This article will be presented as a session at Sharkfest 2014 on June 17th, 2014. For the video of this session, stay tuned to LoveMyTool.
As most people in the network universe know, reading packet captures can be tough. It is the most detailed form of analysis we have and can really get into the guts of an issue. However, that level of detail, combined with the 10 Gbit/s (and beyond) links we capture on, means trace files get very big, very fast. If you have never had the pleasure of combing through a one-million-packet trace looking for a single bad SQL call, take my word for it: it isn't always fun, or easy.
With that said, there are certain things we do as analysts that compound the problem and make traces even harder to read. Even on small links with simple trace files, there are actions we take (or fail to take) that further complicate our efforts to capture, read, and understand a problem. Below we describe a few of the bigger ones.
From the original project that started almost two decades ago as Ethereal, Gerald has been leading the development of the open-source packet analyzer that has become the standard tool for network engineers.
Have you ever looked at a Wireshark trace and thought, "There's an awful lot of retransmissions there"? The problem is that Wireshark's TCP analysis marks a segment as a TCP Retransmission whenever it sees data for a sequence range it has already seen, so the Info column shows the same label when the segment truly is a retransmission, when the packet is looping through the network, and even when a SPAN port has been misconfigured so that the capture sees each packet twice.
Luckily there are a few tell-tale signs that help us figure out the true situation.
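The following is an added example, not code from the article or from Wireshark itself. It applies three signs that the IP header and the capture timestamps carry for each repeated segment: a copy with the same IP ID and the same TTL arriving microseconds after the first is the same datagram captured twice (the SPAN/mirror double-capture case); the same IP ID with a lower TTL means the same datagram came back around through another router hop (a loop); a fresh IP ID means the sending stack actually rebuilt and resent the segment (a genuine retransmission). The segment records, the duplicate-window threshold and the handling of stacks that put IP ID 0 on every don't-fragment segment are constructed assumptions for the example, not something the article specifies.

```python
"""Tell a real TCP retransmission from a duplicate capture or a looping packet.

Added example (not from the article or from Wireshark). The packet records
below are constructed by hand; the 1 ms duplicate window and the IP-ID-0
fallback are assumptions chosen for illustration.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Seg:
    ts: float      # capture timestamp in seconds
    src: str
    dst: str
    sport: int
    dport: int
    ip_id: int     # IPv4 Identification field
    ttl: int       # IPv4 TTL as captured
    seq: int       # TCP sequence number
    length: int    # TCP payload bytes


def _classify_pair(prev: Seg, cur: Seg, dup_window: float) -> str:
    """Compare a repeated segment with the previous copy of the same data."""
    if prev.ip_id != cur.ip_id:
        # The stack built a new datagram for the same data: a real resend.
        return "retransmission"
    if cur.ip_id == 0:
        # Assumption: some stacks send IP ID 0 on DF segments, so the ID is
        # uninformative and only the inter-arrival gap is left to go on.
        return "duplicate" if cur.ts - prev.ts <= dup_window else "retransmission"
    if cur.ttl < prev.ttl:
        # Same datagram, one or more router hops later: it came back around.
        return "loop"
    # Same datagram, same hop count: the capture point saw it twice.
    return "duplicate"


def classify(segments: List[Seg], dup_window: float = 0.001) -> List[Tuple[int, str]]:
    """Return (index, verdict) for every segment that repeats data already seen
    on the same flow, where Wireshark would label it a TCP Retransmission."""
    last_copy: Dict[tuple, Seg] = {}
    verdicts: List[Tuple[int, str]] = []
    for i, s in enumerate(segments):
        if s.length == 0:
            continue  # pure ACKs legitimately reuse a sequence number
        key = (s.src, s.dst, s.sport, s.dport, s.seq, s.length)
        prev = last_copy.get(key)
        if prev is not None:
            verdicts.append((i, _classify_pair(prev, s, dup_window)))
        last_copy[key] = s
    return verdicts


def summarize(segments: List[Seg]) -> Dict[str, int]:
    """Count verdicts so you can see at a glance whether the 'retransmissions'
    are really a mirror-port problem."""
    return dict(Counter(v for _, v in classify(segments)))


# Constructed capture: one flow, 10.0.0.1:40000 -> 10.0.0.2:443.
def _seg(ts, ip_id, ttl, seq, length):
    return Seg(ts, "10.0.0.1", "10.0.0.2", 40000, 443, ip_id, ttl, seq, length)


SAMPLE = [
    _seg(0.000000, 100, 64, 1, 100),     # 0 original
    _seg(0.000010, 100, 64, 1, 100),     # 1 same ID/TTL 10 us later: SPAN duplicate
    _seg(0.010000, 101, 64, 101, 100),   # 2 original
    _seg(0.010100, 101, 63, 101, 100),   # 3 same ID, TTL one lower: looping packet
    _seg(0.250000, 102, 64, 101, 100),   # 4 new ID after ~RTO: genuine retransmission
    _seg(0.300000, 0, 64, 201, 50),      # 5 stack using IP ID 0 (assumed caveat)
    _seg(0.600000, 0, 64, 201, 50),      # 6 ID 0 both sides, 300 ms gap: retransmission
    _seg(0.6000005, 0, 64, 201, 50),     # 7 ID 0 both sides, 0.5 us gap: duplicate
]

if __name__ == "__main__":
    for idx, verdict in classify(SAMPLE):
        print(f"frame {idx}: {verdict}")
    print(summarize(SAMPLE))
```

If the summary comes back almost entirely "duplicate", the fix is on the switch (a SPAN session mirroring both the ingress and egress of the same port, or two overlapping sessions), not on the hosts; "loop" verdicts point at the routing or spanning-tree layer; only the "retransmission" count reflects what the TCP sender actually did.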
I listen to Tim, Tony, Chris et al talking on LMTV about networking and I realise how little I know about real networking; you know that layers 1 to 3 stuff. I'm a layer 4 to 7 type of guy, and so I'm always going to push the boundaries on this forum. Have I gone too far this time? Let's see.
I saw a post on another forum this week from a guy who had a particular problem with files on a Windows server. A user deleted a file, but when he came back in the following day it had reappeared. So he deleted it again and blow me if it didn't pop back up the next day.