Archive for 7th February 2014

¡Ay CRAMBA There’s Signs!

 

Sunday’s ¡Ay CRAMBA It’s Cold Out! event is going to feature both a hard and easy route, and to support this I needed to make signs. Here they are, made from white Coroplast (liberated from a roadside) covered with green gaffer tape, and nailed to wooden stacks from the Massive Fallout marking supplies. Marking was done by hand, but seems to have worked out fairly well.

I anticipate it being fairly easy to push these into the snow, allowing the bright green 6″ x 9″ signs to guide people along the routes. They bundle up small enough that I should have no difficulty fitting them all in one backpack, making for an pre-event trail marking session.

(The easy route will cut off the hilliest parts of the trail; a section which many find too frustrating to ride in deep snow.)

Microsoft Network Monitor Filter for Hidden Attribute

Today I had to troubleshoot how some files/folders on a share are ending up hidden, so this took some digging into SMB and display filters in Microsoft Network Monitor. Since this wasn’t particularly easy to find I wanted to share it here. This is the filter for displaying when a file or folder is having its hidden attribute set (check box via Properties in Explorer or via attrib +h) over SMB:

SMB.CTransaction2.FileBasicDataBlock.Attributes.Hidden == 0x1

This can be combined with a search through the Description to find specific file or folder names. For example:

SMB.CTransaction2.FileBasicDataBlock.Attributes.Hidden == 0x1
AND
Contains(Property.Description, “handle.exe”)

For SMB2 the filter string is as follows:

SMB2.CSetInfo.FileInfo.FileBasicInformation.FileAttributes.FSSCFileAttribute.Hidden == 0x1

Unfortunately, with SMB2 the file/path info will not be included in the frame shown by the aforementioned filter. This can be identified by looking up the session ID (SMB2.SMB2Header.SessionId == NNNN)  and filtering on that, looking at either the CREATE or CLOSE operations near the beginning and end of each session. So, I also capture the CREATE operations for the path I’m looking for, then manually correlate them (with a bit of filtering) after observing the issue. This results in the SMB2 portion of the filter looking something like this once combined with the related SMB filter:

( SMB.CTransaction2.FileBasicDataBlock.Attributes == 0x1
  AND
  Contains(Property.Description, “file_of_interest.txt”)
)
OR
SMB2.CSetInfo.FileInfo.FileBasicInformation.FileAttributes.FSCCFileAttribute.Hidden == 0x1
OR
( SMB2.SMB2Header.Command == 0x5
  AND
  Contains(SMB2.CCreate.Name, “file_of_interest.txt”)
)