Wireshark-dev: [Wireshark-dev] tshark -K option not handled correctly in --disable-wireshark bu

From: "Jonathan Schilling" <jschilling@xxxxxxxxxx>
Date: Fri, 29 Jan 2010 17:35:59 -0500

Hello,

I'm building Wireshark 1.2.5 (but the same situation appears to exist in
1.2.6 and 1.3.2).  I'm using it for a special purpose, and only need the
command-line tshark, and I don't have the environment set up to build the
GTK-based code.  So I configured the build with --disable-wireshark.

When I run the resulting tshark with the -K keytab option to decrypt/dissect
some Kerberos packets, they fail to decrypt.  I tracked this down to the
code in epan/dissectors/packet-kerberos.c.  The bool krb_decrypt is never
set to TRUE, thus causing the decrypt routines to exit without doing
anything.  As I understand it, in normal circumstances that bool is set via
its address being passed into the register_preference mechanism, which then
sets it via the Wireshark GUI and whatever times the user selects that.  I
don't quite see how it gets set from the wireshark -K option, but I didn't
follow that code.  But from the tshark -K option alone, certainly when the
Wireshark code is excluded by the --disable-wireshark setting, the bool
never gets set.

As a fix, it seems to me that whenever the read_keytab_file() function is
called in packet-kerberos.c, and the function gets past its various error
checks to its normal return point at the end, the krb_decrypt bool should be
set to TRUE before the return.  Because use of the -K option (which calls
read_keytab_file) implicitly states that the user wants Kerberos decryption.
I made this change and my tshark began decrypting/dissecting a Kerberos
ticket correctly.

Am I right about this?

Thanks,

Jonathan Schilling
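A small C model of the behaviour described in the post, added here as an illustration and not code from Wireshark or from the poster: krb_decrypt, read_keytab_file() and decrypt_krb_data() are hypothetical stand-ins with constructed checks, and the fixed parameter toggles the proposed change so the two code paths can be compared.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical model of the dissector state, not Wireshark's own code.
 * krb_decrypt mirrors the preference bool: in a GUI build the registered
 * preference sets it; in a --disable-wireshark build nothing touches it. */
static bool krb_decrypt = false;

/* Stand-in for the decrypt routine: it exits without doing anything unless
 * the flag is set, which is the symptom reported for tshark -K. */
int decrypt_krb_data(const unsigned char *in, size_t len, unsigned char *out)
{
    if (!krb_decrypt)
        return -1;                 /* flag never set: skip decryption */
    for (size_t i = 0; i < len; i++)
        out[i] = in[i] ^ 0x5a;     /* constructed placeholder transform */
    return (int)len;
}

/* Stand-in for read_keytab_file(): a few error checks, then the normal
 * return point.  With fixed == true the flag is set only once the keytab
 * has been accepted, so a rejected keytab leaves decryption disabled. */
int read_keytab_file(const char *path, bool fixed)
{
    if (path == NULL || *path == '\0')
        return -1;                 /* no keytab given */
    if (strstr(path, ".keytab") == NULL)
        return -2;                 /* constructed validity check */
    if (fixed)
        krb_decrypt = true;        /* -K implies the user wants decryption */
    return 0;
}

/* Simulates a fresh tshark process handling -K for one constructed packet;
 * returns bytes decrypted, or -1 if the dissector skipped decryption. */
int run_tshark_k(const char *keytab, bool fixed)
{
    static const unsigned char pkt[] = { 0x01, 0x02, 0x03, 0x04 };
    unsigned char out[sizeof pkt];
    krb_decrypt = false;           /* no GUI, so no preference ever sets it */
    if (read_keytab_file(keytab, fixed) != 0)
        return -1;
    return decrypt_krb_data(pkt, sizeof pkt, out);
}
```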