ndl aas caused high bandwidth usage

asked 2017-11-13 03:06:12 +0000

Hi Guys,

Good day. User PC (which is on sleep mode) trigger NDL AAS (3128) and access to Proxy server and caused high bandwidth usage.

From wireshark packet capture, the flow is something like this :-

Source Destination Protocol Length Info

User Proxy TCP 60 ndl-ass [ACK]

Proxy User HTTP 1314 Continuation or non-HTTP traffic

Proxy User HTTP 1314 Continuation or non-HTTP traffic

Proxy User HTTP 1314 [TCP out-of-order] Continuation or non-HTTP traffic

Proxy User HTTP 1314 [TCP Retransmission] Continuation or non-HTTP traffic . <keep repeating="" the="" same="" packet="">

Did you guys have any idea ? Why the user will trigger the connection in sleep mode or AFK mode ?

Thanks.

edit retag flag offensive close merge delete

Comments

Can you share us a tracefile?

Christian_R gravatar imageChristian_R ( 2017-11-13 06:48:53 +0000 )edit

The traffic as below :- https://imgur.com/a/IFyTn

lswong91 gravatar imagelswong91 ( 2017-11-13 07:35:05 +0000 )edit

Here you find how you can provide us a trace if you like: https://blog.packet-foo.com/2016/11/t...

As it is important to have a tracefile for answering your question which also includes the SYN Packets of the session.

Christian_R gravatar imageChristian_R ( 2017-11-13 09:57:41 +0000 )edit

Hi Christian

Thanks for your assistance. Here you go.

https://www.dropbox.com/s/2nbregjucg8...

lswong91 gravatar imagelswong91 ( 2017-11-13 10:15:48 +0000 )edit

First of all what you have presented a trace file where a lot of frames occur twice. You can see it by analyzing the IP ID field. They occur twice, because it seem to be related to your wrong capture setup. Because these duplicated Frames use different MAC addresses compared to each other.

Christian_R gravatar imageChristian_R ( 2017-11-13 11:39:41 +0000 )edit