310 Chapter 6 • Capturing Network Data for Analysis

The Packet size option allows you to choose whether the whole packet should be captured (the default) or only part of it (between 32 bytes and 18,432 bytes). The When buffer is full option allows you to modify Sniffer Pro's behavior in the event that the capture buffer becomes full. The program can either Stop capture or Wrap buffer and keep capturing data.

To enable automatic saving, choose the Save to File option and specify the filename prefix as well as the number of files you want to be created on your hard drive. Indicate the directory to which you want the files to be saved. Other options you should specify to complete your setup are as follows:

■ Filename prefix Defines a common prefix for saved capture files.
■ Unique names This option specifies whether the analyzer must use a unique filename for each saved file. Sniffer Pro makes sure that the filenames are unique by assigning three random letters before the extension, as shown in the following example. This option is useful if you want to be sure that you don't overwrite files you have captured previously. Check that you have enough space on your hard drive to accommodate all the files.
■ Number of files This option sets the maximum number of files Sniffer Pro will create on the hard drive.
■ Wrap filenames This option specifies whether the files for this capture can be overwritten once the number of saved files has been reached. Disabling this option tells Sniffer Pro to stop capturing as soon as it fills its buffer and has saved the number of files you specified.

To better understand what these options actually do, perform the following exercise. Modify the new profile you have just created using these options:

1. Type LightPave as the filename prefix.
2. Select 3 as the number of files.
3. Enable the Unique Names option. Do not enable the Wrap filenames option, so Sniffer Pro will stop after the files become full.
4. Specify C:\Capture as the capture buffer directory.
5. Start the capturing process by pressing the F10 key.

Sniffer Pro will automatically stop capturing as soon as three files are filled.

www.syngress.com 219_sniffer_06.qxd 6/28/02 11:55 AM Page 310

Now if you look into the C:\Capture directory to which you saved the captures, you will see three files that look like the following:

■ LightPave001ajr.cap
■ LightPave002ajr.cap
■ LightPave003ajr.cap

LightPave here is the file prefix you chose; 001, 002, and 003 are the file numbers; and ajr is the randomly generated unique file identifier, so it can be different if you repeat this exercise.

File Types

Table 6.2 summarizes the different file types used by Sniffer Pro. Now let's talk about the file types that are directly related to saving captured data—the ones you can select while saving captured data to a hard drive. When Sniffer Pro was introduced, capture files had extensions that depended on the type of network adapter used: Ethernet files had the extension *.ENC, Token Ring files *.TRC, and FDDI files *.FDC. With the release of the Windows version of Sniffer Pro, new file formats were introduced, and Sniffer Pro now uses the same *.CAP format for all types of interfaces. Sniffer Pro saves files in a unified uncompressed format, so the files can grow dramatically if you capture a lot of data. To prevent this situation, you can save your captures with the *.CAZ extension, in which case Sniffer Pro automatically compresses your data. In the majority of cases, this extension significantly reduces the drive space needed to save your captures.

NOTE
For backward compatibility with other versions, Sniffer Pro permits you to save captures in the original Sniffer formats (*.ENC, *.TRC, and *.FDC).
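The Number of files, Unique names, and Wrap filenames options interact in a way that is easy to get wrong on a long unattended capture, so here is an added example that models the behavior described above. It is not Sniffer Pro code and not from the book: a rotator that names files prefixNNNxxx.cap, stops after the configured number of files when wrapping is off, and overwrites from file 001 when it is on. It assumes, as the LightPave001ajr.cap listing suggests, that the three random letters are drawn once per run and shared by all files of that run; the directory handling, the save_buffer helper and the run_capture simulation are this example's own.

```python
import os
import random
import string
import tempfile
from typing import List, Optional, Tuple


class CaptureFileRotator:
    """Models Sniffer Pro's Save to File options: Filename prefix, Number of files,
    Unique names and Wrap filenames.  Added example, not Sniffer Pro code."""

    def __init__(self, directory: str, prefix: str, number_of_files: int,
                 unique_names: bool = True, wrap_filenames: bool = False,
                 extension: str = "cap", rng: Optional[random.Random] = None) -> None:
        if number_of_files < 1:
            raise ValueError("Number of files must be at least 1")
        self.directory = directory
        self.prefix = prefix
        self.number_of_files = number_of_files
        self.wrap_filenames = wrap_filenames
        self.extension = extension
        rng = rng or random.Random()
        # Assumption: the three random letters are drawn once per capture run, so every
        # file of the run carries the same suffix (LightPave001ajr.cap, LightPave002ajr.cap, ...).
        self.suffix = "".join(rng.choice(string.ascii_lowercase) for _ in range(3)) if unique_names else ""
        self.buffers_saved = 0

    def next_path(self) -> Optional[str]:
        """Path for the next full buffer, or None when Wrap filenames is off and all files are used."""
        if self.buffers_saved >= self.number_of_files and not self.wrap_filenames:
            return None
        index = self.buffers_saved % self.number_of_files + 1   # 001, 002, ..., back to 001 when wrapping
        self.buffers_saved += 1
        return os.path.join(self.directory, f"{self.prefix}{index:03d}{self.suffix}.{self.extension}")

    def save_buffer(self, data: bytes) -> Optional[str]:
        """Write one full capture buffer; with wrapping on, the older file of the same index is overwritten."""
        path = self.next_path()
        if path is None:
            return None            # Wrap filenames off: the capture stops here
        with open(path, "wb") as fh:
            fh.write(data)
        return os.path.basename(path)


def run_capture(prefix: str, number_of_files: int, wrap_filenames: bool,
                buffers_filled: int, seed: int = 1) -> Tuple[List[str], int]:
    """Simulate a run in which `buffers_filled` buffers fill up in turn.  Returns the file
    names saved, in order, and how many files are left on disk afterwards."""
    directory = tempfile.mkdtemp(prefix="capture-")
    rot = CaptureFileRotator(directory, prefix, number_of_files,
                             wrap_filenames=wrap_filenames, rng=random.Random(seed))
    saved: List[str] = []
    for n in range(buffers_filled):
        name = rot.save_buffer(f"constructed buffer {n}\n".encode())   # constructed stand-in for frame data
        if name is None:
            break
        saved.append(name)
    return saved, len(os.listdir(directory))


if __name__ == "__main__":
    print("wrap off:", run_capture("LightPave", 3, False, 5))
    print("wrap on: ", run_capture("LightPave", 3, True, 5))
```

With wrapping off, five full buffers produce exactly three files and the capture stops, which is what the exercise above relies on; with wrapping on, the same five buffers leave three files on disk but the first two have been overwritten, so the oldest traffic is gone. That is the trade-off to weigh before leaving a capture running overnight.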
Retrieving and Loading Captures

When working with Sniffer Pro, you will find that one of the most difficult and time-consuming parts of the process is analyzing the captures—whether you took them yourself at the client site or someone else sent them to you. To analyze your captures, you must first open the capture files on your workstation. There are three different ways to do this:

■ From the main menu, choose File | Open.
■ Use the Open icon located on the main toolbar.
■ Press the Ctrl + O key combination.

Whichever method you choose, the standard MS Windows File Open dialog box pops up on your screen. From here you can perform all the familiar tasks on the capture files, such as browsing and changing directories, sorting files by extension, and creating new folders, to name a few.

Capturing and Analyzing Address Resolution Protocol

Address Resolution Protocol (ARP) is one of the most important protocols in the LAN environment. ARP allows IP-enabled devices on your network to dynamically map IP addresses to physical (MAC) addresses. Without the ARP process, the lives of network administrators would be miserable, since they would have to do this task manually! ARP is described in detail in RFC 826. Let's briefly examine the way it actually works.

NOTE
As a technician and analyst of networks, you will need a detailed understanding of ARP and how it functions. Viewing ARP caches on devices is also critical for the analyst. Because there is no single "magic" command to check ARP entries on any IP-enabled device, you should remember how to do it on different platforms:

■ Microsoft Windows: arp -a
■ UNIX: arp -a
■ Cisco: show arp and show ip arp

Figure 6.6 shows a simple network diagram with two workstations connected to the same shared Ethernet segment. Workstation A wants to communicate with Workstation B over IP on the same LAN segment. It checks its local ARP cache for Workstation B's address, and if no entry is found, it broadcasts an ARP request in a special format to see whether there is a device associated with this IP address. Workstation B replies to Workstation A, indicating that this specific IP address belongs to it. Workstation A updates its ARP table and can now communicate with Workstation B.

Figure 6.6 The ARP Request/ARP Response Process (diagram): Workstation A (MAC 00:00:86:3e:20:0d, IP 192.168.2.101) sends Frame 1, an ARP Request, to the broadcast address FF:FF:FF:FF:FF:FF; Workstation B (MAC 00:01:02:eb:2a:bf, IP 192.168.2.1) answers with Frame 2, an ARP Reply, sent to 00:00:86:3e:20:0d.

Capturing ARP Traffic

Now that we've talked about the theory involved, let's turn to actual practice and capture some ARP traffic. First, we have to find a method to separate ARP traffic from other packets on the network. We can use two different methods:

■ Capture all the traffic and afterward filter out the traffic we are interested in
■ Define a filter beforehand and capture only the traffic we are looking for

As we have already mentioned, both methods have pros and cons that we discuss in more detail in Chapter 8. Using capture profiles makes sense if you are absolutely sure exactly what information you need for later analysis. If you don't know what information you need, you might miss something very important because of your filter settings. If you have a capture buffer that is big enough to hold all the information you capture, it is a good idea to analyze all the captured traffic by applying various filters afterward. This way, you can be sure that you haven't overlooked anything.

For the following exercise, we use the second method and capture ARP packets only. To do this, let's define an ARP filter:

1. Choose Capture | Define Filter.
2. In the Define Filter window, choose Profiles | New.
3. Name this profile ARP and click OK, then Done (see Figure 6.7).
4. Now choose the Advanced tab and select ARP from the list of available protocols (see Figure 6.8).
5. Click OK to close the Define Filter window. We have defined the filter, so now we can capture some traffic by pressing the F10 key.
6. Clear the ARP entry for your default gateway by typing arp -d IP, where IP is your default gateway's IP address, and ping your default gateway.
7. Stop capturing and open the Decode window. You should see at least two captured frames (assuming that you have connectivity to your default gateway). The results, shown in Figure 6.9, are analyzed in the following section.

Figure 6.7 Creating a New Capture Profile
Figure 6.8 Selecting ARP as a Capture-Filtering Criterion

NOTE
Clearing an ARP cache is not dangerous to your network; in fact, it could solve some of your troubleshooting problems. Clearing an ARP cache can be useful if, for example, you have replaced network cards on some of your network devices, causing MAC addresses to change. Although most network devices have a mechanism that ages out ARP entries, you can manually speed up this process by executing the following commands:

■ Microsoft Windows 2000: arp -d
■ UNIX: arp -d -a
■ Cisco routers: clear arp

The only negative thing that clearing an ARP cache will do is generate some broadcast traffic while the device builds up the table again.

Figure 6.9 ARP Request/Reply Frames

Analyzing the Capture

As shown in Figure 6.9, we can see two frames in the Summary pane: ARP request and ARP reply. They are explained in the Detail pane underneath, so let's take a look at that pane. The DLC header shows the time when the captured frame arrived (it's not actually part of the frame; Sniffer Pro simply provides you with this additional information). The fields that are actually part of the frame are:

■ Size of the frame in bytes
■ Destination of the frame (FFFFFFFFFFFF, the all-stations broadcast address)
■ Source MAC address of the frame
■ EtherType, the upper-layer protocol

NOTE
The EtherType field indicates which upper-layer protocol's data is encapsulated in the Ethernet frame. In Ethernet II frames, the EtherType field follows the Source Address field; in 802.2 frames with SNAP headers, the EtherType field follows the OUI field. You can find a list of EtherType values at www.wildpackets.com/compendium/REF/REF-Etyp.html.

The ARP/RARP frame display presents information related to the ARP request itself:

■ Hardware type = 1 Type of media Sniffer Pro is connected to (1 = Ethernet).
■ Protocol Type = 0800 (IP) Upper-layer protocol that originated this request.
■ Length of hardware address = 6 bytes Length of the MAC address for this media (6 bytes for Ethernet).
■ Length of protocol address = 4 bytes Length of the higher-level protocol address (4 bytes for IPv4).
■ Opcode = 1 (ARP request) Type of ARP frame.
■ Sender's hardware address = 0000863E200D Sender's MAC address.
■ Sender's protocol address = 192.168.2.101 Sender's IP address.
■ Target hardware address = 000000000000 Target's MAC address. Note that this address is set to all zeroes. The requestor doesn't have this information; it is exactly what the requestor is trying to find through ARP.
■ Target protocol address = 192.168.2.1 Target's IP address.

Now that the first frame has been captured and analyzed, let's look at the second frame. Remember that the main difference is that the first ARP frame captured was a Request (Opcode 1) sent out as a broadcast, whereas the next ARP frame, a Reply (Opcode 2), was sent directly as a unicast frame. In other words, the reply was sent directly to the requestor to reduce broadcast traffic on the network.

ARP Troubleshooting with Sniffer

After having learned all these things about capturing traffic, you are probably eager to learn ways to detect a real problem. Let's take a look at an example of a commonly encountered problem on the network that you can easily troubleshoot if you know how to capture and analyze ARP packets—a situation in which there are duplicate IP addresses. This can be a nightmare for a network administrator who is not familiar with the issue or does not know how to troubleshoot it; it can cause intermittent loss of connectivity to specific destinations for some or all network devices.
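To make the field-by-field decode above concrete, here is an added example that is not from the book and not Sniffer Pro code. It builds and parses Ethernet II frames carrying ARP with Python's struct module (the same hardware type, protocol type, lengths, opcode, and sender/target addresses listed above) and then applies the check that the ARP Troubleshooting with Sniffer sidebar describes for duplicate IP addresses: more than one sender MAC answering ARP replies for the same IP. The first two frames are constructed to match the exercise (request from 192.168.2.101 / 00:00:86:3e:20:0d, unicast reply from 192.168.2.1 / 00:01:02:eb:2a:bf); the third, a second reply for 192.168.2.1 from the assumed MAC 00:d0:b7:11:22:33, is invented to show the duplicate.

```python
import struct
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple

ETHERTYPE_ARP = 0x0806
HW_ETHERNET, PROTO_IPV4 = 1, 0x0800
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = bytes.fromhex("ffffffffffff")
ZERO_MAC = bytes(6)


class ArpFrame(NamedTuple):
    dst_mac: str
    src_mac: str
    hw_type: int
    proto_type: int
    hw_len: int
    proto_len: int
    opcode: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_arp(opcode: int, src_mac: bytes, sender_mac: bytes, sender_ip: bytes,
              target_mac: bytes, target_ip: bytes, dst_mac: bytes = BROADCAST) -> bytes:
    """Ethernet II header (dst, src, EtherType 0x0806) followed by the 28-byte ARP packet:
    hardware type 1, protocol type 0x0800, hardware/protocol lengths 6 and 4, opcode, SHA, SPA, THA, TPA."""
    eth = struct.pack("!6s6sH", dst_mac, src_mac, ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", HW_ETHERNET, PROTO_IPV4, 6, 4, opcode,
                      sender_mac, sender_ip, target_mac, target_ip)
    return eth + arp


def parse_arp(frame: bytes) -> ArpFrame:
    """Decode the fields Sniffer Pro shows in the DLC and ARP/RARP sections of the Detail pane."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet II + ARP")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError(f"not ARP: EtherType 0x{ethertype:04x}")
    hw_type, proto_type, hw_len, proto_len, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (hw_type, proto_type, hw_len, proto_len) != (HW_ETHERNET, PROTO_IPV4, 6, 4):
        raise ValueError("only Ethernet/IPv4 ARP is handled here")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return ArpFrame(mac_str(dst), mac_str(src), hw_type, proto_type, hw_len, proto_len, opcode,
                    mac_str(sha), ip_str(spa), mac_str(tha), ip_str(tpa))


def duplicate_ips(frames: Iterable[bytes]) -> Dict[str, List[str]]:
    """IPs for which more than one MAC has sent an ARP reply: the duplicate-IP symptom
    (two or more answers to one request from different devices)."""
    claims: Dict[str, set] = defaultdict(set)
    for frame in frames:
        arp = parse_arp(frame)
        if arp.opcode == ARP_REPLY:
            claims[arp.sender_ip].add(arp.sender_mac)
    return {ip: sorted(macs) for ip, macs in claims.items() if len(macs) > 1}


# Constructed frames matching the exercise: Workstation A (192.168.2.101) resolves its gateway (192.168.2.1).
A_MAC, A_IP = bytes.fromhex("0000863e200d"), bytes([192, 168, 2, 101])
B_MAC, B_IP = bytes.fromhex("000102eb2abf"), bytes([192, 168, 2, 1])
ROGUE_MAC = bytes.fromhex("00d0b7112233")   # assumed: a second host misconfigured with 192.168.2.1
SAMPLE_FRAMES = [
    build_arp(ARP_REQUEST, A_MAC, A_MAC, A_IP, ZERO_MAC, B_IP),                    # broadcast, THA all zeroes
    build_arp(ARP_REPLY, B_MAC, B_MAC, B_IP, A_MAC, A_IP, dst_mac=A_MAC),          # unicast reply back to A
    build_arp(ARP_REPLY, ROGUE_MAC, ROGUE_MAC, B_IP, A_MAC, A_IP, dst_mac=A_MAC),  # second answer: duplicate IP
]

if __name__ == "__main__":
    for frame in SAMPLE_FRAMES:
        print(parse_arp(frame))
    print("duplicate IPs:", duplicate_ips(SAMPLE_FRAMES))
```

Run over a live stream of ARP replies instead of a fixed list, the same check also surfaces ARP spoofing: an attacker answering for the gateway's address appears as a second MAC claiming 192.168.2.1, exactly like the misconfigured host, so a sudden change in which MAC answers for an IP deserves the same switch-port tracing the sidebar recommends.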
Configuring & Implementing… (ARP Troubleshooting with Sniffer, continued)

In most cases, duplicate IPs are caused by misconfiguration of a network device, when two or more devices on the network are assigned the same IP address. This can also be caused by misconfiguration or malfunctioning of DHCP servers on a segment. Being able to use Sniffer Pro correctly makes troubleshooting this problem a piece of cake. Start capturing packets with the ARP filter defined, clear your ARP cache, and run a ping to the destination in question. If you are really experiencing the duplicate IP address problem, you will see two or more responses to a single ARP request from different devices, as shown in Figure 6.10. Now, knowing the MAC addresses of the devices that erroneously try to share the same IP address, you can track their exact locations. (Most modern switches allow you to view which particular port has a network device with a specific MAC address connected to it.) Once you know the location, you can go there and fix the problem. You can also choose Discovered Addresses from the Display menu. In the Discovered Addresses window, you should be able to find the duplicate address that causes the problem.

Figure 6.10 The Duplicate IP Addresses Problem

Capturing and Analyzing Internet Control Message Protocol

Internet Control Message Protocol (ICMP), described in RFC 792 and part of the TCP/IP protocol stack, is an error-reporting and control protocol used between network devices. ICMP messages are encapsulated in IP datagrams, so we also cover the IP header in this section. ICMP is a very powerful tool that allows us to report over 20 different network conditions. (You can also visit www.protocols.com for more information about ICMP.) Let's look at the combination of echo request and echo reply messages as an example.

Capturing ICMP Traffic

To separate ICMP traffic from the rest of the traffic on the network, let's define a new capture filter:

1. Choose Capture | Define Filter.
2. Select Profiles, and in the Capture Profiles window, select New.
3. Choose ICMP as the new profile name. Here is a trick: Sniffer Pro already has a predefined profile that filters ICMP only, so instead of creating your own filter, you can choose the predefined one. Select Copy Sample Profile, select IP/ICMP, and press OK.
4. Click Done in the Capture Profiles window and OK in the Define Filter window.
5. Press the F10 key to start capturing, and send a few pings to your default gateway. Stop capturing by pressing F9 and select the Decode tab.

Designing & Planning…

Be Prepared for Outages

If your client is experiencing technical difficulties, you must resolve the situation efficiently. To do that, you have to capture and analyze the traffic on the network. The faster and more thoroughly you capture and analyze the traffic, the earlier you can detect and eliminate the problem. As soon as you arrive on site (armed with your laptop that has Sniffer Pro on it, of course) at a location where a client is experiencing network problems, start diagramming locations, closets, traffic flows, and IP schemes. The first and one of the most important steps in problem resolution is to get accurate documentation so that you understand your customer's network topology. In addition, make sure that you have familiarized yourself with the equipment your client uses before you take immediate action. We also recommend that you make sure the computer on which you are running Sniffer Pro has enough resources (CPU, memory, hard drive space) to capture all the traffic without packet drops due to a lack of performance on the part of your computer. It can also be a good idea to create a few capture filters for the most important applications for your customers well in advance. In today's networks, millions of packets can traverse the network equipment every second, and most of them are not related to the problem your customer is experiencing. For that reason, defining appropriate capture filters beforehand can save precious time during a network outage.

[...] (preview excerpts from later pages of the chapter and the start of Chapter 7; each begins and ends mid-text)

[...] ...for a network analyst who tries to capture unicast traffic between devices. It's a drawback because, if connecting Sniffer Pro to a port on a switch, all he or she can typically see is broadcast, multicast, and traffic destined to unknown addresses, but not traffic destined to a specific destination. Continued...

[...] ...it (see Figure 6.13). 4. Click OK to close the Define Filter window. 5. You can start capturing TCP traffic now by pressing F10. Figure 6.13 Defining a TCP Filter. NOTE If you are connected to a heavily loaded LAN segment with a large number of packets traversing it, your Sniffer Pro's capture...

[...] ...these three problems on your network: saturated or unreliable network links, slow network devices, or outdated TCP/IP stacks—you know where to look to fix the problem. Capturing and Analyzing User Datagram Protocol. User Datagram Protocol (UDP) is another Layer 4 protocol that is very popular on the Internet. UDP is used by a number of upper-layer protocols—for example, SNMP, Trivial File Transfer Protocol (TFTP), ...

[...] ...optional, so a UDP frame with the checksum set to 0 is not an erroneous one. Figure 6.18 A UDP Header. As you can see, UDP does not have most of the fields we saw in a TCP frame, because it is a connectionless protocol and does not need all the fields necessary for a TCP frame, such as sequence...

[...] ...captures as well as the formats Sniffer Pro uses for auxiliary information. Solutions Fast Track. Capturing Traffic. ! If you have a problem on your network, you need to take fast action to sort it out. Sniffer Pro will help you capture the traffic you need to analyze the issue. ! All captured...

[...] ...captured by Sniffer Pro, go to File | Open, or press Ctrl + O. Alternatively, you can click the appropriate icon in the main toolbar. ! To open files captured by other packet analyzers and saved in a different format that is not compatible with Sniffer Pro, you have to use third-party products to export one format into another before actually opening the file.

[...] ...chapter answered by the author, browse to www.syngress.com/solutions and click on the "Ask the Author" form. Q: I have received a file captured by Microsoft Network Monitor. Is there any way to open it with Sniffer Pro? A: You can't open these files directly from Sniffer Pro, because the formats Microsoft Network Monitor uses to store data are not Sniffer Pro compatible. You have to export one format into ...

[...] ...the date, client name, problem description, and its cause you discovered using Sniffer Pro. Q: In discussing TCP traffic, we could see how simple it is to capture someone's secret password. Is there any way to transfer the information securely? A: Yes. A number of protocols let you encrypt ... easily. These protocols can work on the application layer (for example, Secure Shell, SSH, and secure copy) and on the network layer (IPSec).

[...] Chapter 7 Analyzing Network Issues. Solutions in this chapter: ■ Hey! Why Is the Network So Slow? ■ Resetting Token Ring ■ Using Sniffer Pro to Troubleshoot a Chattering Network Interface Card ■ Using Sniffer Pro ... (Runts) ■ Using Sniffer Pro to Troubleshoot Browsing Battles ■ Dynamic Host Configuration Protocol Failure ! Summary ! Solutions Fast Track ! Frequently Asked Questions. Introduction. You can use Sniffer Pro not only to monitor traffic on your network, but also as an aid in the isolation and resolution of many network issues...
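For the ICMP capture described under Capturing ICMP Traffic above (echo request and echo reply carried in IP datagrams) and for the UDP checksum point in the excerpts above (a UDP checksum of 0 is not an error), here is an added example that is not from the book and not Sniffer Pro code. It decodes an IPv4 datagram carrying ICMP or UDP, verifies the RFC 1071 checksums the way an analyzer would, and treats a zero UDP checksum as "not present" rather than as corruption. The packets are constructed: an echo request/reply pair between 192.168.2.101 and 192.168.2.1 using the 32-byte payload that Windows ping sends, and a UDP datagram to port 161 with and without a checksum; the two payload bytes are placeholders, not a real SNMP message.

```python
import struct
from typing import Any, Dict

ICMP_PROTO, UDP_PROTO = 1, 17


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def internet_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's-complement sum of 16-bit words, complemented.
    A correct header or message checksums to 0 when the checksum field itself is included."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: bytes, dst: bytes, proto: int, payload: bytes, ident: int = 0x1234, ttl: int = 128) -> bytes:
    # Version 4, IHL 5 (20-byte header, no options); the checksum covers the header only.
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, 0, ttl, proto, 0, src, dst)
    header = header[:10] + struct.pack("!H", internet_checksum(header)) + header[12:]
    return header + payload


def build_icmp_echo(icmp_type: int, ident: int, seq: int, data: bytes) -> bytes:
    """Type 8 = echo request, 0 = echo reply; the checksum covers the whole ICMP message."""
    msg = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + data
    return msg[:2] + struct.pack("!H", internet_checksum(msg)) + msg[4:]


def build_udp(src: bytes, dst: bytes, sport: int, dport: int, data: bytes, with_checksum: bool = True) -> bytes:
    """UDP over IPv4. The checksum covers a pseudo-header (addresses, protocol, length) plus the segment
    and is optional: a sender may transmit 0 instead, and a computed 0 is transmitted as 0xFFFF."""
    length = 8 + len(data)
    seg = struct.pack("!HHHH", sport, dport, length, 0) + data
    if with_checksum:
        pseudo = struct.pack("!4s4sBBH", src, dst, 0, UDP_PROTO, length)
        csum = internet_checksum(pseudo + seg) or 0xFFFF
        seg = seg[:6] + struct.pack("!H", csum) + seg[8:]
    return seg


def decode(packet: bytes) -> Dict[str, Any]:
    """Decode the IPv4 header and the ICMP or UDP header it carries, verifying each checksum."""
    ver_ihl, _tos, total_len, _ident, _flags, ttl, proto, _hcsum, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl or total_len > len(packet):
        raise ValueError("malformed IPv4 header")
    out: Dict[str, Any] = {"src": ip_str(src), "dst": ip_str(dst), "ttl": ttl, "protocol": proto,
                           "ip_checksum_ok": internet_checksum(packet[:ihl]) == 0}
    body = packet[ihl:total_len]
    if proto == ICMP_PROTO:
        icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", body[:8])
        out.update(icmp_type=icmp_type, icmp_code=code, icmp_id=ident, icmp_seq=seq,
                   icmp_kind={8: "echo request", 0: "echo reply"}.get(icmp_type, "other"),
                   icmp_checksum_ok=internet_checksum(body) == 0, payload=body[8:])
    elif proto == UDP_PROTO:
        sport, dport, length, csum = struct.unpack("!HHHH", body[:8])
        pseudo = struct.pack("!4s4sBBH", src, dst, 0, UDP_PROTO, length)
        out.update(udp_sport=sport, udp_dport=dport, udp_length=length,
                   udp_checksum_present=csum != 0,
                   # A zero checksum means "not computed" for UDP over IPv4, so it is not an error.
                   udp_checksum_ok=(csum == 0) or internet_checksum(pseudo + body[:length]) == 0,
                   payload=body[8:length])
    return out


# Constructed sample packets: the ping exchange from the exercise and a UDP datagram to the SNMP port.
HOST, GATEWAY = bytes([192, 168, 2, 101]), bytes([192, 168, 2, 1])
PING_DATA = b"abcdefghijklmnopqrstuvwabcdefghi"            # the 32-byte pattern Windows ping sends
ECHO_REQUEST = build_ipv4(HOST, GATEWAY, ICMP_PROTO, build_icmp_echo(8, 0x0200, 1, PING_DATA))
ECHO_REPLY = build_ipv4(GATEWAY, HOST, ICMP_PROTO, build_icmp_echo(0, 0x0200, 1, PING_DATA))
SNMP_LIKE = b"\x30\x00"                                     # placeholder payload, not a real SNMP message
UDP_WITH_CSUM = build_ipv4(HOST, GATEWAY, UDP_PROTO, build_udp(HOST, GATEWAY, 40000, 161, SNMP_LIKE))
UDP_NO_CSUM = build_ipv4(HOST, GATEWAY, UDP_PROTO, build_udp(HOST, GATEWAY, 40000, 161, SNMP_LIKE, with_checksum=False))

if __name__ == "__main__":
    for pkt in (ECHO_REQUEST, ECHO_REPLY, UDP_WITH_CSUM, UDP_NO_CSUM):
        print(decode(pkt))
```

Two things worth noticing when reading a decode: a corrupted ICMP payload fails the ICMP checksum while the IP header checksum still passes, because the IP checksum covers only the header, and the Identifier/Sequence pair in the echo messages is what lets you match each reply to its request when several pings are in flight.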