Monday, 2 June 2014

Using Wireshark to define firewall rules

I had an application that I need allow through my local firewall but the documentation wasn't clear what ports I need to open. The normal method I used to finger print the application was the following method:

1) enable firewall logs
2) ask user to start application on the pc
3) check the firewall logs for "denied" traffic from this PC
4) add firewall rules to allow this traffic
5) repeat till there is no denied traffic

I found that wireshark has a very good built in toolto help identify the traffic. Here's how to use it.

1) On the PC which is running the application, install wireshark
2) Start wireshark and capture all local traffic
3) Start the application and close it as normal
4) Stop wireshark
5) Add a filter to match for traffic to the destination "ip.dst=="

6) Now click on Statistics -> Endpoint, ensure that the "limit to display filter" tick box is turned on
7) Click address (to sort by address)

You can then use the tabs to gather the information required for your firewall rules. In my case I already know the destination ip address and clicking TCP showed me that I need to allow the following ports:

TCP 443
TCP 8143
TCP 8443
TCP 80

No comments:

Post a Comment