wireshark-users October 2010 archive

[Wireshark-users] Need help in understanding the "Signature Generation" for SMB packets

From: Narendra Kumar S.S <ssnkumar_at_nospam>
Date: Tue Oct 05 2010 - 08:43:22 GMT
To: wireshark-users@wireshark.org

Hi,

I have a pcap file with SMB traffic and I am trying to understand how the signature is generated.

Using the Wireshark GUI, I have opened the pcap file and applied a filter so that I can see only the relevant TCP stream. In this stream, the initial authentication is done using NTLMSSP. But, after nearly 100 SMB packets, I suddenly see a SetupAndX Request/Response with a Kerberos (krb5) AP_REQ and AP_REP.

I have used the keytab file to decrypt the AP_REP and get the session key. Now, the sequence number starts at 0, and I have used that counter to calculate the signature. But the signature that I am getting doesn't match the original signature. I also tried counting the sequence number starting from the NTLM Request/Response, and with that the signature doesn't match either.

So, can somebody tell me if this kind of mix-up of NTLM and Kerberos packets in a single TCP stream is common? And how do I get the right signature in this case?

Warm Regards,
Narendra

Visit my blogs at:
http://ssnarendrakumar.blogspot.com/
   ___ ___ __ _
  / __/ / __/ / | / /
_\ \ _ \ \ / /| |/ /
\___/ \___/ /_/ |__/
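The computation the post is trying to reproduce, as an added example that is not part of the original message and not Wireshark code: SMB1 message signing as specified in MS-CIFS (section 3.3.5.1) and MS-SMB (section 3.2.4.1.2). The sender writes the 32-bit sequence number, followed by four zero bytes, into the SecuritySignature field of the SMB header (bytes 14 to 21, little-endian), computes MD5 over the MAC key concatenated with the whole SMB message, and keeps the first 8 bytes. The MAC key differs by authentication mechanism: for NTLM it is the session key concatenated with the NTLM response, for Kerberos it is the session key alone. The session key, header fields and payload below are constructed sample values, and `find_sequence_number` is a hypothetical diagnostic helper that answers the post's question of which counter value a captured message was signed with.

```python
import hashlib
import hmac
import struct

# Constructed 16-byte session key for the example; not a key from any real capture.
CONSTRUCTED_SESSION_KEY = bytes(range(16))

# SMB1 header layout (MS-CIFS 2.2.3.1), 32 bytes, little-endian:
# Protocol(4) Command(1) Status(4) Flags(1) Flags2(2) PIDHigh(2)
# SecuritySignature(8) Reserved(2) TID(2) PIDLow(2) UID(2) MID(2)
SMB1_HEADER = struct.Struct("<4sBIBHH8sHHHHH")
SIG_OFFSET = 14  # SecuritySignature starts at byte 14 of the header
SIG_LEN = 8


def build_smb1_message(command: int, payload: bytes, *, tid: int = 1,
                       pid: int = 0x1234, uid: int = 0x0800, mid: int = 1) -> bytes:
    """Build an SMB1 message (header + body) with an all-zero signature field."""
    header = SMB1_HEADER.pack(b"\xffSMB", command, 0, 0x18, 0xC807,
                              pid >> 16, b"\x00" * SIG_LEN, 0, tid,
                              pid & 0xFFFF, uid, mid)
    return header + payload


def smb1_mac_key(session_key: bytes, ntlm_response: bytes = b"") -> bytes:
    """MAC key per MS-SMB 3.2.4.1.2: session key + NTLM response for NTLM,
    session key only for Kerberos (pass no response)."""
    return session_key + ntlm_response


def smb1_signature(mac_key: bytes, smb_message: bytes, seq_num: int) -> bytes:
    """Compute the 8-byte SMB1 signature for a message at a given sequence number."""
    if len(smb_message) < SMB1_HEADER.size or smb_message[:4] != b"\xffSMB":
        raise ValueError("not an SMB1 message")
    patched = bytearray(smb_message)
    # Sequence number (4 bytes LE) followed by 4 zero bytes replaces the signature field.
    patched[SIG_OFFSET:SIG_OFFSET + SIG_LEN] = struct.pack("<II", seq_num, 0)
    return hashlib.md5(mac_key + bytes(patched)).digest()[:SIG_LEN]


def sign_smb1_message(mac_key: bytes, smb_message: bytes, seq_num: int) -> bytes:
    """Return the message with its SecuritySignature field filled in."""
    sig = smb1_signature(mac_key, smb_message, seq_num)
    return smb_message[:SIG_OFFSET] + sig + smb_message[SIG_OFFSET + SIG_LEN:]


def verify_smb1_signature(mac_key: bytes, smb_message: bytes, seq_num: int) -> bool:
    """Check a captured message's signature against the expected sequence number."""
    expected = smb1_signature(mac_key, smb_message, seq_num)
    return hmac.compare_digest(expected, smb_message[SIG_OFFSET:SIG_OFFSET + SIG_LEN])


def find_sequence_number(mac_key: bytes, smb_message: bytes, max_seq: int = 4096):
    """Hypothetical diagnostic: scan candidate sequence numbers and return the one
    the sender actually used, or None. Useful when the counter origin is unclear,
    e.g. after a second SessionSetup in the same TCP stream."""
    for seq in range(max_seq):
        if verify_smb1_signature(mac_key, smb_message, seq):
            return seq
    return None


if __name__ == "__main__":
    # Constructed request: a Tree Connect AndX (command 0x75) with a dummy body.
    request = build_smb1_message(0x75, b"\x04\xff\x00\x00\x00\x08\x00\x01\x00")
    key = smb1_mac_key(CONSTRUCTED_SESSION_KEY)  # Kerberos case: session key only
    signed = sign_smb1_message(key, request, seq_num=5)
    print("signature:", signed[SIG_OFFSET:SIG_OFFSET + SIG_LEN].hex())
    print("verifies at seq 5:", verify_smb1_signature(key, signed, 5))
    print("recovered seq:", find_sequence_number(key, signed))
```

When comparing against a capture, note that the MAC key choice matters as much as the counter: a message signed with the Kerberos session key will never verify under a key built with an NTLM response appended, and vice versa, so a mismatch does not by itself tell you that the sequence counter is wrong.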

___________________________________________________________________________
Sent via: Wireshark-users mailing list <wireshark-users@wireshark.org>
Archives: http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request@wireshark.org?subject=unsubscribe