1
Local Area Network Layer-2 Topology Mapping
Doron Peled, Michal Rimmer
Supervisor: Zigi Walter
Networked Software Systems Lab, Department of Electrical Engineering, Technion - Israel Institute of Technology
Winter semester 2009
2
Description
Goal: Determine the layer-2 topology of an unknown LAN.
Means: One end-point member of the LAN, without any special equipment.
The Challenge: Layer-2 equipment has no signature of its own in the LAN, so there is no known straightforward way to map the LAN’s layer-2 topology.
Our solution: A statistical estimation approach that we have developed. This approach is based on correlation measures that were used in the articles [1], [2].
[1] “Network Radar: Tomography from Round Trip Time Measurements”, Yolanda Tsang, Mehmet Yildiz, Paul Barford, Robert Nowak
[2] “Maximum Likelihood Network Topology Identification from Edge-based Unicast Measurements”, Mark Coates, Rui Castro, Robert Nowak
[Figure: source S and an unknown LAN with members a, b, c, d]
3
Our Solution – The Mathematical Concept
Estimate the shared path between every 2 members by finding statistical correlation between members of the LAN:
The solution is based on sending a large number of combinations to every possible pair of LAN members.
Each combination is 2 ICMP messages (pings) sent to 2 different members in the LAN.
The estimate of the path that 2 members of the LAN share is based on the RTT (Round Trip Time) data collected and analyzed by our tools.
By cross-analyzing all the gathered statistics, it is possible to estimate the topology of the LAN.
[Figure: nodes S, R, a, b, c, d; labels: Split Point, Shared Path between a and b]
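The correlation idea above, as an added Python example that is not the authors' Matlab analyzer. The topology, the link names, the delay model (independent exponential queueing delay per link, identical for both pings of a combination on shared links) and all function names are assumptions made for illustration.

```python
import itertools
import math
import random

# Constructed topology (assumption): prober S on root switch R;
# a and b hang off switch SW1, c and d off switch SW2.
PATHS = {
    "a": ("S-R", "R-SW1", "SW1-a"),
    "b": ("S-R", "R-SW1", "SW1-b"),
    "c": ("S-R", "R-SW2", "SW2-c"),
    "d": ("S-R", "R-SW2", "SW2-d"),
}

def simulate_pair(x, y, n, rng):
    """Constructed RTT samples for n back-to-back ping combinations to x and y.
    A link on both paths adds the same delay sample to both RTTs."""
    rtts_x, rtts_y = [], []
    links = sorted(set(PATHS[x]) | set(PATHS[y]))
    for _ in range(n):
        delay = {link: rng.expovariate(1.0) for link in links}
        rtts_x.append(sum(delay[l] for l in PATHS[x]))
        rtts_y.append(sum(delay[l] for l in PATHS[y]))
    return rtts_x, rtts_y

def pearson(xs, ys):
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((p - mx) * (q - my) for p, q in zip(xs, ys))
    var_x = sum((p - mx) ** 2 for p in xs)
    var_y = sum((q - my) ** 2 for q in ys)
    return cov / math.sqrt(var_x * var_y)

def correlation_table(n=2000, seed=1):
    """RTT correlation for every pair of members, one batch of combinations per pair."""
    rng = random.Random(seed)
    return {(x, y): pearson(*simulate_pair(x, y, n, rng))
            for x, y in itertools.combinations(sorted(PATHS), 2)}

def closest_member(host, table):
    """Member whose RTTs correlate most with host: estimated longest shared path."""
    scores = {(set(pair) - {host}).pop(): r for pair, r in table.items() if host in pair}
    return max(scores, key=scores.get)

if __name__ == "__main__":
    table = correlation_table()
    for pair, r in table.items():
        print(pair, round(r, 2))
    print({h: closest_member(h, table) for h in PATHS})
```

Under this delay model the correlation of a pair equals the fraction of path links the two members share, so members behind the same switch come out near 2/3 and members behind different switches near 1/3.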
4
Our Solution – The Software Tools
Packet Generator (we developed in C++, Linux): Prepares and sends the ICMP combinations rapidly. Designed to send the messages of each combination as close together as possible.
Wireshark Sniffer (Open Source in C++, Linux): Records all network traffic. For this solution we record only the ICMP protocol, using a built-in filter.
Parser (we developed in Perl, Linux): Parses the huge Wireshark output files into smaller files containing only the relevant information, in the right format for the Results Analyzer. It also filters out any packet that is not a ping or its response (“pong”) between the relevant members.
Results Analyzer (we developed in Matlab, Windows): Analyzes the data and presents the statistical results in tables and graphs.
5
Overview - source computer
[Diagram components: Wireshark (open source), Network Adapter, Packet Generator (C++), Output File, Parser (Perl), Output File, Statistics Analyze Function (Matlab). Legend: ONLINE Software Tools (“real time”), OFFLINE Software Tools, Hardware]
6
Examples and Results
Results: All the tools were examined and proved to be working correctly. The final results from all the experiments were inconclusive, yet they showed that our suggested approach is plausible.
[Figure: High RTT correlation for 2 members which share the same layer-2 switch in the LAN]
[Figure: Low RTT correlation for 2 members which are distant from each other in the layer-2 topology]