Welcome to a series of articles about ThousandEyes!
ThousandEyes is a powerful SaaS platform that gives a digital picture of enterprise infrastructure, formed by test views, alerts, dashboards, and other components.
This article aims to dig deeper into the communication between a client and a server using the ThousandEyes Web Page Load test with NTLM authentication.
This article will cover:
- What NTLM is;
- A quick recap on how ThousandEyes Web Page Load or HTTP tests work with NTLM;
- Executing the test round while capturing the packets;
- Analyzing the packet capture from the test round.
What is NTLM?
In a Windows network, NT (New Technology) LAN Manager (NTLM) is a suite of Microsoft security protocols intended to provide authentication, integrity, and confidentiality to users. NTLM is the successor to the authentication protocol in Microsoft LAN Manager (LANMAN), an older Microsoft product. (Source: Wikipedia).
ThousandEyes Tests & NTLM:
Need a refresh on creating a Web-Page Load or HTTP test? Watch this 1-minute video:
Test-round execution, packet capture, and analysis
Now let's examine a successful test and how it appears in the tool. In the screenshot below, we see an HTTP response from the server showing "200 OK," confirming successful interaction.
We've added a red box outlining the area to view
To fully understand the interaction between the client and server, we captured the data from a test round. We filtered using cookie data to ensure we focused on the correct round and then followed the HTTP stream. This resulted in the following output (a fragment from the packet capture):
A screenshot with numbered areas we will reference in the next sections of the article
Let's highlight the most interesting parts of the communication:
In line item [1] from the image, we see that client 10.x.x.x sent the initial request in frame 13:

In line item [2], we see that server 172.x.x.x responded with HTTP 401 Unauthorized and an NTLM challenge (frame 15):

In line item [3], frame 17, we see the client now sending the NTLM AUTH message, passing credentials; the response should be in frame 350.

Finally, in line item [4], frame 350, we see the server respond with HTTP 200 OK:
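To read the same exchange from the header values of a followed HTTP stream, the added example below (not part of the original article and not ThousandEyes code) decodes the base64 NTLM messages that the `WWW-Authenticate` and `Authorization` headers carry in steps [2] and [3], using the field offsets of Microsoft's published NTLM message layout. The sample messages, the domain `LAB` and the user `te-agent` are constructed, and the decoder assumes Unicode (UTF-16LE) strings.

```python
import base64
import struct

SIG = b"NTLMSSP\x00"
NAMES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}

def _field(msg, pos):  # field descriptor = (length, max length, payload offset)
    length, _, offset = struct.unpack_from("<HHI", msg, pos)
    return msg[offset:offset + length]

def decode_ntlm_header(value):
    """Decode a WWW-Authenticate / Authorization header value that uses the NTLM scheme."""
    scheme, _, token = value.strip().partition(" ")
    if scheme.upper() != "NTLM" or not token:
        return None  # another scheme, or a bare "NTLM" offer with no message
    msg = base64.b64decode(token)
    if len(msg) < 12 or not msg.startswith(SIG):
        raise ValueError("not an NTLMSSP message")
    mtype = struct.unpack_from("<I", msg, 8)[0]
    out = {"type": NAMES.get(mtype, "UNKNOWN")}
    if mtype == 2:    # server -> client, carried in the 401 response
        out["target"] = _field(msg, 12).decode("utf-16-le")
        out["server_challenge"] = msg[24:32].hex()
    elif mtype == 3:  # client -> server, answers the challenge
        out["domain"] = _field(msg, 28).decode("utf-16-le")
        out["user"] = _field(msg, 36).decode("utf-16-le")
        out["nt_response_len"] = len(_field(msg, 20))
    return out

def sample_challenge():
    # Constructed Type 2 message: target "LAB", fixed challenge 01..08, Unicode flag.
    target = "LAB".encode("utf-16-le")
    head = SIG + struct.pack("<IHHII", 2, len(target), len(target), 48, 0x1)
    return "NTLM " + base64.b64encode(head + bytes(range(1, 9)) + bytes(16) + target).decode("ascii")

def sample_authenticate():
    # Constructed Type 3 message: domain "LAB", user "te-agent", 24 zero bytes as response.
    dom, usr, resp = "LAB".encode("utf-16-le"), "te-agent".encode("utf-16-le"), bytes(24)
    fields = struct.pack("<HHI", 0, 0, 64)                              # LM response (empty)
    fields += struct.pack("<HHI", len(resp), len(resp), 64 + len(dom) + len(usr))
    fields += struct.pack("<HHI", len(dom), len(dom), 64)
    fields += struct.pack("<HHI", len(usr), len(usr), 64 + len(dom))
    fields += struct.pack("<HHI", 0, 0, 64) * 2                         # workstation, session key
    msg = SIG + struct.pack("<I", 3) + fields + struct.pack("<I", 0x1) + dom + usr + resp
    return "NTLM " + base64.b64encode(msg).decode("ascii")

if __name__ == "__main__":
    for header in (sample_challenge(), sample_authenticate()):
        print(decode_ntlm_header(header))
```

The AUTHENTICATE message carries the domain and username in readable form, so a capture that contains it should be handled as sensitive data.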

If you have any issues with ThousandEyes tests, open a chat with ThousandEyes Customer Support; we'll be happy to help! Here is an article on getting in touch with us in only a few seconds.