ndl aas caused high bandwidth usage

asked 2017-11-13 03:06:12 +0000

lswong91

Hi Guys,

Good day. A user PC (which is in sleep mode) triggers NDL-AAS (port 3128) traffic to the proxy server and causes high bandwidth usage.

From a Wireshark packet capture, the flow looks something like this:

Source  Destination  Protocol  Length  Info
User    Proxy        TCP       60      ndl-aas [ACK]
Proxy   User         HTTP      1314    Continuation or non-HTTP traffic
Proxy   User         HTTP      1314    Continuation or non-HTTP traffic
Proxy   User         HTTP      1314    [TCP out-of-order] Continuation or non-HTTP traffic
Proxy   User         HTTP      1314    [TCP Retransmission] Continuation or non-HTTP traffic  (keeps repeating the same packet)

Do you guys have any idea? Why would the user PC trigger the connection in sleep mode or AFK mode?

Thanks.


Comments

Can you share a trace file with us?

Christian_R ( 2017-11-13 06:48:53 +0000 )

The traffic is as below: https://imgur.com/a/IFyTn

lswong91 ( 2017-11-13 07:35:05 +0000 )

Here you can find how to provide us a trace if you like: https://blog.packet-foo.com/2016/11/t...

It is important to have a trace file, including the SYN packets of the session, in order to answer your question.

Christian_R ( 2017-11-13 09:57:41 +0000 )

Hi Christian,

Thanks for your assistance. Here you go.

https://www.dropbox.com/s/2nbregjucg8...

lswong91 ( 2017-11-13 10:15:48 +0000 )

First of all, the trace file you have presented contains a lot of frames that occur twice. You can see it by analyzing the IP ID field. They occur twice because of what seems to be a wrong capture setup: the duplicated frames have different MAC addresses from each other.

Christian_R ( 2017-11-13 11:39:41 +0000 )
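The check Christian describes above (same IP ID and addresses, different MAC pairs) is easy to automate, and doing so also answers the original bandwidth question: the bytes on port 3128 can be counted once per packet instead of once per captured copy. The script below is an added example and not part of this thread or of Wireshark; it parses a classic pcap byte stream with only the standard library. The pcap it runs on is constructed in the block (addresses, MACs and IP IDs are made up) to stand in for the poster's trace, which is not reproduced here.

```python
"""Find frames captured twice (same IP header, different MAC pairs) and count
proxy-port bytes without double counting. Added example; SAMPLE_PCAP is constructed."""
import struct
from collections import defaultdict, namedtuple

PCAP_MAGIC = 0xA1B2C3D4      # classic little-endian pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1

Frame = namedtuple("Frame", "no src_mac dst_mac src_ip dst_ip ip_id sport dport wire_len")


def _mac(s):
    return bytes.fromhex(s.replace(":", ""))


def _ip(s):
    return bytes(int(o) for o in s.split("."))


def build_frame(src_mac, dst_mac, src_ip, dst_ip, ip_id, sport, dport, payload=b""):
    """Minimal Ethernet/IPv4/TCP frame; checksums stay zero since nothing here validates them."""
    eth = _mac(dst_mac) + _mac(src_mac) + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x10, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                     ip_id, 0x4000, 64, 6, 0, _ip(src_ip), _ip(dst_ip))
    return eth + ip + tcp + payload


def build_pcap(frames):
    """Wrap raw frames in a pcap byte stream (constructed stand-in for a capture file)."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", 1510000000, i * 1000, len(f), len(f)) + f)
    return b"".join(out)


def parse_pcap(data):
    """Yield one Frame per IPv4/TCP record; other records are skipped but still numbered."""
    if struct.unpack("<I", data[:4])[0] != PCAP_MAGIC:
        raise ValueError("only little-endian classic pcap is handled here")
    off, no = 24, 0
    while off + 16 <= len(data):
        _, _, incl, orig = struct.unpack("<IIII", data[off:off + 16])
        f = data[off + 16:off + 16 + incl]
        off += 16 + incl
        no += 1
        if len(f) < 34 or f[12:14] != b"\x08\x00" or f[23] != 6:
            continue
        ihl = (f[14] & 0x0F) * 4                      # IPv4 header length in bytes
        if len(f) < 14 + ihl + 4:
            continue
        sport, dport = struct.unpack("!HH", f[14 + ihl:14 + ihl + 4])
        yield Frame(no, f[6:12].hex(":"), f[0:6].hex(":"),
                    ".".join(map(str, f[26:30])), ".".join(map(str, f[30:34])),
                    struct.unpack("!H", f[18:20])[0], sport, dport, orig)


def _pkt_key(fr):
    # A genuine TCP retransmission gets a fresh IP ID; a second capture of the same
    # packet keeps it. Keying on the IP header therefore separates the two cases.
    return (fr.src_ip, fr.dst_ip, fr.ip_id, fr.sport, fr.dport)


def find_capture_duplicates(data):
    """{packet_key: [frame numbers]} for packets seen more than once with different
    MAC pairs, i.e. the same packet captured on two segments of its path."""
    groups = defaultdict(list)
    for fr in parse_pcap(data):
        groups[_pkt_key(fr)].append(fr)
    return {k: [fr.no for fr in v] for k, v in groups.items()
            if len(v) > 1 and len({(fr.src_mac, fr.dst_mac) for fr in v}) > 1}


def bytes_to_port(data, port=3128):
    """Wire bytes to or from `port`, counting each duplicated capture only once."""
    seen, total = set(), 0
    for fr in parse_pcap(data):
        if port not in (fr.sport, fr.dport):
            continue
        k = _pkt_key(fr)
        if k in seen:
            continue
        seen.add(k)
        total += fr.wire_len
    return total


# Constructed sample: a 1314-byte proxy->client frame mirrored on both sides of a
# router (same IP ID, different MAC pairs), one genuine retransmission (new IP ID),
# the client's ACK, and an unrelated frame on another port.
SAMPLE_PCAP = build_pcap([
    build_frame("00:00:5e:00:53:01", "00:00:5e:00:53:02", "10.0.0.5", "10.0.1.7", 0x1234, 3128, 51000, b"A" * 1260),
    build_frame("00:00:5e:00:53:03", "00:00:5e:00:53:04", "10.0.0.5", "10.0.1.7", 0x1234, 3128, 51000, b"A" * 1260),
    build_frame("00:00:5e:00:53:01", "00:00:5e:00:53:02", "10.0.0.5", "10.0.1.7", 0x1235, 3128, 51000, b"A" * 1260),
    build_frame("00:00:5e:00:53:02", "00:00:5e:00:53:01", "10.0.1.7", "10.0.0.5", 0x0042, 51000, 3128),
    build_frame("00:00:5e:00:53:01", "00:00:5e:00:53:02", "10.0.0.5", "10.0.1.7", 0x0099, 443, 51001, b"B" * 100),
])

if __name__ == "__main__":
    print("duplicated captures:", find_capture_duplicates(SAMPLE_PCAP))
    print("bytes on port 3128 after de-dup:", bytes_to_port(SAMPLE_PCAP))
```

Two caveats when running this on a real, long trace: the IP ID is only 16 bits and some stacks send 0 for DF packets, so compare frames within a short time window rather than across the whole file; and `editcap -d` will not remove these copies, because it compares whole frames and the MAC addresses differ.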

The trace file is a little bit complicated, as some packets have been captured twice but with different MAC addresses. How was your capture setup?

Christian_R ( 2017-11-13 17:19:10 +0000 )

Hi Christian,

Sorry for the late reply. 1. Yes, I can see that the source IP and destination IP are the same but with different MAC addresses. 2. This traffic is coming from the branch to HQ; I do port mirroring in HQ between the HQ router and the HQ firewall.

lswong91 ( 2017-11-14 06:23:44 +0000 )