In most cases, clients are talking to servers to support services requested by users. We typically should not see clients communicating directly with other clients on our subnets, unless there is some file sharing or other type of expected activity.
In this video, we will look at how to filter for intra-subnet conversations - clients talking directly to other clients - and examine what normal vs. abnormal traffic looks like. We will see one client performing a TCP port scan and how to filter for open ports.
Hope this helps you in tracking down strange client behavior.
Leave a Reply