
Wireshark-dev: [Wireshark-dev] NEGOEX Dissection ...

From: Richard Sharpe <realrichardsharpe@xxxxxxxxx>
Date: Wed, 27 Jun 2012 21:20:46 -0700

Hi folks,

During the SMB/CIFS presentation, an unknown OID was seen in the SPNEGO stuff.

It turns out to be NEGOEX, and the question as to why the server went
straight to NTLMSSP is answered. The server seems to have been some
version of Samba and it does not understand NEGOEX.

More info here:
http://msdn.microsoft.com/en-us/library/cc247030%28v=PROT.13%29.aspx

Here are the beginnings of a dissector, but it is very wrong. It
probably needs a separate packet-negoex.c:

Index: epan/dissectors/packet-ntlmssp.c
===================================================================
--- epan/dissectors/packet-ntlmssp.c	(revision 43186)
+++ epan/dissectors/packet-ntlmssp.c	(working copy)
@@ -3012,6 +3012,9 @@
   gssapi_init_oid("1.3.6.1.4.1.311.2.2.10", proto_ntlmssp, ett_ntlmssp,
                   ntlmssp_handle, ntlmssp_wrap_handle,
                   "NTLMSSP - Microsoft NTLM Security Support Provider");
+  gssapi_init_oid("1.3.6.1.4.1.311.2.2.30", proto_ntlmssp, ett_ntlmssp,
+		  ntlmssp_handle, ntlmssp_wrap_handle,
+		  "NEGOEX - Extended GSS-API Negotiation Mechanism");

   /* Register authenticated pipe dissector */
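
Review bot: The added gssapi_init_oid() call for 1.3.6.1.4.1.311.2.2.30 passes proto_ntlmssp, ett_ntlmssp, ntlmssp_handle and ntlmssp_wrap_handle, so any token carried under the NEGOEX OID is handed to the NTLMSSP dissector and attributed to the NTLMSSP protocol, although only the description string says NEGOEX. Register this OID from its own dissector (the separate packet-negoex.c the message mentions) with a dedicated protocol, subtree and handles. The three added lines are also indented with tabs while the neighbouring call uses spaces; match the surrounding indentation.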



-- 
Regards,
Richard Sharpe
(What can relieve sorrow? Only Du Kang. -- Cao Cao)
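
As an added illustration (not part of the original message or of the Wireshark source), the C program below decodes the DER-encoded OIDs in a SPNEGO mechanism list and labels the two OIDs that appear in the patch, which is how an "unknown OID" in a capture can be identified by hand. The names `sample_mechs`, `oid_to_string` and `mech_at` are hypothetical, the sample bytes are constructed, and only short-form DER lengths are handled.

```c
#include <stdio.h>
#include <string.h>
/* Constructed sample: SPNEGO MechTypeList (SEQUENCE OF OID) offering NEGOEX, then NTLMSSP. */
static const unsigned char sample_mechs[] = {
    0x30, 0x18,
    0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x02, 0x02, 0x1e,
    0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x02, 0x02, 0x0a,
};

/* Decode DER OID content bytes to dotted form; 0 on success, -1 if malformed or too long. */
static int oid_to_string(const unsigned char *p, size_t len, char *out, size_t outlen) {
    size_t used = 0, i;
    unsigned long arc = 0;
    if (len == 0 || (p[len - 1] & 0x80)) return -1;     /* empty, or last arc truncated */
    for (i = 0; i < len; i++) {
        int n;
        if (arc > (~0UL >> 7)) return -1;               /* arc would overflow */
        arc = (arc << 7) | (p[i] & 0x7f);
        if (p[i] & 0x80) continue;                      /* more base-128 digits follow */
        if (used == 0)                                  /* first group packs two arcs */
            n = snprintf(out, outlen, "%lu.%lu", arc < 80 ? arc / 40 : 2UL, arc < 80 ? arc % 40 : arc - 80);
        else
            n = snprintf(out + used, outlen - used, ".%lu", arc);
        if (n < 0 || (size_t)n >= outlen - used) return -1;
        used += (size_t)n; arc = 0;
    }
    return 0;
}

/* Name the idx-th mechanism in a MechTypeList; NULL if malformed or out of range (short-form lengths only). */
static const char *mech_at(const unsigned char *buf, size_t len, size_t idx) {
    char oid[64];
    size_t off = 2;
    if (len < 2 || buf[0] != 0x30 || (buf[1] & 0x80) || (size_t)buf[1] + 2 != len) return NULL;
    for (;; idx--) {
        if (len - off < 2 || buf[off] != 0x06 || (buf[off + 1] & 0x80) || (size_t)buf[off + 1] > len - off - 2) return NULL;
        if (idx == 0) break;
        off += 2 + (size_t)buf[off + 1];                /* skip tag, length and content */
    }
    if (oid_to_string(buf + off + 2, buf[off + 1], oid, sizeof oid) != 0) return NULL;
    if (strcmp(oid, "1.3.6.1.4.1.311.2.2.30") == 0) return "NEGOEX";
    if (strcmp(oid, "1.3.6.1.4.1.311.2.2.10") == 0) return "NTLMSSP";
    return "unknown";
}

int main(void) {
    for (size_t i = 0; mech_at(sample_mechs, sizeof sample_mechs, i) != NULL; i++)
        printf("mechType[%zu] = %s\n", i, mech_at(sample_mechs, sizeof sample_mechs, i));
    return 0;
}
```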