Sunday, August 26, 2012

Wireshark filter to find the problem PC behind random account lockouts in AD

I have a PC residing in my office LAN which causes accounts to be locked out in AD every now and then. The tool I used to trace down the PC is Wireshark. By default it captures a huge amount of what is transmitted over the LAN, so to cut things short I used a display filter to narrow down the time spent tracing. One thing to check first: on a switched LAN your own NIC only sees its own unicast traffic, so run the capture on the domain controller itself, or on a mirrored/SPAN port, or you will not see the other PCs' Kerberos requests at all.

The steps used in Wireshark are as follows:-
1. Go to "Capture -> Options". My preference is to tick "Enable network name resolution", as it saves me time figuring out which computer name it is if the address can be resolved from DNS/WINS.
2. Pressing "Start" in the "Capture -> Options" dialog after ticking "Enable network name resolution" starts capturing network packets from the default NIC.
3. In the "Filter" (Display Filter) box, type in this expression -> "kerberos.msg.type == 10" (message type 10 is KRB_AS_REQ; on newer Wireshark releases the field is named kerberos.msg_type, so check the filter autocompletion if the expression is shown in red).
4. After typing, click on "Apply" and hopefully all is right for you to see the result as shown in the image below.
Based on the results, I only refer to the rows whose Info column displays "AS-REQ". If a certain IP address is continuously displayed in the result, there is a high chance that this PC is the one causing the problem. Bear in mind that every normal logon also produces AS-REQs (the first request is typically answered with a KRB-ERROR "KDC_ERR_PREAUTH_REQUIRED" and the client retries with pre-authentication), so what you are looking for is one host repeating AS-REQs far more often than its neighbours. A more precise filter is the KDC's replies: "kerberos.msg.type == 30" shows the KRB-ERROR packets, and error code 24 (KDC_ERR_PREAUTH_FAILED) is the bad-password reply that counts towards the lockout threshold, so the destination IP of those packets is the offending client. Once you have a candidate, track down this PC, disconnect it from the network and make sure the problem does not persist to confirm that this PC is the one.

Note: If the problem is still there, there is a chance that more than one PC is causing the problem, or that this is not the PC.
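The same ranking done offline, as an added example that is not part of the original post: instead of eyeballing the AS-REQ rows in the GUI, the capture is exported with tshark (the command in the docstring is an assumption about the field names; kerberos.CNameString exists only on newer Wireshark releases) and a short script counts, per client IP, the AS-REQs it sent, the KDC_ERR_PREAUTH_FAILED replies it received, the distinct account names it tried, and its busiest burst. The sample tshark output is constructed for the example.

```python
"""Rank LAN hosts by Kerberos AS-REQ volume and pre-auth failures.

Added example, not code from the original post. It assumes the capture
was exported with a tshark command along these lines (field names are an
assumption; older releases spell the type field kerberos.msg.type):

  tshark -r lockout.pcapng \
    -Y "kerberos.msg_type == 10 || kerberos.msg_type == 30" \
    -T fields -E separator=, \
    -e frame.time_epoch -e ip.src -e ip.dst \
    -e kerberos.msg_type -e kerberos.error_code -e kerberos.CNameString
"""
from collections import defaultdict

AS_REQ = 10             # KRB_AS_REQ: client asks the KDC for a TGT
KRB_ERROR = 30          # KRB_ERROR: KDC rejected the request
PREAUTH_FAILED = 24     # KDC_ERR_PREAUTH_FAILED: wrong password / stale key
PREAUTH_REQUIRED = 25   # KDC_ERR_PREAUTH_REQUIRED: normal first-round reply

# Constructed sample of the tshark output above. 192.168.1.10 is the KDC,
# 192.168.1.60 does one normal logon (error 25 then retry), 192.168.1.50
# hammers three accounts with wrong credentials.
SAMPLE_TSHARK_OUTPUT = """\
1345971600.001,192.168.1.60,192.168.1.10,10,,alice
1345971600.002,192.168.1.10,192.168.1.60,30,25,alice
1345971600.010,192.168.1.60,192.168.1.10,10,,alice
1345971601.000,192.168.1.50,192.168.1.10,10,,svc_backup
1345971601.001,192.168.1.10,192.168.1.50,30,24,svc_backup
1345971602.000,192.168.1.50,192.168.1.10,10,,svc_backup
1345971602.001,192.168.1.10,192.168.1.50,30,24,svc_backup
1345971603.000,192.168.1.50,192.168.1.10,10,,bob
1345971603.001,192.168.1.10,192.168.1.50,30,24,bob
1345971604.000,192.168.1.50,192.168.1.10,10,,bob
1345971604.001,192.168.1.10,192.168.1.50,30,24,bob
1345971605.000,192.168.1.50,192.168.1.10,10,,carol
1345971605.001,192.168.1.10,192.168.1.50,30,24,carol
"""


def parse_tshark_lines(lines):
    """Yield (ts, src, dst, msg_type, error_code, cname) per non-empty line."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        # pad so a trailing empty CNameString still yields six fields
        ts, src, dst, msg_type, err, cname = (line.split(",") + [""] * 6)[:6]
        yield (float(ts), src, dst, int(msg_type), int(err) if err else None, cname)


def peak_in_window(times, window):
    """Largest number of timestamps that fall inside any span of `window` seconds."""
    times = sorted(times)
    best = start = 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def rank_sources(records, window_seconds=60):
    """Attribute AS-REQs to ip.src and PREAUTH_FAILED errors to ip.dst (the client)."""
    stats = defaultdict(lambda: {"as_req": 0, "preauth_failed": 0,
                                 "accounts": set(), "req_times": []})
    for ts, src, dst, msg_type, err, cname in records:
        if msg_type == AS_REQ:
            s = stats[src]
            s["as_req"] += 1
            s["req_times"].append(ts)
            if cname:
                s["accounts"].add(cname)
        elif msg_type == KRB_ERROR and err == PREAUTH_FAILED:
            stats[dst]["preauth_failed"] += 1   # KDC -> client, so dst is the culprit
    ranked = [{
        "client": client,
        "as_req": s["as_req"],
        "preauth_failed": s["preauth_failed"],
        "accounts": sorted(s["accounts"]),
        "peak_as_req_per_window": peak_in_window(s["req_times"], window_seconds),
    } for client, s in stats.items()]
    # bad-password replies first, raw AS-REQ volume as the tie-breaker
    ranked.sort(key=lambda r: (r["preauth_failed"], r["as_req"]), reverse=True)
    return ranked


if __name__ == "__main__":
    for row in rank_sources(parse_tshark_lines(SAMPLE_TSHARK_OUTPUT.splitlines())):
        print(row)
```

The script ranks by KDC_ERR_PREAUTH_FAILED replies rather than by AS-REQ count, because every healthy logon also shows up as two AS-REQs (the pre-auth-required round trip), whereas error 24 is only produced by a wrong password or a stale cached credential, which is what actually drives the lockout counter. As with the GUI filter, it only works on a capture taken where the Kerberos traffic is visible, i.e. on the DC or a mirrored port.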

Wednesday, August 1, 2012

Onsite Engineer Toolkit Reference

For all those on-site IT engineers, this is a good point of reference to gear yourself up before attending to customer calls.

Please refer to the link below.
http://www.technibble.com/my-onsite-technician-gear/