[cifs-protocol] [EXTERNAL] [MS-DNSP] sticky static dns updates - TrackingID#2106070040005009

Douglas Bagnall douglas.bagnall at catalyst.net.nz
Thu Jun 10 22:17:34 UTC 2021


On 11/06/21 6:08 am, Jeff McCashland wrote:
> Hi Douglas,
> 
> I added the Keytab file on the Wireshark Preferences page under Protocols -> KRB5, and checked 'Try to decrypt Kerberos blobs', then reloaded the trace.
> 
> The LDAP frames still aren't decrypted. Did I miss a step?

Maybe or maybe not.

For me, using '✅ Try to decrypt Kerberos blobs' and

  wireshark -K windows.keytab sticky-dns-updates-filtered.pcapng

there is a little tab at the bottom of the screen called "Decrypted data 
(NNN bytes)", and when I click on that tab I see data that is definitely 
decrypted, but also definitely not parsed, like this:

> 0000   30 81 be 02 01 08 63 81 b8 04 5d 44 43 3d 74 65   0.....c...]DC=te
> 0010   73 74 5f 75 70 64 61 74 65 5f 73 74 61 74 69 63   st_update_static
> 0020   5f 73 74 69 63 6b 69 6e 65 73 73 2c 43 4e 3d 4d   _stickiness,CN=M
> 0030   69 63 72 6f 73 6f 66 74 44 4e 53 2c 44 43 3d 44   icrosoftDNS,DC=D
> 0040   6f 6d 61 69 6e 44 4e 53 5a 6f 6e 65 73 2c 44 43   omainDNSZones,DC
> 0050   3d 73 61 6d 62 61 2c 44 43 3d 65 78 61 6d 70 6c   =samba,DC=exampl

So I think it is the right keytab and Wireshark is using it correctly, 
but is refusing to do anything useful thereafter. Which is quite annoying.

Maybe someone else on the cifs-protocol list knows how to get past this 
point?

Douglas
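An added example, not part of the message above: a hand decode of the bytes Wireshark shows under "Decrypted data" but does not dissect. Read as BER, they are the start of a plain LDAPMessage (RFC 4511): an outer SEQUENCE, an INTEGER messageID, and a [APPLICATION 3] searchRequest whose first element is the baseObject DN. The input is the 96 bytes visible in the quoted dump; the dump is cut off there (the encoded lengths say the message is 0xc1 bytes), so the parser reports the truncation instead of guessing the rest of the DN. The tag table and helper names are this example's own.

```python
"""Walk the BER envelope of the decrypted LDAP bytes quoted in the post.

Added example; not code from the original post.  Only the first 0x60 bytes of
the LDAPMessage appear in the quoted hex dump, so the parser must cope with a
buffer that ends before the encoded lengths do.
"""

# Bytes copied from the quoted "Decrypted data" hex dump (first 0x60 bytes only).
DECRYPTED_PREFIX = bytes.fromhex(
    "3081be0201086381b8045d44433d7465"
    "73745f7570646174655f737461746963"
    "5f737469636b696e6573732c434e3d4d"
    "6963726f736f6674444e532c44433d44"
    "6f6d61696e444e535a6f6e65732c4443"
    "3d73616d62612c44433d6578616d706c"
)

# LDAPMessage protocolOp tags from RFC 4511 section 4.1.1 ([APPLICATION n];
# constructed ops carry bit 0x20, primitive ones such as unbind/del do not).
LDAP_OPS = {
    0x60: "bindRequest", 0x61: "bindResponse", 0x42: "unbindRequest",
    0x63: "searchRequest", 0x64: "searchResEntry", 0x65: "searchResDone",
    0x66: "modifyRequest", 0x68: "addRequest", 0x4a: "delRequest",
}


def read_tlv(buf, pos):
    """Read one BER tag and length at buf[pos] (single-octet tags only).

    Returns (tag, length, value_start, value_end, truncated) where value_end is
    clamped to len(buf) and truncated says whether the value runs past the end.
    """
    if pos + 2 > len(buf):
        raise ValueError("no room for tag and length at offset %d" % pos)
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                         # long form: low bits = count of length octets
        n = first & 0x7f
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad long-form length at offset %d" % (pos - 1))
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    end = pos + length
    return tag, length, pos, min(end, len(buf)), end > len(buf)


def parse_ldap_message(buf):
    """Decode messageID and protocolOp; for a searchRequest also the baseObject.

    Returns a dict.  'truncated' is True when the buffer stops before the encoded
    lengths say the message ends; 'missing_bytes' says by how much.
    """
    result = {"truncated": False}
    tag, length, start, end, trunc = read_tlv(buf, 0)
    if tag != 0x30:
        raise ValueError("LDAPMessage must start with SEQUENCE (0x30), got 0x%02x" % tag)
    result["message_len"] = length
    result["missing_bytes"] = max(0, start + length - len(buf))
    result["truncated"] |= trunc

    tag, length, start, end, trunc = read_tlv(buf, start)
    if tag != 0x02 or trunc:
        raise ValueError("expected a complete INTEGER messageID")
    result["message_id"] = int.from_bytes(buf[start:end], "big", signed=True)

    tag, length, start, end, trunc = read_tlv(buf, end)
    result["protocol_op"] = LDAP_OPS.get(tag, "unknown tag 0x%02x" % tag)
    result["truncated"] |= trunc

    if tag == 0x63:                          # searchRequest: first element is baseObject LDAPDN
        tag, length, start, end, trunc = read_tlv(buf, start)
        if tag != 0x04:
            raise ValueError("expected OCTET STRING baseObject, got 0x%02x" % tag)
        result["base_object"] = buf[start:end].decode("utf-8", "replace")
        result["base_object_len"] = length    # what the encoding promises
        result["base_object_complete"] = not trunc
        result["truncated"] |= trunc
    return result


if __name__ == "__main__":
    for k, v in parse_ldap_message(DECRYPTED_PREFIX).items():
        print("%-21s %r" % (k, v))
```

On the quoted bytes this yields messageID 8, protocolOp searchRequest, and a 93-byte baseObject of which only the first 85 bytes ("DC=test_update_static_stickiness,CN=MicrosoftDNS,DC=DomainDNSZones,DC=samba,DC=exampl") are present in the dump; the inner lengths (3 + 3 + 184) add up to the outer 190, so the decryption itself is consistent and the problem is purely that the plaintext is not being handed on to the LDAP dissector.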
