Friday, November 15, 2019
Wireshark Network Protocol Analyzer Information Technology Essay
Today's networks are typically very stable. The problem is that they aren't static. Management and users are constantly demanding new technologies, new services, and better performance, which inevitably require changing infrastructure, deploying new applications, and dealing with security. In the process the network administrator needs to control IT costs and minimise disruption to the organisation, and also needs to be able to see all aspects of the network clearly, to accurately assess the impact of adding new technologies and services and to make sure the network is delivering maximum performance. Nowadays there is a wide variety of software and hardware products available that help network system administrators manage a network.

Network management covers wide area as well as local area networks and is mainly based on three different principles:

Performance: reduce blockage in the network.
Reliability: keeps the network and the services that the network provides up and available for all the users. It includes monitoring the network to spot problems as soon as possible, ideally before users are affected.
Security: keeps the network protected from unauthorised users and the outside world.

Functions that are executed as part of network management accordingly include controlling, planning, allocating, deploying, coordinating, and monitoring the resources of a network; network planning; predetermined traffic routing to support load balancing; cryptographic key distribution authorisation; configuration management; fault management; security management; performance management; bandwidth management; and analytics. There is a variety of network monitoring tools available in the market to be used depending on the size and requirements of the organisation.
OBJECTIVE

The intention of this report is to carry out an in-depth study and evaluation of network management tools that allow us to observe and manage the performance and function of networks effectively and efficiently, and to produce a short report detailing the benefits of implementing network management. The tools which have been used in this report are Fluke Protocol Inspector, the Wireshark network protocol analyzer, the SNMP browser utility and Network Inspector.

FLUKE OPTIVIEW ANALYZER AND WIRESHARK NETWORK PROTOCOL ANALYZER

A network protocol analyzer is a vital part of a network administrator's toolkit. Network protocol analysis is the truth serum of network communications: if you want to find out why a network device is behaving in a certain way, use a protocol analyzer to sniff the traffic and expose the data and protocols that pass along the wire. The Fluke and Wireshark network protocol analyzers offer insight into what is happening not only over the WAN, but also on the local area network (LAN) at each location. Information about traffic flows, protocols, and even individual data packets allows the IT organisation responsible for the network to keep it operating at peak performance. Fluke and Wireshark are tools for administering computer networks; they help in monitoring and troubleshooting the network, and also in observing the status of devices, errors, warnings, and changes. Both network analyzers are fast and compatible with almost every version of the Windows operating system.

To observe the activities and the performance of these network analyzer programs, a small network has been assembled:

Figure 2.1: TEST NETWORK

The minimal equipment for using the Protocol Inspector/analyzer to observe the performance and applications of a network properly is made up of two routers, two switches and two hosts. A class B addressing scheme has been used on the network.
Two routers, R1 and R2, represent two different sites. R1 is using 172.17.0.1/30, R2 is using 172.17.0.2/30, and both routers are connected through 172.17.0.0/24. To keep the setup easy to understand, only two users have been used. User1 and User2 are on 172.17.1.100 and 172.17.2.100 respectively.

Summary View of Fluke OptiView Analyzer

The program opens in the Summary View. This view shows several windows used by the tool. The Resource Browser window in the upper left corner shows the only monitored network device. The Monitor View, in the main window on the upper right, monitors one resource per window in a variety of viewing options. The Stop tab (red) in the upper-left corner of the Monitor View window confirms that no monitoring is occurring.

Figure 6.1

Start the Monitor / Capture process

To start the monitoring / capturing process, use the Start button or Module -> Start from the menu system. The Utilization chart should start showing activity like the graphic below:

Figure 6.2

The word ARM (green tab) should appear where Stop had been before. If you open the Module menu, notice that Stop is now an option while Start is greyed out. The tabs at the bottom of the window show the resulting data in a variety of forms. Click on each and note the result. Transmit (Tx), Alarms, and Alarm Log will be blank. The following is the Received (Rx) frames tab, which indicates that broadcast and multicast frames are being received, but it may not show any unicasts.

Figure 6.3

Using the console connection to the router, ping the monitoring host, and notice that unicast frames appear. Unfortunately, the errors shown in the third column will not appear in the lab exercise unless a traffic generator like the Fluke Networks OptiView product has been added. Now, to open the Detail View window, click on the Detail View button in the toolbar or double-click anywhere on the Monitor View chart.
This will open a second window that should look something like the following, after maximising the Utilization / Errors Strip Chart (RX) window. In the Detail View there are several options we can see:

MAC Statistics
Frame size distribution
Protocol Distribution
Host Table
Network Layer Host Table
Application Layer Host Table
Host Matrix
Network Layer Matrix
Expert View

MAC STATISTICS

MAC Statistics tells us about the module type and speed used on the system. It provides important information like network utilisation and the total bytes of data received. It also shows the different types of frames travelling across the network.

Figure 2.2: MAC Statistics

As shown in Figure 2.2, a total of 1,555 frames were received. Of these, 152 were broadcast frames, 322 multicast frames and 1,081 unicast frames sent over the network. No errors were found, and a total of 122,453 bytes of data was received with an effective 0.003% network utilisation.

FRAME SIZE DISTRIBUTION

Frames on a network are classified according to size. Frame size distribution tells us the frames across the network and their size.

Figure 2.3: FRAME SIZE DISTRIBUTION

The picture above shows the frame size distribution over the test network. On the basis of size, frames have been classified into 8 different categories. The maximum average frame size is in the 65-127 range.

PROTOCOL DISTRIBUTION

Protocol distribution tells the number of protocols operating over the particular network and also at what percentage each protocol is working in terms of transferring data.

Figure 2.4: Protocol Distribution

The figure above shows the different types of protocols on the network, with the percentage of each protocol on the right of the graph; on the left side are different tabs, and by clicking on each one of them the individual percentage of each protocol can be monitored.
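The counters in the MAC Statistics, Frame Size Distribution and Protocol Distribution views can be recomputed from raw frames. The following Python is an added example, not code from the essay or from Fluke or Wireshark: it classifies constructed Ethernet frames as broadcast, multicast or unicast from the destination MAC, buckets them into eight size classes, and works out the per-protocol share and the link utilisation. The sample frames are constructed; the eight size-class boundaries and the 100 Mbit/s link speed used for the utilisation figure are assumptions (the essay names only the 65-127 class and does not state the link speed).

```python
# Added example (not from the essay): recompute the MAC Statistics, Frame Size
# Distribution and Protocol Distribution counters that the analyzer's Detail
# View displays, from a handful of constructed Ethernet frames.
from collections import Counter

# Constructed sample frames: (destination MAC, EtherType or 802.3 length field,
# frame length in bytes). Made up for this example; not a capture from the essay.
SAMPLE_FRAMES = [
    ("ff:ff:ff:ff:ff:ff", 0x0806, 64),    # ARP request: broadcast
    ("01:80:c2:00:00:00", 0x0026, 64),    # STP BPDU: multicast, 802.3 length field
    ("00:11:22:33:44:55", 0x0800, 74),    # ICMP echo over IPv4: unicast
    ("00:11:22:33:44:55", 0x0800, 74),
    ("66:77:88:99:aa:bb", 0x0800, 1514),  # full-size TCP segment
    ("66:77:88:99:aa:bb", 0x0800, 300),
    ("01:00:5e:00:00:fb", 0x0800, 200),   # IPv4 multicast
    ("00:11:22:33:44:55", 0x86dd, 1600),  # giant: longer than Ethernet allows
    ("00:11:22:33:44:55", 0x0800, 40),    # runt: shorter than the 64-byte minimum
]

ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86dd: "IPv6"}

def frame_class(dst_mac):
    """Broadcast / multicast / unicast, decided from the destination MAC alone."""
    if dst_mac.lower() == "ff:ff:ff:ff:ff:ff":
        return "broadcast"
    first_octet = int(dst_mac.split(":")[0], 16)
    if first_octet & 1:            # I/G bit set: a group (multicast) address
        return "multicast"
    return "unicast"

def size_bucket(length):
    """Eight size classes (assumed here to match the analyzer's eight categories)."""
    if length < 64:
        return "<64 (runt)"
    if length == 64:
        return "64"
    for low, high in ((65, 127), (128, 255), (256, 511), (512, 1023), (1024, 1518)):
        if low <= length <= high:
            return f"{low}-{high}"
    return ">1518 (giant)"

def protocol_name(type_or_length):
    """Values up to 1500 are an 802.3 length field, anything larger is an EtherType."""
    if type_or_length <= 0x05DC:
        return "802.3"
    return ETHERTYPES.get(type_or_length, "other")

def mac_statistics(frames):
    classes = Counter(frame_class(dst) for dst, _, _ in frames)
    return {
        "frames": len(frames),
        "broadcast": classes["broadcast"],
        "multicast": classes["multicast"],
        "unicast": classes["unicast"],
        "bytes": sum(length for _, _, length in frames),
    }

def size_distribution(frames):
    return Counter(size_bucket(length) for _, _, length in frames)

def protocol_distribution(frames):
    """Share of frames per protocol, in percent, as the Protocol Distribution tab shows it."""
    counts = Counter(protocol_name(t) for _, t, _ in frames)
    return {name: round(100 * n / len(frames), 2) for name, n in counts.items()}

def utilisation_percent(total_bytes, seconds, link_bps=100_000_000):
    """Bits carried in the window divided by link capacity (link speed is an assumption)."""
    return 100 * total_bytes * 8 / (seconds * link_bps)

if __name__ == "__main__":
    stats = mac_statistics(SAMPLE_FRAMES)
    print(stats)
    print(dict(size_distribution(SAMPLE_FRAMES)))
    print(protocol_distribution(SAMPLE_FRAMES))
    print(f"{utilisation_percent(stats['bytes'], seconds=1.0):.6f}% of a 100 Mbit/s link")
```

The runt and giant classes are the ones worth watching on a real capture: the analyzer's error column in the essay stayed empty because nothing malformed was on the wire, and these two buckets are where such frames would show up.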
HOST TABLE

The Host Table gives us a picture of the traffic generation on the network and the MAC addresses of the devices receiving the traffic. It tells us the maximum-traffic host and the minimum-traffic host.

Figure 2.4: HOST TABLE

The picture above shows the percentage of traffic based on the number of frames coming in to each host. On the right hand side it shows the MAC addresses of the different hosts. It also tells us about the broadcast and the STP traffic.

NETWORK LAYER HOST TABLE

The Network Layer Host Table tells us about the packets, errors and bytes for each station at the network layer. It allows decoding the packets based on their network layer address, which helps network managers to troubleshoot at the host level.

Figure 2.5: NETWORK LAYER HOST TABLE

The figure above shows the packets coming in to the hosts at the network layer based on their IP addresses. It also tells us that there are 5 IP hosts and no IPX hosts on the network. [1]

APPLICATION LAYER HOST TABLE

The Application Layer Host Table tracks packets, errors and bytes on an application-specific basis. It traces the packet activity of a particular application and helps network managers to monitor bandwidth utilisation on the network.

Figure 2.6: APPLICATION LAYER HOST TABLE

The figure above shows the operation of the different applications by the host. It shows the usage of the bandwidth in percentage by each application.

HOST MATRIX

The Host Matrix shows the communication between two or more MAC addresses / hosts. Hosts could be talking to more than one host at the same time, as shown by the graph below:

Figure 2.7: HOST MATRIX

Figure 2.7 shows different hosts communicating with each other and at what percentage they are sending and receiving data on the network, which helps an engineer in bandwidth allocation to the various hosts on the network.

NETWORK LAYER MATRIX

The Network Layer Matrix shows the total data packets between a pair of systems by network layer protocol.
It shows the protocol-specific traffic between the hosts.

Figure 2.7: NETWORK LAYER MATRIX

The figure above shows the conversations between the different pairs of hosts. It shows the communication between two IP addresses and their bandwidth utilisation.

EXPERT VIEW

The Expert View shows different kinds of data captured on the network on a single screen, where the network engineer can monitor user activity to make the network more responsive and reliable.

Figure 2.8: EXPERT VIEW OVERVIEW
Figure 2.9: Expert View of Data Link layer
Figure 2.10: EXPERT VIEW OF SESSION LAYER
Figure 2.11: EXPERT VIEW OF NETWORK LAYER

The figures above show the output for different layers of the OSI model. They also show the protocol distribution across the network and the utilisation of the different applications for file transfers like HTTP, ARP and others. The Expert View also identifies errors and any broadcast or multicast traffic on the network.

PROTOCOL OPERATIONS

The Network Inspector tool is also used to investigate the operation of different protocols, such as:

ICMP
TFTP
TELNET
DHCP
RIP/OSPF/IGRP

ICMP (Internet Control Message Protocol)

ICMP stands for Internet Control Message Protocol. It is one of the most important internet protocols and is used by network administrators to monitor network connections.

ICMP SUCCESSFUL PING

ICMP is the tool used to check connectivity, also known as PING (Packet Internetwork Groper), which sends and receives echo requests. A successful PING means that the device is reachable: when the host receives the echo request it replies to it, which means the destination is reachable. This process is explained in the figures below.

Figure 0.1: ICMP ECHO REQUEST

Figure 0.1 shows an Echo Request by the host 192.168.2.2 to the destination 192.168.1.2 across the network.

Figure 0.2: ICMP ECHO REPLY

The Echo Reply to the request is shown in the figure above.
It is clearly visible that a 32-byte data packet was sent from the source 192.168.2.2 to the host 192.168.1.2, and that the host 192.168.1.2 sends the same 32 bytes back in its reply, which means no data was lost and both can communicate without losing any data.

ICMP PING TIMEOUT

Another common message while trying to ping a host or address is Ping Timeout. A ping times out when the destination IP address does not exist; Network Inspector displays the following result for a ping timeout.

Figure 0.3: REQUEST TIMED OUT

Figure 0.3 shows that when the engineer tries to ping an address which does not exist on the network, the ARP protocol broadcasts the request with the MAC address FFFFFFFFFFFF to find the destination address, but when it does not get any response, because the address is not there on the network, the Ping Request times out after some time.

ICMP NETWORK UNREACHABLE

Network Unreachable means the network which we are trying to reach is not available for communication. This could happen for numerous reasons: if the interface is down for some reason, if (in the case of RIP) it is at a distance of more than 15 hops from the source, or if the destination address does not exist in the routing table of the router. Fluke Network Inspector helps the network manager to find the reason behind the network failure, as explained in the figures below.

Figure 0.4: ECHO REQUEST FOR AN IP ADDRESS OUTSIDE THE NETWORK ADDRESS
Figure 0.5: DESTINATION UNREACHABLE REPLY

Figure 0.4 shows a network engineer sending an Echo Request to the address 192.168.3.1, which is not within the network, and Figure 0.5 shows that if the address is not on the network or in the routing table of the router, it sends back a Host Unreachable message. ICMP Ping Timeout is different from ICMP Network Unreachable: when the host sends data to an address, it then waits for the reply from the destination.
If after some time the reply does not come back, this means the data is going to the destination address but nothing is received back from that destination, and the message Request Timed Out is displayed. On the other hand, when the host sends data to an address which has no entry in the routing table of any of the routers, the data will not be sent anywhere and the message Destination Host Unreachable comes back.

TFTP

TFTP, or Trivial File Transfer Protocol, is very easy and simple to implement as it takes very little memory. It is a connectionless service that uses UDP (User Datagram Protocol). It is faster than FTP. It is used on routers, switches and some hosts that support TFTP for the purpose of transferring files.

Figure 0.6: TFTP FILE COPYING
Figure 0.7: TFTP

In the above figure it is clearly visible that the source port is 56882 and the destination port is 69, which is used for Trivial File Transfer. This diagram also proves that TFTP uses UDP to transfer files along the network. In the second portion the TFTP capture shows that the file transferred is sdm-config.

TELNET

Telnet is a utility to access a device remotely over the network. It can be used for many purposes. Telnet works with TCP/IP. Whenever we access a device remotely, a connection has to be established using a Three Way Handshake process.

ESTABLISHING A TELNET SESSION

Synchronisation between hosts is done by an exchange of connection-establishing segments that carry SYNs. The synchronisation requires each side to send its own ISN (Initial Sequence Number) and to receive a confirmation of it in an Acknowledgement (ACK) from the other host.
Each host also receives the other's ISN and sends a confirmation as an ACK; this process is called a Three Way Handshake.

THREE WAY HANDSHAKE

Host A sends its ISN (Seq = X) to start the session. It is received by Host B, which then sends its own ISN (Seq = Y) and also sends (ACK = X+1) to Host A. When Host A receives the ACK it does the same as Host B: it adds 1 to the ISN received and sends (ACK = Y+1) back to Host B, which establishes the TELNET session (see Figure 0.72).

Figure 0.72: THREE WAY HANDSHAKE (Host A sends SYN (Seq = X); Host B receives SYN (Seq = X) and sends SYN (Seq = Y, ACK = X+1); Host A receives SYN (Seq = Y, ACK = X+1) and sends ACK (ACK = Y+1); Host B receives ACK (ACK = Y+1)). Diagram taken from CCNA 1 2 Companion Guide.

Figure 0.8: THREE WAY HANDSHAKE

Figure 0.8 shows the Three Way Handshake. Each host sends an ISN and in reply the other host adds 1 to it and sends it back as an acknowledgement. Fluke Network Inspector allows the network administrator to see this process and monitor any unauthorised attempts.

Figure 0.9: FIRST STAGE OF THREE WAY HANDSHAKE

In Figure 0.9 the client sends a request to synchronise its ISN to the telnet server; it specifies its initial sequence number and adds 1 to it.

Figure 0.10: SECOND STAGE OF THREE WAY HANDSHAKE

Figure 0.10 shows that the ACK packet has been sent back to the host, and at the same time another packet carrying the server's SYN has also been sent to establish the connection.

Figure 0.11: THIRD STAGE OF THREE WAY HANDSHAKE

Figure 0.11 shows that the server has just received the packet from the host and the connection is now established between them for further data transfers.

DATA CAPTURING

Fluke Network Inspector helps the network manager to monitor and capture the data being transferred between the devices once the telnet session is active. Though it can be a lengthy process to view the whole data, it can be really helpful in troubleshooting typical problems. Data is captured only one letter at a time, which can be seen in the following diagram.
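The sequence-number arithmetic of the handshake above (Seq = X, then Seq = Y with ACK = X+1, then ACK = Y+1) can be checked mechanically, which is what an analyst does when validating a Telnet session in a capture. The following Python is an added example, not code from the essay or from the Fluke tool: a small state machine that replays a handshake segment by segment, records any step whose acknowledgement number does not match the ISN+1 rule instead of silently accepting it, and handles the 32-bit wrap of sequence numbers. The segments are constructed; the client and server addresses are User1 and R2 from the essay's test network, and the class and field names are this example's own.

```python
# Added example (not from the essay): replay the three-way handshake the essay
# describes (Seq = X, then Seq = Y / ACK = X+1, then ACK = Y+1) and check each
# step, recording anomalies the way a capture analyst would want them flagged.
from dataclasses import dataclass, field
from typing import List, Optional

MASK32 = 0xFFFFFFFF  # TCP sequence numbers wrap modulo 2^32

def plus1(n):
    return (n + 1) & MASK32

@dataclass(frozen=True)
class Segment:
    """The handful of TCP fields the handshake depends on."""
    src: str
    dst: str
    syn: bool
    ack_flag: bool
    seq: int
    ack: int = 0

@dataclass
class Handshake:
    client: str
    server: str
    state: str = "CLOSED"
    client_isn: Optional[int] = None
    server_isn: Optional[int] = None
    notes: List[str] = field(default_factory=list)

    def feed(self, seg: Segment) -> str:
        """Advance the state machine by one segment; anomalies are recorded, not fatal."""
        from_client = seg.src == self.client and seg.dst == self.server
        from_server = seg.src == self.server and seg.dst == self.client
        if self.state == "CLOSED" and from_client and seg.syn and not seg.ack_flag:
            self.client_isn = seg.seq                      # Host A sends SYN, Seq = X
            self.state = "SYN_SENT"
        elif self.state == "SYN_SENT" and from_server and seg.syn and seg.ack_flag:
            expected = plus1(self.client_isn)              # Host B must answer ACK = X+1
            if seg.ack != expected:
                self.notes.append(f"SYN/ACK acknowledges {seg.ack}, expected {expected}")
                return self.state
            self.server_isn = seg.seq                      # and carries its own ISN, Seq = Y
            self.state = "SYN_RECEIVED"
        elif self.state == "SYN_RECEIVED" and from_client and seg.ack_flag and not seg.syn:
            if seg.ack != plus1(self.server_isn) or seg.seq != plus1(self.client_isn):
                self.notes.append(f"final ACK seq/ack {seg.seq}/{seg.ack} do not match X+1/Y+1")
                return self.state
            self.state = "ESTABLISHED"                     # Host A sends ACK = Y+1
        else:
            self.notes.append(f"unexpected segment in state {self.state}: {seg}")
        return self.state

def replay(segments, client, server) -> Handshake:
    """Feed a list of segments through one Handshake tracker and return it."""
    hs = Handshake(client, server)
    for seg in segments:
        hs.feed(seg)
    return hs

# Constructed segments for User1 (172.17.1.100) opening Telnet to router R2 (172.17.0.2),
# addresses taken from the essay's test network. bad_ack=True produces a SYN/ACK whose
# acknowledgement number is X instead of X+1, so the session never gets established.
def sample_handshake(x, y, client="172.17.1.100", server="172.17.0.2", bad_ack=False):
    return [
        Segment(client, server, syn=True,  ack_flag=False, seq=x),
        Segment(server, client, syn=True,  ack_flag=True,  seq=y, ack=x if bad_ack else plus1(x)),
        Segment(client, server, syn=False, ack_flag=True,  seq=plus1(x), ack=plus1(y)),
    ]

if __name__ == "__main__":
    good = replay(sample_handshake(1000, 5000), "172.17.1.100", "172.17.0.2")
    print(good.state, good.notes)
    bad = replay(sample_handshake(1000, 5000, bad_ack=True), "172.17.1.100", "172.17.0.2")
    print(bad.state, bad.notes)
```

A tracker like this, run over every SYN seen on the wire, also gives a simple count of connections that never reach ESTABLISHED, which is the signal behind the "unauthorised attempts" the essay says the Inspector lets an administrator watch for.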
Figure 0.12: DATA CAPTURING

In the figure above the letter "I" has been captured, which is part of the password typed while accessing the device remotely. Thus the Fluke tool helps the network engineer to monitor each and every bit of data travelling across the network.

Figure 0.13: LOGGED ON THROUGH TELNET

Figure 0.13 shows the successful remote log-on to the router R2. From here on, all the data transferred will be captured by the Fluke Inspector tool.

TERMINATING A TELNET SESSION

Terminating a TELNET connection is a must for security reasons. It again takes a Three Way Handshake process. This process can be monitored in Fluke Inspector, as we will see in the diagrams below (see Figure 0.14).

Figure 0.14: FIRST STAGE TERMINATION

In Figure 0.14 the request for termination of the session has been sent; the next figure will show the acknowledgment received by the server.

Figure 0.15: SECOND STAGE TERMINATION

In Figure 0.15 the server receives the request and sends an acknowledgment for the termination of the session.

Figure 0.16: THIRD STAGE TERMINATION

Figure 0.16 shows the third and last stage of terminating the telnet session.

LIMITATIONS OF TELNET

TELNET is not a very secure process: it runs over the internet and the data is not encrypted, so it can easily be intercepted and the information can be lost. Secondly, TELNET involves TCP/IP only, and hence is not compatible with other protocols. Unauthorised users can log on to the network and damage the configuration files, which can affect the performance of the network and result in a less reliable network. To prevent this, remote access can be restricted to certain ports so that only authorised individuals can log on remotely, which helps in reducing the chances of an intrusion on the network.

DHCP (Dynamic Host Configuration Protocol)

DHCP allows hosts on the network to obtain an IP address dynamically.
The network engineer configures a DHCP server for the network, defining a pool of IP addresses to be allocated to a particular range of hosts. Whenever a host requests an IP address, the server automatically assigns one. When a DHCP client comes online it sends a DHCP Discover broadcast message. After sending the DHCP Discover, the client moves into the Select state. The client then takes the offer from the DHCP server: it receives the first response, sends a DHCP Request packet and asks for how long it can keep that address without renewing it. The server then acknowledges the request and sends a DHCP ACK packet. At this stage the client enters the Bound state and starts using the IP address. The flow chart below (see Figure 0.17) describes the whole process.

Figure 0.17: FLOW CHART FOR DHCP (states: Client Boots -> Initialize -> Select (DHCP Discover) -> Request (DHCP Request) -> Bound (DHCP ACK)). Diagram taken from CCNA 1 2 Companion Guide.

DHCP DISCOVER

The Protocol Inspector tool can be used to monitor the whole process step by step.

Figure 0.18: DISCOVER

Figure 0.18 shows the client being discovered by a DHCP server through its broadcast. At this point it does not have any IP address.

DHCP OFFER

The DHCP server makes an IP address offer to the client.

Figure 0.19: DHCP OFFER

In Figure 0.19 an offer is made by the server to accept 192.168.2.3 as the IP address.

CLIENT REQUEST

A request is sent from the host to the DHCP server for an IP address.

Figure 0.20: DHCP REQUEST

In Figure 0.20 the host negotiates the lease time for the IP address offered by the DHCP server.

DHCP ACKNOWLEDGMENT

The DHCP server then sends an acknowledgment packet.

Figure 0.21: ACKNOWLEDGMENT

Figure 0.21 shows that the IP address 192.168.2.3 has been accepted by the client as its new IP address.
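The Discover / Offer / Request / ACK exchange above can be reproduced end to end, which makes the captures easier to read: the message type, the offered address, the lease time and the server identity are all DHCP options behind a fixed BOOTP header. The following Python is an added example, not code from the essay or from the Protocol Inspector tool. It builds and parses DHCP messages (fixed header, magic cookie, options 53, 50, 51 and 54), walks a client through the Initialize, Select, Request and Bound states of the flow chart against a one-address server written for the example, and ignores replies that carry another host's transaction id, which is the check a client needs on a shared segment. The client MAC, transaction id, server address 192.168.2.1 and lease time are constructed; the offered address 192.168.2.3 is the one seen in the essay's figures.

```python
# Added example (not from the essay): build and parse DHCP messages and walk a
# client through Initialize -> Select -> Request -> Bound, mirroring the flow
# chart and the four captures (Discover, Offer, Request, ACK).
import socket
import struct

MAGIC = b"\x63\x82\x53\x63"                       # marks the start of the DHCP options
HEADER = "!BBBBIHH4s4s4s4s16s64s128s"             # 236-byte fixed BOOTP header
DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5        # option 53 message types
NAMES = {DISCOVER: "DISCOVER", OFFER: "OFFER", REQUEST: "REQUEST", ACK: "ACK"}

def build_dhcp(msg_type, xid, chaddr, yiaddr="0.0.0.0", extra=()):
    """Raw message: fixed header, magic cookie, option 53, extra (code, value) options, end."""
    op = 1 if msg_type in (DISCOVER, REQUEST) else 2   # BOOTREQUEST from clients, BOOTREPLY from servers
    flags = 0x8000 if msg_type == DISCOVER else 0       # broadcast bit: the client has no address yet
    header = struct.pack(HEADER, op, 1, 6, 0, xid, 0, flags,
                         b"\0" * 4, socket.inet_aton(yiaddr), b"\0" * 4, b"\0" * 4,
                         chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    options = bytes([53, 1, msg_type])
    for code, value in extra:
        options += bytes([code, len(value)]) + value
    return header + MAGIC + options + b"\xff"

def parse_dhcp(data):
    """Decode the fields the exchange depends on; raises on anything that is not DHCP."""
    fields = struct.unpack(HEADER, data[:236])
    if data[236:240] != MAGIC:
        raise ValueError("not a DHCP message: magic cookie missing")
    opts, i = {}, 240
    while i < len(data) and data[i] != 255:          # 255 = end option
        if data[i] == 0:                              # 0 = pad, carries no length byte
            i += 1
            continue
        code, length = data[i], data[i + 1]
        opts[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": fields[0], "xid": fields[4], "yiaddr": socket.inet_ntoa(fields[8]),
            "chaddr": fields[11][:fields[2]],
            "type": NAMES.get(opts.get(53, b"\0")[0], "UNKNOWN"), "options": opts}

class DhcpClient:
    """Client side of the exchange, with the states named in the essay's flow chart."""
    def __init__(self, mac, xid):
        self.mac, self.xid = mac, xid
        self.state = "INIT"
        self.address = self.server = self.lease = None

    def discover(self):
        self.state = "SELECT"
        return build_dhcp(DISCOVER, self.xid, self.mac)

    def handle(self, raw):
        """Consume a server message; return the next message to send, or None."""
        msg = parse_dhcp(raw)
        if msg["xid"] != self.xid or msg["chaddr"] != self.mac:
            return None                               # another host's transaction: ignore it
        if self.state == "SELECT" and msg["type"] == "OFFER":
            self.server = msg["options"][54]          # remember whose offer we accept (option 54)
            self.state = "REQUEST"
            return build_dhcp(REQUEST, self.xid, self.mac,
                              extra=((50, socket.inet_aton(msg["yiaddr"])), (54, self.server)))
        if self.state == "REQUEST" and msg["type"] == "ACK" and msg["options"].get(54) == self.server:
            self.address = msg["yiaddr"]
            self.lease = struct.unpack("!I", msg["options"][51])[0]   # lease seconds, option 51
            self.state = "BOUND"
        return None

def server_reply(raw, offered="192.168.2.3", server_ip="192.168.2.1", lease=86400):
    """A one-address DHCP server, constructed for this example."""
    msg = parse_dhcp(raw)
    common = ((54, socket.inet_aton(server_ip)), (51, struct.pack("!I", lease)))
    if msg["type"] == "DISCOVER":
        return build_dhcp(OFFER, msg["xid"], msg["chaddr"], offered, common)
    if (msg["type"] == "REQUEST" and msg["options"].get(50) == socket.inet_aton(offered)
            and msg["options"].get(54) == socket.inet_aton(server_ip)):
        return build_dhcp(ACK, msg["xid"], msg["chaddr"], offered, common)
    return None

def run_dora(mac=b"\x00\x11\x22\x33\x44\x55", xid=0x3903F326):
    """Run the whole exchange; returns the client and the message types seen on the wire."""
    client, trace = DhcpClient(mac, xid), []
    wire = client.discover()
    while wire is not None:
        trace.append(parse_dhcp(wire)["type"])
        reply = server_reply(wire)
        if reply is None:
            break
        trace.append(parse_dhcp(reply)["type"])
        wire = client.handle(reply)
    return client, trace

if __name__ == "__main__":
    bound, trace = run_dora()
    print(" -> ".join(trace), "|", bound.state, bound.address, f"lease {bound.lease}s")
```

The transaction-id and server-identifier checks in `handle` are the parts worth keeping in mind when reading a capture with several DHCP servers on the segment: an Offer or ACK that does not match both is not part of this client's exchange, however plausible its contents look.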
DHCP RELEASE

The DHCP server issues an IP address to the client, which can be seen in Figure 0.22.

Figure 0.22: DHCP RELEASE

RIP (Routing Information Protocol)

The Routing Information Protocol (RIP) is a dynamic routing protocol used in local and wide area networks. As such it is classified as an interior gateway protocol (IGP) using the distance-vector routing algorithm. Devices running RIP send the information about all the connected devices in the network every 30 seconds to keep the network reachable and connected. RIP has two versions. The Fluke Network Inspector tool tells us about the connected routers and the hops, with their IP addresses. All this information is very useful in troubleshooting.

Figure 0.23: RIP ROUTING INFORMATION PROTOCOL

Figure 0.23 explains the routing process. It shows that the port used for routing is UDP 17. Only two routers are connected to each other. It also tells us which version of RIP is running and at what distance both routers are, as the HOP COUNT: the first one is 1 hop from the host and the second one is 2 hops from the host. It sends the routing information every 30 seconds. Another thing is that RIP can only support 15 hops per network.

SNMP (Simple Network Management Protocol)

This protocol operates at the network layer of the OSI model, where it exchanges management information among the devices installed in the network. It is very clear from its name that this protocol is used to manage network devices such as routers, switches, hubs, modems, and systems. It is used to monitor different user activities over the network. SNMP helps the network engineer to monitor and identify any faults on the network and helps to solve these problems for better connectivity. A network managed by SNMP consists of the following:

Managed devices: devices used on the network such as routers, switches, hubs, modems, systems and servers.
Agents: an agent is software which runs on and operates the managed devices.
Network-management systems: they provide the processing and memory required for network management; there can be one or more network-management systems on a managed network.

GETIF UTILITY

The SNMP operation can be monitored by the network engineer with the use of Protocol Inspector and the OPTIVIEW utility, using a freely available browser utility called GETIF. GETIF is a Windows GUI-based network tool; it is very helpful for gathering graphical information about SNMP devices. It provides information like parameters, interfaces connected, routing tables, trace route and network length.

GETIF PARAMETERS

After loading the GETIF utility, type the router IP address into the host name box of the Parameters window; the result will be as follows.

Figure 0.24: GETIF PARAMETER

Figure 0.24 shows that once the router IP address has been typed in and the START button pressed in the Parameters tab of the GETIF utility, it gives us information like the router name and IP address and the router description, and also shows the SNMP port number, which is 161.

SNMP GET

The Fluke Network Inspector tool can be used with the GETIF utility to see the data retrieved from the SNMP agent. To retrieve this information, select the MBrowser tab on the GETIF window and then select the SNMP option from the graphical tree; it gives us all the required information shown below.

Figure 0.25: SNMP GET

SNMP SET

When a single item is selected in the MBrowser of the GETIF utility, start the network protocol inspector to monitor the data transfer.
When the name of the router is changed by using the GETIF utility, the change is shown on the Network Inspector utility as well.

SNMP TRAP

The Fluke Network Inspector tool along with the GETIF utility has the ability to diagnose errors on the network. To see the result on the Network Inspector tool, the network engineer can physically pull the serial cable out of the router port and break the communication in the network; the Network Inspector tool identifies this error and displays it on the tool's screen for the network engineer's urgent attention.

Figure 0.26: SNMP TRAP

In Figure 0.26 the status of the serial connection is shown as down; this is due to the serial cable being unplugged from the port.

GRAPHICAL MONITORING IN GETIF

This is another option in the GETIF utility to monitor the network bandwidth consumption and the percentage of the different protocols. It can be seen in the following figures.

Figure 0.27: SNMP GRAPHICAL MONITORING

In Figure 0.27 two graphs are shown; in these graphs only ICMP packets have been monitored, to show the operation of the protocol. In the top half of the figure the graph starts from 0 and then gradually goes up due to the increase in ICMP PINGs. A sudden drop can also be seen while the graph is increasing; this is due to a Request Timed Out in the ping. In the second half you can see the decrease in the graph, which is due to the pings being cancelled one by one.

BENEFITS OF FLUKE NETWORK INSPECTOR TOOL

Fluke Network Inspector allows the network engineer to provide reliable and desirable connectivity to the organisation; it saves time and money by effective resource management. It also gives the network engineer better knowledge about the devices installed on the network, which helps to find faults and fix them easily. Fluke Network Inspector provides a solution for monitoring and analysing the network, which can be very helpful to organisations in getting desirable and reliable connectivity for their network.
It also allows the network engineer to protect the network from any unauthorised users and gives the freedom of managing the network remotely. The Fluke Network Inspector tool helps in performing the major functions of network management, which include:

Fault Management
Configuration Management
Accounting Management
Performance Management
Security Management

All these functions have been explained briefly in this report.

FAULT MANAGEMENT

The process of identifying and diagnosing a problem on the network and resolving it is called fault management. The problem could be of any kind, from faulty cables to defective hardware. In other words, it is very important for the effective operation of a network and for providing connectivity among the users of a company. A skilled network engineer will detect a fault in the network in very little time and fix the problem fast. Fault management is a very reliable tool for providing connectivity for the network. It is very useful to the network administrator, as they can keep an eye on the network from anywhere in the network and resolve issues quickly. Apart from automatic updates about faults on the network, the network administrator can also be informed by the users. The network administrator can send ping packets to identify the problem. If a network administrator cannot reach a certain device remotely, for example when the administrator pings a device and gets no reply, there could be a number of reasons; fault management helps in finding solutions to such problems, so that the network is available all the time. Whenever there is a fault on the network it will be made known to the network operator by using SNMP (Simple Network Management Protocol). It also rates the problem as high risk or low risk to the network, keeps on sending information to the network administrator about the fault in the network until it has been resolved, and then sends a notification that the error is resolved.
CONFIGURATION MANAGEMENT

Configuration management is all about handling the configurations of the network devices. It involves maintaining a database of the network devices and providing reports of the data travelling over these devices. Keeping a record of the configured devices on the network is called configuration management. Configuration management can help a network administrator to install different software for better communication across the network. The database of configuration management includes different entries like the devices used, the version numbers and the device capabilities. By using configuration management a network administrator can add devices to the network, and can provide or deny access to a certain number of users or a group on a particular network. Remote sites can be configured by using different techniques, access can be restricted to certain areas of the network for specified users, or, if required, interfaces can be brought down or up by using the configuration.

ACCOUNTING MANAGEMENT

Accounting management helps in managing the utilisation of network resources, which leads to a more productive network. One of the functions of accounting management is to distinguish between inter- and intra-domain accounting data and route them to the respective device; for a session record containing a Network Access Identifier (NAI), the packet can be routed by examining the NAI, saving this packet from being broadcast over the whole network and consuming bandwidth. Accounting management involves monitoring the users' activities on the network at an individual or group level, which helps in providing better communication and also reduces the fault generation which can cause loss of data. It allows the network engineer to keep track of the bandwidth utilisation w