Re: [cifs-protocol] [REG:111092854890403] RE: double send of command joined from a upstream windows Server

2011-10-28 Thread Matthieu Patou

Hello Hongwei,

I made a screencast on a Windows machine explaining how to decrypt FRS 
traffic. I'm sure that by following the instructions in this demo you'll 
succeed.


Here is the file:
http://athena.matws.net/mat/pres/frs.avi


Regards.

Matthieu.

--
Matthieu Patou
Samba Team
http://samba.org

___
cifs-protocol mailing list
cifs-protocol@cifs.org
https://lists.samba.org/mailman/listinfo/cifs-protocol


Re: [cifs-protocol] [REG:111092854890403] RE: double send of command joined from a upstream windows Server

2011-10-28 Thread Hongwei Sun
Hi, Matthieu,

  Ahh, you used the 32-bit version. I used the 64-bit version. It is surprising 
to find that the option for "Try to decrypt Kerberos blobs" only shows up in 
the 32-bit version. I never expected that there is such a difference. Anyway, I 
can decrypt it now. Thanks!

Hongwei
 



Re: [cifs-protocol] [REG:111092854890403] RE: double send of command joined from a upstream windows Server

2011-10-21 Thread Hongwei Sun
Matthieu,

  Did you get a chance to capture the screenshot with the FRS1 packets 
displayed? It would be ideal if I could decrypt it myself, but I cannot get a 
version of Wireshark that allows me to do that. So the screenshot would at least 
show me all the packet sequences, so I have something to work with. I may need 
to work with the product team, so I need some information to show them.

Thanks!

Hongwei



Re: [cifs-protocol] [REG:111092854890403] RE: double send of command joined from a upstream windows Server

2011-10-19 Thread Hongwei Sun
Matthieu,

  Do you have a chance to send the information I requested below? I have 
trouble seeing the sequence of the packets without decrypting it. If you 
don't have time to work on it, I can archive it and we can work on it whenever 
you get time.

Thanks!

Hongwei
 



Re: [cifs-protocol] [REG:111092854890403] RE: double send of command joined from a upstream windows Server

2011-10-19 Thread Matthieu Patou

Hi Hongwei, I'm planning to work on it tomorrow.

The best, though, would be to catch me tomorrow so that I can show you in 
a live demo.


Matthieu

--
Matthieu Patou
Samba Team
http://samba.org



Re: [cifs-protocol] [REG:111092854890403] RE: double send of command joined from a upstream windows Server

2011-10-13 Thread Hongwei Sun
Matthieu,

   Can you send me the screenshot you mentioned in your e-mail? Even if I 
cannot make the decryption work with the correct version, looking at the screen 
may help me know the scenario.

Thanks!

Hongwei



[cifs-protocol] [REG:111092854890403] RE: double send of command joined from a upstream windows Server

2011-10-11 Thread Hongwei Sun
Matthieu,

   I downloaded Wireshark 1.6.2, which is the latest version I can 
download. But I still don't see the option for me to provide the file name for 
the keytab file in the krb5 screen. What is the minimum version of Wireshark for 
me to use with your keytab file for decryption? I am running the Windows 64-bit 
version of Wireshark.

Thanks!

Hongwei

-Original Message-
From: Matthieu Patou [mailto:m...@samba.org] 
Sent: Tuesday, September 27, 2011 10:45 PM
To: Hongwei Sun; p...@tridgell.net; cifs-proto...@samba.org; Interoperability 
Documentation Help
Subject: double send of command joined from a upstream windows Server

Hello Hongwei,

Following our talk concerning the double send of command_joined 
packets from a W2K3R2 server when talking to a Samba server.

Here is the Wireshark capture and the keytab to decrypt it.

Getting a recent version of Wireshark is needed. You can get a nightly build 
at http://www.wireshark.org/download/automated/win32/ newer than the revision 
38976 (which is ~ 2 weeks old).

The way to use it is:
wireshark -K w2k_2.keytab frs_big_file_samba.pcap

I attached the screenshot of these packets; they are packets 319 and 321.

Thanks for explaining what's going on, and maybe update the doc.

Matthieu.

--
Matthieu Patou
Samba Team
http://samba.org
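
The keytab passed to `wireshark -K` in the message above holds the Kerberos long-term keys used to decrypt the capture. As an added example (not part of the thread, and not Samba or Wireshark code), this Python parser lists which principals, key versions and encryption types a keytab contains without returning the keys, so it can be compared with the tickets in the capture; it assumes the keytab file format version 0x0502, and the principal name and all-zero key are constructed sample values.

```python
import struct

# Kerberos encryption type numbers (subset of the IANA registry).
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}


def _entry(buf):
    """Decode one keytab entry; the key bytes are read and discarded."""
    off = 0

    def take(fmt):
        nonlocal off
        vals = struct.unpack_from(fmt, buf, off)   # struct.error if truncated
        off += struct.calcsize(fmt)
        return vals[0]

    def counted():
        n = take(">H")                             # 16-bit length prefix
        return take(f">{n}s").decode("utf-8", "replace")

    ncomp = take(">H")
    realm = counted()
    name = "/".join([counted() for _ in range(ncomp)])
    take(">II")                                    # name type and timestamp
    kvno = take(">B")                              # 8-bit key version number
    etype = take(">H")
    take(f">{take('>H')}s")                        # step over the long-term key
    if len(buf) - off >= 4:
        kvno = take(">I") or kvno                  # optional 32-bit kvno wins
    return {"principal": f"{name}@{realm}", "kvno": kvno,
            "enctype": ENCTYPES.get(etype, f"etype-{etype}")}


def parse_keytab(data):
    """List the entries of a version 0x0502 keytab as dicts."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size > 0:
            if pos + size > len(data):
                raise ValueError("truncated keytab entry")
            entries.append(_entry(data[pos:pos + size]))
        pos += abs(size)            # a negative size marks a deleted entry (hole)
    return entries


def build_sample_keytab():
    """Constructed sample: one rc4-hmac entry with an all-zero placeholder key."""
    def cs(text):
        return struct.pack(">H", len(text.encode())) + text.encode()

    body = (struct.pack(">H", 2) + cs("EXAMPLE.TEST") + cs("host")
            + cs("w2k3r2.example.test") + struct.pack(">IIB", 1, 0, 3)
            + struct.pack(">HH", 23, 16) + bytes(16))
    return b"\x05\x02" + struct.pack(">i", len(body)) + body


if __name__ == "__main__":
    for e in parse_keytab(build_sample_keytab()):
        print(e["principal"], "kvno", e["kvno"], e["enctype"])
```

To inspect a real file, pass its bytes to `parse_keytab`, for example the contents of `w2k_2.keytab` opened in binary mode.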
