How to Use Wireshark to Identify a List of Domains Connected via MSIP
- Capture the PCAP file using Wireshark
- Start Wireshark.
- Open the PCAP capture file.
- Enter the following query into the display filter, using the relevant port number for the configuration in the environment being investigated
Using SAML SSO on Port 3131
http.request.method == "CONNECT" and tcp.port==3131
Using Menlo Authentication on Port 3129
http.request.method == "CONNECT" and tcp.port==3129