Access mask constant 0x01000000 (SYSTEM_SECURITY_ACCESS) is in SACL ACE list for auditing or alarming access to SACL itself. --- epan/dissectors/packet-windows-common.c | 7 +++++++ 1 file changed, 7 insertions(+)
diff --git a/epan/dissectors/packet-windows-common.c b/epan/dissectors/packet-windows-common.c index 5709c6e7c31b..056579b027a4 100644 --- a/epan/dissectors/packet-windows-common.c +++ b/epan/dissectors/packet-windows-common.c @@ -2203,6 +2203,7 @@ static int hf_access_generic_read; static int hf_access_generic_write; static int hf_access_generic_execute; static int hf_access_generic_all; +static int hf_access_system_security; static int hf_access_standard_delete; static int hf_access_standard_read_control; static int hf_access_standard_synchronise; @@ -2285,6 +2286,7 @@ dissect_nt_access_mask(tvbuff_t *tvb, int offset, packet_info *pinfo, &hf_access_generic_execute, &hf_access_generic_all, &hf_access_maximum_allowed, + &hf_access_system_security, NULL }; @@ -3361,6 +3363,11 @@ proto_do_register_windows_common(int proto_smb) FT_BOOLEAN, 32, TFS(&tfs_set_notset), MAXIMUM_ALLOWED_ACCESS, NULL, HFILL }}, + { &hf_access_system_security, + { "System security", "nt.access_mask.system_security", + FT_BOOLEAN, 32, TFS(&tfs_set_notset), + SYSTEM_SECURITY_ACCESS, NULL, HFILL }}, + { &hf_access_standard_read_control, { "Read control", "nt.access_mask.read_control", FT_BOOLEAN, 32, TFS(&tfs_set_notset), -- 2.20.1 _______________________________________________ Wireshark-dev mailing list -- wireshark-dev@wireshark.org To unsubscribe send an email to wireshark-dev-le...@wireshark.org