Hi,

I'm parsing Windows Kerberos traffic with tshark (latest stable and dev versions), and trying to extract the user name.

It looks like some of the fields are not extracted in full, and therefore cannot be displayed with the tshark "-e" option, e.g. "-e kerberos.cname".

Looking at the PDML output, the "show" attribute for the "kerberos.cname" field is empty (note: some data obscured):

    <field name="kerberos.pvno" showname="Pvno: 5" size="1" pos="16" show="5" value="05"/>

    <field name="kerberos.msg.type" showname="MSG Type: TGS-REP (13)" size="1" pos="21" show="13" value="0d"/>

    <field name="kerberos.crealm" showname="Client Realm: AD.ABCDEFGHIJ.COM" size="17" pos="26" show="AD.ABCDEFGHIJ.COM" value="41442e444444444444444444442e434f4d"/>

    <field name="kerberos.cname" showname="Client Name (Principal): yaronf" size="19" pos="45" show="" value="">

      <field name="kerberos.name_type" showname="Name-type: Principal (1)" size="1" pos="51" show="1" value="01"/>

      <field name="kerberos.name_string" showname="Name: yaronf" size="6" pos="58" show="yaronf" value="7961726f6e66"/>

    </field>

When looking at kerberos.cname, the first contained "show" value is displayed, i.e. "1". Also, when printing kerberos.name_string, a different value is printed because name_string occurs multiple times in the PDU.

Is this a bug in the dissector? Is there any more complex field/filter syntax that'll give me the user name (formatted as in name_string, or decorated as in kerberos.cname)?

Thanks,

                Yaron