Hi, we have an application (IBM Notes) which communicates with several other systems (servers), but we don't know which, although we do know that it uses its system account to communicate. Is it possible in Wireshark to trace which servers the account communicates with? I've tried to look in Conversations and Endpoints but with no luck. Thanks //hp
asked 22 Sep '12, 14:37 c0zzman, edited 22 Sep '12, 18:09 cmaynard ♦♦
2 Answers:
If all you need is "which other server does it communicate with?" then the answer is yes. However, it will not let you see "which system or user account" it's using to set up the communication. Also, in all likelihood, your Notes server will use encrypted communication. Therefore, you'll only know which servers are involved in the communication, but you won't be able to tell anything about the communication. I don't understand the "Conversations/Endpoints...but no luck" comment. Was there nothing in the trace, or do you mean you don't know how to read the chart?
answered 22 Sep '12, 16:47 hansangb, edited 22 Sep '12, 18:10 cmaynard ♦♦
This problem might be a bit tricky to solve, but under the right circumstances you might be able to get what you want. Since the Notes server may have other communications going in and out that do not relate to the Notes application, you'll have to determine which communications are related. This is usually done by determining the port numbers in use, which is

So depending on whether your Notes server is the "client" of the communications to other servers, you will have a hard time correlating the communications to the Notes application. Wireshark can't help you with this, because it will only see communication from port to port, but not which application it was on the system. Maybe Microsoft NetMon can help you here, because it can do just that if it runs on the Notes server (assuming your Notes server is running a Windows OS). For Linux systems, the Hone Project could help (but I haven't tried it myself yet).
answered 23 Sep '12, 04:54 Jasper ♦♦

The manual method (if NetMon can't be used) is to use "netstat -aon" and you'll see the process ID as the last column. Then you need to use something like Process Monitor (ex Sysinternals tool) to find the info for that PID. I'm not 100% sure if the owner is exposed, but you should be able to verify pretty quickly. Good luck. (23 Sep '12, 17:10) hansangb
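As an added worked example of the manual method described above (this is not code from any of the answers), assuming a Windows host: parse `netstat -aon` output, list the remote servers that one owning PID has established TCP sessions to, and turn that list into a Wireshark display filter so only that process's traffic is shown in the capture. The netstat output is constructed sample data; the PID and addresses are made up, and 1352 is the well-known Notes/Domino NRPC port.

```python
from collections import namedtuple

# Constructed sample of "netstat -aon" output (not a real host). PID 2048 is
# assumed to be the Notes server process, PID 812 an unrelated RDP session.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:1352           0.0.0.0:0              LISTENING       2048
  TCP    10.0.0.5:49312         10.0.0.20:1352         ESTABLISHED     2048
  TCP    10.0.0.5:49318         10.0.0.21:1352         ESTABLISHED     2048
  TCP    10.0.0.5:49320         10.0.0.30:389          ESTABLISHED     2048
  TCP    10.0.0.5:3389          10.0.0.99:51000        ESTABLISHED     812
  UDP    0.0.0.0:137            *:*                                    4
"""

Conn = namedtuple("Conn", "proto local_ip local_port remote_ip remote_port state pid")


def _split_endpoint(ep):
    # "10.0.0.20:1352" -> ("10.0.0.20", 1352); "[::1]:135" -> ("::1", 135); "*:*" -> ("*", None)
    host, _, port = ep.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Parse netstat -aon rows; the PID is always the last column."""
    conns = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] not in ("TCP", "UDP"):
            continue  # skip banner, header and blank lines
        state = fields[3] if len(fields) == 5 else ""  # UDP rows have no State column
        lip, lport = _split_endpoint(fields[1])
        rip, rport = _split_endpoint(fields[2])
        conns.append(Conn(fields[0], lip, lport, rip, rport, state, int(fields[-1])))
    return conns


def remote_servers(conns, pid):
    """Sorted (remote_ip, remote_port) pairs for ESTABLISHED TCP sessions owned by pid."""
    return sorted({(c.remote_ip, c.remote_port) for c in conns
                   if c.pid == pid and c.proto == "TCP" and c.state == "ESTABLISHED"})


def wireshark_filter(endpoints):
    """Display filter matching exactly those peer sessions, e.g. for Statistics > Conversations."""
    return " || ".join(f"(ip.addr=={ip} && tcp.port=={port})" for ip, port in endpoints)


if __name__ == "__main__":
    peers = remote_servers(parse_netstat(SAMPLE_NETSTAT), 2048)
    print(peers)
    print(wireshark_filter(peers))
```

Run `netstat -aon` on the Notes server, feed its output to `parse_netstat`, and pass the PID found via Task Manager or Process Monitor; the resulting filter narrows the Wireshark trace to that process's peers, which is as close to "per account" as the packet data allows.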
Hi, thanks for the answer. I know that the server communicates with several servers, but I want to know which servers it communicates with through this system account explicitly.
I was looking in the filter "Conversation", and there was a lot of traffic but I couldn't see the account.
But ok, then I know it isn't possible. Right?