How to identify IP Address of a "Victim Port" number?
Under DNS Watch - "Initial connection details"
How do I determine the actual user's IP address using the victim port number? I would like to do this so I can review the user's computer, browser history, perform a scan if needed, etc. In the same window where I see "victim port", it does show "victim ip address" but it is our public facing IP address, not a specific end user's IP address and then the victim hostname is unknown. I would like to try and track these down if possible.
Comments
Hi @Jes_DFS
If you're logging traffic to Dimension, you can search during that time frame for that victim port number.
DNS queries to that dest hostname aren't resolving anymore, so I'm not sure what the destination IP might have been in that case.
-James Carson
WatchGuard Customer Support
Hi James, Logging Traffic to Dimension - Can you provide any steps for me to follow to do this? I wouldn't mind searching during that time frame for the victim port number but I am not sure I know what that is or how to do it? Thank you for the reply.
Search Device Log Messages (Dimension)
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/dimension/log-messages_search_d.html
src_port=40638 or whatever the source port is
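
The search suggested above, as an added example that is not part of the thread and not WatchGuard code: filtering exported traffic log lines by source port inside a time window around the alert, because ephemeral ports are reused by different hosts over time. The key=value line layout, every field name other than `src_port`, the addresses and the timestamps are constructed assumptions, not Dimension's actual log format.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in a generic key=value layout (an assumption,
# not WatchGuard's real log format). Only src_port=40638 comes from the thread.
SAMPLE_LOG = """\
2024-05-01T09:14:02 src_ip=10.0.1.23 src_port=40638 dst_ip=203.0.113.10 dst_port=53 proto=udp
2024-05-01T09:14:05 src_ip=10.0.1.57 src_port=51822 dst_ip=203.0.113.10 dst_port=53 proto=udp
2024-05-01T13:40:11 src_ip=10.0.1.88 src_port=40638 dst_ip=198.51.100.7 dst_port=443 proto=tcp
malformed line without fields
"""

FIELD = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Return (timestamp, fields), or None if the line cannot be parsed."""
    ts_text, _, rest = line.strip().partition(" ")
    try:
        ts = datetime.fromisoformat(ts_text)
    except ValueError:
        return None
    fields = dict(FIELD.findall(rest))
    return (ts, fields) if "src_port" in fields else None


def hosts_for_port(log_text, port, event_time, window_seconds=60):
    """Internal source IPs that used `port` within the window around event_time."""
    window = timedelta(seconds=window_seconds)
    hits = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip lines that are not traffic records
        ts, fields = parsed
        # The same port number seen hours later belongs to another session,
        # so the port match alone is not enough: bound it by time.
        if fields["src_port"] == str(port) and abs(ts - event_time) <= window:
            hits.append((ts.isoformat(), fields.get("src_ip", "unknown")))
    return hits


if __name__ == "__main__":
    alert_time = datetime(2024, 5, 1, 9, 14, 0)  # constructed alert time
    for ts, ip in hosts_for_port(SAMPLE_LOG, 40638, alert_time):
        print(ts, ip)
```

If the window returns more than one internal address, narrow it or compare the destination fields against the alert before deciding which host to review.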