Analysis of traffic on a local network through a router. Abstract: Network analyzers. netstat command for analyzing network activity

tcpdump

The main tool for almost all network traffic collection is tcpdump. It is an open-source application that can be installed on almost every Unix-like operating system. tcpdump is an excellent data collection tool and comes with a very powerful filtering engine. It is important to know how to filter data during collection so that you end up with a manageable amount of data for analysis: capturing everything from a network device, even on a moderately busy network, can produce far too much data for simple analysis.

In some cases, tcpdump's direct on-screen output may be enough to find what you are looking for. For example, while this article was being written, some traffic was captured and it was noticed that the machine was sending traffic to an unknown IP address. It turned out that the machine was sending data to the Google IP address 172.217.11.142. Since no Google products were running, the question arose as to why this was happening.

A system check showed the following:

[ ~ ]$ ps -ef | grep google


Network analyzers are reference measurement instruments for diagnosing and certifying cables and cabling systems. They can measure all electrical parameters of cable systems with high accuracy, and they also operate at higher levels of the protocol stack. Network analyzers generate sinusoidal signals over a wide frequency range, which makes it possible to measure the amplitude-frequency response, crosstalk, attenuation and total attenuation on the receiving pair. A network analyzer is a large laboratory instrument that is fairly difficult to handle.

Many manufacturers supplement network analyzers with statistical traffic analysis functions (segment utilization, broadcast traffic level, percentage of erroneous frames) as well as protocol analyzer functions that capture packets of different protocols according to filter conditions and decode them.

7.3.4. Cable scanners and testers

The main purpose of cable scanners is to measure the electrical and mechanical parameters of cables: cable length, the NEXT parameter, attenuation, impedance, the wiring pattern of the conductor pairs, and the level of electrical noise in the cable. The accuracy of these devices is lower than that of network analyzers, but it is quite sufficient to assess a cable's compliance with the standard.

To determine the location of a cable system fault (break, short circuit, incorrectly installed connector, etc.), the Time Domain Reflectometry (TDR) method is used. The essence of this method is that the scanner emits a short electrical pulse into the cable and measures the delay time before the reflected signal arrives. The polarity of the reflected pulse determines the nature of the cable damage (short circuit or break). In a correctly installed and connected cable, the reflected pulse is almost absent.

The accuracy of the distance measurement depends on how accurately the propagation speed of electromagnetic waves in the cable is known; it differs between cables. The propagation speed in a cable (Nominal Velocity of Propagation, NVP) is usually given as a percentage of the speed of light in a vacuum. Modern scanners contain a table of NVP values for all major cable types and also allow the user to set this parameter themselves after a preliminary calibration.

Cable scanners are portable devices that service personnel can carry with them at all times.

Cable testers are the simplest and cheapest devices for cable diagnostics. They allow you to determine whether the cable is continuous, but unlike cable scanners they do not answer the question of where the fault occurred.

7.3.5. Multifunctional portable monitoring devices

Recently, multifunctional portable devices have begun to be produced that combine the capabilities of cable scanners, protocol analyzers and even some functions of control systems, while at the same time maintaining such an important property as portability. Multifunction monitoring devices have a specialized physical interface that allows you to identify problems and test cables at the physical level, which is complemented by a microprocessor with software to perform high-level functions.

Let's consider a typical set of functions and properties of such a device, which turns out to be very useful for diagnosing the causes of various network problems that occur at all levels of the protocol stack, from physical to application.

User Interface

The device usually provides the user with a convenient and intuitive menu-based interface. The graphical user interface is implemented with a multi-line LCD display and LED status indicators that notify the user of the most common problems of the monitored networks. There is an extensive set of context-sensitive operator hints. Network status information is presented in a way that users of all skill levels can quickly understand.

Hardware and cable testing functions

The multi-function instruments combine the most commonly used cable scanner features with a range of new testing capabilities.

Cable scanning

The function allows you to measure the cable length, the distance to the most serious defect, and the impedance distribution along the cable. When checking an unshielded twisted-pair cable, the following faults may be detected: split pairs, breaks, short circuits and other types of connection failure.

For Ethernet-on-coax networks, these tests can be performed on a live network.

Function for determining the wiring of cable cores

Checks the correct connection of the cores and the presence of intermediate breaks and jumpers on the twisted pairs. The display shows a list of interconnected contact groups.

Cable map detection function

Used to map the main cables and cables branching from the central room.

Automatic cable check

Depending on the configuration, it is possible to determine the length, impedance, wire connection pattern, attenuation and NEXT parameter at frequencies up to 100 MHz. Automatic checking is performed for:

    coaxial cables;

    shielded twisted pair cable with an impedance of 150 Ohms;

    unshielded twisted pair cable with an impedance of 100 Ohms.

DC continuity test

This function is used when testing coaxial cables to verify that the correct terminators are being used and that they are installed correctly.

Determination of the nominal speed of propagation

The function calculates the Nominal Velocity of Propagation (NVP) on a cable of known length and can optionally store the result in a file for a user-defined or standard cable type.

Comprehensive automatic verification of the network adapter-hub pair

This comprehensive test connects the device in series between the end node of the network and the hub. The test makes it possible to automatically localize the source of the fault: the cable, the hub, the network adapter or the station software.

Automatic check of network adapters

Checks the correct functioning of newly installed or “suspicious” network adapters. For Ethernet networks, based on the results of the test, the following are reported: MAC address, signal voltage level (as well as the presence and polarity of Link Test pulses for 10BASE-T). If no signal is detected on the network adapter, the test automatically scans the connector and cable to diagnose them.

Statistics collection functions

These functions allow you to monitor in real time changes in the most important parameters that characterize the “health” of network segments. Statistics are usually collected in varying degrees of detail for different groups.

Network statistics

This group contains the most important statistical indicators - segment utilization rate (utilization), collision level, error level and broadcast traffic level. If these indicators exceed certain thresholds, they primarily indicate problems in the network segment to which the multifunctional device is connected.

Frame error statistics

This feature allows you to track all types of erroneous frames for a specific technology. For example, Ethernet technology is characterized by the following types of erroneous frames.

    Short frames. These are frames shorter than the minimum length, that is, less than 64 bytes. Sometimes this type of frame is divided into two classes: simply short frames, which have a correct checksum, and runts, which do not. The most likely causes of short frames are faulty network adapters and their drivers.

    Extended frames (Jabbers). These are frames longer than the allowed 1518 bytes, with a good or bad checksum. Long frames are a consequence of delayed transmissions caused by faulty network adapters.

    Frames of normal size, but with a bad checksum (Bad FCS), and frames with byte alignment errors. Frames with an incorrect checksum can have many causes: bad adapters, cable interference, bad contacts, incorrectly functioning repeater ports, bridges, switches and routers. An alignment error is always accompanied by a checksum error, so some traffic analysis tools do not differentiate between them. An alignment error may result from a frame transmission being stopped when the transmitting adapter detects a collision.

    Ghost frames are the result of electromagnetic interference on the cable. They are perceived by network adapters as frames that do not have the normal start-of-frame flag - 10101011. Ghost frames are longer than 72 bytes, otherwise they are classified as remote collisions. The number of ghost frames detected largely depends on the connection point of the network analyzer. They are caused by ground loops and other problems with the cabling system.

Knowing the percentage distribution of erroneous frames by type can tell the administrator a lot about the possible causes of network problems. Even a small percentage of erroneous frames can lead to a significant reduction in the useful bandwidth of the network if the protocols that recover corrupted frames use large acknowledgement timeouts. It is believed that in a normally operating network the percentage of erroneous frames should not exceed 0.01%, that is, no more than 1 erroneous frame in 10,000.
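To make the categories above concrete, here is an added example (written for this page; it is not code from the original text or from any product described here) that classifies constructed Ethernet frames by length and FCS validity and computes the erroneous-frame share against the 0.01% rule. The MAC addresses and payloads are constructed in the script; the FCS is computed as IEEE 802.3 CRC-32, which uses the same polynomial, initial value and final XOR as Python's zlib.crc32. Alignment errors (a non-integer number of octets) cannot be represented in a byte string and are therefore not modelled.

```python
import struct
import zlib
from collections import Counter

# Ethernet limits for untagged frames, including the 4-byte FCS.
MIN_FRAME = 64
MAX_FRAME = 1518
# "Healthy network" limit quoted in the text: no more than 1 bad frame in 10,000.
ERROR_THRESHOLD = 1 / 10_000


def fcs(body: bytes) -> bytes:
    """IEEE 802.3 FCS: CRC-32 over the frame, sent least-significant byte first."""
    return struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def build_frame(dst: str, src: str, ethertype: int, payload: bytes,
                corrupt_fcs: bool = False) -> bytes:
    """Construct a frame (dst MAC, src MAC, EtherType, payload, FCS).

    With corrupt_fcs=True one bit of the FCS is flipped to simulate a frame
    damaged on the wire. Addresses and payloads used below are constructed.
    """
    body = (bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
            + struct.pack("!H", ethertype) + payload)
    crc = fcs(body)
    if corrupt_fcs:
        crc = bytes([crc[0] ^ 0x01]) + crc[1:]
    return body + crc


def fcs_ok(frame: bytes) -> bool:
    """Recompute the CRC over everything but the trailing FCS and compare."""
    return len(frame) >= 4 and fcs(frame[:-4]) == frame[-4:]


def classify(frame: bytes) -> str:
    """Map a frame to one of the categories listed in the text."""
    n = len(frame)
    if n < MIN_FRAME:
        # Short frames are split by checksum: "short" (FCS correct) vs "runt".
        return "short" if fcs_ok(frame) else "runt"
    if n > MAX_FRAME:
        return "jabber"          # over-long, regardless of checksum
    if not fcs_ok(frame):
        return "bad_fcs"         # normal size, checksum wrong
    return "good"


def error_stats(frames) -> dict:
    """Count categories and compare the erroneous-frame share with 0.01 %."""
    counts = Counter(classify(f) for f in frames)
    total = sum(counts.values())
    errors = total - counts["good"]
    ratio = errors / total if total else 0.0
    return {"counts": dict(counts), "error_ratio": ratio,
            "healthy": ratio <= ERROR_THRESHOLD}


def sample_frames() -> list:
    """Constructed sample: 9996 good frames plus one of each error type."""
    a, b = "00:11:22:33:44:55", "66:77:88:99:aa:bb"   # constructed MACs
    good = build_frame(b, a, 0x0800, bytes(46))        # 14 + 46 + 4 = 64 bytes
    return [good] * 9996 + [
        build_frame(b, a, 0x0800, bytes(10)),          # 28 bytes, FCS ok  -> short
        build_frame(b, a, 0x0800, bytes(10), True),    # 28 bytes, FCS bad -> runt
        build_frame(b, a, 0x0800, bytes(1600)),        # 1618 bytes        -> jabber
        build_frame(b, a, 0x0800, bytes(100), True),   # 118 bytes, FCS bad -> bad_fcs
    ]


if __name__ == "__main__":
    print(error_stats(sample_frames()))
```

With four erroneous frames in 10,000 the sample exceeds the 0.01% limit, so error_stats reports healthy=False; a single bad frame in 10,000 is exactly on the limit and still counts as healthy.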

Collision statistics

This group of characteristics provides information about the number and types of collisions observed on a network segment and allows you to determine whether a problem exists and where it is located. Protocol analyzers usually cannot give a differentiated picture of the distribution of the total number of collisions by type; at the same time, knowing the predominant type of collision can help to understand the cause of poor network performance.

The following are the main types of Ethernet collisions.

    Local Collision. The result of the simultaneous transmission of two or more nodes belonging to the segment in which the measurements are made. If the multifunctional device does not generate frames, then local collisions are not detected in a twisted-pair or fiber-optic network. Too high a level of local collisions is a consequence of problems with the cable system.

    Remote Collision. These collisions occur on the other side of a repeater (relative to the segment in which the measuring device is located). In networks built on multiport repeaters (10Base-T, 10Base-FL/FB, 100Base-TX/FX/T4, Gigabit Ethernet), all measured collisions are remote (except when the analyzer itself generates frames and may be the cause of the collision). Not all protocol analyzers and monitoring tools capture remote collisions in the same way, because some measuring tools and systems do not detect collisions that occur during the transmission of the preamble.

    Late Collision. A collision that occurs after the first 64 bytes of the frame have been transmitted (according to the Ethernet protocol, a collision must be detected while the first 64 bytes of the frame are being transmitted). The result of a late collision is a frame longer than 64 bytes with an incorrect checksum. Most often this indicates that the network adapter at the source of the conflict is unable to listen to the line properly and therefore cannot stop the transmission in time. Another cause of late collisions is a cable system that is too long or has too many intermediate repeaters, so that the maximum round-trip signal delay is exceeded. The average collision rate in a normally operating network should be less than 5%. Large spikes (more than 20%) may indicate cable problems.

Distribution of network protocols used

This statistical group refers to network layer protocols. The display shows a list of the major protocols in descending order of the percentage of frames carrying packets of that protocol relative to the total number of frames on the network.

Top Senders

The function allows you to track the most active transmitting nodes of the local network. The device can be configured to filter by a single address and identify a list of the main frame senders for a given station. The data is displayed on the display in the form of a diagram along with a list of the main senders of frames.

Top Receivers

The function allows you to monitor the most active recipient nodes on the network. The information is displayed in a format similar to the one shown above.

Top Broadcasters

The function identifies network stations that generate frames with broadcast and multicast addresses more than others.

Traffic Generation

The device can generate traffic to test network operation under increased load. Traffic can be generated in parallel with the Network statistics, Frame error statistics and Collision statistics functions.

The user can set the parameters of the generated traffic, such as intensity and frame size. For testing bridges and routers, the device can automatically generate IP and IPX packet headers, and all that is required of the operator is to enter the source and destination addresses.

During testing, the user can increase the frame size and frame rate on the fly using the cursor keys. This is especially valuable when locating the source of network performance problems and failure conditions.

Protocol analysis functions

Typically, portable multifunction instruments support decoding and analysis of only major LAN protocols, such as TCP/IP, Novell NetWare, NetBIOS, and Banyan VINES protocol stacks.

Some multifunction instruments do not have the ability to decode captured packets like protocol analyzers, but instead collect statistics about the most important packets that indicate problems in the networks. For example, when analyzing protocols of the TCP/IP stack, statistics are collected on ICMP protocol packets, with the help of which routers inform end nodes about the occurrence of various types of errors. To manually check the reachability of network nodes, the devices include support for the IP Ping utility, as well as similar utilities NetWare Ping and NetBIOS Ping.


Many network administrators often encounter problems that can be resolved by analyzing network traffic. And here we come across such a concept as a traffic analyzer. So what is it?


NetFlow analyzers and collectors are tools that help you monitor and analyze network traffic data. Network flow analyzers allow you to accurately identify the devices that are reducing channel throughput. They can find problem areas in your system and improve the overall efficiency of the network.

The term “NetFlow” refers to a Cisco protocol designed to collect IP traffic information and monitor network traffic. NetFlow has been adopted as the standard protocol for flow-based technologies.

NetFlow software collects and analyzes flow data generated by routers and presents it in a user-friendly format.

Several other network equipment vendors have their own protocols for monitoring and data collection. For example, Juniper, another highly respected network device vendor, calls its protocol “J-Flow”; HP and Fortinet use the term “sFlow”. Although the protocols are named differently, they all work in a similar way. In this article, we will look at 10 free network traffic analyzers and NetFlow collectors for Windows.

SolarWinds Real-Time NetFlow Traffic Analyzer


Free NetFlow Traffic Analyzer is one of the most popular tools available for free download. It provides the ability to sort, tag and display data in different ways, which makes it convenient to visualize and analyze network traffic. The tool is great for monitoring network traffic by type and time period, as well as for running tests to determine how much traffic various applications consume.

This free tool is limited to one NetFlow monitoring interface and only stores 60 minutes of data. This Netflow analyzer is a powerful tool that is worth using.

Colasoft Capsa Free


This free LAN traffic analyzer identifies and monitors over 300 network protocols and allows you to create custom reports. It includes e-mail monitoring and TCP connection sequence diagrams, all collected in one customizable panel.

Other features include network security analysis: for example, tracking DoS/DDoS attacks and worm activity, and detecting ARP attacks, as well as packet decoding and display, statistics for each host on the network, packet exchange monitoring and flow reconstruction. Capsa Free supports all 32-bit and 64-bit versions of Windows XP.

Minimum system requirements for installation: 2 GB of RAM and a 2.8 GHz processor. You must also have an Ethernet connection to the Internet (NDIS 3 compliant or higher), Fast Ethernet or Gigabit, with a driver that supports promiscuous mode. This allows the program to passively capture all packets transmitted over the Ethernet cable.

Angry IP Scanner


It is an open-source Windows traffic analyzer that is fast and easy to use. It does not require installation and can be used on Linux, Windows and Mac OS X. The tool works by simply pinging each IP address, and it can determine MAC addresses, scan ports, provide NetBIOS information, determine the logged-in user on Windows systems, discover web servers and much more. Its capabilities are extended with Java plugins. Scan data can be saved to CSV, TXT or XML files.

ManageEngine NetFlow Analyzer Professional


A full-featured version of ManageEngine's NetFlow software. It is powerful software with a full set of analysis and data collection functions: real-time monitoring of channel throughput with alerts when thresholds are reached, which allows you to react quickly. In addition, it provides summary data on resource usage, monitoring of applications and protocols, and much more.

The free version of this traffic analyzer allows unlimited use of the product for 30 days, after which you can monitor only two interfaces. System requirements for ManageEngine NetFlow Analyzer depend on the flow rate. Recommended requirements for a minimum flow rate of 0 to 3000 flows per second are a 2.4 GHz dual-core processor, 2 GB of RAM and 250 GB of available hard drive space. As the rate of the flows to be monitored increases, the requirements increase too.

The Dude


This application is a popular network monitor developed by MikroTik. It automatically scans all devices and recreates a network map. The Dude monitors servers running on various devices and alerts you if problems arise. Other features include automatic discovery and display of new devices, the ability to create custom maps, access to tools for remote device management, and more. It runs on Windows, on Linux under Wine and on MacOS under Darwine.

JDSU Network Analyzer Fast Ethernet


This traffic analyzer program allows you to quickly collect and view network data. The tool provides the ability to view registered users, determine the level of network bandwidth usage by individual devices, quickly find and fix errors, and also capture data in real time and analyze it.

The application supports the creation of highly detailed graphs and tables that allow administrators to monitor traffic anomalies, filter data to sift through large volumes of data, and much more. This tool for entry-level professionals, as well as experienced administrators, allows you to take complete control of your network.

Plixer Scrutinizer


This network traffic analyzer allows you to collect and comprehensively analyze network traffic, and quickly find and fix errors. With Scrutinizer, you can sort your data in a variety of ways, including by time interval, host, application, protocol, and more. The free version allows you to control an unlimited number of interfaces and store data for 24 hours of activity.

Wireshark


Wireshark is a powerful network analyzer that can run on Linux, Windows, MacOS X, Solaris and other platforms. Wireshark allows you to view captured data using a GUI, or use the TTY-mode TShark utility. Its features include VoIP traffic collection and analysis, real-time display of Ethernet, IEEE 802.11, Bluetooth, USB and Frame Relay data, XML, PostScript and CSV data output, decryption support, and more.

System requirements: Windows XP or higher, any modern 64/32-bit processor, 400 MB of RAM and 300 MB of free disk space. Wireshark is a powerful tool that can greatly simplify the work of any network administrator.

Paessler PRTG


This traffic analyzer provides users with many useful functions: monitoring of LANs, WANs, VPNs, applications, virtual servers, QoS and the environment. Multi-site monitoring is also supported. PRTG uses SNMP, WMI, NetFlow, sFlow, jFlow and packet analysis, and provides uptime/downtime monitoring and IPv6 support.

The free version allows you to use an unlimited number of sensors for 30 days, after which you can only use up to 100 for free.

nProbe


It is a full-featured open source NetFlow tracking and analysis application.

nProbe supports IPv4 and IPv6, Cisco NetFlow v9 / IPFIX and NetFlow-Lite, and includes functions for VoIP traffic analysis, flow and packet sampling, log generation, MySQL/Oracle and DNS activity, and much more. The application is free if you download and compile the traffic analyzer yourself on Linux or Windows; the prebuilt executable is limited to capturing 2000 packets. nProbe is completely free for educational institutions, non-profits and scientific organizations. The tool works on 64-bit versions of Linux and Windows.

This list of 10 free NetFlow traffic analyzers and collectors will help you get started monitoring and troubleshooting a small office network or a large, multi-site corporate WAN.

Each application presented in this article makes it possible to monitor and analyze network traffic, detect minor failures, and identify bandwidth anomalies that may indicate security threats, and also to visualize information about the network, traffic and much more. Network administrators should have such tools in their arsenal.

This publication is a translation of the article “Top 10 Best Free Netflow Analyzers and Collectors for Windows”, prepared by the friendly project team

In some cases, network traffic analysis is used to detect problems in the operation of a host's network stack and of network segments. There are tools that allow you to capture (listen to) and analyze the operation of the network at the level of transmitted frames, network packets, network connections, datagrams and application protocols.

Depending on the situation, the traffic of the node on which the capture is running, the traffic of a network segment, of a router port, etc. may be available for diagnostics. Advanced traffic interception capabilities are based on the “promiscuous” mode of the network adapter: all frames are processed (not just those addressed to the adapter's own MAC address and broadcasts, as in normal operation).

On an Ethernet network, the following basic capabilities for listening to traffic exist:

  • In a hub-based network, all traffic of the collision domain is available to any network station.
  • In a switch-based network, a station sees its own traffic and all broadcast traffic of its segment.
  • Some managed switches can copy the traffic of a given port to a monitoring port (“mirroring”, port monitoring).
  • Special devices (taps) can be inserted into a network link to pass the link's traffic to a separate port.
  • The “hub trick”: the switch port whose traffic needs to be listened to is connected through a hub, and a monitoring node is also connected to the hub (in most cases this reduces the performance of the network connection).

There are programs (network monitors or analyzers, sniffers) that implement listening to network traffic (including in promiscuous mode) and display it or write it to a file. In addition, analysis software can filter traffic according to rules, decode protocols, collect statistics and diagnose some problems.

Note: a good choice of basic tool for analyzing network traffic in a graphical environment is the free package Wireshark [43], available for Windows and in the repositories of some Linux distributions.

tcpdump utility

The tcpdump console utility is included with most Unix systems and allows you to intercept and display network traffic [44]. The utility uses libpcap, a portable C/C++ library to capture network traffic.

To install tcpdump on Debian you can use the command:

# apt-get install tcpdump

To run this utility you must have superuser rights (in particular, because the network adapter has to be put into “promiscuous” mode). In general, the command format is as follows:

tcpdump <options> <filter-expression>

To print a description of the headers (decoded data) of captured packets to the console, you must specify the interface to analyze (the -i option):

# tcpdump -i eth0

You can disable the resolution of IP addresses to domain names (since large volumes of traffic generate a large number of DNS queries) with the -n option:

# tcpdump -n -i eth0

To output link-layer data (for example, MAC addresses) use the -e option:

# tcpdump -en -i eth0

Output of additional information (for example, TTL, IP options) is enabled with the -v option:

# tcpdump -ven -i eth0

To increase the captured size of each packet (68 bytes by default), use the -s option followed by the size (-s 0 captures entire packets).

Writing to a file (the raw packets, a “dump”) is done with the -w option followed by the file name:

# tcpdump -w traf.dump

Reading packets from a file is done with the -r option followed by the file name:

# tcpdump -r traf.dump

By default, tcpdump runs in promiscuous mode. The -p switch tells tcpdump not to enable promiscuous mode, so that only traffic addressed to this host is captured.

For more information on tcpdump filter switches and format, see the reference manual (man tcpdump).

Traffic analysis at the network interface level and network level using tcpdump

To select Ethernet frames by MAC address, the following tcpdump constructs are used (general form):

tcpdump ether ( src | dst | host ) MAC_ADDRESS

where src selects by source MAC address, dst by destination MAC address, and host by either source or destination; the same construct is also used to select broadcast traffic.
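As an added example (not from the original text, and it does not call tcpdump), the following Python script shows what the -w/-r dump format and the ether src/dst/host filter do: it writes a small libpcap file image in memory, reads it back, and applies a MAC-address predicate equivalent to the tcpdump construct above, reporting each matching record the way -e output would (source, destination, EtherType). It also shows the effect of the -s snaplen option: a record whose captured length is smaller than its original length is a truncated packet. The MAC addresses, EtherTypes and payloads are constructed; the file layout is the standard libpcap format (24-byte global header, 16-byte per-record header).

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4        # libpcap magic number (microsecond timestamps)
LINKTYPE_ETHERNET = 1


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(dst: str, src: str, ethertype: int, payload: bytes) -> bytes:
    """Ethernet II header + payload (captures normally omit the FCS)."""
    return mac_bytes(dst) + mac_bytes(src) + struct.pack("!H", ethertype) + payload


def write_pcap(frames, snaplen: int = 65535) -> bytes:
    """Serialise frames as 'tcpdump -w' does (little-endian libpcap image).

    Global header: magic, major, minor, thiszone, sigfigs, snaplen, linktype.
    Record header: ts_sec, ts_usec, incl_len (captured), orig_len (on the wire).
    A snaplen smaller than the frame truncates the stored bytes, like 'tcpdump -s'.
    """
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        captured = frame[:snaplen]
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(captured), len(frame))
        out += captured
    return out


def read_pcap(data: bytes):
    """Yield (timestamp, captured_bytes, orig_len) per record, like 'tcpdump -r'."""
    (magic,) = struct.unpack("<I", data[:4])
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:            # file written on a big-endian host
        endian = ">"
    else:
        raise ValueError("not a libpcap file")
    (linktype,) = struct.unpack(endian + "I", data[20:24])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        frame = data[off:off + incl_len]
        if len(frame) != incl_len:
            raise ValueError("truncated record (dump cut short)")
        off += incl_len
        yield ts_sec + ts_usec / 1e6, frame, orig_len


def ether_filter(kind: str, mac: str):
    """Predicate equivalent to tcpdump 'ether (src|dst|host) MAC'."""
    if kind not in ("src", "dst", "host"):
        raise ValueError(kind)
    target = mac_bytes(mac)

    def pred(frame: bytes) -> bool:
        dst, src = frame[0:6], frame[6:12]
        if kind == "src":
            return src == target
        if kind == "dst":
            return dst == target
        return src == target or dst == target
    return pred


def select(data: bytes, kind: str, mac: str) -> list:
    """Parse a dump and return the records matching the filter, decoded like 'tcpdump -e'."""
    pred = ether_filter(kind, mac)
    rows = []
    for ts, frame, orig_len in read_pcap(data):
        if len(frame) < 14 or not pred(frame):   # need a whole Ethernet header to match
            continue
        rows.append({
            "ts": ts,
            "src": mac_str(frame[6:12]),
            "dst": mac_str(frame[0:6]),
            "ethertype": struct.unpack("!H", frame[12:14])[0],
            "truncated": len(frame) < orig_len,  # captured with too small a snaplen
        })
    return rows


# Constructed sample traffic: two hosts exchanging IPv4 plus one ARP broadcast.
HOST_A, HOST_B = "00:11:22:33:44:55", "66:77:88:99:aa:bb"
SAMPLE_FRAMES = [
    build_frame(HOST_B, HOST_A, 0x0800, bytes(60)),               # A -> B, IPv4
    build_frame(HOST_A, HOST_B, 0x0800, bytes(60)),               # B -> A, IPv4
    build_frame("ff:ff:ff:ff:ff:ff", HOST_A, 0x0806, bytes(28)),  # A -> broadcast, ARP
]
SAMPLE_DUMP = write_pcap(SAMPLE_FRAMES)

if __name__ == "__main__":
    for row in select(SAMPLE_DUMP, "host", HOST_A):
        print(f'{row["ts"]:.6f} {row["src"]} > {row["dst"]} type 0x{row["ethertype"]:04x}')
```

Running the script lists all three constructed frames for `host HOST_A`, while `src HOST_A` matches two and `dst HOST_A` one; writing the same frames with snaplen=20 keeps only the Ethernet header plus 6 bytes, and every record is then reported as truncated.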

Each member of the ][ team has their own preferences regarding software and utilities for pentesting. After comparing notes, we found that the choices vary so much that it is possible to put together a real gentleman's set of proven programs. So we did. In order not to make a hodgepodge, we divided the whole list into topics; this time we will cover utilities for sniffing and manipulating packets. Use them in good health.

Wireshark

Netcat

When it comes to data interception, NetworkMiner extracts, from live traffic (or from a pre-prepared dump in PCAP format), files, certificates, images and other media, as well as passwords and other authorization information. A useful feature is the search for data sections that contain keywords (for example, a user login).

Scapy

Website:
www.secdev.org/projects/scapy

A must-have for any hacker, it is a powerful tool for interactive packet manipulation. Receive and decode packets of the most diverse protocols, respond to a request, inject a modified packet or one you created yourself: everything is easy! With its help you can perform a whole range of classic tasks such as scanning, traceroute, attacks and network infrastructure discovery. In one bottle we get a replacement for popular utilities such as hping, nmap, arpspoof, arp-sk, arping, tcpdump, tethereal, p0f, etc. At the same time, Scapy lets you perform any task, even the most specific one that no tool already written by another developer can handle. Instead of writing a whole mountain of lines in C to, for example, generate a malformed packet and fuzz some daemon, it is enough to throw together a couple of lines of code using Scapy! The program has no graphical interface; interactivity is provided through the Python interpreter. Once you get the hang of it, it costs you nothing to create malformed packets, inject the necessary 802.11 frames, combine different approaches in attacks (say, ARP cache poisoning and VLAN hopping), etc. The developers themselves insist that Scapy's capabilities be used in other projects. Imported as a module, it makes it easy to create a utility for various kinds of local network research, vulnerability search, Wi-Fi injection, automatic execution of specific tasks, etc.

packeth

Website:
Platform: *nix, there is a port for Windows

An interesting development that allows, on the one hand, any Ethernet packet to be generated and, on the other hand, sequences of packets to be sent for bandwidth checks. Unlike other similar tools, packeth has a graphical interface, allowing you to build packets in the simplest possible form. And there is more: the creation and sending of packet sequences is especially well developed. You can set delays between sends, send packets at maximum speed to check the bandwidth of a section of the network and, even more interestingly, dynamically change parameters in the packets (for example, the IP or MAC address).
