Monitor and analyse traffic of a specific client

Hi all,

we are facing some connection issues with our Outlook users. Sometimes they can connect to the local Exchange server and sometimes they can't.

When the problem occurs it seems to me that Outlook is trying to connect to an Exchange server outside of our LAN, like Office 365 or something.

Is there a way to exactly analyze with our UTM (SG210) which connections the clients are trying to establish?

In other words: I want to see which external http(s) addresses the client 192.168.0.100 is trying to connect to.

Thanks in advance for your support!

Greetings Aktuator

  • Hi Aktuator

    Just to add to comment about using Wireshark at the UTM, I've used the very useful instructions in the below linked Sophos tutorial to capture traffic from a specific client (in my case, the traffic from a WLAN-connected iPhone) to find out which external site(s) it was [unsuccessfully] trying to connect to when certain apps were started (and thus, in my case, it enabled me to create web filter rules to enable them to work).

    https://community.sophos.com/kb/en-us/134286

    So using your example, after first accessing the UTM via SSH, the CLI input would be tcpdump -nei any host 192.168.0.100 -n -s0 -w /var/sec/chroot-httpd/var/webadmin/tcpdump.pcap and then, after you've stopped it, you can open (or download) the pcap file via the UTM web interface (at https://<UTM IP:Port>/tcpdump.pcap) and thus view it in Wireshark. I've found this to be an absolutely invaluable feature (in fact, in the case of iThing apps, it was the only way to identify which URL was involved when the UTM logs showed only an "input/output error" as being the problem), so it could also be a very useful way to identify which external server your client is trying to contact.

    Kind regards,

    Briain

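As an added example (not part of Briain's reply or a Sophos tool), the following script summarises the downloaded capture: once tcpdump.pcap has been replayed as text with `tcpdump -nn -r tcpdump.pcap`, it lists the external hosts the client sent TCP connection attempts to, skipping LAN-internal destinations and the servers' SYN-ACK replies. The client address and the sample tcpdump lines are constructed here; the sample uses TEST-NET addresses rather than real servers.

```shell
#!/bin/sh
# Added example, not from the thread. Intended use on a workstation after
# downloading the pcap captured on the UTM:
#   tcpdump -nn -r tcpdump.pcap | external_syns 192.168.0.100

# external_syns CLIENT: reads tcpdump -nn text on stdin and prints
# "count ip:port" for SYNs sent by CLIENT to non-RFC1918 addresses,
# most frequent first. SYN-ACKs (Flags [S.]) and LAN traffic are skipped.
external_syns() {
  awk -v client="$1" '
    /Flags \[S\],/ {
      # Find the "src > dst:" tokens regardless of the link-layer prefix
      # (plain "IP", or the "In"/"Out" markers of an "-i any" capture).
      src = ""; dst = ""
      for (i = 2; i < NF; i++) if ($i == ">") { src = $(i-1); dst = $(i+1); break }
      if (index(src, client ".") != 1) next        # not sent by our client
      sub(/:$/, "", dst)
      if (split(dst, p, ".") != 5) next            # expect a.b.c.d.port
      a = p[1] + 0; b = p[2] + 0
      if (a == 10) next                            # 10.0.0.0/8
      if (a == 172 && b >= 16 && b <= 31) next     # 172.16.0.0/12
      if (a == 192 && b == 168) next               # 192.168.0.0/16
      count[p[1] "." p[2] "." p[3] "." p[4] ":" p[5]]++
    }
    END { for (k in count) print count[k], k }
  ' | sort -rn
}

# Constructed sample of tcpdump -nn output: two attempts to one external host,
# one to another, one LAN connection, one SYN-ACK reply and one DNS query.
SAMPLE='15:04:01.100001 IP 192.168.0.100.51234 > 203.0.113.10.443: Flags [S], seq 1, win 64240, length 0
15:04:01.100200 IP 203.0.113.10.443 > 192.168.0.100.51234: Flags [S.], seq 9, ack 2, win 65535, length 0
15:04:02.200001 IP 192.168.0.100.51235 > 192.168.0.10.443: Flags [S], seq 1, win 64240, length 0
15:04:03.300001 IP 192.168.0.100.51236 > 203.0.113.10.443: Flags [S], seq 1, win 64240, length 0
15:04:04.400001 IP 192.168.0.100.51237 > 198.51.100.7.443: Flags [S], seq 1, win 64240, length 0
15:04:05.500001 IP 192.168.0.100.5353 > 203.0.113.53.53: 4711+ A? example.test. (30)'

# demo: runs the summary over the constructed sample.
demo() { printf '%s\n' "$SAMPLE" | external_syns 192.168.0.100; }

demo
```

The hosts at the top of the list are the ones worth resolving back to names (Wireshark's DNS or TLS SNI view does this) to see whether Outlook is trying a cloud endpoint instead of the local Exchange server.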