This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

When I try to fetch NTLM fields from a sniff file, the fields are truncated to the first byte.
tshark -r file.pcap -T fields -e ntlmssp.auth.domain -e ntlmssp.auth.username -R ntlmssp.auth.username
output:
NULL NULL
B A
E A
D a
NULL NULL
B A
A A
D A
E a
For other string fields this works fine, and in Wireshark itself I get the complete string. Is this a bug or am I missing something?

asked 03 May '11, 07:42

ruwi

edited 03 May '11, 19:18

cmaynard ♦♦

What version of tshark are you using and upon what platform/OS are you running it?

(03 May '11, 08:42) cmaynard ♦♦

Sorry for the late feedback. Wireshark 1.4.6, OS Win XP.

(13 May '11, 07:15) ruwi

OK, that's a new enough version of Wireshark, so I would expect this to work, but unfortunately I can't think of any reason why it wouldn't work. Unless someone else on this forum has any idea, you will probably need to post a capture file somewhere for someone to take a look at.

(13 May '11, 08:40) cmaynard ♦♦

It looks like we may be trying to print wide characters. After glancing through the code I don't see any obvious reason for this.

(13 May '11, 09:07) Gerald Combs ♦♦
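
An added example, not part of the original thread and not Wireshark's code: it parses the domain and user name out of an NTLMSSP AUTHENTICATE message and shows that reading a UTF-16LE field as a NUL-terminated byte string yields only its first character, which is the symptom in the question. Whether that is what happens inside tshark 1.4.6 is not established here. The message is constructed with `build_authenticate`, and all function names and the sample values "DOMAIN" and "Alice" are assumptions; the field offsets and the Unicode flag follow the MS-NLMP layout.

```python
import struct

NTLMSSP_NEGOTIATE_UNICODE = 0x00000001  # NegotiateFlags bit, per MS-NLMP

def build_authenticate(domain, user, flags=NTLMSSP_NEGOTIATE_UNICODE):
    """Constructed sample: minimal AUTHENTICATE_MESSAGE with empty responses."""
    enc = "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "cp437"
    header, body, offset = b"NTLMSSP\x00" + struct.pack("<I", 3), b"", 64
    # Field order: LM resp, NT resp, domain, user, workstation, session key
    for p in (b"", b"", domain.encode(enc), user.encode(enc), b"", b""):
        header += struct.pack("<HHI", len(p), len(p), offset)
        body += p
        offset += len(p)
    return header + struct.pack("<I", flags) + body

def read_field(msg, pos):
    """Follow a (Len, MaxLen, BufferOffset) descriptor into the payload."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):
        raise ValueError("field descriptor points outside the message")
    return msg[offset:offset + length]

def parse_authenticate(msg):
    """Return (decoded strings, raw bytes) for the domain and user fields."""
    if len(msg) < 64 or msg[:8] != b"NTLMSSP\x00" or msg[8:12] != b"\x03\x00\x00\x00":
        raise ValueError("not an NTLMSSP AUTHENTICATE message")
    flags = struct.unpack_from("<I", msg, 60)[0]
    # Assumption: cp437 stands in for whatever OEM code page the peers use.
    enc = "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "cp437"
    raw = {"domain": read_field(msg, 28), "user": read_field(msg, 36)}
    return {k: v.decode(enc) for k, v in raw.items()}, raw

def as_c_string(raw):
    """What a NUL-terminated read of the same bytes would yield."""
    return raw.split(b"\x00", 1)[0].decode("latin-1")

if __name__ == "__main__":
    msg = build_authenticate("DOMAIN", "Alice")  # constructed values
    decoded, raw = parse_authenticate(msg)
    for name in ("domain", "user"):
        print(name, repr(decoded[name]), "vs C-string read:", repr(as_c_string(raw[name])))
```
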
question asked: 03 May '11, 07:42

question was seen: 3,314 times

last updated: 13 May '11, 09:07
