Solved

need assistance analyzing a netmon trace

Posted on 2016-08-05
12
101 Views
Last Modified: 2016-08-27
hello we have captured a netmon trace as multiple systems are having problems  locating a domain controller.

how can we filter this trace to drill down into the netlogon specific traffic to try and pin point where the issue is?

thx
0
Comment
Question by:siber1
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
  • 2
  • +2
12 Comments
 
LVL 37

Expert Comment

by:ArneLovius
ID: 41745433
Can you please confirm the following before going into the netmon trace

How are addresses assigned to the systems ? DHCP or static ?

Are the DNS settings on the systems NICs set to correctly ? They should be to at least one DC and not have any external DNS servers, such as Google configured

Can the systems ping the DNS server ?

Do DNS lookups work ?

Are the systems joined to the domain ?
0
 

Author Comment

by:siber1
ID: 41745442
hello the question posted is specific to the netmon trace. I do not need advice on how to troubelshoot the issue we have already covered that.
0
 
LVL 70

Expert Comment

by:Merete
ID: 41745496
There is no easy answer here thanks for understanding,
Try starting here using Netmonitor 3.2
Using Network Monitor 3.2 to Troubleshoot a Domain Join Failure Caused by a Black Hole Router
Please use latest version
Information about Network Monitor 3
Network Monitor 3.4 can co-exist with Network Monitor 2.x. By default, Network Monitor 3.4 is installed in the "%Program Files%\Microsoft Network Monitor 3" folder. Therefore, conflicts do not occur if an earlier version is installed in a different folder on the computer. When you install Network Monitor 3.4, any previous version of Network Monitor 3 is uninstalled.
https://support.microsoft.com/en-au/kb/933741

May also be of assistance
How to analyze netmon trace Part-1
and Part-2  is about:
how to make sense of the captured data
how to get more information out of the data that’s captured
how to view specific frames in an XML format and in a window by themselves
0
MIM Survival Guide for Service Desk Managers

Major incidents can send mastered service desk processes into disorder. Systems and tools produce the data needed to resolve these incidents, but your challenge is getting that information to the right people fast. Check out the Survival Guide and begin bringing order to chaos.

 
LVL 42

Expert Comment

by:kevinhsieh
ID: 41745616
Netmon. Does anybody actually use it? Wireshark is the industry standard. It's free. Lots of documentation because its the industry standard. Easiest thing to do is sniff the workstation,  which will have much less traffic on it than your DC. It will also capture DHCP and DNS traffic from the workstation,  which is possibly where the problem lies.
0
 
LVL 37

Expert Comment

by:ArneLovius
ID: 41746387
I do not need advice on how to troubelshoot the issue we have already covered that.

you might have covered that, but we do not know what you did.

We also do not know how you took the netmon trace, it could be on a client, on a DC, or on a different system connected to a span port.

We also do not know when you took the trace, or what steps you did to reproduce the problem that you are experiencing.

We also do not know what the actual problem you are experiencing is, we know what you have described, but because you have not shown how you came to that conclusion, we do not know if it is accurate.

"setting the scene" is an important part of getting a useful answer.
0
 

Author Comment

by:siber1
ID: 41746496
my question is very specific, I do not need to go into details of our troubleshooting, I specifically am asking how I can filter netmon traces to view "netlogon" specific issues.  I don't need to "set the scene" this is a very specific question
0
 
LVL 42

Accepted Solution

by:
kevinhsieh earned 250 total points
ID: 41746513
https://blogs.technet.microsoft.com/netmon/2006/10/17/intro-to-filtering-with-network-monitor-3-0/

I would look at ALL traffic between the endpoint and your DHCP, DNS, and DCs. You have DHCP, NTP, DNS, Kerberos, SMB protocols to worry about just off the top of my head. You also haven't given any indication of what issues you are seeing,  so I cant be more specific other than look at all traffic from the endpoint. Hopefully your capture isn't just at the server, because you won't see the DNS request to the wrong server, or NTP failures, or failure talking to a different DC than the one you are expecting.
0
 
LVL 37

Assisted Solution

by:ArneLovius
ArneLovius earned 250 total points
ID: 41747405
Your "netlogon" issues would probably be time sync, DNS or IP routing related related than something that you are going to see "on the wire".

The built in tools such as nltest are a significantly more powerful diagnostic tool than a network trace, unless you already know and understand how to use a network trace as a diagnostic tool.

Your insistence on saying the netlogon process makes me wonder if this is a NT4 domain with similar age clients rather than a current operating system.

What OS level are the clients and domain controllers ?


If I only had a network trace to go on, and the network trace was captured on a DC using the MAC address of the client, or on a span port (so as to capture all of the traffic from the client from booting onwards) would be DNS lookups for the domain and the SRV lookups to determine the domain controller, by the time you have reached the point of any traffic associated with the logon process, it is encrypted...
0
 
LVL 16

Expert Comment

by:vivigatt
ID: 41752564
Filter, filter and filters !

Check the details you can filter on on this page:

https://technet.microsoft.com/en-us/library/8daead2d-35c1-4b58-b123-d32a26b1f1dd
0
 
LVL 70

Expert Comment

by:Merete
ID: 41773318
Recommend DELETE!!
0
 

Author Comment

by:siber1
ID: 41773379
thx for the suggestions
0
 

Author Closing Comment

by:siber1
ID: 41773380
trying to close this again
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
WatchGuard T50 - Internet Priority Based on VLAN or User 1 78
Download Logs File from Cisco Switch 1 76
asset tags - importance 3 55
No IP Address Assigned to VM 10 88
Network ports are the threads that hold network communication together. They are an essential part of networking that can be easily ignore or misunderstood, my goals is to show those who don't have a strong network foundation how network ports opera…
Is your computer hacked? learn how to detect and delete malware in your PC
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

749 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question