Thanks for reading & let’s continue to be good network citizens!

The case study won the 2009 Best Deployment Scenario – VPN/IPSec/SSL and was featured in the Info Security Products Guide. The winning case study and announcement can be found at Manufacturing Company Achieves Security and Performance Goals with Virtela’s Remote Access Services from the Cloud.

See all 2009 Best Deployment Scenarios and Case Studies. This would be a good time to look at these and see if any of the solutions may meet some of the information security needs of your organization. Consider putting the solutions in your 2010 budgets.

Feel free to leave comments here or contact me through ITKE if you would like more information. Thanks for reading & let’s continue to be good network citizens.

If you manage a network and have taken packet captures to work on a problem and have seen RST packets or if you need to do this at some point in your career, you need to understand the purpose and source of the RST packets. Take a few minutes, read this excellent article that is the best explanation that I have seen on this topic. You will become better informed and better able to understand the nature of the network beast.

Where do resets come from? (No, the stork does not bring them.)

Thanks for reading and let’s continue to be good network citizens.

The URL ping tool is described in the Microsoft IT Showcase: sharepoint Performance Optimization Technical White Paper. It is a C# script that will need to be compiled using the proper include files and configuration for your environment. I configured the script to log in CSV format the date, time and time to first byte from the webserver in question. Using the console output redirect pipe, I logged the information to a text log file. I configured a Windows scheduled task to run the URLping command over the time period of interest. The URLping command ran every 30 seconds logging the results to the specified text file.

During the same period, ever 30 seconds, I ran the fping utility from Kwakkelflap.com. The fping utility is much more flexible than the ping tool that is part of the Windows operating system. Some of the features that make fping so useful includes:

• Time between pings can be adjusted as needed from 1ms to 5s.
• Beep on every successful or unsuccessful reply allowing you to test your network status in the background.
• Ping multiple hosts with one simple command.
• Read a hostlist from a file
• Output redirection to a file for parsing.
• Ping with random data, or data you provide

The results from these two utilities were logged into two separate CSV files. Since the tests were running every 30 seconds, I could take the fping results and the urlping results and combine them into one spreadsheet for analysis. I wanted the units for the urlping and fping response times to be the same. I had to divide the fping results, which were in milliseconds (ms), by 1000 to convert the results to seconds to match the units of the urlping results. I then graphed the results. This information is shown below. The blue data points are the urlping results. The pink data points are the ping times.

URLping vs fping

During this sample period of 54 hours, the maximum urlping response time was about 30 seconds. The maximum fping response time was 0.4857 seconds (or 485.7 ms). The average urlping response time was 2.75 seconds and the average fping response time was 0.06 seconds (or 60 ms). As you can see, the network ping response times are much lower than the webserver response times.

We found it very interesting that there was an elevation in webserver response times from about 15:45 on 9/23/09 until just after 01:30 on 9/24/09. Note that the ICMP ping times were not elevated in a similar manner during this period. Further investigation on this issue would be required.

I ran a correlation statistical analysis to see if the fping (icmp) response times and url ping times were related. The graph below has the ICMP ping time as the X-axis and the url ping time as the Y-axis. As you can see, there is very little correlation (0.251) between the two measurements.

URL pings vs ICMP pings correlation

Based on this information, I was able to convince the team that the webserver response is  not related to the network response.

These tools are simple to use and should be in your toolkit as a network administrator. How often are you told that the network is having a problem yet you know that there is something else happening? Stay tuned… more to come!

So for now – share with the other ITKE readers ways that you look at network/application performance. What tools do you use to instrument and diagnose network issues?

Thanks for reading and let’s continue to be good network citizens.

The number 1 and 2 tools that can find out if there is a potential problem are ping and pathping (Windows XP). To test a network path between a client and host for latency and packet loss use a command something like:

ping -n 100 -l 1000 host.com

The -l is a LOWER case L. This command will send 100 pings of 1000 bytes each to host.com. This will give you latency for larger packets and also if there is any packet loss along the path. To get more details about where along the path packet loss is happening, use the command:

pathping host.com

This also does some pings along the path but will inform you of where along a traceroute the pings are getting lost. Note that ICMP must be enabled along the path for these commands to give you the information you may need to resolve the problems.

If the network path and hosts are all on your private network, you may need to capture some additional performance data. This is where network diagrams and service diagrams come into play. In a typical webserver farm environment, there are potentially a lot of “moving” parts along the path between a client and an application. The application path between a client might go something like this:

client -> LAN switch -> router -> WAN link -> router -> LAN switch -> web server -> database/index server

And then return through the same or similar path. This example has 8-9 various connections/hosts that could impact client application performance. This is no longer just a network data traffic issue.  I won’t be getting into the LAN switch or the router performance monitoring at this time. I will leave that for another posting. I will also make another entry discussing more about reviewing the server performance issues. Stay tuned.

So for now – share with the other ITKE readers ways that you look at network/application performance. What tools do you use to instrument and diagnose network issues?

Thanks for reading & let’s continue to be good network citizens.

According to Wikipedia:

Nmap is a security scanner originally written by Gordon Lyon (also known by his pseudonym Fyodor Vaskovich).^[1] Nmap is a “Network Mapper”, used to discover computers and services on a computer network, thus creating a “map” of the network. Just like many simple port scanners, Nmap is capable of discovering passive services on a network despite the fact that such services aren’t advertising themselves with a service discovery protocol. In addition Nmap may be able to determine various details about the remote computers. These include operating system, device type, uptime, software product used to run a service, exact version number of that product, presence of some firewall techniques and, on a local area network, even vendor of the remote network card.

If you have not used Nmap before, you should become add it to your toolbox and become familiar with this extremely useful network administration and testing tool. Some of the additions in v5 include:

<!– /* Font Definitions */ @font-face {font-family:”Cambria Math”; panose-1:2 4 5 3 5 4 6 3 2 4; mso-font-alt:”Calisto MT”; mso-font-charset:0; mso-generic-font-family:roman; mso-font-pitch:variable; mso-font-signature:-1610611985 1107304683 0 0 159 0;} @font-face {font-family:Calibri; panose-1:2 15 5 2 2 2 4 3 2 4; mso-font-alt:”Century Gothic”; mso-font-charset:0; mso-generic-font-family:swiss; mso-font-pitch:variable; mso-font-signature:-1610611985 1073750139 0 0 159 0;} /* Style Definitions */ p.MsoNormal, li.MsoNormal, div.MsoNormal {mso-style-unhide:no; mso-style-qformat:yes; mso-style-parent:”"; margin:0in; margin-bottom:.0001pt; mso-pagination:widow-orphan; font-size:11.0pt; font-family:”Calibri”,”sans-serif”; mso-ascii-font-family:Calibri; mso-ascii-theme-font:minor-latin; mso-fareast-font-family:Calibri; mso-fareast-theme-font:minor-latin; mso-hansi-font-family:Calibri; mso-hansi-theme-font:minor-latin; mso-bidi-font-family:”Times New Roman”; mso-bidi-theme-font:minor-bidi;} a:link, span.MsoHyperlink {mso-style-priority:99; color:blue; text-decoration:underline; text-underline:single;} a:visited, span.MsoHyperlinkFollowed {mso-style-noshow:yes; mso-style-priority:99; color:purple; mso-themecolor:followedhyperlink; text-decoration:underline; text-underline:single;} .MsoChpDefault {mso-style-type:export-only; mso-default-props:yes; font-size:10.0pt; mso-ansi-font-size:10.0pt; mso-bidi-font-size:10.0pt;} @page Section1 {size:8.5in 11.0in; margin:1.0in 1.0in 1.0in 1.0in; mso-header-margin:.5in; mso-footer-margin:.5in; mso-paper-source:0;} div.Section1 {page:Section1;} –>
/* Style Definitions */
table.MsoNormalTable
{mso-style-name:”Table Normal”;
mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
mso-style-noshow:yes;
mso-style-priority:99;
mso-style-qformat:yes;
mso-style-parent:”";
mso-padding-alt:0in 5.4pt 0in 5.4pt;
mso-para-margin:0in;
mso-para-margin-bottom:.0001pt;
mso-pagination:widow-orphan;
font-size:11.0pt;
font-family:”Calibri”,”sans-serif”;
mso-ascii-font-family:Calibri;
mso-ascii-theme-font:minor-latin;
mso-fareast-font-family:”Times New Roman”;
mso-fareast-theme-font:minor-fareast;
mso-hansi-font-family:Calibri;
mso-hansi-theme-font:minor-latin;
mso-bidi-font-family:”Times New Roman”;
mso-bidi-theme-font:minor-bidi;}

1. Ncat included with Nmap. If you are familiar with netcat, then enough said. If not, ncat is a “reinvention” of the infamous netcat tool. Ncat is defined as the ‘swiss army knife’ for security testing and admin functions and can be considered a ‘piece of clay’ as you’ll find it’s range of uses is only limited by the user’s imagination and technical skills.

See http://nmap.org/ncat/

2. Ndiff scan comparison tool can be used to compare two Nmap XML files – in essence,  you can scan a host today and scan it tomorrow and use Ndiff to compare the two to see differences in the results.

See http://nmap.org/ndiff/man.html

3. Performance enhancements have been made possible by the numerous scans Fyodor made of the internet last summer  and finding the most commonly-open ports and reduce the number of ports scanned by default. In addition, you can define your own scan rate and bypass Nmaps congestion control algorithms.

4. The Nmap Scripting Engine (NSE) scripts have been improved and 32 new scripts added including scripts for MSRPC/NetBIOS atacks, queries and vulnerability probes, brute force attack scripts against SNMP and POP3 and more. NSE scripts/modules are defined at http://nmap.org/nsedoc/

5. The Nmap Book – this is a MUST HAVE for anyone involved in network troubleshooting or security! This is the best technical book that has come out in many years!

Get this right now at http://nmap.org/book/

I have a copy of the Nmap book that I ordered from Amazon. It is a great reference addition to your technical library and will be of great use. Nmap is a very technical tool but there are graphical interfaces for its use.

Let other ITKE members know how you use Nmap. Leave some tips/tricks here for our readers.

Thanks for reading and let’s continue to be good network citizens.