Solved

need assistance analyzing a netmon trace

Posted on 2016-08-05
12
74 Views
Last Modified: 2016-08-27
Hello, we have captured a netmon trace as multiple systems are having problems locating a domain controller.

How can we filter this trace to drill down into the netlogon-specific traffic to try and pinpoint where the issue is?

thx
0
12 Comments
 
LVL 36

Expert Comment

by:ArneLovius
ID: 41745433
Can you please confirm the following before going into the netmon trace:

How are addresses assigned to the systems? DHCP or static?

Are the DNS settings on the systems' NICs set correctly? They should point to at least one DC and not have any external DNS servers, such as Google, configured.

Can the systems ping the DNS server?

Do DNS lookups work?

Are the systems joined to the domain?
0
 

Author Comment

by:siber1
ID: 41745442
Hello, the question posted is specific to the netmon trace. I do not need advice on how to troubleshoot the issue; we have already covered that.
0
 
LVL 69

Expert Comment

by:Merete
ID: 41745496
There is no easy answer here, thanks for understanding.
Try starting here using Network Monitor 3.2:
Using Network Monitor 3.2 to Troubleshoot a Domain Join Failure Caused by a Black Hole Router
Please use the latest version.
Information about Network Monitor 3
Network Monitor 3.4 can co-exist with Network Monitor 2.x. By default, Network Monitor 3.4 is installed in the "%Program Files%\Microsoft Network Monitor 3" folder. Therefore, conflicts do not occur if an earlier version is installed in a different folder on the computer. When you install Network Monitor 3.4, any previous version of Network Monitor 3 is uninstalled.
https://support.microsoft.com/en-au/kb/933741

May also be of assistance:
How to analyze netmon trace Part-1
and Part-2 is about:
how to make sense of the captured data
how to get more information out of the data that's captured
how to view specific frames in an XML format and in a window by themselves
0
 
LVL 42

Expert Comment

by:kevinhsieh
ID: 41745616
Netmon. Does anybody actually use it? Wireshark is the industry standard. It's free. Lots of documentation because it's the industry standard. Easiest thing to do is sniff the workstation, which will have much less traffic on it than your DC. It will also capture DHCP and DNS traffic from the workstation, which is possibly where the problem lies.
0
 
LVL 36

Expert Comment

by:ArneLovius
ID: 41746387
"I do not need advice on how to troubleshoot the issue we have already covered that."

You might have covered that, but we do not know what you did.

We also do not know how you took the netmon trace, it could be on a client, on a DC, or on a different system connected to a span port.

We also do not know when you took the trace, or what steps you did to reproduce the problem that you are experiencing.

We also do not know what the actual problem you are experiencing is, we know what you have described, but because you have not shown how you came to that conclusion, we do not know if it is accurate.

"setting the scene" is an important part of getting a useful answer.
0
 

Author Comment

by:siber1
ID: 41746496
My question is very specific. I do not need to go into details of our troubleshooting; I specifically am asking how I can filter netmon traces to view "netlogon"-specific issues. I don't need to "set the scene"; this is a very specific question.
0
 
LVL 42

Accepted Solution

by: kevinhsieh (earned 250 total points)
ID: 41746513
https://blogs.technet.microsoft.com/netmon/2006/10/17/intro-to-filtering-with-network-monitor-3-0/

I would look at ALL traffic between the endpoint and your DHCP, DNS, and DCs. You have DHCP, NTP, DNS, Kerberos, SMB protocols to worry about just off the top of my head. You also haven't given any indication of what issues you are seeing, so I can't be more specific other than look at all traffic from the endpoint. Hopefully your capture isn't just at the server, because you won't see the DNS request to the wrong server, or NTP failures, or failure talking to a different DC than the one you are expecting.
0
 
LVL 36

Assisted Solution

by: ArneLovius (earned 250 total points)
ID: 41747405
Your "netlogon" issues would probably be time sync, DNS or IP routing related rather than something that you are going to see "on the wire".

The built-in tools such as nltest are a significantly more powerful diagnostic tool than a network trace, unless you already know and understand how to use a network trace as a diagnostic tool.

Your insistence on saying the netlogon process makes me wonder if this is an NT4 domain with similar age clients rather than a current operating system.

What OS level are the clients and domain controllers?

If I only had a network trace to go on, and the network trace was captured on a DC using the MAC address of the client, or on a span port (so as to capture all of the traffic from the client from booting onwards), what I would look for would be DNS lookups for the domain and the SRV lookups to determine the domain controller; by the time you have reached the point of any traffic associated with the logon process, it is encrypted...
0
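The accepted and assisted solutions above both come down to the same first filter: isolate the client's DNS traffic and look for the DC locator SRV lookups (and for any of them going to a DNS server that is not a DC). In Netmon that is a display filter on the DNS question name (the field names vary by parser version, so check them against the filtering article linked above rather than taking them from here). The script below is an added example, not code from the thread or from Microsoft: it implements the same filter in Python over a handful of constructed DNS frames, decoding the question section of each query, keeping only the DC locator SRV names (`_ldap._tcp.`, `_kerberos._tcp.`, `_kpasswd._tcp.`, `_gc._tcp.`, with or without the `dc._msdcs.` zone), and flagging any that were sent to a server outside the expected DC list. The `Frame` class, IP addresses, domain name and `EXPECTED_DNS` list are all assumptions made for the example; a real run would feed frames from a capture instead.

```python
"""Filter captured DNS frames for Active Directory DC locator (SRV) lookups."""
import struct
from dataclasses import dataclass
from typing import List

QTYPE_A = 1
QTYPE_SRV = 33
# Service names a Windows client resolves to find a DC; they are registered
# under the domain name and under the dc._msdcs.<domain> zone.
DC_LOCATOR_PREFIXES = ("_ldap._tcp.", "_kerberos._tcp.", "_kpasswd._tcp.", "_gc._tcp.")


@dataclass
class Frame:
    """Minimal stand-in for one captured frame (constructed; not a pcap reader)."""
    src: str
    dst: str
    dst_port: int
    payload: bytes


def build_dns_query(qname: str, qtype: int, txid: int = 0x1234) -> bytes:
    """Build a standard DNS query with one question (used only to construct samples)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT=1
    name = b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in qname.rstrip(".").split("."))
    return header + name + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN


def parse_dns_question(payload: bytes):
    """Return (txid, qname, qtype) for the first question; raise ValueError if malformed."""
    if len(payload) < 12:
        raise ValueError("DNS header truncated")
    txid, _flags, qdcount = struct.unpack("!HHH", payload[:6])
    if qdcount < 1:
        raise ValueError("no question section")
    labels, pos = [], 12
    while True:
        if pos >= len(payload):
            raise ValueError("question name truncated")
        length = payload[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(payload[pos:pos + length].decode("ascii"))
        pos += length
    if pos + 4 > len(payload):
        raise ValueError("question type/class truncated")
    qtype, _qclass = struct.unpack("!HH", payload[pos:pos + 4])
    return txid, ".".join(labels).lower(), qtype


def is_dc_locator_query(qname: str, qtype: int) -> bool:
    """True for the SRV lookups a client makes while locating a domain controller."""
    return qtype == QTYPE_SRV and qname.startswith(DC_LOCATOR_PREFIXES)


def filter_dc_locator(frames: List[Frame], expected_dns: List[str]) -> List[dict]:
    """Keep only DC locator queries; flag those sent to a DNS server not in expected_dns."""
    findings = []
    for f in frames:
        if f.dst_port != 53:
            continue  # not a DNS query; Kerberos/LDAP/SMB are filtered separately
        try:
            txid, qname, qtype = parse_dns_question(f.payload)
        except ValueError:
            continue  # malformed frame: skip it rather than abort the whole pass
        if not is_dc_locator_query(qname, qtype):
            continue
        findings.append({
            "src": f.src, "dst": f.dst, "txid": txid, "qname": qname,
            "unexpected_server": f.dst not in expected_dns,
        })
    return findings


# Constructed sample frames (hypothetical addresses and domain; not from a real capture)
SAMPLE_FRAMES = [
    Frame("10.0.0.50", "10.0.0.10", 53,
          build_dns_query("_ldap._tcp.dc._msdcs.corp.example", QTYPE_SRV, 0x0001)),
    Frame("10.0.0.51", "8.8.8.8", 53,  # client with an external resolver configured
          build_dns_query("_kerberos._tcp.dc._msdcs.corp.example", QTYPE_SRV, 0x0002)),
    Frame("10.0.0.50", "10.0.0.10", 53,
          build_dns_query("www.corp.example", QTYPE_A, 0x0003)),  # ordinary lookup
    Frame("10.0.0.50", "10.0.0.10", 88, b"\x6a\x81\x00"),  # Kerberos, not DNS: ignored
]
EXPECTED_DNS = ["10.0.0.10"]  # the DCs that should be the only resolvers

if __name__ == "__main__":
    for hit in filter_dc_locator(SAMPLE_FRAMES, EXPECTED_DNS):
        flag = "  <-- sent to a non-DC DNS server" if hit["unexpected_server"] else ""
        print(f'{hit["src"]} -> {hit["dst"]} SRV {hit["qname"]}{flag}')
```

On the sample input the script reports two DC locator queries and flags the one from 10.0.0.51, which went to 8.8.8.8 instead of a DC; that is exactly the "DNS request to the wrong server" case the accepted solution says a server-side capture would miss, and it is only visible because the client side was captured.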
 
LVL 16

Expert Comment

by:vivigatt
ID: 41752564
Filter, filter and filters!

Check the details you can filter on on this page:

https://technet.microsoft.com/en-us/library/8daead2d-35c1-4b58-b123-d32a26b1f1dd
0
 
LVL 69

Expert Comment

by:Merete
ID: 41773318
Recommend DELETE!!
0
 

Author Comment

by:siber1
ID: 41773379
thx for the suggestions
0
 

Author Closing Comment

by:siber1
ID: 41773380
trying to close this again
0
