Wireshark-bugs: [Wireshark-bugs] [Bug 5251] New: NTLMSSP_AUTH domain and username truncated to f

Date: Wed, 22 Sep 2010 17:07:56 -0700 (PDT)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5251

           Summary: NTLMSSP_AUTH domain and username truncated to first
                    letter with IE8/Windows7 (generating the NTLM packet)
           Product: Wireshark
           Version: 1.4.0
          Platform: x86
        OS/Version: Windows XP
            Status: NEW
          Severity: Normal
          Priority: Low
         Component: Wireshark
        AssignedTo: wireshark-bugs@xxxxxxxxxxxxx
        ReportedBy: denee_f@xxxxxxxxx


Created an attachment (id=5202)
 --> (https://bugs.wireshark.org/bugzilla/attachment.cgi?id=5202)
See problem description for specific info to look at. Trace taken on Win 7
machine with IE8

Build Information:
1.4.0 and 1.2.5
--
While debugging an issue with Windows 7/IE8 and NTLM authentication with our
proxy server, noticed that wireshark (observed in versions 1.2.5 and 1.4.0) is
truncating the domain name and username in NTLMSSP_AUTH messages to the first
letter of each. So... instead of showing the full domain of MYDOMAIN it lists
only "M" and instead of showing the full username USERID, it only lists "U".

This is specific to the NTLMSSP_AUTH (NTLM message type 3) message.

That lead us down the WRONG path troubleshooting-wise... Can you please fix?

Attached is a sample. 

Please note that relevant traffic will be between IP addresses 
192.168.13.92 and 208.87.234.180
It is on TCP/8081 which you will need to decode as HTTP

Frames 3568,3955,3961, 4002, 4050, 4091 illustrates problem - lists M\D for
domain\user (this is an HTTP CONNECT)

Frame 827 illustrates proper domain\username for this same user (this is an
HTTP GET)

-- 
Configure bugmail: https://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.