Please upgrade to SVC version 15405 or later.
It fixes the issue in 816fc4.cap where if it once has seen KRB5
traffic from the client source port it assumes all other traffic
from that port is KRB5 as well, including the DNS packets following
a couple of frames later.
:wq
On 8/16/05, Xiaoguang Liu <syslxg@xxxxxxxxx> wrote:
> Hi all,
>
> When I learned that ethereal 0.10.12 can decrypt kerberos data, I was so
> excited. But after testing and research for 20+ hours, I failed to get
> this feature to work. Now I am wondering what on earth I did wrong.
>
> Below is my last test: after creating a keytab and capturing kerberos
> traffic, I still cannot see the decrypted kerberos info. Everything
> looks the same as when I did not specify a keytab file. (I did enable the
> "try to decrypt kerberos blob" option.)
> I also attach the keytab and cap trace file. Please help me check what
> the problem would be.
>
> It will also be highly appreciated if anyone can send me a sample
> keytab and cap file, so that I can have a look at this cool feature.
>
> OS: Fedora core 4
> Ethereal: ethereal-0.10.12.SVN.15374-1.fc4.i386.rpm from
> http://www.ethereal.com/distribution/buildbot-builds/rpm/
>
> KDC: windows 2003 (IP 10.5.3.1)
> realm: DENYDC.COM
> princ:
> 1. u5@xxxxxxxxxx
> dump NT hash by dumpwd3e.exe, then create keytab file by ktutil on FC4
> ktutil:addent -key -p u5@xxxxxxxxxx -k 3 -e arcfour-hmac-md5
> 2. des@xxxxxxxxxx (
> create keytab file ktpass.exe on windows 2003
>
> file attached:
> 816.key, contains keys for u5 and des
> 816.cap, des and u5 login for a Windows XP
> 816fc4.cap, des and u5 login from FC4 by "kinit -k -t 816.key
> u5@xxxxxxxxxx"
>
>
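
Added example, not part of the original thread and not Ethereal code: before suspecting the dissector, it helps to confirm that a keytab like the one built with ktutil above really holds the expected principal, kvno and enctype. The parser follows the MIT keytab file format (version 0x502); the sample keytab, the EXAMPLE.COM realm, the all-zero keys and the kvno/enctype of the "des" entry are constructed for illustration.

```python
import struct

ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 23: "arcfour-hmac-md5"}

def _counted(buf, off):
    """Read a uint16-length-prefixed byte string; return (bytes, new offset)."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(buf):
    """Return a list of (principal, kvno, enctype name, key length) tuples."""
    if buf[:2] != b"\x05\x02":
        raise ValueError("not a version 0x502 keytab")
    off, entries = 2, []
    while off + 4 <= len(buf):
        (size,) = struct.unpack_from(">i", buf, off)
        off += 4
        if size <= 0:               # negative size marks a deleted slot
            off += -size
            continue
        end, p = off + size, off
        (ncomp,) = struct.unpack_from(">H", buf, p); p += 2
        realm, p = _counted(buf, p)
        comps = []
        for _ in range(ncomp):
            c, p = _counted(buf, p)
            comps.append(c.decode())
        p += 4 + 4                  # skip name type and timestamp
        kvno = buf[p]; p += 1       # 8-bit key version number
        (etype,) = struct.unpack_from(">H", buf, p); p += 2
        key, p = _counted(buf, p)
        if end - p >= 4:            # optional 32-bit kvno overrides if non-zero
            kvno = struct.unpack_from(">I", buf, p)[0] or kvno
        entries.append(("/".join(comps) + "@" + realm.decode(), kvno,
                        ENCTYPES.get(etype, str(etype)), len(key)))
        off = end
    return entries

def _sample_entry(name, realm, kvno, etype, key):
    # Constructed test data: one entry laid out as in a 0x502 keytab file.
    cs = lambda b: struct.pack(">H", len(b)) + b
    body = (struct.pack(">H", 1) + cs(realm) + cs(name) +
            struct.pack(">IIB", 1, 0, kvno) + struct.pack(">H", etype) + cs(key))
    return struct.pack(">i", len(body)) + body

# Constructed keytab: placeholder all-zero keys, not real credentials.
SAMPLE = (b"\x05\x02" + _sample_entry(b"u5", b"EXAMPLE.COM", 3, 23, bytes(16))
          + _sample_entry(b"des", b"EXAMPLE.COM", 2, 3, bytes(8)))

if __name__ == "__main__":
    for entry in parse_keytab(SAMPLE):
        print(entry)
```

The kvno and enctype listed for each entry should match those in the encrypted parts of the captured Kerberos frames.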