
10.4.1.4 Netmon Trace Digest

In this task, a file is printed from a Windows Vista operating system client to a print server (a printer directly attached to a Windows Server 2003 R2 operating system machine). By default, notification from the client to server of the status of print jobs is disabled. This means that no traffic is generated by the Print System Asynchronous Remote Protocol (as specified in [MS-PAR]) or the Print System Asynchronous Notification Protocol (as specified in [MS-PAN]). If traffic is present from the notification protocols, it is sent asynchronously, with the primary data stream sent via MS-RPRN. Because the default status is used in this scenario, all related traffic is generated via the Print System Remote Protocol (as specified in [MS-RPRN]).

  • As shown below, the initial traffic from the client to the server is the creation of the spool file via Server Message Block (SMB).

    VistaClient	W2K3ServerR2	SMB	SMB: C; Nt Create Andx, FileName = \spoolss

  • Using RPC calls, the client requests the selected printer.

    W2K3ServerR2	VistaClient	MSRPC	MSRPC: c/o Bind Ack:  Call=0x1  Assoc Grp=0x6EF8  Xmit=0x10B8  Recv=0x10B8
    VistaClient	W2K3ServerR2	Winspool	Winspool: RpcOpenPrinterEx Request, Printer = \\192.161.1.4\HP LaserJet 6P
    W2K3ServerR2	VistaClient	Winspool	Winspool: RpcOpenPrinterEx Response, Handle: {01000000-00000000-0000-0000-0000-000000000000}, Status = ERROR_SUCCESS
    VistaClient	W2K3ServerR2	Winspool	Winspool: RpcClosePrinter Request
    W2K3ServerR2	VistaClient	Winspool	Winspool: RpcClosePrinter Response, Status = ERROR_SUCCESS
    
  • RpcRemoteFindFirstPrinterChangeNotificationEx creates a remote change notification object that monitors changes to printer objects and sends change notifications to the client.

    VistaClient	W2K3ServerR2	Winspool	Winspool: RpcRemoteFindFirstPrinterChangeNotificationEx Request, LocalMachine: \\VistaClient, Flags: 0x00000000, Printer: {01000000-00000000-0000-0000-0000-000000000000}
    W2K3ServerR2	VistaClient	Winspool	Winspool: RpcRemoteFindFirstPrinterChangeNotificationEx Response, Status = ERROR_ACCESS_DENIED
    VistaClient	W2K3ServerR2	Winspool	Winspool: RpcRouterRefreshPrinterChangeNotification Request, Printer: {01000000-00000000-0000-0000-0000-000000000000}
    W2K3ServerR2	VistaClient	Winspool	Winspool: RpcRouterRefreshPrinterChangeNotification Response, Status = ERROR_INVALID_HANDLE
    
  • Because the notification services are disabled by default, the notification fails.

  • Data is transferred to the spooler file, as necessary, until the entire print job has been passed to the server.

  • RpcWritePrinter sends the data to the print server. Status = ERROR_SUCCESS indicates successful command execution in all of these remote procedure calls.

    VistaClient	W2K3ServerR2	Winspool	Winspool: RpcWritePrinter Request
    W2K3ServerR2	VistaClient	Winspool	Winspool: RpcWritePrinter Response, Status = ERROR_SUCCESS
    
  • RpcEndPagePrinter notifies the print server that the application is at the end of a page in the print job.

    VistaClient	W2K3ServerR2	Winspool	Winspool: RpcEndPagePrinter Request
    W2K3ServerR2	VistaClient	Winspool	Winspool: RpcEndPagePrinter Response, Status = ERROR_SUCCESS

  • RpcEndDocPrinter notifies the print server that the application has finished its print job.

    VistaClient	W2K3ServerR2	Winspool	Winspool: RpcEndDocPrinter Request
    W2K3ServerR2	VistaClient	Winspool	Winspool: RpcEndDocPrinter Response, Status = ERROR_SUCCESS
    
  • RpcClosePrinter closes the handle being used by the print job.

    VistaClient	W2K3ServerR2	Winspool	Winspool: RpcClosePrinter Request
    W2K3ServerR2	VistaClient	Winspool	Winspool: RpcClosePrinter Response, Status = ERROR_SUCCESS
    
  • The print session ends with an SMB message that closes the print spooler file.

    W2K3ServerR2	VistaClient	SMB	SMB: R; Close, FID = 0x400F (\spoolss@#258)
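
When reviewing a capture like this one, it helps to pair each Winspool request with its response and list the calls that did not return ERROR_SUCCESS. The following is an added example, not part of the original documentation; it assumes the trace was exported as tab-separated text (source, destination, protocol, description) with one record per line, and the names pair_calls and failed_calls are hypothetical.

```python
import re

# Records copied from the digest above, one per line; fields are tab-separated
# (source, destination, protocol, description). The export layout is an assumption.
TRACE = (
    "VistaClient\tW2K3ServerR2\tSMB\tSMB: C; Nt Create Andx, FileName = \\spoolss\n"
    "VistaClient\tW2K3ServerR2\tWinspool\tWinspool: RpcOpenPrinterEx Request, Printer = \\\\192.161.1.4\\HP LaserJet 6P\n"
    "W2K3ServerR2\tVistaClient\tWinspool\tWinspool: RpcOpenPrinterEx Response, Handle: {01000000-00000000-0000-0000-0000-000000000000}, Status = ERROR_SUCCESS\n"
    "VistaClient\tW2K3ServerR2\tWinspool\tWinspool: RpcRemoteFindFirstPrinterChangeNotificationEx Request, LocalMachine: \\\\VistaClient, Flags: 0x00000000\n"
    "W2K3ServerR2\tVistaClient\tWinspool\tWinspool: RpcRemoteFindFirstPrinterChangeNotificationEx Response, Status = ERROR_ACCESS_DENIED\n"
    "VistaClient\tW2K3ServerR2\tWinspool\tWinspool: RpcRouterRefreshPrinterChangeNotification Request\n"
    "W2K3ServerR2\tVistaClient\tWinspool\tWinspool: RpcRouterRefreshPrinterChangeNotification Response, Status = ERROR_INVALID_HANDLE\n"
    "VistaClient\tW2K3ServerR2\tWinspool\tWinspool: RpcWritePrinter Request\n"
    "W2K3ServerR2\tVistaClient\tWinspool\tWinspool: RpcWritePrinter Response, Status = ERROR_SUCCESS\n"
    "VistaClient\tW2K3ServerR2\tWinspool\tWinspool: RpcClosePrinter Request\n"
    "W2K3ServerR2\tVistaClient\tWinspool\tWinspool: RpcClosePrinter Response, Status = ERROR_SUCCESS\n"
)

# Method name, direction, and (for responses) the status code.
CALL = re.compile(r"Winspool: (Rpc\w+) (Request|Response)(?:.*?Status = (\w+))?")

def pair_calls(trace):
    """Pair each Winspool request with the next response to the same method
    travelling in the opposite direction between the same two hosts."""
    pending, calls = {}, []
    for line in trace.splitlines():
        fields = line.split("\t")
        if len(fields) != 4 or fields[2] != "Winspool":
            continue  # skip SMB, MSRPC bind and malformed records
        src, dst, _, desc = fields
        m = CALL.search(desc)
        if not m:
            continue
        method, kind, status = m.groups()
        if kind == "Request":
            pending.setdefault((src, dst, method), []).append(len(calls))
            calls.append({"client": src, "server": dst, "method": method, "status": None})
        else:
            queue = pending.get((dst, src, method))
            if queue:  # oldest outstanding request for this method gets the status
                calls[queue.pop(0)]["status"] = status
    return calls

def failed_calls(calls):
    """Calls whose status is not ERROR_SUCCESS; a status of None means no response was seen."""
    return [(c["method"], c["status"]) for c in calls if c["status"] != "ERROR_SUCCESS"]

if __name__ == "__main__":
    for method, status in failed_calls(pair_calls(TRACE)):
        print(f"{method}: {status}")
```

On this trace the only calls reported are the two notification calls, which matches the default configuration described above; any other method in the list would warrant a closer look at the capture.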
 
© 2014 Microsoft