1-1

Ethernet
Network Analysis
and Troubleshooting
Sniffer University

© Network Associates Ethernet Network Analysis and Troubleshooting


Ethernet Overview and Frame Formats
Section 1 TNV-202-GUI Ethernet Network Analysis and Troubleshooting

Slide Title: Ethernet Network Analysis and Troubleshooting – Section 1 of TNV-202-GUI

Section Timing: Start: Day 1 Approx. 9am
Finish: Day 1 Approx. 12:00 noon

Section 1 title slide.

Files: 01_frm_g.PPT 01_frm_g.DOC

Traces: Mixed01.cap Mixed02.cap

Exercises: Which Frames are on the Network?
Isolating Frame Types with Pattern Matching (optional)
A Surprise at 23:00

Note:
Be sure to practice before you teach this new version! You will
need to tighten up on all the sections so you will have time to
cover the new materials. It will be a challenge! Pace it
carefully.

There are several new concepts and exercises, so go through the
class very carefully before you teach it. Practice all the exercises
and look at the trace beyond what we focus on in the exercises so
you are not blindsided by questions outside of the exercise.
Please remember this instructor guide is a living document. It is not
complete to start and is intended to grow with time. Add to your
own copy as you gain experience. Please e-mail suggestions to the
course Subject Matter Expert (SME) for future updates to the
course material.

Page 1 - 1
1-2
Slide Title: NAI – Sniffer University

Important Points to Cover: Logo page. Skip past this quickly.

Original Traces for the Course: (all were saved as .CAP files – none were
recaptured)

01.CAP 02.CAP 03.CAP 04.CAP
05.CAP 06.CAP 07.CAP 08.CAP
09.CAP 10.CAP 11.CAP 12.CAP
13.CAP 14.CAP 15.CAP 16.CAP
17.CAP 18.CAP 19.CAP 20.CAP
21.CAP (giant.enc) 100MBFIL.CAP BACKPRES.CAP BACKPRES2.CAP
BAD03.CAP BADCABLE.CAP BADCRC.CAP BADCRC-1.CAP
BUSY-JAM.CAP COL100_3.CAP FRAGS.CAP HUB6ARC.CAZ
HUBPORT1.CAP HUBPORT2.CAP JABBER.CAP MIXED-01.CAP
MIXED-02.CAP SCBRIDGE.CAP TCPDEMO6.CAP

New traces added in version 4.0

Name | Source | Speed | Course Location
GB.CAP (Gigabit data trace) | Sniffer Pro 4.0 Samples Directory | 1000 | Screen caps, 2 Exercises
GBAUTONEGOTIATION.CAP (Gigabit autonegotiation) | HQ server | 1000 | Screen caps, 2 exercises
VLANProb.caz (Cisco ISL VLAN) | HQ lab trace – filtered to remove HQ names & info | 100 | Screen caps & exercise
VLANprob2.cap (Cisco ISL VLAN) | HQ lab trace – filtered to remove HQ names & info | 100 | Screen Cap Demo
Hawk10b.enc & Hawk100b.enc | Steve Hammill – classroom setup traces | 10, 100 | Exercise
Jabtest.enc (1 frame) | HQ engineering | 10 | Screen shot
Overtest.cap | HQ Engineering | 10 | Extra-demo
Big_Bad_Rich.caz | Don Prefontaine created in an on-site class | 100 | Exercise
Llcnetb2.cap | Bev Mannes home network | 100 | LLC exercise
Bcast.cap | 303 trace file | 10 | Exercise
8021Q-gig.cap (Subset of dc_01.caz) | HQ engineering | 1000 | Demo, screen cap
8021q.cap | HQ engineering | 100 | Screen caps & exercise

Page 1 - 2
1-3
Housekeeping
BREAKS

LUNCH

TELEPHONES
Call the
office

BEEPERS IN SILENT MODE


Net Down!!!

CELL PHONES IN SILENT MODE


REST ROOMS

EMERGENCY INFORMATION

QUESTIONS
?

All phone calls must be made outside the classroom during breaks.

Slide Title: Housekeeping

Important Points to Cover: Use your normal way of presenting this information.
Instructor History
Paperwork (Student information forms)
Student Introductions:
Company name
Operating systems
Connection technologies at their site
Networking experience, etc.
Location of:
Exits
Washrooms
Telephones
Lunchroom or lunch arrangements
Time intervals
Break
Lunch
Start
Finish
Note: You may negotiate different start and end
times provided it does not place undue hardship
on anyone in the class.
Instructor availability

Page 1 - 3
1-4
Use Your Trace File CD for the exercises in this class

Thank You!

Students are not permitted to audio or video tape the course presentation.
Duplication of Course Materials or the Trace File CD is strictly prohibited by
copyright.

The Trace File CD that comes with this manual contains:

• All Class Traces - which can be copied to the C:\ drive or used in the CD-ROM Drive
• Reference materials - ATM Forum Docs, RFCs, Product Guides and other Documentation

Slide Title: Thank You!

Important Points to Cover: Keep going
Briefly review the policy.
The trace files for this class are placed in the 202GUI directory on
the trace file CD in the student manual.
Mention that there are additional trace files that are copied to
Sniffer Pro’s program directory if they would like to practice with
those samples.

Page 1 - 4
1-5

Sniffer University's Total Network Visibility Curriculum


Upper-Layer Technologies
• Interconnection Concepts & Troubleshooting
• Microsoft Windows NT & Windows 2000 Network Analysis & Troubleshooting
• TCP/IP Applications: Concepts & Troubleshooting
• TCP/IP Network Analysis & Troubleshooting

Network Interfaces
• ATM Network Analysis & Troubleshooting
• WAN Analysis & Troubleshooting
• Token Ring Network Analysis & Troubleshooting
• Ethernet Network Analysis & Troubleshooting

Tools & Systems
• Implementing Distributed Sniffer System / RMON Pro
• Troubleshooting with the Sniffer Pro Network Analyzer
• Sniffer Pro for DOS Sniffer Experts

Visit our website for more information on our classes and a current schedule:

www.sniffer.com >> follow the Sniffer University Links

Slide Title: Sniffer University's TNV Curriculum

Important Points to Cover: These are the 11 active courses in the curriculum as of Oct 2, 2000
for Version 4.0.

Point out where you are in the curriculum.

Mention other GUI courses available and highlight next step
courses such as:
3 day WAN - TNV-207-GUI
5 day TCP/IP curriculum – TNV-303-GUI and TNV-304-GUI.
5 day ATM - TNV-218-GUI

Keep going.

Page 1 - 5
1-6
Table of Contents
• Course Overview Page 1-7 Day 1
• Ethernet Frame Formats Page 1-18
• Ethernet Sniffer Pro Hardware Page 2-1
• Ethernet Physical and Data Link Layers Page 3-1
• Timing Specifications Page 3-25
• Troubleshooting Tips Page 4-1
• Ethernet Bridging and Switching Concepts Page 5-1 Day 2
• Bridges Page 5-3
• Switches Page 5-15
• VLAN Tagging Page 5-27
• 100 Mbps Fast Ethernet Page 6-1
• Full Duplex Ethernet Page 7-1
• Gigabit Ethernet Page 8-1
• Optional Technologies - LLC and Coax Page 9-1
• Glossary of Terms Page 9-41
• Student Exercises Page 10-1

Slide Title: Table of Contents

Important Points to Cover: Run down the list of topics. Mainly here for student reference.

Use this to let them know what we will cover in class. The
redundant list after this was removed.

A dotted line has been added to give the students an indication of
when the topics will be covered.

Timing: A guideline for timing:
Day one: Morning: Section 1 and 2.
Afternoon: Section 3.
Day two: Morning: Section 4 and Section 5 (Bridges).
Afternoon: Section 5 (Switches), Sections 6-8.
Optional: Logical Link Control

Page 1 - 6
1-7

Course Overview

Slide Title: Course Overview

Important Points to Cover: Standard title slide only.

Page 1 - 7
1-8
Course Objectives

Upon completion of the course, you will be able to:

• Discuss the details of the Ethernet (802.3) specification
• Effectively use the Sniffer Pro analyzer to manage and troubleshoot
Ethernet LANs
• Use practical hands-on troubleshooting methods and partner with the
Network Associates Sniffer Pro Network Analyzer in Ethernet environments

Slide Title: Course Objectives

Important Points to Cover: We are here to learn something about Ethernet technology, how to
use the Sniffer Pro analyzer in an Ethernet environment, and how
to interpret the data captured.

State the course objectives.

Page 1 - 8
1-9
Prerequisites

• Basic LAN knowledge and experience using the Sniffer Pro Analyzer
• TNV-101-GUI: Troubleshooting with the Sniffer Pro Network Analyzer
or
• TNV-112-GUI: Sniffer Pro for DOS Sniffer Experts

Slide Title: Prerequisites

Important Points to Cover: Cover quickly.

Determine if all of the students meet the prereqs and discuss any
problems if you have some that have not taken TNV-101-GUI or
TNV-112-GUI.

Page 1 - 9
1-10
OSI Functional Protocol Layers

• The Session, Presentation, and Application layers are not clearly
differentiated in most network protocols
• The Transport layer provides for communications between programs
• The Network layer provides for communications between devices

Ethernet Layers
• The Data Link layer provides for communications between electrical
end-points (network interface cards)
• The Physical layer provides the conductive path that includes media,
connectors, electrical or optical signaling levels and coding
characteristics

Slide Title: OSI Functional Protocol Layers

Important Points to Cover: This is now a build slide that builds on mouse clicks. The Ethernet
layers are set off to emphasize this is where the Ethernet
specifications reside. Everything else is “upper layer” to Ethernet.

Review the functions of each layer, so the students may apply the
binary search method against the OSI stack.

Upper Layer protocols control the communications between the
applications themselves. They are connection-oriented and take
care of any error handling not done by the lower layers.
Transport protocols can be connection or connectionless. If
connection oriented, then we can determine whether or not the
network is good by simply following the sequence numbers.
Network layer protocols are also connectionless.
All of the protocols in the layers above Ethernet are taught in many
other Sniffer University courses. We will not focus on them here.
Physical and data link are the layers directly involved in Ethernet.
All these processes (without LLC) are connectionless.

Page 1 - 10
1-11
IEEE 802 Standards
802.2 – Logical Link Control (LLC) describes peer-to-peer procedures
for the transfer of information and control between any pair
of Service Access Points on any 802.X LAN

802.10 – LAN/MAN Security

802.1B – LAN/MAN Management
802.1D – MAC Bridging
802.1E – System Load Protocol
802.1F – Common Definitions & procedures
802.1G – Remote Media Access Control Bridging
802.1H – MAC Bridging of Ethernet in V2.0 in LANs

Data Link Layer:
802.3 – CSMA/CD Medium Access
802.4 – Token Passing Medium Access over bus
802.5 – Token Passing Medium Access over ring
802.6 – Distributed Queue Dual Bus Medium Access
802.9 – Integrated Services at Medium Access
802.11 – Wireless Medium Access
802.12 – Demand Priority Medium Access

Physical Layer: shown beneath each of the Data Link Layer standards above


The lower part of the Data Link Layer is called the MAC layer, an abbreviation
for Media Access Control.
In addition, 802.14 Standard Protocol for Cable-TV-based Broadband
Communication Network is another protocol in development in 1998.
802.7 standard is a recommended practice for common Physical Layer
technologies, IEEE Recommended Practice for Broadband Local Area Networks.
The ANSI number for the 802.3 1996 edition of the specs is 8802-3:1996
IEEE Specifications can be purchased through http://www.ieee.com

Slide Title: IEEE 802 Standards

Important Points to Cover: History of where the Standards came from. The relationship among
the standards committees.
This is the official IEEE diagram based on the drawing in the IEEE
Std 802.3ab -1999. The 802.1 layer has the bridging standards
listed individually and 802.14 for Cable-TV based broadband is not
on this drawing due to space constraints.

Page 1 - 11
1-12
Major IEEE Ethernet Standards
802.3 1985 Carrier Sense Multiple Access with Collision
Detection (Original Ethernet Specification)
802.3u 1995 Media Access Control (MAC) Parameters, Physical
Layer, Medium Attachment Units and Repeater for
100 Mb/s Operation, Type 100BASE-T
802.3x 1997 Specification for Full Duplex Operation
802.3z 1998 Media Access Control Parameters, Physical
Layers, Repeater and Management Parameters for
1000 Mb/s (Gigabit) Operation
802.3ab 1999 Physical Layer parameters for 1000 Mb/s Operation
over 4-Pair Cat 5 Balanced Copper Cabling, Type
1000BASE-T
802.3ac 1998 Carrier Sense Multiple Access with Collision
Detection (CSMA/CD) frame extensions for Virtual
Bridged Local Area Networks (VLAN) tagging on
802.3 networks
802.3ad 2000 Carrier Sense Multiple access with Collision
Detection (CSMA/CD) access method and physical
layer specification- Aggregation of Multiple Link
Segments (Parallel Point-to-Point link segments)

Many other specification documents cover many facets of the Ethernet
specifications. A complete list is available from the IEEE web site.
WIP = Work in Process

Slide Title: Major IEEE Ethernet Standards

Important Points to Cover: This is a quick list of the Ethernet standards we will cover in this
class.

It is not a comprehensive list, since there are numerous other
addenda as seen by the lettering of the standard.

You might want to note the large gap between the original 802.3
standard approved in 1985 and the u standard approved in 1995.
This does not mean there was no change in 10 years. Quite the
contrary: the improvements to the original spec for thin coax, then
twisted pair, along with all the other changes to devices, were
defined in the “a” through “t” addenda.

Page 1 - 12
1-13
Ethernet Evolution

Years on the timeline: 1972 1982 1983 1985 1990 1993 1995 1996 1997 1998 2000

[Timeline figure. Milestones shown include: work on Ethernet begins at
Xerox PARC; Ethernet V2 Spec completed by DEC, Intel and Xerox; Novell
NetWare proprietary frame; IEEE 802.3; 10Base-T; Switching; Fast
Ethernet (802.3u); Gigabit Ethernet proposed, VLANs; Full Duplex
(802.3x); Gigabit standard (802.3z); switch sales exceed shared hubs;
Terabit stds in process]

Design Goals:

1. Definition simplicity
2. Efficient use of shared resources
3. Ease of reconfiguration and maintenance
4. Compatibility
5. Low cost

V1 Ethernet: Used an unbalanced signaling method (+5 volts referenced
against ground).
V2 Ethernet: Used a balanced signaling method (+5, -5 volts).
Added SQE (Heartbeat).
802.3: Added jabber inhibit.
Specified thick coax, thin coax, twisted pair cabling and fiber.
V1 and V2: Specified thick coax cable.
Cannot co-exist on the same segment due to the different
signaling methods.
V2 and 802.3: Can co-exist on the same segment, as the same signaling
methods are used.

Slide Title: Ethernet Evolution

Important Points to Cover: Discuss the milestones and the Design Goals.

New dates and milestones have been added.

All frame types that use CSMA/CD are now valid 802.3.

Page 1 - 13
1-14
Media Evolution
[Figure: media types Thick Coax, Thin Coax, Twisted Pair and Optical
Fiber (& Twinax), with connector labels: DB15 Connectors (attaches to
external transceiver with AUI cable), BNC Connectors with T connectors,
RJ45 Connectors, RJ45 Connectors]

Slide Title: Media Evolution

Important Points to Cover: New Slide.

Do just a quick review of how Ethernet media has changed over the
years.

We started with the old thick cable in the ceiling.

Then thin coax took over.

Twisted pair changed the whole layout of the network structure,
bringing all the connections back to the wiring closet. Cat 3 evolved to
cat 4, evolved to cat 5, now on to cat 6, 7 ????

Cables attach to connectors in the wall or cube, the wire then goes
to a punch-down block and finally to a hub or switch.

Dedicated wires for receive and transmit meant that cards could no
longer listen on the same wire, so new ways of learning of
collisions had to be developed.

The latest is optical fiber. This is generally used as a backbone or
for high-speed servers. Our diagram shows the ordinary users
connected with cat 5 cabling with an uplink on the hub or switch to
the high-speed optical backbone. High performance servers may
be connected directly with optical cable.

There is mention of Twinax on the bottom. It is used in one Gigabit
Ethernet configuration.

Page 1 - 14
1-15
Media Access Evolution
[Figure: four media access configurations. Shared media half-duplex
with collisions; Hub or Concentrator with dedicated RX/TX lines, shared
media half-duplex with collisions; Switch with dedicated RX/TX lines,
dedicated media full-duplex without carrier sense or collision
detection; Switch with dedicated RX/TX lines, dedicated media
half-duplex with carrier sense and collision detection (collisions
avoided)]

Coax cables are broadcast in nature. Every station sees every signal on the wire.
Each must wait its turn to use the wire and only one signal can be on the wire
at a time.
Twisted pair cabling provides dedicated receive and transmit wires in the cable,
but only one wire can be active at a time. Concentrators or hubs repeat the
signals out to all stations attached, so each station must sense whether the wire
is busy, wait the interframe gap and sense collisions and retransmit if a collision
occurs.
The introduction of full duplex connections allowed bandwidth to double, since
each direction can be busy simultaneously.
The advent of the switch allowed dedicated connections between two devices in
a switched temporary point-to-point connection. Even though collisions are
avoided in this configuration, the same adapter cards are used, so the devices
still sense for carrier, wait the interframe gap and sense collisions.
When faster technologies were introduced, full duplex switched point-to-point
connections allowed signals on each wire simultaneously. Since the links are
point-to-point, there is no need to sense carrier or detect collisions.

Slide Title: Media Access Evolution

Important Points to Cover: New Slide.

This attempts to show how access to the wire has changed over
the years.

The birth of CSMA/CD meant everyone listening, waiting their turn,
then transmitting while listening for collisions. The cards can either
send or receive, not both simultaneously.

All of the newer technologies still have this as the basis for their
specifications.

The introduction of twisted pair wiring to a central repeater still
maintained the need for CSMA/CD, since everything received on
one port was repeated out to all the others.

When full duplex was developed, each device had two lines in a
point-to-point connection to the other end. There was no need to
wait for the line - you always had access to the receive port on the
other side. But the listen-and-wait and retry was maintained for
backward compatibility.

With the introduction of switches, every port is its own collision
domain. Collisions are almost non-existent. But there still is the little
matter of being able to talk to the older NICs and devices, so even
the faster devices know how to deal with CSMA/CD.

Page 1 - 15
1-16
Summary of Ethernet Features

• Uses Carrier Sense Multiple Access/Collision Detection (CSMA/CD)
for its media access control
– Switches and faster technologies avoid collisions with
dedicated and/or full-duplex connections
• Original specifications defined as a bus technology
– Usually installed as a star topology today
• Variable size frames
• Best effort delivery
• Various data encoding techniques are used

The minimum frame size is 64 bytes. This includes 4 bytes of frame check
sequence but does not include the 8 bytes of preamble sequence. The
maximum frame size is 1518 bytes including CRC.

Slide Title: Summary of Ethernet Features

Important Points to Cover: Original specifications are based on bus technology and
CSMA/CD. CSMA/CD has always been the defining feature of
Ethernet. With the introduction of switches and Full Duplex
Ethernet, this can no longer be the feature common to all varieties,
since some don’t use carrier sense (CS), are not multiple access
(MA), and do not have collisions to detect (CD).

Nevertheless, there are other details that have been maintained
through all the iterations, so the name has stuck.

This is the beginning of the real class.

Page 1 - 16
1-17
Digital Signal Encoding
[Figure: the bit sequence 0 1 0 0 1 1 drawn as TTL, Manchester (10 Mbps
Ethernet) and Differential Manchester (Token Ring) waveforms, with the
bit cell boundaries marked]

• TTL is used on circuit boards
• Manchester Encoding is used in 10 Mb/s Ethernet/802.3
• Differential Manchester Encoding is used by Token Ring/802.5
• Faster Technologies use different encoding schemes

Manchester and Differential Manchester encoding are methods of embedding
the clock into the data stream so the adapter can determine whether a bit is a
one or a zero.
TTL has no timing encoded in the data. It is used on circuit boards where
synchronized clocking can be applied to multiple circuits.
The encoding techniques for Fast Ethernet and Gigabit Ethernet are covered in
section five.

Slide Title: Digital Signal Encoding

Important Points to Cover: Don’t dwell on this slide. It is only really important for the students
to understand that the timing is embedded in the data stream so
that adapters can tell a 1 from a 0.

Fast Ethernet and Gigabit Ethernet use different encoding
methods. They will be covered in their respective sections.

Page 1 - 17
1-18

Ethernet Frame Formats


Slide Title: Ethernet Frame Formats

Important Points to Cover: Topic Title slide only. Keep going.

Page 1 - 18
1-19
Section Objectives

Upon completion of this section, you will be able to:

• Describe protocol concepts
• Differentiate between Ethernet Frame Formats
• Recognize network configuration issues with different frame formats
• Identify frame format incompatibilities

Slide Title: Section Objectives

Important Points to Cover: State the objectives for this section. This prepares the students and
sets expectations about the desired outcome of learning this
information.

Page 1 - 19
1-20
Ethernet Frame Formats

Frame Type | Detail Window Label | Expert DLC Label
Version 2 | Ethertype | Ethertype
Novell Raw | 802.3 length but no LLC header | 802.3
802.3 | 802.3 length and LLC header | 802.3
802.3 SNAP | SAP = AA, then SNAP Header | 802.3

LLC: Logical Link Control. A protocol that provides connection control and
multiplexing to subsequent embedded protocols; standardized as IEEE 802.2
and ISO/DIS 8802/2.
SAP: Service Access Point.
(1) A small number used by convention or established by a standards group,
that defines the format of subsequent LLC data; a means of demultiplexing
alternative protocols supported by LLC.
(2) Service Advertising Protocol. Used by NetWare servers to broadcast the
names and locations of servers and to send a specific response to any station
that queries it.
SNAP: Sub-Network Access Protocol (also sometimes called Sub-Network
Access Convergence Protocol). An extension to IEEE 802.2 LLC that permits a
station to have multiple network-layer protocols. The protocol specifies that
DSAP and SSAP addresses must be AA hex. A field subsequent to SSAP identifies
one specific protocol. Interpreted in the TCP/IP PI suite and the AppleTalk PI
suite. (See RFC 1042 for further information on SNAP.)
MAC frames are used in Full Duplex Ethernet
The Expert Detail Panel shows the frame type associated with each device at the
DLC layer.

Slide Title: Ethernet Frame Formats

Important Points to Cover: This is a list of what we will cover in the next set of slides.

Ethertype, LLC DSAP and SSAP are addresses.
SNAP defines a different location in the frame for the address of
the receiving process.
NetWare originally started with a proprietary frame but now
supports everything.
Carrier extend and MAC Control are mentioned in this section, but
will be explained fully in section five.

Page 1 - 20
1-21
Ethernet Version 2 Frame

Field: Preamble | Dest | Source | Type | Data | CRC
Bytes: 8 | 6 | 6 | 2 | 46 - 1500 | 4
Preamble bit pattern: 1010...10101011
(The figure also marks the Sniffer Pro Capture Range.)

• Preamble: 64 bits (8 bytes) of synchronization
• Destination: (6 bytes) address of destination node
• Source: (6 bytes) address of source node
• Type: (2 bytes) specifies upper-layer protocol
• Data: Data link layer views all information handed to it by higher
layers as data, whether it is protocol information or user data
• CRC: Cyclic Redundancy Check Frame Check Sequence (FCS), or
checksum value

Ethertypes are managed by Xerox.

Slide Title: Ethernet Version 2 Frame Format

Important Points to Cover: Emphasize the preamble and its function.
Hit the bit pattern and reference the AAAAs and 55555s.

Demo: Demonstrate frame structure with TCPDEMO6.CAP.

Walk the students through performing a pattern match on a version
two Ethertype. Repeat this for each frame type, each time using a
different match. Be sure to name the matches. After the last frame
type in this section, walk the students through saving setups so that
they now have a predefined filter that can be used later.

Page 1 - 21
1-22
Ethernet Version 2 Data Link Layer

Network Layer
Data Link Control Layer
Physical Layer
Non-IEEE Networks
(e.g., Ethernet, ARCNET, Local Talk)

• Pre-dates IEEE specs
• Identifies the hardware address of the adapters for both receiving and
sending stations
• Identifies the receiving process with a two byte Type field in the DLC
header
• Requires the Network Layer to ensure a minimum packet size of 46
bytes of data
• Only provides connectionless services

Slide Title: Ethernet Version 2 Data Link Layer

Important Points to Cover: Information on slide should suffice.

Page 1 - 22
1-23
Novell NetWare 802.3 “Raw” Frame

Field: Preamble | Dest | Source | Length | Data | CRC
Bytes: 8 | 6 | 6 | 2 | (begins with FFFF) | 4
Preamble bit pattern: 1010...10101011
(The figure also marks the Sniffer Pro Capture Range.)

• Preamble: 64 bits (8 bytes) of synchronization
• Destination: (6 bytes) address of destination node
• Source: (6 bytes) address of source node
• Length: (2 bytes) specifies the number of bytes (46-1500) in the
data field
• Data: IPX Header starting with 2 bytes checksum (usually FFFF)
followed by NetWare higher layers (‘data’)
• CRC: Cyclic Redundancy Check Frame Check Sequence (FCS),
or checksum value

Novell developed their frame type before the IEEE committee was finished. As a
result, they identified the length but did not use LLC.
This is not a problem provided all stations use the same frame type.
It does have a negative impact on IEEE compliant implementations when Novell
issues broadcast frames. Service Access Point of FF is the broadcast SAP. All
stations have to copy.

Slide Title: Novell NetWare 802.3 “Raw” Frame Format

Important Points to Cover: Use a third match as you take the students through this process. If
performed correctly, you will certainly speed up the exercises at the
end of this section, if not eliminate them.
Point out that Novell’s frame type was defined while the IEEE
committees were still meeting. It really did not matter, since one
only installed a single operating system. We were not designing
enterprise networks with LANs and we certainly were not
interfacing a lot of dissimilar systems.
In today’s environment however, it is definitely an issue.

Page 1 - 23
1-24
802.3 “Raw” Data Link Layer

Network Layer
Data Link Layer: Media Access Control Sublayer
Physical Layer
IEEE Networks
(e.g., 1BASE5, 802.3, 802.5)

• Only uses the bottom half of the DLC Layer
• MAC layer contains hardware addresses of destination and sending
stations
• Uses a two byte length identifier
• Does not use LLC
• Specified while IEEE was formulating 802.3 specs
• MAC Layer ensures minimum frame length

Slide Title: 802.3 “Raw” Data Link Layer

Important Points to Cover: NetWare IEEE 802.3. Information on slide should suffice.

Page 1 - 24
1-25
IEEE 802.3 Frame
Field: Preamble | SFD | DA | SA | Length | DSAP | SSAP | Control | Data + Pad | CRC
Bytes: 7 | 1 | 6 | 6 | 2 | 1 | 1 | 1 or 2 | 42 - 1497 | 4
Logical Link Control (LLC) 802.2: DSAP, SSAP, Control
Preamble and SFD bit pattern: 1010...10101011
(The figure also marks the Sniffer Pro Capture Range.)

• Preamble: 56 bits (7 bytes) of synchronization
• SFD: (1 byte) start frame delimiter (transition from synch to DA)
• DA: (6 bytes) Destination Address: address of destination node
• SA: (6 bytes) Source Address: address of source node
• Length: (2 bytes) specifies the number of bytes (3-1500) in the LLC and data fields
• DSAP: (1 byte) Destination Service Access Point; receiving process at destination
• SSAP: (1 byte) Source Service Access Point; sending process in source
• Control: (1 byte) Various control information (2 bytes for connection-oriented LLC)
• Data/Pad: The upper-layer protocol information, if any. The MAC layer pads the field
to ensure overall 64-byte minimum frame size requirement
• CRC: Cyclic Redundancy Check Frame Check Sequence (FCS), or
checksum value

Stations know if a frame is Version 2 or 802.3 by evaluating the 2 bytes


following the source address. If they are greater than 05DC hex (1500 decimal),
then the frame is Version 2; if they are less, they are assumed to be a length
field.
IEEE defines the preamble as 56 bits (7 bytes) of alternating 10101010...etc.,
followed by 8 bits (1 byte) of starting delimiter with bit pattern of 10101011.

© Network Associates Ethernet Network Analysis and Troubleshooting


Ethernet Overview and Frame Formats
Section 1 TNV-202-GUI Ethernet Network Analysis and Troubleshooting

Slide Title:IEEE 802.3 Frame Format

Important
Points to
Cover: Repeat of previous page. Be sure to select a different match and to
disable the first match.
Stations know if a frame is Version 2 or 802.3 by evaluating the 2
bytes following the source address. If they are greater than 05DC
hex (1500 decimal), then the frame is Version 2; if they are less,
they are assumed to be a length field. Note: the exception is PUP,
which uses Ethertype 2ØØ. (PUP stands for PARC Universal
Packet.)

Page 1 - 25
1-26
IEEE 802.3 Data Link Layer

[Diagram: layer stack. Network Layer; Data Link Layer: Logical Link Control Sublayer and Media Access Control Sublayer; Physical Layer: IEEE Networks (e.g., 1BASE5, 802.3, 802.5)]

• Splits the DLC layer into two distinct sublayers
• MAC layer contains hardware addresses of destination and sending stations
• Provides LLC services
– Receiving and sending processes identified by SAP addressing
– Accommodates both connectionless and connection-oriented implementations
– Provides for the use of SNAP
• MAC Layer ensures minimum frame length

Slide Title: IEEE 802.3 Data Link Layer

Important
Points to
Cover: Information on slide should suffice.

Page 1 - 26
1-27
IEEE 802.3 SNAP Frame

Field:  Preamble  SFD  DA  SA  Length  DSAP  SSAP  Control  Vndr Code  Type  Data + Pad  CRC
Bytes:  7         1    6   6   2       AA    AA    1        3          2     38 - 1492   4

DSAP, SSAP and Control make up the Logical Link Control (LLC) 802.2 header; Vndr Code and Type make up the SNAP Header.
Preamble and SFD bit pattern: 1010...10101011
[Slide annotation: Sniffer Pro Capture Range]

• Preamble: 56 bits (7 bytes) of synchronization
• SFD: (1 byte) start frame delimiter
• DA: (6 bytes) Destination Address: address of destination node
• SA: (6 bytes) Source Address: address of source node
• Length: (2 bytes) specifies the number of bytes (3-1500) in the LLC and data fields
• DSAP: (1 byte) Destination Service Access Point; receiving process at destination
• SSAP: (1 byte) Source Service Access Point; sending process in source
• Control: (1 byte) Various control information
• SNAP: (5 bytes) First three bytes identify the vendor. Last two bytes identify the protocol
• Data: The data link layer views all information handed to it by higher layers as data, whether it is protocol information or user data
• Pad: Pads frame to minimum of 46 bytes total for the data and LLC (so collisions can be detected)
• CRC: Cyclic Redundancy Check Frame Check Sequence (FCS), or checksum value

SNAP allows vendors who do not have an assigned Service Access Point to become IEEE compliant.
Service Access Point of AA identifies a SNAP header immediately following the LLC header.
A SNAP header is five bytes. The first three bytes identify the vendor and the last two bytes identify the protocol used. The first three bytes (the vendor ID) are usually padded with zeroes. The version 2 Ethertype is generally used as the identifier.

Slide Title: IEEE 802.3 SNAP Format

Important
Points to
Cover: Finish with the pattern match and save “setups.”

TIP: TCPDEMO6 is a good trace to use to show this.

Page 1 - 27
1-28
IEEE 802.3 SNAP Data Link Layer
[Diagram: layer stack. Network Layer; Data Link Layer: SNAP, LLC and Media Access Control Sublayer; Physical Layer: IEEE Networks (e.g., 1BASE5, 802.3, 802.5)]

• SNAP (Sub-Network Access Protocol)
• SNAP is a sub-set of LLC
• Allows Protocols without an assigned IEEE SAP to implement an IEEE compliant MAC layer
• Provides for an additional 5 byte header to specify the receiving process (three bytes identify the vendor and two bytes identify the protocol)
• MAC layer contains hardware addresses of destination and sending stations
• MAC Layer ensures minimum frame length

Slide Title: IEEE 802.3 SNAP Data Link Layer

Important
Points to
Cover: Is a subset of LLC.

Page 1 - 28
1-29
IEEE Ethernet Frame Evolution

• Version 2 was historically not an IEEE recognized frame
• As of 1997, it is a part of the Ethernet frame formats
• The field formerly called the “length” field by IEEE is now labeled “length/type” field
– This provides backward compatibility for version 2

Field:  Preamble  SFD  DA  SA  Length/Type (formerly Length)  DSAP  SSAP  Control  Data + Pad  CRC
Bytes:  7         1    6   6   2                              1     1     1 or 2   42 - 1497   4

Length/Type
0-1500 = Length
1536 - 65,535 = Type
1501-1535 reserved

Slide Title: IEEE Ethernet Frame Evolution

Important
Points to
Cover: This is an automated build slide that will display on a timer. Don’t
click until you’re ready for the next slide!

A “+” in the lower left corner of the build slides tells you how many
clicks you need before it goes to the next slide. When there is no
number after the “+”, the slide is totally automated. The next click
shows the next slide.

This brings the previous information into the present definition of the Ethernet frame type.

Point out the field values at the bottom that devices use to tell what
type of frame is arriving. Of course, they’ve always done it this way,
but now the specification matches the process.

Page 1 - 29
1-30
Ethertypes and SAPs

E-Type        Value
NetWare       8137
XNS           0600, 0807
IP            0800
IP (VINES)    0BAD, 80C4
ARP           0806
RARP          8035
DRP           6003
LAT           6004
LAVC          6007
ARP (ATalk)   80F3

SAP           Value
NetWare       E0
XNS           80
NetBIOS       F0
IP            06
BPDU          42
SNA           04, 05, 08, 0C
X.25          7E
ISO           20, 34, EC, FE, 14, 54
SNAP          AA

Note: A comprehensive listing of Ethertypes and SAPs is in the appendix.

http://www.iana.org keeps an updated list of Ethertypes.
SnifferPro maintains a list of the Ethertypes and SAPs and decodes the Upper Layer Protocols (ULP) based on the Ethertype or SAP found in the Data Link header.

Slide Title: Ethertypes and SAPs

Important
Points to
Cover: There is a more complete list from the Sniffer Pro analyzer’s main
menu.

Demo: Go to Define Filters and demonstrate for the students the protocol
filters.

Use data pattern matching to filter on specific SAPs and Ethertypes.

Page 1 - 30
1-31 Determining Ethernet Frame Types

Start here: observe the hex value of the field following the DLC source address.

1. Is the value of the field greater than 05DC hex?
   YES: STOP. You have just determined that the frame is an Ethernet version 2 frame. Look at the Ethertype values to determine what ULP the frame is carrying.
   NO: Look at the 2 bytes at offset 0E.
2. Are the 2 bytes equal to FF FF hex?
   YES: STOP. You have just determined that the frame is a Novell 802.3 raw frame.
   NO: Go to the next question.
3. Are the 2 bytes at offset 0E equal to AA AA hex?
   YES: STOP. You have just determined that the frame is an 802.3 SNAP frame. Look at the Ethertype values to determine what ULP the frame is carrying.
   NO: STOP. You have just determined that the frame is a standard 802.3 frame. Look at the SAP values to determine what ULP the frame is carrying.
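The decision procedure above, written out as an added Python example (not part of the original course material). It classifies a captured frame that starts at the destination address, uses the lookup values from this section's Ethertypes and SAPs slide, and treats 1501-1535 as reserved per the Frame Evolution slide. The function names, the constructed sample frames and the length_ok check are assumptions of this example.

```python
import struct
from collections import defaultdict

# Lookup values copied from the "Ethertypes and SAPs" slide in this section.
ETHERTYPES = {
    0x8137: "NetWare", 0x0600: "XNS", 0x0807: "XNS", 0x0800: "IP",
    0x0BAD: "IP (VINES)", 0x80C4: "IP (VINES)", 0x0806: "ARP",
    0x8035: "RARP", 0x6003: "DRP", 0x6004: "LAT", 0x6007: "LAVC",
    0x80F3: "ARP (ATalk)",
}
SAPS = {0xE0: "NetWare", 0x80: "XNS", 0xF0: "NetBIOS", 0x06: "IP",
        0x42: "BPDU", 0x7E: "X.25", 0xAA: "SNAP"}
SAPS.update({s: "SNA" for s in (0x04, 0x05, 0x08, 0x0C)})
SAPS.update({s: "ISO" for s in (0x20, 0x34, 0xEC, 0xFE, 0x14, 0x54)})

MAX_LENGTH = 0x05DC  # 1500: largest value that is a length
MIN_TYPE = 0x0600    # 1536: smallest value that is a type


def classify(frame: bytes) -> dict:
    """Classify a frame that starts at the DA (no preamble or SFD)."""
    if len(frame) < 0x0E:
        raise ValueError("frame shorter than the 14-byte DLC header")
    (field,) = struct.unpack_from("!H", frame, 0x0C)  # 2 bytes after the SA

    if field >= MIN_TYPE:
        return {"format": "Ethernet II", "ethertype": field,
                "ulp": ETHERTYPES.get(field, "unknown")}
    if field > MAX_LENGTH:
        # 1501-1535 is neither a length nor a type; worth flagging in a trace.
        return {"format": "reserved", "value": field, "ulp": "unknown"}

    # The field is a length. Everything from offset 0E on is LLC/data/pad.
    payload = frame[0x0E:]
    # A length larger than the bytes present means a sliced or malformed frame
    # (padding and a captured CRC can only make the payload longer).
    result = {"length": field, "length_ok": field <= len(payload)}
    if len(payload) < 2:
        result.update(format="truncated", ulp="unknown")
    elif payload[:2] == b"\xff\xff":
        result.update(format="Novell 802.3 raw", ulp="NetWare")
    elif payload[:2] == b"\xaa\xaa":
        if len(payload) < 8:  # DSAP, SSAP, Control, 3-byte vendor, 2-byte type
            result.update(format="truncated", ulp="unknown")
        else:
            (etype,) = struct.unpack_from("!H", payload, 6)
            result.update(format="802.3 SNAP", vendor=payload[3:6].hex(),
                          ethertype=etype,
                          ulp=ETHERTYPES.get(etype, "unknown"))
    else:
        result.update(format="802.3 LLC", dsap=payload[0], ssap=payload[1],
                      ulp=SAPS.get(payload[0], "unknown"))
    return result


def mixed_format_ulps(frames) -> dict:
    """Return each upper-layer protocol seen on more than one frame format."""
    seen = defaultdict(set)
    for frame in frames:
        info = classify(frame)
        if info["ulp"] != "unknown":
            seen[info["ulp"]].add(info["format"])
    return {ulp: sorted(f) for ulp, f in seen.items() if len(f) > 1}


def build_frame(type_or_length: int, payload: bytes) -> bytes:
    """Constructed test frame: broadcast DA, made-up SA, data padded to 46."""
    da = bytes.fromhex("ffffffffffff")
    sa = bytes.fromhex("020000000001")
    return da + sa + struct.pack("!H", type_or_length) + payload.ljust(46, b"\x00")


# Constructed sample frames, one per branch of the flowchart plus two oddities.
SAMPLES = {
    "v2_ip": build_frame(0x0800, b"\x45" + bytes(19)),
    "raw": build_frame(30, b"\xff\xff" + bytes(28)),
    "snap_arp": build_frame(36, bytes.fromhex("aaaa03" "000000" "0806") + bytes(28)),
    "llc_bpdu": build_frame(38, bytes.fromhex("424203") + bytes(35)),
    "reserved": build_frame(0x05F0, b""),
    "bad_length": build_frame(1200, bytes.fromhex("e0e003")),
}

if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        print(name, classify(frame))
    print("ULPs on several frame formats:", mixed_format_ulps(SAMPLES.values()))
```

The example does not special-case PUP, which the instructor notes name as the exception to the 05DC rule.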


Slide Title: Determining Ethernet Frame Types

Important
Points to
Cover: Student reference.

This is a semi-automated build slide.

There are 3 clicks; one at each stop sign after each determination
has been made.

Page 1 - 31
1-32
Expert Shows Frame Types
• The DLC Layer Objects show the frame types received and transmitted
– Shows only as Ethertype or 802.3

Version 2 frames are shown as Ethertype Frames. All others are shown as 802.3 Frames.

Slide Title: Expert Shows Frame Types

Important
Points to
Cover: Student reference.

You may want to demonstrate this with a trace file.

Beware, only Ethertype frames are differentiated in this window. All the other frames show up as 802.3.

Page 1 - 32
1-33
Examine the DLC Details

[Screenshots: DLC details of a Version 2 Frame and of an 802.3 Frame]

Slide Title: Examine the DLC Details

Important
Points to
Cover: This is a quick visual shot of how version 2 and 802.3 frames
appear in the Detail window.

802.3 Ethernet II Demo: Mixed01.cap frame 1

802.3 Frame Demo: Mixed01.cap frame 75

Page 1 - 33
1-34
Examine the DLC Details

[Screenshots: DLC details of a NetWare “Raw” Frame and of a SNAP Frame]

Slide Title: Examine the DLC Details


Important
Points to
Cover: This is a quick visual shot of how NetWare “raw” and SNAP frames
appear in the Detail window.

802.3 SNAP Demo: TCPDEMO6.CAP frame 547

802.3 “Raw” Demo: Mixed01.cap frame 22

Page 1 - 34
1-35
Sniffer Pro Filter Elimination Patterns

• To filter Version 2, use the Ethertype
• To filter 802.3, use the SAP
• To filter NetWare, use the FFFF checksum bytes
– If the checksum is in use, use the IPX Packet Type (but be careful, because a one-byte pattern match may be ambiguous)
• To filter SNAP, use DSAP and SSAP equal to AA
• By determining what frame formats are in use on the network, you can make sure no incompatibilities exist

[Screenshot callouts, filter pattern window:]
Highlight frame in Summary window before accessing this window
Create a new profile
Choose your operand first then click Add Pattern
Summary of the match will build here

[Screenshot callouts, pattern entry window:]
1) Highlight the data in the Detail window
2) Click Set Data
3) Data will be pasted into the pattern area
4) Click OK

Choose your next operand and repeat the steps until all your matches are pasted in

Slide Title: Sniffer Pro Filter Elimination Patterns

Important
Points to
Cover: This replaces the several data pattern match slides in the previous
version of the course.
Those screen shots are placed in the student notes on this page
for their reference.
The exercise that used pattern matching has been replaced by one
using the Expert.

Page 1 - 35
1-36
So How Does This Matter?
• Devices using different frame formats will not be able to communicate directly
– They must send their frames to a translating bridge or router which converts and forwards the frames
– This creates a local router situation which doubles the traffic
• Devices configured with multiple unnecessary frame formats load the network
– NetWare servers RIP and SAP for each frame type
• Upper Layer Protocols expect a certain frame type and may not be able to communicate if the wrong frame type is in use

Slide Title: So How Does This Matter?

Important
Points to
Cover: New Slide.

This helps to link this information to practical uses for the information.

Page 1 - 36
1-37
Exercise: Which Frames Are on the Network?

Turn to the lab section to complete this exercise

Slide Title: Exercise: Which Frames Are on the Network?

Important
Points to
Cover: This exercise has been modified. It no longer uses data pattern
matching.

Be sure to practice this before class so you are ready for it!

Page 1 - 37
1-38

If you have no questions about the previous exercise, then continue with the next exercise, or if you need a demonstration or explanation, ask your instructor to help you now.

Slide Title: Yield

Important
Points to
Cover: This slide is here so you can control the exercise process.

Page 1 - 38
1-39
Exercise: A Surprise at 23:00

Turn to the lab section to complete this exercise

Slide Title: Exercise: A Surprise at 23:00

Important
Points to
Cover: This exercise is unchanged.

Page 1 - 39
1-40 Summary

In this section, you learned how to:

• Differentiate between Ethernet Frame Formats
– Ethernet Version 2
– Novell 1983 proprietary frame format
– IEEE 802.3
– IEEE 802.3 SNAP
• Recognize network configuration issues with different frame formats
• Identify frame format incompatibilities

Slide Title: Summary

Important
Points to
Cover: Wrap up the section by reviewing the labs and the objectives. Ask
the students if they have any questions.

Target Time: Breaktime of Day 1

Page 1 - 40
2-1

Ethernet Sniffer Pro Hardware


Ethernet Sniffer Pro Hardware
Section 2 TNV-202-GUI Ethernet Network Analysis and Troubleshooting

Slide Title: Ethernet Sniffer Pro Hardware - Section 2

Section Timing: Start: Day 1 Approx. ______

Finish: Day 1 Early afternoon

Important
Points to
Cover: Section 2 title slide only.

Files: 02_snf_g.PPT 02_snf_g.DOC

Traces: bcast.cap 100mbfile.caz GB.cap

Exercises: Comparing Ethernet Data

This is a new section.

We hope that by putting this information at the front of the course, the students will feel this is an up-to-date course. They get to see the new faster Ethernet products right away and see in an exercise that Ethernet looks almost the same on the Sniffer, no matter what the speed of the network.

Please remember this instructor guide is a living document. It is not complete to start and is intended to grow with time. Add to your own copy as you gain experience. Please e-mail suggestions to the course Subject Matter Expert (SME) for future updates to the course material.

Page 2 - 1
2-2
Section Objectives

Upon completion of this section, you will be able to:

• Select the appropriate Sniffer configuration for each type of Ethernet network
• Ensure system requirements are met for each type of Sniffer
• Attach Sniffer Pro to the various Ethernet networks

Slide Title: Section Objectives

Important
Points to
Cover: State the objectives.

Page 2 - 2
2-3

10/100 Ethernet

Slide Title: 10/100 Ethernet

Important
Points to
Cover: Title Slide Only.

Page 2 - 3
2-4
10/100 Portable System Requirements
• PAC 64 or 65 or CardBus compatible notebook PC
– Can also be loaded on a desktop PC
– Pentium 200 MHz CPU or higher
• Windows 95c*/98 or NT SP3 server or workstation
• Sniffer 10/100 Ethernet adapter
• 85 MB Disk space for software
– Much more for traces
• 64 MB RAM
– Some topologies require more
• Keyboard and Pointing Device

[Image: PAC 64]

Windows 95c requires Winsock 2. Windows NT has been tested through SP 6a.
Consult the Sniffer documentation for a list of the adapters supported with this release.
On heavily loaded Ethernet networks, increase the receive buffer size and capture rate on the Ethernet adapter.

In Windows 95/98:
1. In the Windows control panel, select the Network icon.
2. In the list box at the top of the Configuration tab, select the adapter, then click Properties.
3. Click the Advanced tab.
4. In the Property list box, select Receive Buffers and increase the value to a larger number. We recommend you increase the buffer size in increments of 10 to the highest possible setting, which still enables the card to load.
5. Change the Capture Rate to High - No CPU Throttling.

In Windows NT:
1. In the Windows control panel, select the Network icon.
2. Click the Adapter tab.
3. Select the adapter, then click Properties.
4. Increase the Receive Buffers value to a larger number. We recommend you increase the buffer size in increments of 10 to the highest possible setting, which still enables the card to load.
5. Change the Capture Rate to High - No CPU Throttling.

Slide Title: 10/100 Portable System Requirements

Important
Points to
Cover: New Slide.

Quickly review the three options:
Notebook
Desktop (this means that desktops are included in the NAI suite of portable software, though desktops are not really portable!)
Dolch
Review the system requirements.
The readme instructions for setting the Ethernet card parameters for heavily loaded networks are included in the student notes.

Page 2 - 4
2-5
Attaching Sniffer Pro to the Network

• Attach the RJ45 jack into a port on the hub
– All signals are seen on the Sniffer
• Attach the RJ45 jack into a port on the switch
– Use the Switch Expert or switch software to mirror the port(s) to the Sniffer port
• Attach in series on coax cable segments

[Diagram labels: PAC 64 attached to an Ethernet Hub; PAC 64 attached to an Ethernet Switch]

Slide Title: Attaching Sniffer Pro to the Network

Important
Points to
Cover: Discuss the various ways they can attach the Sniffer. It doesn’t
matter if it is notebook, Dolch or desktop. All attach the same way.

Page 2 - 5
2-6
DSPro Agents
• DS Pro consists of two computers:
• Agents permanently installed in production networks
– Attach the Agent’s Ethernet monitor card to the production network to be analyzed
– Attach the transport Ethernet card to either a dedicated network or the production network
• A console to access Agents remotely
– Attach the Console to a network that has access to the networks where the DS Pro Agents are installed
– SniffView application accesses the remote Sniffers and controls them with the familiar user interface

[Diagram labels: DSPro Agent, Ethernet Network, Optional Transport Network, DSPro Console]

Sniffer University has a two-day TNV-012-DSP class that teaches the unique configuration processes required for the DS Pro system.

Slide Title: DSPro Agents

Important
Points to
Cover: Don’t get sidetracked into explaining the DS Pro system.

Direct them to the TNV-201-DSP class!

Page 2 - 6
2-7

Full Duplex Sniffer Pro

Slide Title: Full Duplex Sniffer Pro

Important
Points to
Cover: Title Slide Only.

Page 2 - 7
2-8
System Requirements

• PAC 63, 64 or 65 or CardBus compatible notebook PC
• Windows 95c/98 or NT SP3 server or workstation
• Sniffer 10/100 Ethernet adapter
– Set to 100 Mbps
• Full Duplex pod
• 85 MB Disk space for software
– Much more for traces
• 64 MB RAM (128 is better)
• DSPro also has a 4 port Ethernet adapter you can configure in several modes

A Fast Ethernet Full Duplex Pod installation consists of the following major components:
• A PC with Sniffer Pro or Sniffer agent (Distributed Sniffer) software installed on the hard disk (the Sniffer PC).
• A supported Fast Ethernet network adapter installed in the Sniffer PC. Consult the Sniffer documentation for a list of the adapters supported with this release of the Full Duplex Pod.
• A Fast Ethernet Full Duplex Pod connected to the Sniffer PC via the Fast Ethernet adapter and the Ethernet port on the Fast Ethernet Full Duplex Pod labeled “Host Channel 10/100 UTP.”

Slide Title: System Requirements

Important
Points to
Cover: Slide moved here from section five of the previous version.

Needs a 10/100 adapter in the main PC.
Pod attaches through the Ethernet cable.
Pod attaches into the network.
Needs lots of buffer and disk space, since the traffic load is very high and will create large trace files.

Page 2 - 8
2-9
Full Duplex Pod

• Troubleshoots and analyzes all traffic on 10/100 full-duplex backbone connections
• 148,800 Packets per Second (PPS) wire speed packet capture
– Full line rate on two channels in High Speed mode
– Near 100 Mbps in streaming mode
– Stores to a hardware buffer configurable to 512 MB
• Full-duplex Dual-channel Synchronous capture

The Fast Ethernet Full Duplex Pod is a separate network interface pod provided by Network Associates for use with Sniffer Pro and the Distributed Sniffer. The Fast Ethernet Full Duplex Pod provides two separate receive channels (one for each side of a full duplex Fast Ethernet network) and can capture at full Fast Ethernet line rate speeds in either a passthrough mode or a terminated mode.
The Fast Ethernet Full Duplex Pod lets you use the Sniffer with a Fast Ethernet card installed to monitor or capture data from Ethernet, Fast Ethernet, Full Duplex Fast Ethernet, and Half Duplex Fast Ethernet.
This is called the “Pod-FEDC-NA-100” for Fast Ethernet Dual Channel in the NAI order book.

Slide Title: Full Duplex Pod

Important
Points to
Cover: Slide moved here from section five of the previous version.

Buffer is in the pod.
Frames captured on the pod are encapsulated into Ethernet frames, then delivered to the PC for analysis.
This is listed in the order list as “Pod-FEDC-NA-100” for “Fast Ethernet Dual Channel Pod.”

Page 2 - 9
2-10
Full Duplex Pod Connectors

• Connects to High-Speed 100Base-TX and 100Base-FX Ethernet Networks
– RJ-45 ports offer a power-off pass-through
– Fiber and T4 supported through MII connectors

[Diagram: pod connector panel. Power Connector; Synch In; Synch Out; Serial Port; Probe Channel B (10/100 UTP, MII); Probe Channel A (10/100 UTP, MII); Host Channel (10/100 UTP); Connection button]

Connection button: selects between Pass-through and Terminate Modes
Probe Channel B: Channel B connections to the network (UTP and MII)
Probe Channel A: Channel A connections to the network (UTP and MII)
Host Channel: connect straight-through Ethernet cable to the laptop

The Fast Ethernet Full Duplex Pod captures network data off the connected circuit and stores it in its own internal buffer. The captured data is then encapsulated in Ethernet frames and sent to the Sniffer PC over a Fast Ethernet connection. There, the analyzer strips the encapsulated capture data out of the Ethernet frame, making it available to the full set of Sniffer features.
The pod can capture frames up to 4082 bytes in length (including CRC). Frames larger than 4082 bytes will be treated as illegal frames. Normal Ethernet frames are 1518 bytes maximum.

Slide Title: Full Duplex Pod Connectors

Important
Points to
Cover: Slide moved here from section five of the previous version.

Point out the separate channel connector. They can attach to TX via UTP or FX via the MII (Media Independent Interface) connectors.
The connection button allows you to set pod to either pass-through or terminate mode.
The right-most UTP connector attaches the pod to the 10/100 card in the PC.
The Synch In and Out connectors are not used.

Page 2 - 10
2-11
Full Duplex Pod LEDs

• Separate LNK (Link) and ACT (Activity) LEDs show the status of each port
– The LNK LED illuminates when the indicated port is connected and working properly
– The ACT LED blinks when there is activity on the indicated port

[Diagram: pod LED panel. LINK and ACT LEDs for Host, Channel A and Channel B; status LEDs Pass-through, Terminate, Clock, Activity, Power, HW Chk]

LED          Description
Passthrough  Lit when pod is in passthrough mode. Switch with the button on the back of the pod
Terminate    Lit when pod is in terminate mode
Clock        Lit periodically to indicate the pod’s software is alive and active
Activity     Lit when there is potential loss of data. The data may be lost when there is more data than the pod can handle
Power        Lit when the pod is receiving power
HW Chk       Lit when there is pod hardware or software failure. Flashes in test mode

Slide Title: Full Duplex Pod LEDs


Important
Points to
Cover: Slide moved here from section five of the previous version.

Review quickly. Mainly for reference.

Page 2 - 11
2-12
Connecting the Pod to the Sniffer

• Power down the Sniffer and unplug the pod
• Attach the pod to the Sniffer with a standard Ethernet cable
– Connect between the Ethernet port on the PC and the Host Channel 10/100 UTP port on the pod
• Power on the PC
• Connect the power to the pod
• Connect the pod to the network

When the pod is powered on before the host, pod initialization may fail. Turn the pod off, then on if this occurs.
The pod provides a pass-through mode. When you remove power from the pod in pass-through mode, the link will go down! You may wish to install a splitter in the line that will enable you to attach the pod when needed without bringing down the link. Be sure it meets the dB loss specifications so the link is not degraded.

Slide Title: Connecting the Full Duplex Pod to the Sniffer

Important
Points to
Cover: New Slide.

Emphasize that this pod has a different power adapter from the rest.
It is huge and heavy and nicknamed “the brick” for good reason – it’s as big and heavy as a brick.

It’s important they follow this order. They may damage the pod and/or PC if they don’t or the Sniffer may not be able to see the pod.

Page 2 - 12
2-13
Attaching FDX Pod to the Network
• Insert directly in the link
– Copper pass-through prevents losing link, even when powered off
• Tap into the line with a splitter
– Can leave the splitter in at all times and tap the line when necessary
– Use a copper or fiber splitter/transceiver
• Tap into the line through a monitor port on a switch or hub

[Diagram labels: Channel A and Channel B inserted between Ethernet Hubs or Switches and Routers/Switches; Beam Splitters Tap Optical Signal from Channels A and B and Send to Pod; Ethernet Hub To Channel A]

Slide Title: Attaching Full Duplex Pod to the Network

Important
Points to
Cover: Slide moved here from section five of the previous version.

Three ways:
Break open the link and insert the pod. Push the button to place it
in pass-through mode.
Keep splitters in the line at all times so you won’t need to break the
connection to attach the Sniffer. Set the button to terminate mode
so the signals are not repeated back onto the wire!
Attach to a monitor port on the switch. This is vendor-specific, but
will probably allow you to select which channels you want to
monitor.

Page 2 - 13
2-14
Attaching FDX Pod to DSPro Agents

• When using the Distributed Sniffer System, attach the Full Duplex pod to the Agent and use the remote console to configure the options.
• Attach using the diagrams on the previous page

[Diagram labels: DSSPro Agent, Transport Cable, Monitor Cable, Channel B, Channel A, Ethernet Network, DSPro Console]

Slide Title: Attaching Full Duplex Pod to DSPro Agents

Important
Points to
Cover: New Slide.

Included here mainly to emphasize this pod can be used on the DS Pro system.

There is also a 4 port Ethernet card that can be used in the DS Pro to monitor several different full-duplex connections, including 400 MB pipes that combine full-duplex channels.

It is covered in the 201-DSP class.

Page 2 - 14
2-15

Gigabit Sniffer

There are several paragraphs of information in the 4.0 Readme.wri that is copied to the Sniffer Pro program directory when you load the Sniffer Pro software. Read them before you use the Sniffer!

Slide Title: Gigabit Sniffer

Important
Points to
Cover: Title slide.

Page 2 - 15
2-16
Gigabit Sniffer Pro Minimum Host CPU

• Microsoft Windows 98 or NT4.0 SP6
• 233 MHz Pentium or better
• 128 MB RAM for traffic generation
• 800 x 600 Screen 256 Color Monitor
• Large GB disk for huge trace files
• Full length PCI slot for Gigabit Ethernet card
• Half length ISA slot for power adapter if CPU doesn’t have 3.3v power available
• PCI to PCI bridge support v2.1
• Plug and Play v1.0a
• AMI or Award BIOS xx0617

[Image: PAC 64]

Windows 95 is not supported for the Gigabit Sniffer. Use a compatible portable (Dolch) or desktop that has a Peripheral Component Interconnect (PCI) slot.
AMI and Award are popular BIOS chips. The BIOS version should be AI5TV-D2-0617. You can contact DOLCH to get the BIOS Flash upgrade. There should be two files:
awdflash.exe, size=7,847 Bytes, Dated 3/8/96
Dolch-2.bin, size=131,072 Bytes, Dated 6/19/97

Upgrade the Flash BIOS for PAC-64
To upgrade the Flash BIOS for PAC-64, follow these instructions:
1. Insert the Flash BIOS upgrade diskette into drive A:
2. Run the awdflash.exe file.
3. You will be prompted to enter the BIOS file name; enter Dolch-2.bin and save the BIOS.
4. You then will be prompted to save a file. Give this file the name Dolch-1.bin.
5. Save and program the BIOS.
6. Reboot after update.

Slide Title: Gigabit Sniffer Pro Minimum Host CPU

Important
Points to
Cover: Slide moved here from section five of the previous version

Slide is adequate.

Page 2 - 16
2-17
Hardware Included

• Xyratex 1250 SX or LX Protocol Analyzer Adapter Card
– SC connectors
• Long and Short External Trigger Cables
• Duplex Fiber Optic Cable
• 3.3v Voltage Regulator Card
• PC Power Supply ‘Y’ cable
• Voltage Regulator to Protocol Analyzer Power Cable

SX: Short Wave 850 nm
LX: Long Wave

The Xyratex Gigabit card is designed to analyze the network. When the card
is installed, it does not bind to TCP/IP; in other words, no IP address
should be assigned to the card.


Ethernet Sniffer Pro Hardware
Section 2 TNV-202-GUI Ethernet Network Analysis and Troubleshooting

Slide Title: Hardware Included

Important
Points to
Cover: Slide moved here from section five of the previous version

Slide is adequate.

Page 2 - 17
2-18
Interfaces

• 1000Base-SX
• 1000Base-LX
• 1000Base-CX through external adapter
• 1000Base-T
• Can analyze both sides of full-duplex connection or two separate
single links
• Captures and analyzes raw bits from the link
– Sees 10-bit codes, autonegotiation, error propagation, collisions,
preambles, packet encapsulation, idles and code violations

SX and LX transceivers are available.


Ethernet Sniffer Pro Hardware
Section 2 TNV-202-GUI Ethernet Network Analysis and Troubleshooting

Slide Title: Interfaces

Important
Points to
Cover: New slide.

Just run down the list.

Page 2 - 18
2-19
3.3v Power

• Two sources:
• Mother boards in newer CPUs have 3.3v power supply connector
– Dolch PAC 65 and newer has 3.3v power, PAC 64 needs the card
(PAC 63 and older are not supported for Gigabit)
– Attach to the Protocol Analyzer card
• 3.3v Voltage Regulator half-slot ISA card for CPUs without the 3.3v
power supply
– Generates 3.3v from PC’s 5v power supply
– Drives up to 3 Protocol Analyzer cards
– Y cable inserts between power supply and CD-ROM/floppy disk
– Connects to Protocol Analyzer boards with short cable

ATX mother boards include the 3.3v connector.


Ethernet Sniffer Pro Hardware
Section 2 TNV-202-GUI Ethernet Network Analysis and Troubleshooting

Slide Title: 3.3V Power

Important
Points to
Cover: Slide moved here from section five of the previous version

Needs 3volts power. If the motherboard doesn’t have it, you need
another card that supplies it.
Jumper from this card to the PacketMaster card.

Page 2 - 19
2-20
Xyratex 1250 Connectors

• Two 1000Base-SX or LX Gigabit Ethernet SC Connections
• External trigger in and trigger out connections

[Diagram labels: PacketMaster 1250 Card; Connector 1 to Device 1;
Connector 2 to Device 2; Channel 1; Channel 2; Tx 1; Rx 1; Tx 2; Rx 2;
Sync In (Trigger In); Sync Out (Trigger Out)]

Available external connections are:
• two 1000Base SX Short Wave Fiber Optic connector pairs
• a single micro coax external trigger input
• a single micro coax external trigger output

Trigger conditions can be independently defined for each channel or combined
for both channels, just as for filtering. The system can accept external inputs
and can also be synchronized to other test equipment. The system can also
provide external TTL output from a trigger.

Interfaces available:
• 1000Base-SX
• 1000Base-LX
• 1000Base-CX through an external adapter
• 1000Base-T* coming later
• SX and LX transceivers are available.
* T Specification under development


Ethernet Sniffer Pro Hardware
Section 2 TNV-202-GUI Ethernet Network Analysis and Troubleshooting

Slide Title: Xyratex 1250 Connectors

Important
Points to
Cover: Slide moved here from section five of the previous version

Slide is adequate.

Page 2 - 20
2-21
Connecting the Analyzer
[Diagrams, each showing a PAC 62 and its Tx/Rx connections:]
• Full Duplex connection between 2 hubs, switches
• Full Duplex connection between end nodes
• Full Duplex connection between switch and end node
• Attached to hub or switched port (can be a SPAN port), with a
loopback between Tx1 & Rx2. Use this for traffic generation also


Ethernet Sniffer Pro Hardware
Section 2 TNV-202-GUI Ethernet Network Analysis and Troubleshooting

Slide Title: Connecting the Analyzer

Important
Points to
Cover: Slide moved here from section five of the previous version

This will help those students who have the Sniffer now. (They are
very lucky: they are in high demand and short supply.)
Slide is self-explanatory.

Page 2 - 21
2-22
Gigabit DSPro

• The Xyratex card is also supported in the DSPro Agent
• Attach this card to the Gigabit network as you do for the
portable Sniffer
• Attach the 10/100 monitor adapter to the transport network

[Diagram labels: DSPro Agent, Transport Cable, Monitor Cable,
10/100 Ethernet Network, Gigabit Network]


Ethernet Sniffer Pro Hardware
Section 2 TNV-202-GUI Ethernet Network Analysis and Troubleshooting

Slide Title: Gigabit DSPro

Important
Points to
Cover: New Slide.

Mainly FYI

Screens still look the same when you connect to the Agent.

Page 2 - 22
2-23
Exercise: Comparing Ethernet Data

Turn to the lab section to complete this exercise. Use the diagram on
the next page as a reference to the network layout.


Ethernet Sniffer Pro Hardware
Section 2 TNV-202-GUI Ethernet Network Analysis and Troubleshooting

Slide Title: Exercise: Comparing Ethernet Data

Important
Points to
Cover: New Exercise.

This exercise is here to let them see right up front how the data
looks in almost all speeds of the Sniffer. I was unable to get a 100
MB full-duplex trace file, so it has been mentioned briefly.

Do not mention the 10 bit hex decode in the Gigabit screens now!
Wait until they have been explained in the Gigabit section.

Page 2 - 23
2-24
Summary

In this section, you learned how to:
• Select the appropriate Sniffer configuration for each type of
Ethernet network
• Ensure system requirements are met for each type of Sniffer
• Attach Sniffer Pro to the various Ethernet networks

More details on using these Sniffers are in the following sections.


Ethernet Sniffer Pro Hardware
Section 2 TNV-202-GUI Ethernet Network Analysis and Troubleshooting

Slide Title: Summary

Important
Points to
Cover: Review the section objectives and answer any remaining
questions.

Target Time: Day 1 at noon or earlier if possible.

Page 2 - 24
3-1

Ethernet Physical and Data Link Layers


Ethernet Physical and Data Link Layers
Section 3 TNV-202-GUI Ethernet Network Analysis and Troubleshooting

Slide Title: Ethernet Physical and Data Link Layers – Section 3

Section Timing: Start: Day 1 Approx. 1pm
Finish: Day 1 End of day

Important
Points to
Cover: Section 3 title slide only.

Files: 03_phy_g.PPT 03_PHY_g.DOC

Traces: HUB6ARC.caz

Exercise: Cable Specifications

This is a critical section that must be covered thoroughly so the
students understand the basis of all Ethernet standards. The
exercise comes close to the end, so your challenge will be to keep
the students engaged through the lecture.

The 10BASE5 and 10BASE2 specific slides are now in the
Optional Technologies section. Be prepared to jump there if you
have students who still want to see the physical components of the
old technologies.

The diagrams have been spiffed up so they show mainly star
configurations.

Please remember this instructor guide is a living document. It is not
complete to start and is intended to grow with time. Add to your
own copy as you gain experience. Please e-mail suggestions to the
course Subject Matter Expert (SME) for future updates to the
course material.

Page 3 - 1
3-2 Section Objectives

Upon completion of this section, you will be able to:
• Describe the access method used in Ethernet
• Discuss the responsibilities of the MAC layer
• Differentiate the various types of Physical Layer devices
• Explain the importance of the physical size limitations of the
Ethernet networks
• Determine when the physical characteristics of the Physical
Layer have been extended beyond the specifications


Ethernet Physical and Data Link Layers
Section 3 TNV-202-GUI Ethernet Network Analysis and Troubleshooting

Slide Title: Section Objectives

Important
Points to
Cover: State the objectives.
The focus of the prior revision was on the new components most
customers have in their environments.
The specifications for 10BASE2 and 10BASE5 are still the basis for
the newer environments and need to be covered.

We’ve tried to make it as painless as possible while still giving them
everything they need to know to understand the buzz words and
more importantly why collision domains and timing specifications
are still important!
Most of our students think they know the Ethernet “nitty gritty”
details, but they invariably learn new things in this section.

Page 3 - 2
3-3 Ethernet Components Today

• There is a wide variety of configurations and options available
• All still adhere to core concepts that define Ethernet
• Segments are extended logically by chaining hubs or switches, or by
using bridges
• Networks are segmented using routers

[Diagram labels: Switched Segment (Dedicated Connections: Only Broadcasts
are propagated to all); Broadcast Segment (Everything broadcast to all);
Switches; Hubs; Router; Network Interface Card (NIC); Network A; Network B]

Ethernet networks are undergoing unprecedented change. Standard hubs and
switching hubs are becoming commonplace. Fast Ethernet is being included.
Full Duplex Ethernet may be installed. Fast transmit adapters enable large
amounts of data to be transmitted and received.


Ethernet Physical and Data Link Layers
Section 3 TNV-202-GUI Ethernet Network Analysis and Troubleshooting

Slide Title: Ethernet Components Today

Important
Points to
Cover: Today networks are undergoing change. We are installing switches
and hubs now. No one is really installing 10BASE5 or 10BASE2
today.
Fast Ethernet
Full duplex
Fast transmit adapters
Gigabit Ethernet

Yesterday, hubs were the new devices in networks, pushing out the
older 10BASE5 and 10BASE2 networks.

Today, switches may start to push out hubs. The only constant we
really have is change.

Emphasize the fact that whether we are talking about 10BASE5 or
switches, Ethernet is still contention-based, designed to a bus
concept.

Page 3 - 3
3-4 Ethernet Contention Access Control
• Broadcast environment
• All network stations contend for available network bandwidth
• Simultaneous transmissions cause collisions, which produce
runt frames
• Contention Access Control works well with bursty traffic

[Diagram label: Concentrator or Hub]


Ethernet Physical and Data Link Layers
Section 3 TNV-202-GUI Ethernet Network Analysis and Troubleshooting

Slide Title: Ethernet Contention Access Control

Important
Points to
Cover: No inherent line control is used. The only requirement to transmit
data is that the wire is quiet for 9.6 bit times.

Page 3 - 4
3-5 CSMA/CD: The Basis for Ethernet Specifications

• Carrier Sense
– Listen until no carrier is sensed, then transmit after a delay
• Multiple Access
– Designed for a broadcast environment
– Every station hears every frame
• with Collision Detection
– Listen for a collision while you transmit
• Designed for a bus, usually implemented as a star
– The rules are observed in half-duplex switched networks even
though collisions are usually avoided by using dedicated
connections


Ethernet Physical and Data Link Layers
Section 3 TNV-202-GUI Ethernet Network Analysis and Troubleshooting

Slide Title: CSMA/CD The Basis for Ethernet Specifications

Important
Points to
Cover: The basics. Preparing the students for what is to come later.

Page 3 - 5
3-6 MAC Frame Transmission

• Construct a frame from data supplied by the upper layer
– A legal frame must be at least 64 bytes long and no longer
than 1518 bytes (counting the CRC, but not the Preamble)
– If necessary, the 802.3 MAC layer adds a pad so that the
frame is at least 64 bytes
• Calculate and append the CRC
• Sense Carrier: Defer to stations already transmitting
• Observe Interframe spacing: There is always at least a
96 bit time delay between frame transmissions
– 9.6 µs for 10 Mbps, .96 µs for 100 Mbps, 96 ns for 1000 Mbps
• Transmit and listen
• Detect collisions
• Backoff and retransmit if collisions occur

All adapters are manufactured to the Ethernet specifications. The card has no
knowledge of whether it is plugged into a switch or hub port.
These specifications apply to all speeds of Ethernet. The interframe spacing is
always 96 bit times. The actual time between frames is dependent on the
speed of the network and shrinks in proportion to the increase in speed.
Specifications dictate that there be a minimum 9.6 microsecond delay
between frames in 10 Mbps Ethernet. An adapter must sense that the wire has
been quiet at least 9.6 microseconds before it can transmit.
In Fast Ethernet, the interframe gap is .96 microseconds.
The gap in Gigabit Ethernet is 96 nanoseconds.


Ethernet Physical and Data Link Layers
Section 3 TNV-202-GUI Ethernet Network Analysis and Troubleshooting

Slide Title: Media Access Control (MAC) Frame Transmission

Important
Points to
Cover: With IEEE MAC layer, it is the MAC’s job to ensure the minimum
frame length.
This is a departure from the V2 specifications, which forced the
network layer protocol to guarantee the minimum frame size. Now
the version two frames have been brought under the IEEE, so all
versions must pad.
The MAC layer is responsible for accessing the channel and
ensuring correct transmission of the data.
MAC functions reside on the adapter on the chipset.

Import change: The Interframe gap has been changed from 96
microseconds to 96 bit times to imply this is used in all
speeds. Use this term throughout this section.

The Interframe Gap is 9.6 microseconds in 10 Mbps, 960
nanoseconds in 100 Mbps and 96 nanoseconds in Gigabit
1000 Mbps.

Page 3 - 6
3-7 Frame Transmission

• After sensing that there is no carrier on the wire during the
interframe gap period, stations with data to send transmit the
frame
• The signal is propagated everywhere
• The source station listens while transmitting
• It assumes the frame was delivered if it sensed no interference

[Animated diagram: the Source Station sends the Preamble and Dest Address
bits through the Concentrator or Hub to every station. *Timing slowed to
show process]

Even in switched environments, stations must wait the interframe time after
the line goes silent before they start transmitting.


Ethernet Physical and Data Link Layers
Section 3 TNV-202-GUI Ethernet Network Analysis and Troubleshooting

Slide Title: Frame Transmission

Important
Points to
Cover: This is a timed build slide and covers only the transmission part of
the process. It builds automatically.

The station that wants to transmit listens for carrier

When it senses there is no carrier, it waits the interframe gap time,
then begins to transmit.

This is a good time to discuss the adapters that jump the gun
and start transmitting before the interframe gap time. This is
mentioned in the student notes and should be discussed in
class.

When the signal is transmitted, it is intended to go everywhere.

All stations hear it.

Stations continue to listen while they transmit.

Page 3 - 7
3-8 Collisions
• When two stations with data to transmit sense that the media is
available at the same time, they both transmit and a collision occurs
• The transmitting adapters sense the collision and continue to
transmit a 32-bit jam signal, and wait a random amount of time
before retransmitting
• If there are repeated collisions, the adapter tries again (up to a
total of 16 times)
• It uses truncated binary exponential backoff to ensure that two
stations will not collide with each other again during the wait cycle
– Each time it retries, it waits a random amount of time

[Animated diagram labels: Transmit, Collision, Transmit, Jam, Jam,
Concentrator or Hub. *Timing slowed to show process]

Stations continue to listen as they transmit.

Twisted pair environments are basically point-to-point communications. While
an adapter is transmitting, it listens on its receive pair. If a receive signal is
detected, the adapter has detected a collision.
On a bus, the transceiver detects an increase in voltage on the wire if another
station transmits at the same time. The transceiver notifies the adapter of a
collision.
Any other stations with frames queued sense the wire is busy and they wait
until the interframe gap has passed after the wire goes silent.


Ethernet Physical and Data Link Layers
Section 3 TNV-202-GUI Ethernet Network Analysis and Troubleshooting

Slide Title: Collisions

Important
Points to
Cover: This is a timed build slide. Some is automated on a timer, and
some requires a mouse click to activate.

Wait to click until the first collision occurs.

There are three clicks for the slide.

--------------------------------------------------------------------------------
The signal from the transmitting station will not be heard by the
second station some distance from it, so it begins to send its frame.
If a collision occurs, the participating stations output a minimum of
32 bits as a jam.
Its purpose is simply to busy out the wire on a 500 meter segment.
Import change: The wording was changed slightly to indicate
it does not stop transmitting, but just continues to transmit the
jam signal instead of the frame.
IEEE states a minimum jam of 32 bits but does not specify a
maximum jam period past 150 ms.
There is no specified jam pattern for the adapters.
Manufacturers can do what they want as long as it is not the CRC
of the bits that were just transmitted.
The transmitting adapters back off a random amount of time. The
first station to timeout tries again. In the meantime, a totally
different station may have gotten a frame out onto the network.
Each time the adapter is involved in a collision trying to transmit the
same frame, it waits a longer period of time before listening for
carrier.
It gives up after 16 unsuccessful attempts and purges the frame
from its transmit buffer. The upper layer protocol must queue it
again. This of course involves more delay than the collisions and
backoff induced.

Page 3 - 8
3-9 Truncated Binary Exponential Backoff
Retry  Random Time Range             Retry  Random Time Range
1      2^1 = 0...2 x 51.2 µsec       9      2^9 = 0...512 x 51.2 µsec
2      2^2 = 0...4 x 51.2 µsec       10     2^10 = 0...1024 x 51.2 µsec
3      2^3 = 0...8 x 51.2 µsec       11     2^10 = 0...1024 x 51.2 µsec
4      2^4 = 0...16 x 51.2 µsec      12     2^10 = 0...1024 x 51.2 µsec
5      2^5 = 0...32 x 51.2 µsec      13     2^10 = 0...1024 x 51.2 µsec
6      2^6 = 0...64 x 51.2 µsec      14     2^10 = 0...1024 x 51.2 µsec
7      2^7 = 0...128 x 51.2 µsec     15     2^10 = 0...1024 x 51.2 µsec
8      2^8 = 0...256 x 51.2 µsec     16     2^10 = 0...1024 x 51.2 µsec

(1024 x .0000512 = 52.4 milliseconds)

The backoff time is measured using the propagation delay of the media (slot
time). The figures above are for 10 Mbps Ethernet. 100 Mbps times are
1/10th of these times; Gigabit times are 1/100th of these times.

© Network Associates Ethernet Network Analysis and Troubleshooting


Ethernet Physical and Data Link Layers
Section 3 TNV-202-GUI Ethernet Network Analysis and Troubleshooting

Slide Title: Truncated Binary Exponential Backoff


Important
Points to
Cover: For student reference. Don’t spend any time here.

The previous two slides are now combined on this single slide.

Page 3 - 9
3-10 Half Duplex MAC Transmit
[Flowchart]
1. Data to send.
2. < 60 bytes? If yes, pad to 60 bytes.
3. Calculate and add CRC.
4. Carrier sense? If yes, defer until end, then check again. If no,
wait 96 bit times.
5. Transmit data and listen for collision.
6. Detect collision? If no: end of data? If no, keep transmitting.
If yes, done: transmit OK!
7. If a collision is detected, send jam. Too many attempts? If yes,
done: excessive errors. If no, compute backoff, wait backoff time,
and go back to carrier sense.

All speeds of Ethernet follow this flowchart. Only the timing changes.
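The MAC Frame Transmission steps, the backoff table and the Half Duplex MAC Transmit flowchart above, combined into one added example (not part of the course material). The `collides` callback is a hypothetical stand-in for the shared medium, carrier sense is assumed to find the wire idle, and the backoff draws an integer slot count r with 0 <= r < 2^k, k = min(retry, 10), which is how IEEE 802.3 defines the range the table prints as "0...2", "0...4" and so on.

```python
import random
import struct
import zlib

SLOT_TIME_US = 51.2      # slot time at 10 Mbps, the unit used in the backoff table
IFG_BIT_TIMES = 96       # interframe gap, the same number of bit times at every speed
MAX_ATTEMPTS = 16        # the adapter gives up after 16 tries
BACKOFF_CAP = 10         # the exponent stops growing at the 10th retry ("truncated")
MIN_BEFORE_CRC = 60      # pad to 60 bytes; the 4-byte CRC brings the frame to 64
MAX_BEFORE_CRC = 1514    # 1518 bytes maximum, counting the CRC


def interframe_gap_us(mbps):
    """96 bit times expressed in microseconds for a given line rate."""
    return IFG_BIT_TIMES / mbps


def build_frame(dst, src, ethertype, payload):
    """First boxes of the flowchart: pad if < 60 bytes, then calculate and add CRC."""
    body = dst + src + struct.pack("!H", ethertype) + payload
    if len(body) > MAX_BEFORE_CRC:
        raise ValueError("frame would exceed 1518 bytes")
    body = body.ljust(MIN_BEFORE_CRC, b"\x00")
    return body + struct.pack("<I", zlib.crc32(body))


def backoff_choices(retry):
    """How many slot counts the adapter can draw from after collision number `retry`."""
    if not 1 <= retry <= MAX_ATTEMPTS:
        raise ValueError("retry must be 1..16")
    return 2 ** min(retry, BACKOFF_CAP)


def backoff_slots(retry, rng=random):
    """Random wait, in slot times, before the next attempt."""
    return rng.randrange(backoff_choices(retry))


def transmit(frame, collides, rng=random):
    """Walk the transmit loop of the flowchart.

    collides(attempt) -> bool says whether attempt N hits a collision
    (hypothetical medium model). Returns (status, attempts, slots_waited).
    """
    if not 64 <= len(frame) <= 1518:
        raise ValueError("not a legal frame length")
    slots_waited = 0
    for attempt in range(1, MAX_ATTEMPTS + 1):
        # Carrier sense found the wire idle and 96 bit times have passed.
        if not collides(attempt):
            return ("ok", attempt, slots_waited)
        # Collision detected: send jam, then back off unless out of attempts.
        if attempt < MAX_ATTEMPTS:
            slots_waited += backoff_slots(attempt, rng)
    return ("excessive_collisions", MAX_ATTEMPTS, slots_waited)


if __name__ == "__main__":
    frame = build_frame(b"\xff" * 6, bytes(6), 0x0800, b"hi")  # constructed sample
    status, attempts, slots = transmit(frame, lambda n: n < 4, random.Random(1))
    print(len(frame), status, attempts, round(slots * SLOT_TIME_US, 1), "us backoff")
    for mbps in (10, 100, 1000):
        print(mbps, "Mbps interframe gap:", interframe_gap_us(mbps), "us")
```

Multiply `slots_waited` by `SLOT_TIME_US` to get the total backoff delay at 10 Mbps.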


Ethernet Physical and Data Link Layers
Section 3 TNV-202-GUI Ethernet Network Analysis and Troubleshooting

Slide Title: Half Duplex MAC Transmit

Important
Points to
Cover: Spend time taking the students through the process. Make sure
they understand.

There is a new diagram similar to this in the Full Duplex section
now.

Page 3 - 10
3-11 Frame Reception

• All adapters synchronize clocks to the preamble bit pattern
• Upon receipt of “end of preamble flag,” adapters copy the DLC
destination address
• If the destination DLC address is equal to their own or a
broadcast, stations continue to copy, otherwise they stop
copying and release the buffer

[Animated diagram: Source C788CD809782 sends Preamble, Dest Address and
Source Address through the Concentrator or Hub; Destination is
080069020FD3. *Timing slowed to show process]


Ethernet Physical and Data Link Layers
Section 3 TNV-202-GUI Ethernet Network Analysis and Troubleshooting

Slide Title: Frame Reception

Important
Points to
Cover: This is an automated build slide. Click the mouse when you are
ready to show the action after you have covered the bullets.

Stations hear the preamble and synchronize their clocks to it. The
Start of Frame delimiter indicates the destination field is coming
next.

Stations listen for as long as it takes to determine if the frame is
addressed to them or not.
If it is addressed to them, they copy it.

If the frame is not intended for them, they discard the bits from their
receive buffer and passively wait for a new signal or the quiet time
so that they may send their own data.

Page 3 - 11
3-12 Assessment of Received Frames

[Flowchart]
• >512 bits? If no: Runt Frame. Discard frame.
• If yes: CRC valid? If yes: Good Frame! Pass to higher layer protocol.
• If the CRC is not valid: end on 8-bit boundary? If yes: CRC Error.
If no: Alignment Error. Discard frame.

MAC Frame Reception:
• Recognize if frame is destined for this station
• Discard frame if it is too short (runt)
• If frame does not end on an 8-bit boundary, truncate it to the nearest 8-bit
boundary
• Calculate CRC. If the calculated CRC does not match the CRC in the frame,
discard the frame (If the discarded frame does not end on an 8-bit boundary,
report Alignment Error; otherwise report CRC error)
• Pass good data to the upper layer

Frames are always truncated because transmitters have a hard time stopping
immediately after the last data bit. Transmitters are allowed 1.6 bit times after the
final data bit to let their transmission level reach 0.
Any bits whose signal level is less than the receiving adapter’s minimum level
requirements will be disregarded. It is possible for a transmitting adapter to send an
extra bit or two after sending the CRC field, and for these bits to be of sufficient
amplitude to be seen as bits by a receiving adapter. In these circumstances, the bits
are referred to as dribble bits and will be truncated by the receiving adapter to the
nearest 8-bit boundary. Dribble bits become more evident in Fast Ethernet and Gigabit
Ethernet networks, due to the increased number of bit times required for transmitting
adapters to return to zero.
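The receive-side decisions from the Frame Reception and Assessment of Received Frames slides, written out as an added example (not part of the course material). A received frame is modelled here as its whole bytes plus a count of leftover bits, the sample frames are constructed, and the two station addresses are the ones printed on the Frame Reception diagram; the runt test uses the 64-byte (512-bit) minimum stated on the MAC Frame Transmission slide.

```python
import struct
import zlib
from collections import Counter

BROADCAST = b"\xff" * 6
MIN_FRAME_BITS = 512     # 64 bytes, counting the CRC but not the preamble


def fcs(body):
    """Ethernet CRC-32 of a frame body, in the byte order seen in a capture."""
    return struct.pack("<I", zlib.crc32(body))


def assess_frame(octets, extra_bits, station_mac):
    """Classify one received frame the way the flowchart does.

    octets      whole bytes received after the preamble, CRC included
    extra_bits  0..7 bits left over after the last whole byte (dribble bits)
    """
    if not 0 <= extra_bits <= 7:
        raise ValueError("extra_bits must be 0..7")
    # Address recognition: keep copying only for our own address or a broadcast.
    if len(octets) >= 6 and octets[:6] not in (station_mac, BROADCAST):
        return "not_for_this_station"
    # Too short to be a legal frame: a collision fragment.
    if len(octets) * 8 + extra_bits < MIN_FRAME_BITS:
        return "runt"
    # Truncate to the 8-bit boundary: the leftover bits are dropped and the
    # CRC is checked over the whole bytes only.
    body, received_fcs = octets[:-4], octets[-4:]
    if fcs(body) == received_fcs:
        return "good"   # dribble bits alone do not make a frame bad
    return "alignment_error" if extra_bits else "crc_error"


def tally(frames, station_mac):
    """Count the outcomes for a list of (octets, extra_bits) pairs."""
    return dict(Counter(assess_frame(o, x, station_mac) for o, x in frames))


# Addresses as printed on the Frame Reception diagram.
STATION = bytes.fromhex("080069020FD3")
SOURCE = bytes.fromhex("C788CD809782")


def _frame(dst):
    body = dst + SOURCE + b"\x08\x00" + bytes(46)   # 60 bytes before the CRC
    return body + fcs(body)


# Constructed sample traffic, not taken from any course trace file.
GOOD = _frame(STATION)
DAMAGED = GOOD[:20] + bytes([GOOD[20] ^ 0x01]) + GOOD[21:]   # one flipped bit
SAMPLES = [
    (GOOD, 0),                                   # clean frame
    (GOOD, 2),                                   # clean frame plus two dribble bits
    (DAMAGED, 0),                                # bad CRC, byte aligned
    (DAMAGED, 3),                                # bad CRC, not byte aligned
    (GOOD[:40], 0),                              # fragment shorter than 64 bytes
    (_frame(bytes.fromhex("020000000001")), 0),  # addressed to another station
    (_frame(BROADCAST), 0),                      # broadcast
]

if __name__ == "__main__":
    for outcome, count in sorted(tally(SAMPLES, STATION).items()):
        print(f"{outcome:22} {count}")
```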


Ethernet Physical and Data Link Layers
Section 3 TNV-202-GUI Ethernet Network Analysis and Troubleshooting

Slide Title: Assessment Of Received Frames

Important
Points to
Cover: Cover well.

A similar diagram is in the Full Duplex section.

Page 3 - 12
3-13 Repeaters
[Diagram labels: Repeater; Multiport Repeater; Hub or Concentrator
(ports 1 to 6); 10BASE5; 10BASE2; 10BASE-T; AUI]

• A repeater is a physical layer device that extends the network length
and topology by regenerating and retiming the signal one bit at a
time
• A repeater repeats every signal that comes in on one port onto every
other port. A repeater does not isolate traffic or collisions
• A repeater is transparent to other stations on the network. A repeater
is not addressable. It does not store and forward data
• A 10BASE-T hub acts as a multiport repeater

A repeater can cause more collisions, since a collision signal is propagated out
all ports. Hubs managed through SNMP have an IP address assigned to the
interface that communicates with the management application. This address is
NOT used in frame regeneration.


Ethernet Physical and Data Link Layers
Section 3 TNV-202-GUI Ethernet Network Analysis and Troubleshooting

Slide Title: Repeaters

Important
Points to
Cover: Repeaters are required to quickly forward data from one port onto
all others.
A repeater doesn’t isolate collisions, it propagates them.

A hub graphic has been added to the slide.

Page 3 - 13
3-14 Repeaters are Responsible For:

• Preamble Regeneration
– Remove preamble from received frame and regenerate it on
sending frame
• Data Repeat
– Repeat all signals received on one segment to all other
segments attached to the repeater
• Signal Amplification
– Ensure the amplitude of signals is correct
• Signal Retiming
– Ensure encoded data output is within jitter tolerances
• Fragment Extension
– Extend repeated signal if less than 96 bits (including
preamble)

Preamble: 8 bytes of 1010101...10101011 at the beginning of each Ethernet
frame. The preamble is discussed in more detail in the data link layer section.
A repeater uses the preamble to sync up to bits, just like any station does.
Some bits may be lost, in which case the repeater regenerates a new
preamble.
If a repeater receives a little fragment (runt) frame that is less than 32 bits
plus preamble, the repeater will extend the bits to at least 96 bits. This
ensures that the signal meets the next repeater while the repeater is still
transmitting, so that the attached segments are “busied out” for the duration
of the original collision.


Ethernet Physical and Data Link Layers
Section 3 TNV-202-GUI Ethernet Network Analysis and Troubleshooting

Slide Title: Repeaters Are Responsible For:

Important
Points to
Cover: Repeaters do not repeat preamble. They create a new preamble.
When they see the “11” indicating the end of preamble, they go into
repeat mode.
Repeaters jam out all ports on detection of a collision.
They are the only devices for which IEEE has defined a jam pattern
(documented in the student notes).

Page 3 - 14
3-15 10BASE-T Ethernet Cabling

[Diagram labels: Concentrator or Hub; RJ-45 jacks; UTP; RJ-45 jack;
100 meters max; Internal Transceiver on NIC and RJ-45 jack; Older
Implementations: External Transceiver, AUI cable]

• Media = .4 to .6 mm diameter (26 to 22 AWG) unshielded wire in a
multi-pair cable
• Maximum distance from hub to transceiver = 100 meters
• A hierarchical star topology is allowed, with up to four levels of
concentrators

Telephone wire meets the requirements because it is usually unshielded
twisted-pair cable composed of .5 mm (24 AWG) twisted pairs. When
unshielded twisted pair cabling is used, you must be concerned with
electromagnetic and radio interference, as well as cross-talk. Cross-talk is
caused by excessive coupling of signals from one line to another, due to the
geometry of the twist. Use a cable scanner to test for cross-talk.
The 10BASE-T specification states that any two stations communicating cannot
traverse more than four hubs. This follows the four repeater rule contained in
the IEEE 802.3 specification. Each hub contains repeater functionality.
The limit of 100 meters is for the worst case of 11.5dB of signal attenuation.
Many manufacturers now use transceiver chips that drive typically from 125
meters to 200 meters (626 feet). However, the moment you attach a hub with
these cable lengths to another hub, overall propagation delay comes into play.
If you're using a standalone hub AND your new and improved TDR says all of
the requirements for segment signal conformance are being met, you don't
have to worry about using the longer UTP cable.


Ethernet Physical and Data Link Layers
Section 3 TNV-202-GUI Ethernet Network Analysis and Troubleshooting

Slide Title: 10BASE-T Ethernet Cabling

Important
Points to
Cover: Hubs are repeaters.

Cover the cable distance specifications.

Page 3 - 15
3-16 10/100Base-T Frame Transmission

10/100Base-T Hub or Concentrator


• A group of multiport
repeaters
• Signal received off of a
Inbound Flooded port is repeated onto the
signal from out to all backplane, then flooded
transmitting other out all other ports
station ports
Sniffer University

Workstation
Workstation
File Server File Server

Concentrators (hubs) are the equivalent of a bus in a box and function like
multiport repeaters. A signal received from a transmitting station is repeated
onto the backplane and then repeated (flooded) out all other ports. Hubs and
repeaters do not repeat preamble. They regenerate a new one. When the end
of preamble is reached, repeaters then go into repeat mode. Fragments are
extended to the minimum of 96 bits. Concentrators (hubs) do not segment
collision domains. Upon detection of a collision, hubs jam out all ports.
Repeaters are the only devices that have an IEEE-specified jam pattern. The
first 62 bits (of 96) must be 10101010...etc.
The concentrator may partition any port with 32 consecutive collisions.
Unmanaged hubs will re-enable the port upon receipt of any good data frame.
Managed hubs tend to require that the administrator re-enable the port
through the element manager.


Slide Title: 10/100Base-T Frame Transmission

Important
Points to
Cover: Note the addition of 100Base info here.

This is an automated build slide showing the signal propagation.

It’s still a bus with the backplane propagating the signal everywhere.

Page 3 - 16
3-17 The Hierarchy of Ethernet Hubs
Simple, low-cost Desktop Hubs
• Standalone hubs typically support 8-16 ports
• Some larger multi-slot hubs support from 4-12
“line cards,” each containing 12-24 ports, for a
total of about 288 physical ports
• All users are connected to same backplane,
hence the same LAN
• 10/100 Autosensing

Workgroup Hubs
• The need for autonomous work groups requires
backplane segmentation of larger hubs
• Hub backplanes are physically separated into 2
or 3 or 4 different Ethernet segments
• 10/100 Autosensing

Interconnection of these separate LANs is accomplished by the inclusion of
bridge-on-a-card or router-on-a-card modules to one of the segmented LANs.
Standalone bridges and routers are also used, but the trend is toward space-
conserving configurations. Some vendors offer tiny “micro” bridges to connect
one Ethernet to another. All networking components reside within the hub or
networking platform, which makes them ideal for locked wiring closets.
Workgroup hubs typically have an element manager that will support both in-
band (Telnet via TCP/IP on Ethernet) and out-of-band (RS232 for modems)
access. These element managers provide physical level data about the health
of the LAN and can send SNMP “traps” to, or respond to SNMP polls from
integrated network management systems or “umbrella” managers. Some hubs
are equipped with redundant hot-standby power supplies for maximum up-
time. Power supply or line card “swaps” can be performed during off-peak
times.
The reality: although hubs have evolved into the heterogeneous networking
platform, they have also become the single point-of-failure for many
workgroups.


Slide Title: The Hierarchy of Ethernet Hubs

Important
Points to
Cover: Student notes and slide are adequate.

The names of the hubs have changed to reflect how they are
marketed today.

Page 3 - 17
3-18 Backbone Hubs

• Multiple “flavors” of backbone hubs proliferate today. Some offer
dedicated functions, while others offer add-in functionality via line
cards like:
– Multiple media Ethernet segments: AUI, BNC, 10/100BASE-T, FOIRL
– Multiple media Token Ring segments: STP, UTP, fiber repeaters
– Multiport local and remote bridges with FDDI backbone interfaces
– Multiport, multi-protocol local and remote routers
– Ethernet packet switches. These are discussed in more detail later
– LAT and TCP/IP terminal servers for RS232-based devices
– X.25 gateways, SNA gateways
– Novell NetWare file servers
– Etc. The list continues to grow

SNMP Management applications are used to control these sophisticated hubs.
Many offer click and drag operations to logically move stations.
SNMP agents collect port, backplane and other statistics. The management
stations periodically poll the devices for the statistics. Data is collected and
reports are generated to track the health of the device and network.


Slide Title: Backbone Hubs

Important
Points to
Cover: Student notes and slide are adequate.

Page 3 - 18
3-19 Link Test Pulse

[Diagram: transceiver indicators TX, RX, COL and LINK, and a NIC]

• Many transceivers and hub ports feature a Link LED (usually green
in color) that provides a confidence check of wire pair integrity
• A pulse is transmitted on one end’s transmit pair to the other end’s
receive pair every 201 µs. The pulse is unique and will not be
mistaken for a data frame or a collision
• It provides status of the hub’s transmit wire pair to the node’s
receive wire pair (node Link LED), and the node’s transmit pair to
the hub’s receive pair (hub Link LED)
• An illuminated Link LED is not a guarantee that the wire pair is
polarized or phased correctly (TX+ to RX+, TX- to RX-) or that the
wire pair is twisted together end-to-end (pin 3 twisted with pin 6,
for example: orange/white wire twisted with white/orange wire)

10Mbps link test pulses are 100 nanoseconds (100 nanoseconds = 0.1
microseconds = 1 bit time) in size, and are transmitted every 201
microseconds. Unless there is a regular link test pulse, data is not transferred
from the wire to the receiver, or from the transmitter to the wire.
Polarization or phase is the correct match of TX+ to RX+ instead of TX+ to
RX-. Some early 10BASE-T products did not incorporate auto-polarity and auto-
phase matching capabilities. The wires connecting these devices must be
oriented correctly. Subsequent products do incorporate these features.
100BASE-T Link Integrity pulses are sent continuously on the T4 primary
transmit pair about 1 ms apart. Failure to detect these pulses generates an
error.


Slide Title: Link Test Pulse

Important
Points to
Cover: The link pulse test does not check for correct phasing of the signal.
It is simply a continuity test.

If the pulse is not there, the devices will not communicate.

We are going to be doing some comparisons of these link pulses
as we discuss Fast and Gigabit Ethernet.

The characteristics of the 10 Mbps link pulses are important to
mention here:

One pulse

Evenly spaced at 201 microseconds

Page 3 - 19
3-20 10 Base T Ethernet Pinouts

[Diagram: RJ-45 jack at NIC and RJ-45 plug, contacts numbered 1 to 8]

Contact  Wire          Signal      X-over contact  X-over wire
1        white/orange  Transmit +  3               white/orange
2        orange/white  Transmit -  6               orange/white
3        white/green   Receive +   1               white/green
4                      Not used
5                      Not used
6        green/white   Receive -   2               green/white
7                      Not used
8                      Not used

The 8-pin connector is used as the mechanical interface to the twisted pair
cable. The connector is used on the hub as well as the NIC. Typically the NIC
connects to a wall outlet using a twisted pair patch cord. Wall outlets connect
through building wiring and a cross-connect function to the repeater hub. The
cross connect (or crossover) function connects the transmitter at one end of
the twisted pair link to the receiver at the other end of the twisted pair link.
The cross connect can be built into the receiving end.
There are two pairs used for each station attachment. Two wires (one pair)
are used to receive data from the hub to which it is attached. The second pair
is used to transmit data to the hub. Normally a light on the hub indicates the
pair from the station to the hub are attached correctly (this is the TX+ and TX-
from the station to the RX+ and RX- on the hub). A light (Link LED) on the
card indicates the pair from the hub to the station are correct (this is the TX+
and TX- from the hub to the RX+ and RX- on the station).
Most 10 and 100 Mbps twisted-pair Ethernet is still half duplex: a station is
either transmitting or receiving, not both.


Slide Title: 10BASE-T Ethernet Pinouts

Important
Points to
Cover: Ethernet hubs used to require correct phasing. You could not get
away with reversing the leads.

Most hubs today will auto-sense and compensate if the polarity is
reversed.

Pins 4 and 5 are not used. They were reserved for tip and ring.

Pins 7 and 8 were used in the old days for a second line or to
power a phone with auxiliary features.

Page 3 - 20
3-21 Which Wires are Paired at the Jack/Plug?

Wire #  568A wiring standard   568B wiring standard   Ethernet (802.3)
1       white/green  (pair 3)  white/orange (pair 2)  T+
2       green        (pair 3)  orange       (pair 2)  T-
3       white/orange (pair 2)  white/green  (pair 3)  R+
4       blue         (pair 1)  blue         (pair 1)
5       white/blue   (pair 1)  white/blue   (pair 1)
6       orange       (pair 2)  green        (pair 3)  R-
7       white/brown  (pair 4)  white/brown  (pair 4)
8       brown        (pair 4)  brown        (pair 4)

[The diagram also marks the wires used by Token ring (802.5).]

• If you suspect noise is damaging data to a station, check to see if the
receive pair has been “split out”
• If the receive pair is not twisted together, the wires will not be mutually
affected by the same noise, thus Common Mode Rejection will not be
effective

How will you know if noise is affecting data to a station? For one thing, you will
see lots of CRC errors on the Sniffer with that station as the destination
address. There will also be various other errors (especially retransmissions)
associated with the station.
The EIA/TIA 568 wiring standards shown above are somewhat different from
the widely used “USOC” wiring scheme (not shown) for telephone signals.
Because of the wire-pair layouts, a 568 link can be used for voice signals;
however, USOC wiring is not properly paired for Ethernet signals.
EIA/TIA 568 standards specify an 8-pin connector (RJ-45), pinned out in one
of the two options--568A or 568B--shown above. Today’s connecting hardware
is color-coded to match the wires, and modern cable testers can quickly
determine if the link is capable of carrying a 10 or 100 Megabit Ethernet signal.


Slide Title: Which Wires are Paired at the Jack/Plug?

Important
Points to
Cover: 10BASE-T requires the transmit leads and the receive leads to be
discrete pairs.

It does not matter how your plant is cabled, but you need to know
so that the pairing can be maintained.

10BASE-T will not work if the pairs are not maintained.

Page 3 - 21
3-22 Common Mode Rejection (CMR)

[Diagram: a TX+/TX- pair driving an RX+/RX- pair in each direction; the wires
swing between +2.5v and -2.5v around 0 volts]

• For CMR to function properly, a pair of wires need to be twisted around
each other
• CMR uses the voltage differences between each signal (TX+) and its mirror
image (TX-) to determine the logic state of each bit. (The differential
voltage is typically either 5v or 0v)
• Voltage spikes, when they occur, will induce themselves onto the wire pair
but the difference in voltage (5v or 0v) will remain the same
• CMR is not perfect, as excessive electrical “noise” may defeat the
cancellation process and destroy the transceivers at the hub and the node

For Common Mode Rejection (balanced signaling, or longitudinal voltages) to
work properly, the signal and its reference need to be subject to the same
interference. For the signals to be subject to the same interference, they are
treated as a pair and mutually twisted. There are several different schemes of
pairings. Unshielded twisted pair wiring that is correct for Ethernet may not be
correct for telephony, or wire that is correct for Token Ring may not be correct
for Ethernet.
Observe standard wiring guidelines such as NOT routing UTP over fluorescent
lights, near high-voltage or high-current sources, etc.
The diagram above depicts the hex pattern of 6E, which Intel uses as the
cable test pattern.


Slide Title: Common Mode Rejection (CMR)

Important
Points to
Cover: This is what allows 10BASE-T to work.

The important concept is that you want the same amount of noise
on the receive minus wire as the noise on the receive plus wire.

Equal noise maintains the relationship of the signal and can be
filtered out so that the chips can still determine a one from a zero.

When wires are not twisted together and noise hits, the
relationship is not constant and common mode rejection doesn’t
work.

Page 3 - 22
3-23 Cabling Installations

[Diagram: connection points numbered 1 to 10 between the NIC card connection,
wall plate, punch down block and patch panels]

Beware of too many connections. Each one contributes to signal
attenuation and represents a potential failure point

The diagram above can apply to Ethernet or Token Ring. The connections in
the diagram are:
1) PC NIC and UTP patch cord
2) UTP patch cord and wall plate
3) Wall plate and UTP cable
4) UTP cable and punchdown block
Punch down blocks include BIX 1A, Telco 66, and/or AT&T MT 110
(for level 5)
5) Punchdown block and 25-pair cable
6) 25-pair cable and first patch panel
7) First patch panel and UTP patch cord
8) UTP patch cord and second patch panel
9) Second patch panel and 25-pair cable
10) 25-pair cable and interface module
This cabling diagram may be simplified in most locations. The shaded area
from points 4-9 is the equivalent of a harmonica, a device in common usage
in many installations.


Slide Title: Cabling Installations

Important
Points to
Cover: This cabling diagram does not represent the ideal, but rather is an
example of how things should NOT be done. Unfortunately, this is
the cabling found in some environments.
Each mechanical connection induces loss and an opportunity for a
failure point.
This cabling diagram represents the way things were done in the
past -- to meet category 3 standards. Most new installations DO
NOT install wiring this way.
New installations wire the network to category 5 specifications. An
example would be to connect the wallplate (3) to the back of the
patch panel (8). Cross connects are made directly to the hub.

Page 3 - 23
3-24 Hub-to-Hub Connections

• Hubs typically cross internally over the transmit and receive pairs
from the nodes
• Hub-to-hub connections must be “crossed over” so that the
transmit pair of one hub’s port goes to the receive pair of the
other hub’s port and vice-versa
• This can be done with a “crossover cable,” or at the punchdown
block, or via an “MDI-X” port that internally crosses the pairs

[Diagram: crossover between the ports of two hubs]

Signal  Pin       Pin  Signal
TX+     1    ---  3    RX+
TX-     2    ---  6    RX-
RX+     3    ---  1    TX+
RX-     6    ---  2    TX-

Some manufacturers do not support hubs being connected via node ports.
Some of these manufacturers are circumventing the IEEE rules by using
special connections for hub-to-hub connections, and advertise themselves as
half-hop hubs, that may be cascaded further (to more hops) than the IEEE
rules allow, using the special connections, and no crossovers.
Some hub manufacturers are now offering proprietary higher speed
synchronous links between THEIR hubs. Other manufacturers have developed
Full Duplex Ethernet hubs.
MDI-X should only be enabled on one end.


Slide Title: Hub-to-Hub Connections

Important
Points to
Cover: Student notes and slide are adequate.

Page 3 - 24
3-25 Timing Specifications

Slide Title: Timing Specifications

Important
Points to
Cover: Title slide only.

Page 3 - 25
3-26 Collision Domain

[Diagram: segments joined by repeaters. A transmission on this segment...
...is propagated through repeaters all the way to all segments!
...and news of a problem, if any, must propagate all the way back, while the
original station is still transmitting]

A "collision domain" is defined as the physical area within which a collision is
propagated. Repeaters propagate everything, even bad frames.


Slide Title: Collision Domain

Important
Points to
Cover: This is an automated build slide.

This slide was updated to show repeaters (hubs) instead of coax
cable. The rule still applies, whether we’re using thick, thin or
twisted pair as long as the media is shared.

Extremely important concept.


All equipment (old and new) must follow this rule.
All timing specifications are based on the collision domain.
The round-trip time for the worst-case scenario must be less than
the time to transmit the minimum-sized frame, since the card only
listens while it is transmitting.
Cable lengths, repeater rules and propagation delay all must reach
this target.

Page 3 - 26
3-27 Ethernet Signal Propagation Speed

• Determination of the maximum topology and minimum frame size
depends on information about the speed that data travels
• Data travels at less than the speed of light (c)
• c = speed of light in a vacuum = 300,000 kilometers per second
(approximately 1 foot per nanosecond)
• Thick Coax Cable: Signal travels at .77c (231,000 km/sec)
• Thin Coax Cable: Signal travels at .65c (195,000 km/sec)
• Twisted Pair Cable: Signal travels at .59c (177,000 km/sec)
• Fiber Cable: Signal travels at .66c (198,000 km/sec)
• AUI Cable: Signal travels at .65c (195,000 km/sec)

It’s important to be aware of this information (though not memorize the
numbers) to gain an understanding of the maximum Ethernet topology and
the minimum Ethernet frame size.
Twisted pair cable is the slowest data mover. We must be concerned about
over-extending the network length, which will exceed the propagation budget,
and contribute to late collisions, which in turn results in extremely slow
response to most network users.


Slide Title: Ethernet Signal Propagation Speed

Important
Points to
Cover: This is a lead-in to the next slide.

This information comes from the 802.3 spec.

It is an auto build slide.

Page 3 - 27
3-28 So, How Long is a Bit?
For thick Ethernet, the basis of the specification:
• 231,000 km/sec divided by 10 million bits per second = 23.1
meters
• A bit occupies 23.1 meters on thick Ethernet, slightly fewer
meters for thin and twisted pair Ethernet
• An extension of 32 bits would cause an additional 32 x 23.1
meters or 739 meters to be busy, which makes it possible to busy
out a maximum size Ethernet segment
• This explains why a repeater extends a fragment frame by at
least 32 bits. It also explains the 32 bit jam added to a collision
frame
For 10Base-T:
• 177,000 km/sec ÷ 10 million bits per second = 17.7 meters
• 32 x 17.7 meters = 566.4 meters are busy on jam, easily
exceeding the maximum length between end devices

This information is used to determine where a collision can reasonably be
expected to occur in a worst case scenario in your specific network. Collisions
that occur past this point are the result of defective hardware somewhere in
the network. For example: If your maximum latency is 300 meters (includes
delay in hubs and all equipment), would you expect to see a collision 20 bytes
into the frame?
On thick Ethernet, 1 bit = 23 meters. 300 meters total. 300 divided by 23 =
approx. 13 bits. Multiply by 2 for the round trip. A collision in a network with
latency equivalent to 300 meters should never occur past bit number 26. You
should not see a collision past the preamble.
[(300 / 23) = 13] x 2 = 26 bits.
(This information is taken from the 1992 edition of the 802.3 specification.)
On twisted pair Ethernet, the maximum cable length from hub port to
transceiver is 100 meters (200 meters from end device to end device).
[(200 / 17.7) = 11.3] x 2 = ~23 bits.
In twisted pair, then, a collision should never occur beyond bit number 23,
still within the preamble.
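
The arithmetic on this slide, as an added Python example that is not part of the course material: it derives the bit length per medium from the speeds quoted earlier, the cable occupied by a 32-bit jam, and the latest bit at which a collision should appear for a given latency-equivalent length. The function names, the 64-bit preamble constant and the sample observations are assumptions made for the example.

```python
import math

# Propagation speeds quoted on the page, in km/sec.
SPEED_KM_PER_SEC = {
    "thick coax": 231_000,
    "thin coax": 195_000,
    "twisted pair": 177_000,
    "fiber": 198_000,
    "AUI": 195_000,
}
BIT_RATE_BPS = 10_000_000   # 10 Mbps Ethernet
JAM_BITS = 32               # jam / fragment extension length used on the page
PREAMBLE_BITS = 64          # assumption: 7 preamble bytes plus the start-of-frame byte


def bit_length_m(medium):
    """Metres of cable occupied by one bit at 10 Mbps."""
    return SPEED_KM_PER_SEC[medium] * 1000 / BIT_RATE_BPS


def jam_occupancy_m(medium):
    """Metres of cable kept busy by a 32-bit jam."""
    return JAM_BITS * bit_length_m(medium)


def latest_collision_bit(latency_m, medium):
    """Worst-case bit number at which the sender can still see a collision.

    latency_m is the one-way latency expressed as an equivalent cable length.
    The signal travels out and the collision travels back, hence the factor 2.
    """
    return math.ceil(2 * latency_m / bit_length_m(medium))


def classify_collision(bit_offset, latency_m, medium):
    """Compare an observed collision position with the worst-case round trip.

    bit_offset is counted from the first bit transmitted, preamble included
    (an assumption of this example).
    """
    if bit_offset <= latest_collision_bit(latency_m, medium):
        return "expected"
    return "suspect"   # past the worst case: the page attributes this to defective hardware


def report(observations):
    """Build one summary line per (medium, latency_m, bit_offset) observation."""
    lines = []
    for medium, latency_m, bit_offset in observations:
        limit = latest_collision_bit(latency_m, medium)
        lines.append(
            f"{medium:12s} latency={latency_m:4d} m  limit=bit {limit:3d} "
            f"({'inside' if limit <= PREAMBLE_BITS else 'beyond'} preamble)  "
            f"observed=bit {bit_offset:4d} -> "
            f"{classify_collision(bit_offset, latency_m, medium)}"
        )
    return lines


# Constructed observations: the 20-byte question from the text, plus two normal cases.
SAMPLE = [
    ("thick coax", 300, 20 * 8),
    ("thick coax", 300, 18),
    ("twisted pair", 200, 22),
]

if __name__ == "__main__":
    for medium in SPEED_KM_PER_SEC:
        print(f"{medium:12s} bit = {bit_length_m(medium):5.1f} m, "
              f"jam occupies {jam_occupancy_m(medium):6.1f} m")
    print("\n".join(report(SAMPLE)))
```
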


Slide Title: So, How Long is a Bit?

Important
Points to
Cover: Our favorite slide. (Lightbulb goes on.)
The pictures you see of a tiny frame on a big network are all wrong.
The frame quickly envelops the entire cable segment, thus
collisions are much more rare than you have been led to believe.

Page 3 - 28
3-29 Historical IEEE 802.3 Maximum Topology (5-4-3 Rule)

[Diagram: Station 1 -- Segment 1 -- Repeater Set 1 -- Segment 2 -- Repeater
Set 2 -- Segment 3 -- Repeater Set 3 -- Segment 4 -- Repeater Set 4 --
Segment 5 -- Station 2]

• The maximum transmission path permitted between any two stations is five
segments and four repeater sets
• Of the five segments, a maximum of three may be coax segments; the
remainder are link segments
• A coax segment is a cable terminated at both ends in its characteristic
impedance, with a maximum end-to-end propagation delay of 2165 ns for
10BASE5 and 950 ns for 10BASE2
• A point-to-point link segment is a non-coax segment, terminated in a repeater
set at each end, with a maximum end-to-end propagation delay of 2570 ns. A
10BASE-T connection between a hub and station is also considered a point-to-
point link
• If there are no link segments on a transmission path, there may be a maximum
of three coax segments on that path given current repeater technology.

This information is taken from the 1992 edition of the 802.3 specification.
Maximum end-to-end propagation delay is derived by dividing the maximum
length by the speed. See previous page for speed.
For thick coax, this is 500 m divided by 231,000 km/sec = 2165 nanoseconds.
For thin coax, this is 185 meters divided by 195,000 km/sec = 950
nanoseconds.
Each tap and each device adds additional delay, so the total network must not
introduce more than 51.2 microseconds of delay.
Even though these rules are specified for coax cable, the 5-4-3 rule still applies
to the newer fast technologies. Cable lengths are modified and delay
characteristics are calculated to obtain the maximum topology rules.


Slide Title: Historical IEEE802.3 Maximum Topology (5-4-3 Rule)

Important
Points to
Cover: These rules are derived from the collision domain concept.

They are taken directly from the IEEE specs that have been in
place for many, many years.

The slide is a lead-in to the new concept of transmission models
explained on the next pages.

Explain the 5-4-3 rule so they understand it fully.

The newer transmission models 1 and 2 slides have been moved
to the Optional Technologies section since most people are not
using equipment where it is important. You can still go there to
show them if you think a student needs them for clarification.

Page 3 - 29
3-30 Minimum Frame Length Determination
[Diagram: Station 1 and Station 2 on Segment 1 -- Repeater Set 1 -- Segment 2
-- Repeater Set 2 -- Segment 3 -- Repeater Set 3 -- Segment 4 -- Repeater
Set 4 -- Segment 5 with Station 3]

• The minimum length for an Ethernet frame is 64 bytes or 512 bits. This is
based on the round-trip propagation delay on a frame for the worst-case
scenario
• Station 1 transmits to adjacent Station 2 on Segment 1
• Station 3 just misses hearing Station 1’s transmission and also transmits.
Station 3’s transmission collides with Station 1’s transmission
• The damaged frame travels back down the network to inform Station 1 that a
collision has occurred. This takes approximately 50 microseconds or 500 bit
times
• The minimum frame length is defined such that the:
– Message from Station 1 is long enough so that Station 1 is still sending when the
collision is detected
– The resulting runt message from Station 1 is short enough such that Station 2 (the
receiver) can throw out the message on the basis of it being too short (less than 64
bytes)

The node needs to know it had a collision, so the damaged frame can be re-
sent at the MAC level. Retransmitting at the MAC level is very fast: within
microseconds. A retransmission at the LLC level takes a few milliseconds. A
retransmission at upper-layers can take a few seconds per frame.


Slide Title: Minimum Frame Length Determination

Important
Points to
Cover: These rules are derived from the collision domain concept.

Page 3 - 30
3-31 So How Does this Apply to TP?

[Diagram: points labelled 1 to 5 joined by repeaters (hubs or concentrators)
R1 to R4. Callout: "Populating one of these repeaters would break the rule"]

The frames must be long enough so that stations 1 and 5 are still
transmitting when the collision signal gets back to them

Count the repeaters between the furthest end stations to ensure
you have not broken the 5-4-3 rule

A "collision domain" is defined as the physical area within which a collision is
propagated. Repeaters propagate everything, even bad frames.


Slide Title: So How Does This Apply to TP?

Important
Points to
Cover: New Slide.

Automated build slide.

Shown to emphasize that hubs / concentrators must follow the 5-4-3
rule. It’s easy to inadvertently break the rule when you have them
all stacked in racks in a wiring closet.

Perhaps they should label the devices so unused ports are not
used incorrectly.

Page 3 - 31
3-32 Is this a Valid Application of 5-4-3?

[Diagram: six ACME 10BASE-T Concentrators cascaded in three levels: one at the
top, three in the middle and two at the bottom]


Slide Title: Is This a Valid Application of 5-4-3 with 10BASE-T?

Important
Points to
Cover: Yes. This is a 10BASE-T network with a 3-level cascade. The
topmost concentrator serves as the “backbone” to the other hubs.
The middle-end hubs are populated, whereas the middle-center
hub is not: it is a link segment to the two lower populated hubs.
Note that no frame needs to traverse more than 5 segments or 4
repeaters (hubs) to its destination.

This is the recommended configuration by the 10BASE-T vendor SMC. Follow
the path of every station to ensure that it obeys the 5-4-3 rule.
The development of the 5-4-3 rule can be summarized as follows.
(1) The length of any given segment of a network is limited by the electrical and
physical properties of the cable type employed. The primary characteristic is the
rate of attenuation over a given length of the cable. For example, for thick coax,
500 meters is considered to be the maximum length over which we can transmit
a signal while ensuring that the signal does not attenuate or otherwise degrade
to the point of being unacceptable to a receiver.
(2) Based on section 13.4.2 of the 802.3 specification, the number of repeaters
that can be used is limited by the potential for shrinkage of the interframe gap. If
the interframe gap is reduced, the potential for misinterpretation of frames
increases. Shrinkage of the gap will likely prevent receiving network interfaces
from having sufficient time to perform housekeeping functions such as posting
interrupts, managing the buffer, and updating statistical counters, etc.
Specifically the IEEE specifications say, "The worst-case variabilities of
transmission elements in the network plus some of the signal reconstruction
facilities required in the 10 Mbps baseband repeated specification combine in
such a way that the gap between two packets travelling across the network may
be reduced below the interframe gap specified in section 4.4.2.1. This parameter
limits the equipment (i.e. number of repeaters) between any two DTEs."
(3) Knowing the facts as given in (1) and (2) above, we can now see how the
minimum frame length of 64 bytes was calculated. We have segments of 500 m
due to the signal characteristics of the cable. We can have a maximum of 4
repeaters and, therefore, 5 segments between any two stations. This creates a
maximum topology as described in the text. Then, knowing that we must
guarantee collision detection while the stations participating in the collision are
still transmitting, we must specify a minimum frame length of 64 bytes due to the
inherent normal propagation delay of the maximum topology size described
above.
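
Following the path of every station, as the notes for this slide recommend, can be automated. The Python sketch below is an added example, not part of the course material: it models the three-level cascade from the slide and counts repeaters and segments between every pair of populated hubs. The hub names and the second, over-extended topology are constructed, the hub network is assumed to be loop-free, and only the path limit of 5 segments and 4 repeaters is checked.

```python
from collections import deque
from itertools import combinations

MAX_REPEATERS = 4
MAX_SEGMENTS = 5


def hub_path(links, src, dst):
    """Return the hubs a frame crosses from src to dst (inclusive), or None."""
    neighbours = {}
    for a, b in links:
        neighbours.setdefault(a, set()).add(b)
        neighbours.setdefault(b, set()).add(a)
    previous = {src: None}
    queue = deque([src])
    while queue:
        hub = queue.popleft()
        if hub == dst:
            path = []
            while hub is not None:
                path.append(hub)
                hub = previous[hub]
            return path[::-1]
        for nxt in sorted(neighbours.get(hub, ())):
            if nxt not in previous:
                previous[nxt] = hub
                queue.append(nxt)
    return None


def audit(links, populated):
    """Check every pair of populated hubs; return one finding per pair."""
    findings = []
    for a, b in combinations(sorted(populated), 2):
        path = hub_path(links, a, b)
        if path is None:
            continue  # the two hubs are not in the same collision domain
        repeaters = len(path)
        segments = repeaters + 1  # station link + hub-to-hub links + station link
        findings.append({
            "from": a, "to": b, "path": path,
            "repeaters": repeaters, "segments": segments,
            "ok": repeaters <= MAX_REPEATERS and segments <= MAX_SEGMENTS,
        })
    return findings


def worst(findings):
    """The station-to-station path that crosses the most repeaters."""
    return max(findings, key=lambda f: f["repeaters"])


def violations(findings):
    return [f for f in findings if not f["ok"]]


# The cascade from the slide: a top "backbone" hub, three middle hubs, and two
# lower hubs hanging off the unpopulated middle-center hub.
SLIDE_LINKS = [
    ("top", "mid-left"), ("top", "mid-center"), ("top", "mid-right"),
    ("mid-center", "low-left"), ("mid-center", "low-right"),
]
SLIDE_POPULATED = {"mid-left", "mid-right", "low-left", "low-right"}

# Constructed variant: someone stacks one more populated hub under low-left.
EXTENDED_LINKS = SLIDE_LINKS + [("low-left", "extra")]
EXTENDED_POPULATED = SLIDE_POPULATED | {"extra"}

if __name__ == "__main__":
    for name, links, populated in (
        ("slide topology", SLIDE_LINKS, SLIDE_POPULATED),
        ("extended topology", EXTENDED_LINKS, EXTENDED_POPULATED),
    ):
        findings = audit(links, populated)
        w = worst(findings)
        print(f"{name}: worst path {' > '.join(w['path'])} "
              f"({w['repeaters']} repeaters, {w['segments']} segments)")
        for v in violations(findings):
            print(f"  VIOLATION {v['from']} <-> {v['to']}: "
                  f"{v['repeaters']} repeaters, {v['segments']} segments")
```
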

Page 3 - 32
3-33 Exercise: Cable Specifications

Turn to the lab section to complete this exercise. Use
the diagram on the next page as a reference to the
network layout


Slide Title: Exercise: Cable Specifications

Important
Points to
Cover: Use the instructor notes in the back of the instructor manual to
review the exercise.

Go over the diagram on the next page before they begin.

Page 3 - 33
3-34 Exercise: Cable Specifications

Network Diagram

[Diagram labels: Node 1, Node 2, Node 3; Hub 1 to Hub 6; File Server COFFEE.1;
Sniffer; Bridge; station names WstDig178C4, WstDig96EC2, WstDigFF965F;
media UTP, "?? coax", RG58 coax (Thin Ethernet); 50 meters]


Slide Title: Exercise: Cable Specifications-network diagram

Important
Points to
Cover: Review the network configuration.

Note that the picture is not complete. For example, there probably
were other stations on the thin Ethernet. The Sniffer analyzer was
connected somewhere near the end of the thin Ethernet.
(Otherwise the Sniffer technician probably would have noticed the
ARCNET cable!?!) We don’t know exactly what was on the other
side of the bridge shown on the left.
Originally the Sniffer analyzer was placed at the end of the topology
and saw no errors. In the actual trace, the Sniffer analyzer was
placed at the junction and saw errors. The node was moved to the
end of the topology and worked without incident.
Client addresses in the trace all exist off of the Concentrator with
the Server Coffee.1
Since the transmission model slides were moved to the back, you
will probably not cover this with the class. The calculations are left
here just in case you need them.
To calculate the PVV, we calculate from right to left:

[Diagram: nodes (N), six hubs (H), file server (FS), Sniffer (S) and
bridge (B); 50 meters]

8+8+8+8+8+16 = 56
This does not exceed the delay, but it is higher than the 49 PVV
allowed in Model 2.

Page 3 - 34
3-35 Degree of Degradation

• Ethernet retransmission occurs, typically, within a few
hundred microseconds
• Type II LLC retransmissions may occur within
milliseconds
• Transport layer retransmissions may occur within
seconds
• Application layer retransmissions may occur within
tens of seconds
• User programs may wait minutes before timing out
• Conclusion: The higher the layer responsible for
retransmission, the longer the user has to wait

© Network Associates Ethernet Network Analysis and Troubleshooting


Ethernet Physical and Data Link Layers
Section 3 TNV-202-GUI Ethernet Network Analysis and Troubleshooting

Slide Title: Degree of Degradation

Important
Points to
Cover: Important concept.

Physical layer recovery is fast.

Each layer higher takes more time to recover from an error.
3-36 MAC Layer vs. Application Layer Retransmissions

943: NFS request.
944: Unanswered request (943) is retransmitted 0.7 s later.
945: Unanswered request (944) is retransmitted 3 s later.
946: Frame 945 is collided and is retransmitted 0.2 ms later.
947: Frame 946 is collided and is retransmitted 0.3 ms later.
948: Frame 947 is collided and is retransmitted 0.2 ms later.
949: Frame 948 is collided and is retransmitted 2.6 ms later.
950: Frame 949 is collided and is retransmitted 24.2 ms later.
951: Frame 950 is collided and is retransmitted 11.4 ms later.
952: Frame 951 is collided and is retransmitted 50 ms later.
953: Unanswered request (952) is retransmitted 12.3 s later.
954: Frame 953 is collided and is retransmitted 0.3 ms later.
955: pc150 times out after request is unanswered and ARPs for natco-4 26.9 s later.

Trace file FRAGS.ENC.


Note that all frames with a CRC flag are actually collided. At the time that the
trace was taken, Network Associates was using an adapter which was
incapable of counting or flagging frames as collided.
The client NFS request to look up the file wp50 in the directory handle
E71D is retransmitted four times without answer for a total of 43.4 seconds
before the user application gives up and ARPs to see if its server is still alive.
The Truncated Binary Exponential Backoff Algorithm (progressively larger
multiples of the slot time) is demonstrated in frames 945 to 952: the random
backoff timer is lengthening until the first good request in frame 952. Once
NFS retransmits in frame 953, which is collided, we see the algorithm start
over again at the beginning.
The NFS retransmissions occur at 0.7s, 3s, 12.2s, and 26.8s or so, when the
client finally gives up.


Slide Title: MAC Layer vs. Application Layer Retransmissions

Important
Points to
Cover: Retransmission timer as revealed in the Sniffer Pro analyzer
screens.

Demo: FRAGS.CAP

Frames 945-952 show the retransmission timer in action.

3-37 Summary

In this section, you learned how to:

• Describe the access method used in Ethernet
• Discuss the responsibilities of the MAC layer
• Differentiate the various types of Physical Layer devices
• Explain the importance of the physical size limitations of the Ethernet networks
• Ensure the physical characteristics of the Physical Layer have not been extended beyond the specifications

Slide Title: Summary

Important
Points to
Cover: Wrap up the section by reviewing the objectives and answering any
questions the students may have.

Target Time: End of Day 1.

Go further if you can, since the stuff that’s coming is what
they want to hear.
4-1 Troubleshooting Methodologies


Troubleshooting Methodologies
Section 4 – TNV-202-GUI Ethernet Network Analysis and Troubleshooting

Slide Title: Troubleshooting Methodologies

Section 4

Section Timing: Start: Day 2 Beginning of the day
Finish: Day 2 Late morning if possible!

Important
Points to
Cover: Section 4 title slide only.

Files: 04_tbls_g.PPT 04_tbls_g.DOC

Traces:
HUBPORT1.CAP HUBPORT2.CAP BADCABLE.CAP
BAD03.CAP FRAGS.CAP 01.CAP
05.CAP 06.CAP 16.CAP
17.CAP 19.CAP 20.CAP
Badcrc.cap Badcrc-1.cap 21.CAP (was GIANT.ENC)

Exercises: Hubports
More Problems
Test Your Skill
Errors
Optional- Evaluating Hub Jams
Ethernet Physical Errors

Modifications were made for the new software version. Some
answers have changed. Be sure to review them before you
teach!

There are too many to do all and have time to cover the newer
technologies. Choose those you feel will meet your students’
needs.
4-2 Section Objectives

Upon completion of this section, you will be able to:

• Recognize and isolate failures in the network using the Sniffer Pro Network Analyzer
• Examine Monitor Statistics to determine whether there are problems
• Use the Expert symptoms and diagnoses to get the details
• Gather Monitor statistics for trend analysis and baselining

Slide Title: Section Objectives

Important
Points to
Cover: State the objectives.

This section is just troubleshooting with lots of suggestions and
practice.
4-3 Capturing Error Frames

• You must use NAI-supported adapters with enhanced drivers to observe and capture physical error frames
– NAI-21140UC
• Adaptec (Cogent) ANA-6911A/TX PCI
• Adaptec (Cogent) ANA-6911A/TXC PCI
– Xircom CBE-10/100 BTX CardBus
– Xircom CBE2-10/100 BTX CardBus

Slide Title: Capturing Error Frames

Important
Points to
Cover: New Slide.

Use this slide to emphasize they need to use NAI-supported cards
and drivers in order to capture the error frames.

These cards capture both 10 and 100 Mbps networks.
4-4 Analyzing the Ethernet Physical Layer

• Frame Corruption
– Collisions
– Propagation delay
– Reflected signals
– Electrical noise
– Hardware failure
• With any of these problems, users will see decreased performance due to multiple frame retransmissions

Slide Title: Analyzing the Ethernet Physical Layer

Important
Points to
Cover: Look for evidence of these in the Sniffer Pro analyzer.

4-5 Some Guidelines

• More than one bad frame per Mbyte of data deserves attention
• Any unexplained change in the baseline deserves attention
• More than 1% Error Rate deserves attention

The IEEE specifications stipulate that the Bit Error Rate (BER) should not
exceed 10^-8 in worst case. A typical LAN 10 Mbps segment should have a BER
of 10^-11 or better. This translates to a frame loss rate of 10^-7.
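
The step from bit error rate to frame loss rate, written out as an added derivation (not part of the original slide). It assumes independent bit errors and a maximum-size frame of 1518 bytes, neither of which the slide states:

\[
P_{\text{frame loss}} = 1 - (1 - \text{BER})^{n} \approx n \cdot \text{BER}, \qquad n = 1518 \times 8 = 12144 \text{ bits}
\]
\[
P_{\text{frame loss}} \approx 12144 \times 10^{-11} \approx 1.2 \times 10^{-7}
\]

Under the same assumptions, the worst-case BER of 10^-8 gives a frame loss rate of about 1.2 x 10^-4.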


Slide Title: Some Guidelines

Important
Points to
Cover: These are important guidelines for determining when they need to
act.

Be sure to cover these, since these are important CNX numbers
they need to know.

CNX guidelines do not allow you to specifically state that this is a
CNX concept, however, so do not say this is on the test!

We have met the requirement that it is documented
in the course materials.
4-6 Fast Transmit Adapters
• Some adapters start transmitting before the entire frame has arrived in their transmit buffer
– If the remainder of the frame has not arrived when the first part is on the wire, it just quits transmitting, leaving the short incomplete frame on the wire
– Since it has no CRC, the Sniffer calculates the CRC based on the last 4 bytes and shows a CRC error
– The adapter waits for carrier to drop and 96 bit times to elapse before it sends the complete frame
• Do not count these incomplete bad CRC frames in the 1 bad frame /MB calculation

[Figure: a frame from the upper layer enters the transmit buffer; a partial frame goes on the wire (CRC error), followed by the complete frame on the wire.]

The name depends on the vendor. The adapter may also be called a parallel
tasking adapter.

Slide Title: Fast Transmit Adapters

Important
Points to
Cover: This is a new slide that discusses the effect of “fast transmit” or
“parallel tasking” adapters. (They may be known by other vendor-specific
names.)

It is a build slide that is partially timed and partially relies on mouse
clicks.

The slide is pretty self-explanatory and should help you explain
away some of the false CRC errors the Sniffer reports.
4-7 Troubleshooting Tip

• It is always easier to identify what is wrong if one knows how it is supposed to work
• One recommendation would be to capture an example of “how it looks” when the network is working
• Save the captured data to a file
• When the network stops working, capture another snapshot and compare the working scenario with the non-working scenario
• Then simply identify what is different between the two examples

Slide Title: Troubleshooting Tip

Important
Points to
Cover: Student notes and slide are adequate.

4-8 Divide and Conquer
• All speeds of half-duplex Ethernet are contention-based
• Because of its nature, we are still troubleshooting Ethernet with the “Binary Search” method
• Divide the domain in half. Which half does the problem follow?
– This is still valid for star networks
• We could always use a network map!

[Figure: a network divided in half, each half labeled “Problem?”]

Some hubs will autopartition devices out of the network that have too many
bad CRCs or if they are jabbering.
You can also look at the hub with a solid activity light. That usually indicates
problems.

Slide Title: Divide and Conquer

Important
Points to
Cover: This is an automated build slide.

It’s an old method “tried and true” on bus topology Ethernet.

It still works on star configurations, too. Of course, managed hubs
and switches provide a lot of information to the management
software, so this may be a last resort technique.

A star configuration should prompt a discussion about hubs and
switches.

Be sure to mention the student notes topics, too. A blinking light on
the hub/switch is there to remind you to talk about autopartitioning
hubs and looking at the lights in the wiring closet for lights that are
abnormal. Not all hubs and switches support them, but they need
to know which is supported on their equipment and use those
clues, too.
4-9 Exercise: Hubports

Turn to the lab section to complete this exercise.
Use the diagram on the next page for reference

Slide Title: Exercise: Hubports


Important
Points to
Cover: Use the diagram on the next page to introduce this exercise.

4-10 Exercise: Hubports Continued

Network Diagram

[Figure: 10BASE-T Hub. Labels: Hubport1: known good port; Hubport2: suspect port; NetWare client: Novell~FAA; NetWare file server: 3Com~704; NetWare client: 3Com~F91.]

• The user’s PC was replaced by a Sniffer. The same cable connecting the PC was used
• Another Sniffer is plugged into a known good port. Both Sniffers were capturing simultaneously

1) The network is broadcast-oriented: every node hears everything on the wire, including bad or collided frames.
2) Communication is half-duplex and asynchronous in nature: each node must wait until the wire is quiet before accessing the network.
3) Although the network is physically wired as a star, it is still logically a bus.

Slide Title: Exercise: Hubports Diagram


Important
Points to
Cover: Give the background information before the students begin the
exercise. They may not catch all the clues, but that’s the fun of the
exercise.
4-11 Legal Collisions
• Collision occurs within the first 512 bits (64 bytes) of data
• Preamble collisions have no recoverable frame data
• Typical collisions occur within the first 48 bytes of data
• Sniffer Pro Analyzer needs to see 96 bits to capture the frame, otherwise it just increments the collision counter
– This includes the preamble and the first bytes of the destination address
– 64 bits of Preamble, 32 bits of the destination address
• Networks up to 37% sustained utilization are often very “clean”
Slide Title: Legal Collisions

Important
Points to
Cover: These collisions are a normal part of Ethernet.

Sniffer adapters:
The Sniffer Network Analyzer uses two basic types of adapters:

Those that can report collisions.
The adapter senses that a collision has occurred and marks the
frame with an “x.”

Those that do not report collisions.
Sniffer Pro software uses a “soft collision” counter. If the
packet is analyzed and has a CRC error and the last 2 bytes of
the packet are 0xAAAA or 0x5555, then the packet is
considered to be a soft collision.
4-12 Normal Collisions
• Preamble collisions are not captured
• Local coax collisions do not have AAs or 55s in the data
• Remote collisions show AAs and 55s in the data field inserted by the repeater
• They may be labeled collision fragments or runts

Runts
Field: Preamble  D Addr  S Addr  Tp/Ln  Headers  Data    CRC
Bytes: 8         6       6       2      varies   varies  4
Slide Title: Normal Collisions

Important
Points to
Cover: New slide

Screen shot showing a normal collision. It is labeled as a collision
fragment in the Detail window.

This is from 01.CAP
4-13 Late Collisions
• On coax, the signal becomes much more negative
when the collision occurs. The squelch filter drops this
signal, so you see good data then nothing.
• On UTP repeated sections, look for evidence of jam from the repeater after 60₁₀ bytes
– Either aa aa aa aa... or 55 55 55 55 …
– 101010101010 is aa aa aa, 010101010101 is 55 55 55
– 64 byte minimum minus the 4 byte CRC
– 60₁₀ = 3D₁₆

Late Collisions
Field: Preamble  D Addr  S Addr  Tp/Ln  Headers  Data    CRC
Bytes: 8         6       6       2      varies   varies  4
Slide Title: Late Collisions

Important
Points to
Cover: This is a screen capture that “draws the line” in the hex window to
show where the dividing line is between a normal and late collision.

The Expert gives a symptom that indicates when it has seen a
collision after the 64th byte when the frame meets certain criteria.

17.cap has a lot of collisions, some are marked as occurring after
the 64th byte. There are no AAs or 55s in the hex data, so it was
captured on a local coax segment.

Badcrc.cap has a late collision in frame 6 way out at offset 38F,
but it must be beyond what the Sniffer uses to call a late collision.

This should help you in teaching them how to determine when the
collision was too late.
4-14 Rogue Nodes or Bad Hubs
• Rogue nodes with “hearing problems” may think the
wire is quiet when they send their frame in the middle
of someone else’s frame
• Bad hubs can also cause late collisions
• Calculate the math pertaining to network size
– If collisions are occurring well beyond where they should be,
suspect a rogue node or bad hub
Slide Title: Rogue Nodes or Bad Hubs

Important
Points to
Cover: New Slide.

Sniffer recognizes when a collision occurs too late and shows it in
the Expert and on the Summary and Detail panels in the decode
window.

05.cap and 04.cap both have frames marked as “collision after 64
bytes”.

This slide was suggested by Don Prefontaine. Thanks, Don!
4-15 Propagation Delay Problems

• Propagation delay is part of normal communications
– Example: a signal sent from the Moon takes 1.29 seconds to reach Earth
• Excessive propagation delay causes corruption
• Corruption is random
– Size of corrupted frame is random
– Victim (source) is random, but skewed by participation
• Corruption typically occurs before the 64th byte
– This is NOT an absolute rule
• Cause: Cable is too long, or out of spec, or there are too many repeaters or hubs
– The faster technologies have shorter cable specifications and require high quality cables, old legacy cables may have been overlooked and are still in use

FRAGS.ENC shows an example of propagation delay. Filter out the good
frames and turn off symptoms. Look at frames 958-964 in the hex panel.
Slide Title: Propagation Delay Problems

Important
Points to
Cover: Important skill which allows you to know what may have caused the
corruption the Sniffer analyzer is showing.

4-16 Excessive Propagation Delay

• Users at end of topology may have more problems than other users
• Sniffer Pro Analyzer sees:
– “Physical errors” symptoms or diagnoses
– Damaged frames (CRC errors)
– Only a few runts (many frames will be legal minimum length)
– Collision counter will be high if cable is too long
• May not be high if collisions are across a repeater
• Examine frames for “Collision data” visible at end of frame
– aa aa aa… or 55 55 55...
Slide Title: Excessive Propagation Delay

Important
Points to
Cover: Important skill which allows you to know what may have caused the
corruption the Sniffer analyzer is showing.

4-17 Signal Reflection Problems
• These problems occur on all media, but are not seen
in UTP frames because the adapter does not see
them. They are easy to detect on coax.
• Corruption is non-random
– Frames are corrupted by their own reflected preamble
• A victim node’s frame will typically be corrupted at
the same offset
– Corruption often occurs prior to the 32nd byte (32₁₀ = 1F₁₆)
– Collision data may be visible
• If signal reflection is suspected, the best way to examine it is to examine the coax segments with a Time Domain Reflectometer (TDR)

[Figure: a transmitting station and Sniffer Pro; labels: Transmit, CRC errors, collision data.]

Signal reflection problems occur everywhere on every medium. They cannot be
observed on UTP because, unlike coax, a node cannot “see” the bits it is
transmitting. It is simply looking for link pulse to know if the link is still there.
It does not do current sensing, voltage sensing, and Manchester encoding
detection like it can with coax.
On coax, one pair is used for both transmission and reception. On UTP, one
pair is for transmission and the other is for reception. When a node sends bits
to a hub, the hub repeats it out all ports except the one it received on. That
means that a node cannot see what it is transmitting.
Reflections are also the result of poor termination or no termination. If a hub
uplink or switch uplink is not working properly, change the cable to a known
good cable and test again. If the UTP cable is flexed too much, it can create a
“near open” (resistance too high; exceeds the 110 ohms or 130 ohms of
normal termination) that will not pass enough current, thus creating a signal
reflection. A TDR will tell you if the cable is good, bad, or ugly.


Slide Title: Signal Reflection Problems

Important
Points to
Cover: Important skill which allows you to know what may have caused the
corruption the Sniffer analyzer is showing.

Important point: This shows up almost exclusively in coax Ethernet,
so you can skip it if no one has it anymore.

The diagram is automated.

You may want to discuss some of the things that may show up in
the Sniffer’s hex window. Of course, where the Sniffer was
attached in relation to the open cable and where the transmitting
station is located directly affect it.

There may be reflected preamble in the frame. It is doubtful that
you would see any of the destination address folding back.
4-18 Electrical Noise Problems
• Users see intermittent disconnections and problems connecting to network services
• Sniffer Pro Analyzer sees:
– “Physical errors” symptoms or diagnoses
– Damaged frames resulting in CRC errors
– The frames are the “right” size but have incorrect data, maybe only one or a few bits got changed
– Not many more runts or collisions than baseline
• Cause:
– Radio Frequency Interference (RFI)
– Electromagnetic Interference (EMI)
– Poor quality cabling not meant for high speed data transmission

[Figure: a transmitting station and Sniffer Pro; labels: Transmit, CRC errors.]
Slide Title: Electrical Noise Problems

Important
Points to
Cover: Review quickly.

The diagram is automated.

4-19 Troubleshooting Electrical Noise

• Corruption is random
• No collision data is visible
– This is an absolute!
• Noise typically has no effect on frame length
• Worst case scenario:
– If the damaged frame is greater than 64 bytes, it will appear as a CRC or Alignment in the status field
– If the damaged frame is less than 64 bytes, it will appear as a Runt or Fragment in the status field
– Noise disrupts the clock; adapter thinks the frame ended
Slide Title: Troubleshooting Electrical Noise

Important
Points to
Cover: Student notes and slide are adequate.

4-20 Hardware Problems / Issues
• Corruption can look like all the other types of physical errors
• Typical evidence is too many bytes
– Much more than 8 bytes of corrupted data
• Corrupted data may resemble preamble sequence of AAs and 55s
• Could be a jabbering transceiver or NIC
– The 802.3 specification states that a transceiver should contain a self-interrupt capability to inhibit a station from sending for more than 150 milliseconds. The Ethernet V1 and V2 specifications did not have this feature
• A managed hub will autopartition the port out quickly
– An unmanaged hub waits until it misbehaves for .25 to .75 s
– The port LED will flash and Sniffer shows chronic errors

A hardware card that is jabbering can jabber with preamble sequence or all
ones.
Slide Title: Hardware Problems / Issues

Important
Points to
Cover: Student notes and slide are adequate.

4-21 Jabbering NIC

• Lots of ones or zeros that seem to go on forever
Slide Title: Jabbering NIC

Important
Points to
Cover: New slide.

Screen shot showing jabber in a frame. This shot was taken from
jabtest.enc from HQ engineering. It may have been created, but it
meets the Expert’s criteria for jabber as you see on the screens.

Warning- the Jabber.cap file we previously used for jabber may not
actually show jabber. The Expert doesn’t label it that way and you
will see the same pattern of bits in the frame that was retransmitted
and others around it.

4-22 Sniffer Pro Ethernet Error Analysis
Sniffer Label: #Collision
Frame Size: 64 bytes or greater
Error patterns: N/A (Truncated)
Probable Causes: Representative of late collisions on coaxial media. Frames will be truncated. Causes include propagation delay or faulty hardware.

Sniffer Label: Alignment / # Alignment
Frame Size: <64 bytes / >64 bytes
Error patterns: Look for 8 to 12 bytes of AAAAs or 5555s. If not there, or greater amount, see comments.
Probable Causes: Alignment errors with the AA/55 pattern are most often caused by normal collisions on UTP cable. The data pattern is caused by the repeater jam signal. If data length is greater than 64 bytes on any damaged frame, include propagation delay and hardware as causes. If the AA/55 pattern exceeds 12 bytes, a jabbering NIC or repeater is most likely.

Sniffer Label: CRC
Frame Size: >64 bytes
Error patterns: No specific pattern.
Probable Causes: Most commonly caused by noise or hardware, especially damaged or improperly installed wiring.

Sniffer Label: Runt
Frame Size: <64 bytes
Error patterns: May contain the AA/55 pattern, usually from 8 – 12 bytes.
Probable Causes: Runts have the same causes as Alignments.

Sniffer Label: Fragment
Frame Size: <64 bytes
Error patterns: May contain the AA/55 pattern, usually from 8 – 12 bytes.
Probable Causes: Fragments are defined as Runts with an invalid CRC. Handle the same as Alignments.

Sniffer Label: Jabber
Frame Size: May be any size. The pattern is important
Error patterns: Greater than 12 bytes of AAs or 55s.
Probable Causes: The cause is hardware, usually a NIC or repeater.

Sniffer Label: Oversize
Frame Size: >1514 bytes
Error patterns: Pattern will include lots of AAs and 55s.
Probable Causes: Hardware has failed and is streaming data. Managed hubs may permanently partition node streaming for more than 150ms; unmanaged hubs may not.

Sniffer Pro Physical Error Descriptions

CRC Errors: A legal frame with a CRC error, a frame whose CRC does not agree with the actual bytes received
Short/Runt: A frame that is less than 60 bytes with a good CRC
Soft Collision: A runt frame with a CRC error and one of the following patterns in the last three bytes: 0X5555, 0XAAAA, 0X0D0D, 0X1A1A, 0XA1A1, 0X6868, 0X8989, 0X3434, 0X4343
Alignment: A frame with a dribbling bit set that is larger than 60 bytes with a CRC error or the frame contains a non-integer multiple of 8 bits
Jabber: A frame with a CRC error and size larger than 1514 bytes
Oversize: A frame with a good CRC and size larger than 1514 bytes
Fragment: A frame with a CRC error and size less than 60 bytes
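
The Physical Error Descriptions above, applied as a decision procedure over raw frame bytes in an added example (not Sniffer Pro code and not part of the course material). The size thresholds and soft-collision patterns are the table's; the order of the checks, the `dribble_bits` parameter, the "Good" label and the constructed sample frames are assumptions of the example.

```python
import struct
import zlib

MIN_SIZE = 60     # bytes, CRC not counted: the table's short-frame threshold
MAX_SIZE = 1514   # bytes, CRC not counted: the table's oversize threshold
# Two-byte soft-collision patterns listed in the table.
SOFT_PATTERNS = [bytes.fromhex(p) for p in
                 ("5555", "AAAA", "0D0D", "1A1A", "A1A1",
                  "6868", "8989", "3434", "4343")]


def fcs(data: bytes) -> bytes:
    """Ethernet frame check sequence: CRC-32, least significant byte first."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def crc_good(frame: bytes) -> bool:
    """True when the last four captured bytes are the CRC of what precedes them."""
    return len(frame) > 4 and fcs(frame[:-4]) == frame[-4:]


def classify(frame: bytes, dribble_bits: int = 0) -> str:
    """Label one captured frame (destination address through CRC).

    dribble_bits is the count of extra bits (0-7) after the last whole byte,
    as an adapter would report it (an assumption of this example).
    """
    size = len(frame) - 4              # the table's sizes exclude the CRC
    good = crc_good(frame)
    if size > MAX_SIZE:
        return "Oversize" if good else "Jabber"
    if size < MIN_SIZE:
        if good:
            return "Short/Runt"
        # Soft collision is checked before Fragment because it is the
        # narrower case: a bad-CRC short frame that ends in a jam pattern.
        if any(p in frame[-3:] for p in SOFT_PATTERNS):
            return "Soft Collision"
        return "Fragment"
    if dribble_bits % 8:               # not a whole number of bytes
        return "Alignment"
    return "Good" if good else "CRC Error"


def build(payload_len: int) -> bytes:
    """Constructed sample frame: made-up addresses, type 0x0800, valid CRC."""
    body = (bytes.fromhex("00a0c9112233") + bytes.fromhex("0080c7445566")
            + b"\x08\x00" + bytes(i % 251 for i in range(payload_len)))
    return body + fcs(body)


def corrupt(frame: bytes, index: int) -> bytes:
    """Flip one bit at the given byte index, as a noise hit would."""
    return frame[:index] + bytes([frame[index] ^ 0x01]) + frame[index + 1:]


def samples() -> dict:
    """Constructed frames, one per label."""
    good = build(46)                                   # 60 bytes + CRC
    return {
        "good": good,
        "noise": corrupt(good, 20),                    # right size, one bit changed
        "runt": build(20),                             # short, CRC still valid
        "fragment": good[:30],                         # cut short, no jam tail
        "soft_collision": good[:24] + b"\xaa" * 12,    # cut short, then jam bytes
        "oversize": build(1600),
        "jabber": corrupt(build(1600), 20),
    }


if __name__ == "__main__":
    for name, frame in samples().items():
        print(f"{name:15s} {len(frame) - 4:5d} bytes -> {classify(frame)}")
```

The "noise" sample matches the electrical-noise slides: the frame keeps its legal size and only the CRC check fails, while the truncated samples land in the short-frame labels.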


Slide Title: Sniffer Pro Ethernet Error Analysis

Important
Points to
Cover: Review quickly. Do not attempt to read this fine print from the
screen.

Have them mark this page for future reference for
labs and when they get back to the job.
4-23 Exercise: More Problems

Turn to the lab section to complete this exercise

Slide Title: Exercise: More Problems


Important
Points to
Cover: Tell the students whether to go on to this or wait for you to discuss
the previous exercise.

4-24 Most Hubs Bit Jam on a Collision
• Per 802.3: If a collision is detected on any of the ports to which the repeater (hub) is transmitting, the repeater transmits a 96 bit Jam, such that the first 62 bits transmitted are a pattern of alternate 1s and 0s.
– The 96 bits is 12 bytes of 55 or AA, 4 from source collider, 4 from destination collider, and 4 bytes from the hub

[Figure label: Sniffer Pro Analyzer]

Slide Title: Most Hubs Bit Jam on a Collision

Important
Points to
Cover: When the hub senses a collision, it sends a 96 bit jam out all of the
ports.

4-25 Hub Jam Signatures

Look for AAAAAAs or 55555555s in the hex window

Slide Title: Hub Jam Sniffer Signatures

Important
Points to
Cover: New slide.

Two screen captures showing both 5s and As. Both the Summary
and Hex windows are shown so you can point out how the Sniffer
shows in each panel.

The screen shots are taken from 02.cap and busy-jam.cap.
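
One way to apply the jam signatures from this section to hex-window bytes, as an added example (not part of the course material or of Sniffer Pro): it finds the longest run of AA or 55 and reads it against the 12-byte jam length and the 60-byte late-collision line from the slides. The 4-byte minimum run, the precedence of the checks and the sample dumps are constructed assumptions.

```python
import re

LATE_OFFSET = 60  # bytes: the slide's 64-byte minimum minus the 4-byte CRC
JAM_MAX = 12      # bytes: a 96-bit jam is 12 bytes of AA or 55
MIN_RUN = 4       # assumption: shorter runs are ordinary data (SNAP starts AA AA 03)

_JAM = re.compile(rb"\xaa{%d,}|\x55{%d,}" % (MIN_RUN, MIN_RUN))


def parse_hex_dump(text: str) -> bytes:
    """Convert 'offset: hh hh hh ...' lines, as in a hex window, to bytes."""
    data = bytearray()
    for line in text.strip().splitlines():
        data += bytes.fromhex(line.partition(":")[2])
    return bytes(data)


def find_jam(frame: bytes):
    """Return (offset, length, byte value) of the longest AA/55 run, or None."""
    runs = [(m.start(), len(m.group()), m.group()[0])
            for m in _JAM.finditer(frame)]
    return max(runs, key=lambda r: r[1]) if runs else None


def interpret(frame: bytes) -> str:
    """Read the jam evidence the way the slides describe it."""
    jam = find_jam(frame)
    if jam is None:
        # No AAs or 55s: local coax collision, noise, or an undamaged frame.
        return "no jam"
    offset, length, _ = jam
    if length > JAM_MAX:
        # More than one jam's worth of pattern points at hardware.
        return "jabber suspected"
    if offset >= LATE_OFFSET:
        # Jam begins after the point where a legal collision must have ended.
        return "late collision"
    return "normal collision"


# Constructed hex dumps (made-up addresses and payload).
NORMAL = parse_hex_dump("""
0000: 00 a0 c9 11 22 33 00 80 c7 44 55 66 08 00 45 00
0010: 00 54 12 34 00 00 aa aa aa aa aa aa aa aa aa aa
0020: aa aa
""")

LATE = parse_hex_dump("""
0000: 00 a0 c9 11 22 33 00 80 c7 44 55 66 08 00 45 00
0010: 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f
0020: 20 21 22 23 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f
0030: 30 31 32 33 34 35 36 37 38 39 3a 3b 3c 3d 3e 3f
0040: 55 55 55 55 55 55 55 55
""")

JABBER = LATE[:14] + b"\xaa" * 40          # header followed by a long AA run
COAX = LATE[:30]                           # truncated, no repeater jam
SNAP = LATE[:14] + bytes.fromhex("aaaa03000000 8137") + LATE[16:48]


if __name__ == "__main__":
    for name, frame in [("normal", NORMAL), ("late", LATE), ("jabber", JABBER),
                        ("coax", COAX), ("snap", SNAP)]:
        print(f"{name:7s} jam={find_jam(frame)} -> {interpret(frame)}")
```

The SNAP sample is there to show why a bare search for AA AA is not enough: an ordinary SNAP header would otherwise be read as collision data.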

4-26 Analyzing Collisions and Hub Jam
[Figure: hub-based network with three analyzers. Sniffer Pro 1, Sniffer Pro 2, and Sniffer Pro 3 each see a partial frame with jam bits. 1 - A collision occurs here. 2 - The hub propagates jam signals out to all devices. Legend: Collision, Jam, Repeaters.]

Slide Title: Analyzing Collisions and Hub Jam

Important
Points to
Cover: New slide.

This slide shows what you see in Sniffer screens in a hub-based
network.
4-27 Frame Type Interoperability Problems

• User sees:
– Inability to connect to specific network services
• Sniffer Pro Analyzer sees:
– No more error frames than usual
• Examine frames to see:
– If the user’s system is using Ethernet frame format and the network service IEEE 802.3 frame format (or vice versa)
– If the user’s system is using SNAP frame format while the network service is not (or vice versa)
• Cause:
– Driver software configured incorrectly
– Some implementations support only Ethernet or only IEEE 802.3

If the network is not experiencing physical layer problems, verify the frame
types being used by both communicating parties.

Slide Title: Frame Type Interoperability Problems

Important
Points to
Cover: Review quickly.

4-28 Check Dashboard Statistics

• Look here for indications of high utilization and errors

Slide Title: Check Dashboard Statistics

Important
Points to
Cover: The following screen shots enable you to discuss the areas of
Sniffer Pro that help them to troubleshoot Ethernet specifically.
This should be familiar if they have been to the 101 G class, but it
never hurts to re-emphasize these.

You may want to do a demo of this.

Open a trace file and display the decode windows.

Either use the traffic generator screen from the tools menu or right
click over the Summary panel and choose “Generate current
buffer” and send it out continuously so you’ll have plenty of time to
show these next screens.

Click the Dashboard icon to show this screen.

Page 4 - 28
4-29 Monitor Dashboard Details
• Use the Dashboard Detail counters to find physical
errors

Reminder: You must have the enhanced drivers loaded to detect and capture
error frames. Supported Ethernet adapters are:
Adaptec Fast Ethernet Adapter
Network Associates Card Bus Ethernet 10/100 Adapter (Xircom)


Slide Title: Monitor Dashboard Details

Important
Points to
Cover: Click the Detail tab to show this view.

Point out the important fields: Utilization, Errors, CRCs, Runts,
Oversize, Fragments, Jabber, Alignment, Collisions.

Page 4 - 29
4-30 Dashboard Error Timeline
• Click on the Network and Detail Error sections to see
a graphic representation of Ethernet physical errors

Slide Title: Dashboard Error Timeline

Important
Points to
Cover: New Slide.

Show all of the lower timelines and relate them to Ethernet counts.

Be aware that this data cannot be exported – it shows real-time
statistics. You can start a history sample if you want to save this type
of information.

The lower graph was fabricated by adding lines to the display.
There is no trace that will generate this type of display. Heaven
help the people who would be on a network this bad!

Page 4 - 30
4-31 Track Errors with History Samples

• Run these and save the data as a .CSV file
• Open in Excel or a reporting application

Slide Title: Track Errors with History Samples

Important
Points to
Cover: There are more. Demonstrate on your Sniffer.

Page 4 - 31
4-32 Create a Multiple History Report
• Include the errors you need to see
• Collect the data, then save to a file to import into a
spreadsheet or reporting program

To create a multiple history report, open the History Samples window from
either the Monitor menu > History Samples or by clicking the History
Samples icon.
Click the Add Multiple History icon, assign a name to your sample and
modify the sample interval and Graph Type on the General dialog box.
Click the Selection tab, then the New (Insert) icon and scroll and click to
choose a sample from the Statistics List window. Repeat this process until you
have chosen all the statistics you want included in your report. Use the up and
down arrow icons to place the statistics that will have the highest values at
the bottom. Adjust any colors as you wish. Click OK when done.
Double click the icon with the sample name to start collecting the statistics.
Minimize the window to get it out of your way if you wish. It will continue to
gather statistics in the background.
When you want to save the statistics to a file, click the Export icon and
name the file and choose the file type (comma, tab or space delimited) and
path. The application will continue to gather statistics until you close the
window.
You will also be able to save the information in graphic format when you close
the sample window. This can be viewed later within the History samples
application. If you want to import a snapshot of this screen, just press the alt
and print screen keys to copy it to the clipboard. Then paste it into your
document or a paint program for further editing.

Slide Title: Create a Multiple History Report

Important
Points to
Cover: Demonstrate how to create a Multiple History report of the Ethernet
errors.

Suggest they may want to run this as a baseline and for trend
analysis or scheduled reports for the boss.

Run for a specific time and save the file as comma, space or tab
delimited file for import into a spreadsheet or database.

They can also save a snapshot of this graph as a .HST file when
they close the window.

Page 4 - 32
4-33 Check Utilization In Global Stats

• Remember, for best performance, utilization should be
below 37% sustained utilization to be considered
“clean”

Slide Title: Check Utilization in Global Stats

Important
Points to
Cover: Demonstrate this screen under Global Statistics.

The 37% given here will re-emphasize this statistic they need for
CNX.

If they are seeing a high level of physical errors, they should check
first if the network is overloaded. If the traffic is within normal
ranges, they need to look at a possible physical reason for the
errors.

Page 4 - 33
4-34 Look at the Expert’s DLC Layer

Who’s the source?
Is this really the culprit, or is it just impacted?
Check the Symptoms and Diagnoses

The physical errors include:
• CRC errors
• Runts
• Oversize
• Fragments
• Jabber
• Alignment errors
• Collision packets

Slide Title: Look at the Expert’s DLC layer

Important
Points to
Cover: This emphasizes “troubleshoot from the bottom up”.

The DLC layer is the only place they will see Ethernet-related
specific information.

Demonstrate with your favorite trace file that shows several DLC
layer symptoms and diagnoses.

Point out the information available for each symptom or diagnosis
in the Expert Detail panel on the lower right.

This is not the place to teach the Expert. They learned this in TNV-
101-GUI (we hope they went).

Expert help is available for symptoms and diagnoses by clicking the
? icon.

Page 4 - 34
4-35 Troubleshooting Exercises

Your instructor will choose the exercises to meet class needs.
Turn to the lab section to complete the selected exercises.
• Test Your Skill
• Errors
• Ethernet Physical Errors
• Evaluating Hub Jams
If you complete them early, try another one. Come back to them
when you get back to work and need review.

Slide Title: Troubleshooting Exercises


This single slide points to all of the exercises for this section. These
are time-consuming. You may wish to eliminate any that you feel
do not meet the needs of the class you are teaching.
Emphasize that you are selecting based on the needs of the
students in this class so they don’t feel you are skipping things they
really want to see.
Test Your Skill Exercise
This one is very important. It gives them a chance to look at
traces with no clues of the problems in them. Have them mark the
matrix on page 22 to help them determine what the problems might
be.
Errors Exercise
The conversation always recovers prior to frame 941. The damage
appears to be hardware related. We don’t know what was causing
that damage and can only speculate that it was bad hardware (the
original repeater? A bad NIC card on the segment?) or an out of
spec network (unlikely since they are on the same segment, but
without a network map it is difficult to know).

The administrator suspected the repeater and replaced it with
another that was not being used. This replacement was defective.
It was replaced prior to frame 941, which is the reason for the large
delta time, and since it was defective, it is the reason there is no
recovery in the conversation starting with frame 941.
Ethernet Physical Errors
See impact of Parallel Tasking feature of some Ethernet cards
Evaluating Hub Jams
Practice troubleshooting hub jams.

Page 4 - 35
4-36
Summary

• Use a bottom-up process for troubleshooting Ethernet
network problems
• Work on the crises first, then spend time doing
proactive monitoring to look for areas where
performance is degrading and make appropriate
changes
• Eventually, the crises should be fewer and the
proactive preventive work will take on more
importance
• Use the clues in the Sniffer Pro Monitor, Expert and
Decode screens to help you determine the cause of
frame damage

Slide Title: Summary

Important
Points to
Cover: Wrap up the section by reviewing the bullets and answering any
questions the students may have.

Add your own suggestions to this list.

We’re trying to emphasize using the tool for proactive
network management here to plant a seed. Good
technicians try to avoid problems by looking for signs of
degradation and fixing them before they become crises.

The Sniffer is much more than a troubleshooting tool!

Target Time: Lunch or before if possible.

Page 4 - 36
5-1

Ethernet Bridging and Switching Concepts

We are including a very brief overview of bridging and switching techniques
here to enable you to troubleshoot a switched Ethernet environment.
Since many of these same principles are used for Full Duplex and Fast Ethernet,
this section will lay the groundwork for those discussions.
Sniffer University has a three day class TNV-315-GUI with many more details.


Bridging and Switching
Section 5 TNV-202-GUI Ethernet Network Analysis and Troubleshooting

Slide Title: Ethernet Bridging and Switching Concepts – Section 5

Section Timing: Start: Day 2 Before Lunch. Work through the
bridging section if you can.
Finish: Day 2 Mid-afternoon

Important
Points to
Cover: Section 5 title slide only.

Files: 05_brg_g.PPT 05_brg_g.DOC

Traces: scbridge.caz busy_jam.caz VLANprob.caz

8021q.cap VLANprob2.cap 8021q-gig.cap

Exercises: Short Circuited Bridges
Busy Jam
Switch Traffic (Optional) new

The bridging and switching sections are somewhat short to allow
time for the VLAN and expanded Fast Ethernet, Full Duplex and
Gigabit Ethernet sections.
VLAN tagging information has been added.
Move through it as quickly as you can to have time for the new
section.
The bridging section is also used as an introduction to concepts for
the switching section. Spanning Tree is covered very briefly in this
course. Refer the students who need more to the 315 course,
which covers it in great detail.

Page 5 - 1
5-2
Section Objectives

Upon completion of this section, you will be able to:
• Differentiate between bridging and switching on
a conceptual level
• Recognize network configuration issues with
bridges and switches
• View VLAN information in frames
• Use Sniffer Pro to identify common problems
associated with bridges and switches

Slide Title: Section Objectives

Important
Points to
Cover: State the objectives for the section.

Page 5 - 2
5-3

Bridges

Slide Title: Bridges

Important
Points to
Cover: Title slide only.

Page 5 - 3
5-4
Ethernet Bridges

[Diagram labels: LOCAL, REMOTE, HUB (four), Bridge (two), LAN or WAN link]

• A bridge is a store-and-forward Data Link layer device
• A bridge increases the size of a network without increasing bandwidth
contention, since segments separated by a bridge are in different
collision domains
• A bridge is protocol independent. A bridge bases its forwarding decision
on the Data Link layer destination address in a frame
• Bridges only pass valid frames
• An Ethernet bridge is transparent from the end node’s point of view

Bridges work at the Data Link layer of the OSI Reference Model, specifically at the
MAC sub-layer. Bridges are only concerned with physical layer (MAC) addresses. They
learn the address of each device on each segment to which the bridge is connected,
typically two segments. When a frame is received on one port of the bridge, the bridge
examines the physical layer address to determine whether or not the frame should be
forwarded to the other segment. The bridge stores this information in a "Forwarding Table."
Bridges are also what is termed "Protocol Transparent." Since they work at the MAC
layer and are only concerned with physical layer address (like Ethernet), they have no
reason to be concerned with higher layer protocols like DECnet, XNS, TCP/IP. One bridge
can forward (or filter) all of these higher layer protocols.
Some bridges allow complex filters to be used to determine which frames get forwarded
and which frames don't. This might be used in the case where a router was previously
installed to route IP frames. Due to company growth, a new protocol is added and
eventually a bridge to allow access to a second segment. Since an IP router is already
being used to forward IP frames, the bridge must not forward these same frames. The
bridge is programmed (using a filter) not to forward IP frames, but allow remaining
frames to be forwarded if the destination address deems it necessary.
With any luck at all your bridge is sophisticated enough to have some sort of bridge
manager. The bridge manager will allow you to configure the bridge, maintain its address
table, and examine how effectively the bridge forwards and filters frames.
Additionally, consider this: is your vendor's manager going to manage another
vendor's bridge? When determining a vendor for your bridge purchase, you may want to
consider its management capability.


Slide Title: Ethernet Bridges

Important
Points to
Cover: Work at the Data Link Layer.

Forward frames based on the MAC layer address.

Bridges learn the addresses on each of their ports and build a
forwarding table.

They are protocol transparent.

Some may do complex filtering.

Many are managed by bridge management programs.

Label was added to indicate the link can be LAN or WAN.

Page 5 - 4
5-5
Multiport Ethernet Bridges
Multi-Port Bridge

Port A      Port B      Port C      Port D
Address 1   Address 4   Address 5   Address 7
Address 2               Address 6   Address 8
Address 3

[Diagram labels: Hub, Mini-Hubs]

• Learns the addresses of devices that reside off each port
• Maintains a list of the addresses for each port in hardware “Content
Addressable RAM”
• Logically extends the cabling segment, but physically separates into
separate collision domains
• RAM for storage usually holds 1024 addresses
• Can be increased, but the maximum limit is vendor specific

A list must be kept of what node addresses lie beyond a bridge port. The list can
be lengthy.
The number of addresses is vendor dependent, but usually starts with 1024.


Slide Title: Multiport Ethernet Bridges

Important
Points to
Cover: As noted on the slide.

Page 5 - 5
5-6
Ethernet Bridges are Responsible For:

Flooding:
If the destination address is unknown, or if it’s a multicast/broadcast
destination address, the bridge sends the frame out each port except
the port on which the frame was received
Learning:
A bridge is promiscuous and sees every frame on the segments to
which it is attached. By examining the source address in frames, a
bridge learns which stations are on which side of it
Forwarding:
Once a bridge learns where stations are, it only sends a frame out the
correct port to reach the destination station
Filtering:
If the destination and source addresses are on the same port, the
bridge just drops the frame
User Filtering:
Allows a network manager to filter, based on protocols, addresses,
packet type, etc., to increase the network's efficiency or add security
measures

The filtering function might seem so obvious it's not worth mentioning, but
actually it is worth mentioning in order to compare a bridge to a repeater: a
repeater repeats everything, even if the two stations communicating are on the
same side of the repeater. Since a bridge looks at the data link header and learns
the locations, it does not need to forward unnecessarily.
The filtering rate advertised for a bridge is the number of frames per second on
which the bridge can make forwarding/nonforwarding decisions. User filtering
may employ a technique similar to the Sniffer analyzer’s pattern match function,
allowing some manufacturers to claim to filter on layer three protocol addresses,
even though a bridge is a layer two device.


Slide Title: Ethernet Bridges Are Responsible For

Important
Points to
Cover: Cover the slide points well.

Page 5 - 6
5-7
Store and Forward

[Diagram labels: A, B, DA = B, HUB, HUB. Bridge decision: CRC good? If yes,
then forward. CRC bad? If yes, throw frame away.]

• Bridges are “Store and Forward” devices
• They must copy the entire frame and verify the CRC before
forwarding
• If the CRC is good, the bridge will forward as it should
• If the CRC is bad, the bridge will discard the frame
– A higher layer protocol will time out and attempt
retransmissions

This technique requires the bridge to look at the entire frame before making a
forwarding decision. A benefit of this feature is that the bridge can determine
whether there is an error in the frame before making a forwarding decision.
Error frames are removed from the network. A drawback is that the bridge will
introduce latency (delay).


Slide Title: Store and Forward

Important
Points to
Cover: This is now an animated build slide.

Slide and notes are adequate to explain the concept.

Review them.

Page 5 - 7
5-8
Bridge Data Flow

[Flowchart; forwarding table columns: MAC, Port, Age]
1. Receive frame on Port x
2. Read source address
3. MAC SA in table? No: enter into Port x table. Yes: continue
4. Read destination MAC
5. Is it a broadcast? Yes: flood to all ports except x
6. MAC DA in table? No: flood to all ports except x
7. DA on Port x? Yes: discard frame. No: forward frame on correct port

All speeds of Ethernet follow this flowchart. Only the timing changes.
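
The store-and-forward check and the flood / learn / forward / filter decisions from the preceding slides can be combined in a small model. This is an added example, not part of the course material: the class name, the 300 second aging limit and the station addresses are assumptions chosen for illustration.

```python
import struct
import zlib

BROADCAST = b"\xff" * 6

def with_fcs(frame_no_fcs: bytes) -> bytes:
    """Append the Ethernet FCS (CRC-32, least significant byte first)."""
    return frame_no_fcs + struct.pack("<I", zlib.crc32(frame_no_fcs) & 0xFFFFFFFF)

def make_frame(dst: bytes, src: bytes, payload: bytes = b"") -> bytes:
    """Constructed frame: header, payload padded to the 64-byte minimum, FCS."""
    body = dst + src + b"\x08\x00" + payload
    return with_fcs(body.ljust(60, b"\x00"))

def fcs_ok(frame: bytes) -> bool:
    """True when the frame is at least minimum size and its CRC verifies."""
    if len(frame) < 64:
        return False
    return zlib.crc32(frame[:-4]) & 0xFFFFFFFF == struct.unpack("<I", frame[-4:])[0]

class LearningBridge:
    def __init__(self, ports, max_age=300):      # max_age is an assumed value
        self.ports = list(ports)
        self.max_age = max_age
        self.table = {}                          # MAC -> (port, time last seen)

    def receive(self, in_port, frame, now=0.0):
        """Return (action, output ports) for a frame arriving on in_port."""
        if not fcs_ok(frame):                    # store and forward: drop errors
            return ("discard-bad-crc", [])
        dst, src = frame[0:6], frame[6:12]
        self.table[src] = (in_port, now)         # learning: source is on in_port
        others = [p for p in self.ports if p != in_port]
        if dst[0] & 1:                           # broadcast or multicast
            return ("flood", others)
        entry = self.table.get(dst)
        if entry is None or now - entry[1] > self.max_age:
            self.table.pop(dst, None)            # unknown or aged out
            return ("flood", others)
        if entry[0] == in_port:                  # source and destination on same port
            return ("filter", [])
        return ("forward", [entry[0]])

def demo():
    """Stations 1 and 2 sit on port A, station 3 on port C (constructed)."""
    s1, s2, s3 = (bytes.fromhex("02000000000" + n) for n in "123")
    bridge = LearningBridge(["A", "B", "C", "D"])
    damaged = bytearray(make_frame(s3, s1))
    damaged[20] ^= 0x01                          # one flipped bit breaks the CRC
    steps = [
        ("A", make_frame(s3, s1), 0),            # station 3 not yet learned
        ("C", make_frame(s1, s3), 1),            # station 1 known on A
        ("A", make_frame(s1, s2), 2),            # both stations on A
        ("A", make_frame(BROADCAST, s1), 3),
        ("A", bytes(damaged), 4),
        ("A", make_frame(s3, s1), 5),            # station 3 known on C
        ("A", make_frame(s3, s1), 400),          # station 3 entry aged out
    ]
    return [bridge.receive(port, frame, t) for port, frame, t in steps]

if __name__ == "__main__":
    for result in demo():
        print(result)
```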


Slide Title: Bridge Data Flow

Important
Points to
Cover: New partially automated build slide.

Click to reveal each step in the decision process as you discuss it.

Page 5 - 8
5-9
Bridging Loop

[Diagram: bridges connected in a loop, each labeled “Forward”. Broadcast
frames circle endlessly.]

• Ethernet bridges are susceptible to loops
• The Spanning Tree Algorithm handles loops by disabling alternate
routes
– All traffic flows toward the root bridge
• Bridges use Bridge Protocol Data Unit (BPDU) frames to negotiate a
unique device-to-device path
• The picture above does not have Spanning Tree enabled. When
Station A sends a broadcast frame, the frame can be forwarded by
all bridges in a constant loop

The Spanning Tree specification is defined in IEEE 802.1d. Topology loops can
occur in a switched network just like a bridged network.
Bridges are assigned an ID by the administrator (two byte field).
The MAC address of the adapter is appended to the two byte ID, and the result
becomes the Bridge Identifier.
The lowest value Bridge Identifier becomes the Root bridge.
The network manager configures a cost for each port on the bridge. For example,
the cost for a T1 link could default to 100, while the cost for a 56 kbps line could
default to 500.
Costing information is exchanged with BPDU frames.


Slide Title: Bridging Loop

Important
Points to
Cover: Broadcast frames will be forwarded continuously when
Spanning Tree is not enabled.

IEEE 802.1d is the specification covering Spanning Tree.

Page 5 - 9
5-10
Spanning Tree

• Bridges in a mesh configuration use a “cost” metric to
determine the best (cheapest) path
– The best path is used for forwarding
– The other paths are backups and not used unless the best
path fails
• One bridge is elected “root”
– All frames are directed towards the root

[Diagram: meshed bridges with a cost label on each link; legend: Best, Backup]

Many switches in meshed configurations use Spanning Tree to prevent loops.
Anytime you see BPDUs in your traces, you’ll know it is active. Many vendors
have proprietary protocols that allow you to do load balancing in a mesh
environment. If you are using one of these and see BPDUs, check to make sure
Spanning Tree is not needed, then disable it on the bridge(s) sending the
frames.

Slide Title: Spanning Tree

Important
Points to
Cover: New Slide.

You might want to mention here that switches frequently use
Spanning Tree to maintain forwarding tables to indicate the
continued use of Spanning Tree and BPDU frames.

Each bridge/switch has a unique identifier.

Administrators can assign IDs to control which bridge/switch
becomes the root of the tree.

The administrator can control paths by assigning a high cost to an
expensive, slow link used as a backup path and a low cost to a fast
primary path.

The fast primary path will be used until it fails.

The bridges/switches exchange BPDU frames when a link fails to
reconfigure the tree to cover the segment that’s down.

You need a good logical drawing of the bridged/switched segments
to plan the best paths and assign costs appropriately.

Page 5 - 10
5-11
BPDU Frames
• Sent by the bridge to neighbors to share configuration information

[Screen shot callouts: Multicast Dest. Address, Type of frame, Root Bridge,
Link Cost, Source information, Timers]
The destination address is a functional address assigned to “all bridges”.
The source address is the address of the port sending the BPDU.
The Root ID in the frame is the bridge this one assumes is the root.
Sending bridge ID is the ID of the bridge sending this frame.
The cost is the least cost path to the root from this bridge.
Bridges build forwarding tables from the BPDU frames.
When a bridge receives a BPDU frame from its neighbor, it compares the
message received from that port with what it would send out that port. It
changes its table if it discovers a better route and stops sending configuration
messages on that LAN.
If the message age reaches a certain threshold, the message is considered stale
and the bridge recalculates the best route as if it had not received the message.
For a detailed explanation of the Spanning Tree algorithm, see Section 3 in
Interconnections, Bridges and Routers, Radia Perlman, Addison Wesley, 1992
ISBN 0-201-56332-0.
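
The fields named above can be read straight out of a captured configuration BPDU. This is an added example, not part of the course material: the function names and bridge addresses are constructed, and the costs 100 and 500 are the T1 and 56 kbps defaults quoted in the Bridging Loop notes. It parses the 35-byte IEEE 802.1D configuration BPDU and picks the best of several received messages by comparing Root ID, then cost, then sending bridge ID, then port.

```python
import struct

ALL_BRIDGES = bytes.fromhex("0180c2000000")  # 802.1D "all bridges" group address
STP_LLC = b"\x42\x42\x03"                    # DSAP 42, SSAP 42, UI control
BPDU_FMT = "!HBBB8sI8sHHHHH"                 # 35-byte configuration BPDU

def bridge_id(priority: int, mac: str) -> bytes:
    """Two-byte administrator-assigned ID followed by the bridge MAC address."""
    return struct.pack("!H", priority) + bytes.fromhex(mac.replace(":", ""))

def show_id(raw: bytes) -> str:
    return f"{int.from_bytes(raw[:2], 'big'):04x}/" + ":".join(f"{b:02x}" for b in raw[2:])

def build_config_bpdu(src_mac, root, cost, sender, port_id,
                      age=0.0, max_age=20.0, hello=2.0, fwd_delay=15.0):
    """Build a constructed sample frame; timers are carried in 1/256 s units."""
    timers = [int(t * 256) for t in (age, max_age, hello, fwd_delay)]
    bpdu = struct.pack(BPDU_FMT, 0, 0, 0x00, 0, root, cost, sender, port_id, *timers)
    src = bytes.fromhex(src_mac.replace(":", ""))
    length = struct.pack("!H", len(STP_LLC) + len(bpdu))
    return ALL_BRIDGES + src + length + STP_LLC + bpdu

def parse_config_bpdu(frame: bytes) -> dict:
    if frame[0:6] != ALL_BRIDGES or frame[14:17] != STP_LLC:
        raise ValueError("not a Spanning Tree BPDU")
    bpdu = frame[17:]
    if len(bpdu) < 35:
        raise ValueError("not a full configuration BPDU")
    (proto, _version, bpdu_type, flags, root, cost, sender, port_id,
     age, max_age, hello, fwd_delay) = struct.unpack(BPDU_FMT, bpdu[:35])
    if proto != 0 or bpdu_type != 0x00:
        raise ValueError("not a configuration BPDU")
    return {
        "source": ":".join(f"{b:02x}" for b in frame[6:12]),
        "root": show_id(root), "cost": cost, "sender": show_id(sender),
        "port_id": port_id, "flags": flags,
        "message_age": age / 256, "max_age": max_age / 256,
        "hello": hello / 256, "forward_delay": fwd_delay / 256,
        # Lower is better at every position of this tuple.
        "vector": (root, cost, sender, port_id),
    }

def best_bpdu(frames):
    """Return the parsed BPDU that a receiving bridge would prefer."""
    return min((parse_config_bpdu(f) for f in frames), key=lambda m: m["vector"])

# Constructed sample: ROOT has the lowest two-byte ID although its MAC is highest.
ROOT = bridge_id(0x1000, "02:00:00:00:00:ff")
B1 = bridge_id(0x8000, "02:00:00:00:00:0a")
B2 = bridge_id(0x8000, "02:00:00:00:00:0b")
B3 = bridge_id(0x8000, "02:00:00:00:00:0c")
SAMPLE = [
    build_config_bpdu("02:00:00:00:00:0b", ROOT, 500, B2, 0x8001),  # via 56 kbps
    build_config_bpdu("02:00:00:00:00:0a", ROOT, 100, B1, 0x8001),  # via T1
    build_config_bpdu("02:00:00:00:00:0c", B3, 0, B3, 0x8001),      # claims root
]

if __name__ == "__main__":
    for f in SAMPLE:
        m = parse_config_bpdu(f)
        print(m["sender"], "says root is", m["root"], "at cost", m["cost"])
    print("best:", best_bpdu(SAMPLE)["sender"])
```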


Slide Title: BPDU Frames

Important
Points to
Cover: New Slide.

Cover only the basics in this class. TNV-315
“Interconnection Concepts and Troubleshooting” will
teach the specifications and structure of the BPDU frames
in detail. There is no time for it here.

Page 5 - 11
5-12
Capturing in a Bridged Environment

[Diagram: two hubs joined by a bridge. Nodes D, E and F are on one hub; Nodes
A, B, C and the Sniffer Pro are on the other. Legend: Frames seen by Sniffer Pro]

The Sniffer Pro Network Analyzer will:
• See frames going between Nodes A, B and C.
• See traffic bridged between the two networks.
• Not see frames going between Nodes D, E and F.
At the data link layer, the source and destination addresses will be the end
node’s addresses. You will not see the bridge’s addresses.
Example: Node A is communicating with Node D via a bridge. The Sniffer Pro
Network Analyzer will show Node A and Node D's Ethernet addresses.

Slide Title: Capturing in a Bridged Environment

Important
Points to
Cover: “New” Slide. (Actually a resurrection of the slides we always
included in this class – updated to star wiring.)

You might want to mention the bridge could actually be a switch.

Page 5 - 12
5-13
Exercise: Short Circuited Bridges (Optional)

Turn to the lab section to complete this exercise

Slide Title: Exercise: Short Circuited Bridges (Optional)

This exercise is optional due to the time constraints of the class.
Since the Spanning Tree discussion has been expanded again,
you may not want to skip this exercise.
Fit it in, as you are able.

Page 5 - 13
5-14
Exercise: Short Circuited Bridges

[Diagram labels: 192 Kb Link (two links), Sniffer Pro analyzer]

Slide Title: Exercise: Short Circuited Bridges (Diagram)


If you are questioned about the small delta times that appear in this
trace file, you may want to work through the following math with the
students. For this discussion, label the bridges 1-4 starting in the upper
left-hand corner and continue on clockwise.

Time to transmit a minimum length Ethernet frame across the 192 Kb link:

Minimum frame          =   512 bits
Preamble               = +  64 bits
                         ==========
Total bits transmitted =   576 bits

576 bits / 19,200 bits/second = .03 seconds

Time to transmit one frame on an Ethernet where 1 bit = 1/10,000,000
seconds = .000001 seconds = 1 microsecond. Therefore to transmit 576 bits
takes 576 microseconds (.000576 seconds, or roughly half a millisecond).

Assume the propagation delay across the Ethernet or WAN link is 0. We
can assume this because the network as shown is symmetrical.

TIME LINE
Station on left sends ARP. Assume within 576 microseconds Bridge 1
and Bridge 4 receive the frame.
.03 seconds later Bridge 1 has transmitted the frame to Bridge 2. During
the same time period Bridge 4 to Bridge 3.
Either Bridge 2 or Bridge 3 will be able to access the Ethernet media on
the right.
Assume Bridge 2 puts the frame out. (For argument’s sake, let's say this
is the ARP Frame 1 we see on the Sniffer.) Within 576 microseconds,
Bridge 3 is receiving the frame Bridge 2 transmitted.
Bridge 3 begins transmitting Frame 1 back towards Bridge 4.
Bridge 3 begins transmitting its frame out on to the Ethernet (Frame 2 on
the Sniffer).
Bridge 2 receives Frame 2 after 576 microseconds.
During which time, Bridge 4 begins putting Frame 1 onto the left Ethernet
segment.
Bridge 2 will transmit the frame back toward Bridge 1 and then the
process continues...

Page 5 - 14
5-15

Switches

Slide Title: Switches

Important
Points to
Cover: Title slide only.

Page 5 - 15
5-16
Switches

• Switches are similar to bridges and do these actions:
– Learn which addresses are available at each port
– Maintain lookup tables by port (as bridges do)
– Look at the destination address and forward immediately if
possible
– Switch packets between ports
– Switching fabric maintains multiple, simultaneous
conversations on different ports (unlike bridges)
– Provide full bandwidth at each port
– Do not verify the validity of the CRC (unlike bridges)
• Most switch vendors implement Spanning Tree
Algorithm

A switch connects LAN segments like a hub does, but unlike a hub, which divides the
bandwidth among all attached segments, a switch provides full bandwidth at each port.
A port can be dedicated to a single file server, for example. Like a bridge, a switch
learns which addresses are available at each port. Unlike a bridge, when forwarding a
packet a switch may look at just the destination address, instead of the whole packet,
and forward immediately if possible. If the destination segment is busy, the frame is
queued in a buffer, just like a bridge, until the destination segment is free. Usually the
destination segment is not busy.
Packets are processed in parallel by very fast hardware. One vendor claims a switching
delay of only 40 microseconds, which they measure as the time between the first bit of
a packet received and the first bit of the packet sent.
Some switches support software configuration to specify which ports can talk to which
ports, sort of an “electronically controlled patch panel.” It really is hard to compare
switches, especially because they have very different architectures and because vendors
are getting very creative in combining the functions of layer 1, layer 2 and layer 3
relays. The late 1990s started major innovations in this area.
Issues with using switches instead of bridges or routers include:
1. A switch may forward a bad CRC and a runt that has a destination address.
2. Switches will not isolate broadcast storms. They often cannot be set up for protocol
filtering. They generally won’t do fragmentation and re-assembly.
3. Using the switch’s “electronically controlled patch panel” feature sounds great, but
could wreak havoc with IP addressing and subnet mask schemes.


Slide Title: Switches

Important
Points to
Cover: Vendors are doing many things to improve the performance of their
products.

Read the fine print!

Will it work with what you have?

Page 5 - 16
5-17
Switched Networking

• Switched networking provides a simple solution to
existing networks suffering from traffic congestion
• In Ethernet environments, each switch port is a
separate collision domain
• Switches allow you to micro-segment
• Some switches provide monitor ports to attach a
Sniffer Pro
• Switches are not governed by standards, so a
combination of vendor switches is difficult
– There are many proprietary implementations

Microsegmentation means that there is only one device at each switch port,
rather than a shared LAN on a port as in a segmented network.
The overall benefit of switching is that multiple conversations can occur
simultaneously on a single switched hub, providing the user or segment with
almost dedicated bandwidth.
Switching extends the life of existing legacy LAN networks, provides increased
performance without replacing the existing wiring plant, and increases network
throughput, reducing response times. Switches are a small cost when compared
to other alternatives.
Switches are plug and play, easy to implement, but much pre-planning is
required. As an example, if your bandwidth is being eaten up by DLC layer
broadcasts, a switch will not improve the condition. Traffic is aggregated on the
backplane of the switch. This backplane should be between 1.5 - 10 Gbps with
recent announcements for 85 Gbps backplanes.


Slide Title: Switched Networking

Important
Points to
Cover: Slide and notes points.

Page 5 - 17
5-18
Basic LAN Switching Defined

• A switch allows dedicated communications paths to
be rapidly built and torn down between multiple
sources and destinations. The total aggregate
bandwidth goes up with switch technology
• A 12 port switch can support six simultaneous
conversations

[Diagram labels: Server, Server, Workstation, Workstation]

A switch allows devices or segments to have a unique dedicated path to each
other. The path is active for the duration of the frame, then is broken down and
made available for the next frame.
Each port on a switch is, in effect, a separate collision domain or ring. Switches
can act like fast bridges; they are layer 2 devices. But some vendors are adding
layer 3 functions to switches, like the ability to route IP and IPX.
In 12 port switches, backplane speed needs to equal six times the individual wire
speeds of the ports. Similar ratios apply to other size switches.
The VLAN concept, by which you can logically group switch ports, is growing in
acceptance. VLAN schemes are proprietary to the different vendors. A VLAN
generally divides your network into broadcast domains. VLAN is popular in today's
dynamic environment where “Tiger Teams” are created across departmental lines
to address a particular problem or project and then disbanded once that problem
or project has been resolved.


Slide Title: Basic LAN Switching Defined

Important
Points to
Cover: Collisions are in switched environments.

Each pair of communicating devices has the entire bandwidth (in
this case 10 Mbps) for their frame.

The path is active for the duration of the frame only. It is torn down
after each frame has been transmitted.

Each port is a separate collision domain.

The Virtual LAN (VLAN) concept allows the administrator to group
ports through software for workgroup segmentation.

A bullet and student note was added that addresses the issues of
the speed of the switching fabric.

Many switches implement Spanning Tree to avoid topology loops
where broadcast frames circulate endlessly.

Other manufacturers use proprietary methods to avoid loops.

A switch should have a very low PLR or Packet Loss Rate. It can
have congestion control, where a switch will slow things down if
ports become overloaded. Switching times may degrade
noticeably, but at least you won’t lose any packets, which would cause
retransmissions.

For switches without active congestion control, the ability to handle
100 to 300 back-to-back, min. and max. size frames pretty much
assures negligible packet loss no matter what the traffic pattern.

Switches that can buffer more than 100 1518 byte packets are
considered very robust.

Page 5 - 18
5-19
Capturing in a Switched Environment

SnifferPro sees only Broadcast Traffic plus... (Vendor Dependent)

[Diagram labels: Node A, Node B, Node C, Node D, Node E, Node F]

The Sniffer Pro Network Analyzer sees different things based on the switch
technology and how the switch has been set up. At the data link layer, the
source and destination addresses will be the end node’s addresses. You will
not see the switch’s addresses. Switch vendors have provided various
mechanisms for network analysis tools to evaluate network traffic and
conversations.


Slide Title: Capturing in a Switched Environment

Important
Points to
Cover: What you see is what the vendor allows you to see.

Addresses are like the addresses in a bridged environment.

DLC addresses are the end station’s.

Page 5 - 19
5-20
Seeing the Frames

• Switch sends all traffic to a monitor port
• Switch sends selected port or VLAN traffic to a
monitor port

[Two diagrams, each labeled SnifferPro]

Tapping the backplane of the switch does not limit the traffic sent to the
monitor port. You will get all traffic that occurs on any port in the hub. This may
present problems due to high utilization on the monitor port. It will work well
when overall use of the switch is low, but if several users of the switch are
demanding high amounts of bandwidth individually, their combined traffic may
be greater than the switch can process through a single monitor port. You will
most likely lose packets.
A port tap limits traffic seen to just what happens on that one port.


Slide Title: Seeing the Frames

Important
Points to
Cover: Several separate slides are now combined so you can cover them
quickly and compare them more easily.

All traffic to a Monitor Port (This is not an industry-standard label
for this port.)

Issues: Is the port able to handle the aggregate bandwidth of the
backplane?

Is the Sniffer Pro analyzer able to handle the aggregate bandwidth
of the backplane?
You can’t just put a Fast Ethernet Sniffer Pro analyzer here. The
signals and timing are different in Fast Ethernet.

You’ll need to set a capture filter to focus on the traffic that will help
you solve the problem.
Station address filter
Address class filter
Protocol filter

Gives a very limited view of just one station’s traffic.

Selected port or VLAN traffic to a monitor port

But if the port can’t deliver it, you still can’t capture it.

Page 5 - 20
5-21
Seeing the Frames Continued

• Attach a shared media hub between a server and
the port to see all server traffic
• Install a matrix switch to view several segments

[Diagram labels: Switched Media Hub, Shared Media Hubs, Shared Media Hub
(mini-hub), Server, Workstations, Transport Card, Matrix Switch, SnifferPro,
Monitor Card, DSS/RMON Agent]

The hub should be attached when the server is inactive, and left in place to
enable real-time monitoring. There are several inexpensive mini-hubs on the
market. This is a very easy solution to implement and, in some environments, a
very effective solution. For example, when there are only a couple of servers in
a server-client environment, everyone will be talking to those servers, therefore
you’re actually getting all traffic on the switch by just monitoring the servers’
ports. This also works well with unsophisticated switches that do not have
a built-in monitor port.
Several companies make matrix switches.
Portable Sniffer Pro Network Analyzers can also be used in place of the
DSS/RMON. If you are using a DSS/RMON Agent, you should use a Network
Associates supported switch like the DataComm switch. There are several
advantages to using a Network Associates supported switch.
Remember, though, you can only monitor one port at a time. Adding the hub
may change the timing characteristics of the segment and may introduce its
own set of errors if you exceed the collision domain. Be sure you are not
introducing a repeater into a full-duplex link by mistake.


Slide Title: Seeing the Frames (Continued)

Important
Points to
Cover: Permanently install minihubs in the line to your servers.
Allows you to see all the traffic to and from the server.

Permanently install a minihub in the line to your bridges and
routers.
Allows you to see all traffic directed to or from them.

SniffView allows you to switch the DS Pro Agent into multiple
segments so you can monitor the conversations to multiple servers
(or routers) one at a time.

There are several vendors that supply switches from DS Pro. Some
of them can be controlled directly with SniffView.

We also sell DSS/RMON Multiview, which is a DS Pro in a matrix
switch. There are several models that can attach into a
combination of Ethernet and other topologies.

Page 5 - 21
5-22
Switch Control and Expert
• Switch control allows you to access supported
switches and span one port or VLAN to a monitor port
• Two adapters are required to span a port
– The configuration adapter sends SNMP signals to the switch’s
IP address to control the switch and retrieve MIB data
• Attach to the switch control port
– The monitor adapter does the assigned Sniffer tasks
• Attach to the mirrored port
• One adapter is enough if you just want MIB data

[Diagram labels: Monitor adapter, Switch, SPAN Port, Frames, Port or VLAN,
Configuration adapter, SNMP Commands]

Sniffer Pro version 4.0 switch expert supports:
Cisco models: * = this version or newer
2900 v.4.5(2) 2916XL v11.2(8)SA5*
2924(M)XL v12.0(5.1)XP* 2926 v4.5(2)
5000 v4.5(2)* 5002 v4.5(2)* 5500 v4.5(2)* 5505 v4.5(2)* 5509 v4.5(2)*
6000 v5.4(1)* 6002 v5.4(1)* 6500 v5.4(1)* 6509 v5.4(1)*
Nortel models:
Baystack 450 v HW:RevB, FW:V1.04, SW:V1.1.0
Not all features are supported. Contact NAI tech support for specific issues.
SPAN (Switched Port ANalyzer) is a proprietary Cisco protocol used to mirror traffic
from a port or VLAN to a monitor port.
If you have just one adapter in your Sniffer, it must have TCP/IP bound to it so it can
connect to the switch to control it. It is connected to the switch control port which
cannot be a monitor port. You would need to stop Sniffer Pro and reconnect it into the
monitor port and restart it as a Sniffer to sniff the monitor port. You then would not be
able to control the switch or see the MIB data.
Mirroring places a heavy load on the switch. Be sure to disable it when you have
completed your analysis or capture!
The TNV-201-DSP and TNV-315-GUI classes have more information on switch control
and Expert.


Slide Title: Switch Control and Expert

Important
Points to
Cover: New Slide.

Unfortunately we just don’t have time to delve into this in this class.
You also need a switch to demonstrate all the functions of this
feature.

It is covered in detail in the TNV-201-DSP class. That class has a
switch, so all of the MIB and control screens can be demonstrated.

It will also be shown in the Advanced TNV-102-GUI class being
written.

The basics:

You can get all the MIB data from the switch and see it in the
Sniffer windows.

You can use these MIB screens to mirror a port or VLAN to the port
where the Sniffer is attached. (VLAN mirroring is not supported for
all switch models.)

You can do all the Sniffer functions on the mirror port i.e. start
Monitor screens, capture, set triggers, etc.

Try to attend a TNV-210-DSP class to see this in action so you can
discuss it better.

You need the second card only if you want to do the Sniffer
functions. You can get the MIB data with a single adapter. You
cannot use a single card to send the SNMP commands to the
switch to control it AND then turn around and sniff using the same
card. Port mirroring (or SPAN) puts a big load on the switch. DO
NOT leave it enabled constantly. Turn the mirroring off when you
are done!

Page 5 - 22
5-23
Switch Frames

• Once you get the frames from the switch, they
look just like any other Ethernet frame
• Expert shows symptoms and diagnoses plus
valuable VLAN information
• Use the skills you’ve gained here to determine
where problems lie

Slide Title: Switch Frames

Important
Points to
Cover: New Slide.

The main difference in the Sniffer screens is the VLAN information
in the Expert. The students will see that in the VLAN section.

Any VLAN symptoms and diagnoses will be labeled in the
Summary display.

You can filter from the Expert’s VLAN symptoms and diagnoses.

You can get the switch MIB statistics on adapter and VLAN MIB
counts that can be very helpful.

Page 5 - 23
5-24
Switch Performance

• Switches are often faster than bridges
• They segment collision domains
• Cut Through switches are fastest
– They read only the destination address and forward to a new
or established port
– They provide the least amount of data integrity (they only
verify the destination MAC address)
• Some switches offer FFCT (fragment-free cut-through) mode
– Only frames at least 64 bytes in size are forwarded
• Switch latency increases the further into a frame the
switch checks for data integrity
• Switches forward damaged frames if damage occurs past
their check point
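
The check point behaviour on this slide can be modelled in a few lines. This is an added example, not part of the course material: it builds constructed sample frames (a good frame, a runt, and a frame damaged past byte 64) and reports which forwarding mode lets each through. The store-and-forward mode is added as a full-frame baseline that the slide does not list, and all function names and addresses are assumptions made for the illustration.

```python
import struct
import zlib

MIN_FRAME = 64       # minimum legal Ethernet frame in bytes, CRC included
DEST_ADDR_LEN = 6    # cut-through commits once the destination MAC has arrived
MODES = ("cut-through", "fragment-free", "store-and-forward")


def build_frame(dst, src, ethertype, payload):
    """Build an Ethernet II frame, zero-padded to the minimum size, with CRC."""
    body = dst + src + struct.pack("!H", ethertype) + payload
    body += bytes(max(0, MIN_FRAME - 4 - len(body)))
    # The frame check sequence is CRC-32, stored least significant byte first.
    return body + struct.pack("<I", zlib.crc32(body))


def crc_ok(frame):
    """Recompute the CRC over everything except the trailing 4 bytes."""
    if len(frame) <= 4:
        return False
    return struct.pack("<I", zlib.crc32(frame[:-4])) == frame[-4:]


def decide(frame, mode):
    """Return (forwarded, checkpoint).

    checkpoint is the number of bytes the switch has received when it
    commits to forwarding or dropping the frame.
    """
    if mode == "cut-through":
        checkpoint = DEST_ADDR_LEN
        forwarded = len(frame) >= DEST_ADDR_LEN
    elif mode == "fragment-free":
        checkpoint = MIN_FRAME
        forwarded = len(frame) >= MIN_FRAME
    elif mode == "store-and-forward":
        checkpoint = len(frame)
        forwarded = len(frame) >= MIN_FRAME and crc_ok(frame)
    else:
        raise ValueError("unknown mode: " + mode)
    return forwarded, min(checkpoint, len(frame))


def latency_us(checkpoint_bytes, mbps=10):
    """Time spent receiving up to the check point, in microseconds."""
    return checkpoint_bytes * 8 / mbps


# Constructed sample data (locally administered addresses, dummy payload).
DST = bytes.fromhex("020000000002")
SRC = bytes.fromhex("020000000001")
GOOD = build_frame(DST, SRC, 0x0800, b"A" * 200)   # 218 bytes with CRC
RUNT = GOOD[:40]                                   # collision fragment
_damaged = bytearray(GOOD)
_damaged[100] ^= 0x01                              # one bit flipped past byte 64
BAD_CRC = bytes(_damaged)
SAMPLES = {"good": GOOD, "runt": RUNT, "bad_crc": BAD_CRC}


def survey():
    """Map each sample frame to the forwarding decision of every mode."""
    return {
        name: {mode: decide(frame, mode)[0] for mode in MODES}
        for name, frame in SAMPLES.items()
    }


if __name__ == "__main__":
    for name, row in survey().items():
        print(name, row)
    for mode in MODES:
        checkpoint = decide(GOOD, mode)[1]
        print(mode, "check point", checkpoint, "bytes =",
              latency_us(checkpoint), "us at 10 Mbps")
```

When a trace taken behind a switch contains runts or CRC errors, this table tells you whether the switch could have passed them on or whether they must have originated on the captured segment.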


Slide Title: Switch Performance

Important
Points to
Cover: Slide is adequate.

Page 5 - 24
5-25
Exercise: Busy Jam

Turn to the lab section to complete this exercise

Slide Title: Exercise: Busy Jam

Page 5 - 25
5-26
Exercise: Busy Jam Diagram

[Diagram labels: Switch, Hub, Sniffer Pro analyzer, 10 Mbps, Server, Client Stations]


Slide Title: Exercise: Busy Jam Diagram

Network Diagram

Page 5 - 26
5-27

Virtual LANs (VLANs)



Slide Title: Virtual LANs (VLANs)

Important
Points to
Cover: New Section - New title Slide.

Page 5 - 27
5-28
VLANs
• Many switches allow you to set up virtual LANs
– A VLAN is roughly a broadcast domain
– Stations in different physical locations can communicate as if
they were on a common LAN
– Some manufacturers allow you to place ports on more than
one switch in a VLAN
– There are many vendor-specific implementations

[Diagram labels: HR VLAN, Finance VLAN, Exec VLAN, 1st Floor, 2nd Floor,
3rd Floor]

Port configurations aggregate stations based on the port where they are
attached. This was the first implementation of VLAN groups. It is a good way to
isolate groups using non-routable protocols.
Protocol-based VLANs group stations based on their protocol type or layer 3
address. The switches use standard routing protocols to communicate with
routers, but all traffic in the VLAN is switched.
MAC address-based VLANs group stations based on their MAC address. This is
useful when you have laptop users who carry them around and attach their
PCMCIA cards in different locations. Problems arise when they dock these
laptops and use the docking station’s NIC card, or when software overwrites
the MAC address.
IP Multicast address groups segregate the multicast traffic and send only to
those devices that are in the VLAN. This extends beyond the normal
network-maintenance address types for routing and bridging support to
specialized applications like broadcast audio or video data.
802.1Q VLAN frame tagging is a new IEEE standard that uses an additional
header in the frames between the switches that identifies the VLAN.
Since many of the mechanisms are vendor-specific, you should try to buy all
your switches from one vendor or only use switches that support the 802.1Q
standard.


Slide Title: VLANs

Important
Points to
Cover: New Slide.

VLANs have been around for a long time and most students will
have basic knowledge about them. What they may not know is how
their traffic looks on the wire.

Emphasize the broadcast domains. See, the stuff we taught in the
technology section hasn’t gone away!

VLANs provide a way to logically link devices in different layer 1-2
physical network segments into a logical layer-three network
segment.

Page 5 - 28
5-29
VLAN Grouping Techniques
• Port
– Assign each port to a particular VLAN
– Quick and simple, moves require reconfiguration
• Protocol (Layer 3 grouping)
– Groups all devices with the same protocol - isolates
protocol-specific broadcasts
– Stations with multiple protocols belong to multiple VLANs
– Router required between different protocols and IP subnet
VLANs
• MAC address
– Assign each NIC to a particular VLAN IP multicast address
– Good for laptops that move around
• Multicast Address
– Proxy address for a group of devices


Slide Title: VLAN Grouping Techniques

Important
Points to
Cover: New Slide.

Quickly review the ways vendors implement VLANs.

Page 5 - 29
5-30
VLAN Tagging

• When devices are spread across several
physical segments, there needs to be a way to
quickly send them to the proper switch
• Cisco developed a proprietary protocol called
Interswitch Link Protocol (ISL) which added a
few bytes or “tag” at the beginning of the
frame
– The tag identifies the VLAN
– This eliminated the need to do a table lookup for
each frame - just send them to the right port
• The IEEE modified this for the 802.1Q
specification


Slide Title: VLAN Tagging


Important
Points to
Cover: New Slide.

This is just a page to introduce the reason for tags and the VLAN
tagging methods

Page 5 - 30
5-31
Interswitch Link (ISL) Protocol

• The Grandfather of the IEEE 802.1Q tagging
standard
• A proprietary Cisco protocol developed to
support trunks between Cisco switches
• Tags added to the frames between the
switches include a VLAN group identifier to
route them to the proper VLAN
• Several other vendors licensed ISL
• 3Com used the VLT frame tagging method


Slide Title: Interswitch Link (ISL) Protocol

Important
Points to
Cover: New Slide.

This is a Cisco vendor proprietary protocol. Other vendors licensed
it.

Tags are carried on the trunk links between Cisco Switches

We can see them and decode them on frames captured on these
links

Page 5 - 31
5-32
Cisco ISL Frame Tags
• Ethernet frame is attached after the 26 byte ISL Header
• VLAN identifier

Inter Switch Link (ISL) protocol was developed by Cisco and has been
incorporated into the 802.1Q standard.
ISL adds a 10 bit address to every frame as it enters the switch fabric. The
frame is forwarded only to switches and interconnected links with the same 10
bit address.
This tag is removed before the frame is forwarded to the end station or switch
outside the VLAN.


Slide Title: Cisco ISL Frame Tags

Important
Points to
Cover: New Slide.

This screen capture was taken from VLANprob.caz frame 1. The
students will use it in the exercise at the end of this section.

Don’t go into details of this protocol. Let Cisco teach that in their
classes!

Page 5 - 32
5-33
Cisco ISL Expert Information
• VLAN information shown at the Global Layer
• VLAN list in the Detail Tree
• Statistics and details in the Expert Detail panel

Slide Title: Expert Cisco ISL Information


Important
Points to
Cover: New Slide.

This screen capture was taken from VLANprob2.cap Expert view
with the Global symptoms highlighted.

Explore more of the Expert information with the students.

Page 5 - 33
5-34
802.1Q VLAN Standard
• The 802.1Q standard is based on the 802.10 standard
– 802.10 is the Interoperable LAN/MAN Security (SILS) standard
which defines a single Protocol Data Unit (PDU) with an 802.10
header inserted between the MAC header and the frame data
for secure transmission of data
• 802.1Q uses frame tagging to carry VLAN membership
information across multiple multivendor devices
– The security header from 802.10 is modified to support VLAN
tagging
– Tags allow frames to be forwarded quickly to other switches
within the VLAN
• Routers are required to forward frames between VLANs
– Can be internal to the switch or external one-armed routers
• Vendor proprietary implementations are still also used
– This creates vendor interoperability problems

Several issues need to be addressed when implementing VLANs:
Management: Even though most vendors use management software to create
the VLANs and move ports into the VLAN, there is an issue of keeping up with
all the moves (though this is certainly easier than moving cable to keep a person
in the same network segment!). People also may feel isolated when they are
moved out of the area where their co-workers are.
80/20 Rule: It is difficult to maintain the “80/20” rule, where 80% of the traffic
remains local and 20% goes outside the area and through a router.
Shared resources like servers and printers need to be managed so people in a
different VLAN can print to the local printer and access their server.
You may choose to put these devices into more than one VLAN so all who need
them can access them.


Slide Title: 802.1Q VLAN Standard

Important
Points to
Cover: New Slide.

This is the IEEE standard for VLAN tagging. The headers are
different.

Highlight the last bullet.

All the switches in the VLAN must support the same tagging
method or frames will not get where they need to go!

Page 5 - 34
5-35
802.1Q VLAN Headers
Fits between the Source MAC address and Type/Length
field of the MAC header of the Ethernet frame

Frame layout: MAC D & S | Type (8100) | Tag Control | MAC Type/Length | Data
Tag Control: User Priority | Tunnel Type | VLAN ID

2 bytes Tag Protocol Type field identifies the 802.1Q header
2 bytes Tag Control field has three fields:
3 bits user priority
1 bit tunnel type i.e. Ethernet or Token Ring
12 bit VLAN ID

802.1Q standard works hand in hand with the 802.1P standard for assigning
priority levels to frames. You may see it called 802.1 Q/p in some publications.
The user priority field allows applications that require guaranteed bandwidth to
be delivered before applications that are not time-sensitive.
3 bits allow for 8 different priority levels. The switches must maintain internal
queues for each priority. Incoming frames are placed in the queue for the
priority in the field and the highest priority frames are transmitted out before
the lower priority frames.
This enables lower cost Ethernet installations to compete with the high-
maintenance and cost ATM networks that provide robust Quality of Service
guarantees.
Keep in mind that this is priority done at layer 2. RSVP at the network layer in
the stack needs to inform layer 2 to set the priority bits to match the level of the
data being sent. To have end-to-end priority, all devices in the intervening path
must recognize the priority levels at both layers.
The 802.3ac standard has extended the maximum frame size to 1522 bytes to
allow for these 4 additional bytes.
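
The header layout above can be decoded directly from captured bytes. This is an added example, not code from the course or from Sniffer Pro: `parse_frame` and `add_tag` are hypothetical helper names, the sample addresses and payload are constructed, and frames are assumed to be captured without the trailing 4-byte CRC. The single-bit field keeps the slide's name (tunnel type); IEEE 802.1Q names it the Canonical Format Indicator.

```python
import struct

TPID_8021Q = 0x8100     # Tag Protocol Type value that identifies 802.1Q
MAX_UNTAGGED = 1514     # largest untagged frame as captured, CRC not included
TAG_LEN = 4             # 2 bytes Tag Protocol Type + 2 bytes Tag Control


def mac(raw):
    """Format 6 raw bytes as a colon-separated MAC address."""
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame(frame):
    """Decode the DLC header of a captured frame, tagged or untagged."""
    if len(frame) < 14:
        raise ValueError("frame is shorter than a DLC header")
    info = {"dst": mac(frame[0:6]), "src": mac(frame[6:12]), "tag": None}
    (field,) = struct.unpack_from("!H", frame, 12)
    offset = 14
    if field == TPID_8021Q:
        # The tag sits between the source address and the Type/Length field.
        if len(frame) < 18:
            raise ValueError("802.1Q tag is truncated")
        tci, field = struct.unpack_from("!HH", frame, 14)
        info["tag"] = {
            "user_priority": tci >> 13,         # top 3 bits
            "tunnel_type": (tci >> 12) & 0x1,   # 1 bit (CFI in the standard)
            "vlan_id": tci & 0x0FFF,            # low 12 bits
        }
        offset = 18
    info["type_or_length"] = field
    if field >= 0x0600:
        info["kind"] = "type"        # Ethernet II EtherType
    elif field <= 1500:
        info["kind"] = "length"      # IEEE 802.3 length
    else:
        info["kind"] = "undefined"
    info["payload_offset"] = offset
    # A tagged frame may be 4 bytes longer before it counts as oversize.
    limit = MAX_UNTAGGED + (TAG_LEN if info["tag"] else 0)
    info["oversize"] = len(frame) > limit
    return info


def add_tag(frame, vlan_id, user_priority=0, tunnel_type=0):
    """Insert an 802.1Q tag into an untagged frame (no CRC to recompute)."""
    if not 0 <= vlan_id <= 0x0FFF:
        raise ValueError("VLAN ID must fit in 12 bits")
    if not 0 <= user_priority <= 7:
        raise ValueError("user priority must fit in 3 bits")
    if tunnel_type not in (0, 1):
        raise ValueError("tunnel type is a single bit")
    tci = (user_priority << 13) | (tunnel_type << 12) | vlan_id
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


# Constructed sample data: a maximum-size untagged IP frame, then its
# tagged form on VLAN 100 with user priority 5.
DST = bytes.fromhex("020000000002")
SRC = bytes.fromhex("020000000001")
UNTAGGED = DST + SRC + struct.pack("!H", 0x0800) + bytes(1500)
TAGGED = add_tag(UNTAGGED, vlan_id=100, user_priority=5)

if __name__ == "__main__":
    for label, frame in (("untagged", UNTAGGED), ("tagged", TAGGED)):
        decoded = parse_frame(frame)
        print(label, len(frame), "bytes", decoded["tag"],
              hex(decoded["type_or_length"]), "oversize:", decoded["oversize"])
```

The tagged frame is 1518 bytes as captured and is not flagged oversize, while an untagged frame of the same length is.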


Slide Title: 802.1Q VLAN Headers

Important
Points to
Cover: New Slide.

This shows a breakout of the fields in the tag to prepare them for
what the Sniffer shows.

Point out that the tag comes in the MAC header! This was very
confusing when I first viewed these frames. I wanted to put the
Type/Length field in with the tag, because the Sniffer puts it there
without identifying that it is part of the DLC header. The number of
bytes in the spec didn’t match what I saw in the frames that way.

The destination and source addresses come first, then the tag,
then the MAC type or length field.

Page 5 - 35
5-36
802.1Q Header
• Ethernet frame is encapsulated inside the 802.1Q Header
• VLAN identifier
• Maximum length frames grow to 1518 bytes
• Sniffer does not capture the last 4 bytes of the frame
– No CRC error is posted

The tag Protocol Type is used for FDDI, Token Ring and SNAP encoded fields.
Ethernet sets this to 8100.


Slide Title: 802.1Q Header

Important
Points to
Cover: New Slide.

Hey – the Ethernet maximum frame size has been exceeded!

If a max size Ethernet frame is encapsulated in a tagged frame, it is
1518 bytes. The Sniffer knows this is OK when it sees the 8100
Type field and it doesn’t post an oversize symptom or count it as
bad.

It does indicate only the first 1514 bytes were captured in the Detail
window. That shouldn’t create problems for us, since it still has
almost the entire frame, certainly enough to get through all the ULP
layers to see if there are problems there.

BTW – a question has been raised about how the Sniffer handles
the max size Ethernet frames captured by a pod. Remember it
encapsulates them in Ethernet frames to send them to the PC. The
pod transparently fragments these oversize frames and the PC
reassembles them in the driver software before they are sent up
the stack for analysis.

Page 5 - 36
5-37
Expert 802.1Q Information
• VLAN information is shown at the Global layer
• Symptoms and diagnoses break out stations in
the VLAN

[Screen capture callouts: 8021Q Protocol in use; VLAN numbers and switch MAC
addresses; VLAN Info]


Slide Title: Expert 802.1Q Information

Important
Points to
Cover: New Slide.

You might want to demonstrate this on your Sniffer using the
8021q.cap trace file the students will use for their exercise.

If time is running short, give them the details and skip the exercise.
If you’re doing OK, cover it very briefly here and let them discover
the details on their own in the exercise.

There is another 8021q-gig.cap trace that shows this information
captured from a gigabit Sniffer. Point out the [A] and [B] in the
status column and show the Statistics tab where 1000 is the line
speed.

This was a serendipity trace I found just before press time.

Page 5 - 37
5-38
VLAN Frames
• Sniffer sees VLAN headers only between switches that
support them
– Tap into the trunk link or mirror the trunk port to the Sniffer
port with Switch control

[Diagram labels: HR VLAN, Finance VLAN, Exec VLAN, 1st Floor, 2nd Floor,
3rd Floor]

More details on the switch Expert are available in these Sniffer University
classes:
TNV-101-GUI, Troubleshooting with the Sniffer Pro Analyzer
TNV-201-DSP, Implementing Distributed Sniffer System/RMON Pro
TNV-315-GUI, Interconnection Concepts and Troubleshooting


Slide Title: VLAN Frames

Important
Points to
Cover: New Slide.

This is just a visual reminder you will see these only if you tap into
the trunk link either physically or by spanning the trunk port to the
Sniffer. This is risky!

Page 5 - 38
5-39
Optional Exercise: Switch Traffic

Turn to the lab section to complete this exercise

Slide Title: Optional Exercise: Switch Traffic

Important
Points to
Cover: New Exercise.

The students will observe several types of traffic in a switched
environment. They will look at typical switch-related protocols and
the different VLAN tagging encapsulation methods.

This is a great exercise to satisfy the students who came to see
switch troubleshooting. Try to allow time to do it so they feel
good about at least seeing the Expert part of switch analysis
and see the frame tagging.

They won’t see the MIB data or be able to do a SPAN, but this will
help.

Page 5 - 39
5-40
Summary

In this section, you learned how to:
• Differentiate between bridging and switching on a
conceptual level
• Attach Sniffer Pro to bridged and switched
networks
• View VLAN identifying information in tagged
frames
• Use Sniffer Pro to identify common problems
associated with bridges and switches


Slide Title: Summary

Important
Points to
Cover: Wrap up the section by reviewing the objectives and answering any
questions the students may have.

Target Time: Day 2 early afternoon. This is a good place for a
break if you haven’t already done so.

Page 5 - 40
6-1

100 Mbps
Fast Ethernet


Fast Ethernet
Section 6 TNV-202-GUI Ethernet Network Analysis and Troubleshooting

Slide Title: 100Mbps Fast Ethernet
Section 6

Section Timing: Start: Day 2 Mid-afternoon
Finish: Day 2 Approx. 3:00

Important
Points to
Cover: Section 6 title slide only.

Files: 06_fe_g.PPT 06_fe_g.DOC

Traces: 100MBFIL.CAP, BACKPRES.CAP, BACKPRES1.CAP,
Big_bad_rich.caz

Exercises: Fast Ethernet Troubleshooting and Back Pressure
Fast Ethernet Problems
10/100 Hubs

The former three-part section covering all the fast technologies has
been split into sections for each.
Please allow enough time to present it if the class is interested. By
now, they have seen Fast Ethernet several times, so this section
can be taught very quickly.
Have the students do the exercises if possible. The first shows
various different vendor implementations of back pressure.
The second is a filtered trace and shows lots of hub jams and
collisions.
References:
Fast Ethernet: Dawn of a New Network by Howard W. Johnson,
1996, Prentice Hall Publishing, ISBN 0-13-352643-7

Switched, Fast and Gigabit Ethernet 3rd Edition by Robert Breyer
and Sean Riley, 1999, Macmillan Technical Publishing, ISBN
1-57870-073-6

6-2
Section Objectives

Upon completion of this section, you will be able to:


• Summarize the features of Fast Ethernet
• Summarize 100BASE-T4, 100BASE-TX, and 100BASE-FX
implementations
• Recognize back pressure frames in a trace
• Attach Sniffer Pro to your Fast Ethernet networks
• Use the Sniffer Pro statistics and decodes to locate areas of
concern


Slide Title: Section Objectives

Important
Points to
Cover:
Troubleshooting Fast Ethernet is basically the same as troubleshooting
10 Mbps Ethernet.

6-3
Overview of Fast Ethernet

• 100Mbps version of the Ethernet standard
• Uses the same timing criteria as 10 Mbps
Ethernet
• 100BASE-Tx supports Category 3, 4 and 5
twisted-pair wiring and fiber cabling
• Standard defined by IEEE 802.3u
• Many switches and hubs combine 10 Mbps
and 100 Mbps ports to link legacy networks
into high speed backbones

IEEE 802.3u (100BASE-T) was adopted in 1995 as a supplement to IEEE 802.3.
Several clauses are included in the specification. Earlier versions of 802.3 are
defined in clauses 1-20. 802.3u is defined in clauses 21-30:
Clause 21 100BASE-T Introduction
Clause 22 Medium Independent Interface
Clause 23 100BASE-T4 Transceiver
Clause 24 100BASE-X Transceiver
Clause 25 100BASE-TX PMD*
Clause 26 100BASE-FX PMD*
Clause 27 Repeaters
Clause 28 Autonegotiation
Clause 29 Topologies
Clause 30 Management


Slide Title: Overview of Fast Ethernet

Important
Points to
Cover: The specification calls for a few changes from the previous spec,
but mostly outlines the new features.

6-4
Where to Deploy Fast Ethernet

[Figure: network diagram. Labels: Remote LAN; Remote Router; Fractional T1;
Campus Workgroup LANs; 10/100 Mbps Hubs and Switches; Network Center;
10/100 Mbps Switches; Workgroup Hubs/Switches; WAN (T1, X.25, Frame Relay);
Router; Faster Hub, Server, Firewall Links; Token Ring; Server Cluster]

Due to the small collision domain and repeater limitations, most Fast Ethernet
hub installations will be in workgroup areas. It is not useful in the backbones of
large enterprise networks. Fast Ethernet switches or other technologies are
needed to go the distances.


Slide Title: Where to Deploy Fast Ethernet

Important
Points to
Cover: Key words: “In place of” does not mean pull out all of your FDDI
and use Fast Ethernet instead. FDDI has been around a long time
and is a proven technology. This is to say, “If you need to install a
new high-speed backbone, consider Fast Ethernet.”
Pulling out FDDI would be a real waste of money, and Fast
Ethernet is probably inferior.
Fast Ethernet is, however, cheaper to implement, and easier, since
troubleshooting skills students already have transfer over to this
technology.

Also mention the environments listed in the student
notes section where Fast Ethernet could be
implemented.

6-5
Similarities between 10BASE-T and 100BASE-T

• Both use CSMA/CD
• Frame formats and frame lengths are the same
• Both can run on Category 3, 4 and 5 UTP
• It must be four-pairs for 100BASE-T to run on 3 and 4
• Interconnections are made with hubs, repeaters,
switches, etc.

Fortunately, 100BASE-T makes use of CSMA/CD and the same frame formats as
10Mbps Ethernet. Therefore, most of what has been covered in this course is
applicable to 100BASE-T also.
Wiring specification
Page 131 of IEEE 802.3U - 1995 spec details the pinout for internal and external
crossover cables.

pin
1 ----------| Dedicated Transmit pair +
2 ----------| Dedicated Transmit pair -
3 ----------| Dedicated Receive pair +
4 ----------| Bi-directional pair 1 +
5 ----------| Bi-directional pair 1 -
6 ----------| Dedicated Receive pair -
7 ----------| Bi-directional pair 2 +
8 ----------| Bi-directional pair 2 -


Slide Title: Similarities Between 10BASE-T and 100BASE-T

Important
Points to
Cover: Point out just how similar the two are. The differences do not affect
us as the protocol analyst. Of course, as a network manager
concerned with the installation and overall network design, the
similarities and differences are critical.

6-6
100BASE-T Features

• 100BASE-T transmits ten times as much data in the
same amount of time
• It has new PHY standards
• The network design is more compact
• The interframe gap is .96 microseconds instead of 9.6
microseconds
• It is still 96 bit times for 10/100/1000, the times just get shorter
as the speed increases
• Coding schemes 4B5B and 8B6T replace Manchester
encoding

100BASE-T does have some important differences from 10BASE-T. Changes
have been made to the PHYsical layer components. New sub-layers such as the
Reconciliation sub-layer and an interface called the MII (Media Independent
Interface) have been defined in the specification.
There are new rules defining the number of repeaters allowed.


Slide Title: 100BASE-T Features

Important
Points to
Cover: This slide shows key differences.

Point out the interframe gap is still 96 bit times, the bit times are
just 10 times shorter!

6-7
Physical Layer Specifications

• 100BASE-TX: Fast Ethernet for Category 5 UTP
– Most widely used physical layer specification for
100BASE-T today
• 100BASE-T4: Fast Ethernet for CAT3 UTP
– Use when you have a large installed base of voice grade
wiring
– Requires four wires of the cable
– Not implemented very often, so there is very little
vendor support for it
• 100BASE-FX: Fast Ethernet for Fiber Optic
Cabling
– Used in sites that are considering fiber cabling or have it
installed
– Usually used between floors of a building


Slide Title: Physical Layer Specifications

Important
Points to
Cover: Use this page as a preview of what we will cover in more detail.

6-8
100BASE-TX for Category 5 UTP

• Transmission over two pairs of Category 5 UTP or
IBM Type 1 STP wire
• RJ-45 connector is exactly the same as that used by
10BASE-T where the RJ-45 links two pairs of wires
• The punchdown blocks in the wiring closet must be
Category 5 certified
• Traditional DB-9 connector used for STP wiring
• 4B5B coding


Slide Title: 100BASE-TX for Category 5 UTP

Important
Points to
Cover: Slide information is adequate.

6-9
100BASE-T4 for Category 3 UTP

• Operates over four pairs of Category 3, 4, or 5 UTP
wiring
• Three pairs are used for transmission and the fourth
wire is used for collision detection
• Since it can run on Category 3, provides for easier
migration to 100BASE-T without rewiring
• Three of the four pairs are used to transmit or receive,
so full-duplex operation is not possible
• 8B6T coding

TIA/EIA Cabling standards

Category  Application Support          Bandwidth  Year Std
1         Voice only                   voice      1950s
2         Voice or low speed data      1          1960s
3         Voice, 10BASE-T              16 MHz     1991
4         16 Mbps Token Ring           20 MHz     1993
5         CDDI, 100BASE-TX, ATM 155    100 MHz    1994
5         1000BASE-T (higher specs)    100 MHz    1999
5E        1000BASE-T                   100 MHz    1998
6         TBD                          200 MHz    1999
7         TBD (Work in Process)        600 MHz    9/2000


Slide Title: 100BASE-T4 for Category 3 UTP

Important
Points to
Cover: Slide information is adequate.

6-10
100 Base T Ethernet Pinouts

[Figure: RJ45 connector with pins 8 and 1 marked]

EIA/TIA-T568A                        AT&T 258A and EIA/TIA-568B
Pin  Signal      Wire Color          Pin  Signal      Wire Color
1    Transmit 3  white/green         1    Transmit 2  white/orange
2    Receive 3   green/white         2    Receive 2   orange/white
3    Transmit 2  white/orange        3    Transmit 3  white/green
4    Receive 1   blue/white          4    Receive 1   blue/white
5    Transmit 1  white/blue          5    Transmit 1  white/blue
6    Receive 2   orange/white        6    Receive 3   green/white
7    Transmit 4  white/brown         7    Transmit 4  white/brown
8    Receive 4   brown/white         8    Receive 4   brown/white

It doesn’t matter which wiring spec you choose; you just need to ensure you
follow through with the same pinouts for all the cables.
Both T4 and 1000BASE-T require four pairs. Gigabit requires a higher quality
connector.
Wiring specification
Page 131 of IEEE 802.3U - 1995 spec details the pinouts for internal and
external crossover cables


Slide Title: 100BASE-T Ethernet Pinouts

Important
Points to
Cover: New Slide.

For student reference.

10BASE-T required only:
pin 1 Transmit 2 – white/orange
pin 2 Receive 2 – orange/white
pin 3 Transmit 3 – white/green
pin 6 Receive 3 – green/white

If they are upgrading NICs to 100 or 1000 Mbps, they will need to
connect all eight of the pins to make the old cable work for the new
speed!

6-11
100BASE-FX for Fiber Optic Cabling

• Operates over two strands of multimode or
singlemode fiber cabling (just like FDDI)
• Fiber optic media transmits over greater
distances than UTP; useful for connections
between interconnect devices on a Fast
Ethernet backbone
• Uses the MIC, ST or SC fiber connectors defined
for FDDI and 10BASE-FX networks
• 4B5B coding

The Fiber MIC connector uses one keyed connector.
It is quite large and is being replaced
by the SC connector.

The ST connector is the bayonet-style connector that
twists onto separate fiber cables.
It is the most popular connector.

The SC connector is smaller and uses a duplex connector.
It is the connector of choice for future designs.


Slide Title: 100BASE-FX: Fast Ethernet for Fiber Optic Cabling

Important
Points to
Cover: Slide information is adequate.

6-12
4B5B Encoding Technique
(100BASE-FX and 100BASE-TX)

• Upper layer protocols send data in 8 bit bytes
• The MAC driver splits the bytes into 4 bit nibbles
– A look-up table is used to convert the 4-bit nibble
to a 5-bit symbol or symbol code
• Clocking information is carried within
the data stream
• 100BASE-FX uses a two-state NRZI
signal
– A change in signal level represents a
binary code-one; no signal level change
represents a binary code-zero

[Figure: layer stack ULP, MAC, PHY, with the data units labelled
8 bit bytes, 4 bit nibbles and 5 bit symbols]
The conversion from 4 bits to 5 bits does not involve any mathematical
calculations - it is merely a table lookup.
Q: How does 4B5B contribute to making Fast Ethernet fast?
A: By processing bits in parallel blocks as they pass through the MAC layer
rather than serially as in Manchester encoding.
Fast Ethernet operates at 100 Mbps as data passes through the NIC. After the
addition of the extra bit, it theoretically transmits at 125 MHz.


Slide Title: 4B5B Encoding Technique (100BASE-FX and
100BASE-TX)

Important
Points to
Cover: New diagram requested by Linda Richman. Thank you!

Encoding is red bold to emphasize this is an encoding scheme to
differentiate it from the purpose of the next slide.

This is “nice to know” information but not needed to troubleshoot
Fast Ethernet. Cover it quickly so you have time to present the stuff
that will help them.

The codes do not directly map to the hex value of the byte, so don’t
get hung up on the fact that a 1 maps to 01001 and F to 11101.
The codes were defined to keep the number of sequential zeros
less than 3 to maintain clock.

In 4B5B, every four bits will be sent out over five bit times.
Look at the beginning of the bit cell to see if there’s a transition. If
there is, you’ve got a one, otherwise it’s a zero.
What makes 4B5B different from other encoding schemes is that
the kind of transition is not always the same.
The transition order (+1,0,-1,0,+1,0…) tells us that if there is going
to be a transition, this is where the signal goes.

6-13
4B5B Ternary Example
• 100BASE-TX uses MLT-3 ternary signaling
– Any signal change in TX is represented by
circulating among three progressive levels: (+1, 0, -1, 0, +1, 0, -1, 0 ...)

[Figure: MLT-3 waveform over the levels +1, 0 and -1 for hex 1F, bits
0 1 0 0 1 1 1 1 0 1. Callouts: “No transition present, so this is a
binary 0” and “Transition present, so this is a binary 1”]

• Hex 1F to 4B5B: 1 maps to 01001, F maps to 11101
• A transition = binary 1; No transition = binary 0
• Transition order: +1 0 -1 0 +1 0 -1 0 endlessly

Each 4 bit nibble is translated into a 5 bit symbol. The five bit symbol for 1 is
01001, the 5 bit symbol for F is 11101.
What happens if you connect a 10 Mbps hub to a 100 Mbps port?
Autonegotiation signals will not be sent by the 10Mbps hub, so the 100 Mbps
hub will adjust the port to 10 Mbps.
The slow hub will send frames using Manchester encoding; the fast hub
converts them to 4B5B encoding and uses MLT-3 ternary signaling to forward them out
a fast port. It does the opposite conversion before forwarding any frames from
the fast port to the slow port.


Slide Title: 4B5B Ternary Example

Important
Points to
Cover: This is electrical signaling – how we get the bits we just converted
from 4 bit patterns into 5 bit symbols.

Notice that after each group of four bits, there’s a transition. This
transition does not provide data but is used for clocking.
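
The 4B5B lookup and the MLT-3 and NRZI signaling from the last two slides, as an added Python example (not part of the course material). The slides give only the symbols for 1 and F; the other fourteen table entries are taken from the standard 4B5B data code table, the nibble order follows the slide's 1F walk-through, and the 100BASE-TX scrambler is left out.

```python
"""4B5B block coding followed by MLT-3 (100BASE-TX) or NRZI (100BASE-FX)."""

# 4B5B data code groups. Only 1 -> 01001 and F -> 11101 appear on the slides;
# the remaining entries come from the standard 4B5B data code table.
FOUR_B_FIVE_B = {
    0x0: "11110", 0x1: "01001", 0x2: "10100", 0x3: "10101",
    0x4: "01010", 0x5: "01011", 0x6: "01110", 0x7: "01111",
    0x8: "10010", 0x9: "10011", 0xA: "10110", 0xB: "10111",
    0xC: "11010", 0xD: "11011", 0xE: "11100", 0xF: "11101",
}
FIVE_B_FOUR_B = {symbol: nibble for nibble, symbol in FOUR_B_FIVE_B.items()}

# The slide's transition order (+1 0 -1 0 ...), starting from the 0 level.
MLT3_CYCLE = (0, +1, 0, -1)


def encode_4b5b(data: bytes) -> str:
    """Table lookup only: each byte becomes two 5-bit symbols.

    Nibbles are emitted high then low to match the slide's 1F example
    (an assumption made for this sketch)."""
    return "".join(
        FOUR_B_FIVE_B[byte >> 4] + FOUR_B_FIVE_B[byte & 0x0F] for byte in data
    )


def decode_4b5b(bits: str) -> bytes:
    """Reverse lookup; rejects anything that is not a data symbol."""
    if len(bits) % 10:
        raise ValueError("expected a whole number of two-symbol groups")
    nibbles = []
    for i in range(0, len(bits), 5):
        symbol = bits[i:i + 5]
        if symbol not in FIVE_B_FOUR_B:
            raise ValueError(f"{symbol} is not a 4B5B data symbol")
        nibbles.append(FIVE_B_FOUR_B[symbol])
    return bytes((hi << 4) | lo for hi, lo in zip(nibbles[::2], nibbles[1::2]))


def mlt3_levels(bits: str) -> list:
    """MLT-3: a 1 steps to the next level in the cycle, a 0 holds the level."""
    index, levels = 0, []
    for bit in bits:
        if bit == "1":
            index = (index + 1) % len(MLT3_CYCLE)
        levels.append(MLT3_CYCLE[index])
    return levels


def nrzi_levels(bits: str) -> list:
    """Two-state NRZI: a 1 toggles the level, a 0 leaves it unchanged."""
    level, levels = 0, []
    for bit in bits:
        if bit == "1":
            level ^= 1
        levels.append(level)
    return levels


def bits_from_levels(levels: list, start_level: int = 0) -> str:
    """Receiver view for either scheme: transition = 1, no transition = 0."""
    bits, previous = [], start_level
    for level in levels:
        bits.append("1" if level != previous else "0")
        previous = level
    return "".join(bits)


def longest_zero_run(bits: str) -> int:
    return max(len(run) for run in bits.split("1"))


def worst_case_zero_runs() -> tuple:
    """Longest run of zeros inside one symbol and across any symbol pair."""
    symbols = list(FOUR_B_FIVE_B.values())
    within = max(longest_zero_run(s) for s in symbols)
    across = max(longest_zero_run(a + b) for a in symbols for b in symbols)
    return within, across


if __name__ == "__main__":
    coded = encode_4b5b(b"\x1f")
    print("4B5B :", coded)
    print("MLT-3:", mlt3_levels(coded))
    print("NRZI :", nrzi_levels(coded))
    print("zero runs (within symbol, across symbols):", worst_case_zero_runs())
```
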

6-14
8B6T Encoding Technique
(100BASE-T4)

• Based on a ternary symbol - meaning it may take on
one of three values: 1, 0 or -1, also represented as +,
0 or -
• Each byte is mapped to a 6 bit-time ternary code
symbol, called a 6T symbol
– (i.e., to represent 1F, the 6T code group is 0 - + 0 + -)
– A lookup table is used to convert the 8 bit byte into the 10 bit
symbol
• Each 6T code symbol is fanned out onto the three
pairs in round robin fashion
• Preamble is still 8 bytes in length
– A special pattern is used to help the receiver locate the
beginning of data on each pair
– The receiver strips this pattern and returns an ordinary
preamble to the MAC


Slide Title: 8B6T Encoding Technique (100BASE-T4)

Important
Points to
Cover: This is “nice to know” information but not needed to troubleshoot
Fast Ethernet. Cover it quickly so you have time to present the stuff
that will help them.

The 802.3u spec defines a six part code for each byte.

6-15
8B6T Example

Taken from the 802.3u specification:

1F uses code word 0 - + 0 + -

Data octet  6T code group
00          +-00+-
01          0+-+-0
02          +-0+-0
:           :
1F          0-+0+-

[Figure: waveform of the code word 0 - + 0 + - at the signal levels
+3.5 Volts +/- 10%, 0 Volts +/- 50 mV and -3.5 Volts +/- 10%]


Slide Title: 8B6T Example

Important
Points to
Cover: Cover quickly.

6-16
Data Frame Transmission in 8B6T

[Figure: BYTES, each passed through “Convert to 6T code group” and
sent onto 3 (of the 4 pairs)]


Slide Title: Data Frame Transmission in 8B6T

Important
Points to
Cover: As we showed earlier, 100BASE-T4 operates over four pairs of
UTP wiring. Three are used for transmission, the fourth does
collision detection.
Each byte goes to a different wire in a round robin fashion.

6-17
Maximum Collision Domain

• The physical size and number of repeaters is limited in
order to meet the round-trip propagation delay
requirements
– 100 meters (328 feet) is the maximum for each UTP link
– A maximum of two repeaters is allowed
– Two “classes” of repeaters are used (depending on their
latency characteristics): Class I and Class II
– The maximum collision domain for Fast Ethernet over cat 5
UTP using one class I repeater is 200 meters (672.4 feet)
– Two class II repeaters extend it to 205 meters
• Because of these constraints, switches are frequently
used to extend the distances.

The 512 bit-time propagation limitation still applies. However, 512 bit times
equals only 5.12 microseconds. Therefore, the performance of the repeater
determines the number of repeaters allowed. To make things easier, certain
classifications regarding the repeater’s characteristics have been defined.


Slide Title: Maximum Collision Domain

Important
Points to
Cover: Slide information is adequate.

6-18
Class I Repeaters

• Used to connect unlike physical signaling systems
• Only one Class I repeater can reside within a single
collision domain when maximum cable lengths are
used
• Standard Class I repeater has maximum round-trip
delay of 140 bit times
– Late collisions result if limits are exceeded

[Figure: one Class I repeater between a 100m UTP 100Base-TX link and a
100m UTP 100Base-T4 link; 200m end to end]

Class I repeaters convert each incoming analog signal to digital before the
data is placed on the backbone and repeated out. The digital data then must be
converted back to analog at each port before it is sent out. This allows
translation between different encoding, but adds latency to the repeater. For
this reason, only one Class I repeater is allowed in the collision domain.

[Figure: Class I repeater ports, each labelled Analog and Digital, with Backplane]


Slide Title: Class I Repeaters

Important
Points to
Cover: A little more clarification has been added to help differentiate
between Class 1 and 2 repeaters.

Because Class 1 repeaters can do translation between different
cabling systems, it takes longer to repeat the signal.

This limits you to just one repeater due to the longer propagation
delay.

6-19
Class II Repeaters
• Provide ports for only one physical signaling system
type
– Timing constraints do not allow translation between 100BASE-TX
and 100BASE-T4
• Have smaller internal delays so that two class II
repeaters may reside within a given collision domain
when maximum cable lengths are used
• Standard Class II repeater has 92 bits as its maximum
round trip delay
– 67 bits for Class II repeaters with any T4 ports

[Figure: two Class II repeaters joined by 5m UTP, each with a 100m UTP
link; 205m end to end]

Class II repeaters repeat the analog signal BEFORE it is converted to digital. The
latency of these repeaters is less, but no conversion between encoding can be
done.

[Figure: Class II repeater ports labelled Analog, with Backplane and Digital]


Slide Title: Class II Repeaters

Important
Points to
Cover: Because Class II repeaters cannot translate, they can forward the
information much more rapidly. That allows for two in a collision
domain.

6-20
Stackable Hubs Provide More Ports

• Stackable hubs are multiport repeaters
• Their backbones are connected with external
cables to repeat all the frames
• The stack acts like a single repeater

Timing slowed for demonstration!


Slide Title: Stackable Hubs Provide More Ports

Important
Points to
Cover: New Slide.

Stackable hubs allow you to put a lot more devices in a collision
domain than you could with single hubs.

Essentially the backbone is extended through the external cables
so the stack acts like a single repeater.

6-21
Fiber Repeaters
• Fiber cabling allows much larger collision
domains

[Figure: two Class II repeaters joined by 18m fiber, each with a 105m
fiber link; 228m end to end]

• Fiber and UTP can be mixed
• Just be sure the end-to-end propagation delay
does not exceed 512 bit times
+Delay for each cable to the node (x2)
+Delay for each repeater
+Delay for cable between repeaters


Slide Title: Fiber Repeaters

Important
Points to
Cover: New Slide.

Since fiber optic is becoming quite common now (especially on the
backbone), this slide was added to show the optical repeater
specifications.

The calculations for maximum collision domains need to add the
delay of each wire based on type and length plus the delay of the
repeater(s), expressed in bit times.

The Switched, Fast, and Gigabit Ethernet book mentioned on the
front of this section has great information on how to calculate all the
different combinations. If you carry a book with you, this is the one
to carry.
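
The delay sum from the collision domain slides, as an added Python example (not from the course material). The repeater delays are the ones on the slides; the DTE and per-metre cable delays are assumed from the component delay table in IEEE 802.3u Clause 29 and are not given on this page.

```python
"""Round-trip delay budget for a Fast Ethernet collision domain."""

SLOT_BIT_TIMES = 512.0  # limit stated on the slides

# Round-trip delays in bit times.
REPEATER_BT = {"class1": 140.0, "class2": 92.0, "class2_t4": 67.0}  # slides
# Assumed from IEEE 802.3u Clause 29 (not on this page):
CABLE_BT_PER_M = {"cat3": 1.14, "cat5": 1.112, "fiber": 1.0}
DTE_PAIR_BT = {"tx_fx": 100.0, "t4": 138.0, "mixed": 127.0}


def path_delay(segments, repeaters, dte_pair="tx_fx"):
    """Sum the worst path: both end stations, every cable, every repeater.

    segments  -- list of (media, metres) along the path between two nodes
    repeaters -- list of repeater classes crossed on that path
    """
    cable = sum(CABLE_BT_PER_M[media] * metres for media, metres in segments)
    hubs = sum(REPEATER_BT[kind] for kind in repeaters)
    return DTE_PAIR_BT[dte_pair] + cable + hubs


def evaluate(segments, repeaters, dte_pair="tx_fx"):
    """Return the total, the headroom and whether the path fits in 512 BT."""
    total = path_delay(segments, repeaters, dte_pair)
    return {
        "bit_times": round(total, 3),
        "headroom": round(SLOT_BIT_TIMES - total, 3),
        "fits": total <= SLOT_BIT_TIMES,  # over budget means late collisions
    }


def max_inter_repeater_m(node_link_m, media, repeaters, dte_pair="tx_fx"):
    """Longest cable allowed between repeaters once both node links,
    the repeaters and the end stations are accounted for."""
    per_m = CABLE_BT_PER_M[media]
    fixed = (DTE_PAIR_BT[dte_pair]
             + sum(REPEATER_BT[kind] for kind in repeaters)
             + 2 * node_link_m * per_m)
    return (SLOT_BIT_TIMES - fixed) / per_m


# Topologies drawn on the slides, plus one that is 5 m too long.
TOPOLOGIES = {
    "one Class I, 2 x 100 m cat 5":
        ([("cat5", 100), ("cat5", 100)], ["class1"]),
    "two Class II, 100 + 5 + 100 m cat 5":
        ([("cat5", 100), ("cat5", 5), ("cat5", 100)], ["class2", "class2"]),
    "two Class II, 100 + 10 + 100 m cat 5":
        ([("cat5", 100), ("cat5", 10), ("cat5", 100)], ["class2", "class2"]),
    "two Class II, 105 + 18 + 105 m fiber":
        ([("fiber", 105), ("fiber", 18), ("fiber", 105)], ["class2", "class2"]),
}


def report():
    return {name: evaluate(segs, reps) for name, (segs, reps) in TOPOLOGIES.items()}


if __name__ == "__main__":
    for name, result in report().items():
        print(f"{name:40s} {result}")
```
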

6-22
Auto-Negotiation
• “The algorithm that allows two devices at either end of a link segment
to negotiate common data service functions”
• RJ-45 connector may have any one of five different Ethernet signals:
10BASE-T, 10BASE-T full-duplex, 100BASE-TX, 100BASE-TX full-duplex
or 100BASE-T4
• Both 100BASE-T NICs and hubs send a modified 10BASE-T link
integrity test pulse sequence (called Fast Link Pulses - FLP)
– 10BaseT devices don’t understand the pulses and ignore them
– 100BaseT devices adjust to 10 Mbps when they receive 10BASE-T link
pulses
• Hub and NIC automatically adjust their speed to the highest common
denominator both can accommodate

[Figure: a device with ON/OFF switches asking “10 or 100?” and “Full or
half?”, attached to a hub or switch. Callouts: “AUTO-NEGOTIATE!” and
“Useful if you’re unsure what you’re plugging into AND when upgrading to
100BASE-T hubs or cards”]

10BASE-T link pulses are a single signal every 201 µs.
Fast Ethernet link pulses are bursts containing information about the capabilities
of the adapter. They are used for all the faster Ethernet interfaces. Priority bits
in the pulses identify the type of the device connection capabilities and are
assigned as below. The highest common connection type is used for the
connection.
Priority Connection type
1 1000BASE-T full-duplex
2 100BASE-T2 full-duplex
3 100BASE-T2
4 100BASE-TX full-duplex
5 100BASE-T4
6 100BASE-TX
7 10BASE-T full-duplex
8 10BASE-T
Autonegotiation is a common source of incompatibility problems when using a
10/100 card from one vendor and a hub from another vendor.


Slide Title: Auto-Negotiation

Important
Points to
Cover: Good coverage of this on pages 133 through 135 of the Seifert
book.
Autonegotiation created a lot of problems in the early NICs. Not
all vendors used the same algorithm and things worked OK until you
introduced a new brand of NIC into the network. These early
implementation problems are now corrected and most cards are
compatible.
Most hubs allow you to turn autonegotiation off to force the network
to specific parameters.
Autonegotiation is done on power up. Generally there are devices
on the network that are never powered down, so they control the
parameters of a broadcast segment.
The negotiation is done for a specific link. Most hubs and switches
can negotiate on each port, so you may have a combination of 10
and 100 MB stations on the ports.
The pulses sent to negotiate are ignored by any cards that do not
support it. 16 bit “pages” are sent that carry information that
identifies the parameters. There is a larger discussion of these in
the gigabit section.
Cards are able to differentiate between the link pulses,
autonegotiation and data signals on the wire. The Sniffer will not
capture any of these signals, so we will not see them in traces.
Autonegotiation is used only on 100 Mbps twisted pair networks.
The IEEE has not been able to overcome the negotiation problems
in fiber optic networks, so the ends of the links must be manually
configured.

The Sniffer does not capture Fast Ethernet autonegotiation – the
gigabit Sniffer Pro does.

6-23
10/100 Hubs and Switches

• There are many varieties of 10/100 hubs
– Hubs with separate linked backbones for each
speed
• Frames between different speed devices cross over the
link
– 10 Mbps hubs with 100Mbps uplinks
• 10 Mbps traffic is aggregated onto the high speed uplink
• The frames are buffered until they can be forwarded
• Be sure the uplink is switched to enable longer distances
• Each 100 Mbps device autonegotiates the
speed of the port
– Since 10BASE-T devices have no autonegotiate
pulses, their port is set to 10Mbps


Slide Title: 10/100 Hubs and Switches

Important
Points to
Cover: New Slide.

Slide information is adequate.

This slide also answers the question of “what if I plug in the wrong
Sniffer?” (We address it later, too.)

The best advice is to leave the 10/100 Ethernet card in your Sniffer
set to autonegotiate the speed. Attach it to the network, then power
it up. It will learn automatically the correct speed and begin to
watch the frames even before you start any monitor or capture
processes.

If you plug any 10/100 card into the wrong port, the worst that
happens is the card (including the Sniffer) won’t see anything!

6-24
10/100 Flow Control

• Devices with a mixture of port speeds must
provide buffers to hold the data between the
high and low speed devices
– Flow control must be used to signal devices to stop
sending data when the buffer is full
– Half-duplex uses back pressure signals


Slide Title: 10/100 Flow Control

Important
Points to
Cover: New Slide.

This is a lead-in to the back pressure discussion and the exercise
where we see two traces from a 10/100 autosensing hub.

There will be a delay between the 10 and 100 connections because
of the bridging effect inside the hub or switch.

6-25
Back Pressure
• Switches send “back pressure” frames as a “busy
signal” to end stations to prevent them from sending
frames when the switch’s internal buffers have
reached their capacity
– Switches that do not use back pressure or some other “flow
control” mechanism will simply DROP FRAMES when their
internal buffers cannot handle the traffic flow
• Frames are vendor-specific
– IEEE specifies this as preamble bits not followed by a start of
frame delimiter. Not all vendors follow the spec
– Show up in the Sniffer hex window with 5555555555,
AAAAAAAA, 202020202, 34343434, D0D0D0D0 patterns
– To determine your back pressure patterns, disable back
pressure and capture a trace
• If fragments are there, it is jam
• If they are gone, it is back pressure

Switches discard frames when their buffers are full. This causes retransmissions
at the higher layers, which degrades performance.
If the switch causes collisions when the buffer is full to keep from discarding
frames, the backoff algorithm in the end station will keep incrementing the time
the card waits to retransmit and will finally give up.
Back pressure eliminates this problem. By keeping the line busy with bits, the
cards can transmit as soon as they sense the line is free and the backoff
algorithm will not be started.


Slide Title: Back Pressure

Important
Points to
Cover: This slide discusses the features of back pressure and how to deal
with and identify it in the network.

Demo: If you don’t have time for the exercise in class, show the
BACKPRES.CAP and BACKPRES1.CAP trace files. If they will do
the exercise, let them discover it.
Here is the text of an email from a former instructor while she was
working at 3 Com about the BACKPRES.CAP trace. It is copied
verbatim from the IFAQ.
The same patterns can be used as jams, too. I differentiate by
looking at the fragments in the trace. (The suggestion in the last
bullets are hers.) 3 Com calls it Intelligent Flow Management (IMF)
in its documentation.
Here’s how it works: There’s an input buffer (size varies by device);
let’s use 256k for our example. When the switch detects there’s
254k in the input buffer, it sends those signals to the network. The
filling of the input buffer could mean the outbound segment is busy
and the switch is having difficulty sending frames out, etc.
A few things to remember:
Since these are not valid frames, their only function is to trigger
carrier detect on the cards on that segment. There is no meaning to
their content.
Backpressure is a good thing! It looks like collisions, but keep this
in mind. Ethernet cards are designed to backoff and retransmit if
they detect a collision while transmitting. This takes microseconds.
Backpressure will prevent them from transmitting in the first place
or may cause a few collisions here and there (the switches don’t
carrier sense before they output backpressure). Anyway, it’s the
physical layer that handles this. If you disable backpressure,
frames may be dropped at the switch. This means no collision
occurs and the upper layer has to time out to detect the lost packet.
With LLC this could be a matter of milliseconds. With TCP, this
could be a matter of hundreds of milliseconds. That’s an eternity,
especially on Fast Ethernet. Bottom line, leave backpressure on.
Thanks, Michelle!!!
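
The compare-two-traces check from the Back Pressure slide, as an added Python example (not Sniffer functionality and not from the course material). The fragment bytes are constructed samples, and the function names, the 4-byte minimum and the 90% single-byte threshold are assumptions made for the sketch.

```python
"""Separate back pressure fill patterns from jam patterns by comparing a
trace taken with back pressure enabled against one taken with it disabled."""

from collections import Counter


def fill_pattern(fragment: bytes, min_len: int = 4, min_ratio: float = 0.9):
    """Return the repeated byte (as two hex digits) when a fragment is
    essentially one byte value repeated, otherwise None.

    min_len and min_ratio are assumed thresholds: they tolerate a stray
    byte at the edge of a fragment but reject ordinary frames."""
    if len(fragment) < min_len:
        return None
    value, count = Counter(fragment).most_common(1)[0]
    if count / len(fragment) < min_ratio:
        return None
    return f"{value:02X}"


def pattern_counts(capture) -> Counter:
    """Count fragments per fill pattern in one capture (a list of bytes)."""
    counts = Counter()
    for fragment in capture:
        pattern = fill_pattern(fragment)
        if pattern is not None:
            counts[pattern] += 1
    return counts


def classify_patterns(with_back_pressure, without_back_pressure) -> dict:
    """Apply the slide's rule to every pattern seen with back pressure on:
    still present with it off -> jam; gone -> back pressure."""
    before = pattern_counts(with_back_pressure)
    after = pattern_counts(without_back_pressure)
    return {
        pattern: "jam" if after[pattern] else "back pressure"
        for pattern in sorted(before)
    }


# Constructed sample data: the start of an ordinary ARP broadcast plus
# fragments filled with patterns the slide lists (55, D0).
ORDINARY_FRAME = bytes.fromhex("ffffffffffff00a0c9112233" "0806" "0001080006040001")

CAPTURE_BACK_PRESSURE_ON = [
    bytes.fromhex("55" * 12),
    ORDINARY_FRAME,
    bytes.fromhex("55" * 9),
    bytes.fromhex("d0" * 10),
    bytes.fromhex("aa" * 3),          # too short to judge
]
CAPTURE_BACK_PRESSURE_OFF = [
    ORDINARY_FRAME,
    bytes.fromhex("d0" * 8),          # still present, so it is jam
]

if __name__ == "__main__":
    verdicts = classify_patterns(CAPTURE_BACK_PRESSURE_ON, CAPTURE_BACK_PRESSURE_OFF)
    for pattern, verdict in verdicts.items():
        print(f"fill byte {pattern}: {verdict}")
```
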

6-26
Troubleshooting Fast Ethernet

• Troubleshooting Fast Ethernet is pretty much like
troubleshooting 10 Mbps Ethernet
• Look for bad ports on the switch or hub
– Check the Dashboard Detail panel for error counts
– Look for corruption in the frame’s hex window
• Check if the collision domain is too large
– Collision domains are much smaller than 10BASE-T
– Are there too many repeaters in series?
– Is the fiber segment too large?
– Look for propagation delay clues in the frames: collision
evidence late in the frame

© Network Associates Ethernet Network Analysis and Troubleshooting


Fast Ethernet
Section 6 TNV-202-GUI Ethernet Network Analysis and Troubleshooting

Slide Title: Troubleshooting Fast Ethernet

Important
Points to
Cover: The slide is self-explanatory.

Refer them back to the hubports exercise we did. The same
technique applies in Fast Ethernet.

Page 6 - 26
6-27
Troubleshooting Fast Ethernet

• Autonegotiation vendor incompatibilities
– Not all vendors implement
– TX idles simulate jabber that keeps network busy
• View the Dashboard Detail panel for jabber and oversize
frames
• Look for garbage in the frames
– May autonegotiate to T4 assuming cable may not be category 5
• Result is lower performance for the higher quality wiring
• Turn off autonegotiate and enable TX with cat 5
• Check your switch port information if this statistic is
available

Slide Title: Troubleshooting Fast Ethernet

Important
Points to
Cover: The slide is adequate.

Page 6 - 27
6-28
Troubleshooting Fast Ethernet

• Cabling problems
– All RJ-45 jacks look alike. Cables coming into the wiring closet
may come from a lower speed NIC and cause problems
without autonegotiation
– Updated NIC may connect to old wires and cause degradation
in the signals
– Look for evidence of physical corruption, CRC errors, jabber,
etc., in the Dashboard Detail panel
– Check for a link light
– 100BASE-TX NICS plugged into 10BASE-T ports
• Their idle signals can cause collisions on the 10BASE-T hub

Slide Title: Troubleshooting Fast Ethernet

Important
Points to
Cover: The slide is adequate.

Page 6 - 28
6-29
Fast Ethernet Exercises

Turn to the lab section to complete the Fast Ethernet exercises
• Fast Ethernet Troubleshooting and Back Pressure
• Fast Ethernet Problems

Slide Title: Fast Ethernet Exercises

Important
Points to
Cover: Please do these two exercises. They teach valuable skills and give
them another chance to work with Fast Ethernet and how it impacts
the network.

Fast Ethernet Troubleshooting and Back Pressure

The first shows Fast Ethernet traffic. At the end are 2 trace files
showing different types of backpressure.
If you run out of time, you could use these trace files to
demonstrate the patterns.
The second exercise discusses some of the issues in the 10/100
autosensing hubs.
Look back to page 25 for the backpres.cap story. This is the story
that came with the backpres2.cap file:
This trace came from a company that was having problems from a
line running in the proximity of a generator in a warehouse using
cat 5 cabling. The errors coming from the EMI were overflowing the
buffer on the 10/100 switch so the switch was sending out the
backpressure. To solve the situation the customer installed a fiber
zip cord and it worked. This proves the point that the back pressure
was not the problem but the EMI was. I hope this fills in the gaps
for everyone. Michael "Mickey" Giovingo

Page 6 - 29
6-30
Summary

In this section, you learned how to:
• Summarize the features of Fast Ethernet
• Differentiate the 100BASE-T4, 100BASE-TX, and 100BASE-FX
implementations
• Recognize back pressure frames in a trace
• Attach Sniffer Pro to your Fast Ethernet networks
• Use the Sniffer Pro statistics and decodes to locate areas of
concern

Slide Title: Summary

Important
Points to
Cover: Review the section objectives and answer any remaining
questions.

Target Time: Day two at afternoon break.

Page 6 - 30
7-1

Full Duplex Ethernet




Full Duplex
Section 7 TNV-202-GUI Ethernet Network Analysis and Troubleshooting

Slide Title: Full Duplex Ethernet

Section Timing: Start: Day 2 after break


Finish: Day 2 Approx. 3:00

Important
Points to
Cover: Section 7 title slide only.

Files: 07_fd_g.PPT 07_fd_g.DOC

Traces: None available – sorry!

This section looks back to Fast Ethernet and forward to Gigabit
Ethernet. Both use Full Duplex.

Please remember this instructor guide is a living document. It is not
complete to start and is intended to grow with time. Add to your
own copy as you gain experience. Please e-mail suggestions to
the course Subject Matter Expert (SME) for future updates to the
course material.

Page 7 - 1
7-2
Section Objectives

Upon completion of this section, you will be able to:
• Summarize the features of Full Duplex Ethernet
• Differentiate Full Duplex Ethernet standards and cabling
• Recognize Pause frames in the trace and why they are sent
• Attach Sniffer Pro Full Duplex pod to your Full Duplex Ethernet
networks
• Configure Sniffer Pro’s full duplex features
• Use the Sniffer Pro statistics and decodes to locate areas of
concern
• Attach the Full Duplex pod to analyze full duplex connections

Slide Title: Section Objectives

Important
Points to
Cover: You will not have access to the FDX pod for this class.

This section, Full Duplex, has no exercises accompanying it
and consists of many slides depicting configuration. How you handle
these sections will depend on your comfort level with the material.

Since many students may have questions regarding how the Sniffer
will handle Full Duplex and Gigabit, you have these sections as an
overview.

References:
Fast Ethernet: Dawn of a New Network by Howard W. Johnson,
1996, Prentice Hall Publishing, ISBN 0-13-352643-7
Gigabit Ethernet, Technology and Applications for High Speed
LANs by Rich Seifert, 1998, Addison Wesley Publishing, ISBN
0-201-18553-9
Switched, Fast and Gigabit Ethernet 3rd Edition by Robert Breyer
and Sean Riley, 1999, Macmillan Technical Publishing, ISBN
1-57870-073-6

Page 7 - 2
7-3
Full Duplex Communication
• Simultaneous Transmit and Receive on separate cables
• Eliminates collisions
• Must be supported by both hub and end-node
• Can allow full distance limitation of media
(2km for fiber optic cable)
• Defined in the 802.3x Specification
• Many half-duplex switches have full-duplex uplink ports

[Diagram labels: Full-duplex Power Users; Switch; Full-duplex Uplinks; Full Duplex Switch; Half-duplex Workstations; Full Duplex Server or Routers]

Full duplex cards are usually practical only for servers with high levels of traffic
on both the receive and transmit lines.
Adding a full duplex card to a workstation is only practical for one with a
multi-tasking operating system running applications that require and can handle
simultaneous read and write operations.

Slide Title: Full Duplex Communication

Important
Points to
Cover: Each station has two cables: one to transmit to the port, the other
to receive. They can send and receive simultaneously.
Because there are no collisions, the cables can be much longer.
Full duplex doubles the aggregate channel capacity, but does not
double the maximum data transfer rate due to the nature of the
traffic. Most connections send a lot of data in one direction and
acknowledgements in the other direction. This imbalance will be
most apparent in a client-server link between a single user and
server. With a server or router connected to a backbone and many
stations accessing them, the receive and transmit channels are
more likely to have an equal amount of traffic.
Each link must be a dedicated connection. If they were shared,
you’d need the CSMA/CD and all the advantages go out the
window.

Page 7 - 3
7-4
Where to Deploy Full Duplex Ethernet

[Diagram labels: Remote LAN; Remote Router; Campus Workgroup LANs; 10/100 Mbps Hubs and Switches; Network Center; Full Duplex Connections; Workgroup Hubs; WAN (SONET, ATM or ISDN with H channels); Firewall; Router; Faster Server Links; Server Cluster attached full duplex]

Traffic management for frames going to non-duplex stations is handled by the
internal buffering on the switch.

Slide Title: Where to Deploy Full Duplex Ethernet

Important
Points to
Cover: In the backbone so edge devices can have full bandwidth in each
direction.
In powerful servers that service many clients.
Anywhere there is a need for a huge fast pipe.
Note that it can be used in 10, 100 or 1000 Mbps networks.
This is a very simplified diagram. Most companies will have much
larger configurations!

Page 7 - 4
7-5
Switched Full Duplex

• Only two devices on the segment - the node and
switch port
• Simultaneous receive and transmit
• No need to wait for carrier, always available
– Queue up the frames and send immediately
• No collisions
– No backoff delays
– No Carrier Sense, No Multiple Access, No Collision Detection -
No CSMA/CD!

Slide Title: Switched Full Duplex

Important
Points to
Cover: Emphasize the first bullet.
Idea from Seifert: Ethernet has always been defined as CSMA/CD.
If it didn’t do it, it was Token Ring, FDDI, Token Passing- you get
the idea.
Now we have an environment that doesn’t do CS, isn’t MA and
doesn’t need to do CD, but we still call it Ethernet!

Page 7 - 5
7-6
Full Duplex Transmit
• Receive frame from the upper layer
• Transmit out the transmit port
• Wait interframe gap
• Transmit the next frame

[Animated diagram: a stream of frames on the transmit line, each separated from the next by the interframe gap (IFG)]

Slide Title: Full Duplex Transmit

Important
Points to
Cover: This slide is animated.
If you have a frame to send, by golly, just put it on the wire!
If you have a bunch of frames to send, just keep pumping them
out, but be sure to put the interframe gap for the technology
between them so the receiver can catch its breath, send the frame
up the stack and get ready to synch up for the next one.

Page 7 - 6
7-7
Full Duplex Receive

[Flowchart boxes: 10101010...; SFD?; Wait; Assemble Frame; My Address?; CRC Valid?; >512 Bits?; Discard Frame; Good Frame! Pass to higher layer protocol]

Slide Title: Full Duplex Receive

Important
Points to
Cover: This is a modified version of the 10 Mb flow chart. A couple of
things have been added here that were assumed in the 10 Mb
chart: SFD recognition, frame assembly, address recognition.
The other one had so many things going on, that we just didn’t
have room for them there!
Question: Does the receiver need the gap to tell when the frame
has ended?
Nope. It has the length field to tell it how long the frame is.

Page 7 - 7
7-8
Full Duplex Flow Control
• Switches discard frames when their buffers overflow
• Full duplex transmission bursts can fill buffers,
especially if different speed devices are conversing
• MAC Control Frames were developed to allow the
switch to tell the nodes to throttle back
– PAUSE is the only MAC Control frame defined today
• MAC Control frames are part of the Data Link Layer
– Sent to a well-known address
– Bridges and switches do not forward
– The switch sends the PAUSE to the device on the TX wire
– The NIC stops sending for the time specified in the PAUSE
frame
– The switch can send multiple PAUSE frames until the buffers
reach the lower threshold

Slide Title: Full Duplex Flow Control

Important
Points to
Cover: MAC frames in Ethernet????? And they still call it Ethernet???
The PAUSE is the only MAC frame defined yet. It is anticipated
more will be added as needed.
These frames replace backpressure.

Page 7 - 8
7-9
MAC Control Frame

Bytes  Field                    Contents
8      Preamble and SFD
6      Destination Address      0180C2000001
6      Source Address           Sending Station’s Address
2      Type = 8808              MAC Control Frame Type
2      MAC Control Opcode       PAUSE = 0001
44     MAC Control Parameters   Pause time in 512 bit-time increments
       Pad to 44 bytes
4      CRC

The destination address is a multicast address that has previously been
reserved. Only stations that support the PAUSE function will accept the frame.
All MAC Control frames will be type 8808.
The opcode specifies the type of control frame. PAUSE frames are opcode 0001
and are the only MAC Control frames currently defined. They are sent by either
side when their buffer is full and are used to notify the receiving side to wait a
certain period of time before sending more frames.
A time is included in the MAC Control Parameter field that indicates the amount
of time the receiver must wait. It is measured in 512-bit times so it is specific to
each data rate. It can be used for 10, 100 and 1000 Mbps Ethernet. 10 Mbps will
be 51.2 µsecond increments, 100 Mbps is 5.12 µseconds, 1000 Mbps is 512
nanosecond increments.
The station can modify the wait time by sending a new PAUSE frame with the
timer set either shorter or longer to reflect current buffer conditions.
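
The field layout and timing rules above, as an added example (not part of the original course material): a Python decoder that recognizes PAUSE frames in captured bytes, checks the CRC, and converts the pause time to seconds for a given line speed. It assumes each frame starts at the destination address (no preamble or SFD); the sample frames and station addresses are constructed for illustration.

```python
import struct
import zlib
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

PAUSE_DEST = bytes.fromhex("0180C2000001")  # reserved multicast address from the slide
MAC_CONTROL_TYPE = 0x8808                   # Type field of every MAC Control frame
OPCODE_PAUSE = 0x0001                       # the only opcode the slide defines
QUANTUM_BITS = 512                          # pause time is counted in 512 bit-time units
HEADER = struct.Struct("!6s6sHHH")          # DA, SA, type, opcode, pause time
MIN_LEN = 60                                # 6 + 6 + 2 + 2 + 44 bytes, CRC not included


class NotPauseFrame(ValueError):
    """Raised when the bytes are not a well-formed PAUSE frame."""


@dataclass
class PauseFrame:
    source: str               # sending station's address
    dest_is_reserved: bool    # True when the DA is 01-80-C2-00-00-01
    quanta: int               # pause time in 512 bit-time increments
    fcs_ok: Optional[bool]    # None when the capture did not keep the CRC

    def pause_seconds(self, mbps: int) -> float:
        """Requested pause at a given line speed (10, 100 or 1000 Mbps)."""
        return self.quanta * QUANTUM_BITS / (mbps * 1_000_000)


def parse_pause(frame: bytes, has_fcs: bool = True) -> PauseFrame:
    """Decode one captured frame, starting at the destination address."""
    if len(frame) < MIN_LEN + (4 if has_fcs else 0):
        raise NotPauseFrame("shorter than a minimum-size frame")
    fcs_ok = None
    if has_fcs:
        frame, fcs = frame[:-4], frame[-4:]
        # Ethernet's CRC-32 matches zlib.crc32, sent least significant byte first.
        fcs_ok = zlib.crc32(frame) == struct.unpack("<I", fcs)[0]
    dst, src, ethertype, opcode, quanta = HEADER.unpack_from(frame)
    if ethertype != MAC_CONTROL_TYPE:
        raise NotPauseFrame("type 0x%04x is not MAC Control" % ethertype)
    if opcode != OPCODE_PAUSE:
        raise NotPauseFrame("MAC Control opcode 0x%04x is not PAUSE" % opcode)
    return PauseFrame(src.hex(":"), dst == PAUSE_DEST, quanta, fcs_ok)


def pause_report(frames: Iterable[bytes], mbps: int,
                 has_fcs: bool = True) -> Dict[str, Tuple[int, float]]:
    """Per sender: number of valid PAUSE frames and the longest pause requested.

    A new PAUSE replaces the previous timer, so the longest single request is
    reported instead of a sum.
    """
    report: Dict[str, Tuple[int, float]] = {}
    for raw in frames:
        try:
            pause = parse_pause(raw, has_fcs)
        except NotPauseFrame:
            continue                      # ordinary traffic
        if pause.fcs_ok is False:
            continue                      # corrupted frame, a receiver discards it
        count, longest = report.get(pause.source, (0, 0.0))
        report[pause.source] = (count + 1, max(longest, pause.pause_seconds(mbps)))
    return report


def with_fcs(body: bytes) -> bytes:
    """Append the CRC so the constructed samples look like full captures."""
    return body + struct.pack("<I", zlib.crc32(body))


# Constructed sample frames (not taken from the course traces).
PAD = bytes(42)  # 2 bytes of pause time + 42 bytes of pad = 44 parameter bytes
SAMPLE_PAUSE = with_fcs(bytes.fromhex("0180C2000001" "00A0C9112233" "8808" "0001" "FFFF") + PAD)
SAMPLE_SHORT = with_fcs(bytes.fromhex("0180C2000001" "00A0C9112233" "8808" "0001" "0002") + PAD)
SAMPLE_IP = with_fcs(bytes.fromhex("00A0C9445566" "00A0C9112233" "0800") + bytes(46))

if __name__ == "__main__":
    for speed in (10, 100, 1000):
        print(speed, "Mbps:", pause_report([SAMPLE_PAUSE, SAMPLE_SHORT, SAMPLE_IP], speed))
```
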


Slide Title: MAC Control Frame

Important
Points to
Cover: The 8808 type field identifies this as a MAC Control frame.
The opcode indicates which type of MAC frame. Right now the only
one is 0001 for the PAUSE.
The time is always listed in 512 bit-time intervals. Conceivably they
can be used for all speeds- the spec was written with that in mind.
Later on there may be control frames that need more fields. Space
is reserved for more parameters.
Question: Does the full duplex Sniffer capture these control
frames?

Page 7 - 9
7-10
400+ Mbps Full Duplex

• 802.3ad specifies link aggregation
• Port aggregation allows up to four full-duplex Fast
Ethernet ports to be aggregated into what appears as
a single high speed link
• Each channel runs 100 Mbps in each direction
• Can be used only in point-to-point configurations
• Some links can be configured as standby links
– Failure of a primary link automatically switches the traffic to
the backup link
• Device drivers and software configure full-duplex
adapters
• NAI’s DSPro has a card that can sniff these links

NAI sells a four port Ethernet adapter and tap card for DSPro Agents which
allows you to designate all four ports as an EtherChannel.
The TNV-201-DSP course has more information on this card.

Slide Title: 400+ Mbps Full Duplex

Important
Points to
Cover: New Slide.

This slide is here to answer questions from students about whether
the Sniffer can capture on these high-speed links.

DO NOT try to give them details here. It is only for the DS Pro and
we cover this card and all the other non-portable solutions in the
TNV-201-DSP class.

Page 7 - 10
7-11

Full Duplex
Sniffer Pro

Slide Title: Full Duplex Sniffer Pro

Important
Points to
Cover: Title page to lead into covering the Sniffer.

Page 7 - 11
7-12
Create an Agent for the Pod
• File > Select Settings
1 Choose the Ethernet card
2 Choose the FDX pod
3 IP address should fill in one higher than your card’s address
Pod initializes when you click OK

When configuring the new agent, you must select the Ethernet network card
before you check the Full Duplex pod radio button. This will enable the IP
address box.
The Host adapter must be configured with a fixed IP address. DHCP for the
host is not supported. Set the pod’s IP address one higher than the address
of the Ethernet card in your computer if the address is not automatically sensed.


Slide Title: Create an Agent for the Pod

Important
Points to
Cover: Remind them the system requirement and pod information was
covered in section two so we haven’t repeated it here.

Use the familiar File > Select Settings to create the new agent.

First select the Ethernet adapter in the PC.

When you select the Full Duplex pod in the Netpod type field, the
IP address becomes active.

Important: the IP address for the pod must be one host number
higher than the address of the Ethernet card. They can use
Ipconfig.exe or open the Windows network window to get the
address if they don’t know it.

When you click OK on this screen and select it from the Select
Settings window, you’ll see some progress report messages as the
code is downloaded to the pod.

If all goes well, you should see the Sniffer window open and the
agent name and pod speed show up in the title bar.

Page 7 - 12
7-13
Set Line Speed
• Before you start a capture, check the line
speed settings in Tools > Options > Full
Duplex Pod

Slide Title: Set Line Speed

Important
Points to
Cover: The first thing you need to do is set the line speed of the link.

Use Tools > Options > Full Duplex pod tab window to do that. All
of the choices are shown in the drop-down list.

Page 7 - 13
7-14
Two Memory Pools

• Pod Memory
– The physical memory installed
in the box
– Up to 512 MB
– Frames from the network are
copied here
• Sniffer PC Memory
– Set through the Buffer tab on
Capture Filters
– Frames from the pod are copied
here

Slide Title: Two Memory Pools

Important
Points to
Cover: This is preparation for the next slide that shows the options you
have in capturing this traffic.

Explain it quickly and move on.

Page 7 - 14
7-15
Two Transfer Modes
• Set by clicking the icons on the toolbar or the
Capture Menu
• Stream Mode
– The pod streams the data to the analyzer
application as it is captured off the network
– Counts appear in the Sniffer window
• High Speed Capture Mode
– The data is held in the pod buffer until the capture
is stopped
– Use this mode when you are capturing from a very
busy network
– You can set the options to stop the capture when
the buffer is full
• The frames are transferred to the PC for analysis

Slide Title: Two Transfer Modes

Important
Points to
Cover: Stream Mode – the pod sends the frames to the Sniffer PC as they
arrive on the network. The pod may miss capturing some frames as
the frames are transferred to the PC on very busy networks.

The software decodes the frames and shows statistics, but does
not do real-time Expert analysis.

You must stop the capture and upload the frames to the PC before
you get Expert analysis.

High Speed Capture Mode is used on very busy networks. This
allows you to focus on capturing the frames without the holes
introduced in Stream Mode.

You’ll want to watch the buffer dial to make sure you stop the
capture before the pod buffer recycles and writes over the first
frames. You can also configure the Sniffer to stop when the pod
buffer is full and upload the frames to the PC.

How? Read on…..>

Page 7 - 15
7-16
Pod Buffer Action Configuration
Capture > Define Filter > Full Duplex Pod

Slide Title: Pod Buffer Action Configuration

Important
Points to
Cover: This configuration sets the actions on the pod buffer

Page 7 - 16
7-17
Sniffer Buffer Action Configuration

• Capture > Define Filter > Buffer
• Set the Sniffer Buffer actions here
– Same options as other Sniffers

Slide Title: Sniffer Buffer Action Configuration

Important
Points to
Cover: This panel controls the PC buffer actions. There are no unique Full
Duplex settings here.

Page 7 - 17
7-18
Capture Panel Display Window
[Screenshot callouts: Sniffer Statistics; Pod Statistics]
View Both: Shown when you start a capture from the capture menu or icon

The Decode window Summary panel shows the channel number as
[A] and [B] in the Status column

Slide Title: Capture Panel Display Window

Important
Points to
Cover: This is the display when you have enabled the View Both option.

PC statistics at the top.

Pod statistics at the bottom.

The graphs on the lower panel are color-coded for each channel.

The pod counts show numbers for each channel and total counts.

Page 7 - 18
7-19
Special Icons on the Toolbar

• View Full Duplex Pod Only
– Provides statistics for the capture session on
the pod itself
• View Sniffer Only
– Standard capture panel display and more
– Provides run-time statistics for the capture
session on the PC
• View Both
– Split screen to show statistics for both

Slide Title: Special Icons on the Toolbar

Important
Points to
Cover: These icons control which panels are open on the Sniffer capture
screen.

You can select just the Sniffer PC counts, just the pod counts or
both.

Page 7 - 19
7-20
Pod Gauges

• Frames Received per second on each channel
• Percentage of free memory on each channel
• Number of errors per second received on each channel

Slide Title: Pod Gauges

Important
Points to
Cover: Slide is self-explanatory.

Page 7 - 20
7-21
Setting Pod Properties

• Click the Properties icon in the Full Duplex pod
window or click the right mouse button over
the capture window and select the Properties
option
• Identify shows:
– Pod version
– Pod IP Address
– Pod Ethernet Mac Address
– Connection mode
– Line Speeds
– Total Memory

Pod Version number specifies the version of the software on the pod
IP Address shows the IP address assigned to the pod
MAC Address shows the hardware address of the Ethernet adapter in the
pod
Connection shows whether the pod is set to passthrough or terminate
mode
Channel A Line Speed shows the line speed of the network segments
attached to Channel A
Channel B Line Speed shows the line speed of the network segments
attached to Channel B
Total Memory shows the amount of memory installed on the pod (in
DIMMs)


Slide Title: Setting Pod Properties

Important
Points to
Cover: Slide is self-explanatory.

Page 7 - 21
7-22
Address Filters
• If Mode is set to Include and you set address filters
with less than or equal to 16 sources and 16
destinations, the filter is applied as a hardware filter
• If Mode is set to Exclude or if you have more than
16 sources or 16 destination, the filter is applied as a
software filter
Type of address filter    # Sources    # Destinations
[filter icon]             2            2
[filter icon]             1            0
[filter icon]             0            1
[filter icon]             1            1
“Any” does not count as a source or destination

Hardware filters are applied at the pod as the frames are captured from the
network. The frames excluded by hardware filters are not saved in the pod
buffer.
Software filters are applied by the Sniffer application to the frames uploaded
from the pod buffer to the Sniffer buffer.

[Screenshots: Hardware filters; Software filters]

Slide Title: Address Filters

Important
Points to
Cover: Slide is self-explanatory.

Page 7 - 22
7-23
Filters in High Speed Captures

• When capturing in high speed at full line rate,
address filters are particularly helpful
• When the mode is set to High Speed, the
frames are stored in the pod buffer until the
capture is stopped
• Limiting the frames that are accepted ensures
you will have the frames needed to isolate the
problem
• When hardware filters are in effect, the pod
will automatically filter out all frames shorter
than 55 bytes, CRC included

Slide Title: Filters in High Speed Captures

Important
Points to
Cover: Slide is self-explanatory.

Set capture filters to save room for what you need to see!

Page 7 - 23
7-24
Error Frames with the Full Duplex Pod

Frame Size     <51+4     >50+4 & <60+4   60+4 to 1514+4   >1514+4 & <4082+4   >4082+4
Valid CRC      Illegal   Runt            Normal           Oversized           Illegal
Invalid CRC    Illegal   Fragment        CRC              Jabber              Illegal

(frame sizes in bytes + CRC)

For more details, see Appendix A in the Full Duplex Product Manual on your
student CD.

Slide Title: Error Frames with the full Duplex Pod

Important
Points to
Cover: Slide is self-explanatory.

If you want more details, look at Appendix 2 in the Full Duplex pod
use documentation on the student CD.

Page 7 - 24
7-25
2 LAN Sniffer Pros in Full Duplex
• Interim solution when you don’t have an FDX
pod
[Diagram: a Fast Ethernet 100 Mbps splitter sits between the Fast Ethernet Switch and the Server. Sniffer Port 1 receives data from Server Receive/Switch Transmit; Sniffer Port 2 receives data from Server Transmit/Switch Receive. Each Sniffer port connects to its own Fast Ethernet Sniffer Pro Analyzer.]

Slide Title: Using 2 LAN Sniffer Pros in Full Duplex

Important
Points to
Cover: This is the same diagram we had before. It is possible to use two
regular Fast Ethernet Sniffers attached to a splitter to capture each
channel separately.
Remind them to time synchronize them as close as they can before
they start to capture and start the capture as simultaneously as
they can.
They will need to match request and reply sequences in the frames
to line up the frames for comparison.
Once they have the trace files saved, both can be opened in Sniffer
Pro and their windows set side by side to compare them directly as
we did in the hubports exercise.

Page 7 - 25
7-26
Summary

In this section, you learned how to:
• Differentiate Full Duplex Ethernet standards and cabling
• Recognize Pause frames in the trace and why they are sent
• Attach Sniffer Pro Full Duplex pod to your Full Duplex Ethernet
networks
• Configure Sniffer Pro’s full duplex features
• Use the Sniffer Pro statistics and decodes to locate areas of
concern
• Attach the Full Duplex pod to analyze full duplex connections

Slide Title: Summary

Important
Points to
Cover: Review the section objectives and answer any remaining
questions.

Target Time: Day 2 at 3:30

Page 7 - 26
8-1

Gigabit Ethernet


Gigabit Ethernet
Section 8 TNV-202-GUI Ethernet Network Analysis and Troubleshooting

Slide Title: Gigabit Ethernet

Section Timing: Start: Day 2 late-afternoon


Finish: Day 2 Approx. 5:00

Important
Points to
Cover: Section 8 title slide only.

Files: 08_gig_g.PPT 08_gig_g.DOC

Traces: GBautonegotiation.cap GB.cap 8021q-gig.cap

Exercise: Gigabit Traffic

This section was updated to reflect the new technologies
customers are beginning to employ in their networks.

There should be a gigabit dummy driver defined on the class
Sniffers. There is a warning that Monitor mode is disabled. Just
click OK to move beyond it.

This will enable you to create a new agent and show the features of
the Sniffer.

Please remember this instructor guide is a living document. It is not
complete to start and is intended to grow with time. Add to your
own copy as you gain experience. Please e-mail suggestions to
the course Subject Matter Expert (SME) for future updates to the
course material.

Page 8 - 1
8-2
Section Objectives

Upon completion of this section, you will be able to:
• Summarize the features of Gigabit Ethernet
• Differentiate Gigabit Ethernet standards and cabling
• Summarize 1000Base-SX, 1000Base-LX, 1000Base-CX and 1000Base-T
implementations
• Attach Sniffer Pro to your Gigabit Ethernet networks
• Configure Sniffer Pro’s gigabit-specific features
• View the autonegotiation process in the Sniffer and determine if
there is a problem
• Use the Sniffer Pro statistics and decodes to locate areas of
concern

Slide Title: Section Objectives

Important
Points to
Cover: Cover the objectives quickly.

We do have dummy drivers so you can show the Gigabit screens.
Practice with them so you can present the information in this section.

References:
Gigabit Ethernet, Technology and Applications for High Speed
LANs by Rich Seifert, 1998, Addison Wesley Publishing, ISBN
0-201-18553-9

Switched, Fast and Gigabit Ethernet 3rd Edition by Robert Breyer
and Sean Riley, 1999, Macmillan Technical Publishing, ISBN
1-57870-073-6

Page 8 - 2
8-3
Gigabit Overview
• 1000 Mbps Ethernet is able to transmit a frame at ten times
the data rate of 100 Mbps Ethernet
• It allows you to use familiar Ethernet technology while
providing much higher bandwidth
• The standard using optical cabling is defined in the 802.3z
addendum
• The 802.3ab addendum defines the Physical Layer parameters
for 4-pair over Cat 5 balanced copper cabling
• Switches with 10/100 and Gigabit ports link legacy networks
into high speed Gigabit backbones
– Frequently used in server clusters, links between switches and
servers
– Some implementations even allow you to aggregate 1000BASE-X
or 1000BASE-T segments into 10 Gigabit links
• Check the Gigabit Ethernet Alliance www.gigabit-ethernet.org

The aggregate data rate of 1000 Mbps is achieved by transmission at a data rate
of 250 Mbps over each UTP wire pair. Full duplex transmission allows symbols to
be transmitted and received on the same wire pairs at the same time. Baseband
signaling with a modulation rate of 125 Mbaud is used on each of the wire pairs.
The period for each symbol is 8 ns.

[Figure: four wire pairs, each with T and R at both ends]


Slide Title: Gigabit Overview

Important
Points to
Cover: You may want to poll the class to see what their plans are for
gigabit vs. ATM.
Review the bullets quickly.

Page 8 - 3
8-4
Deploying Gigabit Ethernet

[Figure: campus deployment diagram. Labels: Workgroup LANs; Workgroup Hubs;
10/100 Mbps Hubs and Switches with Gigabit Uplinks; Network Center Gigabit
Backbone; Server Cluster with Gigabit connections; Firewall; Router; Router;
WAN Connections (SONET, ATM or ISDN with H channels); Remote Router;
Remote LAN Campus]

Due to the cost of Gigabit switches, only high throughput links will initially use
or need Gigabit Ethernet.


Slide Title: Deploying Gigabit Ethernet

Important
Points to
Cover: One last slide like this.
Early implementations will concentrate these very expensive high
speed connections where the highest levels of traffic exist.
Fast Ethernet switches for the LANs will have gigabit uplinks to
multiplex the traffic onto the high speed backbone.
Later slides address the move to gigabit to the desktop.

Page 8 - 4
8-5
IEEE Gigabit Data Link Layer

• Uses the Physical Layer of the Fiber Channel
• Uses the MAC and LLC layers of the 802.3 specification
• Increases data rate to 1.25 Gbps

[Figure: three protocol stacks.
IEEE 802.3 Ethernet: IEEE 802.3 LLC; IEEE 802.3 CSMA/CD; IEEE 802.3 Physical Layer.
ANSI X3T11 Fibre Channel: FC-4 Upper Layer Mapping; FC-3 Common Services;
FC-2 Signaling; FC-1 Encode/Decode; FC-0 Interface and Media.
IEEE Networks (1000Base-3z): Network Layer; Data Link Layer (IEEE 802.3 LLC;
CSMA/CD or Full Duplex MAC); 8B/10B Encode/Decode; Serializer/Deserializer;
Connector.]

The Gigabit Ethernet standard draws from two separate specifications. The
Physical layers are derived from the ANSI X3T11 Fibre Channel specification.
The Data link layers are derived from the IEEE 802.3 Ethernet specification that
specifies CSMA/CD for half duplex or full duplex rules for media access control.
The LLC layer is moved intact from the IEEE specification.


Slide Title: IEEE Gigabit Link Layer

Important
Points to
Cover: Don’t spend much time on it here, since it is mainly FYI stuff.

Page 8 - 5
8-6
Physical Limitations of Shared Gigabit
• Using the standard Ethernet specifications for copper
wire, the half-duplex network diameter would be
reduced to 20 meters - not very practical!
• Carrier extension is used to extend the frame so the
diameter can be extended to 200 meters using fiber
or copper media
– Different cables yield higher diameters
– This compares to the 200 meter limit for 100Mbps Ethernet
over copper
– Only one repeater (hub) can exist between any two devices
on the network

The large number of cable choices allows the maximum network diameter to range from 200
meters with category 5 UTP to 550 meters using 1300 nm single mode 500 MHz/km fiber at
attenuation 2.32 all the way to 5000 meters using 1300 nm single mode 10/125 µm fiber cables
at attenuation 4.5.


Slide Title: Physical Limitations of Shared Gigabit

Important
Points to
Cover: A VERY small collision domain IF you use it in a half-duplex
configuration.

Emphasize again we are still building on the old 10Base5 specs if
we are going to share the media.

Page 8 - 6
8-7
Gigabit Carrier Extend

• Carrier Extend is used in Half Duplex gigabit
Ethernet to extend frames less than 512 bytes to the
slot time minimum (4096 bit-times)
– Fills the Inter Frame Gap (IFG) in burst mode
– This allows collisions to be sensed on shared media while
both sides transmit, but contributes a lot of overhead to each
small frame!
– The standards committee wanted to provide backward
compatibility even though this is impractical
– It also appears at the end of some full-duplex frames

P DA SA L/T DS SS Ctr Data F Carrier Extend (448-1 bytes)

64 + 448 = 512 byte minimum

Most Gigabit implementations will use Full Duplex mode to enable long cable lengths.
P Preamble
DA Destination Address
SA Source Address
L/T Length/Type
DS Destination SAP
SS Source SAP
Ctr LLC Control
A SNAP header not shown here may follow this field
Data Frame data
F Frame Check Sequence (CRC)
Carrier Extend allows the network diameter to remain at the 200 meter limit used by
Fast Ethernet over twisted pair media.
This is also inefficient. If a device only has 64 bytes of data to send (a minimum-length
Ethernet frame), it still must send 512 bytes, most of which is only a carrier signal.
It imposes a great deal of overhead for a network where smaller frames predominate.


Slide Title: Gigabit Carrier Extend

Important
Points to
Cover: This is a multi-faceted tool.
Extend small frames to the 512 byte minimum in half-duplex so all
stations will hear the transmission and wait to transmit.
Fill the interframe gap in burst mode (covered on the next slide).
One or more inserted between each frame in full-duplex mode.
The Carrier Extend length is purposely written as 448 – 1 bytes,
since it is dependent on how long the frame is.

Page 8 - 7
8-8
Carrier Extend in the Sniffer
• Turn on 10 Bit decodes from the Hex right-
click menu
– This frame was captured from a full duplex network
• Note the [A] channel indicators
• Even the 1472 byte frame 23 has one Carrier_Extend field

Slide Title: Carrier Extend in the Sniffer

Important
Points to
Cover: This shows how to enable the Sniffer to display the 10 bit codes.

This may help in resolving vendor interoperability problems.

Page 8 - 8
8-9
Frame Bursting Part One

• Frame bursting is used to overcome the overhead of
carrier extend
• The first frame is transmitted using the normal
procedures for half-duplex Gigabit Ethernet
• A frame burst timer is started to allow transmissions
of up to 64 Kbits
• If additional frames are queued for transmission and
the 64 Kbit timer has not expired, two things happen:
– The first frame is followed by carrier extend
– The next frame is transmitted


Slide Title: Frame Bursting Part One

Important
Points to
Cover: If the station has multiple frames queued in its transmit buffer,
packet bursting allows it to send them until the 64Kbit timer runs
out.
The station waits until there is no carrier sensed, then it begins to
transmit the first frame. It extends it to the slot time if it is short.
If a collision occurs, it backs off and waits its turn to transmit.
When the first frame is out, it keeps the line busy by transmitting
nondata symbols (carrier extension symbols) to fill the interframe
gap, then it transmits the second frame.
It can continue to transmit frames separated by carrier extend until
the 64 Kbit timer runs out (8192 bytes). If it has a frame in process,
it finishes sending it, then yields the line.
Collisions should not occur during the burst, since all stations
should hear carrier and wait. If the collision domain limit is
exceeded or a device has failed, it may cause a late collision. If this
occurs, the adapter stops transmitting data and starts jamming,
then it backs off and retries, starting the process over again.
Packet bursting is not used in full-duplex, since the station owns
the wire in each direction and has full bandwidth to transmit at all
times.

Page 8 - 9
8-10
Frame Bursting Part Two

• The process is repeated until there is no more data to
send or until the timer expires
• If the 64 Kbit limit is reached during the transmission
of a frame, that frame may be completely sent
– In many cases a station could theoretically transmit more
than 64 Kbits
– The actual maximum bits that could be sent would be seen
where the 64 Kbit limit is reached on the first bit of a
maximum-length frame
– In this case, the total bits transmitted would be 64 Kbits plus
the length of that frame which would be 1518 bytes or 12,144
bits
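The Carrier Extend and Frame Bursting slides above, worked through as an added example (not part of the course material): it computes the extension for a lone frame and splits a transmit queue into bursts under the 64 Kbit timer. The 8-byte preamble, the 12-byte interframe gap and counting the timer from the start of the first preamble are assumptions of this example, and the two queues are constructed.

```python
"""Half-duplex Gigabit Ethernet: carrier extension and frame bursting."""

SLOT_BYTES = 512           # slot time minimum: 4096 bit-times
BURST_LIMIT_BITS = 65536   # 64 Kbit frame burst timer (8192 bytes)
MIN_FRAME_BYTES = 64
MAX_FRAME_BYTES = 1518
# Assumptions: standard Ethernet values that this section does not state.
PREAMBLE_BYTES = 8
IFG_BYTES = 12             # 96 bit-times


def _check(frame_len):
    """Reject lengths outside the normal Ethernet frame range."""
    if not MIN_FRAME_BYTES <= frame_len <= MAX_FRAME_BYTES:
        raise ValueError(f"frame length {frame_len} outside 64..1518 bytes")
    return frame_len


def carrier_extension_bytes(frame_len):
    """Extension symbols needed to stretch a lone frame to the slot time."""
    return max(0, SLOT_BYTES - _check(frame_len))


def unburst_wire_bits(frame_lens):
    """Bits of wire time when every frame is sent on its own."""
    return 8 * sum(PREAMBLE_BYTES + n + carrier_extension_bytes(n) + IFG_BYTES
                   for n in frame_lens)


def burst_schedule(frame_lens):
    """Group a transmit queue into bursts; return one dict per burst."""
    queue = [_check(n) for n in frame_lens]
    bursts = []
    while queue:
        first = queue.pop(0)
        # First frame: normal half-duplex rules, extended to the slot time.
        elapsed = 8 * (PREAMBLE_BYTES + first + carrier_extension_bytes(first))
        frames = [first]
        # A further frame may start only while the burst timer is running;
        # a frame that has started is always finished.
        while queue and elapsed < BURST_LIMIT_BITS:
            nxt = queue.pop(0)
            # The interframe gap is filled with extension symbols and the
            # following frame is not stretched to the slot time.
            elapsed += 8 * (IFG_BYTES + PREAMBLE_BYTES + nxt)
            frames.append(nxt)
        bursts.append({"frames": frames, "wire_bits": elapsed})
    return bursts


def burst_wire_bits(frame_lens):
    """Total wire time with bursting, plus the idle gap after each burst."""
    return sum(b["wire_bits"] + 8 * IFG_BYTES
               for b in burst_schedule(frame_lens))


def efficiency(frame_lens, wire_bits):
    """Fraction of the wire time that carried frame bytes."""
    return 8 * sum(frame_lens) / wire_bits


if __name__ == "__main__":
    small = [64] * 20      # constructed queue: twenty minimum-length frames
    big = [1518] * 10      # constructed queue: ten maximum-length frames
    for name, q in (("20 x 64", small), ("10 x 1518", big)):
        alone, burst = unburst_wire_bits(q), burst_wire_bits(q)
        print(f"{name}: alone {alone} bits ({efficiency(q, alone):.1%}), "
              f"burst {burst} bits ({efficiency(q, burst):.1%})")
        for b in burst_schedule(q):
            print("   burst of", len(b["frames"]), "frames,",
                  b["wire_bits"], "bits on the wire")
```

With the maximum-length queue the first burst runs past 65536 bits because its last frame started before the timer expired, which is the overrun case described on the Frame Bursting Part Two slide.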


Slide Title: Frame Bursting, Part Two

Important
Points to
Cover: Notes on previous page cover this page.

Page 8 - 10
8-11
Problems of Shared Media

• Using hubs requires that all devices share the media to
form a single collision domain
• Even with frame bursting, the overhead of carrier
extension is still significant
• A topology with a maximum diameter of 200 meters is
not workable in many large environments
• Therefore, shared media hubs are probably not a
practical option with Gigabit Ethernet
– All vendors offer Full-duplex switches to overcome the
inefficiencies


Slide Title: Problems of Shared Media

Important
Points to
Cover: Review the bullets quickly.

This is a quick recap of the problems of shared media and why full
duplex is the choice for everyone.

Emphasize again the IEEE chose to build on the old 10Base5
specs for backward compatibility.

But fortunately they moved on to create an environment where
Gigabit can really speed things up.

Page 8 - 11
8-12
Full-Duplex, Switches & Jumbo Frames
• Gigabit switches will be the solution of choice
– Since switches act like bridges - each port is a separate
collision domain
– Switches can be connected in a hierarchical fashion to extend
the network without the concern of collision detection
• Most switches offer full-duplex ports which will
effectively double the potential throughput to 2 Gbps
and extend the cable length.
• Many 100 Mbps hubs and switches will be equipped
with gigabit uplink ports to provide connectivity with
the network’s gigabit backbone
• Pause frames are used for flow control
• Jumbo frames are now allowed
– Up to 9,000 bytes!

Single mode fiber increases the length of the cable substantially. One vendor
supports single mode cable lengths up to 9 miles.
Since sending frames requires CPU processing, sending a lot of small frames is
inefficient. By allowing servers to send large frames, the CPU can queue a large
frame, then work on other tasks while it is being sent.


Slide Title: Full Duplex, Switches & Jumbo Frames

Important
Points to
Cover: Can you imagine Gigabit without using switches?
Each connection is its own collision domain. There still can be
collisions between the switch and the end station, but these will be
very rare.
Half duplex still does contention, full duplex doesn’t need it.
The best solution is full duplex gigabit. You get full bandwidth in
both directions, reduce the overhead doing contention and increase
the cable lengths.

Page 8 - 12
8-13
Physical Media - Optical Fiber

• Three varieties of fiber are specified:
– 50 µm multimode
– 62.5 µm multimode
– 10 µm single mode
• The specs allow for two types of laser drivers
– 1000BaseSX: 850 nm (short-wave)
– 1000BaseLX: 1350 nm (longwave)

µm = micron
nm = nanometers


Slide Title: Physical Media – Optical Fiber

Important
Points to
Cover: This is the first of 3 slides that discuss the various types of media.
Cover them quickly.

Lasers are expensive. See big bucks $$$$$$$$$

Page 8 - 13
8-14
Copper Cable
• 1000BASE-CX
– Can only be used as patch cables or “jumpers” due to a
distance limit of 25 meters
– Created to help reduce cost of the many short connections
required in a wiring closet
– Consists of 2 pairs of shielded 150-ohm Twinax cable
– Much like Type 1 STP used in traditional token ring
environments, but with higher electrical quality standards
• 1000BASE-T
– 4 pairs of category 5 UTP balanced copper cable
– 100 meter cable limit
– Uses 4D-PAM5 (4-dimensional 5-level Pulse Amplitude
Modulation) coding (8B1Q4)
• 8 bits are converted to 4 quinary symbols
• Levels are +2 +1 0 -1 -2
• Start-of-Stream delimiter signals the beginning of the frame
• End-of-Stream delimiter signals the end of the frame

1000BASE-T clock frequency is 125 MHz (vs. 25 MHz for 100BASE-T2). It
simultaneously transmits on all four pairs to achieve the 1000 Mbps rate. Each
wire pair transmits 250 Mbps, which aggregates to 1000 Mbps.

The Twinax cable consists of two center conductors surrounded by an insulated
spacer which is surrounded by a tubular outer conductor (usually braid, foil or
both). It is then covered entirely by an insulating and protective cover.

It is similar to twisted pair in that it uses differential or balanced transmission.


Slide Title: Copper Cable

Important
Points to
Cover: Slide is adequate.

Page 8 - 14
8-15
Gigabit to the Desktop

• Very limited deployment - usually used in servers
– Use multiple parallel high speed processors to handle the data
flow effectively
– Install plenty of fast memory to cache the data, since disk
drives operate in milliseconds, while gigabit data flows at
nanosecond speeds
– Use a 64 bit 66 MHz PCI slot so the CPU bus can handle the
amount of traffic

The gigabit transceiver chip on the board contains more than 200,000
transistors, about the processing capability of an Intel 486 chip. Many different
manufacturers use this chip on their boards.


Slide Title: Gigabit to the Desktop

Important
Points to
Cover: Big challenges:
Coax cable limitations for such high speeds

Big Bucks $$$$$$$$

Page 8 - 15
8-16
Encoding Technique: 8B10B
• Used for fiber optic and 1000BASE-CX media
• Derived from 4B5B encoding used in 100BaseTX,
100BaseFX, and FDDI
• Each 8-bit byte is represented by a 10-bit code
– There are two code groups or categories:
• “D” Group - Used for data transmission
• “K” Group - Used to send control signals
• Uses a look-up table for the conversion values
• The clock signal is embedded in the data stream
– To ensure that there are adequate voltage transitions, data
signals (“D” groups) never have more than 4 consecutive ones
or zeros in them
– 8B10B includes a number of unique control signal patterns
(known as “commas”) that allow devices to synchronize and
align their bit cells

IBM developed and patented the 8B10B encoding standard and licensed it for
Fibre Channel and Gigabit Ethernet.
It ensures there are enough clock transitions for receiver clock recovery and
allows control signals to be embedded in the data stream.
Single and multiple bit errors can be corrected.
The data code words never include more than 4 consecutive ones or zeros, and
the ten bit codes never have an imbalance of more than one, i.e., 5 ones and 5
zeros, 6 ones and 4 zeros or 4 ones and 6 zeros.
The IEEE std 802.3ab -1999 spec lists the entire bit-to-symbol mapping table of
codes. It is also referred to as 8B1Q4 coding technique. The conversion process
is called 4D-PAM5 and refers to the 4 Dimensional 5-level Pulse Code Amplitude
Modulation process.


Slide Title: Encoding Technique 8B10B

Important
Points to
Cover: Nice to know information.
Won’t help troubleshoot.
Cover quickly.

A table of symbols is included in the spec and table A-1 page 387
of Seifert’s book and the IEEE spec (of course).
The Gigabit Sniffer interface in current use gives statistics of the D
and K group bits.

Page 8 - 16
8-17
Autonegotiation

• Gigabit autonegotiation is used to configure
operational parameters
– Fast Ethernet negotiates the speed with fast pulses
• Gigabit uses special normal-rate signaling
– Signals indicate whether it is using full or half-duplex
• 16 bit message pages are exchanged on link
initialization, multiple pages can be used

If only one side supports full duplex, the connection will use half-duplex if each side allows
negotiation.
The PAUSE and Asymmetry direction bits are used together to determine if the device supports
flow control and, if it does, whether it is capable of asymmetric flow control.
(Asymmetric refers to a large discrepancy between the amount of data on each line at the same
time. If the device is a server, it can process requests from multiple clients on the transmit and
receive lines, so the traffic will be somewhat even on the two sides. If the device is a node, data
transfer will occur on only one line with acknowledgments on the other, so the traffic tends to be
heavy on one line and light on the other line.)
There are four possibilities with the two bits:
1) No flow control
2) Asymmetric flow control toward the node
3) Asymmetric flow control from the node
4) Symmetric flow control
The Remote Fault bits indicate error conditions that prevent normal operation. Codes are shown
in the order Remote Fault bit 1, Remote Fault bit 2:
00 = No error, 01 = Device Offline, 10 = Link failure, 11 = Auto-negotiation failure
Autonegotiation messages are sent repeatedly until the sender receives an acknowledgement.
The acknowledgement bit indicates the sender has received 3 sequential autonegotiation
messages with the same contents.
The next page bit is reserved for future use when more than 16 bits are required to negotiate
parameters.
Special K and D combinations identify the autonegotiation signals so they are not interpreted as
data.


Slide Title: Autonegotiation

Important
Points to
Cover: We’ve talked about autonegotiation before in the Fast Ethernet
section.
Here are the details about the 16 bit message pages and the
significance of each of the bits.
This shows all the different parameters that can be negotiated.
Student notes should help you present this.

Page 8 - 17
8-18
Autonegotiation Process
[Figure: autonegotiation flowchart. Boxes: PHY comes up as Slave; Enter slave
silent mode; Start wait timer & send 0s; Scan for carrier; Send fast link
pulses; Enter training mode; Establish receive operation; Send info to link
partner; Receive link info from partner; Send idles or data; Link Status = Fail.
Decisions (Yes/No): Master on NW?; Process fail?]

The fast link pulses are identical to the Fast Ethernet pulses. They indicate the
type of connection the system is able to use. The highest level for both sides
becomes the negotiated transmission characteristic.
Priority Connection type
1 1000BASE-T full-duplex
2 100BASE-T2 full-duplex
3 100BASE-T2
4 100BASE-TX full-duplex
5 100BASE-T4
6 100BASE-TX
7 10BASE-T full-duplex
8 10BASE-T


Slide Title: Autonegotiation Process

Important
Points to
Cover: Use this flow chart to explain the autonegotiation process and the
symbolism of the Master and Slave bits they will see in the Sniffer
screens.

They will look at this in the exercise, so you can cover it in the slide
now and let them discover it in the exercise if you have time for it.

Page 8 - 18
8-19
Autonegotiation Frame Details

Bits   Parameter
0-4    Reserved
5      Full-duplex
6      Half-duplex
7      PAUSE
8      Asymmetry direction
9-11   Reserved
12     Remote Fault 1
13     Remote Fault 2
14     Acknowledgement
15 0
15     Next Page Present

This is very useful when you need to troubleshoot vendor incompatibility issues.
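A decoder for the 16-bit autonegotiation page using the bit table above and the Remote Fault codes and acknowledgement rule from the Autonegotiation slide notes, added here as an example (not part of the course material or of Sniffer Pro). Treating bit 0 as the least significant bit, ignoring the Acknowledgement bit when comparing pages, and the PAUSE resolution rules (taken from IEEE 802.3 Clause 37, which this section does not spell out) are assumptions; the sample words in the test are constructed.

```python
"""Decode 16-bit Gigabit autonegotiation pages and compare two link partners."""

# Bit positions from the table above; bit 0 is taken as the least
# significant bit of the 16-bit word (an assumption of this example).
FULL_DUPLEX, HALF_DUPLEX = 1 << 5, 1 << 6
PAUSE, ASYM_DIR = 1 << 7, 1 << 8
ACK, NEXT_PAGE = 1 << 14, 1 << 15
RESERVED_MASK = 0x0E1F            # bits 0-4 and 9-11

REMOTE_FAULT = {                  # keyed (Remote Fault 1, Remote Fault 2)
    (0, 0): "No error",
    (0, 1): "Device Offline",
    (1, 0): "Link failure",
    (1, 1): "Auto-negotiation failure",
}


def decode_page(word):
    """Split one autonegotiation page into named fields."""
    if not 0 <= word <= 0xFFFF:
        raise ValueError("autonegotiation page must be a 16-bit value")
    return {
        "full_duplex": bool(word & FULL_DUPLEX),
        "half_duplex": bool(word & HALF_DUPLEX),
        "pause": bool(word & PAUSE),
        "asym_dir": bool(word & ASYM_DIR),
        "remote_fault": REMOTE_FAULT[((word >> 12) & 1, (word >> 13) & 1)],
        "ack": bool(word & ACK),
        "next_page": bool(word & NEXT_PAGE),
        "reserved_set": bool(word & RESERVED_MASK),
    }


def resolve_duplex(local, partner):
    """Highest mode both sides advertise, or None when nothing is common."""
    if local["full_duplex"] and partner["full_duplex"]:
        return "full"
    if local["half_duplex"] and partner["half_duplex"]:
        return "half"
    return None


def resolve_pause(local, partner):
    """Flow control as seen from the local side (IEEE 802.3 Clause 37 rules)."""
    if local["pause"] and partner["pause"]:
        return "symmetric"
    if local["asym_dir"] and partner["asym_dir"]:
        if local["pause"]:
            return "rx_only"      # local side honours PAUSE, never sends it
        if partner["pause"]:
            return "tx_only"      # local side sends PAUSE, never honours it
    return "none"


def first_ack_index(words):
    """Index of the third consecutive identical page (Ack bit ignored)."""
    run, prev = 0, None
    for i, word in enumerate(words):
        key = word & ~ACK & 0xFFFF
        run = run + 1 if key == prev else 1
        prev = key
        if run == 3:
            return i
    return None


def diagnose(local_word, partner_word):
    """Return (duplex, flow control, findings) for one pair of pages."""
    local, partner = decode_page(local_word), decode_page(partner_word)
    findings = []
    for name, page in (("local", local), ("partner", partner)):
        if page["remote_fault"] != "No error":
            findings.append(f"{name} reports remote fault: {page['remote_fault']}")
        if page["reserved_set"]:
            findings.append(f"{name} sets reserved bits")
    duplex = resolve_duplex(local, partner)
    if duplex is None:
        findings.append("no common duplex mode")
    elif duplex == "half" and (local["full_duplex"] or partner["full_duplex"]):
        findings.append("downgraded to half-duplex: only one side offers full-duplex")
    return duplex, resolve_pause(local, partner), findings
```

Feed `diagnose` the page values read from the 10 Bit decode of each channel; an empty findings list with a `full` result is the healthy case.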


Slide Title: Autonegotiation Frame Details

Important
Points to
Cover: New Slide.

The bits are listed on the side.

You can send multiple “pages” of information in the process. We
see two duplicate pages here.

Developer note: I tried very hard to get new Full Duplex and Gigabit
traces, but no one came through for me. I asked a couple of
different mailing lists and HQ people and there just don’t seem to
be many floating around.

I surely hope to get one showing the autonegotiation process
through real work for the next revision!

Page 8 - 19
8-20
Autonegotiation Frame Summary

[Screenshot callouts: Pulses - no addresses; Number of ten bit codes in the
set; 32 nanosecond timestamps]

• 10 bit Hex decodes are automatically enabled
for autonegotiation signals


Slide Title: Autonegotiation Frame Summary

Important
Points to
Cover: Point out that there are no addresses in these signals

Page 8 - 20
8-21
10 Bit Decode of the Signals
• Right-click in the Hex window and select 10 Bit to see
the autonegotiation decodes

Slide Title: 10 Bit Decode of the Signals

Important
Points to
Cover: This shows how to see the 10 bit decodes

Page 8 - 21
8-22

Gigabit Sniffer

Slide Title: Gigabit Sniffer

Important
Points to
Cover: Title Page.
This is a brief overview.

Page 8 - 22
8-23
Some Advice

• Full wire speed transmission can create 125
MB of data every second!
• That’s just too many frames to analyze
• Run Monitor applications to gather statistics
and narrow in on problem areas
• Set capture filters to accept the frames where
you see problems
• Turn off real-time Expert analysis and view
Expert after you stop the capture


Slide Title: Some Advice

Important
Points to
Cover: Capture filters!

Turn off real-time Expert

Page 8 - 23
8-24
What if I Plug in the Wrong Sniffer?

• First of all, the media and connectors will limit
the number of mistakes you can make
• Then there’s autonegotiation
– If you have the wrong speed card, the
autonegotiation will fail, so you won’t get any data
at all (and will get a failure to open the adapter
message)
• If you plug a 10/100 adapter into a full-duplex
Fast Ethernet port, you’ll just get one side of
the conversation


Slide Title: What If I Plug in the Wrong Sniffer?

Important
Points to
Cover: New Slide.

Slide is sufficient

Page 8 - 24
8-25
Gigabit User Interface
• Uses the standard Sniffer Pro interface with
enhancements for Gigabit technology

The Gigabit Sniffer now has the Sniffer Pro interface. Due to the complexity of
the products, it and Full Duplex Ethernet will be covered in detail in a separate
High Speed Ethernet class.


Slide Title: Gigabit User Interface

Important
Points to
Cover: The Monitor screens and Expert are the same

The capture panel has a tab for Channel Info that shows counts for
each channel

The Summary window shows [A] and [B] to indicate which channel
the frame was captured from.

Page 8 - 25
8-26
Other Differences
• The Dashboard and Capture Panel show
counts for each channel
• History samples are doubled - one for each
channel
• Global Statistics shows individual channel
statistics and color-coded graphs for each
• The Summary window shows [A] and [B] in
the status columns to indicate which channel
captured the frame
• Packet Generator has tabs to set the rate,
override addresses and preamble and change
the CRC


Slide Title: Other Display Differences

Important
Points to
Cover: New Slide.

Cover the bullets.

Demo if you like.

Page 8 - 26
8-27
Three Separate Buffers
• Adapter Memory
– 144 MB trace buffer memory
• 72 MB per channel (2)
– Configure parameters on the Tools > Options >
Gigabit tab
• Monitor or Emulation mode
• Enable Jumbo frames
• SPAN port connection
• SnifferPro software RAM
– Configure Buffer size on the Buffer tab
• Configuration process is similar to Full Duplex


Slide Title: Three Separate Buffers

Important
Points to
Cover: New Slide.

Two on the card, one on the PC

Note there are no choices for uploading since the frames are
already in the Sniffer buffer.

Page 8 - 27
8-28
More New Options

• Tools > Options > Gigabit
– Set mode
– Enable jumbo frames
• Capture > Define Filter
– Control card buffers
– Capture filters can be set on
one channel or both

The Gigabit Packet Generator has more options than the other Ethernet
Sniffers:
The Rate tab allows you to set the Interpacket Delay, Packets per second, and
Network Utilization
The Address tab allows you to override the source and destination address in
several different ways
The Advanced tab (single frames only) choices are: random size packets, set
data offsets, include sequence numbers, adjust timestamps and generate
certain types of errors.
The Gigabit tab allows you to set the preamble length and change the CRC.


Slide Title: More New Options

Important
Points to
Cover: New Slide.

These two screens adjust how you want to control the buffers and
the behavior of the ports.

The Define Filter > Gigabit Ethernet tab shows up from Display >
Define Filter, but not all of the options are enabled.

The Tools > Options > Gigabit tab sets the action of the port.
Yes, you can span a gigabit port to the Sniffer. The 8021q-gig.cap
trace file shows VLAN information from a spanned gigabit port.

Explain the options as shown on the screen caps.

Use the Sniffer with the dummy driver to demonstrate these
options when needed.

There is a good bit of information on the gigabit packet generator in
the student notes. Open a trace file, then use Tools > Packet
Generator to show these new tabs, choosing both a new frame
and buffer option.

Page 8 - 28
8-29
Solving Gigabit Ethernet Problems

• Gigabit Ethernet is quite stable now that the vendors
are manufacturing to the specification
• Ensure you use high quality cables and connectors
• Use the same vendor when possible to avoid vendor
incompatibilities
• Watch the autonegotiation sequence when you have
stations that cannot communicate at all or show poor
performance due to negotiating to a lower capability
• SNMP and RMON statistics of the interfaces show
long-term statistics
– Use a management application to watch for trends


Slide Title: Solving Gigabit Ethernet Problems

Important
Points to
Cover: These notes are based on a conversation with the Gigabit Ethernet
people in the University of New Hampshire Interoperability lab.

Page 8 - 29
8-30
Summary

In this section, you learned how to:

• Differentiate between Gigabit Ethernet standards and cabling
• Attach the Gigabit Sniffer to Gigabit networks
• Configure Sniffer Pro’s gigabit-specific features
• Use the Sniffer Pro statistics and decodes to locate areas of
concern
• Analyze autonegotiation frames to look for incompatibilities and
downgraded connection setup

Slide Title: Summary

Important
Points to
Cover: Review the section objectives and answer any remaining
questions.
Wrap up the class.
Thank them for coming.
Gather student evaluations.
Distribute certificates.
Make sure the students have deleted their probes and have them
Run > Clean to empty the CLASS directories of files they’ve saved.
Make sure that the HUBPORT3 and 4 trace files are removed.
Remove demo Sniffer software from rental PCs using the uninstall
program on the first installation disk if you have been instructed to
do that.

Target Time: Day 2 at 5pm

Page 8 - 30
9-1

Optional Technologies
LLC, 10BASE2 & 5
Section 9 TNV-202-GUI Ethernet Network Analysis and Troubleshooting

Slide Title: Optional Technologies

Important
Points to
Cover: Section 9 title slide only.

Files: 09_app_g.PPT 09_app_g.DOC

Trace: LLCNetb2.cap (new)

Exercise: Observing LLC Traffic (new)

This section is now called Optional Technologies.

Time: The LLC section has 2 hours of material in it if a student asks for it.

It is not expected you will need to cover this very often.

Please remember this instructor guide is a living document. It is not
complete to start and is intended to grow with time. Add to your
own copy as you gain experience. Please e-mail suggestions to
the course Subject Matter Expert (SME) for future updates to the
course material.

Page 9 - 1
9-2
Contents

Logical Link Control (LLC) 9-3


10BASE-5 and 10BASE-2 Ethernet 9-23
Exponential Backoff Formula 9-31
Transmission Models 1 and 2 Details 9-32
The backoff time is an integral random multiple of the Slot Time.
0 is considered by some to be an integer, and some implementations do choose
0 constantly. It is rather rude: some chipsets will see the resulting transmission
not as a runt followed by a good frame, but as a single oversize frame, or may
not see the good frame at all. This is the basis of some of the accusations of the
Sniffer analyzer losing frames. Choosing 0, by the way, assumes that no one
else on the net is playing the same rude trick, or that everyone who is playing
that trick can sense a new frame at 1.6 instead of 9.6 bit times. It can cause
repeated collisions between the same two stations.


Slide Title: Contents

Important
Points to
Cover:

Page 9 - 2
9-3

Logical Link Control



Slide Title: Logical Link Control

LLC was designed by the IEEE 802.2 committee to provide
transparent connectivity between any IEEE-compliant LAN physical
layer to any upper-layer protocol. It does this by using Service
Access Points (SAPs) in the header to address the network layer
protocol.
Members of the IEEE pushed for more functionality, so 3 types of
data exchange were defined. (One more may be coming, according
to Radia Perlman in Interconnections, Bridges and Routers.)
LLC uses a subclass of the HDLC “superset” and is classified as
BA (Balanced links, Asynchronous balanced mode), with several
options on how to use the functional extensions.
It acts like HDLC, but is intended for a LAN.
It is independent of, yet utilized by, all the various media access
protocols defined by the 802 working group.

Page 9 - 3
9-4
Objectives

Upon completion of this section, you will be able to:

• Explain the three types of LLC connections and when
each one is used
• Know the purpose of the LLC frames and when they
are used
• Follow a connection-oriented LLC conversation from
setup through data exchange and shutdown


Slide Title: Objectives


Review the objectives.

Page 9 - 4
9-5
Logical Link Control

IEEE 802.2

[Diagram: the Data Link Layer divided into the LLC sublayer (upper) and the
MAC sublayer (lower)]

• Point to point data integrity
• Flow control
• Link maintenance
• Service access point addressing
• Connection oriented or connectionless services
• Functions independently of MAC layer

Many of these connection-oriented features of Type II LLC are found in reliable
Transport layer protocols like TCP.
The IEEE specifications refer to the frames as “Protocol Data Units” or PDUs.
The IEEE specifications refer to the frames as “Protocol Data Units” or PDUs.


Slide Title: Logical Link Control


Upper part of the Data Link Layer
Review the points on the slide.
IEEE 802.2
Upper half of the Data Link Layer
Lower half controls how the devices access the wire,
i.e., contention or token passing.

Page 9 - 5
9-6
802.2 Header Format

| 802.X Header | DSAP | SSAP | Control |
| MAC Sublayer | LLC Sublayer          |

DSAP: (1 byte) Destination Service Access Point;
receiving process at destination
SSAP: (1 byte) Source Service Access Point;
sending process in source
Control: (1 byte) Various control information (2
bytes for connection-oriented LLC)

• The control field used in type 1 datagrams is always one byte long.
• The control field can use one or two bytes for LLC type 2.


Slide Title: 802.2 Header Format


Header fields:
DSAP: (1 byte) Destination Service Access Point;
receiving process at destination.
Least significant bit is Individual or Group
Address indicator.
SSAP: (1 byte) Source Service Access Point; sending
process in source.
Least significant bit is the command or response
indicator. 0 = command, 1 = response.
Analogy: Post Office Box: Frame is addressed with the SAP
number (PO Box number). The Physical layer (post office) places
the frame in the appropriate buffer (box). Protocol listening (postal
customer) retrieves the frame from its box.
Alternate: A numbered hole in the ceiling. The protocol above
looks for frames at its assigned hole.
The SAP numbers are reserved for IEEE and ISO protocols.
8 bits is not nearly long enough to define the number of protocols.
The numbers were assigned on a first-come, first-served basis
following strict rules for the types of organizations and protocols
that may have a SAP number.
To make things even worse, two of the 8 bits are reserved for other
uses, so the field is actually only 6 bits long!
Control: (1 byte) Various control information
(2 bytes for connection-oriented LLC)
The control field byte(s) are very complex, with the different types
of functions having different bit meanings. No attempt has been
made here to delineate all the various frame headers, since the
Sniffer analyzer decodes them.

Page 9 - 6
9-7
LLC Service Access Points (SAP)

Name      SAP (hex)        Description
BPDU      42               Bridge Protocol Data Units
Banyan    BC               Banyan VINES
IBM_NM    F4               IBM Network Management
IP        06               Internet Protocol
ISO       FE               International Standards Organization
NetBIOS   F0               Network Basic I/O System
Novell    E0               Novell (NetWare)
SNA       04, 05, 08, 0C   Systems Network Architecture
SNAP      AA               SubNetwork Access Protocol
Global    FF               Broadcast
Null      00               IBM SAP Negotiation

• SAPs are a pass-through between any IEEE-compliant physical layer and any
upper-layer protocol.
• 00 is a Null SAP. Only real use at this time is by IBM which forces SAP
negotiation for connection to 3745s. This is the only SAP initially active on a
3745 so the initial request must be addressed to the Null SAP.


Slide Title: LLC Service Access Points (SAP)


Just mention quickly. This is for their reference.

Page 9 - 7
9-8
SNAP Header Format

SubNetwork Access Protocol (SNAP) provides a standard
way of encapsulating upper-layer protocols on IEEE 802
networks

| 802.X Header | DSAP (AA for SNAP) | SSAP (AA for SNAP) | Control | Organization/Vendor Code (optional) | Type |
| MAC Sublayer | LLC Sublayer                                       | SNAP                                       |

Organization Code: (3 bytes) Identifies the vendor or manufacturer.
Same as vendor code in MAC layer address.
Often 0000 if Upper-Layer Protocol (ULP) did not change.
Type: (2 bytes) Identifies the ULP.
Same as Ethertype for protocols that came from the
Ethernet environment.

• The SNAP field allows version 2 Ethertype fields to be included in
IEEE-compliant frames.
• It also allows vendors to specify their "type" within the SNAP header.
• The vendor code is usually not supplied when the upper-layer protocol is
unchanged to run on SNAP instead of 802.X or Ethernet. For example, you
will see that TCP/IP implementations on SNAP do not supply the vendor
code.
• A nifty expression: “SNAP allows us to snap Ethertypes into 802.x
frames.”


Slide Title: SNAP Header Format


SNAP was added to enable non-IEEE protocols to be supported at
the LLC layer.
The vendor code and Type fields are “bought” by a vendor.
If they want to write their own proprietary protocols, they can use
their vendor code and the “type” that was assigned them in these
fields. Then stations will be able to feed the frames to the correct
upper-layer protocol. The problem arises when different vendors
implement the protocols differently, so there may be problems with
interconnectivity across vendor lines.
The most frequent use we see of the SNAP header is for Ethernet
version II Ethertypes to be included in an IEEE frame.

Page 9 - 8
9-9
LLC Functions

• Some protocols use LLC merely as a pass-through
header to carry data. All control of the connection is
handled by higher layers. The frames are Unnumbered
Information frames
• Other protocols use the additional functionality that
the IEEE provides
– LLC connection-oriented service at OSI layer 2 offers many of
the data integrity functions we expect to find at OSI layer 4 -
the transport layer
– The primary difference is that LLC deals with point-to-point
connections, whereas layer 4 protocols like TCP deal with
end-to-end connections


Slide Title: LLC Functions


Some protocols use LLC merely as a pass-through header to carry
data. Higher layers handle all control of the connection. The frames
are Unnumbered Information frames.
NetWare uses the LLC layer this way. The only reason LLC is there
is because it is using standard IEEE 802.5 frames that have the
LLC header. NetWare predates the IEEE specs, so the original
design was for non-IEEE compliant frames like ARCNET and
proprietary Ethernet. Neither of these has an LLC layer. The LLC
SAPs are used to identify this frame as a NetWare frame
(SAP = E0).

Other protocols use the additional functionality that the IEEE
provides. This is what we will cover here.
LLC connection-oriented service at OSI layer 2 offers many of the
data integrity functions we expect to find at OSI layer 4 - the
transport layer.
The primary difference is that LLC deals with point-to-point
connections, whereas layer 4 protocols like TCP deal with end-to-
end connections.

Page 9 - 9
9-10
LLC Frame Types

• Unnumbered frames:
– Establish link connections/disconnections
– Provide link maintenance and error recovery
– Provide connectionless (datagram) support
• Supervisory frame:
– Acknowledges frames received
– Requests retransmission of frame(s)
– Provides flow control
• Information frames:
– Transport user data and higher-layer
protocols
– Increment sequence numbers

• These frames are identified by bits in the LLC headers.
• There are many types of fields in LLC frames. Fortunately, the Sniffer
Network Analyzer knows all of them and decodes them in the Summary and
Detail windows for you, so we will not break them out here.


Slide Title: LLC Frame Types


Quickly go over the three types of frames and their purposes.
Mention that we will cover them in more detail in the following
pages.

Page 9 - 10
9-11
LLC Unnumbered Frame Types

Frame   Name                                      Type       Service
SABME   Set Asynchronous Balanced Mode Extended   Command    Connection Oriented
UA      Unnumbered Acknowledgment                 Response   Connection Oriented
DISC    Disconnect                                Command    Connection Oriented
DM      Disconnect Mode                           Response   Connection Oriented
FRMR    Frame Reject                              Response   Connection Oriented
XID     Exchange Identification                   Either     Connection or Connectionless
TEST    Test                                      Either     Connection or Connectionless
UI      Unnumbered Information                    Either     Connection or Connectionless

• SABME is used to set up a duplex connection, using a modulo 128 window.
• UA acknowledges a SABME or DISC message.
• DISC requests connection termination.
• DM is transmitted by the receiver of a DISC to let the other side know it has
received the DISC.
• FRMR indicates the receipt of an invalid frame.
• XID is used only with Type 1. An XID command from the transmitter informs
the receiver of the identity of the transmitter and which LLC types the
transmitter supports. A response is required to an XID command. It contains
the same information as the command.
• TEST also has command and response frames. The transmitter can send this
to see if the recipient can receive and return a packet. Data can be included
that the recipient must return in the response frame.
• Unnumbered Information frames are used for connection control and to carry
unsequenced data.


Slide Title: LLC Unnumbered Frame Types


Use the student notes to explain each type of unnumbered frame.

Page 9 - 11
9-12
LLC Supervisory Frames
(Type 2 - Connection oriented only)

RR    Receive Ready       Command/Response
RNR   Receive Not Ready   Command/Response
REJ   Reject              Command/Response

LLC Information Frame
(Type 2 - Connection oriented only)

I     Information         Command/Response

• Receive Ready is an acknowledgment frame. It contains a sequence number
of the frame it is next expecting to receive and indicates the receiver is ready
to receive more data.
• Receive Not Ready is an acknowledgment for previously received frames.
The “Next expect to Receive” sequence number (NR) is included in the RNR
frame. It also indicates that the receiver is temporarily busy and further
frames should not be transmitted until the busy station sends a receive ready
frame.
• REJect frames are sent when the receiver is requesting retransmission of
frames. The REJ frame includes the sequence number of the next frame it
expects. LLC rejects only once. If it doesn’t get an ACK, it starts polling with
RRs.
• Information frames are sequence numbered data frames.


Slide Title: LLC Supervisory Frames


These are for connection oriented delivery only.
Note that there are both command and response types.
RR Receive Ready Command/Response
RNR Receive Not Ready Command/Response
REJ REJect Command/Response
LLC rejects only once. When it doesn’t get an ACK, it starts polling
with Receiver Ready. (Hello? Are you still there?)
LLC Information Frame
Connection oriented only
I Information Command/Response
These carry the data and acknowledgments.
This is a building block for looking at the Sniffer analyzer displays.

Page 9 - 12
9-13
Type 1 Connectionless Services

[Diagram: Data Messages exchanged between the two stations]

To use the Post Office as an example:
It’s like mailing a letter

• No connection establishment is required.
• Type 1 supports point-to-point, multicast and broadcast communications.
• Messages are not sequenced.
• No flow control is provided.
• Delivery is not guaranteed.
• There is no retransmission on error.
• Sequential delivery is not guaranteed.
• Type 1 service is unreliable, but this is not a problem as long as an upper-
layer protocol can recover from the error.
• Higher layers are responsible for flow control, error recovery and reliability.
• Three types of frames are supported: Unnumbered Information (UI),
Exchange Identification (XID), and TEST. The control byte indicates the frame
type.


Slide Title: Type 1 Connectionless Services


This is just data transport.
No setup.
No acknowledgments.
No teardown.
No error correction.
No flow control.
Upper-layer protocols are responsible for these functions.
Frames are generally unnumbered information frames.

Page 9 - 13
9-14
Type 2 Connection Oriented Service

[Diagram, in order: Session Setup, ACK, Sequenced Data Messages,
Disconnect, ACK]

Like making a telephone call: The end-to-end connection is set up
before your conversation begins, then torn down when you hang up

• Type 2 is very similar to HDLC.
• Connection establishment and termination are required.
• Type 2 service provides a sequenced, acknowledged delivery of data.
• Each side of the connection maintains independent sequence numbers.
• Acknowledgments can be sent in separate frames or can be “piggy-backed”
onto data frames, making it capable of very efficient use of the wire.
• Error recovery processes are available.
• Type 2 uses sliding window flow control (modulo 128).
• Example: Sessions between IBM LAN Manager and IBM bridges make use
of this connection type when they're talking to each other.
• Type 2 frames can use one or two byte control fields.
• Frames with a one byte control field are: Set Asynchronous Balanced Mode
Extended (SABME), DISConnect, Disconnected Mode, Frame Reject
(FRMR) and Unnumbered Acknowledgment (UA).
• Frames with a two byte control field are: Information, Receive Ready,
Receiver Not Ready and REJect.


Slide Title: Type 2 Connection Oriented Service


Based on HDLC
Sequence numbers are maintained by each side and
acknowledgments are sent based on the other side’s sequence
number.
Because acknowledgments can be “piggy-backed” on data frames,
it uses the wire efficiently.

Session Setup
ACK
Sequenced Data Messages
Disconnect
ACK

Frames will have either one or two byte control fields.
Example: Sessions between IBM LAN Manager and IBM
bridges make use of this connection type when they're talking to
each other.

Page 9 - 14
9-15
Type 2 Connection Setup

Workstation                Server
TEST (Optional)
TEST (Optional)
XID (Optional)
XID (Optional)
SABME P(oll)
UA F(inal)
RR NR=0 P
RR NR=0 F
I NS=0 NR=0
RR NR=1

Some upper-layer applications will send TEST frames to make sure both sides
can communicate.
They may follow with one or two pairs of XID frames to negotiate the type of
connection both can support.
The first frame that establishes the connection is the SABME. You can do a
Search for text on SABME to find the first instance of a connection being set up.
Once the connection is made, the data will be sequenced and acknowledged.
The Poll bit when set to a “1” forces the other side to respond.
The Final bit is set to a “1” in the response frame.


Slide Title: Type 2 Connection Setup


This slide was included to discuss how sessions are set up in
preparation for what they need to observe in the Sniffer Summary
window. It deliberately does not show the additional information on
the Summary line. It will be added later.
This slide has a “build” which will display one line per click.

Workstation Server
TEST (Optional)
TEST (Optional)
XID (Optional)
XID (Optional)

The above frames are application-dependent. If you turn All layers
on with no protocol filters set, you will see that the upper-layer
protocol may actually be starting this. SNA uses TEST and XID
frames to set up Physical Unit (PU) Allocations. They are also used
for Source Route bridging explorer frames.

This is the important part:

SABME P(oll)
UA F(inal)
RR NR=0 Poll
RR NR=0 Final
I NS=0 NR=0
RR NR=1

Discuss the play of the Poll and Final bits.
Poll means “Answer me.”
Final means “This is my answer to your poll.”

Page 9 - 15
9-16
Type 2 Connection Teardown

Workstation Server
DISC P
UA F*
DM
UA

Normal teardown can be started from either side in the
fashion described above.
If there is a problem with the sequence numbers, the side
detecting the problem will send a REJect and include the
sequence number it next expects to receive. If the other
side is able to back up and send that sequence numbered
frame, all is well. If the two sides cannot resynchronize,
one side will send the DISC to “hang up.” The other side
will then respond with a UA(optional)* or DM.

So what is the difference between a REJect and a DISConnect?
A REJect is sent when a problem occurs. The two sides will attempt to get
resynchronized. If that fails, they will DISConnect. You can look for this by doing
a Search for text on REJ, then follow through to see if they were able to roll
back to a point where they can move forward again.
A DISC is the normal conclusion of a connection. The first side will send the
DISC when it has completed its work. The other side responds with the
Disconnect Mode, indicating it is finished, too. A DISC will also be used when
one of the two stations determines that the efforts to resolve a problem are
fruitless and it needs to shut the connection down. Upper-layer protocols will
determine whether a new attempt is made to open a new connection.


Slide Title: Type 2 Connection Teardown


This slide is also preparation for what they will see in the Sniffer
analyzer.
This slide has a “build” which will reveal one line at a time.

Workstation Server
DISC P ---------->
<---------UA* F
<---------DM*
UA ---------->

DISC is used to shut down a connection for either a normal End of
Operation or upon the failure of a resynchronization effort.
REJ does not end the conversation. It is sent when a problem is
encountered. Attempts are made to back up to a point where
sequence numbers can be synchronized. The data exchange will
restart if synchronization is achieved; if not, then a DISC will be
sent to close the connection.
* This is according to the IEEE802.3 specification.

Page 9 - 16
9-17
FRMR vs. REJ

• FRMR is sent upon:
– Receipt of a frame with a data field that is not permitted
  • i.e., an unnumbered acknowledgment (UA) with data
– Receipt of an unsolicited Final (F) bit set to one
– Receipt of an unexpected UA
– Receipt of an unsupported frame type
– Receipt of an I frame that exceeds the established maximum
length
– Receipt of an invalid receive sequence number N(R)
– Receipt of an invalid send sequence number N(S)
• REJ is sent to:
– Request the resending of I frames starting with the frame
number N(R)

• Upon receipt of an FRMR a station should:
Send a SABME or DISC.
• Upon receipt of a REJ a station should:
Send the corresponding I frame as soon as it is available.
Resend any unacknowledged I frames.
• Behavior upon receipt of an invalid send sequence number varies:
If the data is within the receive window, then an REJ should be sent.
If the data is not within the receive window, then a FRMR should be sent.
The receive window size can be specified in an XID frame.

In the real world, we see more REJs than FRMRs. REJ is preferable because
the session doesn’t need to be re-established.


Slide Title: FRMR vs. REJect


Slide is self-explanatory.
Cover the student notes, also. This is an important concept to
understand when they troubleshoot an LLC problem.

Page 9 - 17
9-18
Type 3: Acknowledged Connectionless

[Diagram: Sequenced Data Messages / ACK]

• Connectionless service
• Guaranteed in-sequence delivery of data
• Uses stop and wait flow control

Like a conversation where one side is
saying “Uh huh,” “Yes,” “I see”

LLC Type 3 was developed primarily for process control applications over a
token bus, so it is very seldom seen today.


Slide Title: Type 3 Acknowledged Connectionless


This is here to complete the types of LLC connections.
As the student notes indicate, it was intended for process control
applications over a token bus (computer-aided car manufacture?)
and is seldom used today.
Don’t spend any time on this.

Page 9 - 18
9-19
Decoding LLC Connection-Oriented Frames

From Workstation   LLC C D=F0 S=F0 RR NR=0 P
    Command
    D=F0 Destination Service Access Point = F0 (NetBIOS)
    S=F0 Source Service Access Point = F0 (NetBIOS)
    RR Receive Ready
    NR=0 Frame Number Workstation expects to receive is 0
    Poll bit is on: Workstation expects a response from Server

From Server        LLC R D=F0 S=F0 RR NR=0 F
    Response
    D=F0 Destination Service Access Point = F0 (NetBIOS)
    S=F0 Source Service Access Point = F0 (NetBIOS)
    RR Receive Ready
    NR=0 Frame Number Server expects to receive is 0
    Final bit is on: Response to Workstation's Poll

From Workstation   LLC C D=F0 S=F0 I NR=0 NS=0
    (slide callout: Now sending 0)
    Command
    D=F0 Destination Service Access Point = F0 (NetBIOS)
    S=F0 Source Service Access Point = F0 (NetBIOS)
    Information frame: Higher layer data is included
    NR=0 Workstation is still expecting to receive frame 0 next
    NS=0 Workstation is sending frame number 0

From Server        LLC R D=F0 S=F0 I NR=1 NS=0 P
    (slide callout: Next expect to receive 1, now sending 0)
    Response
    D=F0 Destination Service Access Point = F0 (NetBIOS)
    S=F0 Source Service Access Point = F0 (NetBIOS)
    Information frame; higher layer data is included
    NR=1 Server expects to receive frame number 1 next
    NS=0 Server is sending frame number 0
    Poll bit is on: Server expects a response from Workstation

The easiest way to view LLC conversations is to set up a Station address
filter for the two communicating stations. Then turn on Two station format
in the Summary window. The top line is what you would see in the Summary
window.
In the first two frames, we see both ends of the logical connection advertise the
sequence numbered frame they expect to receive next (NR = Receive
sequence Number). These are also the initial frames.
In the third frame, the workstation issues the sequence numbered Information
frame the server expects (NS = Send sequence Number).
In the fourth frame, the server both acknowledges the workstation’s frame by
specifying the next frame it expects to receive (NR), and also sends the frame
the workstation asked for earlier (NS).
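
As an added illustration (not part of the course material and not Sniffer code), the following Python sketch decodes the DSAP, SSAP and control bytes into a summary line in the same style as the ones shown above. The control-field bit layout is taken from IEEE 802.2 rather than from this guide, the function names are hypothetical, and the sample byte strings are constructed.

```python
"""Decode IEEE 802.2 LLC headers into Sniffer-style summary lines."""

# SAP values from the course's reference table.
SAP_NAMES = {
    0x00: "Null", 0x04: "SNA", 0x05: "SNA", 0x06: "IP", 0x08: "SNA",
    0x0C: "SNA", 0x42: "BPDU", 0xAA: "SNAP", 0xBC: "Banyan",
    0xE0: "Novell", 0xF0: "NetBIOS", 0xF4: "IBM_NM", 0xFE: "ISO",
    0xFF: "Global",
}
# Unnumbered (U) control bytes with the Poll/Final bit (0x10) masked off.
U_FRAMES = {
    0x03: "UI", 0x0F: "DM", 0x43: "DISC", 0x63: "UA",
    0x6F: "SABME", 0x87: "FRMR", 0xAF: "XID", 0xE3: "TEST",
}
# Supervisory (S) function, read from the low nibble of the first control byte.
S_FRAMES = {0x01: "RR", 0x05: "RNR", 0x09: "REJ"}


def decode_llc(data):
    """Parse an LLC header (plus SNAP extension, if present).

    `data` starts at the DSAP byte, i.e. right after the 802.3 length field.
    """
    if len(data) < 3:
        raise ValueError("truncated LLC header")
    dsap, ssap, ctl = data[0], data[1], data[2]
    out = {
        "dsap": dsap,
        "ssap": ssap & 0xFE,             # SAP value without the C/R bit
        "sap_name": SAP_NAMES.get(dsap, "unknown"),
        "group": bool(dsap & 0x01),      # DSAP LSB: individual/group
        "response": bool(ssap & 0x01),   # SSAP LSB: 0 = command, 1 = response
    }
    if ctl & 0x03 == 0x03:
        # U format: a single control byte, P/F is bit 0x10.
        out.update(fmt="U", name=U_FRAMES.get(ctl & 0xEF, "U?"),
                   pf=bool(ctl & 0x10), hdr_len=3)
    else:
        # I and S formats: two control bytes; the second carries N(R) and P/F.
        if len(data) < 4:
            raise ValueError("truncated two-byte control field")
        ctl2 = data[3]
        out.update(pf=bool(ctl2 & 0x01), nr=ctl2 >> 1, hdr_len=4)
        if ctl & 0x01 == 0:
            out.update(fmt="I", name="I", ns=ctl >> 1)
        else:
            out.update(fmt="S", name=S_FRAMES.get(ctl & 0x0F, "S?"))
    # SNAP: both SAPs are AA and the frame is a UI; OUI and Type follow.
    if dsap == 0xAA and out["ssap"] == 0xAA and out["name"] == "UI":
        if len(data) < 8:
            raise ValueError("truncated SNAP header")
        out["oui"] = data[3:6].hex().upper()
        out["ethertype"] = int.from_bytes(data[6:8], "big")
        out["hdr_len"] = 8
    return out


def summary(data):
    """Render one summary line, e.g. 'LLC C D=F0 S=F0 RR NR=0 P'."""
    f = decode_llc(data)
    parts = ["LLC", "R" if f["response"] else "C",
             "D=%02X" % f["dsap"], "S=%02X" % f["ssap"], f["name"]]
    if "nr" in f:
        parts.append("NR=%d" % f["nr"])
    if "ns" in f:
        parts.append("NS=%d" % f["ns"])
    if f["pf"]:
        # The same bit is called Poll in a command and Final in a response.
        parts.append("F" if f["response"] else "P")
    if "ethertype" in f:
        parts.append("SNAP OUI=%s Type=%04X" % (f["oui"], f["ethertype"]))
    return " ".join(parts)


# Constructed sample headers (hex), not taken from any course trace file.
SAMPLES = [
    bytes.fromhex("f0f07f"),            # SABME command, Poll set
    bytes.fromhex("f0f173"),            # UA response, Final set
    bytes.fromhex("f0f00101"),          # RR command, NR=0, Poll set
    bytes.fromhex("f0f10101"),          # RR response, NR=0, Final set
    bytes.fromhex("f0f00000"),          # I command, NS=0, NR=0
    bytes.fromhex("f0f00904"),          # REJ command, NR=2
    bytes.fromhex("aaaa030000000800"),  # SNAP header carrying Ethertype 0800
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(raw.hex(), "->", summary(raw))
```
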


Slide Title: Decoding LLC Connection-Oriented Frames


This is the key page to explain what they will see in the Sniffer
analyzer’s Summary screen.
Emphasize that they should:
Set up a station address filter on the two sides.
Protocol filter on LLC (or enable All layers and leave all
protocols visible if they want to watch how the upper-layer
protocols are using LLC).
Use two-station format.

Presentation Idea: You may want to place a paper over the
screen and pull it down as you explain each field in the Summary
line. Because of the way this screen is constructed, a build could
not be created.

Page 9 - 19
9-20
Understanding LLC Frame Numbering

       Workstation      Server
 #     N(R)  N(S)       N(R)  N(S)
 1      0
 2                       0
 3      0     0
 4                       1     0
 5      1     1
 6                       2     1
 7                             2
 8                             3
 9      4

• Here we see a graphical representation of the first 4 frames. We are also
witnessing a “window of 1” because each “I(nformation)” frame is
“ACKnowledged” before the next is issued. If we assume that the
“piggy-backing” of an I frame onto the ACK continues, we will see frames 5 and 6.
• The server expands its window to 3, so we see 3 sequenced I frames
(NS=1,2,3) starting in frame 6 to frame 8, with the subsequent ACK (NR=4)
by the workstation in frame 9.
• Many times, upper-layer protocols start their sessions by setting up an LLC
connection first, then you can watch the middle layer set up connections until
the highest layer protocol establishes its connection. You may want to set a
protocol filter so you see just the LLC layer, or you may choose to enable All
layers so you can see the progression of the connections being established
at each layer.
• LLC can be set to efficiently use the wire. Data can be piggybacked on
the ACK frame from the server.


Slide Title: Understanding LLC Frame Numbering


Each side maintains separate sequence numbers.
As you explain this, use the terms “Now sending” and
“Next expect to receive” to help them make the link between the
NS and the NR.
This slide has a “build” that will display one line per click.
Frames 1 and 2 are the Receive Ready setup: each side tells the
other their first sequence number will be 0.
Frame 3 Workstation “Now sending” number 0, next expects to
receive 0.
Frame 4 Server “Now sending” number 0, next expects to receive
1. (In other words, I’m acknowledging I got frame 0.)
Frame 5 Workstation now sending frame 1, next expects to receive
frame 1 (acknowledges frame 0).
Frame 6 Server now sending frame 1, next expects to receive
frame 2 (acknowledges frame 1).
Frame 7-8 Server sends frames 2-3.
Frame 9 Workstation acknowledges frames 1 through 3 by saying
“I next expect 4.”
Question: If frame 7 (NS=2) becomes lost or is damaged and
the workstation receives frames 6 and 8 (NS=1 and NS=3), which
frame will the workstation ACK (NR=?)?
Answer: The workstation will ACK 2 (NR=2).
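
The question above can be replayed with a small receiver model. This is an added example, not part of the course material: it tracks the receiver's "next expect to receive" value modulo 128 and applies the REJ and FRMR rules as stated in the FRMR vs. REJ student notes. The class name, the action labels and the default window size are assumptions.

```python
MODULUS = 128  # Type 2 sequence numbers are modulo 128


class LlcReceiver:
    """Receive side of one Type 2 connection (hypothetical model)."""

    def __init__(self, window=7):
        self.vr = 0             # next N(S) we expect, sent back as N(R)
        self.window = window    # receive window size (assumed value)
        self.rej_sent = False   # LLC rejects only once per gap

    def on_i_frame(self, ns):
        """Process an I frame carrying N(S)=ns; return (action, N(R))."""
        if ns == self.vr:
            # In-sequence frame: accept it and advance.
            self.vr = (self.vr + 1) % MODULUS
            self.rej_sent = False
            return ("ACK", self.vr)
        if (ns - self.vr) % MODULUS < self.window:
            # Out of sequence but inside the receive window: ask for a
            # resend starting at N(R). Only one REJ is sent per gap.
            if self.rej_sent:
                return ("discard", self.vr)
            self.rej_sent = True
            return ("REJ", self.vr)
        # Outside the receive window: invalid N(S), frame reject.
        return ("FRMR", self.vr)


def replay(ns_values, window=7):
    """Feed a list of received N(S) values to a fresh receiver."""
    rx = LlcReceiver(window)
    return [rx.on_i_frame(ns) for ns in ns_values]


if __name__ == "__main__":
    # The server's I frames are NS=0,1,2,3; the frame with NS=2 is lost.
    for step in replay([0, 1, 3]):
        print(step)
    # After the REJ, the server backs up and resends from NS=2.
    print(replay([0, 1, 3, 2, 3])[-1])
```
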

Page 9 - 20
9-21
Common LLC Problems

• LLC is usually very reliable
• When problems happen the most
common reasons are:
– Connection reset
– Unsupported LLC frame types
– Flow control lockup
– Frame sequence retransmission
– Excessive length information field
– Expired timers
– Expired counters

• Connections get reset when one side stops responding or stops sending
correctly sequenced frames. We will see an example in the exercise.
• Unsupported LLC frame types and excessive length information fields
shouldn't happen if the implementation follows the LLC specification.
• Flow control lockup happens when a station continually sends Receive Not
Ready due to lack of buffers or other resource problems.
• Retransmissions may be happening because the sender's timer isn't set
correctly, and the sender isn't waiting long enough for acknowledgment.
Counters refer to how many times a station will retransmit. Timers and
counters are configurable.


Slide Title: Common LLC Problems


LLC is pretty reliable. When failures occur, look for:
Connection resets if the parameters were not negotiated properly.
Connection resets due to incorrect sequence numbers. They must
resend every frame after the error.
Unsupported frame types.
Flow control lockup - each one hears the other’s hold music.
Excessive length fields.
Buffer allocation problems causing RNR.
Adjust configuration file.
Short retransmission timers, which cause retransmissions.
Configure longer. Vendors may have configuration files that
override the driver’s timers.
Problems are frequently caused by device drivers.

Page 9 - 21
9-22
Exercises: Observing LLC (Ethernet)

Turn to the lab section to
complete this exercise


Slide Title: Exercises: Observing LLC (Ethernet)

This is a new exercise using a new trace file.
It is mostly FYI and pretty straightforward.
Practice it!

Page 9 - 22
9-23

10BASE5 and 10BASE2

Slide Title: 10BASE5 and 10BASE2


Important Points to Cover: Section Title Page.
Header page to show the components that the specifications were
built upon.

Even though we have placed this further in the back of the book
now, we cannot neglect it.

Page 9 - 23
9-24
10BASE2 and 5 Components
[Figure labels: 10BASE5 Thick Ethernet with a 50 Ohm Terminator at each end,
Ground, Transceiver, AUI cable; Repeater; 10BASE-T Hub, Unshielded Twisted
Pair, Network Interface Card (NIC); 10BASE2 Thin Ethernet with a 50 Ohm
Terminator at each end, Ground, Network Interface Cards (NICs)]

Transceiver: Used to physically and electrically attach DTE equipment to the
network.
Transceivers sense carrier and detect collisions. If a collision occurs, the
transceiver notifies the adapter by outputting a voltage on the collision
presence circuit. V2 Ethernet added SQE: the transceiver notifies the adapter
during the interframe gap time that it is capable of informing the adapter if
a collision occurs. With 802.3 specs, a transceiver provided a jabber latch.
There are three versions: Version 1 used with the early Ethernet
specification, Version 2 Ethernet (Heartbeat added), and the IEEE 802.3
version (changes to the AUI wiring). A transceiver can be built into the
Network Interface Controller (Card). This is used in 10BASE-T and 10BASE2.
A fourth type of transceiver is the Fiber Optic transceiver.
Repeaters: Used to extend the cable segment beyond the maximum segment
distance for the topology used. Repeaters are also used when changing from
one media type to another (that is, from thick to thin Ethernet).


Slide Title: 10BASE2 and 5 Components

Important Points to Cover:
Terminators remove the signal from the wire and prevent
reflections back onto the wire.

Thick Ethernet cable
  Color defines the place it is installed.
  Some give off noxious fumes, so they must be installed in
  plenums.
  Spec defines as a “bright color.”

Thin Ethernet (Cheaper net)

Transceivers
  External: Vampire tap into the thick cable or small box
  attached to the AUI connector of the adapter.
  Internal: On the card.

AUI Cable

NICs

Grounding rules
  Ground only one end of each segment to a good earth
  ground.

Repeater: Used to extend the signal and other functions.

Hub: Yes, they are used frequently today.
  This shows a way that they can be integrated into legacy
  environments.

10BASE5 Thick Ethernet

[Figure: a thick coax cable with a 50 Ω terminator at each end, a transceiver
attached to the cable, and an AUI cable running from the transceiver.]

• Maximum segment length = 500 meters
• Each end terminated with 50 ohm terminators
• Maximum number of attachments per segment = 100
• Maximum length of AUI cable = 50 meters*
• Minimum separation between attachments = 2.5 meters

The 2.5 m minimum separation makes sure that signal reflections, when they
occur (that is, the cable is unterminated), do not add up in phase, which
would probably blow the transceiver. The 500 meter segment does not need to be
made from a single length of cable. Cable sections can be joined together using
"N" type barrel connectors. The IEEE 802.3 specification recommends the
following when splicing thick cable:
1. Use cable sections from the same manufacturer and cable lot number, to
avoid impedance mismatch and other problems.
2. To minimize signal reflection problems, use segments that are lengths of
23.4 m, 70.2 m, and 117 m. Since these lengths are odd integral
multiples of a half wavelength in the cable at 5 MHz, reflections do
not have a high probability of adding in phase. (A 5 MHz signal is achieved
when the transceiver is outputting only alternating ones and zeros, as it
does with the preamble.)
*The maximum length of the AUI cables refers to transmission model one,
which we will discuss later.


Slide Title: 10BASE5 Thick Ethernet

Important Points to Cover: Slide and notes are adequate.

10BASE5 Components
[Figure: a thick coax cable with a 50 Ω terminator at one end and a 50 Ω
terminator to ground at the other. Transceivers on the cable connect by AUI
cables to a terminal server, a multi-port transceiver and a multi-port
repeater.]

A terminal server could be used to support RS-232 connected ASCII "dumb"
terminals to the Ethernet. CSMA/CD is done in the terminal server.
The Multi-Port Transceiver is also known as a Fan Out box, Delni, or a multi-tap.
It is a dumb wiring concentrator that connects multiple workstations using a
single tap in the thick Ethernet cable. CSMA/CD is done by the end stations.


Slide Title: 10BASE5 Components


Important Points to Cover: There are probably still some of these lurking in
older environments.

Signal Quality Error Test

[Figure: a transceiver containing the SQE TEST circuit, connected by an AUI
cable to a Network Interface Card (NIC).]

• SQE is used to test the collision presence circuit
• After successfully transmitting data, the Transceiver asserts the SQE
  signal on the collision presence circuit
• When the Network Interface Card sees the SQE signal asserted, it knows the
  Transceiver can inform the Network Interface Card when a collision does
  occur
• Not supported by Ethernet Version 1 equipment
• Turn off SQE on a transceiver attached to an AUI port on a repeater or
  repeating hub
• Transceivers that are integral to the NIC do not require SQE to test the
  AUI link between NIC and transceiver: the link is hard-wired

From 802.3: "At the conclusion of the output function, the Data Terminal
Equipment opens a time window during which it expects to see the SQE signal
asserted on the Control In (collision presence) circuit. The time window begins
when CARRIER_STATUS becomes CARRIER_OFF. The duration of the window
shall be at least 4.0 microseconds but no more than 8.0 microseconds. During
the window, the Carrier Sense Function is inhibited."
SQE should be turned off on transceivers connected to repeaters
because a repeater can't be inhibited for 4.0 microseconds. It may receive bits
on its other port and need to send them. Most people just turn SQE off because
it causes confusion when counting collisions. Some transceivers and network
management tools will count the SQE test as a collision (for example, the
Collision LED may be lit when the SQE test is asserted).


Slide Title: Signal Quality Error Test

Important Points to Cover: Turn SQE off on repeaters and hubs (that act as
repeaters).

Some manufacturers require that SQE be turned on for their cards
and Media Access Unit (MAU) combinations. (HP required this on
their cards. Present requirement is unknown.)

The specifications don’t say what the NIC card does if it expects
the SQE test and it doesn’t see it. It is probably driver-dependent
(that is, implementation-dependent).

It is important to note that this signal does not go out onto the
cable. It is a loop-back between the transmit side of the card,
looping through the MAU and back into the receive side of the card.
Many students talk about their collision counts going up when they
have SQE turned on. You need to ascertain if they are referring to
statistics gained by SNMP polls of the collision register on the card
(which may count these as collisions) or if they are seeing this on
cable statistics. If this is going out onto the cable, it is not obeying
IEEE rules.

Analyzing Coax Collisions

[Figure: three coax segments. The uppermost holds the second station at point
B (the point of collision) and Sniffer Pro 1; the middle one holds Station A
(the transmitting station) and Sniffer Pro 2; the lowermost holds Sniffer
Pro 3. Repeaters R2 and R3, joined by an 800 m fiber link, connect the upper
and middle segments, and repeater R1 connects the middle and lower segments.
Other labels: 450 m coax, 50 m AUI cables.]

Evidence of collision will arrive at station A ______ bytes into station A’s
transmission.

NAI enhanced drivers required to sense and capture collision frames.

Once you understand the concepts of signal propagation delay, you can begin to
apply them to perform more precise analysis of the collision frames you find in
your Sniffer Pro analyzer traces.
As shown in the diagram above, what you will see in the trace will depend upon:
1) The point of collision.
2) The location of the Sniffer Pro analyzer relative to the collision point.
The diagram shows one collision event. However, each of the three Sniffer Pro
analyzers will show different indications of the event. This fact is key to effective
troubleshooting.

All components are given in terms of their equivalent lengths in Thicknet coax
R1 = 231 m (10 bit times)
R2 and R3 pair = 231 m
50 m AUI segment = 59 m
800 m fiber segment = 933 m

Total equivalent Thicknet distance between points A & B


Slide Title: Analyzing Coax Collisions


This has been included in the student appendix.

This diagram should enable you to tie together three important concepts you have learned:
1. The propagation delay of a signal on different types of media (per How long is a bit)
2. How different Ethernet physical components react during a collision (station jam signal, hub jam, etc.)
3. How different Sniffers react to the same collision event.
The scenario is as follows: Station A starts a transmission. The transmission goes both ways towards
Sniffers 1 and 2, and towards Sniffer 3. Just before the leading bit of the preamble reaches the far end of
the uppermost Ethernet segment, the station near point B starts a transmission, causing a collision at Point
B. The following concepts will help you understand the scenario:
• The station at point B will be the first station to detect the collision; what will it do? (Send a 32-bit jam
signal.) Why? (To busy the wire and enable repeater R3 to detect evidence of the collision.) What is the
evidence? (2 signals on the same coaxial media—R3’s and the jam from station at point B.)
• Sniffer 1 will not show any evidence that a collision occurred (unless it’s a version that’s counting
preamble collisions). Why? (Because we don’t capture preamble collisions.)
• How repeaters R3 and R2 react to the collision when the jam signal reaches them. (R3 will begin to jam
96 bits back to R2; R2 will begin to jam 96 bits on the middle coaxial segment towards Station A.)
• What Station A has been doing during all this time. (Still transmitting its signal.) How much of Station
A’s signal has gotten out on the wire before the jam signal from R2 reaches it? Here is some of the
math to show the different propagation delays by differing types of media and repeaters:
Total equivalent Thicknet distance between points A & B:
59 + 450 + 59 + 231 + 59 + 933 + 59 + 59 + 450 = 2359 m
2359 m / 23.1 m per bit = 102 bits, or 12.75 bytes
• What will happen when the jam signal reaches Sniffer 2? (Because this is coaxial media, the
combination of Station A’s transmission and the 96-bit jam signal from R2 will cause the receive
function on Sniffer 2 to lose synchronization/clocking. When this happens, the Sniffer stops capturing
the frame and truncates it if enough of the frame – 2 bytes past the preamble – has been received.)
What sort of flag will be posted with this frame? (The “X” flag.)
• Major learning point: If someone hands you a trace file for analysis and you see the X flag posted on
truncated frames, you can say with a high degree of certainty that the trace was captured from coaxial
media!
• What will happen when Station A realizes that a collision has occurred? (Starts jamming 32 bits.) Has
this been a “legal” collision event? (Yes, because it has happened well before 64 bytes have left Station
A.)
• What does repeater R1 do when it sees evidence of the collision? (Starts jamming 96 bits onto the
lowermost Thicknet segment.) What causes R1 to sense the collision event? (The combined jam
signals from R2 and Station A.)
• What will be recorded on Sniffer 3? (Because the Sniffer was on a segment where only one signal—
the one from the lower half of R1—was being broadcast, the frame will appear similar to how it does on
Sniffer 2. However, the frame will not be truncated but will be followed by R1’s jam pattern of
alternating 1’s and 0’s, which will be translated to the hex values of AA’s or 55’s.) What flags will be
posted? (R and C, but certainly not an X flag.) How many bytes of AA’s and 55’s will be shown? (This
will depend upon what the vendor has implemented as the jam pattern; remember that 96 bits are a
minimum. Generally, it is safe to assume that you will see a value of 12 bytes, plus or minus 4.)
Major learning point: Because Sniffer 3 has been on the far side of a repeater for this event, this simulates
exactly what happens in 10baseT environments. In 10baseT shared environments, a station can only
receive direct evidence of collision if the hub sends a jam signal while that station is transmitting. And since
Sniffers don’t transmit, they have to use the jam pattern to deduce that a collision occurred somewhere.

10BASE2 Thin Ethernet

[Figure: an RG 58 cable with BNC tee connectors, a 50 Ω terminator at one end
and a 50 Ω terminator to ground at the other.]

• Maximum segment length = 185 meters
• Maximum number of attachments per segment = 30
• Minimum separation between stations = 0.5 meters

Thin Ethernet, at 0.18 inches in diameter, is also known as Cheapernet.


T connectors must be right at the network interface card. Adding additional
cable to go from the T to a network interface card is not permitted, though
people do it. This will suffice if you're not approaching length limitations, though
the signal will attenuate. The problem with this solution is that most people
forget to count it in their length considerations.

Drop cable not permitted!


Slide Title: 10BASE2 Thin Ethernet

Important Points to Cover: Again, focus on the termination rules.
Mention the drawing in their notes section.


Exponential Backoff
Transmission Models 1 and 2 Details

Slide Title: Exponential Backoff Transmission Models 1 and 2 Details

Important Points to Cover: Title page only.

Truncated Binary Exponential Backoff

• BackoffTime = RandomNumber multiplied by SlotTime
• SlotTime = time to propagate 512 bits (i.e., 51.2 µseconds)
• RandomNumber is greater than or equal to 0 and less than 2^n
• n = number of times it has tried for first 10 times or n = 10 for the
  11th through 16th try
• After 16 tries, report error to the upper-layer protocol

The backoff time is an integral random multiple of the Slot Time.
0 is considered by some to be an integer, and some implementations do choose
0 constantly. It is rather rude: some chipsets will see the resulting transmission
not as a runt followed by a good frame, but as a single oversize frame, or may
not see the good frame at all. This is the basis of some of the accusations of the
Sniffer analyzer losing frames. Choosing 0, by the way, assumes that no one
else on the net is playing the same rude trick, or that everyone who is playing
that trick can sense a new frame at 1.6 instead of 9.6 bit times. It can cause
repeated collisions between the same two stations.
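
The backoff rule on the slide and the "always choose 0" behaviour from the notes, replayed for two colliding stations. This is an added example, not part of the course material; the two-station contest model (smaller draw transmits first, equal draws collide again) is a simplifying assumption.

```python
import random

SLOT_TIME_US = 51.2     # time to propagate 512 bits at 10 Mbps (from the slide)
EXPONENT_CAP = 10       # n stops growing after the 10th try
ATTEMPT_LIMIT = 16      # after 16 tries the error goes to the upper layer


def compliant(collisions, rng):
    """Slots to wait after `collisions` failed tries: 0 <= r < 2^n."""
    n = min(collisions, EXPONENT_CAP)
    return rng.randrange(2 ** n)


def always_zero(collisions, rng):
    """The 'rude' behaviour described in the notes: never wait."""
    return 0


def max_backoff_us(collisions):
    """Longest wait a compliant station can draw after `collisions` tries."""
    return (2 ** min(collisions, EXPONENT_CAP) - 1) * SLOT_TIME_US


def contend(policy_a, policy_b, seed):
    """Stations A and B have just collided once; replay their retries.

    Assumption: the station with the smaller draw transmits first and the
    other defers on carrier sense; equal draws mean another collision.
    Returns (winner, collisions, idle_slots). winner is None when both
    stations reach the attempt limit and report an error upward.
    """
    rng = random.Random(seed)
    collisions, idle_slots = 1, 0
    while collisions < ATTEMPT_LIMIT:
        a = policy_a(collisions, rng)
        b = policy_b(collisions, rng)
        idle_slots += min(a, b)
        if a != b:
            return ("A" if a < b else "B"), collisions, idle_slots
        collisions += 1
    return None, collisions, idle_slots


def summarize(policy_a, policy_b, trials=2000):
    """Run many seeded contests; return (win counts, mean collisions)."""
    wins = {"A": 0, "B": 0, None: 0}
    total = 0
    for seed in range(trials):
        winner, collisions, _ = contend(policy_a, policy_b, seed)
        wins[winner] += 1
        total += collisions
    return wins, total / trials


if __name__ == "__main__":
    cases = [("compliant vs compliant", compliant, compliant),
             ("rude vs compliant", always_zero, compliant),
             ("rude vs rude", always_zero, always_zero)]
    for name, a, b in cases:
        wins, mean = summarize(a, b)
        print(f"{name:24s} wins={wins} mean collisions={mean:.2f}")
```

In this model a single station that always picks 0 never loses a contest to a compliant neighbour, and two such stations collide on every retry until both hit the 16-try limit.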


Slide Title: Truncated Binary Exponential Backoff

Important Points to Cover: The slide is self-explanatory.

New IEEE Maximum Topology Specs

• The maximum topology of a 10 Mbps baseband network is limited by two
  factors:
  – Round-trip collision delay
  – Interpacket gap shrinkage
• There are two methods, or “transmission models,” for calculating the
  round-trip collision delay (i.e., maximum copper and fiber lengths),
  according to the standard
  – Model 1 closely follows the 5-4-3 rule
  – Model 2 assigns a value to each type and length of copper or
    fiber media, which corresponds to a worst-case round-trip
    delay for the Ethernet signal

The new standards allow you to mix media types in your networks.
More details on these specifications are in the appendix.


Slide Title: New IEEE 802.3 Maximum Topology Specs

Important Points to Cover:
This presents the factors in the determination and states there are
two ways to calculate the maximum topology.

Factors:
Round-trip collision delay
Interpacket gap shrinkage

Models 1 and 2 detailed on the next pages.

Transmission Models 1 and 2

• 10 Mbps maximum topology rules
• Transmission Model 1 is the more conservative and restrictive of the two
  – It has the advantage of being validated to work with all
    vendors’ products
• Transmission Model 2 uses tables to calculate:
  – Round-trip delay times for all types of media
  – Interpacket gap shrinkage for multiple repeaters

Model two is more cumbersome than model 1, but has the advantage of
extending the topology farther.
It also more accurately reflects the types of distances found in real networks.


Slide Title: Transmission Models 1 and 2

Important Points to Cover: The slide is self-explanatory.

Transmission Model 1

• Closely matches the traditional “5-4-3 rule” of traditional Ethernet
  networks
  – FOIRL, 10baseFL, 10baseFB and 10baseFP links are included
  – AUI cables, if used, are restricted to 25 meters in length
  – The maximum allowable length of any inter-repeater fiber
    segment is restricted to 1000 meters (FOIRL, FL, and FB)
    • If all five segments are present, the maximum length of
      any fiber segment shall not exceed 500 meters
  – The maximum length for a fiber hub-to-station (repeater-to-DTE)
    drop is 400 meters in an Ethernet network that also
    contains a 1000-meter link segment
    • If fiber link segments are held to 500 meters, the
      maximum fiber hub-to-station drop is increased to 500
      meters

Since no vendors are known to manufacture to 10baseFP standards, we will not
consider 10baseFP in this course.
FOIRL = Fiber Optic Inter-Repeater Link
FP = Fiber Passive
FL = Fiber Link (replaces FOIRL)
FB = Specification for fiber with lower repeater delay that allows for longer
length


Slide Title: Transmission Model 1

Important Points to Cover: Most similar to 5-4-3.

AUI cables 25 meters maximum.

Maximum interrepeater fiber cable is 1000 meters, but if 5 are
used, then the maximum of each is reduced to 500 meters.

Add diagram here.

Model 2 Path Delay Value
• Model 2 assigns a value to each type and length of copper
  or fiber media, which corresponds to a worst-case round-trip
  delay for the Ethernet signal
  – The value also takes into account the repeater for any fiber or copper
    segment
• Starting from the point of highest variability in your network
  (call it the “left end”), calculate the length of each segment
  across repeaters to the farthest station on the network
  (called the “right end”)
  – Add the individual segment values to arrive at a total Path Delay
    Value, or PDV
  – The total should not exceed 572 bit times
  – The number of repeaters on any path may exceed the Model 1 limit
    of four

[Figure: five segments, Delay A through Delay E, joined in series by four
repeaters (R).]
PDV = A + B + C + D + E <= 572

The standards add an additional value of 5 to the Path Delay Value for a margin
of error.


Slide Title: Transmission Model 2 (Calculating Path Delay Value)

Important Points to Cover: Calculations are made using two types of variables:
Path Delay Values and Interpacket Gap Shrinkage. We’ll cover the first one
here and the second one on the next slide.

[Figure: segments A, B, C, D and E in series.]

Tables have been established that set delay for segments.
Delay values reflect the media type and repeater.
Total delay of A + B + C + D + E must be less than 572.
There may be no more than four repeaters.

Transmission Model 2
(Calculating Interpacket Gap Shrinkage)

• The distance (in bit times) in the gap between frames will decrease with
  each repeater in the path as repeaters regenerate the preambles of
  Ethernet frames
  – This limits the number of repeaters that can be installed on any
    given path on very short networks
• The calculation is made by adding the path variability values (or PVV)
  for each segment across repeaters that the signal must pass
  – The total value must not exceed 49 bit times

[Figure: segments PVV A, PVV B, PVV C and PVV D, each followed by a
repeater (R).]
PVV A + B + C + D <= 49 bit times

The starting point is called the transmitting end, the center segments are called
“mid-segments”.
The far end (“receive end”) across the last repeater is not taken into
consideration.
We will be using a network diagram in the next exercise to determine if it
passes the model 1 or 2 requirements.
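
A worked Model 2 check covering both calculations above, added here as an example and not part of the course material. The per-segment delay and variability figures are recalled from the IEEE 802.3 clause 13 tables and are an assumption to verify against the standard or the course appendix; the 572 and 49 bit-time limits and the 5-bit margin are the ones quoted on these slides, and the sample paths are constructed.

```python
# Round-trip delay in bit times: (left-end base, mid-segment base,
# right-end base, delay per metre). Assumed values, recalled from the
# IEEE 802.3 clause 13 segment delay table; verify before relying on them.
SEGMENT_DELAY = {
    "10BASE5":   (11.75, 46.5, 169.5, 0.0866),
    "10BASE2":   (11.75, 46.5, 169.5, 0.1026),
    "FOIRL":     (7.75, 29.0, 152.0, 0.1),
    "10BASE-T":  (15.25, 42.0, 165.0, 0.113),
    "10BASE-FL": (12.25, 33.5, 156.5, 0.1),
}
AUI_EXCESS_PER_M = 0.1026          # assumed, same source as the table above
# Path variability in bit times: (transmitting end, mid-segment). Assumed.
PVV = {"coax": (16.0, 11.0), "link": (10.5, 8.0)}
COAX = {"10BASE5", "10BASE2"}

PDV_LIMIT = 572    # limit quoted on the slide
PDV_MARGIN = 5     # margin quoted in the slide's notes
PVV_LIMIT = 49     # limit quoted on the slide


def segment_delay(kind, length_m, position):
    """Delay of one segment; position is 'left', 'mid' or 'right'."""
    bases = SEGMENT_DELAY[kind]
    base = bases[("left", "mid", "right").index(position)]
    return base + length_m * bases[3]


def path_delay_value(path, excess_aui_m=0.0):
    """Sum segment delays from the left end to the right end, plus margin."""
    if len(path) < 2:
        raise ValueError("a Model 2 path needs at least two segments")
    total = 0.0
    for i, (kind, length_m) in enumerate(path):
        position = "left" if i == 0 else "right" if i == len(path) - 1 else "mid"
        total += segment_delay(kind, length_m, position)
    return total + excess_aui_m * AUI_EXCESS_PER_M + PDV_MARGIN


def path_variability_value(path):
    """Sum PVVs from the transmitting end; the receive end is not counted."""
    total = 0.0
    for i, (kind, _) in enumerate(path[:-1]):
        tx_end, mid = PVV["coax" if kind in COAX else "link"]
        total += tx_end if i == 0 else mid
    return total


def check_path(path, excess_aui_m=0.0):
    """Evaluate a path in both directions and keep the worse result,
    because left-end and right-end values differ per media type."""
    reverse = path[::-1]
    pdv = max(path_delay_value(path, excess_aui_m),
              path_delay_value(reverse, excess_aui_m))
    pvv = max(path_variability_value(path), path_variability_value(reverse))
    return {"pdv": round(pdv, 3), "pvv": pvv,
            "pdv_ok": pdv <= PDV_LIMIT, "pvv_ok": pvv <= PVV_LIMIT}


# Constructed sample paths: (media type, length in metres), left to right.
MIXED_PATH = [("10BASE-T", 100), ("10BASE5", 500),
              ("10BASE-FL", 1000), ("10BASE-T", 100)]
SHORT_SIX_SEGMENT_PATH = [("10BASE2", 10)] * 6

if __name__ == "__main__":
    for name, path in [("mixed", MIXED_PATH), ("short", SHORT_SIX_SEGMENT_PATH)]:
        print(name, check_path(path))
```

The short six-segment path passes the delay check easily yet fails on gap shrinkage, which is the "very short networks" case the slide mentions.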


Slide Title: Transmission Model 2 (Calculating Interpacket Gap Shrinkage)

Important Points to Cover: Here is part two.

Repeaters shrink the interpacket gap as they regenerate the
preambles. Each successive repeater shortens it more.

This calculation is the deciding factor in how many repeaters can
be in a segment.

[Figure: segments A, B, C and D in series.]
pvv A + pvv B + pvv C + pvv D must be less than 49 bit times

Maximum Transmission Paths
Four Repeaters, Five Segments
Three Coax Segments
Two 10BaseT or Fiber Optic Links

[Figure: two DTEs, each attached through an AUI cable and a MAU, joined across
four repeaters. Links shown: 500 m 10Base5 or 185 m 10Base2 coax links, and
100 m 10BaseT or 500 m 10BaseFL links.]

The Version 2 specification explained the maximum topology slightly differently.

[Figure: two end stations joined by three coax segments of 500 meters maximum
each, a repeater, and a pair of fiber optic repeaters. AUI cables are 50
meters maximum.]

3 x 500 Meter coax cable segments      1500 meters
1 x 1000 Meter fiber optic link      + 1000 meters
6 x 50 Meter AUI cables              +  300 meters
Total distance between transmitting stations: 2800 meters

The fiber link is called FOIRL (Fiber Optic Inter-repeater Link).


You’ll often hear the maximum distance between two stations on an Ethernet
network is 2.8 kilometers. That number is derived by drawing the topology shown
above. The 2.8 kilometers limit is mentioned in the Ethernet Version 2 Blue Book
specification. It is not mentioned in 802.3. (802.3 has the picture from the
previous page.)
Note: the Ethernet maximum distance specification does abide by the newer
802.3 specification: the 2.8 Km limit is a special case of the general rules.


Slide Title: Maximum Transmission Paths

Important Points to Cover: Here is a graphic representation of allowable cable
lengths for various types of media.

Model 1 Max Transmission Paths
[Figure: two maximum-path examples built from repeater sets.
(1) 4 Repeaters, 5 links (1-Coax, 3-10BaseT and/or 2-Fiber Optic Links):
a 500m Coax 10Base5 Link, 500m Fiber Optic Links and 100m 10BaseT Links.
(2) 3 Repeaters, 4 link segments (2- 10BaseT and 2- 1 km Fiber Optic links):
1 km Fiber Optic Links, with AUI Cables to MAU and DTE.]


Slide Title: Model 1 Max Transmission Paths

Important Points to Cover: This is the first of two diagrams showing different
allowed maximum path configurations.

These diagrams are modified from the diagrams in section 13 of
the 802.3 spec. The 10Base FP sections were replaced with FL or
T since FP is not used in current networks.

The slide is complete.

Model 1 Max Transmission Paths
[Figure: two maximum-path examples built from repeater sets.
(1) 3 Repeaters, 4 link segments (1- 1 km 10BaseFB, 1- 1km FOIRL, 2- 400 m
10BaseFL): a 1 km FOIRL Link, a 1 km 10BaseFB Link and 400 m 10BaseFL Links,
with 25 m AUI Cables to MAU and DTE.
(2) 4 Repeaters, 5 link segments (2- 500m 10BaseFB, 1- 500m FOIRL, 2- 500m
10BaseFL): a 500m FOIRL Link, 500m 10BaseFB Links and 500 m 10BaseFL Links,
with 25 m AUI Cables to MAU and DTE.]


Slide Title: Model 1 Max Transmission Paths

Important Points to Cover: This is the second two of four diagrams showing
different allowed maximum path configurations.

The slide is complete.

Section 9 Ethernet Network Analysis and Troubleshooting

Helpful Information

List of Known Ethertypes
Ethernet Frame Type References
An explanation of the Analyzing Coax Collisions diagrams in the appendix
Recommended Reading List
Helpful WWW Links


List of Most Common Service Access Points (SAPs)


SAP Protocol Purpose Organization
00 Null XID or Text IEEE
02 LLC Individual Sublayer Management IEEE
03 LLC Group Sublayer Management IEEE
04 SNA Individual Path Control IBM
05 SNA Group Path Control IBM
06 IP IP SAP for TCP/IP DOD
08 SNA IBM
0C SNA IBM
0E IEC 955 PROWAY Network Management IEEE
10 IPX Novell
18 Texas Instr
20 CLNP Network Layer ISO
34 CLNP ISO
42 BPDU Spanning Tree Bridge Management IEEE
4E EIA RS-511 Manufacturing Message Service IEEE
7E ISO 8208 X.25 over 802.2 Type 2 LLC IEEE
80 XNS 3Com
86 Nestar
8E IEC 955 Active station list maintenance IEEE
98 Address Resolution Protocol (ARP) ARPANET
AA SNAP Subnetwork Access Protocol DOD
BC VIP Banyan
E0 IPX Network Layer Routing Novell
EC CLNP ISO
F0 NetBIOS IBM
F4 LM Individual IBM
F5 LM Group IBM
F8 Remote Program Load (RPL) IBM
FE Network Layer Protocol ISO
FF Global LSAP


List of Known Ethertypes


Ethertype Protocol Purpose Organization
0000-05EE None IEEE 802.3 Length Field IEEE
0000-05FF 802.5 IEEE 802.5 Length Field IEEE
0101-01FF PUP Xerox
0200 PUP Address Translation Xerox
0201 PUP Address Translation Xerox
0400 Nixdorf
0600 XNS IDP Xerox
0601 XNS Address Translation 3MB Only Xerox
0800 IP IP DOD
0801 X.25 Internet
0802 NBS Internet
0803 ECMA Internet
0804 CHAOSNet Texas Instr
0805 X.25 Level 3
0806 ARP For IP and CHAOS DOD
0807 XNS
081C Private Symbolics
0888-088A Debugger
0900 Address Translation UB
0A00 PUP Address Translation Xerox
0A01 PUP Xerox
0BAD VIP Banyan
1000 Trailer Negotiation Berkeley
1001-100F IP Trailer Block Encapsulation Berkeley
1600 Simnet Valid System Protocol BBN
4242 PCS Basic BI
5208 Simnet Private BBN
6000 Unassigned DEC
6001 MOP Dump Load Assistance DEC
6002 MOP Remote Console DEC
6003 Phase IV DRP Routing DEC
6004 LAT Local Area Transport DEC
6005 Diagnostics DEC
6006 User Protocol DEC
6007 LAVC System Communication Architecture DEC
6008-6009 Unassigned DEC
6010-6014 3Com
7000 Download UB
7001 NIU UB
7002 BootDiagLoop “Broadcast at Boot Stage, DL” UB
7020-7029 LRT
7030 Proteon
7034 Cabletron

8003 VLN Cronus
8004 Direct Cronus
8005 Probe Protocol HP
8006 Nestar
8008 Local Use AT&T Stanford
8010 Excelan
8013 Diagnostics SGI
8014 Network Games SGI
8015 SGI
8016 Stanford
8019 Bounce Server HP Apollo
802E Native Ethernet Tymshare
802F Tigan, Inc
8035 RARP DOD
8036 Aeonic Systems
8038 BPDU Spanning Tree Bridge Management DEC
8039 DSM/DTP DEC
803A Argonaut Con DEC
803B VAXLN DEC
803C Unassigned DEC
803D CSMA/CD Encryption DEC
803E DNA Time Service DEC
803F LAN Traffic Monitor DEC
8040 NetBIOS Emulator DEC
8041 LAST Local Area System Transport DEC
8042 Future Use DEC
8044 Plan Res Co
8046-8047 AT&T
8049 Expert Data
805B V Kernel Experimental Stanford
805C V Kernel Production Stanford
805D Evans & Suther
8060 Lt Machines
8062 Counterpoint
8065-8066 Univ of Mass
8067 Integrated Automation Veeco
8068 General Dynamics
8069 AT&T
806A Autophon
806C ComDesign
806D Compugraphic
806E-8077 Graphics Landmark

807A Matra
807B Data Elektronik Dansk
807C Merit
807D-807F Bridge, Router, WANManager Vitalink
8080 TranLAN III Management Vitalink
8081-8083 Counterpoint
8088-808A Xyplex
809B Ether-Talk Kinetics
809C-809E Datability
809F Spider
80A3 Nixdorf
80A4-80B3 Siemens
80C0-80C3 DCA
80C6 Pacer Software
80C7 Applitek Corp
80C8-80CC Intergraph Inc
80CD-80CE Harris/3M
80CF-80D3 Taylor
80D4 Rosemount
80D5 RT Distributed Services/DB IBM
80DD Varian
80DE Transparent Remote File System Integrated Systems
80DF Integrated Systems
80E0-80E3 Allen Bradley
80E4-80F0 Datability
80F2 Bridge Management Retix
80F3 AppleTalk Apple
80F4-80F5 AppleTalk Shiva
80F7 HP Apollo
80FF-8103 Bridge Management Wellfleet
8107-8109 Private Symbolics
8130 Waterloo
8131 VG Labs
8137-8138 NetWare IPX Novell
8139-813D KTI
9000 LAN Loopback DEC
9001 Bridge Comm. Management Xerox
9002 3Com
9003 3Com
FF00 Vital LAN Bridge cache wake BBN


Ethernet Frame Type References

Version 2 Frame

Bytes        Field
8            Preamble
6            Destination Address
6            Source Address
2            Ethertype
46 to 1500   Data – Padded to minimum frame length of 64 bytes
4            Frame Check Sequence (FCS)

IEEE 802.3 Frame

Bytes        Field
8            Preamble (7 bytes preamble, 1 byte of Start of Frame Delimiter)
6            Destination Address
6            Source Address
2            Length
1            Destination SAP (LLC)
1            Source SAP (LLC)
1-2          Control (LLC)
42 to 1497   Data – Padded to minimum length of 64 bytes
4            Frame Check Sequence (FCS)

New IEEE Frame

Bytes        Field
8            Preamble (7 bytes preamble, 1 byte of Start of Frame Delimiter)
6            Destination Address
6            Source Address
2            Type/Length
1            Destination SAP
1            Source SAP
42 to 1497   Data – Padded to minimum length of 64 bytes
4            Frame Check Sequence (FCS)

NetWare “Raw” Frame

Bytes        Field
8            Preamble
6            Destination Address
6            Source Address
2            Length
46 to 1500   FFFF followed by Data – Padded to minimum frame length of 64 bytes
4            Frame Check Sequence (FCS)

IEEE 802.3 SNAP Frame

Bytes        Field
8            Preamble (7 bytes preamble, 1 byte of Start of Frame Delimiter)
6            Destination Address
6            Source Address
2            Length
1            Destination SAP (LLC)
1            Source SAP (LLC)
2            Control (LLC)
3            Vendor Code (SNAP)
2            Type (SNAP)
38 to 1492   Data – Padded to minimum length of 64 bytes
4            Frame Check Sequence (FCS)


An explanation of the Analyzing Coax Collisions diagrams in the appendix

This diagram should enable you to tie together three important concepts you have learned:
1. The propagation delay of a signal on different types of media (per "How long is a bit")
2. How different Ethernet physical components react during a collision (station jam signal, hub jam,
etc.)
3. How different Sniffers react to the same collision event.
The scenario is as follows: Station A starts a transmission. The transmission goes both ways towards
Sniffers 1 and 2, and towards Sniffer 3. Just before the leading bit of the preamble reaches the far end of
the uppermost Ethernet segment, the station near point B starts a transmission, causing a collision at Point
B. The following concepts will help you understand the scenario:
• The station at point B will be the first station to detect the collision; what will it do? (Send a 32-bit jam
signal.) Why? (To busy the wire and enable repeater R3 to detect evidence of the collision.) What is the
evidence? (2 signals on the same coaxial media—R3’s and the jam from the station at point B.)
• Sniffer 1 will not show any evidence that a collision occurred (unless it’s a version that’s counting
preamble collisions). Why? (Because we don’t capture preamble collisions.)
• How repeaters R3 and R2 react to the collision when the jam signal reaches them. (R3 will begin to jam
96 bits back to R2; R2 will begin to jam 96 bits on the middle coaxial segment towards Station A.)
• What Station A has been doing during all this time. (Still transmitting its signal.) How much of Station
A’s signal has gotten out on the wire before the jam signal from R2 reaches it? Here is some of the
math to show the different propagation delays by differing types of media and repeaters:
Total equivalent Thicknet distance between points A & B:
59 + 450 + 59 + 231 + 59 + 933 + 59 + 59 + 450 = 2359 m
2359 m / 23.1 m per bit = 102 bits, or 12.75 bytes
• What will happen when the jam signal reaches Sniffer 2? (Because this is coaxial media, the
combination of Station A’s transmission and the 96-bit jam signal from R2 will cause the receive
function on Sniffer 2 to lose synchronization/clocking. When this happens, the Sniffer stops capturing
the frame and truncates it if enough of the frame – 2 bytes past the preamble – has been received.)
What sort of flag will be posted with this frame? (The “X” flag.)
• Major learning point: If someone hands you a trace file for analysis and you see the X flag posted on
truncated frames, you can say with a high degree of certainty that the trace was captured from coaxial
media!
• What will happen when Station A realizes that a collision has occurred? (Starts jamming 32 bits.) Has
this been a “legal” collision event? (Yes, because it has happened well before 64 bytes have left Station
A.)
• What does repeater R1 do when it sees evidence of the collision? (Starts jamming 96 bits onto the
lowermost Thicknet segment.) What causes R1 to sense the collision event? (The combined jam
signals from R2 and Station A.)
• What will be recorded on Sniffer 3? (Because the Sniffer was on a segment where only one signal—
the one from the lower half of R1—was being broadcast, the frame will appear similar to the way it does on
Sniffer 2. However, the frame will not be truncated but will be followed by R1’s jam pattern of
alternating 1’s and 0’s, which will be translated to the hex values of AA’s or 55’s.) What flags will be
posted? (R and C, but certainly not an X flag.) How many bytes of AA’s and 55’s will be shown? (This
will depend upon what the vendor has implemented as the jam pattern; remember that 96 bits are a
minimum. Generally, it is safe to assume that you will see a value of 12 bytes, plus or minus 4.)
Major learning point: Because Sniffer 3 has been on the far side of a repeater for this event, this simulates
exactly what happens in 10baseT environments. In 10baseT shared environments, a station can only
receive direct evidence of a collision if the hub sends a jam signal while that station is transmitting. And since
a Sniffer doesn’t transmit, it has to use the jam pattern to deduce that a collision occurred somewhere.


Recommended Reading List

Standards

IEEE Standard 802.3, 1998 Edition
This includes the contents of the 8802-3:1996 Edition plus IEEE standard 802-
3aa-1998, IEEE Standard 802-3r-1996, IEEE Standard 802.3u-1995, IEEE
Standard 802-3u-1995, IEEE Standard 802-3x and y-1997 and IEEE Standard
802-3z-1998.
1268 pages ISBN 0-7381-0330-6

Supplements to IEEE Standard 802-3-1998

802.3ac-1998 Frame Extensions for Virtual Bridged Local Area Network (VLAN)
Tagging on 802.3 networks 20 pages ISBN 0-7381-1421-9

802.3ab-1999 Physical Layer Parameters and Specifications for 1000 Mb/s
Operation over 4-Pair of Category 5 Balanced Copper Cabling, Type 1000BASE-T
144 pages ISBN 0-7381-1741-2

Approved draft 802-3ad-2000 Aggregation of Multiple Link Segments
184 pages ISBN 0-7381-2468-0

Books

Switched, Fast, and Gigabit Ethernet, Understanding, Building and Managing
High-Performance Ethernet Networks 3rd Edition 1999 618 pages Robert
Breyer and Sean Riley, Macmillan Technical Publishing ISBN 1-57870-073-6

Gigabit Ethernet, 1998 411 pages Rich Seifert, Addison Wesley
ISBN 0-201-18553-9

Fast Ethernet, Dawn of a New Network, 1996 310 pages Howard W. Johnson,
Prentice Hall ISBN 0-13-352643-7


Helpful WWW Links

http://www.sniffer.com
Sniffer Technologies website

http://www.Standards.ieee.org/
IEEE website

http://www.idg.net/metcalfe/
Bob Metcalfe’s website (the inventor of Ethernet)

http://www.ansi.org
ANSI website

http://www.iol.unh.edu
University of New Hampshire Interoperability Labs. Leaders in interoperability
testing for many new technologies. This site has links to tutorials.

http://www.gigabit.ethernet.org
The gigabit alliance website

http://www.tolly.com
Independent hardware testing and industry reports

http://www.nstl.com
National Software Test Lab – independent testing

http://www.global.his.com
Official supplier of IEEE and TIA/EIA standards documents – not free

Instructor Exercises

Sniffer University
TNV-202-GUI
4.0-OCT2000
________________________________________________
Ethernet Network Analysis and Troubleshooting

Table of Contents

Exercise Section 1: Which Frames Are on the Network?
Exercise Section 1: Isolating Frame Types with Pattern Matching (Optional)
Exercise Section 1: A Surprise at 23:00 (Optional)
Exercise Section 2: Comparing Ethernet Data
Exercise Section 3: Cable Specifications
Exercise Section 4: Hubports
Exercise Section 4: More Problems
Exercise Section 4: Test Your Skill
Exercise Section 4: Errors
Exercise Section 4: Evaluating Hub Jams
Exercise Section 4: Ethernet Physical Errors (Optional)
Exercise Section 5: Short Circuited Bridges
Exercise Section 5: Busy Jam
Exercise Section 5: Switch Traffic (Optional)
Exercise Section 6: Fast Ethernet Troubleshooting and Back Pressure
Exercise Section 6: Fast Ethernet Problems
Exercise Section 6: 10/100 Hubs
Exercise Section 8: Gigabit Traffic
Exercise Section 9: Observing LLC

A word of explanation about the formatting of the exercises

Choices you need to make in the menus or configuration windows are in bold.

When you are navigating through a series of steps, they have been shortened and separated
with a right arrow.

Example: Pull down the Monitor menu, choose Select Filter, click Select Filter becomes
Use Monitor > Select Filter > Select Filter.

As you work through the exercises, you will be opening a series of windows. When asked to
close many of them, Sniffer Pro will ask if you want to save them. Do not save the data
unless specifically instructed to save the data.

There are more exercises here than can be done in the allotted class time. The instructor will
choose exercises that meet the needs of the majority of the students in each class. All of the
trace files needed for these exercises are on the CD in your class manual. You may wish to
work on these independently if you finish your exercises early or do them outside of class
time.


Exercise Section 1: Which Frames Are on the Network?

Objective: Use data pattern filters based on frame formats to determine what frame types
are in use on the network and make sure no incompatibilities exist.

Procedure: Identify the most common frame format and then eliminate all frames of that type.
When they are gone, you will see what remains. Repeat this process until you
have identified all frame types present on the network.

1. Configure the analyzer then open the file:

a. Create a new Agent for this class called "TNV202": File > Select Settings... > New.
Name it TNV202 and choose the 10/100 Ethernet adapter. Don’t copy any settings. Click
OK twice.

b. Use Display > Display Setup > General to enable the Expert and Post Analysis tabs.
(They may already be enabled.) Click OK.

c. Set the agent to loopback with File > Loopback Mode.

d. Open the file C:\202GUI\Mixed_01.cap.

2. From the Expert, click on DLC layer Objects. There should be 35. The frame types for each
object (adapter) are shown in the Expert Detail panel on the lower right. Hint: on the Expert
Summary screen, identify the separator bar on the right. If you drag that up, you’ll see the
Objects listed in the upper right; highlighting each in the top right shows its details in the
lower right panel. Click the arrow on the top of the upper left window to enlarge the right
windows.
[Screenshot callouts: Separator bar; Expert Detail panel]

3. Observe the frame types shown for each adapter. How many different frame types (other
than broadcast and multicast) are shown?

Just 2 types, 802.3 and Ethertype. There are actually 3 frame types in this trace file:
one standard 802.3 frame with the LLC header and 10 “Raw” Ethernet frames.
Unfortunately, the Expert doesn’t distinguish between them.

4. Display the Decode windows and click the Monitor’s Protocol Distribution icon. We’ll
use this tool to determine the protocols on the network and their distribution. We’ll need to
generate the trace file once to see the protocols. Right-click over the Decode window and
choose Send Current Buffer and click OK to send the buffer 1 time.

5. Fill in the table on the next page as you answer the questions from the Protocol Distribution
view when the entire trace has been sent (wait until the counter on the lower right goes
blank).

a. With the MAC layer and Table view selected, which protocols are listed and how many
frames were sent for each protocol?


b. Look at the Pie Chart view and note the percentages of each protocol shown by clicking
on each slice (or look at the Bar Graph view and click on each bar to see the stats).

Protocol      DECnet   IP       IPX      IP_ARP   LAT     Others
# Packets     35       27       10       1        1       3
% of Total    45.45%   35.06%   12.99%   1.30%    1.30%   3.90%

You may want to mention that LAT is a part of DECnet, so the total is 36 packets and
46.75%.

6. Close the Protocol Distribution window. From the Decode display, we can get a quick
summary of frame types by using Display > Display Setup. On the Summary Display tab,
exclude All protocols in the lower window, and then click on Ethernet to enable it. You now
see which frames are version 2, but no differentiation is made between the rest. Highlight the
non-Ethertype frames, then look in the Detail panel and note the frame types you see.

Most are “raw”, but frame 75 is 802.3 with the LLC header. There are no SNAP frames.

7. To see which station is using each protocol, click the Matrix tab.

a. With the Traffic Map showing the MAC layer, click off all protocols except Other. Ctrl
click to select all those end station addresses with “Other” traffic, then press the Visual
filter icon to display only these frames. How many frames did you get? 2
What frame type(s) are they using?

Stations HP1 012BB4 and 090009012BB4 (multicast) are using 802.3 frames with
the LLC header (SAP FC); stations DECnet 00C8CC and broadcast are using
version 2 frames (Ethertype 0804 for Chaosnet).

b. Click back on the Matrix tab (this still reflects the original trace file with all the frames).
Now enable only the IPX stations in the Matrix Traffic Map view. Ctrl click on each IPX
address to select all of them, then press the Visual filter icon and display the frames.
How many frames are there?

10

Does this agree with the number you noted in the chart above?

Yes

Does the frame type match what you anticipated it would?

Yes, they are “raw” frames, typical of NetWare frames

c. We’ll use a similar process to determine the frame types the DECnet stations are using.
Click the Matrix tab. Enable only DECnet on the MAC layer of the Traffic Map. Looking
at the pattern of the frames on the traffic map, what do you observe?

Almost all of the traffic is to and from the level one router. Only two stations are
talking to each other.


CTRL click to select all DECnet addresses, then filter them into a new window. How
many frames do you have?

35

Use Display > Display Setup > Summary Display to exclude none of the protocols.
What information is being sent?

Most are Router hellos, end node hellos and route advertisements. Only one (frame
40) carries NSP data between 51.4 and 51.30.

What frame type does DECnet use?

Version 2.

d. Last, let’s look at the IP traffic. We’ll use a protocol filter to see those frames. Start
with the Decode tab with 77 frames (this is the original unfiltered trace file).

e. Right click over the Summary window, choose Define Filter, then create a new profile
called IP using Profiles > New > name = IP, copy the Default filter. Click OK, then Done.

f. Now click the Advanced tab and enable only the IP and IP ARP protocols, click OK.

g. Right click over the Summary window and use Select filter to choose the IP filter. How
many frames did you get in the new window?

28

What version frames are they?

Version 2.

This is a fairly quick way of seeing what frames are on your network. The traffic map is
especially useful to see IP local router situations. If you see a lot of frames going to a router
when they should stay local, you need to look for local router diagnoses in the Expert.

In a NetWare environment, you normally see most of the client traffic going to the servers,
since it is a client-server environment. If you see a lot of traffic between servers, investigate
to see if a server is being used to forward frames that are not compatible with the intended
server’s configuration.

If you are migrating from an IPX-based network to NetWare 5 on IP and are using an
intermediate server to forward the frames to the new server, this is a normal phenomenon.
This should be an interim short-term solution, since the traffic is doubled with that
configuration.

8. Close the window. Do not go on to the next exercise.


Exercise Section 1: Isolating Frame Types with Pattern Matching (Optional)

Objective: Determine what frame formats are in use on the network and make sure no
incompatibilities exist.

Procedure: Identify the most common frame format and then eliminate all frames of that type.
When they are gone, you will see what remains. Repeat this process until you
have identified all frame types present on the network.

1. You can also use pattern match filtering to eliminate frames based on data patterns. We'll
repeat this process until you have filtered most frame types present on the network. When
the frames you want to exclude are gone, you will see what remains.

Exit the Sniffer application, then start it again so your filtered tabs start at 1. Open the file
C:\202GUI\Mixed_01.cap.

2. Which frame format is being used in Frame 1?

Ethernet Version 2

3. Eliminate all frames using the Ethertype in Frame 1. We'll start a new profile and configure a
hexadecimal pattern match display filter. Highlight frame 1.

a. Look at the DLC header in the Detail window and note the Ethertype here:

6003

b. Use Display > Define Filter. Click Profiles > New and name it Pattern Match.

c. Copy Existing Profile = Default.

d. Click OK > Done.

e. Click the Data Pattern tab, click Add NOT, then Add Pattern (This window opens).


f. Make sure Pkt: 1 is displayed (If not, use the Previous button).

g. Click on Ethertype = 6003 (DECNET) in the DLC layer of the frame data.

h. Click Set Data. Note the pattern 60 03 is pasted in the data area above and the offset
field is updated to C.

FYI: If you wanted to do a different type of pattern match, you would need to click the
Format button and choose from Binary, ASCII, EBCDIC before pasting in the data. You
can paste up to 32 bytes of data for matching.

i. Click OK here, then OK on the Define Filter window.

4. That's a start, but the filter hasn't been applied yet. Let’s apply the filter now.

a. Right click in the display window, click Select Filter and select the Display Pattern
Match filter. Note: Data Pattern should read (NOT DLC: Ethertype = 6003[DECNET]).
Click OK.

b. You should have a new Filtered x window with a frame count in the title bar.

c. How many frames are there?

42

5. Note this new filtered window has maintained the original frame numbers. The window should
start with frame 3, a DNS OK status frame.

What frame format is being used in Frame 3?

V2

6. We’ll add this Ethertype to our filter to eliminate all frames with the Ethertype in the DNS OK
frame.

Write the Ethertype here:

0800

a. Display > Define Filter > Data Pattern tab.

b. Add NOT > Add Pattern.

c. Highlight DLC: Ethertype = 0800 (IP) then click on Set Data. 08 00 pastes in at C.

d. Then click OK. Your match should now look like this:

e. Hold your cursor over the AND line to see how the match has been built this far.
Click OK if it matches. Go back and fix it if it doesn't.


f. Right click in the Filtered x display window, click Select Filter > select the Display
Pattern Match filter. Click OK.

g. You should get a new Filtered x window with 15 frames that starts with a LAT change
node frame.

Is the LAT frame the same frame format as the previous frames?

Yes.

7. Eliminate all frames with the Ethertype in the LAT frame.

Write the Ethertype here:

6004

8. Repeat the same filtering process to eliminate this frame type:

a. Display > Define Filter > Data Pattern tab > Add NOT > Add Pattern.

b. Highlight Ethertype 6004 (DEC LAT), click on Set Data, then click OK.

c. Click OK to save the updated filter.

9. Display > Select Filter > select the Display Pattern Match filter again. Click OK.

How many frames are in the new Filtered x window that pops up?

14

a. What is the frame format in the NSAP frame?

Novell Raw.

b. What field can be used to filter this frame type?

IPX Checksum.

c. What is the hex pattern and offset used to perform this filter?

FFFF at offset 0E.

10. First, we'll create a filter to view only the Novell Raw frames then we'll change it so we
exclude these frames along with the previously excluded Ethertype frames.

a. Since we plan to filter out the Novell Raw frames in the last step, we'll start by adding a
NOT before we add the pattern as we did before.

b. Display > Define Filter > Data Pattern tab > Add NOT > Add Pattern.

c. Highlight IPX Checksum = 0xFFFF, click on Set Data, then click OK.

d. Before we finish, remember that we want to include all of the Novell Raw frames and
exclude all of the others. To make this happen, click on the NOT left of the IPX
Checksum entry so it turns to a solid red (the NOT disappears). Your match should now
look like this:


e. Click OK if it matches. Go back and fix it if it doesn't.

11. Display > Select Filter > select the Pattern Match filter again. Click OK.

How many frames are in the new Filtered x window that pops up?

10

12. Review the DLC header in each frame. These should all be 802.3 Raw frames.

13. Let's change our filter to exclude these frames and see what type of frames are left in the
trace.

a. Display > Define Filter > Data Pattern tab.

b. Enable the NOT above the IPX Checksum pattern by clicking on the red block.

c. Click OK when finished.

14. Now we need to apply this filter as we did before.

What do you think will happen if we apply the filter to this filtered window?

You'll get the error message "No frames matched the filter!" because this window only
contains the 802.3 Raw frames (all other frames were filtered out earlier).

a. Let's go back to our original trace window by clicking the Decode tab.

b. Display > Select Filter > select the Pattern Match filter again. Click OK. How many
frames are in the new Filtered 5 window that pops up? 4

15. You have now eliminated all Novell NetWare frames and enough Version 2 traffic so that you
can easily examine the remaining frames. Answer the following questions:

a. How many standard 802.3 frames (with only an LLC header) are there?

One - RPL Unknown

b. How many 802.3 SNAP frames are there? zero

c. How many Version 2 frames remain?

Three - ARP, LOOP Reply Receipt, Chaosnet

16. Close the window. Do not go on to the next exercise.


Exercise Section 1: A Surprise at 23:00 (Optional)

Objective: In the real world, you often encounter unexpected results. This exercise presents
an unexpected situation and asks you to describe your findings. Your instructor
will explain the technical background causing the situation AFTER you have
done the exercise. (We don't want to spoil the surprise!)

Instructor Note: You will want to omit this exercise, demo it, or do it with the class if
you have chosen not to do the previous optional pattern match filtering exercise. The
pattern match required here is not detailed in these steps since it was detailed in the
previous exercise.

1. Open the file C:\202GUI\Mixed_02.cap. Display the Decode view.

2. What is the frame format used in Frame 1?

802.3 Raw as evidenced by the 802.3 Length field and missing LLC header.

3. What field will you use to eliminate all these packets to see what else might be on this
network?

You will use the IPX Checksum field ('FFFF' pattern).

4. Create a new Data Pattern match called No Raw Frames to eliminate all frames using this
frame format. Select the filter.

5. Carefully study your results. Can you explain the 5 frames?

These frames DON'T GO AWAY! When you examine the HEX you will see the '1111'
padding bytes between the LENGTH field and the 'FFFF' checksum in the XNS Header.
Sniffer Pro assumes they are IPX and decodes them as IPX, posting a message in the
Detail window noting the incorrect IPX length field.

6. Close the window. Stop here. Do not proceed to the next exercise.

Instructor Note: Here's the story behind the problem:

These bytes were included when IBM, Sytek (the broadband vendor) and Novell built the
IBM Broadband/Ethernet bridge. Although we don't know exactly why Novell put them
there we do know that the request came from Novell. One speculation is that something
moved data in 4 byte words and the header, when padded from 14 to 16 bytes, provided 4
even 4-byte words. You will only encounter this in some obscure environments. The
exercise is intended to give the student an opportunity to encounter a strange situation
and make reasonable observations about it. (Think about a bridge set to filter FFFF!)
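
Added example, not part of the course material: a small Python sketch of the two pattern-match exercises above. It classifies frames by the Type/Length field at offset 0C and the bytes at offset 0E, applies the same NOT patterns, and shows why a frame with '1111' padding before the FFFF checksum survives the filter. All function names and sample frames are constructed for illustration, and the check for FFFF at offset 10 is an assumption based on the padding described in the instructor note.

```python
import struct

TYPE_LEN_OFFSET = 0x0C   # Ethertype (Version 2) or Length (802.3)
NEXT_OFFSET = 0x0E       # first byte after the 14-byte DLC header
MIN_ETHERTYPE = 0x0600   # Type/Length values from 0x0600 up are Ethertypes
MAX_LENGTH = 1500        # Type/Length values up to 1500 are 802.3 lengths


def pattern_match(frame, offset, pattern):
    """Data-pattern test: are the bytes at `offset` equal to `pattern`?"""
    return frame[offset:offset + len(pattern)] == pattern


def classify(frame):
    """Name the frame format from the Type/Length field and what follows it."""
    if len(frame) < NEXT_OFFSET + 4:
        return "too short"
    (type_len,) = struct.unpack_from("!H", frame, TYPE_LEN_OFFSET)
    if type_len >= MIN_ETHERTYPE:
        return "Version 2, Ethertype %04X" % type_len
    if type_len > MAX_LENGTH:
        return "invalid Type/Length %04X" % type_len
    if pattern_match(frame, NEXT_OFFSET, b"\xff\xff"):
        return "802.3 raw"            # IPX checksum directly after Length
    if pattern_match(frame, NEXT_OFFSET, b"\xaa\xaa"):
        return "802.3 SNAP"           # DSAP = SSAP = AA
    if pattern_match(frame, NEXT_OFFSET + 2, b"\xff\xff"):
        # Heuristic (assumption of this example): two pad bytes, then the checksum.
        return "802.3 raw, padded"
    return "802.3 LLC, DSAP %02X" % frame[NEXT_OFFSET]


def apply_not_filter(frames, excluded):
    """Keep frames that match none of the (offset, pattern) entries."""
    return [f for f in frames
            if not any(pattern_match(f, off, pat) for off, pat in excluded)]


def build(type_len, payload):
    """Constructed frame: made-up addresses, zero-padded to 60 bytes (64 less FCS)."""
    dst = bytes.fromhex("ffffffffffff")
    src = bytes.fromhex("020000000001")
    return (dst + src + struct.pack("!H", type_len) + payload).ljust(60, b"\x00")


def build_8023(payload):
    """Constructed 802.3 frame whose Length field is the payload length."""
    return build(len(payload), payload)


# Constructed IPX header: FFFF checksum, length 30, remaining fields zeroed.
IPX_HEADER = b"\xff\xff" + struct.pack("!H", 30) + bytes(26)

# Constructed sample frames, one per format discussed in the exercises.
SAMPLES = {
    "decnet": build(0x6003, bytes(46)),
    "ip": build(0x0800, bytes(46)),
    "lat": build(0x6004, bytes(46)),
    "arp": build(0x0806, bytes(46)),
    "raw": build_8023(IPX_HEADER),
    "llc": build_8023(b"\xfc\xfc\x03" + bytes(20)),
    "snap": build_8023(b"\xaa\xaa\x03\x00\x00\x00\x08\x00" + bytes(20)),
    "padded_raw": build_8023(b"\x11\x11" + IPX_HEADER),
}

# The NOT patterns built up in the pattern-matching exercise.
EXERCISE_FILTER = [
    (0x0C, b"\x60\x03"),   # NOT Ethertype 6003 (DECnet)
    (0x0C, b"\x08\x00"),   # NOT Ethertype 0800 (IP)
    (0x0C, b"\x60\x04"),   # NOT Ethertype 6004 (DEC LAT)
    (0x0E, b"\xff\xff"),   # NOT IPX checksum FFFF
]


def surviving_names(excluded=EXERCISE_FILTER):
    """Names of the sample frames left after the NOT filter is applied."""
    kept = apply_not_filter(list(SAMPLES.values()), excluded)
    return [name for name, frame in SAMPLES.items() if frame in kept]


if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        print("%-11s %s" % (name, classify(frame)))
    print("left after the NOT filter:", surviving_names())
```

The padded frame stays in the filtered set because its FFFF sits at offset 10, not 0E, which is the same reason a bridge or filter keyed on FFFF at a fixed offset would miss it.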


Exercise Section 2: Comparing Ethernet Data

Objective: To look at a series of trace files captured from different speeds of Ethernet data
and compare how they appear in the Decode windows. We’ll start at 10 Mbps
data and work to Gigabit. We are not going to do any type of response time
measurements; we’ll just look at the delta times between the frames to see how
quickly a station can get a frame into the network after the last frame completes.
We won’t look at any errors there may be, either. We’ll save that for later.

Background: The appropriate Sniffer Pro was connected to each of these networks and a file
was saved.

1. We’ll look at a 10 Mbps trace first. Open C:\202GUI\bcast.cap to the Decode window. This
is a trace where every device on the network responded to the RWHO in frame 1 about as
fast as they could get them onto the network. There are no physical errors to confuse the
timing, but there is one long pause we’ll ignore.

a. What is the range of Delta times between the ARP frames? (Ignore frame 20)

0.002.985 to 0.003.150 – about 3 milliseconds apart (frame 54 is about 4 ms)

b. Click the Statistics tab. What is the line speed shown here?

10 Mbps

2. Now let’s see what’s different in the 100 Mbps screens. Open C:\202GUI\100mbfile.caz to
the Decode window.

a. Click the Statistics tab. What is the line speed?

100 Mbps

b. What is the Delta time of frame 108, one of the shortest delta times?

0.000.161 = 161 microseconds, a good improvement.

3. Finally, we’ll look at some Gigabit data. Open C:\202GUI\GB.cap to the Decode window.

Instructor note: There are CRC errors and Code Violations (CV) errors in this trace. The
help screens give this definition: Gigabit Ethernet uses the 8B/10B transmission code
to map signals into 10-bit code groups. 8B/10B coding provides a set of 2^10 possible
code groups. A given 10-bit code group can be categorized as either legal, showing a
positive running disparity error, showing a negative running disparity error, or as an
illegal code group. The Sniffer Pro reports a code violation when it sees a code group
that is either illegal or that has a running disparity error as compared to the previous
code group. The students will look at the help screen in the Gigabit section exercise.

a. Click the Statistics tab. What is the line speed shown?

1000 Mbps


b. In the Decode view, what is the Delta time of frame 16, one of the shortest delta times in
this trace? (Expand the width of the Delta Time column to see the entire value.)

0.000.000.012 = 12 nanoseconds!

c. Note that an extra 3-digit column has been added to the Delta and Relative time columns
to compensate for this faster speed. It can measure down to 32 nanoseconds.

d. What is different about the Status column?

It shows [A] and [B] to indicate which channel captured the frame. The Fast
Ethernet Full Duplex pod captures show the [A] and [B] indicators, too.

4. This has been just a short comparison of what you see in the Sniffer windows. We hope it
points out that once you learn how to use the Sniffer for one speed, you can apply those
same techniques to looking at the other speeds. In the next sections we’ll give you more
specific information on how to look in different areas to help you analyze your traffic.

5. Close all the open windows. Do not go on until instructed.


Exercise Section 3: Cable Specifications


Objectives: Use Output from Sniffer Pro and a network map to:
1) Determine if the fact that the 5-4-3 rule was broken in this network design is
the "Cause" of the problem
2) Determine the round trip propagation delay for this network
3) Determine if the collisions are "Legal" or appropriate for this network design
4) Narrow the "Fault Domain" and determine the best place to start
troubleshooting this problem
5) Determine if there is a relationship between collisions and a LAN overload
symptom

Background: You have been called in to investigate problems on an Ethernet network that
was designed by someone else. As far as you can tell, the network looks like
the drawing below.
[Network map. Labels: 50 meters; Thin Ethernet RG 58 coax; ?? Coax; Node 1 WstDig178C41;
Node 2 WstDig96EC2C; Node 3; Bridge; six hubs; File Server COFFEE.1 WstDigFF965F; Sniffer]

Student note: Note that the picture is not complete. For example, there probably were other
stations on the thin Ethernet. The Sniffer analyzer was connected somewhere
near the end of the thin Ethernet. We don't know exactly what was on the other
side of the bridge shown on the left.

Originally the Sniffer analyzer was placed at the end of the topology and saw no
errors. In the actual trace, the Sniffer analyzer was traded with Node 3 and saw
errors. Node 3 was moved to the end of the topology and worked without
incident. Client addresses and the Server COFFEE.1 all exist off of Hub 1.

Instructor Note: Questions in step 13 have been changed to reflect the actual forwarding delay
of 15 bits on the Gandalf hubs. Please review them and be ready for new
numbers! Questions 14 and 15 have also been reworded with new assumptions.

1. Configure the Alarm settings.

a. Select Tools > Expert Options > Alarms tab.

b. Click on the + next to Global to expand it.

c. Under the LAN overload entry, notice the value of 50 (percent) as the threshold for LAN
Overload.


d. Click in the Lan Load field and change the value to 30 so we will be alerted when the
lower threshold is exceeded.

e. Click on the Apply button. Click OK to exit the Alarms.

f. When you change these settings for your own Sniffer, adjust the Dashboard settings,
too, so it will reflect the same thresholds.

g. Open the Dashboard, click the Set Thresholds… button. Change the Utilization(%)
High Threshold setting to 30. Click OK and note the red area on the Utilization dial now
starts at 30%. (This will have no effect unless we generate some traffic for the Dashboard
to monitor.) Close the Dashboard.

2. Open the file C:\202GUI\HUB6ARC.caz.

3. Click on Global Symptoms.

What are the symptoms?

LAN overload and Bad CRC

4. Let's take a closer look at these errors.

a. Click on the Objects tab on the upper right. (Drag the separator bar to the bottom if the
tab is not visible on the right.) Specific information about the condition should now
appear.

b. Click the icon to see the Expert Explain on the LAN Overload symptom. Read the
explanation of the problem and possible remedies. Close the Help window when done.

c. What is the First Time for the LAN Overload symptom?

16:36:56.765 (or 4:36:56:765 PM as it will show later)

d. What is the Duration of the symptom?

1s 436 ms (1.436 seconds) (4:36:56:765 + 1:436 = 4:37:492:765 PM end time)

e. What was the value recorded for Maximum and Average LAN Overloads?

35% Maximum, 11% Average

f. Record the stations involved.

4 stations: WstDig0A065A, WstDigFF965F, Gandlf100738, and WstDig178C41

g. Click the F7 key and observe the similar information on the Bad CRC symptom.

5. Click on the Summary tab to return to the Expert Overview window.

What are the symptoms at the DLC layer? What stations are involved?

Runt frames (2 stations: WstDigFF965F and Gandlf100738)


What are the diagnoses at the DLC layer? What stations are involved?

High rate of physical errors (3 stations: WstDigFF965F, WstDig96EC2C and
WstDig178C41)

Are any of the stations involved in the LAN Overload condition also reporting errors at the
DLC layer?

Yes, 2 out of 4 were involved in the DLC Diagnosis (WstDigFF965F and WstDig178C41
sent bad frames); 2 out of 4 were involved in the DLC Symptoms (WstDigFF965F and
Gandlf100738 sent or received Runt frames).

6. Press the Decode tab to display the data. Enable Relative time if the column is not visible.
What is the total time of this capture?

Only 11.201 seconds

7. In the next few steps we are going to try to determine what, if any, correlation exists between
the LAN Overload condition and the bad frames. This is a common approach used by
analysts when troubleshooting.

The questions one might ask are:

Are the bad frames the result of excessive collisions that will occur whenever utilization
on an Ethernet network starts to reach a critical state?

If so, with the topology involved, at what maximum point within a frame could one expect
damage to occur?

In this example, one simple way to begin to rule out a correlation is to look for bad frames
occurring at times when no LAN overload condition exists.

8. Referring to the time you recorded earlier for the start and duration of the LAN Overload,
let's use a filter to display only bad frames.

a. Select Display > Define Filter > Profiles > New. Name it allbadframes. Click OK and
Done…

b. Select the Advanced tab.

c. Disable Packet Type Normal, which will leave only problem frames enabled. Click OK.

d. Select the allbadframes display filter. Display > Select Filter > allbadframes > OK. A
new Filtered x window should open with 2503 frames.

9. Zoom in (F4) on the Summary window. We’re going to examine the Status column.

a. Enable the Summary Display Optional Fields, Status, Absolute Time and Bytes (Len)
by clicking on Display > Display Setup > Summary Display > Optional Fields. Click
OK.

b. What types of errors do you observe?

Lots of Alignments and Runts, 21 Collisions, 1 Fragment, and 11 CRCs

10. Scroll over to the far right-hand column and scan through the Absolute Time values.


a. Did most of the bad frames happen during the LAN Overload?

The bad frames were happening before the LAN Overload, during the LAN Overload,
and after the LAN Overload. (Expert shows military time, decode shows AM, PM)

b. In your judgement, are the bad frames the result of the LAN Overload condition?

The error frames are not just due to the network being busy.

c. If not, what else could be a cause of the bad frames?

The errors could be caused by signal reflections, noise, hardware problems,
propagation delay, etc. At this point we don’t know enough to isolate the problem.

11. Scan through the LEN (Bytes) column values. The Sniffer stops capturing a frame when a
collision causes the bits to no longer be recognizable.

With a network only 50 meters in length, would you expect to see collisions occurring so far
into the Ethernet frames?

No

12. We're now going to determine how far into the frames collision damage is occurring. To do
that, you will need to define and select a new display filter.

a. Display > Define Filter...

b. Create a New Profile called Collisions (copy the Default profile).

c. OK > Done.

d. Select the Advanced tab.

e. In the Packet Type text window, clear all of the boxes except for the Collision box.

f. Click OK to save the filter.

g. Display > Select Filter... When you select the Collisions filter, you should see a new
Filtered x window appear with 21 frames.

h. Zoom into the Summary window and observe the LEN (bytes) column.

What is the largest collision frame recorded?

11 bytes

13. With a network of six repeaters in series and a total cable distance of fifty meters between
end stations in the collision domain, do the collision frame sizes seem appropriate?

(Hint: each of these hubs adds about 15 bit times of latency to the network. Also, in 10BaseT
each bit is 17.7 meters long.)

To determine the answer to this question, let's calculate the round trip delay: (use the
Windows calculator if you like)


a. Cable latency in bit times = total distance / length of bit:

50 / 17.7 = 2.82 bits

b. Total Hub Latency in bit times = latency of each hub * number of hubs:

15 * 6 = 90 bits (/ 8 = 11.25 bytes)

c. Total Delay = cable latency + total hub latency:

2.8 + 90 = ~93 bits (/ 8 = 11.6 bytes)

d. Round trip latency = Total Delay * 2:

93 * 2 = 186 bits (23.2 bytes)

e. Subtract preamble (preamble is on the wire only):

186 bits – 64 bits = 122 bits (15 bytes)

f. Subtract CRC (CRC is on the wire only):

122 bits – 32 bits = 90 bits (11 bytes)

g. Total number of bytes displayed in the Sniffer:

90 bits/8 = approx. 11.25 bytes or > 11

h. Compare your calculations to what you’re seeing on the Sniffer Pro analyzer. Does your
worst case calculation concur?

The collisions (maximum of 11 Bytes) are “Legal” (appropriate) for this network
design. These collisions are also within 64 bytes, which is an IEEE "LEGAL"
collision.

14. Was the fact that the network broke the 5-4-3 rule the reason the collision is occurring so far
into the frame?

No, the network is only 50m or “3 bits” in length. The accumulated propagation delay
of the 6 hubs is what caused the collision to occur so far into the frame.

15. Will extending the length of each of the hub lengths to their maximum of 100m cause “late
collisions” that occur beyond the 64th byte mark in the frame?

Potentially yes.

16. In the next few steps, we are going to look at a conversation in the original trace file and
attempt to isolate the location of the problem on this LAN. Note that on the network diagram,
the Sniffer Pro is behind the suspect cable. Sniffer Pro will therefore see “error” frames from
this conversation that really do not exist due to the intermittent cable problem.

a. Select the Expert tab to return to the main file.

b. Click on the DLC Objects column.


c. Click on the WstDig96EC2C address in the Summary view to select it.

d. Click on the Display Filter icon to filter on this node, a new Filtered x window appears.

e. What are the errors noted in the Status column?

Mostly Alignment and a few Runt errors.

f. Notice that throughout the conversation between these two nodes, not one frame is
re-sent – even the runt frames!

g. Is this conversation operating normally?

It must be.

h. Apply your filter for Collision frames. Are there any collisions in the conversation
between these two nodes?

No

i. There are Runt frames in the trace file between these two nodes. What are they if not the
results of a collision? To find out, define a new filter for Runt frames only and select it.

j. How long are the frames?

All 56 bytes - could be an indication of a “partial reflection” but it is more like a
standing wave that can run the entire length of the cable after the node has
finished sending. True reflections occur BEFORE the 32nd byte in a frame. There
are no AAs or 55s in the frames, either, indicating it was a local collision on a coax
segment.

17. Based on the errors reported in the Sniffer, is the conversation working correctly?

No – (at the Sniffer end of the network).

18. Where is the "Fault Domain" and what is causing this problem?

The conversation is working correctly between the workstation and the server -- so
something is damaging the frames between the workstation and the Sniffer.

19. If you could physically inspect the cabling in the Fault Domain, you would notice a piece of
ARCnet cable (RG62) connecting a machine to the Thinnet (RG58) segment.

Could replacing bad cable correct physical layer errors?

Yes!

20. Close the trace file window.

21. Stop here. Do not proceed to the next exercise.


Exercise Section 4: Hubports

Objective: Use two related trace files to isolate the cause of physical errors on a 10BASE-T
network. Evaluate traces taken by the DOS Sniffer with Sniffer Pro.

Background: A user on a 10BASE-T network was experiencing intermittent problems. Other
users appeared to be working fine. Two DOS Sniffer analyzers were used to take
"simultaneous" traces. One trace (Hubport2) was taken at the user's work area
by disconnecting the drop cable at the back of the workstation and attaching it to
the Sniffer's RJ-45 port. The second trace (Hubport1) was taken at the 10BASE-T
hub that served the user's work area. (See the diagram below.)

We are going to show you how you can use a single Sniffer Pro to perform analysis and
comparison on two trace files.

[Network diagram: a 10BaseT hub. Hubport 1: Sniffer on known good port. Hubport 2: Sniffer on suspect port. Other labels: NetWare client Novell~FAA; NetWare File Server 3Com~704; NetWare Client 3Com~F91.]

Fact One: The user's PC was replaced by a Sniffer analyzer.

Fact Two: Another Sniffer analyzer is plugged into a known good port. Both Sniffer analyzers
were capturing simultaneously.

1. Evaluate the network diagram then proceed.

2. Think about different ways to approach isolating the source of the problem. What have you
come up with?

3. Use the Display menu > Display Setup..., disable the Expert tab.

4. Open the files C:\202GUI\Hubport1.cap and Hubport2.cap.

5. Use Window > Tile to display both files simultaneously and do a frame to frame comparison.

(Use the Ctrl-Tab keys to switch between the windows.)

6. How many frames are in the file Hubport1.cap? 71

Hubport2.cap? 75

7. These two trace files start at different frames because the captures could not be started at
exactly the same time. You will need to "align" the two trace files to start at the same frame.


Think about different ways to approach aligning the two trace files to start at the same packet
before continuing with the lab.

8. We're going to align the two trace files by examining the first frame in Hubport1.cap for a
unique string of data and then search for that string in Hubport2.cap.

a. In frame 1 of Hubport1.cap, notice the NCP read command ("Read 512 at 2812416").
The offset value (2812416) is the unique string we will use to align these trace files.

b. Ctrl-Tab to Hubport2.cap > click on frame 1 in the Summary window.

c. Use the Find Frame feature to find the first frame that matches this string:

- Right Click in the Summary window > Select Find Frame

- Choose Text tab

- Input the value of the offset (2812416)

- Search from = Summary text

- Search Direction = Down

d. Click OK.

9. What is the frame number in Hubport2.cap that matches Frame 1 of Hubport1.cap?

Frame 5

If the "found frame" in Hubport2.cap matches the first frame in Hubport1.cap, can we
assume that the rest of the trace will match as well?

If they were both set to capture without a filter, yes.

10. Since we have found a frame in Hubport2.cap that matches Frame 1 in Hubport1.cap, we
should be able to select all of the rest of the frames as well. If we select these frames as a
group, we should have a file that matches Hubport1.cap exactly. Let's give it a try:

a. Right Click in the Summary window of Hubport2.cap.

b. Click Select Range.

c. Choose Range, From = 5, To = 75.

d. Click Select.

Note: The boxes to the far left of frames 5 to the end of the trace should contain an X.

e. Right Click in the Summary view.

f. Click Save Selected.

A new window titled Snif(n) should appear (The “n” represents a number). The new
window should have 71 frames and be aligned frame for frame with Hubport1.cap. We
don’t need the Hubport2.cap file any longer so close it now.


11. Do a quick comparison of the first few frames to verify that the traces are aligned.

12. Choose Window menu > Tile so we can see parts of both windows.

13. The next thing we need to do is quickly search through each of the trace files to locate any
bad Ethernet frames. We'll use the Find Frame feature again:

a. Highlight the Snif(n) window, select Alt-F3 (the Find Frame window should pop up).
Choose the Status tab and select all frame error boxes under Trigger, then select OK.

b. Were any bad frames located? If so, write down the frame number(s) here:

Yes – Frame 40

c. Repeat the search until there are no other error frames.

14. Repeat the search process with the Hubport1.cap window.

a. Were any bad frames located here?

No

b. What could account for the differences in the traces?

One trace was captured from a known good port on the hub, the other was taken
from a suspect port.

15. While looking at the Hubport1.cap Summary view, use Display > Go to Frame, to go to the
frame number of the bad frame from the Snif(n) window (recorded in Step 13).

Compare the two frames in each of the windows. Have you gotten closer to isolating the
problem?

You should be able to see that the frame is damaged in one trace and is not in the
other. Think about the situation that might cause this to happen.

You may think the problem in frame 40 of HUBPORT2.cap was caused by a collision.
But if it were a collision, HUBPORT1.cap would have seen a damaged frame also. In
addition, if a collision had occurred, the NetWare client would have retransmitted the
data. But in HUBPORT1.cap, we can see that the client and the server seem to think
there was nothing wrong with frame 40. It seems that only the Sniffer analyzer on
hubport 2 saw a problem. In fact, that was the case: the port was bad. The hub took a
good frame off the backplane and output a bad frame at the bad port only.

16. Use Display > Display Setup and Enable the Expert tab on the General window and close
all open windows without saving.

17. Stop here. Do not proceed to the next exercise.
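
The alignment and frame-for-frame comparison from this exercise can also be scripted. The following is an added example, not part of the course material or of Sniffer Pro: the `Frame` record, the verdict names and the sample frames are constructed for illustration, and only the offset 2812416 is taken from the exercise.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Frame:
    summary: str       # decoded summary text, as in the Summary window
    data: bytes        # bytes the analyzer captured for this frame
    status: str = ""   # "" = normal frame, otherwise the analyzer's error flag


def align(reference, other, marker):
    """Return the index in `other` of the frame that matches reference[0].

    `marker` is a string unique to reference[0]'s summary. Like a downward
    Find Frame search from frame 1, the first hit in `other` is used.
    """
    if marker not in reference[0].summary:
        raise ValueError("marker does not occur in the first reference frame")
    for index, frame in enumerate(other):
        if marker in frame.summary:
            return index
    raise ValueError("marker not found in the second capture")


def compare_taps(reference, other, marker):
    """Pair the frames of two aligned captures and classify each mismatch.

    Returns (reference_frame_no, other_frame_no, verdict) tuples, 1-based.
    """
    start = align(reference, other, marker)
    findings = []
    for i, (ref, oth) in enumerate(zip(reference, other[start:])):
        if ref.status == oth.status and ref.data == oth.data:
            continue
        # A sender that lost a frame to a collision sends the same bytes again.
        resent = any(later.data == ref.data for later in reference[i + 1:])
        if ref.status and oth.status:
            verdict = "BOTH_TAPS"              # damage was on the shared medium
        elif ref.status:
            verdict = "FIRST_TAP_ONLY"         # damage local to the reference tap
        elif not oth.status:
            verdict = "MISALIGNED"             # both look healthy, bytes differ
        elif resent:
            verdict = "SECOND_TAP_AND_RESENT"  # the receiver missed it as well
        else:
            verdict = "SECOND_TAP_ONLY"        # suspect that port or drop cable
        findings.append((i + 1, start + i + 1, verdict))
    return findings


def exchange(offsets):
    """Constructed NCP-style read/reply pairs (not the course trace contents)."""
    frames = []
    for off in offsets:
        frames.append(Frame(f"NCP C Read 512 at {off}", f"read@{off}".encode()))
        frames.append(Frame("NCP R OK 512 bytes read", f"data@{off}".encode() * 4))
    return frames


# Capture at the known good port starts with the read at offset 2812416.
GOOD_PORT = exchange([2812416, 2812928, 2813440])

# Capture at the suspect port started two frames earlier; the reply that is
# frame 4 at the good port arrives truncated with a CRC error at this tap.
SUSPECT_PORT = exchange([2811904]) + GOOD_PORT
SUSPECT_PORT[5] = replace(GOOD_PORT[3], data=GOOD_PORT[3].data[:9], status="CRC")

if __name__ == "__main__":
    for ref_no, other_no, verdict in compare_taps(GOOD_PORT, SUSPECT_PORT, "2812416"):
        print(f"good-port frame {ref_no} / suspect-port frame {other_no}: {verdict}")
```

A frame that is damaged at only one tap and never re-sent points at that port or its drop cable, which is the conclusion the exercise reaches for frame 40.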


Exercise Section 4: More Problems

Objective: Evaluate and describe the traffic from a network that was experiencing problems.

1. Open the file C:\202GUI\BADCABLE.cap. What are the Expert diagnosis and symptoms at
the DLC layer? How many are there?

1 diagnosis - High rate of physical errors, 18 symptoms - Runt frame, DLC source
address multicast and DLC source address broadcast.

View the Decode window. How many frames are there in this trace?

The total number of frames is 79

2. Select the allbadframes display filter to show only error frames.

a. How many damaged frames are there in the Filtered x window?

56 frames

b. Based on the number of Runt, Alignment and Bad CRC frames, do you think there's a
problem?

Absolutely! 56 out of 79 frames in error is a 71% error rate. We'll discuss later
some of the “rules of thumb” for excessive damaged frames.

3. Scroll right in the Summary panel.

What is the range of the size (in bytes) of the damaged frames?

2 ~ 566 bytes

4. Evaluate the Delta times between some of the damaged frames.

Is there any consistency to the delta times?

No, it varies between .0001 and 1.9 seconds.

5. Look in the Hex window for evidence of hardware-related problems.

Do you think this is a hardware-related problem? How would you describe the damaged
frames?

Yes. Many of the longer damaged frames include more than 8 bytes of FFs.

6. What would you do next to fix this problem?

Consider using the binary search method to isolate the problem and identify where the
damage is occurring.

The problem here is that someone put his own plugs on UTP and incorrectly
connected the wire pairs so there was no Common Mode Rejection of noise. It might
as well have been flat satin wire. The FFFFs show that noise was affecting the traffic
and changing the 0 bits to 1s. Unfortunately, noise is not always so obvious and does
not always leave the telltale FFFFs.

7. Close the window.

8. Stop here. Do not proceed to the next exercise.


Exercise Section 4: Test Your Skill

Objective: To evaluate several different types of frame corruption.

Hint: Consider using the Sniffer Pro Ethernet Error Analysis table located before the
exercise slides in your student guide.

1. Configure the Display options to show DLC addresses in the Summary view

Display > Display Setup > Summary Display tab > disable Show Network Addresses

2. For each of the following files, write down the characteristics of the damaged frames (length,
any pattern present at the end of the frame, whether frame appears to be repeated, etc.) and
assess the probable type of frame corruption demonstrated in the trace. Assume that the
trace shows a representative sample of the error. Close each window when you’ve answered
the questions. Choose between:
• Normal collisions
• Propagation delay
• Reflected signals
• Electrical noise
• Hardware problems
a. C:\202GUI\01.cap

Sniffer Pro shows collision indication in the Status column. The Hex window shows
that the bad frame, Frame 2, is perfectly truncated at Byte 12, indicating that this trace
was taken from coaxial-based media. Frame 3 is most likely a retransmission of Frame
2.

Probable cause: Legal local coax collision. This trace came from a pulp and paper mill
where the thick and thinnet cables were occasionally run over by forklifts carrying a
large roll of paper. The steel pipe that was embedded in the grooved concrete floor (it
carried the coax) had become crushed over time. The problem always surfaced for a
moment whenever the forklifts ran over the crushed pipe containing the coax cable.

b. C:\202GUI\05.cap

(Note: For a detailed review of this trace file, please consult the document "trace file
addendum" located at the back of this manual.)

Legal and late collisions caused by a faulty (crushed) cable. Sniffer Pro shows frames
with collision indication in the Status column. Also, the Summary window indicates
that the collision on frames 4 and 6 occurred after 64 bytes. This is accurate, but on
these larger size frames it is difficult to tell if the frames have been truncated because
Sniffer Pro does not decode past the DLC layer. So we can't tell (from layer 3 info) how
big the frame was supposed to be unless we manually draw out the layer 3 details.
(Protocol forcing does not give us an option for the DECnet DRP protocol, only LAT.)


c. C:\202GUI\06.cap

Sniffer Pro shows frames with collision indication in the Status column.

All are small 24 byte frames. Contains DLC addresses, no pattern at end of frame.

Probable cause: If this were truly representative of the traffic, it's probably signal
reflection.

d. C:\202GUI\16.cap

Variable but small-sized frames. All have 11-12 bytes of 55s, representing hub/repeater
jam, appended to 43 bytes of data.

Probable cause: repeated collisions on a remote 10BASE-T network. They look like
reflections but cannot be. Remember, the majority of the signal moves towards the
termination and will not be reflected back. That means that in a full-size 32-byte
network, the collision can never be more than one-half the network – that’s 16 bytes
from the center to the unterminated end and 16 bytes back towards the sender headed
towards the termination. That’s 32 bytes total.

This is just a “lucky break”. The frames were selected to create the individual trace to
ensure the students learned to identify this pattern as hub jam, not reflection. It is
strictly coincidental that the collision occurs 55 bytes into the frame.

e. C:\202GUI\17.cap

Sniffer Pro indicates that frames 5 through 8 are damaged by collisions. Frame 7 and
frame 8 are late collisions, as indicated in the Summary and Expert views.

Four damaged frames come from same source. Frames 5 and 6 are truncated at byte
42. Frames 7 and 8 are truncated late at byte 86. Frames 7 and 8 are evidence of late
collisions combined with signal reflection. There are possibly multiple problems with
this network.

Probable cause, in order: Propagation delay, hardware, and signal reflection.

f. C:\202GUI\21.cap. (Be sure to look at frames 124, 178, 179 and 321.)

Sniffer Pro reports Alignment and CRC errors in the decode Status column.

The Expert doesn’t report any errors other than the Global CRC errors. This may seem
odd with so many problems in this trace. The answer is that the Expert builds the
object database from addresses seen in frames without CRC errors. Then, when it sees
what it knows is a valid address associated with a problem frame it reports the
Symptom/Diagnoses.

Since every frame in this trace has a CRC error, the Expert never builds the object
database, never learns the valid addresses and therefore has nothing to associate a
Symptom/Diagnoses with even though the addresses here are most likely valid – the
Expert would not have learned that.


If you need to demonstrate this, load FRAGS.cap. Select the allbadframes filter. You
will have a decode full of Alignment, Fragment and Runt frames. Select a few of one
kind and Save Selected. You will notice that Alignment and Fragment frames all have
CRC errors and the Expert will not learn about any DLC objects associated with those
frames. However, Runt frames do not have a CRC error and the Expert will learn about
those DLC objects.

Probable cause: Hardware, a jabbering NIC.

3. Close all open windows.

4. Use Display > Display Setup > Summary Display to reset the Display option to Show
Network Addresses.

5. Stop here. Do not proceed to the next exercise.


Exercise Section 4: Errors

Objective: Use filtering options to identify physical errors on an Ethernet Network.

Background: The NFS client pc150 [192.9.200.150] is experiencing problems communicating
with the NFS server natco-4 [192.9.200.203]. The client and server are
separated by a repeater.

1. Open the file C:\202GUI\FRAGS.cap. Click on the Decode tab and note the frame count.
How many frames?

1173

2. Let's investigate how many of the frames in this trace have been damaged in some way.
Apply the allbadframes filter to only show the bad frames.

a. How many frames are bad in the Filtered x window?

111

b. Does this seem to be a problem?

111 bad frames in 1173 is more than a 9% error rate. It certainly warrants more of an
investigation.

c. Return to the Decode tab to show the original entire trace.

3. Look at the detail of frame 1. This should be part of a conversation between [192.9.200.150]
pc150 and [192.9.200.203] natco-4. The subnet mask for these devices is 255.255.255.0.
Are they on the same or different subnets?

The same subnet.

4. Let's apply a filter to isolate this conversation.


a. Click on the Matrix tab. Change the view to IP and use Ctrl-click to highlight
[192.9.200.203] and [192.9.200.150].

b. Click on the Visual Filter icon to create the filter.

c. How many frames are in this new Filtered x window?

947

5. Now let’s analyze the conversation between these two stations. Right click on the current
Filtered x window and choose Create New Filtered Window. This will allow Expert analysis
of these frames. The new window should be named FilteredFramesx.cap.

a. Use the search function to find any frames that contain physical errors (or other
symptoms):

Display > Find Frame > Expert tab > Any symptom/diagnosis string > Down > OK.
Use F3 to repeat the search.


b. When a bad frame occurs, notice who is sending the frame and the C/R sequence. Does
the conversation recover after each error?

Yes, for error frames up to Frame 940. Starting with Frame 941 it does not recover.

c. Prior to frame 941, is [192.9.200.203] or [192.9.200.150] always receiving a bad frame?

Both are receiving bad frames. This would rule out a bad NIC card in one of the
nodes.

d. Repeat the process to find and analyze all of the error frames in this conversation. How
many symptom frames are there?

17 frames have symptoms, some are physical errors, others are NFS problems.

e. Apply the allbadframes filter to this trace to see how many frames contain physical
errors. How many frames do we see in the new filtered trace?

11

f. What types of physical errors are found in this display?

Alignment errors

g. Does the number of errors found here seem excessive?

11 errors in 947 frames equals slightly more than 1% errors. This does not seem to
be a problem.

h. Use F4 to zoom in the Hex window and look at the damaged frames. What do you notice
about the damage?

4 of the frames show 5555s. All frames are damaged beyond 64 bytes.

6. Can we draw any conclusions?

5555s are evidence of hardware problems or collisions. If they are collisions, they all
extend beyond 64 bytes and would be late or illegal collisions indicating a possible out
of spec network or propagation delay.

7. Press the Decode tab to return to the FilteredFramesx.cap display window with 947 frames.
GoTo Frame 943 and evaluate the conversation.

a. Does the conversation seem to continue normally at this point?

No, we see PC150 sending messages but Natco-4 never responds. The
conversation always recovered prior to frame 943.


b. What is the delta time between frames 941 and 943?

206.953.080 seconds!

c. What could cause this type of delay?

A number of problems or changes in the physical network could cause the network
to go down for this amount of time (over 3 minutes!), all of them caused by human
intervention.

8. Based on what we know now, draw a diagram of this network including the cabling, PC150
and Natco-4, the repeater, the Sniffer, and any other devices that you can identify. Use the
diagram to try and isolate the problem.

9. Close the windows without saving.

10. Stop here. Do not proceed to the next exercise.


Exercise Section 4: Evaluating Hub Jams

Objectives: Be able to recognize indications of a Hub/Repeater Jam by examining examples
taken from a live network.

Procedure: Open these trace files and answer the questions for each:

C:\202GUI\19.cap

C:\202GUI\20.cap

C:\202GUI\BAD03.cap

1. Open and evaluate the Expert information

There are no symptoms or diagnoses in any of these traces.

2. Press the Decode tab to display the frames.

3. What type of frame damage is present?

a. File 19.cap

Shows one Runt frame, 7 bytes in length with all AAAAs.

b. File 20.cap

Shows one Runt, 8 bytes long, all AAAAs.

c. File BAD03.cap

Shows two Runts, each 8 bytes long, with all 5555s.

Instructor Notes:
From the Hex view point out the characteristics of a hub jam as seen on the Sniffer
analyzer: 5555555s. May also see AAAAAAs. Hubs are repeaters. When they detect a
collision off of a port, they will jam and ensure at least 96 bits. The first 62 bits are
defined by IEEE to be 10101010...

Presumably the real preamble came from the sender of the frame. A collision occurred.
It was followed by the repeater's jam. The repeater jam is 96 bits. When we see 8 bytes
of AA or 55, we are seeing the first 64 bits of the jam. The remaining 32 bits are used by
the Sniffer Pro analyzer for the CRC check and thus are not visible.

4. Close all open windows.

5. Stop here. Do not proceed to the next exercise.
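
The byte patterns used in the exercises above (55s or AAs left by a hub jam, more than 8 bytes of FFs from noise, damage beyond 64 bytes) can be checked mechanically. This is an added example, not from the course or Sniffer Pro; the function and hint names, the 7-byte jam threshold (the shortest runt reported for 19.cap) and the sample frames are assumptions constructed for illustration.

```python
JAM_BYTES = (0x55, 0xAA)  # the 1010... jam pattern shows up as 55s or AAs
JAM_MIN_RUN = 7           # assumption: shortest jam runt in the exercise (7 bytes)
NOISE_MIN_RUN = 9         # "more than 8 bytes of FFs"
LEGAL_LIMIT = 64          # damage beyond 64 bytes is late


def longest_run(data, value):
    """Length of the longest run of `value` anywhere in the frame."""
    best = current = 0
    for byte in data:
        current = current + 1 if byte == value else 0
        best = max(best, current)
    return best


def trailing_jam(data):
    """Length of the run of identical 0x55 or 0xAA bytes that ends the frame."""
    if not data or data[-1] not in JAM_BYTES:
        return 0
    run = 0
    for byte in reversed(data):
        if byte != data[-1]:
            break
        run += 1
    return run


def triage(data, status=""):
    """Return pattern hints for one captured frame.

    `data` is the captured bytes; `status` is the analyzer's error flag
    ("" for a normal frame). Hints are starting points for the analyst,
    not a diagnosis.
    """
    hints = []
    if trailing_jam(data) >= JAM_MIN_RUN:
        hints.append("jam_pattern")
    # A broadcast destination is only 6 bytes of FF, so it stays below the
    # noise threshold and is not flagged.
    if longest_run(data, 0xFF) >= NOISE_MIN_RUN:
        hints.append("noise_ff")
    if status:
        hints.append("damage_beyond_64" if len(data) > LEGAL_LIMIT
                     else "damage_within_64")
    return hints


# Constructed sample frames (not taken from the course traces).
SAMPLES = {
    # 8-byte runt that is nothing but jam
    "runt_jam": (bytes([0xAA]) * 8, "Runt"),
    # 43 bytes of data with 12 bytes of 55s appended
    "jam_appended": (bytes(range(1, 44)) + b"\x55" * 12, "Collision"),
    # long frame with a 10-byte burst of FFs in the payload
    "noisy": (b"\xff" * 6 + bytes(range(60)) + b"\xff" * 10 + bytes(range(40)), "CRC"),
    # healthy broadcast frame: 6 FFs in the destination address only
    "broadcast_ok": (b"\xff" * 6 + bytes(range(58)), ""),
    # collision fragment cut off at byte 86
    "late": (b"\x11" * 86, "Collision"),
}

if __name__ == "__main__":
    for name, (data, status) in SAMPLES.items():
        print(f"{name:13s} len={len(data):3d} status={status or '-':9s} {triage(data, status)}")
```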


Exercise Section 4: Ethernet Physical Errors (Optional)

Objective: Determine whether apparent frame errors should be counted as part of overall
Network statistics.

Background: The parallel tasking feature of many Ethernet cards can throw off baseline
statistics unless you know what to look for.

1. Manually create address book entries for the two stations communicating in this trace. Assign
the name Server to 161.69.97.200 and Client to 161.69.97.202. Enable Show network
address in Display > Display Setup > Summary Display.

2. Open and display the trace file C:\202GUI\BADCRC.cap. Press the Decode tab to display
the data.

3. In Frame 1, we see Client (NGC 030B4D) issue an SMB Read command for 32 kb of data,
starting at offset 3964928 (00803c00h) for the file handle (F=) 1009.

4. Frames 2 and onwards show Server using NetBIOS to move 1460-byte blocks of data (over
a TCP connection) until the TCP window is filled and an acknowledgement is received. (Note
that the first block of data is 1456 bytes.)

a. What is unusual about frame 6?

Bad CRC

b. What is the frame length?

978 bytes

c. From the information within the IP header, what size frame did the IP stack on Server
indicate that it was sending to the DLC layer for encapsulation?

1500 bytes – a maximum size frame. The Sniffer also notes the frame was
retransmitted in frame 13, but the Summary window associates it with frame 14. Frame
13 is the retransmission looking at the hex data and the TCP sequence number.

5. Let's change our display to show only the TCP protocol information:

a. Display > Display Setup… > Summary Display tab.

b. Click on the All button on the bottom to exclude all protocols, then press T repeatedly
until you find Transmission Control Protocol. Uncheck the box for it, then click on OK.

c. You should now see only the TCP layer displayed.

d. Lastly, adjust the width of the Summary column in the main display to allow the ACK,
SEQ, LEN and WIN values to be displayed.
(Instructor Note: Note that the column will retain this length for all future trace files
until you change it again, or until you delete the Sniffer.INI file in your operating
system's configuration files directory.)


6. Examine the LEN= value in the Summary view for Frame 6. What is the value? 924 bytes

a. Look at the Len(Bytes) column in the Summary window. How many bytes are there in the
frame? 978 bytes

b. What is the IP total length? 1500 (Sniffer is showing the actual length of the data in
the Summary panel line rather than what was originally sent.)

7. What is the delta time between Frames 7 and 8? 323.6 milliseconds.

a. Does this appear consistent with the times for previous exchanges of data between these
two stations? No, it is much longer.

b. Frame 8 is a retransmission of which previous frame?

Frame 2, from the sequence number 60142096. (If you go back to frame 2, the Sniffer
tells you it was retransmitted in frame 8.)

c. Why is the Server retransmitting frames?

It did not receive an ACK from Client before the retransmit timer expired.

8. Look for the retransmitted frame that has the same SEQ number as frame 6 (the bad frame).

In which frame did you find it?

Frame 13 (The first line of the TCP header in frame 6 points us to frame 13)

9. To confirm that the communication continues normally, compare Client's next SMB Read in
Frame 38 with that of Frame 1. Is the Read 32KB further into file 1009? Look in the SMB
detail of this frame at “Starting offset.”

Yes, the next read is 32KB further into the file, 3997696.

10. We have just seen a scenario where a corrupted Ethernet frame causes the upper layer
protocol to time out and retransmit. Now, let's examine a scenario where things do not
proceed as we expect.

11. Close the trace file, in preparation to load a new one. Also, return to the Display Setup >
Summary Display tab, and click on the None button to clear all the protocol filters. Click OK.

12. Click on the Address Book icon on the main toolbar. Change the Server's address to
206.116.6.132, and the Client's address to 206.116.6.135.

When you have edited both stations, close the address book.

13. Open the trace file C:\202GUI\BADCRC-1.cap and click on the Decode tab to display the
frames.

14. In Frame 1 Client opens the file PRO40A1.TMP. In Frame 3 it issues a command to the
server of Write Block Raw 65520 bytes at offset 0 of the file. Then Client starts sending the
data using NetBIOS in frames 4 and 5. Frame 6 is a TCP Ack to frames 4 and 5.


15. Frame 7 shows Server's response to Client's write request in frame 3. Look in the SMB Write
Raw Data header. It indicates Server is ready to write the data Client will send. The Bytes
actually written shows 0, the bytes remaining to be read is 65535 (actually a little more
than the client said it would send.) Evidently it has not read the NetBIOS data sent in frames
4 and 5 yet.

16. In Frame 8 we see Client use NetBIOS to write another 1456 bytes of data.

17. Examine the Status and LENgth columns in the Summary view along with the Detail window
of Frame 9.

a. What kind of error does SnifferPro post against the frame? CRC error

b. What is the frame length? 516 bytes

c. What type of problem do we normally associate with this type of frame corruption?

Electrical noise

18. Now examine Frame 10. With the exception of the actual frame length, do Frames 9 and 10
appear to be the same? To be sure, compare the unique IP Identification fields, IP Length
fields, the unique TCP Sequence numbers and Hex ASCII data patterns.

Both Frames 9 and 10 are identical: same IP Identification fields (14342, incremented
by at least one for each frame sent), same IP Length fields of 1500 (although the first
frame contains considerably less than 1500 bytes), and same TCP Sequence numbers
(60550401). Even the TCP Checksum fields are the same, although the first frame
contains less data than the second frame, which means the Checksum must be
different as Sniffer analyzer points out (8722). The Hex data matches to the point of
corruption.

19. When a frame is damaged in transit that is not the result of a legal collision, the receiver will
request the SMB Write again. Does this occur?

No, Server does not request the write again in Frame 73. In fact, the client continues
onward, with Server's permission, in writing the next 64KB of data in Frame 75.

20. Now examine the Delta time between Frames 9 and 10.

a. How much time elapses between when Expert Sniffer Analyzer sees the beginning of
Frame 9 and when it sees the beginning of Frame 10?

1.6 ms elapses between Frames 9 and 10.

b. How is it possible that Client knew it had sent an undersized and error frame and
compensated by retransmitting it immediately?

Normally, it is impossible for a sender to know it transmitted a bad frame or that its
frame became damaged in transit and, subsequently, retransmit it immediately.
Normally, the receiver's transport layer protocol makes the decision to have the
original frame retransmitted properly, which may include repeating the entire write
process of all 64KB as we saw in the earlier example.


c. After reviewing a typical retransmission as in the earlier trace file, doesn't this seem more
like "magic" than a protocol with a structured retransmission mechanism at work?

Yes, this does defy convention and seems more like magic than normal
communication.

21. Use F8 repeatedly to advance to Frame 17. Use the same method to compare Frames 17
and 19. Does the earlier situation repeat itself or is this a different problem?

The situation repeats itself in Frames 17 & 19.

22. There is a general performance guideline for baselining that suggests a network segment
should have no more than one CRC error per MB of data seen "on the wire."

Do the cumulative physical errors exceed this guideline?

There are 2 physical errors, specifically CRC errors, for 153,902 bytes seen “on the
wire”. If 1 CRC error for 1MB of data = 100%, then 2 CRC errors for 154KB = 1,300%.
This exceeds the guideline substantially!

23. It may be difficult for us to speculate as to what is causing the CRC-error frames to be
retransmitted so quickly in the second trace file. In reality, it is the implementation of a
relatively new performance feature called “early transmit”. The frame is copied from the PC's
memory buffer directly to the network, instead of going through the NIC's memory buffer first.
Unfortunately, the PC in this trace file couldn't provide the data fast enough to the NIC card,
which was creating and transmitting the frame simultaneously. Subsequently, the first frame
was undersized and aborted. Fortunately, the entire frame was ready for transmittal the
second time, in both instances.

There are actually two scenarios that can cause this kind of problem. One scenario
involves incompatibilities between PCI-based personal computers and PCI-based
Ethernet NICs. Another scenario involves “early transmit.” This trace file deals with
“early transmit” of newer high performance NIC cards with “parallel tasking” or
“pipelining” features. This trace file came from a client and server using 100MHz
Pentium PCs with 64MB of RAM and 3COM 3C59x PCI-bus based Ethernet NICs.
Although the PCs were fast, the NIC was faster. (Note that an operating system and
concurrently executing applications can also bog down a fast PC so as to cause the
transmit underrun situation.) Periodically, the PC couldn't provide the data for an entire
frame before the NIC had sensed the 10BASET network was free and started sending
the frame it was creating “on the fly.” The result is a 516 byte frame instead of a 1514
(Sniffer analyzer interprets the last 4 bytes in an Ethernet frame as the CRC and
doesn't show them to us). SMC uses an Early Transmit Threshold (ETT) of 64 bytes
with an increment of 8 bytes for each transmit underrun situation. It appears as though
3COM uses an ETT of 516B.

24. Close all open windows.

25. Stop here. Do not proceed to the next exercise.
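
The comparison made by hand in steps 18 to 23, as an added Python example that is not part of the original course material or of Sniffer Pro. The frame records, field names, the 5 ms window and all values not quoted in the exercise are constructed assumptions; the check separates a sender-side early-transmit underrun (same IP Identification and TCP sequence number resent within milliseconds) from a loss recovered by the transport layer.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

DLC_HEADER = 14  # bytes; lengths exclude the 4-byte CRC, as the analyzer displays them


@dataclass
class Frame:
    no: int            # frame number in the trace
    t_ms: float        # relative time in milliseconds
    src: str           # sending station
    length: int        # frame length as displayed (no CRC)
    crc_error: bool
    ip_id: int         # IP Identification
    ip_total_len: int  # IP total length claimed by the sender's stack
    tcp_seq: int


Verdict = Tuple[str, Optional[int], Optional[float]]


def classify_crc_errors(frames: List[Frame],
                        nic_resend_ms: float = 5.0) -> Dict[int, Verdict]:
    """Map each CRC-error frame number to (verdict, recovering frame, gap in ms)."""
    verdicts: Dict[int, Verdict] = {}
    for i, bad in enumerate(frames):
        if not bad.crc_error:
            continue
        # Shorter on the wire than the IP header says it should be.
        truncated = bad.length < DLC_HEADER + bad.ip_total_len
        verdicts[bad.no] = ("unrecovered", None, None)
        for later in frames[i + 1:]:
            same_segment = later.src == bad.src and later.tcp_seq == bad.tcp_seq
            complete = later.length == DLC_HEADER + later.ip_total_len
            if later.crc_error or not same_segment or not complete:
                continue
            gap = round(later.t_ms - bad.t_ms, 3)
            # Same IP ID means the same datagram went out twice: the NIC resent
            # it. A TCP retransmission is a new datagram after a timer expires.
            if truncated and later.ip_id == bad.ip_id and gap <= nic_resend_ms:
                kind = "early-transmit underrun"
            else:
                kind = "transport retransmission"
            verdicts[bad.no] = (kind, later.no, gap)
            break
    return verdicts


def baseline_crc_errors(frames: List[Frame]) -> int:
    """CRC errors that belong in the segment baseline (underruns excluded)."""
    return sum(1 for kind, _, _ in classify_crc_errors(frames).values()
               if kind != "early-transmit underrun")


# Constructed records modelled on the first trace: frame 6 arrives short with a
# bad CRC and is recovered in frame 13 after the retransmit timer expires.
# Times, IP IDs and sequence numbers here are made up.
TRACE_A = [
    Frame(6, 6.0, "Server", 978, True, 7006, 1500, 5000),
    Frame(7, 7.2, "Server", 1514, False, 7007, 1500, 6460),
    Frame(8, 330.8, "Server", 1510, False, 7008, 1496, 1000),
    Frame(13, 336.5, "Server", 1514, False, 7013, 1500, 5000),
]

# Constructed records modelled on the second trace: frames 9 and 10 share IP ID
# 14342 and sequence number 60550401 and are 1.6 ms apart (values from the
# exercise); the times themselves and frame 8's fields are made up.
TRACE_B = [
    Frame(8, 10.0, "Client", 1510, False, 14341, 1496, 60548945),
    Frame(9, 11.4, "Client", 516, True, 14342, 1500, 60550401),
    Frame(10, 13.0, "Client", 1514, False, 14342, 1500, 60550401),
]

if __name__ == "__main__":
    for name, trace in (("A", TRACE_A), ("B", TRACE_B)):
        print(name, classify_crc_errors(trace), baseline_crc_errors(trace))
```
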


Exercise Section 5: Short Circuited Bridges

Objective: Evaluate the results of an incompatible implementation of Spanning Tree or
disabled Spanning Tree.

Background: The network was in its initial stages of development. There were very few actual
users connected at this time. New users were being added and the network
topology was changing. Not all bridges in use were managed bridges. The few
users that were connected were complaining of extremely slow response time
and sessions that were disconnecting. There were no problems with the physical
layer. The design of the network provided for redundant backup paths. Spanning
Tree would prevent the occurrence of network loops.
Instructor Note: This trace file was taken in a lab network. The bridges were buffering and
were doing 8:1 compression. The WAN links are true full-duplex.

[Figure: network diagram showing four bridges, two 192 Kb links, and the Sniffer Pro analyzer.]

1. Evaluate the network diagram, then proceed.

2. What should Spanning Tree accomplish in this network?

Spanning tree should disable one of the 192 Kb links.

3. Open the trace file C:\202GUI\SCBRIDGE.caz.

4. Select the DLC Objects. How many station (non-broadcast) addresses are displayed?

Only one (WstDigFD965F).

5. Select the Global Symptoms. Record the two symptoms displayed.

Broadcast / Multicast Storm and LAN overload.

6. Does this seem logical, given the number of devices detected by the Sniffer Pro?

Not really.

7. Press the Decode tab to display the Summary window.

8. What is the range of Delta times for the first 10 frames?

From .076 to .172 milliseconds.


9. Are all the frames the same size?

Yes. They are all 60 bytes.

10. Press the End key to go to the last frame of the trace. How many frames were captured?

12,406.

a. Observe the value in the Relative Time column.

How long did it take for all the frames to be captured by Sniffer Pro?

1.576 seconds.

11. What conclusions do you make?

Either that the adapter is streaming with the same frame or there is a bridging loop in
the network. In fact, this is indicative of a bridging loop. All the frames are copies of
the same frame endlessly circulating the network. If there had been more stations then
you would see two, maybe three stations at the maximum, transmitting.

12. If the speed of the bridged links was 10 Mbps instead of the two 192 Kbps links, what effect
do you think it would have on the utilization value?

Nearly 100%.

What would happen to the Delta times?

They would decrease to about half their current range values.

13. Close the window.

14. Stop here. Do not proceed to the next exercise.


Exercise Section 5: Busy Jam

Objective: Determine the cause of continued network slow downs.

Background: The network has been using hubs for some time. NetWare’s Pburst was recently
installed to improve the throughput when reading files from and writing files to the
file server. Due to the volume of complaints about network response time, a
switch was installed to give the file server the equivalent of its own 10 Mbps
Ethernet segment. Network performance was not improved.

[Figure: network diagram showing the Sniffer Pro, a switch, a hub, a 10 Mbps link, the NetWare server, and the NetWare clients.]

1. Evaluate the network diagram, then proceed.

2. Open the trace file C:\202GUI\BUSY-JAM.caz.

3. How many DLC addresses does Expert Overview display?

18

Instructor note: the DOS Sniffer showed 13. Sniffer Pro counts all stations receiving valid
frames as objects, even if they have not transmitted any frames.

4. Click on the number posted in the Global Symptoms column.

a. What symptom is posted?

LAN overload.

b. How long has this symptom been active?

10.096 seconds

c. Press the Decode tab. Using the value in the Relative Time column at the end of the
trace, can you determine if this symptom was occurring throughout the duration of the
trace?

Yes, the trace took 10.61 seconds total; Sniffer Pro adds the minimum time that the
LAN will remain at overload before resolving itself, if it does.


5. Back in the Expert view, double-click on the LAN overload symptom to display more detail
related to the problem. (Drag the separator bar to the bottom if you do not see the Objects
tab on the top right.)

a. What value is recorded for Maximum LAN Overload?

Maximum was 94%.

b. What value is recorded for Average LAN Overload?

Average was 80%

c. Click on the for an explanation of this problem.

6. Given the number of DLC addresses identified by the Sniffer analyzer does it seem logical
that we have a switch loop in our network?

Not really. There are too many stations participating for a loop to be the cause.

7. Can we always rely upon the correctness of our network map?

In most networks, no. They should be close, however.

8. Display the data and evaluate the delta times.

Do the Delta times posted by the Sniffer analyzer seem consistent with a switch or bridge
loop in our network?

No. They are larger than one would expect to see with a loop. They are not the same
frame, either.

9. Frame 1 shows an NCP command to open a file. The destination address of A1.1 is the
address of the Novell File Server. If you cannot see the entire client address, adjust the width
of both of the address columns until the entire address is visible.

10. Let's take a look at the lower two layers to see what's happening there.

a. Apply our Allbadframes filter (Display > Select Filter)

b. A new Filtered x window with 618 frames should appear.

11. Looking through the frames, do you see signs of physically damaged frames?

8 or 9 bytes of AAAAAs for the destination address and question marks for the source
address. Each frame is also 8 or 9 bytes long.

12. What problems do we associate with this pattern of damaged frames?

Signal Reflection and Hub Jams.


13. With the network topology (type of equipment and design) and indicators from the data, what
conclusions do you reach?

This is most likely not a Signal Reflection problem. We are using hubs and switches
exclusively. These devices reduce the network to a series of point-to-point links with a
bus compliance. Each station transmits its data to the hub/switch; the hub/switch
either repeats or switches the data to the appropriate port.

The transmit leads from each device are a discrete pair, as are the receive leads.

We are witnessing Hub Jams (either from the hub or the switch).

The real problem is that the server is still on a 10Mbps link. By installing a switch we
have done nothing to eliminate the bottleneck in the network (it is now the switch
instead of the cable segment that existed earlier).

The switch will also introduce one full frame of latency to all buffered frames. If the
server is responding to the client, then the client port must buffer the incoming client
frames. This really adds latency to all transactions and is a classic example of poor
network design. Switches can be very helpful, provided they are deployed correctly.

14. Close the window.

15. Stop here. Do not proceed to the next exercise.


Exercise Section 5: Switch Traffic (Optional)

Objective: To view several types of frames captured in a switched network. You will look at
typical switch-related protocols and the different VLAN tagging encapsulation
methods.

Background: The first trace was captured using the Switch Expert control to SPAN a port to
the Sniffer port. Several protocols are used in this switched environment:
Spanning Tree BPDUs, VTP (Cisco Virtual Trunk Protocol) to maintain the tree
of switches, Cisco ISL (Interswitch Link Protocol) encapsulation, CDP (Cisco
Discovery Protocol), and DISL (Cisco Dynamic Inter-Switch Link). We are not
going to explore the proprietary protocols, but will look at the ISL headers and
use the Expert information to learn how to troubleshoot from it. Most of the data
has been stripped out of the trace. You can also see the switch’s MIB data when
you attach to a switch. Once you get the port mirrored, the captured data looks
pretty much like other Sniffer traffic with added VLAN information and switch
traffic.

The second and third traces show 802.1Q encapsulation.

1. Open C:\NAI\202GUI\VLANprob.caz. In the Expert windows, answer the following
questions.

a. At the Global layer, what protocols are active?

BPDU, Cisco ISL and Cisco VTP

b. What symptoms are listed?

VTP versions different, VLAN not operational, Spanning Tree Topology Change,
VLAN removed from Domain

c. How many VLAN objects are there at the Global layer?

40 – from the upper right panel, there are 36 VLANs, 2 domains and 2 segments.
Note that some of them are FDDI and Token Ring in addition to the Ethernet
VLANs.

d. At the DLC layer, what protocol is shown?

Ether and Token Ring

e. We’ll limit our exploration to the Global layer. It looks like that will provide us a lot of
things to learn!

2. The Global layer symptom “Spanning Tree Topology Change” is related to BPDU frames.
We’ll start there. The Expert gives us a lot of help in determining what has happened.

3. With all five of the Expert windows open, highlight the symptom associated with VLAN #1,
then look at the lower right panel to see the information shown about the BEFORE and
AFTER configuration. If we had a good network map, it would be very easy to see how the
mesh has changed with this information. It’s a lot better than trying to make sense of the
series of frames on our own!


a. What is the Priority ID of the root bridge before and after the change?

b. Before: 0001.0060478F9A00 After: 012c.00100706D000

4. Click the Decode tab. Look at the details of the first BPDU frame. What type of encapsulation
is it using? Are all the frames encapsulated?

It is a standard Ethernet frame encapsulated in an ISL header. The Ethernet frame is
directed to the multicast address 0180C2000000.

No, all the frames are not encapsulated. Some of the DISL frames have just a DISL
header with two parts: one that looks like a version 2 DLC header followed by a
“Pseudo LLC/SNAP header” that contains the DISL information. CDP frames are not
encapsulated, either. They look like standard LLC/SNAP frames. (In the original
unfiltered trace, there were also NSAP frames that were not encapsulated.)

5. Notice that frame 9 has a different “Pri” number from the earlier frames. Look at the BPDU
header of frame 9. Compare the BPDU header information with frames 1-8. What is different
about the flags in this frame?

It is a topology change frame

a. Compare the root ID in frame 8 and frame 9. Does this agree with what we saw in the
Expert?

No, frame 8 shows the root as 8000.Cisco58F9AFD, frame 9 shows
0001.Cisco58F9A00 as root. These frames are repeated in frames 29 and 30.

6. Since these frames didn’t apply to the information we saw in the Expert, go back to the
Expert and highlight the VLAN #1 Spanning Tree Topology Change symptom, then press
the Expert’s Display Filter icon.

7. Compare the root identifier in frames 9 and 113. Does this match what we saw in the Expert?

Yes, this is what triggered the symptom. The BPDUs in the trace allowed the
Expert to build the BEFORE and AFTER table.

8. Let’s go back to the Expert and look at those VLAN changes we saw.

a. Look at the Global symptoms and highlight the VTP Versions Different symptom. Click
on the ? help icon to see what this symptom means. From the lower right panel, what
was the last VTP version received? 2

b. What VLAN was removed? 333 We can assume this is related to the VTP version
problem. If you look at the VLAN Removed from Domain symptom, you’ll see that it is
this same VLAN and the incorrect version shows in these panels.

c. Click on the TNV layer in the Detail Tree in the center bottom panel. What is the VTP
version being used? 1

d. What VLANs are in this domain?

1, 225, 226, 1002, 1003, 1004, and 1005


e. Highlight the VTP Versions Different symptom, then click on the Display Filter icon to
see the frames associated with this symptom. Find the VTP frames and locate the frame
that shows version 2. Which frame shows version 2? Frame 64

What is the updater's IP address? 161.69.225.250 This and the DLC address should
make it quite easy to locate the device that needs the upgrade.

If you want to isolate the VTP frames, you’ll need to do a data pattern match filter on the
SNAP Type = 203 (VTP) which pastes 20 03 at offset 2E. (There are 12 in the trace.)

f. In the Expert, highlight one of the VLAN Not Operational symptoms and click the ? help
button to get some information about what caused this symptom. Note the reason for the
non-operational state shown in the lower right window. This information will help you
reconfigure the devices so you can bring them up.

# 2 is Undefined, # 10 shows MTU Too Big For Trunk, # 11 shows MTU Too Big For
Device, and # 12 shows Suspended.

g. If you want to find the frame(s) that triggered these symptoms, go to the Decode window
and right click, then Find Frame. Type MTU too big and click to search in the Detail
window and disable match case.

Frame 106 shows all the VLAN that are “Not Operational”.

9. Last, let’s look at some 802.1Q headers. This trace is using ISL, so we’ll close it and look at
another trace. Open C:\NAI\202GUI\8021q.cap. This trace is pretty clean, fortunately, so
we’ll just look at the frames in the Decode window.

a. Scroll up in the Detail window and look at the 8021Q headers. The header is pretty simple: it
shows just the 8100 protocol type field that identifies this field as a tag, then the next byte
showing the frame priority, tunnel type and the VLAN ID. Remember that the Ethertype
field shown in this header actually belongs to the DLC header – the tag is
inserted between the source DLC address and the type/length field.

b. Scroll down to one of the 1518 byte frames just to see how the Sniffer labels these
maximum size 1518 byte Ethernet frames that have the 4 byte header added. There is no
CRC error posted, but you will see a TCP checksum error message.

c. We may see longer frames in the future as the specifications are changed to make
Ethernet more efficient at the higher speeds.

10. Close the 8021q.cap trace and open C:\202GUI\8021q-gig.cap trace. This is a trace taken
from the trunk between gigabit switches, since we see the VLAN tags in the frames and the
telltale full-duplex channel identifiers in the Status column. The Statistics tab shows the link
is 1000 Mbps.

11. Check the tag header in the Detail window. Is it like the one we saw from the 100 Mbps link?

Yes

12. There are some frames labeled Oversize in this trace. Evidently the Sniffer allows 1518 byte
802.1Q frames because it knows the tag adds 4 bytes to the maximum size Ethernet frame.
Because these are greater than 1518 bytes, it labels them as Oversize.


13. Remember that Sniffer Pro’s switch Expert and Control functions also show the MIB data for
switches. MIB data allows you to see the version of the switch’s operating system and
statistics for each module, port and VLAN. This is covered in more detail in the TNV-201-DSP
and TNV-112-GUI classes.

14. Close all windows. Do not go on to the next exercise.
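
The tag layout from step 9 and the size labelling from steps 9b and 12, as an added Python example (not code from the course or from Sniffer Pro). The addresses, frame bytes and function names are constructed for illustration; the field layout is that of IEEE 802.1Q, and lengths exclude the 4-byte CRC, as the analyzer displays them.

```python
import struct

TPID_8021Q = 0x8100   # protocol type value that marks an 802.1Q tag
DLC_HEADER = 14       # destination (6) + source (6) + type/length (2)
TAG_LEN = 4           # 8100 type field + 2 bytes of tag control information
MAX_UNTAGGED = 1514   # 14-byte header + 1500 bytes of data, CRC not counted
MIN_FRAME = 60        # minimum frame, CRC not counted


def parse_frame(frame: bytes) -> dict:
    """Split a frame into DLC addresses, optional 802.1Q tag and type/length."""
    if len(frame) < DLC_HEADER:
        raise ValueError("frame ends inside the DLC header")
    dst, src = frame[0:6], frame[6:12]
    (type_len,) = struct.unpack("!H", frame[12:14])
    vlan = None
    data_offset = DLC_HEADER
    if type_len == TPID_8021Q:
        if len(frame) < DLC_HEADER + TAG_LEN:
            raise ValueError("frame ends inside the 802.1Q tag")
        # The tag sits between the source address and the original
        # type/length field, which follows it unchanged.
        tci, type_len = struct.unpack("!HH", frame[14:18])
        vlan = {
            "priority": tci >> 13,      # 3 bits
            "cfi": (tci >> 12) & 0x1,   # 1 bit
            "vid": tci & 0x0FFF,        # 12-bit VLAN ID
        }
        data_offset = DLC_HEADER + TAG_LEN
    return {
        "dst": dst.hex(),
        "src": src.hex(),
        "vlan": vlan,
        # Values below 0x0600 are an 802.3 length, not an Ethertype.
        "kind": "ethertype" if type_len >= 0x0600 else "length",
        "type_len": type_len,
        "data_offset": data_offset,
    }


def strip_tag(frame: bytes) -> bytes:
    """Return the frame as it looked before the tag was inserted."""
    if parse_frame(frame)["vlan"] is None:
        return frame
    return frame[:12] + frame[12 + TAG_LEN:]


def size_label(length: int, tagged: bool) -> str:
    """Label a frame length the way steps 9b and 12 describe."""
    limit = MAX_UNTAGGED + (TAG_LEN if tagged else 0)
    if length < MIN_FRAME:
        return "runt"
    return "oversize" if length > limit else "ok"


# Constructed sample: an IP frame on VLAN 225 with priority 5.
DST = bytes.fromhex("00a0c9112233")
SRC = bytes.fromhex("00a0c9445566")
DATA = bytes(46)
UNTAGGED = DST + SRC + bytes.fromhex("0800") + DATA
TAGGED = DST + SRC + bytes.fromhex("8100" "a0e1" "0800") + DATA

if __name__ == "__main__":
    print(parse_frame(TAGGED))
    print(size_label(1518, tagged=True), size_label(1518, tagged=False))
```
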


Exercise Section 6: Fast Ethernet Troubleshooting and Back Pressure

Objective: To review Ethernet troubleshooting techniques using a trace captured from a
Fast Ethernet network, then recognize back pressure frames sent by Fast
Ethernet switches.

Background: Both trace files were taken from switched Fast Ethernet networks. They have
several problems. We'll use the Expert to tell us about them.

1. Open C:\202GUI\100MBFIL.caz.

2. Look at the Expert. What symptoms do you see at the Global layer?

Broadcast/Multicast Storm.

a. How many stations are involved in this?

Thirteen. Several of them are DECnet stations, which tends to be a very “chatty”
protocol.

3. What diagnoses do you see at the DLC layer?

High rate of physical errors.

a. What symptoms do you see at the DLC layer?

Lots of runts and “DLC address is a multicast address” caused by frame corruption in
the destination address field. If you highlight a station with this symptom in the upper
right window and look at the DLC addresses in the Detail tree, you’ll see that many of
them have 5s or As in the address.

4. Look at the Decode window and frame 13. DECnet stations periodically send these “Hello”
frames.

a. What is the DLC address for 46.307?

DECnet0033B9 (WISHPB)

b. Highlight that address in the Expert DLC object list and click on the Display Filter icon.
A new Filtered x window with 6 frames will open. Enable Relative Time column if not
shown. How often is 46.307 sending these “Hello” frames?

Every 14.5 seconds

DECnet nodes multicasting at this rate will contribute to Broadcast/Multicast storms.
Based on this, you will want to adjust your Expert Alarm thresholds for broadcast
storms to a much higher level to eliminate these Global symptoms.


5. Apply your allbadframes filter to the unfiltered Decode window. How many frames have
errors?

219.

a. Of the 6059 frames in the original trace, what is the percentage of frames with physical
errors?

219/6059 = 3.6%. This is outside what is considered normal and should be corrected.

b. Analyze the problem by looking at the hex of the damaged frames. What conclusions can
you draw?

Frames are damaged anywhere from 2 to 51 bytes into the frame. AAAAs and 5555s
appear in most of the damaged frames. We’d rule out normal collisions because there
are far more than 8 bytes of AAAAs and 5555s. It is most likely a hardware problem or
backpressure. (We don’t have the story on this trace.) We’d need a network map or the
actual network to probe further. Fix the physical problems before moving on to the
upper layer problems.

6. Let’s look at a couple of traces with backpressure so you will recognize it. System Engineers
gave these traces to us. They were captured from different networks using different hubs.
Close the 100mbfil.caz window and open the C:\202GUI\Backpres.cap trace file. This is a
filtered trace that shows only bad frames. Normally, backpressure will not have such a
catastrophic effect on the network. What data patterns do you see in Decode window?

D0D0D0, 434343 and 343434 patterns.

a. What size range are most of the frames?

12 to 20 bytes (a few are larger). This trace was from Michelle Coomes when she was
at 3Com.

7. Now open the C:\202GUI\Backpres2.cap trace file. From the Expert, what symptoms or
diagnoses do you see at the DLC layer?

Collision after 64 bytes.

a. What station is involved?

0008C7A4ACB3. This is coincidental-- it happened on many stations.

8. View the Decode window and look at the hex data for the frame with this symptom. What
type of errors do you see in this frame?

Repeating 55s starting at offset 236 in frame 6.

9. Follow the sequence of the bytes and offsets in this file transfer. Frame 9 below the damaged
frame, you’ll see a burst frame from the client requesting retransmission of the frame that got
damaged. Look in the Detail window for the offset and size. Which frame retransmits the
damaged frame?

Novell’s Pburst has selective retransmission of frames not received in a burst.

Use Two station format to show this sequence. Disable Show Network Addresses,
then use the Matrix to set a filter on the 2 MAC addresses. It becomes very easy to
see the effects of the backpressure on the transfer and how the upper layers handle
any collisions that result.

The Intel client requests a big read in frame 4

The server sends packets 5, 6, 7 and 8 with the data, but 6 gets damaged.

The client comes back in frame 9 with the request for the missing frame

Frame 10 is the retransmission of frame 6.

This trace came from a company that was having problems from a line running in the
proximity of a generator in a warehouse using cat 5 cabling. The errors coming from
the EMI were overflowing the buffer on the 10/100 switch so the switch was sending
out the backpressure. To solve the situation the customer installed a fiber zip cord and
it worked. This proves the point that the backpressure was not the problem but the EMI
was. I hope this fills in the gaps for everyone. Michael "Mickey" Giovingo

10. These are two examples of backpressure sent by switches to slow the stations. Evidently
the buffer is full and they need to slow things down so they can free buffer space.
Remember that the specification allows the switch to send preamble bits (alternating ones
and zeros) to keep the line busy. This shows up as 5s or As in the traces. If the vendor
chooses to use another bit pattern, you will see other bit patterns.

11. To determine the bit pattern for your switches, capture during a busy period and look for
frames with suspicious patterns. Disable backpressure on your switch, while capturing a
trace. See which patterns are missing. Document the information for your co-workers.

12. If you see a lot of “errors” like this on your Fast Ethernet segments, look at where the back
pressure bits show up in the frames to ensure you don’t have a different problem. You may
need to segment a network if the switch is unable to keep up with the normal traffic.
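
Steps 5b through 12 read fill patterns out of the hex by eye; the same checks as an added Python example (not part of the course material or of Sniffer Pro). It is meant to run over frames the analyzer has already flagged as bad; the sample frames and function names are constructed, and the 8-byte limit is the rule of thumb from step 5b.

```python
from collections import Counter
from typing import List, Optional, Tuple

PREAMBLE_BYTES = {0x55, 0xAA}  # alternating ones and zeros, either bit alignment
COLLISION_MAX = 8              # step 5b: more than 8 such bytes is not a normal collision


def longest_run(frame: bytes, min_run: int = 3) -> Optional[Tuple[int, int, int]]:
    """Return (offset, length, byte value) of the longest run of one repeated byte."""
    best = None
    i = 0
    while i < len(frame):
        j = i
        while j < len(frame) and frame[j] == frame[i]:
            j += 1
        if j - i >= min_run and (best is None or j - i > best[1]):
            best = (i, j - i, frame[i])
        i = j
    return best


def classify(frame: bytes, collision_max: int = COLLISION_MAX) -> Tuple[str, str]:
    """Describe the dominant fill pattern and where in the frame it starts."""
    run = longest_run(frame)
    if run is None:
        return ("no repeating pattern", "")
    offset, length, value = run
    if value not in PREAMBLE_BYTES:
        kind = "non-preamble fill pattern"
    elif length <= collision_max:
        kind = "preamble/jam bytes within collision range"
    else:
        kind = "preamble pattern longer than a normal collision"
    where = "after 64 bytes" if offset >= 64 else "within first 64 bytes"
    return (kind, where)


def fill_patterns(bad_frames: List[bytes]) -> Counter:
    """Count the dominant repeated byte (as hex) across a set of bad frames."""
    counts: Counter = Counter()
    for frame in bad_frames:
        run = longest_run(frame)
        if run is not None:
            counts[f"{run[2]:02x}"] += 1
    return counts


def patterns_missing_when_disabled(with_bp: List[bytes],
                                   without_bp: List[bytes]) -> List[str]:
    """Step 11: patterns seen with back pressure enabled but not with it disabled."""
    return sorted(set(fill_patterns(with_bp)) - set(fill_patterns(without_bp)))


# Constructed bad frames. The D0, 43 and 34 fills mirror the patterns named in
# step 6, and the 55s starting at offset 236 mirror step 8; every other byte is
# made up.
HEADER = bytes.fromhex("00a0c9112233" "00a0c9445566" "0800")
COLLISION = HEADER + b"\x55" * 6
LATE = bytes(range(236)) + b"\x55" * 20
BP_D0 = b"\xd0" * 16
BP_43 = b"\x43" * 14
BP_34 = b"\x34" * 12

CAPTURE_BP_ON = [COLLISION, LATE, BP_D0, BP_43, BP_34]
CAPTURE_BP_OFF = [COLLISION]

if __name__ == "__main__":
    for frame in CAPTURE_BP_ON:
        print(longest_run(frame), classify(frame))
    print(patterns_missing_when_disabled(CAPTURE_BP_ON, CAPTURE_BP_OFF))
```
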


Exercise Section 6: Fast Ethernet Problems

Objective: Look at a trace taken from a busy Fast Ethernet network.

Background: Several Windows NT workstations were copying files across the network in a
Sniffer University classroom. The stations were connected to a 100 Mbps hub.
Many errors caused slow response times. In spite of the problems shown here,
most stations did not experience much difficulty. This trace was captured with a
filter set to capture only physical error frames.

1. Open C:\202GUI\Big_bad_rich.caz. What problems does the Expert see and how long did
they last?

Bad CRC errors at the global layer, lasting 3 minutes, 45 seconds and 723 ms

2. How many DLC objects are shown?

Only two, both have NGC cards

3. Look at the Decode window. What type of errors are reported in the status column?

CRC, alignment, collision, unknown

4. What conclusions can you draw from what you’ve learned in class?
The 55s are collision data that are the result of the two colliders and the hub all
jamming at about the same time. On bigger networks, the jam is accumulated. On
small networks, the jam overwrites each other. Result: big networks can have 8 to 12
bytes of jam, small networks can have 0 to 8 bytes of jam, depending on where it
started in the frame or preamble.
The partial frames showing the conversation from 10.10.0.7 (NGC 100D4E) to 10.10.0.9
(NGC 100EF8) show CRC errors, probably due to a marginal or failing card.

5. Close the window. Stop; do not go on to the next exercise.


Exercise Section 6: 10/100 Hubs

Objective: Explore traces taken from 10 Mbps and 100 Mbps ports on a single autosensing
hub (multi-port repeater) to see if there are differences in what each port sees.

Background: Two Sniffers were attached to a hub, one at 10 Mbps and the other at
100 Mbps. Each port on the hub was capable of either speed. We could assume
there were two backplanes in the hub, one for each speed, with a link between
them to propagate traffic to all ports.

Instructors: These traces are from Steve Hammill. They were taken from the Hawking
10/100 multiport repeater that is advertised as a hub. Each port autosenses
the speed of the connection. Any ports that are not the same speed have
the frames bridged between them. There are other issues in these traces
that are not related to the forwarding we point out in this exercise. Stay
away from them unless you are cornered or are prepared to discuss them!

1. Open these two trace files: C:\NAI\202GUI\Hawk10b.enc and Hawk100b.enc. Use
Windows > Tile to see the Expert overview of both traces simultaneously.

2. How many frames are in the Hawk10b.enc trace? 130 The Hawk100b.enc trace? 42

(This does not imply that there is a difference in what the Sniffers saw, it may just be a matter
of when each was started and stopped.)

3. Note any differences in Expert information here.

Hawk10b.enc has 2 ICMP redirect symptoms and 1 Router Storm diagnosis at the
Station layer, and 1 WINS No Response diagnosis at the Session layer.

Hawk100b.enc has only the router storm diagnosis

There are different object counts at the Session, Connection, Station and Subnet
layers, too.

4. Adjust each window so it occupies one half of the screen vertically so you can compare the
traces frame by frame. Press F4 to zoom each Summary panel. Look at the frame data so
you can align the first matching frames side by side. What are the first two identical frames?

Frames 1-5 in each trace are identical. Starting at frame 6, the Hawk100b.enc has
frames that are not found in the Hawk10b.enc trace.

5. Let’s see if we can filter out some of the frames to get an idea of the criteria this device is
using to forward the frames. First let’s find out how many are broadcast frames. Create a new
profile called Broadcast. Use the Address tab, leave the Address type set to Hardware,
then click the + in front of the Broadcast/Multicast Address icon. Scroll down and highlight
Broadcast(FFFFFFFFFFFF), drag it to the top Station 1 field, click in the Station 2 top field to
select Any, then click OK. Select this filter on each trace. How many frames are there in each
trace?

Both have 24 broadcast frames, so we know the hub forwarded all of those as it should
have.


6. Now go back to your Broadcast filter and click the Exclude button and apply the filter to
each of the Decode-tabbed windows again. How many non-broadcast frames are in each
trace?

Hawk10b.enc has 106 frames, Hawk100b.enc has 18 frames.

7. Click the Host Table tab for each trace and compare the IP addresses. How many hosts are
in each trace and which ones appear in each trace?

Both traces have 192.168.1.13, 192.168.1.192, 192.168.1.252-255.

Hawk10b.enc also has 192.168.1.251, 10.1.1.11, 10.1.1.53, 161.69.33.11, 161.69.5.203

8. Change the layer to MAC. How many DLC addresses are in each trace?

The same six devices appear in both traces. This means there is at least one router.

9. What conclusions can you draw from the behavior of this hub/multiport repeater?

This device seems to be doing more than bridging the frames between the backplanes.
It is forwarding frames based on criteria above the datalink layer.

Note that only the Ping and ARP frames between .13 and .192 are in the Hawk100b.enc
trace.

These frames are also in the Hawk10b.enc trace, but there are lots of WINS “Refresh
Name” frames in the Hawk10b.enc that aren’t in the Hawk100b.enc trace.

All the WINS non-broadcast frames were filtered by the hub on the 100 Mbps port.

10. This seems like non-standard behavior. You may want to do a similar check of any odd
connection problems you see on your 10/100 hubs. This type of behavior may affect what
you see on the Sniffer, security devices, network management tools, etc.

11. Enlarge both trace file windows to normal size, then close them. Stop here. Do not go on to
the next exercise unless directed by your instructor.
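
The comparison in steps 5 through 9 can also be run on raw frame bytes. The Python below is an added example, not part of the original course material: it classifies each frame by DLC destination and carried protocol, then counts the frames one port captured that the other never saw. The sample frames, MAC addresses and helper names are constructed for illustration and are not taken from the Hawk traces.

```python
import struct
from collections import Counter

BROADCAST = b"\xff" * 6

def classify(frame):
    """Return (scope, protocol) for one Ethernet II frame given as bytes."""
    scope = "broadcast" if frame[:6] == BROADCAST else "non-broadcast"
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype == 0x0806:
        return scope, "ARP"
    if ethertype != 0x0800:
        return scope, "other"
    ihl = (frame[14] & 0x0F) * 4          # IPv4 header length in bytes
    proto = frame[14 + 9]                 # IPv4 protocol field
    if proto == 1:
        return scope, "ICMP"
    if proto == 17:                       # UDP: port 137 is NetBIOS name service (WINS)
        sport, dport = struct.unpack("!HH", frame[14 + ihl:18 + ihl])
        return scope, "NetBIOS-NS" if 137 in (sport, dport) else "UDP"
    return scope, "IP"

def only_in_first(cap_a, cap_b):
    """Count, per class, frames captured in cap_a that never appear in cap_b."""
    missing = Counter(cap_a) - Counter(cap_b)   # multiset difference on raw bytes
    result = Counter()
    for frame, n in missing.items():
        result[classify(frame)] += n
    return result

# --- constructed sample frames (not taken from the Hawk traces) ---
def eth(dst, ethertype, payload):
    src = bytes.fromhex("020000000013")
    return bytes.fromhex(dst) + src + struct.pack("!H", ethertype) + payload

def ipv4(ident, proto, payload):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, 0, 64, proto,
                       0, bytes([192, 168, 1, 13]), bytes([192, 168, 1, 192])) + payload

ARP = eth("ffffffffffff", 0x0806, bytes(28))
PING = eth("020000000192", 0x0800, ipv4(1, 1, bytes(8)))
WINS = [eth("020000000192", 0x0800, ipv4(i, 17, struct.pack("!HHHH", 137, 137, 8, 0)))
        for i in (2, 3, 4)]
PORT_10 = [ARP, PING] + WINS      # what the 10 Mbps port saw
PORT_100 = [ARP, PING]            # what the 100 Mbps port saw
```

If every frame missing from one port falls into a single upper-layer class while other non-broadcast traffic crosses, the device is selecting on more than the DLC address, which is the conclusion reached in step 9.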


Exercise Section 8: Gigabit Traffic

Objective: Follow autonegotiation frames and analyze a trace with errors.

Background: The first trace was taken as a Gigabit Ethernet device was initializing. We will
follow the sequence of frames each side sent. The second trace was captured on
a network and has many Expert symptoms.

1. Use File > Select Settings to create a new Gigabit agent. Click New. Name it Gigabit and
choose the Network Associates Gigabit Ethernet PCI Adapter_x from the Network
Adapter drop-down list. Don’t copy any settings. Click OK twice. Click OK on the “Failed to
Set Monitor Mode” message. You should see Gigabit, SX in the title bar. Ignore the blinking
“Channels A and B Link Faults” indicator in the title bar.

2. Open C:\202GUI\GBAutonegotiation.cap. This trace has 12 frames captured between
channels A and B. Zoom the Detail window and press F8 to advance frame by frame. Note
the contents of C1 for each.

Frame  Channel A                                       Direction  Channel B

1                                                      ←          All zeros
2      All zeros                                       →
3      Asymmetric & Symmetric Pause, Full Duplex       →
4                                                      ←          Ack, Link Failure, Symmetric Pause, Half & Full Duplex
5      Ack, Asymmetric & Symmetric Pause, Full Duplex  →
6      Idle                                            →
7      All zeros                                       →
8      Asymmetric & Symmetric Pause, Full Duplex       →
9                                                      ←          Ack, Symmetric Pause, Half & Full Duplex
10     Ack, Asymmetric & Symmetric Pause, Full Duplex  →
11     Idle                                            →
12                                                     ←          Idle

3. Though we don’t see definitive frames where both agree in this trace, we can assume they
will settle on Symmetric Pauses and Full Duplex as the highest common denominator. They
will maintain this mode until they are reset or rebooted. The rule is to acknowledge after a
side has received 3 consecutive identical frames. These devices do not seem to follow the rule.
There is no field to indicate the media type in use.

4. Notice the 10 bit decodes in the Hex panel are automatically enabled for autonegotiation
signals.

5. The proof of success lies in seeing whether the devices go on to exchange data (we don’t
see that in this trace). If they do, then the inconsistencies with the specification don’t matter. If
they don’t exchange data, you have the frames to follow to see where the sides disagree and
work from that point. Close this file.

6. Open C:\202GUI\GB.cap. You will see in the Expert that this trace file has 5 Time-to-Live
Expiring symptoms at the Station layer. We won’t worry about those – that’s for another
course! We can do some examination of the Global symptom of a Bad CRC.

7. Looking in the Decode window, we see that almost every frame has a symptom associated
with it. Let’s pull in only the frames with bad CRCs. From Display > Define Filter > Profiles
> New, name the filter CRC Errors, click Done and OK. On the Advanced tab, select (check)
only the CRC errors. Now right-click on the Summary window and choose Select Filter from the
menu and choose the CRC Errors filter. A new window will open with 24 frames showing
CRC and CV (code violation) errors.

8. Use Help > Help Topics > Find. Wait while the help files build. Enter code vi to find the
explanation for these. Highlight the Code Violation Errors in the bottom panel and click
Display. Close the Help screen when you’ve learned how the Sniffer makes this
determination.

9. Do you see any single source address that might indicate a bad card?

No, there are several different IP source addresses, though all of them are sent to the
same IP and DLC multicast address.

10. Let’s look for evidence of physical damage or other erroneous data in these frames. Tab into
the Hex window and press F4 to zoom it. Now press F8 to advance one frame at a time. Do
you see evidence of physical damage?

No, the frames look pretty normal.

11. Now click back on the Decode tab to view the entire trace again. We’ll check to see if any of
these frames were retransmitted. Highlight frame 10 and note the IP identification number
in the frame. ID = 52848.

12. Right-click and choose Find Frame, type in this ID number in the text search window and
click the Detail window radio button, then click OK. Repeat this for a couple of the other CRC
error frames. Are they retransmitted?

No, they are not, so it appears the other side got them OK.

13. Let’s do one last thing with this trace. Right-click over the Hex window and choose 10 Bit so
we can see the 10 bit decodes. (This is automatically enabled for Autonegotiation frames, but
you must set it manually for gigabit data frames.) Scroll through the Hex window to see how
this data looks. You will see some Carrier Extend and idle bits at the end of most of them.
Even though Carrier Extend was developed for half-duplex links, one or more are inserted
between each frame in full-duplex mode, too.


14. We don’t have more information on this trace to tell you how this was resolved. We hope this
has given you some confidence that you can use the skills you’ve learned here to analyze
Gigabit Ethernet frames.

Use File > Select Settings to return to your 10/100 Ethernet agent.
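
For the autonegotiation half of this exercise, the Python below is an added example, not part of the original course material: it decodes the 16-bit configuration word carried in the autonegotiation frames and resolves duplex and PAUSE for two link partners, reproducing the outcome assumed in step 3. Bit positions follow IEEE 802.3 Clause 37 rather than anything printed on this page, and the register values are constructed from the abilities listed in the frame table of step 2.

```python
# 1000BASE-X autonegotiation: decode the 16-bit Config_Reg and resolve abilities.
# Bit positions follow IEEE 802.3 Clause 37 (not stated on this page).
FD, HD, PAUSE, ASM_DIR, ACK, NP = 1 << 5, 1 << 6, 1 << 7, 1 << 8, 1 << 14, 1 << 15
PAUSE_NAMES = {(0, 0): "none", (0, 1): "asymmetric", (1, 0): "symmetric",
               (1, 1): "asymmetric+symmetric"}          # keyed by (PAUSE, ASM_DIR)
REMOTE_FAULT = {0: "none", 1: "Link_Failure", 2: "Offline", 3: "Auto-Negotiation_Error"}

def decode(reg):
    """Return the fields advertised in one Config_Reg value."""
    return {
        "full_duplex": bool(reg & FD),
        "half_duplex": bool(reg & HD),
        "pause": PAUSE_NAMES[(reg >> 7) & 1, (reg >> 8) & 1],
        "remote_fault": REMOTE_FAULT[(reg >> 12) & 3],   # RF1 = bit 12, RF2 = bit 13
        "ack": bool(reg & ACK),
        "next_page": bool(reg & NP),
    }

def resolve(local, partner):
    """Resolve duplex and PAUSE as seen from `local`; None if nothing is common."""
    common = local & partner
    if not common & (FD | HD):
        return None
    duplex = "full" if common & FD else "half"
    lp, la = bool(local & PAUSE), bool(local & ASM_DIR)
    pp, pa = bool(partner & PAUSE), bool(partner & ASM_DIR)
    if duplex == "half":
        tx = rx = False                       # PAUSE applies to full duplex only
    elif lp and pp:
        tx = rx = True                        # symmetric PAUSE
    elif la and pa and pp and not lp:
        tx, rx = True, False                  # local may send PAUSE only
    elif la and pa and lp and not pp:
        tx, rx = False, True                  # local honours received PAUSE only
    else:
        tx = rx = False
    return {"duplex": duplex, "pause_tx": tx, "pause_rx": rx}

# Constructed register values matching the abilities listed in step 2's table.
CHANNEL_A = FD | PAUSE | ASM_DIR              # frames 3 and 8
CHANNEL_B = ACK | FD | HD | PAUSE             # frame 9
CHANNEL_B_FAULT = CHANNEL_B | (1 << 12)       # frame 4: adds Link_Failure
```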


Exercise Section 9: Observing LLC

Objective: Use the Sniffer Pro Network Analyzer Display options to study an LLC session.

Background: This trace file was taken from a Fast Ethernet network running Windows NT4
over NetBIOS and LLC.

1. Open the file C:\202GUI\LLCnetb2.cap. You should have 221 frames.

2. View the Detail of frame 1. Is this an Ethernet Version 2 or 802.3 frame? 802.3 frame.

3. Use Display > Display Setup > Summary Display to enable Two-station format and
exclude All protocols, then click Logical Link Control to enable only LLC, click OK.

4. Is this an LLC Type 1 (connectionless) or LLC Type 2 (connection-oriented) session?

LLC Type 2 (connection-oriented). There are send [N(S)] and receive [N(R)] numbers
for connection-oriented sequencing. There are also two bytes in the Control Field in
the hex window.

5. Which frame starts a new LLC connection?

Frame 10 is the SABME

6. Which is the first frame where data is sent? Who sent it? What sequence number is sent?

Frame 14 is sent by Intel B41D55 using sequence number 0

7. In which frame does Dell D45AE8 send sequence number 3? 23

8. Which frame shuts down the connection? Who sent it?

The Intel B41D55 sends the DISC in frame 107

9. What is the response to this frame?

Dell D45AE8 sends a UA in frame 108 and that’s the end of this session.

10. What was the purpose of all those frames where no LLC data was sent? Hint: Enable the
display of all protocols in Display > Display Setup > Summary Display > enable Show all
layers, then click None at the bottom.

The first LLC data frame (14) carried the NetBIOS session initialization frame.
Frame 18 begins the CIFS/SMB protocol negotiation and account setup process.
Once that is done, it appears that the LLC frames are just keepalives. There is no
upper layer activity.
CIFS/SMB ends the session in frame 105 and LLC disconnects in frame 107.

11. Close all open windows without saving and disable Two-station format.

12. Shut down the Sniffer. We hope this class will enable you to effectively troubleshoot your
Ethernet networks back at your company.
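
The LLC questions in this exercise come down to reading the control field. The Python below is an added example, not part of the original course material: it decodes the one-byte and two-byte control formats and walks a session from SABME to the final UA. The PDUs are constructed (SAP 0xF0 for NetBIOS); only their frame numbers mirror the answers above, and the function names are illustrative.

```python
# LLC (IEEE 802.2) control-field decoder. Sample PDUs below are constructed;
# only the frame numbers mirror the answers in this exercise.
U_FRAMES = {0x6F: "SABME", 0x43: "DISC", 0x63: "UA", 0x0F: "DM",
            0x87: "FRMR", 0x03: "UI", 0xAF: "XID", 0xE3: "TEST"}
S_FRAMES = {0x01: "RR", 0x05: "RNR", 0x09: "REJ"}

def decode_llc(pdu):
    """Decode DSAP, SSAP and the 1- or 2-byte control field of an LLC PDU."""
    dsap, ssap, c0 = pdu[0], pdu[1], pdu[2]
    out = {"dsap": dsap, "ssap": ssap & 0xFE, "response": bool(ssap & 0x01)}
    if (c0 & 0x03) == 0x03:      # U format: one byte, P/F is bit 0x10
        out.update(kind=U_FRAMES.get(c0 & 0xEF, "U?"), pf=bool(c0 & 0x10), ctl_len=1)
    elif (c0 & 0x01) == 0:       # I format: N(S) in byte 0, N(R) in byte 1
        out.update(kind="I", ns=c0 >> 1, nr=pdu[3] >> 1, pf=bool(pdu[3] & 1), ctl_len=2)
    else:                        # S format: N(R) in byte 1
        out.update(kind=S_FRAMES.get(c0 & 0x0F, "S?"), nr=pdu[3] >> 1,
                   pf=bool(pdu[3] & 1), ctl_len=2)
    return out

def summarize(frames):
    """Walk (frame_number, pdu) pairs and report LLC type and session milestones."""
    s = {"llc_type": 1, "setup": None, "first_data": None, "disc": None, "closed": None}
    for number, pdu in frames:
        d = decode_llc(pdu)
        if d["kind"] in ("SABME", "I", "RR", "RNR", "REJ", "DISC"):
            s["llc_type"] = 2            # these PDUs exist only in Type 2 operation
        if d["kind"] == "SABME" and s["setup"] is None:
            s["setup"] = number
        elif d["kind"] == "I" and s["first_data"] is None:
            s["first_data"] = (number, d["ns"])
        elif d["kind"] == "DISC":
            s["disc"] = number
        elif d["kind"] == "UA" and s["disc"] is not None and s["closed"] is None:
            s["closed"] = number
    return s

SAMPLE = [  # constructed NetBIOS-over-LLC PDUs (SAP 0xF0)
    (10, bytes.fromhex("f0f07f")),     # SABME, P=1
    (11, bytes.fromhex("f0f173")),     # UA, F=1
    (14, bytes.fromhex("f0f00000")),   # I, N(S)=0 N(R)=0
    (15, bytes.fromhex("f0f10102")),   # RR response, N(R)=1
    (107, bytes.fromhex("f0f053")),    # DISC, P=1
    (108, bytes.fromhex("f0f173")),    # UA, F=1
]
```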
