Network Troubleshooting
Introduction
If you've ever been a network administrator, the call you dread the most might be the one you receive in the middle of the night from a panicked employee stating that a portion of your critical network has gone down. What troubleshooting options are available to provide answers to your network problem? Besides having a proactive helpdesk that can "read" the mind of your network, an important part of troubleshooting involves using a network protocol analyzer. If you've done your research, you realize that there are many choices on the market today that may satisfy your needs but make a dent in your company's pocketbook. Plus, you have to factor in training your helpdesk on how to use this new tool and whether it will provide some type of return on investment (ROI).
After conducting thorough research of tools to analyze and troubleshoot a network, we decided to use Ethereal. Many products such as Sniffer® Portable by Network General and Observer® by Network Instruments provided more options but were only available in "demo" versions and didn't provide full functionality. Since we wanted to use Tcpdump as one of the tools in our network troubleshooting arsenal, it made sense to run Ethereal, since it supports Tcpdump-style capture filters.
So, what is Ethereal?
Ethereal is a network analyzer. It has the ability to read packets from a network, decipher them, and then display the results in a very intuitive GUI. According to the book Ethereal Packet Sniffing, "the most important aspects of Ethereal are as follows: that it is open source, actively maintained, and free". Our research also showed that Ethereal supports TcpDump-format capture filters, supports over 700 protocols (new ones are added on a regular basis), and can capture data from Ethernet, Token Ring, 802.11 Wireless, etc. For anyone interested in a command line interface (CLI) for Ethereal, you're in luck, since there is a CLI version called tethereal.
History of Ethereal
Ethereal is a fairly mature networking tool that was developed by Gerald Combs back in 1997, but it has only been available to users since 1998. Something unique to this tool is the numerous dissectors that are available. If you're like me, you may ask yourself: what are dissectors? According to Brockmeier, they "are what allow Ethereal to decode individual protocols and present them in readable format". Since the code is open source, you will notice every few months that the list of supported protocols has increased due to individual contributions to Ethereal. As the Linux open source ecosystem shows, continued community support will only improve the features and overall usability of any open source tool.
Using Ethereal in Your Network
According to Brockmeier, network placement is critical for proper analysis and troubleshooting. If you find yourself working at a large corporation, it's inevitable that you will be working in multiple buildings, across campuses, throughout the country, and perhaps overseas. It is vital, when troubleshooting devices, to verify that you are on the correct segment of the network. This will save not only time but also money, since you can use your resources more efficiently. It makes sense to have a laptop computer (with some type of network analyzer installed) for troubleshooting network related issues, since not all network related problems occur on the same subnet of your network. Figure 1 depicts a basic network setup where you could use Ethereal to view protocol activity from router to server, etc.
Figure 1
Compliments of Ethereal Packet Sniffing, 2004
What is TcpDump
To troubleshoot the network we also used a tool called TcpDump. TcpDump is a network utility that listens to and records traffic on a network. TcpDump helps in solving problems that can be found at the packet or frame level. By default, it puts the network interface into promiscuous mode to capture every packet going across the wire. The user can specify a large number of variables to help filter the data that is being captured. TcpDump will automatically print the header information of each packet in a text format. Several tools have been created to work with TcpDump-formatted files. O'Reilly's Network Troubleshooting Tools book lists several of these tools: "trafshow, xplot, tcptrace, tcpshow, tcpslice, tcp-reduce, tcpflow, tcpdpriv, and sanitize." The author also says this about the tools: "One reason for using tcpdump is the wide variety of support tools that are available for use with tcpdump or files created with tcpdump. There are tools for sanitizing the data, tools for reformatting the data, and tools for presenting and analyzing the data." (www.hn.edu.cn/book/NetWork/NetworkingBookshelf_2ndEd/tshoot/)
The pcap library is used to read or write data in the raw format. Thus, it is easy to write a program to read or write packets in the TcpDump format. For our needs we used the pcap library that comes with Ethereal to analyze all the packets we captured.
Examples using TcpDump
As mentioned above, there are many variables that the user can put into action to filter and concentrate the data. Illustrated in Figure 2 is a basic TcpDump command line: -s specifies how many bytes of each packet to record, -c specifies the number of packets to capture, and -w tells it to write the packet information to a file. After the command finishes, a message is displayed with the number of packets captured, packets dropped, and packets captured by the filter.
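The two preceding sections make two claims worth seeing in code: that the TcpDump (libpcap) file format is simple enough that a program can read or write it directly, and that -s, -c and -w control how much of each packet, how many packets, and where the capture goes. The following Python script is an added example, not code from the essay or from the tcpdump/Ethereal projects. It writes a capture file from constructed Ethernet/IPv4/TCP frames (checksums left zero, addresses and ports invented), honouring a snapshot length and packet count the way -s and -c do, then reads the file back and prints a one-line summary per packet that approximates tcpdump's own output format. It uses only the standard library and touches no network interface.

```python
"""Write and read TcpDump-format (libpcap) capture files without libpcap.

Added example: mimics `tcpdump -s <snaplen> -c <count> -w <file>` on
constructed frames, then dissects the file the way tcpdump prints it.
All addresses, ports and payloads below are constructed sample data.
"""
import os
import socket
import struct
import tempfile

PCAP_MAGIC = 0xA1B2C3D4   # classic libpcap magic, microsecond timestamps
LINKTYPE_ETHERNET = 1     # link-layer header type recorded in the file header

def build_frame(src_ip, dst_ip, sport, dport, flags, payload=b""):
    """Constructed Ethernet/IPv4/TCP frame; checksums are zero (fine for a file)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", 0x0800)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + tcp

def write_pcap(path, frames, snaplen=65535, count=None):
    """-w: write file; -s: keep at most snaplen bytes per packet; -c: stop after count packets."""
    written = 0
    with open(path, "wb") as f:
        # global header: magic, version 2.4, tz offset, sigfigs, snaplen, linktype
        f.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET))
        for i, frame in enumerate(frames):
            if count is not None and written >= count:
                break
            data = frame[:snaplen]                      # truncation is what -s does
            # record header: ts_sec, ts_usec, bytes saved (incl_len), bytes on wire (orig_len)
            f.write(struct.pack("<IIII", 1_000_000 + i, 0, len(data), len(frame)))
            f.write(data)
            written += 1
    return written

def read_pcap(path):
    """Return (snaplen, linktype, [(ts_sec, ts_usec, incl_len, orig_len, data), ...])."""
    with open(path, "rb") as f:
        magic, _vmaj, _vmin, _tz, _sig, snaplen, linktype = struct.unpack("<IHHiIII", f.read(24))
        if magic != PCAP_MAGIC:
            raise ValueError("not a little-endian microsecond pcap file")
        packets = []
        while True:
            rec = f.read(16)
            if len(rec) < 16:
                break
            ts_sec, ts_usec, incl_len, orig_len = struct.unpack("<IIII", rec)
            packets.append((ts_sec, ts_usec, incl_len, orig_len, f.read(incl_len)))
    return snaplen, linktype, packets

# tcpdump-style flag letters, in the order tcpdump prints them
TCP_FLAG_NAMES = [(0x02, "S"), (0x01, "F"), (0x04, "R"), (0x08, "P"), (0x10, ".")]

def summarize(data):
    """Minimal dissector: Ethernet -> IPv4 -> TCP, tolerant of snaplen truncation."""
    if len(data) < 14 or struct.unpack("!H", data[12:14])[0] != 0x0800:
        return "non-IPv4 frame or truncated Ethernet header"
    ip = data[14:]
    if len(ip) < 20:
        return "IPv4 header truncated by snaplen"
    ihl = (ip[0] & 0x0F) * 4
    proto = ip[9]
    src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    if proto != 6:
        return f"IP {src} > {dst}: proto {proto}"
    tcp = ip[ihl:]
    if len(tcp) < 14:
        return f"IP {src} > {dst}: TCP header truncated by snaplen"
    sport, dport, _seq, _ack, _off, flags = struct.unpack("!HHIIBB", tcp[:14])
    names = "".join(n for bit, n in TCP_FLAG_NAMES if flags & bit) or "none"
    return f"IP {src}.{sport} > {dst}.{dport}: Flags [{names}]"

def demo(path=None):
    """Capture 'session': four constructed frames, -s 60 -c 3, then read back and dissect."""
    path = path or os.path.join(tempfile.gettempdir(), "demo_capture.pcap")
    frames = [
        build_frame("10.0.0.1", "10.0.0.2", 40000, 80, 0x02),   # SYN
        build_frame("10.0.0.2", "10.0.0.1", 80, 40000, 0x12),   # SYN/ACK
        build_frame("10.0.0.1", "10.0.0.2", 40000, 80, 0x18, b"GET / HTTP/1.0\r\n\r\n"),  # PSH/ACK
        build_frame("10.0.0.1", "10.0.0.2", 40000, 80, 0x11),   # FIN/ACK, beyond -c 3
    ]
    written = write_pcap(path, frames, snaplen=60, count=3)
    snaplen, _linktype, packets = read_pcap(path)
    sizes = [(p[2], p[3]) for p in packets]          # (bytes saved, bytes on wire)
    lines = [summarize(p[4]) for p in packets]
    return written, snaplen, sizes, lines

if __name__ == "__main__":
    w, s, sizes, lines in_ = demo()
```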
Figure 2
This basic command