|Main Archive Page > Month Archives > wireshark-users archives|
I would like to elaborate:
In the attached capture file in packet 1824 you can see under:
SMB -> NT Trans Request -> NT SET SECURITY DESC Data -> NT Security
Descriptor -> NT User (DACL) ACL
4 different "NT ACE" entries, each one looking something like: "NT ACE:
S-1-5-32-544, flags 0x00, Access Allowed, mask 0x001f01ff".
Under each one there is the ACE which looks like: "ACE: S-1-5-32-544".
This information is mapped under the "nt.sid" field.
It can be different for each one of the 4 ACEs, as you can see in the
example capture file.
Nonetheless, if I capture in TShark and print out the field nt.sid ("-T
fields -e nt.sid") I only get the last ACE.
How can I access the first 3 ACE fields in TShark?
Sent via: Wireshark-users mailing list <email@example.com>