Ask Your Question

Revision history [back]

click to hide/show revision 1
initial version

The filename is not in the write command packets, a GUID is present, which can be mapped to a file name. This is what the dissector shows you, this mapping which it picked up in other SMB2 packets. If you look at the GUID in the write command packet you'll see a link added to where the file was opened. This in turn is a response to a create request and that is the packet containing the filename.