This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Persistent connection from questionable IP address on port 443

0

For a small business setup, I have a Windows 2008 server acting as AD domain controller and Exchange 2007 server. I've recently begun to look further into all network activity and notice something unusual to me involving this server. There is a persistent connection between it and a Verizon wireless IP address (174.254.24.191, 174.240.0.73, 174.254.1.124 to name a few) always geolocated in Las Vegas. This connection uses port 443 on my server. The service name being used is "SYSTEM". This connection is using the same public IP address as our MX record. I do use Exchange active-sync for a few users. Any suggestions as to how to further identify EXACTLY what this IP address is doing with my server? Thanks.

asked 03 Apr '13, 09:28

steveg


One Answer:

0

Well, if you want to know EXACTLY what these IPs are doing on your server, you can use the private key of the server to decrypt the traffic in Wireshark and see which HTTPS requests they are sending. My guess would indeed be that it is Exchange active-sync traffic.

answered 03 Apr '13, 10:26

SYN-bit ♦♦

OK, thanks for your advice. Unfortunately, due to my lack of experience, I don't know how to do what you suggest. I'd appreciate further instructions, or your pointing me to exact instructions as to how to accomplish this. Thanks again.

(03 Apr '13, 11:44) steveg