How to Use Wireshark to Identify a List of Domains Connected via MSIP

  1. Capture the PCAP file using Wireshark
  2. Start Wireshark.
  3. Open the PCAP capture file.
  4. Enter the following query into the display filter, using the relevant port number for the configuration in the environment being investigated

Using SAML SSO on Port 3131

http.request.method == "CONNECT" and tcp.port==3131

Using Menlo Authentication on Port 3129

http.request.method == "CONNECT" and tcp.port==3129