Wireshark · Ethereal-users: [Ethereal-users] SMB NTLMSSP Flags

Ethereal-users: [Ethereal-users] SMB NTLMSSP Flags - help required

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

Date: Fri, 14 Oct 2005 13:35:16 +0100

Can someone assist me in a packet analysis of an smb capture. The
issue relates to a dfs flag  been set to zero, when the share being
accessed is a dce_dfs share in a server cluster. I am accessing the
share using ntlmssp and understand very little about the extended
security involved. Therefore I am getting alot of SMB authorisation
failures. Is it possible for me to somehow set the dfs flag in the
setup session and request capabilities to allow for dfs. Or am I
completely on the wrong track.
the following is a extract from the packet showing the capabilities:
Session Setup AndX Request (0x73)
        Word Count (WCT): 12
        AndXCommand: No further commands (0xff)
        Reserved: 00
        AndXOffset: 208
        Max Buffer: 16644
        Max Mpx Count: 50
        VC Number: 1
        Session Key: 0x00000000
        Security Blob Length: 47
        Reserved: 00000000
        Capabilities: 0xa00000d4
            .... .... .... .... .... .... .... ...0 = Raw Mode: Read
Raw and Write Raw are not supported
            .... .... .... .... .... .... .... ..0. = MPX Mode: Read
Mpx and Write Mpx are not supported
            .... .... .... .... .... .... .... .1.. = Unicode: Unicode
strings are supported
            .... .... .... .... .... .... .... 0... = Large Files:
Large files are not supported
            .... .... .... .... .... .... ...1 .... = NT SMBs: NT SMBs
are supported
            .... .... .... .... .... .... ..0. .... = RPC Remote APIs:
RPC remote APIs are not supported
            .... .... .... .... .... .... .1.. .... = NT Status Codes:
NT status codes are supported
            .... .... .... .... .... .... 1... .... = Level 2 Oplocks:
Level 2 oplocks are supported
            .... .... .... .... .... ...0 .... .... = Lock and Read:
Lock and Read is not supported
            .... .... .... .... .... ..0. .... .... = NT Find: NT Find
is not supported
            .... .... .... .... ...0 .... .... .... = Dfs: Dfs is not supported
            .... .... .... .... ..0. .... .... .... = Infolevel
Passthru: NT information level request passthrough is not supported
            .... .... .... .... .0.. .... .... .... = Large ReadX:
Large Read andX is not supported
            .... .... .... .... 0... .... .... .... = Large WriteX:
Large Write andX is not supported
            .... .... 0... .... .... .... .... .... = UNIX: UNIX
extensions are not supported
            .... ..0. .... .... .... .... .... .... = Reserved: Reserved
            ..1. .... .... .... .... .... .... .... = Bulk Transfer:
Bulk Read and Bulk Write are supported
            .0.. .... .... .... .... .... .... .... = Compressed Data:
Compressed data transfer is not supported
            1... .... .... .... .... .... .... .... = Extended
Security: Extended security exchanges are supported
        Byte Count (BCC): 149

Can someone help with this very confusing issue?

Prev by Date: [Ethereal-users] Ethereal + TCAP Messages
Next by Date: [Ethereal-users] Question
Previous by thread: Re: [Ethereal-users] Ethereal + TCAP Messages
Next by thread: [Ethereal-users] Question
Index(es):
- Date
- Thread

Riverbed Cascade Pilot: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed Cascade Pilot Personal Edition: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed AirPcap: Complete Visibility of Your Wireless Networks; Multi-Channel, Aggregated Analysis; Portable and Versatile; Easy to Setup and Easy to Use; Ready to Power Your Application

$Riverbed TurboCap: Full-Speed GbE Capture; Port Aggregation; Pass-thru Mode; Aggregating Tap; Full-Speed GbE Injection; Exported Interfaces; TurboCap API Developer\'s Pack$