How to Troubleshoot SQL, Skype, Windows, Active Directory, Exchange and Basic Server issues with one tool! It's called Multi-Perf!

 


Figure 1. Perfmon

Hello Everyone,

Well, Multi-Perf sounds like it will do a lot! I don't want to mislead anyone, so I will say up front: yes, it will troubleshoot all of those products, one at a time. It is an industry standard that you work on only one problem at a time, so this tool collects performance information related to one topic of concern. Once the log is collected, you can review it for problems specific to your installation.

Figure 2. Set-ExecutionPolicy

The benefit of this tool is that I have been fortunate enough to partner with one of my best friends, Tommy Paulk. He is a Master Engineer for Exchange Server; my title is Skype Architect. See where I am going with this? Tommy created the Exchange counter set and I created the Skype counter set, so each counter set was built by a professional in their field. The bottom line is that you get a script that lets you choose which set of performance information you need.

So Multi-Perf is run simply as "Multi-Perf counter", where counter is one of Basic, Active, SQL, EXCH or Skype.

Figure 3. Multi-Perf and Readme

Let's go ahead and explain what you get for your money here. See Figure 1 at the top of this post? That is the result of any counter set: a mix of settings that you have to get into, dance with, and somehow survive victoriously. The particulars are beyond the scope of this article, so begin here. No, I take that back; I always make the first link one I would never read myself. Read this one instead: Windows Perfmon. It's pretty good.

Now that you're up to speed, let's get you some instructions! Figure 2 shows Set-ExecutionPolicy. Open PowerShell as administrator and run this command: Set-ExecutionPolicy -ExecutionPolicy Unrestricted. Keep in mind that Unrestricted is a machine-wide setting that lets any downloaded script run from then on; if you only need it for this one script, Set-ExecutionPolicy Bypass -Scope Process lifts the restriction for the current PowerShell session only and leaves the machine policy alone.

Next you just have to know the syntax of the command:

.\Multi-Perf.ps1 testname -computer mycomputer -instance myinstance. Notice the red lines in Figure 4? They mark the three data points you are responsible for.

Figure 4. Multi-Perf Syntax

If you are not using SQL, you only have two items to put in! If you are running on the local computer, you only have to put in the test name! If you leave out the test name, you automatically get the Basic counter pack.

So this tool will work regardless of input. You may not get the detail you want, but you get a basic counter log at a minimum. Let me now give you some examples of the syntax.

Figure 5. Run Active test on computer 2

As shown above, you use the form: .\Program testname -computer computername

If you leave out the computer name, it automatically selects the local computer:

 

Figure 6. Run as Program .\Multi-Perf.ps1 only


In this case the result is no different, because you are supplying the most important variable: the test type.

 

Figure 7. With SQL; if you forget to specify the instance, you get another chance to put it in.

If you put the instance in, that is fine. If you did not, there is no penalty. This makes the log tool forgiving and easy to use.

As the last example, I will walk you through the case where a person starts the SQL trace and does not input the instance:

 

Figure A. No instance specified.

 

Instead of failing, the script looks up the SQL instances and presents them to the customer. It also says the user must type the instance name themselves, so there is no accident.

Figure B

Once the user types in the instance in Figure B, we move to Figure C and just ask how many seconds between snapshots. 1-60 is best.

Figure C

 

Finally, in Figure D, we just ask for an Enter to go ahead and create the counter object. Upon hitting Enter, you get the confirmation that the Perfmon counter set is started.

Figure D

In Figure E you see that the performance counter is started. As long as that is the end result, the intervening steps were all successful. You can see the fruits of your labor in Figure F, which is the running Performance Monitor!

 

Figure E

 

Figure F is Start -> Run -> perfmon.

Figure F. Perfmon running. The collector is always called Perf.

 

The counter set that is created is always called Perf. The old one is always deleted before a new one is created. If you want to keep the old one, just rename it.
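To make the walkthrough above concrete, here is an added example script (not the author's Multi-Perf.ps1, and not its counter packs) that behaves the way the figures describe: the test name defaults to Basic, the computer defaults to the local machine, a missing SQL instance is looked up and must be typed by the user, the snapshot interval is prompted for, and the old Perf collector is deleted before a new one is created with logman.exe. The counter names in each pack, the registry key used to find SQL instances and the parameter names are this example's assumptions.

```powershell
# Added example, not the author's Multi-Perf.ps1: a minimal script that behaves
# the way the walkthrough describes, built on logman.exe. The counter packs are
# illustrative placeholders (the real Exchange and Skype packs are the authors'
# work), and the parameter names are this example's choice.
param(
    [ValidateSet('Basic','Active','SQL','EXCH','Skype')]
    [string]$Test     = 'Basic',               # no test name -> Basic pack
    [string]$Computer = $env:COMPUTERNAME,     # no computer  -> local machine
    [string]$Instance,                         # SQL only; prompted for if omitted
    [string]$Name     = 'Perf'                 # the collector is always called Perf
)

function Get-SqlInstanceName {
    # Instance names are the value names under this key (assumed present on the
    # target); the default instance shows up as MSSQLSERVER.
    param([string]$Computer)
    $key   = 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL'
    $block = { param($k) if (Test-Path $k) { (Get-Item $k).GetValueNames() } }
    if ($Computer -ieq $env:COMPUTERNAME) { & $block $key }
    else { Invoke-Command -ComputerName $Computer -ScriptBlock $block -ArgumentList $key }
}

if ($Test -eq 'SQL') {
    $known = @(Get-SqlInstanceName -Computer $Computer)
    if (-not $known) { throw "No SQL instances found on $Computer" }
    while (-not $Instance -or $Instance -notin $known) {
        # As in the original: show what exists, but make the user type it.
        Write-Host "SQL instances on ${Computer}: $($known -join ', ')"
        $Instance = Read-Host 'Type the instance name exactly as shown'
    }
}
# The Perfmon object prefix differs for the default and named instances.
$sqlObj = if ($Instance -ieq 'MSSQLSERVER') { 'SQLServer' } else { "MSSQL`$$Instance" }

$Packs = @{
    Basic  = '\Processor(_Total)\% Processor Time', '\Memory\Available MBytes',
             '\PhysicalDisk(_Total)\Avg. Disk sec/Transfer', '\Network Interface(*)\Bytes Total/sec'
    Active = '\NTDS\LDAP Searches/sec', '\NTDS\LDAP Client Sessions',
             '\NTDS\DRA Pending Replication Synchronizations'
    SQL    = "\${sqlObj}:Buffer Manager\Page life expectancy", "\${sqlObj}:SQL Statistics\Batch Requests/sec",
             "\${sqlObj}:General Statistics\User Connections"
    EXCH   = '\MSExchangeIS Store(*)\RPC Average Latency',
             '\MSExchange Database(*)\I/O Database Reads (Attached) Average Latency'
    Skype  = '\LS:SIP - Protocol(*)\SIP - Average incoming message processing time',
             '\LS:MediationServer - Health Indices(*)\*'
}

do {
    $Interval = Read-Host 'Seconds between snapshots (1-60)'
} until (($Interval -as [int]) -and [int]$Interval -ge 1 -and [int]$Interval -le 60)

$counterFile = Join-Path $env:TEMP "$Name-counters.txt"
$Packs[$Test] | Set-Content -Path $counterFile -Encoding ASCII
Read-Host "Press Enter to create and start the '$Name' collector on $Computer" | Out-Null

# Always replace the old Perf; rename it first if you want to keep it.
logman.exe stop   $Name -s $Computer 2>$null | Out-Null
logman.exe delete $Name -s $Computer 2>$null | Out-Null
logman.exe create counter $Name -s $Computer -cf $counterFile -si $Interval -f bincirc -max 512 -o "C:\PerfLogs\$Name"
if ($LASTEXITCODE -eq 0) { logman.exe start $Name -s $Computer }
if ($LASTEXITCODE -eq 0) { Write-Host "Counter collector '$Name' started on $Computer; open perfmon.msc to watch it." }
```

Run it from an elevated PowerShell as `.\Multi-Perf.ps1 SQL -Computer sql01`; the account needs local administrator rights on the target, and the remote instance lookup needs WinRM (Invoke-Command) to be enabled there. The collector itself runs under the Performance Log Users/SYSTEM context that logman assigns, not as the interactive user.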

 

OK, if you made it this far, you must want your copy. Please have it and go in peace!

Download Me Here

 

L

 

 


On capturing Cyber Attacks 2015

Good day all,

I wanted to take some time to reflect on 2015 and the events we have seen. Obviously this has been a politically charged year and there has been a lot of unrest globally. In this context, I wanted to take a minute to raise awareness about a subject not often detected in support calls. Cyber-terrorism, or just plain virus detection, is something we used to catch pretty easily. However, since 2008 the attack methods have become more sophisticated, and the methods required to detect criminal behavior on Dell servers have become obscure. I mean, we are here to fix an issue and close a case. But if we happen to be at the depth in a case where we are analyzing logs and captures anyway, there is, I feel, a need to protect our customers from what is observed. We should be cognizant enough to warn the customer if they are in danger of any criminal element invading their business.

To this end, I wanted to send out a few resources that let you look for a few dead giveaways, and give you some easy info on how to see the packets and the threat they may pose.

First, understand that attack events happen all the time. They generally line up with unrest events or even holidays. I guarantee that if you look at traffic on your firewall this holiday season, you will see traffic from China and/or North Korea or other countries that have no business being on your system. I don't know why hackers choose times of civil unrest or holidays to do their hacking, but I have noticed this phenomenon over the course of years. This brings me to my first point:

Look for IP addresses and check to see who owns them.

Very simply, do a whois or even a map lookup; check out this link: http://www.infosniper.net. You get instant feedback on where this external connection is coming from. Frequent visits from foreign soil, especially countries on the embargo list, are a telltale sign you're on a list somewhere. You had better get your protection in order when you see this activity. Bear in mind that an address's registered country tells you where it is allocated, not who is behind it; attackers routinely relay through compromised hosts elsewhere, so treat location as a prompt to look at what the connection actually did, not as proof by itself.

HTTP GET requests are a very common place to see rogue behavior

Here is a template you can follow, step by step, to see how to isolate a PHP attack. It is a trace from the Boston bombing period. This article ranks at the top of the articles I have seen because it can teach you a lot:

  1. How to find suspect HTTP packets.
  2. How to find files such as .js or stat.htm.
  3. How to extract a script from the trace.
  4. How to analyze a script to see if it is a virus.
  5. How to use tools that know what IDs to look for in a trace.

There is more to learn from this one link, but have a look for yourself. If you have a trace open, you can follow along and be doing the steps in no time.
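The two tells described above (repeat visits from external addresses you do not expect, and HTTP GETs for script endpoints or carrying code in the query string) are easy to pull out of a web or firewall log before you ever open a trace. The following is an added example, not part of the original post: it triages a handful of constructed IIS W3C-style log lines, drops private-range sources, ranks the external talkers that are worth a whois, and flags the suspicious GETs. The log layout, the sample lines, the pattern list and the RDAP lookup URL are this example's assumptions.

```powershell
# Added example, not from the original post: triage constructed log lines for
# repeat external visitors and suspicious HTTP GETs. The log layout, sample
# lines, pattern list and RDAP URL are this example's assumptions.

# Constructed sample in IIS W3C order: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
$SampleLog = @'
2015-12-24 02:11:09 203.0.113.17 GET /wp-login.php - 200
2015-12-24 02:11:10 203.0.113.17 GET /index.php c=eval(base64_decode(%27aGVsbG8%3D%27)) 500
2015-12-24 02:12:44 192.168.1.20 GET /intranet/stat.htm - 200
2015-12-24 02:13:01 198.51.100.9 GET /scripts/stat.htm - 404
2015-12-24 02:13:02 198.51.100.9 GET /js/track.js v=../../etc/passwd 404
2015-12-24 02:15:20 10.0.0.5 GET /home.htm - 200
2015-12-24 02:16:33 203.0.113.17 GET /xmlrpc.php - 200
'@

function Test-PrivateIPv4 {
    # RFC 1918, loopback and link-local: traffic from these is not "foreign".
    param([string]$Ip)
    $b = ([System.Net.IPAddress]::Parse($Ip)).GetAddressBytes()
    return (($b[0] -eq 10) -or ($b[0] -eq 127) -or
            ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
            ($b[0] -eq 192 -and $b[1] -eq 168) -or
            ($b[0] -eq 169 -and $b[1] -eq 254))
}

function ConvertFrom-WebLog {
    # Turn each space-separated line into an object; skip headers and blanks.
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        $f = $line -split '\s+'
        if ($f.Count -lt 7) { continue }
        [pscustomobject]@{
            Time   = [datetime]"$($f[0]) $($f[1])"
            Ip     = $f[2]; Method = $f[3]; Stem = $f[4]; Query = $f[5]; Status = [int]$f[6]
        }
    }
}

function Get-ExternalTalker {
    # Hit count per non-private source: these are the addresses to whois.
    param($Entries)
    $Entries | Where-Object { -not (Test-PrivateIPv4 $_.Ip) } |
        Group-Object Ip | Sort-Object Count -Descending | ForEach-Object {
            $times = $_.Group.Time | Sort-Object
            [pscustomobject]@{ Ip = $_.Name; Hits = $_.Count; First = $times[0]; Last = $times[-1] }
        }
}

$StemPattern  = '\.php$|stat\.htm$|\.js$'              # script endpoints the post calls out
$QueryPattern = 'eval\(|base64_decode|%3Cscript|\.\./'  # code execution / traversal markers
function Get-SuspectRequest {
    # External GETs that hit a script endpoint or carry code in the query.
    param($Entries)
    $Entries | Where-Object {
        $_.Method -eq 'GET' -and -not (Test-PrivateIPv4 $_.Ip) -and
        ($_.Stem -imatch $StemPattern -or $_.Query -imatch $QueryPattern)
    }
}

function Get-IpOwner {
    # Online step, not run by default: ARIN's RDAP endpoint (assumed reachable;
    # other registries are reached by redirect) returns the registrant record.
    param([string]$Ip)
    $r = Invoke-RestMethod -Uri "https://rdap.arin.net/registry/ip/$Ip" -ErrorAction Stop
    [pscustomobject]@{ Ip = $Ip; Name = $r.name; Country = $r.country; Handle = $r.handle }
}

$entries = ConvertFrom-WebLog ($SampleLog -split "`r?`n")
"External talkers (whois these):"
Get-ExternalTalker $entries | Format-Table -AutoSize
"Suspect GETs:"
Get-SuspectRequest $entries | Format-Table Time, Ip, Stem, Query, Status -AutoSize
```

On the constructed sample this reports 203.0.113.17 (3 hits) and 198.51.100.9 (2 hits) as the external talkers, and flags the wp-login.php, index.php (eval/base64_decode), stat.htm, track.js (../ traversal) and xmlrpc.php requests; the internal 192.168.1.20 visit to stat.htm is not flagged because the source is private. Replace `$SampleLog` with `Get-Content` of a real log, and call `Get-IpOwner` on each external address once you are ready to go online.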

General Rogue troubleshooting

My final point is another keeper document. Likely the most important link for you is the article called Wireshark: A Guide to Color My Packets. It is a great read as a training cliff note, and can help you look for attacks on your customer's computer. The resources are plentiful, but you really want to spend at least some time in Wireshark every month. It is a tool that pays back the time you put in, and one relied on by elements of the Federal Government, the FBI, law enforcement and other security-conscious groups. Let's help those groups. Get your certification today!

So what does this PDF cover? 16 points in only 30 pages! This is a Wireshark jump start for sure, and a good refresher as well. In just a few pages you will get up to speed on:

 

  1. Profiles
  2. Display filters
  3. Color rules
  4. Packet Details
  5. Network Reconnaissance
  6. DNS reconnaissance
  7. DNS Information
  8. Network Mapping
  9. Nmap scanning
  10. Web Server Scanning
  11. Detect Host Exploitation
  12. FTP brute force attack
  13. Data Recovery
  14. Attachments
  15. Detecting covert channels
  16. SSH over ICMP

 

In closing, it is difficult to grasp that this is happening on systems we work on. Don't take it from me; I had to do my reading too. I can point you to a good resource. These articles are written by top security experts on threats realized in the United States and around the world:

https://www.sans.org/reading-room

 

 

To all a happy and safe holiday,

Wireshark Troubleshooting TCP latency

Lync is a complex product. There is a saying among Lync professionals that Lync is not usually the problem; it's what Lync is dropped into. The underlying environment is usually not set up to cater optimally to the needs of real-time audio. "That is usually the underlying issue."

I can tell you this is a true statement. Lync is actually somewhat simple in many ways, but it asks the network to do things it normally is not designed for. Lync asks more of a network than any product that came before it.

That said, this puts you at odds with the network group on your deployment, and you may need to supply the burden of proof that there is a network problem. I have begun a series of videos on Wireshark troubleshooting. They were part of a challenge and I can't supply you with the trace file, but I can show you the videos, which contain the methodology to isolate a TCP latency issue. Please enjoy the 3-video playlist at:

TCP troubleshooting

I hope this may be helpful.

L