This is our old Q&A Site. Please post any new questions and answers at

During Security Log review on a Windows 2003 server I came across a repeated Event ID 531. Event gets logged 11 times every hour and does not have much details other than it’s a network log on/off (Ex. 11 times @ 5:11:15AM, 11 times @ 6:11:15AM, 11 times @ 7:11:15AM)

Logon Failure:

Reason:     Account currently disabled
User Name:  
Logon Type: 3
Logon Process:  Authz   
Authentication Package: Kerberos
Workstation Name:   MAILSRV1
Caller User Name:   MAILSRV1$
Caller Domain:  CORP
Caller Logon ID:    (0x0,0x3E7)
Caller Process ID:  7152
Transited Services: -
Source Network Address: -
Source Port:    -

For more information, see Help and Support Center at

Is there a way to create a filter in wireshark what would help identify the computer initiating the logon attempt?


asked 07 Jun '11, 06:43

net_tech's gravatar image

accept rate: 13%

edited 07 Jun '11, 06:51

Process ID: 7152 is w3wp.exe

(07 Jun '11, 06:47) net_tech

should my filter look like "tcp.port == 88 or udp.port == 88" ?

(07 Jun '11, 07:02) net_tech

Figured it out and found the name of the Disabled Account in AD

(tcp.port == 88 or udp.port == 88) and (kerberos.msg.type == 30)

permanent link

answered 07 Jun '11, 07:25

net_tech's gravatar image

accept rate: 13%

Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here



Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text]( "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:


question asked: 07 Jun '11, 06:43

question was seen: 31,184 times

last updated: 07 Jun '11, 07:25

p​o​w​e​r​e​d by O​S​Q​A