Introduction to Protocol Analysis (Version 5)
BAIST – Network Management
Northern Alberta Institute of Technology
BAI513 Introduction to Protocol Analysis
Prepared by Leonard Rogers C.E.T., C|EH, GCFW
BAIST-NM / August 2006

Contents

Symbol Conventions .... iv
What is "Network Analysis"? .... 6
  Network Troubleshooting .... 6
  Network Optimization .... 6
  Network Planning/Testing .... 7
Where do we place the network analyzer? .... 9
  The Hubbed Network .... 9
  The Switched Network .... 9
  The Routed Network .... 12
What Are the Different Elements of the Sniffer Pro Analyzer? .... 13
  Ports .... 13
  Decodes .... 13
  Capture Filters .... 14
  Display Filters .... 14
  Gauges and Graphs .... 14
  Alarms and Alarm Thresholds .... 15
  Trace Buffer .... 17
Sniffer Pro – Getting Started .... 18
Using the Summary Window .... 21
Statistics, Trends, and Patterns .... 26
  Statistics .... 26
    Packets Per Second .... 26
    Utilization .... 26
    Errors Per Second .... 27
    Broadcasts .... 28
    Multicasts .... 28
    Packet Size Distribution .... 28
    Hosts .... 29
    Protocols .... 33
  Trends .... 34
    Short Term Trends .... 34
    Long Term Trends .... 34
  Patterns .... 35
Understanding Packet Decodes .... 36
  Building a TCP/IP Packet .... 36
  The Basic TCP/IP Packet Structures .... 38
Understanding DHCP .... 43
  DHCP Function .... 43
    How does it work? .... 43
    When problems occur… .... 45
  DHCP Frame .... 46
  DHCP Header Fields .... 46
  DHCP Field Descriptions .... 46
Understanding ARP .... 56
  ARP Function .... 56
    How does it work? .... 56
    When problems occur… .... 57
  ARP Frame .... 59
  ARP Header Fields .... 60
  ARP Field Descriptions .... 60
Understanding ICMP .... 63
  ICMP Function .... 63
    How does it work? .... 63
    When problems occur… .... 66
  ICMP Frame .... 69
  ICMP Header Fields .... 69
  ICMP Field Descriptions .... 69
Understanding IPv4 .... 74
  IP Function .... 74
    How does it work? .... 74
    When problems occur… .... 74
  IP Frame .... 77
  IP Header Fields .... 77
  IP Field Descriptions .... 77
Understanding UDP .... 84
  UDP Function .... 84
    How does it work? .... 84
    When problems occur… .... 85
  UDP Frame .... 85
  UDP Header Fields .... 85
  UDP Field Descriptions .... 86
Understanding TCP .... 87
  TCP Function .... 87
    How does it work? .... 87
    When problems occur… .... 89
  TCP Frame .... 92
  TCP Header Fields .... 92
  TCP Field Descriptions .... 92
Understanding DNS .... 96
  DNS Function .... 96
    How does it work? .... 96
    When problems occur… .... 105
  DNS Frame .... 106
  DNS Header .... 106
  DNS Field Descriptions .... 106
Appendix A – Background Information .... 110
  Well Known Port Numbers .... 111
  Protocol Numbers .... 167
  MAC Address Structure .... 170
  Ethertypes .... 195
Appendix B – Manual Packet Decoding .... 201
Appendix C – Glossary of Terms .... 202
Appendix D – Labs .... 220
  DHCP LAB .... 221
    PART 1 .... 222
    PART 2 .... 224
  ARP LAB .... 227
    PART 1 .... 228
    PART 2 .... 229
  ICMP LAB .... 231
    PART 1 .... 232
    PART 2 .... 234
  IP LAB .... 237
    PART 1 .... 238
    PART 2 .... 239
  UDP and TCP LAB .... 241
    PART 1 .... 242
    PART 2 .... 244
  DNS LAB .... 247
    PART 1 .... 248
    PART 2 .... 249
  FILTER PRACTICE LAB .... 251
References and Resources .... 257

Symbol Conventions

The diagrams in this book use several different symbols to represent various pieces of network equipment or devices. The following is the list of these symbols and the network equipment or devices they represent:

• Network Analyzer
• Network Tap
• Router
• Hub
• Core Switch
• Workgroup Switch
• Wireless Access Point

What is "Network Analysis"?

Network analysis is the art of listening in on the network's communications and determining the health of the network. Typically, the processes involved in this type of analysis include:

• Tapping into the network.
• Capturing traffic.
• Reviewing the captured traffic.
• Filtering out only the interesting traffic.
• Documenting the findings of the analysis.

Network analysis is used primarily for three purposes:

• Network troubleshooting
• Network optimization
• Network planning/testing

Network Troubleshooting

Network analysis is an important tool for troubleshooting network problems. Today's analyzers instantly perform a myriad of tasks and functions that once had to be done by hand and were time consuming. Many problems can be spotted on the wire as soon as you plug the analyzer in, including:

• Can the PC or server communicate onto the cabling system, or is there a media fault somewhere?
• Did the service discovery process work properly? (Could the PC find the server?)
• Could the PC locate the route to the server? (Is the route available and within reach?)
• Did the user/client properly authenticate to the server?
• Did the user/client make a proper request for service?
• Did the server reply to the user/client's request for service?
• If the server did reply, did the reply indicate a failure or a denial of service?
• Are the client and server using the same frame type for communications?

Network Optimization

Network optimization analysis is done to ensure that the network is performing within a set of defined parameters. These parameters differ for each type of network topology: nobody would expect the parameters for a LAN and a WAN link to be the same, any more than they would expect the optimization parameters for a 16 Mb Token Ring LAN to match those of a 100 Mb Ethernet LAN. Again, today's network analyzers can spot all types of performance problems on the network, regardless of topology, protocol or media type. For example, an analyzer can be used for the following optimization analysis techniques:

• Identify excessive ICMP redirect messages and which workstations are responsible for them. A router sends a redirect to a host that forwarded a packet through it when a better first hop exists on the same subnet, so the host the redirect is addressed to is the one using the wrong gateway.
  o This allows the support personnel to go to those systems and reconfigure them to use the appropriate gateway.
• Identify the cause of excessive broadcasts on the network.
  o This allows the support personnel to reconfigure the devices sending the unnecessary broadcasts, reducing the bandwidth overhead and the processor load this traffic imposes on every station that must receive it.
• Identify the cause of excessive failure replies from a server.
  o Again, the support personnel would reconfigure the workstations to correct this problem and eliminate these bandwidth-consuming replies.
• Identify and tune the router configurations to reduce unnecessary routing protocol overhead, which is often caused by periodic network broadcasts or multicasts.
• Identify and remove any unnecessary "discovery" protocols that are consuming bandwidth on the network.
  o These are often issued by a vendor's device that has the ability (through a proprietary protocol or some other method) to search for other devices from the same vendor. An example of this type of protocol is Cisco's Cisco Discovery Protocol, also known as CDP.

Network Planning/Testing

Network analysis is also used to perform planning and testing functions, especially application testing, to help determine future growth requirements and to measure the amount of bandwidth each application consumes on the network as it performs its normal functions. So what should you look for when planning for growth or testing an application? The answer is simple and should be obvious, yet some of its aspects are often overlooked. The following items should be identified when determining network growth requirements:

• How much bandwidth does a single (normal) user require to run the typical applications needed to perform their job?
  o Multiply that number by the number of people you currently have in this position to determine your current bandwidth requirement.
  o Also estimate how many people you expect to have in this position at some point in the future, typically 1 to 5 years ahead, to help determine your expected growth pattern.
• The same process must be followed again for your network's "super-users": the people who run bandwidth-intensive and high-overhead applications.
  o This category often includes most network analysts.

But wait…

• You don't know what your bandwidth-intensive or high-overhead applications are? Or, for that matter, what the bandwidth requirements are for any application your organization is using?
  o Well, you should, and a network analyzer combined with a consistent application testing method can help you determine exactly how much bandwidth any application uses in performing its normal operations, such as its login/logoff routines or task processing routines.
• There are many reasons to analyze and test applications, including:
  o Determining and preparing for the bandwidth required to roll the application out to the local network or throughout the entire organization.
  o Baselining an application so that when users complain about slow response times, you have a baseline record to compare their current response times against.
  o Identifying the supplemental files that the application uses and determining the best location for those files to optimize the application's traffic.
  o Time the a...
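The optimization checks listed under Network Optimization above (excess ICMP redirects and the hosts they are addressed to, the senders of excess broadcasts, and discovery protocols such as CDP) all come down to decoding each captured frame and counting by source or destination. The following is an added example written for this page, not code from the course text or from Sniffer Pro. It decodes raw Ethernet, IPv4 and ICMP headers in plain Python and runs over a handful of constructed frames with hypothetical addresses (the router, switch and host MACs and IPs are invented, and the IP and ICMP checksums are left at zero because the decoder does not verify them).

```python
"""Count the optimization signals the text lists (ICMP redirects, broadcasts,
CDP) from raw Ethernet frames.  Added example; not from the course text."""
import struct
from collections import Counter

ETH_HDR_LEN = 14
ETHERTYPE_IPV4, ETHERTYPE_ARP = 0x0800, 0x0806
IP_PROTO_ICMP, ICMP_REDIRECT = 1, 5
BROADCAST_MAC = b"\xff" * 6
CDP_MAC = bytes.fromhex("01000ccccccc")   # Cisco multicast address used by CDP
CDP_SNAP_OUI, CDP_SNAP_PID = b"\x00\x00\x0c", 0x2000   # Cisco OUI / CDP protocol id


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def decode_frame(frame):
    """Decode Ethernet, then IPv4 and ICMP if present; return a dict of fields."""
    if len(frame) < ETH_HDR_LEN:
        return None
    dst, src, etype = struct.unpack("!6s6sH", frame[:ETH_HDR_LEN])
    info = {"dst_mac": mac_str(dst), "src_mac": mac_str(src),
            "broadcast": dst == BROADCAST_MAC, "cdp": False}
    if etype <= 1500:
        # IEEE 802.3: the field is a length and an LLC/SNAP header follows.
        snap = frame[ETH_HDR_LEN:ETH_HDR_LEN + 8]
        if len(snap) == 8 and snap[:3] == b"\xaa\xaa\x03":
            oui, pid = snap[3:6], struct.unpack("!H", snap[6:8])[0]
            info["cdp"] = dst == CDP_MAC and oui == CDP_SNAP_OUI and pid == CDP_SNAP_PID
        return info
    info["ethertype"] = etype
    if etype != ETHERTYPE_IPV4 or len(frame) < ETH_HDR_LEN + 20:
        return info
    ip = frame[ETH_HDR_LEN:]
    ihl = (ip[0] & 0x0F) * 4                     # IPv4 header length in bytes
    info["proto"] = ip[9]
    info["src_ip"], info["dst_ip"] = ip_str(ip[12:16]), ip_str(ip[16:20])
    if info["proto"] == IP_PROTO_ICMP and len(ip) >= ihl + 8:
        icmp = ip[ihl:]
        info["icmp_type"], info["icmp_code"] = icmp[0], icmp[1]
        if icmp[0] == ICMP_REDIRECT:
            info["redirect_gateway"] = ip_str(icmp[4:8])   # RFC 792 gateway field
    return info


def analyze(frames):
    """Per-host counters an analyst would read off a capture."""
    stats = {"frames": 0, "redirects_by_host": Counter(),
             "broadcasts_by_source": Counter(), "cdp_by_source": Counter()}
    for frame in frames:
        d = decode_frame(frame)
        if d is None:
            continue
        stats["frames"] += 1
        if d.get("icmp_type") == ICMP_REDIRECT:
            # The redirect is addressed to the host that used the wrong gateway.
            stats["redirects_by_host"][d["dst_ip"]] += 1
        if d["broadcast"]:
            stats["broadcasts_by_source"][d["src_mac"]] += 1
        if d["cdp"]:
            stats["cdp_by_source"][d["src_mac"]] += 1
    return stats


# --- Constructed sample frames: hypothetical addresses, checksums left zero ---
def _mac(s):
    return bytes.fromhex(s.replace(":", ""))


def _ip(s):
    return bytes(int(o) for o in s.split("."))


def icmp_frame(src_mac, dst_mac, src_ip, dst_ip, icmp_type, rest=b"\x00" * 4):
    icmp = struct.pack("!BBH", icmp_type, 0, 0) + rest + b"\x00" * 28
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64,
                     IP_PROTO_ICMP, 0, _ip(src_ip), _ip(dst_ip))
    return _mac(dst_mac) + _mac(src_mac) + struct.pack("!H", ETHERTYPE_IPV4) + ip + icmp


def arp_broadcast(src_mac):
    return BROADCAST_MAC + _mac(src_mac) + struct.pack("!H", ETHERTYPE_ARP) + b"\x00" * 28


def cdp_frame(src_mac):
    snap = b"\xaa\xaa\x03" + CDP_SNAP_OUI + struct.pack("!H", CDP_SNAP_PID)
    payload = snap + b"\x02\x00\xb4" + b"\x00" * 21     # CDP v2 header stub + padding
    return CDP_MAC + _mac(src_mac) + struct.pack("!H", len(payload)) + payload


ROUTER, SWITCH = "00:00:0c:07:ac:01", "00:1a:2b:3c:4d:5e"
HOST_A, HOST_B = "00:11:22:33:44:55", "00:66:77:88:99:aa"
SAMPLE_FRAMES = [
    icmp_frame(ROUTER, HOST_A, "192.168.1.1", "192.168.1.10", ICMP_REDIRECT, _ip("192.168.1.254")),
    icmp_frame(ROUTER, HOST_A, "192.168.1.1", "192.168.1.10", ICMP_REDIRECT, _ip("192.168.1.254")),
    icmp_frame(ROUTER, HOST_B, "192.168.1.1", "192.168.1.20", ICMP_REDIRECT, _ip("192.168.1.254")),
    icmp_frame(HOST_A, HOST_B, "192.168.1.10", "192.168.1.20", 8),   # ordinary echo request
    arp_broadcast(HOST_A), arp_broadcast(HOST_A), arp_broadcast(HOST_A), arp_broadcast(HOST_B),
    cdp_frame(SWITCH), cdp_frame(SWITCH),
]


def run_sample():
    return analyze(SAMPLE_FRAMES)


if __name__ == "__main__":
    for name, value in run_sample().items():
        print(name, dict(value) if isinstance(value, Counter) else value)
```

A capture tool would feed decode_frame() the frames read from a trace buffer or pcap file; here SAMPLE_FRAMES stands in for that. Note that redirects are keyed by the redirect's destination IP rather than its source: the router sending the redirect is behaving correctly, and the host it is addressed to is the one to reconfigure.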