I have a VMware View Security server that periodically 'pings' or communicates with a View Connect server on 8009. There are connections shown in netstat:
[ws_TunnelService.exe]
TCP 10.3.0.13:55487 10.1.0.21:4001 ESTABLISHED
[ws_TunnelService.exe]
TCP 10.3.0.13:55764 10.1.0.21:8009 ESTABLISHED
The port 4001 traffic shows up in a Wireshark trace:
238 26.776074000 10.1.0.21 10.3.0.13 TCP 73 4001→53416 [PSH, ACK] Seq=30 Ack=135 Win=4025 Len=19
239 26.778194000 10.3.0.13 10.1.0.21 TCP 2814 53416→4001 [ACK] Seq=135 Ack=49 Win=32597 Len=2760
But the 8009 traffic does not. I use a tcp.port=8009 filter and get nothing. I have evidence that traffic should be going across in a View log file (from the 10.3.0.13 server):
2014-12-02T20:10:05.271-05:00 DEBUG (0550-0484) <AJP connection pool monitor> [a] /10.1.0.21:8009
2014-12-02T20:10:05.271-05:00 TRACE (0550-0484) <AJP connection pool monitor> [b] Fetching connection from pool: /10.1.0.21:8009
2014-12-02T20:10:05.271-05:00 TRACE (0550-0484) <AJP connection pool monitor> [b] Total pool size: 5
2014-12-02T20:10:05.271-05:00 TRACE (0550-0484) <AJP connection pool monitor> [b] Sending test CPing request...
2014-12-02T20:10:05.474-05:00 TRACE (0550-0484) <AJP connection pool monitor> [b] Received test CPong.
2014-12-02T20:10:05.474-05:00 TRACE (0550-0484) <AJP connection pool monitor> [b] Returning connection to pool: /10.1.0.21:8009
2014-12-02T20:10:05.474-05:00 TRACE (0550-0484) <AJP connection pool monitor> [b] Total pool size: 6
It looks like the traffic is being tunneled... but my question is: why is the 4001 traffic showing up in a trace while the 8009 traffic is not?
Thanks much for any ideas. I can provide more info if needed...
asked 03 Dec '14, 07:44
hatari