Computer Network Monitoring & Performance

2014
David Breen,Dmitry Ponomarenko
4/8/2014
Computer Network Monitoring & Performance

Network Monitoring and Performance 2014
1
Contents
Chapter 1.....................................................................................................................................2
Introduction............................................................................................................................. 3
Chapter 2.....................................................................................................................................4
Literary Review......................................................................................................................... 4
Network Monitoring.............................................................................................................. 4
Network Performance ...........................................................................................................5
How Has Network Monitoring evolved:...................................................................................... 5
Functions of network Monitoring............................................................................................... 6
Overview of some Commonly Used protocols............................................................................. 7
ICMP: ...................................................................................................................................7
SNMP:..................................................................................................................................7
Overview of some popular tools ................................................................................................ 8
CommView:.......................................................................................................................... 9
HostMonitor....................................................................................................................... 10
GFI Network Server Monitor................................................................................................ 11
Argus.................................................................................................................................. 12
SmokePing.......................................................................................................................... 12
Axence NetVision................................................................................................................ 12
PRTG Network Monitor........................................................................................................ 13
Performance (lookingforward)................................................................................................ 14
General Findings:- ............................................................................................................... 14
Video Findings:-................................................................................................................... 15
Mobile Findings:-................................................................................................................. 15
Global Business Findings:-.................................................................................................... 16
Conclusion.............................................................................................................................. 16
Chapter 3................................................................................................................................... 17
Simulating a network .............................................................................................................. 17
Objective:........................................................................................................................... 17
Link to packet tracer: project-lab.pkt.................................................................................... 17
Network Configuration........................................................................................................ 18
Switches:............................................................................................................................ 18
Routers:.............................................................................................................................. 18
Voip:................................................................................................................................... 19
Wan:................................................................................................... 19

2
Wireless:............................................................................................................................. 20
Security:............................................................................................................................. 20
Testing................................................................................................................................ 20
Chapter 4................................................................................................................................... 21
WireShark .............................................................................................................................. 21
How to get WireShark.......................................................................................................... 21
WireShark Brief Overview.................................................................................................... 21
Using WireShark.................................................................................................................. 22
Telenet vs SSH:.................................................................................................................... 26
Measuring Bandwidth using Wireshark................................................................................. 29
Some Filtering options......................................................................................................... 31
Chapter 5................................................................................................................................... 33
Conclusion.............................................................................................................................. 33
Bibliography............................................................................................................................... 34
Appendices ................................................................................................................................ 35
Appendix1 Router-Office A Configuation.................................................................................. 35
appendix 2 ............................................................................................................................. 38
Chapter 1

3
Introduction
By 2017, over 1.4 zettabytes of data will be flowing over global networks
Faster broadband speeds, more devices and connections, and more global internet videos.
Around 3.6 billion people will be on line, which represents 48% of the world’s population;
this is up from 32%(presently) or an increase of 2.3 billion.
The number of devices and connection will grow with a projection of 19 billion network
connections (Cisco,2013)
With current volumes and looking at the growth patterns of data and networks, Network
monitoring is vital to the performance, availability and security.
For these reasons, we have decided to look at Network Performance and Monitoring.
Global figures are extremely large and can be quite daunting to even imagine, but these
global figures consist of a combination of millions of micro networks.
We decided to build a micro network, consisting of many of the everyday functions and
capabilities of a common network.
We will configure Routers, Switches, Pc’s, Servers, Wireless Ap’s
We will configure Wan, Lans , Wireless and VOIP
We will implement Security features such as AAA, ACL’s, Console, AUX & VTY security
We will create Frame Relay configuration for our WAN
We will create a VoIP network
And We will create a wireless network using WEP and WPA2
Firstly, this System will be configured on packet tracer, ensuring our configuration is correct,
and using the option of adding more end devices ( which is not practical to do physically)
Secondly, this network will be physically built in the lab using Cisco 2811 Routers, Cisco
3560 Switches, Cisco 2600 ap’s, cisco 7945 IP Phones, windows server 2008 and personnel
Pc’s and Laptops
The network will be connected using Serial and Ethernet cabling plus wireless connections
In this report we will look at a number of Open Source Network Performance and Monitoring
Tools and we will give a brief description of their functionalities.
Based on our preferences of open Source Software, we will look in more depth at the uses
and Functionalities of WireShark.
Use active and passive monitoring over the network we created and we will demonstrate how
the data can be captured.
One of the primary uses of the software is the ability to filter the traffic, enabling you reduce
the amount of visible data, extract the data you wish to see and break it down into small bite
size pieces that you can work with and understand.

4
Chapter 2
Literary Review
Network Monitoring
Whatis network monitoring?
Network Monitoring and Network Management are terms often interchanged for the same
function.
In Simple terms, Network Monitoring is a system with the capability of continually
monitoring a network, and will notify a network administrator of any faults, failures or
outages. There are various software packages available to conduct this task automatically.
The software packages will vary greatly in their capabilities and cost, depending on the level
of monitoring, the size of the network, the amount of resources available and the budget
available to spend.
Network monitoring for large corporations is a critical IT function. By checking on the
network performance and employee productivity, can save the company a lot of money. A
network monitoring system monitors an internal network for problems. It can identify and
help resolve, network vulnerabilities, bad configuration, slow downloads, lost e-mails and
monitor user activity for misuse of the network. It will also highlight overloading, servers-
down and bad connections.
A network Monitoring system will be capable of detecting any failures of devices or
connections.
It will measure the CPU usage of Hosts and the utilization of the bandwidths. Messages are
sent back to a central server or system administrator known as “watchdog” messages
advising of the current status. If the system detects failures, unacceptable slow responses or
unexpected behaviours or responses, the system will send additional messages known as
“alerts” to the administrator, where corrective action can be taken if required.
The most basic of monitoring tests would be a “ping” which is available on all machines and
will test the connection between two devices, this may be of use in a small peer to peer
environment, but as networks grow i.e. in large organizations where a large number of web
servers may be in use and are spread all around the world, a lot more sophisticated software is
required
Network Monitoring uses tools to ensure that the availability and performance of the
network is functioning at an acceptable level for the end hosts/users.
In today’s environment, any downtime with a computer or network, means lost time,
opportunity, business and MONEY, So monitoring your network and ensuring a high level of
performance is vital to any organisation

5
Network Performance
Whatis network performance?
Network performance is normally measured by its bandwidth. Bandwidth, is the amount of
data that can be carried from one point to another in a given period of time. The Bandwidth
refers to the overall capacity of the network which has a direct relationship to the speed at
which your network is operating at. A network performance is measured in bits per second,
i.e. Kbps, Mbps, Gbps. This is impacted by the medium used i.e. LAN, Wi-Fi, satellite and
the ISP providers hardware.
Another measurement in the bandwidth is the latency.
Latency refers to several types of delay in the network, which can be caused by a variety of
reasons. Low Latency in a network refers to small delays, where high latency refers to long
delays. When there is excessive latency, bottlenecks occur and hence reduce the bandwidth.
Latency may be due to propagation delays but also involve transmission delays, i.e. passing
through proxy servers, involving additional hops. Latency can be easily measured using tools
like “traceroute” and “ping” tests.
Other Network performance measures would look at packet loss, uptime of routers, switches
and review protocols such as SNMP and others.
Software packages will ensure Alerts are made to the network administrator by text, paging ,
email, or telephone advising of various predetermined scenarios.
How Has Network Monitoring evolved:
Prior to networking and the Internet as we know it today, communications was limited to
stations directly connected on the network. A common networking practice was to have
computers connected to one central mainframe via leased lines, this type method was used
by project RAND in the 1950’s which connected researchers in Pennsylvania and Santa
Monica (Hauben,2004)
ARPANET and X.25 were standards being used in the United Stated and Europe.
TCP/IP protocol was only created in 1977, and spread rapidly throughout the world to
become the standard protocol. The first Wide area network using the TCP/IP protocol was
created in 1984. In 1984, University College London replaced its transatlantic satellite links
with TCP/IP over IPSS. All links were all converted to TCP/IP in 1982. The ARPANET was
renamed the “Internet” in 1995. (Klienrock,2011)
Traditionally, most of the effort and research concentrated on the physical layer, looking at
speed improvements, routing & transport protocols. As networks increased, with the number
of Nodes, protocols and port numbers and new applications such as multi-media and internet
increased at a rapid rate, much more than had been predicted, so it quickly became evident
that network monitoring and tools were very necessary.
Two types of monitoring were identified, Active Monitoring and Passive monitoring...

6
With Active monitoring, active data such as PING and SNMP are sent over the network and
the performance of the network is extrapolated from the performance of the sent data ,routers
of a domain then have to be queried periodically to gather statistics and general system status
information. This can cause its own challenges, as huge amounts of data needs to be stored in
order to get meaningful results, which in turn increase the overhead on high speed core
routers. For this reason, active monitoring is typically kept to periodic route discovery and
topology analysis.
Nowadays, there are many software packages or combination PnP hardware and software
available to conduct whatever type of monitoring you require for your organisation. Virtually
any kind of network can be monitored. The type of network may vary from LAN, to Wan to
VPN and can include Mobiles, server’s routers or switches. The systems available today will
help identify the customer’s specific needs and performance metrics, whether they be
compliance requirements or eliminating internal security threats of providing more
operational visibility. (Kim S. Nash, 2013)
Functions of network Monitoring
There are many types of traffic which is measured. Each piece of information is monitored by
the packet. Types of measured traffic would consist of
Service Development. Using TCP/UDP port numbers, track new customers and the
applications that they use.
Heavy Hitters. Monitor the number of hits etc (most popular web sites) determined from the
packet ip addresses
Security. Checking for network intrusion
Network Engineering. This could involve rerouting certain traffic due to congestion
Charge back. Allocating cost to certain divisions with in a network based on usage
Customer Billing. An ISP may charge customers for their byte usage and this may also vary
due to the type of application the customer is using ( this can be identified by the TCP/UDP
port numbers)
Path Measurement. Measuring the entire path of a packet through the network and
determining its class usage along the paths enables the passive measurement of network path
performance, route trouble shooting and network attack tracing (Duffield,2004)
Traffic Structure. Checking the duration of traffic flows and the composition of the traffic

7
Overview of some Commonly Used protocols
ICMP:
ICMP is another one of the core protocols used in IP. ICMP operates outside of TCP/UDP.
ICMP has a very limited set of commands, and its most common and powerful is the “Ping”,
which is most useful when troubleshooting. ICMP traffic is common in almost all networks
bar the very highly secured networks. The Ping will determine the connectivity of the
network, but will also determine the Latency. The Latency is the transfer speed between the
source and the target.
A ping response will also inform you of the number of hops a packet has had to take, this is
communicated as a function of its “Time to live” TTL
Lastly a ping will inform you of the quality of the link, stating number of packets lost
(SolarWinds, n.d.)
SNMP:
ICMP is a very simplistic protocol by design and the information you receive will be basic
information about a hosts connection. In order to get greater more detailed information you
need to use alternative protocols. One of the most common protocols is SNMP
SNMP stands for “Simple Network Management tool” It is a commonly used tool, used for
gathering information and configuring devices such as servers, printers, routers, switches
using internet protocol.
This software is especially useful when a network is very large (with many hundreds or
thousands of nodes). SNMP will allow you monitor the network through a management host.
From here you can monitor performance, check network usage, faults or check for
inappropriate access or usage.
SNMP requests information from its host using GET and GET-NEXT commands. These
commands enable you to obtain specific information from the host. It uses port161/UDP for
communication which is a configurable port on all devices. Each piece of information has its
“Own Identifier” OID.
From a NMS you can remotely call OIDs obtaining much information such as performance,
configurations environmental information statistics etc.
SNMP was developed in 1988 and was designed to work on TCP/IP based networks. It was
approved by the IAB as the internet standard 1990 and is widely used ever since. Virtually all
network equipment is SNMP compatible.
As SNMP is a common solution for gathering data from all devices on your network, it goes
without saying that security is to be a major consideration with its implementation. This can

8
be achieved through firewalls, access lists and using the privacy and encryption facilities
which is available in SNMPv3 (SolarWinds, n.d.)
Both ICMP and SNMP are widely used in today’s Network Management systems. ICMP is
typically used on a per device basis checking availability and latency for specific devices.
SNMP will enhance this data giving device behaviours and characteristics. SNMP will gather
data such as the internal performance statistics or configuration. It will check items such as
CPU, memory, Disk utilization. Performance and errors
Overview of some popular tools
In the table belowliststhe Networkperformance toolsdevelopedbetween1996 and 2006
Year Name of Tools
1996
mrtg, NetNow, NetraMet, Network Probe Daemon, InterMapper, Lachesis, Optimal
Networks, Digex
1997
INS Net Perf Mgmt survey, tcpspray, Mapnet, Keynote, prtraceroute clflowd flstats,
fping, tcpdpriv, NetMedic Pathchar, CAIDA Measurement Tool Taxonomy, bprobe
and cprobe
1998 NetOps, Triticom, Maple, PV-Wave, S-Plus, VisualRoute.
1999
Cheops, Ganymede, hping2, Iperf, JetMon, MeasureNet, MatLab, MTR, NeoTrace,
Netflow, NetLogger, Network health, NextPoint, Nmap, Pchar, Qcheck, SAA, SafeTP,
Sniffit, SNMP from UCSD, Sting, ResponseNetworks, Tcpshow, Tcptrace WinTDS.
2000
Analyzer, bbftp, Big Brother, Bronc, Cricket, EdgeScape, Ethereal (now renamed
Wireshark), gen_send/gen_recv, GSIFTP, Gtrace, Holistix, InMon, NcFTP, Natas,
NetAlly, NetScout, Network Simulator, Ntop, PingGraph, PingPlotter, Pipechar, RRD,
Sniffer, Snoop, StatScope, Synack, View2000, VisualPulse, WinPcap, WU-FTPD,
WWW performance monitoring, Xplot.
2001
AdventNet SNMP API, Alchemy Network Monitor, Anasil analyzer, Argent, Autobuf,
Bing, Clink, DSLReports, Firehose, GeoBoy, PacketBoy, Internet Control Portal,
Internet Periscope, ISDNwatch, Metrica/NPR, Mon, NetPredict, NetTest, Nettimer,
Net-One-1, Pathrate, RouteView, sFlow, Shunra, Third Watch, Traceping, Trellian,
HighTower, WCAT, What¡¯s Up Gold, WS_FTP, Zinger.
2002
ANL Web100 Network Configuration Tester, Anritsu, aslookup, AlertCenter, Alertra,
AlertSite, Analyse-it, bbcp, BestFit, Bro, Chariot, CommView, Crypto-Pan,
elkMonitor, DotCom, Easy Service Monitor, Etherpeek, Fidelia, Finisar, Fpinger,
GDChart, HipLinkXS, ipMonitor, LANExplorer, LinkFerret, LogisoftAR, MGEN,
Netarx, NetCrunch, NetDetector, NetGeo, NEPM, NetReality, NIST Net, NLANR
AAD, NMIS, OpenNMS PageREnterprise, PastMon, Pathprobe, remstats, RIPmon,
RFT, ROMmon, RUDE, Silverback, SmokePing, Snuffle, SysOrb, Telchemy,
TCPTune, TCPurify, UDPmon, WebAttack, Zabbix.
2003
AbwE, ActivXpets, AdventNet Web NMS, Analyse It, Argus, Big Sister, CyberGauge,
eGInnovations, Internet Detective, Intellipool Network Monitor, JFF Network
Management System, LANsurveyor, LANWatch, LoriotPro, MonitorIT, Nagios,

9
NetIntercept, NetMon, NetStatus, Network Diagnostic Tool, Network Performance
Advisor, NimBUS, NPS, Network Probe, NetworksA-OK, Sniff¡¯em, Spong, NetStat
Live, Open NerveCenter, OPENXTRA, Packeteer, PacketStorm, Packetyzer,
PathChirp, Integrien, StableNet PME, TBIT, Tcptraceroute, Tping, Trafd, Trafshow,
TrapBlaster, Traceroute-nanog, Ultra Network Sniffer, Vivere Networks.
2004
MonitorMagic, N-central, N-vision, Netmeter, CleverEye, CueVision, D-ITG, Network
Physics, FastCopy, internetVista, IPCheck Server, OSSMon, H.323
Beacon,Monitor,FREEping,NetMechnica, NetVizor, Observer, Overseer, ZTI Network
Monitor, Orca, PRTG Traffic Grapher, QOVIA, Qradar, Wombat, Route Explorer,
Scriptroute, Server Nanny, SNMP Explorer, Ganglia, GFI Network Services Monitor,
Little:eye, STAB a Linux tracepath, SolarWinds Orion, Vantage, Vigilix, VitalNet,
WatchTower Website Monitoring, WindowsNetworking.com, ServerFiles.com, SNMP
Informant,
2005
bulk, BWCTL, Caligare Flow Inspector, Cittio, ClearSight, Distinct Network Monitor,
EM7, EZMgt, GigaMon, Host Grapher II, HPN-SSH, Javvin Packet Netcool, netdisco,
Netflow Monitor, NetQoS, Pathneck, OWAMP, RANCID, SiteMonitor, STC,
SwitchMonitor, SysUpTime, TansuTCP, thrulay, Torrus, Tstat, VSS Monitoring,
WebWatchBot, WildPackets, ZoneRanger, Advanced HostMonitor, Just-ping,
LinkRank, MoSSHe, mturoute, N-able OnDemand, Scamper, SCAMPI, Simple
Infrastructure Capacity Monitor, Spirent, Alvias, Airwave, AppMonitor, BitTorrent,
PingER, Analyzer,
2006
Cacti, CSchmidt collection, Cymphonix Network Composer, Darkstat, Ey-on
Bandwidth, SNM,Etherape, EZ-NOC, IPTraf, Jnettop, Zenoss, Gigamon Uni- versity,
LITHIUM, mrtg-ping-probe, NetMRG, NetworkActiv Scanner, Web Server Stress
Tool, NimTech, NPAD, Nsauditor, Nuttcp, OpenSMART, Plab, WatchMouse, Pandora
FMS, PIAFCTM, PolyMon, PSentry, Rider, Sysmon, SpiceWorks,SftpDrive,
SpeedTest, TruePath, Unbrowse, Unsniff, Webalizer, RSP, Pktstat
(Alam,2006)
This section presents brief introduction of the some popular tools used for monitoring
network performance.
CommView:
CommView runs on a Windows platform. It analyses all packets that pass through the
network, bot local and internet traffic. It collects all the data that passes through the Ethernet
port and decodes them listing all the IP addresses and examines the individual packets.

10
Screenshotsof CommView
(Alam,2006)
HostMonitor
HostMonitor is another useful tool that a network administrator can use. It monitors and
analysis’s all traffic flowing through the network, it checks hosts status and statistics and
reports them in log files and reports.
Screenshortsof HostMonitor
(Alam,2006)

11
GFI Network Server Monitor
GFI works on both Windows and Linux platforms. It maximizes the availability of the
network by monitoring all stations connected to the network, (i.e. workstations, servers,
routers, switches printers etc.) It checks for failures and irregularities and will send alerts by
multiple media to the network administrator when it detects a fault. GFI’S Monitoring service
and its management service run on separate interfaces. The network engine is multi-threaded
and can run up to 40 checks simultaneously. This makes it a good platform for both small and
large organisations as it is easily scalable
GFI Network Server Monitor can check the status of a terminal server by actually performing
a complete login and checking if the session is established correctly. GFI Network Server
Monitor can check the availability of all leading database applications. GFI Network Server
Monitor includes extensive checks for monitoring Linux servers. All CPU usage, printer
availability, file existence, process running, folder size, file size, users and groups
membership, disk partition check and disk space can be monitored by GFI Network Serve.
You can also access the GFI network server monitor remotely which will allow you changes
rules and settings and check local and remote network status
GFI Screenshot
(Alam,2006)

12
Argus
Argus is a real-time flow monitor, which checks metrics such as connectivity, delay, packet
loss, capacity and jitter on a per transaction basis. It supports Linux, Solaris, FreeBSD,
OpenBSD, NetBSD, and MAC OS X
Argus can be used for security management, Network Billing, Network oprations
management and performance management. It can be used to monitor specific individual
sectins of the network or the entire enterprise
SmokePing
SmokePing works on a Unix platform and is an open source software. It measures and stores
Latency in the network. It stores long term data and can graphically display the information
in an easy to read format. It has a smart alarm system which will trigger alarms for
anticipated Latency of loss based on predefined patterns.
SmokePingScreenshot
(Alam,2006)
Axence NetVision
NetVision is relatively recent, developed in 2006. It runs on all platforms. Once it runs, it
detects all hosts on the entire network and scan the services running on them. It displays the
hosts on an interactive map along with the critical information, making it easy for the
administrator to visually check for potential problems

13
NetVisionscreenshot
(Alam,2006)
PRTG Network Monitor
PRTG NetworkMonitormonitorssystemavailabilityusingavarietyof methodsfromsimple ping
throughSNMP and WMI protocolsto specifictaskssuchas HTTP, DNS,and Remote Desktop
availabilityusingvarioussensors.Usingspecificsensorsforspecificmachines,anadministratorcan
monitorservice availability - includingExchange andSQL- and be notifiedinstantlyof problems.
Also,PRTG comeswithsome bandwidthmonitoringsensors,soyoucanensure thatmalware
designedtodoDoS,"phone home",andotheroverloadactivitiesare notoperatingonyournetwork.
PRTG NetworkMonitorscreenshot
(Alam,2006)

14
Performance (looking forward)
Enhancing performance is about more than increasing bandwidth.
Millions of dollars have been spent by It organizations throughout the world on tools and
processes to maximize network availability and eliminate faults. However every day, network
traffic is growing in both volume and complexity and an enormous rate, creating performance
issues. So it is vital that Network and Application improvements need to focus on the
performance and not just the availability.
With the phenomenal growth of the World Wide Web, computer networks are challenged and
are pulled in two different directions. On one hand, you have desktop applications consuming
bandwidth with Images and video. Then you have thin client devices, (Less powerful devices
using a central server or site for its applications and resources) which are mainly connected
by wireless devices at the edge of the network. There is also a mismatch between fiber optic
speeds and computer speeds. This is a gap that needs to be bridged.
(Cisco, 2013)
One growth area is the smart tap intrusion detection market.
Seeing the big picture, knowing what is going on and where it is coming from is the core to
network security and performance management. A tool that is having a big impact on
networking abilities right now is the “smart Tap”.
Network taps are commonly used for network intrusion detection, VoIP recording packet
sniffers. They are used in a number of security applications as they are non-detectable on the
network.
Smart taps provide the ability of dissecting and filtering traffic into manageable chunks.
Smart tap has the capability of preventing a failed tap interrupting the network traffic. Smart
tap also captures all network traffic and does not suffer from lost traffic or network
congestion. It is a more user friendly than standard tap and allows administrators to filter or
direct traffic captures to different devices for analysis.
You could for example use smart tap to only look at HTTPS traffic and ignore all other traffic
if you were checking a particular security problem.
A report from Frost and Sullivan believes that smart tap technology will have additional
growth and that the Europe, Middle East and Africa Market will have revenues of 1.34
Billion euro by 2017
(Ohlhorst, 2012)
The major players in the Networking market are continuously trying to anticipate where the
market is going and what demands will be made on them over the coming years. Cisco being
one such company has recently completed one such analysis.
Cisco has forecasted through its Visual networking index the following:-
General Findings:-
 Annual global IP traffic will surpass the zettabyte threshold (1.4 zettabytes (Ohlhorst,
2012)) by the end of 2017.
 Global IP traffic has increased more than fourfold in the past 5 years, and will
increase threefold over the next 5 years

15
 Busy hour Internet traffic is growing more rapidly than average Internet traffic
 Metro traffic will surpass long-haul traffic in 2014, and will account for 58 percent of
total IP traffic by 2017.
 Content Delivery Networks (CDNs) will carry over half of Internet traffic in 2017
 Nearly half of all IP traffic will originate with non-PC devices by 2017
 Traffic from wireless and mobile devices will exceed traffic from wired devices by
2016
 In 2017, the gigabyte equivalent of all movies ever made will cross global IP
networks every 3 minutes
 The number of devices connected to IP networks will be nearly three times as high as
the global population in 2017.
Video Findings:-
 It would take an individual over 5 million years to watch the amount of video that will
cross global IP networks each month in 2017
 Globally, consumer Internet video traffic will be 69 percent of all consumer Internet
traffic in 2017, up from 57 percent in 2012
 Internet video to TV doubled in 2012
 Video-on-demand traffic will nearly triple by 2017
 Content Delivery Network (CDN) traffic will deliver almost two-thirds of all video
traffic by 2017
Mobile Findings:-
 IP traffic is growing fastest in the Middle East and Africa
 IP traffic in North America will reach 40.7 Exabyte’s per month by 2017
 IP traffic in Western Europe will reach 16.8 Exabyte’s per month by 2017
 IP traffic in Asia Pacific will reach 43.4 Exabyte’s per month by 2017
 IP traffic in Latin America will reach 7.4 Exabyte’s per month by 2017
 IP traffic in Central and Eastern Europe will reach 8.8 Exabyte’s per month by 2017
 IP traffic in the Middle East and Africa will reach 3.5 Exabyte’s per month by 2017

16
Global Business Findings:-
 Business IP traffic will grow at a rate of 21 percent from 2012 to 2017
 Business Internet traffic will grow at a faster pace than IP WAN
 Business IP traffic will grow fastest in the Middle East and Africa.
(Cisco,2013)
Conclusion
Based on trends and research findings, network traffic will continue to grow at a phenomenal
rate worldwide for the next decade. The data will continue to grow in size and complexity,
with video media becoming more and more prevalent.
The need for network management and performance management will become ever
increasingly critical to the success of the anticipated growth
To meet the volume of traffic which is anticipated in the near future, it is likely that the
medium for networks will move more towards the Optical network (Photonic network). This
type network would give speeds up to 10Gbps on a single optic and a lot more if divided into
channels.
While it is relatively easy to tap into copper cables and read the data running over them, it is
difficult to do this with optical signals running over fibre. Many organizations that need
secure networks, such as government and defense installations, already make extensive use of
optical networks, sometimes right to the desktop.
Network Administration, network monitoring and Network Performance will continue to
evolve, develop and expand with the ever growing demand for information and will continue
to play a key role in the future success of all IT systems and applications

17
Chapter 3
Simulating a network
Objective:
Create a network which will consists of the various types of traffic, various mediums of
communication, incorporate standard security protocols and procedures and monitor the
traffic across the network.
This network will be simulated physically in the lab and we will utilize Packet tracer, so we
can expand our network and testing.
1
Networksimulationmap(PacketTracer)
Linkto packet tracer: project-lab.pkt

18
Network Configuration
Devices:
 Routers (cisco 2811)
 Switches (cisco 3560-24ps)
 Frame-relay switch simulator (cisco cloud-pt)
 Server (AAA, Email) may we need more
 PCs, Laptops, IP phones, Tablets
Wireless APs
Switches:
 Basic Security configuration(enable secret, console, vty, aux passwords)
 Vlans (Data, Voice, Wireless, Management)
 Trunk port
Routers:
Office-A
 Basic security configuration (passwords length, user name, console- aux-vty
passwords, password-encryption)
 Authentication radius-server
 Loopback 0 (ISP simulation)
 Sub interfaces (fa0/0.10 ; fa0/0.11 ; fa0/0.15 ; fa0/0.20)
 DHCP pools (Data, Voice, Wireless)
 Frame-relay (dlci 102)
 Routing protocol (eigrp 1)
 ACLs
 Telephony-service
 Voip routing
Full routerconfigurationsseeappendix1

19
Office-B
 Basic security configuration (passwords length, user name, console-aux-vty
passwords, password-encryption)
 Authentication radius-server
 Sub interfaces (fa0/0.10 ; fa0/0.11 ; fa0/0.15 ; fa0/0.20)
 DHCP pools (Data, Voice, Wireless)
 Frame-relay (dlci 201)
 Routing protocol (eigrp 1)
 ACLs
 Telephony-service
 Voip routing
Full routerconfigurationsseeappendix2
Voip:
Configured telephony services on both routers,
Enabled `no auto-reg-ephone` command to manually
assign ephones by entering mac addresses,
Created maximum number of ephones to register
Created maximum number of directory numbers
Set up voice vlan source ip address,
Created ephone numbers
set up target sessions
Wan:
We used frame-relay wan technology between local area
networks (LANs) over a wide area network (WAN).
Also we created virtual interface (loopback0) to present
ISP connection.

20
Wireless:
Office-A
Autonomous AP
Security (authentication type WPA2-PSK, encryption
type AES)
Bandwidth 100Mbs
Half-duplex
Office-B
Autonomous AP
Security (authentication type WEP, encryption key 64 bits)
Bandwidth 100Mbs
Half-duplex
Security:
Enable password (projectTest)
Console password (projectPass)
VTY password (projectPass)
AUX password (projectPass)
Passwords encryption (md-5)
AAA server (username `user1`, password `test`)
ACLs (permit access from outside hosts to the email server, deny web traffic initiated from
internal hosts)
Testing
Before we could introduce the concept of monitoring the software, We had to conduct basic
connectivity tests.
We conducted Ping tests from all routers, Switches and PC’s. We conducted voice calls
between subnets.
We conducted tests to ensure ACL’s were functioning correctly.
We tested our log-on security

21
Chapter 4
WireShark
How to get WireShark
WireShark is Open Source software.
It is compatible with most operating systems and platforms, including Windows, Apple Mac
and Linux.
Its latest stable release is 1.10.6 and is available for free download at
http://www.wireshark.org/
Download and installation is facilitated by a step by step installation wizard (Foundation,
2014)
WireShark Brief Overview
WireShark is a powerful network Monitoring tool.
WireShark can capture packets, gather and display statistics, analysis and define by filtering,.
It is an excellent tool for network trouble shooting, optimization and examine security
problems.
You can track the individual packets being sent across the network and from this data, you
can identify where problems are occurring. However it is not recommended for long tern
monitoring.
Data packets are the most basic form of network traffic.
By viewing the contents of a segment of a packet is referred to packet sniffing and by
recording and logging this data is referred to as packet logging.
Wireshark is computer software which can intercept and log traffic passing through the
digital network and can decode and analyze the content according to specified protocols or
filters.
Wireshark has a sophisticated wireless protocol analysis support which can help
administrator’s trouble shoot wireless networks. Wireshark can capture packets from the air
and decode them which can help administrators identify potential problems or threats or
issues which are causing poor performance or intermittent connectivity

22
Using WireShark
Wireshark provides the capability of capturing packets travelling over the entire network on a
particular interface at a particular time.
The first thing we done was to open wire shark and view all traffic passing through the
interface
Wireshark displayed all connections and all traffic traveling through the interface.
By selecting a particular packet i.e. from a particular source IP, we could then press capture
and wireshark captured all data relating to that IP address, MAC address, Protocol or port.
We then wanted to look at internet traffic only for a specific address. So we put HTTP into
the filter box and selected capture. This then showed us the Http traffic only
You can also see SSDP Packets; these are Simple Service Discovery Protocol.
The SSDP protocol can discover Plug & Play devices, with uPnP (Universal Plug and Play).
SSDP uses unicast and multicast address (239.255.255.250). SSDP is HTTP like protocol and
work with NOTIFY and M-SEARCH methods.
With Wireshark, the SSDP dissector is partially functional: there is no SSDP filter, but, the
http filter show HTTP and SSDP protocols. The solution is to filter with the destination port
Number of
packets
Packet
traveling
time
Source
Hardware
MAC address
Source
Hardware IP
address
Source
port
Destination
Hardware
MAC address
Destination
Hardware
IP address
Destination
port
Type of
communication
protocol
Packet
length
(bytes)
Other
informa
tion

23
Similarly, we were able to monitor traffic but exclude certain protocols.
In this example we were able to exclude TCP traffic and UDP traffic by using “!TCP and
!UDP“ command in the filter box. (Note the command will turn green if correct, otherwise
the input is incorrect.

24
We then looked at UDP traffic only:

25
The purpose of this exercise was to demonstrate how we could concentrate on, or eliminate
certain protocols, reducing the level of data being captured and making it easier to investigate
area where there are potential problems.
In the above sample, looking at HTTP only, we could see in clear text what web sites were
being accessed and from what source.
This could be used to identify security risks or to identify inappropriate use of the network.
We thenconductedVOIPCalls overthe network
We then conducted VOIP Calls over the network; here we can see the conversations going
across the network. In this scenario where we captured the packets of the conversation, we
were also able to replay the audio conversation.
Here we have filtered the protocol “SKINNY”
Skinny Client Control Protocol (SCCP) is a Cisco proprietary
standard for terminal control for use with voice over IP (VoIP).
The audio communication between end stations makes use of the
User Datagram Protocol (UDP) and the Internet Protocol (IP).
Variants of SCCP are used by several companies other than Cisco.
Screen shot of wireshark Audio Capture:-

26
Telnet v’s SSH:
Telnet is a network protocol used on the Internet or local area networks to provide a
bidirectional interactive text-oriented communication facility using a virtual terminal
connection. User data is interspersed in-band with Telnet control information in an 8-bit byte
oriented data connection over the Transmission Control Protocol (TCP).
Secure Shell (SSH) is a cryptographic network protocol for secure data communication,
remote command-line login, remote command execution, and other secure network services
between two networked computers that connects, via a secure channel over an insecure
network, a server and a client (running SSH server and SSH client programs, respectively). It
was designed as a replacement for Telnet and other insecure remote shell protocols such as
the Berkeley rsh and rexec protocols, which send information, notably passwords, in
plaintext, rendering them susceptible to interception and disclosure using packet analysis.
Telnet:
We captured a telnet conversation and were able to demonstrate how un-secure this type of
communication is, by capturing the login in details and password in clear text
To demonstrate this we used torfree.net website which is a one of Canadians ISP.
We used word “hello” for username and password.
see picture below:
Here we have filtered“telnet”protocol outof all traffic

27
Each telnet packet consist of one letter, so to see all data conversation between two end users,
we used a TCP stream analyzer. Here we can see that all our conversation is sent in clear text,
this demonstrates how telnet has serious security issues when communicating over an open
network such as the Internet.
See picture below:
SSH:
We captured a SSH conversation and were able to demonstrate how secure this type of
communication is by capturing logging details.
To demonstrate this we used torfree.net website which is a one of Canadians ISP.

28
We used word “hello” for username and password.
see picture below:
SSH clients and servers can use a number of encryption methods. In the older SSH-1
protocol, 3DES and DES are typically used. SSH-2 adds support for additional encryption
methods including AES and Blowfish. In our example We are using SSH version 2 that
supports AES encryption method with a key length 256 bites.
See pictures below:

29
Here we can see all data conversationbetween twoendusers;againwe usedaTCP stream
analyzer.
We see thatall data is encryptedbyusingAES algorithm.
Measuring Bandwidth using Wireshark
Wireshark has several ways of showing the bandwidth being used, each method displays the
information with different features. We demonstrate a couple of ways of how wireshark can
measure bandwidth. In our test we demonstrate how we can see the web traffic (http)
bandwidth. To demonstrate this we have create the http traffic. In our example we
downloaded the Ubuntu image from their website, in the background leaving wireshark
running. After download is completed we stop capturing and applying the filter to display
only the traffic we are interested in. Once you identify a packet belonging to the network flow
you are interested in, right click on it > conversation filter > ip / tcp. This will create ip/tcp
filter to isolate traffic we interested.
The first method we will use to seeing bandwidth is by selecting menu items: Statistics >
Protocol Hierarchy

30
On the screenshot above we can see the breakdown analysis of bandwidth by protocol. In this
test we are observing the http, we drill down to TCP, and we observe the Mbits/sec, which is
about 1.6 in this case.
The second method to seeing bandwidth is by selecting menu items: Statistics > Summary
Here we also can see the display filter, and the bandwidth used.
The last methodproducesanice graph. Go to satistics> IO graphs:

31
In thisstatisticwe applymultiple filters anddisplaythensimultaneously,forexample tocompare
twoIPs.
Find network vulnerabilities by using Wireshark
Another way how we can use Wireshark is by monitoring the network to identify unusual
activity. To do that we need exclude all trusted traffics by applying specific filters. For
example after taking out all trusted traffics we found that we have traffic between internal
hosts and external port 80 or in other words web-traffic. If we know that this traffic should be
blocked then we can say that something wrong with ACLs or Firewall configuration. Or we
found that there is to high broadcast traffic which can overload or network. In this situation
we need make changes in network configurations to reduce this traffic.
Some Filtering options
To get the full benefitof wire shark,itisimportanttoget familiarwithhow tofilteroutthe traffic
youwant to see or don’twantto see.Below isalistof useful examplesof trafficfiltering.
What do youwant to do Filter
Capture only traffic to or from IP address
172.168.5.4:
Host 172.168.5.4
Capture traffic to or from a range of IP
addresses
net172.168.0.0/24
Capturetrafficfroma rangeofIP
addresses:
Src net 172.168.0.0/24
Capture traffic to a range of IP
addresses
dst net172.168.0.0/24
CaptureonlyDNS (port53) traffic: Port 53
Capture non-HTTP and non-SMTP
traffic on your server
hostwww.example.comandnotport80 and not port
25
Captureexceptall ARPand DNS traffic: port not53 andnot arp
Capturetrafficwithina range ofports (tcp[0:2] > 1500 and tcp[0:2] < 1550) or (tcp[2:2] >
1500 and tcp[2:2] < 1550)
Capture only Ethernet type EAPOL: etherproto0x888e
Rejectethernet framestowardsthe
LinkLayer DiscoveryProtocol
Multicastgroup:
not etherdst01:80:c2:00:00:0e
Capture only IP traffic ip
Capture only unicast traffic not broadcastand not multicast

32
Anotheruseful example is,if youwishedtolookfora worm Virusfor example;
Many wormstry to spreadby contactingotherhostson ports135, 445, or 1433. Thisfilteris
independentof the specificworminsteaditlooksforSYN packetsoriginatingfromalocal network
on those specificports.
dst port135 or dst port 445 or dstport 1433 and tcp[tcpflags] &(tcp-syn) !=0 and tcp[tcpflags] &
(tcp-ack) = 0 and src net192.168.0.0/24

33
Chapter 5
Conclusion
Our Journey through Computer Network Monitoring and Performance has examined, the
scale of networks globally and the anticipated extraordinary growth over the next 3-5 years.
We have examined the Types of Monitoring and explained the functions of both Passive and
Active Monitoring,
We have looked at how Network Monitoring has evolved, from it’s infancy in the 70’s,
through the development of the protocols a in the 80’s and 90’s , up to the very advanced and
sophisticated tools that we have today.
We discussed the Functions of Network Monitoring and explained, how monitoring is not
just performance and security driven, but can also be revenue driven, by observing and
recording usage by clients
We have discussed the importance on Network Performance and Monitoring, and how this
task, which is virtually un-noticed to the end user, is a vital function, which maintains the
performance, the availability, the reliability, the integrity and the security of every network
throughout the world.
We then looked at some of countless software packages which assist in the task of Network
Monitoring and performance. We concentrated on some of the open Source packages. Apart
from Monitory reasons, we wished to demonstrate the high quality and functionality of the
open source software.
After reviewing various options of open Source Software and giving a brief description of
them, we decided to select WireShark as our software package of preference.
In Order to Display wireshark functionality, We firstly had to create a Network, for us to
demonstrate traffic flow over a network, capture the data and show the output.
We constructed a network both physically and by Packet tracer, we utilized as much
equipment, functions and features as we had at our disposal and the knowledge we gained
over our two semesters
We programed Switches, Routers, Wireless controllers and utilized Wireless Ap’s, IP
Phones, PC’s and Servers.
We created Ethernet, Serial and Wireless networks, and configured Frame Relay, Security ,
VOIP and Wireless technology.
We then tested the system extensively before we introduced the concept of wireshark and
Network Monitoring.
This document demonstrates many functions of WireShark which help you analyse many
network problems.

34
Network Problems can derive from poor configuration, hardware problems and internal or
external attacks.
In order to analyse a network successfully, capturing packets travelling over a network is
important, but is only part of the solution. Due to the volume, speed and types of packets
travelling at any point in time, it is extremely difficult to extract the data which is of any
relevance without a tool such as wireshark.
This is where Wireshark excels. With a very advanced filtering facility, Wireshark can either
show the packets that you wish to see OR filter out the packets that you are confident with;
leaving data that you may wish to investigate further. By continuing to filter the traffic, you
break the volume of data down into workable chucks where a trained eye can then easily
identify potential problems.
We demonstrated how Wireshark offers graphical displays which can assist in decision
making and we also demonstrated how you can interrogate individual packets, identifying its
source, destination or content.
We showed how telnet or http is vulnerable to sniffing and how VoIP can be recorded and
played back.
In order to resolve any problem, you must ensure you have sufficient data. WireShark gathers
that data for you.
Tools like WireShark are vital for any network administrator to gather data in order to resolve
problems such as poor performance or simply No performance. The lack of this type of
information could have a direct impact on availability of the network or the confidentiality of
the information on the network.
Wireshark, apart from being one of the best protocol analyzers today, is an excellent source
of knowledge for any network or communications enthusiast.
Bibliography
Alam,M. J., 2006. Survey Of NetworkPerformanceMonitoring Tools. [Online]
Available at:http://www.cse.wustl.edu/~jain/cse567-06/ftp/net_perf_monitors2/index.html#sec3.2
[Accessed5thJanuary2014].
Cisco,2013. Cisco VisualNetworking Index. [Online]
Available at:
http://www.cisco.com/en/US/solutions/collateral/ns341/ns525/ns537/ns705/ns827/white_paper_c
11-481360_ns827_Networking_Solutions_White_Paper.html
[Accessed3rdJanuary2104].
Duffield,N.,2004. SamplingforPassive InternetMeasurement:A Review. StatisticalScience, 19(1),
p. No.3.
Foundation,W.,2014. Wireshark. [Online]
Available at:http://www.wireshark.org/download.html
[Accessed6thMarch 2014].

35
Hauben,R.,2004. The Internet:On its Internationaloriginsand collaborativeVision. [Online]
Available at:http://www.ais.org/~jrh/acn/ACn12-2.a03.txt
[Accessed20thOctober2013].
KimS. Nash,A.B., 2013. CIO. [Online]
Available at:
http://www.cio.com/article/133700/Network_Monitoring_Definition_and_Solutions?page=1&taxon
omyId=3071
[Accessed30thDec 2013].
Klienrock,L.,2011. The Birth of the Internet. [Online]
Available at:http://www.lk.cs.ucla.edu/personal_history.html
[Accessed20thOctober2019].
Ohlhorst,F.J.,2012. NetworkComputing.com. [Online]
Available at:http://www.networkcomputing.com/next-gen-network-tech-center/smart-taps-define-
future-of-network-inte/232601819?pgno=2
[Accessed6thJanuary2014].
SolarWinds,n.d. theReferenceGuide to NetworkManagementProtocols. [Online]
Available at:
http://www.solarwinds.com/resources/whitepapers/SolarWinds_Network_Mgmt_Protocols.pdf
[Accessed3rdJanuary2014].
Appendices
Appendix1 Router-OfficeA Configuration
service password-encryption
security passwords min-length 10
!
hostname Rtr-Office-A
!
enable secret 5 $1$mERr$ye005E91umUqwCQ3tVmZF0
!
ip dhcp excluded-address 10.10.0.1 10.10.0.10
!
ip dhcp pool Data
network 10.10.0.0 255.255.255.0
default-router 10.10.0.1
option 150 ip 10.10.0.1
ip dhcp pool Voice
network 10.15.0.0 255.255.255.0
option 150 ip 10.15.0.1
ip dhcp pool Wireless
network 10.20.0.0 255.255.255.0

36
option 150 ip 10.20.0.1
!
aaa new-model
!
aaa authentication login default group radius local
!
username user01 secret 5 $1$mERr$lvOoTqkNNZ4VM9Krhr0V70
!
ip ssh version 2
no ip domain-lookup
!
spanning-tree mode pvst
!
interface Loopback0
ip address 172.16.1.1 255.255.255.252
ip access-group 110 in
ip access-group 120 out
!
interface FastEthernet0/0
noip address
duplex auto
speed auto
!
interface FastEthernet0/0.10
description Data vlan
encapsulation dot1Q 10
ip address 10.10.0.1 255.255.255.0
!
description Management vlan
ip address 10.11.0.1 255.255.255.0
!
description Voice vlan
ip address 10.15.0.1 255.255.255.0
!
description Wi-Fi vlan
ip address 10.20.0.1 255.255.255.0
!
ip address 192.168.0.1 255.255.255.0
duplex auto
speed auto
!
interface Serial0/0/0
ip address 20.0.0.2 255.255.255.0
encapsulation frame-relay
frame-relay map ip 20.0.0.1 102 broadcast
frame-relay map ip 20.0.0.2 102
!
noip address
shutdown

37
!
interface Vlan1
noip address
shutdown
!
router eigrp 1
network 20.0.0.0
network 10.0.0.0
network 192.168.0.0
noauto-summary
!
ip classless
!
access-list 110 permit ip any host 192.168.0.254
access-list 110 deny ip any any
access-list 120 deny tcp 10.0.0.0 0.255.255.255 any eq www
access-list 120 permit ip any any
!
radius-server host 192.168.0.254 auth-port 1645 key projecttest
!
dial-peer voice 10 voip
destination-pattern 2..
session target ipv4:20.0.0.1
!
telephony-service
max-ephones 5
max-dn 10
ip source-address 10.15.0.1 port 2000
autoassign 1 to 5
!
ephone-dn 1
number 101
!
ephone-dn 2
number 102
!
ephone-dn 3
number 103
!
ephone 1
device-security-mode none
mac-address 0002.4A12.E911
type 7960
button 1:1
!
line con 0
exec-timeout 5 0
password 7 08315E41031C0603220A1F17
logging synchronous
login authentication default
!
line aux 0
password 7 08315E41031C0603220A1F17
!
line vty 0 4
exec-timeout 5 0
password 7 08315E41031C0603220A1F17

38
!
end
appendix2 Router-Office B Configuration
service password-encryption
security passwords min-length 10
!
hostname Rtr-Office-B
!
enable secret 5 $1$mERr$ye005E91umUqwCQ3tVmZF0
!
!
ip dhcp pool Data
network 10.30.0.0 255.255.255.0
option 150 ip 10.30.0.1
ip dhcp pool Voice
network 10.35.0.0 255.255.255.0
option 150 ip 10.35.0.1
ip dhcp pool Wireless
network 10.40.0.0 255.255.255.0
option 150 ip 10.40.0.1
!
aaa new-model
!
aaa authentication login default group radius local
!
username user01 secret 5 $1$mERr$lvOoTqkNNZ4VM9Krhr0V70
!
no ip domain-lookup
!
spanning-tree mode pvst
!
noip address
duplex auto
speed auto
!
description Data vlan
ip address 10.30.0.1 255.255.255.0
!
description Management vlan
ip address 10.31.0.1 255.255.255.0
!

39
description Voice vlan
ip address 10.35.0.1 255.255.255.0
!
description Wi-Fi vlan
ip address 10.40.0.1 255.255.255.0
!
noip address
duplex auto
speed auto
shutdown
!
noip address
shutdown
!
ip address 20.0.0.1 255.255.255.0
encapsulation frame-relay
frame-relay map ip 20.0.0.2 201 broadcast
frame-relay map ip 20.0.0.1 201
!
interface Vlan1
noip address
shutdown
!
router eigrp 1
network 20.0.0.0
network 10.0.0.0
noauto-summary
!
ip classless
!
radius-server host 192.168.0.254 auth-port 1645 key projecttest
!
!
!
telephony-service
max-ephones 5
max-dn 10
ip source-address 10.35.0.1 port 2000
autoassign 1 to 5
!
ephone-dn 1
number 201
!
ephone-dn 2
number 202
!

40
ephone-dn 3
number 203
!
ephone 1
device-security-mode none
mac-address 000C.CFAA.A29E
type 7960
button 1:1
!
line con 0
exec-timeout 5 0
password 7 08315E41031C0603220A1F17
logging synchronous
!
line aux 0
password 7 08315E41031C0603220A1F17
!
line vty 0 4
exec-timeout 5 0
password 7 08315E41031C0603220A1F17
!
end

Computer Network Monitoring & Performance

Recommended

Recommended

More Related Content

What's hot

What's hot (15)

Viewers also liked

Viewers also liked (20)

Similar to Computer Network Monitoring & Performance

Similar to Computer Network Monitoring & Performance (20)

Computer Network Monitoring & Performance