Wireshark need help with analysis of capture file?

Posted on 2011-02-18
Last Modified: 2012-05-11
I have a user at a hotel, using the hotel's wireless, connecting via a VPN. When he opens Outlook 2003 he can't connect to our Exchange server (I think it's 5.5). Outlook displays "connecting" in the lower right-hand corner of the display and it just sits there. Cache Mode is enabled and he has a 14 GB OST file.

I set up a capture at the firewall and opened it up in Wireshark.

In the Protocol column I see MAPI and in the Info column I see "unknown?! request". In the next row, the Protocol column shows MAPI and the Info column shows "[TCP Out-of-order] unknown?! request".

This seems to go on forever. Would someone provide an overview of what this means? I'd like to know if the problem is on the client or on the server, or on both. If you need additional info let me know.
Question by:Westez
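The "[TCP Out-of-order]" tag in the Info column comes from Wireshark's TCP sequence analysis, not from MAPI itself: Wireshark tracks the next expected sequence number per flow and annotates any segment that does not line up with it. As an added illustration (not part of the original question or answers), the following script re-creates that analysis with a simplified rule set over a small constructed capture. Everything here is constructed: the addresses, the port 135 (RPC endpoint mapper) flow, the pcap bytes and the function names are assumptions made for the example. Wireshark additionally uses timing to tell an out-of-order segment from a retransmission; this example treats every late segment as out-of-order.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4          # classic libpcap magic, little-endian file
SYN, FIN, PSH, ACK = 0x02, 0x01, 0x08, 0x10


def build_tcp_frame(src_ip, dst_ip, sport, dport, seq, ack, flags, payload=b""):
    """Construct an Ethernet/IPv4/TCP frame (constructed sample data, not a real capture)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", 0x0800)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return eth + ip + tcp


def build_pcap(frames):
    """Wrap frames in a libpcap file (version 2.4, link type 1 = Ethernet)."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)]
    for i, frame in enumerate(frames):
        # record header: ts_sec, ts_usec, captured length, original length
        out.append(struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame)
    return b"".join(out)


def iter_tcp_segments(pcap):
    """Yield (frame_no, src, dst, sport, dport, seq, flags, payload_len) for each TCP segment."""
    (magic,) = struct.unpack("<I", pcap[:4])
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian libpcap file")
    off, frame_no = 24, 0
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack("<IIII", pcap[off:off + 16])
        off += 16
        frame = pcap[off:off + incl_len]
        off += incl_len
        frame_no += 1
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                                   # not IPv4 over Ethernet carrying TCP
        ihl = (frame[14] & 0x0F) * 4
        total_len = struct.unpack("!H", frame[16:18])[0]
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        tcp = frame[14 + ihl:14 + total_len]
        sport, dport, seq, _ack, doff_byte, flags = struct.unpack("!HHIIBB", tcp[:14])
        payload_len = len(tcp) - (doff_byte >> 4) * 4
        yield frame_no, src, dst, sport, dport, seq, flags, payload_len


def annotate(pcap):
    """Simplified version of Wireshark's sequence analysis; returns [(frame_no, label), ...]."""
    expected = {}                                      # flow -> next expected sequence number
    notes = []
    for frame_no, src, dst, sport, dport, seq, flags, plen in iter_tcp_segments(pcap):
        flow = (src, sport, dst, dport)
        consumed = plen + bool(flags & SYN) + bool(flags & FIN)   # SYN and FIN each use one seq
        if flow not in expected:
            expected[flow] = seq + consumed            # first segment seen for this direction
            continue
        exp = expected[flow]
        if seq == exp:
            expected[flow] = seq + consumed
        elif seq > exp:
            notes.append((frame_no, "TCP Previous segment not captured"))
            expected[flow] = seq + consumed
        elif consumed > 0:
            # Assumption: no RTT-based split between out-of-order and retransmission here.
            notes.append((frame_no, "TCP Out-Of-Order"))
    return notes


def sample_capture():
    """Constructed handshake plus three data segments, the middle one arriving late."""
    c, s = "10.0.0.5", "192.168.1.10"                  # constructed client and server addresses
    frames = [
        build_tcp_frame(c, s, 50000, 135, 1000, 0, SYN),
        build_tcp_frame(s, c, 135, 50000, 5000, 1001, SYN | ACK),
        build_tcp_frame(c, s, 50000, 135, 1001, 5001, ACK),
        build_tcp_frame(c, s, 50000, 135, 1001, 5001, ACK | PSH, b"A" * 100),
        build_tcp_frame(c, s, 50000, 135, 1201, 5001, ACK | PSH, b"C" * 100),  # gap before it
        build_tcp_frame(c, s, 50000, 135, 1101, 5001, ACK | PSH, b"B" * 100),  # the late segment
    ]
    return build_pcap(frames)


if __name__ == "__main__":
    for frame_no, label in annotate(sample_capture()):
        print(f"frame {frame_no}: [{label}]")
```

Run against the constructed capture, frame 5 is flagged "Previous segment not captured" and frame 6 "Out-Of-Order", the same pair of hints Wireshark prints when a segment is delayed past its successor. Because the labels depend only on sequence numbers the capture point sees, a long run of them can equally mean genuine reordering on the path, loss between the capture point and the host, or a capture point (such as a firewall re-encapsulating VPN traffic) that does not see every segment, which is why the answers below ask where the monitoring point sits.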
11 Comments
 
LVL 8

Expert Comment

by:Toxacon
ID: 34931918
You can't view VPN traffic with a sniffer (WireShark). VPN traffic is always encrypted.
 
LVL 31

Expert Comment

by:moorhouselondon
ID: 34932527
You should still see packets containing the VPN "envelope". However, see Q8.5 here:

http://www.wireshark.org/faq.html
 

Author Comment

by:Westez
ID: 34934058
Let me rephrase. The firewall has a utility to capture packets. I'll need to check to confirm, but I believe they're decrypted. I sftp that capture file off the firewall and then open it up in Wireshark. For example, I can read the user's name in the Info column, the server names, etc. Would I be able to see that if it were still encrypted?
 
LVL 31

Expert Comment

by:moorhouselondon
ID: 34934175
I wouldn't have thought that the firewall could decrypt a VPN session, unless it sits between the clear-text traffic and the VPN encoder. What is the point of the P (for Private) in the VPN if anywhere en route the packets can be decoded? I think what's happening is that the firewall is attempting to decode traffic but is misunderstanding the structure of the packet. As to why coherent info is appearing in the firewall log: the firewall might be using info it has ascertained by other means to display it.
 

Author Comment

by:Westez
ID: 34956601
The traffic is decrypted once it passes through the firewall. Any comments on my original question?
 
LVL 31

Expert Comment

by:moorhouselondon
ID: 34958632
>once it passes through the firewall.

I think we need a block diagram to show the path traffic takes, showing the decryption stage with explicit reference to the positioning of the monitoring point. What firewall are you using? Do you not have a managed switch with port mirroring, which would monitor packets without any third-party interpretation taking place (which may be the case when using the firewall to do the monitoring)?
 
LVL 8

Assisted Solution

by:Toxacon
Toxacon earned 200 total points
ID: 34959908
What you should see is:

1. Resolving IP of your Exchange.
2. Connecting with TCP (SYN-ACK-Session-SecondarySession) to Exchange (RPC).
3. Communicating with the Exchange.
 

Author Comment

by:Westez
ID: 34965028
Update: My user is back in town. The laptop, when connected via VPN, can connect to the Exchange server and update the folders without a problem; this has been done from multiple locations. I'd say the problem was on the hotel end for this particular instance.

Toxacon - I have captures of what I'll call good conversations, that is to say I ran the captures when we didn't experience any problems connecting to Exchange and updating the folders. I'm using them for comparison between the good and the bad.

moorhouselondon - We do have a managed switch with port mirroring capabilities. What do you mean by the explicit reference to the positioning of the monitoring point? This makes me think of where you would position a hub: plug the Exchange server and a laptop running Wireshark both into the hub and capture traffic. Or, in your example, using a mirrored port. I'll see what I can do about coming up with a block diagram.
 
LVL 31

Accepted Solution

by:moorhouselondon
moorhouselondon earned 800 total points
ID: 34965176
All I'm saying is that there is a question mark hanging over the firewall doing the logging as to whether you get sense from the packets. Using port mirroring would overcome that obstacle.

It sounds like the hotel router doesn't support VPN connections, if the user is able to VPN from other locations into your system.
 

Author Comment

by:Westez
ID: 34970924
moorhouselondon - Thanks for the clarification and the suggestion; we're going to set that up and give it a go.
 

Author Closing Comment

by:Westez
ID: 34970971
Thanks for having a look and for the suggestions. We're going to set up port spanning, capture traffic, and compare it against previous captures. I'll open up another question if needed.