Hi Guy,
Print all and send the output to a csv file:
$ tshark -r local_permissions_changes.pcap -R "smb.cmd == 0xa0" -T fields \
    -e frame.number -e nt.sid -E separator=, > local_permissions_changes.csv
Use occurrence=f|l|a to print the first, last or all occurrences of each field.
To print the first occurrence:
$ tshark -r local_permissions_changes.pcap -R "smb.cmd == 0xa0" -T fields \
    -e frame.number -e nt.sid -E occurrence=f -E separator=, > local_permissions_changes2.csv
More information:
tshark -h
  -E<fieldsoption>=<value> set options for output when -Tfields selected:
     header=y|n               switch headers on and off
     separator=/t|/s|<char>   select tab, space, printable character as separator
     occurrence=f|l|a         print first, last or all occurrences of each field
     aggregator=,|/s|<char>   select comma, space, printable character as aggregator
     quote=d|s|n              select double, single, no quotes for values
Hope this helps
Joke
On Sun, 3 Oct 2010 17:44:39 +0200 Guy other wrote:
>
>Hi,
>When I capture using TShark, I would like to use the "-T fields -e
><fieldname>" flag to get the different NT ACE fields in a
>SMB NT Trans Request, NT SET SECURITY packet.
>
>The thing is that there can be a different number of NT ACE fields in the
>packet.
>Is there some syntax to specify which one I want to access? Can I somehow
>iterate over all of the ACE fields?
>
>In Wireshark you can see the different fields, My question is how to do it
>from the command line with TShark.
>I'm attaching an example .pcap file, the request is in packet 1824
>Thanks!
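
Added example, not part of the original thread: one way to iterate over every nt.sid occurrence per frame is to post-process the -T fields output. It assumes the capture was exported with -E separator=, -E aggregator=/s -E quote=d (options from the help text above), so the comma separator cannot be confused with the default comma aggregator; the sample lines, frame numbers and SIDs are constructed, and the function names are hypothetical.

```python
import csv
import io

# Constructed sample of tshark output for:
#   -T fields -e frame.number -e nt.sid -E separator=, -E aggregator=/s -E quote=d
# Frame numbers and SIDs are made up for illustration.
SAMPLE = '''"1822",""
"1824","S-1-5-21-1111111111-2222222222-3333333333-1001 S-1-5-32-544 S-1-1-0"
"1830","S-1-5-18"
'''


def explode_sids(lines, aggregator=" "):
    """Yield (frame_number, occurrence_index, sid), one tuple per nt.sid occurrence."""
    for row in csv.reader(lines):
        if len(row) != 2:
            # More than two columns usually means the aggregator and the
            # separator were the same character when the file was written.
            raise ValueError(f"expected 2 fields, got {len(row)}: {row!r}")
        frame, joined = int(row[0]), row[1]
        # Frames that match the display filter but carry no SID
        # produce an empty second field; they yield nothing.
        sids = [s for s in joined.split(aggregator) if s]
        for index, sid in enumerate(sids):
            yield frame, index, sid


def sids_for_frame(lines, frame_number):
    """Return the SIDs seen in one frame, in on-the-wire order."""
    return [sid for frame, _, sid in explode_sids(lines) if frame == frame_number]


if __name__ == "__main__":
    # One output row per SID: frame,occurrence,sid
    for frame, index, sid in explode_sids(io.StringIO(SAMPLE)):
        print(f"{frame},{index},{sid}")
```
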