Ask Your Question
0

How to find what user accessed \\computerName\Folder?

asked 2019-07-11 16:04:54 +0000

SunMan gravatar image

Hello guys,

I am trying to figure out how to find who accessed my share folder if I take traces on destination machine. I can see smb2 with what was accessed on the local server but not who did access.

thanks, SunMan

edit retag flag offensive close merge delete
add a comment

1 Answer

Sort by ยป oldest newest most voted
1

answered 2019-07-11 23:59:34 +0000

Spooky gravatar image

Hi SunMan,

If you captured the session setup, you should be able to see the username used to connect to the share.

I suggest trying the simple display filter smb2.acct

It should display all SMB2 packets where the session ID shows the Account field.

You can even apply this field as a column to help you sort out the information.

Hope that helps.

Cheers,

JFD

edit flag offensive delete link more
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2019-07-11 16:04:54 +0000

Seen: 1,087 times

Last updated: Jul 11 '19

Related questions

Wireshark 2.4.1 GTK Crash on long run

Why redirection of VoIP calls to voicemail fails?

Capture incoming packets from remote web server

How do I get and display packet data information at a specific byte from the first byte?

Client is waiting for FIN flag from server for 30 sec

wifi disconnects as wireshark starts

How do I add "child item" to an item in the subtree?

What is the syntax for wireshark custom column

Getting error MSB4018 when trying to build wireshark sources

Monitoring UDP data on wireshark shows ARP packet