Wireshark-users: Re: [Wireshark-users] A way to see how many different files are accessed using SMB
Hime,
You can certainly do this, but you may need to be a little more specific on what you mean by "access". As you can see from the snippet below, there are different stages that may or may not be important. (I just filtered on "smb" after connecting to my fileserver).
No. Time Source Destination Protocol Info
4984 59.832941 192.168.0.210 192.168.0.14 SMB Open AndX Request, FID: 0x453e, Path: \marty\conficker\confick_domains.txt
4985 59.835820 192.168.0.14 192.168.0.210 SMB Open AndX Response, FID: 0x453e
4987 59.836968 192.168.0.210 192.168.0.14 SMB Trans2 Request, QUERY_PATH_INFO, Query File All Info, Path: \marty\conficker\confick_domains.txt
4988 59.839303 192.168.0.14 192.168.0.210 SMB Trans2 Response, QUERY_PATH_INFO
4989 59.840647 192.168.0.210 192.168.0.14 SMB Read AndX Request, FID: 0x453e, 16384 bytes at offset 0
5006 59.868510 192.168.0.14 192.168.0.210 SMB Read AndX Response, FID: 0x453e, 16384 bytes
The first two frames show the open request/response sequence. In my case I had permission to access the file; however, if I was denied access (and hence obtained a different response), in your case do you count this or not?
The next two frames show the client getting the basic attributes of the file, but not reading the contents. Again, is this an "access"?
Finally, the last two frames show a read request of the contents. In some cases I may only be partially reading a file, so what constitutes an "access"?
The data is all available for your interpretation.
You can use appropriate filters in Statistics:IO Graphs to get something useful. For instance, maybe you should just count successful file open responses.
To do this you enter "(smb.cmd == 0x2d ) && (smb.nt_status == 0x00000000)" in the Filter field. You would then display at the appropriate sample interval the number of Packets/Tick. (This assumes one response per packet).
Of course this shows all of the Open responses - even if they are used for enumerating directories to display file information in a window. You may need to investigate Read or Write Responses (the issue there, though, is that there will usually be many responses for each file). So in this case you would need to do a little extra processing, possibly associating file paths with File IDs, and then making a decision on the Read/Writes as to what you are interested in.
Hopefully this will give you an idea of where to further explore your request.
Regards, Martin
MartinVisser99@xxxxxxxxx
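As an added example (not part of Martin's reply), the "extra processing" he describes can be done offline on the packet-list summary lines, in the format shown above, saved as text. The script correlates each Open AndX Response with its request (assumed to be answered in FIFO order per client/server pair, since the summary line does not show the multiplex ID), remembers the FID-to-path mapping for successful opens, and then attributes Read AndX Responses to a path. The sample lines are constructed; the denied-open line is assumed to carry an "Error: ..." suffix as Wireshark's summary does for SMB error responses.

```python
import re
from collections import defaultdict

# Constructed sample in the Wireshark packet-list summary format (not a real capture).
SAMPLE = """\
4984 59.832941 192.168.0.210 192.168.0.14 SMB Open AndX Request, FID: 0x453e, Path: \\marty\\conficker\\confick_domains.txt
4985 59.835820 192.168.0.14 192.168.0.210 SMB Open AndX Response, FID: 0x453e
4987 59.836968 192.168.0.210 192.168.0.14 SMB Trans2 Request, QUERY_PATH_INFO, Query File All Info, Path: \\marty\\conficker\\confick_domains.txt
4989 59.840647 192.168.0.210 192.168.0.14 SMB Read AndX Request, FID: 0x453e, 16384 bytes at offset 0
5006 59.868510 192.168.0.14 192.168.0.210 SMB Read AndX Response, FID: 0x453e, 16384 bytes
5010 60.100000 192.168.0.210 192.168.0.14 SMB Open AndX Request, Path: \\marty\\secret\\payroll.xls
5011 60.101000 192.168.0.14 192.168.0.210 SMB Open AndX Response, Error: STATUS_ACCESS_DENIED
5020 60.200000 192.168.0.210 192.168.0.14 SMB Open AndX Request, FID: 0x4541, Path: \\marty\\notes.txt
5021 60.201000 192.168.0.14 192.168.0.210 SMB Open AndX Response, FID: 0x4541
"""

LINE = re.compile(r'^(\d+)\s+([\d.]+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+SMB\s+(?P<info>.*)$')
FID = re.compile(r'FID: (0x[0-9a-fA-F]+)')
PATH = re.compile(r'Path: (\S+)')
ERROR = re.compile(r'Error: (\S+)')

def summarise(lines):
    """Return per-path counts of successful opens, denied opens and read responses."""
    pending = defaultdict(list)  # (client, server) -> paths of Open requests awaiting a response
    fid_path = {}                # (client, server, fid) -> path, learned from successful opens
    opened, denied, read = defaultdict(int), defaultdict(int), defaultdict(int)
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # header or non-SMB line
        src, dst, info = m['src'], m['dst'], m['info']
        if info.startswith('Open AndX Request'):
            pending[(src, dst)].append(PATH.search(info).group(1))
        elif info.startswith('Open AndX Response'):
            key = (dst, src)  # response flows server -> client, so swap to the client/server key
            if not pending[key]:
                continue  # response without a seen request (capture started mid-session)
            path = pending[key].pop(0)
            if ERROR.search(info):
                denied[path] += 1  # equivalent of smb.cmd == 0x2d with a non-zero smb.nt_status
            else:
                fid_path[(dst, src, FID.search(info).group(1))] = path
                opened[path] += 1  # equivalent of the (smb.cmd == 0x2d) && (smb.nt_status == 0) filter
        elif info.startswith('Read AndX Response'):
            fid = FID.search(info)
            path = fid_path.get((dst, src, fid.group(1))) if fid else None
            if path:
                read[path] += 1
    return {'opened': dict(opened), 'denied': dict(denied), 'read': dict(read)}

if __name__ == '__main__':
    result = summarise(SAMPLE.splitlines())
    print(len(result['opened']), 'distinct files opened successfully:', result)
```

`len(result['opened'])` answers the original question of how many distinct files were opened; the `read` map is the stricter "contents actually read" count.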