Wireshark xp
5/21/2023

Running Wireshark during boot on the client strikes me as the wrong tool for the job. Running software on the client potentially upsets the client computer's configuration and might influence the results. I'd try and capture the traffic w/o creating any influence on the client computer's behavior.

If you have administrative access to the switch the client is connected to, configure a "monitor" session ("port mirror", "SPAN" port, etc) and capture from another computer on the dedicated monitor port. If you don't have administrative access to the switch, consider connecting a dedicated capture computer between the client computer and the LAN.

Doing this capturing on either a Windows-based or Linux-based machine is pretty easy. Your dedicated capture computer will need two physical interfaces, which you would bridge. On a Windows machine it just involves putting two NICs in the capture machine, bridging them w/ the built-in bridging functionality in the Windows GUI, and capturing on the bridge interface. The situation is similar on Linux, albeit w/o the pretty GUI in a lot of distributions. Then you'd capture on either the bridge virtual interface or one of the physical NICs on the dedicated capture machine.

Concentrating on the client end of the capture is probably going to bear the most fruit, since capturing on the domain controller end is going to mean running captures on all the DCs in the network. (If you only have a single DC then you might be better off capturing on the DC end if the problem w/ the clients is intermittent.)

Comparing a "working" machine with a "non-working" machine is a valid strategy if the difference between "working" and "non-working" doesn't skew the results too far. I tend to think that you'll find something sniffing, but you need to have an understanding of what happens during boot and logon (DNS being used to locate a DC, how AD site membership affects DNS and LDAP queries, what Group Policy application looks like, etc) in order to interpret the results.
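The Linux side of the inline-bridge approach, as an added example that is not part of the original post: it emits the ip(8) commands that turn two NICs into a transparent bridge, and starts tcpdump on the bridge interface with a capture filter limited to the boot/logon protocols the post lists (DNS for DC location, LDAP and Global Catalog, SMB for Group Policy) plus Kerberos. The interface names eth0/eth1, the bridge name br0 and the output file name are assumptions; applying the bridge and capturing requires root, so the script only prints its plan unless invoked with --apply.

```shell
#!/bin/sh
# Added example, not code from the original post. Bridges two NICs on a
# dedicated Linux capture box and captures boot/logon traffic on the bridge.
# Interface names (eth0, eth1), bridge name (br0) and output file are assumed.
set -eu

# Build the BPF capture filter for DC-location and logon traffic.
# 53 DNS (SRV lookups that locate a DC), 88 Kerberos, 389/636 LDAP,
# 3268/3269 Global Catalog, 445 SMB (SYSVOL, Group Policy).
dc_logon_filter() {
    printf '%s' 'port 53 or port 88 or port 389 or port 636 or port 3268 or port 3269 or port 445'
}

# Print the ip(8) commands that bridge two NICs into a transparent tap.
# Arguments: bridge name, NIC towards the client, NIC towards the LAN.
bridge_commands() {
    br=$1; a=$2; b=$3
    cat <<EOF
ip link add name $br type bridge
ip link set dev $a master $br
ip link set dev $b master $br
ip link set dev $a up
ip link set dev $b up
ip link set dev $br up
EOF
}

# Apply the bridge (root required) and capture on the bridge interface.
# -n disables name resolution so the capture box itself generates no DNS
# queries that would pollute the trace; -w writes a pcap for Wireshark.
capture_on_bridge() {
    br=$1; a=$2; b=$3; out=$4
    bridge_commands "$br" "$a" "$b" | sh
    tcpdump -i "$br" -n -w "$out" "$(dc_logon_filter)"
}

if [ "${1:-}" = "--apply" ]; then
    capture_on_bridge br0 eth0 eth1 boot-logon.pcap
else
    # Dry run: show what would be executed.
    bridge_commands br0 eth0 eth1
    echo "tcpdump -i br0 -n -w boot-logon.pcap '$(dc_logon_filter)'"
fi
```

Run it once without arguments to review the plan, then with --apply on the capture box after it is cabled in between the client and the switch; the client sees no software change, which is the point of the inline approach. Open the resulting pcap in Wireshark and look first at the DNS SRV queries, then at the LDAP and Kerberos exchanges that follow.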