Solved

Wireshark need help with analysis of capture file?

Posted on 2011-02-18
1,571 Views
Last Modified: 2012-05-11
I have a user at a hotel, using the hotel's wireless, connecting via a VPN. When he opens Outlook 2003 he can't connect to our Exchange server (I think it's 5.5). Outlook displays "Connecting" in the lower right-hand corner of the display and it just sits there. Cached Mode is enabled and he has a 14 GB OST file.

I setup a capture at the firewall and opened it up in Wireshark.

In the Protocol column I see "MAPI" and in the Info column I see "unknown?! request". In the next row, the Protocol column shows "MAPI" and the Info column shows "[TCP Out-of-order] unknown?! request".

This seems to go on forever. Would someone provide an overview of what this means? I'd like to know if the problem is on the client, on the server, or on both. If you need additional info, let me know.
Question by: Westez

11 Comments

LVL 8

Expert Comment

by:Toxacon
You can't view VPN traffic with a sniffer (WireShark). VPN traffic is always encrypted.
LVL 31

Expert Comment

by:moorhouselondon
You should still see packets containing the VPN "envelope".  However see Q8.5 here:-

http://www.wireshark.org/faq.html
Author Comment

by:Westez
Let me rephrase. The firewall has a utility to capture packets. I'll need to check to confirm, but I believe they're decrypted. I SFTP that capture file off the firewall and then open it up in Wireshark. For example, I can read the user's name in the Info column, the server names, etc. Would I be able to see that if it were still encrypted?
LVL 31

Expert Comment

by:moorhouselondon
I wouldn't have thought that the firewall could decrypt a VPN session, unless it sits between the clear-text traffic and the VPN encoder. What is the point of the P (for Private) in VPN if anywhere en route the packets can be decoded? I think what's happening is that the firewall is attempting to decode traffic but is misunderstanding the structure of the packet. As to why coherent info is appearing in the firewall log: the firewall might be using info it has ascertained by other means to display it.
Author Comment

by:Westez
The traffic is decrypted once it passes through the firewall. Any comments on my original question?
LVL 31

Expert Comment

by:moorhouselondon
>once it passes through the firewall.

I think we need a block diagram to show the path traffic takes, showing the decryption stage with explicit reference to the positioning of the monitoring point. What firewall are you using? Do you not have a managed switch with port mirroring, which would monitor packets without any third-party interpretation taking place (which may be the case when using the firewall to do the monitoring)?
LVL 8

Assisted Solution

by:Toxacon
Toxacon earned 50 total points
What you should see is:

1. Resolving IP of your Exchange.
2. Connecting with TCP (SYN-ACK-Session-SecondarySession) to Exchange (RPC).
3. Communicating with the Exchange.
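To make the "[TCP Out-of-order]" label concrete, here is an added example (not code from this thread or from Wireshark) that reads a classic pcap file with only the Python standard library and applies a simplified version of the rule Wireshark's TCP analysis uses: a data segment whose sequence number is below the next expected sequence number is a retransmission if every byte in it was already seen on that flow, and out-of-order otherwise; a segment starting above the expected number means a previous segment was not captured. The sample capture is constructed in memory (client 10.0.0.5 to a hypothetical Exchange host 192.0.2.10 on TCP 135, the RPC endpoint mapper); addresses, ports and sequence numbers are assumptions, and Wireshark's real heuristic additionally looks at timing, so this is an approximation of its labels, not a reimplementation.

```python
"""Minimal pcap reader plus TCP sequence-number analysis (stdlib only).

Added example, not from the thread. Builds a constructed pcap in memory
(handshake, data, a gap, a late segment, a repeated segment) and labels
segments the way Wireshark's [TCP ...] expert info would, approximately.
"""
import struct

SYN, PSH, ACK = 0x02, 0x08, 0x10


# ---- helpers used only to construct the sample capture ----
def ipv4(addr):
    return bytes(int(x) for x in addr.split("."))


def frame(src, dst, sport, dport, seq, ack, flags, payload=b""):
    """Ethernet + IPv4 + TCP with zero checksums (enough for parsing)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags,
                      65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     ipv4(src), ipv4(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp


def pcap(frames):
    """Wrap frames in a classic little-endian pcap (magic 0xa1b2c3d4, Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1000 + i, 0, len(f), len(f)) + f
    return out


C, S = "10.0.0.5", "192.0.2.10"      # constructed client / Exchange addresses
SAMPLE = pcap([
    frame(C, S, 40000, 135, 100, 0, SYN),
    frame(S, C, 135, 40000, 500, 101, SYN | ACK),
    frame(C, S, 40000, 135, 101, 501, ACK),
    frame(C, S, 40000, 135, 101, 501, PSH | ACK, b"A" * 10),  # bytes 101..110
    frame(C, S, 40000, 135, 121, 501, PSH | ACK, b"C" * 10),  # 111..120 missing
    frame(C, S, 40000, 135, 111, 501, PSH | ACK, b"B" * 10),  # late: out-of-order
    frame(C, S, 40000, 135, 101, 501, PSH | ACK, b"A" * 10),  # seen: retransmission
])


# ---- the parser ----
def read_pcap(data):
    """Yield raw frames from a classic little-endian pcap byte string."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("only classic little-endian pcap is handled here")
    off = 24
    while off + 16 <= len(data):
        _, _, incl, _ = struct.unpack_from("<IIII", data, off)
        off += 16
        yield data[off:off + incl]
        off += incl


def parse_tcp(fr):
    """Return TCP fields for an Ethernet/IPv4/TCP frame, else None."""
    if fr[12:14] != b"\x08\x00" or fr[23] != 6:      # not IPv4, or not TCP
        return None
    ihl = (fr[14] & 0x0F) * 4
    ip_len = struct.unpack_from("!H", fr, 16)[0]
    t = 14 + ihl
    sport, dport, seq, ack, doff, flags = struct.unpack_from("!HHIIBB", fr, t)
    payload = fr[t + (doff >> 4) * 4: 14 + ip_len]
    return dict(src=".".join(map(str, fr[26:30])), dst=".".join(map(str, fr[30:34])),
                sport=sport, dport=dport, seq=seq, ack=ack, flags=flags, payload=payload)


def analyze(data):
    """Return [(frame_no, note)] for handshake and sequence anomalies."""
    notes, expected, seen = [], {}, {}
    for n, fr in enumerate(read_pcap(data), 1):
        p = parse_tcp(fr)
        if p is None:
            continue
        flow = (p["src"], p["sport"], p["dst"], p["dport"])
        s = seen.setdefault(flow, set())
        if p["flags"] & SYN:                      # SYN or SYN-ACK consumes one seq
            notes.append((n, "SYN-ACK" if p["flags"] & ACK else "SYN"))
            expected[flow] = p["seq"] + 1
            continue
        plen = len(p["payload"])
        if plen == 0:
            continue
        exp = expected.get(flow)
        rng = set(range(p["seq"], p["seq"] + plen))
        if exp is None:
            note = "stream start not captured"
        elif p["seq"] == exp:
            note = None
        elif p["seq"] > exp:
            note = "previous segment not captured"
        elif rng <= s:
            note = "retransmission"
        else:
            note = "out-of-order"
        s |= rng
        expected[flow] = max(exp or 0, p["seq"] + plen)
        if note:
            notes.append((n, note))
    return notes


if __name__ == "__main__":
    for frame_no, note in analyze(SAMPLE):
        print(frame_no, note)
```

Run it against a real file with `analyze(open("capture.pcap", "rb").read())`; it expects classic pcap with Ethernet framing and IPv4, so a pcapng export or a capture with VLAN tags would need the reader extended first. A long run of out-of-order and retransmission notes on one flow, with no matching "previous segment not captured" on the reverse direction, is the usual signature of a capture point that sees duplicated or reordered copies of the same packets, which is exactly the doubt raised above about capturing on the firewall rather than on a mirror port.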

Author Comment

by:Westez
Update: My user is back in town. The laptop, when connected via VPN, can connect to the Exchange server and update the folders without a problem; this has been done from multiple locations. I'd say the problem was on the hotel end for this particular instance.

Toxacon - I have captures of what I'll call good conversations, that is to say I ran the captures when we didn't experience any problems connecting to Exchange and updating the folders. I'm using them for comparison between the good and the bad.

moorhouselondon - We do have a managed switch with port mirroring capabilities. What do you mean by the explicit reference to the positioning of the monitoring point? This makes me think of where you would position a hub: plug the Exchange server and a laptop running Wireshark both into the hub and capture traffic. Or, in your example, use a mirrored port. I'll see what I can do about coming up with a block diagram.

LVL 31

Accepted Solution

by: moorhouselondon
moorhouselondon earned 200 total points
All I'm saying is that there is a question mark hanging over the firewall doing the logging as to whether you get sense from the packets. Using port mirroring would overcome that obstacle.

It sounds like the Hotel Router doesn't support VPN connections if the user is able to VPN from other locations into your system.  
Author Comment

by:Westez
moorhouselondon - Thanks for the clarification and the suggestion; we're going to set that up and give it a go.

Author Closing Comment

by:Westez
Thanks for having a look and for the suggestions. We're going to set up port spanning and capture traffic, and compare it against previous captures. I'll open up another question if needed.