[shaun <shaun@xxxxxxxxxxxxx>]

Hello - I'm looking for a way to log the IP addresses that connect to my 
Windows 2000 servers via Windows Networking (SMB / CIFS).  And, if 
possible, to separate those addresses into 2 categories:  those that 
authenticated successfully and those that didn't (as reported in my 
Security Event Logs).  My intent is to use this data to establish firewall 
rules.

I've been looking at Ethereal & Snort for this, and from what I've read, it 
looks like Ethereal knows more about Windows Networking than Snort does, so 
I'm hoping it can interpret the server's responses to requests and separate 
the successes from the failures.  Can anyone help get me started on 
this?  Or suggest which parts of the Ethereal manual to read?

thanks much,

Shaun Fischer
University of Wisconsin - Madison
Division of Information Technology
Production Services
Platforms & Operating Systems
1210 W Dayton St.  Room 3293
Madison, WI 53706
(608) 262-2773  shaun@xxxxxxxxxxxxx