Dear all, Currently, I face a big problem that cause my internet slow during window 10 auto update. How can I use the wireshark to determine the sources can block the traffic in firewall please? asked 13 Jul '16, 21:27  sophea edited 14 Jul '16, 00:37  sindy |
This is a static archive of our old Q&A Site.
Please post any new questions and answers at ask.wireshark.org.
Your question is not clear. Do you want to identify a cause of the slowdown or to block the Windows update download using a firewall, so you want to use Wireshark to find out which traffic to block?
Wireshark can show you what happens but not why. So if you can capture the traffic at both sides of the firewall, you can find out which packets the firewall has filtered out by comparing the traces. You can also use wireshark capture at your PC to estimate the real downlink speed of your internet connection - a slow real downlink speed may be the actual reason of the slowdown during Windows upgrade download, as the other data hardly squeeze into the bandwidth almost fully occupied by the file transfer.
Dear sir,
Yes, I am a beginner using wireshark. I just want to know command/filter option how to find the window update package and its sources?
If I know the sources that window client download from, so I can block the port, services or its source IP address in my firewall filter rule.
In the first step, a filter option is not what you need. You'd have to close all applications except Wireshark so that background updates would be the only cause of network traffic (Windows update but possibly also non-Microsoft applications), take a capture and see the list of conversations (in GUI Wireshark, you'd go
Statistics -> Conversations -> TCP). The Windows update should be the conversation which shows the most bytes towards your PC's IP address.Alternatively, you might disconnect the PC from the LAN, reboot it and start capturing right after connecting the LAN back, so that you could inspect the DNS requests sent and possibly find some queries containing
microsoftas part of the queried fqdn. The reboot is necessary to make sure that the upgrade will start from the very beginning, using a dns query first in order to determine the server IP.But I suspect Microsoft engineers to use a resiliency scheme, i.e. to run multiple sites hosting the files to be downloaded for upgrade, so that the PC could use another site if the chosen one is unreachable. So preventing access to a single IP may not be sufficient to stop the Windows upgrade. And there may be tens to hundreds of them in various subnets.