Neil Carpenter's Blog

Forefront products, WSUS, Security Incident Response, and whatever else comes up.

Related Posts
  • Blog Post: Finding Retransmits in Ethereal

    With the full version of Netmon, it's relatively easy to find retransmitted packets with the expert; however, in Ethereal, it's not quite as clear... Ethereal supports analysis of TCP sequence numbers to find retransmits & do other neat things; however, the default is to turn this off (because...
  • Blog Post: Detecting ARP Spoofing Attacks

    After investigating an ARP spoofing incident recently, I started thinking of how we could easily ferret out this sort of information when responding to a potential incident. In this particular case, there were two important parts of the attack: ARP spoofing forced all traffic bound for the default gateway...
  • Blog Post: SMB/CIFS Performance Over WAN Links

    I often have customers who ask me to wrestle with the performance of SMB (otherwise known as CIFS) across a WAN link. Their experience is usually that file transfers from Windows Explorer or from the command prompt don't meet their expectations of their inter-site link, even when FTP (ewwww!) performs...
  • Blog Post: Categorizing Packet Loss

    I've quite frequently run into situations where I've been asked to diagnose packet loss based only on a network trace. While it is almost impossible to find an exact answer, a network trace can provide some valuable clues about the cause of the packet loss. The first step, if possible, is to get network...
  • Blog Post: Network Sniffing Tools

    Intro: Network sniffing is a major part of my life -- I've probably pored over, on average, a trace a day every day for the past seven years. This is an area where having the right tool is of the utmost importance as a good tool can cut hours (or even days) off of your work while a bad tool can send...
  • Blog Post: Network Sniffing Tools

    Posted on my favorite network sniffing tools.
  • Blog Post: SMB Perf articles

    I've been working a lot with file sharing performance, and I'm trying to write a few essays on those experiences. The first, on SMB Performance, is up now. When I have some more time, I'm going to write a bit on the impact of packet loss on SMB connections on a WAN link...
  • Blog Post: ARP Cache Poisoning Incident

    I recently worked on an interesting incident response with several of my colleagues. The problem, as defined by the customer, is that the following code is being injected into some websites (both external and internal to his environment) that his users are surfing: <iframe src=http://<redacted>...
  • Blog Post: Quick Figuring Optimal TCP Window Size

    There generally isn't a single correct way to figure out the optimal TCP window for an interface since you're probably connecting to different hosts across different links at different latencies; however, you can roughly guess what the optimal window would be if you're only primarily worried about your...