[cifs-protocol] [REG:111092854890403] RE: double send of command joined from a upstream windows Server
hongweis at microsoft.com
Thu Oct 13 16:48:30 MDT 2011
Can you send me the screenshot you mentioned in your e-mail? Even if I cannot make the decryption work with the correct version, looking at the screen may help me know the scenario.
From: Hongwei Sun
Sent: Tuesday, October 11, 2011 5:27 PM
To: 'mat at samba.org'; pfif at tridgell.net; cifs-protocol at samba.org
Cc: MSSolve Case Email
Subject: [REG:111092854890403] RE: double send of command joined from a upstream windows Server
I downloaded Wireshark 1.6.2, which is the latest version I can download. But I still don't see the option for me to provide the file name for the keytab file in the krb5 screen. What is the minimum version of Wireshark for me to use with your keytab file for decryption? I am running the Windows 64-bit version of Wireshark.
From: Matthieu Patou [mailto:mat at samba.org]
Sent: Tuesday, September 27, 2011 10:45 PM
To: Hongwei Sun; pfif at tridgell.net; cifs-protocol at samba.org; Interoperability Documentation Help
Subject: double send of command joined from a upstream windows Server
Following our talk concerning the double send of "command_joined"
packets from a W2K3R2 server when talking to a samba server.
Here is the wireshark capture and the keytab to decrypt it.
A recent version of Wireshark is needed. You can get a nightly build at http://www.wireshark.org/download/automated/win32/ newer than revision 38976 (which is ~ 2 weeks old).
The way to use it is:
wireshark -K w2k_2.keytab frs_big_file_samba.pcap
I attached the screenshot of these packets; they are packets 319 and 321.
Thanks for explaining what's going on, and maybe update the doc.