TCP/IP Analysis and Troubleshooting Toolkit
Contents
1. the transport layer would have to retransmit it behind voice data already received by the user That retransmission would obviously lead to very gar bled reception on the receiving end of the call Could the transport layer wait and hold transmitted data in a buffer until the lost packets are retransmitted It certainly could but with the added delay for retransmission and reassembly the quality of the voice call would be severely degraded Thus it would be preferable to use an unreliable protocol for transmitting voice data over an IP network AA 41 13 143 In Chapters 5 and 6 I discuss two types of transport layer protocols UDP User Datagram Protocol and TCP and the purposes for their use Layer 5 Session Layer The session layer is the layer about which people most commonly ask Why do we need this layer Don t other layers already possess the same functional ity The answer is yes other layers do possess this functionality but the con cept of a session layer still exists whether it exists in the form of a protocol or not Further many times an application layer protocol needs the services of the session layer to take on extra functions such as connection establishment and maintenance or data segmentation and reassembly Figure 1 9 which appears later in the chapter shows two types of session layer activities The first is a name resolution function that allows a host to determine the IP address of another host giv2. TCP IP Analysis and ng IOOiIK DUE noc Kevin Burns WILEY Wiley Publishing Inc TCP IP Analysis and ng IOOiIK DUE noc Kevin Burns WILEY Wiley Publishing Inc Executive Publisher Robert Ipsen Vice President and Publisher Joe Wikert Editor Carol A Long Developmental Editor Kevin Kent Editorial Manager Kathryn Malm Production Editor Pamela M Hanley Text Design amp Composition Wiley Composition Services This book is printed on acid free paper Copyright 2003 by Kevin Burns All rights reserved Published by Wiley Publishing Inc Indianapolis Indiana Published simultaneously in Canada No part of this publication may be reproduced stored in a retrieval system or transmitted in any form or by any means electronic mechanical photocopying recording scanning or otherwise except as permitted under Section 107 or 108 of the 1976 United States Copyright Act without either the prior written permission of the Publisher or authorization through payment of the appropriate per copy fee to the Copyright Clearance Center Inc 222 Rose wood Drive Danvers MA 01923 978 750 8400 fax 978 646 8700 Requests to the Pub lisher for permission should be addressed to the Legal Department Wiley Publishing Inc 10475 Crosspoint Blvd Indianapolis IN 46256 317 572 3447 fax 317 572 4447 E mail permcoordinator wiley com Limit of Liability Disclaimer of Warranty While the pu
3. Data Display Notification Logging Packet Generator Configuring and Using Your Analyzer Capture Configuration Filtering Expert Analysis Measuring Performance Analysis Tips Placing Your Analyzers Using Proper Filters Troubleshooting from the Bottom Up Knowing Your Protocols Comparing Working Traces Analyzing after Each Change Summary Part Il The Core Protocols Chapter 3 Inside the Internet Protocol Reviewing Layer 2 Communications Multiplexing Error Control Addressing Case Study NetBEUI Communications Name Resolution Reliable Connection Setup NetBIOS Session Setup Application Process Limitations of Layer 2 Communication Networks Network Layer Protocols Internet Protocol Addressing IP Addressing Reserved Addressing Classful Addressing Classless Addressing IP Communications Address Resolution Protocol ARP ARP Packet Format Case Study Troubleshooting IP Communications with ARP and PING ARP Types ARP in IP Communication Case Study Incomplete ARP 97 100 101 101 Chapter 4 Chapter 5 IP Routing The Routing Table Route Types Router Routing Tables The Forwarding Process Case Study Local Routing IP Packet Format Version Header Length Type of Service Datagram Length Fragment ID Fragmentation Flags Fragment Offset Time to Live Protocol Header Checksum Source IP Address Destination IP Address Options Data Case Study TIL Expiring Case Study Local Routing Revisited A Word about IP Version 6 The IPv6
4. 1 8 illustrates an example of data being lost during its transmission over a network and the subsequent retransmission of the data by the transport layer protocol in this case TCP 21 22 Chapter 1 TCP Retransmissions and Reassembly z 1 Data handed down to the transport layer is broken up into multiple data segments and transmitted across the media 2 One of the data frames is dropped by the network during transmission and the receiving station receives only four of the five segments 3 After a time period the transport layer retransmits the lost segment of data Figure 1 8 Reliable transport protocol example The transport layer must accommodate both of these situations The answer to the question of why you might not want a reliable transport layer is that the choice of reliable versus unreliable services depends on the type of informa tion being exchanged by the application Obviously a user saving a critical finance spreadsheet to a network server wants reliability in case a packet or two is lost during the file transfer In that case the transport layer simply retransmits the data and all is well because this is how the transport layer pro vides reliability However consider the example of a phone call being routed through an IP network Would it make sense to retransmit all data that might be lost during the conversation Every time a packet containing voice was lost Introduction to Protocol Analysis
5. Security Payload 51 AH Authentication Header 83 VINES Vines Layer 4 Transport Layer The transport layer can provide reliable or unreliable service Why would any application developer want to use unreliable services when reliable services are available The choice depends on the nature of the application In the con text of the transport layer it makes sense to define what is meant by reliable and unreliable m Reliability in the transport layer refers to the ability of a transport protocol to provide some guarantee of the delivery of data over a net work By providing a guarantee the data delivery becomes reliable m Unreliability in the transport layer refers to the lack of a transport protocol s ability to guarantee data delivery over a network As I stated earlier in the chapter networks are unreliable A number of events can occur in the lower three layers that may need to be handled by the transport layer The transport layer needs to provide a method of detecting packet loss so that it can retransmit the lost data Sometimes the network layer may route multiple packets over separate links causing them to arrive at the destination in the wrong order The transport layer must have a means of reassembling them into the correct order so that the data can be passed to the application Since most applications exchange data in a structured format the data needs to be reassembled into the proper order in which it was sent Fig ure
6. and other devices implement those protocols Understand the protocol and you can largely understand what happens inside the box A Brief History of Network Communications For years complex processing needs have been the driving factors behind the development of computer systems Early on these needs were met by the devel opment of supercomputers Supercomputers were designed to service a single Chapter 1 application at a very high speed thus saving valuable time in performing manual calculations Supercomputers with their focus on servicing a single application couldn t fully meet the business need for a computing system supporting multiple users Applications designed for use by many people required multiple input output systems for which supercomputers were not designed These systems were known as time sharing systems because each user was given a small slice of time from the overall processing system The earliest of these sys tems were known as mainframes Although not as fast as supercomputers mainframes could service the business needs of many users running multiple applications simultaneously This feature made them far more effective at servicing multiple business needs The advent of mainframes thus led to the birth of centralized computing With its debute centralized computing could provide all aspects of a net worked communications system within a tightly controlled cohesive system Such systems as IBM s 5 390 provid
7. details of how the lower layers operate they simply must possess the ability to use the lower layers services The model was created so that in a perfect world any network layer protocol such as IP Internet Protocol IPX Internet Packet Exchange or X 25 could operate regardless of the physical media it runs over This concept applies to all of the layers and in later chapters you can see how some application protocols function identically over different network protocols and sometimes even dif ferent vendors Server Message Block SMB is a perfect example of this as it is used by Microsoft IBM and Banyan s server operating systems Most commu nication protocols map very nicely to the OSI model NOTE OSI actually consists of not only the model but also a suite of complex protocols Although the protocols are rarely used today their original purpose was to provide a single protocol suite that all vendors could adopt into their systems allowing for interoperability The model survived but unfortunately the protocols did not Chapter 1 The OSI Model Example Protocols Applicat SMB HTTP FTP SMTP Po NCP TELNET Ba JPG GIF MPEG ASN 1 SMB Negotiation Session NetBIOS TCP 3 way handshake Ethernet Token Ring Data Link FDDI Frame Relay HDLC Physical X 21 RS 232 DS1 DS3 Figure 1 1 The OSI model Defining the Layers Because almost all protocols are based on the OSI model it is important to complete
8. for use by the NIC driver software Media access means just what it says the NIC must access the media A NIC cannot always transmit at will sometimes the media is being used by another node on the network This sce nario is where the term shared networks comes from In a shared network only one node at a time can be transmitting bits out onto the wire A shared network may physically consist of many wires and hubs but logically it acts as one piece of wire Only one station at a time may transmit on that wire Consider the following examples m Ethernet uses a collision back off algorithm called CMSA CD Using this algorithm a station listens to see if the media is free and then transmits if it is If it hears another station transmitting this is called a collision both stations back off for a certain time and try again until one station successfully obtains access to the media m Token Ring and FDDI use what is called a token based access scheme whereby a small token frame circulates around the logical ring When the token arrives at the appropriate station that station marks the token as busy and attaches data to it for transmission around the ring 12 Chapter 1 Both methods have their benefits and drawbacks but the concept is essentially the same Each data link protocol must provide some method for accessing the media MAC Addressing Communication occurs between nodes on a network and each node must have a unique identifie
9. organization specializing in network analysis and training Kevin s 10 years of experience consist of the design implementation and analysis of various multiprotocol multivendor networks This book comprises the techniques he has used in diagnosing complex network and application problems which he also teaches to students at various seminars and corporate settings Kevin can be reached at kburns tracemasters com Introduction Why I Wrote This Book Network engineers face difficult challenges on a daily basis Servers can crash WAN links can become saturated and for unknown reasons an application s performance can come to a crawl pitting network engineers against applica tion developers in a complicated blame game usually without facts Without the proper tools and training when something breaks network engineers often have to ask why Why can t users obtain DHCP addresses why can t users log into the server and the ever so bothersome question why is the network slow During all of this commotion upper management is usually also asking why Why haven t these problems been resolved Most large net work infrastructures have a mix of troubleshooting tools at their disposal but more often than not the wrong tools are selected for the wrong job How can you best use the tools at your disposal and the knowledge of your networks to assist you in quickly and decisively solving problems on your network infra structures The answe
10. pick out the digital ones and zeros from the background noise With this ability to tell signals apart from noise it became much easier to build networks capable of carrying computerized binary data over long distances 10 Chapter 1 BYES there are many types of digital signaling One of the factors that drives the type of digital signaling used in a specific technology is its efficiency and method of bit representation For example 10 Mb Ethernet uses what is called Manchester encoding a type of digital signaling but for 100 Mb Fast Ethernet Manchester was inefficient if not impossible to use because the cabling available at the time the late 1980s couldn t support its high bandwidth Instead Fast Ethernet uses what is called Non Return to Zero Inverted NRZI encoding and in certain configurations Multi Level Three MLT 3 Other data link technologies use different digital signaling methods Token Ring uses Differential Manchester and T1 circuits use AMI or B8ZS encoding Layer 2 The Data Link Layer So how do a bunch of ones and zeros become IP packets that traverse the net work For the network interface card NIC to put bits on the wire it first must have a method of accessing the media This method is called the media access method All data link protocols designed for use in shared networks have one One function of the media access method is letting the destination station recog nize which bit is the first bit of the Media Ac
11. problems a network analyst sees on TCP IP networks For the more curious interested in the intricate details and inner workings of the protocol I have provided an appendix further detailing the website The goal behind the TCP IP Analysis and Troubleshooting Toolkit is to give the reader the information needed to successfully maintain the protocol in real world networks Since TCP IP is the most common protocol in use today this made the decision to concentrate an entire book on the subject of its analysis and troubleshooting methods easy Rather than write a book about the many intricate and often mundane details of the protocol I attempt to empower you with the knowledge to understand and diagnose problems related to the TCP IP protocol You will quickly notice that many of the examples in the book are either Cisco or Microsoft specific Since those are the two most prevalent vendors in use today I have chosen to use examples pertaining to their systems The examples are by no means exclusive to either Cisco or Microsoft In almost all cases you can take the examples and apply them to any vendor s hardware or software Specific examples that apply to a certain vendor are noted Along this line you might also notice several analysis tools mentioned or used in the examples The type of tool is not typically important just as long as it provides the functionality needed or described An understanding of the technology is what s important a
12. 6 bytes The third address the broadcast address has the same 6 bytes but each byte is the same value FE Why is this Table 1 1 Three Types of MAC Addresses Unicast 00 00 0C 45 A9 D5 Multicast 01 23 7D 34 1E 9A Broadcast FF FF FF FF FF FF Introduction to Protocol Analysis Half duplex NIC cards when not transmitting data listen on the wire for a MAC frame containing their own address For example on Ethernet a node hears another station s transmission and synchronizes on its bit pattern When it recognizes the first bit of the frame it looks at the first 48 bits to determine if the frame should be copied off the wire and sent to the upper layers Why 48 bits Because there are 8 bits in a byte therefore 48 bits equals exactly 6 bytes the length of the MAC address NOTE Ethernet is by its nature a half duplex protocol At the time of its creation only shared hubs existed there was no switching When an Ethernet card is connected directly to a switch port there are only two stations on the segment the Ethernet card on the computer and the switch port By turning off collision detection and allowing both the NIC and the switch to transmit at will the connection becomes full duplex Full duplex is really just the disabling of collision detection on both ends of a point to point Ethernet segment Nodes on a network need to be able to transmit data frames to a single sta tion multiple select stations or all stations A f
13. Data Link Layer calculates the 2 byte CRC value appends it to the frame and transmits the frame out on to the media 2 As the frame is traveling over the media its contents become corrupted 3 The Data Link Layer on the destination receives the frame and performs the CRC calculation based on the frames contents Because the resulting value is different the NIC discards the frame Figure 1 5 CRC operation Layer 3 Network Layer The network layer has four primary functions m Addressing m Routing m Path management Multiplexing Introduction to Protocol Analysis 192 168 1 2 Figure 1 6 Routed IP network example 192 168 1 1 The addressing function provides a Layer 2 independent address Unlike a Layer 2 MAC address that can change as data is routed through an internet work the Layer 3 network address of an endpoint remains the same throughout the entire path Layer 3 addressing also provides the means for creating subnetworks for the purpose of logically partitioning a large Layer 2 LAN Figure 1 6 illustrates two IP networks connected by a router Notice how each subnetwork contains its own addressing scheme AA 143 143 discuss network addressing in more detail in Chapter 3 The network layer also provides for the end to end routing and delivery of datagrams through multiple networks To accomplish this protocols known as routing protocols distribute address reachability information throughout the ent
14. Header IPv6 Address Format Other Changes to IPv6 Summary Internet Control Message Protocol Reliability in Networks Comnection Oriented versus Connectionless Networks Feedback Exploring the Internet Control Messaging Protocol ICMP Header ICMP Types and Codes ICMP Message Detail Destination Unreachable Type 3 Diagnostic Messages Redirect Codes type 5 Time Exceeded Type 11 Informational Messages Network Diagnostics with ICMP Summary User Datagram Protocol Revisiting the Transport Layer UDP Header Source Port Destination Port UDP Length UDP Checksum Data UDP Communication Process Contents 104 104 108 110 112 114 117 117 117 117 119 119 119 119 120 120 121 121 121 121 121 122 124 126 128 129 130 130 131 152 132 133 134 134 135 157 137 144 146 151 151 152 154 155 156 157 157 157 158 158 159 160 vill Contents Case Studies in UDP Communications Name Resolution Services Routing Information Protocol Simple Network Management Protocol UDP and Firewalls Case Study Failed PCAnywhere Session Case Study NFS Failures Traceroute Caveats Summary Chapter 6 Transmission Control Protocol Introduction to TCP Requirements for a Reliable Transport Protocol Fast Sender and Slow Receiver Packet Loss Data Duplication Priority Data Out of Order Data The TCP Header Source Port Destination Port Sequence Number Acknowledgment Number Header Offset Reserved Bits Connectio
15. Lookup Name Servers ROOT Name Servers Name Server Caching Resource Records Analyzing DNS IPCONFIG CyberKit DNS Expert Common DNS Configuration Mistakes File Transfer Protocol FTP FTP Commands and Responses Case Study Active Transfer Failure Case Study Passive Transfer Failure Case Study FTP Failures through Firewall Case Study Revisiting FTP Transfer Failures Hypertext Transport Protocol HTTP HTTP Requests HTTP Responses HTTP Headers and Messages Host Header Redirection Cookies Cache Control Headers Contents 207 209 212 215 215 215 217 218 218 218 219 220 221 222 224 225 225 227 229 229 231 233 233 235 238 240 242 244 247 249 290 254 254 260 260 261 262 264 265 265 269 272 273 276 278 278 281 284 285 285 285 288 ix X Contents HTTP Proxies Measuring Proxy Latency Analyzing Advanced Web Architectures Case Study Web Site Failure Simple Mail Transport Protocol Summary Chapter 8 Microsoft Related Protocols Dynamic Host Configuration Protocol DHCP Header DHCP Process DHCP Messages DHCP Options DHCP Leases NetBIOS over TCP IP NetBIOS Names NetBIOS Services Datagram Service Session Service Name Service NetBIOS Operations Name Service Operations NetBIOS Datagram Operations NetBIOS Session Operations Server Message Block SMB Header SMB Commands SMB Responses SMB Operations Analysis Initial Connection File Transfer File Locking Interprocess Communicat
16. appears in print may not be available in electronic books Library of Congress Cataloging in Publication Data is available from the publisher ISBN 0 471 42975 9 Printed in the United States of America 10 987654321 To my parents who always believed in me Contents Acknowledgments xi About the Author xiii Introduction XV Part I Foundations of Network Analysis 1 Chapter 1 Introduction to Protocol Analysis 3 A Brief History of Network Communications 3 OSI to the Rescue 5 Defining the Layers 6 Layer 1 Physical Layer 6 Layer 2 Data Link Layer 7 Layer 3 Network Layer 7 Layer 4 Transport Layer 7 Layer 5 Session Layer 7 Layer 6 Presentation Layer 8 Layer 7 Application Layer 8 Protocol Analysis of the Layers 8 Layer 1 The Physical Layer 8 Layer 2 The Data Link Layer 10 Layer 3 Network Layer 18 Layer 4 Transport Layer 21 Layer 5 Session Layer 23 Layer 6 Presentation Layer 23 Layer 7 Application Layer 24 Putting It All Together 24 History of TCP IP 26 Summary 28 Chapter2 Analysis Tools and Techniques 29 Reviewing Network Management Tools 30 Categorizing Network Management Tools by Function 30 Fault Management Systems 31 Performance Management and Simulation 31 vi Contents Protocol Analyzers Application Specific Tools Classifying Tools by How They Perform Functions Protocol Analyzers Problem Solving Tools Why Protocol Analysis Protocol Analyzer Functions Data Capture Network Monitoring
17. blisher and author have used their best efforts in preparing this book they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose No warranty may be created or extended by sales representatives or written sales materials The advice and strategies contained herein may not be suitable for your situation You should consult with a professional where appropriate Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages including but not limited to special inci dental consequential or other damages For general information on our other products and services please contact our Customer Care Department within the United States at 800 762 2974 outside the United States at 317 572 3993 or fax 317 572 4002 Trademarks Wiley the Wiley Publishing logo and related trade dress are trademarks or registered trademarks of Wiley Publishing Inc in the United States and other countries and may not be used without written permission All other trademarks are the property of their respective owners Wiley Publishing Inc is not associated with any product or ven dor mentioned in this book Screenshot s Copyright 2002 Wildpackets Inc All rights reserved Wiley also publishes its books in a variety of electronic formats Some content that
18. cess Control MAC frame Once the first bit of the frame is found the NIC can start grouping the ones and zeros into a Data Link Control DLC frame Just as there are different methods of digital signaling there are different types of DLC frames In Ethernet the IP protocol is carried by Ethernet II frames On Token Ring IP is carried by Token_Ring SNAP frames NOTE Since the objective of this book is to learn how best to analyze TCP IP networks I won t detail the many frame types that exist For more information on the various frame types refer to Data Link Protocols by Ulysses Black Prentice Hall Professional 1993 It is important however to understand the basic details of Layer 2 framing Each DLC frame has five basic parts Media access portion Addressing E E Service access points m Upper layer data Frame protection These five basic parts are illustrated in Figure 1 2 and discussed in detail in the sections that follow Introduction to Protocol Analysis 11 Data Link Control Frame Service Frame Protection Addressing Access Point Upper Layer Data Ethertype Contains the data from or to Layer 3 Identifies the Layer 3 protocol l Provides error Provides a way detection for to address the frame other nodes Manages access to the media Figure 1 2 Data Link Control frame Media Access Portion The media access portion of the frame consists of certain bit patterns and reserved bits
19. ctions at the data link layer a handy OUI list makes it easier to spot which MAC addresses in the protocol trace belong to what hardware Several years ago I was analyzing broadcast traffic on a client s network and was seeing many strange IPX broadcasts on our IP only segments Comparing the MAC addresses from which the broadcasts were originating revealed that they all contained the same the 3 bytes the OUI After looking up the OUI realized that the broadcasts were coming from our print servers which were incorrectly configured with IPX Disabling IPX stopped the unnecessary broadcasts The current list of OUIs registered with the IEEE can be found at http standards ieee org regauth oui ouil txt Ethertypes At any given moment a data link layer protocol is performing one of two tasks It is either receiving a data link frame from the network and passing it to the network layer or itis receiving data from the network layer that needs to be transmitted out onto the network The next couple paragraphs investigate this process further After the data link layer fully receives the frame its next job is to determine the identity of the Layer 3 protocol to which the frame s data should be deliv ered However a workstation might be running multiple Layer 3 protocols besides IP in mixed vendor environments a workstation may have Novell IPX or AppleTalk running How then does the data link layer determine which Layer 3 protocol should r
20. e Protocols builds the foundation for understanding the protocols that TCP IP is built upon It is these protocols that provide the support for all other application layer protocols m Part III Related TCP IP Protocols extends the search for understand ing by revealing the inner workings of standard and vendor indepen dent protocol implementations Applications such as DNS Domain Name System HTTP Hypertext Transport Protocol and FTP File Transport Protocol are thoroughly analyzed and a deep investigation is conducted into Microsoft s TCP IP implementation including the ever so mysterious Server Message Block protocol In each chapter the material is complemented with numerous case studies and examples from real live networks These examples and case studies are given to illustrate how the knowledge and techniques discussed can be put to use Tools This book uses several different analysis tools to illustrate the troubleshooting examples While the tools are not necessary to understand the examples you do need them to view the trace files included on the companion Web site The Web site includes instructions for downloading the freeware version of the Ethereal protocol analyzer which can be used to view the traces xvii xviii Introduction The Companion Web Site The companion Web site to this book which can be found by pointing your browser to www wiley com compbooks burns contains protocol standards such as RFCs Reque
21. e this problem Digital Signaling Unlike analog signals digital signals have only discrete values either aone ora zero Early digital telephone engineers figured out a way to modulate an ana log signal onto a digital carrier using something called pulse code modulation or PCM PCM lets the instantaneous frequency of an analog signal be repre sented by a binary number Instead of an amplifier having to guess at which signal to amplify now it just had to repeat either a zero or a one Using this method greatly improved the quality of long distance communications When computer data needed to be transmitted across network links the decision to use digital signaling was easy Since computers already represented data using zeros and ones these zeros and ones could very easily be transmitted across networks digitally How these ones and zeros are represented is what digital signaling is all about On 10BaseT Ethernet networks data is represented by electrical volt age a one is represented by a transition from 2 05 V to 0 V and a zero is rep resented by a transition from 0 V to 2 05 V Over fiber optic networks a one might be represented by a pulse of light and a zero by the absence of light The process isn t quite that simple but the concept is basically the same Different digital signaling methods create ones and zeros on the media Now with the ability to have only two kinds of signals to recognize it is much easier for amplifiers to
22. eceive the data Inside the MAC frame there is a 2 byte field called an Ethertype The value of this field determines what Layer 3 protocol should receive the data Table 1 3 shows a partial listing of Ethertypes and their values Table 1 3 Sample Ethertypes VALUE DESCRIPTION 0000 05DC IEEE 802 3 Length fields 0101 01FF Experimental For development 0200 Xerox PUP Conflicts with 802 3 Length field 0201 PUP Address Translation Conflicts with 802 3 0600 Xerox XNS IDP continued 16 Chapter 1 Table 1 3 continued VALUE DESCRIPTION 0800 DOD IP 0806 ARP For IP and CHAOS OBAD Banyan Systems Inc 8137 8138 Novell IPX In the reverse situation when the data link layer is transmitting data passed down to it from a Layer 3 protocol the data link layer simply places the correct Ethertype value inside the Ethertype field that corresponds to the Layer 3 pro tocol from which it received the data SERVICE ACCESS POINTS Another method of upper layer protocol identification is what are called service access points Service access points are used with a frame type called the Logical Link Control or LLC LLC is more than just a frame format it is an entire protocol used extensively in IBM Source Route bridge networks Instead of Ethernet II frames LLC uses Ethernet_802 3 frames It is also used by the NetBEUI protocol which I will discuss in Chapter 3 Instead of an Ethertype the LLC frame format uses a source service acce
23. ect errors that may occur Corrupted data should never be passed to upper layers Layer 3 Network Layer Layer 3 is the end to end communications provider Whereas the data link layer s responsibility ends at the next Layer 2 device the network layer is responsible for routing data from the source to the destination over multiple Layer 2 paths Applications utilizing a Layer 3 protocol do not need to know the details of the underlying Layer 2 network Layer 3 networks such as those using the Internet Protocol willspan many different Layer 2 technologies such as Ethernet Token Ring Frame Relay and Asynchronous Transfer Mode ATM Some examples of Layer 3 protocols are IP IPX and AppleTalk Data gram Delivery Protocol DDP Although the network layer is responsible for the addressing and routing of data from source to destination it is not respon sible for guaranteeing its delivery Layer 4 Transport Layer Networks are not reliable On Ethernet networks collisions can occur resulting in data loss switches can drop packets due to congestion and networks them selves can lose data due to overloaded links the Internet itself experiences anomalies such as these on a daily basis Protocols that operate in the transport layer may retransmit lost data perform flow control between end systems and many times add an extra layer of error protection to application data While the network layer delivers data between two endpoints the trans
24. ed the communication paths applications and storage systems within a large centralized processing system Client work stations were nothing more than text screens that let users interact with the applications running on the centralized processing units Distributed computing followed on the heels of centralized computing Distributed computing is characterized by the division of business processes on separate computer systems In the late 80 s and early 90 s the dumb terminal screens used in centralized computing architectures started to be replaced by computer workstations that had their own processing power and memory and more importantly the ability to run applications separate from the mainframe Early distributed systems were nothing more than extensions of a single vendor solution bought from a single vendor over modem or dedicated leased lines Because the vendor controlled all aspects of the system it was easy for that vendor to develop the communication functions that were needed to make their centralized systems distributed These types of systems are known as closed systems because they only interoperate with other systems from the same manufacturer Apple Computer and Novell were among the first compa nies to deliver distributed although still proprietary networking systems Distributed processing was complicated lt required addressing error control and synchronized coordination between systems Unfortunately the commu
25. en its name The second in this example is the ses sion layer setup performed by NetBIOS It can only be performed once the IP address of the destination host is known The degree that an application understands the heuristics of the transport layer determines its dependence on transport layer protocols In pre Windows 2000 environments Microsoft s Server Message Block SMB protocol needed session layer services of Net BIOS since it could not natively communicate with transport layer protocols like TCP In the discussion of the SMB protocol in Chapter 8 I show how SMB relies on the session layer to segment blocks of data for delivery to the trans port layer Layer 6 Presentation Layer The presentation layer is the most difficult to analyze simply because it some times does not exist in the sense of being a working protocol format The presentation layer deals with how information is represented how it is exchanged and what structure it is stored in The best example of the presenta tion layer is the method of data exchange between applications For example ASN 1 is a data format used in the SNMP protocol for querying the Manage ment Information Databases MIBS on network devices ASN 1 is the format 23 24 Chapter 1 used to make the request Application layer protocols utilize the services of the presentation layer and in the case of ASN 1 SNMP utilizes its format that is its presentation In the case of ASN 1 not only i
26. ion Named Pipes Mailslots DCE RPC Microsoft Applications NetLogon Browser Protocol Summary Appendix A What s on the Web Site System Requirements What s on the Web Site Standards and RFCs Author Created Materials Applications Using the Flash Video Examples Troubleshooting Appendix B BSMB Status Codes Index 289 290 291 293 294 298 299 299 300 302 306 308 311 312 312 315 316 917 319 320 321 326 326 329 330 332 336 338 339 344 351 352 353 353 354 359 339 362 368 369 369 370 370 371 371 371 372 373 399 Acknowledgments This book never would have been a reality without the following people Emily Roche who helped me open the door to writing and took me to my first book proposal seminar Toni Lopopolo who taught the seminar and put me in con tact with my great agent Jawahara Saidullah I want to thank Tony Fortunato for patiently reviewing my book for technical accuracy Thanks also goes out to everyone at Wiley Publishing who worked so hard on this book including my great development editor Kevin Kent who held me to task on making sure readers would be able to easily understand the complex case studies and examples in the book Last but not least I want to thank my parents who have given me everything and asked for nothing in return This book is for you xi About the Author Kevin Burns is the founder of Tracemasters Inc of Philadelphia Pennsyl vania a consulting
27. ire network Figure 1 7 shows a simple version of how the RIP Routing Information Protocol advertises information between routers Again this material is discussed further in Chapter 3 The network layer must also handle path management issues such as rerouting around failed links MTU maximum transmission unit discovery and processing control information messages received from routers ICMP Internet Control Message Protocol works in tandem with IP to provide critical information on the state of the network Also because other upper layer protocols use the services of the network layer it must provide multiplexing and demultiplexing functions in order to pass data back and forth between layers IP uses a very similar concept to Ethertypes except that in the network layer they are called protocol identifiers Table 1 4 shows a partial list of common protocols and their IP protocol IDs 19 20 Chapter I Router 10 2 1 1 192 168 1 1 RIP Message 1 network 172 16 1 0 0 hops away WAN Link 172 16 1 1 RIP Message 2 networks 10 2 1 0 O hops away 192 168 1 0 0 hops away Figure 1 7 RIP operation Introduction to Protocol Analysis Table 1 4 Example IP Protocol IDs DECIMAL KEYWORD PROTOCOL 1 ICMP Internet Control Message Protocol 2 IGMP Internet Group Management Protocol 6 TCP Transmission Control Protocol 17 UDP User Datagram Protocol 37 DDP Datagram Delivery Protocol 41 IPv6 Ipv6 50 ESP Encapsulating
28. ly understand how the model operates and to understand the proto cols you must first understand the framework The following sections explain the seven layers in more detail and Figure 1 1 gives examples of protocols that reside at each layer Layer 1 Physical Layer The simplest definition of the physical layer is that 1t deals with how binary data is translated into signals and transmitted across the communications medium I talk more about media in the Detailed Layer Analysis section later in this chapter The physical layer also comprises the functions and pro cedures that are responsible for the transmission of bits Examples would be procedures such as RS 232 handshaking or zero substitution functions on B8ZS T1 circuits The physical layer concerns itself only with sending a stream of bits between two devices over a network Introduction to Protocol Analysis Layer 2 Data Link Layer Layer 2 the data link layer handles the functions and procedures necessary for coordinating frames between devices At the data link layer zeros and ones are logically grouped into frames with a defined beginning and end Unlike the physical layer the data link layer contains a measure of intelligence Ethernet a common Layer 2 protocol contains detection algorithms for controlling collision detection corrupted frames and address recognition Higher layers depend on the data link layer not only to provide an error free path but also to det
29. n Flags Window Size TCP Checksum Urgent Pointer Options Data TCP Implementation Multiplexing Data Sequencing and Acknowledgment Flow Control TCP Connection Management TCP Open Initial Sequence Number ISN TCP Connection States TCP Options TCP Close Half Close TCP Reset Case Study Missing Drive Mappings Case Study No Telnet Case Study Dropped Sessions TCP Data Flow Management Data Sequencing and Acknowledgment TCP Retransmissions Retransmission Time Out Case Study Bad RTO Delayed Acknowledgments Case Study Slow Surfing 164 165 166 169 169 170 171 173 174 175 175 176 177 1747 178 178 1 9 179 180 180 181 181 181 181 182 182 182 182 183 183 183 183 183 183 184 185 185 189 189 192 195 194 194 196 197 200 200 202 202 203 204 206 The Push Flag TCP Sliding Windows Slow Start and Congestion Avoidance Nagle Algorithm Data Protection Case Study TCP Checksum Errors TCP Expert Symptoms TCP Application Analysis TCP and Throughput Segment Size Latency Window Size Case Study Slow Web Server Case Study Bad Windowing Case Study Inefficient Applications High Performance Extensions to TCP Selective Acknowledgments Window Scale Option Timestamp Option Summary Part Ill Related TCP IP Protocols Chapter 7 Upper Layer Protocols Introduction to Upper Layer Protocols Analyzing Upper Layer Protocols Chapter Goals Domain Name System DNS DNS Database DNS Message Format Using NS
30. nd before transmitting that data out to the network the data link layer performs one more task to help pro tect the integrity of the data as it travels along the network path At the end of each MAC frame it appends a 4 byte value called a CRC This CRC or cyclical redundancy check is a value that is calculated by a complex formula based on the data inside the MAC frame When the destination NIC receives the frame it performs the same calculation on the data to see if the value is the same If it is the frame s data is passed on to the network layer If not the data link layer dis cards the frame since its integrity cannot be guaranteed These types of errors where a frame s contents are corrupted during the transmission over the local media are called CRC errors Figure 1 5 illustrates the CRC operation Upper Layer Data carried by the Data Link Layer Bytes Destination Source Application Addresss Address Data Data Link Layer Network Layer Transport Layer Upper Layer Data carried by the Data Link Layer Bytes Destination Source Application Addresss Address Data Data Link Layer Network Layer Transport Layer Figure 1 4 Layer 2 encapsulation examples 18 Chapter 1 INN INN a ii Workstation Server aan Garbage Data Link Data Link Layer Data Link Layer discards frame Layer Data 123456 Data content has changed Data 122256 CRC 45A9h CRC 45A9h Data 122256 CRC 45A9h 1 The
31. nd that is what this book concentrates on Who Should Read This Book Although this book does provide an introduction to network analysis tech niques and the TCP IP protocol it is not for beginners A basic understanding of the OSI model is important as well as a decent level of experience manag ing server operating systems running TCP IP More advanced readers already familiar with the protocol will benefit greatly from the case studies presented in each chapter This book will help you become a better network analyst If you are a network administrator eager Introdution to learn more about understanding communications between clients and servers this is a good place to start If you are already familiar with configur ing routers and switches this book will teach you the technology behind the configuration commands it will help you learn to think outside the box This book is about technology and how to best use tools at your disposal to keep your networks running smoothly How This Book Is Organized The book is organized into three parts m Part I Foundations of Network Analysis answers such questions as Why protocol analysis and What tools do I use It explains the process of capturing and manipulating trace files It also provides a refresher of the OSI model and the basic concepts of network communi cation that are needed to benefit from the material presented in the later chapters m Part II The Cor
32. nication architectures designed to meet those requirements were not compatible across vendors boundaries Many closed proprietary systems were developed most notably IBM s System Network Architecture SNA and Digi tal Equipment Corporation s DECNet Down the road other companies such as Novell and Apple followed suit In order to open up these closed systems a Introduction to Protocol Analysis framework was needed which would allow interoperability between various vendors systems OSI to the Rescue OSI Open System Interconnection developed by the International Organization for Standardization ISO was the solution designed to promote interoperability between vendors It defines an architecture for communications that support dis tributed processing The OSI model describes the functions that allow systems to communicate successfully over a network Using what is called a layered approach communications functions are broken down into seven distinct layers The seven layers beginning with the bottom layer of the OSI model are as follows Layer 1 Physical layer Layer 2 Data link layer Layer 3 Network layer Layer 4 Transport layer Layer 5 Session layer Layer 6 Presentation layer Layer 7 Application layer Each layer provides a service to the layers above it but also depends on ser vices from the layers below it The model also provides a layer of abstraction because upper layers do not need to know the
33. port layer can guarantee that it gets to its destination Layer 5 Session Layer The session layer provides the ability to further control communications between end systems by providing another layer of abstraction between trans port protocols and the application If an application layer protocol possesses this functionality a session layer protocol may not be needed NetBIOS as you will see later in this chapter is a perfect example of a session layer protocol Sometimes the session layer does not reveal itself as a protocol but rather as a Chapter 1 procedure performed to allow a protocol to continue its functions Even though a protocol will exist at a certain layer a procedure of that protocol can sometimes perform functions that normally reside in another layer I will note instances in later chapters where this anomaly takes place Layer 6 Presentation Layer The presentation layer is another layer that sometimes does not manifest itself in obvious ways The presentation layer handles making sure that data for mats used by application layer protocols are compatible between end systems Some examples of Layer 6 would be ASCII JPG and ASN 1 Just as I indicated was the case with Layer 5 some protocol functions performed in other layers fit nicely into the description of the presentation layer Layer 7 Application Layer Many people confuse Layer 7 with the applications used on servers or work stations Application layer p
34. r This identifier is called the Data Link Control address or DLC address It is also called the MAC address MAC is short for Media Access Control I use the two terms interchangeably throughout the book MAC addresses are provided by the data link control endpoint typically a NIC They are also known as burned in addresses because the address is programmed permanently into ROM read only memory The process of creating a ROM chip actually involves burning small fuses inside of the chip to represent either a 1 ora 0 hence the name burned in address The MAC address is a 6 byte hexadecimal number that uniquely identifies an interface on a node It is important to remember that the MAC address does not identify the node but only an interface to it Nodes can be workstations servers routers bridges or even access points into a wireless network and any of these nodes can have multiple NIC cards that is endpoints on the network A router for example may have many interfaces On the other hand a server may have just two connections one to the production LAN and one to a backup LAN There are three types of MAC addressing and Table 1 1 illustrates the three types m Unicast Processed by a single endpoint m Multicast Processed by multiple endpoints m Broadcast Processed by all endpoints The first one a unicast address contains 6 bytes in hexidecimal that make up the entire address The second a multicast address also contains
35. r can manufacturer around 1 5 million NIC cards using the remaining 3 bytes Table 1 2 contains a list of common vendors OUIs 13 14 Chapter 1 Table 1 2 Sample OUls OUI COMPANY ASSIGNMENT 000102 3Com 00508B Compaq 000142 Cisco 0002B3 Intel 0004AC IBM 0020D8 Nortel 00007D Sun Microsystems Figure 1 3 illustrates a breakdown of different reserved bits in the MAC address format The first bit broadcast bit is always set to 1 in multicast and broadcast frames The second bit universal local bit is reserved for organizations that use nonpublic NIC cards This bit lets organizations choose their own OUI without being concerned with which ones have already been reserved by other vendors If the local bit is set to 1 you know you are seeing a NIC card that is not in public use Non public NIC cards are used for specific purposes and are not often mixed with NIC cards publicly sold by NIC manufacturers Las 00000 0 0 0 Functional Address Indicator Bit used in Token Ring Broadcast Bit Universal Local Bit Figure 1 3 MAC address bit definitions Introduction to Protocol Analysis 15 MAINTAINING AN OUI LIST Maintaining a handy reference of current OUI registrations can be very helpful in troubleshooting situations Although most protocol analyzers have many OUls already programmed into them there are always new products on the market with OUIs your analyzer might not know about yet When you are analyzing transa
36. r to even barbed wire if you can get the signals to successfully transmit over it Media carry communication Introduction to Protocol Analysis signals In wireless networks signals travel over air as RF radio frequency radio waves On 10BaseT Ethernet networks they are carried as electrical volt age In Fiber Distributed Data Interface FDDI networks glass is used as the medium the signals travel as pulses of light over glass fiber optic cables Many reasons exist as to why specific types of media are used in different tech nologies Theoretically you should be able to use whatever medium you want to carry the signals unfortunately the way those signals are represented places limitations on the types of media you can use Analog Signaling Communications signals are transmitted in two ways The first method ana log is used to transmit signals that have values that vary over time Sound is a perfect example of an analog signal Sound is measured as an analog signal in cycles per second or hertz The range of the human voice varies from about 100 Hz to 1 500 Hz When early telephone networks were developed it was difficult to create good quality long distance communications using analog signals because when these analog signals were amplified there was no way to distinguish the noise from the voice signal As the analog voice signal was amplified so was the noise Converting analog voice signals to digital signals was one way to solv
37. r to that question is the subject of this book I wrote this book for the people on the front lines the network field engi neers I have a great respect for field engineers They are the doers the people that make things work they are also the first people whose pagers start beep ing when things don t work In my over 10 years of experience supporting desktops servers and large complex network infrastructures I ve come to the conclusion that the best field engineers are the ones who can solve the really tough problems People who are good problem solvers are usually tenacious and curious These two qualities drive these people to stay up all night to try to solve a prob lem They know the answer is there somewhere waiting to be uncovered and XV xvi Introduction they are tenacious enough to dig until they find it The truly curious will most likely have read many good books on the TCP IP protocol including W Richard Stevens TCP IP Illustrated Addison Wesley January 1994 and Dou glas Comer s Internetworking with TCP IP Prentice Hall January 2000 To date these books are the flagship manuscripts on understanding TCP IP but they focus intensely on theory and lack in practical examples That said I still rec ommend every analyst have a copy of them on their bookshelves I have attempted to bridge the gap left by these two books by taking the most impor tant concepts on the protocols and applying them to the most common
38. rame transmitted to a single station is known as a unicast frame one transmitted to multiple stations is a multicast frame and one transmitted to all stations is a broadcast frame When a NIC card sees its own address in the destination portion of a MAC frame it copies the frame off of the wire and determines to what upper layer protocol it should be passed The multicast address operates the same way except that nodes must be told to listen for a specific multicast address Video multicast ing applications use this technique to stream a single video stream to multiple clients on the same Layer 2 network The broadcast address FF FF FF FF FF FF is the one MAC address that all stations must listen to When a station sees a destination address of all Fs it must copy the frame from the wire and look at it even if the data in the frame is destined for an upper layer protocol that the station doesn t support In that case the NIC simply discards the frame MAC addresses also have a unique way of identifying the hardware to which they belong The first 3 bytes of each MAC address are known as the Organizationally Unique Identifier OUI Each vendor who manufacturers NIC cards requests an OUI from the Institute of Electrical and Electronics Engineers IEEE The vendor uses this 3 byte value as the first 3 bytes in the NIC cards it manufacturers and then assigns the remaining 3 bytes Because the first 3 bytes are static and cannot change the vendo
39. re to the appli cation layer protocol in this case the Server Message Block SMB protocol SMB cannot act on its own it must pass the request down to the awaiting Session layer protocol NetBIOS 2 Upon receiving the SMB open file request NetBIOS must perform two functions of its own First it must resolve the destination host name Server to an IP address Second it must open up a NetBIOS session with the destination host using this IP address XT Take a look at the processes that have taken place so far File Save Request Name Resolution Session Setup and Transport Layer Connection It s easy to see how many things have to happen even before the file can be transmitted across the network
40. rotocols are not user applications but instead the protocols that allow those applications to operate over a network A user browsing the Internet with Internet Explorer utilizes an application layer pro tocol called HTTP Microsoft Word users saving files to a network server make use of the Server Message Block SMB protocol To a user a network drive simply appears as G but in the background there are powerful application layer protocols that allow G 1 to represent a location on a remote server Other examples of application layer protocols are FTP and Telnet Protocol Analysis of the Layers The following sections comprise a protocol analysis approach to the OSI model They explain what each layer does and more importantly why How each layer performs its function is left up to the protocol designers I discuss how TCP IP performs its functions in Chapters 3 through 6 More advanced readers may notice some vague or overly generic descriptions of packet descriptions in the following sections I have written the descriptions this way to provide a generic blueprint for describing the layer s functionality the details follow later in the book Layer 1 The Physical Layer As I indicated earlier in the chapter the physical layer concerns itself with how communications signals are transmitted across a medium Appropriately a medium is defined as a path where communication signals can be carried A path is anything from copper water or ai
41. s it used as a representation of data but it also specifies the methods for exchanging the data For example an SNMP MIB file will define the types of information a device supports It will also specify the types of methods the device supports for obtaining that infor mation SNMP traps are a fine example of how the ASN 1 format is used in MIB files to define a method of information exchange An SNMP trap is when based on certain conditions a device will send out trap information to a cen tralized management system Layer 7 Application Layer The application layer handles the exchange of information All software such as word processors browsers and email clients in some way exchange infor mation A user opening up a Web page is viewing information a user saving a document is storing information Application layer protocols contain the functionality to perform these tasks Application layer protocols must handle situations that arise in data storage such as what happens when two users attempt to open a file simultaneously or how many attempts should be made at saving a file before notifying the user of an error The application layer is the last line of responsibility in interpreting events in all lower layers Putting It All Together Figure 1 9 shows and this section explains what goes on behind the scenes inside the OSI model when a user opens a file on a network server 1 The open file request is passed from the client softwa
42. ss point and a destination service access point called SSAP and DSAP respectively The SSAP and DSAP values like Ethertypes tell the data link layer what upper layer protocol should receive the data in the Layer 2 frame Below is a decoding of an LLC frame Instead of an Ethertype field the 802 3 frame has a 2 byte length field We can see that the SSAP and DSAP values are OxF0 which tells the data link layer that the upper layer protocol is NetBIOS 802 3 Header Destination 00210724220 13275 Source 00 04 5A 76 F3 329 LLC Length 47 802 2 Logical Link Control LLC Header Dest SAP OxFO NetBEUI NetBIOS Source SAP OxFO NetBEUI NetBIOS Command 0x03 Unnumbered Information NetBEUI NetBIOS Network Basic Input Output System Length 44 NetBIOS Delimiter OxEFFF Command Ox0E Name Recognized Walt Option Data 1 0x00 Reserved Session Number 4 Name Type 0 Unique Name Xmit Resp Correlator 0x00000060 Destination Name KEVIN_98 lt 0x00 gt Source Name SERVER lt 0x20 gt Introduction to Protocol Analysis 17 Upper Layer Data The purpose of MAC frames is to carry upper layer data from one Layer 2 interface to another Figure 1 4 shows two different examples of Layer 2 com munications carrying upper layer data NOTE Data link protocols can carry multiple types of upper layer protocols Note that Figure 1 4 shows Ethernet encapsulating both IP and IPX Frame Protection After receiving all data from the network layer a
43. sts for Comment IETF Internet Engineering Task Force standards and other resources concerning the protocols discussed in the book It also contains online videos of most of the books example materials and trace files from the actually case studies which you can load and examine for your self Finally it includes several freeware and shareware utilities that are a must in the network analyst s toolkit For more specific information as to what is on the Web site see Appendix A El Foundations of Network Analysis Introduction to Protocol Analysis What is protocol analysis A protocol is defined as a standard procedure for regulating data transmission between computers Protocol analysis is the process of examining those procedures The way we go about this analysis is with special tools called protocol analyzers Protocol analyzers decode the stream of bits flowing across a network and show you those bits in the struc tured format of the protocol Using protocol analysis techniques to understand the procedures occurring on your network is the focus of this book In my 10 years of analyzing and implementing networks Ihave learned that in order to understand how a vendor s hardware platform such as a router or switch functions you need to understand how the protocols that the hardware imple ments operate Routers switches hubs gateways and so on are simply nothing without the protocols Protocols make networks happen Routers
Download Pdf Manuals
Related Search