Network analyzers. Network packet analyzer. Local network traffic analyzer

REVIEW OF PROGRAMS FOR ANALYSIS AND MONITORING OF NETWORK TRAFFIC

A.I. KOSTROMITSKY, Ph.D. in Technical Sciences, V.S. VOLOTKA

Introduction

Traffic monitoring is important for network management. It is a source of information about the functioning of corporate applications, which is taken into account when allocating funds, planning computing capacity, locating and localizing failures, and resolving security issues.

Not long ago, traffic monitoring was a comparatively simple task. As a rule, computers were connected in a network based on a bus topology, so the transmission medium was shared. This made it possible to attach a single device to the network through which all traffic could be observed. However, the demand for higher throughput and the development of packet switching technologies, which drove down the prices of switches and routers, caused a rapid transition from a shared transmission medium to highly segmented topologies. Overall traffic can no longer be captured from a single point. To obtain a complete picture, every port has to be monitored. The use of point-to-point connections makes it inconvenient to attach monitoring devices, and so many of them would be needed to listen on all ports that the undertaking becomes too expensive. Besides, switches and routers themselves have complex architectures, and the speed of packet processing and forwarding becomes an important factor determining network performance.

One of the most relevant scientific tasks at present is the analysis (and further forecasting) of the self-similar structure of traffic in modern multiservice networks. To solve this task, it is necessary to collect and then analyze various statistics (speed, volume of transferred data, etc.) in operating networks. Collecting such statistics in one form or another is possible with various software tools. However, there is a set of additional parameters and settings that turn out to be very important in the practical use of the various tools.

Different researchers use different programs for traffic monitoring. For example, in earlier work the network traffic analyzer (sniffer) Ethereal (Wireshark) was used.

The review considered the free versions of the programs, which are available at , , .

1. Overview of programs for monitoring network traffic

About ten traffic analyzer programs (sniffers) and more than a dozen programs for monitoring network traffic were reviewed. From these we selected the ones we consider most worth presenting, and we offer an overview of their main capabilities below.

1) BMExtreme (Fig. 1).

This is the new name of the well-known Bandwidth Monitor program. Previously the program was distributed free of charge; now there are three versions, and only the basic one is free. This version has no capabilities other than traffic monitoring, so it can hardly be considered a competitor of the other programs. By default BMExtreme monitors both Internet traffic and local network traffic, but monitoring of LAN traffic can be disabled.

Fig. 1

2) BWMeter (Fig. 2).

This program has not one but two traffic monitoring windows: one displays Internet activity, the other activity in the local network.


Fig. 2

The program has flexible monitoring settings. With their help you can specify whether to monitor data received from and sent to the Internet only by this computer or by all computers connected to the local network, and set the range of IP addresses, ports and protocols for which monitoring will or will not be performed. In addition, you can disable traffic monitoring at certain hours or on certain days. System administrators will certainly appreciate the ability to distribute traffic between the computers of the local network: for each PC you can set the maximum speed of receiving and transmitting data, and forbid network activity with a single mouse click.

Despite its miniature size, the program has many capabilities, some of which can be summarized as follows:

Monitoring of any network interfaces and any network traffic.

A powerful filter system that allows you to evaluate any part of the traffic, down to a specific site in a specified direction or the traffic of each machine in the local network at a specified time of day.

An unlimited number of customizable graphs of network connection activity based on the selected filters.

Control (limiting, pausing) of the traffic flow on any filter.

A convenient statistics system (from hour to year) with an export function.

The ability to view the statistics of remote computers running BWMeter.

A flexible system of alerts and notifications when a certain event occurs.

Maximum customization options, including appearance.

The ability to run as a service.

3) Bandwidth Monitor Pro (Fig. 3).

Its developers paid much attention to configuring the traffic monitoring window. First, you can define which information the program constantly displays on the screen. This can be the amount of data received and transmitted (separately and in total) for today and for any specified period, as well as the average, current and maximum connection speed. If several network adapters are installed, statistics can be tracked for each of them separately. The required information for each network card can also be shown in the monitoring window.


Fig. 3

The notification system deserves separate mention, as it is implemented here quite successfully. You can define the program's behavior when certain conditions are met, such as the transfer of a specified amount of data within a given period of time, reaching a maximum download speed, a change in the connection speed, and so on. If several users work on the computer, Bandwidth Monitor Pro can collect statistics for each of them, provided they log into the system under their own logins.

4) DUTraffic (Fig. 4).

DUTraffic differs from the previous programs in that it is free.


Fig. 4

Like its commercial analogues, DUTraffic can perform various actions when certain conditions are met. For example, it can play an audio file, show a message or disconnect from the Internet when the average or current download speed falls below a specified value, when the duration of an Internet session exceeds a specified number of hours, or when a certain amount of data has been transferred. In addition, various actions can be performed cyclically, for example every time the program records the transfer of a given amount of information. DUTraffic keeps statistics separately for each user and for each Internet connection. The program shows both general statistics for the selected interval and information about the speed, the amount of transmitted and received data and the financial cost of each session.

5) Cacti monitoring system (Fig. 5).

Cacti is an open-source web application (there is no installation file as such). Cacti collects statistical data over certain time intervals and allows them to be displayed graphically. The system builds graphs using RRDtool. Standard templates are mostly used to display statistics on processor load, memory usage, the number of running processes, and incoming/outgoing traffic.

The interface for displaying the statistics collected from network devices is presented as a tree whose structure is defined by the user. As a rule, graphs are grouped by certain criteria, and the same graph can be present in different branches of the tree (for example, traffic through a server's network interface both in the branch devoted to the company's overall Internet traffic and in the branch with the parameters of that device). There is a viewing mode with a custom set of graphs and a preview mode. Each graph can be viewed separately, and it is presented for the last day, week, month and year. It is possible to choose independently the time interval for which the graph is generated, either by specifying calendar parameters or by simply selecting an area on the graph with the mouse.


Table 1

Parameters / Programs | BMExtreme | BWMeter | Bandwidth Monitor Pro | DUTraffic | Cacti
Installation file size | 473 KB | 1.91 MB | 1.05 MB | 1.4 MB | –
Interface language | Russian | Russian | English | Russian | English
Speed graph | | | | |
Traffic graph | | | | |
Export/import (export format) | –/– | (*.csv) | –/– | –/– | (*.xls)
Minimum time step between data reports | 5 min | 1 sec | 1 min | 1 sec | 1 sec
Ability to change the minimum step between data reports | | | | |

2. Overview of network traffic analyzer programs (sniffers)

A traffic analyzer, or sniffer, is a network traffic analyzer: a program or a hardware/software device designed to intercept and then analyze, or only to analyze, network traffic intended for other nodes.

Analysis of the traffic passing through the sniffer allows one to:

Intercept any unencrypted (and sometimes encrypted) user traffic in order to obtain passwords and other information.

Localize a network fault or a configuration error of network agents (for this purpose sniffers are often used by system administrators).

Since in a "classic" sniffer the traffic is analyzed manually, with only the simplest automation tools (protocol analysis, TCP stream reassembly), it is suitable only for analyzing small volumes.

1) Wireshark (formerly Ethereal).

A traffic analyzer program for Ethernet and other computer networks. It has a graphical user interface. Wireshark is an application that "knows" the structure of various network protocols and therefore allows you to parse a network packet, showing the value of each field of a protocol at any level. Since pcap is used for packet capture, only data from networks supported by this library can be captured. Nevertheless, Wireshark can work with many input data formats and can open data files captured by other programs, which extends the capture possibilities.

2) Iris Network Traffic Analyzer.

In addition to the standard functions of collecting, filtering and searching packets, as well as report generation, the program offers unique capabilities for reconstructing data. Iris The Network Traffic Analyzer helps to reproduce in detail users' sessions with various web resources and even allows simulating password-protected access to secure web servers with the help of cookies intercepted in a session. The unique data reconstruction technology implemented in the decoding module transforms hundreds of collected binary network packets into familiar e-mail messages, web pages, ICQ messages and other information. eEye Iris allows viewing unencrypted messages of web mail and instant messaging programs, extending the capabilities of existing monitoring and auditing tools.

The eEye Iris packet analyzer allows capturing various details of an attack, such as the date and time, the IP addresses and DNS names of the attacker's and the victim's computers, and the ports involved.

3) Ethernet Internet Traffic Statistic.

Ethernet Internet Traffic Statistic shows the amount of received and transmitted data (in bytes, in total and for the last session) and displays the connection speed. For clarity, the collected data are displayed in real time on a graph. It works without installation; the interface is in Russian and English.

A utility for monitoring the level of network activity: it shows the amount of received data and keeps statistics for the session, day, week and month.

4) CommTraffic.

This is a convenient utility for collecting, processing and displaying Internet traffic statistics over a modem (dial-up) or dedicated connection. When monitoring a local network segment, CommTraffic shows the Internet traffic of each computer in the segment.

CommTraffic includes an easily customizable, user-friendly interface that shows network performance statistics in the form of graphs and numbers.

Table 2

Parameters / Programs | Wireshark | Iris The Network Traffic Analyzer | Ethernet Internet Traffic Statistic | CommTraffic
Installation file size | 17.4 MB | 5.04 MB | 651 KB | 7.2 MB
Interface language | English | Russian | English, Russian | Russian
Speed graph | | | |
Traffic graph | | | |
Export/import (export format) | +/– (*.txt, *.px, *.csv, *.psml, *.pdml, *.c) | –/– | –/– | –/–
Start monitoring on demand | | | |
Minimum time step between data reports | 0.001 sec | 1 sec | 1 sec | 1 sec
Ability to change the minimum step between data reports | | | |

Conclusion

Summing up, we can say that for most home users the capabilities of a program such as Bandwidth Monitor Pro will be more than sufficient. If we speak of the most functional program for monitoring network traffic, it is undoubtedly BWMeter.

Among the analyzers, Wireshark should be singled out, as it has the most functional capabilities.

The Cacti monitoring system best meets the increased requirements that arise when network traffic is studied for scientific purposes. The authors of this article plan to use this very system in the future for collecting and analyzing traffic in the corporate multiservice network of the Department of Communication Networks of the Kharkiv National University of Radio Electronics.

References

1. Platov V.V., Petrov V.V. Study of the self-similar structure of teletraffic in a wireless network // Radiotechnical Research. Moscow: OKB MEI, 2004. No. 3. P. 58-62.

2. Petrov V.V. Teletraffic structure and an algorithm for ensuring quality of service under the influence of the self-similarity effect. Dissertation for the degree of Candidate of Technical Sciences, 05.12.13, Moscow, 2004, 199 p.

General information

The tools called network analyzers take their name from the Sniffer Network Analyzer. This product was released in 1988 by Network General (now Network Associates) and became one of the first devices that allowed managers to find out what was happening in a large network literally without leaving their desk. The first analyzers read the headers of the data packets transmitted over the network, thus providing administrators with information about sender and recipient addresses, file sizes and other low-level data. And all this in addition to checking that packets were transmitted correctly. Using graphs and text descriptions, analyzers helped network administrators diagnose servers, network links, hubs and switches, as well as applications. Roughly speaking, a network analyzer listens to ("sniffs") the packets of a particular physical network segment. This makes it possible to analyze traffic for the presence of certain patterns, fix certain problems and reveal suspicious activity. A network intrusion detection system is nothing other than an advanced analyzer that compares each packet in the network against a database of known malicious traffic patterns, much as an antivirus program examines the files on a computer. Unlike the tools described earlier, analyzers operate at a lower level.

If we turn to the OSI reference model, analyzers check the two lowest layers: the physical layer and the data link layer.

OSI layer number | Layer name | Devices and protocols
Layer 7 | Application layer | DNS, FTP, HTTP, SMTP, SNMP, Telnet
Layer 6 | Presentation layer |
Layer 5 | Session layer |
Layer 4 | Transport layer | NetBIOS, TCP, UDP
Layer 3 | Network layer | ARP, IP, IPX, OSPF
Layer 2 | Data link layer | Arcnet, Ethernet, Token Ring
Layer 1 | Physical layer | Coaxial cable, optical fiber, twisted pair

The physical layer is the actual physical wiring or other medium used to build the network. At the data link layer, data are encoded for transmission through a specific medium. Data link layer standards include wireless 802.11, Arcnet, coaxial cable, Ethernet, Token Ring and others. Analyzers are usually tied to the type of network in which they operate. For example, to analyze traffic in an Ethernet network, an Ethernet analyzer is needed.

There are commercial-grade analyzers from Fluke, Network General and others. Usually these are special hardware devices that can cost tens of thousands of dollars. Although such hardware is capable of deeper analysis, an inexpensive network analyzer can be built from freely distributed software and an inexpensive Intel-based PC.

Types of analyzers

Many analyzers are released today, and they can be divided into two types. The first includes stand-alone products installed on a portable computer. A consultant can take it along when visiting a client's office and connect it to the network to collect diagnostic data.

Initially, the portable devices intended for testing network operation were designed exclusively for checking the technical parameters of the cable. Over time, however, manufacturers endowed their equipment with a number of protocol analyzer functions. Modern network analyzers are able to reveal a very wide range of possible faults, from physical cable damage to overloading of network resources.

The second type of analyzer is part of a broader category of hardware and software designed for network monitoring, which allows organizations to control their local and wide area network services, including the Web. These programs give administrators a comprehensive view of the state of the enterprise network. For example, with such products one can determine which applications are currently running, which users are registered in the network, and which of them generate the bulk of the traffic.

In addition to revealing low-level network characteristics, for example the source of packets and their destination, modern analyzers decode the obtained information at all seven layers of the Open System Interconnection (OSI) network stack and often give recommendations for solving problems. If analysis at the application layer does not allow an adequate recommendation to be given, the analyzers carry out further investigation at the lower, network layer.

Modern analyzers usually support the remote monitoring standards (RMON and RMON 2) to obtain key performance data automatically, such as information about the load on available resources. Analyzers that support RMON can regularly check the state of network components and compare the obtained data with data collected earlier. If necessary, they issue a warning that the traffic level or performance exceeds the limits set by the administrators.

NetScout Systems introduced the nGenius Application Service Level Manager system, designed to monitor the response time on individual sections of the channel for accessing a Web site and to determine the current performance of servers. This application can analyze the performance of the public network in order to recreate the overall picture on the user's computer. The Danish company NetTest (formerly GN Nettest) began offering Fastnet, a network monitoring system that helps electronic business companies plan channel capacity and detect and fix network faults.

Analysis of convergent (multiservice) networks

The spread of multiservice (converged) networks may have a decisive influence on the future development of telecommunication and data transmission systems. The idea of combining, in a single infrastructure based on a packet protocol, the transmission of data, voice streams and video information turned out to be very attractive for providers specializing in telecommunication services, because it can significantly expand the range of services they offer.

As corporations begin to recognize the efficiency and cost advantages of IP-based converged networks, network tool manufacturers are actively developing the corresponding analyzers. In the first half of the year, many companies presented components of their network administration products intended for voice transmission over IP networks.

"Convergence has created new complexities that network administrators have to deal with," noted Glen Grossman, director of product management at NetScout Systems. "Voice traffic is very sensitive to timing. Analyzers can look at every bit and byte transmitted over the wires, interpret headers and automatically assign priority to data."

The adoption of voice and data convergence technology may awaken a new wave of interest in analyzers, since support for traffic prioritization at the IP packet level becomes essential for the functioning of voice and video services. For example, Sniffer Technologies released Sniffer Voice, a toolkit for multiservice network administrators. This product not only provides the traditional diagnostic services for managing e-mail, Internet and database traffic, but also reveals network problems and gives recommendations for correcting them to ensure correct transmission of voice traffic over IP networks.

The other side of the analyzers' popularity

It should be remembered that there are two sides to the coin with analyzers. They help keep the network in working order, but they can also be used by hackers to search packets for user names and passwords. To protect passwords from interception by analyzers, packet encryption is used (for example, using the Secure Sockets Layer standard).

Nevertheless, there is still no alternative to a network analyzer in situations where it is necessary to understand what is going on in a global or corporate network. A good analyzer allows you to examine the state of a network segment and determine the volume of traffic, as well as establish how it changes during the day, which users create the greatest load, and in which situations problems with traffic distribution or a shortage of bandwidth arise. Thanks to the analyzer, all data fragments in a network segment can be obtained and analyzed for a given period.

However, network analyzers are expensive. If you plan to buy one, first clearly define what you expect from it.

Features of using network analyzers

To use network analyzers safely and productively, the following recommendations should be followed.

Permission is always required

Network analysis, like many other security functions, has the potential for misuse. By intercepting all data transmitted over the network, one can see passwords for various systems, the contents of mail messages and other critical data, both internal and external, since most systems do not encrypt their traffic in the local network. If such data fall into the wrong hands, this can obviously cause serious damage to security. In addition, it may violate employees' privacy. First of all, written permission should be obtained from management, preferably senior management, before starting such activity. It is also necessary to consider what to do with the data after they are obtained. Besides passwords, there may be other critical data. As a rule, network analysis logs should be purged from the system unless they are needed for criminal or civil prosecution. There are documented precedents in which well-meaning system administrators were dismissed for unauthorized data capture.

The network topology must be understood

Before deploying the analyzer, it is necessary to understand the physical and logical organization of the network completely. By performing the analysis in the wrong place, you can get erroneous results or simply not find what you need. It is necessary to check that there are no routers between the workstation being analyzed and the observation point. Routers forward traffic into a network segment only if a request is made to a node located there. Likewise, in a switched network the port you connect to must be configured as a "monitor" or "mirror" port. Different manufacturers use different terminology, but in essence the port must act like a hub and not like a switch, because it must see all traffic passing through the switch, not only the traffic directed to the workstation. Without such a setting, the monitor port will see only what is directed to the port it is connected to, plus broadcast traffic.

Strict search criteria must be used

Depending on what needs to be found, using an open filter (showing everything) makes the data output large and hard to analyze. It is better to use specific criteria to narrow the output produced by the analyzer. Even if you do not know exactly what to look for, you can still write a filter to limit the search results. If an internal machine needs to be found, it is correct to set criteria that show only source addresses inside the given network. If you need to track a particular type of traffic, say FTP traffic, you can limit the results to what comes through the port used by that application. By doing so, significantly better analysis results can be achieved.

Establishing a reference state of the network

By using the network analyzer during normal operation and recording the summary results, a reference state is obtained that can be compared with the results obtained while trying to isolate a problem. The Ethereal analyzer considered below creates several convenient reports for this purpose. Some data will also be obtained for tracking network utilization over time. These data make it possible to determine when the network becomes saturated and what the main reasons are: an overloaded server, an increase in the number of users, a change in the type of traffic, and so on. If there is a starting point, it is easier to understand who is responsible for what.
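The comparison against a reference state described above, as an added example that is not part of the original article: the baseline is a list of per-interval byte counts recorded during normal operation, a later capture summary is compared against the baseline mean and standard deviation, and any interval that exceeds the limit is reported together with the host that contributed most to it (the "who creates the greatest load" question). All numbers and host addresses are constructed sample values; the function names are the example's own.

```python
"""Reference-state (baseline) comparison for network traffic.

Added example; not code from the article. The per-interval byte counts
below are constructed sample data, not real measurements.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed baseline: bytes seen on a segment in each 1-minute interval
# during a normal working period (the "reference state" from the text).
BASELINE_BYTES_PER_MIN = [
    120_000, 135_000, 128_000, 140_000, 131_000, 125_000,
    138_000, 129_000, 133_000, 127_000, 136_000, 130_000,
]

# Constructed later capture summary: (interval_index, source_host, bytes).
# Interval 2 contains a deliberate spike from 10.0.0.13.
LATER_RECORDS = [
    (0, "10.0.0.11", 60_000), (0, "10.0.0.12", 70_000),
    (1, "10.0.0.11", 65_000), (1, "10.0.0.12", 68_000),
    (2, "10.0.0.11", 62_000), (2, "10.0.0.13", 410_000),
    (3, "10.0.0.11", 64_000), (3, "10.0.0.12", 71_000),
]


def baseline_stats(samples):
    """Mean and population standard deviation of the reference period."""
    return mean(samples), pstdev(samples)


def bytes_per_interval(records):
    """Total bytes per interval, regardless of source host."""
    totals = defaultdict(int)
    for interval, _host, nbytes in records:
        totals[interval] += nbytes
    return dict(totals)


def bytes_per_host(records, interval):
    """Bytes per source host within one interval (who creates the load)."""
    totals = defaultdict(int)
    for ivl, host, nbytes in records:
        if ivl == interval:
            totals[host] += nbytes
    return dict(totals)


def find_anomalous_intervals(records, baseline, k=3.0):
    """Intervals whose total exceeds baseline mean + k * stdev.

    Returns a list of (interval, total_bytes, top_talker) tuples: the
    comparison against the reference state that the text describes.
    """
    mu, sigma = baseline_stats(baseline)
    limit = mu + k * sigma
    flagged = []
    for interval, total in sorted(bytes_per_interval(records).items()):
        if total > limit:
            hosts = bytes_per_host(records, interval)
            top_talker = max(hosts, key=hosts.get)
            flagged.append((interval, total, top_talker))
    return flagged


if __name__ == "__main__":
    mu, sigma = baseline_stats(BASELINE_BYTES_PER_MIN)
    print(f"baseline: mean={mu:.0f} B/min, stdev={sigma:.0f} B/min")
    for ivl, total, host in find_anomalous_intervals(LATER_RECORDS, BASELINE_BYTES_PER_MIN):
        print(f"interval {ivl}: {total} B exceeds baseline; top talker {host}")
```

The factor k sets how far above the reference state an interval must lie before it is reported; with the constructed data only interval 2 is flagged, and the per-host breakdown immediately points at the host responsible, which is exactly the kind of question a recorded baseline lets an administrator answer.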

Network packet analyzers, or sniffers, were originally developed as a means of solving network problems. They can intercept, interpret and store for later analysis the packets transmitted over the network. On the one hand, this allows system administrators and technical support engineers to observe how data are transmitted over the network and to diagnose and fix emerging problems. In this sense, packet sniffers are a powerful tool for diagnosing network problems. On the other hand, like many other powerful tools originally intended for administration, sniffers over time came to be used for entirely different purposes. Indeed, a sniffer in the hands of an attacker is a rather dangerous tool that can be used to capture passwords and other confidential information. However, one should not think that sniffers are some magic tool with which any hacker can easily view the confidential information transmitted over the network. Before showing that the danger posed by sniffers is not as great as is often claimed, let us consider the principles of their operation in more detail.

Principles of operation of packet sniffers

Further in this article we consider only software sniffers intended for Ethernet networks. A sniffer is a program that operates at the level of the network adapter NIC (Network Interface Card), that is, at the data link layer, and covertly intercepts all traffic. Since sniffers work at the data link layer of the OSI model, they do not have to follow the rules of higher-level protocols. Sniffers bypass the filtering mechanisms (addresses, ports and so on) that Ethernet drivers and the TCP/IP stack use to interpret data. Packet sniffers capture from the wire everything that passes over it. Sniffers can store frames in binary form and decode them later in order to reveal the higher-level information hidden inside (Fig. 1).

For a sniffer to be able to intercept all packets passing through the network adapter, the network adapter driver must support promiscuous mode. Only in this adapter mode can the sniffer intercept all packets. This mode is either activated automatically when the sniffer starts or set manually in the sniffer's settings.

All intercepted traffic is passed to the packet decoder, which identifies the packets and splits them by hierarchy levels. Depending on the capabilities of the particular sniffer, the packet information can then be further analyzed and filtered.
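The decoder stage just described, together with the narrow filter criteria recommended earlier (source addresses inside a given network, the port of a specific application such as FTP), as an added example that is not part of the original article: decode_frame() splits one Ethernet frame into link, IPv4 and TCP/UDP fields, and matches() applies the filter to the decoded packet. Frames are constructed in memory by the hypothetical helper build_tcp_frame(), so nothing is read from a live adapter; capturing real frames would additionally require an adapter in promiscuous mode and a capture library such as pcap, as the text notes. The MAC and IP addresses are constructed sample values.

```python
"""Minimal packet decoder and filter for Ethernet/IPv4/TCP/UDP frames.

Added example, not code from the article. Frames are constructed in-memory
with build_tcp_frame(); nothing is captured from a live adapter.
"""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional

ETH_P_IP = 0x0800
PROTO_TCP = 6
PROTO_UDP = 17


@dataclass
class Packet:
    src_mac: str
    dst_mac: str
    ethertype: int
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    proto: Optional[int] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    payload: bytes = b""


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def decode_frame(frame: bytes) -> Packet:
    """Split one frame into link, network and transport layer fields."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    pkt = Packet(_mac(src), _mac(dst), ethertype, payload=frame[14:])
    if ethertype != ETH_P_IP:
        return pkt                      # non-IPv4: leave payload undecoded
    ip = frame[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        raise ValueError("truncated or non-IPv4 header")
    ihl = (ip[0] & 0x0F) * 4           # header length in bytes
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ihl < 20 or total_len < ihl or len(ip) < total_len:
        raise ValueError("inconsistent IPv4 lengths")
    pkt.proto = ip[9]
    pkt.src_ip = str(ipaddress.IPv4Address(ip[12:16]))
    pkt.dst_ip = str(ipaddress.IPv4Address(ip[16:20]))
    l4 = ip[ihl:total_len]             # transport header + data
    pkt.payload = l4
    if pkt.proto == PROTO_TCP and len(l4) >= 20:
        pkt.src_port, pkt.dst_port = struct.unpack("!HH", l4[:4])
        pkt.payload = l4[(l4[12] >> 4) * 4:]   # skip TCP header (data offset)
    elif pkt.proto == PROTO_UDP and len(l4) >= 8:
        pkt.src_port, pkt.dst_port = struct.unpack("!HH", l4[:4])
        pkt.payload = l4[8:]
    return pkt


def matches(pkt: Packet, src_net: Optional[str] = None, port: Optional[int] = None) -> bool:
    """Filter: source inside src_net and/or either port equal to `port`."""
    if src_net is not None:
        if pkt.src_ip is None or ipaddress.ip_address(pkt.src_ip) not in ipaddress.ip_network(src_net):
            return False
    if port is not None and port not in (pkt.src_port, pkt.dst_port):
        return False
    return True


def build_tcp_frame(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Construct a sample Ethernet/IPv4/TCP frame (checksums left at zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, PROTO_TCP, 0,
                     ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    eth = bytes.fromhex("00163e000002") + bytes.fromhex("00163e000001") + struct.pack("!H", ETH_P_IP)
    return eth + ip + tcp


# Constructed sample: an FTP control-channel frame from an internal host.
SAMPLE_FRAME = build_tcp_frame("192.168.1.10", "203.0.113.5", 40000, 21, b"USER anonymous\r\n")

if __name__ == "__main__":
    p = decode_frame(SAMPLE_FRAME)
    print(p)
    print("internal FTP:", matches(p, src_net="192.168.1.0/24", port=21))
```

The decoder deliberately checks the length fields at each layer and raises rather than guessing, because frames seen on a monitor port can be truncated or malformed; a filter applied to such a frame would otherwise silently match nothing or match the wrong fields.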

Limitations on the use of sniffers

Sniffers were most dangerous at the time when information was transmitted over the network in the clear (without encryption) and local networks were built on hubs. Those times, however, are irrevocably gone, and today using a sniffer to gain access to confidential information is far from an easy task.

The point is that in local networks built on hubs there is a shared data transmission medium (the network cable), and all network nodes exchange packets while competing for access to this medium (Fig. 2). A packet sent by one node is transmitted to all ports of the hub and is listened to by all other nodes, but is received only by the node to which it is addressed. So if a packet sniffer is installed on one of the network's nodes, it can intercept all packets belonging to this network segment (the network formed by the hub).

Switches are more intelligent devices than hubs and isolate network traffic. A switch knows the addresses of the devices connected to each port and forwards packets only between the necessary ports. This relieves the other ports, which no longer receive every packet as they would with a hub. Thus a packet sent by a network node is transmitted only to the switch port to which the packet's recipient is connected, and all other network nodes cannot see this packet (Fig. 3).

Therefore, if the network is built on a switch, a sniffer installed on one of the network's computers can intercept only the packets exchanged between this computer and other network nodes. As a result, to be able to intercept the packets that the computer or server of interest to the intruder exchanges with other nodes, the sniffer must be installed on that very computer (server), which in reality is not so simple. True, some packet sniffers run from the command line and may have no graphical interface. Such sniffers can, in principle, be installed and run remotely and unnoticed by the user.

In addition, it must be kept in mind that although switches isolate network traffic, all managed switches have a port forwarding or port mirroring function. That is, a switch port can be configured so that all packets arriving at the other switch ports are duplicated on it. If a computer with a packet sniffer is connected to such a port, it can intercept all packets exchanged by the computers of this network segment. As a rule, however, the ability to configure the switch is available only to the network administrator. This, of course, does not mean that he cannot be an intruder, but the network administrator has many other ways to control all the users of the local network, and is unlikely to spy on you in such a sophisticated way.

Another reason why sniffers have largely ceased to be as dangerous as they once were is that today most important data is transmitted in encrypted form. Open, unencrypted services are gradually disappearing from the Internet. For example, the SSL (Secure Sockets Layer) protocol, now superseded by TLS, is used increasingly often when building web sites; instead of unencrypted FTP, encrypted SFTP (SSH File Transfer Protocol, often expanded as Secure FTP) is used; and for other services that do not encrypt by default, virtual private networks (VPNs) are used more and more.

So, regarding the possibility of malicious use of packet sniffers, two things should be kept in mind. First, to pose a serious threat to your network, a sniffer has to be located inside that network. Second, today's encryption standards make intercepting confidential information much harder. Packet sniffers are therefore gradually losing their relevance as hacker tools, while remaining an effective and indispensable tool for diagnosing problems. Moreover, sniffers are useful not only for diagnosing and localizing network problems but also for auditing network security. In particular, packet analyzers make it possible to detect unauthorized traffic, detect and identify unauthorized software, identify protocols that are not in use so that they can be removed from the network, generate traffic for penetration testing, and work together with intrusion detection systems (Intrusion Detection System, IDS).

Overview of software packet sniffers

All software sniffers can be roughly divided into two categories: sniffers that support launching from the command line, and sniffers that have a graphical interface. It should be noted that there are sniffers that combine both capabilities. Sniffers also differ from one another in the protocols they support, the depth of analysis of captured packets, the ability to configure filters, and the ability to interoperate with other programs.

Usually the window of any sniffer with a graphical interface consists of three areas. The first shows summary data about the captured packets. Normally this area displays a minimal set of fields: the capture time of the packet; the IP addresses of the sender and receiver; the MAC addresses of the source and destination; the source and destination ports; the protocol type (network, transport or application layer); and some summary information about the transmitted data. The second area displays statistical information about the selected packet, and the third displays the packet in hexadecimal or ASCII form.

Almost all packet sniffers allow analysis of decoded packets (which is why packet sniffers are also called packet analyzers or protocol analyzers). The sniffer distributes captured packets by layer and protocol. Some packet analyzers are able to recognize the protocol and display the captured information accordingly; this kind of information is shown in the second area of the sniffer window. For example, any sniffer recognizes the TCP protocol, and advanced sniffers can determine which application generated the traffic. Most protocol analyzers recognize more than 500 different protocols and can describe and decode them by name. The more information a sniffer can decode and present on screen, the less has to be decoded by hand.

One of the problems that packet analyzers may run into is the inability to correctly identify a protocol that uses a port other than its default one. For example, to improve security some applications may be configured to use non-default ports. Thus, instead of the traditional port 80 reserved for the web server, the server may be moved to port 8088 or any other. In such a situation a packet analyzer fails to identify the protocol and displays only information about the lower-layer protocol (TCP or UDP).
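The way around the port problem is to identify the protocol from the payload itself rather than from the port. The following is an added example, not code from the original article or from any product it describes: it compares a naive port-based guess with a signature-based guess over a handful of constructed flows (the port table and the flows are assumptions made for the demonstration).

```python
"""Added example: identify the application protocol from the first payload bytes
instead of trusting the port number. Sample flows are constructed for the demo."""

# Constructed sample flows: (src_port, dst_port, first bytes of the client's payload)
SAMPLE_FLOWS = [
    (51234, 80,   b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    (51235, 8088, b"GET /admin HTTP/1.1\r\nHost: intranet\r\n\r\n"),      # web server moved to 8088
    (51236, 443,  bytes.fromhex("16030100c4010000c00303") + b"\x00" * 32),  # TLS ClientHello
    (51237, 2222, b"SSH-2.0-OpenSSH_9.3\r\n"),                             # SSH on a non-standard port
    (51238, 80,   b"\x00\x01\x02\x03\x04\x05\x06\x07"),                    # unknown binary data on port 80
]

# Port-to-protocol table a simple analyzer would rely on (assumed subset of IANA assignments)
WELL_KNOWN_PORTS = {80: "HTTP", 443: "TLS", 22: "SSH", 21: "FTP", 25: "SMTP"}

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"PATCH ")


def guess_by_port(src_port: int, dst_port: int) -> str:
    """Port-based identification: the approach the text describes as failing on non-default ports."""
    for port in (dst_port, src_port):
        if port in WELL_KNOWN_PORTS:
            return WELL_KNOWN_PORTS[port]
    return "TCP"


def guess_by_payload(payload: bytes) -> str:
    """Signature-based identification from the first bytes of the TCP payload."""
    if payload.startswith(HTTP_METHODS) and b" HTTP/1." in payload[:64]:
        return "HTTP"
    if payload.startswith(b"SSH-"):
        return "SSH"
    # TLS record header: type 0x16 (handshake), version 0x03 0x00..0x03,
    # then the handshake message type 0x01 (ClientHello) at offset 5
    if (len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03
            and payload[2] <= 0x03 and payload[5] == 0x01):
        return "TLS"
    return "TCP"  # fall back to the transport layer, as the text describes


def classify_flows(flows):
    """Return (dst_port, port_guess, payload_guess, mismatch) for each flow."""
    result = []
    for src_port, dst_port, payload in flows:
        by_port = guess_by_port(src_port, dst_port)
        by_payload = guess_by_payload(payload)
        result.append((dst_port, by_port, by_payload, by_port != by_payload))
    return result


if __name__ == "__main__":
    for dst_port, by_port, by_payload, mismatch in classify_flows(SAMPLE_FLOWS):
        flag = "  <-- port-based guess is wrong or incomplete" if mismatch else ""
        print(f"dst port {dst_port:5d}: by port={by_port:<4} by payload={by_payload:<4}{flag}")
```

The last flow is the other half of the same problem: port 80 says "HTTP", but the bytes are not HTTP at all, which is exactly the case where an analyzer that trusts ports will mislabel tunnelled or covert traffic.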

There are software sniffers that accept plug-ins, or add-on analytical modules, which allow reports with additional analytical information about the captured traffic to be generated.

Another characteristic feature of most software packet analyzers is the ability to configure filters both before and after capturing traffic. Filters select from the overall traffic only those packets that satisfy a given criterion, which lets the analyst discard irrelevant data when analyzing the traffic.

Network analyzers are reference measuring instruments for diagnosing and certifying cables and cable systems. They can measure all the electrical parameters of a cable system with high accuracy and also operate at higher layers of the protocol stack. Network analyzers generate sinusoidal signals over a wide range of frequencies, which makes it possible to measure the amplitude-frequency response, crosstalk, attenuation and total attenuation on the receiving pair. A network analyzer is a laboratory instrument of considerable size and quite expensive.

Many manufacturers supplement network analyzers with traffic statistics functions (segment utilization, broadcast traffic level, number of collisions and so on) as well as protocol analyzer functions, which capture packets of various protocols according to filter conditions and decode them.

7.3.4. Cable scanners and testers

The main purpose of cable scanners is to measure the electrical and mechanical parameters of cables: cable length, the NEXT parameter, attenuation, impedance, the wiring map of conductor pairs, and the level of electrical noise in the cable. The measurement accuracy of these devices is lower than that of network analyzers, but sufficient for assessing whether a cable complies with the standard.

To locate a fault in a cable system (a break, a short circuit, an incorrectly installed connector and so on), the Time Domain Reflectometry (TDR) method is used. The essence of the method is that the scanner injects a short electrical pulse into the cable and measures the delay until the reflected signal arrives. The polarity of the reflected pulse indicates the nature of the fault (short circuit or break). A correctly installed and terminated cable produces no reflected pulse at all.

The accuracy of the distance measurement depends on how precisely the propagation velocity of electromagnetic waves in the cable is known, and this velocity differs from cable to cable. The propagation velocity in a cable (Nominal Velocity of Propagation, NVP) is usually given as a percentage of the speed of light in vacuum. Modern scanners contain an NVP table for all major cable types and allow the user to set this parameter independently after preliminary calibration.
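As an added worked example (not part of the original text), this is the distance computation a TDR scanner performs; the NVP value and the pulse delay are assumed for illustration:

$$
d = \frac{v\,t}{2} = \frac{\mathrm{NVP}\cdot c\cdot t}{2}
$$

The factor $1/2$ appears because the measured delay $t$ is the round trip to the fault and back. With an assumed $\mathrm{NVP} = 0.69$ (a typical value for category 5e UTP), $c \approx 3\times10^{8}\ \mathrm{m/s}$ and a measured delay $t = 1.0\ \mu\mathrm{s}$:

$$
d \approx \frac{0.69 \cdot 3\times10^{8}\ \mathrm{m/s} \cdot 1.0\times10^{-6}\ \mathrm{s}}{2} \approx 103.5\ \mathrm{m}
$$

Since $d$ is proportional to NVP, the relative error in the distance equals the relative error in NVP: $\delta d / d = \delta\mathrm{NVP}/\mathrm{NVP}$, so an NVP that is wrong by 3% places the fault about 3 m off on a 100 m run. This is why scanners ship an NVP table per cable type and offer calibration against a cable of known length.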

Cable scanners are portable devices that service personnel can carry with them.

Cable testers are the simplest and cheapest devices for cable diagnostics. They make it possible to determine whether a cable is continuous, but unlike cable scanners they do not answer the question of where the fault occurred.

7.3.5. Multifunctional portable monitoring devices

Recently, multifunctional portable devices have appeared that combine the capabilities of cable scanners and protocol analyzers and implement the functions of management systems, while retaining portability as an important property. A multifunctional monitoring device has a specialized network interface that makes it possible to test cables at the physical layer, something a standard adapter in an ordinary computer, which is used only for higher-layer functions, cannot do.

Let us consider a typical set of functions and features of such a device, which is best suited to diagnosing the causes of various network faults occurring at all layers of the protocol stack, from the physical to the application layer.

User interface

The device usually has a convenient and intuitive menu-based interface. The graphical user interface is implemented on a multi-line liquid-crystal display, with LED indicators that alert the user to the most serious problems and faults that have been observed. There is an extensive help file for the operator with context-sensitive access. Information about the state of the network is presented so that a user of any qualification can quickly understand it.

Functions for checking equipment and cables

Multifunctional devices combine the cable scanner functions most often needed in practice with a number of new testing capabilities.

Cable scanning

This function measures the cable length, determines the distance to the most serious defect, and monitors the impedance along the length of the cable. When checking unshielded twisted pair, the following faults can be revealed: split pair, break, short circuit and other kinds of wiring damage.

For Ethernet networks on coaxial cable, the check can be performed on a live network.

Wire map function

Checks that the cores are correctly assigned and detects intermediate breaks and jumpers on twisted pairs. The display shows a list of connections between the contact groups.

Cable mapping function

Used to compile maps of trunk cables and of the cables radiating from a central location.

Automatic cable check

Depending on the configuration, it can measure cable length, impedance, wiring scheme, attenuation and the NEXT parameter at frequencies up to 100 MHz. The automatic check is designed for:

    coaxial cables;

    shielded twisted pair with 150 Ohm impedance;

    unshielded twisted pair with 100 Ohm impedance.

Circuit integrity check with direct current

This function is used when checking coaxial cables to verify that the terminators are correctly installed.

Determination of the nominal velocity of propagation

This function calculates the Nominal Velocity of Propagation (NVP) from a cable of known length and stores the result in the file for a User Defined cable type or for the standard cable under test.

Comprehensive automatic check of the "network adapter - hub" pair

In this comprehensive test the device is connected in series between the end node and the hub. The test automatically identifies the source of the fault: the cable, the hub, the network adapter or the station's software.

Automatic check of network adapters

Checks the correct functioning of newly installed or "suspect" network adapters. For Ethernet networks the following is checked: the MAC address, the signal voltage level, and, for 10BASE-T, the presence and polarity of Link Test pulses. If no signal is detected from the network adapter, the test automatically checks the connecting plug and cable to narrow down the diagnosis.

Functions for collecting statistics

These functions allow the most important parameters characterizing the "health" of a network segment to be monitored in real time. Statistics are collected at different levels of detail in several groups.

Network statistics

This group collects the most important statistical indicators: segment utilization, collision rate, error rate and broadcast traffic level. When these indicators exceed certain thresholds, that is the first sign of problems in the network segment to which the multifunctional device is connected.

Error statistics

This function tracks all types of erroneous frames for a particular technology. For example, Ethernet is characterized by the following types of erroneous frames.

    Short frames. Frames whose length is less than the permitted minimum, i.e. less than 64 bytes. This type of frame is divided into two classes: simply short frames (short), which have a correct checksum, and "runts", which do not. The most likely causes of short frames are faulty network adapters and drivers.

    Long frames (Jabbers). Frames whose length exceeds the permitted value of 1518 bytes, with either a correct or an incorrect checksum. Long frames are the result of a prolonged transmission caused by faulty network adapters.

    Frames of normal size with an incorrect checksum (Bad FCS), and frames with alignment errors between bytes. Frames with an incorrect checksum arise for many reasons: faulty adapters, cable interference, bad contacts, and ports of repeaters, bridges, switches and routers that process frames incorrectly. An alignment error is always accompanied by a checksum error, so a traffic analyzer usually does not distinguish between them. A bad checksum can also result from a transmitting adapter aborting the frame when it detects a collision.

    Ghost frames are the result of electromagnetic interference on the cable. They are accepted by network adapters as frames because they contain the normal frame start pattern 10101011. The number of ghost frames detected depends heavily on the connection point of the network analyzer. Their causes are ground loops and other cable system problems.

Knowing the percentage of erroneous frames of each type can give the administrator a good hint about the possible causes of network faults. Even a small number of erroneous frames can noticeably reduce the useful throughput of the network, because the protocols that recover corrupted frames work with long acknowledgement timeouts. It is considered that in a normally operating network the proportion of erroneous frames should not exceed 0.01%, that is, no more than 1 erroneous frame per 10,000.
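The error categories above can be checked on captured frames by looking at the length limits and verifying the FCS. The following is an added example written for this article, not code from a monitoring device or from the original text; the frames are constructed for the demonstration, and the threshold is the 0.01% figure quoted above.

```python
"""Added example: classify Ethernet frames into the error categories above
(short, runt, jabber, bad FCS) and check the 0.01% error-frame threshold.
All frames are constructed here for the demonstration."""
import struct
import zlib
from collections import Counter

MIN_FRAME_LEN = 64              # bytes from destination MAC through FCS (preamble/SFD not counted)
MAX_FRAME_LEN = 1518
ERROR_FRAME_THRESHOLD = 0.0001  # 0.01 %, the figure given in the text


def ethernet_fcs(frame_body: bytes) -> bytes:
    """IEEE 802.3 FCS: CRC-32 over dst+src+type+payload, sent least significant byte first.
    zlib.crc32 uses the same polynomial and bit ordering, so it can be reused directly."""
    return struct.pack("<I", zlib.crc32(frame_body) & 0xFFFFFFFF)


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes, corrupt_fcs: bool = False) -> bytes:
    body = dst + src + struct.pack("!H", ethertype) + payload
    fcs = ethernet_fcs(body)
    if corrupt_fcs:  # simulate a single bit error on the wire
        fcs = bytes([fcs[0] ^ 0x01]) + fcs[1:]
    return body + fcs


def fcs_ok(frame: bytes) -> bool:
    return len(frame) > 4 and ethernet_fcs(frame[:-4]) == frame[-4:]


def classify_frame(frame: bytes) -> str:
    """Return short / runt / jabber / bad_fcs / ok, following the definitions in the text.
    Alignment errors (a non-whole number of octets) and ghost frames need PHY-level
    information that a captured byte string does not carry, so they are not classified here."""
    n = len(frame)
    if n < MIN_FRAME_LEN:
        return "short" if fcs_ok(frame) else "runt"
    if n > MAX_FRAME_LEN:
        return "jabber"
    return "ok" if fcs_ok(frame) else "bad_fcs"


def error_statistics(frames):
    """Count frames by class and report whether the error-frame threshold is exceeded."""
    counts = Counter(classify_frame(f) for f in frames)
    total = sum(counts.values())
    errors = total - counts["ok"]
    rate = errors / total if total else 0.0
    return counts, rate, rate > ERROR_FRAME_THRESHOLD


# Constructed sample traffic (addresses are arbitrary)
DST = bytes.fromhex("001122334455")
SRC = bytes.fromhex("66778899aabb")
BCAST = b"\xff" * 6
SAMPLE_FRAMES = {
    "ok":      build_frame(DST, SRC, 0x0800, b"\x45" + b"\x00" * 59),            # 78 bytes
    "short":   build_frame(BCAST, SRC, 0x0806, b"\x00" * 20),                     # 38 bytes, FCS correct
    "runt":    build_frame(BCAST, SRC, 0x0806, b"\x00" * 20, corrupt_fcs=True),   # 38 bytes, FCS wrong
    "jabber":  build_frame(DST, SRC, 0x0800, b"\x45" + b"\x00" * 1599),           # 1618 bytes
    "bad_fcs": build_frame(DST, SRC, 0x0800, b"\x45" + b"\x00" * 99, corrupt_fcs=True),  # 118 bytes
}

if __name__ == "__main__":
    for name, frame in SAMPLE_FRAMES.items():
        print(f"{name:8s} len={len(frame):5d} -> {classify_frame(frame)}")
    # two bad frames in ten thousand is already above the 0.01 % limit
    counts, rate, over = error_statistics([SAMPLE_FRAMES["ok"]] * 10000 + [SAMPLE_FRAMES["bad_fcs"]] * 2)
    print(dict(counts), f"error rate {rate:.4%}", "ABOVE threshold" if over else "within threshold")
```

The classifier only sees what the capturing adapter hands up; many adapters drop frames with a bad FCS before the sniffer ever gets them, so counts measured in software are a lower bound compared with a device that taps the physical layer.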

Collision Statistics

This group of characteristics provides information about the number and types of collisions registered in the network segment, which helps establish whether a problem exists and where it lies. Protocol analyzers usually cannot break the total number of collisions down by type, whereas knowing the prevailing type of collision can help understand the cause of poor network operation.

The main types of Ethernet collisions are listed below.

    Local collision (Local Collision). The result of simultaneous transmission by two or more nodes belonging to the segment in which the measurement is made. If the multifunctional device does not itself generate frames, then in a twisted-pair or fiber-optic network no local collisions are registered at all. Too high a level of local collisions is a consequence of cable system problems.

    Remote collision (Remote Collision). These collisions occur on the far side of a repeater, relative to the segment to which the measuring device is connected. In networks built on multiport repeaters (10Base-T, 10Base-FL/FB, 100Base-TX/FX/T4, Gigabit Ethernet) all registered collisions are remote (except when the analyzer itself generates frames and may be a party to the collision). Not all protocol analyzers and monitoring tools register remote collisions the same way, however, because some measuring tools and systems do not register collisions that occur during transmission of the preamble.

    Late collision (Late Collision). A collision that occurs after the first 64 bytes of the frame have been transmitted (under the Ethernet protocol a collision must be detected within the first 64 bytes of the frame). The result of a late collision is a frame longer than 64 bytes with an incorrect checksum. Most often this indicates that the network adapter that caused the collision cannot listen to the line correctly and therefore does not stop transmitting in time. The second cause is an excessively long cable system or too many intermediate repeaters, which exceeds the maximum signal round-trip time. The average collision rate in a normally operating network should stay below 5%. Large bursts (above 20%) may indicate cable problems.

Distribution of network protocols in use

This statistical group concerns network-layer protocols. The display shows a list of the main protocols in descending order of frame count, i.e. the number of packets of each protocol relative to the total number of frames in the network.

Top Senders

This function identifies the most active transmitting nodes in the local network. The device can be configured with a filter for a single address to show the main frame senders for a given station. The data are displayed as a chart together with a list of the main frame senders.

Top Receivers

This function tracks the most active receiving nodes in the network. The information is displayed in the same form as above.

Top Broadcasters

This function shows the stations in the network that most intensively generate frames with broadcast and multicast addresses.

Traffic Generation

The device can generate traffic to check how the network behaves under increased load. Traffic can be generated in parallel with the Network statistics, Error statistics and Collision statistics functions.

The user can set the parameters of the generated traffic, such as intensity and frame size. To test bridges and routers, the device can automatically create IP and IPX packet headers, and all the operator has to do is enter the source and destination addresses.

During the test the user can change the load and frame size on the fly with the cursor keys. This is especially valuable when hunting for network performance problems and the conditions under which faults appear.

Protocol Analysis Functions

Portable multifunctional devices decode and analyze only the main protocols of local networks, such as the protocols of the TCP/IP, Novell NetWare, NetBIOS and Banyan VINES stacks.

Some multifunctional devices do not decode captured packets the way protocol analyzers do; instead they collect statistics on the most important packets that indicate problems in the network. For example, when analyzing the TCP/IP stack, statistics are collected on ICMP packets, with which routers inform end nodes about various errors. For manual checks of node reachability, the device includes support for the IP Ping utility as well as the similar NetWare Ping and NetBIOS Ping utilities.

tcpdump

The main tool for collecting network traffic is tcpdump. This open-source program is installed on practically all Unix-like operating systems. tcpdump is a powerful data collection tool that comes with a very flexible filtering mechanism. It is important to know how to filter the data at collection time in order to obtain a manageable slice of data for analysis. Capturing everything from the network interface on even a moderately loaded network can produce far too much data for simple analysis.

In some simple cases tcpdump can print its output directly to the screen, and that may be enough to find what you are looking for. For example, while this article was being written, some traffic was captured and it was noticed that the machine was sending traffic to an unknown IP address. It turned out that the machine was sending data to the Google IP address 172.217.11.142. Since no Google products had been launched recently, the question arose of why this was happening.
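Filtering at capture time is done with tcpdump's own BPF expressions (for instance `not net 192.168.1.0/24` to drop local traffic), but the "top senders / receivers / broadcasters" views described above, and the kind of anomaly found here, can also be pulled from tcpdump's text output after the fact. The following is an added example, not code from tcpdump or from the original article: it parses lines in the shape `tcpdump -nn` prints for IPv4 (the capture lines are constructed, and the local network 192.168.1.0/24 is an assumption) and reproduces the observation that one local host is talking to an unexpected outside address.

```python
"""Added example: parse `tcpdump -nn` style lines (IPv4 only) and derive
top senders / receivers / broadcasters plus a list of external destinations.
The capture below is constructed for the demonstration."""
import re
from collections import Counter

# Constructed lines in the shape of `tcpdump -nn` output
SAMPLE_CAPTURE = """\
12:00:01.000001 IP 192.168.1.10.51234 > 172.217.11.142.443: Flags [S], seq 1, win 64240, length 0
12:00:01.000002 IP 172.217.11.142.443 > 192.168.1.10.51234: Flags [S.], seq 0, ack 2, win 65535, length 0
12:00:01.000003 IP 192.168.1.10.51234 > 172.217.11.142.443: Flags [P.], seq 1:518, ack 1, win 64240, length 517
12:00:01.000004 IP 192.168.1.20.138 > 192.168.1.255.138: UDP, length 201
12:00:01.000005 IP 192.168.1.20.138 > 192.168.1.255.138: UDP, length 201
12:00:01.000006 IP 192.168.1.30.68 > 255.255.255.255.67: UDP, length 300
12:00:01.000007 IP 192.168.1.10 > 192.168.1.1: ICMP echo request, id 1, seq 1, length 64
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*?)(?:length (?P<len>\d+))?$")


def split_host_port(addr: str):
    """tcpdump appends the port to an IPv4 address with a dot, so 4 dots mean a port is present."""
    if addr.count(".") == 4:
        host, _, port = addr.rpartition(".")
        return host, int(port)
    return addr, None


def parse_capture(text: str):
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ARP, IPv6 and other line shapes are skipped in this example
        src, sport = split_host_port(m["src"])
        dst, dport = split_host_port(m["dst"])
        records.append({"ts": m["ts"], "src": src, "sport": sport,
                        "dst": dst, "dport": dport, "len": int(m["len"] or 0)})
    return records


def is_broadcast(ip: str, local_net: str) -> bool:
    """Assumes a /24: directed broadcast is <net>.255, limited broadcast is 255.255.255.255."""
    return ip == "255.255.255.255" or ip == local_net + "255"


def top_senders(records, n=5):
    return Counter(r["src"] for r in records).most_common(n)


def top_receivers(records, n=5):
    return Counter(r["dst"] for r in records).most_common(n)


def top_broadcasters(records, local_net, n=5):
    return Counter(r["src"] for r in records if is_broadcast(r["dst"], local_net)).most_common(n)


def external_destinations(records, local_net):
    """Display-time filter: which outside hosts did local machines send to, and how many packets?"""
    return Counter(r["dst"] for r in records
                   if r["src"].startswith(local_net)
                   and not r["dst"].startswith(local_net)
                   and not is_broadcast(r["dst"], local_net))


if __name__ == "__main__":
    recs = parse_capture(SAMPLE_CAPTURE)
    print("top senders:     ", top_senders(recs))
    print("top receivers:   ", top_receivers(recs))
    print("top broadcasters:", top_broadcasters(recs, "192.168.1."))
    print("external targets:", dict(external_destinations(recs, "192.168.1.")))
```

The external-destination filter is what surfaces the 172.217.11.142 conversation in the sample; with the equivalent BPF expression given in tcpdump itself, the same result is obtained without capturing the local chatter at all.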

Checking the system showed the following:

[~]$ ps -ef | grep google
