Wireshark is a great way to capture network packets, but it's not always practical to use it. In an enterprise environment, at the very least, we need to get a change approved to install the software. Often it is just not possible to get approval to install Wireshark onto a desktop or server. So packet capture isn't possible - or is it?
Windows includes a rarely-used command line tool that has many of the capabilities of Wireshark's dumpcap. It's there ready and waiting, on every Windows machine! Let's take a look at how we can use it.
Windows 2000 introduced a command line utility called netsh (network shell). As the name suggests, netsh is a shell environment that provides commands that address network issues. One of the commands it provides is netsh trace, a simple command line packet capture tool.
In the wake of current security issues, I thought it would be a good exercise to review my social media security and application settings.
To be honest, I have only heard of such an exercise but never actually done it.
I started with Yahoo since it was in the recent news. I was surprised how simple it was. I simply clicked on my account avatar and selected the only option, “Account Info”.
Once there, I clicked on “Recent activity” and reviewed what devices accessed my account and from where. A quick glance at the recent activity revealed nothing suspicious, confirming that all is well.
I moved on to review the various apps or sites that I have used my Yahoo login to access. I honestly don’t remember authorizing Google and can’t figure out why I authorized it back in 2012, so I removed it.
I give Yahoo credit for their reports that report ‘last used’ and location which I used to validate the application or site in question. Since I travel quite a bit, that little tidbit was extremely helpful.
Be careful with what you play with. A good example was when I disabled the “Allow apps that use less secure sign in” option and my Outlook suddenly failed when trying to retrieve emails from my Yahoo email. Oops.
If you’ve ever owned a pair of Adadas shoes or worn a Rollex watch, you probably grasp the appeal of fake stuff. The Chinese are well-known for their addiction to fake stuff, although no one is really sure why. It might be simple economics (fake stuff is cheaper), or it could be the lack of effective laws to combat faking. Whether to impress or save money - or both - fake stuff is big in China as well as the rest of the world.
The people who make fake stuff also grasp this, and they have parlayed that understanding into a $461 billion industry. When it comes to shoes or handbags, it is a substantial economic threat that erodes innovation and dilutes brands. When extended to pharmaceuticals or children’s toys, it can be dangerous.
The Internet hasn’t made this any simpler. Start searching for a new camera online, and you will quickly find a wide range of prices for what seems to be the same model. Closer inspection might show that some of the good deals are actually grey market items, which can have more shades than Christian’s ties but are typically legal (though unauthorized by the original manufacturer). Most serious photographers are smart enough to avoid the remarkably good deal on a Nikkon.
In this video, we will look at how to quickly apply a display filter that will isolate all slow web transactions in a trace file. It is a good button to add to the top of your Wireshark profile, especially when identifying whether slowness is caused by the network or application.
Author Profile - Chris Greer is a Network Analyst for Packet Pioneer LLC and a Certified Wireshark Network Analyst. Chris regularly assists companies in tracking down the source of network and application performance problems using a variety of protocol analysis and monitoring tools including Wireshark. Chris also delivers training and develops technical content for several analysis vendors.
There seems to be much mystique and confusion over Cisco’s ACI and how we as network analysts will troubleshoot in this new network environment. It’s an architecture to which few seem to have completed the move, but many are planning to do so in the near future. Now is the time to architect with visibility in mind.
With Cisco ACI there has been some misunderstanding, ranging from early claims of ‘not needing packets anymore’ to discussions of ‘how the heck are we going to do this?’ Eager to confirm my beliefs about ACI, I attended many sessions at the Cisco Live conference this year. There was a lot of clarification and confirmation of how to best instrument new networks for full visibility.
The Short Answer: Not much has changed as far as building a visibility fabric. If you have familiarity with building such a fabric in the VMware Nexus ‘Top of the Rack’ design, you will have no issue capturing in an ACI environment. Whereas in the Nexus model, to get east-west traffic, you would simply tap the uplinks between the top of the rack and the aggregation layer, in an ACI environment you tap between the spine and leaf switches to obtain traffic.
It was accompanied by four capture files that recorded the writing and reading of a one-gigabyte file and later a 200-Mbyte file to and from a NetApp file server, using SMB2 over a WAN. Why was there such variation in the respective transfer speeds, which were well below what the bandwidth and window sizes should allow? In the absence of a published solution we present our analysis, which finds different causes for the slow transfers. The analysis is interesting because it highlights a little-known characteristic of the Cisco ASA.
Here we present an analysis of the slow 200-MB file-read operation, illustrated with our analysis tool NetData. The solution depends not only on an understanding of packet contents, but also, critically, on an accurate grasp of the relative times of many packets, and it is almost impossible to achieve that by looking at numbers in columns.
I want to start by saying that I’ve been using Wireshark and teaching Wireshark classes since pretty well day one, and I appreciate all the hard work that goes into an always evolving product.
In my last article I wrote about Wireshark’s Fileset issue and how to work around it. I was surprised when I received several emails asking me if there were other examples of ‘workarounds’. I also want to explain that I do these write ups so users don’t think they are doing anything wrong and give up learning.
As I’ve mentioned in previous articles, this goes back to my point about learning your tools. That includes the cool and not so cool stuff.
A great analogy is that I have an old drill that I love and use for everything. Unfortunately the reverse button broke and I have to use a screwdriver to flip the switch, but I don’t care because I know exactly how to use it.
Does lossless visibility really matter for monitoring tools?
They’re supposed to be able to handle lost packets, corrupt packets, data gaps, etc., right?
Well, the answer is kinda, sorta, absolutely NO!
Security and monitoring tools are only as good as the data they see, or don’t see. Some tools have capabilities to help them “tolerate” missing data but that is a flawed theory and here’s why.
Missing data can lead to missed or false positive security threats, longer and more costly troubleshooting efforts, and lower customer satisfaction ratings. According to the 2016 Verizon Data Breach Investigation Report, most victimized companies don’t discover security breaches themselves. Approximately 75% have to be informed by law enforcement and third parties (customers, suppliers, business partners, etc.) that they have been breached—they had no idea the breach had happened. It’s hard enough to defeat modern network security threats; you don’t want to start off with limited network visibility. But that’s exactly what happens if your monitoring solution (which includes your taps, SPANs, and network packet brokers) does not feed your security and monitoring tools the correct data. For instance, check out this report from the Tolly Group about how one network packet broker drops packets and doesn’t even report it.
Other than missing your target reason for network visibility!
The following list shows some examples of why lossless visibility is important: