Showing results for 
Show  only  | Search instead for 
Did you mean: 

Has anyone found a good way to track NTLM traffic in DCRUM


We are trying to find a way to identify applications that are using NTLM and was thinking DCRUM might be able to do it as we can inspect the Packet headers. The problem is I am not seeing NTLM identifiers any where, and was wondering if that is by design that DCRUM filters away that traffic.




Dynatrace Pro
Dynatrace Pro

For HTTP traffic, I usually follow the 401 (unauthorized) errors. As the 3-way handshake NTLM uses to authenticate a web user each server response has a 401 response code, so services using NTLM authentication will have high numbers of 401 errors (2 per authentication). Once authenticated, the server responds with the requested content and (typically) a 200 response code.

Proxy servers will start with a 407 (proxy authentication required) error. But that isn't specific enough to determine NTLM - it'll behave the same for basic authentication too.

If you wanted to be more specific, you'd have to configure your software services to extract the header info into a misc parameter to count them.

You'll want to look for the header:

NTLMAuthorization: NTLM