Ask Your Question
0

transum question

asked 2020-01-02 18:23:14 +0000

quest4answer gravatar image

hello:

i have a question regarding transum capture position. there are three options "client, intermediate, service". client is pretty self explanatory, if you capture from client. but what about intermediate and service. i have client, load Balanncer and server in my environment. so if i get capture from load balancer would it consider as intermediate and server as service? i couldn't find any specific documentation

thanks

edit retag flag offensive close merge delete

3 Answers

Sort by ยป oldest newest most voted
1

answered 2021-01-14 09:42:36 +0000

PaulOfford gravatar image

Just a quick note to complete this story. I have recreated the TRANSUM User Guide on the Wireshark Wiki - see https://gitlab.com/wireshark/wireshar...

edit flag offensive delete link more
0

answered 2020-01-04 22:21:58 +0000

PaulOfford gravatar image

Hi,

Sorry that the TRANSUM documentation is not accessible at the moment. I'll try to get it uploaded somewhere else and make the link available.

The client, intermediate and server settings change the way that TRANSUM accounts for the time taken for retransmissions. There are several scenarios, but I'll give you two to explain.

With the Client setting and a capture on or close to the client, if we transmit an HTTP request and then need to retransmit it, TRANSUM assigns the retransmission additional time to Request Spread. This is reasonable if we assume that the retransmission was needed because the first instance of the request did not make it to the server. Importantly, we don't assign the retransmission time to Service Time.

Now consider the same scenario but where we are capturing on or adjacent to the server. If we see both the original request packet and the retransmitted request, with the Client setting we would include the retransmission time as request spread. However, it would be more reasonable to assume that the service saw the first request and either there was a prolonged delay in the ACK or the ACK got lost, resulting in the retransmission. Whatever the reason, the Service Time should be judged to start from the receipt of the first instance of the request packet, and so Service Time is increased, rather than the Request Spread. This is the way TRANSUM behaves if you use the Service setting.

The inverse of the above is used for responses from the service:

  • With the Service setting, time for retransmitted responses seen at the service is allocated to Response Spread
  • With the Client setting, time for retransmitted responses seen at the client is ignored

If you choose the intermediate setting, all retransmission time is allocated to Request or Response spread depending on the direction of data flow.

There are many reasons why this treatment is not perfect, but it's a reasonable compromise.

Best regards...Paul

edit flag offensive delete link more

Comments

thank you paul for the explanation and looking forward to see the link for guide/documentation. Also to confirm the answer from my original question and based on your explanation is it safe to assume if i do a capture on server then use service as a capture point and for load balancer use intermediate?

thanks again

quest4answer gravatar imagequest4answer ( 2020-01-07 14:08:46 +0000 )edit

PaloAlto support article - Using Transum with WireShark

Chuckc gravatar imageChuckc ( 2020-07-20 05:06:19 +0000 )edit
0

answered 2020-01-03 15:04:09 +0000

cmaynard gravatar image

updated 2020-01-05 04:44:00 +0000

@PaulOfford is definitely the authority here, but as far as I can tell, the client is the side that initiates the connection, the service is the side offering the service to which the client connects, and intermediate is somewhere in between the two. So, it's my understanding that your assumption is correct, that a capture from the load balancer would be considered as intermediate.

You might want to also have a look at Paul's Transum presentation from the 2015 Sharkfest Conference. There is also a Wireshark Transum wiki page, but unfortunately there's not much more information there, and the link to the Transum User Guide is now broken because tribelab no longer exists, presumably shut down as part of Advance7 being taken over by Northern Trust.

edit flag offensive delete link more

Comments

Please note that in case of a loadbalancer, the TCP session is usually terminated on the clientside of the loadbalancer and then a new TCP session is being set up on the server side of the loadbalancer. This means that when you capture on the loadbalancer, you need to set TRANSUM to service for the client-side connection and to client on for the server side connection.

If the loadbalancer does not terminate the TCP session, then intermediate would be an appropriate setting.

SYN-bit gravatar imageSYN-bit ( 2020-01-05 12:33:27 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2020-01-02 18:23:14 +0000

Seen: 1,012 times

Last updated: Jan 14 '21