Hi Guy,
Are you looking for this:
$ tshark -r dc3-dc4_Stream_8364.pcap -T fields -e kerberos.name_string |
sort | uniq
Output:
Administrator
added key in 4
added key in 5
woohoo decrypted keytype:23 in frame:4
woohoo decrypted keytype:23 in frame:5
HTH
Joan
On Sun, 19 Jul 2009 11:32:56 +0200 Guy Shtub wrote:
>Hi,
>I'm using TShark to capture SMB packets, using the "-T fields" flag to get
>specific fields of the packets that interest me.
>I'm able to decrypt kerberos (krb5) using a keytab file.
>I can not find a way to get the decrypted Client Name (Principal) when using
>the -T fields option.
>If I run TShark in verbose mode -V I can get the client name.
>If I run it with -x mode to display all bytes, I get all the bytes encrypted
>followed by all the bytes decrypted.
>
>Is there a way to get just the client name field decrypted with the -T
>fields option?
>
>Regards,
>Guy.
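Added example, not part of the thread or of Wireshark itself: the Output in the reply shows the Kerberos dissector's "added key" and "woohoo decrypted" diagnostics mixed in with the principal name, so this sketch filters them out and separately lists which frames were decrypted. The sample input is constructed, the function names are made up for illustration, and the capture and keytab paths passed to list_principals are whatever you supply.

```shell
#!/bin/sh
# Added example. File names passed to list_principals are assumptions.

# Constructed sample of raw `-T fields -e kerberos.name_string` output with
# the dissector's diagnostics mixed in, before any sort/uniq.
sample_output() {
    cat <<'EOF'
added key in 4
woohoo decrypted keytype:23 in frame:4
Administrator
added key in 5
woohoo decrypted keytype:23 in frame:5
Administrator

krbtgt,EXAMPLE.TEST
EOF
}

# Keep only field values: split multi-valued fields (tshark joins repeated
# occurrences with "," by default), drop diagnostics and the empty lines
# printed for packets that lack the field, then de-duplicate.
principals_only() {
    tr ',' '\n' |
    grep -v -e '^added key in [0-9][0-9]*$' \
            -e '^woohoo decrypted keytype:[0-9][0-9]* in frame:[0-9][0-9]*$' \
            -e '^[[:space:]]*$' |
    LC_ALL=C sort -u
}

# List "frame keytype" pairs for frames the keytab decrypted
# (keytype 23 is RC4-HMAC).
decrypted_frames() {
    sed -n 's/^woohoo decrypted keytype:\([0-9][0-9]*\) in frame:\([0-9][0-9]*\)$/\2 \1/p' |
    LC_ALL=C sort -u -k1,1n -k2,2n
}

# Real run: $1 = capture file, $2 = keytab (both supplied by the caller).
list_principals() {
    tshark -r "$1" -o kerberos.decrypt:TRUE -o "kerberos.file:$2" \
        -T fields -e kerberos.name_string | principals_only
}

sample_output | principals_only
```

An empty decrypted_frames result on a real capture means the keytab matched nothing, so any names printed came from unencrypted parts of the exchange only.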