Capture network traffic for specific application

asked 2020-01-09 14:24:09 +0000

jlgarnier

Dear Community,

I'm new to Wireshark and trying to investigate an issue with an application which synchronizes with OneDrive. I'm therefore expecting the tool to capture all network traffic from/to this application to help the developer fix the issue.

Is this possible? If yes, how should I configure Wireshark to perform the capture?

Thanks in advance for any help!


1 Answer

answered 2020-01-12 07:01:48 +0000

cal_turney

updated 2020-01-12 07:48:26 +0000

OneDrive uses TCP ports 80 (HTTP) and 443 (HTTPS). The latter provides security by encrypting the data thus HTTPS captures are useless without the encryption key. Wireshark is able to decrypt data with the key.

While capture filters are very limited, they can at least filter an IP address and port. For client-side captures there is usually no need to configure a capture filter; however, they can be helpful in server-side captures in reducing or eliminating frames missing from the capture file due to excessive volume. The PC will receive all of the frames transmitted and received on the server's network interface, and they must be placed in the PC's input buffer before Wireshark can filter them. The PC stores the filtered data, and disk latency is the most common cause of missing frames because the rate at which data can be stored is usually far slower than the rate at which it can be buffered. If the PC is configured to encrypt data (e.g., due to company policy), latency is worse. Furthermore, we have seen frequent spikes in the incoming data rate cause as much as 99% data loss.

If the application issue is intermittent, Wireshark must be configured to store the packets received within a given time interval among a group of files in a round-robin fashion. A sufficient number of files must be specified for the person monitoring the issue to notice the failure and terminate the capture before any of the relevant capture files are overwritten. If it is not possible to reproduce the problem immediately or within a reasonable period, you may have to employ this method. If so and you need help, let us know.

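The answer above describes three pieces of a workable setup: a capture filter on the OneDrive ports (optionally narrowed to one peer address), a ring buffer of several files so an intermittent failure is still on disk when someone notices it, and enough files that the relevant data is not overwritten first. The script below is an added example, not part of the thread and not from the Wireshark project; it assembles the matching `dumpcap` command line (the same `-f`, `-b files:`, `-b duration:` and `-w` options that tshark accepts) and computes how long the ring retains traffic. The interface name `eth0`, the output path and the peer IP `203.0.113.10` are placeholders.

```shell
#!/bin/sh
# Added example (not from the original thread): build a dumpcap ring-buffer
# capture for the OneDrive ports named in the answer. Interface, file count,
# seconds per file, output path and peer IP are placeholders set by the caller.

# BPF capture filter limited to the two OneDrive ports. An optional peer IP
# narrows it further, which is about all a capture filter can do here; the
# TLS payload on port 443 stays opaque without the session keys.
onedrive_capture_filter() {
    if [ -n "$1" ]; then
        echo "host $1 and (tcp port 80 or tcp port 443)"
    else
        echo "tcp port 80 or tcp port 443"
    fi
}

# Seconds of traffic the ring buffer retains before the oldest file is
# overwritten: the window the observer has to stop the capture after a failure.
# Args: number of files, seconds per file.
ring_retention_seconds() {
    echo $(( $1 * $2 ))
}

# Build the dumpcap command line without running it.
# Args: interface, file count, seconds per file, output base path, optional peer IP.
# A ring buffer needs at least two files, so anything smaller is rejected.
build_capture_cmd() {
    if [ "$2" -lt 2 ]; then
        echo "ring buffer needs at least 2 files" >&2
        return 1
    fi
    printf 'dumpcap -i %s -f "%s" -b files:%s -b duration:%s -w %s\n' \
        "$1" "$(onedrive_capture_filter "$5")" "$2" "$3" "$4"
}

# Stand-alone usage: 6 files of 10 minutes each keeps the last hour of traffic.
build_capture_cmd eth0 6 600 /tmp/onedrive.pcapng
echo "ring retains $(ring_retention_seconds 6 600) seconds of traffic"
```

The same ring-buffer settings are available in the Wireshark GUI under Capture > Options > Output ("Create a new file automatically" after a time interval, and "Use a ring buffer with N files"). Pick the file count so that `files × duration` comfortably exceeds the time it takes the person watching the application to notice a failure and stop the capture.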

Seen: 9,948 times

Last updated: Jan 12 '20