wireshark-users October 2010 archive

Re: [Wireshark-users] Accessing the NT ACE Information field from TShark in SMB NT Trans Request, NT SET SECURITY

From: j.snelders <j.snelders_at_nospam>
Date: Mon Oct 04 2010 - 18:19:40 GMT
To: "Community support list for Wireshark" <wireshark-users@wireshark.org>

Hi Guy,

Print all and send the output to a csv file:
$ tshark -r local_permissions_changes.pcap -R "smb.cmd == 0xa0" -T fields \
  -e frame.number -e nt.sid -E separator=, > local_permissions_changes.csv

Use occurrence=f|l|a to print the first, last or all occurrences of each field.

To print the first occurrence:
$ tshark -r local_permissions_changes.pcap -R "smb.cmd == 0xa0" -T fields \
  -e frame.number -e nt.sid -E occurrence=f -E separator=, > local_permissions_changes2.csv

More information:
tshark -h
  -E<fieldsoption>=<value> set options for output when -Tfields selected:
     header=y|n switch headers on and off
     separator=/t|/s|<char> select tab, space, printable character as separator
     occurrence=f|l|a print first, last or all occurrences of each field
     aggregator=,|/s|<char> select comma, space, printable character as aggregator
     quote=d|s|n select double, single, no quotes for values

Hope this helps
Joke

On Sun, 3 Oct 2010 17:44:39 +0200 Guy other wrote:
>
>Hi,
>When I capture using TShark, I would like to use the "-T fields -e
><fieldname>" flag to get the different NT ACE fields in a
>SMB NT Trans Request, NT SET SECURITY packet.
>
>The thing is that there can be a different number of NT ACE fields in the
>packet.
>Is there some syntax to specify which one I want to access? can I somehow
>iterate over all of the ACE fields?
>
>In Wireshark you can see the different fields. My question is how to do it
>from the command line with TShark.
>I'm attaching an example .pcap file, the request is in packet 1824
>Thanks!


___________________________________________________________________________
Sent via: Wireshark-users mailing list <wireshark-users@wireshark.org>
Archives: http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request@wireshark.org?subject=unsubscribe
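As an added example (not code from the thread), the snippet below post-processes the "-T fields" output discussed above so that a frame carrying several nt.sid values (one per ACE) becomes one row per ACE. It assumes the capture was exported with "-E occurrence=a -E separator=, -E aggregator=;" so that multiple occurrences are joined with ';' instead of the default ',', which would otherwise collide with the column separator; the sample output and SIDs are constructed, not taken from the poster's pcap.

```python
"""Expand tshark -T fields rows with several nt.sid values into one row per ACE.

Assumed export command (not the one in the thread; note the explicit aggregator):
  tshark -r x.pcap -R "smb.cmd == 0xa0" -T fields -e frame.number -e nt.sid \
         -E occurrence=a -E separator=, -E aggregator=;
"""
import csv
import io

# Constructed sample of tshark output: frame 1824 carries a DACL with three ACEs,
# frame 1830 matched the filter but has no nt.sid, frame 1840 has a single ACE.
SAMPLE_OUTPUT = """\
1824,S-1-5-21-1000-2000-3000-1001;S-1-5-32-544;S-1-1-0
1830,
1840,S-1-5-21-1000-2000-3000-513
"""


def expand_sids(text, separator=",", aggregator=";"):
    """Return a list of (frame, ace_index, sid) tuples, one per SID occurrence."""
    rows = []
    reader = csv.reader(io.StringIO(text), delimiter=separator)
    for record in reader:
        if not record:
            continue  # skip blank lines
        frame = int(record[0])
        joined = record[1] if len(record) > 1 else ""
        if not joined:
            continue  # frame had no nt.sid field at all
        # The aggregator joins every occurrence of nt.sid in ACE order.
        for idx, sid in enumerate(joined.split(aggregator)):
            rows.append((frame, idx, sid))
    return rows


def sids_by_frame(rows):
    """Group expanded rows into {frame: [sid, ...]}, preserving ACE order."""
    out = {}
    for frame, _idx, sid in rows:
        out.setdefault(frame, []).append(sid)
    return out


if __name__ == "__main__":
    for frame, idx, sid in expand_sids(SAMPLE_OUTPUT):
        print(f"{frame},{idx},{sid}")
```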