I'm trying to debug an NTLM authentication issue. One of my ideas was to capture the network traffic and look through it. In my case NTLM authentication is going over a non-standard port (6901). Of course, Wireshark can't detect it. But there is no NTLM (NTLMSSP) protocol in the list in the Decode As menu. I can't do it like here.

Is there a way to ask Wireshark to decode traffic as NTLM? Or do I need to modify the captured traffic, e.g. change the TCP port or something else?
How to decode traffic as NTLM protocol in Wireshark
Tags: ntlm, wireshark
Best Answer
I'm not quite sure which ports NTLMSSP actually uses, but you could try this Lua-script to register the NTLMSSP-dissectors to your custom port.
Save this to a file - e.g. ntlmssp.lua - and tell Wireshark to load it, e.g.
You might have to change the port 445 to what's really needed or register additional ports by adding additional lines like tcp_port_table:get_dissector(4711). If you need UDP as well, do the same for UDP.
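A complete script of the kind the answer describes, added here as an example and not the answerer's own file: it registers a small wrapper protocol on the custom port from the question (6901, assumed to carry bare NTLMSSP messages rather than NTLM inside HTTP or SMB) and only hands payloads that start with the NTLMSSP signature to Wireshark's built-in "ntlmssp" dissector, so unrelated traffic on that port is shown as plain data instead of malformed packets. Registration on a port table is done with DissectorTable:add, and the names ntlmssp_raw and PORTS are the example's own.

```lua
-- ntlmssp_port.lua (added example, not from the original answer)
-- Decode raw NTLMSSP messages on a non-standard TCP/UDP port.
-- Assumption: the payload is a bare NTLMSSP message, i.e. it begins with
-- the 8-byte signature "NTLMSSP\0". NTLM carried inside HTTP or SMB is
-- already handled by those dissectors and does not need this script.

local PORTS = { 6901 }   -- port from the question; add more entries as needed

local ntlmssp = Dissector.get("ntlmssp")   -- Wireshark's built-in dissector
local data    = Dissector.get("data")      -- fallback: show undecoded bytes

-- Wrapper protocol registered on the port. It is what shows up in
-- "Decode As" once the script is loaded.
local ntlmssp_raw = Proto("ntlmssp_raw", "NTLMSSP on custom port")

-- Return true when the buffer starts with "NTLMSSP" followed by a NUL byte.
-- The NUL is checked as a byte value so that no string compare depends on
-- how embedded NUL characters are handled.
local function has_ntlmssp_signature(tvb)
    return tvb:len() >= 8
        and tvb(0, 7):string() == "NTLMSSP"
        and tvb(7, 1):uint() == 0
end

function ntlmssp_raw.dissector(tvb, pinfo, tree)
    if has_ntlmssp_signature(tvb) then
        pinfo.cols.protocol = "NTLMSSP"
        return ntlmssp:call(tvb, pinfo, tree)
    end
    -- Not an NTLMSSP message (or a TCP segment that does not start on a
    -- message boundary; this example does no stream reassembly): show raw.
    return data:call(tvb, pinfo, tree)
end

-- Register for both TCP and UDP on every configured port.
local tcp_port_table = DissectorTable.get("tcp.port")
local udp_port_table = DissectorTable.get("udp.port")
for _, port in ipairs(PORTS) do
    tcp_port_table:add(port, ntlmssp_raw)
    udp_port_table:add(port, ntlmssp_raw)
end
```

Load it for one session with wireshark -X lua_script:ntlmssp_port.lua (or tshark with the same option), or drop it into the personal plugins directory so it is picked up on every start.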