On Sun, 1 Sep 2002, Todd Sabin wrote:
> Richard Sharpe <rsharpe@xxxxxxxxxx> writes:
>
> > Hi,
> >
> > I was looking at the NTLMSSP dissector and running it over some data now
> > that SPNEGO is working OK, and I noticed two things:
> >
> > 1. We know that the NTLMSSP blob is NDR encoded, so rather than breaking
> > it out by hand, it would be a lot more useful if the support in
> > packet-dcerpc.c et al was used.
>
> Though they look like NDR, and are quite similar, they're not. I'm
> pretty sure they don't pay attention to the data representation, even
> when they're used with DCERPC. I.e., they're always little endian.
> Also, for uni strings that are "empty", the pointer is non-null and
> indicates the offset where the data would have occurred, if there were
> any. In NDR, if you did that, there'd be a max, offset, and count
> (what samba calls a uni_ldr(?), I think) in the deferred data. There
> isn't any in the NTLMSSP blobs.

OK, now I understand what Todd was saying. Since we did not do a bind,
there is no data representation stuff, so, unless I can fake it up, it
will be hard to use the DCERPC dissector stuff.

However, a couple of us understand lots more about the format now.

Regards
-----
Richard Sharpe, rsharpe@xxxxxxxxxx, rsharpe@xxxxxxxxx,
sharpe@xxxxxxxxxxxx
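
Added example, not part of the original thread or of the Ethereal source: a bounds-checked reader for the NTLMSSP field descriptors discussed above, showing the fixed little-endian decoding and an empty field whose offset is still non-zero. The function names, the sample blob and the assumption of a 32-byte NEGOTIATE header with both descriptors present are illustrative.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Field descriptor: length, allocated length, offset from start of blob. */
typedef struct { uint16_t len, maxlen; uint32_t off; } secbuf_t;

/* Always little endian, independent of any DCERPC data representation. */
static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t le32(const uint8_t *p) { return (uint32_t)le16(p) | ((uint32_t)le16(p + 2) << 16); }

/* Read the 8-byte descriptor at pos; return 0 if it is in bounds, else -1. */
int read_secbuf(const uint8_t *blob, size_t n, size_t pos, secbuf_t *out)
{
    if (pos > n || n - pos < 8) return -1;
    out->len = le16(blob + pos);
    out->maxlen = le16(blob + pos + 2);
    out->off = le32(blob + pos + 4);
    /* An empty field keeps a non-zero offset (where the data would have
     * been) and has no deferred data, so there is nothing to range-check. */
    if (out->len == 0) return 0;
    return (out->off > n || n - out->off < out->len) ? -1 : 0;
}

/* Parse a type 1 (NEGOTIATE) blob; return 0 on success, -1 if malformed. */
int parse_negotiate(const uint8_t *blob, size_t n, uint32_t *flags,
                    secbuf_t *domain, secbuf_t *workstation)
{
    if (n < 32 || memcmp(blob, "NTLMSSP", 8) != 0 || le32(blob + 8) != 1) return -1;
    *flags = le32(blob + 12);
    if (read_secbuf(blob, n, 16, domain) != 0) return -1;
    return read_secbuf(blob, n, 24, workstation);
}

/* Constructed sample: domain "DOM" at offset 32, empty workstation at 35. */
static const uint8_t sample_negotiate[] = {
    'N','T','L','M','S','S','P',0,  1,0,0,0,  0x02,0x12,0,0,
    3,0,3,0, 32,0,0,0,   0,0,0,0, 35,0,0,0,   'D','O','M'
};

int main(void)
{
    uint32_t flags; secbuf_t d, w;
    if (parse_negotiate(sample_negotiate, sizeof sample_negotiate, &flags, &d, &w) != 0) return 1;
    printf("flags=0x%08x domain=%.*s ws_len=%u ws_off=%u\n", (unsigned)flags,
           (int)d.len, (const char *)sample_negotiate + d.off, (unsigned)w.len, (unsigned)w.off);
    return 0;
}
```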