Tools to capture network traffic

Hi,
I'm looking for freeware tools that run on the Windows platform for capturing network traffic from an interface and then telling which type of traffic uses how much of the interface's bandwidth, e.g. HTTP uses x%, Telnet uses y%.

Also - check out ntop.
Using the capture that you get from Ethereal/Wireshark it will display the data in a very pretty way.
Check it out here:-
http://images.google.co.uk/images?sourceid=navclient-ff&ie=UTF-8&rls=GGGL,GGGL:2006-26,GGGL:en&q=ntop&sa=N&tab=wi
and get it here:-
www.ntop.org - there is a Windows version.
HTH
LH
Please rate all posts
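The per-protocol breakdown asked for above can also be computed directly from a saved capture. The following is an added example, not part of the original thread and not ntop's code: it reads a classic libpcap file (not pcapng), labels each Ethernet/IPv4 frame by well-known port, and reports each label's share of bytes on the wire. The port table, function names and the sample capture are constructed for illustration.

```python
import struct
from collections import Counter

# Well-known ports to label traffic by (an assumption of this example).
# Port-based labels are a heuristic: a service on a non-standard port
# lands in "other-TCP" or "other-UDP".
PORT_NAMES = {23: "Telnet", 53: "DNS", 80: "HTTP", 443: "HTTPS"}

def iter_frames(pcap):
    """Yield (length_on_wire, frame_bytes) from a classic libpcap file."""
    if pcap[:4] == b"\xd4\xc3\xb2\xa1":
        e = "<"                      # written on a little-endian host
    elif pcap[:4] == b"\xa1\xb2\xc3\xd4":
        e = ">"                      # written on a big-endian host
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    if struct.unpack_from(e + "I", pcap, 20)[0] != 1:
        raise ValueError("only Ethernet captures (link type 1) are handled")
    pos = 24                         # skip the 24-byte global header
    while pos + 16 <= len(pcap):
        _sec, _usec, incl_len, orig_len = struct.unpack_from(e + "IIII", pcap, pos)
        yield orig_len, pcap[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len

def classify(frame):
    """Label one Ethernet frame using its IPv4 header and TCP/UDP ports."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return "non-IPv4"            # ARP, IPv6, or too short for an IPv4 header
    ip = frame[14:]
    header_len = (ip[0] & 0x0F) * 4
    proto = ip[9]
    fragment_offset = struct.unpack_from("!H", ip, 6)[0] & 0x1FFF
    if proto not in (6, 17) or fragment_offset or len(ip) < header_len + 4:
        return "other-IP"            # ICMP, later fragments, truncated headers
    sport, dport = struct.unpack_from("!HH", ip, header_len)
    for port in (dport, sport):      # either side may be the server
        if port in PORT_NAMES:
            return PORT_NAMES[port]
    return "other-TCP" if proto == 6 else "other-UDP"

def bandwidth_share(pcap):
    """Return {label: percent of captured bytes on the wire}."""
    totals = Counter()
    for wire_len, frame in iter_frames(pcap):
        totals[classify(frame)] += wire_len
    grand_total = sum(totals.values())
    if not grand_total:
        return {}
    return {k: round(100.0 * v / grand_total, 1) for k, v in totals.items()}

# --- constructed sample capture (not real traffic) ---
def _frame(proto, sport, dport, total_len):
    l4 = struct.pack("!HH", sport, dport) + bytes(total_len - 38)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes([192, 168, 1, 10]), bytes([192, 168, 1, 1]))
    return bytes(6) + bytes(6) + b"\x08\x00" + ip + l4

def build_sample_pcap():
    frames = [_frame(6, 50000, 80, 300), _frame(6, 80, 50000, 300),
              _frame(6, 50001, 23, 200), _frame(17, 50002, 53, 100),
              _frame(17, 40001, 40000, 100)]
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    records = (struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)
    return header + b"".join(records)

if __name__ == "__main__":
    shares = bandwidth_share(build_sample_pcap())
    for label, pct in sorted(shares.items(), key=lambda item: -item[1]):
        print(f"{label:10s} {pct:5.1f}%")
```

To use it on a real capture, pass the bytes of a file saved in classic pcap format to `bandwidth_share`.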

Similar Messages

  • Trying to capture SIP traffic via a Network Protocol Analyzer

    Hello
    I am trying to use WireShark to capture network traffic.
    I'm running my OCMS instance on 127.0.0.1:5060, and am able to see the SIP messages in the traffic.log and system.log files.
    However, the same doesn't show up in the protocol analyzer as a registered interface.
    Hence, is it possible to capture this traffic on the loopback IP?
    Furthermore, I changed my OCMS instance to my Ethernet IP, since WireShark listens to it.
    However, I see that only SIP messages sent from another box are recorded. Hence, if 2 clients talk on the same machine, the SIP messages are not registered. Why should that be the case?
    Message was edited by:
    A.J.

    Hi A.J,
    There is no way to capture any packets on a loopback. This is a limitation of the Windows OS.
    And you can't capture network traffic within the same machine (or network interface).
    Regards,
    Juan

  • [SOLVED] wireshark - capturing a traffic as a non-root user

    Hi,
    I want to capture traffic as a non-root user using Wireshark.
    I'm a member of both the wireshark and network groups.
    In spite of that I get the following error message:
        The capture session could not be initiated on interface 'enp0s25' (You don't have permission to capture on that device).
        Please check to make sure you have sufficient permissions, and that you have the proper interface or pipe specified.
    The interface enp0s25 exists in my system.
    What else should I do?
    Thanks for help.
    Last edited by jaro (2014-11-10 16:31:45)

    Open a terminal as a regular user and type
    $ groups
    Check if it prints out those 2 groups. If it doesn't, try this:
    $ sudo su
    # usermod -aG additional_groups username
    and then reboot the PC.
    If it still doesn't work, I am out of ideas. Try to run it as root. If you don't want to always type "sudo wireshark", just follow these steps:
    Step 0. Be happy
    Step 1. Edit /etc/sudoers file as root
    Step 2. Put this line into that file:
    <your_username> ALL = NOPASSWD: /usr/bin/wireshark
    and save
    Step 3. Change your launcher, menu or whatever from "wireshark" to "sudo wireshark" (or gksudo/kdesu instead of sudo, if needed).
    Step 4. Have a break. That's it.
    I also checked arch wiki about permissions - have no idea what could be wrong. Try my steps, it might help you.
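A diagnostic for the situation in this thread, as an added example that is not part of the original posts: Wireshark captures through its `dumpcap` helper, so non-root capture depends on the group membership being active in the current login session and on `dumpcap` carrying the `CAP_NET_RAW` and `CAP_NET_ADMIN` file capabilities. The path `/usr/bin/dumpcap`, the function names and the sample values are assumptions of this example.

```python
import grp
import os
import struct

CAP_NET_ADMIN, CAP_NET_RAW = 12, 13      # bit numbers from <linux/capability.h>
# Number of (permitted, inheritable) 32-bit pairs per xattr revision.
REVISION_WORDS = {0x01000000: 1, 0x02000000: 2, 0x03000000: 2}

def parse_file_caps(raw):
    """Decode a security.capability xattr into (permitted bit set, effective flag)."""
    if len(raw) < 4:
        raise ValueError("xattr too short")
    magic = struct.unpack_from("<I", raw, 0)[0]
    words = REVISION_WORDS.get(magic & 0xFF000000)
    if words is None or len(raw) < 4 + 8 * words:
        raise ValueError("unknown or truncated capability xattr")
    permitted = 0
    for i in range(words):
        low, _inheritable = struct.unpack_from("<II", raw, 4 + 8 * i)
        permitted |= low << (32 * i)
    return {bit for bit in range(64) if permitted >> bit & 1}, bool(magic & 1)

def diagnose(user, session_gids, group_gid, group_members,
             dumpcap_gid, dumpcap_mode, caps_raw):
    """Return a list of findings; an empty list means non-root capture should work."""
    findings = []
    if user not in group_members:
        findings.append("user is not listed in the capture group")
    elif group_gid not in session_gids:
        # usermod changed the group database, but this login predates the change
        findings.append("group membership is not active in this session; log in again")
    if dumpcap_gid != group_gid or not dumpcap_mode & 0o010:
        findings.append("dumpcap is not executable by the capture group")
    if caps_raw is None:
        findings.append("dumpcap has no file capabilities set")
    else:
        permitted, effective = parse_file_caps(caps_raw)
        if {CAP_NET_ADMIN, CAP_NET_RAW} - permitted or not effective:
            findings.append("dumpcap lacks effective CAP_NET_RAW/CAP_NET_ADMIN")
    return findings

def collect(user, group="wireshark", dumpcap="/usr/bin/dumpcap"):
    """Gather live values on a Linux host (group name and path are assumptions)."""
    entry = grp.getgrnam(group)
    st = os.stat(dumpcap)
    try:
        caps_raw = os.getxattr(dumpcap, "security.capability")
    except OSError:
        caps_raw = None              # no capability xattr on the file
    session_gids = os.getgroups() + [os.getegid()]
    return diagnose(user, session_gids, entry.gr_gid, entry.gr_mem,
                    st.st_gid, st.st_mode, caps_raw)

# Constructed xattr: revision 2, effective flag set,
# CAP_NET_ADMIN and CAP_NET_RAW permitted.
SAMPLE_CAPS = struct.pack("<IIIII", 0x02000001, (1 << 12) | (1 << 13), 0, 0, 0)

if __name__ == "__main__":
    import getpass
    for line in collect(getpass.getuser()) or ["no problem found"]:
        print(line)
```

When every check passes, capture works for group members without root, so Wireshark itself does not have to run with root privileges.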

  • Tool for Airport network statistics per connected device ?

    I'm in search of a tool that would help me identify network traffic load per connected device to my Airport network.
    My network is made of
    * WiFi infra: one main Airport Extreme base station connected thru Ethernet to my SP's cable-modem + 2 Airport Express as relays, all interconnected with WDS.
    * WiFi clients : 2 Macs + 2 PCs + 1 printer + 1 WiFi PDA-Phone, all connected thru WiFi only
    * I suspect misuse by one of the Macs or PCs (or alien ?) of WiFi network as sometimes network performance is really low, impacting all end-points' network performance
    * ideal tool could be based on SNMP stats of Ethernet/TCP/UDP/ports & packets per connected device. Should cover each Airport Express relay, the main Airport Extreme, possibly the cable-modem, and bring help for root cause analysis to go up the chain to faulty client and application (at least port/protocol)
    any idea of such kind of tool (preferably run on Mac OS X)
    thx in advance

    I apologize for taking up your time. I had bought this to use with my PS3 (60GB Launch model with 802.11b) but hadn't used the PS3 in the equation yet. I kind of gave up on the project for awhile and unplugged the Express. Just for giggles I plugged it in later and cabled it up to the PS3 for the first time. Worked perfectly. Now my PS3 downloads are flying.
    I'm not sure what solved the problem but it is working great now! Thanks again for the help.

  • Weird - Activity Monitor Network Traffic vs iStat Traffic

    With no applications running on my MacBook Pro, the Network tab of the Activity monitor is showing 'Data received/sec' toggling every second or so between 1.38 KB/s and 2.75 KB/s. It's showing the same numbers for 'Data sent/sec' as well. I can't figure out what is causing this network traffic. But if it's real, it's adding up to about 5 GB a month of bandwidth usage. My cap is only 60 GB so it's significant.
    But when I use iStat or the Net Monitor app to monitor throughput, they show 0.0 traffic when the system is idle.  Also, since last night Activity Monitor shows 322 MB data received and 99 MB data sent.  While iStat shows 239 MB received and 16 MB sent.
    So which is correct?  Does Activity Monitor also include traffic that is internal to my network?  Or do I have a phantom bandwidth hog somewhere?
    Thanks for any insight to the weirdness.
    Jim

    The switches at home and at work generally corroborate the activity shown by tcpdump / atMonitor / MenuMeters, not the continuous data flow shown by Activity Monitor. The MacBook Air I'm sitting at right now shows similar discrepancies, with traffic totals in Activity Monitor about 40x higher than those shown with the other tools and a steady and inexplicable (and by other means invisible) 29-34 KB/sec of both sent & received traffic. tcpdump shows periods of network silence between 2-15 seconds in length (in between DNS lookups; netbios syncs; ntp queries; ipp messages; http, pop, and imap messages; etc. happening in bursts as one would expect).
    Changing Activity Monitor to refresh every half second shows the mystery traffic as a burst of 112 KB sent & received every two seconds--and no, that's not the same throughput as the 29-34 KB seen at 2-second refresh intervals. When I set refresh to every 5 seconds, the mystery throughput drops to 22 KB / sec. As the throughput varies depending on refresh interval, I wonder if I'm seeing internal loopback queries (or something of that sort) contributing to the totals. Is it possible that the mystery traffic is of AM's own creation, and only exists within the machine and is not actually sent on the network?
    Lest we digress further into general network troubleshooting techniques, let me restate the question, perhaps a bit more clearly: has anyone else seen this traffic-volume discrepancy between the Activity Monitor's Network tab and other network monitoring tools, and does anyone have an explanation for it?

  • Very high network traffic to printer

    I am seeing very high network traffic between my Mac (iMac, running Mavericks) and my printer, a Canon MP640, connected via Ethernet. This is when the printer is idle. According to Little Snitch, the traffic is on the order of about 50 kB/s! The network traffic comes from mDNSresponder, and is directed to canonmp640.local; it is using UDP port 5353, which seems to be the mDNS port (again, according to Little Snitch). The traffic of course goes away if the printer is off, but it needs to remain on because it is being used as a printer for other computers/devices around the house.
    Is this amount of network traffic for an idle printer normal? Does anyone have any idea how to stop it from doing that? I even captured some of that traffic using Little Snitch, but nothing that provided any insight to me...
    Thanks in advance for any help or suggestion!

    mDNSresponder is the Bonjour agent. Perhaps your printer is connecting as a Bonjour printer. See Disable Bonjour by turning off mDNSResponder - OS X Daily and OS X: How to disable Bonjour service advertising without .... I would also do a little Google search on "mdnsresponder." Also, you may want to contact Canon tech support.

  • Oracle oleDB generates more network traffic than Microsoft Oledb

    Hi,
    When calling the same stored proc. that returns a ref cursor, Oracle Oledb (1.34 MB) generates a lot more network traffic than Microsoft Oledb (0.06 MB). The statistics were gathered using Windows 2000 Network Monitoring tools.
    Calling the same stored proc. that returns a ref cursor:
                             Oracle OleDB        Microsoft Oledb
    Bytes Received:          1408026 (1.34 M)    71032 (0.06 M)
    Bytes Sent:              306468 (0.29 M)     69914 (0.067 M)
    Frames:                  1263                414
    Network Utilization:     6%-14%              1%-3%
    Does anyone know why this is the case?
    Joe

    When working with ADO and VB6, I looked at the database server with SQL Trace and found that each dynamic SQL statement was parsed twice per execution. REF CURSORs certainly require several network round-trips in order to retrieve schema information for the dataset to be created. This behaviour probably increases network load.
    Unfortunately, I have not found any description of Oracle's OLEDB implementation. Hopefully, things will get better with the new, native OleDb data adapter.
    /Armin
    Previous post:
    multiple parsing of SELECTs O/S : N/A POST: REPLY (W/QUOTE)
    Author : Armin Type : N/A
    Date : Apr 7, 2001 12:51 PT
    System: OLEDB provider 8.1.7, server 8.1.7.
    Our VB code dynamically assembles SELECT statements and fetches recordsets with ADO function Recordset::Open. SQL TRACE shows that those SELECTs are parsed twice per execution. SELECTs embedded in stored procedures are parsed only once during the SP's life time (but then the stored procedure call itself is parsed once per execution).
    Parsing twice per execution consumes a lot of CPU. REF Cursors might reduce parsing but cause additional network roundtrips.
    How could I reduce the parse count?

  • I need a clarification : Can I use EJBs instead of helper classes for better performance and less network traffic?

    My application was designed based on MVC Architecture. But I made some changes to HMV based on my requirements. The Servlet invokes helper classes, and a helper class uses EJBs to communicate with the database. JSPs also use EJBs to backtrack the results.
    I have two EJBs (Stateless), one Servlet, nearly 70 helper classes, and nearly 800 JSPs. The Servlet acts as Controller and all database transactions are done through EJBs only. Helper classes hold the business logic. Based on the request, the relevant helper class is invoked by the Servlet, and all database transactions are done through EJBs. Session scope is 'Page' only.
    Now I am planning to use EJBs (for business logic) instead of Helper Classes. But before doing that I need some clarification regarding network traffic and better usage of Container resources.
    Please suggest which method (Helper classes or using EJBs) is preferable
    1) to get better performance and
    2) for less network traffic
    3) for better container resource utilization
    I thought if I use EJBs, then the network traffic will increase, because every time it makes a remote call to EJBs.
    Please give detailed explanation.
    thank you,
    sudheer

    "Please suggest me which method (is Helper classes or Using EJBs) is preferable: 1) to get better performance"
    EJB's have quite a lot of overhead associated with them to support transactions and remoteability. A non-EJB helper class will almost always outperform an EJB. Often considerably. If you plan on making your 70 helper classes EJB's you should expect to see a dramatic decrease in maximum throughput.
    "2) for less network traffic"
    There should be no difference. Both architectures will probably make the exact same JDBC calls from the RDBMS's perspective. And since the EJB's and JSP's are co-located there won't be any other additional overhead there either. (You are co-locating your JSP's and EJB's, aren't you?)
    "3) for better container resource utilization"
    Again, the EJB version will consume a lot more container resources.

  • Share network traffic between 2 parallel wireless bridges - What kit?

    Dear All,
    I'm a technology professional, but mainly in electronic design rather than high end networking. Hence my request for your advice.
    I wish to specify some items of kit that I can ask a networking professional to fit and configure to solve my particular application.
    I would like to use (and already have in place) two parallel wireless bridges between 2 buildings. One is on 2.4GHz and the other is on 5GHz. In my simple testing so far (of each link in turn), they both work brilliantly. So far, these are in place just for test purposes, but soon I will be required to make the system "live".
    The reason I'm doing this is to split network traffic over both links (to possibly get enhanced bandwidth) but to mainly build in redundancy should one link fail.
    What kit is required to do this (apart from the 4 access points configured as bridges)?
    I imagine I may need a load balancing device(s) or possibly something more suitable for this task.
    I'd like the solution to be very transparent to the rest of the system, I'd like it to "look" like it's a simple wireless bridge (but really it's a highly robust dual bridge). I hope my waffle makes sense.
    Any thoughts?
    Best regards,
    L.O.

    You can certainly copy the addresses from one machine to the other - the contact files are held in user/Library/Application Support/AddressBook. Copy all files into the same respective location on the other machine (they will overwrite any existing contacts).
    If you want the address books kept in sync, take a look at SyncTogether or SeeCard Rendezvous.
    Matt

  • Server admin not showing network traffic graph

    This topic was posted a while ago with no solution, and it has been archived (http://discussions.apple.com/thread.jspa?messageID=6953359). I have just experienced the same problem with Leopard Server Admin (SA). It seems to be a problem on the server, not in the client admin, since it occurs both when I use SA on the server itself and a client, and deleting client prefs. has not helped. I'm presuming that there is a corrupted database or prefs. file for this graph.
    All the other SA graphs show just fine. Fixing permissions has not helped, either.
    Anyone have any idea where to look on the server? Thanks.
    Message was edited by: Trevor Jacques

    I'm pretty sure I have since I have a few Mac Mini's on the network with their home directory residing on the server and my Windows users are sharing a few daily use files on the server including a MYOB data file, also our intranet web site is hosting on the same server, not to mention I have 3 print queues there and all the outgoing mails from both of our all-in-one scan to email machines are using the same server. All of these services and users are using their computer as if nothing is wrong, so I have to assume that there is network traffic unless server admin interprets the term "network traffic" differently.

  • How do I time out my thread if there is no network traffic

    How do I time out my thread if there is no network traffic for a given time? I have the following code listening for data:
        StringBuffer requestLine = new StringBuffer();
        int c;
        while (true) {
            c = in.read();
            // read() returns -1 at end of stream; stop there as well
            if (c == -1 || c == '\r' || c == '\n') { // Not sure here???
                break;
            }
            requestLine.append((char) c);
        }
    But how do I time this out if there has been no traffic for, let's say, 5 minutes?

    Have you redefined 'in'?
    If it's a raw socket connection, you can use the Socket.setSoTimeout method before you open the connection to specify how long it should hold it open if there is no data available.

  • Unknown network traffic / router traffic monitoring

    So I got a new PC with Windows 7 on it, and I installed this gadget that monitors network traffic, and it shows a lot of traffic that my local PC isn't showing, so I am thinking there is something running on the LAN that I can't see. I was looking to find a live, better program to monitor the Actiontec router for traffic. Does anyone know of anything that can maybe show me who is using all the bandwidth on my network?
    I have found software for Linksys, but nothing for the Actiontec.
    Thanks,
    Quasimodem
    Fios in Florida

    Keep in mind that when looking at Wireshark (sniffer) software there are different types of traffic:
    Unicast
    Broadcast
    Multicast
    Unicast is traffic between two devices. You will see the traffic between the PC with Wireshark and another device on your local network such as a printer, another PC or the router. You should not see traffic between another PC and the Internet, for example. Using a phone as an example, someone calls you and the conversation is between you and the person on the other end of the phone. This is unicast traffic. Using defaults of the Actiontec, the IP addresses seen will be 192.168.1.1 for the router and 192.168.1.2-99 for devices on your network. If you have the TV service, 192.168.1.100-1xx is used for the cable boxes.
    Broadcast traffic is traffic sent to all devices. It's not directed toward a particular PC but rather usually looking for information. In a sniffer trace you will see broadcast traffic. Going back to the phone example, someone makes an announcement on an overhead intercom system; that is broadcast traffic. Broadcast traffic will be seen as 192.168.255.255
    Multicast traffic is traffic from one device for many devices. Usually used in video feeds. Using the phone system as an example, someone wishes to tell a group of people something, so instead of calling each person up and telling them, each person who wants the information joins a conference bridge. Anyone is allowed to listen but only those that wish to get the information receive it. That is generally how multicast works. Multicast traffic will be seen as IP address 224.x.x.x or something of the sort, where the address will be 2xx.x.x.x.
    I hope this makes sense.  Probably more information than you needed but at least it will help you understand what wireshark is telling you.
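The three traffic types described above can be told apart from the destination address of each packet in a capture. The following is an added example, not part of the original reply: it classifies IPv4 destinations relative to the local network and gives the Ethernet destination MAC a sniffer shows for broadcast and multicast frames. The function names are hypothetical, the sample addresses are constructed, and the Actiontec default range is taken to be a /24 network, which is an assumption.

```python
import ipaddress
from collections import Counter

def classify_destination(dst, local_net):
    """Label an IPv4 destination as seen from an interface on local_net."""
    addr = ipaddress.IPv4Address(dst)
    net = ipaddress.IPv4Network(local_net, strict=False)
    if addr.is_multicast:                        # 224.0.0.0/4
        return "multicast"
    if int(addr) == 0xFFFFFFFF:                  # 255.255.255.255
        return "broadcast (limited)"
    if addr == net.broadcast_address and net.prefixlen < 31:
        return "broadcast (subnet)"              # all-ones host part of the subnet
    return "unicast"

def expected_dst_mac(dst, local_net):
    """Ethernet destination MAC for broadcast/multicast traffic, None for unicast."""
    kind = classify_destination(dst, local_net)
    if kind.startswith("broadcast"):
        return "ff:ff:ff:ff:ff:ff"
    if kind == "multicast":
        # RFC 1112 mapping: 01:00:5e followed by the low 23 bits of the group
        low23 = int(ipaddress.IPv4Address(dst)) & 0x7FFFFF
        return "01:00:5e:%02x:%02x:%02x" % (
            low23 >> 16, (low23 >> 8) & 0xFF, low23 & 0xFF)
    return None                                  # unicast: MAC is learned through ARP

def summarize(destinations, local_net):
    """Count packets per traffic type for a list of destination addresses."""
    return Counter(classify_destination(d, local_net) for d in destinations)

# Constructed destination addresses, as they might appear in a capture
# taken on a PC in the 192.168.1.0/24 network (assumed mask).
SAMPLE_DESTINATIONS = [
    "192.168.1.1",       # router
    "192.168.1.50",      # another device
    "192.168.1.255",     # subnet broadcast
    "255.255.255.255",   # limited broadcast, e.g. DHCP discovery
    "224.0.0.251",       # mDNS group
    "239.255.255.250",   # SSDP group
]

if __name__ == "__main__":
    for kind, count in summarize(SAMPLE_DESTINATIONS, "192.168.1.0/24").items():
        print(f"{kind:20s} {count}")
    print(expected_dst_mac("224.0.0.251", "192.168.1.0/24"))
```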

  • SAP DMS - SAP ECC network traffic

    Hi all,
    I have the following situation:
    The SAP ECC servers are hosted outside my company and we are planning to install a SAP DMS server.
    We have 2 options: host the SAP DMS outside or install SAP DMS in our datacenter.
    When the SAP user attaches or reads a file to/from SAP DMS, how is the network traffic?
    Is there any traffic from SAP ECC to SAP DMS, or does the file go to/from DMS from/to the end user?
    How does SAP DMS impact my WAN?
    Best Regards,
    Leonardo.

    Leonardo,  I have done some research /  trouble shooting and architectural changes to raise the upload / download speeds, there are several dependencies like Network, Application, hardware etc but to your question:
    First of all, DMS is a core functionality of ECC and utilizes both ECC for execution and Content Servers (recommended for Obvious performance reasons) for Data Storage. For your case I recommend that you host Content Server at the Data Center (assuming you have no other option) and have a Cache Server installed Onsite. (This requires minimal maintenance). When the user uploads a file the traffic is high as the entire File needs to be transferred to the data center, on the other hand Cache server (if installed onsite) considerably reduces the retrieval time.
    Again having said above there are several other parameters that could affect your upload / download speeds.
    Hope you'll find this useful, let me know if you have further questions.
    regards
    C

  • MDNSResponder problem / network traffic reduction measures in effect

    [Part I in a series of "Why Does My Machine Randomly Shut Down And Related Oddities" :-D ]
    Below you can see a bunch of log output which seems to show a network problem. My connection is not too fast, which I've blamed on my low tier of U-Verse, but this makes me wonder. And it seems to occur each wakeup.
    "network traffic reduction measures in effect" I've found mentioned as an AirPort problem.
    BUT, my AirPort is OFF.
    (Plus, why is it changing the host name and then back again?)
    Mar 1 08:41:43 al-pines-imac-g5 kernel[0]: System Wake
    Mar 1 08:41:43 al-pines-imac-g5 kernel[0]: Wake event 0020
    Mar 1 08:41:43 al-pines-imac-g5 kernel[0]: UniNEnet::monitorLinkStatus - Link is up at 100 Mbps - Full Duplex (PHY regs 5,6:0x41e1,0x0007)
    Mar 1 08:37:49 al-pines-imac-g5 configd[36]: setting hostname to "al-pines-imac-g5.local"
    Mar 1 08:41:43 unknown000D93C8E73A configd[36]: setting hostname to "unknown000D93C8E73A"
    Mar 1 08:56:49 unknown000D93C8E73A kernel[0]: IOPMSlotsMacRISC4::determineSleepSupport has canSleep true
    Mar 1 08:56:50 unknown000D93C8E73A kernel[0]: System Sleep
    Mar 1 09:06:10 unknown000D93C8E73A kernel[0]: System Wake
    Mar 1 08:56:50 unknown000D93C8E73A mDNSResponder[24]: ERROR: mDNSPlatformTCPConnect - connect failed: socket 22: Error 50 Network is down
    Mar 1 09:06:10 unknown000D93C8E73A kernel[0]: Wake event 0020
    Mar 1 08:56:50 unknown000D93C8E73A mDNSResponder[24]: ERROR: mDNSPlatformTCPConnect - connect failed: socket 22: Error 50 Network is down
    Mar 1 09:06:10 unknown000D93C8E73A kernel[0]: UniNEnet::monitorLinkStatus - Link is up at 100 Mbps - Full Duplex (PHY regs 5,6:0x41e1,0x0007)
    Mar 1 08:56:50 unknown000D93C8E73A mDNSResponder[24]: ERROR: mDNSPlatformTCPConnect - connect failed: socket 22: Error 50 Network is down
    Mar 1 08:56:50 unknown000D93C8E73A mDNSResponder[24]: ERROR: mDNSPlatformTCPConnect - connect failed: socket 9: Error 50 Network is down
    Mar 1 09:06:03 unknown000D93C8E73A mDNSResponder[24]: ERROR: mDNSPlatformTCPConnect - connect failed: socket 22: Error 50 Network is down
    Mar 1 09:06:03 unknown000D93C8E73A mDNSResponder[24]: ERROR: mDNSPlatformTCPConnect - connect failed: socket 9: Error 50 Network is down
    Mar 1 09:06:03 unknown000D93C8E73A mDNSResponder[24]: ERROR: mDNSPlatformTCPConnect - connect failed: socket 22: Error 50 Network is down
    Mar 1 09:06:03 unknown000D93C8E73A mDNSResponder[24]: ERROR: mDNSPlatformTCPConnect - connect failed: socket 9: Error 50 Network is down
    Mar 1 09:06:03 unknown000D93C8E73A mDNSResponder[24]: ERROR: mDNSPlatformTCPConnect - connect failed: socket 22: Error 50 Network is down
    Mar 1 09:06:03 unknown000D93C8E73A mDNSResponder[24]: ERROR: mDNSPlatformTCPConnect - connect failed: socket 9: Error 50 Network is down
    Mar 1 09:06:03 unknown000D93C8E73A mDNSResponder[24]: ERROR: mDNSPlatformTCPConnect - connect failed: socket 22: Error 50 Network is down
    Mar 1 09:06:10: --- last message repeated 1 time ---
    Mar 1 09:06:03 unknown000D93C8E73A mDNSResponder[24]: ERROR: mDNSPlatformTCPConnect - connect failed: socket 9: Error 50 Network is down
    Mar 1 09:06:10: --- last message repeated 2 times ---
    Mar 1 09:06:03 unknown000D93C8E73A mDNSResponder[24]: ERROR: mDNSPlatformTCPConnect - connect failed: socket 22: Error 50 Network is down
    Mar 1 09:06:03 unknown000D93C8E73A mDNSResponder[24]: ERROR: mDNSPlatformTCPConnect - connect failed: socket 9: Error 50 Network is down
    Mar 1 09:06:11 al-pines-imac-g5 configd[36]: setting hostname to "al-pines-imac-g5.local"
    Mar 1 09:06:11 al-pines-imac-g5 mDNSResponder[24]: Note: Frequent transitions for interface en0 (192.168.1.67); network traffic reduction measures in effect
    Mar 1 09:06:26 unknown000D93C8E73A configd[36]: setting hostname to "unknown000D93C8E73A"
    Mar 1 09:09:08 unknown000D93C8E73A ntpd[14]: time reset +2.174483 s

    Is that an actual dump from your logs? If so, I find it strange - not least because the timestamps are not consecutive. That certainly makes it harder to trace what's going on.
    Deciphering it as best I can, I'd say you have a flaky network. This could be due to cabling or some process on the machine that's interrupting sleep - I find it strange that many of the mDNSResponder messages are timestamped while the machine is asleep. That could be related to the various wake-on-LAN options - are they enabled in System Preferences -> Energy Saver?

  • Tools for capture database design based on multiple  schema

    My database is 11.2.0.1
    Please suggest a tool to capture database design.
    I tested Toad, but this tool only captures based on tables!

    sql developer data modeller.
    http://www.oracle.com/technetwork/developer-tools/datamodeler/index.html
