This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Proxy authentication failure. Want to find out which machine.

0

I installed wireshark in my proxy server. I want to know which client is throwing out bad password. Is there away I can use wireshark to find out which client it is ?

asked 14 Mar '17, 15:42

gnynot's gravatar image

gnynot
6112
accept rate: 0%

I'm using NTLM authentication. I see that ntlmssp.auth.username == user1 doesn't help with anything am I using wrong syntax?

(14 Mar '17, 17:26) gnynot

Is your proxy a HTTP proxy?

Is your connection to the proxy dissected as HTTP? Maybe you have to use 'Decode as' HTTP first?

If the connection is dissected as HTTP, 'ntlmssp.auth.username==foobar' lists the packets with a NTLM auth for user foobar (at least with my setup).

(15 Mar '17, 07:26) Uli