What type of network traffic can be sniffed to obtain credentials when mounting a file share and authenticating to a domain?

Multiple Choice

What type of network traffic can be sniffed to obtain credentials when mounting a file share and authenticating to a domain?

Explanation:
During SMB-based domain authentication, the client proves its identity through a challenge/response handshake. The domain controller sends a random challenge to the client, and the client responds with a value derived from that challenge and the user’s password hash. This challenge and response travel over the network, so a sniffer can capture them. With those captured values, an attacker can offline-crack the password or use the hash directly to impersonate the user (pass-the-hash). That’s why this traffic is the one that can yield credentials. DNS queries and ICMP echo requests don’t carry authentication proofs, and while SMB traffic is involved in the session, the actual credential material is in the challenge/response portion of the NTLM (or similar) authentication exchange. For protection, prefer Kerberos where possible and disable NTLM, enable SMB signing, and enforce strong authentication practices to reduce exposure.
