Hi Brian,

If jobs are at stake, I'd get onto the machines initiating the traffic and see what they are running.

The Nessus Client connects to the Nessus scanner on port 1241 by default. Typically, the client sends very little traffic except for the start of the scan. As a scan proceeds, more traffic is sent from the scanner back to the client. If you are seeing 50/50 upload/download, anything that does not look encrypted, or are seeing upload traffic, it is likely not Nessus.

Also, consider if it is one host connecting to many (100s) of remote systems. This is likely P2P or some other traffic. You can, of course, connect to more than one remote Nessus scanner with the Nessus client, but manually doing this to 100s of hosts isn't normal.

One other test you could do is to get the Nessus Client, and try to connect to one of the remote connection points and see if you get a login prompt.

Ron Gula
Tenable Network Security

ASG - Brian Adams wrote:
> I need to know as soon as possible - jobs are at stake - if there are
> any other apps that might use port 1241. I use an app called Scrutinizer
> to monitor network traffic, usage trends and application use. I'm seeing
> activity coming from several machines on the inside of my network
> through port 1241. The activity is in the area of 300K at peak and
> mostly 80k or so. It starts at around 3:00 pm PDT and runs until around
> midnight. The activity is from machines in our Shanghai office so that'd
> be starting at 6: am until 3:00 pm their time.
>
> The activity is between the remote stations and both of our Citrix
> servers
>
> Brian Adams
> Information Security Officer
> Ashland Partners & Co. LLP
> 209-848-0798
_______________________________________________
Nessus mailing list
http://mail.nessus.org/mailman/listinfo/nessus
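
The traffic-shape checks described in the reply above (upload/download balance and number of distinct peers on port 1241) can be run over exported flow data. The following is an added example, not part of the original thread or any Tenable tool; the flow record layout, the sample records and both thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict

NESSUS_PORT = 1241        # default Nessus client -> scanner port (from the thread)
MAX_UPLOAD_SHARE = 0.30   # assumed threshold: client sends far less than it receives
MAX_PEERS = 10            # assumed threshold: hundreds of peers is not manual use

# Constructed sample flows: (client, server, server_port, bytes_up, bytes_down)
SAMPLE_FLOWS = [
    ("10.1.1.5", "10.9.0.2", 1241, 4_000, 310_000),    # small upload, large download
    ("10.1.1.5", "10.9.0.3", 1241, 3_500, 250_000),
    ("10.2.2.7", "10.9.0.2", 1241, 150_000, 160_000),  # roughly 50/50
    ("10.1.1.5", "10.9.0.2", 443, 9_000, 9_000),       # other port, ignored
] + [("10.3.3.9", f"198.51.100.{i}", 1241, 20_000, 80_000) for i in range(1, 201)]


def summarize(flows, port=NESSUS_PORT):
    """Aggregate bytes and distinct peers per client for one server port."""
    stats = defaultdict(lambda: {"up": 0, "down": 0, "peers": set()})
    for client, server, dport, up, down in flows:
        if dport != port:
            continue
        entry = stats[client]
        entry["up"] += up
        entry["down"] += down
        entry["peers"].add(server)
    return stats


def assess(flows):
    """Return {client: [reasons the traffic does not look like a Nessus client]}."""
    verdicts = {}
    for client, s in summarize(flows).items():
        total = s["up"] + s["down"]
        share = s["up"] / total if total else 0.0
        reasons = []
        if share > MAX_UPLOAD_SHARE:
            reasons.append(f"upload share {share:.0%}")
        if len(s["peers"]) > MAX_PEERS:
            reasons.append(f"{len(s['peers'])} distinct peers")
        verdicts[client] = reasons
    return verdicts


if __name__ == "__main__":
    for client, reasons in sorted(assess(SAMPLE_FLOWS).items()):
        label = "unlike Nessus: " + ", ".join(reasons) if reasons else "consistent with a Nessus client"
        print(client, label)
```

Flow counters cannot show whether the payload looks encrypted; that check from the reply still needs a packet capture or a login attempt with the client.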
