Monitoring OneDrive Traffic
How to monitor OneDrive traffic
OneDrive is a file hosting service developed by Microsoft that allows users to sync files and later access them from any web browser or mobile device. At present, the free basic OneDrive package allows for 5GB of storage, and you can upgrade to a premium offering which allows for 1TB of storage. This can result in high bandwidth use associated with OneDrive traffic.
A common question asked by our customers is how to report on flow data usage by the Microsoft OneDrive application. The application requires access to a range of external websites and port numbers, which can make it tricky to get a top-level view of bandwidth use.
From an IP lookup point of view, all of the IP addresses are registered to Microsoft, so you may not be able to say definitively that it was OneDrive traffic using IP lookup alone.
Firstly, all of the traffic is encrypted; ignore the HTTP part, as that was me browsing other sites. This would be standard practice for all cloud storage services; I would be very surprised to find one that was not using encryption and if so, I would refuse to use it.
Drilling down on the HTTPS traffic revealed that the data was associated with the live.com domain. This makes perfect sense, as OneDrive is included in the suite of online services formerly known as Windows Live.
Further analysis highlights that this activity is associated with storage subdomains within live.com. LANGuardian captures this by dissecting the server’s SSL certificate (which is always required to be presented to the client), and at this point it can extract the server/domain name. By filtering on this subdomain info, it is then possible to show how much data is associated with OneDrive.
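The filtering step described above, sketched as an added example (not LANGuardian's code and not part of the original post): it sums bytes per client for flows whose certificate server name is a storage subdomain of live.com, matching on whole DNS labels so that look-alike names are not counted. The flow tuples, the host names and the rule that a storage subdomain carries "storage" in one of its labels are assumptions made for illustration.

```python
from collections import defaultdict

BASE_DOMAIN = "live.com"   # domain named in the article
STORAGE_HINT = "storage"   # assumption: storage subdomains carry this word in a label

def normalize(name):
    """Lower-case a certificate name, drop a trailing dot and a wildcard label."""
    name = name.strip().lower().rstrip(".")
    return name[2:] if name.startswith("*.") else name

def is_storage_name(name):
    """True only for names under BASE_DOMAIN with a storage label (label-boundary match)."""
    labels = normalize(name).split(".")
    base = BASE_DOMAIN.split(".")
    # Compare whole labels, so 'storage.notlive.com' and
    # 'storage.live.com.example.net' are rejected.
    if len(labels) <= len(base) or labels[-len(base):] != base:
        return False
    return any(STORAGE_HINT in label for label in labels[:-len(base)])

def onedrive_usage(flows):
    """Sum bytes per client for flows whose certificate name is a storage subdomain."""
    per_client = defaultdict(int)
    for client, cert_name, nbytes in flows:
        if cert_name and is_storage_name(cert_name):
            per_client[client] += nbytes
    return dict(per_client)

# Constructed sample flows: (client IP, server name taken from the certificate, bytes)
SAMPLE_FLOWS = [
    ("10.0.0.5", "*.storage.live.com", 52_000_000),
    ("10.0.0.5", "Example1.Storage.Live.com.", 8_000_000),
    ("10.0.0.7", "login.live.com", 40_000),                   # live.com, but not storage
    ("10.0.0.7", "storage.live.com.example.net", 9_000_000),  # look-alike suffix
    ("10.0.0.9", "storage.notlive.com", 1_000_000),           # look-alike domain
    ("10.0.0.9", None, 5_000),                                # no certificate name seen
    ("10.0.0.9", "abc.storage.live.com", 3_500_000),
]

if __name__ == "__main__":
    for client, total in sorted(onedrive_usage(SAMPLE_FLOWS).items()):
        print(f"{client}: {total / 1e6:.1f} MB")
```

A plain substring or `endswith("live.com")` test would count the two look-alike names as OneDrive traffic and overstate the totals.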
Finally, looking at the GeoIP data, I can see that the IP addresses are registered in the US. Nothing strange here, as I think all of Microsoft’s IP blocks are US registered.
If you want to check for OneDrive traffic volumes on your network, download a 30 day trial of LANGuardian, install it on a standard server or VMware, and simply connect it to a SPAN port or port mirror to find out what is happening on your network within minutes.