Apparently, the Mode and Error fields of TKEY were being highlighted a word off
from where they should have been.
Attached diff contains a fix for this as well as my previous patch (for
TKEY with NTLMSSP data).
Index: packet-dns.c
===================================================================
--- packet-dns.c (revision 12561)
+++ packet-dns.c (working copy)
@@ -82,6 +82,7 @@
/* Dissector handle for GSSAPI */
static dissector_handle_t gssapi_handle;
+static dissector_handle_t ntlmssp_handle;
/* DNS structs and definitions */
@@ -1886,20 +1887,20 @@
if (rr_len < 2)
goto bad_rr;
tkey_mode = tvb_get_ntohs(tvb, cur_offset);
- cur_offset += 2;
- rr_len -= 2;
proto_tree_add_text(rr_tree, tvb, cur_offset, 2, "Mode: %s",
val_to_str(tkey_mode, tkey_modes,
"Unknown (0x%04X)"));
+ cur_offset += 2;
+ rr_len -= 2;
if (rr_len < 2)
goto bad_rr;
tkey_error = tvb_get_ntohs(tvb, cur_offset);
- cur_offset += 2;
- rr_len -= 2;
proto_tree_add_text(rr_tree, tvb, cur_offset, 2, "Error: %s",
val_to_str(tkey_error, rcode_vals,
val_to_str(tkey_error, tsigerror_vals, "Unknown error (%x)")));
+ cur_offset += 2;
+ rr_len -= 2;
tkey_keylen = tvb_get_ntohs(tvb, cur_offset);
proto_tree_add_text(rr_tree, tvb, cur_offset, 2, "Key Size: %u",
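Review bot: The Key Size read `tkey_keylen = tvb_get_ntohs(tvb, cur_offset);` has no `if (rr_len < 2) goto bad_rr;` guard in front of it, unlike the Mode and Error reads just above, at least in the lines visible here. As far as I know the tvb accessor bounds-checks against the captured buffer but not against the record's remaining length, so a TKEY record with a short RDLENGTH would have bytes from past the record labelled as Key Size and `rr_len` would go out of step. Since the patch already reorders these statements, I would add `if (rr_len < 2) goto bad_rr;` before the read. The Key Size handling continues past the end of the hunk, so any later length check is not visible from here.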
@@ -1935,8 +1936,10 @@
*/
gssapi_tvb = tvb_new_subset(
tvb, cur_offset, tkey_keylen, tkey_keylen);
-
- call_dissector(gssapi_handle, gssapi_tvb, pinfo,
+ if(tvb_strneql(gssapi_tvb, 0, "NTLMSSP", 7) == 0)
+ call_dissector(ntlmssp_handle, gssapi_tvb, pinfo, key_tree);
+ else
+ call_dissector(gssapi_handle, gssapi_tvb, pinfo,
key_tree);
break;
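Review bot: The new `call_dissector(ntlmssp_handle, gssapi_tvb, pinfo, key_tree);` runs whenever the key data in the packet starts with "NTLMSSP", but nothing checks that the handle is non-NULL. It is assigned from `find_dissector("ntlmssp")` in the last hunk, which I would expect to return NULL when that dissector is not registered. I would guard the branch with `if (ntlmssp_handle != NULL && tvb_strneql(gssapi_tvb, 0, "NTLMSSP", 7) == 0)` so the code falls back to the GSS-API path. Both arms should also be braced, since the else arm's call spans two lines, and a short comment such as `/* key data may be raw NTLMSSP rather than a GSS-API token */` would explain why a tvb named `gssapi_tvb` is handed to another dissector. The enclosing case starts outside the hunk, so how `tkey_keylen` is validated before `tvb_new_subset` is not visible.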
@@ -2623,4 +2626,5 @@
dissector_add("tcp.port", TCP_PORT_MDNS, dns_tcp_handle);
gssapi_handle = find_dissector("gssapi");
+ ntlmssp_handle = find_dissector("ntlmssp");
}