https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5251
Summary: NTLMSSP_AUTH domain and username truncated to first
letter with IE8/Windows7 (generating the NTLM packet)
Product: Wireshark
Version: 1.4.0
Platform: x86
OS/Version: Windows XP
Status: NEW
Severity: Normal
Priority: Low
Component: Wireshark
AssignedTo: wireshark-bugs@xxxxxxxxxxxxx
ReportedBy: denee_f@xxxxxxxxx
Created an attachment (id=5202)
--> (https://bugs.wireshark.org/bugzilla/attachment.cgi?id=5202)
See problem description for specific info to look at. Trace taken on Win 7
machine with IE8
Build Information:
1.4.0 and 1.2.5
--
While debugging an issue with Windows 7/IE8 and NTLM authentication with our
proxy server, noticed that wireshark (observed in versions 1.2.5 and 1.4.0) is
truncating the domain name and username in NTLMSSP_AUTH messages to the first
letter of each. So... instead of showing the full domain of MYDOMAIN it lists
only "M" and instead of showing the full username USERID, it only lists "U".
This is specific to the NTLMSSP_AUTH (NTLM message type 3) message.
That lead us down the WRONG path troubleshooting-wise... Can you please fix?
Attached is a sample.
Please note that relevant traffic will be between IP addresses
192.168.13.92 and 208.87.234.180
It is on TCP/8081 which you will need to decode as HTTP
Frames 3568,3955,3961, 4002, 4050, 4091 illustrates problem - lists M\D for
domain\user (this is an HTTP CONNECT)
Frame 827 illustrates proper domain\username for this same user (this is an
HTTP GET)
--
Configure bugmail: https://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.