On any computer that has DNS configured to use the AD DNS server, do:
Replace DOMAIN_NAME with the actual domain name, e.g. example.com. Read more here.
Ping packets should use an ICMP type of 8 (echo) or 0 (echo reply), so you could use a capture filter of:
icmp
and a display filter of:
icmp.type == 8 || icmp.type == 0
For HTTP, you can use a capture filter of:
tcp port 80
or a display filter of:
tcp.port == 80
or:
http
Note that a filter of http is not equivalent to the other two, which will include handshake and termination packets.
If you want to measure the number of connections rather than the amount of data, you can limit the capture or display filters to one side of the communication. For example, to capture only packets sent to port 80, use:
tcp dst port 80
Couple that with an http display filter, or use:
tcp.dstport == 80 && http
For more on capture filters, read "Filtering while capturing" from the Wireshark user guide, the capture filters page on the Wireshark wiki, or the pcap-filter(7) man page. For display filters, try the display filters page on the Wireshark wiki. The "Filter Expression" dialog box can help you build display filters.
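To make the difference between the filters in the answer above concrete, here is an added example (not part of the original answer, and not Wireshark code) that builds a handful of raw IPv4 packets and counts how many each filter would match. The packets, the addresses 192.0.2.10 / 198.51.100.80 and the client ports are all constructed for the example; the "http" match is approximated by looking for a request method or "HTTP/1." at the start of the TCP payload, whereas Wireshark's real http filter is the decision of its HTTP dissector. The last filter, a bare SYN to port 80, is the per-connection count the answer mentions, expressed as a display filter.

```python
"""Count matches for the Wireshark filters discussed above on constructed packets.

Added example, not from the original answer. Packet builders are minimal
(no checksums, no options) because the filters only look at addresses,
ports, flags and the start of the payload.
"""
import ipaddress
import struct

ICMP, TCP = 1, 6                     # IP protocol numbers
FIN, SYN, ACK = 0x01, 0x02, 0x10     # TCP flag bits
ECHO_REQUEST, ECHO_REPLY = 8, 0      # ICMP types used by ping


def ipv4(proto, src, dst, payload):
    """Minimal IPv4 header (IHL 5, zero checksum) followed by the payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def icmp(icmp_type):
    """ICMP header: type, code, checksum, identifier, sequence, plus some data."""
    return struct.pack("!BBHHH", icmp_type, 0, 0, 1, 1) + b"abcdefgh"


def tcp(sport, dport, flags, payload=b""):
    """TCP header with data offset 5 (20 bytes, no options) and zero checksum."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags,
                       65535, 0, 0) + payload


def parse(pkt):
    """Pull out the fields the filters need from one raw IPv4 packet."""
    if len(pkt) < 20 or (pkt[0] >> 4) != 4:
        return {}
    ihl = (pkt[0] & 0x0F) * 4
    fields = {"proto": pkt[9],
              "src": str(ipaddress.IPv4Address(pkt[12:16])),
              "dst": str(ipaddress.IPv4Address(pkt[16:20]))}
    body = pkt[ihl:]
    if fields["proto"] == ICMP and len(body) >= 8:
        fields["icmp_type"] = body[0]
    elif fields["proto"] == TCP and len(body) >= 20:
        sport, dport = struct.unpack("!HH", body[:4])
        doff = (body[12] >> 4) * 4
        fields.update(sport=sport, dport=dport, flags=body[13], payload=body[doff:])
    return fields


# Heuristic stand-in for Wireshark's HTTP dissector (assumption, see lead-in).
HTTP_STARTS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"HTTP/1.")


def f_icmp_ping(f):       # icmp.type == 8 || icmp.type == 0
    return f.get("icmp_type") in (ECHO_REQUEST, ECHO_REPLY)


def f_tcp_port_80(f):     # tcp.port == 80: both directions, handshake and teardown too
    return f.get("proto") == TCP and 80 in (f.get("sport"), f.get("dport"))


def f_http(f):            # http: only segments that start an HTTP message
    return f.get("proto") == TCP and f.get("payload", b"").startswith(HTTP_STARTS)


def f_http_to_80(f):      # tcp.dstport == 80 && http: one side of the conversation
    return f.get("dport") == 80 and f_http(f)


def f_syn_to_80(f):       # bare SYN to port 80: one packet per connection attempt
    return f.get("dport") == 80 and (f.get("flags", 0) & (SYN | ACK)) == SYN


FILTERS = {
    "icmp.type == 8 || icmp.type == 0": f_icmp_ping,
    "tcp.port == 80": f_tcp_port_80,
    "http": f_http,
    "tcp.dstport == 80 && http": f_http_to_80,
    "tcp.dstport == 80 && tcp.flags.syn == 1 && tcp.flags.ack == 0": f_syn_to_80,
}


def summarize(packets):
    """Return {display filter: number of packets it matches}."""
    parsed = [parse(p) for p in packets]
    return {name: sum(1 for f in parsed if pred(f)) for name, pred in FILTERS.items()}


# Constructed sample capture: one ping exchange, one complete HTTP connection,
# one connection that never got a response, and one unrelated TLS segment.
CLIENT, SERVER = "192.0.2.10", "198.51.100.80"


def http_conversation(cport, complete=True):
    pkts = [ipv4(TCP, CLIENT, SERVER, tcp(cport, 80, SYN)),
            ipv4(TCP, SERVER, CLIENT, tcp(80, cport, SYN | ACK)),
            ipv4(TCP, CLIENT, SERVER, tcp(cport, 80, ACK)),
            ipv4(TCP, CLIENT, SERVER, tcp(cport, 80, ACK,
                 b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"))]
    if complete:
        pkts += [ipv4(TCP, SERVER, CLIENT, tcp(80, cport, ACK,
                      b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n")),
                 ipv4(TCP, CLIENT, SERVER, tcp(cport, 80, FIN | ACK)),
                 ipv4(TCP, SERVER, CLIENT, tcp(80, cport, FIN | ACK))]
    return pkts


SAMPLE = ([ipv4(ICMP, CLIENT, SERVER, icmp(ECHO_REQUEST)),
           ipv4(ICMP, SERVER, CLIENT, icmp(ECHO_REPLY))]
          + http_conversation(40001)
          + http_conversation(40002, complete=False)
          + [ipv4(TCP, CLIENT, SERVER, tcp(40003, 443, ACK, b"\x16\x03\x01"))])

if __name__ == "__main__":
    for name, count in summarize(SAMPLE).items():
        print(f"{count:3d}  {name}")
```

On the sample above, tcp.port == 80 matches all 11 segments of the two connections, http matches only the three segments carrying a request or response line, tcp.dstport == 80 && http drops to the two requests, and the bare-SYN filter gives the two connection attempts regardless of how much data followed. The ICMP and TLS packets never match the HTTP filters.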
Best Answer
Capturing login information can be tricky. There are a couple of ways of getting at this information, but part of it depends on how replicable the problem is. If it is widespread, spinning up a virtual machine and doing the sniffing on the host machine will get you what you need. If it is limited to certain areas or certain machines, you'll probably have to set up a SPAN port on your network switch and sniff from another machine on the same switch. I've done it both ways.
Another method is possible, and that's to run the sniffer on all of your domain controllers with a capture filter of the IP address of the machine in question. It isn't as optimal as using a SPAN port would be, but it would at least profile machine/DC communication.
Microsoft Netmon is a pretty powerful tool for capturing Microsoft login problems, though in my opinion Wireshark's decode suite is better equipped overall.