Wireshark mailing list archives

Re: A way to see how many different files are accessed using SMB/CIFS


From: Martin Visser <martinvisser99 () gmail com>
Date: Sun, 12 Dec 2010 14:33:28 +1100

Hime,

You can certainly do this, but you may need to be a little more specific on
what you mean by "access". As you can see from the snippet below, there are
different stages that may or may not be important. (I just filtered on "smb"
after connecting to my fileserver).

No.     Time        Source                Destination           Protocol Info
   4984 59.832941   192.168.0.210         192.168.0.14          SMB      Open AndX Request, FID: 0x453e, Path: \marty\conficker\confick_domains.txt
   4985 59.835820   192.168.0.14          192.168.0.210         SMB      Open AndX Response, FID: 0x453e
   4987 59.836968   192.168.0.210         192.168.0.14          SMB      Trans2 Request, QUERY_PATH_INFO, Query File All Info, Path: \marty\conficker\confick_domains.txt
   4988 59.839303   192.168.0.14          192.168.0.210         SMB      Trans2 Response, QUERY_PATH_INFO
   4989 59.840647   192.168.0.210         192.168.0.14          SMB      Read AndX Request, FID: 0x453e, 16384 bytes at offset 0
   5006 59.868510   192.168.0.14          192.168.0.210         SMB      Read AndX Response, FID: 0x453e, 16384 bytes


The first two frames show the open request/response sequence. In my case I
had permission to access the file; however, if I was denied access (and hence
obtained a different response), in your case do you count this or not?

The next two frames show the client getting the basic attributes of the
file, but not reading the contents. Again, is this an "access"?

Finally, the last two frames show a read request of the contents. In some
cases I may only be partially reading a file, so what constitutes an
"access"?

The data is all available for your interpretation.

You can use appropriate filters in Statistics:IO Graphs to get something
useful. For instance, maybe you should just count successful file open
responses.
To do this you enter "(smb.cmd == 0x2d) && (smb.nt_status == 0x00000000)"
in the Filter field. You would then display, at the appropriate sample
interval, the number of Packets/Tick. (This assumes one response per packet.)
Of course this shows all of the Open responses - even if they are used for
enumerating directories to display file information in a window. You may
need to investigate Read or Write Responses (the issue there, though, is there
will usually be many responses for each file). So in this case you would need
to do a little extra processing, possibly associating file paths with File IDs,
and then making a decision on the Reads/Writes as to what you are interested
in.

Hopefully this will give you an idea of where to further explore your
request.



Regards, Martin

MartinVisser99 () gmail com

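The extra processing Martin sketches (count only successful Open AndX responses, then tie Read requests back to file paths through their FIDs so you can say how many distinct files are touched per second), as an added Python example that is not from this thread and not Wireshark's own code. It assumes tab-separated tshark field output in the layout given in its docstring (the tshark command and field list are an assumption, not something from the thread); the sample lines are constructed, with only the addresses and the first path echoing Martin's listing.

```python
"""Count distinct files touched per second in SMB1 traffic.

Added example, not code from the mailing-list thread or from Wireshark.
It reads the tab-separated output of an assumed tshark invocation like:

    tshark -r capture.pcap -Y smb -T fields -E separator=/t \
        -e frame.time_relative -e ip.src -e ip.dst -e smb.cmd \
        -e smb.flags.response -e smb.nt_status -e smb.mid -e smb.fid -e smb.file

Open AndX (0x2d) requests carry the path and the matching response carries
the FID; Read AndX (0x2e) requests carry only the FID. Binding FID to path
at open time lets a read be attributed to a file; dropping the binding on
Close (0x04) handles FID reuse by the server.
"""
from collections import defaultdict

SMB_COM_CLOSE = 0x04
SMB_COM_OPEN_ANDX = 0x2d
SMB_COM_READ_ANDX = 0x2e
STATUS_SUCCESS = 0x00000000


def _num(s):
    """tshark prints numeric fields in their display base ('0x2d' or '45');
    int(s, 0) accepts both. An empty string means the field was absent."""
    return int(s, 0) if s else None


def distinct_files_per_second(lines):
    """Return {'per_second': {sec: [paths]}, 'denied_opens': [(sec, path)]}.

    A file counts as accessed in a second if it was successfully opened or
    read during that second. Denied opens are listed separately so the
    caller can decide whether they count as an "access".
    """
    pending = {}      # (client, server, mid) -> path of an open awaiting its response
    fid_path = {}     # (client, server, fid) -> path bound by a successful open
    per_second = defaultdict(set)
    denied = []

    for line in lines:
        if not line.strip():
            continue
        t, src, dst, cmd, is_resp, status, mid, fid, path = line.rstrip("\n").split("\t")
        sec = int(float(t))
        cmd, fid, status = _num(cmd), _num(fid), _num(status)
        is_resp = is_resp == "1"

        if cmd == SMB_COM_OPEN_ANDX and not is_resp:
            pending[(src, dst, mid)] = path
        elif cmd == SMB_COM_OPEN_ANDX and is_resp:
            # Responses flow server -> client, so the client is dst here.
            opened = pending.pop((dst, src, mid), None)
            if opened is None:
                continue
            if status == STATUS_SUCCESS and fid is not None:
                fid_path[(dst, src, fid)] = opened
                per_second[sec].add(opened)
            else:
                denied.append((sec, opened))
        elif cmd == SMB_COM_READ_ANDX and not is_resp:
            opened = fid_path.get((src, dst, fid))
            if opened is not None:
                per_second[sec].add(opened)
        elif cmd == SMB_COM_CLOSE and not is_resp:
            fid_path.pop((src, dst, fid), None)

    return {
        "per_second": {s: sorted(v) for s, v in sorted(per_second.items())},
        "denied_opens": denied,
    }


# Constructed sample in the field layout above: the addresses and the first
# path echo the thread's listing, everything else is made up for the example.
CLIENT, SERVER = "192.168.0.210", "192.168.0.14"
PATH_A = r"\marty\conficker\confick_domains.txt"
PATH_B = r"\marty\private\budget.xls"
PATH_C = r"\marty\notes\todo.txt"
SAMPLE_LINES = ["\t".join(f) for f in [
    ("59.832941", CLIENT, SERVER, "0x2d", "0", "0x00000000", "0x0001", "",       PATH_A),
    ("59.835820", SERVER, CLIENT, "0x2d", "1", "0x00000000", "0x0001", "0x453e", PATH_A),
    ("59.840647", CLIENT, SERVER, "0x2e", "0", "0x00000000", "0x0002", "0x453e", ""),
    ("59.868510", SERVER, CLIENT, "0x2e", "1", "0x00000000", "0x0002", "0x453e", ""),
    ("60.104000", CLIENT, SERVER, "0x2d", "0", "0x00000000", "0x0003", "",       PATH_B),
    ("60.110000", SERVER, CLIENT, "0x2d", "1", "0xc0000022", "0x0003", "",       PATH_B),  # ACCESS_DENIED
    ("60.500000", CLIENT, SERVER, "0x2e", "0", "0x00000000", "0x0004", "0x453e", ""),
    ("61.000000", CLIENT, SERVER, "0x04", "0", "0x00000000", "0x0005", "0x453e", ""),      # Close
    ("61.200000", CLIENT, SERVER, "0x2d", "0", "0x00000000", "0x0006", "",       PATH_C),
    ("61.210000", SERVER, CLIENT, "0x2d", "1", "0x00000000", "0x0006", "0x453e", PATH_C),  # FID reused
    ("61.300000", CLIENT, SERVER, "0x2e", "0", "0x00000000", "0x0007", "0x453e", ""),
]]


def analyze_sample():
    return distinct_files_per_second(SAMPLE_LINES)


if __name__ == "__main__":
    result = analyze_sample()
    for sec, paths in result["per_second"].items():
        print(f"{sec:>4}s  {len(paths)} distinct file(s): {paths}")
    print("denied opens:", result["denied_opens"])
```

The Close handling matters on a busy file server: FIDs are small and get reused, so a read after a close must not be attributed to the previously opened path. Whether a denied open or an attribute-only Trans2 query counts as an "access" is the policy question Martin raises, which is why the script keeps denied opens out of the per-second set and reports them on their own.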

On Sat, Dec 11, 2010 at 2:00 AM, Hime Marko <marcos75 () yahoo com> wrote:

Hi.

I have a 30m capture from a NetApp CIFS server.
I'm looking for a way to know how many different files are accessed each
second on one of the CIFS shares on this server.


Has someone done it / does someone know how to do it?

Thanks !!!



___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe
