[Dshield] Traffic comparison - looking for tools

Mrcorp mrcorp at yahoo.com
Wed Jun 1 22:17:17 GMT 2005

I just experiences this same problem In a windows 2003 environment.  It was tied to a patch MS
released last patch Tuesday.  It seems to create problems intermittently impacting email, AD, and
etc.  Contacted Microsoft and they sent a hotfix.  A new patch will be release the next patch


--- Josh Tolley <josh at raintreeinc.com> wrote:

> Hi, all -
> I'm trying to track down a problem with a client-server application 
> where the app quits responding periodically. After some investigation, 
> it appears the problem might be caused by dropped packets, though since 
> the communication is TCP, and TCP is supposed to handle that kind of 
> thing, I can't be too sure. I'd like to set up a sniffer at the client's 
> site and one at the server, and just compare to see if what gets sent 
> matches what is received.
> So a couple of questions:
> 1) Is there a better way? If the problem is due to lost packets, and if 
> the packets are being lost in some malfunctioning/congested router 
> somewhere, I can't count on getting ICMP messages about them, so I can't 
> look at that. I can't think of too many other options.
> 2) Any suggestions as to software I can use to compare these two traffic 
> streams? My first thought was just load both client- and server-side 
> captures in Ethereal, look for connections that were reported as having 
> frozen, find the corresponding stream in the other capture, and see if 
> all the packets that the client sent actually got there. This will 
> definitely be time-consuming, but I don't know of other options.
> I'd appreciate any suggestions that can be given. I'm getting the 
> distinct impression, just because of the sheer amount of work I think 
> I'm setting myself up for, that there must be an easier way I'm just 
> missing. Thanks...
> -- 
> Josh Tolley
> Raintree Systems, Inc.
> http://www.raintreeinc.com
> Office Phone: (801) 293-3090
> Corporate Office: (760) 509-9000
> -------------- Sponsor Message ------------------------------------
> Join us at SANSFIRE 2005 in Atlanta!
> The Internet Storm Center Conference.
> Details: http://www.sans.org/sansfire2005
> _______________________________________________
> send all posts to list at lists.dshield.org
> To change your subscription options (or unsubscribe), see:
> http://www.dshield.org/mailman/listinfo/list

More information about the list mailing list