Wireshark mailing list archives
Re reply to thread: Accessing the NT ACE Information field from TShark in SMB NT Trans Request, NT SET SECURITY From: Guy other <guy.other@xxxxxxxxx> Date: Sun, 3 Oct 2010 17:44:39 +0200
From: "j.snelders" <j.snelders () telfort nl>
Date: Tue, 5 Oct 2010 17:24:28 +0200
Hi Guy,

Which version are you running?
You have to run one of the latest releases, if you want to use the -E <fieldsoption>
occurrence=f|l|a   print first, last or all occurrences of each field

I'm running:
$ tshark -v
TShark 1.4.0 (SVN Rev 34005 from /trunk-1.4)

You can download the latest release here:
http://www.wireshark.org/download.html

Best regards
Joke

On Mon, 4 Oct 2010 17:04:30 +0200 Guy wrote:
> I would like to elaborate:
>
> In the attached capture file in packet 1824 you can see under:
> SMB -> NT Trans Request -> NT SET SECURITY DESC Data -> NT Security Descriptor -> NT User (DACL) ACL
> 4 different "NT ACE" entries, each one looking something like:
> "NT ACE: S-1-5-32-544, flags 0x00, Access Allowed, mask 0x001f01ff".
>
> Under each one there is the ACE which looks like: "ACE: S-1-5-32-544".
> This information is mapped under the "nt.sid" field. It can be different for each one of the 4 ACEs, as you can see in the example capture file.
>
> Nonetheless, if I capture in TShark and print out the field nt.sid ("-T fields -e nt.sid") I only get the last ACE.
>
> How can I access the first 3 ACE fields in TShark?
>
> Thanks

$ tshark -r local_permissions_changes.pcap -R "smb.cmd == 0xa0" -T fields -e frame.number -e nt.sid -E occurrence=a -E separator=, > local_permissions_changes.csv
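
Added example, not part of the original posts: a way to post-process the CSV written by the command above, so that every nt.sid occurrence gets its own row and a missing occurrence (the "only the last ACE" symptom) shows up as a low count. It assumes repeated occurrences are joined with a comma; the function names and sample rows are constructed for illustration, and only S-1-5-32-544 and frame 1824 come from the thread.

```shell
#!/bin/sh
# Each line of local_permissions_changes.csv is assumed to look like:
#   <frame.number>,<nt.sid>,<nt.sid>,...
# nt.sid is emitted for every SID the dissector shows in the frame, so the
# list is not limited to ACE entries.

# Constructed sample standing in for the real CSV (not taken from the capture).
sample_csv() {
cat <<'EOF'
1824,S-1-5-32-544,S-1-5-32-545,S-1-5-18,S-1-1-0
1830,S-1-5-32-544
1841,
EOF
}

# Emit one "frame,sid" row per occurrence; frames without nt.sid are skipped.
explode_sids() {
    awk -F, '{ for (i = 2; i <= NF; i++) if ($i != "") print $1 "," $i }'
}

# Print the frame numbers in which the given SID occurs.
frames_with_sid() {
    explode_sids | awk -F, -v sid="$1" '$2 == sid { print $1 }'
}

# Print "frame,count" with the number of nt.sid occurrences per frame.
# With occurrence=l (or a tshark without the option) every count would be 1.
sid_count_per_frame() {
    explode_sids |
        awk -F, '{ n[$1]++ } END { for (f in n) print f "," n[f] }' |
        sort -t, -k1,1n
}

# Demo on the constructed sample; on real data use:
#   sid_count_per_frame < local_permissions_changes.csv
sample_csv | sid_count_per_frame
```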