219_sniffer_07.qxd 378 6/28/02 11:57 AM Page 378 Chapter • Analyzing Network Issues Fragment Errors In Figure 7.40, Sniffer Pro’s expert has flagged Packet as a fragment The packet also contains a bad CRC In reality, the packet contains no CRC, so it failed the comparison operation Figure 7.40 Fragment Error We ask Sniffer Pro Help for more information on this error; we get the results displayed in Figure 7.41 A fragment is an undersized packet that contains a CRC error After examining the hex display, we see that the data in the packet appears to be a valid source and destination MAC address with a type field of 0800 (refer back to Figure 7.40).The size of the packet is 14 bytes, and no collisions were detected.The transmission appears to have simply stopped.This problem can be caused by an intermittent cable connection, a faulty interface card, or software driver hanging.The SCP has the source address of the offending station in this case and should determine whether subsequent errors are from the same address If the errors are random, you should suspect the cable plant or an intermediate device such as a hub or a switch Figure 7.41 Fragment Error Help Jabber Errors In Figure 7.42, we see the hex display of a packet that Sniffer Pro flagged as a jabber error.The UDP checksum is missing, causing a CRC error.The Help definition of a jabber error is displayed in Figure 7.43 Figure 7.42 Jabber Error www.syngress.com 219_sniffer_07.qxd 6/28/02 11:57 AM Page 379 Analyzing Network Issues • Chapter Figure 7.43 Jabber Error Help Sniffer Pro defines a jabber error as a frame containing random or garbage data, hence the moniker jabber.The packet is oversized, with a CRC error.With that in mind, let’s examine the packet more closely for clues.There appear to be valid source and destination MAC addresses, and the type field of 0800 looks okay.The data starting at offset 2B in the packet appears to be valid until we reach offset 3B At this point, the data starts repeating a consistent value of 55 in hex Although this data might be valid ASCII U characters, it has no valid EBCDIC counterpart Let’s look at this suspicious character more closely Hexadecimal 55 equals binary 01010101.You should recognize the alternating pattern of 0s and 1s.The pattern appears to be a spurious clocking signal without data In Figure 7.44, we see a continuation of the jabber error frame Starting at offset 460 in the packet, the data consists of normal ASCII escape sequence characters (such as 0, X, esc, *, q, 1, A, esc, *, b, 2, 5, 1,W, us) However, at offset 46F—the last character in the first line—a repetitious pattern of (ff ) characters begins Let’s look at the character more closely.The hexadecimal value (ff ) equals binary 11111111.This value is neither a valid ASCII nor an EBCDIC character Well, then, what is it? You are reminded of the previous discussion of Manchester encoding If no change occurs during a bit time, the bit retains the value of the last sampling In effect, the receiving stations (both Sniffer Pro and the destination address) are sampling a signal stuck at As Sniffer Pro Help suggested, this situation can be caused by a hardware fault In addition, a software driver or any device (hub or switch) on the segment that can hold the signal level high without causing a collision can also cause this error.The first suspect should be the source station’s interface card Figure 7.44 Jabber Error Continued www.syngress.com 379 219_sniffer_07.qxd 380 6/28/02 11:57 AM Page 380 Chapter • Analyzing Network Issues NOTE It’s a good idea to remember that there are no laws governing compliance with Ethernet standards The individual manufacturers comply with the standards to achieve compatibility of their products with competing products in the open marketplace However, they are free to interpret and implement the standards in full, in part, or in any manner they choose Using Sniffer Pro to Troubleshoot Small Packets (Runts) The Sniffer Pro trace in Figure 7.45 contains a small packet, often referred to as a runt In Packet 7, the Expert has detected a frame of size 30 bytes.The third line in the DLC header states FRAME ERROR = Short/Runt The packet contains a source and destination address and in all other respects is a valid packet, with the exception of its size Sniffer Pro Help for this error is displayed in Figure 7.46 Figure 7.45 Runt Error Figure 7.46 Runt Error Help Sniffer Pro’s definition of a runt error states that it is an undersized packet— less than 64 bytes—with a valid CRC If the sending station had simply stopped transmitting, the CRC would be invalid and the packet would be defined as a fragment error.What if the packet had no data field? Recall the previous discussion on standard Ethernet frames If the data field to be sent is less than 46 bytes, the protocol requires a special pattern called a pad be used to fill the frame to the www.syngress.com 219_sniffer_07.qxd 6/28/02 11:57 AM Page 381 Analyzing Network Issues • Chapter minimum value of 64 bytes It appears that this error condition cannot happen if the standards are followed The manufacturer’s compliance with the standards can vary A runt can be caused by inability of the sending station’s processor to fill the transmit buffer during a service cycle If the computer has many interface cards and a slow bus processor, a parallel operation on multiple interface cards can fail.The question is, how will the station handle the overloaded condition? The Ethernet standard simply requires the pad to be inserted during normal operation It does not define error-handling procedures.These error algorithms are designed at the manufacturer’s discretion Some manufacturers choose to discard the packet and let the upper-layer timers control retry Other manufacturers continue transmitting the packet with a bad CRC, alerting the receiving station to the error (a fragment error) A third method of error handling, employed by some manufacturers, is to complete the packet without the pad, requiring the receiving station to process the error.This method is, in effect, error handling by delegation Mainframes were notorious for this type of error handling in the early 1990s Whether or not the actual cause of the runt error can be determined, you now have the culprit’s address and know where it lives Using Sniffer Pro to Troubleshoot Browsing Battles The Computer Browser service is a Windows implementation to help users locate network resources It functions, basically, as a distributed series of lists.The lists are maintained by a group of computers performing various functions in support of browser clients In this sense, it is a client/server architecture The master browser (MB) maintains the master list (sometimes referred to as the browse list) of available servers.The list is collected from its domain or workgroup and can contain other domains and workgroups.The MB distributes the list to the backup browser (BB).The BB provides the browser clients with a list of requested resources.The domain master browser (DMBR), which is also the primary domain controller (PDC), is responsible for synchronizing the browser list from all BBs within the domain The MB is continually collecting server information for the browse list Periodically, a MB broadcasts an announcement indicating to the BB that the MB is still in service If the MB browser fails to make this announcement, the BB assumes it is offline and initiates an MB election.The BB periodically contacts www.syngress.com 381 219_sniffer_07.qxd 382 6/28/02 11:57 AM Page 382 Chapter • Analyzing Network Issues the MB and downloads the current browse list A potential browser (PB) does not currently maintain or distribute a browse list; however, it is capable of being elected and assuming that role We use the small network shown in Figure 7.47 in our explanation of browser traffic and troubleshooting Keep in mind that this network is on a single segment All browser functions except the DMBR can be duplicated on each and every segment in your network Every segment has an MB and can have many BBs Note that at this point browser traffic is broadcast based, utilizing NetBIOS datagrams on port 138; therefore, some mechanism for cross-segment traffic must be configured in a router An example of this type of configuration is the Cisco IP Helper-Address Figure 7.47 Browser Network Domain Master Browser WALLY Potential Browser Backup Browser Potential Browser IDSMGR TEST-SERVER BACKUPDNS PDC In Figure 7.47, we see the PDC in the role of DMBR In this case, the PDC is also the MB for the segment.The unit labeled IDSMGR is functioning as a PB The next computer, labeled TEST-SERVER, is the BB for this segment Lastly, the backup DNS server labeled BACKUPDNS is also a PB for this segment The process for servicing a client browsing request from the computer labeled IDSMGR is as follows: The client (IDSMGR) using Windows Explorer contacts the MB for its domain or workgroup—in this case, the PDC The MB responds with a list of BBs (IDSMGR retains this list.) IDSMGR requests the resource list from TEST-SERVER (the BB) TEST-SERVER sends IDSMGR a list of servers IDSMGR interrogates a server and receives a list of resources www.syngress.com 219_sniffer_07.qxd 6/28/02 11:57 AM Page 383 Analyzing Network Issues • Chapter Browser Elections Before we start the discussion on troubleshooting browser traffic, it seems appropriate to explain how an MB becomes an MB A browser election determines the computer that will function as the MB.The election is held in the event the PDC is booted, a BB is unable to obtain a browse list from the MB, or the client is unable to obtain a list of BBs from the MB.When a computer experiences one of these conditions, it broadcasts an election packet.Within the election packet is a list of criteria values such as operating system, version, and browser role (BB or MB) of the computer If you examine Figure 7.48, you’ll see a request from the computer TESTSERVER in Figure 7.47.The Browser Command equals Request Election.The Election Criteria = 10010F23 and decodes to a computer running the Windows NT Workstation operating system functioning currently as a BB and SB.These values are compared to those of the other computers on the segment, and a winner is declared For example, a Windows NT server is considered a higher value than a Windows workstation All computers on the segment receive the broadcasted election packet and compare the values to their own Unlike a real election, however, if the values in the packet are equal or lower, the computer removes itself from the process by not responding If, however, the receiving computer’s values are higher, it starts a campaign of its own by broadcasting another election packet.The process continues until no further election packets are broadcast, and the computer sending the last packet (with the highest values) declares itself the winner, or the MB Figure 7.48 Browser Election www.syngress.com 383 219_sniffer_07.qxd 384 6/28/02 11:57 AM Page 384 Chapter • Analyzing Network Issues NOTE Many times, a browser election results in a poor choice for MB The criteria values in the election packet favor servers and can promote your Oracle database server to the additional role of MB You should avoid the resulting additional processor and network utilization, if possible The registry value for Windows NT HKEY_LOCAL_MACHINE\SYSTEM\ CurrentControlSet\Services\Browser\Parameters\MaintainServerList can be configured to No to prevent a particular computer from becoming an MB Note that this exact configuration works with NT and 2000 but is slightly different in Windows 9x-based machines You can find the information you need for 9x-based machines online if necessary Troubleshoot Browsing Battles There are many Windows NT commands you can use to examine a network.We look at a few of the more useful ones here.The following examples were generated from the command-line prompt of the TEST-SERVER computer in Figure7.47 The net name command is used to set and display the names used by the Messenger service.This command offers you a quick method for determining a computer’s name (see Figure 7.49) Figure 7.49 The Net Name Command The net view command displays available network resources In Figure 7.50 we see a list of available servers.These computers are running the server service and are depicted in the network diagram of Figure 7.47.The command performs a function similar to double-clicking the Network Neighborhood icon on the desktop In addition, a file of the current server list can be created and printed using the following command: NET VIEW > C:\SERVERFILE www.syngress.com 219_sniffer_07.qxd 6/28/02 11:57 AM Page 385 Analyzing Network Issues • Chapter Figure 7.50 The Net View Command You can examine the file C:\SERVERFILE using Notepad or Word.You can search the list for a particular server In a large network, the list can be quite long The net use command administers local connections to resources on the network—resources such as directory shares and printers In Figure 7.51, Drive F: on TEST-SERVER is mapped to C-DRIVE, a shared resource on IDSMGR Figure 7.51 The Net Use Command You can customize the net view command to display all shared resources located on the computer IDSMGR this way: NET VIEW \\IDSMGR In Figure 7.52, four disk units are being shared as resources on the network Figure 7.52 Net View IDSMGR The Microsoft Windows NT Server Resource Kit 4.0, Supplement Two, includes two excellent utilities for examining and troubleshooting browser problems: Browmon.exe and Browstat.exe www.syngress.com 385 219_sniffer_07.qxd 386 6/28/02 11:57 AM Page 386 Chapter • Analyzing Network Issues Browmon.exe is a graphical utility that can be used to view master and backup browsers It lists the browser servers for each protocol in use by computers in the domain Browstat.exe is a command-line utility that performs the functions of Browmon.exe and more Browstat.exe can force an election and force a master browser to stop, therefore invoking an election Controlling the election process can be useful in troubleshooting a problem Here’s an example of a Browstat.exe command used to find the MB for a domain: BROWSTAT GETMASTER In the command, transport is the equivalent of the protocol, and domain_name is the Windows domain of interest Other useful commands are getblist (get backup list) and stats (statistics) These command-line entries can be redirected to files for creating a dynamic record of browser topology changes.You can use this information in conjunction with the registry settings to control the browser environment Browser Communication Now that we have examined the various roles browsers play in a networking environment, let’s focus on browser communication as it pertains to updates As you see in this section, browser traffic can become excessive if it’s not controlled properly The Sniffer Pro trace in Figure7.53 contains packets captured from our discussion network depicted in the diagram of Figure 7.47 Let’s examine these packets in turn as they apply to browser communication Figure 7.53 Browser Announcements In Packet 1, the computer WALLY is broadcasting a local master announcement.The announcement, in effect, declares this computer to be the MB for this www.syngress.com 219_sniffer_07.qxd 6/28/02 11:57 AM Page 387 Analyzing Network Issues • Chapter segment All BBs listen to the packet and know where the MB is located Packet is a host announcement from TEST-SERVER.You can see host announcements from computers BACKUPDNS and IDSMGR in Packets 19 and 20, respectively These computers can provide network resources, so they broadcast an announcement automatically every 12 minutes, regardless of whether or not they have resources to share.The MB adds these resources to the browse list In large networks and over slow or on-demand links, this traffic can become excessive Examining the contents of Packet 1, we see in Figure 7.54 that the browser command is a local master announcement confirming that this computer is the local master As we previously stated concerning host announcements, the announcement frequency field of this packet is set to 12 minutes Figure 7.54 Local Master The Server Type Flag high fields of interest are set to 1, for workstation, server, primary domain controller, and Windows NT Workstation Additionally, in Figure 7.55, Server Type Flag low field MB server is set.Taken together, these flag fields define this computer as the DMBR Figure 7.55 Local Master, Continued Continuing with our packet inspection, the contents of Packet are displayed in Figure 7.56.The browser command is a host announcement from www.syngress.com 387 219_sniffer_08.qxd 6/28/02 11:58 AM Page 431 Using Filters • Chapter Select IP in the Address Type drop-down menu Type 192.168.2.2 in the first line of the Station column Drag Any from the Known Addresses window to the first line of the Station column 10 Because we want to capture only the traffic that is destined for the server, select an appropriate icon in the Dir column Figure 8.14 Capturing All the Traffic Destined for 192.168.2.2 To capture all the IP broadcast traffic on the segment, we need to add t wo more filtering rules: one for IP local broadcasts (destination IP address 192.168.2.255) and one for IP global broadcast (destination IP address 255.255.255.255).You so by entering appropriate IP addresses on the second and third lines of the Station and Station columns Compare your filtering rules to the rules shown in Figure 8.15 Figure 8.15 IP Filtering Rules Filtering Distributed IP Applications If your client has a network application that resides on two or more servers and employs IP as a transport protocol, you are dealing with a distributed IP www.syngress.com 431 219_sniffer_08.qxd 432 6/28/02 11:58 AM Page 432 Chapter • Using Filters application.The challenge of a distributed IP application in comparison to an application that resides on a single server is that you can observe a number of data flows between servers—not only between a workstation and a server that can be related to the same event, such as a customer’s data query Let’s say we have some sort of distributed application that resides on Server A and Server B (refer back to Figure 8.9) A user at Workstation A is experiencing network problems while working with this application As a network expert, you decide to capture all the traffic flowing among Workstation A, Server A, and Server B First you have to decide where your Sniffer Pro should be connected to.You have a choice of connecting it to the segment to which Workstation A and Server A are connected, or you can connect it to the segment where Server B and Server C reside In this particular case, the choice is clear:Your Sniffer Pro must be connected to the same Ethernet segment as Workstation A and Server A If you connect your Sniffer Pro to the Server B and Server C segment, you won’t be able to capture network traffic between Workstation A and Server A As you know, routers typically not propagate to different interfaces unicast traffic local to an interface The second step is to define a proper filter Because we want to capture IP traffic between three separate devices, we must define a filter that includes three pairs of capture rules: ■ Traffic between Workstation A and Server A ■ Traffic between Workstation A and Server B ■ Traffic between Server A and Server B Since you already know how to create filters based on addresses, create your own filter and compare it to the one shown in Figure 8.16 If you experience some difficulties, review the “Unidirectional IP Unicast and IP Broadcast Filtering” section of this chapter Figure 8.16 Filtering Rules Between Three Network Devices Therefore, the filter we’ve just created will permit all the IP traffic among Workstation A, Server A, and Server B and will deny all other traffic Note that www.syngress.com 219_sniffer_08.qxd 6/28/02 11:58 AM Page 433 Using Filters • Chapter we could not define this type of filter based on Layer (MAC) information only In that case, instead of using Server B’s MAC address, we would have to use the router’s MAC address (refer back to Table 8.1), and there would be no way for us to differentiate between traffic flowing toward Server B and all the other traffic going through the router (for example, traffic flowing toward Server C) IPX Address Filtering Before we start discussing filtering based on IPX addresses, we need to remind you about the IPX addressing scheme Like the majority of other network addresses, each IPX address associated with a network device must be unique.These unique addresses are represented in hexadecimal format and consist of two parts: ■ Network number (32 bits) ■ Node number (48 bits) The IPX network number is 32 bits long and is manually assigned by a network administrator.The node number, which is usually the MAC address of the system’s NIC, is 48 bits long While filtering based on IPX addresses, you will use the same techniques you learned when we discussed MAC and IP address filtering As usual, after you’ve defined a new profile, follow these steps: Switch to the Address tab in the Define Filter window Select IPX in the Address Type list Enter combinations of Station and Station IPX addresses In the Mode panel, select whether you want to capture or filter out traffic between two devices you have specified by selecting Exclude or Include mode For example, Figure 8.17 shows an IPX filter that excludes IPX traffic originated and destined for the device with an IPX address 00000070.0050ba25ccc0 It permits all other IPX traffic To be able to troubleshoot IPX-related issues in a timely manner, besides understanding basic IPX addressing you also need to know how the following core IPX protocols work: ■ NetWare Core Protocol (NCP) ■ Service Advertisement Protocol (SAP) ■ Routing Information Protocol (RIP) for IPX www.syngress.com 433 219_sniffer_08.qxd 434 6/28/02 11:58 AM Page 434 Chapter • Using Filters You can find a very good document, Troubleshooting Novell IPX, at the following site: www.cisco.com/univercd/cc/td/doc/cisintwk/itg_v1/tr1908.htm.The document discusses most of the issues that you can experience while resolving IPX problems Figure 8.17 Filtering Out Traffic Flowing to and from a Single IPX Host Troubleshooting with Filters We have already talked about a large number of network scenarios that can be much easier to troubleshoot if you develop a proper filter.You could have realized by yourself that the main step that will lead you to find the cause of a network issue is understanding the customer’s network and the network protocols your customer uses.This section discusses two problems that were easily resolved with the help of proper filters Cisco Discovery Protocol As a network analyst, imagine that you are called by a customer whose network has started to experience security issues associated with Cisco equipment the customer is using She suspects that an intruder is able to find out what particular versions of the Cisco IOS software are used on the network and explore security bugs associated with these versions of code via cdp neighbors A new company security policy was developed to eliminate all CDP traffic on the network.The client expects you to make an audit of her network to make sure that CDP is disabled on all the Cisco devices www.syngress.com 219_sniffer_08.qxd 6/28/02 11:58 AM Page 435 Using Filters • Chapter NOTE Cisco Discovery Protocol (CDP) is a Cisco proprietary protocol that allows users to discover other Cisco devices on a network It also provides additional information about neighboring devices, such as IOS version and IP address configured on the interface Each CDP-enabled Cisco device sends periodic messages to a special multicast address Neighboring devices discover each other by listening at this address You can disable CDP on Cisco devices On IOS-based routers and switches, type no cdp run to disable CDP globally on the device You can also disable CDP on a per-interface basis by typing no cdp enable in interface configuration mode To disable CDP on CatOS-based switches, enter set cdp disable[mod_num/port_num] As an experienced network analyst, you start your research of CDP traffic on the network by defining a new filter that permits CDP traffic only Sniffer Pro does not have a predefined filter that allows you to capture CDP traffic only, so you have to create your own protocol-based filter (In the Advanced tab of the Define Filter window, select Cisco CDP.) Once you have defined the filter, you can start capturing data by pressing F10.Your screen could look something like the one shown in Figure 8.18 Figure 8.18 Cisco CDP Neighbors In the figure, you can see four unique Cisco devices periodically sending multicast frames to the special multicast address (01000CCCCCCC) Let’s analyze one of the frames to find out what kind of information we can get from it A CDP packet contains more information than can fit on a single screen; Figure 8.19 shows only the information that is relevant to the customer’s security issue www.syngress.com 435 219_sniffer_08.qxd 436 6/28/02 11:58 AM Page 436 Chapter • Using Filters Figure 8.19 A Cisco CDP Packet Let’s highlight the main fields you should pay attention to: ■ Device ID = “R14” This is a host name the customer has assigned to the router by typing hostname R14 ■ IP Address = “140.10.156.14” This is the IP address of the customer’s router.With this information an intruder can originate an attack on the router ■ Port ID = “Ethernet 2/0” The interface that connects the router to the segment on which you put your Sniffer Pro ■ Capability flags = “0001” Each flag specifies the function this Cisco device can perform Some Cisco devices (for example, Layer switches) can have multiple bits set because they can perform multiple functions ■ Version This field provides you with very detailed information on the IOS software this Cisco device is running As you can see from Figure 8.19, we are dealing with a Cisco 3640 router running IOS Version 11.3(11b) By knowing security bugs associated with this version of the code, an intruder can modify configuration on the route, crash it, or get access to it www.syngress.com 219_sniffer_08.qxd 6/28/02 11:58 AM Page 437 Using Filters • Chapter ■ Platform = “cisco 3640” This one’s not shown in Figure 8.19.The Platform field gives you information on the Cisco hardware platform Routing Information Protocol Your customer has just installed two new routers with multiple interfaces He did not want to spend time on manual configuration of IP static routes and decided to implement a dynamic routing protocol Because he does not have much experience with dynamic routing protocols, he wants to use RIP version 1—the simplest of available protocols He used some examples from the documentation CDs he got with the routers, but he ran into problems: Routes are appearing and disappearing from the routing tables and his network is very unstable He has asked you to look into the issue and resolve its NOTE RIP is one of the most popular and definitely the simplest of the large variety of IP routing protocols RIP version is a classful routing protocol (refer to the “IP Address Filtering” section of this chapter for the definition of classful routing) that employs UDP packets to send broadcast periodic updates Hop count is used as a metric to choose the best path between destinations A network that is 16 hops away is considered unreachable, and that is a limiting factor of the diameter of a RIPenabled network RIP version is very similar to RIP version in the sense that it uses periodic updates and hop count as a metric, but it has a few major differences: ■ ■ RIP version messages carry network masks (therefore, RIP version is a classless protocol) RIP version uses multicast address 224.0.0.9 as a destination for routing updates For more information on RIP and RIP packet format, refer to www.cisco.com/univercd/cc/td/doc/cisintwk/ito_doc/rip.htm As a Sniffer Pro expert, you started your research by taking a snapshot of traffic on the customer’s network.You found nothing unusual; the network was not overutilized, you discovered no packet loss of loops.The next step is to define a filter that will capture only the traffic related to the problem you are investigating www.syngress.com 437 219_sniffer_08.qxd 438 6/28/02 11:58 AM Page 438 Chapter • Using Filters In other words, you need to define a filter that will permit RIP traffic only As usual, you define a new capture profile After you have created the profile, move to the Advanced tab in the Define Protocol window In the list of available protocols, select IP, UDP, RIP Start capturing traffic and wait for at least 10 minutes for enough RIP messages to arrive Figure 8.20 shows the capture that was made on the customers’ site Do you see something abnormal? Isn’t it strange that you see only one RIP update from the router with an IP address 102.168.2.9 for each 10 updates from the router with the IP 192.168.2.10? This is very strange, so you recommend that the customer check RIP timers on the router with the IP address 192.168.2.9 Bingo! The customer finds the configuration problem and gets it resolved Figure 8.20 Misconfigured RIP Timers NOTE RFC 1723 defines only 25 routing entries per RIP update Therefore, if your routing table contains more than 25 routes, RIP has to send more than one RIP packet to advertise all these routes For example, if you have 60 routes advertised by RIP on your network, you will see three packets to be generated every so often (every 30 seconds, by default) Two of them will contain 25 routing entries, and the third one will contain 10 routing entries www.syngress.com 219_sniffer_08.qxd 6/28/02 11:58 AM Page 439 Using Filters • Chapter Summary The principles of filtering were not invented for networks specifically, but they’ve been adapted for the purposed of working with digital data.When we talk about filtering as it relates to networks, we mean separating unnecessary data—in other words, data irrelevant to the problem we are investigating Sniffer Pro is designed to help you achieve that goal Sniffer Pro comes with a number of predefined filters that are very useful when you need to filtering based on a network protocol type (AppleTalk, IPX, NetBEUI) or a network application (IP/FTP + HTTP, IP/Telnet, IP/whois).To access and use the predefined filters, you need to copy a sample profile and save it as a new one Profiles are special units in which Sniffer Pro stores filters, and each filter has its own profile.You can create new profiles from the Monitor, Capture, and Display menus, depending on a type of filter you need Generally, you use capture filters when, at the moment you begin capturing data, you are absolutely sure of the specific data you need to analyze and save it into the capture buffer One of the advantages of this type of filtering is that you capture and save only specific information you are interested in and thus save space on your hard drive If you are not sure what particular information you want to save, you should capture all data Sniffer Pro can see and use a display filter afterward to select the data you need It is possible to apply a number of filters to the original capture buffer or apply a filter to already filtered information If the devices on your network are running multiple Layer protocols and you don’t know what particular protocol is causing a problem, it is a good idea to filtering based on source and/or destination MAC address to solve a problem If you are sure that a particular Layer protocol is involved in an issue, or if you are dealing with an application distributed among a number of servers separated by routers, you should use filtering based on Layer addresses (IP or IPX) Solutions Fast Track What Is Filtering, and Why Filter? ! Filtering is the process of removing impurities from a substance with the help of a filter www.syngress.com 439 219_sniffer_08.qxd 440 6/28/02 11:58 AM Page 440 Chapter • Using Filters ! In networks, filtering involves separating the irrelevant data from relevant data—the process of searching for specific information hidden in the midst of the data flow ! Sniffer Pro allows you to employ different types of traffic filtering: by MAC, by IP address, by data patterns, and by protocol types Using Predefined Filters ! Sniffer Pro comes with a number of predefined filters ! To access predefined filters copy a sample profile Creating Filters ! In Sniffer Pro, filters are stored in special units, called profiles Every type of filter is stored in a corresponding profile.You can create profiles from the Monitor, Capture, and Display menus ! We recommend that you not make any changes to default profiles Instead, create a new profile for every new filter you set up ! Keep your filters in order Create a naming convention for your filters based on each filter’s purpose Expert-Level Filtering ! Filtering from one node to another is an important method to master when it comes to solving user’s network problems ! Depending on the particular network protocol used by the application that is experiencing network-related problems, a corresponding filter should be used ! Filtering based on MAC address can be very helpful if the devices on your network are running multiple Layer protocols and it is hard to find out which of these protocols is causing a problem ! Filtering based on Layer protocol addresses (IP or IPX) should be used if you are troubleshooting a distributed application www.syngress.com 219_sniffer_08.qxd 6/28/02 11:58 AM Page 441 Using Filters • Chapter Troubleshooting with Filters ! Before going into troubleshooting with sophisticated filters, try the five easy general troubleshooting steps described in this chapter ! Familiarize yourself with the topology, data flow, and protocols used by your client ! Define an appropriate filter and start capturing data Frequently Asked Questions The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the concepts presented in this chapter and to assist you with real-life implementation of these concepts To have your questions about this chapter answered by the author, browse to www.syngress.com/solutions and click on the “Ask the Author” form Q: I defined a monitor filter that permits only IP broadcast packets to find out who are the top broadcast speakers on my network For some reason I see a lot of IP packets with IP source address 0.0.0.0.Who can probably originate these packets? A: Most likely the packets you see are DHCP requests DHCP clients that are broadcasting DHCP discovery packets are using a 0.0.0.0 source address.You can define a new filter that will capture only DHCP Discover, DHCP Offer, DHCP Request, and DHCP ACK packets to make sure the DHCP process is functioning correctly Q: My friend has mentioned some “backdoor” programs that allow hackers to take control of my servers How can I find out if my network is infected? A: Unfortunately, there is no simple way to make sure that you have a security breach in your network.You can develop a filter that will capture incoming connections from the Internet to the following TCP ports on your network: 31337, 31335, 27444, 27665, 20034, 9704, 5999, 6063, 5900–5910, 5432, 2049, 1433, 137–139 Many of the “backdoor” programs use these ports to listen to incoming connections www.syngress.com 441 219_sniffer_08.qxd 442 6/28/02 11:58 AM Page 442 Chapter • Using Filters Q: I see some abnormally high traffic entering my network from the Internet, and I suspect that this is some sort of attack How can I find out what is going on? A: First, it is always a good idea to start any troubleshooting action by capturing all traffic on your network without any filters applied.This practice will give you an overall picture of the traffic flow If an attack is originated from a single IP address, you can then block it on your router or firewall.Your next step will be to set up a filter that will separate the data based on SYN bit in the TCP header set to 1.This process will allow you to capture all TCP connection attempts to your network Q: The security policy of the company I work for does not allow FTP servers on employee desktops.We’ve implemented a firewall rule that does not permit outside connections to port 21, but it seems that some of the employees manage to connect to their desktops through FTP from the Internet How can this happen? A: Most FTP servers nowadays allow changing the default FTP port (21) they should be listening on to some other port number In this case, your firewall rules won’t help much.What you can is to create a data pattern filter that will capture different FTP-specific commands, such as PASS, RETR, and NLST Q: My client is experiencing some problems with the IP OSPF routing protocol on his network He is complaining that some of the routes are not getting installed into the IP routing table on his Cisco routers, although they can be seen in the OSPF database I’ve defined an OSPF filter and captured all OSPF packets that traversed the network in a one-hour period I see a lot of OSPF hello packets, but I cannot find any routing entries in these packets When another client was experiencing a similar issue with RIP, I captured RIP traffic and could see routing entries in the RIP packets.What is different about OSPF? How can I help my client resolve the issue? A: RIP and OSPF are very different protocols RIP belongs to a group of distance-vector protocols and sends periodic updates that contain information about all routes RIP is aware of OSPF is a link-state protocol, which means that OSPF routers build adjacencies with directly connected OSPF-enabled neighbors.These neighbors synchronize link-state databases that contain www.syngress.com 219_sniffer_08.qxd 6/28/02 11:58 AM Page 443 Using Filters • Chapter information about all routes on the network at the time the adjacencies are built After routers have exchanged information about all the routes, they start to exchange hello packets only.These hello packets serve as keepalives but not contain information about the actual routes on the network.Therefore, although Sniffer Pro can be a very useful tool for troubleshooting adjacencyrelated problems, it is not very useful in troubleshooting the problem your customer is experiencing.You can refer your client to the following link, which explains reasons that some of the routes can be visible in the OSPF database but not be installed in the routing table: www.cisco.com/warp/ public/104/26.html Q: I’ve got a request from my customer to capture all Bridge Protocol Data Unit (BPDU) packets on a specific Ethernet segment Of course, my first step was to define a new filter that will permit BPDUs only In the Define Filter window, I switched to the Advanced tab, but could not find BPDU in the list of available protocols How I define the filter? A BPDU packets are sent to the specific multicast address 01:80:C2:00:00:00, therefore you can define a BPDU filter using this address as the destination hardware address In the Define Filter window, switch to Advanced In the Known Addresses list, open Broadcast/Multicast Address, choose Bridge Group (0180C2000000), and drop it into the Station column Put Any in the Station column www.syngress.com 443 219_sniffer_08.qxd 6/28/02 11:58 AM Page 444 219_sniffer_09.qxd 6/28/02 12:00 PM Page 445 Chapter Understanding and Using Triggers and Alarms Solutions in this chapter: ■ Introducing Triggers ■ Configuring and Using Triggers ■ Configuring and Using Alarms ■ Configuring Alarm Notifications ■ Modifying Alarm Threshold Levels ■ Application Response Time ! Summary ! Solutions Fast Track ! Frequently Asked Questions 445 ...219 _sniffer_ 07. qxd 6/28/02 11: 57 AM Page 379 Analyzing Network Issues • Chapter Figure 7. 43 Jabber Error Help Sniffer Pro defines a jabber error as a frame containing... process to retrieve the server list www .syngress. com 219 _sniffer_ 07. qxd 6/28/02 11: 57 AM Page 389 Analyzing Network Issues • Chapter Figure 7. 59 WINS Answer Section Referring back to Figure 7. 53,... TRAFFIC in the New Pro? ??le Name field Select OK | Done (see Figure 7. 61) Select the Advanced tab (see Figure 7. 62) www .syngress. com 219 _sniffer_ 07. qxd 6/28/02 11: 57 AM Page 391 Analyzing Network Issues