[Dshield] Traffic comparison - looking for tools

Mrcorp mrcorp at yahoo.com
Thu Jun 2 13:33:39 GMT 2005


http://www.eweek.com/article2/0,1759,1815956,00.asp
http://www.sans.org/newsletters/newsbites/newsbites.php?vol=7&issue=20&rss=Y#307

--- ajnevman <ajnevman at yahoo.com> wrote:

> We are currently in the midst of migrating to a 2k3 environment. That patch you mentioned, what
> was it for? We have been having great problems within AD, in particular with our Exchange servers'
> ability to communicate via SMTP and our MX records getting hosed.....
> thanks
> aj
> 
> Mrcorp <mrcorp at yahoo.com> wrote:
> I just experienced this same problem in a Windows 2003 environment. It was tied to a patch MS
> released last Patch Tuesday. It seems to create problems intermittently, impacting email, AD,
> etc. Contacted Microsoft and they sent a hotfix. A new patch will be released the next Patch
> Tuesday.
> 
> Mrcorp
> 
> --- Josh Tolley wrote:
> 
> > Hi, all -
> > 
> > I'm trying to track down a problem with a client-server application 
> > where the app quits responding periodically. After some investigation, 
> > it appears the problem might be caused by dropped packets, though since 
> > the communication is TCP, and TCP is supposed to handle that kind of 
> > thing, I can't be too sure. I'd like to set up a sniffer at the client's 
> > site and one at the server, and just compare to see if what gets sent 
> > matches what is received.
> > 
> > So a couple of questions:
> > 
> > 1) Is there a better way? If the problem is due to lost packets, and if 
> > the packets are being lost in some malfunctioning/congested router 
> > somewhere, I can't count on getting ICMP messages about them, so I can't 
> > look at that. I can't think of too many other options.
> > 
> > 2) Any suggestions as to software I can use to compare these two traffic 
> > streams? My first thought was just to load both client- and server-side 
> > captures in Ethereal, look for connections that were reported as having 
> > frozen, find the corresponding stream in the other capture, and see if 
> > all the packets that the client sent actually got there. This will 
> > definitely be time-consuming, but I don't know of other options.
> > 
> > I'd appreciate any suggestions that can be given. I'm getting the 
> > distinct impression, just because of the sheer amount of work I think 
> > I'm setting myself up for, that there must be an easier way I'm just 
> > missing. Thanks...
> > 
> > -- 
> > Josh Tolley
> > Raintree Systems, Inc.
> > http://www.raintreeinc.com
> > Office Phone: (801) 293-3090
> > Corporate Office: (760) 509-9000
> > 
> > -------------- Sponsor Message ------------------------------------
> > Join us at SANSFIRE 2005 in Atlanta!
> > The Internet Storm Center Conference.
> > Details: http://www.sans.org/sansfire2005
> > 
> > _______________________________________________
> > send all posts to list at lists.dshield.org
> > To change your subscription options (or unsubscribe), see:
> > http://www.dshield.org/mailman/listinfo/list
> > 
> 
> 
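
An added example, not part of the original thread, of the comparison asked about in the quoted question: it reads a client-side and a server-side capture in classic libpcap format and lists the TCP segments the client capture shows leaving that the server capture never recorded. It assumes Ethernet/IPv4 frames and no NAT between the two capture points; the function names and the sample captures are constructed for illustration.

```python
import struct
from collections import Counter

def tcp_segments(pcap):
    """Yield (src, dst, sport, dport, seq, payload_len) per TCP/IPv4 frame."""
    # Classic pcap only; the magic number tells us the writer's byte order.
    end = "<" if struct.unpack("<I", pcap[:4])[0] == 0xA1B2C3D4 else ">"
    off = 24                                    # skip the global header
    while off + 16 <= len(pcap):
        caplen = struct.unpack(end + "IIII", pcap[off:off + 16])[2]
        frame, off = pcap[off + 16:off + 16 + caplen], off + 16 + caplen
        if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                            # not Ethernet/IPv4/TCP
        ihl = (frame[14] & 0x0F) * 4
        tcp = frame[14 + ihl:]
        if len(tcp) < 20:
            continue                            # TCP header cut off by snaplen
        sport, dport, seq = struct.unpack("!HHI", tcp[:8])
        total_len = struct.unpack("!H", frame[16:18])[0]
        src, dst = (".".join(map(str, frame[i:i + 4])) for i in (26, 30))
        yield src, dst, sport, dport, seq, total_len - ihl - (tcp[12] >> 4) * 4

def lost_in_transit(sent_pcap, seen_pcap, sender_ip):
    """Segments from sender_ip in the near-side capture that are absent
    from the far-side capture; a retransmission counts as its own copy."""
    sent = Counter(s for s in tcp_segments(sent_pcap) if s[0] == sender_ip)
    seen = Counter(s for s in tcp_segments(seen_pcap) if s[0] == sender_ip)
    return sorted((sent - seen).elements(), key=lambda s: s[4])

# --- constructed sample captures (addresses, ports and payloads are made up) ---
def _frame(src, dst, seq, payload):
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(src), bytes(dst))
    tcp = struct.pack("!HHIIBBHHH", 40000, 5000, seq, 0, 0x50, 0x18, 8192, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload

def _pcap(frames):
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

_s = [_frame((10, 0, 0, 5), (10, 0, 0, 9), 1000 + 100 * i, b"x" * 100) for i in range(4)]
CLIENT_PCAP = _pcap(_s + [_s[2]])           # client resends seq 1200 once
SERVER_PCAP = _pcap([_s[0], _s[2], _s[3]])  # seq 1100 and one copy of 1200 never arrive

if __name__ == "__main__":
    for seg in lost_in_transit(CLIENT_PCAP, SERVER_PCAP, "10.0.0.5"):
        print("missing at server:", seg)
```

Segments are matched on addresses, ports, sequence number and payload length, so a path that rewrites any of these will show every segment as missing.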



