Sunday, July 25, 2010

Network Linkfest

I decided these links merited a post of their own.

I really like the content on wirewatcher as Alec Waters does a fantastic job showing the capabilities of network traffic analysis alongside system analysis response.  I’m just a kindergartener in network analysis but the concepts and methodologies used by the professors are top-notch introductions to key concepts.  Added to my RSS feed list.

In other news, our ongoing peak traffic capture work is netting some interesting results.

One of the observations is that our dedicated capture systems may not be robust enough to handle the volume of traffic the spanned port is throwing at them.  We have been using the latest stable Windows version of Wireshark, but even though we set captures to run in “chunks” for limited periods of time, there have been multiple occasions when, on returning to the systems to retrieve the .pcap sets for analysis, we found that the Wireshark capture had crashed midway through the run.  I’m almost certain it is a resource issue.

So it was with interest that I read this post:

Recent Network Monitor builds ship with several capture filters, one of which is a “high performance capture” filter.  So I installed NetMon 3.4 on a dedicated capture system, got the latest parser sets, and then configured a test session to run at a peak time (around lunchtime at the remote site), and let it rip.

I came back an hour later and it had captured a tremendous level of frames, with no drops found… and it was still chugging away until I ended the capture session.

Nice.  I was very impressed with the results.

Only, Network Monitor saves the captures in the “.cap” format, something NetworkMiner doesn’t handle.

Wireshark does, so I imported the massive .cap file into Wireshark, intending to then convert it into “.pcap” format, which NetworkMiner does recognize.  Unfortunately, I got the oft-seen Wireshark crash due to insufficient memory resources error.  Bummer.  I’ve gotten that before when assembling chunks as well, and in that case had to use the command-line Wireshark tool mergecap to do so without memory errors.

So firstly, I’m wondering if maybe using Wireshark’s dumpcap to do non-GUI captures might be more stable for longer capture runs.  Figure I can make up some batch files for different scenarios and fire at will. And these would be in the .pcap format.

Also, secondly, I could possibly use the command-line tool tshark or editcap to do the .cap to .pcap conversions with fewer overhead resources were I to stick with NMcap as my capture engine?  Looks like I got some experimenting to do.
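As an added example (not the author’s own scripts), here is one way those batch files could look, driving dumpcap for the GUI-less capture, editcap for the NetMon .cap to .pcap conversion, and mergecap for reassembling chunks.  Assumptions: Wireshark in its default install path, capture interface number 1 (“dumpcap -D” lists them), and D:\caps as the output folder.

```batch
@echo off
setlocal enabledelayedexpansion
REM Added example, not from the original post. Assumed values: default Wireshark
REM path, capture interface 1 ("dumpcap -D" lists interfaces), D:\caps for output.
set "WS=C:\Program Files\Wireshark"
set "OUT=D:\caps"
set "IFACE=1"
if not exist "%OUT%" mkdir "%OUT%"

if /i "%1"=="capture" goto capture
if /i "%1"=="convert" goto convert
if /i "%1"=="merge"   goto merge
echo Usage: %~nx0 capture ^| convert ^<netmon.cap^> ^| merge
exit /b 1

:capture
REM GUI-less capture: full snaplen, 64 MiB kernel buffer, stop after one hour,
REM and roll to a new file every 100 MB (filesize is given in kB) so that no
REM single file is too large for the GUI to open later.
"%WS%\dumpcap.exe" -i %IFACE% -s 0 -B 64 -a duration:3600 -b filesize:102400 -w "%OUT%\peak.pcap"
exit /b %errorlevel%

:convert
REM NMCap/NetMon .cap to classic pcap without loading it into the GUI.
REM -F libpcap selects the output format (newer builds also accept "pcap").
if "%2"=="" ( echo convert needs a .cap file & exit /b 1 )
"%WS%\editcap.exe" -F libpcap "%~2" "%OUT%\%~n2.pcap"
exit /b %errorlevel%

:merge
REM Reassemble the dumpcap chunks with mergecap. Forcing -F libpcap keeps the
REM result in the .pcap format NetworkMiner reads (newer Wireshark defaults to pcapng).
set "FILES="
for /f "delims=" %%f in ('dir /b /o:n "%OUT%\peak_*.pcap"') do set FILES=!FILES! "%OUT%\%%f"
if not defined FILES ( echo no chunks found in %OUT% & exit /b 1 )
"%WS%\mergecap.exe" -F libpcap -w "%OUT%\peak_merged.pcap" %FILES%
exit /b %errorlevel%
```

Run it as `caps.bat capture` at the peak window, `caps.bat convert D:\nm\trace.cap` for a NetMon file, and `caps.bat merge` to stitch the dumpcap chunks back together.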

I’m also going to deploy and try the Wireshark Development Release version as well to see if maybe these builds help with the memory resource crashes I’m running into in processing the .cap/.pcap files in the GUI environment.

Turning back to Network Monitor…

I also soon found out from the NetMon 3.4 blog post that for even higher performance captures, it also has a CLI component that can be used for GUI-less captures.  And it is also very sophisticated.

PaulErLong, author of the above tutorial, has some other great helpful videos on Network Monitor 3.x usage as well:  YouTube – PaulErLong’s Channel

Definitely worth bookmarking and reviewing if you are new to Network Monitor usage.

As an added bonus, you can type “nmcap /examples” and get a list of pre-provided examples featuring more advanced CLI usage of the tool.

Another NMCap trick: The Quick and Easy on Using NMCap to Create Circular Network Traces Based on File Size - Microsoft Enterprise Networking Team

And the Network Monitor parsers on CodePlex are even more up to date than those shipping in the NM 3.4 download package…

Then before you leave, snag the following “Experts” that Network Monitor 3.x supports:

  • NMTopUsers - Release: Top Users 2.1 – Look carefully as they have two sets, “Top Users by Conversation” and “Top Users by Endpoint”.  Again, both are available in x32 and x64 depending on which Network Monitor build you are running.

Goodness my head is spinning now!

So much work/learning to do….

--Claus V.
