I am attempting to capture a security exchange between a device and a provisioning server. Part of the exchange involves requesting and receiving a Kerberos key from a KDC. In the live capture I can see the AS REQ ( key request from the device to the KDC ), but the AS RES (response from the KDC) show as a UDP packet. The KDC responds on a random port so this may be causing the issue, but previously this was not a problem. I can decode the packet after the trace has run using the dissector, but this will not allow for automated parsing of the capture file. This issue only occurs using Windows 7. I'm using the latest release of Wireshark (32 bit) and the associated version of WinPcap. Thanks, m asked 18 Feb '11, 16:28 matclab retagged 23 Mar '11, 08:59 packethunter |
One Answer:
I am surprised that you mention an AS Response coming in over UDP. Usually Win 7 sends KRB requests over TCP, and the server sends the responds within the same session. When the client sends the request over UDP the response should be a UDP packet to the source port seen in the request. Windows 2000 or XP attempt to obtain the Kerberos ticket via UDP. The server response may be fragmented. The threshold is controlled through the registry parameter: In HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters you find the parameter MaxPacketSize as a DWORD . Do you see any Kerberos error messages? Filter for kerberos.msg.type == 30 Is there a active device in the network path that could mangle your TCP sessions, like a load balancer, bandwidth enforcer, ACE module etc? Can you post a screenshot / text dump of the packets? answered 23 Mar '11, 08:57 packethunter edited 23 Mar '11, 09:12 |
Latest release? Which specific version of Wireshark are you using? Note that there are latest stable, development and automated releases, so "latest" is a bit ambiguous. I'll assume you were using the latest stable release at the time you posted your query, but there may have been fixes in the other releases that were not in the stable release. You can download the latest stable and development releases from http://www.wireshark.org/download.html, and the latest automated release from https://www.wireshark.org/download/automated/win32/. Maybe one of them will work for you?