wireshark captures!

  1. #1
    Only african to own a PC! Cider's Avatar
    Join Date
    Jun 2003
    Location
    Israel
    Posts
    1,683

    wireshark captures!

    Hey guys,

    Need some serious help here. One of our clients is complaining that our software is eating their bandwidth. The software updates from a particular URL.

    The issue I am having is that it only updates every 4 hours. I would like to only capture HTTP, TCP, and UDP to this particular URL within, say, 5 hours of running Wireshark on the particular Windows machine.

    As you can imagine without this filter the capture will be too huge for the client to email it to us.

    So basically only capture HTTP, TCP and UDP to this particular URL, nothing else.

    Can anyone help me out with this? I've tried to get it going within Wireshark but can't seem to.

    Thanks
    The world is a dangerous place to live; not because of the people who are evil, but because of the people who don't do anything about it.
    Albert Einstein

  2. #2
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,190
    Hi Cider,

    Do you really need to do that? After all, I assume your software is well enough written not to apply an update more than once, and you must know how big the updates are. Give or take a bit of communication traffic, that will be the amount of bandwidth used? Are there any logs to indicate whether the updates are completing successfully or not?

    Does your product update incrementally or do a full install of the files each time? Is there an option to do a full or incremental update?

    Does your client really understand what bandwidth is? Or are they just moaning that when an update runs it slows their system down to a crawl?

    So basically only capture HTTP, TCP and UDP to this particular URL, nothing else.
    Don't you want the traffic from the update server, not to it?

    Anyway, has the client given you any values for bandwidth allegedly consumed and does this stack up with what you must know is the size of the updates?

    Please remember that clients' perceptions and reality are frequently poles apart, and I cannot think of how bandwidth consumption could be significantly greater than the volume of data transmitted.
    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  3. #3
    Only african to own a PC! Cider's Avatar
    Join Date
    Jun 2003
    Location
    Israel
    Posts
    1,683
    Hey Nihil,

    Thanks for the feedback.

    The updates are incremental so it is relatively small on a daily basis. The client has given us logs from their SmoothWall software showing that the machines are pulling data from our servers in huge amounts. I'm talking about a few hundred MB per machine, which is insane.

    I've seen this issue with ISA and have caching on.

    My understanding is that the update is not completing and just keeps re-downloading. We have tools in place to see where it is getting the updates from etc.

    This is a "cloud" interface. If the p2p functionality fails then that machine will download from the internet versus the peer.

    So basically the client has shown us logs indicating a couple of Gigs per day if our servers are not blocked via the proxy.

    The only way for us to determine if this is the case is if we get Wireshark captures on one of the machines in question during a 4-5 hour period so we can see what it is doing. But as I said in the first post, 4-5 hours of Wireshark captures on an open line will give an insane amount of data, so I would need to filter to either the IP of our servers or via protocol / port.

    What ya think?

  4. #4
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,190
    Hi,

    This is a "cloud" interface. If the p2p functionality fails then that machine will download from the internet versus the peer.
    I am afraid that I am not familiar with that architecture. Would I be right in thinking that one server is supposed to get the update and then distribute it locally; if that fails the other servers will "do their own thing" over the internet?

    I don't know your product but could they try a manual download and distribute that..............it might show where the problem is occurring?

    Do you know if it is the download that is failing to complete or if it falls over at the update phase?

  5. #5
    Only african to own a PC! Cider's Avatar
    Join Date
    Jun 2003
    Location
    Israel
    Posts
    1,683
    Quote Originally Posted by nihil View Post
    Hi,

    I am afraid that I am not familiar with that architecture. Would I be right in thinking that one server is supposed to get the update and then distribute it locally; if that fails the other servers will "do their own thing" over the internet?

    I don't know your product but could they try a manual download and distribute that..............it might show where the problem is occurring?

    Do you know if it is the download that is failing to complete or if it falls over at the update phase?
    Spot on there Nihil,

    Step 1: Look on the local LAN for an update via broadcast.
    Step 2: Go to the internet if no update is available or there is no connectivity within the LAN.

    I will have to just capture 4 hours and then filter it after.

    Thanks for the effort

  6. #6
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,190
    Hmmm,

    I guess my first move would be to check if the nominated update server is receiving the updates properly. If it is then your firewall logs should only show traffic once every 4 hours. If the answer is "yes" then the problem lies with the data being broadcast to the other servers.

    If the answer is "no" then you need to look at the connectivity between your server and the client update server.

    That still leaves the issue of the other servers apparently failing to update over the internet? hence the cycling and high bandwidth?

    Personally I would try a manual update of the client update server if it is not updating automatically.

    I think that the client update server is key to solving this. If it is receiving updates correctly then the problem is with the other servers and it looks as if they can neither update from their peer nor from the internet, which seems to be the case?

    Are there any useful error messages?

  7. #7
    THE Bastard Sys***** dinowuff's Avatar
    Join Date
    Jun 2003
    Location
    Third planet from the Sun
    Posts
    1,250
    Cider:

    If the client is going to run Wireshark, have them do a full capture. Save the file, re-open it filtering only traffic to your URL, do a Save As and email it. Don't filter just UDP, HTTP and TCP - you will miss something. Also, the filtered pcap of traffic going to your URL from a single PC is not going to be that big.

    Let me know if you want any help on exact filter settings.
    09:F9:11:02:9D:74:E3:5B8:41:56:C5:63:56:88:C0

  8. #8
    Banned
    Join Date
    Nov 2002
    Posts
    677
    dinowuff said fvck your client!

  9. #9
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,190
    LO,

    I think that it is up to us grey haired professionals to help our young friend in SA?

    My guess is that it is some sort of permissions problem with the update program? might even be settings ?

    1. Wireshark will report on traffic, but we know we have that?
    2. The system doesn't update, so keeps re-trying?
    3. So try a manual update and see where it falls down?

    Incidentally, I like your avatar........... my tabby tomcat says "six no trumps".........??
    Last edited by nihil; December 24th, 2009 at 06:35 AM.

  10. #10
    Gonzo District BOFH westin's Avatar
    Join Date
    Jan 2006
    Location
    SW MO
    Posts
    1,188
    Quote Originally Posted by dinowuff View Post
    Cider:

    If the client is going to run Wireshark, have them do a full capture. Save the file, re-open it filtering only traffic to your URL, do a Save As and email it. Don't filter just UDP, HTTP and TCP - you will miss something. Also, the filtered pcap of traffic going to your URL from a single PC is not going to be that big.

    Let me know if you want any help on exact filter settings.

    I agree. You will probably want to capture all traffic related to that host. Have them perform the capture, then have them run the filter... 'ip.addr == xxx.xxx.xxx.xxx' [the address of the server, of course]. Alternatively, you can use ip.dst or ip.src if you only want inbound or outbound. Once you filter it, you just do a Save As, and then you should have the option to save all packets, or just displayed packets.

    Sorry if you already know all of this, I wasn't sure how much experience you have with wireshark filters.

    There is a way to capture based on certain rules, but I haven't messed too much with that, and from what I can tell, the syntax is different. It is in the capture options if you want to take a look.
    "Those of us that had been up all night were in no mood for coffee and donuts, we wanted strong drink."

    -HST
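The "capture everything, then filter by the server's address and save only the displayed packets" workflow from the two posts above, as an added stand-alone example (not code from the thread or from Wireshark). It parses a classic little-endian pcap, keeps only IPv4 frames matching the server the way `ip.addr`, `ip.dst` or `ip.src` would, and writes a new pcap; the server address and the three-packet sample capture are constructed placeholders.

```python
import struct
from ipaddress import IPv4Address

PCAP_MAGIC, LINKTYPE_ETHERNET = 0xA1B2C3D4, 1
SERVER = "203.0.113.10"  # placeholder for the update server's address (not from the thread)

def ipv4_frame(src, dst, payload=b""):
    # Constructed Ethernet/IPv4 frame; checksum left zero, which is enough for address filtering.
    ether = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 6, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    return ether + ip + payload

def write_pcap(frames):
    # Classic pcap: 24-byte file header, then a 16-byte record header plus frame per packet.
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame  # ts_sec, ts_usec, incl, orig
    return bytes(out)

def read_pcap(data):
    if struct.unpack("<I", data[:4])[0] != PCAP_MAGIC:
        raise ValueError("not a little-endian classic pcap")
    pos, frames = 24, []
    while pos + 16 <= len(data):
        incl_len = struct.unpack("<IIII", data[pos:pos + 16])[2]
        frames.append(data[pos + 16:pos + 16 + incl_len])
        pos += 16 + incl_len
    return frames

def ipv4_addrs(frame):
    # (src, dst) for IPv4 frames; None for ARP, IPv6 and anything else (those are dropped, so
    # a protocol-only filter can hide exactly the traffic dinowuff warns you would miss).
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    return str(IPv4Address(frame[26:30])), str(IPv4Address(frame[30:34]))

def filter_pcap(data, host, mode="addr"):
    # mode mirrors the display filters: "addr" = ip.addr (either direction), "dst" = ip.dst, "src" = ip.src
    kept = []
    for frame in read_pcap(data):
        addrs = ipv4_addrs(frame)
        if addrs is None:
            continue
        src, dst = addrs
        if {"addr": host in (src, dst), "dst": dst == host, "src": src == host}[mode]:
            kept.append(frame)
    return write_pcap(kept)

# Constructed sample capture: one update request, its reply, and an unrelated flow to another host.
SAMPLE = write_pcap([ipv4_frame("192.168.1.20", SERVER, b"GET /update"),
                     ipv4_frame(SERVER, "192.168.1.20", b"HTTP/1.1 200"),
                     ipv4_frame("192.168.1.20", "192.168.1.1", b"dns")])
```

The capture-options filter westin mentions uses a different syntax (BPF, e.g. `host 203.0.113.10`) from the `ip.addr == 203.0.113.10` display filter, and it discards non-matching packets at capture time rather than after the fact.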
