This might not be an exact NTA question but more of a "how do I do my job" question, heh. One of our offices in Mexico has a small 50 MB connection and we implemented a Citrix environment to work around the small bandwidth. All the Citrix traffic goes over port 443 and in the NetFlow I can see this being represented. What I'm trying to pinpoint is the traffic happening outside of Citrix, which should be anything not going over 443; for example, I've been looking on our ASA Outside Interface and monitoring port 80. (Screenshot of what I'm looking at attached.) Using 184.108.40.206 as an example, I've been going to Google and searching "Who is 220.127.116.11" and I see the IP belongs to Microsoft Corporation: Azure and can see the users communicating with it... but I have no clue what it's related to. Not sure if there is a way I can find out more info to pinpoint if it's updates or something similar, and I was hoping you all might have some advice, either in NTA or outside. Thanks much!
If your edge device supports it, NBAR2 is another NetFlow-like protocol that Cisco has that gives more granular information about conversations, but in this case it sounds like you already know what endpoint the hosts are connected to, so it really is more of a question of pinning down what processes on those machines are pushing the traffic. That may be more of a Wireshark/packet-capture kind of investigation, since you need details more than you need summary data.
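A worked example, added here and not part of the original thread, of the summary-side triage that can be done before reaching for a packet capture: filter a NetFlow export down to the non-443 (non-Citrix) flows, rank destinations by bytes, and tag any destination that falls inside a published Azure address range. Microsoft publishes its Azure IP ranges as a JSON document ("Azure IP Ranges and Service Tags - Public Cloud"), whose entries carry a tag name and a list of address prefixes; matching the tag name for an IP is often enough to tell an update-delivery service from, say, a storage endpoint. Everything below is constructed: the flow rows imitate a NetFlow CSV export, and the service-tag document only copies the structure of the real file, with made-up tag names and TEST-NET prefixes, so it runs offline.

```python
"""Triage non-443 flows from a NetFlow export and tag Azure destinations.

Added example, not code from the original post or from SolarWinds/Cisco.
All inputs are constructed: the flow rows mimic a NetFlow CSV export and
SERVICE_TAGS_JSON mimics the shape of Microsoft's Azure IP Ranges and Service
Tags file (a "values" list whose entries carry properties.addressPrefixes).
Tag names and prefixes here are invented for illustration only.
"""
import csv
import io
import ipaddress
import json
from collections import defaultdict

# Constructed NetFlow-style export: one row per flow, bytes toward dst.
FLOW_CSV = """src_ip,dst_ip,dst_port,proto,bytes
10.20.0.15,203.0.113.45,80,tcp,184320
10.20.0.15,203.0.113.45,80,tcp,92160
10.20.0.22,198.51.100.7,443,tcp,5242880
10.20.0.31,203.0.113.200,8080,tcp,40960
10.20.0.31,192.0.2.10,53,udp,512
10.20.0.15,192.0.2.10,53,udp,640
"""

# Constructed service-tag document in the shape of the Azure ServiceTags JSON.
SERVICE_TAGS_JSON = json.dumps({
    "cloud": "Public",
    "values": [
        {"name": "ExampleTag.UpdateDelivery",
         "properties": {"addressPrefixes": ["203.0.113.0/25"]}},
        {"name": "ExampleTag.Storage.eastus",
         "properties": {"addressPrefixes": ["203.0.113.128/25",
                                            "198.51.100.0/24"]}},
    ],
})


def load_service_tags(doc):
    """Return a list of (network, tag_name) from a ServiceTags-shaped document."""
    tags = []
    for entry in json.loads(doc)["values"]:
        for prefix in entry["properties"]["addressPrefixes"]:
            tags.append((ipaddress.ip_network(prefix), entry["name"]))
    # Longest prefix first, so overlapping tags resolve to the narrowest one.
    tags.sort(key=lambda t: t[0].prefixlen, reverse=True)
    return tags


def lookup_tag(ip, tags):
    """Return the tag name whose prefix contains ip, or None if not Azure."""
    addr = ipaddress.ip_address(ip)
    for net, name in tags:
        if addr.version == net.version and addr in net:
            return name
    return None


def summarize_non_citrix(flow_csv, tags, citrix_port=443):
    """Aggregate bytes per (dst_ip, dst_port, proto), skipping the Citrix port.

    Returns a list of dicts sorted by bytes descending, each carrying the
    matching service tag (or None) so the biggest unknown talkers stand out.
    """
    totals = defaultdict(int)
    for row in csv.DictReader(io.StringIO(flow_csv)):
        if int(row["dst_port"]) == citrix_port:
            continue
        key = (row["dst_ip"], int(row["dst_port"]), row["proto"])
        totals[key] += int(row["bytes"])
    report = []
    for (dst, port, proto), nbytes in sorted(totals.items(),
                                             key=lambda kv: -kv[1]):
        report.append({"dst_ip": dst, "dst_port": port, "proto": proto,
                       "bytes": nbytes, "service_tag": lookup_tag(dst, tags)})
    return report


if __name__ == "__main__":
    service_tags = load_service_tags(SERVICE_TAGS_JSON)
    for r in summarize_non_citrix(FLOW_CSV, service_tags):
        print(f"{r['dst_ip']:>15}:{r['dst_port']:<5} {r['proto']:<4} "
              f"{r['bytes']:>9} B  tag={r['service_tag']}")
```

Destinations that come back with no tag at all are the ones that still need the endpoint-side work the reply describes (a capture, or mapping the connection to its owning process on the client); destinations that land in a tag give you a service name to check against what the clients are expected to be doing.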