AD Logons and Network Traffic

Using Wireshark to better understand the Active Directory logon process

Last week we looked at a number of introductory issues in using the Wireshark tool. Now I'd like to turn our attention to some Windows-specific matters. One area of interest to users and administrators alike is logon, so let's look at some of the types of traffic you may see when a user logs on to a Windows Server 2003 or 2008 domain. (The actual traffic on any given network will vary based on many factors; the protocols and sequence mentioned here are fairly typical, but they may not be exactly what you see on your network.)

Now you may ask, "How can I capture network traffic before I even log on?" given that in our examples so far, you've been running Wireshark on the PC itself, and need to be logged on to start the program. This might not be a bad time to mention that you can run Wireshark in many different configurations. For example, you can connect a laptop running the sniffer to a port on a full-duplex "aggregating" switch. You can also install the tool on a server and use a capture filter to limit captured traffic to a specific workstation. And you can run Wireshark in one logon session on a workstation and then use the "switch user" capability of (say) Vista to capture logon traffic associated with a second user on the same workstation.

The traffic that you're likely to see during a domain logon spans several protocols. Early in the process you are likely to see some Kerberos traffic (shown as protocol KRB5, for example), which has to do with authentication and the issuance of "tickets" that grant access to the network. A bit later you may see some SMB traffic (Server Message Block) that sets up network drive mappings for the client. Around this time you may also see some DNS traffic designed to retrieve information about Active Directory site configuration. Some LDAP traffic will also show up, for example so that the client can learn about the various "naming contexts" it should use when communicating with AD; you'll need to do a lot of drilling down to find the "meat" of some of these LDAP requests and responses. (You may also see CLDAP, which stands for "connectionless" LDAP.)

Then, towards the end of the logon process, you're likely to see some more SMB messages connecting to the SYSVOL share on the domain controller and checking the version numbers of Group Policy objects, so that the client knows which GPOs have changed and might therefore need to be reapplied. Give it a try and spend a few minutes noodling around with a Wireshark capture of an AD logon. You'll gain a new understanding of what is going on behind the scenes, and you'll prepare yourself for troubleshooting logon problems in the future – for example, by identifying unusual delays at different points in the logon process.
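The logon phases described above, turned into a small triage script. This is an added example, not code from the original article: it parses a constructed frame summary (time, source, destination, protocol, info; the sample is made up, not a real capture), groups frames into the phases the article walks through, and flags gaps longer than a threshold, which is the "unusual delay" check suggested in the last paragraph. `LOGON_FILTER` is a Wireshark display filter covering the same protocols.

```python
from collections import OrderedDict
# Wireshark display filter for the protocols discussed above; Wireshark
# labels Kerberos frames "KRB5" but the filter name is "kerberos".
LOGON_FILTER = "kerberos || dns || cldap || ldap || smb || smb2"

# Constructed sample in the shape of a "time src dst proto info" summary
# export, not a real capture. Client 192.0.2.10, domain controller 192.0.2.1.
SAMPLE = """\
0.000 192.0.2.10 192.0.2.1 DNS Standard query SRV _ldap._tcp.dc._msdcs.corp.example
0.004 192.0.2.1 192.0.2.10 DNS Standard query response SRV dc1.corp.example
0.010 192.0.2.10 192.0.2.1 CLDAP searchRequest "<ROOT>" baseObject
0.014 192.0.2.1 192.0.2.10 CLDAP searchResEntry "<ROOT>"
0.020 192.0.2.10 192.0.2.1 KRB5 AS-REQ
0.031 192.0.2.1 192.0.2.10 KRB5 AS-REP
0.045 192.0.2.10 192.0.2.1 KRB5 TGS-REQ
0.050 192.0.2.1 192.0.2.10 KRB5 TGS-REP
0.060 192.0.2.10 192.0.2.1 LDAP searchRequest "<ROOT>" baseObject
0.070 192.0.2.1 192.0.2.10 LDAP searchResEntry "<ROOT>" namingContexts
4.100 192.0.2.10 192.0.2.1 SMB2 Tree Connect Request Tree: \\\\dc1\\SYSVOL
4.130 192.0.2.1 192.0.2.10 SMB2 Read Response File: Policies\\gpt.ini
"""

# Protocol -> the logon phase the article associates with it.
PHASE = {"DNS": "dns-site-info", "CLDAP": "cldap-dc-locator",
         "KRB5": "kerberos-auth", "LDAP": "ldap-naming-contexts"}

def parse_summary(text):
    """Each summary line becomes (time, src, dst, proto, info)."""
    rows = []
    for line in text.splitlines():
        t, src, dst, proto, info = line.split(maxsplit=4)
        rows.append((float(t), src, dst, proto, info))
    return rows

def phase_of(proto, info):
    """SMB to SYSVOL is the GPO version check; any other SMB is drive mapping."""
    if proto in ("SMB", "SMB2"):
        return "smb-sysvol-gpo" if "SYSVOL" in info or "gpt.ini" in info else "smb-drive-map"
    return PHASE.get(proto, "other")

def phase_timings(rows):
    """First and last timestamp of each phase, in order of first appearance."""
    spans = OrderedDict()
    for t, _src, _dst, proto, info in rows:
        p = phase_of(proto, info)
        spans[p] = (spans.get(p, (t, t))[0], t)
    return spans

def find_delays(rows, threshold=1.0):
    """Gaps between consecutive frames longer than threshold seconds."""
    return [(round(b[0] - a[0], 3), a[3], b[3])
            for a, b in zip(rows, rows[1:]) if b[0] - a[0] > threshold]
```

On the sample, the four-second gap between the last LDAP response and the first SYSVOL connection is the kind of stall worth investigating in a real logon capture.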


Copyright © 2009
