Wireshark is a packet analyzer that can help you analyze network problems and detect network intrusion attempts and network misuse. It can be downloaded free on Wireshark’s website.

 

When there is an issue with Web Defense, our engineering team may request a packet capture to use in troubleshooting. If you want to troubleshoot issues such as a slow network or application, looking at HTTP traffic is simple. Wireshark allows you set up a capture filter that looks at TCP traffic on a particular port such as 80 or for SSL, 443.  Try " tcp port 80 and host xxx.xxx.xxx.xxx" as a filter to only capture packets on port 80 on a particular host.

You can use a display filter to further reduce the results to see errors and transactions for http only. Try the display filter “http” or to find a specific error code you could try “http.response.code==503” for service unavailable errors or “http.response.code==404” for page not found errors.

Packet captures can also be beneficial in troubleshooting issues with spam generating from your network. Again, Wireshark cannot capture only SMTP traffic, but a capture filter can be set up to capture TCP traffic only from a particular port such as 25. You should be able to determine which host, externally or internally is generating unusual amounts of traffic using these results.

You can also further filter the results by FROM or RCPT to attempt to narrow down a sender  or recipient. Try the filter “smtp.req.parameter contains “from”” to see sending addresses.

If you’re ready to get started with Wireshark, check out the Wireshark Wiki, the wiki includes examples of capture and display filters as well as a wealth of sample captures to try your filters on.