One of the hardest parts of my job as a Network Detective is obtaining demonstration trace files. I'm sure you can imagine the legal ramifications (and the firestorm) that would brew if I came to your network, captured a few trace files, and then proceeded to share them with the rest of the planet.
In the past, I have set up a small network, configured a few servers, and sniffed my own traffic. Not exactly exciting, but it got the job done. Well, all that changed last week when I got to play with a BreakingPoint Storm. For the uninitiated, a BreakingPoint Storm is a box that will fling out any type of traffic onto your network at line-rate speeds of either 1 Gbps (what I got to use) or 10 Gbps. My test unit had four 1 Gbps copper ports, each of which could be configured to either send or receive traffic.
Now I've used traffic generators before, but never anything as powerful as this. The Storm sends application data of any and every type. I got to test my own network by configuring the Storm to send user requests via one interface and the server responses via another interface connected through a router.
The best part was that I had a Riverbed Cascade Shark appliance capturing the entire meltdown. I watched thousands of unicast packets flood out onto the wrong network as my router tried to keep up.
The Storm wasn't just sending generic HTTP GETs; I could choose from a myriad of applications such as Oracle, Citrix, CIFS/SMB, Active Directory, and VoIP. I like to show multiple TCP issues in my Wireshark classes, and BreakingPoint treats TCP like its own application. For example, how would my Web server respond to different TCP handshake options, split handshakes, window scaling discrepancies, or delayed ACKs? I was able to try out every scenario I could think of.
Then I got to test server load and response times on my Web server during a DDoS attack. By using the interactive Views in Riverbed Cascade Pilot, I was able to see the cause and effect relationship between the high TCP connection count and the lags in response time. Talk about a smoking gun. I now know my server can handle 14 thousand connections per second before taking a significant performance hit. I’m not guessing, I’m not hoping, I know.
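The cause-and-effect view described above, worked as an added example that is not from the original post and not BreakingPoint or Riverbed code: it takes a packet summary (timestamp, addresses, ports, TCP flags) such as you would export from a capture, buckets client SYNs by second, measures the SYN to SYN/ACK delay for each answered handshake, and reports the connection rate, the mean handshake delay and the count of unanswered SYNs per second. The server address, the packet records and the load ramp are all constructed for the demonstration; no real trace is read.

```python
"""Correlate TCP connection rate with handshake response time.

Added example, not code from the original post and not BreakingPoint or
Riverbed code. Input is assumed to be a list of packet records
(time_s, src_ip, src_port, dst_ip, dst_port, flags) exported from a
capture; the sample below is constructed to mimic a load ramp.
"""
from collections import defaultdict
from math import floor

# Constructed server address (assumption, not from any real capture).
SERVER_IP, SERVER_PORT = "10.0.0.10", 80


def make_sample_packets():
    """Constructed packet summary (not a real capture).

    Second 0: 100 new connections, server answers in 2 ms.
    Second 1: 500 new connections, server answers in 10 ms.
    Second 2: 2000 new connections, server answers in 120 ms and
              never answers every 10th SYN (overloaded backlog).
    """
    plan = [(0, 100, 0.002, None), (1, 500, 0.010, None), (2, 2000, 0.120, 10)]
    packets = []
    for second, rate, delay, drop_every in plan:
        for i in range(rate):
            t_syn = second + i / rate
            client = f"10.0.1.{i % 250 + 1}"            # 250 client hosts
            client_port = 10000 + second * 100 + i // 250  # unique (ip, port) per second
            packets.append((t_syn, client, client_port, SERVER_IP, SERVER_PORT, "S"))
            if drop_every and i % drop_every == 0:
                continue                                 # SYN left unanswered
            packets.append((t_syn + delay, SERVER_IP, SERVER_PORT, client, client_port, "SA"))
    return packets


def handshake_stats(packets, server_ip=SERVER_IP, server_port=SERVER_PORT):
    """Bucket client SYNs by the second they arrived and measure SYN -> SYN/ACK delay.

    Returns {second: {"syns", "answered", "unanswered", "mean_delay"}},
    where mean_delay is in seconds or None if nothing was answered.
    """
    pending = {}                                         # (client_ip, client_port) -> SYN time
    buckets = defaultdict(lambda: {"syns": 0, "delays": []})
    for t, src, sport, dst, dport, flags in sorted(packets, key=lambda p: p[0]):
        if flags == "S" and dst == server_ip and dport == server_port:
            pending[(src, sport)] = t
            buckets[floor(t)]["syns"] += 1
        elif flags == "SA" and src == server_ip and sport == server_port:
            t_syn = pending.pop((dst, dport), None)
            if t_syn is not None:                        # credit the second the SYN arrived in
                buckets[floor(t_syn)]["delays"].append(t - t_syn)
    stats = {}
    for second, b in sorted(buckets.items()):
        delays = b["delays"]
        stats[second] = {
            "syns": b["syns"],
            "answered": len(delays),
            "unanswered": b["syns"] - len(delays),
            "mean_delay": sum(delays) / len(delays) if delays else None,
        }
    return stats


def worst_second(stats):
    """Second with the highest mean handshake delay (the 'smoking gun' bucket)."""
    answered = {s: v for s, v in stats.items() if v["mean_delay"] is not None}
    return max(answered, key=lambda s: answered[s]["mean_delay"])


if __name__ == "__main__":
    stats = handshake_stats(make_sample_packets())
    print(f"{'sec':>3} {'SYN/s':>6} {'answered':>8} {'unanswered':>10} {'mean SYN->SYN/ACK':>18}")
    for second, v in stats.items():
        delay = f"{v['mean_delay'] * 1000:.1f} ms" if v["mean_delay"] is not None else "n/a"
        print(f"{second:>3} {v['syns']:>6} {v['answered']:>8} {v['unanswered']:>10} {delay:>18}")
    print("worst second:", worst_second(stats))
```

Run it as-is to see the table; to use it on your own data, replace `make_sample_packets()` with records built from a packet summary export of a capture. The delay is credited to the second in which the SYN arrived rather than the second of the SYN/ACK, so a bucket reflects the load the server was under when the request came in, and unanswered SYNs are counted separately because a dropped handshake never produces a delay sample and would otherwise make an overloaded second look healthier than it was.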
Then, just to put the cherry on the parfait, I mined the data I had been capturing with my Shark. I now have trace files of malware attacks against my Web server, and every application layer protocol example I could ever want for demos in my Wireshark classes. Life is good, now that I know where my BreakingPoint is.
Author Profile - Betty DuBois is the Principal Consultant for DuBois Training & Consulting, LLC. She has been analyzing networks since 1997, performing fault isolations, application profiles, and network baselines for a wide variety of clients. As an Instructor for Wireshark University, she is known for her ability to make a dry, complex subject fun and interesting by using both humor and real-world examples. She has presented at Networld+Interop, and is an experienced courseware developer and marketing collateral writer. Betty's industry certifications include Certified Wireshark University Instructor, Wireshark Certified Network Analyst, HP ProCurve AIS, and Sniffer Certified Expert.