Network Analysis

9K

Solutions

12K

Contributors

Network analysis is the process of identifying and remediating the processes and systems within a network, including performance, connectivity and security. The process is performed through the use of tools developed for monitoring and analyzing network activity. Network problems that involve finding an optimal way of doing something are studied under the name combinatorial optimization. Examples include network flow, shortest path problem, transport problem, transshipment problem, location problem, matching problem, assignment problem, packing problem, routing problem, Critical Path Analysis and PERT (Program Evaluation & Review Technique).

Is there a way on a Linux Server to set up a monitor to watch all incoming and outgoing traffic?

Kind of like watching a running log of all of the inbound requests and then what is being sent out?
0
I was hoping that you can point me in the right direction, and provide some instructions on how to complete switch port mapping.
I would like to discover MAC and possibly IP addresses of all devices connected, and match each with a specific switch port.

- Cisco SNMP configuration
- Recommended network tool (paid version is fine)

We are dealing with multiple Cisco network switches, mostly SG-500s and SG-250s.
Simple flat network for now, two VLANs default and voice.

Please let me know, your help is much appreciated.

Thank you,
0
I need to create a white paper based on actual usage in the field for monitoring traffic. In particular, monitoring encrypted traffic. Our data center is receiving NetFlow and IPFIX data from a few dozen client enterprises that we are serving. The NetFlow/IPFIX data is being sent to us in real time, but we do not have control over where our clients are sourcing it. It is up to them. In other words, the "tap" they use is most likely outside their firewall, and probably outside their boundary router, but may not always be. So in the case of encrypted traffic, obviously we are not reading their payload, but we need to be able to detect whether specific traffic is encrypted. For both cases, for SSL traffic and for IPsec VPN traffic, we need to identify as much as we can for our clients' sake, without deciphering the payload.

Can you point me to explanations and scenarios (preferably real case scenarios) where this is done, and how the security techs, who are monitoring this in our data center, are handling this? Especially, as is most likely the case, if the data we are receiving is from the encrypted data flow.
0
Have a 2008 R2 server that we are trying to move away from, however there seems to be some obscure process or script either coming from that server or some other server that is writing to a share on this server. It's the same time every day. Can't find any task or script on that machine that is doing it, so I'm wondering if this is coming from another server. Is there something that can tell me, or something I can leave running to log it?
0
What "Network discovery .... software" do you recommend that will do something like https://www.solarwinds.com/engineers-toolset ?

Details
 1. Users =50
 2. VLAN = 1
 3. OS = Windows 10 Pro
 4. Switches = HP, willing to purchase NEWER models since mine are OLD
 5. Cost = under $500 if possible, but OK if more
0
What "Network device tracking software" do you recommend that will do something like https://www.solarwinds.com/user-device-tracker ?

Details
 1. Users =50
 2. VLAN = 1
 3. OS = Windows 10 Pro
 4. Switches = HP, willing to purchase NEWER models since mine are OLD
 5. Cost = under $500 if possible, but OK if more
0
After reading several articles, I have not found a simple answer to a simple question. I want to set up a sniffer. I want to use one server with two NICs: one NIC will be receiving mirrored traffic and the other NIC will allow me to remote into the server and view the Wireshark captures. My fear is that I will create a loop. I have read several articles. One that sticks out is not giving a gateway address to the receiving NIC. How would I properly set up my NICs to prevent creating a loop?
0
A client of ours has two Windows web application servers (virtual on VMware) and a DB server (physical) with MSSQL 13.0.5366.0, all three located at a hosting provider. A few weeks back the app servers started periodically having trouble logging in to the DB server (they use OLEDB "SQL Server Native Client 11.0"). That does not happen always, but periodically, 3-4 times a day.
Running "ping -t db" does not show any interruptions.

I wrote a simple script which tries to execute a simple SQL query every 10 seconds, and if it fails, records the error the OLEDB produces to a log file, plus it runs the command "ping db" redirecting the output to the same log file. The script is running on all three servers (2 apps and 1 db). Only the app servers have records of lost connectivity, not the db server!

Here is a record stored recently:
1/2/2020 9:47:44 AM Error: Login timeout expired (80004005) Microsoft SQL Server Native Client 11.0

Pinging db [172.16.30.80] with 32 bytes of data:
Reply from 172.16.30.80: bytes=32 time<1ms TTL=128
Reply from 172.16.30.80: bytes=32 time<1ms TTL=128
Reply from 172.16.30.80: bytes=32 time<1ms TTL=128
Reply from 172.16.30.80: bytes=32 time<1ms TTL=128

Ping statistics for 172.16.30.80:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

So, it shows that ping is just fine right after the login error occurs. Also, I tried manually running the command "telnet db 1433", and a connection was established just fine.

Again, no errors from the same script running on the db server.

Connection string:
Provider=SQLNCLI11.1;Password=<password>;Persist Security Info=True;User ID=<user id>;Data Source=db;Use Procedure for Prepare=1;Auto Translate=True;Packet Size=4096;Workstation ID=STG-WEB;Use Encryption for Data=False;Tag with column collation when possible=False;MARS Connection=False;DataTypeCompatibility=0;Trust Server Certificate=False;Application Intent=READWRITE

Please help!
0
Hi, I have been dealing with a problem that was not set before, but now I need to do it. How can I track what and where a user in my AD has been opening, remote logins and logins, and file or any other change on the network? Is there a script or a small app that can show me this?
0
One of our staff users is having an issue with any website on any of our 3 dedicated Pair networks servers being unusably slow, almost to non-functionality. None of the rest of us are seeing any issue whatsoever. She says all other websites load fine; it's just websites on our 3 web servers that are very, very slow, almost unusable. Have you ever heard of something like that? She uses a Mac, has emptied all cache, rebooted, run speed tests, the works; everything is fine for her except the sites she visits on our 3 web servers. We are not all at the same IP; she works from home, like a few of us do, and she's the only one with an issue. Pair says they see nothing wrong.
0
I'm experiencing a Linux routing problem.

Environment is SLES 12 SP2, running on some HP server machine with 8 physical, used network interfaces, running in a non-internet local network.

Most physical network interfaces (eth0 ... eth3 and eth5 ... eth7) have (local unique) static IP addresses in non-overlapping networks, and the routing table looks ok. The interface eth4 is on DHCP.

The problem is that sometimes packets seem to be sent over the wrong interface: a packet that is expected to fly through eth6 is spit out on eth0. This happens erratically and causes the application software (managing measurement data) to lose the data stream after max ~15 minutes.

As far as I can see,

  • the exit interface of the wrong-routed packets is always eth0
  • there are packets of at least 2 interfaces routed wrong
  • the configuration of eth0 (viewed by YaST and by inspection of /etc/sysconfig/network/ifcfg-eth0) shows no IP addresses from the other interfaces networks

If I take down eth0, the application runs smoothly (but that's only acceptable for testing purposes).

If I record the network traffic of the network addresses for eth2 (tcpdump), I find, i.e., suspicious ARP requests originating from an address on eth6 with an originating MAC address of eth0.

Any idea what happens here?
Any idea how to fix it?

P.S.: Due to some policy demands, I can't do any driver etc. updates on the system. The same applies to ideas like "do DHCP on all interfaces"; I can't change that.
0
We are troubleshooting a phantom problem on our WAN, where the network drops off for some of our school districts about 1 time a day for less than a couple of minutes. We are using Wireshark/tshark to run packet captures, via a script that launches if a ping response fails to any of our targets. Support for the network indicates they are seeing warnings by Wireshark of duplicate IP addresses for a few IPs. They feel that issue is part of our problem, but the conflicting IPs are on entirely different VLANs from point A to point B. Is this simply a limitation of Wireshark not recognizing the separate VLANs? Is there a way to make Wireshark aware with the proper capture flags, or is there really a concern about the conflicting IPs? According to Fortinet, we have set things up correctly, and it makes sense to me that there should not be an issue as long as different VLANs are used. (Many of our school districts use the same LAN subnet addressing.)

I appreciate any insight on this issue.
0
Hi, we use haproxy with round robin on a few servers, which works amazingly well.
However, now we need to use it for TCP sessions from different ports.

Basically, GPS IoT devices create connections to our server via TCP.
When I run a netstat, I see lots of devices sending data from the same IP address but different ports.
Here is a snapshot:
TCP myServerIp:9001 141.86.25.16:60046 ESTABLISHED
TCP myServerIp:9001 141.86.25.16:62084 ESTABLISHED
These are not the same device; they are using a mobile/cell network with the same IP but different ports.

So I would need a configuration for haproxy to route to different servers based on IP and PORT.
All the examples I've seen so far just use IP, which would not work well for me as it would batch a bunch of devices to the same server.
I guess it would work, but it may overload one server and under-load another (if that makes sense).

Something else I'm not sure about: some devices also send data using UDP, and these would also need to be routed to the same server. Not sure if this would work or if I would just have to route all UDP devices to 1 server.

Any feedback, pointers and help appreciated.
Thanks
0
Dear Ladies and Gentlemen

We need to find whether D-Link DWM-222 dongles have any security vulnerability (with the latest firmware update).
Do you know of any? If not, where should I start?

Thanks
0
I am visiting a client tomorrow (50 WAPs, 5 switches) to assist them with their wireless dropout issues.
They have cordless wireless phones which were on 2GHz; they upgraded to 5GHz, and it didn't resolve the issue.
They have Meraki switches and WAPs, and a Cisco ASA.
The Meraki WAPs they are using are MR42:
https://meraki.cisco.com/products/wireless/mr42

I have worked on Meraki switches and WAPs but never had any issues with them.
Should I start with disabling SSIDs and enabling them one by one?
Which tools / apps can I install on my computer to diagnose an issue like this?
Thanks.
0
Hi,

We have 2 x Aruba 8320s (core switches). We also have 11 x Aruba 2540 edge switches.

Each switch has 2 x 10GbE SFP modules which connect to the cores via fibre in a LAG.

The switches are split up in 5 separate racks across our building. We also have 1 x Meraki switch in each of the cabinets, capable of having 10GbE SFP modules.

My question is, what is the best way to get the Meraki switches to communicate with our cores? We want to utilise them.

1. Direct connection to the cores (like the Arubas)
2. Set up a 10GbE trunk between the edge switches and the Arubas
3. Any other way?

Could you please advise?

Thanks
0
I have a huge number of messages in my VPN router LAN access log from remote, and I do not know where they are coming from. No email server is set up, and it does not seem to have any games on it. The only thing I have created is a port for RDP, and I forward that port so I can access the server from outside.

Please advise.
0
We provide IT to a fairly large car dealership. For the past several months they've had the internet slow to a crawl. They pay for 40/40 Mbps. During the slowdown they'll see speed tests of 0.2-1 Mbps down and 30 up. These slowdowns are not every day, and when they happen, it's first thing in the morning, usually 8am - 10:30am, and then it just goes back to normal.

We've talked multiple times with the ISP. They say it's not on their end. They have sent us a screenshot showing our network is saturated but no details as to what could be causing it.

We have a SonicWall in place and have recently purchased Bandwidth Monitoring. I've been able to check slowdowns twice with the BWM. The top initiators change almost every time I refresh. They are all devices or workstations; not seeing any servers or a single workstation as the top "bandwidth hog." The top application in the app flow is "General HTTPS".

We've been able to use the IPs to nslookup the workstations and run some anti-malware and check browsing history. Some have needed malware/PUPs cleaned up, but nothing has ultimately resolved the issue. We're running out of things to look for and try. Just looking for tools, suggestions, more tests to try to track this issue down.
0
Hello, I am aware that classful network addressing is a thing of the past and that there are 5 classes.

Class      Leading bits (prefix)
Class A    0
Class B    10
Class C    110
Class D    1110
Class E    1111

If we wanted 9 classes, I'm trying to find the leading bits. Is this possible?

Thanks.
0
I would like to know what caused this to happen. WMI usage was very high in Task Manager, which resulted in extreme slowness in the overall performance of my PC. When I rebooted the computer it went to 0%, as it's supposed to be. What was the culprit, and how can I prevent that from happening in the future?
WMI Usage Very High.JPG
0
Hi, I ran this Wireshark network protocol analyzer with no programs open, including no background programs. I ran it for three minutes. I have the report in CSV and in pcapng format (I've changed the latter to a .txt extension to upload).

Can someone let me know if there's any odd network activity going on? Thanks. If you need more information, let me know, this is way over my head.
packet-dissection.csv
packets---Copy.txt
0
I need to analyze PCAP files and APIs for an MVNE I am working with. I can definitely see some things in the PCAP files they sent, but I would like to be able to do a lot more and analyze it more deeply. I have been using Wireshark to break it down, but what is the best way to attack analyzing these files? Is there a resource out there, program, best practice, etc.?
0
Plugged in two network switches to my LAN. They were being used for Comcast Voice previous to today. Now, I have workstations that are having their DNS server address changed to the firewall IP address. The DHCP scope tells them to go to 192.168.1.210, but they are changing to 192.168.1.1.
I can't find any rogue DHCP servers on the network.
Any ideas on areas I could check to see what is telling the computers to change their DNS server IP through DHCP?

When we connect via Wireless, those computers aren't impacted.
Only happening on the LAN (ethernet) segment from what I can tell.

Have a Fortigate Firewall
Have Fortiswitches
Have a Cisco SG300-24P
Have a TP Link T1600-52P switch

I checked both switches and both have the DHCP server disabled.
Both are set to DHCP to pick up an IP.
I did have to log in to change the IP on the TP-Link.
It was defaulted to 192.168.0.1.
I had to alter that to 192.168.1.1.

Verified firmware is up to date.

The only thing I did yesterday was to plug the phone switches into the Ethernet LAN as the phones would now be using our LAN for IP Addressing and such.
Is there a way to see what's handing out or distributing the 192.168.1.1 for "DNS Server" setting to workstations?

The DHCP server has been 192.168.1.210.
But now, on the clients (anything not statically assigned), it's showing up as 192.168.1.1.

I don't see any other DHCP servers on the network. I am trying to use Wireshark to examine the LAN to see if this is the …
0
How can I set up a remote Wireshark capture? I want to capture traffic on a particular switch port, but I can't be onsite.

I have a Cisco 2960G and a FortiGate 60D.
0
I have an Extreme Switch that is capable of port monitoring.
I'll be using a laptop to connect to port 11 on this switch. I'll be monitoring port 13, which has a VoIP switch plugged in to it. The purpose is to capture the traffic of the VoIP switch, because that VoIP switch is losing connectivity to our network at random.
On the Extreme switch, all I have to do is select port 11 as the "monitoring" port and select port 13 as the port I want to monitor. This part is easy enough.
I'd like to use Wireshark as the utility to capture the traffic. Installing Wireshark on the laptop I'll be plugging in to port 11 is no problem. However, the tutorials I've seen so far are not specific enough to tell me how to set up Wireshark to capture/store the traffic that's traveling across port 13.
Please advise.
1