582 Chapter 12 • Troubleshooting Traffic for Network Optimization

NOTE
You learned how to configure ART in Chapter 4, "Configuring Sniffer Pro to Monitor Network Applications." ART is also a valuable tool for making sure there are no unauthorized applications in use on your network. For example, instant messaging and file sharing applications pose a serious security risk to any network: they are not built with security in mind and can be misused by hackers. Often you'll find policies regarding the acceptable use of Internet access, but nothing regarding streaming audio, instant messaging, or file sharing applications. If your organization doesn't have a policy covering such applications, encourage it to implement one.

Last, but hardly least, make sure you discuss the expectations and needs of the network with the users. This, as much as anything else, will aid you in your goal of speedy, reliable, and secure network services. One way is to attend the meetings of other departments. Make sure the users have reasonable expectations based on the level of service available. Invite them to give you feedback. Find out how they use the network and what you can do to make it more effective. Something as simple as moving a printer to a more convenient and accessible location can go a long way toward improving communication between you and your users. Just looking at packets wouldn't tell you that a majority of users have to schlep down the hall to retrieve printed documents.

Designing & Planning…

Wear the White Hat

One of the most valuable tools you can have, and one of the most destructive forces you'll ever encounter on your network, will be your users. Whether users are part of the problem or part of the solution depends on how they perceive you. If you are perceived as a heavy-handed dictator using Sniffer Pro like a bloodhound to weed out any and all network infractions, then you have set yourself up as the enemy. If, on the other hand, you are perceived as a source of assistance, as someone who uses tools like Sniffer Pro to resolve problems, then you've added hundreds of extra hands to your network support team. If you find that there are users on your network who are not "behaving" and are creating problems for you, you may want to enforce a security policy (with management's approval and support). If you are a manager, you should have a security policy in place already.

www.syngress.com 219_sniffer_12.qxd 6/28/02 12:25 PM Page 582

Now that you've established how you want to monitor, let's build our baseline documents. In Chapter 6, "Capturing Network for Data Analysis," we covered capturing network data in great detail. For the purposes of our baseline document, we need to determine several key points:

■ What do we want to monitor? This should be determined by the needs of the business and by information gathered using tools such as ART. Make sure you understand which protocols are the most important to the business goals of the organization.

■ When do we want to monitor? Select specific times to capture traffic so that you get a variety of samples reflecting both the highest and the lowest demands on network resources. For example, you know that first thing in the morning, as people arrive at work and log on to the network, traffic will be higher. This data should be compared to a time when demand is much lower, such as overnight or on weekends. Use historical samples to build a graphical timeline showing the trends of your organization's network usage. A chart such as the one shown in Figure 12.10 can be exported for use in your baseline documents. You can get great information from sampling, such as spikes and surges in network traffic, and you can optimize traffic based on historical sampling.

■ Where do we want to monitor? Later in this chapter we'll discuss attaching directly to switches for analysis. It's important that you monitor and collect samples from the main access points on your network. Don't rely on data collected only from the obvious points such as your gateway to the Internet, your master WINS server, and the PDC. Look at data from unlikely areas as well. Perform spot checks at various points all over your network to get an accurate picture of where the highest demands are being made.

NOTE
If you're planning on taking the SCP exam, here's a tip for you: make sure you know what data can be exported and imported, and from which menus, in Sniffer Pro!

Now that we've compiled our data, what can we do to optimize our network services? Naturally, it depends on the information you've gathered, but here are some tips that may help you get the most from your network resources.

Printing

Consider the amount of printing done and where the highest demands for print services are being made on your print servers. Some departments may do only light printing (e-mails and the occasional memo), but other departments may be sending massive documents filled with color graphics to your print servers. This sends a large amount of data over your wire and requires high CPU utilization by your print server's spooling service. Often a domain controller is configured to act as a centrally located print server. This can cause slow network services when print demand is high. One way to counteract this is by spreading out the load: if you move a print server to the areas where demand is highest and point the most print-hungry users to those servers, you will decrease bandwidth utilization for the rest of the network.

E-mail

E-mail service can be a network administrator's biggest headache. One thing you may find your users doing is e-mailing files to each other. In one company I worked for, users were sending large PowerPoint presentations to each other via e-mail. The users were in the same building; some were not more than several cubicles apart! The files, often 15MB or more, were sent by one user, hit the MTA on the Exchange e-mail server, then were sent back down the wire to the next user, who reviewed it, made changes, and sent it back. Considering how often this was being done by so many users, this was a sizable drain on network bandwidth and on the resources of the e-mail server! While the MTA service on the Exchange server was processing all those monster-sized files, all the other mail was backing up behind them. The solution was to build a file server for that department so the users could share group documents. Using e-mail servers as file sharing servers is a waste of valuable network resources.

Figure 12.10 Historical Data Sampling

Unauthorized Internet Traffic

Unauthorized Internet traffic can eat up bandwidth that could be used for legitimate business purposes. Any company that provides Internet access should have an acceptable use policy. Make sure you know what that policy covers and determine whether it is comprehensive enough based on your monitoring of Internet use. If needed, make sure it restricts the use of bandwidth-hogging, unsecured applications. Stopping by a Web site for sports scores or news headlines may be considered acceptable under the organization's policies, but things like downloading video highlights of last night's game, QuickTime movie trailers, real-time stock quotes, instant messaging, and streaming audio all waste bandwidth and present a very real security risk. Monitor for this kind of usage, and make sure a minority of users is not monopolizing Internet access. Table 12.1 lists some of the more notorious applications and the ports they use. Keep in mind that this is only a portion of the applications of this type and that many applications allow the user to configure custom ports, so a port-based filter is a starting point, not proof of what an application actually is.

Table 12.1 Popular Network Applications

Application                Description                                        Ports
AOL Instant Messenger      A chat and filesharing application                 Accesses the list of users from the AOL server via TCP 5190
AOL via TCP/IP             A direct link to an AOL account over the Internet  TCP port 5190
DirectX Gaming             A Microsoft multiplayer gaming protocol            TCP/UDP ports 47624 and 2300-2400
ICQ                        A chat and filesharing application                 Accesses a list of users from TCP port 4000
KaZaa                      A distributed filesharing application              TCP port 1214
MSN Instant Messenger      A chat and file sharing application                TCP port 1863
MSN Gaming Zone            Microsoft's online gaming service                  TCP ports 28800-29000
Microsoft NetMeeting       A chat, video, audio, and filesharing application  Uses H.323 on TCP/UDP port 1720 and MS ICCP on TCP/UDP port 1731
Yahoo! Messenger           A chat and video application                       TCP ports 5050 and 80
QuickTime video streaming  Apple's streaming video application                TCP port 80 and UDP ports 7070, 6970 and 554
RealPlayer                 Popular application for streaming audio and video  TCP ports 7070, 554 and 80; UDP ports 6870-7170

NOTE
For a complete listing of the registered services and their assigned port numbers, visit the Internet Assigned Numbers Authority website at www.iana.org.

AntiSniff: Who's Sniffing Whom?

One tool that could be used by a hacker is the very one you are learning how to use: Sniffer Pro. Very often, a hacker will use a "sniffer-like" application to look for holes on a network. Sniffer Pro is one of the most popular sniffer applications, but certainly not the only one.
Here is a small list of other utilities you (or hackers) can use to sniff traffic:

■ WildPackets EtherPeek
■ Microsoft's Network Monitor
■ Various other compiled sniffing tools created by hackers

Make sure you are watching for unusual signs that could indicate there is another, unauthorized sniffer application running on your network. One way is to use a tool called AntiSniff, shown in Figure 12.11. AntiSniff uses custom packets to look for systems whose network cards are running in promiscuous mode. Another clue is an unusually large amount of name resolution traffic going to one client: a client that reverse-resolves every address it sees on the wire is very likely running a sniffer that resolves host names. Make sure your network design includes solid security planning. Figure 12.12 shows the interface of AntiSniff version 1.02; it is GUI-based and easily obtained on the Internet. You can use this tool to find promiscuous-mode machines sniffing your network.

Figure 12.11 "AntiSniff" Created by L0pht

Figure 12.12 The Interface of L0pht AntiSniff

Let's take a deeper look. Learning how AntiSniff works will help to reinforce what you know about Sniffer Pro. Understanding AntiSniff shows you how Sniffer Pro works, because AntiSniff exploits the way a sniffer operates. AntiSniff is a network card promiscuous mode detector. It itself runs in promiscuous mode to grab all packets on the wire, not just the broadcast packets or those "destined" for the host running it. AntiSniff sends a series of carefully crafted packets in a certain order to a target machine. It then collects the results and performs timing tests against the target, measuring the timing results while monitoring the target's responses on the network, and from that it determines whether the target is in promiscuous mode.

The proactive side of using AntiSniff is that you will essentially be removing a possible traffic generator on your network. If someone on the network is using a sniffer without your knowledge, they could be grabbing data, account names, and passwords, or generating and sending out traffic. You are trying to optimize and proactively manage your network, and someone is using your own tools against you! AntiSniff to the rescue!

One cool thing you get from AntiSniff is highly accurate detection of promiscuous-mode Ethernet cards. When AntiSniff is used, you can eliminate this threat from your network very quickly, as well as save your sessions and alarms. Alarming is useful because you can set this application to run and shoot you an e-mail when an alarm is triggered, as seen in Figure 12.13. At the bottom of Figure 12.13 you can see that graphics and noises can be thrown at you as needed as well. Figure 12.14 shows the default image used to alarm you when AntiSniff confirms a security violation.

Figure 12.13 Setting Alarms on Your AntiSniff Application

As always, I stand by my words as a writer, engineer, and analyst to always give the good and bad on every product I touch. In that spirit, here are some disadvantages to running AntiSniff that you should be aware of:

■ It's only going to be simple for someone with knowledge of sniffing and protocols and deep networking knowledge (all of which you should now have).
■ It is very resource intensive. A dedicated machine (a PC or laptop) running AntiSniff is recommended. If you run it on your workstation, your machine's resources will be depleted.
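To make the "carefully crafted packets" idea concrete, here is an added example written for this edit; it is not AntiSniff's code and not from the book. It models two of the classes of test a promiscuous-mode detector of AntiSniff's kind runs, the ARP test and the DNS test, against constructed frames and a constructed DNS server log so it runs offline. The bogus destination MAC, the host addresses and the decoy range are assumptions for illustration. Note that, like AntiSniff itself, the ARP test only works against hosts on the same segment, because the probe is a link-layer frame.

```python
import struct
from collections import defaultdict

# Added example, written for this edit rather than taken from AntiSniff or the
# book. It models two of the tests a promiscuous-mode detector of AntiSniff's
# kind runs, on constructed frames and log records so it executes offline:
#  - ARP test: an ARP request for the target's IP is sent in an Ethernet frame
#    whose destination MAC is bogus (not the target, not the real broadcast
#    address). A non-promiscuous NIC drops it in hardware; a host sniffing the
#    wire receives it, and its ARP stack answers a request for its own address.
#  - DNS test: traffic is sent to decoy addresses nobody legitimately talks to,
#    then the DNS server log is checked for clients reverse-resolving those
#    decoys. Only a sniffer resolving the names it sees would ask.
# The probe MAC, the hosts and the decoy addresses are assumptions.

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = bytes.fromhex("ffffffffffff")
FAKE_BROADCAST = bytes.fromhex("fffffffffffe")   # one bit off the real broadcast


def mac(text):
    return bytes.fromhex(text.replace(":", ""))


def ip4(text):
    return bytes(int(octet) for octet in text.split("."))


def build_arp(op, dst_mac, src_mac, sender_ip, target_mac, target_ip):
    """Ethernet II frame carrying one ARP packet (sender hardware addr = src_mac)."""
    eth = dst_mac + src_mac + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    return eth + arp + src_mac + ip4(sender_ip) + target_mac + ip4(target_ip)


def parse_arp(frame):
    """Fields of an Ethernet II/ARP frame, or None if the frame is not ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    return {"dst": frame[0:6], "src": frame[6:12],
            "op": struct.unpack("!H", frame[20:22])[0],
            "sha": frame[22:28], "spa": frame[28:32],
            "tha": frame[32:38], "tpa": frame[38:42]}


def answered_bogus_probe(probe, reply):
    """True when reply answers a probe that a filtering (non-promiscuous) NIC should never have accepted."""
    p, r = parse_arp(probe), parse_arp(reply)
    if p is None or r is None or p["op"] != ARP_REQUEST or r["op"] != ARP_REPLY:
        return False
    # A reply to a genuine broadcast, or to the target's own unicast MAC, proves nothing.
    if p["dst"] == BROADCAST or p["dst"] == r["sha"]:
        return False
    return r["spa"] == p["tpa"] and r["tpa"] == p["spa"] and r["tha"] == p["sha"]


def ptr_lookup_suspects(dns_log, decoy_ips):
    """Map client -> decoy addresses it reverse-resolved; dns_log rows are (client, qtype, qname)."""
    decoys = set(decoy_ips)
    hits = defaultdict(set)
    for client, qtype, qname in dns_log:
        if qtype != "PTR" or not qname.endswith(".in-addr.arpa"):
            continue
        addr = ".".join(reversed(qname[:-len(".in-addr.arpa")].split(".")))
        if addr in decoys:
            hits[client].add(addr)
    return {client: sorted(addrs) for client, addrs in hits.items()}


if __name__ == "__main__":
    me, suspect = mac("00:0c:29:11:22:33"), mac("00:0c:29:aa:bb:cc")
    probe = build_arp(ARP_REQUEST, FAKE_BROADCAST, me, "10.0.0.1", bytes(6), "10.0.0.5")
    reply = build_arp(ARP_REPLY, me, suspect, "10.0.0.5", me, "10.0.0.1")   # constructed response
    print("10.0.0.5 promiscuous:", answered_bogus_probe(probe, reply))        # True
    # Constructed DNS server log: 10.0.0.9 is reverse-resolving decoy addresses.
    log = [("10.0.0.9", "PTR", "22.0.0.10.in-addr.arpa"),
           ("10.0.0.9", "PTR", "23.0.0.10.in-addr.arpa"),
           ("10.0.0.7", "A", "www.syngress.com"),
           ("10.0.0.7", "PTR", "1.0.0.10.in-addr.arpa")]
    print(ptr_lookup_suspects(log, ["10.0.0.22", "10.0.0.23"]))
```

A real run would put the probe on the wire with a raw socket and read replies back from the same interface; the decision logic is the part shown. A host that stays silent is not proven clean: a sniffer whose card filters in hardware, or whose stack ignores the oddly addressed frame, passes this test, which is why a detector of this kind runs several tests rather than one.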
■ If you are setting your network analysis applications to report to a network management system (NMS) that collects traps, then you're out of luck: AntiSniff doesn't support the Simple Network Management Protocol (SNMP).
■ AntiSniff only functions on the same segment as the machine running it, because its probes are link-layer frames that do not cross a router.

NOTE
Other references to scanning tools that are free to you (and to script kiddie hackers) are found at the @stake website (www.atstake.com) and at Sam Spade (www.samspade.org).

Figure 12.14 You Are Being Hacked!

Security is something you should take very seriously, because you have seen very clearly that you can grab passwords and perform other "hacker-like" activities with Sniffer Pro. You will be privy to sensitive information: make sure you keep your capture files secure and keep the information you find (if sensitive) to yourself and your client. If you are a security professional and you are looking for hackers on your network using a tool like Sniffer Pro, then you now know how to find and eliminate them.

Finding Unnecessary Protocols with Sniffer Pro

Sniffer Pro can be very useful in finding and eliminating bandwidth-hogging protocols. There is certainly no need to take up valuable network resources with protocols that aren't being used by your users. In this section we'll cover how to look for those protocols your network can live without and discuss some of the properties of the most common protocols. Let's think about the implications of leaving multiple protocols on a network and why we would even want to start removing protocols in the first place. First off, you should understand why there might be many protocols on your network. Places to find protocols that you may not know about include:

■ Printers are the most vicious culprits of garbage traffic on your network. You can often eliminate a significant amount of traffic by doing an analysis sweep of your printers.
■ Cisco routers and the Cisco Discovery Protocol (CDP) are also a traffic issue when CDP starts talking to your Cisco LAN switches. You will definitely grab this traffic if it is enabled. Running CDP is also a security risk: a quick look at Figure 12.15 shows just how revealing it can be, since each advertisement carries the device's name, addresses, platform and software version in cleartext for anyone on the segment to read. I would say to just disable it by going into your routers (and switches) and using the global configuration command no cdp run.

NOTE
To turn CDP off, you will have multiple platforms to turn it off from. Here is a breakdown of the commands for each:
■ Cisco IOS, globally: no cdp run
■ Cisco IOS, per interface: no cdp enable
■ Cisco CatOS switches: set cdp disable

■ Any old hub, switch, or router (Wellfleet, Bay, Nortel, SynOptics, etc.) may be broadcasting or multicasting traffic, including breath of life (BOFL) packets. If you are unsure, look up the Ethertype codes within the frame to figure out what you have captured.
■ Any server running Routing Information Protocol (RIP) or, worse yet, Novell servers acting as routers running NetWare Link Services Protocol (NLSP) or Internetwork Packet Exchange (IPX) RIP. Disable Novell server routing if it is unneeded and add a static route (default gateway) within Inetcfg.nlm to eliminate that traffic.
■ Servers and other devices using SNMP that is not needed. I have found servers and other devices still pointing to an NMS that had long since been removed, and have also found devices polling absolutely nothing. All of this is traffic generated on your network.
■ Servers with multiple protocols bound to their interface cards.
■ Novell clients with frame type detection set to "auto." This is really bad, because essentially every Novell client that boots up has to broadcast to a server to find out which frame type it should be using. This happens for every client in your network; it can add up.

Figure 12.15 Viewing Excessive CDP Traffic on Your Network

[...] how to position Sniffer Pro to optimize this traffic:

■ You can use the Sniffer Pro network analyzer to locate AppleTalk hosts with the Matrix. After you position Sniffer Pro correctly and capture AppleTalk traffic, you can use the Matrix to find which hosts on your network are using [...]

[...] looked at one way to perform analysis using Sniffer Pro to optimize traffic on your network. Let's look at another way to use Sniffer Pro. In the next example we will connect directly to a switch to analyze it in hopes of improving network traffic.

Attach Directly to a Switch for [...]

[...] using Sniffer Pro. Let's look at broadcasts in switched networks first.

Broadcasts in Switched LAN Internetworks

As mentioned earlier in the chapter, be careful not to fall into the trap of thinking that installing a switch will solve your network traffic problems. It could create [...]

[...] for total optimization:

■ Routing Table Maintenance Protocol (RTMP), a distance vector protocol that has a default update timer of 10 seconds, which is far too frequent.
■ AppleTalk Update-based Routing Protocol (AURP) is another AppleTalk routing protocol that allows the creation of a tunnel to [...]
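The list of unnecessary-protocol sources above (CDP, BOFL, IPX RIP/NLSP, AppleTalk, multi-protocol bindings, Novell clients on "auto" frame type) all come down to one skill: read the Ethertype or the 802.2/SNAP header of a captured frame and name the protocol. Here is an added example, written for this edit and not taken from the book or from Sniffer Pro, that does exactly that and also tells the four Novell IPX encapsulations apart (Ethernet_II, Ethernet_802.3 raw, Ethernet_802.2, Ethernet_SNAP), which is the distinction the "auto" frame-type broadcast exists to resolve. The sample frames are constructed; only their headers are meaningful. The BOFL Ethertype value is taken from public Ethertype registries and is an assumption here.

```python
import struct
from collections import Counter

# Added example, not from the book or from Sniffer Pro: a minimal Ethernet frame
# classifier that reads the Ethertype (Ethernet II) or the 802.2 LLC / SNAP
# header (IEEE 802.3) to name the protocol, and that distinguishes the four
# Novell IPX encapsulations. Sample frames are constructed at the bottom.
# 0x8102 for Wellfleet/Bay BOFL is taken from public Ethertype lists (assumption).

ETHERTYPES = {
    0x0800: "IP", 0x0806: "ARP", 0x809B: "AppleTalk DDP", 0x80F3: "AARP",
    0x8137: "IPX (Ethernet_II)", 0x8102: "Wellfleet/Bay BOFL",
}
SNAP_PIDS = {
    (b"\x00\x00\x0c", 0x2000): "Cisco CDP",
    (b"\x08\x00\x07", 0x809B): "AppleTalk DDP (SNAP)",
    (b"\x00\x00\x00", 0x8137): "IPX (Ethernet_SNAP)",
}
IPX_SOCKETS = {0x0451: "NCP", 0x0452: "SAP", 0x0453: "RIP", 0x9001: "NLSP"}


def ipx_detail(ipx, base):
    """Append the well-known destination socket (RIP/SAP/NCP/NLSP) to an IPX label."""
    if len(ipx) >= 30:                               # full 30-byte IPX header present
        socket = struct.unpack("!H", ipx[16:18])[0]   # destination socket
        if socket in IPX_SOCKETS:
            return f"{base}: {IPX_SOCKETS[socket]}"
    return base


def classify(frame):
    """Name the protocol carried by one raw Ethernet frame."""
    if len(frame) < 14:
        return "runt"
    type_or_len = struct.unpack("!H", frame[12:14])[0]
    if type_or_len >= 0x0600:                        # Ethernet II: a type field
        label = ETHERTYPES.get(type_or_len, f"Ethernet II type 0x{type_or_len:04x}")
        return ipx_detail(frame[14:], label) if type_or_len == 0x8137 else label
    body = frame[14:14 + type_or_len]                # IEEE 802.3: a length field
    if len(body) < 3:
        return "runt"
    if body[:2] == b"\xff\xff":                      # Novell raw: IPX checksum follows the length
        return ipx_detail(body, "IPX (Ethernet_802.3 raw)")
    dsap, ssap = body[0], body[1]
    if dsap == 0xAA and ssap == 0xAA and len(body) >= 8:   # 802.2 LLC + SNAP
        oui, pid = body[3:6], struct.unpack("!H", body[6:8])[0]
        label = SNAP_PIDS.get((oui, pid), f"SNAP OUI {oui.hex()} PID 0x{pid:04x}")
        return ipx_detail(body[8:], label) if pid == 0x8137 else label
    if dsap == 0xE0 and ssap == 0xE0:                # Novell's 802.2 encapsulation
        return ipx_detail(body[3:], "IPX (Ethernet_802.2)")
    if dsap == 0x42:
        return "Spanning Tree BPDU"
    return f"802.2 LLC DSAP 0x{dsap:02x}"


def summarize(frames):
    """Protocol mix of a capture: label -> frame count, most common first."""
    return dict(Counter(classify(f) for f in frames).most_common())


# --- constructed sample frames (headers matter, payloads are dummy) -----------
def mac(text):
    return bytes.fromhex(text.replace(":", ""))


def eth2(dst, src, etype, payload):
    return mac(dst) + mac(src) + struct.pack("!H", etype) + payload


def eth8023(dst, src, body):
    return mac(dst) + mac(src) + struct.pack("!H", len(body)) + body


def ipx_pdu(dst_socket, payload=bytes(8)):
    """30-byte IPX header (checksum 0xFFFF, packet type 1) addressed to dst_socket, plus payload."""
    hdr = struct.pack("!HHBB", 0xFFFF, 30 + len(payload), 0, 1)
    hdr += bytes(4) + mac("ff:ff:ff:ff:ff:ff") + struct.pack("!H", dst_socket)
    hdr += bytes(4) + mac("00:00:1b:12:34:56") + struct.pack("!H", dst_socket)
    return hdr + payload


SAMPLE_FRAMES = [
    eth8023("01:00:0c:cc:cc:cc", "00:0c:29:aa:bb:01",                              # CDP from a router
            b"\xaa\xaa\x03\x00\x00\x0c\x20\x00" + b"\x02\xb4\x00\x00"),
    eth8023("ff:ff:ff:ff:ff:ff", "00:00:1b:12:34:56", ipx_pdu(0x0453)),             # raw 802.3 IPX RIP
    eth8023("ff:ff:ff:ff:ff:ff", "00:00:1b:12:34:56", b"\xe0\xe0\x03" + ipx_pdu(0x0452)),  # 802.2 IPX SAP
    eth2("09:00:07:ff:ff:ff", "00:05:02:de:ad:01", 0x809B, bytes(16)),              # AppleTalk DDP
    eth2("00:50:56:11:22:33", "00:0c:29:aa:bb:02", 0x0800, b"\x45" + bytes(19)),    # IP
    eth2("00:50:56:11:22:33", "00:0c:29:aa:bb:02", 0x0800, b"\x45" + bytes(19)),    # IP
]

if __name__ == "__main__":
    for label, count in summarize(SAMPLE_FRAMES).items():
        print(f"{count:3d}  {label}")
```

Feed it the frames of a real capture (any pcap reader that hands back raw link-layer bytes will do) and the summary is the "analysis sweep" the printer bullet talks about: every label that is not IP or ARP is a candidate for removal, and an IPX label that appears in more than one encapsulation means clients and servers are not agreeing on a frame type.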
[...] with Sniffer Pro to monitor ports and manage your switch's traffic via analysis for the purposes of learning, analysis, and optimization.

Another problem that network administrators have to deal with on a daily basis is the latency experienced across WAN links. Let's look at potential problems that may arise from this and solutions to them using Sniffer Pro.

Using Sniffer Pro to Find WAN Latency

Another problem [...]

[...] and more.

Figure 12.29 A View of an Expert Description Within the Expert System of Sniffer Pro

More Slow Network Problems

Your job is never done. There is always something to analyze. Here is another short list of things that are seen as the cause of some "slow network" problems that [...]

[...] 12.12, the way to see (and fix) the binding order problem is to do the following:

1. Open your network properties (on Windows 2000) by going to Start | Settings | Control Panel | Network and Dial-Up Connections.
2. At the top of the Network and Dial-Up Connections dialog box, select [...]

[...] traffic. IPX has problems with sending tons of traffic as a part of its functionality. As with any NOS, it needs to send and collect updates, which has a cost in network services. One such collector of network information is the IPX Watchdog protocol. The Watchdog protocol is [...]

[...] multiple protocols.
5. Widely used, accepted, and implemented (universally used on the Internet)
6. Eliminates the need for protocol gateways, which can be a bottleneck
7. Less documentation and support personnel needed if configured properly
8. Cost savings because some network [...]

[...] disabled. You do not want this to happen to you.

When viewing Figure 12.22, you can see that although Sniffer Pro is connected to a switch with spanned ports, you still get broadcast traffic traversing the monitored port that Sniffer Pro is attached to. Traffic is inevitable, and it [...]

[...] Object Network is 0xFFFFFFFF

Figure 12.19 Digging Into the IPX RIP Packet With Sniffer Pro