Wireshark-users: Re: [Wireshark-users] Decoding custom application traffic as NTLMSSP
On 11/3/2012 8:28 AM, mikethomson@xxxxxxxxxxx wrote:
Hi all,
I captured the traffic of a custom windows application that is
communicating via WCF TCP (not HTTP).
The application uses Windows NTLMSSP authentication. This can quite easily be
spotted by the packets starting with the "NTLMSSP" string. For now I
"decoded" the NTLMSSP handshake manually to extract challenge and response
because I was not able to tell wireshark that it should decode that
payload as ntlmssp, but that is not very convenient in the long run.
Is it possible to tell wireshark to decode certain traffic as ntlmssp?
My first try was to choose "Decode as..." but there is no ntlmssp option
to choose.
"decode as" really only allows selection of one of a list of protocols
already known to run "over" a specified protocol (e.g., over tcp).
Although I don't know how WCF TCP and NTLMSSP fit together I do note
that Wireshark does not have a dissector for WCF TCP.
So: the short answer: AFAICT not in your case.
Suggestion: Since WCF & NTLMSSP are Microsoft protocols I expect that
the Microsoft Netmon ("Network Monitor") program may be able to dissect
this traffic.
---------
I'm curious to see how WCF TCP and NTLMSSP fit together.
Are you able to provide a capture file for public availability?
If so, it would be appreciated if you could file an enhancement request
(for a WCF dissector) at bugs.wireshark.org attaching the capture file.
Someone may eventually become interested in implementing such a dissector.
Thanks
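Since "Decode as..." offers no ntlmssp entry for raw TCP, a small Wireshark Lua script can do what the poster did by hand: watch for the "NTLMSSP" signature at the start of a TCP payload and hand that payload to Wireshark's built-in ntlmssp dissector. This is an added example, not code from the thread or from the Wireshark project; it assumes Wireshark 1.12 or later (for Proto:register_heuristic) and that the tokens sit at offset 0 of the TCP payload, as the poster describes.

```lua
-- ntlmssp_tcp.lua: route raw-TCP NTLMSSP tokens to Wireshark's ntlmssp dissector.
-- Load with:  wireshark -X lua_script:ntlmssp_tcp.lua   (or drop it in the plugins dir)
local ntlmssp_tcp = Proto("ntlmssp_tcp", "NTLMSSP over raw TCP (heuristic)")

-- Wireshark's own NTLMSSP dissector, normally reached via GSS-API/SPNEGO.
local ntlmssp_dissector = Dissector.get("ntlmssp")
local data_dissector    = Dissector.get("data")

-- Every NTLMSSP message begins with the 8-byte signature "NTLMSSP\0".
local function has_ntlmssp_signature(tvb)
    if tvb:len() < 8 then return false end
    return tvb(0, 7):string() == "NTLMSSP" and tvb(7, 1):uint() == 0
end

-- Called for packets that were matched by the heuristic below or that arrive
-- on the optional configured port.
function ntlmssp_tcp.dissector(tvb, pinfo, tree)
    if not has_ntlmssp_signature(tvb) then
        -- Not a token (e.g. application data on the same port): show raw bytes.
        data_dissector:call(tvb, pinfo, tree)
        return
    end
    -- The ntlmssp dissector parses NEGOTIATE/CHALLENGE/AUTHENTICATE messages,
    -- so the challenge and response fields appear in the packet details.
    ntlmssp_dissector:call(tvb, pinfo, tree)
end

-- Heuristic entry point: claim a TCP segment only when the signature is present.
-- Caveat: a token split across segments is only recognised in the first one.
local function ntlmssp_heuristic(tvb, pinfo, tree)
    if not has_ntlmssp_signature(tvb) then return false end
    ntlmssp_tcp.dissector(tvb, pinfo, tree)
    return true
end
ntlmssp_tcp:register_heuristic("tcp", ntlmssp_heuristic)

-- Optional: also bind to the application's TCP port (assumed value; set it in
-- Preferences -> Protocols -> NTLMSSP_TCP) so it works with heuristics disabled.
ntlmssp_tcp.prefs.port = Pref.uint("TCP port", 0,
    "TCP port of the WCF application (0 = heuristic matching only)")
function ntlmssp_tcp.init()
    if ntlmssp_tcp.prefs.port ~= 0 then
        DissectorTable.get("tcp.port"):add(ntlmssp_tcp.prefs.port, ntlmssp_tcp)
    end
end
```

After loading, the filter `ntlmssp` selects the handshake packets and the NTLMSSP fields (message type, negotiate flags, challenge, NTLM response) are shown in the dissection tree.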