NTLM Sniffing

Carl Hilton

OK, I am in a WinNT domain (although 99% of my workstations are W2K), I have
a packet capture of about 45 minutes of traffic. This is the time it took
for a user to get locked out. Now, how can I see what is causing the
lockout? I searched the packets for the USERID, but that did not work. Yes, I
had the packet capture for EACH/BOTH DCs. So, what traffic is bouncing
against the DCs so that this user's account is getting locked out?

Carl
 
Shawn Rabourn (MS)

You may need to enable netlogon logging to identify the workstation from which
the user is trying to log on and then filter your trace accordingly.

109626 Enabling Debug Logging for the Net Logon Service
http://support.microsoft.com/?id=109626

--Shawn
This posting is provided "AS IS" with no warranties and confers no rights.
 
Carl Hilton

Wow, I have spent weeks trying to find a solution from MS, and NEVER ran
across this KB Article... Now, where can I get the checked netlogon.dll?
 
Shawn Rabourn (MS)

You can call us to get one. I don't think they'll give you too much of a
hassle for that file.

--Shawn
This posting is provided "AS IS" with no warranties and confers no rights.
 
Michael Giorgio - MS MVP

Yes it will. Download the checked build version that matches
your SP, then extract the contents into a folder using the /x switch
in a DOS window.
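
Added example, not part of the thread: once Netlogon debug logging is enabled as suggested above, a short script can tally failed logons for the locked-out account by source workstation, which gives the machine name to filter the packet trace on. The line shape matched by the regex, the account and workstation names, and the sample lines are assumptions constructed for illustration; check them against your own netlogon.log.

```python
import re
from collections import Counter

# NTSTATUS values relevant to a lockout investigation
STATUS = {0xC000006A: "wrong password", 0xC0000234: "account locked out"}

# Assumed line shape (verify against your own netlogon.log):
# 03/14 09:12:01 [LOGON] SamLogon: Network logon of DOM\user from WKSTA Returns 0xC000006A
LINE = re.compile(
    r"^(?P<ts>\d\d/\d\d \d\d:\d\d:\d\d) \[LOGON\].*?"
    r"logon of (?P<domain>[^\\\s]*)\\(?P<user>\S+) from (?P<wksta>\S+) "
    r"Returns (?P<status>0x[0-9A-Fa-f]+)\s*$"
)

def failures_by_workstation(lines, user):
    """Count failed logons for `user`, keyed by (workstation, reason)."""
    counts = Counter()
    for line in lines:
        m = LINE.match(line)
        if not m or m["user"].lower() != user.lower():
            continue  # not a completed logon line for this account
        code = int(m["status"], 16)
        if code == 0:
            continue  # successful logon, not interesting here
        counts[(m["wksta"].upper(), STATUS.get(code, hex(code)))] += 1
    return counts

# Constructed sample log lines (hypothetical domain, users and workstations)
SAMPLE = r"""
03/14 09:12:01 [LOGON] SamLogon: Network logon of CORP\jdoe from WKS-017 Entered
03/14 09:12:01 [LOGON] SamLogon: Network logon of CORP\jdoe from WKS-017 Returns 0xC000006A
03/14 09:12:31 [LOGON] SamLogon: Network logon of CORP\jdoe from WKS-017 Returns 0xC000006A
03/14 09:13:02 [LOGON] SamLogon: Network logon of CORP\JDoe from wks-017 Returns 0xC000006A
03/14 09:13:05 [LOGON] SamLogon: Network logon of CORP\asmith from WKS-022 Returns 0x0
03/14 09:13:40 [LOGON] SamLogon: Network logon of CORP\jdoe from WKS-004 Returns 0x0
03/14 09:14:10 [LOGON] SamLogon: Network logon of CORP\jdoe from WKS-017 Returns 0xC0000234
03/14 09:14:11 [MISC] unrelated line that the parser skips
"""

if __name__ == "__main__":
    for (wksta, reason), n in failures_by_workstation(SAMPLE.splitlines(), "jdoe").most_common():
        print(f"{wksta:<12} {reason:<20} {n}")
```
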
 
