Ask Your Question

Revision history [back]

Hi SunMan,

If you captured the session setup, you should be able to see the username used to connect to the share.

I suggest trying the simple display filter smb2.acct

It should display all SMB2 packets where the session ID shows the Account field.

You can even apply this field as a column to help you sort out the information.

Hope that helps.

Cheers,

JFD