Friday, July 10, 2015

Parse-TransportLogs - Which IPs on my network are sending SMTP through that connector?

I get asked this at some point in almost every Hybrid migration. The answer is always to turn up your SMTP logging to get those details. The problem is that parsing that data is difficult. Unlike an HTTP log where each hit was a transaction, SMTP logs contain the entire SMTP conversation, so one transaction can be 10-30 lines in an SMTP log file.

Additionally, SMTP logs store the remote-endpoint as a single field of IP and Port.

This script takes every *.log file from the directory you specify, searches for lines containing "Queued" (meaning the connector accepted an email) and writes those lines to a temporary file. It then parses that data and reports the top client IP addresses, each with a count!

Depending on the size of your log file data, this can take some time to run!
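The same idea, written out as an added example (this is not the Parse-TransportLogs script from the post). It assumes the Exchange receive protocol log layout: comma-separated rows under a "#Fields:" header, the remote-endpoint as the sixth column in IP:port form (the bracketed "[ipv6]:port" form is an assumption), and the accept response carrying "Queued mail for delivery", which is the "Queued" the post greps for. It goes one step beyond the post by counting per connector as well as per IP, so the same pass answers "which connector" and "which host"; the sample log is constructed, not taken from a real server.

```powershell
# Added example, not the Parse-TransportLogs script from this post.
# Assumes the Exchange receive protocol log layout: comma-separated rows under a
# "#Fields:" header, remote-endpoint as the 6th column in IP:port form, and the
# accept response carrying "Queued mail for delivery".

function Get-RemoteIP {
    # Strip the port from "10.0.0.5:49152" or "[2001:db8::5]:49152" (bracket form is an assumption).
    param([string] $Endpoint)
    if ($Endpoint -match '^\[(?<ip>[^\]]+)\]:\d+$') { return $Matches.ip }
    $i = $Endpoint.LastIndexOf(':')
    if ($i -gt 0) { return $Endpoint.Substring(0, $i) }
    return $Endpoint
}

function Measure-QueuedSenders {
    # Count accepted messages per connector and remote IP across the log lines piped in.
    [CmdletBinding()]
    param(
        [Parameter(ValueFromPipeline)] [string[]] $Lines,
        [int] $Top = 10
    )
    begin { $counts = @{} }
    process {
        foreach ($line in $Lines) {
            if ($line.StartsWith('#')) { continue }                        # header rows
            if ($line -notlike '*Queued mail for delivery*') { continue }  # only accepted messages
            $f = $line -split ',', 7                                       # data/context may hold commas
            if ($f.Count -lt 6) { continue }
            $key = '{0}|{1}' -f $f[1], (Get-RemoteIP $f[5])
            $counts[$key] = [int]$counts[$key] + 1
        }
    }
    end {
        $counts.GetEnumerator() | ForEach-Object {
            $conn, $ip = $_.Key -split '\|', 2
            [pscustomobject]@{ Connector = $conn; RemoteIP = $ip; Queued = $_.Value }
        } | Sort-Object Queued -Descending | Select-Object -First $Top
    }
}

function Get-QueuedSenders {
    # Same report over every *.log in a directory (Exchange writes one file per day).
    param([Parameter(Mandatory)] [string] $LogDirectory, [int] $Top = 10)
    Get-ChildItem -Path $LogDirectory -Filter '*.log' -File |
        ForEach-Object { Get-Content -Path $_.FullName } |
        Measure-QueuedSenders -Top $Top
}

# Constructed sample log (not from a real server) so the example runs offline.
$sample = @'
#Software: Microsoft Exchange Server
#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
2015-07-10T14:00:01.000Z,EX01\Relay,08D2A1,0,10.0.0.10:25,10.0.0.5:49152,+,,
2015-07-10T14:00:01.250Z,EX01\Relay,08D2A1,6,10.0.0.10:25,10.0.0.5:49152,>,250 2.6.0 <a@contoso.com> Queued mail for delivery,
2015-07-10T14:00:02.000Z,EX01\Relay,08D2A2,0,10.0.0.10:25,10.0.0.5:49160,+,,
2015-07-10T14:00:02.250Z,EX01\Relay,08D2A2,6,10.0.0.10:25,10.0.0.5:49160,>,250 2.6.0 <b@contoso.com> Queued mail for delivery,
2015-07-10T14:00:03.000Z,EX01\Relay,08D2A3,0,10.0.0.10:25,10.0.0.7:50001,+,,
2015-07-10T14:00:03.250Z,EX01\Relay,08D2A3,6,10.0.0.10:25,10.0.0.7:50001,>,250 2.6.0 <c@contoso.com> Queued mail for delivery,
2015-07-10T14:00:04.000Z,EX01\Default,08D2A4,0,10.0.0.10:25,[2001:db8::9]:50200,+,,
2015-07-10T14:00:04.250Z,EX01\Default,08D2A4,6,10.0.0.10:25,[2001:db8::9]:50200,>,250 2.6.0 <d@contoso.com> Queued mail for delivery,
2015-07-10T14:00:05.000Z,EX01\Default,08D2A5,0,10.0.0.10:25,10.0.0.8:50300,+,,
2015-07-10T14:00:05.250Z,EX01\Default,08D2A5,4,10.0.0.10:25,10.0.0.8:50300,>,550 5.7.1 Unable to relay,
'@ -split "`r?`n"

# Run over the constructed sample; against real logs use Get-QueuedSenders -LogDirectory <path>.
$sample | Measure-QueuedSenders -Top 5 | Format-Table -AutoSize
```

Filtering on the "Queued" response before splitting the row is what keeps this usable on a day of logs: only one line per accepted message is parsed, and the rejected session in the sample (the 550 response) never reaches the count.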

Download today from the TechNet Gallery!

Wednesday, July 08, 2015

SIP DHCP Option 120 DeMystified

On the surface, Option 120 seems simple - it's the Pool FQDN, hex-encoded.

Everyone knows to run DHCPUtil.exe -sipserver server.domain.com and have it spit out a long hex value for you. Option 43 is a little fancier and gets more press; Option 120 seems straightforward in comparison. What if I asked you to create the hex code without DHCPUtil? Sure sounds easy: you take that FQDN, run off to your local ASCII-to-hex converter, punch in your FQDN, get a non-human-readable string, and set your DHCP option. Done and done. What do you mean it's not working?

So, reading through RFC 3361 (as I am known to do in front of the fireplace, poring over dot-matrix printed copies, burning the parts I have already committed to memory) we learn that Option 120 has a VERY particular format.

That format can be seen below, where "##" is the hex code for the length (in characters) of the ASCII section that follows it.

00 + ## + HEXCODEHOSTNAME + ## + HEXCODEDOMAINNAME + ## + HEXCODETLDNAME + 00

That's confusing, but for a machine with limited CPU/RAM, that's a pretty sweet input.

So, let's un-Lync this for a minute and pretend our SIP server was www.bing.com. Keep in mind, the 00-FF range is 0-255 characters in each section of the FQDN. I don't know a TLD above 10 characters, but I guess they really wrote this code openly!

Section   Characters   Hex code
www       3            03
bing      4            04
com       3            03

I'll avoid the haiku here but the encoding for this would look like:

00 03 HEXCODE(www) 04 HEXCODE(bing) 03 HEXCODE(com) 00

Or this, as a single string (the hex length bytes 03, 04 and 03 were bolded in the original):
00037777770462696E6703636F6D00
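The layout above, built and checked in code as an added example (this is not DHCPUtil.exe and not the Excel sheet from the post). The encoder emits the leading 00, then each label as a length byte followed by its ASCII bytes, then the closing 00; the decoder walks the length bytes back out so a value can be verified before it goes into DHCP. The length byte could express 0-255 as the post notes, but RFC 1035 caps a DNS label at 63 octets, so the encoder refuses anything longer; the www.bing.com comparison uses the string shown above.

```powershell
# Added example, not DHCPUtil.exe and not the Excel sheet from this post.
# Builds the Option 120 layout 00 + ## + label + ## + label ... + 00 and decodes it back.

function ConvertTo-SipOption120Hex {
    param([Parameter(Mandatory)] [string] $Fqdn)
    $parts = @('00')                                   # enc = 0: name in DNS (RFC 1035) label form
    foreach ($label in ($Fqdn.TrimEnd('.') -split '\.')) {
        # The length byte could hold 0-255, but RFC 1035 caps a DNS label at 63 octets.
        if ($label.Length -lt 1 -or $label.Length -gt 63) {
            throw "Label '$label' must be 1-63 characters"
        }
        if ($label -notmatch '^[\x21-\x7E]+$') {       # ASCII only, or the byte count is off
            throw "Label '$label' contains non-ASCII characters"
        }
        $parts += '{0:X2}' -f $label.Length            # the "##" length byte
        $parts += ([System.Text.Encoding]::ASCII.GetBytes($label) | ForEach-Object { '{0:X2}' -f $_ }) -join ''
    }
    $parts += '00'                                     # root label terminates the name
    return (-join $parts)
}

function ConvertFrom-SipOption120Hex {
    param([Parameter(Mandatory)] [string] $Hex)
    $clean = $Hex -replace '\s', ''                    # tolerate "00 03 77 ..." spacing
    if ($clean.Length % 2 -ne 0) { throw 'Hex string has an odd number of digits' }
    $bytes = [byte[]]@(for ($i = 0; $i -lt $clean.Length; $i += 2) {
        [Convert]::ToByte($clean.Substring($i, 2), 16)
    })
    if ($bytes[0] -ne 0) { throw "Encoding byte $($bytes[0]) is not 0 (DNS name form)" }
    $labels = @()
    $p = 1
    while ($p -lt $bytes.Count -and $bytes[$p] -ne 0) {
        $len = [int]$bytes[$p]
        $p++
        if ($p + $len -gt $bytes.Count) { throw "Length byte $len runs past the end of the data" }
        $labels += [System.Text.Encoding]::ASCII.GetString([byte[]]($bytes[$p..($p + $len - 1)]))
        $p += $len
    }
    return ($labels -join '.')
}

# Check against the www.bing.com value worked out above, then round-trip it.
$hex = ConvertTo-SipOption120Hex -Fqdn 'www.bing.com'
if ($hex -ne '00037777770462696E6703636F6D00') { throw "Unexpected encoding: $hex" }
if ((ConvertFrom-SipOption120Hex -Hex $hex) -ne 'www.bing.com') { throw 'Round-trip failed' }
$hex
```

Running the decoder over a value you already have in DHCP is the quick way to tell a plain ASCII-to-hex paste (no leading 00, no length bytes) from a correctly framed one: the former fails the encoding-byte check, the latter comes back as the pool FQDN.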
Armed with this information, I began working in Excel so I could build these codes without needing RDP to a Lync or S4B server, or from a place where I might not have access to DHCPUtil.exe.

Taking the FQDN as an input in Excel, you need some fairly complicated text manipulation to break down the sections, perform the ASCII-to-hex conversions and concatenate the text. I am pleased to report that in my search for existing code I was able to find this Design Document Generator written by Alessio Giombini.

I have taken the tab and modified it some to release it separately to you here.
Download from the TechNet Gallery!

Here's a quick Office Mix I made on this.