Sniffer Pro Network Optimization & Troubleshooting Handbook

TICSA

Chapter 1

Introduction to Sniffer Pro

Solutions in this chapter:

. Understanding Network Analysis

. The OSI Model, Protocols, and Devices

. Sniffer Pro Fundamentals

. Sniffer Pro: The Exam

. Summary

. Solutions Fast Track

. Frequently Asked Questions

Introduction

Imagine it is 4:00 P.M. and you are sitting at your desk with three books spread across your lap. You are hard at work trying to figure out why performance on your company’s file server has dropped sharply over the past eight hours. Of the 200 users in your company, nearly 100 of them have called to complain about slow connection times and hung sessions. You are highly stressed because one of the callers today was the CEO. The company’s main file server (a NetWare 5 server) performed without issue for the past year. This box never gave you a problem. You examine the system monitor, CPU utilization, and cache buffers and determine that all three are within their normal limits. You even run brand-new virus updates and signatures on the box, just to be sure. You have now resorted to cracking open all the reference books you shelved a year ago. Blowing the dust off them, you dig in, ready for a long night trying to figure out the source of this dilemma.

What if figuring out this problem were as easy as popping open a laptop and running an application to look at the connection between your server and the switch port? What if you saw from your analysis that the network interface card has a problem because it is old and is now chattering or malfunctioning, which in turn is inhibiting connections? You might even be surprised to know that someone on your internal network could be sending your server a Ping of Death or some other type of Denial of Service (DoS) attack. How in the world could you even figure that out? Quite easily, it turns out—with the Network Associates Sniffer Pro product, that’s how.

Understanding Network Analysis

Electronic distribution of information is becoming increasingly important, and the complexity of the data exchanged between systems is increasing at a rapid pace. Computer networks today carry all kinds of data, voice, and video traffic. Network applications require full availability without interruption or congestion.

As the information systems in a company grow and develop, more networking devices are deployed, resulting in large physical ranges covered by the networked system. It is crucial that this networked system operate as effectively as possible, because downtime is both costly and an inefficient use of available resources.

Network analysis is a range of techniques that network engineers and designers employ to study the properties of networks, including connectivity, capacity, and performance. Network analysis can be used to estimate the capacity of an existing network, look at performance characteristics, or plan for future applications and upgrades.

One of the best tools for performing network analysis is a network analyzer such as Sniffer Pro. A network analyzer is a device that gives you a very good idea of what is happening on a network by allowing you to look at the actual data that travels over it, packet by packet. A typical network analyzer understands many protocols, which enables it to display conversations taking place between hosts on a network.

Network analyzers typically provide the following capabilities:

 Capture and decode data on a network

 Analyze network activity involving specific protocols

 Generate and display statistics about the network activity

 Perform pattern analysis of the network activity

Network Analysis Fundamentals

How many times has a customer come to you and said that the network is slow? Or has a programmer claimed that there is a network problem? Even if it is not a network problem, how do you prove it’s not? This is where the art of network analysis comes in.

A network analyzer is a troubleshooting tool that is used to find and solve network communication problems, plan network capacity, and perform network optimization. Network analyzers can capture all the traffic that is going across your network and interpret the captured traffic to decode and interpret the different protocols in use. The decoded data is shown in a format that makes it easy to understand. A network analyzer can also capture only traffic that matches only the selection criteria as defined by a filter. This allows a technician to capture only traffic that is relevant to the problem at hand. A typical network analyzer displays the decoded data in three panes:

 Summary Displays a one-line summary of the highest-layer protocol contained in the frame, as well as the time of the capture and the source and destination addresses.

 Detail Provides details on all the layers inside the frame.

Hex Displays the raw captured data in hexadecimal format.

A network professional can easily use this type of interface to analyze this data. An example of the three-pane display is shown in Figure 1.1.

Figure 1.1 The Sniffer Pro Decode Screen’s Three-Pane Display

Network analyzers further provide the ability to create display filters so that a network professional can quickly find what he or she is looking for.

Advanced network analyzers provide pattern analysis capabilities. This feature allows the network analyzer to go through thousands of packets and identify problems. The network analyzer can also provide possible causes for these problems and hints on how to resolve them.

NOTE

Sniffer Pro comes with a feature known as the Expert that analyzes frames on the network, compares them against its database of protocols and standards, and finds potential problems on the network. The Sniffer Pro Expert also provides possible causes of problems as well as potential solutions. You will learn about the Expert in Chapter 3, Exploring the Sniffer Pro Interface.

Troubleshooting Methodology

The key to successful troubleshooting is knowing how the network functions under normal conditions. This knowledge allows a network professional to quickly recognize abnormal operations. Using a strategy for network troubleshooting, the problem can be approached methodically and resolved with minimum disruption to customers. Unfortunately, sometimes even network professionals with years of experience have not mastered the basic concept of troubleshooting; a few minutes spent evaluating the symptoms can save hours of time lost chasing the wrong problem.

A good approach to problem resolution involves these steps:

1. Recognizing symptoms and defining the problem

2. Isolating and understanding the problem

3. Identifying and testing the cause of the problem

4. Solving the problem

5. Verifying that the problem has been resolved

NOTE

A very important part of troubleshooting is performing research. The Internet can be a valuable source of information on a variety of network topics and can provide access to tutorials, discussion forums, and reference materials. As a part of your troubleshooting methodology, you can use the Internet as a tool to perform searches on errors or symptoms that you see on your network.

The first step toward trying to solve a network issue is to recognize the symptoms. You might hear about a problem in one of many ways: an end user might complain that he or she is experiencing performance or connectivity issues, or a network management station might notify you about it. Compare the problem to normal operation. Determine whether something was changed on the network just before the problem started. In addition, check to make sure you are not troubleshooting something that has never worked before. Write down a clear definition of the problem.

Once the problem has been confirmed and the symptoms identified, the next step is to isolate and understand the problem. When the symptoms occur, it is your responsibility to gather data for analysis and to narrow down the location of the problem. The best approach to reducing the problem’s scope is to use divide-and-conquer methods. Try to figure out if the problem is related to a segment of the network or a single station. Determine if the problem can be duplicated elsewhere on the network.

The third step in problem resolution is to identify and test the cause of the problem and test your hypothesis. You can use network analyzers and other tools to analyze the traffic. After you develop a theory about the cause of the problem, you must test it.

Once a resolution to the problem has been determined, it should be put in place. The solution might involve upgrading hardware or software. It may call for increasing LAN segmentation or upgrading hardware to increase capacity. The final step is to ensure that the entire problem has been resolved by having the end customer test for the problem. Sometimes a fix for one problem creates a new problem. At other times, the problem you repaired turns out to be a symptom of a deeper underlying problem. If the problem is indeed resolved, you should document the steps you took to resolve it. If, however, the problem still exists, the problem-solving process must be repeated from the beginning. The problem resolution flowchart is shown in Figure 1.2.

Figure 1.2 Problem Resolution Flowchart

The OSI Model, Protocols, and Devices

To understand network analysis, it is very important to learn the theory behind how networks operate. For a network to work, the computers running on it need to agree on a set of rules. Such a set of rules is known as a protocol. A protocol in networking terms is very similar to a language in human terms. Two computers using different protocols to talk to each other would be like someone trying to communicate in Japanese to another person who did not understand that language. It simply would not work!

Many protocols exist in today’s world of network communication. In the early days of networking, each networking vendor wrote their own protocols. Eventually, standards were developed so that devices from multiple vendors could communicate with each other using a common protocol. Examples of these protocols include Transmission Control Protocol/Internet Protocol (TCP/IP), Internetwork Packet Exchange/Sequence Packet Exchange (IPX/SPX), and AppleTalk.

NOTE

To be a successful network troubleshooter, you need a strong understanding of network protocols. Understanding different protocols and their characteristics will help you recognize abnormal behavior when it occurs in your network.

Network protocols can be classified as connection-oriented or connectionless. Connection-oriented protocols establish a channel between the source and destination machines before any data is transmitted. The protocol ensures that packets arrive at the receiving station in the same sequence in which they were transmitted. If a packet is lost in transit, it is retransmitted by the source. The destination host acknowledges data sent from the source to the destination. Because of all these features, connection-oriented protocols are also known as reliable protocols. Connectionless protocols provide no assurance that data sent from the source will reach the destination. They provide best-effort delivery. There is no guarantee that a packet will reach its destination or that it will be in order. These details are handled by upper-layer protocols. Connection-less protocols are known as unreliable protocols. However, they require less overhead and are generally faster than connection-oriented protocols.

NOTE

This book will show you, in detail, how to capture, view, decode, filter, and dissect many different protocol suites with the Sniffer Pro network analyzer.

The OSI Model and the DOD Model

In the early 1980s, the International Standards Organization (ISO) created the Open Systems Interconnection (OSI) model, which describes how network protocols and components work together. The OSI reference model divides network protocol functions into seven layers. Each layer represents a group of related specifications, functions, and activities.

The seven layers of the OSI model are shown in Figure 1.3. A layer in the OSI model provides services to the layer above it and, in turn, relies on the services provided by the layer below it. Encapsulation is the process by which information from an upper layer of the model is inserted into the data field of a lower layer. As a message leaves a networked station, it travels from Layer 7 to Layer 1. Data created by the application layer is passed down to the presentation layer. The presentation layer takes the data from the application layer and adds its own header and trailer to it. This data is then passed down to the session layer, which adds its own header and trailer and passes it down to the transport layer. The process repeats itself until the data reaches the physical layer. The physical layer does not care about the meaning of the data. It simply converts the data into bits and places it on the transmission media.

Figure 1.3 The OSI Reference Model’s Seven Layers

NOTE

The data that comes from an upper layer to a lower layer, including the upper layer headers and trailers, is known as the payload for the lower layer.

When the data arrives at its destination, the receiving station’s physical layer picks it up and performs the reverse process (also known as decapsulation). The physical layer converts the bits back into frames to pass on to the data link layer. The data link layer removes its header and trailer and passes the data on to the network layer. Once again, this process repeats itself until the data reaches all the way to the application layer.

The layers of the OSI model are:

 Application layer This topmost layer of the OSI model is responsible for managing communications between network applications. This layer is not the application itself, although some applications may perform application layer functions. Examples of application layer protocols include File Transfer Protocol (FTP), Hypertext Transfer Protocol (HTTP), Simple Mail Transfer Protocol (SMTP), and Telnet.

 Presentation layer This layer is responsible for data presentation, encryption, and compression.

 Session layer The session layer is responsible for creating and managing sessions between end systems. The session layer protocol is often unused in many protocols. Examples of protocols at the session layer include NetBIOS and Remote Procedure Call (RPC).

 Transport layer This layer is responsible for communication between programs or processes. Port or socket numbers are used to identify these unique processes. Examples of transport layer protocols include Transmission Control Protocol (TCP), User Datagram Protocol (UDP), and Sequence Packet Exchange (SPX).

 Network layer This layer is responsible for addressing and delivering packets from the source node to the destination node. The network layer takes data from the transport layer and wraps it inside a packet or datagram. Logical network addresses are generally assigned to nodes at this layer. Examples of network layer protocols include IP and IPX.

 Data link layer This layer is responsible for delivering frames between network interface cards (NICs) on the same physical segment. Communication at the data link layer is generally based on hardware addresses. The data link layer wraps data from the network layer inside a frame. Examples of data link layer protocols include Ethernet, Token Ring, and Point-to-Point Protocol (PPP). Devices that operate at this layer include bridges and switches.

 Physical layer This layer defines connectors, wiring, and the specifications on how voltage and bits pass over the wired (or wireless) media. Devices at this layer include repeaters, concentrators, and hubs. Devices that operate at the physical layer do not have an understanding of paths.

The OSI model is very generic and can be used to explain virtually any network protocol. Various protocol suites are often mapped against the OSI model for this purpose. A solid understanding of the OSI model aids tremendously in network analysis, comparison, and troubleshooting. However, it is also important to remember that not all protocols map nicely to the OSI model. For example, TCP/IP was designed to map to the U.S. Department of Defense (DoD) model.

In the 1970s, the DoD developed its four-layer model. The core Internet protocols adhere to this model. The DoD model is merely a condensed version of the OSI model. Its four layers are:

 Process layer This layer defines protocols that implement user-level applications such as mail delivery, remote login, and file transfer.

 Host-to-host layer This layer handles the connection, data flow management, and retransmission of lost data.

 Internet layer This layer is responsible for delivering data from source host to destination host across a set of different physical networks that connect the two machines.

 Network access layer This layer handles the delivery of data over a particular hardware media.

TCP/IP

TCP/IP, developed by the Defense Advanced Research Projects Agency (DARPA), is the most widely used routed protocol today. Figure 1.4 shows how the layers of the TCP/IP stack map against the seven layers of the OSI reference model.

Figure 1.4 The TCP/IP Protocol Stack Layers

Internet Protocol (IP) is a Layer 3 protocol that contains addressing and control information that allows packets to be routed. IP is a connectionless protocol, therefore, it provides unreliable best-effort packet delivery service. Since IP only provides best effort delivery, a packet may be discarded during transmission. All IP packets consist of a header and a payload (data from upper layers). Figure 1.5 shows the format of an IP packet.

Figure 1.5 The Format of an IP Packet

NOTE

If reliable, guaranteed transfer is needed, IP depends on TCP to provide this functionality. TCP is a connection-oriented protocol that runs on top of IP and provides sequencing and acknowledgments.

At the transport layer of the TCP/IP stack, the two commonly used protocols are TCP and UDP. The headers for both of these protocols include a source and destination port number, which are used to determine the application or process that the TCP segment or UDP datagram originate from and destined to. TCP is a connection-oriented protocol, and UDP is a connectionless protocol. The TCP header includes sequence and acknowledgment numbers for reliable delivery. TCP can also use the sliding window principle. The sliding window algorithm allows a buffer to be placed between the application program and the network data flow. Data received from the network is placed into this buffer until the application is ready to read it. The window is the amount of data that can be fetched into the buffer before an acknowledgment must be sent.

Examples of applications that use TCP include FTP, Telnet, Network File System (NFS), SMTP, HTTP, Domain Name System (DNS), and Network News Transfer Protocol (NNTP). Examples of applications that use UDP include DNS, Routing Information Protocol (RIP), NFS, Simple Network Management Protocol (SNMP), and Dynamic Host Configuration Protocol/Boot Protocol (DHCP/BOOTP). As you can see, some applications (such as DNS and NFS) can use both protocols.

IP Addressing

TCP/IP uses IP addresses to send messages to their proper destinations. Every TCP/IP host in the network requires a unique IP address on each of its NICs. IP addresses are assigned by the network administrator, either manually or through a dynamic addressing protocol such as Reverse Address Resolution Protocol (RARP), BOOTP, or DHCP. The current IP addressing scheme (IPv4) defines an IP address as a 32-bit binary number—for example:

11000111 00011010 10101100 01010011

To make it more convenient for us, the IP address is divided into four 8-bit octets (bytes):

11000111.00011010.10101100.01010011

These octets are then converted from binary to decimal numbers and written as follows (four decimal digits separated by periods):

199.26.172.83

When this number is entered into a computer, the machine automatically converts it to a 32-bit binary number, with no regard for the individual octets or the decimals.

An IP address has two portions, a network ID and a host ID. The network ID is shared amongst all the stations on a segment and must be unique across the entire network. The host ID identifies a specific device (host) within a segment and must be unique on a particular segment.

NOTE

The IP system in common use today is known as IPv4, for Internet Protocol version 4. A newer system, IPv6, or Internet Protocol version 6, has been developed and exists today in small deployments. IPv6 allows for more addresses by increasing the address size from 32 bits to 128 bits.

Classes

When the original IP routing scheme was developed, IP addresses were divided into five classes. IP addresses most commonly come as Class A, B, or C. Class D addresses are used for multicasting, and Class E addresses are reserved for experimental and future use. The classes of IP addresses are shown in Table 1.1. Please note that in the table, N = Network and H = Host.

Table 1.1

IP Address Classes

The values of the leftmost four bits of an IP address determine its class. All Class A addresses, for example, have the leftmost bit set to 0, but each of the remaining 31 bits may be set to a 0 or 1 independently (as represented by x in these bit positions):

0xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx

This specifies the range of Class A addresses as 0.0.0.0 to 127.255.255.255. Class B addresses must have the leftmost bit set to 1 and the next bit set to 0; all other bits may vary:

10xxxxxx xxxxxxxx xxxxxxxx xxxxxxxx

Based on this rule, Class B addresses have a range of 128.0.0.0 to 191.255.255.255. Similarly, Class C, D, and E addresses set the second, third, and fourth bits (respectively) to 1.

NOTE

The 127.0.0.0 network is part of Class A but is reserved. The IP address of 127.0.0.1 is typically used for loopback purposes on a TCP/IP host. The network address of 0.0.0.0 is reserved for default routes.

Classes A, B, and C define a default subnet mask for the addresses in their ranges. A subnet mask separates the network portion of an IP address from the host portion. In a Class A address, the first octet represents the network ID, and the last three octets represent the host ID. In a Class B address, the first two octets represent the network ID, and the last two octets represent the host ID. In Class C addresses, the first three octets are used for the network ID, and the last octet is the host ID.

NOTE

Classless interdomain routing (CIDR) was introduced on the Internet to improve the scalability of the Internet routing system and to allow for more efficient allocation of addresses. CIDR uses variable-length subnet masks (VLSMs) and eliminates the concept of classful networks. This is also known as classless routing.

Binary to Hex to Decimal Translation

We generally use the base10 (also known as decimal) numbering system, which uses 10 values (0, 1, 2, 3, 4, 5, 6, 7, 8, 9) to represent numbers.

Computers use the base2 (also known as binary) numbering system to represent data. The binary numbering system uses two values, 0 and 1, to represent numbers. This is because a computer only recognizes two states: the presence or absence of an electrical charge. Even if a computer is showing you decimal numbers, it is merely a translation of the binary numbers inside the machine. A single binary digit (0 or 1) is called a bit. The term octet is used to describe a unit of 8 bits. Most modern computers also have 8 bits in a byte. In the early days of computers, the word byte was also used to describe other quantities of bits. The term nibble is equal to half a byte and is therefore 4 bits, in most cases.

Hexadecimal is base16 and therefore uses 16 values (0, 1, 2, 3, 4, 5, 6, 7, 8, 9, A, B, C, D, E, F) to represent numbers. The hexadecimal system is useful because a byte (8 bits) of binary data can be represented using just two hexadecimal digits. This makes it easier for humans to read or write large numbers in hexadecimal rather than binary format.

We will first learn how to convert a decimal number into binary. A popular method for converting a decimal number into binary is to divide the number by 2 repeatedly. Let’s take the decimal number 35 as an example. Figure 1.6 shows how this decimal number can be converted into binary format. Here are the steps:

Figure 1.6 Conversion of the Decimal Number 35 into Binary Format

1. Divide the original number by 2. The remainder becomes the least significant bit in the binary number.

2. Divide the result of the division from Step 1 by 2. The remainder becomes the next most significant bit of the binary number.

3. Repeat the division process until the result is 0. The remainders form the binary number.

Let’s now look at binary-to-decimal conversion. Here we simply multiply the binary digits by increasing powers of 2, starting from the right. Let’s walk through the steps involved in converting the binary number 101 into decimal format:

1. The rightmost digit is a 1, so you multiply it by 2 to the 0th power (or 1): 1 × 1 = 1.

2. Multiply the next digit to the left (0) by 2 to the first power (or 2): 0 × 2 = 0.

3. Multiply the next digit to the left (1) by 2 to the second power (or 4): 1 × 4 = 4.

4. Now, to find the decimal number, you find the sum of these products: 1 + 0 + 4 = 5. Therefore, 101 in binary equals 5 in base 10.

Hexadecimal-to-binary conversion is easily accomplished by converting each hexadecimal digit to decimal first and then converting each of these decimal values into binary. As an example, take the hexadecimal number 05DC:

1. Convert each digit to decimal, one by one. This results in the decimal values 0, 5, 13, and 12.

2. Convert each of these decimal numbers into 4 bits of binary. This gives us the binary values 0000, 0101, 1101, and 1100.

3. Put these binary values next to each other. We get 0000010111011100.

To convert binary to hexadecimal, reverse this method. Group the binary number into 4-bit nibbles, and convert each group into decimal. Finally, replace each decimal number with its hex equivalent. As an example, take the binary value 1101101101010110:

1. When we divide the value into 4-bit nibbles, we get 1101, 1011, 0101, and 0110 (the first line in Figure 1.7).

Figure 1.7 Converting the Binary Number 1101101101010110 into Hex Format

2. Convert each nibble into its decimal equivalent. This results in 13, 11, 5, and 6 (the second line in Figure 1.7).

3. Replace each decimal number with its hex equivalent. This results in the final value of DB56 (the third line in Figure 1.7).

NOTE

You will find that knowing how to perform base conversion is essential to a network analyst’s job. Computer data, including networking protocols, is often represented in binary or hexadecimal format.

IPX/SPX

Internetwork Packet Exchange/Sequenced Packet Exchange (IPX/SPX) is a Novell communications protocol suite derived from the Xerox Network System (XNS) protocol. Figure 1.8 shows how the IPX/SPX protocol stack maps against the OSI reference model.

Figure 1.8 Layers of the IPX/SPX Protocol Stack

IPX is a connectionless Layer 3 network protocol. Although multiple Novell protocols operate at Layer 4, SPX is the most common one. SPX, a reliable, connection-oriented protocol, was derived from the XNS Sequenced Packet Protocol (SPP). Network Core Protocol (NCP) provides interaction between clients and servers by defining connection control and service request/reply. Service Advertisement Protocol (SAP) allows servers to advertise their addresses and the services they provide.

Figure 1.9 shows an example of an IPX packet captured with Sniffer Pro.

Figure 1.9 IPX Packet Captured on Sniffer Pro

IPX Addressin

An IPX address consists of two parts: the network number and the node number. IPX addresses are 80 bits long, with 32 bits for the network number and 48 bits for the node number. IPX simplifies mapping between Layer 3 and Layer 2 addresses, using the Layer 2 address as the host portion of the Layer 3 address. This eliminates the need for an address resolution protocol such as Address Resolution Protocol (ARP) for IP. IPX addresses are generally written as hexadecimal digits in the network.node format.

Unlike IP, IPX has no concept of subnetworking. The IPX network number is manually assigned and must be unique for each network segment. Each node number on a given IPX network segment must be unique.

NOTE

IPX supports multiple Ethernet frame types: Ethernet II, IEEE 802.3, IEEE 802.3 SNAP, and Novell 802.3 RAW. (Frame types are discussed in detail later in the chapter.) It is possible to use multiple encapsulation types on a single network segment as long as a unique network number is assigned to each encapsulation type. It is important to note that hosts that use different encapsulation types will not be able to directly communicate with each other.

Node numbers do not have to be unique across networks because the network number and node number are used together to identify a particular host.

Internal Network Numbering and Server