NETASQ Technical Support Training Session 11

Capture and traffic Analysis

© NETASQ 2006

Summary
• The tcpdump command and its alias tcpd
• Study of practical cases using tcpdump
• Presentation of Wireshark
• Study of practical cases using Wireshark

NETASQ – CORPORATE PRESENTATION


Introduction

Traffic capture allows:
• quick display of the network exchanges between correspondents
• easy identification of the sources and destinations (IP addresses, MAC addresses, ports, protocols, ...) involved in the exchanges
• binary capture of the raw traffic into files, for later analysis with a graphical tool (Wireshark)
• diagnosis of problems with the NETASQ UTM, or of more general network traffic problems, provided that this traffic is seen by the interfaces of the firewall.


Introduction

What is Wireshark?
Wireshark is a network packet analyzer: it captures network packets and displays the packet data in as much detail as possible.

Features:
• Available for UNIX and Windows.
• Capture live packet data from a network interface.
• Display packets with very detailed protocol information.
• Open and save captured packet data.
• Import and export packet data from and to many other capture programs.
• Filter packets on many criteria.
• Search for packets on many criteria.
• Colorize the packet display based on filters.
• Create various statistics.


Introduction

After some reminders about tcpdump, this presentation illustrates some common situations on concrete captures.


tcpdump: Reminders

For capturing to a file, always use the options -s0 and -w:
• -s0: captures the whole packet (no size limit); by default only the first 96 bytes of each packet would be captured, which truncates the payload you will want to analyse later.
• -w path-to-capture-file.pcap: writes the raw traffic into a binary pcap-formatted file.

Captures must be performed simultaneously on the different network interfaces the traffic goes through, so as to get both the client-side and the server-side points of view.

Captures must be prepared and launched before initiating the test connections, and stopped only after the connections have ended.

The NETASQ command ifinfo displays the correspondence between the system name and the common name of each network interface.


tcpdump: Reminders

Some common arguments for tcpdump:
• -n: do not resolve IP addresses to hostnames nor port numbers to service names
• -i ifname: specifies the interface to capture on
• -s0: captures the complete packet regardless of its size
• -w /log/dbg/filename: saves the capture into a file

tcpdump filters:

  tcpdump -ni sis1 -s0 -w /log/dbg/InPort80.pcap port 80

Captures entirely, on the interface sis1, any packet involving port 80.

  tcpdump -ni ng0 -s0 -w /log/dbg/Ng500or4500orESP.pcap port 500 or port 4500 or esp

Captures entirely, on the dialup interface ng0, any packet involving port 500, port 4500 or the ESP protocol (the filter keyword is the lowercase esp).

  tcpdump -ni sis0 -s0 -w /log/dbg/OutNet192.168.10.pcap net 192.168.10 and not host 192.168.10.10 and port \( 25 or 110 \)

Captures entirely, on the external interface sis0, any packet from or to an IP address belonging to the network 192.168.10.0/24, except 192.168.10.10, and to or from port 25 or 110.


tcpdump: Advanced Filters

Some examples. First one:

  F200XA105410400601>tcpdump -ni sis0 \( port \(500 or 4500\) or esp \) and host 10.1.15.63
  tcpdump: listening on sis0
  17:10:58.216148 10.1.15.63.500 > 10.1.34.200.500: isakmp: phase 1 I ident: [|sa]
  17:10:58.267823 10.1.34.200.500 > 10.1.15.63.500: isakmp: phase 1 R ident: [|sa]
  17:10:58.570174 10.1.15.63.500 > 10.1.34.200.500: isakmp: phase 1 I ident: [|ke]
  17:10:58.777456 10.1.34.200.500 > 10.1.15.63.500: isakmp: phase 1 R ident: [|ke]
  17:10:59.006554 10.1.15.63.500 > 10.1.34.200.500: isakmp: phase 1 I ident[E]: [encrypted id]
  17:10:59.029460 10.1.34.200.500 > 10.1.15.63.500: isakmp: phase 1 R ident[E]: [encrypted id]
  17:10:59.031075 10.1.15.63.500 > 10.1.34.200.500: isakmp: phase 2/others I inf[E]: [encrypted hash]


tcpdump: Advanced Filters (first example, continued)

  17:11:00.331247 10.1.15.63.500 > 10.1.34.200.500: isakmp: phase 2/others I oakley-quick[E]: [encrypted hash]
  17:11:00.572524 10.1.34.200.500 > 10.1.15.63.500: isakmp: phase 2/others R oakley-quick[E]: [encrypted hash]
  17:11:00.574619 10.1.15.63.500 > 10.1.34.200.500: isakmp: phase 2/others I oakley-quick[E]: [encrypted hash]
  17:11:01.221584 10.1.15.63 > 10.1.34.200: ESP(spi=0x0f2d4170,seq=0x1)
  17:11:01.222134 10.1.34.200 > 10.1.15.63: ESP(spi=0x00edc369,seq=0x1)

The "\" is needed to escape the "(" and ")" characters and prevent their interpretation by the shell. Instead of "\", the whole tcpdump filter can also be written between single quotes:

  tcpdump -ni sis0 '( port ( 500 or 4500 ) or esp ) and host 10.1.15.63'


tcpdump: Advanced Filters

Second one: filter vlan [vlan_id]

  F200XA105410400601>tcpdump -ni sis0 vlan 5
  tcpdump: listening on sis0
  11:24:41.896258 802.1Q vlan#5 P0 192.168.40.34.8586 > 192.168.40.15.1300: S 90862913:90862913(0) win 57344 (DF)
  11:24:41.896795 802.1Q vlan#5 P0 192.168.40.34.8586 > 192.168.40.15.1300: . ack 1546383726 win 57760 (DF)
  11:24:41.897024 802.1Q vlan#5 P0 192.168.40.34.8586 > 192.168.40.15.1300: P 0:9(9) ack 1 win 57760 (DF)
  11:24:41.998393 802.1Q vlan#5 P0 192.168.40.34.8586 > 192.168.40.15.1300: . ack 32 win 57760 (DF)


tcpdump: Advanced Filters (second example, continued)

  11:24:42.007187 802.1Q vlan#5 P0 192.168.40.34.8586 > 192.168.40.15.1300: P 9:54(45) ack 85 win 57760 (DF)
  11:24:42.096308 802.1Q vlan#5 P0 192.168.40.34.8586 > 192.168.40.15.1300: . ack 1560 win 56285 (DF)
  11:24:42.197529 802.1Q vlan#5 P0 192.168.40.34.8586 > 192.168.40.15.1300: . ack 2701 win 57760 (DF)

This example shows that incoming tagged packets are not seen on the physical interface: only the packets sent by 192.168.40.34 appear in the capture, never the replies from 192.168.40.15, even though the acknowledgment numbers prove they were received. To see both directions of a VLAN conversation, capture on the VLAN interface itself.


tcpdump: Advanced Filters

Third one: dump the HA connections

  F200XA105410400601>tcpdump -ni fxp2 '(src host 172.16.32.2 and dst port 1300)' or '(src host 172.16.32.1 and src port 1300)'

Captures only the serverd connection from the slave (172.16.32.2) to the master (172.16.32.1): the packets sent by the slave towards port 1300, and the replies coming from the master's port 1300. Be careful when using the src and dst qualifiers: unlike plain host and port, each of them matches a single direction, so a filter that gets them wrong silently captures only half of a conversation.


tcpdump: Interesting Options

Option -X: prints the headers and the data of each packet, in hex and ASCII

  F200XA105410400601>tcpdump -ni sis1 -X port 80
  tcpdump: listening on sis0
  09:14:17.693397 10.1.34.119.48019 > 63.245.213.21.80: P 1:683(682) ack 1 win 365 (DF)
  0x0000 4500 02de d70f 4000 4006 1f88 0a01 2277 E.....@.@....."w
  0x0010 3ff5 d515 bb93 0050 e7e2 c02f f618 952e ?......P.../....
  0x0020 8018 016d d251 0000 0101 080a 1c1a 1723 ...m.Q.........#
  0x0030 7a41 5546 4745 5420 2f65 6e2d 5553 2f66 zAUFGET./en-US/f
  0x0040 6972 6566 6f78 2f68 6561 646c 696e 6573 irefox/headlines
  0x0050 2e78 6d6c 2048 5454 502f 312e 310d 0a48 .xml.HTTP/1.1..H
  0x0060 6f73 743a 2065 6e2d 7573 2e66 7866 6565 ost:.en-us.fxfee
  ...

The option -r of tcpdump reads the packets from a file in pcap format instead of a live interface; all the filters and display options above apply to it as well.


tcpdump: Interesting Options

Option -C file_size: before writing a packet, checks whether the current file is larger than file_size and, if so, closes the current savefile and opens a new one. file_size is expressed in millions of bytes (1,000,000 bytes, not 1,048,576). This is an interesting option to cut a big pcap file into several small ones, and it can be combined with the option -r.

Example of command to split a big file into several ones:

  F200XA105410400601>tcpdump -r em0.pcap -C 1 -w em0_

This command cuts the file em0.pcap into several files (em0_, em0_1, em0_2, ...), each of about 1 MB.

Option -ttt: prints, on each dump line, the delta (microsecond resolution) between the current and the previous line, which makes retransmission timeouts and latencies stand out without computing them by hand.


tcpd: an alias of the tcpdump command

You can see its parameters by executing the command alias:

  F200XA106530400601>alias tcpd
  set i=`ifinfo !:1 mac_name`;set argv=(!*);shift;tcpdump -vvv -n -s0 -i ${i} ${argv}

It uses by default the following options: -vvv (most verbose output), -n and -s0.

In particular, it takes as first parameter the NETASQ interface name instead of the system interface name, thanks to the ifinfo command called inside the alias: !:1 is the first argument (the NETASQ interface name), !* are all the arguments, the first one is shifted away and the remaining ones are passed to tcpdump.

  F200XA106530400601>ifinfo sis0 mac_name
  sis0
  F200XA106530400601>

So there is no need to run ifinfo beforehand to look up the correspondence between the NETASQ name and the system name.


IP fragmentation on ISAKMP negotiations: authentication by certificate

Authenticating with a certificate generates bigger negotiation packets than authenticating with a pre-shared key, since the certificates are carried in the ISAKMP exchange. The UTM firewall MTU is limited to 1500 bytes, so these packets get fragmented at the IP level.


IP fragmentation on ISAKMP negotiations: authentication by certificate

Capture filter "host" (no port specified):

  F200XA106530400601>tcpdump -tni sis0 host 10.1.15.2
  tcpdump: listening on sis0
  10.1.15.2.500 > 10.1.15.63.500: isakmp: phase 1 I ident: [|sa]
  10.1.15.63.500 > 10.1.15.2.500: isakmp: phase 1 R ident: [|sa]
  10.1.15.2.500 > 10.1.15.63.500: isakmp: phase 1 I ident: [|ke]
  10.1.15.63.500 > 10.1.15.2.500: isakmp: phase 1 R ident: [|ke]
  10.1.15.2.500 > 10.1.15.63.500: isakmp: phase 1 I ident[E]: [encrypted id] (frag 37726:1360@0+)
  10.1.15.2 > 10.1.15.63: udp (frag 37726:212@1360)
  10.1.15.63.500 > 10.1.15.2.500: isakmp: phase 1 R ident[E]: [encrypted id] (frag 48087:1480@0+)
  10.1.15.63 > 10.1.15.2: udp (frag 48087:28@1480)

• Fragmentation is handled at the IP level.
• With such a tcpdump filter the second fragments are displayed; tcpdump identifies them as plain raw UDP packets, since only the first fragment carries the UDP header with the ports.


IP fragmentation on ISAKMP negotiations: authentication by certificate

Capture filter "host" (no port specified)

1st fragment:
  10.1.15.63.500 > 10.1.15.2.500: isakmp: phase 1 R ident[E]: [encrypted id] (frag 48087:1480@0+)
• frag 48087: the IP identification of the fragmented datagram
• 1480@0: 1480 bytes of payload, the first of which is byte number 0 of the original UDP datagram
• +: more fragments follow (the "more fragments" flag is set)

2nd fragment:
  10.1.15.63 > 10.1.15.2: udp (frag 48087:28@1480)
• frag 48087: the same IP identification, which ties it to the first fragment
• 28@1480: 28 bytes of payload, the first of which is byte number 1480 of the original UDP datagram


IP fragmentation on ISAKMP negotiations: authentication by certificate

WARNING: in this case, using "port 500" as a tcpdump filter would not have captured the second fragments (they carry no UDP header, so the port test cannot match them); the capture would have been incomplete and therefore probably unusable.

  F200XA106530400601>tcpdump -tvni sis0 host 10.1.15.2 and port 500
  tcpdump: listening on sis0
  ...
  10.1.15.2.500 > 10.1.15.63.500: isakmp 1.0 msgid 00000000: phase 1 I ident[E]: [encrypted id] (len mismatch: isakmp 1564/ip 1352) (frag 39102:1360@0+) (ttl 128, len 1380)
  10.1.15.63.500 > 10.1.15.2.500: isakmp 1.0 msgid 00000000: phase 1 R ident[E]: [encrypted id] (len mismatch: isakmp 1500/ip 1472) (frag 64798:1480@0+) (ttl 64, len 1500)

With -v, the "len mismatch" notes show that the ISAKMP length announced in the header (1564, 1500) is larger than what the first fragment carries (1352, 1472): the rest of the datagram is in the fragments the filter dropped.
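The point above, as an added example that is not part of the NETASQ slides: a small Python model of IPv4 fragmentation and reassembly, with stand-ins for the libpcap "host" and "port" primitives. It builds the 1564-byte ISAKMP datagram of the capture (the 1360@0+ / 212@1360 fragments come from an assumed sender MTU of 1380), applies both filters and tries to reassemble what each one kept. Packet construction, the MTU and the filter emulation are assumptions; nothing here is NETASQ or libpcap code.

```python
"""Added example (not from the NETASQ slides): why a "port 500" capture filter
loses the second fragment of a fragmented ISAKMP datagram while "host" keeps it.

Pure Python on constructed packets; nothing is read from a real interface.
match_host()/match_port() imitate the libpcap "host" and "port" primitives
(assumption: like libpcap, "port" inspects the UDP header, which exists only in
the fragment at offset 0)."""
import socket
import struct

IP_HDR_LEN = 20
MF = 0x2000                       # "more fragments" flag in the IP flags/offset field
UDP = 17


def ipv4_header(src, dst, ident, flags_off, proto, payload_len):
    """Build a minimal 20-byte IPv4 header (checksum left at 0, not needed here)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HDR_LEN + payload_len,
                       ident, flags_off, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def fragment_udp(src, dst, sport, dport, data, ident, mtu=1500):
    """Fragment one UDP datagram the way an IP stack does: fragment offsets are
    multiples of 8 bytes, MF is set on every fragment but the last. Only the
    first fragment carries the 8-byte UDP header. Returns raw IPv4 packets."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data
    step = (mtu - IP_HDR_LEN) // 8 * 8          # 1480 for MTU 1500, 1360 for MTU 1380
    frags = []
    for off in range(0, len(udp), step):
        chunk = udp[off:off + step]
        more = MF if off + step < len(udp) else 0
        frags.append(ipv4_header(src, dst, ident, more | (off // 8), UDP, len(chunk)) + chunk)
    return frags


def parse_ip(pkt):
    """Extract the fields a capture filter or a reassembler needs from a raw IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    ident, flags_off, _ttl, proto = struct.unpack("!HHBB", pkt[4:10])
    return {"src": socket.inet_ntoa(pkt[12:16]), "dst": socket.inet_ntoa(pkt[16:20]),
            "id": ident, "proto": proto, "offset": (flags_off & 0x1FFF) * 8,
            "more": bool(flags_off & MF), "payload": pkt[ihl:]}


def match_host(pkt, addr):
    """tcpdump 'host addr': decided on the IP header alone, so every fragment matches."""
    ip = parse_ip(pkt)
    return addr in (ip["src"], ip["dst"])


def match_port(pkt, port):
    """tcpdump 'port N': needs the transport header, so a non-first fragment never matches."""
    ip = parse_ip(pkt)
    if ip["proto"] not in (6, UDP) or ip["offset"] != 0:
        return False
    sport, dport = struct.unpack("!HH", ip["payload"][:4])
    return port in (sport, dport)


def reassemble(packets):
    """Reassemble fragments per (src, dst, id, proto). Maps each key to the full
    transport datagram, or to None when a fragment is missing (a hole, or no
    last fragment), which is what Wireshark would show as an unreassembled datagram."""
    groups = {}
    for pkt in packets:
        ip = parse_ip(pkt)
        groups.setdefault((ip["src"], ip["dst"], ip["id"], ip["proto"]), []).append(ip)
    result = {}
    for key, frags in groups.items():
        frags.sort(key=lambda f: f["offset"])
        buf, expected, complete = b"", 0, False
        for f in frags:
            if f["offset"] != expected:       # hole: this fragment was not captured
                break
            buf += f["payload"]
            expected += len(f["payload"])
            complete = not f["more"]
        result[key] = buf if complete else None
    return result


def demo():
    """Replay the slide's case: a 1564-byte ISAKMP datagram from 10.1.15.2 (assumed
    MTU 1380, hence 1360@0+ / 212@1360) captured with "host" and with "port 500"."""
    wire = fragment_udp("10.1.15.2", "10.1.15.63", 500, 500, bytes(1564), ident=37726, mtu=1380)
    by_host = [p for p in wire if match_host(p, "10.1.15.2")]
    by_port = [p for p in wire if match_port(p, 500)]
    key = ("10.1.15.2", "10.1.15.63", 37726, UDP)
    return {"fragments_on_wire": len(wire),
            "captured_by_host": len(by_host),
            "captured_by_port": len(by_port),
            "reassembled_from_host": reassemble(by_host)[key] is not None,
            "reassembled_from_port": reassemble(by_port)[key] is not None}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Run it directly to print the counts: both fragments survive the host filter and reassemble into the 1572-byte UDP datagram, while the port filter keeps a single fragment and reassembly fails, which is exactly what the "len mismatch" line announces.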


Bounce routing: context

• NETASQ UTM: internal interface IN 10.1.34.254, default gateway GW 10.0.0.254
• Client: 10.1.34.9, gateway 10.1.34.254 (the UTM), connected to the same switch as the UTM
• Router: 10.0.0.254, reachable through the UTM's internal interface
• SRV-SSH: 192.168.200.2, behind the router


Bounce routing: ICMP issue

Ping from the client 10.1.34.9 to the SSH server 192.168.200.2: the client receives the echo replies.

  F200XA105410400601>tcpdump -eni sis1 icmp
  tcpdump: listening on sis1
  08:58:48.206044 0:15:f2:76:3b:3e 0:2:b6:33:e5:bc 0800 74: 10.1.34.9 > 192.168.200.2: icmp: echo request
  08:58:48.206210 0:2:b6:33:e5:bc 0:30:48:80:e9:e9 0800 74: 10.1.34.9 > 192.168.200.2: icmp: echo request
  08:58:53.687390 0:15:f2:76:3b:3e 0:2:b6:33:e5:bc 0800 74: 10.1.34.9 > 192.168.200.2: icmp: echo request
  08:58:53.687572 0:2:b6:33:e5:bc 0:30:48:80:e9:e9 0800 74: 10.1.34.9 > 192.168.200.2: icmp: echo request

The NETASQ UTM only sees the "icmp: echo request" packets: each request appears twice, once as received from the client and once as re-sent by the UTM towards the router's MAC address, while the echo replies go directly from the router to the client. For pings, the fact that the ASQ only sees half of the communication is not a problem: from the ASQ's point of view the client never receives any echo reply, but since each echo request is independent, these packets cannot be considered out of context.


Bounce routing: TCP issue

A TCP connection initiated by the client 10.1.34.9 to the SSH server 192.168.200.2:

  F200XA105410400601>tcpdump -eni sis1 -s0 port 22 and host 192.168.200.2
  tcpdump: listening on sis1
  08:16:35.841484 0:15:f2:76:3b:3e 0:2:b6:33:e5:bc 0800 62: 10.1.34.9.2297 > 192.168.200.2.22: S 3659603812:3659603812(0) win 65535 (DF)
  08:16:35.841725 0:2:b6:33:e5:bc 0:30:48:80:e9:e9 0800 62: 10.1.34.9.2297 > 192.168.200.2.22: S 3659603812:3659603812(0) win 65535 (DF)
  08:16:35.842564 0:15:f2:76:3b:3e 0:2:b6:33:e5:bc 0800 60: 10.1.34.9.2297 > 192.168.200.2.22: . ack 2020030132 win 65535 (DF)
  08:16:38.841805 0:15:f2:76:3b:3e 0:2:b6:33:e5:bc 0800 60: 10.1.34.9.2297 > 192.168.200.2.22: . ack 1 win 65535 (DF)
  08:16:44.841552 0:15:f2:76:3b:3e 0:2:b6:33:e5:bc 0800 60: 10.1.34.9.2297 > 192.168.200.2.22: . ack 1 win 65535 (DF)

• 1st packet: the SYN, the connection request.
• 2nd packet: the same SYN, simply re-routed by the NETASQ UTM to its default gateway, the router 10.0.0.254 (note the MAC addresses).
• 3rd packet: the ACK, third packet of the handshake, sent by the initiator; it is blocked by the ASQ: no re-routed copy follows it, and the client keeps retransmitting it (4th and 5th packets).


Bounce routing: TCP issue

The alarm "Invalid TCP packet for current connection state" is reported by the ASQ.

The ASQ has not seen the SYN+ACK replied by the SSH server: it was routed directly by the router to the client. From the ASQ's point of view the connection is still waiting for the server's answer when the client's ACK arrives, so that ACK is invalid for the current state.


Bounce routing: TCP issue

So when bounce routing is used for kinds of traffic whose context the IPS-Firewall is able to analyse, an ASQ bypass must be set between the source and the destination networks.

With an ASQ bypass:

  F200XA105410400601>tcpdump -eni sis1 -s0 port 22 and host 192.168.200.2
  tcpdump: listening on sis1
  08:13:43.332915 0:15:f2:76:3b:3e 0:2:b6:33:e5:bc 0800 62: 10.1.34.9.2262 > 192.168.200.2.22: S 434555569:434555569(0) win 65535 (DF)
  08:13:43.333056 0:2:b6:33:e5:bc 0:30:48:80:e9:e9 0800 62: 10.1.34.9.2262 > 192.168.200.2.22: S 434555569:434555569(0) win 65535 (DF)
  08:13:43.334214 0:15:f2:76:3b:3e 0:2:b6:33:e5:bc 0800 60: 10.1.34.9.2262 > 192.168.200.2.22: . ack 2542266360 win 65535 (DF)
  08:13:43.334304 0:2:b6:33:e5:bc 0:30:48:80:e9:e9 0800 54: 10.1.34.9.2262 > 192.168.200.2.22: . ack 1 win 65535 (DF)
  08:13:43.342110 0:15:f2:76:3b:3e 0:2:b6:33:e5:bc 0800 82: 10.1.34.9.2262 > 192.168.200.2.22: P 0:28(28) ack 41 win 65495 (DF)
  08:13:43.342156 0:2:b6:33:e5:bc 0:30:48:80:e9:e9 0800 82: 10.1.34.9.2262 > 192.168.200.2.22: P 0:28(28) ack 41 win 65495 (DF)
  08:13:43.342258 0:15:f2:76:3b:3e 0:2:b6:33:e5:bc 0800 566: 10.1.34.9.2262 > 192.168.200.2.22: P 28:540(512) ack 41 win 65495 (DF)
  08:13:43.342270 0:15:f2:76:3b:3e 0:2:b6:33:e5:bc 0800 158: 10.1.34.9.2262 > 192.168.200.2.22: P 540:644(104) ack 41 win 65495


Bounce routing: TCP issue (with the ASQ bypass, continued)

  08:13:43.342306 0:2:b6:33:e5:bc 0:30:48:80:e9:e9 0800 566: 10.1.34.9.2262 > 192.168.200.2.22: P 28:540(512) ack 41 win 65495 (DF)
  08:13:43.342360 0:2:b6:33:e5:bc 0:30:48:80:e9:e9 0800 158: 10.1.34.9.2262 > 192.168.200.2.22: P 540:644(104) ack 41 win 65495 (DF)
  08:13:43.343991 0:15:f2:76:3b:3e 0:2:b6:33:e5:bc 0800 70: 10.1.34.9.2262 > 192.168.200.2.22: P 644:660(16) ack 577 win 64959 (DF)
  08:13:43.344057 0:2:b6:33:e5:bc 0:30:48:80:e9:e9 0800 70: 10.1.34.9.2262 > 192.168.200.2.22: P 644:660(16) ack 577 win 64959 (DF)

Notice:
• Only half of the communication is seen by the firewall, but the ASQ is bypassed, so every client packet is now followed by its re-routed copy and the SSH session proceeds.
• The MSS option is not modified, even though it is set to 1300 bytes in the profile: the bypass also skips that rewriting.
• The tcpdump argument -e was used to display the MAC addresses.
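The state check described in this section, as an added example (not NETASQ's ASQ code and not from the slides): a minimal TCP handshake tracker replaying the tcpdump -e lines of the case. It inspects only the packets addressed to the UTM's MAC address (assumed, from the capture, to be 0:2:b6:33:e5:bc), blocks an ACK that arrives while the connection is still waiting for the SYN+ACK, and lets everything through in bypass mode. A second trace, in which the server's SYN+ACK does come back through the UTM, is constructed for comparison.

```python
"""Added example, not from the NETASQ slides: a minimal stateful TCP tracker fed
with the 'tcpdump -e' lines of the bounce-routing case. It shows why the ASQ raises
"Invalid TCP packet for current connection state" when the SYN+ACK is routed around
the firewall, and why an ASQ bypass (no state tracking) lets the same packets through.
Assumptions: 0:2:b6:33:e5:bc is the UTM's sis1 MAC (inferred from the capture),
and the symmetric trace below is constructed, not captured."""
import re

FW_MAC = "0:2:b6:33:e5:bc"
BLOCK = "block: Invalid TCP packet for current connection state"

TCPDUMP_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<smac>[0-9a-f:]+) (?P<dmac>[0-9a-f:]+) 0800 \d+: "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?P<flags>[SFRP.]+) (?P<rest>.*)$")


def parse_line(line):
    """Parse one 'tcpdump -eni' TCP line; returns None for any other line."""
    m = TCPDUMP_LINE.match(line.strip())
    if not m:
        return None
    pkt = m.groupdict()
    pkt["syn"] = "S" in pkt["flags"]
    pkt["ack"] = re.search(r"\back \d+", pkt["rest"]) is not None
    return pkt


def inspect(lines, bypass=False):
    """Replay the ingress packets (those addressed to the UTM's MAC; the second copy of
    each packet is the UTM re-sending it to the router) through a SYN / SYN+ACK / ACK
    state machine. Returns [(timestamp, verdict)]."""
    states = {}                       # connection -> (state, initiator endpoint)
    verdicts = []
    for pkt in filter(None, map(parse_line, lines)):
        if pkt["dmac"] != FW_MAC:
            continue
        a, b = (pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])
        key = tuple(sorted((a, b)))
        state, initiator = states.get(key, ("NONE", None))
        verdict = "pass"
        if bypass:
            pass                                          # no context check at all
        elif pkt["syn"] and not pkt["ack"]:
            states[key] = ("SYN_SENT", a)
        elif state == "SYN_SENT" and pkt["syn"] and pkt["ack"] and a != initiator:
            states[key] = ("SYN_RECEIVED", initiator)
        elif state == "SYN_RECEIVED" and pkt["ack"] and a == initiator:
            states[key] = ("ESTABLISHED", initiator)
        elif state != "ESTABLISHED":
            verdict = BLOCK                               # e.g. an ACK while still SYN_SENT
        verdicts.append((pkt["ts"], verdict))
    return verdicts


# Lines from the slide: the client's SYN, its re-routed copy, then the client's ACKs.
BOUNCE_TRACE = """\
tcpdump: listening on sis1
08:16:35.841484 0:15:f2:76:3b:3e 0:2:b6:33:e5:bc 0800 62: 10.1.34.9.2297 > 192.168.200.2.22: S 3659603812:3659603812(0) win 65535 (DF)
08:16:35.841725 0:2:b6:33:e5:bc 0:30:48:80:e9:e9 0800 62: 10.1.34.9.2297 > 192.168.200.2.22: S 3659603812:3659603812(0) win 65535 (DF)
08:16:35.842564 0:15:f2:76:3b:3e 0:2:b6:33:e5:bc 0800 60: 10.1.34.9.2297 > 192.168.200.2.22: . ack 2020030132 win 65535 (DF)
08:16:38.841805 0:15:f2:76:3b:3e 0:2:b6:33:e5:bc 0800 60: 10.1.34.9.2297 > 192.168.200.2.22: . ack 1 win 65535 (DF)
08:16:44.841552 0:15:f2:76:3b:3e 0:2:b6:33:e5:bc 0800 60: 10.1.34.9.2297 > 192.168.200.2.22: . ack 1 win 65535 (DF)
""".splitlines()

# Constructed: the same handshake when the server's SYN+ACK does come back through the UTM.
SYMMETRIC_TRACE = [
    BOUNCE_TRACE[1],
    "08:16:35.842100 0:30:48:80:e9:e9 0:2:b6:33:e5:bc 0800 62: 192.168.200.2.22 > 10.1.34.9.2297: "
    "S 2020030131:2020030131(0) ack 3659603813 win 5840 (DF)",
    BOUNCE_TRACE[3],
]


def demo():
    return {"bounce": inspect(BOUNCE_TRACE),
            "bounce_with_bypass": inspect(BOUNCE_TRACE, bypass=True),
            "symmetric": inspect(SYMMETRIC_TRACE)}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name)
        for ts, verdict in result:
            print("  ", ts, verdict)
```

On the slide's trace the tracker passes the SYN and blocks the three ACKs, which is the alarm seen above; with bypass=True all four pass, and on the constructed symmetric trace the three-way handshake completes normally.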


Wireshark: The main Window


The Menu
• File: open and merge capture files, save / print / export capture files in whole or in part, and quit Wireshark.
• Edit: find a packet, set a time reference or mark one or more packets, set your preferences (cut, copy and paste are not implemented).
• View: controls the display of the captured data, including colorization of packets, zooming the font, showing a packet in a separate window, expanding and collapsing trees in the packet details.
• Go: go to a specific packet.
• Capture: start and stop captures, edit capture filters.
• Analyze: manipulate display filters, enable or disable the dissection of protocols, configure user-specified decodes and follow a TCP stream.
• Statistics: display various statistics windows, including a summary of the captured packets, protocol hierarchy statistics and much more.


Common TCP problems detected by Wireshark

• Zero Window: the TCP header contains the value zero in the window size field and neither the RST nor the FIN bit is set. It indicates that the sender's TCP receive buffer is full.
• Window is Full: the packet will completely fill the remaining TCP buffer space on the receiver's side of the communication.
• Keep-Alive: one side of the communication is trying to maintain the TCP connection.
• Window Update: a new TCP window size is being advertised. Typically this packet contains no data, uses the same sequence and acknowledgment numbers as the previous packet and carries a new window size value.
• Previous Segment Lost (common at capture start): if you started a capture in the middle of a file download, this notification is expected. Otherwise you should not see it unless there is packet loss; the normal recovery process then includes duplicate ACKs and retransmissions.
• Retransmissions: when data, or the ACKs for it in the other direction, are lost, Wireshark sees packets carrying data it has already seen, with the same sequence number, and flags them as retransmissions.
• Duplicate ACKs: the receiver signals a missing packet in an inbound data transfer. A high number of duplicate ACKs may indicate high latency or loss. A continuous stream of duplicate ACKs is sent until the retransmission is received.


Wireshark : study of DHCP case


Wireshark: study of a DHCP case

In the second packet (the DHCP offer), we can see that the destination IP address in the IP header is the address being given to the DHCP client by the DHCP server. This can cause trouble if the DHCP transaction goes through a NETASQ UTM in bridge mode. Why? Because this IP address is not yet registered in the ASQ table: the UTM does not know through which interface the packet has to leave. The solution in bridge mode is to enable the option "preserve initial routing" on the interfaces belonging to the bridge.


Wireshark: case study 2

Your customer has a problem with HTTP connections: some websites are very slow. The customer provided you with a network dump captured on the internal interface. As described in the first part, it would be useful to have a dump on the out interface too, but before asking the customer for more information, let's have a look at this capture with Wireshark.


Identify and isolate a specific connection

The first thing to do is to find and isolate a connection to the website. Our customer explains that he has a lot of problems when he tries to access www.voyages-sncf.com. Using Statistics -> Conversations, tab TCP, we can see that there are many HTTP connections: the customer did not use a specific filter to capture only the HTTP traffic to this website.


Identify and isolate a specific connection

We can use a display filter to isolate all the HTTP requests whose Host header is www.voyages-sncf.com:

  http.host == "www.voyages-sncf.com"

Wireshark shows several HTTP requests and, for each of them, a retransmission. Let's focus on one connection to understand why we have retransmissions.


Follow TCP stream

A very useful feature of Wireshark is the ability, from one packet, to create a display filter showing all the packets of a specific TCP connection, just by right-clicking on the packet and selecting Follow TCP Stream. In our case we use this feature on a retransmitted packet. The filter created by this function is, in this case:

  (ip.addr eq 10.1.20.1 and ip.addr eq 80.67.85.137) and (tcp.port eq 2892 and tcp.port eq 80)


Wireshark configuration tips

Activate relative sequence numbers: Edit -> Preferences -> Protocols -> TCP

Change the time display format to highlight delays: View -> Time Display Format -> Seconds Since Previous Captured Packet, and set a time reference on the first packet.


TCP analysis

Frame 184 is a duplicate ACK with Ack=1, so it seems that the server did not receive the first data packet (frame 182). This packet is retransmitted 3 seconds later and the communication continues. Frame 190 is a duplicate ACK of frame 187, so it seems that the server did not receive the packet with sequence number 1236 either. This packet is also retransmitted, in frame 195, after a 6 second delay.

The GET requests seem to be blocked when first sent and need to be retransmitted to pass through the firewall. Let's look at this GET request in detail.
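The expert labels defined in "Common TCP problems detected by Wireshark" and the frame-by-frame reading above, as an added example (not Wireshark's code and not from the slides): a small classifier applying simplified versions of those rules to a constructed segment list shaped like this capture (first request re-acked and retransmitted after 3 s, next segment after 6 s), plus a few constructed segments that exercise zero window, window update, keep-alive and a missing segment. The rules are simplifications of Wireshark's heuristics, not a faithful port, and the retransmission delays are computed from the segment timestamps.

```python
"""Added example, not from the NETASQ slides: a small classifier reproducing the
Wireshark expert-info labels listed earlier (Zero Window, Keep-Alive, Retransmission,
Previous Segment Lost, Dup ACK, Window Update) over one TCP connection, and the
retransmission delays the case study reads off frames 182/184 and 187/190/195.
The segment list is constructed to mirror that case (relative sequence numbers);
the rules are a simplification of Wireshark's, stated in the comments."""

# (time_s, direction, flags, seq, ack, payload_len, window) with Wireshark-style
# relative sequence numbers; "C" is the client sending the GET, "S" the web server.
SAMPLE = [
    (0.000, "C", "S",  0,    0,    0,    65535),
    (0.020, "S", "SA", 0,    1,    0,    5840),
    (0.021, "C", "A",  1,    1,    0,    65535),
    (0.022, "C", "PA", 1,    1,    1235, 65535),   # first GET segment (frame 182 in the case study)
    (0.045, "S", "A",  1,    1,    0,    5840),    # server re-acks 1: it never got the data (frame 184)
    (3.022, "C", "PA", 1,    1,    1235, 65535),   # retransmitted 3 s later
    (3.050, "S", "A",  1,    1236, 0,    5840),
    (3.051, "C", "PA", 1236, 1,    300,  65535),   # next request segment (frame 187)
    (3.080, "S", "A",  1,    1236, 0,    5840),    # dup ACK (frame 190)
    (9.051, "C", "PA", 1236, 1,    300,  65535),   # retransmitted 6 s later (frame 195)
    (9.080, "S", "A",  1,    1536, 0,    0),       # constructed: receiver buffer full
    (9.500, "S", "A",  1,    1536, 0,    5840),    # constructed: window reopened
    (10.00, "C", "PA", 1536, 1,    100,  65535),
    (70.00, "C", "A",  1635, 1,    0,    65535),   # constructed: keep-alive probe (seq = next - 1)
    (71.00, "C", "PA", 1800, 1,    50,   65535),   # constructed: bytes 1636..1799 never captured
]


def classify(segments):
    """Return [(time, direction, label)] with label None for an unremarkable segment."""
    per_dir = {}                    # direction -> {"next_seq", "ack", "win"} of the last segment
    out = []
    for t, d, flags, seq, ack, length, win in segments:
        st = per_dir.get(d)
        ctl = set(flags) & set("SFR")
        label = None
        if win == 0 and not (set(flags) & set("FR")):
            label = "Zero Window"
        elif st is not None:
            if length <= 1 and seq == st["next_seq"] - 1 and not ctl:
                label = "Keep-Alive"                        # probes the byte just before next_seq
            elif length > 0 and seq + length <= st["next_seq"]:
                label = "Retransmission"                    # data already seen in this direction
            elif length > 0 and seq > st["next_seq"]:
                label = "Previous Segment Lost"             # gap before this data
            elif length == 0 and not ctl and ack == st["ack"]:
                label = "Dup ACK" if win == st["win"] else "Window Update"
        advance = length + (1 if "S" in flags or "F" in flags else 0)
        per_dir[d] = {"next_seq": max(st["next_seq"] if st else 0, seq + advance),
                      "ack": ack, "win": win}
        out.append((t, d, label))
    return out


def retransmission_delays(segments):
    """Seconds between each retransmitted data segment and its first transmission."""
    first_seen, delays = {}, []
    for (t, d, _flags, seq, _ack, length, _win), (_t, _d, label) in zip(segments, classify(segments)):
        if length == 0:
            continue
        if label == "Retransmission" and (d, seq) in first_seen:
            delays.append(round(t - first_seen[(d, seq)], 3))
        first_seen.setdefault((d, seq), t)
    return delays


if __name__ == "__main__":
    for t, d, label in classify(SAMPLE):
        if label:
            print(f"{t:7.3f}s {d}: {label}")
    print("retransmission delays:", retransmission_delays(SAMPLE))
```

With the time display switched to "seconds since previous packet" as suggested above, the two retransmission delays (3 s and 6 s) are the numbers to look for in the real capture; everything the classifier labels after 9 s is constructed only to show the other expert rules firing.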


HTTP analysis

This request contains a very long Cookie field. We do not see the end of line of this Cookie field (no \r\n): the end of the field is in the next packet. Each blocked packet contains this Cookie field and has to be retransmitted, causing a few seconds of latency.

This blocking is explained by the HTTP plugin analysis: the ASQ needs the complete header for its analysis, so it blocks the first packet and memorizes the HTTP context. Once the complete HTTP header has been received, the analysis is done and the ASQ lets the retransmission pass. This behaviour can be changed in console mode by setting the token Passonfail to 1 in the HTTP section of the ASQ configuration file, or in the Manager by unticking the "block until data has been reconstructed" option.


HTTP analysis: the Passonfail option is available on most plugins.
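The "block until data has been reconstructed" behaviour, as an added example (a model written for this page, not the ASQ HTTP plugin's code): an inspector that buffers the request until the full header is available, analyses it once, and then decides for every segment, including the retransmission. The request text, its 1235-byte split and the stand-in analysis routine are constructed; the Passonfail semantics are modelled from the description above (forward segments while the header is still incomplete), and only one request per connection is modelled.

```python
"""Added example, not from the NETASQ slides: a model of the "block until data has
been reconstructed" behaviour described above. The inspector buffers a request's
TCP segments until the complete HTTP header (terminated by CRLF CRLF) is available,
analyses it once, and only then lets segments through; with Passonfail (modelled
here as passonfail=True) segments are forwarded while the header is still incomplete.
Assumptions: one request per connection is modelled (a second request on the same
connection would start a new context), the request text and the 1235-byte split
are constructed, and analyse_request() is a deliberately small stand-in for the plugin."""

HEADER_END = b"\r\n\r\n"
KNOWN_METHODS = {b"GET", b"HEAD", b"POST", b"PUT", b"DELETE", b"OPTIONS"}


def analyse_request(header):
    """Minimal sanity check of an HTTP request header block (without the final CRLF CRLF)."""
    lines = header.split(b"\r\n")
    request_line = lines[0].split(b" ")
    if (len(request_line) != 3 or request_line[0] not in KNOWN_METHODS
            or not request_line[2].startswith(b"HTTP/1.")):
        return False
    return all(b":" in line for line in lines[1:])   # every header line is "Name: value"


class HttpInspector:
    def __init__(self, passonfail=False):
        self.passonfail = passonfail
        self.buf = b""            # reconstructed request bytes so far
        self.result = None        # None until the header has been analysed, then True/False

    def on_segment(self, seq, payload):
        """Verdict for one client->server segment; seq is its relative stream offset."""
        if self.result is None:
            if seq <= len(self.buf) < seq + len(payload):  # in-order (or partly new) bytes
                self.buf += payload[len(self.buf) - seq:]
            if HEADER_END in self.buf:
                self.result = analyse_request(self.buf.split(HEADER_END, 1)[0])
        if self.result is not None:
            return "pass" if self.result else "block"
        return "pass" if self.passonfail else "block"   # header still incomplete


def replay(segments, passonfail=False):
    """Run a list of (seq, payload) segments through a fresh inspector."""
    inspector = HttpInspector(passonfail)
    return [inspector.on_segment(seq, payload) for seq, payload in segments]


# Constructed request whose Cookie line does not fit in the first segment, as on the slide.
REQUEST = (b"GET /vsc/ HTTP/1.1\r\nHost: www.voyages-sncf.com\r\n"
           b"Cookie: session=" + b"a" * 1300 + b"\r\n\r\n")
SEG1, SEG2 = REQUEST[:1235], REQUEST[1235:]
SLIDE_STREAM = [(0, SEG1), (1235, SEG2), (0, SEG1)]       # 3rd item: SEG1 retransmitted after 3 s

# Constructed malformed request (unknown method), split the same way.
BAD = b"BREAK /x HTTP/1.1\r\nCookie: " + b"b" * 40 + b"\r\n\r\n"
BAD_STREAM = [(0, BAD[:30]), (30, BAD[30:])]


if __name__ == "__main__":
    print("slide case, block until reconstructed: ", replay(SLIDE_STREAM))
    print("slide case, passonfail:                ", replay(SLIDE_STREAM, passonfail=True))
    print("bad request, block until reconstructed:", replay(BAD_STREAM))
    print("bad request, passonfail:               ", replay(BAD_STREAM, passonfail=True))
```

Note what Passonfail buys and costs: the slide's GET no longer waits for the 3-second retransmission, but the first segment of a malformed request also reaches the server before any analysis has been done.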


Conclusion
• Be careful with the option -w into /tmp: a capture can easily fill that partition; prefer capturing into the /log partition.
• In some cases the tcpdump command is enough to diagnose a problem.
• In other cases, analysis with a graphical analyzer such as Wireshark is required.
• Most of the time, this has to be completed with verbose logs, alarms, ...
