summaryrefslogtreecommitdiff
path: root/script
diff options
context:
space:
mode:
authorGary Lockyer <gary@catalyst.net.nz>2017-08-07 10:08:28 +1200
committerDouglas Bagnall <dbagnall@samba.org>2017-08-17 07:59:38 +0200
commitbeeec1ff7c8b1461c265d9143de8221e2ec9b70a (patch)
tree6bf56b0747f266fb7fb4286681e4f64ec1c207fc /script
parent7057abcfcde4a7059448719e9abe08d18c9ec149 (diff)
downloadsamba-beeec1ff7c8b1461c265d9143de8221e2ec9b70a.tar.gz
tests: replace traffic_summary test with python blackbox test
Replace the shell subunit test for script/traffic_summary.pl with a python black box test. This involves moving the test files to more standard locations. Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Garming Sam <garming@catalyst.net.nz> Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org> Autobuild-Date(master): Thu Aug 17 07:59:38 CEST 2017 on sn-devel-144
Diffstat (limited to 'script')
-rw-r--r--script/testdata/traffic_summary.expected29
-rw-r--r--script/testdata/traffic_summary.pdml4989
-rwxr-xr-xscript/tests/test_traffic_summary.sh47
3 files changed, 0 insertions, 5065 deletions
diff --git a/script/testdata/traffic_summary.expected b/script/testdata/traffic_summary.expected
deleted file mode 100644
index b1db3271f48..00000000000
--- a/script/testdata/traffic_summary.expected
+++ /dev/null
@@ -1,29 +0,0 @@
-1486690576.530451000 11 0 1 2 nbns 0 query
-1486690578.137335000 06 0 3 3 kerberos 10 krb-as-req machine
-1486690578.141276000 06 0 3 3 kerberos 11 krb-as-rep
-1486690584.104038000 06 49 4 3 kerberos 10 krb-as-req user
-1486690584.108221000 06 49 3 4 kerberos 11 krb-as-rep
-1486690584.139378000 06 50 4 3 kerberos 14 krb-ap-req
-1486690584.143220000 06 50 3 4 kerberos 13 krb-tgs-rep
-1486690584.770344000 06 60 4 3 ldap 0 bindRequest 3 sasl 1.3.6.1.5.5.2
-1486690584.774978000 06 60 3 4 ldap 1 bindResponse
-1486690584.775218000 06 60 4 3 ldap 3 searchRequest (objectClass=*) rootDomainNamingContext,configurationNamingContext,schemaNamingContext,defaultNamingContext
-1486690584.775574000 06 60 4 3 ldap 3 searchRequest DC,DC,DC (objectSid) objectSid
-1486690586.238734000 06 92 4 3 ldap 3 searchRequest 2 WKGUID,DC,DC,DC (objectClass=*)
-1486934236.150107000 6 5 6 smb 255 No further commands (0xff)
-1486934236.150278000 6 6 5 dcerpc 11 Bind
-1486934236.201029000 6 6 5 srvsvc 15 NetShareEnumAll
-1486934237.552194000 11 30 7 3 browser 0x00000008 Browser Election Request (0x08)
-1486690678.178692000 06 1177 8 9 lsarpc 27 lsa_SetInformationTrustedDomain
-1486690679.853951000 06 1183 9 8 epm 3 Map
-1486690679.854842000 06 1184 9 8 rpc_netlogon 4 NetrServerReqChallenge
-1487197586.858394000 11 66 10 8 cldap 3 searchRequest (&(&(NtVer)(DnsDomain))(AAC)) NetLogon
-1487197586.864862000 06 12 10 8 smb2 0 Negotiate Protocol
-1487197588.515337000 11 76 10 11 dns 0 query
-1487197588.911149000 11 76 11 10 dns 1 response
-1487197589.619792000 06 29 10 10 dnsserver 9 DnssrvUpdateRecord2
-1487200690.757022000 06 10 4 3 samr 0 Connect
-1487200691.039416000 06 14 4 3 drsuapi 0 DsBind
-1486934584.809271000 11 322 12 7 smb_netlogon 0x00000012 SAM LOGON request from client (0x12)
-1486690719.940434000 06 1400 4 3 ldap 6 modifyRequest servicePrincipalName 2 replace
-1486690682.579057000 06 1207 4 3 ldap 0 bindRequest 0 simple
diff --git a/script/testdata/traffic_summary.pdml b/script/testdata/traffic_summary.pdml
deleted file mode 100644
index ac56a244da5..00000000000
--- a/script/testdata/traffic_summary.pdml
+++ /dev/null
@@ -1,4989 +0,0 @@
-<?xml version="1.0"?>
-<?xml-stylesheet type="text/xsl" href="pdml2html.xsl"?>
-<!-- You can find pdml2html.xsl in /usr/share/wireshark or at https://code.wireshark.org/review/gitweb?p=wireshark.git;a=blob_plain;f=pdml2html.xsl. -->
-<!-- Examples in this file are taken from a packet capture of make test -->
-<!-- where values where too large and of no interest they where replaced with "...elided..." -->
-<pdml version="0" creator="wireshark/2.0.2" time="Wed Feb 15 14:51:04 2017" capture_file="sample.pcap">
-
-<packet>
- <proto name="geninfo" pos="0" showname="General information" size="78">
- <field name="num" pos="0" show="1" showname="Number" value="1" size="78"/>
- <field name="len" pos="0" show="78" showname="Frame Length" value="4e" size="78"/>
- <field name="caplen" pos="0" show="78" showname="Captured Length" value="4e" size="78"/>
- <field name="timestamp" pos="0" show="Feb 10, 2017 14:36:16.530451000 NZDT" showname="Captured Time" value="1486690576.530451000" size="78"/>
- </proto>
- <proto name="frame" showname="Frame 1: 78 bytes on wire (624 bits), 78 bytes captured (624 bits)" size="78" pos="0">
- <field name="frame.encap_type" showname="Encapsulation type: Raw IP (7)" size="0" pos="0" show="7"/>
- <field name="frame.time" showname="Arrival Time: Feb 10, 2017 14:36:16.530451000 NZDT" size="0" pos="0" show="Feb 10, 2017 14:36:16.530451000 NZDT"/>
- <field name="frame.offset_shift" showname="Time shift for this packet: 0.000000000 seconds" size="0" pos="0" show="0.000000000"/>
- <field name="frame.time_epoch" showname="Epoch Time: 1486690576.530451000 seconds" size="0" pos="0" show="1486690576.530451000"/>
- <field name="frame.time_delta" showname="Time delta from previous captured frame: 0.000000000 seconds" size="0" pos="0" show="0.000000000"/>
- <field name="frame.time_delta_displayed" showname="Time delta from previous displayed frame: 0.000000000 seconds" size="0" pos="0" show="0.000000000"/>
- <field name="frame.time_relative" showname="Time since reference or first frame: 0.000000000 seconds" size="0" pos="0" show="0.000000000"/>
- <field name="frame.number" showname="Frame Number: 1" size="0" pos="0" show="1"/>
- <field name="frame.len" showname="Frame Length: 78 bytes (624 bits)" size="0" pos="0" show="78"/>
- <field name="frame.cap_len" showname="Capture Length: 78 bytes (624 bits)" size="0" pos="0" show="78"/>
- <field name="frame.marked" showname="Frame is marked: False" size="0" pos="0" show="0"/>
- <field name="frame.ignored" showname="Frame is ignored: False" size="0" pos="0" show="0"/>
- <field name="frame.protocols" showname="Protocols in frame: raw:ip:udp:nbns" size="0" pos="0" show="raw:ip:udp:nbns"/>
- </proto>
- <proto name="raw" showname="Raw packet data" size="78" pos="0"/>
- <proto name="ip" showname="Internet Protocol Version 4, Src: 127.0.0.1, Dst: 127.255.255.255" size="20" pos="0">
- <field name="ip.version" showname="0100 .... = Version: 4" size="1" pos="0" show="4" value="4" unmaskedvalue="45"/>
- <field name="ip.hdr_len" showname=".... 0101 = Header Length: 20 bytes" size="1" pos="0" show="5" value="5" unmaskedvalue="45"/>
- <field name="ip.dsfield" showname="Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)" size="1" pos="1" show="0x00000000" value="00">
- <field name="ip.dsfield.dscp" showname="0000 00.. = Differentiated Services Codepoint: Default (0)" size="1" pos="1" show="0" value="0" unmaskedvalue="00"/>
- <field name="ip.dsfield.ecn" showname=".... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)" size="1" pos="1" show="0" value="0" unmaskedvalue="00"/>
- </field>
- <field name="ip.len" showname="Total Length: 78" size="2" pos="2" show="78" value="004e"/>
- <field name="ip.id" showname="Identification: 0xffff (65535)" size="2" pos="4" show="0x0000ffff" value="ffff"/>
- <field name="ip.flags" showname="Flags: 0x02 (Don&#x27;t Fragment)" size="1" pos="6" show="0x00000002" value="40">
- <field name="ip.flags.rb" showname="0... .... = Reserved bit: Not set" size="1" pos="6" show="0" value="40"/>
- <field name="ip.flags.df" showname=".1.. .... = Don&#x27;t fragment: Set" size="1" pos="6" show="1" value="40"/>
- <field name="ip.flags.mf" showname="..0. .... = More fragments: Not set" size="1" pos="6" show="0" value="40"/>
- </field>
- <field name="ip.frag_offset" showname="Fragment offset: 0" size="2" pos="6" show="0" value="4000"/>
- <field name="ip.ttl" showname="Time to live: 255" size="1" pos="8" show="255" value="ff"/>
- <field name="ip.proto" showname="Protocol: UDP (17)" size="1" pos="9" show="17" value="11"/>
- <field name="ip.checksum" showname="Header checksum: 0x0000 [validation disabled]" size="2" pos="10" show="0x00000000" value="0000">
- <field name="ip.checksum_good" showname="Good: False" size="2" pos="10" show="0" value="0000"/>
- <field name="ip.checksum_bad" showname="Bad: False" size="2" pos="10" show="0" value="0000"/>
- </field>
- <field name="ip.src" showname="Source: 127.0.0.1" size="4" pos="12" show="127.0.0.1" value="7f000001"/>
- <field name="ip.addr" showname="Source or Destination Address: 127.0.0.1" hide="yes" size="4" pos="12" show="127.0.0.1" value="7f000001"/>
- <field name="ip.src_host" showname="Source Host: 127.0.0.1" hide="yes" size="4" pos="12" show="127.0.0.1" value="7f000001"/>
- <field name="ip.host" showname="Source or Destination Host: 127.0.0.1" hide="yes" size="4" pos="12" show="127.0.0.1" value="7f000001"/>
- <field name="ip.dst" showname="Destination: 127.255.255.255" size="4" pos="16" show="127.255.255.255" value="7fffffff"/>
- <field name="ip.addr" showname="Source or Destination Address: 127.255.255.255" hide="yes" size="4" pos="16" show="127.255.255.255" value="7fffffff"/>
- <field name="ip.dst_host" showname="Destination Host: 127.255.255.255" hide="yes" size="4" pos="16" show="127.255.255.255" value="7fffffff"/>
- <field name="ip.host" showname="Source or Destination Host: 127.255.255.255" hide="yes" size="4" pos="16" show="127.255.255.255" value="7fffffff"/>
- <field name="" show="Source GeoIP: Unknown" size="4" pos="12" value="7f000001"/>
- <field name="" show="Destination GeoIP: Unknown" size="4" pos="16" value="7fffffff"/>
- </proto>
- <proto name="udp" showname="User Datagram Protocol, Src Port: 14705 (14705), Dst Port: 137 (137)" size="8" pos="20">
- <field name="udp.srcport" showname="Source Port: 14705" size="2" pos="20" show="14705" value="3971"/>
- <field name="udp.dstport" showname="Destination Port: 137" size="2" pos="22" show="137" value="0089"/>
- <field name="udp.port" showname="Source or Destination Port: 14705" hide="yes" size="2" pos="20" show="14705" value="3971"/>
- <field name="udp.port" showname="Source or Destination Port: 137" hide="yes" size="2" pos="22" show="137" value="0089"/>
- <field name="udp.length" showname="Length: 58" size="2" pos="24" show="58" value="003a"/>
- <field name="udp.checksum" showname="Checksum: 0x0000 (none)" size="2" pos="26" show="0x00000000" value="0000">
- <field name="udp.checksum_good" showname="Good Checksum: False" size="2" pos="26" show="0" value="0000"/>
- <field name="udp.checksum_bad" showname="Bad Checksum: False" size="2" pos="26" show="0" value="0000"/>
- </field>
- <field name="udp.stream" showname="Stream index: 0" size="0" pos="28" show="0"/>
- </proto>
- <proto name="nbns" showname="NetBIOS Name Service" size="50" pos="28">
- <field name="nbns.id" showname="Transaction ID: 0x29d6" size="2" pos="28" show="0x000029d6" value="29d6"/>
- <field name="nbns.flags" showname="Flags: 0x0010, Opcode: Name query, Broadcast" size="2" pos="30" show="0x00000010" value="0010">
- <field name="nbns.flags.response" showname="0... .... .... .... = Response: Message is a query" size="2" pos="30" show="0" value="0" unmaskedvalue="0010"/>
- <field name="nbns.flags.opcode" showname=".000 0... .... .... = Opcode: Name query (0)" size="2" pos="30" show="0" value="0" unmaskedvalue="0010"/>
- <field name="nbns.flags.truncated" showname=".... ..0. .... .... = Truncated: Message is not truncated" size="2" pos="30" show="0" value="0" unmaskedvalue="0010"/>
- <field name="nbns.flags.recdesired" showname=".... ...0 .... .... = Recursion desired: Don&#x27;t do query recursively" size="2" pos="30" show="0" value="0" unmaskedvalue="0010"/>
- <field name="nbns.flags.broadcast" showname=".... .... ...1 .... = Broadcast: Broadcast packet" size="2" pos="30" show="1" value="FFFFFFFF" unmaskedvalue="0010"/>
- </field>
- <field name="nbns.count.queries" showname="Questions: 1" size="2" pos="32" show="1" value="0001"/>
- <field name="nbns.count.answers" showname="Answer RRs: 0" size="2" pos="34" show="0" value="0000"/>
- <field name="nbns.count.auth_rr" showname="Authority RRs: 0" size="2" pos="36" show="0" value="0000"/>
- <field name="nbns.count.add_rr" showname="Additional RRs: 0" size="2" pos="38" show="0" value="0000"/>
- <field name="" show="Queries" size="38" pos="40" value="20454d455045444542454d454545444341434143414341434143414341434141410000200001">
- <field name="" show="LOCALDC&lt;00&gt;: type NB, class IN" size="38" pos="40" value="20454d455045444542454d454545444341434143414341434143414341434141410000200001">
- <field name="nbns.name" showname="Name: LOCALDC&lt;00&gt; (Workstation/Redirector)" size="34" pos="40" show="LOCALDC&lt;00&gt;" value="20454d455045444542454d4545454443414341434143414341434143414341414100"/>
- <field name="nbns.type" showname="Type: NB (32)" size="2" pos="74" show="32" value="0020"/>
- <field name="nbns.class" showname="Class: IN (1)" size="2" pos="76" show="1" value="0001"/>
- </field>
- </field>
- </proto>
-</packet>
-
-<packet>
- <proto name="geninfo" pos="0" showname="General information" size="296">
- <field name="num" pos="0" show="47" showname="Number" value="2f" size="296"/>
- <field name="len" pos="0" show="296" showname="Frame Length" value="128" size="296"/>
- <field name="caplen" pos="0" show="296" showname="Captured Length" value="128" size="296"/>
- <field name="timestamp" pos="0" show="Feb 10, 2017 14:36:18.137335000 NZDT" showname="Captured Time" value="1486690578.137335000" size="296"/>
- </proto>
- <proto name="frame" showname="Frame 47: 296 bytes on wire (2368 bits), 296 bytes captured (2368 bits)" size="296" pos="0">
- <field name="frame.encap_type" showname="Encapsulation type: Raw IP (7)" size="0" pos="0" show="7"/>
- <field name="frame.time" showname="Arrival Time: Feb 10, 2017 14:36:18.137335000 NZDT" size="0" pos="0" show="Feb 10, 2017 14:36:18.137335000 NZDT"/>
- <field name="frame.offset_shift" showname="Time shift for this packet: 0.000000000 seconds" size="0" pos="0" show="0.000000000"/>
- <field name="frame.time_epoch" showname="Epoch Time: 1486690578.137335000 seconds" size="0" pos="0" show="1486690578.137335000"/>
- <field name="frame.time_delta" showname="Time delta from previous captured frame: 0.000016000 seconds" size="0" pos="0" show="0.000016000"/>
- <field name="frame.time_delta_displayed" showname="Time delta from previous displayed frame: 0.000016000 seconds" size="0" pos="0" show="0.000016000"/>
- <field name="frame.time_relative" showname="Time since reference or first frame: 1.606884000 seconds" size="0" pos="0" show="1.606884000"/>
- <field name="frame.number" showname="Frame Number: 47" size="0" pos="0" show="47"/>
- <field name="frame.len" showname="Frame Length: 296 bytes (2368 bits)" size="0" pos="0" show="296"/>
- <field name="frame.cap_len" showname="Capture Length: 296 bytes (2368 bits)" size="0" pos="0" show="296"/>
- <field name="frame.marked" showname="Frame is marked: False" size="0" pos="0" show="0"/>
- <field name="frame.ignored" showname="Frame is ignored: False" size="0" pos="0" show="0"/>
- <field name="frame.protocols" showname="Protocols in frame: raw:ip:tcp:kerberos" size="0" pos="0" show="raw:ip:tcp:kerberos"/>
- </proto>
- <proto name="raw" showname="Raw packet data" size="296" pos="0"/>
- <proto name="ip" showname="Internet Protocol Version 4, Src: 127.0.0.21, Dst: 127.0.0.21" size="20" pos="0">
- <field name="ip.version" showname="0100 .... = Version: 4" size="1" pos="0" show="4" value="4" unmaskedvalue="45"/>
- <field name="ip.hdr_len" showname=".... 0101 = Header Length: 20 bytes" size="1" pos="0" show="5" value="5" unmaskedvalue="45"/>
- <field name="ip.dsfield" showname="Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)" size="1" pos="1" show="0x00000000" value="00">
- <field name="ip.dsfield.dscp" showname="0000 00.. = Differentiated Services Codepoint: Default (0)" size="1" pos="1" show="0" value="0" unmaskedvalue="00"/>
- <field name="ip.dsfield.ecn" showname=".... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)" size="1" pos="1" show="0" value="0" unmaskedvalue="00"/>
- </field>
- <field name="ip.len" showname="Total Length: 296" size="2" pos="2" show="296" value="0128"/>
- <field name="ip.id" showname="Identification: 0xffff (65535)" size="2" pos="4" show="0x0000ffff" value="ffff"/>
- <field name="ip.flags" showname="Flags: 0x02 (Don&#x27;t Fragment)" size="1" pos="6" show="0x00000002" value="40">
- <field name="ip.flags.rb" showname="0... .... = Reserved bit: Not set" size="1" pos="6" show="0" value="40"/>
- <field name="ip.flags.df" showname=".1.. .... = Don&#x27;t fragment: Set" size="1" pos="6" show="1" value="40"/>
- <field name="ip.flags.mf" showname="..0. .... = More fragments: Not set" size="1" pos="6" show="0" value="40"/>
- </field>
- <field name="ip.frag_offset" showname="Fragment offset: 0" size="2" pos="6" show="0" value="4000"/>
- <field name="ip.ttl" showname="Time to live: 255" size="1" pos="8" show="255" value="ff"/>
- <field name="ip.proto" showname="Protocol: TCP (6)" size="1" pos="9" show="6" value="06"/>
- <field name="ip.checksum" showname="Header checksum: 0x0000 [validation disabled]" size="2" pos="10" show="0x00000000" value="0000">
- <field name="ip.checksum_good" showname="Good: False" size="2" pos="10" show="0" value="0000"/>
- <field name="ip.checksum_bad" showname="Bad: False" size="2" pos="10" show="0" value="0000"/>
- </field>
- <field name="ip.src" showname="Source: 127.0.0.21" size="4" pos="12" show="127.0.0.21" value="7f000015"/>
- <field name="ip.addr" showname="Source or Destination Address: 127.0.0.21" hide="yes" size="4" pos="12" show="127.0.0.21" value="7f000015"/>
- <field name="ip.src_host" showname="Source Host: 127.0.0.21" hide="yes" size="4" pos="12" show="127.0.0.21" value="7f000015"/>
- <field name="ip.host" showname="Source or Destination Host: 127.0.0.21" hide="yes" size="4" pos="12" show="127.0.0.21" value="7f000015"/>
- <field name="ip.dst" showname="Destination: 127.0.0.21" size="4" pos="16" show="127.0.0.21" value="7f000015"/>
- <field name="ip.addr" showname="Source or Destination Address: 127.0.0.21" hide="yes" size="4" pos="16" show="127.0.0.21" value="7f000015"/>
- <field name="ip.dst_host" showname="Destination Host: 127.0.0.21" hide="yes" size="4" pos="16" show="127.0.0.21" value="7f000015"/>
- <field name="ip.host" showname="Source or Destination Host: 127.0.0.21" hide="yes" size="4" pos="16" show="127.0.0.21" value="7f000015"/>
- <field name="" show="Source GeoIP: Unknown" size="4" pos="12" value="7f000015"/>
- <field name="" show="Destination GeoIP: Unknown" size="4" pos="16" value="7f000015"/>
- </proto>
- <proto name="tcp" showname="Transmission Control Protocol, Src Port: 14723 (14723), Dst Port: 88 (88), Seq: 1, Ack: 1, Len: 256" size="20" pos="20">
- <field name="tcp.srcport" showname="Source Port: 14723" size="2" pos="20" show="14723" value="3983"/>
- <field name="tcp.dstport" showname="Destination Port: 88" size="2" pos="22" show="88" value="0058"/>
- <field name="tcp.port" showname="Source or Destination Port: 14723" hide="yes" size="2" pos="20" show="14723" value="3983"/>
- <field name="tcp.port" showname="Source or Destination Port: 88" hide="yes" size="2" pos="22" show="88" value="0058"/>
- <field name="tcp.stream" showname="Stream index: 0" size="0" pos="20" show="0"/>
- <field name="tcp.len" showname="TCP Segment Len: 256" size="1" pos="32" show="256" value="50"/>
- <field name="tcp.seq" showname="Sequence number: 1 (relative sequence number)" size="4" pos="24" show="1" value="00000001"/>
- <field name="tcp.nxtseq" showname="Next sequence number: 257 (relative sequence number)" size="0" pos="20" show="257"/>
- <field name="tcp.ack" showname="Acknowledgment number: 1 (relative ack number)" size="4" pos="28" show="1" value="00000001"/>
- <field name="tcp.hdr_len" showname="Header Length: 20 bytes" size="1" pos="32" show="20" value="50"/>
- <field name="tcp.flags" showname="Flags: 0x018 (PSH, ACK)" size="2" pos="32" show="0x00000018" value="18" unmaskedvalue="5018">
- <field name="tcp.flags.res" showname="000. .... .... = Reserved: Not set" size="1" pos="32" show="0" value="0" unmaskedvalue="50"/>
- <field name="tcp.flags.ns" showname="...0 .... .... = Nonce: Not set" size="1" pos="32" show="0" value="0" unmaskedvalue="50"/>
- <field name="tcp.flags.cwr" showname=".... 0... .... = Congestion Window Reduced (CWR): Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
- <field name="tcp.flags.ecn" showname=".... .0.. .... = ECN-Echo: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
- <field name="tcp.flags.urg" showname=".... ..0. .... = Urgent: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
- <field name="tcp.flags.ack" showname=".... ...1 .... = Acknowledgment: Set" size="1" pos="33" show="1" value="FFFFFFFF" unmaskedvalue="18"/>
- <field name="tcp.flags.push" showname=".... .... 1... = Push: Set" size="1" pos="33" show="1" value="FFFFFFFF" unmaskedvalue="18"/>
- <field name="tcp.flags.reset" showname=".... .... .0.. = Reset: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
- <field name="tcp.flags.syn" showname=".... .... ..0. = Syn: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
- <field name="tcp.flags.fin" showname=".... .... ...0 = Fin: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
- <field name="tcp.flags.str" showname="TCP Flags: *******AP***" size="2" pos="32" show="*******AP***" value="5018"/>
- </field>
- <field name="tcp.window_size_value" showname="Window size value: 32767" size="2" pos="34" show="32767" value="7fff"/>
- <field name="tcp.window_size" showname="Calculated window size: 32767" size="2" pos="34" show="32767" value="7fff"/>
- <field name="tcp.window_size_scalefactor" showname="Window size scaling factor: -2 (no window scaling used)" size="2" pos="34" show="-2" value="7fff"/>
- <field name="tcp.checksum" showname="Checksum: 0x0000 [validation disabled]" size="2" pos="36" show="0x00000000" value="0000">
- <field name="tcp.checksum_good" showname="Good Checksum: False" size="2" pos="36" show="0" value="0000"/>
- <field name="tcp.checksum_bad" showname="Bad Checksum: False" size="2" pos="36" show="0" value="0000"/>
- </field>
- <field name="tcp.urgent_pointer" showname="Urgent pointer: 0" size="2" pos="38" show="0" value="0000"/>
- <field name="tcp.analysis" showname="SEQ/ACK analysis" size="0" pos="20" show="" value="">
- <field name="tcp.analysis.initial_rtt" showname="iRTT: 0.000012000 seconds" size="0" pos="20" show="0.000012000"/>
- <field name="tcp.analysis.bytes_in_flight" showname="Bytes in flight: 256" size="0" pos="20" show="256"/>
- </field>
- <field name="tcp.pdu.size" showname="PDU Size: 256" size="256" pos="40" show="256" value="000000fc6a81f93081f6a103020105a20302010aa350304e304ca103020102a24504433041a003020112a23a0438cecfe4905d9670c770a992a4645a9c477b639cfafad21ba2e12cc397eb617687733caf785f07d6f23cf87adc9a1fc5cb1b3ca7e6d17cc86fa48197308194a00703050000000000a1153013a003020101a10c300a1b084c4f43414c444324a2131b1153414d42412e4558414d504c452e434f4da3263024a003020102a11d301b1b066b72627467741b1153414d42412e4558414d504c452e434f4da511180f32303137303231313031333631375aa70602043e9a5c0ea81a3018020112020111020110020105020117020103020102020101"/>
- </proto>
- <proto name="kerberos" showname="Kerberos" size="256" pos="40">
- <field name="" show="Record Mark: 252 bytes" size="4" pos="40" value="000000fc">
- <field name="kerberos.rm.reserved" showname="0... .... .... .... .... .... .... .... = Reserved: Not set" size="4" pos="40" show="0" value="0" unmaskedvalue="000000fc"/>
- <field name="kerberos.rm.length" showname=".000 0000 0000 0000 0000 0000 1111 1100 = Record Length: 252" size="4" pos="40" show="252" value="FC" unmaskedvalue="000000fc"/>
- </field>
- <field name="kerberos.as_req_element" showname="as-req" size="249" pos="47" show="" value="">
- <field name="kerberos.pvno" showname="pvno: 5" size="1" pos="54" show="5" value="05"/>
- <field name="kerberos.msg_type" showname="msg-type: krb-as-req (10)" size="1" pos="59" show="10" value="0a"/>
- <field name="kerberos.padata" showname="padata: 1 item" size="78" pos="64" show="1" value="304ca103020102a24504433041a003020112a23a0438cecfe4905d9670c770a992a4645a9c477b639cfafad21ba2e12cc397eb617687733caf785f07d6f23cf87adc9a1fc5cb1b3ca7e6d17cc86f">
- <field name="kerberos.PA_DATA_element" showname="PA-DATA PA-ENC-TIMESTAMP" size="78" pos="64" show="" value="">
- <field name="kerberos.padata_type" showname="padata-type: kRB5-PADATA-ENC-TIMESTAMP (2)" size="1" pos="70" show="2" value="02">
- <field name="kerberos.padata_value" showname="padata-value: 3041a003020112a23a0438cecfe4905d9670c770a992a464..." size="67" pos="75" show="30:41:a0:03:02:01:12:a2:3a:04:38:ce:cf:e4:90:5d:96:70:c7:70:a9:92:a4:64:5a:9c:47:7b:63:9c:fa:fa:d2:1b:a2:e1:2c:c3:97:eb:61:76:87:73:3c:af:78:5f:07:d6:f2:3c:f8:7a:dc:9a:1f:c5:cb:1b:3c:a7:e6:d1:7c:c8:6f" value="3041a003020112a23a0438cecfe4905d9670c770a992a4645a9c477b639cfafad21ba2e12cc397eb617687733caf785f07d6f23cf87adc9a1fc5cb1b3ca7e6d17cc86f">
- <field name="kerberos.etype" showname="etype: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)" size="1" pos="81" show="18" value="12"/>
- <field name="kerberos.cipher" showname="cipher: cecfe4905d9670c770a992a4645a9c477b639cfafad21ba2..." size="56" pos="86" show="ce:cf:e4:90:5d:96:70:c7:70:a9:92:a4:64:5a:9c:47:7b:63:9c:fa:fa:d2:1b:a2:e1:2c:c3:97:eb:61:76:87:73:3c:af:78:5f:07:d6:f2:3c:f8:7a:dc:9a:1f:c5:cb:1b:3c:a7:e6:d1:7c:c8:6f" value="cecfe4905d9670c770a992a4645a9c477b639cfafad21ba2e12cc397eb617687733caf785f07d6f23cf87adc9a1fc5cb1b3ca7e6d17cc86f"/>
- </field>
- </field>
- </field>
- </field>
- <field name="kerberos.req_body_element" showname="req-body" size="151" pos="145" show="" value="">
- <field name="ber.bitstring.padding" showname="Padding: 0" size="1" pos="152" show="0" value="00"/>
- <field name="kerberos.kdc_options" showname="kdc-options: 00000000" size="4" pos="153" show="00:00:00:00" value="00000000">
- <field name="kerberos.reserved" showname="0... .... = reserved: False" size="1" pos="153" show="0" value="0" unmaskedvalue="00"/>
- <field name="kerberos.forwardable" showname=".0.. .... = forwardable: False" size="1" pos="153" show="0" value="0" unmaskedvalue="00"/>
- <field name="kerberos.forwarded" showname="..0. .... = forwarded: False" size="1" pos="153" show="0" value="0" unmaskedvalue="00"/>
- <field name="kerberos.proxiable" showname="...0 .... = proxiable: False" size="1" pos="153" show="0" value="0" unmaskedvalue="00"/>
- <field name="kerberos.proxy" showname=".... 0... = proxy: False" size="1" pos="153" show="0" value="0" unmaskedvalue="00"/>
- <field name="kerberos.allow-postdate" showname=".... .0.. = allow-postdate: False" size="1" pos="153" show="0" value="0" unmaskedvalue="00"/>
- <field name="kerberos.postdated" showname=".... ..0. = postdated: False" size="1" pos="153" show="0" value="0" unmaskedvalue="00"/>
- <field name="kerberos.unused7" showname=".... ...0 = unused7: False" size="1" pos="153" show="0" value="0" unmaskedvalue="00"/>
- <field name="kerberos.renewable" showname="0... .... = renewable: False" size="1" pos="154" show="0" value="0" unmaskedvalue="00"/>
- <field name="kerberos.unused9" showname=".0.. .... = unused9: False" size="1" pos="154" show="0" value="0" unmaskedvalue="00"/>
- <field name="kerberos.unused10" showname="..0. .... = unused10: False" size="1" pos="154" show="0" value="0" unmaskedvalue="00"/>
- <field name="kerberos.opt-hardware-auth" showname="...0 .... = opt-hardware-auth: False" size="1" pos="154" show="0" value="0" unmaskedvalue="00"/>
- <field name="kerberos.request-anonymous" showname=".... ..0. = request-anonymous: False" size="1" pos="154" show="0" value="0" unmaskedvalue="00"/>
- <field name="kerberos.canonicalize" showname=".... ...0 = canonicalize: False" size="1" pos="154" show="0" value="0" unmaskedvalue="00"/>
- <field name="kerberos.constrained-delegation" showname="0... .... = constrained-delegation: False" size="1" pos="155" show="0" value="0" unmaskedvalue="00"/>
- <field name="kerberos.disable-transited-check" showname="..0. .... = disable-transited-check: False" size="1" pos="156" show="0" value="0" unmaskedvalue="00"/>
- <field name="kerberos.renewable-ok" showname="...0 .... = renewable-ok: False" size="1" pos="156" show="0" value="0" unmaskedvalue="00"/>
- <field name="kerberos.enc-tkt-in-skey" showname=".... 0... = enc-tkt-in-skey: False" size="1" pos="156" show="0" value="0" unmaskedvalue="00"/>
- <field name="kerberos.renew" showname=".... ..0. = renew: False" size="1" pos="156" show="0" value="0" unmaskedvalue="00"/>
- <field name="kerberos.validate" showname=".... ...0 = validate: False" size="1" pos="156" show="0" value="0" unmaskedvalue="00"/>
- </field>
- <field name="kerberos.cname_element" showname="cname" size="21" pos="159" show="" value="">
- <field name="kerberos.name_type" showname="name-type: kRB5-NT-PRINCIPAL (1)" size="1" pos="165" show="1" value="01"/>
- <field name="kerberos.name_string" showname="name-string: 1 item" size="10" pos="170" show="1" value="1b084c4f43414c444324">
- <field name="kerberos.KerberosString" showname="KerberosString: LOCALDC$" size="8" pos="172" show="LOCALDC$" value="4c4f43414c444324"/>
- </field>
- </field>
- <field name="kerberos.realm" showname="realm: SAMBA.EXAMPLE.COM" size="17" pos="184" show="SAMBA.EXAMPLE.COM" value="53414d42412e4558414d504c452e434f4d"/>
- <field name="kerberos.sname_element" showname="sname" size="38" pos="203" show="" value="">
- <field name="kerberos.name_type" showname="name-type: kRB5-NT-SRV-INST (2)" size="1" pos="209" show="2" value="02"/>
- <field name="kerberos.name_string" showname="name-string: 2 items" size="27" pos="214" show="2" value="1b066b72627467741b1153414d42412e4558414d504c452e434f4d">
- <field name="kerberos.KerberosString" showname="KerberosString: krbtgt" size="6" pos="216" show="krbtgt" value="6b7262746774"/>
- <field name="kerberos.KerberosString" showname="KerberosString: SAMBA.EXAMPLE.COM" size="17" pos="224" show="SAMBA.EXAMPLE.COM" value="53414d42412e4558414d504c452e434f4d"/>
- </field>
- </field>
- <field name="kerberos.till" showname="till: 2017-02-11 01:36:17 (UTC)" size="15" pos="245" show="2017-02-11 01:36:17 (UTC)" value="32303137303231313031333631375a"/>
- <field name="kerberos.nonce" showname="nonce: 1050303502" size="4" pos="264" show="1050303502" value="3e9a5c0e"/>
- <field name="kerberos.etype" showname="etype: 8 items" size="24" pos="272" show="8" value="020112020111020110020105020117020103020102020101">
- <field name="kerberos.ENCTYPE" showname="ENCTYPE: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)" size="1" pos="274" show="18" value="12"/>
- <field name="kerberos.ENCTYPE" showname="ENCTYPE: eTYPE-AES128-CTS-HMAC-SHA1-96 (17)" size="1" pos="277" show="17" value="11"/>
- <field name="kerberos.ENCTYPE" showname="ENCTYPE: eTYPE-DES3-CBC-SHA1 (16)" size="1" pos="280" show="16" value="10"/>
- <field name="kerberos.ENCTYPE" showname="ENCTYPE: eTYPE-DES3-CBC-MD5 (5)" size="1" pos="283" show="5" value="05"/>
- <field name="kerberos.ENCTYPE" showname="ENCTYPE: eTYPE-ARCFOUR-HMAC-MD5 (23)" size="1" pos="286" show="23" value="17"/>
- <field name="kerberos.ENCTYPE" showname="ENCTYPE: eTYPE-DES-CBC-MD5 (3)" size="1" pos="289" show="3" value="03"/>
- <field name="kerberos.ENCTYPE" showname="ENCTYPE: eTYPE-DES-CBC-MD4 (2)" size="1" pos="292" show="2" value="02"/>
- <field name="kerberos.ENCTYPE" showname="ENCTYPE: eTYPE-DES-CBC-CRC (1)" size="1" pos="295" show="1" value="01"/>
- </field>
- </field>
- </field>
- </proto>
-</packet>
-
-<packet>
- <proto name="geninfo" pos="0" showname="General information" size="1527">
- <field name="num" pos="0" show="53" showname="Number" value="35" size="1527"/>
- <field name="len" pos="0" show="1527" showname="Frame Length" value="5f7" size="1527"/>
- <field name="caplen" pos="0" show="1527" showname="Captured Length" value="5f7" size="1527"/>
- <field name="timestamp" pos="0" show="Feb 10, 2017 14:36:18.141276000 NZDT" showname="Captured Time" value="1486690578.141276000" size="1527"/>
- </proto>
- <proto name="frame" showname="Frame 53: 1527 bytes on wire (12216 bits), 1527 bytes captured (12216 bits)" size="1527" pos="0">
- <field name="frame.encap_type" showname="Encapsulation type: Raw IP (7)" size="0" pos="0" show="7"/>
- <field name="frame.time" showname="Arrival Time: Feb 10, 2017 14:36:18.141276000 NZDT" size="0" pos="0" show="Feb 10, 2017 14:36:18.141276000 NZDT"/>
- <field name="frame.offset_shift" showname="Time shift for this packet: 0.000000000 seconds" size="0" pos="0" show="0.000000000"/>
- <field name="frame.time_epoch" showname="Epoch Time: 1486690578.141276000 seconds" size="0" pos="0" show="1486690578.141276000"/>
- <field name="frame.time_delta" showname="Time delta from previous captured frame: 0.003784000 seconds" size="0" pos="0" show="0.003784000"/>
- <field name="frame.time_delta_displayed" showname="Time delta from previous displayed frame: 0.003784000 seconds" size="0" pos="0" show="0.003784000"/>
- <field name="frame.time_relative" showname="Time since reference or first frame: 1.610825000 seconds" size="0" pos="0" show="1.610825000"/>
- <field name="frame.number" showname="Frame Number: 53" size="0" pos="0" show="53"/>
- <field name="frame.len" showname="Frame Length: 1527 bytes (12216 bits)" size="0" pos="0" show="1527"/>
- <field name="frame.cap_len" showname="Capture Length: 1527 bytes (12216 bits)" size="0" pos="0" show="1527"/>
- <field name="frame.marked" showname="Frame is marked: False" size="0" pos="0" show="0"/>
- <field name="frame.ignored" showname="Frame is ignored: False" size="0" pos="0" show="0"/>
- <field name="frame.protocols" showname="Protocols in frame: raw:ip:tcp:kerberos" size="0" pos="0" show="raw:ip:tcp:kerberos"/>
- </proto>
- <proto name="raw" showname="Raw packet data" size="1527" pos="0"/>
- <proto name="ip" showname="Internet Protocol Version 4, Src: 127.0.0.21, Dst: 127.0.0.21" size="20" pos="0">
- <field name="ip.version" showname="0100 .... = Version: 4" size="1" pos="0" show="4" value="4" unmaskedvalue="45"/>
- <field name="ip.hdr_len" showname=".... 0101 = Header Length: 20 bytes" size="1" pos="0" show="5" value="5" unmaskedvalue="45"/>
- <field name="ip.dsfield" showname="Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)" size="1" pos="1" show="0x00000000" value="00">
- <field name="ip.dsfield.dscp" showname="0000 00.. = Differentiated Services Codepoint: Default (0)" size="1" pos="1" show="0" value="0" unmaskedvalue="00"/>
- <field name="ip.dsfield.ecn" showname=".... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)" size="1" pos="1" show="0" value="0" unmaskedvalue="00"/>
- </field>
- <field name="ip.len" showname="Total Length: 1527" size="2" pos="2" show="1527" value="05f7"/>
- <field name="ip.id" showname="Identification: 0xffff (65535)" size="2" pos="4" show="0x0000ffff" value="ffff"/>
- <field name="ip.flags" showname="Flags: 0x02 (Don&#x27;t Fragment)" size="1" pos="6" show="0x00000002" value="40">
- <field name="ip.flags.rb" showname="0... .... = Reserved bit: Not set" size="1" pos="6" show="0" value="40"/>
- <field name="ip.flags.df" showname=".1.. .... = Don&#x27;t fragment: Set" size="1" pos="6" show="1" value="40"/>
- <field name="ip.flags.mf" showname="..0. .... = More fragments: Not set" size="1" pos="6" show="0" value="40"/>
- </field>
- <field name="ip.frag_offset" showname="Fragment offset: 0" size="2" pos="6" show="0" value="4000"/>
- <field name="ip.ttl" showname="Time to live: 255" size="1" pos="8" show="255" value="ff"/>
- <field name="ip.proto" showname="Protocol: TCP (6)" size="1" pos="9" show="6" value="06"/>
- <field name="ip.checksum" showname="Header checksum: 0x0000 [validation disabled]" size="2" pos="10" show="0x00000000" value="0000">
- <field name="ip.checksum_good" showname="Good: False" size="2" pos="10" show="0" value="0000"/>
- <field name="ip.checksum_bad" showname="Bad: False" size="2" pos="10" show="0" value="0000"/>
- </field>
- <field name="ip.src" showname="Source: 127.0.0.21" size="4" pos="12" show="127.0.0.21" value="7f000015"/>
- <field name="ip.addr" showname="Source or Destination Address: 127.0.0.21" hide="yes" size="4" pos="12" show="127.0.0.21" value="7f000015"/>
- <field name="ip.src_host" showname="Source Host: 127.0.0.21" hide="yes" size="4" pos="12" show="127.0.0.21" value="7f000015"/>
- <field name="ip.host" showname="Source or Destination Host: 127.0.0.21" hide="yes" size="4" pos="12" show="127.0.0.21" value="7f000015"/>
- <field name="ip.dst" showname="Destination: 127.0.0.21" size="4" pos="16" show="127.0.0.21" value="7f000015"/>
- <field name="ip.addr" showname="Source or Destination Address: 127.0.0.21" hide="yes" size="4" pos="16" show="127.0.0.21" value="7f000015"/>
- <field name="ip.dst_host" showname="Destination Host: 127.0.0.21" hide="yes" size="4" pos="16" show="127.0.0.21" value="7f000015"/>
- <field name="ip.host" showname="Source or Destination Host: 127.0.0.21" hide="yes" size="4" pos="16" show="127.0.0.21" value="7f000015"/>
- <field name="" show="Source GeoIP: Unknown" size="4" pos="12" value="7f000015"/>
- <field name="" show="Destination GeoIP: Unknown" size="4" pos="16" value="7f000015"/>
- </proto>
- <proto name="tcp" showname="Transmission Control Protocol, Src Port: 88 (88), Dst Port: 14723 (14723), Seq: 1, Ack: 257, Len: 1487" size="20" pos="20">
- <field name="tcp.srcport" showname="Source Port: 88" size="2" pos="20" show="88" value="0058"/>
- <field name="tcp.dstport" showname="Destination Port: 14723" size="2" pos="22" show="14723" value="3983"/>
- <field name="tcp.port" showname="Source or Destination Port: 88" hide="yes" size="2" pos="20" show="88" value="0058"/>
- <field name="tcp.port" showname="Source or Destination Port: 14723" hide="yes" size="2" pos="22" show="14723" value="3983"/>
- <field name="tcp.stream" showname="Stream index: 0" size="0" pos="20" show="0"/>
- <field name="tcp.len" showname="TCP Segment Len: 1487" size="1" pos="32" show="1487" value="50"/>
- <field name="tcp.seq" showname="Sequence number: 1 (relative sequence number)" size="4" pos="24" show="1" value="00000001"/>
- <field name="tcp.nxtseq" showname="Next sequence number: 1488 (relative sequence number)" size="0" pos="20" show="1488"/>
- <field name="tcp.ack" showname="Acknowledgment number: 257 (relative ack number)" size="4" pos="28" show="257" value="00000101"/>
- <field name="tcp.hdr_len" showname="Header Length: 20 bytes" size="1" pos="32" show="20" value="50"/>
- <field name="tcp.flags" showname="Flags: 0x018 (PSH, ACK)" size="2" pos="32" show="0x00000018" value="18" unmaskedvalue="5018">
- <field name="tcp.flags.res" showname="000. .... .... = Reserved: Not set" size="1" pos="32" show="0" value="0" unmaskedvalue="50"/>
- <field name="tcp.flags.ns" showname="...0 .... .... = Nonce: Not set" size="1" pos="32" show="0" value="0" unmaskedvalue="50"/>
- <field name="tcp.flags.cwr" showname=".... 0... .... = Congestion Window Reduced (CWR): Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
- <field name="tcp.flags.ecn" showname=".... .0.. .... = ECN-Echo: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
- <field name="tcp.flags.urg" showname=".... ..0. .... = Urgent: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
- <field name="tcp.flags.ack" showname=".... ...1 .... = Acknowledgment: Set" size="1" pos="33" show="1" value="FFFFFFFF" unmaskedvalue="18"/>
- <field name="tcp.flags.push" showname=".... .... 1... = Push: Set" size="1" pos="33" show="1" value="FFFFFFFF" unmaskedvalue="18"/>
- <field name="tcp.flags.reset" showname=".... .... .0.. = Reset: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
- <field name="tcp.flags.syn" showname=".... .... ..0. = Syn: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
- <field name="tcp.flags.fin" showname=".... .... ...0 = Fin: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
- <field name="tcp.flags.str" showname="TCP Flags: *******AP***" size="2" pos="32" show="*******AP***" value="5018"/>
- </field>
- <field name="tcp.window_size_value" showname="Window size value: 32767" size="2" pos="34" show="32767" value="7fff"/>
- <field name="tcp.window_size" showname="Calculated window size: 32767" size="2" pos="34" show="32767" value="7fff"/>
- <field name="tcp.window_size_scalefactor" showname="Window size scaling factor: -2 (no window scaling used)" size="2" pos="34" show="-2" value="7fff"/>
- <field name="tcp.checksum" showname="Checksum: 0x0000 [validation disabled]" size="2" pos="36" show="0x00000000" value="0000">
- <field name="tcp.checksum_good" showname="Good Checksum: False" size="2" pos="36" show="0" value="0000"/>
- <field name="tcp.checksum_bad" showname="Bad Checksum: False" size="2" pos="36" show="0" value="0000"/>
- </field>
- <field name="tcp.urgent_pointer" showname="Urgent pointer: 0" size="2" pos="38" show="0" value="0000"/>
- <field name="tcp.analysis" showname="SEQ/ACK analysis" size="0" pos="20" show="" value="">
- <field name="tcp.analysis.acks_frame" showname="This is an ACK to the segment in frame: 47" size="0" pos="20" show="47"/>
- <field name="tcp.analysis.ack_rtt" showname="The RTT to ACK the segment was: 0.003941000 seconds" size="0" pos="20" show="0.003941000"/>
- <field name="tcp.analysis.initial_rtt" showname="iRTT: 0.000012000 seconds" size="0" pos="20" show="0.000012000"/>
- <field name="tcp.analysis.bytes_in_flight" showname="Bytes in flight: 1487" size="0" pos="20" show="1487"/>
- </field>
- <field name="tcp.pdu.size" showname="PDU Size: 1487" size="1487" pos="40" show="1487" value="...elided..."/>
- </proto>
- <proto name="kerberos" showname="Kerberos" size="1487" pos="40">
- <field name="" show="Record Mark: 1483 bytes" size="4" pos="40" value="000005cb">
- <field name="kerberos.rm.reserved" showname="0... .... .... .... .... .... .... .... = Reserved: Not set" size="4" pos="40" show="0" value="0" unmaskedvalue="000005cb"/>
- <field name="kerberos.rm.length" showname=".000 0000 0000 0000 0000 0101 1100 1011 = Record Length: 1483" size="4" pos="40" show="1483" value="5CB" unmaskedvalue="000005cb"/>
- </field>
- <field name="kerberos.as_rep_element" showname="as-rep" size="1479" pos="48" show="" value="">
- <field name="kerberos.pvno" showname="pvno: 5" size="1" pos="56" show="5" value="05"/>
- <field name="kerberos.msg_type" showname="msg-type: krb-as-rep (11)" size="1" pos="61" show="11" value="0b"/>
- <field name="kerberos.padata" showname="padata: 1 item" size="57" pos="66" show="1" value="3037a103020103a230042e53414d42412e4558414d504c452e434f4d686f73746c6f63616c64632e73616d62612e6578616d706c652e636f6d">
- <field name="kerberos.PA_DATA_element" showname="PA-DATA PA-PW-SALT" size="57" pos="66" show="" value="">
- <field name="kerberos.padata_type" showname="padata-type: kRB5-PADATA-PW-SALT (3)" size="1" pos="72" show="3" value="03">
- <field name="kerberos.padata_value" showname="padata-value: 53414d42412e4558414d504c452e434f4d686f73746c6f63..." size="46" pos="77" show="53:41:4d:42:41:2e:45:58:41:4d:50:4c:45:2e:43:4f:4d:68:6f:73:74:6c:6f:63:61:6c:64:63:2e:73:61:6d:62:61:2e:65:78:61:6d:70:6c:65:2e:63:6f:6d" value="53414d42412e4558414d504c452e434f4d686f73746c6f63616c64632e73616d62612e6578616d706c652e636f6d">
- <field name="kerberos.smb.nt_status" showname="NT Status: Unknown (0x424d4153)" size="4" pos="77" show="0x424d4153" value="53414d42"/>
- <field name="kerberos.smb.unknown" showname="Unknown: 0x58452e41" size="4" pos="81" show="0x58452e41" value="412e4558"/>
- <field name="kerberos.smb.unknown" showname="Unknown: 0x4c504d41" size="4" pos="85" show="0x4c504d41" value="414d504c"/>
- </field>
- </field>
- </field>
- </field>
- <field name="kerberos.crealm" showname="crealm: SAMBA.EXAMPLE.COM" size="17" pos="127" show="SAMBA.EXAMPLE.COM" value="53414d42412e4558414d504c452e434f4d"/>
- <field name="kerberos.cname_element" showname="cname" size="21" pos="146" show="" value="">
- <field name="kerberos.name_type" showname="name-type: kRB5-NT-PRINCIPAL (1)" size="1" pos="152" show="1" value="01"/>
- <field name="kerberos.name_string" showname="name-string: 1 item" size="10" pos="157" show="1" value="1b084c4f43414c444324">
- <field name="kerberos.KerberosString" showname="KerberosString: LOCALDC$" size="8" pos="159" show="LOCALDC$" value="4c4f43414c444324"/>
- </field>
- </field>
- <field name="kerberos.ticket_element" showname="ticket" size="1105" pos="175" show="" value="">
- <field name="kerberos.tkt_vno" showname="tkt-vno: 5" size="1" pos="183" show="5" value="05"/>
- <field name="kerberos.realm" showname="realm: SAMBA.EXAMPLE.COM" size="17" pos="188" show="SAMBA.EXAMPLE.COM" value="53414d42412e4558414d504c452e434f4d"/>
- <field name="kerberos.sname_element" showname="sname" size="38" pos="207" show="" value="">
- <field name="kerberos.name_type" showname="name-type: kRB5-NT-SRV-INST (2)" size="1" pos="213" show="2" value="02"/>
- <field name="kerberos.name_string" showname="name-string: 2 items" size="27" pos="218" show="2" value="1b066b72627467741b1153414d42412e4558414d504c452e434f4d">
- <field name="kerberos.KerberosString" showname="KerberosString: krbtgt" size="6" pos="220" show="krbtgt" value="6b7262746774"/>
- <field name="kerberos.KerberosString" showname="KerberosString: SAMBA.EXAMPLE.COM" size="17" pos="228" show="SAMBA.EXAMPLE.COM" value="53414d42412e4558414d504c452e434f4d"/>
- </field>
- </field>
- <field name="kerberos.enc_part_element" showname="enc-part" size="1031" pos="249" show="" value="">
- <field name="kerberos.etype" showname="etype: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)" size="1" pos="257" show="18" value="12"/>
- <field name="kerberos.kvno" showname="kvno: 1" size="1" pos="262" show="1" value="01"/>
- <field name="kerberos.cipher" showname="cipher: 22e144d817a8c9e491c0eaa7aaf8e719ed4e92231d14006c..." size="1009" pos="271" show="...elided..." value="...elided..."/>
- </field>
- </field>
- <field name="kerberos.enc_part_element" showname="enc-part" size="244" pos="1283" show="" value="">
- <field name="kerberos.etype" showname="etype: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)" size="1" pos="1290" show="18" value="12"/>
- <field name="kerberos.kvno" showname="kvno: 1" size="1" pos="1295" show="1" value="01"/>
- <field name="kerberos.cipher" showname="cipher: 0131d06ef55ec3e3dd9a2de408afb6236c32fc6776e0cde6..." size="225" pos="1302" show="...elided..." value="...elided..."/>
- </field>
- </field>
- </proto>
-</packet>
-
-<packet>
- <proto name="geninfo" pos="0" showname="General information" size="301">
- <field name="num" pos="0" show="2400" showname="Number" value="960" size="301"/>
- <field name="len" pos="0" show="301" showname="Frame Length" value="12d" size="301"/>
- <field name="caplen" pos="0" show="301" showname="Captured Length" value="12d" size="301"/>
- <field name="timestamp" pos="0" show="Feb 10, 2017 14:36:24.104038000 NZDT" showname="Captured Time" value="1486690584.104038000" size="301"/>
- </proto>
- <proto name="frame" showname="Frame 2400: 301 bytes on wire (2408 bits), 301 bytes captured (2408 bits)" size="301" pos="0">
- <field name="frame.encap_type" showname="Encapsulation type: Raw IP (7)" size="0" pos="0" show="7"/>
- <field name="frame.time" showname="Arrival Time: Feb 10, 2017 14:36:24.104038000 NZDT" size="0" pos="0" show="Feb 10, 2017 14:36:24.104038000 NZDT"/>
- <field name="frame.offset_shift" showname="Time shift for this packet: 0.000000000 seconds" size="0" pos="0" show="0.000000000"/>
- <field name="frame.time_epoch" showname="Epoch Time: 1486690584.104038000 seconds" size="0" pos="0" show="1486690584.104038000"/>
- <field name="frame.time_delta" showname="Time delta from previous captured frame: 0.000010000 seconds" size="0" pos="0" show="0.000010000"/>
- <field name="frame.time_delta_displayed" showname="Time delta from previous displayed frame: 0.000010000 seconds" size="0" pos="0" show="0.000010000"/>
- <field name="frame.time_relative" showname="Time since reference or first frame: 7.573587000 seconds" size="0" pos="0" show="7.573587000"/>
- <field name="frame.number" showname="Frame Number: 2400" size="0" pos="0" show="2400"/>
- <field name="frame.len" showname="Frame Length: 301 bytes (2408 bits)" size="0" pos="0" show="301"/>
- <field name="frame.cap_len" showname="Capture Length: 301 bytes (2408 bits)" size="0" pos="0" show="301"/>
- <field name="frame.marked" showname="Frame is marked: False" size="0" pos="0" show="0"/>
- <field name="frame.ignored" showname="Frame is ignored: False" size="0" pos="0" show="0"/>
- <field name="frame.protocols" showname="Protocols in frame: raw:ip:tcp:kerberos" size="0" pos="0" show="raw:ip:tcp:kerberos"/>
- </proto>
- <proto name="raw" showname="Raw packet data" size="301" pos="0"/>
- <proto name="ip" showname="Internet Protocol Version 4, Src: 127.0.0.11, Dst: 127.0.0.21" size="20" pos="0">
- <field name="ip.version" showname="0100 .... = Version: 4" size="1" pos="0" show="4" value="4" unmaskedvalue="45"/>
- <field name="ip.hdr_len" showname=".... 0101 = Header Length: 20 bytes" size="1" pos="0" show="5" value="5" unmaskedvalue="45"/>
- <field name="ip.dsfield" showname="Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)" size="1" pos="1" show="0x00000000" value="00">
- <field name="ip.dsfield.dscp" showname="0000 00.. = Differentiated Services Codepoint: Default (0)" size="1" pos="1" show="0" value="0" unmaskedvalue="00"/>
- <field name="ip.dsfield.ecn" showname=".... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)" size="1" pos="1" show="0" value="0" unmaskedvalue="00"/>
- </field>
- <field name="ip.len" showname="Total Length: 301" size="2" pos="2" show="301" value="012d"/>
- <field name="ip.id" showname="Identification: 0xffff (65535)" size="2" pos="4" show="0x0000ffff" value="ffff"/>
- <field name="ip.flags" showname="Flags: 0x02 (Don&#x27;t Fragment)" size="1" pos="6" show="0x00000002" value="40">
- <field name="ip.flags.rb" showname="0... .... = Reserved bit: Not set" size="1" pos="6" show="0" value="40"/>
- <field name="ip.flags.df" showname=".1.. .... = Don&#x27;t fragment: Set" size="1" pos="6" show="1" value="40"/>
- <field name="ip.flags.mf" showname="..0. .... = More fragments: Not set" size="1" pos="6" show="0" value="40"/>
- </field>
- <field name="ip.frag_offset" showname="Fragment offset: 0" size="2" pos="6" show="0" value="4000"/>
- <field name="ip.ttl" showname="Time to live: 255" size="1" pos="8" show="255" value="ff"/>
- <field name="ip.proto" showname="Protocol: TCP (6)" size="1" pos="9" show="6" value="06"/>
- <field name="ip.checksum" showname="Header checksum: 0x0000 [validation disabled]" size="2" pos="10" show="0x00000000" value="0000">
- <field name="ip.checksum_good" showname="Good: False" size="2" pos="10" show="0" value="0000"/>
- <field name="ip.checksum_bad" showname="Bad: False" size="2" pos="10" show="0" value="0000"/>
- </field>
- <field name="ip.src" showname="Source: 127.0.0.11" size="4" pos="12" show="127.0.0.11" value="7f00000b"/>
- <field name="ip.addr" showname="Source or Destination Address: 127.0.0.11" hide="yes" size="4" pos="12" show="127.0.0.11" value="7f00000b"/>
- <field name="ip.src_host" showname="Source Host: 127.0.0.11" hide="yes" size="4" pos="12" show="127.0.0.11" value="7f00000b"/>
- <field name="ip.host" showname="Source or Destination Host: 127.0.0.11" hide="yes" size="4" pos="12" show="127.0.0.11" value="7f00000b"/>
- <field name="ip.dst" showname="Destination: 127.0.0.21" size="4" pos="16" show="127.0.0.21" value="7f000015"/>
- <field name="ip.addr" showname="Source or Destination Address: 127.0.0.21" hide="yes" size="4" pos="16" show="127.0.0.21" value="7f000015"/>
- <field name="ip.dst_host" showname="Destination Host: 127.0.0.21" hide="yes" size="4" pos="16" show="127.0.0.21" value="7f000015"/>
- <field name="ip.host" showname="Source or Destination Host: 127.0.0.21" hide="yes" size="4" pos="16" show="127.0.0.21" value="7f000015"/>
- <field name="" show="Source GeoIP: Unknown" size="4" pos="12" value="7f00000b"/>
- <field name="" show="Destination GeoIP: Unknown" size="4" pos="16" value="7f000015"/>
- </proto>
- <proto name="tcp" showname="Transmission Control Protocol, Src Port: 14787 (14787), Dst Port: 88 (88), Seq: 1, Ack: 1, Len: 261" size="20" pos="20">
- <field name="tcp.srcport" showname="Source Port: 14787" size="2" pos="20" show="14787" value="39c3"/>
- <field name="tcp.dstport" showname="Destination Port: 88" size="2" pos="22" show="88" value="0058"/>
- <field name="tcp.port" showname="Source or Destination Port: 14787" hide="yes" size="2" pos="20" show="14787" value="39c3"/>
- <field name="tcp.port" showname="Source or Destination Port: 88" hide="yes" size="2" pos="22" show="88" value="0058"/>
- <field name="tcp.stream" showname="Stream index: 49" size="0" pos="20" show="49"/>
- <field name="tcp.len" showname="TCP Segment Len: 261" size="1" pos="32" show="261" value="50"/>
- <field name="tcp.seq" showname="Sequence number: 1 (relative sequence number)" size="4" pos="24" show="1" value="00000001"/>
- <field name="tcp.nxtseq" showname="Next sequence number: 262 (relative sequence number)" size="0" pos="20" show="262"/>
- <field name="tcp.ack" showname="Acknowledgment number: 1 (relative ack number)" size="4" pos="28" show="1" value="00000001"/>
- <field name="tcp.hdr_len" showname="Header Length: 20 bytes" size="1" pos="32" show="20" value="50"/>
- <field name="tcp.flags" showname="Flags: 0x018 (PSH, ACK)" size="2" pos="32" show="0x00000018" value="18" unmaskedvalue="5018">
- <field name="tcp.flags.res" showname="000. .... .... = Reserved: Not set" size="1" pos="32" show="0" value="0" unmaskedvalue="50"/>
- <field name="tcp.flags.ns" showname="...0 .... .... = Nonce: Not set" size="1" pos="32" show="0" value="0" unmaskedvalue="50"/>
- <field name="tcp.flags.cwr" showname=".... 0... .... = Congestion Window Reduced (CWR): Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
- <field name="tcp.flags.ecn" showname=".... .0.. .... = ECN-Echo: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
- <field name="tcp.flags.urg" showname=".... ..0. .... = Urgent: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
- <field name="tcp.flags.ack" showname=".... ...1 .... = Acknowledgment: Set" size="1" pos="33" show="1" value="FFFFFFFF" unmaskedvalue="18"/>
- <field name="tcp.flags.push" showname=".... .... 1... = Push: Set" size="1" pos="33" show="1" value="FFFFFFFF" unmaskedvalue="18"/>
- <field name="tcp.flags.reset" showname=".... .... .0.. = Reset: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
- <field name="tcp.flags.syn" showname=".... .... ..0. = Syn: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
- <field name="tcp.flags.fin" showname=".... .... ...0 = Fin: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
- <field name="tcp.flags.str" showname="TCP Flags: *******AP***" size="2" pos="32" show="*******AP***" value="5018"/>
- </field>
- <field name="tcp.window_size_value" showname="Window size value: 32767" size="2" pos="34" show="32767" value="7fff"/>
- <field name="tcp.window_size" showname="Calculated window size: 32767" size="2" pos="34" show="32767" value="7fff"/>
- <field name="tcp.window_size_scalefactor" showname="Window size scaling factor: -2 (no window scaling used)" size="2" pos="34" show="-2" value="7fff"/>
- <field name="tcp.checksum" showname="Checksum: 0x0000 [validation disabled]" size="2" pos="36" show="0x00000000" value="0000">
- <field name="tcp.checksum_good" showname="Good Checksum: False" size="2" pos="36" show="0" value="0000"/>
- <field name="tcp.checksum_bad" showname="Bad Checksum: False" size="2" pos="36" show="0" value="0000"/>
- </field>
- <field name="tcp.urgent_pointer" showname="Urgent pointer: 0" size="2" pos="38" show="0" value="0000"/>
- <field name="tcp.analysis" showname="SEQ/ACK analysis" size="0" pos="20" show="" value="">
- <field name="tcp.analysis.initial_rtt" showname="iRTT: 0.000009000 seconds" size="0" pos="20" show="0.000009000"/>
- <field name="tcp.analysis.bytes_in_flight" showname="Bytes in flight: 261" size="0" pos="20" show="261"/>
- </field>
- <field name="tcp.pdu.size" showname="PDU Size: 261" size="261" pos="40" show="261" value="...elided..."/>
- </proto>
- <proto name="kerberos" showname="Kerberos" size="261" pos="40">
- <field name="" show="Record Mark: 257 bytes" size="4" pos="40" value="00000101">
- <field name="kerberos.rm.reserved" showname="0... .... .... .... .... .... .... .... = Reserved: Not set" size="4" pos="40" show="0" value="0" unmaskedvalue="00000101"/>
- <field name="kerberos.rm.length" showname=".000 0000 0000 0000 0000 0001 0000 0001 = Record Length: 257" size="4" pos="40" show="257" value="101" unmaskedvalue="00000101"/>
- </field>
- <field name="kerberos.as_req_element" showname="as-req" size="254" pos="47" show="" value="">
- <field name="kerberos.pvno" showname="pvno: 5" size="1" pos="54" show="5" value="05"/>
- <field name="kerberos.msg_type" showname="msg-type: krb-as-req (10)" size="1" pos="59" show="10" value="0a"/>
- <field name="kerberos.padata" showname="padata: 1 item" size="78" pos="64" show="1" value="...elided...">
- <field name="kerberos.PA_DATA_element" showname="PA-DATA PA-ENC-TIMESTAMP" size="78" pos="64" show="" value="">
- <field name="kerberos.padata_type" showname="padata-type: kRB5-PADATA-ENC-TIMESTAMP (2)" size="1" pos="70" show="2" value="02">
- <field name="kerberos.padata_value" showname="padata-value: 3041a003020112a23a0438cf413abdcde5fe3a6b82a38e52..." size="67" pos="75" show="...elided..." value="...elided...">
- <field name="kerberos.etype" showname="etype: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)" size="1" pos="81" show="18" value="12"/>
- <field name="kerberos.cipher" showname="cipher: cf413abdcde5fe3a6b82a38e520fb2dc3063cae319cecdc1..." size="56" pos="86" show="...elided..." value="...elided..."/>
- </field>
- </field>
- </field>
- </field>
- <field name="kerberos.req_body_element" showname="req-body" size="156" pos="145" show="" value="">
- <field name="ber.bitstring.padding" showname="Padding: 0" size="1" pos="152" show="0" value="00"/>
- <field name="kerberos.kdc_options" showname="kdc-options: 40000000 (forwardable)" size="4" pos="153" show="40:00:00:00" value="40000000">
- <field name="kerberos.reserved" showname="0... .... = reserved: False" size="1" pos="153" show="0" value="0" unmaskedvalue="40"/>
- <field name="kerberos.forwardable" showname=".1.. .... = forwardable: True" size="1" pos="153" show="1" value="FFFFFFFF" unmaskedvalue="40"/>
- <field name="kerberos.forwarded" showname="..0. .... = forwarded: False" size="1" pos="153" show="0" value="0" unmaskedvalue="40"/>
- <field name="kerberos.proxiable" showname="...0 .... = proxiable: False" size="1" pos="153" show="0" value="0" unmaskedvalue="40"/>
- <field name="kerberos.proxy" showname=".... 0... = proxy: False" size="1" pos="153" show="0" value="0" unmaskedvalue="40"/>
- <field name="kerberos.allow-postdate" showname=".... .0.. = allow-postdate: False" size="1" pos="153" show="0" value="0" unmaskedvalue="40"/>
- <field name="kerberos.postdated" showname=".... ..0. = postdated: False" size="1" pos="153" show="0" value="0" unmaskedvalue="40"/>
- <field name="kerberos.unused7" showname=".... ...0 = unused7: False" size="1" pos="153" show="0" value="0" unmaskedvalue="40"/>
- <field name="kerberos.renewable" showname="0... .... = renewable: False" size="1" pos="154" show="0" value="0" unmaskedvalue="00"/>
- <field name="kerberos.unused9" showname=".0.. .... = unused9: False" size="1" pos="154" show="0" value="0" unmaskedvalue="00"/>
- <field name="kerberos.unused10" showname="..0. .... = unused10: False" size="1" pos="154" show="0" value="0" unmaskedvalue="00"/>
- <field name="kerberos.opt-hardware-auth" showname="...0 .... = opt-hardware-auth: False" size="1" pos="154" show="0" value="0" unmaskedvalue="00"/>
- <field name="kerberos.request-anonymous" showname=".... ..0. = request-anonymous: False" size="1" pos="154" show="0" value="0" unmaskedvalue="00"/>
- <field name="kerberos.canonicalize" showname=".... ...0 = canonicalize: False" size="1" pos="154" show="0" value="0" unmaskedvalue="00"/>
- <field name="kerberos.constrained-delegation" showname="0... .... = constrained-delegation: False" size="1" pos="155" show="0" value="0" unmaskedvalue="00"/>
- <field name="kerberos.disable-transited-check" showname="..0. .... = disable-transited-check: False" size="1" pos="156" show="0" value="0" unmaskedvalue="00"/>
- <field name="kerberos.renewable-ok" showname="...0 .... = renewable-ok: False" size="1" pos="156" show="0" value="0" unmaskedvalue="00"/>
- <field name="kerberos.enc-tkt-in-skey" showname=".... 0... = enc-tkt-in-skey: False" size="1" pos="156" show="0" value="0" unmaskedvalue="00"/>
- <field name="kerberos.renew" showname=".... ..0. = renew: False" size="1" pos="156" show="0" value="0" unmaskedvalue="00"/>
- <field name="kerberos.validate" showname=".... ...0 = validate: False" size="1" pos="156" show="0" value="0" unmaskedvalue="00"/>
- </field>
- <field name="kerberos.cname_element" showname="cname" size="26" pos="159" show="" value="">
- <field name="kerberos.name_type" showname="name-type: kRB5-NT-PRINCIPAL (1)" size="1" pos="165" show="1" value="01"/>
- <field name="kerberos.name_string" showname="name-string: 1 item" size="15" pos="170" show="1" value="1b0d41646d696e6973747261746f72">
- <field name="kerberos.KerberosString" showname="KerberosString: Administrator" size="13" pos="172" show="Administrator" value="41646d696e6973747261746f72"/>
- </field>
- </field>
- <field name="kerberos.realm" showname="realm: SAMBA.EXAMPLE.COM" size="17" pos="189" show="SAMBA.EXAMPLE.COM" value="53414d42412e4558414d504c452e434f4d"/>
- <field name="kerberos.sname_element" showname="sname" size="38" pos="208" show="" value="">
- <field name="kerberos.name_type" showname="name-type: kRB5-NT-SRV-INST (2)" size="1" pos="214" show="2" value="02"/>
- <field name="kerberos.name_string" showname="name-string: 2 items" size="27" pos="219" show="2" value="1b066b72627467741b1153414d42412e4558414d504c452e434f4d">
- <field name="kerberos.KerberosString" showname="KerberosString: krbtgt" size="6" pos="221" show="krbtgt" value="6b7262746774"/>
- <field name="kerberos.KerberosString" showname="KerberosString: SAMBA.EXAMPLE.COM" size="17" pos="229" show="SAMBA.EXAMPLE.COM" value="53414d42412e4558414d504c452e434f4d"/>
- </field>
- </field>
- <field name="kerberos.till" showname="till: 2017-02-11 01:36:24 (UTC)" size="15" pos="250" show="2017-02-11 01:36:24 (UTC)" value="32303137303231313031333632345a"/>
- <field name="kerberos.nonce" showname="nonce: 1225047325" size="4" pos="269" show="1225047325" value="4904bd1d"/>
- <field name="kerberos.etype" showname="etype: 8 items" size="24" pos="277" show="8" value="020112020111020110020105020117020103020102020101">
- <field name="kerberos.ENCTYPE" showname="ENCTYPE: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)" size="1" pos="279" show="18" value="12"/>
- <field name="kerberos.ENCTYPE" showname="ENCTYPE: eTYPE-AES128-CTS-HMAC-SHA1-96 (17)" size="1" pos="282" show="17" value="11"/>
- <field name="kerberos.ENCTYPE" showname="ENCTYPE: eTYPE-DES3-CBC-SHA1 (16)" size="1" pos="285" show="16" value="10"/>
- <field name="kerberos.ENCTYPE" showname="ENCTYPE: eTYPE-DES3-CBC-MD5 (5)" size="1" pos="288" show="5" value="05"/>
- <field name="kerberos.ENCTYPE" showname="ENCTYPE: eTYPE-ARCFOUR-HMAC-MD5 (23)" size="1" pos="291" show="23" value="17"/>
- <field name="kerberos.ENCTYPE" showname="ENCTYPE: eTYPE-DES-CBC-MD5 (3)" size="1" pos="294" show="3" value="03"/>
- <field name="kerberos.ENCTYPE" showname="ENCTYPE: eTYPE-DES-CBC-MD4 (2)" size="1" pos="297" show="2" value="02"/>
- <field name="kerberos.ENCTYPE" showname="ENCTYPE: eTYPE-DES-CBC-CRC (1)" size="1" pos="300" show="1" value="01"/>
- </field>
- </field>
- </field>
- </proto>
-</packet>
-
-
-<packet>
- <proto name="geninfo" pos="0" showname="General information" size="70">
- <field name="num" pos="0" show="2408" showname="Number" value="968" size="70"/>
- <field name="len" pos="0" show="70" showname="Frame Length" value="46" size="70"/>
- <field name="caplen" pos="0" show="70" showname="Captured Length" value="46" size="70"/>
- <field name="timestamp" pos="0" show="Feb 10, 2017 14:36:24.108221000 NZDT" showname="Captured Time" value="1486690584.108221000" size="70"/>
- </proto>
- <proto name="frame" showname="Frame 2408: 70 bytes on wire (560 bits), 70 bytes captured (560 bits)" size="70" pos="0">
- <field name="frame.encap_type" showname="Encapsulation type: Raw IP (7)" size="0" pos="0" show="7"/>
- <field name="frame.time" showname="Arrival Time: Feb 10, 2017 14:36:24.108221000 NZDT" size="0" pos="0" show="Feb 10, 2017 14:36:24.108221000 NZDT"/>
- <field name="frame.offset_shift" showname="Time shift for this packet: 0.000000000 seconds" size="0" pos="0" show="0.000000000"/>
- <field name="frame.time_epoch" showname="Epoch Time: 1486690584.108221000 seconds" size="0" pos="0" show="1486690584.108221000"/>
- <field name="frame.time_delta" showname="Time delta from previous captured frame: 0.000003000 seconds" size="0" pos="0" show="0.000003000"/>
- <field name="frame.time_delta_displayed" showname="Time delta from previous displayed frame: 0.000003000 seconds" size="0" pos="0" show="0.000003000"/>
- <field name="frame.time_relative" showname="Time since reference or first frame: 7.577770000 seconds" size="0" pos="0" show="7.577770000"/>
- <field name="frame.number" showname="Frame Number: 2408" size="0" pos="0" show="2408"/>
- <field name="frame.len" showname="Frame Length: 70 bytes (560 bits)" size="0" pos="0" show="70"/>
- <field name="frame.cap_len" showname="Capture Length: 70 bytes (560 bits)" size="0" pos="0" show="70"/>
- <field name="frame.marked" showname="Frame is marked: False" size="0" pos="0" show="0"/>
- <field name="frame.ignored" showname="Frame is ignored: False" size="0" pos="0" show="0"/>
- <field name="frame.protocols" showname="Protocols in frame: raw:ip:tcp:kerberos" size="0" pos="0" show="raw:ip:tcp:kerberos"/>
- </proto>
- <proto name="raw" showname="Raw packet data" size="70" pos="0"/>
- <proto name="ip" showname="Internet Protocol Version 4, Src: 127.0.0.21, Dst: 127.0.0.11" size="20" pos="0">
- <field name="ip.version" showname="0100 .... = Version: 4" size="1" pos="0" show="4" value="4" unmaskedvalue="45"/>
- <field name="ip.hdr_len" showname=".... 0101 = Header Length: 20 bytes" size="1" pos="0" show="5" value="5" unmaskedvalue="45"/>
- <field name="ip.dsfield" showname="Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)" size="1" pos="1" show="0x00000000" value="00">
- <field name="ip.dsfield.dscp" showname="0000 00.. = Differentiated Services Codepoint: Default (0)" size="1" pos="1" show="0" value="0" unmaskedvalue="00"/>
- <field name="ip.dsfield.ecn" showname=".... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)" size="1" pos="1" show="0" value="0" unmaskedvalue="00"/>
- </field>
- <field name="ip.len" showname="Total Length: 70" size="2" pos="2" show="70" value="0046"/>
- <field name="ip.id" showname="Identification: 0xffff (65535)" size="2" pos="4" show="0x0000ffff" value="ffff"/>
- <field name="ip.flags" showname="Flags: 0x02 (Don&#x27;t Fragment)" size="1" pos="6" show="0x00000002" value="40">
- <field name="ip.flags.rb" showname="0... .... = Reserved bit: Not set" size="1" pos="6" show="0" value="40"/>
- <field name="ip.flags.df" showname=".1.. .... = Don&#x27;t fragment: Set" size="1" pos="6" show="1" value="40"/>
- <field name="ip.flags.mf" showname="..0. .... = More fragments: Not set" size="1" pos="6" show="0" value="40"/>
- </field>
- <field name="ip.frag_offset" showname="Fragment offset: 0" size="2" pos="6" show="0" value="4000"/>
- <field name="ip.ttl" showname="Time to live: 255" size="1" pos="8" show="255" value="ff"/>
- <field name="ip.proto" showname="Protocol: TCP (6)" size="1" pos="9" show="6" value="06"/>
- <field name="ip.checksum" showname="Header checksum: 0x0000 [validation disabled]" size="2" pos="10" show="0x00000000" value="0000">
- <field name="ip.checksum_good" showname="Good: False" size="2" pos="10" show="0" value="0000"/>
- <field name="ip.checksum_bad" showname="Bad: False" size="2" pos="10" show="0" value="0000"/>
- </field>
- <field name="ip.src" showname="Source: 127.0.0.21" size="4" pos="12" show="127.0.0.21" value="7f000015"/>
- <field name="ip.addr" showname="Source or Destination Address: 127.0.0.21" hide="yes" size="4" pos="12" show="127.0.0.21" value="7f000015"/>
- <field name="ip.src_host" showname="Source Host: 127.0.0.21" hide="yes" size="4" pos="12" show="127.0.0.21" value="7f000015"/>
- <field name="ip.host" showname="Source or Destination Host: 127.0.0.21" hide="yes" size="4" pos="12" show="127.0.0.21" value="7f000015"/>
- <field name="ip.dst" showname="Destination: 127.0.0.11" size="4" pos="16" show="127.0.0.11" value="7f00000b"/>
- <field name="ip.addr" showname="Source or Destination Address: 127.0.0.11" hide="yes" size="4" pos="16" show="127.0.0.11" value="7f00000b"/>
- <field name="ip.dst_host" showname="Destination Host: 127.0.0.11" hide="yes" size="4" pos="16" show="127.0.0.11" value="7f00000b"/>
- <field name="ip.host" showname="Source or Destination Host: 127.0.0.11" hide="yes" size="4" pos="16" show="127.0.0.11" value="7f00000b"/>
- <field name="" show="Source GeoIP: Unknown" size="4" pos="12" value="7f000015"/>
- <field name="" show="Destination GeoIP: Unknown" size="4" pos="16" value="7f00000b"/>
- </proto>
- <proto name="tcp" showname="Transmission Control Protocol, Src Port: 88 (88), Dst Port: 14787 (14787), Seq: 1505, Ack: 262, Len: 30" size="20" pos="20">
- <field name="tcp.srcport" showname="Source Port: 88" size="2" pos="20" show="88" value="0058"/>
- <field name="tcp.dstport" showname="Destination Port: 14787" size="2" pos="22" show="14787" value="39c3"/>
- <field name="tcp.port" showname="Source or Destination Port: 88" hide="yes" size="2" pos="20" show="88" value="0058"/>
- <field name="tcp.port" showname="Source or Destination Port: 14787" hide="yes" size="2" pos="22" show="14787" value="39c3"/>
- <field name="tcp.stream" showname="Stream index: 49" size="0" pos="20" show="49"/>
- <field name="tcp.len" showname="TCP Segment Len: 30" size="1" pos="32" show="30" value="50"/>
- <field name="tcp.seq" showname="Sequence number: 1505 (relative sequence number)" size="4" pos="24" show="1505" value="000005e1"/>
- <field name="tcp.nxtseq" showname="Next sequence number: 1535 (relative sequence number)" size="0" pos="20" show="1535"/>
- <field name="tcp.ack" showname="Acknowledgment number: 262 (relative ack number)" size="4" pos="28" show="262" value="00000106"/>
- <field name="tcp.hdr_len" showname="Header Length: 20 bytes" size="1" pos="32" show="20" value="50"/>
- <field name="tcp.flags" showname="Flags: 0x018 (PSH, ACK)" size="2" pos="32" show="0x00000018" value="18" unmaskedvalue="5018">
- <field name="tcp.flags.res" showname="000. .... .... = Reserved: Not set" size="1" pos="32" show="0" value="0" unmaskedvalue="50"/>
- <field name="tcp.flags.ns" showname="...0 .... .... = Nonce: Not set" size="1" pos="32" show="0" value="0" unmaskedvalue="50"/>
- <field name="tcp.flags.cwr" showname=".... 0... .... = Congestion Window Reduced (CWR): Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
- <field name="tcp.flags.ecn" showname=".... .0.. .... = ECN-Echo: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
- <field name="tcp.flags.urg" showname=".... ..0. .... = Urgent: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
- <field name="tcp.flags.ack" showname=".... ...1 .... = Acknowledgment: Set" size="1" pos="33" show="1" value="FFFFFFFF" unmaskedvalue="18"/>
- <field name="tcp.flags.push" showname=".... .... 1... = Push: Set" size="1" pos="33" show="1" value="FFFFFFFF" unmaskedvalue="18"/>
- <field name="tcp.flags.reset" showname=".... .... .0.. = Reset: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
- <field name="tcp.flags.syn" showname=".... .... ..0. = Syn: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
- <field name="tcp.flags.fin" showname=".... .... ...0 = Fin: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
- <field name="tcp.flags.str" showname="TCP Flags: *******AP***" size="2" pos="32" show="*******AP***" value="5018"/>
- </field>
- <field name="tcp.window_size_value" showname="Window size value: 32767" size="2" pos="34" show="32767" value="7fff"/>
- <field name="tcp.window_size" showname="Calculated window size: 32767" size="2" pos="34" show="32767" value="7fff"/>
- <field name="tcp.window_size_scalefactor" showname="Window size scaling factor: -2 (no window scaling used)" size="2" pos="34" show="-2" value="7fff"/>
- <field name="tcp.checksum" showname="Checksum: 0x0000 [validation disabled]" size="2" pos="36" show="0x00000000" value="0000">
- <field name="tcp.checksum_good" showname="Good Checksum: False" size="2" pos="36" show="0" value="0000"/>
- <field name="tcp.checksum_bad" showname="Bad Checksum: False" size="2" pos="36" show="0" value="0000"/>
- </field>
- <field name="tcp.urgent_pointer" showname="Urgent pointer: 0" size="2" pos="38" show="0" value="0000"/>
- <field name="tcp.analysis" showname="SEQ/ACK analysis" size="0" pos="20" show="" value="">
- <field name="tcp.analysis.initial_rtt" showname="iRTT: 0.000009000 seconds" size="0" pos="20" show="0.000009000"/>
- <field name="tcp.analysis.bytes_in_flight" showname="Bytes in flight: 1534" size="0" pos="20" show="1534"/>
- </field>
- <field name="tcp.pdu.size" showname="PDU Size: 1534" size="1534" pos="20" show="1534" value="...elided..."/>
- <field name="tcp.segment_data" showname="TCP segment data (30 bytes)" size="30" pos="40" show="54:c1:fb:c3:43:df:f3:ce:39:c5:50:6d:bb:0a:e1:fb:63:1d:43:4e:45:94:4b:8a:05:ae:cf:89:93:62" value="54c1fbc343dff3ce39c5506dbb0ae1fb631d434e45944b8a05aecf899362"/>
- </proto>
- <proto name="fake-field-wrapper">
- <field name="tcp.segments" showname="3 Reassembled TCP Segments (1534 bytes): #2406(4), #2407(1500), #2408(30)" size="1534" pos="0" show="" value="">
- <field name="tcp.segment" showname="Frame: 2406, payload: 0-3 (4 bytes)" size="4" pos="0" show="2406" value="000005fa"/>
- <field name="tcp.segment" showname="Frame: 2407, payload: 4-1503 (1500 bytes)" size="1500" pos="4" show="2407" value="...elided..."/>
- <field name="tcp.segment" showname="Frame: 2408, payload: 1504-1533 (30 bytes)" size="30" pos="1504" show="2408" value="54c1fbc343dff3ce39c5506dbb0ae1fb631d434e45944b8a05aecf899362"/>
- <field name="tcp.segment.count" showname="Segment count: 3" size="0" pos="0" show="3"/>
- <field name="tcp.reassembled.length" showname="Reassembled TCP length: 1534" size="0" pos="0" show="1534"/>
- <field name="tcp.reassembled.data" showname="Reassembled TCP Data: 000005fa6b8205f6308205f2a003020105a10302010ba22b..." size="1534" pos="0" show="...elided..." value="...elided..."/>
- </field>
-</proto>
- <proto name="kerberos" showname="Kerberos" size="1534" pos="0">
- <field name="" show="Record Mark: 1530 bytes" size="4" pos="0" value="000005fa">
- <field name="kerberos.rm.reserved" showname="0... .... .... .... .... .... .... .... = Reserved: Not set" size="4" pos="0" show="0" value="0" unmaskedvalue="000005fa"/>
- <field name="kerberos.rm.length" showname=".000 0000 0000 0000 0000 0101 1111 1010 = Record Length: 1530" size="4" pos="0" show="1530" value="5FA" unmaskedvalue="000005fa"/>
- </field>
- <field name="kerberos.as_rep_element" showname="as-rep" size="1526" pos="8" show="" value="">
- <field name="kerberos.pvno" showname="pvno: 5" size="1" pos="16" show="5" value="05"/>
- <field name="kerberos.msg_type" showname="msg-type: krb-as-rep (11)" size="1" pos="21" show="11" value="0b"/>
- <field name="kerberos.padata" showname="padata: 1 item" size="41" pos="26" show="1" value="3027a103020103a220041e53414d42412e4558414d504c452e434f4d41646d696e6973747261746f72">
- <field name="kerberos.PA_DATA_element" showname="PA-DATA PA-PW-SALT" size="41" pos="26" show="" value="">
- <field name="kerberos.padata_type" showname="padata-type: kRB5-PADATA-PW-SALT (3)" size="1" pos="32" show="3" value="03">
- <field name="kerberos.padata_value" showname="padata-value: 53414d42412e4558414d504c452e434f4d41646d696e6973..." size="30" pos="37" show="53:41:4d:42:41:2e:45:58:41:4d:50:4c:45:2e:43:4f:4d:41:64:6d:69:6e:69:73:74:72:61:74:6f:72" value="53414d42412e4558414d504c452e434f4d41646d696e6973747261746f72">
- <field name="kerberos.smb.nt_status" showname="NT Status: Unknown (0x424d4153)" size="4" pos="37" show="0x424d4153" value="53414d42"/>
- <field name="kerberos.smb.unknown" showname="Unknown: 0x58452e41" size="4" pos="41" show="0x58452e41" value="412e4558"/>
- <field name="kerberos.smb.unknown" showname="Unknown: 0x4c504d41" size="4" pos="45" show="0x4c504d41" value="414d504c"/>
- </field>
- </field>
- </field>
- </field>
- <field name="kerberos.crealm" showname="crealm: SAMBA.EXAMPLE.COM" size="17" pos="71" show="SAMBA.EXAMPLE.COM" value="53414d42412e4558414d504c452e434f4d"/>
- <field name="kerberos.cname_element" showname="cname" size="26" pos="90" show="" value="">
- <field name="kerberos.name_type" showname="name-type: kRB5-NT-PRINCIPAL (1)" size="1" pos="96" show="1" value="01"/>
- <field name="kerberos.name_string" showname="name-string: 1 item" size="15" pos="101" show="1" value="1b0d41646d696e6973747261746f72">
- <field name="kerberos.KerberosString" showname="KerberosString: Administrator" size="13" pos="103" show="Administrator" value="41646d696e6973747261746f72"/>
- </field>
- </field>
- <field name="kerberos.ticket_element" showname="ticket" size="1142" pos="124" show="" value="">
- <field name="kerberos.tkt_vno" showname="tkt-vno: 5" size="1" pos="132" show="5" value="05"/>
- <field name="kerberos.realm" showname="realm: SAMBA.EXAMPLE.COM" size="17" pos="137" show="SAMBA.EXAMPLE.COM" value="53414d42412e4558414d504c452e434f4d"/>
- <field name="kerberos.sname_element" showname="sname" size="38" pos="156" show="" value="">
- <field name="kerberos.name_type" showname="name-type: kRB5-NT-SRV-INST (2)" size="1" pos="162" show="2" value="02"/>
- <field name="kerberos.name_string" showname="name-string: 2 items" size="27" pos="167" show="2" value="1b066b72627467741b1153414d42412e4558414d504c452e434f4d">
- <field name="kerberos.KerberosString" showname="KerberosString: krbtgt" size="6" pos="169" show="krbtgt" value="6b7262746774"/>
- <field name="kerberos.KerberosString" showname="KerberosString: SAMBA.EXAMPLE.COM" size="17" pos="177" show="SAMBA.EXAMPLE.COM" value="53414d42412e4558414d504c452e434f4d"/>
- </field>
- </field>
- <field name="kerberos.enc_part_element" showname="enc-part" size="1068" pos="198" show="" value="">
- <field name="kerberos.etype" showname="etype: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)" size="1" pos="206" show="18" value="12"/>
- <field name="kerberos.kvno" showname="kvno: 1" size="1" pos="211" show="1" value="01"/>
- <field name="kerberos.cipher" showname="cipher: 5a2a14fec09c49807c1be2a0b335af26ed64f89184336870..." size="1046" pos="220" show="...elided..." value="...elided..."/>
- </field>
- </field>
- <field name="kerberos.enc_part_element" showname="enc-part" size="264" pos="1270" show="" value="">
- <field name="kerberos.etype" showname="etype: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)" size="1" pos="1278" show="18" value="12"/>
- <field name="kerberos.kvno" showname="kvno: 1" size="1" pos="1283" show="1" value="01"/>
- <field name="kerberos.cipher" showname="cipher: 3ecb1568e8ee09adcebe1ec65c1e767415512cd84449fabc..." size="244" pos="1290" show="...elided..." value="...elided..."/>
- </field>
- </field>
- </proto>
-</packet>
-
-
-<packet>
- <proto name="geninfo" pos="0" showname="General information" size="82">
- <field name="num" pos="0" show="2422" showname="Number" value="976" size="82"/>
- <field name="len" pos="0" show="82" showname="Frame Length" value="52" size="82"/>
- <field name="caplen" pos="0" show="82" showname="Captured Length" value="52" size="82"/>
- <field name="timestamp" pos="0" show="Feb 10, 2017 14:36:24.139378000 NZDT" showname="Captured Time" value="1486690584.139378000" size="82"/>
- </proto>
- <proto name="frame" showname="Frame 2422: 82 bytes on wire (656 bits), 82 bytes captured (656 bits)" size="82" pos="0">
- <field name="frame.encap_type" showname="Encapsulation type: Raw IP (7)" size="0" pos="0" show="7"/>
- <field name="frame.time" showname="Arrival Time: Feb 10, 2017 14:36:24.139378000 NZDT" size="0" pos="0" show="Feb 10, 2017 14:36:24.139378000 NZDT"/>
- <field name="frame.offset_shift" showname="Time shift for this packet: 0.000000000 seconds" size="0" pos="0" show="0.000000000"/>
- <field name="frame.time_epoch" showname="Epoch Time: 1486690584.139378000 seconds" size="0" pos="0" show="1486690584.139378000"/>
- <field name="frame.time_delta" showname="Time delta from previous captured frame: 0.000003000 seconds" size="0" pos="0" show="0.000003000"/>
- <field name="frame.time_delta_displayed" showname="Time delta from previous displayed frame: 0.000003000 seconds" size="0" pos="0" show="0.000003000"/>
- <field name="frame.time_relative" showname="Time since reference or first frame: 7.608927000 seconds" size="0" pos="0" show="7.608927000"/>
- <field name="frame.number" showname="Frame Number: 2422" size="0" pos="0" show="2422"/>
- <field name="frame.len" showname="Frame Length: 82 bytes (656 bits)" size="0" pos="0" show="82"/>
- <field name="frame.cap_len" showname="Capture Length: 82 bytes (656 bits)" size="0" pos="0" show="82"/>
- <field name="frame.marked" showname="Frame is marked: False" size="0" pos="0" show="0"/>
- <field name="frame.ignored" showname="Frame is ignored: False" size="0" pos="0" show="0"/>
- <field name="frame.protocols" showname="Protocols in frame: raw:ip:tcp:kerberos" size="0" pos="0" show="raw:ip:tcp:kerberos"/>
- </proto>
- <proto name="raw" showname="Raw packet data" size="82" pos="0"/>
- <proto name="ip" showname="Internet Protocol Version 4, Src: 127.0.0.11, Dst: 127.0.0.21" size="20" pos="0">
- <field name="ip.version" showname="0100 .... = Version: 4" size="1" pos="0" show="4" value="4" unmaskedvalue="45"/>
- <field name="ip.hdr_len" showname=".... 0101 = Header Length: 20 bytes" size="1" pos="0" show="5" value="5" unmaskedvalue="45"/>
- <field name="ip.dsfield" showname="Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)" size="1" pos="1" show="0x00000000" value="00">
- <field name="ip.dsfield.dscp" showname="0000 00.. = Differentiated Services Codepoint: Default (0)" size="1" pos="1" show="0" value="0" unmaskedvalue="00"/>
- <field name="ip.dsfield.ecn" showname=".... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)" size="1" pos="1" show="0" value="0" unmaskedvalue="00"/>
- </field>
- <field name="ip.len" showname="Total Length: 82" size="2" pos="2" show="82" value="0052"/>
- <field name="ip.id" showname="Identification: 0xffff (65535)" size="2" pos="4" show="0x0000ffff" value="ffff"/>
- <field name="ip.flags" showname="Flags: 0x02 (Don&#x27;t Fragment)" size="1" pos="6" show="0x00000002" value="40">
- <field name="ip.flags.rb" showname="0... .... = Reserved bit: Not set" size="1" pos="6" show="0" value="40"/>
- <field name="ip.flags.df" showname=".1.. .... = Don&#x27;t fragment: Set" size="1" pos="6" show="1" value="40"/>
- <field name="ip.flags.mf" showname="..0. .... = More fragments: Not set" size="1" pos="6" show="0" value="40"/>
- </field>
- <field name="ip.frag_offset" showname="Fragment offset: 0" size="2" pos="6" show="0" value="4000"/>
- <field name="ip.ttl" showname="Time to live: 255" size="1" pos="8" show="255" value="ff"/>
- <field name="ip.proto" showname="Protocol: TCP (6)" size="1" pos="9" show="6" value="06"/>
- <field name="ip.checksum" showname="Header checksum: 0x0000 [validation disabled]" size="2" pos="10" show="0x00000000" value="0000">
- <field name="ip.checksum_good" showname="Good: False" size="2" pos="10" show="0" value="0000"/>
- <field name="ip.checksum_bad" showname="Bad: False" size="2" pos="10" show="0" value="0000"/>
- </field>
- <field name="ip.src" showname="Source: 127.0.0.11" size="4" pos="12" show="127.0.0.11" value="7f00000b"/>
- <field name="ip.addr" showname="Source or Destination Address: 127.0.0.11" hide="yes" size="4" pos="12" show="127.0.0.11" value="7f00000b"/>
- <field name="ip.src_host" showname="Source Host: 127.0.0.11" hide="yes" size="4" pos="12" show="127.0.0.11" value="7f00000b"/>
- <field name="ip.host" showname="Source or Destination Host: 127.0.0.11" hide="yes" size="4" pos="12" show="127.0.0.11" value="7f00000b"/>
- <field name="ip.dst" showname="Destination: 127.0.0.21" size="4" pos="16" show="127.0.0.21" value="7f000015"/>
- <field name="ip.addr" showname="Source or Destination Address: 127.0.0.21" hide="yes" size="4" pos="16" show="127.0.0.21" value="7f000015"/>
- <field name="ip.dst_host" showname="Destination Host: 127.0.0.21" hide="yes" size="4" pos="16" show="127.0.0.21" value="7f000015"/>
- <field name="ip.host" showname="Source or Destination Host: 127.0.0.21" hide="yes" size="4" pos="16" show="127.0.0.21" value="7f000015"/>
- <field name="" show="Source GeoIP: Unknown" size="4" pos="12" value="7f00000b"/>
- <field name="" show="Destination GeoIP: Unknown" size="4" pos="16" value="7f000015"/>
- </proto>
- <proto name="tcp" showname="Transmission Control Protocol, Src Port: 14788 (14788), Dst Port: 88 (88), Seq: 1501, Ack: 1, Len: 42" size="20" pos="20">
- <field name="tcp.srcport" showname="Source Port: 14788" size="2" pos="20" show="14788" value="39c4"/>
- <field name="tcp.dstport" showname="Destination Port: 88" size="2" pos="22" show="88" value="0058"/>
- <field name="tcp.port" showname="Source or Destination Port: 14788" hide="yes" size="2" pos="20" show="14788" value="39c4"/>
- <field name="tcp.port" showname="Source or Destination Port: 88" hide="yes" size="2" pos="22" show="88" value="0058"/>
- <field name="tcp.stream" showname="Stream index: 50" size="0" pos="20" show="50"/>
- <field name="tcp.len" showname="TCP Segment Len: 42" size="1" pos="32" show="42" value="50"/>
- <field name="tcp.seq" showname="Sequence number: 1501 (relative sequence number)" size="4" pos="24" show="1501" value="000005dd"/>
- <field name="tcp.nxtseq" showname="Next sequence number: 1543 (relative sequence number)" size="0" pos="20" show="1543"/>
- <field name="tcp.ack" showname="Acknowledgment number: 1 (relative ack number)" size="4" pos="28" show="1" value="00000001"/>
- <field name="tcp.hdr_len" showname="Header Length: 20 bytes" size="1" pos="32" show="20" value="50"/>
- <field name="tcp.flags" showname="Flags: 0x018 (PSH, ACK)" size="2" pos="32" show="0x00000018" value="18" unmaskedvalue="5018">
- <field name="tcp.flags.res" showname="000. .... .... = Reserved: Not set" size="1" pos="32" show="0" value="0" unmaskedvalue="50"/>
- <field name="tcp.flags.ns" showname="...0 .... .... = Nonce: Not set" size="1" pos="32" show="0" value="0" unmaskedvalue="50"/>
- <field name="tcp.flags.cwr" showname=".... 0... .... = Congestion Window Reduced (CWR): Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
- <field name="tcp.flags.ecn" showname=".... .0.. .... = ECN-Echo: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
- <field name="tcp.flags.urg" showname=".... ..0. .... = Urgent: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
- <field name="tcp.flags.ack" showname=".... ...1 .... = Acknowledgment: Set" size="1" pos="33" show="1" value="FFFFFFFF" unmaskedvalue="18"/>
- <field name="tcp.flags.push" showname=".... .... 1... = Push: Set" size="1" pos="33" show="1" value="FFFFFFFF" unmaskedvalue="18"/>
- <field name="tcp.flags.reset" showname=".... .... .0.. = Reset: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
- <field name="tcp.flags.syn" showname=".... .... ..0. = Syn: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
- <field name="tcp.flags.fin" showname=".... .... ...0 = Fin: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
- <field name="tcp.flags.str" showname="TCP Flags: *******AP***" size="2" pos="32" show="*******AP***" value="5018"/>
- </field>
- <field name="tcp.window_size_value" showname="Window size value: 32767" size="2" pos="34" show="32767" value="7fff"/>
- <field name="tcp.window_size" showname="Calculated window size: 32767" size="2" pos="34" show="32767" value="7fff"/>
- <field name="tcp.window_size_scalefactor" showname="Window size scaling factor: -2 (no window scaling used)" size="2" pos="34" show="-2" value="7fff"/>
- <field name="tcp.checksum" showname="Checksum: 0x0000 [validation disabled]" size="2" pos="36" show="0x00000000" value="0000">
- <field name="tcp.checksum_good" showname="Good Checksum: False" size="2" pos="36" show="0" value="0000"/>
- <field name="tcp.checksum_bad" showname="Bad Checksum: False" size="2" pos="36" show="0" value="0000"/>
- </field>
- <field name="tcp.urgent_pointer" showname="Urgent pointer: 0" size="2" pos="38" show="0" value="0000"/>
- <field name="tcp.analysis" showname="SEQ/ACK analysis" size="0" pos="20" show="" value="">
- <field name="tcp.analysis.initial_rtt" showname="iRTT: 0.000009000 seconds" size="0" pos="20" show="0.000009000"/>
- <field name="tcp.analysis.bytes_in_flight" showname="Bytes in flight: 1542" size="0" pos="20" show="1542"/>
- </field>
- <field name="tcp.pdu.size" showname="PDU Size: 1542" size="1542" pos="20" show="1542" value="...elided..."/>
- <field name="tcp.segment_data" showname="TCP segment data (42 bytes)" size="42" pos="40" show="30:30:30:30:30:5a:a7:06:02:04:99:16:39:d0:a8:1a:30:18:02:01:12:02:01:11:02:01:10:02:01:05:02:01:17:02:01:03:02:01:02:02:01:01" value="30303030305aa7060204991639d0a81a3018020112020111020110020105020117020103020102020101"/>
- </proto>
- <proto name="fake-field-wrapper">
- <field name="tcp.segments" showname="2 Reassembled TCP Segments (1542 bytes): #2421(1500), #2422(42)" size="1542" pos="0" show="" value="">
- <field name="tcp.segment" showname="Frame: 2421, payload: 0-1499 (1500 bytes)" size="1500" pos="0" show="2421" value="...elided..."/>
- <field name="tcp.segment" showname="Frame: 2422, payload: 1500-1541 (42 bytes)" size="42" pos="1500" show="2422" value="30303030305aa7060204991639d0a81a3018020112020111020110020105020117020103020102020101"/>
- <field name="tcp.segment.count" showname="Segment count: 2" size="0" pos="0" show="2"/>
- <field name="tcp.reassembled.length" showname="Reassembled TCP length: 1542" size="0" pos="0" show="1542"/>
- <field name="tcp.reassembled.data" showname="Reassembled TCP Data: 000006026c8205fe308205faa103020105a20302010ca382..." size="1542" pos="0" show="...elided..." value="...elided..."/>
- </field>
-</proto>
- <proto name="kerberos" showname="Kerberos" size="1542" pos="0">
- <field name="" show="Record Mark: 1538 bytes" size="4" pos="0" value="00000602">
- <field name="kerberos.rm.reserved" showname="0... .... .... .... .... .... .... .... = Reserved: Not set" size="4" pos="0" show="0" value="0" unmaskedvalue="00000602"/>
- <field name="kerberos.rm.length" showname=".000 0000 0000 0000 0000 0110 0000 0010 = Record Length: 1538" size="4" pos="0" show="1538" value="602" unmaskedvalue="00000602"/>
- </field>
- <field name="kerberos.tgs_req_element" showname="tgs-req" size="1534" pos="8" show="" value="">
- <field name="kerberos.pvno" showname="pvno: 5" size="1" pos="16" show="5" value="05"/>
- <field name="kerberos.msg_type" showname="msg-type: krb-tgs-req (12)" size="1" pos="21" show="12" value="0c"/>
- <field name="kerberos.padata" showname="padata: 1 item" size="1395" pos="30" show="1" value="...elided...">
- <field name="kerberos.PA_DATA_element" showname="PA-DATA PA-TGS-REQ" size="1395" pos="30" show="" value="">
- <field name="kerberos.padata_type" showname="padata-type: kRB5-PADATA-TGS-REQ (1)" size="1" pos="38" show="1" value="01">
- <field name="kerberos.padata_value" showname="padata-value: 6e82055e3082055aa003020105a10302010ea20703050000..." size="1378" pos="47" show="...elided..." value="...elided...">
- <field name="kerberos.ap_req_element" showname="ap-req" size="1374" pos="51" show="" value="">
- <field name="kerberos.pvno" showname="pvno: 5" size="1" pos="59" show="5" value="05"/>
- <field name="kerberos.msg_type" showname="msg-type: krb-ap-req (14)" size="1" pos="64" show="14" value="0e"/>
- <field name="ber.bitstring.padding" showname="Padding: 0" size="1" pos="69" show="0" value="00"/>
- <field name="kerberos.ap_options" showname="ap-options: 00000000" size="4" pos="70" show="00:00:00:00" value="00000000">
- <field name="kerberos.reserved" showname="0... .... = reserved: False" size="1" pos="70" show="0" value="0" unmaskedvalue="00"/>
- <field name="kerberos.use-session-key" showname=".0.. .... = use-session-key: False" size="1" pos="70" show="0" value="0" unmaskedvalue="00"/>
- <field name="kerberos.mutual-required" showname="..0. .... = mutual-required: False" size="1" pos="70" show="0" value="0" unmaskedvalue="00"/>
- </field>
- <field name="kerberos.ticket_element" showname="ticket" size="1142" pos="82" show="" value="">
- <field name="kerberos.tkt_vno" showname="tkt-vno: 5" size="1" pos="90" show="5" value="05"/>
- <field name="kerberos.realm" showname="realm: SAMBA.EXAMPLE.COM" size="17" pos="95" show="SAMBA.EXAMPLE.COM" value="53414d42412e4558414d504c452e434f4d"/>
- <field name="kerberos.sname_element" showname="sname" size="38" pos="114" show="" value="">
- <field name="kerberos.name_type" showname="name-type: kRB5-NT-SRV-INST (2)" size="1" pos="120" show="2" value="02"/>
- <field name="kerberos.name_string" showname="name-string: 2 items" size="27" pos="125" show="2" value="1b066b72627467741b1153414d42412e4558414d504c452e434f4d">
- <field name="kerberos.KerberosString" showname="KerberosString: krbtgt" size="6" pos="127" show="krbtgt" value="6b7262746774"/>
- <field name="kerberos.KerberosString" showname="KerberosString: SAMBA.EXAMPLE.COM" size="17" pos="135" show="SAMBA.EXAMPLE.COM" value="53414d42412e4558414d504c452e434f4d"/>
- </field>
- </field>
- <field name="kerberos.enc_part_element" showname="enc-part" size="1068" pos="156" show="" value="">
- <field name="kerberos.etype" showname="etype: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)" size="1" pos="164" show="18" value="12"/>
- <field name="kerberos.kvno" showname="kvno: 1" size="1" pos="169" show="1" value="01"/>
- <field name="kerberos.cipher" showname="cipher: 5a2a14fec09c49807c1be2a0b335af26ed64f89184336870..." size="1046" pos="178" show="...elided..." value="...elided..."/>
- </field>
- </field>
- <field name="kerberos.authenticator_element" showname="authenticator" size="198" pos="1227" show="" value="">
- <field name="kerberos.etype" showname="etype: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)" size="1" pos="1234" show="18" value="12"/>
- <field name="kerberos.cipher" showname="cipher: 263f6091496efbdb7c0b3c7e40fa7bfbf2e284a38b105cb9..." size="184" pos="1241" show="...elided..." value="...elided..."/>
- </field>
- </field>
- </field>
- </field>
- </field>
- </field>
- <field name="kerberos.req_body_element" showname="req-body" size="115" pos="1427" show="" value="">
- <field name="ber.bitstring.padding" showname="Padding: 0" size="1" pos="1433" show="0" value="00"/>
- <field name="kerberos.kdc_options" showname="kdc-options: 00010000 (canonicalize)" size="4" pos="1434" show="00:01:00:00" value="00010000">
- <field name="kerberos.reserved" showname="0... .... = reserved: False" size="1" pos="1434" show="0" value="0" unmaskedvalue="00"/>
- <field name="kerberos.forwardable" showname=".0.. .... = forwardable: False" size="1" pos="1434" show="0" value="0" unmaskedvalue="00"/>
- <field name="kerberos.forwarded" showname="..0. .... = forwarded: False" size="1" pos="1434" show="0" value="0" unmaskedvalue="00"/>
- <field name="kerberos.proxiable" showname="...0 .... = proxiable: False" size="1" pos="1434" show="0" value="0" unmaskedvalue="00"/>
- <field name="kerberos.proxy" showname=".... 0... = proxy: False" size="1" pos="1434" show="0" value="0" unmaskedvalue="00"/>
- <field name="kerberos.allow-postdate" showname=".... .0.. = allow-postdate: False" size="1" pos="1434" show="0" value="0" unmaskedvalue="00"/>
- <field name="kerberos.postdated" showname=".... ..0. = postdated: False" size="1" pos="1434" show="0" value="0" unmaskedvalue="00"/>
- <field name="kerberos.unused7" showname=".... ...0 = unused7: False" size="1" pos="1434" show="0" value="0" unmaskedvalue="00"/>
- <field name="kerberos.renewable" showname="0... .... = renewable: False" size="1" pos="1435" show="0" value="0" unmaskedvalue="01"/>
- <field name="kerberos.unused9" showname=".0.. .... = unused9: False" size="1" pos="1435" show="0" value="0" unmaskedvalue="01"/>
- <field name="kerberos.unused10" showname="..0. .... = unused10: False" size="1" pos="1435" show="0" value="0" unmaskedvalue="01"/>
- <field name="kerberos.opt-hardware-auth" showname="...0 .... = opt-hardware-auth: False" size="1" pos="1435" show="0" value="0" unmaskedvalue="01"/>
- <field name="kerberos.request-anonymous" showname=".... ..0. = request-anonymous: False" size="1" pos="1435" show="0" value="0" unmaskedvalue="01"/>
- <field name="kerberos.canonicalize" showname=".... ...1 = canonicalize: True" size="1" pos="1435" show="1" value="FFFFFFFF" unmaskedvalue="01"/>
- <field name="kerberos.constrained-delegation" showname="0... .... = constrained-delegation: False" size="1" pos="1436" show="0" value="0" unmaskedvalue="00"/>
- <field name="kerberos.disable-transited-check" showname="..0. .... = disable-transited-check: False" size="1" pos="1437" show="0" value="0" unmaskedvalue="00"/>
- <field name="kerberos.renewable-ok" showname="...0 .... = renewable-ok: False" size="1" pos="1437" show="0" value="0" unmaskedvalue="00"/>
- <field name="kerberos.enc-tkt-in-skey" showname=".... 0... = enc-tkt-in-skey: False" size="1" pos="1437" show="0" value="0" unmaskedvalue="00"/>
- <field name="kerberos.renew" showname=".... ..0. = renew: False" size="1" pos="1437" show="0" value="0" unmaskedvalue="00"/>
- <field name="kerberos.validate" showname=".... ...0 = validate: False" size="1" pos="1437" show="0" value="0" unmaskedvalue="00"/>
- </field>
- <field name="kerberos.realm" showname="realm: SAMBA.EXAMPLE.COM" size="17" pos="1442" show="SAMBA.EXAMPLE.COM" value="53414d42412e4558414d504c452e434f4d"/>
- <field name="kerberos.sname_element" showname="sname" size="26" pos="1461" show="" value="">
- <field name="kerberos.name_type" showname="name-type: kRB5-NT-PRINCIPAL (1)" size="1" pos="1467" show="1" value="01"/>
- <field name="kerberos.name_string" showname="name-string: 2 items" size="15" pos="1472" show="2" value="1b046c6461701b076c6f63616c6463">
- <field name="kerberos.KerberosString" showname="KerberosString: ldap" size="4" pos="1474" show="ldap" value="6c646170"/>
- <field name="kerberos.KerberosString" showname="KerberosString: localdc" size="7" pos="1480" show="localdc" value="6c6f63616c6463"/>
- </field>
- </field>
- <field name="kerberos.till" showname="till: 1970-01-01 00:00:00 (UTC)" size="15" pos="1491" show="1970-01-01 00:00:00 (UTC)" value="31393730303130313030303030305a"/>
- <field name="kerberos.nonce" showname="nonce: 2568370640" size="4" pos="1510" show="2568370640" value="991639d0"/>
- <field name="kerberos.etype" showname="etype: 8 items" size="24" pos="1518" show="8" value="020112020111020110020105020117020103020102020101">
- <field name="kerberos.ENCTYPE" showname="ENCTYPE: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)" size="1" pos="1520" show="18" value="12"/>
- <field name="kerberos.ENCTYPE" showname="ENCTYPE: eTYPE-AES128-CTS-HMAC-SHA1-96 (17)" size="1" pos="1523" show="17" value="11"/>
- <field name="kerberos.ENCTYPE" showname="ENCTYPE: eTYPE-DES3-CBC-SHA1 (16)" size="1" pos="1526" show="16" value="10"/>
- <field name="kerberos.ENCTYPE" showname="ENCTYPE: eTYPE-DES3-CBC-MD5 (5)" size="1" pos="1529" show="5" value="05"/>
- <field name="kerberos.ENCTYPE" showname="ENCTYPE: eTYPE-ARCFOUR-HMAC-MD5 (23)" size="1" pos="1532" show="23" value="17"/>
- <field name="kerberos.ENCTYPE" showname="ENCTYPE: eTYPE-DES-CBC-MD5 (3)" size="1" pos="1535" show="3" value="03"/>
- <field name="kerberos.ENCTYPE" showname="ENCTYPE: eTYPE-DES-CBC-MD4 (2)" size="1" pos="1538" show="2" value="02"/>
- <field name="kerberos.ENCTYPE" showname="ENCTYPE: eTYPE-DES-CBC-CRC (1)" size="1" pos="1541" show="1" value="01"/>
- </field>
- </field>
- </field>
- </proto>
-</packet>
-
-
-<packet>
- <proto name="geninfo" pos="0" showname="General information" size="1517">
- <field name="num" pos="0" show="2429" showname="Number" value="97d" size="1517"/>
- <field name="len" pos="0" show="1517" showname="Frame Length" value="5ed" size="1517"/>
- <field name="caplen" pos="0" show="1517" showname="Captured Length" value="5ed" size="1517"/>
- <field name="timestamp" pos="0" show="Feb 10, 2017 14:36:24.143220000 NZDT" showname="Captured Time" value="1486690584.143220000" size="1517"/>
- </proto>
- <proto name="frame" showname="Frame 2429: 1517 bytes on wire (12136 bits), 1517 bytes captured (12136 bits)" size="1517" pos="0">
- <field name="frame.encap_type" showname="Encapsulation type: Raw IP (7)" size="0" pos="0" show="7"/>
- <field name="frame.time" showname="Arrival Time: Feb 10, 2017 14:36:24.143220000 NZDT" size="0" pos="0" show="Feb 10, 2017 14:36:24.143220000 NZDT"/>
- <field name="frame.offset_shift" showname="Time shift for this packet: 0.000000000 seconds" size="0" pos="0" show="0.000000000"/>
- <field name="frame.time_epoch" showname="Epoch Time: 1486690584.143220000 seconds" size="0" pos="0" show="1486690584.143220000"/>
- <field name="frame.time_delta" showname="Time delta from previous captured frame: 0.003735000 seconds" size="0" pos="0" show="0.003735000"/>
- <field name="frame.time_delta_displayed" showname="Time delta from previous displayed frame: 0.003735000 seconds" size="0" pos="0" show="0.003735000"/>
- <field name="frame.time_relative" showname="Time since reference or first frame: 7.612769000 seconds" size="0" pos="0" show="7.612769000"/>
- <field name="frame.number" showname="Frame Number: 2429" size="0" pos="0" show="2429"/>
- <field name="frame.len" showname="Frame Length: 1517 bytes (12136 bits)" size="0" pos="0" show="1517"/>
- <field name="frame.cap_len" showname="Capture Length: 1517 bytes (12136 bits)" size="0" pos="0" show="1517"/>
- <field name="frame.marked" showname="Frame is marked: False" size="0" pos="0" show="0"/>
- <field name="frame.ignored" showname="Frame is ignored: False" size="0" pos="0" show="0"/>
- <field name="frame.protocols" showname="Protocols in frame: raw:ip:tcp:kerberos" size="0" pos="0" show="raw:ip:tcp:kerberos"/>
- </proto>
- <proto name="raw" showname="Raw packet data" size="1517" pos="0"/>
- <proto name="ip" showname="Internet Protocol Version 4, Src: 127.0.0.21, Dst: 127.0.0.11" size="20" pos="0">
- <field name="ip.version" showname="0100 .... = Version: 4" size="1" pos="0" show="4" value="4" unmaskedvalue="45"/>
- <field name="ip.hdr_len" showname=".... 0101 = Header Length: 20 bytes" size="1" pos="0" show="5" value="5" unmaskedvalue="45"/>
- <field name="ip.dsfield" showname="Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)" size="1" pos="1" show="0x00000000" value="00">
- <field name="ip.dsfield.dscp" showname="0000 00.. = Differentiated Services Codepoint: Default (0)" size="1" pos="1" show="0" value="0" unmaskedvalue="00"/>
- <field name="ip.dsfield.ecn" showname=".... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)" size="1" pos="1" show="0" value="0" unmaskedvalue="00"/>
- </field>
- <field name="ip.len" showname="Total Length: 1517" size="2" pos="2" show="1517" value="05ed"/>
- <field name="ip.id" showname="Identification: 0xffff (65535)" size="2" pos="4" show="0x0000ffff" value="ffff"/>
- <field name="ip.flags" showname="Flags: 0x02 (Don&#x27;t Fragment)" size="1" pos="6" show="0x00000002" value="40">
- <field name="ip.flags.rb" showname="0... .... = Reserved bit: Not set" size="1" pos="6" show="0" value="40"/>
- <field name="ip.flags.df" showname=".1.. .... = Don&#x27;t fragment: Set" size="1" pos="6" show="1" value="40"/>
- <field name="ip.flags.mf" showname="..0. .... = More fragments: Not set" size="1" pos="6" show="0" value="40"/>
- </field>
- <field name="ip.frag_offset" showname="Fragment offset: 0" size="2" pos="6" show="0" value="4000"/>
- <field name="ip.ttl" showname="Time to live: 255" size="1" pos="8" show="255" value="ff"/>
- <field name="ip.proto" showname="Protocol: TCP (6)" size="1" pos="9" show="6" value="06"/>
- <field name="ip.checksum" showname="Header checksum: 0x0000 [validation disabled]" size="2" pos="10" show="0x00000000" value="0000">
- <field name="ip.checksum_good" showname="Good: False" size="2" pos="10" show="0" value="0000"/>
- <field name="ip.checksum_bad" showname="Bad: False" size="2" pos="10" show="0" value="0000"/>
- </field>
- <field name="ip.src" showname="Source: 127.0.0.21" size="4" pos="12" show="127.0.0.21" value="7f000015"/>
- <field name="ip.addr" showname="Source or Destination Address: 127.0.0.21" hide="yes" size="4" pos="12" show="127.0.0.21" value="7f000015"/>
- <field name="ip.src_host" showname="Source Host: 127.0.0.21" hide="yes" size="4" pos="12" show="127.0.0.21" value="7f000015"/>
- <field name="ip.host" showname="Source or Destination Host: 127.0.0.21" hide="yes" size="4" pos="12" show="127.0.0.21" value="7f000015"/>
- <field name="ip.dst" showname="Destination: 127.0.0.11" size="4" pos="16" show="127.0.0.11" value="7f00000b"/>
- <field name="ip.addr" showname="Source or Destination Address: 127.0.0.11" hide="yes" size="4" pos="16" show="127.0.0.11" value="7f00000b"/>
- <field name="ip.dst_host" showname="Destination Host: 127.0.0.11" hide="yes" size="4" pos="16" show="127.0.0.11" value="7f00000b"/>
- <field name="ip.host" showname="Source or Destination Host: 127.0.0.11" hide="yes" size="4" pos="16" show="127.0.0.11" value="7f00000b"/>
- <field name="" show="Source GeoIP: Unknown" size="4" pos="12" value="7f000015"/>
- <field name="" show="Destination GeoIP: Unknown" size="4" pos="16" value="7f00000b"/>
- </proto>
- <proto name="tcp" showname="Transmission Control Protocol, Src Port: 88 (88), Dst Port: 14788 (14788), Seq: 1, Ack: 1543, Len: 1477" size="20" pos="20">
- <field name="tcp.srcport" showname="Source Port: 88" size="2" pos="20" show="88" value="0058"/>
- <field name="tcp.dstport" showname="Destination Port: 14788" size="2" pos="22" show="14788" value="39c4"/>
- <field name="tcp.port" showname="Source or Destination Port: 88" hide="yes" size="2" pos="20" show="88" value="0058"/>
- <field name="tcp.port" showname="Source or Destination Port: 14788" hide="yes" size="2" pos="22" show="14788" value="39c4"/>
- <field name="tcp.stream" showname="Stream index: 50" size="0" pos="20" show="50"/>
- <field name="tcp.len" showname="TCP Segment Len: 1477" size="1" pos="32" show="1477" value="50"/>
- <field name="tcp.seq" showname="Sequence number: 1 (relative sequence number)" size="4" pos="24" show="1" value="00000001"/>
- <field name="tcp.nxtseq" showname="Next sequence number: 1478 (relative sequence number)" size="0" pos="20" show="1478"/>
- <field name="tcp.ack" showname="Acknowledgment number: 1543 (relative ack number)" size="4" pos="28" show="1543" value="00000607"/>
- <field name="tcp.hdr_len" showname="Header Length: 20 bytes" size="1" pos="32" show="20" value="50"/>
- <field name="tcp.flags" showname="Flags: 0x018 (PSH, ACK)" size="2" pos="32" show="0x00000018" value="18" unmaskedvalue="5018">
- <field name="tcp.flags.res" showname="000. .... .... = Reserved: Not set" size="1" pos="32" show="0" value="0" unmaskedvalue="50"/>
- <field name="tcp.flags.ns" showname="...0 .... .... = Nonce: Not set" size="1" pos="32" show="0" value="0" unmaskedvalue="50"/>
- <field name="tcp.flags.cwr" showname=".... 0... .... = Congestion Window Reduced (CWR): Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
- <field name="tcp.flags.ecn" showname=".... .0.. .... = ECN-Echo: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
- <field name="tcp.flags.urg" showname=".... ..0. .... = Urgent: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
- <field name="tcp.flags.ack" showname=".... ...1 .... = Acknowledgment: Set" size="1" pos="33" show="1" value="FFFFFFFF" unmaskedvalue="18"/>
- <field name="tcp.flags.push" showname=".... .... 1... = Push: Set" size="1" pos="33" show="1" value="FFFFFFFF" unmaskedvalue="18"/>
- <field name="tcp.flags.reset" showname=".... .... .0.. = Reset: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
- <field name="tcp.flags.syn" showname=".... .... ..0. = Syn: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
- <field name="tcp.flags.fin" showname=".... .... ...0 = Fin: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
- <field name="tcp.flags.str" showname="TCP Flags: *******AP***" size="2" pos="32" show="*******AP***" value="5018"/>
- </field>
- <field name="tcp.window_size_value" showname="Window size value: 32767" size="2" pos="34" show="32767" value="7fff"/>
- <field name="tcp.window_size" showname="Calculated window size: 32767" size="2" pos="34" show="32767" value="7fff"/>
- <field name="tcp.window_size_scalefactor" showname="Window size scaling factor: -2 (no window scaling used)" size="2" pos="34" show="-2" value="7fff"/>
- <field name="tcp.checksum" showname="Checksum: 0x0000 [validation disabled]" size="2" pos="36" show="0x00000000" value="0000">
- <field name="tcp.checksum_good" showname="Good Checksum: False" size="2" pos="36" show="0" value="0000"/>
- <field name="tcp.checksum_bad" showname="Bad Checksum: False" size="2" pos="36" show="0" value="0000"/>
- </field>
- <field name="tcp.urgent_pointer" showname="Urgent pointer: 0" size="2" pos="38" show="0" value="0000"/>
- <field name="tcp.analysis" showname="SEQ/ACK analysis" size="0" pos="20" show="" value="">
- <field name="tcp.analysis.acks_frame" showname="This is an ACK to the segment in frame: 2422" size="0" pos="20" show="2422"/>
- <field name="tcp.analysis.ack_rtt" showname="The RTT to ACK the segment was: 0.003842000 seconds" size="0" pos="20" show="0.003842000"/>
- <field name="tcp.analysis.initial_rtt" showname="iRTT: 0.000009000 seconds" size="0" pos="20" show="0.000009000"/>
- <field name="tcp.analysis.bytes_in_flight" showname="Bytes in flight: 1477" size="0" pos="20" show="1477"/>
- </field>
- <field name="tcp.pdu.size" showname="PDU Size: 1477" size="1477" pos="40" show="1477" value="...elided..."/>
- </proto>
- <proto name="kerberos" showname="Kerberos" size="1477" pos="40">
- <field name="" show="Record Mark: 1473 bytes" size="4" pos="40" value="000005c1">
- <field name="kerberos.rm.reserved" showname="0... .... .... .... .... .... .... .... = Reserved: Not set" size="4" pos="40" show="0" value="0" unmaskedvalue="000005c1"/>
- <field name="kerberos.rm.length" showname=".000 0000 0000 0000 0000 0101 1100 0001 = Record Length: 1473" size="4" pos="40" show="1473" value="5C1" unmaskedvalue="000005c1"/>
- </field>
- <field name="kerberos.tgs_rep_element" showname="tgs-rep" size="1469" pos="48" show="" value="">
- <field name="kerberos.pvno" showname="pvno: 5" size="1" pos="56" show="5" value="05"/>
- <field name="kerberos.msg_type" showname="msg-type: krb-tgs-rep (13)" size="1" pos="61" show="13" value="0d"/>
- <field name="kerberos.crealm" showname="crealm: SAMBA.EXAMPLE.COM" size="17" pos="66" show="SAMBA.EXAMPLE.COM" value="53414d42412e4558414d504c452e434f4d"/>
- <field name="kerberos.cname_element" showname="cname" size="26" pos="85" show="" value="">
- <field name="kerberos.name_type" showname="name-type: kRB5-NT-PRINCIPAL (1)" size="1" pos="91" show="1" value="01"/>
- <field name="kerberos.name_string" showname="name-string: 1 item" size="15" pos="96" show="1" value="1b0d41646d696e6973747261746f72">
- <field name="kerberos.KerberosString" showname="KerberosString: Administrator" size="13" pos="98" show="Administrator" value="41646d696e6973747261746f72"/>
- </field>
- </field>
- <field name="kerberos.ticket_element" showname="ticket" size="1149" pos="119" show="" value="">
- <field name="kerberos.tkt_vno" showname="tkt-vno: 5" size="1" pos="127" show="5" value="05"/>
- <field name="kerberos.realm" showname="realm: SAMBA.EXAMPLE.COM" size="17" pos="132" show="SAMBA.EXAMPLE.COM" value="53414d42412e4558414d504c452e434f4d"/>
- <field name="kerberos.sname_element" showname="sname" size="26" pos="151" show="" value="">
- <field name="kerberos.name_type" showname="name-type: kRB5-NT-PRINCIPAL (1)" size="1" pos="157" show="1" value="01"/>
- <field name="kerberos.name_string" showname="name-string: 2 items" size="15" pos="162" show="2" value="1b046c6461701b076c6f63616c6463">
- <field name="kerberos.KerberosString" showname="KerberosString: ldap" size="4" pos="164" show="ldap" value="6c646170"/>
- <field name="kerberos.KerberosString" showname="KerberosString: localdc" size="7" pos="170" show="localdc" value="6c6f63616c6463"/>
- </field>
- </field>
- <field name="kerberos.enc_part_element" showname="enc-part" size="1087" pos="181" show="" value="">
- <field name="kerberos.etype" showname="etype: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)" size="1" pos="189" show="18" value="12"/>
- <field name="kerberos.kvno" showname="kvno: 1" size="1" pos="194" show="1" value="01"/>
- <field name="kerberos.cipher" showname="cipher: 9cbdd51b88f631bfc183eee24f54171f1e6222ebd70ef513..." size="1065" pos="203" show="...elided..." value="...elided..."/>
- </field>
- </field>
- <field name="kerberos.enc_part_element" showname="enc-part" size="246" pos="1271" show="" value="">
- <field name="kerberos.etype" showname="etype: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)" size="1" pos="1278" show="18" value="12"/>
- <field name="kerberos.cipher" showname="cipher: 144b5a45ac6ad8fd830d6f7ec0b00a5cf26d277598a63a5e..." size="232" pos="1285" show="...elided..." value="...elided..."/>
- </field>
- </field>
- </proto>
-</packet>
-
-<packet>
- <proto name="geninfo" pos="0" showname="General information" size="138">
- <field name="num" pos="0" show="3105" showname="Number" value="c21" size="138"/>
- <field name="len" pos="0" show="138" showname="Frame Length" value="8a" size="138"/>
- <field name="caplen" pos="0" show="138" showname="Captured Length" value="8a" size="138"/>
- <field name="timestamp" pos="0" show="Feb 10, 2017 14:36:24.770344000 NZDT" showname="Captured Time" value="1486690584.770344000" size="138"/>
- </proto>
- <proto name="frame" showname="Frame 3105: 138 bytes on wire (1104 bits), 138 bytes captured (1104 bits)" size="138" pos="0">
- <field name="frame.encap_type" showname="Encapsulation type: Raw IP (7)" size="0" pos="0" show="7"/>
- <field name="frame.time" showname="Arrival Time: Feb 10, 2017 14:36:24.770344000 NZDT" size="0" pos="0" show="Feb 10, 2017 14:36:24.770344000 NZDT"/>
- <field name="frame.offset_shift" showname="Time shift for this packet: 0.000000000 seconds" size="0" pos="0" show="0.000000000"/>
- <field name="frame.time_epoch" showname="Epoch Time: 1486690584.770344000 seconds" size="0" pos="0" show="1486690584.770344000"/>
- <field name="frame.time_delta" showname="Time delta from previous captured frame: 0.000005000 seconds" size="0" pos="0" show="0.000005000"/>
- <field name="frame.time_delta_displayed" showname="Time delta from previous displayed frame: 0.000005000 seconds" size="0" pos="0" show="0.000005000"/>
- <field name="frame.time_relative" showname="Time since reference or first frame: 8.239893000 seconds" size="0" pos="0" show="8.239893000"/>
- <field name="frame.number" showname="Frame Number: 3105" size="0" pos="0" show="3105"/>
- <field name="frame.len" showname="Frame Length: 138 bytes (1104 bits)" size="0" pos="0" show="138"/>
- <field name="frame.cap_len" showname="Capture Length: 138 bytes (1104 bits)" size="0" pos="0" show="138"/>
- <field name="frame.marked" showname="Frame is marked: False" size="0" pos="0" show="0"/>
- <field name="frame.ignored" showname="Frame is ignored: False" size="0" pos="0" show="0"/>
- <field name="frame.protocols" showname="Protocols in frame: raw:ip:tcp:ldap:gss-api:spnego:spnego-krb5" size="0" pos="0" show="raw:ip:tcp:ldap:gss-api:spnego:spnego-krb5"/>
- </proto>
- <proto name="raw" showname="Raw packet data" size="138" pos="0"/>
- <proto name="ip" showname="Internet Protocol Version 4, Src: 127.0.0.11, Dst: 127.0.0.21" size="20" pos="0">
- <field name="ip.version" showname="0100 .... = Version: 4" size="1" pos="0" show="4" value="4" unmaskedvalue="45"/>
- <field name="ip.hdr_len" showname=".... 0101 = Header Length: 20 bytes" size="1" pos="0" show="5" value="5" unmaskedvalue="45"/>
- <field name="ip.dsfield" showname="Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)" size="1" pos="1" show="0x00000000" value="00">
- <field name="ip.dsfield.dscp" showname="0000 00.. = Differentiated Services Codepoint: Default (0)" size="1" pos="1" show="0" value="0" unmaskedvalue="00"/>
- <field name="ip.dsfield.ecn" showname=".... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)" size="1" pos="1" show="0" value="0" unmaskedvalue="00"/>
- </field>
- <field name="ip.len" showname="Total Length: 138" size="2" pos="2" show="138" value="008a"/>
- <field name="ip.id" showname="Identification: 0xffff (65535)" size="2" pos="4" show="0x0000ffff" value="ffff"/>
- <field name="ip.flags" showname="Flags: 0x02 (Don&#x27;t Fragment)" size="1" pos="6" show="0x00000002" value="40">
- <field name="ip.flags.rb" showname="0... .... = Reserved bit: Not set" size="1" pos="6" show="0" value="40"/>
- <field name="ip.flags.df" showname=".1.. .... = Don&#x27;t fragment: Set" size="1" pos="6" show="1" value="40"/>
- <field name="ip.flags.mf" showname="..0. .... = More fragments: Not set" size="1" pos="6" show="0" value="40"/>
- </field>
- <field name="ip.frag_offset" showname="Fragment offset: 0" size="2" pos="6" show="0" value="4000"/>
- <field name="ip.ttl" showname="Time to live: 255" size="1" pos="8" show="255" value="ff"/>
- <field name="ip.proto" showname="Protocol: TCP (6)" size="1" pos="9" show="6" value="06"/>
- <field name="ip.checksum" showname="Header checksum: 0x0000 [validation disabled]" size="2" pos="10" show="0x00000000" value="0000">
- <field name="ip.checksum_good" showname="Good: False" size="2" pos="10" show="0" value="0000"/>
- <field name="ip.checksum_bad" showname="Bad: False" size="2" pos="10" show="0" value="0000"/>
- </field>
- <field name="ip.src" showname="Source: 127.0.0.11" size="4" pos="12" show="127.0.0.11" value="7f00000b"/>
- <field name="ip.addr" showname="Source or Destination Address: 127.0.0.11" hide="yes" size="4" pos="12" show="127.0.0.11" value="7f00000b"/>
- <field name="ip.src_host" showname="Source Host: 127.0.0.11" hide="yes" size="4" pos="12" show="127.0.0.11" value="7f00000b"/>
- <field name="ip.host" showname="Source or Destination Host: 127.0.0.11" hide="yes" size="4" pos="12" show="127.0.0.11" value="7f00000b"/>
- <field name="ip.dst" showname="Destination: 127.0.0.21" size="4" pos="16" show="127.0.0.21" value="7f000015"/>
- <field name="ip.addr" showname="Source or Destination Address: 127.0.0.21" hide="yes" size="4" pos="16" show="127.0.0.21" value="7f000015"/>
- <field name="ip.dst_host" showname="Destination Host: 127.0.0.21" hide="yes" size="4" pos="16" show="127.0.0.21" value="7f000015"/>
- <field name="ip.host" showname="Source or Destination Host: 127.0.0.21" hide="yes" size="4" pos="16" show="127.0.0.21" value="7f000015"/>
- <field name="" show="Source GeoIP: Unknown" size="4" pos="12" value="7f00000b"/>
- <field name="" show="Destination GeoIP: Unknown" size="4" pos="16" value="7f000015"/>
- </proto>
- <proto name="tcp" showname="Transmission Control Protocol, Src Port: 14794 (14794), Dst Port: 389 (389), Seq: 6184, Ack: 332, Len: 98" size="20" pos="20">
- <field name="tcp.srcport" showname="Source Port: 14794" size="2" pos="20" show="14794" value="39ca"/>
- <field name="tcp.dstport" showname="Destination Port: 389" size="2" pos="22" show="389" value="0185"/>
- <field name="tcp.port" showname="Source or Destination Port: 14794" hide="yes" size="2" pos="20" show="14794" value="39ca"/>
- <field name="tcp.port" showname="Source or Destination Port: 389" hide="yes" size="2" pos="22" show="389" value="0185"/>
- <field name="tcp.stream" showname="Stream index: 60" size="0" pos="20" show="60"/>
- <field name="tcp.len" showname="TCP Segment Len: 98" size="1" pos="32" show="98" value="50"/>
- <field name="tcp.seq" showname="Sequence number: 6184 (relative sequence number)" size="4" pos="24" show="6184" value="00001828"/>
- <field name="tcp.nxtseq" showname="Next sequence number: 6282 (relative sequence number)" size="0" pos="20" show="6282"/>
- <field name="tcp.ack" showname="Acknowledgment number: 332 (relative ack number)" size="4" pos="28" show="332" value="0000014c"/>
- <field name="tcp.hdr_len" showname="Header Length: 20 bytes" size="1" pos="32" show="20" value="50"/>
- <field name="tcp.flags" showname="Flags: 0x018 (PSH, ACK)" size="2" pos="32" show="0x00000018" value="18" unmaskedvalue="5018">
- <field name="tcp.flags.res" showname="000. .... .... = Reserved: Not set" size="1" pos="32" show="0" value="0" unmaskedvalue="50"/>
- <field name="tcp.flags.ns" showname="...0 .... .... = Nonce: Not set" size="1" pos="32" show="0" value="0" unmaskedvalue="50"/>
- <field name="tcp.flags.cwr" showname=".... 0... .... = Congestion Window Reduced (CWR): Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
- <field name="tcp.flags.ecn" showname=".... .0.. .... = ECN-Echo: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
- <field name="tcp.flags.urg" showname=".... ..0. .... = Urgent: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
- <field name="tcp.flags.ack" showname=".... ...1 .... = Acknowledgment: Set" size="1" pos="33" show="1" value="FFFFFFFF" unmaskedvalue="18"/>
- <field name="tcp.flags.push" showname=".... .... 1... = Push: Set" size="1" pos="33" show="1" value="FFFFFFFF" unmaskedvalue="18"/>
- <field name="tcp.flags.reset" showname=".... .... .0.. = Reset: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
- <field name="tcp.flags.syn" showname=".... .... ..0. = Syn: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
- <field name="tcp.flags.fin" showname=".... .... ...0 = Fin: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
- <field name="tcp.flags.str" showname="TCP Flags: *******AP***" size="2" pos="32" show="*******AP***" value="5018"/>
- </field>
- <field name="tcp.window_size_value" showname="Window size value: 32767" size="2" pos="34" show="32767" value="7fff"/>
- <field name="tcp.window_size" showname="Calculated window size: 32767" size="2" pos="34" show="32767" value="7fff"/>
- <field name="tcp.window_size_scalefactor" showname="Window size scaling factor: -2 (no window scaling used)" size="2" pos="34" show="-2" value="7fff"/>
- <field name="tcp.checksum" showname="Checksum: 0x0000 [validation disabled]" size="2" pos="36" show="0x00000000" value="0000">
- <field name="tcp.checksum_good" showname="Good Checksum: False" size="2" pos="36" show="0" value="0000"/>
- <field name="tcp.checksum_bad" showname="Bad Checksum: False" size="2" pos="36" show="0" value="0000"/>
- </field>
- <field name="tcp.urgent_pointer" showname="Urgent pointer: 0" size="2" pos="38" show="0" value="0000"/>
- <field name="tcp.analysis" showname="SEQ/ACK analysis" size="0" pos="20" show="" value="">
- <field name="tcp.analysis.initial_rtt" showname="iRTT: 0.000020000 seconds" size="0" pos="20" show="0.000020000"/>
- <field name="tcp.analysis.bytes_in_flight" showname="Bytes in flight: 3098" size="0" pos="20" show="3098"/>
- </field>
- <field name="tcp.pdu.size" showname="PDU Size: 3098" size="3098" pos="20" show="3098" value="...elided..."/>
- <field name="tcp.segment_data" showname="TCP segment data (98 bytes)" size="98" pos="40" show="...elided..." value="...elided..."/>
- </proto>
- <proto name="fake-field-wrapper">
- <field name="tcp.segments" showname="3 Reassembled TCP Segments (3098 bytes): #3103(1500), #3104(1500), #3105(98)" size="3098" pos="0" show="" value="">
- <field name="tcp.segment" showname="Frame: 3103, payload: 0-1499 (1500 bytes)" size="1500" pos="0" show="3103" value="...elided..."/>
- <field name="tcp.segment" showname="Frame: 3104, payload: 1500-2999 (1500 bytes)" size="1500" pos="1500" show="3104" value="...elided..."/>
- <field name="tcp.segment" showname="Frame: 3105, payload: 3000-3097 (98 bytes)" size="98" pos="3000" show="3105" value="...elided..."/>
- <field name="tcp.segment.count" showname="Segment count: 3" size="0" pos="0" show="3"/>
- <field name="tcp.reassembled.length" showname="Reassembled TCP length: 3098" size="0" pos="0" show="3098"/>
-<field name="tcp.reassembled.data" showname="Reassembled TCP Data: 30820c1602010360820c0f0201030400a3820c06040a4753..." size="3098" pos="0" show="...elided ..."/>
- </field>
-</proto>
- <proto name="ldap" showname="Lightweight Directory Access Protocol" size="3098" pos="0">
- <field name="ldap.LDAPMessage_element" showname="LDAPMessage bindRequest(3) &quot;&lt;ROOT&gt;&quot; sasl" size="3098" pos="0" show="" value="">
- <field name="ldap.messageID" showname="messageID: 3" size="1" pos="6" show="3" value="03"/>
- <field name="ldap.protocolOp" showname="protocolOp: bindRequest (0)" size="3091" pos="7" show="0" value="...elided...">
- <field name="ldap.bindRequest_element" showname="bindRequest" size="3087" pos="11" show="" value="">
- <field name="ldap.version" showname="version: 3" size="1" pos="13" show="3" value="03"/>
- <field name="ldap.name" showname="name: " size="0" pos="16" show=""/>
- <field name="ldap.authentication" showname="authentication: sasl (3)" size="3078" pos="20" show="3" value="...elided...">
- <field name="ldap.sasl_element" showname="sasl" size="3078" pos="20" show="" value="">
- <field name="ldap.mechanism" showname="mechanism: GSS-SPNEGO" size="10" pos="22" show="GSS-SPNEGO" value="4753532d53504e45474f"/>
-<field name="ldap.credentials" showname="credentials: 60820bf206062b0601050502a0820be630820be2a0243022..." size="3062" pos="36" show="...elided..."/>
- <proto name="gss-api" showname="GSS-API Generic Security Service Application Program Interface" size="3062" pos="36">
- <field name="gss-api.OID" showname="OID: 1.3.6.1.5.5.2 (SPNEGO - Simple Protected Negotiation)" size="6" pos="42" show="1.3.6.1.5.5.2" value="2b0601050502"/>
- <proto name="spnego" showname="Simple Protected Negotiation" size="3050" pos="48">
- <field name="spnego.negTokenInit_element" showname="negTokenInit" size="3046" pos="52" show="" value="">
- <field name="spnego.mechTypes" showname="mechTypes: 3 items" size="34" pos="60" show="3" value="06092a864882f71201020206092a864886f712010202060a2b06010401823702020a">
- <field name="spnego.MechType" showname="MechType: 1.2.840.48018.1.2.2 (MS KRB5 - Microsoft Kerberos 5)" size="9" pos="62" show="1.2.840.48018.1.2.2" value="2a864882f712010202"/>
- <field name="spnego.MechType" showname="MechType: 1.2.840.113554.1.2.2 (KRB5 - Kerberos 5)" size="9" pos="73" show="1.2.840.113554.1.2.2" value="2a864886f712010202"/>
- <field name="spnego.MechType" showname="MechType: 1.3.6.1.4.1.311.2.2.10 (NTLMSSP - Microsoft NTLM Security Support Provider)" size="10" pos="84" show="1.3.6.1.4.1.311.2.2.10" value="2b06010401823702020a"/>
- </field>
- <field name="spnego.mechToken" showname="mechToken: 60820bb006092a864886f71201020201006e820b9f30820b..." size="2996" pos="102" show="... elided ..."/>
-<field name="spnego.krb5.blob" showname="krb5_blob: 60820bb006092a864886f71201020201006e820b9f30820b..." size="2979" pos="102" show="...elided...">
- <field name="spnego.krb5_oid" showname="KRB5 OID: 1.2.840.113554.1.2.2 (KRB5 - Kerberos 5)" size="9" pos="108" show="1.2.840.113554.1.2.2" value="2a864886f712010202"/>
- <field name="spnego.krb5.tok_id" showname="krb5_tok_id: KRB5_AP_REQ (0x0001)" size="2" pos="117" show="0x00000001" value="0100"/>
- <proto name="kerberos" showname="Kerberos" size="2979" pos="119">
- <field name="kerberos.ap_req_element" showname="ap-req" size="2975" pos="123" show="" value="">
- <field name="kerberos.pvno" showname="pvno: 5" size="1" pos="131" show="5" value="05"/>
- <field name="kerberos.msg_type" showname="msg-type: krb-ap-req (14)" size="1" pos="136" show="14" value="0e"/>
- <field name="ber.bitstring.padding" showname="Padding: 0" size="1" pos="141" show="0" value="00"/>
- <field name="kerberos.ap_options" showname="ap-options: 20000000 (mutual-required)" size="4" pos="142" show="20:00:00:00" value="20000000">
- <field name="kerberos.reserved" showname="0... .... = reserved: False" size="1" pos="142" show="0" value="0" unmaskedvalue="20"/>
- <field name="kerberos.use-session-key" showname=".0.. .... = use-session-key: False" size="1" pos="142" show="0" value="0" unmaskedvalue="20"/>
- <field name="kerberos.mutual-required" showname="..1. .... = mutual-required: True" size="1" pos="142" show="1" value="FFFFFFFF" unmaskedvalue="20"/>
- </field>
- <field name="kerberos.ticket_element" showname="ticket" size="1149" pos="154" show="" value="">
- <field name="kerberos.tkt_vno" showname="tkt-vno: 5" size="1" pos="162" show="5" value="05"/>
- <field name="kerberos.realm" showname="realm: SAMBA.EXAMPLE.COM" size="17" pos="167" show="SAMBA.EXAMPLE.COM" value="53414d42412e4558414d504c452e434f4d"/>
- <field name="kerberos.sname_element" showname="sname" size="26" pos="186" show="" value="">
- <field name="kerberos.name_type" showname="name-type: kRB5-NT-PRINCIPAL (1)" size="1" pos="192" show="1" value="01"/>
- <field name="kerberos.name_string" showname="name-string: 2 items" size="15" pos="197" show="2" value="1b046c6461701b076c6f63616c6463">
- <field name="kerberos.KerberosString" showname="KerberosString: ldap" size="4" pos="199" show="ldap" value="6c646170"/>
- <field name="kerberos.KerberosString" showname="KerberosString: localdc" size="7" pos="205" show="localdc" value="6c6f63616c6463"/>
- </field>
- </field>
- <field name="kerberos.enc_part_element" showname="enc-part" size="1087" pos="216" show="" value="">
- <field name="kerberos.etype" showname="etype: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)" size="1" pos="224" show="18" value="12"/>
- <field name="kerberos.kvno" showname="kvno: 1" size="1" pos="229" show="1" value="01"/>
- <field name="kerberos.cipher" showname="cipher: 024239fcb8e525339bcf284915f78b5e83507ed9ab592579..." size="1065" pos="238" show="...elided..."/>
- </field>
- </field>
- <field name="kerberos.authenticator_element" showname="authenticator" size="1791" pos="1307" show="" value="">
- <field name="kerberos.etype" showname="etype: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)" size="1" pos="1315" show="18" value="12"/>
- <field name="kerberos.cipher" showname="cipher: fce1dd0bc30bb4341ecc246b1a495b189ed13aec7c2c304c..." size="1774" pos="1324" show="...elided..."/>
- </field>
- </field>
- </proto>
- </field>
- </field>
- </proto>
- </proto>
- </field>
- </field>
- </field>
- </field>
- </field>
- </proto>
-</packet>
-
-
-<packet>
- <proto name="geninfo" pos="0" showname="General information" size="245">
- <field name="num" pos="0" show="3110" showname="Number" value="c26" size="245"/>
- <field name="len" pos="0" show="245" showname="Frame Length" value="f5" size="245"/>
- <field name="caplen" pos="0" show="245" showname="Captured Length" value="f5" size="245"/>
- <field name="timestamp" pos="0" show="Feb 10, 2017 14:36:24.774978000 NZDT" showname="Captured Time" value="1486690584.774978000" size="245"/>
- </proto>
- <proto name="frame" showname="Frame 3110: 245 bytes on wire (1960 bits), 245 bytes captured (1960 bits)" size="245" pos="0">
- <field name="frame.encap_type" showname="Encapsulation type: Raw IP (7)" size="0" pos="0" show="7"/>
- <field name="frame.time" showname="Arrival Time: Feb 10, 2017 14:36:24.774978000 NZDT" size="0" pos="0" show="Feb 10, 2017 14:36:24.774978000 NZDT"/>
- <field name="frame.offset_shift" showname="Time shift for this packet: 0.000000000 seconds" size="0" pos="0" show="0.000000000"/>
- <field name="frame.time_epoch" showname="Epoch Time: 1486690584.774978000 seconds" size="0" pos="0" show="1486690584.774978000"/>
- <field name="frame.time_delta" showname="Time delta from previous captured frame: 0.004542000 seconds" size="0" pos="0" show="0.004542000"/>
- <field name="frame.time_delta_displayed" showname="Time delta from previous displayed frame: 0.004542000 seconds" size="0" pos="0" show="0.004542000"/>
- <field name="frame.time_relative" showname="Time since reference or first frame: 8.244527000 seconds" size="0" pos="0" show="8.244527000"/>
- <field name="frame.number" showname="Frame Number: 3110" size="0" pos="0" show="3110"/>
- <field name="frame.len" showname="Frame Length: 245 bytes (1960 bits)" size="0" pos="0" show="245"/>
- <field name="frame.cap_len" showname="Capture Length: 245 bytes (1960 bits)" size="0" pos="0" show="245"/>
- <field name="frame.marked" showname="Frame is marked: False" size="0" pos="0" show="0"/>
- <field name="frame.ignored" showname="Frame is ignored: False" size="0" pos="0" show="0"/>
- <field name="frame.protocols" showname="Protocols in frame: raw:ip:tcp:ldap:spnego:spnego-krb5" size="0" pos="0" show="raw:ip:tcp:ldap:spnego:spnego-krb5"/>
- </proto>
- <proto name="raw" showname="Raw packet data" size="245" pos="0"/>
- <proto name="ip" showname="Internet Protocol Version 4, Src: 127.0.0.21, Dst: 127.0.0.11" size="20" pos="0">
- <field name="ip.version" showname="0100 .... = Version: 4" size="1" pos="0" show="4" value="4" unmaskedvalue="45"/>
- <field name="ip.hdr_len" showname=".... 0101 = Header Length: 20 bytes" size="1" pos="0" show="5" value="5" unmaskedvalue="45"/>
- <field name="ip.dsfield" showname="Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)" size="1" pos="1" show="0x00000000" value="00">
- <field name="ip.dsfield.dscp" showname="0000 00.. = Differentiated Services Codepoint: Default (0)" size="1" pos="1" show="0" value="0" unmaskedvalue="00"/>
- <field name="ip.dsfield.ecn" showname=".... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)" size="1" pos="1" show="0" value="0" unmaskedvalue="00"/>
- </field>
- <field name="ip.len" showname="Total Length: 245" size="2" pos="2" show="245" value="00f5"/>
- <field name="ip.id" showname="Identification: 0xffff (65535)" size="2" pos="4" show="0x0000ffff" value="ffff"/>
- <field name="ip.flags" showname="Flags: 0x02 (Don&#x27;t Fragment)" size="1" pos="6" show="0x00000002" value="40">
- <field name="ip.flags.rb" showname="0... .... = Reserved bit: Not set" size="1" pos="6" show="0" value="40"/>
- <field name="ip.flags.df" showname=".1.. .... = Don&#x27;t fragment: Set" size="1" pos="6" show="1" value="40"/>
- <field name="ip.flags.mf" showname="..0. .... = More fragments: Not set" size="1" pos="6" show="0" value="40"/>
- </field>
- <field name="ip.frag_offset" showname="Fragment offset: 0" size="2" pos="6" show="0" value="4000"/>
- <field name="ip.ttl" showname="Time to live: 255" size="1" pos="8" show="255" value="ff"/>
- <field name="ip.proto" showname="Protocol: TCP (6)" size="1" pos="9" show="6" value="06"/>
- <field name="ip.checksum" showname="Header checksum: 0x0000 [validation disabled]" size="2" pos="10" show="0x00000000" value="0000">
- <field name="ip.checksum_good" showname="Good: False" size="2" pos="10" show="0" value="0000"/>
- <field name="ip.checksum_bad" showname="Bad: False" size="2" pos="10" show="0" value="0000"/>
- </field>
- <field name="ip.src" showname="Source: 127.0.0.21" size="4" pos="12" show="127.0.0.21" value="7f000015"/>
- <field name="ip.addr" showname="Source or Destination Address: 127.0.0.21" hide="yes" size="4" pos="12" show="127.0.0.21" value="7f000015"/>
- <field name="ip.src_host" showname="Source Host: 127.0.0.21" hide="yes" size="4" pos="12" show="127.0.0.21" value="7f000015"/>
- <field name="ip.host" showname="Source or Destination Host: 127.0.0.21" hide="yes" size="4" pos="12" show="127.0.0.21" value="7f000015"/>
- <field name="ip.dst" showname="Destination: 127.0.0.11" size="4" pos="16" show="127.0.0.11" value="7f00000b"/>
- <field name="ip.addr" showname="Source or Destination Address: 127.0.0.11" hide="yes" size="4" pos="16" show="127.0.0.11" value="7f00000b"/>
- <field name="ip.dst_host" showname="Destination Host: 127.0.0.11" hide="yes" size="4" pos="16" show="127.0.0.11" value="7f00000b"/>
- <field name="ip.host" showname="Source or Destination Host: 127.0.0.11" hide="yes" size="4" pos="16" show="127.0.0.11" value="7f00000b"/>
- <field name="" show="Source GeoIP: Unknown" size="4" pos="12" value="7f000015"/>
- <field name="" show="Destination GeoIP: Unknown" size="4" pos="16" value="7f00000b"/>
- </proto>
- <proto name="tcp" showname="Transmission Control Protocol, Src Port: 389 (389), Dst Port: 14794 (14794), Seq: 332, Ack: 6282, Len: 205" size="20" pos="20">
- <field name="tcp.srcport" showname="Source Port: 389" size="2" pos="20" show="389" value="0185"/>
- <field name="tcp.dstport" showname="Destination Port: 14794" size="2" pos="22" show="14794" value="39ca"/>
- <field name="tcp.port" showname="Source or Destination Port: 389" hide="yes" size="2" pos="20" show="389" value="0185"/>
- <field name="tcp.port" showname="Source or Destination Port: 14794" hide="yes" size="2" pos="22" show="14794" value="39ca"/>
- <field name="tcp.stream" showname="Stream index: 60" size="0" pos="20" show="60"/>
- <field name="tcp.len" showname="TCP Segment Len: 205" size="1" pos="32" show="205" value="50"/>
- <field name="tcp.seq" showname="Sequence number: 332 (relative sequence number)" size="4" pos="24" show="332" value="0000014c"/>
- <field name="tcp.nxtseq" showname="Next sequence number: 537 (relative sequence number)" size="0" pos="20" show="537"/>
- <field name="tcp.ack" showname="Acknowledgment number: 6282 (relative ack number)" size="4" pos="28" show="6282" value="0000188a"/>
- <field name="tcp.hdr_len" showname="Header Length: 20 bytes" size="1" pos="32" show="20" value="50"/>
- <field name="tcp.flags" showname="Flags: 0x018 (PSH, ACK)" size="2" pos="32" show="0x00000018" value="18" unmaskedvalue="5018">
- <field name="tcp.flags.res" showname="000. .... .... = Reserved: Not set" size="1" pos="32" show="0" value="0" unmaskedvalue="50"/>
- <field name="tcp.flags.ns" showname="...0 .... .... = Nonce: Not set" size="1" pos="32" show="0" value="0" unmaskedvalue="50"/>
- <field name="tcp.flags.cwr" showname=".... 0... .... = Congestion Window Reduced (CWR): Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
- <field name="tcp.flags.ecn" showname=".... .0.. .... = ECN-Echo: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
- <field name="tcp.flags.urg" showname=".... ..0. .... = Urgent: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
- <field name="tcp.flags.ack" showname=".... ...1 .... = Acknowledgment: Set" size="1" pos="33" show="1" value="FFFFFFFF" unmaskedvalue="18"/>
- <field name="tcp.flags.push" showname=".... .... 1... = Push: Set" size="1" pos="33" show="1" value="FFFFFFFF" unmaskedvalue="18"/>
- <field name="tcp.flags.reset" showname=".... .... .0.. = Reset: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
- <field name="tcp.flags.syn" showname=".... .... ..0. = Syn: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
- <field name="tcp.flags.fin" showname=".... .... ...0 = Fin: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
- <field name="tcp.flags.str" showname="TCP Flags: *******AP***" size="2" pos="32" show="*******AP***" value="5018"/>
- </field>
- <field name="tcp.window_size_value" showname="Window size value: 32767" size="2" pos="34" show="32767" value="7fff"/>
- <field name="tcp.window_size" showname="Calculated window size: 32767" size="2" pos="34" show="32767" value="7fff"/>
- <field name="tcp.window_size_scalefactor" showname="Window size scaling factor: -2 (no window scaling used)" size="2" pos="34" show="-2" value="7fff"/>
- <field name="tcp.checksum" showname="Checksum: 0x0000 [validation disabled]" size="2" pos="36" show="0x00000000" value="0000">
- <field name="tcp.checksum_good" showname="Good Checksum: False" size="2" pos="36" show="0" value="0000"/>
- <field name="tcp.checksum_bad" showname="Bad Checksum: False" size="2" pos="36" show="0" value="0000"/>
- </field>
- <field name="tcp.urgent_pointer" showname="Urgent pointer: 0" size="2" pos="38" show="0" value="0000"/>
- <field name="tcp.analysis" showname="SEQ/ACK analysis" size="0" pos="20" show="" value="">
- <field name="tcp.analysis.acks_frame" showname="This is an ACK to the segment in frame: 3105" size="0" pos="20" show="3105"/>
- <field name="tcp.analysis.ack_rtt" showname="The RTT to ACK the segment was: 0.004634000 seconds" size="0" pos="20" show="0.004634000"/>
- <field name="tcp.analysis.initial_rtt" showname="iRTT: 0.000020000 seconds" size="0" pos="20" show="0.000020000"/>
- <field name="tcp.analysis.bytes_in_flight" showname="Bytes in flight: 205" size="0" pos="20" show="205"/>
- </field>
- <field name="tcp.pdu.size" showname="PDU Size: 205" size="205" pos="40" show="205" value="3081ca0201036181c40a0100040004008781baa181b73081b4a0030a0100a10b06092a864882f712010202a2819f04819c60819906092a864886f71201020202006f8189308186a003020105a10302010fa27a3078a003020112a271046f2db61233c561f67b14ba4337ca9dcef2c88e925b29c1d2cfa6d4852ae0ac9c3d140a024f2e8d4c2d7211bd69c753416bfa8160c7317e948e506ce510e46456672b4b42d14a0c83f34bf0f6afb2b073adeed33044cb414ab8e7ff72208b26f402155c562e6ff9201f5d5a7cd9a4a244"/>
- </proto>
- <proto name="ldap" showname="Lightweight Directory Access Protocol" size="205" pos="40">
- <field name="ldap.LDAPMessage_element" showname="LDAPMessage bindResponse(3) success" size="205" pos="40" show="" value="">
- <field name="ldap.messageID" showname="messageID: 3" size="1" pos="45" show="3" value="03"/>
- <field name="ldap.protocolOp" showname="protocolOp: bindResponse (1)" size="199" pos="46" show="1" value="6181c40a0100040004008781baa181b73081b4a0030a0100a10b06092a864882f712010202a2819f04819c60819906092a864886f71201020202006f8189308186a003020105a10302010fa27a3078a003020112a271046f2db61233c561f67b14ba4337ca9dcef2c88e925b29c1d2cfa6d4852ae0ac9c3d140a024f2e8d4c2d7211bd69c753416bfa8160c7317e948e506ce510e46456672b4b42d14a0c83f34bf0f6afb2b073adeed33044cb414ab8e7ff72208b26f402155c562e6ff9201f5d5a7cd9a4a244">
- <field name="ldap.bindResponse_element" showname="bindResponse" size="196" pos="49" show="" value="">
- <field name="ldap.resultCode" showname="resultCode: success (0)" size="1" pos="51" show="0" value="00"/>
- <field name="ldap.matchedDN" showname="matchedDN: " size="0" pos="54" show=""/>
- <field name="ldap.errorMessage" showname="errorMessage: " size="0" pos="56" show=""/>
- <field name="ldap.serverSaslCreds" showname="serverSaslCreds: a181b73081b4a0030a0100a10b06092a864882f712010202..." size="186" pos="59" show="a1:81:b7:30:81:b4:a0:03:0a:01:00:a1:0b:06:09:2a:86:48:82:f7:12:01:02:02:a2:81:9f:04:81:9c:60:81:99:06:09:2a:86:48:86:f7:12:01:02:02:02:00:6f:81:89:30:81:86:a0:03:02:01:05:a1:03:02:01:0f:a2:7a:30:78:a0:03:02:01:12:a2:71:04:6f:2d:b6:12:33:c5:61:f6:7b:14:ba:43:37:ca:9d:ce:f2:c8:8e:92:5b:29:c1:d2:cf:a6:d4:85:2a:e0:ac:9c:3d:14:0a:02:4f:2e:8d:4c:2d:72:11:bd:69:c7:53:41:6b:fa:81:60:c7:31:7e:94:8e:50:6c:e5:10:e4:64:56:67:2b:4b:42:d1:4a:0c:83:f3:4b:f0:f6:af:b2:b0:73:ad:ee:d3:30:44:cb:41:4a:b8:e7:ff:72:20:8b:26:f4:02:15:5c:56:2e:6f:f9:20:1f:5d:5a:7c:d9:a4:a2:44" value="a181b73081b4a0030a0100a10b06092a864882f712010202a2819f04819c60819906092a864886f71201020202006f8189308186a003020105a10302010fa27a3078a003020112a271046f2db61233c561f67b14ba4337ca9dcef2c88e925b29c1d2cfa6d4852ae0ac9c3d140a024f2e8d4c2d7211bd69c753416bfa8160c7317e948e506ce510e46456672b4b42d14a0c83f34bf0f6afb2b073adeed33044cb414ab8e7ff72208b26f402155c562e6ff9201f5d5a7cd9a4a244"/>
- <proto name="spnego" showname="Simple Protected Negotiation" size="186" pos="59">
- <field name="spnego.negTokenTarg_element" showname="negTokenTarg" size="183" pos="62" show="" value="">
- <field name="spnego.negResult" showname="negResult: accept-completed (0)" size="1" pos="69" show="0" value="00"/>
- <field name="spnego.supportedMech" showname="supportedMech: 1.2.840.48018.1.2.2 (MS KRB5 - Microsoft Kerberos 5)" size="9" pos="74" show="1.2.840.48018.1.2.2" value="2a864882f712010202"/>
- <field name="spnego.responseToken" showname="responseToken: 60819906092a864886f71201020202006f8189308186a003..." size="156" pos="89" show="60:81:99:06:09:2a:86:48:86:f7:12:01:02:02:02:00:6f:81:89:30:81:86:a0:03:02:01:05:a1:03:02:01:0f:a2:7a:30:78:a0:03:02:01:12:a2:71:04:6f:2d:b6:12:33:c5:61:f6:7b:14:ba:43:37:ca:9d:ce:f2:c8:8e:92:5b:29:c1:d2:cf:a6:d4:85:2a:e0:ac:9c:3d:14:0a:02:4f:2e:8d:4c:2d:72:11:bd:69:c7:53:41:6b:fa:81:60:c7:31:7e:94:8e:50:6c:e5:10:e4:64:56:67:2b:4b:42:d1:4a:0c:83:f3:4b:f0:f6:af:b2:b0:73:ad:ee:d3:30:44:cb:41:4a:b8:e7:ff:72:20:8b:26:f4:02:15:5c:56:2e:6f:f9:20:1f:5d:5a:7c:d9:a4:a2:44" value="60819906092a864886f71201020202006f8189308186a003020105a10302010fa27a3078a003020112a271046f2db61233c561f67b14ba4337ca9dcef2c88e925b29c1d2cfa6d4852ae0ac9c3d140a024f2e8d4c2d7211bd69c753416bfa8160c7317e948e506ce510e46456672b4b42d14a0c83f34bf0f6afb2b073adeed33044cb414ab8e7ff72208b26f402155c562e6ff9201f5d5a7cd9a4a244"/>
- <field name="spnego.krb5.blob" showname="krb5_blob: 60819906092a864886f71201020202006f8189308186a003..." size="140" pos="89" show="60:81:99:06:09:2a:86:48:86:f7:12:01:02:02:02:00:6f:81:89:30:81:86:a0:03:02:01:05:a1:03:02:01:0f:a2:7a:30:78:a0:03:02:01:12:a2:71:04:6f:2d:b6:12:33:c5:61:f6:7b:14:ba:43:37:ca:9d:ce:f2:c8:8e:92:5b:29:c1:d2:cf:a6:d4:85:2a:e0:ac:9c:3d:14:0a:02:4f:2e:8d:4c:2d:72:11:bd:69:c7:53:41:6b:fa:81:60:c7:31:7e:94:8e:50:6c:e5:10:e4:64:56:67:2b:4b:42:d1:4a:0c:83:f3:4b:f0:f6:af:b2:b0:73:ad:ee:d3:30:44:cb:41:4a:b8:e7:ff:72:20:8b:26:f4" value="60819906092a864886f71201020202006f8189308186a003020105a10302010fa27a3078a003020112a271046f2db61233c561f67b14ba4337ca9dcef2c88e925b29c1d2cfa6d4852ae0ac9c3d140a024f2e8d4c2d7211bd69c753416bfa8160c7317e948e506ce510e46456672b4b42d14a0c83f34bf0f6afb2b073adeed33044cb414ab8e7ff72208b26f4">
- <field name="spnego.krb5_oid" showname="KRB5 OID: 1.2.840.113554.1.2.2 (KRB5 - Kerberos 5)" size="9" pos="94" show="1.2.840.113554.1.2.2" value="2a864886f712010202"/>
- <field name="spnego.krb5.tok_id" showname="krb5_tok_id: KRB5_AP_REP (0x0002)" size="2" pos="103" show="0x00000002" value="0200"/>
- <proto name="kerberos" showname="Kerberos" size="140" pos="105">
- <field name="kerberos.ap_rep_element" showname="ap-rep" size="137" pos="108" show="" value="">
- <field name="kerberos.pvno" showname="pvno: 5" size="1" pos="115" show="5" value="05"/>
- <field name="kerberos.msg_type" showname="msg-type: krb-ap-rep (15)" size="1" pos="120" show="15" value="0f"/>
- <field name="kerberos.enc_part_element" showname="enc-part" size="122" pos="123" show="" value="">
- <field name="kerberos.etype" showname="etype: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)" size="1" pos="129" show="18" value="12"/>
- <field name="kerberos.cipher" showname="cipher: 2db61233c561f67b14ba4337ca9dcef2c88e925b29c1d2cf..." size="111" pos="134" show="2d:b6:12:33:c5:61:f6:7b:14:ba:43:37:ca:9d:ce:f2:c8:8e:92:5b:29:c1:d2:cf:a6:d4:85:2a:e0:ac:9c:3d:14:0a:02:4f:2e:8d:4c:2d:72:11:bd:69:c7:53:41:6b:fa:81:60:c7:31:7e:94:8e:50:6c:e5:10:e4:64:56:67:2b:4b:42:d1:4a:0c:83:f3:4b:f0:f6:af:b2:b0:73:ad:ee:d3:30:44:cb:41:4a:b8:e7:ff:72:20:8b:26:f4:02:15:5c:56:2e:6f:f9:20:1f:5d:5a:7c:d9:a4:a2:44" value="2db61233c561f67b14ba4337ca9dcef2c88e925b29c1d2cfa6d4852ae0ac9c3d140a024f2e8d4c2d7211bd69c753416bfa8160c7317e948e506ce510e46456672b4b42d14a0c83f34bf0f6afb2b073adeed33044cb414ab8e7ff72208b26f402155c562e6ff9201f5d5a7cd9a4a244"/>
- </field>
- </field>
- </proto>
- </field>
- </field>
- </proto>
- </field>
- </field>
- <field name="ldap.response_to" showname="Response To: 3105" size="0" pos="46" show="3105"/>
- <field name="ldap.time" showname="Time: 0.004634000 seconds" size="0" pos="46" show="0.004634000"/>
- </field>
- </proto>
-</packet>
-
-<packet>
- <proto name="geninfo" pos="0" showname="General information" size="209">
- <field name="num" pos="0" show="3113" showname="Number" value="c29" size="209"/>
- <field name="len" pos="0" show="209" showname="Frame Length" value="d1" size="209"/>
- <field name="caplen" pos="0" show="209" showname="Captured Length" value="d1" size="209"/>
- <field name="timestamp" pos="0" show="Feb 10, 2017 14:36:24.775218000 NZDT" showname="Captured Time" value="1486690584.775218000" size="209"/>
- </proto>
- <proto name="frame" showname="Frame 3113: 209 bytes on wire (1672 bits), 209 bytes captured (1672 bits)" size="209" pos="0">
- <field name="frame.encap_type" showname="Encapsulation type: Raw IP (7)" size="0" pos="0" show="7"/>
- <field name="frame.time" showname="Arrival Time: Feb 10, 2017 14:36:24.775218000 NZDT" size="0" pos="0" show="Feb 10, 2017 14:36:24.775218000 NZDT"/>
- <field name="frame.offset_shift" showname="Time shift for this packet: 0.000000000 seconds" size="0" pos="0" show="0.000000000"/>
- <field name="frame.time_epoch" showname="Epoch Time: 1486690584.775218000 seconds" size="0" pos="0" show="1486690584.775218000"/>
- <field name="frame.time_delta" showname="Time delta from previous captured frame: 0.000137000 seconds" size="0" pos="0" show="0.000137000"/>
- <field name="frame.time_delta_displayed" showname="Time delta from previous displayed frame: 0.000137000 seconds" size="0" pos="0" show="0.000137000"/>
- <field name="frame.time_relative" showname="Time since reference or first frame: 8.244767000 seconds" size="0" pos="0" show="8.244767000"/>
- <field name="frame.number" showname="Frame Number: 3113" size="0" pos="0" show="3113"/>
- <field name="frame.len" showname="Frame Length: 209 bytes (1672 bits)" size="0" pos="0" show="209"/>
- <field name="frame.cap_len" showname="Capture Length: 209 bytes (1672 bits)" size="0" pos="0" show="209"/>
- <field name="frame.marked" showname="Frame is marked: False" size="0" pos="0" show="0"/>
- <field name="frame.ignored" showname="Frame is ignored: False" size="0" pos="0" show="0"/>
- <field name="frame.protocols" showname="Protocols in frame: raw:ip:tcp:ldap:gss-api:spnego-krb5" size="0" pos="0" show="raw:ip:tcp:ldap:gss-api:spnego-krb5"/>
- </proto>
- <proto name="raw" showname="Raw packet data" size="209" pos="0"/>
- <proto name="ip" showname="Internet Protocol Version 4, Src: 127.0.0.11, Dst: 127.0.0.21" size="20" pos="0">
- <field name="ip.version" showname="0100 .... = Version: 4" size="1" pos="0" show="4" value="4" unmaskedvalue="45"/>
- <field name="ip.hdr_len" showname=".... 0101 = Header Length: 20 bytes" size="1" pos="0" show="5" value="5" unmaskedvalue="45"/>
- <field name="ip.dsfield" showname="Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)" size="1" pos="1" show="0x00000000" value="00">
- <field name="ip.dsfield.dscp" showname="0000 00.. = Differentiated Services Codepoint: Default (0)" size="1" pos="1" show="0" value="0" unmaskedvalue="00"/>
- <field name="ip.dsfield.ecn" showname=".... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)" size="1" pos="1" show="0" value="0" unmaskedvalue="00"/>
- </field>
- <field name="ip.len" showname="Total Length: 209" size="2" pos="2" show="209" value="00d1"/>
- <field name="ip.id" showname="Identification: 0xffff (65535)" size="2" pos="4" show="0x0000ffff" value="ffff"/>
- <field name="ip.flags" showname="Flags: 0x02 (Don&#x27;t Fragment)" size="1" pos="6" show="0x00000002" value="40">
- <field name="ip.flags.rb" showname="0... .... = Reserved bit: Not set" size="1" pos="6" show="0" value="40"/>
- <field name="ip.flags.df" showname=".1.. .... = Don&#x27;t fragment: Set" size="1" pos="6" show="1" value="40"/>
- <field name="ip.flags.mf" showname="..0. .... = More fragments: Not set" size="1" pos="6" show="0" value="40"/>
- </field>
- <field name="ip.frag_offset" showname="Fragment offset: 0" size="2" pos="6" show="0" value="4000"/>
- <field name="ip.ttl" showname="Time to live: 255" size="1" pos="8" show="255" value="ff"/>
- <field name="ip.proto" showname="Protocol: TCP (6)" size="1" pos="9" show="6" value="06"/>
- <field name="ip.checksum" showname="Header checksum: 0x0000 [validation disabled]" size="2" pos="10" show="0x00000000" value="0000">
- <field name="ip.checksum_good" showname="Good: False" size="2" pos="10" show="0" value="0000"/>
- <field name="ip.checksum_bad" showname="Bad: False" size="2" pos="10" show="0" value="0000"/>
- </field>
- <field name="ip.src" showname="Source: 127.0.0.11" size="4" pos="12" show="127.0.0.11" value="7f00000b"/>
- <field name="ip.addr" showname="Source or Destination Address: 127.0.0.11" hide="yes" size="4" pos="12" show="127.0.0.11" value="7f00000b"/>
- <field name="ip.src_host" showname="Source Host: 127.0.0.11" hide="yes" size="4" pos="12" show="127.0.0.11" value="7f00000b"/>
- <field name="ip.host" showname="Source or Destination Host: 127.0.0.11" hide="yes" size="4" pos="12" show="127.0.0.11" value="7f00000b"/>
- <field name="ip.dst" showname="Destination: 127.0.0.21" size="4" pos="16" show="127.0.0.21" value="7f000015"/>
- <field name="ip.addr" showname="Source or Destination Address: 127.0.0.21" hide="yes" size="4" pos="16" show="127.0.0.21" value="7f000015"/>
- <field name="ip.dst_host" showname="Destination Host: 127.0.0.21" hide="yes" size="4" pos="16" show="127.0.0.21" value="7f000015"/>
- <field name="ip.host" showname="Source or Destination Host: 127.0.0.21" hide="yes" size="4" pos="16" show="127.0.0.21" value="7f000015"/>
- <field name="" show="Source GeoIP: Unknown" size="4" pos="12" value="7f00000b"/>
- <field name="" show="Destination GeoIP: Unknown" size="4" pos="16" value="7f000015"/>
- </proto>
- <proto name="tcp" showname="Transmission Control Protocol, Src Port: 14794 (14794), Dst Port: 389 (389), Seq: 6282, Ack: 537, Len: 169" size="20" pos="20">
- <field name="tcp.srcport" showname="Source Port: 14794" size="2" pos="20" show="14794" value="39ca"/>
- <field name="tcp.dstport" showname="Destination Port: 389" size="2" pos="22" show="389" value="0185"/>
- <field name="tcp.port" showname="Source or Destination Port: 14794" hide="yes" size="2" pos="20" show="14794" value="39ca"/>
- <field name="tcp.port" showname="Source or Destination Port: 389" hide="yes" size="2" pos="22" show="389" value="0185"/>
- <field name="tcp.stream" showname="Stream index: 60" size="0" pos="20" show="60"/>
- <field name="tcp.len" showname="TCP Segment Len: 169" size="1" pos="32" show="169" value="50"/>
- <field name="tcp.seq" showname="Sequence number: 6282 (relative sequence number)" size="4" pos="24" show="6282" value="0000188a"/>
- <field name="tcp.nxtseq" showname="Next sequence number: 6451 (relative sequence number)" size="0" pos="20" show="6451"/>
- <field name="tcp.ack" showname="Acknowledgment number: 537 (relative ack number)" size="4" pos="28" show="537" value="00000219"/>
- <field name="tcp.hdr_len" showname="Header Length: 20 bytes" size="1" pos="32" show="20" value="50"/>
- <field name="tcp.flags" showname="Flags: 0x018 (PSH, ACK)" size="2" pos="32" show="0x00000018" value="18" unmaskedvalue="5018">
- <field name="tcp.flags.res" showname="000. .... .... = Reserved: Not set" size="1" pos="32" show="0" value="0" unmaskedvalue="50"/>
- <field name="tcp.flags.ns" showname="...0 .... .... = Nonce: Not set" size="1" pos="32" show="0" value="0" unmaskedvalue="50"/>
- <field name="tcp.flags.cwr" showname=".... 0... .... = Congestion Window Reduced (CWR): Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
- <field name="tcp.flags.ecn" showname=".... .0.. .... = ECN-Echo: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
- <field name="tcp.flags.urg" showname=".... ..0. .... = Urgent: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
- <field name="tcp.flags.ack" showname=".... ...1 .... = Acknowledgment: Set" size="1" pos="33" show="1" value="FFFFFFFF" unmaskedvalue="18"/>
- <field name="tcp.flags.push" showname=".... .... 1... = Push: Set" size="1" pos="33" show="1" value="FFFFFFFF" unmaskedvalue="18"/>
- <field name="tcp.flags.reset" showname=".... .... .0.. = Reset: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
- <field name="tcp.flags.syn" showname=".... .... ..0. = Syn: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
- <field name="tcp.flags.fin" showname=".... .... ...0 = Fin: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
- <field name="tcp.flags.str" showname="TCP Flags: *******AP***" size="2" pos="32" show="*******AP***" value="5018"/>
- </field>
- <field name="tcp.window_size_value" showname="Window size value: 32767" size="2" pos="34" show="32767" value="7fff"/>
- <field name="tcp.window_size" showname="Calculated window size: 32767" size="2" pos="34" show="32767" value="7fff"/>
- <field name="tcp.window_size_scalefactor" showname="Window size scaling factor: -2 (no window scaling used)" size="2" pos="34" show="-2" value="7fff"/>
- <field name="tcp.checksum" showname="Checksum: 0x0000 [validation disabled]" size="2" pos="36" show="0x00000000" value="0000">
- <field name="tcp.checksum_good" showname="Good Checksum: False" size="2" pos="36" show="0" value="0000"/>
- <field name="tcp.checksum_bad" showname="Bad Checksum: False" size="2" pos="36" show="0" value="0000"/>
- </field>
- <field name="tcp.urgent_pointer" showname="Urgent pointer: 0" size="2" pos="38" show="0" value="0000"/>
- <field name="tcp.analysis" showname="SEQ/ACK analysis" size="0" pos="20" show="" value="">
- <field name="tcp.analysis.acks_frame" showname="This is an ACK to the segment in frame: 3110" size="0" pos="20" show="3110"/>
- <field name="tcp.analysis.ack_rtt" showname="The RTT to ACK the segment was: 0.000240000 seconds" size="0" pos="20" show="0.000240000"/>
- <field name="tcp.analysis.initial_rtt" showname="iRTT: 0.000020000 seconds" size="0" pos="20" show="0.000020000"/>
- <field name="tcp.analysis.bytes_in_flight" showname="Bytes in flight: 169" size="0" pos="20" show="169"/>
- </field>
- <field name="tcp.pdu.size" showname="PDU Size: 169" size="169" pos="40" show="169" value="000000a5050404ff000c000c00000000327fba42f2b5c0e4f071d599072f1f8530818602010463818004000a01000a0100020100020100010100870b6f626a656374436c61737330600417726f6f74446f6d61696e4e616d696e67436f6e74657874041a636f6e66696775726174696f6e4e616d696e67436f6e746578740413736368656d614e616d696e67436f6e74657874041464656661756c744e616d696e67436f6e74657874"/>
- </proto>
- <proto name="ldap" showname="Lightweight Directory Access Protocol" size="169" pos="40">
- <field name="ldap.sasl_buffer_length" showname="SASL Buffer Length: 165" size="4" pos="40" show="165" value="000000a5"/>
- <field name="" show="SASL Buffer" size="169" pos="40" value="000000a5050404ff000c000c00000000327fba42f2b5c0e4f071d599072f1f8530818602010463818004000a01000a0100020100020100010100870b6f626a656374436c61737330600417726f6f74446f6d61696e4e616d696e67436f6e74657874041a636f6e66696775726174696f6e4e616d696e67436f6e746578740413736368656d614e616d696e67436f6e74657874041464656661756c744e616d696e67436f6e74657874">
- <proto name="gss-api" showname="GSS-API Generic Security Service Application Program Interface" size="28" pos="44">
- <field name="spnego.krb5.blob" showname="krb5_blob: 050404ff000c000c00000000327fba42f2b5c0e4f071d599..." size="28" pos="44" show="05:04:04:ff:00:0c:00:0c:00:00:00:00:32:7f:ba:42:f2:b5:c0:e4:f0:71:d5:99:07:2f:1f:85" value="050404ff000c000c00000000327fba42f2b5c0e4f071d599072f1f85">
- <field name="spnego.krb5.tok_id" showname="krb5_tok_id: KRB_TOKEN_CFX_WRAP (0x0405)" size="2" pos="44" show="0x00000405" value="0504"/>
- <field name="spnego.krb5.cfx_flags" showname="krb5_cfx_flags: 0x04, AcceptorSubkey" size="1" pos="46" show="0x00000004" value="04">
- <field name="spnego.krb5.acceptor_subkey" showname=".... .1.. = AcceptorSubkey: Set" size="1" pos="46" show="1" value="FFFFFFFF" unmaskedvalue="04"/>
- <field name="spnego.krb5.sealed" showname=".... ..0. = Sealed: Not set" size="1" pos="46" show="0" value="0" unmaskedvalue="04"/>
- <field name="spnego.krb5.send_by_acceptor" showname=".... ...0 = SendByAcceptor: Not set" size="1" pos="46" show="0" value="0" unmaskedvalue="04"/>
- </field>
- <field name="spnego.krb5.filler" showname="krb5_filler: ff" size="1" pos="47" show="ff" value="ff"/>
- <field name="spnego.krb5.cfx_ec" showname="krb5_cfx_ec: 12" size="2" pos="48" show="12" value="000c"/>
- <field name="spnego.krb5.cfx_rrc" showname="krb5_cfx_rrc: 12" size="2" pos="50" show="12" value="000c"/>
- <field name="spnego.krb5.cfx_seq" showname="krb5_cfx_seq: 847231554" size="8" pos="52" show="847231554" value="00000000327fba42"/>
- <field name="spnego.krb5.sgn_cksum" showname="krb5_sgn_cksum: f2b5c0e4f071d599072f1f85" size="12" pos="60" show="f2:b5:c0:e4:f0:71:d5:99:07:2f:1f:85" value="f2b5c0e4f071d599072f1f85"/>
- </field>
- </proto>
- <field name="" show="GSS-API payload (137 bytes)" size="137" pos="72" value="30818602010463818004000a01000a0100020100020100010100870b6f626a656374436c61737330600417726f6f74446f6d61696e4e616d696e67436f6e74657874041a636f6e66696775726174696f6e4e616d696e67436f6e746578740413736368656d614e616d696e67436f6e74657874041464656661756c744e616d696e67436f6e74657874">
- <field name="ldap.LDAPMessage_element" showname="LDAPMessage searchRequest(4) &quot;&lt;ROOT&gt;&quot; baseObject" size="137" pos="72" show="" value="">
- <field name="ldap.messageID" showname="messageID: 4" size="1" pos="77" show="4" value="04"/>
- <field name="ldap.protocolOp" showname="protocolOp: searchRequest (3)" size="131" pos="78" show="3" value="63818004000a01000a0100020100020100010100870b6f626a656374436c61737330600417726f6f74446f6d61696e4e616d696e67436f6e74657874041a636f6e66696775726174696f6e4e616d696e67436f6e746578740413736368656d614e616d696e67436f6e74657874041464656661756c744e616d696e67436f6e74657874">
- <field name="ldap.searchRequest_element" showname="searchRequest" size="128" pos="81" show="" value="">
- <field name="ldap.baseObject" showname="baseObject: " size="0" pos="83" show=""/>
- <field name="ldap.scope" showname="scope: baseObject (0)" size="1" pos="85" show="0" value="00"/>
- <field name="ldap.derefAliases" showname="derefAliases: neverDerefAliases (0)" size="1" pos="88" show="0" value="00"/>
- <field name="ldap.sizeLimit" showname="sizeLimit: 0" size="1" pos="91" show="0" value="00"/>
- <field name="ldap.timeLimit" showname="timeLimit: 0" size="1" pos="94" show="0" value="00"/>
- <field name="ldap.typesOnly" showname="typesOnly: False" size="1" pos="97" show="0" value="00"/>
- <field name="" show="Filter: (objectClass=*)" size="13" pos="98" value="870b6f626a656374436c617373">
- <field name="ldap.filter" showname="filter: present (7)" size="11" pos="100" show="7" value="6f626a656374436c617373">
- <field name="ldap.present" showname="present: objectClass" size="11" pos="100" show="objectClass" value="6f626a656374436c617373"/>
- </field>
- </field>
- <field name="ldap.attributes" showname="attributes: 4 items" size="96" pos="113" show="4" value="0417726f6f74446f6d61696e4e616d696e67436f6e74657874041a636f6e66696775726174696f6e4e616d696e67436f6e746578740413736368656d614e616d696e67436f6e74657874041464656661756c744e616d696e67436f6e74657874">
- <field name="ldap.AttributeDescription" showname="AttributeDescription: rootDomainNamingContext" size="23" pos="115" show="rootDomainNamingContext" value="726f6f74446f6d61696e4e616d696e67436f6e74657874"/>
- <field name="ldap.AttributeDescription" showname="AttributeDescription: configurationNamingContext" size="26" pos="140" show="configurationNamingContext" value="636f6e66696775726174696f6e4e616d696e67436f6e74657874"/>
- <field name="ldap.AttributeDescription" showname="AttributeDescription: schemaNamingContext" size="19" pos="168" show="schemaNamingContext" value="736368656d614e616d696e67436f6e74657874"/>
- <field name="ldap.AttributeDescription" showname="AttributeDescription: defaultNamingContext" size="20" pos="189" show="defaultNamingContext" value="64656661756c744e616d696e67436f6e74657874"/>
- </field>
- </field>
- </field>
- </field>
- </field>
- </field>
- </proto>
-</packet>
-
-<packet>
- <proto name="geninfo" pos="0" showname="General information" size="146">
- <field name="num" pos="0" show="3119" showname="Number" value="c2f" size="146"/>
- <field name="len" pos="0" show="146" showname="Frame Length" value="92" size="146"/>
- <field name="caplen" pos="0" show="146" showname="Captured Length" value="92" size="146"/>
- <field name="timestamp" pos="0" show="Feb 10, 2017 14:36:24.775574000 NZDT" showname="Captured Time" value="1486690584.775574000" size="146"/>
- </proto>
- <proto name="frame" showname="Frame 3119: 146 bytes on wire (1168 bits), 146 bytes captured (1168 bits)" size="146" pos="0">
- <field name="frame.encap_type" showname="Encapsulation type: Raw IP (7)" size="0" pos="0" show="7"/>
- <field name="frame.time" showname="Arrival Time: Feb 10, 2017 14:36:24.775574000 NZDT" size="0" pos="0" show="Feb 10, 2017 14:36:24.775574000 NZDT"/>
- <field name="frame.offset_shift" showname="Time shift for this packet: 0.000000000 seconds" size="0" pos="0" show="0.000000000"/>
- <field name="frame.time_epoch" showname="Epoch Time: 1486690584.775574000 seconds" size="0" pos="0" show="1486690584.775574000"/>
- <field name="frame.time_delta" showname="Time delta from previous captured frame: 0.000096000 seconds" size="0" pos="0" show="0.000096000"/>
- <field name="frame.time_delta_displayed" showname="Time delta from previous displayed frame: 0.000096000 seconds" size="0" pos="0" show="0.000096000"/>
- <field name="frame.time_relative" showname="Time since reference or first frame: 8.245123000 seconds" size="0" pos="0" show="8.245123000"/>
- <field name="frame.number" showname="Frame Number: 3119" size="0" pos="0" show="3119"/>
- <field name="frame.len" showname="Frame Length: 146 bytes (1168 bits)" size="0" pos="0" show="146"/>
- <field name="frame.cap_len" showname="Capture Length: 146 bytes (1168 bits)" size="0" pos="0" show="146"/>
- <field name="frame.marked" showname="Frame is marked: False" size="0" pos="0" show="0"/>
- <field name="frame.ignored" showname="Frame is ignored: False" size="0" pos="0" show="0"/>
- <field name="frame.protocols" showname="Protocols in frame: raw:ip:tcp:ldap:gss-api:spnego-krb5" size="0" pos="0" show="raw:ip:tcp:ldap:gss-api:spnego-krb5"/>
- </proto>
- <proto name="raw" showname="Raw packet data" size="146" pos="0"/>
- <proto name="ip" showname="Internet Protocol Version 4, Src: 127.0.0.11, Dst: 127.0.0.21" size="20" pos="0">
- <field name="ip.version" showname="0100 .... = Version: 4" size="1" pos="0" show="4" value="4" unmaskedvalue="45"/>
- <field name="ip.hdr_len" showname=".... 0101 = Header Length: 20 bytes" size="1" pos="0" show="5" value="5" unmaskedvalue="45"/>
- <field name="ip.dsfield" showname="Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)" size="1" pos="1" show="0x00000000" value="00">
- <field name="ip.dsfield.dscp" showname="0000 00.. = Differentiated Services Codepoint: Default (0)" size="1" pos="1" show="0" value="0" unmaskedvalue="00"/>
- <field name="ip.dsfield.ecn" showname=".... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)" size="1" pos="1" show="0" value="0" unmaskedvalue="00"/>
- </field>
- <field name="ip.len" showname="Total Length: 146" size="2" pos="2" show="146" value="0092"/>
- <field name="ip.id" showname="Identification: 0xffff (65535)" size="2" pos="4" show="0x0000ffff" value="ffff"/>
- <field name="ip.flags" showname="Flags: 0x02 (Don&#x27;t Fragment)" size="1" pos="6" show="0x00000002" value="40">
- <field name="ip.flags.rb" showname="0... .... = Reserved bit: Not set" size="1" pos="6" show="0" value="40"/>
- <field name="ip.flags.df" showname=".1.. .... = Don&#x27;t fragment: Set" size="1" pos="6" show="1" value="40"/>
- <field name="ip.flags.mf" showname="..0. .... = More fragments: Not set" size="1" pos="6" show="0" value="40"/>
- </field>
- <field name="ip.frag_offset" showname="Fragment offset: 0" size="2" pos="6" show="0" value="4000"/>
- <field name="ip.ttl" showname="Time to live: 255" size="1" pos="8" show="255" value="ff"/>
- <field name="ip.proto" showname="Protocol: TCP (6)" size="1" pos="9" show="6" value="06"/>
- <field name="ip.checksum" showname="Header checksum: 0x0000 [validation disabled]" size="2" pos="10" show="0x00000000" value="0000">
- <field name="ip.checksum_good" showname="Good: False" size="2" pos="10" show="0" value="0000"/>
- <field name="ip.checksum_bad" showname="Bad: False" size="2" pos="10" show="0" value="0000"/>
- </field>
- <field name="ip.src" showname="Source: 127.0.0.11" size="4" pos="12" show="127.0.0.11" value="7f00000b"/>
- <field name="ip.addr" showname="Source or Destination Address: 127.0.0.11" hide="yes" size="4" pos="12" show="127.0.0.11" value="7f00000b"/>
- <field name="ip.src_host" showname="Source Host: 127.0.0.11" hide="yes" size="4" pos="12" show="127.0.0.11" value="7f00000b"/>
- <field name="ip.host" showname="Source or Destination Host: 127.0.0.11" hide="yes" size="4" pos="12" show="127.0.0.11" value="7f00000b"/>
- <field name="ip.dst" showname="Destination: 127.0.0.21" size="4" pos="16" show="127.0.0.21" value="7f000015"/>
- <field name="ip.addr" showname="Source or Destination Address: 127.0.0.21" hide="yes" size="4" pos="16" show="127.0.0.21" value="7f000015"/>
- <field name="ip.dst_host" showname="Destination Host: 127.0.0.21" hide="yes" size="4" pos="16" show="127.0.0.21" value="7f000015"/>
- <field name="ip.host" showname="Source or Destination Host: 127.0.0.21" hide="yes" size="4" pos="16" show="127.0.0.21" value="7f000015"/>
- <field name="" show="Source GeoIP: Unknown" size="4" pos="12" value="7f00000b"/>
- <field name="" show="Destination GeoIP: Unknown" size="4" pos="16" value="7f000015"/>
- </proto>
- <proto name="tcp" showname="Transmission Control Protocol, Src Port: 14794 (14794), Dst Port: 389 (389), Seq: 6451, Ack: 868, Len: 106" size="20" pos="20">
- <field name="tcp.srcport" showname="Source Port: 14794" size="2" pos="20" show="14794" value="39ca"/>
- <field name="tcp.dstport" showname="Destination Port: 389" size="2" pos="22" show="389" value="0185"/>
- <field name="tcp.port" showname="Source or Destination Port: 14794" hide="yes" size="2" pos="20" show="14794" value="39ca"/>
- <field name="tcp.port" showname="Source or Destination Port: 389" hide="yes" size="2" pos="22" show="389" value="0185"/>
- <field name="tcp.stream" showname="Stream index: 60" size="0" pos="20" show="60"/>
- <field name="tcp.len" showname="TCP Segment Len: 106" size="1" pos="32" show="106" value="50"/>
- <field name="tcp.seq" showname="Sequence number: 6451 (relative sequence number)" size="4" pos="24" show="6451" value="00001933"/>
- <field name="tcp.nxtseq" showname="Next sequence number: 6557 (relative sequence number)" size="0" pos="20" show="6557"/>
- <field name="tcp.ack" showname="Acknowledgment number: 868 (relative ack number)" size="4" pos="28" show="868" value="00000364"/>
- <field name="tcp.hdr_len" showname="Header Length: 20 bytes" size="1" pos="32" show="20" value="50"/>
- <field name="tcp.flags" showname="Flags: 0x018 (PSH, ACK)" size="2" pos="32" show="0x00000018" value="18" unmaskedvalue="5018">
- <field name="tcp.flags.res" showname="000. .... .... = Reserved: Not set" size="1" pos="32" show="0" value="0" unmaskedvalue="50"/>
- <field name="tcp.flags.ns" showname="...0 .... .... = Nonce: Not set" size="1" pos="32" show="0" value="0" unmaskedvalue="50"/>
- <field name="tcp.flags.cwr" showname=".... 0... .... = Congestion Window Reduced (CWR): Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
- <field name="tcp.flags.ecn" showname=".... .0.. .... = ECN-Echo: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
- <field name="tcp.flags.urg" showname=".... ..0. .... = Urgent: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
- <field name="tcp.flags.ack" showname=".... ...1 .... = Acknowledgment: Set" size="1" pos="33" show="1" value="FFFFFFFF" unmaskedvalue="18"/>
- <field name="tcp.flags.push" showname=".... .... 1... = Push: Set" size="1" pos="33" show="1" value="FFFFFFFF" unmaskedvalue="18"/>
- <field name="tcp.flags.reset" showname=".... .... .0.. = Reset: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
- <field name="tcp.flags.syn" showname=".... .... ..0. = Syn: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
- <field name="tcp.flags.fin" showname=".... .... ...0 = Fin: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
- <field name="tcp.flags.str" showname="TCP Flags: *******AP***" size="2" pos="32" show="*******AP***" value="5018"/>
- </field>
- <field name="tcp.window_size_value" showname="Window size value: 32767" size="2" pos="34" show="32767" value="7fff"/>
- <field name="tcp.window_size" showname="Calculated window size: 32767" size="2" pos="34" show="32767" value="7fff"/>
- <field name="tcp.window_size_scalefactor" showname="Window size scaling factor: -2 (no window scaling used)" size="2" pos="34" show="-2" value="7fff"/>
- <field name="tcp.checksum" showname="Checksum: 0x0000 [validation disabled]" size="2" pos="36" show="0x00000000" value="0000">
- <field name="tcp.checksum_good" showname="Good Checksum: False" size="2" pos="36" show="0" value="0000"/>
- <field name="tcp.checksum_bad" showname="Bad Checksum: False" size="2" pos="36" show="0" value="0000"/>
- </field>
- <field name="tcp.urgent_pointer" showname="Urgent pointer: 0" size="2" pos="38" show="0" value="0000"/>
- <field name="tcp.analysis" showname="SEQ/ACK analysis" size="0" pos="20" show="" value="">
- <field name="tcp.analysis.acks_frame" showname="This is an ACK to the segment in frame: 3116" size="0" pos="20" show="3116"/>
- <field name="tcp.analysis.ack_rtt" showname="The RTT to ACK the segment was: 0.000167000 seconds" size="0" pos="20" show="0.000167000"/>
- <field name="tcp.analysis.initial_rtt" showname="iRTT: 0.000020000 seconds" size="0" pos="20" show="0.000020000"/>
- <field name="tcp.analysis.bytes_in_flight" showname="Bytes in flight: 106" size="0" pos="20" show="106"/>
- </field>
- <field name="tcp.pdu.size" showname="PDU Size: 106" size="106" pos="40" show="106" value="00000066050404ff000c000c00000000327fba430a655f88ee6b2540ee57965f30480201056343041a44433d73616d62612c44433d6578616d706c652c44433d636f6d0a01000a010002010002010001010087096f626a656374536964300b04096f626a656374536964"/>
- </proto>
- <proto name="ldap" showname="Lightweight Directory Access Protocol" size="106" pos="40">
- <field name="ldap.sasl_buffer_length" showname="SASL Buffer Length: 102" size="4" pos="40" show="102" value="00000066"/>
- <field name="" show="SASL Buffer" size="106" pos="40" value="00000066050404ff000c000c00000000327fba430a655f88ee6b2540ee57965f30480201056343041a44433d73616d62612c44433d6578616d706c652c44433d636f6d0a01000a010002010002010001010087096f626a656374536964300b04096f626a656374536964">
- <proto name="gss-api" showname="GSS-API Generic Security Service Application Program Interface" size="28" pos="44">
- <field name="spnego.krb5.blob" showname="krb5_blob: 050404ff000c000c00000000327fba430a655f88ee6b2540..." size="28" pos="44" show="05:04:04:ff:00:0c:00:0c:00:00:00:00:32:7f:ba:43:0a:65:5f:88:ee:6b:25:40:ee:57:96:5f" value="050404ff000c000c00000000327fba430a655f88ee6b2540ee57965f">
- <field name="spnego.krb5.tok_id" showname="krb5_tok_id: KRB_TOKEN_CFX_WRAP (0x0405)" size="2" pos="44" show="0x00000405" value="0504"/>
- <field name="spnego.krb5.cfx_flags" showname="krb5_cfx_flags: 0x04, AcceptorSubkey" size="1" pos="46" show="0x00000004" value="04">
- <field name="spnego.krb5.acceptor_subkey" showname=".... .1.. = AcceptorSubkey: Set" size="1" pos="46" show="1" value="FFFFFFFF" unmaskedvalue="04"/>
- <field name="spnego.krb5.sealed" showname=".... ..0. = Sealed: Not set" size="1" pos="46" show="0" value="0" unmaskedvalue="04"/>
- <field name="spnego.krb5.send_by_acceptor" showname=".... ...0 = SendByAcceptor: Not set" size="1" pos="46" show="0" value="0" unmaskedvalue="04"/>
- </field>
- <field name="spnego.krb5.filler" showname="krb5_filler: ff" size="1" pos="47" show="ff" value="ff"/>
- <field name="spnego.krb5.cfx_ec" showname="krb5_cfx_ec: 12" size="2" pos="48" show="12" value="000c"/>
- <field name="spnego.krb5.cfx_rrc" showname="krb5_cfx_rrc: 12" size="2" pos="50" show="12" value="000c"/>
- <field name="spnego.krb5.cfx_seq" showname="krb5_cfx_seq: 847231555" size="8" pos="52" show="847231555" value="00000000327fba43"/>
- <field name="spnego.krb5.sgn_cksum" showname="krb5_sgn_cksum: 0a655f88ee6b2540ee57965f" size="12" pos="60" show="0a:65:5f:88:ee:6b:25:40:ee:57:96:5f" value="0a655f88ee6b2540ee57965f"/>
- </field>
- </proto>
- <field name="" show="GSS-API payload (74 bytes)" size="74" pos="72" value="30480201056343041a44433d73616d62612c44433d6578616d706c652c44433d636f6d0a01000a010002010002010001010087096f626a656374536964300b04096f626a656374536964">
- <field name="ldap.LDAPMessage_element" showname="LDAPMessage searchRequest(5) &quot;DC=samba,DC=example,DC=com&quot; baseObject" size="74" pos="72" show="" value="">
- <field name="ldap.messageID" showname="messageID: 5" size="1" pos="76" show="5" value="05"/>
- <field name="ldap.protocolOp" showname="protocolOp: searchRequest (3)" size="69" pos="77" show="3" value="6343041a44433d73616d62612c44433d6578616d706c652c44433d636f6d0a01000a010002010002010001010087096f626a656374536964300b04096f626a656374536964">
- <field name="ldap.searchRequest_element" showname="searchRequest" size="67" pos="79" show="" value="">
- <field name="ldap.baseObject" showname="baseObject: DC=samba,DC=example,DC=com" size="26" pos="81" show="DC=samba,DC=example,DC=com" value="44433d73616d62612c44433d6578616d706c652c44433d636f6d"/>
- <field name="ldap.scope" showname="scope: baseObject (0)" size="1" pos="109" show="0" value="00"/>
- <field name="ldap.derefAliases" showname="derefAliases: neverDerefAliases (0)" size="1" pos="112" show="0" value="00"/>
- <field name="ldap.sizeLimit" showname="sizeLimit: 0" size="1" pos="115" show="0" value="00"/>
- <field name="ldap.timeLimit" showname="timeLimit: 0" size="1" pos="118" show="0" value="00"/>
- <field name="ldap.typesOnly" showname="typesOnly: False" size="1" pos="121" show="0" value="00"/>
- <field name="" show="Filter: (objectSid=*)" size="11" pos="122" value="87096f626a656374536964">
- <field name="ldap.filter" showname="filter: present (7)" size="9" pos="124" show="7" value="6f626a656374536964">
- <field name="ldap.present" showname="present: objectSid" size="9" pos="124" show="objectSid" value="6f626a656374536964"/>
- </field>
- </field>
- <field name="ldap.attributes" showname="attributes: 1 item" size="11" pos="135" show="1" value="04096f626a656374536964">
- <field name="ldap.AttributeDescription" showname="AttributeDescription: objectSid" size="9" pos="137" show="objectSid" value="6f626a656374536964"/>
- </field>
- </field>
- </field>
- </field>
- </field>
- </field>
- </proto>
-</packet>
-
-<packet>
- <proto name="geninfo" pos="0" showname="General information" size="179">
- <field name="num" pos="0" show="4576" showname="Number" value="11e0" size="179"/>
- <field name="len" pos="0" show="179" showname="Frame Length" value="b3" size="179"/>
- <field name="caplen" pos="0" show="179" showname="Captured Length" value="b3" size="179"/>
- <field name="timestamp" pos="0" show="Feb 10, 2017 14:36:26.238734000 NZDT" showname="Captured Time" value="1486690586.238734000" size="179"/>
- </proto>
- <proto name="frame" showname="Frame 4576: 179 bytes on wire (1432 bits), 179 bytes captured (1432 bits)" size="179" pos="0">
- <field name="frame.encap_type" showname="Encapsulation type: Raw IP (7)" size="0" pos="0" show="7"/>
- <field name="frame.time" showname="Arrival Time: Feb 10, 2017 14:36:26.238734000 NZDT" size="0" pos="0" show="Feb 10, 2017 14:36:26.238734000 NZDT"/>
- <field name="frame.offset_shift" showname="Time shift for this packet: 0.000000000 seconds" size="0" pos="0" show="0.000000000"/>
- <field name="frame.time_epoch" showname="Epoch Time: 1486690586.238734000 seconds" size="0" pos="0" show="1486690586.238734000"/>
- <field name="frame.time_delta" showname="Time delta from previous captured frame: 0.000072000 seconds" size="0" pos="0" show="0.000072000"/>
- <field name="frame.time_delta_displayed" showname="Time delta from previous displayed frame: 0.000072000 seconds" size="0" pos="0" show="0.000072000"/>
- <field name="frame.time_relative" showname="Time since reference or first frame: 9.708283000 seconds" size="0" pos="0" show="9.708283000"/>
- <field name="frame.number" showname="Frame Number: 4576" size="0" pos="0" show="4576"/>
- <field name="frame.len" showname="Frame Length: 179 bytes (1432 bits)" size="0" pos="0" show="179"/>
- <field name="frame.cap_len" showname="Capture Length: 179 bytes (1432 bits)" size="0" pos="0" show="179"/>
- <field name="frame.marked" showname="Frame is marked: False" size="0" pos="0" show="0"/>
- <field name="frame.ignored" showname="Frame is ignored: False" size="0" pos="0" show="0"/>
- <field name="frame.protocols" showname="Protocols in frame: raw:ip:tcp:ldap:gss-api:spnego-krb5" size="0" pos="0" show="raw:ip:tcp:ldap:gss-api:spnego-krb5"/>
- </proto>
- <proto name="raw" showname="Raw packet data" size="179" pos="0"/>
- <proto name="ip" showname="Internet Protocol Version 4, Src: 127.0.0.11, Dst: 127.0.0.21" size="20" pos="0">
- <field name="ip.version" showname="0100 .... = Version: 4" size="1" pos="0" show="4" value="4" unmaskedvalue="45"/>
- <field name="ip.hdr_len" showname=".... 0101 = Header Length: 20 bytes" size="1" pos="0" show="5" value="5" unmaskedvalue="45"/>
- <field name="ip.dsfield" showname="Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)" size="1" pos="1" show="0x00000000" value="00">
- <field name="ip.dsfield.dscp" showname="0000 00.. = Differentiated Services Codepoint: Default (0)" size="1" pos="1" show="0" value="0" unmaskedvalue="00"/>
- <field name="ip.dsfield.ecn" showname=".... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)" size="1" pos="1" show="0" value="0" unmaskedvalue="00"/>
- </field>
- <field name="ip.len" showname="Total Length: 179" size="2" pos="2" show="179" value="00b3"/>
- <field name="ip.id" showname="Identification: 0xffff (65535)" size="2" pos="4" show="0x0000ffff" value="ffff"/>
- <field name="ip.flags" showname="Flags: 0x02 (Don&#x27;t Fragment)" size="1" pos="6" show="0x00000002" value="40">
- <field name="ip.flags.rb" showname="0... .... = Reserved bit: Not set" size="1" pos="6" show="0" value="40"/>
- <field name="ip.flags.df" showname=".1.. .... = Don&#x27;t fragment: Set" size="1" pos="6" show="1" value="40"/>
- <field name="ip.flags.mf" showname="..0. .... = More fragments: Not set" size="1" pos="6" show="0" value="40"/>
- </field>
- <field name="ip.frag_offset" showname="Fragment offset: 0" size="2" pos="6" show="0" value="4000"/>
- <field name="ip.ttl" showname="Time to live: 255" size="1" pos="8" show="255" value="ff"/>
- <field name="ip.proto" showname="Protocol: TCP (6)" size="1" pos="9" show="6" value="06"/>
- <field name="ip.checksum" showname="Header checksum: 0x0000 [validation disabled]" size="2" pos="10" show="0x00000000" value="0000">
- <field name="ip.checksum_good" showname="Good: False" size="2" pos="10" show="0" value="0000"/>
- <field name="ip.checksum_bad" showname="Bad: False" size="2" pos="10" show="0" value="0000"/>
- </field>
- <field name="ip.src" showname="Source: 127.0.0.11" size="4" pos="12" show="127.0.0.11" value="7f00000b"/>
- <field name="ip.addr" showname="Source or Destination Address: 127.0.0.11" hide="yes" size="4" pos="12" show="127.0.0.11" value="7f00000b"/>
- <field name="ip.src_host" showname="Source Host: 127.0.0.11" hide="yes" size="4" pos="12" show="127.0.0.11" value="7f00000b"/>
- <field name="ip.host" showname="Source or Destination Host: 127.0.0.11" hide="yes" size="4" pos="12" show="127.0.0.11" value="7f00000b"/>
- <field name="ip.dst" showname="Destination: 127.0.0.21" size="4" pos="16" show="127.0.0.21" value="7f000015"/>
- <field name="ip.addr" showname="Source or Destination Address: 127.0.0.21" hide="yes" size="4" pos="16" show="127.0.0.21" value="7f000015"/>
- <field name="ip.dst_host" showname="Destination Host: 127.0.0.21" hide="yes" size="4" pos="16" show="127.0.0.21" value="7f000015"/>
- <field name="ip.host" showname="Source or Destination Host: 127.0.0.21" hide="yes" size="4" pos="16" show="127.0.0.21" value="7f000015"/>
- <field name="" show="Source GeoIP: Unknown" size="4" pos="12" value="7f00000b"/>
- <field name="" show="Destination GeoIP: Unknown" size="4" pos="16" value="7f000015"/>
- </proto>
- <proto name="tcp" showname="Transmission Control Protocol, Src Port: 14849 (14849), Dst Port: 389 (389), Seq: 6557, Ack: 992, Len: 139" size="20" pos="20">
- <field name="tcp.srcport" showname="Source Port: 14849" size="2" pos="20" show="14849" value="3a01"/>
- <field name="tcp.dstport" showname="Destination Port: 389" size="2" pos="22" show="389" value="0185"/>
- <field name="tcp.port" showname="Source or Destination Port: 14849" hide="yes" size="2" pos="20" show="14849" value="3a01"/>
- <field name="tcp.port" showname="Source or Destination Port: 389" hide="yes" size="2" pos="22" show="389" value="0185"/>
- <field name="tcp.stream" showname="Stream index: 92" size="0" pos="20" show="92"/>
- <field name="tcp.len" showname="TCP Segment Len: 139" size="1" pos="32" show="139" value="50"/>
- <field name="tcp.seq" showname="Sequence number: 6557 (relative sequence number)" size="4" pos="24" show="6557" value="0000199d"/>
- <field name="tcp.nxtseq" showname="Next sequence number: 6696 (relative sequence number)" size="0" pos="20" show="6696"/>
- <field name="tcp.ack" showname="Acknowledgment number: 992 (relative ack number)" size="4" pos="28" show="992" value="000003e0"/>
- <field name="tcp.hdr_len" showname="Header Length: 20 bytes" size="1" pos="32" show="20" value="50"/>
- <field name="tcp.flags" showname="Flags: 0x018 (PSH, ACK)" size="2" pos="32" show="0x00000018" value="18" unmaskedvalue="5018">
- <field name="tcp.flags.res" showname="000. .... .... = Reserved: Not set" size="1" pos="32" show="0" value="0" unmaskedvalue="50"/>
- <field name="tcp.flags.ns" showname="...0 .... .... = Nonce: Not set" size="1" pos="32" show="0" value="0" unmaskedvalue="50"/>
- <field name="tcp.flags.cwr" showname=".... 0... .... = Congestion Window Reduced (CWR): Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
- <field name="tcp.flags.ecn" showname=".... .0.. .... = ECN-Echo: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
- <field name="tcp.flags.urg" showname=".... ..0. .... = Urgent: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
- <field name="tcp.flags.ack" showname=".... ...1 .... = Acknowledgment: Set" size="1" pos="33" show="1" value="FFFFFFFF" unmaskedvalue="18"/>
- <field name="tcp.flags.push" showname=".... .... 1... = Push: Set" size="1" pos="33" show="1" value="FFFFFFFF" unmaskedvalue="18"/>
- <field name="tcp.flags.reset" showname=".... .... .0.. = Reset: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
- <field name="tcp.flags.syn" showname=".... .... ..0. = Syn: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
- <field name="tcp.flags.fin" showname=".... .... ...0 = Fin: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
- <field name="tcp.flags.str" showname="TCP Flags: *******AP***" size="2" pos="32" show="*******AP***" value="5018"/>
- </field>
- <field name="tcp.window_size_value" showname="Window size value: 32767" size="2" pos="34" show="32767" value="7fff"/>
- <field name="tcp.window_size" showname="Calculated window size: 32767" size="2" pos="34" show="32767" value="7fff"/>
- <field name="tcp.window_size_scalefactor" showname="Window size scaling factor: -2 (no window scaling used)" size="2" pos="34" show="-2" value="7fff"/>
- <field name="tcp.checksum" showname="Checksum: 0x0000 [validation disabled]" size="2" pos="36" show="0x00000000" value="0000">
- <field name="tcp.checksum_good" showname="Good Checksum: False" size="2" pos="36" show="0" value="0000"/>
- <field name="tcp.checksum_bad" showname="Bad Checksum: False" size="2" pos="36" show="0" value="0000"/>
- </field>
- <field name="tcp.urgent_pointer" showname="Urgent pointer: 0" size="2" pos="38" show="0" value="0000"/>
- <field name="tcp.analysis" showname="SEQ/ACK analysis" size="0" pos="20" show="" value="">
- <field name="tcp.analysis.acks_frame" showname="This is an ACK to the segment in frame: 4573" size="0" pos="20" show="4573"/>
- <field name="tcp.analysis.ack_rtt" showname="The RTT to ACK the segment was: 0.000145000 seconds" size="0" pos="20" show="0.000145000"/>
- <field name="tcp.analysis.initial_rtt" showname="iRTT: 0.000019000 seconds" size="0" pos="20" show="0.000019000"/>
- <field name="tcp.analysis.bytes_in_flight" showname="Bytes in flight: 139" size="0" pos="20" show="139"/>
- </field>
- <field name="tcp.pdu.size" showname="PDU Size: 139" size="139" pos="40" show="139" value="00000087050404ff000c000c000000001b8a1304757134702161c76a250240643069020106636404443c574b475549443d32464241433138373041444531314432393743343030433034464438443543442c44433d73616d62612c44433d6578616d706c652c44433d636f6d3e0a01020a0100020100020100010100870b6f626a656374436c6173733000"/>
- </proto>
- <proto name="ldap" showname="Lightweight Directory Access Protocol" size="139" pos="40">
- <field name="ldap.sasl_buffer_length" showname="SASL Buffer Length: 135" size="4" pos="40" show="135" value="00000087"/>
- <field name="" show="SASL Buffer" size="139" pos="40" value="00000087050404ff000c000c000000001b8a1304757134702161c76a250240643069020106636404443c574b475549443d32464241433138373041444531314432393743343030433034464438443543442c44433d73616d62612c44433d6578616d706c652c44433d636f6d3e0a01020a0100020100020100010100870b6f626a656374436c6173733000">
- <proto name="gss-api" showname="GSS-API Generic Security Service Application Program Interface" size="28" pos="44">
- <field name="spnego.krb5.blob" showname="krb5_blob: 050404ff000c000c000000001b8a1304757134702161c76a..." size="28" pos="44" show="05:04:04:ff:00:0c:00:0c:00:00:00:00:1b:8a:13:04:75:71:34:70:21:61:c7:6a:25:02:40:64" value="050404ff000c000c000000001b8a1304757134702161c76a25024064">
- <field name="spnego.krb5.tok_id" showname="krb5_tok_id: KRB_TOKEN_CFX_WRAP (0x0405)" size="2" pos="44" show="0x00000405" value="0504"/>
- <field name="spnego.krb5.cfx_flags" showname="krb5_cfx_flags: 0x04, AcceptorSubkey" size="1" pos="46" show="0x00000004" value="04">
- <field name="spnego.krb5.acceptor_subkey" showname=".... .1.. = AcceptorSubkey: Set" size="1" pos="46" show="1" value="FFFFFFFF" unmaskedvalue="04"/>
- <field name="spnego.krb5.sealed" showname=".... ..0. = Sealed: Not set" size="1" pos="46" show="0" value="0" unmaskedvalue="04"/>
- <field name="spnego.krb5.send_by_acceptor" showname=".... ...0 = SendByAcceptor: Not set" size="1" pos="46" show="0" value="0" unmaskedvalue="04"/>
- </field>
- <field name="spnego.krb5.filler" showname="krb5_filler: ff" size="1" pos="47" show="ff" value="ff"/>
- <field name="spnego.krb5.cfx_ec" showname="krb5_cfx_ec: 12" size="2" pos="48" show="12" value="000c"/>
- <field name="spnego.krb5.cfx_rrc" showname="krb5_cfx_rrc: 12" size="2" pos="50" show="12" value="000c"/>
- <field name="spnego.krb5.cfx_seq" showname="krb5_cfx_seq: 462033668" size="8" pos="52" show="462033668" value="000000001b8a1304"/>
- <field name="spnego.krb5.sgn_cksum" showname="krb5_sgn_cksum: 757134702161c76a25024064" size="12" pos="60" show="75:71:34:70:21:61:c7:6a:25:02:40:64" value="757134702161c76a25024064"/>
- </field>
- </proto>
- <field name="" show="GSS-API payload (107 bytes)" size="107" pos="72" value="3069020106636404443c574b475549443d32464241433138373041444531314432393743343030433034464438443543442c44433d73616d62612c44433d6578616d706c652c44433d636f6d3e0a01020a0100020100020100010100870b6f626a656374436c6173733000">
- <field name="ldap.LDAPMessage_element" showname="LDAPMessage searchRequest(6) &quot;&lt;WKGUID=2FBAC1870ADE11D297C400C04FD8D5CD,DC=samba,DC=example,DC=com&gt;&quot; wholeSubtree" size="107" pos="72" show="" value="">
- <field name="ldap.messageID" showname="messageID: 6" size="1" pos="76" show="6" value="06"/>
- <field name="ldap.protocolOp" showname="protocolOp: searchRequest (3)" size="102" pos="77" show="3" value="636404443c574b475549443d32464241433138373041444531314432393743343030433034464438443543442c44433d73616d62612c44433d6578616d706c652c44433d636f6d3e0a01020a0100020100020100010100870b6f626a656374436c6173733000">
- <field name="ldap.searchRequest_element" showname="searchRequest" size="100" pos="79" show="" value="">
- <field name="ldap.baseObject" showname="baseObject: &lt;WKGUID=2FBAC1870ADE11D297C400C04FD8D5CD,DC=samba,DC=example,DC=com&gt;" size="68" pos="81" show="&lt;WKGUID=2FBAC1870ADE11D297C400C04FD8D5CD,DC=samba,DC=example,DC=com&gt;" value="3c574b475549443d32464241433138373041444531314432393743343030433034464438443543442c44433d73616d62612c44433d6578616d706c652c44433d636f6d3e"/>
- <field name="ldap.scope" showname="scope: wholeSubtree (2)" size="1" pos="151" show="2" value="02"/>
- <field name="ldap.derefAliases" showname="derefAliases: neverDerefAliases (0)" size="1" pos="154" show="0" value="00"/>
- <field name="ldap.sizeLimit" showname="sizeLimit: 0" size="1" pos="157" show="0" value="00"/>
- <field name="ldap.timeLimit" showname="timeLimit: 0" size="1" pos="160" show="0" value="00"/>
- <field name="ldap.typesOnly" showname="typesOnly: False" size="1" pos="163" show="0" value="00"/>
- <field name="" show="Filter: (objectClass=*)" size="13" pos="164" value="870b6f626a656374436c617373">
- <field name="ldap.filter" showname="filter: present (7)" size="11" pos="166" show="7" value="6f626a656374436c617373">
- <field name="ldap.present" showname="present: objectClass" size="11" pos="166" show="objectClass" value="6f626a656374436c617373"/>
- </field>
- </field>
- <field name="ldap.attributes" showname="attributes: 0 items" size="0" pos="179" show="0"/>
- </field>
- </field>
- </field>
- </field>
- </field>
- </proto>
-</packet>
-
-<packet>
- <proto name="geninfo" pos="0" showname="General information" size="167">
- <field name="num" pos="0" show="462" showname="Number" value="1ce" size="167"/>
- <field name="len" pos="0" show="167" showname="Frame Length" value="a7" size="167"/>
- <field name="caplen" pos="0" show="167" showname="Captured Length" value="a7" size="167"/>
- <field name="timestamp" pos="0" show="Feb 13, 2017 10:17:16.150107000 NZDT" showname="Captured Time" value="1486934236.150107000" size="167"/>
- </proto>
- <proto name="frame" showname="Frame 462: 167 bytes on wire (1336 bits), 167 bytes captured (1336 bits)" size="167" pos="0">
- <field name="frame.encap_type" showname="Encapsulation type: Raw IP (7)" size="0" pos="0" show="7"/>
- <field name="frame.time" showname="Arrival Time: Feb 13, 2017 10:17:16.150107000 NZDT" size="0" pos="0" show="Feb 13, 2017 10:17:16.150107000 NZDT"/>
- <field name="frame.offset_shift" showname="Time shift for this packet: 0.000000000 seconds" size="0" pos="0" show="0.000000000"/>
- <field name="frame.time_epoch" showname="Epoch Time: 1486934236.150107000 seconds" size="0" pos="0" show="1486934236.150107000"/>
- <field name="frame.time_delta" showname="Time delta from previous captured frame: 0.000165000 seconds" size="0" pos="0" show="0.000165000"/>
- <field name="frame.time_delta_displayed" showname="Time delta from previous displayed frame: 0.000165000 seconds" size="0" pos="0" show="0.000165000"/>
- <field name="frame.time_relative" showname="Time since reference or first frame: 465.527666000 seconds" size="0" pos="0" show="465.527666000"/>
- <field name="frame.number" showname="Frame Number: 462" size="0" pos="0" show="462"/>
- <field name="frame.len" showname="Frame Length: 167 bytes (1336 bits)" size="0" pos="0" show="167"/>
- <field name="frame.cap_len" showname="Capture Length: 167 bytes (1336 bits)" size="0" pos="0" show="167"/>
- <field name="frame.marked" showname="Frame is marked: False" size="0" pos="0" show="0"/>
- <field name="frame.ignored" showname="Frame is ignored: False" size="0" pos="0" show="0"/>
- <field name="frame.protocols" showname="Protocols in frame: raw:ipv6:tcp:nbss:smb" size="0" pos="0" show="raw:ipv6:tcp:nbss:smb"/>
- </proto>
- <proto name="raw" showname="Raw packet data" size="167" pos="0"/>
- <proto name="ipv6" showname="Internet Protocol Version 6, Src: fd00::5357:5f03, Dst: fd00::5357:5f0b" size="40" pos="0">
- <field name="ipv6.version" showname="0110 .... = Version: 6" size="1" pos="0" show="6" value="6" unmaskedvalue="60"/>
- <field name="ip.version" showname="0110 .... = Version: 6 [This field makes the filter match on &quot;ip.version == 6&quot; possible]" hide="yes" size="1" pos="0" show="6" value="6" unmaskedvalue="60"/>
- <field name="ipv6.tclass" showname=".... 0000 0000 .... .... .... .... .... = Traffic class: 0x00 (DSCP: CS0, ECN: Not-ECT)" size="4" pos="0" show="0x00000000" value="0" unmaskedvalue="60000000">
- <field name="ipv6.tclass.dscp" showname=".... 0000 00.. .... .... .... .... .... = Differentiated Services Codepoint: Default (0)" size="4" pos="0" show="0" value="0" unmaskedvalue="60000000"/>
- <field name="ipv6.tclass.ecn" showname=".... .... ..00 .... .... .... .... .... = Explicit Congestion Notification: Not ECN-Capable Transport (0)" size="4" pos="0" show="0" value="0" unmaskedvalue="60000000"/>
- </field>
- <field name="ipv6.flow" showname=".... .... .... 0000 0000 0000 0000 0000 = Flowlabel: 0x00000000" size="4" pos="0" show="0x00000000" value="0" unmaskedvalue="60000000"/>
- <field name="ipv6.plen" showname="Payload length: 167" size="2" pos="4" show="167" value="00a7">
- <field name="_ws.expert" showname="Expert Info (Warn/Protocol): IPv6 payload length exceeds framing length (127 bytes)" size="0" pos="4">
- <field name="ipv6.bogus_payload_length" showname="IPv6 payload length exceeds framing length (127 bytes)" size="0" pos="0" show="" value=""/>
- <field name="_ws.expert.message" showname="Message: IPv6 payload length exceeds framing length (127 bytes)" hide="yes" size="0" pos="0" show="IPv6 payload length exceeds framing length (127 bytes)"/>
- <field name="_ws.expert.severity" showname="Severity level: Warn" size="0" pos="0" show="0x00600000"/>
- <field name="_ws.expert.group" showname="Group: Protocol" size="0" pos="0" show="0x09000000"/>
- </field>
- </field>
- <field name="ipv6.nxt" showname="Next header: TCP (6)" size="1" pos="6" show="6" value="06"/>
- <field name="ipv6.hlim" showname="Hop limit: 0" size="1" pos="7" show="0" value="00"/>
- <field name="ipv6.src" showname="Source: fd00::5357:5f03" size="16" pos="8" show="fd00::5357:5f03" value="fd000000000000000000000053575f03"/>
- <field name="ipv6.addr" showname="Source or Destination Address: fd00::5357:5f03" hide="yes" size="16" pos="8" show="fd00::5357:5f03" value="fd000000000000000000000053575f03"/>
- <field name="ipv6.src_host" showname="Source Host: fd00::5357:5f03" hide="yes" size="16" pos="8" show="fd00::5357:5f03" value="fd000000000000000000000053575f03"/>
- <field name="ipv6.host" showname="Source or Destination Host: fd00::5357:5f03" hide="yes" size="16" pos="8" show="fd00::5357:5f03" value="fd000000000000000000000053575f03"/>
- <field name="ipv6.dst" showname="Destination: fd00::5357:5f0b" size="16" pos="24" show="fd00::5357:5f0b" value="fd000000000000000000000053575f0b"/>
- <field name="ipv6.addr" showname="Source or Destination Address: fd00::5357:5f0b" hide="yes" size="16" pos="24" show="fd00::5357:5f0b" value="fd000000000000000000000053575f0b"/>
- <field name="ipv6.dst_host" showname="Destination Host: fd00::5357:5f0b" hide="yes" size="16" pos="24" show="fd00::5357:5f0b" value="fd000000000000000000000053575f0b"/>
- <field name="ipv6.host" showname="Source or Destination Host: fd00::5357:5f0b" hide="yes" size="16" pos="24" show="fd00::5357:5f0b" value="fd000000000000000000000053575f0b"/>
- <field name="" show="Source GeoIP: Unknown" size="16" pos="8" value="fd000000000000000000000053575f03"/>
- <field name="" show="Destination GeoIP: Unknown" size="16" pos="24" value="fd000000000000000000000053575f0b"/>
- </proto>
- <proto name="tcp" showname="Transmission Control Protocol, Src Port: 139 (139), Dst Port: 31861 (31861), Seq: 822, Ack: 847, Len: 107" size="20" pos="40">
- <field name="tcp.srcport" showname="Source Port: 139" size="2" pos="40" show="139" value="008b"/>
- <field name="tcp.dstport" showname="Destination Port: 31861" size="2" pos="42" show="31861" value="7c75"/>
- <field name="tcp.port" showname="Source or Destination Port: 139" hide="yes" size="2" pos="40" show="139" value="008b"/>
- <field name="tcp.port" showname="Source or Destination Port: 31861" hide="yes" size="2" pos="42" show="31861" value="7c75"/>
- <field name="tcp.stream" showname="Stream index: 6" size="0" pos="40" show="6"/>
- <field name="tcp.len" showname="TCP Segment Len: 107" size="1" pos="52" show="107" value="50"/>
- <field name="tcp.seq" showname="Sequence number: 822 (relative sequence number)" size="4" pos="44" show="822" value="00000336"/>
- <field name="tcp.nxtseq" showname="Next sequence number: 929 (relative sequence number)" size="0" pos="40" show="929"/>
- <field name="tcp.ack" showname="Acknowledgment number: 847 (relative ack number)" size="4" pos="48" show="847" value="0000034f"/>
- <field name="tcp.hdr_len" showname="Header Length: 20 bytes" size="1" pos="52" show="20" value="50"/>
- <field name="tcp.flags" showname="Flags: 0x018 (PSH, ACK)" size="2" pos="52" show="0x00000018" value="18" unmaskedvalue="5018">
- <field name="tcp.flags.res" showname="000. .... .... = Reserved: Not set" size="1" pos="52" show="0" value="0" unmaskedvalue="50"/>
- <field name="tcp.flags.ns" showname="...0 .... .... = Nonce: Not set" size="1" pos="52" show="0" value="0" unmaskedvalue="50"/>
- <field name="tcp.flags.cwr" showname=".... 0... .... = Congestion Window Reduced (CWR): Not set" size="1" pos="53" show="0" value="0" unmaskedvalue="18"/>
- <field name="tcp.flags.ecn" showname=".... .0.. .... = ECN-Echo: Not set" size="1" pos="53" show="0" value="0" unmaskedvalue="18"/>
- <field name="tcp.flags.urg" showname=".... ..0. .... = Urgent: Not set" size="1" pos="53" show="0" value="0" unmaskedvalue="18"/>
- <field name="tcp.flags.ack" showname=".... ...1 .... = Acknowledgment: Set" size="1" pos="53" show="1" value="FFFFFFFF" unmaskedvalue="18"/>
- <field name="tcp.flags.push" showname=".... .... 1... = Push: Set" size="1" pos="53" show="1" value="FFFFFFFF" unmaskedvalue="18"/>
- <field name="tcp.flags.reset" showname=".... .... .0.. = Reset: Not set" size="1" pos="53" show="0" value="0" unmaskedvalue="18"/>
- <field name="tcp.flags.syn" showname=".... .... ..0. = Syn: Not set" size="1" pos="53" show="0" value="0" unmaskedvalue="18"/>
- <field name="tcp.flags.fin" showname=".... .... ...0 = Fin: Not set" size="1" pos="53" show="0" value="0" unmaskedvalue="18"/>
- <field name="tcp.flags.str" showname="TCP Flags: *******AP***" size="2" pos="52" show="*******AP***" value="5018"/>
- </field>
- <field name="tcp.window_size_value" showname="Window size value: 32767" size="2" pos="54" show="32767" value="7fff"/>
- <field name="tcp.window_size" showname="Calculated window size: 32767" size="2" pos="54" show="32767" value="7fff"/>
- <field name="tcp.window_size_scalefactor" showname="Window size scaling factor: -2 (no window scaling used)" size="2" pos="54" show="-2" value="7fff"/>
- <field name="tcp.checksum" showname="Checksum: 0x0000 [validation disabled]" size="2" pos="56" show="0x00000000" value="0000">
- <field name="tcp.checksum_good" showname="Good Checksum: False" size="2" pos="56" show="0" value="0000"/>
- <field name="tcp.checksum_bad" showname="Bad Checksum: False" size="2" pos="56" show="0" value="0000"/>
- </field>
- <field name="tcp.urgent_pointer" showname="Urgent pointer: 0" size="2" pos="58" show="0" value="0000"/>
- <field name="tcp.analysis" showname="SEQ/ACK analysis" size="0" pos="40" show="" value="">
- <field name="tcp.analysis.acks_frame" showname="This is an ACK to the segment in frame: 459" size="0" pos="40" show="459"/>
- <field name="tcp.analysis.ack_rtt" showname="The RTT to ACK the segment was: 0.000204000 seconds" size="0" pos="40" show="0.000204000"/>
- <field name="tcp.analysis.initial_rtt" showname="iRTT: 0.000024000 seconds" size="0" pos="40" show="0.000024000"/>
- <field name="tcp.analysis.bytes_in_flight" showname="Bytes in flight: 107" size="0" pos="40" show="107"/>
- </field>
- </proto>
- <proto name="nbss" showname="NetBIOS Session Service" size="107" pos="60">
- <field name="nbss.type" showname="Message Type: Session message (0x00)" size="1" pos="60" show="0x00000000" value="00"/>
- <field name="nbss.length" showname="Length: 103" size="3" pos="61" show="103" value="000067"/>
- </proto>
- <proto name="smb" showname="SMB (Server Message Block Protocol)" size="103" pos="64">
- <field name="" show="SMB Header" size="32" pos="64" value="ff534d42a2000000008803c8000000000000000000000000ac6a6455deec0400">
- <field name="smb.server_component" showname="Server Component: SMB" size="4" pos="64" show="0x424d53ff" value="ff534d42"/>
- <field name="smb.response_to" showname="Response to: 459" size="0" pos="64" show="459"/>
- <field name="smb.time" showname="Time from request: 0.000204000 seconds" size="0" pos="64" show="0.000204000"/>
- <field name="smb.cmd" showname="SMB Command: NT Create AndX (0xa2)" size="1" pos="68" show="162" value="a2"/>
- <field name="smb.nt_status" showname="NT Status: STATUS_SUCCESS (0x00000000)" size="4" pos="69" show="0" value="00000000"/>
- <field name="smb.flags" showname="Flags: 0x88, Request/Response, Case Sensitivity" size="1" pos="73" show="0x00000088" value="88">
- <field name="smb.flags.response" showname="1... .... = Request/Response: Message is a response to the client/redirector" size="1" pos="73" show="1" value="FFFFFFFF" unmaskedvalue="88"/>
- <field name="smb.flags.notify" showname=".0.. .... = Notify: Notify client only on open" size="1" pos="73" show="0" value="0" unmaskedvalue="88"/>
- <field name="smb.flags.oplock" showname="..0. .... = Oplocks: OpLock not requested/granted" size="1" pos="73" show="0" value="0" unmaskedvalue="88"/>
- <field name="smb.flags.canon" showname="...0 .... = Canonicalized Pathnames: Pathnames are not canonicalized" size="1" pos="73" show="0" value="0" unmaskedvalue="88"/>
- <field name="smb.flags.caseless" showname=".... 1... = Case Sensitivity: Path names are caseless" size="1" pos="73" show="1" value="FFFFFFFF" unmaskedvalue="88"/>
- <field name="smb.flags.receive_buffer" showname=".... ..0. = Receive Buffer Posted: Receive buffer has not been posted" size="1" pos="73" show="0" value="0" unmaskedvalue="88"/>
- <field name="smb.flags.lock" showname=".... ...0 = Lock and Read: Lock&amp;Read, Write&amp;Unlock are not supported" size="1" pos="73" show="0" value="0" unmaskedvalue="88"/>
- </field>
- <field name="smb.flags2" showname="Flags2: 0xc803, Unicode Strings, Error Code Type, Extended Security Negotiation, Extended Attributes, Long Names Allowed" size="2" pos="74" show="0x0000c803" value="03c8">
- <field name="smb.flags2.string" showname="1... .... .... .... = Unicode Strings: Strings are Unicode" size="2" pos="74" show="1" value="FFFFFFFF" unmaskedvalue="03c8"/>
- <field name="smb.flags2.nt_error" showname=".1.. .... .... .... = Error Code Type: Error codes are NT error codes" size="2" pos="74" show="1" value="FFFFFFFF" unmaskedvalue="03c8"/>
- <field name="smb.flags2.roe" showname="..0. .... .... .... = Execute-only Reads: Don&#x27;t permit reads if execute-only" size="2" pos="74" show="0" value="0" unmaskedvalue="03c8"/>
- <field name="smb.flags2.dfs" showname="...0 .... .... .... = Dfs: Don&#x27;t resolve pathnames with Dfs" size="2" pos="74" show="0" value="0" unmaskedvalue="03c8"/>
- <field name="smb.flags2.esn" showname=".... 1... .... .... = Extended Security Negotiation: Extended security negotiation is supported" size="2" pos="74" show="1" value="FFFFFFFF" unmaskedvalue="03c8"/>
- <field name="smb.flags2.reparse_path" showname=".... .0.. .... .... = Reparse Path: The request does not use a @GMT reparse path" size="2" pos="74" show="0" value="0" unmaskedvalue="03c8"/>
- <field name="smb.flags2.long_names_used" showname=".... .... .0.. .... = Long Names Used: Path names in request are not long file names" size="2" pos="74" show="0" value="0" unmaskedvalue="03c8"/>
- <field name="smb.flags2.sec_sig_required" showname=".... .... ...0 .... = Security Signatures Required: Security signatures are not required" size="2" pos="74" show="0" value="0" unmaskedvalue="03c8"/>
- <field name="smb.flags2.compressed" showname=".... .... .... 0... = Compressed: Compression is not requested" size="2" pos="74" show="0" value="0" unmaskedvalue="03c8"/>
- <field name="smb.flags2.sec_sig" showname=".... .... .... .0.. = Security Signatures: Security signatures are not supported" size="2" pos="74" show="0" value="0" unmaskedvalue="03c8"/>
- <field name="smb.flags2.ea" showname=".... .... .... ..1. = Extended Attributes: Extended attributes are supported" size="2" pos="74" show="1" value="FFFFFFFF" unmaskedvalue="03c8"/>
- <field name="smb.flags2.long_names_allowed" showname=".... .... .... ...1 = Long Names Allowed: Long file names are allowed in the response" size="2" pos="74" show="1" value="FFFFFFFF" unmaskedvalue="03c8"/>
- </field>
- <field name="smb.pid.high" showname="Process ID High: 0" size="2" pos="76" show="0" value="0000"/>
- <field name="smb.signature" showname="Signature: 0000000000000000" size="8" pos="78" show="00:00:00:00:00:00:00:00" value="0000000000000000"/>
- <field name="smb.reserved" showname="Reserved: 0000" size="2" pos="86" show="00:00" value="0000"/>
- <field name="smb.tid" showname="Tree ID: 27308 (\\LOCALNT4DC2\IPC$)" size="2" pos="88" show="27308" value="ac6a">
- <field name="smb.path" showname="Path: \\LOCALNT4DC2\IPC$" size="0" pos="152" show="\\LOCALNT4DC2\IPC$"/>
- <field name="smb.fid.mapped_in" showname="Mapped in: 456" size="0" pos="152" show="456"/>
- </field>
- <field name="smb.pid" showname="Process ID: 21860" size="2" pos="90" show="21860" value="6455"/>
- <field name="smb.uid" showname="User ID: 60638" size="2" pos="92" show="60638" value="deec"/>
- <field name="smb.mid" showname="Multiplex ID: 4" size="2" pos="94" show="4" value="0400"/>
- </field>
- <field name="" show="NT Create AndX Response (0xa2)" size="71" pos="96" value="22ff00000000792b01000000000000000000000000000000000000000000000000000000000000000000000080000000000000000000000000000000000000000200ff05000000">
- <field name="smb.wct" showname="Word Count (WCT): 34" size="1" pos="96" show="34" value="22"/>
- <field name="smb.cmd" showname="AndXCommand: No further commands (0xff)" size="1" pos="97" show="255" value="ff"/>
- <field name="smb.reserved" showname="Reserved: 00" size="1" pos="98" show="00" value="00"/>
- <field name="smb.andxoffset" showname="AndXOffset: 0" size="2" pos="99" show="0" value="0000"/>
- <field name="smb.oplock.level" showname="Oplock level: No oplock granted (0)" size="1" pos="101" show="0" value="00"/>
- <field name="smb.fid" showname="FID: 0x2b79 (\srvsvc)" size="2" pos="102" show="0x00002b79" value="792b">
- <field name="smb.fid.opened_in" showname="Opened in: 462" size="0" pos="166" show="462"/>
- <field name="smb.file" showname="File Name: \srvsvc" size="0" pos="166" show="\srvsvc"/>
- <field name="smb.create_flags" showname="Create Flags: 0x00000000" size="4" pos="166" show="0x00000000" value="ff534d42">
- <field name="smb.nt.create.oplock" showname=".... .... .... .... .... .... .... ..0. = Exclusive Oplock: Does NOT request oplock" size="4" pos="64" show="0" value="0" unmaskedvalue="ff534d42"/>
- <field name="smb.nt.create.batch_oplock" showname=".... .... .... .... .... .... .... .0.. = Batch Oplock: Does NOT request batch oplock" size="4" pos="64" show="0" value="0" unmaskedvalue="ff534d42"/>
- <field name="smb.nt.create.dir" showname=".... .... .... .... .... .... .... 0... = Create Directory: Target of open can be a file" size="4" pos="64" show="0" value="0" unmaskedvalue="ff534d42"/>
- <field name="smb.nt.create.ext" showname=".... .... .... .... .... .... ...0 .... = Extended Response: Extended responses NOT required" size="4" pos="64" show="0" value="0" unmaskedvalue="ff534d42"/>
- </field>
- <field name="smb.access_mask" showname="Access Mask: 0x0002019f" size="4" pos="166" show="0x0002019f" value="ff534d42">
- <field name="smb.access.read" showname=".... .... .... .... .... .... .... ...1 = Read: READ access" size="4" pos="64" show="1" value="FFFFFFFF" unmaskedvalue="ff534d42"/>
- <field name="smb.access.write" showname=".... .... .... .... .... .... .... ..1. = Write: WRITE access" size="4" pos="64" show="1" value="FFFFFFFF" unmaskedvalue="ff534d42"/>
- <field name="smb.access.append" showname=".... .... .... .... .... .... .... .1.. = Append: APPEND access" size="4" pos="64" show="1" value="FFFFFFFF" unmaskedvalue="ff534d42"/>
- <field name="smb.access.read_ea" showname=".... .... .... .... .... .... .... 1... = Read EA: READ EXTENDED ATTRIBUTES access" size="4" pos="64" show="1" value="FFFFFFFF" unmaskedvalue="ff534d42"/>
- <field name="smb.access.write_ea" showname=".... .... .... .... .... .... ...1 .... = Write EA: WRITE EXTENDED ATTRIBUTES access" size="4" pos="64" show="1" value="FFFFFFFF" unmaskedvalue="ff534d42"/>
- <field name="smb.access.execute" showname=".... .... .... .... .... .... ..0. .... = Execute: NO execute access" size="4" pos="64" show="0" value="0" unmaskedvalue="ff534d42"/>
- <field name="smb.access.delete_child" showname=".... .... .... .... .... .... .0.. .... = Delete Child: NO delete child access" size="4" pos="64" show="0" value="0" unmaskedvalue="ff534d42"/>
- <field name="smb.access.read_attributes" showname=".... .... .... .... .... .... 1... .... = Read Attributes: READ ATTRIBUTES access" size="4" pos="64" show="1" value="FFFFFFFF" unmaskedvalue="ff534d42"/>
- <field name="smb.access.write_attributes" showname=".... .... .... .... .... ...1 .... .... = Write Attributes: WRITE ATTRIBUTES access" size="4" pos="64" show="1" value="FFFFFFFF" unmaskedvalue="ff534d42"/>
- <field name="smb.access.delete" showname=".... .... .... ...0 .... .... .... .... = Delete: NO delete access" size="4" pos="64" show="0" value="0" unmaskedvalue="ff534d42"/>
- <field name="smb.access.read_control" showname=".... .... .... ..1. .... .... .... .... = Read Control: READ ACCESS to owner, group and ACL of the SID" size="4" pos="64" show="1" value="FFFFFFFF" unmaskedvalue="ff534d42"/>
- <field name="smb.access.write_dac" showname=".... .... .... .0.. .... .... .... .... = Write DAC: Owner may NOT write to the DAC" size="4" pos="64" show="0" value="0" unmaskedvalue="ff534d42"/>
- <field name="smb.access.write_owner" showname=".... .... .... 0... .... .... .... .... = Write Owner: Can NOT write owner (take ownership)" size="4" pos="64" show="0" value="0" unmaskedvalue="ff534d42"/>
- <field name="smb.access.synchronize" showname=".... .... ...0 .... .... .... .... .... = Synchronize: Can NOT wait on handle to synchronize on completion of I/O" size="4" pos="64" show="0" value="0" unmaskedvalue="ff534d42"/>
- <field name="smb.access.system_security" showname=".... ...0 .... .... .... .... .... .... = System Security: System security is NOT set" size="4" pos="64" show="0" value="0" unmaskedvalue="ff534d42"/>
- <field name="smb.access.maximum_allowed" showname=".... ..0. .... .... .... .... .... .... = Maximum Allowed: Maximum allowed is NOT set" size="4" pos="64" show="0" value="0" unmaskedvalue="ff534d42"/>
- <field name="smb.access.generic_all" showname="...0 .... .... .... .... .... .... .... = Generic All: Generic all is NOT set" size="4" pos="64" show="0" value="0" unmaskedvalue="ff534d42"/>
- <field name="smb.access.generic_execute" showname="..0. .... .... .... .... .... .... .... = Generic Execute: Generic execute is NOT set" size="4" pos="64" show="0" value="0" unmaskedvalue="ff534d42"/>
- <field name="smb.access.generic_write" showname=".0.. .... .... .... .... .... .... .... = Generic Write: Generic write is NOT set" size="4" pos="64" show="0" value="0" unmaskedvalue="ff534d42"/>
- <field name="smb.access.generic_read" showname="0... .... .... .... .... .... .... .... = Generic Read: Generic read is NOT set" size="4" pos="64" show="0" value="0" unmaskedvalue="ff534d42"/>
- </field>
- <field name="smb.file_attribute" showname="File Attributes: 0x00000000" size="4" pos="166" show="0x00000000" value="ff534d42">
- <field name="smb.file_attribute.read_only" showname=".... .... .... .... .... .... .... ...0 = Read Only: NOT read only" size="4" pos="64" show="0" value="0" unmaskedvalue="ff534d42"/>
- <field name="smb.file_attribute.hidden" showname=".... .... .... .... .... .... .... ..0. = Hidden: NOT hidden" size="4" pos="64" show="0" value="0" unmaskedvalue="ff534d42"/>
- <field name="smb.file_attribute.system" showname=".... .... .... .... .... .... .... .0.. = System: NOT a system file/dir" size="4" pos="64" show="0" value="0" unmaskedvalue="ff534d42"/>
- <field name="smb.file_attribute.volume" showname=".... .... .... .... .... .... .... 0... = Volume ID: NOT a volume ID" size="4" pos="64" show="0" value="0" unmaskedvalue="ff534d42"/>
- <field name="smb.file_attribute.directory" showname=".... .... .... .... .... .... ...0 .... = Directory: NOT a directory" size="4" pos="64" show="0" value="0" unmaskedvalue="ff534d42"/>
- <field name="smb.file_attribute.archive" showname=".... .... .... .... .... .... ..0. .... = Archive: Has NOT been modified since last archive" size="4" pos="64" show="0" value="0" unmaskedvalue="ff534d42"/>
- <field name="smb.file_attribute.device" showname=".... .... .... .... .... .... .0.. .... = Device: NOT a device" size="4" pos="64" show="0" value="0" unmaskedvalue="ff534d42"/>
- <field name="smb.file_attribute.normal" showname=".... .... .... .... .... .... 0... .... = Normal: Has some attribute set" size="4" pos="64" show="0" value="0" unmaskedvalue="ff534d42"/>
- <field name="smb.file_attribute.temporary" showname=".... .... .... .... .... ...0 .... .... = Temporary: NOT a temporary file" size="4" pos="64" show="0" value="0" unmaskedvalue="ff534d42"/>
- <field name="smb.file_attribute.sparse" showname=".... .... .... .... .... ..0. .... .... = Sparse: NOT a sparse file" size="4" pos="64" show="0" value="0" unmaskedvalue="ff534d42"/>
- <field name="smb.file_attribute.reparse" showname=".... .... .... .... .... .0.. .... .... = Reparse Point: Does NOT have an associated reparse point" size="4" pos="64" show="0" value="0" unmaskedvalue="ff534d42"/>
- <field name="smb.file_attribute.compressed" showname=".... .... .... .... .... 0... .... .... = Compressed: Uncompressed" size="4" pos="64" show="0" value="0" unmaskedvalue="ff534d42"/>
- <field name="smb.file_attribute.offline" showname=".... .... .... .... ...0 .... .... .... = Offline: Online" size="4" pos="64" show="0" value="0" unmaskedvalue="ff534d42"/>
- <field name="smb.file_attribute.not_content_indexed" showname=".... .... .... .... ..0. .... .... .... = Content Indexed: NOT content indexed" size="4" pos="64" show="0" value="0" unmaskedvalue="ff534d42"/>
- <field name="smb.file_attribute.encrypted" showname=".... .... .... .... .0.. .... .... .... = Encrypted: This is NOT an encrypted file" size="4" pos="64" show="0" value="0" unmaskedvalue="ff534d42"/>
- </field>
- <field name="smb.share_access" showname="Share Access: 0x00000003, Read, Write" size="4" pos="166" show="0x00000003" value="ff534d42">
- <field name="smb.share.access.read" showname=".... .... .... .... .... .... .... ...1 = Read: Object can be shared for READ" size="4" pos="64" show="1" value="FFFFFFFF" unmaskedvalue="ff534d42"/>
- <field name="smb.share.access.write" showname=".... .... .... .... .... .... .... ..1. = Write: Object can be shared for WRITE" size="4" pos="64" show="1" value="FFFFFFFF" unmaskedvalue="ff534d42"/>
- <field name="smb.share.access.delete" showname=".... .... .... .... .... .... .... .0.. = Delete: Object can NOT be shared for delete" size="4" pos="64" show="0" value="0" unmaskedvalue="ff534d42"/>
- </field>
- <field name="smb.create_options" showname="Create Options: 0x00000000" size="4" pos="166" show="0x00000000" value="ff534d42">
- <field name="smb.nt.create_options.directory" showname=".... .... .... .... .... .... .... ...0 = Directory: File being created/opened must not be a directory" size="4" pos="64" show="0" value="0" unmaskedvalue="ff534d42"/>
- <field name="smb.nt.create_options.write_through" showname=".... .... .... .... .... .... .... ..0. = Write Through: Writes need not flush buffered data before completing" size="4" pos="64" show="0" value="0" unmaskedvalue="ff534d42"/>
- <field name="smb.nt.create_options.sequential_only" showname=".... .... .... .... .... .... .... .0.. = Sequential Only: The file might not only be accessed sequentially" size="4" pos="64" show="0" value="0" unmaskedvalue="ff534d42"/>
- <field name="smb.nt.create_options.intermediate_buffering" showname=".... .... .... .... .... .... .... 0... = Intermediate Buffering: Intermediate buffering is allowed" size="4" pos="64" show="0" value="0" unmaskedvalue="ff534d42"/>
- <field name="smb.nt.create_options.sync_io_alert" showname=".... .... .... .... .... .... ...0 .... = Sync I/O Alert: Operations NOT necessarily synchronous" size="4" pos="64" show="0" value="0" unmaskedvalue="ff534d42"/>
- <field name="smb.nt.create_options.sync_io_nonalert" showname=".... .... .... .... .... .... ..0. .... = Sync I/O Nonalert: Operations NOT necessarily synchronous" size="4" pos="64" show="0" value="0" unmaskedvalue="ff534d42"/>
- <field name="smb.nt.create_options.non_directory" showname=".... .... .... .... .... .... .0.. .... = Non-Directory: File being created/opened must be a directory" size="4" pos="64" show="0" value="0" unmaskedvalue="ff534d42"/>
- <field name="smb.nt.create_options.create_tree_connection" showname=".... .... .... .... .... .... 0... .... = Create Tree Connection: Create Tree Connections is NOT set" size="4" pos="64" show="0" value="0" unmaskedvalue="ff534d42"/>
- <field name="smb.nt.create_options.complete_if_oplocked" showname=".... .... .... .... .... ...0 .... .... = Complete If Oplocked: Complete if oplocked is NOT set" size="4" pos="64" show="0" value="0" unmaskedvalue="ff534d42"/>
- <field name="smb.nt.create_options.no_ea_knowledge" showname=".... .... .... .... .... ..0. .... .... = No EA Knowledge: The client understands extended attributes" size="4" pos="64" show="0" value="0" unmaskedvalue="ff534d42"/>
- <field name="smb.nt.create_options.eight_dot_three_only" showname=".... .... .... .... .... .0.. .... .... = 8.3 Only: The client understands long file names" size="4" pos="64" show="0" value="0" unmaskedvalue="ff534d42"/>
- <field name="smb.nt.create_options.random_access" showname=".... .... .... .... .... 0... .... .... = Random Access: The file will not be accessed randomly" size="4" pos="64" show="0" value="0" unmaskedvalue="ff534d42"/>
- <field name="smb.nt.create_options.delete_on_close" showname=".... .... .... .... ...0 .... .... .... = Delete On Close: The file should not be deleted when it is closed" size="4" pos="64" show="0" value="0" unmaskedvalue="ff534d42"/>
- <field name="smb.nt.create_options.open_by_fileid" showname=".... .... .... .... ..0. .... .... .... = Open By FileID: OpenByFileID is NOT set" size="4" pos="64" show="0" value="0" unmaskedvalue="ff534d42"/>
- <field name="smb.nt.create_options.backup_intent" showname=".... .... .... .... .0.. .... .... .... = Backup Intent: This is a normal create" size="4" pos="64" show="0" value="0" unmaskedvalue="ff534d42"/>
- <field name="smb.nt.create_options.no_compression" showname=".... .... .... .... 0... .... .... .... = No Compression: Compression is allowed for Open/Create" size="4" pos="64" show="0" value="0" unmaskedvalue="ff534d42"/>
- <field name="smb.nt.create_options.reserve_opfilter" showname=".... .... ...0 .... .... .... .... .... = Reserve Opfilter: Reserve Opfilter is NOT set" size="4" pos="64" show="0" value="0" unmaskedvalue="ff534d42"/>
- <field name="smb.nt.create_options.open_reparse_point" showname=".... .... ..0. .... .... .... .... .... = Open Reparse Point: Normal open" size="4" pos="64" show="0" value="0" unmaskedvalue="ff534d42"/>
- <field name="smb.nt.create_options.open_no_recall" showname=".... .... .0.. .... .... .... .... .... = Open No Recall: Open no recall is NOT set" size="4" pos="64" show="0" value="0" unmaskedvalue="ff534d42"/>
- <field name="smb.nt.create_options.open_for_free_space_query" showname=".... .... 0... .... .... .... .... .... = Open For Free Space query: This is NOT an open for free space query" size="4" pos="64" show="0" value="0" unmaskedvalue="ff534d42"/>
- </field>
- <field name="smb.create.disposition" showname="Disposition: Open (if file exists open it, else fail) (1)" size="0" pos="166" show="1"/>
- </field>
- <field name="smb.create.action" showname="Create action: The file existed and was opened (1)" size="4" pos="104" show="1" value="01000000"/>
- <field name="smb.create.time" showname="Created: No time specified (0)" size="8" pos="108" show="Jan 1, 1970 12:00:00.000000000 NZST" value="0000000000000000"/>
- <field name="smb.access.time" showname="Last Access: No time specified (0)" size="8" pos="116" show="Jan 1, 1970 12:00:00.000000000 NZST" value="0000000000000000"/>
- <field name="smb.last_write.time" showname="Last Write: No time specified (0)" size="8" pos="124" show="Jan 1, 1970 12:00:00.000000000 NZST" value="0000000000000000"/>
- <field name="smb.change.time" showname="Change: No time specified (0)" size="8" pos="132" show="Jan 1, 1970 12:00:00.000000000 NZST" value="0000000000000000"/>
- <field name="smb.file_attribute" showname="File Attributes: 0x00000080" size="4" pos="140" show="0x00000080" value="80000000">
- <field name="smb.file_attribute.read_only" showname=".... .... .... .... .... .... .... ...0 = Read Only: NOT read only" size="4" pos="140" show="0" value="0" unmaskedvalue="80000000"/>
- <field name="smb.file_attribute.hidden" showname=".... .... .... .... .... .... .... ..0. = Hidden: NOT hidden" size="4" pos="140" show="0" value="0" unmaskedvalue="80000000"/>
- <field name="smb.file_attribute.system" showname=".... .... .... .... .... .... .... .0.. = System: NOT a system file/dir" size="4" pos="140" show="0" value="0" unmaskedvalue="80000000"/>
- <field name="smb.file_attribute.volume" showname=".... .... .... .... .... .... .... 0... = Volume ID: NOT a volume ID" size="4" pos="140" show="0" value="0" unmaskedvalue="80000000"/>
- <field name="smb.file_attribute.directory" showname=".... .... .... .... .... .... ...0 .... = Directory: NOT a directory" size="4" pos="140" show="0" value="0" unmaskedvalue="80000000"/>
- <field name="smb.file_attribute.archive" showname=".... .... .... .... .... .... ..0. .... = Archive: Has NOT been modified since last archive" size="4" pos="140" show="0" value="0" unmaskedvalue="80000000"/>
- <field name="smb.file_attribute.device" showname=".... .... .... .... .... .... .0.. .... = Device: NOT a device" size="4" pos="140" show="0" value="0" unmaskedvalue="80000000"/>
- <field name="smb.file_attribute.normal" showname=".... .... .... .... .... .... 1... .... = Normal: An ordinary file/dir" size="4" pos="140" show="1" value="FFFFFFFF" unmaskedvalue="80000000"/>
- <field name="smb.file_attribute.temporary" showname=".... .... .... .... .... ...0 .... .... = Temporary: NOT a temporary file" size="4" pos="140" show="0" value="0" unmaskedvalue="80000000"/>
- <field name="smb.file_attribute.sparse" showname=".... .... .... .... .... ..0. .... .... = Sparse: NOT a sparse file" size="4" pos="140" show="0" value="0" unmaskedvalue="80000000"/>
- <field name="smb.file_attribute.reparse" showname=".... .... .... .... .... .0.. .... .... = Reparse Point: Does NOT have an associated reparse point" size="4" pos="140" show="0" value="0" unmaskedvalue="80000000"/>
- <field name="smb.file_attribute.compressed" showname=".... .... .... .... .... 0... .... .... = Compressed: Uncompressed" size="4" pos="140" show="0" value="0" unmaskedvalue="80000000"/>
- <field name="smb.file_attribute.offline" showname=".... .... .... .... ...0 .... .... .... = Offline: Online" size="4" pos="140" show="0" value="0" unmaskedvalue="80000000"/>
- <field name="smb.file_attribute.not_content_indexed" showname=".... .... .... .... ..0. .... .... .... = Content Indexed: NOT content indexed" size="4" pos="140" show="0" value="0" unmaskedvalue="80000000"/>
- <field name="smb.file_attribute.encrypted" showname=".... .... .... .... .0.. .... .... .... = Encrypted: This is NOT an encrypted file" size="4" pos="140" show="0" value="0" unmaskedvalue="80000000"/>
- </field>
- <field name="smb.alloc_size" showname="Allocation Size: 0" size="8" pos="144" show="0" value="0000000000000000"/>
- <field name="smb.end_of_file" showname="End Of File: 0" size="8" pos="152" show="0" value="0000000000000000"/>
- <field name="smb.file_type" showname="File Type: Named pipe in message mode (2)" size="2" pos="160" show="2" value="0200"/>
- <field name="smb.ipc_state" showname="IPC State: 0x05ff, Endpoint: Consumer end of pipe, Pipe Type: Message pipe, Read Mode: Read messages from pipe" size="2" pos="162" show="0x000005ff" value="ff05">
- <field name="smb.ipc_state.nonblocking" showname="0... .... .... .... = Nonblocking: Reads/writes block if no data available" size="2" pos="162" show="0" value="0" unmaskedvalue="ff05"/>
- <field name="smb.ipc_state.endpoint" showname=".0.. .... .... .... = Endpoint: Consumer end of pipe (0)" size="2" pos="162" show="0" value="0" unmaskedvalue="ff05"/>
- <field name="smb.ipc_state.pipe_type" showname=".... 01.. .... .... = Pipe Type: Message pipe (1)" size="2" pos="162" show="1" value="1" unmaskedvalue="ff05"/>
- <field name="smb.ipc_state.read_mode" showname=".... ..01 .... .... = Read Mode: Read messages from pipe (1)" size="2" pos="162" show="1" value="1" unmaskedvalue="ff05"/>
- <field name="smb.ipc_state.icount" showname=".... .... 1111 1111 = Icount: 255" size="2" pos="162" show="255" value="FF" unmaskedvalue="ff05"/>
- </field>
- <field name="smb.is_directory" showname="Is Directory: This is NOT a directory (0)" size="1" pos="164" show="0" value="00"/>
- <field name="smb.bcc" showname="Byte Count (BCC): 0" size="2" pos="165" show="0" value="0000"/>
- </field>
- </proto>
-</packet>
-
-<packet>
- <proto name="geninfo" pos="0" showname="General information" size="220">
- <field name="num" pos="0" show="465" showname="Number" value="1d1" size="220"/>
- <field name="len" pos="0" show="220" showname="Frame Length" value="dc" size="220"/>
- <field name="caplen" pos="0" show="220" showname="Captured Length" value="dc" size="220"/>
- <field name="timestamp" pos="0" show="Feb 13, 2017 10:17:16.150278000 NZDT" showname="Captured Time" value="1486934236.150278000" size="220"/>
- </proto>
- <proto name="frame" showname="Frame 465: 220 bytes on wire (1760 bits), 220 bytes captured (1760 bits)" size="220" pos="0">
- <field name="frame.encap_type" showname="Encapsulation type: Raw IP (7)" size="0" pos="0" show="7"/>
- <field name="frame.time" showname="Arrival Time: Feb 13, 2017 10:17:16.150278000 NZDT" size="0" pos="0" show="Feb 13, 2017 10:17:16.150278000 NZDT"/>
- <field name="frame.offset_shift" showname="Time shift for this packet: 0.000000000 seconds" size="0" pos="0" show="0.000000000"/>
- <field name="frame.time_epoch" showname="Epoch Time: 1486934236.150278000 seconds" size="0" pos="0" show="1486934236.150278000"/>
- <field name="frame.time_delta" showname="Time delta from previous captured frame: 0.000134000 seconds" size="0" pos="0" show="0.000134000"/>
- <field name="frame.time_delta_displayed" showname="Time delta from previous displayed frame: 0.000134000 seconds" size="0" pos="0" show="0.000134000"/>
- <field name="frame.time_relative" showname="Time since reference or first frame: 465.527837000 seconds" size="0" pos="0" show="465.527837000"/>
- <field name="frame.number" showname="Frame Number: 465" size="0" pos="0" show="465"/>
- <field name="frame.len" showname="Frame Length: 220 bytes (1760 bits)" size="0" pos="0" show="220"/>
- <field name="frame.cap_len" showname="Capture Length: 220 bytes (1760 bits)" size="0" pos="0" show="220"/>
- <field name="frame.marked" showname="Frame is marked: False" size="0" pos="0" show="0"/>
- <field name="frame.ignored" showname="Frame is ignored: False" size="0" pos="0" show="0"/>
- <field name="frame.protocols" showname="Protocols in frame: raw:ipv6:tcp:nbss:smb:dcerpc" size="0" pos="0" show="raw:ipv6:tcp:nbss:smb:dcerpc"/>
- </proto>
- <proto name="raw" showname="Raw packet data" size="220" pos="0"/>
- <proto name="ipv6" showname="Internet Protocol Version 6, Src: fd00::5357:5f0b, Dst: fd00::5357:5f03" size="40" pos="0">
- <field name="ipv6.version" showname="0110 .... = Version: 6" size="1" pos="0" show="6" value="6" unmaskedvalue="60"/>
- <field name="ip.version" showname="0110 .... = Version: 6 [This field makes the filter match on &quot;ip.version == 6&quot; possible]" hide="yes" size="1" pos="0" show="6" value="6" unmaskedvalue="60"/>
- <field name="ipv6.tclass" showname=".... 0000 0000 .... .... .... .... .... = Traffic class: 0x00 (DSCP: CS0, ECN: Not-ECT)" size="4" pos="0" show="0x00000000" value="0" unmaskedvalue="60000000">
- <field name="ipv6.tclass.dscp" showname=".... 0000 00.. .... .... .... .... .... = Differentiated Services Codepoint: Default (0)" size="4" pos="0" show="0" value="0" unmaskedvalue="60000000"/>
- <field name="ipv6.tclass.ecn" showname=".... .... ..00 .... .... .... .... .... = Explicit Congestion Notification: Not ECN-Capable Transport (0)" size="4" pos="0" show="0" value="0" unmaskedvalue="60000000"/>
- </field>
- <field name="ipv6.flow" showname=".... .... .... 0000 0000 0000 0000 0000 = Flowlabel: 0x00000000" size="4" pos="0" show="0x00000000" value="0" unmaskedvalue="60000000"/>
- <field name="ipv6.plen" showname="Payload length: 220" size="2" pos="4" show="220" value="00dc">
- <field name="_ws.expert" showname="Expert Info (Warn/Protocol): IPv6 payload length exceeds framing length (180 bytes)" size="0" pos="4">
- <field name="ipv6.bogus_payload_length" showname="IPv6 payload length exceeds framing length (180 bytes)" size="0" pos="0" show="" value=""/>
- <field name="_ws.expert.message" showname="Message: IPv6 payload length exceeds framing length (180 bytes)" hide="yes" size="0" pos="0" show="IPv6 payload length exceeds framing length (180 bytes)"/>
- <field name="_ws.expert.severity" showname="Severity level: Warn" size="0" pos="0" show="0x00600000"/>
- <field name="_ws.expert.group" showname="Group: Protocol" size="0" pos="0" show="0x09000000"/>
- </field>
- </field>
- <field name="ipv6.nxt" showname="Next header: TCP (6)" size="1" pos="6" show="6" value="06"/>
- <field name="ipv6.hlim" showname="Hop limit: 0" size="1" pos="7" show="0" value="00"/>
- <field name="ipv6.src" showname="Source: fd00::5357:5f0b" size="16" pos="8" show="fd00::5357:5f0b" value="fd000000000000000000000053575f0b"/>
- <field name="ipv6.addr" showname="Source or Destination Address: fd00::5357:5f0b" hide="yes" size="16" pos="8" show="fd00::5357:5f0b" value="fd000000000000000000000053575f0b"/>
- <field name="ipv6.src_host" showname="Source Host: fd00::5357:5f0b" hide="yes" size="16" pos="8" show="fd00::5357:5f0b" value="fd000000000000000000000053575f0b"/>
- <field name="ipv6.host" showname="Source or Destination Host: fd00::5357:5f0b" hide="yes" size="16" pos="8" show="fd00::5357:5f0b" value="fd000000000000000000000053575f0b"/>
- <field name="ipv6.dst" showname="Destination: fd00::5357:5f03" size="16" pos="24" show="fd00::5357:5f03" value="fd000000000000000000000053575f03"/>
- <field name="ipv6.addr" showname="Source or Destination Address: fd00::5357:5f03" hide="yes" size="16" pos="24" show="fd00::5357:5f03" value="fd000000000000000000000053575f03"/>
- <field name="ipv6.dst_host" showname="Destination Host: fd00::5357:5f03" hide="yes" size="16" pos="24" show="fd00::5357:5f03" value="fd000000000000000000000053575f03"/>
- <field name="ipv6.host" showname="Source or Destination Host: fd00::5357:5f03" hide="yes" size="16" pos="24" show="fd00::5357:5f03" value="fd000000000000000000000053575f03"/>
- <field name="" show="Source GeoIP: Unknown" size="16" pos="8" value="fd000000000000000000000053575f0b"/>
- <field name="" show="Destination GeoIP: Unknown" size="16" pos="24" value="fd000000000000000000000053575f03"/>
- </proto>
- <proto name="tcp" showname="Transmission Control Protocol, Src Port: 31861 (31861), Dst Port: 139 (139), Seq: 847, Ack: 929, Len: 160" size="20" pos="40">
- <field name="tcp.srcport" showname="Source Port: 31861" size="2" pos="40" show="31861" value="7c75"/>
- <field name="tcp.dstport" showname="Destination Port: 139" size="2" pos="42" show="139" value="008b"/>
- <field name="tcp.port" showname="Source or Destination Port: 31861" hide="yes" size="2" pos="40" show="31861" value="7c75"/>
- <field name="tcp.port" showname="Source or Destination Port: 139" hide="yes" size="2" pos="42" show="139" value="008b"/>
- <field name="tcp.stream" showname="Stream index: 6" size="0" pos="40" show="6"/>
- <field name="tcp.len" showname="TCP Segment Len: 160" size="1" pos="52" show="160" value="50"/>
- <field name="tcp.seq" showname="Sequence number: 847 (relative sequence number)" size="4" pos="44" show="847" value="0000034f"/>
- <field name="tcp.nxtseq" showname="Next sequence number: 1007 (relative sequence number)" size="0" pos="40" show="1007"/>
- <field name="tcp.ack" showname="Acknowledgment number: 929 (relative ack number)" size="4" pos="48" show="929" value="000003a1"/>
- <field name="tcp.hdr_len" showname="Header Length: 20 bytes" size="1" pos="52" show="20" value="50"/>
- <field name="tcp.flags" showname="Flags: 0x018 (PSH, ACK)" size="2" pos="52" show="0x00000018" value="18" unmaskedvalue="5018">
- <field name="tcp.flags.res" showname="000. .... .... = Reserved: Not set" size="1" pos="52" show="0" value="0" unmaskedvalue="50"/>
- <field name="tcp.flags.ns" showname="...0 .... .... = Nonce: Not set" size="1" pos="52" show="0" value="0" unmaskedvalue="50"/>
- <field name="tcp.flags.cwr" showname=".... 0... .... = Congestion Window Reduced (CWR): Not set" size="1" pos="53" show="0" value="0" unmaskedvalue="18"/>
- <field name="tcp.flags.ecn" showname=".... .0.. .... = ECN-Echo: Not set" size="1" pos="53" show="0" value="0" unmaskedvalue="18"/>
- <field name="tcp.flags.urg" showname=".... ..0. .... = Urgent: Not set" size="1" pos="53" show="0" value="0" unmaskedvalue="18"/>
- <field name="tcp.flags.ack" showname=".... ...1 .... = Acknowledgment: Set" size="1" pos="53" show="1" value="FFFFFFFF" unmaskedvalue="18"/>
- <field name="tcp.flags.push" showname=".... .... 1... = Push: Set" size="1" pos="53" show="1" value="FFFFFFFF" unmaskedvalue="18"/>
- <field name="tcp.flags.reset" showname=".... .... .0.. = Reset: Not set" size="1" pos="53" show="0" value="0" unmaskedvalue="18"/>
- <field name="tcp.flags.syn" showname=".... .... ..0. = Syn: Not set" size="1" pos="53" show="0" value="0" unmaskedvalue="18"/>
- <field name="tcp.flags.fin" showname=".... .... ...0 = Fin: Not set" size="1" pos="53" show="0" value="0" unmaskedvalue="18"/>
- <field name="tcp.flags.str" showname="TCP Flags: *******AP***" size="2" pos="52" show="*******AP***" value="5018"/>
- </field>
- <field name="tcp.window_size_value" showname="Window size value: 32767" size="2" pos="54" show="32767" value="7fff"/>
- <field name="tcp.window_size" showname="Calculated window size: 32767" size="2" pos="54" show="32767" value="7fff"/>
- <field name="tcp.window_size_scalefactor" showname="Window size scaling factor: -2 (no window scaling used)" size="2" pos="54" show="-2" value="7fff"/>
- <field name="tcp.checksum" showname="Checksum: 0x0000 [validation disabled]" size="2" pos="56" show="0x00000000" value="0000">
- <field name="tcp.checksum_good" showname="Good Checksum: False" size="2" pos="56" show="0" value="0000"/>
- <field name="tcp.checksum_bad" showname="Bad Checksum: False" size="2" pos="56" show="0" value="0000"/>
- </field>
- <field name="tcp.urgent_pointer" showname="Urgent pointer: 0" size="2" pos="58" show="0" value="0000"/>
- <field name="tcp.analysis" showname="SEQ/ACK analysis" size="0" pos="40" show="" value="">
- <field name="tcp.analysis.acks_frame" showname="This is an ACK to the segment in frame: 462" size="0" pos="40" show="462"/>
- <field name="tcp.analysis.ack_rtt" showname="The RTT to ACK the segment was: 0.000171000 seconds" size="0" pos="40" show="0.000171000"/>
- <field name="tcp.analysis.initial_rtt" showname="iRTT: 0.000024000 seconds" size="0" pos="40" show="0.000024000"/>
- <field name="tcp.analysis.bytes_in_flight" showname="Bytes in flight: 160" size="0" pos="40" show="160"/>
- </field>
- </proto>
- <proto name="nbss" showname="NetBIOS Session Service" size="160" pos="60">
- <field name="nbss.type" showname="Message Type: Session message (0x00)" size="1" pos="60" show="0x00000000" value="00"/>
- <field name="nbss.length" showname="Length: 156" size="3" pos="61" show="156" value="00009c"/>
- </proto>
- <proto name="smb" showname="SMB (Server Message Block Protocol)" size="156" pos="64">
- <field name="" show="SMB Header" size="32" pos="64" value="ff534d4225000000001843c8000000000000000000000000ac6a6455deec0500">
- <field name="smb.server_component" showname="Server Component: SMB" size="4" pos="64" show="0x424d53ff" value="ff534d42"/>
- <field name="smb.cmd" showname="SMB Command: Trans (0x25)" size="1" pos="68" show="37" value="25"/>
- <field name="smb.nt_status" showname="NT Status: STATUS_SUCCESS (0x00000000)" size="4" pos="69" show="0" value="00000000"/>
- <field name="smb.flags" showname="Flags: 0x18, Canonicalized Pathnames, Case Sensitivity" size="1" pos="73" show="0x00000018" value="18">
- <field name="smb.flags.response" showname="0... .... = Request/Response: Message is a request to the server" size="1" pos="73" show="0" value="0" unmaskedvalue="18"/>
- <field name="smb.flags.notify" showname=".0.. .... = Notify: Notify client only on open" size="1" pos="73" show="0" value="0" unmaskedvalue="18"/>
- <field name="smb.flags.oplock" showname="..0. .... = Oplocks: OpLock not requested/granted" size="1" pos="73" show="0" value="0" unmaskedvalue="18"/>
- <field name="smb.flags.canon" showname="...1 .... = Canonicalized Pathnames: Pathnames are canonicalized" size="1" pos="73" show="1" value="FFFFFFFF" unmaskedvalue="18"/>
- <field name="smb.flags.caseless" showname=".... 1... = Case Sensitivity: Path names are caseless" size="1" pos="73" show="1" value="FFFFFFFF" unmaskedvalue="18"/>
- <field name="smb.flags.receive_buffer" showname=".... ..0. = Receive Buffer Posted: Receive buffer has not been posted" size="1" pos="73" show="0" value="0" unmaskedvalue="18"/>
- <field name="smb.flags.lock" showname=".... ...0 = Lock and Read: Lock&amp;Read, Write&amp;Unlock are not supported" size="1" pos="73" show="0" value="0" unmaskedvalue="18"/>
- </field>
- <field name="smb.flags2" showname="Flags2: 0xc843, Unicode Strings, Error Code Type, Extended Security Negotiation, Long Names Used, Extended Attributes, Long Names Allowed" size="2" pos="74" show="0x0000c843" value="43c8">
- <field name="smb.flags2.string" showname="1... .... .... .... = Unicode Strings: Strings are Unicode" size="2" pos="74" show="1" value="FFFFFFFF" unmaskedvalue="43c8"/>
- <field name="smb.flags2.nt_error" showname=".1.. .... .... .... = Error Code Type: Error codes are NT error codes" size="2" pos="74" show="1" value="FFFFFFFF" unmaskedvalue="43c8"/>
- <field name="smb.flags2.roe" showname="..0. .... .... .... = Execute-only Reads: Don&#x27;t permit reads if execute-only" size="2" pos="74" show="0" value="0" unmaskedvalue="43c8"/>
- <field name="smb.flags2.dfs" showname="...0 .... .... .... = Dfs: Don&#x27;t resolve pathnames with Dfs" size="2" pos="74" show="0" value="0" unmaskedvalue="43c8"/>
- <field name="smb.flags2.esn" showname=".... 1... .... .... = Extended Security Negotiation: Extended security negotiation is supported" size="2" pos="74" show="1" value="FFFFFFFF" unmaskedvalue="43c8"/>
- <field name="smb.flags2.reparse_path" showname=".... .0.. .... .... = Reparse Path: The request does not use a @GMT reparse path" size="2" pos="74" show="0" value="0" unmaskedvalue="43c8"/>
- <field name="smb.flags2.long_names_used" showname=".... .... .1.. .... = Long Names Used: Path names in request are long file names" size="2" pos="74" show="1" value="FFFFFFFF" unmaskedvalue="43c8"/>
- <field name="smb.flags2.sec_sig_required" showname=".... .... ...0 .... = Security Signatures Required: Security signatures are not required" size="2" pos="74" show="0" value="0" unmaskedvalue="43c8"/>
- <field name="smb.flags2.compressed" showname=".... .... .... 0... = Compressed: Compression is not requested" size="2" pos="74" show="0" value="0" unmaskedvalue="43c8"/>
- <field name="smb.flags2.sec_sig" showname=".... .... .... .0.. = Security Signatures: Security signatures are not supported" size="2" pos="74" show="0" value="0" unmaskedvalue="43c8"/>
- <field name="smb.flags2.ea" showname=".... .... .... ..1. = Extended Attributes: Extended attributes are supported" size="2" pos="74" show="1" value="FFFFFFFF" unmaskedvalue="43c8"/>
- <field name="smb.flags2.long_names_allowed" showname=".... .... .... ...1 = Long Names Allowed: Long file names are allowed in the response" size="2" pos="74" show="1" value="FFFFFFFF" unmaskedvalue="43c8"/>
- </field>
- <field name="smb.pid.high" showname="Process ID High: 0" size="2" pos="76" show="0" value="0000"/>
- <field name="smb.signature" showname="Signature: 0000000000000000" size="8" pos="78" show="00:00:00:00:00:00:00:00" value="0000000000000000"/>
- <field name="smb.reserved" showname="Reserved: 0000" size="2" pos="86" show="00:00" value="0000"/>
- <field name="smb.tid" showname="Tree ID: 27308 (\\LOCALNT4DC2\IPC$)" size="2" pos="88" show="27308" value="ac6a">
- <field name="smb.path" showname="Path: \\LOCALNT4DC2\IPC$" size="0" pos="152" show="\\LOCALNT4DC2\IPC$"/>
- <field name="smb.fid.mapped_in" showname="Mapped in: 456" size="0" pos="152" show="456"/>
- </field>
- <field name="smb.pid" showname="Process ID: 21860" size="2" pos="90" show="21860" value="6455"/>
- <field name="smb.uid" showname="User ID: 60638" size="2" pos="92" show="60638" value="deec"/>
- <field name="smb.mid" showname="Multiplex ID: 5" size="2" pos="94" show="5" value="0500"/>
- </field>
- <field name="" show="Trans Request (0x25)" size="124" pos="96" value="10000048000000b81000000000000000000000000054004800540002002600792b5900005c0050004900500045005c000000000005000b03100000004800000001000000b810b810000000000100000000000100c84f324b7016d30112785a47bf6ee18803000000045d888aeb1cc9119fe808002b10486002000000">
- <field name="smb.wct" showname="Word Count (WCT): 16" size="1" pos="96" show="16" value="10"/>
- <field name="smb.tpc" showname="Total Parameter Count: 0" size="2" pos="97" show="0" value="0000"/>
- <field name="smb.tdc" showname="Total Data Count: 72" size="2" pos="99" show="72" value="4800"/>
- <field name="smb.mpc" showname="Max Parameter Count: 0" size="2" pos="101" show="0" value="0000"/>
- <field name="smb.mdc" showname="Max Data Count: 4280" size="2" pos="103" show="4280" value="b810"/>
- <field name="smb.msc" showname="Max Setup Count: 0" size="1" pos="105" show="0" value="00"/>
- <field name="smb.reserved" showname="Reserved: 00" size="1" pos="106" show="00" value="00"/>
- <field name="smb.transaction.flags" showname="Flags: 0x0000" size="2" pos="107" show="0x00000000" value="0000">
- <field name="smb.transaction.flags.owt" showname=".... .... .... ..0. = One Way Transaction: Two way transaction" size="2" pos="107" show="0" value="0" unmaskedvalue="0000"/>
- <field name="smb.transaction.flags.dtid" showname=".... .... .... ...0 = Disconnect TID: Do NOT disconnect TID" size="2" pos="107" show="0" value="0" unmaskedvalue="0000"/>
- </field>
- <field name="smb.timeout" showname="Timeout: Return immediately (0)" size="4" pos="109" show="0" value="00000000"/>
- <field name="smb.reserved" showname="Reserved: 0000" size="2" pos="113" show="00:00" value="0000"/>
- <field name="smb.pc" showname="Parameter Count: 0" size="2" pos="115" show="0" value="0000"/>
- <field name="smb.po" showname="Parameter Offset: 84" size="2" pos="117" show="84" value="5400"/>
- <field name="smb.dc" showname="Data Count: 72" size="2" pos="119" show="72" value="4800"/>
- <field name="smb.data_offset" showname="Data Offset: 84" size="2" pos="121" show="84" value="5400"/>
- <field name="smb.sc" showname="Setup Count: 2" size="1" pos="123" show="2" value="02"/>
- <field name="smb.reserved" showname="Reserved: 00" size="1" pos="124" show="00" value="00"/>
- <field name="smb.bcc" showname="Byte Count (BCC): 89" size="2" pos="129" show="89" value="5900"/>
- <field name="smb.trans_name" showname="Transaction Name: \PIPE\" size="14" pos="132" show="\PIPE\" value="5c0050004900500045005c000000"/>
- <field name="smb.padding" showname="Padding: 0000" size="2" pos="146" show="00:00" value="0000"/>
- </field>
- </proto>
- <proto name="smb_pipe" showname="SMB Pipe Protocol" size="21" pos="125">
- <field name="smb_pipe.function" showname="Function: TransactNmPipe (0x0026)" size="2" pos="125" show="0x00000026" value="2600"/>
- <field name="smb.fid" showname="FID: 0x2b79 (\srvsvc)" size="2" pos="127" show="0x00002b79" value="792b">
- <field name="smb.fid.opened_in" showname="Opened in: 462" size="0" pos="252" show="462"/>
- <field name="smb.file" showname="File Name: \srvsvc" size="0" pos="252" show="\srvsvc"/>
- <field name="smb.create_flags" showname="Create Flags: 0x00000000" size="4" pos="252" show="0x00000000" value="2600792b">
- <field name="smb.nt.create.oplock" showname=".... .... .... .... .... .... .... ..0. = Exclusive Oplock: Does NOT request oplock" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
- <field name="smb.nt.create.batch_oplock" showname=".... .... .... .... .... .... .... .0.. = Batch Oplock: Does NOT request batch oplock" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
- <field name="smb.nt.create.dir" showname=".... .... .... .... .... .... .... 0... = Create Directory: Target of open can be a file" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
- <field name="smb.nt.create.ext" showname=".... .... .... .... .... .... ...0 .... = Extended Response: Extended responses NOT required" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
- </field>
- <field name="smb.access_mask" showname="Access Mask: 0x0002019f" size="4" pos="252" show="0x0002019f" value="2600792b">
- <field name="smb.access.read" showname=".... .... .... .... .... .... .... ...1 = Read: READ access" size="4" pos="125" show="1" value="FFFFFFFF" unmaskedvalue="2600792b"/>
- <field name="smb.access.write" showname=".... .... .... .... .... .... .... ..1. = Write: WRITE access" size="4" pos="125" show="1" value="FFFFFFFF" unmaskedvalue="2600792b"/>
- <field name="smb.access.append" showname=".... .... .... .... .... .... .... .1.. = Append: APPEND access" size="4" pos="125" show="1" value="FFFFFFFF" unmaskedvalue="2600792b"/>
- <field name="smb.access.read_ea" showname=".... .... .... .... .... .... .... 1... = Read EA: READ EXTENDED ATTRIBUTES access" size="4" pos="125" show="1" value="FFFFFFFF" unmaskedvalue="2600792b"/>
- <field name="smb.access.write_ea" showname=".... .... .... .... .... .... ...1 .... = Write EA: WRITE EXTENDED ATTRIBUTES access" size="4" pos="125" show="1" value="FFFFFFFF" unmaskedvalue="2600792b"/>
- <field name="smb.access.execute" showname=".... .... .... .... .... .... ..0. .... = Execute: NO execute access" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
- <field name="smb.access.delete_child" showname=".... .... .... .... .... .... .0.. .... = Delete Child: NO delete child access" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
- <field name="smb.access.read_attributes" showname=".... .... .... .... .... .... 1... .... = Read Attributes: READ ATTRIBUTES access" size="4" pos="125" show="1" value="FFFFFFFF" unmaskedvalue="2600792b"/>
- <field name="smb.access.write_attributes" showname=".... .... .... .... .... ...1 .... .... = Write Attributes: WRITE ATTRIBUTES access" size="4" pos="125" show="1" value="FFFFFFFF" unmaskedvalue="2600792b"/>
- <field name="smb.access.delete" showname=".... .... .... ...0 .... .... .... .... = Delete: NO delete access" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
- <field name="smb.access.read_control" showname=".... .... .... ..1. .... .... .... .... = Read Control: READ ACCESS to owner, group and ACL of the SID" size="4" pos="125" show="1" value="FFFFFFFF" unmaskedvalue="2600792b"/>
- <field name="smb.access.write_dac" showname=".... .... .... .0.. .... .... .... .... = Write DAC: Owner may NOT write to the DAC" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
- <field name="smb.access.write_owner" showname=".... .... .... 0... .... .... .... .... = Write Owner: Can NOT write owner (take ownership)" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
- <field name="smb.access.synchronize" showname=".... .... ...0 .... .... .... .... .... = Synchronize: Can NOT wait on handle to synchronize on completion of I/O" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
- <field name="smb.access.system_security" showname=".... ...0 .... .... .... .... .... .... = System Security: System security is NOT set" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
- <field name="smb.access.maximum_allowed" showname=".... ..0. .... .... .... .... .... .... = Maximum Allowed: Maximum allowed is NOT set" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
- <field name="smb.access.generic_all" showname="...0 .... .... .... .... .... .... .... = Generic All: Generic all is NOT set" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
- <field name="smb.access.generic_execute" showname="..0. .... .... .... .... .... .... .... = Generic Execute: Generic execute is NOT set" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
- <field name="smb.access.generic_write" showname=".0.. .... .... .... .... .... .... .... = Generic Write: Generic write is NOT set" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
- <field name="smb.access.generic_read" showname="0... .... .... .... .... .... .... .... = Generic Read: Generic read is NOT set" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
- </field>
- <field name="smb.file_attribute" showname="File Attributes: 0x00000000" size="4" pos="252" show="0x00000000" value="2600792b">
- <field name="smb.file_attribute.read_only" showname=".... .... .... .... .... .... .... ...0 = Read Only: NOT read only" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
- <field name="smb.file_attribute.hidden" showname=".... .... .... .... .... .... .... ..0. = Hidden: NOT hidden" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
- <field name="smb.file_attribute.system" showname=".... .... .... .... .... .... .... .0.. = System: NOT a system file/dir" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
- <field name="smb.file_attribute.volume" showname=".... .... .... .... .... .... .... 0... = Volume ID: NOT a volume ID" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
- <field name="smb.file_attribute.directory" showname=".... .... .... .... .... .... ...0 .... = Directory: NOT a directory" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
- <field name="smb.file_attribute.archive" showname=".... .... .... .... .... .... ..0. .... = Archive: Has NOT been modified since last archive" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
- <field name="smb.file_attribute.device" showname=".... .... .... .... .... .... .0.. .... = Device: NOT a device" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
- <field name="smb.file_attribute.normal" showname=".... .... .... .... .... .... 0... .... = Normal: Has some attribute set" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
- <field name="smb.file_attribute.temporary" showname=".... .... .... .... .... ...0 .... .... = Temporary: NOT a temporary file" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
- <field name="smb.file_attribute.sparse" showname=".... .... .... .... .... ..0. .... .... = Sparse: NOT a sparse file" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
- <field name="smb.file_attribute.reparse" showname=".... .... .... .... .... .0.. .... .... = Reparse Point: Does NOT have an associated reparse point" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
- <field name="smb.file_attribute.compressed" showname=".... .... .... .... .... 0... .... .... = Compressed: Uncompressed" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
- <field name="smb.file_attribute.offline" showname=".... .... .... .... ...0 .... .... .... = Offline: Online" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
- <field name="smb.file_attribute.not_content_indexed" showname=".... .... .... .... ..0. .... .... .... = Content Indexed: NOT content indexed" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
- <field name="smb.file_attribute.encrypted" showname=".... .... .... .... .0.. .... .... .... = Encrypted: This is NOT an encrypted file" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
- </field>
- <field name="smb.share_access" showname="Share Access: 0x00000003, Read, Write" size="4" pos="252" show="0x00000003" value="2600792b">
- <field name="smb.share.access.read" showname=".... .... .... .... .... .... .... ...1 = Read: Object can be shared for READ" size="4" pos="125" show="1" value="FFFFFFFF" unmaskedvalue="2600792b"/>
- <field name="smb.share.access.write" showname=".... .... .... .... .... .... .... ..1. = Write: Object can be shared for WRITE" size="4" pos="125" show="1" value="FFFFFFFF" unmaskedvalue="2600792b"/>
- <field name="smb.share.access.delete" showname=".... .... .... .... .... .... .... .0.. = Delete: Object can NOT be shared for delete" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
- </field>
- <field name="smb.create_options" showname="Create Options: 0x00000000" size="4" pos="252" show="0x00000000" value="2600792b">
- <field name="smb.nt.create_options.directory" showname=".... .... .... .... .... .... .... ...0 = Directory: File being created/opened must not be a directory" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
- <field name="smb.nt.create_options.write_through" showname=".... .... .... .... .... .... .... ..0. = Write Through: Writes need not flush buffered data before completing" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
- <field name="smb.nt.create_options.sequential_only" showname=".... .... .... .... .... .... .... .0.. = Sequential Only: The file might not only be accessed sequentially" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
- <field name="smb.nt.create_options.intermediate_buffering" showname=".... .... .... .... .... .... .... 0... = Intermediate Buffering: Intermediate buffering is allowed" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
- <field name="smb.nt.create_options.sync_io_alert" showname=".... .... .... .... .... .... ...0 .... = Sync I/O Alert: Operations NOT necessarily synchronous" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
- <field name="smb.nt.create_options.sync_io_nonalert" showname=".... .... .... .... .... .... ..0. .... = Sync I/O Nonalert: Operations NOT necessarily synchronous" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
- <field name="smb.nt.create_options.non_directory" showname=".... .... .... .... .... .... .0.. .... = Non-Directory: File being created/opened must be a directory" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
- <field name="smb.nt.create_options.create_tree_connection" showname=".... .... .... .... .... .... 0... .... = Create Tree Connection: Create Tree Connections is NOT set" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
- <field name="smb.nt.create_options.complete_if_oplocked" showname=".... .... .... .... .... ...0 .... .... = Complete If Oplocked: Complete if oplocked is NOT set" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
- <field name="smb.nt.create_options.no_ea_knowledge" showname=".... .... .... .... .... ..0. .... .... = No EA Knowledge: The client understands extended attributes" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
- <field name="smb.nt.create_options.eight_dot_three_only" showname=".... .... .... .... .... .0.. .... .... = 8.3 Only: The client understands long file names" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
- <field name="smb.nt.create_options.random_access" showname=".... .... .... .... .... 0... .... .... = Random Access: The file will not be accessed randomly" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
- <field name="smb.nt.create_options.delete_on_close" showname=".... .... .... .... ...0 .... .... .... = Delete On Close: The file should not be deleted when it is closed" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
- <field name="smb.nt.create_options.open_by_fileid" showname=".... .... .... .... ..0. .... .... .... = Open By FileID: OpenByFileID is NOT set" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
- <field name="smb.nt.create_options.backup_intent" showname=".... .... .... .... .0.. .... .... .... = Backup Intent: This is a normal create" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
- <field name="smb.nt.create_options.no_compression" showname=".... .... .... .... 0... .... .... .... = No Compression: Compression is allowed for Open/Create" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
- <field name="smb.nt.create_options.reserve_opfilter" showname=".... .... ...0 .... .... .... .... .... = Reserve Opfilter: Reserve Opfilter is NOT set" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
- <field name="smb.nt.create_options.open_reparse_point" showname=".... .... ..0. .... .... .... .... .... = Open Reparse Point: Normal open" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
- <field name="smb.nt.create_options.open_no_recall" showname=".... .... .0.. .... .... .... .... .... = Open No Recall: Open no recall is NOT set" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
- <field name="smb.nt.create_options.open_for_free_space_query" showname=".... .... 0... .... .... .... .... .... = Open For Free Space query: This is NOT an open for free space query" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
- </field>
- <field name="smb.create.disposition" showname="Disposition: Open (if file exists open it, else fail) (1)" size="0" pos="252" show="1"/>
- </field>
- </proto>
- <proto name="dcerpc" showname="Distributed Computing Environment / Remote Procedure Call (DCE/RPC) Bind, Fragment: Single, FragLen: 72, Call: 1" size="72" pos="148">
- <field name="dcerpc.ver" showname="Version: 5" size="1" pos="148" show="5" value="05"/>
- <field name="dcerpc.ver_minor" showname="Version (minor): 0" size="1" pos="149" show="0" value="00"/>
- <field name="dcerpc.pkt_type" showname="Packet type: Bind (11)" size="1" pos="150" show="11" value="0b"/>
- <field name="dcerpc.cn_flags" showname="Packet Flags: 0x03" size="1" pos="151" show="0x00000003" value="03">
- <field name="dcerpc.cn_flags.object" showname="0... .... = Object: Not set" size="1" pos="151" show="0" value="0" unmaskedvalue="03"/>
- <field name="dcerpc.cn_flags.maybe" showname=".0.. .... = Maybe: Not set" size="1" pos="151" show="0" value="0" unmaskedvalue="03"/>
- <field name="dcerpc.cn_flags.dne" showname="..0. .... = Did Not Execute: Not set" size="1" pos="151" show="0" value="0" unmaskedvalue="03"/>
- <field name="dcerpc.cn_flags.mpx" showname="...0 .... = Multiplex: Not set" size="1" pos="151" show="0" value="0" unmaskedvalue="03"/>
- <field name="dcerpc.cn_flags.reserved" showname=".... 0... = Reserved: Not set" size="1" pos="151" show="0" value="0" unmaskedvalue="03"/>
- <field name="dcerpc.cn_flags.cancel_pending" showname=".... .0.. = Cancel Pending: Not set" size="1" pos="151" show="0" value="0" unmaskedvalue="03"/>
- <field name="dcerpc.cn_flags.last_frag" showname=".... ..1. = Last Frag: Set" size="1" pos="151" show="1" value="FFFFFFFF" unmaskedvalue="03"/>
- <field name="dcerpc.cn_flags.first_frag" showname=".... ...1 = First Frag: Set" size="1" pos="151" show="1" value="FFFFFFFF" unmaskedvalue="03"/>
- </field>
- <field name="dcerpc.drep" showname="Data Representation: 10000000" size="4" pos="152" show="10:00:00:00" value="10000000">
- <field name="dcerpc.drep.byteorder" showname="Byte order: Little-endian (1)" size="1" pos="152" show="1" value="10"/>
- <field name="dcerpc.drep.character" showname="Character: ASCII (0)" size="1" pos="152" show="0" value="10"/>
- <field name="dcerpc.drep.fp" showname="Floating-point: IEEE (0)" size="1" pos="153" show="0" value="00"/>
- </field>
- <field name="dcerpc.cn_frag_len" showname="Frag Length: 72" size="2" pos="156" show="72" value="4800"/>
- <field name="dcerpc.cn_auth_len" showname="Auth Length: 0" size="2" pos="158" show="0" value="0000"/>
- <field name="dcerpc.cn_call_id" showname="Call ID: 1" size="4" pos="160" show="1" value="01000000"/>
- <field name="dcerpc.cn_max_xmit" showname="Max Xmit Frag: 4280" size="2" pos="164" show="4280" value="b810"/>
- <field name="dcerpc.cn_max_recv" showname="Max Recv Frag: 4280" size="2" pos="166" show="4280" value="b810"/>
- <field name="dcerpc.cn_assoc_group" showname="Assoc Group: 0x00000000" size="4" pos="168" show="0x00000000" value="00000000"/>
- <field name="dcerpc.cn_num_ctx_items" showname="Num Ctx Items: 1" size="1" pos="172" show="1" value="01"/>
- <field name="dcerpc.cn_ctx_item" showname="Ctx Item[1]: Context ID:0, SRVSVC, 32bit NDR" size="44" pos="176" show="" value="">
- <field name="dcerpc.cn_ctx_id" showname="Context ID: 0" size="2" pos="176" show="0" value="0000"/>
- <field name="dcerpc.cn_num_trans_items" showname="Num Trans Items: 1" size="1" pos="178" show="1" value="01"/>
- <field name="dcerpc.cn_bind_abstract_syntax" showname="Abstract Syntax: SRVSVC V3.0" size="20" pos="180" show="" value="">
- <field name="dcerpc.cn_bind_to_uuid" showname="Interface: SRVSVC UUID: 4b324fc8-1670-01d3-1278-5a47bf6ee188" size="16" pos="180" show="4b324fc8-1670-01d3-1278-5a47bf6ee188" value="c84f324b7016d30112785a47bf6ee188"/>
- <field name="dcerpc.cn_bind_if_ver" showname="Interface Ver: 3" size="2" pos="196" show="3" value="0300"/>
- <field name="dcerpc.cn_bind_if_ver_minor" showname="Interface Ver Minor: 0" size="2" pos="198" show="0" value="0000"/>
- </field>
- <field name="dcerpc.cn_bind_trans" showname="Transfer Syntax[1]: 32bit NDR V2" size="20" pos="200" show="" value="">
- <field name="dcerpc.cn_bind_trans_id" showname="Transfer Syntax: 32bit NDR UUID:8a885d04-1ceb-11c9-9fe8-08002b104860" size="16" pos="200" show="8a885d04-1ceb-11c9-9fe8-08002b104860" value="045d888aeb1cc9119fe808002b104860"/>
- <field name="dcerpc.cn_bind_trans_ver" showname="ver: 2" size="4" pos="216" show="2" value="02000000"/>
- </field>
- </field>
- </proto>
-</packet>
-
-<packet>
- <proto name="geninfo" pos="0" showname="General information" size="244">
- <field name="num" pos="0" show="471" showname="Number" value="1d7" size="244"/>
- <field name="len" pos="0" show="244" showname="Frame Length" value="f4" size="244"/>
- <field name="caplen" pos="0" show="244" showname="Captured Length" value="f4" size="244"/>
- <field name="timestamp" pos="0" show="Feb 13, 2017 10:17:16.201029000 NZDT" showname="Captured Time" value="1486934236.201029000" size="244"/>
- </proto>
- <proto name="frame" showname="Frame 471: 244 bytes on wire (1952 bits), 244 bytes captured (1952 bits)" size="244" pos="0">
- <field name="frame.encap_type" showname="Encapsulation type: Raw IP (7)" size="0" pos="0" show="7"/>
- <field name="frame.time" showname="Arrival Time: Feb 13, 2017 10:17:16.201029000 NZDT" size="0" pos="0" show="Feb 13, 2017 10:17:16.201029000 NZDT"/>
- <field name="frame.offset_shift" showname="Time shift for this packet: 0.000000000 seconds" size="0" pos="0" show="0.000000000"/>
- <field name="frame.time_epoch" showname="Epoch Time: 1486934236.201029000 seconds" size="0" pos="0" show="1486934236.201029000"/>
- <field name="frame.time_delta" showname="Time delta from previous captured frame: 0.050577000 seconds" size="0" pos="0" show="0.050577000"/>
- <field name="frame.time_delta_displayed" showname="Time delta from previous displayed frame: 0.050577000 seconds" size="0" pos="0" show="0.050577000"/>
- <field name="frame.time_relative" showname="Time since reference or first frame: 465.578588000 seconds" size="0" pos="0" show="465.578588000"/>
- <field name="frame.number" showname="Frame Number: 471" size="0" pos="0" show="471"/>
- <field name="frame.len" showname="Frame Length: 244 bytes (1952 bits)" size="0" pos="0" show="244"/>
- <field name="frame.cap_len" showname="Capture Length: 244 bytes (1952 bits)" size="0" pos="0" show="244"/>
- <field name="frame.marked" showname="Frame is marked: False" size="0" pos="0" show="0"/>
- <field name="frame.ignored" showname="Frame is ignored: False" size="0" pos="0" show="0"/>
- <field name="frame.protocols" showname="Protocols in frame: raw:ipv6:tcp:nbss:smb:dcerpc" size="0" pos="0" show="raw:ipv6:tcp:nbss:smb:dcerpc"/>
- </proto>
- <proto name="raw" showname="Raw packet data" size="244" pos="0"/>
- <proto name="ipv6" showname="Internet Protocol Version 6, Src: fd00::5357:5f0b, Dst: fd00::5357:5f03" size="40" pos="0">
- <field name="ipv6.version" showname="0110 .... = Version: 6" size="1" pos="0" show="6" value="6" unmaskedvalue="60"/>
- <field name="ip.version" showname="0110 .... = Version: 6 [This field makes the filter match on &quot;ip.version == 6&quot; possible]" hide="yes" size="1" pos="0" show="6" value="6" unmaskedvalue="60"/>
- <field name="ipv6.tclass" showname=".... 0000 0000 .... .... .... .... .... = Traffic class: 0x00 (DSCP: CS0, ECN: Not-ECT)" size="4" pos="0" show="0x00000000" value="0" unmaskedvalue="60000000">
- <field name="ipv6.tclass.dscp" showname=".... 0000 00.. .... .... .... .... .... = Differentiated Services Codepoint: Default (0)" size="4" pos="0" show="0" value="0" unmaskedvalue="60000000"/>
- <field name="ipv6.tclass.ecn" showname=".... .... ..00 .... .... .... .... .... = Explicit Congestion Notification: Not ECN-Capable Transport (0)" size="4" pos="0" show="0" value="0" unmaskedvalue="60000000"/>
- </field>
- <field name="ipv6.flow" showname=".... .... .... 0000 0000 0000 0000 0000 = Flowlabel: 0x00000000" size="4" pos="0" show="0x00000000" value="0" unmaskedvalue="60000000"/>
- <field name="ipv6.plen" showname="Payload length: 244" size="2" pos="4" show="244" value="00f4">
- <field name="_ws.expert" showname="Expert Info (Warn/Protocol): IPv6 payload length exceeds framing length (204 bytes)" size="0" pos="4">
- <field name="ipv6.bogus_payload_length" showname="IPv6 payload length exceeds framing length (204 bytes)" size="0" pos="0" show="" value=""/>
- <field name="_ws.expert.message" showname="Message: IPv6 payload length exceeds framing length (204 bytes)" hide="yes" size="0" pos="0" show="IPv6 payload length exceeds framing length (204 bytes)"/>
- <field name="_ws.expert.severity" showname="Severity level: Warn" size="0" pos="0" show="0x00600000"/>
- <field name="_ws.expert.group" showname="Group: Protocol" size="0" pos="0" show="0x09000000"/>
- </field>
- </field>
- <field name="ipv6.nxt" showname="Next header: TCP (6)" size="1" pos="6" show="6" value="06"/>
- <field name="ipv6.hlim" showname="Hop limit: 0" size="1" pos="7" show="0" value="00"/>
- <field name="ipv6.src" showname="Source: fd00::5357:5f0b" size="16" pos="8" show="fd00::5357:5f0b" value="fd000000000000000000000053575f0b"/>
- <field name="ipv6.addr" showname="Source or Destination Address: fd00::5357:5f0b" hide="yes" size="16" pos="8" show="fd00::5357:5f0b" value="fd000000000000000000000053575f0b"/>
- <field name="ipv6.src_host" showname="Source Host: fd00::5357:5f0b" hide="yes" size="16" pos="8" show="fd00::5357:5f0b" value="fd000000000000000000000053575f0b"/>
- <field name="ipv6.host" showname="Source or Destination Host: fd00::5357:5f0b" hide="yes" size="16" pos="8" show="fd00::5357:5f0b" value="fd000000000000000000000053575f0b"/>
- <field name="ipv6.dst" showname="Destination: fd00::5357:5f03" size="16" pos="24" show="fd00::5357:5f03" value="fd000000000000000000000053575f03"/>
- <field name="ipv6.addr" showname="Source or Destination Address: fd00::5357:5f03" hide="yes" size="16" pos="24" show="fd00::5357:5f03" value="fd000000000000000000000053575f03"/>
- <field name="ipv6.dst_host" showname="Destination Host: fd00::5357:5f03" hide="yes" size="16" pos="24" show="fd00::5357:5f03" value="fd000000000000000000000053575f03"/>
- <field name="ipv6.host" showname="Source or Destination Host: fd00::5357:5f03" hide="yes" size="16" pos="24" show="fd00::5357:5f03" value="fd000000000000000000000053575f03"/>
- <field name="" show="Source GeoIP: Unknown" size="16" pos="8" value="fd000000000000000000000053575f0b"/>
- <field name="" show="Destination GeoIP: Unknown" size="16" pos="24" value="fd000000000000000000000053575f03"/>
- </proto>
- <proto name="tcp" showname="Transmission Control Protocol, Src Port: 31861 (31861), Dst Port: 139 (139), Seq: 1007, Ack: 1057, Len: 184" size="20" pos="40">
- <field name="tcp.srcport" showname="Source Port: 31861" size="2" pos="40" show="31861" value="7c75"/>
- <field name="tcp.dstport" showname="Destination Port: 139" size="2" pos="42" show="139" value="008b"/>
- <field name="tcp.port" showname="Source or Destination Port: 31861" hide="yes" size="2" pos="40" show="31861" value="7c75"/>
- <field name="tcp.port" showname="Source or Destination Port: 139" hide="yes" size="2" pos="42" show="139" value="008b"/>
- <field name="tcp.stream" showname="Stream index: 6" size="0" pos="40" show="6"/>
- <field name="tcp.len" showname="TCP Segment Len: 184" size="1" pos="52" show="184" value="50"/>
- <field name="tcp.seq" showname="Sequence number: 1007 (relative sequence number)" size="4" pos="44" show="1007" value="000003ef"/>
- <field name="tcp.nxtseq" showname="Next sequence number: 1191 (relative sequence number)" size="0" pos="40" show="1191"/>
- <field name="tcp.ack" showname="Acknowledgment number: 1057 (relative ack number)" size="4" pos="48" show="1057" value="00000421"/>
- <field name="tcp.hdr_len" showname="Header Length: 20 bytes" size="1" pos="52" show="20" value="50"/>
- <field name="tcp.flags" showname="Flags: 0x018 (PSH, ACK)" size="2" pos="52" show="0x00000018" value="18" unmaskedvalue="5018">
- <field name="tcp.flags.res" showname="000. .... .... = Reserved: Not set" size="1" pos="52" show="0" value="0" unmaskedvalue="50"/>
- <field name="tcp.flags.ns" showname="...0 .... .... = Nonce: Not set" size="1" pos="52" show="0" value="0" unmaskedvalue="50"/>
- <field name="tcp.flags.cwr" showname=".... 0... .... = Congestion Window Reduced (CWR): Not set" size="1" pos="53" show="0" value="0" unmaskedvalue="18"/>
- <field name="tcp.flags.ecn" showname=".... .0.. .... = ECN-Echo: Not set" size="1" pos="53" show="0" value="0" unmaskedvalue="18"/>
- <field name="tcp.flags.urg" showname=".... ..0. .... = Urgent: Not set" size="1" pos="53" show="0" value="0" unmaskedvalue="18"/>
- <field name="tcp.flags.ack" showname=".... ...1 .... = Acknowledgment: Set" size="1" pos="53" show="1" value="FFFFFFFF" unmaskedvalue="18"/>
- <field name="tcp.flags.push" showname=".... .... 1... = Push: Set" size="1" pos="53" show="1" value="FFFFFFFF" unmaskedvalue="18"/>
- <field name="tcp.flags.reset" showname=".... .... .0.. = Reset: Not set" size="1" pos="53" show="0" value="0" unmaskedvalue="18"/>
- <field name="tcp.flags.syn" showname=".... .... ..0. = Syn: Not set" size="1" pos="53" show="0" value="0" unmaskedvalue="18"/>
- <field name="tcp.flags.fin" showname=".... .... ...0 = Fin: Not set" size="1" pos="53" show="0" value="0" unmaskedvalue="18"/>
- <field name="tcp.flags.str" showname="TCP Flags: *******AP***" size="2" pos="52" show="*******AP***" value="5018"/>
- </field>
- <field name="tcp.window_size_value" showname="Window size value: 32767" size="2" pos="54" show="32767" value="7fff"/>
- <field name="tcp.window_size" showname="Calculated window size: 32767" size="2" pos="54" show="32767" value="7fff"/>
- <field name="tcp.window_size_scalefactor" showname="Window size scaling factor: -2 (no window scaling used)" size="2" pos="54" show="-2" value="7fff"/>
- <field name="tcp.checksum" showname="Checksum: 0x0000 [validation disabled]" size="2" pos="56" show="0x00000000" value="0000">
- <field name="tcp.checksum_good" showname="Good Checksum: False" size="2" pos="56" show="0" value="0000"/>
- <field name="tcp.checksum_bad" showname="Bad Checksum: False" size="2" pos="56" show="0" value="0000"/>
- </field>
- <field name="tcp.urgent_pointer" showname="Urgent pointer: 0" size="2" pos="58" show="0" value="0000"/>
- <field name="tcp.analysis" showname="SEQ/ACK analysis" size="0" pos="40" show="" value="">
- <field name="tcp.analysis.acks_frame" showname="This is an ACK to the segment in frame: 468" size="0" pos="40" show="468"/>
- <field name="tcp.analysis.ack_rtt" showname="The RTT to ACK the segment was: 0.050606000 seconds" size="0" pos="40" show="0.050606000"/>
- <field name="tcp.analysis.initial_rtt" showname="iRTT: 0.000024000 seconds" size="0" pos="40" show="0.000024000"/>
- <field name="tcp.analysis.bytes_in_flight" showname="Bytes in flight: 184" size="0" pos="40" show="184"/>
- </field>
- </proto>
- <proto name="nbss" showname="NetBIOS Session Service" size="184" pos="60">
- <field name="nbss.type" showname="Message Type: Session message (0x00)" size="1" pos="60" show="0x00000000" value="00"/>
- <field name="nbss.length" showname="Length: 180" size="3" pos="61" show="180" value="0000b4"/>
- </proto>
- <proto name="smb" showname="SMB (Server Message Block Protocol)" size="180" pos="64">
- <field name="" show="SMB Header" size="32" pos="64" value="ff534d4225000000001843c8000000000000000000000000ac6a6455deec0600">
- <field name="smb.server_component" showname="Server Component: SMB" size="4" pos="64" show="0x424d53ff" value="ff534d42"/>
- <field name="smb.cmd" showname="SMB Command: Trans (0x25)" size="1" pos="68" show="37" value="25"/>
- <field name="smb.nt_status" showname="NT Status: STATUS_SUCCESS (0x00000000)" size="4" pos="69" show="0" value="00000000"/>
- <field name="smb.flags" showname="Flags: 0x18, Canonicalized Pathnames, Case Sensitivity" size="1" pos="73" show="0x00000018" value="18">
- <field name="smb.flags.response" showname="0... .... = Request/Response: Message is a request to the server" size="1" pos="73" show="0" value="0" unmaskedvalue="18"/>
- <field name="smb.flags.notify" showname=".0.. .... = Notify: Notify client only on open" size="1" pos="73" show="0" value="0" unmaskedvalue="18"/>
- <field name="smb.flags.oplock" showname="..0. .... = Oplocks: OpLock not requested/granted" size="1" pos="73" show="0" value="0" unmaskedvalue="18"/>
- <field name="smb.flags.canon" showname="...1 .... = Canonicalized Pathnames: Pathnames are canonicalized" size="1" pos="73" show="1" value="FFFFFFFF" unmaskedvalue="18"/>
- <field name="smb.flags.caseless" showname=".... 1... = Case Sensitivity: Path names are caseless" size="1" pos="73" show="1" value="FFFFFFFF" unmaskedvalue="18"/>
- <field name="smb.flags.receive_buffer" showname=".... ..0. = Receive Buffer Posted: Receive buffer has not been posted" size="1" pos="73" show="0" value="0" unmaskedvalue="18"/>
- <field name="smb.flags.lock" showname=".... ...0 = Lock and Read: Lock&amp;Read, Write&amp;Unlock are not supported" size="1" pos="73" show="0" value="0" unmaskedvalue="18"/>
- </field>
- <field name="smb.flags2" showname="Flags2: 0xc843, Unicode Strings, Error Code Type, Extended Security Negotiation, Long Names Used, Extended Attributes, Long Names Allowed" size="2" pos="74" show="0x0000c843" value="43c8">
- <field name="smb.flags2.string" showname="1... .... .... .... = Unicode Strings: Strings are Unicode" size="2" pos="74" show="1" value="FFFFFFFF" unmaskedvalue="43c8"/>
- <field name="smb.flags2.nt_error" showname=".1.. .... .... .... = Error Code Type: Error codes are NT error codes" size="2" pos="74" show="1" value="FFFFFFFF" unmaskedvalue="43c8"/>
- <field name="smb.flags2.roe" showname="..0. .... .... .... = Execute-only Reads: Don&#x27;t permit reads if execute-only" size="2" pos="74" show="0" value="0" unmaskedvalue="43c8"/>
- <field name="smb.flags2.dfs" showname="...0 .... .... .... = Dfs: Don&#x27;t resolve pathnames with Dfs" size="2" pos="74" show="0" value="0" unmaskedvalue="43c8"/>
- <field name="smb.flags2.esn" showname=".... 1... .... .... = Extended Security Negotiation: Extended security negotiation is supported" size="2" pos="74" show="1" value="FFFFFFFF" unmaskedvalue="43c8"/>
- <field name="smb.flags2.reparse_path" showname=".... .0.. .... .... = Reparse Path: The request does not use a @GMT reparse path" size="2" pos="74" show="0" value="0" unmaskedvalue="43c8"/>
- <field name="smb.flags2.long_names_used" showname=".... .... .1.. .... = Long Names Used: Path names in request are long file names" size="2" pos="74" show="1" value="FFFFFFFF" unmaskedvalue="43c8"/>
- <field name="smb.flags2.sec_sig_required" showname=".... .... ...0 .... = Security Signatures Required: Security signatures are not required" size="2" pos="74" show="0" value="0" unmaskedvalue="43c8"/>
- <field name="smb.flags2.compressed" showname=".... .... .... 0... = Compressed: Compression is not requested" size="2" pos="74" show="0" value="0" unmaskedvalue="43c8"/>
- <field name="smb.flags2.sec_sig" showname=".... .... .... .0.. = Security Signatures: Security signatures are not supported" size="2" pos="74" show="0" value="0" unmaskedvalue="43c8"/>
- <field name="smb.flags2.ea" showname=".... .... .... ..1. = Extended Attributes: Extended attributes are supported" size="2" pos="74" show="1" value="FFFFFFFF" unmaskedvalue="43c8"/>
- <field name="smb.flags2.long_names_allowed" showname=".... .... .... ...1 = Long Names Allowed: Long file names are allowed in the response" size="2" pos="74" show="1" value="FFFFFFFF" unmaskedvalue="43c8"/>
- </field>
- <field name="smb.pid.high" showname="Process ID High: 0" size="2" pos="76" show="0" value="0000"/>
- <field name="smb.signature" showname="Signature: 0000000000000000" size="8" pos="78" show="00:00:00:00:00:00:00:00" value="0000000000000000"/>
- <field name="smb.reserved" showname="Reserved: 0000" size="2" pos="86" show="00:00" value="0000"/>
- <field name="smb.tid" showname="Tree ID: 27308 (\\LOCALNT4DC2\IPC$)" size="2" pos="88" show="27308" value="ac6a">
- <field name="smb.path" showname="Path: \\LOCALNT4DC2\IPC$" size="0" pos="152" show="\\LOCALNT4DC2\IPC$"/>
- <field name="smb.fid.mapped_in" showname="Mapped in: 456" size="0" pos="152" show="456"/>
- </field>
- <field name="smb.pid" showname="Process ID: 21860" size="2" pos="90" show="21860" value="6455"/>
- <field name="smb.uid" showname="User ID: 60638" size="2" pos="92" show="60638" value="deec"/>
- <field name="smb.mid" showname="Multiplex ID: 6" size="2" pos="94" show="6" value="0600"/>
- </field>
- <field name="" show="Trans Request (0x25)" size="148" pos="96" value="10000060000000b81000000000000000000000000054006000540002002600792b7100005c0050004900500045005c0000000000050000031000000060000000020000004800000000000f00000002000c000000000000000c0000004c004f00430041004c004e005400340044004300320000000100000001000000040002000000000000000000ffffffff0800020000000000">
- <field name="smb.wct" showname="Word Count (WCT): 16" size="1" pos="96" show="16" value="10"/>
- <field name="smb.tpc" showname="Total Parameter Count: 0" size="2" pos="97" show="0" value="0000"/>
- <field name="smb.tdc" showname="Total Data Count: 96" size="2" pos="99" show="96" value="6000"/>
- <field name="smb.mpc" showname="Max Parameter Count: 0" size="2" pos="101" show="0" value="0000"/>
- <field name="smb.mdc" showname="Max Data Count: 4280" size="2" pos="103" show="4280" value="b810"/>
- <field name="smb.msc" showname="Max Setup Count: 0" size="1" pos="105" show="0" value="00"/>
- <field name="smb.reserved" showname="Reserved: 00" size="1" pos="106" show="00" value="00"/>
- <field name="smb.transaction.flags" showname="Flags: 0x0000" size="2" pos="107" show="0x00000000" value="0000">
- <field name="smb.transaction.flags.owt" showname=".... .... .... ..0. = One Way Transaction: Two way transaction" size="2" pos="107" show="0" value="0" unmaskedvalue="0000"/>
- <field name="smb.transaction.flags.dtid" showname=".... .... .... ...0 = Disconnect TID: Do NOT disconnect TID" size="2" pos="107" show="0" value="0" unmaskedvalue="0000"/>
- </field>
- <field name="smb.timeout" showname="Timeout: Return immediately (0)" size="4" pos="109" show="0" value="00000000"/>
- <field name="smb.reserved" showname="Reserved: 0000" size="2" pos="113" show="00:00" value="0000"/>
- <field name="smb.pc" showname="Parameter Count: 0" size="2" pos="115" show="0" value="0000"/>
- <field name="smb.po" showname="Parameter Offset: 84" size="2" pos="117" show="84" value="5400"/>
- <field name="smb.dc" showname="Data Count: 96" size="2" pos="119" show="96" value="6000"/>
- <field name="smb.data_offset" showname="Data Offset: 84" size="2" pos="121" show="84" value="5400"/>
- <field name="smb.sc" showname="Setup Count: 2" size="1" pos="123" show="2" value="02"/>
- <field name="smb.reserved" showname="Reserved: 00" size="1" pos="124" show="00" value="00"/>
- <field name="smb.bcc" showname="Byte Count (BCC): 113" size="2" pos="129" show="113" value="7100"/>
- <field name="smb.trans_name" showname="Transaction Name: \PIPE\" size="14" pos="132" show="\PIPE\" value="5c0050004900500045005c000000"/>
- <field name="smb.padding" showname="Padding: 0000" size="2" pos="146" show="00:00" value="0000"/>
- </field>
- </proto>
- <proto name="smb_pipe" showname="SMB Pipe Protocol" size="21" pos="125">
- <field name="smb_pipe.function" showname="Function: TransactNmPipe (0x0026)" size="2" pos="125" show="0x00000026" value="2600"/>
- <field name="smb.fid" showname="FID: 0x2b79 (\srvsvc)" size="2" pos="127" show="0x00002b79" value="792b">
- <field name="smb.fid.opened_in" showname="Opened in: 462" size="0" pos="252" show="462"/>
- <field name="smb.file" showname="File Name: \srvsvc" size="0" pos="252" show="\srvsvc"/>
- <field name="smb.create_flags" showname="Create Flags: 0x00000000" size="4" pos="252" show="0x00000000" value="2600792b">
- <field name="smb.nt.create.oplock" showname=".... .... .... .... .... .... .... ..0. = Exclusive Oplock: Does NOT request oplock" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
- <field name="smb.nt.create.batch_oplock" showname=".... .... .... .... .... .... .... .0.. = Batch Oplock: Does NOT request batch oplock" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
- <field name="smb.nt.create.dir" showname=".... .... .... .... .... .... .... 0... = Create Directory: Target of open can be a file" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
- <field name="smb.nt.create.ext" showname=".... .... .... .... .... .... ...0 .... = Extended Response: Extended responses NOT required" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
- </field>
- <field name="smb.access_mask" showname="Access Mask: 0x0002019f" size="4" pos="252" show="0x0002019f" value="2600792b">
- <field name="smb.access.read" showname=".... .... .... .... .... .... .... ...1 = Read: READ access" size="4" pos="125" show="1" value="FFFFFFFF" unmaskedvalue="2600792b"/>
- <field name="smb.access.write" showname=".... .... .... .... .... .... .... ..1. = Write: WRITE access" size="4" pos="125" show="1" value="FFFFFFFF" unmaskedvalue="2600792b"/>
- <field name="smb.access.append" showname=".... .... .... .... .... .... .... .1.. = Append: APPEND access" size="4" pos="125" show="1" value="FFFFFFFF" unmaskedvalue="2600792b"/>
- <field name="smb.access.read_ea" showname=".... .... .... .... .... .... .... 1... = Read EA: READ EXTENDED ATTRIBUTES access" size="4" pos="125" show="1" value="FFFFFFFF" unmaskedvalue="2600792b"/>
- <field name="smb.access.write_ea" showname=".... .... .... .... .... .... ...1 .... = Write EA: WRITE EXTENDED ATTRIBUTES access" size="4" pos="125" show="1" value="FFFFFFFF" unmaskedvalue="2600792b"/>
- <field name="smb.access.execute" showname=".... .... .... .... .... .... ..0. .... = Execute: NO execute access" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
- <field name="smb.access.delete_child" showname=".... .... .... .... .... .... .0.. .... = Delete Child: NO delete child access" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
- <field name="smb.access.read_attributes" showname=".... .... .... .... .... .... 1... .... = Read Attributes: READ ATTRIBUTES access" size="4" pos="125" show="1" value="FFFFFFFF" unmaskedvalue="2600792b"/>
- <field name="smb.access.write_attributes" showname=".... .... .... .... .... ...1 .... .... = Write Attributes: WRITE ATTRIBUTES access" size="4" pos="125" show="1" value="FFFFFFFF" unmaskedvalue="2600792b"/>
- <field name="smb.access.delete" showname=".... .... .... ...0 .... .... .... .... = Delete: NO delete access" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
- <field name="smb.access.read_control" showname=".... .... .... ..1. .... .... .... .... = Read Control: READ ACCESS to owner, group and ACL of the SID" size="4" pos="125" show="1" value="FFFFFFFF" unmaskedvalue="2600792b"/>
- <field name="smb.access.write_dac" showname=".... .... .... .0.. .... .... .... .... = Write DAC: Owner may NOT write to the DAC" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
- <field name="smb.access.write_owner" showname=".... .... .... 0... .... .... .... .... = Write Owner: Can NOT write owner (take ownership)" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
- <field name="smb.access.synchronize" showname=".... .... ...0 .... .... .... .... .... = Synchronize: Can NOT wait on handle to synchronize on completion of I/O" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
- <field name="smb.access.system_security" showname=".... ...0 .... .... .... .... .... .... = System Security: System security is NOT set" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
- <field name="smb.access.maximum_allowed" showname=".... ..0. .... .... .... .... .... .... = Maximum Allowed: Maximum allowed is NOT set" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
- <field name="smb.access.generic_all" showname="...0 .... .... .... .... .... .... .... = Generic All: Generic all is NOT set" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
- <field name="smb.access.generic_execute" showname="..0. .... .... .... .... .... .... .... = Generic Execute: Generic execute is NOT set" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
- <field name="smb.access.generic_write" showname=".0.. .... .... .... .... .... .... .... = Generic Write: Generic write is NOT set" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
- <field name="smb.access.generic_read" showname="0... .... .... .... .... .... .... .... = Generic Read: Generic read is NOT set" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
- </field>
- <field name="smb.file_attribute" showname="File Attributes: 0x00000000" size="4" pos="252" show="0x00000000" value="2600792b">
- <field name="smb.file_attribute.read_only" showname=".... .... .... .... .... .... .... ...0 = Read Only: NOT read only" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
- <field name="smb.file_attribute.hidden" showname=".... .... .... .... .... .... .... ..0. = Hidden: NOT hidden" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
- <field name="smb.file_attribute.system" showname=".... .... .... .... .... .... .... .0.. = System: NOT a system file/dir" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
- <field name="smb.file_attribute.volume" showname=".... .... .... .... .... .... .... 0... = Volume ID: NOT a volume ID" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
- <field name="smb.file_attribute.directory" showname=".... .... .... .... .... .... ...0 .... = Directory: NOT a directory" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
- <field name="smb.file_attribute.archive" showname=".... .... .... .... .... .... ..0. .... = Archive: Has NOT been modified since last archive" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
- <field name="smb.file_attribute.device" showname=".... .... .... .... .... .... .0.. .... = Device: NOT a device" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
- <field name="smb.file_attribute.normal" showname=".... .... .... .... .... .... 0... .... = Normal: Has some attribute set" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
- <field name="smb.file_attribute.temporary" showname=".... .... .... .... .... ...0 .... .... = Temporary: NOT a temporary file" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
- <field name="smb.file_attribute.sparse" showname=".... .... .... .... .... ..0. .... .... = Sparse: NOT a sparse file" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
- <field name="smb.file_attribute.reparse" showname=".... .... .... .... .... .0.. .... .... = Reparse Point: Does NOT have an associated reparse point" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
- <field name="smb.file_attribute.compressed" showname=".... .... .... .... .... 0... .... .... = Compressed: Uncompressed" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
- <field name="smb.file_attribute.offline" showname=".... .... .... .... ...0 .... .... .... = Offline: Online" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
- <field name="smb.file_attribute.not_content_indexed" showname=".... .... .... .... ..0. .... .... .... = Content Indexed: NOT content indexed" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
- <field name="smb.file_attribute.encrypted" showname=".... .... .... .... .0.. .... .... .... = Encrypted: This is NOT an encrypted file" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
- </field>
- <field name="smb.share_access" showname="Share Access: 0x00000003, Read, Write" size="4" pos="252" show="0x00000003" value="2600792b">
- <field name="smb.share.access.read" showname=".... .... .... .... .... .... .... ...1 = Read: Object can be shared for READ" size="4" pos="125" show="1" value="FFFFFFFF" unmaskedvalue="2600792b"/>
- <field name="smb.share.access.write" showname=".... .... .... .... .... .... .... ..1. = Write: Object can be shared for WRITE" size="4" pos="125" show="1" value="FFFFFFFF" unmaskedvalue="2600792b"/>
- <field name="smb.share.access.delete" showname=".... .... .... .... .... .... .... .0.. = Delete: Object can NOT be shared for delete" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
- </field>
- <field name="smb.create_options" showname="Create Options: 0x00000000" size="4" pos="252" show="0x00000000" value="2600792b">
- <field name="smb.nt.create_options.directory" showname=".... .... .... .... .... .... .... ...0 = Directory: File being created/opened must not be a directory" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
- <field name="smb.nt.create_options.write_through" showname=".... .... .... .... .... .... .... ..0. = Write Through: Writes need not flush buffered data before completing" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
- <field name="smb.nt.create_options.sequential_only" showname=".... .... .... .... .... .... .... .0.. = Sequential Only: The file might not only be accessed sequentially" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
- <field name="smb.nt.create_options.intermediate_buffering" showname=".... .... .... .... .... .... .... 0... = Intermediate Buffering: Intermediate buffering is allowed" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
- <field name="smb.nt.create_options.sync_io_alert" showname=".... .... .... .... .... .... ...0 .... = Sync I/O Alert: Operations NOT necessarily synchronous" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
- <field name="smb.nt.create_options.sync_io_nonalert" showname=".... .... .... .... .... .... ..0. .... = Sync I/O Nonalert: Operations NOT necessarily synchronous" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
- <field name="smb.nt.create_options.non_directory" showname=".... .... .... .... .... .... .0.. .... = Non-Directory: File being created/opened must be a directory" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
- <field name="smb.nt.create_options.create_tree_connection" showname=".... .... .... .... .... .... 0... .... = Create Tree Connection: Create Tree Connections is NOT set" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
- <field name="smb.nt.create_options.complete_if_oplocked" showname=".... .... .... .... .... ...0 .... .... = Complete If Oplocked: Complete if oplocked is NOT set" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
- <field name="smb.nt.create_options.no_ea_knowledge" showname=".... .... .... .... .... ..0. .... .... = No EA Knowledge: The client understands extended attributes" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
- <field name="smb.nt.create_options.eight_dot_three_only" showname=".... .... .... .... .... .0.. .... .... = 8.3 Only: The client understands long file names" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
- <field name="smb.nt.create_options.random_access" showname=".... .... .... .... .... 0... .... .... = Random Access: The file will not be accessed randomly" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
- <field name="smb.nt.create_options.delete_on_close" showname=".... .... .... .... ...0 .... .... .... = Delete On Close: The file should not be deleted when it is closed" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
- <field name="smb.nt.create_options.open_by_fileid" showname=".... .... .... .... ..0. .... .... .... = Open By FileID: OpenByFileID is NOT set" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
- <field name="smb.nt.create_options.backup_intent" showname=".... .... .... .... .0.. .... .... .... = Backup Intent: This is a normal create" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
- <field name="smb.nt.create_options.no_compression" showname=".... .... .... .... 0... .... .... .... = No Compression: Compression is allowed for Open/Create" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
- <field name="smb.nt.create_options.reserve_opfilter" showname=".... .... ...0 .... .... .... .... .... = Reserve Opfilter: Reserve Opfilter is NOT set" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
- <field name="smb.nt.create_options.open_reparse_point" showname=".... .... ..0. .... .... .... .... .... = Open Reparse Point: Normal open" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
- <field name="smb.nt.create_options.open_no_recall" showname=".... .... .0.. .... .... .... .... .... = Open No Recall: Open no recall is NOT set" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
- <field name="smb.nt.create_options.open_for_free_space_query" showname=".... .... 0... .... .... .... .... .... = Open For Free Space query: This is NOT an open for free space query" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
- </field>
- <field name="smb.create.disposition" showname="Disposition: Open (if file exists open it, else fail) (1)" size="0" pos="252" show="1"/>
- </field>
- </proto>
- <proto name="dcerpc" showname="Distributed Computing Environment / Remote Procedure Call (DCE/RPC) Request, Fragment: Single, FragLen: 96, Call: 2, Ctx: 0" size="96" pos="148">
- <field name="dcerpc.ver" showname="Version: 5" size="1" pos="148" show="5" value="05"/>
- <field name="dcerpc.ver_minor" showname="Version (minor): 0" size="1" pos="149" show="0" value="00"/>
- <field name="dcerpc.pkt_type" showname="Packet type: Request (0)" size="1" pos="150" show="0" value="00"/>
- <field name="dcerpc.cn_flags" showname="Packet Flags: 0x03" size="1" pos="151" show="0x00000003" value="03">
- <field name="dcerpc.cn_flags.object" showname="0... .... = Object: Not set" size="1" pos="151" show="0" value="0" unmaskedvalue="03"/>
- <field name="dcerpc.cn_flags.maybe" showname=".0.. .... = Maybe: Not set" size="1" pos="151" show="0" value="0" unmaskedvalue="03"/>
- <field name="dcerpc.cn_flags.dne" showname="..0. .... = Did Not Execute: Not set" size="1" pos="151" show="0" value="0" unmaskedvalue="03"/>
- <field name="dcerpc.cn_flags.mpx" showname="...0 .... = Multiplex: Not set" size="1" pos="151" show="0" value="0" unmaskedvalue="03"/>
- <field name="dcerpc.cn_flags.reserved" showname=".... 0... = Reserved: Not set" size="1" pos="151" show="0" value="0" unmaskedvalue="03"/>
- <field name="dcerpc.cn_flags.cancel_pending" showname=".... .0.. = Cancel Pending: Not set" size="1" pos="151" show="0" value="0" unmaskedvalue="03"/>
- <field name="dcerpc.cn_flags.last_frag" showname=".... ..1. = Last Frag: Set" size="1" pos="151" show="1" value="FFFFFFFF" unmaskedvalue="03"/>
- <field name="dcerpc.cn_flags.first_frag" showname=".... ...1 = First Frag: Set" size="1" pos="151" show="1" value="FFFFFFFF" unmaskedvalue="03"/>
- </field>
- <field name="dcerpc.drep" showname="Data Representation: 10000000" size="4" pos="152" show="10:00:00:00" value="10000000">
- <field name="dcerpc.drep.byteorder" showname="Byte order: Little-endian (1)" size="1" pos="152" show="1" value="10"/>
- <field name="dcerpc.drep.character" showname="Character: ASCII (0)" size="1" pos="152" show="0" value="10"/>
- <field name="dcerpc.drep.fp" showname="Floating-point: IEEE (0)" size="1" pos="153" show="0" value="00"/>
- </field>
- <field name="dcerpc.cn_frag_len" showname="Frag Length: 96" size="2" pos="156" show="96" value="6000"/>
- <field name="dcerpc.cn_auth_len" showname="Auth Length: 0" size="2" pos="158" show="0" value="0000"/>
- <field name="dcerpc.cn_call_id" showname="Call ID: 2" size="4" pos="160" show="2" value="02000000"/>
- <field name="dcerpc.cn_alloc_hint" showname="Alloc hint: 72" size="4" pos="164" show="72" value="48000000"/>
- <field name="dcerpc.cn_ctx_id" showname="Context ID: 0" size="2" pos="168" show="0" value="0000"/>
- <field name="dcerpc.opnum" showname="Opnum: 15" size="2" pos="170" show="15" value="0f00"/>
- </proto>
- <proto name="srvsvc" showname="Server Service, NetShareEnumAll" size="72" pos="172">
- <field name="srvsvc.opnum" showname="Operation: NetShareEnumAll (15)" size="0" pos="172" show="15"/>
- <field name="" show="Pointer to Server Unc (uint16)" size="40" pos="172" value="000002000c000000000000000c0000004c004f00430041004c004e00540034004400430032000000">
- <field name="dcerpc.referent_id" showname="Referent ID: 0x00020000" size="4" pos="172" show="0x00020000" value="00000200"/>
- <field name="dcerpc.array.max_count" showname="Max Count: 12" size="4" pos="176" show="12" value="0c000000"/>
- <field name="dcerpc.array.offset" showname="Offset: 0" size="4" pos="180" show="0" value="00000000"/>
- <field name="dcerpc.array.actual_count" showname="Actual Count: 12" size="4" pos="184" show="12" value="0c000000"/>
- <field name="srvsvc.srvsvc_NetShareEnumAll.server_unc" showname="Server Unc: LOCALNT4DC2" size="24" pos="188" show="LOCALNT4DC2" value="4c004f00430041004c004e00540034004400430032000000"/>
- </field>
- <field name="" show="Pointer to Level (uint32)" size="4" pos="212" value="01000000">
- <field name="srvsvc.srvsvc_NetShareEnumAll.level" showname="Level: 1" size="4" pos="212" show="1" value="01000000"/>
- </field>
- <field name="" show="Pointer to Ctr (srvsvc_NetShareCtr)" size="16" pos="216" value="01000000040002000000000000000000">
- <field name="" show="srvsvc_NetShareCtr" size="8" pos="216" value="0100000004000200">
- <field name="srvsvc.srvsvc_NetShareEnumAll.ctr" showname="Ctr" size="4" pos="216" show="" value=""/>
- <field name="" show="Pointer to Ctr1 (srvsvc_NetShareCtr1)" size="8" pos="220" value="0400020000000000">
- <field name="dcerpc.referent_id" showname="Referent ID: 0x00020004" size="4" pos="220" show="0x00020004" value="04000200"/>
- <field name="srvsvc.srvsvc_NetShareCtr.ctr1" showname="Ctr1" size="8" pos="224" show="" value="">
- <field name="srvsvc.srvsvc_NetShareCtr1.count" showname="Count: 0" size="4" pos="224" show="0" value="00000000"/>
- <field name="dcerpc.null_pointer" showname="NULL Pointer: Pointer to Array (srvsvc_NetShareInfo1)" size="4" pos="228" show="00:00:00:00" value="00000000"/>
- </field>
- </field>
- </field>
- </field>
- <field name="srvsvc.srvsvc_NetShareEnumAll.max_buffer" showname="Max Buffer: 4294967295" size="4" pos="232" show="4294967295" value="ffffffff"/>
- <field name="" show="Pointer to Resume Handle (uint32)" size="8" pos="236" value="0800020000000000">
- <field name="dcerpc.referent_id" showname="Referent ID: 0x00020008" size="4" pos="236" show="0x00020008" value="08000200"/>
- <field name="srvsvc.srvsvc_NetShareEnumAll.resume_handle" showname="Resume Handle: 0" size="4" pos="240" show="0" value="00000000"/>
- </field>
- </proto>
-</packet>
-
-<packet>
- <proto name="geninfo" pos="0" showname="General information" size="222">
- <field name="num" pos="0" show="523" showname="Number" value="20b" size="222"/>
- <field name="len" pos="0" show="222" showname="Frame Length" value="de" size="222"/>
- <field name="caplen" pos="0" show="222" showname="Captured Length" value="de" size="222"/>
- <field name="timestamp" pos="0" show="Feb 13, 2017 10:17:17.552194000 NZDT" showname="Captured Time" value="1486934237.552194000" size="222"/>
- </proto>
- <proto name="frame" showname="Frame 523: 222 bytes on wire (1776 bits), 222 bytes captured (1776 bits)" size="222" pos="0">
- <field name="frame.encap_type" showname="Encapsulation type: Raw IP (7)" size="0" pos="0" show="7"/>
- <field name="frame.time" showname="Arrival Time: Feb 13, 2017 10:17:17.552194000 NZDT" size="0" pos="0" show="Feb 13, 2017 10:17:17.552194000 NZDT"/>
- <field name="frame.offset_shift" showname="Time shift for this packet: 0.000000000 seconds" size="0" pos="0" show="0.000000000"/>
- <field name="frame.time_epoch" showname="Epoch Time: 1486934237.552194000 seconds" size="0" pos="0" show="1486934237.552194000"/>
- <field name="frame.time_delta" showname="Time delta from previous captured frame: 0.000068000 seconds" size="0" pos="0" show="0.000068000"/>
- <field name="frame.time_delta_displayed" showname="Time delta from previous displayed frame: 0.000068000 seconds" size="0" pos="0" show="0.000068000"/>
- <field name="frame.time_relative" showname="Time since reference or first frame: 466.929753000 seconds" size="0" pos="0" show="466.929753000"/>
- <field name="frame.number" showname="Frame Number: 523" size="0" pos="0" show="523"/>
- <field name="frame.len" showname="Frame Length: 222 bytes (1776 bits)" size="0" pos="0" show="222"/>
- <field name="frame.cap_len" showname="Capture Length: 222 bytes (1776 bits)" size="0" pos="0" show="222"/>
- <field name="frame.marked" showname="Frame is marked: False" size="0" pos="0" show="0"/>
- <field name="frame.ignored" showname="Frame is ignored: False" size="0" pos="0" show="0"/>
- <field name="frame.protocols" showname="Protocols in frame: raw:ip:udp:nbdgm:smb:browser" size="0" pos="0" show="raw:ip:udp:nbdgm:smb:browser"/>
- </proto>
- <proto name="raw" showname="Raw packet data" size="222" pos="0"/>
- <proto name="ip" showname="Internet Protocol Version 4, Src: 127.0.0.3, Dst: 127.0.0.21" size="20" pos="0">
- <field name="ip.version" showname="0100 .... = Version: 4" size="1" pos="0" show="4" value="4" unmaskedvalue="45"/>
- <field name="ip.hdr_len" showname=".... 0101 = Header Length: 20 bytes" size="1" pos="0" show="5" value="5" unmaskedvalue="45"/>
- <field name="ip.dsfield" showname="Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)" size="1" pos="1" show="0x00000000" value="00">
- <field name="ip.dsfield.dscp" showname="0000 00.. = Differentiated Services Codepoint: Default (0)" size="1" pos="1" show="0" value="0" unmaskedvalue="00"/>
- <field name="ip.dsfield.ecn" showname=".... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)" size="1" pos="1" show="0" value="0" unmaskedvalue="00"/>
- </field>
- <field name="ip.len" showname="Total Length: 222" size="2" pos="2" show="222" value="00de"/>
- <field name="ip.id" showname="Identification: 0xffff (65535)" size="2" pos="4" show="0x0000ffff" value="ffff"/>
- <field name="ip.flags" showname="Flags: 0x02 (Don&#x27;t Fragment)" size="1" pos="6" show="0x00000002" value="40">
- <field name="ip.flags.rb" showname="0... .... = Reserved bit: Not set" size="1" pos="6" show="0" value="40"/>
- <field name="ip.flags.df" showname=".1.. .... = Don&#x27;t fragment: Set" size="1" pos="6" show="1" value="40"/>
- <field name="ip.flags.mf" showname="..0. .... = More fragments: Not set" size="1" pos="6" show="0" value="40"/>
- </field>
- <field name="ip.frag_offset" showname="Fragment offset: 0" size="2" pos="6" show="0" value="4000"/>
- <field name="ip.ttl" showname="Time to live: 255" size="1" pos="8" show="255" value="ff"/>
- <field name="ip.proto" showname="Protocol: UDP (17)" size="1" pos="9" show="17" value="11"/>
- <field name="ip.checksum" showname="Header checksum: 0x0000 [validation disabled]" size="2" pos="10" show="0x00000000" value="0000">
- <field name="ip.checksum_good" showname="Good: False" size="2" pos="10" show="0" value="0000"/>
- <field name="ip.checksum_bad" showname="Bad: False" size="2" pos="10" show="0" value="0000"/>
- </field>
- <field name="ip.src" showname="Source: 127.0.0.3" size="4" pos="12" show="127.0.0.3" value="7f000003"/>
- <field name="ip.addr" showname="Source or Destination Address: 127.0.0.3" hide="yes" size="4" pos="12" show="127.0.0.3" value="7f000003"/>
- <field name="ip.src_host" showname="Source Host: 127.0.0.3" hide="yes" size="4" pos="12" show="127.0.0.3" value="7f000003"/>
- <field name="ip.host" showname="Source or Destination Host: 127.0.0.3" hide="yes" size="4" pos="12" show="127.0.0.3" value="7f000003"/>
- <field name="ip.dst" showname="Destination: 127.0.0.21" size="4" pos="16" show="127.0.0.21" value="7f000015"/>
- <field name="ip.addr" showname="Source or Destination Address: 127.0.0.21" hide="yes" size="4" pos="16" show="127.0.0.21" value="7f000015"/>
- <field name="ip.dst_host" showname="Destination Host: 127.0.0.21" hide="yes" size="4" pos="16" show="127.0.0.21" value="7f000015"/>
- <field name="ip.host" showname="Source or Destination Host: 127.0.0.21" hide="yes" size="4" pos="16" show="127.0.0.21" value="7f000015"/>
- <field name="" show="Source GeoIP: Unknown" size="4" pos="12" value="7f000003"/>
- <field name="" show="Destination GeoIP: Unknown" size="4" pos="16" value="7f000015"/>
- </proto>
- <proto name="udp" showname="User Datagram Protocol, Src Port: 138 (138), Dst Port: 138 (138)" size="8" pos="20">
- <field name="udp.srcport" showname="Source Port: 138" size="2" pos="20" show="138" value="008a"/>
- <field name="udp.dstport" showname="Destination Port: 138" size="2" pos="22" show="138" value="008a"/>
- <field name="udp.port" showname="Source or Destination Port: 138" hide="yes" size="2" pos="20" show="138" value="008a"/>
- <field name="udp.port" showname="Source or Destination Port: 138" hide="yes" size="2" pos="22" show="138" value="008a"/>
- <field name="udp.length" showname="Length: 202" size="2" pos="24" show="202" value="00ca"/>
- <field name="udp.checksum" showname="Checksum: 0x0000 (none)" size="2" pos="26" show="0x00000000" value="0000">
- <field name="udp.checksum_good" showname="Good Checksum: False" size="2" pos="26" show="0" value="0000"/>
- <field name="udp.checksum_bad" showname="Bad Checksum: False" size="2" pos="26" show="0" value="0000"/>
- </field>
- <field name="udp.stream" showname="Stream index: 30" size="0" pos="28" show="30"/>
- </proto>
- <proto name="nbdgm" showname="NetBIOS Datagram Service" size="82" pos="28">
- <field name="nbdgm.type" showname="Message Type: Direct_group datagram (17)" size="1" pos="28" show="17" value="11"/>
- <field name="nbdgm.next" showname="More fragments follow: No" size="1" pos="29" show="0" value="0a"/>
- <field name="nbdgm.first" showname="This is first fragment: Yes" size="1" pos="29" show="1" value="0a"/>
- <field name="nbdgm.node_type" showname="Node Type: M node (2)" size="1" pos="29" show="2" value="0a"/>
- <field name="nbdgm.dgram_id" showname="Datagram ID: 0x023d" size="2" pos="30" show="0x0000023d" value="023d"/>
- <field name="nbdgm.src.ip" showname="Source IP: 127.0.0.3" size="4" pos="32" show="127.0.0.3" value="7f000003"/>
- <field name="nbdgm.src.port" showname="Source Port: 138" size="2" pos="36" show="138" value="008a"/>
- <field name="nbdgm.dgram_len" showname="Datagram length: 180 bytes" size="2" pos="38" show="180" value="00b4"/>
- <field name="nbdgm.pkt_offset" showname="Packet offset: 0 bytes" size="2" pos="40" show="0" value="0000"/>
- <field name="nbdgm.source_name" showname="Source name: LOCALNT4DC2&lt;00&gt; (Workstation/Redirector)" size="34" pos="42" show="LOCALNT4DC2&lt;00&gt;" value="20454d455045444542454d454f464544454545454444434341434143414341414100"/>
- <field name="nbdgm.destination_name" showname="Destination name: SAMBA-TEST&lt;1e&gt; (Browser Election Service)" size="34" pos="76" show="SAMBA-TEST&lt;1e&gt;" value="2046444542454e45434542434e464545464644464543414341434143414341424f00"/>
- </proto>
- <proto name="smb" showname="SMB (Server Message Block Protocol)" size="112" pos="110">
- <field name="" show="SMB Header" size="32" pos="110" value="ff534d4225000000000000000000000000000000000000000000000000000000">
- <field name="smb.server_component" showname="Server Component: SMB" size="4" pos="110" show="0x424d53ff" value="ff534d42"/>
- <field name="smb.cmd" showname="SMB Command: Trans (0x25)" size="1" pos="114" show="37" value="25"/>
- <field name="smb.error_class" showname="Error Class: Success (0x00)" size="1" pos="115" show="0x00000000" value="00"/>
- <field name="smb.reserved" showname="Reserved: 00" size="1" pos="116" show="00" value="00"/>
- <field name="smb.error_code" showname="Error Code: No Error" size="2" pos="117" show="0x00000000" value="0000"/>
- <field name="smb.flags" showname="Flags: 0x00" size="1" pos="119" show="0x00000000" value="00">
- <field name="smb.flags.response" showname="0... .... = Request/Response: Message is a request to the server" size="1" pos="119" show="0" value="0" unmaskedvalue="00"/>
- <field name="smb.flags.notify" showname=".0.. .... = Notify: Notify client only on open" size="1" pos="119" show="0" value="0" unmaskedvalue="00"/>
- <field name="smb.flags.oplock" showname="..0. .... = Oplocks: OpLock not requested/granted" size="1" pos="119" show="0" value="0" unmaskedvalue="00"/>
- <field name="smb.flags.canon" showname="...0 .... = Canonicalized Pathnames: Pathnames are not canonicalized" size="1" pos="119" show="0" value="0" unmaskedvalue="00"/>
- <field name="smb.flags.caseless" showname=".... 0... = Case Sensitivity: Path names are case sensitive" size="1" pos="119" show="0" value="0" unmaskedvalue="00"/>
- <field name="smb.flags.receive_buffer" showname=".... ..0. = Receive Buffer Posted: Receive buffer has not been posted" size="1" pos="119" show="0" value="0" unmaskedvalue="00"/>
- <field name="smb.flags.lock" showname=".... ...0 = Lock and Read: Lock&amp;Read, Write&amp;Unlock are not supported" size="1" pos="119" show="0" value="0" unmaskedvalue="00"/>
- </field>
- <field name="smb.flags2" showname="Flags2: 0x0000" size="2" pos="120" show="0x00000000" value="0000">
- <field name="smb.flags2.string" showname="0... .... .... .... = Unicode Strings: Strings are ASCII" size="2" pos="120" show="0" value="0" unmaskedvalue="0000"/>
- <field name="smb.flags2.nt_error" showname=".0.. .... .... .... = Error Code Type: Error codes are DOS error codes" size="2" pos="120" show="0" value="0" unmaskedvalue="0000"/>
- <field name="smb.flags2.roe" showname="..0. .... .... .... = Execute-only Reads: Don&#x27;t permit reads if execute-only" size="2" pos="120" show="0" value="0" unmaskedvalue="0000"/>
- <field name="smb.flags2.dfs" showname="...0 .... .... .... = Dfs: Don&#x27;t resolve pathnames with Dfs" size="2" pos="120" show="0" value="0" unmaskedvalue="0000"/>
- <field name="smb.flags2.esn" showname=".... 0... .... .... = Extended Security Negotiation: Extended security negotiation is not supported" size="2" pos="120" show="0" value="0" unmaskedvalue="0000"/>
- <field name="smb.flags2.reparse_path" showname=".... .0.. .... .... = Reparse Path: The request does not use a @GMT reparse path" size="2" pos="120" show="0" value="0" unmaskedvalue="0000"/>
- <field name="smb.flags2.long_names_used" showname=".... .... .0.. .... = Long Names Used: Path names in request are not long file names" size="2" pos="120" show="0" value="0" unmaskedvalue="0000"/>
- <field name="smb.flags2.sec_sig_required" showname=".... .... ...0 .... = Security Signatures Required: Security signatures are not required" size="2" pos="120" show="0" value="0" unmaskedvalue="0000"/>
- <field name="smb.flags2.compressed" showname=".... .... .... 0... = Compressed: Compression is not requested" size="2" pos="120" show="0" value="0" unmaskedvalue="0000"/>
- <field name="smb.flags2.sec_sig" showname=".... .... .... .0.. = Security Signatures: Security signatures are not supported" size="2" pos="120" show="0" value="0" unmaskedvalue="0000"/>
- <field name="smb.flags2.ea" showname=".... .... .... ..0. = Extended Attributes: Extended attributes are not supported" size="2" pos="120" show="0" value="0" unmaskedvalue="0000"/>
- <field name="smb.flags2.long_names_allowed" showname=".... .... .... ...0 = Long Names Allowed: Long file names are not allowed in the response" size="2" pos="120" show="0" value="0" unmaskedvalue="0000"/>
- </field>
- <field name="smb.pid.high" showname="Process ID High: 0" size="2" pos="122" show="0" value="0000"/>
- <field name="smb.signature" showname="Signature: 0000000000000000" size="8" pos="124" show="00:00:00:00:00:00:00:00" value="0000000000000000"/>
- <field name="smb.reserved" showname="Reserved: 0000" size="2" pos="132" show="00:00" value="0000"/>
- <field name="smb.tid" showname="Tree ID: 0" size="2" pos="134" show="0" value="0000"/>
- <field name="smb.pid" showname="Process ID: 0" size="2" pos="136" show="0" value="0000"/>
- <field name="smb.uid" showname="User ID: 0" size="2" pos="138" show="0" value="0000"/>
- <field name="smb.mid" showname="Multiplex ID: 0" size="2" pos="140" show="0" value="0000"/>
- </field>
- <field name="" show="Trans Request (0x25)" size="80" pos="142" value="1100001a000000000000000000000000000000000000001a00560003000100010002002b005c4d41494c534c4f545c42524f5753450008018a0f011470170000000000004c4f43414c4e543444433200">
- <field name="smb.wct" showname="Word Count (WCT): 17" size="1" pos="142" show="17" value="11"/>
- <field name="smb.tpc" showname="Total Parameter Count: 0" size="2" pos="143" show="0" value="0000"/>
- <field name="smb.tdc" showname="Total Data Count: 26" size="2" pos="145" show="26" value="1a00"/>
- <field name="smb.mpc" showname="Max Parameter Count: 0" size="2" pos="147" show="0" value="0000"/>
- <field name="smb.mdc" showname="Max Data Count: 0" size="2" pos="149" show="0" value="0000"/>
- <field name="smb.msc" showname="Max Setup Count: 0" size="1" pos="151" show="0" value="00"/>
- <field name="smb.reserved" showname="Reserved: 00" size="1" pos="152" show="00" value="00"/>
- <field name="smb.transaction.flags" showname="Flags: 0x0000" size="2" pos="153" show="0x00000000" value="0000">
- <field name="smb.transaction.flags.owt" showname=".... .... .... ..0. = One Way Transaction: Two way transaction" size="2" pos="153" show="0" value="0" unmaskedvalue="0000"/>
- <field name="smb.transaction.flags.dtid" showname=".... .... .... ...0 = Disconnect TID: Do NOT disconnect TID" size="2" pos="153" show="0" value="0" unmaskedvalue="0000"/>
- </field>
- <field name="smb.timeout" showname="Timeout: Return immediately (0)" size="4" pos="155" show="0" value="00000000"/>
- <field name="smb.reserved" showname="Reserved: 0000" size="2" pos="159" show="00:00" value="0000"/>
- <field name="smb.pc" showname="Parameter Count: 0" size="2" pos="161" show="0" value="0000"/>
- <field name="smb.po" showname="Parameter Offset: 0" size="2" pos="163" show="0" value="0000"/>
- <field name="smb.dc" showname="Data Count: 26" size="2" pos="165" show="26" value="1a00"/>
- <field name="smb.data_offset" showname="Data Offset: 86" size="2" pos="167" show="86" value="5600"/>
- <field name="smb.sc" showname="Setup Count: 3" size="1" pos="169" show="3" value="03"/>
- <field name="smb.reserved" showname="Reserved: 00" size="1" pos="170" show="00" value="00"/>
- <field name="smb.bcc" showname="Byte Count (BCC): 43" size="2" pos="177" show="43" value="2b00"/>
- <field name="smb.trans_name" showname="Transaction Name: \MAILSLOT\BROWSE" size="17" pos="179" show="\MAILSLOT\BROWSE" value="5c4d41494c534c4f545c42524f57534500"/>
- </field>
- </proto>
- <proto name="mailslot" showname="SMB MailSlot Protocol" size="25" pos="171">
- <field name="mailslot.opcode" showname="Opcode: Write Mail Slot (1)" size="2" pos="171" show="1" value="0100"/>
- <field name="mailslot.priority" showname="Priority: 1" size="2" pos="173" show="1" value="0100"/>
- <field name="mailslot.class" showname="Class: Unreliable &amp; Broadcast (2)" size="2" pos="175" show="2" value="0200"/>
- <field name="mailslot.size" showname="Size: 43" size="2" pos="177" show="43" value="2b00"/>
- <field name="mailslot.name" showname="Mailslot Name: \MAILSLOT\BROWSE" size="17" pos="179" show="\MAILSLOT\BROWSE" value="5c4d41494c534c4f545c42524f57534500"/>
- </proto>
- <proto name="browser" showname="Microsoft Windows Browser Protocol" size="26" pos="196">
- <field name="browser.command" showname="Command: Browser Election Request (0x08)" size="1" pos="196" show="0x00000008" value="08"/>
- <field name="browser.election.version" showname="Election Version: 1" size="1" pos="197" show="1" value="01"/>
- <field name="browser.election.criteria" showname="Election Criteria: 0x14010f8a" size="4" pos="198" show="0x14010f8a" value="8a0f0114">
- <field name="browser.election.desire" showname="Election Desire: 0x8a, Standby, Domain Master, NT" size="1" pos="198" show="0x0000008a" value="8a">
- <field name="browser.election.desire.backup" showname=".... ...0 = Backup: NOT Backup Browse Server" size="1" pos="198" show="0" value="0" unmaskedvalue="8a"/>
- <field name="browser.election.desire.standby" showname=".... ..1. = Standby: Standby Browse Server" size="1" pos="198" show="1" value="FFFFFFFF" unmaskedvalue="8a"/>
- <field name="browser.election.desire.master" showname=".... .0.. = Master: NOT Master Browser" size="1" pos="198" show="0" value="0" unmaskedvalue="8a"/>
- <field name="browser.election.desire.domain_master" showname=".... 1... = Domain Master: Domain Master Browse Server" size="1" pos="198" show="1" value="FFFFFFFF" unmaskedvalue="8a"/>
- <field name="browser.election.desire.wins" showname="..0. .... = WINS: NOT WINS Client" size="1" pos="198" show="0" value="0" unmaskedvalue="8a"/>
- <field name="browser.election.desire.nt" showname="1... .... = NT: Windows NT Advanced Server" size="1" pos="198" show="1" value="FFFFFFFF" unmaskedvalue="8a"/>
- </field>
- <field name="browser.proto_major" showname="Browser Protocol Major Version: 15" size="1" pos="199" show="15" value="0f"/>
- <field name="browser.proto_minor" showname="Browser Protocol Minor Version: 1" size="1" pos="200" show="1" value="01"/>
- <field name="browser.election.os" showname="Election OS: 0x14, NT Workstation" size="1" pos="201" show="0x00000014" value="14">
- <field name="browser.election.os.wfw" showname=".... ...0 = WfW: Not Windows for Workgroups" size="1" pos="201" show="0" value="0" unmaskedvalue="14"/>
- <field name="browser.election.os.ntw" showname="...1 .... = NT Workstation: Windows NT Workstation" size="1" pos="201" show="1" value="FFFFFFFF" unmaskedvalue="14"/>
- <field name="browser.election.os.nts" showname="..0. .... = NT Server: Not Windows NT Server" size="1" pos="201" show="0" value="0" unmaskedvalue="14"/>
- </field>
- </field>
- <field name="browser.uptime" showname="Uptime: 6 seconds" size="4" pos="202" show="6000" value="70170000"/>
- <field name="browser.server" showname="Server Name: LOCALNT4DC2" size="12" pos="210" show="LOCALNT4DC2" value="4c4f43414c4e543444433200"/>
- </proto>
-</packet>
-
-
-<packet>
- <proto name="geninfo" pos="0" showname="General information" size="128">
- <field name="num" pos="0" show="50351" showname="Number" value="c4af" size="128"/>
- <field name="len" pos="0" show="128" showname="Frame Length" value="80" size="128"/>
- <field name="caplen" pos="0" show="128" showname="Captured Length" value="80" size="128"/>
- <field name="timestamp" pos="0" show="Feb 10, 2017 14:37:58.178692000 NZDT" showname="Captured Time" value="1486690678.178692000" size="128"/>
- </proto>
- <proto name="frame" showname="Frame 50351: 128 bytes on wire (1024 bits), 128 bytes captured (1024 bits)" size="128" pos="0">
- <field name="frame.encap_type" showname="Encapsulation type: Raw IP (7)" size="0" pos="0" show="7"/>
- <field name="frame.time" showname="Arrival Time: Feb 10, 2017 14:37:58.178692000 NZDT" size="0" pos="0" show="Feb 10, 2017 14:37:58.178692000 NZDT"/>
- <field name="frame.offset_shift" showname="Time shift for this packet: 0.000000000 seconds" size="0" pos="0" show="0.000000000"/>
- <field name="frame.time_epoch" showname="Epoch Time: 1486690678.178692000 seconds" size="0" pos="0" show="1486690678.178692000"/>
- <field name="frame.time_delta" showname="Time delta from previous captured frame: 0.043192000 seconds" size="0" pos="0" show="0.043192000"/>
- <field name="frame.time_delta_displayed" showname="Time delta from previous displayed frame: 0.043192000 seconds" size="0" pos="0" show="0.043192000"/>
- <field name="frame.time_relative" showname="Time since reference or first frame: 101.648241000 seconds" size="0" pos="0" show="101.648241000"/>
- <field name="frame.number" showname="Frame Number: 50351" size="0" pos="0" show="50351"/>
- <field name="frame.len" showname="Frame Length: 128 bytes (1024 bits)" size="0" pos="0" show="128"/>
- <field name="frame.cap_len" showname="Capture Length: 128 bytes (1024 bits)" size="0" pos="0" show="128"/>
- <field name="frame.marked" showname="Frame is marked: False" size="0" pos="0" show="0"/>
- <field name="frame.ignored" showname="Frame is ignored: False" size="0" pos="0" show="0"/>
- <field name="frame.protocols" showname="Protocols in frame: raw:ip:tcp:nbss:smb:dcerpc" size="0" pos="0" show="raw:ip:tcp:nbss:smb:dcerpc"/>
- </proto>
- <proto name="raw" showname="Raw packet data" size="128" pos="0"/>
- <proto name="ip" showname="Internet Protocol Version 4, Src: 127.0.0.30, Dst: 127.0.0.27" size="20" pos="0">
- <field name="ip.version" showname="0100 .... = Version: 4" size="1" pos="0" show="4" value="4" unmaskedvalue="45"/>
- <field name="ip.hdr_len" showname=".... 0101 = Header Length: 20 bytes" size="1" pos="0" show="5" value="5" unmaskedvalue="45"/>
- <field name="ip.dsfield" showname="Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)" size="1" pos="1" show="0x00000000" value="00">
- <field name="ip.dsfield.dscp" showname="0000 00.. = Differentiated Services Codepoint: Default (0)" size="1" pos="1" show="0" value="0" unmaskedvalue="00"/>
- <field name="ip.dsfield.ecn" showname=".... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)" size="1" pos="1" show="0" value="0" unmaskedvalue="00"/>
- </field>
- <field name="ip.len" showname="Total Length: 128" size="2" pos="2" show="128" value="0080"/>
- <field name="ip.id" showname="Identification: 0xffff (65535)" size="2" pos="4" show="0x0000ffff" value="ffff"/>
- <field name="ip.flags" showname="Flags: 0x02 (Don&#x27;t Fragment)" size="1" pos="6" show="0x00000002" value="40">
- <field name="ip.flags.rb" showname="0... .... = Reserved bit: Not set" size="1" pos="6" show="0" value="40"/>
- <field name="ip.flags.df" showname=".1.. .... = Don&#x27;t fragment: Set" size="1" pos="6" show="1" value="40"/>
- <field name="ip.flags.mf" showname="..0. .... = More fragments: Not set" size="1" pos="6" show="0" value="40"/>
- </field>
- <field name="ip.frag_offset" showname="Fragment offset: 0" size="2" pos="6" show="0" value="4000"/>
- <field name="ip.ttl" showname="Time to live: 255" size="1" pos="8" show="255" value="ff"/>
- <field name="ip.proto" showname="Protocol: TCP (6)" size="1" pos="9" show="6" value="06"/>
- <field name="ip.checksum" showname="Header checksum: 0x0000 [validation disabled]" size="2" pos="10" show="0x00000000" value="0000">
- <field name="ip.checksum_good" showname="Good: False" size="2" pos="10" show="0" value="0000"/>
- <field name="ip.checksum_bad" showname="Bad: False" size="2" pos="10" show="0" value="0000"/>
- </field>
- <field name="ip.src" showname="Source: 127.0.0.30" size="4" pos="12" show="127.0.0.30" value="7f00001e"/>
- <field name="ip.addr" showname="Source or Destination Address: 127.0.0.30" hide="yes" size="4" pos="12" show="127.0.0.30" value="7f00001e"/>
- <field name="ip.src_host" showname="Source Host: 127.0.0.30" hide="yes" size="4" pos="12" show="127.0.0.30" value="7f00001e"/>
- <field name="ip.host" showname="Source or Destination Host: 127.0.0.30" hide="yes" size="4" pos="12" show="127.0.0.30" value="7f00001e"/>
- <field name="ip.dst" showname="Destination: 127.0.0.27" size="4" pos="16" show="127.0.0.27" value="7f00001b"/>
- <field name="ip.addr" showname="Source or Destination Address: 127.0.0.27" hide="yes" size="4" pos="16" show="127.0.0.27" value="7f00001b"/>
- <field name="ip.dst_host" showname="Destination Host: 127.0.0.27" hide="yes" size="4" pos="16" show="127.0.0.27" value="7f00001b"/>
- <field name="ip.host" showname="Source or Destination Host: 127.0.0.27" hide="yes" size="4" pos="16" show="127.0.0.27" value="7f00001b"/>
- <field name="" show="Source GeoIP: Unknown" size="4" pos="12" value="7f00001e"/>
- <field name="" show="Destination GeoIP: Unknown" size="4" pos="16" value="7f00001b"/>
- </proto>
- <proto name="tcp" showname="Transmission Control Protocol, Src Port: 445 (445), Dst Port: 17919 (17919), Seq: 1815, Ack: 3639, Len: 88" size="20" pos="20">
- <field name="tcp.srcport" showname="Source Port: 445" size="2" pos="20" show="445" value="01bd"/>
- <field name="tcp.dstport" showname="Destination Port: 17919" size="2" pos="22" show="17919" value="45ff"/>
- <field name="tcp.port" showname="Source or Destination Port: 445" hide="yes" size="2" pos="20" show="445" value="01bd"/>
- <field name="tcp.port" showname="Source or Destination Port: 17919" hide="yes" size="2" pos="22" show="17919" value="45ff"/>
- <field name="tcp.stream" showname="Stream index: 1177" size="0" pos="20" show="1177"/>
- <field name="tcp.len" showname="TCP Segment Len: 88" size="1" pos="32" show="88" value="50"/>
- <field name="tcp.seq" showname="Sequence number: 1815 (relative sequence number)" size="4" pos="24" show="1815" value="00000717"/>
- <field name="tcp.nxtseq" showname="Next sequence number: 1903 (relative sequence number)" size="0" pos="20" show="1903"/>
- <field name="tcp.ack" showname="Acknowledgment number: 3639 (relative ack number)" size="4" pos="28" show="3639" value="00000e37"/>
- <field name="tcp.hdr_len" showname="Header Length: 20 bytes" size="1" pos="32" show="20" value="50"/>
- <field name="tcp.flags" showname="Flags: 0x018 (PSH, ACK)" size="2" pos="32" show="0x00000018" value="18" unmaskedvalue="5018">
- <field name="tcp.flags.res" showname="000. .... .... = Reserved: Not set" size="1" pos="32" show="0" value="0" unmaskedvalue="50"/>
- <field name="tcp.flags.ns" showname="...0 .... .... = Nonce: Not set" size="1" pos="32" show="0" value="0" unmaskedvalue="50"/>
- <field name="tcp.flags.cwr" showname=".... 0... .... = Congestion Window Reduced (CWR): Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
- <field name="tcp.flags.ecn" showname=".... .0.. .... = ECN-Echo: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
- <field name="tcp.flags.urg" showname=".... ..0. .... = Urgent: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
- <field name="tcp.flags.ack" showname=".... ...1 .... = Acknowledgment: Set" size="1" pos="33" show="1" value="FFFFFFFF" unmaskedvalue="18"/>
- <field name="tcp.flags.push" showname=".... .... 1... = Push: Set" size="1" pos="33" show="1" value="FFFFFFFF" unmaskedvalue="18"/>
- <field name="tcp.flags.reset" showname=".... .... .0.. = Reset: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
- <field name="tcp.flags.syn" showname=".... .... ..0. = Syn: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
- <field name="tcp.flags.fin" showname=".... .... ...0 = Fin: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
- <field name="tcp.flags.str" showname="TCP Flags: *******AP***" size="2" pos="32" show="*******AP***" value="5018"/>
- </field>
- <field name="tcp.window_size_value" showname="Window size value: 32767" size="2" pos="34" show="32767" value="7fff"/>
- <field name="tcp.window_size" showname="Calculated window size: 32767" size="2" pos="34" show="32767" value="7fff"/>
- <field name="tcp.window_size_scalefactor" showname="Window size scaling factor: -2 (no window scaling used)" size="2" pos="34" show="-2" value="7fff"/>
- <field name="tcp.checksum" showname="Checksum: 0x0000 [validation disabled]" size="2" pos="36" show="0x00000000" value="0000">
- <field name="tcp.checksum_good" showname="Good Checksum: False" size="2" pos="36" show="0" value="0000"/>
- <field name="tcp.checksum_bad" showname="Bad Checksum: False" size="2" pos="36" show="0" value="0000"/>
- </field>
- <field name="tcp.urgent_pointer" showname="Urgent pointer: 0" size="2" pos="38" show="0" value="0000"/>
- <field name="tcp.analysis" showname="SEQ/ACK analysis" size="0" pos="20" show="" value="">
- <field name="tcp.analysis.acks_frame" showname="This is an ACK to the segment in frame: 50348" size="0" pos="20" show="50348"/>
- <field name="tcp.analysis.ack_rtt" showname="The RTT to ACK the segment was: 0.043267000 seconds" size="0" pos="20" show="0.043267000"/>
- <field name="tcp.analysis.initial_rtt" showname="iRTT: 0.000015000 seconds" size="0" pos="20" show="0.000015000"/>
- <field name="tcp.analysis.bytes_in_flight" showname="Bytes in flight: 88" size="0" pos="20" show="88"/>
- </field>
- </proto>
- <proto name="nbss" showname="NetBIOS Session Service" size="88" pos="40">
- <field name="nbss.type" showname="Message Type: Session message (0x00)" size="1" pos="40" show="0x00000000" value="00"/>
- <field name="nbss.length" showname="Length: 84" size="3" pos="41" show="84" value="000054"/>
- </proto>
- <proto name="smb" showname="SMB (Server Message Block Protocol)" size="84" pos="44">
- <field name="" show="SMB Header" size="32" pos="44" value="ff534d4225000000008817c8000045cbaf6829ae71c20000d95d0000c67c0b00">
- <field name="smb.server_component" showname="Server Component: SMB" size="4" pos="44" show="0x424d53ff" value="ff534d42"/>
- <field name="smb.response_to" showname="Response to: 50348" size="0" pos="44" show="50348"/>
- <field name="smb.time" showname="Time from request: 0.043267000 seconds" size="0" pos="44" show="0.043267000"/>
- <field name="smb.cmd" showname="SMB Command: Trans (0x25)" size="1" pos="48" show="37" value="25"/>
- <field name="smb.nt_status" showname="NT Status: STATUS_SUCCESS (0x00000000)" size="4" pos="49" show="0" value="00000000"/>
- <field name="smb.flags" showname="Flags: 0x88, Request/Response, Case Sensitivity" size="1" pos="53" show="0x00000088" value="88">
- <field name="smb.flags.response" showname="1... .... = Request/Response: Message is a response to the client/redirector" size="1" pos="53" show="1" value="FFFFFFFF" unmaskedvalue="88"/>
- <field name="smb.flags.notify" showname=".0.. .... = Notify: Notify client only on open" size="1" pos="53" show="0" value="0" unmaskedvalue="88"/>
- <field name="smb.flags.oplock" showname="..0. .... = Oplocks: OpLock not requested/granted" size="1" pos="53" show="0" value="0" unmaskedvalue="88"/>
- <field name="smb.flags.canon" showname="...0 .... = Canonicalized Pathnames: Pathnames are not canonicalized" size="1" pos="53" show="0" value="0" unmaskedvalue="88"/>
- <field name="smb.flags.caseless" showname=".... 1... = Case Sensitivity: Path names are caseless" size="1" pos="53" show="1" value="FFFFFFFF" unmaskedvalue="88"/>
- <field name="smb.flags.receive_buffer" showname=".... ..0. = Receive Buffer Posted: Receive buffer has not been posted" size="1" pos="53" show="0" value="0" unmaskedvalue="88"/>
- <field name="smb.flags.lock" showname=".... ...0 = Lock and Read: Lock&amp;Read, Write&amp;Unlock are not supported" size="1" pos="53" show="0" value="0" unmaskedvalue="88"/>
- </field>
- <field name="smb.flags2" showname="Flags2: 0xc817, Unicode Strings, Error Code Type, Extended Security Negotiation, Security Signatures Required, Security Signatures, Extended Attributes, Long Names Allowed" size="2" pos="54" show="0x0000c817" value="17c8">
- <field name="smb.flags2.string" showname="1... .... .... .... = Unicode Strings: Strings are Unicode" size="2" pos="54" show="1" value="FFFFFFFF" unmaskedvalue="17c8"/>
- <field name="smb.flags2.nt_error" showname=".1.. .... .... .... = Error Code Type: Error codes are NT error codes" size="2" pos="54" show="1" value="FFFFFFFF" unmaskedvalue="17c8"/>
- <field name="smb.flags2.roe" showname="..0. .... .... .... = Execute-only Reads: Don&#x27;t permit reads if execute-only" size="2" pos="54" show="0" value="0" unmaskedvalue="17c8"/>
- <field name="smb.flags2.dfs" showname="...0 .... .... .... = Dfs: Don&#x27;t resolve pathnames with Dfs" size="2" pos="54" show="0" value="0" unmaskedvalue="17c8"/>
- <field name="smb.flags2.esn" showname=".... 1... .... .... = Extended Security Negotiation: Extended security negotiation is supported" size="2" pos="54" show="1" value="FFFFFFFF" unmaskedvalue="17c8"/>
- <field name="smb.flags2.reparse_path" showname=".... .0.. .... .... = Reparse Path: The request does not use a @GMT reparse path" size="2" pos="54" show="0" value="0" unmaskedvalue="17c8"/>
- <field name="smb.flags2.long_names_used" showname=".... .... .0.. .... = Long Names Used: Path names in request are not long file names" size="2" pos="54" show="0" value="0" unmaskedvalue="17c8"/>
- <field name="smb.flags2.sec_sig_required" showname=".... .... ...1 .... = Security Signatures Required: Security signatures are required" size="2" pos="54" show="1" value="FFFFFFFF" unmaskedvalue="17c8"/>
- <field name="smb.flags2.compressed" showname=".... .... .... 0... = Compressed: Compression is not requested" size="2" pos="54" show="0" value="0" unmaskedvalue="17c8"/>
- <field name="smb.flags2.sec_sig" showname=".... .... .... .1.. = Security Signatures: Security signatures are supported" size="2" pos="54" show="1" value="FFFFFFFF" unmaskedvalue="17c8"/>
- <field name="smb.flags2.ea" showname=".... .... .... ..1. = Extended Attributes: Extended attributes are supported" size="2" pos="54" show="1" value="FFFFFFFF" unmaskedvalue="17c8"/>
- <field name="smb.flags2.long_names_allowed" showname=".... .... .... ...1 = Long Names Allowed: Long file names are allowed in the response" size="2" pos="54" show="1" value="FFFFFFFF" unmaskedvalue="17c8"/>
- </field>
- <field name="smb.pid.high" showname="Process ID High: 0" size="2" pos="56" show="0" value="0000"/>
- <field name="smb.signature" showname="Signature: 45cbaf6829ae71c2" size="8" pos="58" show="45:cb:af:68:29:ae:71:c2" value="45cbaf6829ae71c2"/>
- <field name="smb.reserved" showname="Reserved: 0000" size="2" pos="66" show="00:00" value="0000"/>
- <field name="smb.tid" showname="Tree ID: 24025 (\\ADDC.ADDOM.SAMBA.EXAMPLE.COM\IPC$)" size="2" pos="68" show="24025" value="d95d">
- <field name="smb.path" showname="Path: \\ADDC.ADDOM.SAMBA.EXAMPLE.COM\IPC$" size="0" pos="112" show="\\ADDC.ADDOM.SAMBA.EXAMPLE.COM\IPC$"/>
- <field name="smb.fid.mapped_in" showname="Mapped in: 50252" size="0" pos="112" show="50252"/>
- </field>
- <field name="smb.pid" showname="Process ID: 0" size="2" pos="70" show="0" value="0000"/>
- <field name="smb.uid" showname="User ID: 31942" size="2" pos="72" show="31942" value="c67c"/>
- <field name="smb.mid" showname="Multiplex ID: 11" size="2" pos="74" show="11" value="0b00"/>
- </field>
- <field name="" show="Trans Response (0x25)" size="52" pos="76" value="0a00001c0000000000380000001c003800000000001d000005000203100000001c00000007000000040000000000000000000000">
- <field name="smb.fid" showname="FID: 0x2ea1 (\lsarpc)" size="0" pos="76" show="0x00002ea1">
- <field name="smb.fid.opened_in" showname="Opened in: 50258" size="0" pos="120" show="50258"/>
- <field name="smb.file" showname="File Name: \lsarpc" size="0" pos="120" show="\lsarpc"/>
- <field name="smb.create_flags" showname="Create Flags: 0x00000000" size="4" pos="120" show="0x00000000" value="ff534d42">
- <field name="smb.nt.create.oplock" showname=".... .... .... .... .... .... .... ..0. = Exclusive Oplock: Does NOT request oplock" size="4" pos="44" show="0" value="0" unmaskedvalue="ff534d42"/>
- <field name="smb.nt.create.batch_oplock" showname=".... .... .... .... .... .... .... .0.. = Batch Oplock: Does NOT request batch oplock" size="4" pos="44" show="0" value="0" unmaskedvalue="ff534d42"/>
- <field name="smb.nt.create.dir" showname=".... .... .... .... .... .... .... 0... = Create Directory: Target of open can be a file" size="4" pos="44" show="0" value="0" unmaskedvalue="ff534d42"/>
- <field name="smb.nt.create.ext" showname=".... .... .... .... .... .... ...0 .... = Extended Response: Extended responses NOT required" size="4" pos="44" show="0" value="0" unmaskedvalue="ff534d42"/>
- </field>
- <field name="smb.access_mask" showname="Access Mask: 0x0002019f" size="4" pos="120" show="0x0002019f" value="ff534d42">
- <field name="smb.access.read" showname=".... .... .... .... .... .... .... ...1 = Read: READ access" size="4" pos="44" show="1" value="FFFFFFFF" unmaskedvalue="ff534d42"/>
- <field name="smb.access.write" showname=".... .... .... .... .... .... .... ..1. = Write: WRITE access" size="4" pos="44" show="1" value="FFFFFFFF" unmaskedvalue="ff534d42"/>
- <field name="smb.access.append" showname=".... .... .... .... .... .... .... .1.. = Append: APPEND access" size="4" pos="44" show="1" value="FFFFFFFF" unmaskedvalue="ff534d42"/>
- <field name="smb.access.read_ea" showname=".... .... .... .... .... .... .... 1... = Read EA: READ EXTENDED ATTRIBUTES access" size="4" pos="44" show="1" value="FFFFFFFF" unmaskedvalue="ff534d42"/>
- <field name="smb.access.write_ea" showname=".... .... .... .... .... .... ...1 .... = Write EA: WRITE EXTENDED ATTRIBUTES access" size="4" pos="44" show="1" value="FFFFFFFF" unmaskedvalue="ff534d42"/>
- <field name="smb.access.execute" showname=".... .... .... .... .... .... ..0. .... = Execute: NO execute access" size="4" pos="44" show="0" value="0" unmaskedvalue="ff534d42"/>
- <field name="smb.access.delete_child" showname=".... .... .... .... .... .... .0.. .... = Delete Child: NO delete child access" size="4" pos="44" show="0" value="0" unmaskedvalue="ff534d42"/>
- <field name="smb.access.read_attributes" showname=".... .... .... .... .... .... 1... .... = Read Attributes: READ ATTRIBUTES access" size="4" pos="44" show="1" value="FFFFFFFF" unmaskedvalue="ff534d42"/>
- <field name="smb.access.write_attributes" showname=".... .... .... .... .... ...1 .... .... = Write Attributes: WRITE ATTRIBUTES access" size="4" pos="44" show="1" value="FFFFFFFF" unmaskedvalue="ff534d42"/>
- <field name="smb.access.delete" showname=".... .... .... ...0 .... .... .... .... = Delete: NO delete access" size="4" pos="44" show="0" value="0" unmaskedvalue="ff534d42"/>
- <field name="smb.access.read_control" showname=".... .... .... ..1. .... .... .... .... = Read Control: READ ACCESS to owner, group and ACL of the SID" size="4" pos="44" show="1" value="FFFFFFFF" unmaskedvalue="ff534d42"/>
- <field name="smb.access.write_dac" showname=".... .... .... .0.. .... .... .... .... = Write DAC: Owner may NOT write to the DAC" size="4" pos="44" show="0" value="0" unmaskedvalue="ff534d42"/>
- <field name="smb.access.write_owner" showname=".... .... .... 0... .... .... .... .... = Write Owner: Can NOT write owner (take ownership)" size="4" pos="44" show="0" value="0" unmaskedvalue="ff534d42"/>
- <field name="smb.access.synchronize" showname=".... .... ...0 .... .... .... .... .... = Synchronize: Can NOT wait on handle to synchronize on completion of I/O" size="4" pos="44" show="0" value="0" unmaskedvalue="ff534d42"/>
- <field name="smb.access.system_security" showname=".... ...0 .... .... .... .... .... .... = System Security: System security is NOT set" size="4" pos="44" show="0" value="0" unmaskedvalue="ff534d42"/>
- <field name="smb.access.maximum_allowed" showname=".... ..0. .... .... .... .... .... .... = Maximum Allowed: Maximum allowed is NOT set" size="4" pos="44" show="0" value="0" unmaskedvalue="ff534d42"/>
- <field name="smb.access.generic_all" showname="...0 .... .... .... .... .... .... .... = Generic All: Generic all is NOT set" size="4" pos="44" show="0" value="0" unmaskedvalue="ff534d42"/>
- <field name="smb.access.generic_execute" showname="..0. .... .... .... .... .... .... .... = Generic Execute: Generic execute is NOT set" size="4" pos="44" show="0" value="0" unmaskedvalue="ff534d42"/>
- <field name="smb.access.generic_write" showname=".0.. .... .... .... .... .... .... .... = Generic Write: Generic write is NOT set" size="4" pos="44" show="0" value="0" unmaskedvalue="ff534d42"/>
- <field name="smb.access.generic_read" showname="0... .... .... .... .... .... .... .... = Generic Read: Generic read is NOT set" size="4" pos="44" show="0" value="0" unmaskedvalue="ff534d42"/>
- </field>
- <field name="smb.file_attribute" showname="File Attributes: 0x00000000" size="4" pos="120" show="0x00000000" value="ff534d42">
- <field name="smb.file_attribute.read_only" showname=".... .... .... .... .... .... .... ...0 = Read Only: NOT read only" size="4" pos="44" show="0" value="0" unmaskedvalue="ff534d42"/>
- <field name="smb.file_attribute.hidden" showname=".... .... .... .... .... .... .... ..0. = Hidden: NOT hidden" size="4" pos="44" show="0" value="0" unmaskedvalue="ff534d42"/>
- <field name="smb.file_attribute.system" showname=".... .... .... .... .... .... .... .0.. = System: NOT a system file/dir" size="4" pos="44" show="0" value="0" unmaskedvalue="ff534d42"/>
- <field name="smb.file_attribute.volume" showname=".... .... .... .... .... .... .... 0... = Volume ID: NOT a volume ID" size="4" pos="44" show="0" value="0" unmaskedvalue="ff534d42"/>
- <field name="smb.file_attribute.directory" showname=".... .... .... .... .... .... ...0 .... = Directory: NOT a directory" size="4" pos="44" show="0" value="0" unmaskedvalue="ff534d42"/>
- <field name="smb.file_attribute.archive" showname=".... .... .... .... .... .... ..0. .... = Archive: Has NOT been modified since last archive" size="4" pos="44" show="0" value="0" unmaskedvalue="ff534d42"/>
- <field name="smb.file_attribute.device" showname=".... .... .... .... .... .... .0.. .... = Device: NOT a device" size="4" pos="44" show="0" value="0" unmaskedvalue="ff534d42"/>
- <field name="smb.file_attribute.normal" showname=".... .... .... .... .... .... 0... .... = Normal: Has some attribute set" size="4" pos="44" show="0" value="0" unmaskedvalue="ff534d42"/>
- <field name="smb.file_attribute.temporary" showname=".... .... .... .... .... ...0 .... .... = Temporary: NOT a temporary file" size="4" pos="44" show="0" value="0" unmaskedvalue="ff534d42"/>
- <field name="smb.file_attribute.sparse" showname=".... .... .... .... .... ..0. .... .... = Sparse: NOT a sparse file" size="4" pos="44" show="0" value="0" unmaskedvalue="ff534d42"/>
- <field name="smb.file_attribute.reparse" showname=".... .... .... .... .... .0.. .... .... = Reparse Point: Does NOT have an associated reparse point" size="4" pos="44" show="0" value="0" unmaskedvalue="ff534d42"/>
- <field name="smb.file_attribute.compressed" showname=".... .... .... .... .... 0... .... .... = Compressed: Uncompressed" size="4" pos="44" show="0" value="0" unmaskedvalue="ff534d42"/>
- <field name="smb.file_attribute.offline" showname=".... .... .... .... ...0 .... .... .... = Offline: Online" size="4" pos="44" show="0" value="0" unmaskedvalue="ff534d42"/>
- <field name="smb.file_attribute.not_content_indexed" showname=".... .... .... .... ..0. .... .... .... = Content Indexed: NOT content indexed" size="4" pos="44" show="0" value="0" unmaskedvalue="ff534d42"/>
- <field name="smb.file_attribute.encrypted" showname=".... .... .... .... .0.. .... .... .... = Encrypted: This is NOT an encrypted file" size="4" pos="44" show="0" value="0" unmaskedvalue="ff534d42"/>
- </field>
- <field name="smb.share_access" showname="Share Access: 0x00000003, Read, Write" size="4" pos="120" show="0x00000003" value="ff534d42">
- <field name="smb.share.access.read" showname=".... .... .... .... .... .... .... ...1 = Read: Object can be shared for READ" size="4" pos="44" show="1" value="FFFFFFFF" unmaskedvalue="ff534d42"/>
- <field name="smb.share.access.write" showname=".... .... .... .... .... .... .... ..1. = Write: Object can be shared for WRITE" size="4" pos="44" show="1" value="FFFFFFFF" unmaskedvalue="ff534d42"/>
- <field name="smb.share.access.delete" showname=".... .... .... .... .... .... .... .0.. = Delete: Object can NOT be shared for delete" size="4" pos="44" show="0" value="0" unmaskedvalue="ff534d42"/>
- </field>
- <field name="smb.create_options" showname="Create Options: 0x00000000" size="4" pos="120" show="0x00000000" value="ff534d42">
- <field name="smb.nt.create_options.directory" showname=".... .... .... .... .... .... .... ...0 = Directory: File being created/opened must not be a directory" size="4" pos="44" show="0" value="0" unmaskedvalue="ff534d42"/>
- <field name="smb.nt.create_options.write_through" showname=".... .... .... .... .... .... .... ..0. = Write Through: Writes need not flush buffered data before completing" size="4" pos="44" show="0" value="0" unmaskedvalue="ff534d42"/>
- <field name="smb.nt.create_options.sequential_only" showname=".... .... .... .... .... .... .... .0.. = Sequential Only: The file might not only be accessed sequentially" size="4" pos="44" show="0" value="0" unmaskedvalue="ff534d42"/>
- <field name="smb.nt.create_options.intermediate_buffering" showname=".... .... .... .... .... .... .... 0... = Intermediate Buffering: Intermediate buffering is allowed" size="4" pos="44" show="0" value="0" unmaskedvalue="ff534d42"/>
- <field name="smb.nt.create_options.sync_io_alert" showname=".... .... .... .... .... .... ...0 .... = Sync I/O Alert: Operations NOT necessarily synchronous" size="4" pos="44" show="0" value="0" unmaskedvalue="ff534d42"/>
- <field name="smb.nt.create_options.sync_io_nonalert" showname=".... .... .... .... .... .... ..0. .... = Sync I/O Nonalert: Operations NOT necessarily synchronous" size="4" pos="44" show="0" value="0" unmaskedvalue="ff534d42"/>
- <field name="smb.nt.create_options.non_directory" showname=".... .... .... .... .... .... .0.. .... = Non-Directory: File being created/opened must be a directory" size="4" pos="44" show="0" value="0" unmaskedvalue="ff534d42"/>
- <field name="smb.nt.create_options.create_tree_connection" showname=".... .... .... .... .... .... 0... .... = Create Tree Connection: Create Tree Connections is NOT set" size="4" pos="44" show="0" value="0" unmaskedvalue="ff534d42"/>
- <field name="smb.nt.create_options.complete_if_oplocked" showname=".... .... .... .... .... ...0 .... .... = Complete If Oplocked: Complete if oplocked is NOT set" size="4" pos="44" show="0" value="0" unmaskedvalue="ff534d42"/>
- <field name="smb.nt.create_options.no_ea_knowledge" showname=".... .... .... .... .... ..0. .... .... = No EA Knowledge: The client understands extended attributes" size="4" pos="44" show="0" value="0" unmaskedvalue="ff534d42"/>
- <field name="smb.nt.create_options.eight_dot_three_only" showname=".... .... .... .... .... .0.. .... .... = 8.3 Only: The client understands long file names" size="4" pos="44" show="0" value="0" unmaskedvalue="ff534d42"/>
- <field name="smb.nt.create_options.random_access" showname=".... .... .... .... .... 0... .... .... = Random Access: The file will not be accessed randomly" size="4" pos="44" show="0" value="0" unmaskedvalue="ff534d42"/>
- <field name="smb.nt.create_options.delete_on_close" showname=".... .... .... .... ...0 .... .... .... = Delete On Close: The file should not be deleted when it is closed" size="4" pos="44" show="0" value="0" unmaskedvalue="ff534d42"/>
- <field name="smb.nt.create_options.open_by_fileid" showname=".... .... .... .... ..0. .... .... .... = Open By FileID: OpenByFileID is NOT set" size="4" pos="44" show="0" value="0" unmaskedvalue="ff534d42"/>
- <field name="smb.nt.create_options.backup_intent" showname=".... .... .... .... .0.. .... .... .... = Backup Intent: This is a normal create" size="4" pos="44" show="0" value="0" unmaskedvalue="ff534d42"/>
- <field name="smb.nt.create_options.no_compression" showname=".... .... .... .... 0... .... .... .... = No Compression: Compression is allowed for Open/Create" size="4" pos="44" show="0" value="0" unmaskedvalue="ff534d42"/>
- <field name="smb.nt.create_options.reserve_opfilter" showname=".... .... ...0 .... .... .... .... .... = Reserve Opfilter: Reserve Opfilter is NOT set" size="4" pos="44" show="0" value="0" unmaskedvalue="ff534d42"/>
- <field name="smb.nt.create_options.open_reparse_point" showname=".... .... ..0. .... .... .... .... .... = Open Reparse Point: Normal open" size="4" pos="44" show="0" value="0" unmaskedvalue="ff534d42"/>
- <field name="smb.nt.create_options.open_no_recall" showname=".... .... .0.. .... .... .... .... .... = Open No Recall: Open no recall is NOT set" size="4" pos="44" show="0" value="0" unmaskedvalue="ff534d42"/>
- <field name="smb.nt.create_options.open_for_free_space_query" showname=".... .... 0... .... .... .... .... .... = Open For Free Space query: This is NOT an open for free space query" size="4" pos="44" show="0" value="0" unmaskedvalue="ff534d42"/>
- </field>
- <field name="smb.create.disposition" showname="Disposition: Open (if file exists open it, else fail) (1)" size="0" pos="120" show="1"/>
- </field>
- <field name="smb.wct" showname="Word Count (WCT): 10" size="1" pos="76" show="10" value="0a"/>
- <field name="smb.tpc" showname="Total Parameter Count: 0" size="2" pos="77" show="0" value="0000"/>
- <field name="smb.tdc" showname="Total Data Count: 28" size="2" pos="79" show="28" value="1c00"/>
- <field name="smb.reserved" showname="Reserved: 0000" size="2" pos="81" show="00:00" value="0000"/>
- <field name="smb.pc" showname="Parameter Count: 0" size="2" pos="83" show="0" value="0000"/>
- <field name="smb.po" showname="Parameter Offset: 56" size="2" pos="85" show="56" value="3800"/>
- <field name="smb.pd" showname="Parameter Displacement: 0" size="2" pos="87" show="0" value="0000"/>
- <field name="smb.dc" showname="Data Count: 28" size="2" pos="89" show="28" value="1c00"/>
- <field name="smb.data_offset" showname="Data Offset: 56" size="2" pos="91" show="56" value="3800"/>
- <field name="smb.data_disp" showname="Data Displacement: 0" size="2" pos="93" show="0" value="0000"/>
- <field name="smb.sc" showname="Setup Count: 0" size="1" pos="95" show="0" value="00"/>
- <field name="smb.reserved" showname="Reserved: 00" size="1" pos="96" show="00" value="00"/>
- <field name="smb.bcc" showname="Byte Count (BCC): 29" size="2" pos="97" show="29" value="1d00"/>
- <field name="smb.padding" showname="Padding: 00" size="1" pos="99" show="00" value="00"/>
- </field>
- </proto>
- <proto name="smb_pipe" showname="SMB Pipe Protocol" size="0" pos="0">
- <field name="smb_pipe.function" showname="Function: TransactNmPipe (0x0026)" size="0" pos="0" show="0x00000026"/>
- <field name="smb.fid" showname="FID: 0x2ea1 (\lsarpc)" size="0" pos="100" show="0x00002ea1">
- <field name="smb.fid.opened_in" showname="Opened in: 50258" size="0" pos="100" show="50258"/>
- <field name="smb.file" showname="File Name: \lsarpc" size="0" pos="100" show="\lsarpc"/>
- <field name="smb.create_flags" showname="Create Flags: 0x00000000" size="4" pos="100" show="0x00000000" value="05000203">
- <field name="smb.nt.create.oplock" showname=".... .... .... .... .... .... .... ..0. = Exclusive Oplock: Does NOT request oplock" size="4" pos="100" show="0" value="0" unmaskedvalue="05000203"/>
- <field name="smb.nt.create.batch_oplock" showname=".... .... .... .... .... .... .... .0.. = Batch Oplock: Does NOT request batch oplock" size="4" pos="100" show="0" value="0" unmaskedvalue="05000203"/>
- <field name="smb.nt.create.dir" showname=".... .... .... .... .... .... .... 0... = Create Directory: Target of open can be a file" size="4" pos="100" show="0" value="0" unmaskedvalue="05000203"/>
- <field name="smb.nt.create.ext" showname=".... .... .... .... .... .... ...0 .... = Extended Response: Extended responses NOT required" size="4" pos="100" show="0" value="0" unmaskedvalue="05000203"/>
- </field>
- <field name="smb.access_mask" showname="Access Mask: 0x0002019f" size="4" pos="100" show="0x0002019f" value="05000203">
- <field name="smb.access.read" showname=".... .... .... .... .... .... .... ...1 = Read: READ access" size="4" pos="100" show="1" value="FFFFFFFF" unmaskedvalue="05000203"/>
- <field name="smb.access.write" showname=".... .... .... .... .... .... .... ..1. = Write: WRITE access" size="4" pos="100" show="1" value="FFFFFFFF" unmaskedvalue="05000203"/>
- <field name="smb.access.append" showname=".... .... .... .... .... .... .... .1.. = Append: APPEND access" size="4" pos="100" show="1" value="FFFFFFFF" unmaskedvalue="05000203"/>
- <field name="smb.access.read_ea" showname=".... .... .... .... .... .... .... 1... = Read EA: READ EXTENDED ATTRIBUTES access" size="4" pos="100" show="1" value="FFFFFFFF" unmaskedvalue="05000203"/>
- <field name="smb.access.write_ea" showname=".... .... .... .... .... .... ...1 .... = Write EA: WRITE EXTENDED ATTRIBUTES access" size="4" pos="100" show="1" value="FFFFFFFF" unmaskedvalue="05000203"/>
- <field name="smb.access.execute" showname=".... .... .... .... .... .... ..0. .... = Execute: NO execute access" size="4" pos="100" show="0" value="0" unmaskedvalue="05000203"/>
- <field name="smb.access.delete_child" showname=".... .... .... .... .... .... .0.. .... = Delete Child: NO delete child access" size="4" pos="100" show="0" value="0" unmaskedvalue="05000203"/>
- <field name="smb.access.read_attributes" showname=".... .... .... .... .... .... 1... .... = Read Attributes: READ ATTRIBUTES access" size="4" pos="100" show="1" value="FFFFFFFF" unmaskedvalue="05000203"/>
- <field name="smb.access.write_attributes" showname=".... .... .... .... .... ...1 .... .... = Write Attributes: WRITE ATTRIBUTES access" size="4" pos="100" show="1" value="FFFFFFFF" unmaskedvalue="05000203"/>
- <field name="smb.access.delete" showname=".... .... .... ...0 .... .... .... .... = Delete: NO delete access" size="4" pos="100" show="0" value="0" unmaskedvalue="05000203"/>
- <field name="smb.access.read_control" showname=".... .... .... ..1. .... .... .... .... = Read Control: READ ACCESS to owner, group and ACL of the SID" size="4" pos="100" show="1" value="FFFFFFFF" unmaskedvalue="05000203"/>
- <field name="smb.access.write_dac" showname=".... .... .... .0.. .... .... .... .... = Write DAC: Owner may NOT write to the DAC" size="4" pos="100" show="0" value="0" unmaskedvalue="05000203"/>
- <field name="smb.access.write_owner" showname=".... .... .... 0... .... .... .... .... = Write Owner: Can NOT write owner (take ownership)" size="4" pos="100" show="0" value="0" unmaskedvalue="05000203"/>
- <field name="smb.access.synchronize" showname=".... .... ...0 .... .... .... .... .... = Synchronize: Can NOT wait on handle to synchronize on completion of I/O" size="4" pos="100" show="0" value="0" unmaskedvalue="05000203"/>
- <field name="smb.access.system_security" showname=".... ...0 .... .... .... .... .... .... = System Security: System security is NOT set" size="4" pos="100" show="0" value="0" unmaskedvalue="05000203"/>
- <field name="smb.access.maximum_allowed" showname=".... ..0. .... .... .... .... .... .... = Maximum Allowed: Maximum allowed is NOT set" size="4" pos="100" show="0" value="0" unmaskedvalue="05000203"/>
- <field name="smb.access.generic_all" showname="...0 .... .... .... .... .... .... .... = Generic All: Generic all is NOT set" size="4" pos="100" show="0" value="0" unmaskedvalue="05000203"/>
- <field name="smb.access.generic_execute" showname="..0. .... .... .... .... .... .... .... = Generic Execute: Generic execute is NOT set" size="4" pos="100" show="0" value="0" unmaskedvalue="05000203"/>
- <field name="smb.access.generic_write" showname=".0.. .... .... .... .... .... .... .... = Generic Write: Generic write is NOT set" size="4" pos="100" show="0" value="0" unmaskedvalue="05000203"/>
- <field name="smb.access.generic_read" showname="0... .... .... .... .... .... .... .... = Generic Read: Generic read is NOT set" size="4" pos="100" show="0" value="0" unmaskedvalue="05000203"/>
- </field>
- <field name="smb.file_attribute" showname="File Attributes: 0x00000000" size="4" pos="100" show="0x00000000" value="05000203">
- <field name="smb.file_attribute.read_only" showname=".... .... .... .... .... .... .... ...0 = Read Only: NOT read only" size="4" pos="100" show="0" value="0" unmaskedvalue="05000203"/>
- <field name="smb.file_attribute.hidden" showname=".... .... .... .... .... .... .... ..0. = Hidden: NOT hidden" size="4" pos="100" show="0" value="0" unmaskedvalue="05000203"/>
- <field name="smb.file_attribute.system" showname=".... .... .... .... .... .... .... .0.. = System: NOT a system file/dir" size="4" pos="100" show="0" value="0" unmaskedvalue="05000203"/>
- <field name="smb.file_attribute.volume" showname=".... .... .... .... .... .... .... 0... = Volume ID: NOT a volume ID" size="4" pos="100" show="0" value="0" unmaskedvalue="05000203"/>
- <field name="smb.file_attribute.directory" showname=".... .... .... .... .... .... ...0 .... = Directory: NOT a directory" size="4" pos="100" show="0" value="0" unmaskedvalue="05000203"/>
- <field name="smb.file_attribute.archive" showname=".... .... .... .... .... .... ..0. .... = Archive: Has NOT been modified since last archive" size="4" pos="100" show="0" value="0" unmaskedvalue="05000203"/>
- <field name="smb.file_attribute.device" showname=".... .... .... .... .... .... .0.. .... = Device: NOT a device" size="4" pos="100" show="0" value="0" unmaskedvalue="05000203"/>
- <field name="smb.file_attribute.normal" showname=".... .... .... .... .... .... 0... .... = Normal: Has some attribute set" size="4" pos="100" show="0" value="0" unmaskedvalue="05000203"/>
- <field name="smb.file_attribute.temporary" showname=".... .... .... .... .... ...0 .... .... = Temporary: NOT a temporary file" size="4" pos="100" show="0" value="0" unmaskedvalue="05000203"/>
- <field name="smb.file_attribute.sparse" showname=".... .... .... .... .... ..0. .... .... = Sparse: NOT a sparse file" size="4" pos="100" show="0" value="0" unmaskedvalue="05000203"/>
- <field name="smb.file_attribute.compressed" showname=".... .... .... .... .... 0... .... .... = Compressed: Uncompressed" size="4" pos="100" show="0" value="0" unmaskedvalue="05000203"/>
- <field name="smb.file_attribute.offline" showname=".... .... .... .... ...0 .... .... .... = Offline: Online" size="4" pos="100" show="0" value="0" unmaskedvalue="05000203"/>
- <field name="smb.file_attribute.not_content_indexed" showname=".... .... .... .... ..0. .... .... .... = Content Indexed: NOT content indexed" size="4" pos="100" show="0" value="0" unmaskedvalue="05000203"/>
- <field name="smb.file_attribute.encrypted" showname=".... .... .... .... .0.. .... .... .... = Encrypted: This is NOT an encrypted file" size="4" pos="100" show="0" value="0" unmaskedvalue="05000203"/>
- </field>
- <field name="smb.share_access" showname="Share Access: 0x00000003, Read, Write" size="4" pos="100" show="0x00000003" value="05000203">
- <field name="smb.share.access.read" showname=".... .... .... .... .... .... .... ...1 = Read: Object can be shared for READ" size="4" pos="100" show="1" value="FFFFFFFF" unmaskedvalue="05000203"/>
- <field name="smb.share.access.write" showname=".... .... .... .... .... .... .... ..1. = Write: Object can be shared for WRITE" size="4" pos="100" show="1" value="FFFFFFFF" unmaskedvalue="05000203"/>
- <field name="smb.share.access.delete" showname=".... .... .... .... .... .... .... .0.. = Delete: Object can NOT be shared for delete" size="4" pos="100" show="0" value="0" unmaskedvalue="05000203"/>
- </field>
- <field name="smb.create_options" showname="Create Options: 0x00000000" size="4" pos="100" show="0x00000000" value="05000203">
- <field name="smb.nt.create_options.directory" showname=".... .... .... .... .... .... .... ...0 = Directory: File being created/opened must not be a directory" size="4" pos="100" show="0" value="0" unmaskedvalue="05000203"/>
- <field name="smb.nt.create_options.write_through" showname=".... .... .... .... .... .... .... ..0. = Write Through: Writes need not flush buffered data before completing" size="4" pos="100" show="0" value="0" unmaskedvalue="05000203"/>
- <field name="smb.nt.create_options.sequential_only" showname=".... .... .... .... .... .... .... .0.. = Sequential Only: The file might not only be accessed sequentially" size="4" pos="100" show="0" value="0" unmaskedvalue="05000203"/>
- <field name="smb.nt.create_options.intermediate_buffering" showname=".... .... .... .... .... .... .... 0... = Intermediate Buffering: Intermediate buffering is allowed" size="4" pos="100" show="0" value="0" unmaskedvalue="05000203"/>
- <field name="smb.nt.create_options.sync_io_alert" showname=".... .... .... .... .... .... ...0 .... = Sync I/O Alert: Operations NOT necessarily synchronous" size="4" pos="100" show="0" value="0" unmaskedvalue="05000203"/>
- <field name="smb.nt.create_options.sync_io_nonalert" showname=".... .... .... .... .... .... ..0. .... = Sync I/O Nonalert: Operations NOT necessarily synchronous" size="4" pos="100" show="0" value="0" unmaskedvalue="05000203"/>
- <field name="smb.nt.create_options.non_directory" showname=".... .... .... .... .... .... .0.. .... = Non-Directory: File being created/opened must be a directory" size="4" pos="100" show="0" value="0" unmaskedvalue="05000203"/>
- <field name="smb.nt.create_options.create_tree_connection" showname=".... .... .... .... .... .... 0... .... = Create Tree Connection: Create Tree Connections is NOT set" size="4" pos="100" show="0" value="0" unmaskedvalue="05000203"/>
- <field name="smb.nt.create_options.complete_if_oplocked" showname=".... .... .... .... .... ...0 .... .... = Complete If Oplocked: Complete if oplocked is NOT set" size="4" pos="100" show="0" value="0" unmaskedvalue="05000203"/>
- <field name="smb.nt.create_options.no_ea_knowledge" showname=".... .... .... .... .... ..0. .... .... = No EA Knowledge: The client understands extended attributes" size="4" pos="100" show="0" value="0" unmaskedvalue="05000203"/>
- <field name="smb.nt.create_options.eight_dot_three_only" showname=".... .... .... .... .... .0.. .... .... = 8.3 Only: The client understands long file names" size="4" pos="100" show="0" value="0" unmaskedvalue="05000203"/>
- <field name="smb.nt.create_options.random_access" showname=".... .... .... .... .... 0... .... .... = Random Access: The file will not be accessed randomly" size="4" pos="100" show="0" value="0" unmaskedvalue="05000203"/>
- <field name="smb.nt.create_options.delete_on_close" showname=".... .... .... .... ...0 .... .... .... = Delete On Close: The file should not be deleted when it is closed" size="4" pos="100" show="0" value="0" unmaskedvalue="05000203"/>
- <field name="smb.nt.create_options.open_by_fileid" showname=".... .... .... .... ..0. .... .... .... = Open By FileID: OpenByFileID is NOT set" size="4" pos="100" show="0" value="0" unmaskedvalue="05000203"/>
- <field name="smb.nt.create_options.backup_intent" showname=".... .... .... .... .0.. .... .... .... = Backup Intent: This is a normal create" size="4" pos="100" show="0" value="0" unmaskedvalue="05000203"/>
- <field name="smb.nt.create_options.no_compression" showname=".... .... .... .... 0... .... .... .... = No Compression: Compression is allowed for Open/Create" size="4" pos="100" show="0" value="0" unmaskedvalue="05000203"/>
- <field name="smb.nt.create_options.reserve_opfilter" showname=".... .... ...0 .... .... .... .... .... = Reserve Opfilter: Reserve Opfilter is NOT set" size="4" pos="100" show="0" value="0" unmaskedvalue="05000203"/>
- <field name="smb.nt.create_options.open_reparse_point" showname=".... .... ..0. .... .... .... .... .... = Open Reparse Point: Normal open" size="4" pos="100" show="0" value="0" unmaskedvalue="05000203"/>
- <field name="smb.nt.create_options.open_no_recall" showname=".... .... .0.. .... .... .... .... .... = Open No Recall: Open no recall is NOT set" size="4" pos="100" show="0" value="0" unmaskedvalue="05000203"/>
- <field name="smb.nt.create_options.open_for_free_space_query" showname=".... .... 0... .... .... .... .... .... = Open For Free Space query: This is NOT an open for free space query" size="4" pos="100" show="0" value="0" unmaskedvalue="05000203"/>
- </field>
- <field name="smb.create.disposition" showname="Disposition: Open (if file exists open it, else fail) (1)" size="0" pos="100" show="1"/>
- </field>
- </proto>
- <proto name="dcerpc" showname="Distributed Computing Environment / Remote Procedure Call (DCE/RPC) Response, Fragment: Single, FragLen: 28, Call: 7, Ctx: 0, [Req: #50348]" size="28" pos="100">
- <field name="dcerpc.ver" showname="Version: 5" size="1" pos="100" show="5" value="05"/>
- <field name="dcerpc.ver_minor" showname="Version (minor): 0" size="1" pos="101" show="0" value="00"/>
- <field name="dcerpc.pkt_type" showname="Packet type: Response (2)" size="1" pos="102" show="2" value="02"/>
- <field name="dcerpc.cn_flags" showname="Packet Flags: 0x03" size="1" pos="103" show="0x00000003" value="03">
- <field name="dcerpc.cn_flags.object" showname="0... .... = Object: Not set" size="1" pos="103" show="0" value="0" unmaskedvalue="03"/>
- <field name="dcerpc.cn_flags.maybe" showname=".0.. .... = Maybe: Not set" size="1" pos="103" show="0" value="0" unmaskedvalue="03"/>
- <field name="dcerpc.cn_flags.dne" showname="..0. .... = Did Not Execute: Not set" size="1" pos="103" show="0" value="0" unmaskedvalue="03"/>
- <field name="dcerpc.cn_flags.mpx" showname="...0 .... = Multiplex: Not set" size="1" pos="103" show="0" value="0" unmaskedvalue="03"/>
- <field name="dcerpc.cn_flags.reserved" showname=".... 0... = Reserved: Not set" size="1" pos="103" show="0" value="0" unmaskedvalue="03"/>
- <field name="dcerpc.cn_flags.cancel_pending" showname=".... .0.. = Cancel Pending: Not set" size="1" pos="103" show="0" value="0" unmaskedvalue="03"/>
- <field name="dcerpc.cn_flags.last_frag" showname=".... ..1. = Last Frag: Set" size="1" pos="103" show="1" value="FFFFFFFF" unmaskedvalue="03"/>
- <field name="dcerpc.cn_flags.first_frag" showname=".... ...1 = First Frag: Set" size="1" pos="103" show="1" value="FFFFFFFF" unmaskedvalue="03"/>
- </field>
- <field name="dcerpc.drep" showname="Data Representation: 10000000" size="4" pos="104" show="10:00:00:00" value="10000000">
- <field name="dcerpc.drep.byteorder" showname="Byte order: Little-endian (1)" size="1" pos="104" show="1" value="10"/>
- <field name="dcerpc.drep.character" showname="Character: ASCII (0)" size="1" pos="104" show="0" value="10"/>
- <field name="dcerpc.drep.fp" showname="Floating-point: IEEE (0)" size="1" pos="105" show="0" value="00"/>
- </field>
- <field name="dcerpc.cn_frag_len" showname="Frag Length: 28" size="2" pos="108" show="28" value="1c00"/>
- <field name="dcerpc.cn_auth_len" showname="Auth Length: 0" size="2" pos="110" show="0" value="0000"/>
- <field name="dcerpc.cn_call_id" showname="Call ID: 7" size="4" pos="112" show="7" value="07000000"/>
- <field name="dcerpc.cn_alloc_hint" showname="Alloc hint: 4" size="4" pos="116" show="4" value="04000000"/>
- <field name="dcerpc.cn_ctx_id" showname="Context ID: 0" size="2" pos="120" show="0" value="0000"/>
- <field name="dcerpc.cn_cancel_count" showname="Cancel count: 0" size="1" pos="122" show="0" value="00"/>
- <field name="dcerpc.opnum" showname="Opnum: 27" size="0" pos="100" show="27"/>
- <field name="dcerpc.request_in" showname="Request in frame: 50348" size="0" pos="100" show="50348"/>
- <field name="dcerpc.time" showname="Time from request: 0.043267000 seconds" size="0" pos="124" show="0.043267000"/>
- </proto>
- <proto name="lsarpc" showname="Local Security Authority, lsa_SetInformationTrustedDomain" size="4" pos="124">
- <field name="lsarpc.opnum" showname="Operation: lsa_SetInformationTrustedDomain (27)" size="0" pos="124" show="27"/>
- <field name="dcerpc.request_in" showname="Request in frame: 50348" size="0" pos="124" show="50348"/>
- <field name="lsarpc.status" showname="NT Error: STATUS_SUCCESS (0x00000000)" size="4" pos="124" show="0x00000000" value="00000000"/>
- </proto>
-</packet>
-
-<packet>
- <proto name="geninfo" pos="0" showname="General information" size="196">
- <field name="num" pos="0" show="50491" showname="Number" value="c53b" size="196"/>
- <field name="len" pos="0" show="196" showname="Frame Length" value="c4" size="196"/>
- <field name="caplen" pos="0" show="196" showname="Captured Length" value="c4" size="196"/>
- <field name="timestamp" pos="0" show="Feb 10, 2017 14:37:59.853951000 NZDT" showname="Captured Time" value="1486690679.853951000" size="196"/>
- </proto>
- <proto name="frame" showname="Frame 50491: 196 bytes on wire (1568 bits), 196 bytes captured (1568 bits)" size="196" pos="0">
- <field name="frame.encap_type" showname="Encapsulation type: Raw IP (7)" size="0" pos="0" show="7"/>
- <field name="frame.time" showname="Arrival Time: Feb 10, 2017 14:37:59.853951000 NZDT" size="0" pos="0" show="Feb 10, 2017 14:37:59.853951000 NZDT"/>
- <field name="frame.offset_shift" showname="Time shift for this packet: 0.000000000 seconds" size="0" pos="0" show="0.000000000"/>
- <field name="frame.time_epoch" showname="Epoch Time: 1486690679.853951000 seconds" size="0" pos="0" show="1486690679.853951000"/>
- <field name="frame.time_delta" showname="Time delta from previous captured frame: 0.000093000 seconds" size="0" pos="0" show="0.000093000"/>
- <field name="frame.time_delta_displayed" showname="Time delta from previous displayed frame: 0.000093000 seconds" size="0" pos="0" show="0.000093000"/>
- <field name="frame.time_relative" showname="Time since reference or first frame: 103.323500000 seconds" size="0" pos="0" show="103.323500000"/>
- <field name="frame.number" showname="Frame Number: 50491" size="0" pos="0" show="50491"/>
- <field name="frame.len" showname="Frame Length: 196 bytes (1568 bits)" size="0" pos="0" show="196"/>
- <field name="frame.cap_len" showname="Capture Length: 196 bytes (1568 bits)" size="0" pos="0" show="196"/>
- <field name="frame.marked" showname="Frame is marked: False" size="0" pos="0" show="0"/>
- <field name="frame.ignored" showname="Frame is ignored: False" size="0" pos="0" show="0"/>
- <field name="frame.protocols" showname="Protocols in frame: raw:ip:tcp:dcerpc" size="0" pos="0" show="raw:ip:tcp:dcerpc"/>
- </proto>
- <proto name="raw" showname="Raw packet data" size="196" pos="0"/>
- <proto name="ip" showname="Internet Protocol Version 4, Src: 127.0.0.27, Dst: 127.0.0.30" size="20" pos="0">
- <field name="ip.version" showname="0100 .... = Version: 4" size="1" pos="0" show="4" value="4" unmaskedvalue="45"/>
- <field name="ip.hdr_len" showname=".... 0101 = Header Length: 20 bytes" size="1" pos="0" show="5" value="5" unmaskedvalue="45"/>
- <field name="ip.dsfield" showname="Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)" size="1" pos="1" show="0x00000000" value="00">
- <field name="ip.dsfield.dscp" showname="0000 00.. = Differentiated Services Codepoint: Default (0)" size="1" pos="1" show="0" value="0" unmaskedvalue="00"/>
- <field name="ip.dsfield.ecn" showname=".... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)" size="1" pos="1" show="0" value="0" unmaskedvalue="00"/>
- </field>
- <field name="ip.len" showname="Total Length: 196" size="2" pos="2" show="196" value="00c4"/>
- <field name="ip.id" showname="Identification: 0xffff (65535)" size="2" pos="4" show="0x0000ffff" value="ffff"/>
- <field name="ip.flags" showname="Flags: 0x02 (Don&#x27;t Fragment)" size="1" pos="6" show="0x00000002" value="40">
- <field name="ip.flags.rb" showname="0... .... = Reserved bit: Not set" size="1" pos="6" show="0" value="40"/>
- <field name="ip.flags.df" showname=".1.. .... = Don&#x27;t fragment: Set" size="1" pos="6" show="1" value="40"/>
- <field name="ip.flags.mf" showname="..0. .... = More fragments: Not set" size="1" pos="6" show="0" value="40"/>
- </field>
- <field name="ip.frag_offset" showname="Fragment offset: 0" size="2" pos="6" show="0" value="4000"/>
- <field name="ip.ttl" showname="Time to live: 255" size="1" pos="8" show="255" value="ff"/>
- <field name="ip.proto" showname="Protocol: TCP (6)" size="1" pos="9" show="6" value="06"/>
- <field name="ip.checksum" showname="Header checksum: 0x0000 [validation disabled]" size="2" pos="10" show="0x00000000" value="0000">
- <field name="ip.checksum_good" showname="Good: False" size="2" pos="10" show="0" value="0000"/>
- <field name="ip.checksum_bad" showname="Bad: False" size="2" pos="10" show="0" value="0000"/>
- </field>
- <field name="ip.src" showname="Source: 127.0.0.27" size="4" pos="12" show="127.0.0.27" value="7f00001b"/>
- <field name="ip.addr" showname="Source or Destination Address: 127.0.0.27" hide="yes" size="4" pos="12" show="127.0.0.27" value="7f00001b"/>
- <field name="ip.src_host" showname="Source Host: 127.0.0.27" hide="yes" size="4" pos="12" show="127.0.0.27" value="7f00001b"/>
- <field name="ip.host" showname="Source or Destination Host: 127.0.0.27" hide="yes" size="4" pos="12" show="127.0.0.27" value="7f00001b"/>
- <field name="ip.dst" showname="Destination: 127.0.0.30" size="4" pos="16" show="127.0.0.30" value="7f00001e"/>
- <field name="ip.addr" showname="Source or Destination Address: 127.0.0.30" hide="yes" size="4" pos="16" show="127.0.0.30" value="7f00001e"/>
- <field name="ip.dst_host" showname="Destination Host: 127.0.0.30" hide="yes" size="4" pos="16" show="127.0.0.30" value="7f00001e"/>
- <field name="ip.host" showname="Source or Destination Host: 127.0.0.30" hide="yes" size="4" pos="16" show="127.0.0.30" value="7f00001e"/>
- <field name="" show="Source GeoIP: Unknown" size="4" pos="12" value="7f00001b"/>
- <field name="" show="Destination GeoIP: Unknown" size="4" pos="16" value="7f00001e"/>
- </proto>
- <proto name="tcp" showname="Transmission Control Protocol, Src Port: 17934 (17934), Dst Port: 135 (135), Seq: 73, Ack: 61, Len: 156" size="20" pos="20">
- <field name="tcp.srcport" showname="Source Port: 17934" size="2" pos="20" show="17934" value="460e"/>
- <field name="tcp.dstport" showname="Destination Port: 135" size="2" pos="22" show="135" value="0087"/>
- <field name="tcp.port" showname="Source or Destination Port: 17934" hide="yes" size="2" pos="20" show="17934" value="460e"/>
- <field name="tcp.port" showname="Source or Destination Port: 135" hide="yes" size="2" pos="22" show="135" value="0087"/>
- <field name="tcp.stream" showname="Stream index: 1183" size="0" pos="20" show="1183"/>
- <field name="tcp.len" showname="TCP Segment Len: 156" size="1" pos="32" show="156" value="50"/>
- <field name="tcp.seq" showname="Sequence number: 73 (relative sequence number)" size="4" pos="24" show="73" value="00000049"/>
- <field name="tcp.nxtseq" showname="Next sequence number: 229 (relative sequence number)" size="0" pos="20" show="229"/>
- <field name="tcp.ack" showname="Acknowledgment number: 61 (relative ack number)" size="4" pos="28" show="61" value="0000003d"/>
- <field name="tcp.hdr_len" showname="Header Length: 20 bytes" size="1" pos="32" show="20" value="50"/>
- <field name="tcp.flags" showname="Flags: 0x018 (PSH, ACK)" size="2" pos="32" show="0x00000018" value="18" unmaskedvalue="5018">
- <field name="tcp.flags.res" showname="000. .... .... = Reserved: Not set" size="1" pos="32" show="0" value="0" unmaskedvalue="50"/>
- <field name="tcp.flags.ns" showname="...0 .... .... = Nonce: Not set" size="1" pos="32" show="0" value="0" unmaskedvalue="50"/>
- <field name="tcp.flags.cwr" showname=".... 0... .... = Congestion Window Reduced (CWR): Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
- <field name="tcp.flags.ecn" showname=".... .0.. .... = ECN-Echo: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
- <field name="tcp.flags.urg" showname=".... ..0. .... = Urgent: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
- <field name="tcp.flags.ack" showname=".... ...1 .... = Acknowledgment: Set" size="1" pos="33" show="1" value="FFFFFFFF" unmaskedvalue="18"/>
- <field name="tcp.flags.push" showname=".... .... 1... = Push: Set" size="1" pos="33" show="1" value="FFFFFFFF" unmaskedvalue="18"/>
- <field name="tcp.flags.reset" showname=".... .... .0.. = Reset: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
- <field name="tcp.flags.syn" showname=".... .... ..0. = Syn: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
- <field name="tcp.flags.fin" showname=".... .... ...0 = Fin: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
- <field name="tcp.flags.str" showname="TCP Flags: *******AP***" size="2" pos="32" show="*******AP***" value="5018"/>
- </field>
- <field name="tcp.window_size_value" showname="Window size value: 32767" size="2" pos="34" show="32767" value="7fff"/>
- <field name="tcp.window_size" showname="Calculated window size: 32767" size="2" pos="34" show="32767" value="7fff"/>
- <field name="tcp.window_size_scalefactor" showname="Window size scaling factor: -2 (no window scaling used)" size="2" pos="34" show="-2" value="7fff"/>
- <field name="tcp.checksum" showname="Checksum: 0x0000 [validation disabled]" size="2" pos="36" show="0x00000000" value="0000">
- <field name="tcp.checksum_good" showname="Good Checksum: False" size="2" pos="36" show="0" value="0000"/>
- <field name="tcp.checksum_bad" showname="Bad Checksum: False" size="2" pos="36" show="0" value="0000"/>
- </field>
- <field name="tcp.urgent_pointer" showname="Urgent pointer: 0" size="2" pos="38" show="0" value="0000"/>
- <field name="tcp.analysis" showname="SEQ/ACK analysis" size="0" pos="20" show="" value="">
- <field name="tcp.analysis.acks_frame" showname="This is an ACK to the segment in frame: 50487" size="0" pos="20" show="50487"/>
- <field name="tcp.analysis.ack_rtt" showname="The RTT to ACK the segment was: 0.000158000 seconds" size="0" pos="20" show="0.000158000"/>
- <field name="tcp.analysis.initial_rtt" showname="iRTT: 0.000013000 seconds" size="0" pos="20" show="0.000013000"/>
- <field name="tcp.analysis.bytes_in_flight" showname="Bytes in flight: 156" size="0" pos="20" show="156"/>
- </field>
- </proto>
- <proto name="dcerpc" showname="Distributed Computing Environment / Remote Procedure Call (DCE/RPC) Request, Fragment: Single, FragLen: 156, Call: 9, Ctx: 0" size="156" pos="40">
- <field name="dcerpc.ver" showname="Version: 5" size="1" pos="40" show="5" value="05"/>
- <field name="dcerpc.ver_minor" showname="Version (minor): 0" size="1" pos="41" show="0" value="00"/>
- <field name="dcerpc.pkt_type" showname="Packet type: Request (0)" size="1" pos="42" show="0" value="00"/>
- <field name="dcerpc.cn_flags" showname="Packet Flags: 0x03" size="1" pos="43" show="0x00000003" value="03">
- <field name="dcerpc.cn_flags.object" showname="0... .... = Object: Not set" size="1" pos="43" show="0" value="0" unmaskedvalue="03"/>
- <field name="dcerpc.cn_flags.maybe" showname=".0.. .... = Maybe: Not set" size="1" pos="43" show="0" value="0" unmaskedvalue="03"/>
- <field name="dcerpc.cn_flags.dne" showname="..0. .... = Did Not Execute: Not set" size="1" pos="43" show="0" value="0" unmaskedvalue="03"/>
- <field name="dcerpc.cn_flags.mpx" showname="...0 .... = Multiplex: Not set" size="1" pos="43" show="0" value="0" unmaskedvalue="03"/>
- <field name="dcerpc.cn_flags.reserved" showname=".... 0... = Reserved: Not set" size="1" pos="43" show="0" value="0" unmaskedvalue="03"/>
- <field name="dcerpc.cn_flags.cancel_pending" showname=".... .0.. = Cancel Pending: Not set" size="1" pos="43" show="0" value="0" unmaskedvalue="03"/>
- <field name="dcerpc.cn_flags.last_frag" showname=".... ..1. = Last Frag: Set" size="1" pos="43" show="1" value="FFFFFFFF" unmaskedvalue="03"/>
- <field name="dcerpc.cn_flags.first_frag" showname=".... ...1 = First Frag: Set" size="1" pos="43" show="1" value="FFFFFFFF" unmaskedvalue="03"/>
- </field>
- <field name="dcerpc.drep" showname="Data Representation: 10000000" size="4" pos="44" show="10:00:00:00" value="10000000">
- <field name="dcerpc.drep.byteorder" showname="Byte order: Little-endian (1)" size="1" pos="44" show="1" value="10"/>
- <field name="dcerpc.drep.character" showname="Character: ASCII (0)" size="1" pos="44" show="0" value="10"/>
- <field name="dcerpc.drep.fp" showname="Floating-point: IEEE (0)" size="1" pos="45" show="0" value="00"/>
- </field>
- <field name="dcerpc.cn_frag_len" showname="Frag Length: 156" size="2" pos="48" show="156" value="9c00"/>
- <field name="dcerpc.cn_auth_len" showname="Auth Length: 0" size="2" pos="50" show="0" value="0000"/>
- <field name="dcerpc.cn_call_id" showname="Call ID: 9" size="4" pos="52" show="9" value="09000000"/>
- <field name="dcerpc.cn_alloc_hint" showname="Alloc hint: 132" size="4" pos="56" show="132" value="84000000"/>
- <field name="dcerpc.cn_ctx_id" showname="Context ID: 0" size="2" pos="60" show="0" value="0000"/>
- <field name="dcerpc.opnum" showname="Opnum: 3" size="2" pos="62" show="3" value="0300"/>
- </proto>
- <proto name="epm" showname="DCE/RPC Endpoint Mapper, Map" size="132" pos="64">
- <field name="epm.opnum" showname="Operation: Map (3)" size="0" pos="64" show="3"/>
- <field name="" show="UUID pointer:" size="20" pos="64" value="01000000785634123412cdabef0001234567cffb">
- <field name="dcerpc.referent_id" showname="Referent ID: 0x00000001" size="4" pos="64" show="0x00000001" value="01000000"/>
- <field name="epm.uuid" showname="UUID: 12345678-1234-abcd-ef00-01234567cffb" size="16" pos="68" show="12345678-1234-abcd-ef00-01234567cffb" value="785634123412cdabef0001234567cffb"/>
- </field>
- <field name="" show="Tower pointer:" size="87" pos="84" value="020000004b0000004b000000050013000d785634123412cdabef0001234567cffb01000200000013000d045d888aeb1cc9119fe808002b10486002000200000001000b0200000001000702000087010009040000000000">
- <field name="dcerpc.referent_id" showname="Referent ID: 0x00000002" size="4" pos="84" show="0x00000002" value="02000000"/>
- <field name="epm.tower.len" showname="Length: 75" size="4" pos="88" show="75" value="4b000000"/>
- <field name="epm.tower.len" showname="Length: 75" size="4" pos="92" show="75" value="4b000000"/>
- <field name="epm.tower.num_floors" showname="Number of floors: 5" size="2" pos="96" show="5" value="0500"/>
- <field name="" show="Floor 1 UUID: RPC_NETLOGON" size="25" pos="98" value="13000d785634123412cdabef0001234567cffb010002000000">
- <field name="epm.tower.lhs.len" showname="LHS Length: 19" size="2" pos="98" show="19" value="1300"/>
- <field name="epm.tower.proto_id" showname="Protocol: UUID (0x0d)" size="1" pos="100" show="0x0000000d" value="0d"/>
- <field name="epm.uuid" showname="UUID: RPC_NETLOGON (12345678-1234-abcd-ef00-01234567cffb)" size="16" pos="101" show="12345678-1234-abcd-ef00-01234567cffb" value="785634123412cdabef0001234567cffb"/>
- <field name="epm.uuid_version" showname="Version: 1.00" size="2" pos="117" show="256" value="0100"/>
- <field name="epm.tower.rhs.len" showname="RHS Length: 2" size="2" pos="119" show="2" value="0200"/>
- <field name="epm.ver_min" showname="Version Minor: 0" size="2" pos="121" show="0" value="0000"/>
- </field>
- <field name="" show="Floor 2 UUID: 32bit NDR" size="25" pos="123" value="13000d045d888aeb1cc9119fe808002b104860020002000000">
- <field name="epm.tower.lhs.len" showname="LHS Length: 19" size="2" pos="123" show="19" value="1300"/>
- <field name="epm.tower.proto_id" showname="Protocol: UUID (0x0d)" size="1" pos="125" show="0x0000000d" value="0d"/>
- <field name="epm.uuid" showname="UUID: 32bit NDR (8a885d04-1ceb-11c9-9fe8-08002b104860)" size="16" pos="126" show="8a885d04-1ceb-11c9-9fe8-08002b104860" value="045d888aeb1cc9119fe808002b104860"/>
- <field name="epm.uuid_version" showname="Version: 2.00" size="2" pos="142" show="512" value="0200"/>
- <field name="epm.tower.rhs.len" showname="RHS Length: 2" size="2" pos="144" show="2" value="0200"/>
- <field name="epm.ver_min" showname="Version Minor: 0" size="2" pos="146" show="0" value="0000"/>
- </field>
- <field name="" show="Floor 3 RPC connection-oriented protocol" size="7" pos="148" value="01000b02000000">
- <field name="epm.tower.lhs.len" showname="LHS Length: 1" size="2" pos="148" show="1" value="0100"/>
- <field name="epm.tower.proto_id" showname="Protocol: RPC connection-oriented protocol (0x0b)" size="1" pos="150" show="0x0000000b" value="0b"/>
- <field name="epm.tower.rhs.len" showname="RHS Length: 2" size="2" pos="151" show="2" value="0200"/>
- </field>
- <field name="" show="Floor 4 TCP Port:135" size="7" pos="155" value="01000702000087">
- <field name="epm.tower.lhs.len" showname="LHS Length: 1" size="2" pos="155" show="1" value="0100"/>
- <field name="epm.tower.proto_id" showname="Protocol: DOD TCP (0x07)" size="1" pos="157" show="0x00000007" value="07"/>
- <field name="epm.tower.rhs.len" showname="RHS Length: 2" size="2" pos="158" show="2" value="0200"/>
- <field name="epm.proto.ip" showname="IP: 0.0.0.0" size="4" pos="167" show="0.0.0.0" value="00000000"/>
- </field>
- </field>
- <field name="epm.hnd" showname="Handle: 0000000000000000000000000000000000000000" size="20" pos="172" show="00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00" value="0000000000000000000000000000000000000000"/>
- <field name="epm.max_towers" showname="Max Towers: 1" size="4" pos="192" show="1" value="01000000"/>
- </proto>
-</packet>
-
-<packet>
- <proto name="geninfo" pos="0" showname="General information" size="172">
- <field name="num" pos="0" show="50520" showname="Number" value="c558" size="172"/>
- <field name="len" pos="0" show="172" showname="Frame Length" value="ac" size="172"/>
- <field name="caplen" pos="0" show="172" showname="Captured Length" value="ac" size="172"/>
- <field name="timestamp" pos="0" show="Feb 10, 2017 14:37:59.854842000 NZDT" showname="Captured Time" value="1486690679.854842000" size="172"/>
- </proto>
- <proto name="frame" showname="Frame 50520: 172 bytes on wire (1376 bits), 172 bytes captured (1376 bits)" size="172" pos="0">
- <field name="frame.encap_type" showname="Encapsulation type: Raw IP (7)" size="0" pos="0" show="7"/>
- <field name="frame.time" showname="Arrival Time: Feb 10, 2017 14:37:59.854842000 NZDT" size="0" pos="0" show="Feb 10, 2017 14:37:59.854842000 NZDT"/>
- <field name="frame.offset_shift" showname="Time shift for this packet: 0.000000000 seconds" size="0" pos="0" show="0.000000000"/>
- <field name="frame.time_epoch" showname="Epoch Time: 1486690679.854842000 seconds" size="0" pos="0" show="1486690679.854842000"/>
- <field name="frame.time_delta" showname="Time delta from previous captured frame: 0.000094000 seconds" size="0" pos="0" show="0.000094000"/>
- <field name="frame.time_delta_displayed" showname="Time delta from previous displayed frame: 0.000094000 seconds" size="0" pos="0" show="0.000094000"/>
- <field name="frame.time_relative" showname="Time since reference or first frame: 103.324391000 seconds" size="0" pos="0" show="103.324391000"/>
- <field name="frame.number" showname="Frame Number: 50520" size="0" pos="0" show="50520"/>
- <field name="frame.len" showname="Frame Length: 172 bytes (1376 bits)" size="0" pos="0" show="172"/>
- <field name="frame.cap_len" showname="Capture Length: 172 bytes (1376 bits)" size="0" pos="0" show="172"/>
- <field name="frame.marked" showname="Frame is marked: False" size="0" pos="0" show="0"/>
- <field name="frame.ignored" showname="Frame is ignored: False" size="0" pos="0" show="0"/>
- <field name="frame.protocols" showname="Protocols in frame: raw:ip:tcp:dcerpc" size="0" pos="0" show="raw:ip:tcp:dcerpc"/>
- </proto>
- <proto name="raw" showname="Raw packet data" size="172" pos="0"/>
- <proto name="ip" showname="Internet Protocol Version 4, Src: 127.0.0.27, Dst: 127.0.0.30" size="20" pos="0">
- <field name="ip.version" showname="0100 .... = Version: 4" size="1" pos="0" show="4" value="4" unmaskedvalue="45"/>
- <field name="ip.hdr_len" showname=".... 0101 = Header Length: 20 bytes" size="1" pos="0" show="5" value="5" unmaskedvalue="45"/>
- <field name="ip.dsfield" showname="Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)" size="1" pos="1" show="0x00000000" value="00">
- <field name="ip.dsfield.dscp" showname="0000 00.. = Differentiated Services Codepoint: Default (0)" size="1" pos="1" show="0" value="0" unmaskedvalue="00"/>
- <field name="ip.dsfield.ecn" showname=".... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)" size="1" pos="1" show="0" value="0" unmaskedvalue="00"/>
- </field>
- <field name="ip.len" showname="Total Length: 172" size="2" pos="2" show="172" value="00ac"/>
- <field name="ip.id" showname="Identification: 0xffff (65535)" size="2" pos="4" show="0x0000ffff" value="ffff"/>
- <field name="ip.flags" showname="Flags: 0x02 (Don&#x27;t Fragment)" size="1" pos="6" show="0x00000002" value="40">
- <field name="ip.flags.rb" showname="0... .... = Reserved bit: Not set" size="1" pos="6" show="0" value="40"/>
- <field name="ip.flags.df" showname=".1.. .... = Don&#x27;t fragment: Set" size="1" pos="6" show="1" value="40"/>
- <field name="ip.flags.mf" showname="..0. .... = More fragments: Not set" size="1" pos="6" show="0" value="40"/>
- </field>
- <field name="ip.frag_offset" showname="Fragment offset: 0" size="2" pos="6" show="0" value="4000"/>
- <field name="ip.ttl" showname="Time to live: 255" size="1" pos="8" show="255" value="ff"/>
- <field name="ip.proto" showname="Protocol: TCP (6)" size="1" pos="9" show="6" value="06"/>
- <field name="ip.checksum" showname="Header checksum: 0x0000 [validation disabled]" size="2" pos="10" show="0x00000000" value="0000">
- <field name="ip.checksum_good" showname="Good: False" size="2" pos="10" show="0" value="0000"/>
- <field name="ip.checksum_bad" showname="Bad: False" size="2" pos="10" show="0" value="0000"/>
- </field>
- <field name="ip.src" showname="Source: 127.0.0.27" size="4" pos="12" show="127.0.0.27" value="7f00001b"/>
- <field name="ip.addr" showname="Source or Destination Address: 127.0.0.27" hide="yes" size="4" pos="12" show="127.0.0.27" value="7f00001b"/>
- <field name="ip.src_host" showname="Source Host: 127.0.0.27" hide="yes" size="4" pos="12" show="127.0.0.27" value="7f00001b"/>
- <field name="ip.host" showname="Source or Destination Host: 127.0.0.27" hide="yes" size="4" pos="12" show="127.0.0.27" value="7f00001b"/>
- <field name="ip.dst" showname="Destination: 127.0.0.30" size="4" pos="16" show="127.0.0.30" value="7f00001e"/>
- <field name="ip.addr" showname="Source or Destination Address: 127.0.0.30" hide="yes" size="4" pos="16" show="127.0.0.30" value="7f00001e"/>
- <field name="ip.dst_host" showname="Destination Host: 127.0.0.30" hide="yes" size="4" pos="16" show="127.0.0.30" value="7f00001e"/>
- <field name="ip.host" showname="Source or Destination Host: 127.0.0.30" hide="yes" size="4" pos="16" show="127.0.0.30" value="7f00001e"/>
- <field name="" show="Source GeoIP: Unknown" size="4" pos="12" value="7f00001b"/>
- <field name="" show="Destination GeoIP: Unknown" size="4" pos="16" value="7f00001e"/>
- </proto>
- <proto name="tcp" showname="Transmission Control Protocol, Src Port: 17935 (17935), Dst Port: 1026 (1026), Seq: 73, Ack: 61, Len: 132" size="20" pos="20">
- <field name="tcp.srcport" showname="Source Port: 17935" size="2" pos="20" show="17935" value="460f"/>
- <field name="tcp.dstport" showname="Destination Port: 1026" size="2" pos="22" show="1026" value="0402"/>
- <field name="tcp.port" showname="Source or Destination Port: 17935" hide="yes" size="2" pos="20" show="17935" value="460f"/>
- <field name="tcp.port" showname="Source or Destination Port: 1026" hide="yes" size="2" pos="22" show="1026" value="0402"/>
- <field name="tcp.stream" showname="Stream index: 1184" size="0" pos="20" show="1184"/>
- <field name="tcp.len" showname="TCP Segment Len: 132" size="1" pos="32" show="132" value="50"/>
- <field name="tcp.seq" showname="Sequence number: 73 (relative sequence number)" size="4" pos="24" show="73" value="00000049"/>
- <field name="tcp.nxtseq" showname="Next sequence number: 205 (relative sequence number)" size="0" pos="20" show="205"/>
- <field name="tcp.ack" showname="Acknowledgment number: 61 (relative ack number)" size="4" pos="28" show="61" value="0000003d"/>
- <field name="tcp.hdr_len" showname="Header Length: 20 bytes" size="1" pos="32" show="20" value="50"/>
- <field name="tcp.flags" showname="Flags: 0x018 (PSH, ACK)" size="2" pos="32" show="0x00000018" value="18" unmaskedvalue="5018">
- <field name="tcp.flags.res" showname="000. .... .... = Reserved: Not set" size="1" pos="32" show="0" value="0" unmaskedvalue="50"/>
- <field name="tcp.flags.ns" showname="...0 .... .... = Nonce: Not set" size="1" pos="32" show="0" value="0" unmaskedvalue="50"/>
- <field name="tcp.flags.cwr" showname=".... 0... .... = Congestion Window Reduced (CWR): Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
- <field name="tcp.flags.ecn" showname=".... .0.. .... = ECN-Echo: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
- <field name="tcp.flags.urg" showname=".... ..0. .... = Urgent: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
- <field name="tcp.flags.ack" showname=".... ...1 .... = Acknowledgment: Set" size="1" pos="33" show="1" value="FFFFFFFF" unmaskedvalue="18"/>
- <field name="tcp.flags.push" showname=".... .... 1... = Push: Set" size="1" pos="33" show="1" value="FFFFFFFF" unmaskedvalue="18"/>
- <field name="tcp.flags.reset" showname=".... .... .0.. = Reset: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
- <field name="tcp.flags.syn" showname=".... .... ..0. = Syn: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
- <field name="tcp.flags.fin" showname=".... .... ...0 = Fin: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
- <field name="tcp.flags.str" showname="TCP Flags: *******AP***" size="2" pos="32" show="*******AP***" value="5018"/>
- </field>
- <field name="tcp.window_size_value" showname="Window size value: 32767" size="2" pos="34" show="32767" value="7fff"/>
- <field name="tcp.window_size" showname="Calculated window size: 32767" size="2" pos="34" show="32767" value="7fff"/>
- <field name="tcp.window_size_scalefactor" showname="Window size scaling factor: -2 (no window scaling used)" size="2" pos="34" show="-2" value="7fff"/>
- <field name="tcp.checksum" showname="Checksum: 0x0000 [validation disabled]" size="2" pos="36" show="0x00000000" value="0000">
- <field name="tcp.checksum_good" showname="Good Checksum: False" size="2" pos="36" show="0" value="0000"/>
- <field name="tcp.checksum_bad" showname="Bad Checksum: False" size="2" pos="36" show="0" value="0000"/>
- </field>
- <field name="tcp.urgent_pointer" showname="Urgent pointer: 0" size="2" pos="38" show="0" value="0000"/>
- <field name="tcp.analysis" showname="SEQ/ACK analysis" size="0" pos="20" show="" value="">
- <field name="tcp.analysis.acks_frame" showname="This is an ACK to the segment in frame: 50516" size="0" pos="20" show="50516"/>
- <field name="tcp.analysis.ack_rtt" showname="The RTT to ACK the segment was: 0.000138000 seconds" size="0" pos="20" show="0.000138000"/>
- <field name="tcp.analysis.initial_rtt" showname="iRTT: 0.000011000 seconds" size="0" pos="20" show="0.000011000"/>
- <field name="tcp.analysis.bytes_in_flight" showname="Bytes in flight: 132" size="0" pos="20" show="132"/>
- </field>
- </proto>
- <proto name="dcerpc" showname="Distributed Computing Environment / Remote Procedure Call (DCE/RPC) Request, Fragment: Single, FragLen: 132, Call: 11, Ctx: 0" size="132" pos="40">
- <field name="dcerpc.ver" showname="Version: 5" size="1" pos="40" show="5" value="05"/>
- <field name="dcerpc.ver_minor" showname="Version (minor): 0" size="1" pos="41" show="0" value="00"/>
- <field name="dcerpc.pkt_type" showname="Packet type: Request (0)" size="1" pos="42" show="0" value="00"/>
- <field name="dcerpc.cn_flags" showname="Packet Flags: 0x03" size="1" pos="43" show="0x00000003" value="03">
- <field name="dcerpc.cn_flags.object" showname="0... .... = Object: Not set" size="1" pos="43" show="0" value="0" unmaskedvalue="03"/>
- <field name="dcerpc.cn_flags.maybe" showname=".0.. .... = Maybe: Not set" size="1" pos="43" show="0" value="0" unmaskedvalue="03"/>
- <field name="dcerpc.cn_flags.dne" showname="..0. .... = Did Not Execute: Not set" size="1" pos="43" show="0" value="0" unmaskedvalue="03"/>
- <field name="dcerpc.cn_flags.mpx" showname="...0 .... = Multiplex: Not set" size="1" pos="43" show="0" value="0" unmaskedvalue="03"/>
- <field name="dcerpc.cn_flags.reserved" showname=".... 0... = Reserved: Not set" size="1" pos="43" show="0" value="0" unmaskedvalue="03"/>
- <field name="dcerpc.cn_flags.cancel_pending" showname=".... .0.. = Cancel Pending: Not set" size="1" pos="43" show="0" value="0" unmaskedvalue="03"/>
- <field name="dcerpc.cn_flags.last_frag" showname=".... ..1. = Last Frag: Set" size="1" pos="43" show="1" value="FFFFFFFF" unmaskedvalue="03"/>
- <field name="dcerpc.cn_flags.first_frag" showname=".... ...1 = First Frag: Set" size="1" pos="43" show="1" value="FFFFFFFF" unmaskedvalue="03"/>
- </field>
- <field name="dcerpc.drep" showname="Data Representation: 10000000" size="4" pos="44" show="10:00:00:00" value="10000000">
- <field name="dcerpc.drep.byteorder" showname="Byte order: Little-endian (1)" size="1" pos="44" show="1" value="10"/>
- <field name="dcerpc.drep.character" showname="Character: ASCII (0)" size="1" pos="44" show="0" value="10"/>
- <field name="dcerpc.drep.fp" showname="Floating-point: IEEE (0)" size="1" pos="45" show="0" value="00"/>
- </field>
- <field name="dcerpc.cn_frag_len" showname="Frag Length: 132" size="2" pos="48" show="132" value="8400"/>
- <field name="dcerpc.cn_auth_len" showname="Auth Length: 0" size="2" pos="50" show="0" value="0000"/>
- <field name="dcerpc.cn_call_id" showname="Call ID: 11" size="4" pos="52" show="11" value="0b000000"/>
- <field name="dcerpc.cn_alloc_hint" showname="Alloc hint: 108" size="4" pos="56" show="108" value="6c000000"/>
- <field name="dcerpc.cn_ctx_id" showname="Context ID: 0" size="2" pos="60" show="0" value="0000"/>
- <field name="dcerpc.opnum" showname="Opnum: 4" size="2" pos="62" show="4" value="0400"/>
- </proto>
- <proto name="rpc_netlogon" showname="Microsoft Network Logon, NetrServerReqChallenge" size="108" pos="64">
- <field name="netlogon.opnum" showname="Operation: NetrServerReqChallenge (4)" size="0" pos="64" show="4"/>
- <field name="" show="Server Handle: \\addc.addom.samba.example.com" size="78" pos="64" value="000002001f000000000000001f0000005c005c0061006400640063002e006100640064006f006d002e00730061006d00620061002e006500780061006d0070006c0065002e0063006f006d000000">
- <field name="dcerpc.referent_id" showname="Referent ID: 0x00020000" size="4" pos="64" show="0x00020000" value="00000200"/>
- <field name="dcerpc.array.max_count" showname="Max Count: 31" size="4" pos="68" show="31" value="1f000000"/>
- <field name="dcerpc.array.offset" showname="Offset: 0" size="4" pos="72" show="0" value="00000000"/>
- <field name="dcerpc.array.actual_count" showname="Actual Count: 31" size="4" pos="76" show="31" value="1f000000"/>
- <field name="netlogon.handle" showname="Handle: \\addc.addom.samba.example.com" size="62" pos="80" show="\\addc.addom.samba.example.com" value="5c005c0061006400640063002e006100640064006f006d002e00730061006d00620061002e006500780061006d0070006c0065002e0063006f006d000000"/>
- </field>
- <field name="" show="Computer Name: DC7" size="22" pos="142" value="00000400000000000000040000004400430037000000">
- <field name="dcerpc.array.max_count" showname="Max Count: 4" size="4" pos="144" show="4" value="04000000"/>
- <field name="dcerpc.array.offset" showname="Offset: 0" size="4" pos="148" show="0" value="00000000"/>
- <field name="dcerpc.array.actual_count" showname="Actual Count: 4" size="4" pos="152" show="4" value="04000000"/>
- <field name="netlogon.computer_name" showname="Computer Name: DC7" size="8" pos="156" show="DC7" value="4400430037000000"/>
- </field>
- <field name="netlogon.clientchallenge" showname="Client Challenge: 8dcc6ac9d5c32b44" size="8" pos="164" show="8d:cc:6a:c9:d5:c3:2b:44" value="8dcc6ac9d5c32b44"/>
- </proto>
-</packet>
-
-<packet>
- <proto name="geninfo" pos="0" showname="General information" size="133">
- <field name="num" pos="0" show="685" showname="Number" value="2ad" size="133"/>
- <field name="len" pos="0" show="133" showname="Frame Length" value="85" size="133"/>
- <field name="caplen" pos="0" show="133" showname="Captured Length" value="85" size="133"/>
- <field name="timestamp" pos="0" show="Feb 16, 2017 11:26:26.858394000 NZDT" showname="Captured Time" value="1487197586.858394000" size="133"/>
- </proto>
- <proto name="frame" showname="Frame 685: 133 bytes on wire (1064 bits), 133 bytes captured (1064 bits)" size="133" pos="0">
- <field name="frame.encap_type" showname="Encapsulation type: Raw IP (7)" size="0" pos="0" show="7"/>
- <field name="frame.time" showname="Arrival Time: Feb 16, 2017 11:26:26.858394000 NZDT" size="0" pos="0" show="Feb 16, 2017 11:26:26.858394000 NZDT"/>
- <field name="frame.offset_shift" showname="Time shift for this packet: 0.000000000 seconds" size="0" pos="0" show="0.000000000"/>
- <field name="frame.time_epoch" showname="Epoch Time: 1487197586.858394000 seconds" size="0" pos="0" show="1487197586.858394000"/>
- <field name="frame.time_delta" showname="Time delta from previous captured frame: 0.000149000 seconds" size="0" pos="0" show="0.000149000"/>
- <field name="frame.time_delta_displayed" showname="Time delta from previous displayed frame: 0.000149000 seconds" size="0" pos="0" show="0.000149000"/>
- <field name="frame.time_relative" showname="Time since reference or first frame: 30.699100000 seconds" size="0" pos="0" show="30.699100000"/>
- <field name="frame.number" showname="Frame Number: 685" size="0" pos="0" show="685"/>
- <field name="frame.len" showname="Frame Length: 133 bytes (1064 bits)" size="0" pos="0" show="133"/>
- <field name="frame.cap_len" showname="Capture Length: 133 bytes (1064 bits)" size="0" pos="0" show="133"/>
- <field name="frame.marked" showname="Frame is marked: False" size="0" pos="0" show="0"/>
- <field name="frame.ignored" showname="Frame is ignored: False" size="0" pos="0" show="0"/>
- <field name="frame.protocols" showname="Protocols in frame: raw:ip:udp:cldap" size="0" pos="0" show="raw:ip:udp:cldap"/>
- </proto>
- <proto name="raw" showname="Raw packet data" size="133" pos="0"/>
- <proto name="ip" showname="Internet Protocol Version 4, Src: 127.0.0.26, Dst: 127.0.0.30" size="20" pos="0">
- <field name="ip.version" showname="0100 .... = Version: 4" size="1" pos="0" show="4" value="4" unmaskedvalue="45"/>
- <field name="ip.hdr_len" showname=".... 0101 = Header Length: 20 bytes" size="1" pos="0" show="5" value="5" unmaskedvalue="45"/>
- <field name="ip.dsfield" showname="Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)" size="1" pos="1" show="0x00000000" value="00">
- <field name="ip.dsfield.dscp" showname="0000 00.. = Differentiated Services Codepoint: Default (0)" size="1" pos="1" show="0" value="0" unmaskedvalue="00"/>
- <field name="ip.dsfield.ecn" showname=".... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)" size="1" pos="1" show="0" value="0" unmaskedvalue="00"/>
- </field>
- <field name="ip.len" showname="Total Length: 133" size="2" pos="2" show="133" value="0085"/>
- <field name="ip.id" showname="Identification: 0xffff (65535)" size="2" pos="4" show="0x0000ffff" value="ffff"/>
- <field name="ip.flags" showname="Flags: 0x02 (Don&#x27;t Fragment)" size="1" pos="6" show="0x00000002" value="40">
- <field name="ip.flags.rb" showname="0... .... = Reserved bit: Not set" size="1" pos="6" show="0" value="40"/>
- <field name="ip.flags.df" showname=".1.. .... = Don&#x27;t fragment: Set" size="1" pos="6" show="1" value="40"/>
- <field name="ip.flags.mf" showname="..0. .... = More fragments: Not set" size="1" pos="6" show="0" value="40"/>
- </field>
- <field name="ip.frag_offset" showname="Fragment offset: 0" size="2" pos="6" show="0" value="4000"/>
- <field name="ip.ttl" showname="Time to live: 255" size="1" pos="8" show="255" value="ff"/>
- <field name="ip.proto" showname="Protocol: UDP (17)" size="1" pos="9" show="17" value="11"/>
- <field name="ip.checksum" showname="Header checksum: 0x0000 [validation disabled]" size="2" pos="10" show="0x00000000" value="0000">
- <field name="ip.checksum_good" showname="Good: False" size="2" pos="10" show="0" value="0000"/>
- <field name="ip.checksum_bad" showname="Bad: False" size="2" pos="10" show="0" value="0000"/>
- </field>
- <field name="ip.src" showname="Source: 127.0.0.26" size="4" pos="12" show="127.0.0.26" value="7f00001a"/>
- <field name="ip.addr" showname="Source or Destination Address: 127.0.0.26" hide="yes" size="4" pos="12" show="127.0.0.26" value="7f00001a"/>
- <field name="ip.src_host" showname="Source Host: 127.0.0.26" hide="yes" size="4" pos="12" show="127.0.0.26" value="7f00001a"/>
- <field name="ip.host" showname="Source or Destination Host: 127.0.0.26" hide="yes" size="4" pos="12" show="127.0.0.26" value="7f00001a"/>
- <field name="ip.dst" showname="Destination: 127.0.0.30" size="4" pos="16" show="127.0.0.30" value="7f00001e"/>
- <field name="ip.addr" showname="Source or Destination Address: 127.0.0.30" hide="yes" size="4" pos="16" show="127.0.0.30" value="7f00001e"/>
- <field name="ip.dst_host" showname="Destination Host: 127.0.0.30" hide="yes" size="4" pos="16" show="127.0.0.30" value="7f00001e"/>
- <field name="ip.host" showname="Source or Destination Host: 127.0.0.30" hide="yes" size="4" pos="16" show="127.0.0.30" value="7f00001e"/>
- <field name="" show="Source GeoIP: Unknown" size="4" pos="12" value="7f00001a"/>
- <field name="" show="Destination GeoIP: Unknown" size="4" pos="16" value="7f00001e"/>
- </proto>
- <proto name="udp" showname="User Datagram Protocol, Src Port: 31981 (31981), Dst Port: 389 (389)" size="8" pos="20">
- <field name="udp.srcport" showname="Source Port: 31981" size="2" pos="20" show="31981" value="7ced"/>
- <field name="udp.dstport" showname="Destination Port: 389" size="2" pos="22" show="389" value="0185"/>
- <field name="udp.port" showname="Source or Destination Port: 31981" hide="yes" size="2" pos="20" show="31981" value="7ced"/>
- <field name="udp.port" showname="Source or Destination Port: 389" hide="yes" size="2" pos="22" show="389" value="0185"/>
- <field name="udp.length" showname="Length: 113" size="2" pos="24" show="113" value="0071"/>
- <field name="udp.checksum" showname="Checksum: 0x0000 (none)" size="2" pos="26" show="0x00000000" value="0000">
- <field name="udp.checksum_good" showname="Good Checksum: False" size="2" pos="26" show="0" value="0000"/>
- <field name="udp.checksum_bad" showname="Bad Checksum: False" size="2" pos="26" show="0" value="0000"/>
- </field>
- <field name="udp.stream" showname="Stream index: 66" size="0" pos="28" show="66"/>
- </proto>
- <proto name="cldap" showname="Connectionless Lightweight Directory Access Protocol" size="105" pos="28">
- <field name="ldap.LDAPMessage_element" showname="LDAPMessage searchRequest(20287) &quot;&lt;ROOT&gt;&quot; baseObject" size="105" pos="28" show="" value="">
- <field name="ldap.messageID" showname="messageID: 20287" size="2" pos="32" show="20287" value="4f3f"/>
- <field name="ldap.protocolOp" showname="protocolOp: searchRequest (3)" size="99" pos="34" show="3" value="636104000a01000a0100020100020100010100a042a30d04054e74566572040406000000a3240409446e73446f6d61696e04176164646f6d2e73616d62612e6578616d706c652e636f6da30b0403414143040400000000300a04084e65744c6f676f6e">
- <field name="ldap.searchRequest_element" showname="searchRequest" size="97" pos="36" show="" value="">
- <field name="ldap.baseObject" showname="baseObject: " size="0" pos="38" show=""/>
- <field name="ldap.scope" showname="scope: baseObject (0)" size="1" pos="40" show="0" value="00"/>
- <field name="ldap.derefAliases" showname="derefAliases: neverDerefAliases (0)" size="1" pos="43" show="0" value="00"/>
- <field name="ldap.sizeLimit" showname="sizeLimit: 0" size="1" pos="46" show="0" value="00"/>
- <field name="ldap.timeLimit" showname="timeLimit: 0" size="1" pos="49" show="0" value="00"/>
- <field name="ldap.typesOnly" showname="typesOnly: False" size="1" pos="52" show="0" value="00"/>
- <field name="" show="Filter: (&amp;(&amp;(NtVer=0x00000006)(DnsDomain=addom.samba.example.com))(AAC=00:00:00:00))" size="68" pos="53" value="a042a30d04054e74566572040406000000a3240409446e73446f6d61696e04176164646f6d2e73616d62612e6578616d706c652e636f6da30b0403414143040400000000">
- <field name="ldap.filter" showname="filter: and (0)" size="66" pos="55" show="0" value="a30d04054e74566572040406000000a3240409446e73446f6d61696e04176164646f6d2e73616d62612e6578616d706c652e636f6da30b0403414143040400000000">
- <field name="" show="and: (&amp;(&amp;(NtVer=0x00000006)(DnsDomain=addom.samba.example.com))(AAC=00:00:00:00))" size="66" pos="55" value="a30d04054e74566572040406000000a3240409446e73446f6d61696e04176164646f6d2e73616d62612e6578616d706c652e636f6da30b0403414143040400000000">
- <field name="ldap.and" showname="and: 3 items" size="66" pos="55" show="3" value="a30d04054e74566572040406000000a3240409446e73446f6d61696e04176164646f6d2e73616d62612e6578616d706c652e636f6da30b0403414143040400000000">
- <field name="" show="Filter: (NtVer=0x00000006)" size="15" pos="55" value="a30d04054e74566572040406000000">
- <field name="ldap.and_item" showname="and item: equalityMatch (3)" size="13" pos="57" show="3" value="04054e74566572040406000000">
- <field name="ldap.equalityMatch_element" showname="equalityMatch" size="13" pos="57" show="" value="">
- <field name="ldap.attributeDesc" showname="attributeDesc: NtVer" size="5" pos="59" show="NtVer" value="4e74566572"/>
- <field name="mscldap.ntver.flags" showname="Version Flags: 0x00000006, V5: Client requested version 5 netlogon response, V5EX: Client requested version 5 extended netlogon response" size="4" pos="66" show="0x00000006" value="06000000">
- <field name="mscldap.ntver.searchflags.v1" showname=".... .... .... .... .... .... .... ...0 = V1: Version 1 netlogon response not requested" size="4" pos="66" show="0" value="0" unmaskedvalue="06000000"/>
- <field name="mscldap.ntver.searchflags.v5" showname=".... .... .... .... .... .... .... ..1. = V5: Client requested version 5 netlogon response" size="4" pos="66" show="1" value="FFFFFFFF" unmaskedvalue="06000000"/>
- <field name="mscldap.ntver.searchflags.v5ex" showname=".... .... .... .... .... .... .... .1.. = V5EX: Client requested version 5 extended netlogon response" size="4" pos="66" show="1" value="FFFFFFFF" unmaskedvalue="06000000"/>
- <field name="mscldap.ntver.searchflags.v5ep" showname=".... .... .... .... .... .... .... 0... = V5EP: IP address of server not requested" size="4" pos="66" show="0" value="0" unmaskedvalue="06000000"/>
- <field name="mscldap.ntver.searchflags.vcs" showname=".... .... .... .... .... .... ...0 .... = VCS: Closest site information not requested" size="4" pos="66" show="0" value="0" unmaskedvalue="06000000"/>
- <field name="mscldap.ntver.searchflags.vnt4" showname=".... ...0 .... .... .... .... .... .... = VNT4: Only full AD DS requested" size="4" pos="66" show="0" value="0" unmaskedvalue="06000000"/>
- <field name="mscldap.ntver.searchflags.vpdc" showname="...0 .... .... .... .... .... .... .... = VPDC: Primary Domain Controller not requested" size="4" pos="66" show="0" value="0" unmaskedvalue="06000000"/>
- <field name="mscldap.ntver.searchflags.vip" showname="..0. .... .... .... .... .... .... .... = VIP: IP details not requested (obsolete)" size="4" pos="66" show="0" value="0" unmaskedvalue="06000000"/>
- <field name="mscldap.ntver.searchflags.vl" showname=".0.. .... .... .... .... .... .... .... = VL: Client is not the local machine" size="4" pos="66" show="0" value="0" unmaskedvalue="06000000"/>
- <field name="mscldap.ntver.searchflags.vgc" showname="0... .... .... .... .... .... .... .... = VGC: Global Catalog not requested" size="4" pos="66" show="0" value="0" unmaskedvalue="06000000"/>
- </field>
- </field>
- </field>
- </field>
- <field name="" show="Filter: (DnsDomain=addom.samba.example.com)" size="38" pos="70" value="a3240409446e73446f6d61696e04176164646f6d2e73616d62612e6578616d706c652e636f6d">
- <field name="ldap.and_item" showname="and item: equalityMatch (3)" size="36" pos="72" show="3" value="0409446e73446f6d61696e04176164646f6d2e73616d62612e6578616d706c652e636f6d">
- <field name="ldap.equalityMatch_element" showname="equalityMatch" size="36" pos="72" show="" value="">
- <field name="ldap.attributeDesc" showname="attributeDesc: DnsDomain" size="9" pos="74" show="DnsDomain" value="446e73446f6d61696e"/>
- <field name="ldap.assertionValue" showname="assertionValue: addom.samba.example.com" size="23" pos="85" show="addom.samba.example.com" value="6164646f6d2e73616d62612e6578616d706c652e636f6d"/>
- </field>
- </field>
- </field>
- <field name="" show="Filter: (AAC=00:00:00:00)" size="13" pos="108" value="a30b0403414143040400000000">
- <field name="ldap.and_item" showname="and item: equalityMatch (3)" size="11" pos="110" show="3" value="0403414143040400000000">
- <field name="ldap.equalityMatch_element" showname="equalityMatch" size="11" pos="110" show="" value="">
- <field name="ldap.attributeDesc" showname="attributeDesc: AAC" size="3" pos="112" show="AAC" value="414143"/>
- <field name="ldap.assertionValue" showname="assertionValue: 00:00:00:00" size="4" pos="117" show="00:00:00:00" value="00000000"/>
- </field>
- </field>
- </field>
- </field>
- </field>
- </field>
- </field>
- <field name="ldap.attributes" showname="attributes: 1 item" size="10" pos="123" show="1" value="04084e65744c6f676f6e">
- <field name="ldap.AttributeDescription" showname="AttributeDescription: NetLogon" size="8" pos="125" show="NetLogon" value="4e65744c6f676f6e"/>
- </field>
- </field>
- </field>
- </field>
- </proto>
-</packet>
-
-<packet>
- <proto name="geninfo" pos="0" showname="General information" size="226">
- <field name="num" pos="0" show="698" showname="Number" value="2ba" size="226"/>
- <field name="len" pos="0" show="226" showname="Frame Length" value="e2" size="226"/>
- <field name="caplen" pos="0" show="226" showname="Captured Length" value="e2" size="226"/>
- <field name="timestamp" pos="0" show="Feb 16, 2017 11:26:26.864862000 NZDT" showname="Captured Time" value="1487197586.864862000" size="226"/>
- </proto>
- <proto name="frame" showname="Frame 698: 226 bytes on wire (1808 bits), 226 bytes captured (1808 bits)" size="226" pos="0">
- <field name="frame.encap_type" showname="Encapsulation type: Raw IP (7)" size="0" pos="0" show="7"/>
- <field name="frame.time" showname="Arrival Time: Feb 16, 2017 11:26:26.864862000 NZDT" size="0" pos="0" show="Feb 16, 2017 11:26:26.864862000 NZDT"/>
- <field name="frame.offset_shift" showname="Time shift for this packet: 0.000000000 seconds" size="0" pos="0" show="0.000000000"/>
- <field name="frame.time_epoch" showname="Epoch Time: 1487197586.864862000 seconds" size="0" pos="0" show="1487197586.864862000"/>
- <field name="frame.time_delta" showname="Time delta from previous captured frame: 0.000059000 seconds" size="0" pos="0" show="0.000059000"/>
- <field name="frame.time_delta_displayed" showname="Time delta from previous displayed frame: 0.000059000 seconds" size="0" pos="0" show="0.000059000"/>
- <field name="frame.time_relative" showname="Time since reference or first frame: 30.705568000 seconds" size="0" pos="0" show="30.705568000"/>
- <field name="frame.number" showname="Frame Number: 698" size="0" pos="0" show="698"/>
- <field name="frame.len" showname="Frame Length: 226 bytes (1808 bits)" size="0" pos="0" show="226"/>
- <field name="frame.cap_len" showname="Capture Length: 226 bytes (1808 bits)" size="0" pos="0" show="226"/>
- <field name="frame.marked" showname="Frame is marked: False" size="0" pos="0" show="0"/>
- <field name="frame.ignored" showname="Frame is ignored: False" size="0" pos="0" show="0"/>
- <field name="frame.protocols" showname="Protocols in frame: raw:ip:tcp:nbss:smb2" size="0" pos="0" show="raw:ip:tcp:nbss:smb2"/>
- </proto>
- <proto name="raw" showname="Raw packet data" size="226" pos="0"/>
- <proto name="ip" showname="Internet Protocol Version 4, Src: 127.0.0.26, Dst: 127.0.0.30" size="20" pos="0">
- <field name="ip.version" showname="0100 .... = Version: 4" size="1" pos="0" show="4" value="4" unmaskedvalue="45"/>
- <field name="ip.hdr_len" showname=".... 0101 = Header Length: 20 bytes" size="1" pos="0" show="5" value="5" unmaskedvalue="45"/>
- <field name="ip.dsfield" showname="Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)" size="1" pos="1" show="0x00000000" value="00">
- <field name="ip.dsfield.dscp" showname="0000 00.. = Differentiated Services Codepoint: Default (0)" size="1" pos="1" show="0" value="0" unmaskedvalue="00"/>
- <field name="ip.dsfield.ecn" showname=".... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)" size="1" pos="1" show="0" value="0" unmaskedvalue="00"/>
- </field>
- <field name="ip.len" showname="Total Length: 226" size="2" pos="2" show="226" value="00e2"/>
- <field name="ip.id" showname="Identification: 0xffff (65535)" size="2" pos="4" show="0x0000ffff" value="ffff"/>
- <field name="ip.flags" showname="Flags: 0x02 (Don&#x27;t Fragment)" size="1" pos="6" show="0x00000002" value="40">
- <field name="ip.flags.rb" showname="0... .... = Reserved bit: Not set" size="1" pos="6" show="0" value="40"/>
- <field name="ip.flags.df" showname=".1.. .... = Don&#x27;t fragment: Set" size="1" pos="6" show="1" value="40"/>
- <field name="ip.flags.mf" showname="..0. .... = More fragments: Not set" size="1" pos="6" show="0" value="40"/>
- </field>
- <field name="ip.frag_offset" showname="Fragment offset: 0" size="2" pos="6" show="0" value="4000"/>
- <field name="ip.ttl" showname="Time to live: 255" size="1" pos="8" show="255" value="ff"/>
- <field name="ip.proto" showname="Protocol: TCP (6)" size="1" pos="9" show="6" value="06"/>
- <field name="ip.checksum" showname="Header checksum: 0x0000 [validation disabled]" size="2" pos="10" show="0x00000000" value="0000">
- <field name="ip.checksum_good" showname="Good: False" size="2" pos="10" show="0" value="0000"/>
- <field name="ip.checksum_bad" showname="Bad: False" size="2" pos="10" show="0" value="0000"/>
- </field>
- <field name="ip.src" showname="Source: 127.0.0.26" size="4" pos="12" show="127.0.0.26" value="7f00001a"/>
- <field name="ip.addr" showname="Source or Destination Address: 127.0.0.26" hide="yes" size="4" pos="12" show="127.0.0.26" value="7f00001a"/>
- <field name="ip.src_host" showname="Source Host: 127.0.0.26" hide="yes" size="4" pos="12" show="127.0.0.26" value="7f00001a"/>
- <field name="ip.host" showname="Source or Destination Host: 127.0.0.26" hide="yes" size="4" pos="12" show="127.0.0.26" value="7f00001a"/>
- <field name="ip.dst" showname="Destination: 127.0.0.30" size="4" pos="16" show="127.0.0.30" value="7f00001e"/>
- <field name="ip.addr" showname="Source or Destination Address: 127.0.0.30" hide="yes" size="4" pos="16" show="127.0.0.30" value="7f00001e"/>
- <field name="ip.dst_host" showname="Destination Host: 127.0.0.30" hide="yes" size="4" pos="16" show="127.0.0.30" value="7f00001e"/>
- <field name="ip.host" showname="Source or Destination Host: 127.0.0.30" hide="yes" size="4" pos="16" show="127.0.0.30" value="7f00001e"/>
- <field name="" show="Source GeoIP: Unknown" size="4" pos="12" value="7f00001a"/>
- <field name="" show="Destination GeoIP: Unknown" size="4" pos="16" value="7f00001e"/>
- </proto>
- <proto name="tcp" showname="Transmission Control Protocol, Src Port: 31980 (31980), Dst Port: 445 (445), Seq: 89, Ack: 229, Len: 186" size="20" pos="20">
- <field name="tcp.srcport" showname="Source Port: 31980" size="2" pos="20" show="31980" value="7cec"/>
- <field name="tcp.dstport" showname="Destination Port: 445" size="2" pos="22" show="445" value="01bd"/>
- <field name="tcp.port" showname="Source or Destination Port: 31980" hide="yes" size="2" pos="20" show="31980" value="7cec"/>
- <field name="tcp.port" showname="Source or Destination Port: 445" hide="yes" size="2" pos="22" show="445" value="01bd"/>
- <field name="tcp.stream" showname="Stream index: 12" size="0" pos="20" show="12"/>
- <field name="tcp.len" showname="TCP Segment Len: 186" size="1" pos="32" show="186" value="50"/>
- <field name="tcp.seq" showname="Sequence number: 89 (relative sequence number)" size="4" pos="24" show="89" value="00000059"/>
- <field name="tcp.nxtseq" showname="Next sequence number: 275 (relative sequence number)" size="0" pos="20" show="275"/>
- <field name="tcp.ack" showname="Acknowledgment number: 229 (relative ack number)" size="4" pos="28" show="229" value="000000e5"/>
- <field name="tcp.hdr_len" showname="Header Length: 20 bytes" size="1" pos="32" show="20" value="50"/>
- <field name="tcp.flags" showname="Flags: 0x018 (PSH, ACK)" size="2" pos="32" show="0x00000018" value="18" unmaskedvalue="5018">
- <field name="tcp.flags.res" showname="000. .... .... = Reserved: Not set" size="1" pos="32" show="0" value="0" unmaskedvalue="50"/>
- <field name="tcp.flags.ns" showname="...0 .... .... = Nonce: Not set" size="1" pos="32" show="0" value="0" unmaskedvalue="50"/>
- <field name="tcp.flags.cwr" showname=".... 0... .... = Congestion Window Reduced (CWR): Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
- <field name="tcp.flags.ecn" showname=".... .0.. .... = ECN-Echo: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
- <field name="tcp.flags.urg" showname=".... ..0. .... = Urgent: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
- <field name="tcp.flags.ack" showname=".... ...1 .... = Acknowledgment: Set" size="1" pos="33" show="1" value="FFFFFFFF" unmaskedvalue="18"/>
- <field name="tcp.flags.push" showname=".... .... 1... = Push: Set" size="1" pos="33" show="1" value="FFFFFFFF" unmaskedvalue="18"/>
- <field name="tcp.flags.reset" showname=".... .... .0.. = Reset: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
- <field name="tcp.flags.syn" showname=".... .... ..0. = Syn: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
- <field name="tcp.flags.fin" showname=".... .... ...0 = Fin: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
- <field name="tcp.flags.str" showname="TCP Flags: *******AP***" size="2" pos="32" show="*******AP***" value="5018"/>
- </field>
- <field name="tcp.window_size_value" showname="Window size value: 32767" size="2" pos="34" show="32767" value="7fff"/>
- <field name="tcp.window_size" showname="Calculated window size: 32767" size="2" pos="34" show="32767" value="7fff"/>
- <field name="tcp.window_size_scalefactor" showname="Window size scaling factor: -2 (no window scaling used)" size="2" pos="34" show="-2" value="7fff"/>
- <field name="tcp.checksum" showname="Checksum: 0x0000 [validation disabled]" size="2" pos="36" show="0x00000000" value="0000">
- <field name="tcp.checksum_good" showname="Good Checksum: False" size="2" pos="36" show="0" value="0000"/>
- <field name="tcp.checksum_bad" showname="Bad Checksum: False" size="2" pos="36" show="0" value="0000"/>
- </field>
- <field name="tcp.urgent_pointer" showname="Urgent pointer: 0" size="2" pos="38" show="0" value="0000"/>
- <field name="tcp.analysis" showname="SEQ/ACK analysis" size="0" pos="20" show="" value="">
- <field name="tcp.analysis.acks_frame" showname="This is an ACK to the segment in frame: 695" size="0" pos="20" show="695"/>
- <field name="tcp.analysis.ack_rtt" showname="The RTT to ACK the segment was: 0.000105000 seconds" size="0" pos="20" show="0.000105000"/>
- <field name="tcp.analysis.initial_rtt" showname="iRTT: 0.000014000 seconds" size="0" pos="20" show="0.000014000"/>
- <field name="tcp.analysis.bytes_in_flight" showname="Bytes in flight: 186" size="0" pos="20" show="186"/>
- <field name="tcp.analysis.flags" showname="TCP Analysis Flags" size="0" pos="20" show="" value="">
- <field name="_ws.expert" showname="Expert Info (Warn/Sequence): ACKed segment that wasn&#x27;t captured (common at capture start)" size="0" pos="20">
- <field name="tcp.analysis.ack_lost_segment" showname="ACKed segment that wasn&#x27;t captured (common at capture start)" size="0" pos="0" show="" value=""/>
- <field name="_ws.expert.message" showname="Message: ACKed segment that wasn&#x27;t captured (common at capture start)" hide="yes" size="0" pos="0" show="ACKed segment that wasn&#x27;t captured (common at capture start)"/>
- <field name="_ws.expert.severity" showname="Severity level: Warn" size="0" pos="0" show="0x00600000"/>
- <field name="_ws.expert.group" showname="Group: Sequence" size="0" pos="0" show="0x02000000"/>
- </field>
- </field>
- </field>
- </proto>
- <proto name="nbss" showname="NetBIOS Session Service" size="186" pos="40">
- <field name="nbss.type" showname="Message Type: Session message (0x00)" size="1" pos="40" show="0x00000000" value="00"/>
- <field name="nbss.length" showname="Length: 182" size="3" pos="41" show="182" value="0000b6"/>
- </proto>
- <proto name="smb2" showname="SMB2 (Server Message Block Protocol version 2)" size="182" pos="44">
- <field name="" show="SMB2 Header" size="64" pos="44" value="fe534d42400000000000000000000000000000000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000">
- <field name="smb2.server_component_smb2" showname="Server Component: SMB2" size="4" pos="44" show="" value=""/>
- <field name="smb2.header_len" showname="Header Length: 64" size="2" pos="48" show="64" value="4000"/>
- <field name="smb2.credit.charge" showname="Credit Charge: 0" size="2" pos="50" show="0" value="0000"/>
- <field name="smb2.channel_sequence" showname="Channel Sequence: 0" size="2" pos="52" show="0" value="0000"/>
- <field name="smb2.reserved" showname="Reserved: 0000" size="2" pos="54" show="00:00" value="0000"/>
- <field name="smb2.cmd" showname="Command: Negotiate Protocol (0)" size="2" pos="56" show="0" value="0000"/>
- <field name="smb2.credits.requested" showname="Credits requested: 0" size="2" pos="58" show="0" value="0000"/>
- <field name="smb2.flags" showname="Flags: 0x00000000" size="4" pos="60" show="0x00000000" value="00000000">
- <field name="smb2.flags.response" showname=".... .... .... .... .... .... .... ...0 = Response: This is a REQUEST" size="4" pos="60" show="0" value="0" unmaskedvalue="00000000"/>
- <field name="smb2.flags.async" showname=".... .... .... .... .... .... .... ..0. = Async command: This is a SYNC command" size="4" pos="60" show="0" value="0" unmaskedvalue="00000000"/>
- <field name="smb2.flags.chained" showname=".... .... .... .... .... .... .... .0.. = Chained: This pdu is NOT a chained command" size="4" pos="60" show="0" value="0" unmaskedvalue="00000000"/>
- <field name="smb2.flags.signature" showname=".... .... .... .... .... .... .... 0... = Signing: This pdu is NOT signed" size="4" pos="60" show="0" value="0" unmaskedvalue="00000000"/>
- <field name="smb2.flags.dfs" showname="...0 .... .... .... .... .... .... .... = DFS operation: This is a normal operation" size="4" pos="60" show="0" value="0" unmaskedvalue="00000000"/>
- <field name="smb2.flags.replay" showname="..0. .... .... .... .... .... .... .... = Replay operation: This is NOT a replay operation" size="4" pos="60" show="0" value="0" unmaskedvalue="00000000"/>
- </field>
- <field name="smb2.chain_offset" showname="Chain Offset: 0x00000000" size="4" pos="64" show="0x00000000" value="00000000"/>
- <field name="smb2.msg_id" showname="Message ID: 1" size="8" pos="68" show="1" value="0100000000000000"/>
- <field name="smb2.pid" showname="Process Id: 0x00000000" size="4" pos="76" show="0x00000000" value="00000000"/>
- <field name="smb2.tid" showname="Tree Id: 0x00000000" size="4" pos="80" show="0x00000000" value="00000000"/>
- <field name="smb2.sesid" showname="Session Id: 0x0000000000000000" size="8" pos="84" show="0x0000000000000000" value="0000000000000000"/>
- <field name="smb2.signature" showname="Signature: 00000000000000000000000000000000" size="16" pos="92" show="00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00" value="00000000000000000000000000000000"/>
- </field>
- <field name="" show="Negotiate Protocol Request (0x00)" size="118" pos="108" value="24000800030000007f000000ee2b90e954001a488a0332bc9e697f2d780000000200000002021002220224020003020310031103000000000100260000000000010020000100dfcf45249723e007a592511728de102521de99235cfee4ef893464068a2f67a200000200060000000000020001000200">
- <field name="smb2.buffer_code" showname="StructureSize: 0x0024" size="2" pos="108" show="0x00000024" value="2400">
- <field name="smb2.buffer_code.length" showname="0000 0000 0010 010. = Fixed Part Length: 18" size="2" pos="108" show="18" value="12" unmaskedvalue="2400"/>
- <field name="smb2.buffer_code.dynamic" showname=".... .... .... ...0 = Dynamic Part: False" size="2" pos="108" show="0" value="0" unmaskedvalue="2400"/>
- </field>
- <field name="smb2.dialect_count" showname="Dialect count: 8" size="2" pos="110" show="8" value="0800"/>
- <field name="smb2.sec_mode" showname="Security mode: 0x03, Signing enabled, Signing required" size="1" pos="112" show="0x00000003" value="03">
- <field name="smb2.sec_mode.sign_enabled" showname=".... ...1 = Signing enabled: True" size="1" pos="112" show="1" value="FFFFFFFF" unmaskedvalue="03"/>
- <field name="smb2.sec_mode.sign_required" showname=".... ..1. = Signing required: True" size="1" pos="112" show="1" value="FFFFFFFF" unmaskedvalue="03"/>
- </field>
- <field name="smb2.reserved" showname="Reserved: 0000" size="2" pos="114" show="00:00" value="0000"/>
- <field name="smb2.capabilities" showname="Capabilities: 0x0000007f, DFS, LEASING, LARGE MTU, MULTI CHANNEL, PERSISTENT HANDLES, DIRECTORY LEASING, ENCRYPTION" size="4" pos="116" show="0x0000007f" value="7f000000">
- <field name="smb2.capabilities.dfs" showname=".... .... .... .... .... .... .... ...1 = DFS: This host supports DFS" size="4" pos="116" show="1" value="FFFFFFFF" unmaskedvalue="7f000000"/>
- <field name="smb2.capabilities.leasing" showname=".... .... .... .... .... .... .... ..1. = LEASING: This host supports LEASING" size="4" pos="116" show="1" value="FFFFFFFF" unmaskedvalue="7f000000"/>
- <field name="smb2.capabilities.large_mtu" showname=".... .... .... .... .... .... .... .1.. = LARGE MTU: This host supports LARGE_MTU" size="4" pos="116" show="1" value="FFFFFFFF" unmaskedvalue="7f000000"/>
- <field name="smb2.capabilities.multi_channel" showname=".... .... .... .... .... .... .... 1... = MULTI CHANNEL: This host supports MULTI CHANNEL" size="4" pos="116" show="1" value="FFFFFFFF" unmaskedvalue="7f000000"/>
- <field name="smb2.capabilities.persistent_handles" showname=".... .... .... .... .... .... ...1 .... = PERSISTENT HANDLES: This host supports PERSISTENT HANDLES" size="4" pos="116" show="1" value="FFFFFFFF" unmaskedvalue="7f000000"/>
- <field name="smb2.capabilities.directory_leasing" showname=".... .... .... .... .... .... ..1. .... = DIRECTORY LEASING: This host supports DIRECTORY LEASING" size="4" pos="116" show="1" value="FFFFFFFF" unmaskedvalue="7f000000"/>
- <field name="smb2.capabilities.encryption" showname=".... .... .... .... .... .... .1.. .... = ENCRYPTION: This host supports ENCRYPTION" size="4" pos="116" show="1" value="FFFFFFFF" unmaskedvalue="7f000000"/>
- </field>
- <field name="smb2.client_guid" showname="Client Guid: e9902bee-0054-481a-8a03-32bc9e697f2d" size="16" pos="120" show="e9902bee-0054-481a-8a03-32bc9e697f2d" value="ee2b90e954001a488a0332bc9e697f2d"/>
- <field name="smb2.negotiate_context.offset" showname="NegotiateContextOffset: 0x0078" size="4" pos="136" show="0x00000078" value="78000000"/>
- <field name="smb2.negotiate_context.count" showname="NegotiateContextCount: 2" size="2" pos="140" show="2" value="0200"/>
- <field name="smb2.reserved" showname="Reserved: 0000" size="2" pos="142" show="00:00" value="0000"/>
- <field name="smb2.dialect" showname="Dialect: 0x0202" size="2" pos="144" show="0x00000202" value="0202"/>
- <field name="smb2.dialect" showname="Dialect: 0x0210" size="2" pos="146" show="0x00000210" value="1002"/>
- <field name="smb2.dialect" showname="Dialect: 0x0222" size="2" pos="148" show="0x00000222" value="2202"/>
- <field name="smb2.dialect" showname="Dialect: 0x0224" size="2" pos="150" show="0x00000224" value="2402"/>
- <field name="smb2.dialect" showname="Dialect: 0x0300" size="2" pos="152" show="0x00000300" value="0003"/>
- <field name="smb2.dialect" showname="Dialect: 0x0302" size="2" pos="154" show="0x00000302" value="0203"/>
- <field name="smb2.dialect" showname="Dialect: 0x0310" size="2" pos="156" show="0x00000310" value="1003"/>
- <field name="smb2.dialect" showname="Dialect: 0x0311" size="2" pos="158" show="0x00000311" value="1103"/>
- <field name="" show="Negotiate Context: SMB2_PREAUTH_INTEGRITY_CAPABILITIES " size="46" pos="164" value="0100260000000000010020000100dfcf45249723e007a592511728de102521de99235cfee4ef893464068a2f67a2">
- <field name="smb2.negotiate_context.type" showname="Type: SMB2_PREAUTH_INTEGRITY_CAPABILITIES (0x0001)" size="2" pos="164" show="0x00000001" value="0100"/>
- <field name="smb2.negotiate_context.data_length" showname="DataLength: 38" size="2" pos="166" show="38" value="2600"/>
- <field name="smb2.reserved" showname="Reserved: 00000000" size="4" pos="168" show="00:00:00:00" value="00000000"/>
- <field name="smb2.unknown" showname="unknown: 010020000100dfcf45249723e007a592511728de102521de..." size="38" pos="172" show="01:00:20:00:01:00:df:cf:45:24:97:23:e0:07:a5:92:51:17:28:de:10:25:21:de:99:23:5c:fe:e4:ef:89:34:64:06:8a:2f:67:a2" value="010020000100dfcf45249723e007a592511728de102521de99235cfee4ef893464068a2f67a2"/>
- </field>
- <field name="" show="Negotiate Context: SMB2_ENCRYPTION_CAPABILITIES " size="14" pos="212" value="0200060000000000020001000200">
- <field name="smb2.negotiate_context.type" showname="Type: SMB2_ENCRYPTION_CAPABILITIES (0x0002)" size="2" pos="212" show="0x00000002" value="0200"/>
- <field name="smb2.negotiate_context.data_length" showname="DataLength: 6" size="2" pos="214" show="6" value="0600"/>
- <field name="smb2.reserved" showname="Reserved: 00000000" size="4" pos="216" show="00:00:00:00" value="00000000"/>
- <field name="smb2.unknown" showname="unknown: 020001000200" size="6" pos="220" show="02:00:01:00:02:00" value="020001000200"/>
- </field>
- </field>
- </proto>
-</packet>
-
-<packet>
- <proto name="geninfo" pos="0" showname="General information" size="96">
- <field name="num" pos="0" show="1166" showname="Number" value="48e" size="96"/>
- <field name="len" pos="0" show="96" showname="Frame Length" value="60" size="96"/>
- <field name="caplen" pos="0" show="96" showname="Captured Length" value="60" size="96"/>
- <field name="timestamp" pos="0" show="Feb 16, 2017 11:26:28.515337000 NZDT" showname="Captured Time" value="1487197588.515337000" size="96"/>
- </proto>
- <proto name="frame" showname="Frame 1166: 96 bytes on wire (768 bits), 96 bytes captured (768 bits)" size="96" pos="0">
- <field name="frame.encap_type" showname="Encapsulation type: Raw IP (7)" size="0" pos="0" show="7"/>
- <field name="frame.time" showname="Arrival Time: Feb 16, 2017 11:26:28.515337000 NZDT" size="0" pos="0" show="Feb 16, 2017 11:26:28.515337000 NZDT"/>
- <field name="frame.offset_shift" showname="Time shift for this packet: 0.000000000 seconds" size="0" pos="0" show="0.000000000"/>
- <field name="frame.time_epoch" showname="Epoch Time: 1487197588.515337000 seconds" size="0" pos="0" show="1487197588.515337000"/>
- <field name="frame.time_delta" showname="Time delta from previous captured frame: 0.000045000 seconds" size="0" pos="0" show="0.000045000"/>
- <field name="frame.time_delta_displayed" showname="Time delta from previous displayed frame: 0.000045000 seconds" size="0" pos="0" show="0.000045000"/>
- <field name="frame.time_relative" showname="Time since reference or first frame: 32.356043000 seconds" size="0" pos="0" show="32.356043000"/>
- <field name="frame.number" showname="Frame Number: 1166" size="0" pos="0" show="1166"/>
- <field name="frame.len" showname="Frame Length: 96 bytes (768 bits)" size="0" pos="0" show="96"/>
- <field name="frame.cap_len" showname="Capture Length: 96 bytes (768 bits)" size="0" pos="0" show="96"/>
- <field name="frame.marked" showname="Frame is marked: False" size="0" pos="0" show="0"/>
- <field name="frame.ignored" showname="Frame is ignored: False" size="0" pos="0" show="0"/>
- <field name="frame.protocols" showname="Protocols in frame: raw:ip:udp:dns" size="0" pos="0" show="raw:ip:udp:dns"/>
- </proto>
- <proto name="raw" showname="Raw packet data" size="96" pos="0"/>
- <proto name="ip" showname="Internet Protocol Version 4, Src: 127.0.0.26, Dst: 0.0.0.0" size="20" pos="0">
- <field name="ip.version" showname="0100 .... = Version: 4" size="1" pos="0" show="4" value="4" unmaskedvalue="45"/>
- <field name="ip.hdr_len" showname=".... 0101 = Header Length: 20 bytes" size="1" pos="0" show="5" value="5" unmaskedvalue="45"/>
- <field name="ip.dsfield" showname="Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)" size="1" pos="1" show="0x00000000" value="00">
- <field name="ip.dsfield.dscp" showname="0000 00.. = Differentiated Services Codepoint: Default (0)" size="1" pos="1" show="0" value="0" unmaskedvalue="00"/>
- <field name="ip.dsfield.ecn" showname=".... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)" size="1" pos="1" show="0" value="0" unmaskedvalue="00"/>
- </field>
- <field name="ip.len" showname="Total Length: 96" size="2" pos="2" show="96" value="0060"/>
- <field name="ip.id" showname="Identification: 0xffff (65535)" size="2" pos="4" show="0x0000ffff" value="ffff"/>
- <field name="ip.flags" showname="Flags: 0x02 (Don&#x27;t Fragment)" size="1" pos="6" show="0x00000002" value="40">
- <field name="ip.flags.rb" showname="0... .... = Reserved bit: Not set" size="1" pos="6" show="0" value="40"/>
- <field name="ip.flags.df" showname=".1.. .... = Don&#x27;t fragment: Set" size="1" pos="6" show="1" value="40"/>
- <field name="ip.flags.mf" showname="..0. .... = More fragments: Not set" size="1" pos="6" show="0" value="40"/>
- </field>
- <field name="ip.frag_offset" showname="Fragment offset: 0" size="2" pos="6" show="0" value="4000"/>
- <field name="ip.ttl" showname="Time to live: 255" size="1" pos="8" show="255" value="ff"/>
- <field name="ip.proto" showname="Protocol: UDP (17)" size="1" pos="9" show="17" value="11"/>
- <field name="ip.checksum" showname="Header checksum: 0x0000 [validation disabled]" size="2" pos="10" show="0x00000000" value="0000">
- <field name="ip.checksum_good" showname="Good: False" size="2" pos="10" show="0" value="0000"/>
- <field name="ip.checksum_bad" showname="Bad: False" size="2" pos="10" show="0" value="0000"/>
- </field>
- <field name="ip.src" showname="Source: 127.0.0.26" size="4" pos="12" show="127.0.0.26" value="7f00001a"/>
- <field name="ip.addr" showname="Source or Destination Address: 127.0.0.26" hide="yes" size="4" pos="12" show="127.0.0.26" value="7f00001a"/>
- <field name="ip.src_host" showname="Source Host: 127.0.0.26" hide="yes" size="4" pos="12" show="127.0.0.26" value="7f00001a"/>
- <field name="ip.host" showname="Source or Destination Host: 127.0.0.26" hide="yes" size="4" pos="12" show="127.0.0.26" value="7f00001a"/>
- <field name="ip.dst" showname="Destination: 0.0.0.0" size="4" pos="16" show="0.0.0.0" value="00000000"/>
- <field name="ip.addr" showname="Source or Destination Address: 0.0.0.0" hide="yes" size="4" pos="16" show="0.0.0.0" value="00000000"/>
- <field name="ip.dst_host" showname="Destination Host: 0.0.0.0" hide="yes" size="4" pos="16" show="0.0.0.0" value="00000000"/>
- <field name="ip.host" showname="Source or Destination Host: 0.0.0.0" hide="yes" size="4" pos="16" show="0.0.0.0" value="00000000"/>
- <field name="" show="Source GeoIP: Unknown" size="4" pos="12" value="7f00001a"/>
- <field name="" show="Destination GeoIP: Unknown" size="4" pos="16" value="00000000"/>
- </proto>
- <proto name="udp" showname="User Datagram Protocol, Src Port: 31989 (31989), Dst Port: 53 (53)" size="8" pos="20">
- <field name="udp.srcport" showname="Source Port: 31989" size="2" pos="20" show="31989" value="7cf5"/>
- <field name="udp.dstport" showname="Destination Port: 53" size="2" pos="22" show="53" value="0035"/>
- <field name="udp.port" showname="Source or Destination Port: 31989" hide="yes" size="2" pos="20" show="31989" value="7cf5"/>
- <field name="udp.port" showname="Source or Destination Port: 53" hide="yes" size="2" pos="22" show="53" value="0035"/>
- <field name="udp.length" showname="Length: 76" size="2" pos="24" show="76" value="004c"/>
- <field name="udp.checksum" showname="Checksum: 0x0000 (none)" size="2" pos="26" show="0x00000000" value="0000">
- <field name="udp.checksum_good" showname="Good Checksum: False" size="2" pos="26" show="0" value="0000"/>
- <field name="udp.checksum_bad" showname="Bad Checksum: False" size="2" pos="26" show="0" value="0000"/>
- </field>
- <field name="udp.stream" showname="Stream index: 76" size="0" pos="28" show="76"/>
- </proto>
- <proto name="dns" showname="Domain Name System (query)" size="68" pos="28">
- <field name="dns.id" showname="Transaction ID: 0x1b5d" size="2" pos="28" show="0x00001b5d" value="1b5d"/>
- <field name="dns.flags" showname="Flags: 0x2800 Dynamic update" size="2" pos="30" show="0x00002800" value="2800">
- <field name="dns.flags.response" showname="0... .... .... .... = Response: Message is a query" size="2" pos="30" show="0" value="0" unmaskedvalue="2800"/>
- <field name="dns.flags.opcode" showname=".010 1... .... .... = Opcode: Dynamic update (5)" size="2" pos="30" show="5" value="5" unmaskedvalue="2800"/>
- <field name="dns.flags.truncated" showname=".... ..0. .... .... = Truncated: Message is not truncated" size="2" pos="30" show="0" value="0" unmaskedvalue="2800"/>
- <field name="dns.flags.recdesired" showname=".... ...0 .... .... = Recursion desired: Don&#x27;t do query recursively" size="2" pos="30" show="0" value="0" unmaskedvalue="2800"/>
- <field name="dns.flags.z" showname=".... .... .0.. .... = Z: reserved (0)" size="2" pos="30" show="0" value="0" unmaskedvalue="2800"/>
- <field name="dns.flags.checkdisable" showname=".... .... ...0 .... = Non-authenticated data: Unacceptable" size="2" pos="30" show="0" value="0" unmaskedvalue="2800"/>
- </field>
- <field name="dns.count.zones" showname="Zones: 1" size="2" pos="32" show="1" value="0001"/>
- <field name="dns.count.prerequisites" showname="Prerequisites: 0" size="2" pos="34" show="0" value="0000"/>
- <field name="dns.count.updates" showname="Updates: 1" size="2" pos="36" show="1" value="0001"/>
- <field name="dns.count.add_rr" showname="Additional RRs: 0" size="2" pos="38" show="0" value="0000"/>
- <field name="" show="Zone" size="27" pos="40" value="0973616d626132303033076578616d706c6503636f6d0000060001">
- <field name="" show="samba2003.example.com: type SOA, class IN" size="27" pos="40" value="0973616d626132303033076578616d706c6503636f6d0000060001">
- <field name="dns.qry.name" showname="Name: samba2003.example.com" size="23" pos="40" show="samba2003.example.com" value="0973616d626132303033076578616d706c6503636f6d00"/>
- <field name="dns.qry.name.len" showname="Name Length: 21" size="23" pos="40" show="21" value="0973616d626132303033076578616d706c6503636f6d00"/>
- <field name="dns.count.labels" showname="Label Count: 3" size="23" pos="40" show="3" value="0973616d626132303033076578616d706c6503636f6d00"/>
- <field name="dns.qry.type" showname="Type: SOA (Start Of a zone of Authority) (6)" size="2" pos="63" show="6" value="0006"/>
- <field name="dns.qry.class" showname="Class: IN (0x0001)" size="2" pos="65" show="0x00000001" value="0001"/>
- </field>
- </field>
- <field name="" show="Updates" size="29" pos="67" value="0a636e616d655f74657374c00c0005000100000384000603646336c00c">
- <field name="" show="cname_test.samba2003.example.com: type CNAME, class IN, cname dc6.samba2003.example.com" size="29" pos="67" value="0a636e616d655f74657374c00c0005000100000384000603646336c00c">
- <field name="dns.resp.name" showname="Name: cname_test.samba2003.example.com" size="13" pos="67" show="cname_test.samba2003.example.com" value="0a636e616d655f74657374c00c"/>
- <field name="dns.resp.type" showname="Type: CNAME (Canonical NAME for an alias) (5)" size="2" pos="80" show="5" value="0005"/>
- <field name="dns.resp.class" showname="Class: IN (0x0001)" size="2" pos="82" show="0x00000001" value="0001"/>
- <field name="dns.resp.ttl" showname="Time to live: 900" size="4" pos="84" show="900" value="00000384"/>
- <field name="dns.resp.len" showname="Data length: 6" size="2" pos="88" show="6" value="0006"/>
- <field name="dns.cname" showname="CNAME: dc6.samba2003.example.com" size="6" pos="90" show="dc6.samba2003.example.com" value="03646336c00c"/>
- </field>
- </field>
- </proto>
-</packet>
-
-<packet>
- <proto name="geninfo" pos="0" showname="General information" size="96">
- <field name="num" pos="0" show="1167" showname="Number" value="48f" size="96"/>
- <field name="len" pos="0" show="96" showname="Frame Length" value="60" size="96"/>
- <field name="caplen" pos="0" show="96" showname="Captured Length" value="60" size="96"/>
- <field name="timestamp" pos="0" show="Feb 16, 2017 11:26:28.911149000 NZDT" showname="Captured Time" value="1487197588.911149000" size="96"/>
- </proto>
- <proto name="frame" showname="Frame 1167: 96 bytes on wire (768 bits), 96 bytes captured (768 bits)" size="96" pos="0">
- <field name="frame.encap_type" showname="Encapsulation type: Raw IP (7)" size="0" pos="0" show="7"/>
- <field name="frame.time" showname="Arrival Time: Feb 16, 2017 11:26:28.911149000 NZDT" size="0" pos="0" show="Feb 16, 2017 11:26:28.911149000 NZDT"/>
- <field name="frame.offset_shift" showname="Time shift for this packet: 0.000000000 seconds" size="0" pos="0" show="0.000000000"/>
- <field name="frame.time_epoch" showname="Epoch Time: 1487197588.911149000 seconds" size="0" pos="0" show="1487197588.911149000"/>
- <field name="frame.time_delta" showname="Time delta from previous captured frame: 0.395812000 seconds" size="0" pos="0" show="0.395812000"/>
- <field name="frame.time_delta_displayed" showname="Time delta from previous displayed frame: 0.395812000 seconds" size="0" pos="0" show="0.395812000"/>
- <field name="frame.time_relative" showname="Time since reference or first frame: 32.751855000 seconds" size="0" pos="0" show="32.751855000"/>
- <field name="frame.number" showname="Frame Number: 1167" size="0" pos="0" show="1167"/>
- <field name="frame.len" showname="Frame Length: 96 bytes (768 bits)" size="0" pos="0" show="96"/>
- <field name="frame.cap_len" showname="Capture Length: 96 bytes (768 bits)" size="0" pos="0" show="96"/>
- <field name="frame.marked" showname="Frame is marked: False" size="0" pos="0" show="0"/>
- <field name="frame.ignored" showname="Frame is ignored: False" size="0" pos="0" show="0"/>
- <field name="frame.protocols" showname="Protocols in frame: raw:ip:udp:dns" size="0" pos="0" show="raw:ip:udp:dns"/>
- </proto>
- <proto name="raw" showname="Raw packet data" size="96" pos="0"/>
- <proto name="ip" showname="Internet Protocol Version 4, Src: 0.0.0.0, Dst: 127.0.0.26" size="20" pos="0">
- <field name="ip.version" showname="0100 .... = Version: 4" size="1" pos="0" show="4" value="4" unmaskedvalue="45"/>
- <field name="ip.hdr_len" showname=".... 0101 = Header Length: 20 bytes" size="1" pos="0" show="5" value="5" unmaskedvalue="45"/>
- <field name="ip.dsfield" showname="Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)" size="1" pos="1" show="0x00000000" value="00">
- <field name="ip.dsfield.dscp" showname="0000 00.. = Differentiated Services Codepoint: Default (0)" size="1" pos="1" show="0" value="0" unmaskedvalue="00"/>
- <field name="ip.dsfield.ecn" showname=".... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)" size="1" pos="1" show="0" value="0" unmaskedvalue="00"/>
- </field>
- <field name="ip.len" showname="Total Length: 96" size="2" pos="2" show="96" value="0060"/>
- <field name="ip.id" showname="Identification: 0xffff (65535)" size="2" pos="4" show="0x0000ffff" value="ffff"/>
- <field name="ip.flags" showname="Flags: 0x02 (Don&#x27;t Fragment)" size="1" pos="6" show="0x00000002" value="40">
- <field name="ip.flags.rb" showname="0... .... = Reserved bit: Not set" size="1" pos="6" show="0" value="40"/>
- <field name="ip.flags.df" showname=".1.. .... = Don&#x27;t fragment: Set" size="1" pos="6" show="1" value="40"/>
- <field name="ip.flags.mf" showname="..0. .... = More fragments: Not set" size="1" pos="6" show="0" value="40"/>
- </field>
- <field name="ip.frag_offset" showname="Fragment offset: 0" size="2" pos="6" show="0" value="4000"/>
- <field name="ip.ttl" showname="Time to live: 255" size="1" pos="8" show="255" value="ff"/>
- <field name="ip.proto" showname="Protocol: UDP (17)" size="1" pos="9" show="17" value="11"/>
- <field name="ip.checksum" showname="Header checksum: 0x0000 [validation disabled]" size="2" pos="10" show="0x00000000" value="0000">
- <field name="ip.checksum_good" showname="Good: False" size="2" pos="10" show="0" value="0000"/>
- <field name="ip.checksum_bad" showname="Bad: False" size="2" pos="10" show="0" value="0000"/>
- </field>
- <field name="ip.src" showname="Source: 0.0.0.0" size="4" pos="12" show="0.0.0.0" value="00000000"/>
- <field name="ip.addr" showname="Source or Destination Address: 0.0.0.0" hide="yes" size="4" pos="12" show="0.0.0.0" value="00000000"/>
- <field name="ip.src_host" showname="Source Host: 0.0.0.0" hide="yes" size="4" pos="12" show="0.0.0.0" value="00000000"/>
- <field name="ip.host" showname="Source or Destination Host: 0.0.0.0" hide="yes" size="4" pos="12" show="0.0.0.0" value="00000000"/>
- <field name="ip.dst" showname="Destination: 127.0.0.26" size="4" pos="16" show="127.0.0.26" value="7f00001a"/>
- <field name="ip.addr" showname="Source or Destination Address: 127.0.0.26" hide="yes" size="4" pos="16" show="127.0.0.26" value="7f00001a"/>
- <field name="ip.dst_host" showname="Destination Host: 127.0.0.26" hide="yes" size="4" pos="16" show="127.0.0.26" value="7f00001a"/>
- <field name="ip.host" showname="Source or Destination Host: 127.0.0.26" hide="yes" size="4" pos="16" show="127.0.0.26" value="7f00001a"/>
- <field name="" show="Source GeoIP: Unknown" size="4" pos="12" value="00000000"/>
- <field name="" show="Destination GeoIP: Unknown" size="4" pos="16" value="7f00001a"/>
- </proto>
- <proto name="udp" showname="User Datagram Protocol, Src Port: 53 (53), Dst Port: 31989 (31989)" size="8" pos="20">
- <field name="udp.srcport" showname="Source Port: 53" size="2" pos="20" show="53" value="0035"/>
- <field name="udp.dstport" showname="Destination Port: 31989" size="2" pos="22" show="31989" value="7cf5"/>
- <field name="udp.port" showname="Source or Destination Port: 53" hide="yes" size="2" pos="20" show="53" value="0035"/>
- <field name="udp.port" showname="Source or Destination Port: 31989" hide="yes" size="2" pos="22" show="31989" value="7cf5"/>
- <field name="udp.length" showname="Length: 76" size="2" pos="24" show="76" value="004c"/>
- <field name="udp.checksum" showname="Checksum: 0x0000 (none)" size="2" pos="26" show="0x00000000" value="0000">
- <field name="udp.checksum_good" showname="Good Checksum: False" size="2" pos="26" show="0" value="0000"/>
- <field name="udp.checksum_bad" showname="Bad Checksum: False" size="2" pos="26" show="0" value="0000"/>
- </field>
- <field name="udp.stream" showname="Stream index: 76" size="0" pos="28" show="76"/>
- </proto>
- <proto name="dns" showname="Domain Name System (response)" size="68" pos="28">
- <field name="dns.response_to" showname="Request In: 1166" size="0" pos="28" show="1166"/>
- <field name="dns.time" showname="Time: 0.395812000 seconds" size="0" pos="28" show="0.395812000"/>
- <field name="dns.id" showname="Transaction ID: 0x1b5d" size="2" pos="28" show="0x00001b5d" value="1b5d"/>
- <field name="dns.flags" showname="Flags: 0xa880 Dynamic update response, No error" size="2" pos="30" show="0x0000a880" value="a880">
- <field name="dns.flags.response" showname="1... .... .... .... = Response: Message is a response" size="2" pos="30" show="1" value="FFFFFFFF" unmaskedvalue="a880"/>
- <field name="dns.flags.opcode" showname=".010 1... .... .... = Opcode: Dynamic update (5)" size="2" pos="30" show="5" value="5" unmaskedvalue="a880"/>
- <field name="dns.flags.authoritative" showname=".... .0.. .... .... = Authoritative: Server is not an authority for domain" size="2" pos="30" show="0" value="0" unmaskedvalue="a880"/>
- <field name="dns.flags.truncated" showname=".... ..0. .... .... = Truncated: Message is not truncated" size="2" pos="30" show="0" value="0" unmaskedvalue="a880"/>
- <field name="dns.flags.recdesired" showname=".... ...0 .... .... = Recursion desired: Don&#x27;t do query recursively" size="2" pos="30" show="0" value="0" unmaskedvalue="a880"/>
- <field name="dns.flags.recavail" showname=".... .... 1... .... = Recursion available: Server can do recursive queries" size="2" pos="30" show="1" value="FFFFFFFF" unmaskedvalue="a880"/>
- <field name="dns.flags.z" showname=".... .... .0.. .... = Z: reserved (0)" size="2" pos="30" show="0" value="0" unmaskedvalue="a880"/>
- <field name="dns.flags.authenticated" showname=".... .... ..0. .... = Answer authenticated: Answer/authority portion was not authenticated by the server" size="2" pos="30" show="0" value="0" unmaskedvalue="a880"/>
- <field name="dns.flags.checkdisable" showname=".... .... ...0 .... = Non-authenticated data: Unacceptable" size="2" pos="30" show="0" value="0" unmaskedvalue="a880"/>
- <field name="dns.flags.rcode" showname=".... .... .... 0000 = Reply code: No error (0)" size="2" pos="30" show="0" value="0" unmaskedvalue="a880"/>
- </field>
- <field name="dns.count.zones" showname="Zones: 1" size="2" pos="32" show="1" value="0001"/>
- <field name="dns.count.prerequisites" showname="Prerequisites: 0" size="2" pos="34" show="0" value="0000"/>
- <field name="dns.count.updates" showname="Updates: 1" size="2" pos="36" show="1" value="0001"/>
- <field name="dns.count.add_rr" showname="Additional RRs: 0" size="2" pos="38" show="0" value="0000"/>
- <field name="" show="Zone" size="27" pos="40" value="0973616d626132303033076578616d706c6503636f6d0000060001">
- <field name="" show="samba2003.example.com: type SOA, class IN" size="27" pos="40" value="0973616d626132303033076578616d706c6503636f6d0000060001">
- <field name="dns.qry.name" showname="Name: samba2003.example.com" size="23" pos="40" show="samba2003.example.com" value="0973616d626132303033076578616d706c6503636f6d00"/>
- <field name="dns.qry.name.len" showname="Name Length: 21" size="23" pos="40" show="21" value="0973616d626132303033076578616d706c6503636f6d00"/>
- <field name="dns.count.labels" showname="Label Count: 3" size="23" pos="40" show="3" value="0973616d626132303033076578616d706c6503636f6d00"/>
- <field name="dns.qry.type" showname="Type: SOA (Start Of a zone of Authority) (6)" size="2" pos="63" show="6" value="0006"/>
- <field name="dns.qry.class" showname="Class: IN (0x0001)" size="2" pos="65" show="0x00000001" value="0001"/>
- </field>
- </field>
- <field name="" show="Updates" size="29" pos="67" value="0a636e616d655f74657374c00c0005000100000384000603646336c00c">
- <field name="" show="cname_test.samba2003.example.com: type CNAME, class IN, cname dc6.samba2003.example.com" size="29" pos="67" value="0a636e616d655f74657374c00c0005000100000384000603646336c00c">
- <field name="dns.resp.name" showname="Name: cname_test.samba2003.example.com" size="13" pos="67" show="cname_test.samba2003.example.com" value="0a636e616d655f74657374c00c"/>
- <field name="dns.resp.type" showname="Type: CNAME (Canonical NAME for an alias) (5)" size="2" pos="80" show="5" value="0005"/>
- <field name="dns.resp.class" showname="Class: IN (0x0001)" size="2" pos="82" show="0x00000001" value="0001"/>
- <field name="dns.resp.ttl" showname="Time to live: 900" size="4" pos="84" show="900" value="00000384"/>
- <field name="dns.resp.len" showname="Data length: 6" size="2" pos="88" show="6" value="0006"/>
- <field name="dns.cname" showname="CNAME: dc6.samba2003.example.com" size="6" pos="90" show="dc6.samba2003.example.com" value="03646336c00c"/>
- </field>
- </field>
- </proto>
-</packet>
-
-<packet>
- <proto name="geninfo" pos="0" showname="General information" size="328">
- <field name="num" pos="0" show="1380" showname="Number" value="564" size="328"/>
- <field name="len" pos="0" show="328" showname="Frame Length" value="148" size="328"/>
- <field name="caplen" pos="0" show="328" showname="Captured Length" value="148" size="328"/>
- <field name="timestamp" pos="0" show="Feb 16, 2017 11:26:29.619792000 NZDT" showname="Captured Time" value="1487197589.619792000" size="328"/>
- </proto>
- <proto name="frame" showname="Frame 1380: 328 bytes on wire (2624 bits), 328 bytes captured (2624 bits)" size="328" pos="0">
- <field name="frame.encap_type" showname="Encapsulation type: Raw IP (7)" size="0" pos="0" show="7"/>
- <field name="frame.time" showname="Arrival Time: Feb 16, 2017 11:26:29.619792000 NZDT" size="0" pos="0" show="Feb 16, 2017 11:26:29.619792000 NZDT"/>
- <field name="frame.offset_shift" showname="Time shift for this packet: 0.000000000 seconds" size="0" pos="0" show="0.000000000"/>
- <field name="frame.time_epoch" showname="Epoch Time: 1487197589.619792000 seconds" size="0" pos="0" show="1487197589.619792000"/>
- <field name="frame.time_delta" showname="Time delta from previous captured frame: 0.000186000 seconds" size="0" pos="0" show="0.000186000"/>
- <field name="frame.time_delta_displayed" showname="Time delta from previous displayed frame: 0.000186000 seconds" size="0" pos="0" show="0.000186000"/>
- <field name="frame.time_relative" showname="Time since reference or first frame: 33.460498000 seconds" size="0" pos="0" show="33.460498000"/>
- <field name="frame.number" showname="Frame Number: 1380" size="0" pos="0" show="1380"/>
- <field name="frame.len" showname="Frame Length: 328 bytes (2624 bits)" size="0" pos="0" show="328"/>
- <field name="frame.cap_len" showname="Capture Length: 328 bytes (2624 bits)" size="0" pos="0" show="328"/>
- <field name="frame.marked" showname="Frame is marked: False" size="0" pos="0" show="0"/>
- <field name="frame.ignored" showname="Frame is ignored: False" size="0" pos="0" show="0"/>
- <field name="frame.protocols" showname="Protocols in frame: raw:ip:tcp:dcerpc:ntlmssp" size="0" pos="0" show="raw:ip:tcp:dcerpc:ntlmssp"/>
- </proto>
- <proto name="raw" showname="Raw packet data" size="328" pos="0"/>
- <proto name="ip" showname="Internet Protocol Version 4, Src: 127.0.0.26, Dst: 127.0.0.26" size="20" pos="0">
- <field name="ip.version" showname="0100 .... = Version: 4" size="1" pos="0" show="4" value="4" unmaskedvalue="45"/>
- <field name="ip.hdr_len" showname=".... 0101 = Header Length: 20 bytes" size="1" pos="0" show="5" value="5" unmaskedvalue="45"/>
- <field name="ip.dsfield" showname="Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)" size="1" pos="1" show="0x00000000" value="00">
- <field name="ip.dsfield.dscp" showname="0000 00.. = Differentiated Services Codepoint: Default (0)" size="1" pos="1" show="0" value="0" unmaskedvalue="00"/>
- <field name="ip.dsfield.ecn" showname=".... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)" size="1" pos="1" show="0" value="0" unmaskedvalue="00"/>
- </field>
- <field name="ip.len" showname="Total Length: 328" size="2" pos="2" show="328" value="0148"/>
- <field name="ip.id" showname="Identification: 0xffff (65535)" size="2" pos="4" show="0x0000ffff" value="ffff"/>
- <field name="ip.flags" showname="Flags: 0x02 (Don&#x27;t Fragment)" size="1" pos="6" show="0x00000002" value="40">
- <field name="ip.flags.rb" showname="0... .... = Reserved bit: Not set" size="1" pos="6" show="0" value="40"/>
- <field name="ip.flags.df" showname=".1.. .... = Don&#x27;t fragment: Set" size="1" pos="6" show="1" value="40"/>
- <field name="ip.flags.mf" showname="..0. .... = More fragments: Not set" size="1" pos="6" show="0" value="40"/>
- </field>
- <field name="ip.frag_offset" showname="Fragment offset: 0" size="2" pos="6" show="0" value="4000"/>
- <field name="ip.ttl" showname="Time to live: 255" size="1" pos="8" show="255" value="ff"/>
- <field name="ip.proto" showname="Protocol: TCP (6)" size="1" pos="9" show="6" value="06"/>
- <field name="ip.checksum" showname="Header checksum: 0x0000 [validation disabled]" size="2" pos="10" show="0x00000000" value="0000">
- <field name="ip.checksum_good" showname="Good: False" size="2" pos="10" show="0" value="0000"/>
- <field name="ip.checksum_bad" showname="Bad: False" size="2" pos="10" show="0" value="0000"/>
- </field>
- <field name="ip.src" showname="Source: 127.0.0.26" size="4" pos="12" show="127.0.0.26" value="7f00001a"/>
- <field name="ip.addr" showname="Source or Destination Address: 127.0.0.26" hide="yes" size="4" pos="12" show="127.0.0.26" value="7f00001a"/>
- <field name="ip.src_host" showname="Source Host: 127.0.0.26" hide="yes" size="4" pos="12" show="127.0.0.26" value="7f00001a"/>
- <field name="ip.host" showname="Source or Destination Host: 127.0.0.26" hide="yes" size="4" pos="12" show="127.0.0.26" value="7f00001a"/>
- <field name="ip.dst" showname="Destination: 127.0.0.26" size="4" pos="16" show="127.0.0.26" value="7f00001a"/>
- <field name="ip.addr" showname="Source or Destination Address: 127.0.0.26" hide="yes" size="4" pos="16" show="127.0.0.26" value="7f00001a"/>
- <field name="ip.dst_host" showname="Destination Host: 127.0.0.26" hide="yes" size="4" pos="16" show="127.0.0.26" value="7f00001a"/>
- <field name="ip.host" showname="Source or Destination Host: 127.0.0.26" hide="yes" size="4" pos="16" show="127.0.0.26" value="7f00001a"/>
- <field name="" show="Source GeoIP: Unknown" size="4" pos="12" value="7f00001a"/>
- <field name="" show="Destination GeoIP: Unknown" size="4" pos="16" value="7f00001a"/>
- </proto>
- <proto name="tcp" showname="Transmission Control Protocol, Src Port: 32030 (32030), Dst Port: 49152 (49152), Seq: 799, Ack: 439, Len: 288" size="20" pos="20">
- <field name="tcp.srcport" showname="Source Port: 32030" size="2" pos="20" show="32030" value="7d1e"/>
- <field name="tcp.dstport" showname="Destination Port: 49152" size="2" pos="22" show="49152" value="c000"/>
- <field name="tcp.port" showname="Source or Destination Port: 32030" hide="yes" size="2" pos="20" show="32030" value="7d1e"/>
- <field name="tcp.port" showname="Source or Destination Port: 49152" hide="yes" size="2" pos="22" show="49152" value="c000"/>
- <field name="tcp.stream" showname="Stream index: 29" size="0" pos="20" show="29"/>
- <field name="tcp.len" showname="TCP Segment Len: 288" size="1" pos="32" show="288" value="50"/>
- <field name="tcp.seq" showname="Sequence number: 799 (relative sequence number)" size="4" pos="24" show="799" value="0000031f"/>
- <field name="tcp.nxtseq" showname="Next sequence number: 1087 (relative sequence number)" size="0" pos="20" show="1087"/>
- <field name="tcp.ack" showname="Acknowledgment number: 439 (relative ack number)" size="4" pos="28" show="439" value="000001b7"/>
- <field name="tcp.hdr_len" showname="Header Length: 20 bytes" size="1" pos="32" show="20" value="50"/>
- <field name="tcp.flags" showname="Flags: 0x018 (PSH, ACK)" size="2" pos="32" show="0x00000018" value="18" unmaskedvalue="5018">
- <field name="tcp.flags.res" showname="000. .... .... = Reserved: Not set" size="1" pos="32" show="0" value="0" unmaskedvalue="50"/>
- <field name="tcp.flags.ns" showname="...0 .... .... = Nonce: Not set" size="1" pos="32" show="0" value="0" unmaskedvalue="50"/>
- <field name="tcp.flags.cwr" showname=".... 0... .... = Congestion Window Reduced (CWR): Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
- <field name="tcp.flags.ecn" showname=".... .0.. .... = ECN-Echo: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
- <field name="tcp.flags.urg" showname=".... ..0. .... = Urgent: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
- <field name="tcp.flags.ack" showname=".... ...1 .... = Acknowledgment: Set" size="1" pos="33" show="1" value="FFFFFFFF" unmaskedvalue="18"/>
- <field name="tcp.flags.push" showname=".... .... 1... = Push: Set" size="1" pos="33" show="1" value="FFFFFFFF" unmaskedvalue="18"/>
- <field name="tcp.flags.reset" showname=".... .... .0.. = Reset: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
- <field name="tcp.flags.syn" showname=".... .... ..0. = Syn: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
- <field name="tcp.flags.fin" showname=".... .... ...0 = Fin: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
- <field name="tcp.flags.str" showname="TCP Flags: *******AP***" size="2" pos="32" show="*******AP***" value="5018"/>
- </field>
- <field name="tcp.window_size_value" showname="Window size value: 32767" size="2" pos="34" show="32767" value="7fff"/>
- <field name="tcp.window_size" showname="Calculated window size: 32767" size="2" pos="34" show="32767" value="7fff"/>
- <field name="tcp.window_size_scalefactor" showname="Window size scaling factor: -2 (no window scaling used)" size="2" pos="34" show="-2" value="7fff"/>
- <field name="tcp.checksum" showname="Checksum: 0x0000 [validation disabled]" size="2" pos="36" show="0x00000000" value="0000">
- <field name="tcp.checksum_good" showname="Good Checksum: False" size="2" pos="36" show="0" value="0000"/>
- <field name="tcp.checksum_bad" showname="Bad Checksum: False" size="2" pos="36" show="0" value="0000"/>
- </field>
- <field name="tcp.urgent_pointer" showname="Urgent pointer: 0" size="2" pos="38" show="0" value="0000"/>
- <field name="tcp.analysis" showname="SEQ/ACK analysis" size="0" pos="20" show="" value="">
- <field name="tcp.analysis.acks_frame" showname="This is an ACK to the segment in frame: 1377" size="0" pos="20" show="1377"/>
- <field name="tcp.analysis.ack_rtt" showname="The RTT to ACK the segment was: 0.000209000 seconds" size="0" pos="20" show="0.000209000"/>
- <field name="tcp.analysis.initial_rtt" showname="iRTT: 0.000014000 seconds" size="0" pos="20" show="0.000014000"/>
- <field name="tcp.analysis.bytes_in_flight" showname="Bytes in flight: 288" size="0" pos="20" show="288"/>
- </field>
- </proto>
- <proto name="dcerpc" showname="Distributed Computing Environment / Remote Procedure Call (DCE/RPC) Request, Fragment: Single, FragLen: 288, Call: 2, Ctx: 0" size="288" pos="40">
- <field name="dcerpc.ver" showname="Version: 5" size="1" pos="40" show="5" value="05"/>
- <field name="dcerpc.ver_minor" showname="Version (minor): 0" size="1" pos="41" show="0" value="00"/>
- <field name="dcerpc.pkt_type" showname="Packet type: Request (0)" size="1" pos="42" show="0" value="00"/>
- <field name="dcerpc.cn_flags" showname="Packet Flags: 0x03" size="1" pos="43" show="0x00000003" value="03">
- <field name="dcerpc.cn_flags.object" showname="0... .... = Object: Not set" size="1" pos="43" show="0" value="0" unmaskedvalue="03"/>
- <field name="dcerpc.cn_flags.maybe" showname=".0.. .... = Maybe: Not set" size="1" pos="43" show="0" value="0" unmaskedvalue="03"/>
- <field name="dcerpc.cn_flags.dne" showname="..0. .... = Did Not Execute: Not set" size="1" pos="43" show="0" value="0" unmaskedvalue="03"/>
- <field name="dcerpc.cn_flags.mpx" showname="...0 .... = Multiplex: Not set" size="1" pos="43" show="0" value="0" unmaskedvalue="03"/>
- <field name="dcerpc.cn_flags.reserved" showname=".... 0... = Reserved: Not set" size="1" pos="43" show="0" value="0" unmaskedvalue="03"/>
- <field name="dcerpc.cn_flags.cancel_pending" showname=".... .0.. = Cancel Pending: Not set" size="1" pos="43" show="0" value="0" unmaskedvalue="03"/>
- <field name="dcerpc.cn_flags.last_frag" showname=".... ..1. = Last Frag: Set" size="1" pos="43" show="1" value="FFFFFFFF" unmaskedvalue="03"/>
- <field name="dcerpc.cn_flags.first_frag" showname=".... ...1 = First Frag: Set" size="1" pos="43" show="1" value="FFFFFFFF" unmaskedvalue="03"/>
- </field>
- <field name="dcerpc.drep" showname="Data Representation: 10000000" size="4" pos="44" show="10:00:00:00" value="10000000">
- <field name="dcerpc.drep.byteorder" showname="Byte order: Little-endian (1)" size="1" pos="44" show="1" value="10"/>
- <field name="dcerpc.drep.character" showname="Character: ASCII (0)" size="1" pos="44" show="0" value="10"/>
- <field name="dcerpc.drep.fp" showname="Floating-point: IEEE (0)" size="1" pos="45" show="0" value="00"/>
- </field>
- <field name="dcerpc.cn_frag_len" showname="Frag Length: 288" size="2" pos="48" show="288" value="2001"/>
- <field name="dcerpc.cn_auth_len" showname="Auth Length: 16" size="2" pos="50" show="16" value="1000"/>
- <field name="dcerpc.cn_call_id" showname="Call ID: 2" size="4" pos="52" show="2" value="02000000"/>
- <field name="dcerpc.cn_alloc_hint" showname="Alloc hint: 236" size="4" pos="56" show="236" value="ec000000"/>
- <field name="dcerpc.cn_ctx_id" showname="Context ID: 0" size="2" pos="60" show="0" value="0000"/>
- <field name="dcerpc.opnum" showname="Opnum: 9" size="2" pos="62" show="9" value="0900"/>
- <field name="dcerpc.auth_type" showname="Auth type: SPNEGO (9)" size="1" pos="304" show="9" value="09"/>
- <field name="dcerpc.auth_level" showname="Auth level: Packet integrity (5)" size="1" pos="305" show="5" value="05"/>
- <field name="dcerpc.auth_pad_len" showname="Auth pad len: 4" size="1" pos="306" show="4" value="04"/>
- <field name="dcerpc.auth_rsrvd" showname="Auth Rsrvd: 0" size="1" pos="307" show="0" value="00"/>
- <field name="dcerpc.auth_ctx_id" showname="Auth Context ID: 1" size="4" pos="308" show="1" value="01000000"/>
- <field name="dcerpc.auth_padding" showname="Auth Padding: 00000000" size="4" pos="300" show="00:00:00:00" value="00000000"/>
- <proto name="gss-api" showname="GSS-API Generic Security Service Application Program Interface" size="28" pos="312">
- <field name="ntlmssp.verf" showname="NTLMSSP Verifier" size="16" pos="312" show="" value="">
- <field name="ntlmssp.verf.vers" showname="Version Number: 1" size="4" pos="312" show="1" value="01000000"/>
- <field name="ntlmssp.verf.body" showname="Verifier Body: 9f7b95490561ec3101000000" size="12" pos="316" show="9f:7b:95:49:05:61:ec:31:01:00:00:00" value="9f7b95490561ec3101000000"/>
- </field>
- </proto>
- </proto>
- <proto name="dnsserver" showname="DNS Server, DnssrvUpdateRecord2" size="236" pos="64">
- <field name="dnsserver.opnum" showname="Operation: DnssrvUpdateRecord2 (9)" size="0" pos="64" show="9"/>
- <field name="" show="Long frame" size="236" pos="64" value="0000070000000000000002000b000000000000000b0000003100320037002e0030002e0030002e0032003600000000000400020016000000000000001600000073616d6261323030332e6578616d706c652e636f6d000000260000000000000026000000727063656d707479746578747265632e73616d6261323030332e6578616d706c652e636f6d000000080002000000000000001000f000000001000000840300000000000000000000000000008ae3137102f43671010004000100000002402800a4c2ab504d57b3409d66ee4fd5fba07605000000045d888aeb1cc9119fe808002b10486002000000">
- <field name="_ws.expert" showname="Expert Info (Warn/Protocol): Long frame" size="0" pos="64">
- <field name="dcerpc.long_frame" showname="Long frame" size="0" pos="0" show="" value=""/>
- <field name="_ws.expert.message" showname="Message: Long frame" hide="yes" size="0" pos="0" show="Long frame"/>
- <field name="_ws.expert.severity" showname="Severity level: Warn" size="0" pos="0" show="0x00600000"/>
- <field name="_ws.expert.group" showname="Group: Protocol" size="0" pos="0" show="0x09000000"/>
- </field>
- </field>
- </proto>
-</packet>
-
-<packet>
- <proto name="geninfo" pos="0" showname="General information" size="160">
- <field name="num" pos="0" show="496" showname="Number" value="1f0" size="160"/>
- <field name="len" pos="0" show="160" showname="Frame Length" value="a0" size="160"/>
- <field name="caplen" pos="0" show="160" showname="Captured Length" value="a0" size="160"/>
- <field name="timestamp" pos="0" show="Feb 16, 2017 12:18:10.757022000 NZDT" showname="Captured Time" value="1487200690.757022000" size="160"/>
- </proto>
- <proto name="frame" showname="Frame 496: 160 bytes on wire (1280 bits), 160 bytes captured (1280 bits)" size="160" pos="0">
- <field name="frame.encap_type" showname="Encapsulation type: Raw IP (7)" size="0" pos="0" show="7"/>
- <field name="frame.time" showname="Arrival Time: Feb 16, 2017 12:18:10.757022000 NZDT" size="0" pos="0" show="Feb 16, 2017 12:18:10.757022000 NZDT"/>
- <field name="frame.offset_shift" showname="Time shift for this packet: 0.000000000 seconds" size="0" pos="0" show="0.000000000"/>
- <field name="frame.time_epoch" showname="Epoch Time: 1487200690.757022000 seconds" size="0" pos="0" show="1487200690.757022000"/>
- <field name="frame.time_delta" showname="Time delta from previous captured frame: 0.000083000 seconds" size="0" pos="0" show="0.000083000"/>
- <field name="frame.time_delta_displayed" showname="Time delta from previous displayed frame: 0.000083000 seconds" size="0" pos="0" show="0.000083000"/>
- <field name="frame.time_relative" showname="Time since reference or first frame: 5.519298000 seconds" size="0" pos="0" show="5.519298000"/>
- <field name="frame.number" showname="Frame Number: 496" size="0" pos="0" show="496"/>
- <field name="frame.len" showname="Frame Length: 160 bytes (1280 bits)" size="0" pos="0" show="160"/>
- <field name="frame.cap_len" showname="Capture Length: 160 bytes (1280 bits)" size="0" pos="0" show="160"/>
- <field name="frame.marked" showname="Frame is marked: False" size="0" pos="0" show="0"/>
- <field name="frame.ignored" showname="Frame is ignored: False" size="0" pos="0" show="0"/>
- <field name="frame.protocols" showname="Protocols in frame: raw:ip:tcp:nbss:smb:dcerpc" size="0" pos="0" show="raw:ip:tcp:nbss:smb:dcerpc"/>
- </proto>
- <proto name="raw" showname="Raw packet data" size="160" pos="0"/>
- <proto name="ip" showname="Internet Protocol Version 4, Src: 127.0.0.11, Dst: 127.0.0.21" size="20" pos="0">
- <field name="ip.version" showname="0100 .... = Version: 4" size="1" pos="0" show="4" value="4" unmaskedvalue="45"/>
- <field name="ip.hdr_len" showname=".... 0101 = Header Length: 20 bytes" size="1" pos="0" show="5" value="5" unmaskedvalue="45"/>
- <field name="ip.dsfield" showname="Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)" size="1" pos="1" show="0x00000000" value="00">
- <field name="ip.dsfield.dscp" showname="0000 00.. = Differentiated Services Codepoint: Default (0)" size="1" pos="1" show="0" value="0" unmaskedvalue="00"/>
- <field name="ip.dsfield.ecn" showname=".... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)" size="1" pos="1" show="0" value="0" unmaskedvalue="00"/>
- </field>
- <field name="ip.len" showname="Total Length: 160" size="2" pos="2" show="160" value="00a0"/>
- <field name="ip.id" showname="Identification: 0xffff (65535)" size="2" pos="4" show="0x0000ffff" value="ffff"/>
- <field name="ip.flags" showname="Flags: 0x02 (Don&#x27;t Fragment)" size="1" pos="6" show="0x00000002" value="40">
- <field name="ip.flags.rb" showname="0... .... = Reserved bit: Not set" size="1" pos="6" show="0" value="40"/>
- <field name="ip.flags.df" showname=".1.. .... = Don&#x27;t fragment: Set" size="1" pos="6" show="1" value="40"/>
- <field name="ip.flags.mf" showname="..0. .... = More fragments: Not set" size="1" pos="6" show="0" value="40"/>
- </field>
- <field name="ip.frag_offset" showname="Fragment offset: 0" size="2" pos="6" show="0" value="4000"/>
- <field name="ip.ttl" showname="Time to live: 255" size="1" pos="8" show="255" value="ff"/>
- <field name="ip.proto" showname="Protocol: TCP (6)" size="1" pos="9" show="6" value="06"/>
- <field name="ip.checksum" showname="Header checksum: 0x0000 [validation disabled]" size="2" pos="10" show="0x00000000" value="0000">
- <field name="ip.checksum_good" showname="Good: False" size="2" pos="10" show="0" value="0000"/>
- <field name="ip.checksum_bad" showname="Bad: False" size="2" pos="10" show="0" value="0000"/>
- </field>
- <field name="ip.src" showname="Source: 127.0.0.11" size="4" pos="12" show="127.0.0.11" value="7f00000b"/>
- <field name="ip.addr" showname="Source or Destination Address: 127.0.0.11" hide="yes" size="4" pos="12" show="127.0.0.11" value="7f00000b"/>
- <field name="ip.src_host" showname="Source Host: 127.0.0.11" hide="yes" size="4" pos="12" show="127.0.0.11" value="7f00000b"/>
- <field name="ip.host" showname="Source or Destination Host: 127.0.0.11" hide="yes" size="4" pos="12" show="127.0.0.11" value="7f00000b"/>
- <field name="ip.dst" showname="Destination: 127.0.0.21" size="4" pos="16" show="127.0.0.21" value="7f000015"/>
- <field name="ip.addr" showname="Source or Destination Address: 127.0.0.21" hide="yes" size="4" pos="16" show="127.0.0.21" value="7f000015"/>
- <field name="ip.dst_host" showname="Destination Host: 127.0.0.21" hide="yes" size="4" pos="16" show="127.0.0.21" value="7f000015"/>
- <field name="ip.host" showname="Source or Destination Host: 127.0.0.21" hide="yes" size="4" pos="16" show="127.0.0.21" value="7f000015"/>
- <field name="" show="Source GeoIP: Unknown" size="4" pos="12" value="7f00000b"/>
- <field name="" show="Destination GeoIP: Unknown" size="4" pos="16" value="7f000015"/>
- </proto>
- <proto name="tcp" showname="Transmission Control Protocol, Src Port: 19094 (19094), Dst Port: 445 (445), Seq: 2889, Ack: 1672, Len: 120" size="20" pos="20">
- <field name="tcp.srcport" showname="Source Port: 19094" size="2" pos="20" show="19094" value="4a96"/>
- <field name="tcp.dstport" showname="Destination Port: 445" size="2" pos="22" show="445" value="01bd"/>
- <field name="tcp.port" showname="Source or Destination Port: 19094" hide="yes" size="2" pos="20" show="19094" value="4a96"/>
- <field name="tcp.port" showname="Source or Destination Port: 445" hide="yes" size="2" pos="22" show="445" value="01bd"/>
- <field name="tcp.stream" showname="Stream index: 10" size="0" pos="20" show="10"/>
- <field name="tcp.len" showname="TCP Segment Len: 120" size="1" pos="32" show="120" value="50"/>
- <field name="tcp.seq" showname="Sequence number: 2889 (relative sequence number)" size="4" pos="24" show="2889" value="00000b49"/>
- <field name="tcp.nxtseq" showname="Next sequence number: 3009 (relative sequence number)" size="0" pos="20" show="3009"/>
- <field name="tcp.ack" showname="Acknowledgment number: 1672 (relative ack number)" size="4" pos="28" show="1672" value="00000688"/>
- <field name="tcp.hdr_len" showname="Header Length: 20 bytes" size="1" pos="32" show="20" value="50"/>
- <field name="tcp.flags" showname="Flags: 0x018 (PSH, ACK)" size="2" pos="32" show="0x00000018" value="18" unmaskedvalue="5018">
- <field name="tcp.flags.res" showname="000. .... .... = Reserved: Not set" size="1" pos="32" show="0" value="0" unmaskedvalue="50"/>
- <field name="tcp.flags.ns" showname="...0 .... .... = Nonce: Not set" size="1" pos="32" show="0" value="0" unmaskedvalue="50"/>
- <field name="tcp.flags.cwr" showname=".... 0... .... = Congestion Window Reduced (CWR): Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
- <field name="tcp.flags.ecn" showname=".... .0.. .... = ECN-Echo: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
- <field name="tcp.flags.urg" showname=".... ..0. .... = Urgent: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
- <field name="tcp.flags.ack" showname=".... ...1 .... = Acknowledgment: Set" size="1" pos="33" show="1" value="FFFFFFFF" unmaskedvalue="18"/>
- <field name="tcp.flags.push" showname=".... .... 1... = Push: Set" size="1" pos="33" show="1" value="FFFFFFFF" unmaskedvalue="18"/>
- <field name="tcp.flags.reset" showname=".... .... .0.. = Reset: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
- <field name="tcp.flags.syn" showname=".... .... ..0. = Syn: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
- <field name="tcp.flags.fin" showname=".... .... ...0 = Fin: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
- <field name="tcp.flags.str" showname="TCP Flags: *******AP***" size="2" pos="32" show="*******AP***" value="5018"/>
- </field>
- <field name="tcp.window_size_value" showname="Window size value: 32767" size="2" pos="34" show="32767" value="7fff"/>
- <field name="tcp.window_size" showname="Calculated window size: 32767" size="2" pos="34" show="32767" value="7fff"/>
- <field name="tcp.window_size_scalefactor" showname="Window size scaling factor: -2 (no window scaling used)" size="2" pos="34" show="-2" value="7fff"/>
- <field name="tcp.checksum" showname="Checksum: 0x0000 [validation disabled]" size="2" pos="36" show="0x00000000" value="0000">
- <field name="tcp.checksum_good" showname="Good Checksum: False" size="2" pos="36" show="0" value="0000"/>
- <field name="tcp.checksum_bad" showname="Bad Checksum: False" size="2" pos="36" show="0" value="0000"/>
- </field>
- <field name="tcp.urgent_pointer" showname="Urgent pointer: 0" size="2" pos="38" show="0" value="0000"/>
- <field name="tcp.analysis" showname="SEQ/ACK analysis" size="0" pos="20" show="" value="">
- <field name="tcp.analysis.acks_frame" showname="This is an ACK to the segment in frame: 493" size="0" pos="20" show="493"/>
- <field name="tcp.analysis.ack_rtt" showname="The RTT to ACK the segment was: 0.000154000 seconds" size="0" pos="20" show="0.000154000"/>
- <field name="tcp.analysis.initial_rtt" showname="iRTT: 0.000013000 seconds" size="0" pos="20" show="0.000013000"/>
- <field name="tcp.analysis.bytes_in_flight" showname="Bytes in flight: 120" size="0" pos="20" show="120"/>
- </field>
- </proto>
- <proto name="nbss" showname="NetBIOS Session Service" size="120" pos="40">
- <field name="nbss.type" showname="Message Type: Session message (0x00)" size="1" pos="40" show="0x00000000" value="00"/>
- <field name="nbss.length" showname="Length: 116" size="3" pos="41" show="116" value="000074"/>
- </proto>
- <proto name="smb" showname="SMB (Server Message Block Protocol)" size="116" pos="44">
- <field name="" show="SMB Header" size="32" pos="44" value="ff534d4225000000001857c80000644f31ab2d1ec497000002e9000025190a00">
- <field name="smb.server_component" showname="Server Component: SMB" size="4" pos="44" show="0x424d53ff" value="ff534d42"/>
- <field name="smb.cmd" showname="SMB Command: Trans (0x25)" size="1" pos="48" show="37" value="25"/>
- <field name="smb.nt_status" showname="NT Status: STATUS_SUCCESS (0x00000000)" size="4" pos="49" show="0" value="00000000"/>
- <field name="smb.flags" showname="Flags: 0x18, Canonicalized Pathnames, Case Sensitivity" size="1" pos="53" show="0x00000018" value="18">
- <field name="smb.flags.response" showname="0... .... = Request/Response: Message is a request to the server" size="1" pos="53" show="0" value="0" unmaskedvalue="18"/>
- <field name="smb.flags.notify" showname=".0.. .... = Notify: Notify client only on open" size="1" pos="53" show="0" value="0" unmaskedvalue="18"/>
- <field name="smb.flags.oplock" showname="..0. .... = Oplocks: OpLock not requested/granted" size="1" pos="53" show="0" value="0" unmaskedvalue="18"/>
- <field name="smb.flags.canon" showname="...1 .... = Canonicalized Pathnames: Pathnames are canonicalized" size="1" pos="53" show="1" value="FFFFFFFF" unmaskedvalue="18"/>
- <field name="smb.flags.caseless" showname=".... 1... = Case Sensitivity: Path names are caseless" size="1" pos="53" show="1" value="FFFFFFFF" unmaskedvalue="18"/>
- <field name="smb.flags.receive_buffer" showname=".... ..0. = Receive Buffer Posted: Receive buffer has not been posted" size="1" pos="53" show="0" value="0" unmaskedvalue="18"/>
- <field name="smb.flags.lock" showname=".... ...0 = Lock and Read: Lock&amp;Read, Write&amp;Unlock are not supported" size="1" pos="53" show="0" value="0" unmaskedvalue="18"/>
- </field>
- <field name="smb.flags2" showname="Flags2: 0xc857, Unicode Strings, Error Code Type, Extended Security Negotiation, Long Names Used, Security Signatures Required, Security Signatures, Extended Attributes, Long Names Allowed" size="2" pos="54" show="0x0000c857" value="57c8">
- <field name="smb.flags2.string" showname="1... .... .... .... = Unicode Strings: Strings are Unicode" size="2" pos="54" show="1" value="FFFFFFFF" unmaskedvalue="57c8"/>
- <field name="smb.flags2.nt_error" showname=".1.. .... .... .... = Error Code Type: Error codes are NT error codes" size="2" pos="54" show="1" value="FFFFFFFF" unmaskedvalue="57c8"/>
- <field name="smb.flags2.roe" showname="..0. .... .... .... = Execute-only Reads: Don&#x27;t permit reads if execute-only" size="2" pos="54" show="0" value="0" unmaskedvalue="57c8"/>
- <field name="smb.flags2.dfs" showname="...0 .... .... .... = Dfs: Don&#x27;t resolve pathnames with Dfs" size="2" pos="54" show="0" value="0" unmaskedvalue="57c8"/>
- <field name="smb.flags2.esn" showname=".... 1... .... .... = Extended Security Negotiation: Extended security negotiation is supported" size="2" pos="54" show="1" value="FFFFFFFF" unmaskedvalue="57c8"/>
- <field name="smb.flags2.reparse_path" showname=".... .0.. .... .... = Reparse Path: The request does not use a @GMT reparse path" size="2" pos="54" show="0" value="0" unmaskedvalue="57c8"/>
- <field name="smb.flags2.long_names_used" showname=".... .... .1.. .... = Long Names Used: Path names in request are long file names" size="2" pos="54" show="1" value="FFFFFFFF" unmaskedvalue="57c8"/>
- <field name="smb.flags2.sec_sig_required" showname=".... .... ...1 .... = Security Signatures Required: Security signatures are required" size="2" pos="54" show="1" value="FFFFFFFF" unmaskedvalue="57c8"/>
- <field name="smb.flags2.compressed" showname=".... .... .... 0... = Compressed: Compression is not requested" size="2" pos="54" show="0" value="0" unmaskedvalue="57c8"/>
- <field name="smb.flags2.sec_sig" showname=".... .... .... .1.. = Security Signatures: Security signatures are supported" size="2" pos="54" show="1" value="FFFFFFFF" unmaskedvalue="57c8"/>
- <field name="smb.flags2.ea" showname=".... .... .... ..1. = Extended Attributes: Extended attributes are supported" size="2" pos="54" show="1" value="FFFFFFFF" unmaskedvalue="57c8"/>
- <field name="smb.flags2.long_names_allowed" showname=".... .... .... ...1 = Long Names Allowed: Long file names are allowed in the response" size="2" pos="54" show="1" value="FFFFFFFF" unmaskedvalue="57c8"/>
- </field>
- <field name="smb.pid.high" showname="Process ID High: 0" size="2" pos="56" show="0" value="0000"/>
- <field name="smb.signature" showname="Signature: 644f31ab2d1ec497" size="8" pos="58" show="64:4f:31:ab:2d:1e:c4:97" value="644f31ab2d1ec497"/>
- <field name="smb.reserved" showname="Reserved: 0000" size="2" pos="66" show="00:00" value="0000"/>
- <field name="smb.tid" showname="Tree ID: 59650 (\\LOCALDC\IPC$)" size="2" pos="68" show="59650" value="02e9">
- <field name="smb.path" showname="Path: \\LOCALDC\IPC$" size="0" pos="112" show="\\LOCALDC\IPC$"/>
- <field name="smb.fid.mapped_in" showname="Mapped in: 451" size="0" pos="112" show="451"/>
- </field>
- <field name="smb.pid" showname="Process ID: 0" size="2" pos="70" show="0" value="0000"/>
- <field name="smb.uid" showname="User ID: 6437" size="2" pos="72" show="6437" value="2519"/>
- <field name="smb.mid" showname="Multiplex ID: 10" size="2" pos="74" show="10" value="0a00"/>
- </field>
- <field name="" show="Trans Request (0x25)" size="84" pos="76" value="10000020000000b8100000000000000000000000005400200054000200260002003100005c0050004900500045005c00000000000500000310000000200000000200000008000000000000000000000000000002">
- <field name="smb.wct" showname="Word Count (WCT): 16" size="1" pos="76" show="16" value="10"/>
- <field name="smb.tpc" showname="Total Parameter Count: 0" size="2" pos="77" show="0" value="0000"/>
- <field name="smb.tdc" showname="Total Data Count: 32" size="2" pos="79" show="32" value="2000"/>
- <field name="smb.mpc" showname="Max Parameter Count: 0" size="2" pos="81" show="0" value="0000"/>
- <field name="smb.mdc" showname="Max Data Count: 4280" size="2" pos="83" show="4280" value="b810"/>
- <field name="smb.msc" showname="Max Setup Count: 0" size="1" pos="85" show="0" value="00"/>
- <field name="smb.reserved" showname="Reserved: 00" size="1" pos="86" show="00" value="00"/>
- <field name="smb.transaction.flags" showname="Flags: 0x0000" size="2" pos="87" show="0x00000000" value="0000">
- <field name="smb.transaction.flags.owt" showname=".... .... .... ..0. = One Way Transaction: Two way transaction" size="2" pos="87" show="0" value="0" unmaskedvalue="0000"/>
- <field name="smb.transaction.flags.dtid" showname=".... .... .... ...0 = Disconnect TID: Do NOT disconnect TID" size="2" pos="87" show="0" value="0" unmaskedvalue="0000"/>
- </field>
- <field name="smb.timeout" showname="Timeout: Return immediately (0)" size="4" pos="89" show="0" value="00000000"/>
- <field name="smb.reserved" showname="Reserved: 0000" size="2" pos="93" show="00:00" value="0000"/>
- <field name="smb.pc" showname="Parameter Count: 0" size="2" pos="95" show="0" value="0000"/>
- <field name="smb.po" showname="Parameter Offset: 84" size="2" pos="97" show="84" value="5400"/>
- <field name="smb.dc" showname="Data Count: 32" size="2" pos="99" show="32" value="2000"/>
- <field name="smb.data_offset" showname="Data Offset: 84" size="2" pos="101" show="84" value="5400"/>
- <field name="smb.sc" showname="Setup Count: 2" size="1" pos="103" show="2" value="02"/>
- <field name="smb.reserved" showname="Reserved: 00" size="1" pos="104" show="00" value="00"/>
- <field name="smb.bcc" showname="Byte Count (BCC): 49" size="2" pos="109" show="49" value="3100"/>
- <field name="smb.trans_name" showname="Transaction Name: \PIPE\" size="14" pos="112" show="\PIPE\" value="5c0050004900500045005c000000"/>
- <field name="smb.padding" showname="Padding: 0000" size="2" pos="126" show="00:00" value="0000"/>
- </field>
- </proto>
- <proto name="smb_pipe" showname="SMB Pipe Protocol" size="21" pos="105">
- <field name="smb_pipe.function" showname="Function: TransactNmPipe (0x0026)" size="2" pos="105" show="0x00000026" value="2600"/>
- <field name="smb.fid" showname="FID: 0x0002 (\samr)" size="2" pos="107" show="0x00000002" value="0200">
- <field name="smb.fid.opened_in" showname="Opened in: 487" size="0" pos="212" show="487"/>
- <field name="smb.file" showname="File Name: \samr" size="0" pos="212" show="\samr"/>
- <field name="smb.create_flags" showname="Create Flags: 0x00000000" size="4" pos="212" show="0x00000000" value="26000200">
- <field name="smb.nt.create.oplock" showname=".... .... .... .... .... .... .... ..0. = Exclusive Oplock: Does NOT request oplock" size="4" pos="105" show="0" value="0" unmaskedvalue="26000200"/>
- <field name="smb.nt.create.batch_oplock" showname=".... .... .... .... .... .... .... .0.. = Batch Oplock: Does NOT request batch oplock" size="4" pos="105" show="0" value="0" unmaskedvalue="26000200"/>
- <field name="smb.nt.create.dir" showname=".... .... .... .... .... .... .... 0... = Create Directory: Target of open can be a file" size="4" pos="105" show="0" value="0" unmaskedvalue="26000200"/>
- <field name="smb.nt.create.ext" showname=".... .... .... .... .... .... ...0 .... = Extended Response: Extended responses NOT required" size="4" pos="105" show="0" value="0" unmaskedvalue="26000200"/>
- </field>
- <field name="smb.access_mask" showname="Access Mask: 0x0002019f" size="4" pos="212" show="0x0002019f" value="26000200">
- <field name="smb.access.read" showname=".... .... .... .... .... .... .... ...1 = Read: READ access" size="4" pos="105" show="1" value="FFFFFFFF" unmaskedvalue="26000200"/>
- <field name="smb.access.write" showname=".... .... .... .... .... .... .... ..1. = Write: WRITE access" size="4" pos="105" show="1" value="FFFFFFFF" unmaskedvalue="26000200"/>
- <field name="smb.access.append" showname=".... .... .... .... .... .... .... .1.. = Append: APPEND access" size="4" pos="105" show="1" value="FFFFFFFF" unmaskedvalue="26000200"/>
- <field name="smb.access.read_ea" showname=".... .... .... .... .... .... .... 1... = Read EA: READ EXTENDED ATTRIBUTES access" size="4" pos="105" show="1" value="FFFFFFFF" unmaskedvalue="26000200"/>
- <field name="smb.access.write_ea" showname=".... .... .... .... .... .... ...1 .... = Write EA: WRITE EXTENDED ATTRIBUTES access" size="4" pos="105" show="1" value="FFFFFFFF" unmaskedvalue="26000200"/>
- <field name="smb.access.execute" showname=".... .... .... .... .... .... ..0. .... = Execute: NO execute access" size="4" pos="105" show="0" value="0" unmaskedvalue="26000200"/>
- <field name="smb.access.delete_child" showname=".... .... .... .... .... .... .0.. .... = Delete Child: NO delete child access" size="4" pos="105" show="0" value="0" unmaskedvalue="26000200"/>
- <field name="smb.access.read_attributes" showname=".... .... .... .... .... .... 1... .... = Read Attributes: READ ATTRIBUTES access" size="4" pos="105" show="1" value="FFFFFFFF" unmaskedvalue="26000200"/>
- <field name="smb.access.write_attributes" showname=".... .... .... .... .... ...1 .... .... = Write Attributes: WRITE ATTRIBUTES access" size="4" pos="105" show="1" value="FFFFFFFF" unmaskedvalue="26000200"/>
- <field name="smb.access.delete" showname=".... .... .... ...0 .... .... .... .... = Delete: NO delete access" size="4" pos="105" show="0" value="0" unmaskedvalue="26000200"/>
- <field name="smb.access.read_control" showname=".... .... .... ..1. .... .... .... .... = Read Control: READ ACCESS to owner, group and ACL of the SID" size="4" pos="105" show="1" value="FFFFFFFF" unmaskedvalue="26000200"/>
- <field name="smb.access.write_dac" showname=".... .... .... .0.. .... .... .... .... = Write DAC: Owner may NOT write to the DAC" size="4" pos="105" show="0" value="0" unmaskedvalue="26000200"/>
- <field name="smb.access.write_owner" showname=".... .... .... 0... .... .... .... .... = Write Owner: Can NOT write owner (take ownership)" size="4" pos="105" show="0" value="0" unmaskedvalue="26000200"/>
- <field name="smb.access.synchronize" showname=".... .... ...0 .... .... .... .... .... = Synchronize: Can NOT wait on handle to synchronize on completion of I/O" size="4" pos="105" show="0" value="0" unmaskedvalue="26000200"/>
- <field name="smb.access.system_security" showname=".... ...0 .... .... .... .... .... .... = System Security: System security is NOT set" size="4" pos="105" show="0" value="0" unmaskedvalue="26000200"/>
- <field name="smb.access.maximum_allowed" showname=".... ..0. .... .... .... .... .... .... = Maximum Allowed: Maximum allowed is NOT set" size="4" pos="105" show="0" value="0" unmaskedvalue="26000200"/>
- <field name="smb.access.generic_all" showname="...0 .... .... .... .... .... .... .... = Generic All: Generic all is NOT set" size="4" pos="105" show="0" value="0" unmaskedvalue="26000200"/>
- <field name="smb.access.generic_execute" showname="..0. .... .... .... .... .... .... .... = Generic Execute: Generic execute is NOT set" size="4" pos="105" show="0" value="0" unmaskedvalue="26000200"/>
- <field name="smb.access.generic_write" showname=".0.. .... .... .... .... .... .... .... = Generic Write: Generic write is NOT set" size="4" pos="105" show="0" value="0" unmaskedvalue="26000200"/>
- <field name="smb.access.generic_read" showname="0... .... .... .... .... .... .... .... = Generic Read: Generic read is NOT set" size="4" pos="105" show="0" value="0" unmaskedvalue="26000200"/>
- </field>
- <field name="smb.file_attribute" showname="File Attributes: 0x00000000" size="4" pos="212" show="0x00000000" value="26000200">
- <field name="smb.file_attribute.read_only" showname=".... .... .... .... .... .... .... ...0 = Read Only: NOT read only" size="4" pos="105" show="0" value="0" unmaskedvalue="26000200"/>
- <field name="smb.file_attribute.hidden" showname=".... .... .... .... .... .... .... ..0. = Hidden: NOT hidden" size="4" pos="105" show="0" value="0" unmaskedvalue="26000200"/>
- <field name="smb.file_attribute.system" showname=".... .... .... .... .... .... .... .0.. = System: NOT a system file/dir" size="4" pos="105" show="0" value="0" unmaskedvalue="26000200"/>
- <field name="smb.file_attribute.volume" showname=".... .... .... .... .... .... .... 0... = Volume ID: NOT a volume ID" size="4" pos="105" show="0" value="0" unmaskedvalue="26000200"/>
- <field name="smb.file_attribute.directory" showname=".... .... .... .... .... .... ...0 .... = Directory: NOT a directory" size="4" pos="105" show="0" value="0" unmaskedvalue="26000200"/>
- <field name="smb.file_attribute.archive" showname=".... .... .... .... .... .... ..0. .... = Archive: Has NOT been modified since last archive" size="4" pos="105" show="0" value="0" unmaskedvalue="26000200"/>
- <field name="smb.file_attribute.device" showname=".... .... .... .... .... .... .0.. .... = Device: NOT a device" size="4" pos="105" show="0" value="0" unmaskedvalue="26000200"/>
- <field name="smb.file_attribute.normal" showname=".... .... .... .... .... .... 0... .... = Normal: Has some attribute set" size="4" pos="105" show="0" value="0" unmaskedvalue="26000200"/>
- <field name="smb.file_attribute.temporary" showname=".... .... .... .... .... ...0 .... .... = Temporary: NOT a temporary file" size="4" pos="105" show="0" value="0" unmaskedvalue="26000200"/>
- <field name="smb.file_attribute.sparse" showname=".... .... .... .... .... ..0. .... .... = Sparse: NOT a sparse file" size="4" pos="105" show="0" value="0" unmaskedvalue="26000200"/>
- <field name="smb.file_attribute.reparse" showname=".... .... .... .... .... .0.. .... .... = Reparse Point: Does NOT have an associated reparse point" size="4" pos="105" show="0" value="0" unmaskedvalue="26000200"/>
- <field name="smb.file_attribute.compressed" showname=".... .... .... .... .... 0... .... .... = Compressed: Uncompressed" size="4" pos="105" show="0" value="0" unmaskedvalue="26000200"/>
- <field name="smb.file_attribute.offline" showname=".... .... .... .... ...0 .... .... .... = Offline: Online" size="4" pos="105" show="0" value="0" unmaskedvalue="26000200"/>
- <field name="smb.file_attribute.not_content_indexed" showname=".... .... .... .... ..0. .... .... .... = Content Indexed: NOT content indexed" size="4" pos="105" show="0" value="0" unmaskedvalue="26000200"/>
- <field name="smb.file_attribute.encrypted" showname=".... .... .... .... .0.. .... .... .... = Encrypted: This is NOT an encrypted file" size="4" pos="105" show="0" value="0" unmaskedvalue="26000200"/>
- </field>
- <field name="smb.share_access" showname="Share Access: 0x00000003, Read, Write" size="4" pos="212" show="0x00000003" value="26000200">
- <field name="smb.share.access.read" showname=".... .... .... .... .... .... .... ...1 = Read: Object can be shared for READ" size="4" pos="105" show="1" value="FFFFFFFF" unmaskedvalue="26000200"/>
- <field name="smb.share.access.write" showname=".... .... .... .... .... .... .... ..1. = Write: Object can be shared for WRITE" size="4" pos="105" show="1" value="FFFFFFFF" unmaskedvalue="26000200"/>
- <field name="smb.share.access.delete" showname=".... .... .... .... .... .... .... .0.. = Delete: Object can NOT be shared for delete" size="4" pos="105" show="0" value="0" unmaskedvalue="26000200"/>
- </field>
- <field name="smb.create_options" showname="Create Options: 0x00000000" size="4" pos="212" show="0x00000000" value="26000200">
- <field name="smb.nt.create_options.directory" showname=".... .... .... .... .... .... .... ...0 = Directory: File being created/opened must not be a directory" size="4" pos="105" show="0" value="0" unmaskedvalue="26000200"/>
- <field name="smb.nt.create_options.write_through" showname=".... .... .... .... .... .... .... ..0. = Write Through: Writes need not flush buffered data before completing" size="4" pos="105" show="0" value="0" unmaskedvalue="26000200"/>
- <field name="smb.nt.create_options.sequential_only" showname=".... .... .... .... .... .... .... .0.. = Sequential Only: The file might not only be accessed sequentially" size="4" pos="105" show="0" value="0" unmaskedvalue="26000200"/>
- <field name="smb.nt.create_options.intermediate_buffering" showname=".... .... .... .... .... .... .... 0... = Intermediate Buffering: Intermediate buffering is allowed" size="4" pos="105" show="0" value="0" unmaskedvalue="26000200"/>
- <field name="smb.nt.create_options.sync_io_alert" showname=".... .... .... .... .... .... ...0 .... = Sync I/O Alert: Operations NOT necessarily synchronous" size="4" pos="105" show="0" value="0" unmaskedvalue="26000200"/>
- <field name="smb.nt.create_options.sync_io_nonalert" showname=".... .... .... .... .... .... ..0. .... = Sync I/O Nonalert: Operations NOT necessarily synchronous" size="4" pos="105" show="0" value="0" unmaskedvalue="26000200"/>
- <field name="smb.nt.create_options.non_directory" showname=".... .... .... .... .... .... .0.. .... = Non-Directory: File being created/opened must be a directory" size="4" pos="105" show="0" value="0" unmaskedvalue="26000200"/>
- <field name="smb.nt.create_options.create_tree_connection" showname=".... .... .... .... .... .... 0... .... = Create Tree Connection: Create Tree Connections is NOT set" size="4" pos="105" show="0" value="0" unmaskedvalue="26000200"/>
- <field name="smb.nt.create_options.complete_if_oplocked" showname=".... .... .... .... .... ...0 .... .... = Complete If Oplocked: Complete if oplocked is NOT set" size="4" pos="105" show="0" value="0" unmaskedvalue="26000200"/>
- <field name="smb.nt.create_options.no_ea_knowledge" showname=".... .... .... .... .... ..0. .... .... = No EA Knowledge: The client understands extended attributes" size="4" pos="105" show="0" value="0" unmaskedvalue="26000200"/>
- <field name="smb.nt.create_options.eight_dot_three_only" showname=".... .... .... .... .... .0.. .... .... = 8.3 Only: The client understands long file names" size="4" pos="105" show="0" value="0" unmaskedvalue="26000200"/>
- <field name="smb.nt.create_options.random_access" showname=".... .... .... .... .... 0... .... .... = Random Access: The file will not be accessed randomly" size="4" pos="105" show="0" value="0" unmaskedvalue="26000200"/>
- <field name="smb.nt.create_options.delete_on_close" showname=".... .... .... .... ...0 .... .... .... = Delete On Close: The file should not be deleted when it is closed" size="4" pos="105" show="0" value="0" unmaskedvalue="26000200"/>
- <field name="smb.nt.create_options.open_by_fileid" showname=".... .... .... .... ..0. .... .... .... = Open By FileID: OpenByFileID is NOT set" size="4" pos="105" show="0" value="0" unmaskedvalue="26000200"/>
- <field name="smb.nt.create_options.backup_intent" showname=".... .... .... .... .0.. .... .... .... = Backup Intent: This is a normal create" size="4" pos="105" show="0" value="0" unmaskedvalue="26000200"/>
- <field name="smb.nt.create_options.no_compression" showname=".... .... .... .... 0... .... .... .... = No Compression: Compression is allowed for Open/Create" size="4" pos="105" show="0" value="0" unmaskedvalue="26000200"/>
- <field name="smb.nt.create_options.reserve_opfilter" showname=".... .... ...0 .... .... .... .... .... = Reserve Opfilter: Reserve Opfilter is NOT set" size="4" pos="105" show="0" value="0" unmaskedvalue="26000200"/>
- <field name="smb.nt.create_options.open_reparse_point" showname=".... .... ..0. .... .... .... .... .... = Open Reparse Point: Normal open" size="4" pos="105" show="0" value="0" unmaskedvalue="26000200"/>
- <field name="smb.nt.create_options.open_no_recall" showname=".... .... .0.. .... .... .... .... .... = Open No Recall: Open no recall is NOT set" size="4" pos="105" show="0" value="0" unmaskedvalue="26000200"/>
- <field name="smb.nt.create_options.open_for_free_space_query" showname=".... .... 0... .... .... .... .... .... = Open For Free Space query: This is NOT an open for free space query" size="4" pos="105" show="0" value="0" unmaskedvalue="26000200"/>
- </field>
- <field name="smb.create.disposition" showname="Disposition: Open (if file exists open it, else fail) (1)" size="0" pos="212" show="1"/>
- </field>
- </proto>
- <proto name="dcerpc" showname="Distributed Computing Environment / Remote Procedure Call (DCE/RPC) Request, Fragment: Single, FragLen: 32, Call: 2, Ctx: 0" size="32" pos="128">
- <field name="dcerpc.ver" showname="Version: 5" size="1" pos="128" show="5" value="05"/>
- <field name="dcerpc.ver_minor" showname="Version (minor): 0" size="1" pos="129" show="0" value="00"/>
- <field name="dcerpc.pkt_type" showname="Packet type: Request (0)" size="1" pos="130" show="0" value="00"/>
- <field name="dcerpc.cn_flags" showname="Packet Flags: 0x03" size="1" pos="131" show="0x00000003" value="03">
- <field name="dcerpc.cn_flags.object" showname="0... .... = Object: Not set" size="1" pos="131" show="0" value="0" unmaskedvalue="03"/>
- <field name="dcerpc.cn_flags.maybe" showname=".0.. .... = Maybe: Not set" size="1" pos="131" show="0" value="0" unmaskedvalue="03"/>
- <field name="dcerpc.cn_flags.dne" showname="..0. .... = Did Not Execute: Not set" size="1" pos="131" show="0" value="0" unmaskedvalue="03"/>
- <field name="dcerpc.cn_flags.mpx" showname="...0 .... = Multiplex: Not set" size="1" pos="131" show="0" value="0" unmaskedvalue="03"/>
- <field name="dcerpc.cn_flags.reserved" showname=".... 0... = Reserved: Not set" size="1" pos="131" show="0" value="0" unmaskedvalue="03"/>
- <field name="dcerpc.cn_flags.cancel_pending" showname=".... .0.. = Cancel Pending: Not set" size="1" pos="131" show="0" value="0" unmaskedvalue="03"/>
- <field name="dcerpc.cn_flags.last_frag" showname=".... ..1. = Last Frag: Set" size="1" pos="131" show="1" value="FFFFFFFF" unmaskedvalue="03"/>
- <field name="dcerpc.cn_flags.first_frag" showname=".... ...1 = First Frag: Set" size="1" pos="131" show="1" value="FFFFFFFF" unmaskedvalue="03"/>
- </field>
- <field name="dcerpc.drep" showname="Data Representation: 10000000" size="4" pos="132" show="10:00:00:00" value="10000000">
- <field name="dcerpc.drep.byteorder" showname="Byte order: Little-endian (1)" size="1" pos="132" show="1" value="10"/>
- <field name="dcerpc.drep.character" showname="Character: ASCII (0)" size="1" pos="132" show="0" value="10"/>
- <field name="dcerpc.drep.fp" showname="Floating-point: IEEE (0)" size="1" pos="133" show="0" value="00"/>
- </field>
- <field name="dcerpc.cn_frag_len" showname="Frag Length: 32" size="2" pos="136" show="32" value="2000"/>
- <field name="dcerpc.cn_auth_len" showname="Auth Length: 0" size="2" pos="138" show="0" value="0000"/>
- <field name="dcerpc.cn_call_id" showname="Call ID: 2" size="4" pos="140" show="2" value="02000000"/>
- <field name="dcerpc.cn_alloc_hint" showname="Alloc hint: 8" size="4" pos="144" show="8" value="08000000"/>
- <field name="dcerpc.cn_ctx_id" showname="Context ID: 0" size="2" pos="148" show="0" value="0000"/>
- <field name="dcerpc.opnum" showname="Opnum: 0" size="2" pos="150" show="0" value="0000"/>
- </proto>
- <proto name="samr" showname="SAMR (pidl), Connect" size="8" pos="152">
- <field name="samr.opnum" showname="Operation: Connect (0)" size="0" pos="152" show="0"/>
- <field name="dcerpc.null_pointer" showname="NULL Pointer: Pointer to System Name (uint16)" size="4" pos="152" show="00:00:00:00" value="00000000"/>
- <field name="samr.connect.access_mask" showname="Access Mask: 0x02000000" size="4" pos="156" show="0x02000000" value="00000002">
- <field name="" show="Generic rights: 0x00000000" size="4" pos="156" value="00000002">
- <field name="nt.access_mask.generic_read" showname="0... .... .... .... .... .... .... .... = Generic read: Not set" size="4" pos="156" show="0" value="0" unmaskedvalue="00000002"/>
- <field name="nt.access_mask.generic_write" showname=".0.. .... .... .... .... .... .... .... = Generic write: Not set" size="4" pos="156" show="0" value="0" unmaskedvalue="00000002"/>
- <field name="nt.access_mask.generic_execute" showname="..0. .... .... .... .... .... .... .... = Generic execute: Not set" size="4" pos="156" show="0" value="0" unmaskedvalue="00000002"/>
- <field name="nt.access_mask.generic_all" showname="...0 .... .... .... .... .... .... .... = Generic all: Not set" size="4" pos="156" show="0" value="0" unmaskedvalue="00000002"/>
- </field>
- <field name="nt.access_mask.maximum_allowed" showname=".... ..1. .... .... .... .... .... .... = Maximum allowed: Set" size="4" pos="156" show="1" value="FFFFFFFF" unmaskedvalue="00000002"/>
- <field name="nt.access_mask.access_sacl" showname=".... .... 0... .... .... .... .... .... = Access SACL: Not set" size="4" pos="156" show="0" value="0" unmaskedvalue="00000002"/>
- <field name="" show="Standard rights: 0x00000000" size="4" pos="156" value="00000002">
- <field name="nt.access_mask.synchronise" showname=".... .... ...0 .... .... .... .... .... = Synchronise: Not set" size="4" pos="156" show="0" value="0" unmaskedvalue="00000002"/>
- <field name="nt.access_mask.write_owner" showname=".... .... .... 0... .... .... .... .... = Write owner: Not set" size="4" pos="156" show="0" value="0" unmaskedvalue="00000002"/>
- <field name="nt.access_mask.write_dac" showname=".... .... .... .0.. .... .... .... .... = Write DAC: Not set" size="4" pos="156" show="0" value="0" unmaskedvalue="00000002"/>
- <field name="nt.access_mask.read_control" showname=".... .... .... ..0. .... .... .... .... = Read control: Not set" size="4" pos="156" show="0" value="0" unmaskedvalue="00000002"/>
- <field name="nt.access_mask.delete" showname=".... .... .... ...0 .... .... .... .... = Delete: Not set" size="4" pos="156" show="0" value="0" unmaskedvalue="00000002"/>
- </field>
- <field name="" show="SAMR Connect specific rights: 0x00000000" size="4" pos="156" value="00000002">
- <field name="samr.samr_ConnectAccessMask.SAMR_ACCESS_LOOKUP_DOMAIN" showname=".... .... .... .... .... .... ..0. .... = Samr Access Lookup Domain: SAMR_ACCESS_LOOKUP_DOMAIN is NOT SET" size="4" pos="156" show="0" value="0" unmaskedvalue="00000002"/>
- <field name="samr.samr_ConnectAccessMask.SAMR_ACCESS_ENUM_DOMAINS" showname=".... .... .... .... .... .... ...0 .... = Samr Access Enum Domains: SAMR_ACCESS_ENUM_DOMAINS is NOT SET" size="4" pos="156" show="0" value="0" unmaskedvalue="00000002"/>
- <field name="samr.samr_ConnectAccessMask.SAMR_ACCESS_CREATE_DOMAIN" showname=".... .... .... .... .... .... .... 0... = Samr Access Create Domain: SAMR_ACCESS_CREATE_DOMAIN is NOT SET" size="4" pos="156" show="0" value="0" unmaskedvalue="00000002"/>
- <field name="samr.samr_ConnectAccessMask.SAMR_ACCESS_INITIALIZE_SERVER" showname=".... .... .... .... .... .... .... .0.. = Samr Access Initialize Server: SAMR_ACCESS_INITIALIZE_SERVER is NOT SET" size="4" pos="156" show="0" value="0" unmaskedvalue="00000002"/>
- <field name="samr.samr_ConnectAccessMask.SAMR_ACCESS_SHUTDOWN_SERVER" showname=".... .... .... .... .... .... .... ..0. = Samr Access Shutdown Server: SAMR_ACCESS_SHUTDOWN_SERVER is NOT SET" size="4" pos="156" show="0" value="0" unmaskedvalue="00000002"/>
- <field name="samr.samr_ConnectAccessMask.SAMR_ACCESS_CONNECT_TO_SERVER" showname=".... .... .... .... .... .... .... ...0 = Samr Access Connect To Server: SAMR_ACCESS_CONNECT_TO_SERVER is NOT SET" size="4" pos="156" show="0" value="0" unmaskedvalue="00000002"/>
- </field>
- </field>
- </proto>
-</packet>
-
-<packet>
- <proto name="geninfo" pos="0" showname="General information" size="244">
- <field name="num" pos="0" show="618" showname="Number" value="26a" size="244"/>
- <field name="len" pos="0" show="244" showname="Frame Length" value="f4" size="244"/>
- <field name="caplen" pos="0" show="244" showname="Captured Length" value="f4" size="244"/>
- <field name="timestamp" pos="0" show="Feb 16, 2017 12:18:11.039416000 NZDT" showname="Captured Time" value="1487200691.039416000" size="244"/>
- </proto>
- <proto name="frame" showname="Frame 618: 244 bytes on wire (1952 bits), 244 bytes captured (1952 bits)" size="244" pos="0">
- <field name="frame.encap_type" showname="Encapsulation type: Raw IP (7)" size="0" pos="0" show="7"/>
- <field name="frame.time" showname="Arrival Time: Feb 16, 2017 12:18:11.039416000 NZDT" size="0" pos="0" show="Feb 16, 2017 12:18:11.039416000 NZDT"/>
- <field name="frame.offset_shift" showname="Time shift for this packet: 0.000000000 seconds" size="0" pos="0" show="0.000000000"/>
- <field name="frame.time_epoch" showname="Epoch Time: 1487200691.039416000 seconds" size="0" pos="0" show="1487200691.039416000"/>
- <field name="frame.time_delta" showname="Time delta from previous captured frame: 0.000200000 seconds" size="0" pos="0" show="0.000200000"/>
- <field name="frame.time_delta_displayed" showname="Time delta from previous displayed frame: 0.000200000 seconds" size="0" pos="0" show="0.000200000"/>
- <field name="frame.time_relative" showname="Time since reference or first frame: 5.801692000 seconds" size="0" pos="0" show="5.801692000"/>
- <field name="frame.number" showname="Frame Number: 618" size="0" pos="0" show="618"/>
- <field name="frame.len" showname="Frame Length: 244 bytes (1952 bits)" size="0" pos="0" show="244"/>
- <field name="frame.cap_len" showname="Capture Length: 244 bytes (1952 bits)" size="0" pos="0" show="244"/>
- <field name="frame.marked" showname="Frame is marked: False" size="0" pos="0" show="0"/>
- <field name="frame.ignored" showname="Frame is ignored: False" size="0" pos="0" show="0"/>
- <field name="frame.protocols" showname="Protocols in frame: raw:ip:tcp:dcerpc:spnego-krb5:spnego-krb5" size="0" pos="0" show="raw:ip:tcp:dcerpc:spnego-krb5:spnego-krb5"/>
- </proto>
- <proto name="raw" showname="Raw packet data" size="244" pos="0"/>
- <proto name="ip" showname="Internet Protocol Version 4, Src: 127.0.0.11, Dst: 127.0.0.21" size="20" pos="0">
- <field name="ip.version" showname="0100 .... = Version: 4" size="1" pos="0" show="4" value="4" unmaskedvalue="45"/>
- <field name="ip.hdr_len" showname=".... 0101 = Header Length: 20 bytes" size="1" pos="0" show="5" value="5" unmaskedvalue="45"/>
- <field name="ip.dsfield" showname="Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)" size="1" pos="1" show="0x00000000" value="00">
- <field name="ip.dsfield.dscp" showname="0000 00.. = Differentiated Services Codepoint: Default (0)" size="1" pos="1" show="0" value="0" unmaskedvalue="00"/>
- <field name="ip.dsfield.ecn" showname=".... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)" size="1" pos="1" show="0" value="0" unmaskedvalue="00"/>
- </field>
- <field name="ip.len" showname="Total Length: 244" size="2" pos="2" show="244" value="00f4"/>
- <field name="ip.id" showname="Identification: 0xffff (65535)" size="2" pos="4" show="0x0000ffff" value="ffff"/>
- <field name="ip.flags" showname="Flags: 0x02 (Don&#x27;t Fragment)" size="1" pos="6" show="0x00000002" value="40">
- <field name="ip.flags.rb" showname="0... .... = Reserved bit: Not set" size="1" pos="6" show="0" value="40"/>
- <field name="ip.flags.df" showname=".1.. .... = Don&#x27;t fragment: Set" size="1" pos="6" show="1" value="40"/>
- <field name="ip.flags.mf" showname="..0. .... = More fragments: Not set" size="1" pos="6" show="0" value="40"/>
- </field>
- <field name="ip.frag_offset" showname="Fragment offset: 0" size="2" pos="6" show="0" value="4000"/>
- <field name="ip.ttl" showname="Time to live: 255" size="1" pos="8" show="255" value="ff"/>
- <field name="ip.proto" showname="Protocol: TCP (6)" size="1" pos="9" show="6" value="06"/>
- <field name="ip.checksum" showname="Header checksum: 0x0000 [validation disabled]" size="2" pos="10" show="0x00000000" value="0000">
- <field name="ip.checksum_good" showname="Good: False" size="2" pos="10" show="0" value="0000"/>
- <field name="ip.checksum_bad" showname="Bad: False" size="2" pos="10" show="0" value="0000"/>
- </field>
- <field name="ip.src" showname="Source: 127.0.0.11" size="4" pos="12" show="127.0.0.11" value="7f00000b"/>
- <field name="ip.addr" showname="Source or Destination Address: 127.0.0.11" hide="yes" size="4" pos="12" show="127.0.0.11" value="7f00000b"/>
- <field name="ip.src_host" showname="Source Host: 127.0.0.11" hide="yes" size="4" pos="12" show="127.0.0.11" value="7f00000b"/>
- <field name="ip.host" showname="Source or Destination Host: 127.0.0.11" hide="yes" size="4" pos="12" show="127.0.0.11" value="7f00000b"/>
- <field name="ip.dst" showname="Destination: 127.0.0.21" size="4" pos="16" show="127.0.0.21" value="7f000015"/>
- <field name="ip.addr" showname="Source or Destination Address: 127.0.0.21" hide="yes" size="4" pos="16" show="127.0.0.21" value="7f000015"/>
- <field name="ip.dst_host" showname="Destination Host: 127.0.0.21" hide="yes" size="4" pos="16" show="127.0.0.21" value="7f000015"/>
- <field name="ip.host" showname="Source or Destination Host: 127.0.0.21" hide="yes" size="4" pos="16" show="127.0.0.21" value="7f000015"/>
- <field name="" show="Source GeoIP: Unknown" size="4" pos="12" value="7f00000b"/>
- <field name="" show="Destination GeoIP: Unknown" size="4" pos="16" value="7f000015"/>
- </proto>
- <proto name="tcp" showname="Transmission Control Protocol, Src Port: 19098 (19098), Dst Port: 49152 (49152), Seq: 1870, Ack: 367, Len: 204" size="20" pos="20">
- <field name="tcp.srcport" showname="Source Port: 19098" size="2" pos="20" show="19098" value="4a9a"/>
- <field name="tcp.dstport" showname="Destination Port: 49152" size="2" pos="22" show="49152" value="c000"/>
- <field name="tcp.port" showname="Source or Destination Port: 19098" hide="yes" size="2" pos="20" show="19098" value="4a9a"/>
- <field name="tcp.port" showname="Source or Destination Port: 49152" hide="yes" size="2" pos="22" show="49152" value="c000"/>
- <field name="tcp.stream" showname="Stream index: 14" size="0" pos="20" show="14"/>
- <field name="tcp.len" showname="TCP Segment Len: 204" size="1" pos="32" show="204" value="50"/>
- <field name="tcp.seq" showname="Sequence number: 1870 (relative sequence number)" size="4" pos="24" show="1870" value="0000074e"/>
- <field name="tcp.nxtseq" showname="Next sequence number: 2074 (relative sequence number)" size="0" pos="20" show="2074"/>
- <field name="tcp.ack" showname="Acknowledgment number: 367 (relative ack number)" size="4" pos="28" show="367" value="0000016f"/>
- <field name="tcp.hdr_len" showname="Header Length: 20 bytes" size="1" pos="32" show="20" value="50"/>
- <field name="tcp.flags" showname="Flags: 0x018 (PSH, ACK)" size="2" pos="32" show="0x00000018" value="18" unmaskedvalue="5018">
- <field name="tcp.flags.res" showname="000. .... .... = Reserved: Not set" size="1" pos="32" show="0" value="0" unmaskedvalue="50"/>
- <field name="tcp.flags.ns" showname="...0 .... .... = Nonce: Not set" size="1" pos="32" show="0" value="0" unmaskedvalue="50"/>
- <field name="tcp.flags.cwr" showname=".... 0... .... = Congestion Window Reduced (CWR): Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
- <field name="tcp.flags.ecn" showname=".... .0.. .... = ECN-Echo: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
- <field name="tcp.flags.urg" showname=".... ..0. .... = Urgent: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
- <field name="tcp.flags.ack" showname=".... ...1 .... = Acknowledgment: Set" size="1" pos="33" show="1" value="FFFFFFFF" unmaskedvalue="18"/>
- <field name="tcp.flags.push" showname=".... .... 1... = Push: Set" size="1" pos="33" show="1" value="FFFFFFFF" unmaskedvalue="18"/>
- <field name="tcp.flags.reset" showname=".... .... .0.. = Reset: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
- <field name="tcp.flags.syn" showname=".... .... ..0. = Syn: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
- <field name="tcp.flags.fin" showname=".... .... ...0 = Fin: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
- <field name="tcp.flags.str" showname="TCP Flags: *******AP***" size="2" pos="32" show="*******AP***" value="5018"/>
- </field>
- <field name="tcp.window_size_value" showname="Window size value: 32767" size="2" pos="34" show="32767" value="7fff"/>
- <field name="tcp.window_size" showname="Calculated window size: 32767" size="2" pos="34" show="32767" value="7fff"/>
- <field name="tcp.window_size_scalefactor" showname="Window size scaling factor: -2 (no window scaling used)" size="2" pos="34" show="-2" value="7fff"/>
- <field name="tcp.checksum" showname="Checksum: 0x0000 [validation disabled]" size="2" pos="36" show="0x00000000" value="0000">
- <field name="tcp.checksum_good" showname="Good Checksum: False" size="2" pos="36" show="0" value="0000"/>
- <field name="tcp.checksum_bad" showname="Bad Checksum: False" size="2" pos="36" show="0" value="0000"/>
- </field>
- <field name="tcp.urgent_pointer" showname="Urgent pointer: 0" size="2" pos="38" show="0" value="0000"/>
- <field name="tcp.analysis" showname="SEQ/ACK analysis" size="0" pos="20" show="" value="">
- <field name="tcp.analysis.acks_frame" showname="This is an ACK to the segment in frame: 615" size="0" pos="20" show="615"/>
- <field name="tcp.analysis.ack_rtt" showname="The RTT to ACK the segment was: 0.000257000 seconds" size="0" pos="20" show="0.000257000"/>
- <field name="tcp.analysis.initial_rtt" showname="iRTT: 0.000055000 seconds" size="0" pos="20" show="0.000055000"/>
- <field name="tcp.analysis.bytes_in_flight" showname="Bytes in flight: 204" size="0" pos="20" show="204"/>
- </field>
- </proto>
- <proto name="dcerpc" showname="Distributed Computing Environment / Remote Procedure Call (DCE/RPC) Request, Fragment: Single, FragLen: 204, Call: 2, Ctx: 0" size="204" pos="40">
- <field name="dcerpc.ver" showname="Version: 5" size="1" pos="40" show="5" value="05"/>
- <field name="dcerpc.ver_minor" showname="Version (minor): 0" size="1" pos="41" show="0" value="00"/>
- <field name="dcerpc.pkt_type" showname="Packet type: Request (0)" size="1" pos="42" show="0" value="00"/>
- <field name="dcerpc.cn_flags" showname="Packet Flags: 0x03" size="1" pos="43" show="0x00000003" value="03">
- <field name="dcerpc.cn_flags.object" showname="0... .... = Object: Not set" size="1" pos="43" show="0" value="0" unmaskedvalue="03"/>
- <field name="dcerpc.cn_flags.maybe" showname=".0.. .... = Maybe: Not set" size="1" pos="43" show="0" value="0" unmaskedvalue="03"/>
- <field name="dcerpc.cn_flags.dne" showname="..0. .... = Did Not Execute: Not set" size="1" pos="43" show="0" value="0" unmaskedvalue="03"/>
- <field name="dcerpc.cn_flags.mpx" showname="...0 .... = Multiplex: Not set" size="1" pos="43" show="0" value="0" unmaskedvalue="03"/>
- <field name="dcerpc.cn_flags.reserved" showname=".... 0... = Reserved: Not set" size="1" pos="43" show="0" value="0" unmaskedvalue="03"/>
- <field name="dcerpc.cn_flags.cancel_pending" showname=".... .0.. = Cancel Pending: Not set" size="1" pos="43" show="0" value="0" unmaskedvalue="03"/>
- <field name="dcerpc.cn_flags.last_frag" showname=".... ..1. = Last Frag: Set" size="1" pos="43" show="1" value="FFFFFFFF" unmaskedvalue="03"/>
- <field name="dcerpc.cn_flags.first_frag" showname=".... ...1 = First Frag: Set" size="1" pos="43" show="1" value="FFFFFFFF" unmaskedvalue="03"/>
- </field>
- <field name="dcerpc.drep" showname="Data Representation: 10000000" size="4" pos="44" show="10:00:00:00" value="10000000">
- <field name="dcerpc.drep.byteorder" showname="Byte order: Little-endian (1)" size="1" pos="44" show="1" value="10"/>
- <field name="dcerpc.drep.character" showname="Character: ASCII (0)" size="1" pos="44" show="0" value="10"/>
- <field name="dcerpc.drep.fp" showname="Floating-point: IEEE (0)" size="1" pos="45" show="0" value="00"/>
- </field>
- <field name="dcerpc.cn_frag_len" showname="Frag Length: 204" size="2" pos="48" show="204" value="cc00"/>
- <field name="dcerpc.cn_auth_len" showname="Auth Length: 76" size="2" pos="50" show="76" value="4c00"/>
- <field name="dcerpc.cn_call_id" showname="Call ID: 2" size="4" pos="52" show="2" value="02000000"/>
- <field name="dcerpc.cn_alloc_hint" showname="Alloc hint: 84" size="4" pos="56" show="84" value="54000000"/>
- <field name="dcerpc.cn_ctx_id" showname="Context ID: 0" size="2" pos="60" show="0" value="0000"/>
- <field name="dcerpc.opnum" showname="Opnum: 0" size="2" pos="62" show="0" value="0000"/>
- <field name="dcerpc.auth_type" showname="Auth type: SPNEGO (9)" size="1" pos="160" show="9" value="09"/>
- <field name="dcerpc.auth_level" showname="Auth level: Packet privacy (6)" size="1" pos="161" show="6" value="06"/>
- <field name="dcerpc.auth_pad_len" showname="Auth pad len: 12" size="1" pos="162" show="12" value="0c"/>
- <field name="dcerpc.auth_rsrvd" showname="Auth Rsrvd: 0" size="1" pos="163" show="0" value="00"/>
- <field name="dcerpc.auth_ctx_id" showname="Auth Context ID: 1" size="4" pos="164" show="1" value="01000000"/>
- <proto name="gss-api" showname="GSS-API Generic Security Service Application Program Interface" size="76" pos="168">
- <field name="spnego.krb5.blob" showname="krb5_blob: 050406ff0010001c000000000bcbcd947efcdcdd031c9af0..." size="76" pos="168" show="05:04:06:ff:00:10:00:1c:00:00:00:00:0b:cb:cd:94:7e:fc:dc:dd:03:1c:9a:f0:b0:c9:a0:30:4e:3f:5a:f9:bd:9f:63:82:c8:cb:eb:fe:08:6b:0f:7d:93:b3:30:d3:6c:90:51:24:3a:38:c9:aa:26:c0:0c:5a:a0:a2:7b:1d:10:4b:31:f6:34:4a:cd:24:f8:c2:c9:73" value="050406ff0010001c000000000bcbcd947efcdcdd031c9af0b0c9a0304e3f5af9bd9f6382c8cbebfe086b0f7d93b330d36c9051243a38c9aa26c00c5aa0a27b1d104b31f6344acd24f8c2c973">
- <field name="spnego.krb5.tok_id" showname="krb5_tok_id: KRB_TOKEN_CFX_WRAP (0x0405)" size="2" pos="168" show="0x00000405" value="0504"/>
- <field name="spnego.krb5.cfx_flags" showname="krb5_cfx_flags: 0x06, AcceptorSubkey, Sealed" size="1" pos="170" show="0x00000006" value="06">
- <field name="spnego.krb5.acceptor_subkey" showname=".... .1.. = AcceptorSubkey: Set" size="1" pos="170" show="1" value="FFFFFFFF" unmaskedvalue="06"/>
- <field name="spnego.krb5.sealed" showname=".... ..1. = Sealed: Set" size="1" pos="170" show="1" value="FFFFFFFF" unmaskedvalue="06"/>
- <field name="spnego.krb5.send_by_acceptor" showname=".... ...0 = SendByAcceptor: Not set" size="1" pos="170" show="0" value="0" unmaskedvalue="06"/>
- </field>
- <field name="spnego.krb5.filler" showname="krb5_filler: ff" size="1" pos="171" show="ff" value="ff"/>
- <field name="spnego.krb5.cfx_ec" showname="krb5_cfx_ec: 16" size="2" pos="172" show="16" value="0010"/>
- <field name="spnego.krb5.cfx_rrc" showname="krb5_cfx_rrc: 28" size="2" pos="174" show="28" value="001c"/>
- <field name="spnego.krb5.cfx_seq" showname="krb5_cfx_seq: 197905812" size="8" pos="176" show="197905812" value="000000000bcbcd94"/>
- <field name="spnego.krb5.sgn_cksum" showname="krb5_sgn_cksum: 7efcdcdd031c9af0b0c9a0304e3f5af9bd9f6382c8cbebfe..." size="60" pos="184" show="7e:fc:dc:dd:03:1c:9a:f0:b0:c9:a0:30:4e:3f:5a:f9:bd:9f:63:82:c8:cb:eb:fe:08:6b:0f:7d:93:b3:30:d3:6c:90:51:24:3a:38:c9:aa:26:c0:0c:5a:a0:a2:7b:1d:10:4b:31:f6:34:4a:cd:24:f8:c2:c9:73" value="7efcdcdd031c9af0b0c9a0304e3f5af9bd9f6382c8cbebfe086b0f7d93b330d36c9051243a38c9aa26c00c5aa0a27b1d104b31f6344acd24f8c2c973"/>
- </field>
- </proto>
- </proto>
- <proto name="drsuapi" showname="DRSUAPI, DsBind" size="96" pos="64">
- <field name="drsuapi.opnum" showname="Operation: DsBind (0)" size="0" pos="64" show="0"/>
- <field name="dcerpc.encrypted_stub_data" showname="Encrypted stub data: 536b3d9d2cae12c8cfef430800028a405e0c5b0dd1ab3a67..." size="96" pos="64" show="53:6b:3d:9d:2c:ae:12:c8:cf:ef:43:08:00:02:8a:40:5e:0c:5b:0d:d1:ab:3a:67:7b:bf:dc:66:7d:f1:90:ff:c6:6b:04:07:07:e2:7e:20:ca:73:41:fc:bf:0e:16:07:00:31:88:a1:7d:13:54:99:50:55:29:f1:ce:07:e8:92:78:69:63:7c:f2:60:2a:fd:7b:60:49:5d:7e:bf:dc:b2:2b:b7:47:86:6e:c8:51:1c:53:bb:73:35:dc:5c:b1:b0" value="536b3d9d2cae12c8cfef430800028a405e0c5b0dd1ab3a677bbfdc667df190ffc66b040707e27e20ca7341fcbf0e1607003188a17d135499505529f1ce07e8927869637cf2602afd7b60495d7ebfdcb22bb747866ec8511c53bb7335dc5cb1b0"/>
- </proto>
-</packet>
-
-<packet>
- <proto name="geninfo" pos="0" showname="General information" size="314">
- <field name="num" pos="0" show="1971790" showname="Number" value="1e164e" size="314"/>
- <field name="len" pos="0" show="314" showname="Frame Length" value="13a" size="314"/>
- <field name="caplen" pos="0" show="314" showname="Captured Length" value="13a" size="314"/>
- <field name="timestamp" pos="0" show="Feb 13, 2017 10:23:04.809271000 NZDT" showname="Captured Time" value="1486934584.809271000" size="314"/>
- </proto>
- <proto name="frame" showname="Frame 1971790: 314 bytes on wire (2512 bits), 314 bytes captured (2512 bits)" size="314" pos="0">
- <field name="frame.encap_type" showname="Encapsulation type: Raw IP (7)" size="0" pos="0" show="7"/>
- <field name="frame.time" showname="Arrival Time: Feb 13, 2017 10:23:04.809271000 NZDT" size="0" pos="0" show="Feb 13, 2017 10:23:04.809271000 NZDT"/>
- <field name="frame.offset_shift" showname="Time shift for this packet: 0.000000000 seconds" size="0" pos="0" show="0.000000000"/>
- <field name="frame.time_epoch" showname="Epoch Time: 1486934584.809271000 seconds" size="0" pos="0" show="1486934584.809271000"/>
- <field name="frame.time_delta" showname="Time delta from previous captured frame: 0.053481000 seconds" size="0" pos="0" show="0.053481000"/>
- <field name="frame.time_delta_displayed" showname="Time delta from previous displayed frame: 0.053481000 seconds" size="0" pos="0" show="0.053481000"/>
- <field name="frame.time_relative" showname="Time since reference or first frame: 814.186830000 seconds" size="0" pos="0" show="814.186830000"/>
- <field name="frame.number" showname="Frame Number: 1971790" size="0" pos="0" show="1971790"/>
- <field name="frame.len" showname="Frame Length: 314 bytes (2512 bits)" size="0" pos="0" show="314"/>
- <field name="frame.cap_len" showname="Capture Length: 314 bytes (2512 bits)" size="0" pos="0" show="314"/>
- <field name="frame.marked" showname="Frame is marked: False" size="0" pos="0" show="0"/>
- <field name="frame.ignored" showname="Frame is ignored: False" size="0" pos="0" show="0"/>
- <field name="frame.protocols" showname="Protocols in frame: raw:ip:udp:nbdgm:smb:smb_netlogon" size="0" pos="0" show="raw:ip:udp:nbdgm:smb:smb_netlogon"/>
- </proto>
- <proto name="raw" showname="Raw packet data" size="314" pos="0"/>
- <proto name="ip" showname="Internet Protocol Version 4, Src: 127.0.0.4, Dst: 127.0.0.3" size="20" pos="0">
- <field name="ip.version" showname="0100 .... = Version: 4" size="1" pos="0" show="4" value="4" unmaskedvalue="45"/>
- <field name="ip.hdr_len" showname=".... 0101 = Header Length: 20 bytes" size="1" pos="0" show="5" value="5" unmaskedvalue="45"/>
- <field name="ip.dsfield" showname="Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)" size="1" pos="1" show="0x00000000" value="00">
- <field name="ip.dsfield.dscp" showname="0000 00.. = Differentiated Services Codepoint: Default (0)" size="1" pos="1" show="0" value="0" unmaskedvalue="00"/>
- <field name="ip.dsfield.ecn" showname=".... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)" size="1" pos="1" show="0" value="0" unmaskedvalue="00"/>
- </field>
- <field name="ip.len" showname="Total Length: 314" size="2" pos="2" show="314" value="013a"/>
- <field name="ip.id" showname="Identification: 0xffff (65535)" size="2" pos="4" show="0x0000ffff" value="ffff"/>
- <field name="ip.flags" showname="Flags: 0x02 (Don&#x27;t Fragment)" size="1" pos="6" show="0x00000002" value="40">
- <field name="ip.flags.rb" showname="0... .... = Reserved bit: Not set" size="1" pos="6" show="0" value="40"/>
- <field name="ip.flags.df" showname=".1.. .... = Don&#x27;t fragment: Set" size="1" pos="6" show="1" value="40"/>
- <field name="ip.flags.mf" showname="..0. .... = More fragments: Not set" size="1" pos="6" show="0" value="40"/>
- </field>
- <field name="ip.frag_offset" showname="Fragment offset: 0" size="2" pos="6" show="0" value="4000"/>
- <field name="ip.ttl" showname="Time to live: 255" size="1" pos="8" show="255" value="ff"/>
- <field name="ip.proto" showname="Protocol: UDP (17)" size="1" pos="9" show="17" value="11"/>
- <field name="ip.checksum" showname="Header checksum: 0x0000 [validation disabled]" size="2" pos="10" show="0x00000000" value="0000">
- <field name="ip.checksum_good" showname="Good: False" size="2" pos="10" show="0" value="0000"/>
- <field name="ip.checksum_bad" showname="Bad: False" size="2" pos="10" show="0" value="0000"/>
- </field>
- <field name="ip.src" showname="Source: 127.0.0.4" size="4" pos="12" show="127.0.0.4" value="7f000004"/>
- <field name="ip.addr" showname="Source or Destination Address: 127.0.0.4" hide="yes" size="4" pos="12" show="127.0.0.4" value="7f000004"/>
- <field name="ip.src_host" showname="Source Host: 127.0.0.4" hide="yes" size="4" pos="12" show="127.0.0.4" value="7f000004"/>
- <field name="ip.host" showname="Source or Destination Host: 127.0.0.4" hide="yes" size="4" pos="12" show="127.0.0.4" value="7f000004"/>
- <field name="ip.dst" showname="Destination: 127.0.0.3" size="4" pos="16" show="127.0.0.3" value="7f000003"/>
- <field name="ip.addr" showname="Source or Destination Address: 127.0.0.3" hide="yes" size="4" pos="16" show="127.0.0.3" value="7f000003"/>
- <field name="ip.dst_host" showname="Destination Host: 127.0.0.3" hide="yes" size="4" pos="16" show="127.0.0.3" value="7f000003"/>
- <field name="ip.host" showname="Source or Destination Host: 127.0.0.3" hide="yes" size="4" pos="16" show="127.0.0.3" value="7f000003"/>
- <field name="" show="Source GeoIP: Unknown" size="4" pos="12" value="7f000004"/>
- <field name="" show="Destination GeoIP: Unknown" size="4" pos="16" value="7f000003"/>
- </proto>
- <proto name="udp" showname="User Datagram Protocol, Src Port: 138 (138), Dst Port: 138 (138)" size="8" pos="20">
- <field name="udp.srcport" showname="Source Port: 138" size="2" pos="20" show="138" value="008a"/>
- <field name="udp.dstport" showname="Destination Port: 138" size="2" pos="22" show="138" value="008a"/>
- <field name="udp.port" showname="Source or Destination Port: 138" hide="yes" size="2" pos="20" show="138" value="008a"/>
- <field name="udp.port" showname="Source or Destination Port: 138" hide="yes" size="2" pos="22" show="138" value="008a"/>
- <field name="udp.length" showname="Length: 294" size="2" pos="24" show="294" value="0126"/>
- <field name="udp.checksum" showname="Checksum: 0x0000 (none)" size="2" pos="26" show="0x00000000" value="0000">
- <field name="udp.checksum_good" showname="Good Checksum: False" size="2" pos="26" show="0" value="0000"/>
- <field name="udp.checksum_bad" showname="Bad Checksum: False" size="2" pos="26" show="0" value="0000"/>
- </field>
- <field name="udp.stream" showname="Stream index: 322" size="0" pos="28" show="322"/>
- </proto>
- <proto name="nbdgm" showname="NetBIOS Datagram Service" size="82" pos="28">
- <field name="nbdgm.type" showname="Message Type: Direct_group datagram (17)" size="1" pos="28" show="17" value="11"/>
- <field name="nbdgm.next" showname="More fragments follow: No" size="1" pos="29" show="0" value="0a"/>
- <field name="nbdgm.first" showname="This is first fragment: Yes" size="1" pos="29" show="1" value="0a"/>
- <field name="nbdgm.node_type" showname="Node Type: M node (2)" size="1" pos="29" show="2" value="0a"/>
- <field name="nbdgm.dgram_id" showname="Datagram ID: 0x7172" size="2" pos="30" show="0x00007172" value="7172"/>
- <field name="nbdgm.src.ip" showname="Source IP: 127.0.0.4" size="4" pos="32" show="127.0.0.4" value="7f000004"/>
- <field name="nbdgm.src.port" showname="Source Port: 138" size="2" pos="36" show="138" value="008a"/>
- <field name="nbdgm.dgram_len" showname="Datagram length: 272 bytes" size="2" pos="38" show="272" value="0110"/>
- <field name="nbdgm.pkt_offset" showname="Packet offset: 0 bytes" size="2" pos="40" show="0" value="0000"/>
- <field name="nbdgm.source_name" showname="Source name: LOCALNT4MEMBER3&lt;00&gt; (Workstation/Redirector)" size="34" pos="42" show="LOCALNT4MEMBER3&lt;00&gt;" value="20454d455045444542454d454f46454445454e4546454e4543454646434444414100"/>
- <field name="nbdgm.destination_name" showname="Destination name: SAMBA-TEST&lt;1c&gt; (Domain Controllers)" size="34" pos="76" show="SAMBA-TEST&lt;1c&gt;" value="2046444542454e45434542434e464545464644464543414341434143414341424d00"/>
- </proto>
- <proto name="smb" showname="SMB (Server Message Block Protocol)" size="204" pos="110">
- <field name="" show="SMB Header" size="32" pos="110" value="ff534d4225000000000000000000000000000000000000000000000000000000">
- <field name="smb.server_component" showname="Server Component: SMB" size="4" pos="110" show="0x424d53ff" value="ff534d42"/>
- <field name="smb.cmd" showname="SMB Command: Trans (0x25)" size="1" pos="114" show="37" value="25"/>
- <field name="smb.error_class" showname="Error Class: Success (0x00)" size="1" pos="115" show="0x00000000" value="00"/>
- <field name="smb.reserved" showname="Reserved: 00" size="1" pos="116" show="00" value="00"/>
- <field name="smb.error_code" showname="Error Code: No Error" size="2" pos="117" show="0x00000000" value="0000"/>
- <field name="smb.flags" showname="Flags: 0x00" size="1" pos="119" show="0x00000000" value="00">
- <field name="smb.flags.response" showname="0... .... = Request/Response: Message is a request to the server" size="1" pos="119" show="0" value="0" unmaskedvalue="00"/>
- <field name="smb.flags.notify" showname=".0.. .... = Notify: Notify client only on open" size="1" pos="119" show="0" value="0" unmaskedvalue="00"/>
- <field name="smb.flags.oplock" showname="..0. .... = Oplocks: OpLock not requested/granted" size="1" pos="119" show="0" value="0" unmaskedvalue="00"/>
- <field name="smb.flags.canon" showname="...0 .... = Canonicalized Pathnames: Pathnames are not canonicalized" size="1" pos="119" show="0" value="0" unmaskedvalue="00"/>
- <field name="smb.flags.caseless" showname=".... 0... = Case Sensitivity: Path names are case sensitive" size="1" pos="119" show="0" value="0" unmaskedvalue="00"/>
- <field name="smb.flags.receive_buffer" showname=".... ..0. = Receive Buffer Posted: Receive buffer has not been posted" size="1" pos="119" show="0" value="0" unmaskedvalue="00"/>
- <field name="smb.flags.lock" showname=".... ...0 = Lock and Read: Lock&amp;Read, Write&amp;Unlock are not supported" size="1" pos="119" show="0" value="0" unmaskedvalue="00"/>
- </field>
- <field name="smb.flags2" showname="Flags2: 0x0000" size="2" pos="120" show="0x00000000" value="0000">
- <field name="smb.flags2.string" showname="0... .... .... .... = Unicode Strings: Strings are ASCII" size="2" pos="120" show="0" value="0" unmaskedvalue="0000"/>
- <field name="smb.flags2.nt_error" showname=".0.. .... .... .... = Error Code Type: Error codes are DOS error codes" size="2" pos="120" show="0" value="0" unmaskedvalue="0000"/>
- <field name="smb.flags2.roe" showname="..0. .... .... .... = Execute-only Reads: Don&#x27;t permit reads if execute-only" size="2" pos="120" show="0" value="0" unmaskedvalue="0000"/>
- <field name="smb.flags2.dfs" showname="...0 .... .... .... = Dfs: Don&#x27;t resolve pathnames with Dfs" size="2" pos="120" show="0" value="0" unmaskedvalue="0000"/>
- <field name="smb.flags2.esn" showname=".... 0... .... .... = Extended Security Negotiation: Extended security negotiation is not supported" size="2" pos="120" show="0" value="0" unmaskedvalue="0000"/>
- <field name="smb.flags2.reparse_path" showname=".... .0.. .... .... = Reparse Path: The request does not use a @GMT reparse path" size="2" pos="120" show="0" value="0" unmaskedvalue="0000"/>
- <field name="smb.flags2.long_names_used" showname=".... .... .0.. .... = Long Names Used: Path names in request are not long file names" size="2" pos="120" show="0" value="0" unmaskedvalue="0000"/>
- <field name="smb.flags2.sec_sig_required" showname=".... .... ...0 .... = Security Signatures Required: Security signatures are not required" size="2" pos="120" show="0" value="0" unmaskedvalue="0000"/>
- <field name="smb.flags2.compressed" showname=".... .... .... 0... = Compressed: Compression is not requested" size="2" pos="120" show="0" value="0" unmaskedvalue="0000"/>
- <field name="smb.flags2.sec_sig" showname=".... .... .... .0.. = Security Signatures: Security signatures are not supported" size="2" pos="120" show="0" value="0" unmaskedvalue="0000"/>
- <field name="smb.flags2.ea" showname=".... .... .... ..0. = Extended Attributes: Extended attributes are not supported" size="2" pos="120" show="0" value="0" unmaskedvalue="0000"/>
- <field name="smb.flags2.long_names_allowed" showname=".... .... .... ...0 = Long Names Allowed: Long file names are not allowed in the response" size="2" pos="120" show="0" value="0" unmaskedvalue="0000"/>
- </field>
- <field name="smb.pid.high" showname="Process ID High: 0" size="2" pos="122" show="0" value="0000"/>
- <field name="smb.signature" showname="Signature: 0000000000000000" size="8" pos="124" show="00:00:00:00:00:00:00:00" value="0000000000000000"/>
- <field name="smb.reserved" showname="Reserved: 0000" size="2" pos="132" show="00:00" value="0000"/>
- <field name="smb.tid" showname="Tree ID: 0" size="2" pos="134" show="0" value="0000"/>
- <field name="smb.pid" showname="Process ID: 0" size="2" pos="136" show="0" value="0000"/>
- <field name="smb.uid" showname="User ID: 0" size="2" pos="138" show="0" value="0000"/>
- <field name="smb.mid" showname="Multiplex ID: 0" size="2" pos="140" show="0" value="0000"/>
- </field>
- <field name="" show="Trans Request (0x25)" size="172" pos="142" value="110000710000000000000000000000000000000000000071005b00030001000000020087005c4d41494c534c4f545c4e45545c4e544c4f474f4e00120000004c004f00430041004c004e00540034004d0045004d00420045005200330000004c004f00430041004c004e00540034004d0045004d004200450052003300240000005c4d41494c534c4f545c4e45545c4745544443333030303037460080000000000000000b000000ffffffff">
- <field name="smb.wct" showname="Word Count (WCT): 17" size="1" pos="142" show="17" value="11"/>
- <field name="smb.tpc" showname="Total Parameter Count: 0" size="2" pos="143" show="0" value="0000"/>
- <field name="smb.tdc" showname="Total Data Count: 113" size="2" pos="145" show="113" value="7100"/>
- <field name="smb.mpc" showname="Max Parameter Count: 0" size="2" pos="147" show="0" value="0000"/>
- <field name="smb.mdc" showname="Max Data Count: 0" size="2" pos="149" show="0" value="0000"/>
- <field name="smb.msc" showname="Max Setup Count: 0" size="1" pos="151" show="0" value="00"/>
- <field name="smb.reserved" showname="Reserved: 00" size="1" pos="152" show="00" value="00"/>
- <field name="smb.transaction.flags" showname="Flags: 0x0000" size="2" pos="153" show="0x00000000" value="0000">
- <field name="smb.transaction.flags.owt" showname=".... .... .... ..0. = One Way Transaction: Two way transaction" size="2" pos="153" show="0" value="0" unmaskedvalue="0000"/>
- <field name="smb.transaction.flags.dtid" showname=".... .... .... ...0 = Disconnect TID: Do NOT disconnect TID" size="2" pos="153" show="0" value="0" unmaskedvalue="0000"/>
- </field>
- <field name="smb.timeout" showname="Timeout: Return immediately (0)" size="4" pos="155" show="0" value="00000000"/>
- <field name="smb.reserved" showname="Reserved: 0000" size="2" pos="159" show="00:00" value="0000"/>
- <field name="smb.pc" showname="Parameter Count: 0" size="2" pos="161" show="0" value="0000"/>
- <field name="smb.po" showname="Parameter Offset: 0" size="2" pos="163" show="0" value="0000"/>
- <field name="smb.dc" showname="Data Count: 113" size="2" pos="165" show="113" value="7100"/>
- <field name="smb.data_offset" showname="Data Offset: 91" size="2" pos="167" show="91" value="5b00"/>
- <field name="smb.sc" showname="Setup Count: 3" size="1" pos="169" show="3" value="03"/>
- <field name="smb.reserved" showname="Reserved: 00" size="1" pos="170" show="00" value="00"/>
- <field name="smb.bcc" showname="Byte Count (BCC): 135" size="2" pos="177" show="135" value="8700"/>
- <field name="smb.trans_name" showname="Transaction Name: \MAILSLOT\NET\NTLOGON" size="22" pos="179" show="\MAILSLOT\NET\NTLOGON" value="5c4d41494c534c4f545c4e45545c4e544c4f474f4e00"/>
- </field>
- </proto>
- <proto name="mailslot" showname="SMB MailSlot Protocol" size="30" pos="171">
- <field name="mailslot.opcode" showname="Opcode: Write Mail Slot (1)" size="2" pos="171" show="1" value="0100"/>
- <field name="mailslot.priority" showname="Priority: 0" size="2" pos="173" show="0" value="0000"/>
- <field name="mailslot.class" showname="Class: Unreliable &amp; Broadcast (2)" size="2" pos="175" show="2" value="0200"/>
- <field name="mailslot.size" showname="Size: 135" size="2" pos="177" show="135" value="8700"/>
- <field name="mailslot.name" showname="Mailslot Name: \MAILSLOT\NET\NTLOGON" size="22" pos="179" show="\MAILSLOT\NET\NTLOGON" value="5c4d41494c534c4f545c4e45545c4e544c4f474f4e00"/>
- </proto>
- <proto name="smb_netlogon" showname="Microsoft Windows Logon Protocol (Old)" size="113" pos="201">
- <field name="smb_netlogon.command" showname="Command: SAM LOGON request from client (0x12)" size="1" pos="201" show="0x00000012" value="12"/>
- <field name="smb_netlogon.request_count" showname="Request Count: 0" size="2" pos="203" show="0" value="0000"/>
- <field name="smb_netlogon.unicode_computer_name" showname="Unicode Computer Name: LOCALNT4MEMBER3" size="32" pos="205" show="LOCALNT4MEMBER3" value="4c004f00430041004c004e00540034004d0045004d0042004500520033000000"/>
- <field name="smb_netlogon.user_name" showname="User Name: LOCALNT4MEMBER3$" size="34" pos="237" show="LOCALNT4MEMBER3$" value="4c004f00430041004c004e00540034004d0045004d00420045005200330024000000"/>
- <field name="smb_netlogon.mailslot_name" showname="Mailslot Name: \MAILSLOT\NET\GETDC300007F" size="27" pos="271" show="\MAILSLOT\NET\GETDC300007F" value="5c4d41494c534c4f545c4e45545c47455444433330303030374600"/>
- <field name="smb_netlogon.flags" showname="Account control: 0x00000080, Workstation Trust" size="4" pos="298" show="0x00000080" value="80000000">
- <field name="smb_netlogon.flags.autolock" showname=".... .... .... .... .... .0.. .... .... = Autolock: User account NOT auto-locked" size="4" pos="298" show="0" value="0" unmaskedvalue="80000000"/>
- <field name="smb_netlogon.flags.expire" showname=".... .... .... .... .... ..0. .... .... = Expire: User password will expire" size="4" pos="298" show="0" value="0" unmaskedvalue="80000000"/>
- <field name="smb_netlogon.flags.server" showname=".... .... .... .... .... ...0 .... .... = Server Trust: NOT a Server Trust user account" size="4" pos="298" show="0" value="0" unmaskedvalue="80000000"/>
- <field name="smb_netlogon.flags.workstation" showname=".... .... .... .... .... .... 1... .... = Workstation Trust: Workstation Trust user account" size="4" pos="298" show="1" value="FFFFFFFF" unmaskedvalue="80000000"/>
- <field name="smb_netlogon.flags.interdomain" showname=".... .... .... .... .... .... .0.. .... = Interdomain Trust: NOT a Inter-domain Trust user account" size="4" pos="298" show="0" value="0" unmaskedvalue="80000000"/>
- <field name="smb_netlogon.flags.mns" showname=".... .... .... .... .... .... ..0. .... = MNS User: NOT a MNS Logon user account" size="4" pos="298" show="0" value="0" unmaskedvalue="80000000"/>
- <field name="smb_netlogon.flags.normal" showname=".... .... .... .... .... .... ...0 .... = Normal User: NOT a normal user account" size="4" pos="298" show="0" value="0" unmaskedvalue="80000000"/>
- <field name="smb_netlogon.flags.temp_dup" showname=".... .... .... .... .... .... .... 0... = Temp Duplicate User: NOT a temp duplicate user account" size="4" pos="298" show="0" value="0" unmaskedvalue="80000000"/>
- <field name="smb_netlogon.flags.password" showname=".... .... .... .... .... .... .... .0.. = Password: Password required" size="4" pos="298" show="0" value="0" unmaskedvalue="80000000"/>
- <field name="smb_netlogon.flags.homedir" showname=".... .... .... .... .... .... .... ..0. = Homedir: Homedir required" size="4" pos="298" show="0" value="0" unmaskedvalue="80000000"/>
- <field name="smb_netlogon.flags.enabled" showname=".... .... .... .... .... .... .... ...0 = Enabled: User account disabled" size="4" pos="298" show="0" value="0" unmaskedvalue="80000000"/>
- </field>
- <field name="smb_netlogon.domain_sid_size" showname="Domain SID Size: 0" size="4" pos="302" show="0" value="00000000"/>
- <field name="smb_netlogon.nt_version" showname="NT Version: 11" size="4" pos="306" show="11" value="0b000000"/>
- <field name="smb_netlogon.lmnt_token" showname="LMNT Token: 0xffff (Windows NT Networking)" size="2" pos="310" show="0x0000ffff" value="ffff"/>
- <field name="smb_netlogon.lm_token" showname="LM20 Token: 0xffff (LanMan 2.0 or higher)" size="2" pos="312" show="0x0000ffff" value="ffff"/>
- </proto>
-</packet>
-
-<packet>
- <proto name="geninfo" pos="0" showname="General information" size="248">
- <field name="num" pos="0" show="64697" showname="Number" value="fcb9" size="248"/>
- <field name="len" pos="0" show="248" showname="Frame Length" value="f8" size="248"/>
- <field name="caplen" pos="0" show="248" showname="Captured Length" value="f8" size="248"/>
- <field name="timestamp" pos="0" show="Feb 10, 2017 14:38:39.940434000 NZDT" showname="Captured Time" value="1486690719.940434000" size="248"/>
- </proto>
- <proto name="frame" showname="Frame 64697: 248 bytes on wire (1984 bits), 248 bytes captured (1984 bits)" size="248" pos="0">
- <field name="frame.encap_type" showname="Encapsulation type: Raw IP (7)" size="0" pos="0" show="7"/>
- <field name="frame.time" showname="Arrival Time: Feb 10, 2017 14:38:39.940434000 NZDT" size="0" pos="0" show="Feb 10, 2017 14:38:39.940434000 NZDT"/>
- <field name="frame.offset_shift" showname="Time shift for this packet: 0.000000000 seconds" size="0" pos="0" show="0.000000000"/>
- <field name="frame.time_epoch" showname="Epoch Time: 1486690719.940434000 seconds" size="0" pos="0" show="1486690719.940434000"/>
- <field name="frame.time_delta" showname="Time delta from previous captured frame: 0.000173000 seconds" size="0" pos="0" show="0.000173000"/>
- <field name="frame.time_delta_displayed" showname="Time delta from previous displayed frame: 0.000173000 seconds" size="0" pos="0" show="0.000173000"/>
- <field name="frame.time_relative" showname="Time since reference or first frame: 143.409983000 seconds" size="0" pos="0" show="143.409983000"/>
- <field name="frame.number" showname="Frame Number: 64697" size="0" pos="0" show="64697"/>
- <field name="frame.len" showname="Frame Length: 248 bytes (1984 bits)" size="0" pos="0" show="248"/>
- <field name="frame.cap_len" showname="Capture Length: 248 bytes (1984 bits)" size="0" pos="0" show="248"/>
- <field name="frame.marked" showname="Frame is marked: False" size="0" pos="0" show="0"/>
- <field name="frame.ignored" showname="Frame is ignored: False" size="0" pos="0" show="0"/>
- <field name="frame.protocols" showname="Protocols in frame: raw:ip:tcp:ldap:gss-api:spnego-krb5" size="0" pos="0" show="raw:ip:tcp:ldap:gss-api:spnego-krb5"/>
- </proto>
- <proto name="raw" showname="Raw packet data" size="248" pos="0"/>
- <proto name="ip" showname="Internet Protocol Version 4, Src: 127.0.0.11, Dst: 127.0.0.21" size="20" pos="0">
- <field name="ip.version" showname="0100 .... = Version: 4" size="1" pos="0" show="4" value="4" unmaskedvalue="45"/>
- <field name="ip.hdr_len" showname=".... 0101 = Header Length: 20 bytes" size="1" pos="0" show="5" value="5" unmaskedvalue="45"/>
- <field name="ip.dsfield" showname="Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)" size="1" pos="1" show="0x00000000" value="00">
- <field name="ip.dsfield.dscp" showname="0000 00.. = Differentiated Services Codepoint: Default (0)" size="1" pos="1" show="0" value="0" unmaskedvalue="00"/>
- <field name="ip.dsfield.ecn" showname=".... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)" size="1" pos="1" show="0" value="0" unmaskedvalue="00"/>
- </field>
- <field name="ip.len" showname="Total Length: 248" size="2" pos="2" show="248" value="00f8"/>
- <field name="ip.id" showname="Identification: 0xffff (65535)" size="2" pos="4" show="0x0000ffff" value="ffff"/>
- <field name="ip.flags" showname="Flags: 0x02 (Don&#x27;t Fragment)" size="1" pos="6" show="0x00000002" value="40">
- <field name="ip.flags.rb" showname="0... .... = Reserved bit: Not set" size="1" pos="6" show="0" value="40"/>
- <field name="ip.flags.df" showname=".1.. .... = Don&#x27;t fragment: Set" size="1" pos="6" show="1" value="40"/>
- <field name="ip.flags.mf" showname="..0. .... = More fragments: Not set" size="1" pos="6" show="0" value="40"/>
- </field>
- <field name="ip.frag_offset" showname="Fragment offset: 0" size="2" pos="6" show="0" value="4000"/>
- <field name="ip.ttl" showname="Time to live: 255" size="1" pos="8" show="255" value="ff"/>
- <field name="ip.proto" showname="Protocol: TCP (6)" size="1" pos="9" show="6" value="06"/>
- <field name="ip.checksum" showname="Header checksum: 0x0000 [validation disabled]" size="2" pos="10" show="0x00000000" value="0000">
- <field name="ip.checksum_good" showname="Good: False" size="2" pos="10" show="0" value="0000"/>
- <field name="ip.checksum_bad" showname="Bad: False" size="2" pos="10" show="0" value="0000"/>
- </field>
- <field name="ip.src" showname="Source: 127.0.0.11" size="4" pos="12" show="127.0.0.11" value="7f00000b"/>
- <field name="ip.addr" showname="Source or Destination Address: 127.0.0.11" hide="yes" size="4" pos="12" show="127.0.0.11" value="7f00000b"/>
- <field name="ip.src_host" showname="Source Host: 127.0.0.11" hide="yes" size="4" pos="12" show="127.0.0.11" value="7f00000b"/>
- <field name="ip.host" showname="Source or Destination Host: 127.0.0.11" hide="yes" size="4" pos="12" show="127.0.0.11" value="7f00000b"/>
- <field name="ip.dst" showname="Destination: 127.0.0.21" size="4" pos="16" show="127.0.0.21" value="7f000015"/>
- <field name="ip.addr" showname="Source or Destination Address: 127.0.0.21" hide="yes" size="4" pos="16" show="127.0.0.21" value="7f000015"/>
- <field name="ip.dst_host" showname="Destination Host: 127.0.0.21" hide="yes" size="4" pos="16" show="127.0.0.21" value="7f000015"/>
- <field name="ip.host" showname="Source or Destination Host: 127.0.0.21" hide="yes" size="4" pos="16" show="127.0.0.21" value="7f000015"/>
- <field name="" show="Source GeoIP: Unknown" size="4" pos="12" value="7f00000b"/>
- <field name="" show="Destination GeoIP: Unknown" size="4" pos="16" value="7f000015"/>
- </proto>
- <proto name="tcp" showname="Transmission Control Protocol, Src Port: 18512 (18512), Dst Port: 389 (389), Seq: 7674, Ack: 11148, Len: 208" size="20" pos="20">
- <field name="tcp.srcport" showname="Source Port: 18512" size="2" pos="20" show="18512" value="4850"/>
- <field name="tcp.dstport" showname="Destination Port: 389" size="2" pos="22" show="389" value="0185"/>
- <field name="tcp.port" showname="Source or Destination Port: 18512" hide="yes" size="2" pos="20" show="18512" value="4850"/>
- <field name="tcp.port" showname="Source or Destination Port: 389" hide="yes" size="2" pos="22" show="389" value="0185"/>
- <field name="tcp.stream" showname="Stream index: 1400" size="0" pos="20" show="1400"/>
- <field name="tcp.len" showname="TCP Segment Len: 208" size="1" pos="32" show="208" value="50"/>
- <field name="tcp.seq" showname="Sequence number: 7674 (relative sequence number)" size="4" pos="24" show="7674" value="00001dfa"/>
- <field name="tcp.nxtseq" showname="Next sequence number: 7882 (relative sequence number)" size="0" pos="20" show="7882"/>
- <field name="tcp.ack" showname="Acknowledgment number: 11148 (relative ack number)" size="4" pos="28" show="11148" value="00002b8c"/>
- <field name="tcp.hdr_len" showname="Header Length: 20 bytes" size="1" pos="32" show="20" value="50"/>
- <field name="tcp.flags" showname="Flags: 0x018 (PSH, ACK)" size="2" pos="32" show="0x00000018" value="18" unmaskedvalue="5018">
- <field name="tcp.flags.res" showname="000. .... .... = Reserved: Not set" size="1" pos="32" show="0" value="0" unmaskedvalue="50"/>
- <field name="tcp.flags.ns" showname="...0 .... .... = Nonce: Not set" size="1" pos="32" show="0" value="0" unmaskedvalue="50"/>
- <field name="tcp.flags.cwr" showname=".... 0... .... = Congestion Window Reduced (CWR): Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
- <field name="tcp.flags.ecn" showname=".... .0.. .... = ECN-Echo: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
- <field name="tcp.flags.urg" showname=".... ..0. .... = Urgent: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
- <field name="tcp.flags.ack" showname=".... ...1 .... = Acknowledgment: Set" size="1" pos="33" show="1" value="FFFFFFFF" unmaskedvalue="18"/>
- <field name="tcp.flags.push" showname=".... .... 1... = Push: Set" size="1" pos="33" show="1" value="FFFFFFFF" unmaskedvalue="18"/>
- <field name="tcp.flags.reset" showname=".... .... .0.. = Reset: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
- <field name="tcp.flags.syn" showname=".... .... ..0. = Syn: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
- <field name="tcp.flags.fin" showname=".... .... ...0 = Fin: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
- <field name="tcp.flags.str" showname="TCP Flags: *******AP***" size="2" pos="32" show="*******AP***" value="5018"/>
- </field>
- <field name="tcp.window_size_value" showname="Window size value: 32767" size="2" pos="34" show="32767" value="7fff"/>
- <field name="tcp.window_size" showname="Calculated window size: 32767" size="2" pos="34" show="32767" value="7fff"/>
- <field name="tcp.window_size_scalefactor" showname="Window size scaling factor: -2 (no window scaling used)" size="2" pos="34" show="-2" value="7fff"/>
- <field name="tcp.checksum" showname="Checksum: 0x0000 [validation disabled]" size="2" pos="36" show="0x00000000" value="0000">
- <field name="tcp.checksum_good" showname="Good Checksum: False" size="2" pos="36" show="0" value="0000"/>
- <field name="tcp.checksum_bad" showname="Bad Checksum: False" size="2" pos="36" show="0" value="0000"/>
- </field>
- <field name="tcp.urgent_pointer" showname="Urgent pointer: 0" size="2" pos="38" show="0" value="0000"/>
- <field name="tcp.analysis" showname="SEQ/ACK analysis" size="0" pos="20" show="" value="">
- <field name="tcp.analysis.acks_frame" showname="This is an ACK to the segment in frame: 64694" size="0" pos="20" show="64694"/>
- <field name="tcp.analysis.ack_rtt" showname="The RTT to ACK the segment was: 0.000241000 seconds" size="0" pos="20" show="0.000241000"/>
- <field name="tcp.analysis.initial_rtt" showname="iRTT: 0.000019000 seconds" size="0" pos="20" show="0.000019000"/>
- <field name="tcp.analysis.bytes_in_flight" showname="Bytes in flight: 208" size="0" pos="20" show="208"/>
- </field>
- <field name="tcp.pdu.size" showname="PDU Size: 208" size="208" pos="40" show="208" value="000000cc050404ff000c000c0000000034b876cafa1236459c941cdfeb431f613081ad0201346681a7043c636e3d6c6461707465737432636f6d70757465722c636e3d636f6d7075746572732c44433d73616d62612c44433d6578616d706c652c44433d636f6d306730650a010230600414736572766963655072696e636970616c4e616d6531480416686f73742f6c6461707465737432636f6d70757465720416686f73742f6c6461707465737432636f6d70757465720416636966732f6c6461707465737432636f6d7075746572"/>
- </proto>
- <proto name="ldap" showname="Lightweight Directory Access Protocol" size="208" pos="40">
- <field name="ldap.sasl_buffer_length" showname="SASL Buffer Length: 204" size="4" pos="40" show="204" value="000000cc"/>
- <field name="" show="SASL Buffer" size="208" pos="40" value="000000cc050404ff000c000c0000000034b876cafa1236459c941cdfeb431f613081ad0201346681a7043c636e3d6c6461707465737432636f6d70757465722c636e3d636f6d7075746572732c44433d73616d62612c44433d6578616d706c652c44433d636f6d306730650a010230600414736572766963655072696e636970616c4e616d6531480416686f73742f6c6461707465737432636f6d70757465720416686f73742f6c6461707465737432636f6d70757465720416636966732f6c6461707465737432636f6d7075746572">
- <proto name="gss-api" showname="GSS-API Generic Security Service Application Program Interface" size="28" pos="44">
- <field name="spnego.krb5.blob" showname="krb5_blob: 050404ff000c000c0000000034b876cafa1236459c941cdf..." size="28" pos="44" show="05:04:04:ff:00:0c:00:0c:00:00:00:00:34:b8:76:ca:fa:12:36:45:9c:94:1c:df:eb:43:1f:61" value="050404ff000c000c0000000034b876cafa1236459c941cdfeb431f61">
- <field name="spnego.krb5.tok_id" showname="krb5_tok_id: KRB_TOKEN_CFX_WRAP (0x0405)" size="2" pos="44" show="0x00000405" value="0504"/>
- <field name="spnego.krb5.cfx_flags" showname="krb5_cfx_flags: 0x04, AcceptorSubkey" size="1" pos="46" show="0x00000004" value="04">
- <field name="spnego.krb5.acceptor_subkey" showname=".... .1.. = AcceptorSubkey: Set" size="1" pos="46" show="1" value="FFFFFFFF" unmaskedvalue="04"/>
- <field name="spnego.krb5.sealed" showname=".... ..0. = Sealed: Not set" size="1" pos="46" show="0" value="0" unmaskedvalue="04"/>
- <field name="spnego.krb5.send_by_acceptor" showname=".... ...0 = SendByAcceptor: Not set" size="1" pos="46" show="0" value="0" unmaskedvalue="04"/>
- </field>
- <field name="spnego.krb5.filler" showname="krb5_filler: ff" size="1" pos="47" show="ff" value="ff"/>
- <field name="spnego.krb5.cfx_ec" showname="krb5_cfx_ec: 12" size="2" pos="48" show="12" value="000c"/>
- <field name="spnego.krb5.cfx_rrc" showname="krb5_cfx_rrc: 12" size="2" pos="50" show="12" value="000c"/>
- <field name="spnego.krb5.cfx_seq" showname="krb5_cfx_seq: 884504266" size="8" pos="52" show="884504266" value="0000000034b876ca"/>
- <field name="spnego.krb5.sgn_cksum" showname="krb5_sgn_cksum: fa1236459c941cdfeb431f61" size="12" pos="60" show="fa:12:36:45:9c:94:1c:df:eb:43:1f:61" value="fa1236459c941cdfeb431f61"/>
- </field>
- </proto>
- <field name="" show="GSS-API payload (176 bytes)" size="176" pos="72" value="3081ad0201346681a7043c636e3d6c6461707465737432636f6d70757465722c636e3d636f6d7075746572732c44433d73616d62612c44433d6578616d706c652c44433d636f6d306730650a010230600414736572766963655072696e636970616c4e616d6531480416686f73742f6c6461707465737432636f6d70757465720416686f73742f6c6461707465737432636f6d70757465720416636966732f6c6461707465737432636f6d7075746572">
- <field name="ldap.LDAPMessage_element" showname="LDAPMessage modifyRequest(52) &quot;cn=ldaptest2computer,cn=computers,DC=samba,DC=example,DC=com&quot;" size="176" pos="72" show="" value="">
- <field name="ldap.messageID" showname="messageID: 52" size="1" pos="77" show="52" value="34"/>
- <field name="ldap.protocolOp" showname="protocolOp: modifyRequest (6)" size="170" pos="78" show="6" value="6681a7043c636e3d6c6461707465737432636f6d70757465722c636e3d636f6d7075746572732c44433d73616d62612c44433d6578616d706c652c44433d636f6d306730650a010230600414736572766963655072696e636970616c4e616d6531480416686f73742f6c6461707465737432636f6d70757465720416686f73742f6c6461707465737432636f6d70757465720416636966732f6c6461707465737432636f6d7075746572">
- <field name="ldap.modifyRequest_element" showname="modifyRequest" size="167" pos="81" show="" value="">
- <field name="ldap.object" showname="object: cn=ldaptest2computer,cn=computers,DC=samba,DC=example,DC=com" size="60" pos="83" show="cn=ldaptest2computer,cn=computers,DC=samba,DC=example,DC=com" value="636e3d6c6461707465737432636f6d70757465722c636e3d636f6d7075746572732c44433d73616d62612c44433d6578616d706c652c44433d636f6d"/>
- <field name="ldap.modification" showname="modification: 1 item" size="103" pos="145" show="1" value="30650a010230600414736572766963655072696e636970616c4e616d6531480416686f73742f6c6461707465737432636f6d70757465720416686f73742f6c6461707465737432636f6d70757465720416636966732f6c6461707465737432636f6d7075746572">
- <field name="ldap.modification_item_element" showname="modification item" size="103" pos="145" show="" value="">
- <field name="ldap.operation" showname="operation: replace (2)" size="1" pos="149" show="2" value="02"/>
- <field name="ldap.modification_element" showname="modification servicePrincipalName" size="98" pos="150" show="" value="">
- <field name="ldap.type" showname="type: servicePrincipalName" size="20" pos="154" show="servicePrincipalName" value="736572766963655072696e636970616c4e616d65"/>
- <field name="ldap.vals" showname="vals: 3 items" size="72" pos="176" show="3" value="0416686f73742f6c6461707465737432636f6d70757465720416686f73742f6c6461707465737432636f6d70757465720416636966732f6c6461707465737432636f6d7075746572">
- <field name="ldap.AttributeValue" showname="AttributeValue: host/ldaptest2computer" size="22" pos="178" show="68:6f:73:74:2f:6c:64:61:70:74:65:73:74:32:63:6f:6d:70:75:74:65:72" value="686f73742f6c6461707465737432636f6d7075746572"/>
- <field name="ldap.AttributeValue" showname="AttributeValue: host/ldaptest2computer" size="22" pos="202" show="68:6f:73:74:2f:6c:64:61:70:74:65:73:74:32:63:6f:6d:70:75:74:65:72" value="686f73742f6c6461707465737432636f6d7075746572"/>
- <field name="ldap.AttributeValue" showname="AttributeValue: cifs/ldaptest2computer" size="22" pos="226" show="63:69:66:73:2f:6c:64:61:70:74:65:73:74:32:63:6f:6d:70:75:74:65:72" value="636966732f6c6461707465737432636f6d7075746572"/>
- </field>
- </field>
- </field>
- </field>
- </field>
- </field>
- </field>
- </field>
- </field>
- </proto>
-</packet>
-
-<packet>
- <proto name="geninfo" pos="0" showname="General information" size="95">
- <field name="num" pos="0" show="51638" showname="Number" value="c9b6" size="95"/>
- <field name="len" pos="0" show="95" showname="Frame Length" value="5f" size="95"/>
- <field name="caplen" pos="0" show="95" showname="Captured Length" value="5f" size="95"/>
- <field name="timestamp" pos="0" show="Feb 10, 2017 14:38:02.579057000 NZDT" showname="Captured Time" value="1486690682.579057000" size="95"/>
- </proto>
- <proto name="frame" showname="Frame 51638: 95 bytes on wire (760 bits), 95 bytes captured (760 bits)" size="95" pos="0">
- <field name="frame.encap_type" showname="Encapsulation type: Raw IP (7)" size="0" pos="0" show="7"/>
- <field name="frame.time" showname="Arrival Time: Feb 10, 2017 14:38:02.579057000 NZDT" size="0" pos="0" show="Feb 10, 2017 14:38:02.579057000 NZDT"/>
- <field name="frame.offset_shift" showname="Time shift for this packet: 0.000000000 seconds" size="0" pos="0" show="0.000000000"/>
- <field name="frame.time_epoch" showname="Epoch Time: 1486690682.579057000 seconds" size="0" pos="0" show="1486690682.579057000"/>
- <field name="frame.time_delta" showname="Time delta from previous captured frame: 0.000038000 seconds" size="0" pos="0" show="0.000038000"/>
- <field name="frame.time_delta_displayed" showname="Time delta from previous displayed frame: 0.000038000 seconds" size="0" pos="0" show="0.000038000"/>
- <field name="frame.time_relative" showname="Time since reference or first frame: 106.048606000 seconds" size="0" pos="0" show="106.048606000"/>
- <field name="frame.number" showname="Frame Number: 51638" size="0" pos="0" show="51638"/>
- <field name="frame.len" showname="Frame Length: 95 bytes (760 bits)" size="0" pos="0" show="95"/>
- <field name="frame.cap_len" showname="Capture Length: 95 bytes (760 bits)" size="0" pos="0" show="95"/>
- <field name="frame.marked" showname="Frame is marked: False" size="0" pos="0" show="0"/>
- <field name="frame.ignored" showname="Frame is ignored: False" size="0" pos="0" show="0"/>
- <field name="frame.protocols" showname="Protocols in frame: raw:ip:tcp:ldap" size="0" pos="0" show="raw:ip:tcp:ldap"/>
- </proto>
- <proto name="raw" showname="Raw packet data" size="95" pos="0"/>
- <proto name="ip" showname="Internet Protocol Version 4, Src: 127.0.0.11, Dst: 127.0.0.21" size="20" pos="0">
- <field name="ip.version" showname="0100 .... = Version: 4" size="1" pos="0" show="4" value="4" unmaskedvalue="45"/>
- <field name="ip.hdr_len" showname=".... 0101 = Header Length: 20 bytes" size="1" pos="0" show="5" value="5" unmaskedvalue="45"/>
- <field name="ip.dsfield" showname="Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)" size="1" pos="1" show="0x00000000" value="00">
- <field name="ip.dsfield.dscp" showname="0000 00.. = Differentiated Services Codepoint: Default (0)" size="1" pos="1" show="0" value="0" unmaskedvalue="00"/>
- <field name="ip.dsfield.ecn" showname=".... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)" size="1" pos="1" show="0" value="0" unmaskedvalue="00"/>
- </field>
- <field name="ip.len" showname="Total Length: 95" size="2" pos="2" show="95" value="005f"/>
- <field name="ip.id" showname="Identification: 0xffff (65535)" size="2" pos="4" show="0x0000ffff" value="ffff"/>
- <field name="ip.flags" showname="Flags: 0x02 (Don&#x27;t Fragment)" size="1" pos="6" show="0x00000002" value="40">
- <field name="ip.flags.rb" showname="0... .... = Reserved bit: Not set" size="1" pos="6" show="0" value="40"/>
- <field name="ip.flags.df" showname=".1.. .... = Don&#x27;t fragment: Set" size="1" pos="6" show="1" value="40"/>
- <field name="ip.flags.mf" showname="..0. .... = More fragments: Not set" size="1" pos="6" show="0" value="40"/>
- </field>
- <field name="ip.frag_offset" showname="Fragment offset: 0" size="2" pos="6" show="0" value="4000"/>
- <field name="ip.ttl" showname="Time to live: 255" size="1" pos="8" show="255" value="ff"/>
- <field name="ip.proto" showname="Protocol: TCP (6)" size="1" pos="9" show="6" value="06"/>
- <field name="ip.checksum" showname="Header checksum: 0x0000 [validation disabled]" size="2" pos="10" show="0x00000000" value="0000">
- <field name="ip.checksum_good" showname="Good: False" size="2" pos="10" show="0" value="0000"/>
- <field name="ip.checksum_bad" showname="Bad: False" size="2" pos="10" show="0" value="0000"/>
- </field>
- <field name="ip.src" showname="Source: 127.0.0.11" size="4" pos="12" show="127.0.0.11" value="7f00000b"/>
- <field name="ip.addr" showname="Source or Destination Address: 127.0.0.11" hide="yes" size="4" pos="12" show="127.0.0.11" value="7f00000b"/>
- <field name="ip.src_host" showname="Source Host: 127.0.0.11" hide="yes" size="4" pos="12" show="127.0.0.11" value="7f00000b"/>
- <field name="ip.host" showname="Source or Destination Host: 127.0.0.11" hide="yes" size="4" pos="12" show="127.0.0.11" value="7f00000b"/>
- <field name="ip.dst" showname="Destination: 127.0.0.21" size="4" pos="16" show="127.0.0.21" value="7f000015"/>
- <field name="ip.addr" showname="Source or Destination Address: 127.0.0.21" hide="yes" size="4" pos="16" show="127.0.0.21" value="7f000015"/>
- <field name="ip.dst_host" showname="Destination Host: 127.0.0.21" hide="yes" size="4" pos="16" show="127.0.0.21" value="7f000015"/>
- <field name="ip.host" showname="Source or Destination Host: 127.0.0.21" hide="yes" size="4" pos="16" show="127.0.0.21" value="7f000015"/>
- <field name="" show="Source GeoIP: Unknown" size="4" pos="12" value="7f00000b"/>
- <field name="" show="Destination GeoIP: Unknown" size="4" pos="16" value="7f000015"/>
- </proto>
- <proto name="tcp" showname="Transmission Control Protocol, Src Port: 18036 (18036), Dst Port: 389 (389), Seq: 1, Ack: 1, Len: 55" size="20" pos="20">
- <field name="tcp.srcport" showname="Source Port: 18036" size="2" pos="20" show="18036" value="4674"/>
- <field name="tcp.dstport" showname="Destination Port: 389" size="2" pos="22" show="389" value="0185"/>
- <field name="tcp.port" showname="Source or Destination Port: 18036" hide="yes" size="2" pos="20" show="18036" value="4674"/>
- <field name="tcp.port" showname="Source or Destination Port: 389" hide="yes" size="2" pos="22" show="389" value="0185"/>
- <field name="tcp.stream" showname="Stream index: 1207" size="0" pos="20" show="1207"/>
- <field name="tcp.len" showname="TCP Segment Len: 55" size="1" pos="32" show="55" value="50"/>
- <field name="tcp.seq" showname="Sequence number: 1 (relative sequence number)" size="4" pos="24" show="1" value="00000001"/>
- <field name="tcp.nxtseq" showname="Next sequence number: 56 (relative sequence number)" size="0" pos="20" show="56"/>
- <field name="tcp.ack" showname="Acknowledgment number: 1 (relative ack number)" size="4" pos="28" show="1" value="00000001"/>
- <field name="tcp.hdr_len" showname="Header Length: 20 bytes" size="1" pos="32" show="20" value="50"/>
- <field name="tcp.flags" showname="Flags: 0x018 (PSH, ACK)" size="2" pos="32" show="0x00000018" value="18" unmaskedvalue="5018">
- <field name="tcp.flags.res" showname="000. .... .... = Reserved: Not set" size="1" pos="32" show="0" value="0" unmaskedvalue="50"/>
- <field name="tcp.flags.ns" showname="...0 .... .... = Nonce: Not set" size="1" pos="32" show="0" value="0" unmaskedvalue="50"/>
- <field name="tcp.flags.cwr" showname=".... 0... .... = Congestion Window Reduced (CWR): Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
- <field name="tcp.flags.ecn" showname=".... .0.. .... = ECN-Echo: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
- <field name="tcp.flags.urg" showname=".... ..0. .... = Urgent: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
- <field name="tcp.flags.ack" showname=".... ...1 .... = Acknowledgment: Set" size="1" pos="33" show="1" value="FFFFFFFF" unmaskedvalue="18"/>
- <field name="tcp.flags.push" showname=".... .... 1... = Push: Set" size="1" pos="33" show="1" value="FFFFFFFF" unmaskedvalue="18"/>
- <field name="tcp.flags.reset" showname=".... .... .0.. = Reset: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
- <field name="tcp.flags.syn" showname=".... .... ..0. = Syn: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
- <field name="tcp.flags.fin" showname=".... .... ...0 = Fin: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
- <field name="tcp.flags.str" showname="TCP Flags: *******AP***" size="2" pos="32" show="*******AP***" value="5018"/>
- </field>
- <field name="tcp.window_size_value" showname="Window size value: 32767" size="2" pos="34" show="32767" value="7fff"/>
- <field name="tcp.window_size" showname="Calculated window size: 32767" size="2" pos="34" show="32767" value="7fff"/>
- <field name="tcp.window_size_scalefactor" showname="Window size scaling factor: -2 (no window scaling used)" size="2" pos="34" show="-2" value="7fff"/>
- <field name="tcp.checksum" showname="Checksum: 0x0000 [validation disabled]" size="2" pos="36" show="0x00000000" value="0000">
- <field name="tcp.checksum_good" showname="Good Checksum: False" size="2" pos="36" show="0" value="0000"/>
- <field name="tcp.checksum_bad" showname="Bad Checksum: False" size="2" pos="36" show="0" value="0000"/>
- </field>
- <field name="tcp.urgent_pointer" showname="Urgent pointer: 0" size="2" pos="38" show="0" value="0000"/>
- <field name="tcp.analysis" showname="SEQ/ACK analysis" size="0" pos="20" show="" value="">
- <field name="tcp.analysis.initial_rtt" showname="iRTT: 0.000073000 seconds" size="0" pos="20" show="0.000073000"/>
- <field name="tcp.analysis.bytes_in_flight" showname="Bytes in flight: 55" size="0" pos="20" show="55"/>
- </field>
- <field name="tcp.pdu.size" showname="PDU Size: 55" size="55" pos="40" show="55" value="30350201016030020103041f41646d696e6973747261746f724053414d42412e4558414d504c452e434f4d800a6c6f6344437061737331"/>
- </proto>
- <proto name="ldap" showname="Lightweight Directory Access Protocol" size="55" pos="40">
- <field name="ldap.LDAPMessage_element" showname="LDAPMessage bindRequest(1) &quot;Administrator@SAMBA.EXAMPLE.COM&quot; simple" size="55" pos="40" show="" value="">
- <field name="ldap.messageID" showname="messageID: 1" size="1" pos="44" show="1" value="01"/>
- <field name="ldap.protocolOp" showname="protocolOp: bindRequest (0)" size="50" pos="45" show="0" value="6030020103041f41646d696e6973747261746f724053414d42412e4558414d504c452e434f4d800a6c6f6344437061737331">
- <field name="ldap.bindRequest_element" showname="bindRequest" size="48" pos="47" show="" value="">
- <field name="ldap.version" showname="version: 3" size="1" pos="49" show="3" value="03"/>
- <field name="ldap.name" showname="name: Administrator@SAMBA.EXAMPLE.COM" size="31" pos="52" show="Administrator@SAMBA.EXAMPLE.COM" value="41646d696e6973747261746f724053414d42412e4558414d504c452e434f4d"/>
- <field name="ldap.authentication" showname="authentication: simple (0)" size="10" pos="85" show="0" value="6c6f6344437061737331">
- <field name="ldap.simple" showname="simple: 6c6f6344437061737331" size="10" pos="85" show="6c:6f:63:44:43:70:61:73:73:31" value="6c6f6344437061737331"/>
- </field>
- </field>
- </field>
- </field>
- </proto>
-</packet>
-
-
-</pdml>
diff --git a/script/tests/test_traffic_summary.sh b/script/tests/test_traffic_summary.sh
deleted file mode 100755
index 2dc7bed51fe..00000000000
--- a/script/tests/test_traffic_summary.sh
+++ /dev/null
@@ -1,47 +0,0 @@
-#!/bin/sh
-
-if [ $# -lt 1 ]; then
-cat <<EOF
-Usage: test_traffic_summary.sh
-EOF
-exit 1;
-fi
-
-PREFIX="$1"
-shift 1
-ARGS=$@
-
-. `dirname $0`/../../testprogs/blackbox/subunit.sh
-
-script_dir=`dirname $0`/..
-input="$script_dir/testdata/traffic_summary.pdml"
-expected="$script_dir/testdata/traffic_summary.expected"
-output="$(mktemp $TMPDIR/traffic_summary.XXXXXXXXXXX)"
-ts="$script_dir/traffic_summary.pl"
-
-traffic_summary() {
-
- $ts $input >$output
- if [ "$?" != "0" ]; then
- return 1
- fi
-
- diff $output $expected
- if [ "$?" != "0" ]; then
- return 1
- fi
-}
-
-# Check the required perl modules for traffic_summary
-# skip the tests if they are not installed
-perl -MXML::Twig -e 1
-if [ "$?" != "0" ]; then
- subunit_start_test "traffic_summary"
- subunit_skip_test "traffic_summary" <<EOF
-perl module XML::Twig not installed
-EOF
-else
- testit "traffic_summary" traffic_summary
-fi
-
-exit $failed