ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

Running Wireshark for Email Security.cloud

book

Article ID: 161481

calendar_today

Updated On:

Products

Email Security.cloud

Issue/Introduction

You want to Wireshark to capture infromation about your traffic through the Email Security.cloud service.

Resolution

To run Wireshark

  1. Refer to the official Wireshark documentation, How To Set Up a Capture. http://wiki.wireshark.org/CaptureSetup 
  2. Ensure that you are familiar with this information before proceeding. 
  3. Downloaded and install Wireshark on to a suitable packet capturing computer 
  4. Run Wireshark, and configure it for capturing packets. 
  5. The configuration can be comprehensive (e.g. "capture everything") but we advise using filters to remove irrelevant packet data. For example, you could exclude HTTP traffic if you are only interested in SMTP or email-related traffic. 
  6. From the main screen of the application, click on Capture > Options. 
  7. Set the Interface to the active interface on your computer that acts as a packet capture device. If the computer has more than one network interface, the IP address of the selected interface is shown. You can determine which network range it connects to. 
  8. Check the box to turn on Capture packets in "promiscuous" mode so that it passes all traffic it receives. Most network cards normally use this feature specifically for packet capture. 
  9. Set the capture filter to the TCP/IP port number being captured. For email traffic, use port 25. 
  10. Click on Start to begin the packet capture. You can watch the packet capture in progress. If you do not see any data after a few seconds, verify that you have selected the correct network interface. It may be easy to confuse the wired and wireless Ethernet interfaces, or accidentally chose the wrong interface on a computer with multiple network interfaces. We usually recommend running the packet capture for 10 to 15 minutes, to collect sufficient information for analysis. Consult with the Support team representative in case a longer capture is required. After you have collected enough data, stop the capture. 
  11. Use the Wireshark follow the TCP stream feature to apply a filter to your capture and show only the packets that are related to and following from the first packet you see. A good packet to start with is the EHLO or HELO from an email (SMTP) "conversation". To follow the TCP stream, right-click on a packet, and then click on Follow TCP Stream. When you select the TCP Stream, Wireshark takes a few minutes to filter out the packets. Then a window showing sent and received data is displayed. Wireshark shows the SMTP conversation completely. 
  12. Create the capture file, archive it into a compressed file and email it to the Support team. We can use this information to pinpoint any problems that would otherwise be impossible to troubleshoot.  

Notes:
If any packets miss or information is garbled, it is clear that something was lost in transit. Packets that are displayed in red text on a black background usually indicate a problem.

"TCP RETRANSMISSION" error means that a packet was lost in transit, and TCP had to recover by resending the packet. Too many retransmission may indicate a larger problem such as poor link quality or latency. 

"DUPLICATE ACK" indicates a more serious problem as it means that the ‘ACK’ (acknowledgment) packet took so long to travel that another one was sent. Now the receiver sees the packet again.