Wireshark mailing list archives
Re: Decoding custom application traffic as NTLMSSP
From: mikethomson () tormail org
Date: Tue, 6 Nov 2012 22:22:28 -0000
>> Is it possible to tell wireshark to decode certain traffic as ntlmssp? My first try was to choose "Decode as..." but there is no ntlmssp option to choose.
>
> "Decode as" really only allows selection of one of a list of protocols already known to run "over" a specified protocol (e.g., over tcp).

Well then, in my case it would be NTLMSSP 'over TCP' because inside that TCP connection there is nothing else but NTLMSSP (at least until the NTLMSSP handshake is completed).

> Although I don't know how WCF TCP and NTLMSSP fit together I do note that Wireshark does not have a dissector for WCF TCP. So: the short answer: AFAIKT not in your case.

Thanks for your answer. To be honest I'm a bit surprised that wireshark cannot decode NTLMSSP when manually instructed to do so (given the TCP payload).

> Suggestion: Since WCF & NTLMSSP are Microsoft protocols I expect that the Microsoft Netmon ("Network Monitor") program may be able to dissect this traffic.

I got that hint also from another person and I did try it, but apparently network monitor is unable to dissect it.

> I'm curious to see how WCF TCP and NTLMSSP fit together. Are you able to provide a capture file for public availability?

I'm sorry but I can't publish that data.

> If so, it would be appreciated if you could file an enhancement request (for a WCF dissector) at bugs.wireshark.org attaching the capture file. Someone may eventually become interested in implementing such a dissector.

If wireshark has no dissector for WCF TCP I assume it is a very rarely used protocol?
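
The manual decoding discussed in this message can be approximated outside Wireshark by scanning the reassembled TCP payload for the NTLMSSP signature and reading the fixed header fields. The following is an added example, not part of the original thread or of Wireshark; field offsets follow the MS-NLMP message layout, while the function names, the sample bytes and the use of cp437 for OEM strings are assumptions.

```python
import struct

SIGNATURE = b"NTLMSSP\x00"
MESSAGE_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}
FLAGS_OFFSET = {1: 12, 2: 20, 3: 60}  # NegotiateFlags position per MS-NLMP
FLAG_NAMES = {0x00000001: "UNICODE", 0x00000200: "NTLM",
              0x00080000: "EXTENDED_SESSIONSECURITY",
              0x20000000: "128", 0x40000000: "KEY_EXCH"}

def parse_message(msg: bytes):
    """Parse one NTLMSSP message starting at its signature; None if not one."""
    if len(msg) < 12 or not msg.startswith(SIGNATURE):
        return None
    (mtype,) = struct.unpack_from("<I", msg, 8)
    if mtype not in MESSAGE_TYPES:
        return None  # signature bytes appeared by chance in other data
    info = {"type": MESSAGE_TYPES[mtype], "flags": None, "target": None}
    off = FLAGS_OFFSET[mtype]
    if len(msg) < off + 4:
        return info  # truncated segment: report the type only
    (flags,) = struct.unpack_from("<I", msg, off)
    info["flags"] = sorted(n for bit, n in FLAG_NAMES.items() if flags & bit)
    if mtype == 2:  # CHALLENGE carries TargetName len/maxlen/offset at 12
        length, _maxlen, start = struct.unpack_from("<HHI", msg, 12)
        raw = msg[start:start + length]
        if length and len(raw) == length:  # ignore out-of-bounds pointers
            enc = "utf-16-le" if flags & 0x1 else "cp437"  # OEM codepage assumed
            info["target"] = raw.decode(enc, errors="replace")
    return info

def find_ntlmssp(payload: bytes):
    """Scan a reassembled TCP payload; return (offset, info) per message."""
    hits, pos = [], payload.find(SIGNATURE)
    while pos != -1:
        info = parse_message(payload[pos:])
        if info:
            hits.append((pos, info))
        pos = payload.find(SIGNATURE, pos + 1)
    return hits

def sample_payload():
    """Constructed CHALLENGE behind 9 arbitrary bytes standing in for app framing."""
    target = "LAB".encode("utf-16-le")
    msg = SIGNATURE + struct.pack("<I", 2)
    msg += struct.pack("<HHI", len(target), len(target), 56)
    msg += struct.pack("<I", 0x00080201) + bytes(32)  # flags, then zeroed fields
    return b"\x09\x15framing" + msg + target

if __name__ == "__main__":
    print(find_ntlmssp(sample_payload()))
```

The payload passed to `find_ntlmssp` is expected to be the application bytes of one direction of the TCP stream, already reassembled.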
Current thread:
- Decoding custom application traffic as NTLMSSP mikethomson (Nov 03)
- Re: Decoding custom application traffic as NTLMSSP Bill Meier (Nov 03)
- Re: Decoding custom application traffic as NTLMSSP mikethomson (Nov 06)
- Re: Decoding custom application traffic as NTLMSSP Guy Harris (Nov 03)
- Re: Decoding custom application traffic as NTLMSSP Bill Meier (Nov 03)