Wireshark-bugs: [Wireshark-bugs] [Bug 5251] NTLMSSP_AUTH domain and username truncated to first

Date: Fri, 24 Sep 2010 14:25:31 -0700 (PDT)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5251

Bill Meier <wmeier@xxxxxxxxxxx> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED

--- Comment #1 from Bill Meier <wmeier@xxxxxxxxxxx> 2010-09-24 17:25:27 EDT ---
The NTLMSSP dissector uses the "negotiate_unicode" bit in the "negotiate flags"
field to determine whether fields such as the user_name, etc are unicode.

It appears that the "Negotiate Flags" field is not always being found/dissected
in NTLM AUTHENTICATE (NTLMSSP_AUTH) messages.

This is normally not a problem since the NTLMSSP dissector uses the flags
previously seen (in NEGOTIATE/CHALLENGE messages) to determine if certain
fields are unicode.

However, in the attached capture the HTTP CONNECTS actually do the NTLM
NEGOTIATE/CHALLENGE exchange on one TCP connection and then open a new TCP
connection to do the AUTHENTICATE.

Since the "negotiate flags" aren't found/dissected in the AUTHENTICATE message
(and since there's no previous history for the new connection) the user_name,
etc fields  aren't dissected as unicode.

I'm looking at the dissector code to see how this might be fixed.

-- 
Configure bugmail: https://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.