44 posts categorized "Data Visualization"

The Dark Side of Packet Slicing (by Mike Canney)



Packet or frame slicing (truncating every captured frame to a fixed number of bytes) can be a great way to keep sensitive payload data out of trace files, if it is done correctly.  However, you have to really understand the reason for the captures in the first place.  For example, application performance issues often leave many clues at layer 4 (specifically TCP).  What happens when you "hard" slice a trace file and can no longer follow the TCP sequence numbers, because the pcap record now carries an incorrect frame-size (original length) value?

Other times you may need to see the specific application call (the SQL statement sent to Oracle, for example) to actually fix the problem, but you no longer have that data because you've sliced it away.

Continue reading "The Dark Side of Packet Slicing (by Mike Canney)" »

Give me PACKETS!! (by Mike Canney)

Give me Packets!

I have been troubleshooting “network” problems for over two decades.  From mom and pop small businesses to Fortune 10.  Literally thousands of companies.  As far as tools go, I’ve used just about all of them.  From the Network General Sniffer, Novell LanAlyzer, Optimal’s Application Expert/Vantage, Compuware Ecoscope, Cinco NetXray to Wireshark and back.  

You would be hard pressed to find something that is somewhat mainstream that analyzes packets that I haven't used to find and solve network and application issues. I have also used the majority of the popular APM/NPM tools on the market for monitoring Network and Application Performance (I won’t list them).  The one thing they have in common is that they’ve all been useful in their own right: an understanding, at a high level, of what traffic is on the network and an inkling of ‘potential’ application performance issues.


Continue reading "Give me PACKETS!! (by Mike Canney)" »

What Do TCP/IP Selective Acknowledgments (SACKs) Look Like? (by Phillip Storey)

Part 1: Investigating Simple Selective Acknowledgements (SACKs)

In this video, the aim is to help improve our understanding of TCP/IP Selective Acknowledgements (SACKs) and how they differ from “normal” TCP/IP Acknowledgements (ACKs).

How does Wireshark tell us about them and how should we interpret that information?


[Screenshot: Wireshark SACKs view]

SACKs are much easier to understand if we have a diagram. I’ll be using charts from a packet analysis application called NetData to help me explain.
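As an added example (constructed for this page, not code from the post, from NetData or from Wireshark), the script below decodes the SACK option out of a TCP header's raw option bytes and turns it into the receiver's view of the stream: the cumulative ACK number covers every byte below it, each SACK block is an isolated out-of-order range that arrived above the ACK, and the gaps between ACK and blocks are what the sender still has to retransmit. The sequence numbers and option bytes are made up, and 32-bit sequence wrap-around is deliberately not handled.

```python
"""Added example: decode TCP SACK blocks and derive the holes they imply.
Sequence numbers are treated as plain integers (no 32-bit wrap handling)."""
import struct

EOL, NOP, SACK_PERMITTED, SACK = 0, 1, 4, 5


def parse_options(opts):
    """Yield (kind, value) for each TCP option in the raw option bytes."""
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == EOL:
            return
        if kind == NOP:                       # single-byte padding, no length field
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option kind %d truncated at offset %d" % (kind, i))
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("malformed option kind %d at offset %d" % (kind, i))
        yield kind, opts[i + 2:i + length]
        i += length


def sack_blocks(opts):
    """[(left, right), ...] from the SACK option; right edge is exclusive. Empty if none."""
    for kind, val in parse_options(opts):
        if kind == SACK:
            edges = struct.unpack(">%dI" % (len(val) // 4), val)
            return list(zip(edges[::2], edges[1::2]))
    return []


def missing_ranges(ack, blocks):
    """Byte ranges the receiver has NOT got, given its cumulative ack and SACK blocks.
    Everything below `ack` is acknowledged the 'normal' way; a block at or below
    ack (a D-SACK reporting a duplicate) adds no hole."""
    holes, cursor = [], ack
    for left, right in sorted(blocks):
        if left > cursor:
            holes.append((cursor, left))
        cursor = max(cursor, right)
    return holes


def build_sack_option(blocks):
    """NOP, NOP, SACK(kind 5, len 2 + 8*n): the layout Wireshark usually shows."""
    body = b"".join(struct.pack(">II", left, right) for left, right in blocks)
    return bytes([NOP, NOP, SACK, 2 + len(body)]) + body


if __name__ == "__main__":
    # Constructed: receiver has bytes below 1000 in order, plus 2000-2999 and
    # 4000-4499 out of order. Real stacks list the most recently received block first.
    opts = build_sack_option([(4000, 4500), (2000, 3000)])
    print("SACK blocks:", sack_blocks(opts))                              # [(4000, 4500), (2000, 3000)]
    print("holes to retransmit:", missing_ranges(1000, sack_blocks(opts)))  # [(1000, 2000), (3000, 4000)]
```

The same option bytes are what Wireshark labels "SACK: 4000-4500 2000-3000" on the segment; the holes are what its "TCP Retransmission" and "Fast Retransmission" tags on the sender's side should line up with. Note that a hard packet slice that cuts the TCP options off (see the slicing post above) removes exactly these bytes, and the analysis becomes impossible.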

This is the first article of a proposed series that I have called:

Understanding Wireshark Outputs with NetData Charts


Continue reading "What Do TCP/IP Selective Acknowledgments (SACKs) Look Like? (by Phillip Storey)" »

Metadata - We all need it now! (by Darragh Delaney)

Metadata – we all need it now!

Not so long ago, flow analysis was one of the tools of choice when it came to troubleshooting security or operational problems on networks. Many vendors developed tools which could take these flow records and store them in a database, so that you could get real-time and historical reports.

However, metadata analysis is now seen as the must-have piece of technology for keeping modern networks running both securely and efficiently. Metadata analysis systems typically use network traffic (packets) as their data source, fed from SPAN or mirror ports or from TAPs. The clever part of metadata analysis is data reduction: you take raw network traffic and keep only the interesting pieces of data, such as IP addresses, website names or filenames. In some instances you end up with a 4000:1 reduction ratio. For example, if I transfer a 4MB file across the network, I may capture 1KB of metadata.

See your network

The screen shot below from our own (NetFort) LANGuardian system is a good example of this data reduction.
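The following is an added, constructed example (not code from this post, from NetFort, or from the packet-slicing post above) that ties together the two points made on this page: it fabricates three Ethernet/IPv4/TCP frames of a made-up Oracle session, writes them as a pcap, slices the pcap the right way (cutting after the TCP header and keeping the real wire length in `orig_len`) and the wrong way (a fixed snap length, and `orig_len` overwritten with the sliced size), checks whether the TCP sequence numbers can still be followed, and then reduces the same frames to per-flow metadata to measure the data reduction described above. Addresses, ports and payloads are assumptions; the pcap global and record header layouts (`incl_len`, `orig_len`) are the real libpcap format. Standard library only.

```python
"""Constructed example (not from the posts above): pcap slicing done right and
wrong, a TCP sequence-continuity check, and flow-metadata reduction. Stdlib only."""
import json
import struct

PCAP_HDR = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # LINKTYPE_ETHERNET
TCP_OPTS = b"\x01\x01\x08\x0a" + struct.pack(">II", 1000, 2000)      # NOP, NOP, Timestamp


def build_frame(seq, payload, src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x02",
                sport=40000, dport=1521):
    """Ethernet II + IPv4 + TCP (32-byte header incl. options) + payload. Checksums left 0."""
    doff = 5 + len(TCP_OPTS) // 4
    tcp = struct.pack(">HHIIBBHHH", sport, dport, seq, 0, doff << 4, 0x18, 65535, 0, 0)
    tcp += TCP_OPTS + payload
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0, src, dst)
    return b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00" + ip + tcp


def parse(frame):
    """Return (src, dst, sport, dport, seq, payload_offset) for an Ethernet/IPv4/TCP frame."""
    if struct.unpack_from(">H", frame, 12)[0] != 0x0800:
        raise ValueError("only IPv4 frames are handled in this example")
    ihl = (frame[14] & 0x0F) * 4
    tcp = 14 + ihl
    sport, dport, seq = struct.unpack_from(">HHI", frame, tcp)
    doff = (frame[tcp + 12] >> 4) * 4
    return frame[26:30], frame[30:34], sport, dport, seq, tcp + doff


def write_pcap(records):
    """records: (captured_bytes, original_wire_length) pairs -> pcap bytes."""
    out = bytearray(PCAP_HDR)
    for i, (data, orig_len) in enumerate(records):
        out += struct.pack("<IIII", 0, i, len(data), orig_len) + data   # incl_len, orig_len
    return bytes(out)


def read_pcap(blob):
    """Inverse of write_pcap: list of (captured_bytes, orig_len)."""
    records, off = [], len(PCAP_HDR)
    while off < len(blob):
        _, _, incl_len, orig_len = struct.unpack_from("<IIII", blob, off)
        records.append((blob[off + 16:off + 16 + incl_len], orig_len))
        off += 16 + incl_len
    return records


def slice_pcap(blob, snaplen=None, keep_orig_len=True):
    """snaplen=None cuts right after the TCP header, however long its options are;
    a fixed snaplen is the 'hard' slice. keep_orig_len=False reproduces the mistake
    of writing the sliced size into orig_len instead of the real wire length."""
    out = []
    for data, orig_len in read_pcap(blob):
        cut = data[:snaplen] if snaplen else data[:parse(data)[5]]
        out.append((cut, orig_len if keep_orig_len else len(cut)))
    return write_pcap(out)


def seq_gaps(blob):
    """One direction of a stream: each seq should equal previous seq + payload bytes,
    with payload bytes = orig_len - header bytes, which is all a tool has once the
    payload itself has been sliced away. Returns [(expected, seen), ...]."""
    gaps, expected = [], None
    for data, orig_len in read_pcap(blob):
        seq, payload_off = parse(data)[4:]
        if expected is not None and seq != expected:
            gaps.append((expected, seq))
        expected = seq + (orig_len - payload_off)
    return gaps


def flow_metadata(blob):
    """Reduce frames to per-5-tuple records: packet and wire-byte counts only."""
    flows = {}
    for data, orig_len in read_pcap(blob):
        src, dst, sport, dport, _, _ = parse(data)
        key = "%s:%d->%s:%d" % (".".join(map(str, src)), sport, ".".join(map(str, dst)), dport)
        rec = flows.setdefault(key, {"packets": 0, "bytes": 0})
        rec["packets"] += 1
        rec["bytes"] += orig_len
    return flows


def reduction_ratio(blob):
    """Capture bytes per byte of (JSON) metadata; small on three frames, large on real traffic."""
    return len(blob) / len(json.dumps(flow_metadata(blob)).encode())


# Constructed stream: three contiguous segments of a made-up Oracle (port 1521) session.
FULL = write_pcap([(f, len(f)) for f in (
    build_frame(1000, b"SELECT * FROM emp WHERE id = 7".ljust(400, b" ")),
    build_frame(1400, b"A" * 600),
    build_frame(2000, b"B" * 200))])

if __name__ == "__main__":
    print("full capture gaps:       ", seq_gaps(FULL))
    print("header-aware slice gaps: ", seq_gaps(slice_pcap(FULL)))
    print("hard 54-byte slice gaps: ", seq_gaps(slice_pcap(FULL, snaplen=54)))
    print("orig_len overwritten:    ", seq_gaps(slice_pcap(FULL, keep_orig_len=False)))
    print("flows:", flow_metadata(FULL), "reduction %.1f:1" % reduction_ratio(FULL))
```

Three things to take from running it: the header-aware slice keeps the sequence chain intact while dropping the SQL text entirely (so the application-call evidence the slicing post mentions is gone for good); the fixed 54-byte hard slice also keeps the chain, but every record is now shorter than its own TCP header, so the timestamp and any SACK options are lost; and overwriting `orig_len` with the sliced size makes every segment look like it carried zero payload, which is exactly the "cannot follow the sequence numbers" symptom. The metadata reducer keeps one record per 5-tuple regardless of how many bytes flowed, which is where the large reduction ratios come from.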


Continue reading "Metadata - We all need it now! (by Darragh Delaney)" »

How To Combat Monitoring & Security Tool Overload! (by Keith Bromley)

How To Combat Monitoring & Security Tool Overload 

I have a fundamental question for you. Are you managing your security and monitoring tools or are they managing you? We all want to say that WE are in control, correct? Unfortunately, data from two EMA investigations shows that this might not be the case. It is summarized in this infographic – How to Combat Monitoring and Security Tool Overload.

The number of security and monitoring tools that IT personnel use is increasing. According to the EMA Network Management Megatrends 2016 Report, the average number of security and monitoring tools used by an “average” enterprise (1,000 to 4,999 employees) ranges anywhere from 4 to 15 different tools. In 2014, the average enterprise used 3 to 10 different tools (according to EMA). So in two years, there has been an increase of around 25 to 30% in the number of tools being used.

This causes IT several problems, such as:

  • Getting proper access to good-quality monitoring data
  • The sheer volume of tools makes them hard for IT to manage
  • A mixture of virtual and physical tools makes the situation even more confusing

Continue reading "How To Combat Monitoring & Security Tool Overload! (by Keith Bromley)" »

Cisco ASA Behaviour with Packet Losses and Overtaking - Using NetData visibility (by Bob Brownell)

Cisco ASA Behaviour with Packet Losses and Overtaking

Using NetData Visibility

A question posted on ask.wireshark by wdurand in September asked why reading a file across a WAN from a NetApp file server was slower than the equivalent write operation:


The network path included a Cisco ASA, and an explanation for the slow transfer requires an understanding of ASA behaviour. We present here our analysis of similar ASA behaviour, drawing on a pair of concurrent captures taken at both ends of a network path that traversed an ASA, from an Oracle database server to a client workstation. System behaviour is illustrated with NetData charts.



Continue reading "Cisco ASA Behaviour with Packet Losses and Overtaking - Using NetData visibility (by Bob Brownell)" »