A Network Analyzer is a tool that allows you to monitor traffic on a network. It receives all traffic on its segment of the network and displays it for analysis. There are two types of Network Analyzer: those built on custom hardware, and those that are software based, running on a standard networked workstation.
A hardware-based Network Analyzer is a custom piece of hardware that looks at the network traffic at the very lowest physical layer. These devices are particularly well suited for detecting wiring problems and hardware failures (such as voltage anomalies or jitter problems), since they look at the electrical characteristics of the signals on the network. To do this, they must have hardware to actually sample the network lines (at very high frequencies) with A/D converters, and do some signal processing on the received data. These devices are typically very expensive, and for most networking problems they are not needed.
Software-based Network Analyzers are programs that use a workstation's network interface card to collect data from the network, and then display it for analysis. This capture of network traffic is accomplished by reconfiguring the workstation's network interface card into a special state, called Promiscuous mode (Listen-All).
i. Normal Ethernet packet reception
When a workstation is operating normally on a network, it uses its MAC address to identify which packets on the network it should receive. It checks the destination MAC address of every frame it sees on the network against its own MAC address, and discards those that do not match. This function is usually performed by the chipset in the network interface card, reducing the software load on the machine. The one exception to this is broadcast traffic, which is sent out on the network with a destination MAC address that acts as a wildcard, and is received by all machines on the network.
ii. Promiscuous mode packet reception
In order for a workstation to begin operating as a Network Analyzer, this standard packet filtering must be removed. This is done by putting the network interface hardware into a state known as Promiscuous Mode. In this mode, the network interface hardware will receive all packets it sees on the network, regardless of destination MAC address. Almost all newer Ethernet chipsets support this mode. Before installing Network Analyzer software on a machine, you should check that the network interface card you have installed is supported by the Network Analyzer product.
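As an added illustration (not part of this handout), the following Python snippet emulates the destination-address filter described in i. and ii. over a few constructed frames: in normal mode only frames addressed to the station's own MAC address or to the broadcast address are passed up, in promiscuous mode every frame is. The MAC addresses, type-field values and frame contents are made up for the example.

```python
from dataclasses import dataclass

# Destination address that acts as a wildcard: every station receives it.
BROADCAST = bytes([0xFF] * 6)

@dataclass
class EthernetFrame:
    dst: bytes
    src: bytes
    ethertype: int
    payload: bytes

def parse_ethernet(frame: bytes) -> EthernetFrame:
    """Split a raw Ethernet II frame into its 14-byte header and payload."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    return EthernetFrame(frame[0:6], frame[6:12],
                         int.from_bytes(frame[12:14], "big"), frame[14:])

def mac(addr: bytes) -> str:
    return ":".join(f"{b:02x}" for b in addr)

def nic_accepts(frame: EthernetFrame, own_mac: bytes, promiscuous: bool) -> bool:
    """Normal mode: keep frames addressed to us or to the broadcast address.
    Promiscuous mode: keep every frame seen on the segment."""
    if promiscuous:
        return True
    return frame.dst == own_mac or frame.dst == BROADCAST

def received(frames, own_mac, promiscuous):
    """Return (src, dst, type field) for each frame the NIC would pass up."""
    kept = []
    for raw in frames:
        f = parse_ethernet(raw)
        if nic_accepts(f, own_mac, promiscuous):
            kept.append((mac(f.src), mac(f.dst), f"0x{f.ethertype:04x}"))
    return kept

# Constructed station addresses and frames (not captured traffic).
MY_MAC = bytes.fromhex("00aabbccdd01")
NEIGHBOR = bytes.fromhex("00aabbccdd02")
OTHER = bytes.fromhex("00aabbccdd03")

def build(dst, src, ethertype, payload=b"\x00" * 46):
    return dst + src + ethertype.to_bytes(2, "big") + payload

SAMPLE_FRAMES = [
    build(BROADCAST, NEIGHBOR, 0x0806),  # broadcast: seen in both modes
    build(MY_MAC, NEIGHBOR, 0x0806),     # unicast to us: seen in both modes
    build(OTHER, NEIGHBOR, 0x0800),      # unicast to another station
]

if __name__ == "__main__":
    for mode in (False, True):
        print("promiscuous" if mode else "normal",
              received(SAMPLE_FRAMES, MY_MAC, mode))
```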
Lab: Carry out the following and answer all the questions and submit it at the next class.
This is homework #5 !!!
Reboot a computer with Windows NT Workstation (not Windows 2000 Professional), since the demo version of Sniffer (a network analyzer program) only runs on Windows NT. If the program (Sniffer) is not installed, install it from the machine 132.241.158.35. It is under Im's Classes folder.
From Start -> Programs -> Sniffer Pro (a software-based Network Analyzer program from Network Associates Inc.)
From the Monitor menu, try the following components (some components may not function well -- this is a trial version!):
    Dashboard
    Host Table
    Matrix
    History Samples
    Protocol Distribution
    Global Statistics
    Switch Statistics
Capturing ARP Packets
Delete all entries in the ARP cache.
Go to the Sniffer program and select Capture -> Define Filter -> Address -> select Hardware in Address Type -> enter your station's MAC address in Station 1, enter "Any" in Station 2 -> OK
Capture -> Start, and leave the program running.
Go to the Command Prompt and enter ping followed by your neighbor's IP address.
Go back to the Sniffer program and select Capture -> Stop and Display -> Decode (at the bottom tabs).
Can you see the details of the ARP Request message from your station and the ARP Reply message from your neighbor's station?
ARP Request uses the Ethernet broadcast address. What is the value of the broadcast address?
________________________
Does ARP Reply use broadcast also? ________
Now look at the ping messages.
What is the 3rd layer protocol that ping uses?
_______
Now identify as many fields as you can in the IP header format (from one of the IP packets) and list them:
__________________________________________________________________
__________________________________________________________________
__________________________________________________________________
__________________________________________________________________
What is the value of the type field (for an IP packet) in an Ethernet packet?
____________
What is the value of the type field (for an ARP packet) in an Ethernet packet?
____________
What is the value of the type field (for an ICMP packet) in an IP packet?
____________