220 likes | 231 Views
Learn about the roles and purposes of network analysis, how to install protocol analyzers, and the features of the Sniffer Pro application. Understand protocol analysis, useful roles for protocol analysis, and elements of a protocol analyzer. Discover how to place a protocol analyzer on a network and different methods for analyzing switched networks.
E N D
BAIST – Network Management BAI513 - PROTOCOLS Introduction to Network Analysis and Sniffer Pro
Objectives • At the end of this presentation, the student will be able to: • Describe the roles and purposes of Network Analysis. • Describe the “how, where and why” of installing Protocol Analysers. • Describe the main features / functions of the Sniffer Pro application.
About Protocol Analysis • Protocol analysis (also referred to as network analysis) is the process of tapping into the network communications system, capturing packets that cross the network, gathering network statistics, and decoding the packets into readable form • In essence, a protocol analyzer eavesdrops on network communications • Many protocol analyzers can also transmit packets—a useful task for testing a network or device
Useful Roles for Protocol Analysis • Protocol analyzers are often used to troubleshoot network communications • Typically, analyzers are placed on the network and configured to capture the problematic communication sequence • Protocol analyzers are also used to test networks • Testing can be performed in a passive manner by listening to unusual communications, or in an active manner by transmitting packets onto the network
Protocol Analyzer Elements • The following diagram depicts the basic elements of a protocol analyzer • The basic elements are: • Promiscuous mode card and driver • Packet filters • Trace buffer • Decodes • Alarms • Statistics
Promiscuous Mode Card & Driver • The network interface card and driver used on the analyzer must support promiscuous mode operation • A card that runs in promiscuous mode can capture broadcast packets, multicast packets, and unicast packets sent to other devices, as well as error packets • An analyzer running with a promiscuous mode card and driver can see Ethernet collision fragments, oversized packets, undersized packets (a.k.a. runts), and packets that end on an illegal boundary
Packet Filters • If you are interested in the type of broadcasts that are crossing a network, you can set up a filter that allows only broadcast packets to flow into the analyzer • When filters are applied to incoming packets, they are often referred to as capture filters, or pre-filters
Packet Filters • Filters can be based on a variety of packet characteristics including, but not limited to: • Source data link address • Destination data link address • Source IP address • Destination IP address • Application or process
Trace Buffer • The packets flow into the analyzer’s trace buffer, a holding area for packets copied off the network • Typically, this is an area of memory set aside on the analyzer, although some analyzers allow you to configure a “direct to disk” save option • Most analyzers have a default trace buffer size of 4 MB
Decodes • Decodes are applied to the packets that are captured into the trace buffer • These decodes enable you to see the packets in a readable format with the packet fields and values interpreted for you • Decoders are packet translation tools
Alarms • Many analyzers have a set of configurable alarms that indicates unusual network events or errors • The following lists some typical alarms that are included with most analyzer products: • Excessive broadcasts • Utilization threshold exceeded • Request denied • Server down
Statistics • Many analyzers also display statistics on network performance, such as the current packet-per-second rate, or network utilization rates • Network administrators use these statistics to identify gradual changes in network operations, or sudden spikes in network patterns
Placing a Protocol Analyzer on a Network • A protocol analyzer can only capture packets that it can see on the network • On a network that is connected with hubs, you can place the analyzer anywhere on the network • There are basically three options for analyzing switched networks: • Hubbing out • Port redirection • Remote Monitoring (RMON)
Hubbing Out • By placing a hub between a device of interest (such as a server) and the switch, and connecting the analyzer to the hub, you can view all traffic to and from the server
Port Redirection • Many switches can be configured to redirect (actually, to copy) the packets traveling through one port to another port • By placing your analyzer on the destination port, you can listen in on all the conversations that cross the network through the port of interest
Remote Monitoring (RMON) • RMON uses Simple Network Management Protocol (SNMP) to collect traffic data at a remote switch and send the data to a management device
Sniffer Pro Introduction • Sniffer Pro is a powerful network visibility tool that enables you to: • Monitor network activity in real time • Collect detailed utilization and error statistics for individual stations, conversations, or any portion of your network • Save historical utilization and error information for baseline analysis • Generate visible and audible real-time alarms
Sniffer Pro Introduction (cont) • Sniffer Pro is a powerful network visibility tool that enables you to: • Notify network administrators when troubles are detected • Capture network traffic for detailed packet analysis • Receive Expert analysis of network traffic • Probe the network with active tools to simulate traffic, measure response times, count hops, and troubleshoot problems
Sniffer Pro Major Components • The main functional components of Sniffer Pro: • Monitorcalculates and displays real-time network traffic data. • Capturefunction captures network traffic and stores the actual packets in a buffer (and optionally to a file) for later analysis. • Real-time Expert Analysisfunction analyzes the network packets during capture and alerts you to potential problems on your network. These problems are categorized as either symptoms and/or diagnoses. • Displayfunction decodes and analyzes the packets in the capture buffer, and displays them in a variety of formats. • NOTE: BAI513 will only utilize the Capture and Display components of Sniffer Pro.
Summary • This presentation covered information that allowed the student to: • Describe the roles and purposes of Network Analysis. • Describe the “how, where and why” of installing Protocol Analysers. • Describe the main features / functions of the Sniffer Pro application.