identify remote server

dawks

Diamond Member
Oct 9, 1999
#1
Hi everyone, I am helping an organization with some things and I was looking at their Checkpoint firewall logs. I see a large number of their PCs are regularly trying to connect to a few IPs that seem to be Akamai CDN servers (on this org's ISP network). Their firewall is blocking it, however.

Is there a way to find out what they are actually connecting to? On the PC I am using, I see that several connections will be made over a span of 10 minutes a few times throughout the day, so I am unable to just start a packet capture. It happens when a user is logged off as well. It looks like it's happening over port 80, but when I visit that IP over http I just get "Invalid URLThe requested URL "[no URL]", is invalid. "

I suspect it is something innocent (like software updates), but I'd still like to figure it out.

mxnerd

Diamond Member
Jul 6, 2007
#2
Won't the Checkpoint Firewall log show what destination server IP and its resolved name / URL / service or protocol / ports the source PC is trying to reach?

And if a web server is not configured to redirect an invalid URL to another web page, you are going to get an invalid URL or page not found error even if the web server is running.

JackMDS

Elite Member
Super Moderator
Oct 25, 1999
#3
Try this portable freeware - http://www.nirsoft.net/utils/live_tcp_udp_watch.html

It should show the local processes that generate the connections and where they go.


:cool:
 

dawks

Diamond Member
Oct 9, 1999
#4
Won't the Checkpoint Firewall log show what destination server IP and its resolved name / URL / service or protocol / ports the source PC is trying to reach?

And if a web server is not configured to redirect an invalid URL to another web page, you are going to get an invalid URL or page not found error even if the web server is running.

It does give some info, but it's just an IP (with reverse DNS), and port 443/80, and I don't see anything else. The IP and reverse DNS look like servers hosted on our ISP's network, and are registered to our ISP and Akamai, but I have no idea how to find out anything beyond that.

My PC is making a port 80/443 connection to those IPs over night, without being logged in. How do I narrow down to what it is specifically (again likely just software updates but how can I be sure)?

Thanks for the utility tip Jack. The one challenge is I don't know when it will happen, so short of launching it and staring at it all day I can't be sure when I'll see it. The alternative is something that can log, then allow me to do a filter search, but running a PCap all day would probably crash my PC.
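Since the difficulty in the post above is catching an intermittent connection without running a capture all day, here is an added example (not from the thread or any poster) that polls Windows `netstat -ano` every couple of seconds and writes only the connections to the IPs seen in the firewall log, with the owning process name from `tasklist`, to a file you can search later. The watch-list addresses are constructed placeholders, and the script assumes the standard Windows `netstat -ano` and `tasklist /FO CSV` output formats.

```python
import csv
import subprocess
import time

# Constructed placeholder watch list (TEST-NET-2); replace with the IPs from the firewall log.
WATCH_IPS = {"198.51.100.10", "198.51.100.11"}

def split_endpoint(endpoint):  # 'ip:port', '[v6addr]:port' or '*:*' -> (ip, port)
    ip, _, port = endpoint.rpartition(":")
    return ip.strip("[]"), port

def parse_netstat(text, watch=WATCH_IPS):
    """Return (proto, remote_ip, remote_port, state, pid) for rows whose remote IP is watched."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue                                   # header and blank lines
        remote_ip, remote_port = split_endpoint(parts[2])
        if remote_ip not in watch:
            continue
        state = parts[3] if parts[0] == "TCP" else ""  # UDP rows have no State column
        hits.append((parts[0], remote_ip, remote_port, state, int(parts[-1])))
    return hits

def process_name(pid, cache={}):
    """Resolve a PID to an image name with tasklist (cached; PIDs repeat across polls)."""
    if pid not in cache:
        out = subprocess.run(["tasklist", "/FI", f"PID eq {pid}", "/FO", "CSV", "/NH"],
                             capture_output=True, text=True).stdout
        cache[pid] = next((row[0] for row in csv.reader(out.splitlines())
                           if len(row) > 1 and row[1] == str(pid)), "<exited>")
    return cache[pid]

def watch_loop(logfile="watched_connections.log", interval=2):
    """Poll netstat every `interval` seconds and log each new (pid, remote) pair once per burst."""
    seen = set()
    while True:
        out = subprocess.run(["netstat", "-ano"], capture_output=True, text=True).stdout
        current = set()
        for proto, ip, port, state, pid in parse_netstat(out):
            current.add((pid, ip, port))
            if (pid, ip, port) not in seen:
                with open(logfile, "a") as log:
                    log.write(f"{time.strftime('%Y-%m-%d %H:%M:%S')} {proto} {ip}:{port} {state} "
                              f"pid={pid} {process_name(pid)}\n")
        seen = current                                 # re-log a pair if it later reappears
        time.sleep(interval)

if __name__ == "__main__":
    watch_loop()
```

Connections that close quickly linger in TIME_WAIT for a while, but Windows reports their PID as 0 once they do, so keep the poll interval short to catch them while still ESTABLISHED.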
 

mxnerd

Diamond Member
Jul 6, 2007
#5
If you don't want to use PCap/Wireshark,

Fiddler or mitmproxy might help.

But I'm not familiar with them.

Not sure if they provide summary.

There will be tons of info though.