[Dshield] Traffic comparison - looking for tools

Josh Tolley josh at raintreeinc.com
Wed Jun 1 21:28:14 GMT 2005

David Cary Hart wrote:
> On Wed, 2005-06-01 at 17:00 -0400, Jeff Kell wrote:
>>I had a similar situation where the server was a hosted application services provider, and their response time was miserable.  They blamed our network and/or connectivity, we blamed them, etc.
>>I tried ethereal, tcpdump, etc., which worked to a point, but were painful to separate the signal from the noise in the sea of packets.  I cobbled together a few snort rules to fire on the transaction request (HTTP POST) and the first response packet, using flowbits to isolate the latter.
> What happens if you use appropriate capture rules in ethereal. It's
> pretty easy to isolate only the packets that you are looking for or at
> least to eliminate the obvious noise.

Ethereal rules will definitely cut down the noise -- I'm only interested 
in traffic to a particular server on a particular port. That said, that 
server has thirty or forty users at once using it fairly actively, so 
it's still lots of traffic.

Further investigation indicates that the problem might stem from 
connections being actively reset (e.g. RST packets or ICMP messages). If 
I can assure myself that that's the only traffic I'm looking for, it 
will greatly simplify the process. That said, I'm still very open to 

Josh Tolley
Raintree Systems, Inc.
Office Phone: (801) 293-3090
Corporate Office: (760) 509-9000
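
An added illustration (my own example, not code posted in this thread): the same idea as Jeff's snort flowbits rules, done over a capture. It keeps only packets to or from one server/port, remembers each HTTP POST, times the first reply, and logs RSTs and ICMP unreachables that would explain a "reset" symptom. The server address, client addresses and packet bytes are constructed placeholders.

```python
import struct
from socket import inet_aton
SERVER = ("10.0.0.5", 80)   # assumed server/port under investigation (placeholder value)
RST, PSH_ACK = 0x04, 0x18

def parse_ip(raw):
    """Parse a bare IPv4 packet (no link layer) into a dict; TCP and ICMP fields only."""
    ip = lambda b: ".".join(map(str, b))
    pkt, l4 = {"proto": raw[9], "src": ip(raw[12:16]), "dst": ip(raw[16:20])}, raw[(raw[0] & 0x0F) * 4:]
    if pkt["proto"] == 6:                    # TCP: ports, flags, payload
        sport, dport, _, _, off_flags = struct.unpack("!HHIIH", l4[:14])
        pkt.update(sport=sport, dport=dport, flags=off_flags & 0x1FF, payload=l4[(off_flags >> 12) * 4:])
    elif pkt["proto"] == 1:                  # ICMP: type plus the dst of the quoted inner IP header
        pkt.update(icmp_type=l4[0], inner_dst=ip(l4[24:28]))
    return pkt

def analyze(trace, server=SERVER):
    """trace = [(timestamp, raw_ipv4_bytes)]: time POST -> first reply per flow, log RST/ICMP."""
    pending, latency, resets = {}, {}, []
    for ts, raw in trace:
        p = parse_ip(raw)
        if p.get("icmp_type") == 3 and p["inner_dst"] == server[0]:   # unreachable quoting a packet to our server
            resets.append((ts, p["dst"], "ICMP unreachable"))
        to_srv, from_srv = (p["dst"], p.get("dport")) == server, (p["src"], p.get("sport")) == server
        if not (to_srv or from_srv): continue                         # noise: not our server/port
        flow = (p["src"], p["sport"]) if to_srv else (p["dst"], p["dport"])   # keyed by the client side
        if p["flags"] & RST:
            resets.append((ts, flow, "RST from server" if from_srv else "RST from client"))
        elif to_srv and p["payload"].startswith(b"POST ") and flow not in pending:
            pending[flow] = ts                                        # request seen: set the "flowbit"
        elif from_srv and p["payload"] and flow in pending:
            latency[flow] = ts - pending.pop(flow)                    # first response packet clears it
    return {"latency": latency, "resets": resets}

def build(proto, src, dst, l4):
    """Constructed IPv4 packet around an L4 blob (checksums left at zero; demo only)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                       inet_aton(src), inet_aton(dst)) + l4

def tcp(src, dst, sport, dport, flags, payload=b""):
    return build(6, src, dst, struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, 8192, 0, 0) + payload)

def demo_trace():   # constructed capture: a healthy POST/reply, a POST answered by RST, then an ICMP unreachable
    srv, a, b = SERVER[0], "192.0.2.10", "192.0.2.11"
    post_b = tcp(b, srv, 40002, 80, PSH_ACK, b"POST /x HTTP/1.1\r\n")
    return [(0.00, tcp(a, srv, 40001, 80, PSH_ACK, b"POST /x HTTP/1.1\r\n")),
            (0.30, tcp(srv, a, 80, 40001, PSH_ACK, b"HTTP/1.1 200 OK\r\n")),
            (1.00, post_b),
            (4.50, tcp(srv, b, 80, 40002, RST | 0x10)),
            (5.00, build(1, "198.51.100.1", b, struct.pack("!BBHI", 3, 1, 0, 0) + post_b[:28]))]
```

On a real capture you would feed `analyze` the IP payloads and timestamps read from a pcap instead of `demo_trace()`; a flow that never leaves `pending` is a request that got no reply at all.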

