Wireshark, like tcpdump, is built on the same libpcap library, so you can use the same capture filters to capture or show only the traffic that relates to your specific area of concentration. Very often we are looking at a specific problem, but it is always good to see the bigger picture first: capture all traffic at the start to eliminate variables (sometimes your traffic is simply being dropped). That points you in a very different direction than if your packets were reaching the intended host but the wrong or inappropriate information was coming back. Sometimes a machine hosts many different services, and you may want to filter out all traffic except the service you are having problems with. This is the sort of thing that filters are great at, so let’s take a look at libpcap filters.
Let’s say we have a user who cannot log in to their computer. Authentication is provided by a server running Mac OS X v10.5, and their home directory also resides on that host. The key thing here is that this user is trying to log in from their Mac to an Open Directory server! There are a bunch of tools you can use, such as ping, traceroute, dscl, kinit and nslookup, BUT sometimes they can be deceiving! Based on the above info we need to make sure we are capturing traffic on the following ports: 53 for DNS, 88 for Kerberos and 389 for LDAP.
The first thing we could try is:
port 53
This will show you the DNS queries and their results! OK, yes, you could do that using nslookup or dig, BUT those tools will not tell you how or what the host itself is sending for lookups. What is the query string that the host is sending? Perhaps you didn’t send the FQDN, or, worse still, the host is getting hung up on multiple search domains. DNS can be finicky!
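To make concrete what “the query string that the host is sending” looks like on the wire, here is an added example (not code from the original post) that builds the question section of DNS queries the way a client would, decodes the name back out of the raw payload, and flags queries that are search-domain expansions of a short name. The search list (corp.example, lab.example), the short name odserver and the transaction IDs are constructed for this example.

```python
import struct


def build_dns_query(qname, txid=0x1234):
    """Construct the UDP payload of a DNS standard query for qname (QTYPE A, IN).
    Constructed sample input for this example, not captured traffic."""
    # Header: ID, flags (RD set), QDCOUNT=1, ANCOUNT, NSCOUNT, ARCOUNT
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)


def parse_dns_question(payload):
    """Return (txid, qname, qtype) from the question section of a DNS query.
    A client query carries a single uncompressed name, which is all this handles."""
    if len(payload) < 12:
        raise ValueError("truncated DNS header")
    txid, _flags, qdcount = struct.unpack("!HHH", payload[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question, got %d" % qdcount)
    off = 12
    labels = []
    while True:
        length = payload[off]
        off += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in a query name")
        labels.append(payload[off:off + length].decode("ascii"))
        off += length
    qtype = struct.unpack("!H", payload[off:off + 2])[0]
    return txid, ".".join(labels), qtype


def sent_names(payloads):
    """The query names a host sent, in the order it sent them."""
    return [parse_dns_question(p)[1] for p in payloads]


def search_domain_expansions(qnames, search_domains):
    """For each query name, return (name, short_name) where short_name is the
    name the resolver expanded if it ends in one of the search domains, else None.
    A run of the same short name under several suffixes is the search-list
    behaviour that makes a lookup slow or hit the wrong host."""
    result = []
    for q in qnames:
        base = None
        for sd in search_domains:
            suffix = "." + sd.rstrip(".")
            if q.endswith(suffix):
                base = q[: -len(suffix)]
                break
        result.append((q, base))
    return result


# Constructed: what a client with search list corp.example, lab.example sends
# when the user types the short name "odserver" instead of the FQDN.
SEARCH_DOMAINS = ["corp.example", "lab.example"]
SAMPLE_QUERIES = [
    build_dns_query("odserver.corp.example", 0x0001),
    build_dns_query("odserver.lab.example", 0x0002),
    build_dns_query("odserver", 0x0003),
]

if __name__ == "__main__":
    for name, short in search_domain_expansions(sent_names(SAMPLE_QUERIES), SEARCH_DOMAINS):
        print(name, "(search-list expansion of %s)" % short if short else "(sent as typed)")
```

Only the outbound question is decoded here; the answers that `port 53` also captures are where you would then check whether the first expansion resolved to the server you expected.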
Next filter…
port 88 and host 192.168.1.15
We know our KDC resides at 192.168.1.15, and Kerberos runs on port 88 by default. The granting of tickets should only yield 4 packets; if you’re seeing more than that, perhaps the wrong password is being sent. We added the host IP address to make sure that we are actually seeing the right server. Additionally, by looking through the packets we can make sure the Kerberos realm (DOMAIN) is being sent correctly.
One other really nice feature of Wireshark is that you can apply these same filters to all the data already captured (whether it’s still in /tmp or in a pcap file).
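The two filters above combine `port` and `host` primitives, and it is easy to forget that both match in either direction: `port 88` keeps the replies from the KDC as well as the requests to it, which is why a clean ticket exchange shows four packets rather than two. The added example below (not from the original post or from Wireshark or tcpdump) is a small evaluator for just the libpcap filter subset this page uses (`[src|dst] host`, `[src|dst] port`, `and`, `or`, `not`, parentheses) run over constructed packet summaries; the client address 192.168.1.50, the resolver 192.168.1.1 and the port numbers are made up for the example, and the KDC address 192.168.1.15 is the one from the text.

```python
def _tokenize(expr):
    return expr.replace("(", " ( ").replace(")", " ) ").split()


def compile_filter(expr):
    """Compile a filter such as 'port 88 and host 192.168.1.15' into a predicate
    over packet dicts with keys src, dst, sport, dport. Precedence follows
    libpcap: not binds tightest, then and, then or."""
    tokens = _tokenize(expr)
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("unexpected end of filter")
        tok = tokens[pos]
        pos += 1
        return tok

    def parse_or():
        left = parse_and()
        while peek() == "or":
            take()
            left = (lambda l, r: lambda p: l(p) or r(p))(left, parse_and())
        return left

    def parse_and():
        left = parse_not()
        while peek() == "and":
            take()
            left = (lambda l, r: lambda p: l(p) and r(p))(left, parse_not())
        return left

    def parse_not():
        if peek() == "not":
            take()
            inner = parse_not()
            return lambda p: not inner(p)
        return parse_primary()

    def parse_primary():
        if peek() == "(":
            take()
            inner = parse_or()
            if take() != ")":
                raise ValueError("unbalanced parentheses")
            return inner
        direction = take() if peek() in ("src", "dst") else None
        kind = take()
        value = take()
        if kind == "host":
            keys = {"src": ("src",), "dst": ("dst",), None: ("src", "dst")}[direction]
            return lambda p: any(p[k] == value for k in keys)
        if kind == "port":
            port = int(value)
            keys = {"src": ("sport",), "dst": ("dport",), None: ("sport", "dport")}[direction]
            return lambda p: any(p[k] == port for k in keys)
        raise ValueError("unsupported primitive: %s" % kind)

    pred = parse_or()
    if pos != len(tokens):
        raise ValueError("trailing tokens: %s" % " ".join(tokens[pos:]))
    return pred


def apply_filter(packets, expr):
    """Return the packets the filter would keep, like tcpdump's output."""
    pred = compile_filter(expr)
    return [p for p in packets if pred(p)]


def kerberos_packet_count(packets, kdc_ip):
    """Count what the page's second filter keeps. A clean AS-REQ/AS-REP/
    TGS-REQ/TGS-REP exchange is four packets; more suggests retries."""
    return len(apply_filter(packets, "port 88 and host %s" % kdc_ip))


def pkt(src, sport, dst, dport, note):
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "note": note}


# Constructed packet summaries for a login that works (not captured traffic).
KDC = "192.168.1.15"
CLIENT = "192.168.1.50"
LOGIN_OK = [
    pkt(CLIENT, 52001, "192.168.1.1", 53, "DNS query for the KDC name"),
    pkt("192.168.1.1", 53, CLIENT, 52001, "DNS answer"),
    pkt(CLIENT, 52002, KDC, 88, "AS-REQ"),
    pkt(KDC, 88, CLIENT, 52002, "AS-REP"),
    pkt(CLIENT, 52003, KDC, 88, "TGS-REQ"),
    pkt(KDC, 88, CLIENT, 52003, "TGS-REP"),
    pkt(CLIENT, 52004, KDC, 389, "LDAP bind"),
]
# Constructed: the same login after one failed AS exchange and a retry.
LOGIN_RETRY = LOGIN_OK[:2] + [
    pkt(CLIENT, 52002, KDC, 88, "AS-REQ"),
    pkt(KDC, 88, CLIENT, 52002, "KRB-ERROR"),
] + LOGIN_OK[2:]

if __name__ == "__main__":
    for p in apply_filter(LOGIN_OK, "port 88 and host %s" % KDC):
        print("%s:%d -> %s:%d  %s" % (p["src"], p["sport"], p["dst"], p["dport"], p["note"]))
    print("kerberos packets, clean login:", kerberos_packet_count(LOGIN_OK, KDC))
    print("kerberos packets, with retry:", kerberos_packet_count(LOGIN_RETRY, KDC))
```

The same expression replays unchanged against a saved file with `tcpdump -r capture.pcap 'port 88 and host 192.168.1.15'`, and Wireshark accepts it as a capture filter. Wireshark’s display filter bar, however, uses its own syntax, so the equivalent there is `ip.addr == 192.168.1.15 && (udp.port == 88 || tcp.port == 88)`.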