No.     Time           Source                Destination           Protocol Length Info
      1 0.000000000    10.200.7.80           10.200.8.231          KRB5     1430   AS-REP

Frame 1: 1430 bytes on wire (11440 bits), 1430 bytes captured (11440 bits)
    Arrival Time: Jun 18, 2015 17:41:47.503924000 CEST
    Epoch Time: 1434642107.503924000 seconds
    [Time delta from previous captured frame: 0.000000000 seconds]
    [Time delta from previous displayed frame: 0.000000000 seconds]
    [Time since reference or first frame: 0.000000000 seconds]
    Frame Number: 1
    Frame Length: 1430 bytes (11440 bits)
    Capture Length: 1430 bytes (11440 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: sll:ip:tcp:kerberos]
    [Coloring Rule Name: TCP]
    [Coloring Rule String: tcp]
Linux cooked capture
    Packet type: Sent by us (4)
    Link-layer address type: 1
    Link-layer address length: 6
    Source: RealtekU_6c:88:c2 (52:54:00:6c:88:c2)
    Protocol: IP (0x0800)
Internet Protocol Version 4, Src: 10.200.7.80 (10.200.7.80), Dst: 10.200.8.231 (10.200.8.231)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00)
    Total Length: 1414
    Identification: 0x8a07 (35335)
    Flags: 0x02 (Don't Fragment)
        0... .... = Reserved bit: Not set
        .1.. .... = Don't fragment: Set
        ..0. .... = More fragments: Not set
    Fragment offset: 0
    Time to live: 64
    Protocol: TCP (6)
    Header checksum: 0x85a4 [correct]
        [Good: True]
        [Bad: False]
    Source: 10.200.7.80 (10.200.7.80)
    Destination: 10.200.8.231 (10.200.8.231)
Transmission Control Protocol, Src Port: kerberos (88), Dst Port: 56364 (56364), Seq: 1, Ack: 1, Len: 1374
    Source port: kerberos (88)
    Destination port: 56364 (56364)
    [Stream index: 0]
    Sequence number: 1 (relative sequence number)
    [Next sequence number: 1375 (relative sequence number)]
    Acknowledgement number: 1 (relative ack number)
    Header length: 20 bytes
    Flags: 0x018 (PSH, ACK)
        000. .... .... = Reserved: Not set
        ...0 .... .... = Nonce: Not set
        .... 0... .... = Congestion Window Reduced (CWR): Not set
        .... .0.. .... = ECN-Echo: Not set
        .... ..0. .... = Urgent: Not set
        .... ...1 .... = Acknowledgement: Set
        .... .... 1... = Push: Set
        .... .... .0.. = Reset: Not set
        .... .... ..0. = Syn: Not set
        .... .... ...0 = Fin: Not set
    Window size value: 237
    [Calculated window size: 237]
    [Window size scaling factor: -1 (unknown)]
    Checksum: 0x2b3f [validation disabled]
        [Good Checksum: False]
        [Bad Checksum: False]
    [SEQ/ACK analysis]
        [Bytes in flight: 1374]
    [PDU Size: 1374]
Kerberos AS-REP
    Record Mark: 1370 bytes
        0... .... .... .... .... .... .... .... = Reserved: Not set
        .000 0000 0000 0000 0000 0101 0101 1010 = Record Length: 1370
    Pvno: 5
    MSG Type: AS-REP (11)
    padata: Unknown:133
        Type: Unknown (133)
            Value: 3050a030302ea0153013a003020101a10c300a1b0857494e...
    Client Realm: FOUR.TEST
    Client Name (Principal): WIN7PRO$
        Name-type: Principal (1)
        Name: WIN7PRO$
    Ticket
        Tkt-vno: 5
        Realm: FOUR.TEST
        Server Name (Service and Instance): krbtgt/FOUR.TEST
            Name-type: Service and Instance (2)
            Name: krbtgt
            Name: FOUR.TEST
        enc-part rc4-hmac
            Encryption type: rc4-hmac (23)
            Kvno: 1
            enc-part: d940ec56a7e58254d93f0812c8d21310692ed46e39184a43...
                [Decrypted using: keytab principal krbtgt@FOUR.TEST]
                EncTicketPart
                    Padding: 0
                    Ticket Flags (Forwardable, Renewable, Initial, Pre-Auth)
                        .1.. .... .... .... .... .... .... .... = Forwardable: FORWARDABLE tickets are allowed/requested
                        ..0. .... .... .... .... .... .... .... = Forwarded: This is NOT a forwarded ticket
                        ...0 .... .... .... .... .... .... .... = Proxiable: Do NOT use proxiable tickets
                        .... 0... .... .... .... .... .... .... = Proxy: This ticket has NOT been proxied
                        .... .0.. .... .... .... .... .... .... = Allow Postdate: We do NOT allow the ticket to be postdated
                        .... ..0. .... .... .... .... .... .... = Postdated: This ticket is NOT postdated
                        .... ...0 .... .... .... .... .... .... = Invalid: This ticket is NOT invalid
                        .... .... 1... .... .... .... .... .... = Renewable: This ticket is RENEWABLE
                        .... .... .1.. .... .... .... .... .... = Initial: This ticket was granted by AS and not TGT protocol
                        .... .... ..1. .... .... .... .... .... = Pre-Auth: The client was PRE-AUTHenticated
                        .... .... ...0 .... .... .... .... .... = HW-Auth: The client was NOT authenticated using hardware
                        .... .... .... 0... .... .... .... .... = Transited Policy Checked: Kdc has NOT performed transited policy checking
                        .... .... .... .0.. .... .... .... .... = Ok As Delegate: This ticket is NOT ok as a delegated ticket
                    key rc4-hmac
                        Key type: rc4-hmac (23)
                        Key value: bc465084e8a073b750b20bfee0df0821
                    Client Realm: FOUR.TEST
                    Client Name (Principal): WIN7PRO$
                        Name-type: Principal (1)
                        Name: WIN7PRO$
                    TransitedEncoding DOMAIN-X500-COMPRESS
                        Type: DOMAIN-X500-COMPRESS (1)
                        Contents:
                    Authtime: 2015-06-18 15:41:47 (UTC)
                    End time: 2015-06-19 01:41:47 (UTC)
                    Renew-till: 2015-06-25 15:41:47 (UTC)
                    HostAddresses: WIN7PRO<20>
                        HostAddress WIN7PRO<20>
                            Addr-type: NETBIOS (20)
                            NetBIOS Name: WIN7PRO<20> (Server service)
                    AuthorizationData AD-IF-RELEVANT
                        Type: AD-IF-RELEVANT (1)
                        Data: 3082023a30820236a00402020080a182022c048202280400...
                            IF_RELEVANT AD-Win2k-PAC
                                Type: AD-Win2k-PAC (128)
                                Data: 040000000000000001000000900100004800000000000000...
                                    Num Entries: 4
                                    Version: 0
                                    Type: Logon Info (1)
                                        Size: 400
                                        Offset: 72
                                        PAC_LOGON_INFO: 01100800cccccccc80010000000000000000020000000000...
                                            MES header
                                                Version: 1
                                                DREP
                                                    Byte order: Little-endian (1)
                                                HDR Length: 8
                                                Fill bytes: 0xcccccccc
                                                Blob Length: 384
                                            PAC_LOGON_INFO:
                                                Referent ID: 0x00020000
                                                Logon Time: No time specified (0)
                                                Logoff Time: Infinity (absolute time)
                                                Kickoff Time: Infinity (absolute time)
                                                PWD Last Set: Jun 18, 2015 13:56:36.000000000 CEST
                                                PWD Can Change: Jun 18, 2015 13:56:36.000000000 CEST
                                                PWD Must Change: Infinity (absolute time)
                                                Acct Name: WIN7PRO$
                                                    Length: 16
                                                    Size: 16
                                                    Character Array: WIN7PRO$
                                                        Referent ID: 0x00020004
                                                        Max Count: 8
                                                        Offset: 0
                                                        Actual Count: 8
                                                        Acct Name: WIN7PRO$
                                                Full Name
                                                    Length: 0
                                                    Size: 0
                                                    Character Array
                                                        Referent ID: 0x00020008
                                                        Max Count: 0
                                                        Offset: 0
                                                        Actual Count: 0
                                                Logon Script
                                                    Length: 0
                                                    Size: 0
                                                    Character Array
                                                        Referent ID: 0x0002000c
                                                        Max Count: 0
                                                        Offset: 0
                                                        Actual Count: 0
                                                Profile Path
                                                    Length: 0
                                                    Size: 0
                                                    Character Array
                                                        Referent ID: 0x00020010
                                                        Max Count: 0
                                                        Offset: 0
                                                        Actual Count: 0
                                                Home Dir
                                                    Length: 0
                                                    Size: 0
                                                    Character Array
                                                        Referent ID: 0x00020014
                                                        Max Count: 0
                                                        Offset: 0
                                                        Actual Count: 0
                                                Dir Drive
                                                    Length: 0
                                                    Size: 0
                                                    Character Array
                                                        Referent ID: 0x00020018
                                                        Max Count: 0
                                                        Offset: 0
                                                        Actual Count: 0
                                                Logon Count: 0
                                                Bad PW Count: 0
                                                User RID: 1110
                                                Group RID: 515
                                                Num RIDs: 0
                                                (NULL pointer) GROUP_MEMBERSHIP_ARRAY
                                                User Flags: 0x00000000
                                                    .... .... .... .... .... ..0. .... .... = Resource Groups: The resource_groups is NOT set
                                                    .... .... .... .... .... .... ..0. .... = Extra SIDs: The extra_sids is NOT set
                                                User Session Key: 00000000000000000000000000000000
                                                Server: MASTER
                                                    Length: 12
                                                    Size: 14
                                                    Character Array: MASTER
                                                        Referent ID: 0x0002001c
                                                        Max Count: 7
                                                        Offset: 0
                                                        Actual Count: 6
                                                        Server: MASTER
                                                Domain: FOUR
                                                    Length: 8
                                                    Size: 10
                                                    Character Array: FOUR
                                                        Referent ID: 0x00020020
                                                        Max Count: 5
                                                        Offset: 0
                                                        Actual Count: 4
                                                        Domain: FOUR
                                                SID pointer:
                                                    SID pointer
                                                        Referent ID: 0x00020024
                                                        Count: 4
                                                        Domain SID: S-1-5-21-1528294070-983756076-781214264 (Domain SID)
                                                            Revision: 1
                                                            Num Auth: 4
                                                            Authority: 5
                                                            Subauthorities: 21-1528294070-983756076-781214264
                                                Dummy1 Long: 0x00000000
                                                Dummy2 Long: 0x00000000
                                                User Account Control: 0x00000080
                                                    .... .... .... ...0 .... .... .... .... = Don't Require PreAuth: This account REQUIRES preauthentication
                                                    .... .... .... .... 0... .... .... .... = Use DES Key Only: This account does NOT have to use_des_key_only
                                                    .... .... .... .... .0.. .... .... .... = Not Delegated: This might have been delegated
                                                    .... .... .... .... ..0. .... .... .... = Trusted For Delegation: This account is NOT trusted_for_delegation
                                                    .... .... .... .... ...0 .... .... .... = SmartCard Required: This account does NOT require_smartcard to authenticate
                                                    .... .... .... .... .... 0... .... .... = Encrypted Text Password Allowed: This account does NOT allow encrypted_text_password
                                                    .... .... .... .... .... .0.. .... .... = Account Auto Locked: This account is NOT auto_locked
                                                    .... .... .... .... .... ..0. .... .... = Don't Expire Password: This account might expire_passwords
                                                    .... .... .... .... .... ...0 .... .... = Server Trust Account: This account is NOT a server_trust_account
                                                    .... .... .... .... .... .... 1... .... = Workstation Trust Account: This account is a WORKSTATION_TRUST_ACCOUNT
                                                    .... .... .... .... .... .... .0.. .... = Interdomain trust Account: This account is NOT an interdomain_trust_account
                                                    .... .... .... .... .... .... ..0. .... = MNS Logon Account: This account is NOT a mns_logon_account
                                                    .... .... .... .... .... .... ...0 .... = Normal Account: This account is NOT a normal_account
                                                    .... .... .... .... .... .... .... 0... = Temp Duplicate Account: This account is NOT a temp_duplicate_account
                                                    .... .... .... .... .... .... .... .0.. = Password Not Required: This account REQUIRES a password
                                                    .... .... .... .... .... .... .... ..0. = Home Directory Required: This account does NOT require_home_directory
                                                    .... .... .... .... .... .... .... ...0 = Account Disabled: This account is NOT disabled
                                                Dummy4 Long: 0x00000000
                                                Dummy5 Long: 0x00000000
                                                Dummy6 Long: 0x00000000
                                                Dummy7 Long: 0x00000000
                                                Dummy8 Long: 0x00000000
                                                Dummy9 Long: 0x00000000
                                                Dummy10 Long: 0x00000000
                                                Num Extra SID: 0
                                                (NULL pointer) SID_AND_ATTRIBUTES_ARRAY:
                                                SID pointer:
                                                    (NULL pointer) SID pointer
                                                ResourceGroup count: 0
                                                (NULL pointer) ResourceGroupIDs
                                    Type: Client Info Type (10)
                                        Size: 26
                                        Offset: 472
                                        PAC_CLIENT_INFO_TYPE: 806feb48dda9d0011000570049004e003700500052004f00...
                                            ClientID: Jun 18, 2015 17:41:47.000000000 CEST
                                            Name Length: 16
                                            Name: WIN7PRO$
                                    Type: Server Checksum (6)
                                        Size: 20
                                        Offset: 504
                                        PAC_SERVER_CHECKSUM: 76ffffff37313972849103dd4babe27c72458572
                                            Type: -138
                                            Signature: 37313972849103dd4babe27c72458572
                                    Type: Privsvr Checksum (7)
                                        Size: 20
                                        Offset: 528
                                        PAC_PRIVSVR_CHECKSUM: 76ffffff188c84768636bc56b88af0a54730e124
                                            Type: -138
                                            Signature: 188c84768636bc56b88af0a54730e124
                    AuthorizationData AD-IF-RELEVANT
                        Type: AD-IF-RELEVANT (1)
                        Data: 3031302fa00402020200a12704253023a003020117a11c30...
                            IF_RELEVANT 0x200
                                Type: Unknown (512)
                                Data: 3023a003020117a11c301aa0040202ff76a11204101d95d8...
    enc-part rc4-hmac
        Encryption type: rc4-hmac (23)
        Kvno: 2
        enc-part: ee36e7f885480cebfb328323949c719844246c477c88fb7a...
            [Decrypted using: keytab principal WIN7PRO$@FOUR.TEST]
            EncKDCRepPart
                key rc4-hmac
                    Key type: rc4-hmac (23)
                    Key value: bc465084e8a073b750b20bfee0df0821
                LastReqs:
                    LastReq
                        Lr-type: No information available (0)
                        Lr-time: 1970-01-01 00:00:00 (UTC)
                Nonce: 1230888471
                Padding: 0
                Ticket Flags (Forwardable, Renewable, Initial, Pre-Auth)
                    .1.. .... .... .... .... .... .... .... = Forwardable: FORWARDABLE tickets are allowed/requested
                    ..0. .... .... .... .... .... .... .... = Forwarded: This is NOT a forwarded ticket
                    ...0 .... .... .... .... .... .... .... = Proxiable: Do NOT use proxiable tickets
                    .... 0... .... .... .... .... .... .... = Proxy: This ticket has NOT been proxied
                    .... .0.. .... .... .... .... .... .... = Allow Postdate: We do NOT allow the ticket to be postdated
                    .... ..0. .... .... .... .... .... .... = Postdated: This ticket is NOT postdated
                    .... ...0 .... .... .... .... .... .... = Invalid: This ticket is NOT invalid
                    .... .... 1... .... .... .... .... .... = Renewable: This ticket is RENEWABLE
                    .... .... .1.. .... .... .... .... .... = Initial: This ticket was granted by AS and not TGT protocol
                    .... .... ..1. .... .... .... .... .... = Pre-Auth: The client was PRE-AUTHenticated
                    .... .... ...0 .... .... .... .... .... = HW-Auth: The client was NOT authenticated using hardware
                    .... .... .... 0... .... .... .... .... = Transited Policy Checked: Kdc has NOT performed transited policy checking
                    .... .... .... .0.. .... .... .... .... = Ok As Delegate: This ticket is NOT ok as a delegated ticket
                Authtime: 2015-06-18 15:41:47 (UTC)
                End time: 2015-06-19 01:41:47 (UTC)
                Renew-till: 2015-06-25 15:41:47 (UTC)
                Realm: FOUR.TEST
                Server Name (Service and Instance): krbtgt/FOUR.TEST
                    Name-type: Service and Instance (2)
                    Name: krbtgt
                    Name: FOUR.TEST
                HostAddresses: WIN7PRO<20>
                    HostAddress WIN7PRO<20>
                        Addr-type: NETBIOS (20)
                        NetBIOS Name: WIN7PRO<20> (Server service)