Hi Guy,
Which version are you running?
You have to run one of the latest releases, if you want to use the -E <fieldsoption>
occurrence=f|l|a print first, last or all occurrences of each field
I'm running:
$ tshark -v
TShark 1.4.0 (SVN Rev 34005 from /trunk-1.4)
You can download the latest release her:
http://www.wireshark.org/download.html
Best regards
Joke
On Mon, 4 Oct 2010 17:04:30 +0200 Guy wrote:
>
>I would like to elaborate:
>In the attached capture file in packet 1824 you can see under:
>SMB -> NT Trans Request -> NT SET SECURITY DESC Data -> NT Security
>Descriptor -> NT User (DACL) ACL
>
>4 different "NT ACE" entries, each one looking something like: "NT ACE:
>S-1-5-32-544, flags 0x00, Access Allowed, mask 0x001f01ff".
>Under each one there is the ACE which looks like: "ACE: S-1-5-32-544".
>This information is mapped under the "nt.sid" field.
>It can be different for each one of the 4 ACEs, as you can see in the
>example capture file.
>
>Nonetheless, if I capture in TShark and print out the field nt.sid ("-T
>fields -e nt.sid") I only get the last ACE.
>How can I access the first 3 ACE fields in TShark?
>Thanks
$ tshark -r local_permissions_changes.pcap -R "smb.cmd == 0xa0" -T fields
-e frame.number -e nt.sid -E occurrence=a -E separator=, > local_permissions_changes.csv
