Ethernet Network Analysis and Troubleshooting
Network Associates
Sniffer University
Ethernet Network Analysis and Troubleshooting Ethernet Overview and Frame Formats
Section 1 TNV-202-GUI
Slide Title: Ethernet Network Analysis and Troubleshooting, Section 1 of TNV-202-GUI
Section Timing: Start: Day 1 Approx. 9am. Finish: Day 1 Approx. 12:00 noon.
Section 1 title slide.
Files: 01_frm_g.PPT, 01_frm_g.DOC
Traces: Mixed01.cap, Mixed02.cap
Exercises: Which Frames are on the Network?; Isolating Frame Types with Pattern Matching (optional); A Surprise at 23:00
Be sure to practice before you teach this new version! You will need to tighten up on all the sections so you will have time to cover the new materials. It will be a challenge! Pace it carefully. There are several new concepts and exercises, so go through the class very carefully before you teach it. Practice all the exercises and look at the trace beyond what we focus on in the exercises so you are not blindsided by questions outside of the exercise.
Note: Please remember this instructor guide is a living document. It is not complete to start and is intended to grow with time. Add to your own copy as you gain experience. Please e-mail suggestions to the course Subject Matter Expert (SME) for future updates to the course material.
Original Traces for the Course: (all were saved as .CAP files none were recaptured)
01.CAP 05.CAP 09.CAP 13.CAP 17.CAP 21.CAP (giant.enc) BAD03.CAP BUSY-JAM.CAP HUBPORT1.CAP MIXED-02.CAP 02.CAP 06.CAP 10.CAP 14.CAP 18.CAP 100MBFIL.CAP BADCABLE.CAP COL100_3.CAP HUBPORT2.CAP SCBRIDGE.CAP 03.CAP 07.CAP 11.CAP 15.CAP 19.CAP BACKPRES.CAP BADCRC.CAP FRAGS.CAP JABBER.CAP TCPDEMO6.CAP 04.CAP 08.CAP 12.CAP 16.CAP 20.CAP BACKPRES2.CAP BADCRC-1.CAP HUB6ARC.CAZ MIXED-01.CAP
Housekeeping
BREAKS LUNCH TELEPHONES
Call the office Net Down!!!
BEEPERS IN SILENT MODE CELL PHONES IN SILENT MODE REST ROOMS EMERGENCY INFORMATION
QUESTIONS
All phone calls must be made outside the classroom during breaks.
Thank You!
Students are not permitted to audio or video tape the course presentation. Duplication of Course Materials or the Trace File CD is strictly prohibited by copyright. The Trace File CD that comes with this manual contains: All Class Traces - which can be copied to the C:\ drive or used in the CD-ROM Drive Reference materials- ATM Forum Docs, RFCs, Product Guides and other Documentation
Keep going. Briefly review the policy. The trace files for this class are placed in the 202GUI directory on the trace file CD in the student manual. Mention that there are additional trace files that are copied to Sniffer Pro's program directory if they would like to practice with those samples.
Upper-Layer Analysis & Troubleshooting Technologies TCP/IP Applications: Concepts & Troubleshooting
TCP/IP Network Analysis & Troubleshooting
ATM Network Analysis & Troubleshooting WAN Analysis & Troubleshooting Token Ring Network Analysis & Troubleshooting Ethernet Network Analysis & Troubleshooting Implementing Distributed Sniffer System / RMON Pro Troubleshooting with the Sniffer Pro Network Analyzer Sniffer Pro for DOS Sniffer Experts
Visit our website for more information on our classes and a current schedule: www.sniffer.com >> follow the Sniffer University Links
These are the 11 active courses in the curriculum as of Oct 2, 2000 for Version 4.0. Point out where you are in the curriculum. Mention other GUI courses available and highlight next step courses such as: 3-day WAN: TNV-207-GUI; 5-day TCP/IP curriculum: TNV-303-GUI and TNV-304-GUI; 5-day ATM: TNV-218-GUI. Keep going.
Table of Contents
Course Overview (Day 1)
Ethernet Frame Formats
Ethernet Sniffer Pro Hardware
Ethernet Physical and Data Link Layers
Timing Specifications
Troubleshooting Tips
Ethernet Bridging and Switching Concepts (Day 2)
Bridges
Switches
VLAN Tagging
100 Mbps Fast Ethernet
Full Duplex Ethernet
Gigabit Ethernet
Optional Technologies - LLC and Coax
Glossary of Terms
Student Exercises
Run down the list of topics. Mainly here for student reference. Use this to let them know what we will cover in class. The redundant list after this was removed. A dotted line has been added to give the students an indication of when the topics will be covered.
Timing: A guideline for timing:
Day one: Morning: Section 1 and 2. Afternoon: Section 3.
Day two: Morning: Section 4 and Section 5 (Bridges). Afternoon: Section 5 (Switches), Sections 6-8.
Optional: Logical Link Control
Course Overview
Course Objectives
Upon completion of the course, you will be able to:
Discuss the details of the Ethernet (802.3) specification
Effectively use the Sniffer Pro analyzer to manage and troubleshoot Ethernet LANs
Use practical hands-on troubleshooting methods and partner with the Network Associates Sniffer Pro Network Analyzer in Ethernet environments
We are here to learn something about Ethernet technology, how to use the Sniffer Pro analyzer in an Ethernet environment, and how to interpret the data captured. State the course objectives.
Prerequisites
Sniffer Pro Analyzer TNV-101-GUI: Troubleshooting with the Sniffer Pro Network Analyzer or TNV-112-GUI: Sniffer Pro for DOS Sniffer Experts
Cover quickly. Determine if all of the students meet the prereqs and discuss any problems if you have some that have not taken TNV-101-GUI or TNV-112-GUI.
Ethernet Layers
The Data Link layer provides for communications between electrical end-points (network interface cards).
The Physical layer provides the conductive path that includes media, connectors, electrical or optical signaling levels and coding characteristics.
This is now a build slide that builds on mouse clicks. The Ethernet layers are set off to emphasize this is where the Ethernet specifications reside. Everything else is upper layer to Ethernet. Review the functions of each layer, so the students may apply the binary search method against the OSI stack. Upper Layer protocols control the communications between the applications themselves. They are connection-oriented and take care of any error handling not done by the lower layers. Transport protocols can be connection or connectionless. If connection oriented, then we can determine whether or not the network is good by simply following the sequence numbers. Network layer protocols are also connectionless. All of the protocols in the layers above Ethernet are taught in many other Sniffer University courses. We will not focus on them here. Physical and data link are the layers directly involved in Ethernet. All these processes (without LLC) are connectionless.
Physical Layer
The lower part of the Data Link Layer is called the MAC layer, an abbreviation for Media Access Control. In addition, 802.14 Standard Protocol for Cable-TV-based Broadband Communication Network is another protocol in development in 1998. 802.7 standard is a recommended practice for common Physical Layer technologies, IEEE Recommended Practice for Broadband Local Area Networks. The ANSI number for the 802.3 1996 edition of the specs is 8802-3:1996 IEEE Specifications can be purchased through http://www.ieee.com
History of where the Standards came from. The relationship among the standards committees. This is the official IEEE diagram based on the drawing in the IEEE Std 802.3ab -1999. The 802.1 layer has the bridging standards listed individually and 802.14 for Cable-TV based broadband is not on this drawing due to space constraints.
802.3ad
Many other specification documents cover many facets of the Ethernet specifications. A complete list is available from the IEEE web site. WIP = Work in Process
This is a quick list of the Ethernet standards we will cover in this class. It is not a comprehensive list, since there are numerous other addenda as seen by the lettering of the standard. You might want to note the large gap between the original 802.3 standard approved in 1985 and the u standard approved in 1995. This does not mean there was no change in 10 years. Quite the contrary: the original spec was improved for thin coax, then twisted pair, and all the other changes to devices were defined in the a through t addenda.
Ethernet Evolution
1972 1982
Work on Ethernet begins at Xerox PARC
1983
Novell NetWare Proprietary Frame
1985
1990
10Base-T
IEEE 802.3
Ethernet Switching
Design Goals:
1. Definition simplicity
2. Efficient use of shared resources
3. Ease of reconfiguration and maintenance
4. Compatibility
5. Low cost
V1 Ethernet: Used an unbalanced signaling method (+5 volts referenced against ground).
V2 Ethernet: Used a balanced signaling method (+5, -5 volts). Added SQE (Heartbeat).
802.3: Added jabber inhibit. Specified thick coax, thin coax, twisted pair cabling and fiber.
V1 and V2: Specified thick coax cable. Cannot co-exist on the same segment due to the different signaling methods.
V2 and 802.3: Can co-exist on the same segment, as the same signaling methods are used.
Discuss the milestones and the Design Goals. New dates and milestones have been added. All frame types that use CSMA/CD are now valid 802.3.
Media Evolution
Thick Coax
Thin Coax
Twisted Pair
Optical Fiber
RJ45 Connectors
RJ45 Connectors
& Twinax..
New Slide. Do just a quick review of how Ethernet media has changed over the years. We started with the old thick cable in the ceiling. Then thin coax took over. Twisted pair changed the whole layout of the network structure, bringing all the connections back to the wiring closet. Cat 3 evolved to cat 4, evolved to cat 5, now on to cat 6, 7 ???? Cables attach to connectors in the wall or cube, the wire then goes to a punch-down block and finally to a hub or switch. Dedicated wires for receive and transmit meant that cards could no longer listen on the same wire, so new ways of learning of collisions had to be developed. The latest is optical fiber. This is generally used as a backbone or for high-speed servers. Our diagram shows the ordinary users connected with cat 5 cabling with an uplink on the hub or switch to the high-speed optical backbone. High performance servers may be connected directly with optical cable. There is mention of Twinax on the bottom. It is used in one Gigabit Ethernet configuration.
Switch
Switch
Dedicated RX/TX lines Dedicated media full-duplex without carrier sense or collision detection
Dedicated RX/TX lines Dedicated media half-duplex with carrier sense and collision detection - (collisions avoided)
Coax cables are broadcast in nature. Every station sees every signal on the wire. Each must wait its turn to use the wire and only one signal can be on the wire at a time. Twisted pair cabling provides dedicated receive and transmit wires in the cable, but only one wire can be active at a time. Concentrators or hubs repeat the signals out to all stations attached, so each station must sense whether the wire is busy, wait the interframe gap and sense collisions and retransmit if a collision occurs. The introduction of full duplex connections allowed bandwidth to double, since each direction can be busy simultaneously. The advent of the switch allowed dedicated connections between two devices in a switched temporary point-to-point connection. Even though collisions are avoided in this configuration, the same adapter cards are used, so the devices still sense for carrier, wait the interframe gap and sense collisions. When faster technologies were introduced, full duplex switched point-to-point connections allowed signals on each wire simultaneously. Since the links are point-to-point, there is no need to sense carrier or detect collisions.
New Slide. This attempts to show how access to the wire has changed over the years. The birth of CSMA/CD meant everyone listening, waiting their turn, then transmitting while listening for collisions. The cards can either send or receive, not both simultaneously. All of the newer technologies still have this as the basis for their specifications. The introduction of twisted pair wiring to a central repeater still maintained the need for CSMA/CD, since everything received on one port was repeated out to all the others. When full duplex was developed, each device had two lines in a point-to-point connection to the other end. There was no need to wait for the line- you always had access to the receive port on the other side. But the listen-and-wait and retry was maintained for backward compatibility. With the introduction of switches, every port is its own collision domain. Collisions are almost non-existent. But there still is the little matter of being able to talk to the older NICs and devices, so even the faster devices know how to deal with CSMA/CD.
Variable size frames
Best effort delivery
Various data encoding techniques are used
The minimum frame size is 64 bytes. This includes 4 bytes of frame check sequence but does not include the 8 bytes of preamble sequence. The maximum frame size is 1518 bytes including CRC.
Original specifications are based on bus technology and CSMA/CD. CSMA/CD has always been the defining feature of Ethernet. With the introduction of switches and Full Duplex Ethernet, this can no longer be the feature common to all varieties, since some don't use carrier sense (CS), are not multiple access (MA), and do not have collisions to detect (CD). Nevertheless, there are other details that have been maintained through all the iterations, so the name has stuck. This is the beginning of the real class.
Bit Cell
TTL is used on circuit boards
Manchester Encoding is used in 10 Mb/s Ethernet/802.3
Differential Manchester Encoding is used by Token Ring/802.5
Faster Technologies use different encoding schemes
Manchester and Differential Manchester encoding are methods of embedding the clock into the data stream so the adapter can determine whether a bit is a one or a zero. TTL has no timing encoded in the data. It is used on circuit boards where synchronized clocking can be applied to multiple circuits. The encoding techniques for Fast Ethernet and Gigabit Ethernet are covered in section five.
Don't dwell on this slide. It is only really important for the students to understand that the timing is embedded in the data stream so that adapters can tell a 1 from a 0. Fast Ethernet and Gigabit Ethernet use different encoding methods. They will be covered in their respective sections.
Section Objectives
Upon completion of this section, you will be able to:
Describe protocol concepts
Differentiate between Ethernet Frame Formats
Recognize network configuration issues with different frame formats
Identify frame format incompatibilities
State the objectives for this section. This prepares the students and sets expectations about the desired outcome of learning this information.
Detail Window Label Ethertype 802.3 length but no LLC header 802.3 length and LLC header SAP = AA, then SNAP Header
LLC: Logical Link Control. A protocol that provides connection control and multiplexing to subsequent embedded protocols; standardized as IEEE 802.2 and ISO/DIS 8802/2.
SAP: Service Access Point. (1) A small number used by convention or established by a standards group, that defines the format of subsequent LLC data; a means of demultiplexing alternative protocols supported by LLC. (2) Service Advertising Protocol. Used by NetWare servers to broadcast the names and locations of servers and to send a specific response to any station that queries it.
SNAP: Sub-Network Access Protocol (also sometimes called Sub-Network Access Convergence Protocol). An extension to IEEE 802.2 LLC that permits a station to have multiple network-layer protocols. The protocol specifies that DSAP and SSAP addresses must be AA hex. A field subsequent to SSAP identifies one specific protocol. Interpreted in the TCP/IP PI suite and the AppleTalk PI suite. (See RFC 1042 for further information on SNAP.)
MAC frames are used in Full Duplex Ethernet.
The Expert Detail Panel shows the frame type associated with each device at the DLC layer.
This is a list of what we will cover in the next set of slides. Ethertype, LLC DSAP and SSAP are addresses. SNAP defines a different location in the frame for the address of the receiving process. NetWare originally started with a proprietary frame but now supports everything. Carrier extend and MAC Control are mentioned in this section, but will be explained fully in section five.
64 bits (8 bytes) of synchronization
(6 bytes) address of destination node
(6 bytes) address of source node
(2 bytes) specifies upper-layer protocol
Data link layer views all information handed to it by higher layers as data, whether it is protocol information or user data
CRC: Cyclic Redundancy Check Frame Check Sequence (FCS), or checksum value
Emphasize the preamble and its function. Hit the bit pattern and reference the AAAAs and 55555s. Demo: Demonstrate frame structure with TCPDEMO6.CAP. Walk the students through performing a pattern match on a version two Ethertype. Repeat this for each frame type, each time using a different match. Be sure to name the matches. After the last frame type in this section, walk the students through saving setups so that they now have a predefined filter that can be used later.
Pre-dates IEEE specs
Identifies the hardware address of the adapters for both receiving and sending stations
Identifies the receiving process with a two byte Type field in the DLC header
Requires the Network Layer to ensure a minimum packet size of 46 bytes of data
Only provides connectionless services
1010...10101011
64 bits (8 bytes) of synchronization
(6 bytes) address of destination node
(6 bytes) address of source node
(2 bytes) specifies the number of bytes (46-1500) in the data field
Data: IPX Header starting with 2 bytes checksum (usually FFFF) followed by NetWare higher layers (data)
CRC: Cyclic Redundancy Check Frame Check Sequence (FCS), or checksum value
Novell developed their frame type before the IEEE committee was finished. As a result, they identified the length but did not use LLC. This is not a problem provided all stations use the same frame type. It does have a negative impact on IEEE compliant implementations when Novell issues broadcast frames. Service Access Point of FF is the broadcast SAP. All stations have to copy.
Use a third match as you take the students through this process. If performed correctly, you will certainly speed up the exercises at the end of this section, if not eliminate them. Point out that Novell's frame type was defined while the IEEE committees were still meeting. It really did not matter, since one only installed a single operating system. We were not designing enterprise networks with LANs and we certainly were not interfacing a lot of dissimilar systems. In today's environment, however, it is definitely an issue.
Only uses the bottom half of the DLC Layer
MAC layer contains hardware addresses of destination and sending stations
Uses a two byte length identifier
Does not use LLC
Specified while IEEE was formulating 802.3 specs
MAC Layer ensures minimum frame length
1 or 2
42 - 1497
1010...10101011
CRC:
Stations know if a frame is Version 2 or 802.3 by evaluating the 2 bytes following the source address. If they are greater than 05DC hex (1500 decimal), then the frame is Version 2; if they are less, they are assumed to be a length field. IEEE defines the preamble as 56 bits (7 bytes) of alternating 10101010...etc., followed by 8 bits (1 byte) of starting delimiter with bit pattern of 10101011.
Repeat of previous page. Be sure to select a different match and to disable the first match. Stations know if a frame is Version 2 or 802.3 by evaluating the 2 bytes following the source address. If they are greater than 05DC hex (1500 decimal), then the frame is Version 2; if they are less, they are assumed to be a length field. Note: the exception is PUP, which uses Ethertype 2. (PUP stands for PARC Universal Packet.)
IEEE Networks (e.g., 1BASE5, 802.3, 802.5)
Splits the DLC layer into two distinct sublayers
MAC layer contains hardware addresses of destination and sending stations
Provides LLC services
Receiving and sending processes identified by SAP addressing
Accommodates both connectionless and connection oriented implementations
Provides for the use of SNAP
MAC Layer ensures minimum frame length
[Frame diagram: preamble 1010...10101011, DSAP AA, SSAP AA, Control, Vndr Code, Type, CRC]
Preamble: 56 bits (7 bytes) of synchronization
SFD: (1 byte) start frame delimiter
DA: (6 bytes) Destination Address: address of destination node
SA: (6 bytes) Source Address: address of source node
Length: (2 bytes) specifies the number of bytes (3-1500) in the LLC and data fields
DSAP: (1 byte) Destination Service Access Point; receiving process at destination
SSAP: (1 byte) Source Service Access Point; sending process in source
Control: (1 byte) Various control information
SNAP: (5 bytes) First three bytes identify the vendor. Last two bytes identify the protocol
Data: The data link layer views all information handed to it by higher layers as data, whether it is protocol information or user data
Pads frame to minimum of 46 bytes total for the data and LLC (so collisions can be detected)
CRC: Cyclic Redundancy Check Frame Check Sequence (FCS), or checksum value
SNAP allows vendors who do not have an assigned Service Access Point to become IEEE compliant. Service Access Point of AA identifies a SNAP header immediately following the LLC header. A SNAP header is five bytes. The first three bytes identify the vendor and the last two bytes identify the protocol used. The first three bytes (the vendor ID) are usually padded with zeroes. The version 2 Ethertype is generally used as the identifier.
Finish with the pattern match and save setups. TIP: TCPDEMO6 is a good trace to use to show this.
Is a subset of LLC.
Length/Type
This is an automated build slide that will display on a timer. Don't click until you're ready for the next slide! A + in the lower left corner of the build slides tells you how many clicks you need before it goes to the next slide. When there is no number after the +, the slide is totally automated. The next click shows the next slide. This brings the previous information into the present definition of the Ethernet frame type. Point out the field values at the bottom that devices use to tell what type of frame is arriving. Of course, they've always done it this way, but now the specification matches the process.
Note: A comprehensive listing of Ethertypes and SAPs is in the appendix. http://www.iana.org keeps an updated list of Ethertypes. Sniffer Pro maintains a list of the Ethertypes and SAPs and decodes the Upper Layer Protocols (ULP) based on the Ethertype or SAP found in the Data Link header.
There is a more complete list from the Sniffer Pro analyzer's main menu. Go to Define Filters and demonstrate for the students the protocol filters. Use data pattern matching to filter on specific SAPs and Ethertypes.
YES
You have just determined that the frame is an Ethernet version 2 frame
Look at the Ethertype values to determine what ULP the frame is carrying
STOP
YES
You have just determined that the frame is a Novell 802.3 raw frame
You have just determined that the frame is an 802.3 SNAP frame
Look at the Ethertype values to determine what ULP the frame is carrying
Look at the SAP values to determine what ULP the frame is carrying
STOP
YES
You have just determined that the frame is a standard 802.3 frame
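The decision sequence above, written out as an added example (not part of the course material): it applies the rule the text gives (a value above 05DC hex after the source address is an Ethertype), then FFFF for Novell raw and AA/AA for SNAP, and reports stations that transmit more than one frame format. The function names and the sample frames are constructed for illustration; frames are assumed to start at the destination address with preamble and SFD stripped and a 1-byte LLC control field in SNAP frames.

```python
import struct
from collections import defaultdict

MAX_LENGTH = 0x05DC  # 1500 decimal: the length/Ethertype boundary given in the text


def classify_frame(frame: bytes) -> dict:
    """Classify one captured frame that starts at the destination address.

    Assumption: preamble and SFD are already stripped, as in a capture file.
    The PUP exception mentioned in the text is not handled here.
    """
    if len(frame) < 16:
        raise ValueError("need a 14-byte DLC header plus two data bytes")
    src = frame[6:12].hex(":")
    (type_or_len,) = struct.unpack("!H", frame[12:14])

    # Step 1: a value above 05DC hex is an Ethertype, so the frame is Version 2.
    if type_or_len > MAX_LENGTH:
        return {"src": src, "format": "Ethernet Version 2",
                "ulp": f"Ethertype {type_or_len:04X}"}

    data = frame[14:]
    # Step 2: a length field followed by FFFF is the IPX checksum, no LLC header.
    if data[:2] == b"\xff\xff":
        return {"src": src, "format": "Novell 802.3 raw", "ulp": "IPX"}

    dsap, ssap = data[0], data[1]
    # Step 3: DSAP and SSAP of AA announce a 5-byte SNAP header after Control.
    if dsap == 0xAA and ssap == 0xAA:
        if len(data) < 8:
            raise ValueError("SNAP header truncated")
        vendor = data[3:6].hex().upper()
        (ethertype,) = struct.unpack("!H", data[6:8])
        return {"src": src, "format": "802.3 SNAP",
                "ulp": f"Ethertype {ethertype:04X} (vendor {vendor})"}

    # Step 4: anything else is 802.3 with LLC; the SAPs name the upper layer.
    return {"src": src, "format": "standard 802.3",
            "ulp": f"DSAP {dsap:02X} SSAP {ssap:02X}"}


def multi_format_stations(frames) -> dict:
    """Map each source address that uses more than one frame format to its formats."""
    seen = defaultdict(set)
    for frame in frames:
        info = classify_frame(frame)
        seen[info["src"]].add(info["format"])
    return {src: sorted(fmts) for src, fmts in seen.items() if len(fmts) > 1}


def _frame(station: int, body: bytes, ethertype=None) -> bytes:
    """Build a constructed broadcast frame from station 02:00:00:00:00:<station>."""
    dst = bytes.fromhex("ffffffffffff")
    src = bytes.fromhex("0200000000") + bytes([station])
    field = ethertype if ethertype is not None else len(body)
    # Pad the data field to the 46-byte minimum, as the MAC layer would.
    return dst + src + struct.pack("!H", field) + body.ljust(46, b"\x00")


# Constructed sample frames, not taken from the course traces.
SAMPLE_FRAMES = [
    _frame(1, b"\x45" + bytes(19), ethertype=0x0800),                  # Version 2
    _frame(2, b"\xff\xff" + bytes(28)),                                # Novell raw
    _frame(3, b"\xe0\xe0\x03" + b"\xff\xff" + bytes(28)),              # 802.3 + LLC
    _frame(2, b"\xaa\xaa\x03\x00\x00\x00\x81\x37" + bytes(30)),        # 802.3 SNAP
]

if __name__ == "__main__":
    for f in SAMPLE_FRAMES:
        print(classify_frame(f))
    print("stations using several formats:", multi_format_stations(SAMPLE_FRAMES))
```
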
Student reference. This is a semi-automated build slide. There are 3 clicks; one at each stop sign after each determination has been made.
Version 2 frames are shown as Ethertype Frames. All others are shown as 802.3 Frames.
Student reference. You may want to demonstrate this with a trace file. Beware, only Ethertype frames are differentiated in this window. All the other frames show up as 802.3.
Version 2 Frame
802.3 Frame
This is a quick visual shot of how version 2 and 802.3 frames appear in the Detail window. 802.3 Ethernet II 802.3 Frame Demo: Mixed01.cap frame 1 Demo: Mixed01.cap frame 75
SNAP Frame
To filter SNAP, use DSAP and SSAP equal to AA.
By determining what frame formats are in use on the network, you can make sure no incompatibilities exist.
Highlight frame in Summary window before accessing this window
Create a new profile
Summary of the match will build here
Choose your operand first then click Add Pattern
Change Frame
1) Highlight the data in the Detail window
2) Click Set Data
3) Data will be pasted into the pattern area
4) Click OK
Choose your next operand and repeat the steps until all your matches are pasted in
This replaces the several data pattern match slides in the previous version of the course. Those screen shots are placed in the student notes on this page for their reference. The exercise that used pattern matching has been replaced by one using the Expert.
Devices using different frame formats will not be able to communicate directly
They must send their frames to a translating bridge or router which converts and forwards the frames This creates a local router situation which doubles the traffic
Devices configured with multiple unnecessary frame formats load the network
NetWare servers RIP and SAP for each frame type
Upper Layer Protocols expect a certain frame type and may not be able to communicate if the wrong frame type is in use
New Slide. This helps to link this information to practical uses for the information.
This exercise has been modified. It no longer uses data pattern matching. Be sure to practice this before class so you are ready for it!
If you have no questions about the previous exercise, then continue with the next exercise; or, if you need a demonstration or explanation, ask your instructor to help you now.
Slide Title: Yield
Important Points to Cover:
Summary
In this section, you learned how to:
Differentiate between Ethernet Frame Formats: Ethernet Version 2, Novell 1983 proprietary frame format, IEEE 802.3, IEEE 802.3 SNAP
Recognize network configuration issues with different frame formats
Identify frame format incompatibilities
Slide Title: Summary
Important Points to Cover:
Wrap up the section by reviewing the labs and the objectives. Ask the students if they have any questions.
Section 2 TNV-202-GUI
Slide Title:
Section Timing:
Files: 02_snf_g.PPT, 02_snf_g.DOC
Traces: bcast.cap, GB.cap, 100mbfile.caz
Exercises: Comparing Ethernet Data
This is a new section. We hope that by putting this information at the front of the course, the students will feel this is an up-to-date course. They get to see the new faster Ethernet products right away and see in an exercise that Ethernet looks almost the same on the Sniffer, no matter what the speed of the network.
Section Objectives
Upon completion of this section, you will be able to:
Select the appropriate Sniffer configuration for each type of Ethernet network
Ensure system requirements are met for each type of Sniffer
Attach Sniffer Pro to the various Ethernet networks
Slide Title: Section Objectives
Important Points to Cover:
10/100 Ethernet
Slide Title: 10/100 Ethernet
Important Points to Cover:
Windows 95c*/98 or NT SP3 server or workstation
Sniffer 10/100 Ethernet adapter
85 MB Disk space for software
Much more for traces
64 MB RAM
Some topologies require more
Windows 95c requires Winsock 2. Windows NT has been tested through SP 6a. Consult the Sniffer documentation for a list of the adapters supported with this release. On heavily loaded Ethernet networks, increase the receive buffer size and capture rate on the Ethernet adapter.
In Windows 95/98:
1. In the Windows control panel, select the Network icon.
2. In the list box at the top of the Configuration tab, select the adapter, then click Properties.
3. Click the Advanced tab.
4. In the Property list box, select Receive Buffers and increase the value to a larger number. We recommend you increase the buffer size in increments of 10 to the highest possible setting, which still enables the card to load.
5. Change the Capture Rate to High - No CPU Throttling.
In Windows NT:
1. In the Windows control panel, select the Network icon.
2. Click the Adapter tab.
3. Select the adapter, then click Properties.
4. Increase the Receive Buffers value to a larger number. We recommend you increase the buffer size in increments of 10 to the highest possible setting, which still enables the card to load.
5. Change the Capture Rate to High - No CPU Throttling.
Ethernet Network Analysis and Troubleshooting Ethernet Sniffer Pro Hardware
Slide Title:
Important Points to Cover:
New Slide. Quickly review the three options: Notebook, Desktop (this means that desktops are included in the NAI suite of portable software, though desktops are not really portable!), and Dolch. Review the system requirements. The readme instructions for setting the Ethernet card parameters for heavily loaded networks are included in the student notes.
[Figure: Sniffer (PAC 64) attached to an Ethernet Hub and to an Ethernet Switch]
Attach the RJ45 jack into a port on the switch
Use the Switch Expert or switch software to mirror the port(s) to the Sniffer port
Slide Title:
Important Points to Cover:
Discuss the various ways they can attach the Sniffer. It doesn't matter if it is notebook, Dolch or desktop. All attach the same way.
DSPro Agents
DS Pro consists of two computers:
Agents permanently installed in production networks
Attach the Agent's Ethernet monitor card to the production network to be analyzed
Attach the transport Ethernet card to either a dedicated network or the production network
[Figure labels: DSPro Agent, Ethernet Network, DSPro Console]
Sniffer University has a two day TNV-012-DSP class that teaches the unique configuration processes required for the DS Pro system.
Slide Title: DSPro Agents
Important Points to Cover:
Don't get sidetracked into explaining the DS Pro system. Direct them to the TNV-201-DSP class!
System Requirements
PAC 63, 64 or 65 or CardBus compatible notebook PC
Windows 95c/98 or NT SP3 server or workstation
Sniffer 10/100 Ethernet adapter
Set to 100 Mbps
64 MB RAM (128 is better)
DSPro also has a 4 port Ethernet adapter you can configure in several modes
A Fast Ethernet Full Duplex Pod installation consists of the following major components:
A PC with Sniffer Pro or Sniffer agent (Distributed Sniffer) software installed on the hard disk (the Sniffer PC).
A supported Fast Ethernet network adapter installed in the Sniffer PC. Consult the Sniffer documentation for a list of the adapters supported with this release of the Full Duplex Pod.
A Fast Ethernet Full Duplex Pod is connected to the Sniffer PC via the Fast Ethernet adapter and the Ethernet port on the Fast Ethernet Full Duplex Pod labeled "Host Channel 10/100 UTP."
Slide moved here from section five of the previous version.
Needs a 10/100 adapter in the main PC
Pod attaches through the Ethernet cable
Pod attaches into the network
Needs lots of buffer and disk space, since the traffic load is very high and will create large trace files.
Troubleshoots and analyzes all traffic on 10/100 full-duplex backbone connections
148,800 Packets per Second (PPS) wire speed packet capture
Full line rate on two channels in High Speed mode
Near 100 Mbps in streaming mode
Stores to a hardware buffer configurable to 512 MB
Full-duplex
Dual-channel
Synchronous capture
Slide moved here from section five of the previous version. Buffer is in the pod. Frames captured on the pod are encapsulated into Ethernet frames, then delivered to the PC for analysis. This is listed in the order list as Pod-FEDC-NA-100 for Fast Ethernet Dual Channel Pod.
[Figure: Fast Ethernet Full Duplex Pod connectors. Labels: Probe Channel B, Serial Port, 10/100 UTP, MII, Connection]
Connection button: selects between Pass-through and Terminate Modes
Channel B: connections to the network (UTP and MII)
Channel A: connections to the network (UTP and MII)
Connect straight-through Ethernet cable to the laptop
The Fast Ethernet Full Duplex Pod captures network data off the connected circuit and stores it in its own internal buffer. The captured data is then encapsulated in Ethernet frames and sent to the Sniffer PC over a Fast Ethernet connection. There, the analyzer strips the encapsulated capture data out of the Ethernet frame, making it available to the full set of Sniffer features. The pod can capture frames up to 4082 bytes in length (including CRC). Frames larger than 4082 bytes will be treated as illegal frames. Normal Ethernet frames are 1518 bytes maximum.
Slide moved here from section five of the previous version. Point out the separate channel connector. They can attach to TX via UTP or FX via the MII (Media Independent Interface) connectors. The connection button allows you to set pod to either pass-through or terminate mode. The right-most UTP connector attaches the pod to the 10/100 card in the PC. The Synch In and Out connectors are not used.
LED: Description
Passthrough: Lit when pod is in passthrough mode. Switch with the button on the back of the pod.
Terminate: Lit when pod is in terminate mode.
Clock: Lit periodically to indicate the pod's software is alive and active.
Activity: Lit when there is potential loss of data. The data may be lost when there is more data than the pod can handle.
Power: Lit when the pod is receiving power.
HW Chk: Lit when there is pod hardware or software failure. Flashes in test mode.
1. Power on the PC
2. Connect the power to the pod
3. Connect the pod to the network
When the pod is powered on before the host, pod initialization may fail. Turn the pod off, then on if this occurs. The pod provides a pass-through mode. When you remove power from the pod in pass-through mode, the link will go down! You may wish to install a splitter in the line that will enable you to attach the pod when needed without bringing down the link. Be sure it meets the dB loss specifications so the link is not degraded.
New Slide. Emphasize that this pod has a different power adapter from the rest. It is huge and heavy and nicknamed the brick for good reason: it's as big and heavy as a brick. It's important they follow this order. They may damage the pod and/or PC if they don't, or the Sniffer may not be able to see the pod.
Beam Splitters Tap Optical Signal from Channels A and B and Send to Pod
[Figure labels: Routers/Switches, To Channel A, Ethernet Hub]
Slide moved here from section five of the previous version. Three ways:
Break open the link and insert the pod. Push the button to place it in pass-through mode.
Keep splitters in the line at all times so you won't need to break the connection to attach the Sniffer. Set the button to terminate mode so the signals are not repeated back onto the wire!
Attach to a monitor port on the switch. This is vendor-specific, but will probably allow you to select which channels you want to monitor.
[Figure labels: Monitor Cable, Ethernet Network, Channel A, DSPro Console]
New Slide. Included here mainly to emphasize this pod can be used on the DS Pro system. There is also a 4 port Ethernet card that can be used in the DS Pro to monitor several different full-duplex connections, including 400 MB pipes that combine full-duplex channels. It is covered in the 201-DSP class.
Gigabit Sniffer
There are several paragraphs of information in the 4.0 Readme.wri that is copied to the Sniffer Pro program directory when you load the Sniffer Pro software. Read them before you use the Sniffer!
Title slide.
Windows 95 is not supported for the Gigabit Sniffer. Use a compatible portable (Dolch) or desktop that has a Peripheral Component Interconnect (PCI) slot. AMI and Award are popular BIOS chips. The BIOS version should be AI5TVD2-0617. You can contact DOLCH to get the BIOS Flash upgrade. There should be two files:
awdflash.exe, size=7,847 Bytes, Dated 3/8/96
Dolch-2.bin, size=131,072 Bytes, Dated 6/19/97
Upgrade the Flash BIOS for PAC-64
To upgrade the Flash BIOS for PAC-64, follow these instructions:
1. Insert the Flash BIOS upgrade diskette into drive A:
2. Run the awdflash.exe file.
3. You will be prompted to enter the BIOS file name; enter Dolch-2.bin and save the BIOS.
4. You then will be prompted to save a file. Give this file the name Dolch-1.bin.
5. Save and program the BIOS.
6. Reboot after update.
Slide moved here from section five of the previous version. Slide is adequate.
Hardware Included
Xyratex 1250 SX or LX Protocol Analyzer Adapter Card
SC connectors
SX Short Wave 850 nm
LX Long Wave
Long and Short External Trigger Cables
Duplex Fiber Optic Cable
3.3v Voltage Regulator Card
PC Power Supply Y cable
Voltage Regulator to Protocol Analyzer Power Cable
The Xyratex Gigabit card is designed to analyze the network. When the card is installed, it will not bind to TCP/IP; in other words, no IP address should be assigned to the card.
Slide moved here from section five of the previous version. Slide is adequate.
Interfaces
1000 Base-SX
1000 Base-LX
1000 Base-CX through external adapter
1000 Base-T
Can analyze both sides of full-duplex connection or two separate single links
Captures and analyzes raw bits from the link
Sees 10-bit codes, autonegotiation, error propagation, collisions, preambles, packet encapsulation, idles and code violations
3.3v Power
Two sources:
Mother boards in newer CPUs have 3.3v power supply connector
Dolch PAC 65 and newer has 3.3v power, PAC 64 needs the card (PAC 63 and older are not supported for Gigabit)
Attach to the Protocol Analyzer card
3.3v Voltage Regulator half-slot ISA card for CPUs without the 3.3v power supply
Generates 3.3v from PC's 5v power supply
Drives up to 3 Protocol Analyzer cards
Y cable inserts between power supply and CD-ROM/floppy disk
Connects to Protocol Analyzer boards with short cable
Slide moved here from section five of the previous version. Needs 3 volts power. If the motherboard doesn't have it, you need another card that supplies it. Jumper from this card to the PacketMaster card.
Two 1000Base-SX or LX Gigabit Ethernet SC Connections
External trigger in and trigger out connections
Available external connections are:
two 1000Base SX Short Wave Fiber Optic connector pairs
a single micro coax external trigger input
a single micro coax external trigger output
Trigger conditions can be independently defined for each channel or combined for both channels, just as for filtering. The system can accept external inputs and can also be synchronized to other test equipment. The system can also provide external TTL output from a trigger.
Interfaces available:
1000 Base-SX
1000 Base-LX
1000 Base-CX through an external adapter
1000 Base-T* coming later
SX and LX transceivers are available.
* T Specification under development
Slide moved here from section five of the previous version. Slide is adequate.
[Figure: PAC 62 Sniffer connection options. Port labels: Tx, Rx1, Rx2]
Full Duplex connection between switch and end node
Attached to hub or switched port (can be a SPAN port)
Use this for traffic generation also
Slide moved here from section five of the previous version. This will help those students who have the Sniffer now. (They are very lucky: they are in high demand and short supply.) Slide is self-explanatory.
Gigabit DSPro
The Xyratex card is also supported in the DSPro Agent
Attach this card to the Gigabit network as you do for the portable Sniffer
Attach the 10/100 monitor adapter to the transport network
[Figure labels: DSPro Agent, Transport Cable, Monitor Cable, Gigabit Network]
New Slide. Mainly FYI. Screens still look the same when you connect to the Agent.
Turn to the lab section to complete this exercise. Use the diagram on the next page as a reference to the network layout.
New Exercise. This exercise is here to let them see right up front how the data looks in almost all speeds of the Sniffer. I was unable to get a 100 MB full-duplex trace file, so it has been mentioned briefly. Do not mention the 10 bit hex decode in the Gigabit screens now! Wait until they have been explained in the Gigabit section.
Summary
In this section, you learned how to:
Select the appropriate Sniffer configuration for each type of Ethernet network
Ensure system requirements are met for each type of Sniffer
Attach Sniffer Pro to the various Ethernet networks
Review the section objectives and answer any remaining questions. Target Time: Day 1 at noon or earlier if possible.
Ethernet Network Analysis and Troubleshooting Ethernet Physical and Data Link Layers
Section 3 TNV-202-GUI
Slide Title: Ethernet Physical and Data Link Layers Section 3
Section Timing: Start: Day 1 Approx. 1pm Finish: Day 1 End of day
Files: 03_PHY_g.DOC
This is a critical section that must be covered thoroughly so the students understand the basis of all Ethernet standards. The exercise comes close to the end, so your challenge will be to keep the students engaged through the lecture. The 10BASE5 and 10BASE2 specific slides are now in the Optional Technologies section. Be prepared to jump there if you have students who still want to see the physical components of the old technologies. The diagrams have been spiffed up so they show mainly star configurations.
Section Objectives
Upon completion of this section, you will be able to:
Describe the access method used in Ethernet
Discuss the responsibilities of the MAC layer
Differentiate the various types of Physical Layer devices
Explain the importance of the physical size limitations of the Ethernet networks
Determine when the physical characteristics of the Physical Layer have been extended beyond the specifications
Slide Title: Section Objectives
Important Points to Cover:
State the objectives. The focus of the prior revision was on the new components most customers have in their environments. The specifications for 10BASE2 and 10BASE5 are still the basis for the newer environments and need to be covered. We've tried to make it as painless as possible while still giving them everything they need to know to understand the buzz words and, more importantly, why collision domains and timing specifications are still important! Most of our students think they know the Ethernet nitty gritty details, but they invariably learn new things in this section.
There is a wide variety of configurations and options available
All still adhere to core concepts that define Ethernet
Segments are extended logically by chaining hubs or switches, or by using bridges
Networks are segmented using routers
[Figure labels: Switches, Router, Hubs, Network B]
Ethernet networks are undergoing unprecedented change. Standard hubs and switching hubs are becoming commonplace. Fast Ethernet is being included. Full Duplex Ethernet may be installed. Fast transmit adapters enable large amounts of data to be transmitted and received.
Slide Title:
Important Points to Cover:
Today networks are undergoing change. We are installing switches and hubs now. No one is really installing 10BASE5 or 10BASE2 today.
Fast Ethernet
Full duplex
Fast transmit adapters
Gigabit Ethernet
Yesterday, hubs were the new devices in networks, pushing out the older 10BASE5 and 10BASE2 networks. Today, switches may start to push out hubs. The only constant we really have is change. Emphasize the fact that whether we are talking about 10BASE5 or switches, Ethernet is still contention-based, designed to a bus concept.
Concentrator or Hub
Slide Title:
Important Points to Cover:
No inherent line control is used. The only requirement to transmit data is that the wire is quiet for 9.6 bit times.
CSMA/CD
Multiple Access
Designed for a broadcast environment
Every station hears every frame
Calculate and append the CRC
Sense Carrier: Defer to stations already transmitting
Observe Interframe spacing: There is always at least a 96 bit time delay between frame transmission
9.6 µs for 10 Mbps, .96 µs for 100 Mbps, 96 ns for 1000 Mbps
Transmit and listen
Detect collisions
Backoff and retransmit if collisions occur
All adapters are manufactured to the Ethernet specifications. The card has no knowledge of whether it is plugged into a switch or hub port. These specifications apply to all speeds of Ethernet. The interframe spacing is always 96 bit times. The actual time between frames is dependent on the speed of the network and shrinks in proportion to the increase in speed. Specifications dictate that there be a minimum 9.6 microsecond delay between frames in 10 Mbps Ethernet. An adapter must sense that the wire has been quiet at least 9.6 microseconds before it can transmit. In Fast Ethernet, the interframe gap is .96 microseconds. The gap in Gigabit Ethernet is 96 nanoseconds.
Slide Title:
Important Points to Cover:
With the IEEE MAC layer, it is the MAC's job to ensure the minimum frame length. This is a departure from the V2 specifications, which forced the network layer protocol to guarantee the minimum frame size. Now the version two frames have been brought under the IEEE, so all versions must pad. The MAC layer is responsible for accessing the channel and ensuring correct transmission of the data. MAC functions reside on the adapter on the chipset. Important change: The Interframe gap has been changed from 96 microseconds to 96 bit times to imply this is used in all speeds. Use this term throughout this section. The Interframe Gap is 9.6 microseconds in 10 Mbps, 960 nanoseconds in 100 Mbps and 96 nanoseconds in Gigabit 1000 Mbps.
Frame Transmission
After sensing that there is no carrier on the wire during the interframe gap period, stations with data to send transmit the frame
The signal is propagated everywhere
The source station listens while transmitting
It assumes the frame was delivered if it sensed no interference
[Figure: the Source Station's bits (Preamble, then Dest Address) propagate through the Concentrator or Hub to every station]
Even in switched environments, stations must wait the interframe time after the line goes silent before they start transmitting.
Slide Title: Frame Transmission
Important Points to Cover:
This is a timed build slide and covers only the transmission part of the process. It builds automatically. The station that wants to transmit listens for carrier. When it senses there is no carrier, it waits the interframe gap time, then begins to transmit. This is a good time to discuss the adapters that jump the gun and start transmitting before the interframe gap time. This is mentioned in the student notes and should be discussed in class. When the signal is transmitted, it is intended to go everywhere. All stations hear it. Stations continue to listen while they transmit.
Collisions
When two stations with data to transmit sense that the media is available at the same time, they both transmit and a collision occurs
[Figure: two stations Transmit at the same time through the Concentrator or Hub; Collision; both Transmit Jam]
The transmitting adapters sense the collision and continue to transmit a 32-bit jam signal, and wait a random amount of time before retransmitting
If there are repeated collisions, the adapter tries again (up to a total of 16 times)
It uses truncated binary exponential backoff to ensure that two stations will not collide with each other again during the wait cycle
Each time it retries, it waits a random amount of time
*Timing slowed to show process
Stations continue to listen as they transmit. Twisted pair environments are basically point-to-point communications. While an adapter is transmitting, it listens on its receive pair. If a receive signal is detected, the adapter has detected a collision. On a bus, the transceiver detects an increase in voltage on the wire if another station transmits at the same time. The transceiver notifies the adapter of a collision. Any other stations with frames queued sense the wire is busy and they wait until the interframe gap has passed after the wire goes silent.
Slide Title: Collisions
Important Points to Cover:
This is a timed build slide. Some is automated on a timer, and some requires a mouse click to activate. Wait to click until the first collision occurs. There are three clicks for the slide.
The signal from the transmitting station will not be heard by the second station some distance from it, so it begins to send its frame. If a collision occurs, the participating stations output a minimum of 32 bits as a jam. Its purpose is simply to busy out the wire on a 500 meter segment. Important change: The wording was changed slightly to indicate it does not stop transmitting, but just continues to transmit the jam signal instead of the frame. IEEE states a minimum jam of 32 bits but does not specify a maximum jam period past 150 ms. There is no specified jam pattern for the adapters. Manufacturers can do what they want as long as it is not the CRC of the bits that were just transmitted. The transmitting adapters back off a random amount of time. The first station to time out tries again. In the meantime, a totally different station may have gotten a frame out onto the network. Each time the adapter is involved in a collision trying to transmit the same frame, it waits a longer period of time before listening for carrier. It gives up after 16 unsuccessful attempts and purges the frame from its transmit buffer. The upper layer protocol must queue it again. This of course involves more delay than the collisions and backoff induced.
The backoff time is measured using the propagation delay of the media (slot time). The figures above are for 10 Mbps Ethernet. 100 Mbps times are 1/10th of these times; gigabit times are 1/100th of these times.
Slide Title:
Important Points to Cover:
For student reference. Don't spend any time here. The previous two slides are now combined on this single slide.
[Flowchart: frame transmission]
1. Calculate and add CRC.
2. Carrier Sense? Yes: Defer. No: Wait 96 bit times.
3. Transmit Data and Listen for collision.
4. Detect Collision? No: Done. Transmit OK! Yes: Send Jam, Compute backoff, Wait backoff time.
All speeds of Ethernet follow this flowchart. Only the timing changes.
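The transmit flowchart and the truncated binary exponential backoff described under Collisions, as an added example that is not part of the original course material. The 512 bit time slot and the cap of 10 doublings are assumptions taken from IEEE 802.3 for 10 and 100 Mbps, and `collides` is a hypothetical callback standing in for the wire.

```python
import random

IFG_BIT_TIMES = 96     # interframe gap, identical at every speed
JAM_BITS = 32          # minimum jam sent after a collision
ATTEMPT_LIMIT = 16     # total tries before the adapter purges the frame
SLOT_BIT_TIMES = 512   # assumption: IEEE 802.3 slot time for 10 and 100 Mbps
BACKOFF_LIMIT = 10     # assumption: IEEE 802.3 stops doubling after 10 collisions


def bit_times_to_us(bit_times, mbps):
    """Microseconds taken by a number of bit times at a line rate in Mbps."""
    return bit_times / mbps


def backoff_range(collisions):
    """Inclusive (low, high) wait, in slot times, after the n-th collision.

    The range doubles with each collision on the same frame and is
    truncated once BACKOFF_LIMIT collisions have occurred.
    """
    return 0, 2 ** min(collisions, BACKOFF_LIMIT) - 1


def transmit(collides, mbps=10, rng=None):
    """Walk one frame through the transmit flowchart.

    collides(attempt) returns True when that attempt (1-based) ends in a
    collision. The result reports whether the frame got out, how many
    attempts it took, the slot counts drawn for each backoff, and the time
    spent on gap, jam and backoff (frame transmission time is not counted).
    """
    rng = rng or random.Random()
    backoffs = []
    elapsed = 0  # bit times
    ok = False
    for attempt in range(1, ATTEMPT_LIMIT + 1):
        elapsed += IFG_BIT_TIMES          # wire quiet for 96 bit times
        if not collides(attempt):         # transmit and listen
            ok = True
            break
        elapsed += JAM_BITS               # keep transmitting: send jam
        if attempt < ATTEMPT_LIMIT:
            low, high = backoff_range(attempt)
            slots = rng.randint(low, high)
            backoffs.append(slots)
            elapsed += slots * SLOT_BIT_TIMES
    return {
        "ok": ok,
        "attempts": attempt,
        "backoffs": backoffs,
        "overhead_us": bit_times_to_us(elapsed, mbps),
    }


if __name__ == "__main__":
    # Constructed scenario: the first two attempts collide, the third succeeds.
    print(transmit(lambda attempt: attempt < 3, mbps=10, rng=random.Random(1)))
    # Constructed scenario: every attempt collides, so the frame is purged.
    print(transmit(lambda attempt: True, mbps=10, rng=random.Random(1))["ok"])
```
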
Slide Title:
Important Points to Cover:
Spend time taking the students through the process. Make sure they understand. There is a new diagram similar to this in the Full Duplex section now.
Frame Reception
All adapters synchronize clocks to the preamble bit pattern
Upon receipt of end of preamble flag, adapters copy the DLC destination address
If the destination DLC address is equal to their own or a broadcast, stations continue to copy, otherwise they stop copying and release the buffer
[Figure: a frame from Source C788CD809782 to Destination 080069020FD3, led by its Preamble, is repeated by the Concentrator or Hub to every station]
Slide Title: Frame Reception
Important Points to Cover:
This is an automated build slide. Click the mouse when you are ready to show the action after you have covered the bullets. Stations hear the preamble and synchronize their clocks to it. The Start of Frame delimiter indicates the destination field is coming next. Stations listen for as long as it takes to determine if the frame is addressed to them or not. If it is addressed to them, they copy it. If the frame is not intended for them, they discard the bits from their receive buffer and passively wait for a new signal or the quiet time so that they may send their own data.
[Flowchart: frame reception. Decisions: >512 Bits?, CRC Valid? Outcomes: Runt Frame, Discard Frame, Alignment Error]
MAC Frame Reception:
Recognize if frame is destined for this station
Discard frame if it is too short (runt)
If frame does not end on an 8-bit boundary, truncate it to the nearest 8-bit boundary
Calculate CRC. If the calculated CRC does not match the CRC in the frame, discard the frame (If the discarded frame does not end on an 8-bit boundary, report Alignment Error; otherwise report CRC error)
Pass good data to upper-layer
Frames are always truncated because transmitters have a hard time stopping immediately after the last data bit. Transmitters are allowed 1.6 bit times after the final data bit to let their transmission level reach 0. Any bits whose signal level is less than the receiving adapter's minimum level requirements will be disregarded. It is possible for a transmitting adapter to send an extra bit or two after sending the CRC field, and for these bits to be of sufficient amplitude to be seen as bits by a receiving adapter. In these circumstances, the bits are referred to as dribble bits and will be truncated by the receiving adapter to the nearest 8-bit boundary. Dribble bits become more evident in Fast Ethernet and Gigabit Ethernet networks, due to the increased number of bit times required for transmitting adapters to return to zero.
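The reception steps above, including the difference between a harmless dribble bit and a true alignment error, as an added example that is not part of the original course material. The two station addresses are the ones shown on the Frame Reception slide; the payload, the 64-byte (512-bit) minimum and the helper names are assumptions of this sketch.

```python
import struct
import zlib

MIN_FRAME_BITS = 512          # assumption: 64 bytes, destination through CRC
BROADCAST = b"\xff" * 6
ME = bytes.fromhex("080069020FD3")     # destination address from the slide
SRC = bytes.fromhex("C788CD809782")    # source address from the slide


def fcs(body):
    """CRC-32 of the frame body in the byte order Ethernet sends it."""
    return struct.pack("<I", zlib.crc32(body))


def build_frame(dst, src, ethertype, payload):
    """Frame without preamble: pad to the minimum length, then append the CRC."""
    body = (dst + src + struct.pack("!H", ethertype) + payload).ljust(60, b"\x00")
    return body + fcs(body)


def to_wire_bits(frame):
    """Bits in transmission order (least significant bit of each byte first)."""
    return [(byte >> i) & 1 for byte in frame for i in range(8)]


def from_wire_bits(bits):
    """Inverse of to_wire_bits for a bit count that is a multiple of 8."""
    return bytes(
        sum(bit << i for i, bit in enumerate(bits[n:n + 8]))
        for n in range(0, len(bits), 8)
    )


def receive(bits, my_mac):
    """Classify the bits seen after the start-of-frame delimiter."""
    if len(bits) < 48 or from_wire_bits(bits[:48]) not in (my_mac, BROADCAST):
        return "ignored"                       # stop copying, release buffer
    if len(bits) < MIN_FRAME_BITS:
        return "runt"                          # too short, e.g. a collision fragment
    dribble = len(bits) % 8
    frame = from_wire_bits(bits[:len(bits) - dribble])  # truncate to 8-bit boundary
    if fcs(frame[:-4]) == frame[-4:]:
        return "good"                          # pass data to the upper layer
    return "alignment error" if dribble else "crc error"


def demo():
    """Run constructed sample frames through receive() and return the verdicts."""
    good = to_wire_bits(build_frame(ME, SRC, 0x0800, b"constructed payload"))
    damaged = list(good)
    damaged[200] ^= 1                          # one bit flipped in transit
    other = to_wire_bits(build_frame(SRC, ME, 0x0800, b"constructed payload"))
    bcast = to_wire_bits(build_frame(BROADCAST, SRC, 0x0800, b"constructed payload"))
    return {
        "clean frame": receive(good, ME),
        "clean frame + 3 dribble bits": receive(good + [1, 0, 1], ME),
        "bit error": receive(damaged, ME),
        "bit error + 3 dribble bits": receive(damaged + [1, 0, 1], ME),
        "collision fragment": receive(good[:200], ME),
        "addressed elsewhere": receive(other, ME),
        "broadcast": receive(bcast, ME),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:30s} {verdict}")
```
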
Repeaters
[Figure labels: 10BASE5, Repeater, AUI, Multiport Repeater, 10BASE2, 10BASE-T ports 1 to 6, Hub or Concentrator]
A repeater is a physical layer device that extends the network length and topology by regenerating and retiming the signal one bit at a time
A repeater repeats every signal that comes in on one port onto every other port. A repeater does not isolate traffic or collisions
A repeater is transparent to other stations on the network. A repeater is not addressable. It does not store and forward data
A 10BASE-T hub acts as a multiport repeater
A repeater can cause more collisions, since a collision signal is propagated out all ports. Hubs managed through SNMP have an IP address assigned to the interface that communicates with the management application. This address is NOT used in frame regeneration.
Slide Title: Repeaters
Important Points to Cover:
Repeaters are required to quickly forward data from one port onto all others. A repeater doesn't isolate collisions, it propagates them. A hub graphic has been added to the slide.
Data Repeat
Repeat all signals received on one segment to all other segments attached to the repeater
Signal Amplification
Ensure the amplitude of signals is correct
Signal Retiming
Ensure encoded data output is within jitter tolerances
Fragment Extension
Extend repeated signal if less than 96 bits (including preamble)
Preamble: 8 bytes of 1010101...10101011 at the beginning of each Ethernet frame. The preamble is discussed in more detail in the data link layer section. A repeater uses the preamble to sync up to bits, just like any station does. Some bits may be lost, in which case the repeater regenerates a new preamble. If a repeater receives a little fragment (runt) frame that is less than 32 bits plus preamble, the repeater will extend the bits to at least 96 bits. This ensures that the signal meets the next repeater while the repeater is still transmitting, so that the attached segments are busied out for the duration of the original collision.
Important Points to Cover:
Repeaters do not repeat preamble. They create a new preamble. When they see the 11 indicating the end of preamble, they go into repeat mode. Repeaters jam out all ports on detection of a collision. They are the only devices for which IEEE has defined a jam pattern (documented in the student notes).
Media = .4 to .6 mm diameter (26 to 22 AWG) unshielded wire in a multipair cable
Maximum distance from hub to transceiver = 100 meters
A hierarchical star topology is allowed, with up to four levels of concentrators
Telephone wire meets the requirements because it is usually unshielded twisted-pair cable composed of .5 mm (24 AWG) twisted pairs. When unshielded twisted pair cabling is used, you must be concerned with electromagnetic and radio interference, as well as cross-talk. Cross-talk is caused by excessive coupling of signals from one line to another, due to the geometry of the twist. Use a cable scanner to test for cross talk. The 10BASE-T specification states that any two stations communicating cannot traverse more than four hubs. This follows the four repeater rule contained in the IEEE 802.3 specification. Each hub contains repeater functionality. The limit of 100 meters is for the worst case of 11.5dB of signal attenuation. Many manufacturers now use transceiver chips that drive typically from 125 meters to 200 meters (626 feet). However, the moment you attach a hub with these cable lengths to another hub, overall propagation delay comes into play. If you're using a standalone hub AND your new and improved TDR says all of the requirements for segment signal conformance are being met, you don't have to worry about using the longer UTP cable.
[Figure: workstations and file servers attached to a concentrator]
Concentrators (hubs) are the equivalent of a bus in a box and function like multiport repeaters. A signal received from a transmitting station is repeated onto the backplane and then repeated (flooded) out all other ports. Hubs and repeaters do not repeat preamble. They regenerate a new one. When the end of preamble is reached, repeaters then go into repeat mode. Fragments are extended to the minimum of 96 bits. Concentrators (hubs) do not segment collision domains. Upon detection of a collision, hubs jam out all ports. Repeaters are the only devices that have an IEEE-specified jam pattern. The first 62 bits (of 96) must be 10101010...etc. The concentrator may partition any port with 32 consecutive collisions. Unmanaged hubs will re-enable the port upon receipt of any good data frame. Managed hubs tend to require that the administrator re-enable the port through the elemental manager.
Note the addition of 100Base info here. This is an automated build slide showing the signal propagation. It's still a bus with the backplane propagating the signal everywhere.
Workgroup Hubs
The need for autonomous work groups requires backplane segmentation of larger hubs
Hub backplanes are physically separated into 2 or 3 or 4 different Ethernet segments
10/100 Autosensing
Interconnection of these separate LANs is accomplished by the inclusion of bridge-on-a-card or router-on-a-card modules to one of the segmented LANs. Standalone bridges and routers are also used, but the trend is toward space-conserving configurations. Some vendors offer tiny micro bridges to connect one Ethernet to another. All networking components reside within the hub or networking platform, which makes them ideal for locked wiring closets. Workgroup hubs typically have an element manager that will support both in-band (Telnet via TCP/IP on Ethernet) and out-of-band (RS232 for modems) access. These element managers provide physical level data about the health of the LAN and can send SNMP traps to, or respond to SNMP polls from, integrated network management systems or umbrella managers. Some hubs are equipped with redundant hot-standby power supplies for maximum uptime. Power supply or line card swaps can be performed during off-peak times. The reality: although hubs have evolved into the heterogeneous networking platform, they have also become the single point-of-failure for many workgroups.
Student notes and slide are adequate. The names of the hubs have changed to reflect how they are marketed today.
Backbone Hubs
SNMP Management applications are used to control these sophisticated hubs. Many offer click and drag operations to logically move stations. SNMP agents collect port, backplane and other statistics. The management stations periodically poll the devices for the statistics. Data is collected and reports are generated to track the health of the device and network.
Multiple flavors of backbone hubs proliferate today. Some offer dedicated functions, while others offer add-in functionality via line cards like:
Multiple media Ethernet segments: AUI, BNC, 10/100BASE-T, FOIRL
Multiple media Token Ring segments: STP, UTP, fiber repeaters
Multiport local and remote bridges with FDDI backbone interfaces
Multiport, multi-protocol local and remote routers
Ethernet packet switches. These are discussed in more detail later
LAT and TCP/IP terminal servers for RS232-based devices
X.25 gateways, SNA gateways
Novell NetWare file servers
Etc. The list continues to grow
Slide Title: Backbone Hubs
[Figure: NIC with TX, RX, COL and LINK indicators]
10 Mbps link test pulses are 100 nanoseconds (100 nanoseconds = 0.1 microseconds = 1 bit time) in size, and are transmitted every 201 microseconds. Unless there is a regular link test pulse, data is not transferred from the wire to the receiver, or from the transmitter to the wire. Polarization or phase is the correct match of TX+ to RX+ instead of TX+ to RX-. Some early 10BASE-T products did not incorporate auto-polarity and auto-phase matching capabilities. The wires connecting these devices must be oriented correctly. Subsequent products do incorporate these features. 100BASE-T Link Integrity pulses are sent continuously on the T4 primary transmit pair about 1 ms apart. Failure to detect these pulses generates an error.
Many transceivers and hub ports feature a Link LED (usually green in color) that provides a confidence check of wire pair integrity
A pulse is transmitted on one end's transmit pair to the other end's receive pair every 201 µs. The pulse is unique and will not be mistaken for a data frame or a collision
It provides status of the hub's transmit wire pair to the node's receive wire pair (node Link LED), and the node's transmit pair to the hub's receive pair (hub Link LED)
An illuminated Link LED is not a guarantee that the wire pair is polarized or phased correctly (TX+ to RX+, TX- to RX-) or that the wire pair is twisted together end-to-end (pin 3 twisted with pin 6, for example: orange/white wire twisted with white/orange wire)
Important Points to Cover:
The link pulse test does not check for correct phasing of the signal. It is simply a continuity test. If the pulse is not there, the devices will not communicate. We are going to be doing some comparisons of these link pulses as we discuss Fast and Gigabit Ethernet. The characteristics of the 10 Mbps link pulses are important to mention here.
One pulse
Evenly spaced at 201 microseconds
Contact           Signal       X-over
1 white/orange    Transmit +   3 white/orange
2 orange/white    Transmit -   6 orange/white
3 white/green     Receive +    1 white/green
4                 Not used
5                 Not used
6 green/white     Receive -    2 green/white
7                 Not used
8                 Not used
The 8-pin connector is used as the mechanical interface to the twisted pair cable. The connector is used on the hub as well as the NIC. Typically the NIC connects to a wall outlet using a twisted pair patch cord. Wall outlets connect through building wiring and a cross-connect function to the repeater hub. The cross connect (or crossover) function connects the transmitter at one end of the twisted pair link to the receiver at the other end of the twisted pair link. The cross connect can be built into the receiving end. There are two pairs used for each station attachment. Two wires (one pair) are used to receive data from the hub to which it is attached. The second pair is used to transmit data to the hub. Normally a light on the hub indicates the pair from the station to the hub are attached correctly (this is the TX+ and TX- from the station to the RX+ and RX- on the hub). A light (Link LED) on the card indicates the pair from the hub to the station are correct (this is the TX+ and TX- from the hub to the RX+ and RX- on the station). Most 10 and 100 Mbps twisted-pair Ethernet is still half duplex: a station is either transmitting or receiving, not both.
Ethernet hubs used to require correct phasing. You could not get away with reversing the leads. Most hubs today will auto-sense and compensate if the polarity is reversed. Pins 4 and 5 are not used. They were reserved for tip and ring. Pins 7 and 8 were used in the old days for a second line or to power a phone with auxiliary features.
[Figure: 8-pin connector, contacts 1 to 8]
receive pair has been split out
If the receive pair is not twisted together, the wires will not be mutually affected by the same noise, thus Common Mode Rejection will not be effective
How will you know if noise is affecting data to a station? For one thing, you will see lots of CRC errors on the Sniffer with that station as the destination address. There will also be various other errors (especially retransmissions) associated with the station. The EIA/TIA 568 wiring standards shown above are somewhat different from the widely used USOC wiring scheme (not shown) for telephone signals. Because of the wire-pair layouts, a 568 link can be used for voice signals; however, USOC wiring is not properly paired for Ethernet signals. EIA/TIA 568 standards specify an 8-pin connector (RJ-45), pinned out in one of the two options, 568A or 568B, shown above. Today's connecting hardware is color-coded to match the wires, and modern cable testers can quickly determine if the link is capable of carrying a 10 or 100 Megabit Ethernet signal.
10BASE-T requires the transmit leads and the receive leads to be discrete pairs. It does not matter how your plant is cabled, but you need to know so that the pairing can be maintained. 10BASE-T will not work if the pairs are not maintained.
[Figure: TX+/TX- and RX+/RX- wire pairs]
For CMR to function properly, a pair of wires need to be twisted around each other
CMR uses the voltage differences between each signal (TX+) and its mirror image (TX-) to determine the logic state of each bit. (The differential voltage is typically either 5v or 0v)
Voltage spikes, when they occur, will induce themselves onto the wire pair but the difference in voltage (5v or 0v) will remain the same
CMR is not perfect, as excessive electrical noise may defeat the cancellation process and destroy the transceivers at the hub and the node
For Common Mode Rejection (balanced signaling, or longitudinal voltages) to work properly, the signal and its reference need to be subject to the same interference. For the signals to be subject to the same interference, they are treated as a pair and mutually twisted. There are several different schemes of pairings. Unshielded twisted pair wiring that is correct for Ethernet may not be correct for telephony, or wire that is correct for Token Ring may not be correct for Ethernet. Observe standard wiring guidelines such as NOT routing UTP over fluorescent lights, near high-voltage or high-current sources, etc. The diagram above depicts the hex pattern of 6E, which Intel uses as the cable test pattern.
This is what allows 10BASE-T to work. The important concept is that you want the same amount of noise on the receive minus wire as the noise on the receive plus wire. Equal noise maintains the relationship of the signal and can be filtered out so that the chips can still determine a one from a zero. When wires are not twisted together and noise hits, the relationship is not constant and common mode rejection doesn't work.
Cabling Installations
[Figure: NIC Card Connection, Wall Plate, Patch Panels and 10 Port hub, with numbered connection points]
Beware of too many connections. Each one contributes to signal attenuation and represents a potential failure point
The diagram above can apply to Ethernet or Token Ring. The connections in the diagram are:
1) PC NIC and UTP patch cord
2) UTP patch cord and wall plate
3) Wall plate and UTP cable
4) UTP cable and punchdown block. Punchdown blocks include BIX 1A, Telco 66, and/or AT&T MT 110 (for level 5)
5) Punchdown block and 25-pair cable
6) 25-pair cable and first patch panel
7) First patch panel and UTP patch cord
8) UTP patch cord and second patch panel
9) Second patch panel and 25-pair cable
10) 25-pair cable and interface module
This cabling diagram may be simplified in most locations. The shaded area from points 4-9 is the equivalent of a harmonica, a device in common usage in many installations.
This cabling diagram does not represent the ideal, but rather is an example of how things should NOT be done. Unfortunately, this is the cabling found in some environments. This cabling diagram represents the way things were done in the past -- to meet category 3 standards. Most new installations DO NOT install wiring this way. Each mechanical connection induces loss and an opportunity for a failure point. New installations wire the network to category 5 specifications. An example would be to connect the wallplate (3) to the back of the patch panel (8). Cross connects are made directly to the hub.
Hub-to-Hub Connections
Hubs typically cross internally over the transmit and receive pairs from the nodes
Hub-to-hub connections must be crossed over so that the transmit pair of one hub's port goes to the receive pair of the other hub's port and vice-versa
This can be done with a crossover cable, or at the punchdown block, or via an MDI-X port that internally crosses the pairs
Some manufacturers do not support hubs being connected via node ports. Some of these manufacturers are circumventing the IEEE rules by using special connections for hub-to-hub connections, and advertise themselves as half-hop hubs, that may be cascaded further (to more hops) than the IEEE rules allow, using the special connections, and no crossovers. Some hub manufacturers are now offering proprietary higher speed synchronous links between THEIR hubs. Other manufacturers have developed Full Duplex Ethernet hubs. MDI-X should only be enabled on one end.
Slide Title: Hub-to-Hub Connections
Timing Specifications
Slide Title: Timing Specifications
Collision Domain
A transmission on this segment... and news of a problem, if any, must propagate all the way back, while the original station is still transmitting
[Figure label: Repeaters]
A "collision domain" is defined as the physical area within which a collision is propagated. Repeaters propagate everything, even bad frames.
Slide Title: Collision Domain
Important Points to Cover:
This is an automated build slide. This slide was updated to show repeaters (hubs) instead of coax cable. The rule still applies, whether we're using thick, thin or twisted pair as long as the media is shared. Extremely important concept. All equipment (old and new) must follow this rule. All timing specifications are based on the collision domain. The round-trip time for the worst-case scenario must be less than the time to transmit the minimum-sized frame, since the card only listens while it is transmitting. Cable lengths, repeater rules and propagation delay all must reach this target.
Determination of the maximum topology and minimum frame size depends on information about the speed that data travels
Data travels at less than the speed of light (c)
c = speed of light in a vacuum = 300,000 kilometers per second (approximately 1 foot per nanosecond)
Thick Coax Cable: Signal travels at .77c (231,000 km/sec)
Thin Coax Cable: Signal travels at .65c (195,000 km/sec)
Twisted Pair Cable: Signal travels at .59c (177,000 km/sec)
Fiber Cable: Signal travels at .66c (198,000 km/sec)
AUI Cable: Signal travels at .65c (195,000 km/sec)
Important Points to Cover:
This is a lead-in to the next slide. This information comes from the 802.3 spec. It is an auto build slide.
For thick Ethernet, the basis of the specification: 231,000 km/sec divided by 10 million bits per second = 23.1 meters
A bit occupies 23.1 meters on thick Ethernet, slightly fewer meters for thin and twisted pair Ethernet
An extension of 32 bits would cause an additional 32 x 23.1 meters or 739 meters to be busy, which makes it possible to busy out a maximum size Ethernet segment
This explains why a repeater extends a fragment frame by at least 32 bits. It also explains the 32 bit jam added to a collision frame
For 10Base-T: 177,000 km/sec divided by 10 million bits per second = 17.7 meters
32 x 17.7 meters = 566.4 meters are busy on jam, easily exceeding the maximum length between end devices
Important Points to Cover:
Our favorite slide. (Lightbulb goes on.) The pictures you see of a tiny frame on a big network are all wrong. The frame quickly envelops the entire cable segment, thus collisions are much more rare than you have been led to believe.
[Figure: Station 1, Repeater Sets 1 to 4, Station 2]
This information is taken from the 1992 edition of the 802.3 specification. Maximum end-to-end propagation delay is derived by dividing the maximum length by the speed. See previous page for speed. For thick coax, this is 500 m divided by 231,000 km/sec = 2165 nanoseconds. For thin coax, this is 185 meters divided by 195,000 km/sec = 950 nanoseconds. Each tap and each device adds additional delay, so the total network must not introduce more than 51.2 microseconds of delay. Even though these rules are specified for coax cable, the 5-4-3 rule still applies to the newer fast technologies. Cable lengths are modified and delay characteristics are calculated to obtain the maximum topology rules.
The maximum transmission path permitted between any two stations is five segments and four repeater sets
Of the five segments, a maximum of three may be coax segments; the remainder are link segments
A coax segment is a cable terminated at both ends in its characteristic impedance, with a maximum end-to-end propagation delay of 2165 ns for 10BASE5 and 950 ns for 10BASE2
A point-to-point link segment is a non-coax segment, terminated in a repeater set at each end, with a maximum end-to-end propagation delay of 2570 ns. A 10BASE-T connection between a hub and station is also considered a point-to-point link
If there are no link segments on a transmission path, there may be a maximum of three coax segments on that path given current repeater technology.
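A path checker for the rules above, using the propagation speeds and per-segment delay limits quoted in this section. This is an added Python example, not part of the course material; Segment, check_path and the sample cable lengths are constructed for illustration, and the example assumes adjacent segments on a path are joined by exactly one repeater set.

```python
from dataclasses import dataclass

BIT_RATE = 10_000_000  # 10 Mbps

# Propagation speeds quoted in this section, in km/sec.
SPEED_KM_PER_S = {
    "10BASE5": 231_000,    # thick coax, .77c
    "10BASE2": 195_000,    # thin coax, .65c
    "10BASE-T": 177_000,   # twisted pair, .59c
    "fiber": 198_000,      # .66c
}
# Maximum end-to-end propagation delay per segment, in nanoseconds.
COAX_MAX_DELAY_NS = {"10BASE5": 2165, "10BASE2": 950}
LINK_MAX_DELAY_NS = 2570   # any non-coax (link) segment

MAX_SEGMENTS = 5
MAX_REPEATER_SETS = 4
MAX_COAX_SEGMENTS = 3


@dataclass(frozen=True)
class Segment:
    medium: str        # a key of SPEED_KM_PER_S
    length_m: float

    @property
    def is_coax(self) -> bool:
        return self.medium in COAX_MAX_DELAY_NS

    @property
    def delay_ns(self) -> float:
        """Length divided by speed, expressed in nanoseconds."""
        return self.length_m / (SPEED_KM_PER_S[self.medium] * 1000) * 1e9

    @property
    def max_delay_ns(self) -> int:
        return COAX_MAX_DELAY_NS.get(self.medium, LINK_MAX_DELAY_NS)


def bit_length_m(medium: str) -> float:
    """Metres of cable occupied by one bit at 10 Mbps."""
    return SPEED_KM_PER_S[medium] * 1000 / BIT_RATE


def extension_m(medium: str, bits: int = 32) -> float:
    """Cable length kept busy by a 32-bit fragment extension or jam."""
    return bits * bit_length_m(medium)


def check_path(segments):
    """Return a list of rule violations for the path between two end stations."""
    problems = []
    repeater_sets = max(len(segments) - 1, 0)
    coax = sum(1 for s in segments if s.is_coax)
    if len(segments) > MAX_SEGMENTS:
        problems.append(f"{len(segments)} segments (maximum {MAX_SEGMENTS})")
    if repeater_sets > MAX_REPEATER_SETS:
        problems.append(f"{repeater_sets} repeater sets (maximum {MAX_REPEATER_SETS})")
    if coax > MAX_COAX_SEGMENTS:
        problems.append(f"{coax} coax segments (maximum {MAX_COAX_SEGMENTS})")
    for i, s in enumerate(segments, 1):
        if s.delay_ns > s.max_delay_ns:
            problems.append(
                f"segment {i} ({s.medium}, {s.length_m} m): "
                f"{s.delay_ns:.0f} ns exceeds {s.max_delay_ns} ns"
            )
    return problems


if __name__ == "__main__":
    for medium in ("10BASE5", "10BASE-T"):
        print(f"{medium}: {bit_length_m(medium):.1f} m per bit, "
              f"32 bits keep {extension_m(medium):.1f} m busy")
    # Constructed path: three coax segments and two link segments.
    path = [Segment("10BASE5", 500), Segment("10BASE-T", 100),
            Segment("10BASE2", 185), Segment("10BASE-T", 100),
            Segment("10BASE5", 500)]
    print(check_path(path) or "path obeys the 5-4-3 rule")
```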
These rules are derived from the collision domain concept. They are taken directly from the IEEE specs that have been in place for many, many years. The slide is a lead-in to the new concept of transmission models explained on the next pages. Explain the 5-4-3 rule so they understand it fully. The newer transmission models 1 and 2 slides have been moved to the Optional Technologies section since most people are not using equipment where it is important. You can still go there to show them if you think a student needs them for clarification.
[Figure: Station 1, Station 2, Repeater Sets 1 to 4, Station 3]
The minimum length for an Ethernet frame is 64 bytes or 512 bits. This is based on the round-trip propagation delay on a frame for the worst-case scenario
Station 1 transmits to adjacent Station 2 on Segment 1
Station 3 just misses hearing Station 1's transmission and also transmits. Station 3's transmission collides with Station 1's transmission
The damaged frame travels back down the network to inform Station 1 that a collision has occurred. This takes approximately 50 microseconds or 500 bit times
The minimum frame length is defined such that the:
Message from Station 1 is long enough so that Station 1 is still sending when the collision is detected
The resulting runt message from Station 1 is short enough such that Station 2 (the receiver) can throw out the message on the basis of it being too short (less than 64 bytes)
The node needs to know it had a collision, so the damaged frame can be resent at the MAC level. Retransmitting at the MAC level is very fast: within microseconds. A retransmission at the LLC level takes a few milliseconds. A retransmission at upper-layers can take a few seconds per frame.
[Figure: cascaded repeaters R2, R3 and R4, annotated "Populating one of these repeaters would break the rule"]
The frames must be long enough so that stations 1 and 5 are still transmitting when the collision signal gets back to them
Count the repeaters between the furthest end stations to ensure you have not broken the 5-4-3 rule
Important Points to Cover:
New Slide. Automated build slide. Shown to emphasize that hubs / concentrators must follow the 5-4-3 rule. It's easy to inadvertently break the rule when you have them all stacked in racks in a wiring closet. Perhaps they should label the devices so unused ports are not used incorrectly.
Important Points to Cover:
Yes. This is a 10BASE-T network with a 3-level cascade. The topmost concentrator serves as the backbone to the other hubs. The middle-end hubs are populated, whereas the middle-center hub is not: it is a link segment to the two lower populated hubs. Note that no frame needs to traverse more than 5 segments or 4 repeaters (hubs) to its destination.
This is the recommended configuration by the 10BASE-T vendor SMC. Follow the path of every station to ensure that it obeys the 5-4-3 rule. The development of the 5-4-3 rule can be summarized as follows.
(1) The length of any given segment of a network is limited by the electrical and physical properties of the cable type employed. The primary characteristic is the rate of attenuation over a given length of the cable. For example, for thick coax, 500 meters is considered to be the maximum length over which we can transmit a signal while ensuring that the signal does not attenuate or otherwise degrade to the point of being unacceptable to a receiver.
(2) Based on section 13.4.2 of the 802.3 specification, the number of repeaters that can be used is limited by the potential for shrinkage of the interframe gap. If the interframe gap is reduced, the potential for misinterpretation of frames increases. Shrinkage of the gap will likely prevent receiving network interfaces from having sufficient time to perform housekeeping functions such as posting interrupts, managing the buffer, and updating statistical counters, etc. Specifically the IEEE specifications say, "The worst-case variabilities of transmission elements in the network plus some of the signal reconstruction facilities required in the 10 Mbps baseband repeated specification combine in such a way that the gap between two packets travelling across the network may be reduced below the interframe gap specified in section 4.4.2.1. This parameter limits the equipment (i.e. number of repeaters) between any two DTEs."
(3) Knowing the facts as given in (1) and (2) above, we can now see how the minimum frame length of 64 bytes was calculated. We have segments of 500 m due to the signal characteristics of the cable. We can have a maximum of 4 repeaters and, therefore, 5 segments between any two stations. This creates a maximum topology as described in the text. Then, knowing that we must guarantee collision detection while the stations participating in the collision are still transmitting, we must specify a minimum frame length of 64 bytes due to the inherent normal propagation delay of the maximum topology size described above.
Turn to the lab section to complete this exercise. Use the diagram on the next page as a reference to the network layout
Important Points to Cover:
Use the instructor notes in the back of the instructor manual to review the exercise. Go over the diagram on the next page before they begin.
[Figure: network layout showing Hub 6, Node 3, the Sniffer, and a Bridge, with a 50 meters cable run]
Important Points to Cover:
Review the network configuration. Note that the picture is not complete. For example, there probably were other stations on the thin Ethernet. The Sniffer analyzer was connected somewhere near the end of the thin Ethernet. (Otherwise the Sniffer technician probably would have noticed the ARCNET cable!?!) We don't know exactly what was on the other side of the bridge shown on the left. Originally the Sniffer analyzer was placed at the end of the topology and saw no errors. In the actual trace, the Sniffer analyzer was placed at the junction and saw errors. The node was moved to the end of the topology and worked without incident. Client addresses in the trace all exist off of the Concentrator with the Server Coffee.1 Since the transmission model slides were moved to the back, you will probably not cover this with the class. The calculations are left here just in case you need them. To calculate the PVV, we calculate from right to left:
[Diagram: 50 meters; N N FS B N S; H H H H H H]
8+8+8+8+8+16 = 56
This does not exceed the delay, but it is higher than the 49 PVV allowed in Model 2.
Degree of Degradation
Ethernet retransmission occurs, typically, within a few hundred microseconds
Type II LLC retransmissions may occur within milliseconds
Transport layer retransmissions may occur within seconds
Application layer retransmissions may occur within tens of seconds
User programs may wait minutes before timing out
Conclusion: The higher the layer responsible for retransmission, the longer the user has to wait
Slide Title: Degree of Degradation
Important Points to Cover:
Important concept. Physical layer recovery is fast. Each layer higher takes more time to recover from an error.
Retransmissions
943: NFS request.
944: Unanswered request (943) is retransmitted 0.7s later.
945: Unanswered request (944) is retransmitted 3s later.
946: Frame 945 is collided and is retransmitted 0.2ms later.
947: Frame 946 is collided and is retransmitted 0.3ms later.
948: Frame 947 is collided and is retransmitted 0.2ms later.
949: Frame 948 is collided and is retransmitted 2.6ms later.
950: Frame 949 is collided and is retransmitted 24.2ms later.
951: Frame 950 is collided and is retransmitted 11.4ms later.
952: Frame 951 is collided and is retransmitted 50ms later.
953: Unanswered request (952) is retransmitted 12.3s later.
954: Frame 953 is collided and is retransmitted 0.3ms later.
955: pc150 times out after request is unanswered and ARPs for natco-4 26.9s later.
Trace file FRAGS.ENC. Note that all frames with a CRC flag are actually collided. At the time that the trace was taken, Network Associates was using an adapter which was incapable of counting or flagging frames as collided. The client NFS request to look up the file wp50 in the directory handle E71D is retransmitted four times without answer for a total of 43.4 seconds before the user application gives up and ARPs to see if its server is still alive. The Truncated Binary Exponential Backoff Algorithm (progressively larger multiples of the slot time) is demonstrated in frames 945 to 952: the random backoff timer is lengthening until the first good request in frame 952. Once NFS retransmits in frame 953, which is collided, we see the algorithm start over again at the beginning. The NFS retransmissions occur at 0.7s, 3s, 12.2s, and 26.8s or so, when the client finally gives up.
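The backoff rule named above, as an added Python example (not part of the course material). The 51.2 microsecond slot time is from this section; the backoff limit of 10 and the attempt limit of 16 are the IEEE 802.3 values, and the two-station contention model in p_all_retries_collide is an assumption made for illustration. It does not reproduce the intervals in the trace, which also include frame time and deferral.

```python
import random

SLOT_TIME_US = 51.2     # 512 bit times at 10 Mbps
BACKOFF_LIMIT = 10      # the window stops doubling after the 10th collision
ATTEMPT_LIMIT = 16      # the frame is given up on the 16th collision


def backoff_slots(collisions: int) -> int:
    """Size of the backoff window after the given number of collisions on one
    frame: the station waits r slot times, r drawn from 0 .. window - 1."""
    if collisions < 1:
        raise ValueError("no backoff before the first collision")
    if collisions >= ATTEMPT_LIMIT:
        raise ValueError("attempt limit reached: the frame is discarded")
    return 2 ** min(collisions, BACKOFF_LIMIT)


def max_backoff_us(collisions: int) -> float:
    """Longest possible wait after this many collisions, in microseconds."""
    return (backoff_slots(collisions) - 1) * SLOT_TIME_US


def draw_backoff_us(collisions: int, rng: random.Random) -> float:
    """One random backoff delay, in microseconds."""
    return rng.randrange(backoff_slots(collisions)) * SLOT_TIME_US


def p_all_retries_collide(retries: int) -> float:
    """Assumed model: exactly two stations collide and both back off in step.
    Retry k collides again only if both draw the same slot, which happens with
    probability 1 / window(k). Returns the chance that every one of the first
    `retries` retries collides."""
    p = 1.0
    for k in range(1, retries + 1):
        p /= backoff_slots(k)
    return p


if __name__ == "__main__":
    rng = random.Random(2024)   # fixed seed so the run is repeatable
    print("collisions  window  max wait (us)  sample wait (us)")
    for n in range(1, ATTEMPT_LIMIT):
        print(f"{n:10d}  {backoff_slots(n):6d}  {max_backoff_us(n):13.1f}"
              f"  {draw_backoff_us(n, rng):16.1f}")
    # Under the two-station model a long unbroken run of collisions is very
    # unlikely, so such a run points at something other than ordinary contention.
    for n in (1, 3, 7):
        print(f"P({n} retries in a row all collide) = {p_all_retries_collide(n):.3e}")
```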
Slide Title:
Important Points to Cover:
Retransmission timer as revealed in the Sniffer Pro analyzer screens. FRAGS.CAP Frames 945-952 show the retransmission timer in action.
Demo:
Page 3 - 36
Summary
3-37 In this section, you learned how to:
Describe the access method used in Ethernet
Discuss the responsibilities of the MAC layer
Differentiate the various types of Physical Layer devices
Explain the importance of the physical size limitations of the Ethernet networks
Ensure the physical characteristics of the Physical Layer have not been extended beyond the specifications
Slide Title:
Important Points to Cover:
Summary
Wrap up the section by reviewing the objectives and answering any questions the students may have.
Target Time: End of Day 1. Go further if you can, since the stuff that's coming is what they want to hear.
Page 3 - 37
Page 3 - 38
4-1
Troubleshooting Methodologies
Section 4 TNV-202-GUI
Slide Title: Troubleshooting Methodologies Section 4
Section Timing: Start: Day 2 Beginning of the day. Finish: Day 2 Late morning if possible!
Files: 04_tbls_g.PPT 04_tbls_g.DOC
Traces: HUBPORT1.CAP BAD03.CAP 05.CAP 17.CAP Badcrc.cap HUBPORT2.CAP FRAGS.CAP 06.CAP 19.CAP Badcrc-1.cap BADCABLE.CAP 01.CAP 16.CAP 20.CAP 21.CAP (was GIANT.ENC)
Exercises:
Optional-
Hubports
More Problems
Test Your Skill
Errors
Evaluating Hub Jams
Ethernet Physical Errors
Modifications were made for the new software version. Some answers have changed. Be sure to review them before you teach! There are too many to do all and have time to cover the newer technologies. Choose those you feel will meet your students' needs.
Page 4 - 1
Section Objectives
4-2 Upon completion of this section, you will be able to:
Recognize and isolate failures in the network using the Sniffer Pro Network Analyzer
Examine Monitor Statistics to determine whether there are problems
Use the Expert symptoms and diagnoses to get the details
Gather Monitor statistics for trend analysis and baselining
Slide Title:
Important Points to Cover:
Section Objectives
State the objectives. This section is just troubleshooting with lots of suggestions and practice.
Page 4 - 2
You must use NAI-supported adapters with enhanced drivers to observe and capture physical error frames
NAI-21140UC
Adaptec (Cogent) ANA-6911A/TX PCI
Adaptec (Cogent) ANA-6911A/TXC PCI
Slide Title:
Important Points to Cover:
New Slide. Use this slide to emphasize they need to use NAI supported cards and drivers in order to capture the error frames. These cards capture both 10 and 100 Mbps networks.
Page 4 - 3
Frame Corruption
Collisions
Propagation delay
Reflected signals
Electrical noise
Hardware failure
With any of these problems, users will see decreased performance due to multiple frame retransmissions
Slide Title:
Important Points to Cover:
Page 4 - 4
Some Guidelines
4-5
The IEEE specifications stipulate that the Bit Error Rate (BER) should not exceed 10^-8 in worst case. A typical LAN 10Mbps segment should have a BER of 10^-11 or better. This translates to a frame loss rate of 10^-7.
More than one bad frame per Mbyte of data deserves attention
Any unexplained change in the baseline deserves attention
More than 1% Error Rate deserves attention
These are important guidelines for determining when they need to act. Be sure to cover these, since these are important CNX numbers they need to know. CNX guidelines do not allow you to specifically state that this is a CNX concept, however, so do not say this is on the test!
Page 4 - 5
The adapter waits for carrier to drop and 96 bit times to elapse before it sends the complete frame
Partial frame on the wire Frame from upper layer CRC Error!
+4
Do not count these incomplete bad CRC frames in the 1 bad frame /MB calculation
The name depends on the vendor. The adapter may also be called a parallel tasking adapter.
Slide Title:
Important Points to Cover:
This is a new slide that discusses the effect of fast transmit or parallel tasking adapters. (They may be known by other vendor-specific names.) It is a build slide that is partially timed and partially relies on mouse clicks. The slide is pretty self-explanatory and should help you explain away some of the false CRC errors the Sniffer reports.
Page 4 - 6
Troubleshooting Tip
4-7
It is always easier to identify what is wrong if one knows how it is supposed to work
One recommendation would be to capture an example of how it looks when the network is working
Save the captured data to a file
When the network stops working, capture another snapshot and compare the working scenario with the nonworking scenario
Then simply identify what is different between the two examples
Slide Title:
Important Points to Cover:
Troubleshooting Tip
Page 4 - 7
+1
Some hubs will autopartition devices out of the network that have too many bad CRCs or if they are jabbering. You can also look at the hub with a solid activity light. That usually indicates problems.
Slide Title:
Important Points to Cover:
This is an automated build slide. It's an old method, tried and true on bus topology Ethernet. It still works on star configurations, too. Of course, managed hubs and switches provide a lot of information to the management software, so this may be a last resort technique. A star configuration should prompt a discussion about hubs and switches. Be sure to mention the student notes topics, too. A blinking light on the hub/switch is there to remind you to talk about autopartitioning hubs and looking at the lights in the wiring closet for lights that are abnormal. Not all hubs and switches support them, but they need to know which is supported on their equipment and use those clues, too.
Page 4 - 8
Exercise: Hubports
4-9
Turn to the lab section to complete this exercise. Use the diagram on the next page for reference
Slide Title:
Important Points to Cover:
Exercise: Hubports
Page 4 - 9
Network Diagram
10BASE-T Hub Hubport1: known good port Hubport2: suspect port NetWare client: Novell~FAA NetWare file server: 3Com~704
replaced by a Sniffer. The same cable connecting the PC was used. Another Sniffer is plugged into a known good port. Both Sniffers were capturing simultaneously.
1) The network is broadcast-oriented: every node hears everything on the wire, including bad or collided frames.
2) Communication is half-duplex and asynchronous in nature: each node must wait until the wire is quiet before accessing the network.
3) Although the network is physically wired as a star, it is still logically a bus.
Slide Title:
Important Points to Cover:
Give the background information before the students begin the exercise. They may not catch all the clues, but that's the fun of the exercise.
[Network diagram: 10BASE-T hub with NetWare clients, the NetWare file server, and the Sniffer analyzer on the suspect port]
Page 4 - 10
Legal Collisions
4-11
Collision occurs within the first 512 bits (64 bytes) of data
Preamble collisions have no recoverable frame data
Typical collisions occur within the first 48 bytes of data
Sniffer Pro Analyzer needs to see 96 bits to capture the frame, otherwise it just increments the collision counter
This includes the preamble and the first bytes of the destination address:
64 bits of Preamble
32 bits of the destination address
These collisions are a normal part of Ethernet.
Sniffer adapters: The Sniffer Network Analyzer uses two basic types of adapters:
Those that can report collisions. The adapter senses that a collision has occurred and marks the frame with an x.
Those that do not report collisions. Sniffer Pro software uses a soft collision counter. If the packet is analyzed and has a CRC error and the last 2 bytes of the packet are 0xAAAA or 0x5555, then the packet is considered to be a soft collision.
Page 4 - 11
Normal Collisions
4-12
Preamble collisions are not captured
Local coax collisions do not have AAs or 55s in the data
Remote collisions show AAs and 55s in the data field inserted by the repeater
They may be labeled collision fragments or runts
Runts
Field: Preamble | D Addr | S Addr | Tp/Ln | Headers | Data | CRC
Bytes: 8 | 6 | 6 | 2 | varies | varies | 4
Slide Title:
Important Points to Cover:
Normal Collisions
New slide. Screen shot showing a normal collision. It is labeled as a collision fragment in the Detail window. This is from 01.CAP
Page 4 - 12
Late Collisions
4-13
On coax, the signal becomes much more negative when the collision occurs. The squelch filter drops this signal, so you see good data then nothing.
On UTP repeated sections, look for evidence of jam from the repeater after 60₁₀ bytes
Either aa aa aa aa... or 55 55 55 55
101010101010 is aa aa aa, 010101010101 is 55 55 55
64 byte minimum minus the 4 byte CRC
60₁₀ = 3D₁₆
Late Collisions
Field: Preamble | D Addr | S Addr | Tp/Ln | Headers | Data | CRC
Bytes: 8 | 6 | 6 | 2 | varies | varies | 4
Slide Title:
Important Points to Cover:
Late Collisions
This is a screen capture that draws the line in the hex window to show where the dividing line is between a normal and late collision. The Expert gives a symptom that indicates when it has seen a collision after the 64th byte when the frame meets certain criteria. 17.cap has a lot of collisions, some are marked as occurring after the 64th byte. There are no AAs or 55s in the hex data, so it was captured on a local coax segment. Badcrc.cap has a late collision in frame 6 way out at offset 38F, but it must be beyond what the Sniffer uses to call a late collision. This should help you in teaching them how to determine when the collision was too late.
Page 4 - 13
Rogue nodes with hearing problems may think the wire is quiet when they send their frame in the middle of someone else's frame
Bad hubs can also cause late collisions
Calculate the math pertaining to network size
If collisions are occurring well beyond where they should be, suspect a rogue node or bad hub
Slide Title:
Important Points to Cover:
New Slide. Sniffer recognizes when a collision occurs too late and shows it in the Expert and on the Summary and Detail panels in the decode window. 05.cap and 04.cap both have frames marked as collision after 64 bytes. This slide was suggested by Don Prefontaine. Thanks, Don!
Page 4 - 14
Cause: Cable is too long, or out of spec, or there are too many repeaters or hubs
The faster technologies have shorter cable specifications and require high quality cables, old legacy cables may have been overlooked and are still in use
FRAGS.ENC shows an example of propagation delay. Filter out the good frames and turn off symptoms. Look at frames 958-964 in the hex panel.
Slide Title:
Important Points to Cover:
Important skill which allows you to know what may have caused the corruption the Sniffer analyzer is showing.
Page 4 - 15
Slide Title:
Important Points to Cover:
Important skill which allows you to know what may have caused the corruption the Sniffer analyzer is showing.
Page 4 - 16
A victim node's frame will typically be corrupted at the same offset
Corruption often occurs prior to the 32nd byte (32₁₀ = 1F₁₆)
Collision data may be visible
If signal reflection is suspected, the best way to examine it is to examine the coax segments with a Time Domain Reflectometer (TDR)
Sniffer Pro
Transmit
+1
Signal reflection problems occur everywhere on every medium. They cannot be observed on UTP because, unlike coax, a node cannot see the bits it is transmitting. It is simply looking for link pulse to know if the link is still there. It does not do current sensing, voltage sensing, and Manchester encoding detection like it can with coax. On coax, one pair is used for both transmission and reception. On UTP, one pair is for transmission and the other is for reception. When a node sends bits to a hub, the hub repeats it out all ports except the one it received on. That means that a node cannot see what it is transmitting. Reflections are also the result of poor termination or no termination. If a hub uplink or switch uplink is not working properly, change the cable to a known good cable and test again. If the UTP cable is flexed too much, it can create a near open (resistance too high; exceeds the 110 ohms or 130 ohms of normal termination) that will not pass enough current, thus creating a signal reflection. A TDR will tell you if the cable is good, bad, or ugly.
Slide Title:
Important Points to Cover:
Important skill which allows you to know what may have caused the corruption the Sniffer analyzer is showing. Important point: This shows up almost exclusively in coax Ethernet, so you can skip it if no one has it anymore. The diagram is automated. You may want to discuss some of the things that may show up in the Sniffer's hex window. Of course, where the Sniffer was attached in relation to the open cable and where the transmitting station is located directly affect it. There may be reflected preamble in the frame. It is doubtful that you would see any of the destination address folding back.
Page 4 - 17
Users see intermittent disconnections and problems connecting to network services
Sniffer Pro Analyzer sees:
Physical errors symptoms or diagnoses
Damaged frames resulting in CRC errors
The frames are the right size but have incorrect data, maybe only one or a few bits got changed
Not many more runts or collisions than baseline
Cause:
Radio Frequency Interference (RFI)
Electromagnetic Interference (EMI)
Poor quality cabling not meant for high speed data transmission
[Diagram labels: Sniffer Pro, Transmit, CRC errors]
Slide Title:
Important Points to Cover:
Page 4 - 18
Noise typically has no effect on frame length
Worst case scenario:
If the damaged frame is greater than 64 bytes, it will appear as a CRC or Alignment in the status field
If the damaged frame is less than 64 bytes, it will appear as a Runt or Fragment in the status field
Noise disrupts the clock; adapter thinks the frame ended
Slide Title:
Important Points to Cover:
Page 4 - 19
A hardware card that is jabbering can jabber with preamble sequence or all ones.
Slide Title:
Important Points to Cover:
Page 4 - 20
Jabbering NIC
4-21
Lots of ones or zeros that seem to go on forever
Slide Title:
Important Points to Cover:
Jabbering NIC
New slide. Screen shot showing jabber in a frame. This shot was taken from jabtest.enc from HQ engineering. It may have been created, but it meets the Expert's criteria for jabber as you see on the screens. Warning: the Jabber.cap file we previously used for jabber may not actually show jabber. The Expert doesn't label it that way and you will see the same pattern of bits in the frame that was retransmitted and others around it.
Page 4 - 21
Alignment # Alignment
Look for 8 to 12 bytes of AAAAs or 5555s. If not there, or greater amount, see comments.
CRC Runt
No specific pattern.
Runts have the same causes as Alignments. May contain the AA/55 pattern, usually from 8-12 bytes.
Fragments are defined as Runts with an invalid CRC. Handle the same as Alignments. May contain the AA/55 pattern, usually from 8-12 bytes.
Greater than 12 bytes of AAs or 55s. Pattern will include lots of AAs and 55s. The cause is hardware, usually a NIC or repeater.
Fragment
<64 bytes
Jabber
Oversize
Hardware has failed and is streaming data. Managed hubs may permanently partition node streaming for more than 150ms; unmanaged hubs may not.
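The Monitor and Expert status labels can be reproduced offline from raw frame bytes. This added example (not Sniffer Pro's own logic) applies the soft collision rule, the 60-byte late-collision offset and the 8 to 12 byte AA/55 pattern from this section to constructed sample frames; the 1518-byte maximum and the split of oversize frames into Oversize (good CRC) and Jabber (bad CRC) are assumptions, and Alignment errors are left out because a byte string cannot hold a partial byte.

```python
import zlib
from typing import NamedTuple, Optional

MIN_FRAME = 64      # bytes from destination address through CRC
MAX_FRAME = 1518    # assumption: untagged Ethernet maximum, not stated on the page
MIN_JAM_RUN = 8     # the matrix says to look for 8 to 12 bytes of AA or 55
LATE_OFFSET = 60    # 64-byte minimum minus the 4-byte CRC


class Verdict(NamedTuple):
    status: str                 # Good, CRC, Runt, Fragment, Oversize or Jabber
    soft_collision: bool        # CRC error and last two bytes are AAAA or 5555
    jam_offset: Optional[int]   # where the longest AA/55 run starts, if any
    jam_length: int
    late_collision: bool        # jam begins at or beyond byte 60


def fcs_ok(frame: bytes) -> bool:
    """True when the last four bytes are the CRC-32 of everything before them."""
    return len(frame) > 4 and zlib.crc32(frame[:-4]).to_bytes(4, "little") == frame[-4:]


def longest_jam_run(frame: bytes):
    """Return (offset, length) of the longest run of repeated 0xAA or 0x55 bytes."""
    best = (None, 0)
    i = 0
    while i < len(frame):
        if frame[i] in (0xAA, 0x55):
            j = i
            while j < len(frame) and frame[j] == frame[i]:
                j += 1
            if j - i > best[1]:
                best = (i, j - i)
            i = j
        else:
            i += 1
    return best if best[1] >= MIN_JAM_RUN else (None, 0)


def classify(frame: bytes) -> Verdict:
    good_crc = fcs_ok(frame)
    if len(frame) < MIN_FRAME:
        status = "Runt" if good_crc else "Fragment"
    elif len(frame) > MAX_FRAME:
        status = "Oversize" if good_crc else "Jabber"
    else:
        status = "Good" if good_crc else "CRC"
    soft = not good_crc and frame[-2:] in (b"\xaa\xaa", b"\x55\x55")
    offset, length = longest_jam_run(frame)
    late = not good_crc and offset is not None and offset >= LATE_OFFSET
    return Verdict(status, soft, offset, length, late)


def make_frame(payload_len: int) -> bytes:
    """Constructed sample frame: made-up addresses, IPv4 type, counting payload."""
    header = bytes.fromhex("020000000002" "020000000001" "0800")
    body = header + bytes(i % 251 for i in range(payload_len))
    return body + zlib.crc32(body).to_bytes(4, "little")


# Constructed samples, not taken from the course traces.
GOOD = make_frame(46)                                   # minimum-size valid frame
REMOTE = GOOD[:30] + b"\xaa" * 12                       # cut short, repeater jam appended
LOCAL = GOOD[:30]                                       # coax collision: data just stops
LATE = make_frame(86)[:70] + b"\x55" * 12               # jam arrives after byte 60
NOISY = bytes(b ^ 1 if i == 20 else b for i, b in enumerate(GOOD))   # one flipped bit

if __name__ == "__main__":
    for name in ("GOOD", "REMOTE", "LOCAL", "LATE", "NOISY"):
        print(f"{name:7s}", classify(globals()[name]))
```

The NOISY sample shows the noise signature from this section: right size, bad CRC, no jam pattern, whereas REMOTE and LATE carry the repeater's AA/55 bytes.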
Slide Title:
Important Points to Cover:
Review quickly. Do not attempt to read this fine print from the screen.
Have them mark this page for future reference for labs and when they get back to the job.
Page 4 - 22
Slide Title:
Important Points to Cover:
Tell the students whether to go on to this or wait for you to discuss the previous exercise.
Page 4 - 23
Slide Title:
Important Points to Cover:
When the hub senses a collision, it sends a 96 bit jam out all of the ports.
Page 4 - 24
Slide Title:
Important Points to Cover:
New slide. Two screen captures showing both 5s and As. Both the Summary and Hex windows are shown so you can point out how the Sniffer shows in each panel. The screen shots are taken from 02.cap and busy-jam.cap.
Page 4 - 25
1-A collision occurs here
2-The hub propagates jam signals out to all devices
+
Slide Title:
Important Points to Cover:
New slide. This slide shows what you see in Sniffer screens in a hub-based network.
Page 4 - 26
Cause:
Driver software configured incorrectly
Some implementations support only Ethernet or only IEEE 802.3
If the network is not experiencing physical layer problems, verify the frame types being used by both communicating parties.
Slide Title:
Important Points to Cover:
Review quickly.
Page 4 - 27
Slide Title:
Important Points to Cover:
The following screen shots enable you to discuss the areas of Sniffer Pro that help them to troubleshoot Ethernet specifically. This should be familiar if they have been to the 101 G class, but it never hurts to re-emphasize these. You may want to do a demo of this. Open a trace file and display the decode windows. Either use the traffic generator screen from the tools menu or right click over the Summary panel and choose Generate current buffer and send it out continuously so you'll have plenty of time to show these next screens. Click the Dashboard icon to show this screen.
Page 4 - 28
Slide Title:
Important Points to Cover:
Click the Detail tab to show this view. Point out the important fields: Utilization, Errors, CRCs, Runts, Oversize, Fragments, Jabber, Alignment, Collisions
Page 4 - 29
Slide Title:
Important Points to Cover:
New Slide. Show all of the lower timelines and relate them to Ethernet counts. Be aware that this data cannot be exported; it shows real-time statistics. You can start a history sample if you want to save this type of information. The lower graph was fabricated by adding lines to the display. There is no trace that will generate this type of display. Heaven help the people who would be on a network this bad!
Page 4 - 30
Run these and save the data as a .CSV file
Open in Excel or a reporting application
Slide Title:
Important Points to Cover:
Page 4 - 31
Collect the data, then save to a file to import into a spreadsheet or reporting program
To create a multiple history report, open the History Samples window from either the Monitor menu > History Samples or by clicking the History Samples icon. Click the Add Multiple History icon, assign a name to your sample and modify the sample interval and Graph Type on the General dialog box. Click the Selection tab, then the New (Insert) icon and scroll and click to choose a sample from the Statistics List window. Repeat this process until you have chosen all the statistics you want included in your report. Use the up and down arrow icons to place the statistics that will have the highest values at the bottom. Adjust any colors as you wish. Click OK when done. Double click the icon with the sample name to start collecting the statistics. Minimize the window to get it out of your way if you wish. It will continue to gather statistics in the background. When you want to save the statistics to a file, click the Export icon and name the file and choose the file type (comma, tab or space delimited) and path. The application will continue to gather statistics until you close the window. You will also be able to save the information in graphic format when you close the sample window. This can be viewed later within the History samples application. If you want to import a snapshot of this screen, just press the alt and print screen keys to copy it to the clipboard. Then paste it into your document or a paint program for further editing.
Slide Title:
Important Points to Cover:
Demonstrate how to create a Multiple History report of the Ethernet errors. Suggest they may want to run this as a baseline and for trend analysis or scheduled reports for the boss. Run for a specific time and save the file as comma, space or tab delimited file for import into a spreadsheet or database. They can also save a snapshot of this graph as a .HST file when they close the window.
Page 4 - 32
Slide Title:
Important Points to Cover:
Demonstrate this screen under Global Statistics. The 37% given here will re-emphasize this statistic they need for CNX. If they are seeing a high level of physical errors, they should check first if the network is overloaded. If the traffic is within normal ranges, they need to look at a possible physical reason for the errors.
Page 4 - 33
Who's the source?
Is this really the culprit, or is it just impacted?
Check the Symptoms and Diagnoses
The physical errors include: CRC errors, Runts, Oversize, Fragments, Jabber, Alignment errors, Collision packets
Slide Title:
Important Points to Cover:
This emphasizes troubleshooting from the bottom up. The DLC layer is the only place they will see Ethernet-related specific information. Demonstrate with your favorite trace file that shows several DLC layer symptoms and diagnoses. Point out the information available for each symptom or diagnosis in the Expert Detail panel on the lower right. This is not the place to teach the Expert. They learned this in TNV101-GUI (we hope they went). Expert help is available for symptoms and diagnoses by clicking the ? icon.
Page 4 - 34
Troubleshooting Exercises
4-35
Your instructor will choose the exercises to meet class needs. Turn to the lab section to complete the selected exercises.
Test Your Skill
Errors
Ethernet Physical Errors
Evaluating Hub Jams
If you complete them early, try another one. Come back to them when you get back to work and need review.
Slide Title:
Troubleshooting Exercises
This single slide points to all of the exercises for this section. These are time-consuming. You may wish to eliminate any that you feel do not meet the needs of the class you are teaching. Emphasize that you are selecting based on the needs of the students in this class so they don't feel you are skipping things they really want to see.
Test Your Skill Exercise: This one is very important. It gives them a chance to look at traces with no clues of the problems in them. Have them mark the matrix on page 22 to help them determine what the problems might be.
Errors Exercise: The conversation always recovers prior to frame 941. The damage appears to be hardware related. We don't know what was causing that damage and can only speculate that it was bad hardware (the original repeater? A bad NIC card on the segment?) or an out of spec network (unlikely since they are on the same segment, but w/o a network map it is difficult to know). The administrator suspected the repeater and replaced it with another that was not being used. This replacement was defective. It was replaced prior to frame 941 which is the reason for the large delta time and since it was defective, it is the reason there is no recovery in the conversation starting with frame 941.
Ethernet Physical Errors: See impact of Parallel Tasking feature of some Ethernet cards.
Evaluating Hub Jams: Practice troubleshooting hub jams.
Page 4 - 35
Summary
4-36
Use a bottom-up process for troubleshooting Ethernet network problems
Work on the crises first, then spend time doing proactive monitoring to look for areas where performance is degrading and make appropriate changes
Eventually, the crises should be fewer and the proactive preventive work will take on more importance
Use the clues in the Sniffer Pro Monitor, Expert and Decode screens to help you determine the cause of frame damage
Slide Title:
Important Points to Cover:
Summary
Wrap up the section by reviewing the bullets and answering any questions the students may have. Add your own suggestions to this list that's here.
We're trying to emphasize using the tool for proactive network management here to plant a seed. Good technicians try to avoid problems by looking for signs of degradation and fixing them before they become crises. The Sniffer is much more than a troubleshooting tool!
Page 4 - 36
5-1
Section 5 TNV-202-GUI
Slide Title: Ethernet Bridging and Switching Concepts Section 5 Section Timing: Start: Day 2 Before Lunch bridging section if you can Finish: Day 2 Mid-afternoon
Important Points to Cover:
Files: Traces:
Exercises:
Short Circuited Bridges
Busy Jam
Switch Traffic (Optional) new
The bridging and switching sections are somewhat short to allow time for the VLAN and expanded Fast Ethernet, Full Duplex and Gigabit Ethernet sections. VLAN tagging information has been added. Move through it as quickly as you can to have time for the new section. The bridging section is also used as an introduction to concepts for the switching section. Spanning Tree is covered very briefly in this course. Refer the students who need more to the 315 course, which covers it in great detail.
Page 5 - 1
Section Objectives
5-2
Upon completion of this section, you will be able to:
Differentiate between bridging and switching on a conceptual level
Recognize network configuration issues with bridges and switches
View VLAN information in frames
Use Sniffer Pro to identify common problems associated with bridges and switches
Page 5 - 2
5-3
Bridges
Slide Title:
Important Points to Cover:
Bridges
Page 5 - 3
Ethernet Bridges
5-4
LOCAL HUB HUB REMOTE HUB HUB
Bridge
Bridge
A bridge is a store-and-forward Data Link layer device
A bridge increases the size of a network without increasing bandwidth contention, since segments separated by a bridge are in different collision domains
A bridge is protocol independent
A bridge bases its forwarding decision on the Data Link layer destination address in a frame
Bridges only pass valid frames
An Ethernet bridge is transparent from the end node's point of view
Bridges work at the Data Link layer of the OSI Reference Model, specifically at the MAC sub-layer. Bridges are only concerned with physical layer addresses. They learn the address of each device on each segment to which the bridge is connected, typically two segments. When a frame is received on one port of the bridge, it examines the physical layer address to determine whether or not the frame should be forwarded to the other segment. The bridge stores this information in a "Forwarding Table." Bridges are also what is termed "Protocol Transparent." Since they work at the MAC layer and are only concerned with physical layer address (like Ethernet), they have no reason to be concerned with higher layer protocols like DECnet, XNS, TCP/IP. One bridge can forward (or filter) all of these higher layer protocols. Some bridges allow complex filters to be used to determine which frames get forwarded and which frames don't. This might be used in the case where a router was previously installed to route IP frames. Due to company growth, a new protocol is added and eventually a bridge to allow access to a second segment. Since an IP router is already being used to forward IP frames, the bridge must not forward these same frames. The bridge is programmed (using a filter) not to forward IP frames, but allow remaining frames to be forwarded if the destination address deems it necessary. With any luck at all your bridge is sophisticated enough to have some sort of bridge manager. The bridge manager will allow you to configure the bridge, maintain its address table, as well as allow you to examine how effective the bridge is to forward and filter frames. Additionally, consider this: is your vendor's manager going to manage another vendor's bridge? When determining a vendor for your bridge purchase, you may want to consider its management capability.
Slide Title:
Important Points to Cover:
Ethernet Bridges
Work at the Data Link Layer. Forward frames based on the MAC layer address. Bridges learn the addresses on each of their ports and build a forwarding table. They are protocol transparent. Some may do complex filtering. Many are managed by bridge management programs. Label was added to indicate the link can be LAN or WAN.
Page 5 - 4
Hub
OFF ON
OFF ON
Mini-Hubs
Learns the addresses of devices that reside off each port
Maintains a list of the addresses for each port in hardware
Content Addressable RAM
Logically extends the cabling segment, but physically separates into separate collision domains
RAM for storage usually holds 1024 addresses
Can be increased, but the maximum limit is vendor specific
A list must be kept of what node addresses lie beyond a bridge port. The list can be lengthy. The number of addresses are vendor dependent, but usually start with 1024.
Page 5 - 5
Sniffer University
Flooding: If the destination address is unknown, or if its a multicast/broadcast destination address, the bridge sends the frame out each port except the port on which the frame was received Learning: A bridge is promiscuous and sees every frame on the segments to which it is attached. By examining the source address in frames, a bridge learns which stations are on which side of it Forwarding: Once a bridge learns where stations are, it only sends a frame out the correct port to reach the destination station Filtering: If the destination and source addresses are on the same port, the bridge just drops the frame User Filtering: Allows a network manager to filter, based on protocols, addresses, packet type, etc., to increase the network's efficiency or add security measures
The filtering function might seem so obvious it's not worth mentioning, but actually it is worth mentioning in order to compare a bridge to a repeater: a repeater repeats everything, even if the two stations communicating are on the same side of the repeater. Since a bridge looks at the data link header, it learns the locations, it does not need to forward unnecessarily. The filtering rate advertised for a bridge is the number of frames per second on which the bridge can make forwarding/nonforwarding decisions. User filtering may employ a technique similar to the Sniffer analyzers pattern match function, allowing some manufacturers to claim to filter on layer three protocol addresses, even though a bridge is a layer two device.
Bridges are Store and Forward devices
They must copy the entire frame and verify the CRC before forwarding
If the CRC is good, the bridge will forward as it should
If the CRC is bad, the bridge will discard the frame
A higher layer protocol will time out and attempt retransmissions
This technique requires the bridge to look at the entire frame before making a forwarding decision. A benefit of this feature is that the bridge can determine whether there is an error in the frame before making a forwarding decision. Error frames are removed from the network. A drawback is that the bridge will introduce latency (delay).
Slide Title:
Important Points to Cover:
This is now an animated build slide. Slide and notes are adequate to explain the concept. Review them.
All speeds of Ethernet follow this flowchart. Only the timing changes.
Slide Title:
Important Points to Cover:
New partially automated build slide. Click to reveal each step in the decision process as you discuss it.
Bridging Loop
[Figure: bridging loop in which broadcast frames circle endlessly as each bridge forwards them]
Ethernet bridges are susceptible to loops
The Spanning Tree Algorithm handles loops by disabling alternate routes
All traffic flows toward the root bridge
Bridges use Bridge Protocol Data Unit (BPDU) frames to negotiate a unique device-to-device path
The picture above does not have Spanning Tree enabled. When Station A sends a broadcast frame, the frame can be forwarded by all bridges in a constant loop.
The Spanning Tree specification is defined in IEEE 802.1d. Topology loops can occur in a switched network just like a bridged network. Bridges are assigned an ID by the administrator (two byte field). The MAC address of the adapter is appended to the two byte ID, and the result becomes the Bridge Identifier. The lowest value Bridge Identifier becomes the Root bridge. The network manager configures a cost for each port on the bridge. For example, the cost for a T1 link could default to 100, while the cost for a 56 kbps line could default to 500. Costing information is exchanged with BPDU frames.
Broadcast frames will be forwarded continuously when Spanning Tree is not enabled. IEEE 802.1d is the specification covering Spanning Tree.
Spanning Tree
Bridges in a mesh configuration use a cost metric to determine the best (cheapest) path
The best path is used for forwarding
The other paths are backups and not used unless the best path fails
[Figure: meshed bridges with a cost labeled on each link; one path is marked Best and another Backup]
Many switches in meshed configurations use Spanning Tree to prevent loops. Anytime you see BPDUs in your traces, you'll know it is active. Many vendors have proprietary protocols that allow you to do load balancing in a mesh environment. If you are using one of these and see BPDUs, check to make sure Spanning Tree is not needed, then disable it on the bridge(s) sending the frames.
Slide Title: Spanning Tree
Important Points to Cover:
New Slide. You might want to mention here that switches frequently use Spanning Tree to maintain forwarding tables to indicate the continued use of Spanning Tree and BPDU frames. Each bridge/switch has a unique identifier. Administrators can assign IDs to control which bridge/switch becomes the root of the tree. The administrator can control paths by assigning a high cost to an expensive, slow link used as a backup path and a low cost to a fast primary path. The fast primary path will be used until it fails. The bridges/switches exchange BPDU frames when a link fails to reconfigure the tree to cover the segment that's down. You need a good logical drawing of the bridged/switched segments to plan the best paths and assign costs appropriately.
BPDU Frames
Sent by the bridge to neighbors to share configuration information
[Figure: BPDU frame with callouts "Multicast Dest. Address" and "Type of frame"]
The destination address is a functional address assigned to all bridges.
The source address is the address of the port sending the BPDU.
The Root ID in the frame is the bridge this one assumes is the root.
Sending bridge ID is the ID of the bridge sending this frame.
The cost is the least cost path to the root from this bridge.
Bridges build forwarding tables from the BPDU frames.
When a bridge receives a BPDU frame from its neighbor, it compares the message received from that port with what it would send out that port. It changes its table if it discovers a better route and stops sending configuration messages on that LAN. If the message age reaches a certain threshold, the message is considered stale and the bridge recalculates the best route as if it had not received the message.
For a detailed explanation of the Spanning Tree algorithm, see Section 3 in Interconnections, Bridges and Routers, Radia Perlman, Addison Wesley, 1992 ISBN 0-201-56332-0.
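The fields listed above can be pulled out of a captured configuration BPDU and compared the way a receiving bridge compares them. This is an added example, not part of the course material: the field layout and the 01:80:C2:00:00:00 group address follow IEEE 802.1D, the function names are hypothetical, the frames are constructed, and treating a message as stale when its Message Age reaches its own Max Age field is an assumption about the "certain threshold" mentioned above.

```python
import struct

BRIDGE_GROUP_ADDR = bytes.fromhex("0180c2000000")  # 802.1D address assigned to all bridges
LLC_STP = bytes.fromhex("424203")                  # DSAP 0x42, SSAP 0x42, control 0x03
# protocol id, version, type, flags, root id, root path cost, bridge id,
# port id, message age, max age, hello time, forward delay (35 bytes)
CONFIG_BPDU = struct.Struct(">HBBB8sI8sHHHHH")


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def bridge_id(admin_id: int, mac: str) -> bytes:
    """Two-byte administrator-assigned ID with the adapter MAC address appended."""
    return struct.pack(">H", admin_id) + mac_bytes(mac)


def fmt_id(raw: bytes) -> str:
    return f"{int.from_bytes(raw[:2], 'big')}/" + ":".join(f"{b:02x}" for b in raw[2:])


def build_bpdu(port_mac, root, cost, sender, port_id, age_s=0.0, max_age_s=20.0):
    """Build a constructed 802.3/LLC frame carrying a configuration BPDU."""
    body = CONFIG_BPDU.pack(0, 0, 0, 0, root, cost, sender, port_id,
                            int(age_s * 256), int(max_age_s * 256), 2 * 256, 15 * 256)
    payload = LLC_STP + body
    frame = BRIDGE_GROUP_ADDR + mac_bytes(port_mac) + struct.pack(">H", len(payload)) + payload
    return frame.ljust(60, b"\x00")  # pad to the minimum frame size (CRC not included)


def parse_bpdu(frame: bytes) -> dict:
    """Decode a configuration BPDU; timer fields are carried in 1/256 second units."""
    if len(frame) < 17 + CONFIG_BPDU.size:
        raise ValueError("frame too short for a configuration BPDU")
    if frame[0:6] != BRIDGE_GROUP_ADDR or frame[14:17] != LLC_STP:
        raise ValueError("not a spanning tree frame")
    (proto, _version, bpdu_type, _flags, root, cost, sender, port_id,
     msg_age, max_age, _hello, _fwd_delay) = CONFIG_BPDU.unpack_from(frame, 17)
    if proto != 0 or bpdu_type != 0:
        raise ValueError("not a configuration BPDU")
    return {
        "source_port_mac": frame[6:12],
        "root_id": root,
        "root_path_cost": cost,
        "bridge_id": sender,
        "port_id": port_id,
        "message_age_s": msg_age / 256,
        "max_age_s": max_age / 256,
        "stale": msg_age >= max_age,   # assumed threshold, see lead-in
    }


def priority_vector(bpdu: dict):
    """Lower is better: root ID first, then cost to the root, then sender, then port."""
    return (bpdu["root_id"], bpdu["root_path_cost"], bpdu["bridge_id"], bpdu["port_id"])


def best_bpdu(frames):
    """Return the best non-stale configuration message heard, or None."""
    fresh = [b for b in map(parse_bpdu, frames) if not b["stale"]]
    return min(fresh, key=priority_vector) if fresh else None


# Constructed bridges. C has the lowest administrator ID, so it wins the root
# election even though its MAC address is the highest.
BR_A = bridge_id(32768, "00:00:0c:aa:aa:aa")
BR_B = bridge_id(32768, "00:00:0c:11:11:11")
BR_C = bridge_id(4096, "00:00:0c:ff:ff:ff")
BR_X = bridge_id(0, "00:00:0c:00:00:01")

# Constructed messages heard on one LAN (costs 100 and 500 as in the notes above).
HEARD = [
    build_bpdu("00:00:0c:11:11:12", BR_B, 0, BR_B, 0x8001),    # B still claims to be root
    build_bpdu("00:00:0c:aa:aa:ab", BR_C, 100, BR_A, 0x8002),  # A reaches root C at cost 100
    build_bpdu("00:00:0c:11:11:12", BR_C, 500, BR_B, 0x8001),  # B reaches root C at cost 500
    build_bpdu("00:00:0c:00:00:02", BR_X, 0, BR_X, 0x8001, age_s=20.0),  # aged out
]

if __name__ == "__main__":
    best = best_bpdu(HEARD)
    print("root", fmt_id(best["root_id"]), "cost", best["root_path_cost"],
          "via", fmt_id(best["bridge_id"]))
```

A root ID in a trace that does not match the bridge the administrator intended as root is the first thing to check when the forwarding paths look wrong.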
Slide Title: BPDU Frames
Important Points to Cover:
New Slide.
Cover only the basics in this class. TNV-315 Interconnection Concepts and Troubleshooting will teach the specifications and structure of the BPDU frames in detail. There is no time for it here.
[Figure: two hubs connected through a bridge. Nodes A, B and C and the Sniffer Pro analyzer are on one hub; Nodes D, E and F are on the other.]
The Sniffer Pro Network Analyzer will:
See frames going between Nodes A, B and C.
See traffic bridged between the two networks.
Not see frames going between Nodes D, E and F.
At the data link layer, the source and destination addresses will be the end nodes' addresses. You will not see the bridge's addresses. Example: Node A is communicating with Node D via a bridge. The Sniffer Pro Network Analyzer will show Node A and Node D's Ethernet addresses.
Slide Title:
Important Points to Cover:
New Slide. (Actually a resurrection of the slides we always included in this class, updated to star wiring.) You might want to mention the bridge could actually be a switch.
Switches
Slide Title: Switches
Important Points to Cover:
Switches
Switches are similar to bridges and do these actions:
Learn which addresses are available at each port
Maintain lookup tables by port (as bridges do)
Look at the destination address and forward immediately if possible
Switch packets between ports
Switching fabric maintains multiple, simultaneous conversations on different ports (unlike bridges)
Provide full bandwidth at each port
Do not verify the validity of the CRC (unlike bridges)
A switch connects LAN segments like a hub does, but unlike a hub, which divides the bandwidth among all attached segments, a switch provides full bandwidth at each port. A port can be dedicated to a single file server, for example. Like a bridge, a switch learns which addresses are available at each port. Unlike a bridge, when forwarding a packet a switch may look at just the destination address, instead of the whole packet, and forward immediately if possible. If the destination segment is busy, the frame is queued in a buffer, just like a bridge, until the destination segment is free. Usually the destination segment is not busy. Packets are processed in parallel by very fast hardware. One vendor claims a switching delay of only 40 microseconds, which they measure as the time between the first bit of a packet received and the first bit of the packet sent.
Some switches support software configuration to specify which ports can talk to which ports, sort of an electronically controlled patch panel. It really is hard to compare switches, especially because they have very different architectures and because vendors are getting very creative in combining the functions of layer 1, layer 2 and layer 3 relays. The late 1990s started major innovations in this area.
Issues with using switches instead of bridges or routers include:
1. A switch may forward a bad CRC and a runt that has a destination address.
2. Switches will not isolate broadcast storms. They often cannot be set up for protocol filtering. They generally won't do fragmentation and re-assembly.
3. Using the switch's electronically controlled patch panel feature sounds great, but could wreak havoc with IP addressing and subnet mask schemes.
Network Associates Ethernet Network Analysis and Troubleshooting Bridging and Switching
Slide Title: Switches
Important Points to Cover:
Vendors are doing many things to improve the performance of their products. Read the fine print! Will it work with what you have?
Switched Networking
Switched networking provides a simple solution to existing networks suffering from traffic congestion
In Ethernet environments, each switch port is a separate collision domain
Switches allow you to micro-segment
Some switches provide monitor ports to attach a Sniffer Pro
Switches are not governed by standards, so a combination of vendor switches is difficult
There are many proprietary implementations
Microsegmentation means that there is only one device at each switch port, rather than a shared LAN on a port as in a segmented network. The overall benefit of switching is that multiple conversations can occur simultaneously on a single switched hub, providing the user or segment with almost dedicated bandwidth. Switching extends the life of existing legacy LAN networks, provides increased performance without replacing the existing wiring plant, and increases network throughput, reducing response times. Switches are a small cost when compared to other alternatives. Switches are plug and play and easy to implement, but much pre-planning is required. As an example, if your bandwidth is being eaten up by DLC layer broadcasts, a switch will not improve the condition. Traffic is aggregated on the backplane of the switch. This backplane should be between 1.5 - 10 Gbps with recent announcements for 85 Gbps backplanes.
Slide Title: Switched Networking
Important Points to Cover:
A switch allows devices or segments to have a unique dedicated path to each other. The path is active for the duration of the frame, then is broken down and made available for the next frame. Each port on a switch is, in effect, a separate collision domain or ring. Switches can act like fast bridges; they are layer 2 devices. But some vendors are adding layer 3 functions to switches, like the ability to route IP and IPX. In 12 port switches, backplane speed needs to equal six times the individual wire speeds of the ports. Similar ratios apply to other size switches. The VLAN concept, by which you can logically group switch ports, is growing in acceptance. VLAN schemes are proprietary to the different vendors. A VLAN generally divides your network into broadcast domains. VLAN is popular in today's dynamic environment where Tiger Teams are created across departmental lines to address a particular problem or project and then disbanded once that problem or project has been resolved.
Slide Title:
Important Points to Cover:
Collisions are in switched environments. Each pair of communicating devices has the entire bandwidth (in this case 10 Mbps) for their frame. The path is active for the duration of the frame only. It is torn down after each frame has been transmitted. Each port is a separate collision domain. The Virtual LAN (VLAN) concept allows the administrator to group ports through software for workgroup segmentation. A bullet and student note was added that addresses the issues of the speed of the switching fabric.
Many switches implement Spanning Tree to avoid topology loops where broadcast frames circulate endlessly. Other manufacturers use proprietary methods to avoid loops. A switch should have a very low PLR or Packet Loss Rate. It can have congestion control, where a switch will slow things down if ports become overloaded. Switching times may degrade noticeably, but at least you won't lose any packets, which would cause retransmissions. For switches without active congestion control, the ability to handle 100 to 300 back-to-back, min. and max. size frames pretty much assures negligible packet loss no matter what the traffic pattern. Switches that can buffer more than 100 1518 byte packets are considered very robust.
Vendor Dependent
The Sniffer Pro Network Analyzer sees different things based on the switch technology and how the switch has been set up. At the data link layer, the source and destination addresses will be the end nodes' addresses. You will not see the switch's addresses. Switch vendors have provided various mechanisms for network analysis tools to evaluate network traffic and conversations.
Slide Title:
Important Points to Cover:
What you see is what the vendor allows you to see. Addresses are like the addresses in a bridged environment. DLC addresses are the end stations.
Tapping the backplane of the switch does not limit the traffic sent to the monitor port. You will get all traffic that occurs on any port in the hub. This may present problems due to high utilization on the monitor port. It will work well when overall use of the switch is low, but if several users of the switch are demanding high amounts of bandwidth individually, their combined traffic may be greater than the switch can process through a single monitor port. You will most likely lose packets. A port tap limits traffic seen to just what happens on that one port.
Slide Title:
Important Points to Cover:
Several separate slides are now combined so you can cover them quickly and compare them more easily. All traffic to a Monitor Port (This is not an industry-standard label for this port.)
Issues:
Is the port able to handle the aggregate bandwidth of the backplane?
Is the Sniffer Pro analyzer able to handle the aggregate bandwidth of the backplane?
You can't just put a Fast Ethernet Sniffer Pro analyzer here. The signals and timing are different in Fast Ethernet.
You'll need to set a capture filter to focus on the traffic that will help you solve the problem.
Station address filter
Address class filter
Protocol filter
Gives a very limited view of just one station's traffic.
Selected port or VLAN traffic to a monitor port
But if the port can't deliver it, you still can't capture it.
[Figure labels: Server, SnifferPro, Workstations, Server, Monitor Card]
The hub should be attached when the server is inactive, and left in place to enable real-time monitoring. There are several inexpensive mini-hubs on the market. This is a very easy solution to implement and, in some environments, a very effective solution. For example, when there are only a couple of servers in a server-client environment, everyone will be talking to those servers, therefore you're actually getting all traffic on the switch by just monitoring the servers' ports. This also works well with unsophisticated switches that do not have a built-in monitor port. Several companies make matrix switches. Portable Sniffer Pro Network Analyzers can also be used in place of the DSS/RMON. If you are using a DSS/RMON Agent, you should use a Network Associates supported switch like the DataComm switch. There are several advantages to using a Network Associates supported switch. Remember, though, you can only monitor one port at a time. Adding the hub may change the timing characteristics of the segment and may introduce its own set of errors if you exceed the collision domain. Be sure you are not introducing a repeater into a full-duplex link by mistake.
Slide Title:
Important Points to Cover:
Permanently install minihubs in the line to your servers. Allows you to see all the traffic to and from the server. Permanently install a minihub in the line to your bridges and routers. Allows you to see all traffic directed to or from them. SniffView allows you to switch the DS Pro Agent into multiple segments so you can monitor the conversations to multiple servers (or routers) one at a time. There are several vendors that supply switches from DS Pro. Some of them can be controlled directly with SniffView. We also sell DSS/RMON Multiview, which is a DS Pro in a matrix switch. There are several models that can attach into a combination of Ethernet and other topologies.
[Figure labels: Switch; SPAN Port; Port or VLAN; Configuration adapter; SNMP Commands]
Sniffer Pro version 4.0 switch expert supports:
Cisco models (* = this version or newer): 2900 v.4.5(2), 2916XL v11.2(8)SA5*, 2924(M)XL v12.0(5.1)XP*, 2926 v4.5(2), 5000 v4.5(2)*, 5002 v4.5(2)*, 5500 v4.5(2)*, 5505 v4.5(2)*, 5509 v4.5(2)*, 6000 v5.4(1)*, 6002 v5.4(1)*, 6500 v5.4(1)*, 6509 v5.4(1)*
Nortel models: Baystack 450 v HW:RevB, FW:V1.04, SW:V1.1.0
Not all features are supported. Contact NAI tech support for specific issues.
SPAN (Switched Port ANalyzer) is a proprietary Cisco protocol used to mirror traffic from a port or VLAN to a monitor port. If you have just one adapter in your Sniffer, it must have TCP/IP bound to it so it can connect to the switch to control it. It is connected to the switch control port, which cannot be a monitor port. You would need to stop Sniffer Pro, reconnect it into the monitor port and restart it as a Sniffer to sniff the monitor port. You then would not be able to control the switch or see the MIB data. Mirroring places a heavy load on the switch. Be sure to disable it when you have completed your analysis or capture! The TNV-201-DSP and TNV-315-GUI classes have more information on switch control and Expert.
Slide Title:
Important Points to Cover:
New Slide. Unfortunately we just don't have time to delve into this in this class. You also need a switch to demonstrate all the functions of this feature. It is covered in detail in the TNV-201-DSP class. That class has a switch, so all of the MIB and control screens can be demonstrated. It will also be shown in the Advanced TNV-102-GUI class being written. The basics: You can get all the MIB data from the switch and see it in the Sniffer windows. You can use these MIB screens to mirror a port or VLAN to the port where the Sniffer is attached. (VLAN mirroring is not supported for all switch models.) You can do all the Sniffer functions on the mirror port, i.e. start Monitor screens, capture, set triggers, etc. Try to attend a TNV-210-DSP class to see this in action so you can discuss it better. You need the second card only if you want to do the Sniffer functions. You can get the MIB data with a single adapter. You cannot use a single card to send the SNMP commands to the switch to control it AND then turn around and sniff using the same card. Port mirroring (or SPAN) puts a big load on the switch. DO NOT leave it enabled constantly. Turn the mirroring off when you are done!
Switch Frames
Once you get the frames from the switch, they look just like any other Ethernet frame
Expert shows symptoms and diagnoses plus valuable VLAN information
Use the skills you've gained here to determine where problems lie
Slide Title: Switch Frames
Important Points to Cover:
New Slide. The main difference in the Sniffer screens is the VLAN information in the Expert. The students will see that in the VLAN section. Any VLAN symptoms and diagnoses will be labeled in the Summary display. You can filter from the Expert's VLAN symptoms and diagnoses. You can get the switch MIB statistics on adapter and VLAN MIB counts that can be very helpful.
Switch Performance
Switches are often faster than bridges
They segment collision domains
Cut Through switches are fastest
They read only the destination address and forward to a new or established port
They provide the least amount of data integrity (they only verify the destination MAC address)
Switch latency increases the further into a frame the switch checks for data integrity
Switches forward damaged frames if damage occurs past their check point
Slide Title: Switch Performance
Important Points to Cover:
Slide is adequate.
VLANs
Many switches allow you to set up virtual LANs
A VLAN is roughly a broadcast domain
Stations in different physical locations can communicate as if they were on a common LAN
Some manufacturers allow you to place ports on more than one switch in a VLAN
There are many vendor-specific implementations
[Figure labels: HR VLAN, 1st Floor, Exec VLAN, Finance VLAN]
Port configurations aggregate stations based on the port where they are attached. This was the first implementation of VLAN groups. It is a good way to isolate groups using non-routable protocols.
Protocol-based VLANs group stations based on their protocol type or layer 3 address. The switches use standard routing protocols to communicate with routers, but all traffic in the VLAN is switched.
MAC address-based VLANs group stations based on their MAC address. This is useful when you have laptop users who carry them around and attach their PCMCIA cards in different locations. Problems arise when they dock these laptops and use the docking station's NIC card, or software overwrites the MAC address.
IP Multicast address groups segregate the multicast traffic and send only to those devices that are in the VLAN. This extends beyond the normal network-maintenance address types for routing and bridging support to specialized applications like broadcast audio or video data.
802.1Q VLAN tagged frames is a new IEEE standard that uses an additional header in the frames between the switches that identifies the VLAN.
Since many of the mechanisms are vendor-specific, you should try to buy all your switches from one vendor or only use switches that support the 802.1Q standard.
Slide Title: VLANs
Important Points to Cover:
New Slide. VLANs have been around for a long time and most students will have basic knowledge about them. What they may not know is how their traffic looks on the wire. Emphasize the broadcast domains. See, the stuff we taught in the technology section hasn't gone away! VLANs provide a way to logically link devices in different layer 1-2 physical network segments into a logical layer-three network segment.
MAC address
Assign each NIC to a particular VLAN
Good for laptops that move around
IP multicast address
Proxy address for a group of devices
VLAN Tagging
When devices are spread across several physical segments, there needs to be a way to quickly send them to the proper switch
Cisco developed a proprietary protocol called Interswitch Link Protocol (ISL) which added a few bytes or tag at the beginning of the frame
The tag identifies the VLAN
This eliminated the need to do a table lookup for each frame - just send them to the right port
Slide Title: VLAN Tagging
Important Points to Cover:
New Slide. This is just a page to introduce the reason for tags and the VLAN tagging methods.
The Grandfather of the IEEE 802.1Q tagging standard
A proprietary Cisco protocol developed to support trunks between Cisco switches
Tags added to the frames between the switches include a VLAN group identifier to route them to the proper VLAN
Several other vendors licensed ISL
3Com used VLT frame tagging method
Slide Title:
Important Points to Cover:
New Slide. This is a Cisco vendor proprietary protocol. Other vendors licensed it. Tags are carried on the trunk links between Cisco Switches. We can see them and decode them on frames captured on these links.
Ethernet frame is attached after the 26 byte ISL Header
VLAN identifier
Slide Title:
Important Points to Cover:
New Slide. This screen capture was taken from VLANprob.caz frame 1. The students will use it in the exercise at the end of this section. Don't go into details of this protocol. Let Cisco teach that in their classes!
VLAN information shown at the Global Layer
VLAN list in the Detail Tree
Statistics and details in the Expert Detail panel
Slide Title:
Important Points to Cover:
New Slide. This screen capture was taken from VLANprob2.cap Expert view with the Global symptoms highlighted. Explore more of the Expert information with the students.
802.1Q uses frame tagging to carry VLAN membership information across multiple multivendor devices
The security header from 802.10 is modified to support VLAN tagging
Tags allow frames to be forwarded quickly to other switches within the VLAN
Several issues need to be addressed when implementing VLANs:
Management: Even though most vendors use management software to create the VLANs and move ports into the VLAN, there is an issue of keeping up with all the moves (though this is certainly easier than moving cable to keep a person in the same network segment!). People also may feel isolated when they are moved out of the area where their co-workers are.
80/20 Rule: It is difficult to maintain the 80/20 where 80% of the traffic remains local and 20% goes outside the area and through a router. Shared resources like servers and printers need to be managed so people in a different VLAN can print to the local printer and access their server. You may choose to put these devices into more than one VLAN so all who need them can access them.
Slide Title:
Important Points to Cover:
New Slide. This is the IEEE standard for VLAN tagging. The headers are different. Highlight the last bullet. All the switches in the VLAN must support the same tagging method or frames will not get where they need to go!
[Figure: tagged frame layout showing two 2-byte tag fields and the Data field]
Tag Protocol Type field identifies the 802.1Q header
Tag Control field has three fields:
3 bits user priority
1 bit tunnel type i.e. Ethernet or Token Ring
12 bit VLAN ID
The 802.1Q standard works hand in hand with the 802.1P standard for assigning priority levels to frames. You may see it called 802.1 Q/p in some publications. The user priority field allows applications that require guaranteed bandwidth to be delivered before applications that are not time-sensitive. 3 bits allow for 8 different priority levels. The switches must maintain internal queues for each priority. Incoming frames are placed in the queue for the priority in the field and the highest priority frames are transmitted out before the lower priority frames. This enables lower cost Ethernet installations to compete with the high-maintenance and high-cost ATM networks that provide robust Quality of Service guarantees. Keep in mind that this is priority done at layer 2. RSVP at the network layer in the stack needs to inform layer 2 to set the priority bits to match the level of the data being sent. To have end-to-end priority, all devices in the intervening path must recognize the priority levels at both layers. The 802.3ac standard has extended the maximum frame size to 1522 bytes to allow for these 4 additional bytes.
Slide Title:
Important Points to Cover:
New Slide. This shows a breakout of the fields in the tag to prepare them for what the Sniffer shows. Point out that the tag comes in the MAC header! This was very confusing when I first viewed these frames. I wanted to put the Type/Length field in with the tag, because the Sniffer puts it there without identifying that it is part of the DLC header. The number of bytes in the spec didn't match what I saw in the frames that way. The destination and source addresses come first, then the tag, then the MAC type or length field.
802.1Q Header
Ethernet frame is encapsulated inside the 802.1Q Header
VLAN identifier
Maximum length frames grow to 1518 bytes
Sniffer does not capture the last 4 bytes of the frame
No CRC error is posted
The tag Protocol Type is used for FDDI, Token Ring and SNAP encoded fields. Ethernet sets this to 8100.
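The tag layout described in this part of the section (addresses, then the 8100 Tag Protocol Type, then the 16-bit Tag Control field, then the MAC type or length) can be decoded from captured bytes as follows. This is an added example, not part of the course material: the function names and sample frames are constructed, and it assumes the capture leaves out the 4-byte CRC, so a full-size tagged frame is 1518 bytes in the capture and 1522 on the wire.

```python
import struct
from collections import Counter

TPID_8021Q = 0x8100   # Tag Protocol Type value used on Ethernet
MAX_UNTAGGED = 1518   # maximum frame size on the wire, CRC included
MAX_TAGGED = 1522     # 802.3ac maximum, 4 more bytes for the tag
CRC_LEN = 4


def mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def parse_frame(frame: bytes, has_crc: bool = False) -> dict:
    """Decode the MAC header of one captured frame, with or without an 802.1Q tag."""
    if len(frame) < 14:
        raise ValueError("truncated MAC header")
    info = {"dst": frame[0:6], "src": frame[6:12], "tagged": False,
            "priority": None, "format_bit": None, "vlan_id": None}
    (type_or_length,) = struct.unpack_from(">H", frame, 12)
    offset = 14
    if type_or_length == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        # Tag Control field: 3 bits user priority, 1 bit that the notes call
        # tunnel type (the standard's name is CFI), 12 bits VLAN ID.
        tci, type_or_length = struct.unpack_from(">HH", frame, 14)
        info.update(tagged=True, priority=tci >> 13,
                    format_bit=(tci >> 12) & 0x1, vlan_id=tci & 0x0FFF)
        offset = 18
    # The real MAC type or length field follows the tag, not the other way round.
    info["type_or_length"] = type_or_length
    info["kind"] = "length" if type_or_length <= 1500 else "type"
    info["payload_offset"] = offset
    # Judge size on the wire: add the CRC back if the capture dropped it.
    wire_len = len(frame) + (0 if has_crc else CRC_LEN)
    info["oversize"] = wire_len > (MAX_TAGGED if info["tagged"] else MAX_UNTAGGED)
    return info


def vlan_summary(frames):
    """Count frames per VLAN ID (None = untagged) and list indexes of oversize frames."""
    counts, oversize = Counter(), []
    for index, frame in enumerate(frames):
        info = parse_frame(frame)
        counts[info["vlan_id"]] += 1
        if info["oversize"]:
            oversize.append(index)
    return dict(counts), oversize


def build_frame(dst, src, ethertype, payload, vlan=None, priority=0):
    """Build a constructed frame without CRC, optionally carrying an 802.1Q tag."""
    header = mac(dst) + mac(src)
    if vlan is not None:
        header += struct.pack(">HH", TPID_8021Q, (priority << 13) | vlan)
    return header + struct.pack(">H", ethertype) + payload


# Constructed sample, as it might be captured on a trunk link between switches.
SW1, SW2 = "00:00:0c:00:00:01", "00:00:0c:00:00:02"
SAMPLE = [
    build_frame(SW2, SW1, 0x0800, bytes(46), vlan=10),              # VLAN 10, priority 0
    build_frame(SW2, SW1, 0x0800, bytes(46), vlan=20, priority=5),  # VLAN 20, priority 5
    build_frame(SW2, SW1, 0x0806, bytes(46)),                       # untagged
    build_frame(SW2, SW1, 0x0800, bytes(1500), vlan=10),            # full size, tagged: legal
    build_frame(SW2, SW1, 0x0800, bytes(1504)),                     # same length, untagged: too long
]

if __name__ == "__main__":
    print(vlan_summary(SAMPLE))
```

The last two sample frames are the same length in the capture; only the 8100 value after the source address makes the first of them legal, which is the check the instructor note attributes to the Sniffer.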
Slide Title: 802.1Q Header
Important Points to Cover:
New Slide. Hey, the Ethernet maximum frame size has been exceeded! If a max size Ethernet frame is encapsulated in a tagged frame, it is 1518 bytes. The Sniffer knows this is OK when it sees the 8100 Type field and it doesn't post an oversize symptom or count it as bad. It does indicate only the first 1514 bytes were captured in the Detail window. That shouldn't create problems for us, since it still has almost the entire frame, certainly enough to get through all the ULP layers to see if there are problems there. BTW a question has been raised about how the Sniffer handles the max size Ethernet frames captured by a pod. Remember it encapsulates them in Ethernet frames to send them to the PC. The pod transparently fragments these oversize frames and the PC reassembles them in the driver software before they are sent up the stack for analysis.
VLAN information is shown at the Global layer
Symptoms and diagnoses break out stations in the VLAN
VLAN Info
Slide Title:
Important Points to Cover:
New Slide. You might want to demonstrate this on your Sniffer using the 8021q.cap trace file the students will use for their exercise. If time is running short, give them the details and skip the exercise. If you're doing OK, cover it very briefly here and let them discover the details on their own in the exercise. There is another 8021q-gig.cap trace that shows this information captured from a gigabit Sniffer. Point out the [A] and [B] in the status column and show the Statistics tab where 1000 is the line speed. This was a serendipity trace I found just before press time.
VLAN Frames
Sniffer sees VLAN headers only between switches that support them
Tap into the trunk link or mirror the trunk port to the Sniffer port with Switch control
[Figure labels: HR VLAN, 1st Floor, Exec VLAN, Finance VLAN]
More details on the switch Expert are available in these Sniffer University classes:
TNV-101-GUI, Troubleshooting with the Sniffer Pro Analyzer
TNV-201-DSP, Implementing Distributed Sniffer System/RMON Pro
TNV-315-GUI, Interconnection Concepts and Troubleshooting
Slide Title: VLAN Frames
Important Points to Cover:
New Slide. This is just a visual reminder you will see these only if you tap into the trunk link either physically or by spanning the trunk port to the Sniffer. This is risky!
Slide Title:
Important Points to Cover:
New Exercise. The students will observe several types of traffic in a switched environment. They will look at typical switch-related protocols and the different VLAN tagging encapsulation methods. This is a great exercise to satisfy the students who came to see switch troubleshooting. Try to allow time to do it so they feel good about at least seeing the Expert part of switch analysis and see the frame tagging. They won't see the MIB data or be able to do a SPAN, but this will help.
Page 5 - 39
Summary
5-40
Network Associates
Sniffer University
In this section, you learned how to:
Differentiate between bridging and switching on a conceptual level
Attach Sniffer Pro to bridged and switched networks
View VLAN identifying information in tagged frames
Use Sniffer Pro to identify common problems associated with bridges and switches
Section 5 TNV-202-GUI
Wrap up the section by reviewing the objectives and answering any questions the students may have.
Target Time: Day 2 early afternoon. This is a good place for a break if you haven't already done so.
Page 5 - 40
6-1
Section 6 TNV-202-GUI
Slide Title:
100Mbps Fast Ethernet Section 6 Start: Day 2 Mid-afternoon Finish: Day 2 Approx. 3:00
Section Timing:
Files: 06_fe_g.PPT, 06_fe_g.DOC
Traces: 100MBFIL.CAP, BACKPRES.CAP, BACKPRES1.CAP, Big_bad_rich.caz
Exercises: Fast Ethernet Troubleshooting and Back Pressure; Fast Ethernet Problems; 10/100 Hubs
The former three-part section covering all the fast technologies has been split into sections for each. Please allow enough time to present it if the class is interested. By now, they have seen Fast Ethernet several times, so this section can be taught very quickly. Have the students do the exercises if possible. The first shows various different vendor implementations of back pressure. The second is a filtered trace and shows lots of hub jams and collisions.
References:
Fast Ethernet: Dawn of a New Network by Howard W. Johnson, 1996, Prentice Hall Publishing, ISBN 0-13-352643-7
Switched, Fast and Gigabit Ethernet, 3rd Edition, by Robert Breyer and Sean Riley, 1999, Macmillan Technical Publishing, ISBN 1-57870-073-6
Page 6 - 1
Section Objectives
6-2 Upon completion of this section, you will be able to:
Summarize the features of Fast Ethernet
Summarize 100BASE-T4, 100BASE-TX, and 100BASE-FX implementations
Recognize back pressure frames in a trace
Attach Sniffer Pro to your Fast Ethernet networks
Use the Sniffer Pro statistics and decodes to locate areas of concern
Network Associates
Sniffer University
Section 6 TNV-202-GUI
Slide Title:
Important Points to Cover:
Section Objectives
Page 6 - 2
IEEE802.3u (100BASE-T) was adopted in 1995 as a supplement to IEEE802.3. Several clauses are included in the specification. Earlier versions of 802.3 are defined in clauses 1-20. 802.3u is defined in clauses 21-30:
Clause 21 100BASE-T Introduction
Clause 22 Medium Independent Interface
Clause 23 100BASE-T4 Transceiver
Clause 24 100BASE-X Transceiver
Clause 25 100BASE-TX PMD*
Clause 26 100BASE-FX PMD*
Clause 27 Repeaters
Clause 28 Autonegotiation
Clause 29 Topologies
Clause 30 Management
Network Associates
Sniffer University
100Mbps version of the Ethernet standard
Uses the same timing criteria as 10 Mbps Ethernet
100BASE-Tx supports Category 3, 4 and 5 twisted-pair wiring and fiber cabling
Standard defined by IEEE 802.3u
Many switches and hubs combine 10 Mbps and 100 Mbps ports to link legacy networks into high speed backbones
Section 6 TNV-202-GUI
Slide Title:
Important Points to Cover:
The specification calls for a few changes from the previous spec, but mostly outlines the new features.
Page 6 - 3
Sniffer University
Firewall Router
Hub
Token Ring
Due to the small collision domain and repeater limitations, most Fast Ethernet hub installations will be in workgroup areas. It is not useful in the backbones of large enterprise networks. Fast Ethernet switches or other technologies are needed to go the distances.
Network Associates
Section 6 TNV-202-GUI
Slide Title:
Important Points to Cover:
Key words: "In place of" does not mean pull out all of your FDDI and use Fast Ethernet instead. FDDI has been around a long time and is a proven technology. This is to say, "If you need to install a new high-speed backbone, consider Fast Ethernet." Pulling out FDDI would be a real waste of money, and Fast Ethernet is probably inferior. Fast Ethernet is, however, cheaper to implement, and easier, since troubleshooting skills students already have transfer over to this technology.
Also mention the environments listed in the student notes section where Fast Ethernet could be implemented.
Page 6 - 4
Sniffer University
Section 6 TNV-202-GUI
Slide Title:
Important Points to Cover:
Point out just how similar the two are. The differences do not affect us as the protocol analyst. Of course, as a network manager concerned with the installation and overall network design, the similarities and differences are critical.
Page 6 - 5
100BASE-T Features
6-6
100BASE-T transmits ten times as much data in the same amount of time
It has new PHY standards
The network design is more compact
The interframe gap is .96 microseconds instead of 9.6 microseconds
It is still 96 bit times for 10/100/1000; the times just get shorter as the speed increases
100BASE-T does have some important differences from 10BASE-T. Changes have been made to the PHYsical layer components. New sub-layers such as the Reconciliation sub-layer and an interface called the MII (Media Independent Interface) have been defined in the specification. There are new rules defining the number of repeaters allowed.
Network Associates
Section 6 TNV-202-GUI
Slide Title:
Important Points to Cover:
100BASE-T Features
This slide shows key differences. Point out that the interframe gap is still 96 bit times; the bit times are just 10 times shorter!
Page 6 - 6
Sniffer University
Network Associates
Section 6 TNV-202-GUI
Slide Title:
Important Points to Cover:
Page 6 - 7
Sniffer University
Transmission over two pairs of Category 5 UTP or IBM Type 1 STP wire
RJ-45 connector is exactly the same as that used by 10BASE-T, where the RJ-45 links two pairs of wires
The punchdown blocks in the wiring closet must be Category 5 certified
Traditional DB-9 connector used for STP wiring
4B5B coding
Section 6 TNV-202-GUI
Page 6 - 8
TIA/EIA Cabling standards
Category  Application Support         Bandwidth  Year Std
1         Voice only                  voice      1950s
2         Voice or low speed data     1          1960s
3         Voice, 10BASE-T             16 MHz     1991
4         16 Mbps Token Ring          20 MHz     1993
5         CDDI, 100BASE-TX, ATM 155   100 MHz    1994
5         1000BASE-T (higher specs)   100 MHz    1999
5E        1000BASE-T                  100 MHz    1998
6         TBD                         200 MHz    1999
7         TBD (Work in Process)       600 MHz    9/2000
Network Associates
Section 6 TNV-202-GUI
Page 6 - 9
Pin  Signal      Wire Color
1    Transmit 3  white/green
2    Receive 3   green/white
3    Transmit 2  white/orange
4    Receive 1   blue/white
5    Transmit 1  white/blue
6    Receive 2   orange/white
7    Transmit 4  white/brown
8    Receive 4   brown/white

Pin  Signal      Wire Color
1    Transmit 2  white/orange
2    Receive 2   orange/white
3    Transmit 3  white/green
4    Receive 1   blue/white
5    Transmit 1  white/blue
6    Receive 3   green/white
7    Transmit 4  white/brown
8    Receive 4   brown/white
It doesn't matter which wiring spec you choose; you just need to ensure you follow through with the same pinouts for all the cables. Both T4 and 1000BASE-T require four pairs. Gigabit requires a higher quality connector. Wiring specification: page 131 of the IEEE 802.3u-1995 spec details the pinouts for internal and external crossover cables.
Network Associates
Section 6 TNV-202-GUI
Slide Title:
Important Points to Cover:
New Slide. For student reference. 10BASE-T required only:
pin 1 Transmit 2 white/orange
pin 2 Receive 2 orange/white
pin 3 Transmit 3 white/green
pin 6 Receive 3 green/white
If they are upgrading NICs to 100 or 1000 Mbps, they will need to connect all eight of the pins to make the old cable work for the new speed!
Page 6 - 10
The Fiber MIC connector uses one keyed connector. It is quite large and is being replaced by the SC connector. The ST connector is the bayonet-style connector that twists onto separate fiber cables. It is the most popular connector.
The SC connector is smaller and uses a duplex connector. It is the connector of choice for future designs.
Network Associates
Sniffer University
Section 6 TNV-202-GUI
Page 6 - 11
6-12
ULP MAC
Sniffer University
Clocking information is carried within the data stream 100BASE-FX uses a two-state NRZI signal
A change in signal level represents a binary code-one; no signal level change represents a binary code-zero
PHY
The conversion from 4 bits to 5 bits does not involve any mathematical calculations - it is merely a table lookup.
Q: How does 4B5B contribute to making Fast Ethernet fast?
A: By processing bits in parallel blocks as they pass through the MAC layer rather than serially as in Manchester encoding. Fast Ethernet operates at 100 Mbps as data passes through the NIC. After the addition of the extra bit, it theoretically transmits at 125 MHz.
Network Associates
Section 6 TNV-202-GUI
New diagram requested by Linda Richman. Thank you! "Encoding" is red bold to emphasize this is an encoding scheme, to differentiate it from the purpose of the next slide. This is nice-to-know information but not needed to troubleshoot Fast Ethernet. Cover it quickly so you have time to present the stuff that will help them. The codes do not directly map to the hex value of the byte, so don't get hung up on the fact that a 1 maps to 01001 and F to 11101. The codes were defined to keep the number of sequential zeros less than 3 to maintain clock. In 4B5B, every four bits will be sent out over five bit times. Look at the beginning of the bit cell to see if there's a transition. If there is, you've got a one; otherwise it's a zero. What makes 4B5B different from other encoding schemes is that the kind of transition is not always the same. The transition order (+1,0,-1,0,+1,0) tells us that if there is going to be a transition, this is where the signal goes.
Page 6 - 12
Sniffer University
Hex 1F to 4B5B: 1 maps to 01001, F maps to 11101
A transition = binary 1; No transition = binary 0
Transition order: +1 0 -1 0 +1 0 -1 0 endlessly
Each 4-bit nibble is translated into a 5-bit symbol. The 5-bit symbol for 1 is 01001, the 5-bit symbol for F is 11101. What happens if you connect a 10 Mbps hub to a 100 Mbps port? Autonegotiation signals will not be sent by the 10 Mbps hub, so the 100 Mbps hub will adjust the port to 10 Mbps. The slow hub will send frames using Manchester encoding; the fast hub converts it to 4B5B encoding and uses MLT-3 ternary signaling to forward it out a fast port. It does the opposite conversion before forwarding any frames from the fast port to the slow port.
Network Associates
Section 6 TNV-202-GUI
Slide Title:
Important Points to Cover:
This is the electrical signaling: how we send the bits we just converted from 4-bit patterns into 5-bit symbols.
Notice that after each group of four bits, theres a transition. This transition does not provide data but is used for clocking.
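The 4B5B lookup and the MLT-3 signaling from these two slides, worked for the slide's own byte 1F, as an added example that is not part of the course material. The slides give only the code groups for 1 and F; the other fourteen entries are the standard 4B5B data code groups, and the default nibble order follows the slide's left-to-right reading of "1F" (an assumption; `low_nibble_first=True` reverses it).

```python
"""4B5B block coding followed by MLT-3 line signaling (100BASE-TX)."""

# 4B5B data code groups, indexed by nibble value 0x0..0xF.
# The slide shows 1 -> 01001 and F -> 11101; the rest are the standard table.
CODE_GROUPS = [
    "11110", "01001", "10100", "10101", "01010", "01011", "01110", "01111",
    "10010", "10011", "10110", "10111", "11010", "11011", "11100", "11101",
]
DECODE = {code: value for value, code in enumerate(CODE_GROUPS)}

# MLT-3 walks through these levels: a 1 bit moves to the next level,
# a 0 bit holds the current level (transition order +1, 0, -1, 0, ...).
MLT3_CYCLE = [0, +1, 0, -1]


def encode_4b5b(data, low_nibble_first=False):
    """Return the 5-bit code groups for every nibble of `data` as a bit string."""
    bits = []
    for byte in data:
        high, low = byte >> 4, byte & 0x0F
        for nibble in ((low, high) if low_nibble_first else (high, low)):
            bits.append(CODE_GROUPS[nibble])
    return "".join(bits)


def decode_4b5b(bits, low_nibble_first=False):
    """Table lookup in reverse; rejects anything that is not a data code group."""
    if len(bits) % 10:
        raise ValueError("need a whole number of 10-bit byte symbols")
    out = bytearray()
    for i in range(0, len(bits), 10):
        groups = (bits[i:i + 5], bits[i + 5:i + 10])
        for group in groups:
            if group not in DECODE:
                raise ValueError(f"{group} is not a 4B5B data code group")
        first, second = DECODE[groups[0]], DECODE[groups[1]]
        high, low = (second, first) if low_nibble_first else (first, second)
        out.append(high << 4 | low)
    return bytes(out)


def mlt3_encode(bits, position=0):
    """Turn a bit string into the list of line levels (+1, 0, -1)."""
    levels = []
    for bit in bits:
        if bit == "1":
            position = (position + 1) % 4
        levels.append(MLT3_CYCLE[position])
    return levels


def mlt3_decode(levels, previous=0):
    """A change of level is a 1, no change is a 0."""
    bits = []
    for level in levels:
        bits.append("1" if level != previous else "0")
        previous = level
    return "".join(bits)


if __name__ == "__main__":
    symbols = encode_4b5b(b"\x1f")
    print("4B5B :", symbols)
    print("MLT-3:", mlt3_encode(symbols))
```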
Page 6 - 13
(100BASE-T4)
Based on a ternary symbol - meaning it may take on one of three values: 1, 0 or -1, also represented as +, 0 or -
Each byte is mapped to a 6 bit-time ternary code symbol, called a 6T symbol
(i.e., to represent 1F, the 6T code group is 0 - + 0 + -)
A lookup table is used to convert the 8 bit byte into the 10 bit symbol
Sniffer University
Each 6T code symbol is fanned out onto the three pairs in round robin fashion Preamble is still 8 bytes in length
A special pattern is used to help the receiver locate the beginning of data on each pair The receiver strips this pattern and returns an ordinary preamble to the MAC
Network Associates
Section 6 TNV-202-GUI
This is nice to know information but not needed to troubleshoot Fast Ethernet. Cover it quickly so you have time to present the stuff that will help them.
The 802.3u spec defines a six part code for each byte.
Page 6 - 14
8B6T Example
6-15
Taken from the 802.3u specification: 1F uses code word 0 - + 0 + -
Data octet  6T code group
00          +-00+-
01          0+-+-0
02          +-0+-0
:           :
1F          0-+0+-
Sniffer University
+3.5 Volts +/- 10% 0 Volts +/- 50 mV -3.5 Volts +/- 10%
0 - + 0 + -
Network Associates
Section 6 TNV-202-GUI
Cover quickly.
Page 6 - 15
[Figure: bytes converted to 6T symbols, sent on 3 (of the 4 pairs)]
Network Associates
Section 6 TNV-202-GUI
As we showed earlier, 100BASE-T4 operates over four pairs of UTP wiring. Three are used for transmission, the fourth does collision detection. Each byte goes to a different wire in a round robin fashion.
Page 6 - 16
Sniffer University
Because of these constraints, switches are frequently used to extend the distances.
The 512 bit-time propagation limitation still applies. However, 512 bit times equals only 5.12 microseconds. Therefore, the performance of the repeater determines the number of repeaters allowed. To make things easier, certain classifications regarding the repeater's characteristics have been defined.
Network Associates
Section 6 TNV-202-GUI
Slide Title:
Important Points to Cover:
Page 6 - 17
Class I Repeaters
6-18
Used to connect unlike physical signaling systems
Only one Class I repeater can reside within a single collision domain when maximum cable lengths are used
Standard Class I repeater has maximum round-trip delay of 140 bit times
Late collisions result if limits are exceeded
100m UTP 100Base-TX
Class I
200m
Class one repeaters convert each incoming analog signal to digital before the data is placed on the backbone and repeated out. The digital data then must be converted back to analog at each port before it is sent out. This allows translation between different encoding, but adds latency to the repeater. For this reason, only one level one repeater is allowed in the collision domain.
[Diagram labels: Analog, Digital, Backplane]
Network Associates
Section 6 TNV-202-GUI
Slide Title:
Important Points to Cover:
Class I Repeaters
A little more clarification has been added to help differentiate between Class 1 and 2 repeaters. Because Class 1 repeaters can do translation between different cabling systems, it takes longer to repeat the signal. This limits you to just one repeater due to the longer propagation delay.
Page 6 - 18
Class II Repeaters
6-19 Provide ports for only one physical signaling system type
Timing constraints do not allow translation between 100BASETX and 100BASE-T4
Sniffer University
Have smaller internal delays so that two class II repeaters may reside within a given collision domain when maximum cable lengths are used
Standard Class II repeater has 92 bits as its maximum round trip delay
67 bits for Class II repeaters with any T4 ports
Class II
100m UTP
5m UTP 205m
Class II
100m UTP
Class II repeaters repeat the analog signal BEFORE it is converted to digital. The latency of these repeaters is less, but no conversion between encoding can be done.
[Diagram labels: Analog, Backplane, Digital]
Network Associates
Section 6 TNV-202-GUI
Slide Title:
Important Points to Cover:
Class II Repeaters
Because Class II repeaters cannot translate, they can forward the information much more rapidly. That allows for two in a collision domain.
Page 6 - 19
Stackable hubs are multiport repeaters Their backbones are connected with external cables to repeat all the frames The stack acts like a single repeater
+1
Network Associates
Section 6 TNV-202-GUI
Slide Title:
Important Points to Cover:
New Slide. Stackable hubs allow you to put a lot more devices in a collision domain than you could with single hubs. Essentially the backbone is extended through the external cables so the stack acts like a single repeater.
Page 6 - 20
Fiber Repeaters
6-21
Fiber cabling allows much larger collision domains Class II Class II 18m
105m Fiber Fiber 105m Fiber 228m
Class II
Fiber and UTP can be mixed Just be sure the end-to-end propagation delay does not exceed 512 bit times
+Delay for each cable to the node (x2) +Delay for each repeater +Delay for cable between repeaters
Network Associates
Section 6 TNV-202-GUI
Slide Title:
Important Points to Cover:
Fiber Repeaters
New Slide. Since fiber optic is becoming quite common now, (especially on the backbone) this slide was added to show the optical repeater specifications. The calculations for maximum collision domains need to add the delay of each wire based on type and length plus the delay of the repeater(s), expressed in bit times. The Switched, Fast, and Gigabit Ethernet book mentioned on the front of this section has great information on how to calculate all the different combinations. If you carry a book with you, this is the one to carry.
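The delay sum described above, as an added example that is not part of the course material. The repeater figures (140, 92 and 67 bit times) and the 512 bit-time limit are the ones on the slides; the per-metre cable figures and the end-station figure are assumptions taken from the 802.3u worst-case delay table and should be replaced with vendor data where it is available.

```python
"""Round-trip delay budget for a 100 Mbps half-duplex collision domain."""

LIMIT_BT = 512  # end-to-end limit in bit times, from the slide

# Round-trip repeater delays quoted on the Class I / Class II slides.
REPEATER_BT = {"class1": 140, "class2": 92, "class2_t4": 67}

# Assumptions (not in the course text): worst-case round-trip delays.
# They already count both directions, which is the slide's "(x2)".
CABLE_BT_PER_M = {"cat5": 1.112, "fiber": 1.0}
DTE_PAIR_BT = 100  # the two TX/FX end stations together


def budget(cables, repeaters):
    """Sum the delays along the longest path between two stations.

    cables    -- list of (medium, metres) for every cable on the path
    repeaters -- list of repeater classes on the path
    Returns a breakdown dict with the total and the remaining margin.
    """
    cable_bt = sum(CABLE_BT_PER_M[medium] * metres for medium, metres in cables)
    repeater_bt = sum(REPEATER_BT[kind] for kind in repeaters)
    total = DTE_PAIR_BT + cable_bt + repeater_bt
    return {
        "dte": DTE_PAIR_BT,
        "cable": cable_bt,
        "repeaters": repeater_bt,
        "total": total,
        "margin": LIMIT_BT - total,
    }


def fits(cables, repeaters):
    """True when the path stays inside the 512 bit-time limit."""
    return budget(cables, repeaters)["margin"] >= 0


def max_length(medium, other_cables, repeaters):
    """Longest extra run of `medium` (metres) the remaining margin allows."""
    margin = budget(other_cables, repeaters)["margin"]
    return max(0.0, margin / CABLE_BT_PER_M[medium])


if __name__ == "__main__":
    # The two layouts drawn on the repeater slides.
    layouts = {
        "one Class I, 100 m + 100 m UTP":
            ([("cat5", 100), ("cat5", 100)], ["class1"]),
        "two Class II, 100 m + 5 m + 100 m UTP":
            ([("cat5", 100), ("cat5", 5), ("cat5", 100)], ["class2", "class2"]),
    }
    for name, (cables, repeaters) in layouts.items():
        b = budget(cables, repeaters)
        print(f"{name}: {b['total']:.2f} bit times, margin {b['margin']:.2f}")
```

Exceeding the limit is what produces the late collisions mentioned on the Class I slide, so a negative margin is the thing to look for.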
Page 6 - 21
Auto-Negotiation
6-22 Sniffer University
The algorithm that allows two devices at either end of a link segment to negotiate common data service functions
RJ-45 connector may have any one of five different Ethernet signals: 10BASE-T, 10BASE-T full-duplex, 100BASE-TX, 100BASE-TX full-duplex or 100BASE-T4
Both 100BASE-T NICs and hubs send a modified 10BASE-T link integrity test pulse sequence (called Fast Link Pulses - FLP)
10BASE-T devices don't understand the pulses and ignore them
100BASE-T devices adjust to 10 Mbps when they receive 10BASE-T link pulses
Hub and NIC automatically adjust their speed to the highest common denominator both can accommodate
10 or 100? Full or half? AUTONEGOTIATE!
OFF ON
OFF ON
?? Hub or switch
Useful if you're unsure what you're plugging into AND when upgrading to 100BASE-T hubs or cards
10BASE-T link pulses are a single signal every 201 s. Fast Ethernet link pulses are bursts containing information about the capabilities of the adapter. They are used for all the faster Ethernet interfaces. Priority bits in the pulses identify the type of the device connection capabilities and are assigned as below. The highest common connection type is used for the connection.
Priority  Connection type
1         1000BASE-T full-duplex
2         100BASE-T2 full-duplex
3         100BASE-T2
4         100BASE-TX full-duplex
5         100BASE-T4
6         100BASE-TX
7         10BASE-T full-duplex
8         10BASE-T
Autonegotiation is a common source of incompatibility problems when using a 10/100 card from one vendor and a hub from another vendor.
Network Associates Ethernet Network Analysis and Troubleshooting Fast Ethernet
Section 6 TNV-202-GUI
Slide Title:
Important Points to Cover:
Auto-Negotiation
Good coverage of this on pages 133 through 135 of the Seifert book. Autonegotiation created a lot of problems in the early NICs. Not all vendors used the same algorithm, and things worked OK until you introduced a new brand of NIC into the network. These early implementation problems are now corrected and most cards are compatible. Most hubs allow you to turn autonegotiation off to force the network to specific parameters.
Autonegotiation is done on power up. Generally there are devices on the network that are never powered down, so they control the parameters of a broadcast segment. The negotiation is done for a specific link. Most hubs and switches can negotiate on each port, so you may have a combination of 10 and 100 MB stations on the ports. The pulses sent to negotiate are ignored by any cards that do not support it. 16-bit pages are sent that carry information that identifies the parameters. There is a larger discussion of these in the gigabit section.
Cards are able to differentiate between the link pulses, autonegotiation and data signals on the wire. The Sniffer will not capture any of these signals, so we will not see them in traces. Autonegotiation is used only on 100 Mbps twisted pair networks. The IEEE has not been able to overcome the negotiation problems in fiber optic networks, so the ends of the links must be manually configured. The Sniffer does not capture Fast Ethernet autonegotiation; the gigabit Sniffer Pro does.
Page 6 - 22
Network Associates
Section 6 TNV-202-GUI
Slide Title:
Important Points to Cover:
New Slide. Slide information is adequate. This slide also answers the question of "what if I plug in the wrong Sniffer?" (We address it later, too.) The best advice is to leave the 10/100 Ethernet card in your Sniffer set to autonegotiate the speed. Attach it to the network, then power it up. It will automatically learn the correct speed and begin to watch the frames even before you start any monitor or capture processes. If you plug any 10/100 card into the wrong port, the worst that happens is the card (including the Sniffer) won't see anything!
Page 6 - 23
Devices with a mixture of port speeds must provide buffers to hold the data between the high and low speed devices
Flow control must be used to signal devices to stop sending data when the buffer is full Half-duplex uses back pressure signals
Network Associates
Sniffer University
Section 6 TNV-202-GUI
Slide Title:
Important Points to Cover:
New Slide. This is a lead-in to the back pressure discussion and the exercise where we see two traces from a 10/100 autosensing hub. There will be a delay between the 10 and 100 connections because of the bridging effect inside the hub or switch.
Page 6 - 24
Back Pressure
6-25
Switches send back pressure frames as a busy signal to end stations to prevent them from sending frames when the switches' internal buffers have reached their capacity
Switches that do not use back pressure or some other flow control mechanism will simply DROP FRAMES when their internal buffers cannot handle the traffic flow
Switches discard frames when their buffers are full. This causes retransmissions at the higher layers, which degrades performance. If the switch causes collisions when the buffer is full to keep from discarding frames, the backoff algorithm in the end station will keep incrementing the time the card waits to retransmit and will finally give up. Back pressure eliminates this problem. By keeping the line busy with bits, the cards can transmit as soon as they sense the line is free and the backoff algorithm will not be started.
Network Associates
Section 6 TNV-202-GUI
Slide Title:
Important Points to Cover:
Back Pressure
This slide discusses the features of back pressure and how to deal with and identify it in the network. If you don't have time for the exercise in class, show the BACKPRES.CAP and BACKPRES1.CAP trace files. If they will do the exercise, let them discover it. Here is the text of an email from a former instructor while she was working at 3 Com about the BACKPRES.CAP trace. It is copied verbatim from the IFAQ. The same patterns can be used as jams, too. I differentiate by looking at the fragments in the trace. (The suggestions in the last bullets are hers.)
3 Com calls it Intelligent Flow Management (IMF) in its documentation. Here's how it works: There's an input buffer (size varies by device); let's use 256k for our example. When the switch detects there's 254k in the input buffer, it sends those signals to the network. The filling of the input buffer could mean the outbound segment is busy and the switch is having difficulty sending frames out, etc.
A few things to remember:
Since these are not valid frames, their only function is to trigger carrier detect on the cards on that segment. There is no meaning to their content.
Backpressure is a good thing! It looks like collisions, but keep this in mind. Ethernet cards are designed to backoff and retransmit if they detect a collision while transmitting. This takes microseconds. Backpressure will prevent them from transmitting in the first place or may cause a few collisions here and there (the switches don't carrier sense before they output backpressure). Anyway, it's the physical layer that handles this.
If you disable backpressure, frames may be dropped at the switch. This means no collision occurs and the upper layer has to time out to detect the lost packet. With LLC this could be a matter of milliseconds. With TCP, this could be a matter of hundreds of milliseconds. That's an eternity, especially on Fast Ethernet.
Bottom line, leave backpressure on.
Thanks, Michelle!!!
Demo:
Page 6 - 25
Sniffer University
Network Associates
Section 6 TNV-202-GUI
Slide Title:
Important Points to Cover:
The slide is self-explanatory. Refer them back to the hubports exercise we did. The same technique applies in Fast Ethernet.
Page 6 - 26
Sniffer University
Section 6 TNV-202-GUI
Slide Title:
Important Points to Cover:
Page 6 - 27
Sniffer University
Section 6 TNV-202-GUI
Slide Title:
Important Points to Cover:
Page 6 - 28
Network Associates
Sniffer University
Turn to the lab section to complete the Fast Ethernet exercises Fast Ethernet Troubleshooting and Back Pressure Fast Ethernet Problems
Section 6 TNV-202-GUI
Slide Title:
Important Points to Cover:
Please do these two exercises. They teach valuable skills and give them another chance to work with Fast Ethernet and how it impacts the network.
Fast Ethernet Troubleshooting and Back Pressure: The first shows Fast Ethernet traffic. At the end are 2 trace files showing different types of backpressure. If you run out of time, you could use these trace files to demonstrate the patterns.
The second exercise discusses some of the issues in the 10/100 autosensing hubs.
Look back to page 25 for the backpres.cap story. This is the story that came with the backpres2.cap file:
This trace came from a company that was having problems from a line running in the proximity of a generator in a warehouse using cat 5 cabling. The errors coming from the EMI were overflowing the buffer on the 10/100 switch, so the switch was sending out the backpressure. To solve the situation the customer installed a fiber zip cord and it worked. This proves the point that the back pressure was not the problem but the EMI was. I hope this fills in the gaps for everyone. Michael "Mickey" Giovingo
Page 6 - 29
Summary
6-30 In this section, you learned how to:
Summarize the features of Fast Ethernet
Differentiate the 100BASE-T4, 100BASE-TX, and 100BASE-FX implementations
Recognize back pressure frames in a trace
Attach Sniffer Pro to your Fast Ethernet networks
Use the Sniffer Pro statistics and decodes to locate areas of concern
Network Associates
Sniffer University
Section 6 TNV-202-GUI
Slide Title:
Important Points to Cover:
Summary
Review the section objectives and answer any remaining questions. Target Time: Day two at afternoon break.
Page 6 - 30
7-1
Network Associates
Sniffer University
Section 7 TNV-202-GUI
Slide Title:
Full Duplex Ethernet Start: Day 2 after break Finish: Day 2 Approx. 3:00
Section Timing:
Files: Traces:
07_fd_g.PPT
07_fd_g.DOC
This section looks back to Fast Ethernet and forward to Gigabit Ethernet. Both use Full Duplex. Please remember this instructor guide is a living document. It is not complete to start and is intended to grow with time. Add to your own copy as you gain experience. Please e-mail suggestions to the course Subject Matter Expert (SME) for future updates to the course material.
Page 7 - 1
Section Objectives
7-2 Upon completion of this section, you will be able to:
Summarize the features of Full Duplex Ethernet
Differentiate Full Duplex Ethernet standards and cabling
Recognize Pause frames in the trace and why they are sent
Attach Sniffer Pro Full Duplex pod to your Full Duplex Ethernet networks
Configure Sniffer Pro's full duplex features
Use the Sniffer Pro statistics and decodes to locate areas of concern
Attach the Full Duplex pod to analyze full duplex connections
Network Associates
Sniffer University
Section 7 TNV-202-GUI
Slide Title:
Important Points to Cover:
Section Objectives
You will not have access to the FDX pod for this class. This section, Full Duplex, has no accompanying exercises and consists of many slides depicting configuration. How you handle these sections will depend on your comfort level with the material. Since many students may have questions regarding how the Sniffer will handle Full Duplex and Gigabit, you have these sections as an overview.
References:
Fast Ethernet: Dawn of a New Network by Howard W. Johnson, 1996, Prentice Hall Publishing, ISBN 0-13-352643-7
Gigabit Ethernet, Technology and Applications for High Speed LANs by Rich Seifert, 1998, Addison Wesley Publishing, ISBN 0-201-18553-9
Switched, Fast and Gigabit Ethernet, 3rd Edition, by Robert Breyer and Sean Riley, 1999, Macmillan Technical Publishing, ISBN 1-57870-073-6
Page 7 - 2
Switch
Full-duplex Uplinks
Sniffer University
Half-duplex Workstations
Simultaneous Transmit and Receive on separate cables
Eliminates collisions
Must be supported by both hub and end-node
Can allow full distance limitation of media (2km for fiber optic cable)
Defined in the 802.3x Specification
Many half-duplex switches have full-duplex uplink ports
Full duplex cards are usually practical only for servers with high levels of traffic on both the receive and transmit lines. Adding a full duplex card to a workstation is only practical for one with a multitasking operating system running applications that require and can handle simultaneous read and write operations.
Network Associates
Section 7 TNV-202-GUI
Slide Title:
Important Points to Cover:
Each station has two cables: one to transmit to the port, the other to receive. They can send and receive simultaneously. Because there are no collisions, the cables can be much longer. Full duplex doubles the aggregate channel capacity, but does not double the maximum data transfer rate due to the nature of the traffic. Most connections send a lot of data in one direction and acknowledgements in the other direction. This imbalance will be most apparent in a client-server link between a single user and server. With a server or router connected to a backbone and many stations accessing them, the receive and transmit channels are more likely to have an equal amount of traffic. Each link must be a dedicated connection. If they were shared, you'd need the CSMA/CD and all the advantages go out the window.
Page 7 - 3
Workgroup Hubs
Sniffer University
Router
Traffic management for frames going to non-duplex stations is handled by the internal buffering on the switch.
Network Associates
Section 7 TNV-202-GUI
Slide Title:
Important Points to Cover:
In the backbone, so edge devices can have full bandwidth in each direction. In powerful servers that service many clients. Anywhere there is a need for a huge fast pipe. Note that it can be used in 10, 100 or 1000 Mbps networks. This is a very simplified diagram. Most companies will have much larger configurations!
Page 7 - 4
No collisions
No backoff delays No Carrier Sense, No Multiple Access, No Collision Detection No CSMA/CD!
Network Associates
Section 7 TNV-202-GUI
Emphasize the first bullet. Idea from Seifert: Ethernet has always been defined as CSMA/CD. If it didn't do it, it was Token Ring, FDDI, Token Passing - you get the idea. Now we have an environment that doesn't do CS, isn't MA and doesn't need to do CD, but we still call it Ethernet!
Page 7 - 5
Network Associates
Sniffer University
Section 7 TNV-202-GUI
Slide Title:
Important Points to Cover:
This slide is animated. If you have a frame to send, by golly, just put it on the wire! If you have a bunch of frames to send, just keep pumping them out, but be sure to put the interframe gap for the technology between them so the receiver can catch its breath, send the frame up the stack and get ready to synch up for the next one.
Page 7 - 6
Assemble Frame
Network Associates
Sniffer University
Section 7 TNV-202-GUI
Slide Title:
Important Points to Cover:
This is a modified version of the 10 Mb flow chart. A couple of things have been added here that were assumed in the 10 Mb chart: SFD recognition, frame assembly, address recognition. The other one had so many things going on that we just didn't have room for them there! Question: Does the receiver need the gap to tell when the frame has ended? Nope. It has the length field to tell it how long the frame is.
Page 7 - 7
Network Associates
Section 7 TNV-202-GUI
Slide Title:
Important Points to Cover:
MAC frames in Ethernet????? And they still call it Ethernet??? The PAUSE is the only MAC frame defined yet. It is anticipated more will be added as needed. These frames replace backpressure.
Page 7 - 8
The destination address is a multicast address that has previously been reserved. Only stations that support the PAUSE function will accept the frame. All MAC Control frames will be type 8808. The opcode specifies the type of control frame. PAUSE frames are opcode 0001 and are the only MAC Control frames currently defined. They are sent by either side when their buffer is full and are used to notify the receiving side to wait a certain period of time before sending more frames. A time is included in the MAC Control Parameter field that indicates the amount of time the receiver must wait. It is measured in 512-bit times so it is specific to each data rate. It can be used for 10, 100 and 1000 Mbps Ethernet. 10 Mbps will be 51.2 microsecond increments, 100 Mbps is 5.12 microseconds, 1000 Mbps is 512 nanosecond increments. The station can modify the wait time by sending a new PAUSE frame with the timer set either shorter or longer to reflect current buffer conditions.
Preamble and SFD
Destination Address: 0180C2000001
Source Address: Sending Station's Address
Type = 8808: MAC Control Frame Type
MAC Control Opcode: PAUSE = 0001
MAC Control Parameters: Pause time in 512 bit-time increments
Pad to 44 bytes
CRC
The 8808 type field identifies this as a MAC Control frame. The opcode indicates which type of MAC frame. Right now the only one is 0001 for the PAUSE. The time is always listed in 512 bit-time intervals. Conceivably they can be used for all speeds; the spec was written with that in mind. Later on there may be control frames that need more fields. Space is reserved for more parameters. Question: Does the full duplex Sniffer capture these control frames?
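The PAUSE fields above, decoded in Python as an added example (not part of the course material): it recognizes PAUSE frames in a capture, converts the pause time to seconds per line rate, and tracks how long the link is held paused when later PAUSE frames reset the timer. The sample frames, source address and function names are constructed for illustration.

```python
import struct

PAUSE_DEST = bytes.fromhex("0180C2000001")  # reserved multicast address shown on the slide
MAC_CONTROL_TYPE = 0x8808                   # Type field of every MAC Control frame
OPCODE_PAUSE = 0x0001                       # the only opcode the guide says is defined
QUANTUM_BITS = 512                          # pause time is counted in 512 bit-time units


def parse_pause(frame):
    """Decode a frame given from the destination address onward (no preamble/SFD).

    Returns a dict describing the frame, or None if it is not a PAUSE frame.
    """
    if len(frame) < 18:                     # 6 DA + 6 SA + 2 type + 2 opcode + 2 pause time
        return None
    eth_type, opcode, quanta = struct.unpack("!HHH", frame[12:18])
    if eth_type != MAC_CONTROL_TYPE or opcode != OPCODE_PAUSE:
        return None
    return {
        "source": ":".join(f"{b:02x}" for b in frame[6:12]),
        "reserved_destination": frame[0:6] == PAUSE_DEST,
        "quanta": quanta,
    }


def pause_seconds(quanta, mbps):
    """Convert a pause time in 512 bit-time units to seconds at the given line rate."""
    return quanta * QUANTUM_BITS / (mbps * 1_000_000)


def paused_intervals(events, mbps):
    """Return [start, end] spans during which the receiving side must hold off.

    events is a time-sorted list of (timestamp_seconds, frame_bytes). A PAUSE that
    arrives while a timer is running replaces the remaining time, shorter or longer.
    """
    spans = []
    for ts, frame in events:
        info = parse_pause(frame)
        if info is None:
            continue
        end = ts + pause_seconds(info["quanta"], mbps)
        if spans and ts <= spans[-1][1]:
            spans[-1][1] = end              # running timer is overwritten
        elif end > ts:
            spans.append([ts, end])
    return spans


def paused_fraction(events, mbps, window_seconds):
    """Share of the capture window spent paused; a high value deserves a closer look."""
    total = sum(min(end, window_seconds) - start
                for start, end in paused_intervals(events, mbps)
                if start < window_seconds)
    return total / window_seconds


def sample_frame(source_hex, quanta, eth_type=MAC_CONTROL_TYPE):
    """Constructed sample frame: header, opcode and pause time, zero-padded to 60 bytes."""
    header = PAUSE_DEST + bytes.fromhex(source_hex)
    return (header + struct.pack("!HHH", eth_type, OPCODE_PAUSE, quanta)).ljust(60, b"\x00")


# Constructed capture on a 1000 Mbps link (timestamps in seconds)
SAMPLE_EVENTS = [
    (0.000, sample_frame("020000000001", 0xFFFF)),       # longest possible pause
    (0.010, sample_frame("020000000001", 256)),          # timer shortened
    (0.020, sample_frame("020000000001", 100, 0x0800)),  # not MAC Control, ignored
    (0.050, sample_frame("020000000001", 1000)),         # new pause after resuming
]

if __name__ == "__main__":
    for start, end in paused_intervals(SAMPLE_EVENTS, 1000):
        print(f"paused {start:.6f}s -> {end:.6f}s")
    print(f"paused share of 100 ms: {paused_fraction(SAMPLE_EVENTS, 1000, 0.1):.2%}")
```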
Device drivers and software configure full-duplex adapters. NAI's DSPro has a card that can sniff these links.
NAI sells a four port Ethernet adapter and tap card for DSPro Agents which allows you to designate all four ports as an EtherChannel. The TNV-201-DSP course has more information on this card.
Slide Title:
Important Points to Cover:
New Slide. This slide is here to answer questions from students about whether the Sniffer can capture on these high-speed links. DO NOT try to give them details here. It is only for the DS Pro and we cover this card and all the other non-portable solutions in the TNV-201-DSP class.
When configuring the new agent, you must select the Ethernet network card before you check the Full Duplex pod radio button. This will enable the IP address box. The Host adapter must be configured with a fixed IP address. DHCP for the host is not supported. Set the pod's IP address one higher than the address of the Ethernet card in your computer if the address is not automatically sensed.
Remind them the system requirement and pod information was covered in section two so we haven't repeated it here. Use the familiar File > Select Settings to create the new agent. First select the Ethernet adapter in the PC. When you select the Full Duplex pod in the Netpod type field, the IP address becomes active. Important: the IP address for the pod must be one host number higher than the address of the Ethernet card. They can use Ipconfig.exe or open the Windows network window to get the address if they don't know it. When you click OK on this screen and select it from the Select Settings window, you'll see some progress report messages as the code is downloaded to the pod. If all goes well, you should see the Sniffer window open and the agent name and pod speed show up in the title bar.
Before you start a capture, check the line speed settings in Tools > Options > Full Duplex Pod
Slide Title:
Important Points to Cover:
The first thing you need to do is set the line speed of the link. Use Tools > Options > Full Duplex pod tab window to do that. All of the choices are shown in the drop-down list.
Pod Memory
The physical memory installed in the box
Up to 512 MB
Frames from the network are copied here
Sniffer PC Memory
Set through the Buffer tab on Capture Filters
Frames from the pod are copied here
Slide Title:
Important Points to Cover:
This is preparation for the next slide that shows the options you have in capturing this traffic. Explain it quickly and move on.
Set by clicking the icons on the toolbar or the Capture Menu
Stream Mode
The pod streams the data to the analyzer application as it is captured off the network
Counts appear in the Sniffer window
Slide Title:
Important Points to Cover:
Stream Mode: the pod sends the frames to the Sniffer PC as they arrive on the network. The pod may miss capturing some frames as the frames are transferred to the PC on very busy networks. The software decodes the frames and shows statistics, but does not do real-time Expert analysis. You must stop the capture and upload the frames to the PC before you get Expert analysis. High Speed Capture Mode is used on very busy networks. This allows you to focus on capturing the frames without the holes introduced in Stream Mode. You'll want to watch the buffer dial to make sure you stop the capture before the pod buffer recycles and writes over the first frames. You can also configure the Sniffer to stop when the pod buffer is full and upload the frames to the PC. How? Read on...
Slide Title:
Important Points to Cover:
Capture > Define Filter > Buffer
Set the Sniffer Buffer actions here
Same options as other Sniffers
Slide Title:
Important Points to Cover:
This panel controls the PC buffer actions. There are no unique Full Duplex settings here.
Sniffer Statistics
View Both Shown when you start a capture from the capture menu or icon
Pod Statistics
The Decode window Summary panel shows the channel number as [A] and [B] in the Status column
Slide Title:
Important Points to Cover:
This is the display when you have enabled the View Both option. PC statistics at the top. Pod statistics at the bottom. The graphs on the lower panel are color-coded for each channel. The pod counts show numbers for each channel and total counts.
View Both
Split screen to show statistics for both
Slide Title:
Important Points to Cover:
These icons control which panels are open on the Sniffer capture screen. You can select just the Sniffer PC counts, just the pod counts or both.
Pod Gauges
Frames Received per second on each channel
Percentage of free memory on each channel
Number of errors per second received on each channel
Slide Title:
Important Points to Cover:
Pod Gauges
Slide is self-explanatory.
Click the Properties icon in the Full Duplex pod window or click the right mouse button over the capture window and select the Properties option
Identify shows:
Pod version
Pod IP Address
Pod Ethernet MAC Address
Connection mode
Line Speeds
Total Memory
Pod Version number specifies the version of the software on the pod
IP Address shows the IP address assigned to the pod
MAC Address shows the hardware address of the Ethernet adapter in the pod
Connection shows whether the pod is set to passthrough or terminate mode
Channel A Line Speed shows the line speed of the network segments attached to Channel A
Channel B Line Speed shows the line speed of the network segments attached to Channel B
Total Memory shows the amount of memory installed on the pod (in DIMMs)
Slide Title:
Important Points to Cover:
Slide is self-explanatory.
Address Filters
If Mode is set to Include and you set address filters with less than or equal to 16 sources and 16 destinations, the filter is applied as a hardware filter
If Mode is set to Exclude or if you have more than 16 sources or 16 destinations, the filter is applied as a software filter
Type of address filter # Sources 2 1 0 # Destinations 2 0 1
Hardware filters are applied at the pod as the frames are captured from the network. The frames excluded by hardware filters are not saved in the pod buffer. Software filters are applied by the Sniffer application to the frames uploaded from the pod buffer to the Sniffer buffer. Hardware filters
Software filters
Slide Title:
Important Points to Cover:
Address Filters
Slide is self-explanatory.
When capturing in high speed at full line rate, address filters are particularly helpful
When the mode is set to High Speed, the frames are stored in the pod buffer until the capture is stopped
Limiting the frames that are accepted ensures you will have the frames needed to isolate the problem
When hardware filters are in effect, the pod will automatically filter out all frames shorter than 55 bytes, CRC included
Slide Title:
Important Points to Cover:
Slide is self-explanatory. Set capture filters to save room for what you need to see!
Valid CRC
Illegal
Fragment CRC
For more details, see Appendix A in the Full Duplex Product Manual on your student CD.
Slide Title:
Important Points to Cover:
Slide is self-explanatory. If you want more details, look at Appendix 2 in the Full Duplex pod use documentation on the student CD.
Slide Title:
Important Points to Cover:
This is the same diagram we had before. It is possible to use two regular Fast Ethernet Sniffers attached to a splitter to capture each channel separately. Remind them to time synchronize them as close as they can before they start to capture and start the capture as simultaneously as they can. They will need to match request and reply sequences in the frames to line up the frames for comparison. Once they have the trace files saved, both can be opened in Sniffer Pro and their windows set side by side to compare them directly as we did in the hubports exercise.
Summary
In this section, you learned how to:
Differentiate Full Duplex Ethernet standards and cabling
Recognize Pause frames in the trace and why they are sent
Attach Sniffer Pro Full Duplex pod to your Full Duplex Ethernet networks
Configure Sniffer Pro's full duplex features
Use the Sniffer Pro statistics and decodes to locate areas of concern
Attach the Full Duplex pod to analyze full duplex connections
Slide Title:Summary
Important Points to Cover:
Review the section objectives and answer any remaining questions. Target Time: Day 2 at 3:30
Gigabit Ethernet
Section 8 TNV-202-GUI
Slide Title:
Section Timing:
This section was updated to reflect the new technologies customers are beginning to employ in their networks. There should be a gigabit dummy driver defined on the class Sniffers. There is a warning that Monitor mode is disabled. Just click OK to move beyond it. This will enable you to create a new agent and show the features of the Sniffer.
Section Objectives
Upon completion of this section, you will be able to:
Summarize the features of Gigabit Ethernet
Differentiate Gigabit Ethernet standards and cabling
Summarize 1000Base-SX, 1000Base-LX, 1000Base-CX and 1000BaseT implementations
Attach Sniffer Pro to your Gigabit Ethernet networks
Configure Sniffer Pro's gigabit-specific features
View the autonegotiation process in the Sniffer and determine if there is a problem
Use the Sniffer Pro statistics and decodes to locate areas of concern
Slide Title:
Important Points to Cover:
Section Objectives
Cover the objectives quickly. We do have dummy drivers so you can show the Gigabit screens. Practice with them so you can present the information in this section.
References:
Gigabit Ethernet, Technology and Applications for High Speed LANs by Rich Seifert, 1998, Addison Wesley Publishing, ISBN 0-201-18553-9
Switched, Fast and Gigabit Ethernet 3rd Edition by Robert Breyer and Sean Riley, 1999, Macmillan Technical Publishing, ISBN 1-57870-073-6
Gigabit Overview
1000 Mbps Ethernet is able to transmit a frame at ten times the data rate of 100 Mbps Ethernet
It allows you to use familiar Ethernet technology while providing much higher bandwidth
The standard using optical cabling is defined in the 802.3z addendum
The 802.3ab addendum defines the Physical Layer parameters for 4-pair over Cat 5 balanced copper cabling
Switches with 10/100 and Gigabit ports link legacy networks into high speed Gigabit backbones
Frequently used in server clusters, links between switches and servers
Some implementations even allow you to aggregate 1000BASE-X or 1000BASE-T segments into 10 Gigabit links
The aggregate data rate of 1000 Mbps is achieved by transmission at a data rate of 250 Mbps over each UTP wire pair. Full duplex transmission allows symbols to be transmitted and received on the same wire pairs at the same time. Baseband signaling with a modulation rate of 125 Mbaud is used on each of the wire pairs. The period for each symbol is 8 ns.
You may want to poll the class to see what their plans are for gigabit vs. ATM. Review the bullets quickly.
Workgroup LANs
Campus 10/100 Mbps Hubs and Switches with Gigabit Uplinks Workgroup Hubs
Due to the cost of Gigabit switches, only high throughput links will initially use or need Gigabit Ethernet.
Slide Title:
Important Points to Cover:
One last slide like this. Early implementations will concentrate these very expensive high speed connections where the highest levels of traffic exist. Fast Ethernet switches for the LANs will have gigabit uplinks to multiplex the traffic onto the high speed backbone. Later slides address the move to gigabit to the desktop.
Uses the Physical Layer of Fibre Channel
Uses the MAC and LLC layers of the 802.3 specification
Increases data rate to 1.25 Gbps
ANSI X3T11 Fibre Channel layers:
FC-4 Upper Layer Mapping
FC-3 Common Services
FC-2 Signaling
FC-1 Encode/Decode
FC-0 Interface and Media
The Gigabit Ethernet standard draws from two separate specifications. The Physical layers are derived from the ANSI X3T11 Fibre Channel specification. The Data link layers are derived from the IEEE 802.3 Ethernet specification that specifies CSMA/CD for half duplex or full duplex rules for media access control. The LLC layer is moved intact from the IEEE specification.
The large number of cable choices allows for a maximum network diameter to range from 200 meters with category 5 UTP to 550 meters using 1300 nm single mode 500 MHz/km fiber at attenuation 2.32 all the way to 5000 meters using 1300 nm single mode 10/125 µm fiber cables at attenuation 4.5.
A VERY small collision domain IF you use it in a half-duplex configuration. Emphasize again we are still building on the old 10Base5 specs if we are going to share the media.
Most Gigabit implementations will use Full Duplex mode to enable long cable lengths.
Frame fields: P, DA, SA, L/T, DS, SS, Ctr, Data, F
P = Preamble
DA = Destination Address
SA = Source Address
L/T = Length/Type
DS = Destination SAP
SS = Source SAP
Ctr = LLC Control (a SNAP header not shown here may follow this field)
Data = Frame data
F = Frame Check Sequence (CRC)
Carrier Extend allows the network diameter to remain at the 200 meter limit used by Fast Ethernet over twisted pair media. This is also inefficient. If a device only has 64 bytes of data to send (a minimum-length Ethernet frame), it still must send 512 bytes, most of which is only a carrier signal. It imposes a great deal of overhead for a network where smaller frames predominate.
Slide Title:
Important Points to Cover:
This is a multi-faceted tool. Extend small frames to the 512 byte minimum in half-duplex so all stations will hear the transmission and wait to transmit. Fill the interframe gap in burst mode (covered on the next slide). One or more inserted between each frame in full-duplex mode. The Carrier Extend length is purposely written as 448-1 bytes, since it is dependent on how long the frame is.
Slide Title:
Important Points to Cover:
This shows how to enable the Sniffer to display the 10 bit codes. This may help in resolving vendor interoperability problems.
Slide Title:
Important Points to Cover:
If the station has multiple frames queued in its transmit buffer, packet bursting allows it to send them until the 64 Kbit timer runs out. The station waits until there is no carrier sensed, then it begins to transmit the first frame. It extends it to the slot time if it is short. If a collision occurs, it backs off and waits its turn to transmit. When the first frame is out, it keeps the line busy by transmitting nondata symbols (carrier extension symbols) to fill the interframe gap, then it transmits the second frame. It can continue to transmit frames separated by carrier extend until the 64 Kbit timer runs out (8192 bytes). If it has a frame in process, it finishes sending it, then yields the line. Collisions should not occur during the burst, since all stations should hear carrier and wait. If the collision domain limit is exceeded or a device has failed, it may cause a late collision. If this occurs, the adapter stops transmitting data and starts jamming, then it backs off and retries, starting the process over again. Packet bursting is not used in full-duplex, since the station owns the wire in each direction and has full bandwidth to transmit at all times.
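To put numbers on carrier extension and packet bursting as described above, here is an added Python model (not part of the course material) that compares the channel time for a queue of frames sent one at a time against the same queue sent as one burst. The 12-byte interframe gap and 8-byte preamble/SFD are standard Ethernet values assumed here, collisions are not modeled, and the function names are illustrative.

```python
SLOT_BYTES = 512           # half-duplex gigabit slot time from the guide
BURST_LIMIT_BYTES = 8192   # the 64 Kbit burst timer from the guide
IFG_BYTES = 12             # assumption: standard 96 bit-time interframe gap
PREAMBLE_BYTES = 8         # assumption: standard preamble plus SFD
MIN_FRAME, MAX_FRAME = 64, 1518


def carrier_extension(frame_len):
    """Extension bytes added to a frame sent on its own: 448 for 64 bytes, 0 from 512 up."""
    if not MIN_FRAME <= frame_len <= MAX_FRAME:
        raise ValueError(f"not a legal frame length: {frame_len}")
    return max(0, SLOT_BYTES - frame_len)


def wire_bytes_unburst(queue):
    """Channel time, in byte times, when every frame is sent as a separate transmission."""
    return sum(PREAMBLE_BYTES + n + carrier_extension(n) + IFG_BYTES for n in queue)


def send_burst(queue):
    """Model one packet burst and report what was sent and what it cost.

    Only the first frame is extended to the slot time. Later frames follow an
    interframe gap filled with extension symbols. A frame may start while the
    burst timer is still running and is always finished once started.
    """
    elapsed = 0  # byte times since the burst began
    sent = 0
    for n in queue:
        extension = carrier_extension(n)   # also validates the length
        if sent == 0:
            elapsed += PREAMBLE_BYTES + n + extension
        elif elapsed < BURST_LIMIT_BYTES:
            elapsed += IFG_BYTES + PREAMBLE_BYTES + n
        else:
            break                          # timer ran out: yield the line
        sent += 1
    return {
        "sent": sent,
        "left": len(queue) - sent,
        "data_bytes": sum(queue[:sent]),
        "wire_bytes": elapsed + IFG_BYTES if sent else 0,
    }


def efficiency(data_bytes, wire_bytes):
    """Fraction of channel time that carried frame bytes."""
    return data_bytes / wire_bytes if wire_bytes else 0.0


if __name__ == "__main__":
    small = [64] * 10      # constructed queue of minimum-length frames
    large = [1518] * 10    # constructed queue of maximum-length frames
    burst = send_burst(small)
    print("one at a time:", wire_bytes_unburst(small), "byte times")
    print("as a burst:   ", burst["wire_bytes"], "byte times")
    print("large frames: ", send_burst(large))
```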
Slide Title:
Important Points to Cover:
Slide Title:
Important Points to Cover:
Review the bullets quickly. This is a quick recap of the problems of shared media and why full duplex is the choice for everyone. Emphasize again the IEEE chose to build on the old 10Base5 specs for backward compatibility. But fortunately they moved on to create an environment where Gigabit can really speed things up.
Most switches offer full-duplex ports which will effectively double the potential throughput to 2 Gbps and extend the cable length.
Many 100 Mbps hubs and switches will be equipped with gigabit uplink ports to provide connectivity with the network's gigabit backbone
Pause frames are used for flow control
Jumbo frames are now allowed
Up to 9,000 bytes!
Single mode fiber increases the length of the cable substantially. One vendor supports single mode cable lengths up to 9 miles. Since sending frames requires CPU processing, sending a lot of small frames is inefficient. By allowing servers to send large frames, the CPU can queue a large frame, then work on other tasks while it is being sent.
Can you imagine Gigabit without using switches? Each connection is its own collision domain. There still can be collisions between the switch and the end station, but these will be very rare. Half duplex still does contention, full duplex doesn't need it. The best solution is full duplex gigabit. You get full bandwidth in both directions, reduce the overhead doing contention and increase the cable lengths.
µm = micron, nm = nanometers
This is the first of 3 slides that discuss the various types of media. Cover them quickly. Lasers are expensive. See big bucks
$$$$$$$$$
Copper Cable
1000BASE-CX
Can only be used as patch cables or jumpers due to a distance limit of 25 meters
Created to help reduce cost of the many short connections required in a wiring closet
Consists of 2 pairs of shielded 150-ohm Twinax cable
Much like Type 1 STP used in traditional token ring environments, but with higher electrical quality standards
1000BASE-T clock frequency is 125 MHz (vs. 25 MHz for 100BASE-T2). It simultaneously transmits on all four pairs to achieve the 1000 Mbps rate. Each pair transmits 250 Mbps, which aggregate to 1000 Mbps. The Twinax cable consists of two center conductors surrounded by an insulated spacer which is surrounded by a tubular outer conductor (usually braid, foil or both). It is then covered entirely by an insulating and protective cover. It is similar to twisted pair in that it uses differential or balanced transmission.
Slide is adequate.
The gigabit transceiver chip on the board contains more than 200,000 transistors, about the processing capability of an Intel 486 chip. Many different manufacturers use this chip on their boards.
Use a 64 bit 66 MHz PCI slot so the CPU bus can handle the amount of traffic
Big challenges: Coax cable limitations for such high speeds Big Bucks
$$$$$$$$
IBM developed and patented the 8B10B encoding standard and licensed it for Fibre Channel and Gigabit Ethernet. It ensures there are enough clock transitions for receiver clock recovery and allows control signals to be embedded in the data stream. Single and multiple bit errors can be corrected. The data code words never include more than 4 consecutive ones or zeros, nor do the ten bit codes have an imbalance of more than one, i.e., 5 ones and 5 zeros, 6 ones and 4 zeros or 4 ones and 6 zeros. The IEEE Std 802.3ab-1999 spec lists the entire bit-to-symbol mapping table of codes. It is also referred to as the 8B1Q4 coding technique. The conversion process is called 4D-PAM5 and refers to the 4 Dimensional 5-level Pulse Code Amplitude Modulation process.
Nice to know information. Won't help troubleshoot. Cover quickly. A table of symbols is included in the spec and table A-1 page 387 of Seifert's book and the IEEE spec (of course). The Gigabit Sniffer interface in current use gives statistics of the D and K group bits.
Autonegotiation
Gigabit autonegotiation is used to configure operational parameters
Fast Ethernet negotiates the speed with fast pulses
16 bit message pages are exchanged on link initialization, multiple pages can be used
If only one side supports full duplex, the connection will use half-duplex if each side allows negotiation. The PAUSE and Asymmetry direction bits are used together to determine if the device supports flow control and if it does, whether it is capable of asymmetric flow control. (Asymmetric refers to a large discrepancy between the amount of data on each line at the same time. If the device is a server, it can process requests from multiple clients on the transmit and receive lines, so the traffic will be somewhat even on the two sides. If the device is a node, data transfer will occur on only one line with acknowledgments on the other, so the traffic tends to be heavy on one line and light on the other line.) There are four possibilities with the two bits: 1) No flow control 2) Asymmetric flow control toward the node 3) Asymmetric flow control from the node and 4) Symmetric flow control. The Remote Fault bits indicate error conditions that prevent normal operation. Codes are shown as Remote Fault bit 1, Remote Fault bit 2: 00 = No error, 01 = Device Offline, 10 = Link failure, 11 = Auto-negotiation failure. Autonegotiation messages are sent repeatedly until the sender receives an acknowledgement. The acknowledgement bit indicates the sender has received 3 sequential autonegotiation messages with the same contents. The next page bit is reserved for future use when more than 16 bits are required to negotiate parameters. Special K and D combinations identify the autonegotiation signals so they are not interpreted as data.
Slide Title:
Important Points to Cover:
Autonegotiation
We've talked about autonegotiation before in the Fast Ethernet section. Here are the details about the 16 bit message pages and the significance of each of the bits. This shows all the different parameters that can be negotiated. Student notes should help you present this.
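As an added example (not part of the course material), the Python below decodes a 16-bit autonegotiation page into the fields discussed in the student notes and resolves two advertised pages into the duplex and flow-control result, which is what you check when a link comes up downgraded. The bit positions and the pause resolution rules are taken from IEEE 802.3 Clause 37 (1000BASE-X) as an assumption, since the guide names the fields but not all positions; the sample words are constructed.

```python
FD, HD = 1 << 5, 1 << 6            # full-duplex and half-duplex ability
PAUSE, ASM_DIR = 1 << 7, 1 << 8    # PAUSE and asymmetry direction bits
RF1, RF2 = 1 << 12, 1 << 13        # remote fault bits 1 and 2
ACK, NP = 1 << 14, 1 << 15         # acknowledge and next page
RESERVED = 0x0E1F                  # bits 0-4 and 9-11

# Codes as listed in the student notes, keyed by (Remote Fault bit 1, Remote Fault bit 2)
REMOTE_FAULT = {
    (0, 0): "No error",
    (0, 1): "Device Offline",
    (1, 0): "Link failure",
    (1, 1): "Auto-negotiation failure",
}


def decode(word):
    """Split one 16-bit autonegotiation page into named fields."""
    if not 0 <= word <= 0xFFFF:
        raise ValueError("autonegotiation page must fit in 16 bits")
    fault = (int(bool(word & RF1)), int(bool(word & RF2)))
    return {
        "full_duplex": bool(word & FD),
        "half_duplex": bool(word & HD),
        "pause": bool(word & PAUSE),
        "asm_dir": bool(word & ASM_DIR),
        "remote_fault": REMOTE_FAULT[fault],
        "ack": bool(word & ACK),
        "next_page": bool(word & NP),
        "reserved_set": bool(word & RESERVED),
    }


def resolve(local_word, partner_word):
    """Work out what the local device ends up with after negotiation."""
    a, b = decode(local_word), decode(partner_word)
    if a["full_duplex"] and b["full_duplex"]:
        duplex = "full"
    elif a["half_duplex"] and b["half_duplex"]:
        duplex = "half"                # downgraded or legacy link
    else:
        duplex = None                  # no common mode: link will not come up
    pause_tx = pause_rx = False
    if duplex == "full":               # PAUSE only applies to full duplex
        if a["pause"] and b["pause"]:
            pause_tx = pause_rx = True                 # symmetric flow control
        elif a["asm_dir"] and b["asm_dir"]:
            pause_rx = a["pause"] and not b["pause"]   # local honours partner's PAUSE
            pause_tx = b["pause"] and not a["pause"]   # local may send PAUSE
    return {"duplex": duplex, "pause_tx": pause_tx, "pause_rx": pause_rx}


def ack_ready(received_words):
    """True once the last three received pages match, ignoring the acknowledge bit."""
    if len(received_words) < 3:
        return False
    last = [w & ~ACK & 0xFFFF for w in received_words[-3:]]
    return last[0] == last[1] == last[2]


if __name__ == "__main__":
    # Constructed pages: local offers FD + both pause bits, partner FD + ASM_DIR only
    print(decode(0x01A0))
    print(resolve(0x01A0, 0x0120))
    print(resolve(0x0060, 0x0040))     # partner is half-duplex only
```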
Autonegotiation Process
[Flow chart: PHY comes up as Slave; Enter slave silent mode; Start wait timer & send 0s; Scan for carrier]
The fast link pulses are identical to the Fast Ethernet pulses. They indicate the type of connection the system is able to use. The highest level for both sides becomes the negotiated transmission characteristic.
Priority  Connection type
1  1000BASE-T full-duplex
2  100BASE-T2 full-duplex
3  100BASE-T2
4  100BASE-TX full-duplex
5  100BASE-T4
6  100BASE-TX
7  10BASE-T full-duplex
8  10BASE-T
Slide Title:
Important Points to Cover:
Autonegotiation Process
Use this flow chart to explain the autonegotiation process and the symbolism of the Master and Slave bits they will see in the Sniffer screens. They will look at this in the exercise, so you can cover it in the slide now and let them discover it in the exercise if you have time for it.
9-11 Reserved 12 13 14 15 0 15
This is very useful when you need to troubleshoot vendor incompatibility issues.
Slide Title:
Important Points to Cover:
New Slide. The bits are listed on the side. You can send multiple pages of information in the process. We see two duplicate pages here. Developer note: I tried very hard to get new Full Duplex and Gigabit traces, but no one came through for me. I asked a couple of different mailing lists and HQ people and there just don't seem to be many floating around. I surely hope to get one showing the autonegotiation process through real work for the next revision!
Slide Title:
Important Points to Cover:
Right-click in the Hex window and select 10 Bit to see the autonegotiation decodes
Slide Title:
Important Points to Cover:
Gigabit Sniffer
Some Advice
Full wire speed transmission can create 125 MB of data every second! That's just too many frames to analyze
Run Monitor applications to gather statistics and narrow in on problem areas
Set capture filters to accept the frames where you see problems
Turn off real-time Expert analysis and view Expert after you stop the capture
Slide Title:
Important Points to Cover:
Some Advice
First of all, the media and connectors will limit the number of mistakes you can make
Then there's autonegotiation
If you have the wrong speed card, the autonegotiation will fail, so you won't get any data at all (and will get a failure to open the adapter message)
If you plug a 10/100 adapter into a full-duplex Fast Ethernet port, you'll just get one side of the conversation
Slide Title:
Important Points to Cover:
The Gigabit Sniffer now has the Sniffer Pro interface. Due to the complexity of the products, it and Full Duplex Ethernet will be covered in detail in a separate High Speed Ethernet class.
The Monitor screens and Expert are the same. The capture panel has a tab for Channel Info that shows counts for each channel. The Summary window shows [A] and [B] to indicate which channel the frame was captured from.
Other Differences
The Dashboard and Capture Panel show counts for each channel
History samples are doubled, one for each channel
Global Statistics shows individual channel statistics and color-coded graphs for each
The Summary window shows [A] and [B] in the status columns to indicate which channel captured the frame
Packet Generator has tabs to set the rate, override addresses and preamble and change the CRC
Slide Title:
Important Points to Cover:
Adapter Memory
144 MB trace buffer memory
72 MB per channel (2)
Configure parameters on the Tools > Options > Gigabit tab
Monitor or Emulation mode Enable Jumbo frames SPAN port connection
Slide Title:
Important Points to Cover:
New Slide. Two on the card, one on the PC. Note there are no choices for uploading since the frames are already in the Sniffer buffer.
The Gigabit Packet Generator has more options than the other Ethernet Sniffers:
The Rate tab allows you to set the Interpacket Delay, Packets per seconds, and Network Utilization
The Address tab allows you to override the source and destination address in several different ways
The Advanced tab (single frames only) choices are: random size packets, set data offsets, include sequence numbers, adjust timestamps and generate certain types of errors.
The Gigabit tab allows you to set the preamble length and change the CRC.
Slide Title:
Important Points to Cover:
New Slide. These two screens adjust how you want to control the buffers and the behavior of the ports. The Define Filter > Gigabit Ethernet tab shows up from Display > Define Filter, but not all of the options are enabled. The Tools > Options > Gigabit tab sets the action of the port. Yes, you can span a gigabit port to the Sniffer. The 8021q-gig.cap trace file shows VLAN information from a spanned gigabit port. Explain the options as shown on the screen caps. Use the Sniffer with the dummy driver to demonstrate these options when needed. There is a good bit of information on the gigabit packet generator in the student notes. Open a trace file, then use Tools > Packet Generator to show these new tabs, choosing both a new frame and buffer option.
Slide Title:
Important Points to Cover:
These notes are based on a conversation with the Gigabit Ethernet people in the University of New Hampshire Interoperability lab.
Summary
In this section, you learned how to:
Differentiate between Gigabit Ethernet standards and cabling
Attach the Gigabit Sniffer to Gigabit networks
Configure Sniffer Pro's gigabit-specific features
Use the Sniffer Pro statistics and decodes to locate areas of concern
Analyze autonegotiation frames to look for incompatibilities and downgraded connection setup
Slide Title:Summary
Important Points to Cover:
Review the section objectives and answer any remaining questions. Wrap up the class. Thank them for coming. Gather student evaluations. Distribute certificates. Make sure the students have deleted their probes and have them Run > Clean to empty the CLASS directories of files they've saved. Make sure that the HUBPORT3 and 4 trace files are removed. Remove demo Sniffer software from rental PCs using the uninstall program on the first installation disk if you have been instructed to do that. Target Time: Day 2 at 5pm
Optional Technologies
Section 9 TNV-202-GUI
09_app_g.DOC
Observing LLC Traffic (new) This section is now called Optional Technologies.
Time:
The LLC section has 2 hours of material in it if a student asks for it. It is not expected you will need to cover this very often.
Contents
Logical Link Control (LLC)
10BASE-5 and 10BASE-2 Ethernet
Exponential Backoff Formula
Transmission Models 1 and 2 Details
The backoff time is an integral random multiple of the Slot Time. 0 is considered by some to be an integer, and some implementations do choose 0 constantly. It is rather rude: some chipsets will see the resulting transmission not as a runt followed by a good frame, but as a single oversize frame, or may not see the good frame at all. This is the basis of some of the accusations of the Sniffer analyzer losing frames. Choosing 0, by the way, assumes that no one else on the net is playing the same rude trick, or that everyone who is playing that trick can sense a new frame at 1.6 instead of 9.6 bit times. It can cause repeated collisions between the same two stations.
LLC was designed by the IEEE 802.2 committee to provide transparent connectivity between any IEEE-compliant LAN physical layer and any upper-layer protocol. It does this by using Service Access Points (SAPs) in the header to address the network layer protocol. Members of the IEEE pushed for more functionality, so 3 types of data exchange were defined. (One more may be coming, according to Radia Perlman in Interconnections, Bridges and Routers.) LLC uses a subclass of the HDLC superset and is classified as BA (Balanced links, Asynchronous balanced mode), with several options on how to use the functional extensions. It acts like HDLC, but is intended for a LAN. It is independent of, yet utilized by, all the various media access protocols defined by the 802 working group.
Objectives
Upon completion of this section, you will be able to:
Explain the three types of LLC connections and when each one is used
Know the purpose of the LLC frames and when they are used
Follow a connection-oriented LLC conversation from setup through data exchange and shutdown
Point to point data integrity
Flow control
Link maintenance
Service access point addressing
Connection oriented or connectionless services
Functions independently of MAC layer
Many of these connection-oriented features of Type II LLC are found in reliable Transport layer protocols like TCP. The IEEE specifications refer to the frames as Protocol Data Units or PDUs.
DSAP: (1 byte) Destination Service Access Point; receiving process at destination
SSAP: (1 byte) Source Service Access Point; sending process in source
Control: (1 byte) Various control information (2 bytes for connection-oriented LLC)
The control field used in type 1 datagrams is always one byte long. The control field can use one or two bytes for LLC type 2.
The control field byte(s) are very complex, with the different types of functions having different bit meanings. No attempt has been made here to delineate all the various frame headers, since the Sniffer analyzer decodes them.
SAPs are a pass-through between any IEEE-compliant physical layer and any upper-layer protocol. 00 is a Null SAP. Its only real use at this time is by IBM, which forces SAP negotiation for connection to 3745s. This is the only SAP initially active on a 3745, so the initial request must be addressed to the Null SAP.
SNAP
Organization Code: (3 bytes) Identifies the vendor or manufacturer. Same as vendor code in MAC layer address. Often 0000 if Upper-Layer Protocol (ULP) did not change.
Type: (2 bytes) Identifies the ULP. Same as Ethertype for protocols that came from the Ethernet environment.
The SNAP field allows version 2 Ethertype fields to be included in IEEE-compliant frames. It also allows vendors to specify their "type" within the SNAP header. The vendor code is usually not supplied when the upper-layer protocol is unchanged to run on SNAP instead of 802.X or Ethernet. For example, you will see that TCP/IP implementations on SNAP do not supply the vendor code. A nifty expression: SNAP allows us to snap Ethertypes into 802.x frames.
LLC Functions
Some protocols use LLC merely as a pass-through header to carry data. All control of the connection is handled by higher layers. The frames are Unnumbered Information frames
Other protocols use the additional functionality that the IEEE provides
LLC connection-oriented service at OSI layer 2 offers many of the data integrity functions we expect to find at OSI layer 4, the transport layer
The primary difference is that LLC deals with point-to-point connections, whereas layer 4 protocols like TCP deal with end-to-end connections
Information frames:
Transport user data and higher-layer protocols
Increment sequence numbers
These frames are identified by bits in the LLC headers. There are many types of fields in LLC frames. Fortunately, the Sniffer Network Analyzer knows all of them and decodes them in the Summary and Detail windows for you, so we will not break them out here.
SABME is used to set up a duplex connection, using a modulo 128 window. UA acknowledges a SABME or DISC message. DISC requests connection termination. DM is transmitted by the receiver of a DISC to let the other side know it has received the DISC. FRMR indicates the receipt of an invalid frame. XID is used only with Type 1. An XID command from the transmitter informs the receiver of the identity of the transmitter and which LLC types the transmitter supports. A response is required to an XID command. It contains the same information as the command. TEST also has command and response frames. The transmitter can send this to see if the recipient can receive and return a packet. Data can be included that the recipient must return in the response frame. Unnumbered Information frames are used for connection control and to carry unsequenced data.
Receive Ready is an acknowledgment frame. It contains a sequence number of the frame it is next expecting to receive and indicates the receiver is ready to receive more data. Receive Not Ready is an acknowledgment for previously received frames. The Next expect to Receive sequence number (NR) is included in the RNR frame. It also indicates that the receiver is temporarily busy and further frames should not be transmitted until the busy station sends a receive ready frame. REJect frames are sent when the receiver is requesting retransmission of frames. The REJ frame includes the sequence number of the next frame it expects. LLC rejects only once. If it doesn't get an ACK, it starts polling with RRs. Information frames are sequence numbered data frames.
LLC rejects only once. When it doesn't get an ACK, it starts polling with Receiver Ready. (Hello? Are you still there?)
LLC Information Frame: Connection oriented only. I, Information, Command/Response. These carry the data and acknowledgments. This is a building block for looking at the Sniffer analyzer displays.
No connection establishment is required. Type 1 supports point-to-point, multicast and broadcast communications. Messages are not sequenced. No flow control is provided. Delivery is not guaranteed. There is no retransmission on error. Sequential delivery is not guaranteed. Type 1 service is unreliable, but this is not a problem as long as an upper-layer protocol can recover from the error. Higher layers are responsible for flow control, error recovery and reliability. Three types of frames are supported: Unnumbered Information (UI), Exchange Identification (XID), and TEST. The control byte indicates the frame type.
Like making a telephone call: The end-to-end connection is set up before your conversation begins, then torn down when you hang up
Type 2 is very similar to HDLC. Connection establishment and termination are required. Type 2 service provides a sequenced, acknowledged delivery of data. Each side of the connection maintains independent sequence numbers. Acknowledgments can be sent in separate frames or can be piggy-backed onto data frames, making it capable of very efficient use of the wire. Error recovery processes are available. Type 2 uses sliding window flow control (modulo 128). Example: Sessions between IBM LAN Manager and IBM bridges make use of this connection type when they're talking to each other. Type 2 frames can use one or two byte control fields. Frames with a one byte control field are: Set Asynchronous Balanced Mode Extended (SABME), DISConnect, Disconnected Mode, Frame Reject (FRMR) and Unnumbered Acknowledgment (UA). Frames with a two byte control field are: Information, Receive Ready, Receiver Not Ready and REJect.
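The one-byte and two-byte control fields listed above can be told apart from the low bits of the first control byte. The decoder below is an added example, not part of the original course material or of the Sniffer software; its function names and the constructed sample bytes are the example's own, and the bit layout used is the standard IEEE 802.2 encoding.

```python
from dataclasses import dataclass
from typing import Optional

# U-format (one-byte) control values with the Poll/Final bit (0x10) cleared.
U_FRAMES = {0x03: "UI", 0x0F: "DM", 0x43: "DISC", 0x63: "UA",
            0x6F: "SABME", 0x87: "FRMR", 0xAF: "XID", 0xE3: "TEST"}
# S-format first control byte (low nibble); the second byte carries N(R).
S_FRAMES = {0x01: "RR", 0x05: "RNR", 0x09: "REJ"}


@dataclass
class LLCHeader:
    dsap: int                      # destination SAP as it appears on the wire
    ssap: int                      # source SAP with the command/response bit removed
    response: bool                 # low bit of the SSAP byte: 1 = response, 0 = command
    kind: str                      # I, RR, RNR, REJ, UI, SABME, ...
    poll_final: bool               # Poll in a command, Final in a response
    ns: Optional[int] = None       # send sequence number (I frames only)
    nr: Optional[int] = None       # next-expected sequence number (I and S frames)
    oui: Optional[bytes] = None    # SNAP organization code, if present
    ethertype: Optional[int] = None
    length: int = 3                # header bytes consumed


def decode_llc(data: bytes) -> LLCHeader:
    """Decode DSAP, SSAP and a one- or two-byte control field, plus SNAP if present."""
    if len(data) < 3:
        raise ValueError("truncated LLC header")
    dsap, ssap_byte, c0 = data[0], data[1], data[2]
    response = bool(ssap_byte & 0x01)
    ssap = ssap_byte & 0xFE
    if (c0 & 0x03) == 0x03:                      # U format: one control byte
        kind = U_FRAMES.get(c0 & 0xEF, "U-unknown")
        hdr = LLCHeader(dsap, ssap, response, kind, bool(c0 & 0x10))
        if kind == "UI" and dsap == 0xAA and ssap == 0xAA:
            if len(data) < 8:
                raise ValueError("truncated SNAP header")
            hdr.oui = data[3:6]
            hdr.ethertype = int.from_bytes(data[6:8], "big")
            hdr.length = 8
        return hdr
    if len(data) < 4:
        raise ValueError("truncated two-byte control field")
    c1 = data[3]
    poll_final, nr = bool(c1 & 0x01), c1 >> 1    # N(R) is 7 bits: modulo 128
    if (c0 & 0x01) == 0:                         # I format: N(S) in the first byte
        return LLCHeader(dsap, ssap, response, "I", poll_final,
                         ns=c0 >> 1, nr=nr, length=4)
    kind = S_FRAMES.get(c0 & 0x0F, "S-unknown")  # S format: RR, RNR or REJ
    return LLCHeader(dsap, ssap, response, kind, poll_final, nr=nr, length=4)


def summary(h: LLCHeader) -> str:
    """One-line summary in the style of the LLC lines quoted in these notes."""
    parts = ["LLC", "R" if h.response else "C",
             f"D={h.dsap:02X}", f"S={h.ssap:02X}", h.kind]
    if h.nr is not None:
        parts.append(f"NR={h.nr}")
    if h.ns is not None:
        parts.append(f"NS={h.ns}")
    if h.poll_final:
        parts.append("F" if h.response else "P")
    if h.ethertype is not None:
        parts.append(f"SNAP OUI={h.oui.hex().upper()} Type={h.ethertype:04X}")
    return " ".join(parts)


# Constructed sample headers (not taken from any course trace file).
SAMPLES = {
    "rr_response": bytes.fromhex("f0f10101"),        # NetBIOS SAP, RR, Final set
    "i_command": bytes.fromhex("f0f00000"),          # NetBIOS SAP, I frame 0
    "sabme_poll": bytes.fromhex("f0f07f"),           # connection setup, Poll set
    "snap_ip": bytes.fromhex("aaaa030000000800"),    # SNAP with no vendor code
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:12} {summary(decode_llc(raw))}")
```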
Some upper-layer applications will send TEST frames to make sure both sides can communicate. They may follow with one or two pairs of XID frames to negotiate the type of connection both can support. The first frame that establishes the connection is the SABME. You can do a Search for text on SABME to find the first instance of a connection being set up. Once the connection is made, the data will be sequenced and acknowledged. The Poll bit, when set to a 1, forces the other side to respond. The Final bit is set to a 1 in the response frame.
So what is the difference between a REJect and a DISConnect? A REJect is sent when a problem occurs. The two sides will attempt to get resynchronized. If that fails, they will DISConnect. You can look for this by doing a Search for text on REJ, then follow through to see if they were able to roll back to a point where they can move forward again. A DISC is the normal conclusion of a connection. The first side will send the DISC when it has completed its work. The other side responds with the Disconnect Mode, indicating it is finished, too. A DISC will also be used when one of the two stations determines that the efforts to resolve a problem are fruitless and it needs to shut the connection down. Upper-layer protocols will determine whether a new attempt is made to open a new connection.
DISC is used to shut down a connection for either a normal End of Operation or upon the failure of a resynchronization effort. REJ does not end the conversation. It is sent when a problem is encountered. Attempts are made to back up to a point where sequence numbers can be synchronized. The data exchange will restart if synchronization is achieved; if not, then a DISC will be sent to close the connection. * This is according to the IEEE802.3 specification.
of an unsolicited Final (F) bit set to one
of an unexpected UA
of an unsupported frame type
of an I frame that exceeds the established maximum
of an invalid receive sequence number N(R)
of an invalid send sequence number N(S)
Upon receipt of an FRMR a station should: Send a SABME or DISC. Upon receipt of a REJ a station should: Send the corresponding I frame as soon as it is available. Resend any unacknowledged I frames. Behavior upon receipt of an invalid send sequence number varies: If the data is within the receive window, then an REJ should be sent. If the data is not within the receive window, then a FRMR should be sent. The receive window size can be specified in an XID frame. In the real world, we see more REJs than FRMRs. REJ is preferable because the session doesn't need to be re-established.
Connectionless service
Guaranteed in-sequence delivery of data
Uses stop and wait flow control
Like a conversation where one side is saying "Uh huh", "Yes", "I see"
LLC Type 3 was developed primarily for process control applications over a token bus, so it is very seldom seen today.
From Server
LLC R D=F0 S=F0 RR NR=0 F
  Response
  D=F0  Destination Service Access Point = F0 (NetBIOS)
  S=F0  Source Service Access Point = F0 (NetBIOS)
  RR    Receive Ready
  NR=0  Frame Number Server expects to receive is 0
  Final bit is on: Response to Workstation's Poll
From Workstation
LLC C D=F0 S=F0 I NR=0 NS=0
  Command
  D=F0  Destination Service Access Point = F0 (NetBIOS)
  S=F0  Source Service Access Point = F0 (NetBIOS)
  Information frame: Higher layer data is included
  NR=0  Workstation is still expecting to receive frame 0 next
  NS=0  Workstation is sending frame number 0
The easiest way to view LLC conversations is to set up a Station address filter for the two communicating stations. Then turn on Two station format in the Summary window. The top line is what you would see in the Summary window. In the first two frames, we see both ends of the logical connection advertise the sequence numbered frame they expect to receive next (NR = Receive sequence Number). These are also the initial frames. In the third frame, the workstation issues the sequence numbered Information frame the server expects (NS = Send sequence Number). In the fourth frame, the server both acknowledges the workstation's frame by specifying the next frame it expects to receive (NR), and also sends the frame the workstation asked for earlier (NS).
Here we see a graphical representation of the first 4 frames. We are also witnessing a window of 1 because each I(nformation) frame is ACKnowledged before the next is issued. If we assume that the piggybacking of an I frame onto the ACK continues, we will see frames 5 and 6. The server expands its window to 3, so we see 3 sequenced I frames (NS=1,2,3) starting in frame 6 to frame 8, with the subsequent ACK (NR=4) by the workstation in frame 9. Many times, upper-layer protocols start their sessions by setting up an LLC connection first, then you can watch the middle layer set up connections until the highest layer protocol establishes its connection. You may want to set a protocol filter so you see just the LLC layer, or you may choose to enable All layers so you can see the progression of the connections being established at each layer. LLC can be set to efficiently use the wire. Data can be piggybacked on the ACK frame from the server.
As you explain this, use the terms Now sending and Next expect to receive to help them make the link between the NS and the NR. This slide has a build that will display one line per click.
Frames 1 and 2 are the Receive Ready setup: each side tells the other their first sequence number will be 0.
Frame 3: Workstation Now sending number 0, next expects to receive 0.
Frame 4: Server Now sending number 0, next expects to receive 1. (In other words, I'm acknowledging I got frame 0.)
Frame 5: Workstation now sending frame 1, next expects to receive frame 1 (acknowledges frame 0).
Frame 6: Server now sending frame 1, next expects to receive frame 2 (acknowledges frame 1).
Frames 7-8: Server sends frames 2-3.
Frame 9: Workstation acknowledges frames 1 through 3 by saying I next expect 4.
Question: If frame 7 (NS=2) becomes lost or is damaged and the workstation receives frames 6 and 8 (NS=1 and NS=3), which frame will the workstation ACK (NR=?)?
Answer: The workstation will ACK 2 (NR=2).
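The question above can be checked with a small model of a Type 2 receiver. This is an added example, not part of the original course material; it follows the reject-once rule and the REJ/FRMR window rule as these notes state them, and the class name, function names and the window size of 3 are assumptions of the example.

```python
MODULUS = 128  # Type 2 sequence numbers wrap modulo 128


class Type2Receiver:
    """Receive side of one LLC Type 2 connection (sequence handling only)."""

    def __init__(self, window, vr=0):
        self.window = window        # receive window size (assumed; can be set via XID)
        self.vr = vr % MODULUS      # next N(S) this station expects to receive
        self.rej_sent = False       # a REJ is outstanding: do not reject twice
        self.delivered = []         # N(S) values handed to the upper layer, in order

    def on_i_frame(self, ns):
        """Process an I frame; return (frame type, N(R)) to send, or None to stay silent."""
        if ns == self.vr:
            # In sequence: deliver it and advertise the next expected number.
            self.delivered.append(ns)
            self.vr = (self.vr + 1) % MODULUS
            self.rej_sent = False
            return ("RR", self.vr)
        ahead = (ns - self.vr) % MODULUS
        if ahead < self.window:
            # Inside the receive window but not the expected frame: a frame was lost.
            if self.rej_sent:
                return None         # already rejected once; discard and wait
            self.rej_sent = True
            return ("REJ", self.vr)
        # Outside the receive window: the notes call for a Frame Reject.
        return ("FRMR", self.vr)


def replay(ns_sequence, window=3, vr=0):
    """Feed a list of received N(S) values to a fresh receiver; return its responses."""
    rx = Type2Receiver(window, vr)
    return [rx.on_i_frame(ns) for ns in ns_sequence]


if __name__ == "__main__":
    # The workstation already holds frame 0, so it expects 1 next (vr=1).
    # Frame 7 (NS=2) is lost: only NS=1 and NS=3 arrive, then the server resends 2 and 3.
    for ns, reply in zip([1, 3, 2, 3], replay([1, 3, 2, 3], window=3, vr=1)):
        print(f"received NS={ns} -> {reply}")
```

A real station may acknowledge several frames with one RR or piggyback N(R) on its own I frame, as frame 9 in the walk-through does; the model answers each frame separately so every N(R) value is visible.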
LLC is usually very reliable
When problems happen, the most common reasons are:
Connection reset
Unsupported LLC frame types
Flow control lockup
Frame sequence retransmission
Excessive length information field
Expired timers
Expired counters
Connections get reset when one side stops responding or stops sending correctly sequenced frames. We will see an example in the exercise. Unsupported LLC frame types and excessive length information fields shouldn't happen if the implementation follows the LLC specification. Flow control lockup happens when a station continually sends Receive Not Ready due to lack of buffers or other resource problems. Retransmissions may be happening because the sender's timer isn't set correctly, and the sender isn't waiting long enough for acknowledgment. Counters refer to how many times a station will retransmit. Timers and counters are configurable.
[Figure: 10BASE-T hub, repeater and 10BASE2 Thin Ethernet segment, with Network Interface Cards (NICs), 50 ohm terminators and ground]
Transceiver: Used to physically and electrically attach DTE equipment to the network. Transceivers sense carrier and detect collisions. If a collision occurs, the transceiver notifies the adapter by outputting a voltage on the collision present circuit. V2 Ethernet added SQE. The Transceiver notifies the adapter during the interframe gap time that it is capable of informing the adapter if a collision occurs. With 802.3 specs, a transceiver provided a jabber latch. There are three versions: Version 1 used with the early Ethernet specification, Version 2 Ethernet (Heartbeat added), and IEEE 802.3 version (changes to the AUI wiring). A transceiver can be built into the Network Interface Controller (Card). This is used in 10BASE-T and 10BASE2. A fourth type of transceiver is the Fiber Optic transceiver. Repeaters: Used to extend the cable segment beyond the maximum segment distance for the topology used. Repeaters are also used when changing from one media type to another (that is, from thick to thin Ethernet).
[Figure: coax cable segment with transceiver and 50 ohm terminator]
Maximum segment length = 500 meters
Each end terminated with 50 ohm terminators
Maximum number of attachments per segment = 100
Maximum length of AUI cable = 50 meters*
Minimum separation between attachments = 2.5 meters
2.5m minimum separation makes sure that signal reflections, when they occur (that is, the cable is unterminated), do not add up in phase, which would probably blow the transceiver. The 500 meter segment does not need to be made from a single length of cable. Cable sections can be joined together using "N" type barrel connectors. The IEEE 802.3 specification recommends the following when splicing thick cable:
1. Use cable sections from the same manufacturer and cable lot number, to avoid impedance mismatch and other problems.
2. To minimize signal reflection problems, use segments that are lengths of 23.4m, 70.2m, and 117m. Since these lengths are odd integral multiples of a half wavelength in the cable at 5 MHz, reflections do not have a high probability of adding in phase. (A 5MHz signal is achieved when the transceiver is outputting only alternating ones and zeros, as it does with the preamble.)
*The maximum length of the AUI cables refers to the transmission model one, which we will discuss later.
10BASE5 Components
[Figure: 10BASE5 components: thick coax cable, transceivers, AUI cables, terminal server, multi-port transceiver, multi-port repeater, 50 ohm terminators (one to ground)]
A terminal server could be used to support RS-232 connected ASCII "dumb" terminals to the Ethernet. CSMA/CD is done in the terminal server. The Multi-Port Transceiver is also known as a Fan Out box, Delni, or a multi-tap. It is a dumb wiring concentrator that connects multiple workstations using a single tap in the thick Ethernet cable. CSMA/CD is done by the end stations.
SQE is used to test the collision presence circuit
After successfully transmitting data, the Transceiver asserts the SQE signal on the collision presence circuit
When the Network Interface Card sees the SQE signal asserted, it knows the Transceiver can inform the Network Interface Card when a collision does occur
Not supported by Ethernet Version 1 equipment
Turn off SQE on a transceiver attached to an AUI port on a repeater or repeating hub
Transceivers that are integral to the NIC do not require SQE to test the AUI link between NIC and transceiver: the link is hard-wired
From 802.3: "At the conclusion of the output function, the Data Terminal Equipment opens a time window during which it expects to see the SQE signal asserted on the Control In (collision presence) circuit. The time window begins when CARRIER_STATUS becomes CARRIER_OFF. The duration of the window shall be at least 4.0 microseconds but no more than 8.0 microseconds. During the window, the Carrier Sense Function is inhibited." SQE should be turned off on transceivers connected to repeaters because a repeater can't be inhibited for 4.0 microseconds. It may receive bits on its other port and need to send them. Most people just turn SQE off because it causes confusion when counting collisions. Some transceivers and network management tools will count the SQE test as a collision (for example, the Collision LED may be lit when the SQE test is asserted).
[Figure: one collision event observed by Sniffer Pro 1, Sniffer Pro 2 and Sniffer Pro 3; labels: transmitting station, 2nd station, repeaters R1, R2 and R3, 50m AUI cables, 450 m, 800 m Fiber Link, point of collision]
Evidence of collision will arrive at station A ______ bytes into station A's transmission
Once you understand the concepts of signal propagation delay, you can begin to apply them to perform more precise analysis of the collision frames you find in your Sniffer Pro analyzer traces. As shown in the diagram above, what you will see in the trace will depend upon: 1) The point of collision. 2) The location of the Sniffer Pro analyzer relative to the collision point. The diagram shows one collision event. However, each of the three Sniffer Pro analyzers will show different indications of the event. This fact is key to effective troubleshooting.
All components are given in terms of their equivalent lengths in Thicknet coax:
R1 = 231 m (10 bit times)
R2 and R3 pair = 231 m
50 m AUI segment = 59 m
800 m fiber segment = 933 m
Total equivalent Thicknet distance between points A & B
Maximum segment length = 185 meters
Maximum number of attachments per segment = 30
Minimum separation between stations = .5 meters
Thin Ethernet, at 0.18 inches in diameter, is also known as Cheapernet. T connectors must be right at the network interface card. Adding additional cable to go from the T to a network interface card is not permitted, though people do it. This will suffice if you're not approaching length limitations, though the signal will attenuate. The problem with this solution is that most people forget to count it in their length considerations.
Again, focus on the termination rules. Mention the drawing in their notes section.
BackoffTime = RandomNumber multiplied by SlotTime
SlotTime = time to propagate 512 bits (i.e., 51.2 microseconds)
RandomNumber is greater than or equal to 0 and less than 2^n
n = number of times it has tried for first 10 times or n = 10 for the 11th through 16th try
After 16 tries, report error to the upper-layer protocol
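The formula above, together with the earlier note about implementations that always choose 0, worked through as an added example that is not part of the original course material. Equal draws are treated as another collision, which is a simplification, and every name in the code is the example's own.

```python
import random

SLOT_BITS = 512       # SlotTime in bit times (51.2 microseconds at 10 Mb/s)
BACKOFF_LIMIT = 10    # the exponent n stops growing after the 10th try
ATTEMPT_LIMIT = 16    # after 16 tries the error goes to the upper-layer protocol


class ExcessiveCollisions(Exception):
    """Raised when a frame is still colliding after ATTEMPT_LIMIT tries."""


def backoff_range(attempt):
    """Number of values RandomNumber can take on this try: 0 <= r < 2**n."""
    if not 1 <= attempt <= ATTEMPT_LIMIT:
        raise ValueError("attempt must be between 1 and 16")
    return 2 ** min(attempt, BACKOFF_LIMIT)


def max_backoff_bits(attempt):
    """Longest possible BackoffTime on this try, in bit times."""
    return (backoff_range(attempt) - 1) * SLOT_BITS


def compliant(attempt, rng):
    """A station that draws RandomNumber uniformly, as the formula requires."""
    return rng.randrange(backoff_range(attempt))


def always_zero(attempt, rng):
    """A station whose implementation constantly chooses 0."""
    return 0


def contend(policy_a, policy_b, rng=None):
    """Two stations have just collided. Return (winner, tries) once one goes first.

    Each policy is called as policy(attempt, rng) and returns a slot count.
    Equal draws mean both retransmit in the same slot and collide again.
    """
    rng = rng or random.Random()
    for attempt in range(1, ATTEMPT_LIMIT + 1):
        a = policy_a(attempt, rng)
        b = policy_b(attempt, rng)
        if a != b:
            return ("A" if a < b else "B", attempt)
    raise ExcessiveCollisions("still colliding after 16 tries")


def win_rate(policy_a, policy_b, trials, seed):
    """Fraction of contentions in which station A transmits first."""
    rng = random.Random(seed)
    wins = sum(contend(policy_a, policy_b, rng)[0] == "A" for _ in range(trials))
    return wins / trials


if __name__ == "__main__":
    for n in (1, 2, 3, 10, 16):
        print(f"try {n:2}: r < {backoff_range(n):4}, "
              f"max backoff {max_backoff_bits(n) / 10:.1f} microseconds")
    print("compliant vs compliant:", win_rate(compliant, compliant, 2000, seed=1))
    print("always-0  vs compliant:", win_rate(always_zero, compliant, 2000, seed=1))
    try:
        contend(always_zero, always_zero)
    except ExcessiveCollisions as exc:
        print("always-0  vs always-0 :", exc)
```

In a trace, the first pairing shows both stations sharing the wire, the second shows one station winning every contention, and the third is the repeated collision between the same two stations that the notes describe.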
There are two methods, or transmission models, for calculating the round-trip collision delay (i.e., maximum copper and fiber lengths), according to the standard
Model 1 closely follows the 5-4-3 rule
Model 2 assigns a value to each type and length of copper or fiber media, which corresponds to a worst-case round-trip delay for the Ethernet signal
The new standards allow you to mix media types in your networks. More details on these specifications are in the appendix.
Model two is more cumbersome than model 1, but has the advantage of extending the topology farther. It also more accurately reflects the types of distances found in real networks.
Transmission Model 1
Closely matches the traditional 5-4-3 rule of traditional Ethernet networks
FOIRL, 10baseFL, 10baseFB and 10baseFP links are included
AUI cables, if used, are restricted to 25 meters in length
The maximum allowable length of any inter-repeater fiber segment is restricted to 1000 meters (FOIRL, FL, and FB)
If all five segments are present, the maximum length of any fiber segment shall not exceed 500 meters
The maximum length for a fiber hub-to-station (repeater-to-DTE) drop is 400 meters in an Ethernet network that also contains a 1000-meter link segment
If fiber link segments are held to 500 meters, the maximum fiber hub-to-station drop is increased to 500 meters
Since no vendors are known to manufacture to 10baseFP standards, we will not consider 10baseFP in this course.
FOIRL = Fiber Optic Repeater Link
FP = Fiber Passive
FL = Fiber Link (replaces FOIRL)
FB = Specification for fiber with lower repeater delay that allows for longer length
Most similar to 5-4-3. AUI cables 25 meters maximum. Maximum interrepeater fiber cable is 1000 meters, but if 5 are used, then the maximum of each is reduced to 500 meters. Add diagram here.
Starting from the point of highest variability in your network (call it the left end), calculate the length of each segment across repeaters to the farthest station on the network (called the right end)
Add the individual segment values to arrive at a total Path Delay Value, or PDV
The total should not exceed 572 bit times
The number of repeaters on any path may exceed the Model 1 limit of four
Delay A
Delay E
The standards add an additional value of 5 to the Path Delay Value for a margin of error.
Calculations are made using two types of variables: Path Delay Values and Interpacket Gap Shrinkage. We'll cover the first one here and the second one on the next slide.
Tables have been established that set delay for segments. Delay values reflect the media type and repeater. Total delay of A + B + C + D + E must be less than 572. There may be no more than four repeaters.
Transmission Model 2
The calculation is made by adding the path variability values (or PVV) for each segment across repeaters that the signal must pass
The total value must not exceed 49 bit times
PvvA
PvvB
PvvC
PvvD
The starting point is called the transmitting end, the center segments are called mid-segments. The far end (receive end) across the last repeater is not taken into consideration. We will be using a network diagram in the next exercise to determine if it passes the model 1 or 2 requirements.
Here is part two. Repeaters shrink the interpacket gap as they regenerate the preambles. Each successive repeater shortens it more. This calculation is the deciding factor in how many repeaters can be in a segment.
[Figure: maximum-length topology with repeaters; labels: 500 m 10Base5 or 185 m 10Base2 coax links, 100 m 10BaseT or 500 m 10BaseFL link, coax cable segments, fiber optic link, AUI cables]
The fiber link is called FOIRL (Fiber Optic Inter-repeater Link). You'll often hear the maximum distance between two stations on an Ethernet network is 2.8 kilometers. That number is derived by drawing the topology shown above. The 2.8 kilometers limit is mentioned in the Ethernet Version 2 Blue Book specification. It is not mentioned in 802.3. (802.3 has the picture from the previous page.) Note: the Ethernet maximum distance specification does abide by the newer 802.3 specification: the 2.8 Km limit is a special case of the general rules.
Here is a graphic representation of allowable cable lengths for various types of media.
This is the first of two diagrams showing different allowed maximum path configurations. These diagrams are modified from the diagrams in section 13 of the 802.3 spec. The 10Base FP sections were replaced with FL or T since FP is not used in current networks. The slide is complete.
This is the second two of four diagrams showing different allowed maximum path configurations. The slide is complete.
Helpful Information
Helpful Information
List of Known Ethertypes
Ethernet Frame Type References
An explanation of the Analyzing Coax Collisions diagrams in the appendix
Recommended Reading List
Helpful WWW Links
Network Layer Spanning Tree Bridge Management Manufacturing Message Service X.25 over 802.2 Type 2 LLC
Active station list maintenance Address Resolution Protocol (ARP) Subnetwork Access Protocol Network Layer Routing
Individual Group Remote Program Load (RPL) Network Layer Protocol Global LSAP
PUP PUP VIP IP Simnet PCS Basic BI Simnet MOP MOP Phase IV DRP LAT
Trailer Negotiation Trailer Block Encapsulation Valid System Protocol Private Unassigned Dump Load Assistance Remote Console Routing Local Area Transport Diagnostics User Protocol System Communication Architecture Unassigned Download
UB Xerox Xerox Banyan Berkely Berkley BBN BBN DEC DEC DEC DEC DEC DEC DEC DEC DEC 3Com UB UB UB LRT Proteon Caletrom
LAVC
NIU BootDiagLoop
Ethertype 8003 8004 8005 8006 8008 8010 8013 8014 8015 8016 8019 802E 802F 8035 8036 8038 8039 803A 803B 803C 803D 803E 803F 8040 8041 8042 8044 8046-8047 8049 805B 805C 805D 8060 8062 8065-8066 8067 8068 8069 806A 806C 806D 806E-8077
Protocol VLN Direct Probe Protocol Local Use AT&T Diagnostics Network Games
Purpose
LAST
Unassigned Encryption Time Service LAN Traffic Monitor NetBIOS Emulator Local Area System Transport Future Use
Integrated Automation
Graphics
Organization Chronus Chronus HP Nestar Stanford Excelan SGI SGI SGI Stanford HP Apollo Tymeshare Tigan, Inc DOD Aenoic Systems DEC DEC DEC DEC DEC DEC DEC DEC DEC DEC DEC Plan Res Co AT&T Expert Data Stanford Stanford Evans & Suther Lt Machines Counterpoint Univ of Mass Veeco General Dynamics AT&T Autophon ComDesign Compugraphic Landmark
Ethertype 807A 807B 807C 807D-807F 8080 8081-8083 8088-808A 809B 809C-809E 809F 80A3 80A4--80B3 80C0-80C3 80C6 80C7 80C8-80CC 80CD-80CE 80CF-80D3 80D4 80D5 80DD 80DE 80DF 80E0-80E3 80E4-80F0 80F2 80F3 80F4-80F5 80F7 80FF-8103 8107-8109 8130 8131 8137-8138 8139-813D 9000 9001 9002 9003 FF00
Purpose
Ether-Talk
Organization Matra Dansk Merti Vitalink Vitalink Counterpoint Xyplex Kinetics Datability Spider Nixdorf Seimans DCA Pacer Software Applitek Corp Intergraph Inc Harris/3M Taylor Rosemont IBM Varian Integrated Systems Integrated Systems Allen Bradley Datability Retix Apple Shiva HP Apollo Wellfleet Symbolics Waterloo VG Labs Novell KTI DEC Xerox 3Com 3Com BBN
[Figure: frame format diagram; field lengths in bytes: 6, 6, 2, 1, 1, 42 to 1497, 4; labels: LLC, SNAP]
Instructor Exercises
________________________________________________
Table of Contents
Exercise Section 1: Which Frames Are on the Network?
Exercise Section 1: Isolating Frame Types with Pattern Matching (Optional)
Exercise Section 1: A Surprise at 23:00 (Optional)
Exercise Section 2: Comparing Ethernet Data
Exercise Section 3: Cable Specifications
Exercise Section 4: Hubports
Exercise Section 4: More Problems
Exercise Section 4: Test Your Skill
Exercise Section 4: Errors
Exercise Section 4: Evaluating Hub Jams
Exercise Section 4: Ethernet Physical Errors (Optional)
Exercise Section 5: Short Circuited Bridges
Exercise Section 5: Busy Jam
Exercise Section 5: Switch Traffic (Optional)
Exercise Section 6: Fast Ethernet Troubleshooting and Back Pressure
Exercise Section 6: Fast Ethernet Problems
Exercise Section 6: 10/100 Hubs
Exercise Section 8: Gigabit Traffic
Exercise Section 9: Observing LLC
A word of explanation about the formatting of the exercises

Choices you need to make in the menus or configuration windows are in bold. When you are navigating through a series of steps, they have been shortened and separated with a right arrow. Example: "Pull down the Monitor menu, choose Select Filter, click Select Filter" becomes "Use Monitor > Select Filter > Select Filter". As you work through the exercises, you will be opening a series of windows. When asked to close many of them, Sniffer Pro will ask if you want to save them. Do not save the data unless specifically instructed to save the data.
There are more exercises here than can be done in the allotted class time. The instructor will choose exercises that meet the needs of the majority of the students in each class. All of the trace files needed for these exercises are on the CD in your class manual. You may wish to work on these independently if you finish your exercises early or do them outside of class time.
4.0-OCT2000
Procedure:
1. Configure the analyzer then open the file:
a. Create a new Agent for this class called "TNV202": File > Select Settings... > New. Name it TNV202 and choose the 10/100 Ethernet adapter. Don't copy any settings. Click OK twice.
b. Use Display > Display Setup > General to enable the Expert and Post Analysis tabs. (They may already be enabled.) Click OK.
c. Set the agent to loopback with File > Loopback Mode.
d. Open the file C:\202GUI\Mixed_01.cap.
2. From the Expert click on DLC layer Objects. There should be 35. The frame types for each object (adapter) are shown in the Expert Detail panel on the lower right. Hint: on the Expert Summary screen, identify the separator bar on the right. If you drag that up, you'll see the Objects listed in the upper right; highlighting each in the top right shows its details in the lower right panel. Click the arrow on the top of the upper left window to enlarge the right windows.
[Figure callouts: Separator bar, Expert Detail panel]
3. Observe the frame types shown for each adapter. How many different frame types (other than broadcast and multicast) are shown? Just 2 types, 802.3 and Ethertype. There are actually 3 frame types in this trace file: one standard 802.3 frame with the LLC header and 10 Raw Ethernet frames. Unfortunately, the Expert doesn't distinguish between them.
4. Display the Decode windows and click the Monitor's Protocol Distribution icon. We'll use this tool to determine the protocols on the network and their distribution. We'll need to generate the trace file once to see the protocols. Right-click over the Decode window and choose Send Current Buffer and click OK to send the buffer 1 time.
5. Fill in the table on the next page as you answer the questions from the Protocol Distribution view when the entire trace has been sent (wait until the counter on the lower right goes blank).
a. With the MAC layer and Table view selected, which protocols are listed and how many frames were sent for each protocol?
b. Look at the Pie Chart view and note the percentages of each protocol shown by clicking on each slice (or look at the Bar Graph view and click on each bar to see the stats).

Protocol   Frames   Percent
DECnet     35       45.45%
IP         27       35.06%
IPX        10       12.99%
IP_ARP     1        1.30%
LAT        1        1.30%
Others     3        3.90%
You may want to mention that LAT is a part of DECnet, so the total is 36 packets and 46.75%.
6. Close the Protocol Distribution window. From the Decode display, we can get a quick summary of frame types by using Display > Display Setup. On the Summary Display tab, exclude All protocols in the lower window, and then click on Ethernet to enable it. You now see which frames are version 2, but no differentiation is made between the rest. Highlight the non-Ethertype frames, then look in the Detail panel and note the frame types you see. Most are raw, but frame 75 is 802.3 with the LLC header. There are no SNAP frames.
7. To see which station is using each protocol, click the Matrix tab.
a. With the Traffic Map showing the MAC layer, click off all protocols except Other. Ctrl click to select all those end station addresses with Other traffic, then press the Visual filter icon to display only these frames. How many frames did you get? What frame type(s) are they using? 2
Stations HP1 012BB4 and 090009012BB4 (multicast) are using 802.3 frames with the LLC header (SAP FC); stations DECnet 00C8CC and broadcast are using version 2 frames (Ethertype 0804 for Chaosnet).
b. Click back on the Matrix tab (this still reflects the original trace file with all the frames). Now enable only the IPX stations in the Matrix Traffic Map view. Ctrl click on each IPX address to select all of them, then press the Visual filter icon and display the frames. How many frames are there? 10 Does this agree with the number you noted in the chart above? Yes Does the frame type match what you anticipated it would? Yes, they are raw frames, typical of NetWare frames
c. We'll use a similar process to determine the frame types the DECnet stations are using. Click the Matrix tab. Enable only DECnet on the MAC layer of the Traffic Map. Looking at the pattern of the frames on the traffic map, what do you observe? Almost all of the traffic is to and from the level one router. Only two stations are talking to each other.
CTRL click to select all DECnet addresses, then filter them into a new window. How many frames do you have? 35 Use Display > Display Setup > Summary Display to exclude none of the protocols. What information is being sent? Most are Router hellos, end node hellos and route advertisements. Only one (frame 40) carries NSP data between 51.4 and 51.30. What frame type does DECnet use? Version 2.
d. Last, let's look at the IP traffic. We'll use a protocol filter to see those frames. Start with the Decode tab with 77 frames (this is the original unfiltered trace file).
e. Right click over the Summary window, choose Define Filter, then create a new profile called IP using Profiles > New > name = IP, copy the Default filter. Click OK, then Done.
f. Now click the Advanced tab and enable only the IP and IP ARP protocols, click OK.
g. Right click over the Summary window and use Select filter to choose the IP filter. How many frames did you get in the new window? 28 What version frames are they? Version 2.
This is a fairly quick way of seeing what frames are on your network. The traffic map is especially useful to see IP local router situations. If you see a lot of frames going to a router when they should stay local, you need to look for local router diagnoses in the Expert. In a NetWare environment, you normally see most of the client traffic going to the servers, since it is a client-server environment. If you see a lot of traffic between servers, investigate to see if a server is being used to forward frames that are not compatible with the intended server's configuration. If you are migrating from an IPX-based network to NetWare 5 on IP and are using an intermediate server to forward the frames to the new server, this is a normal phenomenon. This should be an interim short-term solution, since the traffic is doubled with that configuration.
8. Close the window. Do not go on to the next exercise.
Procedure:
1. You can also use pattern match filtering to eliminate frames based on data patterns. We'll repeat this process until you have filtered most frame types present on the network. When the frames you want to exclude are gone, you will see what remains. Exit the Sniffer application, then start it again so your filtered tabs start at 1. Open the file C:\202GUI\Mixed_01.cap.
2. Which frame format is being used in Frame 1? Ethernet Version 2
3. Eliminate all frames using the Ethertype in Frame 1. We'll start a new profile and configure a hexadecimal pattern match display filter. Highlight frame 1.
a. Look at the DLC header in the Detail window and note the Ethertype here: 6003
b. Use Display > Define Filter. Click Profiles > New and name it Pattern Match.
c. Copy Existing Profile = Default.
d. Click OK > Done.
e. Click the Data Pattern tab, click Add NOT, then Add Pattern (This window opens).
f. Make sure Pkt: 1 is displayed (if not, use the Previous button).
g. Click on Ethertype = 6003 (DECNET) in the DLC layer of the frame data.
h. Click Set Data. Note the pattern 60 03 is pasted in the data area above and the offset field is updated to C. FYI: If you wanted to do a different type of pattern match, you would need to click the Format button and choose from Binary, ASCII, EBCDIC before pasting in the data. You can paste up to 32 bytes of data for matching.
i. Click OK here, then OK on the Define Filter window.
4. That's a start, but the filter hasn't been applied yet. Let's apply the filter now.
a. Right click in the display window, click Select Filter and select the Display Pattern Match filter. Note: Data Pattern should read (NOT DLC: Ethertype = 6003[DECNET]). Click OK.
b. You should have a new Filtered x window with a frame count in the title bar.
c. How many frames are there? 42
5. Note this new filtered window has maintained the original frame numbers. The window should start with frame 3, a DNS OK status frame. What frame format is being used in Frame 3? V2
6. We'll add this Ethertype to our filter to eliminate all frames with the Ethertype in the DNS OK frame. Write the Ethertype here: 0800
a. Display > Define Filter > Data Pattern tab.
b. Add NOT > Add Pattern.
c. Highlight DLC: Ethertype = 0800 (IP) then click on Set Data. 08 00 pastes in at C.
d. Then click OK. Your match should now look like this:
e. Hold your cursor over the AND line to see how the match has been built this far. Click OK if it matches. Go back and fix it if it doesn't.
f. Right click in the Filtered x display window, click Select Filter > select the Display Pattern Match filter. Click OK.
g. You should get a new Filtered x window with 15 frames that starts with a LAT change node frame. Is the LAT frame the same frame format as the previous frames? Yes.
7. Eliminate all frames with the Ethertype in the LAT frame. Write the Ethertype here: 6004
8. Repeat the same filtering process to eliminate this frame type:
a. Display > Define Filter > Data Pattern tab > Add NOT > Add Pattern.
b. Highlight Ethertype 6004 (DEC LAT), click on Set Data, then click OK.
c. Click OK to save the updated filter.
9. Display > Select Filter > select the Display Pattern Match filter again. Click OK. How many frames are in the new Filtered x window that pops up? 14
a. What is the frame format in the NSAP frame? Novell Raw.
b. What field can be used to filter this frame type? IPX Checksum.
c. What is the hex pattern and offset used to perform this filter? FFFF at offset 0E.
10. First, we'll create a filter to view only the Novell Raw frames then we'll change it so we exclude these frames along with the previously excluded Ethertype frames.
a. Since we plan to filter out the Novell Raw frames in the last step, we'll start by adding a NOT before we add the pattern as we did before.
b. Display > Define Filter > Data Pattern tab > Add NOT > Add Pattern.
c. Highlight IPX Checksum = 0xFFFF, click on Set Data, then click OK.
d. Before we finish, remember that we want to include all of the Novell Raw frames and exclude all of the others. To make this happen, click on the NOT left of the IPX Checksum entry so it turns to a solid red (the NOT disappears). Your match should now look like this:
e. Click OK if it matches. Go back and fix it if it doesn't.
11. Display > Select Filter > select the Pattern Match filter again. Click OK. How many frames are in the new Filtered x window that pops up? 10
12. Review the DLC header in each frame. These should all be 802.3 Raw frames.
13. Let's change our filter to exclude these frames and see what type of frames are left in the trace.
a. Display > Define Filter > Data Pattern tab.
b. Enable the NOT above the IPX Checksum pattern by clicking on the red block.
c. Click OK when finished.
14. Now we need to apply this filter as we did before. What do you think will happen if we apply the filter to this filtered window? You'll get the error message "No frames matched the filter!" because this window only contains the 802.3 Raw frames (all other frames were filtered out earlier).
a. Let's go back to our original trace window by clicking the Decode tab.
b. Display > Select Filter > select the Pattern Match filter again. Click OK. How many frames are in the new Filtered 5 window that pops up? 4
15. You have now eliminated all Novell NetWare frames and enough Version 2 traffic so that you can easily examine the remaining frames. Answer the following questions:
a. How many standard 802.3 frames (with only an LLC header) are there? One - RPL Unknown
b. How many 802.3 SNAP frames are there? zero
c. How many Version2 frames remain? Three - ARP, LOOP Reply Receipt, Chaosnet
16. Close the window. Do not go on to the next exercise.
Instructor Note: You will want to omit this exercise, demo it, or do it with the class if you have chosen not to do the previous optional pattern match filtering exercise. The pattern match required here is not detailed in these steps since it was detailed in the previous exercise.
1. Open the file C:\202GUI\Mixed_02.cap. Display the Decode view.
2. What is the frame format used in Frame 1? 802.3 Raw as evidenced by the 802.3 Length field and missing LLC header.
3. What field will you use to eliminate all these packets to see what else might be on this network? You will use the IPX Checksum field ('FFFF' pattern).
4. Create a new Data Pattern match called No Raw Frames to eliminate all frames using this frame format. Select the filter.
5. Carefully study your results. Can you explain the 5 frames? These frames DON'T GO AWAY! When you examine the HEX you will see the '1111' padding bytes between the LENGTH field and the 'FFFF' checksum in the XNS Header. Sniffer Pro assumes they are IPX and decodes them as IPX, posting a message in the Detail window noting the incorrect IPX length field.
6. Close the window. Stop here. Do not proceed to the next exercise.
Instructor Note: Here's the story behind the problem: These bytes were included when IBM, Sytek (the broadband vendor) and Novell built the IBM Broadband/Ethernet bridge. Although we don't know exactly why Novell put them there we do know that the request came from Novell. One speculation is that something moved data in 4 byte words and the header, when padded from 14 to 16 bytes, provided 4 even 4-byte words. You will only encounter this in some obscure environments. The exercise is intended to give the student an opportunity to encounter a strange situation and make reasonable observations about it. (Think about a bridge set to filter FFFF!)
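The pattern-match exercise above and the padded frames in Mixed_02.cap, as an added example (not part of the course material or of Sniffer Pro): the same NOT rules are run at fixed offsets over six constructed frames, then the frames are classified by structure instead. The addresses, payloads and length values are made up, and the check for 11 11 padding is a heuristic built from the exercise's description.

```python
ETHERTYPE_OFFSET = 0x0C   # type/length field, after the two 6-byte addresses
PAYLOAD_OFFSET = 0x0E     # first byte after the 14-byte DLC header


def pattern_at(frame, offset, pattern):
    """True when `pattern` sits in `frame` at exactly `offset` (a data-pattern match)."""
    return frame[offset:offset + len(pattern)] == pattern


def apply_not_filter(frames, rules):
    """Keep frames matching none of the (offset, pattern) rules: NOT a AND NOT b ..."""
    return [f for f in frames
            if not any(pattern_at(f, off, pat) for off, pat in rules)]


def classify(frame):
    """Name the frame format from the type/length field and the bytes after it."""
    if len(frame) <= PAYLOAD_OFFSET:
        return "too short to classify"
    type_or_len = int.from_bytes(frame[ETHERTYPE_OFFSET:PAYLOAD_OFFSET], "big")
    if type_or_len >= 0x0600:                      # 1536 and up is an Ethertype
        return "Version 2, Ethertype %04X" % type_or_len
    if type_or_len > 1500:                         # 1501..1535 is neither
        return "invalid type/length %04X" % type_or_len
    if pattern_at(frame, PAYLOAD_OFFSET, b"\xff\xff"):
        return "802.3 Raw"                         # IPX checksum right after length
    if pattern_at(frame, PAYLOAD_OFFSET, b"\xaa\xaa"):
        return "802.3 SNAP"                        # DSAP = SSAP = AA
    # Heuristic (assumption): 11 11 padding, then the FFFF checksum two bytes late.
    if (pattern_at(frame, PAYLOAD_OFFSET, b"\x11\x11")
            and pattern_at(frame, PAYLOAD_OFFSET + 2, b"\xff\xff")):
        return "802.3 Raw, padded header"
    return "802.3 LLC, DSAP %02X" % frame[PAYLOAD_OFFSET]


def build(type_or_len, payload):
    """Constructed sample frame: made-up addresses, no preamble or CRC."""
    dst = bytes.fromhex("ffffffffffff")
    src = bytes.fromhex("020000000001")
    return dst + src + type_or_len.to_bytes(2, "big") + payload


IPX_REST = bytes(28)   # constructed: rest of a 30-byte IPX header, zeroed

SAMPLES = {            # all constructed for this example
    "decnet": build(0x6003, bytes(46)),
    "ip": build(0x0800, b"\x45" + bytes(45)),
    "lat": build(0x6004, bytes(46)),
    "raw": build(30, b"\xff\xff" + IPX_REST),
    "llc": build(46, b"\xfc\xfc\x03" + bytes(43)),
    "padded": build(32, b"\x11\x11\xff\xff" + IPX_REST),
}

# The NOT rules built up in the exercise: three Ethertypes at offset 0C,
# then the IPX checksum FFFF at offset 0E.
EXERCISE_RULES = [
    (ETHERTYPE_OFFSET, b"\x60\x03"),
    (ETHERTYPE_OFFSET, b"\x08\x00"),
    (ETHERTYPE_OFFSET, b"\x60\x04"),
    (PAYLOAD_OFFSET, b"\xff\xff"),
]


def survivors(rules=EXERCISE_RULES):
    """Names of the sample frames that the fixed-offset NOT filter lets through."""
    kept = apply_not_filter(list(SAMPLES.values()), rules)
    return sorted(name for name, frame in SAMPLES.items() if frame in kept)


def survivors_by_format(excluded=("Version 2", "802.3 Raw")):
    """Names of the sample frames left when whole formats are excluded instead."""
    return sorted(name for name, frame in SAMPLES.items()
                  if not classify(frame).startswith(excluded))


if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        print("%-7s %s" % (name, classify(frame)))
    print("fixed-offset filter keeps:", survivors())
    print("format-based filter keeps:", survivors_by_format())
```

The padded frame passes every fixed-offset rule because its checksum sits at offset 10 hex rather than 0E, which is the situation the instructor note's remark about a bridge filtering on FFFF points at.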
Background:
1. We'll look at a 10 Mbps trace first. Open C:\202GUI\bcast.cap to the Decode window. This is a trace where every device on the network responded to the RWHO in frame 1 about as fast as they could get them onto the network. There are no physical errors to confuse the timing, but there is one long pause we'll ignore.
a. What is the range of Delta times between the ARP frames? (Ignore frame 20) 0.002.985 to 0.003.150, about 3 milliseconds apart (frame 54 is about 4 ms)
b. Click the Statistics tab. What is the line speed shown here? 10 Mbps
2. Now let's see what's different in the 100 Mbps screens. Open C:\202GUI\100mbfile.caz to the Decode window.
a. Click the Statistics tab. What is the line speed? 100 Mbps
b. What is the Delta time of frame 108, one of the shortest delta times? 0.000.161 = 161 microseconds, a good improvement.
3. Finally, we'll look at some Gigabit data. Open C:\202GUI\GB.cap to the Decode window.
Instructor note: There are CRC errors and Code Violations (CV) errors in this trace. The help screens give this definition: Gigabit Ethernet uses the 8B/10B transmission code to map signals into 10-bit code groups. 8B/10B coding provides a set of 2^10 possible code groups. A given 10-bit code group can be categorized as either legal, showing a positive running disparity error, showing a negative running disparity error, or as an illegal code group. The Sniffer Pro reports a code violation when it sees a code group that is either illegal or that has a running disparity error as compared to the previous code group. The students will look at the help screen in the Gigabit section exercise.
a. Click the Statistics tab. What is the line speed shown? 1000 Mbps
b. In the Decode view, what is the Delta time of frame 16, one of the shortest delta times in this trace? (Expand the width of the Delta Time column to see the entire value.) 0.000.000.012 = 12 nanoseconds!
c. Note that an extra 3-digit column has been added to the Delta and Relative time columns to compensate for this faster speed. It can measure down to 32 nanoseconds.
d. What is different about the Status column? It shows [A] and [B] to indicate which channel captured the frame. The Fast Ethernet Full Duplex pod captures show the [A] and [B] indicators, too.
4. This has been just a short comparison of what you see in the Sniffer windows. We hope it points out that once you learn how to use the Sniffer for one speed, you can apply those same techniques to looking at the other speeds. In the next sections we'll give you more specific information on how to look in different areas to help you analyze your traffic.
5. Close all the open windows. Do not go on until instructed.
[Network diagram; labels: Node 1 WstDig178C41, Node 2 WstDig96EC2C, File Server COFFEE.1 WstDigFF965F, Hub 1, Hub 2, Hub 3, Hub 3, Hub 3, Hub 3, Bridge, Node 3, Sniffer]
Student note: Note that the picture is not complete. For example, there probably were other stations on the thin Ethernet. The Sniffer analyzer was connected somewhere near the end of the thin Ethernet. We don't know exactly what was on the other side of the bridge shown on the left. Originally the Sniffer analyzer was placed at the end of the topology and saw no errors. In the actual trace, the Sniffer analyzer was traded with Node 3 and saw errors. Node 3 was moved to the end of the topology and worked without incident. Client addresses and the Server COFFEE.1 all exist off of Hub 1.
Instructor Note: Questions in step 13 have been changed to reflect the actual forwarding delay of 15 bits on the Gandalf hubs. Please review them and be ready for new numbers! Questions 14 and 15 have also been reworded with new assumptions.
1. Configure the Alarm settings.
a. Select Tools > Expert Options > Alarms tab.
b. Click on the + next to Global to expand it.
c. Under the LAN overload entry, notice the value of 50 (percent) as the threshold for LAN Overload.
d. Click in the Lan Load field and change the value to 30 so we will be alerted when the lower threshold is exceeded.
e. Click on the Apply button. Click OK to exit the Alarms.
f. When you change these settings for your own Sniffer, adjust the Dashboard settings, too, so it will reflect the same thresholds.
g. Open the Dashboard, click the Set Thresholds button. Change the Utilization(%) High Threshold setting to 30. Click OK and note the red area on the Utilization dial now starts at 30%. (This will have no effect unless we generate some traffic for the Dashboard to monitor.) Close the Dashboard.
2. Open the file C:\202GUI\HUB6ARC.caz.
3. Click on Global Symptoms. What are the symptoms? LAN overload and Bad CRC
4. Let's take a closer look at these errors.
a. Click on the Objects tab on the upper right. (Drag the separator bar to the bottom if the tab is not visible on the right.) Specific information about the condition should now appear.
b. Click the icon to see the Expert Explain on the LAN Overload symptom. Read the explanation of the problem and possible remedies. Close the Help window when done.
c. What is the First Time for the LAN Overload symptom? 16:36:56.765 (or 4:36:56:765 PM as it will show later)
d. What is the Duration of the symptom? 1s 436 ms (1.436 seconds) (4:36:56:765 + 1:436 = 4:37:492:765 PM end time)
e. What was the value recorded for Maximum and Average LAN Overloads? 35% Maximum, 11% Average
f. Record the stations involved. 4 stations: WstDig0A065A, WstDigFF965F, Gandlf100738, and WstDig178C41
g. Click the F7 key and observe the similar information on the Bad CRC symptom.
5. Click on the Summary tab to return to the Expert Overview window. What are the symptoms at the DLC layer? What stations are involved? Runt frames (2 stations: WstDigFF965F and Gandlf100738)
What are the diagnoses at the DLC layer? What stations are involved? High rate of physical errors (3 stations: WstDigFF965F, WstDig96EC2C and WstDig178C41)
Are any of the stations involved in the LAN Overload condition also reporting errors at the DLC layer? Yes, 2 out of 4 were involved in the DLC Diagnosis (WstDigFF965F and WstDig178C41 sent bad frames); 2 out of 4 were involved in the DLC Symptoms (WstDigFF965F and Gandlf100738 sent or received Runt frames).
6. Press the Decode tab to display the data. Enable Relative time if the column is not visible. What is the total time of this capture? Only 11.201 seconds
7. In the next few steps we are going to try to determine what, if any, correlation exists between the LAN Overload condition and the bad frames. This is a common approach used by analysts when troubleshooting. The questions one might ask are: Are the bad frames the result of excessive collisions that will occur whenever utilization on an Ethernet network starts to reach a critical state? If so, with the topology involved, at what maximum point within a frame could one expect damage to occur? In this example, one simple way to begin to rule out a correlation is to look for bad frames occurring at times when no LAN overload condition exists.
8. Referring to the time you recorded earlier for the start and duration of the LAN Overload, let's use a filter to display only bad frames.
a. Select Display > Define Filter > Profiles > New. Name it allbadframes. Click OK and Done.
b. Select the Advanced tab.
c. Disable Packet Type Normal, which will leave only problem frames enabled. Click OK.
d. Select the allbadframes display filter. Display > Select Filter > allbadframes > OK. A new Filtered x window should open with 2503 frames.
9. Zoom in (F4) on the Summary window. We're going to examine the Status column.
a. Enable the Summary Display Optional Fields, Status, Absolute Time and Bytes (Len) by clicking on Display > Display Setup > Summary Display > Optional Fields. Click OK.
b. What types of errors do you observe? Lots of Alignments and Runts, 21 Collisions, 1 Fragment, and 11 CRCs
10. Scroll over to the far right-hand column and scan through the Absolute Time values.
a. Did most of the bad frames happen during the LAN Overload? The bad frames were happening before the LAN Overload, during the LAN Overload, and after the LAN Overload. (Expert shows military time, decode shows AM, PM)
b. In your judgement, are the bad frames the result of the LAN Overload condition? The error frames are not just due to the network being busy.
c. If not, what else could be a cause of the bad frames? The errors could be caused by signal reflections, noise, hardware problems, propagation delay, etc. At this point we don't know enough to isolate the problem.
11. Scan through the LEN (Bytes) column values. The Sniffer stops capturing a frame when a collision causes the bits to no longer be recognizable. With a network only 50 meters in length, would you expect to see collisions occurring so far into the Ethernet frames? No
12. We're now going to determine how far into the frames collision damage is occurring. To do that, you will need to define and select a new display filter.
a. Display > Define Filter...
b. Create a New Profile called Collisions (copy the Default profile).
c. OK > Done.
d. Select the Advanced tab.
e. In the Packet Type text window, clear all of the boxes except for the Collision box.
f. Click OK to save the filter.
g. Display > Select Filter... When you select the Collisions filter, you should see a new Filtered x window appear with 21 frames.
h. Zoom into the Summary window and observe the LEN (bytes) column. What is the largest collision frame recorded? 11 bytes
13. With a network of six repeaters in series and a total cable distance of fifty meters between end stations in the collision domain, do the collision frame sizes seem appropriate? (Hint: each of these hubs adds about 15 bit times of latency to the network. Also, in 10BaseT each bit is 17.7 meters long.) To determine the answer to this question, let's calculate the round trip delay (use the Windows calculator if you like):
a. Cable latency in bit times = total distance / length of bit: 50 / 17.7 = 2.82 bits
b. Total Hub Latency in bit times = latency of each hub * number of hubs: 15 * 6 = 90 bits (/ 8 = 11.25 bytes)
c. Total Delay = cable latency + total hub latency: 2.8 + 90 = ~93 bits (/ 8 = 11.6 bytes)
d. Round trip latency = Total Delay * 2: 93 * 2 = 186 bits (23.2 bytes)
e. Subtract preamble (preamble is on the wire only): 186 bits - 64 bits = 122 bits (15 bytes)
f. Subtract CRC (CRC is on the wire only): 122 bits - 32 bits = 90 bits (11 bytes)
g. Total number of bytes displayed in the Sniffer: 90 bits / 8 = approx. 11.25 bytes or > 11
h. Compare your calculations to what you're seeing on the Sniffer Pro analyzer. Does your worst case calculation concur? The collisions (maximum of 11 Bytes) are Legal (appropriate) for this network design. These collisions are also within 64 bytes, which is an IEEE "LEGAL" collision.
14. Was the fact that the network broke the 5-4-3 rule the reason the collision is occurring so far into the frame? No, the network is only 50m or 3 bits in length. The accumulated propagation delay of the 6 hubs is what caused the collision to occur so far into the frame.
15. Will extending the length of each of the hub lengths to their maximum of 100m cause late collisions that occur beyond the 64th byte mark in the frame? Potentially yes.
16. In the next few steps, we are going to look at a conversation in the original trace file and attempt to isolate the location of the problem on this LAN. Note that on the network diagram, the Sniffer Pro is behind the suspect cable. Sniffer Pro will therefore see error frames from this conversation that really do not exist due to the intermittent cable problem.
a. Select the Expert tab to return to the main file.
b. Click on the DLC Objects column.
c.
d. Click on the Display Filter icon to filter on this node; a new Filtered x window appears.
e. What are the errors noted in the Status column? Mostly Alignment and a few Runt errors.
f. Notice that throughout the conversation between these two nodes, not one frame is resent, even the runt frames!
g. Is this conversation operating normally? It must be.
h. Apply your filter for Collision frames. Are there any collisions in the conversation between these two nodes? No
i. There are Runt frames in the trace file between these two nodes. What are they if not the results of a collision? To find out, define a new filter for Runt frames only and select it. How long are the frames? All 56 bytes. This could be an indication of a partial reflection, but it is more like a standing wave that can run the entire length of the cable after the node has finished sending. True reflections occur BEFORE the 32nd byte in a frame. There are no AAs or 55s in the frames, either, indicating it was a local collision on a coax segment.
17. Based on the errors reported in the Sniffer, is the conversation working correctly? No (at the Sniffer end of the network).
18. Where is the "Fault Domain" and what is causing this problem? The conversation is working correctly between the workstation and the server -- so something is damaging the frames between the workstation and the Sniffer.
19. If you could physically inspect the cabling in the Fault Domain, you would notice a piece of ARCnet cable (RG62) connecting a machine to the Thinnet (RG58) segment. Could replacing bad cable correct physical layer errors? Yes!
20. Close the trace file window.
21. Stop here. Do not proceed to the next exercise.
j.
Background:
We are going to show you how you can use a single Sniffer Pro to perform analysis and comparison on two trace files.
[Network diagram; labels: 10BaseT Hub; Hubport 1: Sniffer on known good port; Hubport 2: Sniffer on suspect port; NetWare client: Novell~FAA; NetWare File Server: 3Com~704; NetWare Client: 3Com~F91]
Fact One: The user's PC was replaced by a Sniffer analyzer.
Fact Two: Another Sniffer analyzer is plugged into a known good port. Both Sniffer analyzers were capturing simultaneously.
1. Evaluate the network diagram then proceed.
2. Think about different ways to approach isolating the source of the problem. What have you come up with?
3. Use the Display menu > Display Setup..., disable the Expert tab.
4. Open the files C:\202GUI\Hubport1.cap and Hubport2.cap.
5. Use Window > Tile to display both files simultaneously and do a frame to frame comparison. (Use the Ctrl-Tab keys to switch between the windows.)
6. How many frames are in the file Hubport1.cap? 71 Hubport2.cap? 75
7. These two trace files start at different frames because the captures could not be started at exactly the same time. You will need to "align" the two trace files to start at the same frame.
Think about different ways to approach aligning the two trace files to start at the same packet before continuing with the lab.
8. We're going to align the two trace files by examining the first frame in Hubport1.cap for a unique string of data and then search for that string in Hubport2.cap.
   a. In frame 1 of Hubport1.cap, notice the NCP read command ("Read 512 at 2812416"). The offset value (2812416) is the unique string we will use to align these trace files.
   b. Ctrl-Tab to Hubport2.cap > click on frame 1 in the Summary window.
   c. Use the Find Frame feature to find the first frame that matches this string:
      - Right Click in the Summary window > Select Find Frame
      - Choose Text tab
      - Input the value of the offset (2812416)
      - Search from = Summary text
      - Search Direction = Down
   d. Click OK.
9. What is the frame number in Hubport2.cap that matches Frame 1 of Hubport1.cap? Frame 5
   If the "found frame" in Hubport2.cap matches the first frame in Hubport1.cap, can we assume that the rest of the trace will match as well? If they were both set to capture without a filter, yes.
10. Since we have found a frame in Hubport2.cap that matches Frame 1 in Hubport1.cap, we should be able to select all of the rest of the frames as well. If we select these frames as a group, we should have a file that matches Hubport1.cap exactly. Let's give it a try:
   a. Right Click in the Summary window of Hubport2.cap.
   b. Click Select Range.
   c. Choose Range, From = 5, To = 75.
   d. Click Select. Note: The boxes to the far left of frames 5 to the end of the trace should contain an X.
   e. Right Click in the Summary view.
   f. Click Save Selected. A new window titled Snif(n) should appear (the n represents a number). The new window should have 71 frames and be aligned frame for frame with Hubport1.cap. We don't need the Hubport2.cap file any longer, so close it now.
11. Do a quick comparison of the first few frames to verify that the traces are aligned.
12. Choose Window menu > Tile so we can see parts of both windows.
13. The next thing we need to do is quickly search through each of the trace files to locate any bad Ethernet frames. We'll use the Find Frame feature again:
   a. Highlight the Snif(n) window, select Alt-F3 (the Find Frame window should pop up). Choose the Status tab and select all frame error boxes under Trigger, then select OK.
   b. Were any bad frames located? If so, write down the frame number(s) here: Yes Frame 40
   c. Repeat the search until there are no other error frames.
14. Repeat the search process with the Hubport1.cap window.
   a. Were any bad frames located here? No
   b. What could account for the differences in the traces? One trace was captured from a known good port on the hub, the other was taken from a suspect port.
15. While looking at the Hubport1.cap Summary view, use Display > Go to Frame, to go to the frame number of the bad frame from the Snif(n) window (recorded in Step 13). Compare the two frames in each of the windows. Have you gotten closer to isolating the problem? You should be able to see that the frame is damaged in one trace and is not in the other. Think about the situation that might cause this to happen. You may think the problem in frame 40 of HUBPORT2.cap was caused by a collision. But if it were a collision, HUBPORT1.cap would have seen a damaged frame also. In addition, if a collision had occurred, the NetWare client would have retransmitted the data. But in HUBPORT1.cap, we can see that the client and the server seem to think there was nothing wrong with frame 40. It seems that only the Sniffer analyzer on hubport 2 saw a problem. In fact, that was the case: the port was bad. The hub took a good frame off the backplane and output a bad frame at the bad port only.
16. Use Display > Display Setup and Enable the Expert tab on the General window and close all open windows without saving.
17. Stop here. Do not proceed to the next exercise.
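The alignment and frame-for-frame comparison performed by hand in this exercise can also be scripted. The following Python is an added example, not part of the course material or of Sniffer Pro; the frame bytes, addresses and helper names are constructed, and only the counts (71 and 75 frames) and the marker string 2812416 come from the lab text.

```python
from typing import List, Optional, Tuple

# Constructed frames: a 14-byte DLC header with made-up addresses, followed by
# a text payload that stands in for the analyzer's summary line.
HEADER = bytes.fromhex("020000000704" "020000000faa" "8137")


def make_frame(offset: int) -> bytes:
    return HEADER + f"Read 512 at {offset}".encode().ljust(46, b"\x00")


def find_alignment(other: List[bytes], marker: bytes) -> Optional[int]:
    """Index of the first frame in `other` that contains `marker`, else None."""
    for i, frame in enumerate(other):
        if marker in frame:
            return i
    return None


def verify_alignment(reference: List[bytes], other: List[bytes],
                     start: int, count: int = 5) -> bool:
    """Spot-check that the first `count` aligned frames are byte-identical."""
    return reference[:count] == other[start:start + count]


def compare_aligned(reference: List[bytes], other: List[bytes],
                    start: int) -> List[Tuple[int, Optional[int], str, int]]:
    """Report every reference frame whose aligned copy differs.

    Each entry is (reference frame no., other frame no., kind, offset of the
    first differing byte). Frame numbers are 1-based, like the analyzer's.
    """
    diffs = []
    for i, ref in enumerate(reference):
        j = start + i
        if j >= len(other):
            diffs.append((i + 1, None, "missing", 0))
            continue
        seen = other[j]
        if seen == ref:
            continue
        common = min(len(ref), len(seen))
        first = next((k for k in range(common) if ref[k] != seen[k]), common)
        # A copy that simply stops early is "truncated"; anything else,
        # including extra trailing bytes, is "corrupted".
        kind = "truncated" if first == len(seen) else "corrupted"
        diffs.append((i + 1, j + 1, kind, first))
    return diffs


def build_demo() -> Tuple[List[bytes], List[bytes]]:
    """Constructed stand-ins for the known-good and suspect-port captures."""
    base = 2812416
    reference = [make_frame(base + 512 * n) for n in range(71)]
    # The suspect-port capture started four frames earlier.
    lead_in = [make_frame(base - 512 * n) for n in range(4, 0, -1)]
    other = lead_in + list(reference)
    damaged = bytearray(other[4 + 39])
    damaged[30:] = b"\xff" * (len(damaged) - 30)  # constructed damage
    other[4 + 39] = bytes(damaged)
    return reference, other


def run_demo():
    reference, other = build_demo()
    start = find_alignment(other, b"2812416")
    if start is None or not verify_alignment(reference, other, start):
        raise ValueError("captures could not be aligned")
    return start + 1, compare_aligned(reference, other, start)


if __name__ == "__main__":
    first, diffs = run_demo()
    print("reference frame 1 matches frame", first, "of the other capture")
    for ref_no, other_no, kind, offset in diffs:
        print(f"frame {ref_no} (other capture frame {other_no}): {kind} at byte {offset}")
```

A frame that differs in only one of two simultaneous captures was damaged between the shared medium and that capture point, which is the conclusion the exercise reaches about the hub port.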
1. Open the file C:\202GUI\BADCABLE.cap. What are the Expert diagnosis and symptoms at the DLC layer? How many are there? 1 diagnosis - High rate of physical errors, 18 symptoms - Runt frame, DLC source address multicast and DLC source address broadcast. View the Decode window. How many frames are there in this trace? The total number of frames is 79
2. Select the allbadframes display filter to show only error frames.
   a. How many damaged frames are there in the Filtered x window? 56 frames
   b. Based on the number of Runt, Alignment and Bad CRC frames, do you think there's a problem? Absolutely! 56 out of 79 frames in error is a 71% error rate. We'll discuss later some of the rules of thumb for excessive damaged frames.
3. Scroll right in the Summary panel. What is the range of the size (in bytes) of the damaged frames? 2 ~ 566 bytes
4. Evaluate the Delta times between some of the damaged frames. Is there any consistency to the delta times? No, it varies between .0001 and 1.9 seconds.
5. Look in the Hex window for evidence of hardware-related problems. Do you think this is a hardware-related problem? How would you describe the damaged frames? Yes. Many of the longer damaged frames include more than 8 bytes of FFs.
6. What would you do next to fix this problem? Consider using binary search method to isolate the problem and identify where the damage is occurring. The problem here is that someone put his own plugs on UTP and incorrectly connected the wire pairs so there was no Common Mode Rejection of noise. It might as well have been flat satin wire. The FFFFs show that noise was affecting the traffic and changing the 0 bits to 1s. Unfortunately, noise is not always so obvious and does not always leave the telltale FFFFs.
7. Close the window.
8. Stop here. Do not proceed to the next exercise.
1. Configure the Display options to show DLC addresses in the Summary view: Display > Display Setup > Summary Display tab > disable Show Network Addresses
2. For each of the following files, write down the characteristics of the damaged frames (length, any pattern present at the end of the frame, whether frame appears to be repeated, etc.) and assess the probable type of frame corruption demonstrated in the trace. Assume that the trace shows a representative sample of the error. Close each window when you've answered the questions. Choose between: Normal collisions, Propagation delay, Reflected signals, Electrical noise, Hardware problems
   a. C:\202GUI\01.cap
      Sniffer Pro shows collision indication in the Status column. The Hex window shows that the bad frame, Frame 2, is perfectly truncated at Byte 12, indicating that this trace was taken from coaxial-based media. Frame 3 is most likely a retransmission of Frame 2. Probable cause: Legal local coax collision. This trace came from a pulp and paper mill where the thick and thinnet cables were occasionally run over by forklifts carrying a large roll of paper. The steel pipe that was embedded in the grooved concrete floor (it carried the coax) had become crushed over time. The problem always surfaced for a moment whenever the forklifts ran over the crushed pipe containing the coax cable.
   b. C:\202GUI\05.cap
      (Note: For a detailed review of this trace file, please consult the document "trace file addendum" located at the back of this manual.) Legal and late collisions caused by a faulty (crushed) cable. Sniffer Pro shows frames with collision indication in the Status column. Also, the Summary window indicates that the collision on frames 4 and 6 occurred after 64 bytes. This is accurate, but on these larger size frames it is difficult to tell if the frames have been truncated because Sniffer Pro does not decode past the DLC layer. So we can't tell (from layer 3 info) how big the frame was supposed to be unless we manually draw out the layer 3 details. (Protocol forcing does not give us an option for the DECnet DRP protocol, only LAT.)
   c. C:\202GUI\06.cap
      Sniffer Pro shows frames with collision indication in the Status column. All are small 24 byte frames. Contains DLC addresses, no pattern at end of frame. Probable cause: If this were truly representative of the traffic, it's probably signal reflection.
   d. C:\202GUI\16.cap
      Variable but small-sized frames. All have 11-12 bytes of 55s, representing hub/repeater jam, appended to 43 bytes of data. Probable cause: repeated collisions on a remote 10BASE-T network. They look like reflections but cannot be. Remember, the majority of the signal moves towards the termination and will not be reflected back. That means that in a full-size 32-byte network, the collision can never be more than one-half the network: that's 16 bytes from the center to the unterminated end and 16 bytes back towards the sender headed towards the termination. That's 32 bytes total. This is just a lucky break. The frames were selected to create the individual trace to ensure the students learned to identify this pattern as hub jam, not reflection. It is strictly coincidental that the collision occurs 55 bytes into the frame.
   e. C:\202GUI\17.cap
      Sniffer Pro indicates that frames 5 through 8 are damaged by collisions. Frame 7 and frame 8 are late collisions, as indicated in the Summary and Expert views. Four damaged frames come from same source. Frames 5 and 6 are truncated at byte 42. Frames 7 and 8 are truncated late at byte 86. Frames 7 and 8 are evidence of late collisions combined with signal reflection. There are possibly multiple problems with this network. Probable cause, in order: Propagation delay, hardware, and signal reflection.
   f. C:\202GUI\21.cap. (Be sure to look at frames 124, 178, 179 and 321.)
      Sniffer Pro reports Alignment and CRC errors in the decode Status column. The Expert doesn't report any errors other than the Global CRC errors. This may seem odd with so many problems in this trace. The answer is that the Expert builds the object database from addresses seen in frames without CRC errors. Then, when it sees what it knows is a valid address associated with a problem frame, it reports the Symptom/Diagnoses. Since every frame in this trace has a CRC error, the Expert never builds the object database, never learns the valid addresses and therefore has nothing to associate a Symptom/Diagnoses with. Even though the addresses here are most likely valid, the Expert would not have learned that.
      If you need to demonstrate this, load FRAGS.cap. Select the allbadframes filter. You will have a decode full of Alignment, Fragment and Runt frames. Select a few of one kind and Save Selected. You will notice that Alignment and Fragment frames all have CRC errors and the Expert will not learn about any DLC objects associated with those frames. However, Runt frames do not have a CRC error and the Expert will learn about those DLC objects. Probable cause: Hardware, a jabbering NIC.
3. Close all open windows.
4. Use Display > Display Setup > Summary Display to reset the Display option to Show Network Addresses.
5. Stop here. Do not proceed to the next exercise.
1. Open the file C:\202GUI\FRAGS.cap. Click on the Decode tab and note the frame count. How many frames? 1173
2. Let's investigate how many of the frames in this trace have been damaged in some way. Apply the allbadframes filter to only show the bad frames.
   a. How many frames are bad in the Filtered x window? 111
   b. Does this seem to be a problem? 111 bad frames in 1173 is more than a 9% error rate. It certainly warrants more of an investigation.
   c. Return to the Decode tab to show the original entire trace.
3. Look at the detail of frame 1. This should be part of a conversation between [192.9.200.150] pc150 and [192.9.200.203] natco-4. The subnet mask for these devices is 255.255.255.0. Are they on the same or different subnets? The same subnet.
   b. When a bad frame occurs, notice who is sending the frame and the C/R sequence. Does the conversation recover after each error? Yes, for error frames up to Frame 940. Starting with Frame 941 it does not recover.
   c. Prior to frame 941, is [192.9.200.203] or [192.9.200.150] always receiving a bad frame? Both are receiving bad frames. This would rule out a bad NIC card in one of the nodes.
   d. Repeat the process to find and analyze all of the error frames in this conversation. How many symptom frames are there? 17 frames have symptoms, some are physical errors, others are NFS problems.
   e. Apply the allbadframes filter to this trace to see how many frames contain physical errors. How many frames do we see in the new filtered trace? 11
   f. What types of physical errors are found in this display? Alignment errors
   g. Does the number of errors found here seem excessive? 11 errors in 947 frames equals slightly more than 1% errors. This does not seem to be a problem.
   h. Use F4 to zoom in the Hex window and look at the damaged frames. What do you notice about the damage? 4 of the frames show 5555s. All frames are damaged beyond 64 bytes.
6. Can we draw any conclusions? 5555s are evidence of hardware problems or collisions. If they are collisions, they all extend beyond 64 bytes and would be late or illegal collisions indicating a possible out of spec network or propagation delay.
7. Press the Decode tab to return to the FilteredFramesx.cap display window with 947 frames. GoTo Frame 943 and evaluate the conversation.
   a. Does the conversation seem to continue normally at this point? No, we see PC150 sending messages but Natco-4 never responds. The conversation always recovered prior to frame 943.
   b. What is the delta time between frames 941 and 943? 206.953.080 seconds!
   c. What could cause this type of delay? A number of problems or changes in the physical network could cause the network to go down for this amount of time (over 3 minutes!), all of them caused by human intervention.
8. Based on what we know now, draw a diagram of this network including the cabling, PC150 and Natco-4, the repeater, the Sniffer, and any other devices that you can identify. Use the diagram to try and isolate the problem.
9. Close the windows without saving.
10. Stop here. Do not proceed to the next exercise.
Procedure:
Background:
1. Manually create address book entries for the two stations communicating in this trace. Assign the name Server to 161.69.97.200 and Client to 161.69.97.202. Enable Show network address in Display > Display Setup > Summary Display.
2. Open and display the trace file C:\202GUI\BADCRC.cap. Press the Decode tab to display the data.
3. In Frame 1, we see Client (NGC 030B4D) issue an SMB Read command for 32 kb of data, starting at offset 3964928 (00803c00h) for the file handle (F=) 1009.
4. Frames 2 and onwards show Server using NetBIOS to move 1460-byte blocks of data (over a TCP connection) until the TCP window is filled and an acknowledgement is received. (Note that the first block of data is 1456 bytes.)
   a. What is unusual about frame 6? Bad CRC
   b. What is the frame length? 978 bytes
   c. From the information within the IP header, what size frame did the IP stack on Server indicate that it was sending to the DLC layer for encapsulation? 1500 bytes, a maximum size frame. The Sniffer also notes the frame was retransmitted in frame 13, but the Summary window associates it with frame 14. Frame 13 is the retransmission looking at the hex data and the TCP sequence number.
5. Let's change our display to show only the TCP protocol information:
   a. Display > Display Setup > Summary Display tab.
   b. Click on the All button on the bottom to exclude all protocols, then press T repeatedly until you find Transmission Control Protocol. Uncheck the box for it, then click on OK.
   c. You should now see only the TCP layer displayed.
   d. Lastly, adjust the width of the Summary column in the main display to allow the ACK, SEQ, LEN and WIN values to be displayed. (Instructor Note: Note that the column will retain this length for all future trace files until you change it again, or until you delete the Sniffer.INI file in your operating system's configuration files directory.)
6. Examine the LEN= value in the Summary view for Frame 6. What is the value? 924 bytes
   a. Look at the Len(Bytes) column in the Summary window. How many bytes are there in the frame? 978 bytes
   b. What is the IP total length? 1500 (Sniffer is showing the actual length of the data in the Summary panel line rather than what was originally sent.)
7. What is the delta time between Frames 7 and 8? 323.6 milliseconds.
   a. Does this appear consistent with the times for previous exchanges of data between these two stations? No, it is much longer.
   b. Frame 8 is a retransmission of which previous frame? Frame 2, from the sequence number 60142096. (If you go back to frame 2, the Sniffer tells you it was retransmitted in frame 8.)
   c. Why is the Server retransmitting frames? It did not receive an ACK from Client before the retransmit timer expired.
8. Look for the retransmitted frame that has the same SEQ number as frame 6 (the bad frame). In which frame did you find it? Frame 13 (The first line of the TCP header in frame 6 points us to frame 13)
9. To confirm that the communication continues normally, compare Client's next SMB Read in Frame 38 with that of Frame 1. Is the Read 32KB further into file 1009? Look in the SMB detail of this frame at Starting offset. Yes, the next read is 32KB further into the file, 3997696.
10. We have just seen a scenario where a corrupted Ethernet frame causes the upper layer protocol to time out and retransmit. Now, let's examine a scenario where things do not proceed as we expect.
11. Close the trace file, in preparation to load a new one. Also, return to the Display Setup > Summary Display tab, and click on the None button to clear all the protocol filters. Click OK.
12. Click on the Address Book icon on the main toolbar. Change the Server's address to 206.116.6.132, and the Client's address to 206.116.6.135. When you have edited both stations, close the address book.
13. Open the trace file C:\202GUI\BADCRC-1.cap and click on the Decode tab to display the frames.
14. In Frame 1 Client opens the file PRO40A1.TMP. In Frame 3 it issues a command to the server of Write Block Raw 65520 bytes at offset 0 of the file. Then Client starts sending the data using NetBIOS in frames 4 and 5. Frame 6 is a TCP Ack to frames 4 and 5.
15. Frame 7 shows Server's response to Client's write request in frame 3. Look in the SMB Write Raw Data header. It indicates Server is ready to write the data Client will send. The Bytes actually written shows 0, the bytes remaining to be read is 65535 (actually a little more than the client said it would send.) Evidently it has not read the NetBIOS data sent in frames 4 and 5 yet.
16. In Frame 8 we see Client use NetBIOS to write another 1456 bytes of data.
17. Examine the Status and LENgth columns in the Summary view along with the Detail window of Frame 9.
   a. What kind of error does Sniffer Pro post against the frame? CRC error
   b. What is the frame length? 516 bytes
   c. What type of problem do we normally associate with this type of frame corruption? Electrical noise
18. Now examine Frame 10. With the exception of the actual frame length, do Frames 9 and 10 appear to be the same? To be sure, compare the unique IP Identification fields, IP Length fields, the unique TCP Sequence numbers and Hex ASCII data patterns. Both Frames 9 and 10 are identical: same IP Identification fields (14342, incremented by at least one for each frame sent), same IP Length fields of 1500 (although the first frame contains considerably less than 1500 bytes), and same TCP Sequence numbers (60550401). Even the TCP Checksum fields are the same, although the first frame contains less data than the second frame, which means the Checksum must be different as Sniffer analyzer points out (8722). The Hex data matches to the point of corruption.
19. When a frame is damaged in transit that is not the result of a legal collision, the receiver will request the SMB Write again. Does this occur? No, Server does not request the write again in Frame 73. In fact, the client continues onward, with Server's permission, in writing the next 64KB of data in Frame 75.
20. Now examine the Delta time between Frames 9 and 10.
   a. How much time elapses between when Expert Sniffer Analyzer sees the beginning of Frame 9 and when it sees the beginning of Frame 10? 1.6 ms elapses between Frames 9 and 10.
   b. How is it possible that Client knew it had sent an undersized and error frame and compensated by retransmitting it immediately? Normally, it is impossible for a sender to know it transmitted a bad frame or that its frame became damaged in transit and, subsequently, retransmit it immediately. Normally, the receiver's transport layer protocol makes the decision to have the original frame retransmitted properly, which may include repeating the entire write process of all 64KB as we saw in the earlier example.
   c. After reviewing a typical retransmission as in the earlier trace file, doesn't this seem more like "magic" than a protocol with a structured retransmission mechanism at work? Yes, this does defy convention and seems more like magic than normal communication.
21. Use F8 repeatedly to advance to Frame 17. Use the same method to compare Frames 17 and 19. Does the earlier situation repeat itself or is this a different problem? The situation repeats itself in Frames 17 & 19.
22. There is a general performance guideline for baselining that suggests a network segment should have no more than one CRC error per MB of data seen "on the wire." Do the cumulative physical errors exceed this guideline? There are 2 physical errors, specifically CRC errors, for 153,902 bytes seen on the wire. If 1 CRC error for 1MB of data = 100%, then 2 CRC errors for 154KB = 1,300%. This exceeds the guideline substantially!
23. It may be difficult for us to speculate as to what is causing the CRC-error frames to be retransmitted so quickly in the second trace file. In reality, it is the implementation of a relatively new performance feature called early transmit. The frame is copied from the PC's memory buffer directly to the network, instead of going through the NIC's memory buffer first. Unfortunately, the PC in this trace file couldn't provide the data fast enough to the NIC card, which was creating and transmitting the frame simultaneously. Subsequently, the first frame was undersized and aborted. Fortunately, the entire frame was ready for transmittal the second time, in both instances. There are actually two scenarios that can cause this kind of problem. One scenario involves incompatibilities between PCI-based personal computers and PCI-based Ethernet NICs. Another scenario involves early transmit. This trace file deals with early transmit of newer high performance NIC cards with parallel tasking or pipelining features. This trace file came from a client and server using 100MHz Pentium PCs with 64MB of RAM and 3COM 3C59x PCI-bus based Ethernet NICs. Although the PCs were fast, the NIC was faster. (Note that an operating system and concurrently executing applications can also bog down a fast PC so as to cause the transmit underrun situation.) Periodically, the PC couldn't provide the data for an entire frame before the NIC had sensed the 10BASET network was free and started sending the frame it was creating on the fly. The result is a 516 byte frame instead of a 1514 (Sniffer analyzer interprets the last 4 bytes in an Ethernet frame as the CRC and doesn't show them to us). SMC uses an Early Transmit Threshold (ETT) of 64 bytes with an increment of 8 bytes for each transmit underrun situation. It appears as though 3COM uses an ETT of 516B.
24. Close all open windows.
25. Stop here. Do not proceed to the next exercise.
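The two traces in this exercise differ in how the damaged frame is repaired: after a transport timeout with a new IP datagram, or within milliseconds with the same IP Identification and TCP sequence number. The Python below is an added example, not part of the course material or of Sniffer Pro, that parses constructed frames and tells the two cases apart; the record layout, the addresses, the 10 ms threshold and the times are assumptions, while 14342, 60550401, 516 and 978 are the values the lab reports.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

ETH_HDR = 14  # DLC header; the analyzer has already stripped the 4-byte CRC


@dataclass
class Frame:
    number: int      # frame number as shown by the analyzer
    time: float      # seconds since the start of the capture
    data: bytes      # captured bytes
    crc_error: bool  # analyzer's status flag


def ip_tcp_fields(data: bytes) -> Optional[Tuple[bytes, int, int, int]]:
    """Return (flow key, IP identification, IP total length, TCP sequence)."""
    if len(data) < ETH_HDR + 20 or data[12:14] != b"\x08\x00":
        return None
    ihl = (data[ETH_HDR] & 0x0F) * 4
    if ihl < 20 or data[ETH_HDR + 9] != 6 or len(data) < ETH_HDR + ihl + 8:
        return None
    total_len, ip_id = struct.unpack_from("!HH", data, ETH_HDR + 2)
    tcp = ETH_HDR + ihl
    flow = data[ETH_HDR + 12:ETH_HDR + 20] + data[tcp:tcp + 4]  # IPs + ports
    (seq,) = struct.unpack_from("!I", data, tcp + 4)
    return flow, ip_id, total_len, seq


def classify_crc_errors(frames: List[Frame], fast_resend: float = 0.010):
    """For each CRC-error frame: (bad no., resend no., missing bytes, kind).

    Assumes the sending stack gives every datagram a fresh IP identification,
    so an intact copy with the same identification is the same datagram sent
    again below the transport layer. `fast_resend` is an assumed threshold.
    """
    findings = []
    for i, bad in enumerate(frames):
        if not bad.crc_error:
            continue
        fields = ip_tcp_fields(bad.data)
        if fields is None:
            findings.append((bad.number, None, None, "undecodable"))
            continue
        flow, ip_id, total_len, seq = fields
        missing = ETH_HDR + total_len - len(bad.data)
        resend_no, kind = None, "no-resend-seen"
        for later in frames[i + 1:]:
            other = ip_tcp_fields(later.data)
            if later.crc_error or other is None:
                continue
            if other[0] != flow or other[3] != seq:
                continue
            resend_no = later.number
            quick = later.time - bad.time <= fast_resend
            kind = "underrun" if other[1] == ip_id and quick else "retransmit"
            break
        findings.append((bad.number, resend_no, missing, kind))
    return findings


def build(ip_id: int, seq: int, payload_len: int, keep: Optional[int] = None) -> bytes:
    """Constructed Ethernet/IPv4/TCP frame; checksums are zero (not examined)."""
    eth = bytes.fromhex("020000000001" "020000000002" "0800")
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + payload_len, ip_id, 0,
                     64, 6, 0, bytes([10, 0, 0, 2]), bytes([10, 0, 0, 1]))
    tcp = struct.pack("!HHIIBBHHH", 1025, 139, seq, 0, 0x50, 0x18, 8192, 0, 0)
    frame = eth + ip + tcp + bytes(payload_len)
    return frame if keep is None else frame[:keep]


def underrun_sample() -> List[Frame]:
    # Constructed: 516-byte CRC-error frame, intact copy 1.6 ms later.
    return [Frame(8, 0.0080, build(14341, 60548941, 1460), False),
            Frame(9, 0.0100, build(14342, 60550401, 1460, keep=516), True),
            Frame(10, 0.0116, build(14342, 60550401, 1460), False)]


def timeout_sample() -> List[Frame]:
    # Constructed: 978-byte CRC-error frame, resent later as a new datagram.
    return [Frame(6, 0.0050, build(500, 7000, 1460, keep=978), True),
            Frame(7, 0.0062, build(501, 8460, 1460), False),
            Frame(13, 0.3400, build(507, 7000, 1460), False)]


if __name__ == "__main__":
    print(classify_crc_errors(underrun_sample()))
    print(classify_crc_errors(timeout_sample()))
```

The "missing bytes" figure is the IP total length plus the 14-byte DLC header minus the captured length, the same comparison the exercise makes between the Len(Bytes) column and the IP header.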
Background:
Instructor Note: This trace file was taken in a lab network. The bridges were buffering and were doing 8:1 compression. The WAN links are true full-duplex.
[Network diagram labels: four bridges, two 192 Kb links]
1. Evaluate the network diagram, then proceed.
2. What should Spanning Tree accomplish in this network? Spanning tree should disable one of the 192 Kb links.
3. Open the trace file C:\202GUI\SCBRIDGE.caz.
4. Select the DLC Objects. How many station (non-broadcast) addresses are displayed? Only one (WstDigFD965F).
5. Select the Global Symptoms. Record the two symptoms displayed. Broadcast / Multicast Storm and LAN overload.
6. Does this seem logical, given the number of devices detected by the Sniffer Pro? Not really.
7. Press the Decode tab to display the Summary window.
8. What is the range of Delta times for the first 10 frames? From .076 to .172 milliseconds.
9. Are all the frames the same size? Yes. They are all 60 bytes.
10. Press the End key to go to the last frame of the trace. How many frames were captured? 12,406.
   a. Observe the value in the Relative Time column. How long did it take for all the frames to be captured by Sniffer Pro? 1.576 seconds.
11. What conclusions do you make? Either that the adapter is streaming with the same frame or there is a bridging loop in the network. In fact, this is indicative of a bridging loop. All the frames are copies of the same frame endlessly circulating the network. If there had been more stations then you would see two, maybe three stations at the maximum, transmitting.
12. If the speed of the bridged links was 10 Mbps instead of the two 192 Kbps links, what effect do you think it would have on the utilization value? Nearly 100%. What would happen to the Delta times? They would decrease to about half their current range values.
13. Close the window.
14. Stop here. Do not proceed to the next exercise.
[Network diagram labels: Sniffer Pro, NetWare Clients]
1. Evaluate the network diagram, then proceed.
2. Open the trace file C:\202GUI\BUSY-JAM.caz.
3. How many DLC addresses does Expert Overview display? 18
   Instructor note: the DOS Sniffer showed 13. Sniffer Pro counts all stations receiving valid frames as objects, even if they have not transmitted any frames.
4. Click on the number posted in the Global Symptoms column.
   a. What symptom is posted? LAN overload.
   b. How long has this symptom been active? 10.096 seconds
   c. Press the Decode tab. Using the value in the Relative Time column at the end of the trace, can you determine if this symptom was occurring throughout the duration of the trace? Yes, the trace took 10.61 seconds total; Sniffer Pro adds the minimum time that the LAN will remain at overload before resolving itself, if it does.
5. Back in the Expert view, double-click on the LAN overload symptom to display more detail related to the problem. (Drag the separator bar to the bottom if you do not see the Objects tab on the top right.)
   a. What value is recorded for Maximum LAN Overload? Maximum was 94%.
   b. What value is recorded for Average LAN Overload? Average was 80%
   c. Click on the for an explanation of this problem.
6. Given the number of DLC addresses identified by the Sniffer analyzer does it seem logical that we have a switch loop in our network? Not really. There are too many stations participating for a loop to be the cause.
7. Can we always rely upon the correctness of our network map? In most networks, no. They should be close, however.
8. Display the data and evaluate the delta times. Do the Delta times posted by the Sniffer analyzer seem consistent with a switch or bridge loop in our network? No. They are larger than one would expect to see with a loop. They are not the same frame, either.
9. Frame 1 shows an NCP command to open a file. The destination address of A1.1 is the address of the Novell File Server. If you cannot see the entire client address, adjust the width of both of the address columns until the entire address is visible.
10. Let's take a look at the lower two layers to see what's happening there.
   a. Apply our Allbadframes filter (Display > Select Filter)
   b. A new Filtered x window with 618 frames should appear.
11. Looking through the frames, do you see signs of physically damaged frames? 8 or 9 bytes of AAAAAs for the destination address and question marks for the source address. Each frame is also 8 or 9 bytes long.
12. What problems do we associate with this pattern of damaged frames? Signal Reflection and Hub Jams.
13. With the network topology (type of equipment and design) and indicators from the data, what conclusions do you reach? This is most likely not a Signal Reflection problem. We are using hubs and switches exclusively. These devices reduce the network to a series of point-to-point links with a bus compliance. Each station transmits its data to the hub/switch; the hub/switch either repeats or switches the data to the appropriate port. The transmit leads from each device are a discrete pair, as are the receive leads. We are witnessing Hub Jams (either from the hub or the switch). The real problem is that the server is still on a 10Mbps link. By installing a switch we have done nothing to eliminate the bottleneck in the network (it is now the switch instead of the cable segment that existed earlier). The switch will also introduce one full frame of latency to all buffered frames. If the server is responding to the client, then the client port must buffer the incoming client frames. This really adds latency to all transactions and is a classic example of poor network design. Switches can be very helpful, provided they are deployed correctly.
14. Close the window.
15. Stop here. Do not proceed to the next exercise.
Background:
a. What is the Priority ID of the root bridge before and after the change? b. Before: 0001.0060478F9A00 After: 012c.00100706D000
4. Click the Decode tab. Look at the details of the first BPDU frame. What type of encapsulation is it using? Are all the frames encapsulated? It is a standard Ethernet frame encapsulated in an ISL header. The Ethernet frame is directed to the multicast address 0180C2000000. No, all the frames are not encapsulated. Some of the DISL frames have just a DISL header with two parts: one that looks like a version 2 DLC header followed by a Pseudo LLC/SNAP header that contains the DISL information. CDP frames are not encapsulated, either. They look like standard LLC/SNAP frames. (In the original unfiltered trace, there were also NSAP frames that were not encapsulated.)
5. Notice that frame 9 has a different Pri number from the earlier frames. Look at the BPDU header of frame 9. Compare the BPDU header information with frames 1-8. What is different about the flags in this frame? It is a topology change frame
   a. Compare the root ID in frame 8 and frame 9. Does this agree with what we saw in the Expert? No, frame 8 shows the root as 8000.Cisco58F9AFD, frame 9 shows 0001.Cisco58F9A00 as root. These frames are repeated in frames 29 and 30.
6. Since these frames didn't apply to the information we saw in the Expert, go back to the Expert and highlight the VLAN #1 Spanning Tree Topology Change symptom, then press the Expert's Display Filter icon.
7. Compare the root identifier in frames 9 and 113. Does this match what we saw in the Expert? Yes, this is what triggered the symptom. The BPDUs in the trace allowed the Expert to build the BEFORE and AFTER table.
8. Let's go back to the Expert and look at those VLAN changes we saw.
   a. Look at the Global symptoms and highlight the VTP Versions Different symptom. Click on the ? help icon to see what this symptom means. From the lower right panel, what was the last VTP version received? 2
   b. What VLAN was removed? 333 We can assume this is related to the VTP version problem. If you look at the VLAN Removed from Domain symptom, you'll see that it is this same VLAN and the incorrect version shows in these panels.
   c. Click on the TNV layer in the Detail Tree in the center bottom panel. What is the VTP version being used? 1
   d. What VLANs are in this domain? 1, 225, 226, 1002, 1003, 1004, and 1005
4.0-OCT2000
Network Associates
10-48
e. Highlight the VTP Versions Different symptom, then click on the Display Filter icon to see the frames associated with this symptom. Find the VTP frames and locate the frame that shows version 2. Which frame shows version 2? Frame 64 What is the updater's IP address? 161.69.225.250 This and the DLC address should make it quite easy to locate the device that needs the upgrade. If you want to isolate the VTP frames, you'll need to do a data pattern match filter on the SNAP Type = 203 (VTP), which pastes 20 03 at offset 2E. (There are 12 in the trace.)
f. In the Expert, highlight one of the VLAN Not Operational symptoms and click the ? help button to get some information about what caused this symptom. Note the reason for the non-operational state shown in the lower right window. This information will help you reconfigure the devices so you can bring them up. # 2 is Undefined, # 10 shows MTU Too Big For Trunk, # 11 shows MTU Too Big For Device, and # 12 shows Suspended.
g. If you want to find the frame(s) that triggered these symptoms, go to the Decode window and right-click, then Find Frame. Type MTU too big and click to search in the Detail window and disable match case. Frame 106 shows all the VLANs that are Not Operational.
9. Last, let's look at some 802.1Q headers. This trace is using ISL, so we'll close it and look at another trace. Open C:\NAI\202GUI\8021q.cap. This trace is pretty clean, fortunately, so we'll just look at the frames in the Decode window.
a. Scroll up in the Detail window and look at the 802.1Q headers. It's pretty simple, showing just the 8100 protocol type field that identifies this field as a tag, then the next byte showing the frame priority, tunnel type and the VLAN ID. Remember that the Ethertype field shown in this header actually belongs to the DLC header; the tag is inserted between the source DLC address and the type/length field.
b. Scroll down to one of the 1518 byte frames just to see how the Sniffer labels these maximum size 1518 byte Ethernet frames that have the 4 byte header added. There is no CRC error posted, but you will see a TCP checksum error message.
c. We may see longer frames in the future as the specifications are changed to make Ethernet more efficient at the higher speeds.
10. Close the 8021q.cap trace and open the C:\202GUI\8021q-gig.cap trace. This is a trace taken from the trunk between gigabit switches, since we see the VLAN tags in the frames and the telltale full-duplex channel identifiers in the Status column. The Statistics tab shows the link is 1000 Mbps.
11. Check the tag header in the Detail window. Is it like the one we saw from the 100 Mbps link? Yes
12. There are some frames labeled Oversize in this trace. Evidently the Sniffer allows 1518 byte 802.1Q frames because it knows the tag adds 4 bytes to the maximum size Ethernet frame. Because these are greater than 1518 bytes, it labels them as Oversize.
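The tag layout and the size question from steps 9 through 12, as an added example that is not part of the course material. It decodes the tag that sits between the source DLC address and the type/length field, then applies two size checks: a fixed 1518-byte limit, which matches the Oversize labeling described above, and a tag-aware limit of 1518 plus the 4-byte tag. Frame lengths are assumed to include the 4-byte CRC, the field split (3-bit priority, 1-bit CFI, 12-bit VLAN ID) follows IEEE 802.1Q, and the frames are constructed.

```python
import struct

TPID_8021Q = 0x8100      # protocol type value that marks a tag
MAX_FRAME = 1518         # maximum untagged Ethernet frame, CRC included
TAG_LEN = 4              # bytes added by one 802.1Q tag


def parse_8021q(frame: bytes) -> dict:
    """Decode the DLC header of a frame whose length includes the 4-byte CRC."""
    if len(frame) < 14:
        raise ValueError("frame is shorter than a DLC header")
    info = {"dst": frame[0:6].hex(), "src": frame[6:12].hex(),
            "length": len(frame), "tagged": False}
    type_offset = 12
    (first_type,) = struct.unpack_from("!H", frame, 12)
    if first_type == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("tag present but frame is truncated")
        # The 2 bytes after 0x8100: 3-bit priority, 1-bit CFI, 12-bit VLAN ID.
        (tci,) = struct.unpack_from("!H", frame, 14)
        info.update(tagged=True, priority=tci >> 13,
                    cfi=(tci >> 12) & 1, vlan_id=tci & 0x0FFF)
        type_offset = 16     # the original type/length field moved 4 bytes right
    (info["type_or_length"],) = struct.unpack_from("!H", frame, type_offset)
    # Fixed limit: anything over 1518 bytes is oversize, tag or not.
    info["oversize_fixed"] = len(frame) > MAX_FRAME
    # Tag-aware limit: a tagged frame may be 4 bytes longer (1522).
    limit = MAX_FRAME + (TAG_LEN if info["tagged"] else 0)
    info["oversize_tag_aware"] = len(frame) > limit
    return info


def build_frame(length: int, vlan_id=None, priority=0) -> bytes:
    """Constructed test frame: zero-filled payload and CRC, IP Ethertype."""
    header = bytes.fromhex("ffffffffffff") + bytes.fromhex("020000000001")
    if vlan_id is not None:
        header += struct.pack("!HH", TPID_8021Q, (priority << 13) | vlan_id)
    header += struct.pack("!H", 0x0800)
    return header + bytes(length - len(header))


if __name__ == "__main__":
    for size, vlan in ((1518, None), (1522, 225), (1523, 225)):
        r = parse_8021q(build_frame(size, vlan, priority=5))
        print(size, r.get("vlan_id"), r["oversize_fixed"], r["oversize_tag_aware"])
```

A tagged 1522-byte frame is the case where the two checks disagree, so it is the one to look at before treating an Oversize label on a trunk as a fault.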
13. Remember that Sniffer Pro's switch Expert and Control functions also show the MIB data for switches. MIB data allows you to see the version of the switch's operating system and statistics for each module, port and VLAN. This is covered in more detail in the TNV-201-DSP and TNV-112-GUI classes.
14. Close all windows. Do not go on to the next exercise.
Background:
1. Open C:\202GUI\100MBFIL.caz.
2. Look at the Expert. What symptoms do you see at the Global layer? Broadcast/Multicast Storm.
a. How many stations are involved in this? Thirteen. Several of them are DECnet stations, which tends to be a very chatty protocol.
3. What diagnoses do you see at the DLC layer? High rate of physical errors.
a. What symptoms do you see at the DLC layer? Lots of runts, and DLC address is a multicast address, caused by frame corruption in the destination address field. If you highlight a station with this symptom in the upper right window and look at the DLC addresses in the Detail tree, you'll see that many of them have 5s or As in the address.
4. Look at the Decode window and frame 13. DECnet stations periodically send these Hello frames.
a. What is the DLC address for 46.307? DECnet0033B9 (WISHPB)
b. Highlight that address in the Expert DLC object list and click on the Display Filter icon. A new Filtered x window with 6 frames will open. Enable the Relative Time column if not shown. How often is 46.307 sending these Hello frames? Every 14.5 seconds. DECnet nodes multicasting at this rate will contribute to Broadcast/Multicast storms. Based on this, you will want to adjust your Expert Alarm thresholds for broadcast storms to a much higher level to eliminate these Global symptoms.
5. Apply your allbadframes filter to the unfiltered Decode window. How many frames have errors? 219.
a. Of the 6059 frames in the original trace, what is the percentage of frames with physical errors? 219/6059 = 3.6%. This is outside what is considered normal and should be corrected.
b. Analyze the problem by looking at the hex of the damaged frames. What conclusions can you draw? Frames are damaged anywhere from 2 to 51 bytes into the frame. AAAAs and 5555s appear in most of the damaged frames. We'd rule out normal collisions because there are far more than 8 bytes of AAAAs and 5555s. It is most likely a hardware problem or backpressure. (We don't have the story on this trace.) We'd need a network map or the actual network to probe further. Fix the physical problems before moving on to the upper layer problems.
6. Let's look at a couple of traces with backpressure so you will recognize it. System Engineers gave these traces to us. They were captured from different networks using different hubs. Close the 100mbfil.caz window and open the C:\202GUI\Backpres.cap trace file. This is a filtered trace that shows only bad frames. Normally, backpressure will not have such a catastrophic effect on the network. What data patterns do you see in the Decode window? D0D0D0, 434343 and 343434 patterns.
a. What size range are most of the frames? 12 to 20 bytes (a few are larger). This trace was from Michelle Coomes when she was at 3Com.
7. Now open the C:\202GUI\Backpres2.cap trace file. From the Expert, what symptoms or diagnoses do you see at the DLC layer? Collision after 64 bytes.
a. What station is involved? 0008C7A4ACB3. This is coincidental; it happened on many stations.
8. View the Decode window and look at the hex data for the frame with this symptom. What type of errors do you see in this frame? Repeating 55s starting at offset 236 in frame 6.
9. Follow the sequence of the bytes and offsets in this file transfer. In frame 9, below the damaged frame, you'll see a burst frame from the client requesting retransmission of the frame that got damaged. Look in the Detail window for the offset and size. Which frame retransmits the damaged frame? Novell's Pburst has selective retransmission of frames not received in a burst. Use Two-station format to show this sequence. Disable Show Network Addresses, then use the Matrix to set a filter on the 2 MAC addresses. It becomes very easy to see the effects of the backpressure on the transfer and how the upper layers handle any collisions that result. The Intel client requests a big read in frame 4. The server sends packets 5, 6, 7 and 8 with the data, but 6 gets damaged. The client comes back in frame 9 with the request for the missing frame. Frame 10 is the retransmission of frame 6.
This trace came from a company that was having problems from a line running in the proximity of a generator in a warehouse using cat 5 cabling. The errors coming from the EMI were overflowing the buffer on the 10/100 switch, so the switch was sending out the backpressure. To solve the situation the customer installed a fiber zip cord and it worked. This proves the point that the backpressure was not the problem but the EMI was. I hope this fills in the gaps for everyone. Michael "Mickey" Giovingo
10. These are two examples of backpressure sent by switches to slow the stations. Evidently the buffer is full and they need to slow things down so they can free buffer space. Remember that the specification allows the switch to send preamble bits (alternating ones and zeros) to keep the line busy. This shows up as 5s or As in the traces. If the vendor chooses to use another bit pattern, you will see other bit patterns.
To determine the bit pattern for your switches, capture during a busy period and look for frames with suspicious patterns. Disable backpressure on your switch while capturing a trace. See which patterns are missing. Document the information for your co-workers.
If you see a lot of errors like this on your Fast Ethernet segments, look at where the backpressure bits show up in the frames to ensure you don't have a different problem. You may need to segment a network if the switch is unable to keep up with the normal traffic.
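The hex inspection from steps 5 through 10, written as a scan over captured frames. This is an added example, not part of the course material: it finds the longest run of a fill byte in each frame, reports where the run starts, and separates collision-sized runs from longer ones using the 8-byte figure from step 5b. The frames are constructed, and the 4-byte noise floor (min_run) is an assumption.

```python
from itertools import groupby

PREAMBLE_FILL = frozenset({0x55, 0xAA})   # alternating ones and zeros


def longest_fill_run(frame: bytes, fill=PREAMBLE_FILL):
    """Return (offset, length, byte) of the longest run of one fill byte, or None."""
    best, offset = None, 0
    for value, group in groupby(frame):
        length = len(list(group))
        if value in fill and (best is None or length > best[1]):
            best = (offset, length, value)
        offset += length
    return best


def classify(frame: bytes, fill=PREAMBLE_FILL, min_run=4, collision_max=8):
    """Label one frame by the size of its longest fill run.

    min_run is an assumed noise floor; collision_max is the 8-byte figure
    the exercise uses to rule out normal collisions.
    """
    run = longest_fill_run(frame, fill)
    if run is None or run[1] < min_run:
        return "clean", run
    if run[1] <= collision_max:
        return "collision-sized", run
    return "long-fill", run


def summarize(frames, **kwargs):
    """Count labels and report the range of offsets where long fill runs start."""
    counts = {"clean": 0, "collision-sized": 0, "long-fill": 0}
    offsets = []
    for frame in frames:
        label, run = classify(frame, **kwargs)
        counts[label] += 1
        if label == "long-fill":
            offsets.append(run[0])
    span = (min(offsets), max(offsets)) if offsets else None
    bad = len(frames) - counts["clean"]
    return {"counts": counts, "long_fill_offsets": span,
            "percent_damaged": round(100.0 * bad / len(frames), 1)}


# Constructed frames (not taken from the course traces).
SAMPLE = [
    bytes(range(64)),                          # undamaged
    bytes(range(20)) + b"\x55" * 6,            # short jam
    bytes(range(2)) + b"\xaa" * 30,            # fill starts 2 bytes in
    bytes(range(51)) + b"\x55" * 40,           # fill starts 51 bytes in
]
VENDOR = [bytes(range(12)) + b"\xd0" * 16]     # a non-preamble fill pattern

if __name__ == "__main__":
    print(summarize(SAMPLE))
    print(summarize(VENDOR))
    print(summarize(VENDOR, fill=frozenset({0xD0, 0x43, 0x34})))
```

The last call shows why step 10 asks you to document your own switch's pattern: with only 55 and AA in the fill set, a frame filled with D0 bytes is reported as clean.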
1. Open C:\202GUI\Big_bad_rich.caz. What problems does the Expert see and how long did they last? Bad CRC errors at the global layer, lasting 3 minutes, 45 seconds and 723 ms
2. How many DLC objects are shown? Only two, both have NGC cards
3. Look at the Decode window. What type of errors are reported in the status column? CRC, alignment, collision, unknown
4. What conclusions can you draw from what you've learned in class? The 55s are collision data that are the result of the two colliders and the hub all jamming at about the same time. On bigger networks, the jam is accumulated. On small networks, the jam overwrites each other. Result: big networks can have 8 to 12 bytes of jam, small networks can have 0 to 8 bytes of jam, depending on where it started in the frame or preamble. The partial frames showing the conversation from 10.10.0.7 (NGC 100D4E) to 10.10.0.9 (NGC 100EF8) show CRC errors, probably due to a marginal or failing card.
5. Close the window. Stop; do not go on to the next exercise.
Background:
Instructors:
1. Open these two trace files: C:\NAI\202GUI\Hawk10b.enc and Hawk100b.enc. Use Windows > Tile to see both traces' Expert overviews simultaneously.
2. How many frames are in the Hawk10b.enc trace? 130 The Hawk100b.enc trace? 42 (This does not imply that there is a difference in what the Sniffers saw; it may just be a matter of when each was started and stopped.)
3. Note any differences in Expert information here. Hawk10b.enc has 2 ICMP redirect symptoms and 1 Router Storm diagnosis at the Station layer, and 1 WINS No Response diagnosis at the Session layer. Hawk100b.enc has only the router storm diagnosis. There are different object counts at the Session, Connection, Station and Subnet layers, too.
4. Adjust each window so it occupies one half of the screen vertically so you can compare the traces frame by frame. Press F4 to zoom each Summary panel. Look at the frame data so you can align the first matching frames side by side. What are the first two identical frames? Frames 1-5 in each trace are identical. Starting at frame 6, the Hawk100b.enc has frames that are not found in the Hawk10b.enc trace.
5. Let's see if we can filter out some of the frames to get an idea of the criteria this device is using to forward the frames. First let's find out how many are broadcast frames. Create a new profile called Broadcast. Use the Address tab, leave the Address type set to Hardware, then click the + in front of the Broadcast/Multicast Address icon. Scroll down and highlight Broadcast(FFFFFFFFFFFF), drag it to the top Station 1 field, click in the Station 2 top field to select Any, then click OK. Select this filter on each trace. How many frames are there in each trace? Both have 24 broadcast frames, so we know the hub forwarded all of those as it should have.
6. Now go back to your Broadcast filter and click the Exclude button and apply the filter to each of the Decode-tabbed windows again. How many non-broadcast frames are in each trace? Hawk10b.enc has 106 frames, Hawk100b.enc has 18 frames.
7. Click the Host Table tab for each trace and compare the IP addresses. How many hosts are in each trace and which ones appear in each trace? Both traces have 192.168.1.13, 192.168.1.192, 192.168.1.252-255. Hawk10b.enc also has 192.168.1.251, 10.1.1.11, 10.1.1.53, 161.69.33.11, 161.69.5.203
8. Change the layer to MAC. How many DLC addresses are in each trace? The same six devices appear in both traces. This means there is at least one router.
9. What conclusions can you draw from the behavior of this hub/multiport repeater? This device seems to be doing more than bridging the frames between the backplane. It is forwarding frames based on criteria above the datalink layer. Note that only the Ping and ARP frames between .13 and .192 are in the Hawk100b.enc trace. These frames are also in the Hawk10b.enc trace, but there are lots of WINS Refresh Name frames in the Hawk10b.enc that aren't in the Hawk100b.enc trace. All the WINS non-broadcast frames were filtered by the hub on the 100 Mbps port.
10. This seems like non-standard behavior. You may want to do a similar check of any odd connection problems you see on your 10/100 hubs. You may find that this type of behavior might impact what you see on the Sniffer, security devices, network management tools, etc.
11. Enlarge both trace file windows to normal size, then close them. Stop here. Do not go on to the next exercise unless directed by your instructor.
1. Use File > Select Settings to create a new Gigabit agent. Click New. Name it Gigabit and choose the Network Associates Gigabit Ethernet PCI Adapter_x from the Network Adapter drop-down list. Don't copy any settings. Click OK twice. Click OK on the Failed to Set Monitor Mode message. You should see Gigabit, SX in the title bar. Ignore the blinking Channels A and B Link Faults indicator in the title bar.
2. Open C:\202GUI\GBAutonegotiation.cap. This trace has 12 frames captured between channels A and B. Zoom the Detail window and press F8 to advance frame by frame. Note the contents of C1 for each.
Frame 1 2 3 All zeros Asymmetric & Symmetric Pause, Full Duplex Channel A Direction Idle All zeros Channel B
Ack, Asymmetric & Symmetric Pause, Full Duplex Idle All zeros Asymmetric & Symmetric Pause, Full Duplex
6 7 8
10
11 12
3. Though we don't see definitive frames where both agree in this trace, we can assume they will settle on Symmetric Pauses and Full Duplex as the highest common denominator. They will maintain this mode until they are reset or reboot. The rule is to acknowledge after a side has received 3 consecutive identical frames. These devices do not seem to follow the rule. There is no field to indicate the media type in use.
4. Notice the 10 bit decodes in the Hex panel are automatically enabled for autonegotiation signals.
5. The proof of success lies in seeing whether the devices go on to exchange data (we don't see that in this trace). If they do, then the inconsistencies with the specification don't matter. If they don't exchange data, you have the frames to follow to see where the sides disagree and work from that point. Close this file.
6. Open C:\202GUI\GB.cap. You will see in the Expert that this trace file has 5 Time-to-Live Expiring symptoms at the Station layer. We won't worry about those; that's for another course! We can do some examination of the Global symptom of a Bad CRC.
7. Looking in the Decode window, we see that almost every frame has a symptom associated with it. Let's pull in only the frames with bad CRCs. From Display > Define Filter > Profiles > New, name the filter CRC Errors, click Done and OK. On the Advanced tab select only the CRC errors. Now right-click on the Summary window and choose Select Filter from the menu and choose the CRC Errors filter. A new window will open with 24 frames showing CRC and CV (code violation) errors.
8. Use Help > Help Topics > Find. Wait while the help files build. Enter code vi to find the explanation for these. Highlight the Code Violation Errors in the bottom panel and click Display. Close the Help screen when you've learned how the Sniffer makes this determination.
9. Do you see any single source address that might indicate a bad card? No, there are several different IP source addresses, though all of them are sent to the same IP and DLC multicast address.
10. Let's look for evidence of physical damage or other erroneous data in these frames. Tab into the Hex window and press F4 to zoom it. Now press F8 to advance one frame at a time. Do you see evidence of physical damage? No, the frames look pretty normal.
11. Now click back on the Decode tab to view the entire trace again. We'll check to see if any of these frames were retransmitted. Highlight frame 10 and note the IP identification number in the frame. ID = 52848.
12. Right-click and choose Find Frame, type in this ID number in the text search window and click the Detail window radio button, then click OK. Repeat this for a couple of the other CRC error frames. Are they retransmitted? No, they are not, so it appears the other side got them OK.
13. Let's do one last thing with this trace. Right-click over the Hex window and choose 10 Bit so we can see the 10 bit decodes. (This is automatically enabled for Autonegotiation frames, but you must set it manually for gigabit data frames.) Scroll through the Hex window to see how this data looks. You will see some Carrier Extend and idle bits at the end of most of them. Even though Carrier Extend was developed for half-duplex links, one or more are inserted between each frame in full-duplex mode, too.
14. We don't have more information on this trace to tell you how this was resolved. We hope this has given you some confidence that you can use the skills you've learned here to analyze Gigabit Ethernet frames. Use File > Select Settings to return to your 10/100 Ethernet agent.
1. Open the file C:\202GUI\LLCnetb2.cap. You should have 221 frames.
2. View the Detail of frame 1. Is this an Ethernet Version 2 or 802.3 frame? 802.3 frame.
3. Use Display > Display Setup > Summary Display to enable Two-station format and exclude All protocols, then click Logical Link Control to enable only LLC, click OK.
4. Is this an LLC Type 1 (connectionless) or LLC Type 2 (connection-oriented) session? LLC TYPE 2 (connection-oriented). There are send [N(S)] and receive [N(R)] numbers for connection-oriented sequencing. There are also two bytes in the Control Field in the hex window.
5. Which frame starts a new LLC connection? Frame 10 is the SABME
6. Which is the first frame where data is sent? Who sent it? What sequence number is sent? Frame 14 is sent by Intel B41D55 using sequence number 0
7. In which frame does Dell D45AE8 send sequence number 3? 23
8. Which frame shuts down the connection? Who sent it? The Intel B41D55 sends the DISC in frame 107
9. What is the response to this frame? Dell D45AE8 sends a UA in frame 108 and that's the end of this session.
10. What was the purpose of all those frames where no LLC data was sent? Hint: Enable the display of all protocols in Display > Display Setup > Summary Display > enable Show all layers, then click None at the bottom. The first LLC data frame (14) carried the NetBIOS session initialization frame. Frame 18 begins the CIFS/SMB protocol negotiation and account setup process. Once that is done, it appears that the LLC frames are just keep-alives. There is no upper layer activity. CIFS/SMB ends the session in frame 105 and LLC disconnects in frame 107.
11. Close all open windows without saving and disable Two-station format.
12. Shut down the Sniffer. We hope this class will enable you to effectively troubleshoot your Ethernet networks back at your company.
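The decisions in steps 2 and 4 through 9, as an added example that is not part of the course material: telling an 802.3 frame from Ethernet Version 2 by the type/length field, decoding the LLC control field into I, S and U formats, and locating the setup, first data and teardown frames. The control values follow IEEE 802.2; the LLC headers are constructed, with frame numbers chosen to mirror the answers above rather than read from LLCnetb2.cap.

```python
import struct

# Unnumbered (U) control values with the P/F bit (0x10) cleared.
U_NAMES = {0x6F: "SABME", 0x43: "DISC", 0x63: "UA", 0x0F: "DM",
           0x87: "FRMR", 0x03: "UI", 0xAF: "XID", 0xE3: "TEST"}
# Supervisory (S) control values, first control byte.
S_NAMES = {0x01: "RR", 0x05: "RNR", 0x09: "REJ"}


def frame_format(frame: bytes) -> str:
    """Classify a frame by the 2 bytes that follow the source DLC address."""
    (value,) = struct.unpack_from("!H", frame, 12)
    if value <= 1500:
        return "802.3"                      # a length, so an LLC header follows
    return "Ethernet II" if value >= 0x0600 else "undefined"


def decode_llc(llc: bytes) -> dict:
    """Decode DSAP, SSAP and the 1- or 2-byte control field."""
    if len(llc) < 3:
        raise ValueError("LLC header needs at least 3 bytes")
    c1 = llc[2]
    out = {"dsap": llc[0] & 0xFE, "ssap": llc[1] & 0xFE,
           "response": bool(llc[1] & 0x01)}
    if c1 & 0x03 == 0x03:                   # U format: one control byte
        out.update(format="U", name=U_NAMES.get(c1 & 0xEF, "unknown"),
                   pf=bool(c1 & 0x10), control_len=1)
        return out
    if len(llc) < 4:
        raise ValueError("I and S formats carry a 2-byte control field")
    out.update(nr=llc[3] >> 1, pf=bool(llc[3] & 0x01), control_len=2)
    if c1 & 0x01 == 0:                      # I format: carries N(S) and N(R)
        out.update(format="I", name="I", ns=c1 >> 1)
    else:                                   # S format: carries N(R) only
        out.update(format="S", name=S_NAMES.get(c1 & 0x0F, "unknown"))
    return out


def llc_type(headers) -> str:
    """Type 2 if any header has a 2-byte control field or is a SABME."""
    decoded = [decode_llc(h) for h in headers]
    type2 = any(d["control_len"] == 2 or d["name"] == "SABME" for d in decoded)
    return "Type 2" if type2 else "Type 1"


def session_events(numbered: dict) -> dict:
    """Map setup / first_data / teardown to the first frame number showing each."""
    wanted = {"SABME": "setup", "I": "first_data", "DISC": "teardown"}
    events = {}
    for number in sorted(numbered):
        key = wanted.get(decode_llc(numbered[number])["name"])
        if key and key not in events:
            events[key] = number
    return events


# Constructed LLC headers (NetBIOS SAP 0xF0); frame numbers mirror the exercise.
SAMPLE = {
    10: bytes.fromhex("f0f07f"),       # SABME, P=1
    14: bytes.fromhex("f0f00000"),     # I frame, N(S)=0
    23: bytes.fromhex("f0f00606"),     # I frame, N(S)=3
    60: bytes.fromhex("f0f00109"),     # RR poll, N(R)=4 (keep-alive)
    107: bytes.fromhex("f0f053"),      # DISC, P=1
    108: bytes.fromhex("f0f173"),      # UA response, F=1
}

if __name__ == "__main__":
    print(llc_type(SAMPLE.values()), session_events(SAMPLE))
```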