question

Toshimasa S. asked ·

Creating a list of client IP addresses using the SMB protocol using DMI (NAM2018)

I created a list of client IP addresses using the SMB protocol using DMI, but I cannot get individual user names or client IP addresses. Since "Client from nn.nn.nn.nn / 24" is displayed, I think that the information is aggregated.


However, if the software service was changed to HTTP, individual user names and IP addresses could be obtained.

Then I tried it in DCRUM2017, but I was able to get individual user names and IP addresses here.

I want to know if there is a solution.

Toshimasa S. answered ·

Hi,

I contacted support. SMB protocol → Detailed settings →

When data aggregation was turned off, individual IPs could be obtained.


Kris Z. answered ·

Hi,

Indeed, aggregation occurs on the report server. There are several settings that control aggregation; it looks like your CAS 2017 and 2018 settings differ. Start by looking at Settings > NAM Server configuration and see which user aggregation options are enabled.

Also, have a look at the on-demand data (just drill down into "client from..." on standard CAS reports) to see exactly what client IP addresses are reported, and how many of them.

Best regards

2 comments

Hi

Thank you for your reply.

I also thought "NAM Server configuration" was involved right after I realized the problem.


However, after several tests, I noticed the following.

1. If the same list is created by setting the software service to "HTTP", individual IP addresses are displayed without being aggregated.


2. You can check individual user names by filtering to SMB from the "Operation Explorer" screen and jumping to "All Active User List" in "User Explorer".


So I guess the situation is as follows.

3. This problem is limited to SMB.

4. NAM Server holds information about individual IP addresses of SMB.


Best regards


Hi,

No, the problem won't be SMB-specific, as there is no per-decode aggregation logic. It is specific to decodes set to report user names versus those that don't report them.

If, for HTTP, you have user names reported, then IP addresses of those users come up as a consequence of individual user names being tracked.

If, for SMB, you don't have user names, only IP addresses, then the server extrapolates user names by simply showing the IP address when the user name is not present. But it still aggregates all clients to locations (manual or "client from"). You can see this in our case: the user name is "client from". In other words, the server aggregated the clients to a location "client from", then the server uses this location's IP address as the user name for all users from this location.

Now, there is indeed a difference between the 2017 and 2018 versions when it comes to representing the name of the "client from" aggregate location. For technical reasons, the CAS database needs to keep at least one reference IP address per location after aggregation has been done. In 2017, we simply showed that IP address as the client IP address for all clients from this location. This is misleading, as this IP address may be random. So in 2018 we show "-" as the client IP address for aggregate locations.

Long story short: if aggregation settings are exactly the same between the 2018 and 2017 servers, and aggregation takes place in both cases (i.e. in both cases you've seen user names like "client from" for SMB), then the client IP addresses in 2017 were just random representations of the locations, not real client IPs.

If this string of "ifs" doesn't represent your case, then a Support call may be needed to analyze and explain what exactly is going on there.

Independently of that, the NAM server does indeed hold individual IP addresses of clients, available for on-demand reporting of the activity upon drill-down from the "client from" level. This data is kept separately from the main data set and is available for a limited number of days (it is controlled by the user activity detail on-demand setting in the aforementioned server configuration).
