Wireshark mailing list archives
Re: Decoding custom application traffic as NTLMSSP
From: Bill Meier <wmeier () newsguy com>
Date: Sat, 03 Nov 2012 14:44:36 -0400
On 11/3/2012 8:28 AM, mikethomson () tormail org wrote:
> Hi all, I captured the traffic of a custom Windows application that is communicating via WCF TCP (not HTTP). The application uses Windows NTLMSSP authentication. This can quite easily be spotted by the packets starting with the "NTLMSSP" string. For now I "decoded" the NTLMSSP handshake manually to extract challenge and response because I was not able to tell Wireshark that it should decode that payload as ntlmssp, but that is not very convenient in the long run. Is it possible to tell Wireshark to decode certain traffic as ntlmssp? My first try was to choose "Decode as..." but there is no ntlmssp option to choose.
"decode as" really only allows selection of one of a list of protocols already known to run "over" a specified protocol (e.g., over tcp).
Although I don't know how WCF TCP and NTLMSSP fit together I do note that Wireshark does not have a dissector for WCF TCP.
So: the short answer: AFAICT not in your case.

Suggestion: Since WCF & NTLMSSP are Microsoft protocols I expect that the Microsoft Netmon ("Network Monitor") program may be able to dissect this traffic.

---------

I'm curious to see how WCF TCP and NTLMSSP fit together. Are you able to provide a capture file for public availability?

If so, it would be appreciated if you could file an enhancement request (for a WCF dissector) at bugs.wireshark.org attaching the capture file.
Someone may eventually become interested in implementing such a dissector.

Thanks
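
The manual decoding described in the quoted question can be scripted. The following is an added example, not part of the thread and not Wireshark code: it searches a raw TCP payload for the "NTLMSSP" signature and reads the CHALLENGE and AUTHENTICATE fields at their offsets in the NTLMSSP message layout. The function names, the sample bytes and the framing bytes around the messages are constructed for illustration and are not real WCF framing.

```python
import struct

SIG = b"NTLMSSP\x00"
UNICODE = 0x00000001  # NTLMSSP_NEGOTIATE_UNICODE

def sec_buf(msg, off):
    """Resolve a security buffer (u16 len, u16 maxlen, u32 offset) to its bytes."""
    length, _, start = struct.unpack_from("<HHI", msg, off)
    if start + length > len(msg):
        raise ValueError("security buffer points past end of payload")
    return msg[start:start + length]

def parse_ntlmssp(payload):
    """Return one dict per NTLMSSP message found anywhere in a raw TCP payload."""
    out, pos = [], payload.find(SIG)
    while pos != -1:
        msg = payload[pos:]  # buffer offsets are relative to the signature
        try:
            mtype = struct.unpack_from("<I", msg, 8)[0]
            rec = {"offset": pos, "type": mtype}
            if mtype == 2 and len(msg) >= 32:  # CHALLENGE
                rec["flags"] = struct.unpack_from("<I", msg, 20)[0]
                rec["server_challenge"] = msg[24:32].hex()
            elif mtype == 3:  # AUTHENTICATE: buffers at 12..52, flags at 60
                flags = struct.unpack_from("<I", msg, 60)[0]
                # Assumption: non-Unicode (OEM) strings are decoded as latin-1
                enc = "utf-16-le" if flags & UNICODE else "latin-1"
                rec["nt_response"] = sec_buf(msg, 20).hex()
                rec["domain"] = sec_buf(msg, 28).decode(enc)
                rec["user"] = sec_buf(msg, 36).decode(enc)
                rec["workstation"] = sec_buf(msg, 44).decode(enc)
            elif mtype != 1:  # 1 = NEGOTIATE, nothing more to extract
                raise ValueError("unknown type or truncated message")
            out.append(rec)
        except (struct.error, ValueError):
            pass  # truncated data or a false-positive signature match: skip
        pos = payload.find(SIG, pos + len(SIG))
    return out

def build_sample():
    """Constructed payload: made-up framing bytes around a Type 2 and a Type 3."""
    t2 = SIG + struct.pack("<IHHII", 2, 0, 0, 48, UNICODE) + bytes.fromhex("0123456789abcdef") + bytes(16)
    fields = [b"", bytes(range(24))] + [s.encode("utf-16-le") for s in ("LAB", "alice", "WS01")] + [b""]
    hdr, body = SIG + struct.pack("<I", 3), b""
    for f in fields:  # LM, NT, domain, user, workstation, session key
        hdr += struct.pack("<HHI", len(f), len(f), 64 + len(body))
        body += f
    return b"\x06\x00\x01\x00\x2a" + t2 + b"\x09\x15" + hdr + struct.pack("<I", UNICODE) + body

if __name__ == "__main__":
    print(*parse_ntlmssp(build_sample()), sep="\n")
```

To use it on a capture, pass it the reassembled TCP payload bytes of each direction of the stream.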