Tag Archives: Wireshark

DNS Packet Capture: DoT, DoH, DoQ, DoH3

While I was working on my presentation about “Secure DNS” for this year’s SharkFest, the Wireshark Developer and User Conference, I realised that I was still missing some DNS-related packet captures in the Ultimate PCAP, namely DNS over TLS and DNS over HTTPS. And while working on it with the DNSDiag toolkit (thanks, Babak!), I came across DNS over QUIC and DNS over HTTP/3. 😂 Here we go:

It was MTU! Zscaler over GRE behind Palo, blocking ICMP Frag Needed

The other day, I was troubleshooting an issue where users reported that “some websites are working while some are not”. Uh. This is almost the worst scenario to face from a networker’s perspective. It’s much easier when things either work or don’t work at all, rather than this “some don’t” situation.

The scenario: Using Zscaler for outbound Internet connections, connected via a GRE tunnel from a Palo Alto Networks firewall. TL;DR: If it’s not DNS, it’s MTU. 😂 The “Suppress ICMP Frag Needed” option within the ICMP Drop section of the Zone Protection Profile did what it is meant to do: block “ICMP fragmentation needed” messages. Unfortunately, this killed *some* sessions which had the “Don’t fragment” bit set but exceeded the (lower) MTU of the GRE tunnel.

Palo vs. PlayStation: How a Security Feature Blocked Our PlayStation Updates

For a few weeks, our PlayStation stopped downloading game updates. I figured it was just a temporary issue with the PS4. Since it didn’t affect me directly but only the kids, I didn’t pay much attention at first. I planned to wait for a firmware update from Sony. When such an update eventually came but didn’t solve the issue, I started getting suspicious – especially when I found almost no relevant results online for the official error code, which reads “(HTTP Status Code : 416) (CE-40862-0)”.

After conducting further detailed searches, I finally came across a post in the Palo Alto Networks LIVEcommunity. That definitely caught my attention. If there’s one thing that sets my home network apart from most “normal” households, it’s the fact that I have a Palo Alto firewall running – not your average consumer-grade router. 😂

Wireshark Feature Added: Connecting ICMP Errors

It’s really just a small thing, but very practical for me: In Wireshark, a feature request I submitted has been implemented. Now, when you click on an ICMP error, the corresponding (original) packet is highlighted.

Previously, clicking on a packet belonging to a flow would show all related packets, including any ICMP errors. However, if you selected an ICMP error packet itself, nothing happened. If you had many ICMP errors from different sessions, you had to go through the cumbersome process of figuring out which sessions they actually belonged to.

Now, you can simply scroll through the packet list as usual and immediately see whether related packets are present — and if so, which ones. Very handy.

Quiz Solution: Troubleshooting Using ICMP Feedback Messages

Troubleshooting in IP networks is not easy, because a network hiccup can have many causes. Experienced admins, however, know ways to shortcut the classic and usually laborious troubleshooting process. For example, sources of errors can be narrowed down using the ICMP feedback messages sent by the network devices involved in a failed IP exchange. Which messages these are and how to interpret them is described in detail here.

At the end of that article we set four network analysis tasks. They are based on a traffic capture that you open with the analysis tool Wireshark and sift through with a display filter. Here are the answers to the tasks.

Harnessing ICMP Messages for Network Troubleshooting

You are an admin and your network is ailing. Where do you start troubleshooting? Our tip: examine your network patients for ICMP symptoms. Many of them lead straight to the cause.

When a network hiccup needs treating, Wireshark counts as one of the favourite tools of network admins, because wrongly cabled or misconfigured servers can often be tracked down from a network capture alone, which saves you from needing admin access to departmental routers or switches. As the treating admin, all you have to do is sift the captured packet confetti with a suitable display filter so that the kind of packet that delivers error hints for free to your knowing eyes stays in the net: the ICMP packets.

ICMP ‘Destination Unreachable’ Messages @ SharkFest’24 EU

I did a presentation at SharkFest’24 EU in Vienna, the “Wireshark Developer and User Conference”, about the topic “Unveiling Network Errors – A Deep Dive into ICMP ‘Destination Unreachable’ Messages”. It covers the following:

“Effective troubleshooting of network issues is a critical concern for network technicians. While many are familiar with basic ICMP tools like ping and traceroute, the breadth of ICMP capabilities often goes underutilised. This session delves into ICMP messages, specifically the ‘Destination Unreachable’ type, and the insights they provide into network errors.

We will explore methods for capturing and analysing network traffic, highlighting practical tips and tricks for using Wireshark to diagnose and resolve issues efficiently. Attendees will gain a deeper understanding of ICMP message functions and how to leverage them for improved network troubleshooting.”

You can watch the whole session and download the slides. And you can do the six challenges at the end of the session as well. (The answers are not in the PDF, but shown in the video.)

Path MTU Discovery

One of the mysteries for me in IP networks was the Path MTU Discovery (PMTUD) process. I’ve seldom seen any problems with the MTU at all. Fortunately, while troubleshooting some router issues, I captured several ICMP “packet too big” errors along with the original packets. 👍🏻

Let’s have a look at those PMTUD processes for IPv6 and legacy IP with Wireshark. Of course, these captured connections are part of the Ultimate PCAP as well, so you can download the most current version of it and analyse it yourself.

Dual-Stack PPPoE on a FortiGate Firewall

You can use a FortiGate to connect to the Internet (that is: Dual-Stack!) directly in various ways. In my current setup, I’m using a PPPoE residential xDSL connection. It’s not that easy to configure everything correctly since it requires the use of many different protocols such as PPPoE and PPPoEv6 (PPP IPV6CP) along with DHCPv6-PD. But here it is:

DHCPv6 Prefix Delegation on a FortiGate Firewall

I got DHCPv6-PD aka prefix delegation up and running on a FortiGate. Yes! ✅ Configuring it is tricky since it’s not always clear which options to use. You cannot see everything in the GUI (it even changes depending on options set later on, or selects hidden, wrong default values), hence you must set specific options via the CLI. I navigated around some bugs and finally got it running. Here we go:

Dual-Stack PPPoE on a Palo Alto Firewall

If you want to establish an Internet connection (that is: IPv6 and IPv4) right away from your firewall through xDSL connections, you need quite a few technologies: PPPoE and PPPoEv6 (PPP IPV6CP) along with DHCPv6-PD. Fortunately, with PAN-OS 11.0 and 11.1, those missing IPv6 pieces were finally added by PANW to their Strata firewalls. (I have been awaiting them since 2015!)

So, here it is: Connecting a Palo through an xDSL modem to a residential ISP:

It’s Always DNS! @ SharkFest’23 EU

This time (2023) at the yearly Wireshark Developer and User Conference in Europe, I gave a talk about DNS. How could it have been any different? The title simply had to be ‘It’s Always DNS’. 😂

“This session dives deeper into the Domain Name System, covering recursive vs. iterative DNS queries, resource records types, TTL & caching, DNS errors, a little DNSSEC, flags, and of course: Wireshark with its useful display filters, custom columns, colouring rules, and so on. And we will explore some other tools to analyze and troubleshoot DNS even further.”

You can watch the whole session and download the slides. And you can do the six challenges at the end of the session as well. (The answers are not in the PDF, but shown in the video.)

Joining an Active Directory: A Packet Capture

What happens on the network if you’re joining a Microsoft Active Directory domain? Which protocols are used? As I suspected, it’s a bit more complex than just seeing a single known protocol like HTTPS. ;)

Since a PCAP is worth a thousand words, I captured the process of a Windows PC joining an AD. Let’s have a look at it with Wireshark and NetworkMiner. And, as always, you’re welcome to download the packet capture to analyse it by yourself.

DHCPv6 Prefix Delegation on Palo Alto’s NGFW

Finally! With PAN-OS 11.0 a long-missing IPv6 feature was introduced: DHCPv6-PD aka prefix delegation. For the first time, we can now operate a PAN-OS firewall directly on the Internet (the IPv6 Internet, that is) on many kinds of ISP connections. Remember: getting a routed IPv6 prefix requires DHCPv6-PD (if you’re not a BGP-homed enterprise). Hence, without that feature, we could not connect a Palo to the Internet directly.

With DHCPv6-PD, the firewall can receive a prefix from the ISP (commonly a /48 or a /56), while handing out /64s to downstream layer 3 interfaces. Here we go:
