
high network usage

Hi,

one of our Terminal servers behind the UTM shows high network traffic. I did find out which customer and which user is generating the data, but I cannot see what application is generating this high traffic.

I did contact that user and logged in to his session, and he was not doing anything out of the ordinary.

Any idea how we can find out what is generating the data traffic?

Thanks



  • Aresh, try the 'Bandwidth Usage' tab in 'Logging & Reporting >> Network Usage' - "Top applications by client/server."

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Balfson,
    Thank you for the reply,

    This customer accesses the Terminal server with a non-default port, and there is a NAT rule that changes it back to the default port 3389.
    I already tried what you mentioned and I can only choose "unclassified", and then I can see that a lot of data has been exchanged between the customer IP and the server.
    But I would like to find out what exactly has been exchanged, because I did log in to the customer session on the terminal server, but I couldn't see anything there!!

    How can we get more info on what exactly has been exchanged between these 2 machines!

    Thanks
  • In that case, I would try 'Top services by client/server'. Any luck with that?

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi

    The same thing: it shows me that in the past 24 hours 15 GB went over the PXC-SPLR service. This service uses port 4007, and our customer uses this port to access our Terminal server. So I am still unable to see what kind of data it is.

    maybe you can answer this question,

    I am a bit confused by the Client and Server in the network usage.
    If I choose the top clients in the network usage I can see some external IP addresses and also some of my internal servers; if I choose the top servers, again I can see some external IP addresses and some of my internal servers.

    What are the IP addresses under client? Are these machines trying to access resources behind the UTM? Then why do I see my internal servers there as well?

    Thanks
  • The "Client" is the device that starts the "conversation" with the "Server" as recorded by the Connection Tracker. Apparently, your internal servers are requesting things - probably updates, I guess?

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
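To make the client/server distinction concrete, here is an added example (not part of this thread, and not Sophos code) that aggregates connection-tracker style records the way a "Top clients / Top servers / Top services" report does. The "client" is whichever side sent the first packet, so an internal server that fetches something itself shows up under clients. The flows, address ranges and port-to-service table are constructed for the example; the tracker records the destination port as the customer sends it (4007), before the NAT rule rewrites it to 3389.

```python
"""Aggregate connection-tracker style flow records into top clients,
top servers and top services by bytes, as a firewall's Network Usage
report does. All data below is constructed sample data, not UTM output."""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress

# Hypothetical internal address ranges for this example.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Small port-to-service table; anything not listed is "unclassified".
SERVICE_NAMES = {3389: "ms-wbt-server", 4007: "pxc-splr", 443: "https", 80: "http"}


@dataclass(frozen=True)
class Flow:
    client: str        # side that sent the first packet (opened the connection)
    server: str        # side that accepted it
    dport: int         # destination port as recorded by the tracker (pre-NAT)
    bytes_total: int   # bytes in both directions


# Constructed sample flows (not real traffic).
SAMPLE_FLOWS = [
    Flow("203.0.113.10", "10.0.0.5", 4007, 15_000_000_000),  # customer -> terminal server
    Flow("203.0.113.10", "10.0.0.5", 4007, 250_000_000),
    Flow("198.51.100.7", "10.0.0.8", 443, 40_000_000),       # internet user -> web server
    Flow("10.0.0.8", "10.0.0.20", 8080, 900_000_000),        # web server fetching from internal host
    Flow("10.0.0.5", "203.0.113.200", 80, 120_000_000),      # terminal server pulling updates
]


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of the internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def service_name(port: int) -> str:
    """Map a destination port to a service label, 'unclassified' if unknown."""
    return SERVICE_NAMES.get(port, "unclassified")


def top_by_role(flows, role: str, n: int = 5):
    """Sum bytes per address for the given role ('client' or 'server'),
    returning the top n as (address, bytes) pairs, largest first."""
    totals = defaultdict(int)
    for f in flows:
        totals[getattr(f, role)] += f.bytes_total
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def top_services(flows, n: int = 5):
    """Sum bytes per service label derived from the destination port."""
    totals = defaultdict(int)
    for f in flows:
        totals[service_name(f.dport)] += f.bytes_total
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def internal_initiators(flows):
    """Internal hosts that appear on the *client* side, i.e. opened
    connections themselves, mapped to the servers they contacted.
    This is why internal servers show up under 'Top clients'."""
    out = defaultdict(set)
    for f in flows:
        if is_internal(f.client):
            out[f.client].add(f.server)
    return {client: sorted(servers) for client, servers in out.items()}


if __name__ == "__main__":
    print("Top clients:", top_by_role(SAMPLE_FLOWS, "client"))
    print("Top servers:", top_by_role(SAMPLE_FLOWS, "server"))
    print("Top services:", top_services(SAMPLE_FLOWS))
    print("Internal hosts acting as clients:", internal_initiators(SAMPLE_FLOWS))
```

Running it shows the customer address at the top of the client list, the terminal server at the top of the server list, and "pxc-splr" as the top service, while the web server and the terminal server also appear as clients because they opened outbound connections of their own.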
  • "a lot of data has been exchanged between the customer IP and the server.
    but I would like to find out what exactly has been exchanged" RDP traffic is encapsulated and encrypted within TCP. The UTM has no way to see the traffic within the session. You'll need to diagnose from the client and server to see the traffic shared between them. See serverfault.com/.../are-there-any-rdp-activity-logs-windows-server-2008-r2 for suggestions.
    __________________
    ACE v8/SCA v9.3

    ...still have a v5 install disk in a box somewhere.

    http://xkcd.com
    http://www.tedgoff.com/mb
    http://www.projectcartoon.com/cartoon/1
  • Thank you for the update,

    Ok, I think I understand why I see our internal server in the client section as well: we have a 3rd party app that, when a web request from the internet is received by our web servers, gets the images of the page from another internal server.