Capturing/Filtering UserID with MS-Network-Monitor.

    Question

  • PROBLEM: A couple of users' accounts keep getting locked in our domain controller (Win2008R2). The users are very mobile - that means they use their laptop, multiple PCs, iPad and/or smartphone to connect to the domain. They also remain logged in simultaneously from multiple machines.

    QUESTION: What I am trying to find out is from which IP address they are actually getting locked. The DC's Security log is not showing the workstation for [Source=Microsoft Windows security, Task Category: Account Lockout, Event-ID: 4625, Keyword: Audit Failure]. I have to run MS Network Monitor from the DC which, of course, receives too many packets from all domain machines. So I have to run MS Network Monitor with a filter to capture only packets from a certain USER-ID (i.e. Domain\JohnDoe or JohnDoe@domain.com).
    Among all the list of filters available, is there a filter for user-ID? If not, what is the other best bet?
    Thanks in advance.

    Monday, April 09, 2012 2:18 PM

Answers

  • Filtering on user name might be challenging based on the DC's load. Parsing the user name means processing every packet and looking for a match. Network Monitor basically takes the same blob the OS processes, and processes it again. If your DC is busy, the only way to lower the load on the parsing engine is to use a pattern offset match.

    First you'll need to find an example of the frame you are interested in from the DC you want to capture on. This way you can determine what the filter would be, and if the offset from the beginning of the packet will be consistent. Once you locate a frame you are interested in, right click the field and add it as a filter. If your DC can handle that, then perhaps that's all you need. But over time memory will grow and you probably won't be able to capture more than a few hours.

    If you need more time, then use NMCap to get the capture instead. You can use the same filter, but add /disableconversations. Now depending on the filter, conversations might be required. If that's the case, then pattern offset is your only other option. For that case, look at the filter you created and convert it to a pattern offset. That means looking at the offset in the hex details and taking the first 4 bytes to build a DWORD. Then use a filter like Blob(FrameData, 30, 4) == 0x01020304 (look at http://blogs.technet.com/b/netmon/archive/2010/08/05/using-high-performance-filtering.aspx for more details).

    Let me know if you need more details.

    Paul

    Friday, April 13, 2012 9:33 PM
    Owner
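The conversion Paul describes (locate the field in one sample frame, read the 4 bytes at its offset as a DWORD, and turn that into a Blob(FrameData, offset, 4) == 0x... expression) is mechanical enough to script. The block below is an added example, not code from the thread or from Microsoft's Network Monitor: the frames are constructed byte strings standing in for captured frames, the 30-byte zero prefix is a placeholder for the lower-layer headers, the account name is assumed to be carried as UTF-16LE, and the DWORD is read in the left-to-right order of the hex details pane (an assumption about how the 0x01020304 literal is compared). It also shows the caveat behind "if the offset will be consistent": anchoring on the shared DOMAIN\ prefix matches every account in the domain, while anchoring on the user part matches only the intended one.

```python
"""Build a Network Monitor style pattern-offset filter from a sample frame
and evaluate it against other frames.

Added example, not code from the original thread or from Microsoft.
All frames are constructed byte strings, not real captures."""
import struct


def find_field_offset(frame: bytes, field: bytes) -> int:
    """Byte offset of `field` in a sample frame, or -1 if absent.
    This is the step the thread does by eye in the hex details pane."""
    return frame.find(field)


def dword_at(frame: bytes, offset: int) -> int:
    """The 4 bytes at `offset`, read as one DWORD in hex-pane order
    (assumed to be the order the Blob literal is compared in)."""
    if offset < 0 or offset + 4 > len(frame):
        raise ValueError(f"offset {offset} does not fit in a {len(frame)}-byte frame")
    return struct.unpack(">I", frame[offset:offset + 4])[0]


def blob_filter(frame: bytes, offset: int) -> str:
    """Filter text in the Blob(FrameData, offset, 4) == 0x... form."""
    return f"Blob(FrameData, {offset}, 4) == 0x{dword_at(frame, offset):08X}"


def blob_matches(frame: bytes, offset: int, value: int) -> bool:
    """Evaluate the comparison the way a fixed-offset filter would:
    a frame too short to hold the 4 bytes simply does not match."""
    if offset + 4 > len(frame):
        return False
    return dword_at(frame, offset) == value


# --- constructed sample frames (placeholders, not captured traffic) ------
# 30 zero bytes stand in for the link/network/transport headers, followed by
# a UTF-16LE account name, then a little trailing payload.
_PREFIX = bytes(30)
FRAME_JDOE = _PREFIX + "DOMAIN\\jdoe".encode("utf-16-le") + bytes(8)
FRAME_ASMITH = _PREFIX + "DOMAIN\\asmith".encode("utf-16-le") + bytes(8)
FRAME_SHORT = bytes(20)  # ends before the field; must never match


def build_user_filter(sample: bytes, account: str) -> tuple[int, str]:
    """Locate `account` (the part after DOMAIN\\) in the sample frame and
    return (offset, filter expression) for that position."""
    offset = find_field_offset(sample, account.encode("utf-16-le"))
    if offset < 0:
        raise ValueError(f"{account!r} not found in sample frame")
    return offset, blob_filter(sample, offset)


def demo() -> dict:
    """Contrast a filter anchored on the user part with one anchored on the
    shared domain prefix, evaluated over all three constructed frames."""
    frames = {"jdoe": FRAME_JDOE, "asmith": FRAME_ASMITH, "short": FRAME_SHORT}

    # Anchor on the distinguishing bytes: only jdoe's frame matches.
    off_user, expr_user = build_user_filter(FRAME_JDOE, "jdoe")
    want_user = dword_at(FRAME_JDOE, off_user)
    hits_user = [n for n, f in frames.items() if blob_matches(f, off_user, want_user)]

    # Anchor on the start of the field: the DOMAIN\ prefix is common to every
    # account in that domain, so asmith's frame matches too.
    off_dom = find_field_offset(FRAME_JDOE, "DOMAIN\\".encode("utf-16-le"))
    want_dom = dword_at(FRAME_JDOE, off_dom)
    hits_dom = [n for n, f in frames.items() if blob_matches(f, off_dom, want_dom)]

    return {
        "user_filter": expr_user,
        "user_hits": hits_user,
        "domain_filter": blob_filter(FRAME_JDOE, off_dom),
        "domain_hits": hits_dom,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it prints the two filter strings and which frames each one matches. In a real capture the offset is only stable if every preceding header has a fixed length for the traffic in question, which is exactly why the thread says to check that the offset is consistent before trusting a Blob filter for a long NMCap run.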

All replies

  • Hey Paul, thanks for the guidance on this. A little tricky, but now I know I am not missing anything simple. Thanks again.

    Tuesday, April 17, 2012 5:52 PM