[Dshield] Traffic comparison - looking for tools

Stryc9 _ stryc9 at gmail.com
Thu Jun 2 14:27:23 GMT 2005


I am guessing the above poster is referring to MS05-019, which included
many TCP/IP vuln fixes and killed raw sockets, etc, etc.  It has hosed
our domain as well.  The URL for the KB article describing the
problems with the patch and how to get the hotfix:

http://support.microsoft.com/kb/898060/

We even removed the hotfix sometime last month as I thought it may
have been the patch causing all the RPC troubles but it didn't change
anything.  I don't think removing the patches does more than remove
them from the Add/Remove Programs list.  But reinstalling MS05-019 and
installing the hotfix obtained from MS seems to have fixed all of our
problems.  BTW SP1 for Server 2003 can cause the same issue.

HTH

On 6/2/05, ajnevman <ajnevman at yahoo.com> wrote:
> We are currently in the midst of migrating to a 2k3 environment. That patch you mentioned, what was it for? We have been having great problems within AD, in particular with our Exchange servers' ability to communicate via SMTP and our MX records getting hosed.....
> thanks
> aj
> 
> Mrcorp <mrcorp at yahoo.com> wrote:
> I just experienced this same problem in a Windows 2003 environment. It was tied to a patch MS
> released last patch Tuesday. It seems to create problems intermittently, impacting email, AD,
> etc. Contacted Microsoft and they sent a hotfix. A new patch will be released the next patch
> Tuesday.
> 
> Mrcorp
> 
> --- Josh Tolley wrote:
> 
> > Hi, all -
> >
> > I'm trying to track down a problem with a client-server application
> > where the app quits responding periodically. After some investigation,
> > it appears the problem might be caused by dropped packets, though since
> > the communication is TCP, and TCP is supposed to handle that kind of
> > thing, I can't be too sure. I'd like to set up a sniffer at the client's
> > site and one at the server, and just compare to see if what gets sent
> > matches what is received.
> >
> > So a couple of questions:
> >
> > 1) Is there a better way? If the problem is due to lost packets, and if
> > the packets are being lost in some malfunctioning/congested router
> > somewhere, I can't count on getting ICMP messages about them, so I can't
> > look at that. I can't think of too many other options.
> >
> > 2) Any suggestions as to software I can use to compare these two traffic
> > streams? My first thought was just load both client- and server-side
> > captures in Ethereal, look for connections that were reported as having
> > frozen, find the corresponding stream in the other capture, and see if
> > all the packets that the client sent actually got there. This will
> > definitely be time-consuming, but I don't know of other options.
> >
> > I'd appreciate any suggestions that can be given. I'm getting the
> > distinct impression, just because of the sheer amount of work I think
> > I'm setting myself up for, that there must be an easier way I'm just
> > missing. Thanks...
> >
> > --
> > Josh Tolley
> > Raintree Systems, Inc.
> > http://www.raintreeinc.com
> > Office Phone: (801) 293-3090
> > Corporate Office: (760) 509-9000
> >