9

I'm trying to track down a problem where something is causing my active directory account to get locked out. I think that I could figure it out if I can log all connections to 2 specific servers.

I want to log all outgoing TCP connections (maybe UDP also) to servers X and Y along with what process initiated the connection (PID, EXE path, & full command used to start the process). How do I do that?

I tried TCPView, but that only shows me current TCP connections. I want connections from the past 15 minutes, even if they've already died.

3
  • It'd probably be better to watch the incoming requests on the servers, in case the process that's failing to log in as you until you get locked out isn't coming from your computer. Have you enabled Logon Auditing on the DC to try and figure out what's failing to log on? Commented Jan 30, 2013 at 1:46
  • @techie007 Yeah, but that's for the IT department to do. I don't have that kind of access.
    – kelloti
    Commented Jan 30, 2013 at 17:35
  • Then it should be up to the IT department to figure out what's locking you out. :) Commented Jan 31, 2013 at 12:21

2 Answers

10

I would recommend using Process Monitor. It is made by the same people who made TCPView, but it shows a lot more. It also allows you to log the information to disk so you can look at it later.

Note: The program will need to be open and running for it to record the logs, but if you set it up to save the logs to disk as it records them you can always review them later.

1
  • I am trying to use ProcessMonitor to log SSH outbound connections. I was able to filter for putty, but using WSL, I couldn't find the connection. Could you take a look at my question superuser.com/questions/1798186/… Commented Jul 26, 2023 at 15:20
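As an added note to the Process Monitor answer, not part of the original thread: Windows can also keep this history itself. The Windows Filtering Platform audit writes Event ID 5156 for every permitted connection (PID, image path, direction, destination), and Process Creation auditing writes Event ID 4688 (command line, when the "Include command line in process creation events" policy is on). The script below enables both and pulls outbound connections to two servers from the last 15 minutes; the two addresses are placeholders and the window is an assumption.

```powershell
# Added example, not code from the question or answers. Run in an elevated PowerShell.
$Targets = @('192.0.2.10', '192.0.2.11')   # placeholder addresses for servers X and Y
$Since   = (Get-Date).AddMinutes(-15)       # assumed look-back window

# One-time setup: audit permitted connections (5156) and process starts (4688).
# Command lines in 4688 additionally need the policy
# "Include command line in process creation events" enabled.
auditpol /set /subcategory:"Filtering Platform Connection" /success:enable
auditpol /set /subcategory:"Process Creation" /success:enable

# Turn an event's <EventData> into a Name -> value hashtable.
function Get-EventData($Event) {
    $d = @{}
    ([xml]$Event.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
    return $d
}

# PID -> command line from process-creation events in the window.
# 4688 logs NewProcessId as hex (e.g. 0x1a2c); 5156 logs ProcessID in decimal,
# so normalise both to [int]. PIDs are reused, so a match is only a strong hint.
$CmdLines = @{}
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4688; StartTime=$Since } -ErrorAction SilentlyContinue |
  ForEach-Object {
    $d = Get-EventData $_
    $CmdLines[[int]$d.NewProcessId] = $d.CommandLine
  }

$ProtoNames = @{ '6' = 'TCP'; '17' = 'UDP' }

# Direction %%14593 is Outbound (%%14592 is Inbound). Keep only connections to our two servers.
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=5156; StartTime=$Since } -ErrorAction SilentlyContinue |
  ForEach-Object {
    $d = Get-EventData $_
    if ($d.Direction -eq '%%14593' -and $Targets -contains $d.DestAddress) {
      [pscustomobject]@{
        Time        = $_.TimeCreated
        Proto       = $ProtoNames[$d.Protocol]
        Dest        = "$($d.DestAddress):$($d.DestPort)"
        PID         = [int]$d.ProcessID
        Image       = $d.Application   # NT device path, e.g. \device\harddiskvolume2\...\svchost.exe
        CommandLine = $CmdLines[[int]$d.ProcessID]   # $null if the process started before auditing did
      }
    }
  } | Format-Table -AutoSize
```

Connections made before auditing was enabled are not recorded, so turn it on first and then reproduce the lockout; 5156 events are voluminous, so disable the subcategory again when done.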
4

Wireshark is a good place to start. It's a pretty versatile and widely used tool. One shortfall, however, is that the process information never makes it past the NIC, meaning that it might not be suitable for your specific ask. Check out here for a few suggestions on what can be done. Another tool which might help is netmon direct from M$.

1
  • 1
    I think all of these are good suggestions, but honestly Process Monitor is the best suggestion since it has exactly what I'm looking for OOTB
    – kelloti
    Commented Jan 30, 2013 at 17:50
