how to find account login source?

asked 2019-03-10 10:01:59 +0000

badbanana gravatar image

hello. just starting with wireshark. i have run the capture for 15 minutes and in that time period, the AD account i'm tracking got an invalid login attempt. in the amount of data captured, how does one find this invalid login attempt?

as a backgroud, i was using Netwrix Account Lockout Examiner and although it can point me to the source of the invalid login attempt IF a workstation name is present, there are times it would show that the offending workstation name is MSTSC which doesn't make sense.

so i got wireshark to find out where this MSTSC is coming from.

appreciate any help.

edit retag flag offensive close merge delete


MSTSC is the name of the Windows executable for Remote Desktop Protocol (RDP), so it seems likely that these auth failures are RDP connection attempts.

grahamb gravatar imagegrahamb ( 2019-03-10 18:59:55 +0000 )edit

so how to find that information in wireshark captured data?

badbanana gravatar imagebadbanana ( 2019-03-11 07:35:00 +0000 )edit