Tony Fortunato shows how the network protocol analyzer helps with firewall and router configuration.
When using network protocol analyzers, analysts may run into problems when they need to recommend a configuration change to the technicians who manage the firewalls or routers. This can happen when a network analyst spots abnormal or suspicious traffic and wants to block it. It also can happen when an analyst determines that a firewall or router configuration is preventing proper communication with a new application.
With either scenario, the analyst who captured the packets has to explain or translate the change to the router or firewall manager. The potential problem is that different technicians from various disciplines might not easily understand what's needed or be on the same page.
This is where a little-known Wireshark feature comes in, which I demonstrate in the video below.
While analyzing packets in Wireshark, open the Tools menu and select the Firewall ACL Rules option. Wireshark then shows configuration syntax for different firewall and router products, such as Cisco IOS, Netfilter (iptables) and Windows Firewall (via netsh). These rules are based on MAC addresses, IPv4 addresses, TCP and UDP ports, and IPv4+port.
Pay attention to the screen and make sure the appropriate deny and inbound options are selected so that the generated rule has the expected result.
Finally, feel free to copy and paste several filters into a text editor, but be careful about the order of the rules and check whether the product you're working with needs a deny-all or permit-all rule at the end.
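To make the ordering caveat concrete, here is an added example (not Wireshark's output and not code from the author) that models pasted rules as an ordered list, evaluates them first-match, and renders each one in iptables and Cisco IOS extended ACL syntax. The `Rule` class, the `first_match` helper, the ACL number 101 and the documentation-range addresses are all constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str            # "deny" or "permit"
    proto: str             # "tcp" or "udp"
    src: str               # IPv4 source in CIDR form; "0.0.0.0/0" means any
    dport: Optional[int]   # destination port; None means any

    def matches(self, proto, src_ip, dport):
        net = ipaddress.ip_network(self.src)
        return (self.proto == proto and ipaddress.ip_address(src_ip) in net
                and self.dport in (None, dport))

    def iptables(self):
        # Inbound rule on the INPUT chain; deny maps to DROP, permit to ACCEPT.
        target = "DROP" if self.action == "deny" else "ACCEPT"
        port = "" if self.dport is None else f" --dport {self.dport}"
        return f"iptables -A INPUT -p {self.proto} -s {self.src}{port} -j {target}"

    def cisco(self, acl=101):
        # Extended ACL line; 101 is an assumed ACL number.
        net = ipaddress.ip_network(self.src)
        if net.prefixlen == 32:
            src = f"host {net.network_address}"
        elif net.prefixlen == 0:
            src = "any"
        else:
            src = f"{net.network_address} {net.hostmask}"  # wildcard mask
        port = "" if self.dport is None else f" eq {self.dport}"
        return f"access-list {acl} {self.action} {self.proto} {src} any{port}"

def first_match(rules, default, proto, src_ip, dport):
    """Return the action of the first matching rule, else the default."""
    for rule in rules:
        if rule.matches(proto, src_ip, dport):
            return rule.action
    return default

# Constructed sample: block one host, allow the rest of its subnet.
ORDERED = [Rule("deny", "tcp", "203.0.113.7/32", 445),
           Rule("permit", "tcp", "203.0.113.0/24", 445)]

if __name__ == "__main__":
    for r in ORDERED:
        print(r.iptables(), "|", r.cisco())
    print(first_match(ORDERED, "deny", "tcp", "203.0.113.7", 445))        # deny
    print(first_match(ORDERED[::-1], "deny", "tcp", "203.0.113.7", 445))  # permit
```

The `default` argument stands in for what happens when nothing matches: a Cisco IOS ACL ends with an implicit deny, while an iptables chain falls through to its chain policy, so the same pasted rules can behave differently on the two products.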