Wireshark-users: Re: [Wireshark-users] TShark -T fields and kerberos decryption

Date: Sun, 19 Jul 2009 20:10:25 +0200
Hi Guy,

Are you looking for this:
$ tshark -r dc3-dc4_Stream_8364.pcap -T fields -e kerberos.name_string |
sort | uniq

Output:
Administrator
added key in 4
added key in 5
woohoo decrypted keytype:23 in frame:4
woohoo decrypted keytype:23 in frame:5

HTH
Joan


On Sun, 19 Jul 2009 11:32:56 +0200 Guy Shtub wrote:
>Hi,
>I'm using TShark to capture SMB packets, using the "-T fields" flag to get
>specific fields of the packets that interest me.
>I'm able to decrypt kerberos (krb5) using a keytab file.
>I can not find a way to get the decrypted Client Name (Principal) when using
>the -T fields option.
>If I run TShark in verbose mode -V I can get the client name.
>If I run it with -x mode to display all bytes, I get all the bytes encrypted
>followed by all the bytes decrypted.
>
>Is there a way to get just the client name field decrypted with the -T
>fields option?
>
>Regards,
>Guy.
>___________________________________________________________________________
>Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
>Archives:    http://www.wireshark.org/lists/wireshark-users
>Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>             mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe