Using Wireshark to define firewall rules

I had an application that I needed to allow through my local firewall, but the documentation wasn't clear about which ports I needed to open. The normal method I used to fingerprint the application was the following:

1) Enable firewall logging
2) Ask the user to start the application on the PC
3) Check the firewall logs for "denied" traffic from this PC
4) Add firewall rules to allow this traffic
5) Repeat until there is no denied traffic

I found that Wireshark has a very good built-in tool to help identify the traffic. Here's how to use it.

1) On the PC which is running the application, install Wireshark
2) Start Wireshark and capture all local traffic
3) Start the application, use it, and close it as normal
4) Stop the Wireshark capture
5) Add a display filter to match traffic to the destination, e.g. "ip.dst==10.202.13.63"

6) Now click Statistics -> Endpoints and ensure that the "Limit to display filter" tick box is ticked
7) Click Address (to sort by address)


You can then use the tabs in the Endpoints window to gather the information required for your firewall rules. In my case I already knew the destination IP address, and clicking the TCP tab showed me that I needed to allow the following destination ports:

TCP 443
TCP 8143
TCP 8443
TCP 80
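The same "filter on destination, then list the endpoints" step can be done on the capture from the command line, which is handy when the capture was taken on a headless box. The script below is an added example, not part of the original post: it assumes a tshark field export (no display filter applied, so the script does the ip.dst filtering itself), a constructed sample with a made-up client address 10.202.13.10 and the destination from the post, and a generic "allow proto from src to dst port N" rule format that you would translate into your firewall's syntax.

```python
"""Derive allow-rules from a tshark field export, mirroring Wireshark's
Statistics -> Endpoints view with "Limit to display filter" ticked."""
from collections import defaultdict

# Constructed sample in the shape produced by:
#   tshark -r app.pcapng -T fields -e ip.src -e ip.dst \
#          -e tcp.dstport -e udp.dstport -E separator=,
# One line per packet; whichever port field does not apply is left empty.
SAMPLE_EXPORT = """\
10.202.13.10,10.202.13.63,443,
10.202.13.10,10.202.13.63,443,
10.202.13.10,10.202.13.63,8143,
10.202.13.10,10.202.13.63,80,
10.202.13.10,10.202.13.63,8443,
10.202.13.10,10.202.13.63,,53
10.202.13.10,10.1.1.1,,53
"""


def endpoint_ports(export, dst_ip):
    """Return {(proto, port): packet_count} for packets sent to dst_ip.

    This is the per-endpoint view Wireshark shows once the ip.dst== display
    filter is applied; packets to any other destination are ignored."""
    counts = defaultdict(int)
    for line in export.splitlines():
        if not line.strip():
            continue
        src, dst, tcp_port, udp_port = line.split(",")
        if dst != dst_ip:
            continue  # equivalent of the ip.dst== display filter
        if tcp_port:
            counts[("tcp", int(tcp_port))] += 1
        elif udp_port:
            counts[("udp", int(udp_port))] += 1
    return dict(counts)


def firewall_rules(export, src_ip, dst_ip):
    """One allow rule per observed (proto, destination port), sorted so the
    list is stable and easy to diff against the previous capture."""
    ports = endpoint_ports(export, dst_ip)
    return [f"allow {proto} from {src_ip} to {dst_ip} port {port}"
            for (proto, port) in sorted(ports)]


if __name__ == "__main__":
    for rule in firewall_rules(SAMPLE_EXPORT, "10.202.13.10", "10.202.13.63"):
        print(rule)
```

Run the application through every workflow it has (login, update check, printing) before trusting the list; a port that is only used occasionally is the usual reason the denied-traffic loop in the first method takes several rounds.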
