NTLM Sniffing


Carl Hilton

OK, I am in a WinNT domain (although 99% of my workstations are W2K), I have
a packet capture of about 45 minutes of traffic. This is the time it took
for a user to get locked out. Now, how can I see what is causing the
lockout? I searched the packets for the USERID, but that did not work. Yes, I
had the packet capture for EACH/BOTH DCs. So, what traffic is bouncing
against the DCs so that this user's account is getting locked out?

Carl
 
You may need to enable netlogon logging to identify the workstation from which
the user is trying to log on and then filter your trace accordingly.

109626 Enabling Debug Logging for the Net Logon Service
http://support.microsoft.com/?id=109626

--Shawn
This posting is provided "AS IS" with no warranties and confers no rights.
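
Added example, not part of the original thread or of any Microsoft tool: once Netlogon debug logging is on, a short script can list which machines the failed logons for the locked-out account come from, which gives the address to filter the packet trace on. The log line layout, the account name and the host names below are assumptions (constructed sample data); the status values are standard NTSTATUS codes.

```python
import re
from collections import Counter

# Constructed sample in the layout Netlogon debug logging commonly writes
# (assumed: "MM/DD HH:MM:SS [LOGON] SamLogon: <type> logon of DOMAIN\user from HOST Returns 0x...").
SAMPLE_LOG = r"""
03/14 09:01:12 [LOGON] SamLogon: Network logon of EXAMPLE\jsmith from WKS-017 Entered
03/14 09:01:12 [LOGON] SamLogon: Network logon of EXAMPLE\jsmith from WKS-017 Returns 0xC000006A
03/14 09:01:40 [LOGON] SamLogon: Interactive logon of EXAMPLE\adoe from WKS-003 Returns 0x0
03/14 09:02:05 [LOGON] SamLogon: Network logon of EXAMPLE\jsmith from WKS-017 Returns 0xC000006A
03/14 09:02:31 [LOGON] SamLogon: Network logon of EXAMPLE\JSmith from SRV-MAIL Returns 0xC000006A
03/14 09:03:02 [LOGON] SamLogon: Network logon of EXAMPLE\jsmith from WKS-017 Returns 0xC0000234
"""

# Only completed requests ("Returns <status>") carry the result we need.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d \d\d:\d\d:\d\d) \[LOGON\] .*?"
    r"(?P<kind>\w+) logon of (?P<domain>[^\\\s]*)\\(?P<user>\S+) "
    r"from (?P<host>\S+) Returns (?P<status>0x[0-9A-Fa-f]+)\s*$"
)

STATUS = {0xC000006A: "wrong password", 0xC0000234: "account locked out",
          0xC0000064: "no such user"}

def failed_logons(log_text, user):
    """Return [(timestamp, host, status)] for failed logons of `user` (case-insensitive)."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["user"].lower() != user.lower():
            continue
        status = int(m["status"], 16)
        if status != 0:  # 0x0 is success
            hits.append((m["ts"], m["host"], status))
    return hits

def sources_by_count(hits):
    """Rank source machines by number of wrong-password attempts."""
    return Counter(h for _, h, s in hits if s == 0xC000006A).most_common()

if __name__ == "__main__":
    hits = failed_logons(SAMPLE_LOG, "jsmith")
    for ts, host, status in hits:
        print(ts, host, hex(status), STATUS.get(status, "other failure"))
    print(sources_by_count(hits))
```

Run it against the log from each DC, since the bad-password attempts may be spread across both.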
 
Wow, I have spent weeks trying to find a solution from MS, and NEVER ran
across this KB Article... Now, where can I get the checked netlogon.dll?
 
You can call us to get one. I don't think they'll give you too much of a
hassle for that file.

--Shawn
This posting is provided "AS IS" with no warranties and confers no rights.
 
Yes it will. Download the checked build version that matches
your SP then extract the contents into a folder using the /x switch
in a DOS window.
 