
1-1

Ethernet Network Analysis and Troubleshooting

Network Associates

Sniffer University

Ethernet Network Analysis and Troubleshooting Ethernet Overview and Frame Formats

Section 1 TNV-202-GUI

Slide Title: Ethernet Network Analysis and Troubleshooting, Section 1 of TNV-202-GUI

Section Timing: Start: Day 1, approx. 9 am. Finish: Day 1, approx. 12:00 noon.

Section 1 title slide.

Files: 01_frm_g.PPT, 01_frm_g.DOC
Traces: Mixed01.cap, Mixed02.cap
Exercises: Which Frames are on the Network?; Isolating Frame Types with Pattern Matching (optional); A Surprise at 23:00

Note: Be sure to practice before you teach this new version! You will need to tighten up on all the sections so you will have time to cover the new materials. It will be a challenge! Pace it carefully. There are several new concepts and exercises, so go through the class very carefully before you teach it. Practice all the exercises and look at the trace beyond what we focus on in the exercises so you are not blindsided by questions outside of the exercise. Please remember this instructor guide is a living document. It is not complete to start and is intended to grow with time. Add to your own copy as you gain experience. Please e-mail suggestions to the course Subject Matter Expert (SME) for future updates to the course material.

Page 1 - 1

1-2

Slide Title: NAI Sniffer University


Important Points to Cover:

Logo page. Skip past this quickly.

Original Traces for the Course (all were saved as .CAP files; none were recaptured):
01.CAP 05.CAP 09.CAP 13.CAP 17.CAP 21.CAP (giant.enc) BAD03.CAP BUSY-JAM.CAP HUBPORT1.CAP MIXED-02.CAP 02.CAP 06.CAP 10.CAP 14.CAP 18.CAP 100MBFIL.CAP BADCABLE.CAP COL100_3.CAP HUBPORT2.CAP SCBRIDGE.CAP 03.CAP 07.CAP 11.CAP 15.CAP 19.CAP BACKPRES.CAP BADCRC.CAP FRAGS.CAP JABBER.CAP TCPDEMO6.CAP 04.CAP 08.CAP 12.CAP 16.CAP 20.CAP BACKPRES2.CAP BADCRC-1.CAP HUB6ARC.CAZ MIXED-01.CAP

New traces added in version 4.0


Name: GB.CAP Gigabit data trace GBAUTONEGOTIATION.CAP Gigabit autonegotiation VLANProb.caz Cisco ISL VLAN VLANprob2.cap Cisco ISL VLAN Hawk10b.enc & Hawk100b.enc Jabtest.enc (1 frame) Overtest.cap Big_Bad_Rich.caz Llcnetb2.cap Bcast.cap 8021Q-gig.cap 8021q.cap
Source: Sniffer Pro 4.0 Samples Directory HQ server HQ lab trace filtered to remove HQ names & info HQ lab trace filtered to remove HQ names & info Steve Hammill classroom setup traces HQ engineering HQ Engineering Don Prefontaine created in an on-site class Bev Mannes home network 303 trace file HQ engineering (Subset of dc_01.caz) HQ engineering
Speed: 1000 1000 100 100 10 100 10 10 100 100 10 1000 100
Course Location: Screen caps 2 Exercises Screen caps 2 exercises Screen caps & exercise Screen Cap Demo Exercise Screen shot Extra-demo Exercise LLC exercise Exercise Demo, screen cap Screen caps & exercise

Page 1 - 2

Housekeeping
1-3
BREAKS LUNCH TELEPHONES
Call the office Net Down!!!

BEEPERS IN SILENT MODE CELL PHONES IN SILENT MODE REST ROOMS EMERGENCY INFORMATION

QUESTIONS

All phone calls must be made outside the classroom during breaks.

Slide Title: Housekeeping


Important Points to Cover:
Use your normal way of presenting this information.
Instructor History
Paperwork (Student information forms)
Student Introductions: Company name; Operating systems; Connection technologies at their site; Networking experience, etc.
Location of: Exits; Washrooms; Telephones; Lunchroom or lunch arrangements
Time intervals: Break; Lunch; Start; Finish
Note: You may negotiate different start and end times provided it does not place undue hardship on anyone in the class.
Instructor availability

Page 1 - 3

1-4

Use Your Trace File CD for the exercises in this class

Thank You!

Students are not permitted to audio or video tape the course presentation. Duplication of Course Materials or the Trace File CD is strictly prohibited by copyright.

The Trace File CD that comes with this manual contains:
All Class Traces - which can be copied to the C:\ drive or used in the CD-ROM Drive
Reference materials - ATM Forum Docs, RFCs, Product Guides and other Documentation

Slide Title: Thank You!


Important Points to Cover:

Keep going. Briefly review the policy. The trace files for this class are placed in the 202GUI directory on the trace file CD in the student manual. Mention that there are additional trace files that are copied to Sniffer Pro's program directory if they would like to practice with those samples.

Page 1 - 4

1-5

Sniffer University's Total Network Visibility Curriculum


Interconnection Concepts & Troubleshooting

Upper-Layer Analysis & Troubleshooting Technologies TCP/IP Applications: Concepts & Troubleshooting
TCP/IP Network Analysis & Troubleshooting

Microsoft Windows NT & Windows 2000 Network

Network Interfaces Tools & Systems

ATM Network Analysis & Troubleshooting
WAN Analysis & Troubleshooting
Token Ring Network Analysis & Troubleshooting
Ethernet Network Analysis & Troubleshooting
Implementing Distributed Sniffer System / RMON Pro
Troubleshooting with the Sniffer Pro Network Analyzer
Sniffer Pro for DOS Sniffer Experts

Visit our website for more information on our classes and a current schedule: www.sniffer.com >> follow the Sniffer University Links

Slide Title: Sniffer University's TNV Curriculum


Important Points to Cover:

These are the 11 active courses in the curriculum as of Oct 2, 2000 for Version 4.0. Point out where you are in the curriculum. Mention other GUI courses available and highlight next-step courses such as: 3-day WAN (TNV-207-GUI); 5-day TCP/IP curriculum (TNV-303-GUI and TNV-304-GUI); 5-day ATM (TNV-218-GUI). Keep going.

Page 1 - 5

Table of Contents
Course Overview: Page 1-7
Day 1
Ethernet Frame Formats: Page 1-18
Ethernet Sniffer Pro Hardware: Page 2-1
Ethernet Physical and Data Link Layers: Page 3-1
Timing Specifications: Page 3-25
Troubleshooting Tips: Page 4-1
Ethernet Bridging and Switching Concepts: Page 5-1
Day 2
Bridges: Page 5-3
Switches: Page 5-15
VLAN Tagging: Page 5-27
100 Mbps Fast Ethernet: Page 6-1
Full Duplex Ethernet: Page 7-1
Gigabit Ethernet: Page 8-1
Optional Technologies - LLC and Coax: Page 9-1
Glossary of Terms: Page 9-41
Student Exercises: Page 10-1

1-6

Slide Title: Table of Contents


Important Points to Cover:

Run down the list of topics. Mainly here for student reference. Use this to let them know what we will cover in class. The redundant list after this was removed. A dotted line has been added to give the students an indication of when the topics will be covered.

Timing: A guideline for timing:
Day one: Morning: Section 1 and 2. Afternoon: Section 3.
Day two: Morning: Section 4 and Section 5 (Bridges). Afternoon: Section 5 (Switches), Sections 6-8.
Optional: Logical Link Control

Page 1 - 6

1-7

Course Overview

Slide Title: Course Overview


Important Points to Cover:

Standard title slide only.

Page 1 - 7

Course Objectives
1-8

Upon completion of the course, you will be able to:
Discuss the details of the Ethernet (802.3) specification
Effectively use the Sniffer Pro analyzer to manage and troubleshoot Ethernet LANs
Use practical hands-on troubleshooting methods and partner with the Network Associates Sniffer Pro Network Analyzer in Ethernet environments

Slide Title: Course Objectives


Important Points to Cover:

We are here to learn something about Ethernet technology, how to use the Sniffer Pro analyzer in an Ethernet environment, and how to interpret the data captured. State the course objectives.

Page 1 - 8

Prerequisites
1-9

Basic LAN knowledge and experience using the Sniffer Pro Analyzer
TNV-101-GUI: Troubleshooting with the Sniffer Pro Network Analyzer or TNV-112-GUI: Sniffer Pro for DOS Sniffer Experts

Slide Title: Prerequisites


Important Points to Cover:

Cover quickly. Determine if all of the students meet the prereqs and discuss any problems if you have some that have not taken TNV-101-GUI or TNV-112-GUI.

Page 1 - 9

OSI Functional Protocol Layers


1-10

The Session, Presentation, and Application layers are not clearly differentiated in most network protocols
The Transport layer provides for communications between programs
The Network layer provides for communications between devices

Ethernet Layers
The Data Link layer provides for communications between electrical end-points (network interface cards)
The Physical layer provides the conductive path that includes media, connectors, electrical or optical signaling levels and coding characteristics

Slide Title: OSI Functional Protocol Layers


Important Points to Cover:

This is now a build slide that builds on mouse clicks. The Ethernet layers are set off to emphasize this is where the Ethernet specifications reside. Everything else is upper layer to Ethernet. Review the functions of each layer, so the students may apply the binary search method against the OSI stack. Upper Layer protocols control the communications between the applications themselves. They are connection-oriented and take care of any error handling not done by the lower layers. Transport protocols can be connection or connectionless. If connection oriented, then we can determine whether or not the network is good by simply following the sequence numbers. Network layer protocols are also connectionless. All of the protocols in the layers above Ethernet are taught in many other Sniffer University courses. We will not focus on them here. Physical and data link are the layers directly involved in Ethernet. All these processes (without LLC) are connectionless.

Page 1 - 10

IEEE 802 Standards


1-11

802.10 LAN/MAN Security
802.2 Logical Link Control (LLC) describes peer-to-peer procedures for the transfer of information and control between any pair of Service Access Points on any 802.X LAN
802.1B LAN/MAN Management
802.1D MAC Bridging
802.1E System Load Protocol
802.1F Common Definitions & procedures
802.1G Remote Media Access Control Bridging
802.1H MAC Bridging of Ethernet in V2.0 in LANs
802.3 CSMA/CD Medium Access
802.4 Token Passing Medium Access over bus Physical Layer
802.5 Token Passing Medium Access over ring Physical Layer
802.6 Distributed Queue Dual Bus Medium Access Physical Layer
802.9 Integrated Services at Medium Access Physical Layer
802.11 Wireless Medium Access
802.12 Demand Priority Medium Access

[Diagram layer labels: Data Link Layer, Physical Layer]

The lower part of the Data Link Layer is called the MAC layer, an abbreviation for Media Access Control. In addition, 802.14 Standard Protocol for Cable-TV-based Broadband Communication Network is another protocol in development in 1998. The 802.7 standard is a recommended practice for common Physical Layer technologies, IEEE Recommended Practice for Broadband Local Area Networks. The ANSI number for the 802.3 1996 edition of the specs is 8802-3:1996. IEEE Specifications can be purchased through http://www.ieee.com

Slide Title: IEEE 802 Standards


Important Points to Cover:

History of where the Standards came from. The relationship among the standards committees. This is the official IEEE diagram based on the drawing in the IEEE Std 802.3ab -1999. The 802.1 layer has the bridging standards listed individually and 802.14 for Cable-TV based broadband is not on this drawing due to space constraints.

Page 1 - 11

Major IEEE Ethernet Standards


1-12

802.3 (1985): Carrier Sense Multiple Access with Collision Detection (Original Ethernet Specification)
802.3u (1995): Media Access Control (MAC) Parameters, Physical Layer, Medium Attachment Units and Repeater for 100 Mb/s Operation, Type 100BASE-T
802.3x (1997): Specification for Full Duplex Operation
802.3z (1998): Media Access Control Parameters, Physical Layers, Repeater and Management Parameters for 1000 Mb/s (Gigabit) Operation
802.3ab (1999): Physical Layer parameters for 1000 Mb/s Operation over 4-Pair Cat 5 Balanced Copper Cabling, Type 1000BASE-T
802.3ac (1998): Carrier Sense Multiple Access with Collision Detection (CSMA/CD) frame extensions for Virtual Bridged Local Area Networks (VLAN) tagging on 802.3 networks
802.3ad (2000): Carrier Sense Multiple Access with Collision Detection (CSMA/CD) access method and physical layer specification - Aggregation of Multiple Link Segments (Parallel Point-to-Point link segments)

Many other specification documents cover many facets of the Ethernet specifications. A complete list is available from the IEEE web site. WIP = Work in Process

Slide Title: Major IEEE Ethernet Standards


Important Points to Cover:

This is a quick list of the Ethernet standards we will cover in this class. It is not a comprehensive list, since there are numerous other addenda, as seen by the lettering of the standards. You might want to note the large gap between the original 802.3 standard approved in 1985 and the u standard approved in 1995. This does not mean there was no change in 10 years. Quite the contrary: the original spec was improved for thin coax, then twisted pair, and all the other changes to devices were defined in the a through t addenda.

Page 1 - 12

Ethernet Evolution
1-13

1972: Work on Ethernet begins at Xerox PARC
1982: V2 Ethernet Spec completed by DEC, Intel and Xerox
1983: Novell NetWare Proprietary Frame
1985: IEEE 802.3
1990: 10Base-T
1993: Ethernet Switching
1995: Fast Ethernet (802.3u)
1996: Gigabit Ethernet proposed. Switch sales exceed shared hubs
1997: Full Duplex (802.3x)
1998: Gigabit standard (802.3z), VLANs
2000: Terabit stds in process

Design Goals:
1. Definition simplicity
2. Efficient use of shared resources
3. Ease of reconfiguration and maintenance
4. Compatibility
5. Low cost

V1 Ethernet: Used an unbalanced signaling method (+5 volts referenced against ground).
V2 Ethernet: Used a balanced signaling method (+5, -5 volts). Added SQE (Heartbeat).
802.3: Added jabber inhibit. Specified thick coax, thin coax, twisted pair cabling and fiber.
V1 and V2: Specified thick coax cable. Cannot co-exist on the same segment due to the different signaling methods.

V2 and 802.3: Can co-exist on the same segment, as the same signaling methods are used.

Slide Title: Ethernet Evolution


Important Points to Cover:

Discuss the milestones and the Design Goals. New dates and milestones have been added. All frame types that use CSMA/CD are now valid 802.3.

Page 1 - 13

Media Evolution
1-14

[Figure: media evolution]
Media shown: Thick Coax, Thin Coax, Twisted Pair, Optical Fiber & Twinax
Connector labels: DB15 connectors attach to external transceiver with AUI cable; BNC connectors with T connectors; RJ45 connectors; RJ45 connectors

Slide Title: Media Evolution


Important Points to Cover:

New Slide. Do just a quick review of how Ethernet media has changed over the years. We started with the old thick cable in the ceiling. Then thin coax took over. Twisted pair changed the whole layout of the network structure, bringing all the connections back to the wiring closet. Cat 3 evolved to cat 4, evolved to cat 5, now on to cat 6, 7? Cables attach to connectors in the wall or cube, the wire then goes to a punch-down block and finally to a hub or switch. Dedicated wires for receive and transmit meant that cards could no longer listen on the same wire, so new ways of learning of collisions had to be developed. The latest is optical fiber. This is generally used as a backbone or for high-speed servers. Our diagram shows the ordinary users connected with cat 5 cabling with an uplink on the hub or switch to the high-speed optical backbone. High performance servers may be connected directly with optical cable. There is mention of Twinax on the bottom. It is used in one Gigabit Ethernet configuration.

Page 1 - 14

Media Access Evolution


1-15
[Figure: media access evolution, four configurations]
Shared media half-duplex with collisions
Hub or Concentrator: Dedicated RX/TX lines. Shared media half-duplex with collisions
Switch: Dedicated RX/TX lines. Dedicated media half-duplex with carrier sense and collision detection (collisions avoided)
Switch: Dedicated RX/TX lines. Dedicated media full-duplex without carrier sense or collision detection

Coax cables are broadcast in nature. Every station sees every signal on the wire. Each must wait its turn to use the wire and only one signal can be on the wire at a time. Twisted pair cabling provides dedicated receive and transmit wires in the cable, but only one wire can be active at a time. Concentrators or hubs repeat the signals out to all stations attached, so each station must sense whether the wire is busy, wait the interframe gap and sense collisions and retransmit if a collision occurs. The introduction of full duplex connections allowed bandwidth to double, since each direction can be busy simultaneously. The advent of the switch allowed dedicated connections between two devices in a switched temporary point-to-point connection. Even though collisions are avoided in this configuration, the same adapter cards are used, so the devices still sense for carrier, wait the interframe gap and sense collisions. When faster technologies were introduced, full duplex switched point-to-point connections allowed signals on each wire simultaneously. Since the links are point-to-point, there is no need to sense carrier or detect collisions.

Slide Title: Media Access Evolution


Important Points to Cover:

New Slide. This attempts to show how access to the wire has changed over the years. The birth of CSMA/CD meant everyone listening, waiting their turn, then transmitting while listening for collisions. The cards can either send or receive, not both simultaneously. All of the newer technologies still have this as the basis for their specifications. The introduction of twisted pair wiring to a central repeater still maintained the need for CSMA/CD, since everything received on one port was repeated out to all the others. When full duplex was developed, each device had two lines in a point-to-point connection to the other end. There was no need to wait for the line; you always had access to the receive port on the other side. But the listen-and-wait and retry was maintained for backward compatibility. With the introduction of switches, every port is its own collision domain. Collisions are almost non-existent. But there still is the little matter of being able to talk to the older NICs and devices, so even the faster devices know how to deal with CSMA/CD.

Page 1 - 15

Summary of Ethernet Features


1-16

Uses Carrier Sense Multiple Access/Collision Detection (CSMA/CD) for its media access control
    Switches and faster technologies avoid collisions with dedicated and/or full-duplex connections
Original specifications defined as a bus technology
    Usually installed as a star topology today
Variable size frames
Best effort delivery
Various data encoding techniques are used

The minimum frame size is 64 bytes. This includes 4 bytes of frame check sequence but does not include the 8 bytes of preamble sequence. The maximum frame size is 1518 bytes including CRC.

Slide Title: Summary of Ethernet Features


Important Points to Cover:

Original specifications are based on bus technology and CSMA/CD. CSMA/CD has always been the defining feature of Ethernet. With the introduction of switches and Full Duplex Ethernet, this can no longer be the feature common to all varieties, since some don't use carrier sense (CS), are not multiple access (MA), and do not have collisions to detect (CD). Nevertheless, there are other details that have been maintained through all the iterations, so the name has stuck. This is the beginning of the real class.

Page 1 - 16

Digital Signal Encoding


1-17

[Figure: waveforms for TTL, Manchester (10 Mbps Ethernet) and Differential Manchester (Token Ring), drawn across six bit cells with the bit cell boundaries marked]

TTL is used on circuit boards
Manchester Encoding is used in 10 Mb/s Ethernet/802.3
Differential Manchester Encoding is used by Token Ring/802.5
Faster Technologies use different encoding schemes

Manchester and Differential Manchester encoding are methods of embedding the clock into the data stream so the adapter can determine whether a bit is a one or a zero. TTL has no timing encoded in the data. It is used on circuit boards where synchronized clocking can be applied to multiple circuits. The encoding techniques for Fast Ethernet and Gigabit Ethernet are covered in section five.

Slide Title: Digital Signal Encoding


Important Points to Cover:

Don't dwell on this slide. It is only really important for the students to understand that the timing is embedded in the data stream so that adapters can tell a 1 from a 0. Fast Ethernet and Gigabit Ethernet use different encoding methods. They will be covered in their respective sections.

Page 1 - 17

1-18

Ethernet Frame Formats


Slide Title: Ethernet Frame Formats


Important Points to Cover:

Topic Title slide only. Keep going.

Page 1 - 18

Section Objectives
1-19

Upon completion of this section, you will be able to:
Describe protocol concepts
Differentiate between Ethernet Frame Formats
Recognize network configuration issues with different frame formats
Identify frame format incompatibilities

Slide Title: Section Objectives


Important Points to Cover:

State the objectives for this section. This prepares the students and sets expectations about the desired outcome of learning this information.

Page 1 - 19

Ethernet Frame Formats


1-20

Frame Type     Detail Window Label               Expert DLC Label
Version 2      Ethertype                         Ethertype
Novell Raw     802.3 length but no LLC header    802.3
802.3          802.3 length and LLC header       802.3
802.3 SNAP     SAP = AA, then SNAP Header        802.3

LLC: Logical Link Control. A protocol that provides connection control and multiplexing to subsequent embedded protocols; standardized as IEEE 802.2 and ISO/DIS 8802/2.

SAP: Service Access Point. (1) A small number used by convention or established by a standards group, that defines the format of subsequent LLC data; a means of demultiplexing alternative protocols supported by LLC. (2) Service Advertising Protocol. Used by NetWare servers to broadcast the names and locations of servers and to send a specific response to any station that queries it.

SNAP: Sub-Network Access Protocol (also sometimes called Sub-Network Access Convergence Protocol). An extension to IEEE 802.2 LLC that permits a station to have multiple network-layer protocols. The protocol specifies that DSAP and SSAP addresses must be AA hex. A field subsequent to SSAP identifies one specific protocol. Interpreted in the TCP/IP PI suite and the AppleTalk PI suite. (See RFC 1042 for further information on SNAP.)

MAC frames are used in Full Duplex Ethernet.

The Expert Detail Panel shows the frame type associated with each device at the DLC layer.

Slide Title: Ethernet Frame Formats


Important Points to Cover:

This is a list of what we will cover in the next set of slides. Ethertype, LLC DSAP and SSAP are addresses. SNAP defines a different location in the frame for the address of the receiving process. NetWare originally started with a proprietary frame but now supports everything. Carrier extend and MAC Control are mentioned in this section, but will be explained fully in section five.

Page 1 - 20

Ethernet Version 2 Frame


1-21

Field (bytes): Preamble (8) | Dest (6) | Source (6) | Type (2) | Data (46 - 1500) | CRC (4)
Preamble bit pattern: 1010...10101011
[Figure label: Sniffer Pro Capture Range]

Preamble: 64 bits (8 bytes) of synchronization
Destination: (6 bytes) address of destination node
Source: (6 bytes) address of source node
Type: (2 bytes) specifies upper-layer protocol
Data: Data link layer views all information handed to it by higher layers as data, whether it is protocol information or user data
CRC: Cyclic Redundancy Check, Frame Check Sequence (FCS), or checksum value

Ethertypes are managed by Xerox.

Slide Title: Ethernet Version 2 Frame Format


Important Points to Cover:

Emphasize the preamble and its function. Hit the bit pattern and reference the AAAAs and 55555s. Demo: Demonstrate frame structure with TCPDEMO6.CAP. Walk the students through performing a pattern match on a version two Ethertype. Repeat this for each frame type, each time using a different match. Be sure to name the matches. After the last frame type in this section, walk the students through saving setups so that they now have a predefined filter that can be used later.

Page 1 - 21

Ethernet Version 2 Data Link Layer


1-22

[Figure: Network Layer; Data Link Control Layer; Physical Layer. Non-IEEE Networks (e.g., Ethernet, ARCNET, Local Talk)]

Pre-dates IEEE specs
Identifies the hardware address of the adapters for both receiving and sending stations
Identifies the receiving process with a two byte Type field in the DLC header
Requires the Network Layer to ensure a minimum packet size of 46 bytes of data
Only provides connectionless services

Slide Title: Ethernet Version 2 Data Link Layer


Important Points to Cover:

Information on slide should suffice.

Page 1 - 22

Novell NetWare 802.3 Raw Frame


1-23

Field (bytes): Preamble (8) | Dest (6) | Source (6) | Length (2) | Data (begins FFFF) | CRC (4)
Preamble bit pattern: 1010...10101011
[Figure label: Sniffer Pro Capture Range]

Preamble: 64 bits (8 bytes) of synchronization
Destination: (6 bytes) address of destination node
Source: (6 bytes) address of source node
Length: (2 bytes) specifies the number of bytes (46-1500) in the data field
Data: IPX Header starting with 2 bytes checksum (usually FFFF) followed by NetWare higher layers (data)
CRC: Cyclic Redundancy Check, Frame Check Sequence (FCS), or checksum value

Novell developed their frame type before the IEEE committee was finished. As a result, they identified the length but did not use LLC. This is not a problem provided all stations use the same frame type. It does have a negative impact on IEEE compliant implementations when Novell issues broadcast frames. Service Access Point of FF is the broadcast SAP. All stations have to copy.

Slide Title: Novell NetWare 802.3 Raw Frame Format


Important Points to Cover:

Use a third match as you take the students through this process. If performed correctly, you will certainly speed up the exercises at the end of this section, if not eliminate them. Point out that Novell's frame type was defined while the IEEE committees were still meeting. It really did not matter, since one only installed a single operating system. We were not designing enterprise networks with LANs and we certainly were not interfacing a lot of dissimilar systems. In today's environment, however, it is definitely an issue.

Page 1 - 23

802.3 Raw Data Link Layer


1-24

[Figure: Network Layer; Data Link Layer (Media Access Control Sublayer); Physical Layer. IEEE Networks (e.g., 1BASE5, 802.3, 802.5)]

Only uses the bottom half of the DLC Layer
MAC layer contains hardware addresses of destination and sending stations
Uses a two byte length identifier
Does not use LLC
Specified while IEEE was formulating 802.3 specs
MAC Layer ensures minimum frame length

Slide Title: 802.3 Raw Data Link Layer


Important Points to Cover:

NetWare IEEE 802.3. Information on slide should suffice.

Page 1 - 24

IEEE 802.3 Frame


1-25

Field order: Preamble | SFD | DA | SA | Length | DSAP | SSAP | Control (1 or 2 bytes) | Data + Pad (42 - 1497 bytes) | CRC
Preamble and SFD bit pattern: 1010...10101011
[Figure labels: Logical Link Control (LLC) 802.2; Sniffer Pro Capture Range]

Preamble: 56 bits (7 bytes) of synchronization
SFD: (1 byte) start frame delimiter (transition from synch to DA)
DA: (6 bytes) Destination Address: address of destination node
SA: (6 bytes) Source Address: address of source node
Length: (2 bytes) specifies the number of bytes (3-1500) in the LLC and data fields
DSAP: (1 byte) Destination Service Access Point; receiving process at destination
SSAP: (1 byte) Source Service Access Point; sending process in source
Control: (1 byte) Various control information (2 bytes for connection-oriented LLC)
Data/Pad: The upper-layer protocol information, if any. The MAC layer pads the field to ensure overall 64-byte minimum frame size requirement
CRC: Cyclic Redundancy Check, Frame Check Sequence (FCS), or checksum value

Stations know if a frame is Version 2 or 802.3 by evaluating the 2 bytes following the source address. If they are greater than 05DC hex (1500 decimal), then the frame is Version 2; if they are less, they are assumed to be a length field. IEEE defines the preamble as 56 bits (7 bytes) of alternating 10101010...etc., followed by 8 bits (1 byte) of starting delimiter with bit pattern of 10101011.


Slide Title: IEEE 802.3 Frame Format


Important Points to Cover:

Repeat of previous page. Be sure to select a different match and to disable the first match. Stations know if a frame is Version 2 or 802.3 by evaluating the 2 bytes following the source address. If they are greater than 05DC hex (1500 decimal), then the frame is Version 2; if they are less, they are assumed to be a length field. Note: the exception is PUP, which uses Ethertype 2. (PUP stands for PARC Universal Packet.)

Page 1 - 25

IEEE 802.3 Data Link Layer


1-26
Network Layer
Data Link Layer: Logical Link Control Sublayer, Media Access Control Sublayer
Physical Layer

IEEE Networks (e.g., 1BASE5, 802.3, 802.5)

Splits the DLC layer into two distinct sublayers
MAC layer contains hardware addresses of destination and sending stations
Provides LLC services
Receiving and sending processes identified by SAP addressing
Accommodates both connectionless and connection oriented implementations
Provides for the use of SNAP
MAC Layer ensures minimum frame length


Slide Title: IEEE 802.3 Data Link Layer


Important Points to Cover:

Information on slide should suffice.

Page 1 - 26

IEEE 802.3 SNAP Frame


1-27
Field (bytes): Preamble (7), SFD (1), DA (6), SA (6), Length (2), DSAP (AA), SSAP (AA), Control (1), Vndr Code (3), Type (2), Data + Pad (38 - 1492), CRC (4)
Preamble and SFD bit pattern: 1010...10101011
Diagram labels: Logical Link Control (LLC) 802.2; SNAP Header; Sniffer Pro Capture Range

Preamble: 56 bits (7 bytes) of synchronization
SFD: (1 byte) start frame delimiter
DA: (6 bytes) Destination Address: address of destination node
SA: (6 bytes) Source Address: address of source node
Length: (2 bytes) specifies the number of bytes (3-1500) in the LLC and data fields
DSAP: (1 byte) Destination Service Access Point; receiving process at destination
SSAP: (1 byte) Source Service Access Point; sending process in source
Control: (1 byte) Various control information
SNAP: (5 bytes) First three bytes identify the vendor. Last two bytes identify the protocol
Data: The data link layer views all information handed to it by higher layers as data, whether it is protocol information or user data
Pad: Pads frame to minimum of 46 bytes total for the data and LLC (so collisions can be detected)
CRC: Cyclic Redundancy Check Frame Check Sequence (FCS), or checksum value

SNAP allows vendors who do not have an assigned Service Access Point to become IEEE compliant. Service Access Point of AA identifies a SNAP header immediately following the LLC header. A SNAP header is five bytes. The first three bytes identify the vendor and the last two bytes identify the protocol used. The first three bytes (the vendor ID) are usually padded with zeroes. The version 2 Ethertype is generally used as the identifier.


Slide Title: IEEE 802.3 SNAP Format


Important Points to Cover:

Finish with the pattern match and save setups. TIP: TCPDEMO6 is a good trace to use to show this.

Page 1 - 27

IEEE 802.3 SNAP Data Link Layer


1-28
Network Layer
Data Link Layer: SNAP, LLC, Media Access Control Sublayer
Physical Layer

IEEE Networks (e.g., 1BASE5, 802.3, 802.5)

SNAP (Sub-Network Access Protocol)
SNAP is a sub-set of LLC
Allows Protocols without an assigned IEEE SAP to implement an IEEE compliant MAC layer
Provides for an additional 5 byte header to specify the receiving process (three bytes identify the vendor and two bytes identify the protocol)
MAC layer contains hardware addresses of destination and sending stations
MAC Layer ensures minimum frame length


Slide Title: IEEE 802.3 SNAP Data Link Layer


Important Points to Cover:

Is a subset of LLC.

Page 1 - 28

IEEE Ethernet Frame Evolution


1-29

Version 2 was historically not an IEEE recognized frame
As of 1997, it is a part of the Ethernet frame formats
The field formerly called the length field by IEEE is now labeled length/type field
This provides backward compatibility for version 2

Field (bytes): Preamble (7), SFD (1), DA (6), SA (6), Length, crossed out and relabeled Length/Type (2), DSAP (1), SSAP (1), Control (1 or 2), Data + Pad (42 - 1497), CRC (4)

Length/Type values:
0-1500 = Length
1501-1535 reserved
1536 - 65,535 = Type


Slide Title: IEEE Ethernet Frame Evolution


Important Points to Cover:

This is an automated build slide that will display on a timer. Don't click until you're ready for the next slide! A + in the lower left corner of the build slides tells you how many clicks you need before it goes to the next slide. When there is no number after the +, the slide is totally automated. The next click shows the next slide. This brings the previous information into the present definition of the Ethernet frame type. Point out the field values at the bottom that devices use to tell what type of frame is arriving. Of course, they've always done it this way, but now the specification matches the process.

Page 1 - 29

Ethertypes and SAPs


1-30
E-Type         Value
NetWare        8137
XNS            0600, 0807
IP             0800
IP (VINES)     0BAD, 80C4
ARP            0806
RARP           8035
DRP            6003
LAT            6004
LAVC           6007
ARP (ATalk)    80F3

SAP            Value
NetWare        E0
XNS            80
NetBIOS        F0
IP             06
BPDU           42
SNA            04, 05, 08, 0C
X.25           7E
ISO            20, 34, EC, FE, 14, 54
SNAP           AA

Note: A comprehensive listing of Ethertypes and SAPs is in the appendix. Http://www.iana.org keeps an updated list of Ethertypes. SnifferPro maintains a list of the Ethertypes and SAPs and decodes the Upper Layer Protocols (ULP) based on the Ethertype or SAP found in the Data Link header.


Slide Title: Ethertypes and SAPs


Important Points to Cover:

There is a more complete list from the Sniffer Pro analyzer's main menu.

Demo: Go to Define Filters and demonstrate for the students the protocol filters. Use data pattern matching to filter on specific SAPs and Ethertypes.

Page 1 - 30

Determining Ethernet Frame Types


1-31
Start here

1. Observe the hex value of the field following the DLC source address. Is the value of the field greater than 5DC hex?
   YES: You have just determined that the frame is an Ethernet version 2 frame. Look at the Ethertype values to determine what ULP the frame is carrying. STOP
   NO: Look at the 2 bytes at offset E.

2. Are the 2 bytes equal to FF FF hex?
   YES: You have just determined that the frame is a Novell 802.3 raw frame. STOP
   NO: Continue with the next question.

3. Are the 2 bytes at offset E equal to AA AA hex?
   YES: You have just determined that the frame is an 802.3 SNAP frame. Look at the Ethertype values to determine what ULP the frame is carrying. STOP
   NO: You have just determined that the frame is a standard 802.3 frame. Look at the SAP values to determine what ULP the frame is carrying. STOP

+3


Slide Title: Determining Ethernet Frame Types


Important Points to Cover:

Student reference. This is a semi-automated build slide. There are 3 clicks; one at each stop sign after each determination has been made.

Page 1 - 31

Expert Shows Frame Types


The DLC Layer Objects show the frame types received and transmitted
Shows only as Ethertype or 802.3

Version 2 frames are shown as Ethertype Frames. All others are shown as 802.3 Frames.


1-32


Slide Title: Expert Shows Frame Types


Important Points to Cover:

Student reference. You may want to demonstrate this with a trace file. Beware, only Ethertype frames are differentiated in this window. All the other frames show up as 802.3.

Page 1 - 32

Examine the DLC Details


1-33

Version 2 Frame

802.3 Frame


Slide Title: Examine the DLC Details


Important Points to Cover:

This is a quick visual shot of how version 2 and 802.3 frames appear in the Detail window.
802.3 Ethernet II
802.3 Frame
Demo: Mixed01.cap frame 1
Demo: Mixed01.cap frame 75

Page 1 - 33

Examine the DLC Details


1-34

NetWare Raw Frame


SNAP Frame


Slide Title: Examine the DLC Details


Important Points to Cover:

This is a quick visual shot of how NetWare raw and SNAP frames appear in the Detail window.
802.3 SNAP Demo: TCPDEMO6.CAP frame 547
802.3 Raw Demo: Mixed01.cap frame 22

Page 1 - 34

Sniffer Pro Filter Elimination Patterns


1-35

To filter Version 2, use the Ethertype
To filter 802.3, use the SAP
To filter NetWare, use the FFFF checksum bytes
  If the checksum is in use, use the IPX Packet Type (but be careful, because a one-byte pattern match may be ambiguous)
To filter SNAP, use DSAP and SSAP equal to AA

By determining what frame formats are in use on the network, you can make sure no incompatibilities exist

Screen shot callouts:
Highlight frame in Summary window before accessing this window
Create a new profile
Summary of the match will build here
Choose your operand first then click Add Pattern
Change Frame
1) Highlight the data in the Detail window
2) Click Set Data
3) Data will be pasted into the pattern area
4) Click OK
Choose your next operand and repeat the steps until all your matches are pasted in


Slide Title: Sniffer Pro Filter Elimination Patterns


Important Points to Cover:

This replaces the several data pattern match slides in the previous version of the course. Those screen shots are placed in the student notes on this page for their reference. The exercise that used pattern matching has been replaced by one using the Expert.

Page 1 - 35

So How Does This Matter?


1-36

Devices using different frame formats will not be able to communicate directly
  They must send their frames to a translating bridge or router which converts and forwards the frames
  This creates a local router situation which doubles the traffic
Devices configured with multiple unnecessary frame formats load the network
  NetWare servers RIP and SAP for each frame type
Upper Layer Protocols expect a certain frame type and may not be able to communicate if the wrong frame type is in use


Slide Title: So How Does This Matter?


Important Points to Cover:

New Slide. This helps to link this information to practical uses for the information.
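
The decision flow from the "Determining Ethernet Frame Types" slide, extended to the check this slide motivates (one upper-layer protocol carried in more than one frame format), as an added Python example that is not part of the course material or of Sniffer Pro. It assumes each captured frame starts at the destination address with no preamble or CRC; the names classify, format_conflicts and build_sample and the sample frames are constructed for illustration, and values 1501-1535 are reported as reserved per the Frame Evolution slide.

```python
from collections import defaultdict

# Subset of the values listed on the "Ethertypes and SAPs" slide.
ETHERTYPES = {0x8137: "NetWare", 0x0600: "XNS", 0x0807: "XNS", 0x0800: "IP",
              0x0806: "ARP", 0x8035: "RARP", 0x80F3: "ARP (ATalk)"}
SAPS = {0xE0: "NetWare", 0x80: "XNS", 0xF0: "NetBIOS", 0x06: "IP",
        0x42: "BPDU", 0x04: "SNA", 0x7E: "X.25", 0xFE: "ISO"}

V2, RAW, SNAP, LLC = ("Ethernet Version 2", "Novell 802.3 raw",
                      "802.3 SNAP", "802.3")


def classify(frame: bytes):
    """Return (frame_format, upper_layer_protocol) for one captured frame.

    Assumption: the capture starts at the destination address, so the
    length/type field sits at offset 0x0C and the bytes the flowchart
    inspects next sit at offset 0x0E.
    """
    if len(frame) < 16:
        return ("truncated", None)
    field = int.from_bytes(frame[12:14], "big")
    if field >= 0x0600:                       # 1536 - 65,535 = Type
        return (V2, ETHERTYPES.get(field, f"Ethertype {field:04X}"))
    if field > 0x05DC:                        # 1501 - 1535 reserved
        return ("reserved length/type value", None)
    # 0 - 1500 = Length: the next two bytes pick the 802.3 variant.
    if frame[14:16] == b"\xff\xff":           # NetWare checksum bytes, no LLC
        return (RAW, "NetWare")
    if frame[14:16] == b"\xaa\xaa":           # DSAP and SSAP equal to AA
        if len(frame) < 22:
            return ("truncated", None)
        # SNAP header: 3-byte vendor code at 0x11, 2-byte type at 0x14.
        etype = int.from_bytes(frame[20:22], "big")
        return (SNAP, ETHERTYPES.get(etype, f"Ethertype {etype:04X}"))
    dsap = frame[14]
    return (LLC, SAPS.get(dsap, f"SAP {dsap:02X}"))


def format_conflicts(frames):
    """Find upper-layer protocols that appear in more than one frame format.

    Returns {protocol: {frame_format: [source MACs]}} for those protocols
    only; stations listed under different formats need a translating
    bridge or router to reach each other.
    """
    seen = defaultdict(lambda: defaultdict(set))
    for frame in frames:
        fmt, ulp = classify(frame)
        if ulp is None:
            continue
        src = ":".join(f"{b:02x}" for b in frame[6:12])
        seen[ulp][fmt].add(src)
    return {ulp: {fmt: sorted(macs) for fmt, macs in fmts.items()}
            for ulp, fmts in seen.items() if len(fmts) > 1}


def build_sample(station, field, payload=b""):
    """Constructed test frame: broadcast DA, locally administered SA,
    length/type field, payload, zero padding to 60 bytes (no CRC)."""
    header = b"\xff" * 6 + bytes([0x02, 0, 0, 0, 0, station])
    return (header + field.to_bytes(2, "big") + payload).ljust(60, b"\x00")


# Constructed sample capture, one frame per station.
SAMPLE = [
    build_sample(1, 0x8137, b"\xff\xff"),                        # NetWare, Version 2
    build_sample(2, 0x0022, b"\xff\xff" + b"\x00" * 28),         # NetWare, 802.3 raw
    build_sample(3, 0x0800, b"\x45"),                            # IP, Version 2
    build_sample(4, 0x0026, bytes.fromhex("aaaa030000000800")),  # IP, 802.3 SNAP
    build_sample(5, 0x0026, bytes.fromhex("424203")),            # BPDU, 802.3 with LLC
    build_sample(6, 0x05EE),                                     # reserved value 1518
]

if __name__ == "__main__":
    for f in SAMPLE:
        print(":".join(f"{b:02x}" for b in f[6:12]), *classify(f))
    for ulp, fmts in format_conflicts(SAMPLE).items():
        print("mixed frame formats for", ulp, "->", fmts)
```
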

Page 1 - 36

Exercise: Which Frames Are on the Network?


1-37

Turn to the lab section to complete this exercise


Slide Title: Exercise: Which Frames Are on the Network?


Important Points to Cover:

This exercise has been modified. It no longer uses data pattern matching. Be sure to practice this before class so you are ready for it!

Page 1 - 37

1-38

If you have no questions about the previous exercise, then continue with the next exercise. If you need a demonstration or explanation, ask your instructor to help you now.


Slide Title: Yield
Important Points to Cover:

This slide is here so you can control the exercise process.

Page 1 - 38

Exercise: A Surprise at 23:00


1-39

Turn to the lab section to complete this exercise


Slide Title: Exercise: A Surprise at 23:00


Important Points to Cover:

This exercise is unchanged.

Page 1 - 39

Summary
1-40

In this section, you learned how to:
Differentiate between Ethernet Frame Formats
  Ethernet Version 2
  Novell 1983 proprietary frame format
  IEEE 802.3
  IEEE 802.3 SNAP
Recognize network configuration issues with different frame formats
Identify frame format incompatibilities


Slide Title: Summary
Important Points to Cover:

Wrap up the section by reviewing the labs and the objectives. Ask the students if they have any questions.

Target Time: Breaktime of Day 1

Page 1 - 40

2-1

Ethernet Sniffer Pro Hardware



Ethernet Network Analysis and Troubleshooting Ethernet Sniffer Pro Hardware

Section 2 TNV-202-GUI

Ethernet Network Analysis and Troubleshooting

Slide Title: Ethernet Sniffer Pro Hardware Section 2

Section Timing: Start: Day 1 Approx. ______ Finish: Day 1 Early afternoon

Important Points to Cover:

Section 2 title slide only.

Files: 02_snf_g.PPT, 02_snf_g.DOC
Traces: bcast.cap, GB.cap, 100mbfile.caz
Exercises: Comparing Ethernet Data

This is a new section. We hope that by putting this information at the front of the course, the students will feel this is an up-to-date course. They get to see the new faster Ethernet products right away and see in an exercise that Ethernet looks almost the same on the Sniffer, no matter what the speed of the network.

Please remember this instructor guide is a living document. It is not complete to start and is intended to grow with time. Add to your own copy as you gain experience. Please e-mail suggestions to the course Subject Matter Expert (SME) for future updates to the course material.

Page 2 - 1

Section Objectives
2-2

Upon completion of this section, you will be able to:
Select the appropriate Sniffer configuration for each type of Ethernet network
Ensure system requirements are met for each type of Sniffer
Attach Sniffer Pro to the various Ethernet networks

Slide Title: Section Objectives

Important Points to Cover:

State the objectives.

Page 2 - 2

2-3

10/100 Ethernet


Slide Title: 10/100 Ethernet

Important Points to Cover:

Title Slide Only.

Page 2 - 3

10/100 Portable System Requirements


2-4

PAC 64 or 65 or CardBus compatible notebook PC
  Can also be loaded on a desktop PC
  Pentium 200 MHz CPU or higher
Windows 95c*/98 or NT SP3 server or workstation
Sniffer 10/100 Ethernet adapter
85 MB Disk space for software
  Much more for traces
64 MB RAM
  Some topologies require more
Keyboard and Pointing Device

Diagram label: PAC 64

Windows 95c requires Winsock 2. Windows NT has been tested through SP 6a. Consult the Sniffer documentation for a list of the adapters supported with this release.

On heavily loaded Ethernet networks, increase the receive buffer size and capture rate on the Ethernet adapter.

In Windows 95/98:
1. In the Windows control panel, select the Network icon.
2. In the list box at the top of the Configuration tab, select the adapter, then click Properties.
3. Click the Advanced tab.
4. In the Property list box, select Receive Buffers and increase the value to a larger number. We recommend you increase the buffer size in increments of 10 to the highest possible setting, which still enables the card to load.
5. Change the Capture Rate to High - No CPU Throttling.

In Windows NT:
1. In the Windows control panel, select the Network icon.
2. Click the Adapter tab.
3. Select the adapter, then click Properties.
4. Increase the Receive Buffers value to a larger number. We recommend you increase the buffer size in increments of 10 to the highest possible setting, which still enables the card to load.
5. Change the Capture Rate to High - No CPU Throttling.

Slide Title: 10/100 Portable System Requirements

Important Points to Cover:

New Slide. Quickly review the three options:
Notebook
Desktop (this means that desktops are included in the NAI suite of portable software, though desktops are not really portable!)
Dolch
Review the system requirements.
The readme instructions for setting the Ethernet card parameters for heavily loaded networks are included in the student notes.

Page 2 - 4

Attaching Sniffer Pro to the Network


2-5

Attach the RJ45 jack into a port on the hub
  All signals are seen on the Sniffer
Attach the RJ45 jack into a port on the switch
  Use the Switch Expert or switch software to mirror the port(s) to the Sniffer port
Attach in series on coax cable segments

Diagram labels: Ethernet Hub; Ethernet Switch; PAC 64


Slide Title: Attaching Sniffer Pro to the Network

Important Points to Cover:

Discuss the various ways they can attach the Sniffer. It doesn't matter if it is notebook, Dolch or desktop. All attach the same way.

Page 2 - 5

DSPro Agents
2-6

DS Pro consists of two computers:
Agents permanently installed in production networks
  Attach the Agent's Ethernet monitor card to the production network to be analyzed
  Attach the transport Ethernet card to either a dedicated network or the production network
A console to access Agents remotely
  Attach the Console to a network that has access to the networks where the DS Pro Agents are installed
  SniffView application accesses the remote Sniffers and controls them with the familiar user interface

Diagram labels: DSPro Agent; Ethernet Network; Optional Transport Network; DSPro Console

Sniffer University has a two day TNV-012-DSP class that teaches the unique configuration processes required for the DS Pro system.


Slide Title: DSPro Agents

Important Points to Cover:

Don't get sidetracked into explaining the DS Pro system. Direct them to the TNV-201-DSP class!

Page 2 - 6

2-7

Full Duplex Sniffer Pro



Slide Title: Full Duplex Sniffer Pro

Important Points to Cover:

Title Slide Only.

Page 2 - 7

System Requirements
2-8

PAC 63, 64 or 65 or CardBus compatible notebook PC
Windows 95c/98 or NT SP3 server or workstation
Sniffer 10/100 Ethernet adapter
  Set to 100 Mbps
Full Duplex pod
85 MB Disk space for software
  Much more for traces
64 MB RAM (128 is better)
DSPro also has a 4 port Ethernet adapter you can configure in several modes

A Fast Ethernet Full Duplex Pod installation consists of the following major components:
A PC with Sniffer Pro or Sniffer agent (Distributed Sniffer) software installed on the hard disk (the Sniffer PC).
A supported Fast Ethernet network adapter installed in the Sniffer PC. Consult the Sniffer documentation for a list of the adapters supported with this release of the Full Duplex Pod.
A Fast Ethernet Full Duplex Pod is connected to the Sniffer PC via the Fast Ethernet adapter and the Ethernet port on the Fast Ethernet Full Duplex Pod labeled "Host Channel 10/100 UTP."


Slide Title: System Requirements

Important Points to Cover:

Slide moved here from section five of the previous version.
Needs a 10/100 adapter in the main PC
Pod attaches through the Ethernet cable
Pod attaches into the network
Needs lots of buffer and disk space, since the traffic load is very high and will create large trace files.

Page 2 - 8

Full Duplex Pod


2-9
Troubleshoots and analyzes all traffic on 10/100 full-duplex backbone connections
148,800 Packets per Second (PPS) wire speed packet capture
Full line rate on two channels in High Speed mode
Near 100 Mbps in streaming mode
Stores to a hardware buffer configurable to 512 MB
Full-duplex Dual-channel Synchronous capture

The Fast Ethernet Full Duplex Pod is a separate network interface pod provided by Network Associates for use with Sniffer Pro and the Distributed Sniffer. The Fast Ethernet Full Duplex Pod provides two separate receive channels (one for each side of a full duplex Fast Ethernet network) and can capture at full Fast Ethernet line rate speeds in either a passthrough mode or a terminated mode. The Fast Ethernet Full Duplex Pod lets you use the Sniffer with a Fast Ethernet card installed to monitor or capture data from Ethernet, Fast Ethernet, Full Duplex Fast Ethernet, and Half Duplex Fast Ethernet. This is called the Pod-FEDC-NA-100 for Fast Ethernet Dual Channel in the NAI order book.


Slide Title: Full Duplex Pod


Important Points to Cover:

Slide moved here from section five of the previous version. Buffer is in the pod. Frames captured on the pod are encapsulated into Ethernet frames, then delivered to the PC for analysis. This is listed in the order list as Pod-FEDC-NA-100 for Fast Ethernet Dual Channel Pod.

Page 2 - 9

Full Duplex Pod Connectors


2-10

Connects to High-Speed 100Base-TX and 100Base-FX Ethernet Networks
  RJ-45 ports offer a power-off pass-through
  Fiber and T4 supported through MII connectors

Diagram labels: Power Connector; Synch In; Synch Out; Serial Port; Probe Channel B (10/100 UTP, MII); Probe Channel A (10/100 UTP, MII); Connection; Host Channel 10/100 UTP

Callouts:
Connection button selects between Pass-through and Terminate Modes
Channel B connections to the network (UTP and MII)
Channel A connections to the network (UTP and MII)
Connect straight-through Ethernet cable to the laptop

The Fast Ethernet Full Duplex Pod captures network data off the connected circuit and stores it in its own internal buffer. The captured data is then encapsulated in Ethernet frames and sent to the Sniffer PC over a Fast Ethernet connection. There, the analyzer strips the encapsulated capture data out of the Ethernet frame, making it available to the full set of Sniffer features. The pod can capture frames up to 4082 bytes in length (including CRC). Frames larger than 4082 bytes will be treated as illegal frames. Normal Ethernet frames are 1518 bytes maximum.


Slide Title: Full Duplex Pod Connectors


Important Points to Cover:

Slide moved here from section five of the previous version. Point out the separate channel connector. They can attach to TX via UTP or FX via the MII (Media Independent Interface) connectors. The connection button allows you to set pod to either pass-through or terminate mode. The right-most UTP connector attaches the pod to the 10/100 card in the PC. The Synch In and Out connectors are not used.

Page 2 - 10

Full Duplex Pod LEDs


2-11

Separate LNK (Link) and ACT (Activity) LEDs show the status of each port
  The LNK LED illuminates when the indicated port is connected and working properly
  The ACT LED blinks when there is activity on the indicated port

Diagram labels: Host, Channel A, Channel B (LINK and ACT); Passthrough; Terminate; Clock; Activity; Power; HW Chk

LED            Description
Passthrough    Lit when pod is in passthrough mode. Switch with the button on the back of the pod
Terminate      Lit when pod is in terminate mode
Clock          Lit periodically to indicate the pod's software is alive and active
Activity       Lit when there is potential loss of data. The data may be lost when there is more data than the pod can handle
Power          Lit when the pod is receiving power
HW Chk         Lit when there is pod hardware or software failure. Flashes in test mode


Slide Title: Full Duplex Pod LEDs


Important Points to Cover: Slide moved here from section five of the previous version. Review quickly. Mainly for reference.

Page 2 - 11

Connecting the Pod to the Sniffer


2-12

Power down the Sniffer and unplug the pod
Attach the pod to the Sniffer with a standard Ethernet cable
  Connect between the Ethernet port on the PC and the Host Channel 10/100 UTP port on the pod
Power on the PC
Connect the power to the pod
Connect the pod to the network

When the pod is powered on before the host, pod initialization may fail. Turn the pod off, then on if this occurs. The pod provides a pass-through mode. When you remove power from the pod in pass-through mode, the link will go down! You may wish to install a splitter in the line that will enable you to attach the pod when needed without bringing down the link. Be sure it meets the dB loss specifications so the link is not degraded.


Slide Title: Connecting the Full Duplex Pod to the Sniffer


Important Points to Cover:

New Slide. Emphasize that this pod has a different power adapter from the rest. It is huge and heavy and nicknamed the brick for good reason: it's as big and heavy as a brick. It's important they follow this order. They may damage the pod and/or PC if they don't, or the Sniffer may not be able to see the pod.

Page 2 - 12

Attaching FDX Pod to the Network


2-13

Insert directly in the link
  Copper pass-through prevents losing link, even when powered off
Tap into the line with a splitter
  Can leave the splitter in at all times and tap the line when necessary
  Use a copper or fiber splitter/transceiver
Tap into the line through a monitor port on a switch or hub

Diagram labels: Ethernet Hubs or Switches; Channel A; Channel B; Routers/Switches; Beam Splitters Tap Optical Signal from Channels A and B and Send to Pod; To Channel A; Ethernet Hub


Slide Title: Attaching Full Duplex Pod to the Network


Important Points to Cover:

Slide moved here from section five of the previous version. Three ways:
Break open the link and insert the pod. Push the button to place it in pass-through mode.
Keep splitters in the line at all times so you won't need to break the connection to attach the Sniffer. Set the button to terminate mode so the signals are not repeated back onto the wire!
Attach to a monitor port on the switch. This is vendor-specific, but will probably allow you to select which channels you want to monitor.

Page 2 - 13

Attaching FDX Pod to DSPro Agents


2-14

When using the Distributed Sniffer System, attach the Full Duplex pod to the Agent and use the remote console to configure the options.
Attach using the diagrams on the previous page

Diagram labels: DSSPro Agent; Transport Cable; Monitor Cable; Channel A; Channel B; Ethernet Network; DSPro Console


Slide Title: Attaching Full Duplex Pod to DSPro Agents


Important Points to Cover:

New Slide. Included here mainly to emphasize this pod can be used on the DS Pro system. There is also a 4 port Ethernet card that can be used in the DS Pro to monitor several different full-duplex connections, including 400 MB pipes that combine full-duplex channels. It is covered in the 201-DSP class.

Page 2 - 14

2-15

Gigabit Sniffer
There are several paragraphs of information in the 4.0 Readme.wri that is copied to the Sniffer Pro program directory when you load the Sniffer Pro software. Read them before you use the Sniffer!

Slide Title: Gigabit Sniffer


Important Points to Cover:

Title slide.

Page 2 - 15

Gigabit Sniffer Pro Minimum Host CPU


2-16

Microsoft Windows 98 or NT4.0 SP6
233 MHz Pentium or better
128 MB RAM for traffic generation
800 x 600 Screen 256 Color Monitor
Large GB disk for huge trace files
Full length PCI slot for Gigabit Ethernet card
Half length ISA slot for power adapter if CPU doesn't have 3.3v power available
PCI to PCI bridge support v2.1
Plug and Play v1.0a
AMI or Award BIOS xx0617

Diagram label: PAC 64

Windows 95 is not supported for the Gigabit Sniffer. Use a compatible portable (Dolch) or desktop that has a Peripheral Component Interconnect (PCI) slot. AMI and Award are popular BIOS chips. The BIOS version should be AI5TVD2-0617. You can contact DOLCH to get the BIOS Flash upgrade. There should be two files:
awdflash.exe, size=7,847 Bytes, Dated 3/8/96
Dolch-2.bin, size=131,072 Bytes, Dated 6/19/97

Upgrade the Flash BIOS for PAC-64
To Upgrade the Flash BIOS for PAC-64, follow these instructions:
1. Insert the Flash BIOS upgrade diskette into drive A:
2. Run the awdflash.exe file.
3. You will be prompted to enter bios file name, enter Dolch-2.bin and save the BIOS.
4. You then will be prompted to save a file. Give this file the name Dolch-1.bin.
5. Save and program the BIOS.
6. Reboot after update.
Network Associates Ethernet Network Analysis and Troubleshooting Ethernet Sniffer Pro Hardware

Sniffer University

Section 2 TNV-202-GUI

Ethernet Network Analysis and Troubleshooting

Slide Title: Gigabit Sniffer Pro Minimum Host CPU


Important Points to Cover:

Slide moved here from section five of the previous version. Slide is adequate.

Hardware Included
Xyratex 1250 SX or LX Protocol Analyzer Adapter Card
  SC connectors
  SX Short Wave 850 nm
  LX Long Wave
Long and Short External Trigger Cables
Duplex Fiber Optic Cable
3.3v Voltage Regulator Card
PC Power Supply Y cable
Voltage Regulator to Protocol Analyzer Power Cable

The Xyratex Gigabit card is designed to analyze the network. When the card is installed, it does not bind to TCP/IP; in other words, no IP address should be assigned to the card.

Slide Title: Hardware Included


Important Points to Cover:

Slide moved here from section five of the previous version. Slide is adequate.

Interfaces
1000Base-SX
1000Base-LX
1000Base-CX through external adapter
1000Base-T
Can analyze both sides of full-duplex connection or two separate single links
Captures and analyzes raw bits from the link
  Sees 10-bit codes, autonegotiation, error propagation, collisions, preambles, packet encapsulation, idles and code violations

SX and LX transceivers are available.

Slide Title: Interfaces


Important Points to Cover:

New slide. Just run down the list.


3.3v Power
Two sources:
Motherboards in newer CPUs have a 3.3v power supply connector
  Dolch PAC 65 and newer has 3.3v power, PAC 64 needs the card (PAC 63 and older are not supported for Gigabit)
  Attach to the Protocol Analyzer card
3.3v Voltage Regulator half-slot ISA card for CPUs without the 3.3v power supply
  Generates 3.3v from the PC's 5v power supply
  Drives up to 3 Protocol Analyzer cards
  Y cable inserts between power supply and CD-ROM/floppy disk
  Connects to Protocol Analyzer boards with short cable

ATX motherboards include the 3.3v connector.

Slide Title: 3.3V Power


Important Points to Cover:

Slide moved here from section five of the previous version. Needs 3 volts of power. If the motherboard doesn't have it, you need another card that supplies it. Jumper from this card to the PacketMaster card.

Xyratex 1250 Connectors


[Diagram: PacketMaster 1250 Card with Channel 1 and Channel 2; Connector 1 to Device 1 and Connector 2 to Device 2; ports labelled Tx 1, Rx 1, Tx 2, Rx 2; Sync In (Trigger In) and Sync Out (Trigger Out)]

Two 1000Base-SX or LX Gigabit Ethernet SC Connections
External trigger in and trigger out connections

Available external connections are:
two 1000Base SX Short Wave Fiber Optic connector pairs
a single micro coax external trigger input
a single micro coax external trigger output

Trigger conditions can be independently defined for each channel or combined for both channels, just as for filtering. The system can accept external inputs and can also be synchronized to other test equipment. The system can also provide external TTL output from a trigger.

Interfaces available:
1000Base-SX
1000Base-LX
1000Base-CX through an external adapter
1000Base-T* coming later
SX and LX transceivers are available.
* T Specification under development

Slide Title: Xyratex 1250 Connectors


Important Points to Cover:

Slide moved here from section five of the previous version. Slide is adequate.

Connecting the Analyzer


[Connection diagrams showing the analyzer's Tx and Rx ports; captions:]
Full Duplex connection between 2 hubs, switches
Full Duplex connection between end nodes
Full Duplex connection between switch and end node
Attached to hub or switched port (can be a SPAN port). Use this for traffic generation also
Loopback between Tx1 & Rx2

Slide Title: Connecting the Analyzer


Important Points to Cover:

Slide moved here from section five of the previous version. This will help those students who have the Sniffer now. (They are very lucky: they are in high demand and short supply.) Slide is self-explanatory.

Gigabit DSPro
The Xyratex card is also supported in the DSPro Agent
Attach this card to the Gigabit network as you do for the portable Sniffer
Attach the 10/100 monitor adapter to the transport network

[Diagram labels: DSPro Agent, Transport Cable, Monitor Cable, 10/100 Ethernet Network, Gigabit Network]

Slide Title: Gigabit DSPro


Important Points to Cover:

New Slide. Mainly FYI. Screens still look the same when you connect to the Agent.

Exercise: Comparing Ethernet Data


Turn to the lab section to complete this exercise. Use the diagram on the next page as a reference to the network layout.

Slide Title: Exercise: Comparing Ethernet Data


Important Points to Cover:

New Exercise. This exercise is here to let them see right up front how the data looks in almost all speeds of the Sniffer. I was unable to get a 100 MB full-duplex trace file, so it has been mentioned briefly. Do not mention the 10 bit hex decode in the Gigabit screens now! Wait until they have been explained in the Gigabit section.


Summary
In this section, you learned how to:
Select the appropriate Sniffer configuration for each type of Ethernet network
Ensure system requirements are met for each type of Sniffer
Attach Sniffer Pro to the various Ethernet networks

More details on using these Sniffers are in the sections following.

Slide Title: Summary


Important Points to Cover:

Review the section objectives and answer any remaining questions. Target Time: Day 1 at noon or earlier if possible.


Ethernet Physical and Data Link Layers



Ethernet Network Analysis and Troubleshooting Ethernet Physical and Data Link Layers

Section 3 TNV-202-GUI

Slide Title: Ethernet Physical and Data Link Layers

Section Timing: Section 3. Start: Day 1 Approx. 1pm. Finish: Day 1 End of day

Important Points to Cover:

Section 3 title slide only.

Files: 03_phy_g.PPT, 03_PHY_g.DOC
Traces: HUB6ARC.caz
Exercise: Cable Specifications

This is a critical section that must be covered thoroughly so the students understand the basis of all Ethernet standards. The exercise comes close to the end, so your challenge will be to keep the students engaged through the lecture. The 10BASE5 and 10BASE2 specific slides are now in the Optional Technologies section. Be prepared to jump there if you have students who still want to see the physical components of the old technologies. The diagrams have been spiffed up so they show mainly star configurations. Please remember this instructor guide is a living document. It is not complete to start and is intended to grow with time. Add to your own copy as you gain experience. Please e-mail suggestions to the course Subject Matter Expert (SME) for future updates to the course material.


Section Objectives
Upon completion of this section, you will be able to:
Describe the access method used in Ethernet
Discuss the responsibilities of the MAC layer
Differentiate the various types of Physical Layer devices
Explain the importance of the physical size limitations of the Ethernet networks
Determine when the physical characteristics of the Physical Layer have been extended beyond the specifications

Slide Title: Section Objectives

Important Points to Cover:

State the objectives. The focus of the prior revision was on the new components most customers have in their environments. The specifications for 10BASE2 and 10BASE5 are still the basis for the newer environments and need to be covered. We've tried to make it as painless as possible while still giving them everything they need to know to understand the buzz words and, more importantly, why collision domains and timing specifications are still important! Most of our students think they know the Ethernet nitty gritty details, but they invariably learn new things in this section.

Ethernet Components Today


There is a wide variety of configurations and options available
All still adhere to core concepts that define Ethernet
Segments are extended logically by chaining hubs or switches, or by using bridges
Networks are segmented using routers

[Diagram: Network A and Network B with a Router, Hubs, Switches and a Network Interface Card (NIC). Switched Segment: dedicated connections, only broadcasts are propagated to all. Broadcast Segment: everything broadcast to all.]

Ethernet networks are undergoing unprecedented change. Standard hubs and switching hubs are becoming commonplace. Fast Ethernet is being included. Full Duplex Ethernet may be installed. Fast transmit adapters enable large amounts of data to be transmitted and received.

Slide Title: Ethernet Components Today

Important Points to Cover:

Today networks are undergoing change. We are installing switches and hubs now. No one is really installing 10BASE5 or 10BASE2 today.
Fast Ethernet
Full duplex
Fast transmit adapters
Gigabit Ethernet
Yesterday, hubs were the new devices in networks, pushing out the older 10BASE5 and 10BASE2 networks. Today, switches may start to push out hubs. The only constant we really have is change. Emphasize the fact that whether we are talking about 10BASE5 or switches, Ethernet is still contention-based, designed to a bus concept.

Ethernet Contention Access Control


Broadcast environment
All network stations contend for available network bandwidth
Simultaneous transmissions cause collisions, which produce runt frames
Contention Access Control works well with bursty traffic

[Diagram: Concentrator or Hub]

Slide Title: Ethernet Contention Access Control

Important Points to Cover:

No inherent line control is used. The only requirement to transmit data is that the wire is quiet for 9.6 bit times.


CSMA/CD: The Basis for Ethernet Specifications

Carrier Sense
  Listen until no carrier is sensed, then transmit after a delay

Multiple Access
  Designed for a broadcast environment
  Every station hears every frame

with Collision Detection
  Listen for a collision while you transmit

Designed for a bus, usually implemented as a star

The rules are observed in half-duplex switched networks even though collisions are usually avoided by using dedicated connections

Slide Title: CSMA/CD The Basis for Ethernet Specifications

Important Points to Cover:

The basics. Preparing the students for what is to come later.


MAC Frame Transmission


Construct a frame from data supplied by upper-layer
  A legal frame must be at least 64 bytes long and no longer than 1518 bytes (counting the CRC, but not the Preamble)
  If necessary, the 802.3 MAC layer adds a pad so that the frame is at least 64 bytes
Calculate and append the CRC
Sense Carrier: Defer to stations already transmitting
Observe Interframe spacing: There is always at least a 96 bit time delay between frame transmissions
  9.6 µs for 10 Mbps, .96 µs for 100 Mbps, 96 ns for 1000 Mbps
Transmit and listen
Detect collisions
Backoff and retransmit if collisions occur

All adapters are manufactured to the Ethernet specifications. The card has no knowledge of whether it is plugged into a switch or hub port. These specifications apply to all speeds of Ethernet. The interframe spacing is always 96 bit times. The actual time between frames is dependent on the speed of the network and shrinks in proportion to the increase in speed. Specifications dictate that there be a minimum 9.6 microsecond delay between frames in 10 Mbps Ethernet. An adapter must sense that the wire has been quiet at least 9.6 microseconds before it can transmit. In Fast Ethernet, the interframe gap is .96 microseconds. The gap in Gigabit Ethernet is 96 nanoseconds.

Slide Title: Media Access Control (MAC) Frame Transmission

Important Points to Cover:

With the IEEE MAC layer, it is the MAC's job to ensure the minimum frame length. This is a departure from the V2 specifications, which forced the network layer protocol to guarantee the minimum frame size. Now the version two frames have been brought under the IEEE, so all versions must pad. The MAC layer is responsible for accessing the channel and ensuring correct transmission of the data. MAC functions reside on the adapter on the chipset. Important change: The Interframe gap has been changed from 96 microseconds to 96 bit times to imply this is used in all speeds. Use this term throughout this section. The Interframe Gap is 9.6 microseconds in 10 Mbps, 960 nanoseconds in 100 Mbps and 96 nanoseconds in Gigabit 1000 Mbps.

Frame Transmission
After sensing that there is no carrier on the wire during the interframe gap period, stations with data to send transmit the frame
The signal is propagated everywhere
The source station listens while transmitting
It assumes the frame was delivered if it sensed no interference

[Animated diagram: the Source Station's Preamble and Dest Address bits propagate through the Concentrator or Hub to every station. *Timing slowed to show process]

Even in switched environments, stations must wait the interframe time after the line goes silent before they start transmitting.

Slide Title: Frame Transmission

Important Points to Cover:

This is a timed build slide and covers only the transmission part of the process. It builds automatically. The station that wants to transmit listens for carrier. When it senses there is no carrier, it waits the interframe gap time, then begins to transmit. This is a good time to discuss the adapters that jump the gun and start transmitting before the interframe gap time. This is mentioned in the student notes and should be discussed in class. When the signal is transmitted, it is intended to go everywhere. All stations hear it. Stations continue to listen while they transmit.

Collisions
When two stations with data to transmit sense that the media is available at the same time, they both transmit and a collision occurs
The transmitting adapters sense the collision and continue to transmit a 32-bit jam signal, and wait a random amount of time before retransmitting
If there are repeated collisions, the adapter tries again (up to a total of 16 times)
It uses truncated binary exponential backoff to ensure that two stations will not collide with each other again during the wait cycle
Each time it retries, it waits a random amount of time

[Animated diagram: two stations transmit through the Concentrator or Hub, a Collision occurs, and each station transmits a Jam. *Timing slowed to show process]

Stations continue to listen as they transmit. Twisted pair environments are basically point-to-point communications. While an adapter is transmitting, it listens on its receive pair. If a receive signal is detected, the adapter has detected a collision. On a bus, the transceiver detects an increase in voltage on the wire if another station transmits at the same time. The transceiver notifies the adapter of a collision. Any other stations with frames queued sense the wire is busy and they wait until the interframe gap has passed after the wire goes silent.

Slide Title: Collisions

Important Points to Cover:

This is a timed build slide. Some is automated on a timer, and some requires a mouse click to activate. Wait to click until the first collision occurs. There are three clicks for the slide.

The signal from the transmitting station will not be heard by the second station some distance from it, so it begins to send its frame. If a collision occurs, the participating stations output a minimum of 32 bits as a jam. Its purpose is simply to busy out the wire on a 500 meter segment. Important change: The wording was changed slightly to indicate it does not stop transmitting, but just continues to transmit the jam signal instead of the frame. IEEE states a minimum jam of 32 bits but does not specify a maximum jam period past 150 ms. There is no specified jam pattern for the adapters. Manufacturers can do what they want as long as it is not the CRC of the bits that were just transmitted. The transmitting adapters back off a random amount of time. The first station to timeout tries again. In the meantime, a totally different station may have gotten a frame out onto the network. Each time the adapter is involved in a collision trying to transmit the same frame, it waits a longer period of time before listening for carrier. It gives up after 16 unsuccessful attempts and purges the frame from its transmit buffer. The upper layer protocol must queue it again. This of course involves more delay than the collisions and backoff induced.

Truncated Binary Exponential Backoff


Retry   Random Time Range
 1      2^1  = 0....2 x 51.2 µsec
 2      2^2  = 0....4 x 51.2 µsec
 3      2^3  = 0....8 x 51.2 µsec
 4      2^4  = 0....16 x 51.2 µsec
 5      2^5  = 0....32 x 51.2 µsec
 6      2^6  = 0....64 x 51.2 µsec
 7      2^7  = 0....128 x 51.2 µsec
 8      2^8  = 0....256 x 51.2 µsec
 9      2^9  = 0....512 x 51.2 µsec
10      2^10 = 0....1024 x 51.2 µsec
11      2^10 = 0....1024 x 51.2 µsec
12      2^10 = 0....1024 x 51.2 µsec
13      2^10 = 0....1024 x 51.2 µsec
14      2^10 = 0....1024 x 51.2 µsec
15      2^10 = 0....1024 x 51.2 µsec
16      2^10 = 0....1024 x 51.2 µsec

(1024 x .0000512 = 52.4 milliseconds)

The backoff time is measured using the propagation delay of the media (slot time). The figures above are for 10 Mbps Ethernet. 100 Mbps times are 1/10th of these times; gigabit times are 1/100th of these times.
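The backoff table above, implemented and then run through a simplified slotted contention model. This is an added example, not part of the course material. Assumptions: the draw is an integer r with 0 <= r < 2^k as IEEE 802.3 defines it, a frame occupies 24 slots, a collision costs one slot, and the station counts and seeds are constructed.

```python
import random

SLOT_BITS = 512       # slot time in bit times: 51.2 usec at 10 Mbps, as in the table
BACKOFF_LIMIT = 10    # the exponent stops growing at 2^10
ATTEMPT_LIMIT = 16    # the adapter gives up after 16 unsuccessful attempts


def backoff_window(collisions):
    """Slots to choose from after the nth collision on one frame: 2^min(n, 10)."""
    if not 1 <= collisions <= ATTEMPT_LIMIT:
        raise ValueError("collision count must be between 1 and 16")
    return 2 ** min(collisions, BACKOFF_LIMIT)


def max_backoff_us(collisions, mbps=10):
    """Upper end of the table's time range, in microseconds."""
    return backoff_window(collisions) * SLOT_BITS / mbps


def recollision_probability(collisions):
    """Chance that two stations on the same retry count draw the same slot."""
    return 1.0 / backoff_window(collisions)


def simulate(n_stations, frame_slots=24, seed=0):
    """Slotted model: every station has one frame and transmits at slot 0.

    Assumptions (not from the course): a frame occupies frame_slots slots,
    a collision costs one slot, and a station whose timer expires while
    the wire is busy defers until the wire goes quiet.
    """
    rng = random.Random(seed)
    ready = {s: 0 for s in range(n_stations)}    # station -> slot of next attempt
    failed = {s: 0 for s in range(n_stations)}   # station -> collisions on its frame
    delivered = dropped = collision_events = 0
    while ready:
        now = min(ready.values())
        senders = [s for s, t in ready.items() if t == now]
        if len(senders) == 1:
            # Lone transmitter: the frame goes out and everyone else defers.
            del ready[senders[0]]
            delivered += 1
            busy_until = now + frame_slots
            for s in ready:
                ready[s] = max(ready[s], busy_until)
            continue
        collision_events += 1
        for s in senders:
            failed[s] += 1
            if failed[s] >= ATTEMPT_LIMIT:
                del ready[s]          # excessive collisions: frame is purged
                dropped += 1
            else:
                ready[s] = now + 1 + rng.randrange(backoff_window(failed[s]))
    return {
        "delivered": delivered,
        "dropped": dropped,
        "collisions": collision_events,
        "worst_retries": max(failed.values(), default=0),
    }


if __name__ == "__main__":
    for n in (1, 5, 10, 16):
        print(f"retry {n:2d}: window {backoff_window(n):4d} slots, "
              f"up to {max_backoff_us(n):9.1f} usec at 10 Mbps")
    for stations in (2, 10, 50):
        print(stations, "stations:", simulate(stations, seed=1))
```

Deferring stations all become ready at the same slot when the wire goes quiet, which is why collision counts in the model climb quickly as the station count grows.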

Slide Title: Truncated Binary Exponential Backoff

Important Points to Cover:

For student reference. Don't spend any time here. The previous two slides are now combined on this single slide.

Half Duplex MAC Transmit


[Flowchart, in outline:]
1. Data to send.
2. < 60 bytes? Yes: Pad to 60 bytes.
3. Calculate and add CRC.
4. Carrier Sense? Yes: Defer. No: Wait 96 bit times.
5. Transmit Data. Listen for collision.
6. Detect Collision? No: Transmit Until End. End of data? Yes: Done. Transmit OK!
7. Detect Collision? Yes: Send Jam. Too many attempts? Yes: Done. Excessive errors. No: Compute backoff. Wait backoff time, then retransmit.

All speeds of Ethernet follow this flowchart. Only the timing changes.

Slide Title: Half Duplex MAC Transmit

Important Points to Cover:

Spend time taking the students through the process. Make sure they understand. There is a new diagram similar to this in the Full Duplex section now.


Frame Reception
All adapters synchronize clocks to the preamble bit pattern
Upon receipt of end of preamble flag, adapters copy the DLC destination address
If the destination DLC address is equal to their own or a broadcast, stations continue to copy, otherwise they stop copying and release the buffer

[Animated diagram: a frame (Preamble, Dest Address, Source Address) travels from the source station through the Concentrator or Hub to all stations. Labels: Destination 080069020FD3, Source C788CD809782. *Timing slowed to show process]

Slide Title: Frame Reception

Important Points to Cover:

This is an automated build slide. Click the mouse when you are ready to show the action after you have covered the bullets. Stations hear the preamble and synchronize their clocks to it. The Start of Frame delimiter indicates the destination field is coming next. Stations listen for as long as it takes to determine if the frame is addressed to them or not. If it is addressed to them, they copy it. If the frame is not intended for them, they discard the bits from their receive buffer and passively wait for a new signal or the quiet time so that they may send their own data.

Assessment of Received Frames


[Flowchart, in outline:]
>512 Bits? No: Runt Frame. Discard Frame.
>512 Bits? Yes: CRC Valid? Yes: Good Frame! Pass to higher layer protocol.
CRC Valid? No: End on 8-bit Boundary? Yes: CRC Error. No: Alignment Error. Discard Frame.

MAC Frame Reception:
Recognize if frame is destined for this station
Discard frame if it is too short (runt)
If frame does not end on an 8-bit boundary, truncate it to the nearest 8-bit boundary
Calculate CRC. If the calculated CRC does not match the CRC in the frame, discard the frame (If the discarded frame does not end on an 8-bit boundary, report Alignment Error; otherwise report CRC error)
Pass good data to upper-layer

Frames are always truncated because transmitters have a hard time stopping immediately after the last data bit. Transmitters are allowed 1.6 bit times after the final data bit to let their transmission level reach 0. Any bits whose signal level is less than the receiving adapter's minimum level requirements will be disregarded. It is possible for a transmitting adapter to send an extra bit or two after sending the CRC field, and for these bits to be of sufficient amplitude to be seen as bits by a receiving adapter. In these circumstances, the bits are referred to as dribble bits and will be truncated by the receiving adapter to the nearest 8-bit boundary. Dribble bits become more evident in Fast Ethernet and Gigabit Ethernet networks, due to the increased number of bit times required for transmitting adapters to return to zero.
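The transmit-side padding from the MAC Frame Transmission slide and the receive-side assessment above, as an added example that is not part of the course material. Assumptions: the frame is modelled as whole octets plus a count of dribble bits, the source address and payload are constructed, and a frame of exactly 64 bytes (512 bits) is treated as legal, following the minimum stated on the transmission slide.

```python
import struct
import zlib

MIN_FRAME = 64     # bytes, counting the CRC but not the preamble
MIN_NO_CRC = 60    # header + data are padded to this before the CRC is added

DST = bytes.fromhex("080069020FD3")   # destination shown on the Frame Reception slide
SRC = bytes.fromhex("020000000001")   # constructed source address


def fcs(data):
    """CRC-32 over the frame, laid out as the four trailing bytes of a capture."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def build_frame(dst, src, ethertype, payload):
    """Transmit side: assemble header and data, pad to 60 bytes, append the CRC."""
    body = dst + src + struct.pack("!H", ethertype) + payload
    body += b"\x00" * max(0, MIN_NO_CRC - len(body))
    return body + fcs(body)


def assess(octets, dribble_bits=0):
    """Receive side: classify what arrived after the start-of-frame delimiter.

    octets       -- the complete octets received
    dribble_bits -- 0..7 extra bits seen after the last complete octet
    """
    if not 0 <= dribble_bits <= 7:
        raise ValueError("dribble_bits must be 0..7")
    total_bits = len(octets) * 8 + dribble_bits
    if total_bits < MIN_FRAME * 8:
        return "runt"                      # too short: discard
    # Truncating to the nearest 8-bit boundary means ignoring the dribble bits,
    # so the CRC is checked over the whole octets only.
    body, received = octets[:-4], octets[-4:]
    if fcs(body) == received:
        return "good"                      # pass to the higher layer protocol
    return "alignment_error" if dribble_bits else "crc_error"


def flip_bit(frame, byte_index, bit=0):
    """Return a copy of the frame with one bit inverted (constructed damage)."""
    damaged = bytearray(frame)
    damaged[byte_index] ^= 1 << bit
    return bytes(damaged)


def sample_results():
    """Classify a set of constructed frames and return {case: verdict}."""
    good = build_frame(DST, SRC, 0x0800, b"constructed payload")
    damaged = flip_bit(good, 20)
    cases = {
        "clean": (good, 0),
        "clean + 3 dribble bits": (good, 3),
        "bit error": (damaged, 0),
        "bit error + 3 dribble bits": (damaged, 3),
        "collision fragment": (good[:40], 0),
    }
    return {name: assess(octets, extra) for name, (octets, extra) in cases.items()}


if __name__ == "__main__":
    for name, verdict in sample_results().items():
        print(f"{name:28s} -> {verdict}")
```

A clean frame with dribble bits still passes, while the same dribble bits on a damaged frame change the reported error from CRC to alignment; that distinction is what separates the two counters in an analyzer's statistics.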

Slide Title: Assessment Of Received Frames

Important Points to Cover:

Cover well. A similar diagram is in the Full Duplex section.


Repeaters
[Diagram labels: Repeater, Multiport Repeater, Hub or Concentrator; 10BASE5, 10BASE2 and 10BASE-T (ports 1 to 6) segments; AUI ports]

A repeater is a physical layer device that extends the network length and topology by regenerating and retiming the signal one bit at a time
A repeater repeats every signal that comes in on one port onto every other port. A repeater does not isolate traffic or collisions
A repeater is transparent to other stations on the network. A repeater is not addressable. It does not store and forward data
A 10BASE-T hub acts as a multiport repeater

A repeater can cause more collisions, since a collision signal is propagated out all ports. Hubs managed through SNMP have an IP address assigned to the interface that communicates with the management application. This address is NOT used in frame regeneration.

Slide Title: Repeaters

Important Points to Cover:

Repeaters are required to quickly forward data from one port onto all others. A repeater doesn't isolate collisions, it propagates them. A hub graphic has been added to the slide.

Repeaters are Responsible For:


Preamble Regeneration
  Remove preamble from received frame and regenerate it on sending frame
Data Repeat
  Repeat all signals received on one segment to all other segments attached to the repeater
Signal Amplification
  Ensure the amplitude of signals is correct
Signal Retiming
  Ensure encoded data output is within jitter tolerances
Fragment Extension
  Extend repeated signal if less than 96 bits (including preamble)

Preamble: 8 bytes of 1010101...10101011 at the beginning of each Ethernet frame. The preamble is discussed in more detail in the data link layer section. A repeater uses the preamble to sync up to bits, just like any station does. Some bits may be lost, in which case the repeater regenerates a new preamble. If a repeater receives a little fragment (runt) frame that is less than 32 bits plus preamble, the repeater will extend the bits to at least 96 bits. This ensures that the signal meets the next repeater while the repeater is still transmitting, so that the attached segments are busied out for the duration of the original collision.

Slide Title: Repeaters Are Responsible For:

Important Points to Cover:

Repeaters do not repeat preamble. They create a new preamble. When they see the 11 indicating the end of preamble, they go into repeat mode. Repeaters jam out all ports on detection of a collision. They are the only devices for which IEEE has defined a jam pattern (documented in the student notes).


10BASE-T Ethernet Cabling


[Diagram: Concentrator or Hub with RJ-45 jacks; UTP, 100 meters max, to an RJ-45 jack; Internal Transceiver on NIC and RJ-45 jack; Older Implementations: External Transceiver and AUI cable]

Media = .4 to .6 mm diameter (26 to 22 AWG) unshielded wire in a multipair cable
Maximum distance from hub to transceiver = 100 meters
A hierarchical star topology is allowed, with up to four levels of concentrators

Telephone wire meets the requirements because it is usually unshielded twisted-pair cable composed of .5 mm (24 AWG) twisted pairs. When unshielded twisted pair cabling is used, you must be concerned with electromagnetic and radio interference, as well as cross-talk. Cross-talk is caused by excessive coupling of signals from one line to another, due to the geometry of the twist. Use a cable scanner to test for cross-talk. The 10BASE-T specification states that any two stations communicating cannot traverse more than four hubs. This follows the four repeater rule contained in the IEEE 802.3 specification. Each hub contains repeater functionality. The limit of 100 meters is for the worst case of 11.5dB of signal attenuation. Many manufacturers now use transceiver chips that drive typically from 125 meters to 200 meters (626 feet). However, the moment you attach a hub with these cable lengths to another hub, overall propagation delay comes into play. If you're using a standalone hub AND your new and improved TDR says all of the requirements for segment signal conformance are being met, you don't have to worry about using the longer UTP cable.

Slide Title: 10BASE-T Ethernet Cabling


Important Points to Cover:

Hubs are repeaters. Cover the cable distance specifications.


10/100Base-T Frame Transmission


10/100Base-T Hub or Concentrator
A group of multiport repeaters
Signal received off of a port is repeated onto the backplane, then flooded out all other ports

[Animated diagram: inbound signal from transmitting station is flooded out to all other ports; stations shown are Workstations and File Servers]

Concentrators (hubs) are the equivalent of a bus in a box and function like multiport repeaters. A signal received from a transmitting station is repeated onto the backplane and then repeated (flooded) out all other ports. Hubs and repeaters do not repeat preamble. They regenerate a new one. When the end of preamble is reached, repeaters then go into repeat mode. Fragments are extended to the minimum of 96 bits. Concentrators (hubs) do not segment collision domains. Upon detection of a collision, hubs jam out all ports. Repeaters are the only devices that have an IEEE-specified jam pattern. The first 62 bits (of 96) must be 10101010...etc. The concentrator may partition any port with 32 consecutive collisions. Unmanaged hubs will re-enable the port upon receipt of any good data frame. Managed hubs tend to require that the administrator re-enable the port through the elemental manager.

Slide Title: 10/100Base-T Frame Transmission


Important Points to Cover:

Note the addition of 100Base info here. This is an automated build slide showing the signal propagation. It's still a bus with the backplane propagating the signal everywhere.

The Hierarchy of Ethernet Hubs


3-17
Simple, low-cost Desktop Hubs Standalone hubs typically support 8-16 ports Some larger multi-slot hubs support from 4-12 line cards, each containing 12-24 ports, for a total of about 288 physical ports All users are connected to same backplane, hence the same LAN 10/100 Autosensing

Sniffer University

Workgroup Hubs The need for autonomous work groups requires backplane segmentation of larger hubs Hub backplanes are physically separated into 2 or 3 or 4 different Ethernet segments 10/100 Autosensing

Interconnection of these separate LANs is accomplished by the inclusion of bridge-on-a-card or router-on-a-card modules to one of the segmented LANs. Standalone bridges and routers are also used, but the trend is toward spaceconserving configurations. Some vendors offer tiny micro bridges to connect one Ethernet to another. All networking components reside within the hub or networking platform, which makes them ideal for locked wiring closets. Workgroup hubs typically have an element manager that will support both inband (Telnet via TCP/IP on Ethernet) and out-of-band (RS232 for modems) access. These element managers provide physical level data about the health of the LAN and can send SNMP traps to, or respond to SNMP polls from integrated network management systems or umbrella managers. Some hubs are equipped with redundant hot-standby power supplies for maximum uptime. Power supply or line card swaps can be performed during off-peak times. The reality: although hubs have evolved into the heterogeneous networking platform, they have also become the single point-of-failure for many workgroups.

Slide Title: The Hierarchy of Ethernet Hubs


Important Points to Cover:

Student notes and slide are adequate. The names of the hubs have changed to reflect how they are marketed today.

Page 3 - 17

Backbone Hubs
3-18
SNMP Management applications are used to control these sophisticated hubs. Many offer click and drag operations to logically move stations. SNMP agents collect port, backplane and other statistics. The management stations periodically poll the devices for the statistics. Data is collected and reports are generated to track the health of the device and network.

Multiple flavors of backbone hubs proliferate today. Some offer dedicated functions, while others offer add-in functionality via line cards like:
- Multiple media Ethernet segments: AUI, BNC, 10/100BASE-T, FOIRL
- Multiple media Token Ring segments: STP, UTP, fiber repeaters
- Multiport local and remote bridges with FDDI backbone interfaces
- Multiport, multi-protocol local and remote routers
- Ethernet packet switches. These are discussed in more detail later
- LAT and TCP/IP terminal servers for RS232-based devices
- X.25 gateways, SNA gateways
- Novell NetWare file servers
- Etc. The list continues to grow

Slide Title: Backbone Hubs

Important Points to Cover:

Student notes and slide are adequate.

Page 3 - 18

Link Test Pulse


3-19

[Diagram labels: TX, RX, COL, LINK indicators; NIC]

10Mbps link test pulses are 100 nanoseconds (100 nanoseconds = 0.1 microseconds = 1 bit time) in size, and are transmitted every 201 microseconds. Unless there is a regular link test pulse, data is not transferred from the wire to the receiver, or from the transmitter to the wire. Polarization or phase is the correct match of TX+ to RX+ instead of TX+ to RX-. Some early 10BASE-T products did not incorporate auto-polarity and autophase matching capabilities. The wires connecting these devices must be oriented correctly. Subsequent products do incorporate these features. 100BASE-T Link Integrity pulses are sent continuously on the T4 primary transmit pair about 1 ms apart. Failure to detect these pulses generates an error.

- Many transceivers and hub ports feature a Link LED (usually green in color) that provides a confidence check of wire pair integrity
- A pulse is transmitted on one end's transmit pair to the other end's receive pair every 201 µs. The pulse is unique and will not be mistaken for a data frame or a collision
- It provides status of the hub's transmit wire pair to the node's receive wire pair (node Link LED), and the node's transmit pair to the hub's receive pair (hub Link LED)
- An illuminated Link LED is not a guarantee that the wire pair is polarized or phased correctly (TX+ to RX+, TX- to RX-) or that the wire pair is twisted together end-to-end (pin 3 twisted with pin 6, for example: orange/white wire twisted with white/orange wire)

Slide Title: Link Test Pulse

Important Points to Cover:

The link pulse test does not check for correct phasing of the signal. It is simply a continuity test. If the pulse is not there, the devices will not communicate. We are going to be doing some comparisons of these link pulses as we discuss Fast and Gigabit Ethernet. The characteristics of the 10 Mbps link pulses are important to mention here:
- One pulse
- Evenly spaced at 201 microseconds

Page 3 - 19

10 Base T Ethernet Pinouts


3-20
[Diagram: Jack at NIC and RJ-45 Plug, pins numbered 8 to 1]

Contact          Signal       X-over
1 white/orange   Transmit +   3 white/orange
2 orange/white   Transmit -   6 orange/white
3 white/green    Receive +    1 white/green
4                Not used
5                Not used
6 green/white    Receive -    2 green/white
7                Not used
8                Not used

The 8-pin connector is used as the mechanical interface to the twisted pair cable. The connector is used on the hub as well as the NIC. Typically the NIC connects to a wall outlet using a twisted pair patch cord. Wall outlets connect through building wiring and a cross-connect function to the repeater hub. The cross connect (or crossover) function connects the transmitter at one end of the twisted pair link to the receiver at the other end of the twisted pair link. The cross connect can be built into the receiving end. There are two pairs used for each station attachment. Two wires (one pair) are used to receive data from the hub to which it is attached. The second pair is used to transmit data to the hub. Normally a light on the hub indicates the pair from the station to the hub is attached correctly (this is the TX+ and TX- from the station to the RX+ and RX- on the hub). A light (Link LED) on the card indicates the pair from the hub to the station is correct (this is the TX+ and TX- from the hub to the RX+ and RX- on the station). Most 10 and 100 Mbps twisted-pair Ethernet is still half duplex: a station is either transmitting or receiving, not both.

Slide Title: 10BASE-T Ethernet Pinouts


Important Points to Cover:

Ethernet hubs used to require correct phasing. You could not get away with reversing the leads. Most hubs today will auto-sense and compensate if the polarity is reversed. Pins 4 and 5 are not used. They were reserved for tip and ring. Pins 7 and 8 were used in the old days for a second line or to power a phone with auxiliary features.

Page 3 - 20

Which Wires are Paired at the Jack/Plug?


3-21
Wire #   568A wiring standard   Pair   568B wiring standard   Pair   Ethernet (802.3)
1        white/green            3      white/orange           2      T+
2        green                  3      orange                 2      T-
3        white/orange           2      white/green            3      R+
4        blue                   1      blue                   1
5        white/blue             1      white/blue             1
6        orange                 2      green                  3      R-
7        white/brown            4      white/brown            4
8        brown                  4      brown                  4

[The slide diagram also marks the wires used by Token ring (802.5)]

- If you suspect noise is damaging data to a station, check to see if the receive pair has been split out
- If the receive pair is not twisted together, the wires will not be mutually affected by the same noise, thus Common Mode Rejection will not be effective

How will you know if noise is affecting data to a station? For one thing, you will see lots of CRC errors on the Sniffer with that station as the destination address. There will also be various other errors (especially retransmissions) associated with the station. The EIA/TIA 568 wiring standards shown above are somewhat different from the widely used USOC wiring scheme (not shown) for telephone signals. Because of the wire-pair layouts, a 568 link can be used for voice signals; however, USOC wiring is not properly paired for Ethernet signals. EIA/TIA 568 standards specify an 8-pin connector (RJ-45), pinned out in one of the two options--568A or 568B--shown above. Today's connecting hardware is color-coded to match the wires, and modern cable testers can quickly determine if the link is capable of carrying a 10 or 100 Megabit Ethernet signal.

Slide Title: Which Wires are Paired at the Jack/Plug?


Important Points to Cover:

10BASE-T requires the transmit leads and the receive leads to be discrete pairs. It does not matter how your plant is cabled, but you need to know so that the pairing can be maintained. 10BASE-T will not work if the pairs are not maintained.

Page 3 - 21

Common Mode Rejection (CMR)


3-22
[Diagram: signal waveforms on the TX+/TX- and RX+/RX- pairs, each drawn against +2.5v, 0 volts and -2.5v levels]

- For CMR to function properly, a pair of wires needs to be twisted around each other
- CMR uses the voltage differences between each signal (TX+) and its mirror image (TX-) to determine the logic state of each bit. (The differential voltage is typically either 5v or 0v)
- Voltage spikes, when they occur, will induce themselves onto the wire pair but the difference in voltage (5v or 0v) will remain the same
- CMR is not perfect, as excessive electrical noise may defeat the cancellation process and destroy the transceivers at the hub and the node

For Common Mode Rejection (balanced signaling, or longitudinal voltages) to work properly, the signal and its reference need to be subject to the same interference. For the signals to be subject to the same interference, they are treated as a pair and mutually twisted. There are several different schemes of pairings. Unshielded twisted pair wiring that is correct for Ethernet may not be correct for telephony, or wire that is correct for Token Ring may not be correct for Ethernet. Observe standard wiring guidelines such as NOT routing UTP over fluorescent lights, near high-voltage or high-current sources, etc. The diagram above depicts the hex pattern of 6E, which Intel uses as the cable test pattern.

Slide Title: Common Mode Rejection (CMR)


Important Points to Cover:

This is what allows 10BASE-T to work. The important concept is that you want the same amount of noise on the receive minus wire as the noise on the receive plus wire. Equal noise maintains the relationship of the signal and can be filtered out so that the chips can still determine a one from a zero. When wires are not twisted together and noise hits, the relationship is not constant and common mode rejection doesn't work.

Page 3 - 22

Cabling Installations
3-23
[Diagram: cabling run with numbered connection points; labels include NIC Card Connection, Wall Plate, Punch Down Block, Patch Panels and 10 Port]

Beware of too many connections. Each one contributes to signal attenuation and represents a potential failure point.

The diagram above can apply to Ethernet or Token Ring. The connections in the diagram are:
1) PC NIC and UTP patch cord
2) UTP patch cord and wall plate
3) Wall plate and UTP cable
4) UTP cable and punchdown block. Punch down blocks include BIX 1A, Telco 66, and/or AT&T MT 110 (for level 5)
5) Punchdown block and 25-pair cable
6) 25-pair cable and first patch panel
7) First patch panel and UTP patch cord
8) UTP patch cord and second patch panel
9) Second patch panel and 25-pair cable
10) 25-pair cable and interface module

This cabling diagram may be simplified in most locations. The shaded area from points 4-9 is the equivalent of a harmonica, a device in common usage in many installations.

Slide Title: Cabling Installations


Important Points to Cover:

This cabling diagram does not represent the ideal, but rather is an example of how things should NOT be done. Unfortunately, this is the cabling found in some environments. Each mechanical connection induces loss and an opportunity for a failure point. This cabling diagram represents the way things were done in the past -- to meet category 3 standards. Most new installations DO NOT install wiring this way. New installations wire the network to category 5 specifications. An example would be to connect the wallplate (3) to the back of the patch panel (8). Cross connects are made directly to the hub.

Page 3 - 23

Hub-to-Hub Connections
3-24
- Hubs typically cross over the transmit and receive pairs from the nodes internally
- Hub-to-hub connections must be crossed over so that the transmit pair of one hub's port goes to the receive pair of the other hub's port and vice-versa
- This can be done with a crossover cable, or at the punchdown block, or via an MDI-X port that internally crosses the pairs

[Diagram: hub-to-hub crossover. TX+ (pin 1), TX- (pin 2), RX+ (pin 3) and RX- (pin 6) on one hub port connect to RX+ (pin 3), RX- (pin 6), TX+ (pin 1) and TX- (pin 2) on the other]

Some manufacturers do not support hubs being connected via node ports. Some of these manufacturers are circumventing the IEEE rules by using special connections for hub-to-hub connections, and advertise themselves as half-hop hubs, that may be cascaded further (to more hops) than the IEEE rules allow, using the special connections, and no crossovers. Some hub manufacturers are now offering proprietary higher speed synchronous links between THEIR hubs. Other manufacturers have developed Full Duplex Ethernet hubs. MDI-X should only be enabled on one end.

Slide Title: Hub-to-Hub Connections

Important Points to Cover:

Student notes and slide are adequate.

Page 3 - 24

3-25

Timing Specifications

Slide Title: Timing Specifications

Important Points to Cover:

Title slide only.

Page 3 - 25

Collision Domain
3-26
A transmission on this segment...

...is propagated through repeaters all the way to all segments!

...and news of a problem, if any, must propagate all the way back, while the original station is still transmitting

Repeaters

A "collision domain" is defined as the physical area within which a collision is propagated. Repeaters propagate everything, even bad frames.

Slide Title: Collision Domain

Important Points to Cover:

This is an automated build slide. This slide was updated to show repeaters (hubs) instead of coax cable. The rule still applies, whether we're using thick, thin or twisted pair, as long as the media is shared. Extremely important concept. All equipment (old and new) must follow this rule. All timing specifications are based on the collision domain. The round-trip time for the worst-case scenario must be less than the time to transmit the minimum-sized frame, since the card only listens while it is transmitting. Cable lengths, repeater rules and propagation delay all must reach this target.

Page 3 - 26

Ethernet Signal Propagation Speed


3-27
It's important to be aware of this information (though not memorize the numbers) to gain an understanding of the maximum Ethernet topology and the minimum Ethernet frame size. Twisted pair cable is the slowest data mover. We must be concerned about over-extending the network length, which will exceed the propagation budget and contribute to late collisions, which in turn result in extremely slow response to most network users.

- Determination of the maximum topology and minimum frame size depends on information about the speed that data travels
- Data travels at less than the speed of light (c)
- c = speed of light in a vacuum = 300,000 kilometers per second (approximately 1 foot per nanosecond)
- Thick Coax Cable: Signal travels at .77c (231,000 km/sec)
- Thin Coax Cable: Signal travels at .65c (195,000 km/sec)
- Twisted Pair Cable: Signal travels at .59c (177,000 km/sec)
- Fiber Cable: Signal travels at .66c (198,000 km/sec)
- AUI Cable: Signal travels at .65c (195,000 km/sec)

Slide Title: Ethernet Signal Propagation Speed

Important Points to Cover:

This is a lead-in to the next slide. This information comes from the 802.3 spec. It is an auto build slide.

Page 3 - 27

So, How Long is a Bit?


3-28
This information is used to determine where a collision can reasonably be expected to occur in a worst case scenario in your specific network. Collisions that occur past this point are the result of defective hardware somewhere in the network. For example: If your maximum latency is 300 meters (includes delay in hubs and all equipment), would you expect to see a collision 20 bytes into the frame? On thick Ethernet, 1 bit = 23 meters. 300 meters total. 300 divided by 23 = approx. 13 bits. Multiply by 2 for the round trip. A collision in a network with latency equivalent to 300 meters should never occur past bit number 26. You should not see a collision past the preamble. [(300 / 23) = 13] x 2 = 26 bits. (This information is taken from the 1992 edition of the 802.3 specification.) On twisted pair Ethernet, the maximum cable length from hub port to transceiver is 100 meters (200 meters from end device to end device). [(200 / 17.7) = 11.3] x 2 = ~23 bits. In twisted pair, then, a collision should never occur beyond bit number 23, still within the preamble.

- For thick Ethernet, the basis of the specification: 231,000 km/sec divided by 10 million bits per second = 23.1 meters
- A bit occupies 23.1 meters on thick Ethernet, slightly fewer meters for thin and twisted pair Ethernet
- An extension of 32 bits would cause an additional 32 x 23.1 meters or 739 meters to be busy, which makes it possible to busy out a maximum size Ethernet segment
- This explains why a repeater extends a fragment frame by at least 32 bits. It also explains the 32 bit jam added to a collision frame
- For 10Base-T: 177,000 km/sec divided by 10 million bits per second = 17.7 meters
- 32 x 17.7 meters = 566.4 meters are busy on jam, easily exceeding the maximum length between end devices
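The bit-length arithmetic above, generalized to every medium on the propagation-speed slide and turned into a late-collision check. This is an added example, not part of the course material; the function names and the sample collision offsets are assumptions made up for illustration.

```python
import math

BIT_RATE_BPS = 10_000_000   # 10 Mbps Ethernet
JAM_BITS = 32               # jam / fragment extension length from the slide
PREAMBLE_BITS = 64          # 8-byte preamble, counted from the first bit sent

# Propagation speeds as quoted on the slide, in km/sec.
SPEED_KM_PER_SEC = {
    "thick_coax": 231_000,
    "thin_coax": 195_000,
    "twisted_pair": 177_000,
    "fiber": 198_000,
    "aui": 195_000,
}


def bit_length_m(medium):
    """Meters of cable occupied by one bit at 10 Mbps."""
    return SPEED_KM_PER_SEC[medium] * 1000 / BIT_RATE_BPS


def jam_span_m(medium):
    """Meters of cable kept busy by a 32-bit jam or fragment extension."""
    return JAM_BITS * bit_length_m(medium)


def last_legitimate_collision_bit(equivalent_length_m, medium):
    """Latest bit offset at which a collision can still be normal.

    equivalent_length_m is the worst-case one-way latency expressed as
    cable length (hub and equipment delay included, as in the notes).
    The sender learns of a collision after one round trip.
    """
    one_way_bits = equivalent_length_m / bit_length_m(medium)
    return math.ceil(2 * one_way_bits)


def classify_collision(offset_bits, equivalent_length_m, medium):
    """Return 'expected' or 'late' for a collision seen at offset_bits."""
    limit = last_legitimate_collision_bit(equivalent_length_m, medium)
    return "expected" if offset_bits <= limit else "late"


def triage(offsets_bits, equivalent_length_m, medium):
    """Classify a list of observed collision offsets (in bits)."""
    return [(bits, classify_collision(bits, equivalent_length_m, medium))
            for bits in offsets_bits]


if __name__ == "__main__":
    # Constructed sample: collision offsets in bits on a thick coax network
    # with 300 m of equivalent latency. 160 bits is "20 bytes into the frame".
    for bits, verdict in triage([12, 26, 160], 300, "thick_coax"):
        where = "preamble" if bits <= PREAMBLE_BITS else "frame body"
        print(f"collision at bit {bits:>3} ({where}): {verdict}")
    for medium in SPEED_KM_PER_SEC:
        print(f"{medium:<13} bit = {bit_length_m(medium):5.1f} m, "
              f"jam covers {jam_span_m(medium):6.1f} m")
```

A "late" verdict here means the offset is beyond what propagation delay alone can explain for the stated latency, which the notes attribute to defective hardware or an over-extended network.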

Slide Title: So, How Long is a Bit?

Important Points to Cover:

Our favorite slide. (Lightbulb goes on.) The pictures you see of a tiny frame on a big network are all wrong. The frame quickly envelops the entire cable segment, thus collisions are much more rare than you have been led to believe.

Page 3 - 28

Historical IEEE 802.3 Maximum Topology (5-4-3 Rule)


3-29
[Diagram: Station 1 and Station 2 connected across Segments 1-5 through Repeater Sets 1-4]

This information is taken from the 1992 edition of the 802.3 specification. Maximum end-to-end propagation delay is derived by dividing the maximum length by the speed. See previous page for speed. For thick coax, this is 500 m divided by 231,000 km/sec = 2165 nanoseconds. For thin coax, this is 185 meters divided by 195,000 km/sec = 950 nanoseconds. Each tap and each device adds additional delay, so the total network must not introduce more than 51.2 micro seconds of delay. Even though these rules are specified for coax cable, the 5-4-3 rule still applies to the newer fast technologies. Cable lengths are modified and delay characteristics are calculated to obtain the maximum topology rules.

- The maximum transmission path permitted between any two stations is five segments and four repeater sets
- Of the five segments, a maximum of three may be coax segments; the remainder are link segments
- A coax segment is a cable terminated at both ends in its characteristic impedance, with a maximum end-to-end propagation delay of 2165 ns for 10BASE5 and 950 ns for 10BASE2
- A point-to-point link segment is a non-coax segment, terminated in a repeater set at each end, with a maximum end-to-end propagation delay of 2570 ns. A 10BASE-T connection between a hub and station is also considered a point-to-point link
- If there are no link segments on a transmission path, there may be a maximum of three coax segments on that path given current repeater technology.

Slide Title: Historical IEEE 802.3 Maximum Topology (5-4-3 Rule)

Important Points to Cover:

These rules are derived from the collision domain concept. They are taken directly from the IEEE specs that have been in place for many, many years. The slide is a lead-in to the new concept of transmission models explained on the next pages. Explain the 5-4-3 rule so they understand it fully. The newer transmission models 1 and 2 slides have been moved to the Optional Technologies section since most people are not using equipment where it is important. You can still go there to show them if you think a student needs them for clarification.

Page 3 - 29

Minimum Frame Length Determination


3-30
[Diagram: Stations 1, 2 and 3 on a path of Segments 1-5 joined by Repeater Sets 1-4]

- The minimum length for an Ethernet frame is 64 bytes or 512 bits. This is based on the round-trip propagation delay on a frame for the worst-case scenario
- Station 1 transmits to adjacent Station 2 on Segment 1
- Station 3 just misses hearing Station 1's transmission and also transmits. Station 3's transmission collides with Station 1's transmission
- The damaged frame travels back down the network to inform Station 1 that a collision has occurred. This takes approximately 50 microseconds or 500 bit times
- The minimum frame length is defined such that the:
  - Message from Station 1 is long enough so that Station 1 is still sending when the collision is detected
  - The resulting runt message from Station 1 is short enough such that Station 2 (the receiver) can throw out the message on the basis of it being too short (less than 64 bytes)

The node needs to know it had a collision, so the damaged frame can be resent at the MAC level. Retransmitting at the MAC level is very fast: within microseconds. A retransmission at the LLC level takes a few milliseconds. A retransmission at upper-layers can take a few seconds per frame.

Slide Title: Minimum Frame Length Determination

Important Points to Cover:

These rules are derived from the collision domain concept.

Page 3 - 30

So How Does this Apply to TP?


3-31
[Diagram: numbered end stations connected through repeaters R1-R4; callout: "Populating one of these repeaters would break the rule"]

- The frames must be long enough so that stations 1 and 5 are still transmitting when the collision signal gets back to them
- Count the repeaters between the furthest end stations to ensure you have not broken the 5-4-3 rule

Repeaters: Hubs or Concentrators

A "collision domain" is defined as the physical area within which a collision is propagated. Repeaters propagate everything, even bad frames.

Slide Title: So How Does This Apply to TP?

Important Points to Cover:

New Slide. Automated build slide. Shown to emphasize that hubs / concentrators must follow the 5-4-3 rule. It's easy to inadvertently break the rule when you have them all stacked in racks in a wiring closet. Perhaps they should label the devices so unused ports are not used incorrectly.

Page 3 - 31

Is this a Valid Application of 5-4-3?


3-32

[Diagram: six ACME 10BASE-T Concentrators]

Slide Title: Is This a Valid Application of 5-4-3 with 10BASE-T?

Important Points to Cover:

Yes. This is a 10BASE-T network with a 3-level cascade. The topmost concentrator serves as the backbone to the other hubs. The middle-end hubs are populated, whereas the middle-center hub is not: it is a link segment to the two lower populated hubs. Note that no frame needs to traverse more than 5 segments or 4 repeaters (hubs) to its destination.

This is the recommended configuration by the 10BASE-T vendor SMC. Follow the path of every station to ensure that it obeys the 5-4-3 rule.

The development of the 5-4-3 rule can be summarized as follows.

(1) The length of any given segment of a network is limited by the electrical and physical properties of the cable type employed. The primary characteristic is the rate of attenuation over a given length of the cable. For example, for thick coax, 500 meters is considered to be the maximum length over which we can transmit a signal while ensuring that the signal does not attenuate or otherwise degrade to the point of being unacceptable to a receiver.

(2) Based on section 13.4.2 of the 802.3 specification, the number of repeaters that can be used is limited by the potential for shrinkage of the interframe gap. If the interframe gap is reduced, the potential for misinterpretation of frames increases. Shrinkage of the gap will likely prevent receiving network interfaces from having sufficient time to perform housekeeping functions such as posting interrupts, managing the buffer, and updating statistical counters, etc. Specifically the IEEE specifications say, "The worst-case variabilities of transmission elements in the network plus some of the signal reconstruction facilities required in the 10 Mbps baseband repeated specification combine in such a way that the gap between two packets travelling across the network may be reduced below the interframe gap specified in section 4.4.2.1. This parameter limits the equipment (i.e. number of repeaters) between any two DTEs."

(3) Knowing the facts as given in (1) and (2) above, we can now see how the minimum frame length of 64 bytes was calculated. We have segments of 500 m due to the signal characteristics of the cable. We can have a maximum of 4 repeaters and, therefore, 5 segments between any two stations. This creates a maximum topology as described in the text. Then, knowing that we must guarantee collision detection while the stations participating in the collision are still transmitting, we must specify a minimum frame length of 64 bytes due to the inherent normal propagation delay of the maximum topology size described above.

Page 3 - 32

Exercise: Cable Specifications


3-33

Turn to the lab section to complete this exercise. Use the diagram on the next page as a reference to the network layout

Slide Title: Exercise: Cable Specifications

Important Points to Cover:

Use the instructor notes in the back of the instructor manual to review the exercise. Go over the diagram on the next page before they begin.

Page 3 - 33

Exercise: Cable Specifications


3-34

[Network Diagram: Node 1 WstDig178C4, Node 2 WstDig96EC2, Node 3 Sniffer and File Server COFFEE.1 WstDigFF965F; Hubs 1-6 on UTP; a Thin Ethernet RG58 coax segment; a "??" coax segment; a Bridge; one run marked 50 meters]

Slide Title: Exercise: Cable Specifications-network diagram

Important Points to Cover:

Review the network configuration. Note that the picture is not complete. For example, there probably were other stations on the thin Ethernet. The Sniffer analyzer was connected somewhere near the end of the thin Ethernet. (Otherwise the Sniffer technician probably would have noticed the ARCNET cable!?!) We don't know exactly what was on the other side of the bridge shown on the left. Originally the Sniffer analyzer was placed at the end of the topology and saw no errors. In the actual trace, the Sniffer analyzer was placed at the junction and saw errors. The node was moved to the end of the topology and worked without incident. Client addresses in the trace all exist off of the Concentrator with the Server Coffee.1.

Since the transmission model slides were moved to the back, you will probably not cover this with the class. The calculations are left here just in case you need them. To calculate the p v v, we calculate from right to left:
50 meters N N FS B N S H H H H H H

8+8+8+8+8+16 = 56 This does not exceed the delay, but it is higher than the 49 p v v allowed in Model 2.

Page 3 - 34

Degree of Degradation
3-35
- Ethernet retransmission occurs, typically, within a few hundred microseconds
- Type II LLC retransmissions may occur within milliseconds
- Transport layer retransmissions may occur within seconds
- Application layer retransmissions may occur within tens of seconds
- User programs may wait minutes before timing out
- Conclusion: The higher the layer responsible for retransmission, the longer the user has to wait

Slide Title: Degree of Degradation

Important Points to Cover:

Important concept. Physical layer recovery is fast. Each layer higher takes more time to recover from an error.

Page 3 - 35

3-36

MAC Layer vs. Application Layer Retransmissions

943: NFS request.
944: Unanswered request (943) is retransmitted 0.7s later.
945: Unanswered request (944) is retransmitted 3s later.
946: Frame 945 is collided and is retransmitted 0.2mS later.
947: Frame 946 is collided and is retransmitted 0.3mS later.
948: Frame 947 is collided and is retransmitted 0.2mS later.
949: Frame 948 is collided and is retransmitted 2.6mS later.
950: Frame 949 is collided and is retransmitted 24.2mS later.
951: Frame 950 is collided and is retransmitted 11.4mS later.
952: Frame 951 is collided and is retransmitted 50mS later.
953: Unanswered request (952) is retransmitted 12.3s later.
954: Frame 953 is collided and is retransmitted 0.3mS later.
955: pc150 times out after request is unanswered and ARPs for natco-4 26.9s later.

Trace file FRAGS.ENC. Note that all frames with a CRC flag are actually collided. At the time that the trace was taken, Network Associates was using an adapter which was incapable of counting or flagging frames as collided. The client NFS request to look up the file wp50 in the directory handle E71D is retransmitted four times without answer for a total of 43.4 seconds before the user application gives up and ARPs to see if its server is still alive. The Truncated Binary Exponential Backoff Algorithm (progressively larger multiples of the slot time) is demonstrated in frames 945 to 952: the random backoff timer is lengthening until the first good request in frame 952. Once NFS retransmits in frame 953, which is collided, we see the algorithm start over again at the beginning. The NFS retransmissions occur at 0.7s, 3s, 12.2s, and 26.8s or so, when the client finally gives up.
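One way to separate MAC-layer backoff retransmissions from upper-layer ones in a frame summary like the one above, using the largest delay the backoff algorithm can produce as the cut-off. This is an added example, not part of the course material or the Sniffer product. The backoff exponent cap of 10 and the 1518-byte maximum frame are standard 802.3 values not stated on this page, and the function names are made up for illustration; the embedded text is a copy of the slide's frame summary.

```python
import re

SLOT_TIME_US = 51.2            # 512 bit times at 10 Mbps
BACKOFF_LIMIT = 10             # 802.3: exponent stops growing after 10 collisions
MAX_FRAME_US = 1518 * 8 / 10   # time to send a maximum-size frame at 10 Mbps

# Copy of the frame summary from the slide (trace FRAGS).
TRACE_SUMMARY = """\
943: NFS request.
944: Unanswered request (943) is retransmitted 0.7s later.
945: Unanswered request (944) is retransmitted 3s later.
946: Frame 945 is collided and is retransmitted 0.2mS later.
947: Frame 946 is collided and is retransmitted 0.3mS later.
948: Frame 947 is collided and is retransmitted 0.2mS later.
949: Frame 948 is collided and is retransmitted 2.6mS later.
950: Frame 949 is collided and is retransmitted 24.2mS later.
951: Frame 950 is collided and is retransmitted 11.4mS later.
952: Frame 951 is collided and is retransmitted 50mS later.
953: Unanswered request (952) is retransmitted 12.3s later.
954: Frame 953 is collided and is retransmitted 0.3mS later.
955: pc150 times out after request is unanswered and ARPs for natco-4 26.9s later.
"""

DELTA_RE = re.compile(r"(\d+(?:\.\d+)?)\s*(ms|s) later", re.IGNORECASE)


def max_backoff_us(collisions):
    """Longest backoff after the n-th collision: (2^min(n,10) - 1) slot times."""
    exponent = min(collisions, BACKOFF_LIMIT)
    return (2 ** exponent - 1) * SLOT_TIME_US


# A delta above this cannot be explained by MAC backoff plus one frame time.
# Observed deltas also include deferral to other traffic, so this is a
# ceiling for triage, not an exact model of each attempt.
MAC_CEILING_US = max_backoff_us(BACKOFF_LIMIT) + MAX_FRAME_US


def parse_trace(text):
    """Return one dict per frame that carries a 'N later' delta."""
    rows = []
    for line in text.splitlines():
        frame, sep, rest = line.strip().partition(":")
        match = DELTA_RE.search(rest)
        if not sep or not frame.isdigit() or match is None:
            continue  # frame 943 is the original request and has no delta
        scale = 1_000 if match.group(2).lower() == "ms" else 1_000_000
        rows.append({"frame": int(frame),
                     "delta_us": float(match.group(1)) * scale,
                     "collided": "collided" in rest})
    return rows


def classify(delta_us):
    return "mac" if delta_us <= MAC_CEILING_US else "upper"


def analyze(text):
    rows = parse_trace(text)
    for row in rows:
        row["layer"] = classify(row["delta_us"])
    mac = [r for r in rows if r["layer"] == "mac"]
    upper = [r for r in rows if r["layer"] == "upper"]
    return {
        "mac_frames": [r["frame"] for r in mac],
        "upper_frames": [r["frame"] for r in upper],
        # Frames where the timing verdict disagrees with the slide's wording.
        "mismatches": [r["frame"] for r in rows
                       if (r["layer"] == "mac") != r["collided"]],
        "slowest_mac_us": max(r["delta_us"] for r in mac),
        "fastest_upper_us": min(r["delta_us"] for r in upper),
    }


if __name__ == "__main__":
    result = analyze(TRACE_SUMMARY)
    print("MAC ceiling: %.1f us" % MAC_CEILING_US)
    for key, value in result.items():
        print(key, value)
```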

Slide Title: MAC Layer vs. Application Layer Retransmissions

Important Points to Cover:

Retransmission timer as revealed in the Sniffer Pro analyzer screens. FRAGS.CAP Frames 945-952 show the retransmission timer in action.

Demo:

Summary

3-37

In this section, you learned how to:
Describe the access method used in Ethernet
Discuss the responsibilities of the MAC layer
Differentiate the various types of Physical Layer devices
Explain the importance of the physical size limitations of the Ethernet networks
Ensure the physical characteristics of the Physical Layer have not been extended beyond the specifications

Slide Title: Summary

Important Points to Cover:

Wrap up the section by reviewing the objectives and answering any questions the students may have.

Target Time: End of Day 1. Go further if you can, since the stuff that's coming is what they want to hear.

4-1

Troubleshooting Methodologies

Ethernet Network Analysis and Troubleshooting Troubleshooting Methodologies

Section 4 TNV-202-GUI

Slide Title: Troubleshooting Methodologies Section 4

Section Timing: Start: Day 2 Beginning of the day. Finish: Day 2 Late morning if possible!

Important Points to Cover:

Section 4 title slide only.

Files: 04_tbls_g.PPT, 04_tbls_g.DOC

Traces: HUBPORT1.CAP, BAD03.CAP, 05.CAP, 17.CAP, Badcrc.cap, HUBPORT2.CAP, FRAGS.CAP, 06.CAP, 19.CAP, Badcrc-1.cap, BADCABLE.CAP, 01.CAP, 16.CAP, 20.CAP, 21.CAP (was GIANT.ENC)

Exercises:

Optional-

Hubports More Problems Test Your Skill Errors Evaluating Hub Jams Ethernet Physical Errors

Modifications were made for the new software version. Some answers have changed. Be sure to review them before you teach! There are too many to do all and have time to cover the newer technologies. Choose those you feel will meet your students' needs.

Section Objectives

4-2

Upon completion of this section, you will be able to:
Recognize and isolate failures in the network using the Sniffer Pro Network Analyzer
Examine Monitor Statistics to determine whether there are problems
Use the Expert symptoms and diagnoses to get the details
Gather Monitor statistics for trend analysis and baselining

Slide Title: Section Objectives

Important Points to Cover:

State the objectives. This section is just troubleshooting with lots of suggestions and practice.

Capturing Error Frames

4-3

You must use NAI-supported adapters with enhanced drivers to observe and capture physical error frames
NAI-21140UC
Adaptec (Cogent) ANA-6911A/TX PCI
Adaptec (Cogent) ANA-6911A/TXC PCI
Xircom CBE-10/100 BTX CardBus
Xircom CBE2-10/100 BTX CardBus

Slide Title: Capturing Error Frames

Important Points to Cover:

New Slide. Use this slide to emphasize they need to use NAI supported cards and drivers in order to capture the error frames. These cards capture both 10 and 100 Mbps networks.

Analyzing the Ethernet Physical Layer

4-4

Frame Corruption
Collisions
Propagation delay
Reflected signals
Electrical noise
Hardware failure

With any of these problems, users will see decreased performance due to multiple frame retransmissions

Slide Title: Analyzing the Ethernet Physical Layer

Important Points to Cover:

Look for evidence of these in the Sniffer Pro analyzer.

Some Guidelines

4-5

The IEEE specifications stipulate that the Bit Error Rate (BER) should not exceed 10^-8 in worst case. A typical LAN 10Mbps segment should have a BER of 10^-11 or better. This translates to a frame loss rate of 10^-7.

More than one bad frame per Mbyte of data deserves attention
Any unexplained change in the baseline deserves attention
More than 1% Error Rate deserves attention

Slide Title: Some Guidelines

Important Points to Cover:

These are important guidelines for determining when they need to act. Be sure to cover these, since these are important CNX numbers they need to know. CNX guidelines do not allow you to specifically state that this is a CNX concept, however, so do not say this is on the test!

We have met the requirement that it is documented in the course materials.

Fast Transmit Adapters

4-6

Some adapters start transmitting before the entire frame has arrived in their transmit buffer
If the remainder of the frame has not arrived when the first part is on the wire, it just quits transmitting, leaving the short incomplete frame on the wire
Since it has no CRC, the Sniffer calculates the CRC based on the last 4 bytes and shows a CRC error
The adapter waits for carrier to drop and 96 bit times to elapse before it sends the complete frame

[Diagram: frame from upper layer, transmit buffer, partial frame on the wire (CRC Error!), complete frame on the wire]

Do not count these incomplete bad CRC frames in the 1 bad frame/MB calculation

The name depends on the vendor. The adapter may also be called a parallel tasking adapter.

Slide Title: Fast Transmit Adapters

Important Points to Cover:

This is a new slide that discusses the effect of fast transmit or parallel tasking adapters. (They may be known by other vendor-specific names.) It is a build slide that is partially timed and partially relies on mouse clicks. The slide is pretty self-explanatory and should help you explain away some of the false CRC errors the Sniffer reports.

Troubleshooting Tip

4-7

It is always easier to identify what is wrong if one knows how it is supposed to work
One recommendation would be to capture an example of how it looks when the network is working
Save the captured data to a file
When the network stops working, capture another snapshot and compare the working scenario with the nonworking scenario
Then simply identify what is different between the two examples

Slide Title: Troubleshooting Tip

Important Points to Cover:

Student notes and slide are adequate.

Divide and Conquer

4-8

All speeds of half-duplex Ethernet are contention-based
Because of its nature, we are still troubleshooting Ethernet with the Binary Search method
Divide the domain in half. Which half does the problem follow?
This is still valid for star networks
We could always use a network map!

[Diagram: the domain divided in half, each half labeled "Problem?"]

Some hubs will autopartition devices out of the network that have too many bad CRCs or if they are jabbering. You can also look at the hub with a solid activity light. That usually indicates problems.

Slide Title: Divide and Conquer

Important Points to Cover:

This is an automated build slide. It's an old method, tried and true on bus topology Ethernet. It still works on star configurations, too. Of course, managed hubs and switches provide a lot of information to the management software, so this may be a last resort technique. A star configuration should prompt a discussion about hubs and switches. Be sure to mention the student notes topics, too. A blinking light on the hub/switch is there to remind you to talk about autopartitioning hubs and looking at the lights in the wiring closet for lights that are abnormal. Not all hubs and switches support them, but they need to know which is supported on their equipment and use those clues, too.

Exercise: Hubports

4-9

Turn to the lab section to complete this exercise. Use the diagram on the next page for reference

Slide Title: Exercise: Hubports

Important Points to Cover:

Use the diagram on the next page to introduce this exercise.

Exercise: Hubports Continued

4-10

Network Diagram
10BASE-T Hub
Hubport1: known good port
Hubport2: suspect port
NetWare client: Novell~FAA
NetWare file server: 3Com~704
NetWare client: 3Com~F91

The user's PC was replaced by a Sniffer. The same cable connecting the PC was used. Another Sniffer is plugged into a known good port. Both Sniffers were capturing simultaneously.

1) The network is broadcast-oriented: every node hears everything on the wire, including bad or collided frames.
2) Communication is half-duplex and asynchronous in nature: each node must wait until the wire is quiet before accessing the network.
3) Although the network is physically wired as a star, it is still logically a bus.

Slide Title: Exercise: Hubports Diagram

Important Points to Cover:

Give the background information before the students begin the exercise. They may not catch all the clues, but that's the fun of the exercise.

Legal Collisions

4-11

Collision occurs within the first 512 bits (64 bytes) of data
Preamble collisions have no recoverable frame data
Typical collisions occur within the first 48 bytes of data
Sniffer Pro Analyzer needs to see 96 bits to capture the frame, otherwise it just increments the collision counter
  This includes the preamble and the first bytes of the destination address
  64 bits of Preamble
  32 bits of the destination address

Networks up to 37% sustained utilization are often very clean

Slide Title: Legal Collisions

Important Points to Cover:

These collisions are a normal part of Ethernet.

Sniffer adapters: The Sniffer Network Analyzer uses two basic types of adapters:
Those that can report collisions. The adapter senses that a collision has occurred and marks the frame with an x.
Those that do not report collisions. Sniffer Pro software uses a soft collision counter. If the packet is analyzed and has a CRC error and the last 2 bytes of the packet are 0xAAAA or 0x5555, then the packet is considered to be a soft collision.

Normal Collisions

4-12

Preamble collisions are not captured
Local coax collisions do not have AAs or 55s in the data
Remote collisions show AAs and 55s in the data field inserted by the repeater
They may be labeled collision fragments or runts

Runts
Preamble (8) | D Addr (6) | S Addr (6) | Tp/Ln (2) | Headers (varies) | Data (varies) | CRC (4)

Slide Title: Normal Collisions

Important Points to Cover:

New slide. Screen shot showing a normal collision. It is labeled as a collision fragment in the Detail window. This is from 01.CAP

Late Collisions

4-13

On coax, the signal becomes much more negative when the collision occurs. The squelch filter drops this signal, so you see good data then nothing.
On UTP repeated sections, look for evidence of jam from the repeater after 60 (decimal) bytes
  Either aa aa aa aa... or 55 55 55 55
  101010101010 is aa aa aa, 010101010101 is 55 55 55
  64 byte minimum minus the 4 byte CRC
  60 (decimal) = 3D (hex)

Late Collisions
Preamble (8) | D Addr (6) | S Addr (6) | Tp/Ln (2) | Headers (varies) | Data (varies) | CRC (4)

Slide Title: Late Collisions

Important Points to Cover:

This is a screen capture that draws the line in the hex window to show where the dividing line is between a normal and late collision. The Expert gives a symptom that indicates when it has seen a collision after the 64th byte when the frame meets certain criteria. 17.cap has a lot of collisions, some are marked as occurring after the 64th byte. There are no AAs or 55s in the hex data, so it was captured on a local coax segment. Badcrc.cap has a late collision in frame 6 way out at offset 38F, but it must be beyond what the Sniffer uses to call a late collision. This should help you in teaching them how to determine when the collision was too late.

Rogue Nodes or Bad Hubs

4-14

Rogue nodes with hearing problems may think the wire is quiet when they send their frame in the middle of someone else's frame
Bad hubs can also cause late collisions
Calculate the math pertaining to network size
If collisions are occurring well beyond where they should be, suspect a rogue node or bad hub

Slide Title: Rogue Nodes or Bad Hubs

Important Points to Cover:

New Slide. Sniffer recognizes when a collision occurs too late and shows it in the Expert and on the Summary and Detail panels in the decode window. 05.cap and 04.cap both have frames marked as collision after 64 bytes. This slide was suggested by Don Prefontaine. Thanks, Don!

Propagation Delay Problems

4-15

Propagation delay is part of normal communications
  Example: a signal sent from the Moon takes 1.29 seconds to reach Earth
Excessive propagation delay causes corruption
Corruption is random
  Size of corrupted frame is random
  Victim (source) is random, but skewed by participation
Corruption typically occurs before the 64th byte
  This is NOT an absolute rule
Cause: Cable is too long, or out of spec, or there are too many repeaters or hubs
  The faster technologies have shorter cable specifications and require high quality cables, old legacy cables may have been overlooked and are still in use

FRAGS.ENC shows an example of propagation delay. Filter out the good frames and turn off symptoms. Look at frames 958-964 in the hex panel.

Slide Title: Propagation Delay Problems

Important Points to Cover:

Important skill which allows you to know what may have caused the corruption the Sniffer analyzer is showing.

Excessive Propagation Delay

4-16

Users at end of topology may have more problems than other users
Sniffer Pro Analyzer sees:
  Physical errors symptoms or diagnoses
  Damaged frames (CRC errors)
  Only a few runts (many frames will be legal minimum length)
  Collision counter will be high if cable is too long
    May not be high if collisions are across a repeater
Examine frames for Collision data visible at end of frame
  aa aa aa or 55 55 55...

Slide Title: Excessive Propagation Delay

Important Points to Cover:

Important skill which allows you to know what may have caused the corruption the Sniffer analyzer is showing.

Signal Reflection Problems

4-17

These problems occur on all media, but are not seen in UTP frames because the adapter does not see them. They are easy to detect on coax.
Corruption is non-random
  Frames are corrupted by their own reflected preamble
A victim node's frame will typically be corrupted at the same offset
  Corruption often occurs prior to the 32nd byte (32 decimal = 1F hex)
  Collision data may be visible
If signal reflection is suspected, the best way to examine it is to examine the coax segments with a Time Domain Reflectometer (TDR)

[Diagram: Sniffer Pro, Transmit, CRC errors, collision data]

Signal reflection problems occur everywhere on every medium. They cannot be observed on UTP because, unlike coax, a node cannot see the bits it is transmitting. It is simply looking for link pulse to know if the link is still there. It does not do current sensing, voltage sensing, and Manchester encoding detection like it can with coax. On coax, one pair is used for both transmission and reception. On UTP, one pair is for transmission and the other is for reception. When a node sends bits to a hub, the hub repeats it out all ports except the one it received on. That means that a node cannot see what it is transmitting. Reflections are also the result of poor termination or no termination. If a hub uplink or switch uplink is not working properly, change the cable to a known good cable and test again. If the UTP cable is flexed too much, it can create a near open (resistance too high; exceeds the 110 ohms or 130 ohms of normal termination) that will not pass enough current, thus creating a signal reflection. A TDR will tell you if the cable is good, bad, or ugly.

Slide Title: Signal Reflection Problems

Important Points to Cover:

Important skill which allows you to know what may have caused the corruption the Sniffer analyzer is showing. Important point: This shows up almost exclusively in coax Ethernet, so you can skip it if no one has it anymore. The diagram is automated. You may want to discuss some of the things that may show up in the Sniffer's hex window. Of course, where the Sniffer was attached in relation to the open cable and where the transmitting station is located directly affect it. There may be reflected preamble in the frame. It is doubtful that you would see any of the destination address folding back.

Electrical Noise Problems

4-18

Users see intermittent disconnections and problems connecting to network services
Sniffer Pro Analyzer sees:
  Physical errors symptoms or diagnoses
  Damaged frames resulting in CRC errors
  The frames are the right size but have incorrect data, maybe only one or a few bits got changed
  Not many more runts or collisions than baseline
Cause:
  Radio Frequency Interference (RFI)
  Electromagnetic Interference (EMI)
  Poor quality cabling not meant for high speed data transmission

[Diagram: Sniffer Pro, Transmit, CRC errors]

Slide Title: Electrical Noise Problems

Important Points to Cover:

Review quickly. The diagram is automated.

Troubleshooting Electrical Noise

4-19

Corruption is random
No collision data is visible
  This is an absolute!
Noise typically has no effect on frame length
Worst case scenario:
  If the damaged frame is greater than 64 bytes, it will appear as a CRC or Alignment in the status field
  If the damaged frame is less than 64 bytes, it will appear as a Runt or Fragment in the status field
  Noise disrupts the clock; adapter thinks the frame ended

Slide Title: Troubleshooting Electrical Noise

Important Points to Cover:

Student notes and slide are adequate.

Hardware Problems / Issues

4-20

Corruption can look like all the other types of physical errors
Typical evidence is too many bytes
  Much more than 8 bytes of corrupted data
  Corrupted data may resemble preamble sequence of AAs and 55s
Could be a jabbering transceiver or NIC
  The 802.3 specification states that a transceiver should contain a self-interrupt capability to inhibit a station from sending for more than 150 milliseconds. The Ethernet V1 and V2 specifications did not have this feature
A managed hub will autopartition the port out quickly
  An unmanaged hub waits until it misbehaves for .25 to .75 s
  The port LED will flash and Sniffer shows chronic errors

A hardware card that is jabbering can jabber with preamble sequence or all ones.

Slide Title: Hardware Problems / Issues

Important Points to Cover:

Student notes and slide are adequate.

Jabbering NIC

4-21

Lots of ones or zeros that seem to go on forever

Slide Title: Jabbering NIC

Important Points to Cover:

New slide. Screen shot showing jabber in a frame. This shot was taken from jabtest.enc from HQ engineering. It may have been created, but it meets the Expert's criteria for jabber as you see on the screens. Warning: the Jabber.cap file we previously used for jabber may not actually show jabber. The Expert doesn't label it that way and you will see the same pattern of bits in the frame that was retransmitted and others around it.

Sniffer Pro Ethernet Error Analysis

4-22

Sniffer Label: #Collision
Frame Size: 64 bytes or greater
Error patterns: N/A (Truncated)
Probable Causes: Representative of late collisions on coaxial media. Frames will be truncated. Causes include propagation delay or faulty hardware.

Sniffer Label: Alignment, # Alignment
Frame Size: <64 bytes, >64 bytes
Error patterns: Look for 8 to 12 bytes of AAAAs or 5555s. If not there, or greater amount, see comments.
Probable Causes: Alignment errors with the AA/55 pattern are most often caused by normal collisions on UTP cable. The data pattern is caused by the repeater jam signal. If data length is greater than 64 bytes on any damaged frame, include propagation delay and hardware as causes. If the AA/55 pattern exceeds 12 bytes, a jabbering NIC or repeater is most likely.

Sniffer Label: CRC
Frame Size: >64 bytes
Error patterns: No specific pattern.
Probable Causes: Most commonly caused by noise or hardware, especially damaged or improperly installed wiring.

Sniffer Label: Runt
Frame Size: <64 bytes
Error patterns: May contain the AA/55 pattern, usually from 8 to 12 bytes.
Probable Causes: Runts have the same causes as Alignments.

Sniffer Label: Fragment
Frame Size: <64 bytes
Error patterns: May contain the AA/55 pattern, usually from 8 to 12 bytes.
Probable Causes: Fragments are defined as Runts with an invalid CRC. Handle the same as Alignments.

Sniffer Label: Jabber
Frame Size: May be any size. The pattern is important
Error patterns: Greater than 12 bytes of AAs or 55s. Pattern will include lots of AAs and 55s.
Probable Causes: The cause is hardware, usually a NIC or repeater.

Sniffer Label: Oversize
Frame Size: >1514 bytes
Probable Causes: Hardware has failed and is streaming data. Managed hubs may permanently partition node streaming for more than 150ms; unmanaged hubs may not.

Sniffer Pro Physical Error Descriptions

CRC Errors: A legal frame with a CRC error, a frame whose CRC does not agree with the actual bytes received
Short/Runt: A frame that is less than 60 bytes with a good CRC
Soft Collision: A runt frame with a CRC error and one of the following patterns in the last three bytes: 0x5555, 0xAAAA, 0x0D0D, 0x1A1A, 0xA1A1, 0x6868, 0x8989, 0x3434, 0x4343
Alignment: A frame with a dribbling bit set that is larger than 60 bytes with a CRC error or the frame contains a non-integer multiple of 8 bits
Jabber: A frame with a CRC error and size larger than 1514 bytes
Oversize: A frame with a good CRC and size larger than 1514 bytes
Fragment: A frame with a CRC error and size less than 60 bytes
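The error descriptions and the AA/55 guidance above can be applied directly to captured frame bytes. The Python below is an added example, not Sniffer Pro code: it assumes each frame is supplied as bytes from the destination address through the 4-byte FCS and that the 60- and 1514-byte limits exclude the FCS; the function names and sample frames are constructed for illustration.

```python
import struct
import zlib

# Assumption: the table's size limits count the frame without its 4-byte FCS.
MIN_SIZE = 60
MAX_SIZE = 1514
# Two-byte soft-collision patterns listed in the descriptions table.
SOFT_PATTERNS = [bytes.fromhex(p) for p in (
    "5555", "aaaa", "0d0d", "1a1a", "a1a1", "6868", "8989", "3434", "4343")]


def fcs(body: bytes) -> bytes:
    """Ethernet FCS over destination address through data (CRC-32, low byte first)."""
    return struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def fcs_ok(frame: bytes) -> bool:
    """Treat the last 4 captured bytes as the FCS, even on a partial frame."""
    return len(frame) > 4 and fcs(frame[:-4]) == frame[-4:]


def classify(frame: bytes) -> str:
    """Label a frame using the Physical Error Descriptions.

    Alignment is not handled: it needs the adapter's dribbling-bit flag,
    which byte-aligned capture data does not carry.
    """
    size = len(frame) - 4
    if fcs_ok(frame):
        if size < MIN_SIZE:
            return "Short/Runt"
        if size > MAX_SIZE:
            return "Oversize"
        return "Good"
    if size > MAX_SIZE:
        return "Jabber"
    if size < MIN_SIZE:
        tail = frame[-3:]
        if any(p in tail for p in SOFT_PATTERNS):
            return "Soft Collision"
        return "Fragment"
    return "CRC Error"


def jam_run(frame: bytes) -> int:
    """Length of the longest run of repeated 0xAA or repeated 0x55 bytes."""
    best = run = 0
    prev = None
    for b in frame:
        if b in (0xAA, 0x55):
            run = run + 1 if b == prev else 1
        else:
            run = 0
        prev = b
        best = max(best, run)
    return best


def jam_hint(frame: bytes) -> str:
    """Apply the analysis table's 8-to-12-byte and over-12-byte AA/55 guidance."""
    n = jam_run(frame)
    if n > 12:
        return "jabber-suspect"   # pattern exceeds 12 bytes: NIC or repeater
    if n >= 8:
        return "repeater-jam"     # 8 to 12 bytes: normal collision seen via a hub
    return "no-jam"


def sample_frames() -> dict:
    """Constructed frames for the demonstration (not taken from any course trace)."""
    hdr = bytes.fromhex("0000c0112233" "00608c445566" "0800")
    body = hdr + bytes(46)                    # 60 bytes without FCS
    good = body + fcs(body)
    flipped = bytearray(good)
    flipped[20] ^= 0x01                       # single bit changed, as noise might do
    short = hdr + bytes(10)
    big = hdr + bytes(1501)                   # 1515 bytes without FCS
    return {
        "good": good,
        "bit_error": bytes(flipped),
        "runt": short + fcs(short),
        "collision": good[:20] + b"\xaa" * 12,  # partial frame followed by 96-bit jam
        "truncated": good[:30],
        "streaming": b"\x55" * 1600,
        "oversize": big + fcs(big),
    }


def report() -> dict:
    """Map each sample name to (label, jam hint)."""
    return {name: (classify(f), jam_hint(f)) for name, f in sample_frames().items()}


if __name__ == "__main__":
    for name, result in report().items():
        print(f"{name:10s} {result[0]:15s} {result[1]}")
```
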

Slide Title: Sniffer Pro Ethernet Error Analysis

Important Points to Cover:

Review quickly. Do not attempt to read this fine print from the screen.

Have them mark this page for future reference for labs and when they get back to the job.

Exercise: More Problems

4-23

Turn to the lab section to complete this exercise

Slide Title: Exercise: More Problems

Important Points to Cover:

Tell the students whether to go on to this or wait for you to discuss the previous exercise.

Most Hubs Bit Jam on a Collision

4-24

Per 802.3: If a collision is detected on any of the ports to which the repeater (hub) is transmitting, the repeater transmits a 96 bit Jam, such that the first 62 bits transmitted are a pattern of alternate 1s and 0s.
The 96 bits is 12 bytes of 55 or AA, 4 from source collider, 4 from destination collider, and 4 bytes from the hub

[Diagram: Sniffer Pro Analyzer]

Slide Title: Most Hubs Bit Jam on a Collision

Important Points to Cover:

When the hub senses a collision, it sends a 96 bit jam out all of the ports.

Hub Jam Signatures

4-25

Look for AAAAAAs or 55555555s in the hex window

Slide Title: Hub Jam Sniffer Signatures

Important Points to Cover:

New slide. Two screen captures showing both 5s and As. Both the Summary and Hex windows are shown so you can point out how the Sniffer shows in each panel. The screen shots are taken from 02.cap and busy-jam.cap.

Analyzing Collisions and Hub Jam

4-26

1-A collision occurs here
2-The hub propagates jam signals out to all devices

Sniffer Pro 1 sees a partial frame with jam bits
Sniffer Pro 2 sees a partial frame with jam bits
Sniffer Pro 3 sees a partial frame with jam bits

[Diagram legend: Collision, Jam, Repeaters]

Slide Title: Analyzing Collisions and Hub Jam

Important Points to Cover:

New slide. This slide shows what you see in Sniffer screens in a hub-based network.

Frame Type Interoperability Problems

4-27

User sees:
  Inability to connect to specific network services
Sniffer Pro Analyzer sees:
  No more error frames than usual
Examine frames to see:
  If the user's system is using Ethernet frame format and the network service IEEE 802.3 frame format (or vice versa)
  If the user's system is using SNAP frame format while the network service is not (or vice versa)
Cause:
  Driver software configured incorrectly
  Some implementations support only Ethernet or only IEEE 802.3

If the network is not experiencing physical layer problems, verify the frame types being used by both communicating parties.

Slide Title: Frame Type Interoperability Problems

Important Points to Cover:

Review quickly.

Check Dashboard Statistics

4-28

Look here for indications of high utilization and errors

Slide Title: Check Dashboard Statistics

Important Points to Cover:

The following screen shots enable you to discuss the areas of Sniffer Pro that help them to troubleshoot Ethernet specifically. This should be familiar if they have been to the 101 G class, but it never hurts to re-emphasize these. You may want to do a demo of this. Open a trace file and display the decode windows. Either use the traffic generator screen from the tools menu or right click over the Summary panel and choose Generate current buffer and send it out continuously so you'll have plenty of time to show these next screens. Click the Dashboard icon to show this screen.

Monitor Dashboard Details

4-29

Use the Dashboard Detail counters to find physical errors

Reminder: You must have the enhanced drivers loaded to detect and capture error frames. Supported Ethernet adapters are:
Adaptec Fast Ethernet Adapter
Network Associates Card Bus Ethernet 10/100 Adapter (Xircom)

Slide Title: Monitor Dashboard Details

Important Points to Cover:

Click the Detail tab to show this view. Point out the important fields:
Utilization
Errors
CRCs
Runts
Oversize
Fragments
Jabber
Alignment
Collisions

Dashboard Error Timeline

4-30

Click on the Network and Detail Error sections to see a graphic representation of Ethernet physical errors

Slide Title: Dashboard Error Timeline

Important Points to Cover:

New Slide. Show all of the lower timelines and relate them to Ethernet counts. Be aware that this data cannot be exported; it shows real-time statistics. You can start a history sample if you want to save this type of information. The lower graph was fabricated by adding lines to the display. There is no trace that will generate this type of display. Heaven help the people who would be on a network this bad!

Track Errors with History Samples

4-31

Run these and save the data as a .CSV file
Open in Excel or a reporting application

Slide Title: Track Errors with History Samples

Important Points to Cover:

There are more. Demonstrate on your Sniffer.

Create a Multiple History Report

4-32

Include the errors you need to see

Collect the data, then save to a file to import into a spreadsheet or reporting program

To create a multiple history report, open the History Samples window from either the Monitor menu > History Samples or by clicking the History Samples icon. Click the Add Multiple History icon, assign a name to your sample and modify the sample interval and Graph Type on the General dialog box. Click the Selection tab, then the New (Insert) icon and scroll and click to choose a sample from the Statistics List window. Repeat this process until you have chosen all the statistics you want included in your report. Use the up and down arrow icons to place the statistics that will have the highest values at the bottom. Adjust any colors as you wish. Click OK when done.

Double-click the icon with the sample name to start collecting the statistics. Minimize the window to get it out of your way if you wish. It will continue to gather statistics in the background.

When you want to save the statistics to a file, click the Export icon, name the file, and choose the file type (comma, tab or space delimited) and path. The application will continue to gather statistics until you close the window. You will also be able to save the information in graphic format when you close the sample window. This can be viewed later within the History Samples application.

If you want to import a snapshot of this screen, just press the Alt and Print Screen keys to copy it to the clipboard. Then paste it into your document or a paint program for further editing.
Slide Title: Create a Multiple History Report
Important Points to Cover:

Demonstrate how to create a Multiple History report of the Ethernet errors. Suggest they may want to run this as a baseline and for trend analysis or scheduled reports for the boss. Run for a specific time and save the file as a comma-, space- or tab-delimited file for import into a spreadsheet or database. They can also save a snapshot of this graph as a .HST file when they close the window.

Page 4 - 32

Check Utilization In Global Stats


Remember, for best performance, sustained utilization should be below 37% to be considered clean
Slide Title: Check Utilization in Global Stats
Important Points to Cover:

Demonstrate this screen under Global Statistics. The 37% given here will re-emphasize this statistic they need for CNX. If they are seeing a high level of physical errors, they should check first if the network is overloaded. If the traffic is within normal ranges, they need to look at a possible physical reason for the errors.
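The triage order in these notes (high physical errors: check for overload first, then suspect the physical layer) can be applied to an exported history sample. This is an added example, not part of the course material; the CSV column names, the sample rows, the three-interval baseline, the 3x factor and the two-sample meaning of "sustained" are assumptions, since the guide does not show the export layout.

```python
import csv
import io

# Assumed column names for the error counters named on the Dashboard Detail slide.
ERROR_COLUMNS = ["crc", "runts", "oversize", "fragments",
                 "jabber", "alignment", "collisions"]
CLEAN_UTILIZATION = 37.0   # percent; the sustained-utilization figure from the slide

# Constructed sample export: one row per history-sample interval.
SAMPLE_EXPORT = """time,utilization,crc,runts,oversize,fragments,jabber,alignment,collisions
09:00,12,0,0,0,1,0,0,3
09:01,14,0,1,0,0,0,0,2
09:02,11,0,0,0,0,0,0,4
09:03,13,22,9,0,15,0,7,3
09:04,52,1,2,0,6,0,0,41
09:05,58,0,3,0,9,0,0,55
09:06,12,0,0,0,0,0,0,2
"""


def sustained(utils, limit, run_length):
    """Mark samples that sit inside a run of >= run_length samples above limit."""
    flags = [False] * len(utils)
    start = None
    for i, value in enumerate(list(utils) + [0.0]):   # sentinel closes a final run
        if value > limit:
            if start is None:
                start = i
        elif start is not None:
            if i - start >= run_length:
                flags[start:i] = [True] * (i - start)
            start = None
    return flags


def triage(export_text, baseline_rows=3, factor=3.0, run_length=2):
    """Flag intervals whose error total exceeds factor x baseline, with a verdict.

    "overload": utilization is above 37% for a sustained run, look at load first.
    "physical": traffic is within the clean range, look for a physical cause.
    """
    rows = list(csv.DictReader(io.StringIO(export_text)))
    totals = [sum(int(r[c]) for c in ERROR_COLUMNS) for r in rows]
    utils = [float(r["utilization"]) for r in rows]
    baseline = sum(totals[:baseline_rows]) / baseline_rows
    threshold = baseline * factor
    overloaded = sustained(utils, CLEAN_UTILIZATION, run_length)
    findings = []
    for i in range(baseline_rows, len(rows)):
        if totals[i] > threshold:
            verdict = "overload" if overloaded[i] else "physical"
            findings.append((rows[i]["time"], totals[i], utils[i], verdict))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EXPORT):
        print(finding)
```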

Page 4 - 33

Look at the Expert's DLC Layer



Who's the source? Is this really the culprit, or is it just impacted? Check the Symptoms and Diagnoses.

The physical errors include: CRC errors, Runts, Oversize, Fragments, Jabber, Alignment errors, Collision packets.

Slide Title: Look at the Expert's DLC Layer
Important Points to Cover:

This emphasizes troubleshooting from the bottom up. The DLC layer is the only place they will see Ethernet-related specific information. Demonstrate with your favorite trace file that shows several DLC layer symptoms and diagnoses. Point out the information available for each symptom or diagnosis in the Expert Detail panel on the lower right. This is not the place to teach the Expert. They learned this in TNV101-GUI (we hope they went). Expert help is available for symptoms and diagnoses by clicking the ? icon.

Page 4 - 34

Troubleshooting Exercises
Your instructor will choose the exercises to meet class needs. Turn to the lab section to complete the selected exercises:
Test Your Skill
Errors
Ethernet Physical Errors
Evaluating Hub Jams
If you complete them early, try another one. Come back to them when you get back to work and need review.

Slide Title: Troubleshooting Exercises

This single slide points to all of the exercises for this section. These are time-consuming. You may wish to eliminate any that you feel do not meet the needs of the class you are teaching. Emphasize that you are selecting based on the needs of the students in this class so they don't feel you are skipping things they really want to see.

Test Your Skill Exercise: This one is very important. It gives them a chance to look at traces with no clues of the problems in them. Have them mark the matrix on page 22 to help them determine what the problems might be.

Errors Exercise: The conversation always recovers prior to frame 941. The damage appears to be hardware related. We don't know what was causing that damage and can only speculate that it was bad hardware (the original repeater? a bad NIC card on the segment?) or an out-of-spec network (unlikely since they are on the same segment, but without a network map it is difficult to know). The administrator suspected the repeater and replaced it with another that was not being used. This replacement was defective. It was replaced prior to frame 941, which is the reason for the large delta time, and since it was defective, it is the reason there is no recovery in the conversation starting with frame 941.

Ethernet Physical Errors: See the impact of the Parallel Tasking feature of some Ethernet cards.

Evaluating Hub Jams: Practice troubleshooting hub jams.

Page 4 - 35

Summary

Use a bottom-up process for troubleshooting Ethernet network problems.
Work on the crises first, then spend time doing proactive monitoring to look for areas where performance is degrading and make appropriate changes.
Eventually, the crises should be fewer and the proactive preventive work will take on more importance.
Use the clues in the Sniffer Pro Monitor, Expert and Decode screens to help you determine the cause of frame damage.

Slide Title: Summary
Important Points to Cover:

Wrap up the section by reviewing the bullets and answering any questions the students may have. Add your own suggestions to the list that's here.

We're trying to emphasize using the tool for proactive network management here, to plant a seed. Good technicians try to avoid problems by looking for signs of degradation and fixing them before they become crises. The Sniffer is much more than a troubleshooting tool!

Target Time: Lunch or before if possible.

Page 4 - 36

Ethernet Bridging and Switching Concepts


We are including a very brief overview of bridging and switching techniques here to enable you to troubleshoot a switched Ethernet environment. Since many of these same principles are used for Full Duplex and Fast Ethernet, this section will lay the groundwork for those discussions. Sniffer University has a three-day class, TNV-315-GUI, with many more details.

Ethernet Network Analysis and Troubleshooting Bridging and Switching

Section 5 TNV-202-GUI

Ethernet Network Analysis and Troubleshooting

Slide Title: Ethernet Bridging and Switching Concepts Section 5
Section Timing: Start: Day 2 Before Lunch. Work through the bridging section if you can. Finish: Day 2 Mid-afternoon
Important Points to Cover:

Section 5 title slide only.

Files: 05_brg_g.PPT, 05_brg_g.DOC
Traces: scbridge.caz, busy_jam.caz, VLANprob.caz, 8021q.cap, VLANprob2.cap, 8021q-gig.cap
Exercises: Short Circuited Bridges, Busy Jam, Switch Traffic (Optional; new)

The bridging and switching sections are somewhat short to allow time for the VLAN and expanded Fast Ethernet, Full Duplex and Gigabit Ethernet sections. VLAN tagging information has been added. Move through it as quickly as you can to have time for the new section. The bridging section is also used as an introduction to concepts for the switching section. Spanning Tree is covered very briefly in this course. Refer the students who need more to the 315 course, which covers it in great detail.

Page 5 - 1

Section Objectives
Upon completion of this section, you will be able to:
Differentiate between bridging and switching on a conceptual level
Recognize network configuration issues with bridges and switches
View VLAN information in frames
Use Sniffer Pro to identify common problems associated with bridges and switches

Slide Title: Section Objectives


Important Points to Cover:

State the objectives for the section.

Page 5 - 2

Bridges
Slide Title: Bridges
Important Points to Cover:

Title slide only.

Page 5 - 3

Ethernet Bridges
[Figure: LOCAL hubs and REMOTE hubs, each side attached to a bridge; the two bridges are joined by a LAN or WAN link]

A bridge is a store-and-forward Data Link layer device.
A bridge increases the size of a network without increasing bandwidth contention, since segments separated by a bridge are in different collision domains.
A bridge is protocol independent.
A bridge bases its forwarding decision on the Data Link layer destination address in a frame.
Bridges only pass valid frames.
An Ethernet bridge is transparent from the end nodes' point of view.

Bridges work at the Data Link layer of the OSI Reference Model, specifically at the MAC sub-layer. Bridges are only concerned with physical layer addresses. They learn the address of each device on each segment to which the bridge is connected, typically two segments. When a frame is received on one port of the bridge, the bridge examines the physical layer address to determine whether or not the frame should be forwarded to the other segment. The bridge stores this information in a "Forwarding Table."

Bridges are also what is termed "Protocol Transparent." Since they work at the MAC layer and are only concerned with physical layer addresses (like Ethernet), they have no reason to be concerned with higher layer protocols like DECnet, XNS, TCP/IP. One bridge can forward (or filter) all of these higher layer protocols.

Some bridges allow complex filters to be used to determine which frames get forwarded and which frames don't. This might be used in the case where a router was previously installed to route IP frames. Due to company growth, a new protocol is added and eventually a bridge to allow access to a second segment. Since an IP router is already being used to forward IP frames, the bridge must not forward these same frames. The bridge is programmed (using a filter) not to forward IP frames, but to allow remaining frames to be forwarded if the destination address deems it necessary.

With any luck at all your bridge is sophisticated enough to have some sort of bridge manager. The bridge manager will allow you to configure the bridge, maintain its address table, and examine how effectively the bridge forwards and filters frames. Additionally, consider this: is your vendor's manager going to manage another vendor's bridge? When determining a vendor for your bridge purchase, you may want to consider its management capability.
Slide Title: Ethernet Bridges
Important Points to Cover:

Work at the Data Link Layer. Forward frames based on the MAC layer address. Bridges learn the addresses on each of their ports and build a forwarding table. They are protocol transparent. Some may do complex filtering. Many are managed by bridge management programs. Label was added to indicate the link can be LAN or WAN.

Page 5 - 4

Multiport Ethernet Bridges


[Figure: a Multi-Port Bridge with Ports A, B, C and D attached to a hub and mini-hubs; Addresses 1 through 8 reside off the ports]

Learns the addresses of devices that reside off each port.
Maintains a list of the addresses for each port in hardware (Content Addressable RAM).
Logically extends the cabling segment, but physically separates into separate collision domains.
RAM for storage usually holds 1024 addresses. Can be increased, but the maximum limit is vendor specific.

A list must be kept of what node addresses lie beyond a bridge port. The list can be lengthy. The number of addresses is vendor dependent, but usually starts with 1024.

Slide Title: Multiport Ethernet Bridges
Important Points to Cover:

As noted on the slide.

Page 5 - 5

Ethernet Bridges are Responsible For:



Flooding: If the destination address is unknown, or if it's a multicast/broadcast destination address, the bridge sends the frame out each port except the port on which the frame was received.
Learning: A bridge is promiscuous and sees every frame on the segments to which it is attached. By examining the source address in frames, a bridge learns which stations are on which side of it.
Forwarding: Once a bridge learns where stations are, it only sends a frame out the correct port to reach the destination station.
Filtering: If the destination and source addresses are on the same port, the bridge just drops the frame.
User Filtering: Allows a network manager to filter, based on protocols, addresses, packet type, etc., to increase the network's efficiency or add security measures.

The filtering function might seem so obvious it's not worth mentioning, but actually it is worth mentioning in order to compare a bridge to a repeater: a repeater repeats everything, even if the two stations communicating are on the same side of the repeater. Since a bridge looks at the data link header and learns the locations, it does not need to forward unnecessarily. The filtering rate advertised for a bridge is the number of frames per second on which the bridge can make forwarding/nonforwarding decisions. User filtering may employ a technique similar to the Sniffer analyzer's pattern match function, allowing some manufacturers to claim to filter on layer three protocol addresses, even though a bridge is a layer two device.

Slide Title: Ethernet Bridges Are Responsible For
Important Points to Cover:

Cover the slide points well.

Page 5 - 6

Store and Forward


[Figure: station A sends a frame with DA = B through a hub to a bridge. CRC good? If yes, then forward. CRC bad? If yes, throw frame away.]

Bridges are Store and Forward devices.
They must copy the entire frame and verify the CRC before forwarding.
If the CRC is good, the bridge will forward as it should.
If the CRC is bad, the bridge will discard the frame.
A higher layer protocol will time out and attempt retransmissions.

This technique requires the bridge to look at the entire frame before making a forwarding decision. A benefit of this feature is that the bridge can determine whether there is an error in the frame before making a forwarding decision. Error frames are removed from the network. A drawback is that the bridge will introduce latency (delay).

Slide Title: Store and Forward
Important Points to Cover:

This is now an animated build slide. Slide and notes are adequate to explain the concept. Review them.

Page 5 - 7

Bridge Data Flow


Flowchart steps:

1. Receive frame on Port x.
2. Read source address. MAC SA in table (MAC / Port / Age)? If no, enter into Port x table.
3. Read Dest MAC. Is it Bdcst? If yes, flood to all ports except x.
4. MAC DA in table (MAC / Port / Age)? If no, flood to all ports except x.
5. DA on Port x? If yes, discard frame. If no, forward frame on correct port.

All speeds of Ethernet follow this flowchart. Only the timing changes.
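The store-and-forward check and the flowchart decisions (learn, flood, filter, forward) can be traced in a small simulation. This is an added example, not code from the course material; the class and function names, the constructed MAC addresses and the 300-second aging default are assumptions, while the 1024-entry table size comes from the Multiport Ethernet Bridges slide.

```python
import struct
import zlib

BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_bytes(mac):
    return bytes(int(part, 16) for part in mac.split(":"))


def build_frame(dst, src, payload=b"\x00" * 46, corrupt=False):
    """DA + SA + type + payload + FCS (CRC-32, least significant byte first)."""
    body = mac_bytes(dst) + mac_bytes(src) + b"\x08\x00" + payload
    fcs = struct.pack("<I", zlib.crc32(body))
    if corrupt:   # damage one payload bit after the FCS was calculated
        body = body[:-1] + bytes([body[-1] ^ 0x01])
    return body + fcs


def fcs_ok(frame):
    return struct.pack("<I", zlib.crc32(frame[:-4])) == frame[-4:]


class LearningBridge:
    def __init__(self, ports, max_age=300, capacity=1024):
        self.ports = list(ports)
        self.max_age = max_age      # seconds before an entry is stale (assumed)
        self.capacity = capacity    # address table size quoted on the slide
        self.table = {}             # MAC (bytes) -> (port, time last seen)

    def receive(self, in_port, frame, now=0):
        """Return (action, list of output ports) for one received frame."""
        # Store and forward: the whole frame is in hand, so verify it first.
        if len(frame) < 64 or not fcs_ok(frame):
            return ("discard-bad-frame", [])
        dst, src = frame[0:6], frame[6:12]
        # Learning: record which port the source address was seen on.
        if src in self.table or len(self.table) < self.capacity:
            self.table[src] = (in_port, now)
        others = [p for p in self.ports if p != in_port]
        # Flooding: broadcast/multicast (group bit set) or unknown destination.
        if dst[0] & 0x01:
            return ("flood", others)
        entry = self.table.get(dst)
        if entry is None or now - entry[1] > self.max_age:
            self.table.pop(dst, None)
            return ("flood", others)
        # Filtering: destination is on the port the frame arrived on.
        if entry[0] == in_port:
            return ("filter", [])
        # Forwarding: send out only the port that reaches the destination.
        return ("forward", [entry[0]])


def demo():
    s1, s2, s3 = "02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:03"
    bridge = LearningBridge(ports=["A", "B", "C", "D"])
    return [
        bridge.receive("A", build_frame(s2, s1), now=0),          # s2 unknown
        bridge.receive("B", build_frame(s1, s2), now=1),          # s1 is on A
        bridge.receive("A", build_frame(s2, s1), now=2),          # s2 is on B
        bridge.receive("A", build_frame(s1, s3), now=3),          # both on A
        bridge.receive("B", build_frame(BROADCAST, s2), now=4),   # broadcast
        bridge.receive("B", build_frame(s1, s2, corrupt=True), now=5),
    ]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

A cut-through switch, as the Switches slide later notes, makes the same lookup after reading only the destination address, so the FCS check at the top of `receive` is the step it skips.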

Slide Title: Bridge Data Flow
Important Points to Cover:

New partially automated build slide. Click to reveal each step in the decision process as you discuss it.

Page 5 - 8

Bridging Loop
[Figure: bridges connected in a loop, each forwarding. Broadcast frames circle endlessly.]

Ethernet bridges are susceptible to loops.
The Spanning Tree Algorithm handles loops by disabling alternate routes.
All traffic flows toward the root bridge.
Bridges use Bridge Protocol Data Unit (BPDU) frames to negotiate a unique device-to-device path.

The picture above does not have Spanning Tree enabled. When Station A sends a broadcast frame, the frame can be forwarded by all bridges in a constant loop.

The Spanning Tree specification is defined in IEEE 802.1d. Topology loops can occur in a switched network just like a bridged network. Bridges are assigned an ID by the administrator (two byte field). The MAC address of the adapter is appended to the two byte ID, and the result becomes the Bridge Identifier. The lowest value Bridge Identifier becomes the Root bridge. The network manager configures a cost for each port on the bridge. For example, the cost for a T1 link could default to 100, while the cost for a 56 kbps line could default to 500. Costing information is exchanged with BPDU frames.

Slide Title: Bridging Loop
Important Points to Cover:

Broadcast frames will be forwarded continuously when Spanning Tree is not enabled. IEEE 802.1d is the specification covering Spanning Tree.

Page 5 - 9

Spanning Tree
Bridges in a mesh configuration use a cost metric to determine the best (cheapest) path.
The best path is used for forwarding. The other paths are backups and not used unless the best path fails.
One bridge is elected root.
All frames are directed towards the root.

[Figure: meshed bridges with a cost labeled on each link; paths are marked Best or Backup]

Many switches in meshed configurations use Spanning Tree to prevent loops. Anytime you see BPDUs in your traces, you'll know it is active. Many vendors have proprietary protocols that allow you to do load balancing in a mesh environment. If you are using one of these and see BPDUs, check to make sure Spanning Tree is not needed, then disable it on the bridge(s) sending the frames.

Slide Title: Spanning Tree
Important Points to Cover:

New Slide. You might want to mention here that switches frequently use Spanning Tree to maintain forwarding tables, to indicate the continued use of Spanning Tree and BPDU frames. Each bridge/switch has a unique identifier. Administrators can assign IDs to control which bridge/switch becomes the root of the tree. The administrator can control paths by assigning a high cost to an expensive, slow link used as a backup path and a low cost to a fast primary path. The fast primary path will be used until it fails. The bridges/switches exchange BPDU frames when a link fails to reconfigure the tree to cover the segment that's down. You need a good logical drawing of the bridged/switched segments to plan the best paths and assign costs appropriately.

Page 5 - 10

BPDU Frames
Sent by the bridge to neighbors to share configuration information.

[Figure: decoded BPDU frame with callouts for Multicast Dest. Address, Type of frame, Root Bridge, Link Cost, Source information, Timers]

The destination address is a functional address assigned to all bridges.
The source address is the address of the port sending the BPDU.
The Root ID in the frame is the bridge this one assumes is the root.
Sending bridge ID is the ID of the bridge sending this frame.
The cost is the least cost path to the root from this bridge.
Bridges build forwarding tables from the BPDU frames.

When a bridge receives a BPDU frame from its neighbor, it compares the message received from that port with what it would send out that port. It changes its table if it discovers a better route and stops sending configuration messages on that LAN. If the message age reaches a certain threshold, the message is considered stale and the bridge recalculates the best route as if it had not received the message.

For a detailed explanation of the Spanning Tree algorithm, see Section 3 in Interconnections, Bridges and Routers, Radia Perlman, Addison Wesley, 1992, ISBN 0-201-56332-0.
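As an added illustration (not from the course material), the sketch below builds and parses a configuration BPDU, elects the root from Bridge Identifiers, and applies the "better message" comparison and the stale-message check described above. The field layout follows IEEE 802.1D; the function names, MAC addresses, priorities and port numbers are constructed, and the costs reuse the T1 (100) and 56 kbps (500) defaults quoted in the Bridging Loop notes.

```python
import struct
from collections import namedtuple

STP_GROUP_MAC = bytes.fromhex("0180c2000000")   # address assigned to all bridges
LLC_STP = bytes.fromhex("424203")               # DSAP 0x42, SSAP 0x42, UI control
BPDU_FORMAT = "!HBBB8sI8sH4H"                   # 35-byte configuration BPDU

Bpdu = namedtuple("Bpdu", "src_mac root_id root_cost bridge_id port_id "
                          "message_age max_age hello forward_delay")


def bridge_id(priority, mac):
    """Two-byte administrator-assigned ID with the adapter MAC appended."""
    return struct.pack("!H", priority) + bytes.fromhex(mac.replace(":", ""))


def fmt_id(bid):
    priority = struct.unpack("!H", bid[:2])[0]
    return "%d/%s" % (priority, ":".join("%02x" % b for b in bid[2:]))


def build_config_bpdu(src_mac, root, cost, sender, port,
                      age=0.0, max_age=20.0, hello=2.0, fwd=15.0):
    timers = [int(t * 256) for t in (age, max_age, hello, fwd)]  # 1/256 s units
    bpdu = struct.pack(BPDU_FORMAT, 0, 0, 0x00, 0, root, cost, sender, port, *timers)
    payload = LLC_STP + bpdu
    src = bytes.fromhex(src_mac.replace(":", ""))
    return STP_GROUP_MAC + src + struct.pack("!H", len(payload)) + payload


def parse_config_bpdu(frame):
    if frame[0:6] != STP_GROUP_MAC or frame[14:17] != LLC_STP:
        raise ValueError("not a Spanning Tree BPDU")
    (proto, _version, btype, _flags, root, cost, sender, port,
     age, max_age, hello, fwd) = struct.unpack(BPDU_FORMAT, frame[17:52])
    if proto != 0 or btype != 0x00:
        raise ValueError("not a configuration BPDU")
    return Bpdu(frame[6:12], root, cost, sender, port,
                age / 256, max_age / 256, hello / 256, fwd / 256)


def elect_root(bridge_ids):
    """The lowest Bridge Identifier becomes the root."""
    return min(bridge_ids)


def is_superior(received, own):
    """True when the received message beats what this bridge would send."""
    def vector(b):
        return (b.root_id, b.root_cost, b.bridge_id, b.port_id)
    return vector(received) < vector(own)


def is_stale(bpdu):
    return bpdu.message_age >= bpdu.max_age


def unexpected_root(bpdu, expected_root_id):
    """Monitoring check: does the trace show a root other than the planned one?"""
    return bpdu.root_id != expected_root_id


def demo():
    b1 = bridge_id(32768, "02:00:00:00:00:0a")
    b2 = bridge_id(32768, "02:00:00:00:00:05")
    b3 = bridge_id(4096, "02:00:00:00:00:ff")   # lowest two-byte ID wins
    root = elect_root([b1, b2, b3])
    # b2 advertises a cost-100 path to the root; b1 would advertise cost 500.
    frame = build_config_bpdu("02:00:00:00:00:05", root, 100, b2, 0x8001, age=1.0)
    received = parse_config_bpdu(frame)
    own = Bpdu(None, root, 500, b1, 0x8002, 0.0, 20.0, 2.0, 15.0)
    return fmt_id(root), received, is_superior(received, own)


if __name__ == "__main__":
    print(demo())
```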

Slide Title: BPDU Frames
Important Points to Cover:

New Slide. Cover only the basics in this class. TNV-315 Interconnection Concepts and Troubleshooting will teach the specifications and structure of the BPDU frames in detail. There is no time for it here.

Page 5 - 11

Capturing in a Bridged Environment


[Figure: Nodes A, B and C and the Sniffer Pro on one hub; Nodes D, E and F on a second hub on the other side of the bridge. Legend: Frames seen by Sniffer Pro]

The Sniffer Pro Network Analyzer will:
See frames going between Nodes A, B and C.
See traffic bridged between the two networks.
Not see frames going between Nodes D, E and F.

At the data link layer, the source and destination addresses will be the end nodes' addresses. You will not see the bridges' addresses. Example: Node A is communicating with Node D via a bridge. The Sniffer Pro Network Analyzer will show Node A and Node D's Ethernet addresses.

Slide Title: Capturing in a Bridged Environment
Important Points to Cover:

New Slide. (Actually a resurrection of the slides we always included in this class, updated to star wiring.) You might want to mention the bridge could actually be a switch.

Page 5 - 12

Exercise: Short Circuited Bridges (Optional)


Turn to the lab section to complete this exercise

Slide Title: Exercise: Short Circuited Bridges (Optional)


This exercise is optional due to the time constraints of the class. Since the Spanning Tree discussion has been expanded again, you may not want to skip this exercise. Fit it in, as you are able.

Page 5 - 13

Exercise: Short Circuited Bridges


[Figure: bridges joined by two 192 Kb links, with a Sniffer Pro analyzer attached]

Slide Title: Exercise: Short Circuited Bridges (Diagram)


If you are questioned about the small delta times that appear in this trace file, you may want to work through the following math with the students. For this discussion, label the bridges 1-4 starting in the upper left-hand corner and continue on clockwise.

Time to transmit a minimum length Ethernet frame across the 192 Kb link:

    Minimum frame          =   512 bits
    Preamble               = +  64 bits
                             ==========
    Total bits transmitted =   576 bits

    576 bits / 19,200 bits/second = .03 seconds

Time to transmit one frame on an Ethernet where 1 bit = 1/10,000,000 Seconds = .000001 Seconds = 1 microsecond. Therefore to transmit 576 bits takes 576 microseconds (.000576 Seconds or roughly half a millisecond).

Assume the propagation delay across the Ethernet or WAN link is 0. We can assume this because the network as shown is symmetrical.

TIME LINE

Station on left sends ARP.
Assume within 576 microseconds Bridge 1 and Bridge 4 receive the frame.
.03 seconds later Bridge 1 has transmitted the frame to Bridge 2. During the same time period Bridge 4 to Bridge 3.
Either Bridge 2 or Bridge 3 will be able to access the Ethernet media on the right. Assume Bridge 2 puts the frame out. (For argument's sake, let's say this is the ARP Frame 1 we see on the Sniffer.)
Within 576 microseconds, Bridge 3 is receiving the frame Bridge 2 transmitted.
Bridge 3 begins transmitting Frame 1 back towards Bridge 4.
Bridge 3 begins transmitting its frame out on to the Ethernet (Frame 2 on the Sniffer).
Bridge 2 receives Frame 2 after 576 microseconds. During which time, Bridge 4 begins putting Frame 1 onto the left Ethernet segment.
Bridge 2 will transmit the frame back toward Bridge 1 and then the process continues...

Page 5 - 14

Switches
Slide Title: Switches
Important Points to Cover:

Title slide only.

Page 5 - 15

Switches
Switches are similar to bridges and do these actions:
Learn which addresses are available at each port
Maintain lookup tables by port (as bridges do)
Look at the destination address and forward immediately if possible
Switch packets between ports
Switching fabric maintains multiple, simultaneous conversations on different ports (unlike bridges)
Provide full bandwidth at each port
Do not verify the validity of the CRC (unlike bridges)

Most switch vendors implement Spanning Tree Algorithm

A switch connects LAN segments like a hub does, but unlike a hub, which divides the bandwidth among all attached segments, a switch provides full bandwidth at each port. A port can be dedicated to a single file server, for example. Like a bridge, a switch learns which addresses are available at each port. Unlike a bridge, when forwarding a packet a switch may look at just the destination address, instead of the whole packet, and forward immediately if possible. If the destination segment is busy, the frame is queued in a buffer, just like a bridge, until the destination segment is free. Usually the destination segment is not busy. Packets are processed in parallel by very fast hardware. One vendor claims a switching delay of only 40 microseconds, which they measure as the time between the first bit of a packet received and the first bit of the packet sent.

Some switches support software configuration to specify which ports can talk to which ports, sort of an electronically controlled patch panel. It really is hard to compare switches, especially because they have very different architectures and because vendors are getting very creative in combining the functions of layer 1, layer 2 and layer 3 relays. The late 1990s started major innovations in this area.

Issues with using switches instead of bridges or routers include:
1. A switch may forward a bad CRC and a runt that has a destination address.
2. Switches will not isolate broadcast storms. They often cannot be set up for protocol filtering. They generally won't do fragmentation and re-assembly.
3. Using the switch's electronically controlled patch panel feature sounds great, but could wreak havoc with IP addressing and subnet mask schemes.
Slide Title: Switches
Important Points to Cover:

Vendors are doing many things to improve the performance of their products. Read the fine print! Will it work with what you have?

Page 5 - 16

Switched Networking
Switched networking provides a simple solution to existing networks suffering from traffic congestion.
In Ethernet environments, each switch port is a separate collision domain.
Switches allow you to micro-segment.
Some switches provide monitor ports to attach a Sniffer Pro.
Switches are not governed by standards, so a combination of vendor switches is difficult. There are many proprietary implementations.

Microsegmentation means that there is only one device at each switch port, rather than a shared LAN on a port as in a segmented network. The overall benefit of switching is that multiple conversations can occur simultaneously on a single switched hub, providing the user or segment with almost dedicated bandwidth. Switching extends the life of existing legacy LAN networks, provides increased performance without replacing the existing wiring plant, and increases network throughput, reducing response times. Switches are a small cost when compared to other alternatives. Switches are plug and play and easy to implement, but much pre-planning is required. As an example, if your bandwidth is being eaten up by DLC layer broadcasts, a switch will not improve the condition. Traffic is aggregated on the backplane of the switch. This backplane should be between 1.5 - 10 Gbps, with recent announcements for 85 Gbps backplanes.

Slide Title: Switched Networking
Important Points to Cover:

Slide and notes points.

Page 5 - 17

Basic LAN Switching Defined


A switch allows dedicated communications paths to be rapidly built and torn down between multiple sources and destinations.
The total aggregate bandwidth goes up with switch technology.
A 12 port switch can support six simultaneous conversations.

[Figure: servers and workstations attached to a switch]

A switch allows devices or segments to have a unique dedicated path to each other. The path is active for the duration of the frame, then is broken down and made available for the next frame. Each port on a switch is, in effect, a separate collision domain or ring. Switches can act like fast bridges, they are layer 2 devices. But some vendors are adding layer 3 functions to switches, like the ability to route IP and IPX. In 12 port switches, backplane speed needs to equal six times the individual wire speeds of the ports. Similar ratios apply to other size switches. The VLAN concept, by which you can logically group switch ports, is growing in acceptance. VLAN schemes are proprietary to the different vendors. A VLAN generally divides your network into broadcast domains. VLAN is popular in today's dynamic environment where Tiger Teams are created across departmental lines to address a particular problem or project and then disbanded once that problem or project has been resolved.

Slide Title: Basic LAN Switching Defined
Important Points to Cover:

Collisions are in switched environments. Each pair of communicating devices has the entire bandwidth (in this case 10 Mbps) for their frame. The path is active for the duration of the frame only. It is torn down after each frame has been transmitted. Each port is a separate collision domain. The Virtual LAN (VLAN) concept allows the administrator to group ports through software for workgroup segmentation. A bullet and student note was added that addresses the issues of the speed of the switching fabric.

Many switches implement Spanning Tree to avoid topology loops where broadcast frames circulate endlessly. Other manufacturers use proprietary methods to avoid loops. A switch should have a very low PLR or Packet Loss Rate. It can have congestion control, where a switch will slow things down if ports become overloaded. Switching times may degrade noticeably, but at least you wont lose any packets which will cause retransmissions. For switches without active congestion control, the ability to handle 100 to 300 back-to-back, min. and max. size frames pretty much assures negligible packet loss no matter what the traffic pattern. Switches that can buffer more than 100 1518 byte packets are considered very robust.

Page 5 - 18

Capturing in a Switched Environment


5-19

SnifferPro sees only broadcast traffic plus... (vendor dependent)

[Diagram labels: Node A; Node B; Node C; Node D; Node E; Node F]

The Sniffer Pro Network Analyzer sees different things based on the switch technology and how the switch has been set up. At the data link layer, the source and destination addresses will be the end nodes' addresses. You will not see the switch's addresses. Switch vendors have provided various mechanisms for network analysis tools to evaluate network traffic and conversations.

Slide Title: Capturing in a Switched Environment

Important Points to Cover:

What you see is what the vendor allows you to see. Addresses are like the addresses in a bridged environment. DLC addresses are those of the end stations.

Page 5 - 19

Seeing the Frames


5-20

Switch sends all traffic to a monitor port
Switch sends selected port or VLAN traffic to a monitor port

[Diagram labels: SnifferPro; SnifferPro]

Tapping the backplane of the switch does not limit the traffic sent to the monitor port. You will get all traffic that occurs on any port in the hub. This may present problems due to high utilization on the monitor port. It will work well when overall use of the switch is low, but if several users of the switch are demanding high amounts of bandwidth individually, their combined traffic may be greater than the switch can process through a single monitor port. You will most likely lose packets. A port tap limits traffic seen to just what happens on that one port.

Slide Title: Seeing the Frames

Important Points to Cover:

Several separate slides are now combined so you can cover them quickly and compare them more easily.

All traffic to a Monitor Port (This is not an industry-standard label for this port.)

Issues:

Is the port able to handle the aggregate bandwidth of the backplane?
Is the Sniffer Pro analyzer able to handle the aggregate bandwidth of the backplane?
You can't just put a Fast Ethernet Sniffer Pro analyzer here. The signals and timing are different in Fast Ethernet.
You'll need to set a capture filter to focus on the traffic that will help you solve the problem.
Station address filter
Address class filter
Protocol filter
Gives a very limited view of just one station's traffic.

Selected port or VLAN traffic to a monitor port

But if the port can't deliver it, you still can't capture it.

Page 5 - 20

Seeing the Frames Continued


5-21

Attach a shared media hub between a server and the port to see all server traffic
Install a matrix switch to view several segments

[Diagram labels: Switched Media Hub; Shared Media Hub (mini-hub); Shared Media Hubs; Server; SnifferPro; Workstations; Server Transport Card; DSS/RMON Agent; Matrix Switch; Monitor Card]

The hub should be attached when the server is inactive, and left in place to enable real-time monitoring. There are several inexpensive mini-hubs on the market. This is a very easy solution to implement and, in some environments, a very effective solution. For example, when there are only a couple of servers in a server-client environment, everyone will be talking to those servers, therefore you're actually getting all traffic on the switch by just monitoring the servers' ports. This also works well with unsophisticated switches that do not have a built-in monitor port.

Several companies make matrix switches. Portable Sniffer Pro Network Analyzers can also be used in place of the DSS/RMON. If you are using a DSS/RMON Agent, you should use a Network Associates supported switch like the DataComm switch. There are several advantages to using a Network Associates supported switch. Remember, though, you can only monitor one port at a time.

Adding the hub may change the timing characteristics of the segment and may introduce its own set of errors if you exceed the collision domain. Be sure you are not introducing a repeater into a full-duplex link by mistake.

Slide Title: Seeing the Frames (Continued)

Important Points to Cover:

Permanently install minihubs in the line to your servers. Allows you to see all the traffic to and from the server. Permanently install a minihub in the line to your bridges and routers. Allows you to see all traffic directed to or from them. SniffView allows you to switch the DS Pro Agent into multiple segments so you can monitor the conversations to multiple servers (or routers) one at a time. There are several vendors that supply switches from DS Pro. Some of them can be controlled directly with SniffView. We also sell DSS/RMON Multiview, which is a DS Pro in a matrix switch. There are several models that can attach into a combination of Ethernet and other topologies.

Page 5 - 21

Switch Control and Expert


5-22

Switch control allows you to access supported switches and span one port or VLAN to a monitor port
Two adapters are required to span a port
The configuration adapter sends SNMP signals to the switch's IP address to control the switch and retrieve MIB data
Attach to the switch control port
The monitor adapter does the assigned Sniffer tasks
Attach to the mirrored port
One adapter is enough if you just want MIB data

[Diagram labels: Monitor adapter; Frames; Switch; SPAN Port; Port or VLAN; Configuration adapter; SNMP Commands]

Sniffer Pro version 4.0 switch expert supports:

Cisco models (* = this version or newer):
2900 v.4.5(2)
2916XL v11.2(8)SA5*
2924(M)XL v12.0(5.1)XP*
2926 v4.5(2)
5000 v4.5(2)*
5002 v4.5(2)*
5500 v4.5(2)*
5505 v4.5(2)*
5509 v4.5(2)*
6000 v5.4(1)*
6002 v5.4(1)*
6500 v5.4(1)*
6509 v5.4(1)*

Nortel models:
Baystack 450 v HW:RevB, FW:V1.04, SW:V1.1.0

Not all features are supported. Contact NAI tech support for specific issues.

SPAN (Switched Port ANalyzer) is a proprietary Cisco protocol used to mirror traffic from a port or VLAN to a monitor port. If you have just one adapter in your Sniffer, it must have TCP/IP bound to it so it can connect to the switch to control it. It is connected to the switch control port which cannot be a monitor port. You would need to stop Sniffer Pro and reconnect it into the monitor port and restart it as a Sniffer to sniff the monitor port. You then would not be able to control the switch or see the MIB data.

Mirroring places a heavy load on the switch. Be sure to disable it when you have completed your analysis or capture! The TNV-201-DSP and TNV-315-GUI classes have more information on switch control and Expert.
Slide Title: Switch Control and Expert

Important Points to Cover:

New Slide. Unfortunately we just don't have time to delve into this in this class. You also need a switch to demonstrate all the functions of this feature. It is covered in detail in the TNV-201-DSP class. That class has a switch, so all of the MIB and control screens can be demonstrated. It will also be shown in the Advanced TNV-102-GUI class being written.

The basics:
You can get all the MIB data from the switch and see it in the Sniffer windows.
You can use these MIB screens to mirror a port or VLAN to the port where the Sniffer is attached. (VLAN mirroring is not supported for all switch models.)
You can do all the Sniffer functions on the mirror port, i.e. start Monitor screens, capture, set triggers, etc.

Try to attend a TNV-210-DSP class to see this in action so you can discuss it better. You need the second card only if you want to do the Sniffer functions. You can get the MIB data with a single adapter. You cannot use a single card to send the SNMP commands to the switch to control it AND then turn around and sniff using the same card. Port mirroring (or SPAN) puts a big load on the switch. DO NOT leave it enabled constantly. Turn the mirroring off when you are done!

Page 5 - 22

Switch Frames
5-23

Once you get the frames from the switch, they look just like any other Ethernet frame
Expert shows symptoms and diagnoses plus valuable VLAN information
Use the skills you've gained here to determine where problems lie

Slide Title: Switch Frames

Important Points to Cover:

New Slide. The main difference in the Sniffer screens is the VLAN information in the Expert. The students will see that in the VLAN section. Any VLAN symptoms and diagnoses will be labeled in the Summary display. You can filter from the Expert's VLAN symptoms and diagnoses. You can get the switch MIB statistics on adapter and VLAN MIB counts that can be very helpful.

Page 5 - 23

Switch Performance
5-24

Switches are often faster than bridges
They segment collision domains
Cut Through switches are fastest
They read only the destination address and forward to a new or established port
They provide the least amount of data integrity (they only verify the destination MAC address)
Some switches offer FFCT (fragment-free cut-through) mode
Only frames at least 64 bytes in size are forwarded
Switch latency increases the further into a frame the switch checks for data integrity
Switches forward damaged frames if damage occurs past their check point

Slide Title: Switch Performance

Important Points to Cover:

Slide is adequate.

Page 5 - 24

Exercise: Busy Jam


5-25

Turn to the lab section to complete this exercise

Slide Title: Exercise: Busy Jam

Page 5 - 25

Exercise: Busy Jam Diagram


5-26

[Diagram labels: Switch; Sniffer Pro analyzer; Hub; 10 Mbps; Server; Client Stations]

Slide Title: Exercise: Busy Jam Diagram


Network Diagram

Page 5 - 26

5-27

Virtual LANs (VLANs)


Slide Title: Virtual LANs (VLANs)

Important Points to Cover:

New Section - New title Slide.

Page 5 - 27

VLANs
5-28

Many switches allow you to set up virtual LANs
A VLAN is roughly a broadcast domain
Stations in different physical locations can communicate as if they were on a common LAN
Some manufacturers allow you to place ports on more than one switch in a VLAN
There are many vendor-specific implementations

[Diagram labels: HR VLAN; Exec VLAN; Finance VLAN; 1st Floor; 2nd Floor; 3rd Floor]

Port configurations aggregate stations based on the port where they are attached. This was the first implementation of VLAN groups. It is a good way to isolate groups using non-routable protocols.

Protocol-based VLANs group stations based on their protocol type or layer 3 address. The switches use standard routing protocols to communicate with routers, but all traffic in the VLAN is switched.

MAC address-based VLANs group stations based on their MAC address. This is useful when you have laptop users who carry them around and attach their PCMCIA cards in different locations. Problems arise when they dock these laptops and use the docking station's NIC card, or when software overwrites the MAC address.

IP Multicast address groups segregate the multicast traffic and send only to those devices that are in the VLAN. This extends beyond the normal network maintenance address types for routing and bridging support to specialized applications like broadcast audio or video data.

802.1Q VLAN tagged frames is a new IEEE standard that uses an additional header in the frames between the switches that identifies the VLAN.

Since many of the mechanisms are vendor-specific, you should try to buy all your switches from one vendor or only use switches that support the 802.1Q standard.
Slide Title: VLANs

Important Points to Cover:

New Slide. VLANs have been around for a long time and most students will have basic knowledge about them. What they may not know is how their traffic looks on the wire. Emphasize the broadcast domains. See, the stuff we taught in the technology section hasn't gone away! VLANs provide a way to logically link devices in different layer 1-2 physical network segments into a logical layer-three network segment.

Page 5 - 28

VLAN Grouping Techniques


5-29

Port
Assign each port to a particular VLAN
Quick and simple, moves require reconfiguration

Protocol (Layer 3 grouping)
Groups all devices with the same protocol - isolates protocol-specific broadcasts
Stations with multiple protocols belong to multiple VLANs
Router required between different protocols and IP subnet VLANs

MAC address
Assign each NIC to a particular VLAN
Good for laptops that move around

IP Multicast Address
Proxy address for a group of devices

Slide Title: VLAN Grouping Techniques

Important Points to Cover:

New Slide. Quickly review the ways vendors implement VLANs.

Page 5 - 29

VLAN Tagging
5-30

When devices are spread across several physical segments, there needs to be a way to quickly send them to the proper switch
Cisco developed a proprietary protocol called Interswitch Link Protocol (ISL) which added a few bytes or tag at the beginning of the frame
The tag identifies the VLAN
This eliminated the need to do a table lookup for each frame - just send them to the right port
The IEEE modified this for the 802.1Q specification

Slide Title: VLAN Tagging

Important Points to Cover:

New Slide. This is just a page to introduce the reason for tags and the VLAN tagging methods.

Page 5 - 30

Interswitch Link (ISL) Protocol


5-31

The Grandfather of the IEEE 802.1Q tagging standard
A proprietary Cisco protocol developed to support trunks between Cisco switches
Tags added to the frames between the switches include a VLAN group identifier to route them to the proper VLAN
Several other vendors licensed ISL
3Com used VLT frame tagging method

Slide Title: Interswitch Link (ISL) Protocol

Important Points to Cover:

New Slide. This is a Cisco vendor proprietary protocol. Other vendors licensed it. Tags are carried on the trunk links between Cisco Switches. We can see them and decode them on frames captured on these links.

Page 5 - 31

Cisco ISL Frame Tags


5-32

[Screen capture callouts: Ethernet frame is attached after the 26 byte ISL Header; VLAN identifier]

Inter Switch Link (ISL) protocol was developed by Cisco and has been incorporated into the 802.1Q standard. ISL adds a 10 bit address to every frame as it enters the switch fabric. The frame is forwarded only to switches and interconnected links with the same 10 bit address. This tag is removed before the frame is forwarded to the end station or switch outside the VLAN.

Slide Title: Cisco ISL Frame Tags

Important Points to Cover:

New Slide. This screen capture was taken from VLANprob.caz frame 1. The students will use it in the exercise at the end of this section. Don't go into details of this protocol. Let Cisco teach that in their classes!

Page 5 - 32

Cisco ISL Expert Information


5-33

VLAN information shown at the Global Layer
VLAN list in the Detail Tree
Statistics and details in the Expert Detail panel

Slide Title: Expert Cisco ISL Information

Important Points to Cover:

New Slide. This screen capture was taken from VLANprob2.cap Expert view with the Global symptoms highlighted. Explore more of the Expert information with the students.

Page 5 - 33

802.1Q VLAN Standard


5-34

The 802.1Q standard is based on the 802.10 standard
802.10 is the Interoperable LAN/MAN Security (SILS) standard which defines a single Protocol Data Unit (PDU) with an 802.10 header inserted between the MAC header and the frame data for secure transmission of data
802.1Q uses frame tagging to carry VLAN membership information across multiple multivendor devices
The security header from 802.10 is modified to support VLAN tagging
Tags allow frames to be forwarded quickly to other switches within the VLAN
Routers are required to forward frames between VLANs
Can be internal to the switch or external one-armed routers
Vendor proprietary implementations are still also used
This creates vendor interoperability problems

Several issues need to be addressed when implementing VLANs:

Management: Even though most vendors use management software to create the VLANs and move ports into the VLAN, there is an issue of keeping up with all the moves (though this is certainly easier than moving cable to keep a person in the same network segment!). People also may feel isolated when they are moved out of the area where their co-workers are.

80/20 Rule: It is difficult to maintain the 80/20 rule where 80% of the traffic remains local and 20% goes outside the area and through a router.

Shared resources like servers and printers need to be managed so people in a different VLAN can print to the local printer and access their server. You may choose to put these devices into more than one VLAN so all who need them can access them.

Slide Title: 802.1Q VLAN Standard

Important Points to Cover:

New Slide. This is the IEEE standard for VLAN tagging. The headers are different. Highlight the last bullet. All the switches in the VLAN must support the same tagging method or frames will not get where they need to go!

Page 5 - 34

802.1Q VLAN Headers


5-35

Fits between the Source MAC address and Type/Length field of the MAC header of the Ethernet frame

[Frame layout: MAC D & S | Type 8100 (2 bytes) | Tag Control: User Priority, Tunnel Type, VLAN ID (2 bytes) | MAC Type/Length | Data]

Tag Protocol Type field identifies the 802.1Q header
Tag Control field has three fields:
3 bits user priority
1 bit tunnel type i.e. Ethernet or Token Ring
12 bit VLAN ID

The 802.1Q standard works hand in hand with the 802.1P standard for assigning priority levels to frames. You may see it called 802.1 Q/p in some publications. The user priority field allows applications that require guaranteed bandwidth to be delivered before applications that are not time-sensitive. 3 bits allow for 8 different priority levels. The switches must maintain internal queues for each priority. Incoming frames are placed in the queue for the priority in the field and the highest priority frames are transmitted out before the lower priority frames. This enables lower cost Ethernet installations to compete with the high-maintenance and high-cost ATM networks that provide robust Quality of Service guarantees.

Keep in mind that this is priority done at layer 2. RSVP at the network layer in the stack needs to inform layer 2 to set the priority bits to match the level of the data being sent. To have end-to-end priority, all devices in the intervening path must recognize the priority levels at both layers.

The 802.3ac standard has extended the maximum frame size to 1522 bytes to allow for these 4 additional bytes.

Slide Title: 802.1Q VLAN Headers

Important Points to Cover:

New Slide. This shows a breakout of the fields in the tag to prepare them for what the Sniffer shows. Point out that the tag comes in the MAC header! This was very confusing when I first viewed these frames. I wanted to put the Type/Length field in with the tag, because the Sniffer puts it there without identifying that it is part of the DLC header. The number of bytes in the spec didn't match what I saw in the frames that way. The destination and source addresses come first, then the tag, then the MAC type or length field.
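The field order described above (destination and source addresses, then the tag, then the MAC Type/Length field) can be checked with a short decoder. This is an added Python example, not part of the course material or of the Sniffer software; the function names and the sample frames are constructed for illustration, frame bytes are assumed to exclude the 4-byte FCS, and the 1-bit field the slide calls "tunnel type" is named cfi here (Canonical Format Indicator).

```python
import struct

TPID_8021Q = 0x8100   # Tag Protocol Type value the slide gives for Ethernet
MAX_UNTAGGED = 1514   # largest untagged frame as captured (FCS excluded, assumption)
MAX_TAGGED = 1518     # 4-byte tag raises the limit (1522 on the wire with FCS)


def mac_str(raw: bytes) -> str:
    """Format six raw bytes as a colon-separated MAC address."""
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame(frame: bytes) -> dict:
    """Decode the MAC header of a captured frame, tagged or untagged."""
    if len(frame) < 14:
        raise ValueError("truncated frame: MAC header needs 14 bytes")
    info = {
        "dst": mac_str(frame[0:6]),
        "src": mac_str(frame[6:12]),
        "tagged": False,
        "priority": None,
        "cfi": None,
        "vlan_id": None,
    }
    # Bytes 12-13 are either the real Type/Length or the 802.1Q tag type.
    (field,) = struct.unpack("!H", frame[12:14])
    offset = 14
    if field == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated frame: tag plus Type/Length needs 18 bytes")
        # Tag Control (2 bytes) is followed by the original Type/Length field.
        tci, field = struct.unpack("!HH", frame[14:18])
        info["tagged"] = True
        info["priority"] = tci >> 13       # 3 bits user priority
        info["cfi"] = (tci >> 12) & 0x1    # 1 bit, "tunnel type" on the slide
        info["vlan_id"] = tci & 0x0FFF     # 12 bit VLAN ID
        offset = 18
    info["type_or_length"] = field
    if field <= 1500:
        info["kind"] = "length"            # 802.3 length field
    elif field >= 0x0600:
        info["kind"] = "type"              # Ethernet II type field
    else:
        info["kind"] = "undefined"
    info["payload_offset"] = offset
    # A tagged frame may be 4 bytes longer before it counts as oversize.
    limit = MAX_TAGGED if info["tagged"] else MAX_UNTAGGED
    info["oversize"] = len(frame) > limit
    return info


def build_frame(dst, src, ethertype, payload, vlan_id=None, priority=0, cfi=0):
    """Construct a sample frame for testing (constructed data, FCS omitted)."""
    header = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vlan_id is not None:
        if not 0 <= vlan_id <= 0x0FFF or not 0 <= priority <= 7 or cfi not in (0, 1):
            raise ValueError("tag field out of range")
        tci = (priority << 13) | (cfi << 12) | vlan_id
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload


# Constructed sample frames using locally administered addresses.
DST, SRC = "02:00:00:00:00:02", "02:00:00:00:00:01"
SAMPLE_TAGGED = build_frame(DST, SRC, 0x0800, bytes(46), vlan_id=100, priority=5)
SAMPLE_UNTAGGED = build_frame(DST, SRC, 0x0800, bytes(46))

if __name__ == "__main__":
    for name, frame in (("tagged", SAMPLE_TAGGED), ("untagged", SAMPLE_UNTAGGED)):
        print(name, parse_frame(frame))
```

The oversize check mirrors the behaviour the guide describes for maximum-size tagged frames: 1518 captured bytes is acceptable only when the 8100 type is present.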

Page 5 - 35

802.1Q Header
5-36

[Screen capture callouts: Ethernet frame is encapsulated inside the 802.1Q Header; VLAN identifier]

Maximum length frames grow to 1518 bytes
Sniffer does not capture the last 4 bytes of the frame
No CRC error is posted

The tag Protocol Type is used for FDDI, Token Ring and SNAP encoded fields. Ethernet sets this to 8100.

Slide Title: 802.1Q Header

Important Points to Cover:

New Slide. Hey, the Ethernet maximum frame size has been exceeded! If a max size Ethernet frame is encapsulated in a tagged frame, it is 1518 bytes. The Sniffer knows this is OK when it sees the 8100 Type field and it doesn't post an oversize symptom or count it as bad. It does indicate only the first 1514 bytes were captured in the Detail window. That shouldn't create problems for us, since it still has almost the entire frame, certainly enough to get through all the ULP layers to see if there are problems there.

BTW, a question has been raised about how the Sniffer handles the max size Ethernet frames captured by a pod. Remember it encapsulates them in Ethernet frames to send them to the PC. The pod transparently fragments these oversize frames and the PC reassembles them in the driver software before they are sent up the stack for analysis.

Page 5 - 36

Expert 802.1Q Information


5-37

VLAN information is shown at the Global layer
Symptoms and diagnoses break out stations in the VLAN

[Screen capture callouts: 8021Q Protocol in use; VLAN numbers and switch MAC addresses; VLAN Info]

Slide Title: Expert 802.1Q Information

Important Points to Cover:

New Slide. You might want to demonstrate this on your Sniffer using the 8021q.cap trace file the students will use for their exercise. If time is running short, give them the details and skip the exercise. If you're doing OK, cover it very briefly here and let them discover the details on their own in the exercise. There is another 8021q-gig.cap trace that shows this information captured from a gigabit Sniffer. Point out the [A] and [B] in the status column and show the Statistics tab where 1000 is the line speed. This was a serendipity trace I found just before press time.

Page 5 - 37

VLAN Frames
5-38

Sniffer sees VLAN headers only between switches that support them
Tap into the trunk link or mirror the trunk port to the Sniffer port with Switch control

[Diagram labels: HR VLAN; Exec VLAN; Finance VLAN; 1st Floor; 2nd Floor; 3rd Floor]

More details on the switch Expert are available in these Sniffer University classes:
TNV-101-GUI, Troubleshooting with the Sniffer Pro Analyzer
TNV-201-DSP, Implementing Distributed Sniffer System/RMON Pro
TNV-315-GUI, Interconnection Concepts and Troubleshooting

Slide Title: VLAN Frames

Important Points to Cover:

New Slide. This is just a visual reminder you will see these only if you tap into the trunk link either physically or by spanning the trunk port to the Sniffer. This is risky!

Page 5 - 38

Optional Exercise: Switch Traffic


5-39

Turn to the lab section to complete this exercise

Slide Title: Optional Exercise: Switch Traffic

Important Points to Cover:

New Exercise. The students will observe several types of traffic in a switched environment. They will look at typical switch-related protocols and the different VLAN tagging encapsulation methods. This is a great exercise to satisfy the students who came to see switch troubleshooting. Try to allow time to do it so they feel good about at least seeing the Expert part of switch analysis and see the frame tagging. They won't see the MIB data or be able to do a SPAN, but this will help.

Page 5 - 39

Summary
5-40

In this section, you learned how to:
Differentiate between bridging and switching on a conceptual level
Attach Sniffer Pro to bridged and switched networks
View VLAN identifying information in tagged frames
Use Sniffer Pro to identify common problems associated with bridges and switches

Slide Title: Summary


Important Points to Cover:

Wrap up the section by reviewing the objectives and answering any questions the students may have.

Target Time: Day 2 early afternoon. This is a good place for a break if you haven't already done so.

Page 5 - 40

6-1

100 Mbps Fast Ethernet


Ethernet Network Analysis and Troubleshooting Fast Ethernet

Section 6 TNV-202-GUI

Ethernet Network Analysis and Troubleshooting

Slide Title: 100Mbps Fast Ethernet

Section Timing: Section 6 Start: Day 2 Mid-afternoon Finish: Day 2 Approx. 3:00

Important Points to Cover:

Section 6 title slide only.

Files: 06_fe_g.PPT, 06_fe_g.DOC

Traces: 100MBFIL.CAP, BACKPRES.CAP, BACKPRES1.CAP, Big_bad_rich.caz

Exercises: Fast Ethernet Troubleshooting and Back Pressure Fast Ethernet Problems 10/100 Hubs

The former three-part section covering all the fast technologies has been split into sections for each. Please allow enough time to present it if the class is interested. By now, they have seen Fast Ethernet several times, so this section can be taught very quickly. Have the students do the exercises if possible. The first shows various different vendor implementations of back pressure. The second is a filtered trace and shows lots of hub jams and collisions.

References:
Fast Ethernet: Dawn of a New Network by Howard W. Johnson, 1996, Prentice Hall Publishing, ISBN 0-13-352643-7
Switched, Fast and Gigabit Ethernet 3rd Edition by Robert Breyer and Sean Riley, 1999, Macmillan Technical Publishing, ISBN 1-57870-073-6

Page 6 - 1

Section Objectives
6-2

Upon completion of this section, you will be able to:
Summarize the features of Fast Ethernet
Summarize 100BASE-T4, 100BASE-TX, and 100BASE-FX implementations
Recognize back pressure frames in a trace
Attach Sniffer Pro to your Fast Ethernet networks
Use the Sniffer Pro statistics and decodes to locate areas of concern
Slide Title: Section Objectives

Important Points to Cover:

Troubleshooting Fast Ethernet is basically the same as 10 Mbps Ethernet.

Page 6 - 2

Overview of Fast Ethernet


6-3

100Mbps version of the Ethernet standard
Uses the same timing criteria as 10 Mbps Ethernet
100BASE-Tx supports Category 3,4 and 5 twisted-pair wiring and fiber cabling
Standard defined by IEEE 802.3u
Many switches and hubs combine 10 Mbps and 100 Mbps ports to link legacy networks into high speed backbones

IEEE802.3u (100BASE-T) adopted in 1995 as a supplement to IEEE802.3. Several clauses are included in the specification. Earlier versions of 802.3 are defined in clauses 1-20. 802.3u is defined in clauses 21-30:
Clause 21 100BASE-T Introduction
Clause 22 Medium Independent Interface
Clause 23 100BASE-T4 Transceiver
Clause 24 100BASE-X Transceiver
Clause 25 100BASE-TX PMD*
Clause 26 100BASE-FX PMD*
Clause 27 Repeaters
Clause 28 Autonegotiation
Clause 29 Topologies
Clause 30 Management

Slide Title: Overview of Fast Ethernet

Important Points to Cover:

The specification calls for a few changes from the previous spec, but mostly outlines the new features.

Page 6 - 3

Where to Deploy Fast Ethernet


6-4

[Diagram labels: Remote LAN; Remote Router; Workgroup LANs; Campus; 10/100 Mbps Hubs and Switches; Network Center; 10/100 Mbps Workgroup Switches; Hubs/Switches; Router; WAN (Fractional T1, T1, X.25, Frame Relay); Firewall; Faster Server Links; Server Cluster; Hub; Token Ring]

Due to the small collision domain and repeater limitations, most Fast Ethernet hub installations will be in workgroup areas. It is not useful in the backbones of large enterprise networks. Fast Ethernet switches or other technologies are needed to go the distances.

Slide Title: Where to Deploy Fast Ethernet

Important Points to Cover:

Key words: "In place of" does not mean pull out all of your FDDI and use Fast Ethernet instead. FDDI has been around a long time and is a proven technology. This is to say, "If you need to install a new high-speed backbone, consider Fast Ethernet." Pulling out FDDI would be a real waste of money, and Fast Ethernet is probably inferior. Fast Ethernet is, however, cheaper to implement, and easier, since troubleshooting skills students already have transfer over to this technology.

Also mention the environments listed in the student notes section where Fast Ethernet could be implemented.

Page 6 - 4

Similarities between 10BASE-T and 100BASE-T


6-5
- Both use CSMA/CD
- Frame formats and frame lengths are the same
- Both can run on Category 3, 4 and 5 UTP
  - It must be four-pairs for 100BASE-T to run on 3 and 4
- Interconnections are made with hubs, repeaters, switches, etc.

Fortunately, 100BASE-T makes use of CSMA/CD and the same frame formats as 10 Mbps Ethernet. Therefore, most of what has been covered in this course is applicable to 100BASE-T also.

Wiring specification: Page 131 of the IEEE 802.3u-1995 spec details the pinout for internal and external crossover cables.

pin 1 ----------| Dedicated Transmit pair +
    2 ----------| Dedicated Transmit pair -
    3 ----------| Dedicated Receive pair +
    4 ----------| Bi-directional pair 1 +
    5 ----------| Bi-directional pair 1 -
    6 ----------| Dedicated Receive pair -
    7 ----------| Bi-directional pair 2 +
    8 ----------| Bi-directional pair 2 -


Slide Title: Similarities Between 10BASE-T and 100BASE-T

Important Points to Cover:

Point out just how similar the two are. The differences do not affect us as the protocol analyst. Of course, as a network manager concerned with the installation and overall network design, the similarities and differences are critical.

Page 6 - 5

100BASE-T Features
6-6
- 100BASE-T transmits ten times as much data in the same amount of time
- It has new PHY standards
- The network design is more compact
- The interframe gap is 0.96 microseconds instead of 9.6 microseconds
  - It is still 96 bit times for 10/100/1000; the times just get shorter as the speed increases
- Coding schemes 4B5B and 8B6T replace Manchester encoding

100BASE-T does have some important differences from 10BASE-T. Changes have been made to the PHYsical layer components. New sub-layers such as the Reconciliation sub-layer and an interface called the MII (Media Independent Interface) have been defined in the specification. There are new rules defining the number of repeaters allowed.


Slide Title: 100BASE-T Features

Important Points to Cover:

This slide shows key differences. Point out that the interframe gap is still 96 bit times; the bit times are just 10 times shorter!

Page 6 - 6

Physical Layer Specifications


6-7
- 100BASE-TX: Fast Ethernet for Category 5 UTP
  - Most widely used physical layer specification for 100BASE-T today
- 100BASE-T4: Fast Ethernet for CAT3 UTP
  - Use when you have a large installed base of voice grade wiring
  - Requires four wires of the cable
  - Not implemented very often, so there is very little vendor support for it
- 100BASE-FX: Fast Ethernet for Fiber Optic Cabling
  - Used in sites that are considering fiber cabling or have it installed
  - Usually used between floors of a building


Slide Title: Physical Layer Specifications

Important Points to Cover:

Use this page as a preview of what we will cover in more detail.

Page 6 - 7

100BASE-TX for Category 5 UTP


6-8
- Transmission over two pairs of Category 5 UTP or IBM Type 1 STP wire
- RJ-45 connector is exactly the same as that used by 10BASE-T, where the RJ-45 links two pairs of wires
- The punchdown blocks in the wiring closet must be Category 5 certified
- Traditional DB-9 connector used for STP wiring
- 4B5B coding


Slide Title: 100BASE-TX for Category 5 UTP


Important Points to Cover:

Slide information is adequate.

Page 6 - 8

100BASE-T4 for Category 3 UTP


6-9
- Operates over four pairs of Category 3, 4, or 5 UTP wiring
- Three pairs are used for transmission and the fourth wire is used for collision detection
- Since it can run on Category 3, provides for easier migration to 100BASE-T without rewiring
- Three of the four pairs are used to transmit or receive, so full-duplex operation is not possible
- 8B6T coding

TIA/EIA Cabling standards

Category  Application Support          Bandwidth  Year Std
1         Voice only                   voice      1950s
2         Voice or low speed data      1          1960s
3         Voice, 10BASE-T              16 MHz     1991
4         16 Mbps Token Ring           20 MHz     1993
5         CDDI, 100BASE-TX, ATM 155    100 MHz    1994
5         1000BASE-T (higher specs)    100 MHz    1999
5E        1000BASE-T                   100 MHz    1998
6         TBD                          200 MHz    1999
7         TBD (Work in Process)        600 MHz    9/2000


Slide Title: 100BASE-T4 for Category 3 UTP


Important Points to Cover:

Slide information is adequate.

Page 6 - 9

100 Base T Ethernet Pinouts


6-10
[Figure: RJ45 connector with pins numbered 1 through 8]

EIA/TIA-T568A
Pin  Signal      Wire Color
1    Transmit 3  white/green
2    Receive 3   green/white
3    Transmit 2  white/orange
4    Receive 1   blue/white
5    Transmit 1  white/blue
6    Receive 2   orange/white
7    Transmit 4  white/brown
8    Receive 4   brown/white

AT&T 258A and EIA/TIA-568B
Pin  Signal      Wire Color
1    Transmit 2  white/orange
2    Receive 2   orange/white
3    Transmit 3  white/green
4    Receive 1   blue/white
5    Transmit 1  white/blue
6    Receive 3   green/white
7    Transmit 4  white/brown
8    Receive 4   brown/white

It doesn't matter which wiring spec you choose; you just need to ensure you follow through with the same pinouts for all the cables. Both T4 and 1000BASE-T require four pairs. Gigabit requires a higher quality connector. Wiring specification: Page 131 of the IEEE 802.3u-1995 spec details the pinouts for internal and external crossover cables.


Slide Title: 100BASE-T Ethernet Pinouts

Important Points to Cover:

New Slide. For student reference.

10BASE-T required only:
pin 1  Transmit 2  white/orange
pin 2  Receive 2   orange/white
pin 3  Transmit 3  white/green
pin 6  Receive 3   green/white

If they are upgrading NICs to 100 or 1000 Mbps, they will need to connect all eight of the pins to make the old cable work for the new speed!

Page 6 - 10

100BASE-FX for Fiber Optic Cabling


6-11
- Operates over two strands of multimode or singlemode fiber cabling (just like FDDI)
- Fiber optic media transmits over greater distances than UTP; useful for connections between interconnect devices on a Fast Ethernet backbone
- Uses the MIC, ST or SC fiber connectors defined for FDDI and 10BASE-FX networks
- 4B5B coding

The Fiber MIC connector uses one keyed connector. It is quite large and is being replaced by the SC connector. The ST connector is the bayonet-style connector that twists onto separate fiber cables. It is the most popular connector.

The SC connector is smaller and uses a duplex connector. It is the connector of choice for future designs.


Slide Title: 100BASE-FX: Fast Ethernet for Fiber Optic Cabling


Important Points to Cover:

Slide information is adequate.

Page 6 - 11

4B5B Encoding Technique (100BASE-FX and 100BASE-TX)

6-12
- Upper layer protocols send data in 8 bit bytes
- The MAC driver splits the bytes into 4 bit nibbles
  - A look-up table is used to convert the 4 bit nibble to a 5 bit symbol or symbol code
- Clocking information is carried within the data stream
- 100BASE-FX uses a two-state NRZI signal
  - A change in signal level represents a binary code-one; no signal level change represents a binary code-zero

[Figure: layer diagram with the labels ULP, MAC, PHY and 8 bit bytes, 4 bit nibbles, 5 bit symbols]

The conversion from 4 bits to 5 bits does not involve any mathematical calculations; it is merely a table lookup.

Q: How does 4B5B contribute to making Fast Ethernet fast?
A: By processing bits in parallel blocks as they pass through the MAC layer rather than serially as in Manchester encoding.

Fast Ethernet operates at 100 Mbps as data passes through the NIC. After the addition of the extra bit, it theoretically transmits at 125 MHz.


Slide Title: 4B5B Encoding Technique (100BASE-FX and 100BASE-TX)


Important Points to Cover:

New diagram requested by Linda Richman. Thank you! "Encoding" is red bold to emphasize that this is an encoding scheme, to differentiate it from the purpose of the next slide.

This is nice-to-know information but not needed to troubleshoot Fast Ethernet. Cover it quickly so you have time to present the stuff that will help them.

The codes do not directly map to the hex value of the byte, so don't get hung up on the fact that a 1 maps to 01001 and F to 11101. The codes were defined to keep the number of sequential zeros less than 3 to maintain clock.

In 4B5B, every four bits will be sent out over five bit times. Look at the beginning of the bit cell to see if there's a transition. If there is, you've got a one; otherwise it's a zero. What makes 4B5B different from other encoding schemes is that the kind of transition is not always the same. The transition order (+1, 0, -1, 0, +1, 0) tells us that if there is going to be a transition, this is where the signal goes.

Page 6 - 12

4B5B Ternary Example


6-13
- 100BASE-TX uses MLT-3 ternary signaling
  - Any signal change in TX is represented by circulating among three progressive levels: (+1, 0, -1, 0, +1, 0, -1, 0 ...)

[Figure: MLT-3 waveform for hex 1F across the levels +1, 0 and -1, carrying the bits 0 1 0 0 1 (1) and 1 1 1 0 1 (F). Callouts: "No transition present, so this is a binary 0" and "Transition present, so this is a binary 1"]

- Hex 1F to 4B5B: 1 maps to 01001, F maps to 11101
- A transition = binary 1; No transition = binary 0
- Transition order: +1 0 -1 0 +1 0 -1 0 endlessly

Each 4 bit nibble is translated into a 5 bit symbol. The 5 bit symbol for 1 is 01001; the 5 bit symbol for F is 11101.

What happens if you connect a 10 Mbps hub to a 100 Mbps port? Autonegotiation signals will not be sent by the 10 Mbps hub, so the 100 Mbps hub will adjust the port to 10 Mbps. The slow hub will send frames using Manchester encoding; the fast hub converts it to 4B5B encoding and uses MLT-3 ternary signaling to forward it out a fast port. It does the opposite conversion before forwarding any frames from the fast port to the slow port.


Slide Title: 4B5B Ternary Example

Important Points to Cover:

This is electrical signaling: how we get the bits we just converted from 4 bit patterns into 5 bit symbols.

Notice that after each group of four bits, there's a transition. This transition does not provide data but is used for clocking.
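
The two steps from these slides, table lookup followed by line signaling, as an added example that is not part of the course material. The 16-entry table is the standard 4B5B data table (the slides quote only the entries for 1 and F); the function names, the nibble order (taken from the slide's drawing of hex 1F) and the idle starting level are assumptions of this example.

```python
"""4B5B block coding plus MLT-3 / NRZI line signaling (added example)."""

# Standard 4B5B data code groups, indexed by nibble value 0x0..0xF.
# The slides quote two of them: 1 -> 01001 and F -> 11101.
FOUR_TO_FIVE = (
    "11110", "01001", "10100", "10101", "01010", "01011", "01110", "01111",
    "10010", "10011", "10110", "10111", "11010", "11011", "11100", "11101",
)
FIVE_TO_FOUR = {code: nibble for nibble, code in enumerate(FOUR_TO_FIVE)}

# Transition order from the slide: +1, 0, -1, 0, then repeat.
MLT3_CYCLE = (+1, 0, -1, 0)


def encode_4b5b(data: bytes) -> str:
    """Look up one 5-bit code group per nibble and return the bit string.

    Assumption: nibbles are taken high-then-low, as the slide draws hex 1F.
    """
    groups = []
    for byte in data:
        groups.append(FOUR_TO_FIVE[byte >> 4])
        groups.append(FOUR_TO_FIVE[byte & 0x0F])
    return "".join(groups)


def mlt3_levels(bits: str) -> list:
    """100BASE-TX: a 1 steps to the next level in the cycle, a 0 holds.

    Assumption: the line starts at level 0 with +1 next in the cycle.
    """
    position = len(MLT3_CYCLE) - 1
    levels = []
    for bit in bits:
        if bit == "1":
            position = (position + 1) % len(MLT3_CYCLE)
        levels.append(MLT3_CYCLE[position])
    return levels


def nrzi_levels(bits: str) -> list:
    """100BASE-FX: two-state signal, a 1 toggles the level, a 0 holds."""
    level = 0
    levels = []
    for bit in bits:
        if bit == "1":
            level ^= 1
        levels.append(level)
    return levels


def bits_from_levels(levels, idle_level=0) -> str:
    """Receiver side for both schemes: any change of level is a 1."""
    bits = []
    previous = idle_level
    for level in levels:
        bits.append("1" if level != previous else "0")
        previous = level
    return "".join(bits)


def decode_4b5b(bits: str) -> bytes:
    """Reverse the lookup; a group outside the data table raises ValueError.

    A damaged group that lands outside the data table is detectable here;
    one that lands on another valid group is left to the frame CRC.
    """
    if len(bits) % 10:
        raise ValueError("bit string does not hold whole bytes")
    nibbles = []
    for offset in range(0, len(bits), 5):
        group = bits[offset:offset + 5]
        if group not in FIVE_TO_FOUR:
            raise ValueError(f"invalid data code group {group} at bit {offset}")
        nibbles.append(FIVE_TO_FOUR[group])
    return bytes((hi << 4) | lo for hi, lo in zip(nibbles[0::2], nibbles[1::2]))


if __name__ == "__main__":
    symbols = encode_4b5b(b"\x1f")
    print(symbols, mlt3_levels(symbols), nrzi_levels(symbols))
```
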

Page 6 - 13

8B6T Encoding Technique


6-14
(100BASE-T4)
- Based on a ternary symbol, meaning it may take on one of three values: 1, 0 or -1 (also represented as +, 0 or -)
- Each byte is mapped to a 6 bit-time ternary code symbol, called a 6T symbol
  - (i.e., to represent 1F, the 6T code group is 0 - + 0 + -)
  - A lookup table is used to convert the 8 bit byte into the 10 bit symbol
- Each 6T code symbol is fanned out onto the three pairs in round robin fashion
- Preamble is still 8 bytes in length
  - A special pattern is used to help the receiver locate the beginning of data on each pair
  - The receiver strips this pattern and returns an ordinary preamble to the MAC


Slide Title: 8B6T Encoding Technique (100BASE-T4)


Important Points to Cover:

This is nice to know information but not needed to troubleshoot Fast Ethernet. Cover it quickly so you have time to present the stuff that will help them.

The 802.3u spec defines a six part code for each byte.

Page 6 - 14

8B6T Example
6-15
Taken from the 802.3u specification: 1F uses code word 0 - + 0 + -

Data octet   6T code group
00           + - 0 0 + -
01           0 + - + - 0
02           + - 0 + - 0
:            :
1F           0 - + 0 + -

[Figure: waveform of the code group 0 - + 0 + - at the levels +3.5 Volts +/- 10%, 0 Volts +/- 50 mV and -3.5 Volts +/- 10%]


Slide Title: 8B6T Example


Important Points to Cover:

Cover quickly.

Page 6 - 15

Data Frame Transmission in 8B6T


6-16
[Figure: BYTES pass through a row of "Convert to 6T code group" steps and are fanned out onto 3 (of the 4 pairs)]


Slide Title: Data Frame Transmission in 8B6T


Important Points to Cover:

As we showed earlier, 100BASE-T4 operates over four pairs of UTP wiring. Three are used for transmission, the fourth does collision detection. Each byte goes to a different wire in a round robin fashion.

Page 6 - 16

Maximum Collision Domain


6-17
- The physical size and number of repeaters is limited in order to meet the round-trip propagation delay requirements
  - 100 meters (328 feet) is the maximum for each UTP link
  - A maximum of two repeaters is allowed
  - Two classes of repeaters are used (depending on their latency characteristics): Class I and Class II
  - The maximum collision domain for Fast Ethernet over cat 5 UTP using one class I repeater is 200 meters (672.4 feet)
  - Two class II repeaters extend it to 205 meters

Because of these constraints, switches are frequently used to extend the distances.

The 512 bit-time propagation limitation still applies. However, 512 bit times equals only 5.12 microseconds. Therefore, the performance of the repeater determines the number of repeaters allowed. To make things easier, certain classifications regarding the repeaters' characteristics have been defined.


Slide Title: Maximum Collision Domain

Important Points to Cover:

Slide information is adequate.

Page 6 - 17

Class I Repeaters
6-18
- Used to connect unlike physical signaling systems
- Only one Class I repeater can reside within a single collision domain when maximum cable lengths are used
- Standard Class I repeater has maximum round-trip delay of 140 bit times
  - Late collisions result if limits are exceeded

[Figure: one Class I repeater between a 100m UTP 100Base-TX link and a 100m UTP 100Base-T4 link; 200m total]

Class one repeaters convert each incoming analog signal to digital before the data is placed on the backbone and repeated out. The digital data then must be converted back to analog at each port before it is sent out. This allows translation between different encodings, but adds latency to the repeater. For this reason, only one level one repeater is allowed in the collision domain.

[Figure: repeater ports, each labeled Analog and Digital, connected to a Backplane]


Slide Title: Class I Repeaters

Important Points to Cover:

A little more clarification has been added to help differentiate between Class 1 and 2 repeaters. Because Class 1 repeaters can do translation between different cabling systems, it takes longer to repeat the signal. This limits you to just one repeater due to the longer propagation delay.

Page 6 - 18

Class II Repeaters
6-19
- Provide ports for only one physical signaling system type
  - Timing constraints do not allow translation between 100BASE-TX and 100BASE-T4
- Have smaller internal delays so that two class II repeaters may reside within a given collision domain when maximum cable lengths are used
- Standard Class II repeater has 92 bits as its maximum round trip delay
  - 67 bits for Class II repeaters with any T4 ports

[Figure: two Class II repeaters joined by 5m UTP, each with a 100m UTP link; 205m total]

Class II repeaters repeat the analog signal BEFORE it is converted to digital. The latency of these repeaters is less, but no conversion between encoding can be done.

[Figure: repeater ports, each labeled Analog, connected to a Backplane; Digital label]


Slide Title: Class II Repeaters

Important Points to Cover:

Because Class II repeaters cannot translate, they can forward the information much more rapidly. That allows for two in a collision domain.

Page 6 - 19

Stackable Hubs Provide More Ports


6-20
- Stackable hubs are multiport repeaters
- Their backbones are connected with external cables to repeat all the frames
- The stack acts like a single repeater

[Figure: animation of a hub stack. Caption: Timing slowed for demonstration!]


Slide Title: Stackable Hubs Provide More Ports

Important Points to Cover:

New Slide. Stackable hubs allow you to put a lot more devices in a collision domain than you could with single hubs. Essentially the backbone is extended through the external cables so the stack acts like a single repeater.

Page 6 - 20

Fiber Repeaters
6-21
- Fiber cabling allows much larger collision domains

[Figure: Class II repeaters with fiber links of 105m, 18m and 105m; 228m total]

- Fiber and UTP can be mixed
- Just be sure the end-to-end propagation delay does not exceed 512 bit times
  + Delay for each cable to the node (x2)
  + Delay for each repeater
  + Delay for cable between repeaters


Slide Title: Fiber Repeaters

Important Points to Cover:

New Slide. Since fiber optic is becoming quite common now (especially on the backbone), this slide was added to show the optical repeater specifications. The calculations for maximum collision domains need to add the delay of each wire based on type and length plus the delay of the repeater(s), expressed in bit times. The Switched, Fast, and Gigabit Ethernet book mentioned on the front of this section has great information on how to calculate all the different combinations. If you carry a book with you, this is the one to carry.
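
The budget described above (cable to each node, each repeater, cable between repeaters, all within 512 bit times), worked through as an added example that is not part of the course material. The repeater delays are the ones quoted on the Class I and Class II slides; the per-metre cable delays and the 100 bit-time allowance for the two end stations are assumed values commonly cited from the 802.3u delay model, and the function names are this example's own.

```python
"""Round-trip bit-time budget for a Fast Ethernet collision domain
(added example)."""

MAX_ROUND_TRIP_BT = 512   # limit stated on the slides
MAX_REPEATERS = 2         # limit stated on the slides

# Repeater round-trip delays in bit times, as quoted on the slides.
REPEATER_BT = {"class1": 140, "class2": 92, "class2_t4": 67}

# Assumed values, not on the slides: worst-case figures commonly cited from
# the 802.3u delay model. Cable values are already round trip per metre,
# which covers the slide's "(x2)".
CABLE_BT_PER_M = {"cat5": 1.112, "cat3": 1.14, "fiber": 1.0}
DTE_PAIR_BT = 100         # two TX/FX end stations together (assumed)


def round_trip_bit_times(segments, repeaters, margin_bt=0.0):
    """Sum the end stations, every cable segment and every repeater.

    segments  -- list of (media, metres) along the path between two nodes
    repeaters -- list of keys from REPEATER_BT, in path order
    """
    if len(repeaters) > MAX_REPEATERS:
        raise ValueError("more than two repeaters in one collision domain")
    if len(segments) != len(repeaters) + 1:
        raise ValueError("a chain of N repeaters needs N + 1 cable segments")
    total = DTE_PAIR_BT + margin_bt
    for media, metres in segments:
        if metres < 0:
            raise ValueError("cable length cannot be negative")
        total += CABLE_BT_PER_M[media] * metres
    for kind in repeaters:
        total += REPEATER_BT[kind]
    return total


def fits(segments, repeaters, margin_bt=0.0):
    """True when the path stays within the 512 bit-time limit."""
    total = round_trip_bit_times(segments, repeaters, margin_bt)
    return total <= MAX_ROUND_TRIP_BT + 1e-9


def max_link_between_repeaters(node_segments, repeaters, media):
    """Longest inter-repeater cable (metres) that still fits the budget.

    node_segments -- the two (media, metres) runs from repeater to node
    """
    used = DTE_PAIR_BT
    used += sum(CABLE_BT_PER_M[m] * length for m, length in node_segments)
    used += sum(REPEATER_BT[kind] for kind in repeaters)
    spare = MAX_ROUND_TRIP_BT - used
    return max(0.0, spare / CABLE_BT_PER_M[media])


if __name__ == "__main__":
    # The three topologies drawn on the slides.
    print(round_trip_bit_times([("cat5", 100), ("cat5", 100)], ["class1"]))
    print(round_trip_bit_times(
        [("cat5", 100), ("cat5", 5), ("cat5", 100)], ["class2", "class2"]))
    print(round_trip_bit_times(
        [("fiber", 105), ("fiber", 18), ("fiber", 105)], ["class2", "class2"]))
```

With these values the slides' 200m, 205m and 228m topologies all come out at or under 512 bit times, and lengthening the link between two Class II repeaters is what pushes a path over the limit.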

Page 6 - 21

Auto-Negotiation
6-22
- The algorithm that allows two devices at either end of a link segment to negotiate common data service functions
- RJ-45 connector may have any one of five different Ethernet signals: 10BASE-T, 10BASE-T full-duplex, 100BASE-TX, 100BASE-TX full-duplex or 100BASE-T4
- Both 100BASE-T NICs and hubs send a modified 10BASE-T link integrity test pulse sequence (called Fast Link Pulses - FLP)
  - 10BASE-T devices don't understand the pulses and ignore them
  - 100BASE-T devices adjust to 10 Mbps when they receive 10BASE-T link pulses
- Hub and NIC automatically adjust their speed to the highest common denominator both can accommodate
- Useful if you're unsure what you're plugging into AND when upgrading to 100BASE-T hubs or cards

[Figure: NIC and hub or switch, each with an autonegotiate OFF/ON setting. Caption: 10 or 100? Full or half? AUTONEGOTIATE!]

10BASE-T link pulses are a single signal every 201 s. Fast Ethernet link pulses are bursts containing information about the capabilities of the adapter. They are used for all the faster Ethernet interfaces. Priority bits in the pulses identify the type of the device connection capabilities and are assigned as below. The highest common connection type is used for the connection.

Priority  Connection type
1         1000BASE-T full-duplex
2         100BASE-T2 full-duplex
3         100BASE-T2
4         100BASE-TX full-duplex
5         100BASE-T4
6         100BASE-TX
7         10BASE-T full-duplex
8         10BASE-T

Autonegotiation is a common source of incompatibility problems when using a 10/100 card from one vendor and a hub from another vendor.

Slide Title: Auto-Negotiation

Important Points to Cover:

Good coverage of this on pages 133 through 135 of the Seifert book.

Autonegotiation created a lot of problems in the early NICs. Not all vendors used the same algorithm, and things worked OK until you introduced a new brand of NIC into the network. These early implementation problems are now corrected and most cards are compatible. Most hubs allow you to turn autonegotiation off to force the network to specific parameters.

Autonegotiation is done on power up. Generally there are devices on the network that are never powered down, so they control the parameters of a broadcast segment. The negotiation is done for a specific link. Most hubs and switches can negotiate on each port, so you may have a combination of 10 and 100 MB stations on the ports.

The pulses sent to negotiate are ignored by any cards that do not support it. 16 bit pages are sent that carry information that identifies the parameters. There is a larger discussion of these in the gigabit section. Cards are able to differentiate between the link pulses, autonegotiation and data signals on the wire. The Sniffer will not capture any of these signals, so we will not see them in traces.

Autonegotiation is used only on 100 Mbps twisted pair networks. The IEEE has not been able to overcome the negotiation problems in fiber optic networks, so the ends of the links must be manually configured. The Sniffer does not capture Fast Ethernet autonegotiation; the gigabit Sniffer Pro does.

Page 6 - 22

10/100 Hubs and Switches


6-23
- There are many varieties of 10/100 hubs
  - Hubs with separate linked backbones for each speed
    - Frames between different speed devices cross over the link
  - 10 Mbps hubs with 100 Mbps uplinks
    - 10 Mbps traffic is aggregated onto the high speed uplink
    - The frames are buffered until they can be forwarded
    - Be sure the uplink is switched to enable longer distances
- Each 100 Mbps device autonegotiates the speed of the port
  - Since 10BASE-T devices have no autonegotiate pulses, their port is set to 10 Mbps


Slide Title: 10/100 Hubs and Switches

Important Points to Cover:

New Slide. Slide information is adequate. This slide also answers the question of "what if I plug in the wrong Sniffer?" (We address it later, too.) The best advice is to leave the 10/100 Ethernet card in your Sniffer set to autonegotiate the speed. Attach it to the network, then power it up. It will automatically learn the correct speed and begin to watch the frames even before you start any monitor or capture processes. If you plug any 10/100 card into the wrong port, the worst that happens is the card (including the Sniffer) won't see anything!

Page 6 - 23

10/100 Flow Control


6-24
- Devices with a mixture of port speeds must provide buffers to hold the data between the high and low speed devices
  - Flow control must be used to signal devices to stop sending data when the buffer is full
  - Half-duplex uses back pressure signals


Slide Title: 10/100 Flow Control

Important Points to Cover:

New Slide. This is a lead-in to the back pressure discussion and the exercise where we see two traces from a 10/100 autosensing hub. There will be a delay between the 10 and 100 connections because of the bridging effect inside the hub or switch.

Page 6 - 24

Back Pressure
6-25
- Switches send back pressure frames as a busy signal to end stations to prevent them from sending frames when the switch's internal buffers have reached their capacity
  - Switches that do not use back pressure or some other flow control mechanism will simply DROP FRAMES when their internal buffers cannot handle the traffic flow
- Frames are vendor-specific
  - IEEE specifies this as preamble bits not followed by a start of frame delimiter. Not all vendors follow the spec
  - Show up in the Sniffer hex window with 5555555555, AAAAAAAA, 202020202, 34343434, D0D0D0D0 patterns
  - To determine your back pressure patterns, disable back pressure and capture a trace
    - If fragments are there, it is jam
    - If they are gone, it is back pressure

Switches discard frames when their buffers are full. This causes retransmissions at the higher layers, which degrades performance. If the switch causes collisions when the buffer is full to keep from discarding frames, the backoff algorithm in the end station will keep incrementing the time the card waits to retransmit and will finally give up. Back pressure eliminates this problem. By keeping the line busy with bits, the cards can transmit as soon as they sense the line is free and the backoff algorithm will not be started.
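
The identification procedure from the slide, as an added example that is not part of the course material: find fragments filled with one of the listed patterns, then compare a capture taken with back pressure enabled against one taken with it disabled. The function names, the 64-byte fragment cutoff, the 90% fill threshold and the sample frames are assumptions constructed for this example.

```python
"""Flag back pressure / jam candidates in captured frames (added example)."""
from collections import Counter

# Fill bytes taken from the hex patterns listed on the slide.
SLIDE_FILL_BYTES = {0x55, 0xAA, 0x20, 0x34, 0xD0}

# Assumption: anything shorter than the 64-byte Ethernet minimum is a fragment.
MIN_FRAME_LEN = 64


def fragment_fill(frame: bytes, threshold: float = 0.9):
    """Return the fill byte if `frame` is a fragment dominated by one of the
    slide's patterns, else None. The threshold tolerates a few stray bytes."""
    if not frame or len(frame) >= MIN_FRAME_LEN:
        return None
    value, count = Counter(frame).most_common(1)[0]
    if value in SLIDE_FILL_BYTES and count / len(frame) >= threshold:
        return value
    return None


def pattern_counts(capture):
    """Count pattern fragments per fill byte across a list of raw frames."""
    counts = Counter()
    for frame in capture:
        fill = fragment_fill(frame)
        if fill is not None:
            counts[fill] += 1
    return counts


def classify(with_back_pressure, without_back_pressure):
    """Apply the slide's test to two captures of the same segment.

    A pattern still present once back pressure is disabled is jam;
    a pattern that disappears was back pressure.
    """
    before = pattern_counts(with_back_pressure)
    after = pattern_counts(without_back_pressure)
    return {
        fill: ("jam" if after[fill] else "back pressure") for fill in before
    }


# Constructed sample data (not taken from the course trace files).
# A full-size frame padded with 0x20 must not be flagged: it is not a fragment.
NORMAL_FRAME = bytes.fromhex("ffffffffffff" "020000000001" "0806") + b"\x20" * 50
CAPTURE_ENABLED = [
    NORMAL_FRAME,
    b"\x55" * 20,
    b"\x55" * 18 + b"\x07",   # one stray byte at the end
    b"\xd0" * 12,
    b"\xaa" * 16,
]
CAPTURE_DISABLED = [NORMAL_FRAME, b"\xaa" * 16]


if __name__ == "__main__":
    for fill, verdict in sorted(classify(CAPTURE_ENABLED, CAPTURE_DISABLED).items()):
        print(f"{fill:02X} fragments: {verdict}")
```
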


Slide Title: Back Pressure

Important Points to Cover:

This slide discusses the features of back pressure and how to deal with and identify it in the network. If you don't have time for the exercise in class, show the BACKPRES.CAP and BACKPRES1.CAP trace files. If they will do the exercise, let them discover it.

Here is the text of an email from a former instructor while she was working at 3 Com about the BACKPRES.CAP trace. It is copied verbatim from the IFAQ. The same patterns can be used as jams, too. I differentiate by looking at the fragments in the trace. (The suggestions in the last bullets are hers.)

3 Com calls it Intelligent Flow Management (IMF) in its documentation. Here's how it works: There's an input buffer (size varies by device); let's use 256k for our example. When the switch detects there's 254k in the input buffer, it sends those signals to the network. The filling of the input buffer could mean the outbound segment is busy and the switch is having difficulty sending frames out, etc.

A few things to remember: Since these are not valid frames, their only function is to trigger carrier detect on the cards on that segment. There is no meaning to their content. Backpressure is a good thing! It looks like collisions, but keep this in mind. Ethernet cards are designed to backoff and retransmit if they detect a collision while transmitting. This takes microseconds. Backpressure will prevent them from transmitting in the first place or may cause a few collisions here and there (the switches don't carrier sense before they output backpressure). Anyway, it's the physical layer that handles this. If you disable backpressure, frames may be dropped at the switch. This means no collision occurs and the upper layer has to time out to detect the lost packet. With LLC this could be a matter of milliseconds. With TCP, this could be a matter of hundreds of milliseconds. That's an eternity, especially on Fast Ethernet. Bottom line, leave backpressure on.

Thanks, Michelle!!!

Demo:

Page 6 - 25

Troubleshooting Fast Ethernet


6-26
- Troubleshooting Fast Ethernet is pretty much like troubleshooting 10 Mbps Ethernet
- Look for bad ports on the switch or hub
  - Check the Dashboard Detail panel for error counts
  - Look for corruption in the frames hex window
- Check if the collision domain is too large
  - Collision domains are much smaller than 10BASE-T
  - Are there too many repeaters in series?
  - Is the fiber segment too large?
  - Look for propagation delay clues in the frames: collision evidence late in the frame


Slide Title: Troubleshooting Fast Ethernet

Important Points to Cover:

The slide is self-explanatory. Refer them back to the hubports exercise we did. The same technique applies in Fast Ethernet.

Page 6 - 26

Troubleshooting Fast Ethernet


6-27
- Autonegotiation vendor incompatibilities
  - Not all vendors implement
  - TX idles simulate jabber that keeps network busy
  - View the Dashboard Detail panel for jabber and oversize frames
  - Look for garbage in the frames
  - May autonegotiate to T4 assuming cable may not be category 5
  - Result is lower performance for the higher quality wiring
  - Turn off autonegotiate and enable TX with cat 5
  - Check your switch port information if this statistic is available

Slide Title: Troubleshooting Fast Ethernet

Important Points to Cover:

The slide is adequate.

Page 6 - 27

Troubleshooting Fast Ethernet


6-28
- Cabling problems
  - All RJ-45 jacks look alike. Cables coming into the wiring closet may come from a lower speed NIC and cause problems without autonegotiation
  - Updated NIC may connect to old wires and cause degradation in the signals
  - Look for evidence of physical corruption, CRC errors, jabber, etc., in the Dashboard Detail panel
  - Check for a link light
- 100BASE-TX NICs plugged into 10BASE-T ports
  - Their idle signals can cause collisions on the 10BASE-T hub

Slide Title: Troubleshooting Fast Ethernet

Important Points to Cover:

The slide is adequate.

Page 6 - 28

Fast Ethernet Exercises


6-29
Turn to the lab section to complete the Fast Ethernet exercises:
- Fast Ethernet Troubleshooting and Back Pressure
- Fast Ethernet Problems


Slide Title: Fast Ethernet Exercises

Important Points to Cover:

Please do these two exercises. They teach valuable skills and give them another chance to work with Fast Ethernet and how it impacts the network.

Fast Ethernet Troubleshooting and Back Pressure: The first shows Fast Ethernet traffic. At the end are 2 trace files showing different types of backpressure. If you run out of time, you could use these trace files to demonstrate the patterns.

The second exercise discusses some of the issues in the 10/100 autosensing hubs.

Look back to page 25 for the backpres.cap story. This is the story that came with the backpres2.cap file:

This trace came from a company that was having problems from a line running in the proximity of a generator in a warehouse using cat 5 cabling. The errors coming from the EMI were overflowing the buffer on the 10/100 switch, so the switch was sending out the backpressure. To solve the situation the customer installed a fiber zip cord and it worked. This proves the point that the back pressure was not the problem but the EMI was. I hope this fills in the gaps for everyone. Michael "Mickey" Giovingo

Page 6 - 29

Summary
6-30
In this section, you learned how to:
- Summarize the features of Fast Ethernet
- Differentiate the 100BASE-T4, 100BASE-TX, and 100BASE-FX implementations
- Recognize back pressure frames in a trace
- Attach Sniffer Pro to your Fast Ethernet networks
- Use the Sniffer Pro statistics and decodes to locate areas of concern

Slide Title: Summary

Important Points to Cover:

Review the section objectives and answer any remaining questions. Target Time: Day two at afternoon break.

Page 6 - 30

7-1

Full Duplex Ethernet

Network Associates

Sniffer University

Ethernet Network Analysis and Troubleshooting Full Duplex

Section 7 TNV-202-GUI

Ethernet Network Analysis and Troubleshooting

Slide Title: Full Duplex Ethernet

Section Timing: Start: Day 2 after break. Finish: Day 2 Approx. 3:00

Important Points to Cover: Section 7 title slide only.

Files: 07_fd_g.PPT, 07_fd_g.DOC

Traces: None available, sorry!

This section looks back to Fast Ethernet and forward to Gigabit Ethernet. Both use Full Duplex. Please remember this instructor guide is a living document. It is not complete to start and is intended to grow with time. Add to your own copy as you gain experience. Please e-mail suggestions to the course Subject Matter Expert (SME) for future updates to the course material.

Page 7 - 1

Section Objectives
7-2

Upon completion of this section, you will be able to:
- Summarize the features of Full Duplex Ethernet
- Differentiate Full Duplex Ethernet standards and cabling
- Recognize Pause frames in the trace and why they are sent
- Attach Sniffer Pro Full Duplex pod to your Full Duplex Ethernet networks
- Configure Sniffer Pro's full duplex features
- Use the Sniffer Pro statistics and decodes to locate areas of concern
- Attach the Full Duplex pod to analyze full duplex connections

Slide Title: Section Objectives

Important Points to Cover:

You will not have access to the FDX pod for this class. This section, Full Duplex, has no exercises accompanying it and consists of many slides depicting configuration. How you handle these sections will depend on your comfort level with the material. Since many students may have questions regarding how the Sniffer will handle Full Duplex and Gigabit, you have these sections as an overview.

References:
- Fast Ethernet: Dawn of a New Network by Howard W. Johnson, 1996, Prentice Hall Publishing, ISBN 0-13-352643-7
- Gigabit Ethernet, Technology and Applications for High Speed LANs by Rich Seifert, 1998, Addison Wesley Publishing, ISBN 0-201-18553-9
- Switched, Fast and Gigabit Ethernet 3rd Edition by Robert Breyer and Sean Riley, 1999, Macmillan Technical Publishing, ISBN 1-57870-073-6

Page 7 - 2

Full Duplex Communication


7-3
[Diagram labels: Full-duplex Power Users; Switch; Full-duplex Uplinks; Full Duplex Switch; Full Duplex Server or Routers; Half-duplex Workstations]

- Simultaneous Transmit and Receive on separate cables
- Eliminates collisions
- Must be supported by both hub and end-node
- Can allow full distance limitation of media (2km for fiber optic cable)
- Defined in the 802.3x Specification
- Many half-duplex switches have full-duplex uplink ports

Full duplex cards are usually practical only for servers with high levels of traffic on both the receive and transmit lines. Adding a full duplex card to a workstation is only practical for one with a multitasking operating system running applications that require and can handle simultaneous read and write operations.

Slide Title: Full Duplex Communication

Important Points to Cover:

Each station has two cables: one to transmit to the port, the other to receive. They can send and receive simultaneously. Because there are no collisions, the cables can be much longer. Full duplex doubles the aggregate channel capacity, but does not double the maximum data transfer rate due to the nature of the traffic. Most connections send a lot of data in one direction and acknowledgements in the other direction. This imbalance will be most apparent in a client-server link between a single user and server. With a server or router connected to a backbone and many stations accessing them, the receive and transmit channels are more likely to have an equal amount of traffic. Each link must be a dedicated connection. If they were shared, you'd need the CSMA/CD and all the advantages go out the window.

Page 7 - 3

Where to Deploy Full Duplex Ethernet


7-4
[Diagram labels: Remote LAN; Remote Router; Campus Workgroup LANs; Workgroup Hubs; 10/100 Mbps Hubs and Switches; Network Center; Full Duplex Connections; Firewall; Router; WAN (SONET, ATM or ISDN with H channels); Faster Server Links; Server Cluster attached full duplex]

Traffic management for frames going to non-duplex stations is handled by the internal buffering on the switch.

Slide Title: Where to Deploy Full Duplex Ethernet

Important Points to Cover:

- In the backbone so edge devices can have full bandwidth in each direction.
- In powerful servers that service many clients.
- Anywhere there is a need for a huge fast pipe.

Note that it can be used in 10, 100 or 1000 Mbps networks. This is a very simplified diagram. Most companies will have much larger configurations!

Page 7 - 4

Switched Full Duplex


7-5

- Only two devices on the segment - the node and switch port
- Simultaneous receive and transmit
- No need to wait for carrier, always available
  - Queue up the frames and send immediately
- No collisions
  - No backoff delays
  - No Carrier Sense, No Multiple Access, No Collision Detection
  - No CSMA/CD!

Slide Title: Switched Full Duplex


Important Points to Cover:

Emphasize the first bullet. Idea from Seifert: Ethernet has always been defined as CSMA/CD. If it didn't do it, it was Token Ring, FDDI, Token Passing - you get the idea. Now we have an environment that doesn't do CS, isn't MA and doesn't need to do CD, but we still call it Ethernet!

Page 7 - 5

Full Duplex Transmit


7-6

- Receive frame from the upper layer
- Transmit out the transmit port
- Wait interframe gap
- Transmit the next frame

[Diagram: a sequence of frames separated by the interframe gap (IFG)]

Slide Title: Full Duplex Transmit

Important Points to Cover:

This slide is animated. If you have a frame to send, by golly, just put it on the wire! If you have a bunch of frames to send, just keep pumping them out, but be sure to put the interframe gap for the technology between them so the receiver can catch its breath, send the frame up the stack and get ready to synch up for the next one.

Page 7 - 6

Full Duplex Receive


7-7

[Flow chart labels: 10101010...; SFD?; Wait; Assemble Frame; My Address?; >512 Bits?; CRC Valid?; Good Frame! Pass to higher layer protocol; Discard Frame]

Slide Title: Full Duplex Receive

Important Points to Cover:

This is a modified version of the 10 Mb flow chart. A couple of things have been added here that were assumed in the 10 Mb chart: SFD recognition, frame assembly, address recognition. The other one had so many things going on that we just didn't have room for them there!

Question: Does the receiver need the gap to tell when the frame has ended? Nope. It has the length field to tell it how long the frame is.

Page 7 - 7

Full Duplex Flow Control


7-8

- Switches discard frames when their buffers overflow
- Full duplex transmission bursts can fill buffers, especially if different speed devices are conversing
- MAC Control Frames were developed to allow the switch to tell the nodes to throttle back
  - PAUSE is the only MAC Control frame defined today
- MAC Control frames are part of the Data Link Layer
  - Sent to a well-known address
  - Bridges and switches do not forward
  - The switch sends the PAUSE to the device on the TX wire
  - The NIC stops sending for the time specified in the PAUSE frame
  - The switch can send multiple PAUSE frames until the buffers reach the lower threshold

Slide Title: Full Duplex Flow Control

Important Points to Cover:

MAC frames in Ethernet????? And they still call it Ethernet??? The PAUSE is the only MAC frame defined yet. It is anticipated more will be added as needed. These frames replace backpressure.

Page 7 - 8

MAC Control Frame


7-9

Field                                      Bytes   Contents
Preamble and SFD                           8
Destination Address                        6       0180C2000001
Source Address                             6       Sending Station's Address
Type = 8808                                2       MAC Control Frame Type
MAC Control Opcode                         2       PAUSE = 0001
MAC Control Parameters (pad to 44 bytes)   44      Pause time in 512 bit-time increments
CRC                                        4

The destination address is a multicast address that has previously been reserved. Only stations that support the PAUSE function will accept the frame. All MAC Control frames will be type 8808. The opcode specifies the type of control frame. PAUSE frames are opcode 0001 and are the only MAC Control frames currently defined. They are sent by either side when their buffer is full and are used to notify the receiving side to wait a certain period of time before sending more frames. A time is included in the MAC Control Parameter field that indicates the amount of time the receiver must wait. It is measured in 512-bit times so it is specific to each data rate. It can be used for 10, 100 and 1000 Mbps Ethernet. 10 Mbps will be 51.2 microsecond increments, 100 Mbps is 5.12 microseconds, 1000 Mbps is 512 nanosecond increments. The station can modify the wait time by sending a new PAUSE frame with the timer set either shorter or longer to reflect current buffer conditions.

Slide Title: MAC Control Frame


Important Points to Cover:

The 8808 type field identifies this as a MAC Control frame. The opcode indicates which type of MAC frame. Right now the only one is 0001 for the PAUSE. The time is always listed in 512 bit-time intervals. Conceivably they can be used for all speeds - the spec was written with that in mind. Later on there may be control frames that need more fields. Space is reserved for more parameters.

Question: Does the full duplex Sniffer capture these control frames?
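The PAUSE frame layout and pause-time arithmetic above, as an added Python example (not part of the original course material): it decodes MAC Control frames from captured bytes and totals the pause time each sender requested. The frames, the sender address 00a0c9112233 and the function names are constructed for illustration, and frames are assumed to be stored without preamble or CRC.

```python
import struct

PAUSE_DST = bytes.fromhex("0180C2000001")  # reserved multicast destination from the slide
MAC_CONTROL_TYPE = 0x8808                  # type field carried by every MAC Control frame
OPCODE_PAUSE = 0x0001                      # the only opcode the section defines
QUANTUM_BITS = 512                         # pause time is counted in 512 bit-time units


def build_pause(src_mac: bytes, quanta: int) -> bytes:
    """Build a constructed PAUSE frame as an analyzer stores it (no preamble, no CRC)."""
    header = PAUSE_DST + src_mac + struct.pack("!H", MAC_CONTROL_TYPE)
    body = struct.pack("!HH", OPCODE_PAUSE, quanta)
    pad = bytes(44 - 2)  # the 2-byte pause time is padded out to the 44-byte field
    return header + body + pad


def parse_mac_control(frame: bytes):
    """Decode a MAC Control frame; return None for any other frame type."""
    if len(frame) < 18:
        return None
    (etype,) = struct.unpack("!H", frame[12:14])
    if etype != MAC_CONTROL_TYPE:
        return None
    opcode, quanta = struct.unpack("!HH", frame[14:18])
    return {
        "dst": frame[0:6].hex(),
        "src": frame[6:12].hex(),
        "reserved_dst": frame[0:6] == PAUSE_DST,
        "opcode": opcode,
        "is_pause": opcode == OPCODE_PAUSE,
        "quanta": quanta if opcode == OPCODE_PAUSE else None,
    }


def pause_ns(quanta: int, mbps: int) -> int:
    """Requested pause in nanoseconds: quanta * 512 bit-times at the link's data rate."""
    return quanta * QUANTUM_BITS * 1000 // mbps


def summarize(frames, mbps: int):
    """Per-sender PAUSE count and total requested pause time (ns) for a list of frames."""
    totals = {}
    for frame in frames:
        info = parse_mac_control(frame)
        if not info or not info["is_pause"]:
            continue
        count, total = totals.get(info["src"], (0, 0))
        totals[info["src"]] = (count + 1, total + pause_ns(info["quanta"], mbps))
    return totals


# Constructed sample trace: two PAUSE frames from one switch port and one ordinary frame.
SWITCH = bytes.fromhex("00a0c9112233")
SAMPLE_TRACE = [
    build_pause(SWITCH, 0xFFFF),
    build_pause(SWITCH, 0x0100),
    bytes.fromhex("00a0c9445566") + SWITCH + struct.pack("!H", 0x0800) + bytes(46),
]

if __name__ == "__main__":
    for speed in (10, 100, 1000):
        print(speed, "Mbps:", pause_ns(1, speed), "ns per pause unit")
    print(summarize(SAMPLE_TRACE, 100))
```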

Page 7 - 9

400+ Mbps Full Duplex


7-10

- 802.3ad specifies link aggregation
- Port aggregation allows up to four full-duplex Fast Ethernet ports to be aggregated into what appears as a single high speed link
- Each channel runs 100 Mbps in each direction
- Can be used only in point-to-point configurations
- Some links can be configured as standby links
  - Failure of a primary link automatically switches the traffic to the backup link
- Device drivers and software configure full-duplex adapters
- NAI's DSPro has a card that can sniff these links

NAI sells a four port Ethernet adapter and tap card for DSPro Agents which allows you to designate all four ports as an EtherChannel. The TNV-201-DSP course has more information on this card.

Slide Title: 400+ Mbps Full Duplex

Important Points to Cover:

New Slide. This slide is here to answer questions from students about whether the Sniffer can capture on these high-speed links. DO NOT try to give them details here. It is only for the DS Pro and we cover this card and all the other non-portable solutions in the TNV-201-DSP class.

Page 7 - 10

7-11

Full Duplex Sniffer Pro


Slide Title: Full Duplex Sniffer Pro


Important Points to Cover:

Title page to lead into covering the Sniffer.

Page 7 - 11

Create an Agent for the Pod


7-12

File > Select Settings


1. Choose the Ethernet card
2. Choose the FDX pod
3. IP address should fill in one higher than your card's address

Pod initializes when you click OK

When configuring the new agent, you must select the Ethernet network card before you check the Full Duplex pod radio button. This will enable the IP address box. The Host adapter must be configured with a fixed IP address. DHCP for the host is not supported. Set the pod's IP address one higher than the address of the Ethernet card in your computer if the address is not automatically sensed.

Slide Title: Create an Agent for the Pod


Important Points to Cover:

Remind them the system requirement and pod information was covered in section two so we haven't repeated it here. Use the familiar File > Select Settings to create the new agent. First select the Ethernet adapter in the PC. When you select the Full Duplex pod in the Netpod type field, the IP address becomes active. Important: the IP address for the pod must be one host number higher than the address of the Ethernet card. They can use Ipconfig.exe or open the Windows network window to get the address if they don't know it. When you click OK on this screen and select it from the Select Settings window, you'll see some progress report messages as the code is downloaded to the pod. If all goes well, you should see the Sniffer window open and the agent name and pod speed show up in the title bar.

Page 7 - 12

Set Line Speed


7-13

Before you start a capture, check the line speed settings in Tools > Options > Full Duplex Pod

Slide Title: Set Line Speed

Important Points to Cover:

The first thing you need to do is set the line speed of the link. Use Tools > Options > Full Duplex pod tab window to do that. All of the choices are shown in the drop-down list.

Page 7 - 13

Two Memory Pools


7-14

Pod Memory
- The physical memory installed in the box
- Up to 512 MB
- Frames from the network are copied here

Sniffer PC Memory
- Set through the Buffer tab on Capture Filters
- Frames from the pod are copied here

Slide Title: Two Memory Pools

Important Points to Cover:

This is preparation for the next slide that shows the options you have in capturing this traffic. Explain it quickly and move on.

Page 7 - 14

Two Transfer Modes


7-15

Set by clicking the icons on the toolbar or the Capture Menu

Stream Mode
- The pod streams the data to the analyzer application as it is captured off the network
- Counts appear in the Sniffer window

High Speed Capture Mode
- The data is held in the pod buffer until the capture is stopped
- Use this mode when you are capturing from a very busy network
- You can set the options to stop the capture when the buffer is full
  - The frames are transferred to the PC for analysis

Slide Title: Two Transfer Modes

Important Points to Cover:

Stream Mode: the pod sends the frames to the Sniffer PC as they arrive on the network. The pod may miss capturing some frames as the frames are transferred to the PC on very busy networks. The software decodes the frames and shows statistics, but does not do real-time Expert analysis. You must stop the capture and upload the frames to the PC before you get Expert analysis.

High Speed Capture Mode is used on very busy networks. This allows you to focus on capturing the frames without the holes introduced in Stream Mode. You'll want to watch the buffer dial to make sure you stop the capture before the pod buffer recycles and writes over the first frames. You can also configure the Sniffer to stop when the pod buffer is full and upload the frames to the PC. How? Read on...

Page 7 - 15

Pod Buffer Action Configuration


7-16

Capture > Define Filter > Full Duplex Pod

Slide Title: Pod Buffer Action Configuration

Important Points to Cover:

This configuration sets the actions on the pod buffer

Page 7 - 16

Sniffer Buffer Action Configuration


7-17

Capture > Define Filter > Buffer
- Set the Sniffer Buffer actions here
  - Same options as other Sniffers

Slide Title: Sniffer Buffer Action Configuration

Important Points to Cover:

This panel controls the PC buffer actions. There are no unique Full Duplex settings here.

Page 7 - 17

Capture Panel Display Window


7-18

[Screenshot callouts: Sniffer Statistics; Pod Statistics]

View Both
- Shown when you start a capture from the capture menu or icon

The Decode window Summary panel shows the channel number as [A] and [B] in the Status column

Slide Title: Capture Panel Display Window

Important Points to Cover:

This is the display when you have enabled the View Both option. PC statistics at the top. Pod statistics at the bottom. The graphs on the lower panel are color-coded for each channel. The pod counts show numbers for each channel and total counts.

Page 7 - 18

Special Icons on the Toolbar


7-19

View Full Duplex Pod Only
- Provides statistics for the capture session on the pod itself

View Sniffer Only
- Standard capture panel display and more
- Provides run-time statistics for the capture session on the PC

View Both
- Split screen to show statistics for both

Slide Title: Special Icons on the Toolbar

Important Points to Cover:

These icons control which panels are open on the Sniffer capture screen. You can select just the Sniffer PC counts, just the pod counts or both.

Page 7 - 19

Pod Gauges
7-20

- Frames Received per second on each channel
- Percentage of free memory on each channel
- Number of errors per second received on each channel

Slide Title: Pod Gauges

Important Points to Cover:

Slide is self-explanatory.

Page 7 - 20

Setting Pod Properties


7-21

Click the Properties icon in the Full Duplex pod window or click the right mouse button over the capture window and select the Properties option

Identify shows:
- Pod version
- Pod IP Address
- Pod Ethernet Mac Address
- Connection mode
- Line Speeds
- Total Memory

- Pod Version number specifies the version of the software on the pod
- IP Address shows the IP address assigned to the pod
- MAC Address shows the hardware address of the Ethernet adapter in the pod
- Connection shows whether the pod is set to passthrough or terminate mode
- Channel A Line Speed shows the line speed of the network segments attached to Channel A
- Channel B Line Speed shows the line speed of the network segments attached to Channel B
- Total Memory shows the amount of memory installed on the pod (in DIMMs)

Slide Title: Setting Pod Properties

Important Points to Cover:

Slide is self-explanatory.

Page 7 - 21

Address Filters
7-22

- If Mode is set to Include and you set address filters with less than or equal to 16 sources and 16 destinations, the filter is applied as a hardware filter
- If Mode is set to Exclude or if you have more than 16 sources or 16 destinations, the filter is applied as a software filter

Type of address filter:
# Sources    # Destinations
2            2
1            0
0            1
1            1
Any does not count as a source or destination

Hardware filters
Hardware filters are applied at the pod as the frames are captured from the network. The frames excluded by hardware filters are not saved in the pod buffer.

Software filters
Software filters are applied by the Sniffer application to the frames uploaded from the pod buffer to the Sniffer buffer.

Slide Title: Address Filters

Important Points to Cover:

Slide is self-explanatory.

Page 7 - 22

Filters in High Speed Captures


7-23
- When capturing in high speed at full line rate, address filters are particularly helpful
- When the mode is set to High Speed, the frames are stored in the pod buffer until the capture is stopped
- Limiting the frames that are accepted ensures you will have the frames needed to isolate the problem
- When hardware filters are in effect, the pod will automatically filter out all frames shorter than 55 bytes, CRC included

Slide Title: Filters in High Speed Captures

Important Points to Cover:

Slide is self-explanatory. Set capture filters to save room for what you need to see!

Page 7 - 23

Error Frames with the Full Duplex Pod


7-24
Frame Size             Valid CRC    Invalid CRC
<51+4                  Illegal      Illegal
>50+4 & <60+4          Runt         Fragment
60+4 to 1514+4         Normal       CRC
>1514+4 & <4082+4      Oversized    Jabber
>4082+4                Illegal      Illegal

(frame sizes in bytes + CRC)

For more details, see Appendix A in the Full Duplex Product Manual on your student CD.

Slide Title: Error Frames with the Full Duplex Pod

Important Points to Cover:

Slide is self-explanatory. If you want more details, look at Appendix 2 in the Full Duplex pod use documentation on the student CD.

Page 7 - 24

2 LAN Sniffer Pros in Full Duplex


7-25

Interim solution when you don't have an FDX pod

[Diagram: a Fast Ethernet 100 Mbps splitter on the link between the Fast Ethernet switch and the server, feeding two Fast Ethernet Sniffer Pro Analyzers. Sniffer Port 1 receives data from Server Receive/Switch Transmit. Sniffer Port 2 receives data from Server Transmit/Switch Receive.]

Slide Title: Using 2 LAN Sniffer Pros in Full Duplex

Important Points to Cover:

This is the same diagram we had before. It is possible to use two regular Fast Ethernet Sniffers attached to a splitter to capture each channel separately. Remind them to time synchronize them as close as they can before they start to capture and start the capture as simultaneously as they can. They will need to match request and reply sequences in the frames to line up the frames for comparison. Once they have the trace files saved, both can be opened in Sniffer Pro and their windows set side by side to compare them directly as we did in the hubports exercise.
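One way to line up the two single-direction traces by matching request and reply sequences, as an added Python example that is not part of the original course material. It assumes each frame has already been reduced to a timestamp in microseconds, a transaction id and a kind (request, reply or ack); those fields, the sample values and the function names are constructed for illustration.

```python
# Constructed sample data: (timestamp_us, transaction_id, kind).
# TRACE_A: frames toward the server (Sniffer port 1, Server Receive/Switch Transmit).
# TRACE_B: frames from the server (Sniffer port 2, Server Transmit/Switch Receive).
# The two analyzers' clocks disagree by roughly two seconds in this sample.
TRACE_A = [
    (10_000_000, 1, "request"), (10_005_000, 1, "ack"),
    (10_100_000, 2, "request"), (10_103_500, 2, "ack"),
]
TRACE_B = [(8_004_000, 1, "reply"), (8_103_000, 2, "reply")]


def offset_bounds(trace_a, trace_b):
    """Bound the value to add to trace B timestamps so they match trace A's clock."""
    replies = {txn: t for t, txn, kind in trace_b if kind == "reply"}
    lower, upper = None, None
    for t, txn, kind in trace_a:
        if txn not in replies:
            continue
        diff = t - replies[txn]
        if kind == "request":    # a reply cannot precede its request
            lower = diff if lower is None else max(lower, diff)
        elif kind == "ack":      # an ack cannot precede the reply it acknowledges
            upper = diff if upper is None else min(upper, diff)
    if lower is None or upper is None:
        raise ValueError("need at least one request/reply and one reply/ack pair")
    if lower > upper:
        raise ValueError("inconsistent pairing or clock drift between the analyzers")
    return lower, upper


def merge(trace_a, trace_b):
    """Shift trace B by the midpoint of the bounds and interleave both channels."""
    lower, upper = offset_bounds(trace_a, trace_b)
    offset = (lower + upper) // 2
    merged = [(t, "A", txn, kind) for t, txn, kind in trace_a]
    merged += [(t + offset, "B", txn, kind) for t, txn, kind in trace_b]
    return offset, sorted(merged)


if __name__ == "__main__":
    offset, frames = merge(TRACE_A, TRACE_B)
    print("offset applied to channel B:", offset, "us")
    for frame in frames:
        print(frame)
```

The more request/reply pairs the traces contain, the tighter the bounds become; a lower bound above the upper bound means the frames were paired wrongly or the clocks drifted during the capture.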

Page 7 - 25

Summary
7-26

In this section, you learned how to:
- Differentiate Full Duplex Ethernet standards and cabling
- Recognize Pause frames in the trace and why they are sent
- Attach Sniffer Pro Full Duplex pod to your Full Duplex Ethernet networks
- Configure Sniffer Pro's full duplex features
- Use the Sniffer Pro statistics and decodes to locate areas of concern
- Attach the Full Duplex pod to analyze full duplex connections

Slide Title: Summary
Important Points to Cover:

Review the section objectives and answer any remaining questions. Target Time: Day 2 at 3:30

Page 7 - 26

8-1

Gigabit Ethernet

Network Associates

Sniffer University

Ethernet Network Analysis and Troubleshooting Gigabit Ethernet

Section 8 TNV-202-GUI

Ethernet Network Analysis and Troubleshooting

Slide Title: Gigabit Ethernet

Section Timing: Start: Day 2 late-afternoon. Finish: Day 2 Approx. 5:00

Important Points to Cover: Section 8 title slide only.

Files: 08_gig_g.PPT, 08_gig_g.DOC

Traces: GBautonegotiation.cap, GB.cap, 8021q-gig.cap

Exercise: Gigabit Traffic

This section was updated to reflect the new technologies customers are beginning to employ in their networks. There should be a gigabit dummy driver defined on the class Sniffers. There is a warning that Monitor mode is disabled. Just click OK to move beyond it. This will enable you to create a new agent and show the features of the Sniffer. Please remember this instructor guide is a living document. It is not complete to start and is intended to grow with time. Add to your own copy as you gain experience. Please e-mail suggestions to the course Subject Matter Expert (SME) for future updates to the course material.

Page 8 - 1

Section Objectives
8-2

Upon completion of this section, you will be able to:
- Summarize the features of Gigabit Ethernet
- Differentiate Gigabit Ethernet standards and cabling
  - Summarize 1000Base-SX, 1000Base-LX, 1000Base-CX and 1000BaseT implementations
- Attach Sniffer Pro to your Gigabit Ethernet networks
- Configure Sniffer Pro's gigabit-specific features
- View the autonegotiation process in the Sniffer and determine if there is a problem
- Use the Sniffer Pro statistics and decodes to locate areas of concern

Slide Title: Section Objectives

Important Points to Cover:

Cover the objectives quickly. We do have dummy drivers so you can show the Gigabit screens. Practice with them so you can present the information in this section.

References:
- Gigabit Ethernet, Technology and Applications for High Speed LANs by Rich Seifert, 1998, Addison Wesley Publishing, ISBN 0-201-18553-9
- Switched, Fast and Gigabit Ethernet 3rd Edition by Robert Breyer and Sean Riley, 1999, Macmillan Technical Publishing, ISBN 1-57870-073-6

Page 8 - 2

Gigabit Overview
8-3

- 1000 Mbps Ethernet is able to transmit a frame at ten times the data rate of 100 Mbps Ethernet
- It allows you to use familiar Ethernet technology while providing much higher bandwidth
- The standard using optical cabling is defined in 802.3z addendum
- 802.3ab addendum defines the Physical Layer parameters for 4-pair over Cat 5 balanced copper cabling
- Switches with 10/100 and Gigabit ports link legacy networks into high speed Gigabit backbones
  - Frequently used in server clusters, links between switches and servers
  - Some implementations even allow you to aggregate 1000BASE-X or 1000BASE-T segments into 10 Gigabit links

Check the Gigabit Ethernet Alliance www.gigabitethernet.org

The aggregate data rate of 100 Mbps is achieved by transmission at a data rate of 250 Mbps over each UTP wire pair. Full duplex transmission allows symbols to be transmitted and received on the same wire pairs at the same time. Baseband signaling with a modulation rate of 125 Mbaud is used on each of the wire pairs. The period for each symbol is 8 ns.

[Diagram: transmit (T) and receive (R) on each wire pair at both ends of the link]

Slide Title: Gigabit Overview


Important Points to Cover:

You may want to poll the class to see what their plans are for gigabit vs. ATM. Review the bullets quickly.

Page 8 - 3

Deploying Gigabit Ethernet


8-4
[Diagram labels: Remote LAN; Remote Router; Network Center; Gigabit Backbone Connections; Workgroup LANs; Campus 10/100 Mbps Hubs and Switches with Gigabit Uplinks; Workgroup Hubs; WAN (SONET, ATM or ISDN with H channels); Firewall; Router; Server Cluster with Gigabit connections]

Due to the cost of Gigabit switches, only high throughput links will initially use or need Gigabit Ethernet.

Slide Title: Deploying Gigabit Ethernet

Important Points to Cover:

One last slide like this. Early implementations will concentrate these very expensive high speed connections where the highest levels of traffic exist. Fast Ethernet switches for the LANs will have gigabit uplinks to multiplex the traffic onto the high speed backbone. Later slides address the move to gigabit to the desktop.

Page 8 - 4

IEEE Gigabit Data Link Layer


8-5
- Uses the Physical Layer of the Fiber Channel
- Uses the MAC and LLC layers of the 802.3 specification
- Increases data rate to 1.25 Gbps

[Diagram: three protocol stacks side by side. IEEE 802.3 Ethernet: IEEE 802.3 LLC, IEEE 802.3 CSMA/CD, IEEE 802.3 Physical Layer. IEEE Networks (1000Base-3z): Network Layer, IEEE 802.3 LLC, CSMA/CD or Full Duplex MAC (Data Link Layer), 8B/10B Encode/Decode, Serializer/Deserializer, Connector. ANSI X3T11 Fibre Channel: FC-4 Upper Layer Mapping, FC-3 Common Services, FC-2 Signaling, FC-1 Encode/Decode, FC-0 Interface and Media.]

The Gigabit Ethernet standard draws from two separate specifications. The Physical layers are derived from the ANSI X3T11 Fibre Channel specification. The Data link layers are derived from the IEEE 802.3 Ethernet specification that specifies CSMA/CD for half duplex or full duplex rules for media access control. The LLC layer is moved intact from the IEEE specification.

Slide Title: IEEE Gigabit Link Layer


Important Points to Cover:

Don't spend much time on it here, since it is mainly FYI stuff.

Page 8 - 5

Physical Limitations of Shared Gigabit


8-6

- Using the standard Ethernet specifications for copper wire, the half-duplex network diameter would be reduced to 20 meters - not very practical!
- Carrier extension is used to extend the frame so the diameter can be extended to 200 meters using fiber or copper media
  - Different cables yield higher diameters
  - This compares to the 200 meter limit for 100Mbps Ethernet over copper
  - Only one repeater (hub) can exist between any two devices on the network

The large number of cable choices allows for a maximum network diameter to range from 200 meters with category 5 UTP to 550 meters using 1300 nm single mode 500 MHz/km fiber at attenuation 2.32 all the way to 5000 meters using 1300 nm single mode 10/125 µm fiber cables at attenuation 4.5.

Slide Title: Physical Limitations of Shared Gigabit


Important Points to Cover:

A VERY small collision domain IF you use it in a half-duplex configuration. Emphasize again we are still building on the old 10Base5 specs if we are going to share the media.

Page 8 - 6

Gigabit Carrier Extend


8-7

Carrier Extend is used in Half Duplex gigabit Ethernet to extend frames less than 512 bytes to the slot time minimum (4096 bit-times)
  Fills the Inter Frame Gap (IFG) in burst mode
This allows collisions to be sensed on shared media while both sides transmit, but contributes a lot of overhead to each small frame!
The standards committee wanted to provide backward compatibility even though this is impractical
It also appears at the end of some full-duplex frames

Frame layout: P | DA | SA | L/T | DS | SS | Ctr | Data | F | Carrier Extend (448-1 bytes)
64 + 448 = 512 bytes minimum

Most Gigabit implementations will use Full Duplex mode to enable long cable lengths.

P = Preamble
DA = Destination Address
SA = Source Address
L/T = Length/Type
DS = Destination SAP
SS = Source SAP
Ctr = LLC Control (a SNAP header, not shown here, may follow this field)
Data = Frame data
F = Frame Check Sequence (CRC)

Carrier Extend allows the network diameter to remain at the 200 meter limit used by Fast Ethernet over twisted pair media. This is also inefficient. If a device only has 64 bytes of data to send (a minimum-length Ethernet frame), it still must send 512 bytes, most of which is only a carrier signal. It imposes a great deal of overhead for a network where smaller frames predominate.


Slide Title: Gigabit Carrier Extend

Important Points to Cover:

This is a multi-faceted tool.
Extend small frames to the 512 byte minimum in half-duplex so all stations will hear the transmission and wait to transmit.
Fill the interframe gap in burst mode (covered on the next slide).
One or more inserted between each frame in full-duplex mode.
The Carrier Extend length is purposely written as 448-1 bytes, since it is dependent on how long the frame is.

Page 8 - 7

Carrier Extend in the Sniffer


8-8

Turn on 10 Bit decodes from the Hex right-click menu

This frame was captured from a full duplex network
Note the [A] channel indicators
Even the 1472 byte frame 23 has one Carrier_Extend field


Slide Title: Carrier Extend in the Sniffer

Important Points to Cover:

This shows how to enable the Sniffer to display the 10 bit codes. This may help in resolving vendor interoperability problems.

Page 8 - 8

Frame Bursting Part One


8-9

Frame bursting is used to overcome the overhead of carrier extend
The first frame is transmitted using the normal procedures for half-duplex Gigabit Ethernet
A frame burst timer is started to allow transmissions of up to 64 Kbits
If additional frames are queued for transmission and the 64 Kbit timer has not expired, two things happen:
  The first frame is followed by carrier extend
  The next frame is transmitted

Slide Title: Frame Bursting Part One

Important Points to Cover:

If the station has multiple frames queued in its transmit buffer, packet bursting allows it to send them until the 64 Kbit timer runs out. The station waits until there is no carrier sensed, then it begins to transmit the first frame. It extends it to the slot time if it is short. If a collision occurs, it backs off and waits its turn to transmit. When the first frame is out, it keeps the line busy by transmitting nondata symbols (carrier extension symbols) to fill the interframe gap, then it transmits the second frame. It can continue to transmit frames separated by carrier extend until the 64 Kbit timer runs out (8192 bytes). If it has a frame in process, it finishes sending it, then yields the line. Collisions should not occur during the burst, since all stations should hear carrier and wait. If the collision domain limit is exceeded or a device has failed, it may cause a late collision. If this occurs, the adapter stops transmitting data and starts jamming, then it backs off and retries, starting the process over again. Packet bursting is not used in full-duplex, since the station owns the wire in each direction and has full bandwidth to transmit at all times.

Page 8 - 9

Frame Bursting Part Two


8-10

The process is repeated until there is no more data to send or until the timer expires
If the 64 Kbit limit is reached during the transmission of a frame, that frame may be completely sent
In many cases a station could theoretically transmit more than 64 Kbits
  The actual maximum bits that could be sent would be seen where the 64 Kbit limit is reached on the first bit of a maximum-length frame
  In this case, the total bits transmitted would be 64 Kbits plus the length of that frame which would be 1518 bytes or 12,144 bits
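The cost of carrier extension and the saving from frame bursting can be worked through with a small model. This is an added example, not part of the original course material; the 8-byte preamble and 12-byte interframe gap are standard Ethernet values assumed here, the model assumes that only the first frame of a burst is carrier-extended, and collisions are not modelled.

```python
"""Byte-time cost of half-duplex Gigabit Ethernet with carrier extension and bursting."""

SLOT_BYTES = 512          # slot time: 4096 bit-times (from the slide)
BURST_LIMIT_BYTES = 8192  # 64 Kbit burst timer (from the notes)
PREAMBLE_BYTES = 8        # preamble + start-of-frame delimiter (assumed standard value)
IFG_BYTES = 12            # 96 bit-time interframe gap (assumed standard value)
MIN_FRAME, MAX_FRAME = 64, 1518


def wire_cost(frames, bursting):
    """Return (total_byte_times, bursts) for a transmit queue of frame lengths.

    bursts is a list of (frames_in_burst, byte_times_the_station_held_the_line).
    """
    for length in frames:
        if not MIN_FRAME <= length <= MAX_FRAME:
            raise ValueError(f"frame length {length} outside {MIN_FRAME}-{MAX_FRAME}")
    total, bursts, i = 0, [], 0
    while i < len(frames):
        # First frame: normal half-duplex rules, carrier-extended to the slot time.
        held = PREAMBLE_BYTES + max(frames[i], SLOT_BYTES)
        sent = 1
        i += 1
        # More frames may start only while the burst timer is still running.
        # The gap is filled with carrier extension so the line never goes idle;
        # a frame that starts before the limit is always finished.
        while bursting and i < len(frames) and held < BURST_LIMIT_BYTES:
            held += IFG_BYTES + PREAMBLE_BYTES + frames[i]
            sent += 1
            i += 1
        bursts.append((sent, held))
        total += held + IFG_BYTES  # station yields the line; ordinary idle gap
    return total, bursts


def efficiency(frames, bursting):
    """Fraction of occupied wire time that carries frame bytes."""
    total, _ = wire_cost(frames, bursting)
    return sum(frames) / total if total else 0.0


if __name__ == "__main__":
    for label, queue in (("10 x 64-byte", [64] * 10), ("10 x 1518-byte", [1518] * 10)):
        for bursting in (False, True):
            total, bursts = wire_cost(queue, bursting)
            print(f"{label:15} bursting={bursting!s:5} byte-times={total:6} "
                  f"efficiency={efficiency(queue, bursting):.3f} bursts={bursts}")
```

With maximum-length frames the first burst overruns the 8192-byte limit by most of a frame, which is the "64 Kbits plus the length of that frame" case described on the slide.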

Slide Title: Frame Bursting, Part Two

Important Points to Cover:

Notes on previous page cover this page.

Page 8 - 10

Problems of Shared Media


8-11

Using hubs requires that all devices share the media to form a single collision domain
Even with frame bursting, the overhead of carrier extension is still significant
A topology with a maximum diameter of 200 meters is not workable in many large environments
Therefore, shared media hubs are probably not a practical option with Gigabit Ethernet
  All vendors offer Full-duplex switches to overcome the inefficiencies

Slide Title: Problems of Shared Media

Important Points to Cover:

Review the bullets quickly. This is a quick recap of the problems of shared media and why full duplex is the choice for everyone. Emphasize again the IEEE chose to build on the old 10Base5 specs for backward compatibility. But fortunately they moved on to create an environment where Gigabit can really speed things up.

Page 8 - 11

Full-Duplex, Switches & Jumbo Frames


8-12

Gigabit switches will be the solution of choice
  Since switches act like bridges - each port is a separate collision domain
  Switches can be connected in a hierarchical fashion to extend the network without the concern of collision detection
Most switches offer full-duplex ports which will effectively double the potential throughput to 2 Gbps and extend the cable length.
Many 100 Mbps hubs and switches will be equipped with gigabit uplink ports to provide connectivity with the network's gigabit backbone
Pause frames are used for flow control
Jumbo frames are now allowed
  Up to 9,000 bytes!

Single mode fiber increases the length of the cable substantially. One vendor supports single mode cable lengths up to 9 miles. Since sending frames requires CPU processing, sending a lot of small frames is inefficient. By allowing servers to send large frames, the CPU can queue a large frame, then work on other tasks while it is being sent.


Slide Title: Full Duplex, Switches & Jumbo Frames


Important Points to Cover:

Can you imagine Gigabit without using switches? Each connection is its own collision domain. There still can be collisions between the switch and the end station, but these will be very rare. Half duplex still does contention, full duplex doesn't need it. The best solution is full duplex gigabit. You get full bandwidth in both directions, reduce the overhead doing contention and increase the cable lengths.

Page 8 - 12

Physical Media - Optical Fiber


8-13

Three varieties of fiber are specified:
  50 µm multimode
  62.5 µm multimode
  10 µm single mode

The specs allow for two types of laser drivers
  1000BaseSX: 850 nm (short-wave)
  1000BaseLX: 1350 nm (longwave)

µm = micron, nm = nanometers


Slide Title: Physical Media - Optical Fiber


Important Points to Cover:

This is the first of 3 slides that discuss the various types of media. Cover them quickly. Lasers are expensive. See big bucks

$$$$$$$$$

Page 8 - 13

Copper Cable
8-14

1000BASE-CX
  Can only be used as patch cables or jumpers due to a distance limit of 25 meters
  Created to help reduce cost of the many short connections required in a wiring closet
  Consists of 2 pairs of shielded 150-ohm Twinax cable
  Much like Type 1 STP used in traditional token ring environments, but with higher electrical quality standards

1000BASE-T
  4 pairs of category 5 UTP balanced copper cable
  100 meter cable limit
  Uses 4D-PAM5 (4-dimensional 5-level Pulse Amplitude Modulation) coding (8B1Q4)
    8 bits are converted to 4 quinary symbols
    Levels are +2 +1 0 -1 -2
    Start-of-Stream delimiter signals beginning of frame
    End-of-Stream delimiter signals the end of the frame

1000BASE-T clock frequency is 125 MHz (vs. 25 MHz for 100BASE-T2). It simultaneously transmits on all four pairs to achieve the 1000 Mbps rate. Each wire transmits 250 Mbps which aggregate to 1000 Mbps. The Twinax cable consists of two center conductors surrounded by an insulated spacer which is surrounded by a tubular outer conductor (usually braid, foil or both). It is then covered entirely by an insulating and protective cover. It is similar to twisted pair in that it uses differential or balanced transmission.


Slide Title: Copper Cable


Important Points to Cover:

Slide is adequate.

Page 8 - 14

Gigabit to the Desktop


8-15

Very limited deployment - usually used in servers
  Use multiple parallel high speed processors to handle the data flow effectively
  Install plenty of fast memory to cache the data, since disk drives operate in milliseconds, while gigabit data flows at nanosecond speeds
  Use a 64 bit 66 MHz PCI slot so the CPU bus can handle the amount of traffic

The gigabit transceiver chip on the board contains more than 200,000 transistors, about the processing capability of an Intel 486 chip. Many different manufacturers use this chip on their boards.


Slide Title: Gigabit to the Desktop


Important Points to Cover:

Big challenges: Coax cable limitations for such high speeds Big Bucks

$$$$$$$$

Page 8 - 15

Encoding Technique: 8B10B


8-16

Used for fiber optic and 1000BASE-CX media
Derived from 4B5B encoding used in 100BaseTX, 100BaseFX, and FDDI
Each 8-bit byte is represented by a 10-bit code
  There are two code groups or categories:
    D Group - Used for data transmission
    K Group - Used to send control signals
  Uses a look-up table for the conversion values
The clock signal is embedded in the data stream
  To ensure that there are adequate voltage transitions, data signals (D groups) never have more than 4 consecutive ones or zeros in them
  8B10B includes a number of unique control signal patterns (known as commas) that allow devices to synchronize and align their bit cells

IBM developed and patented the 8B10B encoding standard and it licensed it for Fibre Channel and Gigabit Ethernet. It ensures there are enough clock transitions for receiver clock recovery and allows control signals to be embedded in the data stream. Single and multiple bit errors can be corrected. The data code words never include more than 4 consecutive ones or zeros or the ten bit codes do have an imbalance of more than one, i.e., 5 ones and 5 zeros, 6 ones and 4 zeros or 4 ones and 5 zeros. The IEEE std 802.3ab -1999 spec lists the entire bit-to-symbol mapping table of codes. It is also referred to as 8B1Q4 coding technique. The conversion process is called 4D-PAM5 and refers to the 4 Dimensional 5-level Pulse Code Amplitude Modulation process.


Slide Title: Encoding Technique 8B10B


Important Points to Cover:

Nice to know information. Won't help troubleshoot. Cover quickly. A table of symbols is included in the spec and table A-1 page 387 of Seifert's book and the IEEE spec (of course). The Gigabit Sniffer interface in current use gives statistics of the D and K group bits.

Page 8 - 16

Autonegotiation
8-17

Gigabit autonegotiation is used to configure operational parameters
  Fast Ethernet negotiates the speed with fast pulses
  Gigabit uses special normal-rate signaling
  Signals indicate whether it is using full or half-duplex
16 bit message pages are exchanged on link initialization, multiple pages can be used

If only one side supports full duplex, the connection will use half-duplex if each side allows negotiation.

The PAUSE and Asymmetry direction bits are used together to determine if the device supports flow control and, if it does, whether it is capable of asymmetric flow control. (Asymmetric refers to a large discrepancy between the amount of data on each line at the same time. If the device is a server, it can process requests from multiple clients on the transmit and receive lines, so the traffic will be somewhat even on the two sides. If the device is a node, data transfer will occur on only one line with acknowledgments on the other, so the traffic tends to be heavy on one line and light on the other line.) There are four possibilities with the two bits: 1) No flow control 2) Asymmetric flow control toward the node 3) Asymmetric flow control from the node and 4) Symmetric flow control.

The Remote Fault bits indicate error conditions that prevent normal operation. Codes are shown as Remote Fault bit 1, Remote Fault bit 2: 00 = No error, 01 = Device Offline, 10 = Link failure, 11 = Auto-negotiation failure.

Autonegotiation messages are sent repeatedly until the sender receives an acknowledgement. The acknowledgement bit indicates the sender has received 3 sequential autonegotiation messages with the same contents. The next page bit is reserved for future use when more than 16 bits are required to negotiate parameters. Special K and D combinations identify the autonegotiation signals so they are not interpreted as data.

Slide Title: Autonegotiation

Important Points to Cover:

We've talked about autonegotiation before in the Fast Ethernet section. Here are the details about the 16 bit message pages and the significance of each of the bits. This shows all the different parameters that can be negotiated. Student notes should help you present this.

Page 8 - 17

Autonegotiation Process
8-18

[Flow chart: autonegotiation process. Boxes and decisions: PHY comes up as Slave; Enter slave silent mode; Start wait timer & send 0s; Scan for carrier; Master on NW? (Yes/No); Send fast link pulses; Enter training mode; Establish receive operation; Send info to link partner; Receive link info from partner; Process fail? (Yes/No); Send idles or data; Link Status = Fail]

The fast link pulses are identical to the Fast Ethernet pulses. They indicate the type of connection the system is able to use. The highest level for both sides becomes the negotiated transmission characteristic.

Priority  Connection type
1         1000BASE-T full-duplex
2         100BASE-T2 full-duplex
3         100BASE-T2
4         100BASE-TX full-duplex
5         100BASE-T4
6         100BASE-TX
7         10BASE-T full-duplex
8         10BASE-T


Slide Title: Autonegotiation Process

Important Points to Cover:

Use this flow chart to explain the autonegotiation process and the symbolism of the Master and Slave bits they will see in the Sniffer screens. They will look at this in the exercise, so you can cover it in the slide now and let them discover it in the exercise if you have time for it.

Page 8 - 18

Autonegotiation Frame Details


8-19

Bits    Parameter
0-4     Reserved
5       Full-duplex
6       Half-duplex
7       PAUSE
8       Asymmetry direction
9-11    Reserved
12      Remote Fault 1
13      Remote Fault 2
14      Acknowledgement
15      Next Page Present

(Bit positions run from 0 to 15.)

This is very useful when you need to troubleshoot vendor incompatibility issues.
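When comparing the pages sent by two link partners, it helps to decode the 16-bit page mechanically. The following is an added example, not part of the original course material or of the Sniffer product: it uses the bit layout and Remote Fault codes given above, assumes the page is supplied as an integer with bit 0 as the least significant bit, and uses constructed sample values.

```python
"""Decode Gigabit autonegotiation pages using the bit layout from the slide table."""
from dataclasses import dataclass

# Remote Fault codes from the notes, keyed as (Remote Fault 1, Remote Fault 2).
REMOTE_FAULT = {
    (0, 0): "No error",
    (0, 1): "Device Offline",
    (1, 0): "Link failure",
    (1, 1): "Auto-negotiation failure",
}
RESERVED_MASK = 0x001F | 0x0E00  # bits 0-4 and 9-11

# Constructed sample pages (not taken from a real trace).
LOCAL_PAGE = 0x40E0    # full-duplex, half-duplex, PAUSE, Acknowledgement
HALF_ONLY = 0x4040     # half-duplex only, Acknowledgement
FAULTY_PAGE = 0x1020   # full-duplex, Remote Fault 1 set, no Acknowledgement


@dataclass(frozen=True)
class AutonegPage:
    full_duplex: bool
    half_duplex: bool
    pause: bool
    asym_dir: bool
    remote_fault: str
    ack: bool
    next_page: bool
    reserved_bits: int


def decode_page(word):
    """Decode one 16-bit page; bit 0 is taken as the least significant bit."""
    if not 0 <= word <= 0xFFFF:
        raise ValueError("autonegotiation page must fit in 16 bits")

    def bit(n):
        return (word >> n) & 1

    return AutonegPage(
        full_duplex=bool(bit(5)),
        half_duplex=bool(bit(6)),
        pause=bool(bit(7)),
        asym_dir=bool(bit(8)),
        remote_fault=REMOTE_FAULT[(bit(12), bit(13))],
        ack=bool(bit(14)),
        next_page=bool(bit(15)),
        reserved_bits=word & RESERVED_MASK,
    )


def resolve_duplex(a, b):
    """Pick the best duplex mode that both pages advertise."""
    if a.full_duplex and b.full_duplex:
        return "full-duplex"
    if a.half_duplex and b.half_duplex:
        return "half-duplex"
    return "no common mode"


def review_link(local_word, partner_word):
    """Return (duplex, findings) for the pages captured from each end of a link."""
    local, partner = decode_page(local_word), decode_page(partner_word)
    duplex = resolve_duplex(local, partner)
    findings = []
    if duplex == "half-duplex" and (local.full_duplex or partner.full_duplex):
        findings.append("downgraded: only one side advertises full-duplex")
    if duplex == "no common mode":
        findings.append("no duplex mode advertised by both sides")
    for name, page in (("local", local), ("partner", partner)):
        if page.remote_fault != "No error":
            findings.append(f"{name} reports remote fault: {page.remote_fault}")
        if page.reserved_bits:
            findings.append(f"{name} sets reserved bits 0x{page.reserved_bits:04x}")
        if not page.ack:
            findings.append(f"{name} has not acknowledged its partner's page")
    return duplex, findings


if __name__ == "__main__":
    for partner in (HALF_ONLY, FAULTY_PAGE):
        print(hex(partner), review_link(LOCAL_PAGE, partner))
```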


Slide Title: Autonegotiation Frame Details

Important Points to Cover:

New Slide. The bits are listed on the side. You can send multiple pages of information in the process. We see two duplicate pages here.

Developer note: I tried very hard to get new Full Duplex and Gigabit traces, but no one came through for me. I asked a couple of different mailing lists and HQ people and there just don't seem to be many floating around. I surely hope to get one showing the autonegotiation process through real work for the next revision!

Page 8 - 19

Autonegotiation Frame Summary


8-20

Pulses - no addresses
Number of ten bit codes in the set
32 nanosecond timestamps
10 bit Hex decodes are automatically enabled for autonegotiation signals


Slide Title: Autonegotiation Frame Summary

Important Points to Cover:

Point out that there are no addresses in these signals

Page 8 - 20

10 Bit Decode of the Signals


8-21

Right-click in the Hex window and select 10 Bit to see the autonegotiation decodes


Slide Title: 10 Bit Decode of the Signals

Important Points to Cover:

This shows how to see the 10 bit decodes

Page 8 - 21

8-22

Gigabit Sniffer

Slide Title: Gigabit Sniffer


Important Points to Cover:

Title Page. This is a brief overview.

Page 8 - 22

Some Advice
8-23

Full wire speed transmission can create 125 MB of data every second!
  That's just too many frames to analyze
Run Monitor applications to gather statistics and narrow in on problem areas
Set capture filters to accept the frames where you see problems
Turn off real-time Expert analysis and view Expert after you stop the capture


Slide Title: Some Advice

Important Points to Cover:

Capture filters!
Turn off real-time Expert

Page 8 - 23

What if I Plug in the Wrong Sniffer?


8-24

First of all, the media and connectors will limit the number of mistakes you can make
Then there's autonegotiation
  If you have the wrong speed card, the autonegotiation will fail, so you won't get any data at all (and will get a failure to open the adapter message)
  If you plug a 10/100 adapter into a full-duplex Fast Ethernet port, you'll just get one side of the conversation


Slide Title: What If I Plug in the Wrong Sniffer?

Important Points to Cover:

New Slide. Slide is sufficient

Page 8 - 24

Gigabit User Interface


8-25
Uses the standard Sniffer Pro interface with enhancements for Gigabit technology

The Gigabit Sniffer now has the Sniffer Pro interface. Due to the complexity of the products, it and Full Duplex Ethernet will be covered in detail in a separate High Speed Ethernet class.


Slide Title: Gigabit User Interface


Important Points to Cover:

The Monitor screens and Expert are the same
The capture panel has a tab for Channel Info that shows counts for each channel
The Summary window shows [A] and [B] to indicate which channel the frame was captured from.

Page 8 - 25

Other Differences
8-26

The Dashboard and Capture Panel show counts for each channel
History samples are doubled - one for each channel
Global Statistics shows individual channel statistics and color-coded graphs for each
The Summary window shows [A] and [B] in the status columns to indicate which channel captured the frame
Packet Generator has tabs to set the rate, override addresses and preamble and change the CRC


Slide Title: Other Display Differences

Important Points to Cover:

New Slide. Cover the bullets. Demo if you like.

Page 8 - 26

Three Separate Buffers


8-27

Adapter Memory
  144 MB trace buffer memory
    72 MB per channel (2)
  Configure parameters on the Tools > Options > Gigabit tab
    Monitor or Emulation mode
    Enable Jumbo frames
    SPAN port connection

PAC 62

SnifferPro software RAM
  Configure Buffer size on the Buffer tab

Configuration process is similar to Full Duplex


Slide Title: Three Separate Buffers

Important Points to Cover:

New Slide. Two on the card, one on the PC. Note there are no choices for uploading since the frames are already in the Sniffer buffer.

Page 8 - 27

More New Options


8-28

Tools > Options > Gigabit
  Set mode
  Enable jumbo frames

Capture > Define Filter
  Control card buffers
  Capture filters can be set on one channel or both

The Gigabit Packet Generator has more options than the other Ethernet Sniffers:
  The Rate tab allows you to set the Interpacket Delay, Packets per second, and Network Utilization
  The Address tab allows you to override the source and destination address in several different ways
  The Advanced tab (single frames only) choices are: random size packets, set data offsets, include sequence numbers, adjust timestamps and generate certain types of errors.
  The Gigabit tab allows you to set the preamble length and change the CRC.


Slide Title: More New Options

Important Points to Cover:

New Slide. These two screens adjust how you want to control the buffers and the behavior of the ports. The Define Filter > Gigabit Ethernet tab shows up from Display > Define Filter, but not all of the options are enabled. The Tools > Options > Gigabit tab sets the action of the port. Yes, you can span a gigabit port to the Sniffer. The 8021q-gig.cap trace file shows VLAN information from a spanned gigabit port. Explain the options as shown on the screen caps. Use the Sniffer with the dummy driver to demonstrate these options when needed. There is a good bit of information on the gigabit packet generator in the student notes. Open a trace file, then use Tools > Packet Generator to show these new tabs, choosing both a new frame and buffer option.

Page 8 - 28

Solving Gigabit Ethernet Problems


8-29

Gigabit Ethernet is quite stable now that the vendors are manufacturing to the specification
Ensure you use high quality cables and connectors
Use the same vendor when possible to avoid vendor incompatibilities
Watch the autonegotiation sequence when you have stations that cannot communicate at all or show poor performance due to negotiating to a lower capability
SNMP and RMON statistics of the interfaces show long-term statistics
  Use a management application to watch for trends

Slide Title: Solving Gigabit Ethernet Problems

Important Points to Cover:

These notes are based on a conversation with the Gigabit Ethernet people in the University of New Hampshire Interoperability lab.

Page 8 - 29

Summary
8-30

In this section, you learned how to:
  Differentiate between Gigabit Ethernet standards and cabling
  Attach the Gigabit Sniffer to Gigabit networks
  Configure Sniffer Pro's gigabit-specific features
  Use the Sniffer Pro statistics and decodes to locate areas of concern
  Analyze autonegotiation frames to look for incompatibilities and downgraded connection setup

Slide Title: Summary

Important Points to Cover:

Review the section objectives and answer any remaining questions. Wrap up the class. Thank them for coming. Gather student evaluations. Distribute certificates. Make sure the students have deleted their probes and have them Run > Clean to empty the CLASS directories of files they've saved. Make sure that the HUBPORT3 and 4 trace files are removed. Remove demo Sniffer software from rental PCs using the uninstall program on the first installation disk if you have been instructed to do that. Target Time: Day 2 at 5pm

Page 8 - 30

9-1

Optional Technologies
Ethernet Network Analysis and Troubleshooting LLC, 10BASE2 & 5

Section 9 TNV-202-GUI

Slide Title: Optional Technologies

Important Points to Cover:

Section 9 title slide only.

Files: 09_app_g.PPT, 09_app_g.DOC
Trace: LLCNetb2.cap (new)
Exercise: Observing LLC Traffic (new)

This section is now called Optional Technologies.

Time:

The LLC section has 2 hours of material in it if a student asks for it. It is not expected you will need to cover this very often.


Page 9 - 1

Contents
9-2

Logical Link Control (LLC)               9-3
10BASE-5 and 10BASE-2 Ethernet           9-23
Exponential Backoff Formula              9-31
Transmission Models 1 and 2 Details      9-32

The backoff time is an integral random multiple of the Slot Time. 0 is considered by some to be an integer, and some implementations do choose 0 constantly. It is rather rude: some chipsets will see the resulting transmission not as a runt followed by a good frame, but as a single oversize frame, or may not see the good frame at all. This is the basis of some of the accusations of the Sniffer analyzer losing frames. Choosing 0, by the way, assumes that no one else on the net is playing the same rude trick, or that everyone who is playing that trick can sense a new frame at 1.6 instead of 9.6 bit times. It can cause repeated collisions between the same two stations.


Slide Title: Contents


Important Points to Cover:

Page 9 - 2

9-3

Logical Link Control



Slide Title: Logical Link Control

LLC was designed by the IEEE 802.2 committee to provide transparent connectivity between any IEEE-compliant LAN physical layer to any upper-layer protocol. It does this by using Service Access Points (SAPs) in the header to address the network layer protocol. Members of the IEEE pushed for more functionality, so 3 types of data exchange were defined. (One more may be coming, according to Radia Perlman in Interconnections, Bridges and Routers.) LLC uses a subclass of the HDLC superset and is classified as BA (Balanced links, Asynchronous balanced mode), with several options on how to use the functional extensions. It acts like HDLC, but is intended for a LAN. It is independent of, yet utilized by, all the various media access protocols defined by the 802 working group.

Page 9 - 3

Objectives
9-4

Upon completion of this section, you will be able to:
  Explain the three types of LLC connections and when each one is used
  Know the purpose of the LLC frames and when they are used
  Follow a connection-oriented LLC conversation from setup through data exchange and shutdown


Slide Title: Objectives


Review the objectives.

Page 9 - 4

Logical Link Control


9-5

IEEE 802.2

[Figure: Data Link Layer divided into the LLC and MAC sublayers]

Point to point data integrity
Flow control
Link maintenance
Service access point addressing
Connection oriented or connectionless services
Functions independently of MAC layer

Many of these connection-oriented features of Type II LLC are found in reliable Transport layer protocols like TCP. The IEEE specifications refer to the frames as Protocol Data Units or PDUs.


Slide Title: Logical Link Control


Upper part of the Data Link Layer
Review the points on the slide.
IEEE 802.2
Upper half of the Data Link Layer
Lower half controls how the devices access the wire, i.e., contention or token passing.

Page 9 - 5

802.2 Header Format


9-6
Frame layout: 802.X Header | DSAP | SSAP | Control
(802.X Header = MAC Sublayer; DSAP, SSAP and Control = LLC Sublayer)

DSAP: (1 byte) Destination Service Access Point; receiving process at destination
SSAP: (1 byte) Source Service Access Point; sending process in source
Control: (1 byte) Various control information (2 bytes for connection-oriented LLC)

The control field used in type 1 datagrams is always one byte long. The control field can use one or two bytes for LLC type 2.


Slide Title: 802.2 Header Format


Header fields:

DSAP: (1 byte) Destination Service Access Point; receiving process at destination. Least significant bit is Individual or Group Address indicator.

SSAP: (1 byte) Source Service Access Point; sending process in source. Least significant bit is the command or response indicator. 0 = command, 1 = response.

Analogy: Post Office Box: Frame is addressed with the SAP number (PO Box number). The Physical layer (post office) places the frame in the appropriate buffer (box). Protocol listening (postal customer) retrieves the frame from its box.

Alternate: A numbered hole in the ceiling. The protocol above looks for frames at its assigned hole.

The SAP numbers are reserved for IEEE and ISO protocols. 8 bits is not nearly long enough to define the number of protocols. The numbers were assigned on a first-come, first-served basis following strict rules for the types of organizations and protocols that may have a SAP number. To make things even worse, two of the 8 bits are reserved for other uses, so the field is actually only 6 bits long!

Control: (1 byte) Various control information (2 bytes for connection-oriented LLC)

The control field byte(s) are very complex, with the different types of functions having different bit meanings. No attempt has been made here to delineate all the various frame headers, since the Sniffer analyzer decodes them.

Page 9 - 6

LLC Service Access Points (SAP)


9-7
Name      SAP (hex)        Description
BPDU      42               Bridge Protocol Data Units
Banyan    BC               Banyan VINES
IBM_NM    F4               IBM Network Management
IP        06               Internet Protocol
ISO       FE               International Standards Organization
NetBIOS   F0               Network Basic I/O System
Novell    E0               Novell (NetWare)
SNA       04, 05, 08, 0C   Systems Network Architecture
SNAP      AA               SubNetwork Access Protocol
Global    FF               Broadcast
Null      00               IBM SAP Negotiation

SAPs are a pass-through between any IEEE-compliant physical layer and any upper-layer protocol. 00 is a Null SAP. Its only real use at this time is by IBM, which forces SAP negotiation for connection to 3745s. This is the only SAP initially active on a 3745, so the initial request must be addressed to the Null SAP.


Slide Title: LLC Service Access Points (SAP)


Just mention quickly. This is for their reference.

Page 9 - 7

SNAP Header Format


9-8
SubNetwork Access Protocol (SNAP) provides a standard way of encapsulating upper-layer protocols on IEEE 802 networks.

Frame layout: 802.X Header (MAC Sublayer) | DSAP (AA for SNAP) | SSAP (AA for SNAP) | Control (LLC Sublayer) | Organization/Vendor Code (optional) | Type (SNAP)

Organization Code: (3 bytes) Identifies the vendor or manufacturer. Same as vendor code in MAC layer address. Often 0000 if Upper-Layer Protocol (ULP) did not change.
Type: (2 bytes) Identifies the ULP. Same as Ethertype for protocols that came from the Ethernet environment.

The SNAP field allows version 2 Ethertype fields to be included in IEEE-compliant frames. It also allows vendors to specify their "type" within the SNAP header. The vendor code is usually not supplied when the upper-layer protocol is unchanged to run on SNAP instead of 802.X or Ethernet. For example, you will see that TCP/IP implementations on SNAP do not supply the vendor code. A nifty expression: SNAP allows us to snap Ethertypes into 802.x frames.


Slide Title: SNAP Header Format


SNAP was added to enable non-IEEE protocols to be supported at the LLC layer. The vendor code and Type fields are bought by a vendor. If they want to write their own proprietary protocols, they can use their vendor code and the type that was assigned them in these fields. Then stations will be able to feed the frames to the correct upper-layer protocol. The problem arises when different vendors implement the protocols differently, so there may be problems with interconnectivity across vendor lines. The most frequent use we see of the SNAP header is for Ethernet version II Ethertypes to be included in an IEEE frame.
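Added example (not part of the course material): a Python parser for the 802.2 and SNAP header layouts described above, including the DSAP group bit, the SSAP command/response bit, and the pad bytes that the 802.3 length field lets you strip. The function names and the sample frames are constructed for illustration; the SAP values come from the course's SAP table.

```python
import struct

# SAP values as listed in the course's "LLC Service Access Points" table.
SAP_NAMES = {
    0x00: "Null", 0x04: "SNA", 0x05: "SNA", 0x06: "IP", 0x08: "SNA",
    0x0C: "SNA", 0x42: "BPDU", 0xAA: "SNAP", 0xBC: "Banyan", 0xE0: "Novell",
    0xF0: "NetBIOS", 0xF4: "IBM_NM", 0xFE: "ISO", 0xFF: "Global",
}


def sap_name(sap):
    """Exact match first (FF Global, 05 SNA), then with the low flag bit cleared."""
    return SAP_NAMES.get(sap) or SAP_NAMES.get(sap & 0xFE, "unknown")


def parse_llc(llc):
    """Decode DSAP, SSAP, control and an optional SNAP header from LLC bytes."""
    if len(llc) < 3:
        raise ValueError("need DSAP, SSAP and at least one control byte")
    dsap, ssap, ctl = llc[0], llc[1], llc[2]
    # Unnumbered frames (low two control bits = 11) have a one-byte control
    # field; Information and Supervisory frames use two bytes.
    ctl_len = 1 if (ctl & 0x03) == 0x03 else 2
    if len(llc) < 2 + ctl_len:
        raise ValueError("truncated two-byte control field")
    out = {
        "dsap_name": sap_name(dsap),
        "group": bool(dsap & 0x01),      # DSAP low bit: individual/group
        "ssap_name": sap_name(ssap),
        "response": bool(ssap & 0x01),   # SSAP low bit: 0=command, 1=response
        "control": bytes(llc[2:2 + ctl_len]),
        "snap": None,
    }
    body = llc[2 + ctl_len:]
    if dsap == 0xAA and (ssap & 0xFE) == 0xAA and ctl == 0x03:
        if len(body) < 5:
            raise ValueError("truncated SNAP header")
        out["snap"] = {"org_code": body[:3].hex(),
                       "type": struct.unpack("!H", body[3:5])[0]}
        body = body[5:]
    out["data"] = bytes(body)
    return out


def parse_frame(frame):
    """Classify an Ethernet frame (no preamble/FCS) and decode LLC if present."""
    if len(frame) < 14:
        raise ValueError("shorter than an Ethernet header")
    length_or_type = struct.unpack("!H", frame[12:14])[0]
    if length_or_type >= 0x0600:             # Ethertype: Ethernet version II
        return {"format": "Ethernet II", "type": length_or_type}
    if length_or_type > 1500:
        raise ValueError("length/type value is neither a length nor a type")
    if len(frame) < 14 + length_or_type:
        raise ValueError("frame is shorter than its length field claims")
    # The length field counts LLC + data only, so slicing by it drops the pad
    # bytes that short frames carry to reach the 46-byte minimum.
    out = parse_llc(frame[14:14 + length_or_type])
    out["format"] = "802.3 + LLC + SNAP" if out["snap"] else "802.3 + LLC"
    return out


def build_8023(dst_hex, src_hex, llc_and_data):
    """Build a constructed 802.3 frame, padded to the 46-byte data minimum."""
    header = bytes.fromhex(dst_hex) + bytes.fromhex(src_hex)
    return (header + struct.pack("!H", len(llc_and_data))
            + llc_and_data.ljust(46, b"\x00"))


# Constructed sample frames (addresses and payloads are made up).
SNAP_IP = build_8023("ffffffffffff", "020000000001",
                     bytes.fromhex("aaaa03" "000000" "0800") + b"\x45\x00")
NETBIOS_RR = build_8023("020000000002", "020000000001", bytes.fromhex("f0f00101"))
NETBIOS_RSP = build_8023("020000000001", "020000000002", bytes.fromhex("f0f10101"))
BPDU = build_8023("0180c2000000", "020000000003", bytes.fromhex("424203") + bytes(35))
ETHERNET_II = bytes.fromhex("ffffffffffff" "020000000001" "0800") + bytes(46)

if __name__ == "__main__":
    for name in ("SNAP_IP", "NETBIOS_RR", "NETBIOS_RSP", "BPDU", "ETHERNET_II"):
        print(name, parse_frame(globals()[name]))
```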

Page 9 - 8

LLC Functions
9-9
Some protocols use LLC merely as a pass-through header to carry data. All control of the connection is handled by higher layers. The frames are Unnumbered Information frames.
Other protocols use the additional functionality that the IEEE provides.
LLC connection-oriented service at OSI layer 2 offers many of the data integrity functions we expect to find at OSI layer 4, the transport layer.
The primary difference is that LLC deals with point-to-point connections, whereas layer 4 protocols like TCP deal with end-to-end connections.


Slide Title: LLC Functions


Some protocols use LLC merely as a pass-through header to carry data. Higher layers handle all control of the connection. The frames are Unnumbered Information frames. NetWare uses the LLC layer this way. The only reason LLC is there is because it is using standard IEEE 802.5 frames that have the LLC header. NetWare predates the IEEE specs, so the original design was for non-IEEE compliant frames like ARCNET and proprietary Ethernet. Neither of these has an LLC layer. The LLC SAPs are used to identify this frame as a NetWare frame (SAP = E0).
Other protocols use the additional functionality that the IEEE provides. This is what we will cover here.
LLC connection-oriented service at OSI layer 2 offers many of the data integrity functions we expect to find at OSI layer 4 - the transport layer. The primary difference is that LLC deals with point-to-point connections, whereas layer 4 protocols like TCP deal with end-to-end connections.

Page 9 - 9

LLC Frame Types


9-10
Unnumbered frames:
Establish link connections/disconnections
Provide link maintenance and error recovery
Provide connectionless (datagram) support

Supervisory frame:
Acknowledges frames received
Requests retransmission of frame(s)
Provides flow control

Information frames:
Transport user data and higher-layer protocols
Increment sequence numbers

These frames are identified by bits in the LLC headers. There are many types of fields in LLC frames. Fortunately, the Sniffer Network Analyzer knows all of them and decodes them in the Summary and Detail windows for you, so we will not break them out here.


Slide Title: LLC Frame Types


Quickly go over the three types of frames and their purposes. Mention that we will cover them in more detail in the following pages.

Page 9 - 10

LLC Unnumbered Frame Types


9-11
Frame   Name                                      Command/Response   Service
SABME   Set Asynchronous Balanced Mode Extended   Command            Connection Oriented
UA      Unnumbered Acknowledgment                 Response           Connection Oriented
DISC    Disconnect                                Command            Connection Oriented
DM      Disconnect Mode                           Response           Connection Oriented
FRMR    Frame Reject                              Response           Connection Oriented
XID     Exchange Identification                   Either             Connection or Connectionless
TEST    Test                                      Either             Connection or Connectionless
UI      Unnumbered Information                    Either             Connection or Connectionless

SABME is used to set up a duplex connection, using a modulo 128 window. UA acknowledges a SABME or DISC message. DISC requests connection termination. DM is transmitted by the receiver of a DISC to let the other side know it has received the DISC. FRMR indicates the receipt of an invalid frame. XID is used only with Type 1. An XID command from the transmitter informs the receiver of the identity of the transmitter and which LLC types the transmitter supports. A response is required to an XID command. It contains the same information as the command. TEST also has command and response frames. The transmitter can send this to see if the recipient can receive and return a packet. Data can be included that the recipient must return in the response frame. Unnumbered Information frames are used for connection control and to carry unsequenced data.


Slide Title: LLC Unnumbered Frame Types


Use the student notes to explain each type of unnumbered frame.

Page 9 - 11

LLC Supervisory Frames


9-12

(Type 2 - Connection oriented only)

RR    Receive Ready       Command/Response
RNR   Receive Not Ready   Command/Response
REJ   Reject              Command/Response

LLC Information Frame (Type 2 - Connection oriented only)

Information   Command/Response

Receive Ready is an acknowledgment frame. It contains a sequence number of the frame it is next expecting to receive and indicates the receiver is ready to receive more data.
Receive Not Ready is an acknowledgment for previously received frames. The Next expect to Receive sequence number (NR) is included in the RNR frame. It also indicates that the receiver is temporarily busy and further frames should not be transmitted until the busy station sends a receive ready frame.
REJect frames are sent when the receiver is requesting retransmission of frames. The REJ frame includes the sequence number of the next frame it expects. LLC rejects only once. If it doesn't get an ACK, it starts polling with RRs.
Information frames are sequence numbered data frames.


Slide Title: LLC Supervisory Frames


These are for connection oriented delivery only. Note that there are both command and response types.

RR    Receive Ready       Command/Response
RNR   Receive Not Ready   Command/Response
REJ   REJect              Command/Response

LLC rejects only once. When it doesn't get an ACK, it starts polling with Receiver Ready. (Hello? Are you still there?)

LLC Information Frame: Connection oriented only

I     Information         Command/Response

These carry the data and acknowledgments. This is a building block for looking at the Sniffer analyzer displays.

Page 9 - 12

Type 1 Connectionless Services


9-13

Diagram labels: Data Messages, Data Messages

To use the Post Office as an example: It's like mailing a letter.

No connection establishment is required. Type 1 supports point-to-point, multicast and broadcast communications. Messages are not sequenced. No flow control is provided. Delivery is not guaranteed. There is no retransmission on error. Sequential delivery is not guaranteed. Type 1 service is unreliable, but this is not a problem as long as an upper-layer protocol can recover from the error. Higher layers are responsible for flow control, error recovery and reliability. Three types of frames are supported: Unnumbered Information (UI), Exchange Identification (XID), and TEST. The control byte indicates the frame type.


Slide Title: Type 1 Connectionless Services


This is just data transport. No setup. No acknowledgments. No teardown. No error correction. No flow control. Upper-layer protocols are responsible for these functions. Frames are generally unnumbered information frames.

Page 9 - 13

Type 2 Connection Oriented Service


9-14

Diagram labels: Session Setup, ACK, Sequenced Data Messages, Disconnect, ACK

Like making a telephone call: The end-to-end connection is set up before your conversation begins, then torn down when you hang up.

Type 2 is very similar to HDLC. Connection establishment and termination are required. Type 2 service provides a sequenced, acknowledged delivery of data. Each side of the connection maintains independent sequence numbers. Acknowledgments can be sent in separate frames or can be piggy-backed onto data frames, making it capable of very efficient use of the wire. Error recovery processes are available. Type 2 uses sliding window flow control (modulo 128). Example: Sessions between IBM LAN Manager and IBM bridges make use of this connection type when they're talking to each other. Type 2 frames can use one or two byte control fields. Frames with a one byte control field are: Set Asynchronous Balanced Mode Extended (SABME), DISConnect, Disconnected Mode, Frame Reject (FRMR) and Unnumbered Acknowledgment (UA). Frames with a two byte control field are: Information, Receive Ready, Receiver Not Ready and REJect.


Slide Title: Type 2 Connection Oriented Service


Based on HDLC.
Sequence numbers are maintained by each side and acknowledgments are sent based on the other side's sequence number. Because acknowledgments can be piggy-backed on data frames, it uses the wire efficiently.
Session Setup, ACK, Sequenced Data Messages, Disconnect, ACK
Frames will have either one or two byte control fields.
Example: Sessions between IBM LAN Manager and IBM bridges make use of this connection type when they're talking to each other.

Page 9 - 14

Type 2 Connection Setup


9-15
Diagram labels (Workstation and Server columns): TEST (Optional), XID (Optional), XID (Optional), SABME P(oll), TEST (Optional), UA F(inal), RR NR=0 P, RR NR=0 F, I NS=0 NR=0, RR NR=1

Some upper-layer applications will send TEST frames to make sure both sides can communicate. They may follow with one or two pairs of XID frames to negotiate the type of connection both can support. The first frame that establishes the connection is the SABME. You can do a Search for text on SABME to find the first instance of a connection being set up. Once the connection is made, the data will be sequenced and acknowledged. The Poll bit, when set to 1, forces the other side to respond. The Final bit is set to 1 in the response frame.


Slide Title: Type 2 Connection Setup


This slide was included to discuss how sessions are set up in preparation for what they need to observe in the Sniffer Summary window. It deliberately does not show the additional information on the Summary line. It will be added later. This slide has a build which will display one line per click.
Workstation: TEST (Optional), XID (Optional), XID (Optional). Server: TEST (Optional).
The above frames are application-dependent. If you turn All layers on with no protocol filters set, you will see that the upper-layer protocol may actually be starting this. SNA uses TEST and XID frames to set up Physical Unit (PU) Allocations. They are also used for Source Route bridging explorer frames.
This is the important part: SABME P(oll), UA F(inal), RR NR=0 Poll, RR NR=0 Final, I NS=0 NR=0, RR NR=1
Discuss the play of the Poll and Final bits. Poll means "Answer me." Final means "This is my answer to your poll."

Page 9 - 15

Type 2 Connection Teardown


9-16
Diagram labels: Workstation, Server; DISC P, UA F*, DM, UA
Normal teardown can be started from either side in the fashion described above. If there is a problem with the sequence numbers, the side detecting the problem will send a REJect and include the sequence number it next expects to receive. If the other side is able to back up and send that sequence numbered frame, all is well. If the two sides cannot resynchronize, one side will send the DISC to hang up. The other side will then respond with a UA(optional)* or DM.

So what is the difference between a REJect and a DISConnect? A REJect is sent when a problem occurs. The two sides will attempt to get resynchronized. If that fails, they will DISConnect. You can look for this by doing a Search for text on REJ, then follow through to see if they were able to roll back to a point where they can move forward again. A DISC is the normal conclusion of a connection. The first side will send the DISC when it has completed its work. The other side responds with the Disconnect Mode, indicating it is finished, too. A DISC will also be used when one of the two stations determines that the efforts to resolve a problem are fruitless and it needs to shut the connection down. Upper-layer protocols will determine whether a new attempt is made to open a new connection.


Slide Title: Type 2 Connection Teardown


This slide is also preparation for what they will see in the Sniffer analyzer. This slide has a build which will reveal one line at a time.
Workstation                Server
DISC P ---------->
<--------- UA* F
<--------- DM*
UA -----------

DISC is used to shut down a connection for either a normal End of Operation or upon the failure of a resynchronization effort. REJ does not end the conversation. It is sent when a problem is encountered. Attempts are made to back up to a point where sequence numbers can be synchronized. The data exchange will restart if synchronization is achieved; if not, then a DISC will be sent to close the connection. * This is according to the IEEE802.3 specification.

Page 9 - 16

FRMR vs. REJ


9-17
FRMR is sent upon:
Receipt of a frame with a data field that is not permitted, i.e., an unnumbered acknowledgment (UA) with data
Receipt of an unsolicited Final (F) bit set to one
Receipt of an unexpected UA
Receipt of an unsupported frame type
Receipt of an I frame that exceeds the established maximum length
Receipt of an invalid receive sequence number N(R)
Receipt of an invalid send sequence number N(S)

REJ is sent to:
Request the resending of I frames starting with the frame number N(R)

Upon receipt of an FRMR a station should: Send a SABME or DISC.
Upon receipt of a REJ a station should: Send the corresponding I frame as soon as it is available. Resend any unacknowledged I frames.
Behavior upon receipt of an invalid send sequence number varies: If the data is within the receive window, then an REJ should be sent. If the data is not within the receive window, then a FRMR should be sent. The receive window size can be specified in an XID frame.
In the real world, we see more REJs than FRMRs. REJ is preferable because the session doesn't need to be re-established.


Slide Title: FRMR vs. REJect


Slide is self-explanatory. Cover the student notes, also. This is an important concept to understand when they troubleshoot an LLC problem.

Page 9 - 17

Type 3: Acknowledged Connectionless


9-18

Diagram labels: Sequenced Data Messages, ACK

Connectionless service
Guaranteed in-sequence delivery of data
Uses stop and wait flow control
Like a conversation where one side is saying "Uh huh", "Yes", "I see"

LLC Type 3 was developed primarily for process control applications over a token bus, so it is very seldom seen today.


Slide Title: Type 3 Acknowledged Connectionless


This is here to complete the types of LLC connections. As the student notes indicate, it was intended for process control applications over a token bus (computer-aided car manufacture?) and is seldom used today. Don't spend any time on this.

Page 9 - 18

Decoding LLC Connection-Oriented Frames


9-19
From Workstation:
LLC C D=F0 S=F0 RR NR=0 P
C: Command
D=F0: Destination Service Access Point = F0 (NetBIOS)
S=F0: Source Service Access Point = F0 (NetBIOS)
RR: Receive Ready
NR=0: Frame Number Workstation expects to receive is 0
P: Poll bit is on: Workstation expects a response from Server

From Server:
LLC R D=F0 S=F0 RR NR=0 F
R: Response
D=F0: Destination Service Access Point = F0 (NetBIOS)
S=F0: Source Service Access Point = F0 (NetBIOS)
RR: Receive Ready
NR=0: Frame Number Server expects to receive is 0
F: Final bit is on: Response to Workstation's Poll

From Workstation:
LLC C D=F0 S=F0 I NR=0 NS=0
C: Command
D=F0: Destination Service Access Point = F0 (NetBIOS)
S=F0: Source Service Access Point = F0 (NetBIOS)
I: Information frame: Higher layer data is included
NR=0: Workstation is still expecting to receive frame 0 next
NS=0: Workstation is sending frame number 0

From Server:
LLC R D=F0 S=F0 I NR=1 NS=0 P
R: Response
D=F0: Destination Service Access Point = F0 (NetBIOS)
S=F0: Source Service Access Point = F0 (NetBIOS)
I: Information frame; higher layer data is included
NR=1: Server expects to receive frame number 1 next
NS=0: Server is sending frame number 0
P: Poll bit is on: Server expects a response from Workstation

Slide callouts: "Now sending 0"; "Next expect to receive 1, now sending 0"

The easiest way to view LLC conversations is to set up a Station address filter for the two communicating stations. Then turn on Two station format in the Summary window. The top line is what you would see in the Summary window. In the first two frames, we see both ends of the logical connection advertise the sequence numbered frame they expect to receive next (NR = Receive sequence Number). These are also the initial frames. In the third frame, the workstation issues the sequence numbered Information frame the server expects (NS = Send sequence Number). In the fourth frame, the server both acknowledges the workstation's frame by specifying the next frame it expects to receive (NR), and also sends the frame the workstation asked for earlier (NS).
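Added example (not part of the course material): a Python decoder for the LLC control field that renders header bytes in the summary-line layout shown on this slide, run over a constructed Type 2 setup exchange (SABME, UA, RR poll and final, I, RR). The control-byte values follow the IEEE 802.2 encoding; the function names and sample bytes are illustrative.

```python
# Unnumbered control values with the P/F bit (0x10) masked off (IEEE 802.2).
U_NAMES = {0x03: "UI", 0x0F: "DM", 0x43: "DISC", 0x63: "UA",
           0x6F: "SABME", 0x87: "FRMR", 0xAF: "XID", 0xE3: "TEST"}
S_NAMES = {0: "RR", 1: "RNR", 2: "REJ"}


def decode_control(ctl):
    """Return (format, name, ns, nr, pf) for a 1- or 2-byte LLC control field."""
    if not ctl:
        raise ValueError("empty control field")
    b0 = ctl[0]
    if (b0 & 0x03) == 0x03:                       # Unnumbered: one byte
        return ("U", U_NAMES.get(b0 & 0xEF, "U?"), None, None, bool(b0 & 0x10))
    if len(ctl) < 2:
        raise ValueError("I and S frames need a two-byte control field")
    nr, pf = ctl[1] >> 1, bool(ctl[1] & 0x01)     # modulo-128 N(R) plus P/F
    if (b0 & 0x01) == 0:                          # Information: N(S) in byte 0
        return ("I", "I", b0 >> 1, nr, pf)
    return ("S", S_NAMES.get((b0 >> 2) & 0x03, "S?"), None, nr, pf)


def summary(llc):
    """Render LLC header bytes as a line like 'LLC C D=F0 S=F0 RR NR=0 P'."""
    if len(llc) < 3:
        raise ValueError("need DSAP, SSAP and control")
    dsap, ssap = llc[0], llc[1]
    response = bool(ssap & 0x01)                  # SSAP low bit: 1 = response
    _fmt, name, ns, nr, pf = decode_control(llc[2:4])
    parts = ["LLC", "R" if response else "C",
             "D=%02X" % dsap, "S=%02X" % (ssap & 0xFE), name]
    if nr is not None:
        parts.append("NR=%d" % nr)
    if ns is not None:
        parts.append("NS=%d" % ns)
    if pf:
        parts.append("F" if response else "P")    # same bit, named by direction
    return " ".join(parts)


# Constructed LLC headers for a NetBIOS (SAP F0) session setup.
SETUP_TRACE = [
    ("Workstation", "f0f07f"),    # SABME with Poll
    ("Server",      "f0f173"),    # UA with Final
    ("Workstation", "f0f00101"),  # RR NR=0, Poll
    ("Server",      "f0f10101"),  # RR NR=0, Final
    ("Workstation", "f0f00000"),  # I NS=0 NR=0
    ("Server",      "f0f10102"),  # RR NR=1 acknowledges frame 0
]


def trace_summaries(trace=SETUP_TRACE):
    """Decode every (sender, hex bytes) pair into a summary line."""
    return [summary(bytes.fromhex(hexbytes)) for _sender, hexbytes in trace]


if __name__ == "__main__":
    for (sender, _), line in zip(SETUP_TRACE, trace_summaries()):
        print("%-12s %s" % (sender, line))
```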


Slide Title: Decoding LLC Connection-Oriented Frames


This is the key page to explain what they will see in the Sniffer analyzer's Summary screen. Emphasize that they should:
Set up a station address filter on the two sides.
Protocol filter on LLC (or enable All layers and leave all protocols visible if they want to watch how the upper-layer protocols are using LLC).
Use two-station format.
Presentation Idea: You may want to place a paper over the screen and pull it down as you explain each field in the Summary line. Because of the way this screen is constructed, a build could not be created.

Page 9 - 19

Understanding LLC Frame Numbering


9-20
Diagram: frames 1 through 9 exchanged between Workstation and Server, with N(R) and N(S) columns for each side.

Here we see a graphical representation of the first 4 frames. We are also witnessing a window of 1 because each I(nformation) frame is ACKnowledged before the next is issued. If we assume that the piggybacking of an I frame onto the ACK continues, we will see frames 5 and 6. The server expands its window to 3, so we see 3 sequenced I frames (NS=1,2,3) starting in frame 6 to frame 8, with the subsequent ACK (NR=4) by the workstation in frame 9.
Many times, upper-layer protocols start their sessions by setting up an LLC connection first, then you can watch the middle layer set up connections until the highest layer protocol establishes its connection. You may want to set a protocol filter so you see just the LLC layer, or you may choose to enable All layers so you can see the progression of the connections being established at each layer.
LLC can be set to efficiently use the wire. Data can be piggybacked on the ACK frame from the server.


Slide Title: Understanding LLC Frame Numbering


Each side maintains separate sequence numbers.

As you explain this, use the terms "Now sending" and "Next expect to receive" to help them make the link between the NS and the NR. This slide has a build that will display one line per click.
Frames 1 and 2 are the Receive Ready setup: each side tells the other their first sequence number will be 0.
Frame 3: Workstation now sending number 0, next expects to receive 0.
Frame 4: Server now sending number 0, next expects to receive 1. (In other words, "I'm acknowledging I got frame 0.")
Frame 5: Workstation now sending frame 1, next expects to receive frame 1 (acknowledges frame 0).
Frame 6: Server now sending frame 1, next expects to receive frame 2 (acknowledges frame 1).
Frames 7-8: Server sends frames 2-3.
Frame 9: Workstation acknowledges frames 1 through 3 by saying "I next expect 4."
Question: If frame 7 (NS=2) becomes lost or is damaged and the workstation receives frames 6 and 8 (NS=1 and NS=3), which frame will the workstation ACK (NR=?)?
Answer: The workstation will ACK 2 (NR=2).
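Added example (not part of the course material): a simplified Python model of the receive side of a Type 2 connection, tying the lost-frame question above to the REJ and FRMR rules in the "FRMR vs. REJ" notes. It assumes the receiver answers every I frame and uses a fixed receive window; the class and function names are hypothetical.

```python
MODULUS = 128  # Type 2 sequence numbers are modulo 128


class Type2Receiver:
    """Receive side of one LLC Type 2 connection (simplified: answers every frame)."""

    def __init__(self, window):
        self.window = window      # receive window size (can be specified via XID)
        self.next_expected = 0    # the N(R) this side advertises
        self.rej_sent = False     # "LLC rejects only once"

    def on_i_frame(self, ns):
        """Return (frame_to_send, nr) for an arriving I frame numbered ns."""
        ahead = (ns - self.next_expected) % MODULUS
        if ahead == 0:                          # the frame we asked for
            self.next_expected = (ns + 1) % MODULUS
            self.rej_sent = False
            return ("RR", self.next_expected)
        if ahead < self.window:                 # in the window, out of sequence
            if self.rej_sent:
                # Already rejected once: keep advertising the same N(R) with RR.
                return ("RR", self.next_expected)
            self.rej_sent = True
            return ("REJ", self.next_expected)
        return ("FRMR", None)                   # invalid N(S): outside the window


def frames_to_resend(rej_nr, next_to_send):
    """Sender side: the N(S) values to retransmit after a REJ carrying rej_nr."""
    count = (next_to_send - rej_nr) % MODULUS
    return [(rej_nr + i) % MODULUS for i in range(count)]


def replay(ns_sequence, window=3, start=0):
    """Feed a sequence of received N(S) values to a fresh receiver."""
    rx = Type2Receiver(window)
    rx.next_expected = start
    return [rx.on_i_frame(ns) for ns in ns_sequence]


if __name__ == "__main__":
    # The server sends NS=0,1,2,3 and the frame with NS=2 is lost, so the
    # workstation sees 0, 1, 3, then the retransmitted 2 and 3.
    for ns, answer in zip([0, 1, 3, 2, 3], replay([0, 1, 3, 2, 3])):
        print("received NS=%d ->" % ns, answer)
    print("sender resends", frames_to_resend(2, 4))
```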

Page 9 - 20

Common LLC Problems


9-21

LLC is usually very reliable.
When problems happen the most common reasons are:
Connection reset
Unsupported LLC frame types
Flow control lockup
Frame sequence retransmission
Excessive length information field
Expired timers
Expired counters

Connections get reset when one side stops responding or stops sending correctly sequenced frames. We will see an example in the exercise. Unsupported LLC frame types and excessive length information fields shouldn't happen if the implementation follows the LLC specification. Flow control lockup happens when a station continually sends Receive Not Ready due to lack of buffers or other resource problems. Retransmissions may be happening because the sender's timer isn't set correctly, and the sender isn't waiting long enough for acknowledgment. Counters refer to how many times a station will retransmit. Timers and counters are configurable.


Slide Title: Common LLC Problems


LLC is pretty reliable. When failures occur, look for:
Connection resets if the parameters were not negotiated properly.
Connection resets due to incorrect sequence numbers. They must resend every frame after the error.
Unsupported frame types.
Flow control lockup - each one hears the other's hold music.
Excessive length fields.
Buffer allocation problems causing RNR. Adjust configuration file.
Short retransmission timers, which cause retransmissions. Configure longer. Vendors may have configuration files that override the driver's timers.
Problems are frequently caused by device drivers.

Page 9 - 21

Exercises: Observing LLC (Ethernet)


9-22

Turn to the lab section to complete this exercise


Slide Title: Exercises: Observing LLC (Ethernet)

This is a new exercise using a new trace file. It is mostly FYI and pretty straightforward. Practice it!

Page 9 - 22

9-23

10BASE5 and 10BASE2



Slide Title: 10BASE5 and 10BASE2


Important Points to Cover: Section Title Page. Header page to show the components that the specifications were built upon. Even though we have placed this further in the back of the book now, we cannot neglect it.

Page 9 - 23

10BASE2 and 5 Components


9-24
Diagram labels: 10BASE5 Thick Ethernet, 50 ohm Terminator, Transceiver, Ground, AUI cable, 10BASE-T Hub, Unshielded Twisted Pair, Network Interface Card (NIC), Repeater, 10BASE2 Thin Ethernet

Transceiver: Used to physically and electrically attach DTE equipment to the network. Transceivers sense carrier and detect collisions. If a collision occurs, the transceiver notifies the adapter by outputting a voltage on the collision present circuit. V2 Ethernet added SQE. The Transceiver notifies the adapter during the interframe gap time that it is capable of informing the adapter if a collision occurs. With 802.3 specs, a transceiver provided a jabber latch. There are three versions: Version 1 used with the early Ethernet specification, Version 2 Ethernet (Heartbeat added), and IEEE 802.3 version (changes to the AUI wiring). A transceiver can be built into the Network Interface Controller (Card). This is used in 10BASE-T and 10BASE2. A fourth type of transceiver is the Fiber Optic transceiver. Repeaters: Used to extend the cable segment beyond the maximum segment distance for the topology used. Repeaters are also used when changing from one media type to another (that is, from thick to thin Ethernet).


Slide Title: 10BASE2 and 5 Components


Important Points to Cover:
Terminators: remove the signal from the wire and prevent reflections back onto the wire.
Thick Ethernet cable: Color defines the place it is installed. Some give off noxious fumes, so they must be installed in plenums. Spec defines as a bright color.
Thin Ethernet (Cheaper net)
Transceivers: External: Vampire tap into the thick cable or small box attached to the AUI connector of the adapter. Internal: On the card.
AUI Cable
NICs
Grounding rules: Ground only one end of each segment to a good earth ground.
Repeater: Used to extend the signal and other functions.
Hub: Yes, they are used frequently today. This shows a way that they can be integrated into legacy environments.

Page 9 - 24

10BASE5 Thick Ethernet


9-25
Diagram labels: 50 ohm terminator, AUI cable, Coax cable, Transceiver, 50 ohm terminator

Maximum segment length = 500 meters
Each end terminated with 50 ohm terminators
Maximum number of attachments per segment = 100
Maximum length of AUI cable = 50 meters*
Minimum separation between attachments = 2.5 meters

2.5m minimum separation makes sure that signal reflections, when they occur (that is, the cable is unterminated), do not add up in phase, which would probably blow the transceiver.
The 500 meter segment does not need to be made from a single length of cable. Cable sections can be joined together using "N" type barrel connectors. The IEEE 802.3 specification recommends the following when splicing thick cable:
1. Use cable sections from the same manufacturer and cable lot number, to avoid impedance mis-match and other problems.
2. To minimize signal reflection problems, use segments that are lengths of 23.4m, 70.2m, and 117m. Since these lengths are odd integral multiples of a half wavelength in the cable at 5 MHz, reflections do not have a high probability of adding in phase. (A 5MHz signal is achieved when the transceiver is outputting only alternating ones and zeros, as it does with the preamble.)
*The maximum length of the AUI cables refers to the transmission model one, which we will discuss later.


Slide Title: 10BASE5 Thick Ethernet


Important Points to Cover:

Slide and notes are adequate.

Page 9 - 25

10BASE5 Components
9-26
Diagram labels: Thick Coax Cable, Transceiver, 50 ohm terminator, AUI Cable, Terminal Server, Multi-Port Transceiver, Multi-Port Repeater, 50 ohm terminator to ground

A terminal server could be used to support RS-232 connected ASCII "dumb" terminals to the Ethernet. CSMA/CD is done in the terminal server. The Multi-Port Transceiver is also known as a Fan Out box, Delni, or a multi-tap. It is a dumb wiring concentrator that connects multiple workstations using a single tap in the thick Ethernet cable. CSMA/CD is done by the end stations.


Slide Title: 10BASE5 Components


Important Points to Cover:

There are probably still some of these lurking in older environments.

Page 9 - 26

Signal Quality Error Test


9-27
Diagram labels: SQE TEST, Transceiver, AUI cable, Network Interface Card (NIC)

SQE is used to test the collision presence circuit
After successfully transmitting data, the Transceiver asserts the SQE signal on the collision presence circuit
When the Network Interface Card sees the SQE signal asserted, it knows the Transceiver can inform the Network Interface Card when a collision does occur
Not supported by Ethernet Version 1 equipment
Turn off SQE on a transceiver attached to an AUI port on a repeater or repeating hub
Transceivers that are integral to the NIC do not require SQE to test the AUI link between NIC and transceiver: the link is hard-wired

From 802.3: "At the conclusion of the output function, the Data Terminal Equipment opens a time window during which it expects to see the SQE signal asserted on the Control In (collision presence) circuit. The time window begins when CARRIER_STATUS becomes CARRIER_OFF. The duration of the window shall be at least 4.0 microseconds but no more than 8.0 microseconds. During the window, the Carrier Sense Function is inhibited." SQE should be turned off on transceivers connected to repeaters because a repeater can't be inhibited for 4.0 microseconds. It may receive bits on its other port and need to send them. Most people just turn SQE off because it causes confusion when counting collisions. Some transceivers and network management tools will count the SQE test as a collision (for example, the Collision LED may be lit when the SQE test is asserted).

Slide Title: Signal Quality Error Test


Important Points to Cover: Turn SQE off on repeaters and hubs (that act as repeaters). Some manufacturers require that SQE be turned on for their cards and Media Access Unit (MAU) combinations. (HP required this on their cards. Present requirement is unknown.) The specifications don't say what the NIC does if it expects the SQE test and doesn't see it. It is probably driver-dependent (that is, implementation-dependent).

It is important to note that this signal does not go out onto the cable. It is a loop-back between the transmit side of the card, looping through the MAU and back into the receive side of the card.

Many students talk about their collision counts going up when they have SQE turned on. You need to ascertain if they are referring to statistics gained by SNMP polls of the collision register on the card (which may count these as collisions) or if they are seeing this on cable statistics. If this is going out onto the cable, it is not obeying IEEE rules.

Analyzing Coax Collisions


Figure: one collision event seen by three Sniffer Pro analyzers. Labels: Transmitting station, 2nd station, Sniffer Pro 1, Sniffer Pro 2, Sniffer Pro 3, repeaters R1, R2 and R3, 50m AUI cables, 450 m, 800 m Fiber Link, (Point of collision).

Evidence of collision will arrive at station A ______ bytes into station A's transmission

NAI enhanced drivers required to sense and capture collision frames

Once you understand the concepts of signal propagation delay, you can begin to apply them to perform more precise analysis of the collision frames you find in your Sniffer Pro analyzer traces. As shown in the diagram above, what you will see in the trace will depend upon:
1) The point of collision.
2) The location of the Sniffer Pro analyzer relative to the collision point.

The diagram shows one collision event. However, each of the three Sniffer Pro analyzers will show different indications of the event. This fact is key to effective troubleshooting.

All components are given in terms of their equivalent lengths in Thicknet coax:
R1 = 231 m (10 bit times)
R2 and R3 pair = 231 m
50 m AUI segment = 59 m
800 m fiber segment = 933 m
Total equivalent Thicknet distance between points A & B

Slide Title: Analyzing Coax Collisions


This has been included in the student appendix.

This diagram should enable you to tie together three important concepts you have learned:
1. The propagation delay of a signal on different types of media (per "How long is a bit")
2. How different Ethernet physical components react during a collision (station jam signal, hub jam, etc.)
3. How different Sniffers react to the same collision event.

The scenario is as follows: Station A starts a transmission. The transmission goes both ways towards Sniffers 1 and 2, and towards Sniffer 3. Just before the leading bit of the preamble reaches the far end of the uppermost Ethernet segment, the station near point B starts a transmission, causing a collision at Point B.

The following concepts will help you understand the scenario:

- The station at point B will be the first station to detect the collision; what will it do? (Send a 32-bit jam signal.) Why? (To busy the wire and enable repeater R3 to detect evidence of the collision.) What is the evidence? (2 signals on the same coaxial media: R3's and the jam from the station at point B.)
- Sniffer 1 will not show any evidence that a collision occurred (unless it's a version that's counting preamble collisions). Why? (Because we don't capture preamble collisions.)
- How repeaters R3 and R2 react to the collision when the jam signal reaches them. (R3 will begin to jam 96 bits back to R2; R2 will begin to jam 96 bits on the middle coaxial segment towards Station A.)
- What Station A has been doing during all this time. (Still transmitting its signal.)
- How much of Station A's signal has gotten out on the wire before the jam signal from R2 reaches it? Here is some of the math to show the different propagation delays by differing types of media and repeaters:
  Total equivalent Thicknet distance between points A & B: 59 + 450 + 59 + 231 + 59 + 933 + 59 + 59 + 450 = 2359 m
  2359 m / 23.1 = 102 bits, or 12.75 bytes
- What will happen when the jam signal reaches Sniffer 2? (Because this is coaxial media, the combination of Station A's transmission and the 96-bit jam signal from R2 will cause the receive function on Sniffer 2 to lose synchronization/clocking. When this happens, the Sniffer stops capturing the frame and truncates it if enough of the frame, 2 bytes past the preamble, has been received.)
- What sort of flag will be posted with this frame? (The X flag.)
- Major learning point: If someone hands you a trace file for analysis and you see the X flag posted on truncated frames, you can say with a high degree of certainty that the trace was captured from coaxial media!
- What will happen when Station A realizes that a collision has occurred? (Starts jamming 32 bits.)
- Has this been a legal collision event? (Yes, because it has happened well before 64 bytes have left Station A.)
- What does repeater R1 do when it sees evidence of the collision? (Starts jamming 96 bits onto the lowermost Thicknet segment.)
- What causes R1 to sense the collision event? (The combined jam signals from R2 and Station A.)
- What will be recorded on Sniffer 3? (Because the Sniffer was on a segment where only one signal, the one from the lower half of R1, was being broadcast, the frame will appear similar to how it does on Sniffer 2. However, the frame will not be truncated but will be followed by R1's jam pattern of alternating 1s and 0s, which will be translated to the hex values of AAs or 55s.)
- What flags will be posted? (R and C, but certainly not an X flag.)
- How many bytes of AAs and 55s will be shown? (This will depend upon what the vendor has implemented as the jam pattern; remember that 96 bits are a minimum. Generally, it is safe to assume that you will see a value of 12 bytes, plus or minus 4.)
- Major learning point: Because Sniffer 3 has been on the far side of a repeater for this event, this simulates exactly what happens in 10baseT environments.

In 10baseT shared environments, a station can only receive direct evidence of collision if the hub sends a jam signal while that station is transmitting. And since Sniffers don't transmit, they have to use the jam pattern to deduce that a collision occurred somewhere.

10BASE2 Thin Ethernet


Figure labels: 50-ohm terminator; RG 58 Cable; BNC Tee Connectors; 50-ohm terminator to ground

- Maximum segment length = 185 meters
- Maximum number of attachments per segment = 30
- Minimum separation between stations = .5 meters

Thin Ethernet, at 0.18 inches in diameter, is also known as Cheapernet. T connectors must be right at the network interface card. Adding additional cable to go from the T to a network interface card is not permitted, though people do it. This will suffice if you're not approaching length limitations, though the signal will attenuate. The problem with this solution is that most people forget to count it in their length considerations.

Drop cable not permitted!

Slide Title: 10BASE2 Thin Ethernet


Important Points to Cover:

Again, focus on the termination rules. Mention the drawing in their notes section.

Exponential Backoff Transmission Models 1 and 2 Details


Slide Title: Exponential Backoff Transmission Models 1 and 2 Details


Important Points to Cover:

Title page only.

Truncated Binary Exponential Backoff


- BackoffTime = RandomNumber multiplied by SlotTime
- SlotTime = time to propagate 512 bits (i.e., 51.2 microseconds)
- RandomNumber is greater than or equal to 0 and less than 2^n
- n = number of times it has tried for the first 10 times, or n = 10 for the 11th through 16th try
- After 16 tries, report error to the upper-layer protocol

The backoff time is an integral random multiple of the Slot Time. 0 is considered by some to be an integer, and some implementations do choose 0 constantly. It is rather rude: some chipsets will see the resulting transmission not as a runt followed by a good frame, but as a single oversize frame, or may not see the good frame at all. This is the basis of some of the accusations of the Sniffer analyzer losing frames. Choosing 0, by the way, assumes that no one else on the net is playing the same rude trick, or that everyone who is playing that trick can sense a new frame at 1.6 instead of 9.6 bit times. It can cause repeated collisions between the same two stations.
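The backoff rules above, and the effect of a station that always chooses 0, can be replayed in a few lines. This is an added example, not part of the course material; the two-station contention model and all function names are constructed for illustration.

```python
"""Truncated binary exponential backoff, following the rules listed above."""
import random

SLOT_TIME_BITS = 512      # slot time: the time to propagate 512 bits
BIT_TIME_US = 0.1         # one bit time at 10 Mbps
BACKOFF_LIMIT = 10        # the exponent n stops growing after the 10th try
ATTEMPT_LIMIT = 16        # after 16 tries the error is reported upward


class ExcessiveCollisions(Exception):
    """The frame was abandoned after ATTEMPT_LIMIT tries."""


def backoff_range(attempt):
    """Return 2**n, the number of slot counts a station may draw from on this try."""
    if not 1 <= attempt <= ATTEMPT_LIMIT:
        raise ValueError("attempt must be between 1 and %d" % ATTEMPT_LIMIT)
    return 2 ** min(attempt, BACKOFF_LIMIT)


def compliant_backoff(attempt, rng):
    """RandomNumber: an integer r with 0 <= r < 2**n, drawn uniformly."""
    return rng.randrange(backoff_range(attempt))


def zero_backoff(attempt, rng):
    """The implementation the notes call rude: it chooses 0 every time."""
    return 0


def backoff_time_us(slots):
    """BackoffTime = RandomNumber * SlotTime, in microseconds."""
    return slots * SLOT_TIME_BITS * BIT_TIME_US


def contend(policy_a, policy_b, seed):
    """Replay one collision between stations A and B (constructed, simplified model).

    After each collision both stations draw a backoff. Equal draws mean they
    retransmit together and collide again; unequal draws let the station with
    the shorter wait send while the other defers to its carrier.
    Returns (winner, collisions). Raises ExcessiveCollisions after 16 tries.
    """
    rng = random.Random(seed)
    for attempt in range(1, ATTEMPT_LIMIT + 1):
        wait_a = policy_a(attempt, rng)
        wait_b = policy_b(attempt, rng)
        if wait_a != wait_b:
            return ("A" if wait_a < wait_b else "B"), attempt
    raise ExcessiveCollisions("gave up after %d tries" % ATTEMPT_LIMIT)


def win_share(policy_a, policy_b, trials=2000):
    """Fraction of contests won by station A over `trials` seeded replays."""
    wins = 0
    for seed in range(trials):
        winner, _ = contend(policy_a, policy_b, seed)
        wins += winner == "A"
    return wins / trials


if __name__ == "__main__":
    for attempt in (1, 2, 3, 10, 11, 16):
        top = backoff_range(attempt) - 1
        print("try %2d: 0..%4d slots, longest wait %8.1f us"
              % (attempt, top, backoff_time_us(top)))
    print("two compliant stations: A wins %.2f of contests"
          % win_share(compliant_backoff, compliant_backoff))
    print("zero-backoff A against compliant B: A wins %.2f"
          % win_share(zero_backoff, compliant_backoff))
    try:
        contend(zero_backoff, zero_backoff, seed=0)
    except ExcessiveCollisions as err:
        print("two zero-backoff stations:", err)
```

In a trace, the same pattern shows up as one station winning every contest, or as a pair of stations that collide repeatedly until one of them reports an excessive-collision error.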

Slide Title: Truncated Binary Exponential Backoff


Important Points to Cover:

The slide is self-explanatory.

New IEEE Maximum Topology Specs


The maximum topology of a 10 Mbps baseband network is limited by two factors:
- Round-trip collision delay
- Interpacket gap shrinkage

There are two methods, or transmission models, for calculating the round-trip collision delay (i.e., maximum copper and fiber lengths), according to the standard:
- Model 1 closely follows the 5-4-3 rule
- Model 2 assigns a value to each type and length of copper or fiber media, which corresponds to a worst-case round-trip delay for the Ethernet signal

The new standards allow you to mix media types in your networks. More details on these specifications are in the appendix.

Slide Title: New IEEE 802.3 Maximum Topology Specs


Important Points to Cover: This presents the factors in the determination and states there are two ways to calculate the maximum topology.

Factors:
- Round-trip collision delay
- Interpacket gap shrinkage

Models 1 and 2 detailed on the next pages.

Transmission Models 1 and 2


10 Mbps maximum topology rules

- Transmission Model 1 is the more conservative and restrictive of the two
  - It has the advantage of being validated to work with all vendors' products
- Transmission Model 2 uses tables to calculate:
  - Round-trip delay times for all types of media
  - Interpacket gap shrinkage for multiple repeaters

Model 2 is more cumbersome than Model 1, but has the advantage of extending the topology farther. It also more accurately reflects the types of distances found in real networks.

Slide Title: Transmission Models 1 and 2


Important Points to Cover:

The slide is self-explanatory.

Transmission Model 1

- Closely matches the traditional 5-4-3 rule of traditional Ethernet networks
- FOIRL, 10baseFL, 10baseFB and 10baseFP links are included
- AUI cables, if used, are restricted to 25 meters in length
- The maximum allowable length of any inter-repeater fiber segment is restricted to 1000 meters (FOIRL, FL, and FB)
- If all five segments are present, the maximum length of any fiber segment shall not exceed 500 meters
- The maximum length for a fiber hub-to-station (repeater-to-DTE) drop is 400 meters in an Ethernet network that also contains a 1000-meter link segment
- If fiber link segments are held to 500 meters, the maximum fiber hub-to-station drop is increased to 500 meters

Since no vendors are known to manufacture to 10baseFP standards, we will not consider 10baseFP in this course.

FOIRL = Fiber Optic Inter-Repeater Link
FP = Fiber Passive
FL = Fiber Link (replaces FOIRL)
FB = Specification for fiber with lower repeater delay that allows for longer length

Slide Title: Transmission Model 1


Important Points to Cover:

Most similar to 5-4-3. AUI cables 25 meters maximum. Maximum interrepeater fiber cable is 1000 meters, but if 5 are used, then the maximum of each is reduced to 500 meters. Add diagram here.

Model 2 Path Delay Value


- Model 2 assigns a value to each type and length of copper or fiber media, which corresponds to a worst-case round-trip delay for the Ethernet signal
  - The value also takes into account the repeater for any fiber or copper segment
- Starting from the point of highest variability in your network (call it the left end), calculate the length of each segment across repeaters to the farthest station on the network (called the right end)
  - Add the individual segment values to arrive at a total Path Delay Value, or PDV
  - The total should not exceed 572 bit times
  - The number of repeaters on any path may exceed the Model 1 limit of four

Figure: segments with Delay A through Delay E joined by repeaters (R)

PDV = A + B + C + D + E <= 572

The standards add an additional value of 5 to the Path Delay Value for a margin of error.

Slide Title: Transmission Model 2 (Calculating Path Delay Value)


Important Points to Cover:

Calculations are made using two types of variables: Path Delay Values and Interpacket Gap Shrinkage. We'll cover the first one here and the second one on the next slide.

Tables have been established that set delay for segments. Delay values reflect the media type and repeater. Total delay of A + B + C + D + E must be less than 572. There may be no more than four repeaters.

Transmission Model 2 (Calculating Interpacket Gap Shrinkage)

- The distance (in bit times) in the gap between frames will decrease with each repeater in the path as repeaters regenerate the preambles of Ethernet frames
  - This limits the number of repeaters that can be installed on any given path on very short networks
- The calculation is made by adding the path variability values (or PVV) for each segment across repeaters that the signal must pass
  - The total value must not exceed 49 bit times

Figure: segments PVV A through PVV D joined by repeaters

PVV A + PVV B + PVV C + PVV D <= 49 bit times

The starting point is called the transmitting end, the center segments are called mid-segments. The far end (receive end) across the last repeater is not taken into consideration. We will be using a network diagram in the next exercise to determine if it passes the model 1 or 2 requirements.

Slide Title: Transmission Model 2 (Calculating Interpacket Gap Shrinkage)


Important Points to Cover:

Here is part two. Repeaters shrink the interpacket gap as they regenerate the preambles. Each successive repeater shortens it more. This calculation is the deciding factor in how many repeaters can be in a segment.

PVV A + PVV B + PVV C + PVV D must be less than 49 bit times

Maximum Transmission Paths


Figure: maximum transmission path with four repeaters and five segments (three coax segments, two 10BaseT or fiber optic links). Labels: 500 m 10Base5 or 185 m 10Base2 coax links; 100 m 10BaseT or 500 m 10BaseFL link; Repeater; MAU; AUI Cable; DTE.

The Version 2 specification explained the maximum topology slightly differently

Figure: path from End Station to End Station. Labels: 500 Meters Maximum (three times); AUI Cable 50 Meters Maximum; Fiber Optic Repeater; Repeater; End Station.

3 x 500 meter coax cable segments
1 x 1000 meter fiber optic link
6 x 50 meter AUI cables

1500 meters + 1000 meters + 300 meters = 2800 meters total distance between transmitting stations

The fiber link is called FOIRL (Fiber Optic Inter-repeater Link). You'll often hear that the maximum distance between two stations on an Ethernet network is 2.8 kilometers. That number is derived by drawing the topology shown above. The 2.8 kilometer limit is mentioned in the Ethernet Version 2 Blue Book specification. It is not mentioned in 802.3. (802.3 has the picture from the previous page.) Note: the Ethernet maximum distance specification does abide by the newer 802.3 specification: the 2.8 km limit is a special case of the general rules.

Slide Title: Maximum Transmission Paths


Important Points to Cover:

Here is a graphic representation of allowable cable lengths for various types of media.

Model 1 Max Transmission Paths

Figure: two maximum transmission paths between DTEs, built from repeater sets (Rptr Set), MAUs and AUI cables.
- 4 Repeaters, 5 links (1-Coax, 3-10BaseT and/or 2-Fiber Optic Links). Labels: 100m 10BaseT Links; 500m Fiber Optic Links; 500m Coax 10Base5 Link
- 3 Repeaters, 4 link segments (2- 10BaseT and 2- 1 km Fiber Optic links). Labels: 1 km Fiber Optic Links

Slide Title: Model 1 Max Transmission Paths


Important Points to Cover:

This is the first of two diagrams showing different allowed maximum path configurations. These diagrams are modified from the diagrams in section 13 of the 802.3 spec. The 10Base FP sections were replaced with FL or T since FP is not used in current networks. The slide is complete.

Model 1 Max Transmission Paths


Figure: two maximum transmission paths between DTEs, built from repeater sets (Rptr Set), MAUs and 25 m AUI cables.
- 3 Repeaters, 4 link segments (1- 1 km 10BaseFB, 1- 1 km FOIRL, 2- 400 m 10BaseFL). Labels: 1 km FOIRL Link; 1 km 10BaseFB Link; 400 m 10BaseFL Links
- 4 Repeaters, 5 link segments (2- 500m 10BaseFB, 1- 500m FOIRL, 2- 500m 10BaseFL). Labels: 500m FOIRL Link; 500m 10BaseFB Links; 500 m 10BaseFL Links

Slide Title: Model 1 Max Transmission Paths


Important Points to Cover:

This is the second two of four diagrams showing different allowed maximum path configurations. The slide is complete.

Helpful Information

- List of Known Ethertypes
- Ethernet Frame Type References
- An explanation of the Analyzing Coax Collisions diagrams in the appendix
- Recommended Reading List
- Helpful WWW Links

List of Most Common Service Access Points (SAPs)


Ethertype 00 02 03 04 05 06 08 0C 0E 10 18 20 34 42 4E 7E 80 86 8E 98 AA BC E0 EC F0 F4 F5 F8 FE FF Protocol Null LLC LLC SNA SNA IP SNA SNA IEC 955 IPX CLNP CLNP BPDU EIA RS-511 ISO 8208 XNS IEC 955 SNAP VIP IPX CLNP NetBIOS LM LM Purpose XID or Text Individual Sublayer Management Group Sublayer Management Individual Path Control Group Path Control IP SAP for TCP/IP Organization IEEE IEEE IEEE IBM IBM DOD IBM IBM IEEE Novell Texas Instr ISO ISO IEE IEEE IEEE 3 Com Nestar IEEE ARPANET DOD Banyan Novell ISO IBM IBM IBM IBM ISO

PROWAY Network Management

Network Layer Spanning Tree Bridge Management Manufacturing Message Service X.25 over 802.2 Type 2 LLC

Active station list maintenance Address Resolution Protocol (ARP) Subnetwork Access Protocol Network Layer Routing

Individual Group Remote Program Load (RPL) Network Layer Protocol Global LSAP

List of Known Ethertypes


Ethertype 0000-05EE 0000-05FF 0101-01FF 0200 0201 0400 0600 0601 0800 0801 0802 0803 0804 0805 0806 0807 081C 0888-088A 0900 0A00 0A01 0BAD 1000 1001-100F 1600 4242 5208 6000 6001 6002 6003 6004 6005 6006 6007 6008-6009 6010-6014 7000 7001 7002 7020-7029 7030 7034 Protocol None 802.5 PUP PUP PUP XNS XNS IP X.25 NBS ECMA CHAOSNet X.25 ARP XNS Private Purpose IEEE 802.3 Length Field IEEE 802.5 Length Field Address Translation Address Translation IDP Address Translation 3MB Only IP Internet Internet Internet Level 3 For IP and CHAOS Symbolix Debugger Address Translation Address Translation Organization IEEE IEEE Xerox Xerox Xerox Nixdorf Xerox Xerox DOD

Texas Instr DOD

PUP PUP VIP IP Simnet PCS Basic BI Simnet MOP MOP Phase IV DRP LAT

Trailer Negotiation Trailer Block Encapsulation Valid System Protocol Private Unassigned Dump Load Assistance Remote Console Routing Local Area Transport Diagnostics User Protocol System Communication Architecture Unassigned Download

UB Xerox Xerox Banyan Berkely Berkley BBN BBN DEC DEC DEC DEC DEC DEC DEC DEC DEC 3Com UB UB UB LRT Proteon Caletrom

LAVC

NIU BootDiagLoop

Broadcast at Boot Stage, DL

Ethertype 8003 8004 8005 8006 8008 8010 8013 8014 8015 8016 8019 802E 802F 8035 8036 8038 8039 803A 803B 803C 803D 803E 803F 8040 8041 8042 8044 8046-8047 8049 805B 805C 805D 8060 8062 8065-8066 8067 8068 8069 806A 806C 806D 806E-8077

Protocol VLN Direct Probe Protocol Local Use AT&T Diagnostics Network Games

Purpose

Bounce Server Native Ethernet RARP

BPDU DSM/DTP Argonaut Con VAXLN CSMA/CD DNA

Spanning Tree Bridge Management

LAST

Unassigned Encryption Time Service LAN Traffic Monitor NetBIOS Emulator Local Area System Transport Future Use

V Kernel Experimental V Kernel Production

Integrated Automation

Graphics

Organization Chronus Chronus HP Nestar Stanford Excelan SGI SGI SGI Stanford HP Apollo Tymeshare Tigan, Inc DOD Aenoic Systems DEC DEC DEC DEC DEC DEC DEC DEC DEC DEC DEC Plan Res Co AT&T Expert Data Stanford Stanford Evans & Suther Lt Machines Counterpoint Univ of Mass Veeco General Dynamics AT&T Autophon ComDesign Compugraphic Landmark

Ethertype 807A 807B 807C 807D-807F 8080 8081-8083 8088-808A 809B 809C-809E 809F 80A3 80A4--80B3 80C0-80C3 80C6 80C7 80C8-80CC 80CD-80CE 80CF-80D3 80D4 80D5 80DD 80DE 80DF 80E0-80E3 80E4-80F0 80F2 80F3 80F4-80F5 80F7 80FF-8103 8107-8109 8130 8131 8137-8138 8139-813D 9000 9001 9002 9003 FF00

Protocol Data Elektronik

Purpose

Bridge, Router, WANManager TranLAN III Management

Ether-Talk

RT Distributed Services/DB Transparent Remote File System

Bridge Management AppleTalk AppleTalk Bridge Management Private

NetWare IPX LAN Loopback Bridge Comm. Management

Vital LAN Bridge cache wake

Organization Matra Dansk Merti Vitalink Vitalink Counterpoint Xyplex Kinetics Datability Spider Nixdorf Seimans DCA Pacer Software Applitek Corp Intergraph Inc Harris/3M Taylor Rosemont IBM Varian Integrated Systems Integrated Systems Allen Bradley Datability Retix Apple Shiva HP Apollo Wellfleet Symbolics Waterloo VG Labs Novell KTI DEC Xerox 3Com 3Com BBN

Ethernet Frame Type References

Version 2 Frame

Bytes        Field
8            Preamble
6            Destination Address
6            Source Address
2            Ethertype
46 to 1500   Data, padded to minimum frame length of 64 bytes
4            Frame Check Sequence (FCS)

IEEE 802.3 Frame

Bytes        Field
8            Preamble (7 bytes preamble, 1 byte of Start of Frame Delimiter)
6            Destination Address
6            Source Address
2            Length
1            Destination SAP (LLC)
1            Source SAP (LLC)
1-2          Control (LLC)
42 to 1497   Data, padded to minimum length of 64 bytes
4            Frame Check Sequence (FCS)

New IEEE Frame

Bytes        Field
8            Preamble (7 bytes preamble, 1 byte of Start of Frame Delimiter)
6            Destination Address
6            Source Address
2            Type/Length
1            Destination SAP
1            Source SAP
42 to 1497   Data, padded to minimum length of 64 bytes
4            Frame Check Sequence (FCS)

NetWare Raw Frame

Bytes        Field
8            Preamble
6            Destination Address
6            Source Address
2            Length
46 to 1500   FFFF followed by Data, padded to minimum frame length of 64 bytes
4            Frame Check Sequence (FCS)

IEEE 802.3 SNAP Frame

Bytes        Field
8            Preamble (7 bytes preamble, 1 byte of Start of Frame Delimiter)
6            Destination Address
6            Source Address
2            Length
1            Destination SAP (LLC)
1            Source SAP (LLC)
2            Control (LLC)
3            Vendor Code (SNAP)
2            Type (SNAP)
38 to 1492   Data, padded to minimum length of 64 bytes
4            Frame Check Sequence (FCS)
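The layouts above differ only in the two bytes after the Source Address and in the first bytes of the data field, which is what a pattern-match filter keys on. The following added example (not part of the course material) classifies frames on that basis; the sample frames, the source address and the function names are constructed for illustration.

```python
"""Classify Ethernet frames by the layouts in the frame type reference tables."""
import struct
from collections import Counter

MAX_LENGTH = 0x05DC      # 1500: largest value that can be an 802.3 Length
MIN_ETHERTYPE = 0x0600   # 1536: smallest value that can be an Ethertype


def classify(frame):
    """Describe one frame given as bytes starting at the Destination Address.

    The 8 preamble bytes are not part of a captured frame, and the FCS is
    assumed to have been stripped.
    """
    if len(frame) < 14:
        raise ValueError("need 14 header bytes, got %d" % len(frame))
    (field,) = struct.unpack("!H", frame[12:14])
    payload = frame[14:]
    info = {"destination": frame[0:6].hex(), "source": frame[6:12].hex()}

    if field >= MIN_ETHERTYPE:
        # Version 2 layout. A "New IEEE" frame whose Type/Length field holds
        # a type looks identical on the wire.
        info.update(format="Version 2", ethertype=field)
        return info
    if field > MAX_LENGTH:
        info.update(format="undefined", value=field)   # neither length nor type
        return info

    # The field is a Length. Padding can make the payload longer than Length;
    # a payload shorter than Length means the frame was cut off.
    info.update(length=field, truncated=len(payload) < field)
    if len(payload) < 2:
        info["format"] = "IEEE 802.3 (too short to classify)"
    elif payload[0:2] == b"\xff\xff":
        info["format"] = "NetWare Raw"
    elif payload[0:2] == b"\xaa\xaa" and len(payload) >= 8:
        # SNAP as seen on the wire: one control byte (0x03), then the
        # 3-byte vendor code and the 2-byte type.
        info["format"] = "IEEE 802.3 SNAP"
        info["vendor_code"] = payload[3:6].hex()
        (info["type"],) = struct.unpack("!H", payload[6:8])
    else:
        info.update(format="IEEE 802.3", dsap=payload[0], ssap=payload[1])
    return info


def tally(frames):
    """Count frames per format, the question the pattern-match exercise asks."""
    return dict(Counter(classify(f)["format"] for f in frames))


def build(type_or_length, payload):
    """Assemble a constructed test frame: broadcast destination, made-up source."""
    header = bytes.fromhex("ffffffffffff") + bytes.fromhex("020000000001")
    return header + struct.pack("!H", type_or_length) + payload


# Constructed sample frames, one per layout plus one cut-off frame.
SAMPLES = {
    "v2": build(0x0800, b"\x45" + bytes(45)),
    "llc": build(46, b"\xe0\xe0\x03" + bytes(43)),
    "snap": build(46, b"\xaa\xaa\x03\x00\x00\x00\x08\x00" + bytes(38)),
    "raw": build(46, b"\xff\xff" + bytes(44)),
    "cut": build(100, b"\xe0\xe0\x03" + bytes(20)),
}

if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        print(name, classify(frame))
    print(tally(SAMPLES.values()))
```

The order of the checks matters: the FFFF test has to come before the SAP test, because a NetWare Raw frame would otherwise be read as an 802.2 frame addressed to the global SAP.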

An explanation of the Analyzing Coax Collisions diagrams in the appendix


This diagram should enable you to tie together three important concepts you have learned:
1. The propagation delay of a signal on different types of media (per "How long is a bit")
2. How different Ethernet physical components react during a collision (station jam signal, hub jam, etc.)
3. How different Sniffers react to the same collision event.

The scenario is as follows: Station A starts a transmission. The transmission goes both ways towards Sniffers 1 and 2, and towards Sniffer 3. Just before the leading bit of the preamble reaches the far end of the uppermost Ethernet segment, the station near point B starts a transmission, causing a collision at Point B.

The following concepts will help you understand the scenario:

- The station at point B will be the first station to detect the collision; what will it do? (Send a 32-bit jam signal.) Why? (To busy the wire and enable repeater R3 to detect evidence of the collision.) What is the evidence? (2 signals on the same coaxial media: R3's and the jam from the station at point B.)
- Sniffer 1 will not show any evidence that a collision occurred (unless it's a version that's counting preamble collisions). Why? (Because we don't capture preamble collisions.)
- How repeaters R3 and R2 react to the collision when the jam signal reaches them. (R3 will begin to jam 96 bits back to R2; R2 will begin to jam 96 bits on the middle coaxial segment towards Station A.)
- What Station A has been doing during all this time. (Still transmitting its signal.)
- How much of Station A's signal has gotten out on the wire before the jam signal from R2 reaches it? Here is some of the math to show the different propagation delays by differing types of media and repeaters:
  Total equivalent Thicknet distance between points A & B: 59 + 450 + 59 + 231 + 59 + 933 + 59 + 59 + 450 = 2359 m
  2359 m / 23.1 = 102 bits, or 12.75 bytes
- What will happen when the jam signal reaches Sniffer 2? (Because this is coaxial media, the combination of Station A's transmission and the 96-bit jam signal from R2 will cause the receive function on Sniffer 2 to lose synchronization/clocking. When this happens, the Sniffer stops capturing the frame and truncates it if enough of the frame, 2 bytes past the preamble, has been received.)
- What sort of flag will be posted with this frame? (The X flag.)
- Major learning point: If someone hands you a trace file for analysis and you see the X flag posted on truncated frames, you can say with a high degree of certainty that the trace was captured from coaxial media!
- What will happen when Station A realizes that a collision has occurred? (Starts jamming 32 bits.)
- Has this been a legal collision event? (Yes, because it has happened well before 64 bytes have left Station A.)
- What does repeater R1 do when it sees evidence of the collision? (Starts jamming 96 bits onto the lowermost Thicknet segment.)
- What causes R1 to sense the collision event? (The combined jam signals from R2 and Station A.)
- What will be recorded on Sniffer 3? (Because the Sniffer was on a segment where only one signal, the one from the lower half of R1, was being broadcast, the frame will appear similar to how it does on Sniffer 2. However, the frame will not be truncated but will be followed by R1's jam pattern of alternating 1s and 0s, which will be translated to the hex values of AAs or 55s.)
- What flags will be posted? (R and C, but certainly not an X flag.)
- How many bytes of AAs and 55s will be shown? (This will depend upon what the vendor has implemented as the jam pattern; remember that 96 bits are a minimum. Generally, it is safe to assume that you will see a value of 12 bytes, plus or minus 4.)
- Major learning point: Because Sniffer 3 has been on the far side of a repeater for this event, this simulates exactly what happens in 10baseT environments.

In 10baseT shared environments, a station can only receive direct evidence of collision if the hub sends a jam signal while that station is transmitting. And since Sniffers don't transmit, they have to use the jam pattern to deduce that a collision occurred somewhere.

Recommended Reading List


Standards

IEEE Standard 802.3, 1998 Edition. This includes the contents of the 8802-3:1996 Edition plus IEEE standard 8023aa-1998, IEEE Standard 802-3r-1996, IEEE Standard 802.3u-1995, IEEE Standard 802-3u-1995, IEEE Standard 802-3x and y-1997 and IEEE Standard 802-3z-1998. 1268 pages. ISBN 0-7381-0330-6

Supplements to IEEE Standard 802-3-1998

802.3ac-1998, Frame Extensions for Virtual Bridged Local Area Network (VLAN) Tagging on 802.3 networks. 20 pages. ISBN 0-7381-1421-9
802.3ab-1999, Physical Layer Parameters and Specifications for 1000 Mb/s Operation over 4-Pair of Category 5 Balanced Copper Cabling, Type 1000BASE-T. 144 pages. ISBN 0-7381-1741-2
Approved draft 802-3ad-2000, Aggregation of Multiple Link Segments. 184 pages. 0-7381-2468-0

Books

Switched, Fast, and Gigabit Ethernet: Understanding, Building and Managing High-Performance Ethernet Networks, 3rd Edition, 1999. 618 pages. Robert Breyer and Sean Riley, Macmillan Technical Publishing. ISBN 1-57870-073-6
Gigabit Ethernet, 1998. 411 pages. Rich Seifert, Addison Wesley. ISBN 0-201-18553-9
Fast Ethernet, Dawn of a New Network, 1996. 310 pages. Howard W. Johnson, Prentice Hall. ISBN 0-13-352643-7

Helpful WWW Links


http://www.sniffer.com  Sniffer Technologies website
http://www.Standards.ieee.org/  IEEE website
http://www.idg.net/metcalfe/  Bob Metcalfe's website (the inventor of Ethernet)
http://www.ansi.org  ANSI website
http://www.iol.unh.edu  University of New Hampshire Interoperability Labs. Leaders in interoperability testing for many new technologies. This site has links to tutorials.
http://www.gigabit.ethernet.org  The gigabit alliance website
http://www.tolly.com  Independent hardware testing and industry reports
http://www.nstl.com  National Software Test Lab, independent testing
http://www.global.his.com  Official supplier of IEEE and TIA/EIA standards documents (not free)

Instructor Exercises

Sniffer University TNV-202-GUI 4.0-OCT2000

________________________________________________

Ethernet Network Analysis and Troubleshooting

Table of Contents

Exercise Section 1: Which Frames Are on the Network?
Exercise Section 1: Isolating Frame Types with Pattern Matching (Optional)
Exercise Section 1: A Surprise at 23:00 (Optional)
Exercise Section 2: Comparing Ethernet Data
Exercise Section 3: Cable Specifications
Exercise Section 4: Hubports
Exercise Section 4: More Problems
Exercise Section 4: Test Your Skill
Exercise Section 4: Errors
Exercise Section 4: Evaluating Hub Jams
Exercise Section 4: Ethernet Physical Errors (Optional)
Exercise Section 5: Short Circuited Bridges
Exercise Section 5: Busy Jam
Exercise Section 5: Switch Traffic (Optional)
Exercise Section 6: Fast Ethernet Troubleshooting and Back Pressure
Exercise Section 6: Fast Ethernet Problems
Exercise Section 6: 10/100 Hubs
Exercise Section 8: Gigabit Traffic
Exercise Section 9: Observing LLC

A word of explanation about the formatting of the exercises

Choices you need to make in the menus or configuration windows are in bold. When you are navigating through a series of steps, they have been shortened and separated with a right arrow. Example: "Pull down the Monitor menu, choose Select Filter, click Select Filter" becomes "Use Monitor > Select Filter > Select Filter."

As you work through the exercises, you will be opening a series of windows. When asked to close many of them, Sniffer Pro will ask if you want to save them. Do not save the data unless specifically instructed to save the data.

There are more exercises here than can be done in the allotted class time. The instructor will choose exercises that meet the needs of the majority of the students in each class. All of the trace files needed for these exercises are on the CD in your class manual. You may wish to work on these independently if you finish your exercises early or do them outside of class time.

4.0-OCT2000

Network Associates


Exercise Section 1: Which Frames Are on the Network?


Objective: Use data pattern filters based on frame formats to determine what frame types are in use on the network and make sure no incompatibilities exist. Identify the most common frame format and then eliminate all frames of that type. When they are gone, you will see what remains. Repeat this process until you have identified all frame types present on the network.

Procedure:

1. Configure the analyzer then open the file:
   a. Create a new Agent for this class called "TNV202": File > Select Settings... > New. Name it TNV202 and choose the 10/100 Ethernet adapter. Don't copy any settings. Click OK twice.
   b. Use Display > Display Setup > General to enable the Expert and Post Analysis tabs. (They may already be enabled.) Click OK.
   c. Set the agent to loopback with File > Loopback Mode.
   d. Open the file C:\202GUI\Mixed_01.cap.
2. From the Expert click on DLC layer Objects. There should be 35. The frame types for each object (adapter) are shown in the Expert Detail panel on the lower right. Hint: on the Expert Summary screen, identify the separator bar on the right. If you drag that up, you'll see the Objects listed in the upper right; highlighting each in the top right shows its details in the lower right panel. Click the arrow on the top of the upper left window to enlarge the right windows.
3. Observe the frame types shown for each adapter. How many different frame types (other than broadcast and multicast) are shown? Just 2 types, 802.3 and Ethertype. There are actually 3 frame types in this trace file: one standard 802.3 frame with the LLC header and 10 Raw Ethernet frames. Unfortunately, the Expert doesn't distinguish between them.
4. Display the Decode windows and click the Monitor's Protocol Distribution icon. We'll use this tool to determine the protocols on the network and their distribution. We'll need to generate the trace file once to see the protocols. Right-click over the Decode window and choose Send Current Buffer and click OK to send the buffer 1 time.
5. Fill in the table that follows as you answer the questions from the Protocol Distribution view when the entire trace has been sent (wait until the counter on the lower right goes blank).
   a. With the MAC layer and Table view selected, which protocols are listed and how many frames were sent for each protocol?


   b. Look at the Pie Chart view and note the percentages of each protocol shown by clicking on each slice (or look at the Bar Graph view and click on each bar to see the stats).

   Protocol   # Packets   % of Total
   DECnet     35          45.45%
   IP         27          35.06%
   IPX        10          12.99%
   IP_ARP     1           1.30%
   LAT        1           1.30%
   Others     3           3.90%

   You may want to mention that LAT is a part of DECnet, so the total is 36 packets and 46.75%.
6. Close the Protocol Distribution window. From the Decode display, we can get a quick summary of frame types by using Display > Display Setup. On the Summary Display tab, exclude All protocols in the lower window, and then click on Ethernet to enable it. You now see which frames are version 2, but no differentiation is made between the rest. Highlight the non-Ethertype frames, then look in the Detail panel and note the frame types you see. Most are raw, but frame 75 is 802.3 with the LLC header. There are no SNAP frames.
7. To see which station is using each protocol, click the Matrix tab.
   a. With the Traffic Map showing the MAC layer, click off all protocols except Other. Ctrl click to select all those end station addresses with Other traffic, then press the Visual filter icon to display only these frames. How many frames did you get? What frame type(s) are they using? 2
      Stations HP1 012BB4 and 090009012BB4 (multicast) are using 802.3 frames with the LLC header (SAP FC); stations DECnet 00C8CC and broadcast are using version 2 frames (Ethertype 0804 for Chaosnet).
   b. Click back on the Matrix tab (this still reflects the original trace file with all the frames). Now enable only the IPX stations in the Matrix Traffic Map view. Ctrl click on each IPX address to select all of them, then press the Visual filter icon and display the frames. How many frames are there? 10 Does this agree with the number you noted in the chart above? Yes Does the frame type match what you anticipated it would? Yes, they are raw frames, typical of NetWare frames
   c. We'll use a similar process to determine the frame types the DECnet stations are using. Click the Matrix tab. Enable only DECnet on the MAC layer of the Traffic Map. Looking at the pattern of the frames on the traffic map, what do you observe? Almost all of the traffic is to and from the level one router. Only two stations are talking to each other.


      CTRL click to select all DECnet addresses, then filter them into a new window. How many frames do you have? 35 Use Display > Display Setup > Summary Display to exclude none of the protocols. What information is being sent? Most are Router hellos, end node hellos and route advertisements. Only one (frame 40) carries NSP data between 51.4 and 51.30. What frame type does DECnet use? Version 2.
   d. Last, let's look at the IP traffic. We'll use a protocol filter to see those frames. Start with the Decode tab with 77 frames (this is the original unfiltered trace file).
   e. Right click over the Summary window, choose Define Filter, then create a new profile called IP using Profiles > New > name = IP, copy the Default filter. Click OK, then Done.
   f. Now click the Advanced tab and enable only the IP and IP ARP protocols, click OK.
   g. Right click over the Summary window and use Select filter to choose the IP filter. How many frames did you get in the new window? 28 What version frames are they? Version 2.

   This is a fairly quick way of seeing what frames are on your network. The traffic map is especially useful to see IP local router situations. If you see a lot of frames going to a router when they should stay local, you need to look for local router diagnoses in the Expert. In a NetWare environment, you normally see most of the client traffic going to the servers, since it is a client-server environment. If you see a lot of traffic between servers, investigate to see if a server is being used to forward frames that are not compatible with the intended server's configuration. If you are migrating from an IPX-based network to NetWare 5 on IP and are using an intermediate server to forward the frames to the new server, this is a normal phenomenon. This should be an interim short-term solution, since the traffic is doubled with that configuration.
8. Close the window. Do not go on to the next exercise.


Exercise Section 1: Isolating Frame Types with Pattern Matching (Optional)


Objective: Determine what frame formats are in use on the network and make sure no incompatibilities exist. Identify the most common frame format and then eliminate all frames of that type. When they are gone, you will see what remains. Repeat this process until you have identified all frame types present on the network.

Procedure:

1. You can also use pattern match filtering to eliminate frames based on data patterns. We'll repeat this process until you have filtered most frame types present on the network. When the frames you want to exclude are gone, you will see what remains. Exit the Sniffer application, then start it again so your filtered tabs start at 1. Open the file C:\202GUI\Mixed_01.cap.
2. Which frame format is being used in Frame 1? Ethernet Version 2
3. Eliminate all frames using the Ethertype in Frame 1. We'll start a new profile and configure a hexadecimal pattern match display filter. Highlight frame 1.
   a. Look at the DLC header in the Detail window and note the Ethertype here: 6003
   b. Use Display > Define Filter. Click Profiles > New and name it Pattern Match.
   c. Copy Existing Profile = Default.
   d. Click OK > Done.
   e. Click the Data Pattern tab, click Add NOT, then Add Pattern (a window opens).


   f. Make sure Pkt: 1 is displayed (if not, use the Previous button).
   g. Click on Ethertype = 6003 (DECNET) in the DLC layer of the frame data.
   h. Click Set Data. Note the pattern 60 03 is pasted in the data area above and the offset field is updated to C. FYI: If you wanted to do a different type of pattern match, you would need to click the Format button and choose from Binary, ASCII, EBCDIC before pasting in the data. You can paste up to 32 bytes of data for matching.
   i. Click OK here, then OK on the Define Filter window.
4. That's a start, but the filter hasn't been applied yet. Let's apply the filter now.
   a. Right click in the display window, click Select Filter and select the Display Pattern Match filter. Note: Data Pattern should read (NOT DLC: Ethertype = 6003[DECNET]). Click OK.
   b. You should have a new Filtered x window with a frame count in the title bar.
   c. How many frames are there? 42
5. Note this new filtered window has maintained the original frame numbers. The window should start with frame 3, a DNS OK status frame. What frame format is being used in Frame 3? V2
6. We'll add this Ethertype to our filter to eliminate all frames with the Ethertype in the DNS OK frame. Write the Ethertype here: 0800
   a. Display > Define Filter > Data Pattern tab.
   b. Add NOT > Add Pattern.
   c. Highlight DLC: Ethertype = 0800 (IP) then click on Set Data. 08 00 pastes in at C.
   d. Then click OK. Your match should now look like this: [screenshot of the Data Pattern tab]
   e. Hold your cursor over the AND line to see how the match has been built this far. Click OK if it matches. Go back and fix it if it doesn't.

   f. Right click in the Filtered x display window, click Select Filter > select the Display Pattern Match filter. Click OK.
   g. You should get a new Filtered x window with 15 frames that starts with a LAT change node frame. Is the LAT frame the same frame format as the previous frames? Yes.
7. Eliminate all frames with the Ethertype in the LAT frame. Write the Ethertype here: 6004
8. Repeat the same filtering process to eliminate this frame type:
   a. Display > Define Filter > Data Pattern tab > Add NOT > Add Pattern.
   b. Highlight Ethertype 6004 (DEC LAT), click on Set Data, then click OK.
   c. Click OK to save the updated filter.
9. Display > Select Filter > select the Display Pattern Match filter again. Click OK. How many frames are in the new Filtered x window that pops up? 14
   a. What is the frame format in the NSAP frame? Novell Raw.
   b. What field can be used to filter this frame type? IPX Checksum.
   c. What is the hex pattern and offset used to perform this filter? FFFF at offset 0E.
10. First, we'll create a filter to view only the Novell Raw frames, then we'll change it so we exclude these frames along with the previously excluded Ethertype frames.
   a. Since we plan to filter out the Novell Raw frames in the last step, we'll start by adding a NOT before we add the pattern as we did before.
   b. Display > Define Filter > Data Pattern tab > Add NOT > Add Pattern.
   c. Highlight IPX Checksum = 0xFFFF, click on Set Data, then click OK.
   d. Before we finish, remember that we want to include all of the Novell Raw frames and exclude all of the others. To make this happen, click on the NOT left of the IPX Checksum entry so it turns to a solid red (the NOT disappears). Your match should now look like this: [screenshot of the Data Pattern tab]

   e. Click OK if it matches. Go back and fix it if it doesn't.
11. Display > Select Filter > select the Pattern Match filter again. Click OK. How many frames are in the new Filtered x window that pops up? 10
12. Review the DLC header in each frame. These should all be 802.3 Raw frames.
13. Let's change our filter to exclude these frames and see what type of frames are left in the trace.
   a. Display > Define Filter > Data Pattern tab.
   b. Enable the NOT above the IPX Checksum pattern by clicking on the red block.
   c. Click OK when finished.
14. Now we need to apply this filter as we did before. What do you think will happen if we apply the filter to this filtered window? You'll get the error message "No frames matched the filter!" because this window only contains the 802.3 Raw frames (all other frames were filtered out earlier).
   a. Let's go back to our original trace window by clicking the Decode tab.
   b. Display > Select Filter > select the Pattern Match filter again. Click OK. How many frames are in the new Filtered 5 window that pops up? 4
15. You have now eliminated all Novell NetWare frames and enough Version 2 traffic so that you can easily examine the remaining frames. Answer the following questions:
   a. How many standard 802.3 frames (with only an LLC header) are there? One - RPL Unknown
   b. How many 802.3 SNAP frames are there? zero
   c. How many Version 2 frames remain? Three - ARP, LOOP Reply Receipt, Chaosnet
16. Close the window. Do not go on to the next exercise.


Exercise Section 1: A Surprise at 23:00 (Optional)


Objective: In the real world, you often encounter unexpected results. This exercise presents an unexpected situation and asks you to describe your findings. Your instructor will explain the technical background causing the situation AFTER you have done the exercise. (We don't want to spoil the surprise!)

Instructor Note: You will want to omit this exercise, demo it, or do it with the class if you have chosen not to do the previous optional pattern match filtering exercise. The pattern match required here is not detailed in these steps since it was detailed in the previous exercise.

1. Open the file C:\202GUI\Mixed_02.cap. Display the Decode view.
2. What is the frame format used in Frame 1? 802.3 Raw as evidenced by the 802.3 Length field and missing LLC header.
3. What field will you use to eliminate all these packets to see what else might be on this network? You will use the IPX Checksum field ('FFFF' pattern).
4. Create a new Data Pattern match called No Raw Frames to eliminate all frames using this frame format. Select the filter.
5. Carefully study your results. Can you explain the 5 frames? These frames DON'T GO AWAY! When you examine the HEX you will see the '1111' padding bytes between the LENGTH field and the 'FFFF' checksum in the XNS Header. Sniffer Pro assumes they are IPX and decodes them as IPX, posting a message in the Detail window noting the incorrect IPX length field.
6. Close the window. Stop here. Do not proceed to the next exercise.

Instructor Note: Here's the story behind the problem: These bytes were included when IBM, Sytek (the broadband vendor) and Novell built the IBM Broadband/Ethernet bridge. Although we don't know exactly why Novell put them there, we do know that the request came from Novell. One speculation is that something moved data in 4 byte words and the header, when padded from 14 to 16 bytes, provided 4 even 4-byte words. You will only encounter this in some obscure environments. The exercise is intended to give the student an opportunity to encounter a strange situation and make reasonable observations about it. (Think about a bridge set to filter FFFF!)
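
The elimination filter built in the pattern matching exercise and the Mixed_02 surprise, as an added Python example (not part of the course material and not Sniffer Pro code). The sample frames are constructed, the function names are hypothetical, and the padded-frame check is a heuristic based only on the '1111' bytes described above:

```python
import struct

OFF_TYPE_LEN = 0x0C  # Ethertype / 802.3 Length field (offset "C" in Set Data)
OFF_DATA = 0x0E      # first byte after the 14-byte DLC header (offset "0E")


def classify(frame: bytes) -> str:
    """Name the frame format of a captured frame (preamble and CRC stripped)."""
    if len(frame) < OFF_DATA + 4:
        return "too short"
    (type_len,) = struct.unpack_from("!H", frame, OFF_TYPE_LEN)
    if type_len >= 0x0600:
        return "Ethernet V2"          # the field holds an Ethertype
    if type_len > 1500:
        return "undefined"            # neither a valid length nor an Ethertype
    head = frame[OFF_DATA:OFF_DATA + 2]
    if head == b"\xff\xff":
        return "802.3 Raw"            # IPX checksum directly after Length
    if head == b"\xaa\xaa":
        return "802.3 SNAP"           # DSAP/SSAP = AA AA
    if head == b"\x11\x11" and frame[OFF_DATA + 2:OFF_DATA + 4] == b"\xff\xff":
        return "802.3 Raw, padded"    # assumption: heuristic for the Mixed_02 case
    return "802.3 LLC"


def apply_filter(frames, terms):
    """Keep frames satisfying every term; a term is (negate, offset, pattern).

    Terms are ANDed, and negate=True plays the role of Add NOT.
    """
    def hit(frame, offset, pattern):
        return frame[offset:offset + len(pattern)] == pattern

    return [f for f in frames
            if all(hit(f, off, pat) != neg for neg, off, pat in terms)]


def drop_raw(frames):
    """Format-aware alternative: drop Raw frames with or without the pad."""
    return [f for f in frames if not classify(f).startswith("802.3 Raw")]


def make_frame(type_len: int, data: bytes) -> bytes:
    """Build a constructed 60-byte frame: broadcast destination, made-up source."""
    header = bytes.fromhex("ffffffffffff" "020000000001")
    return header + struct.pack("!H", type_len) + data.ljust(46, b"\x00")


# Constructed sample frames (not taken from Mixed_01.cap or Mixed_02.cap).
SAMPLE_FRAMES = [
    make_frame(0x6003, b""),                     # DECnet, Version 2
    make_frame(0x0800, b"\x45\x00"),             # IP, Version 2
    make_frame(0x6004, b""),                     # LAT, Version 2
    make_frame(0x0806, b""),                     # ARP, Version 2
    make_frame(0x0022, b"\xff\xff"),             # Novell Raw: FFFF at 0E
    make_frame(0x0026, b"\xfc\xfc\x03"),         # 802.3 with LLC header, SAP FC
    make_frame(0x0024, b"\x11\x11\xff\xff"),     # Raw with '1111' pad: FFFF at 10
]

# The four NOT patterns built up step by step in the exercise.
ELIMINATE = [
    (True, OFF_TYPE_LEN, bytes.fromhex("6003")),
    (True, OFF_TYPE_LEN, bytes.fromhex("0800")),
    (True, OFF_TYPE_LEN, bytes.fromhex("6004")),
    (True, OFF_DATA, bytes.fromhex("ffff")),
]

if __name__ == "__main__":
    left = apply_filter(SAMPLE_FRAMES, ELIMINATE)
    for f in left:
        print(classify(f), f[OFF_TYPE_LEN:OFF_DATA + 4].hex(" "))
    print("after drop_raw:", [classify(f) for f in drop_raw(left)])
```

The fixed-offset FFFF pattern leaves the padded frame in the result, which is the behaviour the exercise asks students to explain; drop_raw removes it because it tests the frame format rather than one offset.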


Exercise Section 2: Comparing Ethernet Data


Objective: To look at a series of trace files captured from different speeds of Ethernet data and compare how they appear in the Decode windows. We'll start at 10 Mbps data and work to Gigabit. We are not going to do any type of response time measurements; we'll just look at the delta times between the frames to see how quickly a station can get a frame into the network after the last frame completes. We won't look at any errors there may be, either. We'll save that for later.

Background: The appropriate Sniffer Pro was connected to each of these networks and a file was saved.

1. We'll look at a 10 Mbps trace first. Open C:\202GUI\bcast.cap to the Decode window. This is a trace where every device on the network responded to the RWHO in frame 1 about as fast as they could get them onto the network. There are no physical errors to confuse the timing, but there is one long pause we'll ignore.
   a. What is the range of Delta times between the ARP frames? (Ignore frame 20) 0.002.985 to 0.003.150, about 3 milliseconds apart (frame 54 is about 4 ms)
   b. Click the Statistics tab. What is the line speed shown here? 10 Mbps
2. Now let's see what's different in the 100 Mbps screens. Open C:\202GUI\100mbfile.caz to the Decode window.
   a. Click the Statistics tab. What is the line speed? 100 Mbps
   b. What is the Delta time of frame 108, one of the shortest delta times? 0.000.161 = 161 microseconds, a good improvement.
3. Finally, we'll look at some Gigabit data. Open C:\202GUI\GB.cap to the Decode window.
   Instructor note: There are CRC errors and Code Violations (CV) errors in this trace. The help screens give this definition: Gigabit Ethernet uses the 8B/10B transmission code to map signals into 10-bit code groups. 8B/10B coding provides a set of 2^10 possible code groups. A given 10-bit code group can be categorized as either legal, showing a positive running disparity error, showing a negative running disparity error, or as an illegal code group. The Sniffer Pro reports a code violation when it sees a code group that is either illegal or that has a running disparity error as compared to the previous code group. The students will look at the help screen in the Gigabit section exercise.
   a. Click the Statistics tab. What is the line speed shown? 1000 Mbps


   b. In the Decode view, what is the Delta time of frame 16, one of the shortest delta times in this trace? (Expand the width of the Delta Time column to see the entire value.) 0.000.000.012 = 12 nanoseconds!
   c. Note that an extra 3-digit column has been added to the Delta and Relative time columns to compensate for this faster speed. It can measure down to 32 nanoseconds.
   d. What is different about the Status column? It shows [A] and [B] to indicate which channel captured the frame. The Fast Ethernet Full Duplex pod captures show the [A] and [B] indicators, too.
4. This has been just a short comparison of what you see in the Sniffer windows. We hope it points out that once you learn how to use the Sniffer for one speed, you can apply those same techniques to looking at the other speeds. In the next sections we'll give you more specific information on how to look in different areas to help you analyze your traffic.
5. Close all the open windows. Do not go on until instructed.


Exercise Section 3: Cable Specifications


Objectives: Use Output from Sniffer Pro and a network map to:
1) Determine if the fact that the 5-4-3 rule was broken in this network design is the "Cause" of the problem
2) Determine the round trip propagation delay for this network
3) Determine if the collisions are "Legal" or appropriate for this network design
4) Narrow the "Fault Domain" and determine the best place to start troubleshooting this problem
5) Determine if there is a relationship between collisions and a LAN overload symptom

Background: You have been called in to investigate problems on an Ethernet network that was designed by someone else. As far as you can tell, the network looks like the drawing below.

[Network diagram. Labels: Bridge; Thin Ethernet RG 58 coax; ?? Coax; Hub 1, Hub 2, Hub 3, Hub 3, Hub 3, Hub 3; Node 1 WstDig178C41; Node 2 WstDig96EC2C; File Server COFFEE.1 WstDigFF965F; Node 3; Sniffer; 50 meters]

Student note: Note that the picture is not complete. For example, there probably were other stations on the thin Ethernet. The Sniffer analyzer was connected somewhere near the end of the thin Ethernet. We don't know exactly what was on the other side of the bridge shown on the left. Originally the Sniffer analyzer was placed at the end of the topology and saw no errors. In the actual trace, the Sniffer analyzer was traded with Node 3 and saw errors. Node 3 was moved to the end of the topology and worked without incident. Client addresses and the Server COFFEE.1 all exist off of Hub 1.

Instructor Note: Questions in step 13 have been changed to reflect the actual forwarding delay of 15 bits on the Gandalf hubs. Please review them and be ready for new numbers! Questions 14 and 15 have also been reworded with new assumptions.

1. Configure the Alarm settings.
   a. Select Tools > Expert Options > Alarms tab.
   b. Click on the + next to Global to expand it.
   c. Under the LAN overload entry, notice the value of 50 (percent) as the threshold for LAN Overload.


   d. Click in the Lan Load field and change the value to 30 so we will be alerted when the lower threshold is exceeded.
   e. Click on the Apply button. Click OK to exit the Alarms.
   f. When you change these settings for your own Sniffer, adjust the Dashboard settings, too, so it will reflect the same thresholds.
   g. Open the Dashboard, click the Set Thresholds button. Change the Utilization(%) High Threshold setting to 30. Click OK and note the red area on the Utilization dial now starts at 30%. (This will have no effect unless we generate some traffic for the Dashboard to monitor.) Close the Dashboard.
2. Open the file C:\202GUI\HUB6ARC.caz.
3. Click on Global Symptoms. What are the symptoms? LAN overload and Bad CRC
4. Let's take a closer look at these errors.
   a. Click on the Objects tab on the upper right. (Drag the separator bar to the bottom if the tab is not visible on the right.) Specific information about the condition should now appear.
   b. Click the icon to see the Expert Explain on the LAN Overload symptom. Read the explanation of the problem and possible remedies. Close the Help window when done.
   c. What is the First Time for the LAN Overload symptom? 16:36:56.765 (or 4:36:56:765 PM as it will show later)
   d. What is the Duration of the symptom? 1s 436 ms (1.436 seconds) (4:36:56:765 + 1:436 = 4:37:492:765 PM end time)
   e. What was the value recorded for Maximum and Average LAN Overloads? 35% Maximum, 11% Average
   f. Record the stations involved. 4 stations: WstDig0A065A, WstDigFF965F, Gandlf100738, and WstDig178C41
   g. Click the F7 key and observe the similar information on the Bad CRC symptom.
5. Click on the Summary tab to return to the Expert Overview window. What are the symptoms at the DLC layer? What stations are involved? Runt frames (2 stations: WstDigFF965F and Gandlf100738)


   What are the diagnoses at the DLC layer? What stations are involved? High rate of physical errors (3 stations: WstDigFF965F, WstDig96EC2C and WstDig178C41)
   Are any of the stations involved in the LAN Overload condition also reporting errors at the DLC layer? Yes, 2 out of 4 were involved in the DLC Diagnosis (WstDigFF965F and WstDig178C41 sent bad frames); 2 out of 4 were involved in the DLC Symptoms (WstDigFF965F and Gandlf100738 sent or received Runt frames).
6. Press the Decode tab to display the data. Enable Relative time if the column is not visible. What is the total time of this capture? Only 11.201 seconds
7. In the next few steps we are going to try to determine what, if any, correlation exists between the LAN Overload condition and the bad frames. This is a common approach used by analysts when troubleshooting. The questions one might ask are: Are the bad frames the result of excessive collisions that will occur whenever utilization on an Ethernet network starts to reach a critical state? If so, with the topology involved, at what maximum point within a frame could one expect damage to occur? In this example, one simple way to begin to rule out a correlation is to look for bad frames occurring at times when no LAN overload condition exists.
8. Referring to the time you recorded earlier for the start and duration of the LAN Overload, let's use a filter to display only bad frames.
   a. Select Display > Define Filter > Profiles > New. Name it allbadframes. Click OK and Done.
   b. Select the Advanced tab.
   c. Disable Packet Type Normal, which will leave only problem frames enabled. Click OK.
   d. Select the allbadframes display filter. Display > Select Filter > allbadframes > OK. A new Filtered x window should open with 2503 frames.
9. Zoom in (F4) on the Summary window. We're going to examine the Status column.
   a. Enable the Summary Display Optional Fields, Status, Absolute Time and Bytes (Len) by clicking on Display > Display Setup > Summary Display > Optional Fields. Click OK.
   b. What types of errors do you observe? Lots of Alignments and Runts, 21 Collisions, 1 Fragment, and 11 CRCs
10. Scroll over to the far right-hand column and scan through the Absolute Time values.

   a. Did most of the bad frames happen during the LAN Overload? The bad frames were happening before the LAN Overload, during the LAN Overload, and after the LAN Overload. (Expert shows military time, decode shows AM, PM)
   b. In your judgement, are the bad frames the result of the LAN Overload condition? The error frames are not just due to the network being busy.
   c. If not, what else could be a cause of the bad frames? The errors could be caused by signal reflections, noise, hardware problems, propagation delay, etc.; at this point we don't know enough to isolate the problem.
11. Scan through the LEN (Bytes) column values. The Sniffer stops capturing a frame when a collision causes the bits to no longer be recognizable. With a network only 50 meters in length, would you expect to see collisions occurring so far into the Ethernet frames? No
12. We're now going to determine how far into the frames collision damage is occurring. To do that, you will need to define and select a new display filter.
   a. Display > Define Filter...
   b. Create a New Profile called Collisions (copy the Default profile).
   c. OK > Done.
   d. Select the Advanced tab.
   e. In the Packet Type text window, clear all of the boxes except for the Collision box.
   f. Click OK to save the filter.
   g. Display > Select Filter... When you select the Collisions filter, you should see a new Filtered x window appear with 21 frames.
   h. Zoom into the Summary window and observe the LEN (bytes) column. What is the largest collision frame recorded? 11 bytes
13. With a network of six repeaters in series and a total cable distance of fifty meters between end stations in the collision domain, do the collision frame sizes seem appropriate? (Hint: each of these hubs adds about 15 bit times of latency to the network. Also, in 10BaseT each bit is 17.7 meters long.) To determine the answer to this question, let's calculate the round trip delay (use the Windows calculator if you like):


   a. Cable latency in bit times = total distance / length of bit: 50 / 17.7 = 2.82 bits
   b. Total Hub Latency in bit times = latency of each hub * number of hubs: 15 * 6 = 90 bits (/ 8 = 11.25 bytes)
   c. Total Delay = cable latency + total hub latency: 2.8 + 90 = ~93 bits (/ 8 = 11.6 bytes)
   d. Round trip latency = Total Delay * 2: 93 * 2 = 186 bits (23.2 bytes)
   e. Subtract preamble (preamble is on the wire only): 186 bits - 64 bits = 122 bits (15 bytes)
   f. Subtract CRC (CRC is on the wire only): 122 bits - 32 bits = 90 bits (11 bytes)
   g. Total number of bytes displayed in the Sniffer: 90 bits / 8 = approx. 11.25 bytes or > 11
   h. Compare your calculations to what you're seeing on the Sniffer Pro analyzer. Does your worst case calculation concur? The collisions (maximum of 11 Bytes) are Legal (appropriate) for this network design. These collisions are also within 64 bytes, which is an IEEE "LEGAL" collision.
14. Was the fact that the network broke the 5-4-3 rule the reason the collision is occurring so far into the frame? No, the network is only 50m or 3 bits in length. The accumulated propagation delay of the 6 hubs is what caused the collision to occur so far into the frame.
15. Will extending the length of each of the hub lengths to their maximum of 100m cause late collisions that occur beyond the 64th byte mark in the frame? Potentially yes.
16. In the next few steps, we are going to look at a conversation in the original trace file and attempt to isolate the location of the problem on this LAN. Note that on the network diagram, the Sniffer Pro is behind the suspect cable. Sniffer Pro will therefore see error frames from this conversation that really do not exist, due to the intermittent cable problem.
   a. Select the Expert tab to return to the main file.
   b. Click on the DLC Objects column.

   c. Click on the WstDig96EC2C address in the Summary view to select it.
   d. Click on the Display Filter icon to filter on this node; a new Filtered x window appears.
   e. What are the errors noted in the Status column? Mostly Alignment and a few Runt errors.
   f. Notice that throughout the conversation between these two nodes, not one frame is resent, even the runt frames!
   g. Is this conversation operating normally? It must be.
   h. Apply your filter for Collision frames. Are there any collisions in the conversation between these two nodes? No
   i. There are Runt frames in the trace file between these two nodes. What are they if not the results of a collision? To find out, define a new filter for Runt frames only and select it. How long are the frames? All 56 bytes - could be an indication of a partial reflection but it is more like a standing wave that can run the entire length of the cable after the node has finished sending. True reflections occur BEFORE the 32nd byte in a frame. There are no AAs or 55s in the frames, either, indicating it was a local collision on a coax segment.
17. Based on the errors reported in the Sniffer, is the conversation working correctly? No (at the Sniffer end of the network).
18. Where is the "Fault Domain" and what is causing this problem? The conversation is working correctly between the workstation and the server -- so something is damaging the frames between the workstation and the Sniffer.
19. If you could physically inspect the cabling in the Fault Domain, you would notice a piece of ARCnet cable (RG62) connecting a machine to the Thinnet (RG58) segment. Could replacing bad cable correct physical layer errors? Yes!
20. Close the trace file window.
21. Stop here. Do not proceed to the next exercise.


Exercise Section 4: Hubports


Objective: Use two related trace files to isolate the cause of physical errors on a 10BASE-T network. Evaluate traces taken by the DOS Sniffer with Sniffer Pro.

Background: A user on a 10BASE-T network was experiencing intermittent problems. Other users appeared to be working fine. Two DOS Sniffer analyzers were used to take "simultaneous" traces. One trace (Hubport2) was taken at the user's work area by disconnecting the drop cable at the back of the workstation and attaching it to the Sniffer's RJ-45 port. The second trace (Hubport1) was taken at the 10BASE-T hub that served the user's work area. (See the diagram below.)

We are going to show you how you can use a single Sniffer Pro to perform analysis and comparison on two trace files.

[Network diagram: 10BaseT Hub; Hubport 1: Sniffer on known good port; Hubport 2: Sniffer on suspect port; NetWare client: Novell~FAA; NetWare File Server: 3Com~704; NetWare Client: 3Com~F91]

Fact One: The user's PC was replaced by a Sniffer analyzer.
Fact Two: Another Sniffer analyzer is plugged into a known good port. Both Sniffer analyzers were capturing simultaneously.

1. Evaluate the network diagram then proceed.
2. Think about different ways to approach isolating the source of the problem. What have you come up with?
3. Use the Display menu > Display Setup..., disable the Expert tab.
4. Open the files C:\202GUI\Hubport1.cap and Hubport2.cap.
5. Use Window > Tile to display both files simultaneously and do a frame to frame comparison. (Use the Ctrl-Tab keys to switch between the windows.)
6. How many frames are in the file Hubport1.cap? 71 Hubport2.cap? 75
7. These two trace files start at different frames because the captures could not be started at exactly the same time. You will need to "align" the two trace files to start at the same frame.


Think about different ways to approach aligning the two trace files to start at the same packet before continuing with the lab.
8. We're going to align the two trace files by examining the first frame in Hubport1.cap for a unique string of data and then search for that string in Hubport2.cap.
a. In frame 1 of Hubport1.cap, notice the NCP read command ("Read 512 at 2812416"). The offset value (2812416) is the unique string we will use to align these trace files.
b. Ctrl-Tab to Hubport2.cap > click on frame 1 in the Summary window.
c. Use the Find Frame feature to find the first frame that matches this string:
- Right Click in the Summary window > Select Find Frame
- Choose Text tab
- Input the value of the offset (2812416)
- Search from = Summary text
- Search Direction = Down
d. Click OK.
9. What is the frame number in Hubport2.cap that matches Frame 1 of Hubport1.cap? Frame 5
If the "found frame" in Hubport2.cap matches the first frame in Hubport1.cap, can we assume that the rest of the trace will match as well? If they were both set to capture without a filter, yes.
10. Since we have found a frame in Hubport2.cap that matches Frame 1 in Hubport1.cap, we should be able to select all of the rest of the frames as well. If we select these frames as a group, we should have a file that matches Hubport1.cap exactly. Let's give it a try:
a. Right Click in the Summary window of Hubport2.cap.
b. Click Select Range.
c. Choose Range, From = 5, To = 75.
d. Click Select. Note: The boxes to the far left of frames 5 to the end of the trace should contain an X.
e. Right Click in the Summary view.
f. Click Save Selected. A new window titled Snif(n) should appear (The n represents a number). The new window should have 71 frames and be aligned frame for frame with Hubport1.cap. We don't need the Hubport2.cap file any longer so close it now.


11. Do a quick comparison of the first few frames to verify that the traces are aligned.
12. Choose Window menu > Tile so we can see parts of both windows.
13. The next thing we need to do is quickly search through each of the trace files to locate any bad Ethernet frames. We'll use the Find Frame feature again:
a. Highlight the Snif(n) window, select Alt-F3 (the Find Frame window should pop up). Choose the Status tab and select all frame error boxes under Trigger, then select OK.
b. Were any bad frames located? If so, write down the frame number(s) here: Yes, Frame 40
c. Repeat the search until there are no other error frames.
14. Repeat the search process with the Hubport1.cap window.
a. Were any bad frames located here? No
b. What could account for the differences in the traces? One trace was captured from a known good port on the hub, the other was taken from a suspect port.
15. While looking at the Hubport1.cap Summary view, use Display > Go to Frame, to go to the frame number of the bad frame from the Snif(n) window (recorded in Step 13). Compare the two frames in each of the windows. Have you gotten closer to isolating the problem? You should be able to see that the frame is damaged in one trace and is not in the other. Think about the situation that might cause this to happen. You may think the problem in frame 40 of HUBPORT2.cap was caused by a collision. But if it were a collision, HUBPORT1.cap would have seen a damaged frame also. In addition, if a collision had occurred, the NetWare client would have retransmitted the data. But in HUBPORT1.cap, we can see that the client and the server seem to think there was nothing wrong with frame 40. It seems that only the Sniffer analyzer on hubport 2 saw a problem. In fact, that was the case: the port was bad. The hub took a good frame off the backplane and output a bad frame at the bad port only.
16. Use Display > Display Setup and Enable the Expert tab on the General window and close all open windows without saving.
17. Stop here. Do not proceed to the next exercise.
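The align-and-compare procedure of steps 8 to 15, as an added Python example (not part of the course material or of Sniffer Pro). The frames are constructed stand-ins shaped like the two Hubport traces, and `Frame`, `align`, `compare` and `build_sample` are names made up for this example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Frame:
    data: bytes    # frame bytes as the analyzer captured them
    crc_ok: bool   # False when the analyzer flagged CRC/alignment/runt damage


def align(reference: List[Frame], other: List[Frame], marker: bytes) -> Optional[int]:
    """Return the index in `other` of the frame that matches reference[0].

    `marker` is a byte string taken from reference[0] that should be unique in
    the trace (the exercise uses the NCP read offset). None means the marker
    is missing or ambiguous, so the traces cannot be aligned on it.
    """
    if marker not in reference[0].data:
        raise ValueError("marker does not occur in the first reference frame")
    hits = [i for i, frame in enumerate(other) if marker in frame.data]
    return hits[0] if len(hits) == 1 else None


def compare(reference: List[Frame], other: List[Frame],
            start: int) -> List[Tuple[int, Optional[int], str]]:
    """Walk both traces in step from the alignment point and list disagreements.

    Each finding is (reference frame number, frame number in `other`, verdict),
    with 1-based numbers as an analyzer displays them.
    """
    findings = []
    for i, ref in enumerate(reference):
        j = start + i
        if j >= len(other):
            findings.append((i + 1, None, "not captured at the second tap"))
            continue
        oth = other[j]
        if ref.crc_ok and not oth.crc_ok:
            verdict = "damaged only at the second tap"
        elif oth.crc_ok and not ref.crc_ok:
            verdict = "damaged only at the reference tap"
        elif not ref.crc_ok:
            # Both taps saw damage, as a collision on the shared path would cause.
            verdict = "damaged at both taps"
        elif ref.data != oth.data:
            verdict = "good frames differ (traces are not aligned here)"
        else:
            continue
        findings.append((i + 1, j + 1, verdict))
    return findings


def build_sample() -> Tuple[List[Frame], List[Frame]]:
    """Constructed stand-ins for Hubport1.cap (71 frames) and Hubport2.cap (75)."""
    def ncp_read(offset: int) -> bytes:
        return b"\x22\x22" + f"NCP Read 512 at {offset}".encode()

    first = 2812416                       # offset quoted in the exercise
    good = [Frame(ncp_read(first + 512 * i), True) for i in range(71)]
    # The suspect-port capture started four frames earlier.
    earlier = [Frame(ncp_read(first - 512 * k), True) for k in range(4, 0, -1)]
    suspect = earlier + list(good)
    # The bad hub port corrupts what the reference tap saw as frame 40.
    suspect[4 + 39] = Frame(good[39].data[:12] + b"\xff" * 6, False)
    return good, suspect


if __name__ == "__main__":
    hubport1, hubport2 = build_sample()
    start = align(hubport1, hubport2, b"2812416")
    print("Hubport2 frame matching Hubport1 frame 1:", start + 1)
    for finding in compare(hubport1, hubport2, start):
        print(finding)
```

A frame flagged "damaged only at the second tap" is the case the exercise resolves as a bad hub port; damage at both taps points back to the shared path instead.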


Exercise Section 4: More Problems


Objective: Evaluate and describe the traffic from a network that was experiencing problems.

1. Open the file C:\202GUI\BADCABLE.cap. What are the Expert diagnosis and symptoms at the DLC layer? How many are there? 1 diagnosis - High rate of physical errors, 18 symptoms - Runt frame, DLC source address multicast and DLC source address broadcast. View the Decode window. How many frames are there in this trace? The total number of frames is 79
2. Select the allbadframes display filter to show only error frames.
a. How many damaged frames are there in the Filtered x window? 56 frames
b. Based on the number of Runt, Alignment and Bad CRC frames, do you think there's a problem? Absolutely! 56 out of 79 frames in error is a 71% error rate. We'll discuss later some of the rules of thumb for excessive damaged frames.
3. Scroll right in the Summary panel. What is the range of the size (in bytes) of the damaged frames? 2 ~ 566 bytes
4. Evaluate the Delta times between some of the damaged frames. Is there any consistency to the delta times? No, it varies between .0001 and 1.9 seconds.
5. Look in the Hex window for evidence of hardware-related problems. Do you think this is a hardware-related problem? How would you describe the damaged frames? Yes. Many of the longer damaged frames include more than 8 bytes of FFs.
6. What would you do next to fix this problem? Consider using binary search method to isolate the problem and identify where the damage is occurring. The problem here is that someone put his own plugs on UTP and incorrectly connected the wire pairs so there was no Common Mode Rejection of noise. It might as well have been flat satin wire. The FFFFs show that noise was affecting the traffic and changing the 0 bits to 1s. Unfortunately, noise is not always so obvious and does not always leave the telltale FFFFs.
7. Close the window.
8. Stop here. Do not proceed to the next exercise.


Exercise Section 4: Test Your Skill


Objective: To evaluate several different types of frame corruption.
Hint: Consider using the Sniffer Pro Ethernet Error Analysis table located before the exercise slides in your student guide.

1. Configure the Display options to show DLC addresses in the Summary view: Display > Display Setup > Summary Display tab > disable Show Network Addresses
2. For each of the following files, write down the characteristics of the damaged frames (length, any pattern present at the end of the frame, whether frame appears to be repeated, etc.) and assess the probable type of frame corruption demonstrated in the trace. Assume that the trace shows a representative sample of the error. Close each window when you've answered the questions. Choose between: Normal collisions, Propagation delay, Reflected signals, Electrical noise, Hardware problems
a. C:\202GUI\01.cap
Sniffer Pro shows collision indication in the Status column. The Hex window shows that the bad frame, Frame 2, is perfectly truncated at Byte 12, indicating that this trace was taken from coaxial-based media. Frame 3 is most likely a retransmission of Frame 2. Probable cause: Legal local coax collision. This trace came from a pulp and paper mill where the thick and thinnet cables were occasionally run over by forklifts carrying a large roll of paper. The steel pipe that was embedded in the grooved concrete floor (it carried the coax) had become crushed over time. The problem always surfaced for a moment whenever the forklifts ran over the crushed pipe containing the coax cable.
b. C:\202GUI\05.cap
(Note: For a detailed review of this trace file, please consult the document "trace file addendum" located at the back of this manual.) Legal and late collisions caused by a faulty (crushed) cable. Sniffer Pro shows frames with collision indication in the Status column. Also, the Summary window indicates that the collision on frames 4 and 6 occurred after 64 bytes. This is accurate, but on these larger size frames it is difficult to tell if the frames have been truncated because Sniffer Pro does not decode past the DLC layer. So we can't tell (from layer 3 info) how big the frame was supposed to be unless we manually draw out the layer 3 details. (Protocol forcing does not give us an option for the DECnet DRP protocol, only LAT.)


c. C:\202GUI\06.cap
Sniffer Pro shows frames with collision indication in the Status column. All are small 24 byte frames. Contains DLC addresses, no pattern at end of frame. Probable cause: If this were truly representative of the traffic, it's probably signal reflection.
d. C:\202GUI\16.cap
Variable but small-sized frames. All have 11-12 bytes of 55s, representing hub/repeater jam, appended to 43 bytes of data. Probable cause: repeated collisions on a remote 10BASE-T network. They look like reflections but cannot be. Remember, the majority of the signal moves towards the termination and will not be reflected back. That means that in a full-size 32-byte network, the collision can never be more than one-half the network; that's 16 bytes from the center to the unterminated end and 16 bytes back towards the sender headed towards the termination. That's 32 bytes total. This is just a lucky break. The frames were selected to create the individual trace to ensure the students learned to identify this pattern as hub jam, not reflection. It is strictly coincidental that the collision occurs 55 bytes into the frame.
e. C:\202GUI\17.cap
Sniffer Pro indicates that frames 5 through 8 are damaged by collisions. Frame 7 and frame 8 are late collisions, as indicated in the Summary and Expert views. Four damaged frames come from same source. Frames 5 and 6 are truncated at byte 42. Frames 7 and 8 are truncated late at byte 86. Frames 7 and 8 are evidence of late collisions combined with signal reflection. There are possibly multiple problems with this network. Probable cause, in order: Propagation delay, hardware, and signal reflection.
f. C:\202GUI\21.cap. (Be sure to look at frames 124, 178, 179 and 321.)
Sniffer Pro reports Alignment and CRC errors in the decode Status column. The Expert doesn't report any errors other than the Global CRC errors. This may seem odd with so many problems in this trace. The answer is that the Expert builds the object database from addresses seen in frames without CRC errors. Then, when it sees what it knows is a valid address associated with a problem frame, it reports the Symptom/Diagnoses. Since every frame in this trace has a CRC error, the Expert never builds the object database, never learns the valid addresses and therefore has nothing to associate a Symptom/Diagnoses with. Even though the addresses here are most likely valid, the Expert would not have learned that.

If you need to demonstrate this, load FRAGS.cap. Select the allbadframes filter. You will have a decode full of Alignment, Fragment and Runt frames. Select a few of one kind and Save Selected. You will notice that Alignment and Fragment frames all have CRC errors and the Expert will not learn about any DLC objects associated with those frames. However, Runt frames do not have a CRC error and the Expert will learn about those DLC objects.
Probable cause: Hardware, a jabbering NIC.
3. Close all open windows.
4. Use Display > Display Setup > Summary Display to reset the Display option to Show Network Addresses.
5. Stop here. Do not proceed to the next exercise.


Exercise Section 4: Errors


Objective: Use filtering options to identify physical errors on an Ethernet Network.

Background: The NFS client pc150 [192.9.200.150] is experiencing problems communicating with the NFS server natco-4 [192.9.200.203]. The client and server are separated by a repeater.

1. Open the file C:\202GUI\FRAGS.cap. Click on the Decode tab and note the frame count. How many frames? 1173
2. Let's investigate how many of the frames in this trace have been damaged in some way. Apply the allbadframes filter to only show the bad frames.
a. How many frames are bad in the Filtered x window? 111
b. Does this seem to be a problem? 111 bad frames in 1173 is more than a 9% error rate. It certainly warrants more of an investigation.
c. Return to the Decode tab to show the original entire trace.
3. Look at the detail of frame 1. This should be part of a conversation between [192.9.200.150] pc150 and [192.9.200.203] natco-4. The subnet mask for these devices is 255.255.255.0. Are they on the same or different subnets? The same subnet.
4. Let's apply a filter to isolate this conversation.
a. Click on the Matrix tab. Change the view to IP and use Ctrl-click to highlight [192.9.200.203] and [192.9.200.150].
b. Click on the Visual Filter icon to create the filter.
c. How many frames are in this new Filtered x window? 947
5. Now let's analyze the conversation between these two stations. Right click on the current Filtered x window and choose Create New Filtered Window. This will allow Expert analysis of these frames. The new window should be named FilteredFramesx.cap.
a. Use the search function to find any frames that contain physical errors (or other symptoms): Display > Find Frame > Expert tab > Any symptom/diagnosis string > Down > OK. Use F3 to repeat the search.


b. When a bad frame occurs, notice who is sending the frame and the C/R sequence. Does the conversation recover after each error? Yes, for error frames up to Frame 940. Starting with Frame 941 it does not recover.
c. Prior to frame 941, is [192.9.200.203] or [192.9.200.150] always receiving a bad frame? Both are receiving bad frames. This would rule out a bad NIC card in one of the nodes.
d. Repeat the process to find and analyze all of the error frames in this conversation. How many symptom frames are there? 17 frames have symptoms, some are physical errors, others are NFS problems.
e. Apply the allbadframes filter to this trace to see how many frames contain physical errors. How many frames do we see in the new filtered trace? 11
f. What types of physical errors are found in this display? Alignment errors
g. Does the number of errors found here seem excessive? 11 errors in 947 frames equals slightly more than 1% errors. This does not seem to be a problem.
h. Use F4 to zoom in the Hex window and look at the damaged frames. What do you notice about the damage? 4 of the frames show 5555s. All frames are damaged beyond 64 bytes.
6. Can we draw any conclusions? 5555s are evidence of hardware problems or collisions. If they are collisions, they all extend beyond 64 bytes and would be late or illegal collisions indicating a possible out of spec network or propagation delay.
7. Press the Decode tab to return to the FilteredFramesx.cap display window with 947 frames. GoTo Frame 943 and evaluate the conversation.
a. Does the conversation seem to continue normally at this point? No, we see PC150 sending messages but Natco-4 never responds. The conversation always recovered prior to frame 943.


b. What is the delta time between frames 941 and 943? 206.953.080 seconds!
c. What could cause this type of delay? A number of problems or changes in the physical network could cause the network to go down for this amount of time (over 3 minutes!), all of them caused by human intervention.
8. Based on what we know now, draw a diagram of this network including the cabling, PC150 and Natco-4, the repeater, the Sniffer, and any other devices that you can identify. Use the diagram to try and isolate the problem.
9. Close the windows without saving.
10. Stop here. Do not proceed to the next exercise.


Exercise Section 4: Evaluating Hub Jams


Objectives: Be able to recognize indications of a Hub/Repeater Jam by examining examples taken from a live network.

Procedure: Open these trace files and answer the questions for each:
C:\202GUI\19.cap
C:\202GUI\20.cap
C:\202GUI\BAD03.cap
1. Open and evaluate the Expert information. There are no symptoms or diagnoses in any of these traces.
2. Press the Decode tab to display the frames.
3. What type of frame damage is present?
a. File 19.cap Shows one Runt frame, 7 bytes in length with all AAAAs.
b. File 20.cap Shows one Runt, 8 bytes long, all AAAAs.
c. File BAD03.cap Shows two Runts, each 8 bytes long, with all 5555s.
Instructor Notes: From the Hex view point out the characteristics of a hub jam as seen on the Sniffer analyzer: 5555555s. May also see AAAAAAs. Hubs are repeaters. When they detect a collision off of a port, they will jam and ensure at least 96 bits. The first 62 bits are defined by IEEE to be 10101010... Presumably the real preamble came from the sender of the frame. A collision occurred. It was followed by the repeater's jam. The repeater jam is 96 bits. When we see 8 bytes of AA or 55, we are seeing the first 64 bits of the jam. The remaining 32 bits are used by the Sniffer Pro analyzer for the CRC check and thus are not visible.
4. Close all open windows.
5. Stop here. Do not proceed to the next exercise.


Exercise Section 4: Ethernet Physical Errors (Optional)


Objective: Determine whether apparent frame errors should be counted as part of overall Network statistics.

Background: The parallel tasking feature of many Ethernet cards can throw off baseline statistics unless you know what to look for.

1. Manually create address book entries for the two stations communicating in this trace. Assign the name Server to 161.69.97.200 and Client to 161.69.97.202. Enable Show network address in Display > Display Setup > Summary Display.
2. Open and display the trace file C:\202GUI\BADCRC.cap. Press the Decode tab to display the data.
3. In Frame 1, we see Client (NGC 030B4D) issue an SMB Read command for 32 kb of data, starting at offset 3964928 (00803c00h) for the file handle (F=) 1009.
4. Frames 2 and onwards show Server using NetBIOS to move 1460-byte blocks of data (over a TCP connection) until the TCP window is filled and an acknowledgement is received. (Note that the first block of data is 1456 bytes.)
a. What is unusual about frame 6? Bad CRC
b. What is the frame length? 978 bytes
c. From the information within the IP header, what size frame did the IP stack on Server indicate that it was sending to the DLC layer for encapsulation? 1500 bytes, a maximum size frame. The Sniffer also notes the frame was retransmitted in frame 13, but the Summary window associates it with frame 14. Frame 13 is the retransmission looking at the hex data and the TCP sequence number.
5. Let's change our display to show only the TCP protocol information:
a. Display > Display Setup > Summary Display tab.
b. Click on the All button on the bottom to exclude all protocols, then press T repeatedly until you find Transmission Control Protocol. Uncheck the box for it, then click on OK.
c. You should now see only the TCP layer displayed.
d. Lastly, adjust the width of the Summary column in the main display to allow the ACK, SEQ, LEN and WIN values to be displayed. (Instructor Note: Note that the column will retain this length for all future trace files until you change it again, or until you delete the Sniffer.INI file in your operating system's configuration files directory.)


6. Examine the LEN= value in the Summary view for Frame 6. What is the value? 924 bytes
a. Look at the Len(Bytes) column in the Summary window. How many bytes are there in the frame? 978 bytes
b. What is the IP total length? 1500 (Sniffer is showing the actual length of the data in the Summary panel line rather than what was originally sent.)
7. What is the delta time between Frames 7 and 8? 323.6 milliseconds.
a. Does this appear consistent with the times for previous exchanges of data between these two stations? No, it is much longer.
b. Frame 8 is a retransmission of which previous frame? Frame 2, from the sequence number 60142096. (If you go back to frame 2, the Sniffer tells you it was retransmitted in frame 8.)
c. Why is the Server retransmitting frames? It did not receive an ACK from Client before the retransmit timer expired.
8. Look for the retransmitted frame that has the same SEQ number as frame 6 (the bad frame). In which frame did you find it? Frame 13 (The first line of the TCP header in frame 6 points us to frame 13)
9. To confirm that the communication continues normally, compare Client's next SMB Read in Frame 38 with that of Frame 1. Is the Read 32KB further into file 1009? Look in the SMB detail of this frame at Starting offset. Yes, the next read is 32KB further into the file, 3997696.
10. We have just seen a scenario where a corrupted Ethernet frame causes the upper layer protocol to time out and retransmit. Now, let's examine a scenario where things do not proceed as we expect.
11. Close the trace file, in preparation to load a new one. Also, return to the Display Setup > Summary Display tab, and click on the None button to clear all the protocol filters. Click OK.
12. Click on the Address Book icon on the main toolbar. Change the Server's address to 206.116.6.132, and the Client's address to 206.116.6.135. When you have edited both stations, close the address book.
13. Open the trace file C:\202GUI\BADCRC-1.cap and click on the Decode tab to display the frames.
14. In Frame 1 Client opens the file PRO40A1.TMP. In Frame 3 it issues a command to the server of Write Block Raw 65520 bytes at offset 0 of the file. Then Client starts sending the data using NetBIOS in frames 4 and 5. Frame 6 is a TCP Ack to frames 4 and 5.


15. Frame 7 shows Server's response to Client's write request in frame 3. Look in the SMB Write Raw Data header. It indicates Server is ready to write the data Client will send. The Bytes actually written shows 0, the bytes remaining to be read is 65535 (actually a little more than the client said it would send.) Evidently it has not read the NetBIOS data sent in frames 4 and 5 yet.
16. In Frame 8 we see Client use NetBIOS to write another 1456 bytes of data.
17. Examine the Status and LENgth columns in the Summary view along with the Detail window of Frame 9.
a. What kind of error does Sniffer Pro post against the frame? CRC error
b. What is the frame length? 516 bytes
c. What type of problem do we normally associate with this type of frame corruption? Electrical noise
18. Now examine Frame 10. With the exception of the actual frame length, do Frames 9 and 10 appear to be the same? To be sure, compare the unique IP Identification fields, IP Length fields, the unique TCP Sequence numbers and Hex ASCII data patterns. Both Frames 9 and 10 are identical: same IP Identification fields (14342, incremented by at least one for each frame sent), same IP Length fields of 1500 (although the first frame contains considerably less than 1500 bytes), and same TCP Sequence numbers (60550401). Even the TCP Checksum fields are the same, although the first frame contains less data than the second frame, which means the Checksum must be different as Sniffer analyzer points out (8722). The Hex data matches to the point of corruption.
19. When a frame is damaged in transit that is not the result of a legal collision, the receiver will request the SMB Write again. Does this occur? No, Server does not request the write again in Frame 73. In fact, the client continues onward, with Server's permission, in writing the next 64KB of data in Frame 75.
20. Now examine the Delta time between Frames 9 and 10.
a. How much time elapses between when Expert Sniffer Analyzer sees the beginning of Frame 9 and when it sees the beginning of Frame 10? 1.6 ms elapses between Frames 9 and 10.
b. How is it possible that Client knew it had sent an undersized and error frame and compensated by retransmitting it immediately? Normally, it is impossible for a sender to know it transmitted a bad frame or that its frame became damaged in transit and, subsequently, retransmit it immediately. Normally, the receiver's transport layer protocol makes the decision to have the original frame retransmitted properly, which may include repeating the entire write process of all 64KB as we saw in the earlier example.


c. After reviewing a typical retransmission as in the earlier trace file, doesn't this seem more like "magic" than a protocol with a structured retransmission mechanism at work? Yes, this does defy convention and seems more like magic than normal communication.
21. Use F8 repeatedly to advance to Frame 17. Use the same method to compare Frames 17 and 19. Does the earlier situation repeat itself or is this a different problem? The situation repeats itself in Frames 17 & 19.
22. There is a general performance guideline for baselining that suggests a network segment should have no more than one CRC error per MB of data seen "on the wire." Do the cumulative physical errors exceed this guideline? There are 2 physical errors, specifically CRC errors, for 153,902 bytes seen on the wire. If 1 CRC error for 1MB of data = 100%, then 2 CRC errors for 154KB = 1,300%. This exceeds the guideline substantially!
23. It may be difficult for us to speculate as to what is causing the CRC-error frames to be retransmitted so quickly in the second trace file. In reality, it is the implementation of a relatively new performance feature called early transmit. The frame is copied from the PC's memory buffer directly to the network, instead of going through the NIC's memory buffer first. Unfortunately, the PC in this trace file couldn't provide the data fast enough to the NIC card, which was creating and transmitting the frame simultaneously. Subsequently, the first frame was undersized and aborted. Fortunately, the entire frame was ready for transmittal the second time, in both instances. There are actually two scenarios that can cause this kind of problem. One scenario involves incompatibilities between PCI-based personal computers and PCI-based Ethernet NICs. Another scenario involves early transmit. This trace file deals with early transmit of newer high performance NIC cards with parallel tasking or pipelining features. This trace file came from a client and server using 100MHz Pentium PCs with 64MB of RAM and 3COM 3C59x PCI-bus based Ethernet NICs. Although the PCs were fast, the NIC was faster. (Note that an operating system and concurrently executing applications can also bog down a fast PC so as to cause the transmit underrun situation.) Periodically, the PC couldn't provide the data for an entire frame before the NIC had sensed the 10BASE-T network was free and started sending the frame it was creating on the fly. The result is a 516 byte frame instead of a 1514 (Sniffer analyzer interprets the last 4 bytes in an Ethernet frame as the CRC and doesn't show them to us). SMC uses an Early Transmit Threshold (ETT) of 64 bytes with an increment of 8 bytes for each transmit underrun situation. It appears as though 3COM uses an ETT of 516B.
24. Close all open windows.
25. Stop here. Do not proceed to the next exercise.
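The comparison made by hand in steps 18 to 23, as an added Python example (not part of the course material or of Sniffer Pro): each CRC-error frame is matched to the frame that resent it, separating a sender abort (same IP Identification and TCP sequence within milliseconds) from a timer-driven TCP retransmission. The frames are constructed; the 5 ms window, the MAC addresses, the IP IDs 700 to 707 and every function name are assumptions of this example.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

UNDERRUN_WINDOW = 0.005   # seconds; assumed cut-off (the pair in the exercise is 1.6 ms apart)
SENDER_ABORT = "sender abort, same frame resent at once"
TRANSPORT_RETRANSMIT = "damaged frame, recovered by TCP retransmission"
UNRESOLVED = "no matching resend seen"


@dataclass(frozen=True)
class Captured:
    number: int     # frame number in the trace
    time: float     # seconds from start of capture
    data: bytes     # bytes as captured, FCS excluded
    crc_ok: bool


def tcp_identity(data: bytes) -> Optional[Tuple[bytes, int, int, int]]:
    """(source MAC, IP ID, IP total length, TCP sequence) of an Ethernet II/IPv4/TCP frame."""
    if len(data) < 34 or data[12:14] != b"\x08\x00" or data[23] != 6:
        return None
    ihl = (data[14] & 0x0F) * 4
    if len(data) < 14 + ihl + 8:
        return None
    total_len, ip_id = struct.unpack_from("!HH", data, 16)
    (seq,) = struct.unpack_from("!I", data, 14 + ihl + 4)
    return data[6:12], ip_id, total_len, seq


def classify_crc_errors(frames: List[Captured]) -> Dict[int, Tuple[str, Optional[int]]]:
    """Map each CRC-error frame number to (verdict, number of the frame that resent it)."""
    verdicts: Dict[int, Tuple[str, Optional[int]]] = {}
    for i, bad in enumerate(frames):
        if bad.crc_ok:
            continue
        verdicts[bad.number] = (UNRESOLVED, None)
        ident = tcp_identity(bad.data)
        if ident is None:
            continue
        for later in frames[i + 1:]:
            other = tcp_identity(later.data)
            if not later.crc_ok or other is None or other[0] != ident[0]:
                continue
            if other == ident and later.time - bad.time <= UNDERRUN_WINDOW:
                # Identical datagram again within milliseconds: far too soon for a
                # retransmit timer, so the sending NIC restarted an aborted frame.
                verdicts[bad.number] = (SENDER_ABORT, later.number)
                break
            if other[3] == ident[3]:
                verdicts[bad.number] = (TRANSPORT_RETRANSMIT, later.number)
                break
    return verdicts


def crc_errors_per_mb(errors: int, bytes_on_wire: int) -> float:
    """Errors per 1,000,000 bytes, for the one-CRC-error-per-MB baseline guideline."""
    return errors / (bytes_on_wire / 1_000_000)


def make_frame(src: bytes, ip_id: int, seq: int, keep: Optional[int] = None) -> bytes:
    """Constructed 1514-byte TCP frame (IP length 1500), optionally cut to `keep` bytes."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 1500, ip_id, 0, 64, 6, 0, bytes(4), bytes(4))
    tcp = struct.pack("!HHIIBBHHH", 1024, 139, seq, 0, 0x50, 0x10, 8192, 0, 0)
    return (bytes(6) + src + b"\x08\x00" + ip + tcp + bytes(1460))[:keep]


def build_samples() -> Tuple[List[Captured], List[Captured]]:
    client, server = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    # Shaped like BADCRC-1.cap: 516-byte CRC-error frame, complete copy 1.6 ms later.
    underrun = [
        Captured(8, 0.0100, make_frame(client, 14341, 60548941), True),
        Captured(9, 0.0200, make_frame(client, 14342, 60550401, keep=516), False),
        Captured(10, 0.0216, make_frame(client, 14342, 60550401), True),
    ]
    # Shaped like BADCRC.cap: 978-byte CRC-error frame, resent after the timer expires.
    timeout = [
        Captured(6, 0.0050, make_frame(server, 700, 5000, keep=978), False),
        Captured(7, 0.0062, make_frame(server, 701, 6460), True),
        Captured(13, 0.3298, make_frame(server, 707, 5000), True),
    ]
    return underrun, timeout


if __name__ == "__main__":
    for trace in build_samples():
        print(classify_crc_errors(trace))
    print(round(crc_errors_per_mb(2, 153902), 1), "CRC errors per MB")
```

Frames classified as sender aborts are the ones the exercise attributes to early transmit; counting them separately keeps them from inflating a cable-quality baseline.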


Exercise Section 5: Short Circuited Bridges


Objective: Evaluate the results of an incompatible implementation of Spanning Tree or disabled Spanning Tree.

Background: The network was in its initial stages of development. There were very few actual users connected at this time. New users were being added and the network topology was changing. Not all bridges in use were managed bridges. The few users that were connected were complaining of extremely slow response time and sessions that were disconnecting. There were no problems with the physical layer. The design of the network provided for redundant backup paths. Spanning Tree would prevent the occurrence of network loops.

Instructor Note: This trace file was taken in a lab network. The bridges were buffering and were doing 8:1 compression. The WAN links are true full-duplex.

[Network diagram: four bridges, two 192 Kb links, Sniffer Pro analyzer]

1. Evaluate the network diagram, then proceed.
2. What should Spanning Tree accomplish in this network? Spanning tree should disable one of the 192 Kb links.
3. Open the trace file C:\202GUI\SCBRIDGE.caz.
4. Select the DLC Objects. How many station (non-broadcast) addresses are displayed? Only one (WstDigFD965F).
5. Select the Global Symptoms. Record the two symptoms displayed. Broadcast / Multicast Storm and LAN overload.
6. Does this seem logical, given the number of devices detected by the Sniffer Pro? Not really.
7. Press the Decode tab to display the Summary window.
8. What is the range of Delta times for the first 10 frames? From .076 to .172 milliseconds.


9. Are all the frames the same size? Yes. They are all 60 bytes.
10. Press the End key to go to the last frame of the trace. How many frames were captured? 12,406.
   a. Observe the value in the Relative Time column. How long did it take for all the frames to be captured by Sniffer Pro? 1.576 seconds.
11. What conclusions do you make? Either that the adapter is streaming with the same frame or there is a bridging loop in the network. In fact, this is indicative of a bridging loop. All the frames are copies of the same frame endlessly circulating the network. If there had been more stations then you would see two, maybe three stations at the maximum, transmitting.
12. If the speed of the bridged links was 10 Mbps instead of the two 192 Kbps links, what effect do you think it would have on the utilization value? Nearly 100%. What would happen to the Delta times? They would decrease to about half their current range values.
13. Close the window.
14. Stop here. Do not proceed to the next exercise.
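
The loop signature from step 11, as an added example that is not part of the course material: it summarises a capture given as (relative time, frame bytes) pairs and flags a suspected loop when one identical frame dominates at a high frame rate. The 10 Mbps segment speed, the thresholds and both traces are assumptions constructed for the example.

```python
from collections import Counter

# Bytes on the wire per frame that the analyzer does not display:
# 4 CRC + 8 preamble/SFD + 12 inter-frame gap.
WIRE_OVERHEAD = 4 + 8 + 12


def loop_indicators(frames, link_mbps=10.0, min_share=0.9, min_fps=1000):
    """Summarise a capture and flag the bridging-loop signature.

    frames: list of (relative_time_seconds, frame_bytes_without_crc).
    min_share and min_fps are illustrative thresholds (assumptions),
    not values taken from Sniffer Pro.
    """
    if len(frames) < 2:
        raise ValueError("need at least two frames")
    times = [t for t, _ in frames]
    duration = times[-1] - times[0]
    if duration <= 0:
        raise ValueError("relative times must increase")
    payloads = Counter(bytes(f) for _, f in frames)
    sources = {bytes(f[6:12]) for _, f in frames if len(f) >= 12}
    deltas = [b - a for a, b in zip(times, times[1:])]
    wire_bits = sum((len(f) + WIRE_OVERHEAD) * 8 for _, f in frames)
    top_share = payloads.most_common(1)[0][1] / len(frames)
    fps = len(frames) / duration
    return {
        "frames": len(frames),
        "distinct_frames": len(payloads),
        "distinct_sources": len(sources),
        "top_frame_share": top_share,
        "min_delta_ms": min(deltas) * 1000,
        "max_delta_ms": max(deltas) * 1000,
        "frames_per_second": fps,
        "utilization_pct": 100 * wire_bits / (duration * link_mbps * 1e6),
        # One frame repeated endlessly at a high rate is the loop signature;
        # many different frames at a similar load is ordinary congestion.
        "loop_suspected": top_share >= min_share and fps >= min_fps,
    }


def constructed_loop_trace():
    """12,406 copies of one 60-byte broadcast frame over 1.576 s (constructed)."""
    frame = bytes.fromhex("ffffffffffff" "020000fd965f" "0806") + bytes(46)
    count, total = 12406, 1.576
    return [(i * total / (count - 1), frame) for i in range(count)]


def constructed_busy_trace():
    """600 different 60-byte frames from 18 stations over 10 s (constructed)."""
    trace = []
    for i in range(600):
        src = bytes([0x02, 0, 0, 0, 0, i % 18])
        body = i.to_bytes(4, "big") + bytes(42)
        frame = bytes.fromhex("020000000099") + src + bytes.fromhex("8137") + body
        trace.append((i * 10 / 599, frame))
    return trace


if __name__ == "__main__":
    for name, trace in (("loop", constructed_loop_trace()),
                        ("busy", constructed_busy_trace())):
        print(name, loop_indicators(trace))
```

On the constructed copy of the exercise's figures (12,406 frames of 60 bytes in 1.576 seconds) the estimate comes to about 53% of a 10 Mbps segment, which fits the step 12 answer that the Delta times would roughly halve as utilization nears 100%.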

Exercise Section 5: Busy Jam


Objective: Determine the cause of continued network slow downs.

Background: The network has been using hubs for some time. NetWare's Pburst was recently installed to improve the throughput when reading files from and writing files to the file server. Due to the volume of complaints about network response time, a switch was installed to give the file server the equivalent of its own 10 Mbps Ethernet segment. Network performance was not improved.

[Network diagram: Sniffer Pro, Switch, Hub, 10 Mbps NetWare Server, NetWare Clients]

1. Evaluate the network diagram, then proceed.
2. Open the trace file C:\202GUI\BUSY-JAM.caz.
3. How many DLC addresses does Expert Overview display? 18
   Instructor note: the DOS Sniffer showed 13. Sniffer Pro counts all stations receiving valid frames as objects, even if they have not transmitted any frames.
4. Click on the number posted in the Global Symptoms column.
   a. What symptom is posted? LAN overload.
   b. How long has this symptom been active? 10.096 seconds
   c. Press the Decode tab. Using the value in the Relative Time column at the end of the trace, can you determine if this symptom was occurring throughout the duration of the trace? Yes, the trace took 10.61 seconds total; Sniffer Pro adds the minimum time that the LAN will remain at overload before resolving itself, if it does.

5. Back in the Expert view, double-click on the LAN overload symptom to display more detail related to the problem. (Drag the separator bar to the bottom if you do not see the Objects tab on the top right.)
   a. What value is recorded for Maximum LAN Overload? Maximum was 94%.
   b. What value is recorded for Average LAN Overload? Average was 80%.
   c. Click on the for an explanation of this problem.
6. Given the number of DLC addresses identified by the Sniffer analyzer does it seem logical that we have a switch loop in our network? Not really. There are too many stations participating for a loop to be the cause.
7. Can we always rely upon the correctness of our network map? In most networks, no. They should be close, however.
8. Display the data and evaluate the delta times. Do the Delta times posted by the Sniffer analyzer seem consistent with a switch or bridge loop in our network? No. They are larger than one would expect to see with a loop. They are not the same frame, either.
9. Frame 1 shows an NCP command to open a file. The destination address of A1.1 is the address of the Novell File Server. If you cannot see the entire client address, adjust the width of both of the address columns until the entire address is visible.
10. Let's take a look at the lower two layers to see what's happening there.
   a. Apply our Allbadframes filter (Display > Select Filter)
   b. A new Filtered x window with 618 frames should appear.
11. Looking through the frames, do you see signs of physically damaged frames? 8 or 9 bytes of AAAAAs for the destination address and question marks for the source address. Each frame is also 8 or 9 bytes long.
12. What problems do we associate with this pattern of damaged frames? Signal Reflection and Hub Jams.

13. With the network topology (type of equipment and design) and indicators from the data, what conclusions do you reach? This is most likely not a Signal Reflection problem. We are using hubs and switches exclusively. These devices reduce the network to a series of point-to-point links with a bus compliance. Each station transmits its data to the hub/switch; the hub/switch either repeats or switches the data to the appropriate port. The transmit leads from each device are a discrete pair, as are the receive leads. We are witnessing Hub Jams (either from the hub or the switch). The real problem is that the server is still on a 10 Mbps link. By installing a switch we have done nothing to eliminate the bottleneck in the network (it is now the switch instead of the cable segment that existed earlier). The switch will also introduce one full frame of latency to all buffered frames. If the server is responding to the client, then the client port must buffer the incoming client frames. This really adds latency to all transactions and is a classic example of poor network design. Switches can be very helpful, provided they are deployed correctly.
14. Close the window.
15. Stop here. Do not proceed to the next exercise.

Exercise Section 5: Switch Traffic (Optional)


Objective: To view several types of frames captured in a switched network. You will look at typical switch-related protocols and the different VLAN tagging encapsulation methods.

Background: The first trace was captured using the Switch Expert control to SPAN a port to the Sniffer port. Several protocols are used in this switched environment: Spanning Tree BPDUs, VTP (Cisco Virtual Trunk Protocol) to maintain the tree of switches, Cisco ISL (Interswitch Link Protocol) encapsulation, CDP (Cisco Discovery Protocol), and DISL (Cisco Dynamic Inter-Switch Link). We are not going to explore the proprietary protocols, but will look at the ISL headers and use the Expert information to learn how to troubleshoot from it. Most of the data has been stripped out of the trace. You can also see the switch's MIB data when you attach to a switch. Once you get the port mirrored, the captured data looks pretty much like other Sniffer traffic with added VLAN information and switch traffic. The second and third traces show 802.1Q encapsulation.

1. Open C:\NAI\202GUI\VLANprob.caz. In the Expert windows, answer the following questions.
   a. At the Global layer, what protocols are active? BPDU, Cisco ISL and Cisco VTP
   b. What symptoms are listed? VTP versions different, VLAN not operational, Spanning Tree Topology Change, VLAN removed from Domain
   c. How many VLAN objects are there at the Global layer? 40. From the upper right panel, there are 36 VLANs, 2 domains and 2 segments. Note that some of them are FDDI and Token Ring in addition to the Ethernet VLANs.
   d. At the DLC layer, what protocol is shown? Ether and Token Ring
   e. We'll limit our exploration to the Global layer. It looks like that will provide us a lot of things to learn!
2. The Global layer symptom Spanning Tree Topology Change is related to BPDU frames. We'll start there. The Expert gives us a lot of help in determining what has happened.
3. With all five of the Expert windows open, highlight the symptom associated with VLAN #1, then look at the lower right panel to see the information shown about the BEFORE and AFTER configuration. If we had a good network map, it would be very easy to see how the mesh has changed with this information. It's a lot better than trying to make sense of the series of frames on our own!

   a. What is the Priority ID of the root bridge before and after the change?
   b. Before: 0001.0060478F9A00 After: 012c.00100706D000

4. Click the Decode tab. Look at the details of the first BPDU frame. What type of encapsulation is it using? Are all the frames encapsulated? It is a standard Ethernet frame encapsulated in an ISL header. The Ethernet frame is directed to the multicast address 0180C2000000. No, all the frames are not encapsulated. Some of the DISL frames have just a DISL header with two parts: one that looks like a version 2 DLC header followed by a Pseudo LLC/SNAP header that contains the DISL information. CDP frames are not encapsulated, either. They look like standard LLC/SNAP frames. (In the original unfiltered trace, there were also NSAP frames that were not encapsulated.)
5. Notice that frame 9 has a different Pri number from the earlier frames. Look at the BPDU header of frame 9. Compare the BPDU header information with frames 1-8. What is different about the flags in this frame? It is a topology change frame.
   a. Compare the root ID in frame 8 and frame 9. Does this agree with what we saw in the Expert? No, frame 8 shows the root as 8000.Cisco58F9AFD, frame 9 shows 0001.Cisco58F9A00 as root. These frames are repeated in frames 29 and 30.
6. Since these frames didn't apply to the information we saw in the Expert, go back to the Expert and highlight the VLAN #1 Spanning Tree Topology Change symptom, then press the Expert's Display Filter icon.
7. Compare the root identifier in frames 9 and 113. Does this match what we saw in the Expert? Yes, this is what triggered the symptom. The BPDUs in the trace allowed the Expert to build the BEFORE and AFTER table.
8. Let's go back to the Expert and look at those VLAN changes we saw.
   a. Look at the Global symptoms and highlight the VTP Versions Different symptom. Click on the ? help icon to see what this symptom means. From the lower right panel, what was the last VTP version received? 2
   b. What VLAN was removed? 333. We can assume this is related to the VTP version problem. If you look at the VLAN Removed from Domain symptom, you'll see that it is this same VLAN and the incorrect version shows in these panels.
   c. Click on the TNV layer in the Detail Tree in the center bottom panel. What is the VTP version being used? 1
   d. What VLANs are in this domain? 1, 225, 226, 1002, 1003, 1004, and 1005

   e. Highlight the VTP Versions Different symptom, then click on the Display Filter icon to see the frames associated with this symptom. Find the VTP frames and locate the frame that shows version 2. Which frame shows version 2? Frame 64. What is the updater's IP address? 161.69.225.250. This and the DLC address should make it quite easy to locate the device that needs the upgrade. If you want to isolate the VTP frames, you'll need to do a data pattern match filter on the SNAP Type = 203 (VTP) which pastes 20 03 at offset 2E. (There are 12 in the trace.)
   f. In the Expert, highlight one of the VLAN Not Operational symptoms and click the ? help button to get some information about what caused this symptom. Note the reason for the non-operational state shown in the lower right window. This information will help you reconfigure the devices so you can bring them up. # 2 is Undefined, # 10 shows MTU Too Big For Trunk, # 11 shows MTU Too Big For Device, and # 12 shows Suspended.
   g. If you want to find the frame(s) that triggered these symptoms, go to the Decode window and right click, then Find Frame. Type MTU too big and click to search in the Detail window and disable match case. Frame 106 shows all the VLANs that are Not Operational.
9. Last, let's look at some 802.1Q headers. This trace is using ISL, so we'll close it and look at another trace. Open C:\NAI\202GUI\8021q.cap. This trace is pretty clean, fortunately, so we'll just look at the frames in the Decode window.
   a. Scroll up in the Detail window and look at the 8021Q headers. It's pretty simple, showing just the 8100 protocol type field that identifies this field as a tag, then the next byte showing the frame priority, tunnel type and the VLAN ID. Remember that the Ethertype field shown in this header actually belongs to the DLC header; the tag is inserted between the source DLC address and the type/length field.
   b. Scroll down to one of the 1518 byte frames just to see how the Sniffer labels these maximum size 1518 byte Ethernet frames that have the 4 byte header added. There is no CRC error posted, but you will see a TCP checksum error message.
   c. We may see longer frames in the future as the specifications are changed to make Ethernet more efficient at the higher speeds.
10. Close the 8021q.cap trace and open C:\202GUI\8021q-gig.cap trace. This is a trace taken from the trunk between gigabit switches, since we see the VLAN tags in the frames and the telltale full-duplex channel identifiers in the Status column. The Statistics tab shows the link is 1000 Mbps.
11. Check the tag header in the Detail window. Is it like the one we saw from the 100 Mbps link? Yes
12. There are some frames labeled Oversize in this trace. Evidently the Sniffer allows 1518 byte 802.1Q frames because it knows the tag adds 4 bytes to the maximum size Ethernet frame. Because these are greater than 1518 bytes, it labels them as Oversize.

13. Remember that Sniffer Pro's switch Expert and Control functions also show the MIB data for switches. MIB data allows you to see the version of the switch's operating system and statistics for each module, port and VLAN. This is covered in more detail in the TNV-201-DSP and TNV-112-GUI classes.
14. Close all windows. Do not go on to the next exercise.
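
Why the VTP pattern match in step 8e sits at offset 2E, as an added example that is not part of the course material: the 26-byte ISL header plus 20 bytes of 802.3, LLC and SNAP fields puts the SNAP type at byte 46, so a parser that locates the SNAP header itself also finds VTP frames that arrive without ISL, and it can then list each sender's VTP version and updater address. The frames and MAC addresses are constructed; 161.69.225.250 is the updater address from the exercise.

```python
import ipaddress

ISL_HEADER_LEN = 26   # Cisco ISL header that precedes the encapsulated frame
ISL_DST_PREFIXES = (bytes.fromhex("01000c0000"), bytes.fromhex("03000c0000"))
# LLC AA AA 03, Cisco OUI 00 00 0C, SNAP type 20 03 (VTP)
VTP_SNAP = bytes.fromhex("aaaa0300000c2003")
SNAP_TYPE_OFFSET = 14 + 3 + 3   # DLC header + LLC + OUI = 20 (0x14)


def strip_isl(frame):
    """Return (inner_frame, bytes_stripped). ISL is recognised by its
    40-bit destination address."""
    if len(frame) > ISL_HEADER_LEN and frame[:5] in ISL_DST_PREFIXES:
        return frame[ISL_HEADER_LEN:], ISL_HEADER_LEN
    return frame, 0


def parse_vtp(frame):
    """Return VTP details for one frame, or None when it is not VTP."""
    inner, shift = strip_isl(frame)
    if len(inner) < 26 or inner[14:22] != VTP_SNAP:
        return None
    vtp = inner[22:]
    version, code, dlen = vtp[0], vtp[1], min(vtp[3], 32)
    info = {
        "type_offset": shift + SNAP_TYPE_OFFSET,   # where 20 03 sits in this frame
        "src": inner[6:12].hex(),
        "version": version,
        "code": code,
        "domain": vtp[4:4 + dlen].decode("ascii", "replace"),
        "updater": None,
    }
    # Summary advertisement (code 1): 32-byte domain field, 4-byte revision,
    # then the updater identity as an IPv4 address.
    if code == 1 and len(vtp) >= 44:
        info["updater"] = str(ipaddress.IPv4Address(vtp[40:44]))
    return info


def version_report(frames):
    """Map VTP version -> [(frame number, source MAC, updater)].
    More than one key means senders disagree on the version."""
    report = {}
    for number, frame in enumerate(frames, start=1):
        info = parse_vtp(frame)
        if info:
            report.setdefault(info["version"], []).append(
                (number, info["src"], info["updater"]))
    return report


def build_vtp(version, src_hex, updater, isl):
    """Build a constructed VTP summary advertisement (demo input only)."""
    domain = b"LAB"
    vtp = bytes([version, 1, 0, len(domain)]) + domain.ljust(32, b"\0")
    vtp += (7).to_bytes(4, "big") + ipaddress.IPv4Address(updater).packed
    vtp += bytes(12 + 16)   # update timestamp and MD5 digest, zeroed
    body = VTP_SNAP + vtp
    inner = (bytes.fromhex("01000ccccccc") + bytes.fromhex(src_hex)
             + len(body).to_bytes(2, "big") + body)
    if not isl:
        return inner
    return ISL_DST_PREFIXES[0] + bytes(ISL_HEADER_LEN - 5) + inner


def constructed_frames():
    """Four constructed frames: two senders, one non-VTP frame, one
    VTP frame without ISL encapsulation."""
    return [
        build_vtp(1, "020000000001", "192.0.2.10", isl=True),
        bytes(60),
        build_vtp(2, "020000000002", "161.69.225.250", isl=True),
        build_vtp(1, "020000000001", "192.0.2.10", isl=False),
    ]


if __name__ == "__main__":
    for version, senders in sorted(version_report(constructed_frames()).items()):
        print("VTP version", version, senders)
```

A fixed pattern filter at offset 2E would miss the fourth constructed frame, where the same two bytes sit at offset 14 hex because there is no ISL header in front of them.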

Exercise Section 6: Fast Ethernet Troubleshooting and Back Pressure


Objective: To review Ethernet troubleshooting techniques using a trace captured from a Fast Ethernet network, then recognize back pressure frames sent by Fast Ethernet switches.

Background: Both trace files were taken from switched Fast Ethernet networks. They have several problems. We'll use the Expert to tell us about them.

1. Open C:\202GUI\100MBFIL.caz.
2. Look at the Expert. What symptoms do you see at the Global layer? Broadcast/Multicast Storm.
   a. How many stations are involved in this? Thirteen. Several of them are DECnet stations, which tends to be a very chatty protocol.
3. What diagnoses do you see at the DLC layer? High rate of physical errors.
   a. What symptoms do you see at the DLC layer? Lots of runts and DLC address is a multicast address caused by frame corruption in the destination address field. If you highlight a station with this symptom in the upper right window and look at the DLC addresses in the Detail tree, you'll see that many of them have 5s or As in the address.
4. Look at the Decode window and frame 13. DECnet stations periodically send these Hello frames.
   a. What is the DLC address for 46.307? DECnet0033B9 (WISHPB)
   b. Highlight that address in the Expert DLC object list and click on the Display Filter icon. A new Filtered x window with 6 frames will open. Enable Relative Time column if not shown. How often is 46.307 sending these Hello frames? Every 14.5 seconds. DECnet nodes multicasting at this rate will contribute to Broadcast/Multicast storms. Based on this, you will want to adjust your Expert Alarm thresholds for broadcast storms to a much higher level to eliminate these Global symptoms.

5. Apply your allbadframes filter to the unfiltered Decode window. How many frames have errors? 219.
   a. Of the 6059 frames in the original trace, what is the percentage of frames with physical errors? 219/6059 = 3.6%. This is outside what is considered normal and should be corrected.
   b. Analyze the problem by looking at the hex of the damaged frames. What conclusions can you draw? Frames are damaged anywhere from 2 to 51 bytes into the frame. AAAAs and 5555s appear in most of the damaged frames. We'd rule out normal collisions because there are far more than 8 bytes of AAAAs and 5555s. It is most likely a hardware problem or backpressure. (We don't have the story on this trace.) We'd need a network map or the actual network to probe further. Fix the physical problems before moving on to the upper layer problems.
6. Let's look at a couple of traces with backpressure so you will recognize it. System Engineers gave these traces to us. They were captured from different networks using different hubs. Close the 100mbfil.caz window and open the C:\202GUI\Backpres.cap trace file. This is a filtered trace that shows only bad frames. Normally, backpressure will not have such a catastrophic effect on the network. What data patterns do you see in Decode window? D0D0D0, 434343 and 343434 patterns.
   a. What size range are most of the frames? 12 to 20 bytes (a few are larger). This trace was from Michelle Coomes when she was at 3Com.
7. Now open the C:\202GUI\Backpres2.cap trace file. From the Expert, what symptoms or diagnoses do you see at the DLC layer? Collision after 64 bytes.
   a. What station is involved? 0008C7A4ACB3. This is coincidental; it happened on many stations.
8. View the Decode window and look at the hex data for the frame with this symptom. What type of errors do you see in this frame? Repeating 55s starting at offset 236 in frame 6.
9. Follow the sequence of the bytes and offsets in this file transfer. In frame 9, below the damaged frame, you'll see a burst frame from the client requesting retransmission of the frame that got damaged. Look in the Detail window for the offset and size. Which frame retransmits the damaged frame? Novell's Pburst has selective retransmission of frames not received in a burst. Use Two station format to show this sequence. Disable Show Network Addresses, then use the Matrix to set a filter on the 2 MAC addresses. It becomes very easy to
see the effects of the backpressure on the transfer and how the upper layers handle any collisions that result.
   The Intel client requests a big read in frame 4.
   The server sends packets 5, 6, 7 and 8 with the data, but 6 gets damaged.
   The client comes back in frame 9 with the request for the missing frame.
   Frame 10 is the retransmission of frame 6.

   This trace came from a company that was having problems from a line running in the proximity of a generator in a warehouse using cat 5 cabling. The errors coming from the EMI were overflowing the buffer on the 10/100 switch so the switch was sending out the backpressure. To solve the situation the customer installed a fiber zip cord and it worked. This proves the point that the backpressure was not the problem but the EMI was. I hope this fills in the gaps for everyone.
   Michael "Mickey" Giovingo

10. These are two examples of backpressure sent by switches to slow the stations. Evidently the buffer is full and they need to slow things down so they can free buffer space. Remember that the specification allows the switch to send preamble bits (alternating ones and zeros) to keep the line busy. This shows up as 5s or As in the traces. If the vendor chooses to use another bit pattern, you will see other bit patterns.
11. To determine the bit pattern for your switches, capture during a busy period and look for frames with suspicious patterns. Disable backpressure on your switch, while capturing a trace. See which patterns are missing. Document the information for your co-workers.
12. If you see a lot of errors like this on your Fast Ethernet segments, look at where the back pressure bits show up in the frames to ensure you don't have a different problem. You may need to segment a network if the switch is unable to keep up with the normal traffic.
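
One way to locate the fill patterns described in steps 8 through 12, as an added example that is not part of the course material: it finds the longest run of one repeated byte in each frame, reports where it starts, and compares the patterns seen with backpressure enabled and disabled. All frames are constructed, and ignoring runs of 00 (frame padding) is an assumption of the example.

```python
from collections import Counter

PREAMBLE_BYTES = {0x55, 0xAA}   # alternating ones and zeros, seen as 5s or As
NORMAL_COLLISION_MAX = 8        # the exercise treats more than 8 bytes as abnormal


def longest_fill_run(frame, ignore=(0x00,)):
    """Return (offset, length, byte) of the longest run of one repeated byte.

    Runs of 0x00 are skipped because short frames are zero padded
    (an assumption of this example).
    """
    best = (0, 0, None)
    i = 0
    while i < len(frame):
        j = i + 1
        while j < len(frame) and frame[j] == frame[i]:
            j += 1
        if frame[i] not in ignore and j - i > best[1]:
            best = (i, j - i, frame[i])
        i = j
    return best


def classify(frame):
    """Label a frame by its longest repeated-byte run."""
    offset, length, value = longest_fill_run(frame)
    if length > NORMAL_COLLISION_MAX:
        # Too long for an ordinary collision: backpressure or a hardware fault.
        kind = "preamble-fill" if value in PREAMBLE_BYTES else "other-fill"
    elif value in PREAMBLE_BYTES and length >= 4:
        kind = "collision-sized"
    else:
        kind = "clean"
    return {"kind": kind, "offset": offset, "length": length, "byte": value}


def fill_patterns(frames):
    """Count the fill byte of every frame that carries an abnormal run."""
    counts = Counter()
    for frame in frames:
        result = classify(frame)
        if result["kind"].endswith("-fill"):
            counts["%02X" % result["byte"]] += 1
    return counts


def patterns_gone(enabled_capture, disabled_capture):
    """Patterns present with backpressure enabled and absent once it is off."""
    return set(fill_patterns(enabled_capture)) - set(fill_patterns(disabled_capture))


def damaged_frame():
    """Constructed frame: 236 bytes of varied data, then repeating 55s."""
    data = bytes((i * 7 + 3) % 251 for i in range(236))
    return data + bytes([0x55]) * 40


# Constructed 60-byte broadcast frame with zero padding.
CLEAN_FRAME = bytes.fromhex("ffffffffffff" "020000000001" "0806") + bytes(46)


def capture_with_backpressure():
    """Constructed capture taken while backpressure is enabled."""
    return [bytes([0xD0]) * 16, bytes([0xD0]) * 12, bytes([0x43]) * 14,
            damaged_frame(), bytes([0xAA]) * 8, CLEAN_FRAME]


def capture_without_backpressure():
    """Constructed capture after backpressure is disabled on the switch."""
    return [damaged_frame(), bytes([0xAA]) * 8, CLEAN_FRAME]


if __name__ == "__main__":
    print(classify(damaged_frame()))
    print(fill_patterns(capture_with_backpressure()))
    print(patterns_gone(capture_with_backpressure(), capture_without_backpressure()))
```

In the constructed data the 55 fill is still present after backpressure is disabled, which is the case step 12 warns about: the pattern has a different cause and needs its own investigation.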

Exercise Section 6: Fast Ethernet Problems


Objective: Look at a trace taken from a busy Fast Ethernet network.

Background: Several Windows NT workstations were copying files across the network in a Sniffer University classroom. The stations were connected to a 100 Mbps hub. Many errors caused slow response times. In spite of the problems shown here, most stations did not experience much difficulty. This trace was captured with a filter set to capture only physical error frames.

1. Open C:\202GUI\Big_bad_rich.caz. What problems does the Expert see and how long did they last? Bad CRC errors at the global layer, lasting 3 minutes, 45 seconds and 723 ms
2. How many DLC objects are shown? Only two, both have NGC cards
3. Look at the Decode window. What type of errors are reported in the status column? CRC, alignment, collision, unknown
4. What conclusions can you draw from what you've learned in class? The 55s are collision data that are the result of the two colliders and the hub all jamming at about the same time. On bigger networks, the jam is accumulated. On small networks, the jam overwrites each other. Result: big networks can have 8 to 12 bytes of jam, small networks can have 0 to 8 bytes of jam, depending on where it started in the frame or preamble. The partial frames showing the conversation from 10.10.0.7 (NGC 100D4E) to 10.10.0.9 (NGC 100EF8) show CRC errors, probably due to a marginal or failing card.
5. Close the window. Stop; do not go on to the next exercise.

Exercise Section 6: 10/100 Hubs


Objective: Explore traces taken from 10 Mbps and 100 Mbps ports on a single autosensing hub (multi-port repeater) to see if there are differences in what each port sees.

Background: Two Sniffers were attached to a hub, one was attached at 10 Mbps, the other at 100 Mbps. Each port on the hub was capable of either speed. We could assume there were two backplanes in the hub, one for each speed with a link between them to propagate traffic to all ports.

Instructors: These traces are from Steve Hammill. They were taken from the Hawking 10/100 multiport repeater that is advertised as a hub. Each port autosenses the speed of the connection. Any ports that are not the same speed have the frames bridged between them. There are other issues in these traces that are not related to the forwarding we point out in this exercise. Stay away from them unless you are cornered or are prepared to discuss them!

1. Open these two trace files: C:\NAI\202GUI\Hawk10b.enc and Hawk100b.enc. Use Windows > Tile to see both of the traces' Expert overviews simultaneously.
2. How many frames are in the Hawk10b.enc trace? 130. The Hawk100b.enc trace? 42. (This does not imply that there is a difference in what the Sniffers saw, it may just be a matter of when each was started and stopped.)
3. Note any differences in Expert information here. Hawk10b.enc has 2 ICMP redirect symptoms and 1 Router Storm diagnosis at the Station layer, and 1 WINS No Response diagnosis at the Session layer. Hawk100b.enc has only the router storm diagnosis. There are different object counts at the Session, Connection, Station and Subnet layers, too.
4. Adjust each window so it occupies one half of the screen vertically so you can compare the traces frame by frame. Press F4 to zoom each Summary panel. Look at the frame data so you can align the first matching frames side by side. What are the first two identical frames? Frames 1-5 in each trace are identical. Starting at frame 6, the Hawk100b.enc has frames that are not found in the Hawk10b.enc trace.
5. Let's see if we can filter out some of the frames to get an idea of the criteria this device is using to forward the frames. First let's find out how many are broadcast frames. Create a new profile called Broadcast. Use the Address tab, leave the Address type set to Hardware, then click the + in front of the Broadcast/Multicast Address icon. Scroll down and highlight Broadcast(FFFFFFFFFFFF), drag it to the top Station 1 field, click in the Station 2 top field to select Any, then click OK. Select this filter on each trace. How many frames are there in each trace? Both have 24 broadcast frames, so we know the hub forwarded all of those as it should have.

6. Now go back to your Broadcast filter and click the Exclude button and apply the filter to each of the Decode-tabbed windows again. How many non-broadcast frames are in each trace? Hawk10b.enc has 106 frames, Hawk100b.enc has 18 frames.
7. Click the Host Table tab for each trace and compare the IP addresses. How many hosts are in each trace and which ones appear in each trace? Both traces have 192.168.1.13, 192.168.1.192, 192.168.1.252-255. Hawk10b.enc also has 192.168.1.251, 10.1.1.11, 10.1.1.53, 161.69.33.11, 161.69.5.203
8. Change the layer to MAC. How many DLC addresses are in each trace? The same six devices appear in both traces. This means there is at least one router.
9. What conclusions can you draw from the behavior of this hub/multiport repeater? This device seems to be doing more than bridging the frames between the backplane. It is forwarding frames based on criteria above the datalink layer. Note that only the Ping and ARP frames between .13 and .192 are in the Hawk100b.enc trace. These frames are also in the Hawk10b.enc trace, but there are lots of WINS Refresh Name frames in the Hawk10b.enc that aren't in the Hawk100b.enc trace. All the WINS non-broadcast frames were filtered by the hub on the 100 Mbps port.
10. This seems like non-standard behavior. You may want to do a similar check of any odd connection problems you see on your 10/100 hubs. You may find that this type of behavior might impact what you see on the Sniffer, security devices, network management tools, etc.
11. Enlarge both trace file windows to normal size, then close them. Stop here. Do not go on to the next exercise unless directed by your instructor.

Exercise Section 8: Gigabit Traffic


Objective: Follow autonegotiation frames and analyze a trace with errors.

Background: The first trace was taken as a Gigabit Ethernet device was initializing. We will follow the sequence of frames each side sent. The second trace was captured on a network and has many Expert symptoms.

1. Use File > Select Settings to create a new Gigabit agent. Click New. Name it Gigabit and choose the Network Associates Gigabit Ethernet PCI Adapter_x from the Network Adapter drop-down list. Don't copy any settings. Click OK twice. Click OK on the Failed to Set Monitor Mode message. You should see Gigabit, SX in the title bar. Ignore the blinking Channels A and B Link Faults indicator in the title bar.
2. Open C:\202GUI\GBAutonegotiation.cap. This trace has 12 frames captured between channels A and B. Zoom the Detail window and press F8 to advance frame by frame. Note the contents of C1 for each.

Frame 1 2 3 All zeros Asymmetric & Symmetric Pause, Full Duplex Channel A Direction Idle All zeros Channel B

Ack, Link Failure, Symmetric Pause, Half & Full Duplex

Ack, Asymmetric & Symmetric Pause, Full Duplex Idle All zeros Asymmetric & Symmetric Pause, Full Duplex

6 7 8

Ack, Symmetric Pause, Half & Full Duplex

10

Ack, Asymmetric & Symmetric Pause, Full Duplex Idle

11 12

3. Though we don't see definitive frames where both agree in this trace, we can assume they will settle on Symmetric Pauses and Full Duplex as the highest common denominator. They will maintain this mode until they are reset or reboot. The rule is to acknowledge after a side
has received 3 consecutive identical frames. These devices do not seem to follow the rule. There is no field to indicate the media type in use.
4. Notice the 10 bit decodes in the Hex panel are automatically enabled for autonegotiation signals.
5. The proof of success lies in seeing whether the devices go on to exchange data (we don't see that in this trace). If they do, then the inconsistencies with the specification don't matter. If they don't exchange data, you have the frames to follow to see where the sides disagree and work from that point. Close this file.
6. Open C:\202GUI\GB.cap. You will see in the Expert that this trace file has 5 Time-to-Live Expiring symptoms at the Station layer. We won't worry about those; that's for another course! We can do some examination of the Global symptom of a Bad CRC.
7. Looking in the Decode window, we see that almost every frame has a symptom associated with it. Let's pull in only the frames with bad CRCs. From Display > Define Filter > Profiles > New, name the filter CRC Errors, click Done and OK. On the Advanced tab select only the CRC errors. Now right-click on the Summary window and choose Select Filter from the menu and choose the CRC Errors filter. A new window will open with 24 frames showing CRC and CV (code violation) errors.
8. Use Help > Help Topics > Find. Wait while the help files build. Enter code vi to find the explanation for these. Highlight the Code Violation Errors in the bottom panel and click Display. Close the Help screen when you've learned how the Sniffer makes this determination.
9. Do you see any single source address that might indicate a bad card? No, there are several different IP source addresses, though all of them are sent to the same IP and DLC multicast address.
10. Let's look for evidence of physical damage or other erroneous data in these frames. Tab into the Hex window and press F4 to zoom it. Now press F8 to advance one frame at a time. Do you see evidence of physical damage? No, the frames look pretty normal.
11. Now click back on the Decode tab to view the entire trace again. We'll check to see if any of these frames were retransmitted. Highlight frame 10 and note the IP identification number in the frame. ID = 52848.
12. Right-click and choose Find Frame, type in this ID number in the text search window and click the Detail window radio button, then click OK. Repeat this for a couple of the other CRC error frames. Are they retransmitted? No, they are not, so it appears the other side got them OK.
13. Let's do one last thing with this trace. Right-click over the Hex window and choose 10 Bit so we can see the 10 bit decodes. (This is automatically enabled for Autonegotiation frames, but you must set it manually for gigabit data frames.) Scroll through the Hex window to see how this data looks. You will see some Carrier Extend and idle bits at the end of most of them. Even though Carrier Extend was developed for half-duplex links, one or more are inserted between each frame in full-duplex mode, too.

14. We don't have more information on this trace to tell you how this was resolved. We hope this has given you some confidence that you can use the skills you've learned here to analyze Gigabit Ethernet frames. Use File > Select Settings to return to your 10/100 Ethernet agent.

Exercise Section 9: Observing LLC


Objective: Use the Sniffer Pro Network Analyzer Display options to study an LLC session.

Background: This trace file was taken from a Fast Ethernet network running Windows NT4 running on NetBIOS and LLC.

1. Open the file C:\202GUI\LLCnetb2.cap. You should have 221 frames.
2. View the Detail of frame 1. Is this an Ethernet Version 2 or 802.3 frame? 802.3 frame.
3. Use Display > Display Setup > Summary Display to enable Two-station format and exclude All protocols, then click Logical Link Control to enable only LLC, click OK.
4. Is this an LLC Type 1 (connectionless) or LLC Type 2 (connection-oriented) session? LLC TYPE 2 (connection-oriented). There are send [N(S)] and receive [N(R)] numbers for connection-oriented sequencing. There are also two bytes in the Control Field in the hex window.
5. Which frame starts a new LLC connection? Frame 10 is the SABME
6. Which is the first frame where data is sent? Who sent it? What sequence number is sent? Frame 14 is sent by Intel B41D55 using sequence number 0
7. In which frame does Dell D45AE8 send sequence number 3? 23
8. Which frame shuts down the connection? Who sent it? The Intel B41D55 sends the DISC in frame 107
9. What is the response to this frame? Dell D45AE8 sends a UA in frame 108 and that's the end of this session.
10. What was the purpose of all those frames where no LLC data was sent? Hint: Enable the display of all protocols in Display > Display Setup > Summary Display > enable Show all layers, then click None at the bottom. The first LLC data frame (14) carried the NetBIOS session initialization frame. Frame 18 begins the CIFS/SMB protocol negotiation and account setup process. Once that is done, it appears that the LLC frames are just keep alives. There is no upper layer activity. CIFS/SMB ends the session in frame 105 and LLC disconnects in frame 107.
11. Close all open windows without saving and disable Two-station format.
12. Shut down the Sniffer. We hope this class will enable you to effectively troubleshoot your Ethernet networks back at your company.
