1 | initial version |
Hi SunMan,
If you captured the session setup, you should be able to see the username used to connect to the share.
I suggest trying the simple display filter smb2.acct
It should display all SMB2 packets where the session ID shows the Account field.
You can even apply this field as a column to help you sort out the information.
Hope that helps.
Cheers,
JFD