Wireshark-bugs: [Wireshark-bugs] [Bug 5251] NTLMSSP_AUTH domain and username truncated to first
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5251
Bill Meier <wmeier@xxxxxxxxxxx> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |ASSIGNED
--- Comment #1 from Bill Meier <wmeier@xxxxxxxxxxx> 2010-09-24 17:25:27 EDT ---
The NTLMSSP dissector uses the "negotiate_unicode" bit in the "negotiate flags"
field to determine whether fields such as the user_name, etc are unicode.
It appears that the "Negotiate Flags" field is not always being found/dissected
in NTLM AUTHENTICATE (NTLMSSP_AUTH) messages.
This is normally not a problem since the NTLMSSP dissector uses the flags
previously seen (in NEGOTIATE/CHALLENGE messages) to determine if certain
fields are unicode.
However, in the attached capture the HTTP CONNECTS actually do the NTLM
NEGOTIATE/CHALLENGE exchange on one TCP connection and then open a new TCP
connection to do the AUTHENTICATE.
Since the "negotiate flags" aren't found/dissected in the AUTHENTICATE message
(and since there's no previous history for the new connection) the user_name,
etc fields aren't dissected as unicode.
I'm looking at the dissector code to see how this might be fixed.
--
Configure bugmail: https://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.