We host a bunch of ASP.NET sites on an IIS7 server. Occasionally, we'd like to be able to log HTTP POST data to troubleshoot problems. IIS lets us log the query string, but not the POST data - at least, we haven't found a way.
Do you think it's safe to use Wireshark (or Netmon or another sniffer) on a production server? My gut feeling says "no" but I'd like to hear what others think.
It would be better to use port mirroring, and run the sniffer on a different box on the same switch. Unfortunately though, all the servers on that switch are production servers... so we'd have to affect one of them.
Thanks for your help,
Richard
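One way to get the POST data without a sniffer at all, as an added example that is not from the original thread: a classic ASP.NET IHttpModule (hypothetical class name `PostBodyLoggingModule`) that logs request bodies for troubleshooting, capped in size and with credential-like form fields redacted so the log itself does not become the leak. It assumes the `System.Diagnostics` trace listeners are configured in web.config as the sink.

```csharp
using System;
using System.Diagnostics;
using System.IO;
using System.Text.RegularExpressions;
using System.Web;
// Hypothetical module: logs POST bodies for troubleshooting, with a size cap and redaction.
public class PostBodyLoggingModule : IHttpModule
{
    private const int MaxLoggedBytes = 8 * 1024; // assumed cap so logging stays off the hot path
    // Form fields whose values must never reach the log (constructed list; extend for your apps).
    private static readonly Regex SensitiveField = new Regex(
        @"(^|&)(password|passwd|pwd|token|secret|creditcard)=[^&]*",
        RegexOptions.IgnoreCase | RegexOptions.Compiled);
    public void Init(HttpApplication app)
    {
        app.BeginRequest += (sender, e) => LogPostBody(((HttpApplication)sender).Context);
    }
    public void Dispose() { }
    private static void LogPostBody(HttpContext ctx)
    {
        HttpRequest req = ctx.Request;
        if (req.HttpMethod != "POST" || req.ContentLength <= 0) return;
        string entry;
        if (req.ContentLength > MaxLoggedBytes)
        {
            entry = "[" + req.ContentLength + "-byte body not logged: over limit]";
        }
        else
        {
            // Read the raw body, then rewind so ASP.NET can still parse Request.Form afterwards.
            Stream s = req.InputStream;
            long pos = s.Position;
            s.Position = 0;
            byte[] buf = new byte[req.ContentLength];
            int n = 0, r;
            while (n < buf.Length && (r = s.Read(buf, n, buf.Length - n)) > 0) n += r;
            s.Position = pos;
            entry = Redact(req.ContentEncoding.GetString(buf, 0, n), req.ContentType);
        }
        // Assumed sink: the System.Diagnostics trace listeners configured in web.config.
        Trace.WriteLine(DateTime.UtcNow.ToString("o") + " " + req.RawUrl + " " + entry);
    }
    // Mask credential-like values in form posts; other content types are logged unchanged.
    public static string Redact(string body, string contentType)
    {
        bool isForm = contentType != null && contentType.StartsWith(
            "application/x-www-form-urlencoded", StringComparison.OrdinalIgnoreCase);
        return isForm ? SensitiveField.Replace(body, "$1$2=[REDACTED]") : body;
    }
}
```

Register it under system.webServer/modules in web.config (IIS7 integrated mode) and take it out again once the troubleshooting is done, since even a redacted body can still carry personal data.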
Well over a decade later, disregard the original post from 2009 and consider that in 2020 Microsoft is referring people to use WireShark. Thanks to Justin in the comments below for the tip.
Microsoft Pro Support will often request that you install Netmon on a production server to help track down problems. If MSFT themselves want you to use a packet capture utility (in this case, Netmon) on a production server then that's a good indication that it's okay. (I suppose there are at least a few logical fallacies in that statement, but it sounded good to me. =) ) To my knowledge, there is nothing destabilizing about placing a packet capture utility on a production server.
Personally, I would use Netmon on a Windows server over Wireshark. The first reason is because in my experience Pro Support will not support Wireshark captures. The second reason is because... well... I like Netmon better, but that's subjective. =)
IMHO, there's no inherent risk or harm in running a packet capture program on a production server. In many cases, the problem is such that you need to run it on the "source" server to determine the cause of the problem.
If you consider staff running sniffs a risk (security, performance, or outside their skill level), you have a greater problem.
You WANT staff to know how to do things like this - it makes them think better and it raises the level of questions they bring to the table - unless of course you are afraid of job security by having server folks be able to read SRC/DST data.
It sounds like you want something like SmartSniff.
Wireshark will do the job since it also uses WinPcap, but I think SmartSniff is a lot simpler and easier to use if you're not doing advanced tracing.
Our environment prevents network capture solutions on production servers for the primary reason that you don't want it to be overly easy for tiered admins to perform network captures.
The actual files necessary to run WireShark and/or NetMon don't themselves present much of a risk; rather, the ability of admins to perform captures can be considered a risk.