
Re: Heimdal / MS kpasswd differences?

On 9/4/06, Love Hörnquist Åstrand <lha@kth.se> wrote:
> I think that is not normal behavior, I just tried it out on my mac
> and tcpdump tells me this.
> 09:34:13.075186 IP hummel.it.su.se.65065 > pal.su.se.kerberos:  v5
> 09:34:13.078695 IP pal.su.se.kerberos > hummel.it.su.se.65065:  v5
> 09:34:26.126523 IP hummel.it.su.se.65068 > pal.su.se.kpasswd: UDP,
> length: 610
> 09:34:26.168186 IP pal.su.se.kpasswd > hummel.it.su.se.65068: UDP,
> length: 274
> 09:34:26.273385 IP hummel.it.su.se.65071 > pal.su.se.kpasswd: UDP,
> length: 576
> 09:34:26.310696 IP pal.su.se.kpasswd > hummel.it.su.se.65071: UDP,
> length: 274

That could be due to how different platforms use/reuse ephemeral ports.
(though it would be "questionable" for a host to reuse an ephemeral udp
port before the maximum ip ttl has expired)

the port used on your box is very high, as your high port number suggests.

MAs host is probably different since it uses an ephemeral port from a
much lower/larger range.

I have added a fix to wireshark svn 19129 that will decode the traces
properly. many thanks for the captures.

It did uncover a bug in the krb5 dissector which used the "wrong"
function to try/spawn a different dissector
(long story, none of you are interested)
that was from the time the api was not heuristical-dissector aware.

please use svn 19129 or later which will fix this bug.
it also reduces the probability to misdiagnose a random packet as krb4
from 1/256 to 9/65536

many thanks for the example captures Michael.