Frame 5321: Packet, 306 bytes on wire (2448 bits), 306 bytes captured (2448 bits)
    Encapsulation type: Ethernet (1)
    Arrival Time: Mar 19, 2019 02:11:09.417532000 UTC
    UTC Arrival Time: Mar 19, 2019 02:11:09.417532000 UTC
    Epoch Arrival Time: 1552961469.417532000
    [Time shift for this packet: 0.000000000 seconds]
    [Time delta from previous captured frame: 1.293000 milliseconds]
    [Time since reference or first frame: 26 minutes, 13.780766000 seconds]
    Frame Number: 5321
    Frame Length: 306 bytes (2448 bits)
    Capture Length: 306 bytes (2448 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ethertype:ip:tcp:dcerpc:spnego-krb5:spnego-krb5]
    Character encoding: ASCII (0)
Ethernet II, Src: Intel_57:2b:42 (64:32:a8:57:2b:42), Dst: Dell_c2:09:6a (a4:1f:72:c2:09:6a)
    Destination: Dell_c2:09:6a (a4:1f:72:c2:09:6a)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: Intel_57:2b:42 (64:32:a8:57:2b:42)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IPv4 (0x0800)
    [Stream index: 1]
Internet Protocol Version 4, Src: 10.0.90.215, Dst: 10.0.90.9
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
        0000 00.. = Differentiated Services Codepoint: Default (0)
        .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
    Total Length: 292
    Identification: 0x07e7 (2023)
    010. .... = Flags: 0x2, Don't fragment
        0... .... = Reserved bit: Not set
        .1.. .... = Don't fragment: Set
        ..0. .... = More fragments: Not set
    ...0 0000 0000 0000 = Fragment Offset: 0
    Time to Live: 128
    Protocol: TCP (6)
    Header Checksum: 0xb55d [validation disabled]
    [Header checksum status: Unverified]
    Source Address: 10.0.90.215
    Destination Address: 10.0.90.9
    [Stream index: 1]
Transmission Control Protocol, Src Port: 49231, Dst Port: 49155, Seq: 2119, Ack: 389, Len: 252
    Source Port: 49231
    Destination Port: 49155
    [Stream index: 75]
    [Stream Packet Number: 10]
    [Conversation completeness: Incomplete, DATA (15)]
        ..0. .... = RST: Absent
        ...0 .... = FIN: Absent
        .... 1... = Data: Present
        .... .1.. = ACK: Present
        .... ..1. = SYN-ACK: Present
        .... ...1 = SYN: Present
        [Completeness Flags: ··DASS]
    [TCP Segment Len: 252]
    Sequence Number: 2119 (relative sequence number)
    Sequence Number (raw): 3543316655
    [Next Sequence Number: 2371 (relative sequence number)]
    Acknowledgment Number: 389 (relative ack number)
    Acknowledgment number (raw): 1634378442
    0101 .... = Header Length: 20 bytes (5)
    Flags: 0x018 (PSH, ACK)
        000. .... .... = Reserved: Not set
        ...0 .... .... = Accurate ECN: Not set
        .... 0... .... = Congestion Window Reduced: Not set
        .... .0.. .... = ECN-Echo: Not set
        .... ..0. .... = Urgent: Not set
        .... ...1 .... = Acknowledgment: Set
        .... .... 1... = Push: Set
        .... .... .0.. = Reset: Not set
        .... .... ..0. = Syn: Not set
        .... .... ...0 = Fin: Not set
        [TCP Flags: ·······AP···]
    Window: 255
    [Calculated window size: 65280]
    [Window size scaling factor: 256]
    Checksum: 0x1184 [unverified]
    [Checksum Status: Unverified]
    Urgent Pointer: 0
    [Timestamps]
        [Time since first frame in this TCP stream: 3.336000 milliseconds]
        [Time since previous frame in this TCP stream: 1.293000 milliseconds]
    [SEQ/ACK analysis]
        [This is an ACK to the segment in frame: 5320]
        [The RTT to ACK the segment was: 1.293000 milliseconds]
        [iRTT: 351.000 microseconds]
        [Bytes in flight: 252]
        [Bytes sent since last PSH flag: 252]
    [Client Contiguous Streams: 1]
    [Server Contiguous Streams: 1]
    TCP payload (252 bytes)
    [PDU Size: 252]
Distributed Computing Environment / Remote Procedure Call (DCE/RPC) Request, Fragment: Single, FragLen: 252, Call: 2, Ctx: 1
    Version: 5
    Version (minor): 0
    Packet type: Request (0)
    Packet Flags: 0x03
        0... .... = Object: Not set
        .0.. .... = Maybe: Not set
        ..0. .... = Did Not Execute: Not set
        ...0 .... = Multiplex: Not set
        .... 0... = Reserved: Not set
        .... .0.. = Cancel Pending: Not set
        .... ..1. = Last Frag: Set
        .... ...1 = First Frag: Set
    Data Representation: 10000000 (Order: Little-endian, Char: ASCII, Float: IEEE)
        Byte order: Little-endian (1)
        Character: ASCII (0)
        Floating-point: IEEE (0)
    Frag Length: 252
    Auth Length: 76
    Call ID: 2
    Alloc hint: 144
    Context ID: 1
    Opnum: 0
    Auth Info: SPNEGO, Packet privacy, AuthContextId(0)
        Auth type: SPNEGO (9)
        Auth level: Packet privacy (6)
        Auth pad len: 0
        Auth Rsrvd: 0
        Auth Context ID: 0
    GSS-API Generic Security Service Application Program Interface
        krb5_blob: 050406ff0010001c0000000000111b05b0f3155e581977df7de915ed1f46216f4753164773af527f5eff33e51809b05b1fbcd59e98d27f9c40f7e5f4919b1c45c11f9cf19058249416fb6e3b
            krb5_tok_id: KRB_TOKEN_CFX_WRAP (0x0405)
            krb5_cfx_flags: 0x06, AcceptorSubkey, Sealed
                .... .1.. = AcceptorSubkey: Set
                .... ..1. = Sealed: Set
                .... ...0 = SendByAcceptor: Not set
            krb5_filler: ff
            krb5_cfx_ec: 16
            krb5_cfx_rrc: 28
            krb5_cfx_seq: 1121029
            krb5_sgn_cksum: b0f3155e581977df7de915ed1f46216f4753164773af527f5eff33e51809b05b1fbcd59e98d27f9c40f7e5f4919b1c45c11f9cf19058249416fb6e3b
Active Directory Replication, DsBind
    Operation: DsBind (0)
    Encrypted stub data […]: ca50ce96ac45d9c44bb8d719ccc92c5fc1994129034138c29407998471ea264df976da96d981f88c571758552c492060cc6b384e1b197d9eb582c68419d565ff55b178ad72f188de2f20ef0371ddc7def857fe868e59b4d2f026c42355cee4296f7c42855e9a5ed1d82a