This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Hi We have an application (IBM Notes) which communicates with several other systems (servers), but we don't know which, although we do know that it uses its system account to communicate.

Is it possible in Wireshark to trace which servers the account communicates with? I've tried to look in Conversations and Endpoint but with no luck.

Thanks

//hp

asked 22 Sep '12, 14:37

c0zzman's gravatar image

c0zzman
1111
accept rate: 0%

edited 22 Sep '12, 18:09

cmaynard's gravatar image

cmaynard ♦♦
9.4k1038142


If all you need is "which other server does it communicate with?" then the answer is yes. However, it will not let you see "which system or user account" it's using to setup the communication.

Also, in all likelihood, your Notes server will use encrypted communication. Therefore, you'll only know which servers are involved in the communication. But you won't be able to tell anything about the communication.

I don't understand the "Conversations/Endpoints...but no luck" comment. Was there nothing in the trace or do you mean you don't know how to read the chart?

permanent link

answered 22 Sep '12, 16:47

hansangb's gravatar image

hansangb
7912619
accept rate: 12%

edited 22 Sep '12, 18:10

cmaynard's gravatar image

cmaynard ♦♦
9.4k1038142

Hi Thanks for the answer. I know that the server communicates with several servers, but I want to know which servers it communicates with through this system account explicitly.

I was looking in the filter "Conversation", and there was a lot of traffic but I couldn't see the account.

But ok, then I know it isn't possible. Right?

(22 Sep '12, 17:15) c0zzman

This problem might be a bit tricky to solve, but under the right circumstances you might be able to get what you want. Since the notes server may have other communications going in and out that do not relate to the notes application you'll have to determine which communications are related. This is usually done by determining the port numbers in use, which is

  1. simple if the communication is incoming to the server, because then the application port is ususally well known or easily determined by doing a netstat lookup with any parameters necessary to tell you the process ID/process name of the application using a port
  2. complex if the server is opening connections to other servers (which it makes the notes server to be the "client" in this communication), and for that ephemeral ports will usually be used.

So depending on if your notes server is the "client" of the communications to other servers you will have a hard time correlating the communications to the notes application. Wireshark can't help you with this, because it will only see communication from port to port, but not which application it was on the system. Maybe Microsoft NetMon can help you here, because it can do just that if it runs on the notes server (assuming your Notes server is running a windows OS). For linux systems, the Hone Project could help (but I haven't tried it myself yet).

permanent link

answered 23 Sep '12, 04:54

Jasper's gravatar image

Jasper ♦♦
23.8k551284
accept rate: 18%

The manual method (if netmon can't be used) is to use "netstat -aon" and you'll see the process ID as the last column. Then you need to use something like Process Monitor (ex sysinternals tool) to find the info for that PID. I'm not 100% sure if the owner is exposed, but you should be able to verify pretty quickly. Good luck.

(23 Sep '12, 17:10) hansangb
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×36
×10

question asked: 22 Sep '12, 14:37

question was seen: 2,360 times

last updated: 23 Sep '12, 17:10

p​o​w​e​r​e​d by O​S​Q​A