Solved

need assistance analyzing a netmon trace

Posted on 2016-08-05
12
108 Views
Last Modified: 2016-08-27
Hello, we have captured a netmon trace as multiple systems are having problems locating a domain controller.

How can we filter this trace to drill down into the netlogon-specific traffic to try to pinpoint where the issue is?

thx
0
Comment
Question by:siber1
12 Comments
 
LVL 37

Expert Comment

by:ArneLovius
ID: 41745433
Can you please confirm the following before going into the netmon trace:

How are addresses assigned to the systems? DHCP or static?

Are the DNS settings on the systems' NICs set correctly? They should point to at least one DC and not have any external DNS servers, such as Google, configured.

Can the systems ping the DNS server?

Do DNS lookups work?

Are the systems joined to the domain?
0
 

Author Comment

by:siber1
ID: 41745442
Hello, the question posted is specific to the netmon trace. I do not need advice on how to troubleshoot the issue; we have already covered that.
0
 
LVL 70

Expert Comment

by:Merete
ID: 41745496
There is no easy answer here, thanks for understanding.
Try starting here using Network Monitor 3.2:
Using Network Monitor 3.2 to Troubleshoot a Domain Join Failure Caused by a Black Hole Router
Please use the latest version.
Information about Network Monitor 3
Network Monitor 3.4 can co-exist with Network Monitor 2.x. By default, Network Monitor 3.4 is installed in the "%Program Files%\Microsoft Network Monitor 3" folder. Therefore, conflicts do not occur if an earlier version is installed in a different folder on the computer. When you install Network Monitor 3.4, any previous version of Network Monitor 3 is uninstalled.
https://support.microsoft.com/en-au/kb/933741

This may also be of assistance:
How to analyze netmon trace Part-1
and Part-2 is about:
how to make sense of the captured data
how to get more information out of the data that's captured
how to view specific frames in an XML format and in a window by themselves
0

 
LVL 42

Expert Comment

by:kevinhsieh
ID: 41745616
Netmon. Does anybody actually use it? Wireshark is the industry standard. It's free. Lots of documentation because it's the industry standard. The easiest thing to do is sniff the workstation, which will have much less traffic on it than your DC. It will also capture DHCP and DNS traffic from the workstation, which is possibly where the problem lies.
0
 
LVL 37

Expert Comment

by:ArneLovius
ID: 41746387
"I do not need advice on how to troubleshoot the issue we have already covered that."

You might have covered that, but we do not know what you did.

We also do not know how you took the netmon trace, it could be on a client, on a DC, or on a different system connected to a span port.

We also do not know when you took the trace, or what steps you did to reproduce the problem that you are experiencing.

We also do not know what the actual problem you are experiencing is. We know what you have described, but because you have not shown how you came to that conclusion, we do not know if it is accurate.

"Setting the scene" is an important part of getting a useful answer.
0
 

Author Comment

by:siber1
ID: 41746496
My question is very specific. I do not need to go into details of our troubleshooting; I specifically am asking how I can filter netmon traces to view "netlogon"-specific issues. I don't need to "set the scene"; this is a very specific question.
0
 
LVL 42

Accepted Solution

by:
kevinhsieh earned 250 total points
ID: 41746513
https://blogs.technet.microsoft.com/netmon/2006/10/17/intro-to-filtering-with-network-monitor-3-0/

I would look at ALL traffic between the endpoint and your DHCP, DNS, and DCs. You have DHCP, NTP, DNS, Kerberos, SMB protocols to worry about just off the top of my head. You also haven't given any indication of what issues you are seeing, so I can't be more specific other than look at all traffic from the endpoint. Hopefully your capture isn't just at the server, because you won't see the DNS request to the wrong server, or NTP failures, or failure talking to a different DC than the one you are expecting.
0
 
LVL 37

Assisted Solution

by:ArneLovius
ArneLovius earned 250 total points
ID: 41747405
Your "netlogon" issues would probably be time sync, DNS or IP routing related rather than something that you are going to see "on the wire".

The built in tools such as nltest are a significantly more powerful diagnostic tool than a network trace, unless you already know and understand how to use a network trace as a diagnostic tool.

Your insistence on saying the netlogon process makes me wonder if this is an NT4 domain with similar-age clients rather than a current operating system.

What OS level are the clients and domain controllers?

If I only had a network trace to go on, and the network trace was captured on a DC using the MAC address of the client, or on a span port (so as to capture all of the traffic from the client from booting onwards), what I would look for would be DNS lookups for the domain and the SRV lookups to determine the domain controller; by the time you have reached the point of any traffic associated with the logon process, it is encrypted...
0
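The DC locator SRV lookups mentioned above are the one part of the client-side exchange that is visible in clear text, so they are worth pulling out of any capture. As an added example (not code from the thread or from Network Monitor), the following Python decodes the question section of a raw DNS message and flags the SRV queries a domain member sends to find a domain controller; the sample query bytes are constructed inline, and the `_msdcs` / `_ldap._tcp` naming is the standard DC locator convention, not something taken from this page.

```python
import struct

# DNS type codes (RFC 1035, RFC 2782) that matter for DC location
QTYPES = {1: "A", 28: "AAAA", 33: "SRV", 6: "SOA"}
# Owner-name prefixes of the SRV records a domain member queries to find a DC
DC_LOCATOR_PREFIXES = ("_ldap._tcp.", "_kerberos._tcp.", "_gc._tcp.")

def build_query(qname, qtype, txid=0x1234):
    """Constructed sample: encode a single-question DNS query (no compression)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.split("."))
    return header + wire + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN

def read_name(msg, off):
    """Decode a (possibly compressed) domain name; return (name, next offset)."""
    labels, resume = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:            # compression pointer (RFC 1035 4.1.4)
            if resume is None:
                resume = off + 2             # parsing continues after the pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (resume if resume is not None else off)

def is_dc_locator(qname, qtype):
    """True for the SRV lookups a client uses to locate a domain controller."""
    return qtype == 33 and (qname.startswith(DC_LOCATOR_PREFIXES) or "._msdcs." in qname)

def parse_questions(msg):
    """Return [{'qname', 'qtype', 'dc_locator'}] for each question in a DNS message."""
    txid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    off, out = 12, []                        # question section starts after the 12-byte header
    for _ in range(qdcount):
        qname, off = read_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        out.append({"qname": qname, "qtype": QTYPES.get(qtype, str(qtype)),
                    "dc_locator": is_dc_locator(qname, qtype)})
    return out

if __name__ == "__main__":
    for q in (build_query("_ldap._tcp.dc._msdcs.corp.example", 33),
              build_query("www.example", 1)):
        print(parse_questions(q))
```

In a real capture, feed `parse_questions` the UDP payload of each port 53 packet from the client; a client that never emits a `dc_locator` query, or sends it to an unexpected resolver, points at the DNS configuration rather than at netlogon itself.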
 
LVL 16

Expert Comment

by:vivigatt
ID: 41752564
Filter, filter and filters!

Check the details you can filter on, on this page:

https://technet.microsoft.com/en-us/library/8daead2d-35c1-4b58-b123-d32a26b1f1dd
0
 
LVL 70

Expert Comment

by:Merete
ID: 41773318
Recommend DELETE!!
0
 

Author Comment

by:siber1
ID: 41773379
Thanks for the suggestions.
0
 

Author Closing Comment

by:siber1
ID: 41773380
Trying to close this again.
0
