This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

capture destination IP

0

We have a device that is infected and has caused our email to be blacklisted. I've downloaded wireshark to see if we can capture the device. We don't have network support on staff, so this is all new to me. I want to make sure I have the correct set up and syntax. I checked promiscuous mode, then selected capture filter. I get an error trying to set up the filter. Can someone tell me what the correct syntax is to capture the IP?

Here are my steps: I select my "LAN" interface, then went to capture options, then select "IP only" and then in the capture filter string I tried "ip 87.225.51.229", "87.225.51.229", "ip : 87.225.52.229" and "ip = 87.225.51.229". All of these without the quotes of course. Thanks in advance for your help.

asked 17 Sep '13, 05:59

jslaymon

edited 17 Sep '13, 08:49

cmaynard ♦♦


One Answer:

1

See the Capture Filter reference on the Wiki which has suitable examples and links to other references.

answered 17 Sep '13, 06:20

grahamb ♦

I tried using "port 25" as the filter, but at the bottom of the screen I have the following error message: "Invalid filter: "port" is neither a field nor a protocol name."

(17 Sep '13, 09:12) jslaymon

I think I figured out what was causing the message.

(17 Sep '13, 09:15) jslaymon

Sounds as though you have confused Capture Filters and Display Filters; unfortunately they use a different syntax, so you have to be careful. port 25 is a capture filter that will only allow Wireshark to capture traffic to and from port 25. The equivalent display filter would be (tcp.port == 25) or (udp.port == 25).

(17 Sep '13, 09:43) grahamb ♦
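To make the two syntaxes concrete, here is a small added Python helper (not from the Wireshark project or from anyone in this thread) that checks which filter box a string belongs in and translates a few common capture-filter primitives into their display-filter equivalents. The sample strings are constructed from the attempts in the question plus the port 25 filter above; the translation table is a deliberate simplification of BPF (host/port only, IPv4 only).

```python
import ipaddress
import re

# Constructed sample inputs: the strings the asker tried, plus two valid ones.
ATTEMPTS = ["ip 87.225.51.229", "87.225.51.229", "ip : 87.225.52.229",
            "ip = 87.225.51.229", "dst host 87.255.51.229", "port 25",
            "tcp.port == 25"]

def _is_ipv4(tok):
    try:
        return ipaddress.ip_address(tok).version == 4
    except ValueError:
        return False

def capture_to_display(expr):
    """Translate one simple BPF capture-filter primitive into a Wireshark
    display filter. Handles [src|dst] host A.B.C.D, [src|dst] port N and the
    bare protocol names ip/tcp/udp; returns None for anything else, which is
    how the asker's attempts ("ip 87.225.51.229", "ip = ...") get rejected."""
    toks = expr.strip().lower().split()
    direction = None
    if toks and toks[0] in ("src", "dst"):
        direction = toks.pop(0)
    if len(toks) == 1 and direction is None and toks[0] in ("ip", "tcp", "udp"):
        return toks[0]                      # "tcp" is valid in both syntaxes
    if len(toks) != 2:
        return None
    qualifier, value = toks
    if qualifier == "host" and _is_ipv4(value):
        field = {"src": "ip.src", "dst": "ip.dst", None: "ip.addr"}[direction]
        return f"{field} == {value}"
    if qualifier == "port" and value.isdigit() and 0 < int(value) < 65536:
        side = f"{direction}port" if direction else "port"
        # BPF "port N" matches TCP and UDP, so the display filter needs both.
        return f"tcp.{side} == {value} || udp.{side} == {value}"
    return None

def classify(expr):
    """Return "capture", "display" or "neither" for a filter string.
    A field comparison like tcp.port == 25 is display-filter syntax only."""
    if capture_to_display(expr) is not None:
        return "capture"
    if re.fullmatch(r"[a-z]+\.[a-z_.]+\s*==\s*\S+", expr.strip()):
        return "display"
    return "neither"

if __name__ == "__main__":
    for a in ATTEMPTS:
        print(f"{a!r:28} -> {classify(a):8} {capture_to_display(a) or ''}")
```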

I assume I would use the display filter to look through the results that the capture filter provides?

(17 Sep '13, 10:30) jslaymon

Correct. Depending on your capturing environment, capture filters aren't always used, and if you aren't careful they can exclude the very traffic you want to capture.

(17 Sep '13, 11:22) grahamb ♦

I placed a laptop with Wireshark on the switch that goes into the router. I set it for promiscuous and set the capture filter as (dst host 87.255.51.229). This IP is the one that the virus is supposed to be pointing to. If we don't get any results from this, I guess I should set the capture filter for port 25 and then review the results.

(17 Sep '13, 12:04) jslaymon

I have a second laptop running to capture port 25. I'm not seeing any real-time messaging coming through the display area, yet when I look at the interface I can see packet info changing. I even sent a test e-mail to my home account and it didn't show up. How do I get the results to display? Thanks.

(17 Sep '13, 13:39) jslaymon

Just connecting a capture device (i.e. your laptop) to the same switch that is connected to the router doesn't mean that you'll see all data that goes through the switch. That's why it's called a switch, as it switches data between ports. Traffic (apart from broadcast messages) between the router and the "infected" device will only be switched between the ports those devices are connected to.

You will have to "Span" or "Mirror" the router port to the port you are running the capture device on. See the Wiki page on Ethernet Capture Setup for more info.

(18 Sep '13, 01:54) grahamb ♦

I appreciate your help, but I'm not sure which is the correct setup for us. Remember, we have no real network expertise on staff, so this is new to us. We have several switches on our network and they are daisy-chained together. That's why I put the one laptop on the switch tied to the router. My second laptop, not on the same switch, was set to capture port 25 traffic in promiscuous mode, yet this morning it showed nothing. Given that we don't know what machine is the problem, it looks like the "Switched Ethernet" scenario is what we need? On a side note, Wireshark on the laptop by the router was running when I left last night and wasn't this morning. I locked the laptop, but it looks like Wireshark can't run in the background? Thanks.

(18 Sep '13, 05:52) jslaymon

A number of questions, hopefully here are some answers:

  1. On a switched network you can't just connect to a port on a switch and then capture traffic flowing through other ports as switches just don't work like that by design. Some switches (often known as managed) allow you to set a "monitor" mode to span or mirror traffic from ports that you are interested in to another port where your capture device is connected. You'll need to determine if your switches allow you to do this (Switch + monitor port). If not, you'll need one of the other approaches for a switched network, or buy another switch that does allow monitor mode, see the Wiki page Switch Reference for more info on some switches that support monitor mode.

  2. Leaving Wireshark running for a long period of time will often cause the application to run out of memory, due to all the captured data. See the blog entry from @jasper here for more info.

(18 Sep '13, 06:46) grahamb ♦