Is it safe to run Wireshark on a production IIS7 server? Is there a good alternative?
We host a bunch of ASP.NET sites on an IIS7 server. Occasionally, we'd like to be able to log HTTP POST data to troubleshoot problems. IIS lets us log the query string, but not the POST data - at least, we haven't found a way.
Do you think it's safe to use Wireshark (or Netmon or another sniffer) on a production server? My gut feeling says "no" but I'd like to hear what others think.
It would be better to use port mirroring, and run the sniffer on a different box on the same switch. Unfortunately though, all the servers on that switch are production servers... so we'd have to affect one of them.
Thanks for your help,
Richard
Well over a decade later, disregard the original post from 2009 and consider that in 2020 Microsoft is referring people to use Wireshark. Thanks to Justin in the comments below for the tip.
Microsoft Pro Support will often request that you install Netmon on a production server to help track down problems. If MSFT themselves want you to use a packet capture utility (in this case, Netmon) on a production server then that's a good indication that it's okay. (I suppose there are at least a few logical fallacies in that statement, but it sounded good to me. =) ) To my knowledge, there is nothing destabilizing about placing a packet capture utility on a production server.
Personally, I would use Netmon on a Windows server over Wireshark. The first reason is because in my experience Pro Support will not support Wireshark captures. The second reason is because... well... I like Netmon better, but that's subjective. =)
IMHO, there's no inherent risk or harm in running a packet capture program on a production server. In many cases, the problem is such that you need to run it on the "source" server to determine the cause of the problem.