Alik Levin's : Tools

Free Web Performance Tools From Microsoft, Google, Yahoo, And IBM

alikl — Thu, 11 Jun 2009 11:56:53 GMT

This post is a quick overview of free performance tools available from Microsoft, Yahoo, Google, and IBM. It also contains a pointers to related articles that go deeper regarding the best practices and how the tools can help in identifying compliance to the best practices.

Quick Resource Box:

Microsoft’s Fiddler (Performance Tuning with Fiddler)
Microsoft’s VRTA (12 Steps To Faster Web Pages With Visual Round Trip Analyzer)
Yahoo’s YSlow (rules for high performance web pages.)
IBM’s Page Detailer
Google’s Page Speed (Web Performance Best Practices)

Microsoft’s Fiddler

Fiddler is a free web performance tool, it is not really a property of Microsoft rather a side project by Eric Lawrence, a PM with Microsoft. I used Fiddler for both security testing and now for performance. I love it a lot. Must mention it requires Net Fx 2.0 as a prerequisite so it is limited to Windows OS. Recently Eric added support to Firefox – Fiddler Hook For Firefox, so the tool is great for both IE and FF. My related posts:

Microsoft’s VRTA

VRTA is a free web performance tool and it stands for Visual Round Trip Analyzer created by Microsoft’s Jim Pierson and used internally for sometime. It was made available for public use during last PDC 2008. Jim has written very detailed article about the tool and how it solves performance problems - 12 Steps To Faster Web Pages With Visual Round Trip Analyzer. VRTA installs and uses under the hood free Microsoft Network Monitor (Netmon) to capture and analyze network captures.

Yahoo’s YSlow

YSlow is a free performance analysis tool created by Steve Souders when he was with Yahoo. Steve created another good tool called Cuzilion. YSlowl comes with extremely good set of performance guidance that can be found here - rules for high performance web pages. YSlow requires Firebug as a prerequisite, meaning it is restricted to Firefox only.

IBM’s Page Detailer

Page Detailer is a free web performance tool from IBM. I was not able to identify any good articles that cover it – if you share with me please, or better off publish one. It does not have any prerequisites, consider it as an advantage.

Google’s Page Speed

Recently I stumbled on Page Speed from Google. It reminds me a Yahoo’s YSlow lot that makes me believe it comes from Steve Souders that works now for Google. It also requires Firebug as a prerequisite and works with FireFox only. It comes with nice guidance found here - Web Performance Best Practices. Must admit – I adore the concept of the tool although in most cases I cannot use it as I work for customers that IE is their target browser. Nevertheless the guidance is tool agnostic and I recommend bookmarking it for quick reference.

Security Code Review – String Search Patterns For Finding Input Validation Vulnerabilities

alikl — Fri, 11 Jul 2008 14:24:53 GMT

Well defined set of search patterns helps significantly reduce time (cost) when performing security code inspections. This post focuses on input validation vulnerabilities commonly found in ASP.NET web applications.

SQL Injection and Cross Site Scripting (XSS) String search patterns

SQL Injections and XSS attacks are most common that exploit improper data access and lack of output encoding. Following are the how-to’s on finding these vulnerabilities:

Input Validation vulnerabilities String Search Patterns

To search and find security vulnerabilities you start asking questions or better yet create a list of the questions. Here is the example how - Generate Your Own Security Code Review Checklist Document Using Outlook 2007.

Use search utility similar to FindStr to perform your searches (look at Performing Text Searches). When Visual Studio is available then you can use it - Visual Studio 2005 As General Code Search Tool. Any other search tool is just fine. Following are the most common questions and search patterns.

Does the code rely on client-side validation?

If the code does not use Validators or Regex there is a potential vulnerability. Review each control how it is validated for type, length, range, string format. In the searches I assume there is no inline code and developers use code behind technique to separate markup from code.

ASP.NET pages

findstr /S /I ".Validator" *.aspx

User Controls

findstr /S /I ".Validator" *.ascx

Source code

findstr /S /I "Regex" *.cs

Is the code susceptible to canonicalization attacks?

Review that there is no external input involved in building paths and file names.

findstr /S /I “File" *.cs

findstr /S /I “Path" *.cs

Does the code validate data from all sources?

Using Cookies and QueryStrings poses a risk of the tampering threat (review STRIDE Explained to understand threats). If there is a use of Params property there is a chance for CSRF attack - Cross-Site Request Forgery Attack explained

Cookies

findstr /S /I “Cookies" *.*

Query Strings

findstr /S /I “QueryString" *.*

Params

findstr /S /I “Params" *.*

Does the code use MapPath?

If there is a usage of MapPath review that it does not use external input parameters and it is restricted to access only application file space. Make sure its third parameter set to false.

findstr /S /I “MapPath" *.*

How To Mitigate Input And Data Validation Vulnerabilities

Below are detailed step-by-step guidelines for writing code that is not vulnerable to SQL Injections and XSS attacks:

How To: Prevent Cross-Site Scripting in ASP.NET

How To: Protect From Injection Attacks in ASP.NET

How To: Protect From SQL Injection in ASP.NET

How To: Use Regular Expressions to Constrain Input in ASP.NET

Microsoft Anti-Cross Site Scripting Library V1.5

Share Your Practices

If you’ve got more search patterns to suggest – please do so! Let’s make the World [Wide Web] a more secure place together.

My Related Posts

ASP.NET Performance Sin - Serving Images Dynamically (Or Another Reason To Love Fiddler)

alikl — Fri, 02 May 2008 16:12:19 GMT

Serving images dynamically may cause performance hit. Dynamically served images require more HTTP requests which violates Steve Souders' performance rule #1 - Make Fewer HTTP Requests. The latency is also caused by parallelism (or parallel downloading) limitations as described in detail here Performance Research, Part 4: Maximizing Parallel Downloads in the Carpool Lane

Static Images

Below are the series of images that served dynamically and static.

Static images displayed using GridView's ImageFiled column type. ImageField generates the following HTML mark-up:

<img src="IMAGES/Birds/icon-penguin.gif" style="border-width:0px;" />

Browser interprets it as a static image and is ready to cache it for further reuse.

Serving Images Dynamically

Below is the sample code that implements dynamic image serving. I witness in the field different variation but the pattern (I'd call it anti-pattern) remains the same. ASP.NET and HTML mark-up that is usually part of repeater control looks similar to the following:

<img src="ServeImage.ashx?FN = 
<%#DataBinder.GetPropertyValue(Container.DataItem, "Image")%>" />

ASHX file's code that actually serves the image looks similar to this:

public void ProcessRequest(HttpContext context)
{
    string imageFileName = 
           context.Request.MapPath(@"IMAGES\" + context.Request.QueryString["FN"]);

    context.Response.ContentType = "image/jpeg";
    context.Response.WriteFile(imageFileName);
    context.Response.Flush();
    context.Response.Close();

}

Network Analysis

Using one of my most favorite tools - Fiddler - it is easy to reveal browser's view on the traffic:

There is expiration attribute attached to static images while dynamically served images do not have such attribute.

Subsequent call the the same page that gets the same images reveals the following:

All dynamically served images are not cached and utilize the network on each request.

Further investigation shows, using Fiddler's P and C fantastic feature, that overall network utilization caused by these dynamically served images is about 350 KB, which could be saved by caching the images.

Recommendations

Avoid serving images dynamically. Follow best practices outlined at Exceptional Performance:

My relative posts

Free Performance Tool - Analyze IIS Logs Like A Pro With Funnel Web Analyzer

alikl — Mon, 21 Apr 2008 13:16:00 GMT

These free performance tools will save you time and money identifying performance bottlenecks. Your customers will thank you for building fast and responsive applications.

Funnel Web Analyzer 5.0 for Windows

Download the tool here.

Analyzer gives insight into everything from server load and customer usage to intranet analysis. It allows you to gain vital feedback on visitor behaviour and preferences, so you can more accurately customize your site to meet the needs of your clients

How- to use

After you download and install the tool - run it. Just drag and drop log files onto it and then click on View icon:

You will be presented with nice array of summary and detailed reports:

Usage Scenarios

There are few scenarios I can see this tool would be very useful:

Developer analyzes the module she developed during development phase just before submitting for holistic performance testing.
IT support personnel probes production applications to get a quick view on potential performance hotspots.
Performance team analyzes the data after running load/stress tests.

My related posts

Quickly Find And Fix Cross Site Scripting (XSS) Vulnerabilities In Your ASP.NET Application.

alikl — Mon, 17 Mar 2008 15:56:00 GMT

Want to quickly check your ASP.NET Web application for Cross Site Scripting (XSS) vulnerability?

It is pretty easy with the knowledge and tools you already have. This post describes how to quickly find and fix most of XSS vulnerabilities in your code.

Why XSS vulnerabilities are possible

XSS vulnerabilities are possible when un-sanitized data printed out on the page. From what I witness when I do security code inspections most cases can be summarized to two most common:

Using DataBinder.Eval function:

<%#DataBinder.Eval(Container.DataItem, "TEXT") %>

Assigning to Text property of the control:

Label1.Text = TextBox1.Text;

[Update 20.7.08] Assigning to Text property of the control:

<%=myStringGoesHere...

How to quickly find XSS vulnerabilities

Above patterns are easily identifiable using any strings search utility. I use Visual Studio 2005 As General Code Search Tool to find such vulnerabilities. When Visual Studio is not an option, just use FindStr, here is an example - Code Inspection - First Look For What To Look For.

Run your search for ".Eval(" and then for ".Text =". You might want to modify slightly it as some folks omit space before "=" or other minor changes.

Use searches similar to these:

findstr /S /I ".Text =" *.cs
findstr /S /I ".Eval(" *.aspx
findstr /S /I ".Eval(" *.ascx
[Update 20.7.08] findstr /S /I "<%=" *.aspx

Ran your search yet? What do you see? Scared?

How to quickly fix XSS vulnerabilities

The fix is pretty simple - just apply Html Encoding to both cases. The best is using freely available Microsoft Anti-Cross Site Scripting Library V1.5. Note that ASP.NET’s Server.HtmlEncode is not the safest one as it only encodes <,>,",& characters which is not sufficient to protect against all possible attacks.

My related posts

Performance Development Lifecycle (PDL) Session Materials

alikl — Wed, 12 Mar 2008 00:16:20 GMT

Yesterday I gave a talk about the subject during Performance Open House

First off, thanks for attending my talk. The materials are published here.

Enjoy.

Stress Test ASP.NET Web Application With Free WCAT Tool

alikl — Sun, 09 Mar 2008 10:59:00 GMT

Building ASP.NET web applications? Plan to serve thousands of users? Would you like to see how your application would behave [misbehave] under stress?

Use simple-to-use and freely available WCAT tool to generate the load and get detailed report for expected throughput (requests/sec) and other important performance-wise information.

Summary of steps

Install WCAT
Create configuration files
Run the test
Examine results

Next section describes each step in details. Note, this post is a how-to, a jump start - not the guidelines or best practices of how to use the tool.

Install WCAT

Download and install Internet Information Services (IIS) 6.0 Resource Kit Tools. For the purpose of our exercise there is no need to install all the tools included with the resources kit, only WCAT.

Create configuration files

There are three textual files one needs to create and configure (you can give any name and extension of your choice):

script.txt - this file defines the requests, in other words what pages to request and how to request it. Following is an example of simple script.txt file:

NEW TRANSACTION
    classId = 1
    NEW REQUEST HTTP
        Verb = "GET"
        URL = "http://localhost/BankingShmanking/Default.aspx"

distribution.txt - defines weights among different requests. For example, if I need to generate request to page1.aspx twice as to page2.aspx, I will define it in this file. In case of loading only one page, the file is meaningless. Following is an example of simple distribution.txt file (1 refers to classId in script.txt file, and 50 is that 50% of the load should got this file which is meaningless since there is only one page to request, thus it will get the whole 100% load):

1 50

config.txt - determines the duration of the test, number of clients that will generate the requests against the web application. Following is the example of simple config.txt file:

Warmuptime 5s
Duration 30s
CooldownTime 5s
NumClientMachines 1
NumClientThreads 20

Save the files in "C:\Program Files\IIS Resources\WCAT Controller" folder.

Run the test

To run the stress test open command prompt by opening Run window(Windows + R) type cmd and hit Enter. Change current directory to "C:\Program Files\IIS Resources\WCAT Controller>" and run the following command to test the page hosted on the localhost:

wcctl -c config.txt -d distribution.txt -s script.txt -a localhost

then open second command prompt, change current folder to "C:\Program Files\IIS Resources\WCAT Client" and run the following command to actually launch the virtual client's requests from local machine:

wcclient.exe localhost

Examine results

The results are displayed interactively in the command line windows

The tool also generates log file that includes logged metrics - look for it in "C:\Program Files\IIS Resources\WCAT Controller" folder.

WCAT tool is actively developed by IIS team and recently they released new version of the tool - WCAT 6.3, download it from here, free.

Related materials

This post was mainly based on this article - IIS 7.0 Output Caching
WCAT: Easy, Magical, Stress Testing for IIS Web Applications
WCat 6.3 (x86)

My related posts

Performance Sin - Using Exceptions To Control Flow

alikl — Sat, 02 Feb 2008 16:19:50 GMT

Want to spot coding anti-patterns from performance perspective without actually looking in the code?

One of the common performance coding anti-patterns I’ve noticed lately is using Exception Handling to control program flow.

The anti-patterns

Most common anti-pattern is just using exception handling to control flow, in some cases it was even nested exception handling – that means the exception is thrown anyway.

In other cases there were empty “catch” exception statements. That means that precious cycles .Net consumes to handle the exception spent for nothing.

The last case was where exception handling was done to catch simple types parsing. That was done on each request.

How to identify Exception Handling anti-pattern

To identify exception handling anti-pattern set “.NET CLR Exceptions/# of Excepts Thrown” perf counter. If you see the graph constantly climbs on each request chance are Exception Handling is used to control the flow which is performance anti-pattern:

Look at the relevant source code to spot try/catch blocks. If the source code is not available use Reflector to reverse engineer the compiled assemblies into C# sources – I used it very successfully during my latest performance review.

Best practices

Do not use exception handling to control the flow. Try to reduce catching exceptions to only most upper component/class. Catching exceptions is expensive from both CPU and memory perspective.

Use TryParse method instead Parse method to avoid throwing exceptions .

Use simple "if" statement to check for nulls.

Tools

Use perfmon to spot the anti-pattern with Exception handling. Run perfmon in command line and add “.NET CLR Exceptions/# of Excepts Thrown” counter. Then run few scenarios to see the graph.

Use Practice Checker for static code analysis. The tool scans the code and reveals excessive usage of exception handling.

My related posts

Performance Code Review Tool – Practices Checker

Security Code Review – Use Visual Studio Bookmarks To Capture Security Findings

alikl — Thu, 24 Jan 2008 16:38:46 GMT

How to streamline the process of capturing security flaws during security code review? How to save time and avoid switching between the tools? How to stay focused?

In this post I will show my simple technique to capture security flaws using Bookmarks in Visual Studio.

Create bookmark folders. Hit Ctrl + K and then Ctrl + W to bring Bookmarks window up. Create 10 folders according to security frame categories:

Focus on one category. Grab security checklist document you created using Guidance Explorer. Choose one category from the security frame, Authentication for example, and inspect the code manually. Do not pay attention to anything else on your way but Authentication issues. One category a time.

Bookmark security bugs. Once you find security bug hit Ctrl + K and then Ctrl +K again. You just created the bookmark. Drag it into the appropriate folder in Bookmarks window. Move on. When you finish the inspection using your checklist you should have something like this:

Copy to the report in one run. Just run through the bookmarks and paste the findings to your final report. One run. Mechanical work. Done. Peace of mind.

My related posts

Performance Code Review Tool – Practices Checker

alikl — Tue, 22 Jan 2008 00:37:50 GMT

Care about performance? Do you write your code with performance in mind? Want little help to spot performance bottlenecks automatically?

Practices Checker to the rescue.

The goal of the tool is

“Help you perform a manual code inspection by analyzing your application for potential coding and configuration settings that do not adhere to the patterns & practices ASP.NET Performance Checklist.”

The tool is available as free download here. Download, install, point to your web application solution folder and hit “Analyze” button. You will get the report for potential performance issues and recommendations on how to fix. I am sure you will be surprised by few findings.

Performance rules:

Case Study

I used Practices Checker with one of my recent engagements . The tool spotted in no time web pages where there were 30 loops, enormous amount of serialization issues, and few more.

My related posts

Profiling JavaScript With Ajax View Tool: Spot Poor Performance Client Script In No Time

alikl — Thu, 17 Jan 2008 07:19:09 GMT

Ever wondered why your application unreasonably slow? You have it all - most powerful hardware, your database is tuned, SQL queries are optimized, network is barely utilized, and .Net code is super efficient. So why on earth response time is so slow?

The answer might lie in recently developing area – client script. I’ve witnessed few over-AJAX’ed applications with poor performance and far from the best user experience. Quite the contrary what AJAX and other client script flavors are for…

In this post I will show how Ajax View – JavaScript profiler project from Microsoft Research – helped me to spot client side script bottlenecks in no time and make the customer happy.

Ajax View – the tool. Ajax View is available for download here. The tool's goal:

"The goal of the Ajax View project is to improve developer's visibility into and control over their web applications' behaviors on end-user's desktops."

Profiling process. The creators of the tool, Emre Kıcıman and Ben Livshits, provided simple and very useful walk through on how to install and use the tool.
Recommendations to improve client side script. Eric Lawrence, Fiddler tool creator, kindly pointed me to useful recommendations how to make JavaScript run faster:
Customer's story. During recent application performance review we identified in no time the following problems using Ajax View:

Issue	Recommendation
1200 lines of inline JavaScript	Make JavaScript and CSS External
Using XmlHttp object with its async property set to true while performing time consuming call to the server	Do not re-invent the wheel, use ready to-go, proven AJAX Libraries like ASP.NET AJAX
Manipulating large XML islands inefficiently	Do not use large XML documents - neither client side nor server side. Use lazy approach of downloading the data on demand.

My related posts

Create Your Own Guidance Explorer Items Inside Outlook 2007

alikl — Thu, 10 Jan 2008 07:52:54 GMT

Want to create your own nuggets of wisdom? Want it to look and feel like patterns&practices nuggets of wisdom look and feel? Want to reuse it, mix and match with existing ones? It is easy and fast with Outlook 2007.

I will show how I extend my knowledge base with a snap using Outlook 2007’s Quick Parts feature and predefined item templates that come with patterns&practices Guidance Explorer [GE].

I must thank Dor Rotman who pointed me to Quick Parts feature.

Summary of steps

Step #1 – Create Quick Parts templates
Step #2 – Compose new items based on the templates
Step #3 – Test your work

Following section describes each step in details

Step #1 – Create Quick Parts templates. Start GE – refer to Consume patterns&practices Guidance Explorer Via RSS Using Outlook 2007 for details. Right click on “My Library” node in the treevew on the left and choose “Question and Answer” template:
Highlight entire text in the editor and copy it into clipboard [ctrl + C]. Switch to Outlook 2007. Click on any folder in the treeview. Press Ctrl + Shift + S to bring up new “Post in This Folder” and paste the text in the clipboard. Add attributes part to the end – you can copy and paste it from existing GE items

While in the post, highlight the entire text [Ctrl + A] and click on Insert tab, then click on “Quick Parts” ribbon to expand it. Click “Save Selection to Quick Part Gallery” found in the bottom. Give it a name “Question & Answer”, create new category “GE” and hit OK to save it as a Quick Part template:

Close the post – do not save it.

Create few other templates following the procedure.

Step #2 – Compose new items based on the templates. Switch to Outlook 2007. Click on “Guidance Explorer Library” folder found in Favorites Folder [I assume you followed instructions in Consume patterns&practices Guidance Explorer Via RSS Using Outlook 2007]. Press Ctrl + Shift + S to bring new “Post in This Folder”. In the Subject line type “How To Call Police”. Click on Insert tab and then click on “Quick Parts” ribbon to expand it. Locate “Question & Answer” quick part you just created in Step #1 and click it. The content of the part fills in into the body of the post. Modify it to your needs, make sure to update the category found under Attributes:

Press Ctrl + Enter to post it to the folder.

Step #3 – Test your work. Click on “Security” folder found in Favorite Folders, you should see the newly created item there:

You’ve just created new how-to item that is part of your own GE library managed inside Outlook 2007

Consume patterns&practices Guidance Explorer Via RSS Using Outlook 2007

alikl — Fri, 04 Jan 2008 00:43:00 GMT

patterns&practices recently released new version of Guidance Explorer [GE]. One of the most important addition was enabling RSS on the online GE store. What does that mean? It means you can consume distilled security, performance, and Visual Studio wisdom in any RSS reader of your choice. It means you can leverage familiar environment to consume close to 4000 technical gold nuggets.

This post describes how to set up RSS feed inside Outlook 2007 to read GE’s content.

Summary of steps

Step 1 – Download latest GE bits
Step 2 – Create designated offline PST file
Step 3 – Subscribe to GE’s RSS feed in Outlook 2007
Step 4 – Test drive GE’s content using Outlook 2007

Next section describes each step in detail

Step 1 – Download latest GE bits. Navigate to GE’s releases page and review latest release notes. Also review GE’s FAQ’s. Download latest release – it appears in upper right corner of the page. Extract downloaded zip file and navigate to bin folder. Double click GuidanceExplorer.exe file. GE appears on your screen.
Step 2 – Create designated offline PST file. Switch to Outlook 2007. Open “Data File Management…” found in “File” menu. Click “Add…” in “Data Files” tab to create new PST file. Name it GE [or whatever you like]. Saving GE’s items in dedicated offline PST file will keep your Outlook’s online store from overflowing and it is easier to back up too.
Step 3 – Subscribe to GE’s RSS feed in Outlook 2007. Switch to GE. Right click on “patterns & practices Library” node in GE and choose subscribe to RSS feed:

Internet Explorer will open and will try to display the feed. Do not get scared by the message telling you that IE cannot show the feed as follows:

Just grab the URL from the address bar – highlight it and copy it to clipboard [ctrl+C]. Switch to Outlook 2007. Right click “RSS Subscriptions” node and choose “Add a New RSS Feed” as depicted below:

Paste [ctrl+V] the URL from the clip board into the dialog and hit OK. Hit “Advanced…” button in the next dialog box and configure the feed to sore the items inside the newly created PST file:
Step 4 – Test drive GE’s content using Outlook 2007. After Outlook 2007 finishes downloading the items you can test drive familiar functionality such as instant searching or forwarding the items as an emails.

Heaven.

My related posts

Related materials

JD Meier on Guidance Explorer

Identify ASP.NET, Web Services, And WCF Performance Issues By Examining IIS Logs

alikl — Sat, 03 Nov 2007 00:49:33 GMT

Simple examination of IIS logs can reveal potential performance issues related to ASP.NET web applications, ASP.NET web services, and IIS hosted WCF services. Fast, easy, cheap.

These are the simple steps I take:

Time-Taken & W3C Logs: Turn it on...
Collect the data in the IIS logs
Open IIS logs in MS Excel 2007
Analyze the logged data using Excel 2007 Data Filtering and Pivot Tables
Pitfalls

The following are the detailed explanation for each step

Time-Taken & W3C Logs: Turn it on... by Chris Adams

The most valuable friend to an IT Professional or Developer who uses IIS is a little-bitty check-mark field that is not enabled by default...
1). Open IIS Manager (Start – Run – Inetmgr)
2). Right-click on the Web Sites tab (IIS 6 only — IIS 5 customers right-click on Server)
3). Choose Properties
4). On the General tab, select the Properties for Logging
5). On the advanced tab, scroll down and check “Time-Taken”
6). Click Ok, Ok

Collect the data in the IIS logs.

The most easiest way would be collecting the data in QA environment. When a new app version is deployed to QA environment the application is used constantly and there is no special logistics needed to conduct the test. QA team runs its scenarios and IIS logs the data.

Open IIS logs in MS Excel 2007.

At the end of the QA test collect the log files and copy them to your place of choice - I copy it locally to my laptop. The log files are usually located in C:\Windows\System32\LogFiles\W3SVC1. The location, of course, is customizable though IIS MMC:

Start Excel 2007, hit ctrl+O [for Open] to open the log file. Chose "Delimited" for file type in the "Text Import Wizard" and hit Next button:

Tick "Space" on for "Delimiters" in the next step of the wizard and hit Next button:

After the log file is opened in Excel it should look something like this:

Analyze the logged data using Excel 2007 Data Filtering and Pivot Tables

Following are the properties that deserve most attention

sc-bytes - The number of bytes that the server sent.
cs-bytes - The number of bytes that the server received.
time-taken - The length of time that the action took, in milliseconds.

Use Excel's Data Sort functionality immediately spot the trouble makers:

Check the corresponding cs-uri-stem property values that contains the URL (usually ASPX, ASMX, or SVC file). In the above sample first row shows acceptable network utilization - client sent about 3Kb and server sent back about 2 Kb. But it took quite a lot to process it - almost 2 minutes. Seems like IIS consumes time (for example, authentication can take quite a lot of time in case where communication to DC is not the best) or ASP.NET code is written inefficiently (for example dynamically built server controls, nested loops and recursion, or inefficient DB access). Second to fourth rows show that the server returns about 9 Mb of data - it naturally takes quite a lot of time to process it - about 35 seconds.

Excel 2007 has even cooler functionality - pivot tables. Insert pivot table into the spread sheet:

Drag cs-uri-stem to "Row Labels" area and time-taken to "Values" area twice. Configure to show average and count for time-taken property:

The end result is nice summary table:

Same can be done with sc-bytes or cs-bytes to examine the http traffic averages.

Pitfalls

Be careful when calculating averages for time-taken property. Double click on any row in the pivot table presents the detailed tabular data. For example, here is the data behind the first row in the above example:

Notice sc-status column. It is the HTTP status code. 401 is out of our interest thus must be filtered out to calculate the actual response processing time. Use Excel Data Filter functionality to do so. Finally, the more realistic average - about 27 seconds - calculated for HTTP 200 responses:

Enjoy.

My related posts

Related resources

Security Tools From Microsoft ACE Team

alikl — Thu, 25 Oct 2007 17:35:34 GMT

Mark covers arsenal of security tools available from Microsoft ACE team. The tools are:

Threat Analysis & Modeling Enterprise (TAM-E)
CAT.NET (Code Analysis Tool)
Spider TCM (Assessment and compliance tool)

Alik Levin's : Tools

Free Web Performance Tools From Microsoft, Google, Yahoo, And IBM

Microsoft’s Fiddler

Microsoft’s VRTA

Yahoo’s YSlow

IBM’s Page Detailer

Google’s Page Speed

Security Code Review – String Search Patterns For Finding Input Validation Vulnerabilities

SQL Injection and Cross Site Scripting (XSS) String search patterns

Input Validation vulnerabilities String Search Patterns

Does the code rely on client-side validation?

Is the code susceptible to canonicalization attacks?

Does the code validate data from all sources?

Does the code use MapPath?

How To Mitigate Input And Data Validation Vulnerabilities

Share Your Practices

My Related Posts

ASP.NET Performance Sin - Serving Images Dynamically (Or Another Reason To Love Fiddler)

Static Images

Serving Images Dynamically

Network Analysis

Recommendations

My relative posts

Free Performance Tool - Analyze IIS Logs Like A Pro With Funnel Web Analyzer

Funnel Web Analyzer 5.0 for Windows

How- to use

Usage Scenarios

My related posts

Quickly Find And Fix Cross Site Scripting (XSS) Vulnerabilities In Your ASP.NET Application.

Why XSS vulnerabilities are possible

How to quickly find XSS vulnerabilities

How to quickly fix XSS vulnerabilities

My related posts

Performance Development Lifecycle (PDL) Session Materials

Stress Test ASP.NET Web Application With Free WCAT Tool

Summary of steps

Install WCAT

Create configuration files

Run the test

Examine results

Related materials

My related posts

Performance Sin - Using Exceptions To Control Flow

Security Code Review – Use Visual Studio Bookmarks To Capture Security Findings

Performance Code Review Tool – Practices Checker

Profiling JavaScript With Ajax View Tool: Spot Poor Performance Client Script In No Time

Create Your Own Guidance Explorer Items Inside Outlook 2007

Consume patterns&practices Guidance Explorer Via RSS Using Outlook 2007

Identify ASP.NET, Web Services, And WCF Performance Issues By Examining IIS Logs

Security Tools From Microsoft ACE Team