How to Use a Network Analyzer. Last Update 2007.06.08, version 1.4.0. Copyright 2000-2007 Kenneth M. Chipps Ph.D. www.chipps.com



What Will Be Learned
How to use the most basic troubleshooting and analysis tool: the network analyzer.

Equipment
This lab is best with both of these:
– A PC with a promiscuous mode NIC, a driver for the NIC as specified by the network analyzer manufacturer, and an operating system installed
– Access to a hub based network

Equipment
This lab can also work with either of these instead:
– A PC with any NIC, any driver, and an operating system installed
– Access to a switch based network through a spanned port

Connect to the Network
Drivers for Ethernet NICs are designed to see all traffic. However, they ignore all unicast traffic that is not addressed to them by MAC address. To overcome this, the driver for the NIC must be set to promiscuous mode. In such a mode it sees all traffic.

Connect to the Network
A NIC that can be set to promiscuous mode is required for this lab; otherwise the card will see only traffic addressed to itself. In general most NICs can be set this way by the network analyzer program.

Connect to the Network
A connection issue related to the NIC is whether the driver will capture all of the errors on the network. This does not relate to promiscuous mode, but rather to the way the driver is written. In general these drivers are only available from the manufacturer of the network analyzer software.

Connect to the Network
Be sure that you have a NIC for which the supplier of the analyzer has a driver. If such a driver is not available the analyzer will still work, but it will miss the error packets.

Connect to the Network
Once the NIC in the computer is set to promiscuous mode it will read in all traffic sent across the network, as long as it is connected to a hub. As in:

Connect to the Network [figure]

Connect to the Network
Analyzing the local traffic of a switch based network is more difficult, because after a switch learns a MAC address on a port it forwards traffic for that MAC address directly to the corresponding port. On a switch, after host B's MAC address is learned, unicast traffic from A to B is forwarded only to B's port, and is therefore not seen by the sniffer.

Connect to the Network [figure]

Connect to the Network
To watch traffic on a switch based network, plug the cable from the computer running the analyzer software into any standard port on the switch. Then set the switch port to span or monitor mode.

Connect to the Network
Normally a port sees only the traffic directed to the MAC address of the computer on that port, plus the broadcast traffic and the multicast traffic. By spanning the port, it will see all traffic on the local network. As in:

Connect to the Network [figure]

Connect to the Network
For example, on the Cisco Catalyst 2950 switch the Switched Port Analyzer (SPAN) feature, also called port mirroring or port monitoring, selects network traffic for analysis by a network analyzer. This is called creating a SPAN port.

Connect to the Network
Catalyst 2950 switches can have only one SPAN session active at a time and can monitor only source ports; they cannot monitor VLANs.

Connect to the Network
To create such a port, access the command line interface for the switch operating system, then enter:
–C2950#config t
–C2950(config)#monitor session 1 source interface fastEthernet 0/2
–!-- Interface fa0/2 is configured as the source port

Connect to the Network
–C2950(config)#monitor session 1 destination interface fastEthernet 0/3
–!-- Interface fa0/3 is configured as the destination port
–C2950(config)#^Z (press Ctrl-Z to return to privileged EXEC mode)
To check this enter:
–C2950#show monitor session 1
–Session 1

Connect to the Network
–Source Ports:
–RX Only: None
–TX Only: None
–Both: Fa0/2
–Destination Ports: Fa0/3
To clear this, enter (from global configuration mode):
–C2950#config t
–C2950(config)#no monitor session 1

Connect to the Network
Catalyst 2950 switches are able to SPAN source port traffic in the:
–Receive direction only (Rx span or ingress span)
–Transmit direction only (Tx span or egress span)
–Both directions

Connect to the Network
Keep in mind the way most switches work these days: if the switch receives a corrupted packet, the ingress port usually drops it, so you won't see it on the egress port. A switch is therefore not completely transparent when it comes to capturing traffic.

Connect to the Network
So when you see a corrupted packet on a SPAN port, the errors were generated on the egress segment.

What is a Network Analyzer
As Laura Chappell, a very well known writer and trainer on network analysis, says:
–A network analyzer is a device (desktop, laptop or portable computer) that can 'capture' all the packets seen on the network and display them in the order they appeared on the cable
–A good analyzer should have some alerts/alarms that notify you of unusual or faulty traffic patterns

What is a Network Analyzer
–The analyzer should also be able to build trend graphs to illustrate the current and long-term traffic patterns (such as utilization and packets per second)
–In order to make the communications information useful to you, the analyzer decodes, or interprets, the actual packet information received

What to Call These Things
Network analyzers go by many different names, such as:
–Network Analyzer
–Protocol Analyzer
–Sniffer

A Network Analyzer
Next we will go through the basics of what a network analyzer can do, using screenshots and an explanation of each task. This example uses Sniffer Pro Version 4.5. We will begin by looking at each button on the toolbar.

Opening Display [screenshot]

Toolbar Buttons [screenshots]

Gauge Dashboard View
The normal opening view shows the dashboard. To make the dashboard appear, click the dashboard button on the toolbar.

Gauge Dashboard View [screenshot]

Gauge Dashboard View
The dashboard is a set of gauges showing:
–Utilization
–Packets per Second
–Errors per Second
Below this is a line chart:
–Utilization is selected by default
–Other lines can be added by checking the boxes

Gauge Dashboard View [screenshot]

Detail Dashboard View
The information seen in the gauges can be expanded to show more detail by clicking the Detail tab.

Detail Dashboard View [screenshots]

Gauge Threshold Settings
The two colors on the gauges represent the normal range, in black, and the problem range, in red. These can be set to any level desired by clicking the Set Thresholds button and adjusting the values shown.

Gauge Threshold Settings [screenshots]

See All Devices on the Network
The network analyzer can be used to show all devices that are sending traffic over the network. This is done by clicking the Host Table button.

See All Devices on the Network [screenshots]

See All Devices on the Network
The devices can be listed by:
–MAC address
–IP address

See All Devices on the Network [screenshots]

See All Devices on the Network
The IP list shows local and remote devices, such as web sites viewed. This window has several other views that can be selected by clicking the buttons on the left of the window.

See All Devices on the Network [screenshot]

Traffic Map
The Traffic Map is an odd display. It is meant to show who is talking to whom.

Traffic Map [screenshot]

Traffic Map
There are two basic views:
–Graphic view
–Table view
As in:

Traffic Map [screenshots]

Application Response Time
Next is the Application Response Chart. This is a useful tool for baselining, as it shows how long it takes for a station to talk to a server.

Application Response Time [screenshots]

History [screenshot]

History
History shows a bunch of things. As in:

History [screenshot]

History
Packets per Second, Utilization, Errors per Second, and so on. Let's look at a few of these by double clicking the icon.

History [screenshots]

Protocol Distribution [screenshot]

Protocol Distribution
The Protocol Distribution display is very useful. It shows what protocols are running on the network. For example, you may think there is no NetBEUI traffic on the network, yet this sample display shows NetBEUI traffic.

Protocol Distribution [screenshot]

Protocol Distribution
This has a:
–Histogram
–Pie Chart
–Table view

Global Statistics [screenshot]

Global Statistics
Global Statistics shows the packet sizes seen on the network.

Global Statistics [screenshot]

Alarm Log [screenshot]

Alarm Log
The Alarm Log shows just that: any alarms that have been issued based on the alarm settings. These are set on the Dashboard view using the Set Thresholds button.

Alarm Log [screenshot]

Capture and Decode Packets
To examine the traffic, packets must be captured and presented in a form humans can comprehend. This is what capture does.

Capture and Decode Packets [screenshot]

Capture and Decode Packets
When Capture – Start is selected, frames going over the wire are placed in a buffer. To look at them, go back to the same menu and select Stop and Display.

Capture and Decode Packets [screenshot]

Capture and Decode Packets
In Sniffer Pro the initial decode display has the Expert tab selected. For this example, click the Decode tab.

Capture and Decode Packets [screenshot]

Capture and Decode Packets
Now the display shows each packet listed in the top pane, the decoded information in the middle pane, and the raw data in hex and ASCII in the bottom pane.

Capture and Decode Packets [screenshot]

Capture and Decode Packets
The middle pane is the most useful. It presents the information layer by layer in a form simple humans can deal with. The example shown next is a decode of a conversation with a web server. Notice that it shows several layers, from bottom to top of the TCP/IP model.

Capture and Decode Packets [screenshots]

Basic Packet Filtering
Capturing the way just shown captures everything. It is more useful to limit the packets captured to just those of interest. This is done by specifying a filter, such as:
–Address Filters
–Protocol Filters
–Dataset Filters

Basic Packet Filtering
Address filters look for particular source or destination addresses at the MAC address, IP address, or IPX address level. Protocol filters look for a particular activity as revealed by the protocol or port number the activity uses, such as port 53 for DNS.

Basic Packet Filtering
Dataset filters define traffic to watch based on a specific value at a specific offset within a packet.
–These are considered advanced filters and are difficult to construct
But this is a topic for another lab.
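The three filter kinds just listed, worked as an added example that is not from the slides and does not reproduce Sniffer Pro's own filter syntax: a small filter engine over constructed Ethernet/IPv4 frames. The frame builder, the sample capture (a DNS query and reply plus one HTTP segment) and the MAC and IP addresses are all constructed here.

```python
import struct
from typing import Callable, Dict, List, Optional

Frame = bytes
Filter = Callable[[Frame], bool]


def build_frame(src_mac: str, dst_mac: str, src_ip: str, dst_ip: str,
                proto: int, sport: int, dport: int, payload: bytes = b"") -> Frame:
    """Construct an Ethernet II + IPv4 + UDP(17)/TCP(6) frame for the sample set.
    Checksums are left at zero: this is constructed sample data, not a frame off the wire."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    eth = mac(dst_mac) + mac(src_mac) + b"\x08\x00"            # EtherType 0x0800 = IPv4
    if proto == 17:                                             # UDP: sport, dport, length, checksum
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    else:                                                       # TCP: minimal 20-byte header, ACK set
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x10, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return eth + ip + l4


def decode(frame: Frame) -> Dict[str, object]:
    """Pull out the header fields the filters need (Ethernet, IPv4, TCP/UDP ports)."""
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    f: Dict[str, object] = {"dst_mac": dst.hex(":"), "src_mac": src.hex(":"), "ethertype": etype}
    if etype == 0x0800:
        ihl = (frame[14] & 0x0F) * 4                            # IPv4 header length in bytes
        f["proto"] = frame[23]                                  # IP protocol number: 6 TCP, 17 UDP
        f["src_ip"] = ".".join(map(str, frame[26:30]))
        f["dst_ip"] = ".".join(map(str, frame[30:34]))
        if f["proto"] in (6, 17):
            f["sport"], f["dport"] = struct.unpack("!HH", frame[14 + ihl:18 + ihl])
    return f


def address_filter(addr: str) -> Filter:
    """Address filter: keep frames with this MAC or IP as source or destination."""
    def match(frame: Frame) -> bool:
        d = decode(frame)
        return addr in (d.get("src_mac"), d.get("dst_mac"), d.get("src_ip"), d.get("dst_ip"))
    return match


def protocol_filter(port: int, proto: Optional[int] = None) -> Filter:
    """Protocol filter: keep frames using this TCP/UDP port (53 = DNS),
    optionally restricted to one IP protocol number."""
    def match(frame: Frame) -> bool:
        d = decode(frame)
        if proto is not None and d.get("proto") != proto:
            return False
        return port in (d.get("sport"), d.get("dport"))
    return match


def dataset_filter(offset: int, value: bytes) -> Filter:
    """Dataset filter: keep frames carrying exactly `value` at byte `offset`."""
    return lambda frame: frame[offset:offset + len(value)] == value


def apply_filters(frames: List[Frame], *filters: Filter) -> List[Frame]:
    """Keep only frames that satisfy every supplied filter (filters AND together)."""
    return [fr for fr in frames if all(flt(fr) for flt in filters)]


# Constructed sample capture: a DNS query and its reply, and one HTTP segment.
SAMPLE_FRAMES = [
    build_frame("00:11:22:33:44:01", "00:11:22:33:44:ff", "192.168.1.10", "192.168.1.1", 17, 40000, 53),
    build_frame("00:11:22:33:44:ff", "00:11:22:33:44:01", "192.168.1.1", "192.168.1.10", 17, 53, 40000),
    build_frame("00:11:22:33:44:02", "00:11:22:33:44:ff", "192.168.1.20", "192.168.1.1", 6, 50000, 80),
]
```

The dataset filter at offset 23 (the IPv4 protocol byte) with value 0x11 selects the same UDP frames as the DNS protocol filter, which shows why dataset filters need a known header layout to construct.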

Typical Things to Watch
What types of trends are most interesting? Common things to watch include:
–Protocol distribution
–Top 10 most active devices
–Packet size distribution
–Utilization trends
–Packets per second trends
–Error packets
–Broadcast and multicast traffic

Common Problems to Look For
The network is experiencing excessive broadcasts
–Filter on all traffic to the broadcast address and find the most active device, the one that is broadcasting most often
–Then classify the broadcast types to determine their purpose

Common Problems to Look For
–Typically broadcast storms are caused either by a device performing an unsuccessful lookup or by a device blasting information out to all devices on the network
There is a large amount of unnecessary traffic on the network
–For example, unanswered routing queries and excessive watchdog or connection keep-alive sequences are just wasteful on the network

Common Problems to Look For
A client appears to have numerous failure replies
–Filter on packets to and from that client device to create a packet-by-packet view of what the client has been doing
–Perhaps the client mapped a resource to an incorrect location and cannot find what it is looking for there

Common Problems to Look For
An unusual amount of unknown or undecoded traffic is found on the network
–Consider filtering on some unique field value, such as the type field or the port field value
–You might find some proprietary communication going on

Common Problems to Look For
The network is slow
General Traffic
–Does anything stick out as strange?
Broadcasts
–Do periodic broadcast storms occur?
Multicasts
–Does the network have a multicast storm problem?
ICMP Packets
–Do any ICMP (Internet Control Message Protocol) packets indicate misconfigurations, loops, or services that are available only sporadically?

Common Problems to Look For
Protocol Distribution
–Is anything unexpected happening with the network protocols?
Client Boot-Up Sequences
–What happens when the client simply boots up?
–Do any severe slowdowns occur during the boot-up sequence?
Client Login Sequences
–What happens during the login process?
–Can I identify any slowdowns during the login sequence?
–How does the client get configured during this process?
–Do any errors occur?

Common Problems to Look For
Network File Transfer Times
–How much time does it take to copy a big file (at least 40 MB) across the network?
Internet Access Times
–What is the roundtrip time when users access the Internet?

Troubleshooting Procedure
The general procedure to follow is:
–Look at the typical latency between a client and a server to see if packets have a problem getting from one place to another. If the roundtrip LAN times are just a few microseconds or milliseconds there is no problem, but if slowness is seen with every request and reply set, or there are retransmissions or timeouts, then look at the infrastructure as a possible problem

Troubleshooting Procedure
–If most request and reply sets are quick, however, look for anomalies: sudden moments when the response time climbs unusually
–To do this, scroll through the summary of the boot-up and login sequence, looking at the delta time column to see if any sudden increases in response time can be seen
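The delta time walk described in this procedure, as an added example rather than anything from the slides or Sniffer Pro: it computes the delta time column over a capture summary, pairs each client request with its reply, and flags the one roundtrip that climbs far above the others. The summary rows, timestamps and the "client"/"server" labels are constructed, and the 10 ms floor and 10x-median factor are assumed thresholds.

```python
from statistics import median
from typing import List, Tuple

# Constructed capture summary: (absolute time in seconds, source, destination, summary text).
# Every request is answered within half a millisecond except the Read, which stalls 2.45 s.
SUMMARY = [
    (0.000000, "client", "server", "SMB Tree Connect request"),
    (0.000410, "server", "client", "SMB Tree Connect reply"),
    (0.000900, "client", "server", "SMB Open request"),
    (0.001300, "server", "client", "SMB Open reply"),
    (0.001800, "client", "server", "SMB Read request"),
    (2.451800, "server", "client", "SMB Read reply"),
    (2.452300, "client", "server", "SMB Close request"),
    (2.452700, "server", "client", "SMB Close reply"),
]


def delta_times(rows) -> List[float]:
    """The delta time column: seconds since the previous packet (0.0 for the first)."""
    out, prev = [], None
    for t, *_ in rows:
        out.append(0.0 if prev is None else t - prev)
        prev = t
    return out


def response_times(rows, client: str = "client") -> List[Tuple[int, float]]:
    """Pair each request from `client` with the next reply sent back to it and
    return (request row index, roundtrip seconds) for every completed pair."""
    result, pending = [], None
    for i, (t, src, dst, _) in enumerate(rows):
        if src == client:
            pending = (i, t)                      # a new request supersedes an unanswered one
        elif pending is not None and dst == client:
            result.append((pending[0], t - pending[1]))
            pending = None
    return result


def find_anomalies(rows, factor: float = 10.0, floor: float = 0.010) -> List[Tuple[int, float]]:
    """Flag request/reply pairs whose roundtrip is both above `floor` seconds and more
    than `factor` times the median roundtrip, i.e. a sudden jump rather than uniform slowness."""
    rt = response_times(rows)
    if not rt:
        return []
    typical = median(r for _, r in rt)
    return [(i, r) for i, r in rt if r > floor and r > factor * typical]


def report(rows) -> List[str]:
    """Render the summary with its delta column, marking the rows that answer a flagged request."""
    flagged = {i for i, _ in find_anomalies(rows)}
    lines = []
    for i, ((t, src, dst, text), delta) in enumerate(zip(rows, delta_times(rows))):
        mark = "  <-- slow reply" if i > 0 and (i - 1) in flagged else ""
        lines.append(f"{i:3d} {t:10.6f} {delta:9.6f} {src:>6} -> {dst:<6} {text}{mark}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SUMMARY)))
```

A uniformly slow sequence produces no anomaly here by design, which matches the first step of the procedure: that case points at the infrastructure, not at a single exchange.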

More Than This
There is much more to network analysis, but this is a start. There are several issues that must be dealt with when using a network analyzer, such as:

Problems
In the wrong hands these little guys are dangerous. Let's say a member of the cleaning crew plugs one in one night, then sets it to capture all of the traffic for the next day or two.

Problems
Or just lets it run while they are there. With all of the broadcasts, even on a network with no active users, much can be discovered. In general network analyzers cannot be detected, as they are passive devices.

Detecting Network Analyzers
To detect these you can run a program that scans for NICs set to promiscuous mode. The average NIC should not be set this way.
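One local form of the check this slide describes, added here as an example that is not from the slides: on a Linux host, each interface's flags are exposed in /sys/class/net/<interface>/flags, and the IFF_PROMISC bit (0x100 in linux/if.h) is set while a capture tool holds the NIC in promiscuous mode; `ip -o link` shows the same thing as a PROMISC flag. The sysfs tree and the `ip -o link` text below are constructed for offline use.

```python
import os
import tempfile
from typing import Dict, List

IFF_PROMISC = 0x100  # set in /sys/class/net/<iface>/flags while the NIC is promiscuous


def flags_are_promiscuous(flags_text: str) -> bool:
    """sysfs reports flags as hex text such as '0x1103'; test the IFF_PROMISC bit."""
    return bool(int(flags_text.strip(), 16) & IFF_PROMISC)


def promiscuous_interfaces(sysfs_root: str = "/sys/class/net") -> List[str]:
    """Scan every interface under sysfs_root and return those in promiscuous mode."""
    found = []
    for iface in sorted(os.listdir(sysfs_root)):
        path = os.path.join(sysfs_root, iface, "flags")
        try:
            with open(path) as fh:
                if flags_are_promiscuous(fh.read()):
                    found.append(iface)
        except (OSError, ValueError):
            continue  # not an interface entry, unreadable, or not a hex flags file
    return found


def parse_ip_link(output: str) -> Dict[str, bool]:
    """Parse `ip -o link` output into {interface name: PROMISC flag present}."""
    result = {}
    for line in output.splitlines():
        parts = line.split()
        if len(parts) < 3 or not parts[2].startswith("<"):
            continue
        name = parts[1].rstrip(":").split("@")[0]      # 'eth0:' or 'veth1@if5:' -> base name
        flags = parts[2].strip("<>").split(",")
        result[name] = "PROMISC" in flags
    return result


def make_sample_sysfs() -> str:
    """Build a constructed sysfs-like tree for offline testing: only eth1 is promiscuous.
    0x1003 = UP|BROADCAST|MULTICAST; 0x1103 adds IFF_PROMISC; 0x9 = UP|LOOPBACK."""
    root = tempfile.mkdtemp()
    for iface, flags in (("lo", "0x9"), ("eth0", "0x1003"), ("eth1", "0x1103")):
        os.makedirs(os.path.join(root, iface))
        with open(os.path.join(root, iface, "flags"), "w") as fh:
            fh.write(flags + "\n")
    return root


# Constructed, abbreviated `ip -o link` output for the same three interfaces.
SAMPLE_IP_LINK = (
    "1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN\n"
    "2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP\n"
    "3: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP\n"
)


if __name__ == "__main__":
    print("promiscuous (live sysfs):", promiscuous_interfaces())
    print("promiscuous (sample):", promiscuous_interfaces(make_sample_sysfs()))
```

This only inspects the host it runs on; a capturing machine elsewhere on the segment reveals nothing here, which is the passive-device point made on the previous slide.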

Sources
Several articles and books by Laura Chappell

For More Information
Introduction to Network Analysis, 2nd Edition
–Laura Chappell
–ISBN