Upload: networksguy
Post on 29-Oct-2014
Category: Documents

TRANSCRIPT

Network Design & Troubleshooting
Systems & Network Management: 2007/08

Page 1: Network Design

In networking, scalability is the capability to grow and adapt without major redesign or reinstallation. Good design is the key to a network's capability to scale. To be scalable, a network design should follow a hierarchical model. A hierarchical design model simplifies network design in a similar way to how the OSI 7-layer protocol model simplifies communication between computers.

A hierarchical network design model breaks the complex problem of network design into smaller, more manageable problems.

Page 2: Hierarchical Model/Structure

[Figure: Hierarchical Model/Structure with Core Layer, Distribution Layer and Access Layer; labels include Public Networks, Building Backbone, Campus Backbone, Regional sites A, B, C and D, Local site, Remote sites, routers (R) and switches.]

Page 3: Layers in Hierarchical Structure

A hierarchical model/structure may include the following layers:
- Core layer: provides optimal transport between regional sites or at the network backbone.
- Distribution layer: provides policy-based connectivity.
- Access layer: provides workgroup and user access to the network resources.

Layered models are useful because they facilitate modularity. Since devices at each layer have similar and well-defined functions, administrators can easily add, replace or remove individual devices.

Page 4: Advantages of Hierarchical Model

Design & implementation:
- As each layer is assigned clear and specific functions, it is easier to choose the right systems and features for that layer. Implementation of each layer, and of the overall network, is simpler.
- Each layer addresses a different set of problems, so the hardware and software can be optimized for specific roles. Devices in the same layer can be configured in a consistent way.
- Modularity in network design helps in replicating design elements.
- Predictability: the behaviour of the network is more predictable, and capacity planning for growth is easier. Modelling of network performance is also made easier.

Page 5: Advantages of Hierarchical Model

Scalability:
- Functionality is localized and potential problems can be recognized more easily; hence the network can grow much larger without sacrificing control or manageability.
- Changes can be implemented more easily. The cost and complexity of an upgrade are limited to a subset of the overall network. In a large but flat network architecture, changes can affect many parts of the network.

Ease of troubleshooting:
- It is easier to isolate problems in a network when the functions of the individual layers are well defined.
- It is easier to identify failure points in a network by structuring the network into small, easy-to-understand elements.

Page 6: Traffic Flow in Hierarchical Model

A hierarchical model for network design is good for controlling data traffic patterns. With routers suitably placed in the network, unnecessary traffic will not flow from one layer to another layer. Together with a suitable placement of servers, traffic flow can be effectively controlled.

[Figure: routers (R) at Regional sites A, B and C connected over a WAN; Sites X, Y and Z attached below via switches, with a server at one of the sites.]

For example, when clients in site Z access their local server, the traffic will not go up to the regional router. Only when clients in site Z access servers in other sites will the traffic go up to the regional router and then down to the required site.

Page 7: Placement of servers

Placement of servers affects the traffic flow and hence the usage of link bandwidth. Some servers (like email servers) are frequently accessed by all clients in the network, while some servers (like file servers) only serve specific client groups. The former is referred to as an enterprise server and the latter as a workgroup server.

To avoid unnecessary traffic flow across layers and sites, which wastes network bandwidth:
- enterprise servers are better placed at a higher layer in the hierarchy;
- workgroup servers should be placed in the access layer.

Page 8: Core Layer

Typically, the Core layer provides connections between regional and main sites in a Wide Area Network (WAN). However, the core of a network does not have to exist in the WAN; a LAN backbone can also be part of the core layer. Gigabit Ethernet is a typical core layer technology.

The Core layer provides an optimized and reliable transport structure by forwarding traffic at very high speeds.

The Core layer routes/switches packets as fast as possible. Devices at the core layer should not be burdened with any processing that slows down the speed: no access-list checking, no data encryption, no address translation (NAT) at the Core layer.

Page 9: Features of routers at Core Layer

Scalable: routers at the Core layer should provide multiple modules for different media types (copper, fiber, etc.). Routers at the Distribution layer generally need fewer interfaces.

Features (for reliability) of routers at the Core layer:
- redundant symmetrical links
- redundant power supplies

Although many packet processing functions are not preferred in the Core layer, the most powerful routers should be used in the Core layer to provide high speed and reliable transport of data between regional sites.

Routers at the Distribution layer usually have a lower switching speed than routers at the Core layer because they handle less traffic.

Page 10: Core Layer - Load Balancing

To add bandwidth, either increase the bandwidth of the existing link or add additional links. The latter requires routers to provide a load balancing function. Load balancing/sharing can be per-destination (fast switching) or per-packet (process switching).

Per-destination load balancing: given two paths to the same network, all packets for one destination IP address will travel over the first path, all packets for a second destination will travel over the second path, and so on.

When the router switches the first packet to a particular destination, a routing table lookup is performed. The route and data-link information is stored in the fast switching cache. Subsequent packets to the same destination are immediately switched out of the same interface without performing another routing table lookup.

Page 11: Core Layer - Load Balancing

Per-packet load balancing means that the router sends one packet for a destination over the first path, the second packet for the same destination over the second path, and so on.

Per-destination vs per-packet load balancing:
- Per-packet load balancing may distribute traffic more evenly.
- Per-destination (fast switching) provides a lower switching time and lower processor utilization.
- Per-destination load balancing can preserve packet order.
- Per-packet load balancing guarantees equal load across all links. However, there is a potential for packets to arrive out of order at the destination, because differential delay may exist within the network.
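The trade-off on the two slides above, simulated as an added example that is not part of the lecture notes: a per-destination (cached path) and a per-packet (alternating path) scheduler over two equal-cost paths with different one-way delay, comparing link usage and packet order at the receiver. The delays, destinations and packet counts are constructed values.

```python
"""Added example, not from the lecture notes: simulate per-destination
(fast switching, cached path per destination) and per-packet (alternate
paths for every packet) load balancing over two equal-cost paths whose
one-way delays differ, then compare link usage and packet order at the
receiver. Delays, destinations and packet counts are constructed values."""
from collections import Counter
from itertools import cycle

# Constructed: two paths to the same network, path 2 is 3 ms slower.
PATH_DELAY_MS = {1: 10.0, 2: 13.0}

# Constructed flow: six packets to host A followed by two to host B,
# sent one every millisecond in sequence-number order.
SAMPLE_PACKETS = [(seq, "A") for seq in range(6)] + [(6, "B"), (7, "B")]


def per_destination(packets):
    """Fast switching: the path chosen for the first packet to a destination
    is cached and reused for every later packet to that destination."""
    cache = {}
    next_path = cycle(sorted(PATH_DELAY_MS))
    out = []
    for seq, dst in packets:
        if dst not in cache:          # routing-table lookup only on a cache miss
            cache[dst] = next(next_path)
        out.append((seq, dst, cache[dst]))
    return out


def per_packet(packets):
    """Process switching: successive packets alternate between the paths,
    even when they are headed for the same destination."""
    next_path = cycle(sorted(PATH_DELAY_MS))
    return [(seq, dst, next(next_path)) for seq, dst in packets]


def link_load(assignments):
    """Number of packets carried by each path."""
    return Counter(path for _, _, path in assignments)


def arrival_order(assignments, send_interval_ms=1.0):
    """Sequence in which packets reach the receiver, given each path's delay."""
    arrivals = []
    for i, (seq, dst, path) in enumerate(assignments):
        arrivals.append((i * send_interval_ms + PATH_DELAY_MS[path], seq, dst))
    arrivals.sort()
    return [(seq, dst) for _, seq, dst in arrivals]


def reordered_destinations(assignments):
    """Destinations whose packets arrive out of sequence order
    (the differential-delay problem of per-packet balancing)."""
    highest_seen = {}
    reordered = set()
    for seq, dst in arrival_order(assignments):
        if seq < highest_seen.get(dst, -1):
            reordered.add(dst)
        highest_seen[dst] = max(highest_seen.get(dst, -1), seq)
    return reordered
```

With the sample flow, per-destination puts six of the eight packets on path 1 but delivers everything in order, while per-packet splits the load 4/4 and delivers host A's packets out of sequence.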

Page 12: Core layer: Redundant Links

At the core layer, redundant links are needed to provide fault tolerance so that the network can withstand an individual link failure. Together with load balancing by the routers, link bandwidth is increased, response times are lowered and application availability is improved.

Multiple routers can be used to terminate dual links so that there is no single point of failure.

The main disadvantage of duplicating WAN links to each site is cost. In large networks, especially those using a star topology, many links are required. A lower-cost alternative is a partial/semi-meshed or ring topology.

[Figure: star topology with redundant links versus partial-mesh topology, both connecting nodes A, B, C and D.]

Page 13: Core layer: dedicated link & dial-up link

A reliable backbone may consist of dual dedicated links. Traffic load can be shared between the two links.

Another model is one dedicated link and one dial-up (switched) link. Under normal operating conditions, the dial-up link is not operational until the dedicated link fails. The dial-up link can also be set up when the dedicated link has reached a limit of traffic load (say 90%).

Page 14: Distribution Layer

The distribution layer provides policy-based connectivity. Packet manipulation and handling occur in this layer. A policy is an approach to handling certain kinds of traffic. Policies can be used to secure networks and to preserve resources by preventing unnecessary traffic.

The distribution layer is located between the access and core layers. This layer provides boundary definition, using access lists/filters to limit what gets into the core. Traffic filters based on area or service type are used to provide policy-based access control. Access lists/filters can be used to permit or deny traffic from particular networks/nodes or for particular protocols and applications. Access filters can be applied on incoming or outgoing ports.

If a network has two or more routing protocols, such as RIP and OSPF, route redistribution is done at the distribution layer.
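The access-list behaviour described above, as an added example that is not part of the lecture notes: an ordered list evaluated first-match with an implicit deny at the end, applied to traffic entering the core from the access side, plus a check for rules that an earlier rule fully shadows (a common source of filters that silently never apply). The addresses, ports and rules are constructed sample values.

```python
"""Added example, not from the lecture notes: an ordered access list with
first-match semantics and an implicit deny at the end, applied to traffic
entering the core from a distribution-layer interface, plus a check for
rules that can never match because an earlier rule shadows them.
Addresses, ports and rules are constructed sample values."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" (any protocol), "tcp", "udp", "icmp"
    src: str                    # CIDR; "0.0.0.0/0" means any source
    dst: str                    # CIDR; "0.0.0.0/0" means any destination
    dport: Optional[int] = None  # None means any destination port

    def matches(self, pkt):
        proto_ok = self.proto == "ip" or self.proto == pkt["proto"]
        port_ok = self.dport is None or pkt.get("dport") == self.dport
        return (proto_ok and port_ok
                and ip_address(pkt["src"]) in ip_network(self.src)
                and ip_address(pkt["dst"]) in ip_network(self.dst))


# Constructed policy on the distribution router, inbound from the access
# side (10.20.0.0/16): workgroups may reach the enterprise mail server and
# HTTPS anywhere over the core, but not the core management network.
INBOUND_ACL = [
    Rule("deny",   "ip",  "10.20.0.0/16", "10.0.0.0/24"),       # core management net
    Rule("permit", "tcp", "10.20.0.0/16", "10.1.1.25/32", 25),  # enterprise mail server
    Rule("permit", "tcp", "10.20.0.0/16", "0.0.0.0/0", 443),    # HTTPS via the core
    Rule("permit", "tcp", "10.20.5.0/24", "10.1.1.25/32", 25),  # never reached: rule 1 covers it
    # implicit deny follows the last rule
]


def evaluate(acl, pkt):
    """First matching rule wins; anything unmatched is dropped.
    Returns (action, index of the matching rule or None for implicit deny)."""
    for idx, rule in enumerate(acl):
        if rule.matches(pkt):
            return rule.action, idx
    return "deny", None


def shadowed_rules(acl):
    """Indices of rules fully covered by some earlier rule, so they can never
    match. Only full coverage is detected; partial overlaps are not flagged."""
    def covers(earlier, later):
        return ((earlier.proto == "ip" or earlier.proto == later.proto)
                and (earlier.dport is None or earlier.dport == later.dport)
                and ip_network(later.src).subnet_of(ip_network(earlier.src))
                and ip_network(later.dst).subnet_of(ip_network(earlier.dst)))
    return [j for j, later in enumerate(acl)
            if any(covers(earlier, later) for earlier in acl[:j])]
```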

Page 15: Access Layer

This layer provides access to services and data: servers and workstations are attached to this layer. For quick access to local services, workgroup servers and printers are placed in the access layer.

Using VLANs, users can be grouped according to their logical function.

Access routers generally offer fewer physical interfaces than distribution and core routers. Access routers generally connect to access switches for user access to the network.

Provide connectivity: remote users access the network through WAN services such as ISDN or Frame Relay; local users access it through Ethernet.

The access layer performs network entry security control. Routers at the access layer permit/deny users. Authenticating users prevents unauthorized users from accessing the network.

Page 16: Three-layer, Two-layer, One-layer

A three-layer model can meet the needs of many enterprise networks. But not all organizations require a three-layer structure. In many cases, one-layer and two-layer designs are suitable. The way the layers are implemented depends on the needs of the network being designed. However, a hierarchical structure should be planned or maintained to allow for future expansion. A two-layer structure may expand into a three-layer one.

Page 17: Campus Networks: broadcast issue

Campus networks usually cover a building or several buildings in close proximity to each other.

Two major problems with traditional networks are availability and performance. These two problems are both impacted by the amount of bandwidth available. Broadcast-type traffic can consume a lot of bandwidth and therefore affect network performance.

Two methods can address the broadcast issue for large switched LANs:
- Use routers to create many subnets and limit broadcasts within individual subnets. This may create a traffic bottleneck at the routers.
- Implement virtual LANs (VLANs) in the switched network. VLANs provide various advantages: better bandwidth utilization, better security and easier administration (adding/moving computers in VLANs).

Page 18: Network Traffic Pattern

The 80/20 rule states that 80 percent of the traffic on a given network segment is local. No more than 20 percent of the network traffic moves across the backbone of the network.

In today's networks, traffic patterns are moving toward the 20/80 model. In the 20/80 model, only 20 percent of traffic remains local to the workgroup LAN, and 80 percent of the traffic leaves the local network. Contributing factors to this shift in traffic patterns include:
- The Internet
- Server farms

As the majority of traffic leaves the local network segment, congestion (a traffic bottleneck) may occur at routers at the distribution layer.

Page 19: LAN Switching and The Hierarchical Model

Access Layer: provides access-layer aggregation and L3/L4 services
Distribution Layer: provides policy-based connectivity
Core Layer: provides optimal connectivity between distribution blocks

[Figure: Switch Block 1 and Switch Block 2, each with Access Layer and Distribution Layer switches, connected to a Core Block of Core Layer switches.]

Page 20: Network Building Blocks

Network building blocks may include the following:
- Switch block
- Core block
- Server block
- WAN block
- Mainframe block
- Internet connectivity

A switch block provides switch and router functionality. A switch block provides Access Layer and Distribution Layer functions.

Page 21: Switch Block

Access Layer:
- Switches in the wiring closets connect users to the network.
- Access layer devices have redundant connections to the distribution layer device to provide fault tolerance.
- Spanning-Tree Protocol (STP) is required in the access layer switches.

Distribution Layer:
- Switches/routers provide broadcast control, security and connectivity for each switch block.
- The distribution layer device provides switching and routing services.
- A distribution layer device can be a switch plus an external router.
- A distribution layer device can also be a multilayer switch.

Page 22: Core Block

[Figure: Dual Core versus Collapsed Core, each connecting several Switch Blocks.]

Page 23: Core Block

A core is required when there are two or more switch blocks. The core block is responsible for transferring traffic between switch blocks at high speed. Traffic between switch blocks, server blocks, the Internet, and the wide-area network must pass through the core.

The core block must be able to pass traffic as quickly as possible. One or more switches can make up a core. To provide redundancy, at least two devices shall be present in the core.

With a Collapsed Core, distribution and core layer functions are performed in the same device. There is no separate core block. The distribution layer (DL) device of one switch block is connected directly to the DL device of another switch block, without a separate core layer device in between.

With a Dual Core, each switch block is redundantly linked to both core switches, providing two equal-path links and twice the bandwidth.

Page 24: Scalable Network – Key Characteristics

- Reliable and available: a reliable network should be dependable and available.
- Responsive: a responsive network should provide Quality of Service (QoS) for various applications and protocols.
- Efficient: large internetworks must optimize the use of resources, especially bandwidth. Reducing the amount of overhead traffic results in an increase in data throughput.
- Adaptable: an adaptable network is capable of accommodating disparate protocols, applications, and hardware technologies.
- Accessible but secure: an accessible network allows different types of connections while securing network integrity.

Page 25: Reliable and Available Network

In a highly reliable and available network, fault tolerance and redundancy make outages and failures invisible to the end user. Devices and telecommunication links can be very expensive; however, the cost when a core router/link goes down can be much higher.

Reliability can be expressed as Mean Time Between Failures (MTBF).

Availability can be expressed as a percentage of the time when the service is available, e.g. the service is available 99.9% of the day.

A reliable system may have high availability. High availability systems can also be built from less reliable components if a good fault-tolerant mechanism is used.

Core routers maintain reliability and availability. The following features can enhance reliability and availability: scalable routing protocols, alternative paths, load balancing and dial backup.
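The MTBF and availability figures above, worked through as an added example that is not part of the lecture notes: it computes availability from MTBF and MTTR and shows how two less reliable links in parallel can exceed one premium link, which is the slide's point about fault tolerance. It assumes the standard steady-state relation A = MTBF / (MTBF + MTTR) and independent failures; all MTBF/MTTR figures are constructed.

```python
"""Added example, not from the lecture notes: availability worked out from
MTBF and MTTR, and how redundancy (alternate paths) can give a higher
availability from less reliable components than one premium link.
Assumes the usual steady-state relation A = MTBF / (MTBF + MTTR) and
independent failures; all MTBF/MTTR figures are constructed."""

HOURS_PER_YEAR = 24 * 365


def availability(mtbf_hours, mttr_hours):
    """Fraction of time one component is in service."""
    return mtbf_hours / (mtbf_hours + mttr_hours)


def series(*avail):
    """Every component must work, e.g. access switch, distribution router
    and core link in a row: the availabilities multiply."""
    a = 1.0
    for x in avail:
        a *= x
    return a


def parallel(*avail):
    """Service survives while at least one path works (redundant links):
    the unavailabilities multiply."""
    unavail = 1.0
    for x in avail:
        unavail *= 1.0 - x
    return 1.0 - unavail


def downtime_hours_per_year(a):
    """Expected outage per year for availability a (99.9% is 8.76 h)."""
    return (1.0 - a) * HOURS_PER_YEAR


def compare():
    """Constructed comparison: one premium dedicated link versus two cheaper
    links with load sharing, with and without the core router in series."""
    premium_link = availability(mtbf_hours=8760, mttr_hours=8)
    cheap_link = availability(mtbf_hours=2000, mttr_hours=24)
    core_router = availability(mtbf_hours=20000, mttr_hours=4)
    return {
        "single_premium": premium_link,
        "single_cheap": cheap_link,
        "dual_cheap": parallel(cheap_link, cheap_link),
        "dual_cheap_via_router": series(core_router, parallel(cheap_link, cheap_link)),
    }
```

Note that the gain from the dual links is capped by whatever is left in series with them, which is why the slides also ask for multiple routers to terminate dual links.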

Page 26: Reliable & Available Network

Scalable routing protocols: routers in the core of a network should converge rapidly and maintain reachability to all networks and subnetworks. Simple distance vector routing protocols, such as RIP, take too long to update and adapt to topology changes.

Alternate paths: redundant links maximize network reliability and availability, but they are expensive to deploy.

Load balancing: redundant links do not necessarily remain idle until a link fails. Routers can distribute the traffic load across multiple links to the same destination.

Dial backup: a redundant link could be too expensive. A backup link can be configured over a dial-up technology, such as ISDN.

Page 27: Responsive Network

End users notice network responsiveness as they use the network; users expect network resources to respond quickly.

Traffic prioritization enables policy-based routing and ensures that packets carrying mission-critical data take precedence over less important traffic.

To improve responsiveness in a congested network, routers may be configured to prioritize certain kinds of traffic based on protocol information, such as TCP port numbers.

If the router schedules packets for transmission on a first-come, first-served basis (First-In-First-Out, FIFO queuing), users could experience an unacceptable lack of responsiveness. A user sending delay-sensitive voice traffic may be forced to wait too long. The delay problem is even more serious on slow WAN links.

Page 28: Responsive Network: Traffic Prioritization & Queuing

Routers may be configured to reorder packets so that mission-critical and delay-sensitive traffic is processed first. Higher priority packets are sent first even if other, low priority packets arrived ahead of them.

Priority Queuing: assigns different priorities (high, medium, normal, low) to different protocols according to various criteria. Traffic classified as low priority might not get serviced in a timely manner, or at all.

Custom Queuing: reserves bandwidth for a specific protocol, ensuring that a minimum amount of bandwidth is provided to the protocol. Configuration may include: specifying the maximum number of packets in each custom queue; specifying the amount of data to be forwarded from each queue during its turn in the cycle.
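The three schedulers from the last two slides, simulated as an added example that is not part of the lecture notes: FIFO, priority queuing (strict priorities) and custom queuing (round-robin with a byte count per queue) draining the same backlog on a slow serial link, so the completion time of voice and bulk packets can be compared. The link speed, packet sizes, classes and byte counts are constructed values.

```python
"""Added example, not from the lecture notes: simulate FIFO, priority
queuing (strict priorities, highest queue always drained first) and custom
queuing (round-robin with a byte count per queue) on a slow serial link,
and compare when delay-sensitive and low-priority packets complete.
Link speed, packet sizes, classes and byte counts are constructed values."""
from collections import deque

LINK_BPS = 64_000                       # constructed: 64 kbit/s WAN link
PRIORITY_ORDER = ["high", "medium", "normal", "low"]

# Constructed backlog waiting when the link becomes free: (id, class, bytes).
# Two bulk-transfer packets arrived first, then ten small voice packets.
BACKLOG = [(1, "low", 1500), (2, "low", 1500)] + \
          [(i, "high", 160) for i in range(3, 13)]

# Constructed custom-queuing byte counts: bytes each queue may send per turn.
BYTE_COUNT = {"high": 320, "medium": 400, "normal": 600, "low": 1500}


def tx_time(nbytes):
    """Serialization delay of one packet on the link, in seconds."""
    return nbytes * 8 / LINK_BPS


def _completion_times(order):
    """Time at which each packet finishes leaving the link, sent back to back."""
    t, done = 0.0, {}
    for pid, _, size in order:
        t += tx_time(size)
        done[pid] = t
    return done


def _by_class(backlog):
    return {c: deque(p for p in backlog if p[1] == c) for c in PRIORITY_ORDER}


def fifo(backlog):
    """First-come, first-served: arrival order is transmission order."""
    return _completion_times(backlog)


def priority_queuing(backlog):
    """Strict priority: always send from the highest non-empty queue, so a
    lower queue is serviced only when every higher queue is empty."""
    queues, order = _by_class(backlog), []
    while any(queues.values()):
        for cls in PRIORITY_ORDER:
            if queues[cls]:
                order.append(queues[cls].popleft())
                break
    return _completion_times(order)


def custom_queuing(backlog, byte_count):
    """Round-robin: each queue sends up to byte_count[cls] bytes per turn,
    which reserves a minimum share of the link for every class. A packet
    that starts within the budget is sent whole."""
    queues, order = _by_class(backlog), []
    while any(queues.values()):
        for cls in PRIORITY_ORDER:
            budget = byte_count[cls]
            while queues[cls] and budget > 0:
                pkt = queues[cls].popleft()
                order.append(pkt)
                budget -= pkt[2]
    return _completion_times(order)


def worst_completion(times, backlog, cls):
    """Latest completion time among the packets of one class."""
    return max(times[pid] for pid, c, _ in backlog if c == cls)
```

With this backlog the first voice packet waits 395 ms under FIFO but 20 ms under either priority or custom queuing; the difference is that priority queuing holds the first bulk packet back until all voice has gone, while custom queuing still sends it after two voice packets.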

Page 29: Efficient Network

An efficient network should not waste bandwidth, especially over costly WAN links. To be efficient, routers should prevent unnecessary traffic from traversing the WAN and minimize the size and frequency of routing updates.

Techniques that optimize a WAN connection:
- Access lists: filtering/stopping unwanted traffic
- Snapshot routing
- Dial-on-Demand Routing
- Compression over WANs
- Incremental updates: routing protocols such as OSPF send routing updates that contain information only about routes that have changed.

Page 30: Efficient Network - DDR

With Dial-on-Demand Routing (DDR), low-volume, periodic network connections can be made over a switched network (such as ISDN or the PSTN) in a cost-effective way.

A router activates the DDR feature when it receives an IP packet destined for a location on the other side of the dial-up line.

The router dials the destination phone number and establishes the connection. When the transmission is complete, the line is automatically disconnected.

The main difference between dial backup and DDR is the reason for placing the call. With DDR, traffic to the called destination activates the link. With dial backup, the link is activated as a result of a primary line failure or because the utilization of the primary link has reached a predefined level.

Page 31: Efficient Network - Snapshot routing

Distance vector routing protocols typically update neighbour routers with their complete routing table periodically, even when there is no change in the network topology. Such regular updates would cause a dial-up link to be re-established just to maintain the routing tables. It is possible to adjust the timers, but snapshot routing is a better solution.

With snapshot routing, routers exchange their routing tables during an initial connection. The router then waits until the next active period on the line before exchanging routing information again.

The router takes a snapshot of the routing table, which it uses while the dial-up link is down. When the link is re-established, the router again updates its neighbours.

Page 32: Making a network adaptable

An adaptable network will handle the addition and coexistence of multiple routed and routing protocols.

Adaptable protocols are needed to support routing information for different routed protocols.

Adaptable protocols and routers also support route redistribution, which allows routing information to be shared among two or more different routing protocols. For example, RIP routes could be redistributed, or injected, into an OSPF area.

Page 33: Accessible and secure

Accessible networks let users connect over a variety of technologies. Users may be connected through a wired or wireless LAN. Remote users/sites may have access to several types of WAN services:
- Circuit-switched networks that use dial-up lines
- Dedicated networks that use leased lines
- Packet-switched networks
- VPN over the Internet

The easier it is for legitimate users to access the network, the easier it is for unauthorized users to break in. The network administrator must secure the access. Access lists can be used to provide security. Authentication and encryption should be used.

Page 34: Accessible and secure

A RADIUS client, also referred to as a Network Access Server (NAS), provides the remote connections for users. A RADIUS client is typically a router, a VPN server/router or a wireless access point. A RADIUS server performs authentication, authorization and accounting functions.

A VPN is the extension of a private network that uses links across the Internet. With a VPN, data sent between two computers across the public Internet is encrypted for confidentiality. Hence, it is just like sending data over a point-to-point private link.

IPSec is a set of protocols for creating and maintaining secure communications over IP networks. Many VPNs are based on IPSec.

SSL can be used to implement a VPN. SSL-based VPNs typically only require standard web browsers.

Page 35: Accessible and Secure - WLAN

Security problems with early WLAN systems (WEP-based IEEE 802.11):
- Open system authentication; the SSID is sent in clear text
- Wired Equivalent Privacy (WEP)

Wi-Fi Protected Access (WPA) addresses the problems in WEP. WPA uses the Temporal Key Integrity Protocol (TKIP) for encryption and IEEE 802.1X/EAP for authentication. WPA2 uses the Advanced Encryption Standard (AES).

IEEE 802.1X is based on the use of an authentication server (e.g. RADIUS) for user management and the Extensible Authentication Protocol (EAP) for secured communication.

Page 36: Troubleshooting

Troubleshooting begins by looking at a methodology that breaks down the process of troubleshooting into manageable pieces. This permits a systematic approach, minimizes confusion, and cuts down on time otherwise wasted with trial-and-error troubleshooting.

The stages of the general troubleshooting process are:
- Step 1: gather symptoms
- Step 2: isolate the problem
- Step 3: correct the problem

The stages are not mutually exclusive. At any point in the process, it may be necessary to retrace to previous steps. For example, it may be necessary to gather more symptoms while isolating a problem. Often, when attempting to correct a problem, another unidentified problem could be created.

Page 37: Gather Symptoms

The troubleshooter gathers and documents symptoms from the network, end systems, or users.

The troubleshooter determines what network components have been affected and how the functionality of the network has changed compared to the baseline.

Symptoms may appear in many different forms: alerts from the network management system, console messages, and user complaints.

Page 38: Gathering Symptoms

- The problem is reported by a person or by software.
- It often involves communicating with others.
- It is like gathering requirements in software design.
- It is an iterative process.

Possible questions to ask:
- What does not work? What does work? Are these things related?
- When was the problem first noticed?
- What has changed since the last time it did work?
- Did anything unusual happen?
- When exactly does the problem occur?

Page 39: Isolation & Correcting Problems

Isolation of the problem:
- Identify the characteristics of the problem at the logical layers of the network so that the most likely cause can be selected.
- At this stage, it may be necessary to gather and document more symptoms, depending on the problem characteristics that are identified.

Correct the problem:
- Correct an identified problem by implementing, testing, and documenting a solution.
- Make a change to only one thing at a time. Gather results as you change each variable.
- Perform each step carefully and test to see if the symptoms go away.
- If the corrective action has created another problem, the attempted solution is documented and the changes are removed. Then return to gathering symptoms and isolating the problem.

Page 40: Layered Approach

The OSI model is useful in troubleshooting networks. The model allows troubleshooting to be described in a structured way.

The ability to identify which layers pertain to a networking device gives a troubleshooter the ability to minimize the complexity of a problem by dividing the problem into manageable parts.

For example, knowing that Layer 3 issues are of no importance to a switch defines the boundaries of the task to layer 1 and layer 2. This simple knowledge can prevent time being wasted troubleshooting irrelevant possibilities and will reduce the amount of time spent attempting to correct a problem.

Page 41: Bottom-up

When applying a bottom-up approach to troubleshooting a networking problem, the examination starts with the physical components of the network and then works up through the layers of the OSI model until the cause of the problem is identified.

Advantages: most networking problems reside at the lower layers, so this approach will often produce effective results.

Disadvantages: it requires checking every device and interface on the network until the possible cause of the problem is found. The challenge is to determine which devices to start with.

Page 42: Top-down

When applying a top-down approach to troubleshooting a networking problem, the end-user application is examined first. Then work down from the upper layers of the OSI model until the cause of the problem has been identified.

This approach requires checking every network application until the possible cause of the problem is found. The challenge is to determine which application to start with.

Page 43: Divide and conquer

When the divide-and-conquer approach is applied to troubleshooting a networking problem, a layer is selected and tested in both directions from that starting layer.

This approach is initiated at a particular layer. The layer chosen is based on the troubleshooter's experience level and the symptoms gathered about the problem.

Once the direction of the problem is identified, troubleshooting follows that direction until the cause of the problem is identified.

If it can be verified that a layer is functioning, it is quite safe to assume that the layers below it are functioning as well. If a layer is not functioning properly, gather symptoms of the problem at that layer and work downward to the lower layers.


Selecting an approach

A troubleshooting approach is often selected based on the complexity of the problem.

A bottom-up approach typically works better for complex problems.

If symptoms come from users complaining about specific network application(s), a top-down approach may be preferred.

If symptoms come from the network (e.g. network monitor display, alarm/warning message from devices), a bottom-up approach will likely be more effective.

If a particular problem has been experienced previously, then the troubleshooter may know of a way to shorten the troubleshooting process.


Documentation

Keep an inventory of equipment and software, such as a list of MAC addresses and IP addresses.

Keep a record of changes (a change log file), recording each significant change and each problem identified, with each entry dated and carrying the name of the person who made it.

Types of documentation: configuration information that describes the system (for example, sysreport used in Linux), and procedural information that describes how to do things. Best, use tools (such as script) that automatically document what you have done.


Monitoring and Logging

Event logs are useful for troubleshooting and monitoring performance. An event (an entry in the log file) may include details such as the date and time when it occurred, event ID, event category, etc. In Windows systems, event categories include application, security, system, etc.

Performance monitor keeps track of various processes. It helps identify bottlenecks, and it helps with planning upgrades, tracking processes, monitoring the results of tuning/configuration, etc. Bottlenecks could be due to the system not having enough resources, a malfunctioning program, or a program that dominates a resource.

Performance monitoring can be done locally or remotely. When the value of a monitored object exceeds its limit, an action is required: record the event in a log file, send a message, execute a script, etc.


Logging

The syslog.conf file specifies rules for logging of system messages on Linux/Unix systems. Each rule consists of two fields: a selector and an action.

The selector field consists of two parts, a facility and a priority. The facility specifies the subsystem that produced the message. Examples of facilities: auth, authpriv, cron, daemon, kern, lpr, mail, news, syslog, user, uucp and local0 through local7.

The priority defines the severity of the message. Examples of priorities in ascending order: debug, info, notice, warning, err, crit, alert, emerg.

Examples of actions: write the message to a file on the local host, forward the message to another host, or write the message to users' screens if they are logged on.
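An added example (not from the lecture notes) that parses a small constructed syslog.conf fragment and works out which actions a message with a given facility and priority triggers. It follows the classic syslogd reading of a selector: "facility.priority" matches that priority and every more severe one, "*" is a wildcard, and a later "none" for the same facility switches it off again. The "=" and "!" modifiers of some syslogd versions are not modelled.

```python
PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
FACILITIES = ["auth", "authpriv", "cron", "daemon", "kern", "lpr", "mail", "news",
              "syslog", "user", "uucp"] + [f"local{i}" for i in range(8)]

# Constructed syslog.conf fragment used as sample input (not from the notes).
SAMPLE_CONF = """
# comments and blank lines are ignored
*.info;mail.none;authpriv.none    /var/log/messages
authpriv.*                        /var/log/secure
mail.*                            -/var/log/maillog
kern.crit                         @loghost
*.emerg                           *
"""

def parse_rules(text):
    """Return [(sub_selectors, action)], sub_selectors = [([facility, ...], priority)]."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        selector, action = line.split(None, 1)
        parts = []
        for sel in selector.split(";"):
            facilities, priority = sel.rsplit(".", 1)
            parts.append((facilities.split(","), priority))
        rules.append((parts, action.strip()))
    return rules

def selector_matches(parts, facility, priority):
    """Sub-selectors are applied left to right; the last one naming the
    facility decides (this is how '*.info;mail.none' silences mail)."""
    level = PRIORITIES.index(priority)
    verdict = False
    for facilities, prio in parts:
        if "*" in facilities or facility in facilities:
            if prio == "none":
                verdict = False
            elif prio == "*":
                verdict = True
            else:
                verdict = level >= PRIORITIES.index(prio)  # this priority and above
    return verdict

def actions_for(rules, facility, priority):
    """All actions a message with this facility/priority would be sent to."""
    if facility not in FACILITIES or priority not in PRIORITIES:
        raise ValueError(f"unknown selector part: {facility}.{priority}")
    return [action for parts, action in rules if selector_matches(parts, facility, priority)]
```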


Logging Policies

Data logged should be kept for a period rather than deleted immediately.

Log files could be reset at periodic intervals. Data logged can be kept for a period by "rotating" log files. For example, log files are kept for a week: backup files are named logfile.1, logfile.2, … logfile.6. Every day, the data in logfile.7 is lost as logfile.6 overwrites it.

To store logged data for a longer period, compress and archive the logs to tape or other permanent media.
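The numbered rotation scheme above, as an added example that is not part of the lecture notes. It keeps logfile.1 through logfile.6, discards the copy that would become logfile.7 on each rotation, and simulates eight daily rotations on constructed data in a temporary directory so that you can see which days survive the week.

```python
import os
import shutil
import tempfile

KEEP = 6  # numbered backups logfile.1 .. logfile.6 are retained

def rotate(path, keep=KEEP):
    """Shift logfile.N to logfile.N+1 (oldest first), move the live file to
    logfile.1 and start a fresh live file. Returns the name of the file whose
    data was lost, or None if nothing fell off the end yet."""
    oldest = f"{path}.{keep}"
    lost = None
    if os.path.exists(oldest):
        lost = oldest            # this copy would have become logfile.7
        os.remove(oldest)
    for n in range(keep - 1, 0, -1):
        src = f"{path}.{n}"
        if os.path.exists(src):
            os.replace(src, f"{path}.{n + 1}")
    if os.path.exists(path):
        os.replace(path, f"{path}.1")
    open(path, "a").close()      # a real daemon must reopen the file (e.g. on HUP)
    return lost

def simulate_week(days=8):
    """Write one constructed entry per day and rotate daily; return the
    retained files as (name, content) pairs, sorted by name."""
    tmp = tempfile.mkdtemp()
    log = os.path.join(tmp, "logfile")
    try:
        for day in range(1, days + 1):
            with open(log, "a") as f:
                f.write(f"day {day} constructed entry\n")
            rotate(log)
        surviving = []
        for name in sorted(os.listdir(tmp)):
            with open(os.path.join(tmp, name)) as f:
                surviving.append((name, f.read().strip()))
        return surviving
    finally:
        shutil.rmtree(tmp)
```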


Troubleshooting TCP/IP network

Step 1. Check whether the local host is properly configured: are the subnet mask and default gateway correct? Use TCP/IP utilities such as ipconfig, netstat, route print, arp, etc.

Step 2. Use the ping or traceroute commands to check whether the default gateway (router) can respond. Then ping outwards, i.e. ping hosts farther away.

Step 3. If not able to get through a particular node (router), check its configuration (show running-config) and use various show commands to determine its state (e.g. show ip route, show interface).

Step 4. If all the routers in the path are working, check the host configuration at the remote host.


Useful tools

netstat – shows connections, services, routing
ifconfig – shows network interfaces (for Windows, use ipconfig)
ping – tests connectivity
traceroute – shows route/path information
route – shows, changes routing table
ip – shows, changes, sets network configuration
arp – shows MAC addresses
ps – information about processes; is the web server running? ps aux | grep httpd
top – shows processes that use the most resources (CPU time); for Windows, use the task manager


netstat

netstat can show statistics about network interfaces, including the number of packets/bytes sent/received, etc. These values are cumulative (since the interface came up).

netstat -tua shows all network connections, including those listening.
netstat -tu shows only connections that are established.
netstat -i is like ifconfig, showing info and stats about each interface.
netstat -nr shows the routing table, like route -n.
Linux and Windows provide netstat.


ipconfig/ifconfig and route

ipconfig (Windows), ifconfig (Linux):
Check interface status: connected or disconnected.
Check IP address and subnet mask.
Check default gateway and DNS settings.

route:
Check the route table in the computer – route print.
Check the route table in the router – show ip route. Helps in checking routing protocols.
Can modify the route table by adding static routes and a default route.


Ping

A useful tool for checking connectivity. Sends an ICMP echo_request message and waits for an ICMP echo_reply message. Shows the round-trip time. Can be used to make a rough measurement of throughput.

If a ping is not successful, the following error messages may help understand what is wrong.

Destination Network Unreachable – there is no route to the destination in the route table of the local host or the router. This may happen if the default gateway is not properly assigned to the computer. For routers, this may be due to problems related to routing protocols or static/default routes.

Request Timeout – the echo_request message has been sent out by the local host, but there is no reply, possibly due to a connectivity problem or because the remote host is not available.


Path Discovery: traceroute

As the name suggests, traceroute (in Windows, tracert) provides information about the route from the source to the destination.

Ping can test connectivity between two points, but it does not tell which path is taken by the ICMP packets.

Why bother to know which path is taken? For example, verify that a BGP router is sending traffic with the preferred route.


Rough measurement with ping

Transmission delay – time to put the signal onto the media.
Propagation delay – time for the signal to travel across the media.
Queuing delay – time spent waiting for transmission in a router/switch.

Rough measurement with ping:
Ping with packet size = 100 bytes, round-trip time = 2Y sec.
Ping with packet size = 1100 bytes, round-trip time = 2X sec.
A rough estimation of data throughput is: 8000/(X-Y) bps.

Measurement with ping is simple, BUT it may not be accurate; for example, routers may give lower priority to answering pings.
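Where the 8000/(X-Y) figure comes from, as an added derivation that is not part of the original slides. It assumes a symmetric path and a one-way delay that is linear in the packet size L (bytes), with d collecting the size-independent propagation and queuing delay and B the throughput in bit/s:

$$
T(L) = d + \frac{8L}{B}, \qquad \mathrm{RTT}(L) \approx 2\,T(L)
$$

$$
\mathrm{RTT}(1100) - \mathrm{RTT}(100) = 2X - 2Y = \frac{2 \cdot 8\,(1100 - 100)}{B} = \frac{16000}{B}
\;\Longrightarrow\; X - Y = \frac{8000}{B}
\;\Longrightarrow\; B = \frac{8000}{X - Y}\ \text{bit/s}
$$

The constant delay d cancels, which is why only the difference of the two round-trip times matters, and X - Y is the one-way delay difference. Two points to keep in mind: if X and Y are read from ping in milliseconds, 8000/(X-Y) is in kbit/s; and over several store-and-forward hops the size-dependent term is 8L \sum_i 1/B_i, so the estimate is 1/\sum_i (1/B_i), which is at most the rate of the slowest link on the path.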


What is Packet Capture?

Real-time collection of data as it travels over networks. Works by putting the network interface into promiscuous mode, in which it examines all packets that arrive, even those not addressed to it. A normal Ethernet interface will ignore packets not addressed to it.

See what client and server are actually communicating with each other. Can analyze type of traffic on network.

Tools called: packet sniffers, packet analysers, protocol analysers, network monitors.

Do not capture packets without permission! Do not invade the privacy of others. Permission should be obtained before capturing packets on the network.


tcpdump

Be careful not to invade the privacy of others. Do not capture packets without permission!

Filters can be used to select addresses, protocols, port numbers, ...

Show all network traffic to and from 192.168.0.1: tcpdump host 192.168.0.1
Show packets to 192.168.0.1: tcpdump dst 192.168.0.1
Show packets to port 68 on 192.168.0.1: tcpdump dst 192.168.0.1 and port 68
Capture traffic to or from 172.19.64.0/18: tcpdump net 172.19.64.0/18
Can specify a network as source or destination: tcpdump src net 205.153.60/24 or tcpdump dst net 172.19.64/18


tcpdump - filter

Can specify the protocol: tcpdump ip, tcpdump tcp, tcpdump ip proto ospf
This will catch DNS name lookups: tcpdump udp port 53
This will not work as you might expect: tcpdump host ictlab and udp or arp
In the filter language "and" binds more tightly than "or", so that filter means (host ictlab and udp) or arp, and the shell would also try to interpret any parentheses you type. Instead, you need to group with parentheses and quote the whole filter: tcpdump "host ictlab and (udp or arp)"
To see more ways of filtering, look at the manual: man tcpdump


Ethereal

Ethereal can read data captured by tcpdump.
Ethereal can capture data itself.
Like tcpdump, various types of filters can be used with Ethereal.
Can expand any protocol and view details of protocols at different layers: data frames, IP packets, TCP/UDP segments, application protocols.
Can view the contents of TCP, in ASCII or in hexadecimal.
Can check whether a communications stream is encrypted or not.
Be careful not to invade the privacy of others. Do not capture packets without permission.


Port Monitoring – switched network

Don't do port monitoring without permission!

Port monitoring, or port mirroring, selects network traffic for analysis.

To capture traffic sent by hosts connected to a hub, just attach a protocol analyzer (or a sniffer) to this hub. On a switch, after the host MAC address is learned, unicast traffic to that host is only forwarded to the required port, and therefore is not seen by the sniffer.

How do you use Ethereal or tcpdump to monitor traffic between a number of hosts? Solution: some switches support port monitoring, where a switch port can monitor the traffic of other ports. The port monitoring function copies unicast packets to the required destination port (monitor port). However, not every switch supports the port monitoring function.


Port Monitoring – switched network

Don't do port monitoring without permission!

Source Port: a port that is monitored.
Destination Port (or Monitor Port): a port that is monitoring source ports, usually where a network analyzer is connected.

Port Monitoring can be local or remote:
Local port monitoring: the monitored ports and destination port are on the same switch.
Remote port monitoring: some source ports are not located on the same switch as the destination port.

Port Monitoring can be port-based or VLAN-based:
Port-based monitoring: specifies one or several source ports on the switch and one destination port.
VLAN-based monitoring: on a given switch, monitor all the ports belonging to a particular VLAN.


Port Scanning

Do not port scan machines without permission! Port scanning can be interpreted as a cracking attempt.

Port scanning: the techniques used to determine which ports of a host are listening for connections. Port scanning software sends out a request to connect to the target computer on each port sequentially and records which ports responded or seem open.

Port scanning tools such as Network Mapper (nmap) can check what network services a computer is offering. A cracked computer may be hiding some services with trojaned utilities.

Network security applications can alert administrators if they detect connection requests across a broad range of ports from a single host.

To avoid being detected, an intruder may limit the ports to a smaller target set rather than blanket scanning all 65536 ports, or may scan the ports over a much longer period of time.
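The alerting idea in the last two paragraphs, as an added example that is not part of the lecture notes: a sliding-window detector that flags a source contacting many distinct ports on one host, run over constructed log lines of the form "<seconds> <src_ip> <dst_ip> <dst_port>" (as a firewall or flow log might record connection attempts). The sample contains a fast sweep, a slow one-port-per-hour sweep, and a normal client, so the window length shows why the slow scan described on the slide slips past a short window but not a day-long one.

```python
from collections import defaultdict

# Constructed sample log (not real traffic): 20 ports in 19 s from 10.0.0.5,
# 20 ports at one per hour from 10.0.0.9, and a client using only 80/443.
SAMPLE_LOG = (
    [f"{t} 10.0.0.5 192.168.1.10 {p}" for t, p in zip(range(20), range(1, 21))]
    + [f"{3600 * i} 10.0.0.9 192.168.1.10 {1000 + i}" for i in range(20)]
    + [f"{30 * i} 10.0.0.2 192.168.1.10 {80 if i % 2 else 443}" for i in range(40)]
)

def parse_log(lines):
    """Parse the constructed lines into (time, src, dst, dport) sorted by time."""
    events = []
    for line in lines:
        t, src, dst, dport = line.split()
        events.append((int(t), src, dst, int(dport)))
    return sorted(events)

def scan_sources(events, window, threshold):
    """Return the sources that tried at least `threshold` distinct ports on a
    single destination within any `window` seconds. A smaller threshold
    catches narrower target sets at the cost of more false positives."""
    per_pair = defaultdict(list)
    for t, src, dst, dport in events:
        per_pair[(src, dst)].append((t, dport))
    flagged = set()
    for (src, _dst), hits in per_pair.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # advance the left edge until the span fits inside the window
            while hits[end][0] - hits[start][0] > window:
                start += 1
            distinct_ports = {p for _, p in hits[start:end + 1]}
            if len(distinct_ports) >= threshold:
                flagged.add(src)
                break
    return flagged
```

Keying the counter on (source, destination) and widening the window is what makes the slow sweep visible; the cost is keeping per-source state for as long as the window.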