While I haven't done anything specifically with SMB, I did come up with the following a few years back: it might prove useful in your research:<br><br><a href="http://www.adminprep.com/articles/default.asp?action=show&articleid=52">
http://www.adminprep.com/articles/default.asp?action=show&articleid=52</a><br><br>It covers taking an ethereal data cap, and taking portions of it to come up with the original content, i.e. .wav's, .mov's, .zip's, .jpg's, etc. You get the idea.
<br><br>If you have any sanitized caps you want to send my way, I'd be happy to play around with them, as well.<br><br>Mike<br><br><div><span class="gmail_quote">On 2/26/07, <b class="gmail_sendername">Jim O'Gorman
</b> <<a href="mailto:jogorman@gmail.com">jogorman@gmail.com</a>> wrote:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">I have been working with extracting files from full-content SMB packet captures. I would like to compare what I have found with other sources to see how right/wrong I am about a few things.
<br><br>Does anyone have good sources of examples on pulling files out of SMB packet captures I can use as a reference? Tools or write ups would be great.
<br><br>Thanks <br><span class="sg">Jim<br>
</span><br>_______________________________________________<br>Full-Disclosure - We believe in it.<br>Charter: <a onclick="return top.js.OpenExtLink(window,event,this)" href="http://lists.grok.org.uk/full-disclosure-charter.html" target="_blank">
http://lists.grok.org.uk/full-disclosure-charter.html</a><br>Hosted and sponsored by Secunia - <a onclick="return top.js.OpenExtLink(window,event,this)" href="http://secunia.com/" target="_blank">http://secunia.com/</a><br>
</blockquote></div><br>