5

we have some issues with a client-server based application and we would like to better understand client-server communication without going to the software company that sold the application. At least we would like to perform the analysis in parallel.

Can you suggest to me a dummy proof application that we can easily get and install to analyze client-server traffic?

Many thanks!

Dennis Williamson
  • 60,515
  • 14
  • 113
  • 148

5 Answers5

7

Presumably your "client-server communications" occur over a network, so a network snffer, like Wireshark, is probably a good start. Hopefully the particular protocol that your application is using is one that Wireshark can decode. If not, then you'll need to save the captured traffic and analyze it with a tool that can decode the protocols in the stack, preferrably up to layer 7. (If any of the protocol stack along the way is proprietary you're probably in trouble for anything other than traffic analysis.)

If your protocol is HTTP(S) based, Fiddler might also be up your alley, though it's very easy to encapsulate an ugly, proprietary protocol inside HTTP(S) such that it's as incomprehensible as a binary protocol (Sage "ACT!" HTTP-based replication, I'm talking to you).

It's difficult to respond to your "dummy proof" request. To use a tool like Wireshark effectively (especially some of the nice advanced features like following TCP streams or detecting anomalies) you really need to have an understand of the protocol layer stack and what's going on. Until computers can get to the point of being "intelligent" there's no good software substitute for human knowledge.

Edit:

I've done some analysis for Customers who were experiencing "slowness" issues with opaque, proprietary layer 7 protocols (hello, Bentley "AutoPlant", I'm talking to you) and I can say that there's some good value in even simple traffic analysis (who talks to who when, and how much). The insinuation was that "the network" was being a bottleneck, so a little sniffing of the traffic in combination with running a "Process Monitor" trace on a client PC produced some nice graphs that showed comparisons of client CPU load, server CPU load, network I/O, and back-end SAN I/O. In the end, this was all just traffic analysis of a sort, but it helped identify a nasty "looping" bug in the client software that had nothing to do with "the network".

As another example, there was a question on here yesterday about slow logons with roaming user profiles where the caching behaviour of roaming user profiles Windows XP came into question. Not having access to the Windows source code (as I so often don't), I opted to perform traffic analysis to determine what the caching behaviour was. The client/server protocol, SMB, isn't opqaue, but I treated it as such since what I was really looking for was a data transferred metric.

How deep down the rabbit-hole you go just depends on what you're looking for.

Evan Anderson
  • 141,071
  • 19
  • 191
  • 328
  • 1
    In addition (maybe Evan is implying this), it's not enough to know the OSI stack in order to analyze a packet capture. You need to know the details of the communication or application protocol\mechanism in use. If you're troubleshooting SMTP, for instance, you need to know the SMTP command set and how commands are issued and acted upon in order to know where a particular client\server session is going wrong. – joeqwerty Mar 24 '10 at 22:58
  • (completely OT comment): The funny thing about AI development is that every time we make an advancement, it's by breaking down the problem into something that can be solved via a logical process. So every time an advance is made, it's not really viewed as an advancement, rather a discovery that something believed to be 'intelligence' ended up being just a series of reproducible rules and processes. tl;dr - The goalposts for what is 'intelligence' are redefined with each AI advancement. – Chris Thorpe Mar 24 '10 at 23:20
  • @joeqwerty (man, that's odd to type): I dropped on an edit to elucidate on that point a bit. Knowing about the layer 7 is certainly important if what you're looking for is in layer 7. Reverse-engineering a proprietary (worse-- binary and proprietary) layer 7 protocol is definitely way outside the real of "dummy proof"... (yeah-- with some ASN.1 encoded data, and some architecture-dependend byte order... yeah-- gimmie some of that...) – Evan Anderson Mar 25 '10 at 00:40
  • What? You don't have access to the Windows source code? Have they seen your rep points? ;) – joeqwerty Mar 25 '10 at 02:05
0

Try http://www.wireshark.org/ -

WARNING! This tool may be illegal in some countries and under some circumstances.

lajuette
  • 761
  • 6
  • 16
0

You can try Charles, http://www.charlesproxy.com. It's not entirely free but their free trial will get you pretty far. You get a half hour of traffic recording at a time. It is also much easier to use than something like WireShark. It is also reasonably priced if you decide to go with the full version. WireShark will most likely give you the most feedback but I wouldn't consider it dummy proof. http://www.wireshark.org/.

Manny T
  • 68
  • 1
  • 6
0

if this is windows download the newest netmon from download.microsoft.com.

tony roth
  • 3,844
  • 17
  • 14
0

tcpview is as basic a tool as you'll find, while still retaining some measure of usefulness:

http://technet.microsoft.com/en-us/sysinternals/bb897437.aspx

As for the broader question - You can't break complex troubleshooting down into anything 'dummy proof'. That notion is a bit insulting.

Chris Thorpe
  • 9,903
  • 22
  • 32