[Dshield] Traffic comparison - looking for tools

Jim O'Gorman jogorman at gmail.com
Wed Jun 1 21:10:18 GMT 2005


Argus might handle it for you. http://www.qosient.com/argus/

However, I would be tempted to just run tcpdump (tcpdump 'port 80') on
each machine and then compare the output when the problem shows up.

The closer you get to the problem, the easier it will be to tell exactly what
is going on.

On 6/1/05, Josh Tolley <josh at raintreeinc.com> wrote:
> Hi, all -
> 
> I'm trying to track down a problem with a client-server application
> where the app quits responding periodically. After some investigation,
> it appears the problem might be caused by dropped packets, though since
> the communication is TCP, and TCP is supposed to handle that kind of
> thing, I can't be too sure. I'd like to set up a sniffer at the client's
> site and one at the server, and just compare to see if what gets sent
> matches what is received.
> 
> So a couple of questions:
> 
> 1) Is there a better way? If the problem is due to lost packets, and if
> the packets are being lost in some malfunctioning/congested router
> somewhere, I can't count on getting ICMP messages about them, so I can't
> look at that. I can't think of too many other options.
> 
> 2) Any suggestions as to software I can use to compare these two traffic
> streams? My first thought was just load both client- and server-side
> captures in Ethereal, look for connections that were reported as having
> frozen, find the corresponding stream in the other capture, and see if
> all the packets that the client sent actually got there. This will
> definitely be time-consuming, but I don't know of other options.
> 
> I'd appreciate any suggestions that can be given. I'm getting the
> distinct impression, just because of the sheer amount of work I think
> I'm setting myself up for, that there must be an easier way I'm just
> missing. Thanks...
> 
> --
> Josh Tolley
> Raintree Systems, Inc.
> http://www.raintreeinc.com
> Office Phone: (801) 293-3090
> Corporate Office: (760) 509-9000
> 


-- 
Jim
jameso at elwood.net
jogorman at gmail.com
http://www.elwood.net
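One way to do the comparison Jim suggests (tcpdump at each end, then diff the two outputs) without hand-matching every stream in Ethereal: the added example below is not from the thread; it parses the text output of `tcpdump -n` from both sniffers, keys each payload-carrying segment on (src, dst, seq, length), and reports segments that left the sender more times than they arrived, plus sender-side retransmissions. The capture lines, hosts and ports are constructed sample data.

```python
import re
from collections import Counter

# Constructed sample output of `tcpdump -n 'port 80'` taken at each end (not from the thread):
# the client's second 100-byte segment never reaches the server and is retransmitted 1.2 s later.
CLIENT_CAPTURE = """\
12:00:00.000100 IP 10.1.1.5.40001 > 192.0.2.10.80: Flags [P.], seq 1:101, ack 1, win 512, length 100
12:00:00.000200 IP 10.1.1.5.40001 > 192.0.2.10.80: Flags [P.], seq 101:201, ack 1, win 512, length 100
12:00:00.000300 IP 10.1.1.5.40001 > 192.0.2.10.80: Flags [P.], seq 201:301, ack 1, win 512, length 100
12:00:00.060000 IP 192.0.2.10.80 > 10.1.1.5.40001: Flags [.], ack 101, win 1024, length 0
12:00:01.200000 IP 10.1.1.5.40001 > 192.0.2.10.80: Flags [P.], seq 101:201, ack 1, win 512, length 100
12:00:01.300000 IP 192.0.2.10.80 > 10.1.1.5.40001: Flags [P.], seq 1:51, ack 301, win 1024, length 50
"""
SERVER_CAPTURE = """\
12:00:00.030100 IP 10.1.1.5.40001 > 192.0.2.10.80: Flags [P.], seq 1:101, ack 1, win 512, length 100
12:00:00.030300 IP 10.1.1.5.40001 > 192.0.2.10.80: Flags [P.], seq 201:301, ack 1, win 512, length 100
12:00:00.030400 IP 192.0.2.10.80 > 10.1.1.5.40001: Flags [.], ack 101, win 1024, length 0
12:00:01.230000 IP 10.1.1.5.40001 > 192.0.2.10.80: Flags [P.], seq 101:201, ack 1, win 512, length 100
12:00:01.270000 IP 192.0.2.10.80 > 10.1.1.5.40001: Flags [P.], seq 1:51, ack 301, win 1024, length 50
"""

# tcpdump's TCP summary line: "seq a:b" on data segments, no seq at all on pure ACKs.
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\S+) > (?P<dst>\S+): Flags \[[^\]]*\], "
    r"(?:seq (?P<seq>\d+)(?::\d+)?, )?.*length (?P<length>\d+)$"
)

def parse_segments(text):
    """Yield (src, dst, seq, length) for every segment that carries payload."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m["seq"] is not None and int(m["length"]) > 0:
            yield (m["src"], m["dst"], int(m["seq"]), int(m["length"]))

def lost_segments(sender_capture, receiver_capture, sender_host):
    """Segments sourced by sender_host seen more times leaving than arriving -> {segment: copies_lost}."""
    sent = Counter(s for s in parse_segments(sender_capture)
                   if s[0].startswith(sender_host + "."))
    recv = Counter(parse_segments(receiver_capture))
    return {seg: sent[seg] - recv[seg] for seg in sent if sent[seg] > recv[seg]}

def retransmissions(capture):
    """Segments seen more than once in one capture: the sender re-sent them, a drop's fingerprint."""
    return {seg: n for seg, n in Counter(parse_segments(capture)).items() if n > 1}

if __name__ == "__main__":
    for seg, n in lost_segments(CLIENT_CAPTURE, SERVER_CAPTURE, "10.1.1.5").items():
        print(f"lost {n}x: {seg[0]} -> {seg[1]} seq {seg[2]} len {seg[3]}")
    for seg, n in retransmissions(CLIENT_CAPTURE).items():
        print(f"client re-sent seq {seg[2]} len {seg[3]} ({n} copies in capture)")
```

A segment present in the sender's capture and absent from the receiver's is only evidence of a drop on the path if neither sniffer itself lost it, so check the "packets dropped by kernel" count tcpdump prints when it exits. Run the comparison once per direction (swap the two captures and pass the other host) to catch loss of the server's replies as well.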
