On 12/1/05, D'Alessandro, Dan <Dan.D'Alessandro@xxxxxxx> wrote:
>
>
>
> All,
>
>
>
> I am working with a remote network administrator who for the last couple weeks have had his server receiving numerous login attempts from what appears to be infected machines elsewhere within our company. Thinking it was a virus, we had the admin of the machines listed in the event properties run a full on demand scan and found nothing. I have asked the remote admin of the attacked servers to run ethereal to capture the traffic when this happens.
>
>
>
> My question is two-fold:
>
>
>
> Is there any way to filter on this type of traffic (ie: Event ID: 529 as shown below) ?
>
>
yes. try "ntlmssp"
>
> How large can a capture sequence get?
only for the logon attemp, it is small. an smb packege with NTLMssp
should be less than 1500B I think.
>
> Thanks for any help.
>
>
>
>
>
>
>
>
>
>
>
>
>
>
> Thank You,
>
> Dan D'Alessandro
>
> Network Specialist
>
> ITT Industries- Enterprise Infrastructure
>
> 847.470.4956************************************
This e-mail and any files transmitted with it are proprietary and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this e-mail in error please notify
the sender. Please note that any views or opinions presented in this
e-mail are solely those of the author and do not necessarily represent
those of ITT Industries, Inc. The recipient should check this e-mail
and any attachments for the presence of viruses. ITT Industries
accepts no liability for any damage caused by any virus transmitted by
this e-mail.
************************************
>
> _______________________________________________
> Ethereal-users mailing list
> Ethereal-users@xxxxxxxxxxxx
> http://www.ethereal.com/mailman/listinfo/ethereal-users
>
>
>