[Dshield] Traffic comparison - looking for tools

Deb Hale haled at pionet.net
Wed Jun 1 21:53:57 GMT 2005

Josh,  If you find anything I would like to know about it.  I am
experiencing similar problems at a location. It appears that TCP packets
just disappear from the network - totally stop.  I am using Ethereal and
Packetyzer to capture packets and analyze what we are seeing.  I captured
about an hours work of packets today direct from the inside port on the
router and am going to take a look and see if anything jumps out at me. I
will let you know.  Deb 

-----Original Message-----
From: list-bounces at lists.dshield.org [mailto:list-bounces at lists.dshield.org]
On Behalf Of Josh Tolley
Sent: Wednesday, June 01, 2005 1:59 PM
To: General DShield Discussion List
Subject: [Dshield] Traffic comparison - looking for tools

Hi, all -

I'm trying to track down a problem with a client-server application where
the app quits responding periodically. After some investigation, it appears
the problem might be caused by dropped packets, though since the
communication is TCP, and TCP is supposed to handle that kind of thing, I
can't be too sure. I'd like to set up a sniffer at the client's site and one
at the server, and just compare to see if what gets sent matches what is

So a couple of questions:

1) Is there a better way? If the problem is due to lost packets, and if the
packets are being lost in some malfunctioning/congested router somewhere, I
can't count on getting ICMP messages about them, so I can't look at that. I
can't think of too many other options.

2) Any suggestions as to software I can use to compare these two traffic
streams? My first thought was just load both client- and server-side
captures in Ethereal, look for connections that were reported as having
frozen, find the corresponding stream in the other capture, and see if all
the packets that the client sent actually got there. This will definitely be
time-consuming, but I don't know of other options.

I'd appreciate any suggestions that can be given. I'm getting the distinct
impression, just because of the sheer amount of work I think I'm setting
myself up for, that there must be an easier way I'm just missing. Thanks...

Josh Tolley
Raintree Systems, Inc.
Office Phone: (801) 293-3090
Corporate Office: (760) 509-9000

-------------- Sponsor Message ------------------------------------
Join us at SANSFIRE 2005 in Atlanta!
The Internet Storm Center Conference.
Details: http://www.sans.org/sansfire2005

send all posts to list at lists.dshield.org To change your subscription options
(or unsubscribe), see: http://www.dshield.org/mailman/listinfo/list

More information about the list mailing list