
Tracking Down Transmitters.

This might not be an exact NTA question but more of a "how do I do my job" question, heh. One of our offices in Mexico has a small 50 MB connection and we implemented a Citrix environment to work around the small bandwidth. All the Citrix traffic goes over port 443 and in the NetFlow I can see this being represented. What I'm trying to pinpoint is the traffic happening outside of Citrix, which should be anything not going over 443; for example, I've been looking on our ASA Outside Interface and monitoring port 80. (Screenshot of what I'm looking at attached.) Using 13.107.4.50 as an example, I've been going to Google and searching "Who is 13.107.4.50" and I see the IP belongs to Microsoft Corporation: Azure and can see the users communicating with it... but I have no clue what it's related to. Not sure if there is a way I can find out more info to pinpoint if it's updates or something similar and was hoping you all might have some advice, either in NTA or outside. Thanks much!

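One way to answer the question above from the flow side, as an added example that is not part of the original post or of NTA itself: take a flow export, drop everything on the Citrix port, and rank what is left by destination and port so the biggest non-Citrix talkers (such as the 13.107.4.50:80 conversations) surface first. The CSV layout, the flow rows and the prefix-to-label table are constructed for this example; the prefix labels are assumptions for illustration, not a claim about who owns those ranges.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed flow export in a simple CSV shape (not a real NTA export format).
SAMPLE_FLOWS = """src_ip,dst_ip,dst_port,proto,bytes
10.20.1.15,203.0.113.10,443,tcp,5200000
10.20.1.16,203.0.113.10,443,tcp,4100000
10.20.1.15,13.107.4.50,80,tcp,830000
10.20.1.17,13.107.4.50,80,tcp,910000
10.20.1.18,198.51.100.7,8080,tcp,120000
10.20.1.16,192.0.2.53,53,udp,4000
"""

# Analyst-maintained labels for destination prefixes (constructed; an
# assumption for this example, not a statement about who owns these ranges).
KNOWN_PREFIXES = {
    ipaddress.ip_network("13.107.4.0/24"): "Microsoft (per whois lookup)",
    ipaddress.ip_network("203.0.113.0/24"): "Citrix gateway",
}

def label_for(ip):
    """Return the analyst label for an IP, or 'unknown' if no prefix matches."""
    addr = ipaddress.ip_address(ip)
    for net, label in KNOWN_PREFIXES.items():
        if addr in net:
            return label
    return "unknown"

def non_citrix_talkers(csv_text, citrix_port=443):
    """Aggregate bytes per (dst_ip, dst_port) for flows not on the Citrix port.
    Returns (dst_ip, dst_port, total_bytes, sources, label) tuples sorted by
    bytes descending, so the biggest non-Citrix destinations come first."""
    totals = defaultdict(int)
    sources = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if int(row["dst_port"]) == citrix_port:
            continue  # expected Citrix traffic; we only want what is outside it
        key = (row["dst_ip"], int(row["dst_port"]))
        totals[key] += int(row["bytes"])
        sources[key].add(row["src_ip"])
    ranked = sorted(totals.items(), key=lambda kv: kv[1], reverse=True)
    return [(ip, port, nbytes, sorted(sources[(ip, port)]), label_for(ip))
            for (ip, port), nbytes in ranked]

if __name__ == "__main__":
    for ip, port, nbytes, srcs, label in non_citrix_talkers(SAMPLE_FLOWS):
        print(f"{ip}:{port:<5} {nbytes:>9} B  from {len(srcs)} host(s)  [{label}]")
```

The source-host list per destination is what you would then carry to the endpoint side (packet capture or a per-process connection listing) to learn which program is actually generating the traffic.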

If your edge device supports it, NBAR2 is another NetFlow-like protocol that Cisco has that gives more granular information about conversations, but in this case it sounds like you already know what endpoint the hosts are connected to, so it really is more of a question of pinning down what processes on those machines are pushing the traffic. That may be more of a Wireshark/packet capture kind of investigation, since you need details more than you need summary data.

- Marc Netterfield, Github

I don't know why I didn't even think of using Wireshark, thanks much!
