Using Wireshark

Overview

This article provides basic information for using Wireshark and some useful filters.

Starting Wireshark

Download and install Wireshark from https://www.wireshark.org/download.html. Once installed, double-click the application icon to start it. Select the interface that will be used to collect traffic. In the following image, Ethernet is selected.

Example Filters

In the following image, note the packets from multiple IP addresses. Filtering the packets gives troubleshooting a sharper focus. The following sections illustrate some useful filters.

Note: All IP addresses in the examples are from a lab environment.

Protocol filter

In the following example, typing "TCP" into the filter displays TCP-only traffic. Use "!TCP" to filter out TCP traffic instead.

IP filter

The following example includes traffic only from IP addresses 10.127.242.60 and 10.127.212.70.

Other useful filters

More useful filters can be found under Capture > Capture filters, as seen in the following image. Capture filters use a different syntax from the display filters shown above, and they restrict what is recorded rather than what is displayed. Filters can also be combined, as seen in the previous image.

Failed connection

The following screenshot shows packets from a failed telnet attempt to 10.127.212.70 on port 55. Note the connection resets shown in red and the retransmissions shown in black.

Coloring Rules

Coloring rules settings are found under View > Coloring rules.

Example Use Case [Discovery]

When trying to discover a Windows server, an error such as "The RPC server is unavailable" might be returned. To troubleshoot such an error, you can execute a PowerShell command against the target server to attempt to gather information while collecting traffic. The command simulates what discovery does. In this example, note that the information is retrieved successfully. This information is a required prerequisite for a discovery using WMI to succeed. The following image shows the Wireshark packet capture, with no errors, timeouts, or resets.
However, when attempting the same against a target server where the RPC error is returned, the following image shows the output that is returned. In Wireshark, the Kerberos errors, packet resets, and timeouts are displayed.

Note: These errors are not related to discovery itself but rather bring to light an environment issue. Troubleshooting, in this case, should be done by the Windows/network team managing the target server.

Investigation of the event logs on the target server revealed errors such as the following:

Log Name: System
Source: Microsoft-Windows-Security-Kerberos
Event ID: 4
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: computerName.domain
Description:
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server serverName. The target name used was domain/serverName. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (DOMAIN.COM) is different from the client domain (DOMAIN.COM), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

Further investigation showed that the DNS name for the IP address did not match the target server. Therefore, Kerberos could not authenticate. Once the DNS team corrected the name/IP mismatch, the error was resolved.

Additional Information

For more in-depth information about how to use Wireshark, see the Wireshark User's Guide.
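As an added example for the discovery use case above (not part of the original article), the following script, written for Windows PowerShell 5.1, checks the forward/reverse DNS consistency of the target and then runs the kind of WMI query a discovery performs, so that a failure can be lined up with the capture. The target name is a placeholder, and Resolve-DnsName and Get-WmiObject are assumed to be available on the host running it.

```powershell
# Added example, not from the original article. Checks the two prerequisites the
# use case above came down to: DNS name/IP consistency for the target, and a WMI
# query like the one discovery performs. $Target is a placeholder FQDN.
param([string]$Target = 'serverName.domain.example')

# 1. Forward lookup: the name discovery targets -> its A record(s).
$aRecords = Resolve-DnsName -Name $Target -Type A -ErrorAction Stop |
    Where-Object { $_.QueryType -eq 'A' }

foreach ($rec in $aRecords) {
    # 2. Reverse lookup for each address. The service ticket is encrypted for the
    #    account behind $Target's SPN; if the IP really belongs to another host,
    #    that host cannot decrypt it and the client logs KRB_AP_ERR_MODIFIED.
    $ptr = Resolve-DnsName -Name $rec.IPAddress -Type PTR -ErrorAction SilentlyContinue |
        Where-Object { $_.QueryType -eq 'PTR' } | Select-Object -First 1
    if ($ptr -and ($ptr.NameHost.TrimEnd('.') -ieq $Target.TrimEnd('.'))) {
        Write-Output  "OK       $Target -> $($rec.IPAddress) -> $($ptr.NameHost)"
    } elseif ($ptr) {
        Write-Warning "MISMATCH $Target -> $($rec.IPAddress) -> $($ptr.NameHost)"
    } else {
        Write-Warning "NO PTR   $Target -> $($rec.IPAddress)"
    }
}

# 3. WMI over DCOM/RPC, the same path a WMI-based discovery uses. Success means
#    the RPC and Kerberos prerequisites hold; a failure here is what to correlate
#    with the resets, retransmissions and Kerberos errors in the Wireshark capture.
try {
    $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $Target -ErrorAction Stop
    Write-Output  "WMI OK   $($os.CSName): $($os.Caption) build $($os.BuildNumber)"
} catch {
    Write-Warning "WMI FAIL ${Target}: $($_.Exception.Message)"
}
```

A PTR mismatch is a lead rather than proof, since CNAME aliases and shared addresses also produce one; confirm it against the capture and the event log before handing it to the DNS team.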