I have been able to get the sample tracefiles from the Wiki site to decrypt using version 1.0.2 (under Linux only, Windows Wireshark 1.0.2 doesn’t seem to work with keytab sample files).  But I’ve been having a heck of a time getting keytab to work on my test environment with Wireshark.  No matter what I try, Wireshark won’t decrypt using what I think is a valid keytab file.  I am trying to analyze a Vista machine joining a Server 2008 Domain.  Nothing gets decrypted.  I am using keypass that ships with Server 2008.  Here is the command I use to build the keytab file. 

ktpass /out adddn.keytab /princ CIFS/pete-srvr.kbstest.com@xxxxxxxxxxx /pass * /mapuser chris@xxxxxxxxxxx /crypto AES256-SHA1 /ptype KRB5_NT_PRINCIPAL

Targeting domain controller: Pete-srvr.kbstest.com

Using legacy password setting method

Successfully mapped CIFS/pete-srvr.kbstest.com to chris.

Key created.

Output keytab to adddn1.keytab:

Keytab version: 0x502

keysize 89 CIFS/pete-srvr.kbstest.com@xxxxxxxxxxx ptype 1 (KRB5_NT_PRINCIPAL) vno 2 etype 0x12 (AES256-SHA1) keylength 32 (0xf4ddfa2378316e2f63e590adc7c377a9aeef313f5eedba087ada9f9212375983)

Thanks, Chris