A WildPackets Academy Tutorial

How Does a Network Protocol Analyzer Work?

Protocols

A company, a school, and even many homes may have a computer network connecting the various computers, printers, and Internet gateways that people use. Even the Internet itself is nothing more than a very big computer network. When the devices attached to a network aren't communicating properly, or they're operating too slowly, a network support engineer may use a protocol analyzer to determine the cause.

A network protocol analyzer is a software program that runs on a standard notebook or desktop computer. It tells the computer to read all of the conversations flowing across the network and then shows those conversations to the network engineer in a human-readable format. Because the engineer can see what the computers, servers, and other devices are saying to each other, the cause of a problem can be isolated and described.

To understand how a protocol analyzer works, it's first necessary to understand what is meant by "protocol". A network communication protocol is a set of rules that define the capabilities and expectations of the communicating devices on the network. An electronic message is constructed by a computer in accordance with the rules, and the message is sent from one computer to another. This message is referred to as a packet or a frame of information. Someone starts their web browser (Internet Explorer or Netscape, for example) and the browser program determines the location, on the Internet, of the web service that the user wants. The browser then sends a packet with a message asking the web server for a page of information, and that's what the user sees. When a user accesses a file on a file server, their machine sends a packet asking the file server to open, and then read, the file. The set of rules that define how these various commands are constructed and used makes up a part of the network protocol.
Protocol Families

There are three major protocol families used to manipulate files across computer networks:

Server Message Block (SMB)
Apple Filing Protocol (AFP)
NetWare Core Protocol (NCP)

SMB is the set of commands and replies used by Microsoft Windows. AFP is used by Apple computers (which can also use SMB to access Windows files). NCP is used with Novell's NetWare network operating system. The bit patterns (called "fields") that are assembled into each packet are different for each family, but the end results are the same: search for a file, open a file, read a file, write to a file, close a file, delete a file, rename a file, and so forth.

There are commands and replies associated with surfing the Internet, too. The protocol called HyperText Transfer Protocol (HTTP) allows a client machine to issue a GET request to read a web URL (Uniform Resource Locator, such as http://www.wildpackets.com/).

Copyright 2003 WildPackets, Inc. All Rights Reserved.
Physical and logical addresses

Now, the protocols we've discussed so far are called application layer protocols because they allow an application program (like a word processor or a web browser) to issue commands and interpret replies. The commands and replies still have to be carried from the client machine to the server machine across the network, and networks can be very entangled.

Physical addresses

Every computer attached to a network has networking hardware in it. This is, perhaps, an Ethernet card or a built-in Ethernet port. It may also be wireless network hardware, like Intel's Centrino. There is a special numerical address, built into the network hardware, that is meant to uniquely identify every computer and network device in the entire world. This is accomplished by assigning each manufacturer a special identifying address prefix, or a range of numerical prefixes. Every Ethernet card and every wireless network device is then manufactured with its own address within that prefix. The address is 48 binary digits long, so about 281 trillion (281,000,000,000,000) devices can be built before the unique numbers run out. The U.S. Census Bureau estimates that by the year 2050 there will be slightly over nine billion people in the world; each person on the planet could have over thirty thousand unique addresses assigned to them personally before the numbers ran out.

One caveat a support engineer should keep in mind: the address is unique as burned in at the factory, but nearly all network hardware lets the operating system or a driver substitute a different one, so two devices on the same network can collide (by accident or by design), and a protocol analyzer can only report the address a frame actually carries.

This unique identifying number is called the hardware address of the device. It is also referred to as the physical address, Ethernet address or MAC address (pronounced "mack"). The acronym MAC stands for media access control: the address belongs to the part of the network hardware that decides when a station may transmit on the shared wire or airwaves, and which of the frames on that medium it should pick up.
Figure 1 Physical addresses, source and destination

Logical addresses

So, every computer, every web server, every file server, every printer, every device on a network has a unique hardware address. A packet of information contains the source hardware address and the destination hardware address. This is loosely analogous to a letter that has the street address of the recipient and your return street address on it. When your letter gets to the destination city, the mail carrier knows the physical location of your house. Like the mail system, packets of information on a network also contain information regarding the regional location to which the message should be sent. Analogous to the country, state, and city on an envelope, there is an additional aspect to computer network message addressing that helps move packets around in the network or Internet. This additional address is called the logical address. The most widely used scheme for assigning logical addresses is the set of rules called Internet Protocol (or IP for short; pronounced by saying the two letters, "I" and "P"). A logical IP address consists of four numbers separated by dots, like this:
10.172.3.212. No individual number may be larger than 255. Analogous to the idea of countries, states, and cities, the IP address may be used to define a large part of a network, then smaller parts (called subnets), and ultimately still smaller parts. For example, all of the computers in the San Francisco Bay area could be assigned addresses that started with 10. San Francisco computers could then have 172 as their second number while San Jose computers used 173. All of the computers north of Market Street in San Francisco could use 3 as the third number, and those south of Market Street could use 4.

Figure 2 Logical addresses, source and destination

A central authority (historically the Network Information Center; today the Internet Assigned Numbers Authority and its regional registries) assigns these prefix addresses to companies, schools, and governmental bodies around the world. Now, it turns out that there are only slightly over four billion possible unique combinations of numbers that can be made out of the four-number IP address. A special set of rules called network address translation (NAT) allows some numbers to be reused without a problem: the blocks reserved for private use (10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16, defined in RFC 1918, which is why the example addresses above start with 10) may appear inside any number of separate networks, and a gateway rewrites them to a public address as packets leave. This is loosely analogous to the fact that there is a city called Dallas not only in Texas but in Iowa, North Carolina, Oregon, Pennsylvania, South Dakota, West Virginia, and Wisconsin, but the post office doesn't get confused.

At this point in our discussion we've described how an application protocol is used to send commands and replies across a network, using a packet of information that has both a physical address uniquely identifying the destination device and a logical address that also includes information about the location to which the packet should be sent. Logical addresses allow human network administrators to create groupings of machines that all start with the same initial numbers in the IP address.

Routers

In a computer network there are interconnect boxes, called routers, that know how to forward packets to specific destination locations based on the IP address.
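The address hierarchy just described, and the forwarding decision a router makes on it, as an added example in Python. This is not code from the tutorial or from WildPackets; the forwarding table, the port names, and the prefix lengths assigned to each city and street are assumptions invented for the example, since the text gives only the leading numbers:

```python
import ipaddress

# Constructed forwarding table for the hierarchy in the text (assumed; the
# tutorial gives only the numbers, not the masks or port names): the Bay Area
# is 10.0.0.0/8, San Francisco 10.172.0.0/16, San Jose 10.173.0.0/16, north of
# Market Street 10.172.3.0/24 and south of Market Street 10.172.4.0/24.
FORWARDING_TABLE = [
    ("10.172.3.0/24", "port-north-of-market"),
    ("10.172.4.0/24", "port-south-of-market"),
    ("10.172.0.0/16", "port-san-francisco"),
    ("10.173.0.0/16", "port-san-jose"),
    ("10.0.0.0/8",    "port-bay-area"),
    ("0.0.0.0/0",     "port-upstream-isp"),   # default route: everything else
]

# The three blocks RFC 1918 reserves for private use; these are what NAT reuses.
RFC1918 = [ipaddress.IPv4Network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_valid_address(text):
    """Four decimal numbers separated by dots, none larger than 255."""
    parts = text.split(".")
    return len(parts) == 4 and all(p.isdigit() and int(p) <= 255 for p in parts)


def parse_address(text):
    if not is_valid_address(text):
        raise ValueError(f"not a valid IPv4 address: {text!r}")
    return ipaddress.IPv4Address(text)


def next_hop(dest, table=FORWARDING_TABLE):
    """Longest-prefix match: of all table entries containing dest, the most
    specific (longest) prefix wins. That is what lets a /24 for one street
    override the /16 for its city and the /8 for the whole region."""
    addr = parse_address(dest)
    best_net, best_port = None, None
    for prefix, port in table:
        net = ipaddress.IPv4Network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_port = net, port
    return best_port


def is_rfc1918(dest):
    """True if the address comes from private space and so cannot be unique
    across the Internet: two different sites may both have a 10.172.3.212."""
    addr = parse_address(dest)
    return any(addr in net for net in RFC1918)


if __name__ == "__main__":
    for dest in ("10.172.3.212", "10.172.4.9", "10.172.99.1", "10.173.1.1", "8.8.8.8"):
        print(f"{dest:>14} -> {next_hop(dest):<22} private={is_rfc1918(dest)}")
```

The table is scanned linearly here; a real router holds the same prefixes in a trie so that the longest match is found in a handful of steps. The RFC 1918 check is worth having next to a forwarding table because a private address seen on the public side of a gateway is either a misconfiguration or a spoofed packet, and an analyzer filter on those ranges is a quick way to spot both.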
Once the packets arrive at the destination location they are, ultimately, sent to the physical address of the intended recipient through another type of interconnect box called a switch. Although this is a tremendous oversimplification of the process, it can be understood that there are two types of interconnect boxes in a network (and in the Internet): routers and switches. Routers make forwarding decisions based on the logical (IP) address and switches make forwarding decisions based on the physical (Ethernet or wireless LAN) address. A switch learns which hardware address sits behind each of its ports and normally forwards a frame only to the port where its destination was learned. Note also that a packet bound for another subnet carries the hardware address of the router on the sender's own subnet as its destination, not that of the final recipient; only the IP address names the far end.

Sequence and acknowledgement numbers

We're almost ready to reveal how a network protocol analyzer works, but first, there is one more aspect of communication that needs explaining. Packets of information may include a sequence number for individual packet identification. Suppose a client sends five packets to a
server and each packet has a unique, incrementing sequence number, say, 1, 2, 3, 4, and 5. The server knows that following the receipt of packet #1 it should get packet #2, and so forth. If something bad happens to a packet and it gets lost or destroyed while it's being sent across the network, the server can know that something's wrong. The server receives packet #1 followed by packet #3; it knows that packet #2 was lost. If a packet is lost it can be transmitted again to complete the conversation.

In addition to the application protocol that carries the commands and replies, and in addition to the physical and logical addressing in a packet, there can be a sequence number and an acknowledgement number so that loss can be detected and repaired. The part of a packet that does this is called the transport layer, and the most common transport layer protocol is called Transmission Control Protocol (TCP, pronounced by saying the three letters). TCP's sequence numbers actually count bytes of data rather than whole packets, and the acknowledgement number tells the sender which byte the receiver expects next, but the principle is the one just described. Some packets don't require guaranteed delivery. They use a transport protocol called User Datagram Protocol (UDP). UDP has no sequence or acknowledgement numbers.

That's it: you now know how computers send messages to each other across a network. These digital messages, consisting of long strings of bits (binary digits, 1's and 0's in binary computer code), are represented by electrical signals (or by radio frequency signals in a wireless network) and are transmitted across the network. When something isn't working properly, it's the job of the network support engineer to figure out why. That's where a network protocol analyzer comes into play.

The network protocol analyzer

A network protocol analyzer is, as mentioned earlier, simply a special application program running in a computer.
It can read the digital messages being sent across the network and can then decode the bits to present the engineer with the physical address, logical address, sequence number, application protocol command and reply, and other pieces of information carried in each packet. To do that, its network interface is put into a mode in which it accepts every frame it hears rather than only those addressed to it (promiscuous mode). It still sees only the frames that reach that interface, so on a switched network, where the switch delivers each frame only to the port where its destination was learned, the analyzer has to be fed by a mirror (SPAN) port on the switch or by a tap in the cable, or it will see little beyond broadcasts and its own traffic. The engineer simply reads the conversation, packet-by-packet, to see who said what to whom, and who misspoke, lost packets, or whose packets were delayed.

Figure 3 Expert analysis of conversations by a network protocol analyzer (screen callouts: EventFinder Settings, Start/Stop Analysis, Express Select Header, Conversations pane, Tabs, Supplemental Area / Node Details pane)

In addition to reading conversations, protocol analyzers keep track of many network statistics relevant to the operation of the network. The number of packets per second, the quantity of traffic, and the number of errors are all recorded and reported. Many protocol analyzers
include informative graphic displays showing trends and comparative analysis information with bar and line charts. Advanced protocol analyzers include expert system technology that analyzes conversations automatically and flags the problems it recognizes. Some analyzers operate in a distributed mode, so that analysis probes can be installed at many remote locations and analysis can be done from a central point.

The protocol analyzer can be configured to capture only conversations between specified devices, or only specific protocols (Windows versus Apple versus Novell, for example). If a user of a computer network complains that the network is slow, the engineer can configure the protocol analyzer with a filter that captures only that user's traffic. The combination of filtering and analysis capabilities gives rise to specialized protocol analyzer tools much like the Carnivore program that was in the news. Carnivore was a special analysis tool used by law enforcement personnel to read conversations on computer networks and track down bad guys. Of course, bad guys themselves ("hackers") can use protocol analyzers to read conversations on corporate networks, too. For this reason there is much interest in data encryption: to make it harder for an intruder to see the content of the data being transmitted across the network. Encryption protects the payload, not the envelope; an analyzer on an encrypted link still sees the hardware and IP addresses, the port numbers, the packet sizes and the timing, which is enough to tell who is talking to whom and how much.

Some simple protocol analyzer programs are available as shareware or freeware on the World Wide Web. Vendors such as WildPackets (EtherPeek and AiroPeek analyzers) and Network Associates (Sniffer analyzer) produce sophisticated commercial protocol analyzers sometimes costing upwards of $40,000.00 (a basic commercial protocol analyzer will cost closer to $1,500.00 or less).

The next time you see a computer support engineer studying a screen with rows of data, you might be seeing the protocol analysis process taking place. That's how a network protocol analyzer works.
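The decoding this section describes, reduced to working code, as an added example in Python. It is not code from the tutorial or from any WildPackets product. It also puts the earlier sections' material to use: the hardware address with its vendor prefix and flag bits, the IP address, and the TCP sequence and acknowledgement numbers, with the simplest form of expert check, a scan for sequence-number gaps. The three frames are constructed inside the block; the hardware addresses, IP addresses, port numbers and sequence numbers in them are invented for the example:

```python
import struct

# Helpers for the constructed sample below.
def mac_bytes(text):
    return bytes(int(x, 16) for x in text.split(":"))

def ip_bytes(text):
    return bytes(int(x) for x in text.split("."))

def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, seq, ack, payload):
    """Assemble an Ethernet II + IPv4 + TCP frame. IP and TCP checksums are
    left as zero to keep the sample short (a real analyzer would flag that)."""
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", 0x0800)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, 0x18,
                      65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000,
                     64, 6, 0, ip_bytes(src_ip), ip_bytes(dst_ip))
    return eth + ip + tcp

def decode_mac(raw):
    """A 6-byte hardware address, its manufacturer prefix, and the two flag
    bits in its first octet that an analyzer uses to judge what it is."""
    text = ":".join(f"{b:02x}" for b in raw)
    return {"addr": text,
            "oui": text[:8],                    # first 24 bits: assigned to the vendor
            "multicast": bool(raw[0] & 0x01),   # I/G bit: a group, not one device
            "local": bool(raw[0] & 0x02)}       # U/L bit: set by software, not burned in

def decode_frame(frame):
    """Decode the Ethernet II, IPv4 and TCP headers into the fields an
    analyzer shows; stop early, without crashing, on anything else."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    out = {"dst_mac": decode_mac(frame[0:6]), "src_mac": decode_mac(frame[6:12]),
           "ethertype": ethertype}
    if ethertype != 0x0800:
        return out                               # not IPv4: layer 2 only
    ip = frame[14:]
    if len(ip) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _, total_len, _, _, ttl, proto, _,
     sip, dip) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(ip) < ihl or total_len < ihl:
        raise ValueError("malformed IPv4 header")
    out.update(src_ip=".".join(map(str, sip)), dst_ip=".".join(map(str, dip)),
               ttl=ttl, proto=proto)
    if proto != 6:
        return out                               # not TCP (UDP is 17)
    tcp = ip[ihl:total_len]                      # total_len, so Ethernet padding is not "data"
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off, flags = struct.unpack("!HHIIBB", tcp[:14])
    data_off = (off >> 4) * 4
    out.update(sport=sport, dport=dport, seq=seq, ack=ack, flags=flags,
               payload=tcp[data_off:])
    return out

def find_sequence_gaps(frames):
    """Walk a capture in order, one flow at a time, and report every place the
    sequence number jumps past the data already seen: the analyzer's view of a
    lost (or reordered) packet. Returns (frame number, flow, expected, seen)."""
    expected, gaps = {}, []
    for n, frame in enumerate(frames, 1):
        d = decode_frame(frame)
        if "seq" not in d:
            continue
        flow = (d["src_ip"], d["sport"], d["dst_ip"], d["dport"])
        if flow in expected and d["seq"] > expected[flow]:
            gaps.append((n, flow, expected[flow], d["seq"]))
        expected[flow] = d["seq"] + len(d["payload"])
    return gaps

# Constructed capture (not from any real network): a client on 10.172.3.212
# talking to a web server on 10.172.4.80. The server is on another subnet, so
# the client's frames carry the router's hardware address as destination. The
# client frame with sequence number 1016 is deliberately missing.
CLIENT_MAC, ROUTER_MAC = "00:1b:21:aa:bb:cc", "00:0c:29:dd:ee:ff"
SAMPLE_CAPTURE = [
    build_frame(CLIENT_MAC, ROUTER_MAC, "10.172.3.212", "10.172.4.80", 40000, 80,
                1000, 5000, b"GET / HTTP/1.0\r\n"),          # 16 bytes: next seq 1016
    build_frame(ROUTER_MAC, CLIENT_MAC, "10.172.4.80", "10.172.3.212", 80, 40000,
                5000, 1016, b"HTTP/1.0 200 OK\r\n"),          # server acknowledges 1016
    build_frame(CLIENT_MAC, ROUTER_MAC, "10.172.3.212", "10.172.4.80", 40000, 80,
                1032, 5017, b"\r\n"),                         # seq 1032: 16 bytes never seen
]

if __name__ == "__main__":
    for n, f in enumerate(SAMPLE_CAPTURE, 1):
        d = decode_frame(f)
        print(f"#{n} {d['src_mac']['addr']} -> {d['dst_mac']['addr']}  "
              f"{d['src_ip']}:{d['sport']} -> {d['dst_ip']}:{d['dport']}  "
              f"seq={d['seq']} ack={d['ack']} {d['payload']!r}")
    for n, flow, want, got in find_sequence_gaps(SAMPLE_CAPTURE):
        print(f"frame #{n}: expected seq {want} from {flow[0]}, saw {got}: "
              f"{got - want} bytes lost")
```

On a real network the frames would come from the capture interface (or a pcap file) instead of `build_frame`, and the decoder would be extended with checksum verification, IP options, UDP and the application protocols on top. The gap scan is deliberately one-directional: it reports a jump forward and then resynchronises, which is what an expert system's "lost packet" event does; a seq number that goes backwards would be a retransmission or a reordered frame and deserves a separate rule. Every length check in `decode_frame` is there because an analyzer is fed by strangers; a truncated or malformed header must be reported, never allowed to index past the end of the buffer.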
WildPackets Professional Services

WildPackets offers a full spectrum of unique professional support services, available on-site, online or through remote dial-in service.

WildPackets Academy

WildPackets Academy provides the most effective and comprehensive network and protocol analysis training available, meeting the professional development and training requirements of corporate, educational, government, and private network managers. Our instructional methodology and course design centers around practical applications of protocol analysis techniques for Ethernet and 802.11 wireless LANs. In addition to classroom-taught Network Analysis Courses, WildPackets Academy also offers:

Web-Delivered Training
On-site and Custom Courseware Delivery
The (T.E.N.) Technology, Engineering, and Networking Video Workshop Series
On-site and Remote Consulting Services
Instruction and testing for the Network Analysis Expert (NAX) Certification

For more information about consulting and educational services, including the complete course catalog, pricing and scheduling, please visit www.wildpackets.com/services. NAX examination and certification details are available at www.nax2000.com.

Live Online Quick Start Program

WildPackets now offers one-hour online Quick Start Programs on using EtherPeek NX/EtherPeek and AiroPeek NX/AiroPeek, led by a WildPackets Academy Instructor. Please visit www.wildpackets.com for complete details and scheduling information.

About WildPackets, Inc.

WildPackets, a privately-held corporation, was founded in 1990 with a mission to create software-based tools to simplify the complex tasks associated with maintaining, troubleshooting, and optimizing evolving computer networks. WildPackets' patented, core Peek technology is the development base for EtherPeek, TokenPeek, AiroPeek, and the NX family of expert packet analyzers.
All are recognized as the analysis tools of choice for small, medium, and large enterprise customers, allowing IT Professionals to easily maximize network productivity. Information on WildPackets, WildPackets Academy, Professional Services, products, and partners is available at www.wildpackets.com.

WildPackets, Inc.
1340 Treat Blvd., Suite 500
Walnut Creek, CA 94597
925-937-3200
www.wildpackets.com
20030915-M-T010