Tomasz S. asked ·

Why is an Active Transaction communicating with various nodes?

(Another question from @Shakti S.)

We can see the active transaction communicating with various nodes. In actual fact it should not happen this way; it should communicate only with the server that the specific transaction is hitting.
In the screenshot you can see that the transaction should communicate with bldirosapp11.strykercorp.com only.
But it's communicating with other nodes, especially bldtanpoc01.strykercorp.com. This is Tanium, a security client used in Endpoint Detection and Response (EDR).

The script is so simple, just launching the URL; nothing else is captured, as can be seen:
ShowStatusBox ("IROS site launching....")
StartTrace "01_HomePage"
GoToPage "http://iros2.strykercorp.com"
WaitForText "Internet Explorer MainWindow", "Basic Filter", True
StopTimerAndTrace "01_HomePage"

trace-07a10e93-e125-4449-9240-c5cf5af55c56.zip



Benjamin W. answered ·

The network trace is taken for the duration of the measurement, but it is not limited to the traffic caused by it - the entire network traffic to and from the client happening at the time of your measurement will be captured and will show up in your trace.

So any other service you have running on that machine that has some kind of communication in the background going on during the time of your measurement will show up in the network trace as well. Typical examples would be antivirus definitions that are updated, clock synchronizations with a time server, automated Windows updates etc.

Depending on what your use case is, this may be helpful for you or not.

In case you're only interested in the traffic related to the measurement, then I agree with Tomasz that you could move these "noise" applications to another machine.

However, if you're interested in simulating end users, then these end users may have similar applications running in the background on their machines as well, and these processes may affect the network in a similar way. In this case it is helpful to leave these applications installed to get a full picture of what's going on.

And you can always do both - run one Agent in ideal conditions and one in real-life conditions so you can compare the two.

I think there is also a way to filter certain hosts out of the network traces (support can advise you on how to do that), but I don't generally recommend it, because the fact that filtering took place tends to be forgotten, and the filtered network reports can then later cause confusion.


Tomasz S. answered ·

Thanks @Shakti S. for sharing the trace. What I wanted to find out was whether there was any background traffic happening at the same time as the scheduled script run.

When you open one of the traces in the DNA console and use Thread Analysis split with Packet Trace, you can see that the client is not only talking to the web server hosting your application (10.50.111.177:80), but also has to contact a DNS server first (10.80.0.211:53). The conversations to/from the other node (10.117.14.44:52817) must have been initiated before the capture start time and should probably be considered a noise thread. I would advise cleaning the agent machine of such background network activity because it may affect the calculations.

I'm not sure if there is a way to filter them out in ESM in a way similar to how it is achieved in the full DNA installation, so please move applications talking to such servers to other hosts to avoid spoiling Synthetic test script results.

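The reasoning in both answers (the capture contains every conversation the agent machine has open, and a TCP conversation with no connection start inside the capture window was already running before the measurement began) can be applied to a trace mechanically. The script below is an added example and is not ESM/DNA code or part of this thread; it works on a constructed packet list using the server addresses named by Tomasz, while the client address 10.0.0.5, the client ports, the timestamps and the capture window are assumptions.

```python
"""Split a client-side network trace into conversations and flag background noise.

Added example, not Dynatrace ESM/DNA code. A TCP conversation that shows no client
SYN inside the capture window was already in flight when the capture started and is
treated as noise; a DNS lookup plus a fresh connection to the web server is the
measured transaction.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

# One captured packet, reduced to the fields the heuristic needs:
# (timestamp_s, src_ip, src_port, dst_ip, dst_port, proto, tcp_flags)
Packet = Tuple[float, str, int, str, int, str, str]

CLIENT = "10.0.0.5"                 # assumed address of the ESM agent machine
CAPTURE_WINDOW = (100.0, 105.0)     # assumed capture start/end, in seconds

# Constructed sample trace. Server endpoints come from the thread (web server
# 10.50.111.177:80, DNS 10.80.0.211:53, other node 10.117.14.44:52817); the client
# address, client ports and timestamps are assumptions.
SAMPLE_TRACE: List[Packet] = [
    # conversation with the other node: mid-stream data, no SYN inside the window
    (100.20, CLIENT, 61000, "10.117.14.44", 52817, "TCP", "PA"),
    (100.25, "10.117.14.44", 52817, CLIENT, 61000, "TCP", "A"),
    # DNS lookup triggered by GoToPage
    (100.50, CLIENT, 53001, "10.80.0.211", 53, "UDP", ""),
    (100.52, "10.80.0.211", 53, CLIENT, 53001, "UDP", ""),
    # fresh TCP connection to the web server: client SYN, handshake, request
    (100.60, CLIENT, 50123, "10.50.111.177", 80, "TCP", "S"),
    (100.62, "10.50.111.177", 80, CLIENT, 50123, "TCP", "SA"),
    (100.63, CLIENT, 50123, "10.50.111.177", 80, "TCP", "A"),
    (100.64, CLIENT, 50123, "10.50.111.177", 80, "TCP", "PA"),
    # packet after the capture window: must be ignored
    (106.00, CLIENT, 61000, "10.117.14.44", 52817, "TCP", "PA"),
]


def peer_of(pkt: Packet, client: str) -> str:
    """Return the non-client endpoint of a packet as 'ip:port'."""
    _, sip, sport, dip, dport, _, _ = pkt
    return f"{dip}:{dport}" if sip == client else f"{sip}:{sport}"


def classify_conversations(trace: List[Packet], client: str,
                           window: Tuple[float, float]) -> Dict[str, str]:
    """Label each peer seen inside the window as 'dns', 'new' or 'pre-existing'."""
    start, end = window
    by_conv: Dict[Tuple[str, str], List[Packet]] = defaultdict(list)
    for pkt in sorted(trace):                       # sorted by timestamp first
        if start <= pkt[0] <= end:
            by_conv[(pkt[5], peer_of(pkt, client))].append(pkt)

    labels: Dict[str, str] = {}
    for (proto, peer), pkts in by_conv.items():
        first = pkts[0]
        if proto == "UDP" and peer.endswith(":53"):
            labels[peer] = "dns"                    # name resolution for the page under test
        elif proto == "TCP" and first[1] == client and first[6] == "S":
            labels[peer] = "new"                    # connection opened by the client in-window
        else:
            labels[peer] = "pre-existing"           # already running when capture started
    return labels


def measurement_packets(trace: List[Packet], client: str,
                        window: Tuple[float, float]) -> List[Packet]:
    """Keep only the packets of conversations the measured transaction caused."""
    labels = classify_conversations(trace, client, window)
    start, end = window
    return [p for p in sorted(trace)
            if start <= p[0] <= end and labels.get(peer_of(p, client)) in ("dns", "new")]


if __name__ == "__main__":
    for peer, label in classify_conversations(SAMPLE_TRACE, CLIENT, CAPTURE_WINDOW).items():
        print(f"{peer:<22} {label}")
    kept = measurement_packets(SAMPLE_TRACE, CLIENT, CAPTURE_WINDOW)
    print(f"{len(kept)} packets belong to the measurement")
```

The classification is a heuristic: a client that reuses a keep-alive connection to the web server from before the capture would also be labelled pre-existing, so check the peer list against the hosts the script is expected to reach before dropping anything, and keep the unfiltered trace alongside the filtered view for the reason Benjamin gives.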