How Does a Network Protocol Analyzer Work?

Similar documents
CNBK Communications and Networks Lab Book: Purpose of Hardware and Protocols Associated with Networking Computer Systems

Assessing Wireless Security with AiroPeek

Module 7: Configuring and Supporting TCP/IP

Monitoring, Troubleshooting and Securing Networks with EtherPeek

1 Connectionless Routing

Lecture (02) The TCP/IP Networking Model

CS519: Computer Networks. Lecture 1 (part 2): Jan 28, 2004 Intro to Computer Networking

Lecture (02) The TCP/IP Networking Model

Lecture (02) Network Protocols and Standards

Data Communication. Introduction of Communication. Data Communication. Elements of Data Communication (Communication Model)

Web Mechanisms. Draft: 2/23/13 6:54 PM 2013 Christopher Vickery

Lecture (02, 03) Networking Model (TCP/IP) Networking Standard (OSI)

Networking and Health Information Exchange Unit 1a ISO Open Systems Interconnection (OSI) Slide 1. Slide 2. Slide 3

Lecture (02) Networking Model (TCP/IP) Networking Standard (OSI) (I)

Chapter 7. Local Area Network Communications Protocols

Networking and Health Information Exchange: ISO Open System Interconnection (OSI)

Introduction to Information Science and Technology 2017 Networking I. Sören Schwertfeger 师泽仁

CS4450. Computer Networks: Architecture and Protocols. Lecture 13 THE Internet Protocol. Spring 2018 Rachit Agarwal

1: Review Of Semester Provide an overview of encapsulation.

Fig (1) client and Server network

Lab 7.1.9b Introduction to Fluke Protocol Inspector

PASS4TEST. IT Certification Guaranteed, The Easy Way! We offer free update service for one year

Guide to Networking Essentials, 6 th Edition. Chapter 5: Network Protocols

CS164 Final Exam Winter 2013

Introduction to Internetworking

Networking Background

Chapter 3. The Basics of Networking

ITEC 3800 Data Communication and Network. Introducing Networks

Data Communication and Network. Introducing Networks

IT 341: Introduction to System

Lecture - 36 Effect on Higher Layer I

CNPE Communications and Networks Lab Book: Data Transmission Over Digital Networks

COMS Introduction to Computers. Networking

6 Computer Networks 6.1. Foundations of Computer Science Cengage Learning

Data & Computer Communication

CCNA Exploration Network Fundamentals. Chapter 03 Application Functionality and Protocols

Significance of TCP/IP Model Divya Shree Assistant Professor (Resource Person), Department of computer science and engineering, UIET, MDU, Rohtak

2. Network functions are associated with only one layer of the OSI model. 4. Not all Transport layer protocols are concerned with reliability.

Unit A - Connecting to the Network

E&CE 358: Tutorial 1. Instructor: Sherman (Xuemin) Shen TA: Miao Wang

Wireshark Lab: Getting Started v7.0

Homework 4 assignment for ECE374 Posted: 04/06/15 Due: 04/13/15

and the Forensic Science CC Spring 2007 Prof. Nehru

OSI Network Layer. Chapter 5

Title Core TIs Optional TIs Core Labs Optional Labs. All None 1.1.6, 1.1.7, and Network Math All None None 1.2.5, 1.2.6, and 1.2.

PASS4TEST. IT Certification Guaranteed, The Easy Way! We offer free update service for one year

Chapter Motivation For Internetworking

4.0.1 CHAPTER INTRODUCTION

Defining Networks with the OSI Model. Module 2

Local Area Networks and the Network Protocol Stack

Chapter 5 OSI Network Layer

Networking Fundamentals Tom Brett

Introduction to computer networking

INTRODUCTION TO ICT.

Wireshark Lab: Getting Started v7.0

Chapter 8: Subnetting IP Networks

ZENworks for Desktops Preboot Services

PART IV. Internetworking Using TCP/IP

ch02 True/False Indicate whether the statement is true or false.

The Internet Advanced Research Projects Agency Network (ARPANET) How the Internet Works Transport Control Protocol (TCP)

Chapter 15 Networks. Chapter Goals. Networking. Chapter Goals. Networking. Networking. Computer network. Node (host) Any device on a network

IT220 Network Standards & Protocols. Unit 8: Chapter 8 The Internet Protocol (IP)

CS 204: Advanced Computer Networks

networks List various types of networks and their

Layering in Networked computing. OSI Model TCP/IP Model Protocols at each layer

Experiment 2: Wireshark as a Network Protocol Analyzer

Chapter 2 - Part 1. The TCP/IP Protocol: The Language of the Internet

Word Found Meaning Innovation

Course 6. Internetworking Routing 1/33

Revision of Previous Lectures

CSCI Computer Networks

Interface The exit interface a packet will take when destined for a specific network.

CPS221 Lecture: Layered Network Architecture

6 Computer Networks 6.1. Foundations of Computer Science Cengage Learning

A Network Engineer s Guide to Troubleshooting User Satisfaction Problems with SAP Applications April 2007

Introduction to Protocols

4.2 Virtual Circuit and Datagram Networks

Introduction to Open System Interconnection Reference Model

DKT 224/3 LAB 2 NETWORK PROTOCOL ANALYZER DATA COMMUNICATION & NETWORK SNIFFING AND IDENTIFY PROTOCOL USED IN LIVE NETWORK

2/29/2012. Part 1: Networking overview Part 2: Data transfer methods Part 3: Communication Channels

Packet: Data can be broken into distinct pieces or packets and then reassembled after delivery. Computers on the Internet communicate via packets.

The Internet software layers

Lesson 1: Network Communications

Unit C - Network Addressing Objectives Purpose of an IP Address and Subnet Mask Purpose of an IP Address and Subnet Mask

Application-Centric Analysis Helps Maximize the Value of Wireshark

CCNA Exploration Network Fundamentals. Chapter 06 Addressing the Network IPv4

Lecture A4 Network / Internet. Computing and Art : Nature, Power, and Limits CC 3.12: Fall 2007

Tutorial 2 : Networking

Computer Networks Prof. S. Ghosh Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Lecture 28 IP Version 4

TCP/IP Networking. Training Details. About Training. About Training. What You'll Learn. Training Time : 9 Hours. Capacity : 12

Chapter 6. The Protocol TCP/IP. Introduction to Protocols

Concept Questions Demonstrate your knowledge of these concepts by answering the following questions in the space that is provided.

1. IPv6 is the latest version of the TCP/IP protocol. What are some of the important IPv6 requirements?

Essential Elements of Medical Networks. D. J. McMahon rev cewood

Networks: Communicating and Sharing Resources

Network Superhighway CSCD 330. Network Programming Winter Lecture 13 Network Layer. Reading: Chapter 4

b) Diverse forms of physical connection - all sorts of wired connections, wireless connections, fiber optics, etc.

Bridge Cable User s Guide

31270 Networking Essentials Focus, Pre-Quiz, and Sample Exam Answers

APPENDIX F THE TCP/IP PROTOCOL ARCHITECTURE

Transcription:

A WildPackets Academy Tutorial How Does a Network Protocol Analyzer Work? Protocols A company, school, and even many homes may have a computer network connecting the various computers, printers, and Internet gateways that people use. Even the Internet itself is nothing more than a very big computer network. When the devices attached to a network aren t communicating properly, or they re operating too slowly, a network support engineer may use a protocol analyzer to determine the cause. A network protocol analyzer is a software program that runs in a standard notebook or desktop computer. It tells the computer to read all of the conversations that are flowing across the network and then it shows those conversations to the network engineer in a humanreadable format. Because the engineer can see what the computers, servers, and other devices are saying to each other, the cause of a problem can be isolated and described. To understand how a protocol analyzer works, it s first necessary to understand what is meant by protocol. A network communication protocol is a set of rules that define the capabilities and expectations of the communicating devices on the network. An electronic message is constructed by a computer, in accordance with the rules, and the message is sent from one computer to another. This message is referred to as a packet or a frame of information. Someone starts their web browser (Internet Explorer or NetScape, for example) and the browser program determines the location, on the Internet, of the web service that the user wants. The browser then sends a packet with a message asking the web server for a page of information, and that s what the user sees. When a user accesses a file on a file server, their machine is sending a packet asking the file server to open, and then read, the file. The set of rules that define how these various commands are constructed and used make up a part of the network protocol. Protocol Families There are three major protocol families that are used to manipulate files across computer networks: Server Message Block (SMB) Apple Filing Protocol (AFP) NetWare Core Protocol (NCP) Server Message Block (SMB) is the set of commands and replies that is used by Microsoft Windows. Apple Filing Protocol (AFP) is used by Apple computers (which can also use SMB to access Windows files). NetWare Core Protocol (NCP) is used with Novell s NetWare network operating system. The bit patterns (called fields ) that are constructed into each packet message are different for each family, but the end results are the same: search for a file, open a file, read a file, write to a file, close a file, delete a file, rename a file, and so forth. There are commands and replies associated with surfing the Internet, too. The protocol called HyperText Transfer Protocol (HTTP) allows a client machine to issue a Get command to read a web URL (Universal Resource Locator, such as www.wildpackets.com ). Copyright 2003 WildPackets, Inc. All Rights Reserved.

How Does a Network Protocol Analyzer Work? Physical and logical addresses Now, these protocols that we ve discussed so far are called application layer protocols because they allow an application program (like a word processor or a web browser) to issue commands and interpret replies. The commands and replies still have to be carried from the client machine to the server machine across the network, and networks can be very entangled. Physical addresses Every computer attached to a network has networking hardware in it. This is, perhaps, an Ethernet card or built-in Ethernet port. It may also be wireless network hardware, like Intel s Centrino. There is a special numerical address, built into the network hardware, that uniquely identifies every computer and network device in the entire world. That s right, no two devices have the same unique address built into them. This is accomplished by assigning each manufacturer a special identifying address prefix, or range of numerical prefixes. Every Ethernet card and every wireless network device is then manufactured with a unique address. There are enough digits in the number used as an address, so that over 200,000,000,000,000 (two hundred thousand billion) devices can be built before the unique numbers run out! The U.S. census bureau estimates that by the year 2050 there will be slightly over nine billion people in the world. That means that each person on the planet could have over 20 thousand unique addresses assigned to them personally before the number ran out. This unique identifying number is called the hardware address of the device. It is also referred to as the physical address, Ethernet address or MAC address (pronounced mack ). The acronym MAC stands for media access control and refers to the fact that stations take turns talking on a wire or in the air ( accessing the communication medium ) based on certain aspects of communication engineering related to the unique address. Figure 1 Physical addresses, source and destination Logical addresses So, every computer, every web server, every file server, every printer, every device on a network has a unique hardware address. A packet of information contains the source hardware address and the destination hardware address. This is loosely analogous to a letter that has the street address of the recipient and your return street address on it. When your letter gets to the destination city, the mail carrier knows the physical location of your house. Like the mail system, packets of information on a network also contain information regarding the regional location to which the message should be sent. Analogous to the country, state, and city on an envelope, there is an additional aspect to computer network message addressing that helps move packets around in the network or Internet. This additional address is called the logical address. The most widely used scheme for assigning logical addresses is through the use of a set of rules called Internet Protocol (or IP for short; pronounced by saying the two letters, I and P ). A logical IP address consists of four numbers, separated by dots, like this: 2 Physical and logical addresses

10.172.3.212. No individual number may be larger than 255. Analogous to the idea of countries, states, and cities, the IP address may be used to define a large part of a network, then smaller parts (called subnets), and ultimately still smaller parts. For example, all of the computers in the San Francisco Bay area could be assigned addresses that started with 10. San Francisco computers could then have 172 as their second digit while San Jose computers used 173. All of the computers north of Market Street in San Francisco could use.3 as the third number, and those south of Market Street could use.4. Figure 2 Logical addresses, source and destination A central authority, called the Network Information Center, assigns these prefix addresses to companies, schools, and governmental bodies around the world. Now, it turns out that there are only slightly over four billion possible unique combinations of numbers that can be made out of the four-number IP address. A special set of rules called network address translation allow some numbers to be reused without a problem. This is loosely analogous to the fact that there is a city called Dallas not only in Texas but in Iowa, North Carolina, Oregon, Pennsylvania, South Dakota, West Virginia, and Wisconsin, but the post office doesn t get confused. At this point in our discussion we ve described how an application protocol is used to send commands and replies across a network, using a packet of information that has both a physical address uniquely identifying the destination device as well as a logical address that also includes information about the location to which the packet should be sent. Logical addresses allow human network administrators to create groupings of machines that all start with the same initial numbers in the IP address. Routers In a computer network there are interconnect boxes, called routers, that know how to forward packets to specific destination locations based on the IP address. Once the packets arrive at the destination location they are, ultimately, sent to the physical address of the intended recipient through another type of interconnect box called a switch. Although this is a tremendous oversimplification of the process it can be understood that there are two types of interconnect boxes in a network (and in the Internet): routers and switches. Routers make forwarding decisions based on the logical, IP address and switches make forwarding decisions based on the physical, Ethernet or wireless LAN address. Sequence and acknowledgement numbers We re almost ready to reveal how a network protocol analyzer works, but first, there is one more aspect of communication that needs explaining. Packets of information may include a sequence number for individual packet identification. Suppose a client sends five packets to a Routers 3

How Does a Network Protocol Analyzer Work? server and each packet has a unique, incrementing sequence number, say, 1, 2, 3, 4, and 5. The server knows that following the receipt of packet #1, it should then get packet #2, and so forth. If something bad happens to a packet and it gets lost or destroyed while it s being sent across the network, the server can know that something s wrong. The server receives packet #1 followed by packet #3; it knows that packet #2 was lost. If a packet is lost then it can be transmitted again to complete the conversation. In addition to the application protocol that carries the commands and replies, and in addition to the physical and logical addressing in a packet, there can be a sequence number and acknowledgement number to guarantee that packets will be sent properly. The part of a packet that does this is called the transport layer, and the most common transport layer protocol is called Transport Control Protocol ( TCP, pronounced by saying the three letters). Some packets don t require guaranteed delivery. They use a transport protocol called User Datagram Protocol (UDP). UDP has no sequence or acknowledgement numbers. That s it: you now know how computers send messages to each other across a network. These digital messages, consisting of long strings of bits (binary digits, 1's and 0's in binary computer code) are represented by electrical signals (or by radio frequency signals in a wireless network) and are transmitted across the network. When something isn t working properly, it s the job of the network support engineer to figure out why. That s where a network protocol analyzer comes into play. The network protocol analyzer A network protocol analyzer which, as mentioned earlier, is simply a special application program running in a computer. It can read the digital messages being sent across the network and can then decode the bits to present the engineer with the physical address, logical address, sequence number, application protocol command and reply, and other pieces of information carried in each packet. The engineer simply reads the conversation, packet-by-packet, to see who said what to whom, and who misspoke or lost packets, or who s packets were delayed. EventFinder Settings Start/Stop Analysis Express Select Header Conversations pane Tabs Supplemental Area (Node Details pane) Figure 3 Expert analysis of conversations by a network protocol analyzer In addition to reading conversations, protocol analyzers keep track of many network statistics relevant to the operation of the network. The number of packets per second, the quantity of traffic, and the number of errors are all recorded and reported. Many protocol analyzers 4 The network protocol analyzer

include informative graphic displays showing trends and comparative analysis information with bar and line charts. Advanced protocol analyzers include expert system technology to analyze conversations using sophisticated artificial intelligence software that identifies problems automatically. Some analyzers operate in a distributed mode, so that analysis probes can be installed at many remote locations and analysis can be done from a central point. The protocol analyzer can be configured to capture only conversations between specified devices, or only specific protocols (Windows versus Apple versus Novell, for example). If a user of a computer network complains that the network is slow, the engineer can configure the protocol analyzer with a filter that captures only that user s traffic. The combination of filtering and analysis capabilities gives rise to specialized protocol analyzer tools much like the Carnivore program that s been in the news. Carnivore was a special analysis tool used by law enforcement personnel to read conversations on computer networks and track down bad guys. Of course, bad guys themselves ( hackers ) can use protocol analyzers to read conversations on corporate networks, too. For this reason there is much interest in data encryption: to make it harder for an intruder to see the content of the data being transmitted across the network. Some simple protocol analyzer programs are available as shareware or freeware on the World Wide Web. Vendors such as WildPackets ( EtherPeek and AiroPeek analyzers) and Network Associates ( Sniffer analyzer) produce sophisticated commercial protocol analyzers sometimes costing upwards of $40,000.00 (a basic commercial protocol analyzer will cost closer to $1500.00 or less). The next time you see a computer support engineer studying a screen with rows of data, you might be seeing the protocol analysis process taking place. That s how a network protocol analyzer works. The network protocol analyzer 5

WildPackets Professional Services WildPackets offers a full spectrum of unique professional support services, available on-site, online or through remote dial-in service. WildPackets Academy WildPackets Academy provides the most effective and comprehensive network and protocol analysis training available, meeting the professional development and training requirements of corporate, educational, government, and private network managers. Our instructional methodology and course design centers around practical applications of protocol analysis techniques for Ethernet and 802.11 wireless LANs. In addition to classroom-taught Network Analysis Courses, WildPackets Academy also offers: Web-Delivered Training On-site and Custom Courseware Delivery The (T.E.N.) Technology, Engineering, and Networking Video Workshop Series On-site and Remote Consulting Services Instruction and testing for the Network Analysis Expert (NAX ) Certification For more information about consulting and educational services, including complete course catalog, pricing and scheduling, please visit www.wildpackets.com/services. NAX examination and certification details are available at www.nax2000.com. Live Online Quick Start Program WildPackets now offers one-hour online Quick Start Programs on using EtherPeek NX/ EtherPeek and AiroPeek NX/AiroPeek, led by a WildPackets Academy Instructor. Please visit www.wildpackets.com for complete details and scheduling information. About WildPackets, Inc. WildPackets, a privately-held corporation, was founded in 1990 with a mission to create software-based tools to simplify the complex tasks associated with maintaining, troubleshooting, and optimizing evolving computer networks. WildPackets' patented, core Peek technology is the development base for EtherPeek, TokenPeek, AiroPeek, and the NX family of expert packet analyzers. All are recognized as the analysis tools of choice for small, medium, and large enterprise customers, allowing IT Professionals to easily maximize network productivity. Information on WildPackets, WildPackets Academy, Professional Services, products, and partners is available at www.wildpackets.com. WildPackets, Inc. 1340 Treat Blvd., Suite 500 Walnut Creek, CA 94597 925-937-3200 www.wildpackets.com 20030915-M-T010

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback