[Dshield] Traffic comparison - looking for tools

Jeff Kell jeff-kell at utc.edu
Wed Jun 1 21:00:03 GMT 2005


Josh Tolley wrote:

> I'm trying to track down a problem with a client-server application
> where the app quits responding periodically. 

> 2) Any suggestions as to software I can use to compare these two traffic
> streams? 

I had a similar situation where the server was a hosted application services provider, and their response time was miserable.  They blamed our network and/or connectivity, we blamed them, etc.

I tried ethereal, tcpdump, etc., which worked to a point, but it was painful to separate the signal from the noise in the sea of packets.  I cobbled together a few snort rules to fire on the transaction request (HTTP POST) and the first response packet, using flowbits to isolate the latter.

If you have obvious packets you can identify as "request" and "response" the same plan might work for you.  Let me know offline and I'll send you the isolated snort.conf with rules inline (you don't need an existing snort, or elaborate configuration and signatures, just a precompiled binary will do, windows included).

But to turn your query around, if anyone has any better tools for this type of analysis I'm all ears; I still had to sort-of manually calculate the response time metrics.  You can use ethereal raw to get rtt times, but that only applies to the network transit, and not application delays; you can have snort log the binary packets and redo your timestamps in "time since last packet" and it helps, but some more concrete analysis of the times would be nice (graphs, histograms, percentiles, partridge in a pear tree, etc).

Jeff
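The approach above (tag the request packet, arm a per-flow bit, fire on the first data-bearing reply from the server, then work out the response-time metrics that had to be done by hand) can be reproduced offline in a few lines. The following is an added example, not code from the original post or from Jeff's snort.conf. It assumes packet events have already been pulled out of a capture as (timestamp, src, sport, dst, dport, payload-prefix) tuples; the packet list below is constructed for illustration, the transaction marker is an HTTP POST to port 80, and the bucket edges are arbitrary:

```python
"""
Added example: per-flow request/response matching plus latency metrics.

The matcher keeps the same state a pair of snort flowbits rules would:
set a per-flow bit when the request is seen, and on the first server
packet that carries data while the bit is set, report and unset it.
Roughly the equivalent rules (illustrative, assumed syntax):
  alert tcp any any -> any 80 (content:"POST "; depth:5;
        flowbits:set,app.req; flowbits:noalert; sid:1000001;)
  alert tcp any 80 -> any any (dsize:>0; flowbits:isset,app.req;
        flowbits:unset,app.req; msg:"app response"; sid:1000002;)
Bare ACKs are skipped on purpose: they measure network transit, not
application delay, which is the distinction the post draws.
"""
import math

# Constructed sample, not a real capture:
# (timestamp_s, src, sport, dst, dport, payload_prefix)
SAMPLE_PACKETS = [
    (1000.000, "10.0.0.5", 40001, "192.0.2.10", 80, ""),            # SYN
    (1000.020, "192.0.2.10", 80, "10.0.0.5", 40001, ""),            # SYN/ACK
    (1000.021, "10.0.0.5", 40001, "192.0.2.10", 80, "POST /api HTTP/1.1"),
    (1000.045, "192.0.2.10", 80, "10.0.0.5", 40001, ""),            # bare ACK
    (1000.350, "192.0.2.10", 80, "10.0.0.5", 40001, "HTTP/1.1 200 OK"),
    (1000.360, "192.0.2.10", 80, "10.0.0.5", 40001, "<more body>"),  # continuation
    (1001.000, "10.0.0.5", 40002, "192.0.2.10", 80, "POST /api HTTP/1.1"),
    (1003.200, "192.0.2.10", 80, "10.0.0.5", 40002, "HTTP/1.1 200 OK"),
    (1004.000, "10.0.0.5", 40003, "192.0.2.10", 80, "POST /api HTTP/1.1"),
    (1004.010, "10.0.0.5", 40003, "192.0.2.10", 80, "body=..."),      # request body
    (1004.110, "192.0.2.10", 80, "10.0.0.5", 40003, "HTTP/1.1 200 OK"),
    (1005.000, "10.0.0.5", 40004, "192.0.2.10", 80, "GET / HTTP/1.1"),  # not a POST
    (1005.030, "192.0.2.10", 80, "10.0.0.5", 40004, "HTTP/1.1 200 OK"),
]


def match_transactions(packets, server_port=80, request_marker="POST "):
    """Return [(flow, request_ts, response_ts, delta_s)] for each matched pair."""
    pending = {}  # flow key -> request timestamp; acts like the set flowbit
    results = []
    for ts, src, sport, dst, dport, payload in packets:
        if dport == server_port and payload.startswith(request_marker):
            key = (src, sport, dst, dport)
            pending.setdefault(key, ts)  # only the first request packet counts
        elif sport == server_port and payload:  # data-bearing reply, not a bare ACK
            key = (dst, dport, src, sport)      # same flow, client side first
            req_ts = pending.pop(key, None)     # isset + unset in one step
            if req_ts is not None:
                results.append((key, req_ts, ts, ts - req_ts))
    return results


def percentile(values, p):
    """Nearest-rank percentile of values, p in [0, 100]."""
    if not values:
        raise ValueError("no samples")
    ordered = sorted(values)
    rank = max(1, math.ceil(p / 100 * len(ordered)))
    return ordered[rank - 1]


def histogram(values, bucket_edges_s=(0.05, 0.1, 0.25, 0.5, 1.0, 2.0, 5.0)):
    """Count samples per upper-edge bucket; a final bucket catches the rest."""
    counts = [0] * (len(bucket_edges_s) + 1)
    for v in values:
        for i, edge in enumerate(bucket_edges_s):
            if v <= edge:
                counts[i] += 1
                break
        else:
            counts[-1] += 1
    return counts


def summarize(packets):
    """Response-time summary of the kind the post says it still lacked."""
    deltas = [delta for _, _, _, delta in match_transactions(packets)]
    return {
        "count": len(deltas),
        "p50": percentile(deltas, 50),
        "p95": percentile(deltas, 95),
        "max": max(deltas),
        "histogram": histogram(deltas),
    }


if __name__ == "__main__":
    for flow, req, resp, delta in match_transactions(SAMPLE_PACKETS):
        print(f"{flow[0]}:{flow[1]} -> {flow[2]}:{flow[3]}  {delta*1000:8.1f} ms")
    stats = summarize(SAMPLE_PACKETS)
    print(f"n={stats['count']} p50={stats['p50']:.3f}s p95={stats['p95']:.3f}s max={stats['max']:.3f}s")
    for edge, n in zip(list(histogram.__defaults__[0]) + ["inf"], stats["histogram"]):
        print(f"<= {edge:>5}s  {'#' * n}")
```

Feeding it real traffic is a matter of producing the same tuples from tcpdump or tshark output (timestamp, addresses, ports, first bytes of payload); everything downstream, including the decision to ignore empty ACKs, stays the same.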
