Hi, I am having problems with my antivirus on one of my servers. The tech support of the company has asked me to take a capture using Wireshark while the antivirus is trying to update. I am however finding a problem with this. For obvious reasons I do not want to send them a full scan of my network... so I was hoping that if I run Wireshark off my Windows 7 workstation and apply a filter to Wireshark so it only gathers packets from the server's IP address, then on the server set the antivirus to update, will this collect the information?
If I do this when I'm RDC'd into the server it only records packets between me and the server, not the server and Sophos. I am sure this is a problem with the filter I am applying in Wireshark, which is "host XX.X.X.X".
I don't suppose anyone is experienced with Wireshark that would be able to shed any light on where I am going wrong.
Thanks in advance
asked 02 Mar '11, 06:26
I understand from your question that the anti-virus software is not downloading updates. For obvious reasons you don't want to send them a full trace of every juicy packet going through your server.
The filter host x.x.x.x would be a capture filter and limit recorded traffic to the specified IP address.
My personal approach to these situations is capture everything, then apply display filters until only the relevant packets are on the screen. In most cases when sending a trace file to tech support 30 frames or fewer easily do the job. The proper display filter would be ip.addr == x.x.x.x where x.x.x.x is the IP address for the update server.
As far as your update is concerned a few points to look out for:
Hint: run ipconfig /flushdns on the command line before starting your test run. If you don't see a DNS request check your hosts file for bogus entries.
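As an added example (not part of the answer above, and not Wireshark's own code), here is the "capture everything, then trim with ip.addr == x.x.x.x" step done offline in Python over a plain pcap file: it keeps only frames where the update server is source or destination, so the file handed to tech support contains nothing else. The IP addresses are constructed placeholders, and the pcap is built in-process so it runs without a live capture.

```python
import struct
import ipaddress

PCAP_MAGIC = 0xA1B2C3D4  # little-endian pcap, microsecond timestamps

def build_pcap(frames):
    """Wrap raw Ethernet frames in a pcap container (link type 1 = Ethernet)."""
    header = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    records = [struct.pack("<IIII", 1300000000 + i, 0, len(f), len(f)) + f
               for i, f in enumerate(frames)]
    return header + b"".join(records)

def ipv4_frame(src, dst, payload=b""):
    """Constructed Ethernet/IPv4 frame with a minimal 20-byte IP header (checksum left 0)."""
    eth = b"\x00" * 12 + b"\x08\x00"                      # dst MAC, src MAC, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return eth + ip + payload

def iter_frames(pcap):
    """Yield each captured frame from a little-endian pcap blob."""
    if struct.unpack("<I", pcap[:4])[0] != PCAP_MAGIC:
        raise ValueError("unsupported pcap magic")
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack("<IIII", pcap[off:off + 16])
        off += 16
        yield pcap[off:off + incl_len]
        off += incl_len

def matches_host(frame, host):
    """Same meaning as the display filter ip.addr == host: host is source OR destination."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # not IPv4, cannot match
        return False
    src = str(ipaddress.IPv4Address(frame[26:30]))
    dst = str(ipaddress.IPv4Address(frame[30:34]))
    return host in (src, dst)

def filter_pcap(pcap, host):
    """Return (trimmed pcap, kept frame count) containing only frames involving host."""
    kept = [f for f in iter_frames(pcap) if matches_host(f, host)]
    return build_pcap(kept), len(kept)

# Constructed sample: server talking to the update server, plus the RDP session noise.
SERVER, UPDATE_SERVER, WORKSTATION = "192.0.2.10", "198.51.100.5", "192.0.2.50"
SAMPLE_PCAP = build_pcap([
    ipv4_frame(WORKSTATION, SERVER, b"rdp"), ipv4_frame(SERVER, WORKSTATION, b"rdp"),
    ipv4_frame(SERVER, UPDATE_SERVER, b"GET /update"), ipv4_frame(UPDATE_SERVER, SERVER, b"200"),
])

if __name__ == "__main__":
    trimmed, count = filter_pcap(SAMPLE_PCAP, UPDATE_SERVER)
    open("for_support.pcap", "wb").write(trimmed)   # only the 2 update frames survive
```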