Log filled with failed fruit!

[statalently]

Hi there,
My /var/log/messages are getting filled with lines such as:

Code:

Dec  5 17:02:24 freenas-wk smbd[90792]: [2019/12/05 17:02:24.715914,  0] ../source3/modules/vfs_fruit.c:4233(fruit_pread_meta_stream)
Dec  5 17:02:24 freenas-wk smbd[90792]:   fruit_pread_meta_stream: Removing [<filename>:AFP_AfpInfo] after short read [0]
Dec  5 17:02:24 freenas-wk smbd[90792]: [2019/12/05 17:02:24.716003,  0] ../source3/modules/vfs_fruit.c:4237(fruit_pread_meta_stream)
Dec  5 17:02:24 freenas-wk smbd[90792]:   fruit_pread_meta_stream: Removing [<filename>:AFP_AfpInfo] failed

(I replaced the file name with <filename>)

Does anyone know what the problem is?

SMB Share settings
VFS Objects:
catia, fruit, streams_xatttr, zfs_space, zfsacl

Auxiliary Parameters:
case sensitive = true
strict sync = no

SMB Service Auxiliary Parameters
strict sync = no

Thanks for any help!

 

[dlavigne]

Were you able to resolve this?

 

[statalently]

I was not, I'm just directing all these messages to their own set of log files. It can be 10MB a day and I haven't found any information online. Is there anywhere else I can go for help?
Thank you.

 

[seanm]

You could always try looking for the answer in the samba community.

 

[artlessknave]

I have nothing to contribute other than that is one of the best post titles ever.

 

[statalently]

Thanks, seanm (and artlessknave of course). I plan to update to 11.3 stable as soon as possible, and it seems like there are lots of changes to SMB so I probably won't spend too much time investigating before then. I will post any follow-up here.

 

[statalently]

A small update for anyone still interested. I tested this on 11.3, same problem. I also noticed that it is only happening when a certain application is doing backup copies of the currently open file. Other than that, still no idea about this. I got a little enthusiastic and looked up the source code for where the error is being sprung, but it's didn't mean much to me.

Code:

static ssize_t fruit_pread_meta_stream(vfs_handle_struct *handle,
                       files_struct *fsp, void *data,
                       size_t n, off_t offset)
{
    ssize_t nread;
    int ret;

    nread = SMB_VFS_NEXT_PREAD(handle, fsp, data, n, offset);
    if (nread == -1 || nread == n) {
        return nread;
    }

    DBG_ERR("Removing [%s] after short read [%zd]\n",
        fsp_str_dbg(fsp), nread);

    ret = SMB_VFS_NEXT_UNLINKAT(handle,
            fsp->conn->cwd_fsp,
            fsp->fsp_name,
            0);
    if (ret != 0) {
        DBG_ERR("Removing [%s] failed\n", fsp_str_dbg(fsp));
        return -1;
    }

    errno = EINVAL;
    return -1;
}

 

[statalently]

UPDATE: I have found the cause of the problem!​

After dipping in and out of research into SMB, searching for the perfect configuration, I have had an illuminating test on a different system (Ubuntu).

In short, the errors were caused by the line in SMB conf:
fruit:metadata = stream
I was able to prevent the errors by using the default:
fruit:metadata = netatalk
I had seen other advice recommending using 'stream' setup (Samba Wiki!), but I guess the defaults are the defaults for a reason.

In long...
From vfs_fruit manual:

The module enables alternate data streams (ADS) support for a share, intercepts the OS X special streams "AFP_AfpInfo" and "AFP_Resource" and handles them in a special way. All other named streams are deferred to vfs_streams_xattr which must be loaded together with vfs_fruit.

So, there are two streams in addition to the main data stream: AfpInfo (metadata) and Resource (extra file resources I think).

Resource stream

fruit:resource = [ file | xattr | stream ]
Controls where the OS X resource fork is stored.
Settings:
file (default) - use a ._ AppleDouble file compatible with OS X and Netatalk
xattr - use a xattr, requires a filesystem with large xattr support and a file IO API compatible with xattrs, this boils down to Solaris and derived platforms and ZFS
stream (experimental) - pass the stream on to the next module in the VFS stack. Warning: this option should not be used with the streams_xattr module due to the extended attributes size limitations of most filesytems.

So, if "streams_xattr... must be loaded together with vfs_fruit", and fruit:resource = stream "should not be used with the streams_xattr module due to the extended attributes size limitations of most filesytems", then that means that we should not use fruit:resource = stream unless we're on ZFS. Great! FreeNAS is ZFS. So the Resource stream gets passed to the streams_xattr module and everything is fine. One more reason to use FreeNAS

Metadata/AfpInfo stream

fruit:metadata = [ stream | netatalk ]
Controls where the OS X metadata stream is stored:
netatalk (default) - use Netatalk compatible xattr
stream - pass the stream on to the next module in the VFS stack

Using 'stream' we see the error in the logs when files are saved:
../../source3/modules/vfs_fruit.c:4218(fruit_pread_meta_stream) fruit_pread_meta_stream: Removing [testiiiing.txt.sb-df65248a-abgu9M/testiiiing.txt:AFP_AfpInfo] failed
So, I tried switching it back to the default, and I stop getting this error in the logs. Instead, I see a file flash briefly in Mac's Finder when I save the file. The file has the same name I think - "testiiiing.txt.sb-df65248a-abgu9M". This seems preferable to gigabytes of log files filled with errors.


If anyone with deeper knowledge of these things has any further explanation, or sees something wrong with the above, I would be keen to learn.

 

[statalently]

Just to add one more minor mystery to this... it seems that FreeNAS is quite keen to have the Fruit:metadata as 'stream', because I had to override this on a share-by-share basis in order to set it. This makes me think that someone at iX made Fruit:metadata = stream the default on FreeNAS (even though it's not the default for the Fruit module itself) for a good reason...

 

[anodos]

It doesn't generate this message by default when streams are enabled. It indicates an abnormally truncated afpinfo xattr (possibly 0 bytes), but It's been a while since I looked at this particular code path.

The reason why we're writing them to streams by default is because most users don't want their filesystem cluttered with ._ files from mac clients if they can avoid it.

 

[anodos]

lsextattr user <filename> for file that is reporting error message should show what xattrs have been written to it.
getextattr -qq user <xattr_name> <filename> | hexdump -C should give a hexdump of one of the problem-child xattrs. Post it here. Due to conventions of how streams get written as xattrs, you may need to enclose <xattr_name> is single-quotes.

 

[statalently]

Thank you for the information, Anodos.

Here is the output from the commands you provided. PTX is the file type, the rest I cannot decode...

Code:

00000000  41 46 50 00 00 00 01 00  00 00 00 00 80 00 00 00  |AFP.............|
00000010  50 54 58 20 50 54 75 6c  00 00 00 00 00 00 00 00  |PTX PTul........|
00000020  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000030

 

[anodos]

Okay. Let's try this, convert the AFPInfo xattr into a base64 string and post it here
getextattr -qq user <xattr_name> <filename> | b64encode -

 

[statalently]

Here you are:

Code:

QUZQAAAAAQAAAAAAgAAAAFBUWCBQVHVsAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAA==
====

 

[anodos]

Does the error message get generated when browsing the share in Finder or is it application-specific?

 

[statalently]

I'm pretty sure it is on saves. We mostly use a program that makes backup saves every couple of minutes, and that is what is filling the log files.

 

[anodos]

I'm pretty sure it is on saves. We mostly use a program that makes backup saves every couple of minutes, and that is what is filling the log files.

Are you able to reproduce with a single client outside of that application? If so, I'll provide instructions on gathering a packet capture of the behavior.

 

[statalently]

Yeah I believe so. We get the problem with saving any file type I think (I have seen .txt and MS office files in the logs). I have Wireshark installed on a Mac client. Ready and waiting for instructions.

 

[statalently]

Does this do the trick?

Code:

SMB2    446    Create Request File: ;Find Request SMB2_FIND_ID_BOTH_DIRECTORY_INFO Pattern: testing.txt.sb-b43eba60-Qoi8oa;Close Request

SMB2 (Server Message Block Protocol version 2)
    SMB2 Header
        ProtocolId: 0xfe534d42
        Header Length: 64
        Credit Charge: 1
        Channel Sequence: 0
        Reserved: 0000
        Command: Create (5)
        Credits requested: 256
        Flags: 0x00000000
            .... .... .... .... .... .... .... ...0 = Response: This is a REQUEST
            .... .... .... .... .... .... .... ..0. = Async command: This is a SYNC command
            .... .... .... .... .... .... .... .0.. = Chained: This pdu is NOT a chained command
            .... .... .... .... .... .... .... 0... = Signing: This pdu is NOT signed
            .... .... .... .... .... .... .000 .... = Priority: This pdu does NOT contain a PRIORITY
            ...0 .... .... .... .... .... .... .... = DFS operation: This is a normal operation
            ..0. .... .... .... .... .... .... .... = Replay operation: This is NOT a replay operation
        Chain Offset: 0x00000080
        Message ID: Unknown (367493)
        Process Id: 0x0000feff
        Tree Id: 0x5c054d75
        Session Id: 0x000000000e4632d6
        Signature: 00000000000000000000000000000000
        [Response in: 788]
    Create Request (0x05)
        StructureSize: 0x0039
            0000 0000 0011 100. = Fixed Part Length: 28
            .... .... .... ...1 = Dynamic Part: True
        Oplock: No oplock (0x00)
        Impersonation level: Impersonation (2)
        Create Flags: 0x0000000000000000
        Reserved: 0000000000000000
        Access Mask: 0x00100081
            .... .... .... .... .... .... .... ...1 = Read: READ access
            .... .... .... .... .... .... .... ..0. = Write: NO write access
            .... .... .... .... .... .... .... .0.. = Append: NO append access
            .... .... .... .... .... .... .... 0... = Read EA: NO read extended attributes access
            .... .... .... .... .... .... ...0 .... = Write EA: NO write extended attributes access
            .... .... .... .... .... .... ..0. .... = Execute: NO execute access
            .... .... .... .... .... .... .0.. .... = Delete Child: NO delete child access
            .... .... .... .... .... .... 1... .... = Read Attributes: READ ATTRIBUTES access
            .... .... .... .... .... ...0 .... .... = Write Attributes: NO write attributes access
            .... .... .... ...0 .... .... .... .... = Delete: NO delete access
            .... .... .... ..0. .... .... .... .... = Read Control: Read access is NOT granted to owner, group and ACL of the SID
            .... .... .... .0.. .... .... .... .... = Write DAC: Owner may NOT write to the DAC
            .... .... .... 0... .... .... .... .... = Write Owner: Can NOT write owner (take ownership)
            .... .... ...1 .... .... .... .... .... = Synchronize: Can wait on handle to SYNCHRONIZE on completion of I/O
            .... ...0 .... .... .... .... .... .... = System Security: System security is NOT set
            .... ..0. .... .... .... .... .... .... = Maximum Allowed: Maximum allowed is NOT set
            ...0 .... .... .... .... .... .... .... = Generic All: Generic all is NOT set
            ..0. .... .... .... .... .... .... .... = Generic Execute: Generic execute is NOT set
            .0.. .... .... .... .... .... .... .... = Generic Write: Generic write is NOT set
            0... .... .... .... .... .... .... .... = Generic Read: Generic read is NOT set
        File Attributes: 0x00000010
            .... .... .... .... .... .... .... ...0 = Read Only: NOT read only
            .... .... .... .... .... .... .... ..0. = Hidden: NOT hidden
            .... .... .... .... .... .... .... .0.. = System: NOT a system file/dir
            .... .... .... .... .... .... .... 0... = Volume ID: NOT a volume ID
            .... .... .... .... .... .... ...1 .... = Directory: DIRECTORY
            .... .... .... .... .... .... ..0. .... = Archive: Has NOT been modified since last archive
            .... .... .... .... .... .... .0.. .... = Device: NOT a device
            .... .... .... .... .... .... 0... .... = Normal: Has some attribute set
            .... .... .... .... .... ...0 .... .... = Temporary: NOT a temporary file
            .... .... .... .... .... ..0. .... .... = Sparse: NOT a sparse file
            .... .... .... .... .... .0.. .... .... = Reparse Point: Does NOT have an associated reparse point
            .... .... .... .... .... 0... .... .... = Compressed: Uncompressed
            .... .... .... .... ...0 .... .... .... = Offline: Online
            .... .... .... .... ..0. .... .... .... = Content Indexed: NOT content indexed
            .... .... .... .... .0.. .... .... .... = Encrypted: This is NOT an encrypted file
        Share Access: 0x00000007, Read, Write, Delete
            .... .... .... .... .... .... .... ...1 = Read: Object can be shared for READ
            .... .... .... .... .... .... .... ..1. = Write: Object can be shared for WRITE
            .... .... .... .... .... .... .... .1.. = Delete: Object can be shared for DELETE
        Disposition: Open (if file exists open it, else fail) (1)
        Create Options: 0x00000001
            .... .... .... .... .... .... .... ...1 = Directory: File being created/opened must be a directory
            .... .... .... .... .... .... .... ..0. = Write Through: Writes need not flush buffered data before completing
            .... .... .... .... .... .... .... .0.. = Sequential Only: The file might not only be accessed sequentially
            .... .... .... .... .... .... .... 0... = Intermediate Buffering: Intermediate buffering is allowed
            .... .... .... .... .... .... ...0 .... = Sync I/O Alert: Operations NOT necessarily synchronous
            .... .... .... .... .... .... ..0. .... = Sync I/O Nonalert: Operations NOT necessarily synchronous
            .... .... .... .... .... .... .0.. .... = Non-Directory: File being created/opened must be a directory
            .... .... .... .... .... .... 0... .... = Create Tree Connection: Create Tree Connections is NOT set
            .... .... .... .... .... ...0 .... .... = Complete If Oplocked: Complete if oplocked is NOT set
            .... .... .... .... .... ..0. .... .... = No EA Knowledge: The client understands extended attributes
            .... .... .... .... .... .0.. .... .... = 8.3 Only: The client understands long file names
            .... .... .... .... .... 0... .... .... = Random Access: The file will not be accessed randomly
            .... .... .... .... ...0 .... .... .... = Delete On Close: The file should not be deleted when it is closed
            .... .... .... .... ..0. .... .... .... = Open By FileID: OpenByFileID is NOT set
            .... .... .... .... .0.. .... .... .... = Backup Intent: This is a normal create
            .... .... .... .... 0... .... .... .... = No Compression: Compression is allowed for Open/Create
            .... .... ...0 .... .... .... .... .... = Reserve Opfilter: Reserve Opfilter is NOT set
            .... .... ..0. .... .... .... .... .... = Open Reparse Point: Normal open
            .... .... .0.. .... .... .... .... .... = Open No Recall: Open no recall is NOT set
            .... .... 0... .... .... .... .... .... = Open For Free Space query: This is NOT an open for free space query
        Filename:
            Blob Offset: 0x00000078
            Blob Length: 0
        Blob Offset: 0x00000000
        Blob Length: 0
        ExtraInfo: NO DATA
SMB2 (Server Message Block Protocol version 2)
    SMB2 Header
        ProtocolId: 0xfe534d42
        Header Length: 64
        Credit Charge: 1
        Channel Sequence: 0
        Reserved: 0000
        Command: Find (14)
        Credits requested: 256
        Flags: 0x00000004, Chained
            .... .... .... .... .... .... .... ...0 = Response: This is a REQUEST
            .... .... .... .... .... .... .... ..0. = Async command: This is a SYNC command
            .... .... .... .... .... .... .... .1.. = Chained: This pdu is a CHAINED command
            .... .... .... .... .... .... .... 0... = Signing: This pdu is NOT signed
            .... .... .... .... .... .... .000 .... = Priority: This pdu does NOT contain a PRIORITY
            ...0 .... .... .... .... .... .... .... = DFS operation: This is a normal operation
            ..0. .... .... .... .... .... .... .... = Replay operation: This is NOT a replay operation
        Chain Offset: 0x000000a0
        Message ID: Unknown (367494)
        Process Id: 0x0000feff
        Tree Id: 0x5c054d75
        Session Id: 0x000000000e4632d6
        Signature: 00000000000000000000000000000000
        [Response in: 788]
    Find Request (0x0e)
        StructureSize: 0x0021
            0000 0000 0010 000. = Fixed Part Length: 16
            .... .... .... ...1 = Dynamic Part: True
        Info Level: SMB2_FIND_ID_BOTH_DIRECTORY_INFO (37)
        Find Flags: 0x03, Restart Scans, Single Entry
            .... ...1 = Restart Scans: True
            .... ..1. = Single Entry: True
            .... .0.. = Index Specified: False
            ...0 .... = Reopen: False
        File Index: 0x00000000
        GUID handle
            File Id: ffffffff-ffff-ffff-ffff-ffffffffffff
            [Frame handle closed: 787]
        Output Buffer Length: 65536
        Search Pattern: testing.txt.sb-b43eba60-Qoi8oa
            Blob Offset: 0x00000060
            Blob Length: 60
SMB2 (Server Message Block Protocol version 2)
    SMB2 Header
        ProtocolId: 0xfe534d42
        Header Length: 64
        Credit Charge: 1
        Channel Sequence: 0
        Reserved: 0000
        Command: Close (6)
        Credits requested: 256
        Flags: 0x00000004, Chained
            .... .... .... .... .... .... .... ...0 = Response: This is a REQUEST
            .... .... .... .... .... .... .... ..0. = Async command: This is a SYNC command
            .... .... .... .... .... .... .... .1.. = Chained: This pdu is a CHAINED command
            .... .... .... .... .... .... .... 0... = Signing: This pdu is NOT signed
            .... .... .... .... .... .... .000 .... = Priority: This pdu does NOT contain a PRIORITY
            ...0 .... .... .... .... .... .... .... = DFS operation: This is a normal operation
            ..0. .... .... .... .... .... .... .... = Replay operation: This is NOT a replay operation
        Chain Offset: 0x00000000
        Message ID: Unknown (367495)
        Process Id: 0x0000feff
        Tree Id: 0x5c054d75
        Session Id: 0x000000000e4632d6
        Signature: 00000000000000000000000000000000
        [Response in: 788]
    Close Request (0x06)
        StructureSize: 0x0018
            0000 0000 0001 100. = Fixed Part Length: 12
            .... .... .... ...0 = Dynamic Part: False
        Close Flags: 0x0000
            .... .... .... ...0 = PostQuery Attrib: False
        GUID handle
            File Id: ffffffff-ffff-ffff-ffff-ffffffffffff
            [Frame handle closed: 787]




------------------------------------------------

SMB2    430    Create Response File: ;Find Response, Error: STATUS_NO_SUCH_FILE;Close Response

SMB2 (Server Message Block Protocol version 2)
    SMB2 Header
        ProtocolId: 0xfe534d42
        Header Length: 64
        Credit Charge: 1
        NT Status: STATUS_SUCCESS (0x00000000)
        Command: Create (5)
        Credits granted: 0
        Flags: 0x00000001, Response
            .... .... .... .... .... .... .... ...1 = Response: This is a RESPONSE
            .... .... .... .... .... .... .... ..0. = Async command: This is a SYNC command
            .... .... .... .... .... .... .... .0.. = Chained: This pdu is NOT a chained command
            .... .... .... .... .... .... .... 0... = Signing: This pdu is NOT signed
            .... .... .... .... .... .... .000 .... = Priority: This pdu does NOT contain a PRIORITY
            ...0 .... .... .... .... .... .... .... = DFS operation: This is a normal operation
            ..0. .... .... .... .... .... .... .... = Replay operation: This is NOT a replay operation
        Chain Offset: 0x00000098
        Message ID: Unknown (367493)
        Process Id: 0x0000feff
        Tree Id: 0x5c054d75
        Session Id: 0x000000000e4632d6
        Signature: 00000000000000000000000000000000
        [Response to: 787]
        [Time from request: 0.000802000 seconds]
    Create Response (0x05)
        StructureSize: 0x0059
            0000 0000 0101 100. = Fixed Part Length: 44
            .... .... .... ...1 = Dynamic Part: True
        Oplock: No oplock (0x00)
        Response Flags: 0x00
            .... ...0 = ReparsePoint: False
        Create Action: The file existed and was opened (1)
        Create: Sep 27, 2019 15:29:21.360806100 EDT
        Last Access: Aug  3, 2020 14:25:56.252135900 EDT
        Last Write: Aug  3, 2020 14:25:56.182332300 EDT
        Last Change: Aug  3, 2020 14:25:56.182332300 EDT
        Allocation Size: 0
        End Of File: 0
        File Attributes: 0x00000010
            .... .... .... .... .... .... .... ...0 = Read Only: NOT read only
            .... .... .... .... .... .... .... ..0. = Hidden: NOT hidden
            .... .... .... .... .... .... .... .0.. = System: NOT a system file/dir
            .... .... .... .... .... .... .... 0... = Volume ID: NOT a volume ID
            .... .... .... .... .... .... ...1 .... = Directory: DIRECTORY
            .... .... .... .... .... .... ..0. .... = Archive: Has NOT been modified since last archive
            .... .... .... .... .... .... .0.. .... = Device: NOT a device
            .... .... .... .... .... .... 0... .... = Normal: Has some attribute set
            .... .... .... .... .... ...0 .... .... = Temporary: NOT a temporary file
            .... .... .... .... .... ..0. .... .... = Sparse: NOT a sparse file
            .... .... .... .... .... .0.. .... .... = Reparse Point: Does NOT have an associated reparse point
            .... .... .... .... .... 0... .... .... = Compressed: Uncompressed
            .... .... .... .... ...0 .... .... .... = Offline: Online
            .... .... .... .... ..0. .... .... .... = Content Indexed: NOT content indexed
            .... .... .... .... .0.. .... .... .... = Encrypted: This is NOT an encrypted file
        Reserved: 00000000
        GUID handle File:
            File Id: e4167ce8-0000-0000-8aeb-614c00000000
            [Frame handle opened: 788]
        Blob Offset: 0x00000000
        Blob Length: 0
        ExtraInfo: NO DATA
SMB2 (Server Message Block Protocol version 2)
    SMB2 Header
        ProtocolId: 0xfe534d42
        Header Length: 64
        Credit Charge: 1
        NT Status: STATUS_NO_SUCH_FILE (0xc000000f)
        Command: Find (14)
        Credits granted: 0
        Flags: 0x00000005, Response, Chained
            .... .... .... .... .... .... .... ...1 = Response: This is a RESPONSE
            .... .... .... .... .... .... .... ..0. = Async command: This is a SYNC command
            .... .... .... .... .... .... .... .1.. = Chained: This pdu is a CHAINED command
            .... .... .... .... .... .... .... 0... = Signing: This pdu is NOT signed
            .... .... .... .... .... .... .000 .... = Priority: This pdu does NOT contain a PRIORITY
            ...0 .... .... .... .... .... .... .... = DFS operation: This is a normal operation
            ..0. .... .... .... .... .... .... .... = Replay operation: This is NOT a replay operation
        Chain Offset: 0x00000050
        Message ID: Unknown (367494)
        Process Id: 0x0000feff
        Tree Id: 0x5c054d75
        Session Id: 0x000000000e4632d6
        Signature: 00000000000000000000000000000000
        [Response to: 787]
        [Time from request: 0.000802000 seconds]
    Find Response (0x0e)
        [Info Level: SMB2_FIND_ID_BOTH_DIRECTORY_INFO (37)]
        StructureSize: 0x0009
            0000 0000 0000 100. = Fixed Part Length: 4
            .... .... .... ...1 = Dynamic Part: True
        Error Context Count: 0
        Reserved: 0x00
        Byte Count: 0
        Error Data: 00
Frame 788: 430 bytes on wire (3440 bits), 430 bytes captured (3440 bits) on interface en0, id 0
Ethernet II, Src: SuperMic_6f:00:7b (0c:c4:7a:6f:00:7b), Dst: Apple_ab:1a:5c (78:7b:8a:ab:1a:5c)
Internet Protocol Version 4, Src: 10.150.16.10, Dst: 10.150.16.62
Transmission Control Protocol, Src Port: 445, Dst Port: 52398, Seq: 224415, Ack: 62999, Len: 364
NetBIOS Session Service
    Message Type: Session message (0x00)
    Length: 360
SMB2 (Server Message Block Protocol version 2)
    SMB2 Header
        ProtocolId: 0xfe534d42
        Header Length: 64
        Credit Charge: 1
        NT Status: STATUS_SUCCESS (0x00000000)
        Command: Create (5)
        Credits granted: 0
        Flags: 0x00000001, Response
            .... .... .... .... .... .... .... ...1 = Response: This is a RESPONSE
            .... .... .... .... .... .... .... ..0. = Async command: This is a SYNC command
            .... .... .... .... .... .... .... .0.. = Chained: This pdu is NOT a chained command
            .... .... .... .... .... .... .... 0... = Signing: This pdu is NOT signed
            .... .... .... .... .... .... .000 .... = Priority: This pdu does NOT contain a PRIORITY
            ...0 .... .... .... .... .... .... .... = DFS operation: This is a normal operation
            ..0. .... .... .... .... .... .... .... = Replay operation: This is NOT a replay operation
        Chain Offset: 0x00000098
        Message ID: Unknown (367493)
        Process Id: 0x0000feff
        Tree Id: 0x5c054d75
        Session Id: 0x000000000e4632d6
        Signature: 00000000000000000000000000000000
        [Response to: 787]
        [Time from request: 0.000802000 seconds]
    Create Response (0x05)
        StructureSize: 0x0059
            0000 0000 0101 100. = Fixed Part Length: 44
            .... .... .... ...1 = Dynamic Part: True
        Oplock: No oplock (0x00)
        Response Flags: 0x00
            .... ...0 = ReparsePoint: False
        Create Action: The file existed and was opened (1)
        Create: Sep 27, 2019 15:29:21.360806100 EDT
        Last Access: Aug  3, 2020 14:25:56.252135900 EDT
        Last Write: Aug  3, 2020 14:25:56.182332300 EDT
        Last Change: Aug  3, 2020 14:25:56.182332300 EDT
        Allocation Size: 0
        End Of File: 0
        File Attributes: 0x00000010
            .... .... .... .... .... .... .... ...0 = Read Only: NOT read only
            .... .... .... .... .... .... .... ..0. = Hidden: NOT hidden
            .... .... .... .... .... .... .... .0.. = System: NOT a system file/dir
            .... .... .... .... .... .... .... 0... = Volume ID: NOT a volume ID
            .... .... .... .... .... .... ...1 .... = Directory: DIRECTORY
            .... .... .... .... .... .... ..0. .... = Archive: Has NOT been modified since last archive
            .... .... .... .... .... .... .0.. .... = Device: NOT a device
            .... .... .... .... .... .... 0... .... = Normal: Has some attribute set
            .... .... .... .... .... ...0 .... .... = Temporary: NOT a temporary file
            .... .... .... .... .... ..0. .... .... = Sparse: NOT a sparse file
            .... .... .... .... .... .0.. .... .... = Reparse Point: Does NOT have an associated reparse point
            .... .... .... .... .... 0... .... .... = Compressed: Uncompressed
            .... .... .... .... ...0 .... .... .... = Offline: Online
            .... .... .... .... ..0. .... .... .... = Content Indexed: NOT content indexed
            .... .... .... .... .0.. .... .... .... = Encrypted: This is NOT an encrypted file
        Reserved: 00000000
        GUID handle File:
            File Id: e4167ce8-0000-0000-8aeb-614c00000000
            [Frame handle opened: 788]
        Blob Offset: 0x00000000
        Blob Length: 0
        ExtraInfo: NO DATA
SMB2 (Server Message Block Protocol version 2)
    SMB2 Header
        ProtocolId: 0xfe534d42
        Header Length: 64
        Credit Charge: 1
        NT Status: STATUS_NO_SUCH_FILE (0xc000000f)
        Command: Find (14)
        Credits granted: 0
        Flags: 0x00000005, Response, Chained
            .... .... .... .... .... .... .... ...1 = Response: This is a RESPONSE
            .... .... .... .... .... .... .... ..0. = Async command: This is a SYNC command
            .... .... .... .... .... .... .... .1.. = Chained: This pdu is a CHAINED command
            .... .... .... .... .... .... .... 0... = Signing: This pdu is NOT signed
            .... .... .... .... .... .... .000 .... = Priority: This pdu does NOT contain a PRIORITY
            ...0 .... .... .... .... .... .... .... = DFS operation: This is a normal operation
            ..0. .... .... .... .... .... .... .... = Replay operation: This is NOT a replay operation
        Chain Offset: 0x00000050
        Message ID: Unknown (367494)
        Process Id: 0x0000feff
        Tree Id: 0x5c054d75
        Session Id: 0x000000000e4632d6
        Signature: 00000000000000000000000000000000
        [Response to: 787]
        [Time from request: 0.000802000 seconds]
    Find Response (0x0e)
        [Info Level: SMB2_FIND_ID_BOTH_DIRECTORY_INFO (37)]
        StructureSize: 0x0009
            0000 0000 0000 100. = Fixed Part Length: 4
            .... .... .... ...1 = Dynamic Part: True
        Error Context Count: 0
        Reserved: 0x00
        Byte Count: 0
        Error Data: 00
SMB2 (Server Message Block Protocol version 2)
    SMB2 Header
        ProtocolId: 0xfe534d42
        Header Length: 64
        Credit Charge: 1
        NT Status: STATUS_SUCCESS (0x00000000)
        Command: Close (6)
        Credits granted: 3
        Flags: 0x00000005, Response, Chained
            .... .... .... .... .... .... .... ...1 = Response: This is a RESPONSE
            .... .... .... .... .... .... .... ..0. = Async command: This is a SYNC command
            .... .... .... .... .... .... .... .1.. = Chained: This pdu is a CHAINED command
            .... .... .... .... .... .... .... 0... = Signing: This pdu is NOT signed
            .... .... .... .... .... .... .000 .... = Priority: This pdu does NOT contain a PRIORITY
            ...0 .... .... .... .... .... .... .... = DFS operation: This is a normal operation
            ..0. .... .... .... .... .... .... .... = Replay operation: This is NOT a replay operation
        Chain Offset: 0x00000000
        Message ID: Unknown (367495)
        Process Id: 0x0000feff
        Tree Id: 0x5c054d75
        Session Id: 0x000000000e4632d6
        Signature: 00000000000000000000000000000000
        [Response to: 787]
        [Time from request: 0.000802000 seconds]
    Close Response (0x06)
        StructureSize: 0x003c
            0000 0000 0011 110. = Fixed Part Length: 30
            .... .... .... ...0 = Dynamic Part: False
        Close Flags: 0x0000
            .... .... .... ...0 = PostQuery Attrib: False
        Reserved: 00000000
        Create: No time specified (0)
        Last Access: No time specified (0)
        Last Write: No time specified (0)
        Last Change: No time specified (0)
        Allocation Size: 0
        End Of File: 0
        File Attributes: 0x00000000
            .... .... .... .... .... .... .... ...0 = Read Only: NOT read only
            .... .... .... .... .... .... .... ..0. = Hidden: NOT hidden
            .... .... .... .... .... .... .... .0.. = System: NOT a system file/dir
            .... .... .... .... .... .... .... 0... = Volume ID: NOT a volume ID
            .... .... .... .... .... .... ...0 .... = Directory: NOT a directory
            .... .... .... .... .... .... ..0. .... = Archive: Has NOT been modified since last archive
            .... .... .... .... .... .... .0.. .... = Device: NOT a device
            .... .... .... .... .... .... 0... .... = Normal: Has some attribute set
            .... .... .... .... .... ...0 .... .... = Temporary: NOT a temporary file
            .... .... .... .... .... ..0. .... .... = Sparse: NOT a sparse file
            .... .... .... .... .... .0.. .... .... = Reparse Point: Does NOT have an associated reparse point
            .... .... .... .... .... 0... .... .... = Compressed: Uncompressed
            .... .... .... .... ...0 .... .... .... = Offline: Online
            .... .... .... .... ..0. .... .... .... = Content Indexed: NOT content indexed
            .... .... .... .... .0.. .... .... .... = Encrypted: This is NOT an encrypted file