Checking for valid HTTP POST traffic when no HTTP traffic seen on Monitor

Article ID: 159573

Products

Symantec Products

Issue/Introduction

Applies to:

Network Monitor (all versions)

HTTP traffic is visible in a packet capture taken on the Network Monitor, but Enforce shows no traffic at all for that box.

Resolution

First, download and install Wireshark (http://www.wireshark.org/) on the Network Monitor that should be receiving the traffic.

On Linux systems, you can install Wireshark to take a packet capture, but the built-in tool tcpdump will work, too. For details on using tcpdump, see TECH221427. Then open the packet capture created by tcpdump in Wireshark to filter it.

If you are using an Endace card, follow TECH221214 to create a packet capture that Wireshark can read.

Open the capture in Wireshark and apply a display filter for HTTP POST requests to the pcap file:

http.request.method == "POST"

If no packets remain after applying this filter, no HTTP POST data is present in the capture. The capture contains valid HTTP traffic, but not traffic that DLP needs to examine; that is, it holds only GET requests or HTTP responses.

Confirm that the SPAN or TAP is configured to send traffic of the correct type (and direction) to the Monitor.
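To run the same check offline, for instance in a scripted health check where Wireshark is not opened interactively, the following added Python script (not Symantec tooling) reimplements the filter above over a classic pcap. It assumes Ethernet/IPv4/TCP frames and cleartext HTTP/1.x; the sample capture it summarizes is constructed inline.

```python
import struct

def tcp_payloads(pcap: bytes):
    """Yield the TCP payload of each Ethernet/IPv4/TCP frame in a classic pcap."""
    if pcap[:4] != b"\xd4\xc3\xb2\xa1":
        raise ValueError("expected a little-endian classic pcap (not pcapng)")
    off = 24                                   # skip the global header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack("<I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                           # not IPv4 over Ethernet, or not TCP
        tcp = frame[14 + (frame[14] & 0x0F) * 4:]
        if len(tcp) >= 20:
            yield tcp[(tcp[12] >> 4) * 4:]     # strip TCP header and options

def classify(payload: bytes) -> str:
    """Label a payload as the filter http.request.method == "POST" would see it."""
    line = payload.split(b"\r\n", 1)[0]
    if line.startswith(b"HTTP/1."):
        return "response"                      # server side: the filter drops it
    if line.endswith((b" HTTP/1.0", b" HTTP/1.1")):
        return "post" if line.startswith(b"POST ") else "other_request"
    return "non_http"

def summarize(pcap: bytes) -> dict:
    """Count payload types; post == 0 means the Wireshark filter shows nothing."""
    counts = {"post": 0, "other_request": 0, "response": 0, "non_http": 0}
    for p in tcp_payloads(pcap):
        if p:                                  # skip bare ACKs and handshake segments
            counts[classify(p)] += 1
    return counts

def make_pcap(payloads) -> bytes:
    """Constructed sample data: minimal Ethernet/IPv4/TCP headers around each payload."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for i, p in enumerate(payloads):
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(p), 0, 0, 64, 6, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
        tcp = struct.pack("!HHIIBBHHH", 40000 + i, 80, 1, 1, 0x50, 0x18, 65535, 0, 0)
        frame = b"\x00" * 12 + b"\x08\x00" + ip + tcp + p
        out += struct.pack("<IIII", 1_700_000_000, i, len(frame), len(frame)) + frame
    return out
SAMPLE = make_pcap([                           # constructed: one payload of each type
    b"GET /index.html HTTP/1.1\r\nHost: intranet\r\n\r\n",
    b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n",
    b"POST /upload HTTP/1.1\r\nHost: intranet\r\nContent-Length: 15\r\n\r\nfile=report.doc",
    b"\x16\x03\x01\x00\x05hello",               # TLS-looking bytes, not cleartext HTTP
])
```

Run `summarize(open("capture.pcap", "rb").read())` against a real capture; a result with `post` at 0 but `other_request` or `response` above 0 is exactly the "valid HTTP, nothing for DLP to inspect" case described above.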

When HTTP POSTs appear in the captured packets, traffic will be reported. If the filter returns results, right-click any of the entries and choose "Follow TCP Stream". This view shows the specific HTTP POST data that was sent.

Another thing to verify is that the traffic feed the Monitor is receiving is clean. Use the Traffic Feed Analyzer Tool (TFAT) to check this; see TECH221639 for details on using TFAT.