I would like to capture traffic between two interfaces to debug NAT with port forwarding on a Windows Server 2012 R2, which shall translate requests to TCP port 817[0..9] on the "internet" interface (IP 192.168.88.252, behind another NAT router board) to TCP ports 80 on devices (IP 192.168.0.17[0..9]) connected to the "intranet" interface (IP 192.168.0.1).

Currently, requests over the internet in a web browser using a URL with port number (e.g. "http://dynamic.dns:8171") return a "connection refused" error, so I have to suspect that the port forwarding in the Windows Server was not configured correctly, and I hope that a multi-interface capture with a narrow filter would help in discovering where and why the connection fails. Capturing the "internet" interface alone already proved that requests from the internet through a router board arrive at the server, so the "transparent" port forwarding in the router board (same port pass-through for the given range) appears to be correct...

How do I set up Wireshark 2.0.5(+) x86-64 to capture two interfaces at once, and select filters per interface (a port range for the "internet" interface, an IP address range for the "intranet" interface)?

asked 22 Aug '16, 02:39 LigH
edited 22 Aug '16, 04:52 sindy
One Answer:
At the welcome screen, click once on one of the interfaces, and fill in the capture filter form field with the filter expression for the interface currently chosen. Then, click once on the other interface you want to capture on, and fill in the same capture filter form field with the filter expression for that interface. Next, hold Ctrl and click once on the first interface. Both will become selected (and highlighted accordingly). Don't touch the capture filter form field, and press the "start capture" button (the blue fin symbol right below

answered 22 Aug '16, 03:30 sindy
You can also use the Capture Options dialog to set per interface filter expressions and then capture on multiple interfaces.
Thank you, sindy, that worked well so far. And unfortunately, it shows that the port forwarding does not happen inside the Windows Server, so this is a useful anchor for the following countermeasures.
I just hope there is a more efficient filter than a sequence of single hosts when an IP range does not easily match a subnet mask (host 192.168.0.170 or host 192.168.0.171 or [...] or host 192.168.0.179).
Unfortunately, your hope is in vain. If you insist that the filtering is done using a capture filter, the answer to this Question provides all the details.
But if you could live with a display filter further narrowing the packet list, the answer to this Question may be helpful.
By using some CIDR ranges with the net primitive you could use a filter of:

If you don't mind .168 & .169 being included, then you could use:
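
An added example, not part of the original thread: one way to derive `net`-based capture filters for an address range that does not fall on a single subnet boundary, using the addresses and ports from the question. The function names, the interface names and the output file name are assumptions made for illustration.

```python
import ipaddress

def cidr_cover(first, last):
    """Smallest list of aligned CIDR blocks that covers first..last exactly."""
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    return list(ipaddress.summarize_address_range(lo, hi))

def net_filter(first, last):
    """Capture filter with one `net` primitive per CIDR block."""
    return " or ".join(f"net {block}" for block in cidr_cover(first, last))

def matched_addresses(first, last):
    """Every address the generated filter matches (to check for over-capture)."""
    return [str(addr) for block in cidr_cover(first, last) for addr in block]

def dumpcap_args(internet_if, intranet_if, outfile):
    """dumpcap arguments: an -f given after an -i applies to that interface only."""
    return ["dumpcap",
            "-i", internet_if, "-f", "tcp portrange 8170-8179",
            "-i", intranet_if, "-f", net_filter("192.168.0.170", "192.168.0.179"),
            "-w", outfile]

if __name__ == "__main__":
    # Exact range from the question: ten hosts, three CIDR blocks.
    print("exact range    :", net_filter("192.168.0.170", "192.168.0.179"))
    # Starting two addresses lower aligns on a /29 and needs only two blocks.
    print("with .168/.169 :", net_filter("192.168.0.168", "192.168.0.179"))
    print("addresses matched by the exact filter:",
          len(matched_addresses("192.168.0.170", "192.168.0.179")))
    # "Internet" and "Intranet" are placeholder interface names; `dumpcap -D`
    # lists the real ones. The output file name is also a placeholder.
    print(dumpcap_args("Internet", "Intranet", "nat-debug.pcapng"))
```

The same filter strings can be typed into the per-interface capture filter fields described in the answer above.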