#DFS Connections in CLI

Hi, so I’m being asked to determine active dfs connections vs UNC paths being used for all cifs shares.
I’ve run a cifs connection show and a cifs session show and did tests via using dfs to access a path vs directly going to the path but I can’t determine if the NetApp is outputting what I think it is correctly.

My tests did not show my DFS connection. Verified by the session id and my user name. It did show my direct path when I used the unc to access the share.

ChatGPT and other internal tests however says that the dfs is referred to the direct path and the NetApp can’t discern the two.

Is there an accurate cmd within the cli I could use to determine this? Fpolicy would be preferred but we’re in a time crunch for a migration and don’t have the bandwidth to set that up within Varonis.

I don't think you can get that detail from the NetApp side. As a workaround, you could create another hidden share to the same data and configure DFS to use the hidden share. You can then monitor connections to the hidden share and know those are referred by DFS.

i dont think there are any differences in the connections. DFS/CIFS/etc are all the same to the NetApp and anything else.
Doing what Lorne said is pretty much the only way to confirm

yeah, there is no difference between connections. DFS is just a redirect. You are not going "through" DFS. DFS tells you the server name and your client (re-)connects to that server transparently. It's a bit like asking whether you connect to a share using its DNS name or its IP address

Thanks for the replies everyone.
Idea we came up with was to create new lifs and reference those directly for dfs.
Then run monitoring and net stats against clients hitting the new ip addresses vs the others used for cifs on the svms. Anything on the new we know is using referrals for dfs