From 4ec6014964f7c2ffbdada7c5de120e8f0dceb1f8 Mon Sep 17 00:00:00 2001
From: David Fort
Date: Thu, 20 May 2021 14:54:36 +0200
Subject: [PATCH] RDPUDP dissector: cookie hash is present in SYN packet instead of SYN/ACK
---
 tools/wireshark/rdp-udp.lua | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)
diff --git a/tools/wireshark/rdp-udp.lua b/tools/wireshark/rdp-udp.lua
index b6e95da1d..ce80ece4b 100644
--- a/tools/wireshark/rdp-udp.lua
+++ b/tools/wireshark/rdp-udp.lua
@@ -289,13 +289,15 @@ function dissectV1(tvbuf, pktinfo, tree)
 local versionVal = tvbuf:range(startAt, 2):uint()
 startAt = startAt + 2
- if haveAck and versionVal == 0x101 then
- synexItem:add(pf_udp_synex_cookiehash, tvbuf:range(startAt, 32))
- startAt = startAt + 32
-
- -- switch to UDP2
- tableRecord.switchToUdp2 = pktinfo.number
- end
+ if versionVal == 0x101 then
+ if not haveAck then
+ synexItem:add(pf_udp_synex_cookiehash, tvbuf:range(startAt, 32))
+ startAt = startAt + 32
+ else
+ -- switch to UDP2
+ tableRecord.switchToUdp2 = pktinfo.number
+ end
+ end
 end
 local mask = RDPUDP_SYN + RDPUDP_ACK
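Review bot: The new SYN branch reads `tvbuf:range(startAt, 32)` without first checking that 32 bytes remain. A truncated or malformed SYN that advertises version 0x101 therefore makes the range call raise a Lua error, and the rest of the packet is not dissected. Because the dissector parses capture data straight off the network, guard the two cookie-hash lines with `if tvbuf:len() - startAt >= 32 then` and otherwise leave the field out or flag the packet as malformed. Separately, `tableRecord.switchToUdp2 = pktinfo.number` is assigned on every SYN/ACK carrying this version, which looks like it would move the switch point if the SYN/ACK is retransmitted; `if not tableRecord.switchToUdp2 then` would pin it to the first one. That second point needs confirming against the rest of dissectV1, whose body starts and ends outside this hunk.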