Author Topic: How To: Use Wireshark to troubleshoot network issues  (Read 17674 times)

Posted by Ronny (Global Moderator)
How To: Use Wireshark to troubleshoot network issues
« on: July 19, 2010, 04:26:31 AM »
Sometimes, when you run into complicated issues and CIS appears to be blaming your internet connection, you need to see in more detail what is going wrong. That is where a network packet capture comes in.

This How-To guides you through the steps of making such a capture. It will not explain what is going wrong, because that is far more complicated than making the capture, but once the capture exists it can be analysed by someone with more Wireshark experience to help figure out what went wrong.

We start by downloading the correct version of Wireshark from this page here

Once you have installed the software, we can set up the system to make a clean capture.

By a clean capture I mean one made with all other applications closed, including those in the system tray. There are two reasons for this: other applications pollute the capture with uninteresting traffic, and they may also be sending sensitive information (logins, session cookies, mail) that should not end up in a file you hand to someone else. The capture filter set below limits this but does not remove it: anything another application sends over port 80 is still recorded.

Once this is done, start Wireshark.
Next we need to find the network adapter that is currently active.
Press the icon circled in red and a list of adapters shows up.

Cause some network traffic, for example by having Comodo check for AV updates.
Look in the "Packets" column and press "Options" for the adapter whose counter is increasing.

Next we apply a capture filter so that only traffic on TCP port 80 (HTTP) is recorded.
In the Capture Filter field type port 80 (lowercase; capture filters use libpcap syntax and match packets with 80 as either source or destination port) and press the Start button to start the capture. If the failure might be in name resolution rather than in the HTTP request itself, use port 80 or port 53 instead, so the DNS lookups for the update server are kept as well.

Now switch to CIS, press the Check for AV updates link and wait until the error occurs. When it does, wait about 60 seconds and try again; once that check also ends in an error we can stop the capture.
Press the button circled in red to stop the capture.

This is an example of how a normal "Check for AV updates" looks.
Now let's save the capture so you can send it to someone who can examine what is going wrong.
Press the Save button and save the capture to disk.

Give it a name and save the file as .pcap. Newer Wireshark versions default to the pcapng format; if the person analysing the file asks for classic pcap, pick "Wireshark/tcpdump/... - pcap" in the Save as type box.

Once that is done it is advisable to compress it as a zip file and then contact the person who will analyse the file by PM (Personal Message). Do not post the capture on the board: it exposes details about your connection (your IP address, the hosts you talk to, and any data your applications sent in the clear) to everyone who reads it.
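Before zipping the file it is worth checking what is actually in it. The script below is an added example, not part of the original How-To and not Comodo's or Wireshark's code: it reads a classic .pcap file, re-applies the "port 80" filter offline, summarises which servers the capture talks to, and lists every packet the filter would never have recorded (a sign that the filter was not applied and that the file may contain more than you intend to share). The sample capture is constructed inline with documentation-range addresses so the script runs offline; to check your own file, replace SAMPLE_PCAP with open("capture.pcap", "rb").read().

```python
"""Pre-send sanity check for the .pcap produced by this How-To.

Added example, not part of the original post or of Comodo/Wireshark.
The sample capture is constructed inline (RFC 5737 addresses, zeroed
MACs and checksums), so everything here runs offline.
"""
import socket
import struct
from collections import Counter

PCAP_MAGIC_LE = 0xA1B2C3D4          # classic pcap, microsecond timestamps
PCAP_MAGIC_BE = 0xD4C3B2A1
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP, PROTO_UDP = 6, 17


def decode_frame(frame):
    """Return (src_ip, dst_ip, proto, sport, dport) for an Ethernet/IPv4 frame,
    or None for anything else (ARP, IPv6, truncated frames)."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None
    ihl = (frame[14] & 0x0F) * 4                 # IPv4 header length in bytes
    proto = frame[23]
    src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
    l4 = 14 + ihl
    if proto not in (PROTO_TCP, PROTO_UDP) or len(frame) < l4 + 4:
        return src, dst, proto, None, None
    sport, dport = struct.unpack_from("!HH", frame, l4)
    return src, dst, proto, sport, dport


def parse_pcap(data):
    """Yield decoded packets from classic pcap bytes; rejects pcapng and non-Ethernet."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == PCAP_MAGIC_LE:
        e = "<"
    elif magic == PCAP_MAGIC_BE:
        e = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    linktype = struct.unpack_from(e + "IHHiIII", data, 0)[6]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    off = 24                                     # size of the global header
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from(e + "IIII", data, off)
        off += 16
        pkt = decode_frame(data[off:off + incl_len])
        off += incl_len
        if pkt is not None:
            yield pkt


def check_capture(data, allowed_ports=(80,)):
    """Re-apply the capture filter offline.

    Returns (servers, offenders): servers counts packets per (ip, port) on the
    allowed-port side of each conversation; offenders lists packets that the
    filter 'port 80' would never have recorded."""
    servers, offenders = Counter(), []
    for src, dst, proto, sport, dport in parse_pcap(data):
        if dport in allowed_ports:
            servers[(dst, dport)] += 1
        elif sport in allowed_ports:
            servers[(src, sport)] += 1
        else:
            offenders.append((src, dst, proto, sport, dport))
    return servers, offenders


def build_frame(src_ip, dst_ip, proto, sport, dport):
    """Constructed Ethernet/IPv4/TCP-or-UDP frame with zeroed MACs and checksums."""
    eth = bytes(12) + struct.pack("!H", ETHERTYPE_IPV4)
    if proto == PROTO_TCP:                       # bare SYN, 20-byte TCP header
        l4 = struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | 0x02, 8192, 0, 0)
    else:                                        # UDP header with no payload
        l4 = struct.pack("!HHHH", sport, dport, 8, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, proto, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + l4


def build_pcap(frames):
    """Wrap frames in a little-endian classic pcap container (constructed timestamps)."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1279513591 + i, 0, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


# Constructed capture taken *without* the filter: the two HTTP packets are what
# 'port 80' would keep; the DNS lookup and the HTTPS packet are what it would drop.
SAMPLE_PCAP = build_pcap([
    build_frame("192.0.2.5", "192.0.2.1", PROTO_UDP, 53000, 53),      # DNS query
    build_frame("192.0.2.5", "203.0.113.10", PROTO_TCP, 49152, 80),   # HTTP SYN
    build_frame("203.0.113.10", "192.0.2.5", PROTO_TCP, 80, 49152),   # HTTP SYN/ACK
    build_frame("192.0.2.5", "203.0.113.10", PROTO_TCP, 49153, 443),  # HTTPS, unrelated
])

if __name__ == "__main__":
    servers, offenders = check_capture(SAMPLE_PCAP)
    for (ip, port), n in servers.items():
        print(f"{n} packet(s) to/from {ip}:{port}")
    for pkt in offenders:
        print("does not match 'port 80':", pkt)
```

The same capture can also be made without the GUI using Wireshark's tshark, for example tshark -i <adapter> -f "port 80" -w capture.pcap; the check above applies the same rule as that -f filter, so a capture made that way should produce an empty offenders list.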

If you have any questions regarding this How-To, please feel free to send me a PM.

End of How-To

« Last Edit: July 19, 2010, 04:50:40 AM by Ronny »