First, the better way is to get access to your firewall server to check the logs.
You need to do some investigation if you do not have this kind of access.
Wireshark can confirm what is happening, but it is not a proper tool to do it. You need to use more tools to check it out.
Let's assume you have a scenario:
- You have access to the server and no access to the firewall.

In this case I recommend that you run both the nmap and nc tools on Linux to probe ports.

```
$ nmap -Pn -v -v 10.1.1.20
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-24 17:39 -03
Initiating Parallel DNS resolution of 1 host. at 17:39
Completed Parallel DNS resolution of 1 host. at 17:39, 0.08s elapsed
Initiating Connect Scan at 17:39
Scanning 10.1.1.20 [1000 ports]
Discovered open port 8080/tcp on 10.1.1.20
Discovered open port 22/tcp on 10.1.1.20
Discovered open port 111/tcp on 10.1.1.20
Discovered open port 8000/tcp on 10.1.1.20
Discovered open port 9001/tcp on 10.1.1.20
Completed Connect Scan at 17:39, 0.49s elapsed (1000 total ports)
Nmap scan report for 10.1.1.20
Host is up, received user-set (0.047s latency).
Scanned at 2023-01-24 17:39:28 -03 for 1s
Not shown: 995 closed tcp ports (conn-refused)
PORT     STATE SERVICE    REASON
22/tcp   open  ssh        syn-ack
111/tcp  open  rpcbind    syn-ack
8000/tcp open  http-alt   syn-ack
8080/tcp open  http-proxy syn-ack
9001/tcp open  tor-orport syn-ack
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.59 seconds
```

```
$ nc -vnz 10.1.1.20 22
Ncat: Version 7.93 ( https://nmap.org/ncat )
Ncat: Connected to 10.1.1.20:22.
Ncat: 0 bytes sent, 0 bytes received in 0.05 seconds.
```

As you can see, I probed all open ports on my server and confirmed that 22 is open for use and is not being blocked by a firewall.
But there could still be a problem. Let me show you.

```
$ ssh root@10.1.1.20
kex_exchange_identification: read: Connection reset by peer
Connection reset by 10.1.1.20 port 22
```

I cannot get into this host. The problem is that some rule in the firewall is blocking the SSH key exchange. How can I confirm it? I use Wireshark to confirm that.
I selected "any" as my interface, then I tried to connect to the server and discovered that a firewall at xxx.244 is blocking my entrance. I use this filter in Wireshark:

```
!(http or ssdp) && tcp.flags.reset==1
```

The first part filters out trash and the second part gets the resets.
[wireshark filter and hidden firewall on my way][1]
The second part confirms a problem, because I also ping that host and use the tracepath command in the same capture. This trace got blocked somewhere on its way, as you can see in the second part of the captured packets.
[first is ping and second is tracepath output][2]
As you can see, you need to use more tools to understand what is happening. You must check your application too, if it has some logs; you could also have a reverse proxy in the middle of the path, or something else.
You can use nc to simulate a simple server on one side and transfer a file over each port you need to use in your application.
Create a file on the client and put some trash inside of it.

```
: > test
cat <<EOF > test
asd
asdas
asd
asd
EOF
```

Your server is 10.1.1.20 in this example.
Run netcat on this server on port 3333, for example:

```
nc -lv 3333 > test
```

Run netcat on the client to send the file to this server:

```
nc -v 10.1.1.20 3333 < test
```

Monitor your server and client for results. Try this with all necessary ports. If your firewall is blocking some of those ports, you cannot transfer this file.
Good luck!
[1]: https://i.stack.imgur.com/avf0y.png
[2]: https://i.stack.imgur.com/p5ylM.png
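
The difference shown above between the connect scan (22 open) and the ssh session (reset during key exchange) can be checked per port in one step. This is an added example, not part of the original answer; `probe` and `report` are hypothetical names, and the payload argument is an assumption for firewalls that only react once the client sends data.

```python
import socket
import sys

def probe(host, port, payload=b"", timeout=3.0):
    """Classify one TCP port by what happens after the handshake.

    closed      - our SYN was answered with RST (connection refused)
    filtered    - no usable answer to the SYN (timeout, unreachable)
    reset       - handshake completed, then the session was reset
    open-silent - handshake completed, peer sent nothing before the timeout
    open-eof    - peer closed cleanly without sending data
    open-data   - peer sent data (for SSH, its identification banner)
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "closed"
    except OSError:  # includes socket.timeout and "no route to host"
        return "filtered"
    with sock:
        try:
            if payload:
                sock.sendall(payload)  # e.g. a client hello the middlebox inspects
            data = sock.recv(256)
        except (ConnectionResetError, BrokenPipeError):
            return "reset"  # what `nc -z` and a connect scan cannot see
        except socket.timeout:
            return "open-silent"
        return "open-data" if data else "open-eof"

def report(host, ports, payload=b"", timeout=3.0):
    """Probe each port and return {port: state}."""
    return {p: probe(host, p, payload, timeout) for p in ports}

if __name__ == "__main__" and len(sys.argv) > 2:
    # Usage: python3 probe.py HOST PORT [PORT ...]
    for port, state in report(sys.argv[1], map(int, sys.argv[2:])).items():
        print(f"{port}/tcp {state}")
```

A port that nmap lists as open but that comes back as `reset` here matches the `kex_exchange_identification: read: Connection reset by peer` case.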