Hi,
I'm parsing Windows Kerberos traffic with tshark (latest
stable and dev versions), and trying to extract the user name.
It looks like some of the fields are not extracted in full,
and therefore cannot be displayed with the tshark "-e" option, e.g.
"-e kerberos.cname".
Looking at the PDML output, the "show" attribute
for the "kerberos.cname" field is empty (note: some data obscured):
<field name="kerberos.pvno"
showname="Pvno: 5" size="1" pos="16"
show="5" value="05"/>
<field name="kerberos.msg.type"
showname="MSG Type: TGS-REP (13)" size="1"
pos="21" show="13" value="0d"/>
<field name="kerberos.crealm"
showname="Client Realm: AD.ABCDEFGHIJ.COM" size="17"
pos="26" show="AD.ABCDEFGHIJ.COM"
value="41442e444444444444444444442e434f4d"/>
<field name="kerberos.cname"
showname="Client Name (Principal): yaronf" size="19"
pos="45" show="" value="">
<field name="kerberos.name_type"
showname="Name-type: Principal (1)" size="1"
pos="51" show="1" value="01"/>
<field name="kerberos.name_string"
showname="Name: yaronf" size="6" pos="58"
show="yaronf" value="7961726f6e66"/>
</field>
When looking at kerberos.cname, the first contained
"show" value is displayed, i.e. "1". Also, when printing
kerberos.name_string, a different value is printed because name_string occurs
multiple times in the PDU.
Is this a bug in the dissector? Is there any more complex field/filter
syntax that'll give me the user name (formatted as in name_string, or decorated
as in kerberos.cname)?
Thanks,
Yaron
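The nesting shown in the PDML above is the key: "kerberos.cname" is a container field with an empty "show", and the user name lives in the "kerberos.name_string" child underneath it, while other PrincipalName containers in the same PDU (for instance the server name) carry their own "kerberos.name_string" children. The following is an added example, not code from the original post or from the Wireshark project: it parses PDML text (what "tshark -T pdml" writes) and returns only the name_string values that sit inside the cname container, alongside a flat extraction that reproduces the ambiguity described above. The PDML sample is constructed from the fields quoted in the post; the "kerberos.sname" block, its size/pos numbers and the function names are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

# Constructed PDML fragment modelled on the fields quoted in the post.
# The kerberos.sname container is an assumption added here so the sample
# contains more than one kerberos.name_string, as a real TGS-REP does.
SAMPLE_PDML = """<?xml version="1.0"?>
<pdml version="0">
 <packet>
  <proto name="kerberos" showname="Kerberos" size="100" pos="0">
   <field name="kerberos.pvno" showname="Pvno: 5" size="1" pos="16" show="5" value="05"/>
   <field name="kerberos.msg.type" showname="MSG Type: TGS-REP (13)" size="1" pos="21" show="13" value="0d"/>
   <field name="kerberos.crealm" showname="Client Realm: AD.ABCDEFGHIJ.COM" size="17" pos="26"
          show="AD.ABCDEFGHIJ.COM" value="41442e444444444444444444442e434f4d"/>
   <field name="kerberos.cname" showname="Client Name (Principal): yaronf" size="19" pos="45" show="" value="">
    <field name="kerberos.name_type" showname="Name-type: Principal (1)" size="1" pos="51" show="1" value="01"/>
    <field name="kerberos.name_string" showname="Name: yaronf" size="6" pos="58" show="yaronf" value="7961726f6e66"/>
   </field>
   <field name="kerberos.sname" showname="Server Name (Service and Instance): krbtgt/AD.ABCDEFGHIJ.COM"
          size="40" pos="64" show="" value="">
    <field name="kerberos.name_type" showname="Name-type: Service and Instance (2)" size="1" pos="70" show="2" value="02"/>
    <field name="kerberos.name_string" showname="Name: krbtgt" size="6" pos="77" show="krbtgt" value="6b7262746774"/>
    <field name="kerberos.name_string" showname="Name: AD.ABCDEFGHIJ.COM" size="17" pos="85"
           show="AD.ABCDEFGHIJ.COM" value="41442e444444444444444444442e434f4d"/>
   </field>
  </proto>
 </packet>
</pdml>
"""


def _fields_named(parent, name):
    """Yield the direct <field> children of `parent` whose name attribute matches."""
    for child in parent.findall("field"):
        if child.get("name") == name:
            yield child


def client_principals(pdml_text, realm=False):
    """Return one entry per packet: the name_string parts found *inside*
    the kerberos.cname container, joined with '/' like a principal.
    With realm=True the crealm is appended as name@REALM.
    Packets without a cname (e.g. AS-REQ errors) are skipped."""
    root = ET.fromstring(pdml_text)
    results = []
    for packet in root.iter("packet"):
        # iter() walks the whole packet tree, so cname is found at any depth
        for cname in (f for f in packet.iter("field") if f.get("name") == "kerberos.cname"):
            parts = [ns.get("show", "") for ns in _fields_named(cname, "kerberos.name_string")]
            if not parts:
                continue
            principal = "/".join(parts)
            if realm:
                crealm = next((f.get("show") for f in packet.iter("field")
                               if f.get("name") == "kerberos.crealm"), "")
                principal = f"{principal}@{crealm}"
            results.append(principal)
    return results


def all_name_strings(pdml_text):
    """Flat extraction: every kerberos.name_string in document order,
    regardless of which container it belongs to. This mirrors what a
    plain '-e kerberos.name_string' sees and shows why it is ambiguous."""
    root = ET.fromstring(pdml_text)
    return [f.get("show", "") for f in root.iter("field")
            if f.get("name") == "kerberos.name_string"]


if __name__ == "__main__":
    print("cname only:", client_principals(SAMPLE_PDML, realm=True))
    print("all name_string:", all_name_strings(SAMPLE_PDML))
```

Run it against real output with `tshark -r capture.pcap -Y kerberos -T pdml > krb.pdml` and pass the file contents to `client_principals`; matching on the container element rather than on field order keeps the extraction correct even when a PDU carries several PrincipalName structures.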