-
December 23rd, 2009, 08:01 AM
#1
wireshark captures!
Hey guys,
Need some serious help here. One of our clients is complaining that our software is eating their bandwidth. The software updates from a particular URL.
The issue I am having is that it only updates every 4 hours. I would like to only capture HTTP, TCP, and UDP to this particular URL within say 5 hours of running wireshark on the particular windows machine.
As you can imagine without this filter the capture will be too huge for the client to email it to us.
So basically only capture HTTP, TCP and UDP to this particular URL, nothing else.
Can anyone help me out with this? I've tried to get it going within Wireshark but can't seem to.
Thanks
The world is a dangerous place to live; not because of the people who are evil, but because of the people who don't do anything about it.
Albert Einstein
-
December 23rd, 2009, 11:25 AM
#2
Hi Cider,
Do you really need to do that? After all, I assume your software is well enough written not to apply an update more than once, and you must know how big the updates are. Give or take a bit of communication traffic, that will be the amount of bandwidth used? Are there any logs to indicate whether the updates are completing successfully or not?
Does your product update incrementally or do a full install of the files each time? Is there an option to do a full or incremental update?
Does your client really understand what bandwidth is? or are they just moaning that when an update runs it slows their system down to a crawl?
So basically only capture HTTP, TCP and UDP to this particular URL, nothing else.
Don't you want the traffic from the update server, not to it.
Anyway, has the client given you any values for bandwidth allegedly consumed and does this stack up with what you must know is the size of the updates?
Please remember that clients' perceptions and reality are frequently poles apart, and I cannot think of how bandwidth consumption could be significantly greater than the volume of data transmitted.
-
December 23rd, 2009, 11:31 AM
#3
Hey Nihil,
Thanks for the feedback.
The updates are incremental, so it is relatively small on a daily basis. The client has given us logs from their SmoothWall software showing that the machines are pulling data from our servers in huge amounts. I'm talking about a few hundred MB per machine, which is insane.
I've seen this issue with ISA with caching on.
My understanding is that the update is not completing and just keeps re downloading. We have tools in place to see where it is getting the updates from etc.
This is a "cloud" interface. If the p2p functionality fails then that machine will download from the internet versus the peer.
So basically the client has shown us logs indicating a couple of Gigs per day if our servers are not blocked via the proxy.
The only way for us to determine if this is the case is to get Wireshark captures on one of the machines in question during a 4-5 hour period so we can see what it is doing. But as I said in the first post, 4-5 hours of Wireshark captures on an open line will give an insane amount of code, so I would need to filter to either the IP of our servers or via protocol / port.
What ya think?
-
December 23rd, 2009, 11:50 AM
#4
Hi,
This is a "cloud" interface. If the p2p functionality fails then that machine will download from the internet versus the peer.
I am afraid that I am not familiar with that architecture. Would I be right in thinking that one server is supposed to get the update and then distribute it locally; if that fails the other servers will "do their own thing" over the internet?
I don't know your product, but could they try a manual download and distribute that... it might show where the problem is occurring?
Do you know if it is the download that is failing to complete or if it falls over at the update phase?
-
December 23rd, 2009, 12:09 PM
#5
Originally Posted by nihil
Hi,
I am afraid that I am not familiar with that architecture. Would I be right in thinking that one server is supposed to get the update and then distribute it locally; if that fails the other servers will "do their own thing" over the internet?
I don't know your product but could they try a manual download and distribute that..............it might show where the problem is occurring?
Do you know if it is the download that is failing to complete or if it falls over at the update phase?
Spot on there Nihil,
Step 1: Look on local Lan for Update via broadcast
Step 2: Go to the internet if no update is available or there is no connectivity within the LAN.
I will have to just capture 4 hours and then filter it after.
Thanks for the effort
-
December 23rd, 2009, 12:34 PM
#6
Hmmm,
I guess my first move would be to check if the nominated update server is receiving the updates properly. If it is then your firewall logs should only show traffic once every 4 hours. If the answer is "yes" then the problem lies with the data being broadcast to the other servers.
If the answer is "no" then you need to look at the connectivity between your server and the client update server.
That still leaves the issue of the other servers apparently failing to update over the internet? hence the cycling and high bandwidth?
Personally I would try a manual update of the client update server if it is not updating automatically.
I think that the client update server is key to solving this. If it is receiving updates correctly then the problem is with the other servers and it looks as if they can neither update from their peer nor from the internet, which seems to be the case?
Are there any useful error messages?
-
December 23rd, 2009, 06:28 PM
#7
Cider:
If the client is going to run Wireshark, have them do a full capture. Save the file, re-open it filtering only traffic to your URL, do a "Save As" and email that. Don't filter just UDP, HTTP and TCP; you will miss something. Also, the filtered pcap of traffic going to your URL from a single PC is not going to be that big.
Let me know if you want any help on exact filter settings
09:F9:11:02:9D:74:E3:5B 8:41:56:C5:63:56:88:C0
-
December 24th, 2009, 05:27 AM
#8
dinowuff said fvck your client!
-
December 24th, 2009, 06:31 AM
#9
LO,
I think that it is up to us grey haired professionals to help our young friend in SA?
My guess is that it is some sort of permissions problem with the update program? might even be settings ?
1. Wireshark will report on traffic, but we know we have that?
2. The system doesn't update, so keeps re-trying?
3. So try a manual update and see where it falls down?
Incidentally, I like your avatar... my tabby tomcat says "six no trumps"...?
-
December 24th, 2009, 08:45 AM
#10
Originally Posted by dinowuff
Cider:
If the client is going to run wireshark, have them do a full capture. Save the file - re open filtering only traffic to your URL do a save as and email. Don't filter just UDP HTTP and TCP - you will miss something. Also the filtered pcap of traffic going to your URL from a single PC is not going to be that big.
Let me know if you want any help on exact filter settings
I agree. You will probably want to capture all traffic related to that host. Have them perform the capture, then have them run the filter... 'ip.addr == xxx.xxx.xxx.xxx' [the address of the server, of course]. Alternatively, you can use ip.dst or ip.src if you only want inbound or outbound. Once you filter it, you just do a save as, and then you should have the option to save all packets, or just displayed packets.
Sorry if you already know all of this, I wasn't sure how much experience you have with wireshark filters.
There is a way to capture based on certain rules, but I haven't messed too much with that, and from what I can tell, the syntax is different. It is in the capture options if you want to take a look.
"Those of us that had been up all night were in no mood for coffee and donuts, we wanted strong drink."
-HST
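As an added worked example (not code from anyone in this thread), here is the post-capture step that dinowuff and the reply above describe, done offline: take a full capture, keep only the records where the IPv4 source or destination is the update server (what Wireshark's display filter `ip.addr == x.x.x.x` selects), and write those back out as a smaller pcap, which is what "Save As -> displayed packets only" produces. It also spells out the two filter syntaxes the reply mentions: BPF for capture filters (Capture Options, `dumpcap -f`) versus Wireshark display filters (`tshark -Y`, the filter bar). The server address 203.0.113.10, the client addresses and the sample packets are all constructed for the example; only little-endian classic pcap over Ethernet is handled.

```python
"""Post-filter a full pcap down to traffic involving one host (constructed example).

Equivalent to Wireshark: apply the display filter `ip.addr == SERVER_IP`, then
File -> Save As with "displayed packets only".
"""
import io
import socket
import struct

SERVER_IP = "203.0.113.10"  # assumed update server address, not from the thread

PCAP_MAGIC = 0xA1B2C3D4        # classic pcap, little-endian, microsecond timestamps
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
GLOBAL_HDR = struct.Struct("<IHHiIII")  # magic, major, minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR = struct.Struct("<IIII")     # ts_sec, ts_usec, incl_len, orig_len


def capture_filter(server_ip: str) -> str:
    """BPF syntax: used at capture time (Capture Options / dumpcap -f / tshark -f)."""
    return f"host {server_ip} and (tcp or udp)"


def display_filter(server_ip: str) -> str:
    """Wireshark display-filter syntax: used on an existing capture (filter bar / tshark -Y)."""
    return f"ip.addr == {server_ip}"


def build_frame(src_ip: str, dst_ip: str, proto: int, payload: bytes = b"") -> bytes:
    """Constructed Ethernet/IPv4 frame; the IP checksum is left zero since nothing sends it."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + payload


def write_pcap(frames) -> bytes:
    """Serialise frames into a classic pcap file image."""
    out = io.BytesIO()
    out.write(GLOBAL_HDR.pack(PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
    for i, frame in enumerate(frames):
        out.write(RECORD_HDR.pack(1261555200 + i, 0, len(frame), len(frame)))
        out.write(frame)
    return out.getvalue()


def iter_pcap(data: bytes):
    """Yield ((ts_sec, ts_usec, orig_len), frame) for each record in a pcap image."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("only little-endian classic pcap is handled here")
    linktype = GLOBAL_HDR.unpack_from(data, 0)[6]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet link type is handled here")
    off = GLOBAL_HDR.size
    while off + RECORD_HDR.size <= len(data):
        ts_sec, ts_usec, incl_len, orig_len = RECORD_HDR.unpack_from(data, off)
        off += RECORD_HDR.size
        yield (ts_sec, ts_usec, orig_len), data[off:off + incl_len]
        off += incl_len


def ipv4_addrs(frame: bytes):
    """Return (src, dst) for an IPv4-over-Ethernet frame, or None for anything else."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None
    return socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])


def filter_pcap_by_host(data: bytes, server_ip: str) -> bytes:
    """Keep only records matching ip.addr == server_ip and return them as a new pcap image."""
    out = io.BytesIO()
    out.write(data[:GLOBAL_HDR.size])  # reuse the original global header unchanged
    for (ts_sec, ts_usec, orig_len), frame in iter_pcap(data):
        addrs = ipv4_addrs(frame)
        if addrs and server_ip in addrs:
            out.write(RECORD_HDR.pack(ts_sec, ts_usec, len(frame), orig_len))
            out.write(frame)
    return out.getvalue()


def count_packets(data: bytes) -> int:
    return sum(1 for _ in iter_pcap(data))


# Constructed sample capture: one HTTP exchange with the update server (proto 6 = TCP),
# a LAN broadcast (proto 17 = UDP) and an unrelated flow that must be dropped.
SAMPLE_PCAP = write_pcap([
    build_frame("192.168.1.50", SERVER_IP, 6, b"GET /update HTTP/1.1\r\n"),
    build_frame(SERVER_IP, "192.168.1.50", 6, b"HTTP/1.1 200 OK\r\n"),
    build_frame("192.168.1.50", "192.168.1.255", 17, b"peer-discovery"),
    build_frame("192.168.1.50", "198.51.100.7", 6, b"unrelated"),
])

if __name__ == "__main__":
    print("capture filter :", capture_filter(SERVER_IP))
    print("display filter :", display_filter(SERVER_IP))
    kept = filter_pcap_by_host(SAMPLE_PCAP, SERVER_IP)
    print(f"kept {count_packets(kept)} of {count_packets(SAMPLE_PCAP)} packets, "
          f"{len(kept)} of {len(SAMPLE_PCAP)} bytes")
```

With the real tools the same step is `tshark -r full.pcap -Y "ip.addr == 203.0.113.10" -w filtered.pcap`. Two caveats worth keeping in mind: a capture filter such as `host 203.0.113.10` applied at capture time would drop the DNS lookups and the LAN broadcast/peer traffic that might explain why the p2p step fails in the first place, which is the "you will miss something" point above; and if the update URL's hostname resolves to more than one address, filter on all of them rather than on the first one you see.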