SHARKFEST '08 | Foothill College | March 31 - April 2, 2008
Protocol Analysis in a Complex Enterprise
April 2nd, 2008
Hansang Bae, Senior VP | Citigroup


Challenges:
- As it turns out, size does matter!
  - Citi's branch network spans 5,000+ locations in the US
  - Citi's network infrastructure includes 30,000+ devices
  - 300,000 users located in over 100 countries
- Compliance/Security Quagmire
  - It's for your own protection, or so I'm told!
  - Doing a full packet capture is difficult
- Wireshark is the only approved protocol analyzer at Citi. It dislodged past market leaders.

Challenges (con't):
- Capturing and analyzing: two pieces of the same puzzle
- Enormous amounts of PCAP data are involved.
- In most cases, header analysis is adequate.
- Wireshark/WinPcap is not well suited to this much volume.
- Citi uses a commercial product for packet capturing. Working with the vendor, it took over three years of development before it was deemed "Citi-ready".

Example One: Path MTU
- Infrastructure size makes it interesting.
- Very difficult problem without a proper protocol analyzer.

Example One (con't)
- In-depth understanding of routers and protocols was required.
- Usenet to the rescue!
- ICMP and ip.addr filters were key!
- So which side am I on in the "religious debate" about whether ICMP messages should be included in the "ip.addr" display filter? (Trace: ..\..\..\Traces\Consumer\CBNA\ICMPRateLimit.pcap)
- In retrospect, it was an easy problem to solve. Yet the sheer size made it difficult to spot.
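The ip.addr question above turns on where the addresses live in an ICMP error: the outer header carries router-to-client addresses, while the original client-to-server header is quoted inside the ICMP payload, so a filter that only looks at the outer header never shows a Path MTU "fragmentation needed" message when you filter on the server. Wireshark's ip.addr also matches the quoted header, which is what makes the filter useful here. The following added example (not from the slides) builds a constructed type 3 / code 4 packet with RFC 5737 documentation addresses and compares the two filter behaviours:

```python
import struct

def ip_to_bytes(a):
    return bytes(int(x) for x in a.split("."))

def bytes_to_ip(b):
    return ".".join(str(x) for x in b)

def ipv4_header(src, dst, proto, total_len):
    """Minimal 20-byte IPv4 header (checksum left zero; not verified here)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                       ip_to_bytes(src), ip_to_bytes(dst))

def build_frag_needed(router, client, server, next_hop_mtu):
    """Constructed sample: ICMP type 3 code 4 from a router back to the client,
    quoting the client's original IP header (to the server) plus 8 payload bytes."""
    quoted = ipv4_header(client, server, 6, 1500) + struct.pack("!HHI", 40000, 443, 1)
    icmp = struct.pack("!BBHHH", 3, 4, 0, 0, next_hop_mtu) + quoted  # RFC 1191 layout
    return ipv4_header(router, client, 1, 20 + len(icmp)) + icmp

def parse_packet(pkt):
    """Outer addresses; for ICMP errors also type/code, next-hop MTU and quoted addresses."""
    ihl = (pkt[0] & 0x0F) * 4
    info = {"outer_src": bytes_to_ip(pkt[12:16]), "outer_dst": bytes_to_ip(pkt[16:20]),
            "proto": pkt[9], "quoted_src": None, "quoted_dst": None}
    if info["proto"] == 1 and len(pkt) >= ihl + 28:
        icmp = pkt[ihl:]
        info["type"], info["code"], _, _, info["next_hop_mtu"] = struct.unpack("!BBHHH", icmp[:8])
        if info["type"] in (3, 11, 12):  # error types that quote the offending datagram
            info["quoted_src"] = bytes_to_ip(icmp[20:24])
            info["quoted_dst"] = bytes_to_ip(icmp[24:28])
    return info

def matches_ip_addr(pkt, addr, include_quoted=True):
    """Emulate an 'ip.addr == addr' display filter on a single packet."""
    p = parse_packet(pkt)
    if addr in (p["outer_src"], p["outer_dst"]):
        return True
    return include_quoted and addr in (p["quoted_src"], p["quoted_dst"])

def filter_trace(pkts, addr, include_quoted=True):
    """Indices of the packets the filter would display."""
    return [i for i, pkt in enumerate(pkts) if matches_ip_addr(pkt, addr, include_quoted)]

def sample_trace():
    """Constructed two-packet trace: client's 1500-byte segment, then the router's ICMP error."""
    client, server, router = "192.0.2.10", "198.51.100.5", "10.0.0.1"
    data = ipv4_header(client, server, 6, 1500) + struct.pack("!HHI", 40000, 443, 1)
    return [data, build_frag_needed(router, client, server, 1400)]
```

Filtering the constructed trace on the server address shows both packets only when the quoted header is considered; an outer-header-only filter hides the ICMP error, which is exactly the packet that explains the Path MTU problem.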

Example Two: Clock Drift
- A market-data driven business complains of extreme delays from the UK to the US.
- At first glance, application logs seem to confirm delays of 200+ ms. The RTT is 70 ms.
- Because it's easy, let's blame the firewall and the network!
- SLA tracking and further investigation of routers/switches gets us nowhere with problem resolution.
- Our analysis shows that something is not right!

Example Two (con't)
- Due to mismatched traffic flow, the pcap data itself yields unreliable data.
- For example, we would see an ACK for a packet that was not yet delivered. This was traced to the output buffer of the SPAN port on the switch.
- The SPAN issue forced us to look at the packets in detail, including the data timestamp.

Example Two (con't)
- Charting the pcap timestamp against the data timestamp showed a peculiar pattern.
- By spotting the pattern above, we were able to show the vendor that their clock was drifting!
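The chart the slide refers to is the offset between the capture timestamp and the timestamp carried inside each market-data message, plotted over the capture; a clock that merely runs ahead gives a flat line, a drifting clock gives a slope. The added example below (not the author's tooling; the 70 ms initial offset, 200 ppm drift rate and one-message-per-second trace are invented) fits that slope and projects the apparent "delay" the logs would report later in the capture:

```python
def pair_offsets(samples):
    """For each message, (capture time, in-data time minus capture time), in seconds."""
    return [(t_cap, t_data - t_cap) for t_cap, t_data in samples]

def fit_drift(samples):
    """Least-squares fit of offset = a + b * t_cap over the capture.
    Returns (a, b) as (initial offset in seconds, drift in parts per million).
    A fixed offset alone gives b ~ 0; a drifting sender clock gives a non-zero b."""
    pts = pair_offsets(samples)
    n = len(pts)
    mx = sum(t for t, _ in pts) / n
    my = sum(d for _, d in pts) / n
    sxx = sum((t - mx) ** 2 for t, _ in pts)
    sxy = sum((t - mx) * (d - my) for t, d in pts)
    b = sxy / sxx
    return my - b * mx, b * 1e6

def projected_offset(a, ppm, t_cap):
    """Apparent delay the in-data clock reports t_cap seconds into the capture."""
    return a + ppm * 1e-6 * t_cap

def make_samples(n=600, interval=1.0, offset=0.070, ppm=200.0):
    """Constructed trace: one message per second for n seconds. The sender's clock
    starts `offset` seconds ahead of the capture clock and runs fast by `ppm`."""
    return [(i * interval, i * interval * (1 + ppm * 1e-6) + offset) for i in range(n)]
```

On the constructed trace the fitted drift is 200 ppm, and ten minutes in the logged "delay" has grown from 70 ms to 190 ms even though nothing on the network path changed.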

Lessons Learned/Feature Request
- A picture really is worth a thousand words.
- The two pictures above show the same event!
- Bounce diagrams can quickly pinpoint issues.

Lessons Learned (con't)
- Allow a zoom-in feature from the bounce diagram for even easier troubleshooting.
- The above shows slow start in action. It's immediately obvious what's going on with one look at the chart!
- Increase performance for TCP/IP dissection. Although Wireshark's support for protocols is impressive, most folks in the enterprise deal with TCP/IP problems.