Friday, July 18, 2008

DIY Packet Sniffer

This isn’t going to put Netscout or Network Instruments out of business anytime soon, but if you have a network with several switches, eventually you are going to run into a problem where you need the ability to do a packet capture, and I’m here to show you how to build your own.

The first thing to note is that this is not meant to be a line-rate packet capture system, so don’t come into this thinking you’re going to be able to capture several Gigabit Ethernet interfaces. The idea is to have a system deployed that you can access remotely to do basic packet captures without having to take a laptop out and plug it into a switch.

The first thing that you should identify is the hardware you want to use. I would recommend that you have a recent processor (2 GHz+) and plenty of memory (2GB+) in the system. You want to make sure that you have plenty of memory because the packets will be stored in memory. From there, I just loaded up the system with dual-port NICs (I recommend Intel NICs due to their ability to capture packets with VLAN tags). I used Intel PRO 100/S Dual Port Server NICs (and Compaq DL380 G2 servers for my hardware base). You can find a list of NICs that support Dot1Q VLAN tags, and how to modify the registry to capture them, here:

http://www.intel.com/support/network/sb/CS-005897.htm

As far as OS goes, I went the cheap route and used Windows XP Pro (which is interesting to install on server hardware). This allows you to natively use the Remote Desktop Protocol (RDP) to access the system. However, Windows is not a requirement and Linux is a better option when it comes to trying to capture at speeds approaching line rate.

For software I decided to use the tried and true, free and open source Wireshark (formerly known as Ethereal). Wireshark uses the libpcap library (WinPcap on Windows) to capture packets, just like tcpdump. Where Wireshark really excels is in its filtering ability. The ability to easily write filter strings based on any field in a packet makes it my choice even for decoding packet captures that I get from our Infinitstream sniffers.
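As an added example that is not part of the original post, here is a small Python parser for libpcap-format files (the format Wireshark and tcpdump write) that reports, per frame, whether the 802.1Q tag survived. It is a quick way to confirm that the Intel registry change described above is in effect: with tag stripping still on, every frame comes back with vlan None. The sample capture is constructed inline.

```python
import struct

# Constructed sample data (not a real capture): a libpcap file, link type 1 =
# Ethernet, holding two frames. The first keeps its 802.1Q tag (VLAN 100); the
# second is what a tag-stripping NIC driver hands to WinPcap/libpcap instead.
_DST = bytes.fromhex("ffffffffffff")
_SRC = bytes.fromhex("001122334455")
_PAYLOAD = b"\x45" + b"\x00" * 19  # constructed stub standing in for an IPv4 header

def _frame(vlan_id=None) -> bytes:
    if vlan_id is None:
        return _DST + _SRC + struct.pack("!H", 0x0800) + _PAYLOAD
    tci = vlan_id & 0x0FFF  # PCP 0, DEI 0, 12-bit VID
    return _DST + _SRC + struct.pack("!HHH", 0x8100, tci, 0x0800) + _PAYLOAD

def _record(frame: bytes) -> bytes:
    # pcap record header: ts_sec, ts_usec, incl_len, orig_len (little-endian)
    return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame

SAMPLE_PCAP = (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
               + _record(_frame(100)) + _record(_frame()))

def parse_ethernet(frame: bytes) -> dict:
    """Decode an Ethernet II header, including an 802.1Q tag if one survived."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vlan, offset = None, 14
    if ethertype == 0x8100:  # tagged: TCI then the encapsulated EtherType
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, offset = tci & 0x0FFF, 18
    return {"dst": dst.hex(":"), "src": src.hex(":"), "vlan": vlan,
            "ethertype": ethertype, "payload": frame[offset:]}

def read_pcap(data: bytes) -> list:
    """Parse every frame of a little-endian libpcap file (Ethernet link type)."""
    magic, _, _, _, _, _, linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("expected a little-endian pcap file with Ethernet frames")
    frames, pos = [], 24
    while pos + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack("<IIII", data[pos:pos + 16])
        frames.append(parse_ethernet(data[pos + 16:pos + 16 + incl_len]))
        pos += 16 + incl_len
    return frames
```

To check a real capture from the share, pass the file's bytes to read_pcap and look at the vlan field of each returned frame.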

I would also recommend installing Cisco Discovery Protocol Reporter (CDPR) on the system if you’re connecting up to Cisco switches. This can be helpful if you have a “roaming” port on your sniffer that you move to different switches as needed, so that you can identify which switch and port it is connected to.

Once I had all of the software installed, I created a directory, shared it out as “Packet Captures”, and mapped it on my PC so that once I performed a capture I could quickly copy it to my PC for decoding.

My only frustration with Wireshark was that we were permanently wiring interfaces into dedicated SPAN ports on our switches, and when you have 4 interfaces that all have the description “Intel PRO 100/S NIC” it’s hard to remember where each one is hooked up. I searched high and low for a way to rename these so I could put in a description of which switch and port each was connected to. Finally, while I was doing the registry addition for VLAN tags, I noticed that the “DriverDesc” value held the same description that Wireshark (and for that matter CDPR) reported. A quick edit of that value and a reboot will change the displayed name to anything that you want. You can find the key in:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}

Under this you will find several sub-entries, and you will need to figure out which interface goes with which entry before renaming it.

That's it for this post, I hope somebody finds this helpful.

Friday, July 4, 2008

Managing small(er) Cisco networks

Not everyone out there managing a network is a service provider, and until recently I never had the pleasure of working in an environment where I wasn't using literally the largest routers and switches Cisco manufactures. Nowadays I am working with networks that may only have a few dozen devices per site. For managing these smaller networks, which may not have the resources to purchase a suite such as CiscoWorks, Cisco has a free tool called Network Assistant which can be downloaded here: http://www.cisco.com/pcgi-bin/tablebuild.pl?topic=279230132 (free CCO account required).

Unfortunately it doesn't support much of the older (or larger) equipment that you may have deployed, but odds are that if you purchased it within the last couple of years this software can manage it. Additionally, it can only manage 40 devices; however, you can pick and choose which ones you are going to manage with the software.

The list of features reads like that of its much more expensive CiscoWorks relative:

Configuration management
Troubleshooting advice
Inventory reports
Event notification
Network security settings
Task-based menu
File management
Drag-and-drop Cisco IOS Software upgrades

Even if you don't want to use all of the features, the interface graphing option can be helpful if you need to quickly see the utilization or errors on an interface. Additionally, the configuration backup and restore can be very helpful. In short, if you have a Cisco network, it's a small and free download that may save you some headaches.