This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

how to filter for Kerberos traffic

0

During Security Log review on a Windows 2003 server I came across a repeated Event ID 531. The event gets logged 11 times every hour and does not have many details other than that it's a network logon/logoff (Ex. 11 times @ 5:11:15AM, 11 times @ 6:11:15AM, 11 times @ 7:11:15AM)

Logon Failure:

Reason:     Account currently disabled
User Name:  
Domain:     
Logon Type: 3
Logon Process:  Authz   
Authentication Package: Kerberos
Workstation Name:   MAILSRV1
Caller User Name:   MAILSRV1$
Caller Domain:  CORP
Caller Logon ID:    (0x0,0x3E7)
Caller Process ID:  7152
Transited Services: -
Source Network Address: -
Source Port:    -

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Is there a way to create a filter in Wireshark that would help identify the computer initiating the logon attempt?

Thanks

asked 07 Jun '11, 06:43

net_tech
accept rate: 13%

edited 07 Jun '11, 06:51

Process ID: 7152 is w3wp.exe

(07 Jun '11, 06:47) net_tech

should my filter look like "tcp.port == 88 or udp.port == 88" ?

(07 Jun '11, 07:02) net_tech

One Answer:

0

Figured it out and found the name of the Disabled Account in AD

(tcp.port == 88 or udp.port == 88) and (kerberos.msg.type == 30)

answered 07 Jun '11, 07:25

net_tech
accept rate: 13%
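What the accepted filter actually selects is worth spelling out. Kerberos message type 30 is KRB-ERROR (RFC 4120 section 5.9.1), the KDC's reply when an AS-REQ or TGS-REQ is refused. A Windows KDC answers a disabled account with error code 18, KDC_ERR_CLIENT_REVOKED, and the optional cname/crealm fields of the error carry the account that was tried, while the IP layer of that same packet (ip.dst of the error, or ip.src of the request just before it) gives the machine that made the attempt. Wireshark exposes the error code as kerberos.error_code. The port clause is mostly redundant, since Wireshark already dissects port 88 as Kerberos; it does stop the filter from also matching Kerberos blobs carried inside GSS-API/SPNEGO on other ports (HTTP, SMB, LDAP). The Python below is an added example, not part of the original thread, that decodes the envelope of a Kerberos message the way the filter does and pulls error code, cname and sname out of a KRB-ERROR. The sample AS-REQ and KRB-ERROR are constructed in the block (the account name svc_legacy and realm CORP are made up); only the fields the decoder needs are populated, so the AS-REQ is structurally minimal rather than something a real client would send.

```python
"""Decode Kerberos messages the way the display filter kerberos.msg.type == 30 selects them.
Added example with constructed sample messages; needs no capture file or network access."""
import struct

KRB_ERROR = 30                      # msg-type of KRB-ERROR (RFC 4120 5.9.1)
KDC_REQ_TYPES = (10, 12)            # AS-REQ, TGS-REQ: pvno is [1] and msg-type is [2], not [0]/[1]
ERROR_CODES = {6: "KDC_ERR_C_PRINCIPAL_UNKNOWN", 18: "KDC_ERR_CLIENT_REVOKED",
               23: "KDC_ERR_KEY_EXPIRED", 24: "KDC_ERR_PREAUTH_FAILED",
               25: "KDC_ERR_PREAUTH_REQUIRED"}

# --- minimal DER encoder (single-byte tags only), used to build the constructed samples ---
def _len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body): return bytes([tag]) + _len(len(body)) + body
def der_int(v): return tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big", signed=True))
def der_str(s): return tlv(0x1B, s.encode())        # GeneralString, i.e. KerberosString
def ctx(n, body): return tlv(0xA0 | n, body)        # [n] context-specific, constructed
def seq(*parts): return tlv(0x30, b"".join(parts))
def app(n, body): return tlv(0x60 | n, body)        # [APPLICATION n]
def principal(name_type, *names):                   # PrincipalName
    return seq(ctx(0, der_int(name_type)), ctx(1, seq(*(der_str(n) for n in names))))

def build_krb_error(error_code, crealm, cname, realm):
    """Constructed KRB-ERROR as a KDC sends it to a client (ctime/cusec/e-text/e-data omitted)."""
    return app(KRB_ERROR, seq(
        ctx(0, der_int(5)), ctx(1, der_int(KRB_ERROR)),                 # pvno, msg-type
        ctx(4, tlv(0x18, b"20110607101115Z")), ctx(5, der_int(0)),      # stime, susec
        ctx(6, der_int(error_code)),
        ctx(7, der_str(crealm)), ctx(8, principal(1, cname)),           # NT-PRINCIPAL
        ctx(9, der_str(realm)), ctx(10, principal(2, "krbtgt", realm))))  # NT-SRV-INST

def build_as_req(realm, cname):
    """Constructed, structurally minimal AS-REQ (msg-type 10) with no pre-authentication."""
    body = seq(ctx(0, tlv(0x03, b"\x00\x40\x81\x00\x10")),   # kdc-options: forwardable, renewable,
               ctx(1, principal(1, cname)), ctx(2, der_str(realm)),  # canonicalize, renewable-ok
               ctx(3, principal(2, "krbtgt", realm)),
               ctx(5, tlv(0x18, b"20370913024805Z")), ctx(7, der_int(1234567)),  # till, nonce
               ctx(8, seq(der_int(18), der_int(23))))                               # etype
    return app(10, seq(ctx(1, der_int(5)), ctx(2, der_int(10)), ctx(4, body)))

# --- minimal DER reader ---
def read_tlv(buf, pos=0):
    """Return (tag, value, end) of the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                               # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def iter_tlvs(buf):
    pos = 0
    while pos < len(buf):
        tag, val, pos = read_tlv(buf, pos)
        yield tag, val

def children(seq_body):
    """Map context tag number [n] -> (inner tag, inner value) for a SEQUENCE of tagged fields."""
    return {tag & 0x1F: read_tlv(val)[:2] for tag, val in iter_tlvs(seq_body)}

def der_int_value(v): return int.from_bytes(v, "big", signed=True)

def parse_principal(seq_body):
    """PrincipalName -> 'krbtgt/CORP' style string (name-string components joined by '/')."""
    return "/".join(v.decode() for _, v in iter_tlvs(children(seq_body)[1][1]))

def parse_kerberos(data, over_tcp=False):
    """Decode the envelope of any Kerberos message; full field decode for KRB-ERROR."""
    if over_tcp:                                    # RFC 4120 7.2.2: 4-byte big-endian length prefix
        (n,) = struct.unpack("!I", data[:4])
        data = data[4:4 + n]
    app_tag, app_body, _ = read_tlv(data)
    if (app_tag & 0xE0) != 0x60:                    # class APPLICATION, constructed
        raise ValueError("not a Kerberos APPLICATION-tagged message")
    app_num = app_tag & 0x1F
    f = children(read_tlv(app_body)[1])             # fields of the outer SEQUENCE
    type_field = 2 if app_num in KDC_REQ_TYPES else 1
    msg = {"msg_type": der_int_value(f[type_field][1]),
           "pvno": der_int_value(f[type_field - 1][1])}
    if msg["msg_type"] != app_num:                  # sanity check: field and tag must agree
        raise ValueError(f"msg-type {msg['msg_type']} disagrees with APPLICATION tag {app_num}")
    if msg["msg_type"] == KRB_ERROR:
        code = der_int_value(f[6][1])
        msg.update(error_code=code, error_name=ERROR_CODES.get(code, f"unknown({code})"),
                   realm=f[9][1].decode(), sname=parse_principal(f[10][1]))
        if 7 in f: msg["crealm"] = f[7][1].decode()   # OPTIONAL: a KDC may omit crealm/cname
        if 8 in f: msg["cname"] = parse_principal(f[8][1])
    return msg

def matches_filter(msg):
    """Python equivalent of the display filter kerberos.msg.type == 30."""
    return msg["msg_type"] == KRB_ERROR

def find_errors(packets, over_tcp=False):
    """Run the filter over a list of Kerberos payloads and return the decoded KRB-ERRORs."""
    return [m for m in (parse_kerberos(p, over_tcp) for p in packets) if matches_filter(m)]

# Constructed two-packet capture: the client's AS-REQ and the KDC's reply for a disabled account
# (a Windows KDC reports a disabled account as KDC_ERR_CLIENT_REVOKED, code 18).
SAMPLE_UDP = [build_as_req("CORP", "svc_legacy"), build_krb_error(18, "CORP", "svc_legacy", "CORP")]
SAMPLE_TCP = [struct.pack("!I", len(m)) + m for m in SAMPLE_UDP]   # same messages over TCP/88

if __name__ == "__main__":
    for hit in find_errors(SAMPLE_TCP, over_tcp=True):
        print(f"{hit['error_name']}: {hit.get('cname')}@{hit.get('crealm')} -> {hit['sname']}@{hit['realm']}")
```

The decoder reads the msg-type from the field Wireshark's kerberos.msg.type comes from rather than from the outer APPLICATION tag, and it raises if the two disagree, which is the kind of malformed traffic you would want to notice rather than silently misclassify. Note the special case for AS-REQ/TGS-REQ, whose pvno and msg-type sit at [1] and [2]; a decoder that assumes [0]/[1] for every message type will misread requests. On a real capture, pair each KRB-ERROR with the request immediately before it on the same stream; the request's ip.src is the workstation the Security Log entry is missing.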