This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

I am novice user of Wireshark and I am trying to track down a PC where an unauthorized user is trying to logon to our network. I have searched numerous capture files and have not found any Active Directory user accounts. Is this information not contained in a packet? If it, how do I extract the information.

asked 27 Apr '13, 07:23

ThomasJoeP's gravatar image

ThomasJoeP
1111
accept rate: 0%

edited 27 Apr '13, 07:28

Jasper's gravatar image

Jasper ♦♦
23.8k551284


You won't find any. Active Directory uses encryption and hashing to prevent anyone from capturing readable account information - for obvious security reasons.

permanent link

answered 27 Apr '13, 07:28

Jasper's gravatar image

Jasper ♦♦
23.8k551284
accept rate: 18%

I am trying to track down a PC where an unauthorized user is trying to logon to our network.

The security log of Windows is a far better tool to find such an event.

Regards
Kurt

permanent link

answered 28 Apr '13, 03:46

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
24.8k1039237
accept rate: 15%

Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×10
×10
×5
×3

question asked: 27 Apr '13, 07:23

question was seen: 3,045 times

last updated: 28 Apr '13, 03:46

p​o​w​e​r​e​d by O​S​Q​A