We are trying to find a way to identify applications that are using NTLM and was thinking DCRUM might be able to do it as we can inspect the packet headers. The problem is I am not seeing NTLM identifiers anywhere, and was wondering if that is by design that DCRUM filters away that traffic.
For HTTP traffic, I usually follow the 401 (unauthorized) errors. In the 3-way handshake NTLM uses to authenticate a web user, each server response has a 401 response code, so services using NTLM authentication will have high numbers of 401 errors (2 per authentication). Once authenticated, the server responds with the requested content and (typically) a 200 response code.
Proxy servers will start with a 407 (proxy authentication required) error. But that isn't specific enough to determine NTLM - it'll behave the same for basic authentication too.
If you wanted to be more specific, you'd have to configure your software services to extract the header info into a misc parameter to count them.
You'll want to look for the header:
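The heuristic described in the answer above (count 401/407 challenges per service, then check the authentication header to tell NTLM from Basic), as an added example that is not part of the original thread and not DCRUM code. The transaction log format is constructed for illustration and is not a DCRUM export; the header names `WWW-Authenticate` / `Proxy-Authenticate` and the `NTLMSSP` signature at the start of every NTLM token come from the NTLM-over-HTTP specification, not from the page. It also handles the case the answer hints at: a `Negotiate` challenge can carry Kerberos or NTLM, so only a token that decodes to `NTLMSSP\0` is counted as NTLM.

```python
"""Count HTTP auth challenges per service and spot NTLM handshakes.

Added example for the thread above; not DCRUM code. The transaction
records below are constructed (server, status, header name, header value).
"""
import base64
from collections import defaultdict
from dataclasses import dataclass, field

# NTLM type 1/2/3 messages all start with this 8-byte signature (public spec).
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"

# Constructed sample: the challenge (WWW-Authenticate / Proxy-Authenticate)
# seen on each response, empty when the response carried none.
SAMPLE_TRANSACTIONS = [
    # NTLM 3-way handshake against an intranet app: two 401s, then a 200
    ("intranet.example", 401, "WWW-Authenticate", "NTLM"),
    ("intranet.example", 401, "WWW-Authenticate", "NTLM TlRMTVNTUAACAAAA"),
    ("intranet.example", 200, "", ""),
    # Same handshake wrapped in Negotiate (SPNEGO carrying an NTLMSSP token)
    ("sharepoint.example", 401, "WWW-Authenticate", "Negotiate"),
    ("sharepoint.example", 401, "WWW-Authenticate", "Negotiate TlRMTVNTUAACAAAA"),
    ("sharepoint.example", 200, "", ""),
    # Basic auth: a single 401 challenge, then 200
    ("legacy.example", 401, "WWW-Authenticate", 'Basic realm="legacy"'),
    ("legacy.example", 200, "", ""),
    # Proxy: 407 challenge, but Basic, so not NTLM despite the challenge
    ("proxy.example", 407, "Proxy-Authenticate", 'Basic realm="proxy"'),
    ("proxy.example", 200, "", ""),
    ("public.example", 200, "", ""),
]


def token_is_ntlmssp(token: str) -> bool:
    """True if a base64 auth token decodes to an NTLMSSP message."""
    try:
        raw = base64.b64decode(token + "=" * (-len(token) % 4))
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return raw.startswith(NTLMSSP_SIGNATURE)


def auth_scheme(header_value: str) -> str:
    """Classify a challenge header value: 'ntlm', 'negotiate', 'basic', 'other' or ''."""
    if not header_value:
        return ""
    scheme, _, token = header_value.partition(" ")
    scheme = scheme.lower()
    if scheme == "ntlm":
        return "ntlm"
    if scheme == "negotiate":
        # SPNEGO may carry Kerberos or NTLM; only the NTLMSSP signature proves NTLM.
        return "ntlm" if token_is_ntlmssp(token.strip()) else "negotiate"
    if scheme == "basic":
        return "basic"
    return "other"


@dataclass
class ServiceStats:
    """Per-service status-code counts and the auth schemes observed."""
    status_counts: dict = field(default_factory=lambda: defaultdict(int))
    schemes: set = field(default_factory=set)

    def challenges(self) -> int:
        return self.status_counts[401] + self.status_counts[407]

    def classify(self) -> str:
        if "ntlm" in self.schemes:
            return "ntlm"
        if "negotiate" in self.schemes:
            return "negotiate (kerberos or ntlm, no NTLMSSP token seen)"
        if "basic" in self.schemes:
            return "basic"
        if self.challenges():
            return "unknown challenge"
        return "no auth challenge"


def summarise(transactions):
    """Aggregate transactions into ServiceStats keyed by server name."""
    stats = defaultdict(ServiceStats)
    for server, status, _header_name, header_value in transactions:
        entry = stats[server]
        entry.status_counts[status] += 1
        scheme = auth_scheme(header_value)
        if scheme:
            entry.schemes.add(scheme)
    return stats


if __name__ == "__main__":
    for server, entry in sorted(summarise(SAMPLE_TRANSACTIONS).items()):
        print(f"{server:20} 401={entry.status_counts[401]} 407={entry.status_counts[407]} "
              f"200={entry.status_counts[200]} -> {entry.classify()}")
```

Run against a real transaction export, the `challenges()` count per service is the "high number of 401s" signal from the answer; the scheme check is what separates NTLM from Basic when a 407 or 401 alone is ambiguous.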