Analyzing Microsoft IIS Web Logs - Part 1 (by Paul Offord)

Wireshark's new TRANSUM plugin provides a great way to identify slow web site and web service transactions, but there's a problem.  More often than not, web traffic is carried in SSL (TLS) encrypted messages, and so, although we can see slow response times, we can't see the detail.  To prove the cause of a slow response time, ideally we want to see the URI, query strings and, in the case of a web service request, the SOAP Action value.


If we are very lucky, we may be able to get a copy of the private SSL keys and use Wireshark to decrypt the traffic, but what if that's not possible.  The good news is that web logs have much of the information we need, and we can combine this with Wireshark network traces to get a more complete picture.

In this video ...

Continue reading "Analyzing Microsoft IIS Web Logs - Part 1 (by Paul Offord)" »

Palo Alto Packet Latency Case Study Using Workbench and Wireshark (by Paul Offord)

Analyzing packets at two points provides an accurate way to determine the delays across a network.  The team at Advance7 used this technique to find the cause of performance and stability problems with a web application.  The system topology was complex, but very common in today's enterprise environments; users accessing systems using a Windows terminal and ESX VDI-delivered desktops.


Users reported slow response times and intermittent disconnects.  The path through the network from VDI host to application server was 10 GbE all the way, and so link overload was unlikely.  There were various theories about the cause of the problem but solid evidence was needed.

In this video ...

Continue reading "Palo Alto Packet Latency Case Study Using Workbench and Wireshark (by Paul Offord)" »

LMTV LIVE | Advanced Performance and Security Real-time Analysis (Extrahop)


YouTube LIVE start time: 9:30 AM PST, Wednesday, September 20, 2017

Extrahop_logo With 7.0, ExtraHop introduces live activity maps for complete 3D interaction with the hybrid IT environment; enhanced threat anomalies and machine learning-initiated workflows for performance and security; and perfect forward secrecy (PFS) decryption at scale to support next-generation security architectures.

Momma's Boy (by Paul W. Smith)


When I was growing up, you were a Momma’s Boy, a Man’s Man, or something in-between. Most of us belonged to the in-between group. Dare I say life is a bit more complicated these days?

There was a time not long ago when a female voice making an announcement on an airplane was assumed to be a flight attendant, a woman caring for you in a hospital was automatically a nurse, and a lady engineer was an oxymoron. In my lifetime, our culture has evolved to where female pilots, doctors and engineers are no longer notable, at least not for their gender.

While the whole gender identity issue is way above my pay-grade, the transition from the role models of my youth to a culture where humans and jobs are largely interchangeable is of great interest. This is particularly so in the STEM fields, where I have carved out my own career.

Continue reading "Momma's Boy (by Paul W. Smith)" »

TCP Checksum Error Case Study (by Paul Offord)

When I see TCP Retransmissions and Dup ACKs in a trace I naturally think about packet loss, but that's not the only cause.  The TCP Checksum mechanism is used to check the integrity of the TCP payload (or segment) and, although it's rare to see genuine checksum errors in a trace, it's another cause of retransmissions.

  Network topology

For Wireshark users there's good and bad news.  The good news is that Wireshark can check each packet for TCP Checksum errors.  The bad news is that they are not always genuine errors.  So how can we tell the difference?

In this video ...

Continue reading "TCP Checksum Error Case Study (by Paul Offord)" »

Troubleshooting SMB Connection Issue Using Wireshark (by Tony Fortunato)

In this video I walk you through how i worked my way through a Microsoft connectivity problem using Wireshark.

The main point of the video is to pay attention to the methodology where i document the issue, apply a change and re-measure.

Just some text from the slides;

"The problem is with a device running Windows 7 that is configured with some shares to its local drives like a storage server.Every so often no one can connect to the shares, Android users just see a spinning/processing icon and windows users get a variety of connection error messages. The end result is always the same, no connection.

The only solution is to reboot the Windows 7 device and things have gotten so bad that now they have a scheduled script that reboots the computer daily.I asked them to capture some packets from their computer when it happens again.

By noon I had a capture."



Continue reading other LoveMyTool posts by Tony Fortunato »