Ethereal-dev: [Ethereal-dev] ntlmssp decoding
Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.
From: Devin Heitmueller <dheitmueller@xxxxxxxxxxx>
Date: 07 Jul 2002 18:20:48 -0400
I have split the NTLMSSP code into its own dissector. Also merged the revised negotiation flags field from the Samba source tree, and added the bits that are unknown. As a result, a couple of questions: 1. Before splitting the code into it's own dissector, I relied on the DCE/RPC "data representation" field to determine the Endianness of various fields. Now that I have created an independent dissector, is there any way to pass arguments into the dissector from further up the stack? For example, it might be helpful to pass certain fields from the DCE dissection into the NTLMSSP dissector. 2. Should I make my own versions of dissect_dcerpc_uintXXX? I have attached a patch file containing my changes to packet-dcerpc.c, as well as the new packet-ntlmssp.c. Comments/suggestions appreciated. Thanks, -- Devin Heitmueller Senior Software Engineer Netilla Networks Inc
Index: Makefile.am
===================================================================
RCS file: /cvsroot/ethereal/Makefile.am,v
retrieving revision 1.441
diff -u --unified -r1.441 Makefile.am
--- Makefile.am 2002/06/13 07:18:47 1.441
+++ Makefile.am 2002/07/07 22:11:27
@@ -226,6 +226,7 @@
packet-nisplus.c \
packet-nlm.c \
packet-nntp.c \
+ packet-ntlmssp.c \
packet-ntp.c \
packet-null.c \
packet-osi.c \
Index: Makefile.nmake
===================================================================
RCS file: /cvsroot/ethereal/Makefile.nmake,v
retrieving revision 1.194
diff -u --unified -r1.194 Makefile.nmake
--- Makefile.nmake 2002/06/13 07:18:47 1.194
+++ Makefile.nmake 2002/07/07 22:11:27
@@ -167,6 +167,7 @@
packet-nisplus.c \
packet-nlm.c \
packet-nntp.c \
+ packet-ntlmssp.c \
packet-ntp.c \
packet-null.c \
packet-osi.c \
Index: packet-dcerpc.c
===================================================================
RCS file: /cvsroot/ethereal/packet-dcerpc.c,v
retrieving revision 1.64
diff -u --unified -r1.64 packet-dcerpc.c
--- packet-dcerpc.c 2002/06/24 09:23:39 1.64
+++ packet-dcerpc.c 2002/07/07 22:11:28
@@ -391,6 +391,8 @@
static gint ett_dcerpc_fragments = -1;
static gint ett_dcerpc_fragment = -1;
+static dissector_handle_t ntlmssp_handle=NULL;
+
fragment_items dcerpc_frag_items = {
&ett_dcerpc_fragments,
&ett_dcerpc_fragment,
@@ -1304,6 +1306,7 @@
int offset;
guint8 auth_pad_len;
guint8 auth_level;
+ guint8 auth_type;
/*
* Initially set "*auth_level_p" to -1 to indicate that we haven't
@@ -1327,7 +1330,7 @@
offset = hdr->frag_len - (hdr->auth_len + 8);
offset = dissect_dcerpc_uint8 (tvb, offset, pinfo, dcerpc_tree, hdr->drep,
- hf_dcerpc_auth_type, NULL);
+ hf_dcerpc_auth_type, &auth_type);
offset = dissect_dcerpc_uint8 (tvb, offset, pinfo, dcerpc_tree, hdr->drep,
hf_dcerpc_auth_level, &auth_level);
if (auth_level_p != NULL)
@@ -1339,7 +1342,16 @@
offset = dissect_dcerpc_uint32 (tvb, offset, pinfo, dcerpc_tree, hdr->drep,
hf_dcerpc_auth_ctx_id, NULL);
- proto_tree_add_text (dcerpc_tree, tvb, offset, hdr->auth_len, "Auth Data");
+ /* Dissect NTLMSSP Parameters if the auth_type is 10 and this is a
+ BIND request or BIND response)
+ */
+ if ((auth_type == 10) &&
+ ((hdr->ptype == PDU_BIND) || (hdr->ptype == PDU_BIND_ACK))) {
+ tvbuff_t *ntlmssp_tvb;
+ ntlmssp_tvb=tvb_new_subset(tvb, offset, hdr->auth_len,
+ hdr->auth_len);
+ call_dissector(ntlmssp_handle, ntlmssp_tvb, pinfo, dcerpc_tree);
+ }
/* figure out where the auth padding starts */
offset = hdr->frag_len - (hdr->auth_len + 8 + auth_pad_len);
@@ -3466,4 +3478,5 @@
heur_dissector_add ("netbios", dissect_dcerpc_cn_pk, proto_dcerpc);
heur_dissector_add ("udp", dissect_dcerpc_dg, proto_dcerpc);
heur_dissector_add ("smb_transact", dissect_dcerpc_cn_bs, proto_dcerpc);
+ ntlmssp_handle = find_dissector("ntlmssp");
}
/* packet-data.c
* Routines for NTLM Secure Service Provider
* Devin Heitmueller <dheitmueller@xxxxxxxxxxx>
*
* $Id: packet-data.c,v 1.29 2002/05/10 23:20:38 guy Exp $
*
* Ethereal - Network traffic analyzer
* By Gerald Combs <gerald@xxxxxxxxxxxx>
* Copyright 1998 Gerald Combs
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
* as published by the Free Software Foundation; either version 2
* of the License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
*/
#ifdef HAVE_CONFIG_H
# include "config.h"
#endif
#ifdef HAVE_SYS_TYPES_H
# include <sys/types.h>
#endif
#include <glib.h>
#include <epan/packet.h>
#include "packet-data.h"
static const value_string ntlmssp_message_types[] = {
{ 1, "NTLMSSP_NEGOTIATE" },
{ 2, "NTLMSSP_CHALLENGE" },
{ 3, "NTLMSSP_AUTH" },
{ 4, "NTLMSSP_UNKNOWN" }
};
typedef struct e_ntlmssp_hdr_t {
guint8 drep[4];
guint32 ntlmssp_message_type;
} e_ntlmssp_hdr_t;
static const true_false_string flags_set_truth = {
"Set",
"Not set"
};
/*
* NTLMSSP negotiation flags
* Taken from Samba
*/
#define NTLMSSP_NEGOTIATE_UNICODE 0x00000001
#define NTLMSSP_NEGOTIATE_OEM 0x00000002
#define NTLMSSP_REQUEST_TARGET 0x00000004
#define NTLMSSP_NEGOTIATE_00000008 0x00000008
#define NTLMSSP_NEGOTIATE_SIGN 0x00000010
#define NTLMSSP_NEGOTIATE_SEAL 0x00000020
#define NTLMSSP_NEGOTIATE_DATAGRAM_STYLE 0x00000040
#define NTLMSSP_NEGOTIATE_LM_KEY 0x00000080
#define NTLMSSP_NEGOTIATE_NETWARE 0x00000100
#define NTLMSSP_NEGOTIATE_NTLM 0x00000200
#define NTLMSSP_NEGOTIATE_00000400 0x00000400
#define NTLMSSP_NEGOTIATE_00000800 0x00000800
#define NTLMSSP_NEGOTIATE_DOMAIN_SUPPLIED 0x00001000
#define NTLMSSP_NEGOTIATE_WORKSTATION_SUPPLIED 0x00002000
#define NTLMSSP_NEGOTIATE_THIS_IS_LOCAL_CALL 0x00004000
#define NTLMSSP_NEGOTIATE_ALWAYS_SIGN 0x00008000
#define NTLMSSP_CHAL_INIT_RESPONSE 0x00010000
#define NTLMSSP_CHAL_ACCEPT_RESPONSE 0x00020000
#define NTLMSSP_CHAL_NON_NT_SESSION_KEY 0x00040000
#define NTLMSSP_NEGOTIATE_NTLM2 0x00080000
#define NTLMSSP_NEGOTIATE_00100000 0x00100000
#define NTLMSSP_NEGOTIATE_00200000 0x00200000
#define NTLMSSP_NEGOTIATE_00400000 0x00400000
#define NTLMSSP_CHAL_TARGET_INFO 0x00800000
#define NTLMSSP_NEGOTIATE_01000000 0x01000000
#define NTLMSSP_NEGOTIATE_02000000 0x02000000
#define NTLMSSP_NEGOTIATE_04000000 0x04000000
#define NTLMSSP_NEGOTIATE_08000000 0x08000000
#define NTLMSSP_NEGOTIATE_10000000 0x10000000
#define NTLMSSP_NEGOTIATE_128 0x20000000
#define NTLMSSP_NEGOTIATE_KEY_EXCH 0x40000000
#define NTLMSSP_NEGOTIATE_80000000 0x80000000
static int proto_ntlmssp = -1;
static int hf_ntlmssp = -1;
static int hf_ntlmssp_auth = -1;
static int hf_ntlmssp_message_type = -1;
static int hf_ntlmssp_negotiate_flags = -1;
static int hf_ntlmssp_negotiate_flags_01 = -1;
static int hf_ntlmssp_negotiate_flags_02 = -1;
static int hf_ntlmssp_negotiate_flags_04 = -1;
static int hf_ntlmssp_negotiate_flags_08 = -1;
static int hf_ntlmssp_negotiate_flags_10 = -1;
static int hf_ntlmssp_negotiate_flags_20 = -1;
static int hf_ntlmssp_negotiate_flags_40 = -1;
static int hf_ntlmssp_negotiate_flags_80 = -1;
static int hf_ntlmssp_negotiate_flags_100 = -1;
static int hf_ntlmssp_negotiate_flags_200 = -1;
static int hf_ntlmssp_negotiate_flags_400 = -1;
static int hf_ntlmssp_negotiate_flags_800 = -1;
static int hf_ntlmssp_negotiate_flags_1000 = -1;
static int hf_ntlmssp_negotiate_flags_2000 = -1;
static int hf_ntlmssp_negotiate_flags_4000 = -1;
static int hf_ntlmssp_negotiate_flags_8000 = -1;
static int hf_ntlmssp_negotiate_flags_10000 = -1;
static int hf_ntlmssp_negotiate_flags_20000 = -1;
static int hf_ntlmssp_negotiate_flags_40000 = -1;
static int hf_ntlmssp_negotiate_flags_80000 = -1;
static int hf_ntlmssp_negotiate_flags_100000 = -1;
static int hf_ntlmssp_negotiate_flags_200000 = -1;
static int hf_ntlmssp_negotiate_flags_400000 = -1;
static int hf_ntlmssp_negotiate_flags_800000 = -1;
static int hf_ntlmssp_negotiate_flags_1000000 = -1;
static int hf_ntlmssp_negotiate_flags_2000000 = -1;
static int hf_ntlmssp_negotiate_flags_4000000 = -1;
static int hf_ntlmssp_negotiate_flags_8000000 = -1;
static int hf_ntlmssp_negotiate_flags_10000000 = -1;
static int hf_ntlmssp_negotiate_flags_20000000 = -1;
static int hf_ntlmssp_negotiate_flags_40000000 = -1;
static int hf_ntlmssp_negotiate_flags_80000000 = -1;
static int hf_ntlmssp_negotiate_workstation_strlen = -1;
static int hf_ntlmssp_negotiate_workstation_maxlen = -1;
static int hf_ntlmssp_negotiate_workstation_buffer = -1;
static int hf_ntlmssp_negotiate_workstation = -1;
static int hf_ntlmssp_negotiate_domain_strlen = -1;
static int hf_ntlmssp_negotiate_domain_maxlen = -1;
static int hf_ntlmssp_negotiate_domain_buffer = -1;
static int hf_ntlmssp_negotiate_domain = -1;
static int hf_ntlmssp_ntlm_challenge = -1;
static int hf_ntlmssp_reserved = -1;
static int hf_ntlmssp_challenge_unknown1 = -1;
static int hf_ntlmssp_challenge_unknown2 = -1;
static gint ett_ntlmssp = -1;
static gint ett_ntlmssp_negotiate_flags = -1;
static int
dissect_ntlmssp_negotiate_flags (tvbuff_t *tvb, int offset,
packet_info *pinfo,
proto_tree *ntlmssp_tree,
guint32 negotiate_flags)
{
proto_tree *negotiate_flags_tree = NULL;
proto_item *tf = NULL;
if (ntlmssp_tree) {
tf = proto_tree_add_uint (ntlmssp_tree,
hf_ntlmssp_negotiate_flags,
tvb, offset, 4, negotiate_flags);
negotiate_flags_tree = proto_item_add_subtree (tf, ett_ntlmssp_negotiate_flags);
}
proto_tree_add_boolean (negotiate_flags_tree,
hf_ntlmssp_negotiate_flags_80000000,
tvb, offset, 4, negotiate_flags);
proto_tree_add_boolean (negotiate_flags_tree,
hf_ntlmssp_negotiate_flags_40000000,
tvb, offset, 4, negotiate_flags);
proto_tree_add_boolean (negotiate_flags_tree,
hf_ntlmssp_negotiate_flags_20000000,
tvb, offset, 4, negotiate_flags);
proto_tree_add_boolean (negotiate_flags_tree,
hf_ntlmssp_negotiate_flags_10000000,
tvb, offset, 4, negotiate_flags);
proto_tree_add_boolean (negotiate_flags_tree,
hf_ntlmssp_negotiate_flags_8000000,
tvb, offset, 4, negotiate_flags);
proto_tree_add_boolean (negotiate_flags_tree,
hf_ntlmssp_negotiate_flags_4000000,
tvb, offset, 4, negotiate_flags);
proto_tree_add_boolean (negotiate_flags_tree,
hf_ntlmssp_negotiate_flags_2000000,
tvb, offset, 4, negotiate_flags);
proto_tree_add_boolean (negotiate_flags_tree,
hf_ntlmssp_negotiate_flags_1000000,
tvb, offset, 4, negotiate_flags);
proto_tree_add_boolean (negotiate_flags_tree,
hf_ntlmssp_negotiate_flags_800000,
tvb, offset, 4, negotiate_flags);
proto_tree_add_boolean (negotiate_flags_tree,
hf_ntlmssp_negotiate_flags_400000,
tvb, offset, 4, negotiate_flags);
proto_tree_add_boolean (negotiate_flags_tree,
hf_ntlmssp_negotiate_flags_200000,
tvb, offset, 4, negotiate_flags);
proto_tree_add_boolean (negotiate_flags_tree,
hf_ntlmssp_negotiate_flags_100000,
tvb, offset, 4, negotiate_flags);
proto_tree_add_boolean (negotiate_flags_tree,
hf_ntlmssp_negotiate_flags_80000,
tvb, offset, 4, negotiate_flags);
proto_tree_add_boolean (negotiate_flags_tree,
hf_ntlmssp_negotiate_flags_40000,
tvb, offset, 4, negotiate_flags);
proto_tree_add_boolean (negotiate_flags_tree,
hf_ntlmssp_negotiate_flags_20000,
tvb, offset, 4, negotiate_flags);
proto_tree_add_boolean (negotiate_flags_tree,
hf_ntlmssp_negotiate_flags_10000,
tvb, offset, 4, negotiate_flags);
proto_tree_add_boolean (negotiate_flags_tree,
hf_ntlmssp_negotiate_flags_8000,
tvb, offset, 4, negotiate_flags);
proto_tree_add_boolean (negotiate_flags_tree,
hf_ntlmssp_negotiate_flags_4000,
tvb, offset, 4, negotiate_flags);
proto_tree_add_boolean (negotiate_flags_tree,
hf_ntlmssp_negotiate_flags_2000,
tvb, offset, 4, negotiate_flags);
proto_tree_add_boolean (negotiate_flags_tree,
hf_ntlmssp_negotiate_flags_1000,
tvb, offset, 4, negotiate_flags);
proto_tree_add_boolean (negotiate_flags_tree,
hf_ntlmssp_negotiate_flags_800,
tvb, offset, 4, negotiate_flags);
proto_tree_add_boolean (negotiate_flags_tree,
hf_ntlmssp_negotiate_flags_400,
tvb, offset, 4, negotiate_flags);
proto_tree_add_boolean (negotiate_flags_tree,
hf_ntlmssp_negotiate_flags_200,
tvb, offset, 4, negotiate_flags);
proto_tree_add_boolean (negotiate_flags_tree,
hf_ntlmssp_negotiate_flags_100,
tvb, offset, 4, negotiate_flags);
proto_tree_add_boolean (negotiate_flags_tree,
hf_ntlmssp_negotiate_flags_80,
tvb, offset, 4, negotiate_flags);
proto_tree_add_boolean (negotiate_flags_tree,
hf_ntlmssp_negotiate_flags_40,
tvb, offset, 4, negotiate_flags);
proto_tree_add_boolean (negotiate_flags_tree,
hf_ntlmssp_negotiate_flags_20,
tvb, offset, 4, negotiate_flags);
proto_tree_add_boolean (negotiate_flags_tree,
hf_ntlmssp_negotiate_flags_10,
tvb, offset, 4, negotiate_flags);
proto_tree_add_boolean (negotiate_flags_tree,
hf_ntlmssp_negotiate_flags_08,
tvb, offset, 4, negotiate_flags);
proto_tree_add_boolean (negotiate_flags_tree,
hf_ntlmssp_negotiate_flags_04,
tvb, offset, 4, negotiate_flags);
proto_tree_add_boolean (negotiate_flags_tree,
hf_ntlmssp_negotiate_flags_02,
tvb, offset, 4, negotiate_flags);
proto_tree_add_boolean (negotiate_flags_tree,
hf_ntlmssp_negotiate_flags_01,
tvb, offset, 4, negotiate_flags);
return (offset + 4);
}
static int
dissect_ntlmssp_negotiate (tvbuff_t *tvb, int offset,
packet_info *pinfo,
proto_tree *ntlmssp_tree,
e_ntlmssp_hdr_t *hdr)
{
guint32 negotiate_flags;
guint16 workstation_length;
guint16 domain_length;
/* NTLMSSP Negotiate Flags */
negotiate_flags = tvb_get_letohs (tvb, offset);
offset = dissect_ntlmssp_negotiate_flags (tvb, offset, pinfo,
ntlmssp_tree,
negotiate_flags);
/* Calling workstation domain name length */
offset = dissect_dcerpc_uint16 (tvb, offset, pinfo, ntlmssp_tree,
hdr->drep,
hf_ntlmssp_negotiate_domain_strlen,
&domain_length);
/* Calling workstation domain name max length */
offset = dissect_dcerpc_uint16 (tvb, offset, pinfo, ntlmssp_tree,
hdr->drep,
hf_ntlmssp_negotiate_domain_maxlen,
NULL);
/* Calling workstation domain name buffer? */
offset = dissect_dcerpc_uint32 (tvb, offset, pinfo, ntlmssp_tree,
hdr->drep,
hf_ntlmssp_negotiate_domain_buffer,
NULL);
/* Calling workstation name length */
offset = dissect_dcerpc_uint16 (tvb, offset, pinfo, ntlmssp_tree,
hdr->drep,
hf_ntlmssp_negotiate_workstation_strlen,
&workstation_length);
/* Calling workstation name max length */
offset = dissect_dcerpc_uint16 (tvb, offset, pinfo, ntlmssp_tree,
hdr->drep,
hf_ntlmssp_negotiate_workstation_maxlen,
NULL);
/* Calling workstation name buffer? */
offset = dissect_dcerpc_uint32 (tvb, offset, pinfo, ntlmssp_tree,
hdr->drep,
hf_ntlmssp_negotiate_workstation_buffer,
NULL);
/* Calling workstation name */
proto_tree_add_item (ntlmssp_tree, hf_ntlmssp_negotiate_workstation,
tvb, offset, workstation_length, FALSE);
offset += workstation_length;
/* Calling domain name */
proto_tree_add_item (ntlmssp_tree, hf_ntlmssp_negotiate_domain,
tvb, offset, domain_length, FALSE);
offset += domain_length;
return offset;
}
static int
dissect_ntlmssp_challenge (tvbuff_t *tvb, int offset, packet_info *pinfo,
proto_tree *ntlmssp_tree,
e_ntlmssp_hdr_t *hdr)
{
guint32 negotiate_flags;
/* Skip over the two unknown fields */
offset = dissect_dcerpc_uint32 (tvb, offset, pinfo, ntlmssp_tree,
hdr->drep,
hf_ntlmssp_challenge_unknown1,
NULL);
offset = dissect_dcerpc_uint32 (tvb, offset, pinfo, ntlmssp_tree,
hdr->drep,
hf_ntlmssp_challenge_unknown2,
NULL);
/* NTLMSSP Negotiate Flags */
negotiate_flags = tvb_get_letohs (tvb, offset);
offset = dissect_ntlmssp_negotiate_flags (tvb, offset, pinfo,
ntlmssp_tree,
negotiate_flags);
/* NTLMSSP NT Lan Manager Challenge */
proto_tree_add_item (ntlmssp_tree,
hf_ntlmssp_ntlm_challenge,
tvb, offset, 8, FALSE);
offset += 8;
/* Reserved (function not completely known) */
proto_tree_add_item (ntlmssp_tree, hf_ntlmssp_reserved,
tvb, offset, 8, FALSE);
offset += 8;
return offset;
}
static void
dissect_ntlmssp(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree)
{
int offset = 0;
int payloadsize = 0;
proto_tree *ntlmssp_tree = NULL;
proto_item *tf = NULL;
e_ntlmssp_hdr_t hdr;
memset(&hdr, 0, sizeof(hdr));
hdr.drep[0] = 0x10;
/* Compute the total size of the data to be parsed */
payloadsize = tvb_length_remaining(tvb, 0);
/* Setup a new tree for the NTLMSSP payload */
if (tree) {
tf = proto_tree_add_item (tree,
hf_ntlmssp,
tvb, offset, payloadsize, FALSE);
ntlmssp_tree = proto_item_add_subtree (tf,
ett_ntlmssp);
}
/* NTLMSSP constant */
proto_tree_add_item (ntlmssp_tree, hf_ntlmssp_auth,
tvb, offset, 8, FALSE);
offset += 8;
/* NTLMSSP Message Type */
offset = dissect_dcerpc_uint32 (tvb, offset, pinfo, ntlmssp_tree,
hdr.drep,
hf_ntlmssp_message_type,
&hdr.ntlmssp_message_type);
/* Call the appropriate dissector based on the Message Type */
if (hdr.ntlmssp_message_type == 1)
offset = dissect_ntlmssp_negotiate (tvb, offset, pinfo,
ntlmssp_tree, &hdr);
else if (hdr.ntlmssp_message_type == 2)
offset = dissect_ntlmssp_challenge (tvb, offset, pinfo,
ntlmssp_tree, &hdr);
else {
/* Unrecognized message type */
proto_tree_add_text (ntlmssp_tree, tvb, offset,
(payloadsize - 12),
"Unrecognized NTLMSSP Message");
}
}
void
proto_register_ntlmssp(void)
{
static hf_register_info hf[] = {
{ &hf_ntlmssp,
{ "NTLMSSP", "ntlmssp", FT_NONE, BASE_NONE, NULL, 0x0, "NTLMSSP", HFILL }},
{ &hf_ntlmssp_auth,
{ "NTLMSSP identifier", "dcerpc.ntlmssp_ntlmssp", FT_STRING, BASE_NONE, NULL, 0x0, "NTLMSSP Identifier", HFILL }},
{ &hf_ntlmssp_message_type,
{ "NTLM Message Type", "ntlmssp.messagetype", FT_UINT32, BASE_HEX, VALS(ntlmssp_message_types), 0x0, "", HFILL }},
{ &hf_ntlmssp_negotiate_flags,
{ "Flags", "dcerpc.negotiateflags", FT_UINT32, BASE_HEX, NULL, 0x0, "", HFILL }},
{ &hf_ntlmssp_negotiate_flags_01,
{ "Negotiate UNICODE", "ntlmssp.negotiateunicode", FT_BOOLEAN, 32, TFS (&flags_set_truth), NTLMSSP_NEGOTIATE_UNICODE, "", HFILL }},
{ &hf_ntlmssp_negotiate_flags_02,
{ "Negotiate OEM", "ntlmssp.negotiateoem", FT_BOOLEAN, 32, TFS (&flags_set_truth), NTLMSSP_NEGOTIATE_OEM, "", HFILL }},
{ &hf_ntlmssp_negotiate_flags_04,
{ "Request Target", "ntlmssp.requesttarget", FT_BOOLEAN, 32, TFS (&flags_set_truth), NTLMSSP_REQUEST_TARGET, "", HFILL }},
{ &hf_ntlmssp_negotiate_flags_08,
{ "Request 0x00000008", "ntlmssp.negotiate00000008", FT_BOOLEAN, 32, TFS (&flags_set_truth), NTLMSSP_NEGOTIATE_00000008, "", HFILL }},
{ &hf_ntlmssp_negotiate_flags_10,
{ "Negotiate Sign", "ntlmssp.negotiatesign", FT_BOOLEAN, 32, TFS (&flags_set_truth), NTLMSSP_NEGOTIATE_SIGN, "", HFILL }},
{ &hf_ntlmssp_negotiate_flags_20,
{ "Negotiate Seal", "ntlmssp.negotiateseal", FT_BOOLEAN, 32, TFS (&flags_set_truth), NTLMSSP_NEGOTIATE_SEAL, "", HFILL }},
{ &hf_ntlmssp_negotiate_flags_40,
{ "Negotiate Datagram Style", "ntlmssp.negotiatedatagramstyle", FT_BOOLEAN, 32, TFS (&flags_set_truth), NTLMSSP_NEGOTIATE_DATAGRAM_STYLE, "", HFILL }},
{ &hf_ntlmssp_negotiate_flags_80,
{ "Negotiate Lan Manager Key", "ntlmssp.negotiatelmkey", FT_BOOLEAN, 32, TFS (&flags_set_truth), NTLMSSP_NEGOTIATE_LM_KEY, "", HFILL }},
{ &hf_ntlmssp_negotiate_flags_100,
{ "Negotiate Netware", "ntlmssp.negotiatenetware", FT_BOOLEAN, 32, TFS (&flags_set_truth), NTLMSSP_NEGOTIATE_NETWARE, "", HFILL }},
{ &hf_ntlmssp_negotiate_flags_200,
{ "Negotiate NTLM key", "ntlmssp.negotiatentlm", FT_BOOLEAN, 32, TFS (&flags_set_truth), NTLMSSP_NEGOTIATE_NTLM, "", HFILL }},
{ &hf_ntlmssp_negotiate_flags_400,
{ "Negotiate 0x00000400", "ntlmssp.negotiate00000400", FT_BOOLEAN, 32, TFS (&flags_set_truth), NTLMSSP_NEGOTIATE_00000400, "", HFILL }},
{ &hf_ntlmssp_negotiate_flags_800,
{ "Negotiate 0x00000800", "ntlmssp.negotiate00000800", FT_BOOLEAN, 32, TFS (&flags_set_truth), NTLMSSP_NEGOTIATE_00000800, "", HFILL }},
{ &hf_ntlmssp_negotiate_flags_1000,
{ "Negotiate Domain Supplied", "ntlmssp.negotiatedomainsupplied", FT_BOOLEAN, 32, TFS (&flags_set_truth), NTLMSSP_NEGOTIATE_DOMAIN_SUPPLIED, "", HFILL }},
{ &hf_ntlmssp_negotiate_flags_2000,
{ "Negotiate Workstation Supplied", "ntlmssp.negotiateworkstationsupplied", FT_BOOLEAN, 32, TFS (&flags_set_truth), NTLMSSP_NEGOTIATE_WORKSTATION_SUPPLIED, "", HFILL }},
{ &hf_ntlmssp_negotiate_flags_4000,
{ "Negotiate This is Local Call", "ntlmssp.negotiatethisislocalcall", FT_BOOLEAN, 32, TFS (&flags_set_truth), NTLMSSP_NEGOTIATE_THIS_IS_LOCAL_CALL, "", HFILL }},
{ &hf_ntlmssp_negotiate_flags_8000,
{ "Negotiate Always Sign", "ntlmssp.negotiatealwayssign", FT_BOOLEAN, 32, TFS (&flags_set_truth), NTLMSSP_NEGOTIATE_ALWAYS_SIGN, "", HFILL }},
{ &hf_ntlmssp_negotiate_flags_10000,
{ "Negotiate Challenge Init Response", "ntlmssp.negotiatechallengeinitresponse", FT_BOOLEAN, 32, TFS (&flags_set_truth), NTLMSSP_CHAL_INIT_RESPONSE, "", HFILL }},
{ &hf_ntlmssp_negotiate_flags_20000,
{ "Negotiate Challenge Accept Response", "ntlmssp.negotiatechallengeacceptresponse", FT_BOOLEAN, 32, TFS (&flags_set_truth), NTLMSSP_CHAL_ACCEPT_RESPONSE, "", HFILL }},
{ &hf_ntlmssp_negotiate_flags_40000,
{ "Negotiate Challenge Non NT Session Key", "ntlmssp.negotiatechallengenonntsessionkey", FT_BOOLEAN, 32, TFS (&flags_set_truth), NTLMSSP_CHAL_NON_NT_SESSION_KEY, "", HFILL }},
{ &hf_ntlmssp_negotiate_flags_80000,
{ "Negotiate NTLM2 key", "ntlmssp.negotiatentlm2", FT_BOOLEAN, 32, TFS (&flags_set_truth), NTLMSSP_NEGOTIATE_NTLM2, "", HFILL }},
{ &hf_ntlmssp_negotiate_flags_100000,
{ "Negotiate 0x00100000", "ntlmssp.negotiatent00100000", FT_BOOLEAN, 32, TFS (&flags_set_truth), NTLMSSP_NEGOTIATE_00100000, "", HFILL }},
{ &hf_ntlmssp_negotiate_flags_200000,
{ "Negotiate 0x00200000", "ntlmssp.negotiatent00200000", FT_BOOLEAN, 32, TFS (&flags_set_truth), NTLMSSP_NEGOTIATE_00200000, "", HFILL }},
{ &hf_ntlmssp_negotiate_flags_400000,
{ "Negotiate 0x00400000", "ntlmssp.negotiatent00400000", FT_BOOLEAN, 32, TFS (&flags_set_truth), NTLMSSP_NEGOTIATE_00400000, "", HFILL }},
{ &hf_ntlmssp_negotiate_flags_800000,
{ "Negotiate Target Info", "ntlmssp.negotiatetargetinfo", FT_BOOLEAN, 32, TFS (&flags_set_truth), NTLMSSP_CHAL_TARGET_INFO, "", HFILL }},
{ &hf_ntlmssp_negotiate_flags_1000000,
{ "Negotiate 0x01000000", "ntlmssp.negotiatent01000000", FT_BOOLEAN, 32, TFS (&flags_set_truth), NTLMSSP_NEGOTIATE_01000000, "", HFILL }},
{ &hf_ntlmssp_negotiate_flags_2000000,
{ "Negotiate 0x02000000", "ntlmssp.negotiatent02000000", FT_BOOLEAN, 32, TFS (&flags_set_truth), NTLMSSP_NEGOTIATE_02000000, "", HFILL }},
{ &hf_ntlmssp_negotiate_flags_4000000,
{ "Negotiate 0x04000000", "ntlmssp.negotiatent04000000", FT_BOOLEAN, 32, TFS (&flags_set_truth), NTLMSSP_NEGOTIATE_04000000, "", HFILL }},
{ &hf_ntlmssp_negotiate_flags_8000000,
{ "Negotiate 0x08000000", "ntlmssp.negotiatent08000000", FT_BOOLEAN, 32, TFS (&flags_set_truth), NTLMSSP_NEGOTIATE_08000000, "", HFILL }},
{ &hf_ntlmssp_negotiate_flags_10000000,
{ "Negotiate 0x10000000", "ntlmssp.negotiatent10000000", FT_BOOLEAN, 32, TFS (&flags_set_truth), NTLMSSP_NEGOTIATE_10000000, "", HFILL }},
{ &hf_ntlmssp_negotiate_flags_20000000,
{ "Negotiate 128", "ntlmssp.negotiate128", FT_BOOLEAN, 32, TFS (&flags_set_truth), NTLMSSP_NEGOTIATE_128, "", HFILL }},
{ &hf_ntlmssp_negotiate_flags_40000000,
{ "Negotiate Key Exchange", "ntlmssp.negotiatekeyexch", FT_BOOLEAN, 32, TFS (&flags_set_truth), NTLMSSP_NEGOTIATE_KEY_EXCH, "", HFILL }},
{ &hf_ntlmssp_negotiate_flags_80000000,
{ "Negotiate 0x80000000", "ntlmssp.negotiatent80000000", FT_BOOLEAN, 32, TFS (&flags_set_truth), NTLMSSP_NEGOTIATE_80000000, "", HFILL }},
{ &hf_ntlmssp_negotiate_workstation_strlen,
{ "Calling workstation name length", "ntlmssp.negotiate.callingworkstation.strlen", FT_UINT16, BASE_HEX, NULL, 0x0, "", HFILL }},
{ &hf_ntlmssp_negotiate_workstation_maxlen,
{ "Calling workstation name max length", "ntlmssp.negotiate.callingworkstation.maxlen", FT_UINT16, BASE_HEX, NULL, 0x0, "", HFILL }},
{ &hf_ntlmssp_negotiate_workstation_buffer,
{ "Calling workstation name buffer", "ntlmssp.negotiate.callingworkstation.buffer", FT_UINT32, BASE_HEX, NULL, 0x0, "", HFILL }},
{ &hf_ntlmssp_negotiate_workstation,
{ "Calling workstation name", "ntlmssp.negotiate.callingworkstation", FT_STRING, BASE_NONE, NULL, 0x0, "", HFILL }},
{ &hf_ntlmssp_negotiate_domain_strlen,
{ "Calling workstation domain length", "ntlmssp.negotiate.domain.strlen", FT_UINT16, BASE_HEX, NULL, 0x0, "", HFILL }},
{ &hf_ntlmssp_negotiate_domain_maxlen,
{ "Calling workstation domain max length", "ntlmssp.negotiate.domain.maxlen", FT_UINT16, BASE_HEX, NULL, 0x0, "", HFILL }},
{ &hf_ntlmssp_negotiate_domain_buffer,
{ "Calling workstation domain buffer", "ntlmssp.negotiate.domain.buffer", FT_UINT32, BASE_HEX, NULL, 0x0, "", HFILL }},
{ &hf_ntlmssp_negotiate_domain,
{ "Calling workstation domain", "ntlmssp.negotiate.domain", FT_STRING, BASE_NONE, NULL, 0x0, "", HFILL }},
{ &hf_ntlmssp_ntlm_challenge,
{ "NTLM Challenge", "ntlmssp.ntlmchallenge", FT_BYTES, BASE_HEX, NULL, 0x0, "", HFILL }},
{ &hf_ntlmssp_reserved,
{ "Reserved", "ntlmssp.reserved", FT_BYTES, BASE_HEX, NULL, 0x0, "", HFILL }},
{ &hf_ntlmssp_challenge_unknown1,
{ "Unknown1", "ntlmssp.challenge.unknown1", FT_UINT32, BASE_HEX, NULL, 0x0, "", HFILL }},
{ &hf_ntlmssp_challenge_unknown2,
{ "Unknown2", "ntlmssp.challenge.unknown2", FT_UINT32, BASE_HEX, NULL, 0x0, "", HFILL }},
};
static gint *ett[] = {
&ett_ntlmssp,
&ett_ntlmssp_negotiate_flags,
};
proto_ntlmssp = proto_register_protocol (
"NTLM Secure Service Provider", /* name */
"NTLMSSP", /* short name */
"ntlmssp" /* abbrev */
);
proto_register_field_array (proto_ntlmssp, hf, array_length (hf));
proto_register_subtree_array (ett, array_length (ett));
register_dissector("ntlmssp", dissect_ntlmssp, proto_ntlmssp);
}
- Prev by Date: Re: [Ethereal-dev] minor bug in ethereal 0.9.5
- Next by Date: Re: [ak@xxxxxxxxxxxx: Re: [Ethereal-dev] FW1 monitor dissector patch]
- Previous by thread: Re: [Ethereal-dev] ntlmssp decoding
- Next by thread: [Ethereal-dev] User Info (0x10 == 16) is an ACB struct.
- Index(es):
