Recent Case Studies of Packet Capture and Analysis Use of Captured-data Analysis Support Tool

Similar documents
Case Studies of Using the Gigabitcompatible. as a Troubleshooting Tool for Home IP Systems

Wireless LAN Tester Conformable to IEEE802.11ac

Transporting Voice by Using IP

Network Processing Technology for Terminals Enabling High-quality Services

VG422R. User s Manual. Rev , 5

Broadband Router. User s Manual

Chapter 3: Network Protocols and Communications

Secure Telephony Enabled Middle-box (STEM)

IT 341: Introduction to System

CNBK Communications and Networks Lab Book: Purpose of Hardware and Protocols Associated with Networking Computer Systems

Special expressions, phrases, abbreviations and terms of Computer Networks

ETSF10 Internet Protocols Transport Layer Protocols

Approaches to Deploying VoIP Technology Instead of PSTN Case Study: Libyan Telephone Company to Facilitate the Internal Work between the Branches

Router Router Microprocessor controlled traffic direction home router DSL modem Computer Enterprise routers Core routers

MODULE: NETWORKS MODULE CODE: CAN1102C. Duration: 2 Hours 15 Mins. Instructions to Candidates:

VG-422R. User s Guide

BSc. (Hons) Web Technologies. Examinations for 2017 / Semester 1

CyberP3i Course Module Series

CCNA 1 Chapter 7 v5.0 Exam Answers 2013

SC/CSE 3213 Winter Sebastian Magierowski York University CSE 3213, W13 L8: TCP/IP. Outline. Forwarding over network and data link layers

Facilitator. Introduction to IT Networking for Facilities Managers. Class Logistics

ABSTRACT. that it avoids the tolls charged by ordinary telephone service

Spectrum Enterprise SIP Trunking Service NEC Univerge SV8100 IP PBX Configuration Guide

CNPE Communications and Networks Lab Book: Data Transmission Over Digital Networks

OSI Layer OSI Name Units Implementation Description 7 Application Data PCs Network services such as file, print,

The Applications and Gaming Tab - Port Range Forward

Arion Router and Firewall User s Manual. Rev 1.0 Mar 2004

Quick Start Guide MU120131A/32A. IP Multicast Measurement MD1230B/MP1590B. Data Quality Analyzer / Network Performance Tester

Computer Science 461 Midterm Exam March 14, :00-10:50am

Improving User Capacity and Disaster Recovery Time in IP Telephone Service Systems

IPv6 Network Construction Support Solution: Application to the IPv6 Experimental System of IPv6 Promotion Council

Overview of SIP. Information About SIP. SIP Capabilities. This chapter provides an overview of the Session Initiation Protocol (SIP).

Lab - Using Wireshark to Examine a UDP DNS Capture

Draft Version. Setup Reference guide for KX-HTS Series (Tested with HTS32 Version 1.5) Peoplefone SIP Trunk service with External Router

Chapter 2 Communicating Over the Network

Truffle Broadband Bonding Network Appliance

5 What two Cisco tools can be used to analyze network application traffic? (Choose two.) NBAR NetFlow AutoQoS Wireshark Custom Queuing

Lab - Using Wireshark to Examine a UDP DNS Capture

Integrating Information Systems: Technology, Strategy, and Organizational Factors

4 rd class Department of Network College of IT- University of Babylon

31270 Networking Essentials Focus, Pre-Quiz, and Sample Exam Answers

Seamless Traffic Migration between the Mobile and Fixed Networks

Ethernet Transmission Equipment ERP-SW for All-IP Transmission Paths. Under these circumstances, particularly

Information About SIP Compliance with RFC 3261

HTG XROADS NETWORKS. Network Appliance How To Guide: EdgeBPR (Shaping) How To Guide

6 Computer Networks 6.1. Foundations of Computer Science Cengage Learning

SonicWALL / Toshiba General Installation Guide

PLEASE READ CAREFULLY BEFORE YOU START

Internet. 1) Internet basic technology (overview) 3) Quality of Service (QoS) aspects

Communicating over the Network

Chapter 3: Network Protocols and Communications CCENT Routing and Switching Introduction to Networks v6.0 Instructor Planning Guide

A+ Guide to Software: Managing, Maintaining, and Troubleshooting, 5e. Chapter 8 Networking Essentials

Development of Transport Systems for Dedicated Service Provision Using Packet Transport Technologies

Overview of TCP/IP Overview of TCP/IP protocol: TCP/IP architectural models TCP protocol layers.

CSC Introduction to Computers and Their Applications. Background

ESI Voice Router Public-Installation Guide

Provide a generic transport capabilities for real-time multimedia applications Supports both conversational and streaming applications

Multi-Homing Broadband Router. User Manual

Real Time Protocols. Overview. Introduction. Tarik Cicic University of Oslo December IETF-suite of real-time protocols data transport:

Chapter 7. Local Area Network Communications Protocols

Spectrum Enterprise SIP Trunking Service NEC Univerge SV9100 IP PBX Configuration Guide

Security SSID Selection: Broadcast SSID:

SIP Session Initiation Protocol

Data Communication & Networks G Session 7 - Main Theme Networks: Part I Circuit Switching, Packet Switching, The Network Layer

MODERNIZATION OF AUTOMATIC SURFACE WEATHER OBSERVING SYSTEMS AND NETWORKS TO UTILIZE TCP/IP TECHNOLOGY

TCP/IP Transport Layer Protocols, TCP and UDP

Troubleshooting Voice Over IP with WireShark

Operating Systems CS 571

Multimedia in the Internet

Provides port number addressing, so that the correct destination application can receive the packet

MRD-310 MRD G Cellular Modem / Router Web configuration reference guide. Web configuration reference guide

A common issue that affects the QoS of packetized audio is jitter. Voice data requires a constant packet interarrival rate at receivers to convert

Typical Network Uses

Visualization of Internet Traffic Features

Yealink VCS Network Deployment Solution

UIP1869V User Interface Guide

Compliance with RFC 3261

SV9100 SIP Trunking Service Configuration Guide for Cable ONE Business

BEng. (Hons) Telecommunications. Examinations for / Semester 2

Configure Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) Service Settings on a Switch

networks List various types of networks and their

13. Internet Applications 최양희서울대학교컴퓨터공학부

The Internet and the World Wide Web

Mobile MOUSe ROUTING AND SWITCHING FUNDAMENTALS ONLINE COURSE OUTLINE

LevelOne FBR-1405TX. User s Manual. 1 PORT BROADBAND ROUTER W/4 LAN Port. Version: 1.0

Introduction to computer networking

CS164 Final Exam Winter 2013

VoIP with Channel Associated Signaling (CAS)

General comments on candidates' performance

Load Balance Mechanism

Dolby Conference Phone. Configuration guide for Avaya Aura Platform 6.x

Wireshark Lab: Getting Started v6.0

Introduction... 3 Features... 3 Minimum Requirements... 3 Package Content... 3 Get to know the Broadband Router... 4 Back Panel... 4 Front Panel...

Load Balancing Technology White Paper

Thank you for purchasing a Panasonic Pure IP-PBX. Please read this manual carefully before using this product and save this manual for future use.

Computer Networks. More on Standards & Protocols Quality of Service. Week 10. College of Information Science and Engineering Ritsumeikan University

APPLICATION NOTE No

Step 3 - How to Configure Basic System Settings

PART IV. Internetworking Using TCP/IP

Voice Performance Statistics on Cisco Gateways

Transcription:

Practical Field Information about Field Telecommunication Information Technologies about Telecommunication Technologies Recent Case Studies of Packet Capture and Analysis Use of Captured-data Analysis Support Tool Abstract This article introduces case studies involving packet capture and analysis using a support tool. This is the twenty-seventh of a bimonthly series on the theme of practical field information on telecommunication technologies. This month s contribution is from the Network Interface Engineering Group, Technical Assistance and Support Center, Maintenance and Service Operations Department, Network Business Headquarters, NTT EAST. Keywords: IP-related faults, packet capture, captured-data analysis support tool 1. Introduction The volume of Internet protocol (IP)-related data communications has been increasing thanks to the recent proliferation and increasing sophistication of IP broadband access services typified by NTT s FLET S HIKARI NEXT and the rise of social network services and other novel services. The functionality of routers and terminals installed in homes has consequently been advancing, but this has been accompanied by increasingly complicated IP faults. As a result, there has been an increasing number of cases in which the conventional approach of dealing with a fault by simply replacing faulty equipment has not been effective. In response to this situation, techniques for identifying the causes of such faults have been promoted. These techniques obtain (capture) a large volume of packets transmitted between IP devices through the use of our gigabit-compatible protocol checker [1] or a similar tool and analyze the state and content of communications. However, with popular software for packet analysis such as Wireshark, the operations needed to identify the packets that are causing the fault from a large volume of captured data can be quite complicated and extremely time-consuming. Maintenance personnel must also learn how to use such analysis methods, which means that the analysis results can depend greatly on the maintenance personnel s individual skills. To address these problems, we have developed and begun using a captured-data analysis support tool equipped with functions for supporting batch input and analysis of a large volume of captured data so that the causes of complicated IP faults can be quickly uncovered. We describe here some recent case studies of packet capture and analysis using this tool. 2. Overview of captured-data analysis support tool The captured-data analysis support tool consists of software that inputs data captured in the pcap/pcapng packet-capture format and displays the results of analyzing that data. This tool has an analysis section and a display section with a total of five functions, as shown in Fig. 1. (1) Captured-data analysis function This function analyzes captured data and is the core NTT Technical Review

Captured-data analysis support tool Captured data (1) Captured-data analysis function (2) Time-offset output function (3) Summary display function (4) Graph display function (5) Log display function Data input Analysis section Display section Wireshark link Fig. 1. Configuration of captured-data analysis support tool. Table 1. Types of summary information. Hikari-Denwa/050IP-phone information Hikari-TV information Internet access information (DNS/HTTP) Video site information TCP information MAC-address/IP-address information UPnP information General information (number of calls, completed calls, uncompleted calls, etc.), call-specific information (call begin/end times, originating/destination phone numbers, packet loss, jitter), etc. Start/termination times, viewed channel, packet loss, etc. Start time, response time, IP address, domain name, download speed (HTTP only), etc. IP address, port number, viewed uniform resource locator (URL), file size, download speed, etc. Session start/end times, IP address, maximum segment size (MSS) value, protocol type (Secure Sockets Layer (SSL), HTTP, etc.), number of TCP errors, response time, etc. MAC-address/IP-address correspondence table Universal Plug and Play (UPnP) table inferred from communications (internal IP address/port, external IP address/port) DNS: domain name system HTTP: hypertext transfer protocol MAC: media access control TCP: transport control protocol TV: television of this software. It is capable of analyzing several gigabytes of data divided into multiple files all together. The display section presents the results of this analysis using the summary display function ((3) in Fig. 1), graph display function (4), and log display function (5). Maintenance personnel can re-examine analysis results for certain data without having to perform the analysis again by simply inputting that data into the display section. (2) Time-offset output function This function changes the timestamp given to each captured packet. This is a useful function if the user wishes to correct the timestamps of captured data whose times are offset from the actual time. (3) Summary display function This function displays the results of analysis performed by the captured-data analysis function. It can display various types of service- and protocol-related information as listed in Table 1. Each type of summary Vol. 13 No. 2 Feb. 2015

FLET S HIKARI ONU VoIP gateway PBX Gigabit-compatible protocol checker ISDN protocol analyzer Fig. 2. Configuration of inspection method. information can be subjected to full-text searches, making it easy to display a portion of the analysis results that are of interest to the maintenance personnel and to check individual packets in unison with Wireshark. (4) Graph display function This function can display multiple time series simultaneously. Specifically, it can simultaneously compare multiple time series such as the number of simultaneous IP phone calls, the estimated number of network address and port translation (NAPT) tables, and traffic volume, which is not possible with other types of software such as Wireshark. Network INVITE 100 Trying 180 Ringing 200 OK ACK BYE 200 OK VoIP gateway Call in progress SETUP CALL PROC ALERT CONNECT CONNECT ACK DISCONNECT RELEASE RELEASE COMPLETE PBX (5) Log display function This function prepares logs from information in communication packets recorded in routers and other communication devices and displays those logs. It can display that information in classes; for example, log data that may indicate the cause of a fault can be labeled as a warning, and other data that reflect the process flow needed for analysis can be labeled simply as information. 3. Case studies of using the captured-data analysis support tool to identify faults 3.1 Call is suddenly disconnected in IP phone service 3.1.1 Fault description A customer using an IP phone service at a call center reported that calls would suddenly be disconnected several times a day during peak calling periods. The problem persisted despite replacing the VoIP (voice over IP) gateway. 3.1.2 Inspection method We installed the gigabit-compatible protocol checker between the ONU (optical network unit) and ACK: acknowledge PROC: proceeding Fig. 3. Call control sequence. the VoIP gateway to collect data on call-control and voice packets and installed an ISDN (integrated services digital network) protocol analyzer between the VoIP gateway and the PBX (private branch exchange) to collect data on call control (Fig. 2). 3.1.3 Inspection results A check of the call control sequence at the time of a cutoff event indicated that the call had been disconnected in a normal manner from the network side (Fig. 3). It was also found on checking voice packets (RTP/RTCP: real-time transport protocol/real-time transport control protocol) that the VoIP gateway had transmitted no RTCP packets several tens of seconds before the normal disconnection. 3.1.4 Cause of fault On the basis of the inspection results described in 3.1.3 above and the customer s report stating that the 3 NTT Technical Review

25 Number of calls 23 20 Number of calls 15 10 10:16:38 Call begins 10:19:57 Call terminates in about 3 min. (event occurs) 5 10:18:25 Call begins 10:19:58 Call terminates in about 1.5 min. (event occurs) 0 10:00 10:30 11:00 Time Fig. 4. Calling conditions revealed by captured-data analysis support tool. Internet ISP configuration Business PCs FLET S HIKARI PBX Router Gigabit-compatible protocol checker Phone terminals ISP: Internet service provider PC: personal computer Fig. 5. Configuration of inspection method. event would occur during peak calling periods, we checked calling conditions using the captured-data analysis support tool (Fig. 4) and found that the event would typically occur when the number of calls had risen dramatically, which occurred just after 10:00 AM. We therefore considered the possibility that the non-transmission of RTCP packets from the VoIP gateway was related in some way to the large number of calls. 3.1.5 Countermeasure and effect We shared this information with the developer of this VoIP gateway, which proposed as a countermeasure that the gateway equipment be replaced with its most recent version that had higher performance. The problem disappeared upon doing so. 3.2 Internet is disconnected 3.2.1 Fault description A customer reported experiencing trouble connecting to the Internet once or twice a week when starting work in the morning but said that the problem would disappear on its own in about ten minutes. The customer was also a subscriber to an IP phone service that functioned normally at the time of this event. 3.2.2 Inspection method We installed the gigabit-compatible protocol checker between the PBX and router and captured data for a one-week period (Fig. 5). 3.2.3 Inspection results We analyzed the data captured in this way using the Cascade Pilot software developed by Riverbed Technology and found that the router was attempting to Vol. 13 No. 2 Feb. 2015 4

* Router would reattempt UDP connection for more than 200 addresses. * One line indicates IP address of a single connection destination. Reconnection attempted at intervals of about 30 min. Fig. 6. UDP connection destinations shown by Cascade Pilot. Estimated number of NAPT tables 12,000 10,000 8,000 6,000 4,000 2,000 * Limit (about 10,000) of estimated number of NAPT tables in router 8:30 Business start time * Number of NAPT tables would decrease about every 15 min. (consistent with UDP NAPT-table retention time) 0 07:54:34 08:02:54 08:11:14 08:19:34 08:27:54 08:36:14 08:44:34 08:52:54 09:01:14 Time Fig. 7. Estimated number of NAPT tables revealed by captured-data analysis support tool. make UDP (user datagram protocol) connections for more than 200 IP addresses and was performing unauthorized-access actions (Fig. 6). We also checked the number of estimated NAPT tables using the captured-data analysis support tool and found that the number of connections would approach the 10,000 limit of the router about every 15 minutes (Fig. 7). 3.2.4 Cause of fault We speculated that the router s NAPT tables were becoming depleted through unauthorized access from the router s LAN (local area network) side, and that the Internet was inaccessible by computers connected at that time. 3.2.5 Countermeasure and effect Because we captured data on the WAN (wide area network) side of the router in this inspection, we were not able to isolate the terminal that was generating such a large amount of data traffic. Maintenance personnel explained the analysis results to the customer and requested that any business PCs that were infected by a virus be removed from the LAN. The customer complied with the request, and the fault subsequently disappeared. 5 NTT Technical Review

4. Conclusion This article presented recent case studies of packet capture and data analysis using our captured-data analysis support tool. Going forward, the Technical Assistance and Support Center is committed to identifying the causes of faults through packet capture using a variety of tools and to contribute to the early resolution of increasingly complicated IP-related faults. Reference [1] Gigabit-compatible Protocol Checker, NTT Technical Review, Vol. 10, No. 7, July 2012. https://www.ntt-review.jp/archive/ntttechnical.php?contents=ntr2012 07fa3.html Vol. 13 No. 2 Feb. 2015

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback