finding who has logged on where using network monitor RRS feed

  • Question

  • Hi !

    I am looking for a way to find where (on which pc) a domain user has logged on

    this should be done without 3rd party programs and instantly ! (i am not going to use logs and auditing and ..., just tell me the user name and i should immediately tell you where he has logged on now)

    this is my original question

    i reached a link which says (i think it says) this can be achieved using network monitor

    but this link is very old and i did not find how to do this with net mon 3.4

    can you please help me in this regard ?

    Saturday, September 1, 2012 7:55 AM

All replies

  • Hi Ganji,

    They may be referring to Network Monitor 2.0 in that KB article, but it's hard to tell.  You could certainly apply that same technique by applying an SMB filter in Network Monitor 3.4.  I'm not an SMB expert, but just looking at the parser; I'd think you'd want to add a filter for this: SMB.CSessionSetupAndXRequest.UnicodeParameters.AccountName (well, there's a few of them, you may need to add the client or the NTLMNorESS one in there too).

    However, just turning on the built-in server auditing and looking at the event log may be your best bet.


    Michael Hawker | Program Manager | Network Monitor

    • Proposed as answer by Paul E Long Monday, September 10, 2012 6:05 PM
    Friday, September 7, 2012 8:26 PM