This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forĀ
- Extreme Networks
- Community List
- Network Management & Authentication
- ExtremeCloud IQ- Site Engine Management Center
- RE: How to apply fingerprint to all traffic on a p...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
How to apply fingerprint to all traffic on a particular network for a particular port
How to apply fingerprint to all traffic on a particular network for a particular port
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
ā05-15-2017 06:11 PM
I would like to be able to categorize all CIFS traffic on a particular network using fingerprints within Netsight/purview (7.0.4.29) into a given Application/Application Group. The problem I'm having is that we have a network for backups that talks to another production storage network to grab files for the backup.
When I look at my flows, I try to add a fingerprint by right clicking on the flow and specifying add fingerprint for Address with Port. When I do this, the address is the server for the production storage network, not the backup network. I thought I would get smart and edit the myappid.xml file and manually enter the backup network IP/CIDR, but that doesn't seem to be foolproof, as I'm still seeing flows incorrectly categorized.
I believe this has to do with how purview handles client/server communications - in this case, the backup network initiates the communication, which is categorized as the client. It seems purview only wants to apply fingerprints for networks based on the server side of the communication.
In short, how can I use fingerprints to say all traffic from "client" network A on port 445 belongs to a particular application/application group?
When I look at my flows, I try to add a fingerprint by right clicking on the flow and specifying add fingerprint for Address with Port. When I do this, the address is the server for the production storage network, not the backup network. I thought I would get smart and edit the myappid.xml file and manually enter the backup network IP/CIDR, but that doesn't seem to be foolproof, as I'm still seeing flows incorrectly categorized.
I believe this has to do with how purview handles client/server communications - in this case, the backup network initiates the communication, which is categorized as the client. It seems purview only wants to apply fingerprints for networks based on the server side of the communication.
In short, how can I use fingerprints to say all traffic from "client" network A on port 445 belongs to a particular application/application group?
5 REPLIES 5
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
ā06-15-2017 11:43 AM
Hi Andrew.
Hope this went well for you.
Regards
Jeff
Hope this went well for you.
Regards
Jeff
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
ā05-17-2017 08:03 AM
Hi Jeff,
Given these are backup jobs, your theory of a long running flow is absolutely possible. I'll give it some more time and report back.
Thanks,
Andrew
Given these are backup jobs, your theory of a long running flow is absolutely possible. I'll give it some more time and report back.
Thanks,
Andrew
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
ā05-16-2017 03:09 PM
Hi Andrew,
The product is client based when it comes to reporting but from identification point of view, I don't think so. The options you mentioned; IP and Port don't even have source or destination values.
If we are viewing the flow grid, perhaps the old CIFS application is hitting on a long running flow?
If available I am happy to run a remote session and take a look at this together.
Outside of a remote perhaps try and identify what flows are hitting on the new and which are hitting on the old.
Thanks
Jeff
The product is client based when it comes to reporting but from identification point of view, I don't think so. The options you mentioned; IP and Port don't even have source or destination values.
If we are viewing the flow grid, perhaps the old CIFS application is hitting on a long running flow?
If available I am happy to run a remote session and take a look at this together.
Outside of a remote perhaps try and identify what flows are hitting on the new and which are hitting on the old.
Thanks
Jeff
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
ā05-16-2017 10:01 AM
Hi Jeff,
Thanks for the reply, I appreciate it. I originally started down this path by creating the fingerprints from scratch. I still had traffic that was showing up in the generic CIFS group though. After reading the manual, I went the path of right clicking on the actual flow to fingerprint it that way.
Essentially, what I've done is created fingerprints for TCP 139, 445 on network A and UDP 137, 138 on network A, categorize as Backup CIFS. When I say network A, I'm adding a fingerprint by address, mask and port. So I say 12.34.56.78/24 on 445 is Backup CIFS.
However, when I look at the flows, I see traffic on TCP 445 on network A as generic CIFS. Some of the traffic does match as it should, which is where I start to scratch my head. Is there a gotcha to fingerprinting client traffic? I think the issue is that the backup software initiates a CIFS connection, which tells purview that it's the client. I'm not sure if fingerprints have a bias towards identifying the server side of the traffic?
Thanks much.
Andrew
Thanks for the reply, I appreciate it. I originally started down this path by creating the fingerprints from scratch. I still had traffic that was showing up in the generic CIFS group though. After reading the manual, I went the path of right clicking on the actual flow to fingerprint it that way.
Essentially, what I've done is created fingerprints for TCP 139, 445 on network A and UDP 137, 138 on network A, categorize as Backup CIFS. When I say network A, I'm adding a fingerprint by address, mask and port. So I say 12.34.56.78/24 on 445 is Backup CIFS.
However, when I look at the flows, I see traffic on TCP 445 on network A as generic CIFS. Some of the traffic does match as it should, which is where I start to scratch my head. Is there a gotcha to fingerprinting client traffic? I think the issue is that the backup software initiates a CIFS connection, which tells purview that it's the client. I'm not sure if fingerprints have a bias towards identifying the server side of the traffic?
Thanks much.
Andrew
