I am trying to get Filemon and filespy generate logs for network share
access, but without luck.
If I have a share like \<directory>
in a machine, and I connect to it from another machine with ipaddr2 as IP
Address, and copy some files, shouldn’t filemon/filespy generate logs for
these requests?
I have tried enabling these two tools for Network traffic also, in filemon
in the “Volumes” menu Network was ticked, and in filespy I attached it to
\Device\LanmanRedirector, but no logs were generated of this operation.
Am I looking in the wrong place?
–
- amitr0
> If I have a share like \<directory>
> in a machine, and I connect to it from another machine
> with ipaddr2 as IP Address, and copy some files,
> shouldn’t filemon/filespy generate logs for these requests?
Yes. But in this case, you must attach not to a network volume
(coz this is if you are sending requests to a network,
not if the request comes from the network).
You will see the requests coming from the “system”
process.
L.
Ladislav,
Thanks for the reply and clarification, I will try this out.
I read the OSR paper on SRV, and also a veteran told me that the Lanman
component bypasses calls like ntread( ), NtWrite( ) and NtCreate( ). Is this
true? I did an experiment on this. I set a break point on the kernel's
ntCreate( ) and tried to access a share on the same machine from another.
There were no calls.
I read that ntCreate( ) and friends are implemented in the ntExec, and file
systems lie below it, so why don't I get any calls? Can you please explain?
thanks in advance,