wireshark-users October 2010 archive

[Wireshark-users] reply to thread: Accessing the NT ACE Information field from TShark in SMB NT Trans Request, NT SET SECURITY
From: Guy other <guy.other@xxxxxxxxx>
Date: Sun, 3 Oct 2010 17:44:39 +0200

From: Guy other <guy.other_at_nospam>
Date: Mon Oct 04 2010 - 15:04:30 GMT
To: wireshark-users@wireshark.org

I would like to elaborate:
In the attached capture file in packet 1824 you can see under:
SMB -> NT Trans Request -> NT SET SECURITY DESC Data -> NT Security
Descriptor -> NT User (DACL) ACL

4 different "NT ACE" entries, each one looking something like: "NT ACE:
S-1-5-32-544, flags 0x00, Access Allowed, mask 0x001f01ff".
Under each one there is the ACE which looks like: "ACE: S-1-5-32-544".
This information is mapped under the "nt.sid" field.
It can be different for each one of the 4 ACEs, as you can see in the
example capture file.

Nonetheless, if I capture in TShark and print out the field nt.sid ("-T
fields -e nt.sid") I only get the last ACE.
How can I access the first 3 ACE fields in TShark?

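The DACL structure described in the post above, as an added example that is not part of the original message or of Wireshark: a small parser that walks a binary NT ACL and returns the SID of every ACE, which is the per-ACE data the dissector maps onto the repeated nt.sid field. It assumes the standard Windows ACL/ACE/SID layout and handles only the basic ACE types; the sample ACL is constructed, and only the first SID and mask are taken from the post.

```python
import struct

ACE_TYPES = {0: "Access Allowed", 1: "Access Denied", 2: "System Audit"}

def parse_sid(buf, off):
    """Decode the binary SID at buf[off:] into its S-R-A-S... string."""
    if off + 8 > len(buf) or off + 8 + 4 * buf[off + 1] > len(buf):
        raise ValueError("truncated SID")
    revision, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")  # 48-bit, big-endian
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)  # 32-bit, little-endian
    return "-".join(["S", str(revision), str(authority)] + [str(s) for s in subs])

def parse_acl(buf):
    """Return every ACE of a binary NT ACL, in order (not just the last one)."""
    if len(buf) < 8:
        raise ValueError("truncated ACL header")
    _rev, _sbz1, acl_size, ace_count, _sbz2 = struct.unpack_from("<BBHHH", buf, 0)
    if acl_size > len(buf):
        raise ValueError("ACL size exceeds buffer")
    aces, off = [], 8
    for _ in range(ace_count):
        if off + 8 > acl_size:
            raise ValueError("truncated ACE")
        ace_type, flags, ace_size, mask = struct.unpack_from("<BBHI", buf, off)
        if ace_type not in ACE_TYPES:  # object ACEs use a different layout
            raise ValueError("unsupported ACE type %d" % ace_type)
        if ace_size < 16 or off + ace_size > acl_size:
            raise ValueError("bad ACE size")
        sid = parse_sid(buf[:off + ace_size], off + 8)  # SID may not overrun its ACE
        aces.append({"sid": sid, "flags": flags, "type": ACE_TYPES[ace_type], "mask": mask})
        off += ace_size
    return aces

def describe(ace):
    """Render an ACE the way the post quotes it from the packet tree."""
    return "NT ACE: %(sid)s, flags 0x%(flags)02x, %(type)s, mask 0x%(mask)08x" % ace

def _build_sample():
    """Constructed DACL with 4 ACEs; only the first SID/mask come from the post."""
    body = b""
    for sid, mask in [((5, 32, 544), 0x001F01FF), ((5, 18), 0x001F01FF),
                      ((5, 32, 545), 0x001200A9), ((1, 0), 0x00120089)]:
        raw = bytes([1, len(sid) - 1]) + sid[0].to_bytes(6, "big")
        raw += struct.pack("<%dI" % (len(sid) - 1), *sid[1:])
        body += struct.pack("<BBHI", 0, 0, 8 + len(raw), mask) + raw
    return struct.pack("<BBHHH", 2, 0, 8 + len(body), 4, 0) + body

SAMPLE_ACL = _build_sample()
```

On the TShark side, the `-T fields` output has an `-E occurrence=f|l|a` option that selects the first, last or all occurrences of a field that appears more than once in a packet.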