Hi, I was looking at the NTLMSSP dissector and running it over some data now that SPNEGO is working OK, and I noticed two things:
1. We know that the NTLMSSP blob is NDR encoded, so rather than breaking it out by hand, it would be a lot more useful if the support in packet-dcerpc.c et al was used. 2. The challenge field has a top level ref pointer to a string. That is what those unknown1 and unknown2 uint32s are. The first one contains the actual and max len for the string and the second is a buffer ref. I migt get some time next week to rework it if someone else doesn't first. Regards ----- Richard Sharpe, [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED]
