB] [Coloring Rule String: smb || nbss || nbns || nbipx || ipxsap || netbios] Ethernet II, Src: RealtekU_f1:30:56 (52:54:00:f1:30:56), Dst: RealtekU_74:a0:d7 (52:54:00:74:a0:d7) Destination: RealtekU_74:a0:d7 (52:54:00:74:a0:d7) Address: RealtekU_74:a0:d7 (52:54:00:74:a0:d7) .... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default) .... ...0 .... .... .... .... = IG bit: Individual address (unicast) Source: RealtekU_f1:30:56 (52:54:00:f1:30:56) Address: RealtekU_f1:30:56 (52:54:00:f1:30:56) .... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default) .... ...0 .... .... .... .... = IG bit: Individual address (unicast) Type: IPv4 (0x0800) Internet Protocol Version 4, Src: 192.168.122.2, Dst: 192.168.122.1 0100 .... = Version: 4 .... 0101 = Header Length: 20 bytes (5) Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT) 0000 00.. = Differentiated Services Codepoint: Default (0) .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0) Total Length: 79 Identification: 0x5357 (21335) Flags: 0x00 0... .... = Reserved bit: Not set .0.. 
.... = Don't fragment: Not set ..0. .... = More fragments: Not set Fragment offset: 0 Time to live: 255 Protocol: TCP (6) Header checksum: 0xf2fc [correct] [Header checksum status: Good] [Calculated Checksum: 0xf2fc] Source: 192.168.122.2 Destination: 192.168.122.1 [Source GeoIP: Unknown] [Destination GeoIP: Unknown] Transmission Control Protocol, Src Port: 445, Dst Port: 35832, Seq: 102, Ack: 244, Len: 39 Source Port: 445 Destination Port: 35832 [Stream index: 5] [TCP Segment Len: 39] Sequence number: 102 (relative sequence number) [Next sequence number: 141 (relative sequence number)] Acknowledgment number: 244 (relative ack number) Header Length: 20 bytes Flags: 0x018 (PSH, ACK) 000. .... .... = Reserved: Not set ...0 .... .... = Nonce: Not set .... 0... .... = Congestion Window Reduced (CWR): Not set .... .0.. .... = ECN-Echo: Not set .... ..0. .... = Urgent: Not set .... ...1 .... = Acknowledgment: Set .... .... 1... = Push: Set .... .... .0.. = Reset: Not set .... .... ..0. = Syn: Not set .... .... ...0 = Fin: Not set [TCP Flags: ·······AP···] Window size value: 65535 [Calculated window size: 1048560] [Window size scaling factor: 16] Checksum: 0x5c82 [unverified] [Checksum Status: Unverified] Urgent pointer: 0 [SEQ/ACK analysis] [This is an ACK to the segment in frame: 716] [The RTT to ACK the segment was: 0.000926530 seconds] [iRTT: 0.000223920 seconds] [Bytes in flight: 39] [Bytes sent since last PSH flag: 39] NetBIOS Session Service Message Type: Session message (0x00) Length: 35 SMB (Server Message Block Protocol) SMB Header Server Component: SMB [Response to: 716] [Time from request: 0.000926530 seconds] SMB Command: Session Setup AndX (0x73) NT Status: STATUS_LOGON_FAILURE (0xc000006d) Flags: 0x98, Request/Response, Canonicalized Pathnames, Case Sensitivity 1... .... = Request/Response: Message is a response to the client/redirector .0.. .... = Notify: Notify client only on open ..0. .... = Oplocks: OpLock not requested/granted ...1 .... 
= Canonicalized Pathnames: Pathnames are canonicalized .... 1... = Case Sensitivity: Path names are caseless .... ..0. = Receive Buffer Posted: Receive buffer has not been posted .... ...0 = Lock and Read: Lock&Read, Write&Unlock are not supported Flags2: 0xc041, Unicode Strings, Error Code Type, Long Names Used, Long Names Allowed 1... .... .... .... = Unicode Strings: Strings are Unicode .1.. .... .... .... = Error Code Type: Error codes are NT error codes ..0. .... .... .... = Execute-only Reads: Don't permit reads if execute-only ...0 .... .... .... = Dfs: Don't resolve pathnames with Dfs .... 0... .... .... = Extended Security Negotiation: Extended security negotiation is not supported .... .0.. .... .... = Reparse Path: The request does not use a @GMT reparse path .... .... .1.. .... = Long Names Used: Path names in request are long file names .... .... ...0 .... = Security Signatures Required: Security signatures are not required .... .... .... 0... = Compressed: Compression is not requested .... .... .... .0.. = Security Signatures: Security signatures are not supported .... .... .... ..0. = Extended Attributes: Extended attributes are not supported .... .... .... ...1 = Long Names Allowed: Long file names are allowed in the response Process ID High: 0 Signature: 0000000000000000 Reserved: 0000 Tree ID: 0 Process ID: 53123 User ID: 13701 Multiplex ID: 2 Session Setup AndX Response (0x73) Word Count (WCT): 0 Byte Count (BCC): 0 0000 52 54 00 74 a0 d7 52 54 00 f1 30 56 08 00 45 00 RT.t..RT..0V..E. 0010 00 4f 53 57 00 00 ff 06 f2 fc c0 a8 7a 02 c0 a8 .OSW........z... 0020 7a 01 01 bd 8b f8 9a 87 bc c4 1a f0 10 58 50 18 z............XP. 0030 ff ff 5c 82 00 00 00 00 00 23 ff 53 4d 42 73 6d ..\......#.SMBsm 0040 00 00 c0 98 41 c0 00 00 00 00 00 00 00 00 00 00 ....A........... 0050 00 00 00 00 83 cf 85 35 02 00 00 00 00 .......5..... No. 
Time Source Destination Protocol Length Info
721 4.144715130 192.168.122.1 192.168.122.2 SMB 248 Session Setup AndX Request, User: ?\glenda; Tree Connect AndX, Path: \\192.168.122.2\LOCAL

Frame 721: 248 bytes on wire (1984 bits), 248 bytes captured (1984 bits) on interface 0
    Interface id: 0 (virbr0)
    Encapsulation type: Ethernet (1)
    Arrival Time: May 20, 2018 17:18:52.283718161 BST
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1526833132.283718161 seconds
    [Time delta from previous captured frame: 1.943355396 seconds]
    [Time delta from previous displayed frame: 4.144715130 seconds]
    [Time since reference or first frame: 428.335748381 seconds]
    Frame Number: 721
    Frame Length: 248 bytes (1984 bits)
    Capture Length: 248 bytes (1984 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ethertype:ip:tcp:nbss:smb]
    [Coloring Rule Name: SMB]
    [Coloring Rule String: smb || nbss || nbns || nbipx || ipxsap || netbios]
Ethernet II, Src: RealtekU_74:a0:d7 (52:54:00:74:a0:d7), Dst: RealtekU_f1:30:56 (52:54:00:f1:30:56)
    Destination: RealtekU_f1:30:56 (52:54:00:f1:30:56)
        Address: RealtekU_f1:30:56 (52:54:00:f1:30:56)
        .... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: RealtekU_74:a0:d7 (52:54:00:74:a0:d7)
        Address: RealtekU_74:a0:d7 (52:54:00:74:a0:d7)
        .... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: 192.168.122.1, Dst: 192.168.122.2
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
        0000 00.. = Differentiated Services Codepoint: Default (0)
        .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
    Total Length: 234
    Identification: 0x9335 (37685)
    Flags: 0x02 (Don't Fragment)
        0... .... = Reserved bit: Not set
        .1.. .... = Don't fragment: Set
        ..0. .... = More fragments: Not set
    Fragment offset: 0
    Time to live: 64
    Protocol: TCP (6)
    Header checksum: 0x3184 [correct]
    [Header checksum status: Good]
    [Calculated Checksum: 0x3184]
    Source: 192.168.122.1
    Destination: 192.168.122.2
    [Source GeoIP: Unknown]
    [Destination GeoIP: Unknown]
Transmission Control Protocol, Src Port: 35832, Dst Port: 445, Seq: 244, Ack: 141, Len: 194
    Source Port: 35832
    Destination Port: 445
    [Stream index: 5]
    [TCP Segment Len: 194]
    Sequence number: 244 (relative sequence number)
    [Next sequence number: 438 (relative sequence number)]
    Acknowledgment number: 141 (relative ack number)
    Header Length: 20 bytes
    Flags: 0x018 (PSH, ACK)
        000. .... .... = Reserved: Not set
        ...0 .... .... = Nonce: Not set
        .... 0... .... = Congestion Window Reduced (CWR): Not set
        .... .0.. .... = ECN-Echo: Not set
        .... ..0. .... = Urgent: Not set
        .... ...1 .... = Acknowledgment: Set
        .... .... 1... = Push: Set
        .... .... .0.. = Reset: Not set
        .... .... ..0. = Syn: Not set
        .... .... ...0 = Fin: Not set
        [TCP Flags: ·······AP···]
    Window size value: 229
    [Calculated window size: 29312]
    [Window size scaling factor: 128]
    Checksum: 0x7631 [unverified]
    [Checksum Status: Unverified]
    Urgent pointer: 0
    [SEQ/ACK analysis]
        [iRTT: 0.000223920 seconds]
        [Bytes in flight: 194]
        [Bytes sent since last PSH flag: 194]
NetBIOS Session Service
    Message Type: Session message (0x00)
    Length: 190
SMB (Server Message Block Protocol)
    SMB Header
        Server Component: SMB
        [Response in: 722]
        SMB Command: Session Setup AndX (0x73)
        NT Status: STATUS_SUCCESS (0x00000000)
        Flags: 0x18, Canonicalized Pathnames, Case Sensitivity
            0... .... = Request/Response: Message is a request to the server
            .0.. .... = Notify: Notify client only on open
            ..0. .... = Oplocks: OpLock not requested/granted
            ...1 .... = Canonicalized Pathnames: Pathnames are canonicalized
            .... 1... = Case Sensitivity: Path names are caseless
            .... ..0. = Receive Buffer Posted: Receive buffer has not been posted
            .... ...0 = Lock and Read: Lock&Read, Write&Unlock are not supported
        Flags2: 0xc803, Unicode Strings, Error Code Type, Extended Security Negotiation, Extended Attributes, Long Names Allowed
            1... .... .... .... = Unicode Strings: Strings are Unicode
            .1.. .... .... .... = Error Code Type: Error codes are NT error codes
            ..0. .... .... .... = Execute-only Reads: Don't permit reads if execute-only
            ...0 .... .... .... = Dfs: Don't resolve pathnames with Dfs
            .... 1... .... .... = Extended Security Negotiation: Extended security negotiation is supported
            .... .0.. .... .... = Reparse Path: The request does not use a @GMT reparse path
            .... .... .0.. .... = Long Names Used: Path names in request are not long file names
            .... .... ...0 .... = Security Signatures Required: Security signatures are not required
            .... .... .... 0... = Compressed: Compression is not requested
            .... .... .... .0.. = Security Signatures: Security signatures are not supported
            .... .... .... ..1. = Extended Attributes: Extended attributes are supported
            .... .... .... ...1 = Long Names Allowed: Long file names are allowed in the response
        Process ID High: 0
        Signature: 0000000000000000
        Reserved: 0000
        Tree ID: 0
        Process ID: 53123
        User ID: 0
        Multiplex ID: 3
    Session Setup AndX Request (0x73)
        Word Count (WCT): 13
        AndXCommand: Tree Connect AndX (0x75)
        Reserved: 00
        AndXOffset: 128
        Max Buffer: 16644
        Max Mpx Count: 10
        VC Number: 1
        Session Key: 0x00000000
        ANSI Password Length: 24
        Unicode Password Length: 0
        Reserved: 00000000
        Capabilities: 0x00000054, Unicode, NT SMBs, NT Status Codes
            .... .... .... .... .... .... .... ...0 = Raw Mode: Read Raw and Write Raw are not supported
            .... .... .... .... .... .... .... ..0. = MPX Mode: Read Mpx and Write Mpx are not supported
            .... .... .... .... .... .... .... .1.. = Unicode: Unicode strings are supported
            .... .... .... .... .... .... .... 0... = Large Files: Large files are not supported
            .... .... .... .... .... .... ...1 .... = NT SMBs: NT SMBs are supported
            .... .... .... .... .... .... ..0. .... = RPC Remote APIs: RPC remote APIs are not supported
            .... .... .... .... .... .... .1.. .... = NT Status Codes: NT status codes are supported
            .... .... .... .... .... .... 0... .... = Level 2 Oplocks: Level 2 oplocks are not supported
            .... .... .... .... .... ...0 .... .... = Lock and Read: Lock and Read is not supported
            .... .... .... .... .... ..0. .... .... = NT Find: NT Find is not supported
            .... .... .... .... ...0 .... .... .... = Dfs: Dfs is not supported
            .... .... .... .... ..0. .... .... .... = Infolevel Passthru: NT information level request passthrough is not supported
            .... .... .... .... .0.. .... .... .... = Large ReadX: Large Read andX is not supported
            .... .... .... .... 0... .... .... .... = Large WriteX: Large Write andX is not supported
            .... .... .... ...0 .... .... .... .... = LWIO: LWIO ioctl/fsctl is not supported
            .... .... 0... .... .... .... .... .... = UNIX: UNIX extensions are not supported
            .... ..0. .... .... .... .... .... .... = Compressed Data: Compressed data transfer is not supported
            ..0. .... .... .... .... .... .... .... = Dynamic Reauth: Dynamic Reauth is not supported
            0... .... .... .... .... .... .... .... = Extended Security: Extended security exchanges are not supported
        Byte Count (BCC): 67
        ANSI Password: 86784a399991c2a7fc0390f5bfbc4fb7e354edc726153f7e
        Account: glenda
        Primary Domain: ?
        Native OS: Linux
        Native LAN Manager: jCIFS
    Tree Connect AndX Request (0x75)
        Word Count (WCT): 4
        AndXCommand: No further commands (0xff)
        Reserved: 00
        AndXOffset: 57054
        Flags: 0x0000
            .... .... .... ...0 = Disconnect TID: Do NOT disconnect TID
            .... .... .... .0.. = Extended Signature: NOT Extended Signature
            .... .... .... 0... = Extended Response: NOT Extended Response
        Password Length: 1
        Byte Count (BCC): 51
        Password: 00
        Path: \\192.168.122.2\LOCAL
        Service: ?????

0000  52 54 00 f1 30 56 52 54 00 74 a0 d7 08 00 45 00   RT..0VRT.t....E.
0010  00 ea 93 35 40 00 40 06 31 84 c0 a8 7a 01 c0 a8   ...5@.@.1...z...
0020  7a 02 8b f8 01 bd 1a f0 10 58 9a 87 bc eb 50 18   z........X....P.
0030  00 e5 76 31 00 00 00 00 00 be ff 53 4d 42 73 00   ..v1.......SMBs.
0040  00 00 00 18 03 c8 00 00 00 00 00 00 00 00 00 00   ................
0050  00 00 00 00 83 cf 00 00 03 00 0d 75 00 80 00 04   ...........u....
0060  41 0a 00 01 00 00 00 00 00 18 00 00 00 00 00 00   A...............
0070  00 54 00 00 00 43 00 86 78 4a 39 99 91 c2 a7 fc   .T...C..xJ9.....
0080  03 90 f5 bf bc 4f b7 e3 54 ed c7 26 15 3f 7e 00   .....O..T..&.?~.
0090  67 00 6c 00 65 00 6e 00 64 00 61 00 00 00 3f 00   g.l.e.n.d.a...?.
00a0  00 00 4c 00 69 00 6e 00 75 00 78 00 00 00 6a 00   ..L.i.n.u.x...j.
00b0  43 00 49 00 46 00 53 00 00 00 04 ff 00 de de 00   C.I.F.S.........
00c0  00 01 00 33 00 00 5c 00 5c 00 31 00 39 00 32 00   ...3..\.\.1.9.2.
00d0  2e 00 31 00 36 00 38 00 2e 00 31 00 32 00 32 00   ..1.6.8...1.2.2.
00e0  2e 00 32 00 5c 00 4c 00 4f 00 43 00 41 00 4c 00   ..2.\.L.O.C.A.L.
00f0  00 00 3f 3f 3f 3f 3f 00                           ..?????.

No. Time Source Destination Protocol Length Info
722 0.000927170 192.168.122.2 192.168.122.1 SMB 93 Session Setup AndX Response, Error: STATUS_LOGON_FAILURE

Frame 722: 93 bytes on wire (744 bits), 93 bytes captured (744 bits) on interface 0
    Interface id: 0 (virbr0)
    Encapsulation type: Ethernet (1)
    Arrival Time: May 20, 2018 17:18:52.284645331 BST
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1526833132.284645331 seconds
    [Time delta from previous captured frame: 0.000927170 seconds]
    [Time delta from previous displayed frame: 0.000927170 seconds]
    [Time since reference or first frame: 428.336675551 seconds]
    Frame Number: 722
    Frame Length: 93 bytes (744 bits)
    Capture Length: 93 bytes (744 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ethertype:ip:tcp:nbss:smb]
    [Coloring Rule Name: SMB]
    [Coloring Rule String: smb || nbss || nbns || nbipx || ipxsap || netbios]
Ethernet II, Src: RealtekU_f1:30:56 (52:54:00:f1:30:56), Dst: RealtekU_74:a0:d7 (52:54:00:74:a0:d7)
    Destination: RealtekU_74:a0:d7 (52:54:00:74:a0:d7)
        Address: RealtekU_74:a0:d7 (52:54:00:74:a0:d7)
        .... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: RealtekU_f1:30:56 (52:54:00:f1:30:56)
        Address: RealtekU_f1:30:56 (52:54:00:f1:30:56)
        .... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: 192.168.122.2, Dst: 192.168.122.1
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
        0000 00.. = Differentiated Services Codepoint: Default (0)
        .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
    Total Length: 79
    Identification: 0x535a (21338)
    Flags: 0x00
        0... .... = Reserved bit: Not set
        .0.. .... = Don't fragment: Not set
        ..0. .... = More fragments: Not set
    Fragment offset: 0
    Time to live: 255
    Protocol: TCP (6)
    Header checksum: 0xf2f9 [correct]
    [Header checksum status: Good]
    [Calculated Checksum: 0xf2f9]
    Source: 192.168.122.2
    Destination: 192.168.122.1
    [Source GeoIP: Unknown]
    [Destination GeoIP: Unknown]
Transmission Control Protocol, Src Port: 445, Dst Port: 35832, Seq: 141, Ack: 438, Len: 39
    Source Port: 445
    Destination Port: 35832
    [Stream index: 5]
    [TCP Segment Len: 39]
    Sequence number: 141 (relative sequence number)
    [Next sequence number: 180 (relative sequence number)]
    Acknowledgment number: 438 (relative ack number)
    Header Length: 20 bytes
    Flags: 0x018 (PSH, ACK)
        000. .... .... = Reserved: Not set
        ...0 .... .... = Nonce: Not set
        .... 0... .... = Congestion Window Reduced (CWR): Not set
        .... .0.. .... = ECN-Echo: Not set
        .... ..0. .... = Urgent: Not set
        .... ...1 .... = Acknowledgment: Set
        .... .... 1... = Push: Set
        .... .... .0.. = Reset: Not set
        .... .... ..0. = Syn: Not set
        .... .... ...0 = Fin: Not set
        [TCP Flags: ·······AP···]
    Window size value: 65535
    [Calculated window size: 1048560]
    [Window size scaling factor: 16]
    Checksum: 0x5a99 [unverified]
    [Checksum Status: Unverified]
    Urgent pointer: 0
    [SEQ/ACK analysis]
        [This is an ACK to the segment in frame: 721]
        [The RTT to ACK the segment was: 0.000927170 seconds]
        [iRTT: 0.000223920 seconds]
        [Bytes in flight: 39]
        [Bytes sent since last PSH flag: 39]
NetBIOS Session Service
    Message Type: Session message (0x00)
    Length: 35
SMB (Server Message Block Protocol)
    SMB Header
        Server Component: SMB
        [Response to: 721]
        [Time from request: 0.000927170 seconds]
        SMB Command: Session Setup AndX (0x73)
        NT Status: STATUS_LOGON_FAILURE (0xc000006d)
        Flags: 0x98, Request/Response, Canonicalized Pathnames, Case Sensitivity
            1... .... = Request/Response: Message is a response to the client/redirector
            .0.. .... = Notify: Notify client only on open
            ..0. .... = Oplocks: OpLock not requested/granted
            ...1 .... = Canonicalized Pathnames: Pathnames are canonicalized
            .... 1... = Case Sensitivity: Path names are caseless
            .... ..0. = Receive Buffer Posted: Receive buffer has not been posted
            .... ...0 = Lock and Read: Lock&Read, Write&Unlock are not supported
        Flags2: 0xc041, Unicode Strings, Error Code Type, Long Names Used, Long Names Allowed
            1... .... .... .... = Unicode Strings: Strings are Unicode
            .1.. .... .... .... = Error Code Type: Error codes are NT error codes
            ..0. .... .... .... = Execute-only Reads: Don't permit reads if execute-only
            ...0 .... .... .... = Dfs: Don't resolve pathnames with Dfs
            .... 0... .... .... = Extended Security Negotiation: Extended security negotiation is not supported
            .... .0.. .... .... = Reparse Path: The request does not use a @GMT reparse path
            .... .... .1.. .... = Long Names Used: Path names in request are long file names
            .... .... ...0 .... = Security Signatures Required: Security signatures are not required
            .... .... .... 0... = Compressed: Compression is not requested
            .... .... .... .0.. = Security Signatures: Security signatures are not supported
            .... .... .... ..0. = Extended Attributes: Extended attributes are not supported
            .... .... .... ...1 = Long Names Allowed: Long file names are allowed in the response
        Process ID High: 0
        Signature: 0000000000000000
        Reserved: 0000
        Tree ID: 0
        Process ID: 53123
        User ID: 13701
        Multiplex ID: 3
    Session Setup AndX Response (0x73)
        Word Count (WCT): 0
        Byte Count (BCC): 0

0000  52 54 00 74 a0 d7 52 54 00 f1 30 56 08 00 45 00   RT.t..RT..0V..E.
0010  00 4f 53 5a 00 00 ff 06 f2 f9 c0 a8 7a 02 c0 a8   .OSZ........z...
0020  7a 01 01 bd 8b f8 9a 87 bc eb 1a f0 11 1a 50 18   z.............P.
0030  ff ff 5a 99 00 00 00 00 00 23 ff 53 4d 42 73 6d   ..Z......#.SMBsm
0040  00 00 c0 98 41 c0 00 00 00 00 00 00 00 00 00 00   ....A...........
0050  00 00 00 00 83 cf 85 35 03 00 00 00 00            .......5.....