Ethereal-dev: Re: [Ethereal-dev] NTLMSSP decode in sessionsetup and X etc ...

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Devin Heitmueller <dheitmueller@xxxxxxxxxxx>
Date: 26 Aug 2002 10:24:00 -0400
Sorry about that.  I've been crazy busy the last two weekends, and have
not had a chance to get back to the dissector.  

Guy sent me two traces on Aug 10th (both broken in my dissector), and
based on them it seems clear that we do indeed need to reference the
flags field from the previous frame.  I have not had the opportunity to
make the necessary changes to the dissector to address the problems Guy
mentioned.  

If Richard's patch does make NTLMSSP stateful, this will help
significantly, since I had not yet gone through the ethereal docs to
learn how to maintain state by tcp session.

-Devin

On Mon, 2002-08-26 at 04:57, Guy Harris wrote:
> On Mon, Aug 26, 2002 at 03:42:00PM +0930, Richard Sharpe wrote:
> > I am pretty close to having NTLMSSP and SPNEGO fixed to dissect things
> > properly.
> 
> Presumably this includes making the handling of GSS-API stuff using
> SPNEGO stateful, so that the security blob on packets *after* the first
> Session Setup andX doesn't get dissected as a GSS-API token, but gets
> dissected as, I suspect, an RFC 2478 NegotiationToken?
> 
> Note that if this is the generic GSS-API token dissector stuff, that is
> also used by the ONC RPC dissector, as well as both the SMB and the DCE
> RPC dissector, and I have some changes to the LDAP dissector that I'll
> be checking in to make it use that dissector as well; if you're making
> the handling stateful, that mechanism should also be made usable by
> non-SMB and non-DCE RPC dissectors.
> 
> Presumably this also includes making NTLMSSP handling stateful, as I
> think Devin Heitmueller said that the dissection of the NTLMSSP blob in
> NTLMSSP_AUTH may depend on the flags from earlier NTLMSSP_NEGOTIATE or
> NTLMSSP_CHALLENGE packets.  The NTLMSSP blob dissector is also used
> outside the DCE RPC code, in the HTTP dissector.

-- 
Devin Heitmueller
Senior Software Engineer
Netilla Networks Inc
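
The stateful handling discussed in this thread, as an added sketch that is not Ethereal's code and not part of any message above: flags seen in NTLMSSP_NEGOTIATE or NTLMSSP_CHALLENGE are stored per conversation and consulted when an NTLMSSP_AUTH blob arrives. The integer conversation id, the fixed-size table and the sample blobs are assumptions made for illustration, as is the choice of the Unicode flag as the bit that changes how the AUTH strings are decoded.

```c
#include <stdint.h>
#include <string.h>

#define NTLMSSP_NEGOTIATE_UNICODE 0x00000001u
#define MAX_CONV 16

/* Per-conversation state: flags remembered from the last NEGOTIATE/CHALLENGE. */
struct conv_state { int id; int have_flags; uint32_t flags; };
static struct conv_state table[MAX_CONV];
static int n_conv;

/* Constructed sample blobs (not from a capture); AUTH_MSG is cut to its header. */
static const uint8_t CHAL_UNI[24] = {'N','T','L','M','S','S','P',0, 2,0,0,0, 0,0,0,0,0,0,0,0, 1,0,0,0};
static const uint8_t CHAL_OEM[24] = {'N','T','L','M','S','S','P',0, 2,0,0,0, 0,0,0,0,0,0,0,0, 2,0,0,0};
static const uint8_t AUTH_MSG[12] = {'N','T','L','M','S','S','P',0, 3,0,0,0};

static uint32_t le32(const uint8_t *p) {
    return p[0] | (p[1] << 8) | (p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Hypothetical stand-in for a dissector's conversation lookup (e.g. by TCP session). */
static struct conv_state *conv_get(int id) {
    for (int i = 0; i < n_conv; i++)
        if (table[i].id == id) return &table[i];
    if (n_conv == MAX_CONV) return NULL;
    table[n_conv] = (struct conv_state){ id, 0, 0 };
    return &table[n_conv++];
}

/* For AUTH: 1 = decode strings as Unicode, 0 = OEM, -1 = no earlier flags seen.
 * For NEGOTIATE/CHALLENGE: stores the flags and returns -1. Malformed input: -2. */
int ntlmssp_track(int conv_id, const uint8_t *blob, size_t len) {
    if (len < 12 || memcmp(blob, "NTLMSSP\0", 8) != 0) return -2;
    struct conv_state *c = conv_get(conv_id);
    if (!c) return -2;
    size_t flags_off;
    switch (le32(blob + 8)) {
    case 1: flags_off = 12; break;   /* NEGOTIATE: flags follow the message type */
    case 2: flags_off = 20; break;   /* CHALLENGE: flags follow the target-name buffer */
    case 3:                          /* AUTH: use what the earlier frame told us */
        if (!c->have_flags) return -1;
        return (c->flags & NTLMSSP_NEGOTIATE_UNICODE) ? 1 : 0;
    default: return -2;
    }
    if (len < flags_off + 4) return -2;   /* truncated before the flags field */
    c->flags = le32(blob + flags_off);
    c->have_flags = 1;
    return -1;
}

int main(void) { ntlmssp_track(1, CHAL_UNI, sizeof CHAL_UNI); return ntlmssp_track(1, AUTH_MSG, sizeof AUTH_MSG) != 1; }
```

Keeping the state outside the SMB-specific code is what lets other callers of the NTLMSSP blob dissector, such as the HTTP dissector mentioned above, share it.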