Wireshark mailing list archives
Need help in understanding the "Signature Generation" for SMB packets
From: "Narendra Kumar S.S" <ssnkumar () gmail com>
Date: Tue, 5 Oct 2010 14:13:22 +0530
Hi,

I have a pcap file with SMB traffic and I am trying to understand how the signature is generated. Using the Wireshark GUI, I have opened the pcap file and have put a filter, so that I can see the relevant TCP stream only.

In this stream, the initial authentication is done using NTLMSSP. But, after nearly 100 SMB packets, suddenly I see a SetupAndX Request/Response, with krb5 AP_REQ and AP_REP. I have used the keytab file to decrypt the AP_REP and get the session key. Now, the sequence number starts with 0 and I have used that counter to calculate the signature. But the signature that I am getting doesn't match the original signature. I also tried to count the sequence number starting from the NTLM Request/Response, and with that also the signature doesn't match.

So, can somebody tell me if this kind of mixup of NTLM and Kerberos packets in a single TCP stream is common? And how to get the right signature in this case?

Warm Regards,
Narendra

Visit my blogs at: http://ssnarendrakumar.blogspot.com/
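The check described in the post above, written out as an added example that is not part of the original message: it recomputes an SMB1 signature and searches candidate session keys and sequence numbers for the pair that reproduces the on-wire value. It assumes the SMB1 signing scheme documented in MS-CIFS (MD5 over the key followed by the message with the sequence number written into the signature field); how each key is derived from the NTLMSSP or Kerberos exchange is outside the example, and the keys, message and function names are constructed for illustration.

```python
import hashlib
import struct

SIG_OFFSET, SIG_LEN = 14, 8  # SecurityFeatures field inside the 32-byte SMB1 header


def smb1_signature(mac_key: bytes, smb_msg: bytes, seq: int) -> bytes:
    """First 8 bytes of MD5(mac_key || message stamped with the sequence number).

    smb_msg starts at the 0xFF 'SMB' marker, without the 4-byte NetBIOS length.
    """
    if len(smb_msg) < 32 or smb_msg[:4] != b"\xffSMB":
        raise ValueError("not an SMB1 message")
    seq_field = struct.pack("<II", seq, 0)  # 32-bit LE sequence number, then 4 zero bytes
    stamped = smb_msg[:SIG_OFFSET] + seq_field + smb_msg[SIG_OFFSET + SIG_LEN:]
    return hashlib.md5(mac_key + stamped).digest()[:SIG_LEN]


def find_key_and_sequence(candidate_keys: dict, smb_msg: bytes, max_seq: int = 4096):
    """Return (key_name, seq) that reproduces the on-wire signature, else None."""
    wire_sig = smb_msg[SIG_OFFSET:SIG_OFFSET + SIG_LEN]
    for name, key in candidate_keys.items():
        for seq in range(max_seq):
            if smb1_signature(key, smb_msg, seq) == wire_sig:
                return name, seq
    return None


def constructed_message(mac_key: bytes, seq: int) -> bytes:
    """Build a constructed (not captured) signed SMB1 message for the demo."""
    header = (b"\xffSMB" + b"\x2e" + bytes(4) + b"\x18" + b"\x07\xc8" + bytes(2)
              + bytes(SIG_LEN) + bytes(2) + struct.pack("<HHHH", 1, 2, 3, 4))
    unsigned = header + b"\x00\x00\x00"  # empty parameter and data blocks
    sig = smb1_signature(mac_key, unsigned, seq)
    return unsigned[:SIG_OFFSET] + sig + unsigned[SIG_OFFSET + SIG_LEN:]


# Constructed 16-byte keys standing in for the two session keys in the capture.
CANDIDATES = {"ntlmssp": bytes(range(16)), "krb5": bytes(range(16, 32))}

if __name__ == "__main__":
    sample = constructed_message(CANDIDATES["ntlmssp"], 203)
    print(find_key_and_sequence(CANDIDATES, sample))
```

Run against a real capture, `smb_msg` is the SMB payload of one signed packet exported from the stream, and a `None` result across both keys points at the key material rather than the counter.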