Free Wireshark Training Course Online

Take a free Wireshark Jumpstart training class online at http://www.chappellseminars.com/.

Wednesday, April 14, 2010

Baseline Today!

In one of the early book reviews, Marcos Christodonte II states “I’m a firm
believer in baselining network traffic. In this section, Wireshark Network
Analysis details the importance of baselining and the types of traffic to focus on.
Like other sections, this section also provides screenshots, showing how to
analyze traffic and packet statistics.” [Read the full review here.]

Every IT professional should take baselining seriously. It’s not difficult to do and
will save you time, money, frustration and possibly your job when all hell breaks
loose on the network.

Baselines define your network’s vital signs when it is healthy. Baselines are
used to define not only the basic traffic flows of an application or process – they
also help define the number of connections required by a process, the type of
connection, the port numbers, interdependencies with other hosts, typical round
trip times, average packet per second rates, average load time and more.

Chapter 28 includes my baseline checklists - listing the traffic you should be
capturing and what you should be looking for when characterizing "normal"
behavior.

For example, if you want to create a baseline of your login/logout sequences,
consider the following questions:

  • What discovery process takes place during login?
  • What server does the client connect to?
  • What are the processes seen during login?
  • How many packets does a typical login require?
  • Are there any login dependencies?


When someone complains about a slow login process, compare the current
ugly login to the baseline you created.

  • Are there any large gaps in time?
  • Are there any Expert Info notifications?
  • Do you see the same number of conversations as in your baseline?
  • Do you see the same number of endpoints as in your baseline?
  • Do you see the same protocols as in your baseline?
  • Do you see the same number of packets as in your baseline?
  • Do you see the same dependencies as in your baseline?
  • Did the name resolutions process match your baseline?

You don't have to know everything about every packet and protocol in use. Use
the ugly trace and the baseline trace to identify large gaps in time, large
differences in packets, unusual error responses. All of this enables you to point
the finger at the problem.

Remember - in a finger-pointing world, the only finger
that counts is the network analyst's finger!

So… schedule some time to create your baselines now – before you need
them.

Enjoy life... one bit at a time!

Laura
Spewed forth by at
Labels: