netmon for Kerberos

Dec 17, 2009 at 11:54 AM

Hi,

Can someone assist me with what is going on in my case?

We keep on getting Kerberos 3, 4, 5 errors and I captured it through Netmon.

 

Can someone analyze and let me know?

517      1.093750                     {TCP:257, IPv4:254}  10.1.37.167     10.10.218.151 SMB    SMB:R; Negotiate, Dialect is NT LM 0.12 (#5), SpnegoNegTokenInit

520      1.093750                     {TCP:257, IPv4:254}  10.10.218.151 10.1.37.167     SMB    SMB:C; Session Setup Andx, Krb5ApReq (0x100)

561      1.125000                     {TCP:257, IPv4:254}  10.1.37.167     10.10.218.151 SMB    SMB:R; Session Setup Andx, Krb5ApRep (0x200)

731      1.671875                     {NbtSS:326, TCP:325, IPv4:324}       10.1.37.167     10.10.204.65   SMB    SMB:R; Negotiate, Dialect is NT LM 0.12 (#5), SpnegoNegTokenInit

735      1.703125                     {NbtSS:326, TCP:325, IPv4:324}       10.10.204.65   10.1.37.167     SMB    SMB:C; Session Setup Andx, Krb5ApReq (0x100)

754      1.796875                     {NbtSS:326, TCP:325, IPv4:324}       10.1.37.167     10.10.204.65   SMB    SMB:R; Session Setup Andx, Krb5ApRep (0x200)

1214    2.890625                     {TCP:438, IPv4:337}  BEL002731.dir.ucb-group.com            10.1.37.167     SMB            SMB:R; Negotiate, Dialect is NT LM 0.12 (#5), SpnegoNegTokenInit

1215    2.890625                     {TCP:438, IPv4:337}  10.1.37.167     BEL002731.dir.ucb-group.com            SMB            SMB:C; Session Setup Andx, Krb5ApReq (0x100)

1260    2.906250                     {TCP:438, IPv4:337}  BEL002731.dir.ucb-group.com            10.1.37.167     SMB            SMB:R; Session Setup Andx, Krb5ApRep (0x200)

1706    4.609375                     {NbtSS:501, TCP:500, IPv4:499}       10.1.37.167     10.10.140.56   SMB    SMB:R; Negotiate, Dialect is NT LM 0.12 (#5), SpnegoNegTokenInit

1707    4.609375                     {NbtSS:501, TCP:500, IPv4:499}       10.10.140.56   10.1.37.167     SMB    SMB:C; Session Setup Andx, Krb5ApReq (0x100)

1710    4.609375                     {NbtSS:501, TCP:500, IPv4:499}       10.1.37.167     10.10.140.56   SMB    SMB:R; Session Setup Andx, Krb5ApRep (0x200)

1839    4.765625                     {TCP:519, IPv4:518}  10.1.37.167     10.10.228.245 SMB    SMB:R; Negotiate, Dialect is NT LM 0.12 (#5), SpnegoNegTokenInit

1840    4.765625                     {TCP:519, IPv4:518}  10.10.228.245 10.1.37.167     SMB    SMB:C; Session Setup Andx, Krb5ApReq (0x100)

1860    4.765625                     {TCP:519, IPv4:518}  10.1.37.167     10.10.228.245 SMB    SMB:R; Session Setup Andx, Krb5ApRep (0x200)

2390    6.015625                     {TCP:566, IPv4:564}  10.1.37.167     10.1.38.180     SMB    SMB:R; Negotiate, Dialect is NT LM 0.12 (#5), SpnegoNegTokenInit

2392    6.015625                     {TCP:566, IPv4:564}  10.1.38.180     10.1.37.167     SMB    SMB:C; Session Setup Andx, Krb5ApReq (0x100)

2396    6.015625                     {TCP:566, IPv4:564}  10.1.37.167     10.1.38.180     SMB    SMB:R; Session Setup Andx, Krb5ApRep (0x200)

2598    6.046875                     {TCP:613, IPv4:564}  10.1.38.180     10.1.37.167     SMB    SMB:R; Negotiate, Dialect is NT LM 0.12 (#5), SpnegoNegTokenInit

2601    6.046875                     {TCP:613, IPv4:564}  10.1.37.167     10.1.38.180     SMB    SMB:C; Session Setup Andx, Krb5ApReq (0x100)

2606    6.062500                     {TCP:613, IPv4:564}  10.1.38.180     10.1.37.167     SMB    SMB:R; Session Setup Andx, Krb5ApRep (0x200)

7098    8.625000                     {TCP:811, IPv4:810}  10.1.37.167     10.10.228.131 SMB    SMB:R; Negotiate, Dialect is NT LM 0.12 (#5), SpnegoNegTokenInit

7139    8.640625                     {TCP:811, IPv4:810}  10.10.228.131 10.1.37.167     SMB    SMB:C; Session Setup Andx, Krb5ApReq (0x100)

7154    8.656250                     {TCP:811, IPv4:810}  10.1.37.167     10.10.228.131 SMB    SMB:R; Session Setup Andx, Krb5ApRep (0x200)

8390    9.218750                     {TCP:848, IPv4:254}  10.10.218.151 10.1.37.167     SMB    SMB:R; Negotiate, Dialect is NT LM 0.12 (#5), SpnegoNegTokenInit

8397    9.218750                     {TCP:848, IPv4:254}  10.1.37.167     10.10.218.151 SMB    SMB:C; Session Setup Andx, Krb5ApReq (0x100)

8409    9.218750                     {TCP:848, IPv4:254}  10.10.218.151 10.1.37.167     SMB    SMB:R; Session Setup Andx, Krb5ApRep (0x200)

9605    10.968750                   {TCP:926, IPv4:925}  10.1.37.167     10.10.218.134 SMB    SMB:R; Negotiate, Dialect is NT LM 0.12 (#5), SpnegoNegTokenInit

9606    10.984375                   {TCP:926, IPv4:925}  10.10.218.134 10.1.37.167     SMB    SMB:C; Session Setup Andx, Krb5ApReq (0x100)

9609    10.984375                   {TCP:926, IPv4:925}  10.1.37.167     10.10.218.134 SMB    SMB:R; Session Setup Andx, Krb5ApRep (0x200)

11548  13.593750                   {TCP:1071, IPv4:860}            BEL003181     10.1.37.167     SMB    SMB:R; Negotiate, Dialect is NT LM 0.12 (#5), SpnegoNegTokenInit

11549  13.593750                   {TCP:1071, IPv4:860}            10.1.37.167     BEL003181     SMB    SMB:C; Session Setup Andx, Krb5ApReq (0x100)

11670  13.718750                   {TCP:1071, IPv4:860}            BEL003181     10.1.37.167     SMB    SMB:R; Session Setup Andx, Krb5ApRep (0x200)

14322  17.859375                   {TCP:1267, IPv4:518}            10.1.37.167     10.10.228.245 SMB    SMB:R; Negotiate, Dialect is NT LM 0.12 (#5), SpnegoNegTokenInit

14323  17.859375                   {TCP:1267, IPv4:518}            10.10.228.245 10.1.37.167     SMB    SMB:C; Session Setup Andx, Krb5ApReq (0x100)

14326  17.859375                   {TCP:1267, IPv4:518}            10.1.37.167     10.10.228.245 SMB    SMB:R; Session Setup Andx, Krb5ApRep (0x200)

14881  18.156250                   {NbtSS:1298, TCP:1297, IPv4:1296} 10.1.37.167     10.10.218.83   SMB    SMB:R; Negotiate, Dialect is NT LM 0.12 (#5), SpnegoNegTokenInit

14882  18.156250                   {NbtSS:1298, TCP:1297, IPv4:1296} 10.10.218.83   10.1.37.167     SMB    SMB:C; Session Setup Andx, Krb5ApReq (0x100)

14890  18.156250                   {NbtSS:1298, TCP:1297, IPv4:1296} 10.1.37.167     10.10.218.83   SMB    SMB:R; Session Setup Andx, Krb5ApRep (0x200)

15991  19.000000                   {TCP:1446, IPv4:1445}          10.1.37.167     10.10.214.65   SMB    SMB:R; Negotiate, Dialect is NT LM 0.12 (#5), SpnegoNegTokenInit

15992  19.000000                   {TCP:1446, IPv4:1445}          10.10.214.65   10.1.37.167     SMB    SMB:C; Session Setup Andx, Krb5ApReq (0x100)

15995  19.015625                   {TCP:1446, IPv4:1445}          10.1.37.167     10.10.214.65   SMB    SMB:R; Session Setup Andx, Krb5ApRep (0x200)

17511  21.828125                   {TCP:1578, IPv4:65}  10.1.37.167     10.1.38.194     SMB    SMB:R; Negotiate, Dialect is NT LM 0.12 (#5), SpnegoNegTokenInit

17521  21.828125                   {TCP:1576, IPv4:1575}          10.1.37.167     10.10.228.69   SMB    SMB:R; Negotiate, Dialect is NT LM 0.12 (#5), SpnegoNegTokenInit

17522  21.828125                   {TCP:1578, IPv4:65}  10.1.38.194     10.1.37.167     SMB    SMB:C; Session Setup Andx, Krb5ApReq (0x100)

17526  21.843750                   {TCP:1576, IPv4:1575}          10.10.228.69   10.1.37.167     SMB    SMB:C; Session Setup Andx, Krb5ApReq (0x100)

17529  21.843750                   {TCP:1576, IPv4:1575}          10.1.37.167     10.10.228.69   SMB    SMB:R; Session Setup Andx, Krb5ApRep (0x200)

17530  21.843750                   {TCP:1578, IPv4:65}  10.1.37.167     10.1.38.194     SMB    SMB:R; Session Setup Andx, Krb5ApRep (0x200)

17680  21.968750                   {TCP:1605, IPv4:1601}          10.1.37.167     10.10.178.126 SMB    SMB:R; Negotiate, Dialect is NT LM 0.12 (#5), SpnegoNegTokenInit

17728  21.968750                   {TCP:1605, IPv4:1601}          10.10.178.126 10.1.37.167     SMB    SMB:C; Session Setup Andx, Krb5ApReq (0x100)

17741  21.968750                   {TCP:1605, IPv4:1601}          10.1.37.167     10.10.178.126 SMB    SMB:R; Session Setup Andx, Krb5ApRep (0x200)

18044  22.609375                   {TCP:1630, IPv4:1575}          10.10.228.69   10.1.37.167     SMB    SMB:R; Negotiate, Dialect is NT LM 0.12 (#5), SpnegoNegTokenInit

18045  22.609375                   {TCP:1630, IPv4:1575}          10.1.37.167     10.10.228.69   SMB    SMB:C; Session Setup Andx, Krb5ApReq (0x100)

18048  22.609375                   {TCP:1630, IPv4:1575}          10.10.228.69   10.1.37.167     SMB    SMB:R; Session Setup Andx, Krb5ApRep (0x200)

18413  23.656250                   {TCP:1817, IPv4:1815}          10.1.37.167     BEL006823     SMB    SMB:R; Negotiate, Dialect is NT LM 0.12 (#5), SpnegoNegTokenInit

18429  23.671875                   {TCP:1819, IPv4:1533}          10.18.10.161   10.1.37.167     SMB    SMB:R; Negotiate, Dialect is NT LM 0.12 (#5), SpnegoNegTokenInit

18430  23.671875                   {TCP:1819, IPv4:1533}          10.1.37.167     10.18.10.161   SMB    SMB:C; Session Setup Andx, Krb5ApReq (0x100)

18434  23.718750                   {TCP:1819, IPv4:1533}          10.18.10.161   10.1.37.167     SMB    SMB:R; Session Setup Andx, Krb5ApRep (0x200)

18465  23.750000                   {TCP:1817, IPv4:1815}          BEL006823     10.1.37.167     SMB    SMB:C; Session Setup Andx, Krb5ApReq (0x100)

18474  23.750000                   {TCP:1825, IPv4:1815}          10.1.37.167     BEL006823     SMB    SMB:R; Negotiate, Dialect is NT LM 0.12 (#5), SpnegoNegTokenInit

18476  23.765625                   {TCP:1817, IPv4:1815}          10.1.37.167     BEL006823     SMB    SMB:R; Session Setup Andx, Krb5ApRep (0x200)

18542  23.859375                   {TCP:1825, IPv4:1815}          BEL006823     10.1.37.167     SMB    SMB:C; Session Setup Andx, Krb5ApReq (0x100)

18559  23.890625                   {TCP:1825, IPv4:1815}          10.1.37.167     BEL006823     SMB    SMB:R; Session Setup Andx, Krb5ApRep (0x200)

18910  24.828125                   {TCP:1880, IPv4:1815}          BEL006823     10.1.37.167     SMB    SMB:R; Negotiate, Dialect is NT LM 0.12 (#5), SpnegoNegTokenInit

18911  24.828125                   {TCP:1880, IPv4:1815}          10.1.37.167     BEL006823     SMB    SMB:C; Session Setup Andx, Krb5ApReq (0x100)

18943  24.921875                   {TCP:1880, IPv4:1815}          BEL006823     10.1.37.167     SMB    SMB:R; Session Setup Andx, Krb5ApRep (0x200)

19683  27.078125                   {TCP:1994, IPv4:65}  10.1.37.167     10.1.38.194     SMB    SMB:R; Negotiate, Dialect is NT LM 0.12 (#5), SpnegoNegTokenInit

19684  27.078125                   {TCP:1994, IPv4:65}  10.1.38.194     10.1.37.167     SMB    SMB:C; Session Setup Andx, Krb5ApReq (0x100)

19688  27.078125                   {TCP:1994, IPv4:65}  10.1.37.167     10.1.38.194     SMB    SMB:R; Session Setup Andx, Krb5ApRep (0x200)

20379  27.828125                   {TCP:2065, IPv4:1141}          10.1.37.167     BEL006820.dir.ucb-group.com            SMB    SMB:R; Negotiate, Dialect is NT LM 0.12 (#5), SpnegoNegTokenInit

20385  27.828125                   {TCP:2065, IPv4:1141}          BEL006820.dir.ucb-group.com            10.1.37.167            SMB    SMB:C; Session Setup Andx, Krb5ApReq (0x100)

20532  27.859375                   {TCP:2065, IPv4:1141}          10.1.37.167     BEL006820.dir.ucb-group.com            SMB    SMB:R; Session Setup Andx, Krb5ApRep (0x200)

Dec 17, 2009 at 9:35 PM

Hi,

Thanks for using Netmon. Could you please share the full capture with us and give us more context information, such as your OS/software configuration, what scenario you are trying, etc.?

Thanks,

Luther

Jan 14, 2010 at 1:04 PM

Hi,

We received Kerberos event ID 4 errors. We took captures. Can someone guide me on what it means?

 

 

10555 36.656826  {TCP:1404, IPv4:1403} ATL017784.dir.ucb-group.com 10.1.37.167 SMB SMB:KrbError: KRB_AP_ERR_MODIFIED (41) R; Session Setup Andx, Krb5Error (0x300) - NT Status: System - Error, Code = (22) STATUS_MORE_PROCESSING_REQUIRED
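Added example, not part of any post in this thread: a small Python parser for frame-summary lines in the layout pasted above. It pairs each Krb5ApReq with the reply on the same TCP conversation and lists the exchanges that ended in a Krb5Error or got no reply. The sample lines, addresses and host names are constructed, and the function name is hypothetical.

```python
import re

# Constructed sample in the Netmon frame-summary layout used in this thread:
# frame, time offset, {conversation}, source, destination, protocol, description.
SAMPLE = """\
100 1.000000 {TCP:10, IPv4:9} 192.0.2.10 192.0.2.20 SMB SMB:C; Session Setup Andx, Krb5ApReq (0x100)
101 1.015625 {TCP:10, IPv4:9} 192.0.2.20 192.0.2.10 SMB SMB:R; Session Setup Andx, Krb5ApRep (0x200)
200 2.000000 {TCP:11, IPv4:12} 192.0.2.10 fs01.example.test SMB SMB:C; Session Setup Andx, Krb5ApReq (0x100)
201 2.031250 {TCP:11, IPv4:12} fs01.example.test 192.0.2.10 SMB SMB:KrbError: KRB_AP_ERR_MODIFIED (41) R; Session Setup Andx, Krb5Error (0x300)
300 3.000000 {NbtSS:15, TCP:14, IPv4:13} 192.0.2.10 192.0.2.30 SMB SMB:C; Session Setup Andx, Krb5ApReq (0x100)
"""

FRAME = re.compile(r"^\s*(\d+)\s+[\d.]+\s+\{([^}]*)\}\s+(\S+)\s+(\S+)\s+SMB\s+(.*)$")
TCP_ID = re.compile(r"\bTCP:(\d+)")
KRB_ERR = re.compile(r"KrbError:\s*(\w+)\s*\((\d+)\)")


def failed_ap_exchanges(text):
    """Pair each Krb5ApReq with the reply on the same TCP conversation and
    return the exchanges that ended in a Krb5Error or never got a reply."""
    pending, findings = {}, []
    for line in text.splitlines():
        m = FRAME.match(line)
        tcp = TCP_ID.search(m.group(2)) if m else None
        if not tcp:
            continue  # blank line, prose, or a frame without a TCP conversation
        frame, src, dst, desc = int(m.group(1)), m.group(3), m.group(4), m.group(5)
        key = tcp.group(1)
        if "Krb5ApReq" in desc:      # client presents its service ticket
            pending[key] = {"frame": frame, "client": src, "server": dst}
        elif "Krb5ApRep" in desc:    # server accepted the ticket
            pending.pop(key, None)
        elif "Krb5Error" in desc:    # server rejected it; the error comes from src
            err = KRB_ERR.search(desc)
            findings.append({"frame": frame, "client": dst, "server": src,
                             "error": err.group(1) if err else "unknown",
                             "request_seen": pending.pop(key, None) is not None})
    for req in pending.values():     # requests still open when the capture ends
        findings.append({**req, "error": "no-reply", "request_seen": True})
    return findings


if __name__ == "__main__":
    for f in failed_ap_exchanges(SAMPLE):
        print(f)
```

For a KRB_AP_ERR_MODIFIED finding, the `server` field is the host that could not decrypt the ticket it was presented with, so that host's machine account, SPN registration and DNS record are the first things to check.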