Troubleshooting Bandwidth Consumption Using Wireshark

Problem
Customer calls first thing on a  Monday morning saying that something is consuming all 12Mbps of their Internet bandwidth.

Background
Customer is an ASP and hosts several services including financial and billing, email, and document management applications.  Clients connect via remote desktop encrypted in a site-to-site VPN tunnel.  The tunnel endpoint is a pair of Cisco ASA5510’s in fail-over mode.  The internet facing router is a Cisco 2801.  All application servers are virtual machines running in VMware vSphere on a cluster of Dell blades.

Troubleshooting
A quick check of the ASA revealed that outbound internet traffic was a constant 8Mbps with bursts as high a 14Mbps.  Everyone agreed that the overnight increase in bandwidth use was likely caused by a trojan or virus.  But with over 90 virtual servers as potential hosts, isolating the problem server could prove time consuming.

The customer had already spent some time trying to isolate the source by looking through logs on the ASA and analyzing bandwidth consumption on particular virtual machines.  Since they hadn’t found anything obvious we decided to take a different approach and look at packets exiting the firewall.

Using Wireshark, we captured traffic on the internet facing interface of the ASA.  (Note – I’ve removed the source and destination IP columns)

The first thing that looks a little abnormal is the amount SMTP traffic.  The customer hosts a few Exchange servers, but there seems to be an inordinate amount SMTP activity relative to the number of mail servers and clients.  Not to mention the strange payload in some of the SMTP packets.

Wireshark can provide a statistical breakdown of the contents of a packet capture.  Click on Statistics>Protocol Hierarchy.  After processing the capture file you’ll be presented with a chart outlining the protocol statistics.

SMTP packets made up a little over 21% of this capture and accounted for ~ 9Mbps of bandwidth used during the capture window.

From here we can use another Wireshark feature to view the data in the same way the application layer would see it.  Locate an SMTP packet in the capture, then click on Analyze>Follow TCP Stream.

Now we have a better view of this particular email transaction and noted the following:
Received from is not one of the customer’s domains.
To: is in the .mx domain.
The email client is Outlook Express 6
Email Subject: hi friend
Content-Disposition: attachment;.filename=”t658657.zip”

The same thing was found in a couple of other streams that were analyzed.  The attachment turned out to be a 40Meg zip file.  That helped explain what was consuming all of the internet bandwidth.

Using this information, we applied a rule to the ASA that denied all outbound SMTP traffic not originating from one of the mail servers.  (a good idea on any network!!)  This immediately restored the internet bandwidth consumption to normal.

Logging was enabled on the rule to provide a quick visual indication in the ASDM as to the number of matches on that rule.  Within a few minutes, it had logged over 400 hits.

An examination of the logs on the ASA pointed us to the offending terminal server which was subsequently scanned with Trend Micro House Call and the trojan removed.

Conclusions
Wireshark  is a phenomenal tool and it’s worth investing time in the lab to understand it’s many features.  In this particular instance, it helped identify the problem quickly thanks to it’s embedded packet analysis capability.

Besides the numerous books and on-line tutorials, a good place to start getting familiar with Wireshark is to take a look at the Wireshark Users Guide, capture some packets and experiment.

Problems With Context Menu Handlers

Symptom
When right-clicking on a file in Windows XP, the context menu takes over four minutes to be displayed.  Right-clicking on a folder exhibited normal behavior and was not affected.

Background
Context Menu Handlers can load from several areas in the registry.  One set of keys that control the menu creation when right-clicking on a file is located in:
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers

Troubleshooting
In this particular case, the end user had been putting up with this for a couple of weeks and was at wits end by the time he finally pulled me aside and asked me to take a look.  I was to happy oblige  as I  was tired of troubleshooting Citrix issues and was ready to look at something different for a few minutes. 

Start by making a backup copy of the entire ContextMenuHandlers subkey by right-clicking on the key and selecting Export.
Remove each key subkey under ContextMenuHandlers until you locate the offending entry.
It’s probably a good idea to export a copy of each subkey before you delete it.  That makes it easier to re-add the non-offending subkey after you’ve isolated the issue.

In my case, it was the “Open With” subkey that was causing the problem.  As soon as it was removed, the menu displayed immediately when right-clicking a file.

After rebooting the PC, I tried importing the “Open With” key back into it’s proper location.  Much to my surprise everything still worked correctly.

Reassign a vswif to a new vmnic

The VMware host in my lab is a Dell GX620 running ESX3.51 U2.  It has three NIC’s:
The embedded Broadcom BCM5751 Gigabit Adapter  (vmnic0)
3Com 3C905C-TX 10/100 Adapter  (vmnic1)
Intel 8254N Dual Port Gigabit Adapter  (vmnic2 and vmnic3)

The 3C905 isn’t entirely VMware compatible.  It can be used as a service console connection but will not function as a virtual machine uplink on a vSwitch.  It will always show disconnected.

I want to reassign the service console vswif to the 3Com adapter, keep the same IP address and move the service console port group to a new vSwitch.

VMware doesn’t like having two service console connections with different IP addresses in the same subnet, so I have two options.

1.  Create a service console connection in a different subnet and access the host from that subnet using the VIclient.
2.  Enter the commands directly on the host console.

I recommend option two.  Keep in mind that this process temporarily disrupts network communications to the host via the service console IP.

After obtaining physical access to the host’s console (or network access via a DRAC or ILO), log in and su - to establish root.

Remove vswif0 from vSwitch0
esxcfg-vswif -d vswif0  –ip=192.168.68.35  –netmask=255.255.255.0  –portgroup=SCX

Remove the SCX port group from vSwitch0
esxcfg-vswitch –del-pg=SCX vSwitch0

Create a new vSwitch for the service console;
esxcfg-vswitch -a vSwitch3

Assign the 3Com adapter to the newly created vSwitch
esxcfg-vswitch -L vmnic1 vSwitch3

Add the SCX port group to vSwitch3
esxcfg-vswitch -A SCX vSwitch3

Add vswif0 to the SCX port group and assign the IP address and subnet mask
esxcfg-vswif –add –ip=192.168.68.35 –netmask=255.255.255.0 –Portgroup=SC2 vswif0

Restart the VMware management service
service mgmt-vmware restart

Here’s vSwitch0, still connected to vmnic0 but minus the service console

And here’s the new vSwitch3 with the service console reassigned to vmnic1