This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Active Directory User Account Capture

I am novice user of Wireshark and I am trying to track down a PC where an unauthorized user is trying to logon to our network. I have searched numerous capture files and have not found any Active Directory user accounts. Is this information not contained in a packet? If it, how do I extract the information.

active directory account user

asked 27 Apr '13, 07:23

ThomasJoeP
1●1●1●1
accept rate: 0%

edited 27 Apr '13, 07:28

Jasper ♦♦
23.8k●5●51●284

2 Answers:

1	You won't find any. Active Directory uses encryption and hashing to prevent anyone from capturing readable account information - for obvious security reasons. answered 27 Apr '13, 07:28 Jasper ♦♦ 23.8k●5●51●284 accept rate: 18%

1	I am trying to track down a PC where an unauthorized user is trying to logon to our network. The security log of Windows is a far better tool to find such an event. Regards Kurt answered 28 Apr '13, 03:46 Kurt Knochner ♦ 24.8k●10●39●237 accept rate: 15%