Wireshark mailing list archives
Re: Accessing the NT ACE Information field from TShark in SMB NT Trans Request, NT SET SECURITY
From: "j.snelders" <j.snelders () telfort nl>
Date: Mon, 4 Oct 2010 20:19:40 +0200
Hi Guy,

Print all and send the output to a csv file:

$ tshark -r local_permissions_changes.pcap -R "smb.cmd == 0xa0" -T fields -e frame.number -e nt.sid -E separator=, > local_permissions_changes.csv

Use occurrence=f|l|a to print the first, last or all occurrences of each field.

To print the first occurrence:

$ tshark -r local_permissions_changes.pcap -R "smb.cmd == 0xa0" -T fields -e frame.number -e nt.sid -E occurrence=f -E separator=, > local_permissions_changes2.csv

More information:
tshark -h
  -E<fieldsoption>=<value> set options for output when -Tfields selected:
     header=y|n               switch headers on and off
     separator=/t|/s|<char>   select tab, space, printable character as separator
     occurrence=f|l|a         print first, last or all occurrences of each field
     aggregator=,|/s|<char>   select comma, space, printable character as aggregator
     quote=d|s|n              select double, single, no quotes for values

Hope this helps
Joke

On Sun, 3 Oct 2010 17:44:39 +0200 Guy other wrote:
Hi,

When I capture using TShark, I would like to use the "-T fields -e <fieldname>" flag to get the different NT ACE fields in a SMB NT Trans Request, NT SET SECURITY packet.

The thing is that there can be a different number of NT ACE fields in the packet. Is there some syntax to specify which one I want to access? Can I somehow iterate over all of the ACE fields?

In Wireshark you can see the different fields. My question is how to do it from the command line with TShark.

I'm attaching an example .pcap file, the request is in packet 1824.

Thanks!
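An added example, not part of the original post and not Wireshark code: with `-E separator=,` and the default comma aggregator, several nt.sid occurrences in one frame are indistinguishable from extra columns, so this sketch assumes a tab separator instead and expands each frame into one row per SID. The function names and the sample SIDs are constructed for illustration; only frame number 1824 comes from the thread.

```shell
#!/bin/sh
# Assumed capture-side command (same filter and fields as the post, but
# tab-separated so the comma aggregator stays unambiguous; current tshark
# releases take the same filter with -Y instead of -R):
#   tshark -r local_permissions_changes.pcap -R "smb.cmd == 0xa0" \
#     -T fields -e frame.number -e nt.sid \
#     -E occurrence=a -E separator=/t -E aggregator=, | expand_sids

# expand_sids: read "frame<TAB>sid1,sid2,..." lines on stdin and print
# "frame,index,sid" rows, one per nt.sid occurrence. Frames that matched
# the filter but carry no nt.sid value are skipped.
expand_sids() {
    awk -F '\t' '
        $2 != "" {
            n = split($2, sids, ",")
            for (i = 1; i <= n; i++)
                printf "%s,%d,%s\n", $1, i, sids[i]
        }'
}

# count_sid: count the expanded rows on stdin that reference one SID,
# e.g. to see how often a broad principal shows up in permission changes.
count_sid() {
    awk -F ',' -v want="$1" '$3 == want { c++ } END { print c + 0 }'
}

# Constructed sample of tshark -T fields output (SIDs are made up or
# well-known values, not taken from the attached capture).
sample_fields() {
    printf '1824\tS-1-5-21-1111111111-2222222222-3333333333-1001,S-1-5-32-544,S-1-1-0\n'
    printf '1830\t\n'
    printf '1901\tS-1-5-32-544\n'
}

sample_fields | expand_sids
```

nt.sid matches every SID in the security descriptor, so owner and group SIDs, when present, appear in the same list as the SIDs inside the ACEs.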