Overview
There are times when you may be asked by Cisco's Support staff for a packet capture of Internet traffic flowing between your computer and the network. The capture allows Umbrella support to analyse the traffic at a low level and identify potential problems.
In most cases it is useful to compare two sets of packet captures demonstrating both a working and non-working scenario.
- Ensure you can replicate the problem and follow these steps whilst the issue is occurring. Generate a packet capture showing the non-working scenario. Please note down the date and time, including the timezone, so that this information may be correlated with other data.
- If possible, repeat these instructions with Umbrella software (and/or Umbrella DNS forwarding) disabled. Generate a packet capture showing the working scenario. Please note down the date and time, including the timezone, so that this information may be correlated with other data.
Wireshark Instructions
Preparations
- Download wireshark - https://www.wireshark.org/download.html
- Disconnect any unnecessary network connections.
- Disconnect VPN connections unless they are required to replicate the problem
- Use only wired or wireless connection and not both together.
- Close any other software that is not required to replicate the problem.
- Clear the Cookies and Cache from your browser.
- Flush your DNS Cache. On Windows this is done with the command: ipconfig /flushdns
Basic Wireshark Capture
- Launch Wireshark
- The 'Capture' panel shows your network interfaces. Select the relevant interfaces. Multiple interfaces can be selected by holding the CTRL key (Windows) or CMD key (Mac) whilst clicking.
Alert:
It is important to select the correct interface(s) that will contain network traffic. Use the ipconfig command (Windows) or ifconfig command (Mac) to view more details about your network interfaces.
Roaming Client users must additionally select the 'NPCAP Loopback Adapter' OR 'Loopback: lo0' interfaces.
If in doubt, select all interfaces.
- Ensure that "Use captured DNS packet data for address resolution" and "Use an external network name resolver" are NOT selected, so that Wireshark does not make its own DNS queries; these can complicate the capture and affect AnyConnect. Settings are valid as of Wireshark 3.4.9.
- Select Capture > Start or click on the Blue start icon
- Leaving Wireshark running in the background, replicate the problem
- Once the issue has been fully replicated, select Capture > Stop or use the Red stop icon
- Lastly, navigate to File > Save As and select a place to save the file. Ensure the file is saved as a PCAPNG type. The saved file can be submitted to Cisco Umbrella support for review
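The same capture can be taken from the command line with tshark, which ships with Wireshark. This is an added example and not part of the original Cisco instructions; it assumes the default Wireshark install path, an interface named 'Wi-Fi' and the 'NPCAP Loopback Adapter' name from this page (adjust both from the `-D` listing), and it builds the timestamped filename so the capture time and timezone are recorded as the steps above require.

```powershell
# Assumed default install location of Wireshark's command-line capture tool
$tshark = 'C:\Program Files\Wireshark\tshark.exe'

# List interfaces with their index and name; pick the ones carrying your traffic
& $tshark -D

function Start-UmbrellaCapture {
    param(
        # Interface names/indices from `tshark -D`; assumed values from this page
        [string[]]$Interfaces = @('Wi-Fi', 'NPCAP Loopback Adapter'),
        # Stop automatically after this many seconds (0 = run until Ctrl-C)
        [int]$DurationSeconds = 0,
        [string]$OutputDir = (Get-Location).Path
    )
    # Filename carries local time plus UTC offset, e.g. 2024-01-31T14-05-09+0100
    $stamp = (Get-Date).ToString('yyyy-MM-ddTHH-mm-sszzz').Replace(':', '')
    $file  = Join-Path $OutputDir "umbrella-capture-$stamp.pcapng"

    # -i may be repeated to capture several interfaces at once (loopback included
    # for Roaming Client users); -n disables all name resolution so tshark itself
    # never sends DNS queries; -F pcapng matches the format support asks for
    $args = @()
    foreach ($i in $Interfaces) { $args += @('-i', $i) }
    $args += @('-n', '-F', 'pcapng', '-w', $file)
    if ($DurationSeconds -gt 0) { $args += @('-a', "duration:$DurationSeconds") }

    Write-Host "Capturing to $file (Ctrl-C to stop). Reproduce the problem now."
    & $tshark @args
    return $file
}

# Capture on both interfaces for five minutes while the problem is reproduced
$capture = Start-UmbrellaCapture -DurationSeconds 300
Write-Host "Submit $capture to Umbrella support"
```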
Roaming Client - Additional Steps
There are additional steps that must be followed for both standalone Roaming Client and AnyConnect Roaming Module users:
Loopback Traffic
When selecting an interface we must also capture traffic on the loopback interface (127.0.0.1) in addition to other network interfaces. The Roaming Clients' DNS proxy listens on this interface so it is vital to see traffic going between the operating system and the Roaming Client.
- Windows - Select 'NPCAP Loopback Adapter'
- Mac - Select 'Loopback: lo0'
Alert:
Newer Windows versions of Wireshark ship with the NPCAP capture driver, which supports capturing on the loopback adapter. If the loopback adapter is missing, update to the latest version of Wireshark or use the RawCap.exe instructions below.
Encrypted DNS Traffic
In normal circumstances the traffic between the Roaming Client and Umbrella is encrypted and not human readable. In some cases Umbrella support may request that you disable DNS encryption so that the DNS traffic between the Roaming Client and the Umbrella cloud can be seen. There are two methods to do this. The first is to create a local firewall rule blocking outbound UDP 443 to 208.67.220.220 and 208.67.222.222. Alternatively, create the following file, depending on your OS and version of the roaming client:
- Windows - C:\ProgramData\OpenDNS\ERC\force_transparent.flag
- Windows AnyConnect - C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Umbrella\data\force_transparent.flag
- Windows SecureClient - C:\ProgramData\Cisco\Cisco Secure Client\Umbrella\data\force_transparent.flag
- macOS - /Library/Application Support/OpenDNS Roaming Client/force_transparent.flag
- macOS AnyConnect - /opt/cisco/anyconnect/umbrella/data/force_transparent.flag
- macOS SecureClient - /opt/cisco/secureclient/umbrella/data/force_transparent.flag
After doing this restart the service or your computer.
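Both methods on Windows, scripted for an elevated PowerShell session. This is an added example, not Cisco's own tooling: the firewall rule uses the two resolver addresses and port from this page, the flag file is created only in whichever client directory already exists (an assumption about how to pick the right path), and the service name is a placeholder because the page does not give it.

```powershell
# Method 1: block the encrypted DNS channel (UDP 443) to the Umbrella resolvers
# named on this page, so the client falls back to plain DNS that Wireshark can read.
$ruleName = 'Umbrella support - block encrypted DNS (temporary)'
New-NetFirewallRule -DisplayName $ruleName -Direction Outbound -Protocol UDP `
    -RemotePort 443 -RemoteAddress @('208.67.220.220', '208.67.222.222') `
    -Action Block | Out-Null
# Undo once the capture is finished:
#   Remove-NetFirewallRule -DisplayName $ruleName

# Method 2: drop force_transparent.flag into the data folder of the installed client.
# Paths are the three Windows locations listed above; only an existing folder is used.
$flagPaths = @(
    'C:\ProgramData\OpenDNS\ERC\force_transparent.flag',
    'C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Umbrella\data\force_transparent.flag',
    'C:\ProgramData\Cisco\Cisco Secure Client\Umbrella\data\force_transparent.flag'
)
$created = @()
foreach ($flag in $flagPaths) {
    $dir = Split-Path -Path $flag -Parent
    if (Test-Path -Path $dir -PathType Container) {
        New-Item -ItemType File -Path $flag -Force | Out-Null
        $created += $flag
    }
}
if ($created.Count -eq 0) {
    Write-Warning 'No Roaming Client / AnyConnect / Secure Client data folder found.'
} else {
    $created | ForEach-Object { Write-Host "Created $_" }
}

# The page says to restart the service or the computer afterwards. The service
# name is not given there, so replace the placeholder (or use Restart-Computer).
# Restart-Service -Name '<umbrella-roaming-client-service>' -Force

# Verification after restart: in Wireshark, display filter `dns` on the loopback
# and network interfaces should now show readable queries to 208.67.220.220/222.
# Remove the flag files with Remove-Item once support has the capture.
```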
Alert:
Newer versions of Wireshark on Windows include the NPCAP capture driver, which does not support the Umbrella VPN interface. On Windows you may need to use the RawCap.exe tool as an alternative.
DNSQuerySniffer - Windows Alternative
This is a lightweight and easy-to-use tool. A major advantage is that you can start sniffing while the Roaming Client service is disabled, then start the service and see every DNS query the Roaming Client sends from the moment it starts, rather than starting a capture after the Roaming Client is already running.
There are two capture methods:
1. If you select the regular network interface, you will see only queries that are on the Internal Domains list, or that did not specifically go through the dnscryptproxy.
[Screenshot: DNSQuerySniffer capture on the regular network interface. The relevant columns appear far to the right and you will have to scroll across.]
2. If you select the Loopback interface, you will see all DNS queries that are sent through the dnscryptproxy, but you will not see the true destination IP address for domains on the Internal Domains list; it will, however, display the query and answer.
[Screenshot: DNSQuerySniffer capture on the Loopback interface. The relevant columns appear far to the right and you will have to scroll across.]
The results look like this:
[Screenshot: view of an individual lookup]
RawCap.exe - Windows Alternative
In some circumstances the interface you need to work with is not supported by the packet capture driver included with Wireshark. This can be a problem for the loopback interface.
In these instances we can use RawCap.exe:
- Follow the steps above to use Wireshark to capture normal traffic
- At the same time, run RawCap.exe
- Select the interface by specifying the corresponding list number
- Specify an output filename; the capture then starts
- Press Control-C when you want to stop the capture.
The saved file is placed in the folder from which you ran RawCap.exe