On Fri, Jul 05, 2002 at 11:30:35PM -0400, Devin Heitmueller wrote:
> I now have a newfound appreciation for how much work goes into writing
> dissectors.
> 
> I have made a few changes to further decode the DCERPC bind message to
> show ntlmssp fields.  It has taken me about four hours to add three or
> four fields.  I suspect this is either because I am doing something
> seriously wrong, or I am still in the learning curve.
Isn't open source wonderful?  I was worrying about the new type of
encryption/authentication for DCERPC in Windows 2000 but decided it was
either spnego/kerberos or ntlmssp.  Either way I was interested in
getting NTLMSSP dissections happening in ethereal.  (-:
> Would it be possible for someone to review my attached changes, and
> provide feedback?  In particular, I am interested in knowing if I am
> using the correct primitives to decode the various data types, etc (for
> example, I still can't figure out how to display strings).
Looks good!  I think Ronnie covered some of the points I was going to
make.
> I am very interested in going further, but I would appreciate a sanity
> check on what I have done thus far, so my patches do not get rejected.
The ntlmssp code is not specific to the dcerpc code.  I know of another
couple of places within SMB where it is used.  It would be nice to see
these routines in something like packet-smb-ntlmssp.c or something
similar.
I'm slightly biased, but I think the latest code in Samba CVS is in a
much better state than the Samba TNG code.  You may want to refer to
both codebases for a different point of view.
Tim.
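The thread above is about decoding NTLMSSP fields inside a DCERPC bind and, in particular, how to get at the string fields. The following stand-alone C program is an added example (it is not Devin's patch, nor Ethereal or Samba code) showing how an NTLMSSP NEGOTIATE message is laid out per MS-NLMP: an 8-byte "NTLMSSP\0" signature, a little-endian message type, the negotiate flags, and then "security buffers" (16-bit length, 16-bit max length, 32-bit offset from the start of the message) that locate the domain and workstation strings in the payload. The sample message bytes are constructed for this example; the bounds check in read_secbuf is the part a dissector author most wants, because the offset and length come from the wire and can point outside the captured packet.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* NTLMSSP message types (MS-NLMP) */
#define NTLMSSP_NEGOTIATE 1
#define NTLMSSP_CHALLENGE 2
#define NTLMSSP_AUTH      3

/* Subset of the NTLMSSP negotiate flags used by this example */
#define NTLMSSP_NEGOTIATE_UNICODE                  0x00000001
#define NTLMSSP_NEGOTIATE_OEM                      0x00000002
#define NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED      0x00001000
#define NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED 0x00002000

struct ntlmssp_negotiate {
    uint32_t msg_type;
    uint32_t flags;
    char domain[64];       /* OEM (8-bit) string in NEGOTIATE messages */
    char workstation[64];
};

static uint16_t get_le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t get_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Copy the string referenced by the security buffer at field_off into out.
 * Returns 0 on success, -1 if the buffer points outside the message or is too long. */
static int read_secbuf(const uint8_t *msg, size_t msg_len, size_t field_off, char *out, size_t out_sz)
{
    uint16_t len = get_le16(msg + field_off);      /* Len (MaxLen at +2 is ignored) */
    uint32_t off = get_le32(msg + field_off + 4);  /* BufferOffset from message start */
    if (off > msg_len || len > msg_len - off || len >= out_sz)
        return -1;
    memcpy(out, msg + off, len);
    out[len] = '\0';
    return 0;
}

/* Parse a NEGOTIATE message. Returns 0 on success, -1 on malformed input. */
int ntlmssp_parse_negotiate(const uint8_t *msg, size_t msg_len, struct ntlmssp_negotiate *out)
{
    if (msg_len < 32 || memcmp(msg, "NTLMSSP\0", 8) != 0)
        return -1;
    out->msg_type = get_le32(msg + 8);
    out->flags    = get_le32(msg + 12);
    if (out->msg_type != NTLMSSP_NEGOTIATE)
        return -1;
    out->domain[0] = out->workstation[0] = '\0';
    /* DomainNameFields at offset 16, WorkstationFields at offset 24 */
    if ((out->flags & NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED) &&
        read_secbuf(msg, msg_len, 16, out->domain, sizeof out->domain) != 0)
        return -1;
    if ((out->flags & NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED) &&
        read_secbuf(msg, msg_len, 24, out->workstation, sizeof out->workstation) != 0)
        return -1;
    return 0;
}

/* Constructed sample NEGOTIATE message (not a real capture): flags 0x3207,
 * domain "DOMAIN" at offset 32, workstation "WS1" at offset 38. */
static const uint8_t SAMPLE_NEGOTIATE[] = {
    'N','T','L','M','S','S','P',0,
    0x01,0x00,0x00,0x00,            /* MessageType = NEGOTIATE */
    0x07,0x32,0x00,0x00,            /* NegotiateFlags = 0x00003207 */
    0x06,0x00, 0x06,0x00, 0x20,0x00,0x00,0x00,  /* domain: len 6, maxlen 6, offset 32 */
    0x03,0x00, 0x03,0x00, 0x26,0x00,0x00,0x00,  /* workstation: len 3, maxlen 3, offset 38 */
    'D','O','M','A','I','N',
    'W','S','1'
};

/* Returns 1 when the sample parses and yields the expected fields. */
int ntlmssp_sample_ok(void)
{
    struct ntlmssp_negotiate n;
    if (ntlmssp_parse_negotiate(SAMPLE_NEGOTIATE, sizeof SAMPLE_NEGOTIATE, &n) != 0)
        return 0;
    return n.flags == 0x3207 && strcmp(n.domain, "DOMAIN") == 0 && strcmp(n.workstation, "WS1") == 0;
}

/* Returns 1 when a message whose workstation length overruns the packet is rejected. */
int ntlmssp_bad_length_rejected(void)
{
    uint8_t copy[sizeof SAMPLE_NEGOTIATE];
    struct ntlmssp_negotiate n;
    memcpy(copy, SAMPLE_NEGOTIATE, sizeof copy);
    copy[24] = 0xFF;  /* workstation Len becomes 255, far past the 41-byte message */
    return ntlmssp_parse_negotiate(copy, sizeof copy, &n) == -1;
}

int main(void)
{
    struct ntlmssp_negotiate n;
    if (ntlmssp_parse_negotiate(SAMPLE_NEGOTIATE, sizeof SAMPLE_NEGOTIATE, &n) == 0)
        printf("flags=0x%08x domain=%s workstation=%s\n", n.flags, n.domain, n.workstation);
    printf("overrun rejected: %d\n", ntlmssp_bad_length_rejected());
    return 0;
}
```

In a real dissector the same length/offset pair would be handed to the tree-building calls instead of memcpy, but the check that offset + length stays inside the captured message is the same, and it is what keeps a malformed bind from reading past the packet buffer. Note that in CHALLENGE and AUTHENTICATE messages the strings are UTF-16LE whenever NTLMSSP_NEGOTIATE_UNICODE is set, so the decoding of the bytes the buffer points to differs even though the security-buffer layout does not.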