diff --git a/src/analyzer/protocol/gssapi/gssapi-protocol.pac b/src/analyzer/protocol/gssapi/gssapi-protocol.pac
index a2df047ffd..3436f29b06 100644
--- a/src/analyzer/protocol/gssapi/gssapi-protocol.pac
+++ b/src/analyzer/protocol/gssapi/gssapi-protocol.pac
@@ -1,6 +1,16 @@
-
-type GSSAPI_NEG_TOKEN(is_orig: bool) = record {
+type GSSAPI_SELECT(is_orig: bool) = record {
 wrapper : ASN1EncodingMeta;
+ token: case tok_id of {
+ 0x0404 -> mic_blob: bytestring &restofdata;
+ 0x0504 -> wrap_blob: bytestring &restofdata;
+ default -> neg_token: GSSAPI_NEG_TOKEN(is_orig, is_init);
+ } &requires(is_init) &requires(tok_id);
+} &let {
+ is_init: bool = wrapper.tag == 0x60;
+ tok_id: uint32 = (wrapper.tag << 8) | wrapper.len;
+} &byteorder=littleendian;
+
+type GSSAPI_NEG_TOKEN(is_orig: bool, is_init: bool) = record {
 have_oid : case is_init of {
 true -> oid : ASN1Encoding;
 false -> no_oid : empty;
@@ -13,8 +23,6 @@ type GSSAPI_NEG_TOKEN(is_orig: bool) = record {
 true -> init : GSSAPI_NEG_TOKEN_INIT;
 false -> resp : GSSAPI_NEG_TOKEN_RESP;
 };
-} &let {
- is_init: bool = wrapper.tag == 0x60;
 } &byteorder=littleendian;
 type GSSAPI_NEG_TOKEN_INIT = record {
diff --git a/src/analyzer/protocol/gssapi/gssapi.pac b/src/analyzer/protocol/gssapi/gssapi.pac
index 3e56c7424e..dda39cf337 100644
--- a/src/analyzer/protocol/gssapi/gssapi.pac
+++ b/src/analyzer/protocol/gssapi/gssapi.pac
@@ -23,7 +23,7 @@ connection GSSAPI_Conn(zeek_analyzer: ZeekAnalyzer) {
 # Now we define the flow:
 flow GSSAPI_Flow(is_orig: bool) {
- datagram = GSSAPI_NEG_TOKEN(is_orig) withcontext(connection, this);
+ datagram = GSSAPI_SELECT(is_orig) withcontext(connection, this);
 };
 %include gssapi-analyzer.pac
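Review bot: The `0x0404` and `0x0504` case labels in the new `GSSAPI_SELECT` record are undocumented magic values, and `tok_id` is assembled from `wrapper.tag` and `wrapper.len`, so two bytes already consumed as an ASN.1 header are silently reinterpreted as a token identifier. A comment above `token: case tok_id of {` would make that explicit, for example `# Per-message tokens have no ASN.1 framing; their first two bytes are TOK_ID (RFC 4121: 0x0404 = MIC, 0x0504 = Wrap), read here through wrapper.tag/wrapper.len.` This presumably relies on `ASN1EncodingMeta` reading the tag and length as single bytes and consuming nothing further for a short-form length; that definition is outside this diff and worth confirming. Any other first byte pair that is not `0x60` still takes the `default` arm and is parsed as a negotiation token, so a short note on whether unrecognised token ids are meant to fall through would help whoever next triages parse errors from this analyzer.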