How to identify IP Address of a "Victim Port" number?

Under DNS Watch - "Initial connection details"
How do I determine the actual user's IP address using the victim port number? I would like to do this so I can review the user's computer, browser history, perform a scan if needed, etc. In the same window where I see "victim port", it does show "victim ip address" but it is our public facing IP address, not a specific end user's IP address and then the victim hostname is unknown. I would like to try and track these down if possible.

Comments

  • james.carson Moderator, WatchGuard Representative

    Hi @Jes_DFS
    If you're logging traffic to Dimension, you can search during that time frame for that victim port number.

    DNS queries to that dest hostname aren't resolving anymore, so I'm not sure what the destination IP might have been in that case.

    -James Carson
    WatchGuard Customer Support

  • Hi James, Logging Traffic to Dimension - Can you provide any steps for me to follow to do this? I wouldn't mind searching during that time frame for the victim port number but I am not sure I know what that is or how to do it? Thank you for the reply.

  • edited July 9

    Search Device Log Messages (Dimension)
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/dimension/log-messages_search_d.html

    src_port=40638 or whatever the source port is
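
The same search run offline over exported traffic logs, as an added example that is not part of the original thread or WatchGuard's tooling. The CSV column names, the sample rows and the `find_hosts` helper are constructed assumptions, not the Dimension export schema; the time window matters because source ports are reused over time.

```python
import csv
import io
from datetime import datetime

# Constructed sample rows. Column names are assumptions for illustration,
# not the actual Dimension export format.
SAMPLE_LOG = """\
timestamp,src_ip,src_port,dst_ip,dst_port,protocol
2024-07-09 10:14:02,10.0.1.23,51544,198.51.100.53,53,udp
2024-07-09 10:15:37,10.0.1.57,40638,198.51.100.53,53,udp
2024-07-09 10:15:41,10.0.1.23,40212,203.0.113.9,443,tcp
2024-07-09 16:48:10,10.0.1.88,40638,198.51.100.53,53,udp
bad-row,10.0.1.99,notaport,198.51.100.53,53,udp
"""

FMT = "%Y-%m-%d %H:%M:%S"


def find_hosts(log_text, port, event_time, window_s=120, dst_port=None):
    """Return (src_ip, timestamp, offset_seconds) for rows whose source port
    matches and whose timestamp is within window_s of the alert time,
    closest match first. dst_port optionally narrows to one service."""
    event = datetime.strptime(event_time, FMT)
    hits = []
    for row in csv.DictReader(io.StringIO(log_text)):
        try:
            ts = datetime.strptime(row["timestamp"], FMT)
            sport = int(row["src_port"])
            dport = int(row["dst_port"])
        except (KeyError, TypeError, ValueError):
            continue  # skip malformed or truncated rows
        if sport != port:
            continue
        if dst_port is not None and dport != dst_port:
            continue
        offset = abs((ts - event).total_seconds())
        if offset <= window_s:
            hits.append((row["src_ip"], row["timestamp"], int(offset)))
    return sorted(hits, key=lambda h: h[2])


if __name__ == "__main__":
    # Alert time taken from the "Initial connection details" window (constructed here).
    for ip, ts, off in find_hosts(SAMPLE_LOG, 40638, "2024-07-09 10:15:40"):
        print(f"{ip} used source port 40638 at {ts} ({off}s from alert)")
```

A second host that used the same port hours later is excluded by the window, which is why the alert timestamp has to accompany the port number in any search.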
