[Dshield] Traffic comparison - looking for tools

Lauro, John jlauro at umflint.edu
Wed Jun 1 22:19:22 GMT 2005

I recommend argus.  http://www.qosient.com/argus/

It can give fairly detailed flow info, including info on
retransmissions, etc...

> -----Original Message-----
> From: list-bounces at lists.dshield.org [mailto:list-
> bounces at lists.dshield.org] On Behalf Of Josh Tolley
> Sent: Wednesday, June 01, 2005 2:59 PM
> To: General DShield Discussion List
> Subject: [Dshield] Traffic comparison - looking for tools
> Hi, all -
> I'm trying to track down a problem with a client-server application
> where the app quits responding periodically. After some
> it appears the problem might be caused by dropped packets, though
> the communication is TCP, and TCP is supposed to handle that kind of
> thing, I can't be too sure. I'd like to set up a sniffer at the
> site and one at the server, and just compare to see if what gets
> matches what is received.
> So a couple of questions:
> 1) Is there a better way? If the problem is due to lost packets, and
> the packets are being lost in some malfunctioning/congested router
> somewhere, I can't count on getting ICMP messages about them, so I
> look at that. I can't think of too many other options.
> 2) Any suggestions as to software I can use to compare these two
> streams? My first thought was just load both client- and server-side
> captures in Ethereal, look for connections that were reported as
> frozen, find the corresponding stream in the other capture, and see
> all the packets that the client sent actually got there. This will
> definitely be time-consuming, but I don't know of other options.
> I'd appreciate any suggestions that can be given. I'm getting the
> distinct impression, just because of the sheer amount of work I
> I'm setting myself up for, that there must be an easier way I'm just
> missing. Thanks...
> http://www.dshield.org/mailman/listinfo/list
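The two-capture comparison described in the quoted question, as an added example (it is not from this thread, nor part of argus or Ethereal): the `Segment` records and the sample captures are constructed, it assumes a pcap decoder has already reduced each capture to per-segment records, and it matches segments by TCP sequence number and length instead of by timestamp so the two sniffers' clocks need not agree.

```python
from collections import Counter
from typing import NamedTuple


class Segment(NamedTuple):
    """One TCP data segment as decoded from a capture (a pcap decoder is
    assumed to have produced these; only the matching fields are kept)."""
    src: str     # sender as "ip:port"
    dst: str     # receiver as "ip:port"
    seq: int     # TCP sequence number of the first payload byte
    length: int  # payload bytes


def segment_key(seg):
    # Match on addresses, sequence number and length rather than on time:
    # the two sniffers are not clock-synchronised, but TCP sequence numbers
    # name the same bytes on both sides.  Assumes no NAT between the taps.
    return (seg.src, seg.dst, seg.seq, seg.length)


def compare_captures(sent, received):
    """Compare one direction of a stream as seen at the sender with the same
    direction as seen at the far end: which segments never arrived, which the
    sender had to retransmit, and how many copies the path dropped."""
    sent_counts = Counter(segment_key(s) for s in sent)
    recv_counts = Counter(segment_key(s) for s in received)
    return {
        # left the sender, never seen at the receiver: what a frozen
        # connection looks like when the loss is on the path
        "lost": sorted(k for k in sent_counts if k not in recv_counts),
        # same seq/length captured more than once at the sender
        "retransmitted": sorted(k for k, n in sent_counts.items() if n > 1),
        # copies that left the sender but were not captured at the receiver
        "dropped_copies": sum(n - recv_counts.get(k, 0)
                              for k, n in sent_counts.items()
                              if n > recv_counts.get(k, 0)),
        "delivered": sum(1 for k in sent_counts if k in recv_counts),
    }


# Constructed sample data standing in for two decoded captures (client -> server).
C, S = "10.0.0.5:51000", "192.0.2.10:5000"
CLIENT_SIDE = [Segment(C, S, 1000, 100), Segment(C, S, 1100, 100),
               Segment(C, S, 1200, 100), Segment(C, S, 1100, 100),  # retransmit
               Segment(C, S, 1300, 100), Segment(C, S, 1400, 100)]
SERVER_SIDE = [Segment(C, S, 1000, 100), Segment(C, S, 1200, 100),
               Segment(C, S, 1100, 100), Segment(C, S, 1300, 100)]

if __name__ == "__main__":
    for name, value in compare_captures(CLIENT_SIDE, SERVER_SIDE).items():
        print(f"{name}: {value}")
```

Run the same comparison on the server-to-client direction by swapping the roles of the two captures; a segment that is retransmitted at the sender yet appears only once at the receiver is the path dropping the first copy, which TCP recovers from but only after a retransmission timeout.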

