Today on HakTip, Shannon explains how to fix a network or connection problem based on the information you receive from Wireshark.
How to tell if a website is down via Wireshark: This is a pretty common problem, and sometimes the issue can be within your network, sometimes outside it. If several people are having the same issue, it's either because the website is down, or your network is messed up.
In my case, I want to visit threatwire.com (which I know is currently down). Each time I try, I'm sent back an error saying the site isn't available. If I try to find it in Wireshark, it's tough to tell. Do a cmd ping of threatwire.com and you should see a bunch of requests timed out, but you'll also see the IP address of the site. So let's search for that IP address in Wireshark, we see that I have 4 ping requests for the IP address. If I searched for it in the browser, I'd get a bunch of synchronize packets, but no answer, so it keeps trying to retransmit up to three times.
If we take a closer look at the info dialogue, the ping requests all say "no response found" while the TCP packets just say 'retransmission'.
If we look at other packets in this capture for other sites and within my network, we can prove that the problem only occurs when trying to visit this one site, not the entire network.
What else can we figure out? I've run into a problem where I couldn't access the internet but all my coworkers could. We used a single router and IP addresses came from DHCP. By using Wireshark I was able to determine that the problem was with DNS. I was able to reach my router and my computer had no problem connecting to it, but couldn't figure out the DNS request. Everyone else could log onto the net, so it must've been my computer. We were able to find the problem was because I had to manually set my default gateway address instead of letting it be DHCP-assigned. Switched it back, and it worked!
What if you can access the net but keep getting a 'can't display webpage' error in your browser? If you're on a small network, and pull up Wireshark, this would show you sending the site a TCP packet, but getting an RST error back (reset packet). That packet terminates the communication, and after a few seconds the browser gives you an error. If you're able to send a TCP packet through your router to the net but have trouble sending a DNS query, it could be because the host file for your device already has the DNS mapped to that IP or because it's mapped in the DNS cache. Check your computers host file for the easiest solution, and remove the DNS mapping if it's in there.
By checking Wireshark and understanding the packets, you can fix problems faster for your network. There are a ton of other problems that can occur when trying to establish a connection to the outside would, so read up on some of them with all the resources available on the internets!
Let me know what you think. Send me a comment below or email us at firstname.lastname@example.org. And be sure to check out our sister show, Hak5 for more great stuff just like this. I'll be there, reminding you to trust your technolust.
Please watch: "Bash Bunny Primer - Hak5 2225"