need assistance analyzing a netmon trace

Hello, we have captured a netmon trace as multiple systems are having problems locating a domain controller.

How can we filter this trace to drill down into the netlogon-specific traffic to try and pinpoint where the issue is?

thx
Asked by siber1

ArneLoviusCommented:
Can you please confirm the following before going into the netmon trace:

How are addresses assigned to the systems? DHCP or static?

Are the DNS settings on the systems' NICs set correctly? They should point to at least one DC and not have any external DNS servers, such as Google, configured.

Can the systems ping the DNS server?

Do DNS lookups work?

Are the systems joined to the domain?
 
siber1Author Commented:
Hello, the question posted is specific to the netmon trace. I do not need advice on how to troubleshoot the issue; we have already covered that.
 
MereteCommented:
There is no easy answer here, thanks for understanding.
Try starting here, using Network Monitor 3.2:
Using Network Monitor 3.2 to Troubleshoot a Domain Join Failure Caused by a Black Hole Router
Please use latest version
Information about Network Monitor 3
Network Monitor 3.4 can co-exist with Network Monitor 2.x. By default, Network Monitor 3.4 is installed in the "%Program Files%\Microsoft Network Monitor 3" folder. Therefore, conflicts do not occur if an earlier version is installed in a different folder on the computer. When you install Network Monitor 3.4, any previous version of Network Monitor 3 is uninstalled.
https://support.microsoft.com/en-au/kb/933741

May also be of assistance
How to analyze netmon trace Part-1
and Part-2 is about:
how to make sense of the captured data
how to get more information out of the data that’s captured
how to view specific frames in an XML format and in a window by themselves
 
kevinhsiehCommented:
Netmon. Does anybody actually use it? Wireshark is the industry standard. It's free. Lots of documentation because it's the industry standard. The easiest thing to do is sniff the workstation, which will have much less traffic on it than your DC. It will also capture DHCP and DNS traffic from the workstation, which is possibly where the problem lies.
 
ArneLoviusCommented:
"I do not need advice on how to troubleshoot the issue, we have already covered that."

you might have covered that, but we do not know what you did.

We also do not know how you took the netmon trace, it could be on a client, on a DC, or on a different system connected to a span port.

We also do not know when you took the trace, or what steps you did to reproduce the problem that you are experiencing.

We also do not know what the actual problem you are experiencing is, we know what you have described, but because you have not shown how you came to that conclusion, we do not know if it is accurate.

"setting the scene" is an important part of getting a useful answer.
 
siber1Author Commented:
My question is very specific; I do not need to go into the details of our troubleshooting. I am specifically asking how I can filter netmon traces to view "netlogon"-specific issues. I don't need to "set the scene"; this is a very specific question.
 
kevinhsiehCommented:
https://blogs.technet.microsoft.com/netmon/2006/10/17/intro-to-filtering-with-network-monitor-3-0/

I would look at ALL traffic between the endpoint and your DHCP, DNS, and DCs. You have DHCP, NTP, DNS, Kerberos, SMB protocols to worry about just off the top of my head. You also haven't given any indication of what issues you are seeing, so I can't be more specific other than look at all traffic from the endpoint. Hopefully your capture isn't just at the server, because you won't see the DNS request to the wrong server, or NTP failures, or failure talking to a different DC than the one you are expecting.
 
ArneLoviusCommented:
Your "netlogon" issues would more probably be time sync, DNS or IP routing related than something that you are going to see "on the wire".

The built in tools such as nltest are a significantly more powerful diagnostic tool than a network trace, unless you already know and understand how to use a network trace as a diagnostic tool.

Your insistence on saying the netlogon process makes me wonder if this is an NT4 domain with similar-age clients rather than a current operating system.

What OS level are the clients and domain controllers?


If I only had a network trace to go on, and the network trace was captured on a DC using the MAC address of the client, or on a span port (so as to capture all of the traffic from the client from booting onwards), what I would look for would be the DNS lookups for the domain and the SRV lookups to determine the domain controller; by the time you have reached the point of any traffic associated with the logon process, it is encrypted...
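The filtering the two replies above describe, all of one client's DHCP, DNS, NTP, Kerberos, LDAP and SMB traffic keyed on the client's MAC, and then the DC-locator SRV lookups inside it, carried out in code as an added example that is not part of any poster's reply. It uses only the Python standard library, so it runs without Netmon, Wireshark or scapy. The capture it parses is constructed inline; the MAC addresses, the IPs 10.0.0.50 (client), 10.0.0.10 (DC) and 8.8.8.8 (external resolver), and the domain corp.example are assumptions, not details from the thread.

```python
"""Filter a libpcap capture down to one client's DC-locator / logon traffic.

Added example for this thread, not code from any poster; standard library only, so
it runs offline without Netmon, Wireshark or scapy. The capture it reads is
CONSTRUCTED in build_capture(): the MACs, 10.0.0.50 (client), 10.0.0.10 (DC),
8.8.8.8 (external resolver) and the domain corp.example are assumptions.
"""
import struct
from collections import Counter

# Services a domain logon touches (DHCP, NTP, DNS, Kerberos, SMB are named in the
# thread; LDAP is added because the DC locator "pings" candidate DCs over it).
LOGON_PORTS = {67: "DHCP", 68: "DHCP", 53: "DNS", 123: "NTP", 88: "Kerberos",
               389: "LDAP", 445: "SMB"}
SRV = 33  # DNS qtype of every DC-locator lookup (_ldap._tcp.dc._msdcs.<domain> ...)

def decode_question(payload):
    """(name, qtype) of the first DNS question; queries carry no compression pointers."""
    labels, off = [], 12
    while payload[off] != 0:
        n = payload[off]
        labels.append(payload[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels), struct.unpack("!H", payload[off + 1:off + 3])[0]

def parse_pcap(data):
    """Minimal libpcap reader: Ethernet + IPv4 + UDP/TCP frames only."""
    endian = "<" if data[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    frames, pos = [], 24                              # skip the global header
    while pos + 16 <= len(data):
        caplen = struct.unpack(endian + "I", data[pos + 8:pos + 12])[0]
        pkt, pos = data[pos + 16:pos + 16 + caplen], pos + 16 + caplen
        if pkt[12:14] != b"\x08\x00":                 # not IPv4
            continue
        ip = pkt[14:]
        proto, l4 = ip[9], ip[(ip[0] & 0x0F) * 4:]
        if proto not in (6, 17):
            continue
        sport, dport = struct.unpack("!HH", l4[:4])
        hdr = 8 if proto == 17 else (l4[12] >> 4) * 4  # UDP fixed, TCP data offset
        f = {"dst_mac": pkt[:6].hex(":"), "src_mac": pkt[6:12].hex(":"),
             "src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20])),
             "sport": sport, "dport": dport, "payload": l4[hdr:]}
        if 53 in (sport, dport) and f["payload"]:
            f["qname"], f["qtype"] = decode_question(f["payload"])
        frames.append(f)
    return frames

def logon_frames(frames, client_mac):
    """The display filter: the client's frames on logon-related ports. Keyed on MAC, not
    IP, so DHCP (sent from 0.0.0.0 before the client has an address) is not lost."""
    out = []
    for f in frames:
        svc = LOGON_PORTS.get(f["dport"]) or LOGON_PORTS.get(f["sport"])
        if svc and client_mac in (f["src_mac"], f["dst_mac"]):
            out.append(dict(f, service=svc))
    return out

def service_counts(frames):
    """Frames per service; a service that never appears shows where the sequence stopped."""
    return Counter(f["service"] for f in frames)

def locator_queries(frames):
    """(SRV name, resolver it went to) for each DC-locator lookup the client sent."""
    return [(f["qname"], f["dst"]) for f in frames if f.get("qtype") == SRV and f["dport"] == 53]

def misdirected_queries(frames, dc_ips):
    """Locator lookups sent to a resolver that is not a DC (external DNS on the NIC)."""
    return [q for q in locator_queries(frames) if q[1] not in dc_ips]

CLIENT_MAC, DC_MAC = "00:11:22:33:44:55", "00:aa:bb:cc:dd:ee"   # constructed test data
CLIENT, DC, EXT = "10.0.0.50", "10.0.0.10", "8.8.8.8"           # constructed test data

def _dns_query(name, qtype=SRV):
    q = b"".join(bytes([len(x)]) + x.encode() for x in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + q + struct.pack("!HH", qtype, 1)

def _frame(smac, dmac, src, dst, proto, sport, dport, payload=b""):
    """Ethernet + IPv4 + UDP/TCP with zeroed checksums (the parser never checks them)."""
    if proto == 17:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    else:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 0x50, 0x02, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))) + l4
    return bytes.fromhex(dmac.replace(":", "")) + bytes.fromhex(smac.replace(":", "")) + b"\x08\x00" + ip

def build_capture():
    """Boot-to-logon sequence: DHCP, the first locator SRV query sent to the external
    resolver (the fault), a healthy sequence to the DC, plus one unrelated HTTPS flow."""
    c = lambda *a, **k: _frame(CLIENT_MAC, DC_MAC, CLIENT, *a, **k)  # DC_MAC stands in for the next hop
    pkts = [_frame(CLIENT_MAC, "ff:ff:ff:ff:ff:ff", "0.0.0.0", "255.255.255.255", 17, 68, 67),
            c(EXT, 17, 53000, 53, _dns_query("_ldap._tcp.dc._msdcs.corp.example")),
            c(DC, 17, 53001, 53, _dns_query("_kerberos._tcp.dc._msdcs.corp.example")),
            c(DC, 17, 123, 123), c(DC, 17, 50000, 88), c(DC, 6, 49200, 389), c(DC, 6, 49201, 445),
            c("10.0.0.99", 6, 49202, 443)]
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # little-endian pcap, Ethernet
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(p), len(p)) + p for p in pkts)
```

Point `parse_pcap` at a real capture saved from Netmon or Wireshark in libpcap format (Netmon's own .cap format is not libpcap; export it first) and pass the client's MAC to `logon_frames`; `misdirected_queries(hits, {<your DC IPs>})` then lists any `_msdcs` SRV lookup that went to a resolver other than a DC, which in the constructed capture is the `_ldap._tcp.dc._msdcs.corp.example` query sent to 8.8.8.8. The same two steps as Wireshark display filters would be `eth.addr == 00:11:22:33:44:55 && (dhcp || dns || ntp || kerberos || ldap || smb || smb2)` followed by `dns.qry.type == 33`, with the MAC and protocol names substituted for your environment.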
 
vivigattCommented:
Filter, filter and filters!

Check the details you can filter on, on this page:

https://technet.microsoft.com/en-us/library/8daead2d-35c1-4b58-b123-d32a26b1f1dd
 
MereteCommented:
Recommend DELETE!!
 
siber1Author Commented:
Thanks for the suggestions.
 
siber1Author Commented:
Trying to close this again.