Pictures at a VMWare Exhibition

Not really pictures but a few notes from the recent VMWare Virtualisation Forum – the regional mini-VMWorld. It started with a lot of pictures – trees, water, animals and I think smiling babies. When an event starts with those, expect a lot of marketing dung – and we got plenty in a day. For example, one of the VMWare keynote speakers said that virtualisation is the only way to manage hardware resources efficiently. Or, in the words of BEA’s leaflet: Virtualization: Same Servers, More capacity. As if the hypervisor and the OS image for each guest take none. Or perhaps this apparent inefficiency is compensated for by the flexibility to allocate more resources, should the need arise. If you cannot effectively manage resources on physical servers, you’re likely to waste them on virtual ones too. Virtualisation just gives a chance for a fresh start – and some different tools.

VMWare’s updated product line includes an OS patching solution that will allow patching systems that are shut down. Virtually shut down, of course. I believe this is the industry’s first. My concern is that VMWare is losing focus: they shouldn’t really go into patching and software delivery.

Both EMC and Network Appliance were presenting their storage offerings. Virtualisation requires shared storage, and those vendors are ready to sell – at a premium price. One thing they aren’t interested in is enterprise storage commoditisation (despite the fact that commoditisation would let them enter the mass market). But NetApp mentioned something that is definitely worth noting: good old NFS provides a solid and viable alternative to Fibre Channel- and iSCSI-connected storage. This blog explains why: VMWare over NFS. Suddenly NFS is making a comeback. Enterprise-class virtualisation with commodity and/or open source storage is coming.

Also both storage vendors presented their backup offerings. Two main points: direct-from-storage backups and data de-duplication. Watch the space – backups may finally become reliable and usable!

IBM was touting a new server. While doing that they admitted that the big-iron, multi-CPU approach is much better than using blades. Surprisingly, many people believe that blade servers are the best for virtualisation – in fact, the opposite is true.

Wyse and HP pushed their desktop virtualisation solutions – e.g. thin clients. After so many failures, will thin client solutions succeed? I’m sceptical. Virtual desktops tend to be more expensive than traditional desktops. But the functionality is less crippled this time around – thanks to a full dedicated OS image per client.

Overall, the virtualisation drive is a welcome shakeup of the industry. But promises – and expectations – tend to be overblown.

Capturing Windows user logon traffic

I don’t need to go into many details about the startup process and the importance of analysing it when there are problems. Here’s how I do it:

The tools:

Install the tools accepting all defaults (you should always go with defaults unless you have really good reasons not to – and security through obscurity is not one). Follow the Resource Kit documentation to install the Autoexnt service, using the interactive option.

The most important information that is not in the network traffic capture is the process map – the information that lets you identify which processes are making which connections.

I’m using the c:\tmp folder for the captures and other files. This is the autoexnt.cmd file:

@echo off
rem Rotate the previous boot's capture and log so they are not overwritten
move c:\tmp\capture.cap c:\tmp\captureX.cap
move c:\tmp\capturelog.txt c:\tmp\capturelogX.txt
rem Start the packet capture in its own window (check the interface number with tshark -D)
start /D "C:\Program Files\Wireshark" tshark.exe -i 2 -w c:\tmp\capture.cap
:loop
rem Once a second, append a timestamp, the connection table and the process list to the log
cscript //Nologo c:\tmp\now.vbs >> c:\tmp\capturelog.txt
netstat -ano >> c:\tmp\capturelog.txt
pslist >> c:\tmp\capturelog.txt
sleep 1
goto loop

In the tshark command line options, the interface number (the -i option) may be different on your system – use "tshark -D" to list the interfaces on your system. I found that in some cases tshark has visibility of all interfaces on the system whereas the Wireshark GUI doesn’t let you choose the right interface. Now.vbs prints the current time, including seconds. The whole script is:

WScript.Echo Now

After rebooting the computer and the user logon there will be two windows on the screen – cmd.exe and tshark.exe. Close both – you’ll find the traffic capture in c:\tmp\capture.cap and the process/connection lists in c:\tmp\capturelog.txt. That’s enough information to do the analysis.
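The analysis step itself, and the process-map point made earlier (the netstat/pslist snapshots supply what the capture lacks), as an added example that is not code from the original post: a small Python script that parses a capturelog.txt in the layout the autoexnt.cmd loop writes (now.vbs timestamp, then netstat -ano output, then pslist output, about once a second) and labels each captured connection with the PID and process name that owned the local port at that moment. The log text and packet records are constructed for the demonstration; the English-locale "dd/mm/yyyy h:mm:ss AM" timestamp format, the function names and the two-second matching window are the example's own assumptions.

```python
"""Correlate a logon packet capture with the netstat -ano / pslist snapshots
in capturelog.txt so each connection gets a PID and a process name.
Added example, not code from the original post.  Assumes the log layout the
post's autoexnt.cmd loop writes (now.vbs timestamp, netstat -ano, pslist,
about once a second) and an English-locale "dd/mm/yyyy h:mm:ss AM" stamp.
The log and packet records below are constructed for the demonstration."""
import re
from dataclasses import dataclass, field
from datetime import datetime

SAMPLE_LOG = """\
14/03/2008 9:02:15 AM
Active Connections
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:1045      192.168.1.5:445        ESTABLISHED     4
  TCP    192.168.1.10:1052      192.168.1.5:389        ESTABLISHED     696
  UDP    192.168.1.10:137       *:*                                    4
Process information for WS01:
Name                Pid Pri Thd  Hnd   Priv        CPU Time    Elapsed Time
System                4   8  51  412      0    0:00:01.015     0:00:00.000
lsass               696   9  17  297   3264    0:00:00.421     0:00:30.000
14/03/2008 9:02:16 AM
Active Connections
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:1052      192.168.1.5:389        ESTABLISHED     696
  TCP    192.168.1.10:1061      192.168.1.5:88         ESTABLISHED     696
Process information for WS01:
Name                Pid Pri Thd  Hnd   Priv        CPU Time    Elapsed Time
System                4   8  51  412      0    0:00:01.015     0:00:00.000
lsass               696   9  17  297   3264    0:00:00.421     0:00:31.000
"""  # constructed; real output has blank lines and banners, which the parser ignores

# Constructed packets (time, proto, src, sport, dst, dport): the fields one
# would export from capture.cap with "tshark -r capture.cap -T fields ...".
SAMPLE_PACKETS = [
    (datetime(2008, 3, 14, 9, 2, 15), "TCP", "192.168.1.10", 1045, "192.168.1.5", 445),
    (datetime(2008, 3, 14, 9, 2, 16), "TCP", "192.168.1.5", 88, "192.168.1.10", 1061),
    (datetime(2008, 3, 14, 9, 2, 16), "TCP", "192.168.1.10", 1070, "192.168.1.5", 80),
]

TIMESTAMP_RE = re.compile(r"^\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M$")
TIMESTAMP_FMT = "%d/%m/%Y %I:%M:%S %p"  # assumed now.vbs output format
# netstat -ano row: proto, local, foreign, optional state (UDP has none), PID
CONN_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")
# pslist row: name, pid, then the numeric Pri/Thd/Hnd/Priv columns
PROC_RE = re.compile(r"^(\S+)\s+(\d+)\s+\d+\s+\d+\s+\d+\s+\d+\s+")


@dataclass
class Snapshot:
    when: datetime
    conns: dict = field(default_factory=dict)  # (proto, ip, port) -> pid
    procs: dict = field(default_factory=dict)  # pid -> process name


def parse_log(text):
    """Split capturelog.txt into per-timestamp snapshots of sockets and processes."""
    snapshots, current, section = [], None, None
    for line in text.splitlines():
        stripped = line.strip()
        if TIMESTAMP_RE.match(stripped):
            current = Snapshot(datetime.strptime(stripped, TIMESTAMP_FMT))
            snapshots.append(current)
            section = None
        elif current is None:
            continue  # anything before the first timestamp
        elif stripped.startswith("Active Connections"):
            section = "netstat"
        elif stripped.startswith("Process information for"):
            section = "pslist"
        elif section == "netstat" and (m := CONN_RE.match(line)):
            proto, local, _foreign, _state, pid = m.groups()
            ip, _, port = local.rpartition(":")  # rpartition keeps IPv6 literals intact
            current.conns[(proto, ip, int(port))] = int(pid)
        elif section == "pslist" and (m := PROC_RE.match(line)):
            current.procs[int(m.group(2))] = m.group(1)
    return snapshots


def attribute(snapshots, when, proto, local_ip, local_port, window=2):
    """Return the (pid, name) that owned proto local_ip:local_port nearest to
    `when`, or None: a connection that opens and closes between two polls
    never appears in any snapshot and must be reported as unattributed."""
    key, best = (proto, local_ip, local_port), None
    for snap in snapshots:
        if key in snap.conns:
            gap = abs((snap.when - when).total_seconds())
            if gap <= window and (best is None or gap < best[0]):
                pid = snap.conns[key]
                best = (gap, pid, snap.procs.get(pid, "?"))
    return None if best is None else (best[1], best[2])


def attribute_packets(snapshots, packets, local_ip):
    """Label each packet with its local process; the local end may be src or dst."""
    rows = []
    for when, proto, src, sport, dst, dport in packets:
        lport, remote = (sport, f"{dst}:{dport}") if src == local_ip else (dport, f"{src}:{sport}")
        rows.append((when, proto, lport, remote, attribute(snapshots, when, proto, local_ip, lport)))
    return rows


if __name__ == "__main__":
    for when, proto, lport, remote, owner in attribute_packets(parse_log(SAMPLE_LOG), SAMPLE_PACKETS, "192.168.1.10"):
        print(when.time(), proto, lport, "->", remote, owner or "UNATTRIBUTED (fell between polls)")
```

Two things the output makes visible that the raw files do not: the SMB traffic to port 445 is attributed to PID 4 (System, i.e. the kernel redirector, so no user-mode process will ever claim it), and a connection that lived and died between two one-second polls comes back as unattributed rather than silently wrong. If many connections fall into that gap, the only fixes are a shorter sleep in the loop or a capture-side tool that records the PID itself. The nearest-snapshot rule also copes with an ephemeral port being reused by a different process later in the same boot.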

The beauty of the approach is that no hubs or switches are involved, and all of it can be done remotely. Evidently, both scripts and the approach can be improved in many ways. Suggestions welcome.