Solved

need assistance analyzing a netmon trace

Posted on 2016-08-05
Last Modified: 2016-08-27
Hello, we have captured a netmon trace, as multiple systems are having problems locating a domain controller.

How can we filter this trace to drill down into the netlogon-specific traffic, to try and pinpoint where the issue is?

Thanks
Question by:siber1
12 Comments
 
LVL 37

Expert Comment

by:ArneLovius
ID: 41745433
Can you please confirm the following before going into the netmon trace:

How are addresses assigned to the systems? DHCP or static?

Are the DNS settings on the systems' NICs set correctly? They should point to at least one DC and not have any external DNS servers, such as Google, configured.

Can the systems ping the DNS server?

Do DNS lookups work?

Are the systems joined to the domain?

Author Comment

by:siber1
ID: 41745442
Hello, the question posted is specific to the netmon trace. I do not need advice on how to troubleshoot the issue; we have already covered that.
LVL 70

Expert Comment

by:Merete
ID: 41745496
There is no easy answer here, thanks for understanding.
Try starting here, using Network Monitor 3.2:
Using Network Monitor 3.2 to Troubleshoot a Domain Join Failure Caused by a Black Hole Router
Please use the latest version.
Information about Network Monitor 3:
Network Monitor 3.4 can co-exist with Network Monitor 2.x. By default, Network Monitor 3.4 is installed in the "%Program Files%\Microsoft Network Monitor 3" folder. Therefore, conflicts do not occur if an earlier version is installed in a different folder on the computer. When you install Network Monitor 3.4, any previous version of Network Monitor 3 is uninstalled.
https://support.microsoft.com/en-au/kb/933741

This may also be of assistance:
How to analyze netmon trace Part-1
Part-2 is about:
  • how to make sense of the captured data
  • how to get more information out of the data that's captured
  • how to view specific frames in an XML format and in a window by themselves
LVL 42

Expert Comment

by:kevinhsieh
ID: 41745616
Netmon. Does anybody actually use it? Wireshark is the industry standard. It's free. Lots of documentation, because it's the industry standard. The easiest thing to do is sniff the workstation, which will have much less traffic on it than your DC. It will also capture DHCP and DNS traffic from the workstation, which is possibly where the problem lies.
LVL 37

Expert Comment

by:ArneLovius
ID: 41746387
"I do not need advice on how to troubleshoot the issue; we have already covered that."

You might have covered that, but we do not know what you did.

We also do not know how you took the netmon trace; it could be on a client, on a DC, or on a different system connected to a SPAN port.

We also do not know when you took the trace, or what steps you took to reproduce the problem that you are experiencing.

We also do not know what the actual problem you are experiencing is. We know what you have described, but because you have not shown how you came to that conclusion, we do not know if it is accurate.

"Setting the scene" is an important part of getting a useful answer.

Author Comment

by:siber1
ID: 41746496
My question is very specific. I do not need to go into details of our troubleshooting; I am specifically asking how I can filter netmon traces to view "netlogon"-specific issues. I don't need to "set the scene"; this is a very specific question.
LVL 42

Accepted Solution

by: kevinhsieh (earned 1000 total points)
ID: 41746513
https://blogs.technet.microsoft.com/netmon/2006/10/17/intro-to-filtering-with-network-monitor-3-0/

I would look at ALL traffic between the endpoint and your DHCP, DNS, and DCs. You have the DHCP, NTP, DNS, Kerberos and SMB protocols to worry about, just off the top of my head. You also haven't given any indication of what issues you are seeing, so I can't be more specific other than: look at all traffic from the endpoint. Hopefully your capture isn't just at the server, because then you won't see the DNS request to the wrong server, or NTP failures, or failures talking to a different DC than the one you are expecting.
LVL 37

Assisted Solution

by: ArneLovius (earned 1000 total points)
ID: 41747405
Your "netlogon" issues would probably be time sync, DNS or IP routing related rather than something that you are going to see "on the wire".

The built in tools such as nltest are a significantly more powerful diagnostic tool than a network trace, unless you already know and understand how to use a network trace as a diagnostic tool.

Your insistence on saying the netlogon process makes me wonder if this is a NT4 domain with similar age clients rather than a current operating system.

What OS level are the clients and domain controllers ?


If I only had a network trace to go on, and the network trace was captured on a DC filtered on the MAC address of the client, or on a SPAN port (so as to capture all of the traffic from the client from booting onwards), what I would look at would be the DNS lookups for the domain and the SRV lookups to determine the domain controller; by the time you have reached the point of any traffic associated with the logon process, it is encrypted...
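As an added example (not part of this thread, and not code from Netmon or Wireshark), the following Python script does in code what a display filter does in the trace: it isolates the DC-locator SRV lookups that both answers above point at (`_ldap._tcp.dc._msdcs.<domain>`, `_kerberos._tcp.dc._msdcs.<domain>`, and the `_sites` variants), pairs each query with its reply by DNS transaction ID, and reports whether the client got a DC back, an error, or nothing at all. The DNS messages are constructed inline for the lab domain `corp.example` (an assumption), so it runs offline; on a real capture you would feed it the UDP payloads of the DNS frames instead. In a live Wireshark capture the display filter `dns.qry.name contains "_msdcs"` makes the same selection.

```python
"""Triage DC-locator DNS traffic (SRV lookups under _msdcs.<domain>) from raw DNS messages."""
import struct

SRV, A = 33, 1
RCODE_TEXT = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def _read_name(msg, off):
    """Decode a (possibly compressed) DNS name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if (length & 0xC0) == 0xC0:                    # compression pointer
            if end is None:
                end = off + 2                          # resume after the first pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels).lower(), (off if end is None else end)

def parse_dns(msg):
    """Parse header, question and answer sections of one DNS message (a UDP payload)."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = _read_name(msg, off)
        questions.append((name, struct.unpack("!H", msg[off:off + 2])[0]))
        off += 4                                       # qtype + qclass
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == SRV:                               # priority, weight, port, target
            prio, weight, port = struct.unpack("!3H", msg[off:off + 6])
            target, _ = _read_name(msg, off + 6)
            answers.append((name, rtype, (prio, weight, port, target)))
        else:
            answers.append((name, rtype, msg[off:off + rdlen]))
        off += rdlen
    return {"id": txid, "response": bool(flags & 0x8000), "rcode": flags & 0xF,
            "questions": questions, "answers": answers}

def is_dc_locator_query(name):
    """Names the DC locator asks for: _ldap._tcp.dc._msdcs.<domain>, _kerberos._tcp..., _sites..."""
    return "._msdcs." in name or name.startswith(("_ldap._tcp.", "_kerberos._tcp."))

def triage(messages):
    """Keep only locator SRV queries (the 'filter'), pair each with its reply, classify it."""
    parsed = [parse_dns(m) for m in messages]
    replies = {p["id"]: p for p in parsed if p["response"]}
    findings = []
    for q in parsed:
        if q["response"] or not q["questions"]:
            continue
        name, qtype = q["questions"][0]
        if qtype != SRV or not is_dc_locator_query(name):
            continue
        r = replies.get(q["id"])
        if r is None:
            findings.append((name, "NO RESPONSE (timed out, or reply not in this capture)"))
        elif r["rcode"] != 0:
            findings.append((name, RCODE_TEXT.get(r["rcode"], "RCODE %d" % r["rcode"])))
        else:
            srv = [d for _, t, d in r["answers"] if t == SRV]
            findings.append((name, "DC %s:%d" % (srv[0][3], srv[0][2]) if srv
                             else "NOERROR but no SRV records"))
    return findings

# --- constructed sample trace (not captured data); corp.example is an assumed lab domain
def _name(n):
    return b"".join(bytes([len(l)]) + l.encode() for l in n.split(".")) + b"\x00"

def build_dns(txid, response, rcode, qname, qtype, srv=None):
    """One question, optional SRV answer whose owner name is a pointer to the question."""
    flags = (0x8180 if response else 0x0100) | rcode
    msg = struct.pack("!6H", txid, flags, 1, 1 if srv else 0, 0, 0)
    msg += _name(qname) + struct.pack("!HH", qtype, 1)
    if srv:
        rdata = struct.pack("!3H", *srv[:3]) + _name(srv[3])
        msg += b"\xC0\x0C" + struct.pack("!HHIH", SRV, 1, 600, len(rdata)) + rdata
    return msg

DOMAIN = "corp.example"
SAMPLE_TRACE = [
    build_dns(0x1001, False, 0, "_ldap._tcp.dc._msdcs." + DOMAIN, SRV),
    build_dns(0x1001, True, 0, "_ldap._tcp.dc._msdcs." + DOMAIN, SRV, (0, 100, 389, "dc1." + DOMAIN)),
    build_dns(0x1002, False, 0, "_kerberos._tcp.dc._msdcs." + DOMAIN, SRV),
    build_dns(0x1002, True, 3, "_kerberos._tcp.dc._msdcs." + DOMAIN, SRV),   # NXDOMAIN
    build_dns(0x1003, False, 0, "_ldap._tcp.dc._msdcs." + DOMAIN, SRV),      # never answered
    build_dns(0x1004, False, 0, "www.example", A),                           # filtered out
]

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_TRACE):
        print("%-42s %s" % (name, verdict))
```

The three verdicts map to the three failure modes the answers describe: an NXDOMAIN on a `_msdcs` name means the client is asking a DNS server that does not host the AD zone (the "external DNS server" case), no reply at all points at routing or a black-holed path, and a clean SRV answer means DC location worked and the problem is later, in the encrypted Kerberos/SMB exchange that the trace cannot show.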
LVL 16

Expert Comment

by:vivigatt
ID: 41752564
Filter, filter and filter!

Check the details you can filter on, on this page:

https://technet.microsoft.com/en-us/library/8daead2d-35c1-4b58-b123-d32a26b1f1dd
LVL 70

Expert Comment

by:Merete
ID: 41773318
Recommend DELETE!!

Author Comment

by:siber1
ID: 41773379
Thanks for the suggestions.

Author Closing Comment

by:siber1
ID: 41773380
Trying to close this again.