This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Who’s got the wrong password?

0

Hi (Wireshark newbie here), I work in a school where we occasionally have to update client software from an external local education authority source. This means we have to use a mapped drive to a server on a different subnet, thus requiring a different domain\username and password. As this update applies to more than 30 members of staff, the mapped drive is connected via batch script with one username and password. The problem occurs after 30 days when the password is due for renewal. Some of the PCs seem to have cached the login details, thus giving the wrong password after the 30 days. Three tries of the wrong password and it's a lockout, resulting in multiple phone calls to our LEA!! I can use Wireshark to find all the source IP addresses contacting the destination IP, but is there a way of using the capture window to see when the password is failing so that I can identify the IP address (therefore hostname) of the rogue PCs?

Thanks in advance for any suggestions

asked 24 Sep '12, 08:19

xenolith5
1222
accept rate: 0%


One Answer:

0

I'm guessing you're using SMB for your folder sharing; if not, then please specify which protocol you're looking at.

If it is SMB you're using, then you could try putting this in the Filter command box: smb.nt_status != STATUS_SUCCESS for a general view of what's going wrong, or smb.nt_status == STATUS_WRONG_PASSWORD for the packets you really want.

Cheers,

Craig.

answered 25 Sep '12, 03:36

CTNOBLE
11236
accept rate: 0%

Thanks for the filters and sorry for the slow reply. I've been off site so couldn't test. Will see how it goes ASAP.

(26 Sep '12, 03:27) xenolith5
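
Added example (not part of the original thread): one way to turn the smb.nt_status filter from the answer into a per-PC tally, by exporting the matching fields with tshark and counting failure responses by client address. The capture file name, the sample rows and all IP addresses are constructed, and the script counts two related status codes (STATUS_LOGON_FAILURE, STATUS_ACCOUNT_LOCKED_OUT) in addition to the STATUS_WRONG_PASSWORD named in the answer.

```python
from collections import Counter

# NT status values that point at a bad or locked-out credential.
LOGON_FAILURES = {
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}

# Constructed sample (not a real capture) of tab-separated output from:
#   tshark -r capture.pcap -Y smb.nt_status -T fields \
#          -e frame.time_epoch -e ip.src -e ip.dst -e smb.nt_status
# Addresses are made up; 10.1.1.5 plays the file server.
SAMPLE = [
    "1348480000.10\t192.168.10.21\t10.1.1.5\t0x00000000",  # client request
    "1348480000.12\t10.1.1.5\t192.168.10.21\t0xc000006d",
    "1348480003.40\t10.1.1.5\t192.168.10.21\t0xc000006d",
    "1348480007.91\t10.1.1.5\t192.168.10.21\t0xc0000234",
    "1348480010.02\t10.1.1.5\t192.168.10.22\t0x00000000",  # good logon
    "1348480015.77\t10.1.1.5\t192.168.10.23\t3221225578",  # decimal form
]

def failing_clients(lines, server_ip):
    """Count logon-failure responses per (client IP, status name).

    The status travels in the server's response, so the machine that sent
    the bad password is the destination address of the matching packet.
    """
    counts = Counter()
    for line in lines:
        fields = line.rstrip("\n").split("\t")
        if len(fields) != 4 or fields[1] != server_ip:
            continue  # malformed row, or not a response from the server
        client = fields[2]
        # tshark joins repeated fields in one frame with commas
        for raw in fields[3].split(","):
            try:
                code = int(raw, 0)  # accepts 0x... and plain decimal
            except ValueError:
                continue
            if code in LOGON_FAILURES:
                counts[(client, LOGON_FAILURES[code])] += 1
    return counts

if __name__ == "__main__":
    for (client, status), n in sorted(failing_clients(SAMPLE, "10.1.1.5").items()):
        print(f"{client}\t{status}\t{n}")
```

Clients that show repeated failures followed by a lockout status are the ones still presenting the old cached password.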