How to determine NTLMv1 vs NTLMv2 traffic in Netmon

  • Question

  • Hi,

    We have two servers with the local security policy set to "Send NTLMv2 response only/refuse LM and NTLM"; however, as best I can tell in the Netmon output I can see NTLMv1 traffic. I see an initial authentication attempt which is NTLMv1, the rejection, and a second authentication attempt which isn't so clearly marked as v1 or v2.

    The traffic is between two web servers; the one making the call is HTTPS, the one receiving the authentication requests is currently HTTP. The filter I'm using is just NLMP OR NLMP_Struct.

    Given that I am also very new to Netmon, I have just 2 questions:

    1. How do I easily identify whether traffic is NTLMv1 or NTLMv2 in Netmon?
    2. What will clearly identify authentication/response traffic as NTLMv2, so I'll know it when I see it in Netmon?

    Thanks in advance.

    Dave F

    • Edited by AussieDaveF Wednesday, March 26, 2014 2:36 AM more detail
    Wednesday, March 26, 2014 1:53 AM
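The distinguishing field is in the NTLMSSP Authenticate (type 3) message, which is the NLMP structure Netmon decodes: per MS-NLMP, a 24-byte NtChallengeResponse is NTLMv1 (with or without extended session security), while an NTLMv2 response is a 16-byte NTProofStr followed by an NTLMv2_CLIENT_CHALLENGE whose first two bytes (RespType, HiRespType) are both 0x01. The following parser applies that rule to raw Authenticate bytes; it is an added example, not code from this thread, and the two sample messages are constructed inline with filler values rather than taken from a capture.

```python
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
AUTHENTICATE_MESSAGE = 3  # MessageType value of the type 3 message

def _field(msg, offset):
    """Read an MS-NLMP (Len, MaxLen, BufferOffset) descriptor and return the bytes it points to."""
    length, _max_len, buf_offset = struct.unpack_from("<HHI", msg, offset)
    if buf_offset + length > len(msg):
        raise ValueError("field descriptor points outside the message")
    return msg[buf_offset:buf_offset + length]

def classify_authenticate(msg):
    """Return 'NTLMv1', 'NTLMv2', 'anonymous' or 'unknown' for an NTLMSSP AUTHENTICATE_MESSAGE."""
    if len(msg) < 64 or msg[:8] != NTLMSSP_SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    if struct.unpack_from("<I", msg, 8)[0] != AUTHENTICATE_MESSAGE:
        raise ValueError("not an AUTHENTICATE_MESSAGE (type 3)")
    lm_resp = _field(msg, 12)  # LmChallengeResponseFields
    nt_resp = _field(msg, 20)  # NtChallengeResponseFields
    if not nt_resp and len(lm_resp) <= 1:
        return "anonymous"      # null session: empty NT response, empty or 1-byte LM response
    if len(nt_resp) == 24:
        return "NTLMv1"         # 24-byte DES-based response (also NTLMv1 with extended session security)
    # NTLMv2: 16-byte NTProofStr, then NTLMv2_CLIENT_CHALLENGE with RespType = HiRespType = 0x01
    if len(nt_resp) > 24 and nt_resp[16] == 0x01 and nt_resp[17] == 0x01:
        return "NTLMv2"
    return "unknown"

def build_authenticate(lm_resp, nt_resp, domain="", user="", workstation=""):
    """Construct a minimal type 3 message for testing: 64-byte header, then the payload blobs."""
    blobs = [lm_resp, nt_resp] + [s.encode("utf-16-le") for s in (domain, user, workstation)]
    blobs.append(b"")  # EncryptedRandomSessionKey: none in this constructed sample
    descriptors, payload = b"", b""
    for blob in blobs:
        descriptors += struct.pack("<HHI", len(blob), len(blob), 64 + len(payload))
        payload += blob
    flags = struct.pack("<I", 0x00000201)  # NEGOTIATE_UNICODE | NEGOTIATE_NTLM (constructed value)
    return NTLMSSP_SIGNATURE + struct.pack("<I", AUTHENTICATE_MESSAGE) + descriptors + flags + payload

# Constructed samples: filler bytes, not real credentials or captured traffic.
SAMPLE_V1 = build_authenticate(b"\xaa" * 24, b"\xbb" * 24, "CORP", "dave", "WEB1")
_v2_blob = (b"\x01\x01" + b"\x00" * 6 + b"\x00" * 8 + b"\xcc" * 8   # header, timestamp, client nonce
            + b"\x00" * 4 + b"\x00" * 4 + b"\x00" * 4)               # reserved, MsvAvEOL, trailing zeros
SAMPLE_V2 = build_authenticate(b"\xdd" * 24, b"\xee" * 16 + _v2_blob, "CORP", "dave", "WEB1")
```

In a capture, feed `classify_authenticate` the NTLMSSP bytes of the Authenticate message (the third NLMP message in each exchange); the same 24-byte-versus-longer NtChallengeResponse length is visible in Netmon's NLMP decode.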