Know What’s on Your Network: Protocol Analyzers
A good network administrator should always know what is on the wire, and the best way to discover what datagrams contain is a protocol analyzer. Why use an analyzer when there is no known problem? Beyond trending to catch show-stoppers before they happen, insidious threats such as malware, direct attacks and peer-to-peer file sharing make it a necessity to categorize your network traffic. Protocol analyzers have become dramatically easier to use, and much better training materials are available. The Cadillac of analyzers is still expensive: Network Associates' Sniffer Pro (www.networkassociates.com) and Distributed Sniffer, though Netasyst costs much less. Another capable tool, Ethereal (www.ethereal.com), is open source.
Two good books cover these respective products, both from Syngress: "Sniffer Pro: Network Optimization and Troubleshooting Handbook," by Shimonski et al., and "Ethereal Packet Sniffing," by Orebaugh and the development team. Another set of books, by Laura Chappell, is available from www.podbooks.com. In "Introduction to Network Analysis," Chappell covers packet construction, basic capture procedures and tips on programs that convert between analyzer file formats or scrub private IP information from traces before you share them. More advanced books cover intermediate topics such as display filters, communication patterns and triggers. Most of the protocol information is in the first CD book set; a second set covers white-hat tools, case studies and more filtering. Numerous trace files, a free course called "Defeating Network Scans" and other information are available at www.packet-level.com.
Different protocol analyzers offer different features. Sniffer requires a live network connection to start, an annoyance when all you want to do is examine trace files; Ethereal does not, so you may wish to capture with Sniffer but view with Ethereal, at least when looking at old traces. Ethereal has very strong Novell decodes, but Sniffer maintains state-of-the-art decodes in other areas such as Cisco VLANs, wireless, SONET and gigabit protocols. Sniffer also has a real-time monitor, expert analysis, a packet generator and a very good summary column (perfect for quick interpretation of traces), none of which Ethereal offers. Sniffer's expert system shows diagnoses and symptoms, as well as configurable alerts. To capture with Ethereal, you need the libpcap packet capture library if you are running Linux/UNIX (available at www.tcpdump.org); for Windows, load the WinPcap drivers from winpcap.polito.it. (Note: Some distributions of these capture libraries have been Trojaned; see CERT advisory CA-2002-30. Choose your download sources carefully and verify the published checksum or signature against a copy obtained from a trusted source before installing.) Ethereal also decodes more slowly, so turn off name resolution, which otherwise looks up every address in the trace, to speed up decoding.
Assuming you have the correct promiscuous-mode driver, have filtered out your own analyzer's traffic and have a mirrored (SPAN) port on your switch, first examine normal traffic. This pattern analysis lets you build a baseline of what normal looks like, so that deviations stand out later. With Sniffer's Dashboard gauge tab, you can measure utilization as a percentage, as well as packet and error rates. Most analyzers have a map or matrix function, which shows what percentage of traffic stays on the local network versus going to non-local networks. The top-talkers list shows which devices are the bandwidth hogs. Analyze the protocol distribution: identify any unknown protocols, such as Gnutella, Kazaa, Morpheus or other peer-to-peer software, and eliminate them from your network. You should have no unknown devices in the address columns. Analyzers can also serve as another security layer; you can use one to do passive OS fingerprinting and to look for rogue signatures.
You can also use an analyzer to figure out why the network is slow. If you suspect an application, examine workstation traffic for background communication or retransmissions, neither of which should occur regularly. To look at per-packet latency, use Sniffer's delta timestamp; Ethereal's equivalent is the frame.time_delta field, which records the time elapsed since the previous captured frame.
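The baselining steps above (protocol distribution, top talkers, local versus non-local share, unknown devices and protocols) and the delta-timestamp check can all be scripted over a saved trace. The following is an added example, not code from the article or from Sniffer or Ethereal: a standard-library Python script that parses a classic little-endian libpcap file with Ethernet/IPv4 frames and produces those numbers, dropping the analyzer's own traffic first. The port-to-application table, the "known hosts" list and the sample capture are all constructed for illustration; on a real network you would load your own trace and maintain your own lists.

```python
"""Baseline a libpcap trace: protocol distribution, top talkers, local share,
unknown devices/ports, and per-frame deltas (Ethereal's frame.time_delta).
Added example; standard library only. Assumes classic little-endian pcap
(magic 0xA1B2C3D4) with Ethernet link type and IPv4 payloads."""
import struct
import ipaddress
from collections import Counter

# Assumed port-to-application map (illustration only). P2P defaults are listed
# so they surface as traffic to define and eliminate, as the article advises.
PORT_NAMES = {80: "HTTP", 443: "HTTPS", 53: "DNS", 25: "SMTP",
              6346: "Gnutella (P2P)", 1214: "KaZaA (P2P)"}


def parse_pcap(data):
    """Yield (ts_usec, frame_len, src, dst, proto, sport, dport) per IPv4 frame."""
    if struct.unpack_from("<I", data, 0)[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian libpcap capture")
    off = 24                                        # skip the global header
    while off + 16 <= len(data):
        sec, usec, incl, _orig = struct.unpack_from("<IIII", data, off)
        off += 16
        frame = data[off:off + incl]
        off += incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                                # not IPv4 over Ethernet
        ihl = (frame[14] & 0x0F) * 4                # IP header length in bytes
        proto = frame[23]
        src = str(ipaddress.IPv4Address(frame[26:30]))
        dst = str(ipaddress.IPv4Address(frame[30:34]))
        sport = dport = None
        if proto in (6, 17) and len(frame) >= 14 + ihl + 4:
            sport, dport = struct.unpack_from("!HH", frame, 14 + ihl)
        yield sec * 1_000_000 + usec, incl, src, dst, proto, sport, dport


def classify(proto, sport, dport):
    """Name the application by a known port on either side, else mark unknown."""
    for port in (dport, sport):
        if port in PORT_NAMES:
            return PORT_NAMES[port]
    if dport is None:
        return "unknown/ip-proto-%d" % proto
    return "unknown/%s:%d" % ("tcp" if proto == 6 else "udp", dport)


def baseline(data, local_net, analyzer_ip, known_hosts, slow_us=100_000):
    """Summarize a trace; frames to/from analyzer_ip are filtered out first."""
    net = ipaddress.ip_network(local_net)
    proto_bytes, host_bytes = Counter(), Counter()
    local_bytes = total_bytes = 0
    unknown_protocols, unknown_devices, slow_gaps = set(), set(), []
    prev_ts = None
    for n, (ts, size, src, dst, proto, sport, dport) in enumerate(parse_pcap(data), 1):
        if analyzer_ip in (src, dst):
            continue                                # "filter out yourself"
        name = classify(proto, sport, dport)
        proto_bytes[name] += size
        host_bytes[src] += size                     # top talkers count both ends
        host_bytes[dst] += size
        total_bytes += size
        s_local = ipaddress.ip_address(src) in net
        d_local = ipaddress.ip_address(dst) in net
        if s_local and d_local:
            local_bytes += size
        if name.startswith("unknown/"):
            unknown_protocols.add(name)
        for host, is_local in ((src, s_local), (dst, d_local)):
            if is_local and host not in known_hosts:
                unknown_devices.add(host)           # rogue/unknown address
        if prev_ts is not None and ts - prev_ts > slow_us:
            slow_gaps.append((n, (ts - prev_ts) / 1e6))  # frame no., delta in s
        prev_ts = ts
    return {
        "protocol_distribution": dict(proto_bytes.most_common()),
        "top_talkers": host_bytes.most_common(3),
        "local_pct": 100.0 * local_bytes / total_bytes if total_bytes else 0.0,
        "unknown_protocols": sorted(unknown_protocols),
        "unknown_devices": sorted(unknown_devices),
        "slow_gaps": slow_gaps,
    }


def _frame(ts_us, src, dst, proto, sport, dport, payload_len):
    """Build one pcap record: Ethernet + IPv4 + minimal TCP/UDP header + payload."""
    l4 = struct.pack("!HH", sport, dport) + b"\x00" * ((20 if proto == 6 else 8) - 4)
    payload = b"A" * payload_len
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4) + len(payload), 1, 0,
                     64, proto, 0, ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    pkt = b"\x00\x11\x22\x33\x44\x55\x66\x77\x88\x99\xaa\xbb\x08\x00" + ip + l4 + payload
    return struct.pack("<IIII", ts_us // 1_000_000, ts_us % 1_000_000,
                       len(pkt), len(pkt)) + pkt


def sample_capture():
    """Constructed capture (not a real trace): a 10.0.0.0/24 segment, analyzer at 10.0.0.2."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return header + b"".join([
        _frame(0,       "10.0.0.5", "93.184.216.34", 6, 40000, 80, 100),
        _frame(10_000,  "93.184.216.34", "10.0.0.5", 6, 80, 40000, 1400),
        _frame(20_000,  "10.0.0.7", "10.0.0.1", 17, 5353, 53, 60),
        _frame(30_000,  "10.0.0.9", "198.51.100.20", 6, 51000, 6346, 500),
        _frame(530_000, "10.0.0.9", "198.51.100.20", 6, 51000, 6346, 500),  # 0.5 s gap
        _frame(540_000, "10.0.0.2", "10.0.0.1", 17, 1234, 53, 30),          # analyzer
        _frame(550_000, "10.0.0.5", "10.0.0.12", 6, 40001, 31337, 200),     # unknown
    ])


if __name__ == "__main__":
    known = {"10.0.0.1", "10.0.0.5", "10.0.0.7", "10.0.0.9"}
    for key, value in baseline(sample_capture(), "10.0.0.0/24", "10.0.0.2", known).items():
        print(key, value)
```

Run against the constructed trace, the report lists Gnutella as the second-largest protocol by bytes, flags 10.0.0.12 as a local address not on the known-hosts list, reports tcp/31337 as an unknown protocol, and shows a single 0.5-second gap before frame 5, which is the kind of delta that would prompt a closer look at that conversation. Substitute `open("trace.pcap", "rb").read()` for `sample_capture()` to run it on your own capture.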
What at first seems a luxury can keep future network problems from taking too much time to solve. Not only does a protocol analyzer show you what is on your network, it also helps you improve speed, reliability and security.
Douglas Mechaber, MCNE, MCSE, CCNA, BCSD, works for a health agency when he’s not consulting or writing. Send him your network problems and favorite utilities at email@example.com.