How to find what HTTP traffic between exchange servers is
Hello,
We have high utilization across our MPLS network, and when I look at WhatsUp Gold NetFlow it shows 87% of the traffic passed is from the local branch Exchange server to the corporate one (where all internet goes through). I talked to support and they don't go any deeper than telling us what the top talker is, but I need to determine what exactly is going on over port 80 between the two. I've run Wireshark and see a lot of communication, but how do I narrow it down? (attachment: snapshot.docx)
Tags: Network Management, Networking Protocols, Networking
Last comment: bergquistcompany, 8/22/2022 (Mon)
becraig
In the wireshark trace you will see source and destination.
If the destination is an actual web server on your end then this makes it easier.
You can do ping -a <ip> or nslookup <ip> to see what server that IP is bound to on your internal network.
Simply find the ip address from the trace and see what website that is bound to on the web server in IIS.
You can then parse the logs using Log Parser to see the top users of the site and match the source IPs.
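The Log Parser step above, as an added example that is not part of the thread: a small Python stand-in that reads an IIS W3C log, totals bytes per client IP (the column to match against the source IPs seen in Wireshark) and then lists which URIs that client is hitting. It assumes the site logs in the default W3C extended format with a #Fields: header; the log lines are constructed sample data, not anything from the poster's servers.

```python
"""Summarise an IIS W3C log by client IP and by URI.

Added example, not code from the original thread. Assumes the default
IIS W3C extended log format (a "#Fields:" header naming the columns).
The SAMPLE_LOG below is constructed sample data.
"""
from collections import defaultdict

# Constructed sample: one directive line, a #Fields header and five
# request lines. IIS writes spaces inside field values as '+'.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem s-port c-ip cs(User-Agent) sc-status sc-bytes cs-bytes time-taken
2012-05-14 10:00:01 10.1.1.5 POST /ews/exchange.asmx 80 10.2.2.9 Mozilla/4.0+(compatible) 200 5120000 2048 310
2012-05-14 10:00:02 10.1.1.5 GET /owa/ 80 10.3.3.17 Mozilla/5.0+(Windows) 200 12000 512 20
2012-05-14 10:00:03 10.1.1.5 POST /ews/exchange.asmx 80 10.2.2.9 Mozilla/4.0+(compatible) 200 4800000 1900 290
2012-05-14 10:00:04 10.1.1.5 RPC_IN_DATA /rpc/rpcproxy.dll 80 10.2.2.9 MSRPC 200 1048576 1048576 60000
2012-05-14 10:00:05 10.1.1.5 GET /owa/ 80 10.3.3.18 Mozilla/5.0+(Windows) 401 1500 400 5
"""


def parse_iis_log(text):
    """Yield one dict per request line, keyed by the names in #Fields."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column names follow the directive
            continue
        if line.startswith("#"):
            continue                       # other directives (#Software, #Date ...)
        if fields is None:
            raise ValueError("request line seen before a #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue                       # skip a truncated or malformed line
        yield dict(zip(fields, values))


def _bytes(rec):
    """Bytes on the wire for one request: server-sent plus client-sent."""
    return int(rec.get("sc-bytes", 0)) + int(rec.get("cs-bytes", 0))


def top_talkers(text, key="c-ip", limit=5):
    """Return [(value, total_bytes, request_count)] for the given column,
    sorted by total bytes descending. key="c-ip" gives the client IPs to
    match against the source addresses in the Wireshark trace."""
    totals = defaultdict(lambda: [0, 0])
    for rec in parse_iis_log(text):
        totals[rec[key]][0] += _bytes(rec)
        totals[rec[key]][1] += 1
    ranked = sorted(((k, v[0], v[1]) for k, v in totals.items()),
                    key=lambda t: t[1], reverse=True)
    return ranked[:limit]


def top_uris_for_client(text, client_ip, limit=5):
    """Return [(uri_stem, total_bytes, request_count)] for one client IP,
    which shows what that host is actually doing against the site."""
    totals = defaultdict(lambda: [0, 0])
    for rec in parse_iis_log(text):
        if rec["c-ip"] != client_ip:
            continue
        totals[rec["cs-uri-stem"]][0] += _bytes(rec)
        totals[rec["cs-uri-stem"]][1] += 1
    ranked = sorted(((k, v[0], v[1]) for k, v in totals.items()),
                    key=lambda t: t[1], reverse=True)
    return ranked[:limit]


if __name__ == "__main__":
    for ip, nbytes, count in top_talkers(SAMPLE_LOG):
        print(f"{ip:<15} {nbytes:>12} bytes {count:>4} requests")
    heaviest = top_talkers(SAMPLE_LOG)[0][0]
    print(f"URIs hit by {heaviest}:")
    for uri, nbytes, count in top_uris_for_client(SAMPLE_LOG, heaviest):
        print(f"  {uri:<25} {nbytes:>12} bytes {count:>4} requests")
```

Against a real log directory, the same two aggregations in Log Parser itself are a SELECT with GROUP BY c-ip (or cs-uri-stem) and ORDER BY the SUM of sc-bytes and cs-bytes, read with -i:IISW3C; the point of either form is that the URI column tells you which Exchange web service the peer server is pulling, which is what the packet trace alone does not show.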
bergquistcompany
ASKER
The source is our branch Exchange IP, the target is our corporate Exchange IP, protocol TCP, source port http (80), destination port 21618, so it appears to be some communication between the Exchange servers. All internet mail comes through the corporate email server, but this has been going on for 3 days, using 87% of the traffic and causing latency. I'm wondering how to determine what exactly is going on between the 2 servers, and I'm not sure how, or if, I can get that from Wireshark.
Once you actually have the packets, it's all easy from there (time consuming but easy :-) )
The link will tell you how to read the packets, which will tell you what is happening between the source and destination, what the responses are and what is sent.
I saw that article, which got me to this point. I can see source and target and ports, but if I know the source is sending HTTP to the corporate Exchange server on port 21618 yet the data is and I'm unsure from here how to see what the branch Exchange server (what application) is using port 80 to send to corporate from the below, so I am unsure how to stop it from sending so much other than reboot and hope. I was wanting to see if I could narrow it down?