This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Using wireshark to solve anti virus problem, question about filters?

0

Hi, I am having problems with my anti-virus on one of my servers. The tech support of the company have asked me to take a capture using Wireshark while the anti-virus is trying to update. I am however finding a problem with this. For obvious reasons I do not want to send them a full scan of my network... so I was hoping that if I run Wireshark off my Windows 7 workstation and apply a filter to Wireshark so it only gathers packets from the server's IP address, then on the server set the antivirus to update, will this collect the information?

If I do this when I'm RDC'd into the server it only records packets between me and the server, not the server and Sophos. I am sure this is a problem with the filter I am applying in Wireshark, which is "host XX.X.X.X".

I don't suppose anyone is experienced with Wireshark that would be able to shed any light on where I am going wrong.

Thanks in advance

asked 02 Mar '11, 06:26


Ben Marks


One Answer:

2

I understand from your question that the anti-virus software is not downloading updates. For obvious reasons you don't want to send them a full trace of every juicy packet going through your server.

The filter host x.x.x.x would be a capture filter and limit recorded traffic to the specified IP address.

My personal approach to these situations is to capture everything, then apply display filters until only the relevant packets are on the screen. In most cases when sending a trace file to tech support, 30 frames or less easily do the job. The proper display filter would be ip.addr == x.x.x.x where x.x.x.x is the IP address of the update server.

As far as your update is concerned a few points to look out for:

  • Is your server sending out DNS requests to obtain an IP address for the download server? The DNS request will not go to the anti-virus company.
  • Are your server and the remote system completing the TCP handshake?
  • If the download uses plaintext protocols: Do you see error messages? A good candidate can be "HTTP Proxy authentication required"
  • Do you have a firewall in your network that blocks "ICMP fragmentation needed" messages? (aka a "Blackhole router") This would allow your system to complete the handshake, but would interrupt the bulk data transfer.

Hint: run ipconfig /flushdns on the command line before starting your test run. If you don't see a DNS request check your hosts file for bogus entries.

Good luck!

answered 02 Mar '11, 13:35


packethunter

edited 02 Mar '11, 13:39
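The checklist in the answer above (DNS request seen, TCP handshake completed, HTTP 407 from a proxy, ICMP "fragmentation needed" from a black-hole router) can be turned into a small triage script. The following is an added example, not code from packethunter or from the Wireshark project. It reads tab-separated field output of the kind `tshark -T fields` produces (the field names `dns.qry.name`, `tcp.flags.syn`, `tcp.flags.ack`, `http.response.code`, `icmp.type` and `icmp.code` are real Wireshark fields; the sample lines, IP addresses and the `updates.av-vendor.example` hostname are constructed for the demonstration) and reports which of the four checks each packet satisfies.

```python
"""Triage an anti-virus update capture against the four checklist items.

Input lines are assumed to come from a command of this shape (real tshark
flags; the trace file name is a placeholder):

  tshark -r trace.pcapng -Y "ip.addr == SERVER_IP" -T fields -E separator=/t \
      -e frame.number -e ip.src -e ip.dst -e dns.qry.name \
      -e tcp.flags.syn -e tcp.flags.ack -e http.response.code \
      -e icmp.type -e icmp.code

Boolean TCP flag fields export as "1"/"0" on older tshark builds and as
"True"/"False" on newer ones; both spellings are accepted below.
"""
from collections import defaultdict

# Column order must match the -e list in the tshark command above.
FIELDS = ["frame", "src", "dst", "dns_qry", "syn", "ack",
          "http_code", "icmp_type", "icmp_code"]
TRUE_VALUES = {"1", "True", "true"}


def capture_filter(ip):
    """BPF capture filter that only records frames to or from one host."""
    return f"host {ip}"


def display_filter(ip):
    """Wireshark display filter equivalent to the capture filter above."""
    return f"ip.addr == {ip}"


def parse(lines):
    """Turn tab-separated tshark field lines into dicts keyed by FIELDS."""
    records = []
    for line in lines:
        if not line.strip():
            continue
        parts = line.rstrip("\n").split("\t")
        parts += [""] * (len(FIELDS) - len(parts))  # pad missing trailing columns
        records.append(dict(zip(FIELDS, parts)))
    return records


def triage(lines, server_ip):
    """Run the four checklist items over a trace and return the findings."""
    recs = [r for r in parse(lines) if server_ip in (r["src"], r["dst"])]
    findings = {
        "dns_request": None,          # first name the server looked up, if any
        "handshake_complete": False,  # SYN, SYN-ACK, ACK seen for one flow
        "proxy_auth_required": False, # HTTP 407 seen
        "frag_needed": False,         # ICMP type 3 code 4 seen
    }
    # (client, server) -> 1 after SYN, 2 after SYN-ACK, 3 after final ACK
    state = defaultdict(int)
    for r in recs:
        if r["dns_qry"] and r["src"] == server_ip and findings["dns_request"] is None:
            findings["dns_request"] = r["dns_qry"]
        syn, ack = r["syn"] in TRUE_VALUES, r["ack"] in TRUE_VALUES
        if syn and not ack:
            state[(r["src"], r["dst"])] = 1
        elif syn and ack and state[(r["dst"], r["src"])] == 1:
            state[(r["dst"], r["src"])] = 2
        elif ack and not syn and state[(r["src"], r["dst"])] == 2:
            state[(r["src"], r["dst"])] = 3
            findings["handshake_complete"] = True
        if r["http_code"] == "407":
            findings["proxy_auth_required"] = True
        if r["icmp_type"] == "3" and r["icmp_code"] == "4":
            findings["frag_needed"] = True
    return findings


# Constructed sample trace: 10.0.0.5 is the server, 10.0.0.2 its DNS resolver,
# 203.0.113.10 the update host and 10.0.0.1 a router on the path.
SAMPLE = """\
1\t10.0.0.5\t10.0.0.2\tupdates.av-vendor.example\t\t\t\t\t
2\t10.0.0.2\t10.0.0.5\tupdates.av-vendor.example\t\t\t\t\t
3\t10.0.0.5\t203.0.113.10\t\t1\t0\t\t\t
4\t203.0.113.10\t10.0.0.5\t\t1\t1\t\t\t
5\t10.0.0.5\t203.0.113.10\t\t0\t1\t\t\t
6\t203.0.113.10\t10.0.0.5\t\t0\t1\t407\t\t
7\t10.0.0.1\t10.0.0.5\t\t\t\t\t3\t4
"""

if __name__ == "__main__":
    print("capture filter:", capture_filter("10.0.0.5"))
    print("display filter:", display_filter("10.0.0.5"))
    for key, value in triage(SAMPLE.splitlines(), "10.0.0.5").items():
        print(f"{key:>20}: {value}")
```

The handshake tracker keys on the (client, server) address pair, so a trace that contains the server's SYN but no SYN-ACK from the update host leaves `handshake_complete` false, which is exactly the "firewall or routing problem" case the checklist wants you to distinguish from an application-level failure such as the 407.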