RDP Direct Connection with NLA Remote Desktop Client Network Trace
Summary:
This article contains network traces, taken from the client machine, of the Remote Desktop Protocol connection sequence for a direct connection (not through an RDS Gateway) to the server machine. Please see parent articles [[articles:Remote Desktop Services RDS Logon Connectivity Overview]] and [[articles:RDP Direct Connection Process with NLA Enabled]] for additional information.
RDS client network relevant traces:
LOGON
RDS Client queries DNS for RDS Server

| Time Of Day | TCP Frame Flags | Source | Source Port | Destination | Destination Port | Protocol | Description |
|---|---|---|---|---|---|---|---|
| 21:21:05.693 | | RDS Client | 62562 (0xF462) | AD Server | 53 (0x35) | DNS | DNS:QueryId = 0x67B6, QUERY (Standard query), Query for ara-rds-2.rds-ms.lab of type Host Addr on class Internet |
| 21:21:05.696 | | AD Server | 53 (0x35) | RDS Client | 62562 (0xF462) | DNS | DNS:QueryId = 0x67B6, QUERY (Standard query), Response - Success, 10.0.0.7 |

RDS Client connects via TCP to port 3389 on RDS Server and sets up secure connection.

| Time Of Day | TCP Frame Flags | Source | Source Port | Destination | Destination Port | Protocol | Description |
|---|---|---|---|---|---|---|---|
| 21:21:05.815 | Connected | RDS Client | 49964 (0xC32C) | RDS Server | 3389 (0xD3D) | TCP | TCP: [Bad CheckSum]Flags=CE....S., SrcPort=49964, DstPort=MS WBT Server(3389), PayloadLen=0, Seq=2744352433, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192 |
| 21:21:05.823 | Connected | RDS Client | 49964 (0xC32C) | RDS Server | 3389 (0xD3D) | X224 | X224:Connection Request |
| 21:21:05.832 | Connected | RDS Server | 3389 (0xD3D) | RDS Client | 49964 (0xC32C) | X224 | X224:Connection Confirm |

User enters credentials on RDS Client and connects to AD Server using Kerberos to request a Kerberos ticket for the connection to RDS Server.

| Time Of Day | TCP Frame Flags | Source | Source Port | Destination | Destination Port | Protocol | Description |
|---|---|---|---|---|---|---|---|
| 21:21:05.992 | Connected | RDS Client | 49965 (0xC32D) | AD Server | 135 (0x87) | TCP | TCP: [Bad CheckSum]Flags=CE....S., SrcPort=49965, DstPort=DCE endpoint resolution(135), PayloadLen=0, Seq=2250817025, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192 |
| 21:21:11.733 | Connected | RDS Client | 49967 (0xC32F) | AD Server | 88 (0x58) | TCP | TCP: [Bad CheckSum]Flags=CE....S., SrcPort=49967, DstPort=Kerberos(88), PayloadLen=0, Seq=4159590075, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192 |
| 21:21:11.736 | FinWait1 | RDS Client | 49967 (0xC32F) | AD Server | 88 (0x58) | TCP | TCP: [Bad CheckSum]Flags=...A...F, SrcPort=49967, DstPort=Kerberos(88), PayloadLen=0, Seq=4159590292, Ack=754768760, Win=514 (scale factor 0x8) = 131584 |
| 21:21:11.766 | Connected | RDS Client | 49968 (0xC330) | AD Server | 88 (0x58) | TCP | TCP: [Bad CheckSum]Flags=CE....S., SrcPort=49968, DstPort=Kerberos(88), PayloadLen=0, Seq=1072050558, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192 |
| 21:21:11.773 | FinWait1 | RDS Client | 49968 (0xC330) | AD Server | 88 (0x58) | TCP | TCP: [Bad CheckSum]Flags=...A...F, SrcPort=49968, DstPort=Kerberos(88), PayloadLen=0, Seq=1072050855, Ack=1478771567, Win=4121 (scale factor 0x8) = 1054976 |
| 21:21:11.774 | Connected | RDS Client | 49969 (0xC331) | AD Server | 88 (0x58) | TCP | TCP: [Bad CheckSum]Flags=CE....S., SrcPort=49969, DstPort=Kerberos(88), PayloadLen=0, Seq=301489683, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192 |
| 21:21:11.780 | FinWait1 | RDS Client | 49969 (0xC331) | AD Server | 88 (0x58) | TCP | TCP: [Bad CheckSum]Flags=...A...F, SrcPort=49969, DstPort=Kerberos(88), PayloadLen=0, Seq=301491173, Ack=1497100681, Win=4121 (scale factor 0x8) = 1054976 |
| 21:21:11.909 | Connected | RDS Client | 49970 (0xC332) | AD Server | 88 (0x58) | TCP | TCP: [Bad CheckSum]Flags=CE....S., SrcPort=49970, DstPort=Kerberos(88), PayloadLen=0, Seq=1465008613, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192 |
| 21:21:11.916 | FinWait1 | RDS Client | 49970 (0xC332) | AD Server | 88 (0x58) | TCP | TCP: [Bad CheckSum]Flags=...A...F, SrcPort=49970, DstPort=Kerberos(88), PayloadLen=0, Seq=1465011160, Ack=3860900224, Win=4121 (scale factor 0x8) = 1054976 |

RDS Client connects via TCP to port 3389 on RDS Server. UDP is enabled by default and is initialized.

| Time Of Day | TCP Frame Flags | Source | Source Port | Destination | Destination Port | Protocol | Description |
|---|---|---|---|---|---|---|---|
| 21:21:12.067 | | RDS Client | 56532 (0xDCD4) | RDS Server | 3389 (0xD3D) | UDP | UDP:SrcPort = 56532, DstPort = MS WBT Server(3389), Length = 1240 |
| 21:21:12.069 | | RDS Client | 56533 (0xDCD5) | RDS Server | 3389 (0xD3D) | UDP | UDP:SrcPort = 56533, DstPort = MS WBT Server(3389), Length = 1240 |
| 21:21:12.075 | | RDS Server | 3389 (0xD3D) | RDS Client | 56532 (0xDCD4) | UDP | UDP:SrcPort = MS WBT Server(3389), DstPort = 56532, Length = 1240 |
| 21:21:12.075 | | RDS Server | 3389 (0xD3D) | RDS Client | 56533 (0xDCD5) | UDP | UDP:SrcPort = MS WBT Server(3389), DstPort = 56533, Length = 1240 |
| 21:21:20.320 | FinWait1 | RDS Client | 49965 (0xC32D) | AD Server | 135 (0x87) | TCP | TCP: [Bad CheckSum]Flags=...A...F, SrcPort=49965, DstPort=DCE endpoint resolution(135), PayloadLen=0, Seq=2250817354, Ack=981629007, Win=4119 (scale factor 0x8) = 1054464 |

DISCONNECT
Client Disconnects.

| Time Of Day | TCP Frame Flags | Source | Source Port | Destination | Destination Port | Protocol | Description |
|---|---|---|---|---|---|---|---|
| 21:22:15.408 | Disconnected | RDS Client | 49964 (0xC32C) | RDS Server | 3389 (0xD3D) | TCP | TCP: [Bad CheckSum]Flags=...A.R.., SrcPort=49964, DstPort=MS WBT Server(3389), PayloadLen=0, Seq=2744392872, Ack=823247208, Win=0 (scale factor 0x8) = 0 |

RECONNECT
RDS Client connects via TCP to port 3389 on RDS Server and sets up secure connection.

| Time Of Day | TCP Frame Flags | Source | Source Port | Destination | Destination Port | Protocol | Description |
|---|---|---|---|---|---|---|---|
| 21:23:06.018 | Connected | RDS Client | 49972 (0xC334) | RDS Server | 3389 (0xD3D) | TCP | TCP: [Bad CheckSum]Flags=CE....S., SrcPort=49972, DstPort=MS WBT Server(3389), PayloadLen=0, Seq=1621480644, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192 |
| 21:23:06.019 | Connected | RDS Client | 49972 (0xC334) | RDS Server | 3389 (0xD3D) | X224 | X224:Connection Request |
| 21:23:06.037 | Connected | RDS Server | 3389 (0xD3D) | RDS Client | 49972 (0xC334) | X224 | X224:Connection Confirm |

User enters credentials on RDS Client and connects to AD Server using Kerberos to request a Kerberos ticket for the connection to RDS Server.

| Time Of Day | TCP Frame Flags | Source | Source Port | Destination | Destination Port | Protocol | Description |
|---|---|---|---|---|---|---|---|
| 21:23:11.836 | Connected | RDS Client | 49973 (0xC335) | AD Server | 88 (0x58) | TCP | TCP: [Bad CheckSum]Flags=CE....S., SrcPort=49973, DstPort=Kerberos(88), PayloadLen=0, Seq=3599623916, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192 |
| 21:23:11.848 | FinWait1 | RDS Client | 49973 (0xC335) | AD Server | 88 (0x58) | TCP | TCP: [Bad CheckSum]Flags=...A...F, SrcPort=49973, DstPort=Kerberos(88), PayloadLen=0, Seq=3599624133, Ack=1364588059, Win=514 (scale factor 0x8) = 131584 |
| 21:23:11.877 | Connected | RDS Client | 49974 (0xC336) | AD Server | 88 (0x58) | TCP | TCP: [Bad CheckSum]Flags=CE....S., SrcPort=49974, DstPort=Kerberos(88), PayloadLen=0, Seq=2217913339, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192 |
| 21:23:11.880 | FinWait1 | RDS Client | 49974 (0xC336) | AD Server | 88 (0x58) | TCP | TCP: [Bad CheckSum]Flags=...A...F, SrcPort=49974, DstPort=Kerberos(88), PayloadLen=0, Seq=2217913636, Ack=1079976554, Win=4121 (scale factor 0x8) = 1054976 |
| 21:23:11.994 | Connected | RDS Client | 49975 (0xC337) | AD Server | 88 (0x58) | TCP | TCP: [Bad CheckSum]Flags=CE....S., SrcPort=49975, DstPort=Kerberos(88), PayloadLen=0, Seq=1138254554, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192 |
| 21:23:11.996 | FinWait1 | RDS Client | 49975 (0xC337) | AD Server | 88 (0x58) | TCP | TCP: [Bad CheckSum]Flags=...A...F, SrcPort=49975, DstPort=Kerberos(88), PayloadLen=0, Seq=1138256044, Ack=3862101505, Win=4121 (scale factor 0x8) = 1054976 |
| 21:23:12.103 | Connected | RDS Client | 49976 (0xC338) | AD Server | 88 (0x58) | TCP | TCP: [Bad CheckSum]Flags=CE....S., SrcPort=49976, DstPort=Kerberos(88), PayloadLen=0, Seq=4171954483, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192 |
| 21:23:12.112 | FinWait1 | RDS Client | 49976 (0xC338) | AD Server | 88 (0x58) | TCP | TCP: [Bad CheckSum]Flags=...A...F, SrcPort=49976, DstPort=Kerberos(88), PayloadLen=0, Seq=4171957030, Ack=3872059930, Win=4121 (scale factor 0x8) = 1054976 |

RDS Client connects via TCP to port 3389 on RDS Server. UDP is enabled by default and is initialized.

| Time Of Day | TCP Frame Flags | Source | Source Port | Destination | Destination Port | Protocol | Description |
|---|---|---|---|---|---|---|---|
| 21:23:12.247 | | RDS Client | 51187 (0xC7F3) | RDS Server | 3389 (0xD3D) | UDP | UDP:SrcPort = 51187, DstPort = MS WBT Server(3389), Length = 1240 |
| 21:23:12.249 | | RDS Client | 51188 (0xC7F4) | RDS Server | 3389 (0xD3D) | UDP | UDP:SrcPort = 51188, DstPort = MS WBT Server(3389), Length = 1240 |
| 21:23:12.255 | | RDS Server | 3389 (0xD3D) | RDS Client | 51187 (0xC7F3) | UDP | UDP:SrcPort = MS WBT Server(3389), DstPort = 51187, Length = 1240 |
| 21:23:12.255 | | RDS Server | 3389 (0xD3D) | RDS Client | 51188 (0xC7F4) | UDP | UDP:SrcPort = MS WBT Server(3389), DstPort = 51188, Length = 1240 |
| 21:23:14.429 | Disconnected | RDS Client | 49971 (0xC333) | AD Server | 445 (0x1BD) | TCP | TCP: [Bad CheckSum]Flags=...A.R.., SrcPort=49971, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=2541375903, Ack=813263356, Win=0 (scale factor 0x8) = 0 |

LOGOFF
RDS Client connects via TCP to port 3389 on RDS Server. UDP is enabled by default and is initialized.

| Time Of Day | TCP Frame Flags | Source | Source Port | Destination | Destination Port | Protocol | Description |
|---|---|---|---|---|---|---|---|
| 21:24:22.139 | Disconnected | RDS Client | 49972 (0xC334) | RDS Server | 3389 (0xD3D) | TCP | TCP: [Bad CheckSum]Flags=...A.R.., SrcPort=49972, DstPort=MS WBT Server(3389), PayloadLen=0, Seq=1621534491, Ack=2510014433, Win=0 (scale factor 0x8) = 0 |

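
The milestones traced above (DNS query, TCP open to 3389, X.224 request and confirm, Kerberos connections to port 88, UDP to 3389, closing RST) can be picked out of the Description column mechanically, which helps when comparing a problem capture against this baseline. The following Python is an added example, not part of the original article; the milestone labels and function names are hypothetical, and the sample rows are abridged from the traces on this page. A missing milestone is a prompt to look closer rather than a fault in itself: the RECONNECT trace above contains no DNS query.

```python
import re

# Constructed sample: Description values abridged from the LOGON and DISCONNECT rows on this page.
SAMPLE = [
    "DNS:QueryId = 0x67B6, QUERY (Standard query), Query for ara-rds-2.rds-ms.lab of type Host Addr on class Internet",
    "TCP: [Bad CheckSum]Flags=CE....S., SrcPort=49964, DstPort=MS WBT Server(3389), PayloadLen=0",
    "X224:Connection Request",
    "X224:Connection Confirm",
    "TCP: [Bad CheckSum]Flags=CE....S., SrcPort=49967, DstPort=Kerberos(88), PayloadLen=0",
    "TCP: [Bad CheckSum]Flags=...A...F, SrcPort=49967, DstPort=Kerberos(88), PayloadLen=0",
    "UDP:SrcPort = 56532, DstPort = MS WBT Server(3389), Length = 1240",
    "TCP: [Bad CheckSum]Flags=...A.R.., SrcPort=49964, DstPort=MS WBT Server(3389), PayloadLen=0",
]
# Milestone order as traced on this page (hypothetical labels chosen for this example).
EXPECTED = ["dns_query", "rdp_tcp_open", "x224_request", "x224_confirm", "kerberos_open", "rdp_udp"]

DST_PORT = re.compile(r"DstPort\s*=\s*(?:[^(,]*\()?(\d+)")  # "Kerberos(88)" or bare "56532"
FLAGS = re.compile(r"Flags=([A-Z.]{8})")  # A, R, S, F positions inferred from the rows on this page

def classify(desc):
    """Map one Description value to a milestone label, or None if it is not a milestone."""
    if desc.startswith("DNS:"):
        return None if "Response" in desc else "dns_query"
    if desc.startswith("X224:"):
        return "x224_request" if "Request" in desc else "x224_confirm"
    m = DST_PORT.search(desc)
    port = int(m.group(1)) if m else None
    if desc.startswith("UDP:"):
        return "rdp_udp" if port == 3389 else None
    f = FLAGS.search(desc)
    flags = f.group(1) if f else "........"
    if flags[6] == "S" and flags[3] != "A":   # bare SYN: the client opens a connection
        return {3389: "rdp_tcp_open", 88: "kerberos_open"}.get(port)
    if flags[5] == "R" and port == 3389:      # RST on the RDP connection
        return "rdp_tcp_reset"
    return None

def phases(descriptions):
    """First occurrence of each milestone, in capture order."""
    seen = []
    for d in descriptions:
        label = classify(d)
        if label and label not in seen:
            seen.append(label)
    return seen

def check_sequence(descriptions):
    """Return (missing milestones, True if the milestones present are out of order)."""
    seen = [p for p in phases(descriptions) if p in EXPECTED]
    missing = [p for p in EXPECTED if p not in seen]
    return missing, seen != [p for p in EXPECTED if p in seen]
```
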