This response tells us that the client and the server are negotiating an NTLM connection. 'What does this tell us? We can see that the Authorization header is set to 'Negotiate' and we can see a long string of characters sent in that header. HTTP: Authorization = Negotiate TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAA HTTP: User-Agent = Mozilla/4.0 (compatible MSIE 6.0 Windows NT 5.1 SV1. HTTP: Accept = image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd. HTTP: Uniform Resource Identifier = /webapplication1/webform1.aspx
HTTP: GET Request (from client using port 3135) Here is a snippet from the frame that sends authentication information from the client: 23 4294967263.4294641621 LOCAL 00045A420DBC HTTP GET Request (from client using port 3135) 192.168.0.2 192.168.0.4 IP 'Since we are looking over this trace to see if the client is sending authentication information, we can use the TCP segments to track the HTTP GET requests and the response from the server. Determine if HTTP authentication is NTLM or Kerberos
