0

How do I watch traffic to and from exactmetrics.com on my Mac. Newbie

asked 2020-07-04 12:11:55 +0000

RobertChalmers

Ok, complete newbie here. I'm running Wireshark, the latest, and the latest OSX (10.15.5), but can't get a grip of filters. I either see everything or nothing? I'm trying to see why my Mac is being denied a connection to exactmetircs.com by cURL. cURL error 28. Meaning it's either blocked or not resolving. But - I can't figure out how to tell Wireshark to see what's going on?

Could someone point me in the right direction please. Thanks


Comments

Before digging in with Wireshark, have you tried basic connectivity checks?

$ nslookup exactmetrics.com
Server:         192.168.200.1
Address:        192.168.200.1#53

Non-authoritative answer:
Name:   exactmetrics.com
Address: 34.107.243.79

$ ping -c 2 34.107.243.79
PING 34.107.243.79 (34.107.243.79) 56(84) bytes of data.
64 bytes from 34.107.243.79: icmp_seq=1 ttl=119 time=57.9 ms
64 bytes from 34.107.243.79: icmp_seq=2 ttl=119 time=57.6 ms

--- 34.107.243.79 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 57.621/57.735/57.850/0.114 ms

$ ping -c 2 exactmetrics.com
PING exactmetrics.com (34.107.243.79) 56(84) bytes of data.
64 bytes from 79.243.107.34.bc.googleusercontent.com (34.107.243.79): icmp_seq=1 ttl ...
Chuckc ( 2020-07-04 16:22:42 +0000 )
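The checks in the comment above stop at "the name resolves and the host answers ping", which does not say where a cURL error 28 (timeout) actually occurs. As an added example that is not part of this thread, the Python script below walks the three stages cURL goes through before it can send a request (name resolution, TCP connect, TLS handshake), times each one against a limit, and stops at the first stage that fails. The 2-second default mirrors the Site Health timeout mentioned later in the thread and is an assumption; `exactmetrics.com` is used only because it is the host under discussion.

```python
import socket
import ssl
import time


def _timed(fn):
    """Run fn() and return (result, elapsed_seconds)."""
    start = time.monotonic()
    result = fn()
    return result, time.monotonic() - start


def diagnose(host, port=443, timeout=2.0, tls=True):
    """Walk the stages cURL goes through before it can send a request and
    report which one stalls. Returns a list of (stage, status, detail)
    tuples, stopping at the first stage that fails.

    timeout defaults to 2.0 s, the limit quoted in the thread (assumption);
    pass whatever the calling application configures cURL with.
    """
    report = []

    # Stage 1: name resolution. A name that does not resolve fails here
    # (cURL reports that as error 6, not 28), so error 28 points further on.
    try:
        infos, secs = _timed(lambda: socket.getaddrinfo(
            host, port, socket.AF_UNSPEC, socket.SOCK_STREAM))
    except socket.gaierror as exc:
        report.append(("dns", "fail", "not resolving: %s" % exc))
        return report
    ip, port = infos[0][4][0], infos[0][4][1]
    report.append(("dns", "ok", "%s in %.0f ms" % (ip, secs * 1000)))

    # Stage 2: TCP connect. A firewall that silently drops the SYN shows up
    # as a timeout here; one that rejects it shows up as 'refused'.
    try:
        sock, secs = _timed(lambda: socket.create_connection((ip, port), timeout))
    except socket.timeout:
        report.append(("tcp", "fail", "no SYN/ACK within %.1fs (dropped?)" % timeout))
        return report
    except ConnectionRefusedError:
        report.append(("tcp", "fail", "connection refused"))
        return report
    except OSError as exc:
        report.append(("tcp", "fail", str(exc)))
        return report
    report.append(("tcp", "ok", "connected in %.0f ms" % (secs * 1000)))

    if not tls:
        sock.close()
        return report

    # Stage 3: TLS handshake (Client Hello through Finished). A middlebox
    # that lets the SYN through but interferes with TLS stalls or errors here.
    ctx = ssl.create_default_context()
    try:
        tls_sock, secs = _timed(lambda: ctx.wrap_socket(sock, server_hostname=host))
    except socket.timeout:
        report.append(("tls", "fail", "handshake not finished within %.1fs" % timeout))
        sock.close()
        return report
    except ssl.SSLError as exc:
        report.append(("tls", "fail", "handshake error: %s" % exc.reason))
        sock.close()
        return report
    report.append(("tls", "ok", "%s in %.0f ms" % (tls_sock.version(), secs * 1000)))
    tls_sock.close()
    return report


if __name__ == "__main__":
    for stage, status, detail in diagnose("exactmetrics.com"):
        print("%-4s %-4s %s" % (stage, status, detail))
```

If every stage reports `ok` well under the limit, the timeout is happening after the connection is up, in the HTTP exchange itself, which is the part a packet list alone cannot show without TLS decryption.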

Is this a typo?
"to exactmetircs.com" - is it exactmetrics?

Chuckc ( 2020-07-04 16:26:52 +0000 )

Thanks for the help, but yes, done all that. I get the same answers as you did. In answer to Chuck, it is 'exactmetrics.com'

RobertChalmers ( 2020-07-04 20:23:11 +0000 )

Thanks for the suggestions, guys. I'm now a lot closer to finding what I want to track down. As mentioned - I am tracking the exactmetrics.com site, 34.107.243.79, and used both ping and curl requests. Both work, and finally I got the right combination of filters and it's working, showing me traffic to and from the address: ip.addr==34.107.243.79 and on the WiFi interface. (I discovered that I'm using the WiFi rather than eth0, although both are connected, but that's my setup, not related.)

Very nice. Thanks for all the help. Very much appreciated. Robert

RobertChalmers ( 2020-07-05 10:16:03 +0000 )

2 Answers

0

answered 2020-07-05 10:46:56 +0000

RobertChalmers

So, unless I'm wrong, this is telling me that the connection is working.

151334  1910.883343     192.168.0.15    34.107.243.79   TCP     78      55506 → 443 [SYN] Seq=0 Win=65535 Len=0 MSS=1460 WS=64 TSval=218080453 TSecr=0 SACK_PERM=1
151335  1910.907105     34.107.243.79   192.168.0.15    TCP     74      443 → 55506 [SYN, ACK] Seq=0 Ack=1 Win=60192 Len=0 MSS=1380 SACK_PERM=1 TSval=942866260 TSecr=218080453 WS=256
151336  1910.907237     192.168.0.15    34.107.243.79   TCP     66      55506 → 443 [ACK] Seq=1 Ack=1 Win=131328 Len=0 TSval=218080475 TSecr=942866260
151337  1910.923766     192.168.0.15    34.107.243.79   TLSv1.3 583     Client Hello
151338  1910.944775     34.107.243.79   192.168.0.15    TCP     66      443 → 55506 [ACK] Seq=1 Ack=518 Win=61440 Len=0 TSval=942866298 TSecr=218080490
151339  1910.946885     34.107.243.79   192.168.0.15    TLSv1.3 1484    Server Hello, Change Cipher Spec
151340  1910.947141     34.107.243.79   192.168.0.15    TCP     1484    443 → 55506 [ACK] Seq=1419 Ack=518 Win=61440 Len=1418 TSval=942866299 TSecr=218080490 [TCP segment of a reassembled PDU]
151341  1910.947144     34.107.243.79   192.168.0.15    TLSv1.3 333     Application Data
151342  1910.947210     192.168.0.15    34.107.243.79   TCP     66      55506 → 443 [ACK] Seq=518 Ack=2837 Win=129600 Len=0 TSval=218080513 TSecr=942866299
151343  1910.947210     192.168.0.15    34.107.243.79   TCP     66      55506 → 443 [ACK] Seq=518 Ack=3104 Win=129344 Len=0 TSval=218080513 TSecr=942866299
151344  1910.947921     192.168.0.15    34.107.243.79   TLSv1.3 146     Change Cipher Spec, Application Data
151345  1910.948048     192.168.0.15    34.107.243.79   TCP     1434    55506 → 443 [ACK] Seq=598 Ack=3104 Win=131072 Len=1368 TSval=218080514 TSecr=942866299 [TCP segment of a reassembled PDU]
151346  1910.948052     192.168.0.15    34.107.243.79   TLSv1.3 1041    Application Data
151347  1910.970559     34.107.243.79   192.168.0.15    TCP     66      443 → 55506 [ACK] Seq=3104 Ack=1966 Win=64000 Len=0 TSval=942866324 TSecr=218080513
151348  1910.975796     34.107.243.79   192.168.0.15    TCP     66      443 → 55506 [ACK] Seq=3104 Ack=2941 Win=66816 Len=0 TSval=942866330 TSecr=218080514
151367  1911.494144     34.107.243.79   192.168.0.15    TLSv1.3 1484    Application Data
151368  1911.494387     34.107.243.79   192.168.0.15    TLSv1.3 630     Application Data
151369  1911.494443     34.107.243.79   192.168.0.15    TLSv1.3 1484    Application Data
151370  1911.494447     34.107.243.79   192.168.0.15    TLSv1.3 903     Application Data
151371  1911.494483     192.168.0.15    34.107.243.79   TCP     66      55506 → 443 [ACK] Seq=2941 Ack=5086 Win=129600 Len=0 TSval=218081054 TSecr=942866847
151372  1911.494538     192.168 ...

Comments

That's a pretty textbook connection - TCP 3-way handshake, TLS setup, app data, FIN/ACK teardown.
There is about a half second (~500 msec) delay here:

151348  1910.975796     34.107.243.79   192.168.0.15    TCP     66      443 → 55506 [ACK] Seq=3104 Ack=2941 Win=66816 Len=0 TSval=942866330 TSecr=218080514

151367  1911.494144     34.107.243.79   192.168.0.15    TLSv1.3 1484    Application Data

To investigate that you will need to look inside TLS.
Check the documentation for the version of cURL you're using to see if it supports SSLKEYLOGFILE.

Chuckc ( 2020-07-05 13:51:51 +0000 )

Thanks. It certainly looks ok to me. 500ms is well inside the limits. I can do TLS inspection, but I'm wondering if I will. Seems overkill. I'm using curl 2.71.1, so it should be ok. I might have mentioned that this problem is buried in a WordPress website. Its Site Health is telling me that cURL error 28 is timing out after 2 seconds. Due to a firewall... Which it's obviously not. So I'll continue the hunt. Thanks a bunch for your help. Much appreciated. robert

RobertChalmers ( 2020-07-05 14:55:58 +0000 )
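The packet list in this answer, and the half-second gap Chuckc points out in the comments, can be checked mechanically rather than by eye. As an added example (not code from this thread), the Python below parses a Wireshark packet-list export in the column layout shown above (No., Time, Source, Destination, Protocol, Length, Info), measures the TCP and TLS handshake round trips, lists every inter-packet gap over a threshold, and compares the whole exchange against the 2-second limit mentioned in the thread. The embedded sample is a subset of the frames posted above; the 2-second limit and the 100 ms gap threshold are assumptions chosen for the illustration.

```python
from collections import namedtuple

Frame = namedtuple("Frame", "no time src dst proto length info")

# Constructed sample: a subset of the packet list pasted in the answer above,
# in the layout Wireshark exports (No. Time Source Destination Protocol Length Info).
SAMPLE = """\
151334  1910.883343     192.168.0.15    34.107.243.79   TCP     78      55506 → 443 [SYN] Seq=0 Win=65535 Len=0 MSS=1460 WS=64 TSval=218080453 TSecr=0 SACK_PERM=1
151335  1910.907105     34.107.243.79   192.168.0.15    TCP     74      443 → 55506 [SYN, ACK] Seq=0 Ack=1 Win=60192 Len=0 MSS=1380 SACK_PERM=1 TSval=942866260 TSecr=218080453 WS=256
151336  1910.907237     192.168.0.15    34.107.243.79   TCP     66      55506 → 443 [ACK] Seq=1 Ack=1 Win=131328 Len=0 TSval=218080475 TSecr=942866260
151337  1910.923766     192.168.0.15    34.107.243.79   TLSv1.3 583     Client Hello
151339  1910.946885     34.107.243.79   192.168.0.15    TLSv1.3 1484    Server Hello, Change Cipher Spec
151341  1910.947144     34.107.243.79   192.168.0.15    TLSv1.3 333     Application Data
151344  1910.947921     192.168.0.15    34.107.243.79   TLSv1.3 146     Change Cipher Spec, Application Data
151346  1910.948052     192.168.0.15    34.107.243.79   TLSv1.3 1041    Application Data
151348  1910.975796     34.107.243.79   192.168.0.15    TCP     66      443 → 55506 [ACK] Seq=3104 Ack=2941 Win=66816 Len=0 TSval=942866330 TSecr=218080514
151367  1911.494144     34.107.243.79   192.168.0.15    TLSv1.3 1484    Application Data
151371  1911.494483     192.168.0.15    34.107.243.79   TCP     66      55506 → 443 [ACK] Seq=2941 Ack=5086 Win=129600 Len=0 TSval=218081054 TSecr=942866847
"""


def parse_packet_list(text):
    """Turn packet-list rows into Frame tuples; header, blank and truncated rows are skipped."""
    frames = []
    for line in text.splitlines():
        parts = line.split(None, 6)
        if len(parts) < 7 or not parts[0].isdigit():
            continue
        no, t, src, dst, proto, length, info = parts
        frames.append(Frame(int(no), float(t), src, dst, proto, int(length), info.strip()))
    return frames


def ip_addr_filter(frames, ip):
    """Same selection as the display filter ip.addr==ip: match source or destination."""
    return [f for f in frames if ip in (f.src, f.dst)]


def handshake_timings(frames):
    """TCP RTT (SYN -> SYN/ACK) and TLS setup (Client Hello -> Server Hello), in seconds."""
    def first(pred):
        return next((f for f in frames if pred(f)), None)
    syn = first(lambda f: "[SYN]" in f.info)
    synack = first(lambda f: "[SYN, ACK]" in f.info)
    chello = first(lambda f: "Client Hello" in f.info)
    shello = first(lambda f: "Server Hello" in f.info)
    return {
        "tcp_rtt": round(synack.time - syn.time, 6) if syn and synack else None,
        "tls_setup": round(shello.time - chello.time, 6) if chello and shello else None,
    }


def gaps_over(frames, threshold):
    """(prev_no, next_no, gap_seconds) for each consecutive pair further apart than threshold."""
    out = []
    for prev, cur in zip(frames, frames[1:]):
        gap = cur.time - prev.time
        if gap > threshold:
            out.append((prev.no, cur.no, round(gap, 6)))
    return out


def within_timeout(frames, timeout):
    """Elapsed time from first to last frame, and whether it beats the client's timeout."""
    elapsed = round(frames[-1].time - frames[0].time, 6)
    return elapsed, elapsed < timeout


if __name__ == "__main__":
    frames = ip_addr_filter(parse_packet_list(SAMPLE), "34.107.243.79")
    print("handshake:", handshake_timings(frames))
    print("gaps > 100 ms:", gaps_over(frames, 0.1))
    print("elapsed, under 2 s:", within_timeout(frames, 2.0))
```

Run on the sample, the handshake numbers come out at roughly 24 ms for TCP and 23 ms for TLS, the only large gap is the 518 ms pause between frames 151348 and 151367 that the comment mentions, and the whole exchange finishes in about 0.6 s, so this particular connection would not trip a 2-second timeout; applying the same script to a capture taken while the failing check runs is the way to see whether that run looks different.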
0

answered 2020-07-04 14:09:27 +0000

grahamb

There are 2 filter syntaxes in use with Wireshark:

  • Capture filters - these control the packets that are actually captured, details here.
  • Display filters - these control the packets that are displayed, details here.

What filters are you using?


Comments

Thanks, I am using "host 34.107.243.79" and ip.addr==34.107.243.79

RobertChalmers ( 2020-07-04 20:24:53 +0000 )

Since the ping is successful, have you tried making a capture of the ICMP traffic as a test?
That would confirm that you are capturing on the correct interface and that the filters are working.

Chuckc ( 2020-07-04 21:04:26 +0000 )

Seen: 312 times

Last updated: Jul 05 '20