3
votes

Just wondering if it is possible to figure out who has read files from a Windows share (using .NET ideally but win32 native will do)?

What I'm trying to do is create something like awstats for a Windows share so I can see who is accessing what and which are the most popular files.

I'm not interested in changes - I just want to log access (with time) along with IP / hostname and what file.

4 Answers

3
votes

This is possible using WMI. Below is a sample C# snippet used to identify who is accessing the shares currently:

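    using System.Management;

    // Win32_ConnectionShare associates a share (Antecedent) with a client
    // connection to that share (Dependent, a Win32_ServerConnection).
    ManagementObjectSearcher search =
        new ManagementObjectSearcher("root\\CIMV2", "SELECT * FROM Win32_ConnectionShare");
    foreach (ManagementObject MO in search.Get())
    {
        // WMI object path of the share being accessed.
        string antecedent = MO["antecedent"].ToString();
        ManagementObject share = new ManagementObject(antecedent);

        // WMI object path of the connection made to that share.
        string dependent = MO["dependent"].ToString();
        ManagementObject server = new ManagementObject(dependent);

        // Who is connected, from which computer, and to which share.
        string userName = server["UserName"].ToString();
        string compname = server["ComputerName"].ToString();
        string sharename = server["ShareName"].ToString();
    }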

I am not sure about the core file event listeners for WMI. But you can nicely integrate this into the normal FileSystemWatcher and trigger the above code if there is a change detected in the network path.

2
votes

You want FileSystemWatcher. Build a program that uses it and logs changes.

1
votes

SMB runs by default on port 445. So you can just log traffic on port 445 (or whatever port(s) you happen to be running it on) and massage that easily enough into whatever data you need.

I'd do it with WinPcap and WinDump (Windows versions of libpcap and tcpdump). Defining custom rules (say, to record data on only one or on a range of ports) is easy. Check out the 'expression' section of the manual. There are parsers available in a lot of different languages for the data files. A quick search will find you what you need.
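To illustrate what "massaging" port 445 traffic into an access log involves, here is an added example (not code from this answer or from any of the tools it names) that pulls the file name and requested read access out of an SMB2 CREATE request, the message a client sends to open a file. It assumes one complete, unencrypted SMB2 message per TCP payload; `parse_create_request` and `build_sample` are hypothetical names, and the sample bytes are constructed, not captured.

```python
import struct

SMB2_MAGIC = b"\xfeSMB"       # plain SMB2/3 message
SMB3_TRANSFORM = b"\xfdSMB"   # encrypted SMB3 message: file names are not visible
SMB2_CREATE = 0x0005          # command used to open (or create) a file
FLAG_RESPONSE = 0x00000001    # SMB2_FLAGS_SERVER_TO_REDIR
READ_BITS = 0x80000000 | 0x00000001   # GENERIC_READ | FILE_READ_DATA
HDR, BODY = 64, 56            # fixed sizes: SMB2 header, CREATE request body


def parse_create_request(tcp_payload):
    """Return a dict for an SMB2 CREATE request, "encrypted", or None."""
    if len(tcp_payload) < 4 or tcp_payload[0] != 0:
        return None                       # not a direct-TCP session message
    length = int.from_bytes(tcp_payload[1:4], "big")
    msg = tcp_payload[4:4 + length]
    if msg[:4] == SMB3_TRANSFORM:
        return "encrypted"
    if len(msg) < HDR + BODY or msg[:4] != SMB2_MAGIC:
        return None
    command, = struct.unpack_from("<H", msg, 12)
    flags, = struct.unpack_from("<I", msg, 16)
    session_id, = struct.unpack_from("<Q", msg, 40)
    if command != SMB2_CREATE or flags & FLAG_RESPONSE:
        return None
    access, = struct.unpack_from("<I", msg, HDR + 24)
    name_off, name_len = struct.unpack_from("<HH", msg, HDR + 44)
    if name_off < HDR + BODY or name_off + name_len > len(msg):
        return None                       # truncated capture or bad offsets
    name = msg[name_off:name_off + name_len].decode("utf-16-le", "replace")
    return {"session_id": session_id, "file": name,
            "read": bool(access & READ_BITS)}


def build_sample(name, access, magic=SMB2_MAGIC):
    """Constructed message for the demo (not captured traffic)."""
    raw = name.encode("utf-16-le")
    header = struct.pack("<4sHHIHHIIQIIQ16s", magic, 64, 0, 0, SMB2_CREATE,
                         0, 0, 0, 1, 0, 1, 0x1122, b"\0" * 16)
    body = struct.pack("<HBBIQQIIIIIHHII", 57, 0, 0, 2, 0, 0, access,
                       0, 1, 1, 0, HDR + BODY, len(raw), 0, 0)
    msg = header + body + raw
    return b"\0" + len(msg).to_bytes(3, "big") + msg


if __name__ == "__main__":
    print(parse_create_request(build_sample("reports\\q3.xlsx", 0x00120089)))
    print(parse_create_request(build_sample("x", 1, SMB3_TRANSFORM)))
```

The client address and timestamp come from the captured packet itself rather than from the SMB message, and the name in a CREATE request is relative to the share the client connected to earlier. When SMB3 encryption is in use the parser can only report `"encrypted"`, so a capture-based log shows nothing about file names for those sessions.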

0
votes

In order to do it using WinPcap in .NET you can use Pcap.Net. It is a wrapper for WinPcap written in C++/CLI and C# and it includes a packet interpretation framework.