I have a pcap file with smb traffic and I am trying to understand how
the signature is generated.
Using the Wireshark GUI, I opened the pcap file and applied a filter
so that I can see only the relevant TCP stream.
In this stream, the initial authentication is done using NTLMSSP.
But, after nearly 100 smb packets, suddenly I see a SetupAndX
Request/Response, with krb5 AP_REQ and AP_REP.
I have used the keytab file to decrypt the AP_REP and get the session
Now, the sequence number starts with 0 and I have used that counter to
calculate the signature.
But, the signature that I am getting doesn't match with the original
I also tried counting the sequence number starting from the NTLM
Request/Response, and with that too the signature doesn't match.
So, can somebody tell me if this kind of mix-up of NTLM and Kerberos
packets in a single TCP stream is common?
And how to get the right signature in this case?
Sent via: Wireshark-users mailing list <firstname.lastname@example.org>
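An added worked example (it is not part of the message above, nor Wireshark or Samba code) of the SMB1 signing computation as MS-CIFS describes it: the 8-byte signature is the first 8 bytes of MD5(MACKey || message), where the message is everything from the 0xFF 'S' 'M' 'B' marker onward (the 4-byte NetBIOS length is not included) and the 8-byte SecurityFeatures field has been replaced by the 32-bit little-endian sequence number followed by four zero bytes. Requests use sequence n and the matching response n+1. For plain NTLM the MAC key is the session key with the NTLM response appended; for extended security (NTLMSSP or Kerberos) it is the GSS session key alone. Rather than assuming where the counter started, the finder below recomputes the signature over a window of sequence numbers against the captured one, which is a direct way to answer the question on a real pcap. The session key, message contents and sequence numbers are constructed for the demonstration.

```python
import hashlib
import struct

SMB_HEADER_LEN = 32   # fixed SMB1 header, from 0xFF 'S' 'M' 'B' to MID inclusive
SIG_OFFSET = 14       # offset of the 8-byte SecurityFeatures (signature) field in that header


def smb1_signature(mac_key: bytes, smb_message: bytes, seq: int) -> bytes:
    """MS-CIFS SMB1 signature: MD5(MACKey || message-with-seq-in-signature-field)[:8].

    smb_message is the SMB header plus parameters and data, WITHOUT the 4-byte
    NetBIOS session header that precedes it on the wire."""
    if len(smb_message) < SMB_HEADER_LEN or smb_message[:4] != b"\xffSMB":
        raise ValueError("not an SMB1 message")
    # The signature field is overwritten with the 32-bit LE sequence number + 4 zero bytes
    # before hashing, so whatever the captured field contains is irrelevant here.
    patched = (smb_message[:SIG_OFFSET]
               + struct.pack("<I", seq) + b"\x00" * 4
               + smb_message[SIG_OFFSET + 8:])
    return hashlib.md5(mac_key + patched).digest()[:8]


def sign(mac_key: bytes, smb_message: bytes, seq: int) -> bytes:
    """Return the message with its signature field filled in for sequence number seq."""
    sig = smb1_signature(mac_key, smb_message, seq)
    return smb_message[:SIG_OFFSET] + sig + smb_message[SIG_OFFSET + 8:]


def find_sequence_number(mac_key: bytes, captured: bytes, max_seq: int = 1024):
    """Recover the sequence number a captured message was signed with, or None.

    Try this with each candidate MAC key; the value that matches tells you both
    which key the peers used and where their counter was at that point."""
    observed = captured[SIG_OFFSET:SIG_OFFSET + 8]
    for seq in range(max_seq):
        if smb1_signature(mac_key, captured, seq) == observed:
            return seq
    return None


def candidate_mac_keys(session_key: bytes, ntlm_response: bytes = None) -> dict:
    """MAC keys to try: GSS/Kerberos/NTLMSSP use the session key alone;
    classic NTLM appends the NTLM response to it."""
    keys = {"session_key": session_key}
    if ntlm_response is not None:
        keys["session_key+ntlm_response"] = session_key + ntlm_response
    return keys


def build_smb1_message(command: int, uid: int, mid: int, body: bytes = b"") -> bytes:
    """Construct a minimal SMB1 message (header + body) for the demonstration."""
    header = (b"\xffSMB"
              + bytes([command])
              + struct.pack("<I", 0)            # NT_STATUS_SUCCESS
              + b"\x18"                          # Flags
              + struct.pack("<H", 0xC807)        # Flags2, includes SMB_FLAGS2_SECURITY_SIGNATURE (0x0004)
              + struct.pack("<H", 0)             # PIDHigh
              + b"\x00" * 8                      # SecurityFeatures, filled in by sign()
              + b"\x00\x00"                      # Reserved
              + struct.pack("<HHHH", 0, 0xFEFF, uid, mid))  # TID, PIDLow, UID, MID
    assert len(header) == SMB_HEADER_LEN
    return header + body


def demo():
    """Sign a constructed request/response pair and recover both sequence numbers."""
    session_key = bytes.fromhex("0123456789abcdef0123456789abcdef")  # constructed, not from a capture
    request = build_smb1_message(0x2E, uid=0x0801, mid=0x0003, body=bytes(range(12)))
    response = build_smb1_message(0x2E, uid=0x0801, mid=0x0003, body=b"\x00\x01")
    signed_req = sign(session_key, request, 6)    # client request at sequence 6
    signed_resp = sign(session_key, response, 7)  # server response at sequence 7
    return (find_sequence_number(session_key, signed_req),
            find_sequence_number(session_key, signed_resp))


if __name__ == "__main__":
    print(demo())  # (6, 7)
```

To use it on the capture in question, export the bytes of one signed SMB packet from Wireshark (the SMB layer only, not the NetBIOS length), feed it to find_sequence_number once with the Kerberos session key and once with each key from candidate_mac_keys built from the NTLM exchange; whichever combination returns a number shows which key is in force and where the counter stands, and a None for every candidate points at the key itself rather than the counter.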