Yeah, Ngrep and Wireshark pcap files, you can basically dig a lot out of network traffic and be on your way to figuring out what this POS app is doing to you.

Z

Edward E. Ziots
CISSP, Network +, Security +
Security Engineer
Lifespan Organization
Email: [email protected]
Cell: 401-639-3505

-----Original Message-----
From: Kurt Buff [mailto:[email protected]]
Sent: Thursday, October 06, 2011 12:12 AM
To: NT System Admin Issues
Subject: Re: strange hosted app issue

+1 billion...

On Wed, Oct 5, 2011 at 20:58, Steve Kradel <[email protected]> wrote:
> Without knowing any detail at all about this situation, my first instinct would be to fire up Wireshark and observe what protocols and patterns the client and server use to communicate. Perhaps someone has decided to brew up a UDP-based RPC protocol "because it's faster"... and which poops itself on a congested network. Almost anything is fair game if this thing is "thicker" than a web app.
>
> Read enough Wireshark captures and it will start to make sense to you--and you'll learn a lot about all sorts of (eventually) useful topics along the way.
>
> --Steve
>
> On Wed, Oct 5, 2011 at 5:29 PM, [email protected] <[email protected]> wrote:
>> some good info here edward, thanks. i will look at the fiddler app you mentioned.
>>
>> i've also used wireshark from time to time, but have a hard time following the network conversations and having it provide anything meaningful to me (due to lack of knowledge of what to be looking for in the conversation). I've used wireless successfully for determining issues with ping/dhcp, etc. but, for application monitoring, that's where my knowledge level isn't quite as handy when looking at wireshark.
>>
>> but good info here nonetheless, appreciate it.
>>
>> Original Message:
>> -----------------
>> From: Ziots, Edward [email protected]
>> Date: Wed, 5 Oct 2011 16:15:46 -0400
>> To: [email protected]
>> Subject: RE: strange hosted app issue
>>
>> OK, if the app is hosted on the internet, is it safe to assume it's a web-based application? If so, it probably invokes Java on the workstation to do some of its function. Java, unfortunately, is a notorious PIG of an application, which could be leading to some of your application issues (especially if the code being called within the web session and interacting with the java instance to do its bidding isn't optimized).
>>
>> You can look at the web-traffic happening on a client by using the FIDDLER HTTP Debugging Browser plugin for IE/Firefox,
>>
>> www.fiddler2.com
>>
>> Which, if it's a web application, will let you know exactly what is happening in the browser, and the response from the server (or if you are seeing 400x or 500x errors (Client side and Server side issues)).
>>
>> The other thing you will probably want to put on a representative workstation is Wireshark, and do a sniff while you are working with the web application, and see if you are getting timeouts, a high number of retransmissions, or resets (which means you got congestion, bandwidth issues, drive issues, packet loss etc etc, that you need to deal with at Layer 2-3, before you really see what is happening at layer 7).
>>
>> Also the thing you really need to see is what the traffic metrics and types for what is coming in and out of the internet pipe (maybe using NTOP or other bandwidth analysis tools) which could give some insight about the traffic types, and the source IP's. Could be a lot of bit-torrent activity or dropbox, or Audio Streaming, or Malicious malware based traffic (someone is using you as an amplifying site, or with Skype you might have just become a SUPERNODE and others are pointed your way which you might not know).
>>
>> Again a lot of possibilities, I am sure these aren't the only things you could look at but it's a good start.
>>
>> Z
>>
>> Edward E. Ziots
>> CISSP, Network +, Security +
>> Security Engineer
>> Lifespan Organization
>> Email: [email protected]
>> Cell: 401-639-3505
>>
>> -----Original Message-----
>> From: [email protected] [mailto:[email protected]]
>> Sent: Wednesday, October 05, 2011 2:26 PM
>> To: NT System Admin Issues
>> Subject: strange hosted app issue
>>
>> Finding this issue to be a bit perplexing.
>>
>> Have an application that is hosted on the internet. App uses a java interface run on the client machines (both PC and Mac and even iPads). The app sometimes takes forever to load up and users often get booted from it during normal use of the app (if they can even get into the app). Using the hosted app off-hours never shows any slowness.
>>
>> The internet pipe is 10mb up/down. There doesn't SEEM to be an issue with bandwidth congestion, but we're still determining that (customer had NO tools in place to monitor that traffic - live). When people are having problems running that application, they can still browse anything else on the internet without problem -- which makes it seem like bandwidth isn't an issue, possibly.
>>
>> The customer even tried swapping out to a different firewall for test purposes, and completely removing the web filter too. Neither helped.
>>
>> Aside from bandwidth, is there anything else worth looking at here? Something overlooked? App provider isn't helpful as the site in question is the only place experiencing the issue it seems. Perhaps trying a different java version, etc.? Grasping at straws. Thanks!
>>
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
>
> ---
> To manage subscriptions click here:
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to [email protected]
> with the body: unsubscribe ntsysadmin
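The thread's advice is to sniff a representative workstation and look for timeouts, retransmissions and resets before chasing the application layer. The following is an added example, not code posted by anyone in the thread: a small, self-contained pcap triage script that counts TCP resets and retransmissions per service endpoint, the same signal a practitioner would otherwise read off Wireshark's `tcp.analysis.retransmission` and `tcp.flags.reset` filters. The capture it parses is constructed inline (a client at 10.0.0.5 talking to a hosted app at the RFC 5737 documentation address 203.0.113.10); the hostnames, ports and the `triage` / `parse_pcap` function names are assumptions for illustration, not anything from the list posts.

```python
"""Offline pcap triage: count TCP resets and retransmissions per server endpoint.

The capture below is CONSTRUCTED for this example; it is not traffic from the thread.
Link-layer type is Ethernet (DLT 1), IPv4 only, TCP only; IP/TCP checksums are left
zero because the parser never validates them.
"""
import struct
from collections import defaultdict

SYN, RST, PSH, ACK = 0x02, 0x04, 0x08, 0x10
CLIENT, SERVER = "10.0.0.5", "203.0.113.10"   # constructed addresses (RFC 5737 range)


def _tcp_frame(src, dst, sport, dport, seq, ack, flags, payload=b""):
    """Build one Ethernet/IPv4/TCP frame (helper for the constructed sample only)."""
    ip_total = 20 + 20 + len(payload)
    eth = b"\x00" * 12 + b"\x08\x00"                      # dst/src MAC zeroed, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_total, 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    return eth + ip + tcp + payload


def _pcap(frames):
    """Wrap frames in a classic little-endian pcap container (magic 0xA1B2C3D4, DLT 1)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", 1_000_000 + i, 0, len(f), len(f)) + f)
    return b"".join(out)


# Constructed sample: handshake, a request sent three times, then a server reset.
REQUEST = b"GET /app HTTP/1.1\r\n"
SAMPLE_PCAP = _pcap([
    _tcp_frame(CLIENT, SERVER, 50000, 443, 1000, 0, SYN),
    _tcp_frame(SERVER, CLIENT, 443, 50000, 5000, 1001, SYN | ACK),
    _tcp_frame(CLIENT, SERVER, 50000, 443, 1001, 5001, PSH | ACK, REQUEST),
    _tcp_frame(CLIENT, SERVER, 50000, 443, 1001, 5001, PSH | ACK, REQUEST),  # retransmission
    _tcp_frame(CLIENT, SERVER, 50000, 443, 1001, 5001, PSH | ACK, REQUEST),  # retransmission
    _tcp_frame(SERVER, CLIENT, 443, 50000, 5001, 1020, RST | ACK),           # server gives up
])


def parse_pcap(data):
    """Yield (src, dst, sport, dport, seq, flags, payload_len) for every TCP packet."""
    magic, = struct.unpack("<I", data[:4])
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    off = 24                                                # skip the global header
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                                        # not IPv4/TCP; ignore
        ihl = (frame[14] & 0x0F) * 4
        ip_total = struct.unpack("!H", frame[16:18])[0]
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        tcp = frame[14 + ihl:14 + ip_total]
        sport, dport, seq, _ack, off_res, flags = struct.unpack("!HHIIBB", tcp[:14])
        payload_len = len(tcp) - (off_res >> 4) * 4
        yield src, dst, sport, dport, seq, flags, payload_len


def triage(data):
    """Per (server ip, port): packet count, RST count, and data-carrying retransmissions.

    A retransmission is approximated as a second data segment with the same 5-tuple
    and sequence number, which is the same heuristic Wireshark's analysis uses at
    its simplest. The lower port number is taken to be the service side.
    """
    seen = set()
    stats = defaultdict(lambda: {"packets": 0, "resets": 0, "retransmissions": 0})
    for src, dst, sport, dport, seq, flags, plen in parse_pcap(data):
        key = (dst, dport) if dport < sport else (src, sport)
        s = stats[key]
        s["packets"] += 1
        if flags & RST:
            s["resets"] += 1
        if plen > 0:
            sig = (src, dst, sport, dport, seq)
            if sig in seen:
                s["retransmissions"] += 1
            seen.add(sig)
    return dict(stats)


if __name__ == "__main__":
    for (host, port), s in sorted(triage(SAMPLE_PCAP).items()):
        print(f"{host}:{port}  packets={s['packets']}  resets={s['resets']}  "
              f"retransmissions={s['retransmissions']}")
```

On a real capture (`open("capture.pcap", "rb").read()`), a service endpoint with a high retransmission count during the complaint window and near zero off-hours points at layer 2-3 loss or congestion on the path, exactly the thing the thread says to rule out before blaming Java; a burst of resets from the server side with few retransmissions suggests the application or an intermediate device is tearing sessions down, which is a different investigation.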
