www.dambeck.ch

The other side of the Internet

Last week I needed to analyze traffic from a virtual server hosted on an ESX machine. Normally this job would be a piece of cake if the server has its own NIC. But the usual ways, an “old” hub or a port mirror (port spanning), do not work with a vSwitch (a virtual switch on the ESX server).

In this blog post I will describe how to analyze the traffic of a virtual Windows server with Wireshark (freeware packet analyzer, http://www.wireshark.org/) on an ESX host. On the UML deployment diagram it is the red dependency which will be monitored.

I have used Wireshark for many years and I find it one of the best analyzers on the market. Wireshark is also cross-platform: it runs on Windows, Linux and OS X. I used Ubuntu (http://www.ubuntu.com/) as the host for the sniffer because it's free and easy to use. The sniffing software should never be installed on the production system!

The Ubuntu VM (virtual machine) must be connected to the same vSwitch as the server you want to monitor.

After you have installed the sniffing machine, we need to edit the virtual switch on the ESX server. The good news is that there is no interruption to any VM. It's totally safe to do on a production system (it only sets the switch from Layer 2 mode to Layer 1 mode in the OSI / TCP/IP model). Open vSphere Client, go to the network settings of the vSwitch and click on “Properties…”


Select the vSwitch and click on “edit”.


Go to the “Security” tab and change “Promiscuous Mode:” to “Accept”. The default value is Reject, as in the screenshot.


Now the system is ready to capture the network traffic. In the last screenshot you can see the ICMP traffic (ping) to a server on the World Wide Web.


For a project we use some SunRay 3 Plus terminals with the Sun Oracle VDI server. After all I can only say this thin client solution rocks!!! But during the project we had to debug a problem. The problem was that some Sun Ray clients did unexpected reboots every 2 to 5 minutes. And it gets even stranger: the next day the terminal works without any problem and another terminal reboots. After some vi action we found the following error in the log of the VDI server.

TIME SERVERNAME utauthd: [ID 197738 user.info] Worker5 UNEXPECTED: during send to: java.net.SocketOutputStream@94c924 error=java.net.SocketException: Broken pipe

After searching for the error on the net, we didn't get any step forward. The next thing we did was analyze the thin client traffic with Wireshark. 30 seconds before the terminal reboots there are many TCP retransmits on the network.


It was “milking mice”*. After some searching (x>2 days) we found out that the ARP table on the switch with the SunRay attached flips a MAC address.


With this additional input it took 20 seconds and we got the breakthrough idea. The problem was a simple IP conflict with an old printer. So if you ever get this problem, don't waste 3 days of your life.

Regards Konrad

*“Milking mice” is a German saying for: we are working very hard but don't get any step nearer to the target.
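The ARP check from the post above, as an added example that is not part of the original post: it parses raw Ethernet ARP frames, such as those exported from a Wireshark capture, and reports every IP address claimed by more than one MAC. All function names, MAC addresses and IP addresses are constructed for illustration.

```python
import struct
from collections import defaultdict

def parse_arp(frame: bytes):
    """Return (sender_mac, sender_ip) for an IPv4-over-Ethernet ARP frame, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != 0x0806:
        return None                      # too short, or EtherType is not ARP
    htype, ptype, hlen, plen, _oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None                      # not Ethernet/IPv4 ARP
    mac = ":".join(f"{b:02x}" for b in frame[22:28])   # sender hardware address
    ip = ".".join(str(b) for b in frame[28:32])        # sender protocol address
    return mac, ip

def find_conflicts(frames):
    """Map each sender IP to the MACs that claimed it; keep only IPs with more than one MAC."""
    seen = defaultdict(list)
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        mac, ip = parsed
        if ip == "0.0.0.0":              # ARP probe: the sender does not own an address yet
            continue
        if mac not in seen[ip]:
            seen[ip].append(mac)
    return {ip: macs for ip, macs in seen.items() if len(macs) > 1}

def build_arp(mac: str, ip: str, oper: int = 2) -> bytes:
    """Build a 42-byte ARP frame; used only to construct the sample data below."""
    sha = bytes.fromhex(mac.replace(":", ""))
    spa = bytes(int(octet) for octet in ip.split("."))
    eth = b"\xff" * 6 + sha + struct.pack("!H", 0x0806)
    return eth + struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper) + sha + spa + b"\x00" * 6 + spa

# Constructed sample capture: a terminal and a printer both answer for 192.0.2.50.
SAMPLE_FRAMES = [
    build_arp("02:00:00:00:00:03", "192.0.2.1"),           # server
    build_arp("02:00:00:00:00:01", "192.0.2.50"),          # thin client
    build_arp("02:00:00:00:00:09", "0.0.0.0", oper=1),     # ARP probe, ignored
    b"\xff" * 12 + b"\x08\x00" + b"\x00" * 40,             # IPv4 frame, not ARP
    build_arp("02:00:00:00:00:02", "192.0.2.50"),          # old printer, same IP
    build_arp("02:00:00:00:00:01", "192.0.2.50"),          # thin client again
]

if __name__ == "__main__":
    for ip, macs in find_conflicts(SAMPLE_FRAMES).items():
        print(f"IP conflict: {ip} claimed by {', '.join(macs)}")
```

An address that legitimately moves between MACs, for example on failover, shows up the same way, so each hit still has to be checked against the known devices.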

BlueJ a simple Java IDE


Did you ever consider learning OOP (object-oriented programming)? Or maybe you just want to write a little code in Java? But you don't want to build an enterprise-level project or study for 1 day how to start with a “hello world” project? If you answer one or more of these questions with yes, BlueJ may be the solution for you.


Expose for Windows


In this article I will show you a small tool named “Switcher”. Maybe you know the Exposé feature on Mac OS X; Switcher enables this on Windows Vista and Windows 7 clients. I guess if you install Switcher you will never use “alt” & “tab” and “win” & “tab” again.

 


I use the following settings:

General = Default
Appearance = Default
Windows Style = Default
Filters = Default
Advanced = Default
Shortcuts keyboard: “alt” & “tab”; shortcuts mouse: “mouse move at top-left of Monitor 1”.

You can download Switcher for free at http://insentient.net/