Solved

How to find what HTTP traffic between exchange servers is

Posted on 2013-01-08
Medium Priority
769 Views
Last Modified: 2013-01-08
Hello,

We have high utilization across our MPLS network, and when I look at WhatsUp Gold NetFlow it shows 87% of the traffic passed is from the local branch Exchange server to the corporate one (where all internet goes through). I talked to support and they don't go any deeper than telling us what the top talker is, but I need to determine what exactly is going on over port 80 between the two. I've run Wireshark and see a lot of communication, but how do I narrow it down?
snapshot.docx
Question by:bergquistcompany
6 Comments
 
LVL 29

Expert Comment

by:becraig
ID: 38755784
In the wireshark trace you will see source and destination.

If the destination is an actual web server on your end then this makes it easier.

You can do ping -a ip or nslookup ip to see what server that IP is bound to on your internal network.

Simply find the IP address from the trace and see what website that is bound to on the web server in IIS.

You can then parse the logs using Log Parser to see the top users of the site and match the source IPs.
 

Author Comment

by:bergquistcompany
ID: 38755806
The source is our branch Exchange IP, the target is our corporate Exchange IP, protocol TCP, source port http (80), destination port 21618, so it appears to be some communication between the Exchange servers. All internet mail comes through the corporate email server, but this has been going on for 3 days, using 87% of the traffic and causing latency. I'm wondering how to determine what exactly is going on between the 2 servers, and I'm not sure how, or if, I can get that from Wireshark.
 
LVL 29

Expert Comment

by:becraig
ID: 38755822
Here is a good how to on wireshark:

http://www.howtogeek.com/104278/how-to-use-wireshark-to-capture-filter-and-inspect-packets/

Once you actually have the packets, it's all easy from there (time consuming but easy :-) )

The link will tell you how to read the packets, which will tell you what is happening between the source and destination, what the responses are and what is sent.

Author Comment

by:bergquistcompany
ID: 38755864
I saw that article, which got me to this point. I can see source and target and ports, but if I know the source is sending HTTP to the corporate Exchange server on port 21618 yet the data is and I'm unsure from here how to see what the branch Exchange server (what application) is using port 80 to send to corporate from the below, so I am unsure how to stop it from sending so much other than reboot and hope. I was wanting to see if I could narrow it down.
 
000  00 18 8b 48 5b 36 00 17  e0 4a 8d a8 08 00 45 48   ...H[6.. .J....EH
0010  05 dc 04 b7 40 00 7d 06  d8 b2 0a 46 03 05 0a 0a   ....@.}. ...F....
0020  03 16 00 50 54 72 7b ed  52 64 a5 8d d2 34 50 18   ...PTr{. Rd...4P.
0030  ff ff 6f c9 00 00 75 6b  4f 79 72 53 6d 62 75 56   ..o...uk OyrSmbuV
0040  58 2b 6a 6a 6d 37 7a 78  58 79 33 45 6c 73 53 61   X+jjm7zx Xy3ElsSa
0050  70 4a 63 72 57 48 33 64  43 32 54 32 44 62 39 32   pJcrWH3d C2T2Db92
0060  67 77 58 45 6e 54 59 63  63 6f 31 6c 72 59 75 75   gwXEnTYc co1lrYuu
0070  37 56 38 0d 0a 64 37 6c  2b 74 33 78 39 38 38 5a   7V8..d7l +t3x988Z
0080  62 45 41 75 51 44 66 4f  65 73 64 45 51 4c 4e 63   bEAuQDfO esdEQLNc
0090  48 4d 39 34 44 59 6a 79  30 52 64 64 38 78 63 76   HM94DYjy 0Rdd8xcv
00a0  6a 2b 5a 71 47 42 2b 71  7a 4a 43 62 4c 79 66 78   j+ZqGB+q zJCbLyfx
00b0  72 30 6a 45 73 57 33 47  44 32 41 77 47 35 46 47   r0jEsW3G D2AwG5FG
00c0  70 0d 0a 76 4e 44 59 33  58 72 46 45 32 4f 63 59   p..vNDY3 XrFE2OcY
00d0  79 67 54 33 63 5a 68 73  6f 39 38 50 56 75 64 76   ygT3cZhs o98PVudv
00e0  52 63 45 61 6c 57 2f 38  63 71 63 62 38 76 61 42   RcEalW/8 cqcb8vaB
00f0  73 4d 71 45 32 2f 53 75  73 4e 42 48 65 72 32 78   sMqE2/Su sNBHer2x
0100  52 6c 69 70 37 49 61 62  39 36 38 65 66 76 71 0d   Rlip7Iab 968efvq.
0110  0a 6a 58 59 61 6a 47 31  4d 48 42 71 78 7a 56 32   .jXYajG1 MHBqxzV2
0120  78 48 41 74 77 31 63 47  45 46 4e 4b 37 51 56 72   xHAtw1cG EFNK7QVr
0130  63 49 72 54 72 6c 56 70  75 4a 59 41 76 52 67 79   cIrTrlVp uJYAvRgy
0140  62 6b 38 32 76 4d 69 58  48 34 55 62 43 51 76 50   bk82vMiX H4UbCQvP
0150  77 71 53 73 52 62 39 67  52 41 35 50 75 0d 0a 54   wqSsRb9g RA5Pu..T
0160  47 74 36 50 35 38 71 70  6b 64 77 75 73 78 35 4b   Gt6P58qp kdwusx5K
0170  45 35 50 53 76 6f 52 54  77 77 7a 57 31 48 43 6d   E5PSvoRT wwzW1HCm
0180  5a 55 73 62 56 35 36 79  64 57 6b 4f 75 6a 6d 68   ZUsbV56y dWkOujmh
0190  68 38 56 64 41 37 43 59  54 32 48 38 52 7a 54 5a   h8VdA7CY T2H8RzTZ
01a0  41 65 50 48 38 6d 45 48  69 55 37 0d 0a 79 6a 48   AePH8mEH iU7..yjH
01b0  54 38 6d 58 75 4d 55 56  43 4c 4f 74 4a 58 4a 4d   T8mXuMUV CLOtJXJM
01c0  36 72 6b 35 73 4a 38 74  33 68 54 55 79 44 77 33   6rk5sJ8t 3hTUyDw3
01d0  66 6a 79 42 67 37 57 32  43 50 43 6c 34 4a 59 32   fjyBg7W2 CPCl4JY2
01e0  4e 65 57 64 69 43 63 59  54 51 51 69 4b 52 2b 31   NeWdiCcY TQQiKR+1
01f0  71 5a 7a 49 6f 2f 47 71  6f 0d 0a 58 38 6b 58 61   qZzIo/Gq o..X8kXa
0200  31 2f 68 33 43 69 79 79  32 6f 56 55 7a 67 48 76   1/h3Ciyy 2oVUzgHv
I
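The fields the thread keeps circling around (which IP is the source, which port is 80 and which is 21618, and what the body looks like) can be read straight out of the hex dump. The Python script below is an added example, not part of the original thread: it parses the first 13 lines of the Wireshark-style hex dump posted above (embedded as sample input), decodes the Ethernet, IPv4 and TCP headers, and checks whether the payload has the shape of a MIME base64 body, which RFC 2045 wraps at 76 characters with CRLF. All function and constant names are my own.

```python
"""Decode Ethernet/IPv4/TCP headers from a Wireshark-style hex dump."""
import re
import struct

# Sample input: the first 13 lines of the hex dump posted in the thread
# (Wireshark "hex dump" copy format: offset, 16 hex bytes, ASCII column).
HEX_DUMP = """\
000  00 18 8b 48 5b 36 00 17  e0 4a 8d a8 08 00 45 48   ...H[6.. .J....EH
0010  05 dc 04 b7 40 00 7d 06  d8 b2 0a 46 03 05 0a 0a   ....@.}. ...F....
0020  03 16 00 50 54 72 7b ed  52 64 a5 8d d2 34 50 18   ...PTr{. Rd...4P.
0030  ff ff 6f c9 00 00 75 6b  4f 79 72 53 6d 62 75 56   ..o...uk OyrSmbuV
0040  58 2b 6a 6a 6d 37 7a 78  58 79 33 45 6c 73 53 61   X+jjm7zx Xy3ElsSa
0050  70 4a 63 72 57 48 33 64  43 32 54 32 44 62 39 32   pJcrWH3d C2T2Db92
0060  67 77 58 45 6e 54 59 63  63 6f 31 6c 72 59 75 75   gwXEnTYc co1lrYuu
0070  37 56 38 0d 0a 64 37 6c  2b 74 33 78 39 38 38 5a   7V8..d7l +t3x988Z
0080  62 45 41 75 51 44 66 4f  65 73 64 45 51 4c 4e 63   bEAuQDfO esdEQLNc
0090  48 4d 39 34 44 59 6a 79  30 52 64 64 38 78 63 76   HM94DYjy 0Rdd8xcv
00a0  6a 2b 5a 71 47 42 2b 71  7a 4a 43 62 4c 79 66 78   j+ZqGB+q zJCbLyfx
00b0  72 30 6a 45 73 57 33 47  44 32 41 77 47 35 46 47   r0jEsW3G D2AwG5FG
00c0  70 0d 0a 76 4e 44 59 33  58 72 46 45 32 4f 63 59   p..vNDY3 XrFE2OcY
"""

# One dump line: offset, hex bytes, then three or more spaces before the ASCII column.
DUMP_LINE = re.compile(r"\s*[0-9a-fA-F]{3,8}\s+(.*?)(?:\s{3,}|$)")
TCP_FLAG_NAMES = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
                  (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]
BASE64_ALPHABET = set(b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=")


def parse_hex_dump(text):
    """Reassemble the raw frame bytes from the hex column of each line."""
    frame = bytearray()
    for line in text.splitlines():
        m = DUMP_LINE.match(line)
        if m:
            frame += bytes.fromhex(m.group(1).replace(" ", ""))
    return bytes(frame)


def describe_payload(payload):
    """MIME base64 (RFC 2045) is wrapped at 76 chars with CRLF. The first and last
    line inside one TCP segment are usually cut by the segment boundary, so only
    the lines in between are checked for the 76-character width."""
    lines = payload.split(b"\r\n")
    in_alphabet = all(set(line) <= BASE64_ALPHABET for line in lines)
    inner = lines[1:-1]
    return {
        "lines": len(lines),
        "base64_alphabet": in_alphabet,
        "mime_wrapped": in_alphabet and bool(inner) and all(len(l) == 76 for l in inner),
    }


def decode_frame(frame):
    """Decode Ethernet II -> IPv4 -> TCP and return the fields a triage needs."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                      # IPv4 header length in bytes
    total_length, _ident, _frag, ttl, proto = struct.unpack("!HHHBB", ip[2:10])
    if proto != 6:
        raise ValueError("not TCP")
    tcp = ip[ihl:]
    src_port, dst_port, seq, ack, off_flags, window = struct.unpack("!HHIIHH", tcp[:16])
    data_offset = (off_flags >> 12) * 4           # TCP header length in bytes
    flags = [name for bit, name in TCP_FLAG_NAMES if off_flags & bit]
    payload = tcp[data_offset:]
    return {
        "src_ip": ".".join(str(b) for b in ip[12:16]),
        "dst_ip": ".".join(str(b) for b in ip[16:20]),
        "ttl": ttl, "total_length": total_length,
        "src_port": src_port, "dst_port": dst_port,
        "seq": seq, "ack": ack, "window": window, "flags": flags,
        "payload_len": len(payload),
        "payload": describe_payload(payload),
    }


def summarize(dump_text):
    """Parse a hex dump and decode the single frame it contains."""
    return decode_frame(parse_hex_dump(dump_text))


if __name__ == "__main__":
    for key, value in summarize(HEX_DUMP).items():
        print(f"{key:>14}: {value}")
```

On the bytes above this reports 10.70.3.5 port 80 sending to 10.10.3.22 port 21618 with PSH and ACK set, and a 154-byte payload whose complete lines are exactly 76 base64 characters each. That tells you which side is serving the HTTP response and that the body is a base64-encoded stream rather than readable markup; it does not tell you which application produced it, which is what the netstat step on the sending server is for.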
 
LVL 29

Accepted Solution

by:
becraig earned 2000 total points
ID: 38756020
So from here, on the server generating the traffic, I would take a look at netstat to see what is sending on that port; also possibly look into using netmon to monitor traffic on port 80 going out on that server and see what is the volume driver.
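The netstat step can be scripted so the per-process picture falls out directly. The Python below is an added example and not from the thread: it parses a constructed sample of netstat -ano output on the server whose port 80 is sending (the addresses and ports are the ones in the hex dump; the PIDs and the other rows are invented) and counts established connections per owning PID. It also carries the one caveat that matters on a Windows/Exchange host: port 80 is normally served by HTTP.sys, which netstat attributes to PID 4 (System), so the worker process behind it has to be found with netsh http show servicestate rather than tasklist. Function and constant names are my own.

```python
"""Map port-80 connections in `netstat -ano` output to the owning process."""
from collections import Counter

# Constructed sample of `netstat -ano` on the server at 10.70.3.5 (addresses and
# ports match the hex dump in the thread; PIDs and the remaining rows are made up).
NETSTAT_OUTPUT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
  TCP    10.70.3.5:80           10.10.3.22:21618       ESTABLISHED     4
  TCP    10.70.3.5:80           10.10.3.22:21620       ESTABLISHED     4
  TCP    10.70.3.5:25           10.10.3.22:49877       ESTABLISHED     3456
  TCP    10.70.3.5:443          10.70.3.77:50123       ESTABLISHED     4
  TCP    [::]:135               [::]:0                 LISTENING       812
  UDP    0.0.0.0:500            *:*                                    1120
"""

# HTTP.sys answers on behalf of IIS, so netstat attributes its sockets to the
# System process (PID 4) rather than to the worker process that serves the site.
HTTP_SYS_PID = 4


def parse_netstat(text):
    """Return one dict per TCP row; UDP rows (no State column) are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] != "TCP":
            continue
        local_ip, local_port = parts[1].rsplit(":", 1)    # rsplit keeps IPv6 "[::]" intact
        remote_ip, remote_port = parts[2].rsplit(":", 1)
        rows.append({"local_ip": local_ip, "local_port": int(local_port),
                     "remote_ip": remote_ip, "remote_port": int(remote_port),
                     "state": parts[3], "pid": int(parts[4])})
    return rows


def owners_of_port(rows, local_port, remote_ip=None):
    """Count ESTABLISHED connections on local_port per owning PID, optionally
    restricted to one peer (here, the other Exchange server)."""
    counts = Counter(r["pid"] for r in rows
                     if r["local_port"] == local_port and r["state"] == "ESTABLISHED"
                     and (remote_ip is None or r["remote_ip"] == remote_ip))
    return dict(counts)


def next_step(pid):
    """The command that identifies the process behind a PID netstat reported."""
    if pid == HTTP_SYS_PID:
        # Lists HTTP.sys request queues with the registered URLs and the PIDs
        # (typically w3wp.exe worker processes) that serve them.
        return "netsh http show servicestate"
    return f'tasklist /svc /fi "PID eq {pid}"'


if __name__ == "__main__":
    rows = parse_netstat(NETSTAT_OUTPUT)
    for pid, n in owners_of_port(rows, 80, remote_ip="10.10.3.22").items():
        print(f"PID {pid}: {n} established connection(s) on :80 from 10.10.3.22 -> {next_step(pid)}")
```

On the sample this attributes both port-80 connections from 10.10.3.22 to PID 4, so the follow-up is netsh http show servicestate, whose request-queue listing names the URL (and therefore the IIS application or Exchange virtual directory) and the worker PID. Killing that w3wp.exe only recycles the application pool; the request queue's URL is what identifies which service is generating the volume.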
 

Author Closing Comment

by:bergquistcompany
ID: 38756568
Excellent, that is the part I needed so I could find the PID and kill the process.
