Wireshark · Ethereal-dev: Re: [Ethereal-dev] ntlmssp decoding

Ethereal-dev: Re: [Ethereal-dev] ntlmssp decoding

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Ronnie Sahlberg" <sahlberg@xxxxxxxxxxxxxxxx>

Date: Sun, 7 Jul 2002 10:16:02 +1000

Hi
looks very good.

One thing.
Where you use :   if (ntlmssp_tree) {   in
dissect_dcerpc_ntlmssp_negotiate_flags()
currently this if statement encapsulates everything, including the
proto_tree_add_boolean() calls.
Change this so the if statement only encaspulates the tf= and
negotiate_flags_tree=  statements
and leave the proto_tree_add_boolean()s outside the if statement.

If you dont do this, display filters searching for specific flag values will
not work.

(The if statement is only a microoptimization to get rid of one
proto_tree_add_xxx() and one
proto_item_add_subtree() for the cases when we dont need a tree since we
only decode the packet
in order to match it with a display filter)

For the same reason, getting displayfilters to work, you should get rid of
the other if(ntlmssp_tree) ifstatements
and get it to do the proto_tree_add_item() for workstation/domain
unconditionally.





----- Original Message -----
From: "Devin Heitmueller"
Sent: Sunday, July 07, 2002 9:27 AM
Subject: Re: [Ethereal-dev] ntlmssp decoding


> Ok, here is where I am now.
>
> Made all the changes that were recommended, I think.  I have not yet
> broken it into a separate dissector.  That is next on my list.  In the
> meantime, please review the revised patch.
>
> * Changed all comments to /* */ notation
> * Reversed order of boolean dissection
> * Broke flags field dissection into it's own function
> * NTLMSSP code now only runs if auth_type is 10, and the DCE/RPC request
> type is BIND or BIND act.  This is because the auth_type is set for all
> subsequent packets in the stream regardless of the presence of the
> NTLMSSP payload.  If anyone know of something better to key off of, let
> me know.
> * Added checks for proto_tree before calling proto_tree_add_xxx
> * Properly decode strings
> * Additional dissection of workstation name, domain name
> * Separated NTLMSSP into it's own subtree
> * Lots of cleanup
>
> Still a work in progress, but getting closer....
>
> Thanks to everyone who has offered feedback,
>
> Devin
>
> --
> Devin Heitmueller
> Senior Software Engineer
> Netilla Networks Inc
>

References:
- [Ethereal-dev] ntlmssp decoding
  - From: Devin Heitmueller
- Re: [Ethereal-dev] ntlmssp decoding
  - From: Ronnie Sahlberg
- Re: [Ethereal-dev] ntlmssp decoding
  - From: Todd Sabin
- Re: [Ethereal-dev] ntlmssp decoding
  - From: dheitmueller
- Re: [Ethereal-dev] ntlmssp decoding
  - From: Ronnie Sahlberg
- Re: [Ethereal-dev] ntlmssp decoding
  - From: Devin Heitmueller

Prev by Date: Re: [Ethereal-dev] ntlmssp decoding
Next by Date: [Ethereal-dev] Disabling NTLMSSP negotiation in Windows
Previous by thread: Re: [Ethereal-dev] ntlmssp decoding
Next by thread: Re: [Ethereal-dev] ntlmssp decoding
Index(es):
- Date
- Thread

Riverbed Cascade Pilot: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed Cascade Pilot Personal Edition: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed AirPcap: Complete Visibility of Your Wireless Networks; Multi-Channel, Aggregated Analysis; Portable and Versatile; Easy to Setup and Easy to Use; Ready to Power Your Application

$Riverbed TurboCap: Full-Speed GbE Capture; Port Aggregation; Pass-thru Mode; Aggregating Tap; Full-Speed GbE Injection; Exported Interfaces; TurboCap API Developer\'s Pack$