In a previous post, we talked about the importance of using some kind of bandwidth monitoring tool that lets you see bandwidth usage in real time, for many reasons… Among those reasons was being able to keep an eye on unexpected bandwidth hogs, which could be malware traffic or unwanted applications. Now we will see how to act when such an abnormality is observed.
The main problem with password authentication does not lie only in passwords that are easily guessed, but also in passwords that are reused across more than one online service. When the security of one online service is compromised and its password database is stolen (passwords are generally salted, hashed and then stored, but rainbow tables of pre-computed hashes already exist), and you used the same password to sign up for something else more important, anyone holding those credentials can log in to that other service as you…
For one customer, the IPS report showed a large number of alerts triggered by TCP probe signatures, and we needed to analyze them to find out why these packets existed in the network.
One of the most essential Windows (or any OS) tools, in my opinion, is a simple network usage monitor that displays live network bandwidth usage on your taskbar or anywhere else that is visible all the time. The reason is to be able to see, in real time, what is happening on your device at the network level…
My beautiful home network is an ongoing project inspired by my needs as a network security professional and as someone who looks at packets for a living. Whenever I had any issue with my home network, such as having no internet, it came like second nature, before calling the ISP, to ping the local gateway first (which was my router at the time, and later evolved into a Sophos UTM running on an Oracle VirtualBox virtual machine on Ubuntu Linux on an Intel NUC located somewhere at home), then check the status of the ADSL modem, the physical line and the status of the router connected to the ADSL modem, check whether DNS was working correctly, and maybe take some packet captures on the router.
Fiddler is a very effective tool when it comes to troubleshooting HTTP & HTTPS issues… It is basically a local proxy that intercepts all HTTP/HTTPS traffic, either from all applications or just from the application you configure it for… Fiddler configures itself as a local proxy on port 8888, processes traffic from the client application and then forwards it to the web server, so it behaves like any other proxy server, except that it displays all the information in the client application & allows on-the-fly HTTPS decryption without needing the server's certificate to decrypt the traffic.
Troubleshooting a specific TCP session in a Wireshark packet capture can be an easy or a difficult task depending on the nature of the problem being investigated; what can be cumbersome is actually finding that session in the middle of a huge capture file, or even a running capture with...
Whenever a slowness issue is to be investigated, the first things usually checked are packet drops or high latency along the path. Tools like traceroute (or tracert on Windows) and nping are usually enough to draw a map of the traffic path, and in some cases are enough to find out at which hop of the path we start to see a huge difference in a packet's RTT (Round Trip Time). While the traditional traceroute may be more than adequate for a lot of cases, there are times when additional proof is needed to confirm the root cause of the problem.
If the primary ADSL connection fails, the failover to the standby interface succeeds with no issues; what doesn't work as intended is falling back to the primary connection when it is back up… It could be argued that the monitoring for the primary connection is not set up as intended, which is not the case… I actually configured the UTM to monitor the default gateway of the WAN connection (the first hop in the traceroute of the primary ADSL connection's ISP), because if I monitored the router itself or any public IP, it would be up anyway regardless of which WAN connection was being used.