Locating Password Attempts in Wireshark

When looking through network traffic to find password attempts, look at the FTP traffic. FTP sends its credentials in cleartext, so the attempts are visible in the capture, as shown in the screenshot below.


In the right-hand field you can see 'USER anonymous', which is the username used in the attempt to log into the user's device. To see the password that was tried alongside that username, select the packet with the USER field, right-click it and choose Follow > TCP Stream. This gives a closer view of the exchange that packet belongs to.


Here the 'PASS IEUser@' line shows that the password attempt was IEUser@. After it you can also see that the authentication failed, meaning the password was incorrect. This helps you differentiate between correct and incorrect credentials used in attempts to log into a user's system.
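
As an added example (not part of the original post), the pairing done by eye above can be scripted: this Python function reads the text of a followed FTP control stream and reports each USER/PASS pair with the server's verdict. The sample stream, the `labuser` account and the function name are constructed for illustration; reply codes 230 (logged in) and 530 (not logged in) are the standard FTP ones.

```python
import re

# Constructed sample (not from the post's capture): an FTP control
# connection as text, the way Follow > TCP Stream displays it.
SAMPLE_STREAM = """\
220 FTP server ready.
USER anonymous
331 Please specify the password.
PASS IEUser@
530 Login incorrect.
USER labuser
331 Please specify the password.
PASS example-password
230-Welcome back.
230 Login successful.
"""

# Final reply lines are "NNN text"; "NNN-text" continuation lines do not match.
FINAL_REPLY = re.compile(r"^(\d{3})(?: |$)")
OUTCOMES = {"230": "success", "530": "failed"}  # reply codes from RFC 959


def login_attempts(stream_text):
    """Return (user, password, outcome) for every PASS command in the stream."""
    attempts = []
    user = None
    pending = None  # (user, password) still waiting for the server's answer
    for raw in stream_text.splitlines():
        line = raw.strip()
        verb, _, arg = line.partition(" ")
        if verb.upper() == "USER":      # FTP commands are case-insensitive
            user = arg
        elif verb.upper() == "PASS":
            if pending:                 # previous PASS never got an answer
                attempts.append(pending + ("unknown",))
            pending = (user, arg)
        elif pending and (m := FINAL_REPLY.match(line)):
            attempts.append(pending + (OUTCOMES.get(m.group(1), "unknown"),))
            pending = None
    if pending:                         # capture ended before the server replied
        attempts.append(pending + ("unknown",))
    return attempts


if __name__ == "__main__":
    for user, password, outcome in login_attempts(SAMPLE_STREAM):
        print(f"{outcome:8} user={user!r} password={password!r}")
```

A password that appears with outcome `success` is a live credential exposed on the wire and should be rotated.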
