Re reply to thread: Accessing the NT ACE Information field from TShark in SMB NT Trans Request, NT SET SECURITY From: Guy other <guy.other@xxxxxxxxx> Date: Sun, 3 Oct 2010 17:44:39 +0200

["j.snelders" <j.snelders () telfort nl>]

Hi Guy,

Which version are you running?
You have to run one of the latest releases, if you want to use the -E <fieldsoption>

occurrence=f|l|a      print first, last or all occurrences of each field

I'm running: 
$ tshark -v
TShark 1.4.0 (SVN Rev 34005 from /trunk-1.4)

You can download the latest release her:
http://www.wireshark.org/download.html

Best regards
Joke

On Mon, 4 Oct 2010 17:04:30 +0200 Guy wrote:
> I would like to elaborate:
> In the attached capture file in packet 1824 you can see under:
> SMB -> NT Trans Request -> NT SET SECURITY DESC Data -> NT Security
> Descriptor -> NT User (DACL) ACL
>
> 4 different  "NT ACE" entries, each one looking something like: "NT ACE:
> S-1-5-32-544, flags 0x00, Access Allowed, mask 0x001f01ff".
> Under each one there is the ACE which looks like: "ACE: S-1-5-32-544".
> This information is mapped under the "nt.sid" field.
> It can be different for each one of the 4 ACEs, as you can see in the
> example capture file.
>
> Nonetheless, if I capture in TShark and print out the field nt.sid ("-T
> fields -e nt.sid") I only get the last ACE.
> How can I access the first 3 ACE fields in TShark?
> Thanks

$ tshark -r local_permissions_changes.pcap -R "smb.cmd == 0xa0" -T fields
-e frame.number -e nt.sid -E occurrence=a -E separator=, > local_permissions_changes.csv


       


___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe