Is it real or Matrix? Some facts about network traces…

Hi there, In this blog post, I would like to talk about some facts about network traces. A while ago we were discussing how much we could depend on network trace data when it comes to questions like: “The outgoing packet that we see in a network trace, did it really hit the wire?”,…

Excessive ARP requests, is it malware or legitimate activity?

Hi there, In this blog post, I would like to talk about a network trace analysis scenario where we were asked to find out whether excessive ARP requests were legitimate or not. Here are more details about the problem: Problem description: Some Windows Vista clients experience network connectivity problems. After the…

Why does it take so long to retrieve data from SQL Server over a WAN connection?

Hi there, In today’s blog post, I’m going to talk about how to troubleshoot a WAN performance problem by using simultaneous network traces. One of our customers reported that they were having performance problems when retrieving data from a SQL server running in a remote subnet. Interestingly, the problem was not present when the…

Exchange servers send ICMP and UDP packets to clients or Domain Controllers, why?

Hi, I would like to talk about a few network trace analysis cases where we were asked to find out why certain packets (specifically ICMP and UDP) were sent by Exchange servers. Below you’ll find more details about how we found the processes sending those packets: a) Exchange servers sending UDP packets with…

Why should a DC contact clients in the domain?

Hi there, In today’s blog post, I’m going to show you how I found out why a Domain Controller was contacting random clients in the domain. This issue was reported by the customer because of security concerns: they suspected that a suspicious process might be running on the DC, and the case was raised…

Have you ever wanted to see which Windows process sends a certain packet out to the network?

Hi there, We are sometimes asked to find out which process sends a certain packet. This generally stems from security concerns (for example, seeing TCP session attempts in firewall/IDS device logs). Even though it is not always possible to tell exactly which process sends a certain packet, most of the time we can…

Why doesn’t Windows Server 2008 negotiate a TCP MSS smaller than 536 bytes?

Hi, In today’s blog, I’ll talk about an MTU issue that occurs on Windows Vista onwards (Vista/7/2008/2008 R2). One of our customers reported that their SMTP server (running on Windows 2008) was failing to send e-mails to certain remote SMTP servers because e-mail delivery was disrupted at the transport layer. After analyzing the network trace collected…

Why can’t we access NLB Clusters from remote subnets?

Hi there, In today’s blog, I would like to talk about the NLB cluster access problems that our customers experience most often… When a Microsoft NLB cluster operates in multicast mode, in certain scenarios you may not be able to access the NLB cluster IP address from remote subnets, whereas same-subnet access keeps working…

Why does anonymous PIPE access fail on Windows Vista, 2008, Windows 7 or Windows 2008 R2?

Hi there, In this blog post, I would like to talk about a named pipe access issue on Windows 2008 that I had to deal with recently. One of our customers was having problems accessing named pipes anonymously on Windows 2008, and therefore we were engaged to address the issue. Even though the required configuration…
