Wireshark-users: [Wireshark-users] Re reply to thread: Accessing the NT ACE Information field fro
From: "j.snelders" <[email protected]>
Date: Tue, 5 Oct 2010 17:24:28 +0200
Hi Guy,

Which version are you running?
You have to run one of the latest releases if you want to use the -E <fieldsoption>

occurrence=f|l|a      print first, last or all occurrences of each field

I'm running: 
$ tshark -v
TShark 1.4.0 (SVN Rev 34005 from /trunk-1.4)

You can download the latest release here:
http://www.wireshark.org/download.html

Best regards
Joke

On Mon, 4 Oct 2010 17:04:30 +0200 Guy wrote:
>
>I would like to elaborate:
>In the attached capture file in packet 1824 you can see under:
>SMB -> NT Trans Request -> NT SET SECURITY DESC Data -> NT Security
>Descriptor -> NT User (DACL) ACL
>
>4 different "NT ACE" entries, each one looking something like: "NT ACE:
>S-1-5-32-544, flags 0x00, Access Allowed, mask 0x001f01ff".
>Under each one there is the ACE which looks like: "ACE: S-1-5-32-544".
>This information is mapped under the "nt.sid" field.
>It can be different for each one of the 4 ACEs, as you can see in the
>example capture file.
>
>Nonetheless, if I capture in TShark and print out the field nt.sid ("-T
>fields -e nt.sid") I only get the last ACE.
>How can I access the first 3 ACE fields in TShark?
>Thanks

$ tshark -r local_permissions_changes.pcap -R "smb.cmd == 0xa0" -T fields \
    -e frame.number -e nt.sid -E occurrence=a -E separator=, > local_permissions_changes.csv
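Two practical notes on the command above, followed by an added example that is not part of the thread. First, tshark's default aggregator for multiple occurrences of one field is also ",", so with "-E separator=," the frame number column and the several nt.sid occurrences of one frame are joined by the same character; passing a different aggregator (for example "-E aggregator=;") keeps them apart. Second, in current tshark releases the display filter flag is -Y; -R is now a two-pass read filter. The Python below is mine, not code from the thread or from Wireshark: it parses the field output for the SMB NT SET SECURITY DESC packets into one SID list per frame, labels a few well-known SIDs, and finds frames whose DACL names a given principal. The sample output is constructed by hand (the assumed aggregator is ";"), and the ACE type and access mask are separate fields that the thread's command does not extract, so they are not modelled here.

```python
import re
from collections import OrderedDict

# Constructed stand-in for the file written by
#   tshark -r capture.pcap -Y "smb.cmd == 0xa0" -T fields \
#       -e frame.number -e nt.sid -E occurrence=a -E separator=, -E aggregator=;
# Frame 1824 carries four ACEs, 1831 one, 1840 none. Not real capture output.
SAMPLE_OUTPUT = """\
1824,S-1-5-32-544;S-1-5-18;S-1-5-21-1004336348-1177238915-682003330-512;S-1-1-0
1831,S-1-5-32-544
1840,
"""

# Well-known SIDs and domain-relative RIDs (fixed by the Windows security model).
WELL_KNOWN_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-18": "NT AUTHORITY\\SYSTEM",
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
}
WELL_KNOWN_RIDS = {500: "Administrator", 512: "Domain Admins", 513: "Domain Users"}

SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")


def parse_fields_output(text, separator=",", aggregator=";"):
    """Map frame number -> list of nt.sid values, in on-the-wire order.

    One output line per frame: the first column is frame.number, the
    remaining columns are nt.sid occurrences joined by the aggregator.
    A frame with no SID yields an empty list; a value that is not a SID
    is an error rather than silently dropped.
    """
    frames = OrderedDict()
    for raw in text.splitlines():
        if not raw.strip():
            continue
        cols = raw.split(separator)
        frame = int(cols[0])
        sids = []
        for col in cols[1:]:
            for value in col.split(aggregator):
                value = value.strip()
                if not value:
                    continue
                if not SID_RE.match(value):
                    raise ValueError(f"frame {frame}: unexpected nt.sid value {value!r}")
                sids.append(value)
        frames[frame] = sids
    return frames


def describe_sid(sid):
    """Human-readable name for well-known SIDs and well-known domain RIDs."""
    if sid in WELL_KNOWN_SIDS:
        return WELL_KNOWN_SIDS[sid]
    rid = int(sid.rsplit("-", 1)[1])
    if sid.startswith("S-1-5-21-") and rid in WELL_KNOWN_RIDS:
        return WELL_KNOWN_RIDS[rid]
    return "unresolved SID"


def frames_naming(frames, sid):
    """Frame numbers whose DACL contains an ACE for the given SID."""
    return [frame for frame, sids in frames.items() if sid in sids]


if __name__ == "__main__":
    parsed = parse_fields_output(SAMPLE_OUTPUT)
    for frame, sids in parsed.items():
        print(frame, [f"{s} ({describe_sid(s)})" for s in sids])
    print("frames naming Everyone:", frames_naming(parsed, "S-1-1-0"))
```

The parser keeps the per-frame order of the ACEs, which matters because the DACL order is what the server evaluates; only the SIDs are recovered here, so a frame that names Everyone is a lead to inspect in Wireshark, not proof that the ACE is Access Allowed.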