It’s important to know your limits. In this case study we find a situation stemming from SMTP being throttled. This is part of the packet capture I received: The top lines show the previous conversation ending. SMTP successfully sent 3 messages. After the 3rd message the mail server stopped responding and retransmits began. This pattern was repeatable. More than that it was repeatable from other EC2 instances. The only thing between the EC2 instances and the mail server was a router and a firewall.
CloudShark released a new packet capture challenge for this Christmas season! Unfortunately, I don’t have the time to participate right now, but I wanted to reshare this for those of you that do. I also wanted this to serve as a reminder for me to come back to it later. Good luck!
One of the most common problems any IT admin faces is a software update. While software updates are generally considered a good thing, because they patch security flaws, fix bugs, try to improve performance, and more, they are also a common source of problems. Every admin knows to be ready for calls after a scheduled maintenance window. This issue was no different. A ticket came in stating users could not access a web app through the backend system after an upgrade to Java 1.
I’ve helped many users who say Fiddler has “fixed” their issue. Unfortunately, this is a bit deceptive. Fiddler is an excellent debugging tool for web apps, but it does not permanently resolve problems. What it does do is act as a proxy with its own connection settings. This allows it to act as a “man in the middle” and even decrypt the traffic to provide better more insight into application behavior.
Everyone needs to do some housekeeping at different points, and I figured it was time I did some a basic security sweep of my setup. To get started, I performed a quick packet capture on the very server that hosts this blog. I decided to give one of CloudShark‘s newer and more distinct features a spin with my recently created account; their Threat Assessment tool. I thought it would be interesting to pit this against PacketTotal as well.
Problem I have come to expect vague error messages that seemingly blame the network. This one is no different. Server Error in ‘/’ Application. The network path was not found Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code. Exception Details: System.ComponentModel.Win32Exception: The network path was not found
Have you ever had a nightmare where you are being chased and you can’t just seem to run away fast enough? No? Well, maybe you’ve tried running through snow up to your knees or swimming while wearing jeans. All of those examples point to situations that feel like something isn’t quite right. Cases where there could be better performance if only something was changed or improved. Sometimes this same thing happens to network devices.
Several hundred users lost network connectivity. They went down randomly, one by one, and over a short period of time. Some users had intermittent connectivity. All of the network devices were online and functional. Users were roaming the halls and getting bored. This called for a packet capture, but with clients offline it had to be done on a network switch. In this instance, the capture was performed at the distribution switch on the layer 3 VLAN.
While the general rule of thumb is to capture at the client, or at least start there, sometimes it’s necessary to take captures at both ends of a connection. The client perspective will allow you to view the problem as it is seen from the client. The server perspective might show the same thing. Or, in some cases like this one, it will provide the reason for the problem. The problem was that a webpage wouldn’t load.
Start the Capture Now that you’ve decided where to capture, and you’ve prepared your interfaces and filters, you are ready to perform the capture. All you have to do at this point is hit the start button or double-click the interface in the list. There are usually multiple interfaces listed, so make sure you know which one you are wanting to use. Generally, this may be indicated by a small moving graph to the right of the device name indicating there is traffic present (the screen shot below currently show no traffic as I was in a lull).
- OLDER POSTS
- page 1 of 2