
PRACTICAL EXERCISE ON TRAFFIC CAPTURE AND ANALYSIS WITH ETHEREAL

Prof. Vincenzo Mendillo, June 2006


Objective
Become familiar with the use of sniffers and traffic analyzers such as Ethereal to capture and study the data that travels over networks, in order to detect problems caused by faults or congestion, and also to understand better how communication protocols work. Note: it is recommended that you also read the appendix "Description of the TCP/IP protocols" at the end of this guide in order to carry out this exercise properly.

In essence, protocol analyzers capture and store the data travelling over the network. They give the technicians and administrators responsible for a network a window onto what is happening on it, allowing them to troubleshoot faults and congestion, or to study and model the behaviour of the network by looking at the traffic that flows through it. Although hardware network analyzers exist (such as Agilent Advisor) with the appropriate interfaces for different technologies (ATM, SDH, Frame Relay, etc.), most network analyzers are software products that use the network interface card (NIC) to capture indiscriminately all the Ethernet traffic passing through the hub, rather than only the traffic sent specifically to that machine. Keep in mind that a hub acts as a repeater: traffic arriving on one port is retransmitted to all the other ports. If a laptop is used, it can easily be connected to the network segment to be analyzed.

Section A: Introduction
There is a wide variety of tools that capture the data travelling over communication networks so that it can be analyzed afterwards. They are known as protocol analyzers, network analyzers, traffic analyzers or sniffers. They are very useful to network engineers, technicians and administrators, since through monitoring they allow varied and complex problems to be found and solved. They are also an excellent teaching aid for understanding how the protocols of modern networks work. But they are a dangerous weapon in the hands of ill-intentioned people, because they can capture confidential data (e.g. passwords) that is not encrypted. Some of the best-known commercial products are Agilent Advisor (www.agilent.com), Sniffer Pro (www.nai.com) and Iris (www.eeye.com). Ethereal (www.ethereal.com) is a fast, simple and free tool, unlike the previous ones, which are commercial. It requires a special driver called WinPcap to capture packets. Tcpdump is a very versatile tool for the Linux environment, used especially in computer-security tasks (for example, when assessing the security of a network) as well as in analyzing how networks operate. Its Windows version is known as WinDump. Libpcap is a library of functions for applications that need packet capture; it can place the network card in promiscuous mode. It is used by a large number of products: Tcpdump, Ethereal, Snort (an intrusion detection system) and many other programs. Several of the tools mentioned above are in the Captura folder of the CD-ROM.

Normally an Ethernet card discards any traffic that is not addressed to it or to the network's broadcast address, so the analyzer must put the card into a special state called promiscuous mode. Once the card is in that mode, the analyzer can capture and analyze any traffic passing over the local Ethernet segment. This somewhat limits the reach of an analyzer, since it cannot capture traffic outside the local domain of the network (that is, beyond routers, switches or other segmenting devices). Obviously, an analyzer skilfully placed on the network backbone, on an inter-network link or at some other aggregation point will capture a larger volume of traffic than one placed on an isolated Ethernet segment. For example, many networks have a router at the edge, connected on one side to the Internet and on the other to a switch that interconnects the PCs. In that case a good spot is to place the analyzer between the router and the switch.

Keep in mind that a switch acts as a bridge: traffic arriving on one port is forwarded only to the port where the destination machine is. Switches often allow a port to be configured as a mirror port (port mirroring, called SPAN on Cisco switches), to which the traffic of any other port can be copied. Another option is to use a small 3-port hub, connecting the switch, the router and the analyzer to it (note that a hub forces the link to half duplex, so this is only practical on a lightly loaded link).

There are various techniques for detecting the presence of sniffers on a network. For example, if an SNMP agent installed on a suspect PC is queried for its IP packet statistics and they look abnormal, one may suspect that a sniffer is active on that PC. Specialized tools are also available, such as PromiScan, AntiSniff and Neped, which are in the Captura folder of the CD-ROM.

Section B: Ethereal
Ethereal (www.ethereal.com) is a fast, simple and free protocol analyzer, unlike Iris, Agilent Advisor or Sniffer Pro, which are commercial products. Tethereal, its console (TTY) version, is covered in Section C.

1. Install Ethereal by running Setup from the Captura | Ethereal folder of the CD-ROM. The installation of Ethereal also installs WinPcap, the driver that allows live traffic to be captured under Windows.
2. Copy the Captura | Muestras folder of the CD-ROM to the hard-disk folder where the program was installed. Also copy the file User-guide.pdf there.
3. Run Ethereal via Start | Programs | Ethereal. Then select File | Open from the menu bar to open a sample capture file located in the Muestras folder. You can start with Mail.cap, which contains the start of a POP3 e-mail session.

As with most resources available to network administrators, their use has been subverted to serve intruders and the curious. Imagine the enormous amount of important data that passes through a network: user names and passwords, confidential e-mail messages, file transfers containing financial data, and so on. At one moment or another, if this information is sent over a network, it becomes bits and bytes that are visible to anyone using an analyzer somewhere along the path of the data. A shared Ethernet network built around a hub is therefore extremely vulnerable to an analyzer, since in this kind of network all traffic is transmitted to every machine connected to the hub. A switched Ethernet network (using a LAN switch) essentially places each machine in its own collision domain, so that only broadcast traffic and traffic addressed to that specific machine reach its NIC. An additional advantage of moving to a switched network is better performance, since congestion is reduced. The cost of a LAN switch is now comparable to that of a traditional hub, so there is no longer any excuse for continuing to buy shared Ethernet technology. In any case, switches do not completely eliminate the risk of eavesdropping. Newer analyzers such as Ettercap (http://ettercap.sourceforge.net) use the technique of ARP poisoning: they send forged ARP replies so that the victim hosts (for example a PC and its default gateway) associate each other's IP address with the Ethernet address of the spying machine. The switch then delivers the frames to the spy, which forwards them on to the legitimate destination so that the victims notice nothing. So, for maximum security, the use of switches should be complemented with encryption. Clandestine sniffers are a serious danger, and there are two basic techniques for detecting them: one host-based and the other network-based.

The most direct host-based technique consists of determining whether that machine's network card is operating in promiscuous mode. On Unix, sniffers appear in the process list and tend, over time, to create large log files, so simple scripts using the ps, lsof and grep commands can bring suspicious sniffer-like activity to light. Smarter intruders almost always disguise their sniffer process and try to hide the log files they create in a hidden directory, so these techniques are not always effective.
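The host-based check described above, written out for a Linux host, as an added example that is not part of the original guide. It parses the output of `ip -d link show` and kernel log lines; both samples embedded in the block are constructed for this example, not captured from a real machine. The check looks at two signals because they are set by different paths: the PROMISC flag appears only when user space changed the interface flags (ifconfig or ip link), while a packet socket opened by libpcap raises the kernel's per-interface promiscuity counter, which ifconfig and /sys/class/net/*/flags do not show but `ip -d link` and the kernel log ("entered promiscuous mode") do.

```python
"""Host-based sniffer check on Linux: is any NIC in promiscuous mode?

Added example (not part of the original guide).  Two sources are inspected:
the output of `ip -d link show` and kernel log lines (dmesg / journalctl -k).
The samples below are constructed for this example.
"""
import re
import subprocess

# Constructed sample of `ip -d link show`: eth0 shows promiscuity 1 without the
# PROMISC flag (how a libpcap-based sniffer looks on current kernels), while
# wlan0 has the PROMISC flag that `ifconfig wlan0 promisc` sets.
SAMPLE_IP_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 promiscuity 0 minmtu 0 maxmtu 0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 08:00:27:12:34:56 brd ff:ff:ff:ff:ff:ff promiscuity 1 minmtu 68 maxmtu 65535
3: wlan0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DORMANT group default qlen 1000
    link/ether 00:1c:bf:aa:bb:cc brd ff:ff:ff:ff:ff:ff promiscuity 0 minmtu 256 maxmtu 2304
"""

# Constructed kernel log lines, in the two wordings used by different kernels.
SAMPLE_KLOG = """\
[  120.331] device eth0 entered promiscuous mode
[  300.117] device eth0 left promiscuous mode
[  400.500] eth1: entered promiscuous mode
"""

IFACE_RE = re.compile(r"^\d+: ([^:@\s]+)\S*: <([^>]*)>")      # "2: eth0: <FLAGS>"
PROMISCUITY_RE = re.compile(r"\bpromiscuity (\d+)\b")
KLOG_RE = re.compile(r"(?:device (\S+)|(\S+):) (entered|left) promiscuous mode")


def promiscuous_interfaces(ip_link_output):
    """Map interface name -> reason for every interface found sniffing."""
    found, current = {}, None
    for line in ip_link_output.splitlines():
        m = IFACE_RE.match(line)
        if m:                                   # header line of an interface
            current = m.group(1)
            if "PROMISC" in m.group(2).split(","):
                found[current] = "PROMISC flag set"
            continue
        m = PROMISCUITY_RE.search(line)         # detail line with the counter
        if m and current and int(m.group(1)) > 0:
            found.setdefault(current, "promiscuity counter = " + m.group(1))
    return found


def promiscuous_from_klog(klog_text):
    """Replay the kernel's enter/leave messages; return interfaces still in."""
    active = set()
    for line in klog_text.splitlines():
        m = KLOG_RE.search(line)
        if not m:
            continue
        iface = m.group(1) or m.group(2)
        (active.add if m.group(3) == "entered" else active.discard)(iface)
    return active


def check_live_host():
    """Run the real command on this (Linux) host and parse its output."""
    out = subprocess.run(["ip", "-d", "link", "show"], capture_output=True,
                         text=True, check=True).stdout
    return promiscuous_interfaces(out)


if __name__ == "__main__":
    print("ip -d link :", promiscuous_interfaces(SAMPLE_IP_LINK))
    print("kernel log :", promiscuous_from_klog(SAMPLE_KLOG))
```

On the constructed samples, eth0 is reported through the promiscuity counter and wlan0 through the PROMISC flag; the log replay reports only eth1, because eth0 left promiscuous mode later. As the guide warns, an intruder with root access can hide from all of these views, so the result is evidence, not proof.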

4. The Ethereal screen shows three panes. The top pane lists the captured frames, one per row, with a summary of their characteristics (source and destination address, size, time, etc.). Clicking on a frame shows its details in the other two panes. Select frame 7 and note how the password (abc123) used to start the POP session is clearly revealed. The middle pane shows more details of the selected frame, broken down by protocol layer (Frame, Ethernet, IP, TCP, POP). Note that the layers are listed in the order in which they appear in the frame, that is, Frame first, then Ethernet, IP, TCP and finally POP. It is recommended that you consult the document "Description of the TCP/IP protocols" at the end of this guide to understand this information better. The bottom pane shows the content of the protocol fields in hexadecimal and ASCII.
5. Consult the online help (Help) to understand the following steps better. For more information consult User-guide.pdf (in the installation folder or on the CD-ROM) and Ethereal Manual under Start | Programs | Ethereal.
6. In the menu select View | Expand All to expand the protocol structure and observe all the details better.
7. In the menu select Analyze | Follow TCP Stream to reconstruct the complete TCP session.
8. Under the Statistics menu an impressive amount of information about the captured traffic can be obtained. Start by selecting Flow Graph.
9. Then select General flow and analyze the information displayed.
10. Repeat the experiment selecting TCP flow instead of General flow.
11. In the menu select View | Time Display Format and choose the option Time of Day (or Date and Time of Day) to view the absolute time of the capture instead of the relative time (Seconds Since Beginning of Capture).
12. Via File | Open, open another sample capture file from the Muestras folder. For example, Telnet.cap contains the start of a Telnet session. Note that with the Telnet protocol it is not easy to find the password, since each key pressed is sent as an individual packet. However, by selecting frame 3 and using Analyze | Follow TCP Stream you can reconstruct the complete TCP session and see the password (cisco) and other data.
13. Under Statistics | Flow Graph, analyze the information displayed with General flow and with TCP flow.
14. As another example of password capture, load the file FTP.cap, which contains the data of the start of an FTP session. Here the password is shown clearly in frame 9, since it is sent complete in a single packet when Enter is pressed (unlike Telnet).


15. In the menu select Analyze | Follow TCP Stream to reconstruct the complete TCP session.
16. Under Statistics | Flow Graph, analyze the information displayed with General flow and with TCP flow.
17. Try applying a filter to the captured data. The filter expression is typed in the Filter box at the top of the screen; protocol and field names must be in lowercase (filters are case-sensitive). As an example, enter ftp contains PASS and press Apply. You will see only the FTP packets containing the characters PASS. Clear the filter and try tcp contains PASS.
18. Enter the filter ftp and press Apply. You will see only the FTP packets. If instead you enter the filter ip.src==207.46.133.140, you will see only the packets coming from that IP address. Other examples of filters:
tcp.port==21
ip.addr==207.46.133.140
ip.addr!=207.46.133.140
ip.addr==207.46.133.140 or ip.addr==192.1.1.1
ip.addr==207.46.133.140 and tcp.flags.syn==1
ip.addr==207.46.133.140 and not tcp.port==80
frame.pkt_len<128
ip.len le 1500
eth.src==08:00:09:15:ca:fe
Note that a bare field name such as tcp.flags.syn only tests that the field is present, which is true of every TCP segment; the comparison tcp.flags.syn==1 is needed to select the segments with the SYN flag set.

Note: If nothing appears, use Clear to remove any filter.

Note: If you want to try one of these examples, instead of typing the line you can, for convenience, copy the text from the file Practicas\Captura on the CD-ROM. If it does not work properly, change the font format, since blank spaces are sometimes copied badly. The exclamation mark ! means negation (not). Instead of != the abbreviation ne (not equal) can be used. The list of operators is:
eq, ==  equal
ne, !=  not equal
gt, >   greater than
lt, <   less than
ge, >=  greater than or equal to
le, <=  less than or equal to
Note that the following two filters do not give the same result on the file FTP.cap:
ip.addr ne 207.46.133.140 (has no effect: every frame is still shown)
not ip.addr eq 207.46.133.140 (removes every frame)
The first filter says: show the frames that have an IP address not equal to 207.46.133.140. It is enough that one of the frame's IP addresses (source or destination) differs from 207.46.133.140 for the frame to pass the filter, and in this capture every frame has the client's address at the other end. The second filter says: do not show the frames that have any IP address equal to 207.46.133.140. It is enough that one of the IP addresses (source or destination) equals 207.46.133.140 for the frame to be rejected. To learn more about the use of filters, consult Display Filter Manual under Start | Programs | Ethereal.
19. Open other capture files to observe different communication protocols. For example, the file Download.cap contains samples of a download from the Internet and helps in understanding how the sequence number and ACK work in TCP. The file Samples.txt contains the index of a list of samples of several interesting protocols.
20. Analyze carefully the meaning of the different protocol fields in order to understand better how communication networks operate, and also to learn how to diagnose and solve problems caused by faults or congestion. The Statistics option in the Ethereal menu provides valuable information for this purpose.
21. To capture live traffic, the WinPcap driver must be installed. To check whether it is installed, from Windows go to Start | Settings | Control Panel | Add or Remove Programs and see whether WinPcap appears in the list.
22. If it does not, run WinPCap.exe from the Captura \ WinPcap folder of the CD-ROM. Then close Ethereal and start it again.
23. Remove any filter and select Capture | Interfaces. Here select the interface to use (e.g. Ethernet) by pressing Prepare. Note: If the Ethernet interface cannot be selected, the WinPcap driver is probably not installed correctly and you have to reinstall it.
24. A window then opens that allows the capture options to be defined. Enable the option Update list of packets in real time, since otherwise the data is sent to a buffer and is only seen when the capture is stopped (this would be advisable if there is a lot of traffic, since the PC could become overloaded).
25. Also enable Automatic scrolling in live capture and Hide capture info dialog.
26. If you disable the option Capture packets in promiscuous mode, only the Ethernet frames leaving or entering your machine will be captured. Note: If you are using a wireless (WLAN) card that does not support promiscuous mode, you may have to disable this option in order to capture traffic.
27. If you enable Limit each packet to 68 bytes, only the start of the frames, i.e. the headers, will be captured, since user data is often not relevant for diagnosing problems. This also reduces the load on Ethereal.
28. If you disable the Name Resolution options, numeric addresses (MAC, IP, ports) are not translated into names (for example by querying DNS). The display on screen is then much faster and there is less chance of some frames being lost.
29. Finally press Start and, if there is traffic, the screen should start filling with captured data in real time. If there is no traffic, connect to a Web site or refresh a Web page. The capture can be stopped with Capture | Stop.
30. Use the Statistics option in the Ethereal menu to obtain valuable information for this purpose.
31. Analyze the captured data and determine whether your PC is connected to a switch or to a hub. Also make use of Statistics in the Ethereal menu. Justify your conclusion. (Hint: on a hub you will see unicast traffic exchanged between other machines; behind a switch you will see only your own traffic plus broadcasts and multicasts.)
32. As an example of filter use, connect to http://www.cantv.net, start the capture and, in the box for checking your mail, enter a name (e.g. vmendillo) and any password. Then apply the filter tcp contains vmendillo and press Apply. You will see only the TCP packets containing that word, and next to it you will also see the password. This works because the form is submitted over plain HTTP; over HTTPS the filter would match nothing readable.
33. A pre-capture filter is often more convenient than a post-capture filter, since it prevents irrelevant data from accumulating on the screen and, above all, in the buffer. For that purpose select Capture | Interfaces from the Ethereal menu. Here choose the interface to use (e.g. Ethernet) by pressing Prepare.
34. Press the Capture Filter button to select or create a new filter.
35. In the window that opens, a list of predefined filters appears. If you press New you can create your own filter, but for now select the filter named IP address 192.168.0.1, as shown in the figure. This is a filter that captures only the IP packets of a given machine, for example your PC.
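The difference between `ip.addr ne X` and `not ip.addr eq X` explained in the notes to step 18 above comes from a rule that is easy to state but easy to forget: a field such as ip.addr or tcp.port occurs twice in a packet, and a comparison is true if any occurrence satisfies it. The following added example (not code from the guide or from Ethereal) implements that rule over three constructed packets modelled on FTP.cap and evaluates the two filters side by side, together with the analogous pair for tcp.port.

```python
"""Display-filter semantics on fields that occur twice per packet.

Added example (not from the guide).  In Ethereal/Wireshark, ip.addr and
tcp.port stand for BOTH the source and the destination value, and a
comparison is true if ANY occurrence satisfies it.  This is why
`ip.addr ne X` and `not ip.addr eq X` behave differently on FTP.cap.
The three packets below are constructed, modelled on that capture.
"""

SERVER = "207.46.133.140"

# Constructed frames: (ip.src, ip.dst, protocol, source port, destination port)
PACKETS = [
    ("192.168.4.1", SERVER, "tcp", 1045, 21),           # frame 1: client -> FTP server
    (SERVER, "192.168.4.1", "tcp", 21, 1045),           # frame 2: FTP server -> client
    ("192.168.4.1", "192.168.4.254", "udp", 1046, 53),  # frame 3: DNS query, unrelated
]

OPERATORS = {
    "eq": lambda a, b: a == b, "==": lambda a, b: a == b,
    "ne": lambda a, b: a != b, "!=": lambda a, b: a != b,
    "gt": lambda a, b: a > b,  ">":  lambda a, b: a > b,
    "lt": lambda a, b: a < b,  "<":  lambda a, b: a < b,
    "ge": lambda a, b: a >= b, ">=": lambda a, b: a >= b,
    "le": lambda a, b: a <= b, "<=": lambda a, b: a <= b,
}


def field_values(pkt, field):
    """All occurrences of a field in the packet (empty if the field is absent)."""
    src, dst, proto, sport, dport = pkt
    values = {"ip.src": [src], "ip.dst": [dst], "ip.addr": [src, dst]}
    if proto == "tcp":
        values.update({"tcp.srcport": [sport], "tcp.dstport": [dport],
                       "tcp.port": [sport, dport]})
    return values.get(field, [])


def matches(pkt, field, op, value):
    """`field op value` with Ethereal's any-occurrence semantics."""
    return any(OPERATORS[op](v, value) for v in field_values(pkt, field))


def apply_filter(packets, predicate):
    """Frame numbers (1-based, as in the packet list pane) that pass the filter."""
    return [n for n, pkt in enumerate(packets, start=1) if predicate(pkt)]


def compare_filters(packets, server=SERVER):
    """The two filters from the guide, plus the same pair for tcp.port."""
    return {
        "ip.addr ne SERVER":     apply_filter(packets, lambda p: matches(p, "ip.addr", "ne", server)),
        "not ip.addr eq SERVER": apply_filter(packets, lambda p: not matches(p, "ip.addr", "eq", server)),
        "tcp.port != 21":        apply_filter(packets, lambda p: matches(p, "tcp.port", "!=", 21)),
        "not tcp.port == 21":    apply_filter(packets, lambda p: not matches(p, "tcp.port", "==", 21)),
    }


if __name__ == "__main__":
    for expr, frames in compare_filters(PACKETS).items():
        print(f"{expr:24s} -> frames {frames}")
```

`ip.addr ne SERVER` passes all three frames (each FTP frame has the client's address at the other end), while `not ip.addr eq SERVER` keeps only the DNS frame. The same trap applies to ports: `tcp.port != 21` still shows the FTP control connection, because the client's port 1045 satisfies the comparison.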

36. Press OK and note that the rule for that filter, i.e. host 192.168.0.1, now appears next to the Capture Filter button.
37. Edit the IP address, replacing it with the IP address of your own machine (e.g. 200.109.164.23), which you can find out, for example, by running ipconfig.
38. Experiment with this filter and with other pre-capture filters. Keep in mind that their form differs from that of post-capture (display) filters and is based on the syntax of the well-known Unix program tcpdump, whose Windows version is called WinDump and is found in the folder of the same name on the CD-ROM (including its documentation). A capture filter takes the form of a series of primitive expressions joined by the conjunctions and/or and optionally preceded by not:
[not] primitive [and|or [not] primitive ...]

A primitive is an expression such as the following, which filters the traffic of a host by IP address or by name:
[src|dst] host <host>

The optional words src|dst specify that we are interested only in traffic from the source or to the destination. For example, the following filter lets us see only the replies to a ping to www.cantv.net (the name is resolved to an address when the filter is compiled):
src host www.cantv.net

The following expression filters packets going to or coming from the network 10.20.30 (i.e. 10.20.30.0/24):
net 10.20.30

The following expression filters by TCP or UDP port:
[tcp|udp] [src|dst] port <port>

For example, to capture all HTTP traffic except that of the host 10.0.0.5:
tcp port 80 and not host 10.0.0.5

The following expression filters by packet size:
less|greater <length>

The following expression filters by Ethernet address:
ether [src|dst] host <ehost>

The following expression filters by the type of protocol encapsulated in Ethernet or in IP:
ip|ether proto <protocol>

The following expression filters broadcast or multicast packets:
ether|ip broadcast|multicast

The following expression filters the start and the end of a TCP session (SYN or FIN flag set):
tcp[13] & 3 != 0

Note that tcp[13] refers to byte 13 (counting from 0) of the TCP header, which is the flags byte; ANDing it with 3 isolates its two lowest-order bits, which correspond to the FIN (bit 0) and SYN (bit 1) flags. The filter engine locates the TCP header from the IHL field of the IP header, so IP options are taken into account, and it only matches the first fragment of a datagram, since only that one carries the TCP header.

The following expression filters ICMP packets that are not ping (ICMP type 8 for request and ICMP type 0 for reply):
icmp[0] != 8 and icmp[0] != 0

A message with type = 8 is an Echo Request and a message with type = 0 is an Echo Reply.
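The byte-offset filters `tcp[13] & 3 != 0` and `icmp[0] != 8 and icmp[0] != 0` above are worth seeing from the engine's side. The following added example (not code from the guide, tcpdump or WinPcap) re-implements in Python what the filter engine does for them on raw Ethernet frames: check the EtherType and IP protocol, refuse non-first fragments, locate the transport header through the IHL field and test the single byte. All frames are constructed inside the block; the IP checksum is left at zero because the filter engine never verifies it.

```python
"""Byte-offset capture filters evaluated on raw Ethernet frames.

Added example (not part of the guide): a Python re-implementation of what
the tcpdump/WinPcap filter engine does for `tcp[13] & 3 != 0` (SYN or FIN
set) and `icmp[0] != 8 and icmp[0] != 0` (ICMP other than echo).  The
transport header is located from the IPv4 IHL field, so IP options are
handled, and, like BPF, non-first fragments never match because their
transport header is not present.  All frames are constructed here.
"""
import struct

ETH_HDR = 14
ETHERTYPE_IPV4 = 0x0800
IPPROTO_ICMP, IPPROTO_TCP = 1, 6
MAC_DST, MAC_SRC = bytes.fromhex("08000915cafe"), bytes.fromhex("001122334455")


def build_frame(proto, l4, ip_options=b"", frag_word=0):
    """Ethernet II + IPv4 header (checksum left 0: BPF never checks it) + L4."""
    assert len(ip_options) % 4 == 0, "options must pad to 32-bit words"
    ihl = 5 + len(ip_options) // 4
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(l4),
                     0x1234, frag_word, 64, proto, 0,
                     bytes([192, 168, 4, 1]), bytes([207, 46, 133, 140]))
    return MAC_DST + MAC_SRC + struct.pack("!H", ETHERTYPE_IPV4) + ip + ip_options + l4


def tcp_header(flags):
    """20-byte TCP header; byte 13 is the flags byte (FIN=0x01, SYN=0x02, ACK=0x10)."""
    return struct.pack("!HHIIBBHHH", 1045, 21, 1, 0, 5 << 4, flags, 8192, 0, 0)


def icmp_header(icmp_type, code=0):
    """8-byte ICMP header: type, code, checksum, identifier, sequence."""
    return struct.pack("!BBHHH", icmp_type, code, 0, 1, 1)


def l4_byte(frame, proto, offset):
    """Value of tcp[offset] / icmp[offset] as BPF would load it, or None when
    the filter cannot apply (not IPv4, other protocol, non-first fragment or
    truncated frame)."""
    if len(frame) < ETH_HDR + 20:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[ETH_HDR:]
    if ip[0] >> 4 != 4 or ip[9] != proto:
        return None
    if struct.unpack("!H", ip[6:8])[0] & 0x1FFF:      # fragment offset != 0
        return None
    index = ETH_HDR + (ip[0] & 0x0F) * 4 + offset     # IHL gives the IP header size
    return frame[index] if index < len(frame) else None


def tcp_syn_or_fin(frame):
    """tcp[13] & 3 != 0"""
    b = l4_byte(frame, IPPROTO_TCP, 13)
    return b is not None and (b & 3) != 0


def icmp_not_echo(frame):
    """icmp[0] != 8 and icmp[0] != 0"""
    b = l4_byte(frame, IPPROTO_ICMP, 0)
    return b is not None and b != 8 and b != 0


if __name__ == "__main__":
    for name, frame in [("SYN", build_frame(IPPROTO_TCP, tcp_header(0x02))),
                        ("ACK", build_frame(IPPROTO_TCP, tcp_header(0x10))),
                        ("FIN+ACK", build_frame(IPPROTO_TCP, tcp_header(0x11)))]:
        print(f"{name:8s} tcp[13] & 3 != 0 -> {tcp_syn_or_fin(frame)}")
    print("unreachable  icmp[0] != 8 and icmp[0] != 0 ->",
          icmp_not_echo(build_frame(IPPROTO_ICMP, icmp_header(3, 1))))
```

Current tcpdump versions also accept the symbolic form `tcp[tcpflags] & (tcp-syn|tcp-fin) != 0`, which compiles to the same test.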

39. In this last experiment with Ethereal you will observe the fragmentation of IP datagrams. For this, the ping command is used to generate ICMP echo request messages of a sufficiently large size, and Ethereal to capture and analyze the traffic generated. Send a single ICMP message of 10000 bytes to an external address (e.g. 200.44.32.12); on Windows this is ping -n 1 -l 10000 200.44.32.12. Certain denial-of-service (DoS) attacks are carried out with large ICMP messages. Analyze the captured traffic and determine how many Ethernet frames were sent to complete the transmission of a single ICMP message and how many bytes of data travel in each frame (the 10000 bytes of data are preceded by the 8-byte ICMP header, so the data carried by the fragments must add up to 10008 bytes of IP payload). Find out the MTU (Maximum Transmission Unit) of the network interface over which the ICMP messages were sent. In Ethernet the MTU is 1500 bytes. Is there any relation between the MTU and the fragmentation observed in the previous point?
40. When this part of the exercise is finished, Ethereal can be uninstalled if desired via Start | Programs | Ethereal | Uninstall.
41. WinPcap is uninstalled via Start | Settings | Control Panel | Add or Remove Programs.
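The arithmetic behind the questions in step 39, as an added example (not code from the guide): given the size of the ping data and the MTU of the link, it computes the fragments exactly as Ethereal will show them in the IP header of each captured frame, namely the fragment offset field (stored in units of 8 bytes), the More Fragments flag and the number of payload bytes, plus the size of each Ethernet frame. Nothing is sent on the wire; the constants assume IPv4 without options and an 8-byte ICMP header.

```python
"""How a large ICMP echo request is fragmented over Ethernet.

Added example (not part of the guide): computes what Ethereal shows in the
IP header of each frame after `ping -n 1 -l 10000 <host>` on a link with a
1500-byte MTU: fragment offset (units of 8 bytes), the More Fragments flag,
the IP payload bytes of each fragment and the size of each Ethernet frame.
Nothing is sent; this is the arithmetic a host or router performs.
"""
from dataclasses import dataclass

ETH_HDR, IP_HDR, ICMP_HDR = 14, 20, 8     # sizes in bytes, IPv4 without options
FLAG_DF, FLAG_MF = 0x4000, 0x2000         # bits of the 16-bit flags/offset word


@dataclass
class Fragment:
    offset_units: int      # "Fragment offset" field, in units of 8 bytes
    payload_bytes: int     # IP payload carried by this fragment
    more_fragments: bool   # MF flag; clear only on the last fragment

    @property
    def flags_and_offset(self):
        """The 16-bit flags/offset word as Ethereal shows it in hex."""
        return (FLAG_MF if self.more_fragments else 0) | self.offset_units

    @property
    def frame_bytes(self):
        """Ethernet frame size (headers + payload, without the 4-byte FCS)."""
        return ETH_HDR + IP_HDR + self.payload_bytes


def fragment_icmp_echo(data_bytes, mtu=1500):
    """Fragments produced for an echo request carrying `data_bytes` of data.

    The ICMP header is part of the IP payload, so it travels only in the
    first fragment; every fragment but the last carries a multiple of 8
    bytes so that offsets can be expressed in 8-byte units.
    """
    if mtu < IP_HDR + 8:
        raise ValueError("MTU too small to carry IPv4 fragments")
    ip_payload = ICMP_HDR + data_bytes
    max_payload = mtu - IP_HDR
    if ip_payload <= max_payload:                 # fits in one frame: no fragmentation
        return [Fragment(0, ip_payload, False)]
    per_fragment = max_payload - max_payload % 8  # 1480 for a 1500-byte MTU
    fragments, sent = [], 0
    while sent < ip_payload:
        size = min(per_fragment, ip_payload - sent)
        fragments.append(Fragment(sent // 8, size, sent + size < ip_payload))
        sent += size
    return fragments


def reassembled_payload(fragments):
    """Length the receiver reconstructs: end of the fragment with MF clear."""
    last = next(f for f in fragments if not f.more_fragments)
    return last.offset_units * 8 + last.payload_bytes


if __name__ == "__main__":
    frags = fragment_icmp_echo(10000)
    print(f"{len(frags)} Ethernet frames for a 10000-byte ping:")
    for n, f in enumerate(frags, 1):
        print(f"  frame {n}: offset={f.offset_units:4d} (x8 = {f.offset_units * 8:5d})"
              f" MF={int(f.more_fragments)} payload={f.payload_bytes:4d}"
              f" frame={f.frame_bytes} flags/offset=0x{f.flags_and_offset:04x}")
    print("reassembled IP payload:", reassembled_payload(frags),
          "bytes (8-byte ICMP header + 10000 bytes of data)")
```

For 10000 bytes of ping data the result is 7 frames: six of 1514 bytes carrying 1480 bytes of payload each with MF set, and a last one of 1162 bytes carrying the remaining 1128 bytes with MF clear and offset 1110 (x8 = 8880). The payloads add up to 10008 bytes, i.e. the ICMP header plus the data, which is what the capture should show.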

Section C: Tethereal (Optional)

Tethereal is the TTY (console) version of Ethereal, i.e. it has no graphical interface, which makes it much more efficient and less of a load on the PC. It can display the captured data on screen or dump it to a file for later analysis with Ethereal or another traffic analyzer.

1. To try Tethereal, close Ethereal, open a command window, change (with cd or DOShere) to the folder where Ethereal was installed and run tethereal -D to list the available interfaces. The file Tethereal.html explains the use of this program.
2. If your PC has several interfaces (for example PPPMAC and SISNIC), run tethereal -V -i followed by the name (or number) of the interface on which you want to capture.
3. Generate traffic and check that the captured data appears on the screen. To stop the capture, press Ctrl+C.
4. To send the data to a file instead of the screen, add the option -w followed by the file name to the previous command (e.g. tethereal -i <interface> -w Captura1.cap). Note that now only a number is displayed, which is the count of frames captured so far.
5. Stop the capture with Ctrl+C and view the data stored in that file with Ethereal.

Section D: Ethereal under Linux (Optional)

For this part you need a reasonably powerful PC running Knoppix as a real machine or as a virtual machine. In the latter case make sure that at least 160 MB are assigned to the virtual machine, since otherwise Knoppix will not run in graphical mode.

1. Run Ethereal from K menu | Internet | Ethereal. You will be asked for the root password, so from a console run sudo passwd root to create that password (e.g. abc123). Note that this runs the whole analyzer, including its protocol dissectors, as root while it reads hostile traffic; on a machine you care about it is safer to capture with tcpdump -w as root and open the resulting file with Ethereal as an unprivileged user.
2. Select Capture | Interfaces and choose the interface to use. For this exercise, choose the Ethernet interface eth0 by pressing Prepare.
3. Repeat some of the experiments starting from step 16 of Section B above.

Section E: Other tools

1. If you have the time and interest, try other tools found in the Captura folder of the CD-ROM, for example WinDump. Read the corresponding documentation first.
2. The Captura folder contains several tools (PromiScan, AntiSniff and Neped) that serve to detect active sniffers on the network and the presence of possible eavesdroppers. Try them after reading the article in the appendices of this guide.

Section F: Report
Prepare a report of no fewer than 8 pages that describes the most relevant experiments and analyzes the results obtained, ending with conclusions and any recommendations. The report must be written in your own words; do not repeat the text of the material in this guide, on the CD-ROM or in other sources. You may capture the most important or interesting screens and paste them into a Word file to include them in the report as evidence of the work done. To capture the active window, simply press Alt+PrintScreen and then paste it into Word with Ctrl+V. It is preferable, however, to use the MWSnap program found in the Varios folder of the CD-ROM. So that the Word file is not too large (< 1 MB), save each image first in GIF or JPEG format and then import it into Word. The report must carry the date it was prepared and must be handed in no later than two weeks after the exercise.


Descripcin de los protocolos TCP/IP


en Redes de Computadoras por Andrew S. Tanenbaum Prentice-Hall, 1996
Varios protocolos de la familia TCP/IP suministran los servicios de bajo nivel, correspondientes a las tres capas inferiores del stack; estos incluyen TCP, UDP, ICMP e IP. Otros protocolos de la familia TCP/IP estn orientados a las capas superiores, de aplicacin y presentacin, y estn dirigidos a tareas o servicios especficos como correo electrnico (SMTP, POP3), transferencia de archivos (FTP), acceso remoto (Telnet) y acceso al Web (HTTP). A continuacin se hace una breve descripcin de las protocolos ms importantes de las capas inferiores, de acuerdo al esquema de la figura 1, que ilustra el stack de protocolos de un host conectado a una red Ethernet por medio de una tarjeta de interfaz (NIC). Una trama contiene dos direcciones, una de ellas es para el destinatario y la otra para la fuente. Se utilizan direcciones de 6 bytes, es decir 48 bits. El bit de mayor orden en la direccin del destinatario, corresponde a un 0, en las direcciones ordinarias, y un 1 para las direcciones de grupo. Las direcciones de grupo autorizan a mltiples estaciones para escuchar en una sola direccin. Cuando se enva una trama a una direccin grupal, todas las estaciones del grupo la reciben. La transmisin a un grupo de estaciones se denomina difusin restringida (multicast). Las direcciones que tienen todos los bits a 1 estn reservadas para difusin general (broadcast). Una trama que tiene nicamente valores de 1 en su campo destinatario, se enva a todas las estaciones de la red.

Figura 2. Estructura de las tramas Ethernet y 802.3 El campo de longitud (length) indica cuntos bytes presentes en el campo de datos, desde un mnimo de 0 hasta un mximo de 1500. Aunque un campo de datos de 0 bytes es legal, origina un problema. Por ejemplo, cuando un transmisor-receptor detecta una colisin, trunca la trama que se est transmitiendo, por lo cual quiere decir que, en el cable aparecern pedazos de tramas y bits parsitos. Para simplificar la distincin entre las tramas que son vlidas debern tener por lo menos una longitud de 64 bytes, desde la direccin destinataria hasta el cdigo de redundancia. Si la parte de datos correspondiente a una trama es menor de 46 bytes, el campo de relleno se utilizar para llenar la trama al tamao mnimo requerido. Otra de las razones para atener una trama de longitud mnima es con objeto de evitar que una estacin complete la transmisin de una trama corta, antes de que el primer bit haya alcanzado el extremo final del cable, donde podra sufrir una colisin con alguna otra trama. Las tramas que contienen menos de 64 bytes se consideran fragmentos resultante de alguna colisin y deben ser descartadas (se les llama runts, mientras que a las tramas ms largas del lmite legal se le llama jabbers). Es oportuno hacer notar que usualmente las tramas que se utilizan con TCP/IP son Ethernet y no 802.3. La diferencia principal es que en Ethernet el campo de longitud no se usa para

Figura 1. Encapsulamiento de protocolos en TCP/IP Capa de enlace: Ethernet Para redes locales (LAN) actualmente la tecnologa ms popular a nivel de la capa de enlace es Ethernet. El estndar 802.3 difiere de Ethernet en el sentido de que describe una familia completa de sistemas, operando a velocidades que van desde 1 a 10000 Mbit/s sobre varios medios fsicos (cobre, fbra, inalmbrico). La estructura bsica de las tramas utilizadas en Ethernet y en 802.3 se muestra en la figura 2. Cada trama comienza un prembulo de 7 bytes cada uno con el patrn de bits 10101010 a fin de permitir que el reloj del receptor se sincronice con el del transmisor. Despus, viene el delimitador que contiene el patrn 10101011 y que denota el inicio efectivo de la trama.

that purpose, but rather to identify the type of upper-layer protocol by means of a number (type). For example, if the frame carries IP, the number is 0800 in hexadecimal. The final field (FCS, frame check sequence) is the cyclic redundancy code (CRC). It is a special 32-bit code that makes it possible to detect errors in the data, for example due to noise on the cable.

Link layer: PPP

The Point-to-Point Protocol (PPP) is a very popular solution for transporting traffic (including Ethernet) between two sites, for example between a home and the Internet service provider (ISP) over a modem. The structure of the PPP frame is very similar to the HDLC frame and is shown in figure 3.

Figure 4. Structure of the PPP frame

The Flag field marks the beginning and the end of the frame. The Address and Control fields are normally not used. The Protocol field carries the code of the encapsulated protocol, according to RFC 1700. The Payload field carries the data of the encapsulated protocol, and its maximum length is 1500 bytes. The Checksum field carries the error-detection code (CRC).

Network layer: IP

Moving now to the layer above the link layer, we find IP datagrams, which carry a header with the following fields: version, IHL, type of service, total length, identification, flags, fragment offset, time to live, protocol, header checksum, source address, destination address, options and padding.

Figure 5. IP header

Version: This field gives the version of IP that was used to build the packet. The current standard is IP version 4, and in the future we will have IP version 6.

IHL: This number is the total length of the header, in units of 4 bytes. The minimum length of an IP header is 5, that is, a total of 20 bytes.

Type of service: This field allows a certain quality of transmission to be requested. Depending on the type of network the data is travelling through, this field may be used or ignored. For example, by setting this field appropriately, a route with low delay, high throughput or high reliability can be requested.

Total length: The total length of the packet being sent.

Identification: Used to reassemble fragmented packets.

Flags: These flags are used to determine whether a packet is a fragment of a larger packet, or whether it may be fragmented.

Fragment offset: Indicates the position of the fragment relative to the original, unfragmented packet.

Time to live: This byte represents the lifetime of a packet. It consists of a single byte that holds a given number of seconds. At each device the packet passes through, for example a router or a gateway, this value must be decremented by at least one unit.

Protocol: This field indicates the protocol carried in the data portion of the packet, for example TCP or UDP.

Header checksum: This number is a check that ensures the information contained in the header remains unaltered.

Source/destination address: These digits make up the 32-byte IP addresses that identify the machines across the different segments of a network.

Options: The options may carry various data, among them routing information. By setting an option in this field, it is possible to keep a record of the route a packet takes as it travels through the network.

Padding: The IP header must be divisible into units of 4 bytes (32 bits). To ensure that the header meets this condition, zeros are appended at its end.

Network layer: ICMP

Besides IP, which is used for data transfer, TCP/IP has several control protocols used at the network layer, including ICMP, ARP and RARP. The operation of the Internet is closely supervised by the routers. When something unexpected happens, ICMP (Internet Control Message Protocol) reports the event. A large number of ICMP message types have been defined, for example ECHO (known as ping), which is also used to test connectivity. Each type of ICMP message is encapsulated in an IP packet. The most important ones are listed below.

0: Echo reply
3: Destination unreachable
4: Source quench
5: Redirect
8: Echo
9: Router advertisement
10: Router solicitation

11: Time exceeded
12: Parameter problem
13: Timestamp request
14: Timestamp reply
15: Information request (obsolete)
16: Information reply (obsolete)
17: Address mask request
18: Address mask reply
30: Traceroute
31: Datagram conversion error
32: Mobile host redirect
33: IPv6 WhereAreYou
34: IPv6 IAmHere

Type 8 Echo request and type 0 Echo reply messages are used to check whether a given destination is reachable and alive (ping). If the Code field is 0, there is no problem. Identifier is an unchanging number that identifies the originating machine. Sequence number is a variable number generated by the originating machine to distinguish its messages.

Figure 6. ICMP header, ECHO type

The Destination unreachable message is used when the subnet or a router cannot locate the destination. For type 3 messages (destination unreachable), the Code field holds one of the following values:

0: Network unreachable
1: Host unreachable
2: Protocol unreachable
3: Port unreachable
4: Fragmentation needed but the Do Not Fragment bit was set
5: Source route failed
6: Destination network unknown
7: Destination host unknown
8: Source host isolated (obsolete)
9: Destination network administratively prohibited
10: Destination host administratively prohibited
11: Network unreachable for this type of service
12: Host unreachable for this type of service
13: Communication administratively prohibited by filtering
14: Host precedence violation
15: Precedence cutoff in effect

The Time exceeded message is sent when a packet is discarded because its counter reaches zero. This event is a symptom that packets are looping, that there is severe congestion, or that the timer values are set too low.

The Parameter problem message indicates that an illegal value was detected in a header field. This problem points to a flaw in the host's IP software, or possibly in the software of a router along the path.

The Source quench message was formerly used to throttle hosts that were sending too many packets. On receiving this message, a host was expected to slow down. This message is seldom used nowadays because, when congestion occurs, these packets tend to add fuel to the fire. Congestion control on the Internet is now done largely at the transport layer.

The Redirect message is used when a router notices that a packet appears to be misrouted; the router uses it to tell the sending host about the probable error.

The Timestamp request and Timestamp reply messages are similar, except that the arrival time of the request and the departure time of the reply are recorded in the reply. This facility is used to measure network performance.

Transport layer: TCP and UDP

At this layer we have TCP (Transmission Control Protocol) or UDP (User Datagram Protocol) segments. UDP is very important today, since it is widely used in voice over IP (VoIP) and in other applications. The fundamental difference between UDP and TCP is that UDP does not necessarily provide reliable data transmission. In fact, the protocol does not guarantee that the data reaches its destination. Although this may seem an odd requirement for a protocol, it is actually very useful. UDP is used when the purpose of a program is to transmit the maximum amount of information in the shortest possible time and each data element is relatively unimportant. For example, applications that transmit video are interested in getting the video stream to its destination as fast as they can. It does not matter much if one or two pixels are lost; what matters is that the video plays back as smoothly and fluidly as possible. This kind of communication is also used in many Internet games. When we play with other people over the Internet, it is unlikely that every piece of position information is essential for the game to work properly, so the data is sent as fast as possible and whatever does not arrive in its original form is discarded. Many programs use separate TCP and UDP connections: important state information is sent over a reliable TCP connection, while the main data stream is sent over UDP.

The purpose of TCP is to provide data transmission that can be regarded as reliable and to maintain a virtual connection between the devices or services that are talking to each other. TCP is responsible for recovering data when segments are received out of order, or when some kind of corruption occurs during delivery. It performs this recovery by providing a sequence number with every segment it sends. Recall that the network layer below treats each packet as a separate unit, so it is possible for segments to be sent over different routes even though they all belong to the same message. This routing is very similar to the way the network layer handles fragmentation and reassembly of packets, only at a higher level.

To ensure that the data has been received correctly, TCP requires that an acknowledgement, called ACK, be received from the destination machine once it has successfully received the data. If the proper ACK is not received within a certain period of time, the segment is retransmitted. If the network is congested, this retransmission will give rise to duplicates of the segments sent. However, the receiving machine uses the sequence number to determine whether they are duplicates, in which case it discards them. TCP also allows the receiver to specify the amount of data it wants to be sent. By specifying the acceptable sequence numbers following the last sequence received, the sender is informed that the receiver can only accept a very specific set of data, and it will not keep sending data blindly while waiting for its acknowledgement.

A TCP segment contains the following information: source port, destination port, sequence number, acknowledgement number, header length, URG/ACK/PSH/RST/SYN/FIN flags, window, checksum, urgent pointer, options and padding.

Figure 7. TCP header

Source port: A 16-bit number that specifies the source port of the data. When the receiving machine replies, it uses this number as the destination port for the reply.

Destination port: The port number on the receiving device to which the data is addressed.

Sequence number: Indicates the order of a given packet. It is used to reorder sequences of segments and to eliminate duplicates.

Acknowledgement number: Identifies the next sequence number expected. In other words, it confirms that up to N-1 bytes of data have been received correctly.

Header length: Indicates the size of the header in units of 4 bytes. The minimum length of a TCP header is 5, that is, a total of 20 bytes.

Reserved: Currently unused.

URG/ACK/PSH/RST/SYN/FIN: One-bit flags used to signal particular conditions present on the connection. URG: the data marked as urgent is important and must not be ignored. ACK: the contents of the acknowledgement field must not be ignored. PSH: force transmission (push). RST: reset the connection. SYN: synchronize sequence numbers. FIN: no more data from the sender.

Window: Determines the amount of data that the sender can receive.

Checksum: Yet another check on the accuracy of the data. Note that each level has its own independent error checking.

Urgent pointer: Identifies the data that should be treated as urgent.

Options: The options can be used to specify additional information about the TCP connection (for example MSS, maximum segment size).

Padding: Works the same way as in the IP header. It is used to pad the TCP header so that it is a multiple of 4 bytes.

TCP is a transport-layer protocol for communicating data reliably between two machines over a virtual circuit. TCP segments that cross the network may arrive out of order or damaged. For that reason the sequence number is used to reorder them and the acknowledgement number is used to confirm their correct reception. Figure 8 shows how, in an FTP session captured with a protocol analyzer, the sequence number increases by 1322 bytes, which is the actual amount of data sent in each segment. The size (Size) of 1376 bytes shown in the last column is the total size of the Ethernet frame and includes 20 bytes of TCP header, plus 20 bytes of IP header, plus 14 bytes of Ethernet header, that is, 1322+54. The 14 bytes of the Ethernet header correspond to the MAC addresses (6+6 bytes) and the protocol type (2 bytes), but do not include the 2 bytes of the FCS (error check), which are processed by the LLC sublayer and are invisible to the protocol analyzer.

Figure 8. Example of sequence-number increase in a file transfer (FTP)
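As an added example (not part of the original guide), the following Python script decodes a constructed Ethernet/IP/TCP frame field by field, as the header descriptions above lay them out, checks the IHL, total length, data offset and IP header checksum for consistency, and reproduces the byte accounting of figure 8 (1322 bytes of data plus 14+20+20 bytes of headers, with no FCS in the capture). The MAC and IP addresses, ports and payload are constructed sample values.

```python
import struct

ETH_HDR_LEN = 14            # dst MAC (6) + src MAC (6) + type (2); the FCS is not in the capture
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
TCP_FLAGS = ((0x20, "URG"), (0x10, "ACK"), (0x08, "PSH"), (0x04, "RST"), (0x02, "SYN"), (0x01, "FIN"))


def ip_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words (RFC 1071); it is zero over a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_mss_option(options: bytes):
    """Walk the TCP option list; return the MSS value if present (kind 2, length 4)."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                    # end of option list
            break
        if kind == 1:                    # NOP, used as padding
            i += 1
            continue
        if i + 1 >= len(options) or options[i + 1] < 2 or i + options[i + 1] > len(options):
            raise ValueError("malformed TCP option")
        if kind == 2 and options[i + 1] == 4:
            return struct.unpack("!H", options[i + 2:i + 4])[0]
        i += options[i + 1]
    return None


def parse_frame(frame: bytes) -> dict:
    """Walk Ethernet II -> IPv4 -> TCP, checking every length the headers claim."""
    if len(frame) < ETH_HDR_LEN + 20:
        raise ValueError("truncated frame")
    dst_mac, src_mac, eth_type = struct.unpack("!6s6sH", frame[:ETH_HDR_LEN])
    if eth_type != ETHERTYPE_IPV4:
        raise ValueError("not IPv4: type 0x%04x" % eth_type)
    ip = frame[ETH_HDR_LEN:]
    (ver_ihl, tos, total_len, ident, flags_frag, ttl, proto, _csum,
     src_ip, dst_ip) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4        # IHL counts 4-byte words
    if version != 4 or ihl < 20 or total_len < ihl or len(ip) < total_len:
        raise ValueError("inconsistent IP header lengths")
    if ip_checksum(ip[:ihl]) != 0:
        raise ValueError("IP header checksum mismatch")
    if proto != IPPROTO_TCP:
        raise ValueError("not TCP: protocol %d" % proto)
    tcp = ip[ihl:total_len]                                  # drops Ethernet padding, if any
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    (sport, dport, seq, ack, off_res, flags, window, _tcp_csum,
     urg_ptr) = struct.unpack("!HHIIBBHHH", tcp[:20])
    data_off = (off_res >> 4) * 4                            # also in 4-byte words
    if data_off < 20 or len(tcp) < data_off:
        raise ValueError("inconsistent TCP data offset")
    return {
        "src_mac": src_mac.hex(":"), "dst_mac": dst_mac.hex(":"),
        "src_ip": ".".join(map(str, src_ip)), "dst_ip": ".".join(map(str, dst_ip)),
        "ident": ident, "ttl": ttl, "tos": tos,
        "dont_fragment": bool(flags_frag & 0x4000), "more_fragments": bool(flags_frag & 0x2000),
        "fragment_offset": (flags_frag & 0x1FFF) * 8,        # offset field is in 8-byte units
        "sport": sport, "dport": dport, "seq": seq, "ack": ack, "window": window,
        "flags": [name for bit, name in TCP_FLAGS if flags & bit],
        "urgent_pointer": urg_ptr, "mss": tcp_mss_option(tcp[20:data_off]),
        "payload_len": len(tcp) - data_off,
        "header_bytes": ETH_HDR_LEN + ihl + data_off,          # 54 when neither header has options
        "frame_len": len(frame),                               # what the analyzer's Size column shows
    }


def build_frame(payload: bytes, flags: int, seq: int = 0, ack: int = 0, options: bytes = b"") -> bytes:
    """Constructed sample frame 10.0.0.1:49152 -> 10.0.0.2:21 (FTP control port), as a
    capture would show it (no FCS). The TCP checksum is left at 0; only the IP one is filled in."""
    if len(options) % 4:
        raise ValueError("TCP options must be padded to a multiple of 4 bytes")
    tcp_hdr_len = 20 + len(options)
    tcp = struct.pack("!HHIIBBHHH", 49152, 21, seq, ack, (tcp_hdr_len // 4) << 4,
                      flags, 65535, 0, 0) + options + payload
    total_len = 20 + len(tcp)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64,
                     IPPROTO_TCP, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]     # insert the header checksum
    eth = bytes.fromhex("00155d000002") + bytes.fromhex("00155d000001") + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + tcp


if __name__ == "__main__":
    # A full-size data segment like those in figure 8: 1322 bytes of data + 54 bytes of headers.
    info = parse_frame(build_frame(b"x" * 1322, 0x18, seq=1, ack=1))   # PSH+ACK
    print(info["frame_len"], info["payload_len"], info["header_bytes"], info["flags"])
```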

But before data can actually be transferred using TCP, a connection must be established between the two machines using the procedure called 3-way handshaking, by means of the SYN and ACK flags and the initial sequence number (ISN), as illustrated in figure 11. Host 1, which wants to establish the connection, sends a segment with the SYN (synchronize) flag. This segment contains the destination port number and a random initial sequence number x. Host 2 replies with a segment carrying the SYN flag and its own random initial sequence number y; it also carries the acknowledgement number x+1 and the ACK flag. Host 1 sends another segment with the SYN flag and sequence number x+1; it also acknowledges reception by means of y+1. At this point a full-duplex connection has been established and data transfer can begin.

Figure 9. The 3-way handshaking

Figure 10 illustrates a simple example of connection establishment. The lines are numbered for ease of reference; arrows pointing to the right indicate the departure of a TCP segment from TCP A to TCP B, or the arrival at B of a segment coming from A. Arrows pointing to the left indicate the opposite. The TCP states represent the state after the departure or arrival of the packet (whose contents are shown in the middle of each line). The contents are shown in abbreviated form, with sequence number, ACK field and control flags (CTL). For clarity, the other fields concerning window, addresses, lengths and text have been left out.

Figure 10. Example of 3-way handshaking

In line 2 of the table, TCP A begins by sending a SYN segment indicating that it will use sequence numbers starting at 100. In line 3, TCP B sends a SYN and acknowledges the SYN it received from TCP A. Note that the acknowledgement field indicates that TCP B now expects to receive sequence number 101, thereby acknowledging the SYN that occupied sequence number 100. In line 4, TCP A replies with an empty segment containing the ACK acknowledgement for TCP B's SYN segment, and in line 5 TCP A sends some data. Note that the sequence number of the segment in line 5 is the same as in line 4, because ACK messages do not occupy sequence-number space (if they did, we would end up having to acknowledge the acknowledgements).
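To make the sequence-number arithmetic of figure 10 concrete, here is an added Python model of the exchange; it is not part of the original guide. TCP A's initial sequence number of 100 is the one used in the text; TCP B's ISN of 300 and the 5-byte payload are assumptions, and each side also rejects an ACK that does not match what it has sent so far, the check a real stack relies on to drop stale or forged segments.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Segment:
    seq: int
    ack: Optional[int]
    ctl: frozenset
    data: bytes = b""

    def seq_space(self) -> int:
        """Sequence numbers consumed: one per data byte, one each for SYN and FIN.
        A bare ACK consumes none, which is why lines 4 and 5 both carry SEQ=101."""
        return len(self.data) + ("SYN" in self.ctl) + ("FIN" in self.ctl)

    def __str__(self) -> str:
        ack = "" if self.ack is None else f"<ACK={self.ack}>"
        return f"<SEQ={self.seq}>{ack}<CTL={','.join(sorted(self.ctl))}>{'<DATA>' if self.data else ''}"


class Endpoint:
    def __init__(self, name: str, isn: int):
        self.name = name
        self.state = "CLOSED"
        self.snd_nxt = isn                    # next sequence number we will send
        self.snd_una = isn                    # oldest sequence number not yet acknowledged
        self.rcv_nxt: Optional[int] = None    # next sequence number expected from the peer

    def _emit(self, ctl, data: bytes = b"") -> Segment:
        seg = Segment(self.snd_nxt, self.rcv_nxt if "ACK" in ctl else None, frozenset(ctl), data)
        self.snd_nxt += seg.seq_space()
        return seg

    def listen(self) -> None:                 # passive open (line 1, TCP B)
        self.state = "LISTEN"

    def connect(self) -> Segment:             # active open (line 2, TCP A)
        self.state = "SYN-SENT"
        return self._emit({"SYN"})

    def send_data(self, data: bytes) -> Segment:   # line 5
        if self.state != "ESTABLISHED":
            raise RuntimeError(f"{self.name}: no connection established")
        return self._emit({"ACK"}, data)

    def receive(self, seg: Segment) -> Optional[Segment]:
        """Process one incoming segment and return the reply, if any."""
        if self.state == "LISTEN" and "SYN" in seg.ctl:
            self.rcv_nxt = seg.seq + 1        # the SYN itself occupies one sequence number
            self.state = "SYN-RECEIVED"
            return self._emit({"SYN", "ACK"}) # line 3
        if "ACK" in seg.ctl and seg.ack != self.snd_nxt:
            # The ACK must cover exactly what we have sent; anything else is stale,
            # belongs to another connection, or is forged, and a real stack drops it.
            raise ValueError(f"{self.name}: unacceptable ACK {seg.ack}, expected {self.snd_nxt}")
        if self.state == "SYN-SENT" and seg.ctl == {"SYN", "ACK"}:
            self.snd_una, self.rcv_nxt = seg.ack, seg.seq + 1
            self.state = "ESTABLISHED"
            return self._emit({"ACK"})        # line 4: empty segment, no sequence space used
        if self.state == "SYN-RECEIVED" and "ACK" in seg.ctl:
            self.snd_una, self.state = seg.ack, "ESTABLISHED"   # fall through: it may carry data
        if self.state == "ESTABLISHED":
            if seg.seq != self.rcv_nxt:
                raise ValueError(f"{self.name}: out-of-order SEQ {seg.seq}, expected {self.rcv_nxt}")
            self.rcv_nxt += seg.seq_space()
            if "ACK" in seg.ctl:
                self.snd_una = seg.ack
            return self._emit({"ACK"}) if seg.data else None
        raise ValueError(f"{self.name}: segment {seg} not valid in state {self.state}")


def run_handshake(isn_a: int = 100, isn_b: int = 300, data: bytes = b"hello") -> Dict[str, object]:
    """Replay lines 2-5 of figure 10 (plus B's ACK of the data) and return a transcript."""
    a, b = Endpoint("TCP A", isn_a), Endpoint("TCP B", isn_b)
    b.listen()
    log: List[str] = []

    def deliver(dst: Endpoint, seg: Segment, arrow: str) -> Optional[Segment]:
        log.append(f"A {arrow} {seg} {arrow} B")
        return dst.receive(seg)

    syn_ack = deliver(b, a.connect(), "-->")
    ack = deliver(a, syn_ack, "<--")
    if deliver(b, ack, "-->") is not None:
        raise AssertionError("a bare ACK must not itself be acknowledged")
    reply = deliver(b, a.send_data(data), "-->")
    if deliver(a, reply, "<--") is not None:
        raise AssertionError("a bare ACK must not itself be acknowledged")
    return {"transcript": log, "a_state": a.state, "b_state": b.state,
            "a_snd_nxt": a.snd_nxt, "a_snd_una": a.snd_una, "b_rcv_nxt": b.rcv_nxt}


if __name__ == "__main__":
    for line in run_handshake()["transcript"]:
        print(line)
```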


Introduction to NetBIOS
By Tony Northrup
IDG Books, July 1998

Network Basic Input/Output System was designed for IBM by an organization named Sytek, Inc. It was created to provide an easy-to-use programming interface for connections between computers over a network. Microsoft began developing products for the MS-Net and LAN Manager (the predecessor to Windows NT) using the NetBIOS interface, anticipating the popularity of the standard. Ironically, the standard is only popular today because of Microsoft's implementation of it.

NetBIOS is an application programming interface, providing a set of functions that applications use to communicate across networks. It is similar in function to named pipes and sockets; it allows application programmers to add network capabilities to applications while minimizing the amount of code that must be dedicated to actually transporting the data.

NetBEUI, the NetBIOS Enhanced User Interface, was created as a data-link-layer frame structure for NetBIOS. A simple mechanism to carry NetBIOS traffic, NetBEUI has been the protocol of choice for small MS-DOS- and Windows-based workgroups. NetBIOS no longer lives strictly inside of the NetBEUI protocol, however. Microsoft worked to create the international standards described in RFC 1001 and RFC 1002, NetBIOS over TCP/IP (NBT).

Understanding the advantages of NBT

One of the greatest advantages of Microsoft's implementation of NetBIOS is that it provides a consistent programming interface regardless of the network protocol used. For those familiar with the OSI model, NetBIOS exists at the Session level. Because it is completely independent of the protocol, applications such as Server Manager and User Manager work on systems that are running IPX/SPX, TCP/IP, or NetBEUI. This is in contrast to most network applications that are developed specifically for use with a single network protocol, such as the entire Internet suite of applications (Telnet, FTP, and so on). Sound amazing? The drawbacks are equally astounding.
Internetworking with TCP/IP is the fastest growing area of modern computing. This is a good thing; soon, we will be able to forget about other network protocols. NetBIOS's advantages no longer outweigh its disadvantages, but we are still required to use it or find other ways to administer our Windows machines. Microsoft has promised to phase it out of their operating systems, but only time will tell. I hope to build your understanding of the protocol so that you may better work with it or work around it, whichever you decide.

Now that you have an understanding of what NetBIOS is, where it came from, and why we are still burdened with it, we will begin to explore its most visible aspect. NetBIOS naming causes the majority of problems on networks for a variety of reasons.

Breaking down NBT by service

The services that NetBIOS over TCP/IP provide fall into three categories: the NetBIOS Name service, the NetBIOS Datagram service, and the NetBIOS Session service. Each service provides a distinct set of functions to applications and has a unique impact on a network. Most applications that use TCP/IP make use of a Well-Known Port, a port that is registered internationally for use with a specific application. For example, Web requests use port 80 and FTP requests use ports 20 and 21. NetBIOS over TCP/IP (NBT) uses a separate port number for each of the three services: two UDP ports (137 and 138) and TCP port 139. Table 1 gives a summary of the individual services, the TCP and UDP ports they use by default, and their typical usage.

TABLE 1  NETBIOS SERVICES OVER TCP/IP

NetBIOS Service Name       TCP, UDP Port Number   Description
NetBIOS Name service       UDP 137                Used to resolve NetBIOS names on a local network segment using broadcasts
NetBIOS Datagram service   UDP 138                Used to transfer data between applications when a broadcast must be used or when speed is more important than data integrity
NetBIOS Session service    TCP 139                Used to transfer data between applications when broadcasts are not required and when data integrity is more important than speed

To better troubleshoot problems with browsing, domain authentication, trusts, and file sharing, it is important to understand, in detail, how and why these three services are used. If you work in a routed environment, pay particular attention to the port numbers to understand what routers should and should not filter to support different functionality. Once you understand the intricacies of each service, you can make use of a protocol analyzer such as Microsoft's Network Monitor to narrow down problems. Network Monitor is an excellent tool for examining frames sent using these services because it automatically decodes many of the cryptic fields within the frames.

NetBIOS Name Service

The NetBIOS Name service provides for name resolution within a single network segment. It is also called upon by services that must listen for a specific NetBIOS name to be used on the network, both to register the name and to release the name. It is used by computers that are part of a domain to locate a domain controller on the local network segment for domain authentication.

NetBIOS connections involve several different steps. When a connection is requested, the first is to resolve the name of the server to something more useful, like an IP address. This step, which sounds simple, causes more NetBIOS problems than anything else! Microsoft recognizes this problem and has provided several different methods of name resolution, outlined in greater detail in the sections to follow. For now, understand that only name resolution through broadcasts uses the NetBIOS Name server. WINS queries and responses use the NetBIOS Datagram service. If the name is currently cached, no request is made.

The NetBIOS Name service always uses the UDP protocol, which exists at the transport layer of the OSI model. The advantages and disadvantages of UDP carry over to the NetBIOS Name service. To its advantage, it carries little overhead by avoiding the three-way handshake of TCP and using fewer header fields. Its connectionless property is also a disadvantage because it provides no method of notifying the sender if a packet is not carried across the network properly. The specific transport-layer port number that NetBIOS Name service packets use is UDP port 137. Recognizing this port number is important when troubleshooting using tools such as protocol analyzers.

The Messenger service is an excellent example because it uses all three NetBIOS services, depending on the situation. The NET SEND command can be used to direct messages to a specific computer, a specific user, or an entire domain. If a message is sent to a computer, the NetBIOS Name service is used to find that computer by sending a broadcast on the local network. If a message is sent to a user, a broadcast is sent to the network and is processed by all machines for which the Messenger service has registered a NetBIOS name (consisting of the username and a sixteenth character of <03>). Each machine that has registered that name responds to the query. At this point, the NetBIOS Session service is called upon to actually deliver the message.

The NetBIOS Name service is not extremely well-adapted to typical, routed TCP/IP networks; it was designed to be used on LANs. However, there are several workarounds to smooth out problems. Routers, by default, simply ignore UDP broadcasts. This makes a lot of sense; the whole purpose of a router is to block that type of traffic. Unfortunately, this means that name resolution using the NetBIOS Name service only works on a single network segment, and adding a single router requires the use of an LMHOSTS file at each host or the WINS service. To avoid this problem, most router manufacturers provide a way to forward these broadcasts between subnets, making the router act more like a bridge. Enabling this feature is a quick way to ensure that name resolution continues to work properly when segmenting a TCP/IP network; without it, users would be able to connect only to servers within their broadcast domain.

NetBIOS Datagram Service

The NetBIOS Datagram service is one of two ways applications may communicate with each other, the alternative being the NetBIOS Session service. The NetBIOS Datagram service provides connectionless and broadcast-oriented communications, making use of the UDP transport-layer protocol, port number 138. The most common uses for UDP port 138 are for Browser service notifications.
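An added example, not from Northrup's text: Python that builds and parses a constructed NetBIOS Name Service query (UDP port 137), including the first-level name encoding from RFC 1001 and the sixteenth suffix byte (such as <03> for the Messenger service) mentioned above. The transaction ID and the names are constructed sample values; the suffix table lists a few of the documented suffix meanings, and the parser rejects anything that is not a well-formed name query request.

```python
import struct

NBNS_PORT = 137                                  # UDP port of the NetBIOS Name service
QTYPE_NB, QCLASS_IN = 0x0020, 0x0001             # question type/class of a NetBIOS name query
FLAG_RD, FLAG_BROADCAST = 0x0100, 0x0010         # NM_FLAGS bits inside the header flags word
# A few documented sixteenth-byte suffixes (a NetBIOS name is 15 characters + suffix).
SUFFIX_MEANINGS = {
    0x00: "Workstation service",
    0x03: "Messenger service",
    0x1B: "Domain master browser",
    0x1D: "Master browser",
    0x20: "File server service",
}


def encode_name(name: str, suffix: int) -> bytes:
    """First-level encoding: upper-case, pad to 15 characters with spaces, append the
    suffix byte, then write each nibble of each byte as a letter 'A'..'P' (32 bytes)."""
    if not (0 < len(name) <= 15) or not name.isascii() or not 0 <= suffix <= 0xFF:
        raise ValueError("NetBIOS names are 1-15 ASCII characters plus a one-byte suffix")
    raw = name.upper().ljust(15).encode("ascii") + bytes([suffix])
    return bytes(b for byte in raw for b in (0x41 + (byte >> 4), 0x41 + (byte & 0x0F)))


def decode_name(encoded: bytes):
    """Reverse of encode_name; returns (name, suffix)."""
    if len(encoded) != 32 or any(not 0x41 <= c <= 0x50 for c in encoded):
        raise ValueError("not a 32-byte first-level encoded NetBIOS name")
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(" "), raw[15]


def build_name_query(trn_id: int, name: str, suffix: int, broadcast: bool = True) -> bytes:
    """Constructed NAME QUERY REQUEST (RFC 1002 section 4.2.12): 12-byte header, one question."""
    flags = FLAG_RD | (FLAG_BROADCAST if broadcast else 0)      # opcode 0 = query, RD set
    header = struct.pack("!HHHHHH", trn_id, flags, 1, 0, 0, 0)   # QDCOUNT=1, no other records
    question = (bytes([32]) + encode_name(name, suffix) + b"\x00"
                + struct.pack("!HH", QTYPE_NB, QCLASS_IN))
    return header + question


def parse_name_query(pkt: bytes) -> dict:
    """Decode a name query request; raise ValueError on anything malformed."""
    if len(pkt) < 50:                                            # 12 + 1 + 32 + 1 + 4
        raise ValueError("truncated NBNS packet")
    trn_id, flags, qdcount, ancount, nscount, arcount = struct.unpack("!6H", pkt[:12])
    if flags & 0x8000 or (flags >> 11) & 0x0F != 0 or qdcount != 1:
        raise ValueError("not a name query request")             # response bit set or wrong opcode
    if pkt[12] != 32 or pkt[45] != 0:
        raise ValueError("malformed question name")              # length byte and terminator
    name, suffix = decode_name(pkt[13:45])
    qtype, qclass = struct.unpack("!HH", pkt[46:50])
    if (qtype, qclass) != (QTYPE_NB, QCLASS_IN):
        raise ValueError("unexpected question type/class")
    return {
        "trn_id": trn_id,
        "broadcast": bool(flags & FLAG_BROADCAST),
        "recursion_desired": bool(flags & FLAG_RD),
        "name": name,
        "suffix": suffix,
        "suffix_meaning": SUFFIX_MEANINGS.get(suffix, "unknown <%02X>" % suffix),
    }


if __name__ == "__main__":
    # What a NET SEND to user "alice" would look up: the name ALICE with suffix <03>.
    pkt = build_name_query(0x1234, "alice", 0x03)
    print(len(pkt), parse_name_query(pkt))
```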
These messages are used to build the Network Neighborhood on your users' desktops, and if enabled, they can be mildly useful or extremely frustrating, depending on whether or not the Browser service is working properly on your network. Though the Browser service is the most frequent user of the NetBIOS Datagram service, it is merely an optional application, not a required component of the operating system. There are many resources on the details of the Browser service, and I will not cover it in detail here.

Each LAN segment has one master browser and up to 3 backup browsers. Each domain has one domain master browser. Browsing produces a high amount of network traffic:
Every 12 minutes each (local) master browser contacts the domain master browser to update the browse lists
Every 12 minutes each host announces itself in the local subnet (broadcast)
Every 12 minutes each backup browser contacts its local master browser to retrieve an updated browse list
Every 15 minutes each master browser announces itself to the master browsers of other domains in the local subnet

Another common use for the NetBIOS Datagram service is the Messenger service. The Messenger service is an interesting example because it uses either the NetBIOS Datagram service or the NetBIOS Session service, depending on the type of communications required. Messages sent to groups of computers, for example, using the NET SEND * command, make use of UDP's ability to broadcast packets to the local network.

The NetBIOS Datagram service uses the UDP transport protocol and so suffers from the same problems as the NetBIOS Name service when a routed network is used. To make the Browser service, the Messenger service, and any other applications that use the NetBIOS Datagram service work in a routed network, you must forward broadcasts across routers as described in the previous section.

NetBIOS Session Service

The bulk of all NetBIOS traffic generated on a network occurs using the NetBIOS Session service, which utilizes TCP port 139. The Datagram service, using the connectionless UDP protocol, and the Session service, using the connection-oriented TCP protocol, provide two methods for applications to communicate. The Datagram service, because it uses UDP, is faster and more efficient but does not provide guaranteed delivery of packets. The phrase guaranteed delivery does not imply that every packet makes it through every time; it simply means that the computer sending the packets is always notified whether or not they were received. In modern networks, UDP is an extremely reliable protocol, but it still lacks the capability of notifying the sending application that a packet was not received properly. By utilizing TCP, the NetBIOS Session service allows for small and large transfers where authentication is required, a session must be maintained over a period of time, or delivery of packets must be guaranteed.

File and printer services make up the bulk of traffic generated by the NetBIOS Session service. Another common use is the networked application: Server Manager, User Manager, Event Viewer, Registry Editor, and Performance Monitor all make use of the NetBIOS Session service to interact with remote machines. Therefore, if a router or firewall connecting two machines is blocking TCP port 139, all of these applications fail when used remotely. The Messenger service makes use of the NetBIOS Session service and Server Message Blocks (SMB) for messages which are directed to a specific computer name. In this way, the Messenger service uses the connectionless NetBIOS Datagram service for broadcasts to groups of computers and the connection-oriented NetBIOS Session service for directed messages to a specific computer. If you are not yet familiar with SMB, it is covered in more detail later.

The NetBIOS Session service is far more complex than its UDP counterpart, the NetBIOS Datagram service. Because it is connection-oriented, the NetBIOS Session service includes functions to establish connections, authenticate computers and users, and break connections. The NetBIOS Session service must perform NetBIOS name resolution to locate the IP address of a computer when given the NetBIOS name, and problems while connecting applications may be caused by a problem with either service. Once the name resolution has been accomplished, a one-way NetBIOS connection is created by the client and maintained until either party terminates it. If the server needs to open a connection to the client, an entirely separate connection must be created. The name and IP address of the server are stored together in the NetBIOS name cache on the client.
If you are curious, the names in the cache can be viewed using the command NBTSTAT -c.

NetBIOS Connections

After a single NetBIOS session is established between two hosts on a network, all data transferred thereafter between NetBIOS network applications on those two machines is channeled through the existing session. Because this same session is reused, the overhead of renegotiating a connection is avoided. This has an interesting side effect. When you need to connect to a remote computer that is not in the same domain as your user account, or if you need to access it with a different user account, tools such as the Event Viewer and Server Manager simply give an error and refuse the connection. These tools do not provide a method to authenticate your connection with a different user account than the one currently in use. However, the Windows Explorer and NET USE commands do allow you to provide a different username and password. Therefore, if you need to connect to a machine using any of the standard administrative tools with a different account than the one you are currently using, start by establishing a network connection to the remote machine using the command NET USE \\SERVER /USER:USERNAME. The NET command prompts you for a password and creates a NetBIOS session. Until that session is broken, the administrative tools and all other NetBIOS networked applications run in the context of the username and password you specified with the NET USE command. Similarly, if you have an existing connection (such as a connection to a shared directory) and need to perform a task on a remote machine using a different user account, all existing connections must be broken. To view the current NetBIOS sessions, execute the command NBTSTAT -s.

A Final Word on NetBIOS Services

As you learned in the previous sections, the presence NetBIOS has on a network is divided into three individual services. The NetBIOS Name service allows name resolution without using a WINS server but is a common source of problems and delays. The NetBIOS Datagram service is used by applications such as the Messenger service, the Browser service, and other applications that use the mailslots interface. The NetBIOS Session service is the most significant NetBIOS presence on most networks, allowing file transfers, network printing, and remote applications such as Server Manager and User Manager to function.

SMB (Server Message Blocks)

The previous section described the different methods Windows systems use to resolve NetBIOS names on a network. Resolving the name is only the first part of NetBIOS communications, however. Once the name is resolved, useful work may be accomplished. One of the most popular mechanisms for this work is SMB, or Server Message Blocks, described in this section.

Microsoft, Intel, and IBM worked as a team to develop the Server Message Blocks (SMB) protocol as a standardized way of exchanging information using NetBIOS. It has been submitted as an open Internet standard, allowing other organizations to create SMB-compliant applications in the future. SMB provides much of the workgroup functionality that is available in Microsoft operating systems such as MS-DOS, Windows 3.1, Windows for Workgroups, Windows 95, LAN Manager, and Windows NT. It is well suited to workgroup communications, but it is not the most efficient way of exchanging files on a TCP/IP network. However, it has become widely used because it is included with all of Microsoft's desktop and network operating systems, it is easy to configure, and it is free. Microsoft is not the only organization using SMB, though they are the driving force behind its use. Products such as SAMBA allow UNIX-based systems to connect to shared drives from Windows-based systems, enabling heterogeneous networks to use a single method of file exchange. Currently there is no method for Macintosh systems to connect to SMB shares.
Though Windows has the ability to exchange files with Apple systems through the Apple Filing Protocol (AFP), it requires introducing yet another protocol to a network.

The Server Message Blocks protocol has been written to comply with C2 security specifications. It incorporates user authentication and exchanges passwords only in a hashed format to thwart someone with a protocol analyzer from compromising the passwords. The process of exchanging passwords starts with the client, which attempts to initiate an SMB connection to a server. The server determines that the client must supply a username and password, and it sends an authentication challenge including a randomized token. The client uses this token to encrypt a hashed version of the password and returns the result to the server. The server performs the same steps on the password it has stored for the user and matches the results to the answer the client provided. If the answer matches the result of the hash the server computed, the client has started with the correct password and is authenticated.

This security makes it very difficult for someone to listen to a conversation between two different machines and decrypt the password. The client is still vulnerable to attack from the server, however. One method that has been proven to compromise client passwords involves creating a server that challenges the client with the same token every time. In this scenario, the client encrypts the password using the token and returns it to the server. Because the token is not randomized, the server may have constructed a dictionary of hashed passwords to be used to look up the original password based on the client's hashed password. This is a difficult trap to build, but it has been done before. The moral of the story is twofold: Carefully consider which servers you attempt to authenticate with, and consider the security of the client as carefully as the security of the server.

Microsoft's Common Internet File System (CIFS), their solution for file sharing across the Internet, is being based on the SMB protocol. SMB relies on the NetBIOS Session service for all communications. Commands can be broken into four broad categories, discussed in the next sections.

Session Control

A subset of the entire SMB message suite, the Session Control message group, is composed of messages used to establish and break redirector connections (file sharing).
These are called when the Windows NT commands NET USE and NET USE /DELETE are issued, or when the Map Network Drive and Disconnect Network Drive commands are called from Windows Explorer.

File
The File message group is a group of commands used to access shared files and directories once a session between a client and a server has already been established. These messages would be sent when copying files from a network drive.

Printer
Similar in function to the File message group, the Print message group is used to send documents to a network print server and provides printer management functions. These messages are used when printing to a network printer or performing management functions from within Printer Manager.

Message
The Message SMB type is used to exchange messages between systems. A command such as NET SEND COMPUTERNAME test_message uses a Message-type SMB packet to transmit a directed message to a specific computer.

SMB is an important topic to understand because it is the underlying mechanism for much of Windows NT's network functionality. While NetBIOS and SMB have proven themselves over time in production networks, they are not without their flaws. The next section will explore these flaws in more detail, with the goal of making you aware of them before they cause serious problems.

Uncovering NetBIOS's Weaknesses
NetBIOS is not the ideal way for applications on a TCP/IP internetwork to communicate. The most obvious drawback is the additional overhead. When used with TCP/IP, NetBIOS adds yet more headers after the frame header: the IP header and the TCP/UDP header. Another disadvantage is that different applications using NetBIOS all look the same to a router or firewall, limiting an administrator's ability to filter out specific applications. The result is that most simply block NetBIOS entirely, losing the functionality of applications that may be useful. When designing these applications, did Microsoft simply not take these factors into account?
Certainly they did, but NetBIOS was designed in an era before the dominance of TCP/IP in local area networks. In retrospect, Microsoft made a very wise choice; had they built the applications around a single network protocol, they no doubt would not have chosen TCP/IP. In fact, they were so convinced NetBEUI would be the next major protocol that they began development of a routable version called JetBEUI (no joke!).

Network-Level Security
Undoubtedly the most publicized flaws of NetBIOS are its security weaknesses. Being aware of the specifics of these weaknesses will make you better able to combat them, and this section will provide you with the information you need to limit your security risks. Securing any network, especially one attached to the public Internet, needs to include security at both the network level and the systems level. Securing at the network level means using firewalls and filtering routers, and it is important specifically because it is independent of the systems operating on the network. For example, if a router has been configured to block all incoming traffic from the Internet to a specific NT server, that system is safe from direct attacks from the Internet, regardless of how the computer itself has been configured. To avoid the cost of adding a true firewall, most networks make use of packet filtering on routers. Packet filtering allows traffic to be selectively blocked according to the source IP address and the UDP/TCP port number. Port-level filtering allows a network manager to permit certain types of traffic through a router, depending on the application. Because Telnet uses TCP port 23 and HTTP uses TCP port 80, a network manager has the ability, for example, to allow Web requests from the Internet to be forwarded only to the corporate Web server, and to disallow all Telnet access.

System-Level Security as Part of Network Security
System-level security is also critical.
Every effort must be made to secure individual hosts on a network through methods such as strict share permissions, limiting the services offered to the network, and requiring long, complex passwords for all users. While system-level security is an important component of overall network security, it cannot be relied upon. Flaws in operating systems are common, and many such flaws allow malicious users to bypass system security. Additionally, all users with legitimate accounts on the server must be entrusted to protect their passwords. To compensate for these weaknesses, system-level security should be used in concert with network-level security.

A substantial disadvantage is that all NetBIOS traffic, regardless of the application, relies on the same three ports: UDP 137, UDP 138, and TCP 139. This completely invalidates traditional port-level filtering, a common method of security in TCP/IP networks. That level of granularity is not available with NetBIOS applications. In many cases, an organization with an Internet connection may wish to publish files on the Internet and allow people to connect to that drive as a NetBIOS share. This is very possible, but the organization is forced to allow all NetBIOS traffic through and thereby invite attacks. To further clarify: for an organization to allow file sharing on the Internet, all public routers must be configured to forward traffic for TCP port 139. Print sharing also uses TCP port 139 and so is automatically accessible. Therefore, if the file server also acts as a print server, anyone on the Internet may attempt to print to that server. They are forced to authenticate depending on how the share permissions on the printer are configured, but the responsibility for the security of the network has been shifted from the network administrator to the systems administrator. Ideally, security would be provided at both levels. Security at the network level for NetBIOS is all or nothing. The network manager must decide which computers will and will not act as servers for NetBIOS applications, but he or she has no control over which of the many NetBIOS applications will be available. This weakness makes a strong argument for using Windows sockets for network application programming.
Because Windows sockets applications may be filtered out at the network level by specifying a TCP port filter, specific Windows sockets applications may be allowed or disallowed. Despite these weaknesses, Microsoft continues to leverage NetBIOS for the majority of its administrative utilities. Unfortunately, this trend will continue in Windows NT 5.0. For this reason, understanding the weaknesses and potential problems with NetBIOS is important; until Microsoft changes major parts of the Windows operating system, we must continue to accommodate the protocol. However, very few third-party applications make use of NetBIOS. Perhaps third-party developers realize these weaknesses, or perhaps the application programming interface that NetBIOS provides is simply too complicated.
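The challenge-response exchange described at the start of this section, worked through as an added example (this is not code from the page nor Microsoft's implementation). The primitives are assumptions chosen for clarity: SHA-256 of the password as the stored hash and HMAC-SHA256 over the server's token as the response; SMB/NTLM uses other primitives, but the exchange has the same shape. The `Client` class also carries the lesson drawn in the text, that the client must judge the server too: it remembers every token each server has sent and refuses to answer a repeated one.

```python
"""Challenge-response password exchange with a client-side check against a
server that reuses its challenge. Added example; primitives are assumptions."""
import hashlib
import hmac
import os


def password_hash(password: str) -> bytes:
    """What the server stores instead of the clear-text password (assumed SHA-256)."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def compute_response(pw_hash: bytes, challenge: bytes) -> bytes:
    """Both ends derive the response from the stored hash and the server's token."""
    return hmac.new(pw_hash, challenge, hashlib.sha256).digest()


class Server:
    """Honest server: a fresh random token for every connection."""

    def __init__(self, users: dict):
        self._users = {u: password_hash(p) for u, p in users.items()}

    def challenge(self) -> bytes:
        return os.urandom(16)

    def verify(self, user: str, challenge: bytes, response: bytes) -> bool:
        stored = self._users.get(user)
        if stored is None:
            return False
        expected = compute_response(stored, challenge)
        return hmac.compare_digest(expected, response)


class FixedChallengeServer(Server):
    """The trap the text describes: the same token every time, so each response
    becomes a stable function of the password and a table built in advance applies."""

    def challenge(self) -> bytes:
        return b"\x00" * 16


class Client:
    """Keeps the password local and refuses a server that repeats a challenge."""

    def __init__(self, user: str, password: str):
        self.user = user
        self._pw_hash = password_hash(password)
        self._seen = {}  # server id -> set of challenges already answered

    def respond(self, server_id: str, challenge: bytes) -> bytes:
        seen = self._seen.setdefault(server_id, set())
        if challenge in seen:
            raise ValueError(f"server {server_id!r} reused a challenge; refusing")
        seen.add(challenge)
        return compute_response(self._pw_hash, challenge)


def authenticate(client: Client, server: Server, server_id: str = "srv") -> bool:
    """One exchange: challenge -> response -> verdict. The password never crosses the wire."""
    chal = server.challenge()
    resp = client.respond(server_id, chal)
    return server.verify(client.user, chal, resp)


def responses_are_unlinkable(client: Client, server: Server, server_id: str = "srv") -> bool:
    """With a random token, two sessions for the same password give different responses,
    so a response captured with a protocol analyzer cannot be matched against a
    precomputed table of password hashes."""
    r1 = client.respond(server_id, server.challenge())
    r2 = client.respond(server_id, server.challenge())
    return r1 != r2


if __name__ == "__main__":
    honest = Server({"alice": "correct horse"})
    print("honest server, right password:", authenticate(Client("alice", "correct horse"), honest))
    print("honest server, wrong password:", authenticate(Client("alice", "guess"), honest))
    trap = FixedChallengeServer({"alice": "correct horse"})
    bob = Client("alice", "correct horse")
    authenticate(bob, trap, "trap")        # first contact looks normal
    try:
        authenticate(bob, trap, "trap")    # same token again: the client refuses
    except ValueError as e:
        print("client refused:", e)
```

The per-server memory is a simplification (a real client would also reject tokens that are too short or otherwise low-entropy), but it shows the point: the randomness of the challenge is what the server provides, and the client has no way to check it except by watching what it is sent over time.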

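Port-level filtering as the section above describes it, applied to constructed traffic, as an added example (not code from the page). The rule format, the addresses (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges) and the packets are all made up here. The `app` field on a packet is descriptive only: a router never sees it, which is exactly why the two NetBIOS applications on TCP 139 are admitted or blocked together.

```python
"""Packet filtering on protocol, destination port and destination address.
Added example with constructed rules and traffic."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int
    app: str = ""   # label for the reader only; invisible to the filter


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    proto: Optional[str] = None  # None matches any protocol
    dport: Optional[int] = None  # None matches any destination port
    dst: Optional[str] = None    # None matches any destination address

    def matches(self, p: Packet) -> bool:
        return ((self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport)
                and (self.dst is None or self.dst == p.dst))


def filter_packet(rules: List[Rule], p: Packet, default: str = "deny") -> str:
    """First matching rule wins; anything unmatched gets the default verdict."""
    for r in rules:
        if r.matches(p):
            return r.action
    return default


WEB_SERVER = "203.0.113.10"    # constructed
FILE_SERVER = "203.0.113.20"   # constructed; also acts as the print server

# Web requests from the Internet only to the corporate Web server, no Telnet at all.
WEB_ONLY = [
    Rule("allow", proto="tcp", dport=80, dst=WEB_SERVER),
    Rule("deny", proto="tcp", dport=23),
]

# Publishing a NetBIOS share means forwarding TCP 139 to the file server.
NETBIOS_PORTS = (("udp", 137), ("udp", 138), ("tcp", 139))
SHARE_RULES = WEB_ONLY + [Rule("allow", proto="tcp", dport=139, dst=FILE_SERVER)]

INTERNET_TRAFFIC = [  # constructed sample, one packet per case of interest
    Packet("198.51.100.7", WEB_SERVER, "tcp", 80, "http"),
    Packet("198.51.100.7", FILE_SERVER, "tcp", 80, "http"),
    Packet("198.51.100.7", WEB_SERVER, "tcp", 23, "telnet"),
    Packet("198.51.100.7", FILE_SERVER, "tcp", 139, "smb file"),
    Packet("198.51.100.7", FILE_SERVER, "tcp", 139, "smb print"),
]


def verdicts(rules: List[Rule], packets: List[Packet]) -> List[Tuple[str, str]]:
    """(application label, verdict) for each packet."""
    return [(p.app, filter_packet(rules, p)) for p in packets]


def netbios_apps_reaching(rules: List[Rule], packets: List[Packet]) -> set:
    """Which NetBIOS applications get through. Every application sharing TCP 139
    is admitted together, because the filter only sees port numbers."""
    return {p.app for p in packets
            if (p.proto, p.dport) in NETBIOS_PORTS and filter_packet(rules, p) == "allow"}


if __name__ == "__main__":
    for label, rules in (("web only", WEB_ONLY), ("with file share", SHARE_RULES)):
        print(label, verdicts(rules, INTERNET_TRAFFIC),
              "NetBIOS apps reaching:", netbios_apps_reaching(rules, INTERNET_TRAFFIC))
```

With `WEB_ONLY`, Telnet and the misdirected HTTP request are dropped and nothing on TCP 139 gets in; the moment the file share is published, the print service on the same host and port comes with it, and only the share permissions on the server remain to control it.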

Physical Network Administration


ITD Latinoamérica, July 2000
Today's networks are vital to business. On the one hand, they support the computing platform on which company processes rest. But in addition, and this is a recent phenomenon, e-commerce networks are themselves a source of revenue. As if that were not enough, today we can see that voice and data networks have been integrated into a single network, so that all of a company's internal and external communications (voice, e-mail, fax, video) travel over the same medium, a single converged network. These factors make networks critical to companies. Nevertheless, with the notable exception of banks, in many sectors the way networks are administered and maintained is absolutely irrational. Nobody inside a company knows why or when problems occur on the network. Actions are clearly reactive rather than proactive, and people often live with poor-performance situations that hurt the business. There are, however, monitoring, diagnostic, analysis and troubleshooting tools that make it possible to control the service levels of mission-critical networks. The map of vendors of this kind of tool is extremely complex, since it ranges from software platforms for the logical administration of a complete system, through systems for physical network administration and device management tools, to targeted measuring instruments for determining the state of a particular network segment or port. In other words, the spectrum can include products such as Cabletron's Spectrum, Nortel's Optivity, Novell's ManageWise, Computer Associates' Unicenter TNG and IBM's Tivoli. In this article, however, we will concentrate on more specific physical-administration tools that involve packet analysis, such as Sniffer from Network Associates, NetMetrix from Agilent and nGenius from NetScout.
Finally, we also mention the portable devices from Fluke.

Agilent Technologies
Agilent is a spin-off of Hewlett Packard that began independent operations in November 1999 with four business divisions: test and measurement, semiconductors, healthcare solutions and chemical analysis. Agilent's general idea is to apply measurement technologies to develop products that detect, analyze, display and communicate data. Some Agilent products are still handled, especially in Latin America, by Hewlett Packard's enterprise division (which handles the large Unix servers). This is due to the great synergy between the NetMetrix and Firehunter line of programs and probes (from Agilent) and the HP OpenView management platform (a fundamental part of the enterprise division's strategy regarding the high availability required by the kind of platform that HP servers support). The NetMetrix software is used to manage the traffic of a network and can work with or without probes from NetMetrix or other brands, provided they comply with the RMON and RMON2 standards. Firehunter, on the other hand, is a package for managing communication service levels. "Firehunter is still a network-level solution; it does not get involved with the applications," says Jesús Alberto Ramírez, software manager at HP in Colombia. "However, to offer service levels it is necessary to get involved with the applications, and that is a functionality Firehunter offers through its integration with the Network Node Manager of HP OpenView." With these packages one can recognize the bottlenecks that affect performance, create and maintain service-level agreements, reduce administration costs and extend the power of the HP OpenView Network Node Manager management software, one of the 42 modules that make up the HP OpenView platform.
To generate this visibility into the network, data collection devices specific to each type of physical network medium are needed. Agilent's probes come for Ethernet, Fast Ethernet, Token Ring, FDDI, ATM, HSSI, T1, T3/DS3, E1, E3, OC3c and OC12c. The Agilent spin-off has been mostly an administrative action, since the NetMetrix and Firehunter products remain integrated with the OpenView platform, and are also sold and marketed by Hewlett Packard's sales force in the region.

Sniffer
Sniffer was the flagship product of Network General, a company that merged with McAfee Associates a couple of years ago to create Network Associates International (NAI). As a packet analyzer for LANs, Sniffer became popular in the eighties and dominated the market for network troubleshooting tools in the era of Token Ring and the first Ethernet networks. Later the product evolved toward high-speed switch-based networks when it introduced remote monitoring (RMON) capabilities. Today Sniffer includes advanced reporting features for proactive network administration, and the product's future lies in the administration of applications and e-commerce networks. Today's Sniffer is a complete suite of products that allow the availability and performance of the network to be monitored, reported and managed proactively. New functionality is constantly being added to the Sniffer tools, such as VLAN analysis of switched networks, analysis of e-business environments (including WANs) and capacity planning with Sniffer Predictor. Recently, application monitoring was added, to manage the performance of each of the applications on a network. Sniffer has portable products designed to run on notebooks or laptops, as well as suites of distributed products that cover enterprise-scale networks, monitoring different segments, decoding protocols and performing expert analysis across the whole network. According to Robert Kusters, Sniffer marketing manager at NAI, the growth of the IT industry, as well as the spread of increasingly complicated technologies, has not been matched by growth in the staff trained to support these installations. For that reason, technical support costs have risen dramatically. "Tools like Sniffer make it possible to find duplicate addresses on a network in less than five seconds, a task that would take more than three hours if done manually." The same goes for poor network performance due to a large number of retransmissions. "The source of the retransmissions can be identified in 10 seconds, versus the 40 minutes it would take without Sniffer." However, one of the main advantages NAI attributes to Sniffer is its expert system for analyzing the information collected, interpreting it and resolving the problems. "The competition does not solve problems," says Kusters. "Systems such as OpenView, Optivity or Cisco Works only see the problems and report them." Regarding switched networks, NAI executives maintain that, unlike other tools, switches are not invisible to Sniffer, since it can monitor physical or virtual networks. Sniffer Pro 4.0, for example, has specific APIs for different brands of switches, whose port-mirroring and SPAN capabilities it can control. Why does NAI maintain that Sniffer is a tool that enables e-commerce?
On the one hand, Sniffer detects problems related to HTTP/HTTPS and analyzes difficulties between the WAN transmission and the Web server. On the other hand, it also makes it possible to isolate problems in the front end, the transaction server or the back-end database. Converged networks are handled by Sniffer thanks to the multiple technologies and protocols supported (IP, HTTP, H.323, SIP, PoS, ATM) and its single interface for managing voice and data over all topologies. Finally, Kusters highlights the new version of Sniffer PoS (Packet over SONET) for optical networks and the new Sniffer models that will soon be available on the market: SnifferBook Ultra, Portable Sniffer v. 4.0, DSS/RMON and Application Informant v. 4.0, suites for voice over IP and improved analysis of application and groupware performance. The simple protocol analyzer of the eighties has today become a whole suite of performance-management products that goes beyond the characteristics of a network analyzer to become an enterprise system capable even of seeing the different applications.

NetScout
Another manufacturer with monitoring software and data-collection agents is NetScout, which offers several families of system-administration solutions. The Application Service Level Management and Billing family includes the applications AppScout, to verify an application's performance against a service-level agreement, and Net Countant, for billing the use of network resources. Capacity Management is a solution to minimize costs while ensuring an application's performance. It consists of WebCast, to establish usage patterns for applications and the network, and NetScout Server, which aggregates the information collected.
Optimization and Fault Isolation consists of AppScout, NetScout Manager Plus, for isolating network problems, WWG Mentor, which automates problem isolation through expert technology, and WWG Examine, which decodes packets for in-depth analysis. A new family called eBusiness Performance Management groups the nGenius products (nGenius Server, nGenius Performance Monitor, nGenius Traffic Monitor and nGenius Probe) into a solution that ensures the availability of e-business networks. The nGenius system was introduced to the market during the recent NetWorld+Interop in Las Vegas last May, as the first solution aimed at managing the performance of whole systems, with visibility and control over the front-end and back-end networks. NetScout has managed to enter important markets thanks to significant alliances with networking companies such as Cisco and with OEM companies that have added a great deal of expertise to its solutions, such as WWG (Wavetek Wandel & Goltermann).

Fluke
In the more specific area of cable certification, Fluke has been the most focused company and has traditionally led the market. Fluke manufactures a wide variety of cable testers, both electrical and data, tone testers, digital multimeters, electrical testers, voltage event recorders and power quality analyzers. All of these are portable devices widely used by installers and technicians. In the field of data networks, Fluke has cable analyzers for Categories 3, 5, 5e and 6 (although for the last of these the standard has not yet been approved). The DSP-4000 is a very portable, easy-to-use device that comes specially protected for rough handling. Its display shows graphs of NEXT, ELFEXT, PSNEXT, attenuation, ACR, propagation delay and return loss, up to 350 MHz.
With a special adapter, the DSP-4000 can also certify fiber-optic installations. The OneTouch Network Assistant is a device that discovers the elements of a given network segment and detects errors in them. It performs IP connectivity tests and includes Network Advice for interpreting Ethernet statistics. Finally, the CableManager software makes it possible to organize, sort and analyze the information collected by portable devices such as the DSP-4000. A version of CableManager can be downloaded free of charge from Fluke's Internet site.


Detecting Eavesdroppers on Ethernet Networks


by Jordi Murgó, Linux Actual, #3, October 2000
Introduction
An Ethernet network is a packet-transmission network based on a shared bus. All the computers on the network are connected to the shared bus. The bus may be a simple coaxial cable (10Base2), or it may be formed by passive elements such as hubs, which give us structured cabling of the network over twisted pairs (10BaseT). Under this network architecture, when a machine wants to transmit a packet, it checks that the bus is free and sends it. If two machines send a packet onto the network simultaneously, a collision occurs. The collision is detected by both, and they wait a random time before trying to send the information onto the bus again. All Ethernet-compatible devices have a MAC address, 48 bits long, that is unique in the world. Each manufacturer of Ethernet equipment is assigned a range of addresses, and it is the manufacturer's responsibility to assign a different address to each device. MAC addresses are stored in a small memory on the network card. MAC addresses are written in hexadecimal in the following format: XX:XX:XX:XX:XX:XX. Information is sent onto the bus grouped into frames or packets. These packets contain the destination MAC address, the source MAC address, the data type, the data to be transmitted and a checksum. Under normal conditions, an Ethernet card is only able to hear packets addressed to its own MAC address or addressed to everyone (BROADCAST). The BROADCAST MAC address is FF:FF:FF:FF:FF:FF. The IP protocol (Internet Protocol) is a network protocol with 32-bit addresses, in the well-known format aaa.bbb.ccc.ddd, forming 4 groups of 8 bits. An IP address can be divided into two parts, the network address and the host address. If we are on a network connected to the Internet, our network address will be unique on the Internet, and our host address will be unique on our network, thus forming a globally unique IP address.
Let us focus on connectivity between machines on our own IP network, running over a physical Ethernet medium. To send an IP packet from our station 192.168.1.1 to station 192.168.1.2, the MAC address of the destination station must be known. We could solve this with a configuration file, assigning to each IP address on our network the MAC address associated with it, but that would be impractical. To solve this problem, the ARP protocol (Address Resolution Protocol) was developed. When a machine wants to know the MAC address corresponding to an IP, it sends a BROADCAST packet asking "Who owns 192.168.1.2?". All the machines on the network hear the request, but only the addressee replies: "192.168.1.2 is here, at MAC address xx:xx:xx:xx:xx:xx". This reply is stored in the requester's ARP cache for later use, and it then proceeds to send the packet to the destination.

Tools for Eavesdropping
For some years now it has been usual for every Unix operating system to include a traffic capture and display tool. GNU/Linux includes "tcpdump" in all its distributions. The tcpdump program can only be run by root (the administrator), and it is basically a diagnostic tool for TCP/IP networks. It can be used to analyze our own traffic, or that of our whole Ethernet network. To be able to listen to all the traffic passing over a network, the Ethernet card must be placed in "promiscuous" mode, which means it will collect all the packets on the network, even when the destination is not its own MAC address. The tcpdump program is not excessively dangerous in itself and is a great tool for network administrators. But a number of less innocent tools circulate on the Internet that are aimed specifically at capturing passwords.
These programs analyze the contents of the packets on our network, specifically the first packets of the sessions of protocols that commonly carry access credentials, such as Telnet, FTP, POP, IMAP and rlogin. The usernames and passwords obtained are deposited in a text file for the eavesdropper to read later.

Preventive Measures
As network administrators, one of our obligations is security, or at least that is what our bosses want. If that is our case, the best thing is to stay close to the underground scene, to keep ourselves in shape. We should not have unnecessary services active on our systems, since any day we may be unpleasantly surprised by a security hole in a service we have never used but kept active. We will try to make sure all our machines have the latest security updates. If this is not possible for budget reasons, we had better obtain a written refusal from the person responsible for budget allocation. They rarely refuse when you ask them for a written answer and explain the possible consequences of not updating. Another of our tasks will be to analyze the network design carefully, identify its sensitive parts, and produce a written report offering a preventive solution, based on LAN switching and departmental firewalls with traffic encryption, so as to minimize the impact of a possible eavesdropping attack. Perhaps our opinion will not be taken into consideration, but we will be able to dig out our report in the future, when we suffer an attack. We must be tough with our users and force them, preferably automatically, to change their passwords periodically and to choose passwords that are not easy to guess. It would be regrettable if the user "presidente" used the password "presidente". We can be sure that the first ones to be pointed at when something happens will be us, for not protecting the users' accounts. We must never access our systems using unencrypted sessions, at least if we are going to operate as administrators. A good substitute for Telnet, rlogin and rsh is ssh. Clients exist for Windows, and the Unix versions are free. We will make backups, or require that they be made, daily or weekly. The period depends only on the risk. We will avoid trust relationships between machines as far as possible, especially if we do not administer all of them ourselves. We will avoid connecting our resources directly to the Internet or to third-party networks. If it is necessary to do so, the first thing will be to install a firewall service separating our internal and external networks. We will define a policy of total restriction and open it up gradually as requests arrive in writing and are properly approved. We will not give the administrator password to anyone who should not be using it. If our boss does not know how to administer the machines, it is better not to give it to him, because he will write it down on some piece of paper. We will try to break into our own systems periodically. If there is more than one administrator on the network, it is a very entertaining game and highly addictive. We will analyze our alarm and history files, or build tools that analyze them. We will locate the most sensitive accounts and check that they are only accessed from the usual addresses.
If an access appears from an unusual location, we will talk with the owner of the account to verify that the access is genuine. This kind of check makes users aware that in the IT department we take our work very seriously.

Tools for Detecting Eavesdroppers
The NePED program is a detector of Ethernet cards in promiscuous mode. NePED is an essential tool for any TCP/IP network administrator, and it is very simple to use. When run, the program reports every machine connected to our local network whose Ethernet card is in promiscuous mode:

# neped eth0
----------------------------------------------------------
> My HW Addr: 00:00:F4:C2:0E:2A
> My IP Addr: 192.168.1.1
> My NETMASK: 255.255.255.0
> My BROADCAST: 192.168.1.255
----------------------------------------------------------
> Scanning ....
*> Host 192.168.1.2, 00:60:08:64:06:FF **** Promiscuous mode detected !!!
> End.

The technique used for detection is extremely simple. It consists of making an ordinary ARP request for each of the IPs on our network, except that the packets are not addressed to broadcast (FF:FF:FF:FF:FF:FF) but to an arbitrary address (any that does not exist). Only machines with their card in promiscuous mode are able to see these packets, and therefore only they will answer our requests.

How to Deal with a Case of Eavesdropping
In any case of eavesdropper detection, the first thing we must do is physically locate the eavesdropping machine. In small installations this is not difficult, but when the number of machines exceeds 50, spread over several floors of one or more buildings, the process can be laborious. An assistant or a laptop becomes indispensable. Once the machine is located, it is immediately disconnected from the network and inspected in detail to produce a report on the impact on our security. The first thing is to find out which passwords it has obtained, and what level of confidentiality or risk the affected passwords carry. After the detection of a security breach, accountability is usually demanded from above, and this is the moment to emphasize the IT department's lack of resources.

Case 1. We are administrators in a company
The eavesdropper may be someone in our company who, with the access credentials obtained, impersonates another user on our network. These cases are especially dangerous, since the eavesdropper knows exactly what to do, how and when. If as administrators we detect such a case, my advice is to leave it in the hands of Human Resources. You can never predict how the individual will react when he learns he has been discovered. The people in Human Resources know how to "dissuade" this kind of element in the most appropriate way.

Case 2. We are administrators at a university
The eavesdropper may be a student at a university. The situation is even more dangerous than the previous one. The student does not have as much to lose as an employee in a company, and normally believes he has a lot to gain. Imagine for a moment what a student would do with the account and password of the academic records department. In cases like these, it is more important to protect quickly than to look for the specific culprit. The first thing will be to assess what traffic he may have seen from his position on the network. We will make a list of affected systems and disconnect them from the network one by one. We will carefully review the access logs of those systems and check the integrity of their operating systems. We will expire ALL accounts, forcing a password change at the next login. When we have produced the situation report, we will request permission to reconnect the machines to the network in the safest possible way. This is a good moment to recall our preventive security report, and we will probably be listened to.

Case 3. We are administrators at an Internet service provider (ISP)
Better safe than sorry. It is essential to separate the networks of the different customers to avoid cross-eavesdropping. Cases of eavesdropping at providers usually have a bad beginning and a worse end.

Case 4. An external intrusion
In any of the three previous scenarios, in the face of an external intrusion we will watch the intruder for a while: long enough to learn how he got in, where his nest is, and how many machines he has taken over. We will disconnect all external accesses, including modems and ADSL links. We will fix the hole and any alterations to the operating systems. We will change the shell-access accounts on all the machines that were eavesdropped on. And we will connect again, awaiting his prompt return.
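The Ethernet/ARP frame format from the introduction and the non-broadcast ARP probe NePED relies on, simulated end to end as an added example (this is not NePED's code nor anything from the page). The hosts, their MAC and IP addresses and the probe's destination MAC (`PROBE_DST`, a unicast address assigned to no real host) are constructed here; the scanner and the flagged host reuse the addresses shown in the NePED output above so the result reads the same way.

```python
"""Build and parse Ethernet/ARP frames; simulate a normal NIC, a promiscuous
NIC, and the unicast ARP probe that only the promiscuous one answers.
Added example with constructed addresses."""
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"
PROBE_DST = "00:00:00:00:00:01"   # constructed: unicast, belongs to no host on the segment


def mac_bytes(s): return bytes(int(x, 16) for x in s.split(":"))
def mac_str(b):   return ":".join(f"{x:02x}" for x in b)
def ip_bytes(s):  return bytes(int(x) for x in s.split("."))
def ip_str(b):    return ".".join(str(x) for x in b)


def build_arp(dst_mac, src_mac, op, sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """14-byte Ethernet header followed by a 28-byte ARP body (42 bytes total)."""
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETH_P_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)   # hw type, proto type, hlen, plen, opcode
           + mac_bytes(sender_mac) + ip_bytes(sender_ip)
           + mac_bytes(target_mac) + ip_bytes(target_ip))
    return eth + arp


def parse_arp(frame: bytes) -> dict:
    """Decode one Ethernet/ARP frame into its fields; raises on anything else."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        raise ValueError("not an Ethernet/ARP frame")
    return {
        "dst_mac": mac_str(frame[0:6]), "src_mac": mac_str(frame[6:12]),
        "op": struct.unpack("!H", frame[20:22])[0],
        "sender_mac": mac_str(frame[22:28]), "sender_ip": ip_str(frame[28:32]),
        "target_mac": mac_str(frame[32:38]), "target_ip": ip_str(frame[38:42]),
    }


def nic_delivers(frame: bytes, own_mac: str, promiscuous: bool) -> bool:
    """Hardware filter: a normal card only passes frames for its own MAC or broadcast."""
    return promiscuous or mac_str(frame[:6]) in (own_mac, BROADCAST)


class Host:
    def __init__(self, mac: str, ip: str, promiscuous: bool = False):
        self.mac, self.ip, self.promiscuous = mac, ip, promiscuous

    def receive(self, frame: bytes):
        """The IP stack answers any ARP request for its own address that the card lets through."""
        if not nic_delivers(frame, self.mac, self.promiscuous):
            return None
        a = parse_arp(frame)
        if a["op"] == ARP_REQUEST and a["target_ip"] == self.ip:
            return build_arp(a["sender_mac"], self.mac, ARP_REPLY,
                             self.mac, self.ip, a["sender_mac"], a["sender_ip"])
        return None


def neped_scan(scanner_mac: str, scanner_ip: str, hosts, ips):
    """Ask 'who has <ip>?' for every address, but unicast to PROBE_DST instead of
    broadcast. Only a promiscuous card hands the request up to its stack, so only
    those hosts reply. Returns the (ip, mac) pairs that answered."""
    flagged = []
    for ip in ips:
        probe = build_arp(PROBE_DST, scanner_mac, ARP_REQUEST,
                          scanner_mac, scanner_ip, ZERO_MAC, ip)
        for h in hosts:
            reply = h.receive(probe)
            if reply is not None:
                r = parse_arp(reply)
                flagged.append((r["sender_ip"], r["sender_mac"]))
    return flagged


LAN = [  # constructed segment; the first host mirrors the NePED output above
    Host("00:60:08:64:06:ff", "192.168.1.2", promiscuous=True),
    Host("00:a0:c9:11:22:33", "192.168.1.3"),
    Host("00:a0:c9:44:55:66", "192.168.1.4"),
]

if __name__ == "__main__":
    for ip, mac in neped_scan("00:00:f4:c2:0e:2a", "192.168.1.1", LAN,
                              ["192.168.1.%d" % i for i in range(2, 5)]):
        print(f"*> Host {ip}, {mac} **** Promiscuous mode detected")
```

The simulation models the card's filter and a stack that answers every ARP request reaching it. A stack that additionally checks the Ethernet destination before answering will not reply to the probe, so a clean scan shows that no host answered, not that no card is promiscuous.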


What is a Protocol Analyzer?

Protocol analyzers capture conversations between two or more systems or devices. A protocol analyzer not only captures the traffic, it also decodes (interprets) the traffic. Decoding allows you to view the conversation in English, as opposed to binary language. A sophisticated protocol analyzer will also provide statistics and trend information on the captured traffic. Protocol analyzers provide information about the traffic flow on your LAN, from which you can view device-specific information. Unlike SNMP-based management consoles, protocol analyzers are device independent.

How will a protocol analyzer be useful to me?
A protocol analyzer is the only tool that shows you exactly what is happening on your LAN. Once a problem is isolated and recorded, you can find which equipment or which system is the cause. For example, if your TCP/IP sessions are "hanging", a protocol analyzer can show which system sent the last packet, and which system failed to respond. If you are experiencing slow screen updates, a protocol analyzer can display delta time stamps and show which system is waiting for packets, and which system is slow to respond. In a Windows NT/2000 environment, a protocol analyzer can show runaway traffic (broadcast or multicast storms) and its origin, system errors and retries, and whether a station is sending, trying to send, or only seeming to communicate. You will get information that is otherwise unavailable, which results in more efficient troubleshooting and better LAN health.

Do I have to be a protocol expert to use a protocol analyzer?
Definitely not. While protocol analyzers can be used by network developers to view the exact contents of a network conversation, a modern protocol analyzer with a graphical user interface provides many other types of information beyond the bits and bytes of the actual protocols.
Being able to see which device or system failed to respond is usually enough information to pinpoint the problem and focus your attention on that piece of the puzzle. As you may have experienced, network troubleshooting can be full of hours of wasted time chasing a theory that turns out to be misdirected. If a protocol analyzer helps you save just one wild goose chase, it is money well spent. Protocol analyzers also provide many statistical and real time trend statistics that help for management justification of new hardware. What kind of information will a protocol analyzer provide to help troubleshoot or maintain the overall health of my LAN or switch? Protocol analyzers should provide three main sources of information about your LAN traffic. 1. Network Statistics about traffic flow, station health and network or station line errors. This information helps identify trends and general conditions that may signal an

2.

3.

unexpected network problem condition, or a load issue that is causing slowdowns. Additionally if you are considering adding a switch, the statistical traffic breakdown can show how best to implement the new switch. If you currently have a switch installed, statistical analysis can show if your switch is configured correctly and your ports are supporting a balanced load of LAN traffic. Packet Capture and Decode displays LAN traffic (packets) decoded into specific function and sub-function for LAN or protocol problem isolation. Being able to view the specific packet-by-packet conversion can show exactly what is happening during a system-to-system communication, both when things are functioning correctly and when things are not. Trending Information displays historical usage data over days, weeks, months or even years. This information provides a historical perspective on any new problem, and can show trends that may indicate a potential problem before it happens.

Examples of Network Statistics troubleshooting applications: Viewing frame errors can show if a LAN slowdown is because of excess CRC or alignment errors. Once the error rate is determined to be above normal, viewing errors by station will show which stations are sending the error packets, and let you focus your attention to the source of the problem. Protocol Statistics displays the percentage of your LAN bandwidth that a particular protocol is using. This helps determine efficient segmentation, and allows for problem isolation based on application or server type. Station Statistics shows the traffic generation by each station, server, bridge, router and the percent of the total bandwidth each station is using. With this information, you can determine who is using your bandwidth and what stations or devices are using more bandwidth than expected. For example, if one station is sending 40% of the total data sent this could indicate either a faulty network adapter (multiple retries) or simply a device that consumes more network bandwidth than expected. In either case, having a protocol analyzer allows you to take the appropriate action based on facts, not guesswork. Packet Capture and Decode allows you to capture traffic in real time and record and view the decoded information. Packet decodes show you conversations between workstation and host, between workstations or between hosts. This information helps in any problem situation by showing you exactly what is happening and when, and exactly which device is doing what. Some example problem situations where a protocol analyzer's information is indispensable: Host sessions are ``hanging" - packet capture and decode will show which system sent the last packet and which system failed to respond. This helps pinpoint which device - host or workstation - is causing the problem.

-24Problematic network printing - an analyzer answers the question: Did the station send the job or does it just look as though it was sent? Can't log in - Packet Capture can display login negotiations, retransmits and response times to determine where the problem is, and where to focus your attention. Do protocol analyzers use SNMP? Typically not. SNMP (Simple Network Management Protocol) products provide device specific information, where protocol analyzers obtain all their information by examining the traffic on the LAN. For example, an SNMP collection utility could not provide session delta time stamps for a Unix telnet session, nor can SNMP provide bandwidth utilization statistics directly. Example SNMP statistics would include how many packets came in or went out of a router, a print server's IP address, or a predefined trap generated by a network printer for "out of paper". SNMP products such as SNMPc or HP OpenView are a good complement to any protocol analyzer. Can an analyzer see all of the segments of my network (can a protocol analyzer work over a WAN)? No. Protocol analyzers can only view and collect traffic from the segment where the analyzer is located. To capture and analyse traffic from another segment (local multi-segment LAN or remote WAN), a distributed or multi-segment analyzer is required. Distributed analyzers offer similar functionality to a standard (non-distributed) analyzer, displaying multiple diagnostic windows, each representing a segment on your LAN - all from a single management station. Typically, distributed analyzers consist of a software based management station and ether software or hardware based probes allowing an administrator to "view" any segment that hosts a probe. Is a protocol analyzer useful in a switched environment? Yes. 
Using a protocol analyzer in a switched environment is common, and can provide both global port balancing information (using station statistics) and specific conversation troubleshooting information (using packet capture and decode). In most switched environments using an analyzer is as simple as placing the tool on a server to collect access and conversational data to and from that server. Placing the analyzer on a "downstream" hub can show if the hub's users are correctly placed to maximise the aggregate throughput of the switch. Most switches allow for port tapping to direct any port's traffic to the port where the protocol analyzer is installed.


Protocol analyzers make easy work of network management tasks


by Ron Nutter TechRepublic, March 2002

It used to be that protocol analyzers were expensive pieces of hardware, costing upwards of $20,000 and requiring specialized training to use. Things have changed quite a bit in just a few years. Some protocol analyzers are now available for free, and others can cost up to $1000, but they can all make the life of a network admin much easier. In this article, I'll explain how you can use various protocol analyzers on your network to perform such tasks as benchmarking, intrusion detection, and troubleshooting e-mail problems.

Know what's normal for your network

I have never used a protocol analyzer for a byte-level analysis to resolve a problem. Instead, I usually use one to benchmark my network. Once you know what is normal for your network, finding problems or exceptions to the benchmark becomes easier. Several years ago, I received a panicked phone call from a network administrator in a bank several hours away from the office where I worked. Their network was locking up every 10 to 15 minutes. I talked with the administrator for several minutes and had him make sure other possible causes such as a bad electrical ground, faulty network cable, or a broken network card weren't the source of the problem. After I arrived at the site, I ran the protocol analyzer for a few minutes. It was then that I noticed something strange: Each workstation on the network was requesting the current date and time from the Novell server 20 to 30 times per minute. In normal conditions, this should happen only when the workstations boot up. A little investigation found that a third-party utility was being loaded that was supposed to get the current date and time about two or three times per day. After removing this utility from the workstations, the problem disappeared. Had I not been using a protocol analyzer, my troubleshooting time would have been much longer.

Perform intrusion detection

Unfortunately, detecting intrusions is becoming more and more important as unwelcome visitors from the outside try to access and do damage to your network. This is where a protocol analyzer can be handy. First, look for services that shouldn't be running on a particular server, such as FTP. It's good practice to check for and disable such rogue services whenever new servers are added to your network and when service packs or updates are applied to existing servers. You should also watch for people trying to do things that they shouldn't be doing on your servers. For example, say you have a server that allows you to use the Secure Shell utility for remote administration. Upon analyzing the server, you find another user taking advantage of this open port (ssh, or port 22). This allows you to immediately track down their source address and block that address from accessing your network. Another way to find intrusions is to look at login accounts that have been disabled or should have been disabled to see if they are being used to access the network.

Check for virus activity

Several of the protocol analyzers (Etherpeek and Sniffer, for example) offer the ability to download filters, which allows you to view specific types of traffic on your network. So instead of having to sort through all the network traffic, you can download predefined filters to scan for virus activity such as Code Red and Nimda. I like to run these filters in what I call a global mode, which looks at all the packets crossing the wire regardless of source or destination. You can also create your own virus filters. The information you need is contained in the virus alerts put out by such companies as McAfee and Norton. Looking for a file attachment by name in a mail message or looking for a certain command on an HTTP header line are just a couple of ways you can take a more proactive stance toward virus protection.

Watch out for unauthorized programs

With the IP-based network and the Internet becoming commonplace, it's easier to find unauthorized programs on your network and stop their use. The proliferation of peer-to-peer file sharing applications such as BearShare and Napster has consumed network bandwidth that could be better used elsewhere. The best way to halt usage of such applications is to download the applications onto a test workstation and have a protocol analyzer watch for traffic going to and coming from the IP address of the test workstation. Once you've seen the traffic created, you can create filters that stop the apps' usage. Each analyzer has a different method for creating such filters, so you will want to take a look at your application's documentation for this step.

Check for WAN link usage

When you have more than one T1 connection to the Internet, knowing these links are working correctly is critical to the health of your network. If routing protocols such as OSPF and BGP4 are being used, it can be helpful to be able to see what the problem is when things go awry. Not all protocol analyzers can track all IP traffic patterns, so knowing what is required to monitor your T1 or similar link can help decide which analyzer will be best for you. One tool that has the ability to track patterns is the Sniffer Portable WAN tool. This high-end utility automatically finds and labels internetwork problems such as retransmissions, duplicate IP addresses, a high rate of physical cyclic redundancy check (CRC) errors, WAN overload, and frame relay congestion. Once an issue is detected, Sniffer recommends solutions to potential network problems.

Many enterprise-level analyzers require special PCMCIA cards with the appropriate type of connectors to sit in series with the V.35 or other type of connector that your laptop or workstation may use. For nonportable solutions, you may end up getting either an external pod-like interface or a special interface board to go into a conventional desktop form factor. This same process also applies to ATM and DS3 connections.

Check for e-mail problems

I use protocol analyzers to monitor e-mail problems much more than I would have thought. To do this, you must set up an analyzer with a filter that monitors the IP ports used by a mail server (typically port 25 for SMTP, 110 for POP3, and 143 for IMAP) to send and receive mail. Several good examples of how to do this can be found on the Packet-Level site. I've found the type of filter I described above to be useful in figuring out why a particular e-mail won't go through when the only error I get in the Exchange server logs is "communications error". I have made the modification to the filter that the site suggests, but this modification examines only e-mail to and from a particular mail server. However, this technique is still a big help because I don't have to go through an entire capture session to look for the mail traffic. (Entire capture sessions can be quite large, depending on the size of your network.)

Is your firewall working correctly?

Since firewalls protect your network from unwelcome visitors, knowing that they are working correctly is tantamount to the security of your network. Checking the firewall will involve using several different filters (these can be predefined filters, administrator-created filters, or downloaded filters, all with various functions), depending on the level of sophistication of the packet filtering being used. In general, you will have two sets of filters, one for outgoing traffic and one for incoming traffic. Leaving the incoming filter running 24/7 would be a good idea, because this filter will be a good indication that the firewall is working as expected and will provide a quick alert if the firewall fails for some reason and begins letting every packet through. For example, NetDoppler utilizes several features of the ICMP, IP, and DNS protocols to perform tasks and tests on remote hosts to check latency and throughput and to isolate problems. Also, PacketScrubber removes sensitive or confidential data from frames and packets within a trace file by changing the packet and frame payloads to null data.

Conclusion

The list presented here just scratches the surface of the possible uses of a protocol analyzer. Before you go out and buy the first one you see or something that a vendor recommends, try to obtain trial versions of a few, use them, and see which candidate best meets your needs. It's also a good idea to keep the analyzer you buy under some type of maintenance contract from the vendor to keep the decodes and the application up to date and problem-free.
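The station and protocol statistics described in the FAQ above, together with a mail-port filter of the kind Ron Nutter describes for SMTP/POP3/IMAP, computed directly over a libpcap capture. This is an added example, not code from the guide or from any analyzer mentioned; the capture, the MAC/IP addresses and the SMTP exchange are constructed inline, and only Ethernet/IPv4/TCP headers are decoded.

```python
"""Station and protocol statistics over a libpcap capture, plus a mail-port filter.
Added example: the capture is constructed in memory in the file format Ethereal and
tcpdump write, so it runs offline. Only Ethernet/IPv4/TCP headers are decoded."""
import struct
from collections import Counter, defaultdict

PCAP_MAGIC = 0xA1B2C3D4                      # libpcap, microsecond timestamps
LINKTYPE_ETHERNET, ETHERTYPE_IPV4, IPPROTO_TCP = 1, 0x0800, 6
PORT_NAMES = {22: "SSH", 25: "SMTP", 80: "HTTP", 110: "POP3", 143: "IMAP"}
MAIL_PORTS = {25, 110, 143}                  # the mail-server ports named in the text

def _mac(text): return bytes.fromhex(text.replace(":", ""))
def _ip(text): return bytes(int(octet) for octet in text.split("."))

def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload=b""):
    """Construct an Ethernet/IPv4/TCP frame (checksums left at zero; decoding ignores them)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64,
                       IPPROTO_TCP, 0, _ip(src_ip), _ip(dst_ip))
    return _mac(dst_mac) + _mac(src_mac) + struct.pack("!H", ETHERTYPE_IPV4) + ipv4 + tcp

def build_pcap(frames):
    """Serialise frames as a little-endian libpcap file: 24-byte global header, 16-byte records."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for seq, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_000_000 + seq, 0, len(frame), len(frame)) + frame
    return out

def iter_frames(pcap):
    """Yield the raw frames of a little-endian libpcap byte string."""
    if struct.unpack_from("<I", pcap, 0)[0] != PCAP_MAGIC:
        raise ValueError("not a little-endian libpcap file")
    pos = 24
    while pos + 16 <= len(pcap):
        incl_len = struct.unpack_from("<I", pcap, pos + 8)[0]
        yield pcap[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len

def decode(frame):
    """Addresses, ports and payload of an IPv4/TCP frame, or None for anything else."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None
    if frame[23] != IPPROTO_TCP:
        return None
    tcp = 14 + (frame[14] & 0x0F) * 4                   # Ethernet header + IHL in 32-bit words
    sport, dport = struct.unpack_from("!HH", frame, tcp)
    end = 14 + struct.unpack_from("!H", frame, 16)[0]   # IPv4 total length bounds the payload
    return {"src_mac": frame[6:12].hex(":"), "src_ip": ".".join(map(str, frame[26:30])),
            "dst_ip": ".".join(map(str, frame[30:34])), "sport": sport, "dport": dport,
            "payload": frame[tcp + (frame[tcp + 12] >> 4) * 4:end]}

def station_stats(pcap):
    """Bytes sent per source MAC and its share of all captured bytes."""
    sent = Counter()
    for frame in iter_frames(pcap):
        sent[frame[6:12].hex(":")] += len(frame)
    total = sum(sent.values())
    return {mac: (count, round(100.0 * count / total, 1)) for mac, count in sent.items()}

def heavy_talkers(pcap, threshold=40.0):
    """Stations above `threshold` percent of all bytes: a faulty adapter or a bandwidth hog."""
    return sorted(mac for mac, (_, pct) in station_stats(pcap).items() if pct > threshold)

def protocol_stats(pcap):
    """Share of bytes per application protocol, classified by the lower well-known port."""
    seen = Counter()
    for frame in iter_frames(pcap):
        pkt = decode(frame)
        key = "non-TCP" if pkt is None else PORT_NAMES.get(min(pkt["sport"], pkt["dport"]), "other")
        seen[key] += len(frame)
    total = sum(seen.values())
    return {name: round(100.0 * count / total, 1) for name, count in seen.items()}

def mail_conversations(pcap):
    """Port filter for SMTP/POP3/IMAP: each client's exchange, one line per non-empty segment."""
    flows = defaultdict(list)
    for frame in iter_frames(pcap):
        pkt = decode(frame)
        if pkt is None or not pkt["payload"] or not {pkt["sport"], pkt["dport"]} & MAIL_PORTS:
            continue
        to_server = pkt["dport"] in MAIL_PORTS
        client = (pkt["src_ip"], pkt["sport"]) if to_server else (pkt["dst_ip"], pkt["dport"])
        flows[client].append(("C> " if to_server else "S> ")
                             + pkt["payload"].decode("ascii", "replace").rstrip())
    return dict(flows)

# Constructed sample: station A floods an HTTP server, C talks SMTP to mail server M, B sends one SSH segment.
A_MAC, B_MAC, C_MAC, M_MAC = ("00:11:22:33:44:%02x" % n for n in (1, 2, 3, 25))
SAMPLE_PCAP = build_pcap([
    build_frame(A_MAC, B_MAC, "10.0.0.1", "10.0.0.2", 3456, 80, b"X" * 600),
    build_frame(A_MAC, B_MAC, "10.0.0.1", "10.0.0.2", 3456, 80, b"X" * 600),
    build_frame(C_MAC, M_MAC, "10.0.0.3", "10.0.0.25", 4000, 25),
    build_frame(M_MAC, C_MAC, "10.0.0.25", "10.0.0.3", 25, 4000, b"220 mail.example.test ESMTP\r\n"),
    build_frame(C_MAC, M_MAC, "10.0.0.3", "10.0.0.25", 4000, 25, b"HELO client.example.test\r\n"),
    build_frame(M_MAC, C_MAC, "10.0.0.25", "10.0.0.3", 25, 4000, b"250 Hello\r\n"),
    build_frame(B_MAC, A_MAC, "10.0.0.2", "10.0.0.1", 22, 5000, b"SSH-2.0-OpenSSH\r\n"),
])
```

Feeding a real Ethereal or tcpdump capture file's bytes to the same functions works as long as it was saved in little-endian libpcap format with Ethernet framing.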


SPAN (Switched Port Analyzer) configuration for Cisco switches


Unlike hubs, switches usually prevent promiscuous sniffing. In a switched network environment, a sniffer is limited to capturing broadcast and multicast packets plus the traffic sent or received by the PC on which the sniffer itself runs. However, most modern switches support SPAN, also called "port mirroring", a feature that copies the packets passing through one or more switch ports to a monitoring port, so that a sniffer connected there can capture the network traffic of the whole LAN. Here is a 3-step instruction on how to configure SPAN for a Cisco Catalyst 1900 Series Switch.

1. Log on to the web manager for your switch.

2. Click on the "SPAN" link at the top of the web page to open the "SPAN Configuration" page.

3. Select a monitoring port and add all the ports to be monitored. In this case, we set the port "Ethernet8" as the monitoring port, and the computer running the sniffer can be connected to it.


Wireless LAN analyzers


By Andy Dornan Network Magazine, March 2003
Protocol analyzers are usually regarded as testing and planning tools: You don't plug one in unless you actually have a network, or at least some cable, and often not until something goes wrong. In a Wireless LAN (WLAN), things are different. Its physical medium is the electromagnetic spectrum, which exists everywhere and respects few boundaries. Wi-Fi is now available at two different frequencies (IEEE 802.11b at 2.4GHz and IEEE 802.11a at 5GHz), and both can suffer interference from neighboring networks and other sources. The only way to know for sure which will work best in a particular environment is to perform a comprehensive site survey before buying a single access point.

Even if you have no intention of investing in Wi-Fi, knowing what's passing through your airwaves can still be useful. In addition to full-featured hardware and software analyzers, several vendors are pitching simpler, cheaper versions as security tools. These are designed to detect and track down rogue access points: WLAN base stations set up by employees without the IT department's knowledge. Almost all Wi-Fi hardware has its security features off by default, and the cheaper consumer-level models may not include any security at all, so these rogues can act as an open door into an otherwise well-protected network.

Protocol processing

You don't necessarily need a full-scale analyzer to track down rogue access points or test radio reception. A Wi-Fi-equipped laptop running Windows XP or Mac OS X can automatically log on to any open wireless network available. There are also several free programs that can help. The most popular is NetStumbler, which scans all Wi-Fi frequencies for unsecured networks and measures the signal-to-noise ratio and throughput of each one. It can even be linked to a GPS receiver and mapping software, which makes it popular among both war drivers (people who search cities for Wi-Fi access points that, intentionally or not, provide free Internet access) and IT departments trying to locate security holes in their own networks.

Some wireless NIC vendors have even added basic radio scanning functions to their driver software, attempting to differentiate themselves in what's becoming a commodity market. Despite the plethora of WLAN cards, most are based on circuitry and reference designs from just four chip makers: Intersil, Texas Instruments, and Agere for 802.11b; and Atheros for 802.11a. Proxim's dual-mode cards, for example, are supplied with software that runs under any 32-bit version of Windows. They can scan every available channel in both the 802.11a and 802.11b bands, and present the user with a visual display of signal strength and bandwidth.

Wi-Fi protocol analyzers go well beyond either NetStumbler or the NIC vendors' software, but in different ways. Some can decode higher-level protocols, including the entire TCP/IP stack and more. Others focus on the lower layers, detecting interference sources in the radio spectrum itself. Many concentrate on security alarms, while a few include planning and mapping tools. Some can generate reports aimed at even the least technical executive, or spreadsheets filled with hexadecimal characters. All promise to simplify the task of installing, supporting, and securing a wireless network.

Disappearing into the ether

Most protocol analyzers are software-based, designed to run on a standard Windows laptop. The wireless versions are no exception (see Table 1). This makes it easier to transfer data onto other software and lightens the load that nomadic troubleshooters have to cart around, assuming that they're carrying a laptop anyway. On the other hand, laptops aren't designed to be used at the same time as they're being carried. This isn't a problem with ordinary Ethernet, but Wi-Fi signals need to be measured literally everywhere that a user or attacker might be, not just at cable outlets. For people who think best on their feet, AirMagnet, Network Associates, and Wireless Valley Communications produce analyzer software for Windows CE 3 (Pocket PC) handhelds. The Windows CE versions usually have more limited capabilities than their laptop equivalents, but can share data with them. Pocket PCs are also restricted to 802.11b, as their relatively slow processors can't keep up with the high speeds of 802.11a.

The other problem with building an 802.11 protocol analyzer in a PC is that Windows doesn't really support the 802.11 protocols. Instead, it relies on driver software that converts 802.11 frames to regular Ethernet before they reach the PC. This is why, before the name Wi-Fi caught on, 802.11b was known as Wireless Ethernet: From the PC's perspective, it is Ethernet. While most applications might like Wi-Fi to seem like Ethernet, Wi-Fi protocol analyzers don't. To look inside 802.11 packets, they need specially re-written drivers, which can require help from the NIC vendor or chip maker. The similarities shared between NICs allow some software to support any card based on a particular chipset (usually Intersil's Prism II), but even here there are differences. Cisco's Aironet, for example, uses part of the Prism chipset, but replaces other parts with its own chip that handles the Lightweight Extensible Authentication Protocol (LEAP), Cisco's proprietary authentication mechanism. Aironet cards require different drivers than regular Prism-based cards, but these usually aren't hard to find since Cisco is such a popular brand.


Program | Vendor | Platforms | 802.11 Type | NIC Required | Wired Ethernet | Layers | Rogue AP Detection
AirMagnet Duo | AirMagnet, www.airmagnet.com | Win CE 3, 98, NT 4, 2000, XP | b and a | Supplied PC or CF+ Card | No | 2-4 | Yes
AiroPeek NX | WildPackets, www.wildpackets.com | Win 2000, XP | b or a | Intersil- or Atheros-based | Optional | 2-7 | Yes
Ethereal | None, www.ethereal.org | Linux 2.46, FreeBSD 4.6 | b | Intersil Prism II, Cisco Aironet | Yes | 2-7 | No
LANFielder | Wireless Valley Communications, www.wirelessvalley.com | Win CE 3, 98, NT 4, 2000, XP | b, a or FH | Cisco Aironet | Yes | 2,3 | No
LinkFerret | Baseband Technologies, www.baseband.com | Win 98, NT 4, 2000, XP | b | Cisco Aironet 340/350 | Yes | 2-7 | No
Observer | Network Instruments, www.networkinstruments.com | Win 98, NT 4, 2000, XP | b or a | Cisco Aironet, Proxim Skyline | Yes | 2-7 | Yes
Sniffer Wireless | Network Associates, www.sniffer.com | Win CE 3, 98, NT 4, 2000, XP | b or a | Proxim, Cisco, Symbol, Agere | Optional | 2-7 | Yes
Packetyzer | Network Chemistry, www.networkchemistry.com | Win 95, 98, NT 4, 2000, XP | b | WSP100 Access Point | No | 2,3 | No
Wireless Scanner | Internet Security Systems (ISS), www.iss.net | Win 2000, XP | b | Orinoco Gold, Compaq WL 10 | No | 2,3 | Yes

Table 1. Software-based Wi-Fi protocol analyzers. At least nine different programs promise to turn a laptop or PDA into an 802.11 protocol analyzer.

Smarter cards

Though NICs are relatively cheap in terms of cost, they occupy valuable space inside a laptop. Most analyzers require one in a PC card and won't work with the Wi-Fi networking now built into many high-end laptops. The exception is AiroPeek from WildPackets, which supports Intel MiniPCI interfaces. Unfortunately, this support is so far limited to 802.11a, which is still rare to find built-in. Even Intel's own Banias chipset, which aims to include dual-band Wi-Fi in all PCs, will at first only include 802.11b.

The need to re-write drivers also means that analyzers lag behind other Wi-Fi equipment. The cheaper software (Wireless Scanner from Internet Security Systems (ISS) and LinkFerret from Baseband Technologies) doesn't yet support 802.11a. The problem is even greater for Ethereal, the popular free protocol analyzer. Although Ethereal itself works with many different systems, including virtually all versions of Windows and Unix, raw 802.11b packet capture is only supported under Linux and FreeBSD. To monitor 802.11b, users of Ethereal for Windows need Packetyzer. This open-source program runs alongside Ethereal and connects (via ordinary Ethernet and USB) to Network Chemistry's WSP100, a specially-adapted access point. Separating the radio from the PC like this enables Wi-Fi analysis from a desktop computer, but makes a laptop-based system even more cumbersome to carry around.

AirMagnet supplies its own card along with its software, which ensures that there are no driver issues. It also acts as a copy prevention mechanism, because each installation of the software is hard-coded to a specific card's MAC address, so just like the "dongles" that used to be supplied with high-end applications, you need to be careful not to lose the card. The AirMagnet NICs are all standard components, usually a Cisco 802.11b PC card, which will work with either a desktop or a handheld. (AirMagnet even sells a "combo" package, including both types of software but just one card.) As an alternative, its handheld software is available with a Proxim CF+ card, which can fit into smaller devices. Compaq's iPAQ, the most popular Windows CE handheld and the one recommended by both AirMagnet and Network Associates, supports CF+ cards natively, but requires an expansion cradle to hold a full-size PC card. More interestingly, the AirMagnet laptop software is available in a "Duo" version, supplied with a dual-mode NetGear PC card. This can scan all available channels of 802.11a and 802.11b simultaneously, letting network managers compare the performance of the two variants directly or track down both types of rogue access point in a single sweep. Observer from Network Instruments, Sniffer Wireless from Network Associates, and AiroPeek can also analyze 802.11a, while LANFielder from Wireless Valley Communications can even understand the older Frequency-Hopping (FH) variant of 802.11. (Though FH is much slower than Wi-Fi and has the

same security problems, it's enjoying a resurgence thanks to a longer range.) None of these support dual-mode cards, so simultaneous analysis requires a laptop with at least two spare PC card slots.

Hard unwired

Instead of worrying about cards and drivers, some vendors have designed hardware-based analyzers (see Table 2). Unlike laptops, these are designed to be used while walking around, and some can also run other Windows applications.

Device | Vendor | Form Factor | OS | Wired Ethernet | Rogue AP Detection | Layers
Handheld Pak | AirMagnet, www.airmagnet.com | iPAQ | Win CE | No | Yes | 2-4
Locust | Berkeley Varitronics Systems (BVS), www.bvsystems.com | Handheld | Own | No | Yes | 1,2
OptiView Wireless | Fluke Networks, www.flukenetworks.com | Tablet PC | Win 98 | Yes | Yes | 2-7
WaveRunner | Fluke Networks, www.flukenetworks.com | iPAQ | Linux | No | Yes | 2-4
YellowJacket | Berkeley Varitronics Systems (BVS), www.bvsystems.com | iPAQ | Win CE | No | Yes | 1,2

Table 2. Hardware-based 802.11b analyzers. Five devices can scan and troubleshoot 802.11b networks.

Three devices are built around iPAQs, with varying degrees of customization: AirMagnet's Handheld Pak, Fluke's WaveRunner, and Berkeley Varitronics Systems' (BVS) YellowJacket. The least-changed is Handheld Pak, which is simply AirMagnet's Windows CE software and 802.11b PC card bundled together and pre-installed in an iPAQ with an expansion sled. It's also available with an external antenna, which increases its range. Though users are unlikely to have external antennas, war drivers sometimes do, and they're useful when tracking down rogue access points or interference sources.

Fluke's WaveRunner looks almost the same as the AirMagnet Pak, until it's switched on. In addition to supplying its own PC card, Fluke has replaced the usual Windows CE with Linux, which allows a greater degree of customization: Whereas Windows CE includes many applications, the WaveRunner devotes its entire processing capacity to Wi-Fi decoding. This makes the WaveRunner faster than the Pak, but not as versatile: You can't use it to store your contact lists, edit spreadsheets, or load other Linux applications. Neither can you download the source code to build your own: Though Fluke has improved some Linux components and contributed them back to the open-source community (at www.handhelds.org), the actual protocol analysis is carried out by Fluke's own proprietary, closed-source application.

The YellowJacket adds the most to the iPAQ. Although it still runs Windows CE, it doesn't use a regular PC or CF+ card. The iPAQ sits inside BVS's own cradle, which includes specialized spectrum analyzer circuitry and an optional directional antenna and GPS receiver. A spectrum analyzer allows the YellowJacket to go beyond protocol decoding, displaying every radio signal within the 802.11b frequency band.
It's a purely passive device, though: Unlike the other products, it can't transmit test packets or connect to a network. BVS's other tool, Locust, is essentially a YellowJacket without the iPAQ, using a push-button keyboard and monochrome display for its user interface. BVS makes similar devices for monitoring FH-based 802.11 (the Cricket) and Bluetooth (the Mantis). Although these standards all use the same frequencies as 802.11b, the devices are separate, so network managers will need to buy different models to monitor different kinds of 2.4GHz networks.

Fluke's OptiView is the largest and most sophisticated hardware analyzer, built around what Microsoft is now pitching as the Tablet PC, a full-featured, laptop-sized PC with a touch-sensitive screen rather than a keyboard. The OptiView actually predates the Tablet PC concept (Network Magazine gave it an award for the best troubleshooting tool released in 2000), but Fluke has kept it up to date by adding several new options, of which Wi-Fi is the most recent. Networkers who already use OptiView for Ethernet or Gigabit Ethernet can upgrade to Wi-Fi by installing a Fluke 802.11b card. So far, none of the hardware-based analyzers support 802.11a, though both Fluke and BVS plan to do so in the future. Fluke will add a new option for the OptiView, and BVS will offer a separate device that scans the 5GHz frequencies.

Analog analysis

By definition, Wi-Fi protocol analyzers must be able to decode the 802.11 protocols at the MAC layer. They must also be able to understand IP and filter packets by address. Where they differ is in their support for higher-level protocols and how much of the 802.11 specification they include. The most comprehensive support for higher-level protocols is found in Wi-Fi analyzers that were originally designed for wired Ethernet.
Observer, LinkFerret, Ethereal, and OptiView all include Ethernet as standard, while AiroPeek and Sniffer Wireless offer it as a separate program (EtherPeek and regular Sniffer, respectively). In all cases, the wired version came first, so the vendors (and the open-source community, in Ethereal's case) had time to add support for the entire TCP/IP stack, as well as IPX and more exotic protocols. Although AirMagnet doesn't make wired analyzers, it recognizes that WLANs don't exist in isolation and has made its software able to share data with Sniffer and Ethereal.

Several analyzers can also share data with mapping software to plot access point locations. The most advanced is SitePlanner, an application supplied with LANFielder that displays 3D coverage maps. BVS also supplies its own mapping software, BirdsEye, and can export geographic data to Excel. AiroPeek and OptiView can draw network diagrams automatically, showing logical or physical connections by IP or MAC address. AirMagnet and NetStumbler support Microsoft MapPoint.

BVS's devices eschew higher-level protocols, looking down into the radio layer instead. Thanks to their spectrum analyzers, both the YellowJacket and the Locust can track down interference sources that aren't the result of other Wi-Fi networks. For 802.11b, these include microwave ovens, Bluetooth devices, and older FH-based networks. Interference is much rarer in 802.11a networks because much of the 5GHz band is reserved for communications, but it can still occur: A few cordless phones and outdoor wireless last-mile systems already use the 5GHz band, and others are sure to follow.

AiroPeek and AirMagnet both include many security alarms, notifying network administrators of potential intruders. Other analyzers are intended purely as security tools. For example, Fluke's WaveRunner device doesn't display detailed protocol decodes, instead concentrating on signal strength, encryption use, and other information needed to detect security vulnerabilities or optimize wireless coverage. ISS's Wireless Scanner software takes this approach a step further: It produces detailed reports in plain English that recommend actions such as disabling DHCP, or blocking the MAC address of a suspicious client. This kind of automated monitoring can be useful, but don't rely on it exclusively.
The 802.11 specification is constantly evolving, with the most rapid changes occurring in the security field. Protocol analyzers can't always keep up. WEP behind the ears All Wi-Fi analyzers can tell whether an access point or client is using Wired Equivalent Privacy (WEP), 802.11's notoriously poor encryption mechanism, and most can detect a potential rogue access point or client. The WaveRunner and YellowJacket even have audible proximity indicators, which emit a Geiger counter-like sound when they close in on one. However, none of the devices support all of the latest security features proposed by the IEEE. The vendor that comes closest is AirMagnet. In addition to WEP and Cisco's LEAP, its software can determine whether a network is using Temporal Key Integrity Protocol (TKIP) or 802.1x, key exchange and authentication features aimed at making WEP less insecure. It cannot process wire-speed Rjindael (AES), the proposed replacement for WEP that's already been built into some cards and access points. The growing penetration of 802.11a will cause further security headaches, as will the third Wi-Fi variant, IEEE 802.11g. Though the standard hasn't yet been ratified, 802.11g cards and access points are already shipping. Because 802.11g is designed to be backward-compatible with 802.11b, it uses the same frequencies as 802.11b and, if an 802.11b node is present, transmits some signaling information in 802.11b format. An 802.11b analyzer should be able to detect the existence of an 802.11g network, even if it can't decipher the data being transmitted. Connecting an 802.11b analyzer to a pure 802.11g network could also slow the whole network down, since it would need to transmit the signaling information at a lower speed. Most rogue access points are currently based on 802.11b, simply because it's cheaper. 
But this situation isn't likely to last: Both 802.11a and 802.11g offer much higher data rates and are often touted for consumer applications, so they'll soon be available in every chain store. A full security sweep should include these newer variants in addition to 802.11b. But even the most thorough device is no substitute for educating employees on the risks of an insecure wireless network. Resources In addition to the NetStumbler program for Windows laptops, www.netstumbler.com has lots of news and information about free wireless access and Wi-Fi security, and links to similar software for Linux and Windows CE. To decipher the more detailed output of a wireless analyzer, download the 802.11 specs from standards.ieee.org/getieee802/. 802.11: The Definitive Guide (O'Reilly, 2001), by Matthew Gast, has a clear description of the 802.11 protocols and, more importantly, step-by-step instructions on setting up and using the free Ethereal software for 802.11 analysis. For a detailed description of Fluke's OptiView, see Product Spotlight of the January 2001 issue of Network Magazine. For a lab test of the wireless versions of the three major software-based protocol analyzers (Sniffer, Observer, and AiroPeek), see Network Computing, May 27th, 2002, page 65. For more on the dangers of open access points and ways to close them, see three previous Network Magazine articles: "Road Blocks for War Drivers," December 2002; Tutorial Lesson 167, June 2002; and Network Defense, December 2001.
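How an analyzer arrives at the "WEP or not" verdict described above can be shown with a short beacon parser. This is an added example for this practice guide, not code from the article or from any of the products it reviews. It assumes raw 802.11 management frames as input (a real capture would carry a radiotap or Prism header in front, which this code does not strip), reads the Privacy bit of the beacon's capability field and looks for an RSN (802.11i) or WPA vendor element to label each access point, and compares BSSIDs against an assumed list of sanctioned access points to mark candidates for a rogue check. The frames, MAC addresses and SSIDs are constructed sample values.

```python
"""Classify access points from 802.11 beacon frames (constructed sample frames)."""
import struct

FC_BEACON = b"\x80\x00"               # frame control: management frame, subtype Beacon
CAP_PRIVACY = 0x0010                  # capability bit 4 (Privacy): WEP, WPA or RSN in use
IE_SSID, IE_RSN, IE_VENDOR = 0, 48, 221
WPA_OUI_TYPE = b"\x00\x50\xf2\x01"    # vendor-specific element prefix used by WPA (pre-802.11i)
RSN_CIPHERS = {2: "TKIP", 4: "CCMP"}  # cipher suite selector byte after the 00-0F-AC OUI


def build_beacon(bssid, ssid, privacy, extra_ies=b""):
    """Assemble a minimal beacon frame (constructed sample, not a real capture)."""
    header = FC_BEACON + b"\x00\x00" + b"\xff" * 6 + bssid + bssid + b"\x00\x00"
    capability = 0x0001 | (CAP_PRIVACY if privacy else 0)   # ESS bit plus optional Privacy bit
    body = struct.pack("<QHH", 0, 100, capability)           # timestamp, beacon interval, capability
    body += bytes([IE_SSID, len(ssid)]) + ssid.encode()
    return header + body + extra_ies


def rsn_ie(group_cipher=4):
    """RSN information element advertising 802.11i: CCMP pairwise cipher, 802.1X key management."""
    body = struct.pack("<H", 1) + b"\x00\x0f\xac" + bytes([group_cipher])
    body += struct.pack("<H", 1) + b"\x00\x0f\xac\x04"   # one pairwise cipher suite: CCMP
    body += struct.pack("<H", 1) + b"\x00\x0f\xac\x01"   # one AKM suite: 802.1X
    return bytes([IE_RSN, len(body)]) + body


def parse_ies(data):
    """Split the tagged parameters (tag, length, value) that follow the fixed fields."""
    ies, i = [], 0
    while i + 2 <= len(data):
        tag, length = data[i], data[i + 1]
        ies.append((tag, data[i + 2:i + 2 + length]))
        i += 2 + length
    return ies


def classify_beacon(frame):
    """Return (bssid, ssid, security) for a beacon frame, or None for any other frame."""
    if len(frame) < 36 or frame[:2] != FC_BEACON:
        return None
    bssid = ":".join(f"{b:02x}" for b in frame[16:22])       # address 3 of a beacon is the BSSID
    _ts, _interval, capability = struct.unpack_from("<QHH", frame, 24)
    ies = parse_ies(frame[36:])
    ssid = next((v.decode(errors="replace") for t, v in ies if t == IE_SSID), "<hidden>")
    rsn = next((v for t, v in ies if t == IE_RSN), None)
    has_wpa = any(t == IE_VENDOR and v[:4] == WPA_OUI_TYPE for t, v in ies)
    if not capability & CAP_PRIVACY:
        security = "open"
    elif rsn is not None:
        cipher = RSN_CIPHERS.get(rsn[5], "unknown") if len(rsn) > 5 else "unknown"
        security = f"802.11i/RSN ({cipher})"
    elif has_wpa:
        security = "WPA"
    else:
        security = "WEP"            # Privacy bit set but no WPA/RSN element: legacy WEP only
    return bssid, ssid, security


def audit(frames, authorized_bssids):
    """Flag access points that are unknown (possible rogue) or weakly protected (open/WEP)."""
    findings = []
    for frame in frames:
        parsed = classify_beacon(frame)
        if parsed is None:
            continue
        bssid, ssid, security = parsed
        flags = []
        if bssid not in authorized_bssids:
            flags.append("rogue?")
        if security in ("open", "WEP"):
            flags.append("weak")
        findings.append((bssid, ssid, security, flags))
    return findings


# Constructed sample: two sanctioned APs and one unknown open AP (hypothetical addresses/SSIDs)
AUTHORIZED = {"00:11:22:33:44:01", "00:11:22:33:44:02"}
SAMPLE_FRAMES = [
    build_beacon(bytes.fromhex("001122334401"), "corp-wlan", True, rsn_ie()),
    build_beacon(bytes.fromhex("001122334402"), "corp-legacy", True),
    build_beacon(bytes.fromhex("aabbccddeeff"), "linksys", False),
]

if __name__ == "__main__":
    for bssid, ssid, security, flags in audit(SAMPLE_FRAMES, AUTHORIZED):
        print(f"{bssid}  {ssid:<12} {security:<20} {' '.join(flags)}")
```

The Privacy bit alone cannot separate WEP from TKIP or AES; the element check is what draws the distinction AirMagnet is credited with above. A BSSID missing from the sanctioned list is only a candidate for follow-up (a neighbour's access point looks the same on the air), which is why the flag carries a question mark.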


Understanding how 10/100Base-T Ethernet operates


By Mike Mullins CCNA, MCP TechRepublic, October 2001

Since the late 1990s, 10/100Base-T Ethernet (also known as IEEE 802.3 and CSMA/CD) has become the de facto standard for local area networks. We're going to look at the elements involved in using Ethernet in a 10/100Base-T network, including the components of a frame, how Ethernet technology functions, and where this suite of technologies fits into the OSI reference model.

Ethernet frames are the building blocks

The core of the Ethernet system is the Ethernet frame, which is used to deliver data between Ethernet network adapters. The frame (Figure A) consists of a set of bits organized into several fields. These fields include address fields, a variable-size data field that carries from 46 to 1,500 bytes of data, and an error-checking field that checks the integrity of the bits in the frame to make sure that the frame has arrived intact.

Figure A

Here is a closer look at the components of an Ethernet frame:
- Preamble: These 56 bits of alternating 1 and 0 values are used for synchronization. They give components in the network time to detect the presence of a signal and read the signal before the frame data arrives.
- Start frame delimiter: These 8 bits have the bit configuration 10101011, indicating the start of the frame.
- Destination and source MAC addresses: These addresses have 48 bits each to identify the frame's destination and source. The addresses used are the MAC addresses of the network adapters. A destination address may specify either an individual address destined for a single network adapter or a multicast address destined for a group of network adapters, as in the case of a broadcast.
- Length/Type: These 16 bits indicate the number of bytes in the Data field.
- Data: These are the 46 to 1,500 bytes that represent the data transferred from the source to the destination.
- Frame check sequence (FCS): A 4-byte cyclical redundancy check (CRC) value is used for error checking. This value is recalculated at the destination network adapter. If the value is different from what is transmitted, the receiving network adapter assumes that an error has occurred during transmission and discards the frame.

As each Ethernet frame is sent onto the shared medium, all Ethernet network adapters look at the first 48-bit field of the frame, which contains the destination address. The network adapters then compare the destination address of the frame with their address. The network adapter with the same address as the destination address in the frame will read in the entire frame and deliver it to the networking software running on that computer. All other network interfaces will stop reading the frame when they discover that the destination address does not match their own address.

An Ethernet LAN can simultaneously carry several different kinds of software protocol data. A single Ethernet can carry data between computers in the form of TCP/IP protocols, as well as Novell IPX or AppleTalk protocols. The Ethernet is simply a transport system that carries frames of data between computers; it doesn't care what's inside the frames.

The nuts and bolts of the Ethernet

The Ethernet consists of the following elements:

Physical media

The first requirement for the Ethernet to operate is the existence of the actual wires and devices used to carry Ethernet signals between devices. I covered this in my article "Deploying and managing 10/100baseT Ethernet hardware."
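To make the frame layout listed above and the adapter's two checks (recalculating the CRC, then comparing the destination address) concrete, here is an added example in Python; it is not part of the article. It builds the fields from the destination address onward (the preamble and start frame delimiter are generated by the adapter hardware and never reach software), appends a CRC-32 FCS, parses a received frame back into its fields, and applies the accept-or-discard decision. The MAC addresses and payload are constructed values, and the `promiscuous` flag models the sniffer behaviour this practice guide relies on.

```python
"""Build and parse an Ethernet frame, verify its FCS and apply the adapter's address filter."""
import struct
import zlib

MIN_PAYLOAD, MAX_PAYLOAD = 46, 1500          # data field limits given in the article
MIN_FRAME = 64                               # 14-byte header + 46-byte data + 4-byte FCS
BROADCAST = b"\xff" * 6


def mac_str(raw):
    """Render six raw bytes as a colon-separated MAC address."""
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(dst, src, length_type, payload):
    """Assemble dst | src | length/type | data | FCS (preamble and SFD are added by the PHY)."""
    if not MIN_PAYLOAD <= len(payload) <= MAX_PAYLOAD:
        raise ValueError("data field must be 46..1500 bytes; pad short data")
    body = dst + src + struct.pack("!H", length_type) + payload
    fcs = struct.pack("<I", zlib.crc32(body))   # CRC-32 over dst..data, least significant byte first
    return body + fcs


def parse_frame(frame):
    """Split a received frame into its fields and recompute the CRC as the adapter does."""
    if len(frame) < MIN_FRAME:
        raise ValueError("runt frame: shorter than 64 bytes including FCS")
    (length_type,) = struct.unpack("!H", frame[12:14])
    (received_fcs,) = struct.unpack("<I", frame[-4:])
    return {
        "dst": mac_str(frame[:6]),
        "src": mac_str(frame[6:12]),
        "length_type": length_type,
        "data": frame[14:-4],
        "fcs_ok": zlib.crc32(frame[:-4]) == received_fcs,
    }


def adapter_accepts(frame, own_mac, promiscuous=False):
    """Decide, as a NIC would, whether to hand the frame up to the networking software."""
    if not parse_frame(frame)["fcs_ok"]:
        return False                        # CRC mismatch: the frame is silently discarded
    if promiscuous:
        return True                         # sniffer mode: every frame is read in
    dst = frame[:6]
    is_group = bool(dst[0] & 0x01)          # I/G bit set: multicast or broadcast address
    return dst == own_mac or is_group


# Constructed sample frames (hypothetical MAC addresses and payload)
OWN_MAC = bytes.fromhex("001122334455")
PEER_MAC = bytes.fromhex("00aabbccddee")
SAMPLE = build_frame(OWN_MAC, PEER_MAC, 0x0800,
                     b"constructed IPv4 payload".ljust(MIN_PAYLOAD, b"\x00"))
BROADCAST_FRAME = build_frame(BROADCAST, PEER_MAC, 0x0806, b"\x00" * MIN_PAYLOAD)
# The same frame with one payload bit flipped "on the wire": the CRC no longer matches
CORRUPTED = SAMPLE[:20] + bytes([SAMPLE[20] ^ 0x01]) + SAMPLE[21:]

if __name__ == "__main__":
    for name, frame in [("good", SAMPLE), ("corrupted", CORRUPTED)]:
        fields = parse_frame(frame)
        print(name, fields["src"], "->", fields["dst"], "type 0x%04x" % fields["length_type"],
              "fcs_ok:", fields["fcs_ok"], "accepted:", adapter_accepts(frame, OWN_MAC))
```

The FCS is computed with zlib's CRC-32, which uses the same polynomial as Ethernet; the comparison `zlib.crc32(frame[:-4]) == received_fcs` is what a capture tool performs when it reports a bad FCS. Most adapters drop CRC-failed frames before a sniffer ever sees them, so a capture with no CRC errors does not by itself prove the cabling is clean; the adapter's own error counters are the place to look.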

Media Access Control rules

Media Access Control rules are embedded in each Ethernet network interface card (network adapter). They allow multiple computers to reasonably decide who gets access to the shared Ethernet medium and when they get that access. The Media Access Control rules are based on a system called carrier sense multiple access with collision detection (CSMA/CD). Only one network adapter can talk at a time on a shared wire. To send data, a network adapter first listens (carrier sense) to the wire.

Carrier sense

The IEEE 802.3 specification states that before a station can attempt to transmit on the wire, it must wait until it has heard 9.6 microseconds (millionths of a second) of silence. This 9.6-microsecond interframe gap allows the network adapter that last transmitted to cycle its circuitry from transmit mode to receive mode. Without the interframe gap, a network adapter could miss a frame that was destined for it because it had not yet cycled back into receive mode. This standard is based on 1970s technology, and most network adapters in today's market are capable of switching from transmit to receive in much less time than 9.6 microseconds. Some adapter manufacturers have designed their cards with a smaller interframe gap cycle and advertise higher data transfer rates than their competitors. This is another reason to be consistent with the network adapters you use.

Multiple access

After each frame transmission, all network adapters on the network will wait 9.6 microseconds and compete equally for the next frame transmission opportunity. This ensures that access to the network media is fair and that no single station can lock out the other stations. After the interframe gap, if two network adapters start transmitting at the same instant, they detect each other's presence (collision detection) and stop transmitting.

Collision detection

Ethernet frames are a series of voltage pulses on a wire and take a specific amount of time to travel from one end of an Ethernet system to the other. The first bits of a transmitted frame do not reach all parts of the network simultaneously. Therefore, it's possible for two network adapters to sense that the network is idle and to start transmitting their frames simultaneously. When this happens, the Ethernet system has a way to sense the collision of signals and to stop the transmission and resend the frames. The network adapters are notified of this event and instantly reschedule their transmission using a specially designed backoff algorithm. As part of this algorithm, the network adapters involved choose a random time interval to schedule the retransmission of the frame, which keeps the network adapters from constantly colliding during retransmission. Collisions on an Ethernet network are normal and indicate that the CSMA/CD protocol is functioning properly. As more computers are added to a given Ethernet network, the traffic level will increase and more collisions will occur as part of the normal operations. The design of the system ensures that the majority of collisions on an Ethernet will be resolved in microseconds. On a network with heavy traffic, there might be multiple collisions for a given frame transmission attempt. This is also normal behavior. If repeated collisions occur for a given transmission attempt, the stations involved begin expanding the set of potential backoff times from which they choose their random retransmission time. Repeated collisions for a given packet transmission attempt indicate a busy network. The expanding backoff process, formally known as the truncated binary exponential backoff, is a feature of the Ethernet MAC that provides an automatic method for network adapters to adjust to traffic conditions on the network. Only after 16 consecutive collisions for a given transmission attempt will the network adapter finally discard the Ethernet packet. This can happen only if the Ethernet is overloaded for a long period of time or is broken. If a network is experiencing an excessive number of collisions, an Ethernet switch can be used to segment the collision domains.

Delivering the data

Ethernet systems operate as a best-effort data delivery system. No guarantee of reliable data delivery is made. The Ethernet is engineered to produce a system that normally delivers data extremely well. However, errors still occur. For instance, electrical noise may occur somewhere in a cabling system, corrupting the data in a frame and causing it to be dropped. No LAN system is perfect, which is why higher protocol layers of network software are designed to recover from errors. It is up to the high-level protocol sending data over the network to make sure that the data is correctly received at the destination. These protocols do this by establishing a reliable data transport service using sequence numbers and acknowledgment mechanisms in the packets that they send over the LAN.
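The expanding-window behaviour described under "Collision detection" can be simulated in a few lines of Python. This is an added example, not the article's own material; the 9.6-microsecond gap and the 16-attempt limit are taken from the text, while the slot time of 51.2 microseconds (512 bit times at 10 Mbps) and the cap that stops the window growing after the tenth collision come from IEEE 802.3 rather than from the article. The `collides` callback stands in for the shared medium and is constructed for the two scenarios shown.

```python
"""Simulate CSMA/CD retransmission with truncated binary exponential backoff."""
import random

INTERFRAME_GAP_US = 9.6    # the 9.6-microsecond gap from the article (96 bit times at 10 Mbps)
SLOT_TIME_US = 51.2        # IEEE 802.3 slot time: 512 bit times at 10 Mbps
MAX_ATTEMPTS = 16          # the frame is discarded after 16 consecutive collisions
BACKOFF_CAP = 10           # "truncated": the window stops doubling after the 10th collision


def backoff_window(collisions):
    """Range of slot counts a station picks from after its n-th consecutive collision."""
    if not 1 <= collisions <= MAX_ATTEMPTS:
        raise ValueError("collision count must be 1..16")
    return 0, 2 ** min(collisions, BACKOFF_CAP) - 1


def backoff_slots(collisions, rng=random):
    """Random number of slot times to wait before the next attempt."""
    low, high = backoff_window(collisions)
    return rng.randint(low, high)


def transmit(collides, rng=random):
    """Send one frame; `collides(attempt)` reports whether attempt number n collided.

    Returns (delivered, attempts_used, total_wait_us)."""
    wait_us = 0.0
    for attempt in range(1, MAX_ATTEMPTS + 1):
        wait_us += INTERFRAME_GAP_US                # carrier sense: wait out the gap first
        if not collides(attempt):
            return True, attempt, wait_us
        # attempt n collided, so this is the n-th consecutive collision: back off
        wait_us += backoff_slots(attempt, rng) * SLOT_TIME_US
    return False, MAX_ATTEMPTS, wait_us             # excessive collisions: frame dropped


def busy_segment(rng=random, collisions_before_success=2):
    """Scenario (constructed): a busy but healthy segment where the first N attempts collide."""
    return transmit(lambda n: n <= collisions_before_success, rng)


def dead_segment(rng=random):
    """Scenario (constructed): every attempt collides, as with a jabbering NIC or broken cable."""
    return transmit(lambda n: True, rng)


if __name__ == "__main__":
    rng = random.Random(2006)
    for n in (1, 2, 3, 10, 15):
        print(f"after collision {n:2d}: wait 0..{backoff_window(n)[1]} slots")
    print("busy segment:", busy_segment(rng))
    print("dead segment:", dead_segment(rng))
```

`dead_segment()` exercises the 16-attempt give-up described above. Switch and adapter counters report that path as "excessive collisions"; a count that climbs on a single port while the rest of the segment is quiet points at a cable or adapter fault rather than at load, which is the distinction the article draws between a busy and a broken Ethernet.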


Deploying and managing 10/100BaseT Ethernet hardware


By Mike Mullins CCNA, MCP TechRepublic, October 2001

Since the late 1990s, 10/100baseT Ethernet has become the de facto standard for local area networks. Here's a look at the hardware components involved in using Ethernet in a 10/100baseT network, including cable pinouts and specs, network cards, hubs, and switches.

Some background on Ethernet

So you want to build an Ethernet LAN? Or maybe you're wondering exactly what Ethernet is. Well, Ethernet (the name commonly used for IEEE 802.3 CSMA/CD, carrier sense multiple access with collision detection) is the dominant cabling and low-level data delivery technology used in local area networks (LANs). First developed in the 1970s, it was published as an open standard by DEC, Intel, and Xerox (or DIX) and later described as a formal standard by the IEEE. Following are some Ethernet features:
- Ethernet transmits data at up to 10 million bits per second (10 Mbps). Fast Ethernet supports up to 100 Mbps. Gigabit Ethernet supports up to 1,000 Mbps (but that's another story).
- Currently, 10BaseT and 100BaseT (Fast Ethernet) Ethernets are the most common, and both can be built with twisted-pair cabling.
- Data is transmitted over the network in discrete packets (frames), which are between 64 and 1,518 bytes in length (46 to 1,500 bytes of data, plus a mandatory 18 bytes of header and cyclical redundancy code [CRC] information).
- Each device on an Ethernet operates independently and equally, precluding the need for a central controlling device.
- Ethernet supports a wide array of data types, including TCP/IP, AppleTalk, IPX, etc.
- To prevent the loss of data, when two or more devices attempt to send packets at the same time, Ethernet detects collisions. All devices immediately stop transmitting and wait a randomly determined period of time before they attempt to transmit again.

Phase 1: Preplanning

The first decision is a technology and cost decision. Will your network be 10BaseT or 100BaseT? Can you afford 100 Mbps from POP (Point of Presence, your connection to the outside world) to client, or do you just need the higher bandwidth on your backbone? The following is a comparison of the two technologies.

Standard Ethernet (10BaseT)

Standard Ethernet (10BaseT) uses RJ-45 connectors on Unshielded Twisted Pair (UTP) or Shielded Twisted Pair (STP, also called Plenum) cable and operates at 10 Mbps. Using a star topology, all computers connect to a hub/switch using patch cables with RJ-45 male connectors on both ends. These hubs can be linked to increase the number of ports available for patch cables; however, no more than three hubs should be linked together. Sometimes these hubs/switches have "uplink" ports that allow them to be connected to each other using special cables that blend two hubs into one without daisy chaining. Both clients and hubs have RJ-45 female connections. Ideally, Category 5 patch cables should be used in 10BaseT (so that you can upgrade to 100BaseT without recabling).

Specifications: 10BaseT networks are wired (within the plugs and ports) according to EIA/TIA 568B specifications. Maximum cable length is 100 meters. Maximum number of devices is 1,024, although performance would be unacceptable long before this number is reached.

Fast Ethernet (also called 100BaseT)

This technology is essentially the same as 10BaseT in terms of specifications and limitations, but it has higher bandwidth. However, the network interface cards (NICs) and the ports on the hubs and switches operate at 100 Mbps. It is very common to have a 10BaseT LAN that runs from clients to a central switch or hub and a 100BaseT LAN as the backbone for your servers.

Phase 2: Plan

Building any network should begin with a physical plan. Draw your network out and measure the distance from the POP to each workstation. By having a physical reference for your network, you can determine how far your cable runs are going to be and where you will need to use switches and hubs to segment and extend your network. The heart of an Ethernet network is the cable you use. One of the reasons for your physical plan is to ensure that your wiring plan will not violate the maximum cable length (100 meters for 10BaseT/100BaseT networks) for the type of wire you will use to connect your network. Currently, the majority of copper cable used for Ethernet is Category 5. This refers to a standard for cabling developed by the IEEE. Category 5 cable offers speeds up to 100 MHz and a data throughput rate up to 100 Mbps. When networking with Ethernet, it is highly recommended that you use Category 5 (or Category 5e) cable. You may not have switches/hubs that support 100-Mbps connections to the desktop. But having the ability to upgrade that switch/hub without the expense and time associated with rewiring your network is enough reason to justify the additional cost of Category 5 rated wire. Your wiring should begin from the heart of your network (your data center or server room) and fan out to the clients.

Phase 3: Buy

Network interface cards

NICs connect a client/host device to your network. Cheap NICs can introduce chatter and collisions. They can deny bandwidth and cause endless hours of troubleshooting. The same is true with hubs and switches. Find a good NIC that is within your price range and use that type of card consistently throughout your network. Plan for a failure rate of 1 in 100 and purchase additional cards when you are populating your network. When a NIC fails and cuts a client or server off your network (or disables your network with chatter), that's not the time to learn how to install a NIC.

Hubs

Hubs are used to connect multiple hosts to one segment of wire, and all hosts share the same bandwidth, meaning one large collision domain. Use hubs at points where you would deploy a network sensor. That way, the hubs can see all the traffic on their portion of the network.

Switches

Switches transfer data between different ports based on the destination MAC addresses. Each segment or port connection is its own collision domain, but all ports are in the same broadcast domain. You can use switches to connect multiple ports to the same destination (that is, multiple uplink ports), but only one port can be active at a time. If cost allows, use intelligent switches that offer port spanning. This will enable you to place a network sensor on that switch and let it inspect all of the traffic regardless of destination. When buying hubs or switches, plan on a 50 to 100 percent growth rate. So, for example, if you currently need to connect only 12 hosts to a switch, buy a switch with 24 ports. This allows for growth as well as potential port failure.

Phase 4: Build

Once you've planned properly and bought the hardware, it's time to build out your Ethernet hardware. Whether you outsource the cabling job or do it yourself, here are some tips to follow:
- When you place your servers, hubs, and switches, remember to allow for the proper ventilation and cooling in your data center or server room.
- Don't skimp on cable layout. Make cable runs from switches and hubs to a patch panel, preferably in your data center/server room. Then, run the cable through your walls from the patch panel to the wall mounts and run a separate cable from the wall mounts to the client devices. Never run cable from an intermediate device (switch/hub) directly to a client device. This can result in troubleshooting and design problems.
- Do not run Ethernet cable alongside power cables.
- If costs allow, buy cable ducting and use it to route and protect your cables.
- After installation, test your cables with data testing equipment or known good devices.

Cabling

If you are the network manager, you should have a firm understanding of the layout (also called pinouts) of the RJ-45 connectors on your Ethernet data cables. There are two standards for cable ends: EIA/TIA 568A (Figure A) and EIA/TIA 568B (Figure B). When looking at an RJ-45 wall jack (female), contact 1 is on the left, and contact 8 is on the right. When looking at the RJ-45 connector on the end of a cable (male) with the tab on the bottom and the contacts on the top, contact 8 is on the left, and contact 1 is on the right. I would recommend using one standard throughout your network. The most popular is 568B. It doesn't matter which standard you use; just be consistent. Also, remember the following:
- To connect two similar devices (two clients, two hubs, etc.), you should make one end of your cable 568A and the other 568B. This is often called a crossover cable.
- To connect two different devices (client/server to a hub or switch), your cable should have the same wiring scheme on both connectors.

Summing up

Now you have the information you need to decide what type of Ethernet network (10baseT or 100baseT) you'll need, how to plan, what to buy, and how to build. In my next article, I'll cover the protocols that can run over your Ethernet LAN and explain what your data looks like on the wire, as well as offer some helpful troubleshooting tips specific to Ethernet LANs.


Figure A

Figure B
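The 568A/568B rule from the Cabling section can be checked mechanically. The following is an added example, not code from the article: the pin-to-colour tables are the standard EIA/TIA 568A and 568B assignments (the content of Figures A and B), the 10/100Base-T transmit and receive pairs (pins 1-2 and 3-6) are taken from IEEE 802.3, and grouping clients and servers on one side and hubs and switches on the other is this example's reading of the article's "similar devices" rule.

```python
"""Check RJ-45 terminations against EIA/TIA 568A/568B and classify the patch cable."""

# Pin -> wire colour for the two termination standards (what Figures A and B show)
T568A = {1: "white/green", 2: "green", 3: "white/orange", 4: "blue",
         5: "white/blue", 6: "orange", 7: "white/brown", 8: "brown"}
T568B = {1: "white/orange", 2: "orange", 3: "white/green", 4: "blue",
         5: "white/blue", 6: "green", 7: "white/brown", 8: "brown"}
STANDARDS = {"568A": T568A, "568B": T568B}

# 10/100Base-T signals on two pairs only: pins 1-2 transmit, pins 3-6 receive
TX_PINS, RX_PINS = (1, 2), (3, 6)

# Assumed device classes for the article's "similar vs. different devices" rule
DEVICE_CLASS = {"client": "host", "server": "host",
                "hub": "concentrator", "switch": "concentrator"}


def identify_termination(pinout):
    """Name the standard a connector follows, or None if it matches neither."""
    for name, standard in STANDARDS.items():
        if pinout == standard:
            return name
    return None


def pin_map(end_a, end_b):
    """For each pin at end A, the pin at end B that the same physical wire reaches."""
    pin_of_colour = {colour: pin for pin, colour in end_b.items()}
    return {pin: pin_of_colour[colour] for pin, colour in end_a.items()}


def classify_cable(end_a, end_b):
    """'straight-through', 'crossover' or 'invalid' for a pair of terminations."""
    if identify_termination(end_a) is None or identify_termination(end_b) is None:
        return "invalid"               # mis-punched connector: matches no standard
    mapping = pin_map(end_a, end_b)
    if all(dst == src for src, dst in mapping.items()):
        return "straight-through"      # both ends 568A or both ends 568B
    tx_to = tuple(mapping[p] for p in TX_PINS)
    rx_to = tuple(mapping[p] for p in RX_PINS)
    if tx_to == RX_PINS and rx_to == TX_PINS:
        return "crossover"             # one end 568A, the other 568B: TX lands on RX
    return "invalid"


def cable_needed(device_a, device_b):
    """Article rule: like devices need a crossover cable, unlike devices a straight-through."""
    same = DEVICE_CLASS[device_a] == DEVICE_CLASS[device_b]
    return "crossover" if same else "straight-through"


def check_link(device_a, end_a, device_b, end_b):
    """True when the cable as built matches what the two devices at its ends need."""
    return classify_cable(end_a, end_b) == cable_needed(device_a, device_b)


if __name__ == "__main__":
    print("568A->568B pin map:", pin_map(T568A, T568B))
    print("client to switch, both 568B:", check_link("client", T568B, "switch", T568B))
    print("hub to hub, both 568B:", check_link("hub", T568B, "hub", T568B))
```

The pin map for a 568A/568B pair shows why that combination is a crossover: pins 1 and 2 at one end arrive at 3 and 6 at the other, while the unused pairs (4-5 and 7-8) stay put. A connector whose colours match neither table is reported as invalid rather than guessed at; it is the kind of fault the article's advice to test every run after installation is meant to catch.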
