
We recently ran into an issue where a Tomcat application would not perform a certain application-specific function that it used to perform in the past (basically commit a file).
After days and days of troubleshooting I found that it was because the developer had hard-coded the name of a proxy server in his deployment file (I found it out by looking at the application property file). The proxy server had long been replaced with a newer one. Once the developer updated the property file with the correct proxy server name, it started to work fine.
As part of the troubleshooting, I had collected tcpdumps but due to my lack of knowledge with it, I was unable to locate the culprit using tcpdump (+ Wireshark).

My question is this: how would I identify this issue using tcpdump?

EDIT: Not sure whether it's clear, but "The old proxy server had long been replaced with a newer one and the old proxy server was unreachable".

souser

1 Answer

The only way I'd see to identify that issue using traffic captures would be to look at the traffic sent out by the application and note that it's being sent to the wrong proxy server, for example by seeing attempts to look up the wrong proxy server host name or attempts to connect to an IP address that's not the address of the new proxy server.

That probably still would not be sufficient to tell you why it's trying to contact the wrong proxy server; there's probably nothing in the traffic to indicate that it's getting the wrong proxy server host name from some particular file. Analyzing traffic captures can't tell you everything - if it's not on the wire, you can't see it.

  • Does that mean that unless we know the destination server we cannot really determine if it's not reachable? – souser Jul 18 '15 at 01:16
  • There are different things that you will need to know before you understand what you are looking for. When a network connection to an IP address is requested within the same subnet, an ARP is sent. If the IP is in another subnet, the ARP request is for the router. But this may not be your case. If the client is looking for the IP of a known DNS name, then you should be looking for the traffic to your DNS server (port 53). In this scenario, the DNS server will send a DNS not found. Therefore the connection attempt to the stale IP will not even show up because there won't be any attempt to connect. – alvits Jul 18 '15 at 02:27
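The two symptoms the answer and the comment above describe (a lookup of the stale proxy name that the DNS server rejects, or repeated SYNs to a stale proxy IP that never get a SYN-ACK) can be picked out of the text form of a capture mechanically. The script below is an added example, not code from the question or the answer; it reads `tcpdump -nn` output and runs on a constructed sample (the host names, IP addresses and port 3128 are made up), reporting names that came back NXDomain and destinations whose SYNs were never answered.

```python
import re

# Constructed sample of `tcpdump -nn` text output (not a real capture): a lookup of
# the stale proxy name answered with NXDomain, three unanswered SYNs to a stale proxy
# IP, and one SYN to a reachable host that is answered with a SYN-ACK.
SAMPLE = """\
12:00:01.000001 IP 10.0.0.5.50123 > 10.0.0.2.53: 12345+ A? oldproxy.corp.example. (38)
12:00:01.000500 IP 10.0.0.2.53 > 10.0.0.5.50123: 12345 NXDomain 0/1/0 (90)
12:00:02.000001 IP 10.0.0.5.40000 > 10.1.1.9.3128: Flags [S], seq 1, win 64240, length 0
12:00:03.000001 IP 10.0.0.5.40000 > 10.1.1.9.3128: Flags [S], seq 1, win 64240, length 0
12:00:05.000001 IP 10.0.0.5.40000 > 10.1.1.9.3128: Flags [S], seq 1, win 64240, length 0
12:00:06.000001 IP 10.0.0.5.40001 > 10.1.1.10.3128: Flags [S], seq 2, win 64240, length 0
12:00:06.000300 IP 10.1.1.10.3128 > 10.0.0.5.40001: Flags [S.], seq 3, ack 2, win 65535, length 0
"""

# DNS query "<src> > <server>.53: <txid>+ A? <name>. (<len>)"; the NXDomain reply
# from the server carries the same transaction id, which lets us recover the name.
DNS_Q = re.compile(r"IP \S+ > \S+\.53: (\d+)\+ A\? (\S+)\. ")
DNS_NX = re.compile(r"IP \S+\.53 > \S+: (\d+) NXDomain")
# TCP SYN is "Flags [S]", the SYN-ACK coming back is "Flags [S.]".
SYN = re.compile(r"IP (\S+) > (\S+): Flags \[S\],")
SYNACK = re.compile(r"IP (\S+) > (\S+): Flags \[S\.\],")


def analyze(text):
    """Return names the resolver reported as non-existent and server endpoints
    whose SYNs were never answered, with the number of SYN attempts seen."""
    queries = {}      # dns txid -> queried name
    nxdomain = []     # names answered with NXDomain
    syns = {}         # (client, server) -> number of SYNs sent
    answered = set()  # (client, server) pairs that received a SYN-ACK
    for line in text.splitlines():
        if m := DNS_Q.search(line):
            queries[m.group(1)] = m.group(2)
        elif m := DNS_NX.search(line):
            name = queries.get(m.group(1))
            if name and name not in nxdomain:
                nxdomain.append(name)
        elif m := SYN.search(line):
            key = (m.group(1), m.group(2))
            syns[key] = syns.get(key, 0) + 1
        elif m := SYNACK.search(line):
            # SYN-ACK flows server -> client, so swap to match the SYN's key
            answered.add((m.group(2), m.group(1)))
    unanswered = {srv: n for (cli, srv), n in syns.items() if (cli, srv) not in answered}
    return {"nxdomain": nxdomain, "unanswered_syn": unanswered}


if __name__ == "__main__":
    print(analyze(SAMPLE))
```

Against a saved capture, feed it the output of `tcpdump -nn -r capture.pcap`; a name under `nxdomain` or a server under `unanswered_syn` is exactly the "wrong proxy" evidence the answer says is all the wire can show you.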