Wireshark-dev: [Wireshark-dev] Fixing the problem where Wireshark misdissects the SPNEGO negTok
From: Richard Sharpe <[email protected]>
Date: Fri, 16 May 2014 01:12:26 -0700
Hi folks,

Simo Sorce informed me that there are some other SPNEGO sequences that
Wireshark does not deal with. They turned up in some HTTP traffic.

So, I decided to look at the issue of fixing the problem I am already
aware of (it's in bugzilla somewhere.)

This problem is that [MS-SPNG].pdf defines an negTokenInit2:

NegHints ::= SEQUENCE {
 hintName[0] GeneralString OPTIONAL,
NegTokenInit2 ::= SEQUENCE {
 mechTypes[0] MechTypeList OPTIONAL,
 reqFlags [1] ContextFlags OPTIONAL,
 negHints [3] NegHints OPTIONAL,

and they coyly say:

"Note In the ASN.1 description in the preceding, the NegTokenInit2
message occupies the same context-specific ([X690] section
message ID (0) as does NegTokenInit in SPNEGO. "

They also pointed out that hintAddress is never actually used.

Now, these are only emitted by the server in a NegotiateResponse.

I notice that the spnego.cnf file says this:

#.FN_BODY NegTokenInit/mechListMIC

  gint8 ber_class;
  gboolean pc;
  gint32 tag;
  tvbuff_t *mechListMIC_tvb;

   * There seems to be two different forms this can take,
   * one as an octet string, and one as a general string in a
   * sequence.
   * Peek at the header, and then decide which it is we're seeing.
  get_ber_identifier(tvb, offset, &ber_class, &pc, &tag);
  if (ber_class == BER_CLASS_UNI && pc && tag == BER_UNI_TAG_SEQUENCE) {
     * It's a sequence.
    return dissect_spnego_PrincipalSeq(FALSE, tvb, offset, actx, tree,
  } else {


So, the problem is that we have to dissect as if it is a netTokenInit2
if we are in the appropriate context, otherwise as a negTokenInit, and
the above stuff is one giant hack.

Does anyone have any suggestions on how we can massage the .cnf file
to determine this?

I also have to get some captures showing these new SPNEGO things
before making any changes.

Richard Sharpe