How to decode traffic as NTLM protocol in Wireshark

Tags: ntlm, wireshark

I'm trying to debug an NTLM authentication issue. One of my ideas was to capture the network traffic and look through it. In my case NTLM authentication is going over a non-standard port (6901). Of course, Wireshark can't detect it. But there is no NTLM (NTLMSSP) protocol in the list in the Decode As menu. I can't do it like here.
Is there a way to ask Wireshark to decode traffic as NTLM?
Or do I need to modify the captured traffic, e.g. change the TCP port or something similar?

Best Answer

I'm not quite sure which ports NTLMSSP actually uses, but you could try this Lua script to register the NTLMSSP dissectors on your custom port.

-- look up the table that maps TCP port numbers to dissectors
local tcp_port_table = DissectorTable.get("tcp.port")
-- take whatever dissector Wireshark already runs on TCP port 445
local tcp_ntlmssp_dis = tcp_port_table:get_dissector(445)
-- and register that same dissector for the custom port 6901
tcp_port_table:add(6901, tcp_ntlmssp_dis)

Save this to a file - e.g. ntlmssp.lua - and tell Wireshark to load it, e.g.

$ wireshark -X lua_script:ntlmssp.lua -r trace.pcap

You might have to change the port 445 to what's really needed or register additional ports by adding additional lines like tcp_port_table:get_dissector(4711). If you need UDP as well, do the same for UDP.
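As an added example, not code from the original answer, the same registration generalised to a list of ports with a check that a dissector was actually found for the source port; the port list is a constructed assumption, and the comment about what port 445 decodes is the editor's note rather than the answerer's.

```lua
-- Added example, not code from the original answer. Generalises the
-- registration above to several ports and checks that a dissector was
-- actually found before cloning it. The port list is a constructed assumption.
local custom_ports = { 6901 }

-- Copy whatever dissector Wireshark already runs on `source_port` in the
-- named port table onto every port in `ports`. Returns the number of ports
-- registered so the outcome can be checked from the console output.
local function clone_port_dissector(table_name, source_port, ports)
  local port_table = DissectorTable.get(table_name)
  -- get_dissector() returns nil when nothing is registered on that port,
  -- and add() with a nil handle would fail silently or raise an error
  local dis = port_table:get_dissector(source_port)
  if dis == nil then
    print(string.format("no dissector on %s %d, nothing registered",
                        table_name, source_port))
    return 0
  end
  for _, port in ipairs(ports) do
    port_table:add(port, dis)
  end
  return #ports
end

-- TCP 445 carries the SMB family of dissectors; NTLMSSP is decoded inside
-- the GSS-API/SPNEGO blobs of those packets, so the custom port must carry
-- the same SMB framing for this to work. If your capture also has UDP,
-- call the same function with "udp.port" and a UDP port that already decodes.
local n = clone_port_dissector("tcp.port", 445, custom_ports)
print(string.format("registered %d TCP port(s) with the port-445 dissector", n))
```

To confirm the script had the intended effect, run `tshark -X lua_script:ntlmssp.lua -r trace.pcap -Y ntlmssp`; the display filter `ntlmssp` matches only frames in which Wireshark actually decoded an NTLMSSP message.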