Lion background traffic

noah_swanson
New Contributor

Our internet is behind a PAC file proxy. When I log in as a non-AD account I'm getting the prompt for proxy creds. I'm trying to figure out where this traffic is going. I know when we roll this out users won't exactly know how to handle this, so I'm hoping to get a better understanding of the what and why of this traffic.

Software update is assigned internally so that shouldn't flag anything. Dashboard has no widgets that would use network traffic either.

I attempted to install Little Snitch, but after rebooting I can no longer get logged in. I have to use >console and manually remove the app.

Anyone know of a network trace tool for Mac I can use to identify this traffic? Activity Monitor only shows traffic, not the details of where it's going to/coming from.

Thanks,
Noah Swanson
Imaging Specialist
Enterprise Desktop Services
Phone: 309-765-3153
SwansonNoah at johndeere.com


tkimpton
Valued Contributor II

Best to look at wireshark for mac. Prepare for a bit of a mare though. Last time I packaged that up it was a mission.

bentoms
Release Candidate Programs Tester

Do you have adobe air installed?

Regards,

Ben.

noah_swanson
New Contributor

Nope. Clean Vanilla install.

Jak
New Contributor III

Janowski
New Contributor II

you could use Wireshark, but it's not very user friendly.... you have to
really know what you're doing, and I don't, so I find it uncomfortable.

ben janowski
Senior Macintosh Support Technician
Kohl's Mac Support Team | 262.703.1396

noah_swanson
New Contributor

We use Wireshark for Windows, didn't think to check for a Mac version.

I ended up using an Apple KB: http://support.apple.com/kb/HT3994

After looking at the trace the response from the proxy says that an attempt was made to connect to "help.apple.com:443". The proxy kicked it back saying no creds specified. This was the only outside site on the report. Anyone know why this happened or how I should handle it?

Thanks,
Noah

noah_swanson
New Contributor

Sorry. Helposx.apple.com:443

Janowski
New Contributor II

It's possible that it might not be 'proxy aware traffic.' I'm told there are
a couple things from Apple and Adobe that 'won't ever work with a proxy.'
Being able to confirm/deny that is outside of my skill set at this point...
but it's what I've been told in the past.

If that is the case, you could try to work with the folks that admin your
proxy to whitelist that stuff.

ben janowski
Senior Macintosh Support Technician
Kohl's Mac Support Team | 262.703.1396

noah_swanson
New Contributor

Looks like the built-in Help Center attempts to update. https://helposx.apple.com:443 takes me to the Apple Help Library site.

As you said, we'll have lockouts because of this since our users never sync their keychain after a password change. Love it...

Not applicable

On Oct 10, 2011, at 9:52 AM, Swanson Noah wrote:

> Anyone know of a network trace tool for Mac I can use to identify this traffic? Activity Monitor only shows traffic, not the details of where it's going to/coming from.

ssh in as a local admin account, then

sudo tcpdump -n -i en0 ether host [mac address]

where [mac address] is the ethernet address of the computer. For example,

sudo tcpdump -n -i en0 ether host 04:0c:ce:22:be:ef

Decoding the full tcpdump output takes a considerable understanding of on-wire network protocols, but you can get an idea looking at the addresses:

10:54:47.702358 IP 10.31.47.191.55602 > 17.158.28.36.https: Flags [.], ack 86, win 65535, length 0
10:54:47.705682 IP 17.158.28.36.https > 10.31.47.191.55602: Flags [P.], seq 86:123, ack 185, win 35320, length 37

The format is [time] [protocol] [source address] > [remote address] [miscellaneous]

So in this case you can see my IP (10.31.47.191 on ephemeral port 55602) talked to 17.158.28.36 on port https, and then got a reply back. Using host and whois, 17.158.28.36 is something at Apple.

--Jim
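As an added example (not from Jim's post or from Apple), here is a small Python script that does the "look at the addresses" step mechanically: it parses the `[time] [protocol] [source] > [remote] ...` lines that `tcpdump -n` prints, counts how many packets the Mac exchanged with each remote IP and port, and separates endpoints on internal (RFC 1918) networks from external ones. The sample capture, the local IP `10.31.47.191`, the internal proxy address `10.31.40.5` and the network list are all constructed for the example; adjust them to your own address plan.

```python
"""Summarise where a Mac is talking to, from `tcpdump -n` text output."""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample in the format `tcpdump -n -i en0` prints (not a real capture).
SAMPLE_CAPTURE = """\
10:54:47.702358 IP 10.31.47.191.55602 > 17.158.28.36.https: Flags [.], ack 86, win 65535, length 0
10:54:47.705682 IP 17.158.28.36.https > 10.31.47.191.55602: Flags [P.], seq 86:123, ack 185, win 35320, length 37
10:54:48.100000 IP 10.31.47.191.55603 > 10.31.40.5.8080: Flags [S], seq 1, win 65535, length 0
10:54:48.200000 IP 10.31.47.191.55604 > 17.158.28.36.https: Flags [S], seq 2, win 65535, length 0
10:54:49.000000 ARP, Request who-has 10.31.47.1 tell 10.31.47.191, length 28
"""

# [time] IP [src].[sport] > [dst].[dport]: ...  (the line layout Jim describes;
# with -n the port is either a number or a service name such as "https")
LINE_RE = re.compile(
    r"^(?P<time>\S+) IP "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>[\w-]+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>[\w-]+):"
)

# Networks treated as "inside" (assumption: RFC 1918 ranges; edit for your site).
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_line(line):
    """Return (time, src, sport, dst, dport) for an IP line, or None for ARP/other lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return (m["time"], m["src"], m["sport"], m["dst"], m["dport"])


def remote_endpoints(capture, local_ip):
    """Count packets per remote (ip, port), taking whichever side is not local_ip.

    Only the remote port is kept: the Mac's own ephemeral port changes per
    connection and would split one conversation into many rows."""
    counts = Counter()
    for line in capture.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        _, src, sport, dst, dport = parsed
        if src == local_ip:
            counts[(dst, dport)] += 1
        elif dst == local_ip:
            counts[(src, sport)] += 1
    return counts


def external_endpoints(counts):
    """Keep only endpoints outside INTERNAL_NETS: packets that left the LAN
    directly rather than via an internal proxy address."""
    return {
        ep: n for ep, n in counts.items()
        if not any(ip_address(ep[0]) in net for net in INTERNAL_NETS)
    }


if __name__ == "__main__":
    counts = remote_endpoints(SAMPLE_CAPTURE, "10.31.47.191")
    external = external_endpoints(counts)
    for (ip, port), n in counts.most_common():
        tag = "external" if (ip, port) in external else "internal"
        print(f"{n:4d}  {ip}:{port}  ({tag})")
```

To use it on a live machine, pipe the capture in: `sudo tcpdump -n -i en0 -l | python3 summarise.py` with the script changed to read `sys.stdin` instead of the sample string. One caveat for a proxied network: when a client honours the PAC file, the on-wire destination is the proxy, so the real target host only appears inside the HTTP `CONNECT` request; an endpoint that shows up as external in this summary is exactly the "not proxy aware" traffic discussed above, while the proxy's own log (or the 407 response Noah found) is where the intended hostname is recorded.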