This document discusses network monitoring and performance. It provides an overview of how network monitoring has evolved from early computer networks to today's sophisticated tools. It describes key aspects of network monitoring like functions, commonly used protocols like ICMP and SNMP, and popular open source monitoring tools. The document also discusses measuring network performance and how monitoring will be important for handling future networking demands like increased video traffic and more mobile users.
Network Monitoring and Performance 2014
Contents
Chapter 1 ..... 2
  Introduction ..... 3
Chapter 2 ..... 4
  Literary Review ..... 4
    Network Monitoring ..... 4
    Network Performance ..... 5
  How Has Network Monitoring Evolved ..... 5
  Functions of Network Monitoring ..... 6
  Overview of Some Commonly Used Protocols ..... 7
    ICMP ..... 7
    SNMP ..... 7
  Overview of Some Popular Tools ..... 8
    CommView ..... 9
    HostMonitor ..... 10
    GFI Network Server Monitor ..... 11
    Argus ..... 12
    SmokePing ..... 12
    Axence NetVision ..... 12
    PRTG Network Monitor ..... 13
  Performance (Looking Forward) ..... 14
    General Findings ..... 14
    Video Findings ..... 15
    Mobile Findings ..... 15
    Global Business Findings ..... 16
  Conclusion ..... 16
Chapter 3 ..... 17
  Simulating a Network ..... 17
    Objective ..... 17
    Link to Packet Tracer: project-lab.pkt ..... 17
    Network Configuration ..... 18
    Switches ..... 18
    Routers ..... 18
    VoIP ..... 19
    WAN ..... 19
    Wireless ..... 20
    Security ..... 20
    Testing ..... 20
Chapter 4 ..... 21
  Wireshark ..... 21
    How to Get Wireshark ..... 21
    Wireshark Brief Overview ..... 21
    Using Wireshark ..... 22
    Telnet vs SSH ..... 26
    Measuring Bandwidth Using Wireshark ..... 29
    Some Filtering Options ..... 31
Chapter 5 ..... 33
  Conclusion ..... 33
Bibliography ..... 34
Appendices ..... 35
  Appendix 1 Router-Office A Configuration ..... 35
  Appendix 2 ..... 38
Chapter 1
Introduction
By 2017, over 1.4 zettabytes of data will be flowing over global networks, driven by faster broadband speeds, more devices and connections, and more global internet video.
Around 3.6 billion people will be online, which represents 48% of the world's population; this is up from 32% (presently), an increase of 2.3 billion.
The number of devices and connections will grow, with a projection of 19 billion network connections (Cisco, 2013).
With current volumes and the growth patterns of data and networks, network monitoring is vital to performance, availability and security. For these reasons, we have decided to look at network performance and monitoring.
Global figures are extremely large and can be daunting even to imagine, but they are made up of millions of micro networks. We decided to build a micro network consisting of many of the everyday functions and capabilities of a common network.
We will configure routers, switches, PCs, servers and wireless APs.
We will configure WAN, LANs, wireless and VoIP.
We will implement security features such as AAA, ACLs, and console, AUX and VTY security.
We will create a Frame Relay configuration for our WAN.
We will create a VoIP network.
We will create a wireless network using WEP and WPA2.
Firstly, this system will be configured in Packet Tracer, ensuring our configuration is correct and using the option of adding more end devices (which is not practical to do physically).
Secondly, this network will be physically built in the lab using Cisco 2811 routers, Cisco 3560 switches, Cisco 2600 APs, Cisco 7945 IP phones, Windows Server 2008 and personal PCs and laptops.
The network will be connected using serial and Ethernet cabling plus wireless connections.
In this report we will look at a number of open source network performance and monitoring tools and give a brief description of their functionality.
Based on our preference for open source software, we will look in more depth at the uses and functionality of Wireshark.
We will use active and passive monitoring over the network we created and demonstrate how the data can be captured.
One of the primary uses of the software is the ability to filter the traffic, enabling you to reduce the amount of visible data, extract the data you wish to see and break it down into small, bite-size pieces that you can work with and understand.
Chapter 2
Literary Review
Network Monitoring
What is network monitoring?
Network monitoring and network management are terms often used interchangeably for the same function.
In simple terms, network monitoring is a system with the capability of continually monitoring a network that will notify a network administrator of any faults, failures or outages. There are various software packages available to conduct this task automatically. The software packages vary greatly in their capabilities and cost, depending on the level of monitoring, the size of the network, the amount of resources available and the budget available to spend.
Network monitoring for large corporations is a critical IT function. Checking on network performance and employee productivity can save the company a lot of money. A network monitoring system monitors an internal network for problems. It can identify, and help resolve, network vulnerabilities, bad configuration, slow downloads and lost e-mails, and monitor user activity for misuse of the network. It will also highlight overloading, servers down and bad connections.
A network monitoring system will be capable of detecting any failures of devices or connections.
It will measure the CPU usage of hosts and the utilisation of the bandwidth. Messages known as "watchdog" messages are sent back to a central server or system administrator advising of the current status. If the system detects failures, unacceptably slow responses or unexpected behaviours or responses, it will send additional messages known as "alerts" to the administrator, so that corrective action can be taken if required.
The most basic monitoring test would be a "ping", which is available on all machines and tests the connection between two devices. This may be of use in a small peer-to-peer environment, but as networks grow, e.g. in large organisations where a large number of web servers may be in use and spread all around the world, much more sophisticated software is required.
Network monitoring uses tools to ensure that the availability and performance of the network remain at an acceptable level for the end hosts/users.
In today's environment, any downtime of a computer or network means lost time, opportunity, business and MONEY, so monitoring your network and ensuring a high level of performance is vital to any organisation.
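The watchdog/alert scheme described above is easy to lose in prose, so here it is as an added example written for this report (it is not the report's own code, nor code from any of the tools it lists). A small poller evaluates one reading per host: every reading yields a "watchdog" status message, while threshold breaches and repeated probe failures yield "alert" messages. The host names, thresholds (RTT_ALERT_MS, CPU_ALERT_PCT, LINK_ALERT_PCT, MISSES_BEFORE_ALERT) and readings are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Reading:
    """One probe result for one host, as a poller would collect it.
    The sample values further down are constructed for this example."""
    host: str
    reachable: bool            # did the probe (e.g. a ping) get an answer?
    rtt_ms: Optional[float]    # round-trip time of the probe; None when unreachable
    cpu_pct: float             # CPU utilisation reported by the host
    link_util_pct: float       # utilisation of the host's monitored link


# Thresholds an administrator would tune to their own network (assumed values).
RTT_ALERT_MS = 200.0
CPU_ALERT_PCT = 90.0
LINK_ALERT_PCT = 80.0
MISSES_BEFORE_ALERT = 2        # consecutive failed probes before an alert is raised


class Monitor:
    """Turns readings into watchdog status messages and alert messages."""

    def __init__(self) -> None:
        self.misses: Dict[str, int] = {}   # per-host count of consecutive failed probes

    def evaluate(self, r: Reading) -> Tuple[str, List[str]]:
        """Return (watchdog message, list of alert messages) for one reading."""
        alerts: List[str] = []
        if not r.reachable:
            self.misses[r.host] = self.misses.get(r.host, 0) + 1
            n = self.misses[r.host]
            watchdog = f"watchdog {r.host}: DOWN (miss {n})"
            # A single lost probe is common on any network; alert only on repeated failure.
            if n >= MISSES_BEFORE_ALERT:
                alerts.append(f"alert {r.host}: unreachable for {n} consecutive probes")
            return watchdog, alerts
        self.misses[r.host] = 0            # a successful probe resets the failure count
        watchdog = (f"watchdog {r.host}: UP rtt={r.rtt_ms:.1f}ms "
                    f"cpu={r.cpu_pct:.0f}% link={r.link_util_pct:.0f}%")
        if r.rtt_ms > RTT_ALERT_MS:
            alerts.append(f"alert {r.host}: slow response {r.rtt_ms:.1f}ms "
                          f"(limit {RTT_ALERT_MS:.0f}ms)")
        if r.cpu_pct > CPU_ALERT_PCT:
            alerts.append(f"alert {r.host}: CPU {r.cpu_pct:.0f}% "
                          f"(limit {CPU_ALERT_PCT:.0f}%)")
        if r.link_util_pct > LINK_ALERT_PCT:
            alerts.append(f"alert {r.host}: link utilisation {r.link_util_pct:.0f}% "
                          f"(limit {LINK_ALERT_PCT:.0f}%)")
        return watchdog, alerts

    def run_cycle(self, readings: List[Reading]) -> Tuple[List[str], List[str]]:
        """One polling cycle over all hosts; returns (watchdogs, alerts)."""
        watchdogs: List[str] = []
        alerts: List[str] = []
        for r in readings:
            w, a = self.evaluate(r)
            watchdogs.append(w)
            alerts.extend(a)
        return watchdogs, alerts


# Constructed readings for two consecutive polling cycles.
CYCLE_1 = [
    Reading("router-a", True, 12.4, 35.0, 40.0),
    Reading("web-1", True, 310.0, 95.0, 20.0),   # slow and CPU-bound
    Reading("switch-2", False, None, 0.0, 0.0),  # first missed probe
]
CYCLE_2 = [
    Reading("router-a", True, 11.9, 30.0, 38.0),
    Reading("web-1", True, 45.0, 60.0, 20.0),    # recovered
    Reading("switch-2", False, None, 0.0, 0.0),  # second missed probe: now an alert
]

if __name__ == "__main__":
    mon = Monitor()
    for cycle in (CYCLE_1, CYCLE_2):
        watchdogs, alerts = mon.run_cycle(cycle)
        print("\n".join(watchdogs + alerts))
```

The consecutive-miss counter is the part worth copying: alerting on the first lost ping produces a stream of false alarms on any real network, while waiting for two misses in a row costs only one extra polling interval before a genuine outage is reported.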
Network Performance
What is network performance?
Network performance is normally measured by bandwidth. Bandwidth is the amount of data that can be carried from one point to another in a given period of time. Bandwidth refers to the overall capacity of the network, which has a direct relationship to the speed at which your network operates. Network performance is measured in bits per second, i.e. Kbps, Mbps, Gbps. This is affected by the medium used, i.e. LAN, Wi-Fi, satellite, and the ISP's hardware.
Another performance measurement, alongside bandwidth, is latency.
Latency refers to several types of delay in the network, which can be caused by a variety of
reasons. Low latency in a network refers to small delays, whereas high latency refers to long
delays. When there is excessive latency, bottlenecks occur and hence reduce the effective
bandwidth. Latency may be due to propagation delays but also involves transmission delays,
i.e. passing through proxy servers, which adds hops. Latency can be easily measured using
tools like "traceroute" and "ping".
Other network performance measures look at packet loss and the uptime of routers and
switches, and review protocols such as SNMP and others.
Software packages will ensure alerts are sent to the network administrator by text, paging,
email or telephone, advising of various predetermined scenarios.
How has network monitoring evolved?
Prior to networking and the Internet as we know it today, communication was limited to
stations directly connected on the network. A common networking practice was to have
computers connected to one central mainframe via leased lines; this method was used
by project RAND in the 1950s, which connected researchers in Pennsylvania and Santa
Monica (Hauben, 2004).
ARPANET and X.25 were the standards being used in the United States and Europe.
The TCP/IP protocol was only created in 1977, and spread rapidly throughout the world to
become the standard protocol. The first wide area network using the TCP/IP protocol was
created in 1984. In 1984, University College London replaced its transatlantic satellite links
with TCP/IP over IPSS. All links were converted to TCP/IP in 1982. The ARPANET was
renamed the "Internet" in 1995. (Klienrock, 2011)
Traditionally, most of the effort and research concentrated on the physical layer, looking at
speed improvements, routing and transport protocols. As networks grew, with the number
of nodes, protocols and port numbers and new applications such as multimedia and the
Internet increasing at a rapid rate, much faster than had been predicted, it quickly became
evident that network monitoring and tools were very necessary.
Two types of monitoring were identified, active monitoring and passive monitoring...
With active monitoring, probe traffic such as PING and SNMP requests is sent over the
network and the performance of the network is extrapolated from the performance of the sent
data; routers of a domain then have to be queried periodically to gather statistics and general
system status information. This brings its own challenges, as huge amounts of data need to be
stored in order to get meaningful results, which in turn increases the overhead on high speed
core routers. For this reason, active monitoring is typically kept to periodic route discovery
and topology analysis.
Nowadays, there are many software packages, or combinations of plug-and-play hardware and
software, available to conduct whatever type of monitoring you require for your organisation.
Virtually any kind of network can be monitored. The type of network may vary from LAN to
WAN to VPN and can include mobiles, servers, routers or switches. The systems available
today will help identify the customer's specific needs and performance metrics, whether they
be compliance requirements, eliminating internal security threats or providing more
operational visibility. (Kim S. Nash, 2013)
Functions of network monitoring
There are many types of traffic that are measured; each piece of information is monitored at
the packet level. Types of measured traffic would consist of:
Service development. Using TCP/UDP port numbers, track new customers and the
applications that they use.
Heavy hitters. Monitor the number of hits etc. (most popular web sites), determined from the
packet IP addresses.
Security. Checking for network intrusion.
Network engineering. This could involve rerouting certain traffic due to congestion.
Charge back. Allocating cost to certain divisions within a network based on usage.
Customer billing. An ISP may charge customers for their byte usage, and this may also vary
with the type of application the customer is using (this can be identified by the TCP/UDP
port numbers).
Path measurement. Measuring the entire path of a packet through the network and
determining its class usage along the paths enables the passive measurement of network path
performance, route troubleshooting and network attack tracing (Duffield, 2004).
Traffic structure. Checking the duration of traffic flows and the composition of the traffic.
Overview of some commonly used protocols
ICMP:
ICMP is another of the core protocols used in IP. ICMP operates outside of TCP/UDP.
ICMP has a very limited set of commands, and its most common and powerful use is the
"Ping", which is most useful when troubleshooting. ICMP traffic is common in almost all
networks bar the very highly secured ones. Ping will determine the connectivity of the
network, but will also determine the latency, i.e. the delay between the source and the
target.
A ping response will also inform you of the number of hops a packet has had to take; this is
communicated as a function of its "Time to live" (TTL).
Lastly, a ping will inform you of the quality of the link, stating the number of packets lost
(SolarWinds, n.d.).
SNMP:
ICMP is a very simplistic protocol by design, and the information you receive will be basic
information about a host's connection. In order to get more detailed information you
need to use alternative protocols. One of the most common protocols is SNMP.
SNMP stands for "Simple Network Management Protocol". It is a commonly used tool for
gathering information from and configuring devices such as servers, printers, routers and
switches using the Internet Protocol.
This software is especially useful when a network is very large (with many hundreds or
thousands of nodes). SNMP will allow you to monitor the network through a management
host. From here you can monitor performance, check network usage and faults, or check for
inappropriate access or usage.
SNMP requests information from its host using GET and GET-NEXT commands. These
commands enable you to obtain specific information from the host. It uses UDP port 161 for
communication, which is a configurable port on all devices. Each piece of information has its
own Object Identifier (OID).
From an NMS you can remotely query OIDs, obtaining much information such as performance,
configuration, environmental information, statistics etc.
SNMP was developed in 1988 and was designed to work on TCP/IP based networks. It was
approved by the IAB as an Internet standard in 1990 and has been widely used ever since.
Virtually all network equipment is SNMP compatible.
As SNMP is a common solution for gathering data from all devices on your network, it goes
without saying that security is a major consideration in its implementation. This can
be achieved through firewalls, access lists and using the privacy and encryption facilities
which are available in SNMPv3 (SolarWinds, n.d.).
Both ICMP and SNMP are widely used in today's network management systems. ICMP is
typically used on a per-device basis, checking availability and latency for specific devices.
SNMP will enhance this data, giving device behaviours and characteristics. SNMP will gather
data such as internal performance statistics or configuration. It will check items such as
CPU, memory and disk utilization, performance and errors.
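As an added example (not part of the original report), the following Python builds the GET and GET-NEXT requests described above from their BER structure and decodes such a message back, flagging that SNMPv1/v2c carry the community string unencrypted, which is why the text points to the privacy features of SNMPv3. The OID 1.3.6.1.2.1.1.1.0 (sysDescr.0) and the community string "public" are standard values used only for illustration; nothing is sent on the network.

```python
"""Minimal SNMPv1/v2c GET and GET-NEXT encoder and decoder, written from the message structure
the text describes: version, community string, PDU, and a list of (OID, value) variable bindings."""

SNMP_GET_REQUEST = 0xA0       # PDU tag for GetRequest
SNMP_GET_NEXT_REQUEST = 0xA1  # PDU tag for GetNextRequest
SNMP_PORT = 161               # UDP port an agent listens on, as noted in the text
SYS_DESCR_OID = "1.3.6.1.2.1.1.1.0"  # sysDescr.0 from the standard system MIB


def _ber_length(n: int) -> bytes:
    """Encode a BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + _ber_length(len(payload)) + payload


def _encode_integer(value: int) -> bytes:
    """Encode a non-negative INTEGER in two's complement with minimal length."""
    length = max(1, (value.bit_length() + 8) // 8)
    return _tlv(0x02, value.to_bytes(length, "big", signed=True))


def _encode_oid(oid: str) -> bytes:
    """Encode a dotted OID: first two arcs packed into one byte, then base-128 sub-identifiers."""
    arcs = [int(a) for a in oid.strip(".").split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for sub in arcs[2:]:
        chunk = [sub & 0x7F]
        sub >>= 7
        while sub:
            chunk.insert(0, (sub & 0x7F) | 0x80)  # continuation bit on all but the last byte
            sub >>= 7
        out.extend(chunk)
    return _tlv(0x06, bytes(out))


def build_request(community: str, oid: str, request_id: int = 1,
                  pdu_tag: int = SNMP_GET_REQUEST, version: int = 0) -> bytes:
    """Build a GET (or GET-NEXT) message for one OID; version 0 = SNMPv1, 1 = SNMPv2c."""
    varbind = _tlv(0x30, _encode_oid(oid) + b"\x05\x00")  # OID with a NULL placeholder value
    pdu = _tlv(pdu_tag, _encode_integer(request_id)
               + _encode_integer(0)          # error-status
               + _encode_integer(0)          # error-index
               + _tlv(0x30, varbind))        # variable-binding list
    return _tlv(0x30, _encode_integer(version) + _tlv(0x04, community.encode()) + pdu)


def _read_tlv(data: bytes, pos: int):
    """Return (tag, payload, position after this TLV)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits give the byte count
        count = length & 0x7F
        length = int.from_bytes(data[pos:pos + count], "big")
        pos += count
    return tag, data[pos:pos + length], pos + length


def _decode_oid(payload: bytes) -> str:
    arcs, value = [payload[0] // 40, payload[0] % 40], 0
    for b in payload[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def parse_message(data: bytes) -> dict:
    """Decode the outer fields of an SNMPv1/v2c message, as a monitor would when checking what
    management traffic crosses the network (SNMPv3 uses a different header layout)."""
    tag, msg, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, version_raw, pos = _read_tlv(msg, 0)
    _, community, pos = _read_tlv(msg, pos)
    pdu_tag, pdu, _ = _read_tlv(msg, pos)
    _, rid_raw, p = _read_tlv(pdu, 0)
    _, _, p = _read_tlv(pdu, p)            # error-status
    _, _, p = _read_tlv(pdu, p)            # error-index
    _, varbinds, _ = _read_tlv(pdu, p)
    oids, q = [], 0
    while q < len(varbinds):
        _, vb, q = _read_tlv(varbinds, q)
        _, oid_raw, _ = _read_tlv(vb, 0)
        oids.append(_decode_oid(oid_raw))
    version = int.from_bytes(version_raw, "big", signed=True)
    return {
        "version": {0: "SNMPv1", 1: "SNMPv2c"}.get(version, f"version {version}"),
        "community": community.decode("ascii", errors="replace"),
        "pdu_type": pdu_tag,
        "request_id": int.from_bytes(rid_raw, "big", signed=True),
        "oids": oids,
        # v1/v2c send the community string in the clear: anyone sniffing the segment can read it
        "plaintext_credentials": version in (0, 1),
    }


if __name__ == "__main__":
    packet = build_request("public", SYS_DESCR_OID)   # what an NMS would send to UDP/161
    print(packet.hex())
    print(parse_message(packet))
```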
Overview of some popular tools
The table below lists the network performance tools developed between 1996 and 2006.
Year: Name of tools
1996: mrtg, NetNow, NetraMet, Network Probe Daemon, InterMapper, Lachesis, Optimal Networks, Digex
1997: INS Net Perf Mgmt survey, tcpspray, Mapnet, Keynote, prtraceroute clflowd flstats, fping, tcpdpriv, NetMedic Pathchar, CAIDA Measurement Tool Taxonomy, bprobe and cprobe
1998: NetOps, Triticom, Maple, PV-Wave, S-Plus, VisualRoute.
1999: Cheops, Ganymede, hping2, Iperf, JetMon, MeasureNet, MatLab, MTR, NeoTrace, Netflow, NetLogger, Network health, NextPoint, Nmap, Pchar, Qcheck, SAA, SafeTP, Sniffit, SNMP from UCSD, Sting, ResponseNetworks, Tcpshow, Tcptrace WinTDS.
2000: Analyzer, bbftp, Big Brother, Bronc, Cricket, EdgeScape, Ethereal (now renamed Wireshark), gen_send/gen_recv, GSIFTP, Gtrace, Holistix, InMon, NcFTP, Natas, NetAlly, NetScout, Network Simulator, Ntop, PingGraph, PingPlotter, Pipechar, RRD, Sniffer, Snoop, StatScope, Synack, View2000, VisualPulse, WinPcap, WU-FTPD, WWW performance monitoring, Xplot.
2001: AdventNet SNMP API, Alchemy Network Monitor, Anasil analyzer, Argent, Autobuf, Bing, Clink, DSLReports, Firehose, GeoBoy, PacketBoy, Internet Control Portal, Internet Periscope, ISDNwatch, Metrica/NPR, Mon, NetPredict, NetTest, Nettimer, Net-One-1, Pathrate, RouteView, sFlow, Shunra, Third Watch, Traceping, Trellian, HighTower, WCAT, What's Up Gold, WS_FTP, Zinger.
2002: ANL Web100 Network Configuration Tester, Anritsu, aslookup, AlertCenter, Alertra, AlertSite, Analyse-it, bbcp, BestFit, Bro, Chariot, CommView, Crypto-Pan, elkMonitor, DotCom, Easy Service Monitor, Etherpeek, Fidelia, Finisar, Fpinger, GDChart, HipLinkXS, ipMonitor, LANExplorer, LinkFerret, LogisoftAR, MGEN, Netarx, NetCrunch, NetDetector, NetGeo, NEPM, NetReality, NIST Net, NLANR AAD, NMIS, OpenNMS PageREnterprise, PastMon, Pathprobe, remstats, RIPmon, RFT, ROMmon, RUDE, Silverback, SmokePing, Snuffle, SysOrb, Telchemy, TCPTune, TCPurify, UDPmon, WebAttack, Zabbix.
2003: AbwE, ActivXpets, AdventNet Web NMS, Analyse It, Argus, Big Sister, CyberGauge, eGInnovations, Internet Detective, Intellipool Network Monitor, JFF Network Management System, LANsurveyor, LANWatch, LoriotPro, MonitorIT, Nagios, NetIntercept, NetMon, NetStatus, Network Diagnostic Tool, Network Performance Advisor, NimBUS, NPS, Network Probe, NetworksA-OK, Sniff'em, Spong, NetStat Live, Open NerveCenter, OPENXTRA, Packeteer, PacketStorm, Packetyzer, PathChirp, Integrien, StableNet PME, TBIT, Tcptraceroute, Tping, Trafd, Trafshow, TrapBlaster, Traceroute-nanog, Ultra Network Sniffer, Vivere Networks.
2004: MonitorMagic, N-central, N-vision, Netmeter, CleverEye, CueVision, D-ITG, Network Physics, FastCopy, internetVista, IPCheck Server, OSSMon, H.323 Beacon, Monitor, FREEping, NetMechnica, NetVizor, Observer, Overseer, ZTI Network Monitor, Orca, PRTG Traffic Grapher, QOVIA, Qradar, Wombat, Route Explorer, Scriptroute, Server Nanny, SNMP Explorer, Ganglia, GFI Network Services Monitor, Little:eye, STAB a Linux tracepath, SolarWinds Orion, Vantage, Vigilix, VitalNet, WatchTower Website Monitoring, WindowsNetworking.com, ServerFiles.com, SNMP Informant.
2005: bulk, BWCTL, Caligare Flow Inspector, Cittio, ClearSight, Distinct Network Monitor, EM7, EZMgt, GigaMon, Host Grapher II, HPN-SSH, Javvin Packet Netcool, netdisco, Netflow Monitor, NetQoS, Pathneck, OWAMP, RANCID, SiteMonitor, STC, SwitchMonitor, SysUpTime, TansuTCP, thrulay, Torrus, Tstat, VSS Monitoring, WebWatchBot, WildPackets, ZoneRanger, Advanced HostMonitor, Just-ping, LinkRank, MoSSHe, mturoute, N-able OnDemand, Scamper, SCAMPI, Simple Infrastructure Capacity Monitor, Spirent, Alvias, Airwave, AppMonitor, BitTorrent, PingER, Analyzer.
2006: Cacti, CSchmidt collection, Cymphonix Network Composer, Darkstat, Ey-on Bandwidth, SNM, Etherape, EZ-NOC, IPTraf, Jnettop, Zenoss, Gigamon University, LITHIUM, mrtg-ping-probe, NetMRG, NetworkActiv Scanner, Web Server Stress Tool, NimTech, NPAD, Nsauditor, Nuttcp, OpenSMART, Plab, WatchMouse, Pandora FMS, PIAFCTM, PolyMon, PSentry, Rider, Sysmon, SpiceWorks, SftpDrive, SpeedTest, TruePath, Unbrowse, Unsniff, Webalizer, RSP, Pktstat
(Alam, 2006)
This section presents a brief introduction to some popular tools used for monitoring
network performance.
CommView:
CommView runs on a Windows platform. It analyses all packets that pass through the
network, both local and Internet traffic. It collects all the data that passes through the
Ethernet port, decodes it, lists all the IP addresses and examines the individual packets.
Screenshots of CommView (Alam, 2006)
HostMonitor
HostMonitor is another useful tool that a network administrator can use. It monitors and
analyses all traffic flowing through the network; it checks host status and statistics and
reports them in log files and reports.
Screenshots of HostMonitor (Alam, 2006)
GFI Network Server Monitor
GFI works on both Windows and Linux platforms. It maximizes the availability of the
network by monitoring all stations connected to the network (i.e. workstations, servers,
routers, switches, printers etc.). It checks for failures and irregularities and will send alerts
by multiple media to the network administrator when it detects a fault. GFI's monitoring
service and its management service run on separate interfaces. The network engine is
multi-threaded and can run up to 40 checks simultaneously. This makes it a good platform for
both small and large organisations as it is easily scalable.
GFI Network Server Monitor can check the status of a terminal server by actually performing
a complete login and checking if the session is established correctly. It can check the
availability of all leading database applications and includes extensive checks for monitoring
Linux servers. CPU usage, printer availability, file existence, running processes, folder size,
file size, user and group membership, disk partitions and disk space can all be monitored by
GFI Network Server Monitor.
You can also access GFI Network Server Monitor remotely, which allows you to change
rules and settings and check local and remote network status.
GFI screenshot (Alam, 2006)
Argus
Argus is a real-time flow monitor, which checks metrics such as connectivity, delay, packet
loss, capacity and jitter on a per-transaction basis. It supports Linux, Solaris, FreeBSD,
OpenBSD, NetBSD and Mac OS X.
Argus can be used for security management, network billing, network operations
management and performance management. It can be used to monitor specific individual
sections of the network or the entire enterprise.
SmokePing
SmokePing works on a Unix platform and is open source software. It measures and stores
latency in the network. It stores long-term data and can graphically display the information
in an easy to read format. It has a smart alarm system which will trigger alarms for
anticipated latency or loss based on predefined patterns.
SmokePing screenshot (Alam, 2006)
Axence NetVision
NetVision is relatively recent, developed in 2006. It runs on all platforms. Once it runs, it
detects all hosts on the entire network and scans the services running on them. It displays the
hosts on an interactive map along with the critical information, making it easy for the
administrator to visually check for potential problems.
Performance (looking forward)
Enhancing performance is about more than increasing bandwidth.
Millions of dollars have been spent by IT organizations throughout the world on tools and
processes to maximize network availability and eliminate faults. However, every day network
traffic is growing in both volume and complexity at an enormous rate, creating performance
issues. So it is vital that network and application improvements focus on performance and
not just availability.
With the phenomenal growth of the World Wide Web, computer networks are challenged and
are pulled in two different directions. On one hand, you have desktop applications consuming
bandwidth with images and video. Then you have thin client devices (less powerful devices
using a central server or site for their applications and resources), which are mainly connected
by wireless devices at the edge of the network. There is also a mismatch between fiber optic
speeds and computer speeds. This is a gap that needs to be bridged.
(Cisco, 2013)
One growth area is the smart tap intrusion detection market.
Seeing the big picture, knowing what is going on and where it is coming from, is the core of
network security and performance management. A tool that is having a big impact on
networking abilities right now is the "smart tap".
Network taps are commonly used for network intrusion detection, VoIP recording and packet
sniffers. They are used in a number of security applications as they are not detectable on the
network.
Smart taps provide the ability to dissect and filter traffic into manageable chunks.
A smart tap has the capability of preventing a failed tap from interrupting the network traffic.
A smart tap also captures all network traffic and does not suffer from lost traffic or network
congestion. It is more user friendly than a standard tap and allows administrators to filter or
direct traffic captures to different devices for analysis.
You could, for example, use a smart tap to look only at HTTPS traffic and ignore all other
traffic if you were checking a particular security problem.
A report from Frost and Sullivan believes that smart tap technology will have additional
growth and that the Europe, Middle East and Africa market will have revenues of 1.34
billion euro by 2017.
(Ohlhorst, 2012)
The major players in the networking market are continuously trying to anticipate where the
market is going and what demands will be made on them over the coming years. Cisco, being
one such company, has recently completed one such analysis.
Cisco has forecast the following through its Visual Networking Index:
General Findings:-
Annual global IP traffic will surpass the zettabyte threshold (1.4 zettabytes (Ohlhorst,
2012)) by the end of 2017.
Global IP traffic has increased more than fourfold in the past 5 years, and will
increase threefold over the next 5 years
Busy hour Internet traffic is growing more rapidly than average Internet traffic
Metro traffic will surpass long-haul traffic in 2014, and will account for 58 percent of
total IP traffic by 2017.
Content Delivery Networks (CDNs) will carry over half of Internet traffic in 2017
Nearly half of all IP traffic will originate with non-PC devices by 2017
Traffic from wireless and mobile devices will exceed traffic from wired devices by
2016
In 2017, the gigabyte equivalent of all movies ever made will cross global IP
networks every 3 minutes
The number of devices connected to IP networks will be nearly three times as high as
the global population in 2017.
Video Findings:-
It would take an individual over 5 million years to watch the amount of video that will
cross global IP networks each month in 2017
Globally, consumer Internet video traffic will be 69 percent of all consumer Internet
traffic in 2017, up from 57 percent in 2012
Internet video to TV doubled in 2012
Video-on-demand traffic will nearly triple by 2017
Content Delivery Network (CDN) traffic will deliver almost two-thirds of all video
traffic by 2017
Mobile Findings:-
IP traffic is growing fastest in the Middle East and Africa
IP traffic in North America will reach 40.7 exabytes per month by 2017
IP traffic in Western Europe will reach 16.8 exabytes per month by 2017
IP traffic in Asia Pacific will reach 43.4 exabytes per month by 2017
IP traffic in Latin America will reach 7.4 exabytes per month by 2017
IP traffic in Central and Eastern Europe will reach 8.8 exabytes per month by 2017
IP traffic in the Middle East and Africa will reach 3.5 exabytes per month by 2017
Global Business Findings:-
Business IP traffic will grow at a rate of 21 percent from 2012 to 2017
Business Internet traffic will grow at a faster pace than IP WAN
Business IP traffic will grow fastest in the Middle East and Africa.
(Cisco,2013)
Conclusion
Based on trends and research findings, network traffic will continue to grow at a phenomenal
rate worldwide for the next decade. The data will continue to grow in size and complexity,
with video media becoming more and more prevalent.
The need for network management and performance management will become ever more
critical to the success of the anticipated growth.
To meet the volume of traffic anticipated in the near future, it is likely that the medium for
networks will move more towards optical (photonic) networks. This type of network would
give speeds of up to 10Gbps on a single optical fibre and a lot more if divided into channels.
While it is relatively easy to tap into copper cables and read the data running over them, it is
difficult to do this with optical signals running over fibre. Many organizations that need
secure networks, such as government and defense installations, already make extensive use of
optical networks, sometimes right to the desktop.
Network administration, network monitoring and network performance will continue to
evolve, develop and expand with the ever growing demand for information and will continue
to play a key role in the future success of all IT systems and applications.
Chapter 3
Simulating a network
Objective:
Create a network which consists of various types of traffic and various mediums of
communication, incorporates standard security protocols and procedures, and monitor the
traffic across the network.
This network will be simulated physically in the lab and we will utilize Packet Tracer, so we
can expand our network and testing.
Network simulation map (Packet Tracer)
Link to Packet Tracer file: project-lab.pkt
Network Configuration
Devices:
Routers (Cisco 2811)
Switches (Cisco 3560-24PS)
Frame-relay switch simulator (Cisco Cloud-PT)
Servers (AAA, email); more may be needed
PCs, laptops, IP phones, tablets
Wireless APs
Switches:
Basic security configuration (enable secret, console, vty, aux passwords)
Vlans (Data, Voice, Wireless, Management)
Trunk port
Routers:
Office-A
Basic security configuration (password length, username, console/aux/vty
passwords, password encryption)
Authentication radius-server
Loopback 0 (ISP simulation)
Sub interfaces (fa0/0.10 ; fa0/0.11 ; fa0/0.15 ; fa0/0.20)
DHCP pools (Data, Voice, Wireless)
Frame-relay (dlci 102)
Routing protocol (eigrp 1)
ACLs
Telephony-service
Voip routing
Full router configurations: see appendix 1
Office-B
Basic security configuration (password length, username, console/aux/vty
passwords, password encryption)
Authentication radius-server
Sub interfaces (fa0/0.10 ; fa0/0.11 ; fa0/0.15 ; fa0/0.20)
DHCP pools (Data, Voice, Wireless)
Frame-relay (dlci 201)
Routing protocol (eigrp 1)
ACLs
Telephony-service
Voip routing
Full router configurations: see appendix 2
VoIP:
Configured telephony services on both routers
Enabled the `no auto-reg-ephone` command to manually assign ephones by entering
MAC addresses
Created the maximum number of ephones to register
Created the maximum number of directory numbers
Set up the voice VLAN source IP address
Created ephone numbers
Set up target sessions
WAN:
We used frame-relay WAN technology between local area networks (LANs) over a wide
area network (WAN).
We also created a virtual interface (loopback0) to represent the ISP connection.
Wireless:
Office-A
Autonomous AP
Security (authentication type WPA2-PSK, encryption
type AES)
Bandwidth 100 Mbps
Half-duplex
Office-B
Autonomous AP
Security (authentication type WEP, encryption key 64 bits)
Bandwidth 100 Mbps
Half-duplex
Security:
Enable password (projectTest)
Console password (projectPass)
VTY password (projectPass)
AUX password (projectPass)
Password encryption (MD5)
AAA server (username `user1`, password `test`)
ACLs (permit access from outside hosts to the email server, deny web traffic initiated from
internal hosts)
Testing
Before we could introduce the monitoring software, we had to conduct basic connectivity
tests.
We conducted ping tests from all routers, switches and PCs. We conducted voice calls
between subnets.
We conducted tests to ensure ACLs were functioning correctly.
We tested our log-on security.
Chapter 4
Wireshark
How to get Wireshark
Wireshark is open source software.
It is compatible with most operating systems and platforms, including Windows, Apple Mac
and Linux.
Its latest stable release is 1.10.6 and is available for free download at
http://www.wireshark.org/
Download and installation is facilitated by a step-by-step installation wizard (Foundation,
2014).
Wireshark brief overview
Wireshark is a powerful network monitoring tool.
Wireshark can capture packets, gather and display statistics, and analyse and narrow down
traffic by filtering. It is an excellent tool for network troubleshooting, optimization and
examining security problems.
You can track the individual packets being sent across the network and from this data you
can identify where problems are occurring. However, it is not recommended for long-term
monitoring.
Data packets are the most basic form of network traffic.
Viewing the contents of a segment of a packet is referred to as packet sniffing, and
recording and logging this data is referred to as packet logging.
Wireshark is computer software which can intercept and log traffic passing through a
digital network and can decode and analyze the content according to specified protocols or
filters.
Wireshark has sophisticated wireless protocol analysis support which can help
administrators troubleshoot wireless networks. Wireshark can capture packets from the air
and decode them, which can help administrators identify potential problems, threats or
issues which are causing poor performance or intermittent connectivity.
Using Wireshark
Wireshark provides the capability of capturing packets travelling over the entire network on a
particular interface at a particular time.
The first thing we did was to open Wireshark and view all traffic passing through the
interface.
Wireshark displayed all connections and all traffic travelling through the interface.
By selecting a particular packet, i.e. from a particular source IP, we could then press capture
and Wireshark captured all data relating to that IP address, MAC address, protocol or port.
We then wanted to look at Internet traffic only for a specific address. So we put HTTP into
the filter box and selected capture. This then showed us the HTTP traffic only.
You can also see SSDP packets; SSDP is the Simple Service Discovery Protocol.
The SSDP protocol can discover Plug & Play devices, with UPnP (Universal Plug and Play).
SSDP uses unicast and a multicast address (239.255.255.250). SSDP is an HTTP-like protocol
and works with the NOTIFY and M-SEARCH methods.
With Wireshark, the SSDP dissector is only partially functional: there is no SSDP filter, but
the http filter shows both HTTP and SSDP. The solution is to filter with the destination port
Wireshark packet list columns (screenshot annotation): number of packets, packet travelling time, source hardware MAC address, source IP address, source port, destination hardware MAC address, destination IP address, destination port, type of communication protocol, packet length (bytes), other information
Similarly, we were able to monitor traffic but exclude certain protocols.
In this example we were able to exclude TCP traffic and UDP traffic by using the "!TCP and
!UDP" command in the filter box. (Note the command will turn green if correct, otherwise
the input is incorrect.)
The purpose of this exercise was to demonstrate how we could concentrate on, or eliminate,
certain protocols, reducing the level of data being captured and making it easier to investigate
areas where there are potential problems.
In the above sample, looking at HTTP only, we could see in clear text what web sites were
being accessed and from what source.
This could be used to identify security risks or to identify inappropriate use of the network.
We then conducted VOIP calls over the network; here we can see the conversations going
across the network. In this scenario, where we captured the packets of the conversation, we
were also able to replay the audio conversation.
Here we have filtered on the protocol "SKINNY".
Skinny Client Control Protocol (SCCP) is a Cisco proprietary standard for terminal control
for use with voice over IP (VoIP). The audio communication between end stations makes use
of the User Datagram Protocol (UDP) and the Internet Protocol (IP). Variants of SCCP are
used by several companies other than Cisco.
Screenshot of Wireshark audio capture:
Telnet vs. SSH:
Telnet is a network protocol used on the Internet or local area networks to provide a
bidirectional interactive text-oriented communication facility using a virtual terminal
connection. User data is interspersed in-band with Telnet control information in an 8-bit byte
oriented data connection over the Transmission Control Protocol (TCP).
Secure Shell (SSH) is a cryptographic network protocol for secure data communication,
remote command-line login, remote command execution, and other secure network services
between two networked computers that connects, via a secure channel over an insecure
network, a server and a client (running SSH server and SSH client programs, respectively). It
was designed as a replacement for Telnet and other insecure remote shell protocols such as
the Berkeley rsh and rexec protocols, which send information, notably passwords, in
plaintext, rendering them susceptible to interception and disclosure using packet analysis.
Telnet:
We captured a telnet conversation and were able to demonstrate how insecure this type of
communication is, by capturing the login details and password in clear text.
To demonstrate this we used the torfree.net website, which is a Canadian ISP.
We used the word "hello" for username and password.
See picture below:
Here we have filtered for the "telnet" protocol out of all traffic
Each telnet packet consists of one letter, so to see the whole data conversation between the
two end users, we used a TCP stream analyzer. Here we can see that all our conversation is
sent in clear text; this demonstrates how telnet has serious security issues when
communicating over an open network such as the Internet.
See picture below:
SSH:
We captured an SSH conversation and were able to demonstrate how secure this type of
communication is by capturing the login details.
To demonstrate this we used the torfree.net website, which is a Canadian ISP.
We used the word "hello" for username and password.
See picture below:
SSH clients and servers can use a number of encryption methods. In the older SSH-1
protocol, 3DES and DES are typically used. SSH-2 adds support for additional encryption
methods including AES and Blowfish. In our example we are using SSH version 2 with the
AES encryption method and a key length of 256 bits.
See pictures below:
Here we can see all data conversation between the two end users; again we used a TCP stream
analyzer.
We see that all data is encrypted using the AES algorithm.
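As an added example (not the project's own work), this Python reproduces what the TCP stream analyzer did for the telnet capture above: it reassembles the one-character segments into the full stream, strips telnet option negotiation, and classifies the session as a cleartext login or as SSH from the server banner. The segment data, the server prompts and the banner "SSH-2.0-ExampleServer" are constructed sample values, not bytes from the lab capture.

```python
"""Reassemble one direction of a captured TCP conversation from its segments (what Wireshark's
"Follow TCP Stream" does) and classify the session as a cleartext telnet-style login or SSH."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes


def reassemble(segments) -> bytes:
    """Join payloads in sequence order, dropping retransmitted bytes; a hole left by a missing
    segment is filled with '?' so the analyst can see that data was not captured."""
    stream, expected = bytearray(), None
    for seg in sorted(segments, key=lambda s: s.seq):
        if not seg.payload:
            continue
        if expected is None:
            expected = seg.seq
        end = seg.seq + len(seg.payload)
        if end <= expected:
            continue                                          # pure retransmission, already have it
        if seg.seq < expected:
            stream.extend(seg.payload[expected - seg.seq:])   # overlap: keep only the new tail
        else:
            stream.extend(b"?" * (seg.seq - expected))        # gap before this segment
            stream.extend(seg.payload)
        expected = end
    return bytes(stream)


IAC, SB, SE = 0xFF, 0xFA, 0xF0


def strip_telnet_negotiation(data: bytes) -> bytes:
    """Remove telnet option negotiation (IAC WILL/WONT/DO/DONT opt, IAC SB ... IAC SE) so that
    only the user-visible characters remain."""
    out, i = bytearray(), 0
    while i < len(data):
        if data[i] != IAC or i + 1 >= len(data):
            out.append(data[i])
            i += 1
        elif data[i + 1] == IAC:                         # escaped literal 0xFF
            out.append(IAC)
            i += 2
        elif data[i + 1] == SB:                          # skip sub-negotiation up to IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end < 0 else end + 2
        elif data[i + 1] in (0xFB, 0xFC, 0xFD, 0xFE):    # WILL / WONT / DO / DONT + option byte
            i += 3
        else:                                            # any other two-byte command
            i += 2
    return bytes(out)


LOGIN_PROMPT = re.compile(rb"(login|username|password)\s*:", re.IGNORECASE)


def classify_stream(server_to_client: bytes, client_to_server: bytes) -> dict:
    """Report whether credentials in this session crossed the wire readable by a sniffer."""
    if server_to_client.startswith(b"SSH-"):
        banner = server_to_client.split(b"\r\n", 1)[0].decode("ascii", errors="replace")
        return {"protocol": "ssh", "banner": banner, "cleartext_credentials": False}
    prompts = LOGIN_PROMPT.findall(strip_telnet_negotiation(server_to_client))
    typed = [line for line in strip_telnet_negotiation(client_to_server).split(b"\r\n") if line]
    return {
        "protocol": "telnet-like",
        "login_prompts": len(prompts),
        "client_input_lines": len(typed),
        "cleartext_credentials": len(prompts) > 0 and len(typed) >= len(prompts),
    }


# Constructed sample: the client typed "hello" twice, one character per segment as the text
# describes, with one segment arriving out of order and one retransmitted.
TELNET_CLIENT_SEGMENTS = [
    Segment(1001, b"h"), Segment(1002, b"e"), Segment(1004, b"l"), Segment(1003, b"l"),
    Segment(1005, b"o"), Segment(1006, b"\r\n"), Segment(1003, b"l"),
    Segment(1008, b"h"), Segment(1009, b"e"), Segment(1010, b"l"), Segment(1011, b"l"),
    Segment(1012, b"o"), Segment(1013, b"\r\n"),
]
TELNET_SERVER_BYTES = b"\xff\xfb\x01\xff\xfd\x18login: hello\r\nPassword: \r\n"   # constructed
SSH_SERVER_BYTES = b"SSH-2.0-ExampleServer\r\n\x00\x00\x04\x7c\x06\x14\x9a\x1f"   # constructed

if __name__ == "__main__":
    client_stream = reassemble(TELNET_CLIENT_SEGMENTS)
    print(client_stream)
    print(classify_stream(TELNET_SERVER_BYTES, client_stream))
    print(classify_stream(SSH_SERVER_BYTES, b"SSH-2.0-ExampleClient\r\n"))
```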
Measuring bandwidth using Wireshark
Wireshark has several ways of showing the bandwidth being used; each method displays the
information with different features. We demonstrate a couple of ways in which Wireshark can
measure bandwidth. In our test we demonstrate how we can see the web traffic (HTTP)
bandwidth. To demonstrate this we created HTTP traffic: we downloaded the Ubuntu image
from their website, leaving Wireshark running in the background. After the download
completed we stopped capturing and applied a filter to display only the traffic we were
interested in. Once you identify a packet belonging to the network flow you are interested in,
right click on it > Conversation Filter > IP / TCP. This will create an IP/TCP filter to isolate
the traffic we are interested in.
The first method we use to see bandwidth is by selecting the menu items Statistics >
Protocol Hierarchy.
On the screenshot above we can see the breakdown of bandwidth by protocol. In this
test we are observing HTTP; we drill down to TCP and observe the Mbit/s figure, which is
about 1.6 in this case.
The second method of seeing bandwidth is selecting the menu items Statistics > Summary.
Here we can also see the display filter and the bandwidth used.
The last method produces a nice graph. Go to Statistics > IO Graphs:
In this statistic we can apply multiple filters and display them simultaneously, for example to compare
two IPs.
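The three Wireshark statistics above, computed by hand over a constructed capture (added example, not code from the report; the server address 203.0.113.10, the packet sizes and the timings are made up): a conversation filter between two hosts, a Summary-style Mbit/s figure, a per-protocol breakdown and the per-second bins an IO graph plots.

```python
from collections import defaultdict

def constructed_capture():
    """Constructed packet records (ts_seconds, src, dst, proto, frame_bytes):
    two seconds of a bulk HTTP download plus unrelated background traffic."""
    pkts = []
    for i in range(200):
        t = i / 100
        pkts.append((t, "203.0.113.10", "10.10.0.50", "tcp", 1514))          # data from server
        if i % 2:
            pkts.append((t + 0.001, "10.10.0.50", "203.0.113.10", "tcp", 54))  # client ACK
    pkts.append((0.5, "10.10.0.50", "10.10.0.1", "udp", 80))                  # DNS query
    pkts.append((1.5, "10.10.0.77", "255.255.255.255", "udp", 342))           # DHCP broadcast
    return sorted(pkts)

def conversation_filter(packets, host_a, host_b, proto="tcp"):
    """Same effect as right-click > Conversation Filter > TCP: both directions between two hosts."""
    return [p for p in packets if p[3] == proto and {p[1], p[2]} == {host_a, host_b}]

def summary_mbps(packets):
    """Statistics > Summary: all bytes seen, over the capture duration, in Mbit/s."""
    duration = packets[-1][0] - packets[0][0] if packets else 0.0
    return sum(p[4] for p in packets) * 8 / duration / 1e6 if duration > 0 else 0.0

def protocol_hierarchy(packets):
    """Statistics > Protocol Hierarchy: (packet count, bytes) per protocol."""
    stats = defaultdict(lambda: [0, 0])
    for p in packets:
        stats[p[3]][0] += 1
        stats[p[3]][1] += p[4]
    return {proto: tuple(v) for proto, v in stats.items()}

def io_graph(packets, interval=1.0):
    """Statistics > IO Graphs: (bin start, Mbit/s) for every time bin of the capture."""
    bins = defaultdict(int)
    for ts, _src, _dst, _proto, size in packets:
        bins[int(ts // interval)] += size
    last = int(packets[-1][0] // interval)
    return [(b * interval, bins[b] * 8 / interval / 1e6) for b in range(last + 1)]

if __name__ == "__main__":
    conv = conversation_filter(constructed_capture(), "10.10.0.50", "203.0.113.10")
    print(f"{summary_mbps(conv):.2f} Mbit/s over {len(conv)} packets")
    for start, mbps in io_graph(conv):
        print(f"t={start:4.1f}s  {mbps:.2f} Mbit/s")
```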
Find network vulnerabilities by using Wireshark
Another way we can use Wireshark is to monitor the network to identify unusual
activity. To do that we need to exclude all trusted traffic by applying specific filters. For
example, after taking out all trusted traffic we may find traffic between internal
hosts and external port 80, in other words web traffic. If we know that this traffic should be
blocked, then we can say that something is wrong with the ACL or firewall configuration. Or we
may find that there is too much broadcast traffic, which can overload our network. In this situation
we need to make changes to the network configuration to reduce this traffic.
Some Filtering options
To get the full benefit of Wireshark, it is important to get familiar with how to filter the traffic
you want to see or don't want to see. Below is a list of useful examples of traffic filtering.
These are capture filters, written in the BPF syntax Wireshark shares with tcpdump; display
filters use a different syntax.
What do you want to do                                            Filter
Capture only traffic to or from IP address 172.168.5.4            host 172.168.5.4
Capture traffic to or from a range of IP addresses                net 172.168.0.0/24
Capture traffic from a range of IP addresses                      src net 172.168.0.0/24
Capture traffic to a range of IP addresses                        dst net 172.168.0.0/24
Capture only DNS (port 53) traffic                                port 53
Capture non-HTTP and non-SMTP traffic on your server              host www.example.com and not port 80 and not port 25
Capture all traffic except ARP and DNS                            port not 53 and not arp
Capture traffic within a range of ports                           (tcp[0:2] > 1500 and tcp[0:2] < 1550) or (tcp[2:2] > 1500 and tcp[2:2] < 1550)
Capture only Ethernet type EAPOL                                  ether proto 0x888e
Reject Ethernet frames towards the Link Layer Discovery           not ether dst 01:80:c2:00:00:0e
Protocol multicast group
Capture only IP traffic                                           ip
Capture only unicast traffic                                      not broadcast and not multicast
Another useful example is looking for a worm or virus.
Many worms try to spread by contacting other hosts on ports 135, 445 or 1433. This filter is
independent of the specific worm; instead it looks for SYN packets originating from the local network
to those specific ports. The parentheses are needed because "and" binds tighter than "or" in the
capture filter syntax.
(dst port 135 or dst port 445 or dst port 1433) and tcp[tcpflags] & (tcp-syn) != 0 and tcp[tcpflags] &
(tcp-ack) = 0 and src net 192.168.0.0/24
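The triage described in this section and the worm filter just above, implemented together over constructed packet summaries (added example, not from the report; the trusted-traffic list, the local networks and the 203.0.113.10 address are assumptions): exclude known-good traffic, flag internal hosts reaching external port 80, measure the broadcast share, and apply the SYN-without-ACK test on ports 135/445/1433 per source.

```python
from collections import defaultdict, namedtuple
import ipaddress

# Constructed packet summaries (not from the report's capture). flags holds the TCP flag bits, 0 for non-TCP.
Pkt = namedtuple("Pkt", "src dst proto dport flags")
SYN, ACK = 0x02, 0x10
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/24")]   # assumed
WORM_PORTS = {135, 445, 1433}                  # ports named in the report's worm filter
TRUSTED = {("udp", 53), ("udp", 123)}          # assumed known-good traffic removed before triage

def is_local(ip):
    return any(ipaddress.ip_address(ip) in net for net in LOCAL_NETS)

def untrusted(packets):
    """First step in the report: exclude trusted traffic so only the rest needs a look."""
    return [p for p in packets if (p.proto, p.dport) not in TRUSTED]

def web_leaks(packets):
    """Internal hosts reaching external port 80. If policy says web is blocked,
    every hit points at a broken ACL or firewall rule."""
    return sorted({(p.src, p.dst) for p in packets
                   if p.proto == "tcp" and p.dport == 80
                   and is_local(p.src) and not is_local(p.dst)})

def broadcast_share(packets):
    """Fraction of packets sent to the limited broadcast address."""
    return sum(p.dst == "255.255.255.255" for p in packets) / len(packets)

def worm_scan_sources(packets, min_targets=3):
    """Same test as the capture filter: SYN set, ACK clear, destination port 135/445/1433,
    source inside the local network. Distinct targets are counted per source so one
    legitimate SMB connection does not raise an alert."""
    targets = defaultdict(set)
    for p in packets:
        if (p.proto == "tcp" and p.dport in WORM_PORTS and p.flags & SYN
                and not p.flags & ACK and is_local(p.src)):
            targets[p.src].add(p.dst)
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}

CAPTURE = (
    [Pkt("10.10.0.50", "10.10.0.1", "udp", 53, 0)] * 5                        # DNS, trusted
    + [Pkt("10.10.0.50", "203.0.113.10", "tcp", 80, SYN)]                     # web to the outside
    + [Pkt("10.10.0.50", "203.0.113.10", "tcp", 80, ACK)] * 3
    + [Pkt("10.10.0.77", "255.255.255.255", "udp", 67, 0)] * 8                # DHCP broadcast burst
    + [Pkt("192.168.0.23", f"192.168.0.{i}", "tcp", 445, SYN) for i in range(2, 12)]
    + [Pkt("192.168.0.5", "192.168.0.10", "tcp", 445, SYN | ACK)]             # a reply, not a scan
)

if __name__ == "__main__":
    pkts = untrusted(CAPTURE)
    print("internal -> external :80 :", web_leaks(pkts))
    print("broadcast share       :", round(broadcast_share(pkts), 2))
    print("SYN scanners          :", worm_scan_sources(pkts))
```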
Chapter 5
Conclusion
Our journey through Computer Network Monitoring and Performance has examined the
scale of networks globally and the anticipated extraordinary growth over the next 3-5 years.
We have examined the types of monitoring and explained the functions of both passive and
active monitoring.
We have looked at how network monitoring has evolved, from its infancy in the 70s,
through the development of the protocols in the 80s and 90s, up to the very advanced and
sophisticated tools that we have today.
We discussed the functions of network monitoring and explained how monitoring is not
just performance and security driven, but can also be revenue driven, by observing and
recording usage by clients.
We have discussed the importance of network performance and monitoring, and how this
task, which goes virtually unnoticed by the end user, is a vital function that maintains the
performance, availability, reliability, integrity and security of every network
throughout the world.
We then looked at some of the countless software packages which assist in the task of network
monitoring and performance. We concentrated on some of the open source packages. Apart
from monetary reasons, we wished to demonstrate the high quality and functionality of
open source software.
After reviewing various open source software options and giving a brief description of
them, we decided to select Wireshark as our software package of preference.
In order to display Wireshark's functionality, we first had to create a network on which to
demonstrate traffic flow, capture the data and show the output.
We constructed a network both physically and in Packet Tracer, utilizing as much
equipment, and as many functions and features, as we had at our disposal, together with the
knowledge we gained over our two semesters.
We programmed switches, routers and wireless controllers, and utilized wireless APs, IP
phones, PCs and servers.
We created Ethernet, serial and wireless networks, and configured Frame Relay, security,
VoIP and wireless technology.
We then tested the system extensively before we introduced the concept of Wireshark and
network monitoring.
This document demonstrates many functions of Wireshark which help you analyse many
network problems.
Network problems can derive from poor configuration, hardware problems and internal or
external attacks.
In order to analyse a network successfully, capturing packets travelling over a network is
important, but is only part of the solution. Due to the volume, speed and types of packets
travelling at any point in time, it is extremely difficult to extract the data which is of any
relevance without a tool such as Wireshark.
This is where Wireshark excels. With a very advanced filtering facility, Wireshark can either
show the packets that you wish to see or filter out the packets that you are confident about,
leaving the data that you may wish to investigate further. By continuing to filter the traffic, you
break the volume of data down into workable chunks where a trained eye can then easily
identify potential problems.
We demonstrated how Wireshark offers graphical displays which can assist in decision
making, and we also demonstrated how you can interrogate individual packets, identifying their
source, destination or content.
We showed how telnet or HTTP is vulnerable to sniffing and how VoIP can be recorded and
played back.
In order to resolve any problem, you must ensure you have sufficient data. Wireshark gathers
that data for you.
Tools like Wireshark are vital for any network administrator to gather data in order to resolve
problems such as poor performance or simply no performance. The lack of this type of
information could have a direct impact on the availability of the network or the confidentiality of
the information on the network.
Wireshark, apart from being one of the best protocol analyzers today, is an excellent source
of knowledge for any network or communications enthusiast.
Appendices
Appendix 1 Router-Office A Configuration
service password-encryption
security passwords min-length 10
!
hostname Rtr-Office-A
!
enable secret 5 $1$mERr$ye005E91umUqwCQ3tVmZF0
!
ip dhcp excluded-address 10.10.0.1 10.10.0.10
ip dhcp excluded-address 10.15.0.1 10.15.0.10
ip dhcp excluded-address 10.20.0.1 10.20.0.10
!
ip dhcp pool Data
network 10.10.0.0 255.255.255.0
default-router 10.10.0.1
option 150 ip 10.10.0.1
ip dhcp pool Voice
network 10.15.0.0 255.255.255.0
default-router 10.15.0.1
option 150 ip 10.15.0.1
ip dhcp pool Wireless
network 10.20.0.0 255.255.255.0
default-router 10.20.0.1
option 150 ip 10.20.0.1
!
aaa new-model
!
aaa authentication login default group radius local
!
username user01 secret 5 $1$mERr$lvOoTqkNNZ4VM9Krhr0V70
!
ip ssh version 2
no ip domain-lookup
!
spanning-tree mode pvst
!
interface Loopback0
ip address 172.16.1.1 255.255.255.252
ip access-group 110 in
ip access-group 120 out
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
!
interface FastEthernet0/0.10
description Data vlan
encapsulation dot1Q 10
ip address 10.10.0.1 255.255.255.0
!
interface FastEthernet0/0.11
description Management vlan
encapsulation dot1Q 11
ip address 10.11.0.1 255.255.255.0
!
interface FastEthernet0/0.15
description Voice vlan
encapsulation dot1Q 15
ip address 10.15.0.1 255.255.255.0
!
interface FastEthernet0/0.20
description Wi-Fi vlan
encapsulation dot1Q 20
ip address 10.20.0.1 255.255.255.0
!
interface FastEthernet0/1
ip address 192.168.0.1 255.255.255.0
duplex auto
speed auto
!
interface Serial0/0/0
ip address 20.0.0.2 255.255.255.0
encapsulation frame-relay
frame-relay map ip 20.0.0.1 102 broadcast
frame-relay map ip 20.0.0.2 102
!
interface Serial0/0/1
no ip address
shutdown
!
interface Vlan1
no ip address
shutdown
!
router eigrp 1
network 20.0.0.0
network 10.0.0.0
network 192.168.0.0
no auto-summary
!
ip classless
!
access-list 110 permit ip any host 192.168.0.254
access-list 110 deny ip any any
access-list 120 deny tcp 10.0.0.0 0.255.255.255 any eq www
access-list 120 permit ip any any
!
radius-server host 192.168.0.254 auth-port 1645 key projecttest
!
dial-peer voice 10 voip
destination-pattern 2..
session target ipv4:20.0.0.1
!
telephony-service
max-ephones 5
max-dn 10
ip source-address 10.15.0.1 port 2000
autoassign 1 to 5
!
ephone-dn 1
number 101
!
ephone-dn 2
number 102
!
ephone-dn 3
number 103
!
ephone 1
device-security-mode none
mac-address 0002.4A12.E911
type 7960
button 1:1
!
line con 0
exec-timeout 5 0
password 7 08315E41031C0603220A1F17
logging synchronous
login authentication default
!
line aux 0
password 7 08315E41031C0603220A1F17
!
line vty 0 4
exec-timeout 5 0
password 7 08315E41031C0603220A1F17
login authentication default
!
end
Appendix 2 Router-Office B Configuration
service password-encryption
security passwords min-length 10
!
hostname Rtr-Office-B
!
enable secret 5 $1$mERr$ye005E91umUqwCQ3tVmZF0
!
ip dhcp excluded-address 10.30.0.1 10.30.0.10
ip dhcp excluded-address 10.35.0.1 10.35.0.10
ip dhcp excluded-address 10.40.0.1 10.40.0.10
!
ip dhcp pool Data
network 10.30.0.0 255.255.255.0
default-router 10.30.0.1
option 150 ip 10.30.0.1
ip dhcp pool Voice
network 10.35.0.0 255.255.255.0
default-router 10.35.0.1
option 150 ip 10.35.0.1
ip dhcp pool Wireless
network 10.40.0.0 255.255.255.0
default-router 10.40.0.1
option 150 ip 10.40.0.1
!
aaa new-model
!
aaa authentication login default group radius local
!
username user01 secret 5 $1$mERr$lvOoTqkNNZ4VM9Krhr0V70
!
no ip domain-lookup
!
spanning-tree mode pvst
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
!
interface FastEthernet0/0.10
description Data vlan
encapsulation dot1Q 10
ip address 10.30.0.1 255.255.255.0
!
interface FastEthernet0/0.11
description Management vlan
encapsulation dot1Q 11
ip address 10.31.0.1 255.255.255.0
!
interface FastEthernet0/0.15
description Voice vlan
encapsulation dot1Q 15
ip address 10.35.0.1 255.255.255.0
!
interface FastEthernet0/0.20
description Wi-Fi vlan
encapsulation dot1Q 20
ip address 10.40.0.1 255.255.255.0
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
shutdown
!
interface Serial0/0/0
no ip address
shutdown
!
interface Serial0/0/1
ip address 20.0.0.1 255.255.255.0
encapsulation frame-relay
frame-relay map ip 20.0.0.2 201 broadcast
frame-relay map ip 20.0.0.1 201
!
interface Vlan1
no ip address
shutdown
!
router eigrp 1
network 20.0.0.0
network 10.0.0.0
no auto-summary
!
ip classless
!
radius-server host 192.168.0.254 auth-port 1645 key projecttest
!
dial-peer voice 10 voip
destination-pattern 1..
session target ipv4:20.0.0.2
!
dial-peer voice 20 voip
destination-pattern 1..
session target ipv4:10.1.1.1
!
telephony-service
max-ephones 5
max-dn 10
ip source-address 10.35.0.1 port 2000
autoassign 1 to 5
!
ephone-dn 1
number 201
!
ephone-dn 2
number 202
!
ephone-dn 3
number 203
!
ephone 1
device-security-mode none
mac-address 000C.CFAA.A29E
type 7960
button 1:1
!
line con 0
exec-timeout 5 0
password 7 08315E41031C0603220A1F17
logging synchronous
login authentication default
!
line aux 0
password 7 08315E41031C0603220A1F17
!
line vty 0 4
exec-timeout 5 0
password 7 08315E41031C0603220A1F17
login authentication default
!
end