Solved

How to find what HTTP traffic between exchange servers is

Posted on 2013-01-08
716 Views
Last Modified: 2013-01-08
Hello,

We have high utilization across our MPLS network, and when I look at WhatsUp Gold NetFlow it shows 87% of the traffic passed is from the local branch Exchange server to the corporate one (where all internet goes through). I talked to support and they don't go any deeper than telling us what the top talker is, but I need to determine what exactly is going on over port 80 between the two. I've run Wireshark and see a lot of communication, but how do I narrow it down?
snapshot.docx
Question by:bergquistcompany
6 Comments
 

Expert Comment

by:becraig
In the wireshark trace you will see source and destination.

If the destination is an actual web server on your end then this makes it easier.

You can do ping -a ip or nslookup ip to see what server that IP is bound to on your internal network.

Simply find the ip address from the trace and see what website that is bound to on the web server in IIS.

You can then do a parse of the logs using log parser to see the top users of the site and match the source ips.
 

Author Comment

by:bergquistcompany
The source is our branch Exchange IP, the target is our corporate Exchange IP, protocol TCP, source port http (80), destination port 21618, so it appears to be some communication between the Exchange servers. All internet mail comes through the corporate email server, but this has been going on for 3 days, using 87% of the traffic and causing latency. I'm wondering how to determine what exactly is going on between the 2 servers, and I'm not sure how, or if, I can get that from Wireshark.
 

Expert Comment

by:becraig
Here is a good how to on wireshark:

http://www.howtogeek.com/104278/how-to-use-wireshark-to-capture-filter-and-inspect-packets/

Once you actually have the packets, it's all easy from there (time consuming but easy :-) )

The link will tell you how to read the packets, which will tell you what is happening between the source and destination, what the responses are and what is sent.

 

Author Comment

by:bergquistcompany
I saw that article, which got me to this point. I can see source and target and ports, but if I know the source is sending HTTP to the corporate Exchange server on port 21618, yet the data is and I'm unsure from here how to see what application on the branch Exchange server is using port 80 to send to corporate from the below, so I am unsure how to stop it from sending so much other than reboot and hope. I was wanting to see if I could narrow it down?
 

Accepted Solution

by:
becraig earned 500 total points
So from here, on the server generating the traffic, I would take a look at netstat to see what is sending on that port;
also possibly look into using Netmon to monitor traffic on port 80 going out on that server and see what is the volume driver.
 
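As an added example (not code from the thread), here is the netstat step from the accepted answer turned into a repeatable check: parse `netstat -ano` and `tasklist` output from the branch Exchange server and map the established port-80 flow to its PID and image name. The addresses, PIDs and process names are constructed sample data.

```python
"""Map the port-80 conversation to its owning process from `netstat -ano` and
`tasklist` output (Windows). Added example; all sample values are constructed."""
import re
# Constructed `netstat -ano` output as seen on the branch Exchange server.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
  TCP    10.70.3.5:80           10.10.3.22:21618       ESTABLISHED     4
  TCP    10.70.3.5:25           10.10.3.22:49700       ESTABLISHED     2248
"""
# Constructed `tasklist` output from the same server.
TASKLIST_SAMPLE = """
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System                           4 Services                   0     1,234 K
svchost.exe                    712 Services                   0    12,340 K
MSExchangeTransport.exe       2248 Services                   0   245,120 K
"""
# TCP rows only: UDP rows carry no State column and are not the sender here.
TCP_ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$")
TASK_ROW = re.compile(r"^(\S.*?)\s+(\d+)\s+\S+\s+\d+\s+[\d,]+ K\s*$")

def parse_netstat(text):
    """Return one dict per TCP row; the last column of netstat -ano is the PID."""
    rows = []
    for m in (TCP_ROW.match(l) for l in text.splitlines()):
        if m:
            rows.append({"laddr": m[1], "lport": int(m[2]), "raddr": m[3],
                         "rport": int(m[4]), "state": m[5], "pid": int(m[6])})
    return rows

def parse_tasklist(text):
    """Return {pid: image name} from tasklist's fixed-width table."""
    return {int(m[2]): m[1] for m in map(TASK_ROW.match, text.splitlines()) if m}

def owners(netstat_text, tasklist_text, local_port, remote_addr):
    """List (pid, image, remote port) for established flows matching the trace."""
    names = parse_tasklist(tasklist_text)
    return [(r["pid"], names.get(r["pid"], "<unknown>"), r["rport"])
            for r in parse_netstat(netstat_text)
            if r["lport"] == local_port and r["raddr"] == remote_addr
            and r["state"] == "ESTABLISHED"]

if __name__ == "__main__":
    # PID 4 (System) on port 80 means http.sys owns the socket and the real
    # sender is an IIS worker (w3wp.exe); `netsh http show servicestate`
    # shows which worker processes sit behind each URL reservation.
    print(owners(NETSTAT_SAMPLE, TASKLIST_SAMPLE, 80, "10.10.3.22"))
```

On an Exchange server the port-80 socket is normally owned by PID 4 (http.sys), so a hit on System is expected and the next step is the IIS worker process rather than killing PID 4.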

Author Closing Comment

by:bergquistcompany
Excellent that is the part I needed so I could find the PID and kill the process