List: cifs-protocol
Subject: Re: [cifs-protocol] [REG:111092854890403] RE: double send of
From: Hongwei Sun <hongweis () microsoft ! com>
Date: 2011-10-28 20:54:25
Message-ID: 3BB1B69706070E4D8CF623CF69DE544E195AB1DA () TK5EX14MBXC291 ! redmond ! corp ! microsoft ! com
Hi, Matthieu,
Ahh, you used the 32bit version. I used 64bit version. It is surprising to find
that the option for "Try to decrypt Kerberos blobs" only shows up in 32 bit
version. I never expected that there is such a difference. Anyway, I can decrypt
it now. Thanks!
Hongwei
-----Original Message-----
From: Matthieu Patou [mailto:mat@samba.org]
Sent: Friday, October 28, 2011 3:32 PM
To: Hongwei Sun
Cc: pfif@tridgell.net; cifs-protocol@samba.org; MSSolve Case Email
Subject: Re: [REG:111092854890403] RE: double send of command joined from a upstream windows Server
Hello Hongwei,
I made a screencast on a windows machine explaining how to decrypt FRS traffic, I'm
sure that following the instructions in this demo you'll succeed.
Here is the file:
http://athena.matws.net/mat/pres/frs.avi
Regards.
Matthieu.
On 21/10/2011 23:20, Hongwei Sun wrote:
> Matthieu,
>
> Do you get a chance to capture the screen shot with the FRS1 packets displayed?
> It will be ideal if I can decrypt myself, but I cannot get a version of wireshark
> to allow me to do that. So the screen shot at least show me all the packet
> sequences so I have something to work with. I may need to work with the product
> team, so I need some information to show them.
> Thanks!
>
> Hongwei
>
> -----Original Message-----
> From: Matthieu Patou [mailto:mat@samba.org]
> Sent: Wednesday, October 19, 2011 6:04 PM
> To: Hongwei Sun
> Cc: pfif@tridgell.net; cifs-protocol@samba.org; MSSolve Case Email
> Subject: Re: [REG:111092854890403] RE: double send of command joined
> from a upstream windows Server
>
> Hi hongwei I'm planning to work on it tomorrow,
>
> the best though would be to catch me tomorrow so that I can show you in a live
> demo.
> Matthieu
> On 20/10/2011 00:59, Hongwei Sun wrote:
> > Matthieu,
> >
> > Do you have a chance to send the information I request below? I have a trouble
> > to see the sequence of the packets without decrypting it. If you don't have
> > time to work on it, I can archive it and we can work on it whenever you get
> > time.
> > Thanks!
> >
> > Hongwei
> >
> >
> > -----Original Message-----
> > From: Hongwei Sun
> > Sent: Thursday, October 13, 2011 5:49 PM
> > To: 'mat@samba.org'; 'pfif@tridgell.net'; 'cifs-protocol@samba.org'
> > Cc: MSSolve Case Email
> > Subject: RE: [REG:111092854890403] RE: double send of command joined
> > from a upstream windows Server
> >
> > Matthieu,
> >
> > Can you send me the screenshot you mentioned in your e-mail? Even I cannot
> > make the decryption work with the correct version, looking at the screen may help
> > me know the scenario.
> > Thanks!
> >
> > Hongwei
> >
> > -----Original Message-----
> > From: Hongwei Sun
> > Sent: Tuesday, October 11, 2011 5:27 PM
> > To: 'mat@samba.org'; pfif@tridgell.net; cifs-protocol@samba.org
> > Cc: MSSolve Case Email
> > Subject: [REG:111092854890403] RE: double send of command joined from
> > a upstream windows Server
> >
> > Matthieu,
> >
> > I downloaded the wireshark 1.6.2, which is the latest version I can download.
> > But I still don't see the option for me to provide the file name for keytab file
> > in krb5 screen. What is the minimum version of Wireshark for me to use with
> > your keytab file for decryption? I am running Windows 64bit version of
> > Wireshark.
> > Thanks!
> >
> > Hongwei
> >
> > -----Original Message-----
> > From: Matthieu Patou [mailto:mat@samba.org]
> > Sent: Tuesday, September 27, 2011 10:45 PM
> > To: Hongwei Sun; pfif@tridgell.net; cifs-protocol@samba.org;
> > Interoperability Documentation Help
> > Subject: double send of command joined from a upstream windows Server
> >
> > Hello hongwei,
> >
> > Following our talk concerning the double send of "command_joined"
> > packets from a W2K3R2 server when talking to a samba server.
> >
> > Here is the wireshark capture and the keytab to decrypt it.
> >
> > Getting a recent version of wireshark is needed. You can get nightly build at
> > http://www.wireshark.org/download/automated/win32/ newer than the revision 38976
> > (which is ~ 2 weeks old).
> > The way to use it is:
> > wireshark -K w2k_2.keytab frs_big_file_samba.pcap.
> >
> > I attached the screenshot of these packets, it's packets 319 and 321.
> >
> > Thanks for explaining what's going on, and maybe update the doc.
> >
> > Matthieu.
> >
> > --
> > Matthieu Patou
> > Samba Team
> > http://samba.org
> >
>
> --
> Matthieu Patou
> Samba Team
> http://samba.org
>
>
--
Matthieu Patou
Samba Team
http://samba.org
_______________________________________________
cifs-protocol mailing list
cifs-protocol@cifs.org
https://lists.samba.org/mailman/listinfo/cifs-protocol
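
Added example, not part of the original thread: the problem resolved above was a Wireshark build without the Kerberos decryption option, so this sketch checks the build's version banner before passing the keytab with `-K`. The function names `krb_support` and `decrypt_capture` are hypothetical, the sample banners are constructed, and it assumes the banner reports Kerberos support as "with MIT Kerberos", "with Heimdal Kerberos" or "without Kerberos".

```shell
#!/bin/sh
# Added example (not from the thread). Sample banners are constructed.
SAMPLE_WITH='TShark (constructed sample banner)
Compiled (32-bit) with GLib, with libpcap, with MIT Kerberos, with GnuTLS.'
SAMPLE_WITHOUT='TShark (constructed sample banner)
Compiled (64-bit) with GLib, with libpcap, without Kerberos, with GnuTLS.'

# krb_support: read a `tshark -v` banner on stdin and print
# mit, heimdal, none or unknown.
krb_support() {
    banner=$(cat)
    case "$banner" in
        *"without Kerberos"*)      echo none ;;
        *"with MIT Kerberos"*)     echo mit ;;
        *"with Heimdal Kerberos"*) echo heimdal ;;
        *)                         echo unknown ;;
    esac
}

# decrypt_capture KEYTAB PCAP: refuse early when the local build cannot
# decrypt Kerberos blobs, instead of silently showing encrypted payloads.
decrypt_capture() {
    keytab=$1
    pcap=$2
    command -v tshark >/dev/null 2>&1 || {
        echo "tshark not found in PATH" >&2; return 2; }
    support=$(tshark -v 2>/dev/null | krb_support)
    case "$support" in
        mit|heimdal) ;;
        *) echo "build reports Kerberos support: $support;" \
                "keytab decryption is unavailable" >&2
           return 3 ;;
    esac
    if [ ! -r "$keytab" ] || [ ! -r "$pcap" ]; then
        echo "keytab or capture file is not readable" >&2
        return 4
    fi
    # -K loads the Kerberos keys from the keytab; -r reads the capture.
    tshark -K "$keytab" -r "$pcap"
}

# With the files named in the thread:
#   decrypt_capture w2k_2.keytab frs_big_file_samba.pcap
```

A keytab holds long-term account keys, so one shared for a capture like this should come from a test domain or be rotated afterwards.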