Wireshark Packet Analysis for AD
Every Active Directory attack leaves traces on the wire. Learning to read Kerberos, LDAP, NTLM, and replication traffic in Wireshark lets you see attacks in real time -- before the event logs even catch up.
Wireshark is a free, open-source tool that captures and analyzes network traffic. In an Active Directory environment, nearly all operations -- logon, authentication, group policy updates, file access, replication -- cross the network using a small set of protocols. Kerberos (TCP/UDP 88) carries authentication tickets. LDAP (389, or 636 for LDAPS) carries directory queries. SMB (445) carries file sharing and the named-pipe transports used by many RPC interfaces. DNS (53) is how clients locate domain controllers via SRV records. MS-DRSR, the DRSUAPI RPC interface, carries replication between domain controllers over MSRPC on dynamic TCP ports negotiated through the endpoint mapper (135). Each AD attack produces a distinct pattern on the wire: Kerberoasting sends TGS-REQs that ask only for RC4 (etype 23) for many service accounts in quick succession; DCSync sends DRSUAPI replication requests from a host that is not a domain controller; Pass-the-Hash is harder, because the NTLM exchange itself is protocol-correct, so the signal is contextual, such as NTLM being used where Kerberos would normally succeed, or one account authenticating from a host it has never used. By learning to recognize these patterns in Wireshark, you can detect attacks at the network level, and, if the capture is taken on a sensor the attacker does not control, the evidence survives even when the host event logs have been cleared or tampered with.
Event logs are like witness statements: they tell you what happened after the fact, filtered through the perspective of the witness. Packet captures are like raw security camera footage: they show you exactly what went over the wire, byte by byte, with no interpretation or filtering. Kerberoasting that appears in the logs as one Event ID 4769 per request shows up in a capture as the TGS-REQ itself, where you can read the exact SPN targeted, the full list of encryption types the client offered (the 4769 event records only the etype of the ticket that was issued), and the TGS-REP that came back. The ticket body inside the TGS-REP is encrypted with the service account's key, so its contents are not readable, but its etype, the timing between requests, and the number of distinct SPNs requested by one client are all visible.
Key Takeaways
- Packet captures taken on a network sensor or SPAN port provide evidence the attacker cannot reach from a compromised host, complementing Windows event logs.
- Kerberoasting is visible as TGS-REQ messages offering only RC4 (etype 23) for service SPNs, typically many distinct SPNs from one client in a short window; a normal Windows client offers AES (etype 17/18) alongside RC4.
- DCSync appears as DRSUAPI DRSGetNCChanges (opnum 3) replication requests from IPs that are not domain controllers.
- NTLM relay can show as NTLM Type 3 (AUTHENTICATE) messages where the packet's source IP is not the IP of the workstation named inside the message. This is a heuristic and needs a host-to-IP inventory to evaluate.
- Wireshark display filters enable rapid triage: "kerberos.msg_type == 12 && kerberos.etype == 23" selects TGS-REQs that include RC4 among the offered etypes, "kerberos.msg_type == 13 && kerberos.etype == 23" selects TGS-REPs carrying RC4-encrypted data, and "drsuapi.opnum == 3" selects GetNCChanges calls.
Attackers who gain administrative access often clear Windows event logs to cover their tracks. A packet capture is not immune to tampering in itself, but when it is taken on a sensor or SPAN port and stored on a system the attacker cannot reach, clearing logs on the compromised host does nothing to it -- which makes such captures invaluable for forensic investigation and for real-time detection of AD attacks.