Solved

Wireshark need help with analysis of capture file?

Posted on 2011-02-18
1,581 Views
Last Modified: 2012-05-11
I have a user at a hotel, using the hotel's wireless, connecting via a VPN. When he opens Outlook 2003 he can't connect to our Exchange server (I think it's 5.5). Outlook displays "connecting" in the lower right-hand corner of the display and it just sits there. Cache Mode is enabled and he has a 14 GB OST file.

I setup a capture at the firewall and opened it up in Wireshark.

In the Protocol column I see MAPI and in the Info column I see "unknown?! request". In the next row, the Protocol column shows MAPI and the Info column shows "[TCP Out-of-order] unknown?! request".

This seems to go on forever. Would someone provide an overview of what this means? I'd like to know if the problem is on the client, on the server, or on both. If you need additional info let me know.

Question by:Westez

11 Comments
 
LVL 8

Expert Comment

by:Toxacon
ID: 34931918
You can't view VPN traffic with a sniffer (WireShark). VPN traffic is always encrypted.
 
LVL 31

Expert Comment

by:moorhouselondon
ID: 34932527
You should still see packets containing the VPN "envelope". However, see Q8.5 here:

http://www.wireshark.org/faq.html
 

Author Comment

by:Westez
ID: 34934058
Let me rephrase. The firewall has a utility to capture packets. I'll need to check to confirm, but I believe they're decrypted. I SFTP that capture file off the firewall and then open it up in Wireshark. For example, I can read the user's name in the Info column, the server names, etc. Would I be able to see that if it were still encrypted?
 
LVL 31

Expert Comment

by:moorhouselondon
ID: 34934175
I wouldn't have thought that the firewall could decrypt a VPN session, unless it sits between the clear-text traffic and the VPN encoder. What is the point of the P (for Private) in the VPN if anywhere en route the packets can be decoded? I think what's happening is that the firewall is attempting to decode traffic but is misunderstanding the structure of the packet. As to why coherent info is appearing in the firewall log: the firewall might be using info it has ascertained by other means to display it.
 

Author Comment

by:Westez
ID: 34956601
The traffic is decrypted once it passes through the firewall. Any comments on my original question?
 
LVL 31

Expert Comment

by:moorhouselondon
ID: 34958632
>once it passes through the firewall.

I think we need a block diagram to show the path traffic takes, showing the decryption stage with explicit reference to the positioning of the monitoring point. What firewall are you using? Do you not have a managed switch with port mirroring, which would monitor packets without any third-party interpretation taking place, as may be the case when using the firewall to do the monitoring?
 
LVL 8

Assisted Solution

by:Toxacon
Toxacon earned 50 total points
ID: 34959908
What you should see is:

1. Resolving IP of your Exchange.
2. Connecting with TCP (SYN-ACK-Session-SecondarySession) to Exchange (RPC).
3. Communicating with the Exchange.
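The steps Toxacon lists (and the "[TCP Out-of-order]" label in the original question) can be checked mechanically against a capture. The script below is an added example, not code from the thread or from Wireshark; it models TCP segments as simple records, verifies that a stream opens with the SYN / SYN-ACK / ACK handshake, and then labels later segments with a simplified approximation of Wireshark's expert heuristics: a data segment whose sequence number is below the next expected number is marked out-of-order/retransmission, and a jump past the expected number is marked as a segment the capture point never saw. The addresses, sequence numbers and segment list are constructed sample data, not values from the question.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Segment:
    """One TCP segment as it would appear in a capture (constructed model)."""
    ts: float      # capture timestamp, seconds
    src: str       # source IP
    dst: str       # destination IP
    flags: str     # "S" = SYN, "SA" = SYN-ACK, "A" = ACK, "PA" = PSH-ACK
    seq: int       # sequence number
    ack: int       # acknowledgement number
    length: int    # payload bytes carried


def check_handshake(segs: List[Segment]) -> bool:
    """True if the first three segments form a valid SYN, SYN-ACK, ACK exchange."""
    if len(segs) < 3:
        return False
    syn, synack, ack = segs[:3]
    return (
        syn.flags == "S"
        and synack.flags == "SA"
        and ack.flags == "A"
        and synack.ack == syn.seq + 1        # server acknowledges client's SYN
        and ack.ack == synack.seq + 1        # client acknowledges server's SYN
        and ack.seq == syn.seq + 1           # client's seq advanced past its SYN
    )


def analyse_stream(segs: List[Segment]) -> List[Tuple[int, str]]:
    """Label segments per direction, roughly as Wireshark's TCP analysis does.

    This is a simplified approximation (assumption): Wireshark additionally
    uses timing to distinguish out-of-order from retransmission; here both
    cases carry one combined label.
    """
    expected: Dict[Tuple[str, str], int] = {}   # (src, dst) -> next expected seq
    notes: List[Tuple[int, str]] = []
    for idx, seg in enumerate(segs):
        key = (seg.src, seg.dst)
        # SYN and FIN each consume one sequence number; payload consumes its length.
        consumed = seg.length + (1 if ("S" in seg.flags or "F" in seg.flags) else 0)
        if key not in expected:
            expected[key] = seg.seq + consumed   # first segment seen in this direction
            continue
        exp = expected[key]
        if seg.length > 0 and seg.seq < exp:
            notes.append((idx, "[TCP Out-of-order / Retransmission]"))
        elif seg.seq > exp:
            notes.append((idx, "[TCP Previous segment not captured]"))
        expected[key] = max(exp, seg.seq + consumed)
    return notes


# Constructed sample stream: handshake, then server data arriving out of order.
CLIENT, SERVER = "10.0.0.5", "192.168.1.10"
SAMPLE: List[Segment] = [
    Segment(0.000, CLIENT, SERVER, "S",  seq=1000, ack=0,    length=0),
    Segment(0.010, SERVER, CLIENT, "SA", seq=5000, ack=1001, length=0),
    Segment(0.020, CLIENT, SERVER, "A",  seq=1001, ack=5001, length=0),
    Segment(0.030, CLIENT, SERVER, "PA", seq=1001, ack=5001, length=100),  # RPC bind
    Segment(0.040, SERVER, CLIENT, "PA", seq=5001, ack=1101, length=200),
    Segment(0.050, SERVER, CLIENT, "PA", seq=5401, ack=1101, length=200),  # skipped 5201
    Segment(0.051, SERVER, CLIENT, "PA", seq=5201, ack=1101, length=200),  # late arrival
]

if __name__ == "__main__":
    print("handshake ok:", check_handshake(SAMPLE))
    for idx, label in analyse_stream(SAMPLE):
        print(f"frame {idx}: {label}")
```

In a real capture the same logic is what produces the "[TCP Out-of-order]" rows seen in the question: the label describes the sequence-number bookkeeping at the capture point, so an endless run of them says more about where the capture was taken (and whether segments were dropped or reordered before reaching it) than about MAPI itself, which is why the thread turns to the placement of the monitoring point.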
 

Author Comment

by:Westez
ID: 34965028
Update: My user is back in town. The laptop, when connected via VPN, can connect to the Exchange server and update the folders without a problem; this has been done from multiple locations. I'd say the problem was on the hotel end for this particular instance.

Toxacon - I have captures of what I'll call good conversations, that is to say I ran the captures when we didn't experience any problems connecting to Exchange and updating the folders. I'm using them for comparison between the good and the bad.

moorhouselondon - We do have a managed switch with port mirroring capabilities. What do you mean by the explicit reference to the positioning of the monitoring point? This makes me think of where you would position a hub, plug the Exchange server and a laptop running Wireshark both into the hub and capture traffic. Or, in your example, using a mirrored port. I'll see what I can do about coming up with a block diagram.
 
LVL 31

Accepted Solution

by:moorhouselondon
moorhouselondon earned 200 total points
ID: 34965176
All I'm saying is that there is a question mark hanging over the firewall doing the logging as to whether you get sense from the packets. Using port mirroring would overcome that obstacle.

It sounds like the hotel router doesn't support VPN connections, if the user is able to VPN from other locations into your system.
 

Author Comment

by:Westez
ID: 34970924
moorhouselondon - Thanks for the clarification and the suggestion; we're going to set that up and give it a go.
 

Author Closing Comment

by:Westez
ID: 34970971
Thanks for having a look and the suggestions. We're going to set up port spanning, capture traffic, and compare it against previous captures. I'll open up another question if needed.