Once you have captured packets you can use Wireshark to analyze them in many case decryption of traffic is needed in order to analyze correctly an exchange.
How to Extract a keytab containing your domain's passwords
The keytab, a standard format for the storage of Kerberos keys, is also the input required by Wireshark to decrypt encrypted traffic
There are two ways to obtain a keytab from a Windows domain, with Samba:
To join the domain, run:
net vampire NETBIOS_DOMAIN_NAME --realm=REALM -Uadministrator
Or, for a recent GIT checkout (later than 2010/10/23):
samba-tool vampire NETBIOS_DOMAIN_NAME --realm=REALM -Uadministrator
If everything is set up correctly, it should just work. If not, check /etc/krb5.conf in particular - ensure it can reach the KDC by setting:
[libdefaults] dns_lookup_kdc = true
Then, to extract the keytab run
net export keytab PATH_TO_KEYAB
samba-tool export keytab PATH_TO_KEYAB
It will write out a keytab in the path specified, containing the current keys for every host.
To dump a keytab, join the domain and then run:
net rpc vampire keytab /path/to/keytab/file
Note that the path to the keytab file needs to be an absolute path.