This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

filter ACL

0

Hi dear,

I am having some kind of trouble figuring out a solution. I cannot identify in which equipment my network is allowing some desktop to access another network, so probably the other technician did an ACL in some device. I was wondering if I can capture the packet that goes to another network and find where the ACL is allowing it by Wireshark.

Regards,

asked 20 Oct '16, 05:15


bruno trombim
6223
accept rate: 0%


One Answer:

0

It depends on two things:

  • how verbose the firewall device is,

  • how easy it is for you to capture at different points of your network topology.

Assuming we talk about protocols using TCP as transport (http, https, telnet, ssh, ...):

If the firewall device sends back to the desktop an ICMP "destination unreachable" when it bans the SYN packet, it is easier for you because the ICMP packet's source IP address identifies the firewalling box.

So try to capture at the desktop's LAN interface and see whether there are ICMP packets coming back to your SYN attempts towards the ACLed network. If they are, you've got it.

If the firewall device imitates a no-response situation, you cannot identify it by capturing traffic at the desktop which has been banned access to the other network, because the firewall won't send anything back in response to the TCP SYN packet sent by the desktop. So in this case, you would have to know the complete route from the desktop to your site uplink and capture at the "inner" and "outer" side of each box along that route to see whether the SYN packet makes it from the inner side to the outer side of the box. The box which did not let the SYN through is the firewall. But if you have access rights to the routers and understand their configuration, it is usually a lot easier to check the configurations than to run all over the site capturing.

If we talk about other transports, the situation is essentially the same, except that you look for handling of some other initial packet whose role in that connection protocol is similar to that of TCP SYN.

answered 20 Oct '16, 08:47


sindy
6.0k4851
accept rate: 24%

Thanks Sindy,

I got your idea, thinking outside the box!!! For example, if I want full packet information such as (IP, GW, and also which ACL was applied on it), is that possible through Wireshark?

Thanks

(20 Oct '16, 10:45) bruno trombim

if I want full packet information such as (IP, GW, and also which ACL was applied on it), is that possible through Wireshark?

Wireshark only shows you information from the packets which were physically sent over the network.

So if the firewall device sends back an ICMP packet "destination unreachable":

  • you would see the IP of the firewall device, it would be the source address of that ICMP packet.

  • you wouldn't see the IP address of the GW anywhere because it is completely out of context. The firewall may be in another IP subnet than the desktop from which the banned packet was sent, and you have to consult the desktop's routing table to find out which gateway is used when sending packets to the final destination. The firewall is somewhere on the path between that gateway and the final destination, and it is even possible that the gateway towards the firewall's own IP is a different one than the gateway towards the final destination if the desktop has more than one gateway configured.

  • you won't see which ACL inside the firewall was the reason for the packet rejection because it is an internal matter of the firewall and no information field of the ICMP protocol is foreseen to convey such information.

If the firewall device does not send back any ICMP and drops the packets silently, you won't even see its IP in the capture taken at the desktop, and you will have to capture hop by hop as I've already written before.

(20 Oct '16, 12:58) sindy
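One way to automate the check described in the answer and its follow-up comment, as an added example that is not part of the original thread: a small Python script over a constructed capture (the desktop 10.1.1.25, the target subnet, the ports and the hypothetical ACL box 10.0.0.254 are all made up) that pairs each SYN towards the ACLed network with the ICMP "destination unreachable" that quotes it, reports the ICMP source as the filtering device, and flags SYNs that got nothing back as candidates for the hop-by-hop capture.

```python
import ipaddress

# Constructed sample capture, as if taken at the desktop 10.1.1.25 (not real data).
# Each record holds the fields Wireshark would show; ICMP records also carry the
# quoted original IP/TCP header ("inner") that the rejecting box echoes back.
PACKETS = [
    {"no": 1, "proto": "tcp", "src": "10.1.1.25", "dst": "192.168.50.10",
     "sport": 51000, "dport": 22, "flags": "S"},
    {"no": 2, "proto": "tcp", "src": "10.1.1.25", "dst": "192.168.50.10",
     "sport": 51001, "dport": 443, "flags": "S"},
    # type 3 / code 13 (communication administratively prohibited) from a hop
    # in another subnet than the desktop: its source address is the ACL box
    {"no": 3, "proto": "icmp", "src": "10.0.0.254", "dst": "10.1.1.25",
     "type": 3, "code": 13,
     "inner": {"src": "10.1.1.25", "dst": "192.168.50.10",
               "sport": 51000, "dport": 22}},
    {"no": 4, "proto": "tcp", "src": "10.1.1.25", "dst": "192.168.50.20",
     "sport": 51002, "dport": 80, "flags": "S"},
    {"no": 5, "proto": "tcp", "src": "192.168.50.20", "dst": "10.1.1.25",
     "sport": 80, "dport": 51002, "flags": "SA"},
]

# ICMP type 3 codes meaning "blocked by policy" rather than "no route" (RFC 1812)
ADMIN_PROHIBITED = {9, 10, 13}


def locate_filter(packets, desktop_ip, target_net):
    """Map each SYN from desktop_ip into target_net, keyed by (src, sport, dst,
    dport), to a verdict: reachable, filtered, unreachable or no_response."""
    net = ipaddress.ip_network(target_net)
    attempts = {}
    for p in packets:
        if (p["proto"] == "tcp" and p["flags"] == "S" and p["src"] == desktop_ip
                and ipaddress.ip_address(p["dst"]) in net):
            attempts[(p["src"], p["sport"], p["dst"], p["dport"])] = {"verdict": "no_response"}
    for p in packets:
        if p["proto"] == "tcp" and p["flags"] == "SA":
            key = (p["dst"], p["dport"], p["src"], p["sport"])  # reverse of the SYN
            if key in attempts:
                attempts[key] = {"verdict": "reachable"}
        elif p["proto"] == "icmp" and p["type"] == 3:
            q = p["inner"]  # the refused SYN, quoted inside the ICMP payload
            key = (q["src"], q["sport"], q["dst"], q["dport"])
            if key in attempts:
                verdict = "filtered" if p["code"] in ADMIN_PROHIBITED else "unreachable"
                attempts[key] = {"verdict": verdict, "filter_box": p["src"],
                                 "icmp_code": p["code"]}
    return attempts  # no_response entries: silent drop, capture hop by hop
```

In Wireshark itself the display filter `icmp.type == 3` isolates the same replies interactively; the script only adds the pairing with the original SYN so you can see which attempts got no answer at all.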