Wireshark mailing list archives
NEGOEX Dissection ...
From: Richard Sharpe <realrichardsharpe () gmail com>
Date: Wed, 27 Jun 2012 21:20:46 -0700
Hi folks,

During the SMB/CIFS presentation, an unknown OID was seen in the SPNEGO stuff. It turns out to be NEGOEX, and the question as to why the server went straight to NTLMSSP is answered. The server seems to have been some version of Samba and it does not understand NEGOEX.

More info here: http://msdn.microsoft.com/en-us/library/cc247030%28v=PROT.13%29.aspx

Here are the beginnings of a dissector, but it is very wrong. It probably needs a separate packet-negoex.c:

Index: epan/dissectors/packet-ntlmssp.c =================================================================== --- epan/dissectors/packet-ntlmssp.c (revision 43186) +++ epan/dissectors/packet-ntlmssp.c (working copy) @@ -3012,6 +3012,9 @@ gssapi_init_oid("1.3.6.1.4.1.311.2.2.10", proto_ntlmssp, ett_ntlmssp, ntlmssp_handle, ntlmssp_wrap_handle, "NTLMSSP - Microsoft NTLM Security Support Provider"); + gssapi_init_oid("1.3.6.1.4.1.311.2.2.30", proto_ntlmssp, ett_ntlmssp, + ntlmssp_handle, ntlmssp_wrap_handle, + "NEGOEX - Extended GSS-API Negotiation Mechanism"); /* Register authenticated pipe dissector */

--
Regards,
Richard Sharpe
(How can one dispel sorrow? Only with Du Kang. --Cao Cao)
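Review bot: The added gssapi_init_oid() call for "1.3.6.1.4.1.311.2.2.30" passes the same proto_ntlmssp, ett_ntlmssp, ntlmssp_handle and ntlmssp_wrap_handle as the NTLMSSP registration directly above it, so any token carried under the NEGOEX OID will be handed to the NTLMSSP dissector and shown under the NTLMSSP protocol and subtree. Someone reading a capture would then see NTLMSSP fields for a mechanism that is not NTLMSSP, which is misleading when working out which authentication mechanism was actually offered or selected. I would register this OID with its own protocol id, subtree index and handles in a separate packet-negoex.c, as the message itself suggests, rather than in packet-ntlmssp.c. If the OID is registered here only to get a readable name in the SPNEGO mechanism list, a short comment above the call saying so would help the next reader.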