Capturing/Filtering UserID with Wireshark


#1

PROBLEM: A couple of users' accounts keep getting locked in our domain controller (Win2008R2). The users are very mobile, meaning they use their laptop, multiple PCs, iPad and/or smartphone to connect to the domain. They also remain logged in simultaneously from multiple machines.

QUESTION: What I am trying to find out is from which IP address they are actually getting locked. The DC's Security log is not showing the workstation for [Source = Microsoft Windows security, Task Category: Account Lockout, Event ID: 4625, Keyword: Audit Failure]. I have to run Wireshark from the DC, which already receives too many packets from all domain machines. So I have to run Wireshark with a filter to capture only packets from a certain user ID (i.e. Domain\JohnDoe or JohnDoe@domain.com).
Among all the filters available, is there a filter for user ID?

Thanks in advance.


#2

I do not believe you can filter based on user accounts or domain accounts; however, if you can obtain the MAC addresses of the systems the users are using to connect with, that may serve your purposes. By filtering using the MAC addresses you will get the packets just from that particular device, and it will not vary like the IP addresses will. An example filter would be:

    eth.addr == 08.00.08.15.ca.fe

You can read more about MAC address filtering here: http://wiki.wireshark.org/Ethernet#Display_Filter
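An added example, not from either poster, showing one way to answer the original question without a MAC address: a capture filter (the BPF expression Wireshark uses while capturing) cannot see user names, but the domain authentication traffic itself carries them, and Wireshark's display filters expose them as fields such as kerberos.CNameString (the client principal in AS-REQ/KRB-ERROR) and ntlmssp.auth.username (the NTLM AUTHENTICATE message). The script below reads tab-separated tshark field output, attributes lockout-related Kerberos errors (KDC_ERR_PREAUTH_FAILED = 24, KDC_ERR_CLIENT_REVOKED = 18) and NTLM authentication attempts to the client IP that produced them, and summarizes them per user. Assumptions: the DC's KRB-ERROR replies include the cname (Windows KDCs do), each exported field occurs at most once per packet, and the embedded sample is constructed, not a real capture. The tshark command in the docstring is what would generate real input.

```python
#!/usr/bin/env python3
"""Correlate lockout-related authentication failures per user and client IP.

Added example (not from the original thread). Export the per-packet fields
with tshark, then correlate them offline with this script:

  tshark -r dc.pcap -Y "kerberos || ntlmssp" -T fields -E separator=/t \
    -e frame.time_epoch -e ip.src -e ip.dst -e kerberos.msg_type \
    -e kerberos.CNameString -e kerberos.error_code -e ntlmssp.auth.username \
    > auth.tsv

Assumptions: KRB-ERROR replies from the DC carry the cname (Windows KDCs do),
and each field occurs once per packet (tshark joins repeats with commas; the
first value is used).
"""
from collections import Counter, defaultdict
from datetime import datetime, timezone
import sys

KRB_ERROR = 30                   # kerberos.msg_type of a KRB-ERROR message
KDC_ERR_CLIENT_REVOKED = 18      # credentials revoked: account locked/disabled
KDC_ERR_PREAUTH_FAILED = 24      # pre-authentication failed: bad password
LOCKOUT_RELATED = {KDC_ERR_CLIENT_REVOKED: "CLIENT_REVOKED",
                   KDC_ERR_PREAUTH_FAILED: "PREAUTH_FAILED"}


def _first(value):
    """tshark joins repeated field occurrences with ','; keep only the first."""
    return value.split(",")[0].strip()


def parse_line(line):
    """Parse one tab-separated tshark line into a record, or None if malformed."""
    parts = line.rstrip("\r\n").split("\t")
    if len(parts) != 7:
        return None
    ts, src, dst, msg_type, cname, err, ntlm_user = (_first(p) for p in parts)
    try:
        return {"ts": float(ts), "src": src, "dst": dst,
                "msg_type": int(msg_type) if msg_type else None,
                "cname": cname.lower(),        # AD principals are case-insensitive
                "error_code": int(err) if err else None,
                "ntlm_user": ntlm_user.lower()}
    except ValueError:
        return None


def correlate(lines):
    """Return {user: {"kerberos_failures": Counter({(client_ip, reason): n}),
                      "ntlm_attempts": Counter({client_ip: n}),
                      "first_seen": ts, "last_seen": ts}}."""
    result = defaultdict(lambda: {"kerberos_failures": Counter(),
                                  "ntlm_attempts": Counter(),
                                  "first_seen": None, "last_seen": None})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if (rec["msg_type"] == KRB_ERROR and rec["cname"]
                and rec["error_code"] in LOCKOUT_RELATED):
            # KRB-ERROR is sent by the DC, so the failing client is ip.dst.
            entry = result[rec["cname"]]
            entry["kerberos_failures"][(rec["dst"], LOCKOUT_RELATED[rec["error_code"]])] += 1
        elif rec["ntlm_user"]:
            # NTLM AUTHENTICATE names the user and comes from the client (ip.src).
            # Success or failure is only in the server's reply, so this counts
            # attempts rather than confirmed failures.
            entry = result[rec["ntlm_user"]]
            entry["ntlm_attempts"][rec["src"]] += 1
        else:
            continue
        seen = [t for t in (entry["first_seen"], entry["last_seen"]) if t is not None]
        entry["first_seen"] = min(seen + [rec["ts"]])
        entry["last_seen"] = max(seen + [rec["ts"]])
    return dict(result)


def report(result, user):
    """Human-readable summary lines for one user (empty list if no events)."""
    entry = result.get(user.lower())
    if entry is None:
        return []
    fmt = lambda ts: datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")
    lines = [f"{user}: events between {fmt(entry['first_seen'])} and {fmt(entry['last_seen'])}"]
    for (ip, reason), n in entry["kerberos_failures"].most_common():
        lines.append(f"  Kerberos {reason:<15} from {ip:<15} x{n}")
    for ip, n in entry["ntlm_attempts"].most_common():
        lines.append(f"  NTLM authenticate       from {ip:<15} x{n}")
    return lines


# Constructed sample of the tshark output described above (not a real capture).
SAMPLE_TSHARK_OUTPUT = "\n".join("\t".join(f) for f in [
    # frame.time      ip.src       ip.dst       type  cname      err   ntlm user
    ("1700000000.10", "10.1.1.20", "10.1.1.5",  "10", "johndoe", "",   ""),         # AS-REQ
    ("1700000000.11", "10.1.1.5",  "10.1.1.20", "30", "johndoe", "24", ""),         # bad password
    ("1700000001.00", "10.1.1.77", "10.1.1.5",  "",   "",        "",   "johndoe"),  # NTLM auth
    ("1700000002.00", "10.1.1.20", "10.1.1.5",  "10", "JohnDoe", "",   ""),         # AS-REQ
    ("1700000002.01", "10.1.1.5",  "10.1.1.20", "30", "JohnDoe", "24", ""),         # bad password
    ("1700000003.00", "10.1.1.5",  "10.1.1.20", "30", "johndoe", "18", ""),         # now locked out
    ("1700000004.00", "10.1.1.30", "10.1.1.5",  "10", "janedoe", "",   ""),         # AS-REQ
    ("1700000004.01", "10.1.1.5",  "10.1.1.30", "30", "janedoe", "25", ""),         # PREAUTH_REQUIRED: normal
])

if __name__ == "__main__":
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_TSHARK_OUTPUT.splitlines()
    result = correlate(source)
    for user in sorted(result):
        print("\n".join(report(result, user)))
```

Run it with no arguments to see the constructed sample, or with the path to the auth.tsv produced by the tshark command. Error code 25 (KDC_ERR_PREAUTH_REQUIRED) is deliberately ignored: every Windows client receives it on the first AS-REQ, so counting it would make every healthy logon look like a failure. If the DC is too busy to capture everything, a capture filter of port 88 or port 445 keeps only Kerberos and SMB/NTLM traffic and still preserves the user names the display filters need; the same question can also be answered from the DC's own log, where event 4740 (account locked out) records the Caller Computer Name and event 4771 (Kerberos pre-authentication failed) records the Client Address.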