Wireshark-users: Re: [Wireshark-users] Decoding custom application traffic as NTLMSSP
Date: Tue, 6 Nov 2012 22:22:28 -0000
>> Is it possible to tell wireshark to decode certain traffic as ntlmssp?
>> My first try was to choose "Decode as..." but there is no ntlmssp option
>> to choose.
>>
>
> "decode as" really only allows selection of one of a list of protocols
> already known to run "over" a specified protocol (e.g., over tcp).

well then in my case it would be NTLMSSP 'over TCP' because inside that
TCP connection there is nothing else but NTLMSSP (at least until the
NTLMSSP handshake is completed)

> Although I don't know how WCF TCP and NTLMSSP fit together I do note
> that Wireshark does not have a dissector for WCF TCP.
>
> So: the short answer: AFAIKT not in your case.

Thanks for your answer. To be honest I'm a bit surprised that wireshark
can not decode NTLMSSP when manually instructed to do so (given the TCP
payload).

> Suggestion: Since WCF & NTLMSSP are Microsoft protocols I expect that
> the Microsoft Netmon ("Network Monitor") program may be able to dissect
> this traffic.

A got that hint also from another person and I did try it but appearently
network monitor is unable to dissect it.

> I'm curious to see how WCF TCP and NTLMSSSP fit together.
> Are you able to provide a capture file for public availability ?

I'm sorry but I can't publish that data.

> If so, it would be appreciated if you could file an enhancement request
> (for an WCF dissector) at bugs.wireshark.org attaching the capture file.
>
> Someone may ventually become interested in implementing such a dissector.

If wireshark has no dissector for WCF TCP I assume it is very rarely used
protocol?