Summary #
The Wireshark Packet Capture feature in SecureSchool lets you capture traffic on the inside (private) interface of the appliance, much as you would with Wireshark on a Windows computer. Behind the web interface, SecureSchool runs a program called tshark (the command-line version of Wireshark); it captures for 60 seconds and then shows you the results. Which packets are captured is controlled by a “filter expression”, a capture filter in the same syntax tcpdump uses. The filter language is very specific, and you can craft elaborate and precise expressions to see exactly the traffic you want.
More Information #
Most of the time you need to do a packet capture, you are trying to watch one specific computer and/or one specific port. You describe what you are looking for using building blocks called “primitives”. There are many, many available to you, but the most commonly used primitives are:
- host [address] : will match either the source or destination address
- port [number] : will match either the source or destination port
- src port [number] : will match just the source port
- dst port [number] : will match just the destination port
- net [network/prefix] : will match either the source or destination address against a network written in CIDR notation, for example 192.168.100.0/24
- tcp : will match only tcp packets
- udp : will match only udp packets
- icmp : will match only icmp packets
So, for example, to see all traffic to or from 192.168.100.50, you would use the filter:
host 192.168.100.50
You can also specify multiple primitives, joining them with the operators “not”, “and”, and “or”. So if you wanted to watch both 192.168.100.50 and 192.168.100.51, you would use the filter:
host 192.168.100.50 or host 192.168.100.51
You use the “or” operator because a single packet will have an address of either 192.168.100.50 OR 192.168.100.51, not both. If you joined them with “and” instead, the filter would only match packets sent directly between those two computers.
Most of the time you use the packet capture tool, you will be trying to find traffic that comes from one particular workstation and is reaching a server on the Internet without going through the proxy. So to see what 192.168.100.50 is doing, ignoring its traffic to the appliance itself (192.168.100.253), you would use the filter:
host 192.168.100.50 and not host 192.168.100.253
For troubleshooting a specific program or server process (for example, a web server on your network that has an inbound port forward), you want to watch a specific port. If the web server is at 192.168.100.1, your filter would be:
host 192.168.100.1 and port 80
While doing that test (provided your port forward is set up correctly), you may see traffic from people on the Internet, and also from people on your LAN whose browsers are not set to bypass the proxy for local addresses (bypassing the proxy for local addresses is a very good thing to do). LAN requests that do go through the proxy reach the web server from the appliance's own address, so to exclude the traffic going through SecureSchool, you would use something like:
host 192.168.100.1 and port 80 and not host 192.168.100.253
If you wanted to see all ICMP traffic to or from your web server, you would use:
host 192.168.100.1 and icmp
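To make the behaviour of the primitives and operators concrete, here is a small evaluator that applies filter expressions like the ones above to a handful of constructed sample packets. This is an added example, not SecureSchool's or tshark's code: it supports only the primitives listed on this page (host, port, src port, dst port, net, tcp, udp, icmp) joined with not / and / or, and it deliberately mirrors one rule of real capture filters that catches people out: “not” binds tightest, but “and” and “or” have equal precedence and group left to right, so “port 80 and host A or host B” means “(port 80 and host A) or host B”. The packets, the proxy port 8080 and the outside addresses are assumptions made up for the example.

```python
"""Toy evaluator for the capture-filter primitives described on this page.
Added example, not SecureSchool or tshark code. Only host, port, src/dst port,
net, tcp, udp and icmp are supported, joined with not / and / or. Precedence
follows real pcap capture filters: "not" binds tightest; "and" and "or" share
ONE precedence level and group left to right. Sample packets are constructed."""
import ipaddress
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0      # left 0 for icmp, which has no ports
    dport: int = 0

APPLIANCE = "192.168.100.253"  # inside address of the appliance, as used on this page

# Constructed sample traffic, not captured data. Proxy port 8080 is an assumption.
SAMPLE = [
    Packet("tcp", "192.168.100.50", APPLIANCE, 51000, 8080),       # 0 workstation -> proxy
    Packet("tcp", "192.168.100.50", "93.184.216.34", 51001, 443),  # 1 workstation direct to Internet
    Packet("tcp", "192.168.100.51", "192.168.100.1", 51002, 80),   # 2 LAN client -> web server
    Packet("tcp", "203.0.113.7", "192.168.100.1", 40000, 80),      # 3 Internet client via port forward
    Packet("tcp", APPLIANCE, "192.168.100.1", 52000, 80),          # 4 request relayed by the proxy
    Packet("icmp", "192.168.100.1", "192.168.100.50"),             # 5 ping reply from the web server
    Packet("udp", "192.168.100.50", "192.168.100.10", 53001, 53),  # 6 DNS lookup
]

def parse(expr):
    """Parse a filter expression into a small tuple-based syntax tree."""
    toks = re.findall(r"\(|\)|[^\s()]+", expr)

    def take():
        if not toks:
            raise ValueError("filter ended unexpectedly")
        return toks.pop(0)

    def expr_():
        # "and" and "or" share one precedence level and group left to right:
        # "a and b or c" is "(a and b) or c", "a or b and c" is "(a or b) and c".
        left = term()
        while toks and toks[0] in ("and", "or"):
            left = (take(), left, term())
        return left

    def term():
        tok = take()
        if tok == "not":
            return ("not", term())
        if tok == "(":
            inner = expr_()
            if take() != ")":
                raise ValueError("missing closing parenthesis")
            return inner
        if tok in ("tcp", "udp", "icmp"):
            return ("proto", tok)
        if tok == "host":
            return ("host", ipaddress.ip_address(take()))
        if tok == "net":
            return ("net", ipaddress.ip_network(take(), strict=False))
        if tok == "port":
            return ("port", int(take()))
        if tok in ("src", "dst") and toks[:1] == ["port"]:
            take()
            return (tok + "port", int(take()))
        raise ValueError(f"unsupported primitive {tok!r}")  # e.g. "ether": no MAC support here

    tree = expr_()
    if toks:
        raise ValueError(f"unexpected token {toks[0]!r}")
    return tree

def matches(node, pkt):
    kind = node[0]
    if kind == "or":
        return matches(node[1], pkt) or matches(node[2], pkt)
    if kind == "and":
        return matches(node[1], pkt) and matches(node[2], pkt)
    if kind == "not":
        return not matches(node[1], pkt)
    if kind == "proto":
        return pkt.proto == node[1]
    addrs = (ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst))
    if kind == "host":
        return node[1] in addrs                 # source or destination, either direction
    if kind == "net":
        return any(a in node[1] for a in addrs)
    has_ports = pkt.proto in ("tcp", "udp")     # icmp never matches a port primitive
    if kind == "port":
        return has_ports and node[1] in (pkt.sport, pkt.dport)
    if kind == "srcport":
        return has_ports and pkt.sport == node[1]
    return has_ports and pkt.dport == node[1]   # "dstport"

def filter_packets(expr, packets=SAMPLE):
    """Indices of the packets in `packets` that the filter expression would capture."""
    tree = parse(expr)
    return [i for i, pkt in enumerate(packets) if matches(tree, pkt)]
```

Calling filter_packets("host 192.168.100.50 and not host 192.168.100.253") on the sample set keeps the direct-to-Internet connection, the ping reply and the DNS lookup but drops the connection to the proxy, which is exactly the “bypassing the proxy” view described above; filter_packets("host 192.168.100.1 and port 80 and not host 192.168.100.253") keeps the LAN and Internet clients of the web server but drops the request relayed by the appliance. On a machine where tshark is installed, the appliance's 60-second capture corresponds to a command of the form (interface name is an assumption):
tshark -i eth1 -a duration:60 -f "host 192.168.100.50 and not host 192.168.100.253"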
There are many, many more ways you can filter packets using the Packet Capture tool. Any packet SecureSchool sees on its inside interface passes through the tool, so the filter expression is the only limit on what you can watch. In the references section, there is a link to a page describing how to build filter expressions. However, some filter expressions will not work the way you expect. For example, filtering on a workstation's MAC address will not work when there is a router between that computer and SecureSchool, because the appliance then sees the router's MAC address as the source, not the workstation's. So some care and thought must go into building the filter expression.
