Wireshark need help with analysis of capture file?

I have a user at a hotel, using the hotel's wireless, connecting via a VPN.  When he opens Outlook 2003 he can't connect to our Exchange server (I think it's 5.5).  Outlook displays "Connecting" in the lower right-hand corner of the display and it just sits there.  Cached Mode is enabled and he has a 14 GB .ost file.

I set up a capture at the firewall and opened it up in Wireshark.

In the Protocol column I see MAPI and in the Info column I see unknown?! request.  The next row in the Protocol column I see MAPI and in the Info column I see [TCP Out-of-order] unknown?! request.

Seems to go on forever. Would someone provide an overview of what this means?  I'd like to know if the problem is on the client, on the server, or on both. If you need additional info let me know.
Westez asked:

moorhouselondon commented:
All I'm saying is that there is a question mark hanging over the Firewall doing the logging as to whether you get sense from the packets.  Using Port Mirroring would overcome that obstacle.  

It sounds like the Hotel Router doesn't support VPN connections if the user is able to VPN from other locations into your system.  
0
 
Toxacon commented:
You can't view VPN traffic with a sniffer (WireShark). VPN traffic is always encrypted.
0
 
moorhouselondon commented:
You should still see packets containing the VPN "envelope".  However, see Q8.5 here:

http://www.wireshark.org/faq.html
0
 
Westez (author) commented:
Let me rephrase.  The firewall has a utility to capture packets.  I'll need to check to confirm, but I believe they're decrypted.  I sftp that capture file off the firewall and then open it up in Wireshark.  For example, I can read the user's name in the Info column, the server names, etc.  Would I be able to see that if it were still encrypted?
0
 
moorhouselondon commented:
I wouldn't have thought that the Firewall could decrypt a VPN session, unless it sits between the clear-text traffic and the VPN encoder.  What is the point of the P (for Private) in the VPN if anywhere en route the packets can be decoded?  I think what's happening is that the Firewall is attempting to decode traffic but is misunderstanding the structure of the packet.  As to why coherent info is appearing in the Firewall log: the Firewall might be using info it has ascertained by other means to display it.  
0
 
Westez (author) commented:
The traffic is decrypted once it passes through the firewall.  Any comments on my original question?
0
 
moorhouselondon commented:
> once it passes through the firewall.

I think we need a block diagram to show the path traffic takes, showing the decryption stage with explicit reference to the positioning of the monitoring point.  What Firewall are you using?  Do you not have a Managed Switch with Port Mirroring which would monitor packets without any third-party interpretation taking place, which may be the case using the firewall to do the monitoring?
0
 
Toxacon commented:
What you should see is:

1. Resolving IP of your Exchange.
2. Connecting with TCP (SYN-ACK-Session-SecondarySession) to Exchange (RPC).
3. Communicating with the Exchange.
0
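Two things in this thread can be checked mechanically once the firewall capture (or, later, the mirror-port capture) is opened in Wireshark and exported as a packet list: whether the capture point is on the clear-text side of the VPN at all (Toxacon's and moorhouselondon's exchange above), and whether the three stages Toxacon lists actually appear before the run of "[TCP Out-of-order] unknown?! request" rows from the original question. The script below is an added example, not code posted by anyone in the thread. It assumes a CSV export from Wireshark (File > Export Packet Dissections > As CSV) with the default columns No., Time, Source, Destination, Protocol, Length, Info; the rows, addresses and port numbers embedded in it are constructed to mimic the symptom described, and the split of Toxacon's "Session-SecondarySession" into an endpoint-mapper connection on TCP 135 followed by a second connection to the port it returns is my reading of how MAPI over RPC sets up, not something the thread states.

```python
"""Triage a Wireshark packet-list export of an Outlook -> Exchange (MAPI over RPC) session.

Added example for this thread, not code posted by anyone in it. It assumes the capture
was exported from Wireshark as CSV (File > Export Packet Dissections > As CSV) with the
default columns No., Time, Source, Destination, Protocol, Length, Info. The rows below
are constructed to mimic the symptom in the question and the sequence Toxacon lists.
"""
import csv
import io
import re
from collections import Counter

# Outlook's first RPC connection goes to the endpoint mapper (TCP 135), which hands back the
# port of the store service; the "secondary session" in Toxacon's list is that second connection.
RPC_ENDPOINT_MAPPER_PORT = 135
TUNNEL_PROTOCOLS = {"ESP", "AH", "ISAKMP", "OpenVPN", "PPTP", "GRE", "L2TP"}
CLIENT, SERVER = "10.8.0.5", "10.0.0.20"  # constructed addresses used by the sample rows

SAMPLE_CSV = """\
"No.","Time","Source","Destination","Protocol","Length","Info"
"1","0.000000","10.8.0.5","10.0.0.10","DNS","74","Standard query A exchange.example.local"
"2","0.010000","10.0.0.10","10.8.0.5","DNS","90","Standard query response A 10.0.0.20"
"3","0.020000","10.8.0.5","10.0.0.20","TCP","66","1050 > 135 [SYN] Seq=0"
"4","0.030000","10.0.0.20","10.8.0.5","TCP","66","135 > 1050 [SYN, ACK] Seq=0 Ack=1"
"5","0.031000","10.8.0.5","10.0.0.20","TCP","54","1050 > 135 [ACK] Seq=1 Ack=1"
"6","0.040000","10.8.0.5","10.0.0.20","DCERPC","180","Bind: call_id: 1"
"7","0.050000","10.8.0.5","10.0.0.20","TCP","66","1051 > 1260 [SYN] Seq=0"
"8","0.060000","10.0.0.20","10.8.0.5","TCP","66","1260 > 1051 [SYN, ACK] Seq=0 Ack=1"
"9","0.070000","10.8.0.5","10.0.0.20","MAPI","1514","unknown?! request"
"10","0.071000","10.8.0.5","10.0.0.20","MAPI","1514","[TCP Out-of-order] unknown?! request"
"11","0.072000","10.8.0.5","10.0.0.20","MAPI","1514","[TCP Out-of-order] unknown?! request"
"12","0.073000","10.0.0.20","10.8.0.5","MAPI","1514","[TCP Out-of-order] unknown?! request"
"""

# Older Wireshark prints "src > dst [FLAGS]"; newer builds use an arrow between the ports.
PORT_RE = re.compile(r"^(\d+)\s+(?:>|->|\u2192)\s+(\d+)\s+\[([A-Z, ]+)\]")


def parse_summary(text):
    """Return the export as a list of dicts keyed by the Wireshark column names."""
    return list(csv.DictReader(io.StringIO(text)))


def tcp_ports_and_flags(info):
    """Extract (src_port, dst_port, flag set) from a TCP Info column, or None if not TCP-shaped."""
    m = PORT_RE.match(info)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), {f.strip() for f in m.group(3).split(",")}


def capture_position(rows):
    """Is the capture point inside or outside the VPN? (the thread's side question)

    Only tunnel carriers in the Protocol column means the capture sits outside the VPN and
    shows just the envelope; DNS/TCP/MAPI rows mean it is on the clear-text side.
    """
    seen = {r["Protocol"] for r in rows}
    if seen and seen <= TUNNEL_PROTOCOLS:
        return "outside tunnel (envelope only)"
    return "cleartext side of the VPN terminator"


def expected_phases(rows, client, server):
    """Check Toxacon's three stages: name resolution, TCP/RPC setup, MAPI traffic."""
    result = {"dns_answer": False, "epm_syn_ack": False, "secondary_syn_ack": False, "mapi": False}
    for r in rows:
        if r["Protocol"] == "DNS" and "response" in r["Info"] and r["Destination"] == client:
            result["dns_answer"] = True
        if r["Protocol"] == "TCP" and r["Source"] == server and r["Destination"] == client:
            parsed = tcp_ports_and_flags(r["Info"])
            if parsed and {"SYN", "ACK"} <= parsed[2]:
                key = "epm_syn_ack" if parsed[0] == RPC_ENDPOINT_MAPPER_PORT else "secondary_syn_ack"
                result[key] = True
        if r["Protocol"] == "MAPI":
            result["mapi"] = True
    return result


def out_of_order_by_direction(rows, client, server):
    """Count segments Wireshark flagged [TCP Out-of-order], split by sender.

    Flagged segments sent by the client were reordered or lost somewhere between the client
    and the capture point (here the hotel/VPN leg); flagged segments sent by the server
    point at the leg between the server and the capture point.
    """
    counts = Counter()
    for r in rows:
        if "[TCP Out-of-order]" not in r["Info"]:
            continue
        if r["Source"] == client and r["Destination"] == server:
            counts["client->server"] += 1
        elif r["Source"] == server and r["Destination"] == client:
            counts["server->client"] += 1
    return counts


def longest_undissected_run(rows):
    """Length of the longest run of consecutive MAPI rows Wireshark could not decode."""
    best = run = 0
    for r in rows:
        if r["Protocol"] == "MAPI" and "unknown?! request" in r["Info"]:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


if __name__ == "__main__":
    rows = parse_summary(SAMPLE_CSV)
    print("capture point:", capture_position(rows))
    print("phases:", expected_phases(rows, CLIENT, SERVER))
    print("out-of-order by direction:", dict(out_of_order_by_direction(rows, CLIENT, SERVER)))
    print("longest undissected MAPI run:", longest_undissected_run(rows))
```

Run it against a real export by replacing SAMPLE_CSV with the file contents and CLIENT/SERVER with the VPN client address and the Exchange address. If all three phases are present and the flagged segments are overwhelmingly client-to-server, the trouble is on the far side of the capture point, which matches Westez's later finding that the same laptop worked from other locations. One caveat from the thread itself: when the firewall is both the VPN terminator and the capture tool, the Out-of-order flags may reflect how it reassembled the stream rather than what was on the wire, which is why moorhouselondon pushes for a mirror port on the managed switch; the same script applies unchanged to that capture, and comparing its output with the "good conversation" captures Westez already has is the comparison he describes.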
 
Westez (author) commented:
Update: my user is back in town. The laptop, when connected via VPN, can connect to the Exchange server and update the folders without a problem; this has been done from multiple locations.  I'd say the problem was on the hotel end for this particular instance.

Toxacon - I have captures of what I'll call good conversations, that is to say I ran the captures when we didn't experience any problems connecting to Exchange and updating the folders.  I'm using them for comparison between the good and the bad.

moorhouselondon - We do have a managed switch with port mirroring capabilities.  What do you mean by the explicit reference to the positioning of the monitoring point?  This makes me think of where you would position a hub: plug the Exchange server and a laptop running Wireshark both into the hub and capture traffic.  Or, in your example, using a mirrored port.  I'll see what I can do about coming up with a block diagram.

0
 
Westez (author) commented:
moorhouselondon - Thanks for the clarification and the suggestion; we're going to set that up and give it a go.

0
 
Westez (author) commented:
Thanks for having a look and the suggestions.  We're going to set up port spanning, capture traffic, and compare it against previous captures.  I'll open up another question if needed.
0
Question has a verified solution.
