10-30-2014 02:58 AM
Hi Guys,
When I'm trying to monitor the traffic via the Monitor tab on Palo Alto, I can see insufficient-data under the Application tab (using the TCP protocol) and probe-skype (using the UDP protocol).
Who can explain to me what these two applications mean? I need more info about them.
Thanks
10-30-2014 04:38 AM
Hello TigranGevorgyan ,
Insufficient data means that there was not enough data to identify the application. So for example, if the 3-way TCP handshake completed and there was one data packet after the handshake, but that one data packet was not enough to match any of our signatures, then you would see insufficient data in the application field of the traffic log.
If you open the traffic logs and analyze them in detail, you will see that the number of packets in each direction (server to client and client to server) is very low.
Secondly, skype-probe is an application for controlling the probing behaviour of Skype. It works over the UDP protocol with dynamic ports.
Reference DOC
Incomplete, Insufficient data and Not-applicable in the application field
Hope this helps.
Thanks
10-30-2014 05:36 AM
Hi Tigran,
Please refer to the following document for the insufficient-data app.
Incomplete, Insufficient data and Not-applicable in the application field
Refer to the following doc for skype-probe.
Regards,
Hardik Shah
10-30-2014 05:59 AM
A few more related discussion threads for your reference:
Re: Skype & unknown traffic
Skype-probe rule catching other traffic
Hope this helps.
Thanks
10-30-2014 02:02 PM
Good luck controlling Skype with the Palo. If you are on Active Directory, research how to deploy Group Policy to lock things down; this will help you with your attempt to use the Palo App-ID.
10-31-2014 06:14 AM
Guys,
Thanks a lot for your support. I'll study the documentation you gave me to understand the issue better.
Huge Thanks
Tigran
10-31-2014 06:33 AM
Guys, I would like to clarify one of the problems that happened this week. I received a call from another company; they said they had noticed what looked like a UDP scan or some kind of attack from our side. They had our real IP, and they gave me the IP that we "wanted" to scan. In the traffic logs I found the host the traffic came from; in the Monitor log the protocol was UDP and the application was skype-probe or insufficient-data. This went on for almost a week. Then I disconnected and reconnected the host's internet, and now everything works fine. Since restarting the network, everything is also OK on the other company's side.
Who can help me understand this mystery? :)
Thanks in Advance
Tigran
10-31-2014 06:48 AM
Could you please let me know which host it was? As you said, "disconnect and reconnect the host internet and everything works fine".
Thanks
10-31-2014 06:57 AM
The host is the MacBook of one of our developers. I reconnected the internet and everything was solved.
10-31-2014 07:12 AM
Hello Tigran,
There is a possibility that one or more processes on that MacBook were corrupted and flooding packets towards random public IP addresses. Did you check the utilization on that Mac before reconnecting the internet?
Thanks
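The two posts above describe the same thing from two angles: a session logged as insufficient-data or skype-probe carries very few packets in either direction, and a host spraying such UDP sessions at many different public IPs is exactly what the remote company reported as a scan. Below is an added example (not from the thread, and not a Palo Alto tool) that runs that check over a handful of constructed traffic-log rows. The column layout (time, src, dst, proto, app, pkts_c2s, pkts_s2c) is an assumption made for the example and is not the real PAN-OS CSV export schema; map your own export's columns onto these names before use.

```python
import csv
import io
from collections import defaultdict

# Constructed sample rows in a simplified traffic-log shape. The column order
# is an assumption for this example, NOT the actual PAN-OS export format.
# 10.0.0.25 plays the role of the misbehaving MacBook from the thread.
SAMPLE_LOG = """time,src,dst,proto,app,pkts_c2s,pkts_s2c
2014/10/24 09:01:02,10.0.0.25,203.0.113.10,udp,skype-probe,1,0
2014/10/24 09:01:02,10.0.0.25,203.0.113.11,udp,insufficient-data,1,0
2014/10/24 09:01:03,10.0.0.25,203.0.113.12,udp,skype-probe,2,0
2014/10/24 09:01:03,10.0.0.25,203.0.113.13,udp,insufficient-data,1,0
2014/10/24 09:01:04,10.0.0.25,203.0.113.14,udp,skype-probe,1,0
2014/10/24 09:01:04,10.0.0.25,203.0.113.15,udp,insufficient-data,1,1
2014/10/24 09:05:00,10.0.0.40,198.51.100.5,tcp,insufficient-data,4,3
2014/10/24 09:06:00,10.0.0.40,198.51.100.7,tcp,ssl,40,55
2014/10/24 09:07:00,10.0.0.41,203.0.113.99,udp,dns,1,1
2014/10/24 09:07:01,10.0.0.41,203.0.113.10,udp,skype-probe,1,0
"""

# App-ID values that mean "the firewall could not identify the application".
UNIDENTIFIED_APPS = {"insufficient-data", "skype-probe"}


def parse_log(text):
    """Parse CSV traffic-log text into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def session_packets(row):
    """Total packets in both directions for one logged session."""
    return int(row["pkts_c2s"]) + int(row["pkts_s2c"])


def scan_suspects(rows, min_distinct_dsts=5, max_pkts_per_session=3):
    """Return hosts that look like they are probing the internet.

    A session counts as a probe when it is UDP, its app could not be
    identified, and it carried at most max_pkts_per_session packets
    (the "very low packet count" the answer above describes). A source
    is flagged when it has such sessions to at least min_distinct_dsts
    different destination IPs.
    """
    dsts = defaultdict(set)
    sessions = defaultdict(int)
    for r in rows:
        if r["proto"] != "udp" or r["app"] not in UNIDENTIFIED_APPS:
            continue
        if session_packets(r) > max_pkts_per_session:
            continue
        dsts[r["src"]].add(r["dst"])
        sessions[r["src"]] += 1
    return {
        src: {"distinct_dsts": len(d), "sessions": sessions[src]}
        for src, d in dsts.items()
        if len(d) >= min_distinct_dsts
    }


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    for src, info in scan_suspects(rows).items():
        print(f"{src}: {info['sessions']} probe-like sessions to "
              f"{info['distinct_dsts']} distinct destinations")
```

On the constructed input only 10.0.0.25 is flagged: six single-packet UDP sessions to six different addresses. The legitimate short TCP session from 10.0.0.40 (handshake plus one data packet, also logged as insufficient-data) is not, because a single short session to one host is normal; the threshold that matters is the spread of destinations from one source, which is what the remote company saw as a scan. Lower min_distinct_dsts if the spray is slow, and widen UNIDENTIFIED_APPS if your logs show other unidentified App-IDs for the same host.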
10-31-2014 07:24 AM
Hi Hulk,
No, I didn't check anything before reconnecting. But I think the user of that Mac would have shut down the device after the working day. Is it possible that the corrupted process continued working for almost a week? How can I check the utilization on that Mac?
Huge thanks
Tigran