Wireshark mailing list archives

Kerberos parsing issue and field syntax


From: Yaron Sheffer <yaronf () checkpoint com>
Date: Tue, 9 Feb 2010 20:01:28 +0200

Hi,

I'm parsing Windows Kerberos traffic with tshark (latest stable and dev versions), and trying to extract the user name.

It looks like some of the fields are not extracted in full, and therefore cannot be displayed with the tshark "-e" 
option, e.g. "-e kerberos.cname".

Looking at the PDML output, the "show" attribute for the "kerberos.cname" field is empty (note: some data obscured):

    <field name="kerberos.pvno" showname="Pvno: 5" size="1" pos="16" show="5" value="05"/>
    <field name="kerberos.msg.type" showname="MSG Type: TGS-REP (13)" size="1" pos="21" show="13" value="0d"/>
    <field name="kerberos.crealm" showname="Client Realm: AD.ABCDEFGHIJ.COM" size="17" pos="26" show="AD.ABCDEFGHIJ.COM" value="41442e444444444444444444442e434f4d"/>
    <field name="kerberos.cname" showname="Client Name (Principal): yaronf" size="19" pos="45" show="" value="">
      <field name="kerberos.name_type" showname="Name-type: Principal (1)" size="1" pos="51" show="1" value="01"/>
      <field name="kerberos.name_string" showname="Name: yaronf" size="6" pos="58" show="yaronf" value="7961726f6e66"/>
    </field>

When looking at kerberos.cname, the first contained "show" value is displayed, i.e. "1". Also, when printing 
kerberos.name_string, a different value is printed because name_string occurs multiple times in the PDU.

Is this a bug in the dissector? Is there any more complex field/filter syntax that'll give me the user name (formatted 
as in name_string, or decorated as in kerberos.cname)?

Thanks,
                Yaron
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe
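Added example (not from the original post or from Wireshark): parse the PDML with Python's xml.etree, rebuild the client principal from the name_string children nested under the kerberos.cname container, and show why both the container's empty "show" attribute and a bare "-e kerberos.name_string" fall short. The crealm/cname fields are as quoted above; the kerberos.sname container and its values are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed PDML fragment modelled on the one quoted in the post. crealm/cname are
# as quoted (data already obscured); sname is a placeholder showing name_string recurring.
SAMPLE_PDML = """<pdml>
<packet>
<proto name="kerberos">
  <field name="kerberos.crealm" showname="Client Realm: AD.ABCDEFGHIJ.COM" size="17" pos="26" show="AD.ABCDEFGHIJ.COM" value="41442e444444444444444444442e434f4d"/>
  <field name="kerberos.cname" showname="Client Name (Principal): yaronf" size="19" pos="45" show="" value="">
    <field name="kerberos.name_type" showname="Name-type: Principal (1)" size="1" pos="51" show="1" value="01"/>
    <field name="kerberos.name_string" showname="Name: yaronf" size="6" pos="58" show="yaronf" value="7961726f6e66"/>
  </field>
  <field name="kerberos.sname" showname="Server Name: krbtgt/AD.ABCDEFGHIJ.COM" show="" value="">
    <field name="kerberos.name_type" showname="Name-type: Service and Instance (2)" show="2" value="02"/>
    <field name="kerberos.name_string" showname="Name: krbtgt" show="krbtgt" value="6b7262746774"/>
    <field name="kerberos.name_string" showname="Name: AD.ABCDEFGHIJ.COM" show="AD.ABCDEFGHIJ.COM" value="41442e444444444444444444442e434f4d"/>
  </field>
</proto>
</packet>
</pdml>"""

def all_name_strings(pdml_text):
    """What a bare '-e kerberos.name_string' sees: every occurrence in the
    document, client and server components mixed with no way to tell them apart."""
    root = ET.fromstring(pdml_text)
    return [f.get("show") for f in root.iter("field") if f.get("name") == "kerberos.name_string"]

def first_show(proto, name):
    """'show' attribute of the first field with this name, or None if absent."""
    return next((f.get("show") for f in proto.iter("field") if f.get("name") == name), None)

def principal_from(proto, container):
    """Rebuild a principal from the name_string children directly under one container
    (kerberos.cname or kerberos.sname); the container's own 'show' carries no text."""
    for field in proto.iter("field"):
        if field.get("name") == container:
            parts = [f.get("show") for f in field if f.get("name") == "kerberos.name_string"]
            return "/".join(parts)  # multi-component names join with '/'
    return None

def kerberos_principals(pdml_text):
    """Per kerberos PDU: client@REALM rebuilt from cname, server from sname, plus the
    raw cname 'show' (empty string: why '-e kerberos.cname' prints nothing)."""
    root = ET.fromstring(pdml_text)
    return [{
        "client": f"{principal_from(proto, 'kerberos.cname')}@{first_show(proto, 'kerberos.crealm')}",
        "server": principal_from(proto, "kerberos.sname"),
        "cname_show": first_show(proto, "kerberos.cname"),
    } for proto in root.iter("proto") if proto.get("name") == "kerberos"]
```

Feed it the output of `tshark -T pdml` on the capture; the same walk works for sname and any other container field whose text lives only in its children.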
