Solved

Wireshark need help with analysis of capture file?

Posted on 2011-02-18
Last Modified: 2012-05-11
I have a user at a hotel, using the hotel's wireless, connecting via a VPN. When he opens Outlook 2003 he can't connect to our Exchange server (I think it's 5.5). Outlook displays "Connecting" in the lower right-hand corner of the display and it just sits there. Cache Mode is enabled and he has a 14 GB OST file.

I set up a capture at the firewall and opened it up in Wireshark.

In the Protocol column I see MAPI and in the Info column I see "unknown?! request". In the next row, in the Protocol column I see MAPI and in the Info column I see "[TCP Out-of-order] unknown?! request".

Seems to go on forever. Would someone provide an overview of what this means? I'd like to know if the problem is on the client or on the server, or on both. If you need additional info let me know.
Question by: Westez
11 Comments
 

Expert Comment

by: Toxacon
ID: 34931918
You can't view VPN traffic with a sniffer (Wireshark). VPN traffic is always encrypted.
 

Expert Comment

by: moorhouselondon
ID: 34932527
You should still see packets containing the VPN "envelope". However, see Q8.5 here:

http://www.wireshark.org/faq.html
 

Author Comment

by: Westez
ID: 34934058
Let me rephrase. The firewall has a utility to capture packets. I'll need to check to confirm, but I believe they're decrypted. I SFTP that capture file off the firewall and then open it up in Wireshark. For example, I can read the user's name in the Info column, the server names, etc. Would I be able to see that if it were still encrypted?
 

Expert Comment

by: moorhouselondon
ID: 34934175
I wouldn't have thought that the firewall could decrypt a VPN session, unless it sits between the clear-text traffic and the VPN encoder. What is the point of the P (for Private) in the VPN if anywhere en route the packets can be decoded? I think what's happening is that the firewall is attempting to decode traffic but is misunderstanding the structure of the packet. As to why coherent info is appearing in the firewall log: the firewall might be using info it has ascertained by other means to display it.
 

Author Comment

by: Westez
ID: 34956601
The traffic is decrypted once it passes through the firewall. Any comments on my original question?
 

Expert Comment

by: moorhouselondon
ID: 34958632
>once it passes through the firewall.

I think we need a block diagram to show the path traffic takes, showing the decryption stage with explicit reference to the positioning of the monitoring point. What firewall are you using? Do you not have a managed switch with port mirroring, which would monitor packets without any third-party interpretation taking place, which may be the case using the firewall to do the monitoring?
 

Assisted Solution

by: Toxacon
Toxacon earned 50 total points
ID: 34959908
What you should see is:

1. Resolving IP of your Exchange.
2. Connecting with TCP (SYN-ACK-Session-SecondarySession) to Exchange (RPC).
3. Communicating with the Exchange.
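To make the expected sequence above concrete, here is an added Python script (not from this thread or any of its posters) that walks a libpcap file, labels every TCP frame per direction (SYN, SYN/ACK, in-order, out-of-order/retransmission, gap) and totals the labels per direction, so a "good" capture can be set beside a "bad" one. It is a simplified model of Wireshark's expert labels: Wireshark separates out-of-order from retransmission using timing and previously seen segments, whereas this script lumps them together. The sample capture is constructed inline (the addresses 10.0.0.5 and 192.168.1.10 and the payloads are made up); a real `.pcap` path can be given on the command line, and a pcapng file needs converting first (`editcap -F pcap in.pcapng out.pcap`).

```python
"""Per-direction TCP sequence check over a libpcap capture, a rough model of
Wireshark's [TCP Out-of-order] / [TCP Retransmission] labels. Added example:
assumes Ethernet/IPv4/TCP frames in classic libpcap format (not pcapng)."""
import struct
import sys
from collections import Counter, defaultdict

SYN, FIN, ACK, PSH = 0x02, 0x01, 0x10, 0x08


def pcap_frames(data):
    """Yield raw frames from a libpcap file (either byte order, us or ns stamps)."""
    e = "<" if data[:4] in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1") else ">"
    if e == ">" and data[:4] not in (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d"):
        raise ValueError("not a libpcap file (pcapng is not handled here)")
    if struct.unpack(e + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet (DLT_EN10MB) captures are handled")
    off = 24
    while off + 16 <= len(data):
        incl = struct.unpack(e + "I", data[off + 8:off + 12])[0]
        yield data[off + 16:off + 16 + incl]
        off += 16 + incl


def tcp_fields(frame):
    """Return (src, sport, dst, dport, seq, flags, payload_len), or None if not IPv4/TCP."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl, ip_len = (frame[14] & 0x0F) * 4, struct.unpack("!H", frame[16:18])[0]
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    tcp = frame[14 + ihl:14 + ip_len]
    sport, dport, seq, _ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    return src, sport, dst, dport, seq, off_flags & 0x1FF, len(tcp) - (off_flags >> 12) * 4


def analyze(data):
    """Label each TCP frame as (frame_no, 'src:port -> dst:port', label).
    'out-of-order/retransmission': seq below what this direction already sent.
    'gap': seq above the next expected byte, i.e. a segment is missing from the capture.
    Sequence-number wraparound is not handled."""
    expected, events = {}, []  # next expected seq per direction
    for n, frame in enumerate(pcap_frames(data), 1):
        f = tcp_fields(frame)
        if f is None:
            continue
        src, sport, dst, dport, seq, flags, plen = f
        key = (src, sport, dst, dport)
        nxt = seq + plen + bool(flags & SYN) + bool(flags & FIN)  # SYN/FIN take a seq each
        if flags & SYN:
            label = "SYN/ACK" if flags & ACK else "SYN"
        elif key not in expected:
            label = "mid-stream (handshake not in capture)"
        elif seq < expected[key]:
            label = "out-of-order/retransmission"
        elif seq > expected[key]:
            label = "gap"
        else:
            label = "in-order"
        expected[key] = nxt if flags & SYN else max(expected.get(key, 0), nxt)
        events.append((n, f"{src}:{sport} -> {dst}:{dport}", label))
    return events


def summarize(events):
    """Count labels per direction, for comparing a good capture with a bad one."""
    summary = defaultdict(Counter)
    for _n, stream, label in events:
        summary[stream][label] += 1
    return {s: dict(c) for s, c in summary.items()}


def build_frame(src, sport, dst, dport, seq, ack, flags, payload=b""):
    """Construct a minimal Ethernet/IPv4/TCP frame (checksums left at zero)."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 1, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload


def build_pcap(frames):
    """Wrap frames in a little-endian libpcap file (DLT_EN10MB)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1297987200 + i, 0, len(f), len(f)) + f
    return out


# Constructed sample: client C to the RPC endpoint mapper (port 135) on Exchange host S.
# Addresses and payloads are made up for this example.
C, S = "10.0.0.5", "192.168.1.10"
SAMPLE = build_pcap([
    build_frame(C, 49152, S, 135, 1000, 0, SYN),                        # 1 SYN
    build_frame(S, 135, C, 49152, 5000, 1001, SYN | ACK),               # 2 SYN/ACK
    build_frame(C, 49152, S, 135, 1001, 5001, ACK),                     # 3 ACK
    build_frame(C, 49152, S, 135, 1001, 5001, ACK | PSH, b"A" * 100),   # 4 request
    build_frame(S, 135, C, 49152, 5001, 1101, ACK | PSH, b"B" * 60),    # 5 reply
    build_frame(C, 49152, S, 135, 1001, 5061, ACK | PSH, b"A" * 100),   # 6 frame 4 resent
    build_frame(S, 135, C, 49152, 5261, 1101, ACK | PSH, b"B" * 40),    # 7 200 bytes missing
])

if __name__ == "__main__":  # on a real capture: python tcpcheck.py capture.pcap
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    print(*analyze(data), summarize(analyze(data)), sep="\n")
```

Reading the per-direction totals: a pile of out-of-order/retransmission labels in one direction that is absent from a known-good capture of the same client points at the path that direction travels (here the hotel wireless and the VPN tunnel), whereas "gap" labels only say the capture point did not see those bytes, which is a question about where the capture was taken rather than about the client or the server.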
 

Author Comment

by: Westez
ID: 34965028
Update: My user is back in town. The laptop, when connected via VPN, can connect to the Exchange server and update the folders without a problem; this has been done from multiple locations. I'd say the problem was on the hotel end for this particular instance.

Toxacon - I have captures of what I'll call good conversations, that is to say I ran the captures when we didn't experience any problems connecting to Exchange and updating the folders. I'm using them for comparison between the good and the bad.

moorhouselondon - We do have a managed switch with port mirroring capabilities. What do you mean by the explicit reference to the positioning of the monitoring point? This makes me think of where you would position a hub: plug the Exchange server and a laptop running Wireshark both into the hub and capture traffic. Or, in your example, use a mirrored port. I'll see what I can do about coming up with a block diagram.

 

Accepted Solution

by: moorhouselondon
moorhouselondon earned 200 total points
ID: 34965176
All I'm saying is that there is a question mark hanging over the firewall doing the logging as to whether you get sense from the packets. Using port mirroring would overcome that obstacle.

It sounds like the hotel router doesn't support VPN connections, if the user is able to VPN from other locations into your system.
 

Author Comment

by: Westez
ID: 34970924
moorhouselondon - Thanks for the clarification and the suggestion; we're going to set that up and give it a go.

 

Author Closing Comment

by: Westez
ID: 34970971
Thanks for having a look and the suggestions. We're going to set up port spanning and capture traffic, and compare it against previous captures. I'll open up another question if needed.
