Tuesday, June 4, 2019

Wireshark Network Protocol Analyzer Information Technology Essay

Today's networks are typically very stable. The difficulty is that they are not static. Management and users constantly demand new technologies, new services and better performance, which inevitably means changing infrastructure, deploying new applications and dealing with security. Throughout this, the network administrator needs to control IT costs, minimise disruption to the organisation, and be able to see all aspects of the network clearly enough to assess the impact of adding new technologies and services and to confirm that the network is delivering maximum performance. Today a wide variety of software and hardware products are available that help network administrators manage a network.

Network management covers a wide area, including the local area network, and is based mainly on three principles:

Performance: reduce congestion in the network.
Reliability: keep the network and the services it provides up and available for all users. This includes monitoring the network to spot problems as soon as possible, ideally before users are affected.
Security: protect the network from unauthorised users and from the outside world.

The functions performed as part of network management therefore include controlling, planning, allocating, deploying, coordinating and monitoring the resources of a network: network planning, predetermined traffic routing for load balancing, cryptographic key distribution and authorisation, configuration management, fault management, security management, performance management, bandwidth management and analytics.
A variety of network monitoring tools are available on the market, to be used depending on the size and requirements of the organisation.

OBJECTIVE
The intention of this report is to make an in-depth study and evaluation of network management tools that allow us to observe and manage the performance and functions of networks effectively and efficiently, and to produce a short report detailing the benefits of implementing network management. The tools used in this report are the Fluke Protocol Inspector, the Wireshark network protocol analyzer, an SNMP browser utility (GETIF) and Fluke Network Inspector.

FLUKE OPTIVIEW ANALYZER AND WIRESHARK NETWORK PROTOCOL ANALYZER
A network protocol analyzer is a vital part of a network administrator's toolkit. Network protocol analysis is the truth serum of network communications: if you want to find out why a network device is behaving in a certain way, use a protocol analyzer to sniff the traffic and expose the data and protocols that pass along the wire. Fluke and the Wireshark network protocol analyzer offer insight into what is happening not only over the WAN but also on the local area network (LAN) at each location. Information about traffic flows, protocols and even individual data packets enables the IT organisation responsible for the network to keep it operating at peak performance. Fluke and Wireshark are tools for administering computer networks; they help in monitoring and troubleshooting the network and in observing the status of devices, errors, warnings and changes.
Fluke and Wireshark are fast and compatible with almost every version of Windows. To observe the behaviour and performance of these network analyzers, a small network was assembled.

Figure 2.1 TEST NETWORK
The minimum equipment needed to use Protocol Inspector/analyzer properly to observe the performance and applications of a network consists of two routers, two switches and two hosts. A class B addressing scheme is used on the network. Two routers, R1 and R2, represent two different sites. R1 uses 172.17.0.1/30, R2 uses 172.17.0.2/30, and the two routers are connected through the 172.17.0.0/30 link. To keep things simple only two users are used: User1 and User2 are on 172.17.1.100 and 172.17.2.100 respectively.

Summary View of Fluke OptiView Analyzer
The program opens in the Summary View. This view shows several windows used by the tool. The Resource Browser window in the upper-left corner shows the only monitored network device. The Monitor View, in the main window on the upper right, monitors one resource per window in a variety of viewing options. The word Stop (red tab) in the upper-left corner of the Monitor View window confirms that no monitoring is occurring (Figure 6.1).

Start the Monitor / Capture process
To start the monitoring/capturing process, use the Start button or Module - Start from the menu. The Utilization chart should start showing activity like the graphic below (Figure 6.2). The word ARM (green tab) should appear where Stop had been before. If you open the Module menu, notice that Stop is now an option while Start is greyed out. The tabs at the bottom of the window show the resulting data in a variety of forms. Click on each and note the result. Transmit (Tx), Alarms and Alarm Log will be blank.
The following is the Received (Rx) frames view (Figure 6.3), which shows that broadcast and multicast frames are being received but may not show any unicasts. Using the console connection to the router, ping the monitoring host, and notice that unicast frames appear. The errors shown in the third column will not appear in the lab exercise unless a traffic generator such as the Fluke Networks OptiView product has been added.

For the Detail View window, click the Detail View button in the toolbar or double-click anywhere on the Monitor View chart. This opens a second window that should look something like the following after maximising the Utilization / Errors Strip Chart (RX) window. In the Detail View there are several options we can see:

MAC Statistics
Frame size distribution
Protocol distribution
Host table
Network layer host table
Application layer host table
Host matrix
Network layer matrix
Expert view

MAC STATISTICS
MAC Statistics tells us about the module type and speed used on the system. It provides essential information such as network utilisation and total bytes of data received. It also shows the different types of frames travelling across the network.

Figure 2.2 MAC Statistics
As shown in Figure 2.2, a total of 1,555 frames were received: 152 broadcast frames, 322 multicast frames and 1,081 unicast frames. No errors were found, and a total of 122,453 bytes of data was received at an effective network utilisation of 0.003%.

FRAME SIZE DISTRIBUTION
Frames on a network are classified according to size. Frame size distribution shows the frames across the network and their sizes.

Figure 2.3 FRAME SIZE DISTRIBUTION
The graph above shows the frame size distribution over the test network. Frames are classified into 8 size categories.
The most common frame size range is 65-127 bytes.

PROTOCOL DISTRIBUTION
Protocol distribution shows the protocols operating over the network and what percentage of the data transferred belongs to each protocol.

Figure 2.4 Protocol Distribution
The figure above shows the different protocols on the network, with the percentage of each protocol to the right of the graph; on the left are tabs, and clicking each one lets you monitor the percentage of an individual protocol.

HOST TABLE
The host table gives a picture of the traffic generated on the network and the MAC addresses of the devices receiving the traffic. It identifies the hosts with the most and the least traffic.

Figure 2.4 HOST TABLE
The picture above shows the percentage of traffic based on the number of frames coming into each host, with the MAC addresses of the different hosts on the right-hand side. It also shows the broadcast and STP traffic.

NETWORK LAYER HOST TABLE
The Network Layer Host Table shows packets, errors and bytes for each station at the network layer. It decodes packets by their network layer address, which helps network managers troubleshoot at the host level.

Figure 2.5 NETWORK LAYER HOST TABLE
The figure above shows the packets coming into the hosts at the network layer, based on their IP addresses. It also shows that there are 5 IP hosts and no IPX hosts on the network.

APPLICATION LAYER HOST TABLE
The Application Layer Host Table tracks packets, errors and bytes on an application-specific basis. It traces the packet activity of a particular application and helps network managers monitor bandwidth utilisation on the network.

Figure 2.6 APPLICATION LAYER HOST TABLE
The figure above shows the different applications used by each host.
It shows the percentage of bandwidth used by each application.

HOST MATRIX
The Host Matrix shows the communication between two or more MAC addresses/hosts. A host may be talking to more than one host at the same time, which the graph below shows.

Figure 2.7 HOST MATRIX
Figure 2.7 shows different hosts communicating with each other and the percentage of data each pair is sending and receiving on the network, which helps an organisation allocate bandwidth to the various hosts.

NETWORK LAYER MATRIX
The Network Layer Matrix shows the total data packets between a pair of systems by network layer protocol, i.e. the protocol-specific traffic between hosts.

Figure 2.7 NETWORK LAYER MATRIX
The figure above shows the conversations between the different pairs of hosts: the communication between two IP addresses and their bandwidth utilisation.

EXPERT VIEW
The Expert View shows the different kinds of data captured on the network on a single screen, where the network engineer can monitor user activity to make the network more responsive and reliable.

Figure 2.8 EXPERT VIEW OVERVIEW
Figure 2.9 Expert View of Data Link layer
Figure 2.10 EXPERT VIEW OF SESSION LAYER
Figure 2.11 EXPERT VIEW OF NETWORK LAYER
The figures above show the output at different layers of the OSI model. They also show the protocol distribution across the network and the utilisation of the protocols in use, such as HTTP, ARP and others, and identify errors and any broadcast or multicast traffic on the network.

PROTOCOL OPERATIONS
The Network Inspector tool is also used to investigate the operation of different protocols:

ICMP
TFTP
TELNET
DHCP
RIP/OSPF/IGRP

ICMP (Internet Control Message Protocol)
ICMP stands for Internet Control Message Protocol.
It is one of the most important internet protocols and is used by network administrators to check network connections.

ICMP SUCCESSFUL PING
ICMP is the protocol behind the connectivity check known as PING (Packet Internet Groper), which sends an echo request and receives an echo reply. A successful ping means that the destination is reachable: when the host receives the echo request, it replies to it. The process is shown in the figures below.

Figure 0.1 ICMP ECHO REQUEST
Figure 0.1 shows an echo request from the host 192.168.2.2 to the destination 192.168.1.2 across the network.

Figure 0.2 ICMP ECHO REPLY
The echo reply to the request is shown in the figure above. It is clearly visible that the 32 bytes of data sent by 192.168.2.2 to the host 192.168.1.2 are returned unchanged in the reply from 192.168.1.2, which means no data was lost and the two hosts can communicate without losing data.

ICMP PING TIMEOUT
Another common message when trying to ping a host or address is Request Timed Out. A ping times out when no reply arrives within the timeout period, for example because the destination IP address does not exist. Network Inspector displays the following result for a ping timeout.

Figure 0.3 REQUEST TIMED OUT
Figure 0.3 shows that when the engineer tries to ping an address that does not exist on the local network, ARP broadcasts a request to the MAC address FF:FF:FF:FF:FF:FF to find the destination's hardware address; since the address is not on the network, no reply comes back and the ping request times out.

ICMP NETWORK UNREACHABLE
Network Unreachable means the network we are trying to reach is not available for communication. This can happen for many reasons: the interface is down, or, when RIP is in use, the destination is more than 15 hops from the source, or the destination network has no entry in the router's routing table.
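The three ICMP outcomes discussed above (a matching echo reply, silence, and an explicit Destination Unreachable) can be told apart mechanically rather than by eye. The following is an added example for this page, not code from the essay or from Fluke or Wireshark; it builds and decodes ICMP messages from constructed bytes (the report's addresses 192.168.2.2, 192.168.1.2 and 192.168.3.1 are reused; the 32-byte payload is the one Windows ping sends by default; identifier and sequence values are arbitrary).

```python
"""Decode the ICMP messages discussed above: echo request/reply and
Destination Unreachable.

Added example for this page; it is not code from the essay or from Fluke or
Wireshark. The packets are constructed inline rather than taken from the
report's captures; the addresses reuse the report's 192.168.2.2,
192.168.1.2 and 192.168.3.1, the 32-byte payload is the one Windows ping
sends by default, and the identifier/sequence values are arbitrary.
"""
import struct

ICMP_ECHO_REPLY, ICMP_DEST_UNREACH, ICMP_ECHO_REQUEST = 0, 3, 8
# RFC 792 codes for type 3 (Destination Unreachable)
UNREACH_CODES = {0: "net unreachable", 1: "host unreachable",
                 2: "protocol unreachable", 3: "port unreachable"}
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"   # 32 bytes


def ip_to_bytes(ip): return bytes(int(o) for o in ip.split("."))
def bytes_to_ip(b): return ".".join(str(x) for x in b)


def icmp_checksum(data):
    """RFC 1071: one's-complement sum of 16-bit words, then complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(msg_type, ident, seq, payload):
    """ICMP echo request (type 8) or reply (type 0) with a valid checksum."""
    csum = icmp_checksum(struct.pack("!BBHHH", msg_type, 0, 0, ident, seq) + payload)
    return struct.pack("!BBHHH", msg_type, 0, csum, ident, seq) + payload


def build_ipv4_header(src, dst, proto, total_len):
    """Minimal 20-byte IPv4 header (header checksum left 0; only used as the
    copy a router embeds in a Destination Unreachable message)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0, 64,
                       proto, 0, ip_to_bytes(src), ip_to_bytes(dst))


def build_dest_unreach(code, undeliverable_ip_packet):
    """Type 3 message: 4-byte header, 4 unused bytes, then the IP header plus
    the first 8 bytes of the datagram the router could not forward (RFC 792)."""
    body = undeliverable_ip_packet[:28]
    csum = icmp_checksum(struct.pack("!BBHI", ICMP_DEST_UNREACH, code, 0, 0) + body)
    return struct.pack("!BBHI", ICMP_DEST_UNREACH, code, csum, 0) + body


def decode_icmp(data):
    """Describe one ICMP message and verify its checksum (a valid message
    sums to zero when the checksum field is included)."""
    msg_type, code, _csum = struct.unpack("!BBH", data[:4])
    result = {"type": msg_type, "code": code, "checksum_ok": icmp_checksum(data) == 0}
    if msg_type in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
        ident, seq = struct.unpack("!HH", data[4:8])
        result.update(kind="echo request" if msg_type == ICMP_ECHO_REQUEST else "echo reply",
                      id=ident, seq=seq, payload=data[8:])
    elif msg_type == ICMP_DEST_UNREACH:
        inner = data[8:]          # header of the datagram that was not delivered
        result.update(kind="destination unreachable",
                      reason=UNREACH_CODES.get(code, "code %d" % code),
                      orig_src=bytes_to_ip(inner[12:16]), orig_dst=bytes_to_ip(inner[16:20]),
                      orig_proto=inner[9])
    return result


def echo_roundtrip_ok(request, reply):
    """The check the report makes by eye in Figures 0.1/0.2: the reply carries
    the same identifier, sequence number and payload bytes as the request."""
    rq, rp = decode_icmp(request), decode_icmp(reply)
    return (rq["type"] == ICMP_ECHO_REQUEST and rp["type"] == ICMP_ECHO_REPLY
            and rq["checksum_ok"] and rp["checksum_ok"]
            and (rq["id"], rq["seq"], rq["payload"]) == (rp["id"], rp["seq"], rp["payload"]))


if __name__ == "__main__":
    req = build_echo(ICMP_ECHO_REQUEST, 1, 7, WINDOWS_PING_PAYLOAD)   # 192.168.2.2 -> 192.168.1.2
    rep = build_echo(ICMP_ECHO_REPLY, 1, 7, WINDOWS_PING_PAYLOAD)     # 192.168.1.2 -> 192.168.2.2
    print("successful ping:", echo_roundtrip_ok(req, rep))
    # the same request aimed at 192.168.3.1, for which no router has a route
    lost = build_ipv4_header("192.168.2.2", "192.168.3.1", 1, 20 + len(req)) + req
    print(decode_icmp(build_dest_unreach(1, lost)))
```

The Destination Unreachable decoder reads the original source and destination out of the embedded header, which is how a troubleshooter confirms which datagram a router rejected; a timeout produces no message at all, so there is nothing to decode and the absence itself is the evidence.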
Fluke Network Inspector helps the network manager find the reason behind the failure, as the figures below show.

Figure 0.4 ECHO REQUEST FOR AN IP ADDRESS OUTSIDE THE NETWORK
Figure 0.5 DESTINATION UNREACHABLE REPLY
Figure 0.4 shows a network engineer sending an Echo Request to the address 192.168.3.1, which is not within the network, and Figure 0.5 shows that when the address is not on the network or in the router's routing table, the router sends back a Destination Unreachable message (here Host Unreachable).

ICMP Request Timed Out is different from ICMP Destination Unreachable. When the host sends an echo request, it waits for a reply from the destination. If no reply comes back within the timeout, the request is shown as Request Timed Out: the packet may have reached the destination but the reply was lost, the destination may be down or silently dropping the request, or a firewall on the path may be discarding it, and nothing on the path has told the sender. With Destination Unreachable, on the other hand, a router (or the sending host itself) has actively determined that it cannot deliver the packet, for example because no routing table entry matches the address, and returns an ICMP type 3 message to the sender, so the failure is reported immediately rather than by silence.

TFTP
TFTP, or Trivial File Transfer Protocol, is very easy and simple to implement as it requires very little memory. It is a connectionless service that uses UDP (User Datagram Protocol). It is lighter than FTP and is used on routers, switches and some hosts that support TFTP for transferring files such as configurations and images.

Figure 0.6 TFTP FILE COPYING
Figure 0.7 TFTP
In the figure above it is clearly visible that the source port is 56882 and the destination port is 69, the well-known port for TFTP. This also shows that TFTP uses UDP to transfer files across the network. In the second portion the TFTP request is captured, showing that the file transferred is sdm-config.

TELNET
Telnet is a common service for accessing a device remotely over the network. It can be used for many purposes. Telnet runs over TCP/IP.
Whenever we access a device remotely, a connection has to be established using the Three-Way Handshake.

ESTABLISHING A TELNET SESSION
Synchronisation between hosts is done by an exchange of connection-establishing segments that carry SYNs. Synchronisation requires each side to send its own ISN (Initial Sequence Number) and to receive a confirmation of it in an Acknowledgement (ACK) from the other host. Each host thus receives the other's ISN and confirms it with an ACK; this process is called the Three-Way Handshake.

THREE-WAY HANDSHAKE
Host A sends its ISN (Seq = X) to start the session. Host B receives it and sends its own ISN (Seq = Y) together with ACK = X+1 to Host A. When Host A receives this, it does the same as Host B: it adds 1 to the ISN it received and sends ACK = Y+1 back to Host B, which establishes the TELNET session (see Figure 0.72).

Host A                                   Host B
Sends SYN (Seq = X)            --->      Receives SYN (Seq = X)
Receives SYN (Seq = Y,         <---      Sends SYN (Seq = Y,
  ACK = X + 1)                             ACK = X + 1)
Sends ACK (ACK = Y + 1)        --->      Receives ACK (ACK = Y + 1)

Figure 0.72 THREE WAY HANDSHAKE (diagram taken from the CCNA 1 and 2 Companion Guide)

Figure 0.8 THREE WAY HANDSHAKE
Figure 0.8 shows the Three-Way Handshake. Each host sends an ISN, and in reply the other host adds 1 to it and sends it back as an acknowledgement.
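The sequence arithmetic above, the per-character Telnet payload that the following data-capture section reads off the analyzer, and the FIN teardown at the end of the session can all be checked by a small session tracker. The following is an added example for this page, not code from the essay or from Fluke or Wireshark; the segments are constructed rather than taken from the report's capture (client 192.168.2.2 talking to a Telnet server on router R2, ISNs X = 1000 and Y = 5000, and the password "cisco" are all arbitrary choices).

```python
"""Follow a TCP session the way the report reads it off the analyzer: the
three-way handshake (Seq = X, Seq = Y / ACK = X+1, ACK = Y+1), the
one-character-per-segment Telnet payload, and the FIN teardown.

Added example for this page; not code from the essay or from Fluke or
Wireshark. The segments are constructed, not taken from the report's capture:
client 192.168.2.2 talking to a Telnet server on router R2, with the ISNs
X = 1000 and Y = 5000 and the password "cisco" chosen arbitrarily.
"""
from dataclasses import dataclass, field

FIN, SYN, PSH, ACK = 0x01, 0x02, 0x08, 0x10


@dataclass
class Segment:
    src: str        # "client" or "server"
    flags: int
    seq: int
    ack: int
    payload: bytes = b""


@dataclass
class TcpSession:
    state: str = "CLOSED"
    isn: dict = field(default_factory=dict)        # ISN announced by each side
    next_seq: dict = field(default_factory=dict)   # next sequence number each side should use
    data: dict = field(default_factory=lambda: {"client": b"", "server": b""})
    fins: set = field(default_factory=set)
    errors: list = field(default_factory=list)

    def feed(self, seg):
        peer = "server" if seg.src == "client" else "client"
        if self.state == "CLOSED" and seg.flags == SYN:
            # stage 1: SYN, Seq = X. The SYN itself consumes one sequence number.
            self.isn[seg.src], self.next_seq[seg.src] = seg.seq, seg.seq + 1
            self.state = "SYN_SENT"
        elif self.state == "SYN_SENT" and seg.flags == SYN | ACK:
            # stage 2: SYN, Seq = Y, ACK = X + 1
            if seg.ack != self.next_seq[peer]:
                self.errors.append("SYN/ACK acknowledges %d, expected %d" % (seg.ack, self.next_seq[peer]))
            self.isn[seg.src], self.next_seq[seg.src] = seg.seq, seg.seq + 1
            self.state = "SYN_RECEIVED"
        elif self.state == "SYN_RECEIVED" and seg.flags & ACK:
            # stage 3: ACK = Y + 1; the session is established
            if seg.ack != self.next_seq[peer]:
                self.errors.append("final ACK acknowledges %d, expected %d" % (seg.ack, self.next_seq[peer]))
            self.state = "ESTABLISHED"
            self._consume(seg)
        elif self.state in ("ESTABLISHED", "CLOSING"):
            self._consume(seg)
            if seg.flags & FIN:
                self.fins.add(seg.src)
                self.state = "CLOSING"
            # teardown completes when both FINs have been seen and the last is acknowledged
            if (self.state == "CLOSING" and len(self.fins) == 2 and seg.flags == ACK
                    and not seg.payload and seg.ack == self.next_seq[peer]):
                self.state = "CLOSED"
        else:
            self.errors.append("unexpected segment in state %s: flags=0x%02x" % (self.state, seg.flags))

    def _consume(self, seg):
        """Check the sender's sequence number and record its cleartext payload."""
        expected = self.next_seq.get(seg.src)
        if expected is not None and seg.seq != expected:
            self.errors.append("%s seq %d, expected %d" % (seg.src, seg.seq, expected))
        self.data[seg.src] += seg.payload
        self.next_seq[seg.src] = seg.seq + len(seg.payload) + (1 if seg.flags & FIN else 0)


def build_telnet_session(client_isn=1000, server_isn=5000, password=b"cisco"):
    """Constructed capture: handshake, password prompt, one keystroke per
    segment (each acknowledged by the server), a prompt, then teardown with
    the server combining its ACK and FIN, as in Figures 0.14-0.16."""
    c, s, segs = client_isn, server_isn, []
    segs.append(Segment("client", SYN, c, 0)); c += 1
    segs.append(Segment("server", SYN | ACK, s, c)); s += 1
    segs.append(Segment("client", ACK, c, s))
    prompt = b"Password: "
    segs.append(Segment("server", PSH | ACK, s, c, prompt)); s += len(prompt)
    segs.append(Segment("client", ACK, c, s))
    for ch in password + b"\r\n":
        segs.append(Segment("client", PSH | ACK, c, s, bytes([ch]))); c += 1
        segs.append(Segment("server", ACK, s, c))
    banner = b"\r\nR2>"
    segs.append(Segment("server", PSH | ACK, s, c, banner)); s += len(banner)
    segs.append(Segment("client", ACK, c, s))
    segs.append(Segment("client", FIN | ACK, c, s)); c += 1
    segs.append(Segment("server", FIN | ACK, s, c)); s += 1
    segs.append(Segment("client", ACK, c, s))
    return segs


def summarize(segments):
    """Run the segments through the tracker and reassemble what each side sent."""
    session = TcpSession()
    for seg in segments:
        session.feed(seg)
    # everything the client typed up to the first Enter: the password, in clear
    typed = session.data["client"].split(b"\r\n")[0]
    return {"state": session.state, "errors": session.errors, "isn": dict(session.isn),
            "client_typed": typed, "server_text": session.data["server"]}


if __name__ == "__main__":
    print(summarize(build_telnet_session()))
```

Reassembling the client's one-byte segments recovers the whole password, which is exactly what the analyzer shows a character at a time in Figure 0.12; the tracker also records an error if either acknowledgement number departs from X+1 or Y+1, which is the check the handshake figures invite you to make by hand.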
Fluke Network Inspector allows the network administrator to see this process and monitor any unauthorised attempts.

Figure 0.9 FIRST STAGE OF THREE WAY HANDSHAKE
In Figure 0.9 the client sends a request to synchronise its ISN with the telnet server: it announces its initial sequence number, which the server will acknowledge by adding 1 to it.

Figure 0.10 SECOND STAGE OF THREE WAY HANDSHAKE
Figure 0.10 shows that the ACK has been sent back to the host and, in the same segment, the server's own SYN has also been sent to establish the connection.

Figure 0.11 THIRD STAGE OF THREE WAY HANDSHAKE
Figure 0.11 shows that the server has just received the final ACK from the host, and the connection is now established between them for further data transfer.

DATA CAPTURING
Fluke Network Inspector helps the network manager monitor and capture the data being transferred between the devices once the telnet session is active. Although it can be a lengthy process to see the whole data, it can be very helpful in troubleshooting typical problems. In a Telnet session the data is captured one character at a time, because the client sends each keystroke in its own segment, which can be seen in the following diagram.

Figure 0.12 DATA CAPTURING
In the figure above the letter I has been captured, which is part of the password typed while accessing the device remotely. Telnet sends it in clear text, so the Fluke tool (or anyone else who can capture traffic on the path) can read each and every character travelling across the network.

Figure 0.13 LOGGED ON THROUGH TELNET
Figure 0.13 shows the successful remote log-on to router R2. From here on all the data transferred will be captured by the Fluke Network Inspector tool.

TERMINATING A TELNET SESSION
Terminating a TELNET connection properly is a must for security reasons. Teardown is again a handshake: each side sends a FIN and the other acknowledges it, which appears in the capture as three segments when one side combines its ACK and FIN.
This process can be monitored in Fluke Inspector, as we will see in the diagrams below (see Figure 0.14).

Figure 0.14 FIRST STAGE TERMINATION
In Figure 0.14 the request for termination of the session has been sent; the next figure shows the acknowledgement received from the server.

Figure 0.15 SECOND STAGE TERMINATION
In Figure 0.15 the server receives the request and sends an acknowledgement for the termination of the session.

Figure 0.16 THIRD STAGE TERMINATION
Figure 0.16 shows the third and last stage of terminating the telnet session.

LIMITATIONS OF TELNET
TELNET is not a secure protocol: everything in the session, including usernames and passwords, travels over the network unencrypted, so anyone who can capture the traffic, as shown in Figure 0.12 above, can read it and reuse the credentials. Unauthorised users who log on to a device can damage its configuration files, which affects the performance of the network and makes it less reliable. To reduce the risk, remote access should be restricted to specific ports and source addresses so that only authorised individuals can log on remotely, and an encrypted remote-access protocol such as SSH should be used in place of Telnet wherever the device supports it.

DHCP (Dynamic Host Configuration Protocol)
DHCP allows hosts on the network to obtain an IP address dynamically. The network engineer configures a DHCP server for the network, defining a pool of IP addresses to be allocated to a particular range of hosts. Whenever a host requests an IP address, the server automatically assigns one.

When a DHCP client comes online it sends a DHCP Discover broadcast message. After sending the Discover, the client moves into the selecting state. The client then receives one or more DHCP Offers, takes the first one, and sends a DHCP Request, asking for how long it can keep the address without renewing it. The server acknowledges the request with a DHCP ACK. At this stage the client enters the bound state and starts using the IP address.
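The Discover/Offer/Request/ACK exchange just described, and the states the client passes through, can be decoded and checked from the raw messages. The following is an added example for this page, not code from the essay or from Fluke or Wireshark; the four messages are constructed rather than taken from the report's capture (the offered address 192.168.2.3 is the report's; the transaction id, client MAC, server address 192.168.2.1 and one-day lease are assumed values).

```python
"""Decode the DHCP Discover / Offer / Request / ACK exchange described above
and follow the client through the states the report names.

Added example for this page; not code from the essay or from Fluke or
Wireshark. The four messages are constructed rather than taken from the
report's capture: the offered address 192.168.2.3 is the report's, while the
transaction id, client MAC, server address 192.168.2.1 and one-day lease are
assumed values.
"""
import struct

MAGIC = b"\x63\x82\x53\x63"                       # DHCP magic cookie after the BOOTP header
BOOTP_FMT = "!BBBBIHH4s4s4s4s16s64s128s"          # 236-byte fixed header (RFC 2131)
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK", 7: "RELEASE"}
OPT_REQUESTED_IP, OPT_LEASE, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 50, 51, 53, 54, 255


def ip_bytes(ip): return bytes(int(o) for o in ip.split("."))
def ip_str(b): return ".".join(str(x) for x in b)


def build_dhcp(op, xid, mac, yiaddr="0.0.0.0", ciaddr="0.0.0.0", options=()):
    """op 1 = BOOTREQUEST (client), 2 = BOOTREPLY (server); options is a list of (code, value)."""
    flags = 0x8000 if op == 1 else 0              # client has no address yet, asks for broadcast replies
    hdr = struct.pack(BOOTP_FMT, op, 1, 6, 0, xid, 0, flags, ip_bytes(ciaddr), ip_bytes(yiaddr),
                      bytes(4), bytes(4), mac.ljust(16, b"\0"), b"", b"")
    body = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return hdr + MAGIC + body + bytes([OPT_END])


def parse_dhcp(pkt):
    """Return the fields the report reads off each capture: type, xid, addresses, lease."""
    (op, _htype, hlen, _hops, xid, _secs, flags, ciaddr, yiaddr,
     _siaddr, _giaddr, chaddr, _sname, _file) = struct.unpack(BOOTP_FMT, pkt[:236])
    if pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP message: magic cookie missing")
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != OPT_END:
        if pkt[i] == 0:                           # pad option
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    msg = {"op": "BOOTREQUEST" if op == 1 else "BOOTREPLY", "xid": xid,
           "broadcast": bool(flags & 0x8000), "client_mac": ":".join("%02x" % b for b in chaddr[:hlen]),
           "ciaddr": ip_str(ciaddr), "yiaddr": ip_str(yiaddr),
           "type": MSG_TYPES.get(opts.get(OPT_MSG_TYPE, b"\0")[0], "UNKNOWN")}
    if OPT_LEASE in opts:
        msg["lease_seconds"] = struct.unpack("!I", opts[OPT_LEASE])[0]
    if OPT_REQUESTED_IP in opts:
        msg["requested_ip"] = ip_str(opts[OPT_REQUESTED_IP])
    if OPT_SERVER_ID in opts:
        msg["server_id"] = ip_str(opts[OPT_SERVER_ID])
    return msg


def run_client(messages, xid):
    """Client view of the exchange: INIT -> SELECTING -> REQUESTING -> BOUND,
    checking that every message belongs to this transaction and that the
    address requested and acknowledged is the one that was offered."""
    state, offered, bound = "INIT", None, None
    for pkt in messages:
        m = parse_dhcp(pkt)
        if m["xid"] != xid:
            raise ValueError("transaction id mismatch: %#x" % m["xid"])
        t = m["type"]
        if state == "INIT" and t == "DISCOVER":
            state = "SELECTING"
        elif state == "SELECTING" and t == "OFFER":
            offered = m["yiaddr"]                 # more offers may arrive; the first is taken
        elif state == "SELECTING" and t == "REQUEST" and offered:
            if m.get("requested_ip") != offered:
                raise ValueError("requested %s but was offered %s" % (m.get("requested_ip"), offered))
            state = "REQUESTING"
        elif state == "REQUESTING" and t == "ACK":
            if m["yiaddr"] != offered:
                raise ValueError("ACK assigns %s, offer was %s" % (m["yiaddr"], offered))
            state, bound = "BOUND", (m["yiaddr"], m.get("lease_seconds"))
        elif state == "REQUESTING" and t == "NAK":
            state, offered = "INIT", None         # start over with a new DISCOVER
        elif state == "BOUND" and t == "RELEASE":
            state, bound = "INIT", None           # client gives the address back
        else:
            raise ValueError("unexpected %s in state %s" % (t, state))
    return state, bound


XID, MAC, SERVER = 0x3903F326, b"\x00\x0c\x29\xaa\xbb\xcc", "192.168.2.1"   # assumed values


def dora_example(offer="192.168.2.3", lease=86400):
    """Constructed DISCOVER, OFFER, REQUEST, ACK matching Figures 0.18-0.21."""
    lease_opt, server_opt = (OPT_LEASE, struct.pack("!I", lease)), (OPT_SERVER_ID, ip_bytes(SERVER))
    return [build_dhcp(1, XID, MAC, options=[(OPT_MSG_TYPE, b"\x01")]),
            build_dhcp(2, XID, MAC, yiaddr=offer, options=[(OPT_MSG_TYPE, b"\x02"), lease_opt, server_opt]),
            build_dhcp(1, XID, MAC, options=[(OPT_MSG_TYPE, b"\x03"), (OPT_REQUESTED_IP, ip_bytes(offer)), server_opt]),
            build_dhcp(2, XID, MAC, yiaddr=offer, options=[(OPT_MSG_TYPE, b"\x05"), lease_opt, server_opt])]


if __name__ == "__main__":
    for pkt in dora_example():
        print(parse_dhcp(pkt))
    print(run_client(dora_example(), XID))
```

The transaction id check matters in practice: all four messages share one xid, and a reply carrying a different xid (or an OFFER whose address is not the one later requested) is exactly the kind of inconsistency that separates a legitimate exchange from a rogue or misconfigured server's replies.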
The flow chart below (see Figure 0.17) describes the whole process.

Client boots -> Initialize state -> DHCP Discover -> Select state -> DHCP Offer -> DHCP Request -> Request state -> DHCP ACK -> Bound state

Figure 0.17 FLOW CHART FOR DHCP (diagram taken from the CCNA 1 and 2 Companion Guide)

DHCP DISCOVER
The Protocol Inspector tool can be used to monitor the whole process step by step.

Figure 0.18 DISCOVER
Figure 0.18 shows the client's broadcast, through which a DHCP server discovers it. At this point the client does not have an IP address.

DHCP OFFER
The DHCP server makes an IP address offer to the client.

Figure 0.19 DHCP OFFER
In Figure 0.19 the server offers 192.168.2.3 as the client's IP address.

CLIENT REQUEST
The host sends a request to the DHCP server for the offered IP address.

Figure 0.20 DHCP REQUEST
In Figure 0.20 the host negotiates the lease time for the IP address offered by the DHCP server.

DHCP ACKNOWLEDGMENT
The DHCP server then sends an acknowledgement packet.

Figure 0.21 ACKNOWLEDGMENT
Figure 0.21 shows that the IP address 192.168.2.3 has been accepted by the client as its new IP address.

DHCP RELEASE
When the client no longer needs the address it sends a DHCP Release to the server, which returns the address to the pool; this can be seen in Figure 0.22.

Figure 0.22 DHCP RELEASE

RIP (Routing Information Protocol)
The Routing Information Protocol (RIP) is a dynamic routing protocol used in local and wide area networks. It is classified as an interior gateway protocol (IGP) and uses the distance-vector routing algorithm. Devices running RIP send information about all the networks they know to their neighbours every 30 seconds to keep the network reachable and connected. RIP has two versions.

The Fluke Network Inspector tool shows the connected routers and the hops, with their IP addresses. All this information is very useful in troubleshooting.

Figure 0.23 RIP ROUTING INFORMATION PROTOCOL
Figure 0.23 explains the routing process. It shows that RIP is carried in UDP (IP protocol 17) on port 520. Only two routers are connected to each other.
It also tells us which version of RIP is running and how far apart the routers are as a hop count: the first network is 1 hop from the host and the second is 2 hops, and the routing information is sent every 30 seconds. Another thing to note is that RIP can only support 15 hops per network; a metric of 16 means unreachable.

SNMP (Simple Network Management Protocol)
SNMP is an application layer protocol, carried over UDP, that exchanges management information among the devices installed in the network. As its name makes clear, it is used to manage network devices such as routers, switches, hubs, modems and systems, and to monitor different activities over the network. SNMP helps the network engineer monitor and identify any faults on the network and solve these problems for better connectivity.

A network managed by SNMP consists of the following:

Managed devices: devices used on the network such as routers, switches, hubs, modems, systems and servers.
Agents: software running on the managed devices that exposes their management information.
Network-management systems: they provide the processing and memory required for network management; there can be one or more network-management systems on a managed network.

GETIF UTILITY
SNMP operation can be monitored by the network engineer using Protocol Inspector or the OptiView utility together with a freely available browser utility called GETIF. GETIF is a Windows GUI network tool that is very helpful for gathering information from SNMP devices and presenting it graphically.
It provides information such as Parameters, Interfaces Connected, Routing Tables, Trace Route and Network Length.

GETIF PARAMETERS
After loading the GETIF utility, type the router's IP address into the host name box of the Parameters window; the result will be as follows.

Figure 0.24 GETIF PARAMETERS
Figure 0.24 shows that once the router IP address has been typed in and the START button pressed in the Parameters tab of the GETIF utility, it gives us information such as the router name and IP address, the router description, and the SNMP port number, which is 161.

SNMP GET
The Fluke Network Inspector tool can be used alongside the GETIF utility to see the data retrieved from the SNMP agent. To retrieve this information, select the MBrowser tab in the GETIF window and then select the SNMP branch from the graphical tree; it gives us all the required information as shown below.

Figure 0.25 SNMP GET

SNMP SET
Select a single writable item in the MBrowser of the GETIF utility and start the network protocol inspector to monitor the data transfer. When the name of the router is changed using the GETIF utility, the SET request will be shown in the Network Inspector utility as well. Note that with SNMPv1 and SNMPv2c the community string that authorises the GET or SET travels in the packet in clear text, so an analyzer capturing this exchange also captures the credential that allows the device to be reconfigured.

SNMP TRAP
The Fluke Network Inspector tool together with the GETIF utility has the ability to diagnose errors on the network. To see the result in the Network Inspector tool, the network engineer can physically unplug the cable from a router port to break communication in the network; the Network Inspector tool identifies this error and displays it on screen for the network engineer's urgent attention.

Figure 0.26 SNMP TRAP
In Figure 0.26 the status of the serial connection is shown as down; this is due to the serial cable being unplugged from the port.

GRAPHICAL MONITORING IN GETIF
This is another option in the GETIF utility, used to monitor network bandwidth consumption and the percentage of the different protocols.
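What an analyzer actually sees in the GET and SET exchanges above is a BER-encoded datagram whose second field is the community string. The following is an added example for this page, not code from the essay or from Fluke, Wireshark or GETIF; it encodes and decodes SNMPv2c requests from constructed bytes (a GetRequest for sysName.0 and a SetRequest renaming the router, using the assumed community strings "public" and "private" and arbitrary request ids).

```python
"""Decode an SNMPv1/v2c request the way a passive analyzer on the 161/udp
path sees it, including the community string that authorises it.

Added example for this page; not code from the essay or from Fluke, Wireshark
or GETIF. The two datagrams are constructed: a GetRequest for sysName.0 and a
SetRequest renaming the router, using the assumed community strings "public"
and "private" and arbitrary request ids.
"""

# ASN.1/BER tags used by SNMP (RFC 3416)
INTEGER, OCTET_STRING, NULL, OID, SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30
GET_REQUEST, GET_RESPONSE, SET_REQUEST = 0xA0, 0xA2, 0xA3
PDU_NAMES = {GET_REQUEST: "GetRequest", GET_RESPONSE: "GetResponse", SET_REQUEST: "SetRequest"}
SYS_NAME = "1.3.6.1.2.1.1.5.0"                    # the router name GETIF shows and can set


def ber_len(n):
    """BER length: short form below 128, long form (0x8N + N bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, value): return bytes([tag]) + ber_len(len(value)) + value


def ber_int(n):
    return tlv(INTEGER, n.to_bytes((n.bit_length() + 8) // 8, "big", signed=True))


def ber_oid(dotted):
    """Object identifier: first two arcs packed as 40*a+b, then base-128 arcs."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a > 0x7F:
            a >>= 7
            chunk.insert(0, 0x80 | (a & 0x7F))
        out.extend(chunk)
    return tlv(OID, bytes(out))


def build_request(pdu_tag, community, request_id, oid, value=None):
    """SNMPv2c message: SEQUENCE { version, community, PDU { request-id,
    error-status, error-index, SEQUENCE OF varbind } }."""
    val = tlv(NULL, b"") if value is None else tlv(OCTET_STRING, value)
    varbinds = tlv(SEQUENCE, tlv(SEQUENCE, ber_oid(oid) + val))
    pdu = tlv(pdu_tag, ber_int(request_id) + ber_int(0) + ber_int(0) + varbinds)
    return tlv(SEQUENCE, ber_int(1) + tlv(OCTET_STRING, community.encode()) + pdu)


def read_tlv(buf, i):
    """Return (tag, value, index just past this element) for the TLV at buf[i]."""
    tag, length, i = buf[i], buf[i + 1], i + 2
    if length & 0x80:
        n = length & 0x7F
        length, i = int.from_bytes(buf[i:i + n], "big"), i + n
    return tag, buf[i:i + length], i + length


def decode_oid(body):
    arcs, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def decode_snmp(datagram):
    """What a sniffer learns from one request: version, community, operation, and
    which objects are read or written (and with what value)."""
    tag, msg, _ = read_tlv(datagram, 0)
    if tag != SEQUENCE:
        raise ValueError("not an SNMP message")
    _, ver, i = read_tlv(msg, 0)
    _, community, i = read_tlv(msg, i)
    pdu_tag, pdu, _ = read_tlv(msg, i)
    _, rid, j = read_tlv(pdu, 0)
    _, _err_status, j = read_tlv(pdu, j)
    _, _err_index, j = read_tlv(pdu, j)
    _, varbinds, _ = read_tlv(pdu, j)
    bindings, k = [], 0
    while k < len(varbinds):
        _, vb, k = read_tlv(varbinds, k)
        _, oid_body, m = read_tlv(vb, 0)
        vtag, vval, _ = read_tlv(vb, m)
        bindings.append((decode_oid(oid_body), None if vtag == NULL else vval))
    return {"version": {0: "v1", 1: "v2c"}.get(int.from_bytes(ver, "big", signed=True), "other"),
            "community": community.decode(errors="replace"),
            "pdu": PDU_NAMES.get(pdu_tag, "tag 0x%02x" % pdu_tag),
            "request_id": int.from_bytes(rid, "big", signed=True), "bindings": bindings}


if __name__ == "__main__":
    print(decode_snmp(build_request(GET_REQUEST, "public", 1, SYS_NAME)))
    print(decode_snmp(build_request(SET_REQUEST, "private", 2, SYS_NAME, b"R2-renamed")))
```

The decoder needs no key and no state: the write community that authorises the SetRequest is an ordinary OCTET STRING in the datagram, which is why capturing a single SET on the wire is enough to reconfigure every device that shares that community.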
The following figures show this monitoring.

Figure 0.27 SNMP GRAPHICAL MONITORING
In Figure 0.27 two graphs are shown; in these graphs only ICMP packets have been monitored, to show the operation of the protocol. In the top half the graph starts from 0 and then gradually goes up as the number of ICMP pings increases. A sudden drop can also be seen while the graph is rising; this is due to a Request Timed Out during the pings. In the second half you can see the graph decreasing as the pings were cancelled one by one.

BENEFITS OF FLUKE NETWORK INSPECTOR TOOL
Fluke Network Inspector allows the network engineer to provide reliable connectivity to the organisation, and it saves time and money through effective resource management. It also gives the network engineer better knowledge of the devices installed on the network, which helps to find faults and fix them easily.

Fluke Network Inspector provides a solution for monitoring and analysing the network, which can be very helpful to organisations that want dependable and reliable connectivity. It also allows the network engineer to watch for unauthorised users on the network and gives the freedom to manage the network remotely.

The Fluke Network Inspector tool helps in performing the major functions of network management, which include:

Fault Management
Configuration Management
Accounting Management
Performance Management
Security Management

All these functions are explained briefly in this report.

FAULT MANAGEMENT
The process of identifying and diagnosing a problem on the network and resolving it is called fault management. The problem could be of any kind, from faulty cables to defective hardware. Fault management is very important for the effective operation of a network and for providing connectivity among the users of a company; a skilled network engineer will detect a fault in the network quickly and fix the problem fast.
Fault management is essential for keeping the network connected. It is very useful to network administrators because they can keep an eye on the network from anywhere on it and resolve issues quickly. Apart from automatic notifications about faults on the network, the network administrator can also be informed by users. The administrator can send ping packets to identify the problem. If the administrator cannot reach a certain device remotely, for example when a ping to a device gets no reply, there could be a number of reasons; fault management helps in finding the cause of such problems so that the network is available all the time.

Whenever there is a fault on the network, the network operator learns about it through SNMP (Simple Network Management Protocol). The management system also rates the problem as high or low risk to the network, keeps sending information to the network administrator about the fault until it has been resolved, and then sends a notification that the error is resolved.

CONFIGURATION MANAGEMENT
Configuration management is all about handling the configurations of the network devices. It involves maintaining a database of the network devices and providing reports about the data travelling over them. Keeping records of the configured devices on the network is called configuration management.

Configuration management helps a network administrator install different software for better communication across the network. The configuration management database includes entries such as the devices used, their version numbers and their capabilities. Using configuration management, a network administrator can add devices to the network and can grant or deny access to a certain number of users or a group on a particular network.
Remote sites can be configured using different techniques, access can be restricted to certain areas of the network for specified users, and, if required, interfaces can be brought down or up through the configuration.

ACCOUNTING MANAGEMENT
Accounting management helps in managing the utilisation of network resources, which leads to a more productive network. One of the functions of accounting management is to distinguish between inter- and intra-domain accounting data and route it to the appropriate device: for a session record containing a Network Access Identifier (NAI), the record can be routed by examining the NAI, which saves it from being broadcast over the whole network and consuming bandwidth.

Accounting management involves monitoring user activity on the network at an individual or group level, which helps provide better communication and also reduces the generation of faults that can cause loss of data. It allows the network engineer to keep track of the bandwidth utilisation w
