Running Wireshark for Web Security.cloud


Article ID: 161435

Products

Web Security.cloud

Issue/Introduction

You want to use Wireshark to capture information about your traffic through the Web Security.cloud service.

Resolution

To run Wireshark

  1. Refer to the official Wireshark documentation, How To Set Up a Capture: http://wiki.wireshark.org/CaptureSetup
  2. Ensure that you are familiar with this information before proceeding.
  3. Download and install Wireshark on a suitable packet-capturing computer.
  4. Run Wireshark and configure it for capturing packets.
  5. The configuration can be comprehensive (e.g. "capture everything"), but we advise using filters to remove irrelevant packet data. For example, you could exclude HTTP traffic if you are only interested in SMTP or other email-related traffic.
  6. From the main screen of the application, click Capture > Options.
  7. Set the Interface to the active interface on your computer that acts as the packet capture device. If the computer has more than one network interface, the IP address of the selected interface is shown, so you can determine which network range it connects to.
  8. Check the box to turn on "Capture packets in promiscuous mode" so that the interface passes up all traffic it receives, not only frames addressed to it. Most network cards support this feature, and it is normally used specifically for packet capture.
  9. Set the capture filter to the TCP/IP port number being captured. For email traffic, use port 25. For Web (HTTP) traffic, we suggest that no filter is set and that all traffic is captured, so that we can see whether Web pages make any kind of "back channel" connections on non-standard ports (for example, to database servers).
  10. Click Start to begin the packet capture. You can watch the packet capture in progress. If you do not see any data after a few seconds, verify that you have selected the correct network interface: it is easy to confuse the wired and wireless Ethernet interfaces, or to accidentally choose the wrong interface on a computer with multiple network interfaces. We usually recommend running the packet capture for 10 to 15 minutes to collect sufficient information for analysis. Consult your Support team representative if a longer capture is required. After you have collected enough data, stop the capture.
  11. Save the .cap file with an appropriate file name, create a compressed archive of it, and send it to the Support team for analysis.
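The same procedure from the command line, as an added example that is not part of the original article: it uses dumpcap (the capture engine bundled with Wireshark) to apply the capture filter from step 9, run a timed capture, and compress the result for Support. The interface name eth0, the 15-minute duration and the file names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article. Command-line equivalent of
# steps 7 to 11 using dumpcap. Interface and file names are constructed.

# Step 9: choose the capture filter by traffic type. Email -> "port 25";
# Web -> no filter, so back-channel connections on non-standard ports are kept.
capture_filter_for() {
    case "$1" in
        email) printf '%s' 'port 25' ;;
        web)   printf '%s' '' ;;
        *)     return 1 ;;
    esac
}

# Build the dumpcap command line. Promiscuous mode is dumpcap's default
# (step 8); "-a duration:N" stops the capture after N seconds (step 10).
build_capture_cmd() {
    iface=$1; traffic=$2; minutes=$3; outfile=$4
    filter=$(capture_filter_for "$traffic") || return 1
    cmd="dumpcap -i $iface -a duration:$((minutes * 60)) -w $outfile"
    if [ -n "$filter" ]; then
        cmd="$cmd -f '$filter'"
    fi
    printf '%s' "$cmd"
}

# Step 7 check: refuse to start on an interface with no IPv4 address, the
# usual cause of an empty capture. Linux-only; needs iproute2.
interface_has_ipv4() {
    ip -o -4 addr show dev "$1" 2>/dev/null | grep -q 'inet '
}

# Step 11: compress the capture file; prints the archive name.
package_capture() {
    gzip -c "$1" > "$1.gz" && printf '%s' "$1.gz"
}

# Usage (constructed values): run_capture eth0 email 15 capture.cap
run_capture() {
    interface_has_ipv4 "$1" || { echo "interface $1 has no IPv4 address" >&2; return 1; }
    sh -c "$(build_capture_cmd "$@")" && package_capture "$4"
}
```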