Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy now.
How to find what HTTP traffic between exchange servers is
Hello,
We have a high utilization across our MPLS network and when I look at What's up Gold Net Flow it shows 87% of the traffic passed is from the local branch exchange server to the corporate (where all internet goes through). I talked to support and they don't go any deeper than telling us what is the top talker but I need to determine what is exactly going on port 80 between the two. I've run wireshark and see a lot of communication, but how do I narrow it down.
snapshot.docx
We have a high utilization across our MPLS network and when I look at What's up Gold Net Flow it shows 87% of the traffic passed is from the local branch exchange server to the corporate (where all internet goes through). I talked to support and they don't go any deeper than telling us what is the top talker but I need to determine what is exactly going on port 80 between the two. I've run wireshark and see a lot of communication, but how do I narrow it down.
snapshot.docx
Asked:
3-
3
1 Solution
The source is our branch exchange IP the target is our corporate exchange IP protocol TCP Source Port http (80) destination port (21618) so it appears to be some communication between the exchange servers. All internet mail comes through corporate email server but this has been going on for 3 days using 87% of the traffic and causing latency. I'm wondering how to determine what exactly is going on between the 2 servers and I"m not sure how or if I can get that from wireshark
Here is a good how to on wireshark:
http://www.howtogeek.com/104278/how-to-use-wireshark-to-capture-filter-and-inspect-packets/
Once you actually have the packets, it's all easy from there (time consuming but easy :-) )
The link will tell you how to read the packets that will tell you what is happening between the source and destination and what the response are and what is sent.
http://www.howtogeek.com/104278/how-to-use-wireshark-to-capture-filter-and-inspect-packets/
Once you actually have the packets, it's all easy from there (time consuming but easy :-) )
The link will tell you how to read the packets that will tell you what is happening between the source and destination and what the response are and what is sent.
I saw that article which got me to this point. I can see source and target and ports but if I know the source is sending HTTP to the corporate exchange server on port 21618 yet the data is and I'm unsure from here how to see what the branch exchange server (what application) is using port 80 to send to corporate from the below so am unsure how to stop it from sending so much other than reboot and hope. I was wanting to see if I could narrow it down?
000 00 18 8b 48 5b 36 00 17 e0 4a 8d a8 08 00 45 48 ...H[6.. .J....EH
0010 05 dc 04 b7 40 00 7d 06 d8 b2 0a 46 03 05 0a 0a ....@.}. ...F....
0020 03 16 00 50 54 72 7b ed 52 64 a5 8d d2 34 50 18 ...PTr{. Rd...4P.
0030 ff ff 6f c9 00 00 75 6b 4f 79 72 53 6d 62 75 56 ..o...uk OyrSmbuV
0040 58 2b 6a 6a 6d 37 7a 78 58 79 33 45 6c 73 53 61 X+jjm7zx Xy3ElsSa
0050 70 4a 63 72 57 48 33 64 43 32 54 32 44 62 39 32 pJcrWH3d C2T2Db92
0060 67 77 58 45 6e 54 59 63 63 6f 31 6c 72 59 75 75 gwXEnTYc co1lrYuu
0070 37 56 38 0d 0a 64 37 6c 2b 74 33 78 39 38 38 5a 7V8..d7l +t3x988Z
0080 62 45 41 75 51 44 66 4f 65 73 64 45 51 4c 4e 63 bEAuQDfO esdEQLNc
0090 48 4d 39 34 44 59 6a 79 30 52 64 64 38 78 63 76 HM94DYjy 0Rdd8xcv
00a0 6a 2b 5a 71 47 42 2b 71 7a 4a 43 62 4c 79 66 78 j+ZqGB+q zJCbLyfx
00b0 72 30 6a 45 73 57 33 47 44 32 41 77 47 35 46 47 r0jEsW3G D2AwG5FG
00c0 70 0d 0a 76 4e 44 59 33 58 72 46 45 32 4f 63 59 p..vNDY3 XrFE2OcY
00d0 79 67 54 33 63 5a 68 73 6f 39 38 50 56 75 64 76 ygT3cZhs o98PVudv
00e0 52 63 45 61 6c 57 2f 38 63 71 63 62 38 76 61 42 RcEalW/8 cqcb8vaB
00f0 73 4d 71 45 32 2f 53 75 73 4e 42 48 65 72 32 78 sMqE2/Su sNBHer2x
0100 52 6c 69 70 37 49 61 62 39 36 38 65 66 76 71 0d Rlip7Iab 968efvq.
0110 0a 6a 58 59 61 6a 47 31 4d 48 42 71 78 7a 56 32 .jXYajG1 MHBqxzV2
0120 78 48 41 74 77 31 63 47 45 46 4e 4b 37 51 56 72 xHAtw1cG EFNK7QVr
0130 63 49 72 54 72 6c 56 70 75 4a 59 41 76 52 67 79 cIrTrlVp uJYAvRgy
0140 62 6b 38 32 76 4d 69 58 48 34 55 62 43 51 76 50 bk82vMiX H4UbCQvP
0150 77 71 53 73 52 62 39 67 52 41 35 50 75 0d 0a 54 wqSsRb9g RA5Pu..T
0160 47 74 36 50 35 38 71 70 6b 64 77 75 73 78 35 4b Gt6P58qp kdwusx5K
0170 45 35 50 53 76 6f 52 54 77 77 7a 57 31 48 43 6d E5PSvoRT wwzW1HCm
0180 5a 55 73 62 56 35 36 79 64 57 6b 4f 75 6a 6d 68 ZUsbV56y dWkOujmh
0190 68 38 56 64 41 37 43 59 54 32 48 38 52 7a 54 5a h8VdA7CY T2H8RzTZ
01a0 41 65 50 48 38 6d 45 48 69 55 37 0d 0a 79 6a 48 AePH8mEH iU7..yjH
01b0 54 38 6d 58 75 4d 55 56 43 4c 4f 74 4a 58 4a 4d T8mXuMUV CLOtJXJM
01c0 36 72 6b 35 73 4a 38 74 33 68 54 55 79 44 77 33 6rk5sJ8t 3hTUyDw3
01d0 66 6a 79 42 67 37 57 32 43 50 43 6c 34 4a 59 32 fjyBg7W2 CPCl4JY2
01e0 4e 65 57 64 69 43 63 59 54 51 51 69 4b 52 2b 31 NeWdiCcY TQQiKR+1
01f0 71 5a 7a 49 6f 2f 47 71 6f 0d 0a 58 38 6b 58 61 qZzIo/Gq o..X8kXa
0200 31 2f 68 33 43 69 79 79 32 6f 56 55 7a 67 48 76 1/h3Ciyy 2oVUzgHv
I
000 00 18 8b 48 5b 36 00 17 e0 4a 8d a8 08 00 45 48 ...H[6.. .J....EH
0010 05 dc 04 b7 40 00 7d 06 d8 b2 0a 46 03 05 0a 0a ....@.}. ...F....
0020 03 16 00 50 54 72 7b ed 52 64 a5 8d d2 34 50 18 ...PTr{. Rd...4P.
0030 ff ff 6f c9 00 00 75 6b 4f 79 72 53 6d 62 75 56 ..o...uk OyrSmbuV
0040 58 2b 6a 6a 6d 37 7a 78 58 79 33 45 6c 73 53 61 X+jjm7zx Xy3ElsSa
0050 70 4a 63 72 57 48 33 64 43 32 54 32 44 62 39 32 pJcrWH3d C2T2Db92
0060 67 77 58 45 6e 54 59 63 63 6f 31 6c 72 59 75 75 gwXEnTYc co1lrYuu
0070 37 56 38 0d 0a 64 37 6c 2b 74 33 78 39 38 38 5a 7V8..d7l +t3x988Z
0080 62 45 41 75 51 44 66 4f 65 73 64 45 51 4c 4e 63 bEAuQDfO esdEQLNc
0090 48 4d 39 34 44 59 6a 79 30 52 64 64 38 78 63 76 HM94DYjy 0Rdd8xcv
00a0 6a 2b 5a 71 47 42 2b 71 7a 4a 43 62 4c 79 66 78 j+ZqGB+q zJCbLyfx
00b0 72 30 6a 45 73 57 33 47 44 32 41 77 47 35 46 47 r0jEsW3G D2AwG5FG
00c0 70 0d 0a 76 4e 44 59 33 58 72 46 45 32 4f 63 59 p..vNDY3 XrFE2OcY
00d0 79 67 54 33 63 5a 68 73 6f 39 38 50 56 75 64 76 ygT3cZhs o98PVudv
00e0 52 63 45 61 6c 57 2f 38 63 71 63 62 38 76 61 42 RcEalW/8 cqcb8vaB
00f0 73 4d 71 45 32 2f 53 75 73 4e 42 48 65 72 32 78 sMqE2/Su sNBHer2x
0100 52 6c 69 70 37 49 61 62 39 36 38 65 66 76 71 0d Rlip7Iab 968efvq.
0110 0a 6a 58 59 61 6a 47 31 4d 48 42 71 78 7a 56 32 .jXYajG1 MHBqxzV2
0120 78 48 41 74 77 31 63 47 45 46 4e 4b 37 51 56 72 xHAtw1cG EFNK7QVr
0130 63 49 72 54 72 6c 56 70 75 4a 59 41 76 52 67 79 cIrTrlVp uJYAvRgy
0140 62 6b 38 32 76 4d 69 58 48 34 55 62 43 51 76 50 bk82vMiX H4UbCQvP
0150 77 71 53 73 52 62 39 67 52 41 35 50 75 0d 0a 54 wqSsRb9g RA5Pu..T
0160 47 74 36 50 35 38 71 70 6b 64 77 75 73 78 35 4b Gt6P58qp kdwusx5K
0170 45 35 50 53 76 6f 52 54 77 77 7a 57 31 48 43 6d E5PSvoRT wwzW1HCm
0180 5a 55 73 62 56 35 36 79 64 57 6b 4f 75 6a 6d 68 ZUsbV56y dWkOujmh
0190 68 38 56 64 41 37 43 59 54 32 48 38 52 7a 54 5a h8VdA7CY T2H8RzTZ
01a0 41 65 50 48 38 6d 45 48 69 55 37 0d 0a 79 6a 48 AePH8mEH iU7..yjH
01b0 54 38 6d 58 75 4d 55 56 43 4c 4f 74 4a 58 4a 4d T8mXuMUV CLOtJXJM
01c0 36 72 6b 35 73 4a 38 74 33 68 54 55 79 44 77 33 6rk5sJ8t 3hTUyDw3
01d0 66 6a 79 42 67 37 57 32 43 50 43 6c 34 4a 59 32 fjyBg7W2 CPCl4JY2
01e0 4e 65 57 64 69 43 63 59 54 51 51 69 4b 52 2b 31 NeWdiCcY TQQiKR+1
01f0 71 5a 7a 49 6f 2f 47 71 6f 0d 0a 58 38 6b 58 61 qZzIo/Gq o..X8kXa
0200 31 2f 68 33 43 69 79 79 32 6f 56 55 7a 67 48 76 1/h3Ciyy 2oVUzgHv
I
Question has a verified solution.
Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.
Have a better answer? Share it in a comment.
Join & Write a Comment Already a member? Login.
Featured Post
This CPTE Certified Penetration Testing Engineer course covers everything you need to know about becoming a Certified Penetration Testing Engineer. Career Path: Professional roles include Ethical Hackers, Security Consultants, System Administrators, and Chief Security Officers.
Tackle projects and never again get stuck behind a technical roadblock.
Join Now
If the destination is an actual web server on your end then this makes it easier.
you can do ping -a ip or nslookup ip to see what server that ip is bound to on your internal network.
Simply find the ip address from the trace and see what website that is bound to on the web server in IIS.
You can then do a parse of the logs using log parser to see the top users of the site and match the source ips.