This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Hi,

We've set up Wireshark on a Windows 7 Pro machine. It is connected to a layer 3 Cisco switch and we are using it to look at all packets. I was checking the event logs and noted that since it was put in place it has been logging the following events for all PCs connected to the switch:

Log Name:      Microsoft-Windows-WinRM/Operational
Source:        Microsoft-Windows-WinRM
Date:          1/20/2015 9:45:36 AM
Event ID:      80
Task Category: Request handling
Level:         Information
Keywords:      Client
User:          NETWORK SERVICE
Computer:      Shark.local
Description:   Sending the request for operation Subscription to destination machine and pc.local:5985
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-WinRM" Guid="{A7975C8F-AC13-49F1-87DA-5A984A4AB417}" />
    <EventID>80</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>9</Task>
    <Opcode>1</Opcode>
    <Keywords>0x4000000000000002</Keywords>
    <TimeCreated SystemTime="2015-01-20T14:45:36.679879800Z" />
    <EventRecordID>108886</EventRecordID>
    <Correlation ActivityID="{02D14C50-F800-0002-7BBA-24BE3931D001}" />
    <Execution ProcessID="1016" ThreadID="1548" />
    <Channel>Microsoft-Windows-WinRM/Operational</Channel>
    <Computer>Shark.LOCAL</Computer>
    <Security UserID="S-1-5-20" />
  <EventData>
    <Data Name="operationName">Subscription</Data>
    <Data Name="url">.local</Data>
    <Data Name="port">5985</Data>

Log Name:      Microsoft-Windows-WinRM/Operational
Source:        Microsoft-Windows-WinRM
Date:          1/20/2015 9:45:36 AM
Event ID:      166
Task Category: User authentication
Level:         Information
Keywords:      Security,Client
User:          NETWORK SERVICE
Computer:      Shark.LOCAL
Description:   The chosen authentication mechanism is Kerberos
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-WinRM" Guid="{A7975C8F-AC13-49F1-87DA-5A984A4AB417}" />
    <EventID>166</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>7</Task>
    <Opcode>0</Opcode>
    <Keywords>0x400000000000000a</Keywords>
    <TimeCreated SystemTime="2015-01-20T14:45:36.679879800Z" />
    <EventRecordID>108887</EventRecordID>
    <Correlation ActivityID="{02D14C50-F800-0002-7BBA-24BE3931D001}" />
    <Execution ProcessID="1016" ThreadID="1548" />
    <Channel>Microsoft-Windows-WinRM/Operational</Channel>
    <Computer>Shark.LOCAL</Computer>
    <Security UserID="S-1-5-20" />
  </System>
  <EventData>
    <Data Name="auth">Kerberos</Data>

Log Name:      Microsoft-Windows-WinRM/Operational
Source:        Microsoft-Windows-WinRM
Date:          1/20/2015 9:45:36 AM
Event ID:      129
Task Category: Response handling
Level:         Error
Keywords:      Client
User:          NETWORK SERVICE
Computer:      Shark.local
Description:   Received the response from Network layer; status: 401 (HTTP_STATUS_DENIED)
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-WinRM" Guid="{A7975C8F-AC13-49F1-87DA-5A984A4AB417}" />
    <EventID>129</EventID>
    <Level>2</Level>
    <Task>10</Task>
    <Opcode>1</Opcode>
    <Keywords>0x4000000000000002</Keywords>
    <TimeCreated SystemTime="2015-01-20T14:45:36.679879800Z" />
    <EventRecordID>108888</EventRecordID>
    <Correlation ActivityID="{02D14C40-F800-0000-25BD-24BE3931D001}" />
    <Execution ProcessID="1016" ThreadID="1432" />
    <Channel>Microsoft-Windows-WinRM/Operational</Channel>
    <Computer>Shark. </Computer>
    <Security UserID="S-1-5-20" />
  </System>
  <EventData>
    <Data Name="status">401 (HTTP_STATUS_DENIED)</Data>

Is this an error caused by our Wireshark configuration, and if so, what can we do to eliminate it? The error was not showing on the machine before Wireshark was installed. We also get similar errors on the responding PC.

asked 20 Jan '15, 08:53 by KPL

edited 20 Jan '15, 09:14 by grahamb ♦

The event log entries are for WinRM, a remoting mechanism used in newer versions of Windows.

I think it's entirely unrelated to Wireshark itself, more likely due to the environment, in that the captures are probably putting the NIC into promiscuous mode to capture all traffic and the switch is set up to span or mirror all traffic onto the capture port.

The usual recommendation for a "pure" capture device is to remove all transport bindings from the NIC used for capture so that "normal" traffic won't be seen in the capture. This might stop the event log entries, but personally I don't think they're worth worrying about.


answered 20 Jan '15, 09:21 by grahamb ♦
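The answer's recommendation, turning the capture NIC into a capture-only interface by removing its transport bindings, and a way to check afterwards whether the WinRM client events (IDs 80, 166 and 129 from the question) keep appearing. This is an added example, not code from the original post or from the Wireshark project. It assumes the capture adapter is named "Capture", that the NetAdapter cmdlets are available (Windows 8 / Server 2012 or later; on the asker's Windows 7 the same change is made by clearing every checkbox in the adapter's Properties dialog), and that the capture driver's binding, if any, has "Npcap" in its display name (the WinPcap driver of that era does not appear as a binding at all, so nothing needs to be kept in that case).

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post). Assumptions: adapter name "Capture",
# NetAdapter module present, capture-driver binding display name contains "Npcap".
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$AdapterName = 'Capture',   # hypothetical name of the capture-only NIC
    [string]$KeepBinding = 'Npcap'      # assumption: display name of the capture driver's binding
)

# 1. Baseline: WinRM client-side events logged on this host in the last 24 hours.
#    80 = request sent, 166 = authentication mechanism chosen, 129 = response received (the 401s).
$filter = @{
    LogName   = 'Microsoft-Windows-WinRM/Operational'
    Id        = 80, 129, 166
    StartTime = (Get-Date).AddDays(-1)
}
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
Write-Host ("WinRM client events in the last 24h: {0}" -f $events.Count)

# The three events in the question share one Correlation ActivityID; grouping the 401
# responses by ActivityId counts each failed request once instead of three times.
$events |
    Where-Object { $_.Id -eq 129 } |
    Group-Object { $_.ActivityId } |
    Select-Object Count, @{ n = 'ActivityId'; e = { $_.Name } } |
    Format-Table -AutoSize

# 2. What is currently bound to the capture adapter (IPv4, IPv6, file sharing, etc.)?
Get-NetAdapterBinding -Name $AdapterName |
    Select-Object Name, DisplayName, ComponentID, Enabled |
    Format-Table -AutoSize

# 3. Disable every enabled binding except the capture driver's own filter. The adapter
#    still receives the mirrored frames in promiscuous mode, but the Windows stack no
#    longer has an address on it, so nothing on this host can talk (or be talked to)
#    through the SPAN port. Run with -WhatIf first to see what would change.
Get-NetAdapterBinding -Name $AdapterName |
    Where-Object { $_.Enabled -and $_.DisplayName -notlike "*$KeepBinding*" } |
    ForEach-Object {
        $target = "$AdapterName / $($_.DisplayName)"
        if ($PSCmdlet.ShouldProcess($target, 'Disable-NetAdapterBinding')) {
            Disable-NetAdapterBinding -Name $AdapterName -ComponentID $_.ComponentID -Confirm:$false
        }
    }

# 4. Verify: only the capture driver's binding (if it has one) should remain enabled.
Get-NetAdapterBinding -Name $AdapterName |
    Where-Object Enabled |
    Select-Object DisplayName, ComponentID |
    Format-Table -AutoSize
```

Management access (RDP, WinRM, domain traffic) must go over a second, normally bound NIC once the capture interface has no transports. Re-run step 1 a day later: if the 80/166/129 sequence has stopped, the capture setup was the trigger; if it continues at the same rate, the entries come from the WinRM client configuration on the host itself, which matches the answer's point that they are unrelated to Wireshark.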
