
Monitor and analyse traffic of a specific client

Hi all,

we are facing some connection issues with our outlook users. Sometimes they can connect to the local Exchange server and sometimes they don't.

When the problem occurs it seems to me that outlook is trying to connect to an Exchange server outside of our LAN. Like office365 or something.

Is there a way to exactly analyze with our UTM (SG210) which connections the clients are trying to establish?

In other words: I want to see which external http(s) addresses the client 192.168.0.100 is trying to connect to.

Thanks in advance for your support!

Greetings Aktuator

  • Wouldn’t it be better to analyze this at a client?

    Via the tray icon you could display some information about the connections of Outlook. As a second tool I would recommend procmon from Sysinternals, for example.

    In the UTM you could use the firewall log.

    Best regards

    Alex

    -

  • You may use the firewall live log with the following filter: 192.168.0.100.*443

    So you only see HTTPS traffic for this one client.

    Or download the complete firewall log file and check it.

    If you use the WebFilter, you have to check that log file too.

    Another option is to capture all traffic from this client with Wireshark directly at the UTM.

    At the client there are some options too.

    First, the Outlook status icon as explained by Alexander.

    Also, TCPView from Sysinternals is useful.


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • Hi Aktuator

    Just to add to the comment about using Wireshark at the UTM, I've used the very useful instructions in the below linked Sophos tutorial to capture traffic from a specific client (in my case, the traffic from a WLAN connected iPhone) to find out which external site(s) it was [unsuccessfully] trying to connect to when certain apps were started (and thus in my case, it enabled me to create web filter rules to enable them to work).

    https://community.sophos.com/kb/en-us/134286

    So using your example, after first SSH accessing the UTM, the CLI input would be tcpdump -nei any host 192.168.0.100 -n -s0 -w /var/sec/chroot-httpd/var/webadmin/tcpdump.pcap and then after you've stopped it, you can then open (or download) the pcap file via the UTM web interface (at https://<UTM IP:Port>/tcpdump.pcap) and thus view it in Wireshark. I've found this to be an absolutely invaluable feature (in fact, in the case of iThing apps, it was the only way to identify which URL was involved when the UTM logs showed only an "input/output error" as being the problem) so it could also be a very useful way to identify which external server your client is trying to contact.

    Kind regards,

    Briain
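
The tcpdump command above produces a pcap holding everything 192.168.0.100 sent and received. The Python script below is an added example, not code from this thread or from Sophos: it reads such a pcap offline and lists only the destinations outside the LAN that the client contacted, together with the TLS server name (SNI) or HTTP Host header where one is visible in the first packet of a connection, which is the information Dirk's 192.168.0.100.*443 live-log filter narrows down by hand. It assumes the capture was written with tcpdump -i any (Linux cooked framing) or on a plain Ethernet interface, handles IPv4 TCP/UDP only, and treats the RFC 1918 ranges as internal; the sample capture at the bottom is constructed in code, using documentation-range addresses and example.com names, so the script runs without a UTM.

```python
"""Which external hosts does one LAN client try to reach? Added example, not from the
thread: parses the pcap that 'tcpdump -i any ... -w' writes on the UTM (Linux cooked
framing, linktype 113; plain Ethernet too) and reports the client's non-LAN destinations."""
import ipaddress
import struct
from collections import defaultdict

LINK_HDR = {1: 14, 113: 16}                     # link-layer header size: Ethernet, Linux cooked
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def pcap_records(data):
    """Yield (linktype, frame) for each record of a classic pcap byte string."""
    e = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if e is None:
        raise ValueError("not a classic pcap file")
    linktype, off = struct.unpack(e + "I", data[20:24])[0], 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(e + "I", data[off + 8:off + 12])[0]
        yield linktype, data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len

def tls_sni(payload):                   # server_name from a TLS ClientHello, or None
    try:
        if payload[0] != 0x16 or payload[5] != 0x01:       # handshake record, ClientHello
            return None
        p = 5 + 4 + 2 + 32                                 # record+handshake hdrs, version, random
        p += 1 + payload[p]                                # session id
        p += 2 + struct.unpack(">H", payload[p:p + 2])[0]  # cipher suites
        p += 1 + payload[p]                                # compression methods
        end = p + 2 + struct.unpack(">H", payload[p:p + 2])[0]
        p += 2
        while p + 4 <= end:
            ext_type, ext_len = struct.unpack(">HH", payload[p:p + 4])
            if ext_type == 0:                              # server_name extension
                name_len = struct.unpack(">H", payload[p + 7:p + 9])[0]
                return payload[p + 9:p + 9 + name_len].decode("ascii")
            p += 4 + ext_len
    except (IndexError, struct.error, UnicodeDecodeError):
        pass
    return None

def http_host(payload):                 # Host header of a plaintext HTTP request, or None
    if payload.startswith((b"GET ", b"POST ", b"HEAD ", b"OPTIONS ")):
        for line in payload.split(b"\r\n")[1:]:
            if line.lower().startswith(b"host:"):
                return line[5:].strip().decode("ascii", "replace")
    return None

def external_destinations(pcap, client_ip):
    """Map 'dst:port/proto' -> {'packets': n, 'names': set()} for the TCP/UDP
    packets that client_ip sent to addresses outside INTERNAL."""
    client, out = ipaddress.ip_address(client_ip), defaultdict(lambda: {"packets": 0, "names": set()})
    for linktype, frame in pcap_records(pcap):
        hdr = LINK_HDR.get(linktype)
        if hdr is None or frame[hdr - 2:hdr] != b"\x08\x00":   # EtherType must be IPv4
            continue
        ip = frame[hdr:]
        src, dst, proto = ipaddress.ip_address(ip[12:16]), ipaddress.ip_address(ip[16:20]), ip[9]
        if src != client or proto not in (6, 17) or any(dst in n for n in INTERNAL):
            continue
        l4 = ip[(ip[0] & 0x0F) * 4:]
        key = f"{dst}:{struct.unpack('>H', l4[2:4])[0]}/{'tcp' if proto == 6 else 'udp'}"
        out[key]["packets"] += 1
        if proto == 6:                                     # TCP: look for SNI or Host in payload
            payload = l4[(l4[12] >> 4) * 4:]
            name = tls_sni(payload) or http_host(payload)
            if name:
                out[key]["names"].add(name)
    return dict(out)

# --- constructed sample capture (not real traffic) ---------------------------------
def sll_frame(ip_pkt):                  # Linux cooked header, as 'tcpdump -i any' writes
    return struct.pack(">HHH8sH", 4, 1, 6, bytes(8), 0x0800) + ip_pkt
def ipv4(src, dst, proto, l4):          # IP checksum left zero; the parser does not verify it
    return struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0x4000, 64, proto, 0,
                       ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed) + l4
def tcp(sport, dport, payload):
    return struct.pack(">HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
def client_hello(host):                 # minimal TLS ClientHello with only a server_name extension
    name = host.encode()
    entry = b"\x00" + struct.pack(">H", len(name)) + name               # host_name entry
    ext = struct.pack(">HHH", 0, len(entry) + 2, len(entry)) + entry    # extension type 0
    body = (b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"
            + struct.pack(">H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs
def make_pcap(frames, linktype=113):
    records = (struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f for i, f in enumerate(frames))
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 262144, linktype) + b"".join(records)

CLIENT = "192.168.0.100"                # the client from the question
SAMPLE_PCAP = make_pcap([
    sll_frame(ipv4(CLIENT, "203.0.113.10", 6, tcp(51000, 443, client_hello("autodiscover.example.com")))),
    sll_frame(ipv4(CLIENT, "203.0.113.10", 6, tcp(51001, 443, b""))),
    sll_frame(ipv4(CLIENT, "198.51.100.7", 6, tcp(51002, 80, b"GET /autodiscover/autodiscover.xml HTTP/1.1\r\nHost: mail.example.net\r\n\r\n"))),
    sll_frame(ipv4(CLIENT, "192.168.0.5", 6, tcp(51003, 443, client_hello("exchange.corp.example")))),   # internal: not reported
    sll_frame(ipv4("192.168.0.200", "198.51.100.7", 6, tcp(40000, 443, b""))),                            # other client: not reported
])
if __name__ == "__main__":              # real use: pass open("tcpdump.pcap", "rb").read() instead
    for key, info in sorted(external_destinations(SAMPLE_PCAP, CLIENT).items()):
        print(f"{key:<24} packets={info['packets']:<3} names={', '.join(sorted(info['names'])) or '-'}")
```

Run against the downloaded tcpdump.pcap, the output is one line per external destination with the packet count and any server names seen, which is enough to decide whether the client is reaching for an Exchange Online endpoint and which web filter or firewall rule is involved. Because -s0 captures full payloads of a user's traffic and the file sits in the webadmin directory, delete it from the UTM once the analysis is done.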

  • Thank you very much everyone! This was very useful information for me!!

    Briain, your solution was exactly what I was looking for! :-)

    Thanks again!