Ethereal-users: Re: [Ethereal-users] Filtering based on netbios/netbeui

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: bong sabolboro <tagamichi@xxxxxxxxx>
Date: Thu, 6 Dec 2001 13:17:28 -0800 (PST)
--- Guy Harris <guy@xxxxxxxxxx> wrote:
> > I have been trying to find documentation on how to
> > filter out packets based only on the hostname of a
> > failed windows netlogon but have been unsuccessful.
> > Specifically, I set display filter to:
> > netlogon.computer_name == "some-windows-hostname"
>
> I.e., if you have a capture in which a Netlogon
> packet has some name in the "Computer Name" field,
> and you try filtering on that name with that
> expression, it doesn't find that packet?

This is my setup:
I have two Win2k Professional machines; one runs
Ethereal, and the other attempts Windows logons to it.
I have set Ethereal to capture only the netlogon and
netbios protocols in the Edit-Protocols menu and left
the display filter blank, and all I get are the following:
type of packets: data packets with varying size,
usually between 60 and 150 bytes.
Source = blank/no value
Destination = blank/no value
Protocol = "UNKNOWN"
Info = WTAP_ENCAP = 0x1

Toggle on the display filter to have a value of
*netlogon.computer_name == "windowshostname"* and
there are no packets displayed on the first window.

Am I doing it right or is there a better way of
capturing these packets?

The main issue is that we want to identify rogue
hosts by their Windows hostname alone, because this is
what can be gleaned from the Windows logs, and then try
to get at their actual IP address and, eventually, the
persons behind them.  We cannot get to the IP address
part until we can capture these logon packets and
identify them.

Thanks.


Bong


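The goal stated in the message above, tying a Windows hostname seen in the server logs to an IP address on the wire, can also be approached from NetBIOS Name Service traffic (UDP/137), where a host broadcasts its own name when it registers or queries it. The block below is an added example written for this archive page; it is not code from the thread or from the Ethereal project. It assumes the RFC 1001/1002 NBNS request layout (12-byte header followed by one question with a 32-character first-level-encoded name) and uses constructed datagrams in place of a real capture; the IP addresses and hostnames are invented for the example.

```python
import struct

# Added example (not from the mailing-list thread or the Ethereal project):
# decode NetBIOS Name Service (NBNS, UDP/137) registrations and queries from
# captured datagrams and map a Windows hostname to the source IP that sent them.
# Datagrams in SAMPLE_DATAGRAMS are constructed here, not captured.
# Suffix bytes follow the Microsoft convention: 0x00 workstation, 0x20 server.

NBNS_OPCODE_QUERY = 0
NBNS_OPCODE_REGISTRATION = 5


def nb_encode(name, suffix=0x00):
    """First-level encode per RFC 1001 section 14.1: upper-case, pad to 15 bytes
    with spaces, append the suffix byte, then emit each nibble as 'A' + nibble."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    return "".join(chr(0x41 + (b >> 4)) + chr(0x41 + (b & 0x0F)) for b in raw)


def nb_decode(encoded):
    """Reverse nb_encode: 32 chars -> (name without padding, suffix byte)."""
    if len(encoded) != 32 or any(not ("A" <= c <= "P") for c in encoded):
        raise ValueError("not a first-level encoded NetBIOS name")
    raw = bytes(((ord(encoded[i]) - 0x41) << 4) | (ord(encoded[i + 1]) - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(" "), raw[15]


def build_nbns_request(name, suffix, opcode, txid=0x1234):
    """UDP payload of a broadcast NBNS request: header plus one question.
    Flags carry the opcode in bits 11-14 with RD (0x0100) and B (0x0010) set,
    so a name registration shows the familiar 0x2910."""
    flags = (opcode << 11) | 0x0100 | 0x0010
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    question = bytes([32]) + nb_encode(name, suffix).encode("ascii") + b"\x00"
    question += struct.pack("!HH", 0x0020, 0x0001)  # QTYPE NB, QCLASS IN
    return header + question


def parse_nbns_question(payload):
    """Return {'name', 'suffix', 'opcode'} for the first question, or None when
    the payload is not a well-formed NBNS request (too short, bad label)."""
    if len(payload) < 12 + 1 + 32 + 1 + 4:
        return None
    txid, flags, qdcount, ancount, nscount, arcount = struct.unpack("!HHHHHH", payload[:12])
    # byte 12 is the label length (always 32), byte 45 the root-label terminator
    if qdcount < 1 or payload[12] != 32 or payload[45] != 0:
        return None
    try:
        name, suffix = nb_decode(payload[13:45].decode("ascii"))
    except (UnicodeDecodeError, ValueError):
        return None
    return {"name": name, "suffix": suffix, "opcode": (flags >> 11) & 0x0F}


def find_ips_for_host(datagrams, hostname, suffix=None):
    """Source IPs that registered or queried the given NetBIOS name.
    datagrams is an iterable of (src_ip, udp_payload); suffix filters on the
    16th name byte when given."""
    hits = set()
    for src_ip, payload in datagrams:
        q = parse_nbns_question(payload)
        if q is None or q["name"] != hostname.upper():
            continue
        if suffix is not None and q["suffix"] != suffix:
            continue
        hits.add(src_ip)
    return sorted(hits)


# Constructed sample "capture": (source IP, UDP/137 payload).
SAMPLE_DATAGRAMS = [
    ("10.0.0.5", build_nbns_request("WS-ALPHA", 0x00, NBNS_OPCODE_REGISTRATION)),
    ("10.0.0.5", build_nbns_request("WS-ALPHA", 0x20, NBNS_OPCODE_REGISTRATION)),
    ("10.0.0.9", build_nbns_request("WS-BRAVO", 0x00, NBNS_OPCODE_QUERY)),
    ("10.0.0.7", b"\x00\x01\x02"),  # truncated junk, must be ignored
]

if __name__ == "__main__":
    print(find_ips_for_host(SAMPLE_DATAGRAMS, "ws-alpha"))
```

The point of the encoder is visible in the sample: a hostname never appears on the wire in NBNS as its literal ASCII string but as the 32-character form (WS-ALPHA starts with "FHFDCNEBEMFAEIEBCA..."), so a raw byte search of a capture for the hostname misses these packets, while a decoder that understands the encoding finds every registration and query the host sent.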