how to find account login source?
hello. just starting with wireshark. i have run the capture for 15 minutes and in that time period, the AD account i'm tracking got an invalid login attempt. in the amount of data captured, how does one find this invalid login attempt?
as a backgroud, i was using Netwrix Account Lockout Examiner and although it can point me to the source of the invalid login attempt IF a workstation name is present, there are times it would show that the offending workstation name is MSTSC which doesn't make sense.
so i got wireshark to find out where this MSTSC is coming from.
appreciate any help.
MSTSC is the name of the Windows executable for Remote Desktop Protocol (RDP), so it seems likely that these auth failures are RDP connection attempts.
so how to find that information in wireshark captured data?