Forum Discussion

5 Replies

  • giltjr

    I'm pretty sure that HTTP, specifically HTTP 1.1 and newer, is the only service that can send the host name as part of the protocol. That does not even really send the host name, it sends whatever is entered after the //. If you enter http://1.2.3.4, it sends 1.2.3.4 as the "hostname".

     

  • If I may add, almost anything is possible, but you have to think about each situation in terms of the protocol you're dealing with. HTTP is a plain text protocol and a request generally includes a "Host" header that is easily available for logging. Telnet and FTP, however, do not pass host name information in the protocol. They simply connect to an IP address (that may have been resolved from a host name on the client side). You could certainly log the layer 4 data though (source and destination addresses). That would be universally available to all protocols. Telnet and FTP are also, for the most part, clear text, so it wouldn't be too difficult to log activity within the respective sessions.

     

  • giltjr

    "Dumb" question. For non-HTTP protocols, why do you care what host name they may have entered?

     

    For HTTP it matters because of virtual hosting based on host name. For the other protocols, since there is no host name passed, everything is the same. With the exception of the stuff MS has done for FTP and the FTP server that comes with IIS V7.

     

  • giltjr

    Do "you" (meaning either you directly or your company) control your DNS server? If so, you could turn on query logging and see how many times the names are queried. It would not be perfect, but it's better than nothing.

     

    Would logging the ports (21, 22, 23) help you, or do you really want the host names?
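Added example, not part of the thread: one way to act on the DNS query-logging suggestion above is to count lookups per watched host name from the resolver's query log. The log format (BIND 9 style), the host names, the addresses and the function name `count_queries` are assumptions; the sample lines are constructed.

```python
import re
from collections import Counter

# Constructed sample in BIND 9 query-log style (assumed format, not from the thread).
SAMPLE_LOG = """\
15-Mar-2024 10:01:02.123 queries: info: client @0x7f1c 192.0.2.10#53124 (ftp.example.com): query: ftp.example.com IN A +E(0)K (192.0.2.53)
15-Mar-2024 10:01:02.125 queries: info: client @0x7f1c 192.0.2.10#53125 (ftp.example.com): query: ftp.example.com IN AAAA +E(0)K (192.0.2.53)
15-Mar-2024 10:03:40.001 queries: info: client @0x7f2d 192.0.2.22#40111 (FTP.Example.com): query: FTP.Example.com IN A + (192.0.2.53)
15-Mar-2024 10:05:12.900 queries: info: client @0x7f3e 192.0.2.22#40200 (telnet.example.com): query: telnet.example.com IN A + (192.0.2.53)
15-Mar-2024 10:06:00.000 queries: info: client @0x7f4f 192.0.2.30#51000 (www.example.com): query: www.example.com IN A + (192.0.2.53)
15-Mar-2024 10:06:01.000 general: info: zone example.com/IN: loaded serial 2024031501
"""

# client [@id] <addr>#<port> (<qname>): query: <qname> <class> <type> ...
QUERY_RE = re.compile(
    r"client (?:@\S+ )?(?P<client>[0-9A-Fa-f.:]+)#\d+ \(\S+\): "
    r"query: (?P<name>\S+) (?P<cls>\S+) (?P<qtype>\S+)"
)

def count_queries(log_text, watched, qtypes=("A", "AAAA")):
    """Return (queries per watched name, distinct client addresses per name)."""
    # DNS names are case-insensitive; normalise case and any trailing dot.
    watched = {n.lower().rstrip(".") for n in watched}
    hits = Counter()
    clients = {}
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m or m["qtype"] not in qtypes:
            continue  # not a query line, or a record type we do not count
        name = m["name"].lower().rstrip(".")
        if name in watched:
            hits[name] += 1
            clients.setdefault(name, set()).add(m["client"])
    return hits, clients

if __name__ == "__main__":
    hits, clients = count_queries(SAMPLE_LOG, ["ftp.example.com", "telnet.example.com"])
    for name, n in hits.most_common():
        print(f"{name}: {n} queries from {len(clients[name])} client(s)")
```

Because clients and intermediate resolvers cache answers, the raw query count undercounts actual connections; the number of distinct client addresses per name is usually the more stable figure.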