Wireshark mailing list archives

Re: Accessing the NT ACE Information field from TShark in SMB NT Trans Request, NT SET SECURITY


From: "j.snelders" <j.snelders () telfort nl>
Date: Mon, 4 Oct 2010 20:19:40 +0200

Hi Guy,

Print all and send the output to a csv file:
$ tshark -r local_permissions_changes.pcap -R "smb.cmd == 0xa0" -T fields -e frame.number -e nt.sid -E separator=, > local_permissions_changes.csv


Use occurrence=f|l|a to print the first, last or all occurrences of each field.


To print the first occurrence:
$ tshark -r local_permissions_changes.pcap -R "smb.cmd == 0xa0" -T fields -e frame.number -e nt.sid -E occurrence=f -E separator=, > local_permissions_changes2.csv

More information:
tshark -h
  -E<fieldsoption>=<value> set options for output when -Tfields selected:
     header=y|n            switch headers on and off
     separator=/t|/s|<char> select tab, space, printable character as separator
     occurrence=f|l|a      print first, last or all occurrences of each field
     aggregator=,|/s|<char> select comma, space, printable character as aggregator
     quote=d|s|n           select double, single, no quotes for values

Hope this helps
Joke

On Sun, 3 Oct 2010 17:44:39 +0200 Guy other wrote:

Hi,
When I capture using TShark, I would like to use the "-T fields -e <fieldname>" flag to get the different NT ACE fields in a SMB NT Trans Request, NT SET SECURITY packet.

The thing is that there can be a different number of NT ACE fields in the packet.
Is there some syntax to specify which one I want to access? Can I somehow iterate over all of the ACE fields?

In Wireshark you can see the different fields; my question is how to do it from the command line with TShark.
I'm attaching an example .pcap file, the request is in packet 1824
Thanks!
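The "all occurrences" output that Joke's reply produces packs every nt.sid of a frame into one cell, joined by the -E aggregator character, so a consumer has to split that cell again to iterate over the ACEs. The following parser is an added example (not from the list post or the Wireshark project); it assumes tshark was run with -E occurrence=a and -E aggregator=| in addition to the options shown above, and the sample lines are constructed rather than taken from the attached pcap.

```python
"""Split tshark '-T fields' output with multiple nt.sid occurrences per frame."""
import csv
import io
from typing import Dict, List

# Constructed sample (NOT from the list's pcap). Assumed command line:
#   tshark -r local_permissions_changes.pcap -R "smb.cmd == 0xa0" -T fields \
#          -e frame.number -e nt.sid -E separator=, -E occurrence=a -E aggregator=|
# Frame 1824 carries three ACE SIDs, frame 1830 none (empty cell), frame 1835 one.
SAMPLE_OUTPUT = """\
1824,S-1-5-21-1000-2000-3000-1105|S-1-5-32-544|S-1-1-0
1830,
1835,S-1-5-21-1000-2000-3000-513
"""

AGGREGATOR = "|"          # must match the -E aggregator= value given to tshark
EVERYONE_SID = "S-1-1-0"  # well-known SID for the Everyone group


def parse_field_output(text: str, aggregator: str = AGGREGATOR) -> Dict[int, List[str]]:
    """Map frame number -> list of nt.sid values, in the order tshark emitted them.

    tshark joins all occurrences of a field with the aggregator inside one
    separator-delimited cell; an empty cell means the field was absent.
    """
    frames: Dict[int, List[str]] = {}
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue
        frame = int(row[0])
        cell = row[1] if len(row) > 1 else ""
        frames[frame] = [sid for sid in cell.split(aggregator) if sid]
    return frames


def frames_naming_sid(frames: Dict[int, List[str]], sid: str) -> List[int]:
    """Frames whose NT SET SECURITY request mentions `sid` (e.g. to audit
    permission changes that reference the Everyone group)."""
    return sorted(f for f, sids in frames.items() if sid in sids)


if __name__ == "__main__":
    parsed = parse_field_output(SAMPLE_OUTPUT)
    for frame, sids in parsed.items():
        print(f"frame {frame}: {len(sids)} ACE SID(s): {sids}")
    print("frames referencing Everyone:", frames_naming_sid(parsed, EVERYONE_SID))
```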




___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe

