
Analyzing Network Traffic

PCQ Bureau

Analyzing network traffic is a complex task suited for someone with sound knowledge of networking. To get started with this, you need to do several things. For one, you need a network-packet analyzer, which will capture and display all the packets flowing on your network. If it’s a software packet analyzer, you must ensure that the network adapter on the machine it’s installed in is set to promiscuous mode. This allows the adapter to capture all packets flowing across it, rather than just the ones addressed to it. Next, you need to know where to place this packet analyzer. This depends upon whether you want to analyze traffic for a particular network segment or the entire network. It also depends upon the network size and structure.


If it’s a hub-based network, then you can place the machine with packet-analyzer software anywhere, because all network packets get forwarded to all ports in this case. However, if it’s a large network consisting of multiple network switches and routers, you have to take care of other issues. You can’t analyze traffic across the entire network from one place in this case. You’ll have to pick multiple key points, such as the server or the router, which most of your users access. Then capture packets from these key points and determine the performance levels.

Keep a lookout for the overall network statistics, such as packet size and network utilization

To analyze traffic on a particular switch on your network, you have to configure one of its ports to capture packets flowing to all other ports. This is known as port mirroring. It copies packets flowing across all other ports to the mirrored port. You’ll have to connect the packet analyzer to this port to view packets flowing across it. If you want to be able to capture packets across your entire network, then you’ll have to put the packet analyzer on the main backbone switch of your network. One problem in this case is when there’s a simple switch that doesn’t allow port mirroring. In this case, you have to identify the key point where most of the traffic is going, such as the server, and place a hub between this point and the switch. Put the packet sniffer on this hub, and you’ll be able to see which nodes are communicating with the server.


To analyze traffic on a large network, you either need to have multiple installations of your packet-capturing software, or you’ll have to carry it to different locations. In this case, having it installed on a notebook is a good choice, because it’s portable. Once your packet analyzer is in place, it’s time to do some troubleshooting.

Collecting and analyzing data

The most important part of packet analysis is the collection of data at regular intervals. If you want to be able to determine anomalies on your network, you need to have gathered data over a sufficiently long period of time. This will allow you to distinguish normal network activity from abnormal activity. You must gather data at different times of the day to see the various traffic patterns. Once you have the data, there are several key parameters to observe, such as packet errors, packet size and the number of protocols flowing on the network.

Any decent packet analyzer should be able to display packet errors. These include errors related to CRC checksum failure, frame alignment, runts, and jabbers or oversized packets. Whenever a packet is sent across a network, four bytes carrying a checksum (the CRC) are appended at its end, computed from the rest of the packet. If the receiver recomputes the checksum and gets a different value, a CRC error occurs, meaning the packet is corrupt. Frame alignment errors occur when a packet’s length is not a multiple of eight bits, which it should always be. Runt errors are packets between 8 and 64 bytes. Ideally, Ethernet packet sizes should be between 64 and 1,518 bytes. On the extreme side, jabbers are oversized packets, larger than 1,518 bytes. The only problem with runts and jabbers is their size.


Observe the number of protocols on your network, and sort them according to how much noise each makes. In this case, 21% of the traffic is IPX NetBIOS

Besides packet errors, you should also keep a close eye on packet size. As mentioned, the ideal packet size is between 64 and 1,518 bytes. Ensure that there aren’t too many packets of widely different sizes floating around; the size distribution should be fairly consistent.
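The error and size checks described above (CRC failures, runts, jabbers, and the consistency of packet sizes) can be reproduced in software over raw frames. The following Python is an added example written for this article, not a tool from the original, and the frames it inspects are constructed inline rather than captured. It assumes the frame check sequence is the standard CRC-32 used by Ethernet (the same polynomial and conventions as zlib.crc32, appended least-significant byte first); frame alignment errors cannot be shown here, since anything stored as bytes is already a whole number of octets.

```python
import struct
import zlib
from collections import Counter

# Ethernet limits quoted in the article: a valid frame is 64 to 1,518 bytes,
# counting the 4-byte frame check sequence (FCS) at its end.
MIN_FRAME = 64
MAX_FRAME = 1518
FCS_LEN = 4


def _mac(text):
    """'aa:bb:cc:dd:ee:ff' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(':', ''))


def build_frame(dst, src, ethertype, payload, pad=True, corrupt_fcs=False):
    """Construct a raw Ethernet frame (sample data, not captured traffic).

    The FCS is CRC-32 over everything before it; zlib.crc32 uses the same
    polynomial and conventions as IEEE 802.3 (assumption stated in lead-in).
    """
    body = _mac(dst) + _mac(src) + struct.pack('!H', ethertype) + payload
    if pad:
        # Real adapters pad short payloads so the frame reaches 64 bytes.
        body = body.ljust(MIN_FRAME - FCS_LEN, b'\x00')
    fcs = zlib.crc32(body)
    if corrupt_fcs:
        fcs ^= 0x01  # flip one bit so the receiver's recomputation will not match
    return body + struct.pack('<I', fcs)


def classify_frame(frame):
    """Label a frame the way an analyzer's error counters would."""
    n = len(frame)
    if n < MIN_FRAME:
        return 'runt'
    if n > MAX_FRAME:
        return 'jabber'
    body, fcs = frame[:-FCS_LEN], frame[-FCS_LEN:]
    if struct.unpack('<I', fcs)[0] != zlib.crc32(body):
        return 'crc_error'
    return 'ok'


def size_report(frames):
    """Error counts plus a coarse size histogram, to judge how consistent
    packet sizes are on the segment being watched."""
    errors = Counter(classify_frame(f) for f in frames)
    buckets = Counter()
    for f in frames:
        n = len(f)
        if n < 64:
            buckets['<64'] += 1
        elif n <= 127:
            buckets['64-127'] += 1
        elif n <= 511:
            buckets['128-511'] += 1
        elif n <= 1518:
            buckets['512-1518'] += 1
        else:
            buckets['>1518'] += 1
    return {'errors': dict(errors), 'sizes': dict(buckets), 'total': len(frames)}


# Constructed sample: one good frame, one with a bad FCS, one runt, one jabber.
DST, SRC = '00:11:22:33:44:55', '66:77:88:99:aa:bb'
SAMPLE = [
    build_frame(DST, SRC, 0x0800, b'good'),
    build_frame(DST, SRC, 0x0800, b'bad', corrupt_fcs=True),
    build_frame(DST, SRC, 0x0800, b'short', pad=False),
    build_frame(DST, SRC, 0x0800, b'x' * 1600),
]

if __name__ == '__main__':
    for frame in SAMPLE:
        print(len(frame), classify_frame(frame))
    print(size_report(SAMPLE))
```

On a real capture, many drivers strip the FCS before handing frames to software, so a CRC check like the one above only works if the adapter was told to keep it; the size classification applies either way.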

Gathering protocol information is the next step. Most packet analyzers can display the captured packets according to the protocols. So you must see which protocols are flowing across your network. Usually, it’s better to use a single protocol stack on your network, and TCP/IP wins hands down in this case. Try to shift everything to TCP/IP. If there are reasons why you can’t do this, then observe which protocols are making the most noise. For instance, IPX is among the known chirpy protocols.


Once you’ve analyzed the number of protocols, observe the node making the most noise, and the kind of noise it’s generating. For example, a node generating unnecessary broadcast traffic might be something worth investigating.

Try to isolate the traffic flowing from this node. This is called packet filtering.
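The protocol breakdown, noisiest-node search, broadcast check and per-node filtering described in the last few paragraphs come down to reading the 14-byte Ethernet header of each captured frame. The Python below is an added example for this article, not code from the original; its frames are constructed inline, with the FCS omitted as most capture drivers deliver them. It assumes the usual rule that a type field of 1500 or below is an 802.3 length field (legacy framing such as raw IPX) rather than an EtherType, and labels only a handful of common EtherTypes.

```python
import struct
from collections import Counter

BROADCAST = 'ff:ff:ff:ff:ff:ff'
# EtherTypes this example labels; anything else is reported as a hex number.
ETHERTYPE_NAMES = {0x0800: 'IPv4', 0x0806: 'ARP', 0x86DD: 'IPv6', 0x8137: 'IPX'}


def make_frame(dst, src, type_or_len, payload=b''):
    """Constructed sample frame: 14-byte header plus payload, no FCS."""
    header = bytes.fromhex(dst.replace(':', '')) + bytes.fromhex(src.replace(':', ''))
    return header + struct.pack('!H', type_or_len) + payload


def parse_header(frame):
    """Return (dst, src, protocol_label) for one raw frame."""
    def mac(raw):
        return ':'.join(f'{b:02x}' for b in raw)
    field = struct.unpack('!H', frame[12:14])[0]
    if field <= 1500:
        # Assumption: values up to 1500 are an 802.3 length field, which is
        # how raw IPX (the article's "chirpy" protocol) is usually framed.
        proto = '802.3 length (raw IPX style)'
    else:
        proto = ETHERTYPE_NAMES.get(field, f'0x{field:04x}')
    return mac(frame[:6]), mac(frame[6:12]), proto


def protocol_mix(frames):
    """Percentage of frames per protocol, noisiest first."""
    counts = Counter(parse_header(f)[2] for f in frames)
    total = len(frames)
    return [(proto, round(100.0 * n / total, 1)) for proto, n in counts.most_common()]


def top_talkers(frames, n=3):
    """Source addresses that sent the most frames."""
    return Counter(parse_header(f)[1] for f in frames).most_common(n)


def broadcasts_by_node(frames):
    """How many broadcast frames each source sent; a large count from one
    node is the 'unnecessary broadcast traffic' worth investigating."""
    return Counter(parse_header(f)[1] for f in frames
                   if parse_header(f)[0] == BROADCAST)


def filter_node(frames, mac):
    """Packet filtering: keep only frames sent by or addressed to one node."""
    return [f for f in frames if mac in parse_header(f)[:2]]


# Constructed sample: a workstation talking IPv4 to the gateway, one node
# sending ARP broadcasts and one sending raw-802.3 broadcasts.
A, B, C, GW = ('00:00:00:00:00:0a', '00:00:00:00:00:0b',
               '00:00:00:00:00:0c', '00:00:00:00:00:01')
SAMPLE = (
    [make_frame(GW, A, 0x0800, b'ip')] * 5
    + [make_frame(BROADCAST, B, 0x0806, b'arp')] * 3
    + [make_frame(BROADCAST, C, 0x0040, b'ipx')] * 2
)

if __name__ == '__main__':
    print('protocols:', protocol_mix(SAMPLE))
    print('top talkers:', top_talkers(SAMPLE))
    print('broadcasts:', broadcasts_by_node(SAMPLE))
    print('frames involving B:', len(filter_node(SAMPLE, B)))
```

The same three counters, run over a capture of a few hours, give the protocol chart, the top-talker list and the broadcast-per-node figure the article asks you to read off the analyzer.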

Analyzing filtered packets requires an understanding of their structures. This can be used to sniff out trouble on your network.

This could be an Internet attack like IP spoofing, oversized packets or pimps, etc. It can also be used to determine whether someone is using applications not allowed on your network. Packet capturing utilities can also be used to find security loopholes on your network. You could place one on the far side of a firewall and see whether any unwanted traffic is leaking through.

Finally, set alarms and triggers, which will automatically raise an alert in case of trouble.
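Alarms and triggers only work when the thresholds come from the baseline data gathered earlier, otherwise they either fire constantly or never. The Python below is an added example for this article, not code from the original; the per-interval statistics it checks are constructed, of the kind an analyzer reports (utilization, broadcast share, error share, all in percent). It shows two trigger styles: fixed ceilings chosen by the administrator, and a baseline of mean plus k standard deviations learned from history, plus a "sustained" rule so a single odd interval does not page anyone.

```python
import statistics

# Constructed history: one record per sampling interval over several days,
# gathered at different times of day as the article recommends.
HISTORY = [
    {'utilization_pct': 20, 'broadcast_pct': 2.0, 'error_pct': 0.1},
    {'utilization_pct': 24, 'broadcast_pct': 3.0, 'error_pct': 0.2},
    {'utilization_pct': 22, 'broadcast_pct': 2.5, 'error_pct': 0.1},
    {'utilization_pct': 26, 'broadcast_pct': 3.5, 'error_pct': 0.3},
    {'utilization_pct': 23, 'broadcast_pct': 2.0, 'error_pct': 0.2},
    {'utilization_pct': 25, 'broadcast_pct': 3.0, 'error_pct': 0.1},
]

# Fixed ceilings an administrator might choose (assumed values).
FIXED_LIMITS = {'utilization_pct': 80, 'broadcast_pct': 10.0, 'error_pct': 1.0}


def baseline(history, key, k=3.0):
    """Mean plus k population standard deviations of one metric."""
    values = [h[key] for h in history]
    return statistics.mean(values) + k * statistics.pstdev(values)


def evaluate_interval(sample, history, fixed_limits, k=3.0):
    """Return alert strings for one new interval.

    Fixed limits catch outright trouble; baseline limits catch a metric that
    is still below the fixed ceiling but far outside what is normal here.
    """
    alerts = []
    for key, limit in fixed_limits.items():
        if sample[key] > limit:
            alerts.append(f'{key}={sample[key]} exceeds fixed limit {limit}')
    for key, value in sample.items():
        threshold = baseline(history, key, k)
        if value > threshold:
            alerts.append(f'{key}={value} above baseline {threshold:.2f}')
    return alerts


def sustained(samples, key, threshold, n):
    """True when the last n intervals were all above threshold; used to
    suppress alarms for a single noisy interval."""
    recent = samples[-n:]
    return len(recent) == n and all(s[key] > threshold for s in recent)


# Constructed test intervals: one quiet, one with a broadcast storm.
QUIET = {'utilization_pct': 24, 'broadcast_pct': 3.0, 'error_pct': 0.2}
NOISY = {'utilization_pct': 35, 'broadcast_pct': 15.0, 'error_pct': 0.5}

if __name__ == '__main__':
    for key in FIXED_LIMITS:
        print(f'{key}: baseline {baseline(HISTORY, key):.2f}')
    print('quiet:', evaluate_interval(QUIET, HISTORY, FIXED_LIMITS))
    print('noisy:', evaluate_interval(NOISY, HISTORY, FIXED_LIMITS))
    print('storm sustained:', sustained(HISTORY + [NOISY, NOISY, NOISY],
                                        'broadcast_pct', 10.0, 3))
```

With these numbers the noisy interval trips the fixed broadcast ceiling and all three baseline limits, while utilization at 35% never reaches the fixed 80% ceiling; that is the point of keeping both kinds of trigger.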

Anil Chopra
