s4:selftest: reformat smb2_s3only list
1 <?xml version="1.0"?>
2 <?xml-stylesheet type="text/xsl" href="pdml2html.xsl"?>
3 <!-- You can find pdml2html.xsl in /usr/share/wireshark or at https://code.wireshark.org/review/gitweb?p=wireshark.git;a=blob_plain;f=pdml2html.xsl. -->
4 <!-- Examples in this file are taken from a packet capture of make test -->
5 <!-- Where values were too large and of no interest, they were replaced with "...elided...". -->
6 <pdml version="0" creator="wireshark/2.0.2" time="Wed Feb 15 14:51:04 2017" capture_file="sample.pcap">
8 <packet>
9 <proto name="geninfo" pos="0" showname="General information" size="78">
10 <field name="num" pos="0" show="1" showname="Number" value="1" size="78"/>
11 <field name="len" pos="0" show="78" showname="Frame Length" value="4e" size="78"/>
12 <field name="caplen" pos="0" show="78" showname="Captured Length" value="4e" size="78"/>
13 <field name="timestamp" pos="0" show="Feb 10, 2017 14:36:16.530451000 NZDT" showname="Captured Time" value="1486690576.530451000" size="78"/>
14 </proto>
15 <proto name="frame" showname="Frame 1: 78 bytes on wire (624 bits), 78 bytes captured (624 bits)" size="78" pos="0">
16 <field name="frame.encap_type" showname="Encapsulation type: Raw IP (7)" size="0" pos="0" show="7"/>
17 <field name="frame.time" showname="Arrival Time: Feb 10, 2017 14:36:16.530451000 NZDT" size="0" pos="0" show="Feb 10, 2017 14:36:16.530451000 NZDT"/>
18 <field name="frame.offset_shift" showname="Time shift for this packet: 0.000000000 seconds" size="0" pos="0" show="0.000000000"/>
19 <field name="frame.time_epoch" showname="Epoch Time: 1486690576.530451000 seconds" size="0" pos="0" show="1486690576.530451000"/>
20 <field name="frame.time_delta" showname="Time delta from previous captured frame: 0.000000000 seconds" size="0" pos="0" show="0.000000000"/>
21 <field name="frame.time_delta_displayed" showname="Time delta from previous displayed frame: 0.000000000 seconds" size="0" pos="0" show="0.000000000"/>
22 <field name="frame.time_relative" showname="Time since reference or first frame: 0.000000000 seconds" size="0" pos="0" show="0.000000000"/>
23 <field name="frame.number" showname="Frame Number: 1" size="0" pos="0" show="1"/>
24 <field name="frame.len" showname="Frame Length: 78 bytes (624 bits)" size="0" pos="0" show="78"/>
25 <field name="frame.cap_len" showname="Capture Length: 78 bytes (624 bits)" size="0" pos="0" show="78"/>
26 <field name="frame.marked" showname="Frame is marked: False" size="0" pos="0" show="0"/>
27 <field name="frame.ignored" showname="Frame is ignored: False" size="0" pos="0" show="0"/>
28 <field name="frame.protocols" showname="Protocols in frame: raw:ip:udp:nbns" size="0" pos="0" show="raw:ip:udp:nbns"/>
29 </proto>
30 <proto name="raw" showname="Raw packet data" size="78" pos="0"/>
31 <proto name="ip" showname="Internet Protocol Version 4, Src: 127.0.0.1, Dst: 127.255.255.255" size="20" pos="0">
32 <field name="ip.version" showname="0100 .... = Version: 4" size="1" pos="0" show="4" value="4" unmaskedvalue="45"/>
33 <field name="ip.hdr_len" showname=".... 0101 = Header Length: 20 bytes" size="1" pos="0" show="5" value="5" unmaskedvalue="45"/>
34 <field name="ip.dsfield" showname="Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)" size="1" pos="1" show="0x00000000" value="00">
35 <field name="ip.dsfield.dscp" showname="0000 00.. = Differentiated Services Codepoint: Default (0)" size="1" pos="1" show="0" value="0" unmaskedvalue="00"/>
36 <field name="ip.dsfield.ecn" showname=".... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)" size="1" pos="1" show="0" value="0" unmaskedvalue="00"/>
37 </field>
38 <field name="ip.len" showname="Total Length: 78" size="2" pos="2" show="78" value="004e"/>
39 <field name="ip.id" showname="Identification: 0xffff (65535)" size="2" pos="4" show="0x0000ffff" value="ffff"/>
40 <field name="ip.flags" showname="Flags: 0x02 (Don&#x27;t Fragment)" size="1" pos="6" show="0x00000002" value="40">
41 <field name="ip.flags.rb" showname="0... .... = Reserved bit: Not set" size="1" pos="6" show="0" value="40"/>
42 <field name="ip.flags.df" showname=".1.. .... = Don&#x27;t fragment: Set" size="1" pos="6" show="1" value="40"/>
43 <field name="ip.flags.mf" showname="..0. .... = More fragments: Not set" size="1" pos="6" show="0" value="40"/>
44 </field>
45 <field name="ip.frag_offset" showname="Fragment offset: 0" size="2" pos="6" show="0" value="4000"/>
46 <field name="ip.ttl" showname="Time to live: 255" size="1" pos="8" show="255" value="ff"/>
47 <field name="ip.proto" showname="Protocol: UDP (17)" size="1" pos="9" show="17" value="11"/>
48 <field name="ip.checksum" showname="Header checksum: 0x0000 [validation disabled]" size="2" pos="10" show="0x00000000" value="0000">
49 <field name="ip.checksum_good" showname="Good: False" size="2" pos="10" show="0" value="0000"/>
50 <field name="ip.checksum_bad" showname="Bad: False" size="2" pos="10" show="0" value="0000"/>
51 </field>
52 <field name="ip.src" showname="Source: 127.0.0.1" size="4" pos="12" show="127.0.0.1" value="7f000001"/>
53 <field name="ip.addr" showname="Source or Destination Address: 127.0.0.1" hide="yes" size="4" pos="12" show="127.0.0.1" value="7f000001"/>
54 <field name="ip.src_host" showname="Source Host: 127.0.0.1" hide="yes" size="4" pos="12" show="127.0.0.1" value="7f000001"/>
55 <field name="ip.host" showname="Source or Destination Host: 127.0.0.1" hide="yes" size="4" pos="12" show="127.0.0.1" value="7f000001"/>
56 <field name="ip.dst" showname="Destination: 127.255.255.255" size="4" pos="16" show="127.255.255.255" value="7fffffff"/>
57 <field name="ip.addr" showname="Source or Destination Address: 127.255.255.255" hide="yes" size="4" pos="16" show="127.255.255.255" value="7fffffff"/>
58 <field name="ip.dst_host" showname="Destination Host: 127.255.255.255" hide="yes" size="4" pos="16" show="127.255.255.255" value="7fffffff"/>
59 <field name="ip.host" showname="Source or Destination Host: 127.255.255.255" hide="yes" size="4" pos="16" show="127.255.255.255" value="7fffffff"/>
60 <field name="" show="Source GeoIP: Unknown" size="4" pos="12" value="7f000001"/>
61 <field name="" show="Destination GeoIP: Unknown" size="4" pos="16" value="7fffffff"/>
62 </proto>
63 <proto name="udp" showname="User Datagram Protocol, Src Port: 14705 (14705), Dst Port: 137 (137)" size="8" pos="20">
64 <field name="udp.srcport" showname="Source Port: 14705" size="2" pos="20" show="14705" value="3971"/>
65 <field name="udp.dstport" showname="Destination Port: 137" size="2" pos="22" show="137" value="0089"/>
66 <field name="udp.port" showname="Source or Destination Port: 14705" hide="yes" size="2" pos="20" show="14705" value="3971"/>
67 <field name="udp.port" showname="Source or Destination Port: 137" hide="yes" size="2" pos="22" show="137" value="0089"/>
68 <field name="udp.length" showname="Length: 58" size="2" pos="24" show="58" value="003a"/>
69 <field name="udp.checksum" showname="Checksum: 0x0000 (none)" size="2" pos="26" show="0x00000000" value="0000">
70 <field name="udp.checksum_good" showname="Good Checksum: False" size="2" pos="26" show="0" value="0000"/>
71 <field name="udp.checksum_bad" showname="Bad Checksum: False" size="2" pos="26" show="0" value="0000"/>
72 </field>
73 <field name="udp.stream" showname="Stream index: 0" size="0" pos="28" show="0"/>
74 </proto>
75 <proto name="nbns" showname="NetBIOS Name Service" size="50" pos="28">
76 <field name="nbns.id" showname="Transaction ID: 0x29d6" size="2" pos="28" show="0x000029d6" value="29d6"/>
77 <field name="nbns.flags" showname="Flags: 0x0010, Opcode: Name query, Broadcast" size="2" pos="30" show="0x00000010" value="0010">
78 <field name="nbns.flags.response" showname="0... .... .... .... = Response: Message is a query" size="2" pos="30" show="0" value="0" unmaskedvalue="0010"/>
79 <field name="nbns.flags.opcode" showname=".000 0... .... .... = Opcode: Name query (0)" size="2" pos="30" show="0" value="0" unmaskedvalue="0010"/>
80 <field name="nbns.flags.truncated" showname=".... ..0. .... .... = Truncated: Message is not truncated" size="2" pos="30" show="0" value="0" unmaskedvalue="0010"/>
81 <field name="nbns.flags.recdesired" showname=".... ...0 .... .... = Recursion desired: Don&#x27;t do query recursively" size="2" pos="30" show="0" value="0" unmaskedvalue="0010"/>
82 <field name="nbns.flags.broadcast" showname=".... .... ...1 .... = Broadcast: Broadcast packet" size="2" pos="30" show="1" value="FFFFFFFF" unmaskedvalue="0010"/>
83 </field>
84 <field name="nbns.count.queries" showname="Questions: 1" size="2" pos="32" show="1" value="0001"/>
85 <field name="nbns.count.answers" showname="Answer RRs: 0" size="2" pos="34" show="0" value="0000"/>
86 <field name="nbns.count.auth_rr" showname="Authority RRs: 0" size="2" pos="36" show="0" value="0000"/>
87 <field name="nbns.count.add_rr" showname="Additional RRs: 0" size="2" pos="38" show="0" value="0000"/>
88 <field name="" show="Queries" size="38" pos="40" value="20454d455045444542454d454545444341434143414341434143414341434141410000200001">
89 <field name="" show="LOCALDC&lt;00&gt;: type NB, class IN" size="38" pos="40" value="20454d455045444542454d454545444341434143414341434143414341434141410000200001">
90 <field name="nbns.name" showname="Name: LOCALDC&lt;00&gt; (Workstation/Redirector)" size="34" pos="40" show="LOCALDC&lt;00&gt;" value="20454d455045444542454d4545454443414341434143414341434143414341414100"/>
91 <field name="nbns.type" showname="Type: NB (32)" size="2" pos="74" show="32" value="0020"/>
92 <field name="nbns.class" showname="Class: IN (1)" size="2" pos="76" show="1" value="0001"/>
93 </field>
94 </field>
95 </proto>
96 </packet>
98 <packet>
99 <proto name="geninfo" pos="0" showname="General information" size="296">
100 <field name="num" pos="0" show="47" showname="Number" value="2f" size="296"/>
101 <field name="len" pos="0" show="296" showname="Frame Length" value="128" size="296"/>
102 <field name="caplen" pos="0" show="296" showname="Captured Length" value="128" size="296"/>
103 <field name="timestamp" pos="0" show="Feb 10, 2017 14:36:18.137335000 NZDT" showname="Captured Time" value="1486690578.137335000" size="296"/>
104 </proto>
105 <proto name="frame" showname="Frame 47: 296 bytes on wire (2368 bits), 296 bytes captured (2368 bits)" size="296" pos="0">
106 <field name="frame.encap_type" showname="Encapsulation type: Raw IP (7)" size="0" pos="0" show="7"/>
107 <field name="frame.time" showname="Arrival Time: Feb 10, 2017 14:36:18.137335000 NZDT" size="0" pos="0" show="Feb 10, 2017 14:36:18.137335000 NZDT"/>
108 <field name="frame.offset_shift" showname="Time shift for this packet: 0.000000000 seconds" size="0" pos="0" show="0.000000000"/>
109 <field name="frame.time_epoch" showname="Epoch Time: 1486690578.137335000 seconds" size="0" pos="0" show="1486690578.137335000"/>
110 <field name="frame.time_delta" showname="Time delta from previous captured frame: 0.000016000 seconds" size="0" pos="0" show="0.000016000"/>
111 <field name="frame.time_delta_displayed" showname="Time delta from previous displayed frame: 0.000016000 seconds" size="0" pos="0" show="0.000016000"/>
112 <field name="frame.time_relative" showname="Time since reference or first frame: 1.606884000 seconds" size="0" pos="0" show="1.606884000"/>
113 <field name="frame.number" showname="Frame Number: 47" size="0" pos="0" show="47"/>
114 <field name="frame.len" showname="Frame Length: 296 bytes (2368 bits)" size="0" pos="0" show="296"/>
115 <field name="frame.cap_len" showname="Capture Length: 296 bytes (2368 bits)" size="0" pos="0" show="296"/>
116 <field name="frame.marked" showname="Frame is marked: False" size="0" pos="0" show="0"/>
117 <field name="frame.ignored" showname="Frame is ignored: False" size="0" pos="0" show="0"/>
118 <field name="frame.protocols" showname="Protocols in frame: raw:ip:tcp:kerberos" size="0" pos="0" show="raw:ip:tcp:kerberos"/>
119 </proto>
120 <proto name="raw" showname="Raw packet data" size="296" pos="0"/>
121 <proto name="ip" showname="Internet Protocol Version 4, Src: 127.0.0.21, Dst: 127.0.0.21" size="20" pos="0">
122 <field name="ip.version" showname="0100 .... = Version: 4" size="1" pos="0" show="4" value="4" unmaskedvalue="45"/>
123 <field name="ip.hdr_len" showname=".... 0101 = Header Length: 20 bytes" size="1" pos="0" show="5" value="5" unmaskedvalue="45"/>
124 <field name="ip.dsfield" showname="Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)" size="1" pos="1" show="0x00000000" value="00">
125 <field name="ip.dsfield.dscp" showname="0000 00.. = Differentiated Services Codepoint: Default (0)" size="1" pos="1" show="0" value="0" unmaskedvalue="00"/>
126 <field name="ip.dsfield.ecn" showname=".... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)" size="1" pos="1" show="0" value="0" unmaskedvalue="00"/>
127 </field>
128 <field name="ip.len" showname="Total Length: 296" size="2" pos="2" show="296" value="0128"/>
129 <field name="ip.id" showname="Identification: 0xffff (65535)" size="2" pos="4" show="0x0000ffff" value="ffff"/>
130 <field name="ip.flags" showname="Flags: 0x02 (Don&#x27;t Fragment)" size="1" pos="6" show="0x00000002" value="40">
131 <field name="ip.flags.rb" showname="0... .... = Reserved bit: Not set" size="1" pos="6" show="0" value="40"/>
132 <field name="ip.flags.df" showname=".1.. .... = Don&#x27;t fragment: Set" size="1" pos="6" show="1" value="40"/>
133 <field name="ip.flags.mf" showname="..0. .... = More fragments: Not set" size="1" pos="6" show="0" value="40"/>
134 </field>
135 <field name="ip.frag_offset" showname="Fragment offset: 0" size="2" pos="6" show="0" value="4000"/>
136 <field name="ip.ttl" showname="Time to live: 255" size="1" pos="8" show="255" value="ff"/>
137 <field name="ip.proto" showname="Protocol: TCP (6)" size="1" pos="9" show="6" value="06"/>
138 <field name="ip.checksum" showname="Header checksum: 0x0000 [validation disabled]" size="2" pos="10" show="0x00000000" value="0000">
139 <field name="ip.checksum_good" showname="Good: False" size="2" pos="10" show="0" value="0000"/>
140 <field name="ip.checksum_bad" showname="Bad: False" size="2" pos="10" show="0" value="0000"/>
141 </field>
142 <field name="ip.src" showname="Source: 127.0.0.21" size="4" pos="12" show="127.0.0.21" value="7f000015"/>
143 <field name="ip.addr" showname="Source or Destination Address: 127.0.0.21" hide="yes" size="4" pos="12" show="127.0.0.21" value="7f000015"/>
144 <field name="ip.src_host" showname="Source Host: 127.0.0.21" hide="yes" size="4" pos="12" show="127.0.0.21" value="7f000015"/>
145 <field name="ip.host" showname="Source or Destination Host: 127.0.0.21" hide="yes" size="4" pos="12" show="127.0.0.21" value="7f000015"/>
146 <field name="ip.dst" showname="Destination: 127.0.0.21" size="4" pos="16" show="127.0.0.21" value="7f000015"/>
147 <field name="ip.addr" showname="Source or Destination Address: 127.0.0.21" hide="yes" size="4" pos="16" show="127.0.0.21" value="7f000015"/>
148 <field name="ip.dst_host" showname="Destination Host: 127.0.0.21" hide="yes" size="4" pos="16" show="127.0.0.21" value="7f000015"/>
149 <field name="ip.host" showname="Source or Destination Host: 127.0.0.21" hide="yes" size="4" pos="16" show="127.0.0.21" value="7f000015"/>
150 <field name="" show="Source GeoIP: Unknown" size="4" pos="12" value="7f000015"/>
151 <field name="" show="Destination GeoIP: Unknown" size="4" pos="16" value="7f000015"/>
152 </proto>
153 <proto name="tcp" showname="Transmission Control Protocol, Src Port: 14723 (14723), Dst Port: 88 (88), Seq: 1, Ack: 1, Len: 256" size="20" pos="20">
154 <field name="tcp.srcport" showname="Source Port: 14723" size="2" pos="20" show="14723" value="3983"/>
155 <field name="tcp.dstport" showname="Destination Port: 88" size="2" pos="22" show="88" value="0058"/>
156 <field name="tcp.port" showname="Source or Destination Port: 14723" hide="yes" size="2" pos="20" show="14723" value="3983"/>
157 <field name="tcp.port" showname="Source or Destination Port: 88" hide="yes" size="2" pos="22" show="88" value="0058"/>
158 <field name="tcp.stream" showname="Stream index: 0" size="0" pos="20" show="0"/>
159 <field name="tcp.len" showname="TCP Segment Len: 256" size="1" pos="32" show="256" value="50"/>
160 <field name="tcp.seq" showname="Sequence number: 1 (relative sequence number)" size="4" pos="24" show="1" value="00000001"/>
161 <field name="tcp.nxtseq" showname="Next sequence number: 257 (relative sequence number)" size="0" pos="20" show="257"/>
162 <field name="tcp.ack" showname="Acknowledgment number: 1 (relative ack number)" size="4" pos="28" show="1" value="00000001"/>
163 <field name="tcp.hdr_len" showname="Header Length: 20 bytes" size="1" pos="32" show="20" value="50"/>
164 <field name="tcp.flags" showname="Flags: 0x018 (PSH, ACK)" size="2" pos="32" show="0x00000018" value="18" unmaskedvalue="5018">
165 <field name="tcp.flags.res" showname="000. .... .... = Reserved: Not set" size="1" pos="32" show="0" value="0" unmaskedvalue="50"/>
166 <field name="tcp.flags.ns" showname="...0 .... .... = Nonce: Not set" size="1" pos="32" show="0" value="0" unmaskedvalue="50"/>
167 <field name="tcp.flags.cwr" showname=".... 0... .... = Congestion Window Reduced (CWR): Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
168 <field name="tcp.flags.ecn" showname=".... .0.. .... = ECN-Echo: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
169 <field name="tcp.flags.urg" showname=".... ..0. .... = Urgent: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
170 <field name="tcp.flags.ack" showname=".... ...1 .... = Acknowledgment: Set" size="1" pos="33" show="1" value="FFFFFFFF" unmaskedvalue="18"/>
171 <field name="tcp.flags.push" showname=".... .... 1... = Push: Set" size="1" pos="33" show="1" value="FFFFFFFF" unmaskedvalue="18"/>
172 <field name="tcp.flags.reset" showname=".... .... .0.. = Reset: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
173 <field name="tcp.flags.syn" showname=".... .... ..0. = Syn: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
174 <field name="tcp.flags.fin" showname=".... .... ...0 = Fin: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
175 <field name="tcp.flags.str" showname="TCP Flags: *******AP***" size="2" pos="32" show="*******AP***" value="5018"/>
176 </field>
177 <field name="tcp.window_size_value" showname="Window size value: 32767" size="2" pos="34" show="32767" value="7fff"/>
178 <field name="tcp.window_size" showname="Calculated window size: 32767" size="2" pos="34" show="32767" value="7fff"/>
179 <field name="tcp.window_size_scalefactor" showname="Window size scaling factor: -2 (no window scaling used)" size="2" pos="34" show="-2" value="7fff"/>
180 <field name="tcp.checksum" showname="Checksum: 0x0000 [validation disabled]" size="2" pos="36" show="0x00000000" value="0000">
181 <field name="tcp.checksum_good" showname="Good Checksum: False" size="2" pos="36" show="0" value="0000"/>
182 <field name="tcp.checksum_bad" showname="Bad Checksum: False" size="2" pos="36" show="0" value="0000"/>
183 </field>
184 <field name="tcp.urgent_pointer" showname="Urgent pointer: 0" size="2" pos="38" show="0" value="0000"/>
185 <field name="tcp.analysis" showname="SEQ/ACK analysis" size="0" pos="20" show="" value="">
186 <field name="tcp.analysis.initial_rtt" showname="iRTT: 0.000012000 seconds" size="0" pos="20" show="0.000012000"/>
187 <field name="tcp.analysis.bytes_in_flight" showname="Bytes in flight: 256" size="0" pos="20" show="256"/>
188 </field>
189 <field name="tcp.pdu.size" showname="PDU Size: 256" size="256" pos="40" show="256" value="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"/>
190 </proto>
191 <proto name="kerberos" showname="Kerberos" size="256" pos="40">
192 <field name="" show="Record Mark: 252 bytes" size="4" pos="40" value="000000fc">
193 <field name="kerberos.rm.reserved" showname="0... .... .... .... .... .... .... .... = Reserved: Not set" size="4" pos="40" show="0" value="0" unmaskedvalue="000000fc"/>
194 <field name="kerberos.rm.length" showname=".000 0000 0000 0000 0000 0000 1111 1100 = Record Length: 252" size="4" pos="40" show="252" value="FC" unmaskedvalue="000000fc"/>
195 </field>
196 <field name="kerberos.as_req_element" showname="as-req" size="249" pos="47" show="" value="">
197 <field name="kerberos.pvno" showname="pvno: 5" size="1" pos="54" show="5" value="05"/>
198 <field name="kerberos.msg_type" showname="msg-type: krb-as-req (10)" size="1" pos="59" show="10" value="0a"/>
<!-- PA-ENC-TIMESTAMP pre-authentication data carried in the AS-REQ. The nested fields show an etype 18 (AES256-CTS-HMAC-SHA1-96) EncryptedData with its cipher bytes kept in full rather than elided. In Kerberos this blob is a timestamp encrypted with the client principal's long-term key, so a capture that retains it exposes that key to offline guessing. Fixtures of this kind should come only from a throwaway test realm (the comment at the top of this file says the capture is from make test), or have the cipher replaced with the elided marker. -->
199 <field name="kerberos.padata" showname="padata: 1 item" size="78" pos="64" show="1" value="304ca103020102a24504433041a003020112a23a0438cecfe4905d9670c770a992a4645a9c477b639cfafad21ba2e12cc397eb617687733caf785f07d6f23cf87adc9a1fc5cb1b3ca7e6d17cc86f">
200 <field name="kerberos.PA_DATA_element" showname="PA-DATA PA-ENC-TIMESTAMP" size="78" pos="64" show="" value="">
201 <field name="kerberos.padata_type" showname="padata-type: kRB5-PADATA-ENC-TIMESTAMP (2)" size="1" pos="70" show="2" value="02">
202 <field name="kerberos.padata_value" showname="padata-value: 3041a003020112a23a0438cecfe4905d9670c770a992a464..." size="67" pos="75" show="30:41:a0:03:02:01:12:a2:3a:04:38:ce:cf:e4:90:5d:96:70:c7:70:a9:92:a4:64:5a:9c:47:7b:63:9c:fa:fa:d2:1b:a2:e1:2c:c3:97:eb:61:76:87:73:3c:af:78:5f:07:d6:f2:3c:f8:7a:dc:9a:1f:c5:cb:1b:3c:a7:e6:d1:7c:c8:6f" value="3041a003020112a23a0438cecfe4905d9670c770a992a4645a9c477b639cfafad21ba2e12cc397eb617687733caf785f07d6f23cf87adc9a1fc5cb1b3ca7e6d17cc86f">
203 <field name="kerberos.etype" showname="etype: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)" size="1" pos="81" show="18" value="12"/>
204 <field name="kerberos.cipher" showname="cipher: cecfe4905d9670c770a992a4645a9c477b639cfafad21ba2..." size="56" pos="86" show="ce:cf:e4:90:5d:96:70:c7:70:a9:92:a4:64:5a:9c:47:7b:63:9c:fa:fa:d2:1b:a2:e1:2c:c3:97:eb:61:76:87:73:3c:af:78:5f:07:d6:f2:3c:f8:7a:dc:9a:1f:c5:cb:1b:3c:a7:e6:d1:7c:c8:6f" value="cecfe4905d9670c770a992a4645a9c477b639cfafad21ba2e12cc397eb617687733caf785f07d6f23cf87adc9a1fc5cb1b3ca7e6d17cc86f"/>
205 </field>
206 </field>
207 </field>
208 </field>
209 <field name="kerberos.req_body_element" showname="req-body" size="151" pos="145" show="" value="">
210 <field name="ber.bitstring.padding" showname="Padding: 0" size="1" pos="152" show="0" value="00"/>
211 <field name="kerberos.kdc_options" showname="kdc-options: 00000000" size="4" pos="153" show="00:00:00:00" value="00000000">
212 <field name="kerberos.reserved" showname="0... .... = reserved: False" size="1" pos="153" show="0" value="0" unmaskedvalue="00"/>
213 <field name="kerberos.forwardable" showname=".0.. .... = forwardable: False" size="1" pos="153" show="0" value="0" unmaskedvalue="00"/>
214 <field name="kerberos.forwarded" showname="..0. .... = forwarded: False" size="1" pos="153" show="0" value="0" unmaskedvalue="00"/>
215 <field name="kerberos.proxiable" showname="...0 .... = proxiable: False" size="1" pos="153" show="0" value="0" unmaskedvalue="00"/>
216 <field name="kerberos.proxy" showname=".... 0... = proxy: False" size="1" pos="153" show="0" value="0" unmaskedvalue="00"/>
217 <field name="kerberos.allow-postdate" showname=".... .0.. = allow-postdate: False" size="1" pos="153" show="0" value="0" unmaskedvalue="00"/>
218 <field name="kerberos.postdated" showname=".... ..0. = postdated: False" size="1" pos="153" show="0" value="0" unmaskedvalue="00"/>
219 <field name="kerberos.unused7" showname=".... ...0 = unused7: False" size="1" pos="153" show="0" value="0" unmaskedvalue="00"/>
220 <field name="kerberos.renewable" showname="0... .... = renewable: False" size="1" pos="154" show="0" value="0" unmaskedvalue="00"/>
221 <field name="kerberos.unused9" showname=".0.. .... = unused9: False" size="1" pos="154" show="0" value="0" unmaskedvalue="00"/>
222 <field name="kerberos.unused10" showname="..0. .... = unused10: False" size="1" pos="154" show="0" value="0" unmaskedvalue="00"/>
223 <field name="kerberos.opt-hardware-auth" showname="...0 .... = opt-hardware-auth: False" size="1" pos="154" show="0" value="0" unmaskedvalue="00"/>
224 <field name="kerberos.request-anonymous" showname=".... ..0. = request-anonymous: False" size="1" pos="154" show="0" value="0" unmaskedvalue="00"/>
225 <field name="kerberos.canonicalize" showname=".... ...0 = canonicalize: False" size="1" pos="154" show="0" value="0" unmaskedvalue="00"/>
226 <field name="kerberos.constrained-delegation" showname="0... .... = constrained-delegation: False" size="1" pos="155" show="0" value="0" unmaskedvalue="00"/>
227 <field name="kerberos.disable-transited-check" showname="..0. .... = disable-transited-check: False" size="1" pos="156" show="0" value="0" unmaskedvalue="00"/>
228 <field name="kerberos.renewable-ok" showname="...0 .... = renewable-ok: False" size="1" pos="156" show="0" value="0" unmaskedvalue="00"/>
229 <field name="kerberos.enc-tkt-in-skey" showname=".... 0... = enc-tkt-in-skey: False" size="1" pos="156" show="0" value="0" unmaskedvalue="00"/>
230 <field name="kerberos.renew" showname=".... ..0. = renew: False" size="1" pos="156" show="0" value="0" unmaskedvalue="00"/>
231 <field name="kerberos.validate" showname=".... ...0 = validate: False" size="1" pos="156" show="0" value="0" unmaskedvalue="00"/>
232 </field>
233 <field name="kerberos.cname_element" showname="cname" size="21" pos="159" show="" value="">
234 <field name="kerberos.name_type" showname="name-type: kRB5-NT-PRINCIPAL (1)" size="1" pos="165" show="1" value="01"/>
235 <field name="kerberos.name_string" showname="name-string: 1 item" size="10" pos="170" show="1" value="1b084c4f43414c444324">
236 <field name="kerberos.KerberosString" showname="KerberosString: LOCALDC$" size="8" pos="172" show="LOCALDC$" value="4c4f43414c444324"/>
237 </field>
238 </field>
239 <field name="kerberos.realm" showname="realm: SAMBA.EXAMPLE.COM" size="17" pos="184" show="SAMBA.EXAMPLE.COM" value="53414d42412e4558414d504c452e434f4d"/>
240 <field name="kerberos.sname_element" showname="sname" size="38" pos="203" show="" value="">
241 <field name="kerberos.name_type" showname="name-type: kRB5-NT-SRV-INST (2)" size="1" pos="209" show="2" value="02"/>
242 <field name="kerberos.name_string" showname="name-string: 2 items" size="27" pos="214" show="2" value="1b066b72627467741b1153414d42412e4558414d504c452e434f4d">
243 <field name="kerberos.KerberosString" showname="KerberosString: krbtgt" size="6" pos="216" show="krbtgt" value="6b7262746774"/>
244 <field name="kerberos.KerberosString" showname="KerberosString: SAMBA.EXAMPLE.COM" size="17" pos="224" show="SAMBA.EXAMPLE.COM" value="53414d42412e4558414d504c452e434f4d"/>
245 </field>
246 </field>
247 <field name="kerberos.till" showname="till: 2017-02-11 01:36:17 (UTC)" size="15" pos="245" show="2017-02-11 01:36:17 (UTC)" value="32303137303231313031333631375a"/>
248 <field name="kerberos.nonce" showname="nonce: 1050303502" size="4" pos="264" show="1050303502" value="3e9a5c0e"/>
<!-- etype list from the AS-REQ body: the eight encryption types the client offers (RFC 4120 defines this list as being in the client's preference order). Besides the two AES types it still advertises DES3, RC4 (ARCFOUR-HMAC-MD5) and three single-DES types. Whether the KDC would accept any of the legacy types is a server-side policy question that this request alone does not answer. -->
249 <field name="kerberos.etype" showname="etype: 8 items" size="24" pos="272" show="8" value="020112020111020110020105020117020103020102020101">
250 <field name="kerberos.ENCTYPE" showname="ENCTYPE: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)" size="1" pos="274" show="18" value="12"/>
251 <field name="kerberos.ENCTYPE" showname="ENCTYPE: eTYPE-AES128-CTS-HMAC-SHA1-96 (17)" size="1" pos="277" show="17" value="11"/>
252 <field name="kerberos.ENCTYPE" showname="ENCTYPE: eTYPE-DES3-CBC-SHA1 (16)" size="1" pos="280" show="16" value="10"/>
253 <field name="kerberos.ENCTYPE" showname="ENCTYPE: eTYPE-DES3-CBC-MD5 (5)" size="1" pos="283" show="5" value="05"/>
254 <field name="kerberos.ENCTYPE" showname="ENCTYPE: eTYPE-ARCFOUR-HMAC-MD5 (23)" size="1" pos="286" show="23" value="17"/>
255 <field name="kerberos.ENCTYPE" showname="ENCTYPE: eTYPE-DES-CBC-MD5 (3)" size="1" pos="289" show="3" value="03"/>
256 <field name="kerberos.ENCTYPE" showname="ENCTYPE: eTYPE-DES-CBC-MD4 (2)" size="1" pos="292" show="2" value="02"/>
257 <field name="kerberos.ENCTYPE" showname="ENCTYPE: eTYPE-DES-CBC-CRC (1)" size="1" pos="295" show="1" value="01"/>
258 </field>
259 </field>
260 </field>
261 </proto>
262 </packet>
264 <packet>
265 <proto name="geninfo" pos="0" showname="General information" size="1527">
266 <field name="num" pos="0" show="53" showname="Number" value="35" size="1527"/>
267 <field name="len" pos="0" show="1527" showname="Frame Length" value="5f7" size="1527"/>
268 <field name="caplen" pos="0" show="1527" showname="Captured Length" value="5f7" size="1527"/>
269 <field name="timestamp" pos="0" show="Feb 10, 2017 14:36:18.141276000 NZDT" showname="Captured Time" value="1486690578.141276000" size="1527"/>
270 </proto>
271 <proto name="frame" showname="Frame 53: 1527 bytes on wire (12216 bits), 1527 bytes captured (12216 bits)" size="1527" pos="0">
272 <field name="frame.encap_type" showname="Encapsulation type: Raw IP (7)" size="0" pos="0" show="7"/>
273 <field name="frame.time" showname="Arrival Time: Feb 10, 2017 14:36:18.141276000 NZDT" size="0" pos="0" show="Feb 10, 2017 14:36:18.141276000 NZDT"/>
274 <field name="frame.offset_shift" showname="Time shift for this packet: 0.000000000 seconds" size="0" pos="0" show="0.000000000"/>
275 <field name="frame.time_epoch" showname="Epoch Time: 1486690578.141276000 seconds" size="0" pos="0" show="1486690578.141276000"/>
276 <field name="frame.time_delta" showname="Time delta from previous captured frame: 0.003784000 seconds" size="0" pos="0" show="0.003784000"/>
277 <field name="frame.time_delta_displayed" showname="Time delta from previous displayed frame: 0.003784000 seconds" size="0" pos="0" show="0.003784000"/>
278 <field name="frame.time_relative" showname="Time since reference or first frame: 1.610825000 seconds" size="0" pos="0" show="1.610825000"/>
279 <field name="frame.number" showname="Frame Number: 53" size="0" pos="0" show="53"/>
280 <field name="frame.len" showname="Frame Length: 1527 bytes (12216 bits)" size="0" pos="0" show="1527"/>
281 <field name="frame.cap_len" showname="Capture Length: 1527 bytes (12216 bits)" size="0" pos="0" show="1527"/>
282 <field name="frame.marked" showname="Frame is marked: False" size="0" pos="0" show="0"/>
283 <field name="frame.ignored" showname="Frame is ignored: False" size="0" pos="0" show="0"/>
284 <field name="frame.protocols" showname="Protocols in frame: raw:ip:tcp:kerberos" size="0" pos="0" show="raw:ip:tcp:kerberos"/>
285 </proto>
<!-- Raw-IP encapsulation marker (the frame has no link-layer header), followed by the
     IPv4 header. Source and destination are both 127.0.0.21, so this is loopback-range
     traffic; no routable address appears in this header. -->
286 <proto name="raw" showname="Raw packet data" size="1527" pos="0"/>
287 <proto name="ip" showname="Internet Protocol Version 4, Src: 127.0.0.21, Dst: 127.0.0.21" size="20" pos="0">
288 <field name="ip.version" showname="0100 .... = Version: 4" size="1" pos="0" show="4" value="4" unmaskedvalue="45"/>
289 <field name="ip.hdr_len" showname=".... 0101 = Header Length: 20 bytes" size="1" pos="0" show="5" value="5" unmaskedvalue="45"/>
290 <field name="ip.dsfield" showname="Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)" size="1" pos="1" show="0x00000000" value="00">
291 <field name="ip.dsfield.dscp" showname="0000 00.. = Differentiated Services Codepoint: Default (0)" size="1" pos="1" show="0" value="0" unmaskedvalue="00"/>
292 <field name="ip.dsfield.ecn" showname=".... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)" size="1" pos="1" show="0" value="0" unmaskedvalue="00"/>
293 </field>
294 <field name="ip.len" showname="Total Length: 1527" size="2" pos="2" show="1527" value="05f7"/>
295 <field name="ip.id" showname="Identification: 0xffff (65535)" size="2" pos="4" show="0x0000ffff" value="ffff"/>
296 <field name="ip.flags" showname="Flags: 0x02 (Don&#x27;t Fragment)" size="1" pos="6" show="0x00000002" value="40">
297 <field name="ip.flags.rb" showname="0... .... = Reserved bit: Not set" size="1" pos="6" show="0" value="40"/>
298 <field name="ip.flags.df" showname=".1.. .... = Don&#x27;t fragment: Set" size="1" pos="6" show="1" value="40"/>
299 <field name="ip.flags.mf" showname="..0. .... = More fragments: Not set" size="1" pos="6" show="0" value="40"/>
300 </field>
301 <field name="ip.frag_offset" showname="Fragment offset: 0" size="2" pos="6" show="0" value="4000"/>
302 <field name="ip.ttl" showname="Time to live: 255" size="1" pos="8" show="255" value="ff"/>
303 <field name="ip.proto" showname="Protocol: TCP (6)" size="1" pos="9" show="6" value="06"/>
<!-- The checksum bytes are 0x0000 and the dissector reports validation as disabled, so
     both checksum_good and checksum_bad are False. Neither flag says anything about
     whether the header is intact. -->
304 <field name="ip.checksum" showname="Header checksum: 0x0000 [validation disabled]" size="2" pos="10" show="0x00000000" value="0000">
305 <field name="ip.checksum_good" showname="Good: False" size="2" pos="10" show="0" value="0000"/>
306 <field name="ip.checksum_bad" showname="Bad: False" size="2" pos="10" show="0" value="0000"/>
307 </field>
<!-- Entries marked hide="yes" repeat the same four address bytes under the generic
     names ip.addr, ip.host and ip.*_host; a consumer that counts addresses should
     read ip.src / ip.dst only, or it will count each endpoint several times. -->
308 <field name="ip.src" showname="Source: 127.0.0.21" size="4" pos="12" show="127.0.0.21" value="7f000015"/>
309 <field name="ip.addr" showname="Source or Destination Address: 127.0.0.21" hide="yes" size="4" pos="12" show="127.0.0.21" value="7f000015"/>
310 <field name="ip.src_host" showname="Source Host: 127.0.0.21" hide="yes" size="4" pos="12" show="127.0.0.21" value="7f000015"/>
311 <field name="ip.host" showname="Source or Destination Host: 127.0.0.21" hide="yes" size="4" pos="12" show="127.0.0.21" value="7f000015"/>
312 <field name="ip.dst" showname="Destination: 127.0.0.21" size="4" pos="16" show="127.0.0.21" value="7f000015"/>
313 <field name="ip.addr" showname="Source or Destination Address: 127.0.0.21" hide="yes" size="4" pos="16" show="127.0.0.21" value="7f000015"/>
314 <field name="ip.dst_host" showname="Destination Host: 127.0.0.21" hide="yes" size="4" pos="16" show="127.0.0.21" value="7f000015"/>
315 <field name="ip.host" showname="Source or Destination Host: 127.0.0.21" hide="yes" size="4" pos="16" show="127.0.0.21" value="7f000015"/>
<!-- The two GeoIP entries have an empty name attribute; they can only be matched on
     their show text. -->
316 <field name="" show="Source GeoIP: Unknown" size="4" pos="12" value="7f000015"/>
317 <field name="" show="Destination GeoIP: Unknown" size="4" pos="16" value="7f000015"/>
318 </proto>
<!-- TCP header of a 1487-byte segment sent from port 88 to port 14723 with PSH and ACK
     set. Port 88 is the registered Kerberos port, so this is the server-to-client
     direction of TCP stream 0. -->
319 <proto name="tcp" showname="Transmission Control Protocol, Src Port: 88 (88), Dst Port: 14723 (14723), Seq: 1, Ack: 257, Len: 1487" size="20" pos="20">
320 <field name="tcp.srcport" showname="Source Port: 88" size="2" pos="20" show="88" value="0058"/>
321 <field name="tcp.dstport" showname="Destination Port: 14723" size="2" pos="22" show="14723" value="3983"/>
322 <field name="tcp.port" showname="Source or Destination Port: 88" hide="yes" size="2" pos="20" show="88" value="0058"/>
323 <field name="tcp.port" showname="Source or Destination Port: 14723" hide="yes" size="2" pos="22" show="14723" value="3983"/>
324 <field name="tcp.stream" showname="Stream index: 0" size="0" pos="20" show="0"/>
325 <field name="tcp.len" showname="TCP Segment Len: 1487" size="1" pos="32" show="1487" value="50"/>
<!-- Sequence and acknowledgment numbers are shown relative to the start of the stream
     (see the showname text); the value attributes hold the same relative numbers. -->
326 <field name="tcp.seq" showname="Sequence number: 1 (relative sequence number)" size="4" pos="24" show="1" value="00000001"/>
327 <field name="tcp.nxtseq" showname="Next sequence number: 1488 (relative sequence number)" size="0" pos="20" show="1488"/>
328 <field name="tcp.ack" showname="Acknowledgment number: 257 (relative ack number)" size="4" pos="28" show="257" value="00000101"/>
329 <field name="tcp.hdr_len" showname="Header Length: 20 bytes" size="1" pos="32" show="20" value="50"/>
<!-- Flag bits: value is "FFFFFFFF" for a set bit and "0" for a clear one; the show
     attribute (1 / 0) is the simpler thing to test. -->
330 <field name="tcp.flags" showname="Flags: 0x018 (PSH, ACK)" size="2" pos="32" show="0x00000018" value="18" unmaskedvalue="5018">
331 <field name="tcp.flags.res" showname="000. .... .... = Reserved: Not set" size="1" pos="32" show="0" value="0" unmaskedvalue="50"/>
332 <field name="tcp.flags.ns" showname="...0 .... .... = Nonce: Not set" size="1" pos="32" show="0" value="0" unmaskedvalue="50"/>
333 <field name="tcp.flags.cwr" showname=".... 0... .... = Congestion Window Reduced (CWR): Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
334 <field name="tcp.flags.ecn" showname=".... .0.. .... = ECN-Echo: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
335 <field name="tcp.flags.urg" showname=".... ..0. .... = Urgent: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
336 <field name="tcp.flags.ack" showname=".... ...1 .... = Acknowledgment: Set" size="1" pos="33" show="1" value="FFFFFFFF" unmaskedvalue="18"/>
337 <field name="tcp.flags.push" showname=".... .... 1... = Push: Set" size="1" pos="33" show="1" value="FFFFFFFF" unmaskedvalue="18"/>
338 <field name="tcp.flags.reset" showname=".... .... .0.. = Reset: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
339 <field name="tcp.flags.syn" showname=".... .... ..0. = Syn: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
340 <field name="tcp.flags.fin" showname=".... .... ...0 = Fin: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
341 <field name="tcp.flags.str" showname="TCP Flags: *******AP***" size="2" pos="32" show="*******AP***" value="5018"/>
342 </field>
343 <field name="tcp.window_size_value" showname="Window size value: 32767" size="2" pos="34" show="32767" value="7fff"/>
344 <field name="tcp.window_size" showname="Calculated window size: 32767" size="2" pos="34" show="32767" value="7fff"/>
345 <field name="tcp.window_size_scalefactor" showname="Window size scaling factor: -2 (no window scaling used)" size="2" pos="34" show="-2" value="7fff"/>
<!-- As with the IP header, the checksum bytes are 0x0000 and validation is reported as
     disabled, so the good/bad flags carry no information. -->
346 <field name="tcp.checksum" showname="Checksum: 0x0000 [validation disabled]" size="2" pos="36" show="0x00000000" value="0000">
347 <field name="tcp.checksum_good" showname="Good Checksum: False" size="2" pos="36" show="0" value="0000"/>
348 <field name="tcp.checksum_bad" showname="Bad Checksum: False" size="2" pos="36" show="0" value="0000"/>
349 </field>
350 <field name="tcp.urgent_pointer" showname="Urgent pointer: 0" size="2" pos="38" show="0" value="0000"/>
<!-- The tcp.analysis children all have size="0": they are values the dissector worked
     out from the stream (which frame is acknowledged, round-trip times, bytes in
     flight), not bytes present in this packet. -->
351 <field name="tcp.analysis" showname="SEQ/ACK analysis" size="0" pos="20" show="" value="">
352 <field name="tcp.analysis.acks_frame" showname="This is an ACK to the segment in frame: 47" size="0" pos="20" show="47"/>
353 <field name="tcp.analysis.ack_rtt" showname="The RTT to ACK the segment was: 0.003941000 seconds" size="0" pos="20" show="0.003941000"/>
354 <field name="tcp.analysis.initial_rtt" showname="iRTT: 0.000012000 seconds" size="0" pos="20" show="0.000012000"/>
355 <field name="tcp.analysis.bytes_in_flight" showname="Bytes in flight: 1487" size="0" pos="20" show="1487"/>
356 </field>
<!-- The 1487 payload bytes were replaced with the "...elided..." placeholder that the
     comment at the top of this file describes. -->
357 <field name="tcp.pdu.size" showname="PDU Size: 1487" size="1487" pos="40" show="1487" value="...elided..."/>
358 </proto>
<!-- Kerberos AS-REP (msg-type 11) returned to client principal LOCALDC$ in realm
     SAMBA.EXAMPLE.COM. It carries a ticket for krbtgt/SAMBA.EXAMPLE.COM plus the
     reply's own encrypted part, both using etype 18 (AES256-CTS-HMAC-SHA1-96). -->
359 <proto name="kerberos" showname="Kerberos" size="1487" pos="40">
<!-- Kerberos over TCP prefixes each message with a 4-byte record mark: one reserved
     bit and a 31-bit length, here 1483. -->
360 <field name="" show="Record Mark: 1483 bytes" size="4" pos="40" value="000005cb">
361 <field name="kerberos.rm.reserved" showname="0... .... .... .... .... .... .... .... = Reserved: Not set" size="4" pos="40" show="0" value="0" unmaskedvalue="000005cb"/>
362 <field name="kerberos.rm.length" showname=".000 0000 0000 0000 0000 0101 1100 1011 = Record Length: 1483" size="4" pos="40" show="1483" value="5CB" unmaskedvalue="000005cb"/>
363 </field>
364 <field name="kerberos.as_rep_element" showname="as-rep" size="1479" pos="48" show="" value="">
365 <field name="kerberos.pvno" showname="pvno: 5" size="1" pos="56" show="5" value="05"/>
366 <field name="kerberos.msg_type" showname="msg-type: krb-as-rep (11)" size="1" pos="61" show="11" value="0b"/>
<!-- PA-PW-SALT (padata-type 3). The 46 value bytes are plain ASCII:
     "SAMBA.EXAMPLE.COMhostlocaldc.samba.example.com". This value is NOT elided; the
     salt travels in clear text in an AS-REP, so it is not a secret, but it does name
     the realm and host of the test environment. -->
367 <field name="kerberos.padata" showname="padata: 1 item" size="57" pos="66" show="1" value="3037a103020103a230042e53414d42412e4558414d504c452e434f4d686f73746c6f63616c64632e73616d62612e6578616d706c652e636f6d">
368 <field name="kerberos.PA_DATA_element" showname="PA-DATA PA-PW-SALT" size="57" pos="66" show="" value="">
369 <field name="kerberos.padata_type" showname="padata-type: kRB5-PADATA-PW-SALT (3)" size="1" pos="72" show="3" value="03">
370 <field name="kerberos.padata_value" showname="padata-value: 53414d42412e4558414d504c452e434f4d686f73746c6f63..." size="46" pos="77" show="53:41:4d:42:41:2e:45:58:41:4d:50:4c:45:2e:43:4f:4d:68:6f:73:74:6c:6f:63:61:6c:64:63:2e:73:61:6d:62:61:2e:65:78:61:6d:70:6c:65:2e:63:6f:6d" value="53414d42412e4558414d504c452e434f4d686f73746c6f63616c64632e73616d62612e6578616d706c652e636f6d">
<!-- NOTE(review): the three kerberos.smb.* children cover the first 12 bytes of the
     salt above (pos 77, 81, 85). 0x424d4153 is the ASCII text "SAMB" read as a
     little-endian word, so this looks like the dissector reinterpreting salt bytes,
     not a real NT status. Do not treat it as an error code; confirm against the
     Wireshark version named in the pdml element. -->
371 <field name="kerberos.smb.nt_status" showname="NT Status: Unknown (0x424d4153)" size="4" pos="77" show="0x424d4153" value="53414d42"/>
372 <field name="kerberos.smb.unknown" showname="Unknown: 0x58452e41" size="4" pos="81" show="0x58452e41" value="412e4558"/>
373 <field name="kerberos.smb.unknown" showname="Unknown: 0x4c504d41" size="4" pos="85" show="0x4c504d41" value="414d504c"/>
374 </field>
375 </field>
376 </field>
377 </field>
<!-- Client identity: realm SAMBA.EXAMPLE.COM, principal LOCALDC$ (name-type 1). -->
378 <field name="kerberos.crealm" showname="crealm: SAMBA.EXAMPLE.COM" size="17" pos="127" show="SAMBA.EXAMPLE.COM" value="53414d42412e4558414d504c452e434f4d"/>
379 <field name="kerberos.cname_element" showname="cname" size="21" pos="146" show="" value="">
380 <field name="kerberos.name_type" showname="name-type: kRB5-NT-PRINCIPAL (1)" size="1" pos="152" show="1" value="01"/>
381 <field name="kerberos.name_string" showname="name-string: 1 item" size="10" pos="157" show="1" value="1b084c4f43414c444324">
382 <field name="kerberos.KerberosString" showname="KerberosString: LOCALDC$" size="8" pos="159" show="LOCALDC$" value="4c4f43414c444324"/>
383 </field>
384 </field>
<!-- The issued ticket: service name krbtgt/SAMBA.EXAMPLE.COM (name-type 2), i.e. a
     ticket-granting ticket for the realm. -->
385 <field name="kerberos.ticket_element" showname="ticket" size="1105" pos="175" show="" value="">
386 <field name="kerberos.tkt_vno" showname="tkt-vno: 5" size="1" pos="183" show="5" value="05"/>
387 <field name="kerberos.realm" showname="realm: SAMBA.EXAMPLE.COM" size="17" pos="188" show="SAMBA.EXAMPLE.COM" value="53414d42412e4558414d504c452e434f4d"/>
388 <field name="kerberos.sname_element" showname="sname" size="38" pos="207" show="" value="">
389 <field name="kerberos.name_type" showname="name-type: kRB5-NT-SRV-INST (2)" size="1" pos="213" show="2" value="02"/>
390 <field name="kerberos.name_string" showname="name-string: 2 items" size="27" pos="218" show="2" value="1b066b72627467741b1153414d42412e4558414d504c452e434f4d">
391 <field name="kerberos.KerberosString" showname="KerberosString: krbtgt" size="6" pos="220" show="krbtgt" value="6b7262746774"/>
392 <field name="kerberos.KerberosString" showname="KerberosString: SAMBA.EXAMPLE.COM" size="17" pos="228" show="SAMBA.EXAMPLE.COM" value="53414d42412e4558414d504c452e434f4d"/>
393 </field>
394 </field>
<!-- Encrypted part of the ticket. show and value are elided, but showname still holds
     the first 24 ciphertext bytes as hex. That is harmless for this selftest realm;
     the same elision applied to a capture from a real realm would leave that prefix
     behind, so showname needs scrubbing too. -->
395 <field name="kerberos.enc_part_element" showname="enc-part" size="1031" pos="249" show="" value="">
396 <field name="kerberos.etype" showname="etype: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)" size="1" pos="257" show="18" value="12"/>
397 <field name="kerberos.kvno" showname="kvno: 1" size="1" pos="262" show="1" value="01"/>
398 <field name="kerberos.cipher" showname="cipher: 22e144d817a8c9e491c0eaa7aaf8e719ed4e92231d14006c..." size="1009" pos="271" show="...elided..." value="...elided..."/>
399 </field>
400 </field>
<!-- Encrypted part of the AS-REP itself (a sibling of the ticket, not nested in it).
     The cipher is elided the same way, with the same hex prefix left in showname. -->
401 <field name="kerberos.enc_part_element" showname="enc-part" size="244" pos="1283" show="" value="">
402 <field name="kerberos.etype" showname="etype: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)" size="1" pos="1290" show="18" value="12"/>
403 <field name="kerberos.kvno" showname="kvno: 1" size="1" pos="1295" show="1" value="01"/>
404 <field name="kerberos.cipher" showname="cipher: 0131d06ef55ec3e3dd9a2de408afb6236c32fc6776e0cde6..." size="225" pos="1302" show="...elided..." value="...elided..."/>
405 </field>
406 </field>
407 </proto>
408 </packet>
<!-- Frame 2400: a Kerberos AS-REQ sent from 127.0.0.11 port 14787 to port 88 on
     127.0.0.21 (TCP stream 49). The client Administrator@SAMBA.EXAMPLE.COM asks for a
     krbtgt ticket and pre-authenticates with PA-ENC-TIMESTAMP. -->
410 <packet>
<!-- In geninfo the value attributes are hexadecimal (0x960 = 2400, 0x12d = 301) while
     show is decimal. -->
411 <proto name="geninfo" pos="0" showname="General information" size="301">
412 <field name="num" pos="0" show="2400" showname="Number" value="960" size="301"/>
413 <field name="len" pos="0" show="301" showname="Frame Length" value="12d" size="301"/>
414 <field name="caplen" pos="0" show="301" showname="Captured Length" value="12d" size="301"/>
415 <field name="timestamp" pos="0" show="Feb 10, 2017 14:36:24.104038000 NZDT" showname="Captured Time" value="1486690584.104038000" size="301"/>
416 </proto>
<!-- Capture metadata. Every field here has size="0": these values describe the frame
     and are not bytes inside it. -->
417 <proto name="frame" showname="Frame 2400: 301 bytes on wire (2408 bits), 301 bytes captured (2408 bits)" size="301" pos="0">
418 <field name="frame.encap_type" showname="Encapsulation type: Raw IP (7)" size="0" pos="0" show="7"/>
419 <field name="frame.time" showname="Arrival Time: Feb 10, 2017 14:36:24.104038000 NZDT" size="0" pos="0" show="Feb 10, 2017 14:36:24.104038000 NZDT"/>
420 <field name="frame.offset_shift" showname="Time shift for this packet: 0.000000000 seconds" size="0" pos="0" show="0.000000000"/>
421 <field name="frame.time_epoch" showname="Epoch Time: 1486690584.104038000 seconds" size="0" pos="0" show="1486690584.104038000"/>
422 <field name="frame.time_delta" showname="Time delta from previous captured frame: 0.000010000 seconds" size="0" pos="0" show="0.000010000"/>
423 <field name="frame.time_delta_displayed" showname="Time delta from previous displayed frame: 0.000010000 seconds" size="0" pos="0" show="0.000010000"/>
424 <field name="frame.time_relative" showname="Time since reference or first frame: 7.573587000 seconds" size="0" pos="0" show="7.573587000"/>
425 <field name="frame.number" showname="Frame Number: 2400" size="0" pos="0" show="2400"/>
426 <field name="frame.len" showname="Frame Length: 301 bytes (2408 bits)" size="0" pos="0" show="301"/>
427 <field name="frame.cap_len" showname="Capture Length: 301 bytes (2408 bits)" size="0" pos="0" show="301"/>
428 <field name="frame.marked" showname="Frame is marked: False" size="0" pos="0" show="0"/>
429 <field name="frame.ignored" showname="Frame is ignored: False" size="0" pos="0" show="0"/>
430 <field name="frame.protocols" showname="Protocols in frame: raw:ip:tcp:kerberos" size="0" pos="0" show="raw:ip:tcp:kerberos"/>
431 </proto>
432 <proto name="raw" showname="Raw packet data" size="301" pos="0"/>
<!-- IPv4 header, 127.0.0.11 to 127.0.0.21. Both addresses are in the loopback range. -->
433 <proto name="ip" showname="Internet Protocol Version 4, Src: 127.0.0.11, Dst: 127.0.0.21" size="20" pos="0">
434 <field name="ip.version" showname="0100 .... = Version: 4" size="1" pos="0" show="4" value="4" unmaskedvalue="45"/>
435 <field name="ip.hdr_len" showname=".... 0101 = Header Length: 20 bytes" size="1" pos="0" show="5" value="5" unmaskedvalue="45"/>
436 <field name="ip.dsfield" showname="Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)" size="1" pos="1" show="0x00000000" value="00">
437 <field name="ip.dsfield.dscp" showname="0000 00.. = Differentiated Services Codepoint: Default (0)" size="1" pos="1" show="0" value="0" unmaskedvalue="00"/>
438 <field name="ip.dsfield.ecn" showname=".... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)" size="1" pos="1" show="0" value="0" unmaskedvalue="00"/>
439 </field>
440 <field name="ip.len" showname="Total Length: 301" size="2" pos="2" show="301" value="012d"/>
441 <field name="ip.id" showname="Identification: 0xffff (65535)" size="2" pos="4" show="0x0000ffff" value="ffff"/>
442 <field name="ip.flags" showname="Flags: 0x02 (Don&#x27;t Fragment)" size="1" pos="6" show="0x00000002" value="40">
443 <field name="ip.flags.rb" showname="0... .... = Reserved bit: Not set" size="1" pos="6" show="0" value="40"/>
444 <field name="ip.flags.df" showname=".1.. .... = Don&#x27;t fragment: Set" size="1" pos="6" show="1" value="40"/>
445 <field name="ip.flags.mf" showname="..0. .... = More fragments: Not set" size="1" pos="6" show="0" value="40"/>
446 </field>
447 <field name="ip.frag_offset" showname="Fragment offset: 0" size="2" pos="6" show="0" value="4000"/>
448 <field name="ip.ttl" showname="Time to live: 255" size="1" pos="8" show="255" value="ff"/>
449 <field name="ip.proto" showname="Protocol: TCP (6)" size="1" pos="9" show="6" value="06"/>
<!-- Checksum bytes are 0x0000 with validation reported as disabled; the good/bad flags
     are both False and carry no integrity information. -->
450 <field name="ip.checksum" showname="Header checksum: 0x0000 [validation disabled]" size="2" pos="10" show="0x00000000" value="0000">
451 <field name="ip.checksum_good" showname="Good: False" size="2" pos="10" show="0" value="0000"/>
452 <field name="ip.checksum_bad" showname="Bad: False" size="2" pos="10" show="0" value="0000"/>
453 </field>
<!-- hide="yes" entries repeat the address bytes under generic names; read ip.src and
     ip.dst when counting endpoints. -->
454 <field name="ip.src" showname="Source: 127.0.0.11" size="4" pos="12" show="127.0.0.11" value="7f00000b"/>
455 <field name="ip.addr" showname="Source or Destination Address: 127.0.0.11" hide="yes" size="4" pos="12" show="127.0.0.11" value="7f00000b"/>
456 <field name="ip.src_host" showname="Source Host: 127.0.0.11" hide="yes" size="4" pos="12" show="127.0.0.11" value="7f00000b"/>
457 <field name="ip.host" showname="Source or Destination Host: 127.0.0.11" hide="yes" size="4" pos="12" show="127.0.0.11" value="7f00000b"/>
458 <field name="ip.dst" showname="Destination: 127.0.0.21" size="4" pos="16" show="127.0.0.21" value="7f000015"/>
459 <field name="ip.addr" showname="Source or Destination Address: 127.0.0.21" hide="yes" size="4" pos="16" show="127.0.0.21" value="7f000015"/>
460 <field name="ip.dst_host" showname="Destination Host: 127.0.0.21" hide="yes" size="4" pos="16" show="127.0.0.21" value="7f000015"/>
461 <field name="ip.host" showname="Source or Destination Host: 127.0.0.21" hide="yes" size="4" pos="16" show="127.0.0.21" value="7f000015"/>
462 <field name="" show="Source GeoIP: Unknown" size="4" pos="12" value="7f00000b"/>
463 <field name="" show="Destination GeoIP: Unknown" size="4" pos="16" value="7f000015"/>
464 </proto>
<!-- TCP header: client port 14787 to port 88, PSH and ACK set, 261 payload bytes. -->
465 <proto name="tcp" showname="Transmission Control Protocol, Src Port: 14787 (14787), Dst Port: 88 (88), Seq: 1, Ack: 1, Len: 261" size="20" pos="20">
466 <field name="tcp.srcport" showname="Source Port: 14787" size="2" pos="20" show="14787" value="39c3"/>
467 <field name="tcp.dstport" showname="Destination Port: 88" size="2" pos="22" show="88" value="0058"/>
468 <field name="tcp.port" showname="Source or Destination Port: 14787" hide="yes" size="2" pos="20" show="14787" value="39c3"/>
469 <field name="tcp.port" showname="Source or Destination Port: 88" hide="yes" size="2" pos="22" show="88" value="0058"/>
470 <field name="tcp.stream" showname="Stream index: 49" size="0" pos="20" show="49"/>
471 <field name="tcp.len" showname="TCP Segment Len: 261" size="1" pos="32" show="261" value="50"/>
472 <field name="tcp.seq" showname="Sequence number: 1 (relative sequence number)" size="4" pos="24" show="1" value="00000001"/>
473 <field name="tcp.nxtseq" showname="Next sequence number: 262 (relative sequence number)" size="0" pos="20" show="262"/>
474 <field name="tcp.ack" showname="Acknowledgment number: 1 (relative ack number)" size="4" pos="28" show="1" value="00000001"/>
475 <field name="tcp.hdr_len" showname="Header Length: 20 bytes" size="1" pos="32" show="20" value="50"/>
476 <field name="tcp.flags" showname="Flags: 0x018 (PSH, ACK)" size="2" pos="32" show="0x00000018" value="18" unmaskedvalue="5018">
477 <field name="tcp.flags.res" showname="000. .... .... = Reserved: Not set" size="1" pos="32" show="0" value="0" unmaskedvalue="50"/>
478 <field name="tcp.flags.ns" showname="...0 .... .... = Nonce: Not set" size="1" pos="32" show="0" value="0" unmaskedvalue="50"/>
479 <field name="tcp.flags.cwr" showname=".... 0... .... = Congestion Window Reduced (CWR): Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
480 <field name="tcp.flags.ecn" showname=".... .0.. .... = ECN-Echo: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
481 <field name="tcp.flags.urg" showname=".... ..0. .... = Urgent: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
482 <field name="tcp.flags.ack" showname=".... ...1 .... = Acknowledgment: Set" size="1" pos="33" show="1" value="FFFFFFFF" unmaskedvalue="18"/>
483 <field name="tcp.flags.push" showname=".... .... 1... = Push: Set" size="1" pos="33" show="1" value="FFFFFFFF" unmaskedvalue="18"/>
484 <field name="tcp.flags.reset" showname=".... .... .0.. = Reset: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
485 <field name="tcp.flags.syn" showname=".... .... ..0. = Syn: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
486 <field name="tcp.flags.fin" showname=".... .... ...0 = Fin: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
487 <field name="tcp.flags.str" showname="TCP Flags: *******AP***" size="2" pos="32" show="*******AP***" value="5018"/>
488 </field>
489 <field name="tcp.window_size_value" showname="Window size value: 32767" size="2" pos="34" show="32767" value="7fff"/>
490 <field name="tcp.window_size" showname="Calculated window size: 32767" size="2" pos="34" show="32767" value="7fff"/>
491 <field name="tcp.window_size_scalefactor" showname="Window size scaling factor: -2 (no window scaling used)" size="2" pos="34" show="-2" value="7fff"/>
492 <field name="tcp.checksum" showname="Checksum: 0x0000 [validation disabled]" size="2" pos="36" show="0x00000000" value="0000">
493 <field name="tcp.checksum_good" showname="Good Checksum: False" size="2" pos="36" show="0" value="0000"/>
494 <field name="tcp.checksum_bad" showname="Bad Checksum: False" size="2" pos="36" show="0" value="0000"/>
495 </field>
496 <field name="tcp.urgent_pointer" showname="Urgent pointer: 0" size="2" pos="38" show="0" value="0000"/>
<!-- Dissector-computed stream statistics (size="0"), not packet bytes. -->
497 <field name="tcp.analysis" showname="SEQ/ACK analysis" size="0" pos="20" show="" value="">
498 <field name="tcp.analysis.initial_rtt" showname="iRTT: 0.000009000 seconds" size="0" pos="20" show="0.000009000"/>
499 <field name="tcp.analysis.bytes_in_flight" showname="Bytes in flight: 261" size="0" pos="20" show="261"/>
500 </field>
501 <field name="tcp.pdu.size" showname="PDU Size: 261" size="261" pos="40" show="261" value="...elided..."/>
502 </proto>
<!-- Kerberos AS-REQ (msg-type 10), prefixed by the 4-byte TCP record mark (length 257). -->
503 <proto name="kerberos" showname="Kerberos" size="261" pos="40">
504 <field name="" show="Record Mark: 257 bytes" size="4" pos="40" value="00000101">
505 <field name="kerberos.rm.reserved" showname="0... .... .... .... .... .... .... .... = Reserved: Not set" size="4" pos="40" show="0" value="0" unmaskedvalue="00000101"/>
506 <field name="kerberos.rm.length" showname=".000 0000 0000 0000 0000 0001 0000 0001 = Record Length: 257" size="4" pos="40" show="257" value="101" unmaskedvalue="00000101"/>
507 </field>
508 <field name="kerberos.as_req_element" showname="as-req" size="254" pos="47" show="" value="">
509 <field name="kerberos.pvno" showname="pvno: 5" size="1" pos="54" show="5" value="05"/>
510 <field name="kerberos.msg_type" showname="msg-type: krb-as-req (10)" size="1" pos="59" show="10" value="0a"/>
<!-- Pre-authentication: PA-ENC-TIMESTAMP (padata-type 2), encrypted with etype 18.
     show and value are elided, but the showname attributes of padata_value and cipher
     still hold the leading bytes as hex. Harmless for this selftest realm; a capture
     from a real realm sanitised the same way would keep that prefix, so showname
     needs scrubbing as well. -->
511 <field name="kerberos.padata" showname="padata: 1 item" size="78" pos="64" show="1" value="...elided...">
512 <field name="kerberos.PA_DATA_element" showname="PA-DATA PA-ENC-TIMESTAMP" size="78" pos="64" show="" value="">
513 <field name="kerberos.padata_type" showname="padata-type: kRB5-PADATA-ENC-TIMESTAMP (2)" size="1" pos="70" show="2" value="02">
514 <field name="kerberos.padata_value" showname="padata-value: 3041a003020112a23a0438cf413abdcde5fe3a6b82a38e52..." size="67" pos="75" show="...elided..." value="...elided...">
515 <field name="kerberos.etype" showname="etype: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)" size="1" pos="81" show="18" value="12"/>
516 <field name="kerberos.cipher" showname="cipher: cf413abdcde5fe3a6b82a38e520fb2dc3063cae319cecdc1..." size="56" pos="86" show="...elided..." value="...elided..."/>
517 </field>
518 </field>
519 </field>
520 </field>
521 <field name="kerberos.req_body_element" showname="req-body" size="156" pos="145" show="" value="">
522 <field name="ber.bitstring.padding" showname="Padding: 0" size="1" pos="152" show="0" value="00"/>
<!-- kdc-options 0x40000000: only the forwardable bit is set; every other option below
     is False. -->
523 <field name="kerberos.kdc_options" showname="kdc-options: 40000000 (forwardable)" size="4" pos="153" show="40:00:00:00" value="40000000">
524 <field name="kerberos.reserved" showname="0... .... = reserved: False" size="1" pos="153" show="0" value="0" unmaskedvalue="40"/>
525 <field name="kerberos.forwardable" showname=".1.. .... = forwardable: True" size="1" pos="153" show="1" value="FFFFFFFF" unmaskedvalue="40"/>
526 <field name="kerberos.forwarded" showname="..0. .... = forwarded: False" size="1" pos="153" show="0" value="0" unmaskedvalue="40"/>
527 <field name="kerberos.proxiable" showname="...0 .... = proxiable: False" size="1" pos="153" show="0" value="0" unmaskedvalue="40"/>
528 <field name="kerberos.proxy" showname=".... 0... = proxy: False" size="1" pos="153" show="0" value="0" unmaskedvalue="40"/>
529 <field name="kerberos.allow-postdate" showname=".... .0.. = allow-postdate: False" size="1" pos="153" show="0" value="0" unmaskedvalue="40"/>
530 <field name="kerberos.postdated" showname=".... ..0. = postdated: False" size="1" pos="153" show="0" value="0" unmaskedvalue="40"/>
531 <field name="kerberos.unused7" showname=".... ...0 = unused7: False" size="1" pos="153" show="0" value="0" unmaskedvalue="40"/>
532 <field name="kerberos.renewable" showname="0... .... = renewable: False" size="1" pos="154" show="0" value="0" unmaskedvalue="00"/>
533 <field name="kerberos.unused9" showname=".0.. .... = unused9: False" size="1" pos="154" show="0" value="0" unmaskedvalue="00"/>
534 <field name="kerberos.unused10" showname="..0. .... = unused10: False" size="1" pos="154" show="0" value="0" unmaskedvalue="00"/>
535 <field name="kerberos.opt-hardware-auth" showname="...0 .... = opt-hardware-auth: False" size="1" pos="154" show="0" value="0" unmaskedvalue="00"/>
536 <field name="kerberos.request-anonymous" showname=".... ..0. = request-anonymous: False" size="1" pos="154" show="0" value="0" unmaskedvalue="00"/>
537 <field name="kerberos.canonicalize" showname=".... ...0 = canonicalize: False" size="1" pos="154" show="0" value="0" unmaskedvalue="00"/>
538 <field name="kerberos.constrained-delegation" showname="0... .... = constrained-delegation: False" size="1" pos="155" show="0" value="0" unmaskedvalue="00"/>
539 <field name="kerberos.disable-transited-check" showname="..0. .... = disable-transited-check: False" size="1" pos="156" show="0" value="0" unmaskedvalue="00"/>
540 <field name="kerberos.renewable-ok" showname="...0 .... = renewable-ok: False" size="1" pos="156" show="0" value="0" unmaskedvalue="00"/>
541 <field name="kerberos.enc-tkt-in-skey" showname=".... 0... = enc-tkt-in-skey: False" size="1" pos="156" show="0" value="0" unmaskedvalue="00"/>
542 <field name="kerberos.renew" showname=".... ..0. = renew: False" size="1" pos="156" show="0" value="0" unmaskedvalue="00"/>
543 <field name="kerberos.validate" showname=".... ...0 = validate: False" size="1" pos="156" show="0" value="0" unmaskedvalue="00"/>
544 </field>
<!-- Requesting principal: Administrator (name-type 1) in realm SAMBA.EXAMPLE.COM. -->
545 <field name="kerberos.cname_element" showname="cname" size="26" pos="159" show="" value="">
546 <field name="kerberos.name_type" showname="name-type: kRB5-NT-PRINCIPAL (1)" size="1" pos="165" show="1" value="01"/>
547 <field name="kerberos.name_string" showname="name-string: 1 item" size="15" pos="170" show="1" value="1b0d41646d696e6973747261746f72">
548 <field name="kerberos.KerberosString" showname="KerberosString: Administrator" size="13" pos="172" show="Administrator" value="41646d696e6973747261746f72"/>
549 </field>
550 </field>
551 <field name="kerberos.realm" showname="realm: SAMBA.EXAMPLE.COM" size="17" pos="189" show="SAMBA.EXAMPLE.COM" value="53414d42412e4558414d504c452e434f4d"/>
<!-- Requested service: krbtgt/SAMBA.EXAMPLE.COM (name-type 2), i.e. a TGT request. -->
552 <field name="kerberos.sname_element" showname="sname" size="38" pos="208" show="" value="">
553 <field name="kerberos.name_type" showname="name-type: kRB5-NT-SRV-INST (2)" size="1" pos="214" show="2" value="02"/>
554 <field name="kerberos.name_string" showname="name-string: 2 items" size="27" pos="219" show="2" value="1b066b72627467741b1153414d42412e4558414d504c452e434f4d">
555 <field name="kerberos.KerberosString" showname="KerberosString: krbtgt" size="6" pos="221" show="krbtgt" value="6b7262746774"/>
556 <field name="kerberos.KerberosString" showname="KerberosString: SAMBA.EXAMPLE.COM" size="17" pos="229" show="SAMBA.EXAMPLE.COM" value="53414d42412e4558414d504c452e434f4d"/>
557 </field>
558 </field>
<!-- Requested expiry is 24 hours after the frame's capture time (14:36:24 NZDT on
     Feb 10 is 01:36:24 UTC). -->
559 <field name="kerberos.till" showname="till: 2017-02-11 01:36:24 (UTC)" size="15" pos="250" show="2017-02-11 01:36:24 (UTC)" value="32303137303231313031333632345a"/>
560 <field name="kerberos.nonce" showname="nonce: 1225047325" size="4" pos="269" show="1225047325" value="4904bd1d"/>
<!-- Encryption types the client offers, in the client's order of preference: AES256
     and AES128 first, then DES3, RC4 (ARCFOUR-HMAC-MD5) and single DES. The single-DES
     types were deprecated by RFC 6649 and DES3 and RC4 by RFC 8429, so this list
     records what the 2017 test client sent and is not a configuration to copy. When
     reviewing live traffic, an AS-REQ whose list starts with RC4 or DES is the case
     worth alerting on. -->
561 <field name="kerberos.etype" showname="etype: 8 items" size="24" pos="277" show="8" value="020112020111020110020105020117020103020102020101">
562 <field name="kerberos.ENCTYPE" showname="ENCTYPE: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)" size="1" pos="279" show="18" value="12"/>
563 <field name="kerberos.ENCTYPE" showname="ENCTYPE: eTYPE-AES128-CTS-HMAC-SHA1-96 (17)" size="1" pos="282" show="17" value="11"/>
564 <field name="kerberos.ENCTYPE" showname="ENCTYPE: eTYPE-DES3-CBC-SHA1 (16)" size="1" pos="285" show="16" value="10"/>
565 <field name="kerberos.ENCTYPE" showname="ENCTYPE: eTYPE-DES3-CBC-MD5 (5)" size="1" pos="288" show="5" value="05"/>
566 <field name="kerberos.ENCTYPE" showname="ENCTYPE: eTYPE-ARCFOUR-HMAC-MD5 (23)" size="1" pos="291" show="23" value="17"/>
567 <field name="kerberos.ENCTYPE" showname="ENCTYPE: eTYPE-DES-CBC-MD5 (3)" size="1" pos="294" show="3" value="03"/>
568 <field name="kerberos.ENCTYPE" showname="ENCTYPE: eTYPE-DES-CBC-MD4 (2)" size="1" pos="297" show="2" value="02"/>
569 <field name="kerberos.ENCTYPE" showname="ENCTYPE: eTYPE-DES-CBC-CRC (1)" size="1" pos="300" show="1" value="01"/>
570 </field>
571 </field>
572 </field>
573 </proto>
574 </packet>
577 <packet>
<!-- Capture metadata for frame 2408: 70 bytes, Raw-IP encapsulation, protocol stack
     raw:ip:tcp:kerberos. In geninfo the value attributes are hexadecimal
     (0x968 = 2408, 0x46 = 70) while show is decimal. -->
578 <proto name="geninfo" pos="0" showname="General information" size="70">
579 <field name="num" pos="0" show="2408" showname="Number" value="968" size="70"/>
580 <field name="len" pos="0" show="70" showname="Frame Length" value="46" size="70"/>
581 <field name="caplen" pos="0" show="70" showname="Captured Length" value="46" size="70"/>
582 <field name="timestamp" pos="0" show="Feb 10, 2017 14:36:24.108221000 NZDT" showname="Captured Time" value="1486690584.108221000" size="70"/>
583 </proto>
<!-- Every frame.* field has size="0": these values describe the frame and are not
     bytes inside it. frame.time is local time (NZDT); frame.time_epoch is the same
     instant as a Unix timestamp and is the safer field to compare across captures. -->
584 <proto name="frame" showname="Frame 2408: 70 bytes on wire (560 bits), 70 bytes captured (560 bits)" size="70" pos="0">
585 <field name="frame.encap_type" showname="Encapsulation type: Raw IP (7)" size="0" pos="0" show="7"/>
586 <field name="frame.time" showname="Arrival Time: Feb 10, 2017 14:36:24.108221000 NZDT" size="0" pos="0" show="Feb 10, 2017 14:36:24.108221000 NZDT"/>
587 <field name="frame.offset_shift" showname="Time shift for this packet: 0.000000000 seconds" size="0" pos="0" show="0.000000000"/>
588 <field name="frame.time_epoch" showname="Epoch Time: 1486690584.108221000 seconds" size="0" pos="0" show="1486690584.108221000"/>
589 <field name="frame.time_delta" showname="Time delta from previous captured frame: 0.000003000 seconds" size="0" pos="0" show="0.000003000"/>
590 <field name="frame.time_delta_displayed" showname="Time delta from previous displayed frame: 0.000003000 seconds" size="0" pos="0" show="0.000003000"/>
591 <field name="frame.time_relative" showname="Time since reference or first frame: 7.577770000 seconds" size="0" pos="0" show="7.577770000"/>
592 <field name="frame.number" showname="Frame Number: 2408" size="0" pos="0" show="2408"/>
593 <field name="frame.len" showname="Frame Length: 70 bytes (560 bits)" size="0" pos="0" show="70"/>
594 <field name="frame.cap_len" showname="Capture Length: 70 bytes (560 bits)" size="0" pos="0" show="70"/>
595 <field name="frame.marked" showname="Frame is marked: False" size="0" pos="0" show="0"/>
596 <field name="frame.ignored" showname="Frame is ignored: False" size="0" pos="0" show="0"/>
597 <field name="frame.protocols" showname="Protocols in frame: raw:ip:tcp:kerberos" size="0" pos="0" show="raw:ip:tcp:kerberos"/>
598 </proto>
599 <proto name="raw" showname="Raw packet data" size="70" pos="0"/>
600 <proto name="ip" showname="Internet Protocol Version 4, Src: 127.0.0.21, Dst: 127.0.0.11" size="20" pos="0">
601 <field name="ip.version" showname="0100 .... = Version: 4" size="1" pos="0" show="4" value="4" unmaskedvalue="45"/>
602 <field name="ip.hdr_len" showname=".... 0101 = Header Length: 20 bytes" size="1" pos="0" show="5" value="5" unmaskedvalue="45"/>
603 <field name="ip.dsfield" showname="Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)" size="1" pos="1" show="0x00000000" value="00">
604 <field name="ip.dsfield.dscp" showname="0000 00.. = Differentiated Services Codepoint: Default (0)" size="1" pos="1" show="0" value="0" unmaskedvalue="00"/>
605 <field name="ip.dsfield.ecn" showname=".... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)" size="1" pos="1" show="0" value="0" unmaskedvalue="00"/>
606 </field>
607 <field name="ip.len" showname="Total Length: 70" size="2" pos="2" show="70" value="0046"/>
608 <field name="ip.id" showname="Identification: 0xffff (65535)" size="2" pos="4" show="0x0000ffff" value="ffff"/>
609 <field name="ip.flags" showname="Flags: 0x02 (Don&#x27;t Fragment)" size="1" pos="6" show="0x00000002" value="40">
610 <field name="ip.flags.rb" showname="0... .... = Reserved bit: Not set" size="1" pos="6" show="0" value="40"/>
611 <field name="ip.flags.df" showname=".1.. .... = Don&#x27;t fragment: Set" size="1" pos="6" show="1" value="40"/>
612 <field name="ip.flags.mf" showname="..0. .... = More fragments: Not set" size="1" pos="6" show="0" value="40"/>
613 </field>
614 <field name="ip.frag_offset" showname="Fragment offset: 0" size="2" pos="6" show="0" value="4000"/>
615 <field name="ip.ttl" showname="Time to live: 255" size="1" pos="8" show="255" value="ff"/>
616 <field name="ip.proto" showname="Protocol: TCP (6)" size="1" pos="9" show="6" value="06"/>
617 <field name="ip.checksum" showname="Header checksum: 0x0000 [validation disabled]" size="2" pos="10" show="0x00000000" value="0000">
618 <field name="ip.checksum_good" showname="Good: False" size="2" pos="10" show="0" value="0000"/>
619 <field name="ip.checksum_bad" showname="Bad: False" size="2" pos="10" show="0" value="0000"/>
620 </field>
621 <field name="ip.src" showname="Source: 127.0.0.21" size="4" pos="12" show="127.0.0.21" value="7f000015"/>
622 <field name="ip.addr" showname="Source or Destination Address: 127.0.0.21" hide="yes" size="4" pos="12" show="127.0.0.21" value="7f000015"/>
623 <field name="ip.src_host" showname="Source Host: 127.0.0.21" hide="yes" size="4" pos="12" show="127.0.0.21" value="7f000015"/>
624 <field name="ip.host" showname="Source or Destination Host: 127.0.0.21" hide="yes" size="4" pos="12" show="127.0.0.21" value="7f000015"/>
625 <field name="ip.dst" showname="Destination: 127.0.0.11" size="4" pos="16" show="127.0.0.11" value="7f00000b"/>
626 <field name="ip.addr" showname="Source or Destination Address: 127.0.0.11" hide="yes" size="4" pos="16" show="127.0.0.11" value="7f00000b"/>
627 <field name="ip.dst_host" showname="Destination Host: 127.0.0.11" hide="yes" size="4" pos="16" show="127.0.0.11" value="7f00000b"/>
628 <field name="ip.host" showname="Source or Destination Host: 127.0.0.11" hide="yes" size="4" pos="16" show="127.0.0.11" value="7f00000b"/>
629 <field name="" show="Source GeoIP: Unknown" size="4" pos="12" value="7f000015"/>
630 <field name="" show="Destination GeoIP: Unknown" size="4" pos="16" value="7f00000b"/>
631 </proto>
632 <proto name="tcp" showname="Transmission Control Protocol, Src Port: 88 (88), Dst Port: 14787 (14787), Seq: 1505, Ack: 262, Len: 30" size="20" pos="20">
633 <field name="tcp.srcport" showname="Source Port: 88" size="2" pos="20" show="88" value="0058"/>
634 <field name="tcp.dstport" showname="Destination Port: 14787" size="2" pos="22" show="14787" value="39c3"/>
635 <field name="tcp.port" showname="Source or Destination Port: 88" hide="yes" size="2" pos="20" show="88" value="0058"/>
636 <field name="tcp.port" showname="Source or Destination Port: 14787" hide="yes" size="2" pos="22" show="14787" value="39c3"/>
637 <field name="tcp.stream" showname="Stream index: 49" size="0" pos="20" show="49"/>
638 <field name="tcp.len" showname="TCP Segment Len: 30" size="1" pos="32" show="30" value="50"/>
639 <field name="tcp.seq" showname="Sequence number: 1505 (relative sequence number)" size="4" pos="24" show="1505" value="000005e1"/>
640 <field name="tcp.nxtseq" showname="Next sequence number: 1535 (relative sequence number)" size="0" pos="20" show="1535"/>
641 <field name="tcp.ack" showname="Acknowledgment number: 262 (relative ack number)" size="4" pos="28" show="262" value="00000106"/>
642 <field name="tcp.hdr_len" showname="Header Length: 20 bytes" size="1" pos="32" show="20" value="50"/>
643 <field name="tcp.flags" showname="Flags: 0x018 (PSH, ACK)" size="2" pos="32" show="0x00000018" value="18" unmaskedvalue="5018">
644 <field name="tcp.flags.res" showname="000. .... .... = Reserved: Not set" size="1" pos="32" show="0" value="0" unmaskedvalue="50"/>
645 <field name="tcp.flags.ns" showname="...0 .... .... = Nonce: Not set" size="1" pos="32" show="0" value="0" unmaskedvalue="50"/>
646 <field name="tcp.flags.cwr" showname=".... 0... .... = Congestion Window Reduced (CWR): Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
647 <field name="tcp.flags.ecn" showname=".... .0.. .... = ECN-Echo: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
648 <field name="tcp.flags.urg" showname=".... ..0. .... = Urgent: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
649 <field name="tcp.flags.ack" showname=".... ...1 .... = Acknowledgment: Set" size="1" pos="33" show="1" value="FFFFFFFF" unmaskedvalue="18"/>
650 <field name="tcp.flags.push" showname=".... .... 1... = Push: Set" size="1" pos="33" show="1" value="FFFFFFFF" unmaskedvalue="18"/>
651 <field name="tcp.flags.reset" showname=".... .... .0.. = Reset: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
652 <field name="tcp.flags.syn" showname=".... .... ..0. = Syn: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
653 <field name="tcp.flags.fin" showname=".... .... ...0 = Fin: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
654 <field name="tcp.flags.str" showname="TCP Flags: *******AP***" size="2" pos="32" show="*******AP***" value="5018"/>
655 </field>
656 <field name="tcp.window_size_value" showname="Window size value: 32767" size="2" pos="34" show="32767" value="7fff"/>
657 <field name="tcp.window_size" showname="Calculated window size: 32767" size="2" pos="34" show="32767" value="7fff"/>
658 <field name="tcp.window_size_scalefactor" showname="Window size scaling factor: -2 (no window scaling used)" size="2" pos="34" show="-2" value="7fff"/>
659 <field name="tcp.checksum" showname="Checksum: 0x0000 [validation disabled]" size="2" pos="36" show="0x00000000" value="0000">
660 <field name="tcp.checksum_good" showname="Good Checksum: False" size="2" pos="36" show="0" value="0000"/>
661 <field name="tcp.checksum_bad" showname="Bad Checksum: False" size="2" pos="36" show="0" value="0000"/>
662 </field>
663 <field name="tcp.urgent_pointer" showname="Urgent pointer: 0" size="2" pos="38" show="0" value="0000"/>
664 <field name="tcp.analysis" showname="SEQ/ACK analysis" size="0" pos="20" show="" value="">
665 <field name="tcp.analysis.initial_rtt" showname="iRTT: 0.000009000 seconds" size="0" pos="20" show="0.000009000"/>
666 <field name="tcp.analysis.bytes_in_flight" showname="Bytes in flight: 1534" size="0" pos="20" show="1534"/>
667 </field>
668 <field name="tcp.pdu.size" showname="PDU Size: 1534" size="1534" pos="20" show="1534" value="...elided..."/>
669 <field name="tcp.segment_data" showname="TCP segment data (30 bytes)" size="30" pos="40" show="54:c1:fb:c3:43:df:f3:ce:39:c5:50:6d:bb:0a:e1:fb:63:1d:43:4e:45:94:4b:8a:05:ae:cf:89:93:62" value="54c1fbc343dff3ce39c5506dbb0ae1fb631d434e45944b8a05aecf899362"/>
670 </proto>
<!-- Reassembly summary: this Kerberos message spans frames 2406, 2407 and 2408 (4 + 1500 + 30 = 1534 bytes). The 4-byte first segment (000005fa) is the same value the kerberos proto below reports as its record mark. Long payloads are replaced with "...elided...", so only sizes and offsets can be checked for them. -->
671 <proto name="fake-field-wrapper">
672 <field name="tcp.segments" showname="3 Reassembled TCP Segments (1534 bytes): #2406(4), #2407(1500), #2408(30)" size="1534" pos="0" show="" value="">
673 <field name="tcp.segment" showname="Frame: 2406, payload: 0-3 (4 bytes)" size="4" pos="0" show="2406" value="000005fa"/>
674 <field name="tcp.segment" showname="Frame: 2407, payload: 4-1503 (1500 bytes)" size="1500" pos="4" show="2407" value="...elided..."/>
675 <field name="tcp.segment" showname="Frame: 2408, payload: 1504-1533 (30 bytes)" size="30" pos="1504" show="2408" value="54c1fbc343dff3ce39c5506dbb0ae1fb631d434e45944b8a05aecf899362"/>
676 <field name="tcp.segment.count" showname="Segment count: 3" size="0" pos="0" show="3"/>
677 <field name="tcp.reassembled.length" showname="Reassembled TCP length: 1534" size="0" pos="0" show="1534"/>
678 <field name="tcp.reassembled.data" showname="Reassembled TCP Data: 000005fa6b8205f6308205f2a003020105a10302010ba22b..." size="1534" pos="0" show="...elided..." value="...elided..."/>
679 </field>
680 </proto>
681 <proto name="kerberos" showname="Kerberos" size="1534" pos="0">
682 <field name="" show="Record Mark: 1530 bytes" size="4" pos="0" value="000005fa">
683 <field name="kerberos.rm.reserved" showname="0... .... .... .... .... .... .... .... = Reserved: Not set" size="4" pos="0" show="0" value="0" unmaskedvalue="000005fa"/>
684 <field name="kerberos.rm.length" showname=".000 0000 0000 0000 0000 0101 1111 1010 = Record Length: 1530" size="4" pos="0" show="1530" value="5FA" unmaskedvalue="000005fa"/>
685 </field>
686 <field name="kerberos.as_rep_element" showname="as-rep" size="1526" pos="8" show="" value="">
687 <field name="kerberos.pvno" showname="pvno: 5" size="1" pos="16" show="5" value="05"/>
688 <field name="kerberos.msg_type" showname="msg-type: krb-as-rep (11)" size="1" pos="21" show="11" value="0b"/>
<!-- PA-PW-SALT: the 30-byte padata-value is the ASCII text "SAMBA.EXAMPLE.COM" followed by "Administrator", matching the crealm and cname fields of this reply. The kerberos.smb.* children cover the first 12 of those same bytes (pos 37, 41, 45) displayed as little-endian integers, so "NT Status: Unknown (0x424d4153)" is the text "SAMB" and not an error reported by the server. Consumers of this test data should not treat it as a real NT status. -->
689 <field name="kerberos.padata" showname="padata: 1 item" size="41" pos="26" show="1" value="3027a103020103a220041e53414d42412e4558414d504c452e434f4d41646d696e6973747261746f72">
690 <field name="kerberos.PA_DATA_element" showname="PA-DATA PA-PW-SALT" size="41" pos="26" show="" value="">
691 <field name="kerberos.padata_type" showname="padata-type: kRB5-PADATA-PW-SALT (3)" size="1" pos="32" show="3" value="03">
692 <field name="kerberos.padata_value" showname="padata-value: 53414d42412e4558414d504c452e434f4d41646d696e6973..." size="30" pos="37" show="53:41:4d:42:41:2e:45:58:41:4d:50:4c:45:2e:43:4f:4d:41:64:6d:69:6e:69:73:74:72:61:74:6f:72" value="53414d42412e4558414d504c452e434f4d41646d696e6973747261746f72">
693 <field name="kerberos.smb.nt_status" showname="NT Status: Unknown (0x424d4153)" size="4" pos="37" show="0x424d4153" value="53414d42"/>
694 <field name="kerberos.smb.unknown" showname="Unknown: 0x58452e41" size="4" pos="41" show="0x58452e41" value="412e4558"/>
695 <field name="kerberos.smb.unknown" showname="Unknown: 0x4c504d41" size="4" pos="45" show="0x4c504d41" value="414d504c"/>
696 </field>
697 </field>
698 </field>
699 </field>
700 <field name="kerberos.crealm" showname="crealm: SAMBA.EXAMPLE.COM" size="17" pos="71" show="SAMBA.EXAMPLE.COM" value="53414d42412e4558414d504c452e434f4d"/>
701 <field name="kerberos.cname_element" showname="cname" size="26" pos="90" show="" value="">
702 <field name="kerberos.name_type" showname="name-type: kRB5-NT-PRINCIPAL (1)" size="1" pos="96" show="1" value="01"/>
703 <field name="kerberos.name_string" showname="name-string: 1 item" size="15" pos="101" show="1" value="1b0d41646d696e6973747261746f72">
704 <field name="kerberos.KerberosString" showname="KerberosString: Administrator" size="13" pos="103" show="Administrator" value="41646d696e6973747261746f72"/>
705 </field>
706 </field>
<!-- Ticket issued in this as-rep for krbtgt/SAMBA.EXAMPLE.COM, i.e. the ticket-granting ticket. Its enc-part uses AES256-CTS-HMAC-SHA1-96 (etype 18) with kvno 1. The 1046-byte cipher is elided and only a prefix survives in showname; the same prefix (5a2a14fe...) appears in the ticket carried by the tgs-req of frame 2422. -->
707 <field name="kerberos.ticket_element" showname="ticket" size="1142" pos="124" show="" value="">
708 <field name="kerberos.tkt_vno" showname="tkt-vno: 5" size="1" pos="132" show="5" value="05"/>
709 <field name="kerberos.realm" showname="realm: SAMBA.EXAMPLE.COM" size="17" pos="137" show="SAMBA.EXAMPLE.COM" value="53414d42412e4558414d504c452e434f4d"/>
710 <field name="kerberos.sname_element" showname="sname" size="38" pos="156" show="" value="">
711 <field name="kerberos.name_type" showname="name-type: kRB5-NT-SRV-INST (2)" size="1" pos="162" show="2" value="02"/>
712 <field name="kerberos.name_string" showname="name-string: 2 items" size="27" pos="167" show="2" value="1b066b72627467741b1153414d42412e4558414d504c452e434f4d">
713 <field name="kerberos.KerberosString" showname="KerberosString: krbtgt" size="6" pos="169" show="krbtgt" value="6b7262746774"/>
714 <field name="kerberos.KerberosString" showname="KerberosString: SAMBA.EXAMPLE.COM" size="17" pos="177" show="SAMBA.EXAMPLE.COM" value="53414d42412e4558414d504c452e434f4d"/>
715 </field>
716 </field>
717 <field name="kerberos.enc_part_element" showname="enc-part" size="1068" pos="198" show="" value="">
718 <field name="kerberos.etype" showname="etype: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)" size="1" pos="206" show="18" value="12"/>
719 <field name="kerberos.kvno" showname="kvno: 1" size="1" pos="211" show="1" value="01"/>
720 <field name="kerberos.cipher" showname="cipher: 5a2a14fec09c49807c1be2a0b335af26ed64f89184336870..." size="1046" pos="220" show="...elided..." value="...elided..."/>
721 </field>
722 </field>
723 <field name="kerberos.enc_part_element" showname="enc-part" size="264" pos="1270" show="" value="">
724 <field name="kerberos.etype" showname="etype: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)" size="1" pos="1278" show="18" value="12"/>
725 <field name="kerberos.kvno" showname="kvno: 1" size="1" pos="1283" show="1" value="01"/>
726 <field name="kerberos.cipher" showname="cipher: 3ecb1568e8ee09adcebe1ec65c1e767415512cd84449fabc..." size="244" pos="1290" show="...elided..." value="...elided..."/>
727 </field>
728 </field>
729 </proto>
730 </packet>
733 <packet>
734 <proto name="geninfo" pos="0" showname="General information" size="82">
735 <field name="num" pos="0" show="2422" showname="Number" value="976" size="82"/>
736 <field name="len" pos="0" show="82" showname="Frame Length" value="52" size="82"/>
737 <field name="caplen" pos="0" show="82" showname="Captured Length" value="52" size="82"/>
738 <field name="timestamp" pos="0" show="Feb 10, 2017 14:36:24.139378000 NZDT" showname="Captured Time" value="1486690584.139378000" size="82"/>
739 </proto>
740 <proto name="frame" showname="Frame 2422: 82 bytes on wire (656 bits), 82 bytes captured (656 bits)" size="82" pos="0">
741 <field name="frame.encap_type" showname="Encapsulation type: Raw IP (7)" size="0" pos="0" show="7"/>
742 <field name="frame.time" showname="Arrival Time: Feb 10, 2017 14:36:24.139378000 NZDT" size="0" pos="0" show="Feb 10, 2017 14:36:24.139378000 NZDT"/>
743 <field name="frame.offset_shift" showname="Time shift for this packet: 0.000000000 seconds" size="0" pos="0" show="0.000000000"/>
744 <field name="frame.time_epoch" showname="Epoch Time: 1486690584.139378000 seconds" size="0" pos="0" show="1486690584.139378000"/>
745 <field name="frame.time_delta" showname="Time delta from previous captured frame: 0.000003000 seconds" size="0" pos="0" show="0.000003000"/>
746 <field name="frame.time_delta_displayed" showname="Time delta from previous displayed frame: 0.000003000 seconds" size="0" pos="0" show="0.000003000"/>
747 <field name="frame.time_relative" showname="Time since reference or first frame: 7.608927000 seconds" size="0" pos="0" show="7.608927000"/>
748 <field name="frame.number" showname="Frame Number: 2422" size="0" pos="0" show="2422"/>
749 <field name="frame.len" showname="Frame Length: 82 bytes (656 bits)" size="0" pos="0" show="82"/>
750 <field name="frame.cap_len" showname="Capture Length: 82 bytes (656 bits)" size="0" pos="0" show="82"/>
751 <field name="frame.marked" showname="Frame is marked: False" size="0" pos="0" show="0"/>
752 <field name="frame.ignored" showname="Frame is ignored: False" size="0" pos="0" show="0"/>
753 <field name="frame.protocols" showname="Protocols in frame: raw:ip:tcp:kerberos" size="0" pos="0" show="raw:ip:tcp:kerberos"/>
754 </proto>
755 <proto name="raw" showname="Raw packet data" size="82" pos="0"/>
756 <proto name="ip" showname="Internet Protocol Version 4, Src: 127.0.0.11, Dst: 127.0.0.21" size="20" pos="0">
757 <field name="ip.version" showname="0100 .... = Version: 4" size="1" pos="0" show="4" value="4" unmaskedvalue="45"/>
758 <field name="ip.hdr_len" showname=".... 0101 = Header Length: 20 bytes" size="1" pos="0" show="5" value="5" unmaskedvalue="45"/>
759 <field name="ip.dsfield" showname="Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)" size="1" pos="1" show="0x00000000" value="00">
760 <field name="ip.dsfield.dscp" showname="0000 00.. = Differentiated Services Codepoint: Default (0)" size="1" pos="1" show="0" value="0" unmaskedvalue="00"/>
761 <field name="ip.dsfield.ecn" showname=".... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)" size="1" pos="1" show="0" value="0" unmaskedvalue="00"/>
762 </field>
763 <field name="ip.len" showname="Total Length: 82" size="2" pos="2" show="82" value="0052"/>
764 <field name="ip.id" showname="Identification: 0xffff (65535)" size="2" pos="4" show="0x0000ffff" value="ffff"/>
765 <field name="ip.flags" showname="Flags: 0x02 (Don&#x27;t Fragment)" size="1" pos="6" show="0x00000002" value="40">
766 <field name="ip.flags.rb" showname="0... .... = Reserved bit: Not set" size="1" pos="6" show="0" value="40"/>
767 <field name="ip.flags.df" showname=".1.. .... = Don&#x27;t fragment: Set" size="1" pos="6" show="1" value="40"/>
768 <field name="ip.flags.mf" showname="..0. .... = More fragments: Not set" size="1" pos="6" show="0" value="40"/>
769 </field>
770 <field name="ip.frag_offset" showname="Fragment offset: 0" size="2" pos="6" show="0" value="4000"/>
771 <field name="ip.ttl" showname="Time to live: 255" size="1" pos="8" show="255" value="ff"/>
772 <field name="ip.proto" showname="Protocol: TCP (6)" size="1" pos="9" show="6" value="06"/>
773 <field name="ip.checksum" showname="Header checksum: 0x0000 [validation disabled]" size="2" pos="10" show="0x00000000" value="0000">
774 <field name="ip.checksum_good" showname="Good: False" size="2" pos="10" show="0" value="0000"/>
775 <field name="ip.checksum_bad" showname="Bad: False" size="2" pos="10" show="0" value="0000"/>
776 </field>
777 <field name="ip.src" showname="Source: 127.0.0.11" size="4" pos="12" show="127.0.0.11" value="7f00000b"/>
778 <field name="ip.addr" showname="Source or Destination Address: 127.0.0.11" hide="yes" size="4" pos="12" show="127.0.0.11" value="7f00000b"/>
779 <field name="ip.src_host" showname="Source Host: 127.0.0.11" hide="yes" size="4" pos="12" show="127.0.0.11" value="7f00000b"/>
780 <field name="ip.host" showname="Source or Destination Host: 127.0.0.11" hide="yes" size="4" pos="12" show="127.0.0.11" value="7f00000b"/>
781 <field name="ip.dst" showname="Destination: 127.0.0.21" size="4" pos="16" show="127.0.0.21" value="7f000015"/>
782 <field name="ip.addr" showname="Source or Destination Address: 127.0.0.21" hide="yes" size="4" pos="16" show="127.0.0.21" value="7f000015"/>
783 <field name="ip.dst_host" showname="Destination Host: 127.0.0.21" hide="yes" size="4" pos="16" show="127.0.0.21" value="7f000015"/>
784 <field name="ip.host" showname="Source or Destination Host: 127.0.0.21" hide="yes" size="4" pos="16" show="127.0.0.21" value="7f000015"/>
785 <field name="" show="Source GeoIP: Unknown" size="4" pos="12" value="7f00000b"/>
786 <field name="" show="Destination GeoIP: Unknown" size="4" pos="16" value="7f000015"/>
787 </proto>
788 <proto name="tcp" showname="Transmission Control Protocol, Src Port: 14788 (14788), Dst Port: 88 (88), Seq: 1501, Ack: 1, Len: 42" size="20" pos="20">
789 <field name="tcp.srcport" showname="Source Port: 14788" size="2" pos="20" show="14788" value="39c4"/>
790 <field name="tcp.dstport" showname="Destination Port: 88" size="2" pos="22" show="88" value="0058"/>
791 <field name="tcp.port" showname="Source or Destination Port: 14788" hide="yes" size="2" pos="20" show="14788" value="39c4"/>
792 <field name="tcp.port" showname="Source or Destination Port: 88" hide="yes" size="2" pos="22" show="88" value="0058"/>
793 <field name="tcp.stream" showname="Stream index: 50" size="0" pos="20" show="50"/>
794 <field name="tcp.len" showname="TCP Segment Len: 42" size="1" pos="32" show="42" value="50"/>
795 <field name="tcp.seq" showname="Sequence number: 1501 (relative sequence number)" size="4" pos="24" show="1501" value="000005dd"/>
796 <field name="tcp.nxtseq" showname="Next sequence number: 1543 (relative sequence number)" size="0" pos="20" show="1543"/>
797 <field name="tcp.ack" showname="Acknowledgment number: 1 (relative ack number)" size="4" pos="28" show="1" value="00000001"/>
798 <field name="tcp.hdr_len" showname="Header Length: 20 bytes" size="1" pos="32" show="20" value="50"/>
799 <field name="tcp.flags" showname="Flags: 0x018 (PSH, ACK)" size="2" pos="32" show="0x00000018" value="18" unmaskedvalue="5018">
800 <field name="tcp.flags.res" showname="000. .... .... = Reserved: Not set" size="1" pos="32" show="0" value="0" unmaskedvalue="50"/>
801 <field name="tcp.flags.ns" showname="...0 .... .... = Nonce: Not set" size="1" pos="32" show="0" value="0" unmaskedvalue="50"/>
802 <field name="tcp.flags.cwr" showname=".... 0... .... = Congestion Window Reduced (CWR): Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
803 <field name="tcp.flags.ecn" showname=".... .0.. .... = ECN-Echo: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
804 <field name="tcp.flags.urg" showname=".... ..0. .... = Urgent: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
805 <field name="tcp.flags.ack" showname=".... ...1 .... = Acknowledgment: Set" size="1" pos="33" show="1" value="FFFFFFFF" unmaskedvalue="18"/>
806 <field name="tcp.flags.push" showname=".... .... 1... = Push: Set" size="1" pos="33" show="1" value="FFFFFFFF" unmaskedvalue="18"/>
807 <field name="tcp.flags.reset" showname=".... .... .0.. = Reset: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
808 <field name="tcp.flags.syn" showname=".... .... ..0. = Syn: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
809 <field name="tcp.flags.fin" showname=".... .... ...0 = Fin: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
810 <field name="tcp.flags.str" showname="TCP Flags: *******AP***" size="2" pos="32" show="*******AP***" value="5018"/>
811 </field>
812 <field name="tcp.window_size_value" showname="Window size value: 32767" size="2" pos="34" show="32767" value="7fff"/>
813 <field name="tcp.window_size" showname="Calculated window size: 32767" size="2" pos="34" show="32767" value="7fff"/>
814 <field name="tcp.window_size_scalefactor" showname="Window size scaling factor: -2 (no window scaling used)" size="2" pos="34" show="-2" value="7fff"/>
815 <field name="tcp.checksum" showname="Checksum: 0x0000 [validation disabled]" size="2" pos="36" show="0x00000000" value="0000">
816 <field name="tcp.checksum_good" showname="Good Checksum: False" size="2" pos="36" show="0" value="0000"/>
817 <field name="tcp.checksum_bad" showname="Bad Checksum: False" size="2" pos="36" show="0" value="0000"/>
818 </field>
819 <field name="tcp.urgent_pointer" showname="Urgent pointer: 0" size="2" pos="38" show="0" value="0000"/>
820 <field name="tcp.analysis" showname="SEQ/ACK analysis" size="0" pos="20" show="" value="">
821 <field name="tcp.analysis.initial_rtt" showname="iRTT: 0.000009000 seconds" size="0" pos="20" show="0.000009000"/>
822 <field name="tcp.analysis.bytes_in_flight" showname="Bytes in flight: 1542" size="0" pos="20" show="1542"/>
823 </field>
824 <field name="tcp.pdu.size" showname="PDU Size: 1542" size="1542" pos="20" show="1542" value="...elided..."/>
825 <field name="tcp.segment_data" showname="TCP segment data (42 bytes)" size="42" pos="40" show="30:30:30:30:30:5a:a7:06:02:04:99:16:39:d0:a8:1a:30:18:02:01:12:02:01:11:02:01:10:02:01:05:02:01:17:02:01:03:02:01:02:02:01:01" value="30303030305aa7060204991639d0a81a3018020112020111020110020105020117020103020102020101"/>
826 </proto>
827 <proto name="fake-field-wrapper">
828 <field name="tcp.segments" showname="2 Reassembled TCP Segments (1542 bytes): #2421(1500), #2422(42)" size="1542" pos="0" show="" value="">
829 <field name="tcp.segment" showname="Frame: 2421, payload: 0-1499 (1500 bytes)" size="1500" pos="0" show="2421" value="...elided..."/>
830 <field name="tcp.segment" showname="Frame: 2422, payload: 1500-1541 (42 bytes)" size="42" pos="1500" show="2422" value="30303030305aa7060204991639d0a81a3018020112020111020110020105020117020103020102020101"/>
831 <field name="tcp.segment.count" showname="Segment count: 2" size="0" pos="0" show="2"/>
832 <field name="tcp.reassembled.length" showname="Reassembled TCP length: 1542" size="0" pos="0" show="1542"/>
833 <field name="tcp.reassembled.data" showname="Reassembled TCP Data: 000006026c8205fe308205faa103020105a20302010ca382..." size="1542" pos="0" show="...elided..." value="...elided..."/>
834 </field>
835 </proto>
836 <proto name="kerberos" showname="Kerberos" size="1542" pos="0">
837 <field name="" show="Record Mark: 1538 bytes" size="4" pos="0" value="00000602">
838 <field name="kerberos.rm.reserved" showname="0... .... .... .... .... .... .... .... = Reserved: Not set" size="4" pos="0" show="0" value="0" unmaskedvalue="00000602"/>
839 <field name="kerberos.rm.length" showname=".000 0000 0000 0000 0000 0110 0000 0010 = Record Length: 1538" size="4" pos="0" show="1538" value="602" unmaskedvalue="00000602"/>
840 </field>
841 <field name="kerberos.tgs_req_element" showname="tgs-req" size="1534" pos="8" show="" value="">
842 <field name="kerberos.pvno" showname="pvno: 5" size="1" pos="16" show="5" value="05"/>
843 <field name="kerberos.msg_type" showname="msg-type: krb-tgs-req (12)" size="1" pos="21" show="12" value="0c"/>
<!-- PA-TGS-REQ: the padata-value is an embedded ap-req (msg-type 14) that presents the krbtgt/SAMBA.EXAMPLE.COM ticket together with an encrypted authenticator. The ticket cipher prefix (5a2a14fe...) matches the ticket issued in the as-rep of frame 2408. Both ciphers and the enclosing padata values are elided, so only structure, sizes and offsets can be checked against this sample. -->
844 <field name="kerberos.padata" showname="padata: 1 item" size="1395" pos="30" show="1" value="...elided...">
845 <field name="kerberos.PA_DATA_element" showname="PA-DATA PA-TGS-REQ" size="1395" pos="30" show="" value="">
846 <field name="kerberos.padata_type" showname="padata-type: kRB5-PADATA-TGS-REQ (1)" size="1" pos="38" show="1" value="01">
847 <field name="kerberos.padata_value" showname="padata-value: 6e82055e3082055aa003020105a10302010ea20703050000..." size="1378" pos="47" show="...elided..." value="...elided...">
848 <field name="kerberos.ap_req_element" showname="ap-req" size="1374" pos="51" show="" value="">
849 <field name="kerberos.pvno" showname="pvno: 5" size="1" pos="59" show="5" value="05"/>
850 <field name="kerberos.msg_type" showname="msg-type: krb-ap-req (14)" size="1" pos="64" show="14" value="0e"/>
851 <field name="ber.bitstring.padding" showname="Padding: 0" size="1" pos="69" show="0" value="00"/>
852 <field name="kerberos.ap_options" showname="ap-options: 00000000" size="4" pos="70" show="00:00:00:00" value="00000000">
853 <field name="kerberos.reserved" showname="0... .... = reserved: False" size="1" pos="70" show="0" value="0" unmaskedvalue="00"/>
854 <field name="kerberos.use-session-key" showname=".0.. .... = use-session-key: False" size="1" pos="70" show="0" value="0" unmaskedvalue="00"/>
855 <field name="kerberos.mutual-required" showname="..0. .... = mutual-required: False" size="1" pos="70" show="0" value="0" unmaskedvalue="00"/>
856 </field>
857 <field name="kerberos.ticket_element" showname="ticket" size="1142" pos="82" show="" value="">
858 <field name="kerberos.tkt_vno" showname="tkt-vno: 5" size="1" pos="90" show="5" value="05"/>
859 <field name="kerberos.realm" showname="realm: SAMBA.EXAMPLE.COM" size="17" pos="95" show="SAMBA.EXAMPLE.COM" value="53414d42412e4558414d504c452e434f4d"/>
860 <field name="kerberos.sname_element" showname="sname" size="38" pos="114" show="" value="">
861 <field name="kerberos.name_type" showname="name-type: kRB5-NT-SRV-INST (2)" size="1" pos="120" show="2" value="02"/>
862 <field name="kerberos.name_string" showname="name-string: 2 items" size="27" pos="125" show="2" value="1b066b72627467741b1153414d42412e4558414d504c452e434f4d">
863 <field name="kerberos.KerberosString" showname="KerberosString: krbtgt" size="6" pos="127" show="krbtgt" value="6b7262746774"/>
864 <field name="kerberos.KerberosString" showname="KerberosString: SAMBA.EXAMPLE.COM" size="17" pos="135" show="SAMBA.EXAMPLE.COM" value="53414d42412e4558414d504c452e434f4d"/>
865 </field>
866 </field>
867 <field name="kerberos.enc_part_element" showname="enc-part" size="1068" pos="156" show="" value="">
868 <field name="kerberos.etype" showname="etype: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)" size="1" pos="164" show="18" value="12"/>
869 <field name="kerberos.kvno" showname="kvno: 1" size="1" pos="169" show="1" value="01"/>
870 <field name="kerberos.cipher" showname="cipher: 5a2a14fec09c49807c1be2a0b335af26ed64f89184336870..." size="1046" pos="178" show="...elided..." value="...elided..."/>
871 </field>
872 </field>
873 <field name="kerberos.authenticator_element" showname="authenticator" size="198" pos="1227" show="" value="">
874 <field name="kerberos.etype" showname="etype: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)" size="1" pos="1234" show="18" value="12"/>
875 <field name="kerberos.cipher" showname="cipher: 263f6091496efbdb7c0b3c7e40fa7bfbf2e284a38b105cb9..." size="184" pos="1241" show="...elided..." value="...elided..."/>
876 </field>
877 </field>
878 </field>
879 </field>
880 </field>
881 </field>
882 <field name="kerberos.req_body_element" showname="req-body" size="115" pos="1427" show="" value="">
883 <field name="ber.bitstring.padding" showname="Padding: 0" size="1" pos="1433" show="0" value="00"/>
<!-- kdc-options 00010000 for this tgs-req: of the flag bits listed below only canonicalize (pos 1435, unmaskedvalue 01) is set; every other listed flag is False. Set flags are exported with value="FFFFFFFF" and show="1", so read the show attribute rather than value when testing a flag. -->
884 <field name="kerberos.kdc_options" showname="kdc-options: 00010000 (canonicalize)" size="4" pos="1434" show="00:01:00:00" value="00010000">
885 <field name="kerberos.reserved" showname="0... .... = reserved: False" size="1" pos="1434" show="0" value="0" unmaskedvalue="00"/>
886 <field name="kerberos.forwardable" showname=".0.. .... = forwardable: False" size="1" pos="1434" show="0" value="0" unmaskedvalue="00"/>
887 <field name="kerberos.forwarded" showname="..0. .... = forwarded: False" size="1" pos="1434" show="0" value="0" unmaskedvalue="00"/>
888 <field name="kerberos.proxiable" showname="...0 .... = proxiable: False" size="1" pos="1434" show="0" value="0" unmaskedvalue="00"/>
889 <field name="kerberos.proxy" showname=".... 0... = proxy: False" size="1" pos="1434" show="0" value="0" unmaskedvalue="00"/>
890 <field name="kerberos.allow-postdate" showname=".... .0.. = allow-postdate: False" size="1" pos="1434" show="0" value="0" unmaskedvalue="00"/>
891 <field name="kerberos.postdated" showname=".... ..0. = postdated: False" size="1" pos="1434" show="0" value="0" unmaskedvalue="00"/>
892 <field name="kerberos.unused7" showname=".... ...0 = unused7: False" size="1" pos="1434" show="0" value="0" unmaskedvalue="00"/>
893 <field name="kerberos.renewable" showname="0... .... = renewable: False" size="1" pos="1435" show="0" value="0" unmaskedvalue="01"/>
894 <field name="kerberos.unused9" showname=".0.. .... = unused9: False" size="1" pos="1435" show="0" value="0" unmaskedvalue="01"/>
895 <field name="kerberos.unused10" showname="..0. .... = unused10: False" size="1" pos="1435" show="0" value="0" unmaskedvalue="01"/>
896 <field name="kerberos.opt-hardware-auth" showname="...0 .... = opt-hardware-auth: False" size="1" pos="1435" show="0" value="0" unmaskedvalue="01"/>
897 <field name="kerberos.request-anonymous" showname=".... ..0. = request-anonymous: False" size="1" pos="1435" show="0" value="0" unmaskedvalue="01"/>
898 <field name="kerberos.canonicalize" showname=".... ...1 = canonicalize: True" size="1" pos="1435" show="1" value="FFFFFFFF" unmaskedvalue="01"/>
899 <field name="kerberos.constrained-delegation" showname="0... .... = constrained-delegation: False" size="1" pos="1436" show="0" value="0" unmaskedvalue="00"/>
900 <field name="kerberos.disable-transited-check" showname="..0. .... = disable-transited-check: False" size="1" pos="1437" show="0" value="0" unmaskedvalue="00"/>
901 <field name="kerberos.renewable-ok" showname="...0 .... = renewable-ok: False" size="1" pos="1437" show="0" value="0" unmaskedvalue="00"/>
902 <field name="kerberos.enc-tkt-in-skey" showname=".... 0... = enc-tkt-in-skey: False" size="1" pos="1437" show="0" value="0" unmaskedvalue="00"/>
903 <field name="kerberos.renew" showname=".... ..0. = renew: False" size="1" pos="1437" show="0" value="0" unmaskedvalue="00"/>
904 <field name="kerberos.validate" showname=".... ...0 = validate: False" size="1" pos="1437" show="0" value="0" unmaskedvalue="00"/>
905 </field>
906 <field name="kerberos.realm" showname="realm: SAMBA.EXAMPLE.COM" size="17" pos="1442" show="SAMBA.EXAMPLE.COM" value="53414d42412e4558414d504c452e434f4d"/>
907 <field name="kerberos.sname_element" showname="sname" size="26" pos="1461" show="" value="">
908 <field name="kerberos.name_type" showname="name-type: kRB5-NT-PRINCIPAL (1)" size="1" pos="1467" show="1" value="01"/>
909 <field name="kerberos.name_string" showname="name-string: 2 items" size="15" pos="1472" show="2" value="1b046c6461701b076c6f63616c6463">
910 <field name="kerberos.KerberosString" showname="KerberosString: ldap" size="4" pos="1474" show="ldap" value="6c646170"/>
911 <field name="kerberos.KerberosString" showname="KerberosString: localdc" size="7" pos="1480" show="localdc" value="6c6f63616c6463"/>
912 </field>
913 </field>
914 <field name="kerberos.till" showname="till: 1970-01-01 00:00:00 (UTC)" size="15" pos="1491" show="1970-01-01 00:00:00 (UTC)" value="31393730303130313030303030305a"/>
915 <field name="kerberos.nonce" showname="nonce: 2568370640" size="4" pos="1510" show="2568370640" value="991639d0"/>
<!-- Encryption types offered in the Kerberos request body whose options, realm, sname,
     till and nonce fields precede this list, in the order sent: AES256 (18), AES128 (17),
     two 3DES types (16, 5), RC4-HMAC (23) and three single-DES types (3, 2, 1).
     The parent value attribute is the DER of the list, one INTEGER (02 01 nn) per entry.
     Single DES is deprecated by RFC 6649, and 3DES and RC4 by RFC 8429; this is lab
     traffic kept as parser test input, not a recommended enctype configuration. -->
916 <field name="kerberos.etype" showname="etype: 8 items" size="24" pos="1518" show="8" value="020112020111020110020105020117020103020102020101">
917 <field name="kerberos.ENCTYPE" showname="ENCTYPE: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)" size="1" pos="1520" show="18" value="12"/>
918 <field name="kerberos.ENCTYPE" showname="ENCTYPE: eTYPE-AES128-CTS-HMAC-SHA1-96 (17)" size="1" pos="1523" show="17" value="11"/>
919 <field name="kerberos.ENCTYPE" showname="ENCTYPE: eTYPE-DES3-CBC-SHA1 (16)" size="1" pos="1526" show="16" value="10"/>
920 <field name="kerberos.ENCTYPE" showname="ENCTYPE: eTYPE-DES3-CBC-MD5 (5)" size="1" pos="1529" show="5" value="05"/>
921 <field name="kerberos.ENCTYPE" showname="ENCTYPE: eTYPE-ARCFOUR-HMAC-MD5 (23)" size="1" pos="1532" show="23" value="17"/>
922 <field name="kerberos.ENCTYPE" showname="ENCTYPE: eTYPE-DES-CBC-MD5 (3)" size="1" pos="1535" show="3" value="03"/>
923 <field name="kerberos.ENCTYPE" showname="ENCTYPE: eTYPE-DES-CBC-MD4 (2)" size="1" pos="1538" show="2" value="02"/>
924 <field name="kerberos.ENCTYPE" showname="ENCTYPE: eTYPE-DES-CBC-CRC (1)" size="1" pos="1541" show="1" value="01"/>
925 </field>
926 </field>
927 </field>
928 </proto>
929 </packet>
<!-- Example packet: frame 2429, a Kerberos TGS-REP (msg-type 13) sent over TCP from
     port 88 on 127.0.0.21 to port 14788 on 127.0.0.11. It returns a ticket for the
     service principal ldap/localdc in realm SAMBA.EXAMPLE.COM to the client principal
     Administrator. Large payload values are replaced by an elision marker. -->
932 <packet>
933 <proto name="geninfo" pos="0" showname="General information" size="1517">
<!-- In geninfo, show is decimal and value is hexadecimal (0x97d = 2429, 0x5ed = 1517). -->
934 <field name="num" pos="0" show="2429" showname="Number" value="97d" size="1517"/>
935 <field name="len" pos="0" show="1517" showname="Frame Length" value="5ed" size="1517"/>
936 <field name="caplen" pos="0" show="1517" showname="Captured Length" value="5ed" size="1517"/>
937 <field name="timestamp" pos="0" show="Feb 10, 2017 14:36:24.143220000 NZDT" showname="Captured Time" value="1486690584.143220000" size="1517"/>
938 </proto>
939 <proto name="frame" showname="Frame 2429: 1517 bytes on wire (12136 bits), 1517 bytes captured (12136 bits)" size="1517" pos="0">
940 <field name="frame.encap_type" showname="Encapsulation type: Raw IP (7)" size="0" pos="0" show="7"/>
941 <field name="frame.time" showname="Arrival Time: Feb 10, 2017 14:36:24.143220000 NZDT" size="0" pos="0" show="Feb 10, 2017 14:36:24.143220000 NZDT"/>
942 <field name="frame.offset_shift" showname="Time shift for this packet: 0.000000000 seconds" size="0" pos="0" show="0.000000000"/>
943 <field name="frame.time_epoch" showname="Epoch Time: 1486690584.143220000 seconds" size="0" pos="0" show="1486690584.143220000"/>
944 <field name="frame.time_delta" showname="Time delta from previous captured frame: 0.003735000 seconds" size="0" pos="0" show="0.003735000"/>
945 <field name="frame.time_delta_displayed" showname="Time delta from previous displayed frame: 0.003735000 seconds" size="0" pos="0" show="0.003735000"/>
946 <field name="frame.time_relative" showname="Time since reference or first frame: 7.612769000 seconds" size="0" pos="0" show="7.612769000"/>
947 <field name="frame.number" showname="Frame Number: 2429" size="0" pos="0" show="2429"/>
948 <field name="frame.len" showname="Frame Length: 1517 bytes (12136 bits)" size="0" pos="0" show="1517"/>
949 <field name="frame.cap_len" showname="Capture Length: 1517 bytes (12136 bits)" size="0" pos="0" show="1517"/>
950 <field name="frame.marked" showname="Frame is marked: False" size="0" pos="0" show="0"/>
951 <field name="frame.ignored" showname="Frame is ignored: False" size="0" pos="0" show="0"/>
<!-- frame.protocols gives the dissector chain; here the payload is Kerberos directly over TCP. -->
952 <field name="frame.protocols" showname="Protocols in frame: raw:ip:tcp:kerberos" size="0" pos="0" show="raw:ip:tcp:kerberos"/>
953 </proto>
954 <proto name="raw" showname="Raw packet data" size="1517" pos="0"/>
955 <proto name="ip" showname="Internet Protocol Version 4, Src: 127.0.0.21, Dst: 127.0.0.11" size="20" pos="0">
956 <field name="ip.version" showname="0100 .... = Version: 4" size="1" pos="0" show="4" value="4" unmaskedvalue="45"/>
957 <field name="ip.hdr_len" showname=".... 0101 = Header Length: 20 bytes" size="1" pos="0" show="5" value="5" unmaskedvalue="45"/>
958 <field name="ip.dsfield" showname="Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)" size="1" pos="1" show="0x00000000" value="00">
959 <field name="ip.dsfield.dscp" showname="0000 00.. = Differentiated Services Codepoint: Default (0)" size="1" pos="1" show="0" value="0" unmaskedvalue="00"/>
960 <field name="ip.dsfield.ecn" showname=".... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)" size="1" pos="1" show="0" value="0" unmaskedvalue="00"/>
961 </field>
962 <field name="ip.len" showname="Total Length: 1517" size="2" pos="2" show="1517" value="05ed"/>
963 <field name="ip.id" showname="Identification: 0xffff (65535)" size="2" pos="4" show="0x0000ffff" value="ffff"/>
964 <field name="ip.flags" showname="Flags: 0x02 (Don&#x27;t Fragment)" size="1" pos="6" show="0x00000002" value="40">
965 <field name="ip.flags.rb" showname="0... .... = Reserved bit: Not set" size="1" pos="6" show="0" value="40"/>
966 <field name="ip.flags.df" showname=".1.. .... = Don&#x27;t fragment: Set" size="1" pos="6" show="1" value="40"/>
967 <field name="ip.flags.mf" showname="..0. .... = More fragments: Not set" size="1" pos="6" show="0" value="40"/>
968 </field>
969 <field name="ip.frag_offset" showname="Fragment offset: 0" size="2" pos="6" show="0" value="4000"/>
970 <field name="ip.ttl" showname="Time to live: 255" size="1" pos="8" show="255" value="ff"/>
971 <field name="ip.proto" showname="Protocol: TCP (6)" size="1" pos="9" show="6" value="06"/>
<!-- Checksum validation was disabled in the dissector, so both checksum_good and
     checksum_bad are False; neither says whether the 0x0000 checksum is correct. -->
972 <field name="ip.checksum" showname="Header checksum: 0x0000 [validation disabled]" size="2" pos="10" show="0x00000000" value="0000">
973 <field name="ip.checksum_good" showname="Good: False" size="2" pos="10" show="0" value="0000"/>
974 <field name="ip.checksum_bad" showname="Bad: False" size="2" pos="10" show="0" value="0000"/>
975 </field>
976 <field name="ip.src" showname="Source: 127.0.0.21" size="4" pos="12" show="127.0.0.21" value="7f000015"/>
977 <field name="ip.addr" showname="Source or Destination Address: 127.0.0.21" hide="yes" size="4" pos="12" show="127.0.0.21" value="7f000015"/>
978 <field name="ip.src_host" showname="Source Host: 127.0.0.21" hide="yes" size="4" pos="12" show="127.0.0.21" value="7f000015"/>
979 <field name="ip.host" showname="Source or Destination Host: 127.0.0.21" hide="yes" size="4" pos="12" show="127.0.0.21" value="7f000015"/>
980 <field name="ip.dst" showname="Destination: 127.0.0.11" size="4" pos="16" show="127.0.0.11" value="7f00000b"/>
981 <field name="ip.addr" showname="Source or Destination Address: 127.0.0.11" hide="yes" size="4" pos="16" show="127.0.0.11" value="7f00000b"/>
982 <field name="ip.dst_host" showname="Destination Host: 127.0.0.11" hide="yes" size="4" pos="16" show="127.0.0.11" value="7f00000b"/>
983 <field name="ip.host" showname="Source or Destination Host: 127.0.0.11" hide="yes" size="4" pos="16" show="127.0.0.11" value="7f00000b"/>
<!-- Fields with an empty name and no showname (GeoIP here, Record Mark in the kerberos
     layer) carry their text in show; a consumer keyed on name must tolerate them. -->
984 <field name="" show="Source GeoIP: Unknown" size="4" pos="12" value="7f000015"/>
985 <field name="" show="Destination GeoIP: Unknown" size="4" pos="16" value="7f00000b"/>
986 </proto>
987 <proto name="tcp" showname="Transmission Control Protocol, Src Port: 88 (88), Dst Port: 14788 (14788), Seq: 1, Ack: 1543, Len: 1477" size="20" pos="20">
988 <field name="tcp.srcport" showname="Source Port: 88" size="2" pos="20" show="88" value="0058"/>
989 <field name="tcp.dstport" showname="Destination Port: 14788" size="2" pos="22" show="14788" value="39c4"/>
990 <field name="tcp.port" showname="Source or Destination Port: 88" hide="yes" size="2" pos="20" show="88" value="0058"/>
991 <field name="tcp.port" showname="Source or Destination Port: 14788" hide="yes" size="2" pos="22" show="14788" value="39c4"/>
992 <field name="tcp.stream" showname="Stream index: 50" size="0" pos="20" show="50"/>
<!-- tcp.len is a computed field: show holds the length (1477) while value (50) is the
     byte at pos 32, the same byte tcp.hdr_len reports. Read show, not value. -->
993 <field name="tcp.len" showname="TCP Segment Len: 1477" size="1" pos="32" show="1477" value="50"/>
994 <field name="tcp.seq" showname="Sequence number: 1 (relative sequence number)" size="4" pos="24" show="1" value="00000001"/>
995 <field name="tcp.nxtseq" showname="Next sequence number: 1478 (relative sequence number)" size="0" pos="20" show="1478"/>
996 <field name="tcp.ack" showname="Acknowledgment number: 1543 (relative ack number)" size="4" pos="28" show="1543" value="00000607"/>
997 <field name="tcp.hdr_len" showname="Header Length: 20 bytes" size="1" pos="32" show="20" value="50"/>
<!-- For single-bit flags, a set bit is written as show="1" with value="FFFFFFFF";
     unmaskedvalue is the byte the bit was taken from. -->
998 <field name="tcp.flags" showname="Flags: 0x018 (PSH, ACK)" size="2" pos="32" show="0x00000018" value="18" unmaskedvalue="5018">
999 <field name="tcp.flags.res" showname="000. .... .... = Reserved: Not set" size="1" pos="32" show="0" value="0" unmaskedvalue="50"/>
1000 <field name="tcp.flags.ns" showname="...0 .... .... = Nonce: Not set" size="1" pos="32" show="0" value="0" unmaskedvalue="50"/>
1001 <field name="tcp.flags.cwr" showname=".... 0... .... = Congestion Window Reduced (CWR): Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
1002 <field name="tcp.flags.ecn" showname=".... .0.. .... = ECN-Echo: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
1003 <field name="tcp.flags.urg" showname=".... ..0. .... = Urgent: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
1004 <field name="tcp.flags.ack" showname=".... ...1 .... = Acknowledgment: Set" size="1" pos="33" show="1" value="FFFFFFFF" unmaskedvalue="18"/>
1005 <field name="tcp.flags.push" showname=".... .... 1... = Push: Set" size="1" pos="33" show="1" value="FFFFFFFF" unmaskedvalue="18"/>
1006 <field name="tcp.flags.reset" showname=".... .... .0.. = Reset: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
1007 <field name="tcp.flags.syn" showname=".... .... ..0. = Syn: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
1008 <field name="tcp.flags.fin" showname=".... .... ...0 = Fin: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
1009 <field name="tcp.flags.str" showname="TCP Flags: *******AP***" size="2" pos="32" show="*******AP***" value="5018"/>
1010 </field>
1011 <field name="tcp.window_size_value" showname="Window size value: 32767" size="2" pos="34" show="32767" value="7fff"/>
1012 <field name="tcp.window_size" showname="Calculated window size: 32767" size="2" pos="34" show="32767" value="7fff"/>
1013 <field name="tcp.window_size_scalefactor" showname="Window size scaling factor: -2 (no window scaling used)" size="2" pos="34" show="-2" value="7fff"/>
1014 <field name="tcp.checksum" showname="Checksum: 0x0000 [validation disabled]" size="2" pos="36" show="0x00000000" value="0000">
1015 <field name="tcp.checksum_good" showname="Good Checksum: False" size="2" pos="36" show="0" value="0000"/>
1016 <field name="tcp.checksum_bad" showname="Bad Checksum: False" size="2" pos="36" show="0" value="0000"/>
1017 </field>
1018 <field name="tcp.urgent_pointer" showname="Urgent pointer: 0" size="2" pos="38" show="0" value="0000"/>
1019 <field name="tcp.analysis" showname="SEQ/ACK analysis" size="0" pos="20" show="" value="">
1020 <field name="tcp.analysis.acks_frame" showname="This is an ACK to the segment in frame: 2422" size="0" pos="20" show="2422"/>
1021 <field name="tcp.analysis.ack_rtt" showname="The RTT to ACK the segment was: 0.003842000 seconds" size="0" pos="20" show="0.003842000"/>
1022 <field name="tcp.analysis.initial_rtt" showname="iRTT: 0.000009000 seconds" size="0" pos="20" show="0.000009000"/>
1023 <field name="tcp.analysis.bytes_in_flight" showname="Bytes in flight: 1477" size="0" pos="20" show="1477"/>
1024 </field>
<!-- value is normally hexadecimal; here it holds the elision marker, so a consumer
     must not hex-decode value attributes without checking them first. -->
1025 <field name="tcp.pdu.size" showname="PDU Size: 1477" size="1477" pos="40" show="1477" value="...elided..."/>
1026 </proto>
1027 <proto name="kerberos" showname="Kerberos" size="1477" pos="40">
<!-- Kerberos over TCP is framed by a 4-byte record mark: one reserved bit and a
     31-bit length (0x5c1 = 1473), which plus the mark itself gives the 1477-byte PDU. -->
1028 <field name="" show="Record Mark: 1473 bytes" size="4" pos="40" value="000005c1">
1029 <field name="kerberos.rm.reserved" showname="0... .... .... .... .... .... .... .... = Reserved: Not set" size="4" pos="40" show="0" value="0" unmaskedvalue="000005c1"/>
1030 <field name="kerberos.rm.length" showname=".000 0000 0000 0000 0000 0101 1100 0001 = Record Length: 1473" size="4" pos="40" show="1473" value="5C1" unmaskedvalue="000005c1"/>
1031 </field>
1032 <field name="kerberos.tgs_rep_element" showname="tgs-rep" size="1469" pos="48" show="" value="">
1033 <field name="kerberos.pvno" showname="pvno: 5" size="1" pos="56" show="5" value="05"/>
1034 <field name="kerberos.msg_type" showname="msg-type: krb-tgs-rep (13)" size="1" pos="61" show="13" value="0d"/>
1035 <field name="kerberos.crealm" showname="crealm: SAMBA.EXAMPLE.COM" size="17" pos="66" show="SAMBA.EXAMPLE.COM" value="53414d42412e4558414d504c452e434f4d"/>
1036 <field name="kerberos.cname_element" showname="cname" size="26" pos="85" show="" value="">
1037 <field name="kerberos.name_type" showname="name-type: kRB5-NT-PRINCIPAL (1)" size="1" pos="91" show="1" value="01"/>
1038 <field name="kerberos.name_string" showname="name-string: 1 item" size="15" pos="96" show="1" value="1b0d41646d696e6973747261746f72">
1039 <field name="kerberos.KerberosString" showname="KerberosString: Administrator" size="13" pos="98" show="Administrator" value="41646d696e6973747261746f72"/>
1040 </field>
1041 </field>
1042 <field name="kerberos.ticket_element" showname="ticket" size="1149" pos="119" show="" value="">
1043 <field name="kerberos.tkt_vno" showname="tkt-vno: 5" size="1" pos="127" show="5" value="05"/>
1044 <field name="kerberos.realm" showname="realm: SAMBA.EXAMPLE.COM" size="17" pos="132" show="SAMBA.EXAMPLE.COM" value="53414d42412e4558414d504c452e434f4d"/>
1045 <field name="kerberos.sname_element" showname="sname" size="26" pos="151" show="" value="">
1046 <field name="kerberos.name_type" showname="name-type: kRB5-NT-PRINCIPAL (1)" size="1" pos="157" show="1" value="01"/>
1047 <field name="kerberos.name_string" showname="name-string: 2 items" size="15" pos="162" show="2" value="1b046c6461701b076c6f63616c6463">
1048 <field name="kerberos.KerberosString" showname="KerberosString: ldap" size="4" pos="164" show="ldap" value="6c646170"/>
1049 <field name="kerberos.KerberosString" showname="KerberosString: localdc" size="7" pos="170" show="localdc" value="6c6f63616c6463"/>
1050 </field>
1051 </field>
<!-- Ticket enc-part: encrypted under the service key identified by kvno 1, etype 18.
     show and value are elided, but showname still carries the first 24 bytes of the
     ciphertext as hex. This is lab data from a make test run; a PDML export of real
     traffic would hold the full ticket ciphertext and principal names and should be
     handled as sensitive material. -->
1052 <field name="kerberos.enc_part_element" showname="enc-part" size="1087" pos="181" show="" value="">
1053 <field name="kerberos.etype" showname="etype: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)" size="1" pos="189" show="18" value="12"/>
1054 <field name="kerberos.kvno" showname="kvno: 1" size="1" pos="194" show="1" value="01"/>
1055 <field name="kerberos.cipher" showname="cipher: 9cbdd51b88f631bfc183eee24f54171f1e6222ebd70ef513..." size="1065" pos="203" show="...elided..." value="...elided..."/>
1056 </field>
1057 </field>
<!-- Second enc-part: the encrypted part of the reply itself (etype 18, no kvno field
     present), elided in the same way as the ticket ciphertext. -->
1058 <field name="kerberos.enc_part_element" showname="enc-part" size="246" pos="1271" show="" value="">
1059 <field name="kerberos.etype" showname="etype: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)" size="1" pos="1278" show="18" value="12"/>
1060 <field name="kerberos.cipher" showname="cipher: 144b5a45ac6ad8fd830d6f7ec0b00a5cf26d277598a63a5e..." size="232" pos="1285" show="...elided..." value="...elided..."/>
1061 </field>
1062 </field>
1063 </proto>
1064 </packet>
1066 <packet>
<!-- Capture metadata for frame 3105: 138 bytes on the wire, all captured. show is
     decimal and value is hexadecimal (0xc21 = 3105, 0x8a = 138); the timestamp value
     is epoch seconds. -->
1067 <proto name="geninfo" pos="0" showname="General information" size="138">
1068 <field name="num" pos="0" show="3105" showname="Number" value="c21" size="138"/>
1069 <field name="len" pos="0" show="138" showname="Frame Length" value="8a" size="138"/>
1070 <field name="caplen" pos="0" show="138" showname="Captured Length" value="8a" size="138"/>
1071 <field name="timestamp" pos="0" show="Feb 10, 2017 14:36:24.770344000 NZDT" showname="Captured Time" value="1486690584.770344000" size="138"/>
1072 </proto>
<!-- Frame-level summary for frame 3105. All fields here are computed by the dissector
     (size 0, no value attribute). frame.protocols lists the dissector chain, which for
     this packet runs from raw IP through TCP and LDAP to GSS-API, SPNEGO and Kerberos. -->
1073 <proto name="frame" showname="Frame 3105: 138 bytes on wire (1104 bits), 138 bytes captured (1104 bits)" size="138" pos="0">
1074 <field name="frame.encap_type" showname="Encapsulation type: Raw IP (7)" size="0" pos="0" show="7"/>
1075 <field name="frame.time" showname="Arrival Time: Feb 10, 2017 14:36:24.770344000 NZDT" size="0" pos="0" show="Feb 10, 2017 14:36:24.770344000 NZDT"/>
1076 <field name="frame.offset_shift" showname="Time shift for this packet: 0.000000000 seconds" size="0" pos="0" show="0.000000000"/>
1077 <field name="frame.time_epoch" showname="Epoch Time: 1486690584.770344000 seconds" size="0" pos="0" show="1486690584.770344000"/>
1078 <field name="frame.time_delta" showname="Time delta from previous captured frame: 0.000005000 seconds" size="0" pos="0" show="0.000005000"/>
1079 <field name="frame.time_delta_displayed" showname="Time delta from previous displayed frame: 0.000005000 seconds" size="0" pos="0" show="0.000005000"/>
1080 <field name="frame.time_relative" showname="Time since reference or first frame: 8.239893000 seconds" size="0" pos="0" show="8.239893000"/>
1081 <field name="frame.number" showname="Frame Number: 3105" size="0" pos="0" show="3105"/>
1082 <field name="frame.len" showname="Frame Length: 138 bytes (1104 bits)" size="0" pos="0" show="138"/>
1083 <field name="frame.cap_len" showname="Capture Length: 138 bytes (1104 bits)" size="0" pos="0" show="138"/>
1084 <field name="frame.marked" showname="Frame is marked: False" size="0" pos="0" show="0"/>
1085 <field name="frame.ignored" showname="Frame is ignored: False" size="0" pos="0" show="0"/>
1086 <field name="frame.protocols" showname="Protocols in frame: raw:ip:tcp:ldap:gss-api:spnego:spnego-krb5" size="0" pos="0" show="raw:ip:tcp:ldap:gss-api:spnego:spnego-krb5"/>
1087 </proto>
<!-- Placeholder layer for the raw IP encapsulation reported by frame.encap_type: it
     spans the whole 138-byte frame and has no fields of its own. -->
1088 <proto name="raw" showname="Raw packet data" size="138" pos="0"/>
<!-- IPv4 header of frame 3105, from 127.0.0.11 to 127.0.0.21 (both in the loopback
     range). Fields marked hide="yes" are aliases of ip.src and ip.dst that repeat the
     same bytes under a generic name, so each address appears several times. -->
1089 <proto name="ip" showname="Internet Protocol Version 4, Src: 127.0.0.11, Dst: 127.0.0.21" size="20" pos="0">
1090 <field name="ip.version" showname="0100 .... = Version: 4" size="1" pos="0" show="4" value="4" unmaskedvalue="45"/>
1091 <field name="ip.hdr_len" showname=".... 0101 = Header Length: 20 bytes" size="1" pos="0" show="5" value="5" unmaskedvalue="45"/>
1092 <field name="ip.dsfield" showname="Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)" size="1" pos="1" show="0x00000000" value="00">
1093 <field name="ip.dsfield.dscp" showname="0000 00.. = Differentiated Services Codepoint: Default (0)" size="1" pos="1" show="0" value="0" unmaskedvalue="00"/>
1094 <field name="ip.dsfield.ecn" showname=".... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)" size="1" pos="1" show="0" value="0" unmaskedvalue="00"/>
1095 </field>
1096 <field name="ip.len" showname="Total Length: 138" size="2" pos="2" show="138" value="008a"/>
1097 <field name="ip.id" showname="Identification: 0xffff (65535)" size="2" pos="4" show="0x0000ffff" value="ffff"/>
1098 <field name="ip.flags" showname="Flags: 0x02 (Don&#x27;t Fragment)" size="1" pos="6" show="0x00000002" value="40">
1099 <field name="ip.flags.rb" showname="0... .... = Reserved bit: Not set" size="1" pos="6" show="0" value="40"/>
1100 <field name="ip.flags.df" showname=".1.. .... = Don&#x27;t fragment: Set" size="1" pos="6" show="1" value="40"/>
1101 <field name="ip.flags.mf" showname="..0. .... = More fragments: Not set" size="1" pos="6" show="0" value="40"/>
1102 </field>
1103 <field name="ip.frag_offset" showname="Fragment offset: 0" size="2" pos="6" show="0" value="4000"/>
1104 <field name="ip.ttl" showname="Time to live: 255" size="1" pos="8" show="255" value="ff"/>
1105 <field name="ip.proto" showname="Protocol: TCP (6)" size="1" pos="9" show="6" value="06"/>
<!-- Checksum validation was disabled in the dissector, so both checksum_good and
     checksum_bad are False; neither says whether the 0x0000 checksum is correct. -->
1106 <field name="ip.checksum" showname="Header checksum: 0x0000 [validation disabled]" size="2" pos="10" show="0x00000000" value="0000">
1107 <field name="ip.checksum_good" showname="Good: False" size="2" pos="10" show="0" value="0000"/>
1108 <field name="ip.checksum_bad" showname="Bad: False" size="2" pos="10" show="0" value="0000"/>
1109 </field>
1110 <field name="ip.src" showname="Source: 127.0.0.11" size="4" pos="12" show="127.0.0.11" value="7f00000b"/>
1111 <field name="ip.addr" showname="Source or Destination Address: 127.0.0.11" hide="yes" size="4" pos="12" show="127.0.0.11" value="7f00000b"/>
1112 <field name="ip.src_host" showname="Source Host: 127.0.0.11" hide="yes" size="4" pos="12" show="127.0.0.11" value="7f00000b"/>
1113 <field name="ip.host" showname="Source or Destination Host: 127.0.0.11" hide="yes" size="4" pos="12" show="127.0.0.11" value="7f00000b"/>
1114 <field name="ip.dst" showname="Destination: 127.0.0.21" size="4" pos="16" show="127.0.0.21" value="7f000015"/>
1115 <field name="ip.addr" showname="Source or Destination Address: 127.0.0.21" hide="yes" size="4" pos="16" show="127.0.0.21" value="7f000015"/>
1116 <field name="ip.dst_host" showname="Destination Host: 127.0.0.21" hide="yes" size="4" pos="16" show="127.0.0.21" value="7f000015"/>
1117 <field name="ip.host" showname="Source or Destination Host: 127.0.0.21" hide="yes" size="4" pos="16" show="127.0.0.21" value="7f000015"/>
<!-- The two GeoIP fields have an empty name and no showname; their text is in show
     only, so a consumer keyed on name must tolerate them. -->
1118 <field name="" show="Source GeoIP: Unknown" size="4" pos="12" value="7f00000b"/>
1119 <field name="" show="Destination GeoIP: Unknown" size="4" pos="16" value="7f000015"/>
1120 </proto>
<!-- TCP header of frame 3105: client port 14794 to port 389 (LDAP), PSH and ACK set,
     98 bytes of payload. tcp.pdu.size (3098) is larger than this segment because the
     LDAP message spans several segments; see tcp.segments in the proto that follows. -->
1121 <proto name="tcp" showname="Transmission Control Protocol, Src Port: 14794 (14794), Dst Port: 389 (389), Seq: 6184, Ack: 332, Len: 98" size="20" pos="20">
1122 <field name="tcp.srcport" showname="Source Port: 14794" size="2" pos="20" show="14794" value="39ca"/>
1123 <field name="tcp.dstport" showname="Destination Port: 389" size="2" pos="22" show="389" value="0185"/>
1124 <field name="tcp.port" showname="Source or Destination Port: 14794" hide="yes" size="2" pos="20" show="14794" value="39ca"/>
1125 <field name="tcp.port" showname="Source or Destination Port: 389" hide="yes" size="2" pos="22" show="389" value="0185"/>
1126 <field name="tcp.stream" showname="Stream index: 60" size="0" pos="20" show="60"/>
<!-- tcp.len is a computed field: show holds the length (98) while value (50) is the
     byte at pos 32, the same byte tcp.hdr_len reports. Read show, not value. -->
1127 <field name="tcp.len" showname="TCP Segment Len: 98" size="1" pos="32" show="98" value="50"/>
1128 <field name="tcp.seq" showname="Sequence number: 6184 (relative sequence number)" size="4" pos="24" show="6184" value="00001828"/>
1129 <field name="tcp.nxtseq" showname="Next sequence number: 6282 (relative sequence number)" size="0" pos="20" show="6282"/>
1130 <field name="tcp.ack" showname="Acknowledgment number: 332 (relative ack number)" size="4" pos="28" show="332" value="0000014c"/>
1131 <field name="tcp.hdr_len" showname="Header Length: 20 bytes" size="1" pos="32" show="20" value="50"/>
<!-- For single-bit flags, a set bit is written as show="1" with value="FFFFFFFF";
     unmaskedvalue is the byte the bit was taken from. -->
1132 <field name="tcp.flags" showname="Flags: 0x018 (PSH, ACK)" size="2" pos="32" show="0x00000018" value="18" unmaskedvalue="5018">
1133 <field name="tcp.flags.res" showname="000. .... .... = Reserved: Not set" size="1" pos="32" show="0" value="0" unmaskedvalue="50"/>
1134 <field name="tcp.flags.ns" showname="...0 .... .... = Nonce: Not set" size="1" pos="32" show="0" value="0" unmaskedvalue="50"/>
1135 <field name="tcp.flags.cwr" showname=".... 0... .... = Congestion Window Reduced (CWR): Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
1136 <field name="tcp.flags.ecn" showname=".... .0.. .... = ECN-Echo: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
1137 <field name="tcp.flags.urg" showname=".... ..0. .... = Urgent: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
1138 <field name="tcp.flags.ack" showname=".... ...1 .... = Acknowledgment: Set" size="1" pos="33" show="1" value="FFFFFFFF" unmaskedvalue="18"/>
1139 <field name="tcp.flags.push" showname=".... .... 1... = Push: Set" size="1" pos="33" show="1" value="FFFFFFFF" unmaskedvalue="18"/>
1140 <field name="tcp.flags.reset" showname=".... .... .0.. = Reset: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
1141 <field name="tcp.flags.syn" showname=".... .... ..0. = Syn: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
1142 <field name="tcp.flags.fin" showname=".... .... ...0 = Fin: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
1143 <field name="tcp.flags.str" showname="TCP Flags: *******AP***" size="2" pos="32" show="*******AP***" value="5018"/>
1144 </field>
1145 <field name="tcp.window_size_value" showname="Window size value: 32767" size="2" pos="34" show="32767" value="7fff"/>
1146 <field name="tcp.window_size" showname="Calculated window size: 32767" size="2" pos="34" show="32767" value="7fff"/>
1147 <field name="tcp.window_size_scalefactor" showname="Window size scaling factor: -2 (no window scaling used)" size="2" pos="34" show="-2" value="7fff"/>
1148 <field name="tcp.checksum" showname="Checksum: 0x0000 [validation disabled]" size="2" pos="36" show="0x00000000" value="0000">
1149 <field name="tcp.checksum_good" showname="Good Checksum: False" size="2" pos="36" show="0" value="0000"/>
1150 <field name="tcp.checksum_bad" showname="Bad Checksum: False" size="2" pos="36" show="0" value="0000"/>
1151 </field>
1152 <field name="tcp.urgent_pointer" showname="Urgent pointer: 0" size="2" pos="38" show="0" value="0000"/>
1153 <field name="tcp.analysis" showname="SEQ/ACK analysis" size="0" pos="20" show="" value="">
1154 <field name="tcp.analysis.initial_rtt" showname="iRTT: 0.000020000 seconds" size="0" pos="20" show="0.000020000"/>
1155 <field name="tcp.analysis.bytes_in_flight" showname="Bytes in flight: 3098" size="0" pos="20" show="3098"/>
1156 </field>
<!-- Payload-sized values are replaced by the elision marker, so value here is not
     hexadecimal; a consumer must not hex-decode value attributes without checking. -->
1157 <field name="tcp.pdu.size" showname="PDU Size: 3098" size="3098" pos="20" show="3098" value="...elided..."/>
1158 <field name="tcp.segment_data" showname="TCP segment data (98 bytes)" size="98" pos="40" show="...elided..." value="...elided..."/>
1159 </proto>
<!-- Reassembly summary emitted under a wrapper proto that has no showname, size or
     pos. Three segments from frames 3103, 3104 and 3105 (1500 + 1500 + 98 bytes) make
     up the 3098-byte PDU; pos on each tcp.segment is its offset in the reassembled
     buffer, not in this frame. The elision marker on tcp.reassembled.data is spelled
     with an inner space, unlike the other fields, so match the marker loosely. -->
1160 <proto name="fake-field-wrapper">
1161 <field name="tcp.segments" showname="3 Reassembled TCP Segments (3098 bytes): #3103(1500), #3104(1500), #3105(98)" size="3098" pos="0" show="" value="">
1162 <field name="tcp.segment" showname="Frame: 3103, payload: 0-1499 (1500 bytes)" size="1500" pos="0" show="3103" value="...elided..."/>
1163 <field name="tcp.segment" showname="Frame: 3104, payload: 1500-2999 (1500 bytes)" size="1500" pos="1500" show="3104" value="...elided..."/>
1164 <field name="tcp.segment" showname="Frame: 3105, payload: 3000-3097 (98 bytes)" size="98" pos="3000" show="3105" value="...elided..."/>
1165 <field name="tcp.segment.count" showname="Segment count: 3" size="0" pos="0" show="3"/>
1166 <field name="tcp.reassembled.length" showname="Reassembled TCP length: 3098" size="0" pos="0" show="3098"/>
1167 <field name="tcp.reassembled.data" showname="Reassembled TCP Data: 30820c1602010360820c0f0201030400a3820c06040a4753..." size="3098" pos="0" show="...elided ..."/>
1168 </field>
1169 </proto>
1170 <proto name="ldap" showname="Lightweight Directory Access Protocol" size="3098" pos="0">
1171 <field name="ldap.LDAPMessage_element" showname="LDAPMessage bindRequest(3) &quot;&lt;ROOT&gt;&quot; sasl" size="3098" pos="0" show="" value="">
1172 <field name="ldap.messageID" showname="messageID: 3" size="1" pos="6" show="3" value="03"/>
1173 <field name="ldap.protocolOp" showname="protocolOp: bindRequest (0)" size="3091" pos="7" show="0" value="...elided...">
1174 <field name="ldap.bindRequest_element" showname="bindRequest" size="3087" pos="11" show="" value="">
1175 <field name="ldap.version" showname="version: 3" size="1" pos="13" show="3" value="03"/>
1176 <field name="ldap.name" showname="name: " size="0" pos="16" show=""/>
1177 <field name="ldap.authentication" showname="authentication: sasl (3)" size="3078" pos="20" show="3" value="...elided...">
1178 <field name="ldap.sasl_element" showname="sasl" size="3078" pos="20" show="" value="">
1179 <field name="ldap.mechanism" showname="mechanism: GSS-SPNEGO" size="10" pos="22" show="GSS-SPNEGO" value="4753532d53504e45474f"/>
1180 <field name="ldap.credentials" showname="credentials: 60820bf206062b0601050502a0820be630820be2a0243022..." size="3062" pos="36" show="...elided..."/>
1181 <proto name="gss-api" showname="GSS-API Generic Security Service Application Program Interface" size="3062" pos="36">
1182 <field name="gss-api.OID" showname="OID: 1.3.6.1.5.5.2 (SPNEGO - Simple Protected Negotiation)" size="6" pos="42" show="1.3.6.1.5.5.2" value="2b0601050502"/>
1183 <proto name="spnego" showname="Simple Protected Negotiation" size="3050" pos="48">
1184 <field name="spnego.negTokenInit_element" showname="negTokenInit" size="3046" pos="52" show="" value="">
1185 <field name="spnego.mechTypes" showname="mechTypes: 3 items" size="34" pos="60" show="3" value="06092a864882f71201020206092a864886f712010202060a2b06010401823702020a">
1186 <field name="spnego.MechType" showname="MechType: 1.2.840.48018.1.2.2 (MS KRB5 - Microsoft Kerberos 5)" size="9" pos="62" show="1.2.840.48018.1.2.2" value="2a864882f712010202"/>
1187 <field name="spnego.MechType" showname="MechType: 1.2.840.113554.1.2.2 (KRB5 - Kerberos 5)" size="9" pos="73" show="1.2.840.113554.1.2.2" value="2a864886f712010202"/>
1188 <field name="spnego.MechType" showname="MechType: 1.3.6.1.4.1.311.2.2.10 (NTLMSSP - Microsoft NTLM Security Support Provider)" size="10" pos="84" show="1.3.6.1.4.1.311.2.2.10" value="2b06010401823702020a"/>
1189 </field>
1190 <field name="spnego.mechToken" showname="mechToken: 60820bb006092a864886f71201020201006e820b9f30820b..." size="2996" pos="102" show="... elided ..."/>
1191 <field name="spnego.krb5.blob" showname="krb5_blob: 60820bb006092a864886f71201020201006e820b9f30820b..." size="2979" pos="102" show="...elided...">
1192 <field name="spnego.krb5_oid" showname="KRB5 OID: 1.2.840.113554.1.2.2 (KRB5 - Kerberos 5)" size="9" pos="108" show="1.2.840.113554.1.2.2" value="2a864886f712010202"/>
1193 <field name="spnego.krb5.tok_id" showname="krb5_tok_id: KRB5_AP_REQ (0x0001)" size="2" pos="117" show="0x00000001" value="0100"/>
<!-- Kerberos AP-REQ (msg-type 14) nested inside the SPNEGO krb5 blob of the LDAP SASL
     bind; a proto element nested under field elements is how the dissector reports an
     embedded protocol. ap-options has mutual-required set, so the client asks the
     server to authenticate itself in return. The ticket names ldap/localdc in
     SAMBA.EXAMPLE.COM with etype 18 and kvno 1. -->
1194 <proto name="kerberos" showname="Kerberos" size="2979" pos="119">
1195 <field name="kerberos.ap_req_element" showname="ap-req" size="2975" pos="123" show="" value="">
1196 <field name="kerberos.pvno" showname="pvno: 5" size="1" pos="131" show="5" value="05"/>
1197 <field name="kerberos.msg_type" showname="msg-type: krb-ap-req (14)" size="1" pos="136" show="14" value="0e"/>
1198 <field name="ber.bitstring.padding" showname="Padding: 0" size="1" pos="141" show="0" value="00"/>
1199 <field name="kerberos.ap_options" showname="ap-options: 20000000 (mutual-required)" size="4" pos="142" show="20:00:00:00" value="20000000">
1200 <field name="kerberos.reserved" showname="0... .... = reserved: False" size="1" pos="142" show="0" value="0" unmaskedvalue="20"/>
1201 <field name="kerberos.use-session-key" showname=".0.. .... = use-session-key: False" size="1" pos="142" show="0" value="0" unmaskedvalue="20"/>
1202 <field name="kerberos.mutual-required" showname="..1. .... = mutual-required: True" size="1" pos="142" show="1" value="FFFFFFFF" unmaskedvalue="20"/>
1203 </field>
1204 <field name="kerberos.ticket_element" showname="ticket" size="1149" pos="154" show="" value="">
1205 <field name="kerberos.tkt_vno" showname="tkt-vno: 5" size="1" pos="162" show="5" value="05"/>
1206 <field name="kerberos.realm" showname="realm: SAMBA.EXAMPLE.COM" size="17" pos="167" show="SAMBA.EXAMPLE.COM" value="53414d42412e4558414d504c452e434f4d"/>
1207 <field name="kerberos.sname_element" showname="sname" size="26" pos="186" show="" value="">
1208 <field name="kerberos.name_type" showname="name-type: kRB5-NT-PRINCIPAL (1)" size="1" pos="192" show="1" value="01"/>
1209 <field name="kerberos.name_string" showname="name-string: 2 items" size="15" pos="197" show="2" value="1b046c6461701b076c6f63616c6463">
1210 <field name="kerberos.KerberosString" showname="KerberosString: ldap" size="4" pos="199" show="ldap" value="6c646170"/>
1211 <field name="kerberos.KerberosString" showname="KerberosString: localdc" size="7" pos="205" show="localdc" value="6c6f63616c6463"/>
1212 </field>
1213 </field>
<!-- The cipher fields in this AP-REQ have show elided and no value attribute at all,
     unlike the TGS-REP example where both are present; showname still carries the
     first 24 bytes of ciphertext as hex. This is lab data from a make test run; a PDML
     export of real traffic would hold the full ticket and authenticator ciphertext
     and should be handled as sensitive material. -->
1214 <field name="kerberos.enc_part_element" showname="enc-part" size="1087" pos="216" show="" value="">
1215 <field name="kerberos.etype" showname="etype: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)" size="1" pos="224" show="18" value="12"/>
1216 <field name="kerberos.kvno" showname="kvno: 1" size="1" pos="229" show="1" value="01"/>
1217 <field name="kerberos.cipher" showname="cipher: 024239fcb8e525339bcf284915f78b5e83507ed9ab592579..." size="1065" pos="238" show="...elided..."/>
1218 </field>
1219 </field>
1220 <field name="kerberos.authenticator_element" showname="authenticator" size="1791" pos="1307" show="" value="">
1221 <field name="kerberos.etype" showname="etype: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)" size="1" pos="1315" show="18" value="12"/>
1222 <field name="kerberos.cipher" showname="cipher: fce1dd0bc30bb4341ecc246b1a495b189ed13aec7c2c304c..." size="1774" pos="1324" show="...elided..."/>
1223 </field>
1224 </field>
1225 </proto>
1226 </field>
1227 </field>
1228 </proto>
1229 </proto>
1230 </field>
1231 </field>
1232 </field>
1233 </field>
1234 </field>
1235 </proto>
1236 </packet>
<!-- Frame 3110: LDAP bindResponse (success) sent from 127.0.0.21 port 389 to 127.0.0.11 port 14794. Its serverSaslCreds carry an SPNEGO negTokenTarg (accept-completed) that wraps a Kerberos AP-REP. -->
1239 <packet>
1240 <proto name="geninfo" pos="0" showname="General information" size="245">
1241 <field name="num" pos="0" show="3110" showname="Number" value="c26" size="245"/>
1242 <field name="len" pos="0" show="245" showname="Frame Length" value="f5" size="245"/>
1243 <field name="caplen" pos="0" show="245" showname="Captured Length" value="f5" size="245"/>
1244 <field name="timestamp" pos="0" show="Feb 10, 2017 14:36:24.774978000 NZDT" showname="Captured Time" value="1486690584.774978000" size="245"/>
1245 </proto>
1246 <proto name="frame" showname="Frame 3110: 245 bytes on wire (1960 bits), 245 bytes captured (1960 bits)" size="245" pos="0">
1247 <field name="frame.encap_type" showname="Encapsulation type: Raw IP (7)" size="0" pos="0" show="7"/>
1248 <field name="frame.time" showname="Arrival Time: Feb 10, 2017 14:36:24.774978000 NZDT" size="0" pos="0" show="Feb 10, 2017 14:36:24.774978000 NZDT"/>
1249 <field name="frame.offset_shift" showname="Time shift for this packet: 0.000000000 seconds" size="0" pos="0" show="0.000000000"/>
1250 <field name="frame.time_epoch" showname="Epoch Time: 1486690584.774978000 seconds" size="0" pos="0" show="1486690584.774978000"/>
1251 <field name="frame.time_delta" showname="Time delta from previous captured frame: 0.004542000 seconds" size="0" pos="0" show="0.004542000"/>
1252 <field name="frame.time_delta_displayed" showname="Time delta from previous displayed frame: 0.004542000 seconds" size="0" pos="0" show="0.004542000"/>
1253 <field name="frame.time_relative" showname="Time since reference or first frame: 8.244527000 seconds" size="0" pos="0" show="8.244527000"/>
1254 <field name="frame.number" showname="Frame Number: 3110" size="0" pos="0" show="3110"/>
1255 <field name="frame.len" showname="Frame Length: 245 bytes (1960 bits)" size="0" pos="0" show="245"/>
1256 <field name="frame.cap_len" showname="Capture Length: 245 bytes (1960 bits)" size="0" pos="0" show="245"/>
1257 <field name="frame.marked" showname="Frame is marked: False" size="0" pos="0" show="0"/>
1258 <field name="frame.ignored" showname="Frame is ignored: False" size="0" pos="0" show="0"/>
1259 <field name="frame.protocols" showname="Protocols in frame: raw:ip:tcp:ldap:spnego:spnego-krb5" size="0" pos="0" show="raw:ip:tcp:ldap:spnego:spnego-krb5"/>
1260 </proto>
1261 <proto name="raw" showname="Raw packet data" size="245" pos="0"/>
1262 <proto name="ip" showname="Internet Protocol Version 4, Src: 127.0.0.21, Dst: 127.0.0.11" size="20" pos="0">
1263 <field name="ip.version" showname="0100 .... = Version: 4" size="1" pos="0" show="4" value="4" unmaskedvalue="45"/>
1264 <field name="ip.hdr_len" showname=".... 0101 = Header Length: 20 bytes" size="1" pos="0" show="5" value="5" unmaskedvalue="45"/>
1265 <field name="ip.dsfield" showname="Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)" size="1" pos="1" show="0x00000000" value="00">
1266 <field name="ip.dsfield.dscp" showname="0000 00.. = Differentiated Services Codepoint: Default (0)" size="1" pos="1" show="0" value="0" unmaskedvalue="00"/>
1267 <field name="ip.dsfield.ecn" showname=".... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)" size="1" pos="1" show="0" value="0" unmaskedvalue="00"/>
1268 </field>
1269 <field name="ip.len" showname="Total Length: 245" size="2" pos="2" show="245" value="00f5"/>
1270 <field name="ip.id" showname="Identification: 0xffff (65535)" size="2" pos="4" show="0x0000ffff" value="ffff"/>
1271 <field name="ip.flags" showname="Flags: 0x02 (Don&#x27;t Fragment)" size="1" pos="6" show="0x00000002" value="40">
1272 <field name="ip.flags.rb" showname="0... .... = Reserved bit: Not set" size="1" pos="6" show="0" value="40"/>
1273 <field name="ip.flags.df" showname=".1.. .... = Don&#x27;t fragment: Set" size="1" pos="6" show="1" value="40"/>
1274 <field name="ip.flags.mf" showname="..0. .... = More fragments: Not set" size="1" pos="6" show="0" value="40"/>
1275 </field>
1276 <field name="ip.frag_offset" showname="Fragment offset: 0" size="2" pos="6" show="0" value="4000"/>
1277 <field name="ip.ttl" showname="Time to live: 255" size="1" pos="8" show="255" value="ff"/>
1278 <field name="ip.proto" showname="Protocol: TCP (6)" size="1" pos="9" show="6" value="06"/>
<!-- The header checksum is 0x0000 and validation is disabled, so both checksum_good and checksum_bad read False; neither says anything about header integrity. -->
1279 <field name="ip.checksum" showname="Header checksum: 0x0000 [validation disabled]" size="2" pos="10" show="0x00000000" value="0000">
1280 <field name="ip.checksum_good" showname="Good: False" size="2" pos="10" show="0" value="0000"/>
1281 <field name="ip.checksum_bad" showname="Bad: False" size="2" pos="10" show="0" value="0000"/>
1282 </field>
1283 <field name="ip.src" showname="Source: 127.0.0.21" size="4" pos="12" show="127.0.0.21" value="7f000015"/>
1284 <field name="ip.addr" showname="Source or Destination Address: 127.0.0.21" hide="yes" size="4" pos="12" show="127.0.0.21" value="7f000015"/>
1285 <field name="ip.src_host" showname="Source Host: 127.0.0.21" hide="yes" size="4" pos="12" show="127.0.0.21" value="7f000015"/>
1286 <field name="ip.host" showname="Source or Destination Host: 127.0.0.21" hide="yes" size="4" pos="12" show="127.0.0.21" value="7f000015"/>
1287 <field name="ip.dst" showname="Destination: 127.0.0.11" size="4" pos="16" show="127.0.0.11" value="7f00000b"/>
1288 <field name="ip.addr" showname="Source or Destination Address: 127.0.0.11" hide="yes" size="4" pos="16" show="127.0.0.11" value="7f00000b"/>
1289 <field name="ip.dst_host" showname="Destination Host: 127.0.0.11" hide="yes" size="4" pos="16" show="127.0.0.11" value="7f00000b"/>
1290 <field name="ip.host" showname="Source or Destination Host: 127.0.0.11" hide="yes" size="4" pos="16" show="127.0.0.11" value="7f00000b"/>
1291 <field name="" show="Source GeoIP: Unknown" size="4" pos="12" value="7f000015"/>
1292 <field name="" show="Destination GeoIP: Unknown" size="4" pos="16" value="7f00000b"/>
1293 </proto>
1294 <proto name="tcp" showname="Transmission Control Protocol, Src Port: 389 (389), Dst Port: 14794 (14794), Seq: 332, Ack: 6282, Len: 205" size="20" pos="20">
1295 <field name="tcp.srcport" showname="Source Port: 389" size="2" pos="20" show="389" value="0185"/>
1296 <field name="tcp.dstport" showname="Destination Port: 14794" size="2" pos="22" show="14794" value="39ca"/>
1297 <field name="tcp.port" showname="Source or Destination Port: 389" hide="yes" size="2" pos="20" show="389" value="0185"/>
1298 <field name="tcp.port" showname="Source or Destination Port: 14794" hide="yes" size="2" pos="22" show="14794" value="39ca"/>
1299 <field name="tcp.stream" showname="Stream index: 60" size="0" pos="20" show="60"/>
1300 <field name="tcp.len" showname="TCP Segment Len: 205" size="1" pos="32" show="205" value="50"/>
1301 <field name="tcp.seq" showname="Sequence number: 332 (relative sequence number)" size="4" pos="24" show="332" value="0000014c"/>
1302 <field name="tcp.nxtseq" showname="Next sequence number: 537 (relative sequence number)" size="0" pos="20" show="537"/>
1303 <field name="tcp.ack" showname="Acknowledgment number: 6282 (relative ack number)" size="4" pos="28" show="6282" value="0000188a"/>
1304 <field name="tcp.hdr_len" showname="Header Length: 20 bytes" size="1" pos="32" show="20" value="50"/>
1305 <field name="tcp.flags" showname="Flags: 0x018 (PSH, ACK)" size="2" pos="32" show="0x00000018" value="18" unmaskedvalue="5018">
1306 <field name="tcp.flags.res" showname="000. .... .... = Reserved: Not set" size="1" pos="32" show="0" value="0" unmaskedvalue="50"/>
1307 <field name="tcp.flags.ns" showname="...0 .... .... = Nonce: Not set" size="1" pos="32" show="0" value="0" unmaskedvalue="50"/>
1308 <field name="tcp.flags.cwr" showname=".... 0... .... = Congestion Window Reduced (CWR): Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
1309 <field name="tcp.flags.ecn" showname=".... .0.. .... = ECN-Echo: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
1310 <field name="tcp.flags.urg" showname=".... ..0. .... = Urgent: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
1311 <field name="tcp.flags.ack" showname=".... ...1 .... = Acknowledgment: Set" size="1" pos="33" show="1" value="FFFFFFFF" unmaskedvalue="18"/>
1312 <field name="tcp.flags.push" showname=".... .... 1... = Push: Set" size="1" pos="33" show="1" value="FFFFFFFF" unmaskedvalue="18"/>
1313 <field name="tcp.flags.reset" showname=".... .... .0.. = Reset: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
1314 <field name="tcp.flags.syn" showname=".... .... ..0. = Syn: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
1315 <field name="tcp.flags.fin" showname=".... .... ...0 = Fin: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
1316 <field name="tcp.flags.str" showname="TCP Flags: *******AP***" size="2" pos="32" show="*******AP***" value="5018"/>
1317 </field>
1318 <field name="tcp.window_size_value" showname="Window size value: 32767" size="2" pos="34" show="32767" value="7fff"/>
1319 <field name="tcp.window_size" showname="Calculated window size: 32767" size="2" pos="34" show="32767" value="7fff"/>
1320 <field name="tcp.window_size_scalefactor" showname="Window size scaling factor: -2 (no window scaling used)" size="2" pos="34" show="-2" value="7fff"/>
1321 <field name="tcp.checksum" showname="Checksum: 0x0000 [validation disabled]" size="2" pos="36" show="0x00000000" value="0000">
1322 <field name="tcp.checksum_good" showname="Good Checksum: False" size="2" pos="36" show="0" value="0000"/>
1323 <field name="tcp.checksum_bad" showname="Bad Checksum: False" size="2" pos="36" show="0" value="0000"/>
1324 </field>
1325 <field name="tcp.urgent_pointer" showname="Urgent pointer: 0" size="2" pos="38" show="0" value="0000"/>
1326 <field name="tcp.analysis" showname="SEQ/ACK analysis" size="0" pos="20" show="" value="">
1327 <field name="tcp.analysis.acks_frame" showname="This is an ACK to the segment in frame: 3105" size="0" pos="20" show="3105"/>
1328 <field name="tcp.analysis.ack_rtt" showname="The RTT to ACK the segment was: 0.004634000 seconds" size="0" pos="20" show="0.004634000"/>
1329 <field name="tcp.analysis.initial_rtt" showname="iRTT: 0.000020000 seconds" size="0" pos="20" show="0.000020000"/>
1330 <field name="tcp.analysis.bytes_in_flight" showname="Bytes in flight: 205" size="0" pos="20" show="205"/>
1331 </field>
<!-- tcp.pdu.size holds the whole 205-byte TCP payload in value: the same bytes that the ldap proto below dissects. -->
1332 <field name="tcp.pdu.size" showname="PDU Size: 205" size="205" pos="40" show="205" value="3081ca0201036181c40a0100040004008781baa181b73081b4a0030a0100a10b06092a864882f712010202a2819f04819c60819906092a864886f71201020202006f8189308186a003020105a10302010fa27a3078a003020112a271046f2db61233c561f67b14ba4337ca9dcef2c88e925b29c1d2cfa6d4852ae0ac9c3d140a024f2e8d4c2d7211bd69c753416bfa8160c7317e948e506ce510e46456672b4b42d14a0c83f34bf0f6afb2b073adeed33044cb414ab8e7ff72208b26f402155c562e6ff9201f5d5a7cd9a4a244"/>
1333 </proto>
1334 <proto name="ldap" showname="Lightweight Directory Access Protocol" size="205" pos="40">
1335 <field name="ldap.LDAPMessage_element" showname="LDAPMessage bindResponse(3) success" size="205" pos="40" show="" value="">
1336 <field name="ldap.messageID" showname="messageID: 3" size="1" pos="45" show="3" value="03"/>
1337 <field name="ldap.protocolOp" showname="protocolOp: bindResponse (1)" size="199" pos="46" show="1" value="6181c40a0100040004008781baa181b73081b4a0030a0100a10b06092a864882f712010202a2819f04819c60819906092a864886f71201020202006f8189308186a003020105a10302010fa27a3078a003020112a271046f2db61233c561f67b14ba4337ca9dcef2c88e925b29c1d2cfa6d4852ae0ac9c3d140a024f2e8d4c2d7211bd69c753416bfa8160c7317e948e506ce510e46456672b4b42d14a0c83f34bf0f6afb2b073adeed33044cb414ab8e7ff72208b26f402155c562e6ff9201f5d5a7cd9a4a244">
1338 <field name="ldap.bindResponse_element" showname="bindResponse" size="196" pos="49" show="" value="">
1339 <field name="ldap.resultCode" showname="resultCode: success (0)" size="1" pos="51" show="0" value="00"/>
1340 <field name="ldap.matchedDN" showname="matchedDN: " size="0" pos="54" show=""/>
1341 <field name="ldap.errorMessage" showname="errorMessage: " size="0" pos="56" show=""/>
<!-- Unlike the fields marked "...elided..." elsewhere in this file, the SASL, SPNEGO and Kerberos token bytes in this packet are kept in full in both show and value. -->
1342 <field name="ldap.serverSaslCreds" showname="serverSaslCreds: a181b73081b4a0030a0100a10b06092a864882f712010202..." size="186" pos="59" show="a1:81:b7:30:81:b4:a0:03:0a:01:00:a1:0b:06:09:2a:86:48:82:f7:12:01:02:02:a2:81:9f:04:81:9c:60:81:99:06:09:2a:86:48:86:f7:12:01:02:02:02:00:6f:81:89:30:81:86:a0:03:02:01:05:a1:03:02:01:0f:a2:7a:30:78:a0:03:02:01:12:a2:71:04:6f:2d:b6:12:33:c5:61:f6:7b:14:ba:43:37:ca:9d:ce:f2:c8:8e:92:5b:29:c1:d2:cf:a6:d4:85:2a:e0:ac:9c:3d:14:0a:02:4f:2e:8d:4c:2d:72:11:bd:69:c7:53:41:6b:fa:81:60:c7:31:7e:94:8e:50:6c:e5:10:e4:64:56:67:2b:4b:42:d1:4a:0c:83:f3:4b:f0:f6:af:b2:b0:73:ad:ee:d3:30:44:cb:41:4a:b8:e7:ff:72:20:8b:26:f4:02:15:5c:56:2e:6f:f9:20:1f:5d:5a:7c:d9:a4:a2:44" value="a181b73081b4a0030a0100a10b06092a864882f712010202a2819f04819c60819906092a864886f71201020202006f8189308186a003020105a10302010fa27a3078a003020112a271046f2db61233c561f67b14ba4337ca9dcef2c88e925b29c1d2cfa6d4852ae0ac9c3d140a024f2e8d4c2d7211bd69c753416bfa8160c7317e948e506ce510e46456672b4b42d14a0c83f34bf0f6afb2b073adeed33044cb414ab8e7ff72208b26f402155c562e6ff9201f5d5a7cd9a4a244"/>
1343 <proto name="spnego" showname="Simple Protected Negotiation" size="186" pos="59">
1344 <field name="spnego.negTokenTarg_element" showname="negTokenTarg" size="183" pos="62" show="" value="">
1345 <field name="spnego.negResult" showname="negResult: accept-completed (0)" size="1" pos="69" show="0" value="00"/>
<!-- supportedMech is the Microsoft Kerberos 5 OID (1.2.840.48018.1.2.2), while the blob inside responseToken is tagged with the standard Kerberos 5 OID (1.2.840.113554.1.2.2). -->
1346 <field name="spnego.supportedMech" showname="supportedMech: 1.2.840.48018.1.2.2 (MS KRB5 - Microsoft Kerberos 5)" size="9" pos="74" show="1.2.840.48018.1.2.2" value="2a864882f712010202"/>
1347 <field name="spnego.responseToken" showname="responseToken: 60819906092a864886f71201020202006f8189308186a003..." size="156" pos="89" show="60:81:99:06:09:2a:86:48:86:f7:12:01:02:02:02:00:6f:81:89:30:81:86:a0:03:02:01:05:a1:03:02:01:0f:a2:7a:30:78:a0:03:02:01:12:a2:71:04:6f:2d:b6:12:33:c5:61:f6:7b:14:ba:43:37:ca:9d:ce:f2:c8:8e:92:5b:29:c1:d2:cf:a6:d4:85:2a:e0:ac:9c:3d:14:0a:02:4f:2e:8d:4c:2d:72:11:bd:69:c7:53:41:6b:fa:81:60:c7:31:7e:94:8e:50:6c:e5:10:e4:64:56:67:2b:4b:42:d1:4a:0c:83:f3:4b:f0:f6:af:b2:b0:73:ad:ee:d3:30:44:cb:41:4a:b8:e7:ff:72:20:8b:26:f4:02:15:5c:56:2e:6f:f9:20:1f:5d:5a:7c:d9:a4:a2:44" value="60819906092a864886f71201020202006f8189308186a003020105a10302010fa27a3078a003020112a271046f2db61233c561f67b14ba4337ca9dcef2c88e925b29c1d2cfa6d4852ae0ac9c3d140a024f2e8d4c2d7211bd69c753416bfa8160c7317e948e506ce510e46456672b4b42d14a0c83f34bf0f6afb2b073adeed33044cb414ab8e7ff72208b26f402155c562e6ff9201f5d5a7cd9a4a244"/>
<!-- krb5.blob starts at the same pos as responseToken but is reported as 140 bytes against 156, so its show and value stop 16 bytes short of the token; the nested kerberos.cipher below still runs to the token's last byte. -->
1348 <field name="spnego.krb5.blob" showname="krb5_blob: 60819906092a864886f71201020202006f8189308186a003..." size="140" pos="89" show="60:81:99:06:09:2a:86:48:86:f7:12:01:02:02:02:00:6f:81:89:30:81:86:a0:03:02:01:05:a1:03:02:01:0f:a2:7a:30:78:a0:03:02:01:12:a2:71:04:6f:2d:b6:12:33:c5:61:f6:7b:14:ba:43:37:ca:9d:ce:f2:c8:8e:92:5b:29:c1:d2:cf:a6:d4:85:2a:e0:ac:9c:3d:14:0a:02:4f:2e:8d:4c:2d:72:11:bd:69:c7:53:41:6b:fa:81:60:c7:31:7e:94:8e:50:6c:e5:10:e4:64:56:67:2b:4b:42:d1:4a:0c:83:f3:4b:f0:f6:af:b2:b0:73:ad:ee:d3:30:44:cb:41:4a:b8:e7:ff:72:20:8b:26:f4" value="60819906092a864886f71201020202006f8189308186a003020105a10302010fa27a3078a003020112a271046f2db61233c561f67b14ba4337ca9dcef2c88e925b29c1d2cfa6d4852ae0ac9c3d140a024f2e8d4c2d7211bd69c753416bfa8160c7317e948e506ce510e46456672b4b42d14a0c83f34bf0f6afb2b073adeed33044cb414ab8e7ff72208b26f4">
1349 <field name="spnego.krb5_oid" showname="KRB5 OID: 1.2.840.113554.1.2.2 (KRB5 - Kerberos 5)" size="9" pos="94" show="1.2.840.113554.1.2.2" value="2a864886f712010202"/>
1350 <field name="spnego.krb5.tok_id" showname="krb5_tok_id: KRB5_AP_REP (0x0002)" size="2" pos="103" show="0x00000002" value="0200"/>
<!-- AP-REP (msg-type 15): the service's reply that completes Kerberos mutual authentication. Its enc-part uses etype 18 (AES256-CTS-HMAC-SHA1-96) and the 111-byte ciphertext is present in full. -->
1351 <proto name="kerberos" showname="Kerberos" size="140" pos="105">
1352 <field name="kerberos.ap_rep_element" showname="ap-rep" size="137" pos="108" show="" value="">
1353 <field name="kerberos.pvno" showname="pvno: 5" size="1" pos="115" show="5" value="05"/>
1354 <field name="kerberos.msg_type" showname="msg-type: krb-ap-rep (15)" size="1" pos="120" show="15" value="0f"/>
1355 <field name="kerberos.enc_part_element" showname="enc-part" size="122" pos="123" show="" value="">
1356 <field name="kerberos.etype" showname="etype: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)" size="1" pos="129" show="18" value="12"/>
1357 <field name="kerberos.cipher" showname="cipher: 2db61233c561f67b14ba4337ca9dcef2c88e925b29c1d2cf..." size="111" pos="134" show="2d:b6:12:33:c5:61:f6:7b:14:ba:43:37:ca:9d:ce:f2:c8:8e:92:5b:29:c1:d2:cf:a6:d4:85:2a:e0:ac:9c:3d:14:0a:02:4f:2e:8d:4c:2d:72:11:bd:69:c7:53:41:6b:fa:81:60:c7:31:7e:94:8e:50:6c:e5:10:e4:64:56:67:2b:4b:42:d1:4a:0c:83:f3:4b:f0:f6:af:b2:b0:73:ad:ee:d3:30:44:cb:41:4a:b8:e7:ff:72:20:8b:26:f4:02:15:5c:56:2e:6f:f9:20:1f:5d:5a:7c:d9:a4:a2:44" value="2db61233c561f67b14ba4337ca9dcef2c88e925b29c1d2cfa6d4852ae0ac9c3d140a024f2e8d4c2d7211bd69c753416bfa8160c7317e948e506ce510e46456672b4b42d14a0c83f34bf0f6afb2b073adeed33044cb414ab8e7ff72208b26f402155c562e6ff9201f5d5a7cd9a4a244"/>
1358 </field>
1359 </field>
1360 </proto>
1361 </field>
1362 </field>
1363 </proto>
1364 </field>
1365 </field>
<!-- Dissector-generated fields (size 0): this response answers the request in frame 3105, 0.004634 seconds after it. -->
1366 <field name="ldap.response_to" showname="Response To: 3105" size="0" pos="46" show="3105"/>
1367 <field name="ldap.time" showname="Time: 0.004634000 seconds" size="0" pos="46" show="0.004634000"/>
1368 </field>
1369 </proto>
1370 </packet>
1372 <packet>
<!-- Capture metadata for frame 3113: 209 bytes on the wire, all 209 captured (len equals caplen). -->
1373 <proto name="geninfo" pos="0" showname="General information" size="209">
1374 <field name="num" pos="0" show="3113" showname="Number" value="c29" size="209"/>
1375 <field name="len" pos="0" show="209" showname="Frame Length" value="d1" size="209"/>
1376 <field name="caplen" pos="0" show="209" showname="Captured Length" value="d1" size="209"/>
1377 <field name="timestamp" pos="0" show="Feb 10, 2017 14:36:24.775218000 NZDT" showname="Captured Time" value="1486690584.775218000" size="209"/>
1378 </proto>
<!-- Frame-level fields for frame 3113; every field here has size 0. frame.protocols lists the dissection stack, which includes gss-api for this packet. -->
1379 <proto name="frame" showname="Frame 3113: 209 bytes on wire (1672 bits), 209 bytes captured (1672 bits)" size="209" pos="0">
1380 <field name="frame.encap_type" showname="Encapsulation type: Raw IP (7)" size="0" pos="0" show="7"/>
1381 <field name="frame.time" showname="Arrival Time: Feb 10, 2017 14:36:24.775218000 NZDT" size="0" pos="0" show="Feb 10, 2017 14:36:24.775218000 NZDT"/>
1382 <field name="frame.offset_shift" showname="Time shift for this packet: 0.000000000 seconds" size="0" pos="0" show="0.000000000"/>
1383 <field name="frame.time_epoch" showname="Epoch Time: 1486690584.775218000 seconds" size="0" pos="0" show="1486690584.775218000"/>
1384 <field name="frame.time_delta" showname="Time delta from previous captured frame: 0.000137000 seconds" size="0" pos="0" show="0.000137000"/>
1385 <field name="frame.time_delta_displayed" showname="Time delta from previous displayed frame: 0.000137000 seconds" size="0" pos="0" show="0.000137000"/>
1386 <field name="frame.time_relative" showname="Time since reference or first frame: 8.244767000 seconds" size="0" pos="0" show="8.244767000"/>
1387 <field name="frame.number" showname="Frame Number: 3113" size="0" pos="0" show="3113"/>
1388 <field name="frame.len" showname="Frame Length: 209 bytes (1672 bits)" size="0" pos="0" show="209"/>
1389 <field name="frame.cap_len" showname="Capture Length: 209 bytes (1672 bits)" size="0" pos="0" show="209"/>
1390 <field name="frame.marked" showname="Frame is marked: False" size="0" pos="0" show="0"/>
1391 <field name="frame.ignored" showname="Frame is ignored: False" size="0" pos="0" show="0"/>
1392 <field name="frame.protocols" showname="Protocols in frame: raw:ip:tcp:ldap:gss-api:spnego-krb5" size="0" pos="0" show="raw:ip:tcp:ldap:gss-api:spnego-krb5"/>
1393 </proto>
<!-- Raw IP encapsulation covering the whole 209-byte frame from pos 0, so no link-layer header precedes the IPv4 header. -->
1394 <proto name="raw" showname="Raw packet data" size="209" pos="0"/>
<!-- IPv4 header for frame 3113, from 127.0.0.11 to 127.0.0.21. Fields with hide="yes" repeat the source and destination addresses under the generic ip.addr and ip.host names. -->
1395 <proto name="ip" showname="Internet Protocol Version 4, Src: 127.0.0.11, Dst: 127.0.0.21" size="20" pos="0">
1396 <field name="ip.version" showname="0100 .... = Version: 4" size="1" pos="0" show="4" value="4" unmaskedvalue="45"/>
1397 <field name="ip.hdr_len" showname=".... 0101 = Header Length: 20 bytes" size="1" pos="0" show="5" value="5" unmaskedvalue="45"/>
1398 <field name="ip.dsfield" showname="Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)" size="1" pos="1" show="0x00000000" value="00">
1399 <field name="ip.dsfield.dscp" showname="0000 00.. = Differentiated Services Codepoint: Default (0)" size="1" pos="1" show="0" value="0" unmaskedvalue="00"/>
1400 <field name="ip.dsfield.ecn" showname=".... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)" size="1" pos="1" show="0" value="0" unmaskedvalue="00"/>
1401 </field>
1402 <field name="ip.len" showname="Total Length: 209" size="2" pos="2" show="209" value="00d1"/>
1403 <field name="ip.id" showname="Identification: 0xffff (65535)" size="2" pos="4" show="0x0000ffff" value="ffff"/>
1404 <field name="ip.flags" showname="Flags: 0x02 (Don&#x27;t Fragment)" size="1" pos="6" show="0x00000002" value="40">
1405 <field name="ip.flags.rb" showname="0... .... = Reserved bit: Not set" size="1" pos="6" show="0" value="40"/>
1406 <field name="ip.flags.df" showname=".1.. .... = Don&#x27;t fragment: Set" size="1" pos="6" show="1" value="40"/>
1407 <field name="ip.flags.mf" showname="..0. .... = More fragments: Not set" size="1" pos="6" show="0" value="40"/>
1408 </field>
1409 <field name="ip.frag_offset" showname="Fragment offset: 0" size="2" pos="6" show="0" value="4000"/>
1410 <field name="ip.ttl" showname="Time to live: 255" size="1" pos="8" show="255" value="ff"/>
1411 <field name="ip.proto" showname="Protocol: TCP (6)" size="1" pos="9" show="6" value="06"/>
<!-- The header checksum is 0x0000 and validation is disabled, so both checksum_good and checksum_bad read False; neither says anything about header integrity. -->
1412 <field name="ip.checksum" showname="Header checksum: 0x0000 [validation disabled]" size="2" pos="10" show="0x00000000" value="0000">
1413 <field name="ip.checksum_good" showname="Good: False" size="2" pos="10" show="0" value="0000"/>
1414 <field name="ip.checksum_bad" showname="Bad: False" size="2" pos="10" show="0" value="0000"/>
1415 </field>
1416 <field name="ip.src" showname="Source: 127.0.0.11" size="4" pos="12" show="127.0.0.11" value="7f00000b"/>
1417 <field name="ip.addr" showname="Source or Destination Address: 127.0.0.11" hide="yes" size="4" pos="12" show="127.0.0.11" value="7f00000b"/>
1418 <field name="ip.src_host" showname="Source Host: 127.0.0.11" hide="yes" size="4" pos="12" show="127.0.0.11" value="7f00000b"/>
1419 <field name="ip.host" showname="Source or Destination Host: 127.0.0.11" hide="yes" size="4" pos="12" show="127.0.0.11" value="7f00000b"/>
1420 <field name="ip.dst" showname="Destination: 127.0.0.21" size="4" pos="16" show="127.0.0.21" value="7f000015"/>
1421 <field name="ip.addr" showname="Source or Destination Address: 127.0.0.21" hide="yes" size="4" pos="16" show="127.0.0.21" value="7f000015"/>
1422 <field name="ip.dst_host" showname="Destination Host: 127.0.0.21" hide="yes" size="4" pos="16" show="127.0.0.21" value="7f000015"/>
1423 <field name="ip.host" showname="Source or Destination Host: 127.0.0.21" hide="yes" size="4" pos="16" show="127.0.0.21" value="7f000015"/>
1424 <field name="" show="Source GeoIP: Unknown" size="4" pos="12" value="7f00000b"/>
1425 <field name="" show="Destination GeoIP: Unknown" size="4" pos="16" value="7f000015"/>
1426 </proto>
<!-- TCP header for frame 3113: port 14794 to port 389 on stream 60, PSH and ACK set, acknowledging the segment in frame 3110. -->
1427 <proto name="tcp" showname="Transmission Control Protocol, Src Port: 14794 (14794), Dst Port: 389 (389), Seq: 6282, Ack: 537, Len: 169" size="20" pos="20">
1428 <field name="tcp.srcport" showname="Source Port: 14794" size="2" pos="20" show="14794" value="39ca"/>
1429 <field name="tcp.dstport" showname="Destination Port: 389" size="2" pos="22" show="389" value="0185"/>
1430 <field name="tcp.port" showname="Source or Destination Port: 14794" hide="yes" size="2" pos="20" show="14794" value="39ca"/>
1431 <field name="tcp.port" showname="Source or Destination Port: 389" hide="yes" size="2" pos="22" show="389" value="0185"/>
1432 <field name="tcp.stream" showname="Stream index: 60" size="0" pos="20" show="60"/>
1433 <field name="tcp.len" showname="TCP Segment Len: 169" size="1" pos="32" show="169" value="50"/>
1434 <field name="tcp.seq" showname="Sequence number: 6282 (relative sequence number)" size="4" pos="24" show="6282" value="0000188a"/>
1435 <field name="tcp.nxtseq" showname="Next sequence number: 6451 (relative sequence number)" size="0" pos="20" show="6451"/>
1436 <field name="tcp.ack" showname="Acknowledgment number: 537 (relative ack number)" size="4" pos="28" show="537" value="00000219"/>
1437 <field name="tcp.hdr_len" showname="Header Length: 20 bytes" size="1" pos="32" show="20" value="50"/>
1438 <field name="tcp.flags" showname="Flags: 0x018 (PSH, ACK)" size="2" pos="32" show="0x00000018" value="18" unmaskedvalue="5018">
1439 <field name="tcp.flags.res" showname="000. .... .... = Reserved: Not set" size="1" pos="32" show="0" value="0" unmaskedvalue="50"/>
1440 <field name="tcp.flags.ns" showname="...0 .... .... = Nonce: Not set" size="1" pos="32" show="0" value="0" unmaskedvalue="50"/>
1441 <field name="tcp.flags.cwr" showname=".... 0... .... = Congestion Window Reduced (CWR): Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
1442 <field name="tcp.flags.ecn" showname=".... .0.. .... = ECN-Echo: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
1443 <field name="tcp.flags.urg" showname=".... ..0. .... = Urgent: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
1444 <field name="tcp.flags.ack" showname=".... ...1 .... = Acknowledgment: Set" size="1" pos="33" show="1" value="FFFFFFFF" unmaskedvalue="18"/>
1445 <field name="tcp.flags.push" showname=".... .... 1... = Push: Set" size="1" pos="33" show="1" value="FFFFFFFF" unmaskedvalue="18"/>
1446 <field name="tcp.flags.reset" showname=".... .... .0.. = Reset: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
1447 <field name="tcp.flags.syn" showname=".... .... ..0. = Syn: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
1448 <field name="tcp.flags.fin" showname=".... .... ...0 = Fin: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
1449 <field name="tcp.flags.str" showname="TCP Flags: *******AP***" size="2" pos="32" show="*******AP***" value="5018"/>
1450 </field>
1451 <field name="tcp.window_size_value" showname="Window size value: 32767" size="2" pos="34" show="32767" value="7fff"/>
1452 <field name="tcp.window_size" showname="Calculated window size: 32767" size="2" pos="34" show="32767" value="7fff"/>
1453 <field name="tcp.window_size_scalefactor" showname="Window size scaling factor: -2 (no window scaling used)" size="2" pos="34" show="-2" value="7fff"/>
<!-- As with the IP header, the checksum is 0x0000 with validation disabled, so the Good and Bad flags are both False. -->
1454 <field name="tcp.checksum" showname="Checksum: 0x0000 [validation disabled]" size="2" pos="36" show="0x00000000" value="0000">
1455 <field name="tcp.checksum_good" showname="Good Checksum: False" size="2" pos="36" show="0" value="0000"/>
1456 <field name="tcp.checksum_bad" showname="Bad Checksum: False" size="2" pos="36" show="0" value="0000"/>
1457 </field>
1458 <field name="tcp.urgent_pointer" showname="Urgent pointer: 0" size="2" pos="38" show="0" value="0000"/>
1459 <field name="tcp.analysis" showname="SEQ/ACK analysis" size="0" pos="20" show="" value="">
1460 <field name="tcp.analysis.acks_frame" showname="This is an ACK to the segment in frame: 3110" size="0" pos="20" show="3110"/>
1461 <field name="tcp.analysis.ack_rtt" showname="The RTT to ACK the segment was: 0.000240000 seconds" size="0" pos="20" show="0.000240000"/>
1462 <field name="tcp.analysis.initial_rtt" showname="iRTT: 0.000020000 seconds" size="0" pos="20" show="0.000020000"/>
1463 <field name="tcp.analysis.bytes_in_flight" showname="Bytes in flight: 169" size="0" pos="20" show="169"/>
1464 </field>
<!-- tcp.pdu.size holds the whole 169-byte TCP payload in value: the 4-byte SASL buffer length (000000a5), then the GSS-API wrap token, then the LDAP message bytes. -->
1465 <field name="tcp.pdu.size" showname="PDU Size: 169" size="169" pos="40" show="169" value="000000a5050404ff000c000c00000000327fba42f2b5c0e4f071d599072f1f8530818602010463818004000a01000a0100020100020100010100870b6f626a656374436c61737330600417726f6f74446f6d61696e4e616d696e67436f6e74657874041a636f6e66696775726174696f6e4e616d696e67436f6e746578740413736368656d614e616d696e67436f6e74657874041464656661756c744e616d696e67436f6e74657874"/>
1466 </proto>
1467 <proto name="ldap" showname="Lightweight Directory Access Protocol" size="169" pos="40">
1468 <field name="ldap.sasl_buffer_length" showname="SASL Buffer Length: 165" size="4" pos="40" show="165" value="000000a5"/>
1469 <field name="" show="SASL Buffer" size="169" pos="40" value="000000a5050404ff000c000c00000000327fba42f2b5c0e4f071d599072f1f8530818602010463818004000a01000a0100020100020100010100870b6f626a656374436c61737330600417726f6f74446f6d61696e4e616d696e67436f6e74657874041a636f6e66696775726174696f6e4e616d696e67436f6e746578740413736368656d614e616d696e67436f6e74657874041464656661756c744e616d696e67436f6e74657874">
<!-- GSS-API Kerberos wrap token (KRB_TOKEN_CFX_WRAP, 0x0405) that prefixes the SASL-protected LDAP message: 28 bytes, made up of a 16-byte header followed by a 12-byte checksum. -->
1470 <proto name="gss-api" showname="GSS-API Generic Security Service Application Program Interface" size="28" pos="44">
1471 <field name="spnego.krb5.blob" showname="krb5_blob: 050404ff000c000c00000000327fba42f2b5c0e4f071d599..." size="28" pos="44" show="05:04:04:ff:00:0c:00:0c:00:00:00:00:32:7f:ba:42:f2:b5:c0:e4:f0:71:d5:99:07:2f:1f:85" value="050404ff000c000c00000000327fba42f2b5c0e4f071d599072f1f85">
1472 <field name="spnego.krb5.tok_id" showname="krb5_tok_id: KRB_TOKEN_CFX_WRAP (0x0405)" size="2" pos="44" show="0x00000405" value="0504"/>
<!-- Flags 0x04: AcceptorSubkey is set; Sealed and SendByAcceptor are not. With Sealed clear the wrapped LDAP message is signed but not encrypted, which is why the GSS-API payload field after this proto is dissected as a readable searchRequest. -->
1473 <field name="spnego.krb5.cfx_flags" showname="krb5_cfx_flags: 0x04, AcceptorSubkey" size="1" pos="46" show="0x00000004" value="04">
1474 <field name="spnego.krb5.acceptor_subkey" showname=".... .1.. = AcceptorSubkey: Set" size="1" pos="46" show="1" value="FFFFFFFF" unmaskedvalue="04"/>
1475 <field name="spnego.krb5.sealed" showname=".... ..0. = Sealed: Not set" size="1" pos="46" show="0" value="0" unmaskedvalue="04"/>
1476 <field name="spnego.krb5.send_by_acceptor" showname=".... ...0 = SendByAcceptor: Not set" size="1" pos="46" show="0" value="0" unmaskedvalue="04"/>
1477 </field>
1478 <field name="spnego.krb5.filler" showname="krb5_filler: ff" size="1" pos="47" show="ff" value="ff"/>
<!-- EC and RRC are both 12, the same as the length of sgn_cksum, which sits directly after the header at pos 60. -->
1479 <field name="spnego.krb5.cfx_ec" showname="krb5_cfx_ec: 12" size="2" pos="48" show="12" value="000c"/>
1480 <field name="spnego.krb5.cfx_rrc" showname="krb5_cfx_rrc: 12" size="2" pos="50" show="12" value="000c"/>
1481 <field name="spnego.krb5.cfx_seq" showname="krb5_cfx_seq: 847231554" size="8" pos="52" show="847231554" value="00000000327fba42"/>
1482 <field name="spnego.krb5.sgn_cksum" showname="krb5_sgn_cksum: f2b5c0e4f071d599072f1f85" size="12" pos="60" show="f2:b5:c0:e4:f0:71:d5:99:07:2f:1f:85" value="f2b5c0e4f071d599072f1f85"/>
1483 </field>
1484 </proto>
1485 <field name="" show="GSS-API payload (137 bytes)" size="137" pos="72" value="30818602010463818004000a01000a0100020100020100010100870b6f626a656374436c61737330600417726f6f74446f6d61696e4e616d696e67436f6e74657874041a636f6e66696775726174696f6e4e616d696e67436f6e746578740413736368656d614e616d696e67436f6e74657874041464656661756c744e616d696e67436f6e74657874">
1486 <field name="ldap.LDAPMessage_element" showname="LDAPMessage searchRequest(4) &quot;&lt;ROOT&gt;&quot; baseObject" size="137" pos="72" show="" value="">
1487 <field name="ldap.messageID" showname="messageID: 4" size="1" pos="77" show="4" value="04"/>
1488 <field name="ldap.protocolOp" showname="protocolOp: searchRequest (3)" size="131" pos="78" show="3" value="63818004000a01000a0100020100020100010100870b6f626a656374436c61737330600417726f6f74446f6d61696e4e616d696e67436f6e74657874041a636f6e66696775726174696f6e4e616d696e67436f6e746578740413736368656d614e616d696e67436f6e74657874041464656661756c744e616d696e67436f6e74657874">
1489 <field name="ldap.searchRequest_element" showname="searchRequest" size="128" pos="81" show="" value="">
1490 <field name="ldap.baseObject" showname="baseObject: " size="0" pos="83" show=""/>
1491 <field name="ldap.scope" showname="scope: baseObject (0)" size="1" pos="85" show="0" value="00"/>
1492 <field name="ldap.derefAliases" showname="derefAliases: neverDerefAliases (0)" size="1" pos="88" show="0" value="00"/>
1493 <field name="ldap.sizeLimit" showname="sizeLimit: 0" size="1" pos="91" show="0" value="00"/>
1494 <field name="ldap.timeLimit" showname="timeLimit: 0" size="1" pos="94" show="0" value="00"/>
1495 <field name="ldap.typesOnly" showname="typesOnly: False" size="1" pos="97" show="0" value="00"/>
1496 <field name="" show="Filter: (objectClass=*)" size="13" pos="98" value="870b6f626a656374436c617373">
1497 <field name="ldap.filter" showname="filter: present (7)" size="11" pos="100" show="7" value="6f626a656374436c617373">
1498 <field name="ldap.present" showname="present: objectClass" size="11" pos="100" show="objectClass" value="6f626a656374436c617373"/>
1499 </field>
1500 </field>
1501 <field name="ldap.attributes" showname="attributes: 4 items" size="96" pos="113" show="4" value="0417726f6f74446f6d61696e4e616d696e67436f6e74657874041a636f6e66696775726174696f6e4e616d696e67436f6e746578740413736368656d614e616d696e67436f6e74657874041464656661756c744e616d696e67436f6e74657874">
1502 <field name="ldap.AttributeDescription" showname="AttributeDescription: rootDomainNamingContext" size="23" pos="115" show="rootDomainNamingContext" value="726f6f74446f6d61696e4e616d696e67436f6e74657874"/>
1503 <field name="ldap.AttributeDescription" showname="AttributeDescription: configurationNamingContext" size="26" pos="140" show="configurationNamingContext" value="636f6e66696775726174696f6e4e616d696e67436f6e74657874"/>
1504 <field name="ldap.AttributeDescription" showname="AttributeDescription: schemaNamingContext" size="19" pos="168" show="schemaNamingContext" value="736368656d614e616d696e67436f6e74657874"/>
1505 <field name="ldap.AttributeDescription" showname="AttributeDescription: defaultNamingContext" size="20" pos="189" show="defaultNamingContext" value="64656661756c744e616d696e67436f6e74657874"/>
1506 </field>
1507 </field>
1508 </field>
1509 </field>
1510 </field>
1511 </field>
1512 </proto>
1513 </packet>
<!-- Frame 3119 (146 bytes): 127.0.0.11 port 14794 to 127.0.0.21 port 389, TCP stream 60.
     Payload is one LDAP searchRequest (messageID 5) for objectSid on the base object
     DC=samba,DC=example,DC=com, wrapped in a GSS-API Kerberos token inside a SASL buffer. -->
1515 <packet>
1516 <proto name="geninfo" pos="0" showname="General information" size="146">
1517 <field name="num" pos="0" show="3119" showname="Number" value="c2f" size="146"/>
1518 <field name="len" pos="0" show="146" showname="Frame Length" value="92" size="146"/>
1519 <field name="caplen" pos="0" show="146" showname="Captured Length" value="92" size="146"/>
1520 <field name="timestamp" pos="0" show="Feb 10, 2017 14:36:24.775574000 NZDT" showname="Captured Time" value="1486690584.775574000" size="146"/>
1521 </proto>
1522 <proto name="frame" showname="Frame 3119: 146 bytes on wire (1168 bits), 146 bytes captured (1168 bits)" size="146" pos="0">
1523 <field name="frame.encap_type" showname="Encapsulation type: Raw IP (7)" size="0" pos="0" show="7"/>
1524 <field name="frame.time" showname="Arrival Time: Feb 10, 2017 14:36:24.775574000 NZDT" size="0" pos="0" show="Feb 10, 2017 14:36:24.775574000 NZDT"/>
1525 <field name="frame.offset_shift" showname="Time shift for this packet: 0.000000000 seconds" size="0" pos="0" show="0.000000000"/>
1526 <field name="frame.time_epoch" showname="Epoch Time: 1486690584.775574000 seconds" size="0" pos="0" show="1486690584.775574000"/>
1527 <field name="frame.time_delta" showname="Time delta from previous captured frame: 0.000096000 seconds" size="0" pos="0" show="0.000096000"/>
1528 <field name="frame.time_delta_displayed" showname="Time delta from previous displayed frame: 0.000096000 seconds" size="0" pos="0" show="0.000096000"/>
1529 <field name="frame.time_relative" showname="Time since reference or first frame: 8.245123000 seconds" size="0" pos="0" show="8.245123000"/>
1530 <field name="frame.number" showname="Frame Number: 3119" size="0" pos="0" show="3119"/>
1531 <field name="frame.len" showname="Frame Length: 146 bytes (1168 bits)" size="0" pos="0" show="146"/>
1532 <field name="frame.cap_len" showname="Capture Length: 146 bytes (1168 bits)" size="0" pos="0" show="146"/>
1533 <field name="frame.marked" showname="Frame is marked: False" size="0" pos="0" show="0"/>
1534 <field name="frame.ignored" showname="Frame is ignored: False" size="0" pos="0" show="0"/>
1535 <field name="frame.protocols" showname="Protocols in frame: raw:ip:tcp:ldap:gss-api:spnego-krb5" size="0" pos="0" show="raw:ip:tcp:ldap:gss-api:spnego-krb5"/>
1536 </proto>
1537 <proto name="raw" showname="Raw packet data" size="146" pos="0"/>
<!-- IPv4 header. The header checksum is 0x0000 and validation was disabled, so checksum_good and
     checksum_bad are both False and say nothing about whether the header is intact. -->
1538 <proto name="ip" showname="Internet Protocol Version 4, Src: 127.0.0.11, Dst: 127.0.0.21" size="20" pos="0">
1539 <field name="ip.version" showname="0100 .... = Version: 4" size="1" pos="0" show="4" value="4" unmaskedvalue="45"/>
1540 <field name="ip.hdr_len" showname=".... 0101 = Header Length: 20 bytes" size="1" pos="0" show="5" value="5" unmaskedvalue="45"/>
1541 <field name="ip.dsfield" showname="Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)" size="1" pos="1" show="0x00000000" value="00">
1542 <field name="ip.dsfield.dscp" showname="0000 00.. = Differentiated Services Codepoint: Default (0)" size="1" pos="1" show="0" value="0" unmaskedvalue="00"/>
1543 <field name="ip.dsfield.ecn" showname=".... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)" size="1" pos="1" show="0" value="0" unmaskedvalue="00"/>
1544 </field>
1545 <field name="ip.len" showname="Total Length: 146" size="2" pos="2" show="146" value="0092"/>
1546 <field name="ip.id" showname="Identification: 0xffff (65535)" size="2" pos="4" show="0x0000ffff" value="ffff"/>
1547 <field name="ip.flags" showname="Flags: 0x02 (Don&#x27;t Fragment)" size="1" pos="6" show="0x00000002" value="40">
1548 <field name="ip.flags.rb" showname="0... .... = Reserved bit: Not set" size="1" pos="6" show="0" value="40"/>
1549 <field name="ip.flags.df" showname=".1.. .... = Don&#x27;t fragment: Set" size="1" pos="6" show="1" value="40"/>
1550 <field name="ip.flags.mf" showname="..0. .... = More fragments: Not set" size="1" pos="6" show="0" value="40"/>
1551 </field>
1552 <field name="ip.frag_offset" showname="Fragment offset: 0" size="2" pos="6" show="0" value="4000"/>
1553 <field name="ip.ttl" showname="Time to live: 255" size="1" pos="8" show="255" value="ff"/>
1554 <field name="ip.proto" showname="Protocol: TCP (6)" size="1" pos="9" show="6" value="06"/>
1555 <field name="ip.checksum" showname="Header checksum: 0x0000 [validation disabled]" size="2" pos="10" show="0x00000000" value="0000">
1556 <field name="ip.checksum_good" showname="Good: False" size="2" pos="10" show="0" value="0000"/>
1557 <field name="ip.checksum_bad" showname="Bad: False" size="2" pos="10" show="0" value="0000"/>
1558 </field>
1559 <field name="ip.src" showname="Source: 127.0.0.11" size="4" pos="12" show="127.0.0.11" value="7f00000b"/>
1560 <field name="ip.addr" showname="Source or Destination Address: 127.0.0.11" hide="yes" size="4" pos="12" show="127.0.0.11" value="7f00000b"/>
1561 <field name="ip.src_host" showname="Source Host: 127.0.0.11" hide="yes" size="4" pos="12" show="127.0.0.11" value="7f00000b"/>
1562 <field name="ip.host" showname="Source or Destination Host: 127.0.0.11" hide="yes" size="4" pos="12" show="127.0.0.11" value="7f00000b"/>
1563 <field name="ip.dst" showname="Destination: 127.0.0.21" size="4" pos="16" show="127.0.0.21" value="7f000015"/>
1564 <field name="ip.addr" showname="Source or Destination Address: 127.0.0.21" hide="yes" size="4" pos="16" show="127.0.0.21" value="7f000015"/>
1565 <field name="ip.dst_host" showname="Destination Host: 127.0.0.21" hide="yes" size="4" pos="16" show="127.0.0.21" value="7f000015"/>
1566 <field name="ip.host" showname="Source or Destination Host: 127.0.0.21" hide="yes" size="4" pos="16" show="127.0.0.21" value="7f000015"/>
1567 <field name="" show="Source GeoIP: Unknown" size="4" pos="12" value="7f00000b"/>
1568 <field name="" show="Destination GeoIP: Unknown" size="4" pos="16" value="7f000015"/>
1569 </proto>
1570 <proto name="tcp" showname="Transmission Control Protocol, Src Port: 14794 (14794), Dst Port: 389 (389), Seq: 6451, Ack: 868, Len: 106" size="20" pos="20">
1571 <field name="tcp.srcport" showname="Source Port: 14794" size="2" pos="20" show="14794" value="39ca"/>
1572 <field name="tcp.dstport" showname="Destination Port: 389" size="2" pos="22" show="389" value="0185"/>
1573 <field name="tcp.port" showname="Source or Destination Port: 14794" hide="yes" size="2" pos="20" show="14794" value="39ca"/>
1574 <field name="tcp.port" showname="Source or Destination Port: 389" hide="yes" size="2" pos="22" show="389" value="0185"/>
1575 <field name="tcp.stream" showname="Stream index: 60" size="0" pos="20" show="60"/>
1576 <field name="tcp.len" showname="TCP Segment Len: 106" size="1" pos="32" show="106" value="50"/>
1577 <field name="tcp.seq" showname="Sequence number: 6451 (relative sequence number)" size="4" pos="24" show="6451" value="00001933"/>
1578 <field name="tcp.nxtseq" showname="Next sequence number: 6557 (relative sequence number)" size="0" pos="20" show="6557"/>
1579 <field name="tcp.ack" showname="Acknowledgment number: 868 (relative ack number)" size="4" pos="28" show="868" value="00000364"/>
1580 <field name="tcp.hdr_len" showname="Header Length: 20 bytes" size="1" pos="32" show="20" value="50"/>
1581 <field name="tcp.flags" showname="Flags: 0x018 (PSH, ACK)" size="2" pos="32" show="0x00000018" value="18" unmaskedvalue="5018">
1582 <field name="tcp.flags.res" showname="000. .... .... = Reserved: Not set" size="1" pos="32" show="0" value="0" unmaskedvalue="50"/>
1583 <field name="tcp.flags.ns" showname="...0 .... .... = Nonce: Not set" size="1" pos="32" show="0" value="0" unmaskedvalue="50"/>
1584 <field name="tcp.flags.cwr" showname=".... 0... .... = Congestion Window Reduced (CWR): Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
1585 <field name="tcp.flags.ecn" showname=".... .0.. .... = ECN-Echo: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
1586 <field name="tcp.flags.urg" showname=".... ..0. .... = Urgent: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
1587 <field name="tcp.flags.ack" showname=".... ...1 .... = Acknowledgment: Set" size="1" pos="33" show="1" value="FFFFFFFF" unmaskedvalue="18"/>
1588 <field name="tcp.flags.push" showname=".... .... 1... = Push: Set" size="1" pos="33" show="1" value="FFFFFFFF" unmaskedvalue="18"/>
1589 <field name="tcp.flags.reset" showname=".... .... .0.. = Reset: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
1590 <field name="tcp.flags.syn" showname=".... .... ..0. = Syn: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
1591 <field name="tcp.flags.fin" showname=".... .... ...0 = Fin: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
1592 <field name="tcp.flags.str" showname="TCP Flags: *******AP***" size="2" pos="32" show="*******AP***" value="5018"/>
1593 </field>
1594 <field name="tcp.window_size_value" showname="Window size value: 32767" size="2" pos="34" show="32767" value="7fff"/>
1595 <field name="tcp.window_size" showname="Calculated window size: 32767" size="2" pos="34" show="32767" value="7fff"/>
1596 <field name="tcp.window_size_scalefactor" showname="Window size scaling factor: -2 (no window scaling used)" size="2" pos="34" show="-2" value="7fff"/>
1597 <field name="tcp.checksum" showname="Checksum: 0x0000 [validation disabled]" size="2" pos="36" show="0x00000000" value="0000">
1598 <field name="tcp.checksum_good" showname="Good Checksum: False" size="2" pos="36" show="0" value="0000"/>
1599 <field name="tcp.checksum_bad" showname="Bad Checksum: False" size="2" pos="36" show="0" value="0000"/>
1600 </field>
1601 <field name="tcp.urgent_pointer" showname="Urgent pointer: 0" size="2" pos="38" show="0" value="0000"/>
1602 <field name="tcp.analysis" showname="SEQ/ACK analysis" size="0" pos="20" show="" value="">
1603 <field name="tcp.analysis.acks_frame" showname="This is an ACK to the segment in frame: 3116" size="0" pos="20" show="3116"/>
1604 <field name="tcp.analysis.ack_rtt" showname="The RTT to ACK the segment was: 0.000167000 seconds" size="0" pos="20" show="0.000167000"/>
1605 <field name="tcp.analysis.initial_rtt" showname="iRTT: 0.000020000 seconds" size="0" pos="20" show="0.000020000"/>
1606 <field name="tcp.analysis.bytes_in_flight" showname="Bytes in flight: 106" size="0" pos="20" show="106"/>
1607 </field>
1608 <field name="tcp.pdu.size" showname="PDU Size: 106" size="106" pos="40" show="106" value="00000066050404ff000c000c00000000327fba430a655f88ee6b2540ee57965f30480201056343041a44433d73616d62612c44433d6578616d706c652c44433d636f6d0a01000a010002010002010001010087096f626a656374536964300b04096f626a656374536964"/>
1609 </proto>
1610 <proto name="ldap" showname="Lightweight Directory Access Protocol" size="106" pos="40">
1611 <field name="ldap.sasl_buffer_length" showname="SASL Buffer Length: 102" size="4" pos="40" show="102" value="00000066"/>
1612 <field name="" show="SASL Buffer" size="106" pos="40" value="00000066050404ff000c000c00000000327fba430a655f88ee6b2540ee57965f30480201056343041a44433d73616d62612c44433d6578616d706c652c44433d636f6d0a01000a010002010002010001010087096f626a656374536964300b04096f626a656374536964">
<!-- Wrap token (KRB_TOKEN_CFX_WRAP) with flags 0x04: AcceptorSubkey is set, Sealed is not set.
     The token carries a 12-byte checksum but the payload is not encrypted, so the LDAP request on
     port 389 is integrity-protected only and is readable in the capture. -->
1613 <proto name="gss-api" showname="GSS-API Generic Security Service Application Program Interface" size="28" pos="44">
1614 <field name="spnego.krb5.blob" showname="krb5_blob: 050404ff000c000c00000000327fba430a655f88ee6b2540..." size="28" pos="44" show="05:04:04:ff:00:0c:00:0c:00:00:00:00:32:7f:ba:43:0a:65:5f:88:ee:6b:25:40:ee:57:96:5f" value="050404ff000c000c00000000327fba430a655f88ee6b2540ee57965f">
1615 <field name="spnego.krb5.tok_id" showname="krb5_tok_id: KRB_TOKEN_CFX_WRAP (0x0405)" size="2" pos="44" show="0x00000405" value="0504"/>
1616 <field name="spnego.krb5.cfx_flags" showname="krb5_cfx_flags: 0x04, AcceptorSubkey" size="1" pos="46" show="0x00000004" value="04">
1617 <field name="spnego.krb5.acceptor_subkey" showname=".... .1.. = AcceptorSubkey: Set" size="1" pos="46" show="1" value="FFFFFFFF" unmaskedvalue="04"/>
1618 <field name="spnego.krb5.sealed" showname=".... ..0. = Sealed: Not set" size="1" pos="46" show="0" value="0" unmaskedvalue="04"/>
1619 <field name="spnego.krb5.send_by_acceptor" showname=".... ...0 = SendByAcceptor: Not set" size="1" pos="46" show="0" value="0" unmaskedvalue="04"/>
1620 </field>
1621 <field name="spnego.krb5.filler" showname="krb5_filler: ff" size="1" pos="47" show="ff" value="ff"/>
1622 <field name="spnego.krb5.cfx_ec" showname="krb5_cfx_ec: 12" size="2" pos="48" show="12" value="000c"/>
1623 <field name="spnego.krb5.cfx_rrc" showname="krb5_cfx_rrc: 12" size="2" pos="50" show="12" value="000c"/>
1624 <field name="spnego.krb5.cfx_seq" showname="krb5_cfx_seq: 847231555" size="8" pos="52" show="847231555" value="00000000327fba43"/>
1625 <field name="spnego.krb5.sgn_cksum" showname="krb5_sgn_cksum: 0a655f88ee6b2540ee57965f" size="12" pos="60" show="0a:65:5f:88:ee:6b:25:40:ee:57:96:5f" value="0a655f88ee6b2540ee57965f"/>
1626 </field>
1627 </proto>
<!-- The 74 bytes after the token and checksum are the BER-encoded LDAPMessage: a presence filter
     (objectSid=*) on the single base object, returning only the objectSid attribute. -->
1628 <field name="" show="GSS-API payload (74 bytes)" size="74" pos="72" value="30480201056343041a44433d73616d62612c44433d6578616d706c652c44433d636f6d0a01000a010002010002010001010087096f626a656374536964300b04096f626a656374536964">
1629 <field name="ldap.LDAPMessage_element" showname="LDAPMessage searchRequest(5) &quot;DC=samba,DC=example,DC=com&quot; baseObject" size="74" pos="72" show="" value="">
1630 <field name="ldap.messageID" showname="messageID: 5" size="1" pos="76" show="5" value="05"/>
1631 <field name="ldap.protocolOp" showname="protocolOp: searchRequest (3)" size="69" pos="77" show="3" value="6343041a44433d73616d62612c44433d6578616d706c652c44433d636f6d0a01000a010002010002010001010087096f626a656374536964300b04096f626a656374536964">
1632 <field name="ldap.searchRequest_element" showname="searchRequest" size="67" pos="79" show="" value="">
1633 <field name="ldap.baseObject" showname="baseObject: DC=samba,DC=example,DC=com" size="26" pos="81" show="DC=samba,DC=example,DC=com" value="44433d73616d62612c44433d6578616d706c652c44433d636f6d"/>
1634 <field name="ldap.scope" showname="scope: baseObject (0)" size="1" pos="109" show="0" value="00"/>
1635 <field name="ldap.derefAliases" showname="derefAliases: neverDerefAliases (0)" size="1" pos="112" show="0" value="00"/>
1636 <field name="ldap.sizeLimit" showname="sizeLimit: 0" size="1" pos="115" show="0" value="00"/>
1637 <field name="ldap.timeLimit" showname="timeLimit: 0" size="1" pos="118" show="0" value="00"/>
1638 <field name="ldap.typesOnly" showname="typesOnly: False" size="1" pos="121" show="0" value="00"/>
1639 <field name="" show="Filter: (objectSid=*)" size="11" pos="122" value="87096f626a656374536964">
1640 <field name="ldap.filter" showname="filter: present (7)" size="9" pos="124" show="7" value="6f626a656374536964">
1641 <field name="ldap.present" showname="present: objectSid" size="9" pos="124" show="objectSid" value="6f626a656374536964"/>
1642 </field>
1643 </field>
1644 <field name="ldap.attributes" showname="attributes: 1 item" size="11" pos="135" show="1" value="04096f626a656374536964">
1645 <field name="ldap.AttributeDescription" showname="AttributeDescription: objectSid" size="9" pos="137" show="objectSid" value="6f626a656374536964"/>
1646 </field>
1647 </field>
1648 </field>
1649 </field>
1650 </field>
1651 </field>
1652 </proto>
1653 </packet>
1655 <packet>
<!-- Capture bookkeeping for frame 4576: 179 bytes on the wire, 179 captured. The value attributes
     of num, len and caplen repeat the show numbers in hex (11e0, b3); timestamp is epoch seconds. -->
1656 <proto name="geninfo" pos="0" showname="General information" size="179">
1657 <field name="num" pos="0" show="4576" showname="Number" value="11e0" size="179"/>
1658 <field name="len" pos="0" show="179" showname="Frame Length" value="b3" size="179"/>
1659 <field name="caplen" pos="0" show="179" showname="Captured Length" value="b3" size="179"/>
1660 <field name="timestamp" pos="0" show="Feb 10, 2017 14:36:26.238734000 NZDT" showname="Captured Time" value="1486690586.238734000" size="179"/>
1661 </proto>
<!-- Frame-level metadata for frame 4576. Every field here has size 0, i.e. it maps to no packet
     bytes: timing, frame number and length, and the dissected protocol stack
     raw:ip:tcp:ldap:gss-api:spnego-krb5. -->
1662 <proto name="frame" showname="Frame 4576: 179 bytes on wire (1432 bits), 179 bytes captured (1432 bits)" size="179" pos="0">
1663 <field name="frame.encap_type" showname="Encapsulation type: Raw IP (7)" size="0" pos="0" show="7"/>
1664 <field name="frame.time" showname="Arrival Time: Feb 10, 2017 14:36:26.238734000 NZDT" size="0" pos="0" show="Feb 10, 2017 14:36:26.238734000 NZDT"/>
1665 <field name="frame.offset_shift" showname="Time shift for this packet: 0.000000000 seconds" size="0" pos="0" show="0.000000000"/>
1666 <field name="frame.time_epoch" showname="Epoch Time: 1486690586.238734000 seconds" size="0" pos="0" show="1486690586.238734000"/>
1667 <field name="frame.time_delta" showname="Time delta from previous captured frame: 0.000072000 seconds" size="0" pos="0" show="0.000072000"/>
1668 <field name="frame.time_delta_displayed" showname="Time delta from previous displayed frame: 0.000072000 seconds" size="0" pos="0" show="0.000072000"/>
1669 <field name="frame.time_relative" showname="Time since reference or first frame: 9.708283000 seconds" size="0" pos="0" show="9.708283000"/>
1670 <field name="frame.number" showname="Frame Number: 4576" size="0" pos="0" show="4576"/>
1671 <field name="frame.len" showname="Frame Length: 179 bytes (1432 bits)" size="0" pos="0" show="179"/>
1672 <field name="frame.cap_len" showname="Capture Length: 179 bytes (1432 bits)" size="0" pos="0" show="179"/>
1673 <field name="frame.marked" showname="Frame is marked: False" size="0" pos="0" show="0"/>
1674 <field name="frame.ignored" showname="Frame is ignored: False" size="0" pos="0" show="0"/>
1675 <field name="frame.protocols" showname="Protocols in frame: raw:ip:tcp:ldap:gss-api:spnego-krb5" size="0" pos="0" show="raw:ip:tcp:ldap:gss-api:spnego-krb5"/>
1676 </proto>
<!-- Raw packet data entry: spans all 179 bytes from offset 0 and has no fields of its own. -->
1677 <proto name="raw" showname="Raw packet data" size="179" pos="0"/>
<!-- IPv4 header: 127.0.0.11 to 127.0.0.21, total length 179, protocol TCP. The header checksum is
     0x0000 and validation was disabled, so checksum_good and checksum_bad are both False and say
     nothing about whether the header is intact. Fields marked hide="yes" are alias entries over
     the same bytes as ip.src and ip.dst. -->
1678 <proto name="ip" showname="Internet Protocol Version 4, Src: 127.0.0.11, Dst: 127.0.0.21" size="20" pos="0">
1679 <field name="ip.version" showname="0100 .... = Version: 4" size="1" pos="0" show="4" value="4" unmaskedvalue="45"/>
1680 <field name="ip.hdr_len" showname=".... 0101 = Header Length: 20 bytes" size="1" pos="0" show="5" value="5" unmaskedvalue="45"/>
1681 <field name="ip.dsfield" showname="Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)" size="1" pos="1" show="0x00000000" value="00">
1682 <field name="ip.dsfield.dscp" showname="0000 00.. = Differentiated Services Codepoint: Default (0)" size="1" pos="1" show="0" value="0" unmaskedvalue="00"/>
1683 <field name="ip.dsfield.ecn" showname=".... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)" size="1" pos="1" show="0" value="0" unmaskedvalue="00"/>
1684 </field>
1685 <field name="ip.len" showname="Total Length: 179" size="2" pos="2" show="179" value="00b3"/>
1686 <field name="ip.id" showname="Identification: 0xffff (65535)" size="2" pos="4" show="0x0000ffff" value="ffff"/>
1687 <field name="ip.flags" showname="Flags: 0x02 (Don&#x27;t Fragment)" size="1" pos="6" show="0x00000002" value="40">
1688 <field name="ip.flags.rb" showname="0... .... = Reserved bit: Not set" size="1" pos="6" show="0" value="40"/>
1689 <field name="ip.flags.df" showname=".1.. .... = Don&#x27;t fragment: Set" size="1" pos="6" show="1" value="40"/>
1690 <field name="ip.flags.mf" showname="..0. .... = More fragments: Not set" size="1" pos="6" show="0" value="40"/>
1691 </field>
1692 <field name="ip.frag_offset" showname="Fragment offset: 0" size="2" pos="6" show="0" value="4000"/>
1693 <field name="ip.ttl" showname="Time to live: 255" size="1" pos="8" show="255" value="ff"/>
1694 <field name="ip.proto" showname="Protocol: TCP (6)" size="1" pos="9" show="6" value="06"/>
1695 <field name="ip.checksum" showname="Header checksum: 0x0000 [validation disabled]" size="2" pos="10" show="0x00000000" value="0000">
1696 <field name="ip.checksum_good" showname="Good: False" size="2" pos="10" show="0" value="0000"/>
1697 <field name="ip.checksum_bad" showname="Bad: False" size="2" pos="10" show="0" value="0000"/>
1698 </field>
1699 <field name="ip.src" showname="Source: 127.0.0.11" size="4" pos="12" show="127.0.0.11" value="7f00000b"/>
1700 <field name="ip.addr" showname="Source or Destination Address: 127.0.0.11" hide="yes" size="4" pos="12" show="127.0.0.11" value="7f00000b"/>
1701 <field name="ip.src_host" showname="Source Host: 127.0.0.11" hide="yes" size="4" pos="12" show="127.0.0.11" value="7f00000b"/>
1702 <field name="ip.host" showname="Source or Destination Host: 127.0.0.11" hide="yes" size="4" pos="12" show="127.0.0.11" value="7f00000b"/>
1703 <field name="ip.dst" showname="Destination: 127.0.0.21" size="4" pos="16" show="127.0.0.21" value="7f000015"/>
1704 <field name="ip.addr" showname="Source or Destination Address: 127.0.0.21" hide="yes" size="4" pos="16" show="127.0.0.21" value="7f000015"/>
1705 <field name="ip.dst_host" showname="Destination Host: 127.0.0.21" hide="yes" size="4" pos="16" show="127.0.0.21" value="7f000015"/>
1706 <field name="ip.host" showname="Source or Destination Host: 127.0.0.21" hide="yes" size="4" pos="16" show="127.0.0.21" value="7f000015"/>
1707 <field name="" show="Source GeoIP: Unknown" size="4" pos="12" value="7f00000b"/>
1708 <field name="" show="Destination GeoIP: Unknown" size="4" pos="16" value="7f000015"/>
1709 </proto>
<!-- TCP header for stream 92: source port 14849 to destination port 389, flags PSH and ACK,
     139 payload bytes. Sequence and acknowledgment numbers in show/showname are relative values;
     the value attributes hold the raw header bytes. The checksum is 0x0000 with validation
     disabled, so the Good/Bad flags carry no information. tcp.pdu.size spans the full 139-byte
     PDU starting at offset 40. -->
1710 <proto name="tcp" showname="Transmission Control Protocol, Src Port: 14849 (14849), Dst Port: 389 (389), Seq: 6557, Ack: 992, Len: 139" size="20" pos="20">
1711 <field name="tcp.srcport" showname="Source Port: 14849" size="2" pos="20" show="14849" value="3a01"/>
1712 <field name="tcp.dstport" showname="Destination Port: 389" size="2" pos="22" show="389" value="0185"/>
1713 <field name="tcp.port" showname="Source or Destination Port: 14849" hide="yes" size="2" pos="20" show="14849" value="3a01"/>
1714 <field name="tcp.port" showname="Source or Destination Port: 389" hide="yes" size="2" pos="22" show="389" value="0185"/>
1715 <field name="tcp.stream" showname="Stream index: 92" size="0" pos="20" show="92"/>
1716 <field name="tcp.len" showname="TCP Segment Len: 139" size="1" pos="32" show="139" value="50"/>
1717 <field name="tcp.seq" showname="Sequence number: 6557 (relative sequence number)" size="4" pos="24" show="6557" value="0000199d"/>
1718 <field name="tcp.nxtseq" showname="Next sequence number: 6696 (relative sequence number)" size="0" pos="20" show="6696"/>
1719 <field name="tcp.ack" showname="Acknowledgment number: 992 (relative ack number)" size="4" pos="28" show="992" value="000003e0"/>
1720 <field name="tcp.hdr_len" showname="Header Length: 20 bytes" size="1" pos="32" show="20" value="50"/>
1721 <field name="tcp.flags" showname="Flags: 0x018 (PSH, ACK)" size="2" pos="32" show="0x00000018" value="18" unmaskedvalue="5018">
1722 <field name="tcp.flags.res" showname="000. .... .... = Reserved: Not set" size="1" pos="32" show="0" value="0" unmaskedvalue="50"/>
1723 <field name="tcp.flags.ns" showname="...0 .... .... = Nonce: Not set" size="1" pos="32" show="0" value="0" unmaskedvalue="50"/>
1724 <field name="tcp.flags.cwr" showname=".... 0... .... = Congestion Window Reduced (CWR): Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
1725 <field name="tcp.flags.ecn" showname=".... .0.. .... = ECN-Echo: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
1726 <field name="tcp.flags.urg" showname=".... ..0. .... = Urgent: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
1727 <field name="tcp.flags.ack" showname=".... ...1 .... = Acknowledgment: Set" size="1" pos="33" show="1" value="FFFFFFFF" unmaskedvalue="18"/>
1728 <field name="tcp.flags.push" showname=".... .... 1... = Push: Set" size="1" pos="33" show="1" value="FFFFFFFF" unmaskedvalue="18"/>
1729 <field name="tcp.flags.reset" showname=".... .... .0.. = Reset: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
1730 <field name="tcp.flags.syn" showname=".... .... ..0. = Syn: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
1731 <field name="tcp.flags.fin" showname=".... .... ...0 = Fin: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
1732 <field name="tcp.flags.str" showname="TCP Flags: *******AP***" size="2" pos="32" show="*******AP***" value="5018"/>
1733 </field>
1734 <field name="tcp.window_size_value" showname="Window size value: 32767" size="2" pos="34" show="32767" value="7fff"/>
1735 <field name="tcp.window_size" showname="Calculated window size: 32767" size="2" pos="34" show="32767" value="7fff"/>
1736 <field name="tcp.window_size_scalefactor" showname="Window size scaling factor: -2 (no window scaling used)" size="2" pos="34" show="-2" value="7fff"/>
1737 <field name="tcp.checksum" showname="Checksum: 0x0000 [validation disabled]" size="2" pos="36" show="0x00000000" value="0000">
1738 <field name="tcp.checksum_good" showname="Good Checksum: False" size="2" pos="36" show="0" value="0000"/>
1739 <field name="tcp.checksum_bad" showname="Bad Checksum: False" size="2" pos="36" show="0" value="0000"/>
1740 </field>
1741 <field name="tcp.urgent_pointer" showname="Urgent pointer: 0" size="2" pos="38" show="0" value="0000"/>
1742 <field name="tcp.analysis" showname="SEQ/ACK analysis" size="0" pos="20" show="" value="">
1743 <field name="tcp.analysis.acks_frame" showname="This is an ACK to the segment in frame: 4573" size="0" pos="20" show="4573"/>
1744 <field name="tcp.analysis.ack_rtt" showname="The RTT to ACK the segment was: 0.000145000 seconds" size="0" pos="20" show="0.000145000"/>
1745 <field name="tcp.analysis.initial_rtt" showname="iRTT: 0.000019000 seconds" size="0" pos="20" show="0.000019000"/>
1746 <field name="tcp.analysis.bytes_in_flight" showname="Bytes in flight: 139" size="0" pos="20" show="139"/>
1747 </field>
1748 <field name="tcp.pdu.size" showname="PDU Size: 139" size="139" pos="40" show="139" value="00000087050404ff000c000c000000001b8a1304757134702161c76a250240643069020106636404443c574b475549443d32464241433138373041444531314432393743343030433034464438443543442c44433d73616d62612c44433d6578616d706c652c44433d636f6d3e0a01020a0100020100020100010100870b6f626a656374436c6173733000"/>
1749 </proto>
<!-- LDAP message carried in a SASL buffer: a 4-byte length (135), a 28-byte GSS-API Kerberos CFX wrap token at pos 44, then a 107-byte payload at pos 72. -->
<!-- The wrap token's flags show "Sealed: Not set", and the payload bytes decode directly as the searchRequest below (messageID 6, wholeSubtree, filter objectClass present), so the request content is readable in this capture. -->
<!-- A 12-byte sgn_cksum is present; nothing in this file shows whether it was verified. NOTE(review): consumers should read these fields as "wrapped, not sealed", not as evidence of confidentiality. -->
1750 <proto name="ldap" showname="Lightweight Directory Access Protocol" size="139" pos="40">
1751 <field name="ldap.sasl_buffer_length" showname="SASL Buffer Length: 135" size="4" pos="40" show="135" value="00000087"/>
1752 <field name="" show="SASL Buffer" size="139" pos="40" value="00000087050404ff000c000c000000001b8a1304757134702161c76a250240643069020106636404443c574b475549443d32464241433138373041444531314432393743343030433034464438443543442c44433d73616d62612c44433d6578616d706c652c44433d636f6d3e0a01020a0100020100020100010100870b6f626a656374436c6173733000">
1753 <proto name="gss-api" showname="GSS-API Generic Security Service Application Program Interface" size="28" pos="44">
1754 <field name="spnego.krb5.blob" showname="krb5_blob: 050404ff000c000c000000001b8a1304757134702161c76a..." size="28" pos="44" show="05:04:04:ff:00:0c:00:0c:00:00:00:00:1b:8a:13:04:75:71:34:70:21:61:c7:6a:25:02:40:64" value="050404ff000c000c000000001b8a1304757134702161c76a25024064">
1755 <field name="spnego.krb5.tok_id" showname="krb5_tok_id: KRB_TOKEN_CFX_WRAP (0x0405)" size="2" pos="44" show="0x00000405" value="0504"/>
1756 <field name="spnego.krb5.cfx_flags" showname="krb5_cfx_flags: 0x04, AcceptorSubkey" size="1" pos="46" show="0x00000004" value="04">
1757 <field name="spnego.krb5.acceptor_subkey" showname=".... .1.. = AcceptorSubkey: Set" size="1" pos="46" show="1" value="FFFFFFFF" unmaskedvalue="04"/>
1758 <field name="spnego.krb5.sealed" showname=".... ..0. = Sealed: Not set" size="1" pos="46" show="0" value="0" unmaskedvalue="04"/>
1759 <field name="spnego.krb5.send_by_acceptor" showname=".... ...0 = SendByAcceptor: Not set" size="1" pos="46" show="0" value="0" unmaskedvalue="04"/>
1760 </field>
1761 <field name="spnego.krb5.filler" showname="krb5_filler: ff" size="1" pos="47" show="ff" value="ff"/>
1762 <field name="spnego.krb5.cfx_ec" showname="krb5_cfx_ec: 12" size="2" pos="48" show="12" value="000c"/>
1763 <field name="spnego.krb5.cfx_rrc" showname="krb5_cfx_rrc: 12" size="2" pos="50" show="12" value="000c"/>
1764 <field name="spnego.krb5.cfx_seq" showname="krb5_cfx_seq: 462033668" size="8" pos="52" show="462033668" value="000000001b8a1304"/>
1765 <field name="spnego.krb5.sgn_cksum" showname="krb5_sgn_cksum: 757134702161c76a25024064" size="12" pos="60" show="75:71:34:70:21:61:c7:6a:25:02:40:64" value="757134702161c76a25024064"/>
1766 </field>
1767 </proto>
1768 <field name="" show="GSS-API payload (107 bytes)" size="107" pos="72" value="3069020106636404443c574b475549443d32464241433138373041444531314432393743343030433034464438443543442c44433d73616d62612c44433d6578616d706c652c44433d636f6d3e0a01020a0100020100020100010100870b6f626a656374436c6173733000">
1769 <field name="ldap.LDAPMessage_element" showname="LDAPMessage searchRequest(6) &quot;&lt;WKGUID=2FBAC1870ADE11D297C400C04FD8D5CD,DC=samba,DC=example,DC=com&gt;&quot; wholeSubtree" size="107" pos="72" show="" value="">
1770 <field name="ldap.messageID" showname="messageID: 6" size="1" pos="76" show="6" value="06"/>
1771 <field name="ldap.protocolOp" showname="protocolOp: searchRequest (3)" size="102" pos="77" show="3" value="636404443c574b475549443d32464241433138373041444531314432393743343030433034464438443543442c44433d73616d62612c44433d6578616d706c652c44433d636f6d3e0a01020a0100020100020100010100870b6f626a656374436c6173733000">
1772 <field name="ldap.searchRequest_element" showname="searchRequest" size="100" pos="79" show="" value="">
1773 <field name="ldap.baseObject" showname="baseObject: &lt;WKGUID=2FBAC1870ADE11D297C400C04FD8D5CD,DC=samba,DC=example,DC=com&gt;" size="68" pos="81" show="&lt;WKGUID=2FBAC1870ADE11D297C400C04FD8D5CD,DC=samba,DC=example,DC=com&gt;" value="3c574b475549443d32464241433138373041444531314432393743343030433034464438443543442c44433d73616d62612c44433d6578616d706c652c44433d636f6d3e"/>
1774 <field name="ldap.scope" showname="scope: wholeSubtree (2)" size="1" pos="151" show="2" value="02"/>
1775 <field name="ldap.derefAliases" showname="derefAliases: neverDerefAliases (0)" size="1" pos="154" show="0" value="00"/>
1776 <field name="ldap.sizeLimit" showname="sizeLimit: 0" size="1" pos="157" show="0" value="00"/>
1777 <field name="ldap.timeLimit" showname="timeLimit: 0" size="1" pos="160" show="0" value="00"/>
1778 <field name="ldap.typesOnly" showname="typesOnly: False" size="1" pos="163" show="0" value="00"/>
1779 <field name="" show="Filter: (objectClass=*)" size="13" pos="164" value="870b6f626a656374436c617373">
1780 <field name="ldap.filter" showname="filter: present (7)" size="11" pos="166" show="7" value="6f626a656374436c617373">
1781 <field name="ldap.present" showname="present: objectClass" size="11" pos="166" show="objectClass" value="6f626a656374436c617373"/>
1782 </field>
1783 </field>
1784 <field name="ldap.attributes" showname="attributes: 0 items" size="0" pos="179" show="0"/>
1785 </field>
1786 </field>
1787 </field>
1788 </field>
1789 </field>
1790 </proto>
1791 </packet>
1793 <packet>
<!-- Capture metadata for frame 462: 167 bytes on the wire and 167 captured, so the frame is not truncated. -->
<!-- For num, len and caplen the value attribute is the hex form of show (1ce = 462, a7 = 167); timestamp keeps the epoch seconds in value and the local-time rendering in show. -->
1794 <proto name="geninfo" pos="0" showname="General information" size="167">
1795 <field name="num" pos="0" show="462" showname="Number" value="1ce" size="167"/>
1796 <field name="len" pos="0" show="167" showname="Frame Length" value="a7" size="167"/>
1797 <field name="caplen" pos="0" show="167" showname="Captured Length" value="a7" size="167"/>
1798 <field name="timestamp" pos="0" show="Feb 13, 2017 10:17:16.150107000 NZDT" showname="Captured Time" value="1486934236.150107000" size="167"/>
1799 </proto>
<!-- Frame-level summary for frame 462. Every field here has size="0" and no value attribute: these are figures reported about the frame, not bytes taken from it. -->
<!-- Encapsulation is Raw IP, and frame.protocols lists raw:ipv6:tcp:nbss:smb, so there is no link-layer header in this capture. -->
1800 <proto name="frame" showname="Frame 462: 167 bytes on wire (1336 bits), 167 bytes captured (1336 bits)" size="167" pos="0">
1801 <field name="frame.encap_type" showname="Encapsulation type: Raw IP (7)" size="0" pos="0" show="7"/>
1802 <field name="frame.time" showname="Arrival Time: Feb 13, 2017 10:17:16.150107000 NZDT" size="0" pos="0" show="Feb 13, 2017 10:17:16.150107000 NZDT"/>
1803 <field name="frame.offset_shift" showname="Time shift for this packet: 0.000000000 seconds" size="0" pos="0" show="0.000000000"/>
1804 <field name="frame.time_epoch" showname="Epoch Time: 1486934236.150107000 seconds" size="0" pos="0" show="1486934236.150107000"/>
1805 <field name="frame.time_delta" showname="Time delta from previous captured frame: 0.000165000 seconds" size="0" pos="0" show="0.000165000"/>
1806 <field name="frame.time_delta_displayed" showname="Time delta from previous displayed frame: 0.000165000 seconds" size="0" pos="0" show="0.000165000"/>
1807 <field name="frame.time_relative" showname="Time since reference or first frame: 465.527666000 seconds" size="0" pos="0" show="465.527666000"/>
1808 <field name="frame.number" showname="Frame Number: 462" size="0" pos="0" show="462"/>
1809 <field name="frame.len" showname="Frame Length: 167 bytes (1336 bits)" size="0" pos="0" show="167"/>
1810 <field name="frame.cap_len" showname="Capture Length: 167 bytes (1336 bits)" size="0" pos="0" show="167"/>
1811 <field name="frame.marked" showname="Frame is marked: False" size="0" pos="0" show="0"/>
1812 <field name="frame.ignored" showname="Frame is ignored: False" size="0" pos="0" show="0"/>
1813 <field name="frame.protocols" showname="Protocols in frame: raw:ipv6:tcp:nbss:smb" size="0" pos="0" show="raw:ipv6:tcp:nbss:smb"/>
1814 </proto>
<!-- Marker proto for the Raw IP encapsulation: it has no child fields and spans the whole 167-byte frame (pos 0, size 167). -->
1815 <proto name="raw" showname="Raw packet data" size="167" pos="0"/>
<!-- IPv6 header (40 bytes) for traffic from fd00::5357:5f03 to fd00::5357:5f0b. -->
<!-- The payload length field holds 167, the size of the whole frame, although only 127 bytes follow the 40-byte header; the dissector therefore attaches a Warn/Protocol expert item. The hop limit is 0. -->
<!-- NOTE(review): these values look like headers synthesised by the test capture, not produced by a real IP stack (TODO confirm against the capture tooling); a consumer of this fixture should not read the expert warning as a sign of malformed or hostile traffic. -->
<!-- Field names repeat (ipv6.addr and ipv6.host appear once for source and once for destination, marked hide="yes"), so a parser that keys fields by name alone will keep only one of each pair. -->
1816 <proto name="ipv6" showname="Internet Protocol Version 6, Src: fd00::5357:5f03, Dst: fd00::5357:5f0b" size="40" pos="0">
1817 <field name="ipv6.version" showname="0110 .... = Version: 6" size="1" pos="0" show="6" value="6" unmaskedvalue="60"/>
1818 <field name="ip.version" showname="0110 .... = Version: 6 [This field makes the filter match on &quot;ip.version == 6&quot; possible]" hide="yes" size="1" pos="0" show="6" value="6" unmaskedvalue="60"/>
1819 <field name="ipv6.tclass" showname=".... 0000 0000 .... .... .... .... .... = Traffic class: 0x00 (DSCP: CS0, ECN: Not-ECT)" size="4" pos="0" show="0x00000000" value="0" unmaskedvalue="60000000">
1820 <field name="ipv6.tclass.dscp" showname=".... 0000 00.. .... .... .... .... .... = Differentiated Services Codepoint: Default (0)" size="4" pos="0" show="0" value="0" unmaskedvalue="60000000"/>
1821 <field name="ipv6.tclass.ecn" showname=".... .... ..00 .... .... .... .... .... = Explicit Congestion Notification: Not ECN-Capable Transport (0)" size="4" pos="0" show="0" value="0" unmaskedvalue="60000000"/>
1822 </field>
1823 <field name="ipv6.flow" showname=".... .... .... 0000 0000 0000 0000 0000 = Flowlabel: 0x00000000" size="4" pos="0" show="0x00000000" value="0" unmaskedvalue="60000000"/>
1824 <field name="ipv6.plen" showname="Payload length: 167" size="2" pos="4" show="167" value="00a7">
1825 <field name="_ws.expert" showname="Expert Info (Warn/Protocol): IPv6 payload length exceeds framing length (127 bytes)" size="0" pos="4">
1826 <field name="ipv6.bogus_payload_length" showname="IPv6 payload length exceeds framing length (127 bytes)" size="0" pos="0" show="" value=""/>
1827 <field name="_ws.expert.message" showname="Message: IPv6 payload length exceeds framing length (127 bytes)" hide="yes" size="0" pos="0" show="IPv6 payload length exceeds framing length (127 bytes)"/>
1828 <field name="_ws.expert.severity" showname="Severity level: Warn" size="0" pos="0" show="0x00600000"/>
1829 <field name="_ws.expert.group" showname="Group: Protocol" size="0" pos="0" show="0x09000000"/>
1830 </field>
1831 </field>
1832 <field name="ipv6.nxt" showname="Next header: TCP (6)" size="1" pos="6" show="6" value="06"/>
1833 <field name="ipv6.hlim" showname="Hop limit: 0" size="1" pos="7" show="0" value="00"/>
1834 <field name="ipv6.src" showname="Source: fd00::5357:5f03" size="16" pos="8" show="fd00::5357:5f03" value="fd000000000000000000000053575f03"/>
1835 <field name="ipv6.addr" showname="Source or Destination Address: fd00::5357:5f03" hide="yes" size="16" pos="8" show="fd00::5357:5f03" value="fd000000000000000000000053575f03"/>
1836 <field name="ipv6.src_host" showname="Source Host: fd00::5357:5f03" hide="yes" size="16" pos="8" show="fd00::5357:5f03" value="fd000000000000000000000053575f03"/>
1837 <field name="ipv6.host" showname="Source or Destination Host: fd00::5357:5f03" hide="yes" size="16" pos="8" show="fd00::5357:5f03" value="fd000000000000000000000053575f03"/>
1838 <field name="ipv6.dst" showname="Destination: fd00::5357:5f0b" size="16" pos="24" show="fd00::5357:5f0b" value="fd000000000000000000000053575f0b"/>
1839 <field name="ipv6.addr" showname="Source or Destination Address: fd00::5357:5f0b" hide="yes" size="16" pos="24" show="fd00::5357:5f0b" value="fd000000000000000000000053575f0b"/>
1840 <field name="ipv6.dst_host" showname="Destination Host: fd00::5357:5f0b" hide="yes" size="16" pos="24" show="fd00::5357:5f0b" value="fd000000000000000000000053575f0b"/>
1841 <field name="ipv6.host" showname="Source or Destination Host: fd00::5357:5f0b" hide="yes" size="16" pos="24" show="fd00::5357:5f0b" value="fd000000000000000000000053575f0b"/>
1842 <field name="" show="Source GeoIP: Unknown" size="16" pos="8" value="fd000000000000000000000053575f03"/>
1843 <field name="" show="Destination GeoIP: Unknown" size="16" pos="24" value="fd000000000000000000000053575f0b"/>
1844 </proto>
<!-- TCP header (20 bytes) for a segment from port 139 to port 31861 carrying 107 bytes, flags PSH and ACK; sequence and acknowledgment numbers are shown relative. -->
<!-- The checksum is 0x0000 and the dissector reports "validation disabled", with both checksum_good and checksum_bad False, so this fixture says nothing about segment integrity. -->
<!-- Read show, not value, for computed fields: tcp.len has show="107" but value="50", which is the header-length byte at pos 52, and the tcp.analysis children (size="0") are dissector bookkeeping that points at frame 459. -->
<!-- tcp.port appears twice (source and destination, hide="yes"); a parser keyed by field name alone keeps only one. -->
1845 <proto name="tcp" showname="Transmission Control Protocol, Src Port: 139 (139), Dst Port: 31861 (31861), Seq: 822, Ack: 847, Len: 107" size="20" pos="40">
1846 <field name="tcp.srcport" showname="Source Port: 139" size="2" pos="40" show="139" value="008b"/>
1847 <field name="tcp.dstport" showname="Destination Port: 31861" size="2" pos="42" show="31861" value="7c75"/>
1848 <field name="tcp.port" showname="Source or Destination Port: 139" hide="yes" size="2" pos="40" show="139" value="008b"/>
1849 <field name="tcp.port" showname="Source or Destination Port: 31861" hide="yes" size="2" pos="42" show="31861" value="7c75"/>
1850 <field name="tcp.stream" showname="Stream index: 6" size="0" pos="40" show="6"/>
1851 <field name="tcp.len" showname="TCP Segment Len: 107" size="1" pos="52" show="107" value="50"/>
1852 <field name="tcp.seq" showname="Sequence number: 822 (relative sequence number)" size="4" pos="44" show="822" value="00000336"/>
1853 <field name="tcp.nxtseq" showname="Next sequence number: 929 (relative sequence number)" size="0" pos="40" show="929"/>
1854 <field name="tcp.ack" showname="Acknowledgment number: 847 (relative ack number)" size="4" pos="48" show="847" value="0000034f"/>
1855 <field name="tcp.hdr_len" showname="Header Length: 20 bytes" size="1" pos="52" show="20" value="50"/>
1856 <field name="tcp.flags" showname="Flags: 0x018 (PSH, ACK)" size="2" pos="52" show="0x00000018" value="18" unmaskedvalue="5018">
1857 <field name="tcp.flags.res" showname="000. .... .... = Reserved: Not set" size="1" pos="52" show="0" value="0" unmaskedvalue="50"/>
1858 <field name="tcp.flags.ns" showname="...0 .... .... = Nonce: Not set" size="1" pos="52" show="0" value="0" unmaskedvalue="50"/>
1859 <field name="tcp.flags.cwr" showname=".... 0... .... = Congestion Window Reduced (CWR): Not set" size="1" pos="53" show="0" value="0" unmaskedvalue="18"/>
1860 <field name="tcp.flags.ecn" showname=".... .0.. .... = ECN-Echo: Not set" size="1" pos="53" show="0" value="0" unmaskedvalue="18"/>
1861 <field name="tcp.flags.urg" showname=".... ..0. .... = Urgent: Not set" size="1" pos="53" show="0" value="0" unmaskedvalue="18"/>
1862 <field name="tcp.flags.ack" showname=".... ...1 .... = Acknowledgment: Set" size="1" pos="53" show="1" value="FFFFFFFF" unmaskedvalue="18"/>
1863 <field name="tcp.flags.push" showname=".... .... 1... = Push: Set" size="1" pos="53" show="1" value="FFFFFFFF" unmaskedvalue="18"/>
1864 <field name="tcp.flags.reset" showname=".... .... .0.. = Reset: Not set" size="1" pos="53" show="0" value="0" unmaskedvalue="18"/>
1865 <field name="tcp.flags.syn" showname=".... .... ..0. = Syn: Not set" size="1" pos="53" show="0" value="0" unmaskedvalue="18"/>
1866 <field name="tcp.flags.fin" showname=".... .... ...0 = Fin: Not set" size="1" pos="53" show="0" value="0" unmaskedvalue="18"/>
1867 <field name="tcp.flags.str" showname="TCP Flags: *******AP***" size="2" pos="52" show="*******AP***" value="5018"/>
1868 </field>
1869 <field name="tcp.window_size_value" showname="Window size value: 32767" size="2" pos="54" show="32767" value="7fff"/>
1870 <field name="tcp.window_size" showname="Calculated window size: 32767" size="2" pos="54" show="32767" value="7fff"/>
1871 <field name="tcp.window_size_scalefactor" showname="Window size scaling factor: -2 (no window scaling used)" size="2" pos="54" show="-2" value="7fff"/>
1872 <field name="tcp.checksum" showname="Checksum: 0x0000 [validation disabled]" size="2" pos="56" show="0x00000000" value="0000">
1873 <field name="tcp.checksum_good" showname="Good Checksum: False" size="2" pos="56" show="0" value="0000"/>
1874 <field name="tcp.checksum_bad" showname="Bad Checksum: False" size="2" pos="56" show="0" value="0000"/>
1875 </field>
1876 <field name="tcp.urgent_pointer" showname="Urgent pointer: 0" size="2" pos="58" show="0" value="0000"/>
1877 <field name="tcp.analysis" showname="SEQ/ACK analysis" size="0" pos="40" show="" value="">
1878 <field name="tcp.analysis.acks_frame" showname="This is an ACK to the segment in frame: 459" size="0" pos="40" show="459"/>
1879 <field name="tcp.analysis.ack_rtt" showname="The RTT to ACK the segment was: 0.000204000 seconds" size="0" pos="40" show="0.000204000"/>
1880 <field name="tcp.analysis.initial_rtt" showname="iRTT: 0.000024000 seconds" size="0" pos="40" show="0.000024000"/>
1881 <field name="tcp.analysis.bytes_in_flight" showname="Bytes in flight: 107" size="0" pos="40" show="107"/>
1882 </field>
1883 </proto>
<!-- NetBIOS Session Service framing at pos 60: a one-byte message type (0x00, session message) followed by a 3-byte length of 103 (0x000067). -->
<!-- The proto as a whole is sized 107, i.e. the 4 framing bytes plus the 103 bytes they announce. -->
1884 <proto name="nbss" showname="NetBIOS Session Service" size="107" pos="60">
1885 <field name="nbss.type" showname="Message Type: Session message (0x00)" size="1" pos="60" show="0x00000000" value="00"/>
1886 <field name="nbss.length" showname="Length: 103" size="3" pos="61" show="103" value="000067"/>
1887 </proto>
1888 <proto name="smb" showname="SMB (Server Message Block Protocol)" size="103" pos="64">
1889 <field name="" show="SMB Header" size="32" pos="64" value="ff534d42a2000000008803c8000000000000000000000000ac6a6455deec0400">
1890 <field name="smb.server_component" showname="Server Component: SMB" size="4" pos="64" show="0x424d53ff" value="ff534d42"/>
1891 <field name="smb.response_to" showname="Response to: 459" size="0" pos="64" show="459"/>
1892 <field name="smb.time" showname="Time from request: 0.000204000 seconds" size="0" pos="64" show="0.000204000"/>
1893 <field name="smb.cmd" showname="SMB Command: NT Create AndX (0xa2)" size="1" pos="68" show="162" value="a2"/>
1894 <field name="smb.nt_status" showname="NT Status: STATUS_SUCCESS (0x00000000)" size="4" pos="69" show="0" value="00000000"/>
1895 <field name="smb.flags" showname="Flags: 0x88, Request/Response, Case Sensitivity" size="1" pos="73" show="0x00000088" value="88">
1896 <field name="smb.flags.response" showname="1... .... = Request/Response: Message is a response to the client/redirector" size="1" pos="73" show="1" value="FFFFFFFF" unmaskedvalue="88"/>
1897 <field name="smb.flags.notify" showname=".0.. .... = Notify: Notify client only on open" size="1" pos="73" show="0" value="0" unmaskedvalue="88"/>
1898 <field name="smb.flags.oplock" showname="..0. .... = Oplocks: OpLock not requested/granted" size="1" pos="73" show="0" value="0" unmaskedvalue="88"/>
1899 <field name="smb.flags.canon" showname="...0 .... = Canonicalized Pathnames: Pathnames are not canonicalized" size="1" pos="73" show="0" value="0" unmaskedvalue="88"/>
1900 <field name="smb.flags.caseless" showname=".... 1... = Case Sensitivity: Path names are caseless" size="1" pos="73" show="1" value="FFFFFFFF" unmaskedvalue="88"/>
1901 <field name="smb.flags.receive_buffer" showname=".... ..0. = Receive Buffer Posted: Receive buffer has not been posted" size="1" pos="73" show="0" value="0" unmaskedvalue="88"/>
1902 <field name="smb.flags.lock" showname=".... ...0 = Lock and Read: Lock&amp;Read, Write&amp;Unlock are not supported" size="1" pos="73" show="0" value="0" unmaskedvalue="88"/>
1903 </field>
1904 <field name="smb.flags2" showname="Flags2: 0xc803, Unicode Strings, Error Code Type, Extended Security Negotiation, Extended Attributes, Long Names Allowed" size="2" pos="74" show="0x0000c803" value="03c8">
1905 <field name="smb.flags2.string" showname="1... .... .... .... = Unicode Strings: Strings are Unicode" size="2" pos="74" show="1" value="FFFFFFFF" unmaskedvalue="03c8"/>
1906 <field name="smb.flags2.nt_error" showname=".1.. .... .... .... = Error Code Type: Error codes are NT error codes" size="2" pos="74" show="1" value="FFFFFFFF" unmaskedvalue="03c8"/>
1907 <field name="smb.flags2.roe" showname="..0. .... .... .... = Execute-only Reads: Don&#x27;t permit reads if execute-only" size="2" pos="74" show="0" value="0" unmaskedvalue="03c8"/>
1908 <field name="smb.flags2.dfs" showname="...0 .... .... .... = Dfs: Don&#x27;t resolve pathnames with Dfs" size="2" pos="74" show="0" value="0" unmaskedvalue="03c8"/>
1909 <field name="smb.flags2.esn" showname=".... 1... .... .... = Extended Security Negotiation: Extended security negotiation is supported" size="2" pos="74" show="1" value="FFFFFFFF" unmaskedvalue="03c8"/>
1910 <field name="smb.flags2.reparse_path" showname=".... .0.. .... .... = Reparse Path: The request does not use a @GMT reparse path" size="2" pos="74" show="0" value="0" unmaskedvalue="03c8"/>
1911 <field name="smb.flags2.long_names_used" showname=".... .... .0.. .... = Long Names Used: Path names in request are not long file names" size="2" pos="74" show="0" value="0" unmaskedvalue="03c8"/>
1912 <field name="smb.flags2.sec_sig_required" showname=".... .... ...0 .... = Security Signatures Required: Security signatures are not required" size="2" pos="74" show="0" value="0" unmaskedvalue="03c8"/>
1913 <field name="smb.flags2.compressed" showname=".... .... .... 0... = Compressed: Compression is not requested" size="2" pos="74" show="0" value="0" unmaskedvalue="03c8"/>
1914 <field name="smb.flags2.sec_sig" showname=".... .... .... .0.. = Security Signatures: Security signatures are not supported" size="2" pos="74" show="0" value="0" unmaskedvalue="03c8"/>
1915 <field name="smb.flags2.ea" showname=".... .... .... ..1. = Extended Attributes: Extended attributes are supported" size="2" pos="74" show="1" value="FFFFFFFF" unmaskedvalue="03c8"/>
1916 <field name="smb.flags2.long_names_allowed" showname=".... .... .... ...1 = Long Names Allowed: Long file names are allowed in the response" size="2" pos="74" show="1" value="FFFFFFFF" unmaskedvalue="03c8"/>
1917 </field>
1918 <field name="smb.pid.high" showname="Process ID High: 0" size="2" pos="76" show="0" value="0000"/>
1919 <field name="smb.signature" showname="Signature: 0000000000000000" size="8" pos="78" show="00:00:00:00:00:00:00:00" value="0000000000000000"/>
1920 <field name="smb.reserved" showname="Reserved: 0000" size="2" pos="86" show="00:00" value="0000"/>
1921 <field name="smb.tid" showname="Tree ID: 27308 (\\LOCALNT4DC2\IPC$)" size="2" pos="88" show="27308" value="ac6a">
1922 <field name="smb.path" showname="Path: \\LOCALNT4DC2\IPC$" size="0" pos="152" show="\\LOCALNT4DC2\IPC$"/>
1923 <field name="smb.fid.mapped_in" showname="Mapped in: 456" size="0" pos="152" show="456"/>
1924 </field>
1925 <field name="smb.pid" showname="Process ID: 21860" size="2" pos="90" show="21860" value="6455"/>
1926 <field name="smb.uid" showname="User ID: 60638" size="2" pos="92" show="60638" value="deec"/>
1927 <field name="smb.mid" showname="Multiplex ID: 4" size="2" pos="94" show="4" value="0400"/>
1928 </field>
1929 <field name="" show="NT Create AndX Response (0xa2)" size="71" pos="96" value="22ff00000000792b01000000000000000000000000000000000000000000000000000000000000000000000080000000000000000000000000000000000000000200ff05000000">
1930 <field name="smb.wct" showname="Word Count (WCT): 34" size="1" pos="96" show="34" value="22"/>
1931 <field name="smb.cmd" showname="AndXCommand: No further commands (0xff)" size="1" pos="97" show="255" value="ff"/>
1932 <field name="smb.reserved" showname="Reserved: 00" size="1" pos="98" show="00" value="00"/>
1933 <field name="smb.andxoffset" showname="AndXOffset: 0" size="2" pos="99" show="0" value="0000"/>
1934 <field name="smb.oplock.level" showname="Oplock level: No oplock granted (0)" size="1" pos="101" show="0" value="00"/>
1935 <field name="smb.fid" showname="FID: 0x2b79 (\srvsvc)" size="2" pos="102" show="0x00002b79" value="792b">
1936 <field name="smb.fid.opened_in" showname="Opened in: 462" size="0" pos="166" show="462"/>
1937 <field name="smb.file" showname="File Name: \srvsvc" size="0" pos="166" show="\srvsvc"/>
1938 <field name="smb.create_flags" showname="Create Flags: 0x00000000" size="4" pos="166" show="0x00000000" value="ff534d42">
1939 <field name="smb.nt.create.oplock" showname=".... .... .... .... .... .... .... ..0. = Exclusive Oplock: Does NOT request oplock" size="4" pos="64" show="0" value="0" unmaskedvalue="ff534d42"/>
1940 <field name="smb.nt.create.batch_oplock" showname=".... .... .... .... .... .... .... .0.. = Batch Oplock: Does NOT request batch oplock" size="4" pos="64" show="0" value="0" unmaskedvalue="ff534d42"/>
1941 <field name="smb.nt.create.dir" showname=".... .... .... .... .... .... .... 0... = Create Directory: Target of open can be a file" size="4" pos="64" show="0" value="0" unmaskedvalue="ff534d42"/>
1942 <field name="smb.nt.create.ext" showname=".... .... .... .... .... .... ...0 .... = Extended Response: Extended responses NOT required" size="4" pos="64" show="0" value="0" unmaskedvalue="ff534d42"/>
1943 </field>
1944 <field name="smb.access_mask" showname="Access Mask: 0x0002019f" size="4" pos="166" show="0x0002019f" value="ff534d42">
1945 <field name="smb.access.read" showname=".... .... .... .... .... .... .... ...1 = Read: READ access" size="4" pos="64" show="1" value="FFFFFFFF" unmaskedvalue="ff534d42"/>
1946 <field name="smb.access.write" showname=".... .... .... .... .... .... .... ..1. = Write: WRITE access" size="4" pos="64" show="1" value="FFFFFFFF" unmaskedvalue="ff534d42"/>
1947 <field name="smb.access.append" showname=".... .... .... .... .... .... .... .1.. = Append: APPEND access" size="4" pos="64" show="1" value="FFFFFFFF" unmaskedvalue="ff534d42"/>
1948 <field name="smb.access.read_ea" showname=".... .... .... .... .... .... .... 1... = Read EA: READ EXTENDED ATTRIBUTES access" size="4" pos="64" show="1" value="FFFFFFFF" unmaskedvalue="ff534d42"/>
1949 <field name="smb.access.write_ea" showname=".... .... .... .... .... .... ...1 .... = Write EA: WRITE EXTENDED ATTRIBUTES access" size="4" pos="64" show="1" value="FFFFFFFF" unmaskedvalue="ff534d42"/>
1950 <field name="smb.access.execute" showname=".... .... .... .... .... .... ..0. .... = Execute: NO execute access" size="4" pos="64" show="0" value="0" unmaskedvalue="ff534d42"/>
1951 <field name="smb.access.delete_child" showname=".... .... .... .... .... .... .0.. .... = Delete Child: NO delete child access" size="4" pos="64" show="0" value="0" unmaskedvalue="ff534d42"/>
1952 <field name="smb.access.read_attributes" showname=".... .... .... .... .... .... 1... .... = Read Attributes: READ ATTRIBUTES access" size="4" pos="64" show="1" value="FFFFFFFF" unmaskedvalue="ff534d42"/>
1953 <field name="smb.access.write_attributes" showname=".... .... .... .... .... ...1 .... .... = Write Attributes: WRITE ATTRIBUTES access" size="4" pos="64" show="1" value="FFFFFFFF" unmaskedvalue="ff534d42"/>
1954 <field name="smb.access.delete" showname=".... .... .... ...0 .... .... .... .... = Delete: NO delete access" size="4" pos="64" show="0" value="0" unmaskedvalue="ff534d42"/>
1955 <field name="smb.access.read_control" showname=".... .... .... ..1. .... .... .... .... = Read Control: READ ACCESS to owner, group and ACL of the SID" size="4" pos="64" show="1" value="FFFFFFFF" unmaskedvalue="ff534d42"/>
1956 <field name="smb.access.write_dac" showname=".... .... .... .0.. .... .... .... .... = Write DAC: Owner may NOT write to the DAC" size="4" pos="64" show="0" value="0" unmaskedvalue="ff534d42"/>
1957 <field name="smb.access.write_owner" showname=".... .... .... 0... .... .... .... .... = Write Owner: Can NOT write owner (take ownership)" size="4" pos="64" show="0" value="0" unmaskedvalue="ff534d42"/>
1958 <field name="smb.access.synchronize" showname=".... .... ...0 .... .... .... .... .... = Synchronize: Can NOT wait on handle to synchronize on completion of I/O" size="4" pos="64" show="0" value="0" unmaskedvalue="ff534d42"/>
1959 <field name="smb.access.system_security" showname=".... ...0 .... .... .... .... .... .... = System Security: System security is NOT set" size="4" pos="64" show="0" value="0" unmaskedvalue="ff534d42"/>
1960 <field name="smb.access.maximum_allowed" showname=".... ..0. .... .... .... .... .... .... = Maximum Allowed: Maximum allowed is NOT set" size="4" pos="64" show="0" value="0" unmaskedvalue="ff534d42"/>
1961 <field name="smb.access.generic_all" showname="...0 .... .... .... .... .... .... .... = Generic All: Generic all is NOT set" size="4" pos="64" show="0" value="0" unmaskedvalue="ff534d42"/>
1962 <field name="smb.access.generic_execute" showname="..0. .... .... .... .... .... .... .... = Generic Execute: Generic execute is NOT set" size="4" pos="64" show="0" value="0" unmaskedvalue="ff534d42"/>
1963 <field name="smb.access.generic_write" showname=".0.. .... .... .... .... .... .... .... = Generic Write: Generic write is NOT set" size="4" pos="64" show="0" value="0" unmaskedvalue="ff534d42"/>
1964 <field name="smb.access.generic_read" showname="0... .... .... .... .... .... .... .... = Generic Read: Generic read is NOT set" size="4" pos="64" show="0" value="0" unmaskedvalue="ff534d42"/>
1965 </field>
1966 <field name="smb.file_attribute" showname="File Attributes: 0x00000000" size="4" pos="166" show="0x00000000" value="ff534d42">
1967 <field name="smb.file_attribute.read_only" showname=".... .... .... .... .... .... .... ...0 = Read Only: NOT read only" size="4" pos="64" show="0" value="0" unmaskedvalue="ff534d42"/>
1968 <field name="smb.file_attribute.hidden" showname=".... .... .... .... .... .... .... ..0. = Hidden: NOT hidden" size="4" pos="64" show="0" value="0" unmaskedvalue="ff534d42"/>
1969 <field name="smb.file_attribute.system" showname=".... .... .... .... .... .... .... .0.. = System: NOT a system file/dir" size="4" pos="64" show="0" value="0" unmaskedvalue="ff534d42"/>
1970 <field name="smb.file_attribute.volume" showname=".... .... .... .... .... .... .... 0... = Volume ID: NOT a volume ID" size="4" pos="64" show="0" value="0" unmaskedvalue="ff534d42"/>
1971 <field name="smb.file_attribute.directory" showname=".... .... .... .... .... .... ...0 .... = Directory: NOT a directory" size="4" pos="64" show="0" value="0" unmaskedvalue="ff534d42"/>
1972 <field name="smb.file_attribute.archive" showname=".... .... .... .... .... .... ..0. .... = Archive: Has NOT been modified since last archive" size="4" pos="64" show="0" value="0" unmaskedvalue="ff534d42"/>
1973 <field name="smb.file_attribute.device" showname=".... .... .... .... .... .... .0.. .... = Device: NOT a device" size="4" pos="64" show="0" value="0" unmaskedvalue="ff534d42"/>
1974 <field name="smb.file_attribute.normal" showname=".... .... .... .... .... .... 0... .... = Normal: Has some attribute set" size="4" pos="64" show="0" value="0" unmaskedvalue="ff534d42"/>
1975 <field name="smb.file_attribute.temporary" showname=".... .... .... .... .... ...0 .... .... = Temporary: NOT a temporary file" size="4" pos="64" show="0" value="0" unmaskedvalue="ff534d42"/>
1976 <field name="smb.file_attribute.sparse" showname=".... .... .... .... .... ..0. .... .... = Sparse: NOT a sparse file" size="4" pos="64" show="0" value="0" unmaskedvalue="ff534d42"/>
1977 <field name="smb.file_attribute.reparse" showname=".... .... .... .... .... .0.. .... .... = Reparse Point: Does NOT have an associated reparse point" size="4" pos="64" show="0" value="0" unmaskedvalue="ff534d42"/>
1978 <field name="smb.file_attribute.compressed" showname=".... .... .... .... .... 0... .... .... = Compressed: Uncompressed" size="4" pos="64" show="0" value="0" unmaskedvalue="ff534d42"/>
1979 <field name="smb.file_attribute.offline" showname=".... .... .... .... ...0 .... .... .... = Offline: Online" size="4" pos="64" show="0" value="0" unmaskedvalue="ff534d42"/>
1980 <field name="smb.file_attribute.not_content_indexed" showname=".... .... .... .... ..0. .... .... .... = Content Indexed: NOT content indexed" size="4" pos="64" show="0" value="0" unmaskedvalue="ff534d42"/>
1981 <field name="smb.file_attribute.encrypted" showname=".... .... .... .... .0.. .... .... .... = Encrypted: This is NOT an encrypted file" size="4" pos="64" show="0" value="0" unmaskedvalue="ff534d42"/>
1982 </field>
1983 <field name="smb.share_access" showname="Share Access: 0x00000003, Read, Write" size="4" pos="166" show="0x00000003" value="ff534d42">
1984 <field name="smb.share.access.read" showname=".... .... .... .... .... .... .... ...1 = Read: Object can be shared for READ" size="4" pos="64" show="1" value="FFFFFFFF" unmaskedvalue="ff534d42"/>
1985 <field name="smb.share.access.write" showname=".... .... .... .... .... .... .... ..1. = Write: Object can be shared for WRITE" size="4" pos="64" show="1" value="FFFFFFFF" unmaskedvalue="ff534d42"/>
1986 <field name="smb.share.access.delete" showname=".... .... .... .... .... .... .... .0.. = Delete: Object can NOT be shared for delete" size="4" pos="64" show="0" value="0" unmaskedvalue="ff534d42"/>
1987 </field>
1988 <field name="smb.create_options" showname="Create Options: 0x00000000" size="4" pos="166" show="0x00000000" value="ff534d42">
1989 <field name="smb.nt.create_options.directory" showname=".... .... .... .... .... .... .... ...0 = Directory: File being created/opened must not be a directory" size="4" pos="64" show="0" value="0" unmaskedvalue="ff534d42"/>
1990 <field name="smb.nt.create_options.write_through" showname=".... .... .... .... .... .... .... ..0. = Write Through: Writes need not flush buffered data before completing" size="4" pos="64" show="0" value="0" unmaskedvalue="ff534d42"/>
1991 <field name="smb.nt.create_options.sequential_only" showname=".... .... .... .... .... .... .... .0.. = Sequential Only: The file might not only be accessed sequentially" size="4" pos="64" show="0" value="0" unmaskedvalue="ff534d42"/>
1992 <field name="smb.nt.create_options.intermediate_buffering" showname=".... .... .... .... .... .... .... 0... = Intermediate Buffering: Intermediate buffering is allowed" size="4" pos="64" show="0" value="0" unmaskedvalue="ff534d42"/>
1993 <field name="smb.nt.create_options.sync_io_alert" showname=".... .... .... .... .... .... ...0 .... = Sync I/O Alert: Operations NOT necessarily synchronous" size="4" pos="64" show="0" value="0" unmaskedvalue="ff534d42"/>
1994 <field name="smb.nt.create_options.sync_io_nonalert" showname=".... .... .... .... .... .... ..0. .... = Sync I/O Nonalert: Operations NOT necessarily synchronous" size="4" pos="64" show="0" value="0" unmaskedvalue="ff534d42"/>
1995 <field name="smb.nt.create_options.non_directory" showname=".... .... .... .... .... .... .0.. .... = Non-Directory: File being created/opened must be a directory" size="4" pos="64" show="0" value="0" unmaskedvalue="ff534d42"/>
1996 <field name="smb.nt.create_options.create_tree_connection" showname=".... .... .... .... .... .... 0... .... = Create Tree Connection: Create Tree Connections is NOT set" size="4" pos="64" show="0" value="0" unmaskedvalue="ff534d42"/>
1997 <field name="smb.nt.create_options.complete_if_oplocked" showname=".... .... .... .... .... ...0 .... .... = Complete If Oplocked: Complete if oplocked is NOT set" size="4" pos="64" show="0" value="0" unmaskedvalue="ff534d42"/>
1998 <field name="smb.nt.create_options.no_ea_knowledge" showname=".... .... .... .... .... ..0. .... .... = No EA Knowledge: The client understands extended attributes" size="4" pos="64" show="0" value="0" unmaskedvalue="ff534d42"/>
1999 <field name="smb.nt.create_options.eight_dot_three_only" showname=".... .... .... .... .... .0.. .... .... = 8.3 Only: The client understands long file names" size="4" pos="64" show="0" value="0" unmaskedvalue="ff534d42"/>
2000 <field name="smb.nt.create_options.random_access" showname=".... .... .... .... .... 0... .... .... = Random Access: The file will not be accessed randomly" size="4" pos="64" show="0" value="0" unmaskedvalue="ff534d42"/>
2001 <field name="smb.nt.create_options.delete_on_close" showname=".... .... .... .... ...0 .... .... .... = Delete On Close: The file should not be deleted when it is closed" size="4" pos="64" show="0" value="0" unmaskedvalue="ff534d42"/>
2002 <field name="smb.nt.create_options.open_by_fileid" showname=".... .... .... .... ..0. .... .... .... = Open By FileID: OpenByFileID is NOT set" size="4" pos="64" show="0" value="0" unmaskedvalue="ff534d42"/>
2003 <field name="smb.nt.create_options.backup_intent" showname=".... .... .... .... .0.. .... .... .... = Backup Intent: This is a normal create" size="4" pos="64" show="0" value="0" unmaskedvalue="ff534d42"/>
2004 <field name="smb.nt.create_options.no_compression" showname=".... .... .... .... 0... .... .... .... = No Compression: Compression is allowed for Open/Create" size="4" pos="64" show="0" value="0" unmaskedvalue="ff534d42"/>
2005 <field name="smb.nt.create_options.reserve_opfilter" showname=".... .... ...0 .... .... .... .... .... = Reserve Opfilter: Reserve Opfilter is NOT set" size="4" pos="64" show="0" value="0" unmaskedvalue="ff534d42"/>
2006 <field name="smb.nt.create_options.open_reparse_point" showname=".... .... ..0. .... .... .... .... .... = Open Reparse Point: Normal open" size="4" pos="64" show="0" value="0" unmaskedvalue="ff534d42"/>
2007 <field name="smb.nt.create_options.open_no_recall" showname=".... .... .0.. .... .... .... .... .... = Open No Recall: Open no recall is NOT set" size="4" pos="64" show="0" value="0" unmaskedvalue="ff534d42"/>
2008 <field name="smb.nt.create_options.open_for_free_space_query" showname=".... .... 0... .... .... .... .... .... = Open For Free Space query: This is NOT an open for free space query" size="4" pos="64" show="0" value="0" unmaskedvalue="ff534d42"/>
2009 </field>
2010 <field name="smb.create.disposition" showname="Disposition: Open (if file exists open it, else fail) (1)" size="0" pos="166" show="1"/>
2011 </field>
2012 <field name="smb.create.action" showname="Create action: The file existed and was opened (1)" size="4" pos="104" show="1" value="01000000"/>
2013 <field name="smb.create.time" showname="Created: No time specified (0)" size="8" pos="108" show="Jan 1, 1970 12:00:00.000000000 NZST" value="0000000000000000"/>
2014 <field name="smb.access.time" showname="Last Access: No time specified (0)" size="8" pos="116" show="Jan 1, 1970 12:00:00.000000000 NZST" value="0000000000000000"/>
2015 <field name="smb.last_write.time" showname="Last Write: No time specified (0)" size="8" pos="124" show="Jan 1, 1970 12:00:00.000000000 NZST" value="0000000000000000"/>
2016 <field name="smb.change.time" showname="Change: No time specified (0)" size="8" pos="132" show="Jan 1, 1970 12:00:00.000000000 NZST" value="0000000000000000"/>
2017 <field name="smb.file_attribute" showname="File Attributes: 0x00000080" size="4" pos="140" show="0x00000080" value="80000000">
2018 <field name="smb.file_attribute.read_only" showname=".... .... .... .... .... .... .... ...0 = Read Only: NOT read only" size="4" pos="140" show="0" value="0" unmaskedvalue="80000000"/>
2019 <field name="smb.file_attribute.hidden" showname=".... .... .... .... .... .... .... ..0. = Hidden: NOT hidden" size="4" pos="140" show="0" value="0" unmaskedvalue="80000000"/>
2020 <field name="smb.file_attribute.system" showname=".... .... .... .... .... .... .... .0.. = System: NOT a system file/dir" size="4" pos="140" show="0" value="0" unmaskedvalue="80000000"/>
2021 <field name="smb.file_attribute.volume" showname=".... .... .... .... .... .... .... 0... = Volume ID: NOT a volume ID" size="4" pos="140" show="0" value="0" unmaskedvalue="80000000"/>
2022 <field name="smb.file_attribute.directory" showname=".... .... .... .... .... .... ...0 .... = Directory: NOT a directory" size="4" pos="140" show="0" value="0" unmaskedvalue="80000000"/>
2023 <field name="smb.file_attribute.archive" showname=".... .... .... .... .... .... ..0. .... = Archive: Has NOT been modified since last archive" size="4" pos="140" show="0" value="0" unmaskedvalue="80000000"/>
2024 <field name="smb.file_attribute.device" showname=".... .... .... .... .... .... .0.. .... = Device: NOT a device" size="4" pos="140" show="0" value="0" unmaskedvalue="80000000"/>
2025 <field name="smb.file_attribute.normal" showname=".... .... .... .... .... .... 1... .... = Normal: An ordinary file/dir" size="4" pos="140" show="1" value="FFFFFFFF" unmaskedvalue="80000000"/>
2026 <field name="smb.file_attribute.temporary" showname=".... .... .... .... .... ...0 .... .... = Temporary: NOT a temporary file" size="4" pos="140" show="0" value="0" unmaskedvalue="80000000"/>
2027 <field name="smb.file_attribute.sparse" showname=".... .... .... .... .... ..0. .... .... = Sparse: NOT a sparse file" size="4" pos="140" show="0" value="0" unmaskedvalue="80000000"/>
2028 <field name="smb.file_attribute.reparse" showname=".... .... .... .... .... .0.. .... .... = Reparse Point: Does NOT have an associated reparse point" size="4" pos="140" show="0" value="0" unmaskedvalue="80000000"/>
2029 <field name="smb.file_attribute.compressed" showname=".... .... .... .... .... 0... .... .... = Compressed: Uncompressed" size="4" pos="140" show="0" value="0" unmaskedvalue="80000000"/>
2030 <field name="smb.file_attribute.offline" showname=".... .... .... .... ...0 .... .... .... = Offline: Online" size="4" pos="140" show="0" value="0" unmaskedvalue="80000000"/>
2031 <field name="smb.file_attribute.not_content_indexed" showname=".... .... .... .... ..0. .... .... .... = Content Indexed: NOT content indexed" size="4" pos="140" show="0" value="0" unmaskedvalue="80000000"/>
2032 <field name="smb.file_attribute.encrypted" showname=".... .... .... .... .0.. .... .... .... = Encrypted: This is NOT an encrypted file" size="4" pos="140" show="0" value="0" unmaskedvalue="80000000"/>
2033 </field>
2034 <field name="smb.alloc_size" showname="Allocation Size: 0" size="8" pos="144" show="0" value="0000000000000000"/>
2035 <field name="smb.end_of_file" showname="End Of File: 0" size="8" pos="152" show="0" value="0000000000000000"/>
2036 <field name="smb.file_type" showname="File Type: Named pipe in message mode (2)" size="2" pos="160" show="2" value="0200"/>
2037 <field name="smb.ipc_state" showname="IPC State: 0x05ff, Endpoint: Consumer end of pipe, Pipe Type: Message pipe, Read Mode: Read messages from pipe" size="2" pos="162" show="0x000005ff" value="ff05">
2038 <field name="smb.ipc_state.nonblocking" showname="0... .... .... .... = Nonblocking: Reads/writes block if no data available" size="2" pos="162" show="0" value="0" unmaskedvalue="ff05"/>
2039 <field name="smb.ipc_state.endpoint" showname=".0.. .... .... .... = Endpoint: Consumer end of pipe (0)" size="2" pos="162" show="0" value="0" unmaskedvalue="ff05"/>
2040 <field name="smb.ipc_state.pipe_type" showname=".... 01.. .... .... = Pipe Type: Message pipe (1)" size="2" pos="162" show="1" value="1" unmaskedvalue="ff05"/>
2041 <field name="smb.ipc_state.read_mode" showname=".... ..01 .... .... = Read Mode: Read messages from pipe (1)" size="2" pos="162" show="1" value="1" unmaskedvalue="ff05"/>
2042 <field name="smb.ipc_state.icount" showname=".... .... 1111 1111 = Icount: 255" size="2" pos="162" show="255" value="FF" unmaskedvalue="ff05"/>
2043 </field>
2044 <field name="smb.is_directory" showname="Is Directory: This is NOT a directory (0)" size="1" pos="164" show="0" value="00"/>
2045 <field name="smb.bcc" showname="Byte Count (BCC): 0" size="2" pos="165" show="0" value="0000"/>
2046 </field>
2047 </proto>
2048 </packet>
2050 <packet>
<!-- geninfo: capture-level metadata Wireshark adds for frame 465; these are not bytes from the wire.
     For num, len and caplen, "show" is the decimal value and "value" the same number in hex
     (1d1 = 465, dc = 220). len and caplen are both 220, so the frame was captured in full. -->
2051 <proto name="geninfo" pos="0" showname="General information" size="220">
2052 <field name="num" pos="0" show="465" showname="Number" value="1d1" size="220"/>
2053 <field name="len" pos="0" show="220" showname="Frame Length" value="dc" size="220"/>
2054 <field name="caplen" pos="0" show="220" showname="Captured Length" value="dc" size="220"/>
2055 <field name="timestamp" pos="0" show="Feb 13, 2017 10:17:16.150278000 NZDT" showname="Captured Time" value="1486934236.150278000" size="220"/>
2056 </proto>
<!-- frame: Wireshark's per-frame summary for frame 465. Every field here carries size="0" pos="0",
     i.e. none of them maps to a byte range of the packet.
     frame.protocols lists the dissected stack raw:ipv6:tcp:nbss:smb:dcerpc, so this frame is
     DCE/RPC carried inside SMB over a NetBIOS session. -->
2057 <proto name="frame" showname="Frame 465: 220 bytes on wire (1760 bits), 220 bytes captured (1760 bits)" size="220" pos="0">
2058 <field name="frame.encap_type" showname="Encapsulation type: Raw IP (7)" size="0" pos="0" show="7"/>
2059 <field name="frame.time" showname="Arrival Time: Feb 13, 2017 10:17:16.150278000 NZDT" size="0" pos="0" show="Feb 13, 2017 10:17:16.150278000 NZDT"/>
2060 <field name="frame.offset_shift" showname="Time shift for this packet: 0.000000000 seconds" size="0" pos="0" show="0.000000000"/>
2061 <field name="frame.time_epoch" showname="Epoch Time: 1486934236.150278000 seconds" size="0" pos="0" show="1486934236.150278000"/>
2062 <field name="frame.time_delta" showname="Time delta from previous captured frame: 0.000134000 seconds" size="0" pos="0" show="0.000134000"/>
2063 <field name="frame.time_delta_displayed" showname="Time delta from previous displayed frame: 0.000134000 seconds" size="0" pos="0" show="0.000134000"/>
2064 <field name="frame.time_relative" showname="Time since reference or first frame: 465.527837000 seconds" size="0" pos="0" show="465.527837000"/>
2065 <field name="frame.number" showname="Frame Number: 465" size="0" pos="0" show="465"/>
2066 <field name="frame.len" showname="Frame Length: 220 bytes (1760 bits)" size="0" pos="0" show="220"/>
2067 <field name="frame.cap_len" showname="Capture Length: 220 bytes (1760 bits)" size="0" pos="0" show="220"/>
2068 <field name="frame.marked" showname="Frame is marked: False" size="0" pos="0" show="0"/>
2069 <field name="frame.ignored" showname="Frame is ignored: False" size="0" pos="0" show="0"/>
2070 <field name="frame.protocols" showname="Protocols in frame: raw:ipv6:tcp:nbss:smb:dcerpc" size="0" pos="0" show="raw:ipv6:tcp:nbss:smb:dcerpc"/>
2071 </proto>
<!-- raw: layer for the "Raw IP" encapsulation reported in frame.encap_type; it spans all 220 bytes
     of the frame and has no fields of its own. -->
2072 <proto name="raw" showname="Raw packet data" size="220" pos="0"/>
<!-- ipv6: 40-byte IPv6 header, fd00::5357:5f0b to fd00::5357:5f03 (both in the fd00::/8 unique
     local range), next header TCP.
     NOTE(review): ipv6.plen is 220, but the whole frame is 220 bytes including this 40-byte header,
     so Wireshark attaches the expert warning "IPv6 payload length exceeds framing length (180 bytes)".
     The hop limit is also 0. Presumably both are artefacts of how the selftest capture is produced;
     confirm before relying on it. In a capture from a real network either one would be worth a
     closer look.
     Fields marked hide="yes" repeat a visible field under an alias name; the ip.version one states
     that it exists so a display filter can match on it. The two name="" GeoIP fields have no
     filter name at all, so consumers keyed on "name" must tolerate an empty string. -->
2073 <proto name="ipv6" showname="Internet Protocol Version 6, Src: fd00::5357:5f0b, Dst: fd00::5357:5f03" size="40" pos="0">
2074 <field name="ipv6.version" showname="0110 .... = Version: 6" size="1" pos="0" show="6" value="6" unmaskedvalue="60"/>
2075 <field name="ip.version" showname="0110 .... = Version: 6 [This field makes the filter match on &quot;ip.version == 6&quot; possible]" hide="yes" size="1" pos="0" show="6" value="6" unmaskedvalue="60"/>
2076 <field name="ipv6.tclass" showname=".... 0000 0000 .... .... .... .... .... = Traffic class: 0x00 (DSCP: CS0, ECN: Not-ECT)" size="4" pos="0" show="0x00000000" value="0" unmaskedvalue="60000000">
2077 <field name="ipv6.tclass.dscp" showname=".... 0000 00.. .... .... .... .... .... = Differentiated Services Codepoint: Default (0)" size="4" pos="0" show="0" value="0" unmaskedvalue="60000000"/>
2078 <field name="ipv6.tclass.ecn" showname=".... .... ..00 .... .... .... .... .... = Explicit Congestion Notification: Not ECN-Capable Transport (0)" size="4" pos="0" show="0" value="0" unmaskedvalue="60000000"/>
2079 </field>
2080 <field name="ipv6.flow" showname=".... .... .... 0000 0000 0000 0000 0000 = Flowlabel: 0x00000000" size="4" pos="0" show="0x00000000" value="0" unmaskedvalue="60000000"/>
2081 <field name="ipv6.plen" showname="Payload length: 220" size="2" pos="4" show="220" value="00dc">
2082 <field name="_ws.expert" showname="Expert Info (Warn/Protocol): IPv6 payload length exceeds framing length (180 bytes)" size="0" pos="4">
2083 <field name="ipv6.bogus_payload_length" showname="IPv6 payload length exceeds framing length (180 bytes)" size="0" pos="0" show="" value=""/>
2084 <field name="_ws.expert.message" showname="Message: IPv6 payload length exceeds framing length (180 bytes)" hide="yes" size="0" pos="0" show="IPv6 payload length exceeds framing length (180 bytes)"/>
2085 <field name="_ws.expert.severity" showname="Severity level: Warn" size="0" pos="0" show="0x00600000"/>
2086 <field name="_ws.expert.group" showname="Group: Protocol" size="0" pos="0" show="0x09000000"/>
2087 </field>
2088 </field>
2089 <field name="ipv6.nxt" showname="Next header: TCP (6)" size="1" pos="6" show="6" value="06"/>
2090 <field name="ipv6.hlim" showname="Hop limit: 0" size="1" pos="7" show="0" value="00"/>
2091 <field name="ipv6.src" showname="Source: fd00::5357:5f0b" size="16" pos="8" show="fd00::5357:5f0b" value="fd000000000000000000000053575f0b"/>
2092 <field name="ipv6.addr" showname="Source or Destination Address: fd00::5357:5f0b" hide="yes" size="16" pos="8" show="fd00::5357:5f0b" value="fd000000000000000000000053575f0b"/>
2093 <field name="ipv6.src_host" showname="Source Host: fd00::5357:5f0b" hide="yes" size="16" pos="8" show="fd00::5357:5f0b" value="fd000000000000000000000053575f0b"/>
2094 <field name="ipv6.host" showname="Source or Destination Host: fd00::5357:5f0b" hide="yes" size="16" pos="8" show="fd00::5357:5f0b" value="fd000000000000000000000053575f0b"/>
2095 <field name="ipv6.dst" showname="Destination: fd00::5357:5f03" size="16" pos="24" show="fd00::5357:5f03" value="fd000000000000000000000053575f03"/>
2096 <field name="ipv6.addr" showname="Source or Destination Address: fd00::5357:5f03" hide="yes" size="16" pos="24" show="fd00::5357:5f03" value="fd000000000000000000000053575f03"/>
2097 <field name="ipv6.dst_host" showname="Destination Host: fd00::5357:5f03" hide="yes" size="16" pos="24" show="fd00::5357:5f03" value="fd000000000000000000000053575f03"/>
2098 <field name="ipv6.host" showname="Source or Destination Host: fd00::5357:5f03" hide="yes" size="16" pos="24" show="fd00::5357:5f03" value="fd000000000000000000000053575f03"/>
2099 <field name="" show="Source GeoIP: Unknown" size="16" pos="8" value="fd000000000000000000000053575f0b"/>
2100 <field name="" show="Destination GeoIP: Unknown" size="16" pos="24" value="fd000000000000000000000053575f03"/>
2101 </proto>
<!-- tcp: 20-byte TCP header, port 31861 to port 139, flags PSH+ACK, 160 bytes of segment data,
     stream index 6.
     tcp.checksum is 0x0000 and marked "validation disabled": checksum_good and checksum_bad are
     both False, which here means "not checked", not "verified correct".
     "value" is the raw byte content at "pos", not the decoded number: tcp.len (160) and
     tcp.hdr_len (20) both show value="50" for the byte at pos 52, so read "show" for the number.
     Sequence and ack numbers in "show" are labelled relative by Wireshark. The tcp.analysis.*
     fields (size="0") are computed across frames, e.g. acks_frame points at frame 462. -->
2102 <proto name="tcp" showname="Transmission Control Protocol, Src Port: 31861 (31861), Dst Port: 139 (139), Seq: 847, Ack: 929, Len: 160" size="20" pos="40">
2103 <field name="tcp.srcport" showname="Source Port: 31861" size="2" pos="40" show="31861" value="7c75"/>
2104 <field name="tcp.dstport" showname="Destination Port: 139" size="2" pos="42" show="139" value="008b"/>
2105 <field name="tcp.port" showname="Source or Destination Port: 31861" hide="yes" size="2" pos="40" show="31861" value="7c75"/>
2106 <field name="tcp.port" showname="Source or Destination Port: 139" hide="yes" size="2" pos="42" show="139" value="008b"/>
2107 <field name="tcp.stream" showname="Stream index: 6" size="0" pos="40" show="6"/>
2108 <field name="tcp.len" showname="TCP Segment Len: 160" size="1" pos="52" show="160" value="50"/>
2109 <field name="tcp.seq" showname="Sequence number: 847 (relative sequence number)" size="4" pos="44" show="847" value="0000034f"/>
2110 <field name="tcp.nxtseq" showname="Next sequence number: 1007 (relative sequence number)" size="0" pos="40" show="1007"/>
2111 <field name="tcp.ack" showname="Acknowledgment number: 929 (relative ack number)" size="4" pos="48" show="929" value="000003a1"/>
2112 <field name="tcp.hdr_len" showname="Header Length: 20 bytes" size="1" pos="52" show="20" value="50"/>
2113 <field name="tcp.flags" showname="Flags: 0x018 (PSH, ACK)" size="2" pos="52" show="0x00000018" value="18" unmaskedvalue="5018">
2114 <field name="tcp.flags.res" showname="000. .... .... = Reserved: Not set" size="1" pos="52" show="0" value="0" unmaskedvalue="50"/>
2115 <field name="tcp.flags.ns" showname="...0 .... .... = Nonce: Not set" size="1" pos="52" show="0" value="0" unmaskedvalue="50"/>
2116 <field name="tcp.flags.cwr" showname=".... 0... .... = Congestion Window Reduced (CWR): Not set" size="1" pos="53" show="0" value="0" unmaskedvalue="18"/>
2117 <field name="tcp.flags.ecn" showname=".... .0.. .... = ECN-Echo: Not set" size="1" pos="53" show="0" value="0" unmaskedvalue="18"/>
2118 <field name="tcp.flags.urg" showname=".... ..0. .... = Urgent: Not set" size="1" pos="53" show="0" value="0" unmaskedvalue="18"/>
2119 <field name="tcp.flags.ack" showname=".... ...1 .... = Acknowledgment: Set" size="1" pos="53" show="1" value="FFFFFFFF" unmaskedvalue="18"/>
2120 <field name="tcp.flags.push" showname=".... .... 1... = Push: Set" size="1" pos="53" show="1" value="FFFFFFFF" unmaskedvalue="18"/>
2121 <field name="tcp.flags.reset" showname=".... .... .0.. = Reset: Not set" size="1" pos="53" show="0" value="0" unmaskedvalue="18"/>
2122 <field name="tcp.flags.syn" showname=".... .... ..0. = Syn: Not set" size="1" pos="53" show="0" value="0" unmaskedvalue="18"/>
2123 <field name="tcp.flags.fin" showname=".... .... ...0 = Fin: Not set" size="1" pos="53" show="0" value="0" unmaskedvalue="18"/>
2124 <field name="tcp.flags.str" showname="TCP Flags: *******AP***" size="2" pos="52" show="*******AP***" value="5018"/>
2125 </field>
2126 <field name="tcp.window_size_value" showname="Window size value: 32767" size="2" pos="54" show="32767" value="7fff"/>
2127 <field name="tcp.window_size" showname="Calculated window size: 32767" size="2" pos="54" show="32767" value="7fff"/>
2128 <field name="tcp.window_size_scalefactor" showname="Window size scaling factor: -2 (no window scaling used)" size="2" pos="54" show="-2" value="7fff"/>
2129 <field name="tcp.checksum" showname="Checksum: 0x0000 [validation disabled]" size="2" pos="56" show="0x00000000" value="0000">
2130 <field name="tcp.checksum_good" showname="Good Checksum: False" size="2" pos="56" show="0" value="0000"/>
2131 <field name="tcp.checksum_bad" showname="Bad Checksum: False" size="2" pos="56" show="0" value="0000"/>
2132 </field>
2133 <field name="tcp.urgent_pointer" showname="Urgent pointer: 0" size="2" pos="58" show="0" value="0000"/>
2134 <field name="tcp.analysis" showname="SEQ/ACK analysis" size="0" pos="40" show="" value="">
2135 <field name="tcp.analysis.acks_frame" showname="This is an ACK to the segment in frame: 462" size="0" pos="40" show="462"/>
2136 <field name="tcp.analysis.ack_rtt" showname="The RTT to ACK the segment was: 0.000171000 seconds" size="0" pos="40" show="0.000171000"/>
2137 <field name="tcp.analysis.initial_rtt" showname="iRTT: 0.000024000 seconds" size="0" pos="40" show="0.000024000"/>
2138 <field name="tcp.analysis.bytes_in_flight" showname="Bytes in flight: 160" size="0" pos="40" show="160"/>
2139 </field>
2140 </proto>
<!-- nbss: NetBIOS Session Service framing at pos 60: a 1-byte type (0x00, session message) and a
     3-byte length of 156 (value 00009c), which matches the size="156" of the smb layer that follows. -->
2141 <proto name="nbss" showname="NetBIOS Session Service" size="160" pos="60">
2142 <field name="nbss.type" showname="Message Type: Session message (0x00)" size="1" pos="60" show="0x00000000" value="00"/>
2143 <field name="nbss.length" showname="Length: 156" size="3" pos="61" show="156" value="00009c"/>
2144 </proto>
<!-- smb: SMB1 Trans (0x25) request (smb.flags.response is 0) on tree \\LOCALNT4DC2\IPC$, with
     transaction name \PIPE\.
     The two name="" fields are grouping nodes ("SMB Header", "Trans Request"); their "value" is the
     raw hex of the whole structure, and the named fields nested inside decode parts of it.
     Signing: smb.signature is all zeros, and flags2 reports security signatures as neither
     supported nor required, so this request carries no message signature.
     NOTE(review): presumably expected for selftest traffic; on a production network, unsigned SMB1
     to IPC$ would be worth flagging.
     smb.path and smb.fid.mapped_in have size="0": they are context Wireshark attaches to the tree
     ID (Mapped in: 456, presumably a frame number), not bytes of this packet. -->
2145 <proto name="smb" showname="SMB (Server Message Block Protocol)" size="156" pos="64">
2146 <field name="" show="SMB Header" size="32" pos="64" value="ff534d4225000000001843c8000000000000000000000000ac6a6455deec0500">
2147 <field name="smb.server_component" showname="Server Component: SMB" size="4" pos="64" show="0x424d53ff" value="ff534d42"/>
2148 <field name="smb.cmd" showname="SMB Command: Trans (0x25)" size="1" pos="68" show="37" value="25"/>
2149 <field name="smb.nt_status" showname="NT Status: STATUS_SUCCESS (0x00000000)" size="4" pos="69" show="0" value="00000000"/>
2150 <field name="smb.flags" showname="Flags: 0x18, Canonicalized Pathnames, Case Sensitivity" size="1" pos="73" show="0x00000018" value="18">
2151 <field name="smb.flags.response" showname="0... .... = Request/Response: Message is a request to the server" size="1" pos="73" show="0" value="0" unmaskedvalue="18"/>
2152 <field name="smb.flags.notify" showname=".0.. .... = Notify: Notify client only on open" size="1" pos="73" show="0" value="0" unmaskedvalue="18"/>
2153 <field name="smb.flags.oplock" showname="..0. .... = Oplocks: OpLock not requested/granted" size="1" pos="73" show="0" value="0" unmaskedvalue="18"/>
2154 <field name="smb.flags.canon" showname="...1 .... = Canonicalized Pathnames: Pathnames are canonicalized" size="1" pos="73" show="1" value="FFFFFFFF" unmaskedvalue="18"/>
2155 <field name="smb.flags.caseless" showname=".... 1... = Case Sensitivity: Path names are caseless" size="1" pos="73" show="1" value="FFFFFFFF" unmaskedvalue="18"/>
2156 <field name="smb.flags.receive_buffer" showname=".... ..0. = Receive Buffer Posted: Receive buffer has not been posted" size="1" pos="73" show="0" value="0" unmaskedvalue="18"/>
2157 <field name="smb.flags.lock" showname=".... ...0 = Lock and Read: Lock&amp;Read, Write&amp;Unlock are not supported" size="1" pos="73" show="0" value="0" unmaskedvalue="18"/>
2158 </field>
2159 <field name="smb.flags2" showname="Flags2: 0xc843, Unicode Strings, Error Code Type, Extended Security Negotiation, Long Names Used, Extended Attributes, Long Names Allowed" size="2" pos="74" show="0x0000c843" value="43c8">
2160 <field name="smb.flags2.string" showname="1... .... .... .... = Unicode Strings: Strings are Unicode" size="2" pos="74" show="1" value="FFFFFFFF" unmaskedvalue="43c8"/>
2161 <field name="smb.flags2.nt_error" showname=".1.. .... .... .... = Error Code Type: Error codes are NT error codes" size="2" pos="74" show="1" value="FFFFFFFF" unmaskedvalue="43c8"/>
2162 <field name="smb.flags2.roe" showname="..0. .... .... .... = Execute-only Reads: Don&#x27;t permit reads if execute-only" size="2" pos="74" show="0" value="0" unmaskedvalue="43c8"/>
2163 <field name="smb.flags2.dfs" showname="...0 .... .... .... = Dfs: Don&#x27;t resolve pathnames with Dfs" size="2" pos="74" show="0" value="0" unmaskedvalue="43c8"/>
2164 <field name="smb.flags2.esn" showname=".... 1... .... .... = Extended Security Negotiation: Extended security negotiation is supported" size="2" pos="74" show="1" value="FFFFFFFF" unmaskedvalue="43c8"/>
2165 <field name="smb.flags2.reparse_path" showname=".... .0.. .... .... = Reparse Path: The request does not use a @GMT reparse path" size="2" pos="74" show="0" value="0" unmaskedvalue="43c8"/>
2166 <field name="smb.flags2.long_names_used" showname=".... .... .1.. .... = Long Names Used: Path names in request are long file names" size="2" pos="74" show="1" value="FFFFFFFF" unmaskedvalue="43c8"/>
2167 <field name="smb.flags2.sec_sig_required" showname=".... .... ...0 .... = Security Signatures Required: Security signatures are not required" size="2" pos="74" show="0" value="0" unmaskedvalue="43c8"/>
2168 <field name="smb.flags2.compressed" showname=".... .... .... 0... = Compressed: Compression is not requested" size="2" pos="74" show="0" value="0" unmaskedvalue="43c8"/>
2169 <field name="smb.flags2.sec_sig" showname=".... .... .... .0.. = Security Signatures: Security signatures are not supported" size="2" pos="74" show="0" value="0" unmaskedvalue="43c8"/>
2170 <field name="smb.flags2.ea" showname=".... .... .... ..1. = Extended Attributes: Extended attributes are supported" size="2" pos="74" show="1" value="FFFFFFFF" unmaskedvalue="43c8"/>
2171 <field name="smb.flags2.long_names_allowed" showname=".... .... .... ...1 = Long Names Allowed: Long file names are allowed in the response" size="2" pos="74" show="1" value="FFFFFFFF" unmaskedvalue="43c8"/>
2172 </field>
2173 <field name="smb.pid.high" showname="Process ID High: 0" size="2" pos="76" show="0" value="0000"/>
2174 <field name="smb.signature" showname="Signature: 0000000000000000" size="8" pos="78" show="00:00:00:00:00:00:00:00" value="0000000000000000"/>
2175 <field name="smb.reserved" showname="Reserved: 0000" size="2" pos="86" show="00:00" value="0000"/>
2176 <field name="smb.tid" showname="Tree ID: 27308 (\\LOCALNT4DC2\IPC$)" size="2" pos="88" show="27308" value="ac6a">
2177 <field name="smb.path" showname="Path: \\LOCALNT4DC2\IPC$" size="0" pos="152" show="\\LOCALNT4DC2\IPC$"/>
2178 <field name="smb.fid.mapped_in" showname="Mapped in: 456" size="0" pos="152" show="456"/>
2179 </field>
2180 <field name="smb.pid" showname="Process ID: 21860" size="2" pos="90" show="21860" value="6455"/>
2181 <field name="smb.uid" showname="User ID: 60638" size="2" pos="92" show="60638" value="deec"/>
2182 <field name="smb.mid" showname="Multiplex ID: 5" size="2" pos="94" show="5" value="0500"/>
2183 </field>
2184 <field name="" show="Trans Request (0x25)" size="124" pos="96" value="10000048000000b81000000000000000000000000054004800540002002600792b5900005c0050004900500045005c000000000005000b03100000004800000001000000b810b810000000000100000000000100c84f324b7016d30112785a47bf6ee18803000000045d888aeb1cc9119fe808002b10486002000000">
2185 <field name="smb.wct" showname="Word Count (WCT): 16" size="1" pos="96" show="16" value="10"/>
2186 <field name="smb.tpc" showname="Total Parameter Count: 0" size="2" pos="97" show="0" value="0000"/>
2187 <field name="smb.tdc" showname="Total Data Count: 72" size="2" pos="99" show="72" value="4800"/>
2188 <field name="smb.mpc" showname="Max Parameter Count: 0" size="2" pos="101" show="0" value="0000"/>
2189 <field name="smb.mdc" showname="Max Data Count: 4280" size="2" pos="103" show="4280" value="b810"/>
2190 <field name="smb.msc" showname="Max Setup Count: 0" size="1" pos="105" show="0" value="00"/>
2191 <field name="smb.reserved" showname="Reserved: 00" size="1" pos="106" show="00" value="00"/>
2192 <field name="smb.transaction.flags" showname="Flags: 0x0000" size="2" pos="107" show="0x00000000" value="0000">
2193 <field name="smb.transaction.flags.owt" showname=".... .... .... ..0. = One Way Transaction: Two way transaction" size="2" pos="107" show="0" value="0" unmaskedvalue="0000"/>
2194 <field name="smb.transaction.flags.dtid" showname=".... .... .... ...0 = Disconnect TID: Do NOT disconnect TID" size="2" pos="107" show="0" value="0" unmaskedvalue="0000"/>
2195 </field>
2196 <field name="smb.timeout" showname="Timeout: Return immediately (0)" size="4" pos="109" show="0" value="00000000"/>
2197 <field name="smb.reserved" showname="Reserved: 0000" size="2" pos="113" show="00:00" value="0000"/>
2198 <field name="smb.pc" showname="Parameter Count: 0" size="2" pos="115" show="0" value="0000"/>
2199 <field name="smb.po" showname="Parameter Offset: 84" size="2" pos="117" show="84" value="5400"/>
2200 <field name="smb.dc" showname="Data Count: 72" size="2" pos="119" show="72" value="4800"/>
2201 <field name="smb.data_offset" showname="Data Offset: 84" size="2" pos="121" show="84" value="5400"/>
2202 <field name="smb.sc" showname="Setup Count: 2" size="1" pos="123" show="2" value="02"/>
2203 <field name="smb.reserved" showname="Reserved: 00" size="1" pos="124" show="00" value="00"/>
2204 <field name="smb.bcc" showname="Byte Count (BCC): 89" size="2" pos="129" show="89" value="5900"/>
2205 <field name="smb.trans_name" showname="Transaction Name: \PIPE\" size="14" pos="132" show="\PIPE\" value="5c0050004900500045005c000000"/>
2206 <field name="smb.padding" showname="Padding: 0000" size="2" pos="146" show="00:00" value="0000"/>
2207 </field>
2208 </proto>
2209 <proto name="smb_pipe" showname="SMB Pipe Protocol" size="21" pos="125">
2210 <field name="smb_pipe.function" showname="Function: TransactNmPipe (0x0026)" size="2" pos="125" show="0x00000026" value="2600"/>
2211 <field name="smb.fid" showname="FID: 0x2b79 (\srvsvc)" size="2" pos="127" show="0x00002b79" value="792b">
2212 <field name="smb.fid.opened_in" showname="Opened in: 462" size="0" pos="252" show="462"/>
2213 <field name="smb.file" showname="File Name: \srvsvc" size="0" pos="252" show="\srvsvc"/>
2214 <field name="smb.create_flags" showname="Create Flags: 0x00000000" size="4" pos="252" show="0x00000000" value="2600792b">
2215 <field name="smb.nt.create.oplock" showname=".... .... .... .... .... .... .... ..0. = Exclusive Oplock: Does NOT request oplock" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
2216 <field name="smb.nt.create.batch_oplock" showname=".... .... .... .... .... .... .... .0.. = Batch Oplock: Does NOT request batch oplock" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
2217 <field name="smb.nt.create.dir" showname=".... .... .... .... .... .... .... 0... = Create Directory: Target of open can be a file" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
2218 <field name="smb.nt.create.ext" showname=".... .... .... .... .... .... ...0 .... = Extended Response: Extended responses NOT required" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
2219 </field>
2220 <field name="smb.access_mask" showname="Access Mask: 0x0002019f" size="4" pos="252" show="0x0002019f" value="2600792b">
2221 <field name="smb.access.read" showname=".... .... .... .... .... .... .... ...1 = Read: READ access" size="4" pos="125" show="1" value="FFFFFFFF" unmaskedvalue="2600792b"/>
2222 <field name="smb.access.write" showname=".... .... .... .... .... .... .... ..1. = Write: WRITE access" size="4" pos="125" show="1" value="FFFFFFFF" unmaskedvalue="2600792b"/>
2223 <field name="smb.access.append" showname=".... .... .... .... .... .... .... .1.. = Append: APPEND access" size="4" pos="125" show="1" value="FFFFFFFF" unmaskedvalue="2600792b"/>
2224 <field name="smb.access.read_ea" showname=".... .... .... .... .... .... .... 1... = Read EA: READ EXTENDED ATTRIBUTES access" size="4" pos="125" show="1" value="FFFFFFFF" unmaskedvalue="2600792b"/>
2225 <field name="smb.access.write_ea" showname=".... .... .... .... .... .... ...1 .... = Write EA: WRITE EXTENDED ATTRIBUTES access" size="4" pos="125" show="1" value="FFFFFFFF" unmaskedvalue="2600792b"/>
2226 <field name="smb.access.execute" showname=".... .... .... .... .... .... ..0. .... = Execute: NO execute access" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
2227 <field name="smb.access.delete_child" showname=".... .... .... .... .... .... .0.. .... = Delete Child: NO delete child access" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
2228 <field name="smb.access.read_attributes" showname=".... .... .... .... .... .... 1... .... = Read Attributes: READ ATTRIBUTES access" size="4" pos="125" show="1" value="FFFFFFFF" unmaskedvalue="2600792b"/>
2229 <field name="smb.access.write_attributes" showname=".... .... .... .... .... ...1 .... .... = Write Attributes: WRITE ATTRIBUTES access" size="4" pos="125" show="1" value="FFFFFFFF" unmaskedvalue="2600792b"/>
2230 <field name="smb.access.delete" showname=".... .... .... ...0 .... .... .... .... = Delete: NO delete access" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
2231 <field name="smb.access.read_control" showname=".... .... .... ..1. .... .... .... .... = Read Control: READ ACCESS to owner, group and ACL of the SID" size="4" pos="125" show="1" value="FFFFFFFF" unmaskedvalue="2600792b"/>
2232 <field name="smb.access.write_dac" showname=".... .... .... .0.. .... .... .... .... = Write DAC: Owner may NOT write to the DAC" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
2233 <field name="smb.access.write_owner" showname=".... .... .... 0... .... .... .... .... = Write Owner: Can NOT write owner (take ownership)" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
2234 <field name="smb.access.synchronize" showname=".... .... ...0 .... .... .... .... .... = Synchronize: Can NOT wait on handle to synchronize on completion of I/O" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
2235 <field name="smb.access.system_security" showname=".... ...0 .... .... .... .... .... .... = System Security: System security is NOT set" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
2236 <field name="smb.access.maximum_allowed" showname=".... ..0. .... .... .... .... .... .... = Maximum Allowed: Maximum allowed is NOT set" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
2237 <field name="smb.access.generic_all" showname="...0 .... .... .... .... .... .... .... = Generic All: Generic all is NOT set" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
2238 <field name="smb.access.generic_execute" showname="..0. .... .... .... .... .... .... .... = Generic Execute: Generic execute is NOT set" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
2239 <field name="smb.access.generic_write" showname=".0.. .... .... .... .... .... .... .... = Generic Write: Generic write is NOT set" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
2240 <field name="smb.access.generic_read" showname="0... .... .... .... .... .... .... .... = Generic Read: Generic read is NOT set" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
2241 </field>
2242 <field name="smb.file_attribute" showname="File Attributes: 0x00000000" size="4" pos="252" show="0x00000000" value="2600792b">
2243 <field name="smb.file_attribute.read_only" showname=".... .... .... .... .... .... .... ...0 = Read Only: NOT read only" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
2244 <field name="smb.file_attribute.hidden" showname=".... .... .... .... .... .... .... ..0. = Hidden: NOT hidden" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
2245 <field name="smb.file_attribute.system" showname=".... .... .... .... .... .... .... .0.. = System: NOT a system file/dir" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
2246 <field name="smb.file_attribute.volume" showname=".... .... .... .... .... .... .... 0... = Volume ID: NOT a volume ID" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
2247 <field name="smb.file_attribute.directory" showname=".... .... .... .... .... .... ...0 .... = Directory: NOT a directory" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
2248 <field name="smb.file_attribute.archive" showname=".... .... .... .... .... .... ..0. .... = Archive: Has NOT been modified since last archive" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
2249 <field name="smb.file_attribute.device" showname=".... .... .... .... .... .... .0.. .... = Device: NOT a device" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
2250 <field name="smb.file_attribute.normal" showname=".... .... .... .... .... .... 0... .... = Normal: Has some attribute set" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
2251 <field name="smb.file_attribute.temporary" showname=".... .... .... .... .... ...0 .... .... = Temporary: NOT a temporary file" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
2252 <field name="smb.file_attribute.sparse" showname=".... .... .... .... .... ..0. .... .... = Sparse: NOT a sparse file" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
2253 <field name="smb.file_attribute.reparse" showname=".... .... .... .... .... .0.. .... .... = Reparse Point: Does NOT have an associated reparse point" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
2254 <field name="smb.file_attribute.compressed" showname=".... .... .... .... .... 0... .... .... = Compressed: Uncompressed" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
2255 <field name="smb.file_attribute.offline" showname=".... .... .... .... ...0 .... .... .... = Offline: Online" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
2256 <field name="smb.file_attribute.not_content_indexed" showname=".... .... .... .... ..0. .... .... .... = Content Indexed: NOT content indexed" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
2257 <field name="smb.file_attribute.encrypted" showname=".... .... .... .... .0.. .... .... .... = Encrypted: This is NOT an encrypted file" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
2258 </field>
2259 <field name="smb.share_access" showname="Share Access: 0x00000003, Read, Write" size="4" pos="252" show="0x00000003" value="2600792b">
2260 <field name="smb.share.access.read" showname=".... .... .... .... .... .... .... ...1 = Read: Object can be shared for READ" size="4" pos="125" show="1" value="FFFFFFFF" unmaskedvalue="2600792b"/>
2261 <field name="smb.share.access.write" showname=".... .... .... .... .... .... .... ..1. = Write: Object can be shared for WRITE" size="4" pos="125" show="1" value="FFFFFFFF" unmaskedvalue="2600792b"/>
2262 <field name="smb.share.access.delete" showname=".... .... .... .... .... .... .... .0.. = Delete: Object can NOT be shared for delete" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
2263 </field>
2264 <field name="smb.create_options" showname="Create Options: 0x00000000" size="4" pos="252" show="0x00000000" value="2600792b">
2265 <field name="smb.nt.create_options.directory" showname=".... .... .... .... .... .... .... ...0 = Directory: File being created/opened must not be a directory" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
2266 <field name="smb.nt.create_options.write_through" showname=".... .... .... .... .... .... .... ..0. = Write Through: Writes need not flush buffered data before completing" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
2267 <field name="smb.nt.create_options.sequential_only" showname=".... .... .... .... .... .... .... .0.. = Sequential Only: The file might not only be accessed sequentially" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
2268 <field name="smb.nt.create_options.intermediate_buffering" showname=".... .... .... .... .... .... .... 0... = Intermediate Buffering: Intermediate buffering is allowed" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
2269 <field name="smb.nt.create_options.sync_io_alert" showname=".... .... .... .... .... .... ...0 .... = Sync I/O Alert: Operations NOT necessarily synchronous" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
2270 <field name="smb.nt.create_options.sync_io_nonalert" showname=".... .... .... .... .... .... ..0. .... = Sync I/O Nonalert: Operations NOT necessarily synchronous" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
2271 <field name="smb.nt.create_options.non_directory" showname=".... .... .... .... .... .... .0.. .... = Non-Directory: File being created/opened must be a directory" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
2272 <field name="smb.nt.create_options.create_tree_connection" showname=".... .... .... .... .... .... 0... .... = Create Tree Connection: Create Tree Connections is NOT set" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
2273 <field name="smb.nt.create_options.complete_if_oplocked" showname=".... .... .... .... .... ...0 .... .... = Complete If Oplocked: Complete if oplocked is NOT set" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
2274 <field name="smb.nt.create_options.no_ea_knowledge" showname=".... .... .... .... .... ..0. .... .... = No EA Knowledge: The client understands extended attributes" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
2275 <field name="smb.nt.create_options.eight_dot_three_only" showname=".... .... .... .... .... .0.. .... .... = 8.3 Only: The client understands long file names" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
2276 <field name="smb.nt.create_options.random_access" showname=".... .... .... .... .... 0... .... .... = Random Access: The file will not be accessed randomly" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
2277 <field name="smb.nt.create_options.delete_on_close" showname=".... .... .... .... ...0 .... .... .... = Delete On Close: The file should not be deleted when it is closed" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
2278 <field name="smb.nt.create_options.open_by_fileid" showname=".... .... .... .... ..0. .... .... .... = Open By FileID: OpenByFileID is NOT set" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
2279 <field name="smb.nt.create_options.backup_intent" showname=".... .... .... .... .0.. .... .... .... = Backup Intent: This is a normal create" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
2280 <field name="smb.nt.create_options.no_compression" showname=".... .... .... .... 0... .... .... .... = No Compression: Compression is allowed for Open/Create" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
2281 <field name="smb.nt.create_options.reserve_opfilter" showname=".... .... ...0 .... .... .... .... .... = Reserve Opfilter: Reserve Opfilter is NOT set" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
2282 <field name="smb.nt.create_options.open_reparse_point" showname=".... .... ..0. .... .... .... .... .... = Open Reparse Point: Normal open" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
2283 <field name="smb.nt.create_options.open_no_recall" showname=".... .... .0.. .... .... .... .... .... = Open No Recall: Open no recall is NOT set" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
2284 <field name="smb.nt.create_options.open_for_free_space_query" showname=".... .... 0... .... .... .... .... .... = Open For Free Space query: This is NOT an open for free space query" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
2285 </field>
2286 <field name="smb.create.disposition" showname="Disposition: Open (if file exists open it, else fail) (1)" size="0" pos="252" show="1"/>
2287 </field>
2288 </proto>
<!-- DCE/RPC connection-oriented Bind PDU (packet type 11) carried in a single fragment: cn_flags is 0x03, so both First Frag and Last Frag are set. -->
<!-- Auth Length is 0, so this bind carries no DCE/RPC authentication trailer; any authentication in effect is not visible at this layer. -->
2289 <proto name="dcerpc" showname="Distributed Computing Environment / Remote Procedure Call (DCE/RPC) Bind, Fragment: Single, FragLen: 72, Call: 1" size="72" pos="148">
2290 <field name="dcerpc.ver" showname="Version: 5" size="1" pos="148" show="5" value="05"/>
2291 <field name="dcerpc.ver_minor" showname="Version (minor): 0" size="1" pos="149" show="0" value="00"/>
2292 <field name="dcerpc.pkt_type" showname="Packet type: Bind (11)" size="1" pos="150" show="11" value="0b"/>
2293 <field name="dcerpc.cn_flags" showname="Packet Flags: 0x03" size="1" pos="151" show="0x00000003" value="03">
2294 <field name="dcerpc.cn_flags.object" showname="0... .... = Object: Not set" size="1" pos="151" show="0" value="0" unmaskedvalue="03"/>
2295 <field name="dcerpc.cn_flags.maybe" showname=".0.. .... = Maybe: Not set" size="1" pos="151" show="0" value="0" unmaskedvalue="03"/>
2296 <field name="dcerpc.cn_flags.dne" showname="..0. .... = Did Not Execute: Not set" size="1" pos="151" show="0" value="0" unmaskedvalue="03"/>
2297 <field name="dcerpc.cn_flags.mpx" showname="...0 .... = Multiplex: Not set" size="1" pos="151" show="0" value="0" unmaskedvalue="03"/>
2298 <field name="dcerpc.cn_flags.reserved" showname=".... 0... = Reserved: Not set" size="1" pos="151" show="0" value="0" unmaskedvalue="03"/>
2299 <field name="dcerpc.cn_flags.cancel_pending" showname=".... .0.. = Cancel Pending: Not set" size="1" pos="151" show="0" value="0" unmaskedvalue="03"/>
2300 <field name="dcerpc.cn_flags.last_frag" showname=".... ..1. = Last Frag: Set" size="1" pos="151" show="1" value="FFFFFFFF" unmaskedvalue="03"/>
2301 <field name="dcerpc.cn_flags.first_frag" showname=".... ...1 = First Frag: Set" size="1" pos="151" show="1" value="FFFFFFFF" unmaskedvalue="03"/>
2302 </field>
2303 <field name="dcerpc.drep" showname="Data Representation: 10000000" size="4" pos="152" show="10:00:00:00" value="10000000">
2304 <field name="dcerpc.drep.byteorder" showname="Byte order: Little-endian (1)" size="1" pos="152" show="1" value="10"/>
2305 <field name="dcerpc.drep.character" showname="Character: ASCII (0)" size="1" pos="152" show="0" value="10"/>
2306 <field name="dcerpc.drep.fp" showname="Floating-point: IEEE (0)" size="1" pos="153" show="0" value="00"/>
2307 </field>
2308 <field name="dcerpc.cn_frag_len" showname="Frag Length: 72" size="2" pos="156" show="72" value="4800"/>
2309 <field name="dcerpc.cn_auth_len" showname="Auth Length: 0" size="2" pos="158" show="0" value="0000"/>
2310 <field name="dcerpc.cn_call_id" showname="Call ID: 1" size="4" pos="160" show="1" value="01000000"/>
2311 <field name="dcerpc.cn_max_xmit" showname="Max Xmit Frag: 4280" size="2" pos="164" show="4280" value="b810"/>
2312 <field name="dcerpc.cn_max_recv" showname="Max Recv Frag: 4280" size="2" pos="166" show="4280" value="b810"/>
2313 <field name="dcerpc.cn_assoc_group" showname="Assoc Group: 0x00000000" size="4" pos="168" show="0x00000000" value="00000000"/>
2314 <field name="dcerpc.cn_num_ctx_items" showname="Num Ctx Items: 1" size="1" pos="172" show="1" value="01"/>
<!-- The single presentation context offers abstract syntax SRVSVC V3.0 with transfer syntax 32bit NDR V2. -->
<!-- In the UUID fields, value holds the on-wire bytes: the first three groups are byte-swapped relative to show, consistent with the little-endian data representation above. -->
2315 <field name="dcerpc.cn_ctx_item" showname="Ctx Item[1]: Context ID:0, SRVSVC, 32bit NDR" size="44" pos="176" show="" value="">
2316 <field name="dcerpc.cn_ctx_id" showname="Context ID: 0" size="2" pos="176" show="0" value="0000"/>
2317 <field name="dcerpc.cn_num_trans_items" showname="Num Trans Items: 1" size="1" pos="178" show="1" value="01"/>
2318 <field name="dcerpc.cn_bind_abstract_syntax" showname="Abstract Syntax: SRVSVC V3.0" size="20" pos="180" show="" value="">
2319 <field name="dcerpc.cn_bind_to_uuid" showname="Interface: SRVSVC UUID: 4b324fc8-1670-01d3-1278-5a47bf6ee188" size="16" pos="180" show="4b324fc8-1670-01d3-1278-5a47bf6ee188" value="c84f324b7016d30112785a47bf6ee188"/>
2320 <field name="dcerpc.cn_bind_if_ver" showname="Interface Ver: 3" size="2" pos="196" show="3" value="0300"/>
2321 <field name="dcerpc.cn_bind_if_ver_minor" showname="Interface Ver Minor: 0" size="2" pos="198" show="0" value="0000"/>
2322 </field>
2323 <field name="dcerpc.cn_bind_trans" showname="Transfer Syntax[1]: 32bit NDR V2" size="20" pos="200" show="" value="">
2324 <field name="dcerpc.cn_bind_trans_id" showname="Transfer Syntax: 32bit NDR UUID:8a885d04-1ceb-11c9-9fe8-08002b104860" size="16" pos="200" show="8a885d04-1ceb-11c9-9fe8-08002b104860" value="045d888aeb1cc9119fe808002b104860"/>
2325 <field name="dcerpc.cn_bind_trans_ver" showname="ver: 2" size="4" pos="216" show="2" value="02000000"/>
2326 </field>
2327 </field>
2328 </proto>
2329 </packet>
2331 <packet>
<!-- Summary record for capture frame 471 (244 bytes on the wire, 244 captured). -->
<!-- In geninfo the numeric value attributes are hexadecimal (1d7 = 471, f4 = 244) while show is decimal; the timestamp value is epoch seconds. -->
2332 <proto name="geninfo" pos="0" showname="General information" size="244">
2333 <field name="num" pos="0" show="471" showname="Number" value="1d7" size="244"/>
2334 <field name="len" pos="0" show="244" showname="Frame Length" value="f4" size="244"/>
2335 <field name="caplen" pos="0" show="244" showname="Captured Length" value="f4" size="244"/>
2336 <field name="timestamp" pos="0" show="Feb 13, 2017 10:17:16.201029000 NZDT" showname="Captured Time" value="1486934236.201029000" size="244"/>
2337 </proto>
<!-- Frame-level metadata for frame 471. Every child field has size 0 and no value attribute, so none of them maps to packet bytes; only show carries data. -->
<!-- frame.protocols gives the dissection stack for this frame: raw:ipv6:tcp:nbss:smb:dcerpc. -->
2338 <proto name="frame" showname="Frame 471: 244 bytes on wire (1952 bits), 244 bytes captured (1952 bits)" size="244" pos="0">
2339 <field name="frame.encap_type" showname="Encapsulation type: Raw IP (7)" size="0" pos="0" show="7"/>
2340 <field name="frame.time" showname="Arrival Time: Feb 13, 2017 10:17:16.201029000 NZDT" size="0" pos="0" show="Feb 13, 2017 10:17:16.201029000 NZDT"/>
2341 <field name="frame.offset_shift" showname="Time shift for this packet: 0.000000000 seconds" size="0" pos="0" show="0.000000000"/>
2342 <field name="frame.time_epoch" showname="Epoch Time: 1486934236.201029000 seconds" size="0" pos="0" show="1486934236.201029000"/>
2343 <field name="frame.time_delta" showname="Time delta from previous captured frame: 0.050577000 seconds" size="0" pos="0" show="0.050577000"/>
2344 <field name="frame.time_delta_displayed" showname="Time delta from previous displayed frame: 0.050577000 seconds" size="0" pos="0" show="0.050577000"/>
2345 <field name="frame.time_relative" showname="Time since reference or first frame: 465.578588000 seconds" size="0" pos="0" show="465.578588000"/>
2346 <field name="frame.number" showname="Frame Number: 471" size="0" pos="0" show="471"/>
2347 <field name="frame.len" showname="Frame Length: 244 bytes (1952 bits)" size="0" pos="0" show="244"/>
2348 <field name="frame.cap_len" showname="Capture Length: 244 bytes (1952 bits)" size="0" pos="0" show="244"/>
2349 <field name="frame.marked" showname="Frame is marked: False" size="0" pos="0" show="0"/>
2350 <field name="frame.ignored" showname="Frame is ignored: False" size="0" pos="0" show="0"/>
2351 <field name="frame.protocols" showname="Protocols in frame: raw:ipv6:tcp:nbss:smb:dcerpc" size="0" pos="0" show="raw:ipv6:tcp:nbss:smb:dcerpc"/>
2352 </proto>
<!-- Raw IP encapsulation covering the whole 244-byte frame: no link-layer header is present, so the IPv6 header that follows also starts at pos 0. -->
2353 <proto name="raw" showname="Raw packet data" size="244" pos="0"/>
<!-- 40-byte IPv6 header, source fd00::5357:5f0b to destination fd00::5357:5f03, next header TCP. -->
<!-- NOTE(review): Payload length is 244, the size of the whole frame, so it cannot fit behind the 40-byte header; the dissector records this as a Warn-level expert info ("exceeds framing length (204 bytes)"). Together with Hop limit 0 this suggests the header was synthesized by the test harness rather than by a network stack (TODO confirm). Tooling that reads this fixture should not use ipv6.plen as a trusted length. -->
2354 <proto name="ipv6" showname="Internet Protocol Version 6, Src: fd00::5357:5f0b, Dst: fd00::5357:5f03" size="40" pos="0">
2355 <field name="ipv6.version" showname="0110 .... = Version: 6" size="1" pos="0" show="6" value="6" unmaskedvalue="60"/>
2356 <field name="ip.version" showname="0110 .... = Version: 6 [This field makes the filter match on &quot;ip.version == 6&quot; possible]" hide="yes" size="1" pos="0" show="6" value="6" unmaskedvalue="60"/>
2357 <field name="ipv6.tclass" showname=".... 0000 0000 .... .... .... .... .... = Traffic class: 0x00 (DSCP: CS0, ECN: Not-ECT)" size="4" pos="0" show="0x00000000" value="0" unmaskedvalue="60000000">
2358 <field name="ipv6.tclass.dscp" showname=".... 0000 00.. .... .... .... .... .... = Differentiated Services Codepoint: Default (0)" size="4" pos="0" show="0" value="0" unmaskedvalue="60000000"/>
2359 <field name="ipv6.tclass.ecn" showname=".... .... ..00 .... .... .... .... .... = Explicit Congestion Notification: Not ECN-Capable Transport (0)" size="4" pos="0" show="0" value="0" unmaskedvalue="60000000"/>
2360 </field>
2361 <field name="ipv6.flow" showname=".... .... .... 0000 0000 0000 0000 0000 = Flowlabel: 0x00000000" size="4" pos="0" show="0x00000000" value="0" unmaskedvalue="60000000"/>
2362 <field name="ipv6.plen" showname="Payload length: 244" size="2" pos="4" show="244" value="00f4">
2363 <field name="_ws.expert" showname="Expert Info (Warn/Protocol): IPv6 payload length exceeds framing length (204 bytes)" size="0" pos="4">
2364 <field name="ipv6.bogus_payload_length" showname="IPv6 payload length exceeds framing length (204 bytes)" size="0" pos="0" show="" value=""/>
2365 <field name="_ws.expert.message" showname="Message: IPv6 payload length exceeds framing length (204 bytes)" hide="yes" size="0" pos="0" show="IPv6 payload length exceeds framing length (204 bytes)"/>
2366 <field name="_ws.expert.severity" showname="Severity level: Warn" size="0" pos="0" show="0x00600000"/>
2367 <field name="_ws.expert.group" showname="Group: Protocol" size="0" pos="0" show="0x09000000"/>
2368 </field>
2369 </field>
2370 <field name="ipv6.nxt" showname="Next header: TCP (6)" size="1" pos="6" show="6" value="06"/>
2371 <field name="ipv6.hlim" showname="Hop limit: 0" size="1" pos="7" show="0" value="00"/>
<!-- Each address appears four times: once under its own name (ipv6.src / ipv6.dst) and three times as hide="yes" aliases over the same bytes. Consumers that count addresses should key on ipv6.src and ipv6.dst only. -->
2372 <field name="ipv6.src" showname="Source: fd00::5357:5f0b" size="16" pos="8" show="fd00::5357:5f0b" value="fd000000000000000000000053575f0b"/>
2373 <field name="ipv6.addr" showname="Source or Destination Address: fd00::5357:5f0b" hide="yes" size="16" pos="8" show="fd00::5357:5f0b" value="fd000000000000000000000053575f0b"/>
2374 <field name="ipv6.src_host" showname="Source Host: fd00::5357:5f0b" hide="yes" size="16" pos="8" show="fd00::5357:5f0b" value="fd000000000000000000000053575f0b"/>
2375 <field name="ipv6.host" showname="Source or Destination Host: fd00::5357:5f0b" hide="yes" size="16" pos="8" show="fd00::5357:5f0b" value="fd000000000000000000000053575f0b"/>
2376 <field name="ipv6.dst" showname="Destination: fd00::5357:5f03" size="16" pos="24" show="fd00::5357:5f03" value="fd000000000000000000000053575f03"/>
2377 <field name="ipv6.addr" showname="Source or Destination Address: fd00::5357:5f03" hide="yes" size="16" pos="24" show="fd00::5357:5f03" value="fd000000000000000000000053575f03"/>
2378 <field name="ipv6.dst_host" showname="Destination Host: fd00::5357:5f03" hide="yes" size="16" pos="24" show="fd00::5357:5f03" value="fd000000000000000000000053575f03"/>
2379 <field name="ipv6.host" showname="Source or Destination Host: fd00::5357:5f03" hide="yes" size="16" pos="24" show="fd00::5357:5f03" value="fd000000000000000000000053575f03"/>
<!-- The two GeoIP fields below have an empty name attribute and no showname; a consumer that indexes fields by name must tolerate "". -->
2380 <field name="" show="Source GeoIP: Unknown" size="16" pos="8" value="fd000000000000000000000053575f0b"/>
2381 <field name="" show="Destination GeoIP: Unknown" size="16" pos="24" value="fd000000000000000000000053575f03"/>
2382 </proto>
<!-- TCP segment from port 31861 to port 139 on stream 6, with PSH and ACK set (flags 0x018), carrying 184 bytes behind a 20-byte header. -->
2383 <proto name="tcp" showname="Transmission Control Protocol, Src Port: 31861 (31861), Dst Port: 139 (139), Seq: 1007, Ack: 1057, Len: 184" size="20" pos="40">
2384 <field name="tcp.srcport" showname="Source Port: 31861" size="2" pos="40" show="31861" value="7c75"/>
2385 <field name="tcp.dstport" showname="Destination Port: 139" size="2" pos="42" show="139" value="008b"/>
2386 <field name="tcp.port" showname="Source or Destination Port: 31861" hide="yes" size="2" pos="40" show="31861" value="7c75"/>
2387 <field name="tcp.port" showname="Source or Destination Port: 139" hide="yes" size="2" pos="42" show="139" value="008b"/>
2388 <field name="tcp.stream" showname="Stream index: 6" size="0" pos="40" show="6"/>
<!-- For derived fields, value is the raw byte at pos and not the hex form of show: tcp.len shows 184 but carries value="50", the same header-length byte that tcp.hdr_len reports at pos 52. Read show for such fields. -->
2389 <field name="tcp.len" showname="TCP Segment Len: 184" size="1" pos="52" show="184" value="50"/>
2390 <field name="tcp.seq" showname="Sequence number: 1007 (relative sequence number)" size="4" pos="44" show="1007" value="000003ef"/>
2391 <field name="tcp.nxtseq" showname="Next sequence number: 1191 (relative sequence number)" size="0" pos="40" show="1191"/>
2392 <field name="tcp.ack" showname="Acknowledgment number: 1057 (relative ack number)" size="4" pos="48" show="1057" value="00000421"/>
2393 <field name="tcp.hdr_len" showname="Header Length: 20 bytes" size="1" pos="52" show="20" value="50"/>
2394 <field name="tcp.flags" showname="Flags: 0x018 (PSH, ACK)" size="2" pos="52" show="0x00000018" value="18" unmaskedvalue="5018">
2395 <field name="tcp.flags.res" showname="000. .... .... = Reserved: Not set" size="1" pos="52" show="0" value="0" unmaskedvalue="50"/>
2396 <field name="tcp.flags.ns" showname="...0 .... .... = Nonce: Not set" size="1" pos="52" show="0" value="0" unmaskedvalue="50"/>
2397 <field name="tcp.flags.cwr" showname=".... 0... .... = Congestion Window Reduced (CWR): Not set" size="1" pos="53" show="0" value="0" unmaskedvalue="18"/>
2398 <field name="tcp.flags.ecn" showname=".... .0.. .... = ECN-Echo: Not set" size="1" pos="53" show="0" value="0" unmaskedvalue="18"/>
2399 <field name="tcp.flags.urg" showname=".... ..0. .... = Urgent: Not set" size="1" pos="53" show="0" value="0" unmaskedvalue="18"/>
2400 <field name="tcp.flags.ack" showname=".... ...1 .... = Acknowledgment: Set" size="1" pos="53" show="1" value="FFFFFFFF" unmaskedvalue="18"/>
2401 <field name="tcp.flags.push" showname=".... .... 1... = Push: Set" size="1" pos="53" show="1" value="FFFFFFFF" unmaskedvalue="18"/>
2402 <field name="tcp.flags.reset" showname=".... .... .0.. = Reset: Not set" size="1" pos="53" show="0" value="0" unmaskedvalue="18"/>
2403 <field name="tcp.flags.syn" showname=".... .... ..0. = Syn: Not set" size="1" pos="53" show="0" value="0" unmaskedvalue="18"/>
2404 <field name="tcp.flags.fin" showname=".... .... ...0 = Fin: Not set" size="1" pos="53" show="0" value="0" unmaskedvalue="18"/>
2405 <field name="tcp.flags.str" showname="TCP Flags: *******AP***" size="2" pos="52" show="*******AP***" value="5018"/>
2406 </field>
2407 <field name="tcp.window_size_value" showname="Window size value: 32767" size="2" pos="54" show="32767" value="7fff"/>
2408 <field name="tcp.window_size" showname="Calculated window size: 32767" size="2" pos="54" show="32767" value="7fff"/>
2409 <field name="tcp.window_size_scalefactor" showname="Window size scaling factor: -2 (no window scaling used)" size="2" pos="54" show="-2" value="7fff"/>
<!-- The checksum is 0x0000 and validation is disabled, so checksum_good and checksum_bad are both False. Neither flag is evidence about the segment's integrity. -->
2410 <field name="tcp.checksum" showname="Checksum: 0x0000 [validation disabled]" size="2" pos="56" show="0x00000000" value="0000">
2411 <field name="tcp.checksum_good" showname="Good Checksum: False" size="2" pos="56" show="0" value="0000"/>
2412 <field name="tcp.checksum_bad" showname="Bad Checksum: False" size="2" pos="56" show="0" value="0000"/>
2413 </field>
2414 <field name="tcp.urgent_pointer" showname="Urgent pointer: 0" size="2" pos="58" show="0" value="0000"/>
<!-- tcp.analysis fields are computed by the dissector from other frames (size 0); they are not bytes of this packet. -->
2415 <field name="tcp.analysis" showname="SEQ/ACK analysis" size="0" pos="40" show="" value="">
2416 <field name="tcp.analysis.acks_frame" showname="This is an ACK to the segment in frame: 468" size="0" pos="40" show="468"/>
2417 <field name="tcp.analysis.ack_rtt" showname="The RTT to ACK the segment was: 0.050606000 seconds" size="0" pos="40" show="0.050606000"/>
2418 <field name="tcp.analysis.initial_rtt" showname="iRTT: 0.000024000 seconds" size="0" pos="40" show="0.000024000"/>
2419 <field name="tcp.analysis.bytes_in_flight" showname="Bytes in flight: 184" size="0" pos="40" show="184"/>
2420 </field>
2421 </proto>
<!-- NetBIOS Session Service framing: a Session message (type 0x00) whose 3-byte length field 0000b4 gives 180, the size of the SMB proto that follows at pos 64. -->
2422 <proto name="nbss" showname="NetBIOS Session Service" size="184" pos="60">
2423 <field name="nbss.type" showname="Message Type: Session message (0x00)" size="1" pos="60" show="0x00000000" value="00"/>
2424 <field name="nbss.length" showname="Length: 180" size="3" pos="61" show="180" value="0000b4"/>
2425 </proto>
<!-- SMB1 Trans request (command 0x25) on tree \\LOCALNT4DC2\IPC$ with transaction name \PIPE\. smb.flags.response is 0, so the message travels from client to server. -->
2426 <proto name="smb" showname="SMB (Server Message Block Protocol)" size="180" pos="64">
2427 <field name="" show="SMB Header" size="32" pos="64" value="ff534d4225000000001843c8000000000000000000000000ac6a6455deec0600">
2428 <field name="smb.server_component" showname="Server Component: SMB" size="4" pos="64" show="0x424d53ff" value="ff534d42"/>
2429 <field name="smb.cmd" showname="SMB Command: Trans (0x25)" size="1" pos="68" show="37" value="25"/>
2430 <field name="smb.nt_status" showname="NT Status: STATUS_SUCCESS (0x00000000)" size="4" pos="69" show="0" value="00000000"/>
2431 <field name="smb.flags" showname="Flags: 0x18, Canonicalized Pathnames, Case Sensitivity" size="1" pos="73" show="0x00000018" value="18">
2432 <field name="smb.flags.response" showname="0... .... = Request/Response: Message is a request to the server" size="1" pos="73" show="0" value="0" unmaskedvalue="18"/>
2433 <field name="smb.flags.notify" showname=".0.. .... = Notify: Notify client only on open" size="1" pos="73" show="0" value="0" unmaskedvalue="18"/>
2434 <field name="smb.flags.oplock" showname="..0. .... = Oplocks: OpLock not requested/granted" size="1" pos="73" show="0" value="0" unmaskedvalue="18"/>
2435 <field name="smb.flags.canon" showname="...1 .... = Canonicalized Pathnames: Pathnames are canonicalized" size="1" pos="73" show="1" value="FFFFFFFF" unmaskedvalue="18"/>
2436 <field name="smb.flags.caseless" showname=".... 1... = Case Sensitivity: Path names are caseless" size="1" pos="73" show="1" value="FFFFFFFF" unmaskedvalue="18"/>
2437 <field name="smb.flags.receive_buffer" showname=".... ..0. = Receive Buffer Posted: Receive buffer has not been posted" size="1" pos="73" show="0" value="0" unmaskedvalue="18"/>
2438 <field name="smb.flags.lock" showname=".... ...0 = Lock and Read: Lock&amp;Read, Write&amp;Unlock are not supported" size="1" pos="73" show="0" value="0" unmaskedvalue="18"/>
2439 </field>
<!-- This request is unsigned: Flags2 (0xc843) reports security signatures as neither supported nor required, and smb.signature further down is all zeros. Nothing in the SMB header lets the receiver verify the message's integrity. -->
2440 <field name="smb.flags2" showname="Flags2: 0xc843, Unicode Strings, Error Code Type, Extended Security Negotiation, Long Names Used, Extended Attributes, Long Names Allowed" size="2" pos="74" show="0x0000c843" value="43c8">
2441 <field name="smb.flags2.string" showname="1... .... .... .... = Unicode Strings: Strings are Unicode" size="2" pos="74" show="1" value="FFFFFFFF" unmaskedvalue="43c8"/>
2442 <field name="smb.flags2.nt_error" showname=".1.. .... .... .... = Error Code Type: Error codes are NT error codes" size="2" pos="74" show="1" value="FFFFFFFF" unmaskedvalue="43c8"/>
2443 <field name="smb.flags2.roe" showname="..0. .... .... .... = Execute-only Reads: Don&#x27;t permit reads if execute-only" size="2" pos="74" show="0" value="0" unmaskedvalue="43c8"/>
2444 <field name="smb.flags2.dfs" showname="...0 .... .... .... = Dfs: Don&#x27;t resolve pathnames with Dfs" size="2" pos="74" show="0" value="0" unmaskedvalue="43c8"/>
2445 <field name="smb.flags2.esn" showname=".... 1... .... .... = Extended Security Negotiation: Extended security negotiation is supported" size="2" pos="74" show="1" value="FFFFFFFF" unmaskedvalue="43c8"/>
2446 <field name="smb.flags2.reparse_path" showname=".... .0.. .... .... = Reparse Path: The request does not use a @GMT reparse path" size="2" pos="74" show="0" value="0" unmaskedvalue="43c8"/>
2447 <field name="smb.flags2.long_names_used" showname=".... .... .1.. .... = Long Names Used: Path names in request are long file names" size="2" pos="74" show="1" value="FFFFFFFF" unmaskedvalue="43c8"/>
2448 <field name="smb.flags2.sec_sig_required" showname=".... .... ...0 .... = Security Signatures Required: Security signatures are not required" size="2" pos="74" show="0" value="0" unmaskedvalue="43c8"/>
2449 <field name="smb.flags2.compressed" showname=".... .... .... 0... = Compressed: Compression is not requested" size="2" pos="74" show="0" value="0" unmaskedvalue="43c8"/>
2450 <field name="smb.flags2.sec_sig" showname=".... .... .... .0.. = Security Signatures: Security signatures are not supported" size="2" pos="74" show="0" value="0" unmaskedvalue="43c8"/>
2451 <field name="smb.flags2.ea" showname=".... .... .... ..1. = Extended Attributes: Extended attributes are supported" size="2" pos="74" show="1" value="FFFFFFFF" unmaskedvalue="43c8"/>
2452 <field name="smb.flags2.long_names_allowed" showname=".... .... .... ...1 = Long Names Allowed: Long file names are allowed in the response" size="2" pos="74" show="1" value="FFFFFFFF" unmaskedvalue="43c8"/>
2453 </field>
2454 <field name="smb.pid.high" showname="Process ID High: 0" size="2" pos="76" show="0" value="0000"/>
2455 <field name="smb.signature" showname="Signature: 0000000000000000" size="8" pos="78" show="00:00:00:00:00:00:00:00" value="0000000000000000"/>
2456 <field name="smb.reserved" showname="Reserved: 0000" size="2" pos="86" show="00:00" value="0000"/>
<!-- The share path and "Mapped in" children of smb.tid have size 0: the dissector adds them from frame 456, they are not bytes of this packet. -->
2457 <field name="smb.tid" showname="Tree ID: 27308 (\\LOCALNT4DC2\IPC$)" size="2" pos="88" show="27308" value="ac6a">
2458 <field name="smb.path" showname="Path: \\LOCALNT4DC2\IPC$" size="0" pos="152" show="\\LOCALNT4DC2\IPC$"/>
2459 <field name="smb.fid.mapped_in" showname="Mapped in: 456" size="0" pos="152" show="456"/>
2460 </field>
2461 <field name="smb.pid" showname="Process ID: 21860" size="2" pos="90" show="21860" value="6455"/>
2462 <field name="smb.uid" showname="User ID: 60638" size="2" pos="92" show="60638" value="deec"/>
2463 <field name="smb.mid" showname="Multiplex ID: 6" size="2" pos="94" show="6" value="0600"/>
2464 </field>
<!-- value on the next field is the full 148-byte Trans request (pos 96 onward); the smb_pipe proto at pos 125 lies inside this range, so the same bytes are dissected again by the protos that follow. -->
2465 <field name="" show="Trans Request (0x25)" size="148" pos="96" value="10000060000000b81000000000000000000000000054006000540002002600792b7100005c0050004900500045005c0000000000050000031000000060000000020000004800000000000f00000002000c000000000000000c0000004c004f00430041004c004e005400340044004300320000000100000001000000040002000000000000000000ffffffff0800020000000000">
2466 <field name="smb.wct" showname="Word Count (WCT): 16" size="1" pos="96" show="16" value="10"/>
2467 <field name="smb.tpc" showname="Total Parameter Count: 0" size="2" pos="97" show="0" value="0000"/>
2468 <field name="smb.tdc" showname="Total Data Count: 96" size="2" pos="99" show="96" value="6000"/>
2469 <field name="smb.mpc" showname="Max Parameter Count: 0" size="2" pos="101" show="0" value="0000"/>
2470 <field name="smb.mdc" showname="Max Data Count: 4280" size="2" pos="103" show="4280" value="b810"/>
2471 <field name="smb.msc" showname="Max Setup Count: 0" size="1" pos="105" show="0" value="00"/>
2472 <field name="smb.reserved" showname="Reserved: 00" size="1" pos="106" show="00" value="00"/>
2473 <field name="smb.transaction.flags" showname="Flags: 0x0000" size="2" pos="107" show="0x00000000" value="0000">
2474 <field name="smb.transaction.flags.owt" showname=".... .... .... ..0. = One Way Transaction: Two way transaction" size="2" pos="107" show="0" value="0" unmaskedvalue="0000"/>
2475 <field name="smb.transaction.flags.dtid" showname=".... .... .... ...0 = Disconnect TID: Do NOT disconnect TID" size="2" pos="107" show="0" value="0" unmaskedvalue="0000"/>
2476 </field>
2477 <field name="smb.timeout" showname="Timeout: Return immediately (0)" size="4" pos="109" show="0" value="00000000"/>
2478 <field name="smb.reserved" showname="Reserved: 0000" size="2" pos="113" show="00:00" value="0000"/>
2479 <field name="smb.pc" showname="Parameter Count: 0" size="2" pos="115" show="0" value="0000"/>
2480 <field name="smb.po" showname="Parameter Offset: 84" size="2" pos="117" show="84" value="5400"/>
2481 <field name="smb.dc" showname="Data Count: 96" size="2" pos="119" show="96" value="6000"/>
2482 <field name="smb.data_offset" showname="Data Offset: 84" size="2" pos="121" show="84" value="5400"/>
2483 <field name="smb.sc" showname="Setup Count: 2" size="1" pos="123" show="2" value="02"/>
2484 <field name="smb.reserved" showname="Reserved: 00" size="1" pos="124" show="00" value="00"/>
2485 <field name="smb.bcc" showname="Byte Count (BCC): 113" size="2" pos="129" show="113" value="7100"/>
2486 <field name="smb.trans_name" showname="Transaction Name: \PIPE\" size="14" pos="132" show="\PIPE\" value="5c0050004900500045005c000000"/>
2487 <field name="smb.padding" showname="Padding: 0000" size="2" pos="146" show="00:00" value="0000"/>
2488 </field>
2489 </proto>
<!-- smb_pipe: TransactNmPipe (0x0026) on FID 0x2b79, which Wireshark resolves to the \srvsvc named pipe.
     The children of smb.fid describe the open recorded in frame 462 (smb.fid.opened_in) and are presumably
     dissector annotations rather than bytes of this packet: every value/unmaskedvalue on them repeats 2600792b,
     i.e. the function (2600) and FID (792b) bytes at pos 125. Read show/showname for these fields, not value.
     Access mask 0x0002019f decodes below to read, write, append, read/write EA, read/write attributes and
     read control; single-bit fields use value="FFFFFFFF" for a set bit and value="0" for a clear one. -->
2490 <proto name="smb_pipe" showname="SMB Pipe Protocol" size="21" pos="125">
2491 <field name="smb_pipe.function" showname="Function: TransactNmPipe (0x0026)" size="2" pos="125" show="0x00000026" value="2600"/>
2492 <field name="smb.fid" showname="FID: 0x2b79 (\srvsvc)" size="2" pos="127" show="0x00002b79" value="792b">
2493 <field name="smb.fid.opened_in" showname="Opened in: 462" size="0" pos="252" show="462"/>
2494 <field name="smb.file" showname="File Name: \srvsvc" size="0" pos="252" show="\srvsvc"/>
2495 <field name="smb.create_flags" showname="Create Flags: 0x00000000" size="4" pos="252" show="0x00000000" value="2600792b">
2496 <field name="smb.nt.create.oplock" showname=".... .... .... .... .... .... .... ..0. = Exclusive Oplock: Does NOT request oplock" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
2497 <field name="smb.nt.create.batch_oplock" showname=".... .... .... .... .... .... .... .0.. = Batch Oplock: Does NOT request batch oplock" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
2498 <field name="smb.nt.create.dir" showname=".... .... .... .... .... .... .... 0... = Create Directory: Target of open can be a file" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
2499 <field name="smb.nt.create.ext" showname=".... .... .... .... .... .... ...0 .... = Extended Response: Extended responses NOT required" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
2500 </field>
2501 <field name="smb.access_mask" showname="Access Mask: 0x0002019f" size="4" pos="252" show="0x0002019f" value="2600792b">
2502 <field name="smb.access.read" showname=".... .... .... .... .... .... .... ...1 = Read: READ access" size="4" pos="125" show="1" value="FFFFFFFF" unmaskedvalue="2600792b"/>
2503 <field name="smb.access.write" showname=".... .... .... .... .... .... .... ..1. = Write: WRITE access" size="4" pos="125" show="1" value="FFFFFFFF" unmaskedvalue="2600792b"/>
2504 <field name="smb.access.append" showname=".... .... .... .... .... .... .... .1.. = Append: APPEND access" size="4" pos="125" show="1" value="FFFFFFFF" unmaskedvalue="2600792b"/>
2505 <field name="smb.access.read_ea" showname=".... .... .... .... .... .... .... 1... = Read EA: READ EXTENDED ATTRIBUTES access" size="4" pos="125" show="1" value="FFFFFFFF" unmaskedvalue="2600792b"/>
2506 <field name="smb.access.write_ea" showname=".... .... .... .... .... .... ...1 .... = Write EA: WRITE EXTENDED ATTRIBUTES access" size="4" pos="125" show="1" value="FFFFFFFF" unmaskedvalue="2600792b"/>
2507 <field name="smb.access.execute" showname=".... .... .... .... .... .... ..0. .... = Execute: NO execute access" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
2508 <field name="smb.access.delete_child" showname=".... .... .... .... .... .... .0.. .... = Delete Child: NO delete child access" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
2509 <field name="smb.access.read_attributes" showname=".... .... .... .... .... .... 1... .... = Read Attributes: READ ATTRIBUTES access" size="4" pos="125" show="1" value="FFFFFFFF" unmaskedvalue="2600792b"/>
2510 <field name="smb.access.write_attributes" showname=".... .... .... .... .... ...1 .... .... = Write Attributes: WRITE ATTRIBUTES access" size="4" pos="125" show="1" value="FFFFFFFF" unmaskedvalue="2600792b"/>
2511 <field name="smb.access.delete" showname=".... .... .... ...0 .... .... .... .... = Delete: NO delete access" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
2512 <field name="smb.access.read_control" showname=".... .... .... ..1. .... .... .... .... = Read Control: READ ACCESS to owner, group and ACL of the SID" size="4" pos="125" show="1" value="FFFFFFFF" unmaskedvalue="2600792b"/>
2513 <field name="smb.access.write_dac" showname=".... .... .... .0.. .... .... .... .... = Write DAC: Owner may NOT write to the DAC" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
2514 <field name="smb.access.write_owner" showname=".... .... .... 0... .... .... .... .... = Write Owner: Can NOT write owner (take ownership)" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
2515 <field name="smb.access.synchronize" showname=".... .... ...0 .... .... .... .... .... = Synchronize: Can NOT wait on handle to synchronize on completion of I/O" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
2516 <field name="smb.access.system_security" showname=".... ...0 .... .... .... .... .... .... = System Security: System security is NOT set" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
2517 <field name="smb.access.maximum_allowed" showname=".... ..0. .... .... .... .... .... .... = Maximum Allowed: Maximum allowed is NOT set" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
2518 <field name="smb.access.generic_all" showname="...0 .... .... .... .... .... .... .... = Generic All: Generic all is NOT set" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
2519 <field name="smb.access.generic_execute" showname="..0. .... .... .... .... .... .... .... = Generic Execute: Generic execute is NOT set" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
2520 <field name="smb.access.generic_write" showname=".0.. .... .... .... .... .... .... .... = Generic Write: Generic write is NOT set" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
2521 <field name="smb.access.generic_read" showname="0... .... .... .... .... .... .... .... = Generic Read: Generic read is NOT set" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
2522 </field>
2523 <field name="smb.file_attribute" showname="File Attributes: 0x00000000" size="4" pos="252" show="0x00000000" value="2600792b">
2524 <field name="smb.file_attribute.read_only" showname=".... .... .... .... .... .... .... ...0 = Read Only: NOT read only" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
2525 <field name="smb.file_attribute.hidden" showname=".... .... .... .... .... .... .... ..0. = Hidden: NOT hidden" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
2526 <field name="smb.file_attribute.system" showname=".... .... .... .... .... .... .... .0.. = System: NOT a system file/dir" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
2527 <field name="smb.file_attribute.volume" showname=".... .... .... .... .... .... .... 0... = Volume ID: NOT a volume ID" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
2528 <field name="smb.file_attribute.directory" showname=".... .... .... .... .... .... ...0 .... = Directory: NOT a directory" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
2529 <field name="smb.file_attribute.archive" showname=".... .... .... .... .... .... ..0. .... = Archive: Has NOT been modified since last archive" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
2530 <field name="smb.file_attribute.device" showname=".... .... .... .... .... .... .0.. .... = Device: NOT a device" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
2531 <field name="smb.file_attribute.normal" showname=".... .... .... .... .... .... 0... .... = Normal: Has some attribute set" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
2532 <field name="smb.file_attribute.temporary" showname=".... .... .... .... .... ...0 .... .... = Temporary: NOT a temporary file" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
2533 <field name="smb.file_attribute.sparse" showname=".... .... .... .... .... ..0. .... .... = Sparse: NOT a sparse file" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
2534 <field name="smb.file_attribute.reparse" showname=".... .... .... .... .... .0.. .... .... = Reparse Point: Does NOT have an associated reparse point" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
2535 <field name="smb.file_attribute.compressed" showname=".... .... .... .... .... 0... .... .... = Compressed: Uncompressed" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
2536 <field name="smb.file_attribute.offline" showname=".... .... .... .... ...0 .... .... .... = Offline: Online" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
2537 <field name="smb.file_attribute.not_content_indexed" showname=".... .... .... .... ..0. .... .... .... = Content Indexed: NOT content indexed" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
2538 <field name="smb.file_attribute.encrypted" showname=".... .... .... .... .0.. .... .... .... = Encrypted: This is NOT an encrypted file" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
2539 </field>
2540 <field name="smb.share_access" showname="Share Access: 0x00000003, Read, Write" size="4" pos="252" show="0x00000003" value="2600792b">
2541 <field name="smb.share.access.read" showname=".... .... .... .... .... .... .... ...1 = Read: Object can be shared for READ" size="4" pos="125" show="1" value="FFFFFFFF" unmaskedvalue="2600792b"/>
2542 <field name="smb.share.access.write" showname=".... .... .... .... .... .... .... ..1. = Write: Object can be shared for WRITE" size="4" pos="125" show="1" value="FFFFFFFF" unmaskedvalue="2600792b"/>
2543 <field name="smb.share.access.delete" showname=".... .... .... .... .... .... .... .0.. = Delete: Object can NOT be shared for delete" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
2544 </field>
2545 <field name="smb.create_options" showname="Create Options: 0x00000000" size="4" pos="252" show="0x00000000" value="2600792b">
2546 <field name="smb.nt.create_options.directory" showname=".... .... .... .... .... .... .... ...0 = Directory: File being created/opened must not be a directory" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
2547 <field name="smb.nt.create_options.write_through" showname=".... .... .... .... .... .... .... ..0. = Write Through: Writes need not flush buffered data before completing" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
2548 <field name="smb.nt.create_options.sequential_only" showname=".... .... .... .... .... .... .... .0.. = Sequential Only: The file might not only be accessed sequentially" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
2549 <field name="smb.nt.create_options.intermediate_buffering" showname=".... .... .... .... .... .... .... 0... = Intermediate Buffering: Intermediate buffering is allowed" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
2550 <field name="smb.nt.create_options.sync_io_alert" showname=".... .... .... .... .... .... ...0 .... = Sync I/O Alert: Operations NOT necessarily synchronous" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
2551 <field name="smb.nt.create_options.sync_io_nonalert" showname=".... .... .... .... .... .... ..0. .... = Sync I/O Nonalert: Operations NOT necessarily synchronous" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
2552 <field name="smb.nt.create_options.non_directory" showname=".... .... .... .... .... .... .0.. .... = Non-Directory: File being created/opened must be a directory" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
2553 <field name="smb.nt.create_options.create_tree_connection" showname=".... .... .... .... .... .... 0... .... = Create Tree Connection: Create Tree Connections is NOT set" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
2554 <field name="smb.nt.create_options.complete_if_oplocked" showname=".... .... .... .... .... ...0 .... .... = Complete If Oplocked: Complete if oplocked is NOT set" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
2555 <field name="smb.nt.create_options.no_ea_knowledge" showname=".... .... .... .... .... ..0. .... .... = No EA Knowledge: The client understands extended attributes" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
2556 <field name="smb.nt.create_options.eight_dot_three_only" showname=".... .... .... .... .... .0.. .... .... = 8.3 Only: The client understands long file names" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
2557 <field name="smb.nt.create_options.random_access" showname=".... .... .... .... .... 0... .... .... = Random Access: The file will not be accessed randomly" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
2558 <field name="smb.nt.create_options.delete_on_close" showname=".... .... .... .... ...0 .... .... .... = Delete On Close: The file should not be deleted when it is closed" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
2559 <field name="smb.nt.create_options.open_by_fileid" showname=".... .... .... .... ..0. .... .... .... = Open By FileID: OpenByFileID is NOT set" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
2560 <field name="smb.nt.create_options.backup_intent" showname=".... .... .... .... .0.. .... .... .... = Backup Intent: This is a normal create" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
2561 <field name="smb.nt.create_options.no_compression" showname=".... .... .... .... 0... .... .... .... = No Compression: Compression is allowed for Open/Create" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
2562 <field name="smb.nt.create_options.reserve_opfilter" showname=".... .... ...0 .... .... .... .... .... = Reserve Opfilter: Reserve Opfilter is NOT set" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
2563 <field name="smb.nt.create_options.open_reparse_point" showname=".... .... ..0. .... .... .... .... .... = Open Reparse Point: Normal open" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
2564 <field name="smb.nt.create_options.open_no_recall" showname=".... .... .0.. .... .... .... .... .... = Open No Recall: Open no recall is NOT set" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
2565 <field name="smb.nt.create_options.open_for_free_space_query" showname=".... .... 0... .... .... .... .... .... = Open For Free Space query: This is NOT an open for free space query" size="4" pos="125" show="0" value="0" unmaskedvalue="2600792b"/>
2566 </field>
2567 <field name="smb.create.disposition" showname="Disposition: Open (if file exists open it, else fail) (1)" size="0" pos="252" show="1"/>
2568 </field>
2569 </proto>
<!-- dcerpc: Request PDU (pkt_type 0), call ID 2, context ID 0, opnum 15. First Frag and Last Frag are
     both set, so this 96-byte fragment is the whole request, and Auth Length is 0.
     For the single-bit flags a set bit is written as value="FFFFFFFF"; dcerpc.drep.byteorder and
     dcerpc.drep.character both carry the whole byte (10) in value. The decoded number is in show. -->
2570 <proto name="dcerpc" showname="Distributed Computing Environment / Remote Procedure Call (DCE/RPC) Request, Fragment: Single, FragLen: 96, Call: 2, Ctx: 0" size="96" pos="148">
2571 <field name="dcerpc.ver" showname="Version: 5" size="1" pos="148" show="5" value="05"/>
2572 <field name="dcerpc.ver_minor" showname="Version (minor): 0" size="1" pos="149" show="0" value="00"/>
2573 <field name="dcerpc.pkt_type" showname="Packet type: Request (0)" size="1" pos="150" show="0" value="00"/>
2574 <field name="dcerpc.cn_flags" showname="Packet Flags: 0x03" size="1" pos="151" show="0x00000003" value="03">
2575 <field name="dcerpc.cn_flags.object" showname="0... .... = Object: Not set" size="1" pos="151" show="0" value="0" unmaskedvalue="03"/>
2576 <field name="dcerpc.cn_flags.maybe" showname=".0.. .... = Maybe: Not set" size="1" pos="151" show="0" value="0" unmaskedvalue="03"/>
2577 <field name="dcerpc.cn_flags.dne" showname="..0. .... = Did Not Execute: Not set" size="1" pos="151" show="0" value="0" unmaskedvalue="03"/>
2578 <field name="dcerpc.cn_flags.mpx" showname="...0 .... = Multiplex: Not set" size="1" pos="151" show="0" value="0" unmaskedvalue="03"/>
2579 <field name="dcerpc.cn_flags.reserved" showname=".... 0... = Reserved: Not set" size="1" pos="151" show="0" value="0" unmaskedvalue="03"/>
2580 <field name="dcerpc.cn_flags.cancel_pending" showname=".... .0.. = Cancel Pending: Not set" size="1" pos="151" show="0" value="0" unmaskedvalue="03"/>
2581 <field name="dcerpc.cn_flags.last_frag" showname=".... ..1. = Last Frag: Set" size="1" pos="151" show="1" value="FFFFFFFF" unmaskedvalue="03"/>
2582 <field name="dcerpc.cn_flags.first_frag" showname=".... ...1 = First Frag: Set" size="1" pos="151" show="1" value="FFFFFFFF" unmaskedvalue="03"/>
2583 </field>
2584 <field name="dcerpc.drep" showname="Data Representation: 10000000" size="4" pos="152" show="10:00:00:00" value="10000000">
2585 <field name="dcerpc.drep.byteorder" showname="Byte order: Little-endian (1)" size="1" pos="152" show="1" value="10"/>
2586 <field name="dcerpc.drep.character" showname="Character: ASCII (0)" size="1" pos="152" show="0" value="10"/>
2587 <field name="dcerpc.drep.fp" showname="Floating-point: IEEE (0)" size="1" pos="153" show="0" value="00"/>
2588 </field>
2589 <field name="dcerpc.cn_frag_len" showname="Frag Length: 96" size="2" pos="156" show="96" value="6000"/>
2590 <field name="dcerpc.cn_auth_len" showname="Auth Length: 0" size="2" pos="158" show="0" value="0000"/>
2591 <field name="dcerpc.cn_call_id" showname="Call ID: 2" size="4" pos="160" show="2" value="02000000"/>
2592 <field name="dcerpc.cn_alloc_hint" showname="Alloc hint: 72" size="4" pos="164" show="72" value="48000000"/>
2593 <field name="dcerpc.cn_ctx_id" showname="Context ID: 0" size="2" pos="168" show="0" value="0000"/>
2594 <field name="dcerpc.opnum" showname="Opnum: 15" size="2" pos="170" show="15" value="0f00"/>
2595 </proto>
<!-- srvsvc: NetShareEnumAll request (operation 15) naming server LOCALNT4DC2, info level 1.
     The ctr1 container is sent empty (count 0, NULL array pointer), max_buffer is 4294967295 (ffffffff)
     and the resume handle is 0. Traffic summaries that need to recognise share enumeration can key on
     srvsvc.opnum show="15"; that field is generated (size 0), the on-wire opnum is dcerpc.opnum.
     Fields with name="" are unnamed grouping nodes for the pointer and its referent; they have no showname. -->
2596 <proto name="srvsvc" showname="Server Service, NetShareEnumAll" size="72" pos="172">
2597 <field name="srvsvc.opnum" showname="Operation: NetShareEnumAll (15)" size="0" pos="172" show="15"/>
2598 <field name="" show="Pointer to Server Unc (uint16)" size="40" pos="172" value="000002000c000000000000000c0000004c004f00430041004c004e00540034004400430032000000">
2599 <field name="dcerpc.referent_id" showname="Referent ID: 0x00020000" size="4" pos="172" show="0x00020000" value="00000200"/>
2600 <field name="dcerpc.array.max_count" showname="Max Count: 12" size="4" pos="176" show="12" value="0c000000"/>
2601 <field name="dcerpc.array.offset" showname="Offset: 0" size="4" pos="180" show="0" value="00000000"/>
2602 <field name="dcerpc.array.actual_count" showname="Actual Count: 12" size="4" pos="184" show="12" value="0c000000"/>
2603 <field name="srvsvc.srvsvc_NetShareEnumAll.server_unc" showname="Server Unc: LOCALNT4DC2" size="24" pos="188" show="LOCALNT4DC2" value="4c004f00430041004c004e00540034004400430032000000"/>
2604 </field>
2605 <field name="" show="Pointer to Level (uint32)" size="4" pos="212" value="01000000">
2606 <field name="srvsvc.srvsvc_NetShareEnumAll.level" showname="Level: 1" size="4" pos="212" show="1" value="01000000"/>
2607 </field>
2608 <field name="" show="Pointer to Ctr (srvsvc_NetShareCtr)" size="16" pos="216" value="01000000040002000000000000000000">
2609 <field name="" show="srvsvc_NetShareCtr" size="8" pos="216" value="0100000004000200">
2610 <field name="srvsvc.srvsvc_NetShareEnumAll.ctr" showname="Ctr" size="4" pos="216" show="" value=""/>
2611 <field name="" show="Pointer to Ctr1 (srvsvc_NetShareCtr1)" size="8" pos="220" value="0400020000000000">
2612 <field name="dcerpc.referent_id" showname="Referent ID: 0x00020004" size="4" pos="220" show="0x00020004" value="04000200"/>
2613 <field name="srvsvc.srvsvc_NetShareCtr.ctr1" showname="Ctr1" size="8" pos="224" show="" value="">
2614 <field name="srvsvc.srvsvc_NetShareCtr1.count" showname="Count: 0" size="4" pos="224" show="0" value="00000000"/>
2615 <field name="dcerpc.null_pointer" showname="NULL Pointer: Pointer to Array (srvsvc_NetShareInfo1)" size="4" pos="228" show="00:00:00:00" value="00000000"/>
2616 </field>
2617 </field>
2618 </field>
2619 </field>
2620 <field name="srvsvc.srvsvc_NetShareEnumAll.max_buffer" showname="Max Buffer: 4294967295" size="4" pos="232" show="4294967295" value="ffffffff"/>
2621 <field name="" show="Pointer to Resume Handle (uint32)" size="8" pos="236" value="0800020000000000">
2622 <field name="dcerpc.referent_id" showname="Referent ID: 0x00020008" size="4" pos="236" show="0x00020008" value="08000200"/>
2623 <field name="srvsvc.srvsvc_NetShareEnumAll.resume_handle" showname="Resume Handle: 0" size="4" pos="240" show="0" value="00000000"/>
2624 </field>
2625 </proto>
2626 </packet>
2628 <packet>
<!-- geninfo: capture metadata for frame 523. For num, len and caplen the value attribute is hexadecimal
     (20b = 523, de = 222) while show is decimal; size repeats the 222-byte frame length on every field. -->
2629 <proto name="geninfo" pos="0" showname="General information" size="222">
2630 <field name="num" pos="0" show="523" showname="Number" value="20b" size="222"/>
2631 <field name="len" pos="0" show="222" showname="Frame Length" value="de" size="222"/>
2632 <field name="caplen" pos="0" show="222" showname="Captured Length" value="de" size="222"/>
2633 <field name="timestamp" pos="0" show="Feb 13, 2017 10:17:17.552194000 NZDT" showname="Captured Time" value="1486934237.552194000" size="222"/>
2634 </proto>
<!-- frame: per-frame metadata for frame 523; every field here has size="0" and no value attribute, so
     only show/showname carry data. frame.protocols lists the dissection stack raw:ip:udp:nbdgm:smb:browser. -->
2635 <proto name="frame" showname="Frame 523: 222 bytes on wire (1776 bits), 222 bytes captured (1776 bits)" size="222" pos="0">
2636 <field name="frame.encap_type" showname="Encapsulation type: Raw IP (7)" size="0" pos="0" show="7"/>
2637 <field name="frame.time" showname="Arrival Time: Feb 13, 2017 10:17:17.552194000 NZDT" size="0" pos="0" show="Feb 13, 2017 10:17:17.552194000 NZDT"/>
2638 <field name="frame.offset_shift" showname="Time shift for this packet: 0.000000000 seconds" size="0" pos="0" show="0.000000000"/>
2639 <field name="frame.time_epoch" showname="Epoch Time: 1486934237.552194000 seconds" size="0" pos="0" show="1486934237.552194000"/>
2640 <field name="frame.time_delta" showname="Time delta from previous captured frame: 0.000068000 seconds" size="0" pos="0" show="0.000068000"/>
2641 <field name="frame.time_delta_displayed" showname="Time delta from previous displayed frame: 0.000068000 seconds" size="0" pos="0" show="0.000068000"/>
2642 <field name="frame.time_relative" showname="Time since reference or first frame: 466.929753000 seconds" size="0" pos="0" show="466.929753000"/>
2643 <field name="frame.number" showname="Frame Number: 523" size="0" pos="0" show="523"/>
2644 <field name="frame.len" showname="Frame Length: 222 bytes (1776 bits)" size="0" pos="0" show="222"/>
2645 <field name="frame.cap_len" showname="Capture Length: 222 bytes (1776 bits)" size="0" pos="0" show="222"/>
2646 <field name="frame.marked" showname="Frame is marked: False" size="0" pos="0" show="0"/>
2647 <field name="frame.ignored" showname="Frame is ignored: False" size="0" pos="0" show="0"/>
2648 <field name="frame.protocols" showname="Protocols in frame: raw:ip:udp:nbdgm:smb:browser" size="0" pos="0" show="raw:ip:udp:nbdgm:smb:browser"/>
2649 </proto>
<!-- raw: empty placeholder covering all 222 bytes from pos 0; the ip proto that follows also starts at pos 0. -->
2650 <proto name="raw" showname="Raw packet data" size="222" pos="0"/>
<!-- ip: IPv4 header, 127.0.0.3 to 127.0.0.21, protocol UDP (17), TTL 255, Don't Fragment set.
     The header checksum is 0x0000 with validation disabled, so checksum_good and checksum_bad are both
     False and say nothing about integrity. ip.addr and ip.host are emitted twice with hide="yes",
     once per endpoint, so a consumer counting addresses should use ip.src and ip.dst.
     For ip.flags and its children value is the raw byte (40); the decoded flag is in show. -->
2651 <proto name="ip" showname="Internet Protocol Version 4, Src: 127.0.0.3, Dst: 127.0.0.21" size="20" pos="0">
2652 <field name="ip.version" showname="0100 .... = Version: 4" size="1" pos="0" show="4" value="4" unmaskedvalue="45"/>
2653 <field name="ip.hdr_len" showname=".... 0101 = Header Length: 20 bytes" size="1" pos="0" show="5" value="5" unmaskedvalue="45"/>
2654 <field name="ip.dsfield" showname="Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)" size="1" pos="1" show="0x00000000" value="00">
2655 <field name="ip.dsfield.dscp" showname="0000 00.. = Differentiated Services Codepoint: Default (0)" size="1" pos="1" show="0" value="0" unmaskedvalue="00"/>
2656 <field name="ip.dsfield.ecn" showname=".... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)" size="1" pos="1" show="0" value="0" unmaskedvalue="00"/>
2657 </field>
2658 <field name="ip.len" showname="Total Length: 222" size="2" pos="2" show="222" value="00de"/>
2659 <field name="ip.id" showname="Identification: 0xffff (65535)" size="2" pos="4" show="0x0000ffff" value="ffff"/>
2660 <field name="ip.flags" showname="Flags: 0x02 (Don&#x27;t Fragment)" size="1" pos="6" show="0x00000002" value="40">
2661 <field name="ip.flags.rb" showname="0... .... = Reserved bit: Not set" size="1" pos="6" show="0" value="40"/>
2662 <field name="ip.flags.df" showname=".1.. .... = Don&#x27;t fragment: Set" size="1" pos="6" show="1" value="40"/>
2663 <field name="ip.flags.mf" showname="..0. .... = More fragments: Not set" size="1" pos="6" show="0" value="40"/>
2664 </field>
2665 <field name="ip.frag_offset" showname="Fragment offset: 0" size="2" pos="6" show="0" value="4000"/>
2666 <field name="ip.ttl" showname="Time to live: 255" size="1" pos="8" show="255" value="ff"/>
2667 <field name="ip.proto" showname="Protocol: UDP (17)" size="1" pos="9" show="17" value="11"/>
2668 <field name="ip.checksum" showname="Header checksum: 0x0000 [validation disabled]" size="2" pos="10" show="0x00000000" value="0000">
2669 <field name="ip.checksum_good" showname="Good: False" size="2" pos="10" show="0" value="0000"/>
2670 <field name="ip.checksum_bad" showname="Bad: False" size="2" pos="10" show="0" value="0000"/>
2671 </field>
2672 <field name="ip.src" showname="Source: 127.0.0.3" size="4" pos="12" show="127.0.0.3" value="7f000003"/>
2673 <field name="ip.addr" showname="Source or Destination Address: 127.0.0.3" hide="yes" size="4" pos="12" show="127.0.0.3" value="7f000003"/>
2674 <field name="ip.src_host" showname="Source Host: 127.0.0.3" hide="yes" size="4" pos="12" show="127.0.0.3" value="7f000003"/>
2675 <field name="ip.host" showname="Source or Destination Host: 127.0.0.3" hide="yes" size="4" pos="12" show="127.0.0.3" value="7f000003"/>
2676 <field name="ip.dst" showname="Destination: 127.0.0.21" size="4" pos="16" show="127.0.0.21" value="7f000015"/>
2677 <field name="ip.addr" showname="Source or Destination Address: 127.0.0.21" hide="yes" size="4" pos="16" show="127.0.0.21" value="7f000015"/>
2678 <field name="ip.dst_host" showname="Destination Host: 127.0.0.21" hide="yes" size="4" pos="16" show="127.0.0.21" value="7f000015"/>
2679 <field name="ip.host" showname="Source or Destination Host: 127.0.0.21" hide="yes" size="4" pos="16" show="127.0.0.21" value="7f000015"/>
2680 <field name="" show="Source GeoIP: Unknown" size="4" pos="12" value="7f000003"/>
2681 <field name="" show="Destination GeoIP: Unknown" size="4" pos="16" value="7f000015"/>
2682 </proto>
<!-- udp: source and destination port 138, length 202, checksum 0x0000 (none), so both checksum
     children are False. udp.port is emitted twice with hide="yes", once for each port; udp.stream
     (size 0) is an index assigned by Wireshark, not a header field. -->
2683 <proto name="udp" showname="User Datagram Protocol, Src Port: 138 (138), Dst Port: 138 (138)" size="8" pos="20">
2684 <field name="udp.srcport" showname="Source Port: 138" size="2" pos="20" show="138" value="008a"/>
2685 <field name="udp.dstport" showname="Destination Port: 138" size="2" pos="22" show="138" value="008a"/>
2686 <field name="udp.port" showname="Source or Destination Port: 138" hide="yes" size="2" pos="20" show="138" value="008a"/>
2687 <field name="udp.port" showname="Source or Destination Port: 138" hide="yes" size="2" pos="22" show="138" value="008a"/>
2688 <field name="udp.length" showname="Length: 202" size="2" pos="24" show="202" value="00ca"/>
2689 <field name="udp.checksum" showname="Checksum: 0x0000 (none)" size="2" pos="26" show="0x00000000" value="0000">
2690 <field name="udp.checksum_good" showname="Good Checksum: False" size="2" pos="26" show="0" value="0000"/>
2691 <field name="udp.checksum_bad" showname="Bad Checksum: False" size="2" pos="26" show="0" value="0000"/>
2692 </field>
2693 <field name="udp.stream" showname="Stream index: 30" size="0" pos="28" show="30"/>
2694 </proto>
<!-- nbdgm: direct group datagram from LOCALNT4DC2 (suffix 00, Workstation/Redirector) to SAMBA-TEST
     (suffix 1e, Browser Election Service). nbdgm.next, nbdgm.first and nbdgm.node_type are all decoded
     from the one byte at pos 29, so each repeats value="0a". For the two name fields value holds the
     34 encoded name bytes and show holds the decoded name with the suffix brackets escaped as entities. -->
2695 <proto name="nbdgm" showname="NetBIOS Datagram Service" size="82" pos="28">
2696 <field name="nbdgm.type" showname="Message Type: Direct_group datagram (17)" size="1" pos="28" show="17" value="11"/>
2697 <field name="nbdgm.next" showname="More fragments follow: No" size="1" pos="29" show="0" value="0a"/>
2698 <field name="nbdgm.first" showname="This is first fragment: Yes" size="1" pos="29" show="1" value="0a"/>
2699 <field name="nbdgm.node_type" showname="Node Type: M node (2)" size="1" pos="29" show="2" value="0a"/>
2700 <field name="nbdgm.dgram_id" showname="Datagram ID: 0x023d" size="2" pos="30" show="0x0000023d" value="023d"/>
2701 <field name="nbdgm.src.ip" showname="Source IP: 127.0.0.3" size="4" pos="32" show="127.0.0.3" value="7f000003"/>
2702 <field name="nbdgm.src.port" showname="Source Port: 138" size="2" pos="36" show="138" value="008a"/>
2703 <field name="nbdgm.dgram_len" showname="Datagram length: 180 bytes" size="2" pos="38" show="180" value="00b4"/>
2704 <field name="nbdgm.pkt_offset" showname="Packet offset: 0 bytes" size="2" pos="40" show="0" value="0000"/>
2705 <field name="nbdgm.source_name" showname="Source name: LOCALNT4DC2&lt;00&gt; (Workstation/Redirector)" size="34" pos="42" show="LOCALNT4DC2&lt;00&gt;" value="20454d455045444542454d454f464544454545454444434341434143414341414100"/>
2706 <field name="nbdgm.destination_name" showname="Destination name: SAMBA-TEST&lt;1e&gt; (Browser Election Service)" size="34" pos="76" show="SAMBA-TEST&lt;1e&gt;" value="2046444542454e45434542434e464545464644464543414341434143414341424f00"/>
2707 </proto>
<!-- SMB1 layer of a mailslot datagram: command Trans (0x25), transaction name \MAILSLOT\BROWSE.
     Flags2 is 0x0000 (security signatures neither supported nor required), the Signature field is all zero,
     and TID, PID, UID and MID are all 0, so the dissection shows no session context and no integrity
     protection on this frame. NOTE(review): a consumer of this sample should presumably not attribute the
     frame to an authenticated session; confirm against the summary script.
     The proto covers bytes 110..221 (pos 110, size 112). The mailslot (pos 171) and browser (pos 196) protos
     that follow lie inside that range, so adding up proto sizes per packet counts those bytes twice. -->
2708 <proto name="smb" showname="SMB (Server Message Block Protocol)" size="112" pos="110">
<!-- Unnamed grouping field: name is empty, the label exists only in the show attribute. -->
2709 <field name="" show="SMB Header" size="32" pos="110" value="ff534d4225000000000000000000000000000000000000000000000000000000">
2710 <field name="smb.server_component" showname="Server Component: SMB" size="4" pos="110" show="0x424d53ff" value="ff534d42"/>
2711 <field name="smb.cmd" showname="SMB Command: Trans (0x25)" size="1" pos="114" show="37" value="25"/>
2712 <field name="smb.error_class" showname="Error Class: Success (0x00)" size="1" pos="115" show="0x00000000" value="00"/>
2713 <field name="smb.reserved" showname="Reserved: 00" size="1" pos="116" show="00" value="00"/>
2714 <field name="smb.error_code" showname="Error Code: No Error" size="2" pos="117" show="0x00000000" value="0000"/>
2715 <field name="smb.flags" showname="Flags: 0x00" size="1" pos="119" show="0x00000000" value="00">
2716 <field name="smb.flags.response" showname="0... .... = Request/Response: Message is a request to the server" size="1" pos="119" show="0" value="0" unmaskedvalue="00"/>
2717 <field name="smb.flags.notify" showname=".0.. .... = Notify: Notify client only on open" size="1" pos="119" show="0" value="0" unmaskedvalue="00"/>
2718 <field name="smb.flags.oplock" showname="..0. .... = Oplocks: OpLock not requested/granted" size="1" pos="119" show="0" value="0" unmaskedvalue="00"/>
2719 <field name="smb.flags.canon" showname="...0 .... = Canonicalized Pathnames: Pathnames are not canonicalized" size="1" pos="119" show="0" value="0" unmaskedvalue="00"/>
2720 <field name="smb.flags.caseless" showname=".... 0... = Case Sensitivity: Path names are case sensitive" size="1" pos="119" show="0" value="0" unmaskedvalue="00"/>
2721 <field name="smb.flags.receive_buffer" showname=".... ..0. = Receive Buffer Posted: Receive buffer has not been posted" size="1" pos="119" show="0" value="0" unmaskedvalue="00"/>
2722 <field name="smb.flags.lock" showname=".... ...0 = Lock and Read: Lock&amp;Read, Write&amp;Unlock are not supported" size="1" pos="119" show="0" value="0" unmaskedvalue="00"/>
2723 </field>
<!-- Flags2 is entirely clear: ASCII strings, DOS error codes, no extended security, no signing. -->
2724 <field name="smb.flags2" showname="Flags2: 0x0000" size="2" pos="120" show="0x00000000" value="0000">
2725 <field name="smb.flags2.string" showname="0... .... .... .... = Unicode Strings: Strings are ASCII" size="2" pos="120" show="0" value="0" unmaskedvalue="0000"/>
2726 <field name="smb.flags2.nt_error" showname=".0.. .... .... .... = Error Code Type: Error codes are DOS error codes" size="2" pos="120" show="0" value="0" unmaskedvalue="0000"/>
2727 <field name="smb.flags2.roe" showname="..0. .... .... .... = Execute-only Reads: Don&#x27;t permit reads if execute-only" size="2" pos="120" show="0" value="0" unmaskedvalue="0000"/>
2728 <field name="smb.flags2.dfs" showname="...0 .... .... .... = Dfs: Don&#x27;t resolve pathnames with Dfs" size="2" pos="120" show="0" value="0" unmaskedvalue="0000"/>
2729 <field name="smb.flags2.esn" showname=".... 0... .... .... = Extended Security Negotiation: Extended security negotiation is not supported" size="2" pos="120" show="0" value="0" unmaskedvalue="0000"/>
2730 <field name="smb.flags2.reparse_path" showname=".... .0.. .... .... = Reparse Path: The request does not use a @GMT reparse path" size="2" pos="120" show="0" value="0" unmaskedvalue="0000"/>
2731 <field name="smb.flags2.long_names_used" showname=".... .... .0.. .... = Long Names Used: Path names in request are not long file names" size="2" pos="120" show="0" value="0" unmaskedvalue="0000"/>
2732 <field name="smb.flags2.sec_sig_required" showname=".... .... ...0 .... = Security Signatures Required: Security signatures are not required" size="2" pos="120" show="0" value="0" unmaskedvalue="0000"/>
2733 <field name="smb.flags2.compressed" showname=".... .... .... 0... = Compressed: Compression is not requested" size="2" pos="120" show="0" value="0" unmaskedvalue="0000"/>
2734 <field name="smb.flags2.sec_sig" showname=".... .... .... .0.. = Security Signatures: Security signatures are not supported" size="2" pos="120" show="0" value="0" unmaskedvalue="0000"/>
2735 <field name="smb.flags2.ea" showname=".... .... .... ..0. = Extended Attributes: Extended attributes are not supported" size="2" pos="120" show="0" value="0" unmaskedvalue="0000"/>
2736 <field name="smb.flags2.long_names_allowed" showname=".... .... .... ...0 = Long Names Allowed: Long file names are not allowed in the response" size="2" pos="120" show="0" value="0" unmaskedvalue="0000"/>
2737 </field>
2738 <field name="smb.pid.high" showname="Process ID High: 0" size="2" pos="122" show="0" value="0000"/>
2739 <field name="smb.signature" showname="Signature: 0000000000000000" size="8" pos="124" show="00:00:00:00:00:00:00:00" value="0000000000000000"/>
2740 <field name="smb.reserved" showname="Reserved: 0000" size="2" pos="132" show="00:00" value="0000"/>
2741 <field name="smb.tid" showname="Tree ID: 0" size="2" pos="134" show="0" value="0000"/>
2742 <field name="smb.pid" showname="Process ID: 0" size="2" pos="136" show="0" value="0000"/>
2743 <field name="smb.uid" showname="User ID: 0" size="2" pos="138" show="0" value="0000"/>
2744 <field name="smb.mid" showname="Multiplex ID: 0" size="2" pos="140" show="0" value="0000"/>
2745 </field>
<!-- Unnamed grouping field for the Trans request body (80 bytes from pos 142). -->
2746 <field name="" show="Trans Request (0x25)" size="80" pos="142" value="1100001a000000000000000000000000000000000000001a00560003000100010002002b005c4d41494c534c4f545c42524f5753450008018a0f011470170000000000004c4f43414c4e543444433200">
2747 <field name="smb.wct" showname="Word Count (WCT): 17" size="1" pos="142" show="17" value="11"/>
2748 <field name="smb.tpc" showname="Total Parameter Count: 0" size="2" pos="143" show="0" value="0000"/>
2749 <field name="smb.tdc" showname="Total Data Count: 26" size="2" pos="145" show="26" value="1a00"/>
2750 <field name="smb.mpc" showname="Max Parameter Count: 0" size="2" pos="147" show="0" value="0000"/>
2751 <field name="smb.mdc" showname="Max Data Count: 0" size="2" pos="149" show="0" value="0000"/>
2752 <field name="smb.msc" showname="Max Setup Count: 0" size="1" pos="151" show="0" value="00"/>
2753 <field name="smb.reserved" showname="Reserved: 00" size="1" pos="152" show="00" value="00"/>
2754 <field name="smb.transaction.flags" showname="Flags: 0x0000" size="2" pos="153" show="0x00000000" value="0000">
2755 <field name="smb.transaction.flags.owt" showname=".... .... .... ..0. = One Way Transaction: Two way transaction" size="2" pos="153" show="0" value="0" unmaskedvalue="0000"/>
2756 <field name="smb.transaction.flags.dtid" showname=".... .... .... ...0 = Disconnect TID: Do NOT disconnect TID" size="2" pos="153" show="0" value="0" unmaskedvalue="0000"/>
2757 </field>
2758 <field name="smb.timeout" showname="Timeout: Return immediately (0)" size="4" pos="155" show="0" value="00000000"/>
2759 <field name="smb.reserved" showname="Reserved: 0000" size="2" pos="159" show="00:00" value="0000"/>
2760 <field name="smb.pc" showname="Parameter Count: 0" size="2" pos="161" show="0" value="0000"/>
2761 <field name="smb.po" showname="Parameter Offset: 0" size="2" pos="163" show="0" value="0000"/>
2762 <field name="smb.dc" showname="Data Count: 26" size="2" pos="165" show="26" value="1a00"/>
2763 <field name="smb.data_offset" showname="Data Offset: 86" size="2" pos="167" show="86" value="5600"/>
2764 <field name="smb.sc" showname="Setup Count: 3" size="1" pos="169" show="3" value="03"/>
2765 <field name="smb.reserved" showname="Reserved: 00" size="1" pos="170" show="00" value="00"/>
<!-- pos jumps from 170 to 177 here: bytes 171..176 are reported by the mailslot proto that follows
     (opcode, priority, class), not by a field of this proto. -->
2766 <field name="smb.bcc" showname="Byte Count (BCC): 43" size="2" pos="177" show="43" value="2b00"/>
2767 <field name="smb.trans_name" showname="Transaction Name: \MAILSLOT\BROWSE" size="17" pos="179" show="\MAILSLOT\BROWSE" value="5c4d41494c534c4f545c42524f57534500"/>
2768 </field>
2769 </proto>
<!-- Mailslot layer: opcode 1 (Write Mail Slot), priority 1, class 2.
     The range pos 171..195 lies inside the preceding smb proto (pos 110, size 112).
     mailslot.size and mailslot.name have the same pos and value as smb.bcc (pos 177) and smb.trans_name
     (pos 179) in that proto: the same wire bytes are listed under two field names. -->
2770 <proto name="mailslot" showname="SMB MailSlot Protocol" size="25" pos="171">
2771 <field name="mailslot.opcode" showname="Opcode: Write Mail Slot (1)" size="2" pos="171" show="1" value="0100"/>
2772 <field name="mailslot.priority" showname="Priority: 1" size="2" pos="173" show="1" value="0100"/>
2773 <field name="mailslot.class" showname="Class: Unreliable &amp; Broadcast (2)" size="2" pos="175" show="2" value="0200"/>
2774 <field name="mailslot.size" showname="Size: 43" size="2" pos="177" show="43" value="2b00"/>
2775 <field name="mailslot.name" showname="Mailslot Name: \MAILSLOT\BROWSE" size="17" pos="179" show="\MAILSLOT\BROWSE" value="5c4d41494c534c4f545c42524f57534500"/>
2776 </proto>
<!-- Browser layer: Browser Election Request (command 0x08) carrying server name LOCALNT4DC2.
     Notes for anyone parsing these fields:
     * a set flag bit is written as value="FFFFFFFF" with show="1"; a clear bit as value="0" with show="0".
       Read show, not value, for bit fields.
     * election.criteria has show 0x14010f8a while value holds the wire bytes 8a0f0114 (little-endian).
     * browser.uptime has show="6000" although showname prints "6 seconds"; presumably milliseconds, confirm.
     NOTE(review): the smb layer of this packet shows UID 0 and an all-zero signature, so nothing visible in
     the dissection authenticates the sender named in browser.server. -->
2777 <proto name="browser" showname="Microsoft Windows Browser Protocol" size="26" pos="196">
2778 <field name="browser.command" showname="Command: Browser Election Request (0x08)" size="1" pos="196" show="0x00000008" value="08"/>
2779 <field name="browser.election.version" showname="Election Version: 1" size="1" pos="197" show="1" value="01"/>
<!-- The 4-byte criteria field nests desire (pos 198), protocol major/minor (pos 199, 200) and OS (pos 201). -->
2780 <field name="browser.election.criteria" showname="Election Criteria: 0x14010f8a" size="4" pos="198" show="0x14010f8a" value="8a0f0114">
2781 <field name="browser.election.desire" showname="Election Desire: 0x8a, Standby, Domain Master, NT" size="1" pos="198" show="0x0000008a" value="8a">
2782 <field name="browser.election.desire.backup" showname=".... ...0 = Backup: NOT Backup Browse Server" size="1" pos="198" show="0" value="0" unmaskedvalue="8a"/>
2783 <field name="browser.election.desire.standby" showname=".... ..1. = Standby: Standby Browse Server" size="1" pos="198" show="1" value="FFFFFFFF" unmaskedvalue="8a"/>
2784 <field name="browser.election.desire.master" showname=".... .0.. = Master: NOT Master Browser" size="1" pos="198" show="0" value="0" unmaskedvalue="8a"/>
2785 <field name="browser.election.desire.domain_master" showname=".... 1... = Domain Master: Domain Master Browse Server" size="1" pos="198" show="1" value="FFFFFFFF" unmaskedvalue="8a"/>
2786 <field name="browser.election.desire.wins" showname="..0. .... = WINS: NOT WINS Client" size="1" pos="198" show="0" value="0" unmaskedvalue="8a"/>
2787 <field name="browser.election.desire.nt" showname="1... .... = NT: Windows NT Advanced Server" size="1" pos="198" show="1" value="FFFFFFFF" unmaskedvalue="8a"/>
2788 </field>
2789 <field name="browser.proto_major" showname="Browser Protocol Major Version: 15" size="1" pos="199" show="15" value="0f"/>
2790 <field name="browser.proto_minor" showname="Browser Protocol Minor Version: 1" size="1" pos="200" show="1" value="01"/>
2791 <field name="browser.election.os" showname="Election OS: 0x14, NT Workstation" size="1" pos="201" show="0x00000014" value="14">
2792 <field name="browser.election.os.wfw" showname=".... ...0 = WfW: Not Windows for Workgroups" size="1" pos="201" show="0" value="0" unmaskedvalue="14"/>
2793 <field name="browser.election.os.ntw" showname="...1 .... = NT Workstation: Windows NT Workstation" size="1" pos="201" show="1" value="FFFFFFFF" unmaskedvalue="14"/>
2794 <field name="browser.election.os.nts" showname="..0. .... = NT Server: Not Windows NT Server" size="1" pos="201" show="0" value="0" unmaskedvalue="14"/>
2795 </field>
2796 </field>
2797 <field name="browser.uptime" showname="Uptime: 6 seconds" size="4" pos="202" show="6000" value="70170000"/>
2798 <field name="browser.server" showname="Server Name: LOCALNT4DC2" size="12" pos="210" show="LOCALNT4DC2" value="4c4f43414c4e543444433200"/>
2799 </proto>
2800 </packet>
2803 <packet>
<!-- General information for frame 50351. In this proto show carries the decimal form and value the
     hexadecimal form (num: c4af = 50351, len and caplen: 80 = 128). Captured length equals frame length,
     so the frame is recorded in full. The timestamp value is seconds since the epoch; show is the same
     instant printed in NZDT. -->
2804 <proto name="geninfo" pos="0" showname="General information" size="128">
2805 <field name="num" pos="0" show="50351" showname="Number" value="c4af" size="128"/>
2806 <field name="len" pos="0" show="128" showname="Frame Length" value="80" size="128"/>
2807 <field name="caplen" pos="0" show="128" showname="Captured Length" value="80" size="128"/>
2808 <field name="timestamp" pos="0" show="Feb 10, 2017 14:37:58.178692000 NZDT" showname="Captured Time" value="1486690678.178692000" size="128"/>
2809 </proto>
<!-- Frame metadata for frame 50351. Every field here has size="0", pos="0" and no value attribute;
     presumably these are computed by the dissector rather than read from packet bytes.
     frame.protocols lists the layer chain as raw:ip:tcp:nbss:smb:dcerpc. -->
2810 <proto name="frame" showname="Frame 50351: 128 bytes on wire (1024 bits), 128 bytes captured (1024 bits)" size="128" pos="0">
2811 <field name="frame.encap_type" showname="Encapsulation type: Raw IP (7)" size="0" pos="0" show="7"/>
2812 <field name="frame.time" showname="Arrival Time: Feb 10, 2017 14:37:58.178692000 NZDT" size="0" pos="0" show="Feb 10, 2017 14:37:58.178692000 NZDT"/>
2813 <field name="frame.offset_shift" showname="Time shift for this packet: 0.000000000 seconds" size="0" pos="0" show="0.000000000"/>
2814 <field name="frame.time_epoch" showname="Epoch Time: 1486690678.178692000 seconds" size="0" pos="0" show="1486690678.178692000"/>
2815 <field name="frame.time_delta" showname="Time delta from previous captured frame: 0.043192000 seconds" size="0" pos="0" show="0.043192000"/>
2816 <field name="frame.time_delta_displayed" showname="Time delta from previous displayed frame: 0.043192000 seconds" size="0" pos="0" show="0.043192000"/>
2817 <field name="frame.time_relative" showname="Time since reference or first frame: 101.648241000 seconds" size="0" pos="0" show="101.648241000"/>
2818 <field name="frame.number" showname="Frame Number: 50351" size="0" pos="0" show="50351"/>
2819 <field name="frame.len" showname="Frame Length: 128 bytes (1024 bits)" size="0" pos="0" show="128"/>
2820 <field name="frame.cap_len" showname="Capture Length: 128 bytes (1024 bits)" size="0" pos="0" show="128"/>
<!-- Booleans are printed as True/False in showname and as 1/0 in show. -->
2821 <field name="frame.marked" showname="Frame is marked: False" size="0" pos="0" show="0"/>
2822 <field name="frame.ignored" showname="Frame is ignored: False" size="0" pos="0" show="0"/>
2823 <field name="frame.protocols" showname="Protocols in frame: raw:ip:tcp:nbss:smb:dcerpc" size="0" pos="0" show="raw:ip:tcp:nbss:smb:dcerpc"/>
2824 </proto>
<!-- Layer for the raw packet data: an empty element covering all 128 bytes of the frame, with no child fields. -->
2825 <proto name="raw" showname="Raw packet data" size="128" pos="0"/>
<!-- IPv4 header, 20 bytes: source 127.0.0.30, destination 127.0.0.27 (both inside 127.0.0.0/8); the file
     header states that the samples come from a packet capture of make test.
     The header checksum is 0x0000 with validation disabled, so checksum_good and checksum_bad are both False:
     read that as "not checked", not as "invalid".
     ip.addr and ip.host each occur twice (source at pos 12, destination at pos 16) with hide="yes"; a parser
     that keys fields by name alone would keep only one of each pair. -->
2826 <proto name="ip" showname="Internet Protocol Version 4, Src: 127.0.0.30, Dst: 127.0.0.27" size="20" pos="0">
2827 <field name="ip.version" showname="0100 .... = Version: 4" size="1" pos="0" show="4" value="4" unmaskedvalue="45"/>
2828 <field name="ip.hdr_len" showname=".... 0101 = Header Length: 20 bytes" size="1" pos="0" show="5" value="5" unmaskedvalue="45"/>
2829 <field name="ip.dsfield" showname="Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)" size="1" pos="1" show="0x00000000" value="00">
2830 <field name="ip.dsfield.dscp" showname="0000 00.. = Differentiated Services Codepoint: Default (0)" size="1" pos="1" show="0" value="0" unmaskedvalue="00"/>
2831 <field name="ip.dsfield.ecn" showname=".... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)" size="1" pos="1" show="0" value="0" unmaskedvalue="00"/>
2832 </field>
2833 <field name="ip.len" showname="Total Length: 128" size="2" pos="2" show="128" value="0080"/>
2834 <field name="ip.id" showname="Identification: 0xffff (65535)" size="2" pos="4" show="0x0000ffff" value="ffff"/>
<!-- show is the decoded flag value (0x02) while value is the raw byte 40; the three flag bits below also
     carry value="40" instead of the 0 / FFFFFFFF form used for bit fields elsewhere in this proto's siblings. -->
2835 <field name="ip.flags" showname="Flags: 0x02 (Don&#x27;t Fragment)" size="1" pos="6" show="0x00000002" value="40">
2836 <field name="ip.flags.rb" showname="0... .... = Reserved bit: Not set" size="1" pos="6" show="0" value="40"/>
2837 <field name="ip.flags.df" showname=".1.. .... = Don&#x27;t fragment: Set" size="1" pos="6" show="1" value="40"/>
2838 <field name="ip.flags.mf" showname="..0. .... = More fragments: Not set" size="1" pos="6" show="0" value="40"/>
2839 </field>
2840 <field name="ip.frag_offset" showname="Fragment offset: 0" size="2" pos="6" show="0" value="4000"/>
2841 <field name="ip.ttl" showname="Time to live: 255" size="1" pos="8" show="255" value="ff"/>
2842 <field name="ip.proto" showname="Protocol: TCP (6)" size="1" pos="9" show="6" value="06"/>
2843 <field name="ip.checksum" showname="Header checksum: 0x0000 [validation disabled]" size="2" pos="10" show="0x00000000" value="0000">
2844 <field name="ip.checksum_good" showname="Good: False" size="2" pos="10" show="0" value="0000"/>
2845 <field name="ip.checksum_bad" showname="Bad: False" size="2" pos="10" show="0" value="0000"/>
2846 </field>
2847 <field name="ip.src" showname="Source: 127.0.0.30" size="4" pos="12" show="127.0.0.30" value="7f00001e"/>
2848 <field name="ip.addr" showname="Source or Destination Address: 127.0.0.30" hide="yes" size="4" pos="12" show="127.0.0.30" value="7f00001e"/>
2849 <field name="ip.src_host" showname="Source Host: 127.0.0.30" hide="yes" size="4" pos="12" show="127.0.0.30" value="7f00001e"/>
2850 <field name="ip.host" showname="Source or Destination Host: 127.0.0.30" hide="yes" size="4" pos="12" show="127.0.0.30" value="7f00001e"/>
2851 <field name="ip.dst" showname="Destination: 127.0.0.27" size="4" pos="16" show="127.0.0.27" value="7f00001b"/>
2852 <field name="ip.addr" showname="Source or Destination Address: 127.0.0.27" hide="yes" size="4" pos="16" show="127.0.0.27" value="7f00001b"/>
2853 <field name="ip.dst_host" showname="Destination Host: 127.0.0.27" hide="yes" size="4" pos="16" show="127.0.0.27" value="7f00001b"/>
2854 <field name="ip.host" showname="Source or Destination Host: 127.0.0.27" hide="yes" size="4" pos="16" show="127.0.0.27" value="7f00001b"/>
<!-- Unnamed GeoIP annotations; both report Unknown for these addresses. -->
2855 <field name="" show="Source GeoIP: Unknown" size="4" pos="12" value="7f00001e"/>
2856 <field name="" show="Destination GeoIP: Unknown" size="4" pos="16" value="7f00001b"/>
2857 </proto>
<!-- TCP header, 20 bytes at pos 20: source port 445, destination port 17919, flags 0x018 (PSH, ACK),
     segment length 88.
     Sequence and acknowledgment numbers are labelled as relative in showname.
     Fields with size="0" (tcp.stream, tcp.nxtseq and everything under tcp.analysis) have no value taken from
     the packet; presumably they are derived by the dissector across frames, so they depend on the capture
     as a whole and not on this frame alone.
     tcp.len is listed at pos 32 with value 50, the same byte as tcp.hdr_len, while its show is 88: do not
     read its value attribute as the length.
     Checksum is 0x0000 with validation disabled, so Good and Bad are both False ("not checked").
     tcp.port occurs twice with hide="yes", once per port. -->
2858 <proto name="tcp" showname="Transmission Control Protocol, Src Port: 445 (445), Dst Port: 17919 (17919), Seq: 1815, Ack: 3639, Len: 88" size="20" pos="20">
2859 <field name="tcp.srcport" showname="Source Port: 445" size="2" pos="20" show="445" value="01bd"/>
2860 <field name="tcp.dstport" showname="Destination Port: 17919" size="2" pos="22" show="17919" value="45ff"/>
2861 <field name="tcp.port" showname="Source or Destination Port: 445" hide="yes" size="2" pos="20" show="445" value="01bd"/>
2862 <field name="tcp.port" showname="Source or Destination Port: 17919" hide="yes" size="2" pos="22" show="17919" value="45ff"/>
2863 <field name="tcp.stream" showname="Stream index: 1177" size="0" pos="20" show="1177"/>
2864 <field name="tcp.len" showname="TCP Segment Len: 88" size="1" pos="32" show="88" value="50"/>
2865 <field name="tcp.seq" showname="Sequence number: 1815 (relative sequence number)" size="4" pos="24" show="1815" value="00000717"/>
2866 <field name="tcp.nxtseq" showname="Next sequence number: 1903 (relative sequence number)" size="0" pos="20" show="1903"/>
2867 <field name="tcp.ack" showname="Acknowledgment number: 3639 (relative ack number)" size="4" pos="28" show="3639" value="00000e37"/>
2868 <field name="tcp.hdr_len" showname="Header Length: 20 bytes" size="1" pos="32" show="20" value="50"/>
<!-- Flag bits: value="FFFFFFFF" with show="1" marks a set bit (ACK and PSH here); read show, not value. -->
2869 <field name="tcp.flags" showname="Flags: 0x018 (PSH, ACK)" size="2" pos="32" show="0x00000018" value="18" unmaskedvalue="5018">
2870 <field name="tcp.flags.res" showname="000. .... .... = Reserved: Not set" size="1" pos="32" show="0" value="0" unmaskedvalue="50"/>
2871 <field name="tcp.flags.ns" showname="...0 .... .... = Nonce: Not set" size="1" pos="32" show="0" value="0" unmaskedvalue="50"/>
2872 <field name="tcp.flags.cwr" showname=".... 0... .... = Congestion Window Reduced (CWR): Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
2873 <field name="tcp.flags.ecn" showname=".... .0.. .... = ECN-Echo: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
2874 <field name="tcp.flags.urg" showname=".... ..0. .... = Urgent: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
2875 <field name="tcp.flags.ack" showname=".... ...1 .... = Acknowledgment: Set" size="1" pos="33" show="1" value="FFFFFFFF" unmaskedvalue="18"/>
2876 <field name="tcp.flags.push" showname=".... .... 1... = Push: Set" size="1" pos="33" show="1" value="FFFFFFFF" unmaskedvalue="18"/>
2877 <field name="tcp.flags.reset" showname=".... .... .0.. = Reset: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
2878 <field name="tcp.flags.syn" showname=".... .... ..0. = Syn: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
2879 <field name="tcp.flags.fin" showname=".... .... ...0 = Fin: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
2880 <field name="tcp.flags.str" showname="TCP Flags: *******AP***" size="2" pos="32" show="*******AP***" value="5018"/>
2881 </field>
<!-- The three window fields all point at the same two bytes (pos 34, value 7fff); a scale factor of -2 is
     printed as "no window scaling used". -->
2882 <field name="tcp.window_size_value" showname="Window size value: 32767" size="2" pos="34" show="32767" value="7fff"/>
2883 <field name="tcp.window_size" showname="Calculated window size: 32767" size="2" pos="34" show="32767" value="7fff"/>
2884 <field name="tcp.window_size_scalefactor" showname="Window size scaling factor: -2 (no window scaling used)" size="2" pos="34" show="-2" value="7fff"/>
2885 <field name="tcp.checksum" showname="Checksum: 0x0000 [validation disabled]" size="2" pos="36" show="0x00000000" value="0000">
2886 <field name="tcp.checksum_good" showname="Good Checksum: False" size="2" pos="36" show="0" value="0000"/>
2887 <field name="tcp.checksum_bad" showname="Bad Checksum: False" size="2" pos="36" show="0" value="0000"/>
2888 </field>
2889 <field name="tcp.urgent_pointer" showname="Urgent pointer: 0" size="2" pos="38" show="0" value="0000"/>
<!-- Analysis group: empty show and value, size 0; its children refer to another frame (50348) by number. -->
2890 <field name="tcp.analysis" showname="SEQ/ACK analysis" size="0" pos="20" show="" value="">
2891 <field name="tcp.analysis.acks_frame" showname="This is an ACK to the segment in frame: 50348" size="0" pos="20" show="50348"/>
2892 <field name="tcp.analysis.ack_rtt" showname="The RTT to ACK the segment was: 0.043267000 seconds" size="0" pos="20" show="0.043267000"/>
2893 <field name="tcp.analysis.initial_rtt" showname="iRTT: 0.000015000 seconds" size="0" pos="20" show="0.000015000"/>
2894 <field name="tcp.analysis.bytes_in_flight" showname="Bytes in flight: 88" size="0" pos="20" show="88"/>
2895 </field>
2896 </proto>
<!-- NetBIOS Session Service framing: a 1-byte type (0x00, session message) followed by a 3-byte length of 84.
     The length matches the size (84) of the smb proto that follows at pos 44, and pos 40 plus size 88
     reaches the end of the 128-byte frame. -->
2897 <proto name="nbss" showname="NetBIOS Session Service" size="88" pos="40">
2898 <field name="nbss.type" showname="Message Type: Session message (0x00)" size="1" pos="40" show="0x00000000" value="00"/>
2899 <field name="nbss.length" showname="Length: 84" size="3" pos="41" show="84" value="000054"/>
2900 </proto>
2901 <proto name="smb" showname="SMB (Server Message Block Protocol)" size="84" pos="44">
2902 <field name="" show="SMB Header" size="32" pos="44" value="ff534d4225000000008817c8000045cbaf6829ae71c20000d95d0000c67c0b00">
2903 <field name="smb.server_component" showname="Server Component: SMB" size="4" pos="44" show="0x424d53ff" value="ff534d42"/>
2904 <field name="smb.response_to" showname="Response to: 50348" size="0" pos="44" show="50348"/>
2905 <field name="smb.time" showname="Time from request: 0.043267000 seconds" size="0" pos="44" show="0.043267000"/>
2906 <field name="smb.cmd" showname="SMB Command: Trans (0x25)" size="1" pos="48" show="37" value="25"/>
2907 <field name="smb.nt_status" showname="NT Status: STATUS_SUCCESS (0x00000000)" size="4" pos="49" show="0" value="00000000"/>
2908 <field name="smb.flags" showname="Flags: 0x88, Request/Response, Case Sensitivity" size="1" pos="53" show="0x00000088" value="88">
2909 <field name="smb.flags.response" showname="1... .... = Request/Response: Message is a response to the client/redirector" size="1" pos="53" show="1" value="FFFFFFFF" unmaskedvalue="88"/>
2910 <field name="smb.flags.notify" showname=".0.. .... = Notify: Notify client only on open" size="1" pos="53" show="0" value="0" unmaskedvalue="88"/>
2911 <field name="smb.flags.oplock" showname="..0. .... = Oplocks: OpLock not requested/granted" size="1" pos="53" show="0" value="0" unmaskedvalue="88"/>
2912 <field name="smb.flags.canon" showname="...0 .... = Canonicalized Pathnames: Pathnames are not canonicalized" size="1" pos="53" show="0" value="0" unmaskedvalue="88"/>
2913 <field name="smb.flags.caseless" showname=".... 1... = Case Sensitivity: Path names are caseless" size="1" pos="53" show="1" value="FFFFFFFF" unmaskedvalue="88"/>
2914 <field name="smb.flags.receive_buffer" showname=".... ..0. = Receive Buffer Posted: Receive buffer has not been posted" size="1" pos="53" show="0" value="0" unmaskedvalue="88"/>
2915 <field name="smb.flags.lock" showname=".... ...0 = Lock and Read: Lock&amp;Read, Write&amp;Unlock are not supported" size="1" pos="53" show="0" value="0" unmaskedvalue="88"/>
2916 </field>
2917 <field name="smb.flags2" showname="Flags2: 0xc817, Unicode Strings, Error Code Type, Extended Security Negotiation, Security Signatures Required, Security Signatures, Extended Attributes, Long Names Allowed" size="2" pos="54" show="0x0000c817" value="17c8">
2918 <field name="smb.flags2.string" showname="1... .... .... .... = Unicode Strings: Strings are Unicode" size="2" pos="54" show="1" value="FFFFFFFF" unmaskedvalue="17c8"/>
2919 <field name="smb.flags2.nt_error" showname=".1.. .... .... .... = Error Code Type: Error codes are NT error codes" size="2" pos="54" show="1" value="FFFFFFFF" unmaskedvalue="17c8"/>
2920 <field name="smb.flags2.roe" showname="..0. .... .... .... = Execute-only Reads: Don&#x27;t permit reads if execute-only" size="2" pos="54" show="0" value="0" unmaskedvalue="17c8"/>
2921 <field name="smb.flags2.dfs" showname="...0 .... .... .... = Dfs: Don&#x27;t resolve pathnames with Dfs" size="2" pos="54" show="0" value="0" unmaskedvalue="17c8"/>
2922 <field name="smb.flags2.esn" showname=".... 1... .... .... = Extended Security Negotiation: Extended security negotiation is supported" size="2" pos="54" show="1" value="FFFFFFFF" unmaskedvalue="17c8"/>
2923 <field name="smb.flags2.reparse_path" showname=".... .0.. .... .... = Reparse Path: The request does not use a @GMT reparse path" size="2" pos="54" show="0" value="0" unmaskedvalue="17c8"/>
2924 <field name="smb.flags2.long_names_used" showname=".... .... .0.. .... = Long Names Used: Path names in request are not long file names" size="2" pos="54" show="0" value="0" unmaskedvalue="17c8"/>
2925 <field name="smb.flags2.sec_sig_required" showname=".... .... ...1 .... = Security Signatures Required: Security signatures are required" size="2" pos="54" show="1" value="FFFFFFFF" unmaskedvalue="17c8"/>
2926 <field name="smb.flags2.compressed" showname=".... .... .... 0... = Compressed: Compression is not requested" size="2" pos="54" show="0" value="0" unmaskedvalue="17c8"/>
2927 <field name="smb.flags2.sec_sig" showname=".... .... .... .1.. = Security Signatures: Security signatures are supported" size="2" pos="54" show="1" value="FFFFFFFF" unmaskedvalue="17c8"/>
2928 <field name="smb.flags2.ea" showname=".... .... .... ..1. = Extended Attributes: Extended attributes are supported" size="2" pos="54" show="1" value="FFFFFFFF" unmaskedvalue="17c8"/>
2929 <field name="smb.flags2.long_names_allowed" showname=".... .... .... ...1 = Long Names Allowed: Long file names are allowed in the response" size="2" pos="54" show="1" value="FFFFFFFF" unmaskedvalue="17c8"/>
2930 </field>
2931 <field name="smb.pid.high" showname="Process ID High: 0" size="2" pos="56" show="0" value="0000"/>
2932 <field name="smb.signature" showname="Signature: 45cbaf6829ae71c2" size="8" pos="58" show="45:cb:af:68:29:ae:71:c2" value="45cbaf6829ae71c2"/>
2933 <field name="smb.reserved" showname="Reserved: 0000" size="2" pos="66" show="00:00" value="0000"/>
2934 <field name="smb.tid" showname="Tree ID: 24025 (\\ADDC.ADDOM.SAMBA.EXAMPLE.COM\IPC$)" size="2" pos="68" show="24025" value="d95d">
2935 <field name="smb.path" showname="Path: \\ADDC.ADDOM.SAMBA.EXAMPLE.COM\IPC$" size="0" pos="112" show="\\ADDC.ADDOM.SAMBA.EXAMPLE.COM\IPC$"/>
2936 <field name="smb.fid.mapped_in" showname="Mapped in: 50252" size="0" pos="112" show="50252"/>
2937 </field>
2938 <field name="smb.pid" showname="Process ID: 0" size="2" pos="70" show="0" value="0000"/>
2939 <field name="smb.uid" showname="User ID: 31942" size="2" pos="72" show="31942" value="c67c"/>
2940 <field name="smb.mid" showname="Multiplex ID: 11" size="2" pos="74" show="11" value="0b00"/>
2941 </field>
2942 <field name="" show="Trans Response (0x25)" size="52" pos="76" value="0a00001c0000000000380000001c003800000000001d000005000203100000001c00000007000000040000000000000000000000">
2943 <field name="smb.fid" showname="FID: 0x2ea1 (\lsarpc)" size="0" pos="76" show="0x00002ea1">
2944 <field name="smb.fid.opened_in" showname="Opened in: 50258" size="0" pos="120" show="50258"/>
2945 <field name="smb.file" showname="File Name: \lsarpc" size="0" pos="120" show="\lsarpc"/>
2946 <field name="smb.create_flags" showname="Create Flags: 0x00000000" size="4" pos="120" show="0x00000000" value="ff534d42">
2947 <field name="smb.nt.create.oplock" showname=".... .... .... .... .... .... .... ..0. = Exclusive Oplock: Does NOT request oplock" size="4" pos="44" show="0" value="0" unmaskedvalue="ff534d42"/>
2948 <field name="smb.nt.create.batch_oplock" showname=".... .... .... .... .... .... .... .0.. = Batch Oplock: Does NOT request batch oplock" size="4" pos="44" show="0" value="0" unmaskedvalue="ff534d42"/>
2949 <field name="smb.nt.create.dir" showname=".... .... .... .... .... .... .... 0... = Create Directory: Target of open can be a file" size="4" pos="44" show="0" value="0" unmaskedvalue="ff534d42"/>
2950 <field name="smb.nt.create.ext" showname=".... .... .... .... .... .... ...0 .... = Extended Response: Extended responses NOT required" size="4" pos="44" show="0" value="0" unmaskedvalue="ff534d42"/>
2951 </field>
2952 <field name="smb.access_mask" showname="Access Mask: 0x0002019f" size="4" pos="120" show="0x0002019f" value="ff534d42">
2953 <field name="smb.access.read" showname=".... .... .... .... .... .... .... ...1 = Read: READ access" size="4" pos="44" show="1" value="FFFFFFFF" unmaskedvalue="ff534d42"/>
2954 <field name="smb.access.write" showname=".... .... .... .... .... .... .... ..1. = Write: WRITE access" size="4" pos="44" show="1" value="FFFFFFFF" unmaskedvalue="ff534d42"/>
2955 <field name="smb.access.append" showname=".... .... .... .... .... .... .... .1.. = Append: APPEND access" size="4" pos="44" show="1" value="FFFFFFFF" unmaskedvalue="ff534d42"/>
2956 <field name="smb.access.read_ea" showname=".... .... .... .... .... .... .... 1... = Read EA: READ EXTENDED ATTRIBUTES access" size="4" pos="44" show="1" value="FFFFFFFF" unmaskedvalue="ff534d42"/>
2957 <field name="smb.access.write_ea" showname=".... .... .... .... .... .... ...1 .... = Write EA: WRITE EXTENDED ATTRIBUTES access" size="4" pos="44" show="1" value="FFFFFFFF" unmaskedvalue="ff534d42"/>
2958 <field name="smb.access.execute" showname=".... .... .... .... .... .... ..0. .... = Execute: NO execute access" size="4" pos="44" show="0" value="0" unmaskedvalue="ff534d42"/>
2959 <field name="smb.access.delete_child" showname=".... .... .... .... .... .... .0.. .... = Delete Child: NO delete child access" size="4" pos="44" show="0" value="0" unmaskedvalue="ff534d42"/>
2960 <field name="smb.access.read_attributes" showname=".... .... .... .... .... .... 1... .... = Read Attributes: READ ATTRIBUTES access" size="4" pos="44" show="1" value="FFFFFFFF" unmaskedvalue="ff534d42"/>
2961 <field name="smb.access.write_attributes" showname=".... .... .... .... .... ...1 .... .... = Write Attributes: WRITE ATTRIBUTES access" size="4" pos="44" show="1" value="FFFFFFFF" unmaskedvalue="ff534d42"/>
2962 <field name="smb.access.delete" showname=".... .... .... ...0 .... .... .... .... = Delete: NO delete access" size="4" pos="44" show="0" value="0" unmaskedvalue="ff534d42"/>
2963 <field name="smb.access.read_control" showname=".... .... .... ..1. .... .... .... .... = Read Control: READ ACCESS to owner, group and ACL of the SID" size="4" pos="44" show="1" value="FFFFFFFF" unmaskedvalue="ff534d42"/>
2964 <field name="smb.access.write_dac" showname=".... .... .... .0.. .... .... .... .... = Write DAC: Owner may NOT write to the DAC" size="4" pos="44" show="0" value="0" unmaskedvalue="ff534d42"/>
2965 <field name="smb.access.write_owner" showname=".... .... .... 0... .... .... .... .... = Write Owner: Can NOT write owner (take ownership)" size="4" pos="44" show="0" value="0" unmaskedvalue="ff534d42"/>
2966 <field name="smb.access.synchronize" showname=".... .... ...0 .... .... .... .... .... = Synchronize: Can NOT wait on handle to synchronize on completion of I/O" size="4" pos="44" show="0" value="0" unmaskedvalue="ff534d42"/>
2967 <field name="smb.access.system_security" showname=".... ...0 .... .... .... .... .... .... = System Security: System security is NOT set" size="4" pos="44" show="0" value="0" unmaskedvalue="ff534d42"/>
2968 <field name="smb.access.maximum_allowed" showname=".... ..0. .... .... .... .... .... .... = Maximum Allowed: Maximum allowed is NOT set" size="4" pos="44" show="0" value="0" unmaskedvalue="ff534d42"/>
2969 <field name="smb.access.generic_all" showname="...0 .... .... .... .... .... .... .... = Generic All: Generic all is NOT set" size="4" pos="44" show="0" value="0" unmaskedvalue="ff534d42"/>
2970 <field name="smb.access.generic_execute" showname="..0. .... .... .... .... .... .... .... = Generic Execute: Generic execute is NOT set" size="4" pos="44" show="0" value="0" unmaskedvalue="ff534d42"/>
2971 <field name="smb.access.generic_write" showname=".0.. .... .... .... .... .... .... .... = Generic Write: Generic write is NOT set" size="4" pos="44" show="0" value="0" unmaskedvalue="ff534d42"/>
2972 <field name="smb.access.generic_read" showname="0... .... .... .... .... .... .... .... = Generic Read: Generic read is NOT set" size="4" pos="44" show="0" value="0" unmaskedvalue="ff534d42"/>
2973 </field>
2974 <field name="smb.file_attribute" showname="File Attributes: 0x00000000" size="4" pos="120" show="0x00000000" value="ff534d42">
2975 <field name="smb.file_attribute.read_only" showname=".... .... .... .... .... .... .... ...0 = Read Only: NOT read only" size="4" pos="44" show="0" value="0" unmaskedvalue="ff534d42"/>
2976 <field name="smb.file_attribute.hidden" showname=".... .... .... .... .... .... .... ..0. = Hidden: NOT hidden" size="4" pos="44" show="0" value="0" unmaskedvalue="ff534d42"/>
2977 <field name="smb.file_attribute.system" showname=".... .... .... .... .... .... .... .0.. = System: NOT a system file/dir" size="4" pos="44" show="0" value="0" unmaskedvalue="ff534d42"/>
2978 <field name="smb.file_attribute.volume" showname=".... .... .... .... .... .... .... 0... = Volume ID: NOT a volume ID" size="4" pos="44" show="0" value="0" unmaskedvalue="ff534d42"/>
2979 <field name="smb.file_attribute.directory" showname=".... .... .... .... .... .... ...0 .... = Directory: NOT a directory" size="4" pos="44" show="0" value="0" unmaskedvalue="ff534d42"/>
2980 <field name="smb.file_attribute.archive" showname=".... .... .... .... .... .... ..0. .... = Archive: Has NOT been modified since last archive" size="4" pos="44" show="0" value="0" unmaskedvalue="ff534d42"/>
2981 <field name="smb.file_attribute.device" showname=".... .... .... .... .... .... .0.. .... = Device: NOT a device" size="4" pos="44" show="0" value="0" unmaskedvalue="ff534d42"/>
2982 <field name="smb.file_attribute.normal" showname=".... .... .... .... .... .... 0... .... = Normal: Has some attribute set" size="4" pos="44" show="0" value="0" unmaskedvalue="ff534d42"/>
2983 <field name="smb.file_attribute.temporary" showname=".... .... .... .... .... ...0 .... .... = Temporary: NOT a temporary file" size="4" pos="44" show="0" value="0" unmaskedvalue="ff534d42"/>
2984 <field name="smb.file_attribute.sparse" showname=".... .... .... .... .... ..0. .... .... = Sparse: NOT a sparse file" size="4" pos="44" show="0" value="0" unmaskedvalue="ff534d42"/>
2985 <field name="smb.file_attribute.reparse" showname=".... .... .... .... .... .0.. .... .... = Reparse Point: Does NOT have an associated reparse point" size="4" pos="44" show="0" value="0" unmaskedvalue="ff534d42"/>
2986 <field name="smb.file_attribute.compressed" showname=".... .... .... .... .... 0... .... .... = Compressed: Uncompressed" size="4" pos="44" show="0" value="0" unmaskedvalue="ff534d42"/>
2987 <field name="smb.file_attribute.offline" showname=".... .... .... .... ...0 .... .... .... = Offline: Online" size="4" pos="44" show="0" value="0" unmaskedvalue="ff534d42"/>
2988 <field name="smb.file_attribute.not_content_indexed" showname=".... .... .... .... ..0. .... .... .... = Content Indexed: NOT content indexed" size="4" pos="44" show="0" value="0" unmaskedvalue="ff534d42"/>
2989 <field name="smb.file_attribute.encrypted" showname=".... .... .... .... .0.. .... .... .... = Encrypted: This is NOT an encrypted file" size="4" pos="44" show="0" value="0" unmaskedvalue="ff534d42"/>
2990 </field>
2991 <field name="smb.share_access" showname="Share Access: 0x00000003, Read, Write" size="4" pos="120" show="0x00000003" value="ff534d42">
2992 <field name="smb.share.access.read" showname=".... .... .... .... .... .... .... ...1 = Read: Object can be shared for READ" size="4" pos="44" show="1" value="FFFFFFFF" unmaskedvalue="ff534d42"/>
2993 <field name="smb.share.access.write" showname=".... .... .... .... .... .... .... ..1. = Write: Object can be shared for WRITE" size="4" pos="44" show="1" value="FFFFFFFF" unmaskedvalue="ff534d42"/>
2994 <field name="smb.share.access.delete" showname=".... .... .... .... .... .... .... .0.. = Delete: Object can NOT be shared for delete" size="4" pos="44" show="0" value="0" unmaskedvalue="ff534d42"/>
2995 </field>
2996 <field name="smb.create_options" showname="Create Options: 0x00000000" size="4" pos="120" show="0x00000000" value="ff534d42">
2997 <field name="smb.nt.create_options.directory" showname=".... .... .... .... .... .... .... ...0 = Directory: File being created/opened must not be a directory" size="4" pos="44" show="0" value="0" unmaskedvalue="ff534d42"/>
2998 <field name="smb.nt.create_options.write_through" showname=".... .... .... .... .... .... .... ..0. = Write Through: Writes need not flush buffered data before completing" size="4" pos="44" show="0" value="0" unmaskedvalue="ff534d42"/>
2999 <field name="smb.nt.create_options.sequential_only" showname=".... .... .... .... .... .... .... .0.. = Sequential Only: The file might not only be accessed sequentially" size="4" pos="44" show="0" value="0" unmaskedvalue="ff534d42"/>
3000 <field name="smb.nt.create_options.intermediate_buffering" showname=".... .... .... .... .... .... .... 0... = Intermediate Buffering: Intermediate buffering is allowed" size="4" pos="44" show="0" value="0" unmaskedvalue="ff534d42"/>
3001 <field name="smb.nt.create_options.sync_io_alert" showname=".... .... .... .... .... .... ...0 .... = Sync I/O Alert: Operations NOT necessarily synchronous" size="4" pos="44" show="0" value="0" unmaskedvalue="ff534d42"/>
3002 <field name="smb.nt.create_options.sync_io_nonalert" showname=".... .... .... .... .... .... ..0. .... = Sync I/O Nonalert: Operations NOT necessarily synchronous" size="4" pos="44" show="0" value="0" unmaskedvalue="ff534d42"/>
3003 <field name="smb.nt.create_options.non_directory" showname=".... .... .... .... .... .... .0.. .... = Non-Directory: File being created/opened must be a directory" size="4" pos="44" show="0" value="0" unmaskedvalue="ff534d42"/>
3004 <field name="smb.nt.create_options.create_tree_connection" showname=".... .... .... .... .... .... 0... .... = Create Tree Connection: Create Tree Connections is NOT set" size="4" pos="44" show="0" value="0" unmaskedvalue="ff534d42"/>
3005 <field name="smb.nt.create_options.complete_if_oplocked" showname=".... .... .... .... .... ...0 .... .... = Complete If Oplocked: Complete if oplocked is NOT set" size="4" pos="44" show="0" value="0" unmaskedvalue="ff534d42"/>
3006 <field name="smb.nt.create_options.no_ea_knowledge" showname=".... .... .... .... .... ..0. .... .... = No EA Knowledge: The client understands extended attributes" size="4" pos="44" show="0" value="0" unmaskedvalue="ff534d42"/>
3007 <field name="smb.nt.create_options.eight_dot_three_only" showname=".... .... .... .... .... .0.. .... .... = 8.3 Only: The client understands long file names" size="4" pos="44" show="0" value="0" unmaskedvalue="ff534d42"/>
3008 <field name="smb.nt.create_options.random_access" showname=".... .... .... .... .... 0... .... .... = Random Access: The file will not be accessed randomly" size="4" pos="44" show="0" value="0" unmaskedvalue="ff534d42"/>
3009 <field name="smb.nt.create_options.delete_on_close" showname=".... .... .... .... ...0 .... .... .... = Delete On Close: The file should not be deleted when it is closed" size="4" pos="44" show="0" value="0" unmaskedvalue="ff534d42"/>
3010 <field name="smb.nt.create_options.open_by_fileid" showname=".... .... .... .... ..0. .... .... .... = Open By FileID: OpenByFileID is NOT set" size="4" pos="44" show="0" value="0" unmaskedvalue="ff534d42"/>
3011 <field name="smb.nt.create_options.backup_intent" showname=".... .... .... .... .0.. .... .... .... = Backup Intent: This is a normal create" size="4" pos="44" show="0" value="0" unmaskedvalue="ff534d42"/>
3012 <field name="smb.nt.create_options.no_compression" showname=".... .... .... .... 0... .... .... .... = No Compression: Compression is allowed for Open/Create" size="4" pos="44" show="0" value="0" unmaskedvalue="ff534d42"/>
3013 <field name="smb.nt.create_options.reserve_opfilter" showname=".... .... ...0 .... .... .... .... .... = Reserve Opfilter: Reserve Opfilter is NOT set" size="4" pos="44" show="0" value="0" unmaskedvalue="ff534d42"/>
3014 <field name="smb.nt.create_options.open_reparse_point" showname=".... .... ..0. .... .... .... .... .... = Open Reparse Point: Normal open" size="4" pos="44" show="0" value="0" unmaskedvalue="ff534d42"/>
3015 <field name="smb.nt.create_options.open_no_recall" showname=".... .... .0.. .... .... .... .... .... = Open No Recall: Open no recall is NOT set" size="4" pos="44" show="0" value="0" unmaskedvalue="ff534d42"/>
3016 <field name="smb.nt.create_options.open_for_free_space_query" showname=".... .... 0... .... .... .... .... .... = Open For Free Space query: This is NOT an open for free space query" size="4" pos="44" show="0" value="0" unmaskedvalue="ff534d42"/>
3017 </field>
3018 <field name="smb.create.disposition" showname="Disposition: Open (if file exists open it, else fail) (1)" size="0" pos="120" show="1"/>
3019 </field>
3020 <field name="smb.wct" showname="Word Count (WCT): 10" size="1" pos="76" show="10" value="0a"/>
3021 <field name="smb.tpc" showname="Total Parameter Count: 0" size="2" pos="77" show="0" value="0000"/>
3022 <field name="smb.tdc" showname="Total Data Count: 28" size="2" pos="79" show="28" value="1c00"/>
3023 <field name="smb.reserved" showname="Reserved: 0000" size="2" pos="81" show="00:00" value="0000"/>
3024 <field name="smb.pc" showname="Parameter Count: 0" size="2" pos="83" show="0" value="0000"/>
3025 <field name="smb.po" showname="Parameter Offset: 56" size="2" pos="85" show="56" value="3800"/>
3026 <field name="smb.pd" showname="Parameter Displacement: 0" size="2" pos="87" show="0" value="0000"/>
3027 <field name="smb.dc" showname="Data Count: 28" size="2" pos="89" show="28" value="1c00"/>
3028 <field name="smb.data_offset" showname="Data Offset: 56" size="2" pos="91" show="56" value="3800"/>
3029 <field name="smb.data_disp" showname="Data Displacement: 0" size="2" pos="93" show="0" value="0000"/>
3030 <field name="smb.sc" showname="Setup Count: 0" size="1" pos="95" show="0" value="00"/>
3031 <field name="smb.reserved" showname="Reserved: 00" size="1" pos="96" show="00" value="00"/>
3032 <field name="smb.bcc" showname="Byte Count (BCC): 29" size="2" pos="97" show="29" value="1d00"/>
3033 <field name="smb.padding" showname="Padding: 00" size="1" pos="99" show="00" value="00"/>
3034 </field>
3035 </proto>
<!-- smb_pipe: dissector-generated layer (size="0") for a TransactNmPipe call on FID 0x2ea1, the \lsarpc named pipe. -->
<!-- The fields nested under smb.fid appear to restate the parameters of the open that created this FID (smb.fid.opened_in = frame 50258); they are not decoded from bytes of this packet. -->
<!-- Their value/unmaskedvalue="05000203" is just the four bytes found at pos 100, which the dcerpc layer of this same packet decodes as version 5, minor 0, packet type 2, flags 0x03. -->
<!-- Anything consuming this fixture should read show/showname for these fields and ignore value/unmaskedvalue. -->
3036 <proto name="smb_pipe" showname="SMB Pipe Protocol" size="0" pos="0">
3037 <field name="smb_pipe.function" showname="Function: TransactNmPipe (0x0026)" size="0" pos="0" show="0x00000026"/>
3038 <field name="smb.fid" showname="FID: 0x2ea1 (\lsarpc)" size="0" pos="100" show="0x00002ea1">
3039 <field name="smb.fid.opened_in" showname="Opened in: 50258" size="0" pos="100" show="50258"/>
3040 <field name="smb.file" showname="File Name: \lsarpc" size="0" pos="100" show="\lsarpc"/>
3041 <field name="smb.create_flags" showname="Create Flags: 0x00000000" size="4" pos="100" show="0x00000000" value="05000203">
3042 <field name="smb.nt.create.oplock" showname=".... .... .... .... .... .... .... ..0. = Exclusive Oplock: Does NOT request oplock" size="4" pos="100" show="0" value="0" unmaskedvalue="05000203"/>
3043 <field name="smb.nt.create.batch_oplock" showname=".... .... .... .... .... .... .... .0.. = Batch Oplock: Does NOT request batch oplock" size="4" pos="100" show="0" value="0" unmaskedvalue="05000203"/>
3044 <field name="smb.nt.create.dir" showname=".... .... .... .... .... .... .... 0... = Create Directory: Target of open can be a file" size="4" pos="100" show="0" value="0" unmaskedvalue="05000203"/>
3045 <field name="smb.nt.create.ext" showname=".... .... .... .... .... .... ...0 .... = Extended Response: Extended responses NOT required" size="4" pos="100" show="0" value="0" unmaskedvalue="05000203"/>
3046 </field>
<!-- Access mask 0x0002019f: read, write, append, EA read/write, attribute read/write and READ_CONTROL are granted; execute, delete, WRITE_DAC and WRITE_OWNER are not. -->
3047 <field name="smb.access_mask" showname="Access Mask: 0x0002019f" size="4" pos="100" show="0x0002019f" value="05000203">
3048 <field name="smb.access.read" showname=".... .... .... .... .... .... .... ...1 = Read: READ access" size="4" pos="100" show="1" value="FFFFFFFF" unmaskedvalue="05000203"/>
3049 <field name="smb.access.write" showname=".... .... .... .... .... .... .... ..1. = Write: WRITE access" size="4" pos="100" show="1" value="FFFFFFFF" unmaskedvalue="05000203"/>
3050 <field name="smb.access.append" showname=".... .... .... .... .... .... .... .1.. = Append: APPEND access" size="4" pos="100" show="1" value="FFFFFFFF" unmaskedvalue="05000203"/>
3051 <field name="smb.access.read_ea" showname=".... .... .... .... .... .... .... 1... = Read EA: READ EXTENDED ATTRIBUTES access" size="4" pos="100" show="1" value="FFFFFFFF" unmaskedvalue="05000203"/>
3052 <field name="smb.access.write_ea" showname=".... .... .... .... .... .... ...1 .... = Write EA: WRITE EXTENDED ATTRIBUTES access" size="4" pos="100" show="1" value="FFFFFFFF" unmaskedvalue="05000203"/>
3053 <field name="smb.access.execute" showname=".... .... .... .... .... .... ..0. .... = Execute: NO execute access" size="4" pos="100" show="0" value="0" unmaskedvalue="05000203"/>
3054 <field name="smb.access.delete_child" showname=".... .... .... .... .... .... .0.. .... = Delete Child: NO delete child access" size="4" pos="100" show="0" value="0" unmaskedvalue="05000203"/>
3055 <field name="smb.access.read_attributes" showname=".... .... .... .... .... .... 1... .... = Read Attributes: READ ATTRIBUTES access" size="4" pos="100" show="1" value="FFFFFFFF" unmaskedvalue="05000203"/>
3056 <field name="smb.access.write_attributes" showname=".... .... .... .... .... ...1 .... .... = Write Attributes: WRITE ATTRIBUTES access" size="4" pos="100" show="1" value="FFFFFFFF" unmaskedvalue="05000203"/>
3057 <field name="smb.access.delete" showname=".... .... .... ...0 .... .... .... .... = Delete: NO delete access" size="4" pos="100" show="0" value="0" unmaskedvalue="05000203"/>
3058 <field name="smb.access.read_control" showname=".... .... .... ..1. .... .... .... .... = Read Control: READ ACCESS to owner, group and ACL of the SID" size="4" pos="100" show="1" value="FFFFFFFF" unmaskedvalue="05000203"/>
3059 <field name="smb.access.write_dac" showname=".... .... .... .0.. .... .... .... .... = Write DAC: Owner may NOT write to the DAC" size="4" pos="100" show="0" value="0" unmaskedvalue="05000203"/>
3060 <field name="smb.access.write_owner" showname=".... .... .... 0... .... .... .... .... = Write Owner: Can NOT write owner (take ownership)" size="4" pos="100" show="0" value="0" unmaskedvalue="05000203"/>
3061 <field name="smb.access.synchronize" showname=".... .... ...0 .... .... .... .... .... = Synchronize: Can NOT wait on handle to synchronize on completion of I/O" size="4" pos="100" show="0" value="0" unmaskedvalue="05000203"/>
3062 <field name="smb.access.system_security" showname=".... ...0 .... .... .... .... .... .... = System Security: System security is NOT set" size="4" pos="100" show="0" value="0" unmaskedvalue="05000203"/>
3063 <field name="smb.access.maximum_allowed" showname=".... ..0. .... .... .... .... .... .... = Maximum Allowed: Maximum allowed is NOT set" size="4" pos="100" show="0" value="0" unmaskedvalue="05000203"/>
3064 <field name="smb.access.generic_all" showname="...0 .... .... .... .... .... .... .... = Generic All: Generic all is NOT set" size="4" pos="100" show="0" value="0" unmaskedvalue="05000203"/>
3065 <field name="smb.access.generic_execute" showname="..0. .... .... .... .... .... .... .... = Generic Execute: Generic execute is NOT set" size="4" pos="100" show="0" value="0" unmaskedvalue="05000203"/>
3066 <field name="smb.access.generic_write" showname=".0.. .... .... .... .... .... .... .... = Generic Write: Generic write is NOT set" size="4" pos="100" show="0" value="0" unmaskedvalue="05000203"/>
3067 <field name="smb.access.generic_read" showname="0... .... .... .... .... .... .... .... = Generic Read: Generic read is NOT set" size="4" pos="100" show="0" value="0" unmaskedvalue="05000203"/>
3068 </field>
3069 <field name="smb.file_attribute" showname="File Attributes: 0x00000000" size="4" pos="100" show="0x00000000" value="05000203">
3070 <field name="smb.file_attribute.read_only" showname=".... .... .... .... .... .... .... ...0 = Read Only: NOT read only" size="4" pos="100" show="0" value="0" unmaskedvalue="05000203"/>
3071 <field name="smb.file_attribute.hidden" showname=".... .... .... .... .... .... .... ..0. = Hidden: NOT hidden" size="4" pos="100" show="0" value="0" unmaskedvalue="05000203"/>
3072 <field name="smb.file_attribute.system" showname=".... .... .... .... .... .... .... .0.. = System: NOT a system file/dir" size="4" pos="100" show="0" value="0" unmaskedvalue="05000203"/>
3073 <field name="smb.file_attribute.volume" showname=".... .... .... .... .... .... .... 0... = Volume ID: NOT a volume ID" size="4" pos="100" show="0" value="0" unmaskedvalue="05000203"/>
3074 <field name="smb.file_attribute.directory" showname=".... .... .... .... .... .... ...0 .... = Directory: NOT a directory" size="4" pos="100" show="0" value="0" unmaskedvalue="05000203"/>
3075 <field name="smb.file_attribute.archive" showname=".... .... .... .... .... .... ..0. .... = Archive: Has NOT been modified since last archive" size="4" pos="100" show="0" value="0" unmaskedvalue="05000203"/>
3076 <field name="smb.file_attribute.device" showname=".... .... .... .... .... .... .0.. .... = Device: NOT a device" size="4" pos="100" show="0" value="0" unmaskedvalue="05000203"/>
3077 <field name="smb.file_attribute.normal" showname=".... .... .... .... .... .... 0... .... = Normal: Has some attribute set" size="4" pos="100" show="0" value="0" unmaskedvalue="05000203"/>
3078 <field name="smb.file_attribute.temporary" showname=".... .... .... .... .... ...0 .... .... = Temporary: NOT a temporary file" size="4" pos="100" show="0" value="0" unmaskedvalue="05000203"/>
3079 <field name="smb.file_attribute.sparse" showname=".... .... .... .... .... ..0. .... .... = Sparse: NOT a sparse file" size="4" pos="100" show="0" value="0" unmaskedvalue="05000203"/>
3080 <field name="smb.file_attribute.compressed" showname=".... .... .... .... .... 0... .... .... = Compressed: Uncompressed" size="4" pos="100" show="0" value="0" unmaskedvalue="05000203"/>
3081 <field name="smb.file_attribute.offline" showname=".... .... .... .... ...0 .... .... .... = Offline: Online" size="4" pos="100" show="0" value="0" unmaskedvalue="05000203"/>
3082 <field name="smb.file_attribute.not_content_indexed" showname=".... .... .... .... ..0. .... .... .... = Content Indexed: NOT content indexed" size="4" pos="100" show="0" value="0" unmaskedvalue="05000203"/>
3083 <field name="smb.file_attribute.encrypted" showname=".... .... .... .... .0.. .... .... .... = Encrypted: This is NOT an encrypted file" size="4" pos="100" show="0" value="0" unmaskedvalue="05000203"/>
3084 </field>
3085 <field name="smb.share_access" showname="Share Access: 0x00000003, Read, Write" size="4" pos="100" show="0x00000003" value="05000203">
3086 <field name="smb.share.access.read" showname=".... .... .... .... .... .... .... ...1 = Read: Object can be shared for READ" size="4" pos="100" show="1" value="FFFFFFFF" unmaskedvalue="05000203"/>
3087 <field name="smb.share.access.write" showname=".... .... .... .... .... .... .... ..1. = Write: Object can be shared for WRITE" size="4" pos="100" show="1" value="FFFFFFFF" unmaskedvalue="05000203"/>
3088 <field name="smb.share.access.delete" showname=".... .... .... .... .... .... .... .0.. = Delete: Object can NOT be shared for delete" size="4" pos="100" show="0" value="0" unmaskedvalue="05000203"/>
3089 </field>
3090 <field name="smb.create_options" showname="Create Options: 0x00000000" size="4" pos="100" show="0x00000000" value="05000203">
3091 <field name="smb.nt.create_options.directory" showname=".... .... .... .... .... .... .... ...0 = Directory: File being created/opened must not be a directory" size="4" pos="100" show="0" value="0" unmaskedvalue="05000203"/>
3092 <field name="smb.nt.create_options.write_through" showname=".... .... .... .... .... .... .... ..0. = Write Through: Writes need not flush buffered data before completing" size="4" pos="100" show="0" value="0" unmaskedvalue="05000203"/>
3093 <field name="smb.nt.create_options.sequential_only" showname=".... .... .... .... .... .... .... .0.. = Sequential Only: The file might not only be accessed sequentially" size="4" pos="100" show="0" value="0" unmaskedvalue="05000203"/>
3094 <field name="smb.nt.create_options.intermediate_buffering" showname=".... .... .... .... .... .... .... 0... = Intermediate Buffering: Intermediate buffering is allowed" size="4" pos="100" show="0" value="0" unmaskedvalue="05000203"/>
3095 <field name="smb.nt.create_options.sync_io_alert" showname=".... .... .... .... .... .... ...0 .... = Sync I/O Alert: Operations NOT necessarily synchronous" size="4" pos="100" show="0" value="0" unmaskedvalue="05000203"/>
3096 <field name="smb.nt.create_options.sync_io_nonalert" showname=".... .... .... .... .... .... ..0. .... = Sync I/O Nonalert: Operations NOT necessarily synchronous" size="4" pos="100" show="0" value="0" unmaskedvalue="05000203"/>
3097 <field name="smb.nt.create_options.non_directory" showname=".... .... .... .... .... .... .0.. .... = Non-Directory: File being created/opened must be a directory" size="4" pos="100" show="0" value="0" unmaskedvalue="05000203"/>
3098 <field name="smb.nt.create_options.create_tree_connection" showname=".... .... .... .... .... .... 0... .... = Create Tree Connection: Create Tree Connections is NOT set" size="4" pos="100" show="0" value="0" unmaskedvalue="05000203"/>
3099 <field name="smb.nt.create_options.complete_if_oplocked" showname=".... .... .... .... .... ...0 .... .... = Complete If Oplocked: Complete if oplocked is NOT set" size="4" pos="100" show="0" value="0" unmaskedvalue="05000203"/>
3100 <field name="smb.nt.create_options.no_ea_knowledge" showname=".... .... .... .... .... ..0. .... .... = No EA Knowledge: The client understands extended attributes" size="4" pos="100" show="0" value="0" unmaskedvalue="05000203"/>
3101 <field name="smb.nt.create_options.eight_dot_three_only" showname=".... .... .... .... .... .0.. .... .... = 8.3 Only: The client understands long file names" size="4" pos="100" show="0" value="0" unmaskedvalue="05000203"/>
3102 <field name="smb.nt.create_options.random_access" showname=".... .... .... .... .... 0... .... .... = Random Access: The file will not be accessed randomly" size="4" pos="100" show="0" value="0" unmaskedvalue="05000203"/>
3103 <field name="smb.nt.create_options.delete_on_close" showname=".... .... .... .... ...0 .... .... .... = Delete On Close: The file should not be deleted when it is closed" size="4" pos="100" show="0" value="0" unmaskedvalue="05000203"/>
3104 <field name="smb.nt.create_options.open_by_fileid" showname=".... .... .... .... ..0. .... .... .... = Open By FileID: OpenByFileID is NOT set" size="4" pos="100" show="0" value="0" unmaskedvalue="05000203"/>
3105 <field name="smb.nt.create_options.backup_intent" showname=".... .... .... .... .0.. .... .... .... = Backup Intent: This is a normal create" size="4" pos="100" show="0" value="0" unmaskedvalue="05000203"/>
3106 <field name="smb.nt.create_options.no_compression" showname=".... .... .... .... 0... .... .... .... = No Compression: Compression is allowed for Open/Create" size="4" pos="100" show="0" value="0" unmaskedvalue="05000203"/>
3107 <field name="smb.nt.create_options.reserve_opfilter" showname=".... .... ...0 .... .... .... .... .... = Reserve Opfilter: Reserve Opfilter is NOT set" size="4" pos="100" show="0" value="0" unmaskedvalue="05000203"/>
3108 <field name="smb.nt.create_options.open_reparse_point" showname=".... .... ..0. .... .... .... .... .... = Open Reparse Point: Normal open" size="4" pos="100" show="0" value="0" unmaskedvalue="05000203"/>
3109 <field name="smb.nt.create_options.open_no_recall" showname=".... .... .0.. .... .... .... .... .... = Open No Recall: Open no recall is NOT set" size="4" pos="100" show="0" value="0" unmaskedvalue="05000203"/>
3110 <field name="smb.nt.create_options.open_for_free_space_query" showname=".... .... 0... .... .... .... .... .... = Open For Free Space query: This is NOT an open for free space query" size="4" pos="100" show="0" value="0" unmaskedvalue="05000203"/>
3111 </field>
3112 <field name="smb.create.disposition" showname="Disposition: Open (if file exists open it, else fail) (1)" size="0" pos="100" show="1"/>
3113 </field>
3114 </proto>
<!-- dcerpc: connection-oriented DCE/RPC response PDU (packet type 2), 28 bytes starting at pos 100, call ID 7, answering the request in frame 50348. -->
<!-- Both first_frag and last_frag are set, so the whole response fits in this single fragment. -->
<!-- Auth Length is 0: this PDU carries no DCE/RPC auth verifier. Whether the underlying SMB transport protects it cannot be told from this layer. -->
<!-- dcerpc.opnum, dcerpc.request_in and dcerpc.time have size="0"; presumably the dissector derives them from the matching request rather than from these bytes. -->
3115 <proto name="dcerpc" showname="Distributed Computing Environment / Remote Procedure Call (DCE/RPC) Response, Fragment: Single, FragLen: 28, Call: 7, Ctx: 0, [Req: #50348]" size="28" pos="100">
3116 <field name="dcerpc.ver" showname="Version: 5" size="1" pos="100" show="5" value="05"/>
3117 <field name="dcerpc.ver_minor" showname="Version (minor): 0" size="1" pos="101" show="0" value="00"/>
3118 <field name="dcerpc.pkt_type" showname="Packet type: Response (2)" size="1" pos="102" show="2" value="02"/>
3119 <field name="dcerpc.cn_flags" showname="Packet Flags: 0x03" size="1" pos="103" show="0x00000003" value="03">
3120 <field name="dcerpc.cn_flags.object" showname="0... .... = Object: Not set" size="1" pos="103" show="0" value="0" unmaskedvalue="03"/>
3121 <field name="dcerpc.cn_flags.maybe" showname=".0.. .... = Maybe: Not set" size="1" pos="103" show="0" value="0" unmaskedvalue="03"/>
3122 <field name="dcerpc.cn_flags.dne" showname="..0. .... = Did Not Execute: Not set" size="1" pos="103" show="0" value="0" unmaskedvalue="03"/>
3123 <field name="dcerpc.cn_flags.mpx" showname="...0 .... = Multiplex: Not set" size="1" pos="103" show="0" value="0" unmaskedvalue="03"/>
3124 <field name="dcerpc.cn_flags.reserved" showname=".... 0... = Reserved: Not set" size="1" pos="103" show="0" value="0" unmaskedvalue="03"/>
3125 <field name="dcerpc.cn_flags.cancel_pending" showname=".... .0.. = Cancel Pending: Not set" size="1" pos="103" show="0" value="0" unmaskedvalue="03"/>
3126 <field name="dcerpc.cn_flags.last_frag" showname=".... ..1. = Last Frag: Set" size="1" pos="103" show="1" value="FFFFFFFF" unmaskedvalue="03"/>
3127 <field name="dcerpc.cn_flags.first_frag" showname=".... ...1 = First Frag: Set" size="1" pos="103" show="1" value="FFFFFFFF" unmaskedvalue="03"/>
3128 </field>
<!-- Data representation 10000000: little-endian integers, ASCII characters, IEEE floating point. -->
3129 <field name="dcerpc.drep" showname="Data Representation: 10000000" size="4" pos="104" show="10:00:00:00" value="10000000">
3130 <field name="dcerpc.drep.byteorder" showname="Byte order: Little-endian (1)" size="1" pos="104" show="1" value="10"/>
3131 <field name="dcerpc.drep.character" showname="Character: ASCII (0)" size="1" pos="104" show="0" value="10"/>
3132 <field name="dcerpc.drep.fp" showname="Floating-point: IEEE (0)" size="1" pos="105" show="0" value="00"/>
3133 </field>
3134 <field name="dcerpc.cn_frag_len" showname="Frag Length: 28" size="2" pos="108" show="28" value="1c00"/>
3135 <field name="dcerpc.cn_auth_len" showname="Auth Length: 0" size="2" pos="110" show="0" value="0000"/>
3136 <field name="dcerpc.cn_call_id" showname="Call ID: 7" size="4" pos="112" show="7" value="07000000"/>
3137 <field name="dcerpc.cn_alloc_hint" showname="Alloc hint: 4" size="4" pos="116" show="4" value="04000000"/>
3138 <field name="dcerpc.cn_ctx_id" showname="Context ID: 0" size="2" pos="120" show="0" value="0000"/>
3139 <field name="dcerpc.cn_cancel_count" showname="Cancel count: 0" size="1" pos="122" show="0" value="00"/>
3140 <field name="dcerpc.opnum" showname="Opnum: 27" size="0" pos="100" show="27"/>
3141 <field name="dcerpc.request_in" showname="Request in frame: 50348" size="0" pos="100" show="50348"/>
3142 <field name="dcerpc.time" showname="Time from request: 0.043267000 seconds" size="0" pos="124" show="0.043267000"/>
3143 </proto>
<!-- lsarpc: response stub for lsa_SetInformationTrustedDomain (opnum 27); the matching request is frame 50348. -->
<!-- The only payload is the 4-byte NTSTATUS at pos 124, here STATUS_SUCCESS, so the server accepted the change. -->
<!-- When reviewing real traffic, a successful response to this call is worth correlating with the session that issued the request, since it reports a modification of trusted-domain information. -->
3144 <proto name="lsarpc" showname="Local Security Authority, lsa_SetInformationTrustedDomain" size="4" pos="124">
3145 <field name="lsarpc.opnum" showname="Operation: lsa_SetInformationTrustedDomain (27)" size="0" pos="124" show="27"/>
3146 <field name="dcerpc.request_in" showname="Request in frame: 50348" size="0" pos="124" show="50348"/>
3147 <field name="lsarpc.status" showname="NT Error: STATUS_SUCCESS (0x00000000)" size="4" pos="124" show="0x00000000" value="00000000"/>
3148 </proto>
3149 </packet>
3151 <packet>
<!-- geninfo: capture metadata for frame 50491 (196 bytes on the wire, 196 captured, so the frame is not truncated). -->
<!-- For num, len and caplen the value attribute is the same number in hex (c53b = 50491, c4 = 196); show is the decimal form. -->
<!-- timestamp carries the local-time string in show and a numeric seconds value in value. -->
3152 <proto name="geninfo" pos="0" showname="General information" size="196">
3153 <field name="num" pos="0" show="50491" showname="Number" value="c53b" size="196"/>
3154 <field name="len" pos="0" show="196" showname="Frame Length" value="c4" size="196"/>
3155 <field name="caplen" pos="0" show="196" showname="Captured Length" value="c4" size="196"/>
3156 <field name="timestamp" pos="0" show="Feb 10, 2017 14:37:59.853951000 NZDT" showname="Captured Time" value="1486690679.853951000" size="196"/>
3157 </proto>
<!-- frame: frame-level metadata for frame 50491; every child field has size="0", i.e. none is backed by packet bytes. -->
<!-- Encapsulation is Raw IP (7), so there is no link-layer header in this capture. -->
<!-- frame.protocols = raw:ip:tcp:dcerpc: here DCE/RPC rides directly on TCP, with no SMB layer in the stack. -->
3158 <proto name="frame" showname="Frame 50491: 196 bytes on wire (1568 bits), 196 bytes captured (1568 bits)" size="196" pos="0">
3159 <field name="frame.encap_type" showname="Encapsulation type: Raw IP (7)" size="0" pos="0" show="7"/>
3160 <field name="frame.time" showname="Arrival Time: Feb 10, 2017 14:37:59.853951000 NZDT" size="0" pos="0" show="Feb 10, 2017 14:37:59.853951000 NZDT"/>
3161 <field name="frame.offset_shift" showname="Time shift for this packet: 0.000000000 seconds" size="0" pos="0" show="0.000000000"/>
3162 <field name="frame.time_epoch" showname="Epoch Time: 1486690679.853951000 seconds" size="0" pos="0" show="1486690679.853951000"/>
3163 <field name="frame.time_delta" showname="Time delta from previous captured frame: 0.000093000 seconds" size="0" pos="0" show="0.000093000"/>
3164 <field name="frame.time_delta_displayed" showname="Time delta from previous displayed frame: 0.000093000 seconds" size="0" pos="0" show="0.000093000"/>
3165 <field name="frame.time_relative" showname="Time since reference or first frame: 103.323500000 seconds" size="0" pos="0" show="103.323500000"/>
3166 <field name="frame.number" showname="Frame Number: 50491" size="0" pos="0" show="50491"/>
3167 <field name="frame.len" showname="Frame Length: 196 bytes (1568 bits)" size="0" pos="0" show="196"/>
3168 <field name="frame.cap_len" showname="Capture Length: 196 bytes (1568 bits)" size="0" pos="0" show="196"/>
3169 <field name="frame.marked" showname="Frame is marked: False" size="0" pos="0" show="0"/>
3170 <field name="frame.ignored" showname="Frame is ignored: False" size="0" pos="0" show="0"/>
3171 <field name="frame.protocols" showname="Protocols in frame: raw:ip:tcp:dcerpc" size="0" pos="0" show="raw:ip:tcp:dcerpc"/>
3172 </proto>
3173 <proto name="raw" showname="Raw packet data" size="196" pos="0"/>
<!-- ip: 20-byte IPv4 header, source 127.0.0.27 to destination 127.0.0.30. Both addresses are in the loopback range, consistent with a capture taken on a single test host. -->
<!-- The header checksum is 0x0000 with validation disabled, so checksum_good and checksum_bad are both False; nothing here says the header was verified. -->
<!-- ip.addr and ip.host each appear twice (once per endpoint) with hide="yes"; a consumer keyed on field name has to expect duplicates. -->
<!-- The two fields with name="" are GeoIP text labels and carry their text in show only. -->
3174 <proto name="ip" showname="Internet Protocol Version 4, Src: 127.0.0.27, Dst: 127.0.0.30" size="20" pos="0">
3175 <field name="ip.version" showname="0100 .... = Version: 4" size="1" pos="0" show="4" value="4" unmaskedvalue="45"/>
3176 <field name="ip.hdr_len" showname=".... 0101 = Header Length: 20 bytes" size="1" pos="0" show="5" value="5" unmaskedvalue="45"/>
3177 <field name="ip.dsfield" showname="Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)" size="1" pos="1" show="0x00000000" value="00">
3178 <field name="ip.dsfield.dscp" showname="0000 00.. = Differentiated Services Codepoint: Default (0)" size="1" pos="1" show="0" value="0" unmaskedvalue="00"/>
3179 <field name="ip.dsfield.ecn" showname=".... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)" size="1" pos="1" show="0" value="0" unmaskedvalue="00"/>
3180 </field>
3181 <field name="ip.len" showname="Total Length: 196" size="2" pos="2" show="196" value="00c4"/>
3182 <field name="ip.id" showname="Identification: 0xffff (65535)" size="2" pos="4" show="0x0000ffff" value="ffff"/>
<!-- For the three flag bits below, value is the whole flags byte (40), not the masked bit; the bit itself is in show. -->
3183 <field name="ip.flags" showname="Flags: 0x02 (Don&#x27;t Fragment)" size="1" pos="6" show="0x00000002" value="40">
3184 <field name="ip.flags.rb" showname="0... .... = Reserved bit: Not set" size="1" pos="6" show="0" value="40"/>
3185 <field name="ip.flags.df" showname=".1.. .... = Don&#x27;t fragment: Set" size="1" pos="6" show="1" value="40"/>
3186 <field name="ip.flags.mf" showname="..0. .... = More fragments: Not set" size="1" pos="6" show="0" value="40"/>
3187 </field>
3188 <field name="ip.frag_offset" showname="Fragment offset: 0" size="2" pos="6" show="0" value="4000"/>
3189 <field name="ip.ttl" showname="Time to live: 255" size="1" pos="8" show="255" value="ff"/>
3190 <field name="ip.proto" showname="Protocol: TCP (6)" size="1" pos="9" show="6" value="06"/>
3191 <field name="ip.checksum" showname="Header checksum: 0x0000 [validation disabled]" size="2" pos="10" show="0x00000000" value="0000">
3192 <field name="ip.checksum_good" showname="Good: False" size="2" pos="10" show="0" value="0000"/>
3193 <field name="ip.checksum_bad" showname="Bad: False" size="2" pos="10" show="0" value="0000"/>
3194 </field>
3195 <field name="ip.src" showname="Source: 127.0.0.27" size="4" pos="12" show="127.0.0.27" value="7f00001b"/>
3196 <field name="ip.addr" showname="Source or Destination Address: 127.0.0.27" hide="yes" size="4" pos="12" show="127.0.0.27" value="7f00001b"/>
3197 <field name="ip.src_host" showname="Source Host: 127.0.0.27" hide="yes" size="4" pos="12" show="127.0.0.27" value="7f00001b"/>
3198 <field name="ip.host" showname="Source or Destination Host: 127.0.0.27" hide="yes" size="4" pos="12" show="127.0.0.27" value="7f00001b"/>
3199 <field name="ip.dst" showname="Destination: 127.0.0.30" size="4" pos="16" show="127.0.0.30" value="7f00001e"/>
3200 <field name="ip.addr" showname="Source or Destination Address: 127.0.0.30" hide="yes" size="4" pos="16" show="127.0.0.30" value="7f00001e"/>
3201 <field name="ip.dst_host" showname="Destination Host: 127.0.0.30" hide="yes" size="4" pos="16" show="127.0.0.30" value="7f00001e"/>
3202 <field name="ip.host" showname="Source or Destination Host: 127.0.0.30" hide="yes" size="4" pos="16" show="127.0.0.30" value="7f00001e"/>
3203 <field name="" show="Source GeoIP: Unknown" size="4" pos="12" value="7f00001b"/>
3204 <field name="" show="Destination GeoIP: Unknown" size="4" pos="16" value="7f00001e"/>
3205 </proto>
3206 <proto name="tcp" showname="Transmission Control Protocol, Src Port: 17934 (17934), Dst Port: 135 (135), Seq: 73, Ack: 61, Len: 156" size="20" pos="20">
3207 <field name="tcp.srcport" showname="Source Port: 17934" size="2" pos="20" show="17934" value="460e"/>
3208 <field name="tcp.dstport" showname="Destination Port: 135" size="2" pos="22" show="135" value="0087"/>
3209 <field name="tcp.port" showname="Source or Destination Port: 17934" hide="yes" size="2" pos="20" show="17934" value="460e"/>
3210 <field name="tcp.port" showname="Source or Destination Port: 135" hide="yes" size="2" pos="22" show="135" value="0087"/>
3211 <field name="tcp.stream" showname="Stream index: 1183" size="0" pos="20" show="1183"/>
3212 <field name="tcp.len" showname="TCP Segment Len: 156" size="1" pos="32" show="156" value="50"/>
3213 <field name="tcp.seq" showname="Sequence number: 73 (relative sequence number)" size="4" pos="24" show="73" value="00000049"/>
3214 <field name="tcp.nxtseq" showname="Next sequence number: 229 (relative sequence number)" size="0" pos="20" show="229"/>
3215 <field name="tcp.ack" showname="Acknowledgment number: 61 (relative ack number)" size="4" pos="28" show="61" value="0000003d"/>
3216 <field name="tcp.hdr_len" showname="Header Length: 20 bytes" size="1" pos="32" show="20" value="50"/>
3217 <field name="tcp.flags" showname="Flags: 0x018 (PSH, ACK)" size="2" pos="32" show="0x00000018" value="18" unmaskedvalue="5018">
3218 <field name="tcp.flags.res" showname="000. .... .... = Reserved: Not set" size="1" pos="32" show="0" value="0" unmaskedvalue="50"/>
3219 <field name="tcp.flags.ns" showname="...0 .... .... = Nonce: Not set" size="1" pos="32" show="0" value="0" unmaskedvalue="50"/>
3220 <field name="tcp.flags.cwr" showname=".... 0... .... = Congestion Window Reduced (CWR): Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
3221 <field name="tcp.flags.ecn" showname=".... .0.. .... = ECN-Echo: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
3222 <field name="tcp.flags.urg" showname=".... ..0. .... = Urgent: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
3223 <field name="tcp.flags.ack" showname=".... ...1 .... = Acknowledgment: Set" size="1" pos="33" show="1" value="FFFFFFFF" unmaskedvalue="18"/>
3224 <field name="tcp.flags.push" showname=".... .... 1... = Push: Set" size="1" pos="33" show="1" value="FFFFFFFF" unmaskedvalue="18"/>
3225 <field name="tcp.flags.reset" showname=".... .... .0.. = Reset: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
3226 <field name="tcp.flags.syn" showname=".... .... ..0. = Syn: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
3227 <field name="tcp.flags.fin" showname=".... .... ...0 = Fin: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
3228 <field name="tcp.flags.str" showname="TCP Flags: *******AP***" size="2" pos="32" show="*******AP***" value="5018"/>
3229 </field>
3230 <field name="tcp.window_size_value" showname="Window size value: 32767" size="2" pos="34" show="32767" value="7fff"/>
3231 <field name="tcp.window_size" showname="Calculated window size: 32767" size="2" pos="34" show="32767" value="7fff"/>
3232 <field name="tcp.window_size_scalefactor" showname="Window size scaling factor: -2 (no window scaling used)" size="2" pos="34" show="-2" value="7fff"/>
3233 <field name="tcp.checksum" showname="Checksum: 0x0000 [validation disabled]" size="2" pos="36" show="0x00000000" value="0000">
3234 <field name="tcp.checksum_good" showname="Good Checksum: False" size="2" pos="36" show="0" value="0000"/>
3235 <field name="tcp.checksum_bad" showname="Bad Checksum: False" size="2" pos="36" show="0" value="0000"/>
3236 </field>
3237 <field name="tcp.urgent_pointer" showname="Urgent pointer: 0" size="2" pos="38" show="0" value="0000"/>
3238 <field name="tcp.analysis" showname="SEQ/ACK analysis" size="0" pos="20" show="" value="">
3239 <field name="tcp.analysis.acks_frame" showname="This is an ACK to the segment in frame: 50487" size="0" pos="20" show="50487"/>
3240 <field name="tcp.analysis.ack_rtt" showname="The RTT to ACK the segment was: 0.000158000 seconds" size="0" pos="20" show="0.000158000"/>
3241 <field name="tcp.analysis.initial_rtt" showname="iRTT: 0.000013000 seconds" size="0" pos="20" show="0.000013000"/>
3242 <field name="tcp.analysis.bytes_in_flight" showname="Bytes in flight: 156" size="0" pos="20" show="156"/>
3243 </field>
3244 </proto>
<!-- DCE/RPC connection-oriented Request header for the endpoint mapper call that follows.
     First Frag and Last Frag are both set, so the request is a single unfragmented PDU (FragLen 156).
     Auth Length is 0, i.e. the dissection shows no auth verifier attached to this request.
     Call ID 9, context 0, opnum 3; the next proto decodes opnum 3 as epm Map. -->
3245 <proto name="dcerpc" showname="Distributed Computing Environment / Remote Procedure Call (DCE/RPC) Request, Fragment: Single, FragLen: 156, Call: 9, Ctx: 0" size="156" pos="40">
3246 <field name="dcerpc.ver" showname="Version: 5" size="1" pos="40" show="5" value="05"/>
3247 <field name="dcerpc.ver_minor" showname="Version (minor): 0" size="1" pos="41" show="0" value="00"/>
3248 <field name="dcerpc.pkt_type" showname="Packet type: Request (0)" size="1" pos="42" show="0" value="00"/>
3249 <field name="dcerpc.cn_flags" showname="Packet Flags: 0x03" size="1" pos="43" show="0x00000003" value="03">
3250 <field name="dcerpc.cn_flags.object" showname="0... .... = Object: Not set" size="1" pos="43" show="0" value="0" unmaskedvalue="03"/>
3251 <field name="dcerpc.cn_flags.maybe" showname=".0.. .... = Maybe: Not set" size="1" pos="43" show="0" value="0" unmaskedvalue="03"/>
3252 <field name="dcerpc.cn_flags.dne" showname="..0. .... = Did Not Execute: Not set" size="1" pos="43" show="0" value="0" unmaskedvalue="03"/>
3253 <field name="dcerpc.cn_flags.mpx" showname="...0 .... = Multiplex: Not set" size="1" pos="43" show="0" value="0" unmaskedvalue="03"/>
3254 <field name="dcerpc.cn_flags.reserved" showname=".... 0... = Reserved: Not set" size="1" pos="43" show="0" value="0" unmaskedvalue="03"/>
3255 <field name="dcerpc.cn_flags.cancel_pending" showname=".... .0.. = Cancel Pending: Not set" size="1" pos="43" show="0" value="0" unmaskedvalue="03"/>
3256 <field name="dcerpc.cn_flags.last_frag" showname=".... ..1. = Last Frag: Set" size="1" pos="43" show="1" value="FFFFFFFF" unmaskedvalue="03"/>
3257 <field name="dcerpc.cn_flags.first_frag" showname=".... ...1 = First Frag: Set" size="1" pos="43" show="1" value="FFFFFFFF" unmaskedvalue="03"/>
3258 </field>
3259 <field name="dcerpc.drep" showname="Data Representation: 10000000" size="4" pos="44" show="10:00:00:00" value="10000000">
3260 <field name="dcerpc.drep.byteorder" showname="Byte order: Little-endian (1)" size="1" pos="44" show="1" value="10"/>
3261 <field name="dcerpc.drep.character" showname="Character: ASCII (0)" size="1" pos="44" show="0" value="10"/>
3262 <field name="dcerpc.drep.fp" showname="Floating-point: IEEE (0)" size="1" pos="45" show="0" value="00"/>
3263 </field>
3264 <field name="dcerpc.cn_frag_len" showname="Frag Length: 156" size="2" pos="48" show="156" value="9c00"/>
3265 <field name="dcerpc.cn_auth_len" showname="Auth Length: 0" size="2" pos="50" show="0" value="0000"/>
3266 <field name="dcerpc.cn_call_id" showname="Call ID: 9" size="4" pos="52" show="9" value="09000000"/>
3267 <field name="dcerpc.cn_alloc_hint" showname="Alloc hint: 132" size="4" pos="56" show="132" value="84000000"/>
3268 <field name="dcerpc.cn_ctx_id" showname="Context ID: 0" size="2" pos="60" show="0" value="0000"/>
3269 <field name="dcerpc.opnum" showname="Opnum: 3" size="2" pos="62" show="3" value="0300"/>
3270 </proto>
<!-- Endpoint mapper Map request (opnum 3); the enclosing packet is addressed to TCP port 135.
     The tower asks for the RPC_NETLOGON interface (12345678-1234-abcd-ef00-01234567cffb, version 1.00)
     with the 32bit NDR syntax over the connection-oriented RPC protocol on TCP.
     Number of floors is 5 but only four Floor subtrees appear, and epm.proto.ip (pos 167) lies
     past the end of the Floor 4 span (pos 155, size 7).
     NOTE(review): presumably the dissector attaches the IP floor to Floor 4; consumers of this
     fixture should not assume one subtree per floor. Confirm against the dissector.
     The entry handle is all zeros and Max Towers is 1. -->
3271 <proto name="epm" showname="DCE/RPC Endpoint Mapper, Map" size="132" pos="64">
3272 <field name="epm.opnum" showname="Operation: Map (3)" size="0" pos="64" show="3"/>
3273 <field name="" show="UUID pointer:" size="20" pos="64" value="01000000785634123412cdabef0001234567cffb">
3274 <field name="dcerpc.referent_id" showname="Referent ID: 0x00000001" size="4" pos="64" show="0x00000001" value="01000000"/>
3275 <field name="epm.uuid" showname="UUID: 12345678-1234-abcd-ef00-01234567cffb" size="16" pos="68" show="12345678-1234-abcd-ef00-01234567cffb" value="785634123412cdabef0001234567cffb"/>
3276 </field>
3277 <field name="" show="Tower pointer:" size="87" pos="84" value="020000004b0000004b000000050013000d785634123412cdabef0001234567cffb01000200000013000d045d888aeb1cc9119fe808002b10486002000200000001000b0200000001000702000087010009040000000000">
3278 <field name="dcerpc.referent_id" showname="Referent ID: 0x00000002" size="4" pos="84" show="0x00000002" value="02000000"/>
3279 <field name="epm.tower.len" showname="Length: 75" size="4" pos="88" show="75" value="4b000000"/>
3280 <field name="epm.tower.len" showname="Length: 75" size="4" pos="92" show="75" value="4b000000"/>
3281 <field name="epm.tower.num_floors" showname="Number of floors: 5" size="2" pos="96" show="5" value="0500"/>
3282 <field name="" show="Floor 1 UUID: RPC_NETLOGON" size="25" pos="98" value="13000d785634123412cdabef0001234567cffb010002000000">
3283 <field name="epm.tower.lhs.len" showname="LHS Length: 19" size="2" pos="98" show="19" value="1300"/>
3284 <field name="epm.tower.proto_id" showname="Protocol: UUID (0x0d)" size="1" pos="100" show="0x0000000d" value="0d"/>
3285 <field name="epm.uuid" showname="UUID: RPC_NETLOGON (12345678-1234-abcd-ef00-01234567cffb)" size="16" pos="101" show="12345678-1234-abcd-ef00-01234567cffb" value="785634123412cdabef0001234567cffb"/>
3286 <field name="epm.uuid_version" showname="Version: 1.00" size="2" pos="117" show="256" value="0100"/>
3287 <field name="epm.tower.rhs.len" showname="RHS Length: 2" size="2" pos="119" show="2" value="0200"/>
3288 <field name="epm.ver_min" showname="Version Minor: 0" size="2" pos="121" show="0" value="0000"/>
3289 </field>
3290 <field name="" show="Floor 2 UUID: 32bit NDR" size="25" pos="123" value="13000d045d888aeb1cc9119fe808002b104860020002000000">
3291 <field name="epm.tower.lhs.len" showname="LHS Length: 19" size="2" pos="123" show="19" value="1300"/>
3292 <field name="epm.tower.proto_id" showname="Protocol: UUID (0x0d)" size="1" pos="125" show="0x0000000d" value="0d"/>
3293 <field name="epm.uuid" showname="UUID: 32bit NDR (8a885d04-1ceb-11c9-9fe8-08002b104860)" size="16" pos="126" show="8a885d04-1ceb-11c9-9fe8-08002b104860" value="045d888aeb1cc9119fe808002b104860"/>
3294 <field name="epm.uuid_version" showname="Version: 2.00" size="2" pos="142" show="512" value="0200"/>
3295 <field name="epm.tower.rhs.len" showname="RHS Length: 2" size="2" pos="144" show="2" value="0200"/>
3296 <field name="epm.ver_min" showname="Version Minor: 0" size="2" pos="146" show="0" value="0000"/>
3297 </field>
3298 <field name="" show="Floor 3 RPC connection-oriented protocol" size="7" pos="148" value="01000b02000000">
3299 <field name="epm.tower.lhs.len" showname="LHS Length: 1" size="2" pos="148" show="1" value="0100"/>
3300 <field name="epm.tower.proto_id" showname="Protocol: RPC connection-oriented protocol (0x0b)" size="1" pos="150" show="0x0000000b" value="0b"/>
3301 <field name="epm.tower.rhs.len" showname="RHS Length: 2" size="2" pos="151" show="2" value="0200"/>
3302 </field>
3303 <field name="" show="Floor 4 TCP Port:135" size="7" pos="155" value="01000702000087">
3304 <field name="epm.tower.lhs.len" showname="LHS Length: 1" size="2" pos="155" show="1" value="0100"/>
3305 <field name="epm.tower.proto_id" showname="Protocol: DOD TCP (0x07)" size="1" pos="157" show="0x00000007" value="07"/>
3306 <field name="epm.tower.rhs.len" showname="RHS Length: 2" size="2" pos="158" show="2" value="0200"/>
3307 <field name="epm.proto.ip" showname="IP: 0.0.0.0" size="4" pos="167" show="0.0.0.0" value="00000000"/>
3308 </field>
3309 </field>
3310 <field name="epm.hnd" showname="Handle: 0000000000000000000000000000000000000000" size="20" pos="172" show="00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00" value="0000000000000000000000000000000000000000"/>
3311 <field name="epm.max_towers" showname="Max Towers: 1" size="4" pos="192" show="1" value="01000000"/>
3312 </proto>
3313 </packet>
3315 <packet>
3316 <proto name="geninfo" pos="0" showname="General information" size="172">
3317 <field name="num" pos="0" show="50520" showname="Number" value="c558" size="172"/>
3318 <field name="len" pos="0" show="172" showname="Frame Length" value="ac" size="172"/>
3319 <field name="caplen" pos="0" show="172" showname="Captured Length" value="ac" size="172"/>
3320 <field name="timestamp" pos="0" show="Feb 10, 2017 14:37:59.854842000 NZDT" showname="Captured Time" value="1486690679.854842000" size="172"/>
3321 </proto>
3322 <proto name="frame" showname="Frame 50520: 172 bytes on wire (1376 bits), 172 bytes captured (1376 bits)" size="172" pos="0">
3323 <field name="frame.encap_type" showname="Encapsulation type: Raw IP (7)" size="0" pos="0" show="7"/>
3324 <field name="frame.time" showname="Arrival Time: Feb 10, 2017 14:37:59.854842000 NZDT" size="0" pos="0" show="Feb 10, 2017 14:37:59.854842000 NZDT"/>
3325 <field name="frame.offset_shift" showname="Time shift for this packet: 0.000000000 seconds" size="0" pos="0" show="0.000000000"/>
3326 <field name="frame.time_epoch" showname="Epoch Time: 1486690679.854842000 seconds" size="0" pos="0" show="1486690679.854842000"/>
3327 <field name="frame.time_delta" showname="Time delta from previous captured frame: 0.000094000 seconds" size="0" pos="0" show="0.000094000"/>
3328 <field name="frame.time_delta_displayed" showname="Time delta from previous displayed frame: 0.000094000 seconds" size="0" pos="0" show="0.000094000"/>
3329 <field name="frame.time_relative" showname="Time since reference or first frame: 103.324391000 seconds" size="0" pos="0" show="103.324391000"/>
3330 <field name="frame.number" showname="Frame Number: 50520" size="0" pos="0" show="50520"/>
3331 <field name="frame.len" showname="Frame Length: 172 bytes (1376 bits)" size="0" pos="0" show="172"/>
3332 <field name="frame.cap_len" showname="Capture Length: 172 bytes (1376 bits)" size="0" pos="0" show="172"/>
3333 <field name="frame.marked" showname="Frame is marked: False" size="0" pos="0" show="0"/>
3334 <field name="frame.ignored" showname="Frame is ignored: False" size="0" pos="0" show="0"/>
3335 <field name="frame.protocols" showname="Protocols in frame: raw:ip:tcp:dcerpc" size="0" pos="0" show="raw:ip:tcp:dcerpc"/>
3336 </proto>
3337 <proto name="raw" showname="Raw packet data" size="172" pos="0"/>
3338 <proto name="ip" showname="Internet Protocol Version 4, Src: 127.0.0.27, Dst: 127.0.0.30" size="20" pos="0">
3339 <field name="ip.version" showname="0100 .... = Version: 4" size="1" pos="0" show="4" value="4" unmaskedvalue="45"/>
3340 <field name="ip.hdr_len" showname=".... 0101 = Header Length: 20 bytes" size="1" pos="0" show="5" value="5" unmaskedvalue="45"/>
3341 <field name="ip.dsfield" showname="Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)" size="1" pos="1" show="0x00000000" value="00">
3342 <field name="ip.dsfield.dscp" showname="0000 00.. = Differentiated Services Codepoint: Default (0)" size="1" pos="1" show="0" value="0" unmaskedvalue="00"/>
3343 <field name="ip.dsfield.ecn" showname=".... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)" size="1" pos="1" show="0" value="0" unmaskedvalue="00"/>
3344 </field>
3345 <field name="ip.len" showname="Total Length: 172" size="2" pos="2" show="172" value="00ac"/>
3346 <field name="ip.id" showname="Identification: 0xffff (65535)" size="2" pos="4" show="0x0000ffff" value="ffff"/>
3347 <field name="ip.flags" showname="Flags: 0x02 (Don&#x27;t Fragment)" size="1" pos="6" show="0x00000002" value="40">
3348 <field name="ip.flags.rb" showname="0... .... = Reserved bit: Not set" size="1" pos="6" show="0" value="40"/>
3349 <field name="ip.flags.df" showname=".1.. .... = Don&#x27;t fragment: Set" size="1" pos="6" show="1" value="40"/>
3350 <field name="ip.flags.mf" showname="..0. .... = More fragments: Not set" size="1" pos="6" show="0" value="40"/>
3351 </field>
3352 <field name="ip.frag_offset" showname="Fragment offset: 0" size="2" pos="6" show="0" value="4000"/>
3353 <field name="ip.ttl" showname="Time to live: 255" size="1" pos="8" show="255" value="ff"/>
3354 <field name="ip.proto" showname="Protocol: TCP (6)" size="1" pos="9" show="6" value="06"/>
3355 <field name="ip.checksum" showname="Header checksum: 0x0000 [validation disabled]" size="2" pos="10" show="0x00000000" value="0000">
3356 <field name="ip.checksum_good" showname="Good: False" size="2" pos="10" show="0" value="0000"/>
3357 <field name="ip.checksum_bad" showname="Bad: False" size="2" pos="10" show="0" value="0000"/>
3358 </field>
3359 <field name="ip.src" showname="Source: 127.0.0.27" size="4" pos="12" show="127.0.0.27" value="7f00001b"/>
3360 <field name="ip.addr" showname="Source or Destination Address: 127.0.0.27" hide="yes" size="4" pos="12" show="127.0.0.27" value="7f00001b"/>
3361 <field name="ip.src_host" showname="Source Host: 127.0.0.27" hide="yes" size="4" pos="12" show="127.0.0.27" value="7f00001b"/>
3362 <field name="ip.host" showname="Source or Destination Host: 127.0.0.27" hide="yes" size="4" pos="12" show="127.0.0.27" value="7f00001b"/>
3363 <field name="ip.dst" showname="Destination: 127.0.0.30" size="4" pos="16" show="127.0.0.30" value="7f00001e"/>
3364 <field name="ip.addr" showname="Source or Destination Address: 127.0.0.30" hide="yes" size="4" pos="16" show="127.0.0.30" value="7f00001e"/>
3365 <field name="ip.dst_host" showname="Destination Host: 127.0.0.30" hide="yes" size="4" pos="16" show="127.0.0.30" value="7f00001e"/>
3366 <field name="ip.host" showname="Source or Destination Host: 127.0.0.30" hide="yes" size="4" pos="16" show="127.0.0.30" value="7f00001e"/>
3367 <field name="" show="Source GeoIP: Unknown" size="4" pos="12" value="7f00001b"/>
3368 <field name="" show="Destination GeoIP: Unknown" size="4" pos="16" value="7f00001e"/>
3369 </proto>
3370 <proto name="tcp" showname="Transmission Control Protocol, Src Port: 17935 (17935), Dst Port: 1026 (1026), Seq: 73, Ack: 61, Len: 132" size="20" pos="20">
3371 <field name="tcp.srcport" showname="Source Port: 17935" size="2" pos="20" show="17935" value="460f"/>
3372 <field name="tcp.dstport" showname="Destination Port: 1026" size="2" pos="22" show="1026" value="0402"/>
3373 <field name="tcp.port" showname="Source or Destination Port: 17935" hide="yes" size="2" pos="20" show="17935" value="460f"/>
3374 <field name="tcp.port" showname="Source or Destination Port: 1026" hide="yes" size="2" pos="22" show="1026" value="0402"/>
3375 <field name="tcp.stream" showname="Stream index: 1184" size="0" pos="20" show="1184"/>
3376 <field name="tcp.len" showname="TCP Segment Len: 132" size="1" pos="32" show="132" value="50"/>
3377 <field name="tcp.seq" showname="Sequence number: 73 (relative sequence number)" size="4" pos="24" show="73" value="00000049"/>
3378 <field name="tcp.nxtseq" showname="Next sequence number: 205 (relative sequence number)" size="0" pos="20" show="205"/>
3379 <field name="tcp.ack" showname="Acknowledgment number: 61 (relative ack number)" size="4" pos="28" show="61" value="0000003d"/>
3380 <field name="tcp.hdr_len" showname="Header Length: 20 bytes" size="1" pos="32" show="20" value="50"/>
3381 <field name="tcp.flags" showname="Flags: 0x018 (PSH, ACK)" size="2" pos="32" show="0x00000018" value="18" unmaskedvalue="5018">
3382 <field name="tcp.flags.res" showname="000. .... .... = Reserved: Not set" size="1" pos="32" show="0" value="0" unmaskedvalue="50"/>
3383 <field name="tcp.flags.ns" showname="...0 .... .... = Nonce: Not set" size="1" pos="32" show="0" value="0" unmaskedvalue="50"/>
3384 <field name="tcp.flags.cwr" showname=".... 0... .... = Congestion Window Reduced (CWR): Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
3385 <field name="tcp.flags.ecn" showname=".... .0.. .... = ECN-Echo: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
3386 <field name="tcp.flags.urg" showname=".... ..0. .... = Urgent: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
3387 <field name="tcp.flags.ack" showname=".... ...1 .... = Acknowledgment: Set" size="1" pos="33" show="1" value="FFFFFFFF" unmaskedvalue="18"/>
3388 <field name="tcp.flags.push" showname=".... .... 1... = Push: Set" size="1" pos="33" show="1" value="FFFFFFFF" unmaskedvalue="18"/>
3389 <field name="tcp.flags.reset" showname=".... .... .0.. = Reset: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
3390 <field name="tcp.flags.syn" showname=".... .... ..0. = Syn: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
3391 <field name="tcp.flags.fin" showname=".... .... ...0 = Fin: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
3392 <field name="tcp.flags.str" showname="TCP Flags: *******AP***" size="2" pos="32" show="*******AP***" value="5018"/>
3393 </field>
3394 <field name="tcp.window_size_value" showname="Window size value: 32767" size="2" pos="34" show="32767" value="7fff"/>
3395 <field name="tcp.window_size" showname="Calculated window size: 32767" size="2" pos="34" show="32767" value="7fff"/>
3396 <field name="tcp.window_size_scalefactor" showname="Window size scaling factor: -2 (no window scaling used)" size="2" pos="34" show="-2" value="7fff"/>
3397 <field name="tcp.checksum" showname="Checksum: 0x0000 [validation disabled]" size="2" pos="36" show="0x00000000" value="0000">
3398 <field name="tcp.checksum_good" showname="Good Checksum: False" size="2" pos="36" show="0" value="0000"/>
3399 <field name="tcp.checksum_bad" showname="Bad Checksum: False" size="2" pos="36" show="0" value="0000"/>
3400 </field>
3401 <field name="tcp.urgent_pointer" showname="Urgent pointer: 0" size="2" pos="38" show="0" value="0000"/>
3402 <field name="tcp.analysis" showname="SEQ/ACK analysis" size="0" pos="20" show="" value="">
3403 <field name="tcp.analysis.acks_frame" showname="This is an ACK to the segment in frame: 50516" size="0" pos="20" show="50516"/>
3404 <field name="tcp.analysis.ack_rtt" showname="The RTT to ACK the segment was: 0.000138000 seconds" size="0" pos="20" show="0.000138000"/>
3405 <field name="tcp.analysis.initial_rtt" showname="iRTT: 0.000011000 seconds" size="0" pos="20" show="0.000011000"/>
3406 <field name="tcp.analysis.bytes_in_flight" showname="Bytes in flight: 132" size="0" pos="20" show="132"/>
3407 </field>
3408 </proto>
<!-- DCE/RPC connection-oriented Request header for the Netlogon call that follows,
     sent from 127.0.0.27 to 127.0.0.30 on TCP destination port 1026.
     First Frag and Last Frag are both set, so the request is a single unfragmented PDU (FragLen 132).
     Auth Length is 0, i.e. the dissection shows no auth verifier attached to this request.
     Call ID 11, context 0, opnum 4; the next proto decodes opnum 4 as NetrServerReqChallenge. -->
3409 <proto name="dcerpc" showname="Distributed Computing Environment / Remote Procedure Call (DCE/RPC) Request, Fragment: Single, FragLen: 132, Call: 11, Ctx: 0" size="132" pos="40">
3410 <field name="dcerpc.ver" showname="Version: 5" size="1" pos="40" show="5" value="05"/>
3411 <field name="dcerpc.ver_minor" showname="Version (minor): 0" size="1" pos="41" show="0" value="00"/>
3412 <field name="dcerpc.pkt_type" showname="Packet type: Request (0)" size="1" pos="42" show="0" value="00"/>
3413 <field name="dcerpc.cn_flags" showname="Packet Flags: 0x03" size="1" pos="43" show="0x00000003" value="03">
3414 <field name="dcerpc.cn_flags.object" showname="0... .... = Object: Not set" size="1" pos="43" show="0" value="0" unmaskedvalue="03"/>
3415 <field name="dcerpc.cn_flags.maybe" showname=".0.. .... = Maybe: Not set" size="1" pos="43" show="0" value="0" unmaskedvalue="03"/>
3416 <field name="dcerpc.cn_flags.dne" showname="..0. .... = Did Not Execute: Not set" size="1" pos="43" show="0" value="0" unmaskedvalue="03"/>
3417 <field name="dcerpc.cn_flags.mpx" showname="...0 .... = Multiplex: Not set" size="1" pos="43" show="0" value="0" unmaskedvalue="03"/>
3418 <field name="dcerpc.cn_flags.reserved" showname=".... 0... = Reserved: Not set" size="1" pos="43" show="0" value="0" unmaskedvalue="03"/>
3419 <field name="dcerpc.cn_flags.cancel_pending" showname=".... .0.. = Cancel Pending: Not set" size="1" pos="43" show="0" value="0" unmaskedvalue="03"/>
3420 <field name="dcerpc.cn_flags.last_frag" showname=".... ..1. = Last Frag: Set" size="1" pos="43" show="1" value="FFFFFFFF" unmaskedvalue="03"/>
3421 <field name="dcerpc.cn_flags.first_frag" showname=".... ...1 = First Frag: Set" size="1" pos="43" show="1" value="FFFFFFFF" unmaskedvalue="03"/>
3422 </field>
3423 <field name="dcerpc.drep" showname="Data Representation: 10000000" size="4" pos="44" show="10:00:00:00" value="10000000">
3424 <field name="dcerpc.drep.byteorder" showname="Byte order: Little-endian (1)" size="1" pos="44" show="1" value="10"/>
3425 <field name="dcerpc.drep.character" showname="Character: ASCII (0)" size="1" pos="44" show="0" value="10"/>
3426 <field name="dcerpc.drep.fp" showname="Floating-point: IEEE (0)" size="1" pos="45" show="0" value="00"/>
3427 </field>
3428 <field name="dcerpc.cn_frag_len" showname="Frag Length: 132" size="2" pos="48" show="132" value="8400"/>
3429 <field name="dcerpc.cn_auth_len" showname="Auth Length: 0" size="2" pos="50" show="0" value="0000"/>
3430 <field name="dcerpc.cn_call_id" showname="Call ID: 11" size="4" pos="52" show="11" value="0b000000"/>
3431 <field name="dcerpc.cn_alloc_hint" showname="Alloc hint: 108" size="4" pos="56" show="108" value="6c000000"/>
3432 <field name="dcerpc.cn_ctx_id" showname="Context ID: 0" size="2" pos="60" show="0" value="0000"/>
3433 <field name="dcerpc.opnum" showname="Opnum: 4" size="2" pos="62" show="4" value="0400"/>
3434 </proto>
<!-- Netlogon NetrServerReqChallenge (opnum 4): computer name DC7 addressing the server handle
     \\addc.addom.samba.example.com and supplying an 8-byte Client Challenge.
     The DCE/RPC header of this packet shows Auth Length 0, so the request carries no auth verifier.
     NOTE(review): this call is understood to open Netlogon secure channel setup, which would make
     an unauthenticated request expected here; confirm against the protocol specification.
     Both endpoints are 127.0.0.x loopback addresses and the names sit under example.com, so the
     challenge and host names are test-capture fixture values rather than production data. -->
3435 <proto name="rpc_netlogon" showname="Microsoft Network Logon, NetrServerReqChallenge" size="108" pos="64">
3436 <field name="netlogon.opnum" showname="Operation: NetrServerReqChallenge (4)" size="0" pos="64" show="4"/>
3437 <field name="" show="Server Handle: \\addc.addom.samba.example.com" size="78" pos="64" value="000002001f000000000000001f0000005c005c0061006400640063002e006100640064006f006d002e00730061006d00620061002e006500780061006d0070006c0065002e0063006f006d000000">
3438 <field name="dcerpc.referent_id" showname="Referent ID: 0x00020000" size="4" pos="64" show="0x00020000" value="00000200"/>
3439 <field name="dcerpc.array.max_count" showname="Max Count: 31" size="4" pos="68" show="31" value="1f000000"/>
3440 <field name="dcerpc.array.offset" showname="Offset: 0" size="4" pos="72" show="0" value="00000000"/>
3441 <field name="dcerpc.array.actual_count" showname="Actual Count: 31" size="4" pos="76" show="31" value="1f000000"/>
3442 <field name="netlogon.handle" showname="Handle: \\addc.addom.samba.example.com" size="62" pos="80" show="\\addc.addom.samba.example.com" value="5c005c0061006400640063002e006100640064006f006d002e00730061006d00620061002e006500780061006d0070006c0065002e0063006f006d000000"/>
3443 </field>
3444 <field name="" show="Computer Name: DC7" size="22" pos="142" value="00000400000000000000040000004400430037000000">
3445 <field name="dcerpc.array.max_count" showname="Max Count: 4" size="4" pos="144" show="4" value="04000000"/>
3446 <field name="dcerpc.array.offset" showname="Offset: 0" size="4" pos="148" show="0" value="00000000"/>
3447 <field name="dcerpc.array.actual_count" showname="Actual Count: 4" size="4" pos="152" show="4" value="04000000"/>
3448 <field name="netlogon.computer_name" showname="Computer Name: DC7" size="8" pos="156" show="DC7" value="4400430037000000"/>
3449 </field>
3450 <field name="netlogon.clientchallenge" showname="Client Challenge: 8dcc6ac9d5c32b44" size="8" pos="164" show="8d:cc:6a:c9:d5:c3:2b:44" value="8dcc6ac9d5c32b44"/>
3451 </proto>
3452 </packet>
3454 <packet>
3455 <proto name="geninfo" pos="0" showname="General information" size="133">
3456 <field name="num" pos="0" show="685" showname="Number" value="2ad" size="133"/>
3457 <field name="len" pos="0" show="133" showname="Frame Length" value="85" size="133"/>
3458 <field name="caplen" pos="0" show="133" showname="Captured Length" value="85" size="133"/>
3459 <field name="timestamp" pos="0" show="Feb 16, 2017 11:26:26.858394000 NZDT" showname="Captured Time" value="1487197586.858394000" size="133"/>
3460 </proto>
3461 <proto name="frame" showname="Frame 685: 133 bytes on wire (1064 bits), 133 bytes captured (1064 bits)" size="133" pos="0">
3462 <field name="frame.encap_type" showname="Encapsulation type: Raw IP (7)" size="0" pos="0" show="7"/>
3463 <field name="frame.time" showname="Arrival Time: Feb 16, 2017 11:26:26.858394000 NZDT" size="0" pos="0" show="Feb 16, 2017 11:26:26.858394000 NZDT"/>
3464 <field name="frame.offset_shift" showname="Time shift for this packet: 0.000000000 seconds" size="0" pos="0" show="0.000000000"/>
3465 <field name="frame.time_epoch" showname="Epoch Time: 1487197586.858394000 seconds" size="0" pos="0" show="1487197586.858394000"/>
3466 <field name="frame.time_delta" showname="Time delta from previous captured frame: 0.000149000 seconds" size="0" pos="0" show="0.000149000"/>
3467 <field name="frame.time_delta_displayed" showname="Time delta from previous displayed frame: 0.000149000 seconds" size="0" pos="0" show="0.000149000"/>
3468 <field name="frame.time_relative" showname="Time since reference or first frame: 30.699100000 seconds" size="0" pos="0" show="30.699100000"/>
3469 <field name="frame.number" showname="Frame Number: 685" size="0" pos="0" show="685"/>
3470 <field name="frame.len" showname="Frame Length: 133 bytes (1064 bits)" size="0" pos="0" show="133"/>
3471 <field name="frame.cap_len" showname="Capture Length: 133 bytes (1064 bits)" size="0" pos="0" show="133"/>
3472 <field name="frame.marked" showname="Frame is marked: False" size="0" pos="0" show="0"/>
3473 <field name="frame.ignored" showname="Frame is ignored: False" size="0" pos="0" show="0"/>
3474 <field name="frame.protocols" showname="Protocols in frame: raw:ip:udp:cldap" size="0" pos="0" show="raw:ip:udp:cldap"/>
3475 </proto>
3476 <proto name="raw" showname="Raw packet data" size="133" pos="0"/>
<!-- ip: IPv4 header, 127.0.0.26 to 127.0.0.30 (both inside 127.0.0.0/8), protocol UDP (17), total length 133.
     The header checksum is 0x0000 and was not validated, so checksum_good and checksum_bad are both False.
     show and value are not interchangeable: ip.flags has show 0x00000002 (decoded flag bits) but value 40 (the raw byte).
     Fields marked hide="yes" repeat the addresses under alias names; the two name="" fields carry only GeoIP summary text. -->
3477 <proto name="ip" showname="Internet Protocol Version 4, Src: 127.0.0.26, Dst: 127.0.0.30" size="20" pos="0">
3478 <field name="ip.version" showname="0100 .... = Version: 4" size="1" pos="0" show="4" value="4" unmaskedvalue="45"/>
3479 <field name="ip.hdr_len" showname=".... 0101 = Header Length: 20 bytes" size="1" pos="0" show="5" value="5" unmaskedvalue="45"/>
3480 <field name="ip.dsfield" showname="Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)" size="1" pos="1" show="0x00000000" value="00">
3481 <field name="ip.dsfield.dscp" showname="0000 00.. = Differentiated Services Codepoint: Default (0)" size="1" pos="1" show="0" value="0" unmaskedvalue="00"/>
3482 <field name="ip.dsfield.ecn" showname=".... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)" size="1" pos="1" show="0" value="0" unmaskedvalue="00"/>
3483 </field>
3484 <field name="ip.len" showname="Total Length: 133" size="2" pos="2" show="133" value="0085"/>
3485 <field name="ip.id" showname="Identification: 0xffff (65535)" size="2" pos="4" show="0x0000ffff" value="ffff"/>
3486 <field name="ip.flags" showname="Flags: 0x02 (Don&#x27;t Fragment)" size="1" pos="6" show="0x00000002" value="40">
3487 <field name="ip.flags.rb" showname="0... .... = Reserved bit: Not set" size="1" pos="6" show="0" value="40"/>
3488 <field name="ip.flags.df" showname=".1.. .... = Don&#x27;t fragment: Set" size="1" pos="6" show="1" value="40"/>
3489 <field name="ip.flags.mf" showname="..0. .... = More fragments: Not set" size="1" pos="6" show="0" value="40"/>
3490 </field>
3491 <field name="ip.frag_offset" showname="Fragment offset: 0" size="2" pos="6" show="0" value="4000"/>
3492 <field name="ip.ttl" showname="Time to live: 255" size="1" pos="8" show="255" value="ff"/>
3493 <field name="ip.proto" showname="Protocol: UDP (17)" size="1" pos="9" show="17" value="11"/>
3494 <field name="ip.checksum" showname="Header checksum: 0x0000 [validation disabled]" size="2" pos="10" show="0x00000000" value="0000">
3495 <field name="ip.checksum_good" showname="Good: False" size="2" pos="10" show="0" value="0000"/>
3496 <field name="ip.checksum_bad" showname="Bad: False" size="2" pos="10" show="0" value="0000"/>
3497 </field>
3498 <field name="ip.src" showname="Source: 127.0.0.26" size="4" pos="12" show="127.0.0.26" value="7f00001a"/>
3499 <field name="ip.addr" showname="Source or Destination Address: 127.0.0.26" hide="yes" size="4" pos="12" show="127.0.0.26" value="7f00001a"/>
3500 <field name="ip.src_host" showname="Source Host: 127.0.0.26" hide="yes" size="4" pos="12" show="127.0.0.26" value="7f00001a"/>
3501 <field name="ip.host" showname="Source or Destination Host: 127.0.0.26" hide="yes" size="4" pos="12" show="127.0.0.26" value="7f00001a"/>
3502 <field name="ip.dst" showname="Destination: 127.0.0.30" size="4" pos="16" show="127.0.0.30" value="7f00001e"/>
3503 <field name="ip.addr" showname="Source or Destination Address: 127.0.0.30" hide="yes" size="4" pos="16" show="127.0.0.30" value="7f00001e"/>
3504 <field name="ip.dst_host" showname="Destination Host: 127.0.0.30" hide="yes" size="4" pos="16" show="127.0.0.30" value="7f00001e"/>
3505 <field name="ip.host" showname="Source or Destination Host: 127.0.0.30" hide="yes" size="4" pos="16" show="127.0.0.30" value="7f00001e"/>
3506 <field name="" show="Source GeoIP: Unknown" size="4" pos="12" value="7f00001a"/>
3507 <field name="" show="Destination GeoIP: Unknown" size="4" pos="16" value="7f00001e"/>
3508 </proto>
<!-- udp: source port 31981 to destination port 389, length 113, stream index 66.
     The checksum field is 0x0000 (none), so checksum_good and checksum_bad are both False.
     udp.port appears twice with hide="yes", once per port, as a generic alias. -->
3509 <proto name="udp" showname="User Datagram Protocol, Src Port: 31981 (31981), Dst Port: 389 (389)" size="8" pos="20">
3510 <field name="udp.srcport" showname="Source Port: 31981" size="2" pos="20" show="31981" value="7ced"/>
3511 <field name="udp.dstport" showname="Destination Port: 389" size="2" pos="22" show="389" value="0185"/>
3512 <field name="udp.port" showname="Source or Destination Port: 31981" hide="yes" size="2" pos="20" show="31981" value="7ced"/>
3513 <field name="udp.port" showname="Source or Destination Port: 389" hide="yes" size="2" pos="22" show="389" value="0185"/>
3514 <field name="udp.length" showname="Length: 113" size="2" pos="24" show="113" value="0071"/>
3515 <field name="udp.checksum" showname="Checksum: 0x0000 (none)" size="2" pos="26" show="0x00000000" value="0000">
3516 <field name="udp.checksum_good" showname="Good Checksum: False" size="2" pos="26" show="0" value="0000"/>
3517 <field name="udp.checksum_bad" showname="Bad Checksum: False" size="2" pos="26" show="0" value="0000"/>
3518 </field>
3519 <field name="udp.stream" showname="Stream index: 66" size="0" pos="28" show="66"/>
3520 </proto>
<!-- cldap: LDAP searchRequest (messageID 20287) with an empty baseObject, scope baseObject, sizeLimit 0 and timeLimit 0,
     asking for the single attribute NetLogon.
     The filter is an AND of three equalityMatch items: NtVer=0x00000006, DnsDomain=addom.samba.example.com and AAC=00:00:00:00.
     In the NtVer item the assertion value is dissected as mscldap.ntver.flags (V5 and V5EX set) instead of ldap.assertionValue,
     so a consumer that looks only for ldap.assertionValue will see two values, not three.
     Fields with name="" hold only summary text in show plus the raw bytes in value; field names use the ldap. prefix
     even though the proto is named cldap. -->
3521 <proto name="cldap" showname="Connectionless Lightweight Directory Access Protocol" size="105" pos="28">
3522 <field name="ldap.LDAPMessage_element" showname="LDAPMessage searchRequest(20287) &quot;&lt;ROOT&gt;&quot; baseObject" size="105" pos="28" show="" value="">
3523 <field name="ldap.messageID" showname="messageID: 20287" size="2" pos="32" show="20287" value="4f3f"/>
3524 <field name="ldap.protocolOp" showname="protocolOp: searchRequest (3)" size="99" pos="34" show="3" value="636104000a01000a0100020100020100010100a042a30d04054e74566572040406000000a3240409446e73446f6d61696e04176164646f6d2e73616d62612e6578616d706c652e636f6da30b0403414143040400000000300a04084e65744c6f676f6e">
3525 <field name="ldap.searchRequest_element" showname="searchRequest" size="97" pos="36" show="" value="">
3526 <field name="ldap.baseObject" showname="baseObject: " size="0" pos="38" show=""/>
3527 <field name="ldap.scope" showname="scope: baseObject (0)" size="1" pos="40" show="0" value="00"/>
3528 <field name="ldap.derefAliases" showname="derefAliases: neverDerefAliases (0)" size="1" pos="43" show="0" value="00"/>
3529 <field name="ldap.sizeLimit" showname="sizeLimit: 0" size="1" pos="46" show="0" value="00"/>
3530 <field name="ldap.timeLimit" showname="timeLimit: 0" size="1" pos="49" show="0" value="00"/>
3531 <field name="ldap.typesOnly" showname="typesOnly: False" size="1" pos="52" show="0" value="00"/>
3532 <field name="" show="Filter: (&amp;(&amp;(NtVer=0x00000006)(DnsDomain=addom.samba.example.com))(AAC=00:00:00:00))" size="68" pos="53" value="a042a30d04054e74566572040406000000a3240409446e73446f6d61696e04176164646f6d2e73616d62612e6578616d706c652e636f6da30b0403414143040400000000">
3533 <field name="ldap.filter" showname="filter: and (0)" size="66" pos="55" show="0" value="a30d04054e74566572040406000000a3240409446e73446f6d61696e04176164646f6d2e73616d62612e6578616d706c652e636f6da30b0403414143040400000000">
3534 <field name="" show="and: (&amp;(&amp;(NtVer=0x00000006)(DnsDomain=addom.samba.example.com))(AAC=00:00:00:00))" size="66" pos="55" value="a30d04054e74566572040406000000a3240409446e73446f6d61696e04176164646f6d2e73616d62612e6578616d706c652e636f6da30b0403414143040400000000">
3535 <field name="ldap.and" showname="and: 3 items" size="66" pos="55" show="3" value="a30d04054e74566572040406000000a3240409446e73446f6d61696e04176164646f6d2e73616d62612e6578616d706c652e636f6da30b0403414143040400000000">
3536 <field name="" show="Filter: (NtVer=0x00000006)" size="15" pos="55" value="a30d04054e74566572040406000000">
3537 <field name="ldap.and_item" showname="and item: equalityMatch (3)" size="13" pos="57" show="3" value="04054e74566572040406000000">
3538 <field name="ldap.equalityMatch_element" showname="equalityMatch" size="13" pos="57" show="" value="">
3539 <field name="ldap.attributeDesc" showname="attributeDesc: NtVer" size="5" pos="59" show="NtVer" value="4e74566572"/>
3540 <field name="mscldap.ntver.flags" showname="Version Flags: 0x00000006, V5: Client requested version 5 netlogon response, V5EX: Client requested version 5 extended netlogon response" size="4" pos="66" show="0x00000006" value="06000000">
3541 <field name="mscldap.ntver.searchflags.v1" showname=".... .... .... .... .... .... .... ...0 = V1: Version 1 netlogon response not requested" size="4" pos="66" show="0" value="0" unmaskedvalue="06000000"/>
3542 <field name="mscldap.ntver.searchflags.v5" showname=".... .... .... .... .... .... .... ..1. = V5: Client requested version 5 netlogon response" size="4" pos="66" show="1" value="FFFFFFFF" unmaskedvalue="06000000"/>
3543 <field name="mscldap.ntver.searchflags.v5ex" showname=".... .... .... .... .... .... .... .1.. = V5EX: Client requested version 5 extended netlogon response" size="4" pos="66" show="1" value="FFFFFFFF" unmaskedvalue="06000000"/>
3544 <field name="mscldap.ntver.searchflags.v5ep" showname=".... .... .... .... .... .... .... 0... = V5EP: IP address of server not requested" size="4" pos="66" show="0" value="0" unmaskedvalue="06000000"/>
3545 <field name="mscldap.ntver.searchflags.vcs" showname=".... .... .... .... .... .... ...0 .... = VCS: Closest site information not requested" size="4" pos="66" show="0" value="0" unmaskedvalue="06000000"/>
3546 <field name="mscldap.ntver.searchflags.vnt4" showname=".... ...0 .... .... .... .... .... .... = VNT4: Only full AD DS requested" size="4" pos="66" show="0" value="0" unmaskedvalue="06000000"/>
3547 <field name="mscldap.ntver.searchflags.vpdc" showname="...0 .... .... .... .... .... .... .... = VPDC: Primary Domain Controller not requested" size="4" pos="66" show="0" value="0" unmaskedvalue="06000000"/>
3548 <field name="mscldap.ntver.searchflags.vip" showname="..0. .... .... .... .... .... .... .... = VIP: IP details not requested (obsolete)" size="4" pos="66" show="0" value="0" unmaskedvalue="06000000"/>
3549 <field name="mscldap.ntver.searchflags.vl" showname=".0.. .... .... .... .... .... .... .... = VL: Client is not the local machine" size="4" pos="66" show="0" value="0" unmaskedvalue="06000000"/>
3550 <field name="mscldap.ntver.searchflags.vgc" showname="0... .... .... .... .... .... .... .... = VGC: Global Catalog not requested" size="4" pos="66" show="0" value="0" unmaskedvalue="06000000"/>
3551 </field>
3552 </field>
3553 </field>
3554 </field>
3555 <field name="" show="Filter: (DnsDomain=addom.samba.example.com)" size="38" pos="70" value="a3240409446e73446f6d61696e04176164646f6d2e73616d62612e6578616d706c652e636f6d">
3556 <field name="ldap.and_item" showname="and item: equalityMatch (3)" size="36" pos="72" show="3" value="0409446e73446f6d61696e04176164646f6d2e73616d62612e6578616d706c652e636f6d">
3557 <field name="ldap.equalityMatch_element" showname="equalityMatch" size="36" pos="72" show="" value="">
3558 <field name="ldap.attributeDesc" showname="attributeDesc: DnsDomain" size="9" pos="74" show="DnsDomain" value="446e73446f6d61696e"/>
3559 <field name="ldap.assertionValue" showname="assertionValue: addom.samba.example.com" size="23" pos="85" show="addom.samba.example.com" value="6164646f6d2e73616d62612e6578616d706c652e636f6d"/>
3560 </field>
3561 </field>
3562 </field>
3563 <field name="" show="Filter: (AAC=00:00:00:00)" size="13" pos="108" value="a30b0403414143040400000000">
3564 <field name="ldap.and_item" showname="and item: equalityMatch (3)" size="11" pos="110" show="3" value="0403414143040400000000">
3565 <field name="ldap.equalityMatch_element" showname="equalityMatch" size="11" pos="110" show="" value="">
3566 <field name="ldap.attributeDesc" showname="attributeDesc: AAC" size="3" pos="112" show="AAC" value="414143"/>
3567 <field name="ldap.assertionValue" showname="assertionValue: 00:00:00:00" size="4" pos="117" show="00:00:00:00" value="00000000"/>
3568 </field>
3569 </field>
3570 </field>
3571 </field>
3572 </field>
3573 </field>
3574 </field>
3575 <field name="ldap.attributes" showname="attributes: 1 item" size="10" pos="123" show="1" value="04084e65744c6f676f6e">
3576 <field name="ldap.AttributeDescription" showname="AttributeDescription: NetLogon" size="8" pos="125" show="NetLogon" value="4e65744c6f676f6e"/>
3577 </field>
3578 </field>
3579 </field>
3580 </field>
3581 </proto>
3582 </packet>
3584 <packet>
<!-- geninfo: capture metadata for frame 698, 226 bytes both on the wire and captured.
     The value attributes repeat the numbers in hex (2ba = 698, e2 = 226); the timestamp value is the epoch time. -->
3585 <proto name="geninfo" pos="0" showname="General information" size="226">
3586 <field name="num" pos="0" show="698" showname="Number" value="2ba" size="226"/>
3587 <field name="len" pos="0" show="226" showname="Frame Length" value="e2" size="226"/>
3588 <field name="caplen" pos="0" show="226" showname="Captured Length" value="e2" size="226"/>
3589 <field name="timestamp" pos="0" show="Feb 16, 2017 11:26:26.864862000 NZDT" showname="Captured Time" value="1487197586.864862000" size="226"/>
3590 </proto>
<!-- frame: per-frame metadata for frame 698. Every field has size 0 and no value attribute,
     so these are presumably computed by the dissector rather than read from packet bytes.
     Encapsulation is Raw IP (7); frame.protocols gives the layer stack raw:ip:tcp:nbss:smb2. -->
3591 <proto name="frame" showname="Frame 698: 226 bytes on wire (1808 bits), 226 bytes captured (1808 bits)" size="226" pos="0">
3592 <field name="frame.encap_type" showname="Encapsulation type: Raw IP (7)" size="0" pos="0" show="7"/>
3593 <field name="frame.time" showname="Arrival Time: Feb 16, 2017 11:26:26.864862000 NZDT" size="0" pos="0" show="Feb 16, 2017 11:26:26.864862000 NZDT"/>
3594 <field name="frame.offset_shift" showname="Time shift for this packet: 0.000000000 seconds" size="0" pos="0" show="0.000000000"/>
3595 <field name="frame.time_epoch" showname="Epoch Time: 1487197586.864862000 seconds" size="0" pos="0" show="1487197586.864862000"/>
3596 <field name="frame.time_delta" showname="Time delta from previous captured frame: 0.000059000 seconds" size="0" pos="0" show="0.000059000"/>
3597 <field name="frame.time_delta_displayed" showname="Time delta from previous displayed frame: 0.000059000 seconds" size="0" pos="0" show="0.000059000"/>
3598 <field name="frame.time_relative" showname="Time since reference or first frame: 30.705568000 seconds" size="0" pos="0" show="30.705568000"/>
3599 <field name="frame.number" showname="Frame Number: 698" size="0" pos="0" show="698"/>
3600 <field name="frame.len" showname="Frame Length: 226 bytes (1808 bits)" size="0" pos="0" show="226"/>
3601 <field name="frame.cap_len" showname="Capture Length: 226 bytes (1808 bits)" size="0" pos="0" show="226"/>
3602 <field name="frame.marked" showname="Frame is marked: False" size="0" pos="0" show="0"/>
3603 <field name="frame.ignored" showname="Frame is ignored: False" size="0" pos="0" show="0"/>
3604 <field name="frame.protocols" showname="Protocols in frame: raw:ip:tcp:nbss:smb2" size="0" pos="0" show="raw:ip:tcp:nbss:smb2"/>
3605 </proto>
<!-- raw: empty element for the first layer listed in frame.protocols (raw:ip:tcp:nbss:smb2); its size, 226, equals the frame length. -->
3606 <proto name="raw" showname="Raw packet data" size="226" pos="0"/>
<!-- ip: IPv4 header, 127.0.0.26 to 127.0.0.30 (both inside 127.0.0.0/8), protocol TCP (6), total length 226.
     The header checksum is 0x0000 and was not validated, so checksum_good and checksum_bad are both False.
     show and value are not interchangeable: ip.flags has show 0x00000002 (decoded flag bits) but value 40 (the raw byte).
     Fields marked hide="yes" repeat the addresses under alias names; the two name="" fields carry only GeoIP summary text. -->
3607 <proto name="ip" showname="Internet Protocol Version 4, Src: 127.0.0.26, Dst: 127.0.0.30" size="20" pos="0">
3608 <field name="ip.version" showname="0100 .... = Version: 4" size="1" pos="0" show="4" value="4" unmaskedvalue="45"/>
3609 <field name="ip.hdr_len" showname=".... 0101 = Header Length: 20 bytes" size="1" pos="0" show="5" value="5" unmaskedvalue="45"/>
3610 <field name="ip.dsfield" showname="Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)" size="1" pos="1" show="0x00000000" value="00">
3611 <field name="ip.dsfield.dscp" showname="0000 00.. = Differentiated Services Codepoint: Default (0)" size="1" pos="1" show="0" value="0" unmaskedvalue="00"/>
3612 <field name="ip.dsfield.ecn" showname=".... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)" size="1" pos="1" show="0" value="0" unmaskedvalue="00"/>
3613 </field>
3614 <field name="ip.len" showname="Total Length: 226" size="2" pos="2" show="226" value="00e2"/>
3615 <field name="ip.id" showname="Identification: 0xffff (65535)" size="2" pos="4" show="0x0000ffff" value="ffff"/>
3616 <field name="ip.flags" showname="Flags: 0x02 (Don&#x27;t Fragment)" size="1" pos="6" show="0x00000002" value="40">
3617 <field name="ip.flags.rb" showname="0... .... = Reserved bit: Not set" size="1" pos="6" show="0" value="40"/>
3618 <field name="ip.flags.df" showname=".1.. .... = Don&#x27;t fragment: Set" size="1" pos="6" show="1" value="40"/>
3619 <field name="ip.flags.mf" showname="..0. .... = More fragments: Not set" size="1" pos="6" show="0" value="40"/>
3620 </field>
3621 <field name="ip.frag_offset" showname="Fragment offset: 0" size="2" pos="6" show="0" value="4000"/>
3622 <field name="ip.ttl" showname="Time to live: 255" size="1" pos="8" show="255" value="ff"/>
3623 <field name="ip.proto" showname="Protocol: TCP (6)" size="1" pos="9" show="6" value="06"/>
3624 <field name="ip.checksum" showname="Header checksum: 0x0000 [validation disabled]" size="2" pos="10" show="0x00000000" value="0000">
3625 <field name="ip.checksum_good" showname="Good: False" size="2" pos="10" show="0" value="0000"/>
3626 <field name="ip.checksum_bad" showname="Bad: False" size="2" pos="10" show="0" value="0000"/>
3627 </field>
3628 <field name="ip.src" showname="Source: 127.0.0.26" size="4" pos="12" show="127.0.0.26" value="7f00001a"/>
3629 <field name="ip.addr" showname="Source or Destination Address: 127.0.0.26" hide="yes" size="4" pos="12" show="127.0.0.26" value="7f00001a"/>
3630 <field name="ip.src_host" showname="Source Host: 127.0.0.26" hide="yes" size="4" pos="12" show="127.0.0.26" value="7f00001a"/>
3631 <field name="ip.host" showname="Source or Destination Host: 127.0.0.26" hide="yes" size="4" pos="12" show="127.0.0.26" value="7f00001a"/>
3632 <field name="ip.dst" showname="Destination: 127.0.0.30" size="4" pos="16" show="127.0.0.30" value="7f00001e"/>
3633 <field name="ip.addr" showname="Source or Destination Address: 127.0.0.30" hide="yes" size="4" pos="16" show="127.0.0.30" value="7f00001e"/>
3634 <field name="ip.dst_host" showname="Destination Host: 127.0.0.30" hide="yes" size="4" pos="16" show="127.0.0.30" value="7f00001e"/>
3635 <field name="ip.host" showname="Source or Destination Host: 127.0.0.30" hide="yes" size="4" pos="16" show="127.0.0.30" value="7f00001e"/>
3636 <field name="" show="Source GeoIP: Unknown" size="4" pos="12" value="7f00001a"/>
3637 <field name="" show="Destination GeoIP: Unknown" size="4" pos="16" value="7f00001e"/>
3638 </proto>
<!-- tcp: source port 31980 to destination port 445, flags PSH and ACK, 186-byte segment on stream 12.
     Sequence and acknowledgment numbers are labelled relative (89 and 229). Checksum is 0x0000 with validation disabled.
     For computed fields value does not encode show: tcp.len has show 186 but value 50 (the byte at pos 32, shared with
     tcp.hdr_len), and tcp.window_size_scalefactor has show -2 but value 7fff. Read show for those.
     The tcp.analysis subtree carries an expert warning about an ACKed segment that was not captured; its severity and
     group appear in show only as numeric codes (0x00600000, 0x02000000), with the text in showname. -->
3639 <proto name="tcp" showname="Transmission Control Protocol, Src Port: 31980 (31980), Dst Port: 445 (445), Seq: 89, Ack: 229, Len: 186" size="20" pos="20">
3640 <field name="tcp.srcport" showname="Source Port: 31980" size="2" pos="20" show="31980" value="7cec"/>
3641 <field name="tcp.dstport" showname="Destination Port: 445" size="2" pos="22" show="445" value="01bd"/>
3642 <field name="tcp.port" showname="Source or Destination Port: 31980" hide="yes" size="2" pos="20" show="31980" value="7cec"/>
3643 <field name="tcp.port" showname="Source or Destination Port: 445" hide="yes" size="2" pos="22" show="445" value="01bd"/>
3644 <field name="tcp.stream" showname="Stream index: 12" size="0" pos="20" show="12"/>
3645 <field name="tcp.len" showname="TCP Segment Len: 186" size="1" pos="32" show="186" value="50"/>
3646 <field name="tcp.seq" showname="Sequence number: 89 (relative sequence number)" size="4" pos="24" show="89" value="00000059"/>
3647 <field name="tcp.nxtseq" showname="Next sequence number: 275 (relative sequence number)" size="0" pos="20" show="275"/>
3648 <field name="tcp.ack" showname="Acknowledgment number: 229 (relative ack number)" size="4" pos="28" show="229" value="000000e5"/>
3649 <field name="tcp.hdr_len" showname="Header Length: 20 bytes" size="1" pos="32" show="20" value="50"/>
3650 <field name="tcp.flags" showname="Flags: 0x018 (PSH, ACK)" size="2" pos="32" show="0x00000018" value="18" unmaskedvalue="5018">
3651 <field name="tcp.flags.res" showname="000. .... .... = Reserved: Not set" size="1" pos="32" show="0" value="0" unmaskedvalue="50"/>
3652 <field name="tcp.flags.ns" showname="...0 .... .... = Nonce: Not set" size="1" pos="32" show="0" value="0" unmaskedvalue="50"/>
3653 <field name="tcp.flags.cwr" showname=".... 0... .... = Congestion Window Reduced (CWR): Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
3654 <field name="tcp.flags.ecn" showname=".... .0.. .... = ECN-Echo: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
3655 <field name="tcp.flags.urg" showname=".... ..0. .... = Urgent: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
3656 <field name="tcp.flags.ack" showname=".... ...1 .... = Acknowledgment: Set" size="1" pos="33" show="1" value="FFFFFFFF" unmaskedvalue="18"/>
3657 <field name="tcp.flags.push" showname=".... .... 1... = Push: Set" size="1" pos="33" show="1" value="FFFFFFFF" unmaskedvalue="18"/>
3658 <field name="tcp.flags.reset" showname=".... .... .0.. = Reset: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
3659 <field name="tcp.flags.syn" showname=".... .... ..0. = Syn: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
3660 <field name="tcp.flags.fin" showname=".... .... ...0 = Fin: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
3661 <field name="tcp.flags.str" showname="TCP Flags: *******AP***" size="2" pos="32" show="*******AP***" value="5018"/>
3662 </field>
3663 <field name="tcp.window_size_value" showname="Window size value: 32767" size="2" pos="34" show="32767" value="7fff"/>
3664 <field name="tcp.window_size" showname="Calculated window size: 32767" size="2" pos="34" show="32767" value="7fff"/>
3665 <field name="tcp.window_size_scalefactor" showname="Window size scaling factor: -2 (no window scaling used)" size="2" pos="34" show="-2" value="7fff"/>
3666 <field name="tcp.checksum" showname="Checksum: 0x0000 [validation disabled]" size="2" pos="36" show="0x00000000" value="0000">
3667 <field name="tcp.checksum_good" showname="Good Checksum: False" size="2" pos="36" show="0" value="0000"/>
3668 <field name="tcp.checksum_bad" showname="Bad Checksum: False" size="2" pos="36" show="0" value="0000"/>
3669 </field>
3670 <field name="tcp.urgent_pointer" showname="Urgent pointer: 0" size="2" pos="38" show="0" value="0000"/>
3671 <field name="tcp.analysis" showname="SEQ/ACK analysis" size="0" pos="20" show="" value="">
3672 <field name="tcp.analysis.acks_frame" showname="This is an ACK to the segment in frame: 695" size="0" pos="20" show="695"/>
3673 <field name="tcp.analysis.ack_rtt" showname="The RTT to ACK the segment was: 0.000105000 seconds" size="0" pos="20" show="0.000105000"/>
3674 <field name="tcp.analysis.initial_rtt" showname="iRTT: 0.000014000 seconds" size="0" pos="20" show="0.000014000"/>
3675 <field name="tcp.analysis.bytes_in_flight" showname="Bytes in flight: 186" size="0" pos="20" show="186"/>
3676 <field name="tcp.analysis.flags" showname="TCP Analysis Flags" size="0" pos="20" show="" value="">
3677 <field name="_ws.expert" showname="Expert Info (Warn/Sequence): ACKed segment that wasn&#x27;t captured (common at capture start)" size="0" pos="20">
3678 <field name="tcp.analysis.ack_lost_segment" showname="ACKed segment that wasn&#x27;t captured (common at capture start)" size="0" pos="0" show="" value=""/>
3679 <field name="_ws.expert.message" showname="Message: ACKed segment that wasn&#x27;t captured (common at capture start)" hide="yes" size="0" pos="0" show="ACKed segment that wasn&#x27;t captured (common at capture start)"/>
3680 <field name="_ws.expert.severity" showname="Severity level: Warn" size="0" pos="0" show="0x00600000"/>
3681 <field name="_ws.expert.group" showname="Group: Sequence" size="0" pos="0" show="0x02000000"/>
3682 </field>
3683 </field>
3684 </field>
3685 </proto>
<!-- nbss: NetBIOS Session Service framing, message type 0x00 (session message) with a 3-byte length of 182.
     The proto size, 186, equals the TCP segment length reported for this frame. -->
3686 <proto name="nbss" showname="NetBIOS Session Service" size="186" pos="40">
3687 <field name="nbss.type" showname="Message Type: Session message (0x00)" size="1" pos="40" show="0x00000000" value="00"/>
3688 <field name="nbss.length" showname="Length: 182" size="3" pos="41" show="182" value="0000b6"/>
3689 </proto>
<!-- smb2: Negotiate Protocol request (command 0, message ID 1). The header flags mark it as an unsigned request,
     and the session ID, tree ID and signature are all zero.
     The request body sets security mode 0x03 (signing enabled and signing required), capabilities 0x0000007f
     (DFS through ENCRYPTION) and dialect count 8, listing dialects 0x0202, 0x0210, 0x0222, 0x0224, 0x0300, 0x0302,
     0x0310 and 0x0311. These are only what the client offers; the negotiated result depends on the server's reply,
     which is not part of this packet.
     NegotiateContextCount is 2: SMB2_PREAUTH_INTEGRITY_CAPABILITIES and SMB2_ENCRYPTION_CAPABILITIES. Their payloads
     are not decoded here and appear as smb2.unknown, so hash and cipher choices are available only as raw bytes.
     smb2.reserved and smb2.dialect repeat as sibling fields; consumers must not assume field names are unique. -->
3690 <proto name="smb2" showname="SMB2 (Server Message Block Protocol version 2)" size="182" pos="44">
3691 <field name="" show="SMB2 Header" size="64" pos="44" value="fe534d42400000000000000000000000000000000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000">
3692 <field name="smb2.server_component_smb2" showname="Server Component: SMB2" size="4" pos="44" show="" value=""/>
3693 <field name="smb2.header_len" showname="Header Length: 64" size="2" pos="48" show="64" value="4000"/>
3694 <field name="smb2.credit.charge" showname="Credit Charge: 0" size="2" pos="50" show="0" value="0000"/>
3695 <field name="smb2.channel_sequence" showname="Channel Sequence: 0" size="2" pos="52" show="0" value="0000"/>
3696 <field name="smb2.reserved" showname="Reserved: 0000" size="2" pos="54" show="00:00" value="0000"/>
3697 <field name="smb2.cmd" showname="Command: Negotiate Protocol (0)" size="2" pos="56" show="0" value="0000"/>
3698 <field name="smb2.credits.requested" showname="Credits requested: 0" size="2" pos="58" show="0" value="0000"/>
3699 <field name="smb2.flags" showname="Flags: 0x00000000" size="4" pos="60" show="0x00000000" value="00000000">
3700 <field name="smb2.flags.response" showname=".... .... .... .... .... .... .... ...0 = Response: This is a REQUEST" size="4" pos="60" show="0" value="0" unmaskedvalue="00000000"/>
3701 <field name="smb2.flags.async" showname=".... .... .... .... .... .... .... ..0. = Async command: This is a SYNC command" size="4" pos="60" show="0" value="0" unmaskedvalue="00000000"/>
3702 <field name="smb2.flags.chained" showname=".... .... .... .... .... .... .... .0.. = Chained: This pdu is NOT a chained command" size="4" pos="60" show="0" value="0" unmaskedvalue="00000000"/>
3703 <field name="smb2.flags.signature" showname=".... .... .... .... .... .... .... 0... = Signing: This pdu is NOT signed" size="4" pos="60" show="0" value="0" unmaskedvalue="00000000"/>
3704 <field name="smb2.flags.dfs" showname="...0 .... .... .... .... .... .... .... = DFS operation: This is a normal operation" size="4" pos="60" show="0" value="0" unmaskedvalue="00000000"/>
3705 <field name="smb2.flags.replay" showname="..0. .... .... .... .... .... .... .... = Replay operation: This is NOT a replay operation" size="4" pos="60" show="0" value="0" unmaskedvalue="00000000"/>
3706 </field>
3707 <field name="smb2.chain_offset" showname="Chain Offset: 0x00000000" size="4" pos="64" show="0x00000000" value="00000000"/>
3708 <field name="smb2.msg_id" showname="Message ID: 1" size="8" pos="68" show="1" value="0100000000000000"/>
3709 <field name="smb2.pid" showname="Process Id: 0x00000000" size="4" pos="76" show="0x00000000" value="00000000"/>
3710 <field name="smb2.tid" showname="Tree Id: 0x00000000" size="4" pos="80" show="0x00000000" value="00000000"/>
3711 <field name="smb2.sesid" showname="Session Id: 0x0000000000000000" size="8" pos="84" show="0x0000000000000000" value="0000000000000000"/>
3712 <field name="smb2.signature" showname="Signature: 00000000000000000000000000000000" size="16" pos="92" show="00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00" value="00000000000000000000000000000000"/>
3713 </field>
3714 <field name="" show="Negotiate Protocol Request (0x00)" size="118" pos="108" value="24000800030000007f000000ee2b90e954001a488a0332bc9e697f2d780000000200000002021002220224020003020310031103000000000100260000000000010020000100dfcf45249723e007a592511728de102521de99235cfee4ef893464068a2f67a200000200060000000000020001000200">
3715 <field name="smb2.buffer_code" showname="StructureSize: 0x0024" size="2" pos="108" show="0x00000024" value="2400">
3716 <field name="smb2.buffer_code.length" showname="0000 0000 0010 010. = Fixed Part Length: 18" size="2" pos="108" show="18" value="12" unmaskedvalue="2400"/>
3717 <field name="smb2.buffer_code.dynamic" showname=".... .... .... ...0 = Dynamic Part: False" size="2" pos="108" show="0" value="0" unmaskedvalue="2400"/>
3718 </field>
3719 <field name="smb2.dialect_count" showname="Dialect count: 8" size="2" pos="110" show="8" value="0800"/>
3720 <field name="smb2.sec_mode" showname="Security mode: 0x03, Signing enabled, Signing required" size="1" pos="112" show="0x00000003" value="03">
3721 <field name="smb2.sec_mode.sign_enabled" showname=".... ...1 = Signing enabled: True" size="1" pos="112" show="1" value="FFFFFFFF" unmaskedvalue="03"/>
3722 <field name="smb2.sec_mode.sign_required" showname=".... ..1. = Signing required: True" size="1" pos="112" show="1" value="FFFFFFFF" unmaskedvalue="03"/>
3723 </field>
3724 <field name="smb2.reserved" showname="Reserved: 0000" size="2" pos="114" show="00:00" value="0000"/>
3725 <field name="smb2.capabilities" showname="Capabilities: 0x0000007f, DFS, LEASING, LARGE MTU, MULTI CHANNEL, PERSISTENT HANDLES, DIRECTORY LEASING, ENCRYPTION" size="4" pos="116" show="0x0000007f" value="7f000000">
3726 <field name="smb2.capabilities.dfs" showname=".... .... .... .... .... .... .... ...1 = DFS: This host supports DFS" size="4" pos="116" show="1" value="FFFFFFFF" unmaskedvalue="7f000000"/>
3727 <field name="smb2.capabilities.leasing" showname=".... .... .... .... .... .... .... ..1. = LEASING: This host supports LEASING" size="4" pos="116" show="1" value="FFFFFFFF" unmaskedvalue="7f000000"/>
3728 <field name="smb2.capabilities.large_mtu" showname=".... .... .... .... .... .... .... .1.. = LARGE MTU: This host supports LARGE_MTU" size="4" pos="116" show="1" value="FFFFFFFF" unmaskedvalue="7f000000"/>
3729 <field name="smb2.capabilities.multi_channel" showname=".... .... .... .... .... .... .... 1... = MULTI CHANNEL: This host supports MULTI CHANNEL" size="4" pos="116" show="1" value="FFFFFFFF" unmaskedvalue="7f000000"/>
3730 <field name="smb2.capabilities.persistent_handles" showname=".... .... .... .... .... .... ...1 .... = PERSISTENT HANDLES: This host supports PERSISTENT HANDLES" size="4" pos="116" show="1" value="FFFFFFFF" unmaskedvalue="7f000000"/>
3731 <field name="smb2.capabilities.directory_leasing" showname=".... .... .... .... .... .... ..1. .... = DIRECTORY LEASING: This host supports DIRECTORY LEASING" size="4" pos="116" show="1" value="FFFFFFFF" unmaskedvalue="7f000000"/>
3732 <field name="smb2.capabilities.encryption" showname=".... .... .... .... .... .... .1.. .... = ENCRYPTION: This host supports ENCRYPTION" size="4" pos="116" show="1" value="FFFFFFFF" unmaskedvalue="7f000000"/>
3733 </field>
3734 <field name="smb2.client_guid" showname="Client Guid: e9902bee-0054-481a-8a03-32bc9e697f2d" size="16" pos="120" show="e9902bee-0054-481a-8a03-32bc9e697f2d" value="ee2b90e954001a488a0332bc9e697f2d"/>
3735 <field name="smb2.negotiate_context.offset" showname="NegotiateContextOffset: 0x0078" size="4" pos="136" show="0x00000078" value="78000000"/>
3736 <field name="smb2.negotiate_context.count" showname="NegotiateContextCount: 2" size="2" pos="140" show="2" value="0200"/>
3737 <field name="smb2.reserved" showname="Reserved: 0000" size="2" pos="142" show="00:00" value="0000"/>
3738 <field name="smb2.dialect" showname="Dialect: 0x0202" size="2" pos="144" show="0x00000202" value="0202"/>
3739 <field name="smb2.dialect" showname="Dialect: 0x0210" size="2" pos="146" show="0x00000210" value="1002"/>
3740 <field name="smb2.dialect" showname="Dialect: 0x0222" size="2" pos="148" show="0x00000222" value="2202"/>
3741 <field name="smb2.dialect" showname="Dialect: 0x0224" size="2" pos="150" show="0x00000224" value="2402"/>
3742 <field name="smb2.dialect" showname="Dialect: 0x0300" size="2" pos="152" show="0x00000300" value="0003"/>
3743 <field name="smb2.dialect" showname="Dialect: 0x0302" size="2" pos="154" show="0x00000302" value="0203"/>
3744 <field name="smb2.dialect" showname="Dialect: 0x0310" size="2" pos="156" show="0x00000310" value="1003"/>
3745 <field name="smb2.dialect" showname="Dialect: 0x0311" size="2" pos="158" show="0x00000311" value="1103"/>
3746 <field name="" show="Negotiate Context: SMB2_PREAUTH_INTEGRITY_CAPABILITIES " size="46" pos="164" value="0100260000000000010020000100dfcf45249723e007a592511728de102521de99235cfee4ef893464068a2f67a2">
3747 <field name="smb2.negotiate_context.type" showname="Type: SMB2_PREAUTH_INTEGRITY_CAPABILITIES (0x0001)" size="2" pos="164" show="0x00000001" value="0100"/>
3748 <field name="smb2.negotiate_context.data_length" showname="DataLength: 38" size="2" pos="166" show="38" value="2600"/>
3749 <field name="smb2.reserved" showname="Reserved: 00000000" size="4" pos="168" show="00:00:00:00" value="00000000"/>
3750 <field name="smb2.unknown" showname="unknown: 010020000100dfcf45249723e007a592511728de102521de..." size="38" pos="172" show="01:00:20:00:01:00:df:cf:45:24:97:23:e0:07:a5:92:51:17:28:de:10:25:21:de:99:23:5c:fe:e4:ef:89:34:64:06:8a:2f:67:a2" value="010020000100dfcf45249723e007a592511728de102521de99235cfee4ef893464068a2f67a2"/>
3751 </field>
3752 <field name="" show="Negotiate Context: SMB2_ENCRYPTION_CAPABILITIES " size="14" pos="212" value="0200060000000000020001000200">
3753 <field name="smb2.negotiate_context.type" showname="Type: SMB2_ENCRYPTION_CAPABILITIES (0x0002)" size="2" pos="212" show="0x00000002" value="0200"/>
3754 <field name="smb2.negotiate_context.data_length" showname="DataLength: 6" size="2" pos="214" show="6" value="0600"/>
3755 <field name="smb2.reserved" showname="Reserved: 00000000" size="4" pos="216" show="00:00:00:00" value="00000000"/>
3756 <field name="smb2.unknown" showname="unknown: 020001000200" size="6" pos="220" show="02:00:01:00:02:00" value="020001000200"/>
3757 </field>
3758 </field>
3759 </proto>
3760 </packet>
3762 <packet>
<!-- geninfo: capture metadata for frame 1166, 96 bytes both on the wire and captured.
     The value attributes repeat the numbers in hex (48e = 1166, 60 = 96); the timestamp value is the epoch time. -->
3763 <proto name="geninfo" pos="0" showname="General information" size="96">
3764 <field name="num" pos="0" show="1166" showname="Number" value="48e" size="96"/>
3765 <field name="len" pos="0" show="96" showname="Frame Length" value="60" size="96"/>
3766 <field name="caplen" pos="0" show="96" showname="Captured Length" value="60" size="96"/>
3767 <field name="timestamp" pos="0" show="Feb 16, 2017 11:26:28.515337000 NZDT" showname="Captured Time" value="1487197588.515337000" size="96"/>
3768 </proto>
3769 <proto name="frame" showname="Frame 1166: 96 bytes on wire (768 bits), 96 bytes captured (768 bits)" size="96" pos="0">
3770 <field name="frame.encap_type" showname="Encapsulation type: Raw IP (7)" size="0" pos="0" show="7"/>
3771 <field name="frame.time" showname="Arrival Time: Feb 16, 2017 11:26:28.515337000 NZDT" size="0" pos="0" show="Feb 16, 2017 11:26:28.515337000 NZDT"/>
3772 <field name="frame.offset_shift" showname="Time shift for this packet: 0.000000000 seconds" size="0" pos="0" show="0.000000000"/>
3773 <field name="frame.time_epoch" showname="Epoch Time: 1487197588.515337000 seconds" size="0" pos="0" show="1487197588.515337000"/>
3774 <field name="frame.time_delta" showname="Time delta from previous captured frame: 0.000045000 seconds" size="0" pos="0" show="0.000045000"/>
3775 <field name="frame.time_delta_displayed" showname="Time delta from previous displayed frame: 0.000045000 seconds" size="0" pos="0" show="0.000045000"/>
3776 <field name="frame.time_relative" showname="Time since reference or first frame: 32.356043000 seconds" size="0" pos="0" show="32.356043000"/>
3777 <field name="frame.number" showname="Frame Number: 1166" size="0" pos="0" show="1166"/>
3778 <field name="frame.len" showname="Frame Length: 96 bytes (768 bits)" size="0" pos="0" show="96"/>
3779 <field name="frame.cap_len" showname="Capture Length: 96 bytes (768 bits)" size="0" pos="0" show="96"/>
3780 <field name="frame.marked" showname="Frame is marked: False" size="0" pos="0" show="0"/>
3781 <field name="frame.ignored" showname="Frame is ignored: False" size="0" pos="0" show="0"/>
3782 <field name="frame.protocols" showname="Protocols in frame: raw:ip:udp:dns" size="0" pos="0" show="raw:ip:udp:dns"/>
3783 </proto>
3784 <proto name="raw" showname="Raw packet data" size="96" pos="0"/>
3785 <proto name="ip" showname="Internet Protocol Version 4, Src: 127.0.0.26, Dst: 0.0.0.0" size="20" pos="0">
3786 <field name="ip.version" showname="0100 .... = Version: 4" size="1" pos="0" show="4" value="4" unmaskedvalue="45"/>
3787 <field name="ip.hdr_len" showname=".... 0101 = Header Length: 20 bytes" size="1" pos="0" show="5" value="5" unmaskedvalue="45"/>
3788 <field name="ip.dsfield" showname="Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)" size="1" pos="1" show="0x00000000" value="00">
3789 <field name="ip.dsfield.dscp" showname="0000 00.. = Differentiated Services Codepoint: Default (0)" size="1" pos="1" show="0" value="0" unmaskedvalue="00"/>
3790 <field name="ip.dsfield.ecn" showname=".... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)" size="1" pos="1" show="0" value="0" unmaskedvalue="00"/>
3791 </field>
3792 <field name="ip.len" showname="Total Length: 96" size="2" pos="2" show="96" value="0060"/>
3793 <field name="ip.id" showname="Identification: 0xffff (65535)" size="2" pos="4" show="0x0000ffff" value="ffff"/>
3794 <field name="ip.flags" showname="Flags: 0x02 (Don&#x27;t Fragment)" size="1" pos="6" show="0x00000002" value="40">
3795 <field name="ip.flags.rb" showname="0... .... = Reserved bit: Not set" size="1" pos="6" show="0" value="40"/>
3796 <field name="ip.flags.df" showname=".1.. .... = Don&#x27;t fragment: Set" size="1" pos="6" show="1" value="40"/>
3797 <field name="ip.flags.mf" showname="..0. .... = More fragments: Not set" size="1" pos="6" show="0" value="40"/>
3798 </field>
3799 <field name="ip.frag_offset" showname="Fragment offset: 0" size="2" pos="6" show="0" value="4000"/>
3800 <field name="ip.ttl" showname="Time to live: 255" size="1" pos="8" show="255" value="ff"/>
3801 <field name="ip.proto" showname="Protocol: UDP (17)" size="1" pos="9" show="17" value="11"/>
3802 <field name="ip.checksum" showname="Header checksum: 0x0000 [validation disabled]" size="2" pos="10" show="0x00000000" value="0000">
3803 <field name="ip.checksum_good" showname="Good: False" size="2" pos="10" show="0" value="0000"/>
3804 <field name="ip.checksum_bad" showname="Bad: False" size="2" pos="10" show="0" value="0000"/>
3805 </field>
3806 <field name="ip.src" showname="Source: 127.0.0.26" size="4" pos="12" show="127.0.0.26" value="7f00001a"/>
3807 <field name="ip.addr" showname="Source or Destination Address: 127.0.0.26" hide="yes" size="4" pos="12" show="127.0.0.26" value="7f00001a"/>
3808 <field name="ip.src_host" showname="Source Host: 127.0.0.26" hide="yes" size="4" pos="12" show="127.0.0.26" value="7f00001a"/>
3809 <field name="ip.host" showname="Source or Destination Host: 127.0.0.26" hide="yes" size="4" pos="12" show="127.0.0.26" value="7f00001a"/>
3810 <field name="ip.dst" showname="Destination: 0.0.0.0" size="4" pos="16" show="0.0.0.0" value="00000000"/>
3811 <field name="ip.addr" showname="Source or Destination Address: 0.0.0.0" hide="yes" size="4" pos="16" show="0.0.0.0" value="00000000"/>
3812 <field name="ip.dst_host" showname="Destination Host: 0.0.0.0" hide="yes" size="4" pos="16" show="0.0.0.0" value="00000000"/>
3813 <field name="ip.host" showname="Source or Destination Host: 0.0.0.0" hide="yes" size="4" pos="16" show="0.0.0.0" value="00000000"/>
3814 <field name="" show="Source GeoIP: Unknown" size="4" pos="12" value="7f00001a"/>
3815 <field name="" show="Destination GeoIP: Unknown" size="4" pos="16" value="00000000"/>
3816 </proto>
3817 <proto name="udp" showname="User Datagram Protocol, Src Port: 31989 (31989), Dst Port: 53 (53)" size="8" pos="20">
3818 <field name="udp.srcport" showname="Source Port: 31989" size="2" pos="20" show="31989" value="7cf5"/>
3819 <field name="udp.dstport" showname="Destination Port: 53" size="2" pos="22" show="53" value="0035"/>
3820 <field name="udp.port" showname="Source or Destination Port: 31989" hide="yes" size="2" pos="20" show="31989" value="7cf5"/>
3821 <field name="udp.port" showname="Source or Destination Port: 53" hide="yes" size="2" pos="22" show="53" value="0035"/>
3822 <field name="udp.length" showname="Length: 76" size="2" pos="24" show="76" value="004c"/>
3823 <field name="udp.checksum" showname="Checksum: 0x0000 (none)" size="2" pos="26" show="0x00000000" value="0000">
3824 <field name="udp.checksum_good" showname="Good Checksum: False" size="2" pos="26" show="0" value="0000"/>
3825 <field name="udp.checksum_bad" showname="Bad Checksum: False" size="2" pos="26" show="0" value="0000"/>
3826 </field>
3827 <field name="udp.stream" showname="Stream index: 76" size="0" pos="28" show="76"/>
3828 </proto>
3829 <proto name="dns" showname="Domain Name System (query)" size="68" pos="28">
3830 <field name="dns.id" showname="Transaction ID: 0x1b5d" size="2" pos="28" show="0x00001b5d" value="1b5d"/>
3831 <field name="dns.flags" showname="Flags: 0x2800 Dynamic update" size="2" pos="30" show="0x00002800" value="2800">
3832 <field name="dns.flags.response" showname="0... .... .... .... = Response: Message is a query" size="2" pos="30" show="0" value="0" unmaskedvalue="2800"/>
3833 <field name="dns.flags.opcode" showname=".010 1... .... .... = Opcode: Dynamic update (5)" size="2" pos="30" show="5" value="5" unmaskedvalue="2800"/>
3834 <field name="dns.flags.truncated" showname=".... ..0. .... .... = Truncated: Message is not truncated" size="2" pos="30" show="0" value="0" unmaskedvalue="2800"/>
3835 <field name="dns.flags.recdesired" showname=".... ...0 .... .... = Recursion desired: Don&#x27;t do query recursively" size="2" pos="30" show="0" value="0" unmaskedvalue="2800"/>
3836 <field name="dns.flags.z" showname=".... .... .0.. .... = Z: reserved (0)" size="2" pos="30" show="0" value="0" unmaskedvalue="2800"/>
3837 <field name="dns.flags.checkdisable" showname=".... .... ...0 .... = Non-authenticated data: Unacceptable" size="2" pos="30" show="0" value="0" unmaskedvalue="2800"/>
3838 </field>
3839 <field name="dns.count.zones" showname="Zones: 1" size="2" pos="32" show="1" value="0001"/>
3840 <field name="dns.count.prerequisites" showname="Prerequisites: 0" size="2" pos="34" show="0" value="0000"/>
3841 <field name="dns.count.updates" showname="Updates: 1" size="2" pos="36" show="1" value="0001"/>
3842 <field name="dns.count.add_rr" showname="Additional RRs: 0" size="2" pos="38" show="0" value="0000"/>
3843 <field name="" show="Zone" size="27" pos="40" value="0973616d626132303033076578616d706c6503636f6d0000060001">
3844 <field name="" show="samba2003.example.com: type SOA, class IN" size="27" pos="40" value="0973616d626132303033076578616d706c6503636f6d0000060001">
3845 <field name="dns.qry.name" showname="Name: samba2003.example.com" size="23" pos="40" show="samba2003.example.com" value="0973616d626132303033076578616d706c6503636f6d00"/>
3846 <field name="dns.qry.name.len" showname="Name Length: 21" size="23" pos="40" show="21" value="0973616d626132303033076578616d706c6503636f6d00"/>
3847 <field name="dns.count.labels" showname="Label Count: 3" size="23" pos="40" show="3" value="0973616d626132303033076578616d706c6503636f6d00"/>
3848 <field name="dns.qry.type" showname="Type: SOA (Start Of a zone of Authority) (6)" size="2" pos="63" show="6" value="0006"/>
3849 <field name="dns.qry.class" showname="Class: IN (0x0001)" size="2" pos="65" show="0x00000001" value="0001"/>
3850 </field>
3851 </field>
3852 <field name="" show="Updates" size="29" pos="67" value="0a636e616d655f74657374c00c0005000100000384000603646336c00c">
3853 <field name="" show="cname_test.samba2003.example.com: type CNAME, class IN, cname dc6.samba2003.example.com" size="29" pos="67" value="0a636e616d655f74657374c00c0005000100000384000603646336c00c">
3854 <field name="dns.resp.name" showname="Name: cname_test.samba2003.example.com" size="13" pos="67" show="cname_test.samba2003.example.com" value="0a636e616d655f74657374c00c"/>
3855 <field name="dns.resp.type" showname="Type: CNAME (Canonical NAME for an alias) (5)" size="2" pos="80" show="5" value="0005"/>
3856 <field name="dns.resp.class" showname="Class: IN (0x0001)" size="2" pos="82" show="0x00000001" value="0001"/>
3857 <field name="dns.resp.ttl" showname="Time to live: 900" size="4" pos="84" show="900" value="00000384"/>
3858 <field name="dns.resp.len" showname="Data length: 6" size="2" pos="88" show="6" value="0006"/>
3859 <field name="dns.cname" showname="CNAME: dc6.samba2003.example.com" size="6" pos="90" show="dc6.samba2003.example.com" value="03646336c00c"/>
3860 </field>
3861 </field>
3862 </proto>
3863 </packet>
3865 <packet>
<!-- Frame 1167: response to the DNS dynamic update in frame 1166 (dns.response_to is 1166, transaction id 0x1b5d),
     sent 0.395812 s later from 0.0.0.0 port 53 to 127.0.0.26 port 31989.
     Reply code is 0 (No error), i.e. the server reported the update as successful. -->
3866 <proto name="geninfo" pos="0" showname="General information" size="96">
3867 <field name="num" pos="0" show="1167" showname="Number" value="48f" size="96"/>
3868 <field name="len" pos="0" show="96" showname="Frame Length" value="60" size="96"/>
3869 <field name="caplen" pos="0" show="96" showname="Captured Length" value="60" size="96"/>
3870 <field name="timestamp" pos="0" show="Feb 16, 2017 11:26:28.911149000 NZDT" showname="Captured Time" value="1487197588.911149000" size="96"/>
3871 </proto>
3872 <proto name="frame" showname="Frame 1167: 96 bytes on wire (768 bits), 96 bytes captured (768 bits)" size="96" pos="0">
3873 <field name="frame.encap_type" showname="Encapsulation type: Raw IP (7)" size="0" pos="0" show="7"/>
3874 <field name="frame.time" showname="Arrival Time: Feb 16, 2017 11:26:28.911149000 NZDT" size="0" pos="0" show="Feb 16, 2017 11:26:28.911149000 NZDT"/>
3875 <field name="frame.offset_shift" showname="Time shift for this packet: 0.000000000 seconds" size="0" pos="0" show="0.000000000"/>
3876 <field name="frame.time_epoch" showname="Epoch Time: 1487197588.911149000 seconds" size="0" pos="0" show="1487197588.911149000"/>
3877 <field name="frame.time_delta" showname="Time delta from previous captured frame: 0.395812000 seconds" size="0" pos="0" show="0.395812000"/>
3878 <field name="frame.time_delta_displayed" showname="Time delta from previous displayed frame: 0.395812000 seconds" size="0" pos="0" show="0.395812000"/>
3879 <field name="frame.time_relative" showname="Time since reference or first frame: 32.751855000 seconds" size="0" pos="0" show="32.751855000"/>
3880 <field name="frame.number" showname="Frame Number: 1167" size="0" pos="0" show="1167"/>
3881 <field name="frame.len" showname="Frame Length: 96 bytes (768 bits)" size="0" pos="0" show="96"/>
3882 <field name="frame.cap_len" showname="Capture Length: 96 bytes (768 bits)" size="0" pos="0" show="96"/>
3883 <field name="frame.marked" showname="Frame is marked: False" size="0" pos="0" show="0"/>
3884 <field name="frame.ignored" showname="Frame is ignored: False" size="0" pos="0" show="0"/>
3885 <field name="frame.protocols" showname="Protocols in frame: raw:ip:udp:dns" size="0" pos="0" show="raw:ip:udp:dns"/>
3886 </proto>
3887 <proto name="raw" showname="Raw packet data" size="96" pos="0"/>
<!-- Source and destination are the request's addresses swapped (0.0.0.0 to 127.0.0.26).
     Header checksum is 0x0000 with validation disabled, so the Good/Bad flags below say nothing about integrity. -->
3888 <proto name="ip" showname="Internet Protocol Version 4, Src: 0.0.0.0, Dst: 127.0.0.26" size="20" pos="0">
3889 <field name="ip.version" showname="0100 .... = Version: 4" size="1" pos="0" show="4" value="4" unmaskedvalue="45"/>
3890 <field name="ip.hdr_len" showname=".... 0101 = Header Length: 20 bytes" size="1" pos="0" show="5" value="5" unmaskedvalue="45"/>
3891 <field name="ip.dsfield" showname="Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)" size="1" pos="1" show="0x00000000" value="00">
3892 <field name="ip.dsfield.dscp" showname="0000 00.. = Differentiated Services Codepoint: Default (0)" size="1" pos="1" show="0" value="0" unmaskedvalue="00"/>
3893 <field name="ip.dsfield.ecn" showname=".... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)" size="1" pos="1" show="0" value="0" unmaskedvalue="00"/>
3894 </field>
3895 <field name="ip.len" showname="Total Length: 96" size="2" pos="2" show="96" value="0060"/>
3896 <field name="ip.id" showname="Identification: 0xffff (65535)" size="2" pos="4" show="0x0000ffff" value="ffff"/>
3897 <field name="ip.flags" showname="Flags: 0x02 (Don&#x27;t Fragment)" size="1" pos="6" show="0x00000002" value="40">
3898 <field name="ip.flags.rb" showname="0... .... = Reserved bit: Not set" size="1" pos="6" show="0" value="40"/>
3899 <field name="ip.flags.df" showname=".1.. .... = Don&#x27;t fragment: Set" size="1" pos="6" show="1" value="40"/>
3900 <field name="ip.flags.mf" showname="..0. .... = More fragments: Not set" size="1" pos="6" show="0" value="40"/>
3901 </field>
3902 <field name="ip.frag_offset" showname="Fragment offset: 0" size="2" pos="6" show="0" value="4000"/>
3903 <field name="ip.ttl" showname="Time to live: 255" size="1" pos="8" show="255" value="ff"/>
3904 <field name="ip.proto" showname="Protocol: UDP (17)" size="1" pos="9" show="17" value="11"/>
3905 <field name="ip.checksum" showname="Header checksum: 0x0000 [validation disabled]" size="2" pos="10" show="0x00000000" value="0000">
3906 <field name="ip.checksum_good" showname="Good: False" size="2" pos="10" show="0" value="0000"/>
3907 <field name="ip.checksum_bad" showname="Bad: False" size="2" pos="10" show="0" value="0000"/>
3908 </field>
3909 <field name="ip.src" showname="Source: 0.0.0.0" size="4" pos="12" show="0.0.0.0" value="00000000"/>
3910 <field name="ip.addr" showname="Source or Destination Address: 0.0.0.0" hide="yes" size="4" pos="12" show="0.0.0.0" value="00000000"/>
3911 <field name="ip.src_host" showname="Source Host: 0.0.0.0" hide="yes" size="4" pos="12" show="0.0.0.0" value="00000000"/>
3912 <field name="ip.host" showname="Source or Destination Host: 0.0.0.0" hide="yes" size="4" pos="12" show="0.0.0.0" value="00000000"/>
3913 <field name="ip.dst" showname="Destination: 127.0.0.26" size="4" pos="16" show="127.0.0.26" value="7f00001a"/>
3914 <field name="ip.addr" showname="Source or Destination Address: 127.0.0.26" hide="yes" size="4" pos="16" show="127.0.0.26" value="7f00001a"/>
3915 <field name="ip.dst_host" showname="Destination Host: 127.0.0.26" hide="yes" size="4" pos="16" show="127.0.0.26" value="7f00001a"/>
3916 <field name="ip.host" showname="Source or Destination Host: 127.0.0.26" hide="yes" size="4" pos="16" show="127.0.0.26" value="7f00001a"/>
3917 <field name="" show="Source GeoIP: Unknown" size="4" pos="12" value="00000000"/>
3918 <field name="" show="Destination GeoIP: Unknown" size="4" pos="16" value="7f00001a"/>
3919 </proto>
3920 <proto name="udp" showname="User Datagram Protocol, Src Port: 53 (53), Dst Port: 31989 (31989)" size="8" pos="20">
3921 <field name="udp.srcport" showname="Source Port: 53" size="2" pos="20" show="53" value="0035"/>
3922 <field name="udp.dstport" showname="Destination Port: 31989" size="2" pos="22" show="31989" value="7cf5"/>
3923 <field name="udp.port" showname="Source or Destination Port: 53" hide="yes" size="2" pos="20" show="53" value="0035"/>
3924 <field name="udp.port" showname="Source or Destination Port: 31989" hide="yes" size="2" pos="22" show="31989" value="7cf5"/>
3925 <field name="udp.length" showname="Length: 76" size="2" pos="24" show="76" value="004c"/>
3926 <field name="udp.checksum" showname="Checksum: 0x0000 (none)" size="2" pos="26" show="0x00000000" value="0000">
3927 <field name="udp.checksum_good" showname="Good Checksum: False" size="2" pos="26" show="0" value="0000"/>
3928 <field name="udp.checksum_bad" showname="Bad Checksum: False" size="2" pos="26" show="0" value="0000"/>
3929 </field>
3930 <field name="udp.stream" showname="Stream index: 76" size="0" pos="28" show="76"/>
3931 </proto>
3932 <proto name="dns" showname="Domain Name System (response)" size="68" pos="28">
3933 <field name="dns.response_to" showname="Request In: 1166" size="0" pos="28" show="1166"/>
3934 <field name="dns.time" showname="Time: 0.395812000 seconds" size="0" pos="28" show="0.395812000"/>
3935 <field name="dns.id" showname="Transaction ID: 0x1b5d" size="2" pos="28" show="0x00001b5d" value="1b5d"/>
<!-- In the flag breakdown below, a set single-bit flag is exported with value="FFFFFFFF" and show="1", a cleared one with value="0".
     NOTE(review): a consumer that compares flag bits is safer reading show or unmaskedvalue than value. -->
3936 <field name="dns.flags" showname="Flags: 0xa880 Dynamic update response, No error" size="2" pos="30" show="0x0000a880" value="a880">
3937 <field name="dns.flags.response" showname="1... .... .... .... = Response: Message is a response" size="2" pos="30" show="1" value="FFFFFFFF" unmaskedvalue="a880"/>
3938 <field name="dns.flags.opcode" showname=".010 1... .... .... = Opcode: Dynamic update (5)" size="2" pos="30" show="5" value="5" unmaskedvalue="a880"/>
3939 <field name="dns.flags.authoritative" showname=".... .0.. .... .... = Authoritative: Server is not an authority for domain" size="2" pos="30" show="0" value="0" unmaskedvalue="a880"/>
3940 <field name="dns.flags.truncated" showname=".... ..0. .... .... = Truncated: Message is not truncated" size="2" pos="30" show="0" value="0" unmaskedvalue="a880"/>
3941 <field name="dns.flags.recdesired" showname=".... ...0 .... .... = Recursion desired: Don&#x27;t do query recursively" size="2" pos="30" show="0" value="0" unmaskedvalue="a880"/>
3942 <field name="dns.flags.recavail" showname=".... .... 1... .... = Recursion available: Server can do recursive queries" size="2" pos="30" show="1" value="FFFFFFFF" unmaskedvalue="a880"/>
3943 <field name="dns.flags.z" showname=".... .... .0.. .... = Z: reserved (0)" size="2" pos="30" show="0" value="0" unmaskedvalue="a880"/>
3944 <field name="dns.flags.authenticated" showname=".... .... ..0. .... = Answer authenticated: Answer/authority portion was not authenticated by the server" size="2" pos="30" show="0" value="0" unmaskedvalue="a880"/>
3945 <field name="dns.flags.checkdisable" showname=".... .... ...0 .... = Non-authenticated data: Unacceptable" size="2" pos="30" show="0" value="0" unmaskedvalue="a880"/>
3946 <field name="dns.flags.rcode" showname=".... .... .... 0000 = Reply code: No error (0)" size="2" pos="30" show="0" value="0" unmaskedvalue="a880"/>
3947 </field>
<!-- Additional RRs is 0 in the response as well as in the request, so neither message carries a signature record
     (TSIG and SIG(0) travel in the additional section).
     NOTE(review): an unsigned update answered with No error is what a zone that permits nonsecure dynamic updates would produce;
     whether that is the fixture's intended server configuration cannot be told from this capture. -->
3948 <field name="dns.count.zones" showname="Zones: 1" size="2" pos="32" show="1" value="0001"/>
3949 <field name="dns.count.prerequisites" showname="Prerequisites: 0" size="2" pos="34" show="0" value="0000"/>
3950 <field name="dns.count.updates" showname="Updates: 1" size="2" pos="36" show="1" value="0001"/>
3951 <field name="dns.count.add_rr" showname="Additional RRs: 0" size="2" pos="38" show="0" value="0000"/>
3952 <field name="" show="Zone" size="27" pos="40" value="0973616d626132303033076578616d706c6503636f6d0000060001">
3953 <field name="" show="samba2003.example.com: type SOA, class IN" size="27" pos="40" value="0973616d626132303033076578616d706c6503636f6d0000060001">
3954 <field name="dns.qry.name" showname="Name: samba2003.example.com" size="23" pos="40" show="samba2003.example.com" value="0973616d626132303033076578616d706c6503636f6d00"/>
3955 <field name="dns.qry.name.len" showname="Name Length: 21" size="23" pos="40" show="21" value="0973616d626132303033076578616d706c6503636f6d00"/>
3956 <field name="dns.count.labels" showname="Label Count: 3" size="23" pos="40" show="3" value="0973616d626132303033076578616d706c6503636f6d00"/>
3957 <field name="dns.qry.type" showname="Type: SOA (Start Of a zone of Authority) (6)" size="2" pos="63" show="6" value="0006"/>
3958 <field name="dns.qry.class" showname="Class: IN (0x0001)" size="2" pos="65" show="0x00000001" value="0001"/>
3959 </field>
3960 </field>
<!-- The update section is byte-for-byte the one sent in frame 1166: the response repeats the zone and the CNAME record. -->
3961 <field name="" show="Updates" size="29" pos="67" value="0a636e616d655f74657374c00c0005000100000384000603646336c00c">
3962 <field name="" show="cname_test.samba2003.example.com: type CNAME, class IN, cname dc6.samba2003.example.com" size="29" pos="67" value="0a636e616d655f74657374c00c0005000100000384000603646336c00c">
3963 <field name="dns.resp.name" showname="Name: cname_test.samba2003.example.com" size="13" pos="67" show="cname_test.samba2003.example.com" value="0a636e616d655f74657374c00c"/>
3964 <field name="dns.resp.type" showname="Type: CNAME (Canonical NAME for an alias) (5)" size="2" pos="80" show="5" value="0005"/>
3965 <field name="dns.resp.class" showname="Class: IN (0x0001)" size="2" pos="82" show="0x00000001" value="0001"/>
3966 <field name="dns.resp.ttl" showname="Time to live: 900" size="4" pos="84" show="900" value="00000384"/>
3967 <field name="dns.resp.len" showname="Data length: 6" size="2" pos="88" show="6" value="0006"/>
3968 <field name="dns.cname" showname="CNAME: dc6.samba2003.example.com" size="6" pos="90" show="dc6.samba2003.example.com" value="03646336c00c"/>
3969 </field>
3970 </field>
3971 </proto>
3972 </packet>
3974 <packet>
3975 <proto name="geninfo" pos="0" showname="General information" size="328">
<!-- Capture-level metadata for frame 1380. For num, len and caplen the value attribute is the hexadecimal form of show
     (1380 = 0x564, 328 = 0x148); for timestamp it is the epoch time in seconds. -->
3976 <field name="num" pos="0" show="1380" showname="Number" value="564" size="328"/>
3977 <field name="len" pos="0" show="328" showname="Frame Length" value="148" size="328"/>
3978 <field name="caplen" pos="0" show="328" showname="Captured Length" value="148" size="328"/>
3979 <field name="timestamp" pos="0" show="Feb 16, 2017 11:26:29.619792000 NZDT" showname="Captured Time" value="1487197589.619792000" size="328"/>
3980 </proto>
3981 <proto name="frame" showname="Frame 1380: 328 bytes on wire (2624 bits), 328 bytes captured (2624 bits)" size="328" pos="0">
<!-- Frame summary for frame 1380. Every field here has size="0" and no value attribute;
     NOTE(review): presumably these are dissector-generated values rather than bytes of the packet.
     frame.protocols lists the dissector stack raw:ip:tcp:dcerpc:ntlmssp, i.e. NTLMSSP is dissected inside the DCE/RPC layer of this frame. -->
3982 <field name="frame.encap_type" showname="Encapsulation type: Raw IP (7)" size="0" pos="0" show="7"/>
3983 <field name="frame.time" showname="Arrival Time: Feb 16, 2017 11:26:29.619792000 NZDT" size="0" pos="0" show="Feb 16, 2017 11:26:29.619792000 NZDT"/>
3984 <field name="frame.offset_shift" showname="Time shift for this packet: 0.000000000 seconds" size="0" pos="0" show="0.000000000"/>
3985 <field name="frame.time_epoch" showname="Epoch Time: 1487197589.619792000 seconds" size="0" pos="0" show="1487197589.619792000"/>
3986 <field name="frame.time_delta" showname="Time delta from previous captured frame: 0.000186000 seconds" size="0" pos="0" show="0.000186000"/>
3987 <field name="frame.time_delta_displayed" showname="Time delta from previous displayed frame: 0.000186000 seconds" size="0" pos="0" show="0.000186000"/>
3988 <field name="frame.time_relative" showname="Time since reference or first frame: 33.460498000 seconds" size="0" pos="0" show="33.460498000"/>
3989 <field name="frame.number" showname="Frame Number: 1380" size="0" pos="0" show="1380"/>
3990 <field name="frame.len" showname="Frame Length: 328 bytes (2624 bits)" size="0" pos="0" show="328"/>
3991 <field name="frame.cap_len" showname="Capture Length: 328 bytes (2624 bits)" size="0" pos="0" show="328"/>
3992 <field name="frame.marked" showname="Frame is marked: False" size="0" pos="0" show="0"/>
3993 <field name="frame.ignored" showname="Frame is ignored: False" size="0" pos="0" show="0"/>
3994 <field name="frame.protocols" showname="Protocols in frame: raw:ip:tcp:dcerpc:ntlmssp" size="0" pos="0" show="raw:ip:tcp:dcerpc:ntlmssp"/>
3995 </proto>
3996 <proto name="raw" showname="Raw packet data" size="328" pos="0"/> <!-- Empty layer spanning the whole 328-byte frame; the ip layer that follows also starts at pos 0, so no link-layer header precedes the IP header (frame.encap_type is Raw IP). -->
3997 <proto name="ip" showname="Internet Protocol Version 4, Src: 127.0.0.26, Dst: 127.0.0.26" size="20" pos="0">
<!-- IPv4 header of frame 1380: source and destination are both 127.0.0.26, protocol is TCP (6), total length 328.
     Identification is 0xffff and the header checksum is 0x0000 with validation disabled, so checksum_good and checksum_bad
     are both False without any check having been made.
     Fields marked hide="yes" (ip.addr, ip.src_host, ip.dst_host, ip.host) repeat the source and destination bytes under alias names. -->
3998 <field name="ip.version" showname="0100 .... = Version: 4" size="1" pos="0" show="4" value="4" unmaskedvalue="45"/>
3999 <field name="ip.hdr_len" showname=".... 0101 = Header Length: 20 bytes" size="1" pos="0" show="5" value="5" unmaskedvalue="45"/>
4000 <field name="ip.dsfield" showname="Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)" size="1" pos="1" show="0x00000000" value="00">
4001 <field name="ip.dsfield.dscp" showname="0000 00.. = Differentiated Services Codepoint: Default (0)" size="1" pos="1" show="0" value="0" unmaskedvalue="00"/>
4002 <field name="ip.dsfield.ecn" showname=".... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)" size="1" pos="1" show="0" value="0" unmaskedvalue="00"/>
4003 </field>
4004 <field name="ip.len" showname="Total Length: 328" size="2" pos="2" show="328" value="0148"/>
4005 <field name="ip.id" showname="Identification: 0xffff (65535)" size="2" pos="4" show="0x0000ffff" value="ffff"/>
4006 <field name="ip.flags" showname="Flags: 0x02 (Don&#x27;t Fragment)" size="1" pos="6" show="0x00000002" value="40">
4007 <field name="ip.flags.rb" showname="0... .... = Reserved bit: Not set" size="1" pos="6" show="0" value="40"/>
4008 <field name="ip.flags.df" showname=".1.. .... = Don&#x27;t fragment: Set" size="1" pos="6" show="1" value="40"/>
4009 <field name="ip.flags.mf" showname="..0. .... = More fragments: Not set" size="1" pos="6" show="0" value="40"/>
4010 </field>
4011 <field name="ip.frag_offset" showname="Fragment offset: 0" size="2" pos="6" show="0" value="4000"/>
4012 <field name="ip.ttl" showname="Time to live: 255" size="1" pos="8" show="255" value="ff"/>
4013 <field name="ip.proto" showname="Protocol: TCP (6)" size="1" pos="9" show="6" value="06"/>
4014 <field name="ip.checksum" showname="Header checksum: 0x0000 [validation disabled]" size="2" pos="10" show="0x00000000" value="0000">
4015 <field name="ip.checksum_good" showname="Good: False" size="2" pos="10" show="0" value="0000"/>
4016 <field name="ip.checksum_bad" showname="Bad: False" size="2" pos="10" show="0" value="0000"/>
4017 </field>
4018 <field name="ip.src" showname="Source: 127.0.0.26" size="4" pos="12" show="127.0.0.26" value="7f00001a"/>
4019 <field name="ip.addr" showname="Source or Destination Address: 127.0.0.26" hide="yes" size="4" pos="12" show="127.0.0.26" value="7f00001a"/>
4020 <field name="ip.src_host" showname="Source Host: 127.0.0.26" hide="yes" size="4" pos="12" show="127.0.0.26" value="7f00001a"/>
4021 <field name="ip.host" showname="Source or Destination Host: 127.0.0.26" hide="yes" size="4" pos="12" show="127.0.0.26" value="7f00001a"/>
4022 <field name="ip.dst" showname="Destination: 127.0.0.26" size="4" pos="16" show="127.0.0.26" value="7f00001a"/>
4023 <field name="ip.addr" showname="Source or Destination Address: 127.0.0.26" hide="yes" size="4" pos="16" show="127.0.0.26" value="7f00001a"/>
4024 <field name="ip.dst_host" showname="Destination Host: 127.0.0.26" hide="yes" size="4" pos="16" show="127.0.0.26" value="7f00001a"/>
4025 <field name="ip.host" showname="Source or Destination Host: 127.0.0.26" hide="yes" size="4" pos="16" show="127.0.0.26" value="7f00001a"/>
4026 <field name="" show="Source GeoIP: Unknown" size="4" pos="12" value="7f00001a"/>
4027 <field name="" show="Destination GeoIP: Unknown" size="4" pos="16" value="7f00001a"/>
4028 </proto>
4029 <proto name="tcp" showname="Transmission Control Protocol, Src Port: 32030 (32030), Dst Port: 49152 (49152), Seq: 799, Ack: 439, Len: 288" size="20" pos="20">
<!-- TCP header of frame 1380: port 32030 to port 49152, PSH and ACK set, 288 bytes of payload.
     Sequence and acknowledgment numbers in show are relative, as the shownames state; value holds the bytes found at that position.
     tcp.len is a derived field: its show is 288, while its value (50) is the byte at pos 32 that tcp.hdr_len also reports.
     NOTE(review): a consumer should take derived quantities such as tcp.len from show, not value.
     The checksum is 0x0000 with validation disabled, so the Good/Bad flags carry no integrity information. -->
4030 <field name="tcp.srcport" showname="Source Port: 32030" size="2" pos="20" show="32030" value="7d1e"/>
4031 <field name="tcp.dstport" showname="Destination Port: 49152" size="2" pos="22" show="49152" value="c000"/>
4032 <field name="tcp.port" showname="Source or Destination Port: 32030" hide="yes" size="2" pos="20" show="32030" value="7d1e"/>
4033 <field name="tcp.port" showname="Source or Destination Port: 49152" hide="yes" size="2" pos="22" show="49152" value="c000"/>
4034 <field name="tcp.stream" showname="Stream index: 29" size="0" pos="20" show="29"/>
4035 <field name="tcp.len" showname="TCP Segment Len: 288" size="1" pos="32" show="288" value="50"/>
4036 <field name="tcp.seq" showname="Sequence number: 799 (relative sequence number)" size="4" pos="24" show="799" value="0000031f"/>
4037 <field name="tcp.nxtseq" showname="Next sequence number: 1087 (relative sequence number)" size="0" pos="20" show="1087"/>
4038 <field name="tcp.ack" showname="Acknowledgment number: 439 (relative ack number)" size="4" pos="28" show="439" value="000001b7"/>
4039 <field name="tcp.hdr_len" showname="Header Length: 20 bytes" size="1" pos="32" show="20" value="50"/>
4040 <field name="tcp.flags" showname="Flags: 0x018 (PSH, ACK)" size="2" pos="32" show="0x00000018" value="18" unmaskedvalue="5018">
4041 <field name="tcp.flags.res" showname="000. .... .... = Reserved: Not set" size="1" pos="32" show="0" value="0" unmaskedvalue="50"/>
4042 <field name="tcp.flags.ns" showname="...0 .... .... = Nonce: Not set" size="1" pos="32" show="0" value="0" unmaskedvalue="50"/>
4043 <field name="tcp.flags.cwr" showname=".... 0... .... = Congestion Window Reduced (CWR): Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
4044 <field name="tcp.flags.ecn" showname=".... .0.. .... = ECN-Echo: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
4045 <field name="tcp.flags.urg" showname=".... ..0. .... = Urgent: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
4046 <field name="tcp.flags.ack" showname=".... ...1 .... = Acknowledgment: Set" size="1" pos="33" show="1" value="FFFFFFFF" unmaskedvalue="18"/>
4047 <field name="tcp.flags.push" showname=".... .... 1... = Push: Set" size="1" pos="33" show="1" value="FFFFFFFF" unmaskedvalue="18"/>
4048 <field name="tcp.flags.reset" showname=".... .... .0.. = Reset: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
4049 <field name="tcp.flags.syn" showname=".... .... ..0. = Syn: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
4050 <field name="tcp.flags.fin" showname=".... .... ...0 = Fin: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
4051 <field name="tcp.flags.str" showname="TCP Flags: *******AP***" size="2" pos="32" show="*******AP***" value="5018"/>
4052 </field>
4053 <field name="tcp.window_size_value" showname="Window size value: 32767" size="2" pos="34" show="32767" value="7fff"/>
4054 <field name="tcp.window_size" showname="Calculated window size: 32767" size="2" pos="34" show="32767" value="7fff"/>
4055 <field name="tcp.window_size_scalefactor" showname="Window size scaling factor: -2 (no window scaling used)" size="2" pos="34" show="-2" value="7fff"/>
4056 <field name="tcp.checksum" showname="Checksum: 0x0000 [validation disabled]" size="2" pos="36" show="0x00000000" value="0000">
4057 <field name="tcp.checksum_good" showname="Good Checksum: False" size="2" pos="36" show="0" value="0000"/>
4058 <field name="tcp.checksum_bad" showname="Bad Checksum: False" size="2" pos="36" show="0" value="0000"/>
4059 </field>
4060 <field name="tcp.urgent_pointer" showname="Urgent pointer: 0" size="2" pos="38" show="0" value="0000"/>
4061 <field name="tcp.analysis" showname="SEQ/ACK analysis" size="0" pos="20" show="" value="">
4062 <field name="tcp.analysis.acks_frame" showname="This is an ACK to the segment in frame: 1377" size="0" pos="20" show="1377"/>
4063 <field name="tcp.analysis.ack_rtt" showname="The RTT to ACK the segment was: 0.000209000 seconds" size="0" pos="20" show="0.000209000"/>
4064 <field name="tcp.analysis.initial_rtt" showname="iRTT: 0.000014000 seconds" size="0" pos="20" show="0.000014000"/>
4065 <field name="tcp.analysis.bytes_in_flight" showname="Bytes in flight: 288" size="0" pos="20" show="288"/>
4066 </field>
4067 </proto>
4068 <proto name="dcerpc" showname="Distributed Computing Environment / Remote Procedure Call (DCE/RPC) Request, Fragment: Single, FragLen: 288, Call: 2, Ctx: 0" size="288" pos="40">
<!-- DCE/RPC request PDU for call 2, opnum 9. It is a single fragment: the First Frag and Last Frag flag bits are both set and the PDU is 288 bytes long. -->
4069 <field name="dcerpc.ver" showname="Version: 5" size="1" pos="40" show="5" value="05"/>
4070 <field name="dcerpc.ver_minor" showname="Version (minor): 0" size="1" pos="41" show="0" value="00"/>
4071 <field name="dcerpc.pkt_type" showname="Packet type: Request (0)" size="1" pos="42" show="0" value="00"/>
4072 <field name="dcerpc.cn_flags" showname="Packet Flags: 0x03" size="1" pos="43" show="0x00000003" value="03">
4073 <field name="dcerpc.cn_flags.object" showname="0... .... = Object: Not set" size="1" pos="43" show="0" value="0" unmaskedvalue="03"/>
4074 <field name="dcerpc.cn_flags.maybe" showname=".0.. .... = Maybe: Not set" size="1" pos="43" show="0" value="0" unmaskedvalue="03"/>
4075 <field name="dcerpc.cn_flags.dne" showname="..0. .... = Did Not Execute: Not set" size="1" pos="43" show="0" value="0" unmaskedvalue="03"/>
4076 <field name="dcerpc.cn_flags.mpx" showname="...0 .... = Multiplex: Not set" size="1" pos="43" show="0" value="0" unmaskedvalue="03"/>
4077 <field name="dcerpc.cn_flags.reserved" showname=".... 0... = Reserved: Not set" size="1" pos="43" show="0" value="0" unmaskedvalue="03"/>
4078 <field name="dcerpc.cn_flags.cancel_pending" showname=".... .0.. = Cancel Pending: Not set" size="1" pos="43" show="0" value="0" unmaskedvalue="03"/>
4079 <field name="dcerpc.cn_flags.last_frag" showname=".... ..1. = Last Frag: Set" size="1" pos="43" show="1" value="FFFFFFFF" unmaskedvalue="03"/>
4080 <field name="dcerpc.cn_flags.first_frag" showname=".... ...1 = First Frag: Set" size="1" pos="43" show="1" value="FFFFFFFF" unmaskedvalue="03"/>
4081 </field>
4082 <field name="dcerpc.drep" showname="Data Representation: 10000000" size="4" pos="44" show="10:00:00:00" value="10000000">
4083 <field name="dcerpc.drep.byteorder" showname="Byte order: Little-endian (1)" size="1" pos="44" show="1" value="10"/>
4084 <field name="dcerpc.drep.character" showname="Character: ASCII (0)" size="1" pos="44" show="0" value="10"/>
4085 <field name="dcerpc.drep.fp" showname="Floating-point: IEEE (0)" size="1" pos="45" show="0" value="00"/>
4086 </field>
<!-- Length bookkeeping: Frag Length 288 is the size of this proto element. Auth Length 16 equals the size of the NTLMSSP verifier in the gss-api trailer. Alloc hint 236 equals the size of the dnsserver stub that follows this proto element. -->
4087 <field name="dcerpc.cn_frag_len" showname="Frag Length: 288" size="2" pos="48" show="288" value="2001"/>
4088 <field name="dcerpc.cn_auth_len" showname="Auth Length: 16" size="2" pos="50" show="16" value="1000"/>
4089 <field name="dcerpc.cn_call_id" showname="Call ID: 2" size="4" pos="52" show="2" value="02000000"/>
4090 <field name="dcerpc.cn_alloc_hint" showname="Alloc hint: 236" size="4" pos="56" show="236" value="ec000000"/>
4091 <field name="dcerpc.cn_ctx_id" showname="Context ID: 0" size="2" pos="60" show="0" value="0000"/>
4092 <field name="dcerpc.opnum" showname="Opnum: 9" size="2" pos="62" show="9" value="0900"/>
<!-- Auth trailer, reported at pos 300 to 311, after the stub at pos 64 to 299. Auth type is SPNEGO and auth level is 5 (packet integrity). NOTE(review): packet integrity presumably means the PDU is signed but the stub is not sealed, which is consistent with the readable strings in the dnsserver payload of this packet; confirm before relying on it. -->
4093 <field name="dcerpc.auth_type" showname="Auth type: SPNEGO (9)" size="1" pos="304" show="9" value="09"/>
4094 <field name="dcerpc.auth_level" showname="Auth level: Packet integrity (5)" size="1" pos="305" show="5" value="05"/>
4095 <field name="dcerpc.auth_pad_len" showname="Auth pad len: 4" size="1" pos="306" show="4" value="04"/>
4096 <field name="dcerpc.auth_rsrvd" showname="Auth Rsrvd: 0" size="1" pos="307" show="0" value="00"/>
4097 <field name="dcerpc.auth_ctx_id" showname="Auth Context ID: 1" size="4" pos="308" show="1" value="01000000"/>
4098 <field name="dcerpc.auth_padding" showname="Auth Padding: 00000000" size="4" pos="300" show="00:00:00:00" value="00000000"/>
<!-- The gss-api element is given size 28 although it starts at pos 312 and the PDU ends at pos 328; the only dissected content is the 16 byte NTLMSSP verifier (4 byte version number plus 12 byte verifier body). -->
4099 <proto name="gss-api" showname="GSS-API Generic Security Service Application Program Interface" size="28" pos="312">
4100 <field name="ntlmssp.verf" showname="NTLMSSP Verifier" size="16" pos="312" show="" value="">
4101 <field name="ntlmssp.verf.vers" showname="Version Number: 1" size="4" pos="312" show="1" value="01000000"/>
4102 <field name="ntlmssp.verf.body" showname="Verifier Body: 9f7b95490561ec3101000000" size="12" pos="316" show="9f:7b:95:49:05:61:ec:31:01:00:00:00" value="9f7b95490561ec3101000000"/>
4103 </field>
4104 </proto>
4105 </proto>
4106 <proto name="dnsserver" showname="DNS Server, DnssrvUpdateRecord2" size="236" pos="64">
<!-- Stub of the DnssrvUpdateRecord2 call (opnum 9). The 236 byte body is not broken down into named fields in this export: it appears only as raw hex in the value attribute of an unnamed field, together with a "Long frame" expert warning. -->
4107 <field name="dnsserver.opnum" showname="Operation: DnssrvUpdateRecord2 (9)" size="0" pos="64" show="9"/>
<!-- The hex below holds readable strings: UTF-16LE "127.0.0.26" and ASCII "samba2003.example.com" and "rpcemptytextrec.samba2003.example.com". Value attributes in this fixture therefore carry request payload, not only header bytes; a capture exported from a real network should be reviewed or elided in the same way before it is shared. -->
4108 <field name="" show="Long frame" size="236" pos="64" value="0000070000000000000002000b000000000000000b0000003100320037002e0030002e0030002e0032003600000000000400020016000000000000001600000073616d6261323030332e6578616d706c652e636f6d000000260000000000000026000000727063656d707479746578747265632e73616d6261323030332e6578616d706c652e636f6d000000080002000000000000001000f000000001000000840300000000000000000000000000008ae3137102f43671010004000100000002402800a4c2ab504d57b3409d66ee4fd5fba07605000000045d888aeb1cc9119fe808002b10486002000000">
<!-- Expert info attached to the raw field: severity Warn, group Protocol, message "Long frame". -->
4109 <field name="_ws.expert" showname="Expert Info (Warn/Protocol): Long frame" size="0" pos="64">
4110 <field name="dcerpc.long_frame" showname="Long frame" size="0" pos="0" show="" value=""/>
4111 <field name="_ws.expert.message" showname="Message: Long frame" hide="yes" size="0" pos="0" show="Long frame"/>
4112 <field name="_ws.expert.severity" showname="Severity level: Warn" size="0" pos="0" show="0x00600000"/>
4113 <field name="_ws.expert.group" showname="Group: Protocol" size="0" pos="0" show="0x09000000"/>
4114 </field>
4115 </field>
4116 </proto>
4117 </packet>
4119 <packet>
4120 <proto name="geninfo" pos="0" showname="General information" size="160">
4121 <field name="num" pos="0" show="496" showname="Number" value="1f0" size="160"/>
4122 <field name="len" pos="0" show="160" showname="Frame Length" value="a0" size="160"/>
4123 <field name="caplen" pos="0" show="160" showname="Captured Length" value="a0" size="160"/>
4124 <field name="timestamp" pos="0" show="Feb 16, 2017 12:18:10.757022000 NZDT" showname="Captured Time" value="1487200690.757022000" size="160"/>
4125 </proto>
4126 <proto name="frame" showname="Frame 496: 160 bytes on wire (1280 bits), 160 bytes captured (1280 bits)" size="160" pos="0">
4127 <field name="frame.encap_type" showname="Encapsulation type: Raw IP (7)" size="0" pos="0" show="7"/>
4128 <field name="frame.time" showname="Arrival Time: Feb 16, 2017 12:18:10.757022000 NZDT" size="0" pos="0" show="Feb 16, 2017 12:18:10.757022000 NZDT"/>
4129 <field name="frame.offset_shift" showname="Time shift for this packet: 0.000000000 seconds" size="0" pos="0" show="0.000000000"/>
4130 <field name="frame.time_epoch" showname="Epoch Time: 1487200690.757022000 seconds" size="0" pos="0" show="1487200690.757022000"/>
4131 <field name="frame.time_delta" showname="Time delta from previous captured frame: 0.000083000 seconds" size="0" pos="0" show="0.000083000"/>
4132 <field name="frame.time_delta_displayed" showname="Time delta from previous displayed frame: 0.000083000 seconds" size="0" pos="0" show="0.000083000"/>
4133 <field name="frame.time_relative" showname="Time since reference or first frame: 5.519298000 seconds" size="0" pos="0" show="5.519298000"/>
4134 <field name="frame.number" showname="Frame Number: 496" size="0" pos="0" show="496"/>
4135 <field name="frame.len" showname="Frame Length: 160 bytes (1280 bits)" size="0" pos="0" show="160"/>
4136 <field name="frame.cap_len" showname="Capture Length: 160 bytes (1280 bits)" size="0" pos="0" show="160"/>
4137 <field name="frame.marked" showname="Frame is marked: False" size="0" pos="0" show="0"/>
4138 <field name="frame.ignored" showname="Frame is ignored: False" size="0" pos="0" show="0"/>
4139 <field name="frame.protocols" showname="Protocols in frame: raw:ip:tcp:nbss:smb:dcerpc" size="0" pos="0" show="raw:ip:tcp:nbss:smb:dcerpc"/>
4140 </proto>
4141 <proto name="raw" showname="Raw packet data" size="160" pos="0"/>
4142 <proto name="ip" showname="Internet Protocol Version 4, Src: 127.0.0.11, Dst: 127.0.0.21" size="20" pos="0">
4143 <field name="ip.version" showname="0100 .... = Version: 4" size="1" pos="0" show="4" value="4" unmaskedvalue="45"/>
4144 <field name="ip.hdr_len" showname=".... 0101 = Header Length: 20 bytes" size="1" pos="0" show="5" value="5" unmaskedvalue="45"/>
4145 <field name="ip.dsfield" showname="Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)" size="1" pos="1" show="0x00000000" value="00">
4146 <field name="ip.dsfield.dscp" showname="0000 00.. = Differentiated Services Codepoint: Default (0)" size="1" pos="1" show="0" value="0" unmaskedvalue="00"/>
4147 <field name="ip.dsfield.ecn" showname=".... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)" size="1" pos="1" show="0" value="0" unmaskedvalue="00"/>
4148 </field>
4149 <field name="ip.len" showname="Total Length: 160" size="2" pos="2" show="160" value="00a0"/>
4150 <field name="ip.id" showname="Identification: 0xffff (65535)" size="2" pos="4" show="0x0000ffff" value="ffff"/>
4151 <field name="ip.flags" showname="Flags: 0x02 (Don&#x27;t Fragment)" size="1" pos="6" show="0x00000002" value="40">
4152 <field name="ip.flags.rb" showname="0... .... = Reserved bit: Not set" size="1" pos="6" show="0" value="40"/>
4153 <field name="ip.flags.df" showname=".1.. .... = Don&#x27;t fragment: Set" size="1" pos="6" show="1" value="40"/>
4154 <field name="ip.flags.mf" showname="..0. .... = More fragments: Not set" size="1" pos="6" show="0" value="40"/>
4155 </field>
4156 <field name="ip.frag_offset" showname="Fragment offset: 0" size="2" pos="6" show="0" value="4000"/>
4157 <field name="ip.ttl" showname="Time to live: 255" size="1" pos="8" show="255" value="ff"/>
4158 <field name="ip.proto" showname="Protocol: TCP (6)" size="1" pos="9" show="6" value="06"/>
4159 <field name="ip.checksum" showname="Header checksum: 0x0000 [validation disabled]" size="2" pos="10" show="0x00000000" value="0000">
4160 <field name="ip.checksum_good" showname="Good: False" size="2" pos="10" show="0" value="0000"/>
4161 <field name="ip.checksum_bad" showname="Bad: False" size="2" pos="10" show="0" value="0000"/>
4162 </field>
4163 <field name="ip.src" showname="Source: 127.0.0.11" size="4" pos="12" show="127.0.0.11" value="7f00000b"/>
4164 <field name="ip.addr" showname="Source or Destination Address: 127.0.0.11" hide="yes" size="4" pos="12" show="127.0.0.11" value="7f00000b"/>
4165 <field name="ip.src_host" showname="Source Host: 127.0.0.11" hide="yes" size="4" pos="12" show="127.0.0.11" value="7f00000b"/>
4166 <field name="ip.host" showname="Source or Destination Host: 127.0.0.11" hide="yes" size="4" pos="12" show="127.0.0.11" value="7f00000b"/>
4167 <field name="ip.dst" showname="Destination: 127.0.0.21" size="4" pos="16" show="127.0.0.21" value="7f000015"/>
4168 <field name="ip.addr" showname="Source or Destination Address: 127.0.0.21" hide="yes" size="4" pos="16" show="127.0.0.21" value="7f000015"/>
4169 <field name="ip.dst_host" showname="Destination Host: 127.0.0.21" hide="yes" size="4" pos="16" show="127.0.0.21" value="7f000015"/>
4170 <field name="ip.host" showname="Source or Destination Host: 127.0.0.21" hide="yes" size="4" pos="16" show="127.0.0.21" value="7f000015"/>
4171 <field name="" show="Source GeoIP: Unknown" size="4" pos="12" value="7f00000b"/>
4172 <field name="" show="Destination GeoIP: Unknown" size="4" pos="16" value="7f000015"/>
4173 </proto>
4174 <proto name="tcp" showname="Transmission Control Protocol, Src Port: 19094 (19094), Dst Port: 445 (445), Seq: 2889, Ack: 1672, Len: 120" size="20" pos="20">
4175 <field name="tcp.srcport" showname="Source Port: 19094" size="2" pos="20" show="19094" value="4a96"/>
4176 <field name="tcp.dstport" showname="Destination Port: 445" size="2" pos="22" show="445" value="01bd"/>
4177 <field name="tcp.port" showname="Source or Destination Port: 19094" hide="yes" size="2" pos="20" show="19094" value="4a96"/>
4178 <field name="tcp.port" showname="Source or Destination Port: 445" hide="yes" size="2" pos="22" show="445" value="01bd"/>
4179 <field name="tcp.stream" showname="Stream index: 10" size="0" pos="20" show="10"/>
4180 <field name="tcp.len" showname="TCP Segment Len: 120" size="1" pos="32" show="120" value="50"/>
4181 <field name="tcp.seq" showname="Sequence number: 2889 (relative sequence number)" size="4" pos="24" show="2889" value="00000b49"/>
4182 <field name="tcp.nxtseq" showname="Next sequence number: 3009 (relative sequence number)" size="0" pos="20" show="3009"/>
4183 <field name="tcp.ack" showname="Acknowledgment number: 1672 (relative ack number)" size="4" pos="28" show="1672" value="00000688"/>
4184 <field name="tcp.hdr_len" showname="Header Length: 20 bytes" size="1" pos="32" show="20" value="50"/>
4185 <field name="tcp.flags" showname="Flags: 0x018 (PSH, ACK)" size="2" pos="32" show="0x00000018" value="18" unmaskedvalue="5018">
4186 <field name="tcp.flags.res" showname="000. .... .... = Reserved: Not set" size="1" pos="32" show="0" value="0" unmaskedvalue="50"/>
4187 <field name="tcp.flags.ns" showname="...0 .... .... = Nonce: Not set" size="1" pos="32" show="0" value="0" unmaskedvalue="50"/>
4188 <field name="tcp.flags.cwr" showname=".... 0... .... = Congestion Window Reduced (CWR): Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
4189 <field name="tcp.flags.ecn" showname=".... .0.. .... = ECN-Echo: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
4190 <field name="tcp.flags.urg" showname=".... ..0. .... = Urgent: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
4191 <field name="tcp.flags.ack" showname=".... ...1 .... = Acknowledgment: Set" size="1" pos="33" show="1" value="FFFFFFFF" unmaskedvalue="18"/>
4192 <field name="tcp.flags.push" showname=".... .... 1... = Push: Set" size="1" pos="33" show="1" value="FFFFFFFF" unmaskedvalue="18"/>
4193 <field name="tcp.flags.reset" showname=".... .... .0.. = Reset: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
4194 <field name="tcp.flags.syn" showname=".... .... ..0. = Syn: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
4195 <field name="tcp.flags.fin" showname=".... .... ...0 = Fin: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
4196 <field name="tcp.flags.str" showname="TCP Flags: *******AP***" size="2" pos="32" show="*******AP***" value="5018"/>
4197 </field>
4198 <field name="tcp.window_size_value" showname="Window size value: 32767" size="2" pos="34" show="32767" value="7fff"/>
4199 <field name="tcp.window_size" showname="Calculated window size: 32767" size="2" pos="34" show="32767" value="7fff"/>
4200 <field name="tcp.window_size_scalefactor" showname="Window size scaling factor: -2 (no window scaling used)" size="2" pos="34" show="-2" value="7fff"/>
4201 <field name="tcp.checksum" showname="Checksum: 0x0000 [validation disabled]" size="2" pos="36" show="0x00000000" value="0000">
4202 <field name="tcp.checksum_good" showname="Good Checksum: False" size="2" pos="36" show="0" value="0000"/>
4203 <field name="tcp.checksum_bad" showname="Bad Checksum: False" size="2" pos="36" show="0" value="0000"/>
4204 </field>
4205 <field name="tcp.urgent_pointer" showname="Urgent pointer: 0" size="2" pos="38" show="0" value="0000"/>
4206 <field name="tcp.analysis" showname="SEQ/ACK analysis" size="0" pos="20" show="" value="">
4207 <field name="tcp.analysis.acks_frame" showname="This is an ACK to the segment in frame: 493" size="0" pos="20" show="493"/>
4208 <field name="tcp.analysis.ack_rtt" showname="The RTT to ACK the segment was: 0.000154000 seconds" size="0" pos="20" show="0.000154000"/>
4209 <field name="tcp.analysis.initial_rtt" showname="iRTT: 0.000013000 seconds" size="0" pos="20" show="0.000013000"/>
4210 <field name="tcp.analysis.bytes_in_flight" showname="Bytes in flight: 120" size="0" pos="20" show="120"/>
4211 </field>
4212 </proto>
4213 <proto name="nbss" showname="NetBIOS Session Service" size="120" pos="40">
4214 <field name="nbss.type" showname="Message Type: Session message (0x00)" size="1" pos="40" show="0x00000000" value="00"/>
4215 <field name="nbss.length" showname="Length: 116" size="3" pos="41" show="116" value="000074"/>
4216 </proto>
4217 <proto name="smb" showname="SMB (Server Message Block Protocol)" size="116" pos="44">
<!-- SMB1 Trans request (command 0x25) on tree \\LOCALDC\IPC$. The element holds two unnamed container fields: the 32 byte SMB header and the 84 byte Trans Request body. -->
4218 <field name="" show="SMB Header" size="32" pos="44" value="ff534d4225000000001857c80000644f31ab2d1ec497000002e9000025190a00">
4219 <field name="smb.server_component" showname="Server Component: SMB" size="4" pos="44" show="0x424d53ff" value="ff534d42"/>
4220 <field name="smb.cmd" showname="SMB Command: Trans (0x25)" size="1" pos="48" show="37" value="25"/>
4221 <field name="smb.nt_status" showname="NT Status: STATUS_SUCCESS (0x00000000)" size="4" pos="49" show="0" value="00000000"/>
<!-- Flags 0x18: the response bit is clear, so this message is a request to the server. -->
4222 <field name="smb.flags" showname="Flags: 0x18, Canonicalized Pathnames, Case Sensitivity" size="1" pos="53" show="0x00000018" value="18">
4223 <field name="smb.flags.response" showname="0... .... = Request/Response: Message is a request to the server" size="1" pos="53" show="0" value="0" unmaskedvalue="18"/>
4224 <field name="smb.flags.notify" showname=".0.. .... = Notify: Notify client only on open" size="1" pos="53" show="0" value="0" unmaskedvalue="18"/>
4225 <field name="smb.flags.oplock" showname="..0. .... = Oplocks: OpLock not requested/granted" size="1" pos="53" show="0" value="0" unmaskedvalue="18"/>
4226 <field name="smb.flags.canon" showname="...1 .... = Canonicalized Pathnames: Pathnames are canonicalized" size="1" pos="53" show="1" value="FFFFFFFF" unmaskedvalue="18"/>
4227 <field name="smb.flags.caseless" showname=".... 1... = Case Sensitivity: Path names are caseless" size="1" pos="53" show="1" value="FFFFFFFF" unmaskedvalue="18"/>
4228 <field name="smb.flags.receive_buffer" showname=".... ..0. = Receive Buffer Posted: Receive buffer has not been posted" size="1" pos="53" show="0" value="0" unmaskedvalue="18"/>
4229 <field name="smb.flags.lock" showname=".... ...0 = Lock and Read: Lock&amp;Read, Write&amp;Unlock are not supported" size="1" pos="53" show="0" value="0" unmaskedvalue="18"/>
4230 </field>
<!-- Flags2 0xc857 (bytes 57 c8 on the wire): Security Signatures and Security Signatures Required are both set, as are Extended Security Negotiation and Unicode Strings. The header also carries an 8 byte signature field (smb.signature below). -->
4231 <field name="smb.flags2" showname="Flags2: 0xc857, Unicode Strings, Error Code Type, Extended Security Negotiation, Long Names Used, Security Signatures Required, Security Signatures, Extended Attributes, Long Names Allowed" size="2" pos="54" show="0x0000c857" value="57c8">
4232 <field name="smb.flags2.string" showname="1... .... .... .... = Unicode Strings: Strings are Unicode" size="2" pos="54" show="1" value="FFFFFFFF" unmaskedvalue="57c8"/>
4233 <field name="smb.flags2.nt_error" showname=".1.. .... .... .... = Error Code Type: Error codes are NT error codes" size="2" pos="54" show="1" value="FFFFFFFF" unmaskedvalue="57c8"/>
4234 <field name="smb.flags2.roe" showname="..0. .... .... .... = Execute-only Reads: Don&#x27;t permit reads if execute-only" size="2" pos="54" show="0" value="0" unmaskedvalue="57c8"/>
4235 <field name="smb.flags2.dfs" showname="...0 .... .... .... = Dfs: Don&#x27;t resolve pathnames with Dfs" size="2" pos="54" show="0" value="0" unmaskedvalue="57c8"/>
4236 <field name="smb.flags2.esn" showname=".... 1... .... .... = Extended Security Negotiation: Extended security negotiation is supported" size="2" pos="54" show="1" value="FFFFFFFF" unmaskedvalue="57c8"/>
4237 <field name="smb.flags2.reparse_path" showname=".... .0.. .... .... = Reparse Path: The request does not use a @GMT reparse path" size="2" pos="54" show="0" value="0" unmaskedvalue="57c8"/>
4238 <field name="smb.flags2.long_names_used" showname=".... .... .1.. .... = Long Names Used: Path names in request are long file names" size="2" pos="54" show="1" value="FFFFFFFF" unmaskedvalue="57c8"/>
4239 <field name="smb.flags2.sec_sig_required" showname=".... .... ...1 .... = Security Signatures Required: Security signatures are required" size="2" pos="54" show="1" value="FFFFFFFF" unmaskedvalue="57c8"/>
4240 <field name="smb.flags2.compressed" showname=".... .... .... 0... = Compressed: Compression is not requested" size="2" pos="54" show="0" value="0" unmaskedvalue="57c8"/>
4241 <field name="smb.flags2.sec_sig" showname=".... .... .... .1.. = Security Signatures: Security signatures are supported" size="2" pos="54" show="1" value="FFFFFFFF" unmaskedvalue="57c8"/>
4242 <field name="smb.flags2.ea" showname=".... .... .... ..1. = Extended Attributes: Extended attributes are supported" size="2" pos="54" show="1" value="FFFFFFFF" unmaskedvalue="57c8"/>
4243 <field name="smb.flags2.long_names_allowed" showname=".... .... .... ...1 = Long Names Allowed: Long file names are allowed in the response" size="2" pos="54" show="1" value="FFFFFFFF" unmaskedvalue="57c8"/>
4244 </field>
4245 <field name="smb.pid.high" showname="Process ID High: 0" size="2" pos="56" show="0" value="0000"/>
4246 <field name="smb.signature" showname="Signature: 644f31ab2d1ec497" size="8" pos="58" show="64:4f:31:ab:2d:1e:c4:97" value="644f31ab2d1ec497"/>
4247 <field name="smb.reserved" showname="Reserved: 0000" size="2" pos="66" show="00:00" value="0000"/>
<!-- Session identifiers: Tree ID 59650 is resolved by the dissector to \\LOCALDC\IPC$ (mapped in frame 451); User ID 6437 and Multiplex ID 10 follow. The smb.path and smb.fid.mapped_in children have size 0. -->
4248 <field name="smb.tid" showname="Tree ID: 59650 (\\LOCALDC\IPC$)" size="2" pos="68" show="59650" value="02e9">
4249 <field name="smb.path" showname="Path: \\LOCALDC\IPC$" size="0" pos="112" show="\\LOCALDC\IPC$"/>
4250 <field name="smb.fid.mapped_in" showname="Mapped in: 451" size="0" pos="112" show="451"/>
4251 </field>
4252 <field name="smb.pid" showname="Process ID: 0" size="2" pos="70" show="0" value="0000"/>
4253 <field name="smb.uid" showname="User ID: 6437" size="2" pos="72" show="6437" value="2519"/>
4254 <field name="smb.mid" showname="Multiplex ID: 10" size="2" pos="74" show="10" value="0a00"/>
4255 </field>
<!-- Trans Request body: Word Count 16, Data Count 32 at Data Offset 84, Setup Count 2, Byte Count 49, Transaction Name \PIPE\ in UTF-16LE. -->
4256 <field name="" show="Trans Request (0x25)" size="84" pos="76" value="10000020000000b8100000000000000000000000005400200054000200260002003100005c0050004900500045005c00000000000500000310000000200000000200000008000000000000000000000000000002">
4257 <field name="smb.wct" showname="Word Count (WCT): 16" size="1" pos="76" show="16" value="10"/>
4258 <field name="smb.tpc" showname="Total Parameter Count: 0" size="2" pos="77" show="0" value="0000"/>
4259 <field name="smb.tdc" showname="Total Data Count: 32" size="2" pos="79" show="32" value="2000"/>
4260 <field name="smb.mpc" showname="Max Parameter Count: 0" size="2" pos="81" show="0" value="0000"/>
4261 <field name="smb.mdc" showname="Max Data Count: 4280" size="2" pos="83" show="4280" value="b810"/>
4262 <field name="smb.msc" showname="Max Setup Count: 0" size="1" pos="85" show="0" value="00"/>
4263 <field name="smb.reserved" showname="Reserved: 00" size="1" pos="86" show="00" value="00"/>
4264 <field name="smb.transaction.flags" showname="Flags: 0x0000" size="2" pos="87" show="0x00000000" value="0000">
4265 <field name="smb.transaction.flags.owt" showname=".... .... .... ..0. = One Way Transaction: Two way transaction" size="2" pos="87" show="0" value="0" unmaskedvalue="0000"/>
4266 <field name="smb.transaction.flags.dtid" showname=".... .... .... ...0 = Disconnect TID: Do NOT disconnect TID" size="2" pos="87" show="0" value="0" unmaskedvalue="0000"/>
4267 </field>
4268 <field name="smb.timeout" showname="Timeout: Return immediately (0)" size="4" pos="89" show="0" value="00000000"/>
4269 <field name="smb.reserved" showname="Reserved: 0000" size="2" pos="93" show="00:00" value="0000"/>
4270 <field name="smb.pc" showname="Parameter Count: 0" size="2" pos="95" show="0" value="0000"/>
4271 <field name="smb.po" showname="Parameter Offset: 84" size="2" pos="97" show="84" value="5400"/>
4272 <field name="smb.dc" showname="Data Count: 32" size="2" pos="99" show="32" value="2000"/>
4273 <field name="smb.data_offset" showname="Data Offset: 84" size="2" pos="101" show="84" value="5400"/>
4274 <field name="smb.sc" showname="Setup Count: 2" size="1" pos="103" show="2" value="02"/>
4275 <field name="smb.reserved" showname="Reserved: 00" size="1" pos="104" show="00" value="00"/>
4276 <field name="smb.bcc" showname="Byte Count (BCC): 49" size="2" pos="109" show="49" value="3100"/>
4277 <field name="smb.trans_name" showname="Transaction Name: \PIPE\" size="14" pos="112" show="\PIPE\" value="5c0050004900500045005c000000"/>
4278 <field name="smb.padding" showname="Padding: 0000" size="2" pos="126" show="00:00" value="0000"/>
4279 </field>
4280 </proto>
4281 <proto name="smb_pipe" showname="SMB Pipe Protocol" size="21" pos="105">
4282 <field name="smb_pipe.function" showname="Function: TransactNmPipe (0x0026)" size="2" pos="105" show="0x00000026" value="2600"/>
4283 <field name="smb.fid" showname="FID: 0x0002 (\samr)" size="2" pos="107" show="0x00000002" value="0200">
4284 <field name="smb.fid.opened_in" showname="Opened in: 487" size="0" pos="212" show="487"/>
4285 <field name="smb.file" showname="File Name: \samr" size="0" pos="212" show="\samr"/>
4286 <field name="smb.create_flags" showname="Create Flags: 0x00000000" size="4" pos="212" show="0x00000000" value="26000200">
4287 <field name="smb.nt.create.oplock" showname=".... .... .... .... .... .... .... ..0. = Exclusive Oplock: Does NOT request oplock" size="4" pos="105" show="0" value="0" unmaskedvalue="26000200"/>
4288 <field name="smb.nt.create.batch_oplock" showname=".... .... .... .... .... .... .... .0.. = Batch Oplock: Does NOT request batch oplock" size="4" pos="105" show="0" value="0" unmaskedvalue="26000200"/>
4289 <field name="smb.nt.create.dir" showname=".... .... .... .... .... .... .... 0... = Create Directory: Target of open can be a file" size="4" pos="105" show="0" value="0" unmaskedvalue="26000200"/>
4290 <field name="smb.nt.create.ext" showname=".... .... .... .... .... .... ...0 .... = Extended Response: Extended responses NOT required" size="4" pos="105" show="0" value="0" unmaskedvalue="26000200"/>
4291 </field>
4292 <field name="smb.access_mask" showname="Access Mask: 0x0002019f" size="4" pos="212" show="0x0002019f" value="26000200">
4293 <field name="smb.access.read" showname=".... .... .... .... .... .... .... ...1 = Read: READ access" size="4" pos="105" show="1" value="FFFFFFFF" unmaskedvalue="26000200"/>
4294 <field name="smb.access.write" showname=".... .... .... .... .... .... .... ..1. = Write: WRITE access" size="4" pos="105" show="1" value="FFFFFFFF" unmaskedvalue="26000200"/>
4295 <field name="smb.access.append" showname=".... .... .... .... .... .... .... .1.. = Append: APPEND access" size="4" pos="105" show="1" value="FFFFFFFF" unmaskedvalue="26000200"/>
4296 <field name="smb.access.read_ea" showname=".... .... .... .... .... .... .... 1... = Read EA: READ EXTENDED ATTRIBUTES access" size="4" pos="105" show="1" value="FFFFFFFF" unmaskedvalue="26000200"/>
4297 <field name="smb.access.write_ea" showname=".... .... .... .... .... .... ...1 .... = Write EA: WRITE EXTENDED ATTRIBUTES access" size="4" pos="105" show="1" value="FFFFFFFF" unmaskedvalue="26000200"/>
4298 <field name="smb.access.execute" showname=".... .... .... .... .... .... ..0. .... = Execute: NO execute access" size="4" pos="105" show="0" value="0" unmaskedvalue="26000200"/>
4299 <field name="smb.access.delete_child" showname=".... .... .... .... .... .... .0.. .... = Delete Child: NO delete child access" size="4" pos="105" show="0" value="0" unmaskedvalue="26000200"/>
4300 <field name="smb.access.read_attributes" showname=".... .... .... .... .... .... 1... .... = Read Attributes: READ ATTRIBUTES access" size="4" pos="105" show="1" value="FFFFFFFF" unmaskedvalue="26000200"/>
4301 <field name="smb.access.write_attributes" showname=".... .... .... .... .... ...1 .... .... = Write Attributes: WRITE ATTRIBUTES access" size="4" pos="105" show="1" value="FFFFFFFF" unmaskedvalue="26000200"/>
4302 <field name="smb.access.delete" showname=".... .... .... ...0 .... .... .... .... = Delete: NO delete access" size="4" pos="105" show="0" value="0" unmaskedvalue="26000200"/>
4303 <field name="smb.access.read_control" showname=".... .... .... ..1. .... .... .... .... = Read Control: READ ACCESS to owner, group and ACL of the SID" size="4" pos="105" show="1" value="FFFFFFFF" unmaskedvalue="26000200"/>
4304 <field name="smb.access.write_dac" showname=".... .... .... .0.. .... .... .... .... = Write DAC: Owner may NOT write to the DAC" size="4" pos="105" show="0" value="0" unmaskedvalue="26000200"/>
4305 <field name="smb.access.write_owner" showname=".... .... .... 0... .... .... .... .... = Write Owner: Can NOT write owner (take ownership)" size="4" pos="105" show="0" value="0" unmaskedvalue="26000200"/>
4306 <field name="smb.access.synchronize" showname=".... .... ...0 .... .... .... .... .... = Synchronize: Can NOT wait on handle to synchronize on completion of I/O" size="4" pos="105" show="0" value="0" unmaskedvalue="26000200"/>
4307 <field name="smb.access.system_security" showname=".... ...0 .... .... .... .... .... .... = System Security: System security is NOT set" size="4" pos="105" show="0" value="0" unmaskedvalue="26000200"/>
4308 <field name="smb.access.maximum_allowed" showname=".... ..0. .... .... .... .... .... .... = Maximum Allowed: Maximum allowed is NOT set" size="4" pos="105" show="0" value="0" unmaskedvalue="26000200"/>
4309 <field name="smb.access.generic_all" showname="...0 .... .... .... .... .... .... .... = Generic All: Generic all is NOT set" size="4" pos="105" show="0" value="0" unmaskedvalue="26000200"/>
4310 <field name="smb.access.generic_execute" showname="..0. .... .... .... .... .... .... .... = Generic Execute: Generic execute is NOT set" size="4" pos="105" show="0" value="0" unmaskedvalue="26000200"/>
4311 <field name="smb.access.generic_write" showname=".0.. .... .... .... .... .... .... .... = Generic Write: Generic write is NOT set" size="4" pos="105" show="0" value="0" unmaskedvalue="26000200"/>
4312 <field name="smb.access.generic_read" showname="0... .... .... .... .... .... .... .... = Generic Read: Generic read is NOT set" size="4" pos="105" show="0" value="0" unmaskedvalue="26000200"/>
4313 </field>
4314 <field name="smb.file_attribute" showname="File Attributes: 0x00000000" size="4" pos="212" show="0x00000000" value="26000200">
4315 <field name="smb.file_attribute.read_only" showname=".... .... .... .... .... .... .... ...0 = Read Only: NOT read only" size="4" pos="105" show="0" value="0" unmaskedvalue="26000200"/>
4316 <field name="smb.file_attribute.hidden" showname=".... .... .... .... .... .... .... ..0. = Hidden: NOT hidden" size="4" pos="105" show="0" value="0" unmaskedvalue="26000200"/>
4317 <field name="smb.file_attribute.system" showname=".... .... .... .... .... .... .... .0.. = System: NOT a system file/dir" size="4" pos="105" show="0" value="0" unmaskedvalue="26000200"/>
4318 <field name="smb.file_attribute.volume" showname=".... .... .... .... .... .... .... 0... = Volume ID: NOT a volume ID" size="4" pos="105" show="0" value="0" unmaskedvalue="26000200"/>
4319 <field name="smb.file_attribute.directory" showname=".... .... .... .... .... .... ...0 .... = Directory: NOT a directory" size="4" pos="105" show="0" value="0" unmaskedvalue="26000200"/>
4320 <field name="smb.file_attribute.archive" showname=".... .... .... .... .... .... ..0. .... = Archive: Has NOT been modified since last archive" size="4" pos="105" show="0" value="0" unmaskedvalue="26000200"/>
4321 <field name="smb.file_attribute.device" showname=".... .... .... .... .... .... .0.. .... = Device: NOT a device" size="4" pos="105" show="0" value="0" unmaskedvalue="26000200"/>
4322 <field name="smb.file_attribute.normal" showname=".... .... .... .... .... .... 0... .... = Normal: Has some attribute set" size="4" pos="105" show="0" value="0" unmaskedvalue="26000200"/>
4323 <field name="smb.file_attribute.temporary" showname=".... .... .... .... .... ...0 .... .... = Temporary: NOT a temporary file" size="4" pos="105" show="0" value="0" unmaskedvalue="26000200"/>
4324 <field name="smb.file_attribute.sparse" showname=".... .... .... .... .... ..0. .... .... = Sparse: NOT a sparse file" size="4" pos="105" show="0" value="0" unmaskedvalue="26000200"/>
4325 <field name="smb.file_attribute.reparse" showname=".... .... .... .... .... .0.. .... .... = Reparse Point: Does NOT have an associated reparse point" size="4" pos="105" show="0" value="0" unmaskedvalue="26000200"/>
4326 <field name="smb.file_attribute.compressed" showname=".... .... .... .... .... 0... .... .... = Compressed: Uncompressed" size="4" pos="105" show="0" value="0" unmaskedvalue="26000200"/>
4327 <field name="smb.file_attribute.offline" showname=".... .... .... .... ...0 .... .... .... = Offline: Online" size="4" pos="105" show="0" value="0" unmaskedvalue="26000200"/>
4328 <field name="smb.file_attribute.not_content_indexed" showname=".... .... .... .... ..0. .... .... .... = Content Indexed: NOT content indexed" size="4" pos="105" show="0" value="0" unmaskedvalue="26000200"/>
4329 <field name="smb.file_attribute.encrypted" showname=".... .... .... .... .0.. .... .... .... = Encrypted: This is NOT an encrypted file" size="4" pos="105" show="0" value="0" unmaskedvalue="26000200"/>
4330 </field>
4331 <field name="smb.share_access" showname="Share Access: 0x00000003, Read, Write" size="4" pos="212" show="0x00000003" value="26000200">
4332 <field name="smb.share.access.read" showname=".... .... .... .... .... .... .... ...1 = Read: Object can be shared for READ" size="4" pos="105" show="1" value="FFFFFFFF" unmaskedvalue="26000200"/>
4333 <field name="smb.share.access.write" showname=".... .... .... .... .... .... .... ..1. = Write: Object can be shared for WRITE" size="4" pos="105" show="1" value="FFFFFFFF" unmaskedvalue="26000200"/>
4334 <field name="smb.share.access.delete" showname=".... .... .... .... .... .... .... .0.. = Delete: Object can NOT be shared for delete" size="4" pos="105" show="0" value="0" unmaskedvalue="26000200"/>
4335 </field>
4336 <field name="smb.create_options" showname="Create Options: 0x00000000" size="4" pos="212" show="0x00000000" value="26000200">
4337 <field name="smb.nt.create_options.directory" showname=".... .... .... .... .... .... .... ...0 = Directory: File being created/opened must not be a directory" size="4" pos="105" show="0" value="0" unmaskedvalue="26000200"/>
4338 <field name="smb.nt.create_options.write_through" showname=".... .... .... .... .... .... .... ..0. = Write Through: Writes need not flush buffered data before completing" size="4" pos="105" show="0" value="0" unmaskedvalue="26000200"/>
4339 <field name="smb.nt.create_options.sequential_only" showname=".... .... .... .... .... .... .... .0.. = Sequential Only: The file might not only be accessed sequentially" size="4" pos="105" show="0" value="0" unmaskedvalue="26000200"/>
4340 <field name="smb.nt.create_options.intermediate_buffering" showname=".... .... .... .... .... .... .... 0... = Intermediate Buffering: Intermediate buffering is allowed" size="4" pos="105" show="0" value="0" unmaskedvalue="26000200"/>
4341 <field name="smb.nt.create_options.sync_io_alert" showname=".... .... .... .... .... .... ...0 .... = Sync I/O Alert: Operations NOT necessarily synchronous" size="4" pos="105" show="0" value="0" unmaskedvalue="26000200"/>
4342 <field name="smb.nt.create_options.sync_io_nonalert" showname=".... .... .... .... .... .... ..0. .... = Sync I/O Nonalert: Operations NOT necessarily synchronous" size="4" pos="105" show="0" value="0" unmaskedvalue="26000200"/>
4343 <field name="smb.nt.create_options.non_directory" showname=".... .... .... .... .... .... .0.. .... = Non-Directory: File being created/opened must be a directory" size="4" pos="105" show="0" value="0" unmaskedvalue="26000200"/>
4344 <field name="smb.nt.create_options.create_tree_connection" showname=".... .... .... .... .... .... 0... .... = Create Tree Connection: Create Tree Connections is NOT set" size="4" pos="105" show="0" value="0" unmaskedvalue="26000200"/>
4345 <field name="smb.nt.create_options.complete_if_oplocked" showname=".... .... .... .... .... ...0 .... .... = Complete If Oplocked: Complete if oplocked is NOT set" size="4" pos="105" show="0" value="0" unmaskedvalue="26000200"/>
4346 <field name="smb.nt.create_options.no_ea_knowledge" showname=".... .... .... .... .... ..0. .... .... = No EA Knowledge: The client understands extended attributes" size="4" pos="105" show="0" value="0" unmaskedvalue="26000200"/>
4347 <field name="smb.nt.create_options.eight_dot_three_only" showname=".... .... .... .... .... .0.. .... .... = 8.3 Only: The client understands long file names" size="4" pos="105" show="0" value="0" unmaskedvalue="26000200"/>
4348 <field name="smb.nt.create_options.random_access" showname=".... .... .... .... .... 0... .... .... = Random Access: The file will not be accessed randomly" size="4" pos="105" show="0" value="0" unmaskedvalue="26000200"/>
4349 <field name="smb.nt.create_options.delete_on_close" showname=".... .... .... .... ...0 .... .... .... = Delete On Close: The file should not be deleted when it is closed" size="4" pos="105" show="0" value="0" unmaskedvalue="26000200"/>
4350 <field name="smb.nt.create_options.open_by_fileid" showname=".... .... .... .... ..0. .... .... .... = Open By FileID: OpenByFileID is NOT set" size="4" pos="105" show="0" value="0" unmaskedvalue="26000200"/>
4351 <field name="smb.nt.create_options.backup_intent" showname=".... .... .... .... .0.. .... .... .... = Backup Intent: This is a normal create" size="4" pos="105" show="0" value="0" unmaskedvalue="26000200"/>
4352 <field name="smb.nt.create_options.no_compression" showname=".... .... .... .... 0... .... .... .... = No Compression: Compression is allowed for Open/Create" size="4" pos="105" show="0" value="0" unmaskedvalue="26000200"/>
4353 <field name="smb.nt.create_options.reserve_opfilter" showname=".... .... ...0 .... .... .... .... .... = Reserve Opfilter: Reserve Opfilter is NOT set" size="4" pos="105" show="0" value="0" unmaskedvalue="26000200"/>
4354 <field name="smb.nt.create_options.open_reparse_point" showname=".... .... ..0. .... .... .... .... .... = Open Reparse Point: Normal open" size="4" pos="105" show="0" value="0" unmaskedvalue="26000200"/>
4355 <field name="smb.nt.create_options.open_no_recall" showname=".... .... .0.. .... .... .... .... .... = Open No Recall: Open no recall is NOT set" size="4" pos="105" show="0" value="0" unmaskedvalue="26000200"/>
4356 <field name="smb.nt.create_options.open_for_free_space_query" showname=".... .... 0... .... .... .... .... .... = Open For Free Space query: This is NOT an open for free space query" size="4" pos="105" show="0" value="0" unmaskedvalue="26000200"/>
4357 </field>
4358 <field name="smb.create.disposition" showname="Disposition: Open (if file exists open it, else fail) (1)" size="0" pos="212" show="1"/>
4359 </field>
4360 </proto>
<!-- DCE/RPC request header for the SAMR Connect call in the next proto.
     First Frag and Last Frag are both set (single fragment) and Auth Length is 0,
     so this PDU carries no auth verifier trailer: DCE/RPC itself adds no signing
     or sealing here, and the stub that follows is dissected in clear text.
     An smb proto precedes this one in the packet; whether that layer protects
     the payload cannot be determined from these fields alone. -->
4361 <proto name="dcerpc" showname="Distributed Computing Environment / Remote Procedure Call (DCE/RPC) Request, Fragment: Single, FragLen: 32, Call: 2, Ctx: 0" size="32" pos="128">
4362 <field name="dcerpc.ver" showname="Version: 5" size="1" pos="128" show="5" value="05"/>
4363 <field name="dcerpc.ver_minor" showname="Version (minor): 0" size="1" pos="129" show="0" value="00"/>
4364 <field name="dcerpc.pkt_type" showname="Packet type: Request (0)" size="1" pos="130" show="0" value="00"/>
4365 <field name="dcerpc.cn_flags" showname="Packet Flags: 0x03" size="1" pos="131" show="0x00000003" value="03">
4366 <field name="dcerpc.cn_flags.object" showname="0... .... = Object: Not set" size="1" pos="131" show="0" value="0" unmaskedvalue="03"/>
4367 <field name="dcerpc.cn_flags.maybe" showname=".0.. .... = Maybe: Not set" size="1" pos="131" show="0" value="0" unmaskedvalue="03"/>
4368 <field name="dcerpc.cn_flags.dne" showname="..0. .... = Did Not Execute: Not set" size="1" pos="131" show="0" value="0" unmaskedvalue="03"/>
4369 <field name="dcerpc.cn_flags.mpx" showname="...0 .... = Multiplex: Not set" size="1" pos="131" show="0" value="0" unmaskedvalue="03"/>
4370 <field name="dcerpc.cn_flags.reserved" showname=".... 0... = Reserved: Not set" size="1" pos="131" show="0" value="0" unmaskedvalue="03"/>
4371 <field name="dcerpc.cn_flags.cancel_pending" showname=".... .0.. = Cancel Pending: Not set" size="1" pos="131" show="0" value="0" unmaskedvalue="03"/>
4372 <field name="dcerpc.cn_flags.last_frag" showname=".... ..1. = Last Frag: Set" size="1" pos="131" show="1" value="FFFFFFFF" unmaskedvalue="03"/>
4373 <field name="dcerpc.cn_flags.first_frag" showname=".... ...1 = First Frag: Set" size="1" pos="131" show="1" value="FFFFFFFF" unmaskedvalue="03"/>
4374 </field>
4375 <field name="dcerpc.drep" showname="Data Representation: 10000000" size="4" pos="132" show="10:00:00:00" value="10000000">
4376 <field name="dcerpc.drep.byteorder" showname="Byte order: Little-endian (1)" size="1" pos="132" show="1" value="10"/>
4377 <field name="dcerpc.drep.character" showname="Character: ASCII (0)" size="1" pos="132" show="0" value="10"/>
4378 <field name="dcerpc.drep.fp" showname="Floating-point: IEEE (0)" size="1" pos="133" show="0" value="00"/>
4379 </field>
4380 <field name="dcerpc.cn_frag_len" showname="Frag Length: 32" size="2" pos="136" show="32" value="2000"/>
4381 <field name="dcerpc.cn_auth_len" showname="Auth Length: 0" size="2" pos="138" show="0" value="0000"/>
4382 <field name="dcerpc.cn_call_id" showname="Call ID: 2" size="4" pos="140" show="2" value="02000000"/>
4383 <field name="dcerpc.cn_alloc_hint" showname="Alloc hint: 8" size="4" pos="144" show="8" value="08000000"/>
4384 <field name="dcerpc.cn_ctx_id" showname="Context ID: 0" size="2" pos="148" show="0" value="0000"/>
4385 <field name="dcerpc.opnum" showname="Opnum: 0" size="2" pos="150" show="0" value="0000"/>
4386 </proto>
<!-- SAMR Connect (opnum 0) with a NULL system-name pointer.
     The requested access mask is 0x02000000 (wire bytes 00000002, little-endian):
     only the Maximum allowed bit is set; every generic, standard and
     SAMR-specific right listed below is clear.
     With Maximum allowed the request does not enumerate the rights it wants, so
     the rights actually granted cannot be read from this packet.
     NOTE(review): check the matching response when using this packet as an
     access-audit reference. -->
4387 <proto name="samr" showname="SAMR (pidl), Connect" size="8" pos="152">
4388 <field name="samr.opnum" showname="Operation: Connect (0)" size="0" pos="152" show="0"/>
4389 <field name="dcerpc.null_pointer" showname="NULL Pointer: Pointer to System Name (uint16)" size="4" pos="152" show="00:00:00:00" value="00000000"/>
4390 <field name="samr.connect.access_mask" showname="Access Mask: 0x02000000" size="4" pos="156" show="0x02000000" value="00000002">
4391 <field name="" show="Generic rights: 0x00000000" size="4" pos="156" value="00000002">
4392 <field name="nt.access_mask.generic_read" showname="0... .... .... .... .... .... .... .... = Generic read: Not set" size="4" pos="156" show="0" value="0" unmaskedvalue="00000002"/>
4393 <field name="nt.access_mask.generic_write" showname=".0.. .... .... .... .... .... .... .... = Generic write: Not set" size="4" pos="156" show="0" value="0" unmaskedvalue="00000002"/>
4394 <field name="nt.access_mask.generic_execute" showname="..0. .... .... .... .... .... .... .... = Generic execute: Not set" size="4" pos="156" show="0" value="0" unmaskedvalue="00000002"/>
4395 <field name="nt.access_mask.generic_all" showname="...0 .... .... .... .... .... .... .... = Generic all: Not set" size="4" pos="156" show="0" value="0" unmaskedvalue="00000002"/>
4396 </field>
4397 <field name="nt.access_mask.maximum_allowed" showname=".... ..1. .... .... .... .... .... .... = Maximum allowed: Set" size="4" pos="156" show="1" value="FFFFFFFF" unmaskedvalue="00000002"/>
4398 <field name="nt.access_mask.access_sacl" showname=".... .... 0... .... .... .... .... .... = Access SACL: Not set" size="4" pos="156" show="0" value="0" unmaskedvalue="00000002"/>
4399 <field name="" show="Standard rights: 0x00000000" size="4" pos="156" value="00000002">
4400 <field name="nt.access_mask.synchronise" showname=".... .... ...0 .... .... .... .... .... = Synchronise: Not set" size="4" pos="156" show="0" value="0" unmaskedvalue="00000002"/>
4401 <field name="nt.access_mask.write_owner" showname=".... .... .... 0... .... .... .... .... = Write owner: Not set" size="4" pos="156" show="0" value="0" unmaskedvalue="00000002"/>
4402 <field name="nt.access_mask.write_dac" showname=".... .... .... .0.. .... .... .... .... = Write DAC: Not set" size="4" pos="156" show="0" value="0" unmaskedvalue="00000002"/>
4403 <field name="nt.access_mask.read_control" showname=".... .... .... ..0. .... .... .... .... = Read control: Not set" size="4" pos="156" show="0" value="0" unmaskedvalue="00000002"/>
4404 <field name="nt.access_mask.delete" showname=".... .... .... ...0 .... .... .... .... = Delete: Not set" size="4" pos="156" show="0" value="0" unmaskedvalue="00000002"/>
4405 </field>
4406 <field name="" show="SAMR Connect specific rights: 0x00000000" size="4" pos="156" value="00000002">
4407 <field name="samr.samr_ConnectAccessMask.SAMR_ACCESS_LOOKUP_DOMAIN" showname=".... .... .... .... .... .... ..0. .... = Samr Access Lookup Domain: SAMR_ACCESS_LOOKUP_DOMAIN is NOT SET" size="4" pos="156" show="0" value="0" unmaskedvalue="00000002"/>
4408 <field name="samr.samr_ConnectAccessMask.SAMR_ACCESS_ENUM_DOMAINS" showname=".... .... .... .... .... .... ...0 .... = Samr Access Enum Domains: SAMR_ACCESS_ENUM_DOMAINS is NOT SET" size="4" pos="156" show="0" value="0" unmaskedvalue="00000002"/>
4409 <field name="samr.samr_ConnectAccessMask.SAMR_ACCESS_CREATE_DOMAIN" showname=".... .... .... .... .... .... .... 0... = Samr Access Create Domain: SAMR_ACCESS_CREATE_DOMAIN is NOT SET" size="4" pos="156" show="0" value="0" unmaskedvalue="00000002"/>
4410 <field name="samr.samr_ConnectAccessMask.SAMR_ACCESS_INITIALIZE_SERVER" showname=".... .... .... .... .... .... .... .0.. = Samr Access Initialize Server: SAMR_ACCESS_INITIALIZE_SERVER is NOT SET" size="4" pos="156" show="0" value="0" unmaskedvalue="00000002"/>
4411 <field name="samr.samr_ConnectAccessMask.SAMR_ACCESS_SHUTDOWN_SERVER" showname=".... .... .... .... .... .... .... ..0. = Samr Access Shutdown Server: SAMR_ACCESS_SHUTDOWN_SERVER is NOT SET" size="4" pos="156" show="0" value="0" unmaskedvalue="00000002"/>
4412 <field name="samr.samr_ConnectAccessMask.SAMR_ACCESS_CONNECT_TO_SERVER" showname=".... .... .... .... .... .... .... ...0 = Samr Access Connect To Server: SAMR_ACCESS_CONNECT_TO_SERVER is NOT SET" size="4" pos="156" show="0" value="0" unmaskedvalue="00000002"/>
4413 </field>
4414 </field>
4415 </proto>
4416 </packet>
4418 <packet>
4419 <proto name="geninfo" pos="0" showname="General information" size="244">
4420 <field name="num" pos="0" show="618" showname="Number" value="26a" size="244"/>
4421 <field name="len" pos="0" show="244" showname="Frame Length" value="f4" size="244"/>
4422 <field name="caplen" pos="0" show="244" showname="Captured Length" value="f4" size="244"/>
4423 <field name="timestamp" pos="0" show="Feb 16, 2017 12:18:11.039416000 NZDT" showname="Captured Time" value="1487200691.039416000" size="244"/>
4424 </proto>
4425 <proto name="frame" showname="Frame 618: 244 bytes on wire (1952 bits), 244 bytes captured (1952 bits)" size="244" pos="0">
4426 <field name="frame.encap_type" showname="Encapsulation type: Raw IP (7)" size="0" pos="0" show="7"/>
4427 <field name="frame.time" showname="Arrival Time: Feb 16, 2017 12:18:11.039416000 NZDT" size="0" pos="0" show="Feb 16, 2017 12:18:11.039416000 NZDT"/>
4428 <field name="frame.offset_shift" showname="Time shift for this packet: 0.000000000 seconds" size="0" pos="0" show="0.000000000"/>
4429 <field name="frame.time_epoch" showname="Epoch Time: 1487200691.039416000 seconds" size="0" pos="0" show="1487200691.039416000"/>
4430 <field name="frame.time_delta" showname="Time delta from previous captured frame: 0.000200000 seconds" size="0" pos="0" show="0.000200000"/>
4431 <field name="frame.time_delta_displayed" showname="Time delta from previous displayed frame: 0.000200000 seconds" size="0" pos="0" show="0.000200000"/>
4432 <field name="frame.time_relative" showname="Time since reference or first frame: 5.801692000 seconds" size="0" pos="0" show="5.801692000"/>
4433 <field name="frame.number" showname="Frame Number: 618" size="0" pos="0" show="618"/>
4434 <field name="frame.len" showname="Frame Length: 244 bytes (1952 bits)" size="0" pos="0" show="244"/>
4435 <field name="frame.cap_len" showname="Capture Length: 244 bytes (1952 bits)" size="0" pos="0" show="244"/>
4436 <field name="frame.marked" showname="Frame is marked: False" size="0" pos="0" show="0"/>
4437 <field name="frame.ignored" showname="Frame is ignored: False" size="0" pos="0" show="0"/>
4438 <field name="frame.protocols" showname="Protocols in frame: raw:ip:tcp:dcerpc:spnego-krb5:spnego-krb5" size="0" pos="0" show="raw:ip:tcp:dcerpc:spnego-krb5:spnego-krb5"/>
4439 </proto>
4440 <proto name="raw" showname="Raw packet data" size="244" pos="0"/>
4441 <proto name="ip" showname="Internet Protocol Version 4, Src: 127.0.0.11, Dst: 127.0.0.21" size="20" pos="0">
4442 <field name="ip.version" showname="0100 .... = Version: 4" size="1" pos="0" show="4" value="4" unmaskedvalue="45"/>
4443 <field name="ip.hdr_len" showname=".... 0101 = Header Length: 20 bytes" size="1" pos="0" show="5" value="5" unmaskedvalue="45"/>
4444 <field name="ip.dsfield" showname="Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)" size="1" pos="1" show="0x00000000" value="00">
4445 <field name="ip.dsfield.dscp" showname="0000 00.. = Differentiated Services Codepoint: Default (0)" size="1" pos="1" show="0" value="0" unmaskedvalue="00"/>
4446 <field name="ip.dsfield.ecn" showname=".... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)" size="1" pos="1" show="0" value="0" unmaskedvalue="00"/>
4447 </field>
4448 <field name="ip.len" showname="Total Length: 244" size="2" pos="2" show="244" value="00f4"/>
4449 <field name="ip.id" showname="Identification: 0xffff (65535)" size="2" pos="4" show="0x0000ffff" value="ffff"/>
4450 <field name="ip.flags" showname="Flags: 0x02 (Don&#x27;t Fragment)" size="1" pos="6" show="0x00000002" value="40">
4451 <field name="ip.flags.rb" showname="0... .... = Reserved bit: Not set" size="1" pos="6" show="0" value="40"/>
4452 <field name="ip.flags.df" showname=".1.. .... = Don&#x27;t fragment: Set" size="1" pos="6" show="1" value="40"/>
4453 <field name="ip.flags.mf" showname="..0. .... = More fragments: Not set" size="1" pos="6" show="0" value="40"/>
4454 </field>
4455 <field name="ip.frag_offset" showname="Fragment offset: 0" size="2" pos="6" show="0" value="4000"/>
4456 <field name="ip.ttl" showname="Time to live: 255" size="1" pos="8" show="255" value="ff"/>
4457 <field name="ip.proto" showname="Protocol: TCP (6)" size="1" pos="9" show="6" value="06"/>
4458 <field name="ip.checksum" showname="Header checksum: 0x0000 [validation disabled]" size="2" pos="10" show="0x00000000" value="0000">
4459 <field name="ip.checksum_good" showname="Good: False" size="2" pos="10" show="0" value="0000"/>
4460 <field name="ip.checksum_bad" showname="Bad: False" size="2" pos="10" show="0" value="0000"/>
4461 </field>
4462 <field name="ip.src" showname="Source: 127.0.0.11" size="4" pos="12" show="127.0.0.11" value="7f00000b"/>
4463 <field name="ip.addr" showname="Source or Destination Address: 127.0.0.11" hide="yes" size="4" pos="12" show="127.0.0.11" value="7f00000b"/>
4464 <field name="ip.src_host" showname="Source Host: 127.0.0.11" hide="yes" size="4" pos="12" show="127.0.0.11" value="7f00000b"/>
4465 <field name="ip.host" showname="Source or Destination Host: 127.0.0.11" hide="yes" size="4" pos="12" show="127.0.0.11" value="7f00000b"/>
4466 <field name="ip.dst" showname="Destination: 127.0.0.21" size="4" pos="16" show="127.0.0.21" value="7f000015"/>
4467 <field name="ip.addr" showname="Source or Destination Address: 127.0.0.21" hide="yes" size="4" pos="16" show="127.0.0.21" value="7f000015"/>
4468 <field name="ip.dst_host" showname="Destination Host: 127.0.0.21" hide="yes" size="4" pos="16" show="127.0.0.21" value="7f000015"/>
4469 <field name="ip.host" showname="Source or Destination Host: 127.0.0.21" hide="yes" size="4" pos="16" show="127.0.0.21" value="7f000015"/>
4470 <field name="" show="Source GeoIP: Unknown" size="4" pos="12" value="7f00000b"/>
4471 <field name="" show="Destination GeoIP: Unknown" size="4" pos="16" value="7f000015"/>
4472 </proto>
4473 <proto name="tcp" showname="Transmission Control Protocol, Src Port: 19098 (19098), Dst Port: 49152 (49152), Seq: 1870, Ack: 367, Len: 204" size="20" pos="20">
4474 <field name="tcp.srcport" showname="Source Port: 19098" size="2" pos="20" show="19098" value="4a9a"/>
4475 <field name="tcp.dstport" showname="Destination Port: 49152" size="2" pos="22" show="49152" value="c000"/>
4476 <field name="tcp.port" showname="Source or Destination Port: 19098" hide="yes" size="2" pos="20" show="19098" value="4a9a"/>
4477 <field name="tcp.port" showname="Source or Destination Port: 49152" hide="yes" size="2" pos="22" show="49152" value="c000"/>
4478 <field name="tcp.stream" showname="Stream index: 14" size="0" pos="20" show="14"/>
4479 <field name="tcp.len" showname="TCP Segment Len: 204" size="1" pos="32" show="204" value="50"/>
4480 <field name="tcp.seq" showname="Sequence number: 1870 (relative sequence number)" size="4" pos="24" show="1870" value="0000074e"/>
4481 <field name="tcp.nxtseq" showname="Next sequence number: 2074 (relative sequence number)" size="0" pos="20" show="2074"/>
4482 <field name="tcp.ack" showname="Acknowledgment number: 367 (relative ack number)" size="4" pos="28" show="367" value="0000016f"/>
4483 <field name="tcp.hdr_len" showname="Header Length: 20 bytes" size="1" pos="32" show="20" value="50"/>
4484 <field name="tcp.flags" showname="Flags: 0x018 (PSH, ACK)" size="2" pos="32" show="0x00000018" value="18" unmaskedvalue="5018">
4485 <field name="tcp.flags.res" showname="000. .... .... = Reserved: Not set" size="1" pos="32" show="0" value="0" unmaskedvalue="50"/>
4486 <field name="tcp.flags.ns" showname="...0 .... .... = Nonce: Not set" size="1" pos="32" show="0" value="0" unmaskedvalue="50"/>
4487 <field name="tcp.flags.cwr" showname=".... 0... .... = Congestion Window Reduced (CWR): Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
4488 <field name="tcp.flags.ecn" showname=".... .0.. .... = ECN-Echo: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
4489 <field name="tcp.flags.urg" showname=".... ..0. .... = Urgent: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
4490 <field name="tcp.flags.ack" showname=".... ...1 .... = Acknowledgment: Set" size="1" pos="33" show="1" value="FFFFFFFF" unmaskedvalue="18"/>
4491 <field name="tcp.flags.push" showname=".... .... 1... = Push: Set" size="1" pos="33" show="1" value="FFFFFFFF" unmaskedvalue="18"/>
4492 <field name="tcp.flags.reset" showname=".... .... .0.. = Reset: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
4493 <field name="tcp.flags.syn" showname=".... .... ..0. = Syn: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
4494 <field name="tcp.flags.fin" showname=".... .... ...0 = Fin: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
4495 <field name="tcp.flags.str" showname="TCP Flags: *******AP***" size="2" pos="32" show="*******AP***" value="5018"/>
4496 </field>
4497 <field name="tcp.window_size_value" showname="Window size value: 32767" size="2" pos="34" show="32767" value="7fff"/>
4498 <field name="tcp.window_size" showname="Calculated window size: 32767" size="2" pos="34" show="32767" value="7fff"/>
4499 <field name="tcp.window_size_scalefactor" showname="Window size scaling factor: -2 (no window scaling used)" size="2" pos="34" show="-2" value="7fff"/>
4500 <field name="tcp.checksum" showname="Checksum: 0x0000 [validation disabled]" size="2" pos="36" show="0x00000000" value="0000">
4501 <field name="tcp.checksum_good" showname="Good Checksum: False" size="2" pos="36" show="0" value="0000"/>
4502 <field name="tcp.checksum_bad" showname="Bad Checksum: False" size="2" pos="36" show="0" value="0000"/>
4503 </field>
4504 <field name="tcp.urgent_pointer" showname="Urgent pointer: 0" size="2" pos="38" show="0" value="0000"/>
4505 <field name="tcp.analysis" showname="SEQ/ACK analysis" size="0" pos="20" show="" value="">
4506 <field name="tcp.analysis.acks_frame" showname="This is an ACK to the segment in frame: 615" size="0" pos="20" show="615"/>
4507 <field name="tcp.analysis.ack_rtt" showname="The RTT to ACK the segment was: 0.000257000 seconds" size="0" pos="20" show="0.000257000"/>
4508 <field name="tcp.analysis.initial_rtt" showname="iRTT: 0.000055000 seconds" size="0" pos="20" show="0.000055000"/>
4509 <field name="tcp.analysis.bytes_in_flight" showname="Bytes in flight: 204" size="0" pos="20" show="204"/>
4510 </field>
4511 </proto>
<!-- Authenticated DCE/RPC request: Auth type SPNEGO (9) at Auth level
     Packet privacy (6). The header fields (Call ID, Context ID, Opnum) are in
     clear text. The auth trailer starts at pos 160; its 76-byte Kerberos token
     (Auth Length 76) is a KRB_TOKEN_CFX_WRAP with the Sealed and AcceptorSubkey
     flags set.
     Sizes are consistent: 24 header bytes, 96 stub bytes, 8 trailer header
     bytes and the 76-byte token add up to Frag Length 204. -->
4512 <proto name="dcerpc" showname="Distributed Computing Environment / Remote Procedure Call (DCE/RPC) Request, Fragment: Single, FragLen: 204, Call: 2, Ctx: 0" size="204" pos="40">
4513 <field name="dcerpc.ver" showname="Version: 5" size="1" pos="40" show="5" value="05"/>
4514 <field name="dcerpc.ver_minor" showname="Version (minor): 0" size="1" pos="41" show="0" value="00"/>
4515 <field name="dcerpc.pkt_type" showname="Packet type: Request (0)" size="1" pos="42" show="0" value="00"/>
4516 <field name="dcerpc.cn_flags" showname="Packet Flags: 0x03" size="1" pos="43" show="0x00000003" value="03">
4517 <field name="dcerpc.cn_flags.object" showname="0... .... = Object: Not set" size="1" pos="43" show="0" value="0" unmaskedvalue="03"/>
4518 <field name="dcerpc.cn_flags.maybe" showname=".0.. .... = Maybe: Not set" size="1" pos="43" show="0" value="0" unmaskedvalue="03"/>
4519 <field name="dcerpc.cn_flags.dne" showname="..0. .... = Did Not Execute: Not set" size="1" pos="43" show="0" value="0" unmaskedvalue="03"/>
4520 <field name="dcerpc.cn_flags.mpx" showname="...0 .... = Multiplex: Not set" size="1" pos="43" show="0" value="0" unmaskedvalue="03"/>
4521 <field name="dcerpc.cn_flags.reserved" showname=".... 0... = Reserved: Not set" size="1" pos="43" show="0" value="0" unmaskedvalue="03"/>
4522 <field name="dcerpc.cn_flags.cancel_pending" showname=".... .0.. = Cancel Pending: Not set" size="1" pos="43" show="0" value="0" unmaskedvalue="03"/>
4523 <field name="dcerpc.cn_flags.last_frag" showname=".... ..1. = Last Frag: Set" size="1" pos="43" show="1" value="FFFFFFFF" unmaskedvalue="03"/>
4524 <field name="dcerpc.cn_flags.first_frag" showname=".... ...1 = First Frag: Set" size="1" pos="43" show="1" value="FFFFFFFF" unmaskedvalue="03"/>
4525 </field>
4526 <field name="dcerpc.drep" showname="Data Representation: 10000000" size="4" pos="44" show="10:00:00:00" value="10000000">
4527 <field name="dcerpc.drep.byteorder" showname="Byte order: Little-endian (1)" size="1" pos="44" show="1" value="10"/>
4528 <field name="dcerpc.drep.character" showname="Character: ASCII (0)" size="1" pos="44" show="0" value="10"/>
4529 <field name="dcerpc.drep.fp" showname="Floating-point: IEEE (0)" size="1" pos="45" show="0" value="00"/>
4530 </field>
4531 <field name="dcerpc.cn_frag_len" showname="Frag Length: 204" size="2" pos="48" show="204" value="cc00"/>
4532 <field name="dcerpc.cn_auth_len" showname="Auth Length: 76" size="2" pos="50" show="76" value="4c00"/>
4533 <field name="dcerpc.cn_call_id" showname="Call ID: 2" size="4" pos="52" show="2" value="02000000"/>
4534 <field name="dcerpc.cn_alloc_hint" showname="Alloc hint: 84" size="4" pos="56" show="84" value="54000000"/>
4535 <field name="dcerpc.cn_ctx_id" showname="Context ID: 0" size="2" pos="60" show="0" value="0000"/>
4536 <field name="dcerpc.opnum" showname="Opnum: 0" size="2" pos="62" show="0" value="0000"/>
4537 <field name="dcerpc.auth_type" showname="Auth type: SPNEGO (9)" size="1" pos="160" show="9" value="09"/>
4538 <field name="dcerpc.auth_level" showname="Auth level: Packet privacy (6)" size="1" pos="161" show="6" value="06"/>
4539 <field name="dcerpc.auth_pad_len" showname="Auth pad len: 12" size="1" pos="162" show="12" value="0c"/>
4540 <field name="dcerpc.auth_rsrvd" showname="Auth Rsrvd: 0" size="1" pos="163" show="0" value="00"/>
4541 <field name="dcerpc.auth_ctx_id" showname="Auth Context ID: 1" size="4" pos="164" show="1" value="01000000"/>
4542 <proto name="gss-api" showname="GSS-API Generic Security Service Application Program Interface" size="76" pos="168">
4543 <field name="spnego.krb5.blob" showname="krb5_blob: 050406ff0010001c000000000bcbcd947efcdcdd031c9af0..." size="76" pos="168" show="05:04:06:ff:00:10:00:1c:00:00:00:00:0b:cb:cd:94:7e:fc:dc:dd:03:1c:9a:f0:b0:c9:a0:30:4e:3f:5a:f9:bd:9f:63:82:c8:cb:eb:fe:08:6b:0f:7d:93:b3:30:d3:6c:90:51:24:3a:38:c9:aa:26:c0:0c:5a:a0:a2:7b:1d:10:4b:31:f6:34:4a:cd:24:f8:c2:c9:73" value="050406ff0010001c000000000bcbcd947efcdcdd031c9af0b0c9a0304e3f5af9bd9f6382c8cbebfe086b0f7d93b330d36c9051243a38c9aa26c00c5aa0a27b1d104b31f6344acd24f8c2c973">
4544 <field name="spnego.krb5.tok_id" showname="krb5_tok_id: KRB_TOKEN_CFX_WRAP (0x0405)" size="2" pos="168" show="0x00000405" value="0504"/>
4545 <field name="spnego.krb5.cfx_flags" showname="krb5_cfx_flags: 0x06, AcceptorSubkey, Sealed" size="1" pos="170" show="0x00000006" value="06">
4546 <field name="spnego.krb5.acceptor_subkey" showname=".... .1.. = AcceptorSubkey: Set" size="1" pos="170" show="1" value="FFFFFFFF" unmaskedvalue="06"/>
4547 <field name="spnego.krb5.sealed" showname=".... ..1. = Sealed: Set" size="1" pos="170" show="1" value="FFFFFFFF" unmaskedvalue="06"/>
4548 <field name="spnego.krb5.send_by_acceptor" showname=".... ...0 = SendByAcceptor: Not set" size="1" pos="170" show="0" value="0" unmaskedvalue="06"/>
4549 </field>
4550 <field name="spnego.krb5.filler" showname="krb5_filler: ff" size="1" pos="171" show="ff" value="ff"/>
4551 <field name="spnego.krb5.cfx_ec" showname="krb5_cfx_ec: 16" size="2" pos="172" show="16" value="0010"/>
4552 <field name="spnego.krb5.cfx_rrc" showname="krb5_cfx_rrc: 28" size="2" pos="174" show="28" value="001c"/>
4553 <field name="spnego.krb5.cfx_seq" showname="krb5_cfx_seq: 197905812" size="8" pos="176" show="197905812" value="000000000bcbcd94"/>
4554 <field name="spnego.krb5.sgn_cksum" showname="krb5_sgn_cksum: 7efcdcdd031c9af0b0c9a0304e3f5af9bd9f6382c8cbebfe..." size="60" pos="184" show="7e:fc:dc:dd:03:1c:9a:f0:b0:c9:a0:30:4e:3f:5a:f9:bd:9f:63:82:c8:cb:eb:fe:08:6b:0f:7d:93:b3:30:d3:6c:90:51:24:3a:38:c9:aa:26:c0:0c:5a:a0:a2:7b:1d:10:4b:31:f6:34:4a:cd:24:f8:c2:c9:73" value="7efcdcdd031c9af0b0c9a0304e3f5af9bd9f6382c8cbebfe086b0f7d93b330d36c9051243a38c9aa26c00c5aa0a27b1d104b31f6344acd24f8c2c973"/>
4555 </field>
4556 </proto>
4557 </proto>
<!-- DRSUAPI DsBind (opnum 0). Only the operation is dissected; the 96-byte stub
     appears as dcerpc.encrypted_stub_data, which matches the Packet privacy
     auth level in this packet's dcerpc proto. Alloc hint 84 plus Auth pad len 12
     accounts for the 96 bytes. -->
4558 <proto name="drsuapi" showname="DRSUAPI, DsBind" size="96" pos="64">
4559 <field name="drsuapi.opnum" showname="Operation: DsBind (0)" size="0" pos="64" show="0"/>
4560 <field name="dcerpc.encrypted_stub_data" showname="Encrypted stub data: 536b3d9d2cae12c8cfef430800028a405e0c5b0dd1ab3a67..." size="96" pos="64" show="53:6b:3d:9d:2c:ae:12:c8:cf:ef:43:08:00:02:8a:40:5e:0c:5b:0d:d1:ab:3a:67:7b:bf:dc:66:7d:f1:90:ff:c6:6b:04:07:07:e2:7e:20:ca:73:41:fc:bf:0e:16:07:00:31:88:a1:7d:13:54:99:50:55:29:f1:ce:07:e8:92:78:69:63:7c:f2:60:2a:fd:7b:60:49:5d:7e:bf:dc:b2:2b:b7:47:86:6e:c8:51:1c:53:bb:73:35:dc:5c:b1:b0" value="536b3d9d2cae12c8cfef430800028a405e0c5b0dd1ab3a677bbfdc667df190ffc66b040707e27e20ca7341fcbf0e1607003188a17d135499505529f1ce07e8927869637cf2602afd7b60495d7ebfdcb22bb747866ec8511c53bb7335dc5cb1b0"/>
4561 </proto>
4562 </packet>
4564 <packet>
4565 <proto name="geninfo" pos="0" showname="General information" size="314">
4566 <field name="num" pos="0" show="1971790" showname="Number" value="1e164e" size="314"/>
4567 <field name="len" pos="0" show="314" showname="Frame Length" value="13a" size="314"/>
4568 <field name="caplen" pos="0" show="314" showname="Captured Length" value="13a" size="314"/>
4569 <field name="timestamp" pos="0" show="Feb 13, 2017 10:23:04.809271000 NZDT" showname="Captured Time" value="1486934584.809271000" size="314"/>
4570 </proto>
4571 <proto name="frame" showname="Frame 1971790: 314 bytes on wire (2512 bits), 314 bytes captured (2512 bits)" size="314" pos="0">
4572 <field name="frame.encap_type" showname="Encapsulation type: Raw IP (7)" size="0" pos="0" show="7"/>
4573 <field name="frame.time" showname="Arrival Time: Feb 13, 2017 10:23:04.809271000 NZDT" size="0" pos="0" show="Feb 13, 2017 10:23:04.809271000 NZDT"/>
4574 <field name="frame.offset_shift" showname="Time shift for this packet: 0.000000000 seconds" size="0" pos="0" show="0.000000000"/>
4575 <field name="frame.time_epoch" showname="Epoch Time: 1486934584.809271000 seconds" size="0" pos="0" show="1486934584.809271000"/>
4576 <field name="frame.time_delta" showname="Time delta from previous captured frame: 0.053481000 seconds" size="0" pos="0" show="0.053481000"/>
4577 <field name="frame.time_delta_displayed" showname="Time delta from previous displayed frame: 0.053481000 seconds" size="0" pos="0" show="0.053481000"/>
4578 <field name="frame.time_relative" showname="Time since reference or first frame: 814.186830000 seconds" size="0" pos="0" show="814.186830000"/>
4579 <field name="frame.number" showname="Frame Number: 1971790" size="0" pos="0" show="1971790"/>
4580 <field name="frame.len" showname="Frame Length: 314 bytes (2512 bits)" size="0" pos="0" show="314"/>
4581 <field name="frame.cap_len" showname="Capture Length: 314 bytes (2512 bits)" size="0" pos="0" show="314"/>
4582 <field name="frame.marked" showname="Frame is marked: False" size="0" pos="0" show="0"/>
4583 <field name="frame.ignored" showname="Frame is ignored: False" size="0" pos="0" show="0"/>
4584 <field name="frame.protocols" showname="Protocols in frame: raw:ip:udp:nbdgm:smb:smb_netlogon" size="0" pos="0" show="raw:ip:udp:nbdgm:smb:smb_netlogon"/>
4585 </proto>
4586 <proto name="raw" showname="Raw packet data" size="314" pos="0"/>
<!-- IPv4 header of the NETLOGON mailslot datagram. Both endpoints are
     loopback addresses (127.0.0.4 to 127.0.0.3). The header checksum is
     0x0000 and Wireshark reports validation as disabled, so checksum_good
     and checksum_bad are both False: read that as "not checked", not as
     "bad". ip.addr and ip.host each occur twice (source and destination)
     and the two GeoIP fields have an empty name, so a consumer that keys
     fields by name has to allow for repeated and empty names. -->
4587 <proto name="ip" showname="Internet Protocol Version 4, Src: 127.0.0.4, Dst: 127.0.0.3" size="20" pos="0">
4588 <field name="ip.version" showname="0100 .... = Version: 4" size="1" pos="0" show="4" value="4" unmaskedvalue="45"/>
4589 <field name="ip.hdr_len" showname=".... 0101 = Header Length: 20 bytes" size="1" pos="0" show="5" value="5" unmaskedvalue="45"/>
4590 <field name="ip.dsfield" showname="Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)" size="1" pos="1" show="0x00000000" value="00">
4591 <field name="ip.dsfield.dscp" showname="0000 00.. = Differentiated Services Codepoint: Default (0)" size="1" pos="1" show="0" value="0" unmaskedvalue="00"/>
4592 <field name="ip.dsfield.ecn" showname=".... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)" size="1" pos="1" show="0" value="0" unmaskedvalue="00"/>
4593 </field>
4594 <field name="ip.len" showname="Total Length: 314" size="2" pos="2" show="314" value="013a"/>
4595 <field name="ip.id" showname="Identification: 0xffff (65535)" size="2" pos="4" show="0x0000ffff" value="ffff"/>
4596 <field name="ip.flags" showname="Flags: 0x02 (Don&#x27;t Fragment)" size="1" pos="6" show="0x00000002" value="40">
4597 <field name="ip.flags.rb" showname="0... .... = Reserved bit: Not set" size="1" pos="6" show="0" value="40"/>
4598 <field name="ip.flags.df" showname=".1.. .... = Don&#x27;t fragment: Set" size="1" pos="6" show="1" value="40"/>
4599 <field name="ip.flags.mf" showname="..0. .... = More fragments: Not set" size="1" pos="6" show="0" value="40"/>
4600 </field>
4601 <field name="ip.frag_offset" showname="Fragment offset: 0" size="2" pos="6" show="0" value="4000"/>
4602 <field name="ip.ttl" showname="Time to live: 255" size="1" pos="8" show="255" value="ff"/>
4603 <field name="ip.proto" showname="Protocol: UDP (17)" size="1" pos="9" show="17" value="11"/>
4604 <field name="ip.checksum" showname="Header checksum: 0x0000 [validation disabled]" size="2" pos="10" show="0x00000000" value="0000">
4605 <field name="ip.checksum_good" showname="Good: False" size="2" pos="10" show="0" value="0000"/>
4606 <field name="ip.checksum_bad" showname="Bad: False" size="2" pos="10" show="0" value="0000"/>
4607 </field>
4608 <field name="ip.src" showname="Source: 127.0.0.4" size="4" pos="12" show="127.0.0.4" value="7f000004"/>
4609 <field name="ip.addr" showname="Source or Destination Address: 127.0.0.4" hide="yes" size="4" pos="12" show="127.0.0.4" value="7f000004"/>
4610 <field name="ip.src_host" showname="Source Host: 127.0.0.4" hide="yes" size="4" pos="12" show="127.0.0.4" value="7f000004"/>
4611 <field name="ip.host" showname="Source or Destination Host: 127.0.0.4" hide="yes" size="4" pos="12" show="127.0.0.4" value="7f000004"/>
4612 <field name="ip.dst" showname="Destination: 127.0.0.3" size="4" pos="16" show="127.0.0.3" value="7f000003"/>
4613 <field name="ip.addr" showname="Source or Destination Address: 127.0.0.3" hide="yes" size="4" pos="16" show="127.0.0.3" value="7f000003"/>
4614 <field name="ip.dst_host" showname="Destination Host: 127.0.0.3" hide="yes" size="4" pos="16" show="127.0.0.3" value="7f000003"/>
4615 <field name="ip.host" showname="Source or Destination Host: 127.0.0.3" hide="yes" size="4" pos="16" show="127.0.0.3" value="7f000003"/>
4616 <field name="" show="Source GeoIP: Unknown" size="4" pos="12" value="7f000004"/>
4617 <field name="" show="Destination GeoIP: Unknown" size="4" pos="16" value="7f000003"/>
4618 </proto>
<!-- UDP header: source and destination port are both 138. The checksum
     field is 0x0000, shown as "(none)", so UDP adds no integrity check to
     this datagram. udp.port is emitted twice with hide="yes", once at the
     source-port offset and once at the destination-port offset. -->
4619 <proto name="udp" showname="User Datagram Protocol, Src Port: 138 (138), Dst Port: 138 (138)" size="8" pos="20">
4620 <field name="udp.srcport" showname="Source Port: 138" size="2" pos="20" show="138" value="008a"/>
4621 <field name="udp.dstport" showname="Destination Port: 138" size="2" pos="22" show="138" value="008a"/>
4622 <field name="udp.port" showname="Source or Destination Port: 138" hide="yes" size="2" pos="20" show="138" value="008a"/>
4623 <field name="udp.port" showname="Source or Destination Port: 138" hide="yes" size="2" pos="22" show="138" value="008a"/>
4624 <field name="udp.length" showname="Length: 294" size="2" pos="24" show="294" value="0126"/>
4625 <field name="udp.checksum" showname="Checksum: 0x0000 (none)" size="2" pos="26" show="0x00000000" value="0000">
4626 <field name="udp.checksum_good" showname="Good Checksum: False" size="2" pos="26" show="0" value="0000"/>
4627 <field name="udp.checksum_bad" showname="Bad Checksum: False" size="2" pos="26" show="0" value="0000"/>
4628 </field>
4629 <field name="udp.stream" showname="Stream index: 322" size="0" pos="28" show="322"/>
4630 </proto>
<!-- NetBIOS datagram: a direct group datagram from LOCALNT4MEMBER3
     (suffix 00) to the group name SAMBA-TEST (suffix 1c, shown as Domain
     Controllers). nbdgm.src.ip and nbdgm.src.port are carried inside the
     datagram header and here equal the IP and UDP source (127.0.0.4,
     port 138). When analysing real traffic compare the two, since the
     inner values are supplied by the sender. The value attributes hold
     the encoded name bytes, the show attributes the decoded names. -->
4631 <proto name="nbdgm" showname="NetBIOS Datagram Service" size="82" pos="28">
4632 <field name="nbdgm.type" showname="Message Type: Direct_group datagram (17)" size="1" pos="28" show="17" value="11"/>
4633 <field name="nbdgm.next" showname="More fragments follow: No" size="1" pos="29" show="0" value="0a"/>
4634 <field name="nbdgm.first" showname="This is first fragment: Yes" size="1" pos="29" show="1" value="0a"/>
4635 <field name="nbdgm.node_type" showname="Node Type: M node (2)" size="1" pos="29" show="2" value="0a"/>
4636 <field name="nbdgm.dgram_id" showname="Datagram ID: 0x7172" size="2" pos="30" show="0x00007172" value="7172"/>
4637 <field name="nbdgm.src.ip" showname="Source IP: 127.0.0.4" size="4" pos="32" show="127.0.0.4" value="7f000004"/>
4638 <field name="nbdgm.src.port" showname="Source Port: 138" size="2" pos="36" show="138" value="008a"/>
4639 <field name="nbdgm.dgram_len" showname="Datagram length: 272 bytes" size="2" pos="38" show="272" value="0110"/>
4640 <field name="nbdgm.pkt_offset" showname="Packet offset: 0 bytes" size="2" pos="40" show="0" value="0000"/>
4641 <field name="nbdgm.source_name" showname="Source name: LOCALNT4MEMBER3&lt;00&gt; (Workstation/Redirector)" size="34" pos="42" show="LOCALNT4MEMBER3&lt;00&gt;" value="20454d455045444542454d454f46454445454e4546454e4543454646434444414100"/>
4642 <field name="nbdgm.destination_name" showname="Destination name: SAMBA-TEST&lt;1c&gt; (Domain Controllers)" size="34" pos="76" show="SAMBA-TEST&lt;1c&gt;" value="2046444542454e45434542434e464545464644464543414341434143414341424d00"/>
4643 </proto>
<!-- SMB1 Trans (0x25) request that carries the mailslot write. Nothing in
     the header authenticates it: smb.signature is all zeros, both security
     signature bits in flags2 are clear, and tid, pid, uid and mid are 0.
     The three setup words (smb.sc = 3, bytes 171 to 176) are not listed
     here; they are dissected by the mailslot proto that follows, which is
     why smb.bcc at pos 177 comes right after smb.reserved at pos 170. -->
4644 <proto name="smb" showname="SMB (Server Message Block Protocol)" size="204" pos="110">
4645 <field name="" show="SMB Header" size="32" pos="110" value="ff534d4225000000000000000000000000000000000000000000000000000000">
4646 <field name="smb.server_component" showname="Server Component: SMB" size="4" pos="110" show="0x424d53ff" value="ff534d42"/>
4647 <field name="smb.cmd" showname="SMB Command: Trans (0x25)" size="1" pos="114" show="37" value="25"/>
4648 <field name="smb.error_class" showname="Error Class: Success (0x00)" size="1" pos="115" show="0x00000000" value="00"/>
4649 <field name="smb.reserved" showname="Reserved: 00" size="1" pos="116" show="00" value="00"/>
4650 <field name="smb.error_code" showname="Error Code: No Error" size="2" pos="117" show="0x00000000" value="0000"/>
4651 <field name="smb.flags" showname="Flags: 0x00" size="1" pos="119" show="0x00000000" value="00">
4652 <field name="smb.flags.response" showname="0... .... = Request/Response: Message is a request to the server" size="1" pos="119" show="0" value="0" unmaskedvalue="00"/>
4653 <field name="smb.flags.notify" showname=".0.. .... = Notify: Notify client only on open" size="1" pos="119" show="0" value="0" unmaskedvalue="00"/>
4654 <field name="smb.flags.oplock" showname="..0. .... = Oplocks: OpLock not requested/granted" size="1" pos="119" show="0" value="0" unmaskedvalue="00"/>
4655 <field name="smb.flags.canon" showname="...0 .... = Canonicalized Pathnames: Pathnames are not canonicalized" size="1" pos="119" show="0" value="0" unmaskedvalue="00"/>
4656 <field name="smb.flags.caseless" showname=".... 0... = Case Sensitivity: Path names are case sensitive" size="1" pos="119" show="0" value="0" unmaskedvalue="00"/>
4657 <field name="smb.flags.receive_buffer" showname=".... ..0. = Receive Buffer Posted: Receive buffer has not been posted" size="1" pos="119" show="0" value="0" unmaskedvalue="00"/>
4658 <field name="smb.flags.lock" showname=".... ...0 = Lock and Read: Lock&amp;Read, Write&amp;Unlock are not supported" size="1" pos="119" show="0" value="0" unmaskedvalue="00"/>
4659 </field>
4660 <field name="smb.flags2" showname="Flags2: 0x0000" size="2" pos="120" show="0x00000000" value="0000">
4661 <field name="smb.flags2.string" showname="0... .... .... .... = Unicode Strings: Strings are ASCII" size="2" pos="120" show="0" value="0" unmaskedvalue="0000"/>
4662 <field name="smb.flags2.nt_error" showname=".0.. .... .... .... = Error Code Type: Error codes are DOS error codes" size="2" pos="120" show="0" value="0" unmaskedvalue="0000"/>
4663 <field name="smb.flags2.roe" showname="..0. .... .... .... = Execute-only Reads: Don&#x27;t permit reads if execute-only" size="2" pos="120" show="0" value="0" unmaskedvalue="0000"/>
4664 <field name="smb.flags2.dfs" showname="...0 .... .... .... = Dfs: Don&#x27;t resolve pathnames with Dfs" size="2" pos="120" show="0" value="0" unmaskedvalue="0000"/>
4665 <field name="smb.flags2.esn" showname=".... 0... .... .... = Extended Security Negotiation: Extended security negotiation is not supported" size="2" pos="120" show="0" value="0" unmaskedvalue="0000"/>
4666 <field name="smb.flags2.reparse_path" showname=".... .0.. .... .... = Reparse Path: The request does not use a @GMT reparse path" size="2" pos="120" show="0" value="0" unmaskedvalue="0000"/>
4667 <field name="smb.flags2.long_names_used" showname=".... .... .0.. .... = Long Names Used: Path names in request are not long file names" size="2" pos="120" show="0" value="0" unmaskedvalue="0000"/>
4668 <field name="smb.flags2.sec_sig_required" showname=".... .... ...0 .... = Security Signatures Required: Security signatures are not required" size="2" pos="120" show="0" value="0" unmaskedvalue="0000"/>
4669 <field name="smb.flags2.compressed" showname=".... .... .... 0... = Compressed: Compression is not requested" size="2" pos="120" show="0" value="0" unmaskedvalue="0000"/>
4670 <field name="smb.flags2.sec_sig" showname=".... .... .... .0.. = Security Signatures: Security signatures are not supported" size="2" pos="120" show="0" value="0" unmaskedvalue="0000"/>
4671 <field name="smb.flags2.ea" showname=".... .... .... ..0. = Extended Attributes: Extended attributes are not supported" size="2" pos="120" show="0" value="0" unmaskedvalue="0000"/>
4672 <field name="smb.flags2.long_names_allowed" showname=".... .... .... ...0 = Long Names Allowed: Long file names are not allowed in the response" size="2" pos="120" show="0" value="0" unmaskedvalue="0000"/>
4673 </field>
4674 <field name="smb.pid.high" showname="Process ID High: 0" size="2" pos="122" show="0" value="0000"/>
4675 <field name="smb.signature" showname="Signature: 0000000000000000" size="8" pos="124" show="00:00:00:00:00:00:00:00" value="0000000000000000"/>
4676 <field name="smb.reserved" showname="Reserved: 0000" size="2" pos="132" show="00:00" value="0000"/>
4677 <field name="smb.tid" showname="Tree ID: 0" size="2" pos="134" show="0" value="0000"/>
4678 <field name="smb.pid" showname="Process ID: 0" size="2" pos="136" show="0" value="0000"/>
4679 <field name="smb.uid" showname="User ID: 0" size="2" pos="138" show="0" value="0000"/>
4680 <field name="smb.mid" showname="Multiplex ID: 0" size="2" pos="140" show="0" value="0000"/>
4681 </field>
4682 <field name="" show="Trans Request (0x25)" size="172" pos="142" value="110000710000000000000000000000000000000000000071005b00030001000000020087005c4d41494c534c4f545c4e45545c4e544c4f474f4e00120000004c004f00430041004c004e00540034004d0045004d00420045005200330000004c004f00430041004c004e00540034004d0045004d004200450052003300240000005c4d41494c534c4f545c4e45545c4745544443333030303037460080000000000000000b000000ffffffff">
4683 <field name="smb.wct" showname="Word Count (WCT): 17" size="1" pos="142" show="17" value="11"/>
4684 <field name="smb.tpc" showname="Total Parameter Count: 0" size="2" pos="143" show="0" value="0000"/>
4685 <field name="smb.tdc" showname="Total Data Count: 113" size="2" pos="145" show="113" value="7100"/>
4686 <field name="smb.mpc" showname="Max Parameter Count: 0" size="2" pos="147" show="0" value="0000"/>
4687 <field name="smb.mdc" showname="Max Data Count: 0" size="2" pos="149" show="0" value="0000"/>
4688 <field name="smb.msc" showname="Max Setup Count: 0" size="1" pos="151" show="0" value="00"/>
4689 <field name="smb.reserved" showname="Reserved: 00" size="1" pos="152" show="00" value="00"/>
4690 <field name="smb.transaction.flags" showname="Flags: 0x0000" size="2" pos="153" show="0x00000000" value="0000">
4691 <field name="smb.transaction.flags.owt" showname=".... .... .... ..0. = One Way Transaction: Two way transaction" size="2" pos="153" show="0" value="0" unmaskedvalue="0000"/>
4692 <field name="smb.transaction.flags.dtid" showname=".... .... .... ...0 = Disconnect TID: Do NOT disconnect TID" size="2" pos="153" show="0" value="0" unmaskedvalue="0000"/>
4693 </field>
4694 <field name="smb.timeout" showname="Timeout: Return immediately (0)" size="4" pos="155" show="0" value="00000000"/>
4695 <field name="smb.reserved" showname="Reserved: 0000" size="2" pos="159" show="00:00" value="0000"/>
4696 <field name="smb.pc" showname="Parameter Count: 0" size="2" pos="161" show="0" value="0000"/>
4697 <field name="smb.po" showname="Parameter Offset: 0" size="2" pos="163" show="0" value="0000"/>
4698 <field name="smb.dc" showname="Data Count: 113" size="2" pos="165" show="113" value="7100"/>
4699 <field name="smb.data_offset" showname="Data Offset: 91" size="2" pos="167" show="91" value="5b00"/>
4700 <field name="smb.sc" showname="Setup Count: 3" size="1" pos="169" show="3" value="03"/>
4701 <field name="smb.reserved" showname="Reserved: 00" size="1" pos="170" show="00" value="00"/>
4702 <field name="smb.bcc" showname="Byte Count (BCC): 135" size="2" pos="177" show="135" value="8700"/>
4703 <field name="smb.trans_name" showname="Transaction Name: \MAILSLOT\NET\NTLOGON" size="22" pos="179" show="\MAILSLOT\NET\NTLOGON" value="5c4d41494c534c4f545c4e45545c4e544c4f474f4e00"/>
4704 </field>
4705 </proto>
<!-- Mailslot layer: Write Mail Slot (opcode 1) to \MAILSLOT\NET\NTLOGON,
     class 2 (Unreliable and Broadcast). mailslot.size and mailslot.name
     cover the same bytes (pos 177 and pos 179) as smb.bcc and
     smb.trans_name in the preceding smb proto, so the two views should
     always agree. -->
4706 <proto name="mailslot" showname="SMB MailSlot Protocol" size="30" pos="171">
4707 <field name="mailslot.opcode" showname="Opcode: Write Mail Slot (1)" size="2" pos="171" show="1" value="0100"/>
4708 <field name="mailslot.priority" showname="Priority: 0" size="2" pos="173" show="0" value="0000"/>
4709 <field name="mailslot.class" showname="Class: Unreliable &amp; Broadcast (2)" size="2" pos="175" show="2" value="0200"/>
4710 <field name="mailslot.size" showname="Size: 135" size="2" pos="177" show="135" value="8700"/>
4711 <field name="mailslot.name" showname="Mailslot Name: \MAILSLOT\NET\NTLOGON" size="22" pos="179" show="\MAILSLOT\NET\NTLOGON" value="5c4d41494c534c4f545c4e45545c4e544c4f474f4e00"/>
4712 </proto>
<!-- NETLOGON SAM LOGON request (command 0x12) naming the computer
     LOCALNT4MEMBER3 and the account LOCALNT4MEMBER3$ (account control
     0x00000080, Workstation Trust). The mailslot name
     \MAILSLOT\NET\GETDC300007F is, in this request type, where the reply
     is to be sent. The request travels in the unsigned broadcast datagram
     shown in the enclosing layers (smb.signature is all zeros), so the
     computer and user names are claims made by the sender, not
     authenticated identities. For the bit fields read show, not value:
     the one set bit (flags.workstation) has show="1" but
     value="FFFFFFFF". -->
4713 <proto name="smb_netlogon" showname="Microsoft Windows Logon Protocol (Old)" size="113" pos="201">
4714 <field name="smb_netlogon.command" showname="Command: SAM LOGON request from client (0x12)" size="1" pos="201" show="0x00000012" value="12"/>
4715 <field name="smb_netlogon.request_count" showname="Request Count: 0" size="2" pos="203" show="0" value="0000"/>
4716 <field name="smb_netlogon.unicode_computer_name" showname="Unicode Computer Name: LOCALNT4MEMBER3" size="32" pos="205" show="LOCALNT4MEMBER3" value="4c004f00430041004c004e00540034004d0045004d0042004500520033000000"/>
4717 <field name="smb_netlogon.user_name" showname="User Name: LOCALNT4MEMBER3$" size="34" pos="237" show="LOCALNT4MEMBER3$" value="4c004f00430041004c004e00540034004d0045004d00420045005200330024000000"/>
4718 <field name="smb_netlogon.mailslot_name" showname="Mailslot Name: \MAILSLOT\NET\GETDC300007F" size="27" pos="271" show="\MAILSLOT\NET\GETDC300007F" value="5c4d41494c534c4f545c4e45545c47455444433330303030374600"/>
4719 <field name="smb_netlogon.flags" showname="Account control: 0x00000080, Workstation Trust" size="4" pos="298" show="0x00000080" value="80000000">
4720 <field name="smb_netlogon.flags.autolock" showname=".... .... .... .... .... .0.. .... .... = Autolock: User account NOT auto-locked" size="4" pos="298" show="0" value="0" unmaskedvalue="80000000"/>
4721 <field name="smb_netlogon.flags.expire" showname=".... .... .... .... .... ..0. .... .... = Expire: User password will expire" size="4" pos="298" show="0" value="0" unmaskedvalue="80000000"/>
4722 <field name="smb_netlogon.flags.server" showname=".... .... .... .... .... ...0 .... .... = Server Trust: NOT a Server Trust user account" size="4" pos="298" show="0" value="0" unmaskedvalue="80000000"/>
4723 <field name="smb_netlogon.flags.workstation" showname=".... .... .... .... .... .... 1... .... = Workstation Trust: Workstation Trust user account" size="4" pos="298" show="1" value="FFFFFFFF" unmaskedvalue="80000000"/>
4724 <field name="smb_netlogon.flags.interdomain" showname=".... .... .... .... .... .... .0.. .... = Interdomain Trust: NOT a Inter-domain Trust user account" size="4" pos="298" show="0" value="0" unmaskedvalue="80000000"/>
4725 <field name="smb_netlogon.flags.mns" showname=".... .... .... .... .... .... ..0. .... = MNS User: NOT a MNS Logon user account" size="4" pos="298" show="0" value="0" unmaskedvalue="80000000"/>
4726 <field name="smb_netlogon.flags.normal" showname=".... .... .... .... .... .... ...0 .... = Normal User: NOT a normal user account" size="4" pos="298" show="0" value="0" unmaskedvalue="80000000"/>
4727 <field name="smb_netlogon.flags.temp_dup" showname=".... .... .... .... .... .... .... 0... = Temp Duplicate User: NOT a temp duplicate user account" size="4" pos="298" show="0" value="0" unmaskedvalue="80000000"/>
4728 <field name="smb_netlogon.flags.password" showname=".... .... .... .... .... .... .... .0.. = Password: Password required" size="4" pos="298" show="0" value="0" unmaskedvalue="80000000"/>
4729 <field name="smb_netlogon.flags.homedir" showname=".... .... .... .... .... .... .... ..0. = Homedir: Homedir required" size="4" pos="298" show="0" value="0" unmaskedvalue="80000000"/>
4730 <field name="smb_netlogon.flags.enabled" showname=".... .... .... .... .... .... .... ...0 = Enabled: User account disabled" size="4" pos="298" show="0" value="0" unmaskedvalue="80000000"/>
4731 </field>
4732 <field name="smb_netlogon.domain_sid_size" showname="Domain SID Size: 0" size="4" pos="302" show="0" value="00000000"/>
4733 <field name="smb_netlogon.nt_version" showname="NT Version: 11" size="4" pos="306" show="11" value="0b000000"/>
4734 <field name="smb_netlogon.lmnt_token" showname="LMNT Token: 0xffff (Windows NT Networking)" size="2" pos="310" show="0x0000ffff" value="ffff"/>
4735 <field name="smb_netlogon.lm_token" showname="LM20 Token: 0xffff (LanMan 2.0 or higher)" size="2" pos="312" show="0x0000ffff" value="ffff"/>
4736 </proto>
4737 </packet>
4739 <packet>
4740 <proto name="geninfo" pos="0" showname="General information" size="248">
4741 <field name="num" pos="0" show="64697" showname="Number" value="fcb9" size="248"/>
4742 <field name="len" pos="0" show="248" showname="Frame Length" value="f8" size="248"/>
4743 <field name="caplen" pos="0" show="248" showname="Captured Length" value="f8" size="248"/>
4744 <field name="timestamp" pos="0" show="Feb 10, 2017 14:38:39.940434000 NZDT" showname="Captured Time" value="1486690719.940434000" size="248"/>
4745 </proto>
4746 <proto name="frame" showname="Frame 64697: 248 bytes on wire (1984 bits), 248 bytes captured (1984 bits)" size="248" pos="0">
4747 <field name="frame.encap_type" showname="Encapsulation type: Raw IP (7)" size="0" pos="0" show="7"/>
4748 <field name="frame.time" showname="Arrival Time: Feb 10, 2017 14:38:39.940434000 NZDT" size="0" pos="0" show="Feb 10, 2017 14:38:39.940434000 NZDT"/>
4749 <field name="frame.offset_shift" showname="Time shift for this packet: 0.000000000 seconds" size="0" pos="0" show="0.000000000"/>
4750 <field name="frame.time_epoch" showname="Epoch Time: 1486690719.940434000 seconds" size="0" pos="0" show="1486690719.940434000"/>
4751 <field name="frame.time_delta" showname="Time delta from previous captured frame: 0.000173000 seconds" size="0" pos="0" show="0.000173000"/>
4752 <field name="frame.time_delta_displayed" showname="Time delta from previous displayed frame: 0.000173000 seconds" size="0" pos="0" show="0.000173000"/>
4753 <field name="frame.time_relative" showname="Time since reference or first frame: 143.409983000 seconds" size="0" pos="0" show="143.409983000"/>
4754 <field name="frame.number" showname="Frame Number: 64697" size="0" pos="0" show="64697"/>
4755 <field name="frame.len" showname="Frame Length: 248 bytes (1984 bits)" size="0" pos="0" show="248"/>
4756 <field name="frame.cap_len" showname="Capture Length: 248 bytes (1984 bits)" size="0" pos="0" show="248"/>
4757 <field name="frame.marked" showname="Frame is marked: False" size="0" pos="0" show="0"/>
4758 <field name="frame.ignored" showname="Frame is ignored: False" size="0" pos="0" show="0"/>
4759 <field name="frame.protocols" showname="Protocols in frame: raw:ip:tcp:ldap:gss-api:spnego-krb5" size="0" pos="0" show="raw:ip:tcp:ldap:gss-api:spnego-krb5"/>
4760 </proto>
4761 <proto name="raw" showname="Raw packet data" size="248" pos="0"/>
4762 <proto name="ip" showname="Internet Protocol Version 4, Src: 127.0.0.11, Dst: 127.0.0.21" size="20" pos="0">
4763 <field name="ip.version" showname="0100 .... = Version: 4" size="1" pos="0" show="4" value="4" unmaskedvalue="45"/>
4764 <field name="ip.hdr_len" showname=".... 0101 = Header Length: 20 bytes" size="1" pos="0" show="5" value="5" unmaskedvalue="45"/>
4765 <field name="ip.dsfield" showname="Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)" size="1" pos="1" show="0x00000000" value="00">
4766 <field name="ip.dsfield.dscp" showname="0000 00.. = Differentiated Services Codepoint: Default (0)" size="1" pos="1" show="0" value="0" unmaskedvalue="00"/>
4767 <field name="ip.dsfield.ecn" showname=".... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)" size="1" pos="1" show="0" value="0" unmaskedvalue="00"/>
4768 </field>
4769 <field name="ip.len" showname="Total Length: 248" size="2" pos="2" show="248" value="00f8"/>
4770 <field name="ip.id" showname="Identification: 0xffff (65535)" size="2" pos="4" show="0x0000ffff" value="ffff"/>
4771 <field name="ip.flags" showname="Flags: 0x02 (Don&#x27;t Fragment)" size="1" pos="6" show="0x00000002" value="40">
4772 <field name="ip.flags.rb" showname="0... .... = Reserved bit: Not set" size="1" pos="6" show="0" value="40"/>
4773 <field name="ip.flags.df" showname=".1.. .... = Don&#x27;t fragment: Set" size="1" pos="6" show="1" value="40"/>
4774 <field name="ip.flags.mf" showname="..0. .... = More fragments: Not set" size="1" pos="6" show="0" value="40"/>
4775 </field>
4776 <field name="ip.frag_offset" showname="Fragment offset: 0" size="2" pos="6" show="0" value="4000"/>
4777 <field name="ip.ttl" showname="Time to live: 255" size="1" pos="8" show="255" value="ff"/>
4778 <field name="ip.proto" showname="Protocol: TCP (6)" size="1" pos="9" show="6" value="06"/>
4779 <field name="ip.checksum" showname="Header checksum: 0x0000 [validation disabled]" size="2" pos="10" show="0x00000000" value="0000">
4780 <field name="ip.checksum_good" showname="Good: False" size="2" pos="10" show="0" value="0000"/>
4781 <field name="ip.checksum_bad" showname="Bad: False" size="2" pos="10" show="0" value="0000"/>
4782 </field>
4783 <field name="ip.src" showname="Source: 127.0.0.11" size="4" pos="12" show="127.0.0.11" value="7f00000b"/>
4784 <field name="ip.addr" showname="Source or Destination Address: 127.0.0.11" hide="yes" size="4" pos="12" show="127.0.0.11" value="7f00000b"/>
4785 <field name="ip.src_host" showname="Source Host: 127.0.0.11" hide="yes" size="4" pos="12" show="127.0.0.11" value="7f00000b"/>
4786 <field name="ip.host" showname="Source or Destination Host: 127.0.0.11" hide="yes" size="4" pos="12" show="127.0.0.11" value="7f00000b"/>
4787 <field name="ip.dst" showname="Destination: 127.0.0.21" size="4" pos="16" show="127.0.0.21" value="7f000015"/>
4788 <field name="ip.addr" showname="Source or Destination Address: 127.0.0.21" hide="yes" size="4" pos="16" show="127.0.0.21" value="7f000015"/>
4789 <field name="ip.dst_host" showname="Destination Host: 127.0.0.21" hide="yes" size="4" pos="16" show="127.0.0.21" value="7f000015"/>
4790 <field name="ip.host" showname="Source or Destination Host: 127.0.0.21" hide="yes" size="4" pos="16" show="127.0.0.21" value="7f000015"/>
4791 <field name="" show="Source GeoIP: Unknown" size="4" pos="12" value="7f00000b"/>
4792 <field name="" show="Destination GeoIP: Unknown" size="4" pos="16" value="7f000015"/>
4793 </proto>
4794 <proto name="tcp" showname="Transmission Control Protocol, Src Port: 18512 (18512), Dst Port: 389 (389), Seq: 7674, Ack: 11148, Len: 208" size="20" pos="20">
4795 <field name="tcp.srcport" showname="Source Port: 18512" size="2" pos="20" show="18512" value="4850"/>
4796 <field name="tcp.dstport" showname="Destination Port: 389" size="2" pos="22" show="389" value="0185"/>
4797 <field name="tcp.port" showname="Source or Destination Port: 18512" hide="yes" size="2" pos="20" show="18512" value="4850"/>
4798 <field name="tcp.port" showname="Source or Destination Port: 389" hide="yes" size="2" pos="22" show="389" value="0185"/>
4799 <field name="tcp.stream" showname="Stream index: 1400" size="0" pos="20" show="1400"/>
4800 <field name="tcp.len" showname="TCP Segment Len: 208" size="1" pos="32" show="208" value="50"/>
4801 <field name="tcp.seq" showname="Sequence number: 7674 (relative sequence number)" size="4" pos="24" show="7674" value="00001dfa"/>
4802 <field name="tcp.nxtseq" showname="Next sequence number: 7882 (relative sequence number)" size="0" pos="20" show="7882"/>
4803 <field name="tcp.ack" showname="Acknowledgment number: 11148 (relative ack number)" size="4" pos="28" show="11148" value="00002b8c"/>
4804 <field name="tcp.hdr_len" showname="Header Length: 20 bytes" size="1" pos="32" show="20" value="50"/>
4805 <field name="tcp.flags" showname="Flags: 0x018 (PSH, ACK)" size="2" pos="32" show="0x00000018" value="18" unmaskedvalue="5018">
4806 <field name="tcp.flags.res" showname="000. .... .... = Reserved: Not set" size="1" pos="32" show="0" value="0" unmaskedvalue="50"/>
4807 <field name="tcp.flags.ns" showname="...0 .... .... = Nonce: Not set" size="1" pos="32" show="0" value="0" unmaskedvalue="50"/>
4808 <field name="tcp.flags.cwr" showname=".... 0... .... = Congestion Window Reduced (CWR): Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
4809 <field name="tcp.flags.ecn" showname=".... .0.. .... = ECN-Echo: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
4810 <field name="tcp.flags.urg" showname=".... ..0. .... = Urgent: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
4811 <field name="tcp.flags.ack" showname=".... ...1 .... = Acknowledgment: Set" size="1" pos="33" show="1" value="FFFFFFFF" unmaskedvalue="18"/>
4812 <field name="tcp.flags.push" showname=".... .... 1... = Push: Set" size="1" pos="33" show="1" value="FFFFFFFF" unmaskedvalue="18"/>
4813 <field name="tcp.flags.reset" showname=".... .... .0.. = Reset: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
4814 <field name="tcp.flags.syn" showname=".... .... ..0. = Syn: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
4815 <field name="tcp.flags.fin" showname=".... .... ...0 = Fin: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
4816 <field name="tcp.flags.str" showname="TCP Flags: *******AP***" size="2" pos="32" show="*******AP***" value="5018"/>
4817 </field>
4818 <field name="tcp.window_size_value" showname="Window size value: 32767" size="2" pos="34" show="32767" value="7fff"/>
4819 <field name="tcp.window_size" showname="Calculated window size: 32767" size="2" pos="34" show="32767" value="7fff"/>
4820 <field name="tcp.window_size_scalefactor" showname="Window size scaling factor: -2 (no window scaling used)" size="2" pos="34" show="-2" value="7fff"/>
4821 <field name="tcp.checksum" showname="Checksum: 0x0000 [validation disabled]" size="2" pos="36" show="0x00000000" value="0000">
4822 <field name="tcp.checksum_good" showname="Good Checksum: False" size="2" pos="36" show="0" value="0000"/>
4823 <field name="tcp.checksum_bad" showname="Bad Checksum: False" size="2" pos="36" show="0" value="0000"/>
4824 </field>
4825 <field name="tcp.urgent_pointer" showname="Urgent pointer: 0" size="2" pos="38" show="0" value="0000"/>
4826 <field name="tcp.analysis" showname="SEQ/ACK analysis" size="0" pos="20" show="" value="">
4827 <field name="tcp.analysis.acks_frame" showname="This is an ACK to the segment in frame: 64694" size="0" pos="20" show="64694"/>
4828 <field name="tcp.analysis.ack_rtt" showname="The RTT to ACK the segment was: 0.000241000 seconds" size="0" pos="20" show="0.000241000"/>
4829 <field name="tcp.analysis.initial_rtt" showname="iRTT: 0.000019000 seconds" size="0" pos="20" show="0.000019000"/>
4830 <field name="tcp.analysis.bytes_in_flight" showname="Bytes in flight: 208" size="0" pos="20" show="208"/>
4831 </field>
4832 <field name="tcp.pdu.size" showname="PDU Size: 208" size="208" pos="40" show="208" value="000000cc050404ff000c000c0000000034b876cafa1236459c941cdfeb431f613081ad0201346681a7043c636e3d6c6461707465737432636f6d70757465722c636e3d636f6d7075746572732c44433d73616d62612c44433d6578616d706c652c44433d636f6d306730650a010230600414736572766963655072696e636970616c4e616d6531480416686f73742f6c6461707465737432636f6d70757465720416686f73742f6c6461707465737432636f6d70757465720416636966732f6c6461707465737432636f6d7075746572"/>
4833 </proto>
<!-- LDAP carried inside a SASL/GSS-API security layer: a 4-byte SASL buffer length (204),
     then a Kerberos CFX Wrap token (28 bytes) and the LDAP payload (176 bytes). -->
4834 <proto name="ldap" showname="Lightweight Directory Access Protocol" size="208" pos="40">
4835 <field name="ldap.sasl_buffer_length" showname="SASL Buffer Length: 204" size="4" pos="40" show="204" value="000000cc"/>
4836 <field name="" show="SASL Buffer" size="208" pos="40" value="000000cc050404ff000c000c0000000034b876cafa1236459c941cdfeb431f613081ad0201346681a7043c636e3d6c6461707465737432636f6d70757465722c636e3d636f6d7075746572732c44433d73616d62612c44433d6578616d706c652c44433d636f6d306730650a010230600414736572766963655072696e636970616c4e616d6531480416686f73742f6c6461707465737432636f6d70757465720416686f73742f6c6461707465737432636f6d70757465720416636966732f6c6461707465737432636f6d7075746572">
<!-- Wrap token flags: AcceptorSubkey is set, Sealed is NOT set. The token carries a
     checksum (sgn_cksum) but the payload that follows is not encrypted, which is why
     the dissector can decode the LDAP message below. For data-exposure purposes an
     integrity-only security layer like this one leaves the request readable to anyone
     who can capture the traffic. -->
4837 <proto name="gss-api" showname="GSS-API Generic Security Service Application Program Interface" size="28" pos="44">
4838 <field name="spnego.krb5.blob" showname="krb5_blob: 050404ff000c000c0000000034b876cafa1236459c941cdf..." size="28" pos="44" show="05:04:04:ff:00:0c:00:0c:00:00:00:00:34:b8:76:ca:fa:12:36:45:9c:94:1c:df:eb:43:1f:61" value="050404ff000c000c0000000034b876cafa1236459c941cdfeb431f61">
4839 <field name="spnego.krb5.tok_id" showname="krb5_tok_id: KRB_TOKEN_CFX_WRAP (0x0405)" size="2" pos="44" show="0x00000405" value="0504"/>
4840 <field name="spnego.krb5.cfx_flags" showname="krb5_cfx_flags: 0x04, AcceptorSubkey" size="1" pos="46" show="0x00000004" value="04">
4841 <field name="spnego.krb5.acceptor_subkey" showname=".... .1.. = AcceptorSubkey: Set" size="1" pos="46" show="1" value="FFFFFFFF" unmaskedvalue="04"/>
4842 <field name="spnego.krb5.sealed" showname=".... ..0. = Sealed: Not set" size="1" pos="46" show="0" value="0" unmaskedvalue="04"/>
4843 <field name="spnego.krb5.send_by_acceptor" showname=".... ...0 = SendByAcceptor: Not set" size="1" pos="46" show="0" value="0" unmaskedvalue="04"/>
4844 </field>
4845 <field name="spnego.krb5.filler" showname="krb5_filler: ff" size="1" pos="47" show="ff" value="ff"/>
4846 <field name="spnego.krb5.cfx_ec" showname="krb5_cfx_ec: 12" size="2" pos="48" show="12" value="000c"/>
4847 <field name="spnego.krb5.cfx_rrc" showname="krb5_cfx_rrc: 12" size="2" pos="50" show="12" value="000c"/>
4848 <field name="spnego.krb5.cfx_seq" showname="krb5_cfx_seq: 884504266" size="8" pos="52" show="884504266" value="0000000034b876ca"/>
4849 <field name="spnego.krb5.sgn_cksum" showname="krb5_sgn_cksum: fa1236459c941cdfeb431f61" size="12" pos="60" show="fa:12:36:45:9c:94:1c:df:eb:43:1f:61" value="fa1236459c941cdfeb431f61"/>
4850 </field>
4851 </proto>
<!-- Unsealed payload: modifyRequest (messageID 52) that replaces servicePrincipalName on
     cn=ldaptest2computer with three values (host/ twice, cifs/ once). Writes to
     servicePrincipalName are worth auditing on the directory side, since the attribute
     ties Kerberos service names to an account. -->
4852 <field name="" show="GSS-API payload (176 bytes)" size="176" pos="72" value="3081ad0201346681a7043c636e3d6c6461707465737432636f6d70757465722c636e3d636f6d7075746572732c44433d73616d62612c44433d6578616d706c652c44433d636f6d306730650a010230600414736572766963655072696e636970616c4e616d6531480416686f73742f6c6461707465737432636f6d70757465720416686f73742f6c6461707465737432636f6d70757465720416636966732f6c6461707465737432636f6d7075746572">
4853 <field name="ldap.LDAPMessage_element" showname="LDAPMessage modifyRequest(52) &quot;cn=ldaptest2computer,cn=computers,DC=samba,DC=example,DC=com&quot;" size="176" pos="72" show="" value="">
4854 <field name="ldap.messageID" showname="messageID: 52" size="1" pos="77" show="52" value="34"/>
4855 <field name="ldap.protocolOp" showname="protocolOp: modifyRequest (6)" size="170" pos="78" show="6" value="6681a7043c636e3d6c6461707465737432636f6d70757465722c636e3d636f6d7075746572732c44433d73616d62612c44433d6578616d706c652c44433d636f6d306730650a010230600414736572766963655072696e636970616c4e616d6531480416686f73742f6c6461707465737432636f6d70757465720416686f73742f6c6461707465737432636f6d70757465720416636966732f6c6461707465737432636f6d7075746572">
4856 <field name="ldap.modifyRequest_element" showname="modifyRequest" size="167" pos="81" show="" value="">
4857 <field name="ldap.object" showname="object: cn=ldaptest2computer,cn=computers,DC=samba,DC=example,DC=com" size="60" pos="83" show="cn=ldaptest2computer,cn=computers,DC=samba,DC=example,DC=com" value="636e3d6c6461707465737432636f6d70757465722c636e3d636f6d7075746572732c44433d73616d62612c44433d6578616d706c652c44433d636f6d"/>
4858 <field name="ldap.modification" showname="modification: 1 item" size="103" pos="145" show="1" value="30650a010230600414736572766963655072696e636970616c4e616d6531480416686f73742f6c6461707465737432636f6d70757465720416686f73742f6c6461707465737432636f6d70757465720416636966732f6c6461707465737432636f6d7075746572">
4859 <field name="ldap.modification_item_element" showname="modification item" size="103" pos="145" show="" value="">
4860 <field name="ldap.operation" showname="operation: replace (2)" size="1" pos="149" show="2" value="02"/>
4861 <field name="ldap.modification_element" showname="modification servicePrincipalName" size="98" pos="150" show="" value="">
4862 <field name="ldap.type" showname="type: servicePrincipalName" size="20" pos="154" show="servicePrincipalName" value="736572766963655072696e636970616c4e616d65"/>
4863 <field name="ldap.vals" showname="vals: 3 items" size="72" pos="176" show="3" value="0416686f73742f6c6461707465737432636f6d70757465720416686f73742f6c6461707465737432636f6d70757465720416636966732f6c6461707465737432636f6d7075746572">
4864 <field name="ldap.AttributeValue" showname="AttributeValue: host/ldaptest2computer" size="22" pos="178" show="68:6f:73:74:2f:6c:64:61:70:74:65:73:74:32:63:6f:6d:70:75:74:65:72" value="686f73742f6c6461707465737432636f6d7075746572"/>
4865 <field name="ldap.AttributeValue" showname="AttributeValue: host/ldaptest2computer" size="22" pos="202" show="68:6f:73:74:2f:6c:64:61:70:74:65:73:74:32:63:6f:6d:70:75:74:65:72" value="686f73742f6c6461707465737432636f6d7075746572"/>
4866 <field name="ldap.AttributeValue" showname="AttributeValue: cifs/ldaptest2computer" size="22" pos="226" show="63:69:66:73:2f:6c:64:61:70:74:65:73:74:32:63:6f:6d:70:75:74:65:72" value="636966732f6c6461707465737432636f6d7075746572"/>
4867 </field>
4868 </field>
4869 </field>
4870 </field>
4871 </field>
4872 </field>
4873 </field>
4874 </field>
4875 </field>
4876 </proto>
4877 </packet>
<!-- Frame 51638: LDAP simple bindRequest from 127.0.0.11:18036 to 127.0.0.21:389.
     The protocol stack is raw:ip:tcp:ldap, i.e. LDAP sits directly on TCP with no TLS
     or SASL security layer in between. -->
4879 <packet>
4880 <proto name="geninfo" pos="0" showname="General information" size="95">
4881 <field name="num" pos="0" show="51638" showname="Number" value="c9b6" size="95"/>
4882 <field name="len" pos="0" show="95" showname="Frame Length" value="5f" size="95"/>
4883 <field name="caplen" pos="0" show="95" showname="Captured Length" value="5f" size="95"/>
4884 <field name="timestamp" pos="0" show="Feb 10, 2017 14:38:02.579057000 NZDT" showname="Captured Time" value="1486690682.579057000" size="95"/>
4885 </proto>
4886 <proto name="frame" showname="Frame 51638: 95 bytes on wire (760 bits), 95 bytes captured (760 bits)" size="95" pos="0">
4887 <field name="frame.encap_type" showname="Encapsulation type: Raw IP (7)" size="0" pos="0" show="7"/>
4888 <field name="frame.time" showname="Arrival Time: Feb 10, 2017 14:38:02.579057000 NZDT" size="0" pos="0" show="Feb 10, 2017 14:38:02.579057000 NZDT"/>
4889 <field name="frame.offset_shift" showname="Time shift for this packet: 0.000000000 seconds" size="0" pos="0" show="0.000000000"/>
4890 <field name="frame.time_epoch" showname="Epoch Time: 1486690682.579057000 seconds" size="0" pos="0" show="1486690682.579057000"/>
4891 <field name="frame.time_delta" showname="Time delta from previous captured frame: 0.000038000 seconds" size="0" pos="0" show="0.000038000"/>
4892 <field name="frame.time_delta_displayed" showname="Time delta from previous displayed frame: 0.000038000 seconds" size="0" pos="0" show="0.000038000"/>
4893 <field name="frame.time_relative" showname="Time since reference or first frame: 106.048606000 seconds" size="0" pos="0" show="106.048606000"/>
4894 <field name="frame.number" showname="Frame Number: 51638" size="0" pos="0" show="51638"/>
4895 <field name="frame.len" showname="Frame Length: 95 bytes (760 bits)" size="0" pos="0" show="95"/>
4896 <field name="frame.cap_len" showname="Capture Length: 95 bytes (760 bits)" size="0" pos="0" show="95"/>
4897 <field name="frame.marked" showname="Frame is marked: False" size="0" pos="0" show="0"/>
4898 <field name="frame.ignored" showname="Frame is ignored: False" size="0" pos="0" show="0"/>
4899 <field name="frame.protocols" showname="Protocols in frame: raw:ip:tcp:ldap" size="0" pos="0" show="raw:ip:tcp:ldap"/>
4900 </proto>
4901 <proto name="raw" showname="Raw packet data" size="95" pos="0"/>
4902 <proto name="ip" showname="Internet Protocol Version 4, Src: 127.0.0.11, Dst: 127.0.0.21" size="20" pos="0">
4903 <field name="ip.version" showname="0100 .... = Version: 4" size="1" pos="0" show="4" value="4" unmaskedvalue="45"/>
4904 <field name="ip.hdr_len" showname=".... 0101 = Header Length: 20 bytes" size="1" pos="0" show="5" value="5" unmaskedvalue="45"/>
4905 <field name="ip.dsfield" showname="Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)" size="1" pos="1" show="0x00000000" value="00">
4906 <field name="ip.dsfield.dscp" showname="0000 00.. = Differentiated Services Codepoint: Default (0)" size="1" pos="1" show="0" value="0" unmaskedvalue="00"/>
4907 <field name="ip.dsfield.ecn" showname=".... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)" size="1" pos="1" show="0" value="0" unmaskedvalue="00"/>
4908 </field>
4909 <field name="ip.len" showname="Total Length: 95" size="2" pos="2" show="95" value="005f"/>
4910 <field name="ip.id" showname="Identification: 0xffff (65535)" size="2" pos="4" show="0x0000ffff" value="ffff"/>
4911 <field name="ip.flags" showname="Flags: 0x02 (Don&#x27;t Fragment)" size="1" pos="6" show="0x00000002" value="40">
4912 <field name="ip.flags.rb" showname="0... .... = Reserved bit: Not set" size="1" pos="6" show="0" value="40"/>
4913 <field name="ip.flags.df" showname=".1.. .... = Don&#x27;t fragment: Set" size="1" pos="6" show="1" value="40"/>
4914 <field name="ip.flags.mf" showname="..0. .... = More fragments: Not set" size="1" pos="6" show="0" value="40"/>
4915 </field>
4916 <field name="ip.frag_offset" showname="Fragment offset: 0" size="2" pos="6" show="0" value="4000"/>
4917 <field name="ip.ttl" showname="Time to live: 255" size="1" pos="8" show="255" value="ff"/>
4918 <field name="ip.proto" showname="Protocol: TCP (6)" size="1" pos="9" show="6" value="06"/>
<!-- IP and TCP checksums in this frame are 0x0000 with validation disabled; both
     checksum_good and checksum_bad read False, so neither says anything about integrity. -->
4919 <field name="ip.checksum" showname="Header checksum: 0x0000 [validation disabled]" size="2" pos="10" show="0x00000000" value="0000">
4920 <field name="ip.checksum_good" showname="Good: False" size="2" pos="10" show="0" value="0000"/>
4921 <field name="ip.checksum_bad" showname="Bad: False" size="2" pos="10" show="0" value="0000"/>
4922 </field>
4923 <field name="ip.src" showname="Source: 127.0.0.11" size="4" pos="12" show="127.0.0.11" value="7f00000b"/>
4924 <field name="ip.addr" showname="Source or Destination Address: 127.0.0.11" hide="yes" size="4" pos="12" show="127.0.0.11" value="7f00000b"/>
4925 <field name="ip.src_host" showname="Source Host: 127.0.0.11" hide="yes" size="4" pos="12" show="127.0.0.11" value="7f00000b"/>
4926 <field name="ip.host" showname="Source or Destination Host: 127.0.0.11" hide="yes" size="4" pos="12" show="127.0.0.11" value="7f00000b"/>
4927 <field name="ip.dst" showname="Destination: 127.0.0.21" size="4" pos="16" show="127.0.0.21" value="7f000015"/>
4928 <field name="ip.addr" showname="Source or Destination Address: 127.0.0.21" hide="yes" size="4" pos="16" show="127.0.0.21" value="7f000015"/>
4929 <field name="ip.dst_host" showname="Destination Host: 127.0.0.21" hide="yes" size="4" pos="16" show="127.0.0.21" value="7f000015"/>
4930 <field name="ip.host" showname="Source or Destination Host: 127.0.0.21" hide="yes" size="4" pos="16" show="127.0.0.21" value="7f000015"/>
4931 <field name="" show="Source GeoIP: Unknown" size="4" pos="12" value="7f00000b"/>
4932 <field name="" show="Destination GeoIP: Unknown" size="4" pos="16" value="7f000015"/>
4933 </proto>
4934 <proto name="tcp" showname="Transmission Control Protocol, Src Port: 18036 (18036), Dst Port: 389 (389), Seq: 1, Ack: 1, Len: 55" size="20" pos="20">
4935 <field name="tcp.srcport" showname="Source Port: 18036" size="2" pos="20" show="18036" value="4674"/>
4936 <field name="tcp.dstport" showname="Destination Port: 389" size="2" pos="22" show="389" value="0185"/>
4937 <field name="tcp.port" showname="Source or Destination Port: 18036" hide="yes" size="2" pos="20" show="18036" value="4674"/>
4938 <field name="tcp.port" showname="Source or Destination Port: 389" hide="yes" size="2" pos="22" show="389" value="0185"/>
4939 <field name="tcp.stream" showname="Stream index: 1207" size="0" pos="20" show="1207"/>
4940 <field name="tcp.len" showname="TCP Segment Len: 55" size="1" pos="32" show="55" value="50"/>
4941 <field name="tcp.seq" showname="Sequence number: 1 (relative sequence number)" size="4" pos="24" show="1" value="00000001"/>
4942 <field name="tcp.nxtseq" showname="Next sequence number: 56 (relative sequence number)" size="0" pos="20" show="56"/>
4943 <field name="tcp.ack" showname="Acknowledgment number: 1 (relative ack number)" size="4" pos="28" show="1" value="00000001"/>
4944 <field name="tcp.hdr_len" showname="Header Length: 20 bytes" size="1" pos="32" show="20" value="50"/>
4945 <field name="tcp.flags" showname="Flags: 0x018 (PSH, ACK)" size="2" pos="32" show="0x00000018" value="18" unmaskedvalue="5018">
4946 <field name="tcp.flags.res" showname="000. .... .... = Reserved: Not set" size="1" pos="32" show="0" value="0" unmaskedvalue="50"/>
4947 <field name="tcp.flags.ns" showname="...0 .... .... = Nonce: Not set" size="1" pos="32" show="0" value="0" unmaskedvalue="50"/>
4948 <field name="tcp.flags.cwr" showname=".... 0... .... = Congestion Window Reduced (CWR): Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
4949 <field name="tcp.flags.ecn" showname=".... .0.. .... = ECN-Echo: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
4950 <field name="tcp.flags.urg" showname=".... ..0. .... = Urgent: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
4951 <field name="tcp.flags.ack" showname=".... ...1 .... = Acknowledgment: Set" size="1" pos="33" show="1" value="FFFFFFFF" unmaskedvalue="18"/>
4952 <field name="tcp.flags.push" showname=".... .... 1... = Push: Set" size="1" pos="33" show="1" value="FFFFFFFF" unmaskedvalue="18"/>
4953 <field name="tcp.flags.reset" showname=".... .... .0.. = Reset: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
4954 <field name="tcp.flags.syn" showname=".... .... ..0. = Syn: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
4955 <field name="tcp.flags.fin" showname=".... .... ...0 = Fin: Not set" size="1" pos="33" show="0" value="0" unmaskedvalue="18"/>
4956 <field name="tcp.flags.str" showname="TCP Flags: *******AP***" size="2" pos="32" show="*******AP***" value="5018"/>
4957 </field>
4958 <field name="tcp.window_size_value" showname="Window size value: 32767" size="2" pos="34" show="32767" value="7fff"/>
4959 <field name="tcp.window_size" showname="Calculated window size: 32767" size="2" pos="34" show="32767" value="7fff"/>
4960 <field name="tcp.window_size_scalefactor" showname="Window size scaling factor: -2 (no window scaling used)" size="2" pos="34" show="-2" value="7fff"/>
4961 <field name="tcp.checksum" showname="Checksum: 0x0000 [validation disabled]" size="2" pos="36" show="0x00000000" value="0000">
4962 <field name="tcp.checksum_good" showname="Good Checksum: False" size="2" pos="36" show="0" value="0000"/>
4963 <field name="tcp.checksum_bad" showname="Bad Checksum: False" size="2" pos="36" show="0" value="0000"/>
4964 </field>
4965 <field name="tcp.urgent_pointer" showname="Urgent pointer: 0" size="2" pos="38" show="0" value="0000"/>
4966 <field name="tcp.analysis" showname="SEQ/ACK analysis" size="0" pos="20" show="" value="">
4967 <field name="tcp.analysis.initial_rtt" showname="iRTT: 0.000073000 seconds" size="0" pos="20" show="0.000073000"/>
4968 <field name="tcp.analysis.bytes_in_flight" showname="Bytes in flight: 55" size="0" pos="20" show="55"/>
4969 </field>
4970 <field name="tcp.pdu.size" showname="PDU Size: 55" size="55" pos="40" show="55" value="30350201016030020103041f41646d696e6973747261746f724053414d42412e4558414d504c452e434f4d800a6c6f6344437061737331"/>
4971 </proto>
<!-- Simple bind as Administrator@SAMBA.EXAMPLE.COM. With simple authentication the
     password travels as plain bytes in ldap.simple; the value attributes here are only
     the hex form of those bytes (compare ldap.name, whose hex is the ASCII of its show
     text). The same bytes are repeated in ldap.protocolOp and in tcp.pdu.size above, so
     redacting one field alone does not remove the credential from the file.
     Simple binds should only be accepted inside TLS (LDAPS or StartTLS); a capture
     filter on the ldap.simple field finds clients that still send them in the clear.
     NOTE(review): presumably this is a throwaway selftest credential; confirm that
     before reusing this fixture outside the test tree. -->
4972 <proto name="ldap" showname="Lightweight Directory Access Protocol" size="55" pos="40">
4973 <field name="ldap.LDAPMessage_element" showname="LDAPMessage bindRequest(1) &quot;Administrator@SAMBA.EXAMPLE.COM&quot; simple" size="55" pos="40" show="" value="">
4974 <field name="ldap.messageID" showname="messageID: 1" size="1" pos="44" show="1" value="01"/>
4975 <field name="ldap.protocolOp" showname="protocolOp: bindRequest (0)" size="50" pos="45" show="0" value="6030020103041f41646d696e6973747261746f724053414d42412e4558414d504c452e434f4d800a6c6f6344437061737331">
4976 <field name="ldap.bindRequest_element" showname="bindRequest" size="48" pos="47" show="" value="">
4977 <field name="ldap.version" showname="version: 3" size="1" pos="49" show="3" value="03"/>
4978 <field name="ldap.name" showname="name: Administrator@SAMBA.EXAMPLE.COM" size="31" pos="52" show="Administrator@SAMBA.EXAMPLE.COM" value="41646d696e6973747261746f724053414d42412e4558414d504c452e434f4d"/>
4979 <field name="ldap.authentication" showname="authentication: simple (0)" size="10" pos="85" show="0" value="6c6f6344437061737331">
4980 <field name="ldap.simple" showname="simple: 6c6f6344437061737331" size="10" pos="85" show="6c:6f:63:44:43:70:61:73:73:31" value="6c6f6344437061737331"/>
4981 </field>
4982 </field>
4983 </field>
4984 </field>
4985 </proto>
4986 </packet>
4989 </pdml>