Kerberos decrypt shows error "missing keytype 18"

asked Sep 15 '1

Vishnu G

updated Sep 16 '1

We are using Wireshark version 3.4.8. The Wireshark filter is kerberos. The keytab file is specified in the KRB5 protocol preferences. The keytab file has the encryption type eTYPE-AES256-CTS-HMAC-SHA1-96 (18). But while monitoring the Kerberos traffic, a "missing keytype 18" error shows. It seems Wireshark is not using the keytab file. Please help.


Comments

Check the console output to see if the kerberos library spits out error information.

Jaap ( Sep 16 '1 )

Sorry, how can I check the console output?

Vishnu G ( Sep 16 '1 )

1 Answer


answered Nov 5 '1

I am experiencing the same issue. I'm using FreeIPA in a test lab and have tried to use Wireshark both on macOS and Ubuntu 21.10 to decode the pcapng file, thinking maybe there is a difference in the Kerberos libraries used.

Here are the contents of my keytab file, which was created with ipa-getkeytab:

Keytab name: FILE:keytab.file
KVNO Principal
---- --------------------------------------------------------------------------
   3 user1@IDM.EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3 user1@IDM.EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   2 krbtgt/IDM.EXAMPLE.COM@IDM.EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 krbtgt/IDM.EXAMPLE.COM@IDM.EXAMPLE.COM (aes256-cts-hmac-sha384-192)
   2 krbtgt/IDM.EXAMPLE.COM@IDM.EXAMPLE.COM (camellia256-cts-cmac)
   2 krbtgt/IDM.EXAMPLE.COM@IDM.EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   2 krbtgt/IDM.EXAMPLE.COM@IDM.EXAMPLE.COM (aes128-cts-hmac-sha256-128)
   2 krbtgt/IDM.EXAMPLE.COM@IDM.EXAMPLE.COM (camellia128-cts-cmac)

Here is what the Wireshark decode looks like:

Kerberos
    as-rep
        pvno: 5
        msg-type: krb-as-rep (11)
        crealm: IDM.EXAMPLE.COM
        cname
        ticket
            tkt-vno: 5
            realm: IDM.EXAMPLE.COM
            sname
                name-type: kRB5-NT-SRV-INST (2)
                sname-string: 2 items
                    SNameString: krbtgt
                    SNameString: IDM.EXAMPLE.COM
            enc-part
                etype: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)
                kvno: 1
                cipher: ab1520301d815aa83c1d1d1a02f1582623d9e5d6146115d056e2aef3300ee335c9a26a2c
                    Missing keytype 18 usage 2 (id=missing.1)
                        [Expert Info (Warning/Decryption): Missing keytype 18 usage 2 (id=missing.1)]
                        [Expert Info (Warning/Decryption): Used keymap=all_keys num_keys=10 num_tries=2)]
        enc-part
            etype: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)
            cipher: bf0a80b204b85200683176877c21d468093beeaab80f182250c1cf6fc6f4133cc77e2474
                Missing keytype 18 usage 3 (id=missing.2)
                    [Expert Info (Warning/Decryption): Missing keytype 18 usage 3 (id=missing.2)]
                    [Expert Info (Warning/Decryption): Used keymap=all_keys num_keys=10 num_tries=2)]
    Missing keytype 18 usage 2 missing in frame 209 keytype 18 (id=missing.1 same=0) (00000000...)
        [Expert Info (Warning/Decryption): Missing keytype 18 usage 2 missing in frame 209 keytype 18 (id=missing.1 same=0) (00000000...)]
    Missing keytype 18 usage 3 missing in frame 209 keytype 18 (id=missing.2 same=0) (00000000...)
        [Expert Info (Warning/Decryption): Missing keytype 18 usage 3 missing in frame 209 keytype 18 (id=missing.2 same=0) (00000000...)]

I launch Wireshark from a terminal and do not see any errors being reported.
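
One way to cross-check what a keytab holds against the principal, etype and kvno that a decode like the one above shows for an enc-part (an added example, not part of the original posts). It assumes the MIT keytab file format 0x0502; `parse_keytab`, `check` and the sample bytes with all-zero dummy keys are constructed here.

```python
import struct

def _counted(buf, off):  # uint16 length prefix, then that many bytes
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data):
    """Return (principal, kvno, etype) tuples from an MIT keytab, format 0x0502."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a format 0x0502 keytab")
    out, pos = [], 2
    while pos + 4 <= len(data):
        (size,), pos = struct.unpack_from(">i", data, pos), pos + 4
        if size <= 0:                     # negative length marks a deleted slot
            pos += -size
            continue
        rec, pos = data[pos:pos + size], pos + size
        (ncomp,) = struct.unpack_from(">H", rec, 0)
        realm, off = _counted(rec, 2)
        parts = []
        for _ in range(ncomp):
            comp, off = _counted(rec, off)
            parts.append(comp.decode())
        off += 8                          # skip name type and timestamp
        kvno = rec[off]                   # 8-bit kvno
        (etype,) = struct.unpack_from(">H", rec, off + 1)
        _key, off = _counted(rec, off + 3)  # key bytes are read past, never returned
        if len(rec) - off >= 4:           # optional 32-bit kvno overrides the 8-bit one
            (kvno,) = struct.unpack_from(">I", rec, off)
        out.append(("/".join(parts) + "@" + realm.decode(), kvno, etype))
    return out

def check(entries, principal, etype, kvno):
    """Say whether the keytab holds the key version a captured enc-part names."""
    held = [(k, e) for p, k, e in entries if p == principal]
    if (kvno, etype) in held:
        return "match"
    return "etype present, kvno differs" if etype in [e for _, e in held] else "no key of this etype"

def _entry(comps, kvno, etype, realm=b"IDM.EXAMPLE.COM"):  # constructed record, dummy key
    def s(b): return struct.pack(">H", len(b)) + b
    body = struct.pack(">H", len(comps)) + s(realm) + b"".join(s(c) for c in comps)
    body += struct.pack(">IIBH", 1, 0, kvno & 0xFF, etype) + s(bytes(32)) + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

# Constructed sample mirroring two rows of the listing above; keys are all-zero dummies.
SAMPLE = b"\x05\x02" + _entry([b"user1"], 3, 18) + _entry([b"krbtgt", b"IDM.EXAMPLE.COM"], 2, 18)

if __name__ == "__main__":  # the ticket enc-part above names etype 18, kvno 1 for krbtgt
    print(check(parse_keytab(SAMPLE), "krbtgt/IDM.EXAMPLE.COM@IDM.EXAMPLE.COM", 18, 1))
```

The ticket enc-part (key usage 2) is encrypted with the krbtgt key and the AS-REP enc-part (key usage 3) with the client's key, so each should be checked against its own principal.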

Stats

Asked: Sep 15 '1

Seen: 1,631 times

Last updated: Sep 16 '21