Thursday, July 30, 2009

sponsors Wireshark 101 Jumpstart Seminar

Today we had the privilege of sponsoring one of Laura Chappell's free Wireshark 101 for Newbies Jumpstart Seminars. This is a live webinar that runs about 75 minutes. You can read my July 12 review below on the last one I attended. Very good info!

The next one is scheduled for August 18 at 10am PDT/GMT-7. Register at Over 2000 people registered for today's seminar and only the first 1000 lucky people actually get to listen in, so be sure to log in early on the day of the seminar.

Laura is doing a seminar devoted to NetScanTools Pro on August 12 at 12 noon PDT/GMT-7. Register at Cost is $99. Current NetScanTools Pro customers can email our sales department for a 50% off coupon.

Monday, July 27, 2009

NetScanTools is now a Registered Trademark

On July 21, 2009 Northwest Performance Software, Inc. was issued a trademark by the US Patent and Trademark Office for the word "NetScanTools".

Sunday, July 12, 2009

Review of Laura Chappell's Wireshark 101 Jumpstart

Last Tuesday I took part in Laura Chappell's live online seminar about Wireshark. It's really for those who are new to Wireshark (which I'm not), but I wanted to see how the seminar was presented and I wanted to see if there was something I could learn about Wireshark that I didn't know. I was pleasantly surprised on both accounts. In case you don't know who Laura is, you should know that she has many years of network training to her credit.

The class was free (always a good price) and Laura had a limit of 1000 attendees. I think over 1700 signed up. I was able to make it in under the cutoff a half an hour ahead of time. The class was conducted using a Citrix viewing program that I had to install. This was required so that we could see slides and Wireshark in action. The quality of the audio was similar to that of a phone call, not super high but very intelligible. I used DSL (1.2 mb) which was fast enough for both the video portion and the audio. Laura also provided the slides as a downloadable PDF so you could follow along (I did).

There was a way to communicate back to Laura and her assistants using both instant messaging and phone or audio link if you needed to ask a question. Many people did ask questions. Yesterday I received the complete list of questions and answers by email.

Laura started the seminar by covering Wireshark on a general level, explaining how it can be integrated into the various packet capturing methods and explaining how it could open 'trace files' offline at a later time. Then she covered the various Wireshark placement options with their advantages and disadvantages. This included both tapping into wired network streams, mirroring them and even using wireless capture devices to see traffic on a wireless network.

Laura then moved directly into using Wireshark live to capture data into the file sets. Filesets allow you to create a large capture in multiple smaller files. Then she showed how to alter the time column so that you could see the relative time between packets rather than the default seconds since the beginning of the capture. Of course there were discussions about defining both capture filters to eliminate unwanted packets from our capture file and post capture filtering of the packets in the file. Since post-capture filtering can be complex in this program, Laura also covered changing the coloration of the rows of captured packets depending on the data in the packet. Laura also touched on following streams of TCP or UDP data. This is helpful when you are following communications between a client and server -- especially if the client is compromised by a trojan or something similar.

Even though Laura talked quicker than I ever can (though still slower than my 19-year-old daughter), she ran out of time -- 75 minutes quickly ran into nearly 90 minutes. But she did leave us with a "to-do" list. First and foremost was to get the latest version of Wireshark, version 1.2. This version now includes optional GeoIP locating for IP addresses, which is quite helpful (NetScanTools Pro does this too!). They take it one step further and display the IPs on a world map, which is always good (NetScanTools Pro will have this soon).

I learned that Laura puts on a very professional and well thought out seminar. This one was free, and since Laura is in the training business, she also has others that are not free. The other seminars are reasonably priced. They go into detail on many networking subjects, so please consider them. You can find Laura's seminars at You can follow her on Twitter at -- she posts usually every day -- not just business posts!

I also learned things about Wireshark that I didn't know -- particularly that GeoIP option and the colorizing methods.

If you are interested in seeing one of Laura's seminars, she will be repeating this same FREE seminar live on July 30 at 12pm Pacific Time. Please consider it. Go and sign up, then have a look at the other seminars Laura offers because with travel and training budgets tight like they are, having a live seminar delivered to your desk should be something your business should strongly consider. You can sign up for the next Wireshark Jumpstart seminar here.

Friday, July 3, 2009

Symantec Endpoint Protection 11 Didn't Start Today

Today I turned on the computer with Symantec Endpoint Protection Manager on it and came back half an hour later to log in and use the computer (Windows XP SP3). Cursor moved OK, but it didn't give me the login prompt. Oh no, not today! I have way too many other things to do. So I rebooted and was able to log in.

The first thing I noticed was that the little Endpoint Protection shield didn't have the green dot; it had the red circle with a slash. So I tried to use the Endpoint client. It said Proactive Threat Protection was down and needed to be fixed, but more ominous was that the virus definitions were yesterday's and not today's... After a while it hung up and I had to manually kill it. Bad news...

So next I tried logging into Symantec Endpoint Protection Manager Console. The login window appeared fine, but when I tried to log in, I got a message "Failed to connect to the server". So off to Google. I found a page in Symantec's very detailed support knowledgebase that told me how to turn on "FINE" level debugging. I then opened Control Panel Service Manager and found that the Endpoint Protection Service Manager service was not running. When I attempted to restart the service, it kept stopping, so I looked in the "catalina.out" file to see what was happening. This file is the Tomcat web server log file and it shows the interactions between Java and the server. I could see at least one place where the server port 8443 had a bind failure. To a sockets level programmer, this tells me that the server was not starting properly because it could not start listening on a port. The fascinating (and frustrating) thing about this was that the NetScanTools Pro connection endpoint list was NOT showing anything else using port 8443 tcp or udp.

So next I tried modifying tomcat\conf\server.xml to a different port, 8445. That didn't work. The service would exit after a few seconds. So back to Google. I found another knowledgebase article that said that Tomcat uses ports 8005 and 9090 as well. Then I remembered that I saw the HP Toolbox icon on the taskbar near the Endpoint Protection shield. I wonder...

I had installed the HP Toolbox as part of a printer install a couple of years ago, long BEFORE I put this AV product on there. And I had noticed that the Toolbox had vanished and I forgot about it. So off to Windows Explorer and I searched the Program Files/Hewlett Packard and found Toolbox and Toolbox 2.0. Both had an Apache Tomcat 4.0 subdirectory. OK -- this must be it!!!

I started NetScanTools Pro and looked again at the connection endpoint list and saw that java.exe was using port 8005. So I started msconfig and found HP's Toolbox startup entry and disabled it. Then I rebooted...

The shield was back with the GREEN DOT!

The two programs interfered with each other. I don't know why the HP Toolbox was loaded first after not being loaded first for a whole year. Nothing changed yesterday---that I know of.

I wasted 2.5 hours; hopefully you won't after reading this. It really applies to any two programs that are both using Tomcat.
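An added example, not part of the original post: moving only the 8443 connector leaves Tomcat's other listeners where they were, and the clash here turned out to be on 8005. The Python sketch below lists every port a Tomcat `server.xml` will bind, including the `<Server>` shutdown port, and tests whether each can be bound; the sample XML is constructed from the three ports named in the post, and the function names are illustrative.

```python
import socket
import xml.etree.ElementTree as ET

# Constructed sample, not the product's real file: a minimal Tomcat
# server.xml using the three ports named in the post.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8443" scheme="https" secure="true"/>
    <Connector port="9090"/>
  </Service>
</Server>"""


def tomcat_ports(server_xml):
    """Return {port: role} for every TCP port this Tomcat config will bind."""
    root = ET.fromstring(server_xml)
    ports = {}
    # The <Server> element's own port is the shutdown listener; it is easy
    # to miss when only the connectors are renumbered.
    shutdown = int(root.get("port", "-1"))
    if shutdown > 0:
        ports[shutdown] = "shutdown listener"
    for conn in root.iter("Connector"):
        if conn.get("port"):
            ports[int(conn.get("port"))] = "connector"
    return ports


def port_is_free(port, host="127.0.0.1"):
    """Try to bind the port the way a server would; False means it is taken."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind((host, port))
        except OSError:
            return False
    return True


def find_conflicts(server_xml, host="127.0.0.1"):
    """List (port, role) pairs from the config that cannot be bound right now."""
    return [(p, role) for p, role in sorted(tomcat_ports(server_xml).items())
            if not port_is_free(p, host)]


if __name__ == "__main__":
    for port, role in find_conflicts(SAMPLE_SERVER_XML):
        print(f"port {port} ({role}) is already in use")
```

Run it against each Tomcat instance's own `server.xml` while the other instance is running; any port reported is one the second instance will fail to bind.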

Wednesday, July 1, 2009

NetScanTools (TM) Pro 10.92 USB Version Patch Ready

The USB upgrade patch is ready for those of you who have NetScanTools Pro USB version. If you have Wireshark Portable version installed on that same USB stick, you can now use the left panel Optional Tools menu to start Wireshark from within NetScanTools Pro. This has always worked for the installed version and now the USB version can do the same thing. When you first launch it, we provide a File Open navigation window where we ask you to locate and select the wiresharkportable.exe file. We then save that relative location for the next time you start Wireshark.

Everything else, including TCP Ping, is also included in the upgrade.

If you have NetScanTools Pro USB, click on Help/Check for New Version and log in to get the patch. You must have an active maintenance plan to log in.