The Missing Manual Part 1: TIM Analysis, Monitoring, and Other Tools
Introduction
This Tech Tip (#61) starts a new series about various tools that can help with analyzing SSL and TIM processing, monitoring the TIM's health, and other various TIM-related concerns..
This may be different because it ranges somewhere between a Tech Tip and a Blog. I want to also present these in a historical context and discuss what we are doing today in these areas.
Capturing TIM Artifacts
If you have opened even one TIM-related support case, you know that you are typically requested to provide a packet capture and ssldump output. I outlined the reasons for this in TEC596476 -- Why am I being requested to provide a SSLDump/packet capture (PCAP) for the TIMSoft/MTP?
. More on SSL and private keys.
TIM Analysis Tools
What are the tools typically used to analyze these artifacts?
* On the TIM, the packet capture is created using tshark or tcpdump. (Originally tethereal ). How to use these tools to analyze network traffic is presented in the TIM Readiness Guide
* Generally we request a 25-30 minute pcap of TIM traffic and the corresponding TIM logs. Sometimes the packet captures are too large to analyze. So using the free tools splitcap or( editcap ) can create smaller pcap files based on various criteria such as pairs of IP addresses.
* Wireshark or NetQos Observer can be used to analyze pcap files. In a relatively short period of time, you can determine:
- The quality of network data including number of packets that are out-of-order, missing data, duplicate ACKs, are empty. This can be done through following TCP streams, Expert Info mode, and Conversations. Most of these are available under Analyze or Statistics menu options.
- Number of protocols (Analyze>Protocol Hierarchy), http servers, and requests (Analyze>HTTP or Analyze>HTTP2).
- SSL cipher suites available/used on server and client, alert codes, and more..
- And much more
* For Domainconfig files, I use the internal tool TimConfigTool.jar to do a simple graphical depiction of a domainconfig.xml. Since these files can grow quite large, it can be useful in determining issues with this important file.
* The TIM configuration/log compressed file displays the TIM settings in a helpful text format. However, if this was not the case, you could run configtool in the TIM console as outlined in https://communities.ca.com/message/241784125.
*SSLdump was last updated in 2004. https://sourceforge.net/projects/ssldump/files/ssldump/0.9b3/ It will show the cipher suits used and if a transaction is decoded or not. The TIM uses a modified version of ssldump to decode HTTPS transactions. SInce it is so old, it does not understand many of the current cipher suites and protocols. Use TEC1667615 to learn about your application(s) SSL setup.
I hope this has been of help. Next month, we will get into TIM Monitoring.
Questions for Discussion:
1. Which TIM-related tools/utilities do you use?
2. How are they helpful?