Ethernet Network Analysis and Troubleshooting

1-1

Ethernet Network Analysis and Troubleshooting

© Network Associates

Sniffer University

Ethernet Network Analysis and Troubleshooting Ethernet Overview and Frame Formats

Section 1 TNV-202-GUI

Ethernet Network Analysis and Troubleshooting

Slide Title: Ethernet Network Analysis and Troubleshooting – Section 1 of TNV-202-GUI

Section Timing: Start: Day 1 Approx. 9am Finish: Day 1 Approx. 12:00 noon

Section 1 title slide.

Files: 01_frm_g.PPT, 01_frm_g.DOC
Traces: Mixed01.cap, Mixed02.cap
Exercises: Which Frames are on the Network?; Isolating Frame Types with Pattern Matching (optional); A Surprise at 23:00

Note: Be sure to practice before you teach this new version! You will need to tighten up on all the sections so you will have time to cover the new materials. It will be a challenge! Pace it carefully. There are several new concepts and exercises, so go through the class very carefully before you teach it. Practice all the exercises and look at the trace beyond what we focus on in the exercises so you are not blindsided by questions outside of the exercise. Please remember this instructor guide is a living document. It is not complete to start and is intended to grow with time. Add to your own copy as you gain experience. Please e-mail suggestions to the course Subject Matter Expert (SME) for future updates to the course material.

Page 1 - 1

1-2

Slide Title: NAI – Sniffer University
Important Points to Cover:

Logo page. Skip past this quickly.

Original Traces for the Course: (all were saved as .CAP files – none were recaptured)
01.CAP 05.CAP 09.CAP 13.CAP 17.CAP 21.CAP (giant.enc) BAD03.CAP BUSY-JAM.CAP HUBPORT1.CAP MIXED-02.CAP 02.CAP 06.CAP 10.CAP 14.CAP 18.CAP 100MBFIL.CAP BADCABLE.CAP COL100_3.CAP HUBPORT2.CAP SCBRIDGE.CAP 03.CAP 07.CAP 11.CAP 15.CAP 19.CAP BACKPRES.CAP BADCRC.CAP FRAGS.CAP JABBER.CAP TCPDEMO6.CAP 04.CAP 08.CAP 12.CAP 16.CAP 20.CAP BACKPRES2.CAP BADCRC-1.CAP HUB6ARC.CAZ MIXED-01.CAP

New traces added in version 4.0
(Table columns, each listed in row order)
Name: GB.CAP Gigabit data trace GBAUTONEGOTIATION.CAP Gigabit autonegotiation VLANProb.caz Cisco ISL VLAN VLANprob2.cap Cisco ISL VLAN Hawk10b.enc & Hawk100b.enc Jabtest.enc (1 frame) Overtest.cap Big_Bad_Rich.caz Llcnetb2.cap Bcast.cap 8021Q-gig.cap 8021q.cap
Source: Sniffer Pro 4.0 Samples Directory HQ server HQ lab trace – filtered to remove HQ names & info HQ lab trace – filtered to remove HQ names & info Steve Hammill – classroom setup traces HQ engineering HQ Engineering Don Prefontaine created in an on-site class Bev Mannes home network 303 trace file HQ engineering (Subset of dc_01.caz) HQ engineering
Speed: 1000 1000 100 100 10 100 10 10 100 100 10 1000 100
Course Location: Screen caps 2 Exercises Screen caps 2 exercises Screen caps & exercise Screen Cap Demo Exercise Screen shot Extra-demo Exercise LLC exercise Exercise Demo, screen cap Screen caps & exercise

Page 1 - 2

Housekeeping
1-3
BREAKS LUNCH TELEPHONES
Call the office Net Down!!!

BEEPERS IN SILENT MODE CELL PHONES IN SILENT MODE REST ROOMS EMERGENCY INFORMATION

?

QUESTIONS

All phone calls must be made outside the classroom during breaks.

Slide Title: Housekeeping
Important Points to Cover: Use your normal way of presenting this information.
• Instructor History
• Paperwork (Student information forms)
• Student Introductions: Company name; Operating systems; Connection technologies at their site; Networking experience, etc.
• Location of: Exits; Washrooms; Telephones; Lunchroom or lunch arrangements
• Time intervals: Break; Lunch; Start; Finish
Note: You may negotiate different start and end times provided it does not place undue hardship on anyone in the class.
• Instructor availability

Page 1 - 3

1-4

Use Your Trace File CD for the exercises in this class

Thank You!

Students are not permitted to audio or video tape the course presentation. Duplication of Course Materials or the Trace File CD is strictly prohibited by copyright.

The Trace File CD that comes with this manual contains:
• All Class Traces - which can be copied to the C:\ drive or used in the CD-ROM Drive
• Reference materials - ATM Forum Docs, RFCs, Product Guides and other Documentation

Slide Title: Thank You!
Important Points to Cover:

Keep going. Briefly review the policy. The trace files for this class are placed in the 202GUI directory on the trace file CD in the student manual. Mention that there are additional trace files that are copied to Sniffer Pro’s program directory if they would like to practice with those samples.

Page 1 - 4

1-5

Sniffer University's Total Network Visibility Curriculum
• Interconnection Concepts & Troubleshooting

Upper-Layer Analysis & Troubleshooting Technologies
• TCP/IP Applications: Concepts & Troubleshooting
• TCP/IP Network Analysis & Troubleshooting
• Microsoft Windows NT & Windows 2000 Network

Network Interfaces Tools & Systems
• ATM Network Analysis & Troubleshooting
• WAN Analysis & Troubleshooting
• Token Ring Network Analysis & Troubleshooting
• Ethernet Network Analysis & Troubleshooting
• Implementing Distributed Sniffer System / RMON Pro
• Troubleshooting with the Sniffer Pro Network Analyzer
• Sniffer Pro for DOS Sniffer Experts

Visit our website for more information on our classes and a current schedule: www.sniffer.com >> follow the Sniffer University Links

Slide Title: Sniffer University's TNV Curriculum
Important Points to Cover:

These are the 11 active courses in the curriculum as of Oct 2, 2000 for Version 4.0. Point out where you are in the curriculum. Mention other GUI courses available and highlight next step courses such as:
• 3 day WAN - TNV-207-GUI
• 5 day TCP/IP curriculum – TNV-303-GUI and TNV-304-GUI
• 5 day ATM - TNV-218-GUI
Keep going.

Page 1 - 5

Table of Contents
• Course Overview - Page 1-7
Day 1
• Ethernet Frame Formats - Page 1-18
• Ethernet Sniffer Pro Hardware - Page 2-1
• Ethernet Physical and Data Link Layers - Page 3-1
• Timing Specifications - Page 3-25
• Troubleshooting Tips - Page 4-1
• Ethernet Bridging and Switching Concepts - Page 5-1
Day 2
• Bridges - Page 5-3
• Switches - Page 5-15
• VLAN Tagging - Page 5-27
• 100 Mbps Fast Ethernet - Page 6-1
• Full Duplex Ethernet - Page 7-1
• Gigabit Ethernet - Page 8-1
• Optional Technologies - LLC and Coax - Page 9-1
• Glossary of Terms - Page 9-41
• Student Exercises - Page 10-1

1-6

Slide Title: Table of Contents
Important Points to Cover:

Run down the list of topics. Mainly here for student reference. Use this to let them know what we will cover in class. The redundant list after this was removed. A dotted line has been added to give the students an indication of when the topics will be covered.

Timing: A guideline for timing:
Day one: Morning: Section 1 and 2. Afternoon: Section 3.
Day two: Morning: Section 4 and Section 5 (Bridges). Afternoon: Section 5 (Switches), Sections 6-8.
Optional: Logical Link Control

Page 1 - 6

1-7

Course Overview

Slide Title: Course Overview
Important Points to Cover:

Standard title slide only.

Page 1 - 7

Course Objectives
1-8
Upon completion of the course, you will be able to:
• Discuss the details of the Ethernet (802.3) specification
• Effectively use the Sniffer Pro analyzer to manage and troubleshoot Ethernet LANs
• Use practical hands-on troubleshooting methods and partner with the Network Associates Sniffer Pro Network Analyzer in Ethernet environments

Slide Title: Course Objectives
Important Points to Cover:

State the course objectives. We are here to learn something about Ethernet technology, how to use the Sniffer Pro analyzer in an Ethernet environment, and how to interpret the data captured.

Page 1 - 8

Prerequisites
1-9
• Basic LAN knowledge and experience using the Sniffer Pro Analyzer
• TNV-101-GUI: Troubleshooting with the Sniffer Pro Network Analyzer or TNV-112-GUI: Sniffer Pro for DOS Sniffer Experts

Slide Title: Prerequisites
Important Points to Cover:

Cover quickly. Determine if all of the students meet the prereqs and discuss any problems if you have some that have not taken TNV-101-GUI or TNV-112-GUI.

Page 1 - 9

OSI Functional Protocol Layers
1-10
• The Session, Presentation, and Application layers are not clearly differentiated in most network protocols
• The Transport layer provides for communications between programs
• The Network layer provides for communications between devices

Ethernet Layers
• The Data Link layer provides for communications between electrical end-points (network interface cards)
• The Physical layer provides the conductive path that includes media, connectors, electrical or optical signaling levels and coding characteristics

Slide Title: OSI Functional Protocol Layers
Important Points to Cover:

This is now a build slide that builds on mouse clicks. Review the functions of each layer, so the students may apply the binary search method against the OSI stack. Physical and data link are the layers directly involved in Ethernet. All these processes (without LLC) are connectionless. Everything else is “upper layer” to Ethernet. Network layer protocols are also connectionless. Transport protocols can be connection or connectionless. If connection oriented, then we can determine whether or not the network is good by simply following the sequence numbers. Upper Layer protocols control the communications between the applications themselves. They are connection-oriented and take care of any error handling not done by the lower layers. The Ethernet layers are set off to emphasize this is where the Ethernet specifications reside. All of the protocols in the layers above Ethernet are taught in many other Sniffer University courses. We will not focus on them here.

Page 1 - 10

IEEE 802 Standards
1-11
• 802.1B – LAN/MAN Management
• 802.1D – MAC Bridging
• 802.1E – System Load Protocol
• 802.1F – Common Definitions & procedures
• 802.1G – Remote Media Access Control Bridging
• 802.1H – MAC Bridging of Ethernet in V2.0 in LANs
• 802.2 – Logical Link Control (LLC) describes peer-to-peer procedures for the transfer of information and control between any pair of Service Access Points on any 802.X LAN
• 802.3 CSMA/CD Medium Access, Physical Layer
• 802.4 Token Passing Medium Access over bus, Physical Layer
• 802.5 Token Passing Medium Access over ring, Physical Layer
• 802.6 Distributed Queue Dual Bus Medium Access, Physical Layer
• 802.9 Integrated Services at Medium Access, Physical Layer
• 802.10 LAN/MAN Security
• 802.11 Wireless Medium Access
• 802.12 Demand Priority Medium Access
(Diagram layer labels: Data Link Layer, Physical Layer)

The lower part of the Data Link Layer is called the MAC layer, an abbreviation for Media Access Control. In addition, the 802.7 standard is a recommended practice for common Physical Layer technologies, IEEE Recommended Practice for Broadband Local Area Networks. 802.14 Standard Protocol for Cable-TV-based Broadband Communication Network is another protocol in development in 1998. The ANSI number for the 802.3 1996 edition of the specs is 8802-3:1996. IEEE Specifications can be purchased through http://www.ieee.com

Slide Title: IEEE 802 Standards
Important Points to Cover:

History of where the Standards came from. The relationship among the standards committees. This is the official IEEE diagram based on the drawing in the IEEE Std 802.3ab -1999. The 802.1 layer has the bridging standards listed individually and 802.14 for Cable-TV based broadband is not on this drawing due to space constraints.

Page 1 - 11

Major IEEE Ethernet Standards
1-12
• 802.3 (1985): Carrier Sense Multiple Access with Collision Detection (Original Ethernet Specification)
• 802.3u (1995): Media Access Control (MAC) Parameters, Physical Layer, Medium Attachment Units and Repeater for 100 Mb/s Operation, Type 100BASE-T
• 802.3x (1997): Specification for Full Duplex Operation
• 802.3z (1998): Media Access Control Parameters, Physical Layers, Repeater and Management Parameters for 1000 Mb/s (Gigabit) Operation
• 802.3ab (1999): Physical Layer parameters for 1000 Mb/s Operation over 4-Pair Cat 5 Balanced Copper Cabling, Type 1000BASE-T
• 802.3ac (1998): Carrier Sense Multiple Access with Collision Detection (CSMA/CD) frame extensions for Virtual Bridged Local Area Networks (VLAN) tagging on 802.3 networks
• 802.3ad (2000): Carrier Sense Multiple access with Collision Detection (CSMA/CD) access method and physical layer specification - Aggregation of Multiple Link Segments (Parallel Point-to-Point link segments)

Many other specification documents cover many facets of the Ethernet specifications. A complete list is available from the IEEE web site. WIP = Work in Process

Slide Title: Major IEEE Ethernet Standards
Important Points to Cover:

This is a quick list of the Ethernet standards we will cover in this class. It is not a comprehensive list, since there are numerous other addenda as seen by the lettering of the standard. You might want to note the large gap between the original 802.3 standard approved in 1985 and the u standard approved in 1995. This does not mean to indicate there was no change in 10 years. Quite the contrary: as the original spec was improved for thin coax, then twisted pair with all the other changes to devices were defined in the “a” through “t” addenda.

Page 1 - 12

Ethernet Evolution
1-13
Timeline dates on the slide: 1972, 1982, 1983, 1985, 1990, 1993, 1995, 1996, 1997, 1998, 2000
Milestones on the slide: Work on Ethernet begins at Xerox PARC; Novell NetWare Proprietary Frame; 10Base-T; Fast Ethernet (802.3u); Full Duplex (802.3x); Gigabit standard (802.3z); VLANs; Terabit stds in process; V2 Ethernet Spec completed by DEC, Intel and Xerox; IEEE 802.3; Ethernet Switching; Gigabit Ethernet proposed; Switch sales exceed shared hubs

Design Goals:
1. Definition simplicity
2. Efficient use of shared resources
3. Ease of reconfiguration and maintenance
4. Compatibility
5. Low cost

V1 Ethernet: Used an unbalanced signaling method (+5 volts referenced against ground). Specified thick coax cable.
V2 Ethernet: Used a balanced signaling method (+5, -5 volts). Added SQE (Heartbeat).
802.3: Added jabber inhibit. Specified thick coax, thin coax, twisted pair cabling and fiber.
V1 and V2: Cannot co-exist on the same segment due to the different signaling methods.
V2 and 802.3: Can co-exist on the same segment, as the same signaling methods are used.

Slide Title: Ethernet Evolution
Important Points to Cover:

Discuss the milestones and the Design Goals. New dates and milestones have been added. All frame types that use CSMA/CD are now valid 802.3.

Page 1 - 13

Media Evolution
1-14
Media (in slide order): Thick Coax; Thin Coax; Twisted Pair; Optical Fiber
Connector labels (in slide order): DB15 Connectors attaches to External transceiver with AUI cable; BNC Connectors with T connectors; RJ45 Connectors; RJ45 Connectors & Twinax

Slide Title: Media Evolution
Important Points to Cover:

New Slide. Do just a quick review of how Ethernet media has changed over the years. We started with the old thick cable in the ceiling. Then thin coax took over. Twisted pair changed the whole layout of the network structure, bringing all the connections back to the wiring closet. Cables attach to connectors in the wall or cube, the wire then goes to a punch-down block and finally to a hub or switch. Dedicated wires for receive and transmit meant that cards could no longer listen on the same wire, so new ways of learning of collisions had to be developed. Cat 3 evolved to cat 4, evolved to cat 5, now on to cat 6, 7 ???? The latest is optical fiber. This is generally used as a backbone or for high-speed servers. Our diagram shows the ordinary users connected with cat 5 cabling with an uplink on the hub or switch to the high-speed optical backbone. High performance servers may be connected directly with optical cable. There is mention of Twinax on the bottom. It is used in one Gigabit Ethernet configuration.

Page 1 - 14

Media Access Evolution
1-15
Diagram panels:
• Shared media half-duplex with collisions
• Hub or Concentrator: Dedicated RX/TX lines, shared media half-duplex with collisions
• Switch: Dedicated RX/TX lines, dedicated media half-duplex with carrier sense and collision detection (collisions avoided)
• Switch: Dedicated RX/TX lines, dedicated media full-duplex without carrier sense or collision detection

Coax cables are broadcast in nature. Every station sees every signal on the wire. Each must wait its turn to use the wire and only one signal can be on the wire at a time, so each station must sense whether the wire is busy, wait the interframe gap and sense collisions and retransmit if a collision occurs. Twisted pair cabling provides dedicated receive and transmit wires in the cable, but only one wire can be active at a time. Concentrators or hubs repeat the signals out to all stations attached. The advent of the switch allowed dedicated connections between two devices in a switched temporary point-to-point connection. Even though collisions are avoided in this configuration, the same adapter cards are used, so the devices still sense for carrier, wait the interframe gap and sense collisions. When faster technologies were introduced, full duplex switched point-to-point connections allowed signals on each wire simultaneously. Since the links are point-to-point, there is no need to sense carrier or detect collisions. The introduction of full duplex connections allowed bandwidth to double, since each direction can be busy simultaneously.

Slide Title: Media Access Evolution
Important Points to Cover:

New Slide. This attempts to show how access to the wire has changed over the years. The birth of CSMA/CD meant everyone listening, waiting their turn, then transmitting while listening for collisions. The introduction of twisted pair wiring to a central repeater still maintained the need for CSMA/CD, since everything received on one port was repeated out to all the others. The cards can either send or receive, not both simultaneously. With the introduction of switches, every port is its own collision domain. Collisions are almost non-existent. But the listen-and-wait and retry was maintained for backward compatibility. When full duplex was developed, each device had two lines in a point-to-point connection to the other end. There was no need to wait for the line; you always had access to the receive port on the other side. But there still is the little matter of being able to talk to the older NICs and devices, so even the faster devices know how to deal with CSMA/CD. All of the newer technologies still have this as the basis for their specifications.

Page 1 - 15

Summary of Ethernet Features
1-16
• Uses Carrier Sense Multiple Access/Collision Detection (CSMA/CD) for its media access control
  – Switches and faster technologies avoid collisions with dedicated and/or full-duplex connections
• Original specifications defined as a bus technology
  – Usually installed as a star topology today
• Variable size frames
• Best effort delivery
• Various data encoding techniques are used

The minimum frame size is 64 bytes. This includes 4 bytes of frame check sequence but does not include the 8 bytes of preamble sequence. The maximum frame size is 1518 bytes including CRC.

Slide Title: Summary of Ethernet Features
Important Points to Cover:

This is the beginning of the real class. Original specifications are based on bus technology and CSMA/CD. CSMA/CD has always been the defining feature of Ethernet, so the name has stuck. With the introduction of switches and Full Duplex Ethernet, this can no longer be the feature common to all varieties, since some don’t use carrier sense (CS), are not multiple access (MA), and do not have collisions to detect (CD). Nevertheless, there are other details that have been maintained through all the iterations.

Page 1 - 16

Digital Signal Encoding
1-17
[Figure: the bit sequence 0 1 0 0 1 1 drawn as TTL, Manchester (10 Mbps Ethernet) and Differential Manchester (Token Ring) waveforms, with bit cell boundaries marked]
• TTL is used on circuit boards
• Manchester Encoding is used in 10 Mb/s Ethernet/802.3
• Differential Manchester Encoding is used by Token Ring/802.5
• Faster Technologies use different encoding schemes

Manchester and Differential Manchester encoding are methods of embedding the clock into the data stream so the adapter can determine whether a bit is a one or a zero. TTL has no timing encoded in the data. It is used on circuit boards where synchronized clocking can be applied to multiple circuits. The encoding techniques for Fast Ethernet and Gigabit Ethernet are covered in section five.

Slide Title: Digital Signal Encoding
Important Points to Cover:

Don’t dwell on this slide. It is only really important for the students to understand that the timing is embedded in the data stream so that adapters can tell a 1 from a 0. Fast Ethernet and Gigabit Ethernet use different encoding methods. They will be covered in their respective sections.

Page 1 - 17

1-18

Ethernet Frame Formats

Slide Title: Ethernet Frame Formats
Important Points to Cover:

Topic Title slide only. Keep going.

Page 1 - 18

Section Objectives
1-19

Upon completion of this section, you will be able to:
• Describe protocol concepts
• Differentiate between Ethernet Frame Formats
• Recognize network configuration issues with different frame formats
• Identify frame format incompatibilities

Slide Title: Section Objectives
Important Points to Cover:

State the objectives for this section. This prepares the students and sets expectations about the desired outcome of learning this information.

Page 1 - 19

Ethernet Frame Formats
1-20
Frame Type | Detail Window Label | Expert DLC Label
Version 2 | Ethertype | Ethertype
Novell Raw | 802.3 length but no LLC header | 802.3
802.3 | 802.3 length and LLC header | 802.3
802.3 SNAP | SAP = AA, then SNAP Header | 802.3

LLC: Logical Link Control. A protocol that provides connection control and multiplexing to subsequent embedded protocols; standardized as IEEE 802.2 and ISO/DIS 8802/2.

SAP: Service Access Point. (1) A small number used by convention or established by a standards group, that defines the format of subsequent LLC data; a means of demultiplexing alternative protocols supported by LLC. (2) Service Advertising Protocol. Used by NetWare servers to broadcast the names and locations of servers and to send a specific response to any station that queries it.

SNAP: Sub-Network Access Protocol (also sometimes called Sub-Network Access Convergence Protocol). An extension to IEEE 802.2 LLC that permits a station to have multiple network-layer protocols. The protocol specifies that DSAP and SSAP addresses must be AA hex. A field subsequent to SSAP identifies one specific protocol. Interpreted in the TCP/IP PI suite and the AppleTalk PI suite. (See RFC 1042 for further information on SNAP.)

MAC frames are used in Full Duplex Ethernet.

The Expert Detail Panel shows the frame type associated with each device at the DLC layer.

Slide Title: Ethernet Frame Formats
Important Points to Cover:

This is a list of what we will cover in the next set of slides. Ethertype, LLC DSAP and SSAP are addresses. SNAP defines a different location in the frame for the address of the receiving process. NetWare originally started with a proprietary frame but now supports everything. Carrier extend and MAC Control are mentioned in this section, but will be explained fully in section five.

Page 1 - 20

Ethernet Version 2 Frame
1-21
Preamble (8) | Dest (6) | Source (6) | Type (2) | Data (46 - 1500) | CRC (4)
Preamble bit pattern: 1010...10101011
(Diagram label: Sniffer Pro Capture Range)

• Preamble: 64 bits (8 bytes) of synchronization
• Destination: (6 bytes) address of destination node
• Source: (6 bytes) address of source node
• Type: (2 bytes) specifies upper-layer protocol
• Data: Data link layer views all information handed to it by higher layers as data, whether it is protocol information or user data
• CRC: Cyclic Redundancy Check Frame Check Sequence (FCS), or checksum value

Ethertypes are managed by Xerox.

Slide Title: Ethernet Version 2 Frame Format
Important Points to Cover:

Emphasize the preamble and its function. Hit the bit pattern and reference the AAAAs and 55555s.

Demo: Demonstrate frame structure with TCPDEMO6.CAP. Walk the students through performing a pattern match on a version two Ethertype. Repeat this for each frame type, each time using a different match. Be sure to name the matches. After the last frame type in this section, walk the students through saving setups so that they now have a predefined filter that can be used later.

Page 1 - 21

Ethernet Version 2 Data Link Layer
1-22
Network Layer Data Link Control Layer Physical Layer Non-IEEE Networks (e.g., Ethernet, ARCNET, Local Talk)

• Pre-dates IEEE specs
• Identifies the hardware address of the adapters for both receiving and sending stations
• Identifies the receiving process with a two byte Type field in the DLC header
• Requires the Network Layer to ensure a minimum packet size of 46 bytes of data
• Only provides connectionless services

Slide Title: Ethernet Version 2 Data Link Layer
Important Points to Cover:

Information on slide should suffice.

Page 1 - 22

Novell NetWare 802.3 “Raw” Frame
1-23
Preamble (8) | Dest (6) | Source (6) | Length (2) | Data (begins FFFF) | CRC (4)
Preamble bit pattern: 1010...10101011
(Diagram label: Sniffer Pro Capture Range)

• Preamble: 64 bits (8 bytes) of synchronization
• Destination: (6 bytes) address of destination node
• Source: (6 bytes) address of source node
• Length: (2 bytes) specifies the number of bytes (46-1500) in the data field
• Data: IPX Header starting with 2 bytes checksum (usually FFFF) followed by NetWare higher layers (‘data’)
• CRC: Cyclic Redundancy Check Frame Check Sequence (FCS), or checksum value

Novell developed their frame type before the IEEE committee was finished. As a result, they identified the length but did not use LLC. This is not a problem provided all stations use the same frame type. It does have a negative impact on IEEE compliant implementations when Novell issues broadcast frames. Service Access Point of FF is the broadcast SAP. All stations have to copy.

Slide Title: Novell NetWare 802.3 “Raw” Frame Format
Important Points to Cover:

Use a third match as you take the students through this process. If performed correctly, you will certainly speed up the exercises at the end of this section, if not eliminate them. Point out that Novell’s frame type was defined while the IEEE committees were still meeting. It really did not matter, since one only installed a single operating system. We were not designing enterprise networks with LANs and we certainly were not interfacing a lot of dissimilar systems. In today’s environment however, it is definitely an issue.

Page 1 - 23

802.3 “Raw” Data Link Layer
1-24
Network Layer Data Link Layer Media Access Control Sublayer Physical Layer

IEEE Networks (e.g., 1BASE5, 802.3, 802.5)

• Only uses the bottom half of the DLC Layer
• MAC layer contains hardware addresses of destination and sending stations
• Uses a two byte length identifier
• Does not use LLC
• Specified while IEEE was formulating 802.3 specs
• MAC Layer ensures minimum frame length

Slide Title: 802.3 “Raw” Data Link Layer
Important Points to Cover:

NetWare IEEE 802.3. Information on slide should suffice.

Page 1 - 24

IEEE 802.3 Frame
1-25
Preamble (7) | SFD (1) | DA (6) | SA (6) | Length (2) | DSAP (1) | SSAP (1) | Control (1 or 2) | Data + Pad (42 - 1497) | CRC (4)
Logical Link Control (LLC) 802.2: DSAP, SSAP, Control
Preamble bit pattern: 1010...10101011
(Diagram label: Sniffer Pro Capture Range)

• Preamble: 56 bits (7 bytes) of synchronization
• SFD: (1 byte) start frame delimiter (transition from synch to DA)
• DA: (6 bytes) Destination Address: address of destination node
• SA: (6 bytes) Source Address: address of source node
• Length: (2 bytes) specifies the number of bytes (3-1500) in the LLC and data fields
• DSAP: (1 byte) Destination Service Access Point, receiving process at destination
• SSAP: (1 byte) Source Service Access Point, sending process in source
• Control: (1 byte) Various control information (2 bytes for connection-oriented LLC)
• Data/Pad: The upper-layer protocol information, if any. The MAC layer pads the field to ensure overall 64-byte minimum frame size requirement
• CRC: Cyclic Redundancy Check Frame Check Sequence (FCS), or checksum value

Stations know if a frame is Version 2 or 802.3 by evaluating the 2 bytes following the source address. If they are greater than 05DC hex (1500 decimal), then the frame is Version 2; if they are less, they are assumed to be a length field.

IEEE defines the preamble as 56 bits (7 bytes) of alternating 10101010...etc., followed by 8 bits (1 byte) of starting delimiter with bit pattern of 10101011.

Slide Title: IEEE 802.3 Frame Format
Important Points to Cover: Repeat of previous page. Stations know if a frame is Version 2 or 802.3 by evaluating the 2 bytes following the source address. If they are greater than 05DC hex (1500 decimal), then the frame is Version 2; if they are less, they are assumed to be a length field. Note: the exception is PUP, which uses Ethertype 2ØØ. (PUP stands for PARC Universal Packet.) Be sure to select a different match and to disable the first match.
Page 1 - 25

1-26 IEEE 802.3 Data Link Layer

[Diagram: Network Layer / Data Link Layer (Logical Link Control Sublayer, Media Access Control Sublayer) / Physical Layer. IEEE Networks (e.g., 802.3, 1BASE5, 802.5)]

• Splits the DLC layer into two distinct sublayers
• MAC layer contains hardware addresses of destination and sending stations
• Provides LLC services
– Receiving and sending processes identified by SAP addressing
– Accommodates both connectionless and connection oriented implementations
– Provides for the use of SNAP
• MAC Layer ensures minimum frame length

Slide Title: IEEE 802.3 Data Link Layer
Important Points to Cover: Information on slide should suffice.
Page 1 - 26

1-27 IEEE 802.3 SNAP Frame

Field:  Preamble  SFD  DA  SA  Length  DSAP  SSAP  Control  Vndr Code  Type  Data + Pad  CRC
Bytes:  7         1    6   6   2       1     1     1        3          2     38 - 1492   4

DSAP and SSAP are both AA. DSAP, SSAP and Control make up the Logical Link Control (LLC) 802.2 header; Vndr Code and Type make up the SNAP Header. The preamble and SFD carry the bit pattern 1010...10101011. [Diagram marks the Sniffer Pro Capture Range.]

• Preamble: 56 bits (7 bytes) of synchronization
• SFD: (1 byte) start frame delimiter
• DA: (6 bytes) Destination Address: address of destination node
• SA: (6 bytes) Source Address: address of source node
• Length: (2 bytes) specifies the number of bytes (3-1500) in the LLC and data fields
• DSAP: (1 byte) Destination Service Access Point, receiving process at destination
• SSAP: (1 byte) Source Service Access Point, sending process in source
• Control: (1 byte) Various control information
• SNAP: (5 bytes) First three bytes identify the vendor. Last two bytes identify the protocol
• Data: The data link layer views all information handed to it by higher layers as data, whether it is protocol information or user data
• Pad: Pads frame to minimum of 46 bytes total for the data and LLC (so collisions can be detected)
• CRC: Cyclic Redundancy Check Frame Check Sequence (FCS), or checksum value

SNAP allows vendors who do not have an assigned Service Access Point to become IEEE compliant. Service Access Point of AA identifies a SNAP header immediately following the LLC header. A SNAP header is five bytes. The first three bytes identify the vendor and the last two bytes identify the protocol used. The first three bytes (the vendor ID) are usually padded with zeroes. The version 2 Ethertype is generally used as the identifier.

Slide Title: IEEE 802.3 SNAP Format
Important Points to Cover: Finish with the pattern match and save “setups.” TIP: TCPDEMO6 is a good trace to use to show this.
Page 1 - 27

1-28 IEEE 802.3 SNAP Data Link Layer

[Diagram: Network Layer / Data Link Layer (SNAP, LLC, Media Access Control Sublayer) / Physical Layer. IEEE Networks (e.g., 802.3, 1BASE5, 802.5)]

• SNAP (Sub-Network Access Protocol)
• SNAP is a sub-set of LLC
• Allows Protocols without an assigned IEEE SAP to implement an IEEE compliant MAC layer
• Provides for an additional 5 byte header to specify the receiving process (three bytes identify the vendor and two bytes identify the protocol)
• MAC layer contains hardware addresses of destination and sending stations
• MAC Layer ensures minimum frame length

Slide Title: IEEE 802.3 SNAP Data Link Layer
Important Points to Cover: Is a subset of LLC.
Page 1 - 28

1-29 IEEE Ethernet Frame Evolution

• Version 2 was historically not an IEEE recognized frame
• As of 1997, it is a part of the Ethernet frame formats
• The field formerly called the “length” field by IEEE is now labeled “length/type” field
– This provides backward compatibility for version 2

Field:  Preamble  SFD  DA  SA  Length  DSAP  SSAP  Control  Data + Pad  CRC
Bytes:  7         1    6   6   2       1     1     1 or 2   42 - 1497   4

Length/Type:
0-1500 = Length
1536 - 65,535 = Type
1501-1535 reserved

Slide Title: IEEE Ethernet Frame Evolution
Important Points to Cover: This is an automated build slide that will display on a timer. Don’t click until you’re ready for the next slide! A “+” in the lower left corner of the build slides tells you how many clicks you need before it goes to the next slide. When there is no number after the “+”, the slide is totally automated. The next click shows the next slide. This brings the previous information into the present definition of the Ethernet frame type. Point out the field values at the bottom that devices use to tell what type of frame is arriving. Of course, they’ve always done it this way, but now the specification matches the process.
Page 1 - 29

1-30 Ethertypes and SAPs

E-Type         Value
NetWare        8137
XNS            0600, 0807
IP             0800
IP (VINES)     0BAD, 80C4
ARP            0806
RARP           8035
DRP            6003
LAT            6004
LAVC           6007
ARP (ATalk)    80F3

SAP            Value
NetWare        E0
XNS            80
NetBIOS        F0
IP             06
BPDU           42
SNA            04, 05, 08, 0C
X.25           7E
ISO            20, 14, 34, EC, FE, 54
SNAP           AA

Note: A comprehensive listing of Ethertypes and SAPs is in the appendix.

Http://www.iana.org keeps an updated list of Ethertypes. SnifferPro maintains a list of the Ethertypes and SAPs and decodes the Upper Layer Protocols (ULP) based on the Ethertype or SAP found in the Data Link header.

Slide Title: Ethertypes and SAPs
Important Points to Cover: Demo: There is a more complete list from the Sniffer Pro analyzer’s main menu. Go to Define Filters and demonstrate for the students the protocol filters. Use data pattern matching to filter on specific SAPs and Ethertypes.
Page 1 - 30

1-31 Determining Ethernet Frame Types

Start here: Observe the hex value of the field following the DLC source address.

Is the value of the field greater than Ø5DC hex?
– YES: You have just determined that the frame is an Ethernet version 2 frame. Look at the Ethertype values to determine what ULP the frame is carrying. STOP
– NO: Look at the 2 bytes at offset ØE.

Are the 2 bytes equal to FF FF hex?
– YES: You have just determined that the frame is a Novell 802.3 raw frame. STOP
– NO: Continue with the next question.

Are the 2 bytes at offset ØE equal to AA AA hex?
– YES: You have just determined that the frame is an 802.3 SNAP frame. Look at the Ethertype values to determine what ULP the frame is carrying. STOP
– NO: You have just determined that the frame is a standard 802.3 frame. Look at the SAP values to determine what ULP the frame is carrying. STOP

Slide Title: Determining Ethernet Frame Types
Important Points to Cover: Student reference. This is a semi-automated build slide. There are 3 clicks, one at each stop sign after each determination has been made.
Page 1 - 31
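The decision tree from slide 1-31, combined with the length/type ranges from slide 1-29, written as a short Python classifier that also lists stations sending more than one frame format. This is an added example, not part of the course material; the function names, station addresses and sample frames are constructed for illustration.

```python
import struct
from collections import defaultdict

MAX_LENGTH = 0x05DC     # 1500: largest value read as a length
MIN_ETHERTYPE = 0x0600  # 1536: smallest value read as a type


def mac(raw: bytes) -> str:
    return ":".join(f"{b:02X}" for b in raw)


def classify_frame(frame: bytes) -> dict:
    """Classify one frame that starts at the destination address
    (no preamble or SFD), using the offsets from the flowchart."""
    if len(frame) < 16:
        raise ValueError("need DA, SA, length/type and the 2 bytes at offset 0E")
    (length_type,) = struct.unpack("!H", frame[12:14])  # field after the SA
    info = {"dst": mac(frame[0:6]), "src": mac(frame[6:12]),
            "length_type": length_type, "ulp": None}
    if length_type >= MIN_ETHERTYPE:
        info["format"] = "Ethernet II"
        info["ulp"] = ("ethertype", length_type)
    elif length_type > MAX_LENGTH:
        # 1501-1535 is reserved on slide 1-29; report it instead of guessing.
        info["format"] = "reserved"
    elif frame[14:16] == b"\xFF\xFF":
        # Novell raw: the IPX checksum bytes follow the length directly.
        info["format"] = "802.3 raw"
    elif frame[14:16] == b"\xAA\xAA":
        if len(frame) < 22:
            raise ValueError("truncated SNAP header")
        # Offsets: 0E DSAP, 0F SSAP, 10 control, 11-13 vendor, 14-15 type.
        (ptype,) = struct.unpack("!H", frame[20:22])
        info["format"] = "802.3 SNAP"
        info["vendor"] = frame[17:20].hex().upper()
        info["ulp"] = ("ethertype", ptype)
    else:
        info["format"] = "802.3 LLC"
        info["ulp"] = ("sap", frame[14], frame[15])  # DSAP, SSAP
    return info
    # Note: PUP (Ethertype 0200) is the exception named on the page; this
    # rule reads such a frame as an 802.3 length of 512.


def formats_by_station(frames) -> dict:
    """Map each source address to the set of frame formats it sent."""
    seen = defaultdict(set)
    for frame in frames:
        info = classify_frame(frame)
        seen[info["src"]].add(info["format"])
    return dict(seen)


def multi_format_stations(frames) -> dict:
    """Stations sending more than one frame format."""
    return {src: sorted(fmts)
            for src, fmts in formats_by_station(frames).items()
            if len(fmts) > 1}


def build_frame(dst: str, src: str, length_type: int, payload: bytes) -> bytes:
    """Build a constructed test frame, padded to 60 bytes (64 minus the CRC)."""
    head = bytes.fromhex(dst) + bytes.fromhex(src) + struct.pack("!H", length_type)
    return (head + payload).ljust(60, b"\x00")


# Constructed sample data: locally administered addresses, made-up payloads.
BCAST, SERVER, CLIENT, OTHER = ("FFFFFFFFFFFF", "020000000001",
                                "020000000002", "020000000003")
SAMPLE_FRAMES = [
    build_frame(BCAST, SERVER, 0x8137, b"\xFF\xFF\x00\x28"),              # Version 2, NetWare
    build_frame(BCAST, SERVER, 0x0028, b"\xFF\xFF\x00\x28"),              # NetWare raw
    build_frame(BCAST, SERVER, 0x002B, b"\xE0\xE0\x03\xFF\xFF"),          # 802.3, SAP E0
    build_frame(BCAST, SERVER, 0x0030, b"\xAA\xAA\x03\x00\x00\x00\x81\x37"),  # SNAP
    build_frame(SERVER, CLIENT, 0x0800, b"\x45\x00"),                     # Version 2, IP
    build_frame(SERVER, OTHER, 0x05F0, b"\x00\x00"),                      # reserved range
]

if __name__ == "__main__":
    for f in SAMPLE_FRAMES:
        print(classify_frame(f))
    print(multi_format_stations(SAMPLE_FRAMES))
```

In the sample, the constructed server address sends the same NetWare traffic in all four formats, the situation slide 1-36 describes as loading the network.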

1-32 Expert Shows Frame Types

• The DLC Layer Objects show the frame types received and transmitted
– Shows only as Ethertype or 802.3

Version 2 frames are shown as Ethertype Frames. All others are shown as 802.3 Frames.

Slide Title: Expert Shows Frame Types
Important Points to Cover: Student reference. You may want to demonstrate this with a trace file. Beware, only Ethertype frames are differentiated in this window. All the other frames show up as 802.3.
Page 1 - 32

1-33 Examine the DLC Details

[Screen shots: Version 2 Frame; 802.3 Frame]

Slide Title: Examine the DLC Details
Important Points to Cover: This is a quick visual shot of how version 2 and 802.3 frames appear in the Detail window.
Ethernet II; 802.3 Frame
Demo: Mixed01.cap frame 1
Demo: Mixed01.cap frame 75
Page 1 - 33

1-34 Examine the DLC Details

[Screen shots: NetWare “Raw” Frame; SNAP Frame]

3 SNAP Demo: TCPDEMO6.3 “Raw” Demo: Mixed01.cap frame 22 Page 1 . 802.Section 1 TNV-202-GUI Ethernet Network Analysis and Troubleshooting Slide Title:Examine the DLC Details Important Points to Cover: This is a quick visual shot of how NetWare “raw” and SNAP frames appear in the Detail window.CAP frame 547 802.34 .

1-35 Sniffer Pro Filter Elimination Patterns

• To filter Version 2, use the Ethertype
• To filter 802.3, use the SAP
• To filter NetWare, use the FFFF checksum bytes
– If the checksum is in use, use the IPX Packet Type (but be careful, because a one-byte pattern match may be ambiguous)
• To filter SNAP, use DSAP and SSAP equal to AA
• By determining what frame formats are in use on the network, you can make sure no incompatibilities exist

[Screen shot callouts:]
– Highlight frame in Summary window before accessing this window
– Create a new profile
– Summary of the match will build here
– Choose your operand first then click Add Pattern
– Change Frame
– Highlight the data in the Detail window
– Click Set Data
– Data will be pasted into the pattern area
– Click OK
– Choose your next operand and repeat the steps until all your matches are pasted in

Slide Title: Sniffer Pro Filter Elimination Patterns
Important Points to Cover: This replaces the several data pattern match slides in the previous version of the course. Those screen shots are placed in the student notes on this page for their reference. The exercise that used pattern matching has been replaced by one using the Expert.
Page 1 - 35

1-36 So How Does This Matter?

• Devices using different frame formats will not be able to communicate directly
– They must send their frames to a translating bridge or router which converts and forwards the frames
– This creates a local router situation which doubles the traffic
• Devices configured with multiple unnecessary frame formats load the network
– NetWare servers RIP and SAP for each frame type
• Upper Layer Protocols expect a certain frame type and may not be able to communicate if the wrong frame type is in use

Slide Title: So How Does This Matter?
Important Points to Cover: New Slide. This helps to link this information to practical uses for the information.
Page 1 - 36

1-37 Exercise: Which Frames Are on the Network?

Turn to the lab section to complete this exercise

Slide Title: Exercise: Which Frames Are on the Network?
Important Points to Cover: This exercise has been modified. It no longer uses data pattern matching. Be sure to practice this before class so you are ready for it!
Page 1 - 37

1-38

If you have no questions about the previous exercise, then continue with the next exercise, or if you need a demonstration or explanation, ask your instructor to help you now

Slide Title: Yield
Important Points to Cover: This slide is here so you can control the exercise process.
Page 1 - 38

1-39 Exercise: A Surprise at 23:00

Turn to the lab section to complete this exercise

Slide Title: Exercise: A Surprise at 23:00
Important Points to Cover: This exercise is unchanged.
Page 1 - 39

1-40 Summary

In this section, you learned how to:
• Differentiate between Ethernet Frame Formats
– Ethernet Version 2
– Novell 1983 proprietary frame format
– IEEE 802.3
– IEEE 802.3 SNAP
• Recognize network configuration issues with different frame formats
• Identify frame format incompatibilities

Slide Title: Summary
Important Points to Cover: Wrap up the section by reviewing the labs and the objectives. Ask the students if they have any questions.
Target Time: Breaktime of Day 1
Page 1 - 40

2-1 Ethernet Sniffer Pro Hardware

Section 2 TNV-202-GUI
Ethernet Network Analysis and Troubleshooting
Slide Title: Ethernet Sniffer Pro Hardware Section 2
Section Timing: Start: Day 1 Approx. ______ Finish: Day 1 Early afternoon
Important Points to Cover: Section 2 title slide only.
Files: 02_snf_g.PPT, 02_snf_g.DOC
Traces: bcast.cap, GB.cap, 100mbfile.caz
Exercises: Comparing Ethernet Data
This is a new section. We hope that by putting this information at the front of the course, the students will feel this is an up-to-date course. They get to see the new faster Ethernet products right away and see in an exercise that Ethernet looks almost the same on the Sniffer, no matter what the speed of the network.
Please remember this instructor guide is a living document. It is not complete to start and is intended to grow with time. Add to your own copy as you gain experience. Please e-mail suggestions to the course Subject Matter Expert (SME) for future updates to the course material.
Page 2 - 1

2-2 Section Objectives

Upon completion of this section, you will be able to:
• Select the appropriate Sniffer configuration for each type of Ethernet network
• Ensure system requirements are met for each type of Sniffer
• Attach Sniffer Pro to the various Ethernet networks

Slide Title: Section Objectives
Important Points to Cover: State the objectives.
Page 2 - 2

2-3 10/100 Ethernet

Slide Title: 10/100 Ethernet
Important Points to Cover: Title Slide Only.
Page 2 - 3

2-4 10/100 Portable System Requirements

• PAC 64 or 65 or CardBus compatible notebook PC
– Can also be loaded on a desktop PC
– Pentium 200 MHz CPU or higher
• Windows 95c*/98 or NT SP3 server or workstation
• Sniffer 10/100 Ethernet adapter
• 85 MB Disk space for software
– Much more for traces
• 64 MB RAM
– Some topologies require more
• Keyboard and Pointing Device

* Windows 95c requires Winsock 2.

Windows NT has been tested through SP 6a. Consult the Sniffer documentation for a list of the adapters supported with this release.

On heavily loaded Ethernet networks, increase the receive buffer size and capture rate on the Ethernet adapter.

In Windows 95/98:
1. In the Windows control panel, select the Network icon.
2. In the list box at the top of the Configuration tab, select the adapter, then click Properties.
3. Click the Advanced tab.
4. In the Property list box, select Receive Buffers and increase the value to a larger number. We recommend you increase the buffer size in increments of 10 to the highest possible setting, which still enables the card to load.
5. Change the Capture Rate to High - No CPU Throttling.

In Windows NT:
1. In the Windows control panel, select the Network icon.
2. Click the Adapter tab.
3. Select the adapter, then click Properties.
4. Increase the Receive Buffers value to a larger number. We recommend you increase the buffer size in increments of 10 to the highest possible setting, which still enables the card to load.
5. Change the Capture Rate to High - No CPU Throttling.

Slide Title: 10/100 Portable System Requirements
Important Points to Cover: New Slide. Quickly review the three options:
– Notebook
– Desktop (this means that desktops are included in the NAI suite of portable software, though desktops are not really portable!)
– Dolch
Review the system requirements. The readme instructions for setting the Ethernet card parameters for heavily loaded networks are included in the student notes.
Page 2 - 4

2-5 Attaching Sniffer Pro to the Network

• Attach the RJ45 jack into a port on the hub
– All signals are seen on the Sniffer
• Attach the RJ45 jack into a port on the switch
– Use the Switch Expert or switch software to mirror the port(s) to the Sniffer port
• Attach in series on coax cable segments

[Diagram: PAC 64 attached to an Ethernet Hub, to an Ethernet Switch, and in series on a coax segment]

Slide Title: Attaching Sniffer Pro to the Network
Important Points to Cover: Discuss the various ways they can attach the Sniffer. It doesn’t matter if it is notebook, Dolch or desktop. All attach the same way.
Page 2 - 5

2-6 DSPro Agents

• DS Pro consists of two computers:
• Agents permanently installed in production networks
– Attach the Agent’s Ethernet monitor card to the production network to be analyzed
– Attach the transport Ethernet card to either a dedicated network or the production network
• A console to access Agents remotely
– Attach the Console to a network that has access to the networks where the DS Pro Agents are installed
– SniffView application accesses the remote Sniffers and controls them with the familiar user interface

[Diagram: DSPro Agents on Ethernet Networks, Optional Transport Network, DSPro Console]

Sniffer University has a two day TNV-012-DSP class that teaches the unique configuration processes required for the DS Pro system.

Slide Title: DSPro Agents
Important Points to Cover: Don’t get sidetracked into explaining the DS Pro system. Direct them to the TNV-201-DSP class!
Page 2 - 6

2-7 Full Duplex Sniffer Pro

Slide Title: Full Duplex Sniffer Pro
Important Points to Cover: Title Slide Only.
Page 2 - 7

2-8 System Requirements

• PAC 63, 64 or 65 or CardBus compatible notebook PC
• Windows 95c/98 or NT SP3 server or workstation
• Sniffer 10/100 Ethernet adapter
– Set to 100 Mbps
• Full Duplex pod
• 85 MB Disk space for software
– Much more for traces
• 64 MB RAM (128 is better)
• DSPro also has a 4 port Ethernet adapter you can configure in several modes

A Fast Ethernet Full Duplex Pod installation consists of the following major components:
– A PC with Sniffer Pro or Sniffer agent (Distributed Sniffer) software installed on the hard disk (the Sniffer PC).
– A supported Fast Ethernet network adapter installed in the Sniffer PC. Consult the Sniffer documentation for a list of the adapters supported with this release of the Full Duplex Pod.
– A Fast Ethernet Full Duplex Pod is connected to the Sniffer PC via the Fast Ethernet adapter and the Ethernet port on the Fast Ethernet Full Duplex Pod labeled, "Host Channel 10/100 UTP.”

Slide Title: System Requirements
Important Points to Cover: Slide moved here from section five of the previous version.
– Needs a 10/100 adapter in the main PC
– Pod attaches through the Ethernet cable
– Pod attaches into the network
– Needs lots of buffer and disk space, since the traffic load is very high and will create large trace files.
Page 2 - 8

2-9 Full Duplex Pod

• Troubleshoots and analyzes all traffic on 10/100 full-duplex backbone connections
• 148,800 Packets per Second (PPS) wire speed packet capture
– Full line rate on two channels in High Speed mode
– Near 100 Mbps in streaming mode
– Stores to a hardware buffer configurable to 512 MB
• Full-duplex Dual-channel Synchronous capture

The Fast Ethernet Full Duplex Pod is a separate network interface pod provided by Network Associates for use with Sniffer Pro and the Distributed Sniffer. The Fast Ethernet Full Duplex Pod lets you use the Sniffer with a Fast Ethernet card installed to monitor or capture data from Ethernet, Fast Ethernet, Full Duplex Fast Ethernet, and Half Duplex Fast Ethernet. The Fast Ethernet Full Duplex Pod provides two separate receive channels (one for each side of a full duplex Fast Ethernet network) and can capture at full Fast Ethernet line rate speeds in either a passthrough mode or a terminated mode.

This is called the “Pod-FEDC-NA-100” for Fast Ethernet Dual Channel in the NAI order book.

Slide Title: Full Duplex Pod
Important Points to Cover: Slide moved here from section five of the previous version. Buffer is in the pod. Frames captured on the pod are encapsulated into Ethernet frames, then delivered to the PC for analysis. This is listed in the order list as “Pod-FEDC-NA-100” for “Fast Ethernet Dual Channel Pod.”
Page 2 - 9

2-10 Full Duplex Pod Connectors

• Connects to High-Speed 100Base-TX and 100Base-FX Ethernet Networks
– RJ-45 ports offer a power-off pass-through
– Fiber and T4 supported through MII connectors

[Diagram of the pod’s rear panel: Probe Channel B (10/100 UTP, MII), Probe Channel A (10/100 UTP, MII), Power Connector, Synch In, Synch Out, Serial Port, Host Channel 10/100 UTP, Connection button]
– Connection button selects between Pass-through and Terminate Modes
– Channel B connections to the network (UTP and MII)
– Channel A connections to the network (UTP and MII)
– Connect straight-through Ethernet cable to the laptop

The Fast Ethernet Full Duplex Pod captures network data off the connected circuit and stores it in its own internal buffer. The captured data is then encapsulated in Ethernet frames and sent to the Sniffer PC over a Fast Ethernet connection. There, the analyzer strips the encapsulated capture data out of the Ethernet frame, making it available to the full set of Sniffer features.

Normal Ethernet frames are 1518 bytes maximum. The pod can capture frames up to 4082 bytes in length (including CRC). Frames larger than 4082 bytes will be treated as illegal frames.

Slide Title: Full Duplex Pod Connectors
Important Points to Cover: Slide moved here from section five of the previous version. Point out the separate channel connector. They can attach to TX via UTP or FX via the MII (Media Independent Interface) connectors. The connection button allows you to set pod to either pass-through or terminate mode. The right-most UTP connector attaches the pod to the 10/100 card in the PC. The Synch In and Out connectors are not used.
Page 2 - 10

2-11 Full Duplex Pod LEDs

• Separate LNK (Link) and ACT (Activity) LEDs show the status of each port
– The LNK LED illuminates when the indicated port is connected and working properly
– The ACT LED blinks when there is activity on the indicated port

[Diagram of the pod’s front panel: LINK and ACT LEDs for Host, Channel A and Channel B; Passthrough, Terminate, Clock, Activity, Power and HW Chk LEDs]

LED           Description
Passthrough   Lit when pod is in passthrough mode. Switch with the button on the back of the pod
Terminate     Lit when pod is in terminate mode
Clock         Lit periodically to indicate the pod’s software is alive and active
Activity      Lit when there is potential loss of data. The data may be lost when there is more data than the pod can handle
Power         Lit when the pod is receiving power
HW Chk        Lit when there is pod hardware or software failure. Flashes in test mode

Slide Title: Full Duplex Pod LEDs
Important Points to Cover: Slide moved here from section five of the previous version. Review quickly. Mainly for reference.
Page 2 - 11

2-12 Connecting the Pod to the Sniffer

• Power down the Sniffer and unplug the pod
• Attach the pod to the Sniffer with a standard Ethernet cable
– Connect between the Ethernet port on the PC and the Host Channel 10/100 UTP port on the pod
• Power on the PC
• Connect the power to the pod
• Connect the pod to the network

When the pod is powered on before the host, pod initialization may fail. Turn the pod off, then on if this occurs.

The pod provides a pass-through mode. When you remove power from the pod in pass-through mode, the link will go down! You may wish to install a splitter in the line that will enable you to attach the pod when needed without bringing down the link. Be sure it meets the dB loss specifications so the link is not degraded.

Slide Title: Connecting the Full Duplex Pod to the Sniffer
Important Points to Cover: New Slide. It’s important they follow this order. They may damage the pod and/or PC if they don’t or the Sniffer may not be able to see the pod. Emphasize that this pod has a different power adapter from the rest. It is huge and heavy and nicknamed “the brick” for good reason – it’s as big and heavy as a brick.
Page 2 - 12

2-13 Attaching FDX Pod to the Network

• Insert directly in the link
– Copper pass-through prevents losing link, even when powered off
• Tap into the line with a splitter
– Can leave the splitter in at all times and tap the line when necessary
– Use a copper or fiber splitter/transceiver
• Tap into the line through a monitor port on a switch or hub

[Diagrams: pod Channel A and Channel B inserted between Ethernet Hubs or Switches; Beam Splitters between Routers/Switches Tap Optical Signal from Channels A and B and Send to Pod; Ethernet Hub monitor port To Channel A]

Slide Title: Attaching Full Duplex Pod to the Network
Important Points to Cover: Slide moved here from section five of the previous version. Three ways:
– Break open the link and insert the pod. Push the button to place it in pass-through mode.
– Keep splitters in the line at all times so you won’t need to break the connection to attach the Sniffer. Set the button to terminate mode so the signals are not repeated back onto the wire!
– Attach to a monitor port on the switch. This is vendor-specific, but will probably allow you to select which channels you want to monitor.
Page 2 - 13

2-14 Attaching FDX Pod to DSPro Agents

• When using the Distributed Sniffer System, attach the Full Duplex pod to the Agent and use the remote console to configure the options.
• Attach using the diagrams on the previous page

[Diagram: DSPro Agent with Transport Cable and Monitor Cable, pod Channel A and Channel B on the Ethernet Network, DSPro Console]

Slide Title: Attaching Full Duplex Pod to DSPro Agents
Important Points to Cover: New Slide. Included here mainly to emphasize this pod can be used on the DS Pro system. It is covered in the 201-DSP class. There is also a 4 port Ethernet card that can be used in the DS Pro to monitor several different full-duplex connections, including 400 MB pipes that combine full-duplex channels.
Page 2 - 14

2-15 Gigabit Sniffer

There are several paragraphs of information in the 4.0 Readme.wri that is copied to the Sniffer Pro program directory when you load the Sniffer Pro software. Read them before you use the Sniffer!

Slide Title: Gigabit Sniffer
Important Points to Cover: Title slide.
Page 2 - 15

2-16 Gigabit Sniffer Pro Minimum Host CPU

• Microsoft Windows 98 or NT4.0 SP6
• 233 MHz Pentium or better
• 128 MB RAM for traffic generation
• 800 x 600 Screen 256 Color Monitor
• Large GB disk for huge trace files
• Full length PCI slot for Gigabit Ethernet card
• Half length ISA slot for power adapter if CPU doesn’t have 3.3v power available
• PCI to PCI bridge support v2.1
• Plug and Play v1.0a
• AMI or Award BIOS xx0617

Windows 95 is not supported for the Gigabit Sniffer. Use a compatible portable (Dolch) or desktop that has a Peripheral Component Interconnect (PCI) slot. AMI and Award are popular BIOS chips.

The BIOS version should be AI5TVD2-0617. You can contact DOLCH to get the BIOS Flash upgrade. There should be two files:
– awdflash.exe, size=7,847 Bytes, Dated 3/8/96
– Dolch-2.bin, size=131,072 Bytes, Dated 6/19/97

Upgrade the Flash BIOS for PAC-64

To Upgrade the Flash BIOS for PAC-64, follow these instructions:
1. Insert the Flash BIOS upgrade diskette into drive A:
2. Run the awdflash.exe file.
3. You will be prompted to enter bios file name, enter Dolch-2.bin.
4. You then will be prompted to save a file. Give this file the name Dolch-1.bin and save the BIOS.
5. Save and program the BIOS.
6. Reboot after update.

Slide Title: Gigabit Sniffer Pro Minimum Host CPU
Important Points to Cover: Slide moved here from section five of the previous version. Slide is adequate.
Page 2 - 16

2-17 Hardware Included

• Xyratex 1250 SX or LX Protocol Analyzer Adapter Card
– SC connectors
– SX Short Wave 850 nm
– LX Long Wave
• Long and Short External Trigger Cables
• Duplex Fiber Optic Cable
• 3.3v Voltage Regulator Card
• PC Power Supply ‘Y’ cable
• Voltage Regulator to Protocol Analyzer Power Cable

The Xyratex Gigabit card is designed to analyze network. On installing the card, it will not bind to the TCP/IP binding; in other words, no IP address should be assigned for the card.

17 . Page 2 .Section 2 TNV-202-GUI Ethernet Network Analysis and Troubleshooting Slide Title: Hardware Included Important Points to Cover: Slide moved here from section five of the previous version Slide is adequate.

Interfaces
2-18
• 1000 Base-SX
• 1000 Base-LX
• 1000 Base-CX through external adapter
• 1000 Base-T
• Can analyze both sides of full-duplex connection or two separate single links
• Captures and analyzes raw bits from the link
  – Sees 10-bit codes, preambles, collisions, autonegotiation, error propagation, packet encapsulation, idles and code violations

SX and LX transceivers are available.

Slide Title: Interfaces
Important Points to Cover:

New slide. Just run down the list.

Page 2 - 18

3.3v Power
2-19
• Two sources:
• Mother boards in newer CPUs have 3.3v power supply connector
  – Dolch PAC 65 and newer has 3.3 v power, PAC 64 needs the card (PAC 63 and older are not supported for Gigabit)
  – Attach to the Protocol Analyzer card
• 3.3v Voltage Regulator half-slot ISA card for CPUs without the 3.3v power supply
  – Generates 3.3v from PC’s 5v power supply
  – Drives up to 3 Protocol Analyzer cards
  – Y cable inserts between power supply and CD-ROM/floppy disk
  – Connects to Protocol Analyzer boards with short cable

ATX mother boards include the 3.3 v connector.

Slide Title: 3.3V Power
Important Points to Cover:

Slide moved here from section five of the previous version. Needs 3 volts power. If the motherboard doesn’t have it, you need another card that supplies it. Jumper from this card to the PacketMaster card.

Page 2 - 19

Xyratex 1250 Connectors
2-20
[Diagram: PacketMaster 1250 Card, Channel 1 and Channel 2. Labels: Connector 1 to Device 1, Connector 2 to Device 2, Tx 1, Rx 1, Tx 2, Rx 2, Sync In (Trigger In), Sync Out (Trigger Out)]
• Two 1000Base-SX or LX Gigabit Ethernet SC Connections
• External trigger in and trigger out connections

Available external connections are:
• two 1000Base SX Short Wave Fiber Optic connector pairs
• a single micro coax external trigger input
• a single micro coax external trigger output

Trigger conditions can be independently defined for each channel or combined for both channels, just as for filtering. The system can accept external inputs and can also be synchronized to other test equipment. The system can also provide external TTL output from a trigger.

Interfaces available:
• 1000 Base-SX
• 1000 Base-LX
• 1000 Base-CX through an external adapter
• 1000 Base-T* coming later
• SX and LX transceivers are available.
* T Specification under development

Slide Title: Xyratex 1250 Connectors
Important Points to Cover:

Slide moved here from section five of the previous version. Slide is adequate.

Page 2 - 20

Connecting the Analyzer
2-21
[Diagrams: analyzer (PAC 62) attachment options, with ports labeled Tx1, Rx1, Tx2, Rx2. Captions:]
Full Duplex connection between 2 hubs, switches
Full Duplex connection between end nodes
Full Duplex connection between switch and end node
Attached to hub or switched port (can be a SPAN port). Use this for traffic generation also
Loopback between Tx1 & Rx2

Slide Title: Connecting the Analyzer
Important Points to Cover:

Slide moved here from section five of the previous version. This will help those students who have the Sniffer now. (They are very lucky; they are in high demand and short supply.) Slide is self-explanatory.

Page 2 - 21

Gigabit DSPro
2-22
• The Xyratex card is also supported in the DSPro Agent
• Attach this card to the Gigabit network as you do for the portable Sniffer
• Attach the 10/100 monitor adapter to the transport network
[Diagram labels: DSPro Agent, Transport Cable, Monitor Cable, 10/100 Ethernet Network, Gigabit Network]

Slide Title: Gigabit DSPro
Important Points to Cover:

New Slide. Mainly FYI. Screens still look the same when you connect to the Agent.

Page 2 - 22

Exercise: Comparing Ethernet Data
2-23
Turn to the lab section to complete this exercise. Use the diagram on the next page as a reference to the network layout.

Slide Title: Exercise: Comparing Ethernet Data
Important Points to Cover:

New Exercise. This exercise is here to let them see right up front how the data looks in almost all speeds of the Sniffer. I was unable to get a 100 MB full-duplex trace file, so it has been mentioned briefly. Do not mention the 10 bit hex decode in the Gigabit screens now! Wait until they have been explained in the Gigabit section.

Page 2 - 23

Summary
2-24
In this section, you learned how to:
• Select the appropriate Sniffer configuration for each type of Ethernet network
• Ensure system requirements are met for each type of Sniffer
• Attach Sniffer Pro to the various Ethernet networks

More details on using these Sniffers are in the sections following.

Slide Title: Summary
Important Points to Cover:

Review the section objectives and answer any remaining questions. Target Time: Day 1 at noon or earlier if possible.

Page 2 - 24

Ethernet Physical and Data Link Layers
3-1

Slide Title: Ethernet Physical and Data Link Layers – Section 3
Section Timing: Start: Day 1 Approx. 1pm; Finish: Day 1 End of day
Important Points to Cover:

Section 3 title slide only.
Files: 03_phy_g.PPT, 03_PHY_g.DOC
Traces: HUB6ARC.caz
Exercise: Cable Specifications

This is a critical section that must be covered thoroughly so the students understand the basis of all Ethernet standards. The diagrams have been spiffed up so they show mainly star configurations. The 10BASE5 and 10BASE2 specific slides are now in the Optional Technologies section. Be prepared to jump there if you have students who still want to see the physical components of the old technologies. The exercise comes close to the end, so your challenge will be to keep the students engaged through the lecture. Please remember this instructor guide is a living document. It is not complete to start and is intended to grow with time. Add to your own copy as you gain experience. Please e-mail suggestions to the course Subject Matter Expert (SME) for future updates to the course material.

Page 3 - 1

Section Objectives
3-2
Upon completion of this section, you will be able to:
• Describe the access method used in Ethernet
• Discuss the responsibilities of the MAC layer
• Differentiate the various types of Physical Layer devices
• Explain the importance of the physical size limitations of the Ethernet networks
• Determine when the physical characteristics of the Physical Layer have been extended beyond the specifications

Slide Title: Section Objectives
Important Points to Cover:

State the objectives. The focus of the prior revision was on the new components most customers have in their environments. The specifications for 10BASE2 and 10BASE5 are still the basis for the newer environments and need to be covered. We’ve tried to make it as painless as possible while still giving them everything they need to know to understand the buzz words and more importantly why collision domains and timing specifications are still important! Most of our students think they know the Ethernet “nitty gritty” details, but they invariably learn new things in this section.

Page 3 - 2

Ethernet Components Today
3-3
[Diagram: Network A and Network B joined by a Router, with Switches, Hubs and a Network Interface Card (NIC). Labels: Switched Segment, Dedicated Connections: Only Broadcasts are propagated to all; Broadcast Segment, Everything broadcast to all]
• There is a wide variety of configurations and options available
• All still adhere to core concepts that define Ethernet
• Segments are extended logically by chaining hubs or switches, or by using bridges
• Networks are segmented using routers

Ethernet networks are undergoing unprecedented change. Standard hubs and switching hubs are becoming commonplace. Fast Ethernet is being included. Full Duplex Ethernet may be installed. Fast transmit adapters enable large amounts of data to be transmitted and received.

Slide Title: Ethernet Components Today
Important Points to Cover:

Today networks are undergoing change. The only constant we really have is change.
Fast Ethernet
Full duplex
Fast transmit adapters
Gigabit Ethernet
Yesterday, hubs were the new devices in networks, pushing out the older 10BASE5 and 10BASE2 networks. Today, switches may start to push out hubs. We are installing switches and hubs now. No one is really installing 10BASE5 or 10BASE2 today. Emphasize the fact that whether we are talking about 10BASE5 or switches, Ethernet is still contention-based, designed to a bus concept.

Page 3 - 3

Ethernet Contention Access Control
3-4
• Broadcast environment
• All network stations contend for available network bandwidth
• Simultaneous transmissions cause collisions, which produce runt frames
• Contention Access Control works well with bursty traffic
[Diagram: stations attached to a Concentrator or Hub]

Slide Title: Ethernet Contention Access Control
Important Points to Cover:

No inherent line control is used. The only requirement to transmit data is that the wire is quiet for 9.6 bit times.

Page 3 - 4

The Basis for Ethernet Specifications
3-5
CSMA/CD
• Carrier Sense
  – Listen until no carrier is sensed, then transmit after a delay
• Multiple Access
  – Designed for a broadcast environment
  – Every station hears every frame
• with Collision Detection
  – Listen for a collision while you transmit
• Designed for a bus, usually implemented as a star
  – The rules are observed in half-duplex switched networks even though collisions are usually avoided by using dedicated connections

Slide Title: CSMA/CD The Basis for Ethernet Specifications
Important Points to Cover:

The basics. Preparing the students for what is to come later.

Page 3 - 5

MAC Frame Transmission
3-6
• Construct a frame from data supplied by upper-layer
  – A legal frame must be at least 64 bytes long and no longer than 1518 bytes (counting the CRC, but not the Preamble)
  – If necessary, the 802.3 MAC layer adds a pad so that the frame is at least 64 bytes
• Calculate and append the CRC
• Sense Carrier: Defer to stations already transmitting
• Observe Interframe spacing: There is always at least a 96 bit time delay between frame transmission
  – 9.6 µs for 10 Mbps, .96 µs for 100 Mbps, 96 ns for 1000 Mbps
• Transmit and listen
• Detect collisions
• Backoff and retransmit if collisions occur

All adapters are manufactured to the Ethernet specifications. The card has no knowledge of whether it is plugged into a switch or hub port. These specifications apply to all speeds of Ethernet. Specifications dictate that there be a minimum 9.6 micro-second delay between frames in 10 Mbps Ethernet. An adapter must sense that the wire has been quiet at least 9.6 micro-seconds before it can transmit. The interframe spacing is always 96 bit times. The actual time between frames is dependent on the speed of the network and shrinks in proportion to the increase in speed. In Fast Ethernet, the interframe gap is .96 microseconds. The gap in Gigabit Ethernet is 96 nanoseconds.

Slide Title: Media Access Control (MAC) Frame Transmission
Important Points to Cover:

With IEEE MAC layer, it is the MAC’s job to ensure the minimum frame length. This is a departure from the V2 specifications, which forced the network layer protocol to guarantee the minimum frame size. Now the version two frames have been brought under the IEEE, so all versions must pad. The MAC layer is responsible for accessing the channel and ensuring correct transmission of the data. MAC functions reside on the adapter on the chipset. Important change: The Interframe gap has been changed from 96 microseconds to 96 bit times to imply this is used in all speeds. Use this term throughout this section. The Interframe Gap is 9.6 microseconds in 10 Mbps, 960 nanoseconds in 100 Mbps and 96 nanoseconds in Gigabit 1000 Mbps.

Page 3 - 6

Frame Transmission
3-7
• After sensing that there is no carrier on the wire during the interframe gap period, stations with data to send transmit the frame
• The signal is propagated everywhere
• The source station listens while transmitting
• It assumes the frame was delivered if it sensed no interference
[Diagram: Source Station sending a bit stream (Preamble, Dest Address, ...) through a Concentrator or Hub to all ports. *Timing slowed to show process]

Even in switched environments, stations must wait the interframe time after the line goes silent before they start transmitting.

Slide Title: Frame Transmission
Important Points to Cover:

This is a timed build slide and covers only the transmission part of the process. It builds automatically. The station that wants to transmit listens for carrier. When it senses there is no carrier, it waits the interframe gap time, then begins to transmit. When the signal is transmitted, it is intended to go everywhere. All stations hear it. Stations continue to listen while they transmit. This is a good time to discuss the adapters that jump the gun and start transmitting before the interframe gap time. This is mentioned in the student notes and should be discussed in class.

Page 3 - 7

Collisions
3-8
• When two stations with data to transmit sense that the media is available at the same time, they both transmit and a collision occurs
• The transmitting adapters sense the collision and continue to transmit a 32-bit jam signal, and wait a random amount of time before retransmitting
• If there are repeated collisions, the adapter tries again (up to a total of 16 times)
• It uses truncated binary exponential backoff to ensure that two stations will not collide with each other again during the wait cycle
  – Each time it retries, it waits a random amount of time
[Diagram: two stations on a Concentrator or Hub. Labels: Transmit, Jam, Collision. *Timing slowed to show process]

Stations continue to listen as they transmit. On a bus, the transceiver detects an increase in voltage on the wire if another station transmits at the same time. The transceiver notifies the adapter of a collision. Twisted pair environments are basically point-to-point communications. While an adapter is transmitting, it listens on its receive pair. If a receive signal is detected, the adapter has detected a collision. Any other stations with frames queued sense the wire is busy and they wait until the interframe gap has passed after the wire goes silent.

Slide Title: Collisions
Important Points to Cover:

This is a timed build slide. Some is automated on a timer, and some requires a mouse click to activate. There are three clicks for the slide. Wait to click until the first collision occurs. Important change: The wording was changed slightly to indicate it does not stop transmitting, but just continues to transmit the jam signal instead of the frame. If a collision occurs, the participating stations output a minimum of 32 bits as a jam. There is no specified jam pattern for the adapters. Manufacturers can do what they want as long as it is not the CRC of the bits that were just transmitted. IEEE states a minimum jam of 32 bits but does not specify a maximum jam period past 150 ms. Its purpose is simply to busy out the wire on a 500 meter segment. The transmitting adapters back off a random amount of time. The first station to timeout tries again. Each time the adapter is involved in a collision trying to transmit the same frame, it waits a longer period of time before listening for carrier. In the meantime, a totally different station may have gotten a frame out onto the network. It gives up after 16 unsuccessful attempts and purges the frame from its transmit buffer. The upper layer protocol must queue it again. This of course involves more delay than the collisions and backoff induced.
--------------------------------------------------------------------------------
The signal from the transmitting station will not be heard by the second station some distance from it, so it begins to send its frame.

Page 3 - 8

Truncated Binary Exponential Backoff
3-9
Retry   Random Time Range
1       2^1  = 0...2 x 51.2 µsec
2       2^2  = 0...4 x 51.2 µsec
3       2^3  = 0...8 x 51.2 µsec
4       2^4  = 0...16 x 51.2 µsec
5       2^5  = 0...32 x 51.2 µsec
6       2^6  = 0...64 x 51.2 µsec
7       2^7  = 0...128 x 51.2 µsec
8       2^8  = 0...256 x 51.2 µsec
9       2^9  = 0...512 x 51.2 µsec
10      2^10 = 0...1024 x 51.2 µsec
11      2^10 = 0...1024 x 51.2 µsec
12      2^10 = 0...1024 x 51.2 µsec
13      2^10 = 0...1024 x 51.2 µsec
14      2^10 = 0...1024 x 51.2 µsec
15      2^10 = 0...1024 x 51.2 µsec
16      2^10 = 0...1024 x 51.2 µsec
(1024 x .0000512 = 52.4 milliseconds)

The backoff time is measured using the propagation delay of the media (slot time). The figures above are for 10 Mbps Ethernet. 100 Mbps times are 1/10th these times, gigabit are 1/100th of these times.

Slide Title: Truncated Binary Exponential Backoff
Important Points to Cover:

For student reference. The previous two slides are now combined on this single slide. Don’t spend any time here.

Page 3 - 9

Half Duplex MAC Transmit
3-10
[Flowchart:]
Data to send
→ < 60 bytes? Yes: Pad to 60 bytes
→ Calculate and add CRC
→ Carrier Sense? Yes: Defer. No: Wait 96 bit times
→ Transmit Data, Listen for collision
→ Detect Collision?
   No: End of data? No: Transmit Until End. Yes: Done, Transmit OK!
   Yes: Send Jam → Too many attempts? Yes: Done, Excessive errors. No: Compute backoff, Wait backoff time (return to Carrier Sense)

All speeds of Ethernet follow this flowchart. Only the timing changes.

Slide Title: Half Duplex MAC Transmit
Important Points to Cover:

Spend time taking the students through the process. Make sure they understand. There is a new diagram similar to this in the Full Duplex section now.

Page 3 - 10
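The backoff table and the half-duplex transmit flowchart above, worked through as an added example (not part of the course material). The function names and the `collides` callback, which stands in for the shared medium, are hypothetical; carrier sense and the 96 bit time wait are assumed to succeed before every attempt.

```python
import random
import struct
import zlib

SLOT_US = 51.2          # one slot time at 10 Mbps, the unit used in the backoff table
MIN_BEFORE_CRC = 60     # the MAC pads to 60 bytes, giving 64 bytes with the CRC
MAX_BEFORE_CRC = 1514   # 1518-byte maximum minus the 4-byte CRC
ATTEMPT_LIMIT = 16      # "up to a total of 16 times"
BACKOFF_CAP = 10        # the window stops growing at 2^10 = 1024 slots


def build_frame(header_and_data: bytes) -> bytes:
    """Pad to the minimum length, then calculate and append the CRC."""
    if len(header_and_data) > MAX_BEFORE_CRC:
        raise ValueError("frame would exceed 1518 bytes")
    padded = header_and_data.ljust(MIN_BEFORE_CRC, b"\x00")
    # The Ethernet CRC is the CRC-32 that zlib implements, stored
    # least-significant byte first in the captured octets.
    return padded + struct.pack("<I", zlib.crc32(padded))


def backoff_window(retry: int) -> int:
    """Window size in slot times for a retry: the 2^n column, truncated at 2^10."""
    return 2 ** min(retry, BACKOFF_CAP)


def max_backoff_ms(retry: int, slot_us: float = SLOT_US) -> float:
    """Upper bound of the table's random time range, in milliseconds."""
    return backoff_window(retry) * slot_us / 1000.0


def transmit(frame: bytes, collides, rng: random.Random) -> dict:
    """Follow the flowchart: transmit, and on collision jam, back off, retry.

    collides(attempt) -> bool is a constructed stand-in for the wire.
    """
    backoff_slots = 0
    for attempt in range(1, ATTEMPT_LIMIT + 1):
        if not collides(attempt):
            return {"status": "transmit ok", "attempts": attempt,
                    "backoff_us": backoff_slots * SLOT_US}
        # Collision: the jam goes out, then the adapter waits r slot times,
        # where r is a random integer with 0 <= r < window.
        if attempt < ATTEMPT_LIMIT:
            backoff_slots += rng.randrange(backoff_window(attempt))
    return {"status": "excessive errors", "attempts": ATTEMPT_LIMIT,
            "backoff_us": backoff_slots * SLOT_US}


if __name__ == "__main__":
    # Constructed frame: 14-byte header of zeros plus a short payload.
    frame = build_frame(bytes(14) + b"hello")
    print(len(frame), "byte frame after pad and CRC")
    for retry in (1, 5, 10, 16):
        print(f"retry {retry:2d}: up to {max_backoff_ms(retry):.1f} ms")
    print(transmit(frame, lambda attempt: attempt <= 3, random.Random(7)))
    print(transmit(frame, lambda attempt: True, random.Random(7)))
```
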

Frame Reception
3-11
• All adapters synchronize clocks to the preamble bit pattern
• Upon receipt of “end of preamble flag,” adapters copy the DLC destination address
• If the destination DLC address is equal to their own or a broadcast, stations continue to copy, otherwise they stop copying and release the buffer
[Diagram: Source C788CD809782 sending Preamble, Dest Address, Source Address through a Concentrator or Hub to Destination 080069020FD3 and the other stations. *Timing slowed to show process]

Slide Title: Frame Reception
Important Points to Cover:

This is an automated build slide. Click the mouse when you are ready to show the action after you have covered the bullets. Stations hear the preamble and synchronize their clocks to it. The Start of Frame delimiter indicates the destination field is coming next. Stations listen for as long as it takes to determine if the frame is addressed to them or not. If it is addressed to them, they copy it. If the frame is not intended for them, they discard the bits from their receive buffer and passively wait for a new signal or the quiet time so that they may send their own data.

Page 3 - 11

Assessment of Received Frames
3-12
[Flowchart:]
>512 Bits? No: Runt Frame, Discard Frame
           Yes: CRC Valid? Yes: Good Frame! Pass to higher layer protocol
                           No: End on 8-bit Boundary? Yes: CRC Error
                                                      No: Alignment Error

MAC Frame Reception:
• Recognize if frame is destined for this station
• Discard frame if it is too short (runt)
• If frame does not end on an 8-bit boundary, truncate it to the nearest 8-bit boundary
• Calculate CRC. If the calculated CRC does not match the CRC in the frame, discard the frame (If the discarded frame does not end on an 8-bit boundary, report Alignment Error, otherwise report CRC error)
• Pass good data to upper-layer

Frames are always truncated because transmitters have a hard time stopping immediately after the last data bit. Transmitters are allowed 1.6 bit times after the final data bit to let their transmission level reach 0. It is possible for a transmitting adapter to send an extra bit or two after sending the CRC field, and for these bits to be of sufficient amplitude to be seen as bits by a receiving adapter. In these circumstances, the bits are referred to as dribble bits and will be truncated by the receiving adapter to the nearest 8-bit boundary. Any bits whose signal level is less than the receiving adapter’s minimum level requirements will be disregarded. Dribble bits become more evident in Fast Ethernet and Gigabit Ethernet networks, due to the increased number of bit times required for transmitting adapters to return to zero.

Slide Title: Assessment Of Received Frames
Important Points to Cover:

Cover well. A similar diagram is in the Full Duplex section.

Page 3 - 12
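The receive-side assessment above, as an added example that is not part of the course material: it classifies constructed frames as good, runt, CRC error or alignment error. The function names and the representation of a received frame (whole octets plus a count of leftover dribble bits) are assumptions made for the illustration.

```python
import struct
import zlib
from collections import Counter

MIN_FRAME_BITS = 512   # 64 bytes, the shortest legal frame counting the CRC


def with_crc(body: bytes) -> bytes:
    """Append the 4-byte CRC the way it appears in captured octets."""
    return body + struct.pack("<I", zlib.crc32(body))


def flip_bit(frame: bytes, bit_index: int) -> bytes:
    """Return a copy of the frame with one bit inverted (simulated line noise)."""
    damaged = bytearray(frame)
    damaged[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(damaged)


def assess(octets: bytes, dribble_bits: int = 0) -> str:
    """Classify a received frame following the slide's decision order.

    octets       -- the whole bytes received after the preamble
    dribble_bits -- 0..7 extra bits that arrived after the last whole byte
    """
    if not 0 <= dribble_bits < 8:
        raise ValueError("dribble_bits must be 0..7")
    total_bits = len(octets) * 8 + dribble_bits
    # The slide's box reads ">512 Bits?"; a 64-byte frame is legal per the
    # MAC Frame Transmission slide, so exactly 512 bits passes here.
    if total_bits < MIN_FRAME_BITS:
        return "runt"
    # Truncating to the nearest 8-bit boundary drops the dribble bits.
    body, received_crc = octets[:-4], octets[-4:]
    if zlib.crc32(body) == struct.unpack("<I", received_crc)[0]:
        return "good"
    return "alignment error" if dribble_bits else "crc error"


def constructed_samples():
    """Constructed test frames (not taken from any course trace file)."""
    good = with_crc(bytes(range(60)))
    noisy = flip_bit(good, 100)
    return [
        ("minimum-size frame", good, 0),
        ("good frame with 3 dribble bits", good, 3),
        ("one flipped bit", noisy, 0),
        ("flipped bit and 5 dribble bits", noisy, 5),
        ("collision fragment", good[:40], 0),
        ("one bit short of 512", good[:63], 7),
    ]


def tally(samples) -> Counter:
    """Count results per category, like an analyzer's error counters."""
    return Counter(assess(octets, dribble) for _, octets, dribble in samples)


if __name__ == "__main__":
    for label, octets, dribble in constructed_samples():
        print(f"{label:32s} -> {assess(octets, dribble)}")
    print(dict(tally(constructed_samples())))
```
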

Repeaters
3-13
[Diagram: a Repeater joining two 10BASE5 segments through AUI ports; a Multiport Repeater joining 10BASE5 (AUI), 10BASE2 and 10BASE-T; a Hub or Concentrator with ports 1 to 6]
• A repeater is a physical layer device that extends the network length and topology by regenerating and retiming the signal one bit at a time
• A repeater repeats every signal that comes in on one port onto every other port. A repeater does not isolate traffic or collisions
• A repeater is transparent to other stations on the network. A repeater is not addressable. It does not store and forward data
• A 10BASE-T hub acts as a multiport repeater

A repeater can cause more collisions, since a collision signal is propagated out all ports. Hubs managed through SNMP have an IP address assigned to the interface that communicates with the management application. This address is NOT used in frame regeneration.

Slide Title: Repeaters
Important Points to Cover:

Repeaters are required to quickly forward data from one port onto all others. A repeater doesn’t isolate collisions, it propagates them. A hub graphic has been added to the slide.

Page 3 - 13

Repeaters are Responsible For:
3-14
• Preamble Regeneration
  – Remove preamble from received frame and regenerate it on sending frame
• Data Repeat
  – Repeat all signals received on one segment to all other segments attached to the repeater
• Signal Amplification
  – Ensure the amplitude of signals is correct
• Signal Retiming
  – Ensure encoded data output is within jitter tolerances
• Fragment Extension
  – Extend repeated signal if less than 96 bits (including preamble)

Preamble: 8 bytes of 1010101...10101011 at the beginning of each Ethernet frame. A repeater uses the preamble to sync up to bits, just like any station does. Some bits may be lost, in which case the repeater regenerates a new preamble. The preamble is discussed in more detail in the data link layer section. If a repeater receives a little fragment (runt) frame that is less than 32 bits plus preamble, the repeater will extend the bits to at least 96 bits, so that the attached segments are “busied out” for the duration of the original collision. This ensures that the signal meets the next repeater while the repeater is still transmitting.

Slide Title: Repeaters Are Responsible For:
Important Points to Cover:

Repeaters do not repeat preamble. They create a new preamble. When they see the “11” indicating the end of preamble, they go into repeat mode. Repeaters jam out all ports on detection of a collision. They are the only devices for which IEEE has defined a jam pattern (documented in the student notes).

Page 3 - 14

10BASE-T Ethernet Cabling
3-15
[Diagram: Concentrator or Hub with RJ-45 jacks; UTP, 100 meters max, to an RJ-45 jack. Older Implementations: External Transceiver with AUI cable. Internal Transceiver on NIC and RJ-45 jack]
• Media = .4 to .6 mm diameter (26 to 22 AWG) unshielded wire in a multipair cable
• Maximum distance from hub to transceiver = 100 meters
• A hierarchical star topology is allowed, with up to four levels of concentrators

Telephone wire meets the requirements because it is usually unshielded twisted-pair cable composed of .5 mm (24 AWG) twisted pairs. The limit of 100 meters is for the worst case of 11.5dB of signal attenuation. Many manufacturers now use transceiver chips that drive typically from 125 meters to 200 meters (626 feet). If you're using a standalone hub AND your new and improved TDR says all of the requirements for segment signal conformance are being met, you don't have to worry about using the longer UTP cable. However, the moment you attach a hub with these cable lengths to another hub, overall propagation delay comes into play. When unshielded twisted pair cabling is used, you must be concerned with electromagnetic and radio interference, as well as cross-talk. Cross-talk is caused by excessive coupling of signals from one line to another, due to the geometry of the twist. Use a cable scanner to test for cross talk. The 10BASE-T specification states that any two stations communicating cannot traverse more than four hubs. Each hub contains repeater functionality. This follows the four repeater rule contained in the IEEE 802.3 specification.

Slide Title: 10BASE-T Ethernet Cabling
Important Points to Cover:

Hubs are repeaters. Cover the cable distance specifications.

Page 3 - 15

10/100Base-T Frame Transmission
3-16
10/100Base-T Hub or Concentrator
• A group of multiport repeaters
• Signal received off of a port is repeated onto the backplane, then flooded out all other ports
[Diagram: Workstations and File Servers attached to the hub. Labels: Inbound signal from transmitting station; Flooded out to all other ports]

Concentrators (hubs) are the equivalent of a bus in a box and function like multiport repeaters. A signal received from a transmitting station is repeated onto the backplane and then repeated (flooded) out all other ports. Hubs and repeaters do not repeat preamble. They regenerate a new one. When the end of preamble is reached, repeaters then go into repeat mode. Fragments are extended to the minimum of 96 bits. Concentrators (hubs) do not segment collision domains. Upon detection of a collision, hubs jam out all ports. Repeaters are the only devices that have an IEEE-specified jam pattern. The first 62 bits (of 96) must be 10101010...etc. The concentrator may partition any port with 32 consecutive collisions. Unmanaged hubs will re-enable the port upon receipt of any good data frame. Managed hubs tend to require that the administrator re-enable the port through the elemental manager.

Slide Title: 10/100Base-T Frame Transmission
Important Points to Cover:

Note the addition of 100Base info here. This is an automated build slide showing the signal propagation. It’s still a bus with the backplane propagating the signal everywhere.

Page 3 - 16

The Hierarchy of Ethernet Hubs
3-17
Simple, low-cost Desktop Hubs • Standalone hubs typically support 8-16 ports • Some larger multi-slot hubs support from 4-12 “line cards,” each containing 12-24 ports, for a total of about 288 physical ports • All users are connected to same backplane, hence the same LAN • 10/100 Autosensing

Workgroup Hubs • The need for autonomous work groups requires backplane segmentation of larger hubs • Hub backplanes are physically separated into 2 or 3 or 4 different Ethernet segments • 10/100 Autosensing

Interconnection of these separate LANs is accomplished by the inclusion of bridge-on-a-card or router-on-a-card modules to one of the segmented LANs. Standalone bridges and routers are also used, but the trend is toward space-conserving configurations. Some vendors offer tiny “micro” bridges to connect one Ethernet to another. All networking components reside within the hub or networking platform, which makes them ideal for locked wiring closets. Workgroup hubs typically have an element manager that will support both in-band (Telnet via TCP/IP on Ethernet) and out-of-band (RS232 for modems) access. These element managers provide physical level data about the health of the LAN and can send SNMP “traps” to, or respond to SNMP polls from, integrated network management systems or “umbrella” managers. Some hubs are equipped with redundant hot-standby power supplies for maximum uptime. Power supply or line card “swaps” can be performed during off-peak times. The reality: although hubs have evolved into the heterogeneous networking platform, they have also become the single point-of-failure for many workgroups.


Slide Title: The Hierarchy of Ethernet Hubs
Important Points to Cover:

Student notes and slide are adequate. The names of the hubs have changed to reflect how they are marketed today.


Backbone Hubs
3-18

SNMP Management applications are used to control these sophisticated hubs. Many offer click and drag operations to logically move stations. SNMP agents collect port, backplane and other statistics. The management stations periodically poll the devices for the statistics. Data is collected and reports are generated to track the health of the device and network.


• Multiple “flavors” of backbone hubs proliferate today. Some offer dedicated functions, while others offer add-in functionality via line cards like:
– Multiple media Ethernet segments: AUI, BNC, 10/100BASE-T, FOIRL
– Multiple media Token Ring segments: STP, UTP, fiber repeaters
– Multiport local and remote bridges with FDDI backbone interfaces
– Multiport, multi-protocol local and remote routers
– Ethernet packet switches. These are discussed in more detail later
– LAT and TCP/IP terminal servers for RS232-based devices
– X.25 gateways, SNA gateways
– Novell NetWare file servers
– Etc. The list continues to grow

Slide Title: Backbone Hubs
Important Points to Cover:

Student notes and slide are adequate.


Link Test Pulse
3-19
[Figure: hub port and NIC, each with TX, RX, COL and LINK indicators, joined TX to RX in both directions]

10Mbps link test pulses are 100 nanoseconds (100 nanoseconds = 0.1 microseconds = 1 bit time) in size, and are transmitted every 201 microseconds. Unless there is a regular link test pulse, data is not transferred from the wire to the receiver, or from the transmitter to the wire.

Polarization or phase is the correct match of TX+ to RX+ instead of TX+ to RX-. Some early 10BASE-T products did not incorporate auto-polarity and auto-phase matching capabilities. The wires connecting these devices must be oriented correctly. Subsequent products do incorporate these features.

100BASE-T Link Integrity pulses are sent continuously on the T4 primary transmit pair about 1 ms apart. Failure to detect these pulses generates an error.


• Many transceivers and hub ports feature a Link LED (usually green in color) that provides a confidence check of wire pair integrity
• A pulse is transmitted on one end’s transmit pair to the other end’s receive pair every 201 µs. The pulse is unique and will not be mistaken for a data frame or a collision
• It provides status of the hub’s transmit wire pair to the node’s receive wire pair (node Link LED), and the node’s transmit pair to the hub’s receive pair (hub Link LED)
• An illuminated Link LED is not a guarantee that the wire pair is polarized or phased correctly (TX+ to RX+, TX- to RX-) or that the wire pair is twisted together end-to-end (pin 3 twisted with pin 6, for example: orange/white wire twisted with white/orange wire)

Slide Title: Link Test Pulse
Important Points to Cover:

The link pulse test does not check for correct phasing of the signal. It is simply a continuity test. If the pulse is not there, the devices will not communicate. We are going to be doing some comparisons of these link pulses as we discuss Fast and Gigabit Ethernet. The characteristics of the 10 Mbps link pulses are important to mention here:
• One pulse
• Evenly spaced at 201 microseconds


10 Base T Ethernet Pinouts
3-20
[Figure: jack at NIC and RJ-45 plug, contacts numbered 8 to 1]

Contact  Wire color     Signal      X-over
1        white/orange   Transmit +  3 white/orange
2        orange/white   Transmit -  6 orange/white
3        white/green    Receive +   1 white/green
4                       Not used
5                       Not used
6        green/white    Receive -   2 green/white
7                       Not used
8                       Not used

The 8-pin connector is used as the mechanical interface to the twisted pair cable. The connector is used on the hub as well as the NIC. Typically the NIC connects to a wall outlet using a twisted pair patch cord. Wall outlets connect through building wiring and a cross-connect function to the repeater hub. The cross connect (or crossover) function connects the transmitter at one end of the twisted pair link to the receiver at the other end of the twisted pair link. The cross connect can be built into the receiving end.

There are two pairs used for each station attachment. Two wires (one pair) are used to receive data from the hub to which it is attached. The second pair is used to transmit data to the hub. Normally a light on the hub indicates the pair from the station to the hub are attached correctly (this is the TX+ and TX- from the station to the RX+ and RX- on the hub). A light (Link LED) on the card indicates the pair from the hub to the station are correct (this is the TX+ and TX- from the hub to the RX+ and RX- on the station).

Most 10 and 100 Mbps twisted-pair Ethernet is still half duplex: a station is either transmitting or receiving, not both.


Slide Title: 10BASE-T Ethernet Pinouts
Important Points to Cover:

Ethernet hubs used to require correct phasing. You could not get away with reversing the leads. Most hubs today will auto-sense and compensate if the polarity is reversed. Pins 4 and 5 are not used. They were reserved for tip and ring. Pins 7 and 8 were used in the old days for a second line or to power a phone with auxiliary features.


Which Wires are Paired at the Jack/Plug?
3-21

Wire #  568A wiring standard   568B wiring standard   Ethernet (802.3)
1       white/green  (pair 3)  white/orange (pair 2)  T+
2       green        (pair 3)  orange       (pair 2)  T-
3       white/orange (pair 2)  white/green  (pair 3)  R+
4       blue         (pair 1)  blue         (pair 1)
5       white/blue   (pair 1)  white/blue   (pair 1)
6       orange       (pair 2)  green        (pair 3)  R-
7       white/brown  (pair 4)  white/brown  (pair 4)
8       brown        (pair 4)  brown        (pair 4)

[Figure also marks the pins used by Token ring (802.5)]

• If you suspect noise is damaging data to a station, check to see if the receive pair has been “split out”
• If the receive pair is not twisted together, the wires will not be mutually affected by the same noise, thus Common Mode Rejection will not be effective

How will you know if noise is affecting data to a station? For one thing, you will see lots of CRC errors on the Sniffer with that station as the destination address. There will also be various other errors (especially retransmissions) associated with the station.

The EIA/TIA 568 wiring standards shown above are somewhat different from the widely used “USOC” wiring scheme (not shown) for telephone signals. Because of the wire-pair layouts, a 568 link can be used for voice signals; however, USOC wiring is not properly paired for Ethernet signals. EIA/TIA 568 standards specify an 8-pin connector (RJ-45), pinned out in one of the two options, 568A or 568B, shown above. Today’s connecting hardware is color-coded to match the wires, and modern cable testers can quickly determine if the link is capable of carrying a 10 or 100 Megabit Ethernet signal.


Slide Title: Which Wires are Paired at the Jack/Plug?
Important Points to Cover:

10BASE-T requires the transmit leads and the receive leads to be discrete pairs. It does not matter how your plant is cabled, but you need to know so that the pairing can be maintained. 10BASE-T will not work if the pairs are not maintained.


Common Mode Rejection (CMR)
3-22
[Figure: TX+/TX- and RX+/RX- signal traces, each swinging between +2.5v, 0 volts and -2.5v]

• For CMR to function properly, a pair of wires needs to be twisted around each other
• CMR uses the voltage differences between each signal (TX+) and its mirror image (TX-) to determine the logic state of each bit. (The differential voltage is typically either 5v or 0v)
• Voltage spikes, when they occur, will induce themselves onto the wire pair but the difference in voltage (5v or 0v) will remain the same
• CMR is not perfect, as excessive electrical “noise” may defeat the cancellation process and destroy the transceivers at the hub and the node

For Common Mode Rejection (balanced signaling, or longitudinal voltages) to work properly, the signal and its reference need to be subject to the same interference. For the signals to be subject to the same interference, they are treated as a pair and mutually twisted.

There are several different schemes of pairings. Unshielded twisted pair wiring that is correct for Ethernet may not be correct for telephony, or wire that is correct for Token Ring may not be correct for Ethernet. Observe standard wiring guidelines such as NOT routing UTP over fluorescent lights, near high-voltage or high-current sources, etc.

The diagram above depicts the hex pattern of 6E, which Intel uses as the cable test pattern.

Slide Title: Common Mode Rejection (CMR)
Important Points to Cover:

This is what allows 10BASE-T to work. The important concept is that you want the same amount of noise on the receive minus wire as the noise on the receive plus wire. Equal noise maintains the relationship of the signal and can be filtered out so that the chips can still determine a one from a zero. When wires are not twisted together and noise hits, the relationship is not constant and common mode rejection doesn’t work.

Cabling Installations
3-23
[Figure: cabling path from the NIC card connection through the wall plate, punch down block and patch panels to the hub, with connection points numbered 1 to 10]

• Beware of too many connections. Each one contributes to signal attenuation and represents a potential failure point

The diagram above can apply to Ethernet or Token Ring. The connections in the diagram are:
1) PC NIC and UTP patch cord
2) UTP patch cord and wall plate
3) Wall plate and UTP cable
4) UTP cable and punchdown block
5) Punchdown block and 25-pair cable
6) 25-pair cable and first patch panel
7) First patch panel and UTP patch cord
8) UTP patch cord and second patch panel
9) Second patch panel and 25-pair cable
10) 25-pair cable and interface module

Punch down blocks include BIX 1A, Telco 66, and/or AT&T MT 110 (for level 5). The shaded area from points 4-9 is the equivalent of a harmonica, a device in common usage in many installations. This cabling diagram may be simplified in most locations.

Slide Title: Cabling Installations
Important Points to Cover:

This cabling diagram does not represent the ideal, but rather is an example of how things should NOT be done. Unfortunately, this is the cabling found in some environments. Each mechanical connection induces loss and an opportunity for a failure point.

This cabling diagram represents the way things were done in the past -- to meet category 3 standards. Most new installations DO NOT install wiring this way. New installations wire the network to category 5 specifications. Cross connects are made directly to the hub. An example would be to connect the wallplate (3) to the back of the patch panel (8).

Hub-to-Hub Connections
3-24
• Hubs typically cross internally over the transmit and receive pairs from the nodes
• Hub-to-hub connections must be “crossed over” so that the transmit pair of one hub’s port goes to the receive pair of the other hub’s port and vice-versa
• This can be done with a “crossover cable,” or at the punchdown block, or via an “MDI-X” port that internally crosses the pairs

[Figure: two hub ports joined by a crossover: TX+ 1 and TX- 2 on one port go to RX+ 3 and RX- 6 on the other, in both directions]

Some manufacturers do not support hubs being connected via node ports. MDI-X should only be enabled on one end. Some hub manufacturers are now offering proprietary higher speed synchronous links between THEIR hubs. Some of these manufacturers are circumventing the IEEE rules by using special connections for hub-to-hub connections, and advertise themselves as half-hop hubs, that may be cascaded further (to more hops) than the IEEE rules allow, using the special connections, and no crossovers. Other manufacturers have developed Full Duplex Ethernet hubs.

Slide Title: Hub-to-Hub Connections
Important Points to Cover:

Student notes and slide are adequate.

Timing Specifications
3-25

Slide Title: Timing Specifications
Important Points to Cover:

Title slide only.

Collision Domain
3-26
[Figure: segments joined by repeaters, captioned: A transmission on this segment... is propagated through repeaters all the way to all segments! ...and news of a problem, if any, must propagate all the way back... while the original station is still transmitting]

A "collision domain" is defined as the physical area within which a collision is propagated. Repeaters propagate everything, even bad frames.

Slide Title: Collision Domain
Important Points to Cover:

This is an automated build slide. This slide was updated to show repeaters (hubs) instead of coax cable. The rule still applies, whether we’re using thick, thin or twisted pair as long as the media is shared.

Extremely important concept. All timing specifications are based on the collision domain. The round-trip time for the worst-case scenario must be less than the time to transmit the minimum-sized frame, since the card only listens while it is transmitting. Cable lengths, repeater rules and propagation delay all must reach this target. All equipment (old and new) must follow this rule.

Ethernet Signal Propagation Speed
3-27
• Determination of the maximum topology and minimum frame size depends on information about the speed that data travels
• Data travels at less than the speed of light (c)
• c = speed of light in a vacuum = 300,000 kilometers per second (approximately 1 foot per nanosecond)
• Thick Coax Cable: Signal travels at .77c (231,000 km/sec)
• Thin Coax Cable: Signal travels at .65c (195,000 km/sec)
• Twisted Pair Cable: Signal travels at .59c (177,000 km/sec)
• Fiber Cable: Signal travels at .66c (198,000 km/sec)
• AUI Cable: Signal travels at .65c (195,000 km/sec)

It’s important to be aware of this information (though not memorize the numbers) to gain an understanding of the maximum Ethernet topology and the minimum Ethernet frame size. Twisted pair cable is the slowest data mover. We must be concerned about over-extending the network length, which will exceed the propagation budget, and contribute to late collisions, which in turn results in extremely slow response to most network users.

Slide Title: Ethernet Signal Propagation Speed
Important Points to Cover:

This is a lead-in to the next slide. It is an auto build slide. This information comes from the 802.3 spec.

So, How Long is a Bit?
3-28
For thick Ethernet, the basis of the specification:
• 231,000 km/sec divided by 10 million bits per second = 23.1 meters
• A bit occupies 23.1 meters on thick Ethernet, slightly fewer meters for thin and twisted pair Ethernet
• An extension of 32 bits would cause an additional 32 x 23.1 meters or 739 meters to be busy, which makes it possible to busy out a maximum size Ethernet segment
• This explains why a repeater extends a fragment frame by at least 32 bits. It also explains the 32 bit jam added to a collision frame

For 10Base-T:
• 177,000 km/sec ÷ 10 million bits per second = 17.7 meters
• 32 x 17.7 meters = 566.4 meters are busy on jam, easily exceeding the maximum length between end devices

This information is used to determine where a collision can reasonably be expected to occur in a worst case scenario in your specific network. For example: If your maximum latency is 300 meters (includes delay in hubs and all equipment), would you expect to see a collision 20 bytes into the frame?

On thick Ethernet, 1 bit = 23 meters. 300 meters total, 300 divided by 23 = approx. 13 bits. Multiply by 2 for the round trip. [(300 / 23) = 13] x 2 = 26 bits. A collision in a network with latency equivalent to 300 meters should never occur past bit number 26, still within the preamble. Collisions that occur past this point are the result of defective hardware somewhere in the network. (This information is taken from the 1992 edition of the 802.3 specification.)

On twisted pair Ethernet, the maximum cable length from hub port to transceiver is 100 meters (200 meters from end device to end device). [(200 / 17.7) = 11.3] x 2 = ~23 bits. In twisted pair, then, a collision should never occur beyond bit number 23. You should not see a collision past the preamble.

Slide Title: So, How Long is a Bit?
Important Points to Cover:

Our favorite slide. (Lightbulb goes on.) The pictures you see of a tiny frame on a big network are all wrong. The frame quickly envelops the entire cable segment, thus collisions are much more rare than you have been led to believe.
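The bit-length arithmetic from the slide and notes above, carried across all five media, as an added Python example (not part of the course material). The function names, the 64-bit preamble constant and the sample collision offsets are assumptions made for the illustration.

```python
import math

# Propagation speeds (km/sec) as listed on the signal-propagation slide.
SPEED_KM_S = {
    "thick coax": 231_000,
    "thin coax": 195_000,
    "AUI": 195_000,
    "fiber": 198_000,
    "twisted pair": 177_000,
}
BIT_RATE = 10_000_000   # 10 Mbps Ethernet
PREAMBLE_BITS = 64      # preamble plus start delimiter (assumed reference point)
JAM_BITS = 32           # jam / fragment extension discussed on the slide


def bit_length_m(medium, bit_rate=BIT_RATE):
    """Metres of cable occupied by one bit on the given medium."""
    return SPEED_KM_S[medium] * 1000 / bit_rate


def jam_extent_m(medium, bits=JAM_BITS):
    """Metres of cable kept busy by a jam of `bits` bits."""
    return bits * bit_length_m(medium)


def latest_collision_bit(path_m, medium):
    """Round trip of the path expressed in bits, rounded up.

    A sender cannot legitimately see a collision after this bit.
    """
    return math.ceil(2 * path_m / bit_length_m(medium))


def classify_collision(offset_bits, path_m, medium):
    """Label an observed collision by how far into the transmission it fell."""
    limit = latest_collision_bit(path_m, medium)
    if offset_bits <= limit:
        where = "preamble" if offset_bits <= PREAMBLE_BITS else "frame"
        return f"expected (within the {limit}-bit round trip, in the {where})"
    return f"late (past bit {limit}): suspect hardware or an over-length path"


# Constructed observations: (collision offset in bits, path in metres, medium).
SAMPLE_COLLISIONS = [
    (12, 300, "thick coax"),
    (20 * 8, 300, "thick coax"),   # the "20 bytes into the frame" question
    (20, 200, "twisted pair"),
    (40, 200, "twisted pair"),
]


def report(observations=SAMPLE_COLLISIONS):
    """Return one classification line per observation."""
    return [
        f"{medium:12s} {path:4d} m  bit {offset:3d}: "
        + classify_collision(offset, path, medium)
        for offset, path, medium in observations
    ]


if __name__ == "__main__":
    for medium in SPEED_KM_S:
        print(f"{medium:12s} bit = {bit_length_m(medium):5.1f} m, "
              f"32-bit jam = {jam_extent_m(medium):6.1f} m")
    print("\n".join(report()))
```

Rounding the round trip up reproduces the notes' limits of bit 26 for a 300 meter thick coax path and bit 23 for a 200 meter twisted pair path.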

Historical IEEE 802.3 Maximum Topology (5-4-3 Rule)
3-29
[Figure: Station 1, Segment 1, Repeater Set 1, Segment 2, Repeater Set 2, Segment 3, Repeater Set 3, Segment 4, Repeater Set 4, Segment 5, Station 2]

• The maximum transmission path permitted between any two stations is five segments and four repeater sets
• Of the five segments, a maximum of three may be coax segments, the remainder are link segments
• A coax segment is a cable terminated at both ends in its characteristic impedance, with a maximum end-to-end propagation delay of 2165 ns for 10BASE5 and 950 ns for 10BASE2
• A point-to-point link segment is a non-coax segment, terminated in a repeater set at each end, with a maximum end-to-end propagation delay of 2570 ns. A 10BASE-T connection between a hub and station is also considered a point-to-point link
• If there are no link segments on a transmission path, there may be a maximum of three coax segments on that path given current repeater technology

This information is taken from the 1992 edition of the 802.3 specification. Maximum end-to-end propagation delay is derived by dividing the maximum length by the speed. See previous page for speed. For thick coax, this is 500 m divided by 231,000 km/sec = 2165 nanoseconds. For thin coax, this is 185 meters divided by 195,000 km/sec = 950 nanoseconds. Each tap and each device adds additional delay, so the total network must not introduce more than 51.2 microseconds of delay. Cable lengths are modified and delay characteristics are calculated to obtain the maximum topology rules. Even though these rules are specified for coax cable, the 5-4-3 rule still applies to the newer fast technologies.

Slide Title: Historical IEEE 802.3 Maximum Topology (5-4-3 Rule)
Important Points to Cover:

These rules are derived from the collision domain concept. They are taken directly from the IEEE specs that have been in place for many, many years. Explain the 5-4-3 rule so they understand it fully.

The slide is a lead-in to the new concept of transmission models explained on the next pages. The newer transmission models 1 and 2 slides have been moved to the Optional Technologies section since most people are not using equipment where it is important. You can still go there to show them if you think a student needs them for clarification.

Minimum Frame Length Determination
3-30
[Figure: Station 1, Station 2 and Station 3 on a path of Segments 1 to 5 joined by Repeater Sets 1 to 4]

• The minimum length for an Ethernet frame is 64 bytes or 512 bits. This is based on the round-trip propagation delay on a frame for the worst-case scenario
• Station 1 transmits to adjacent Station 2 on Segment 1
• Station 3 just misses hearing Station 1’s transmission and also transmits. Station 3’s transmission collides with Station 1’s transmission
• The damaged frame travels back down the network to inform Station 1 that a collision has occurred. This takes approximately 50 microseconds or 500 bit times
• The minimum frame length is defined such that the:
– Message from Station 1 is long enough so that Station 1 is still sending when the collision is detected
– The resulting runt message from Station 1 is short enough such that Station 2 (the receiver) can throw out the message on the basis of it being too short (less than 64 bytes)

The node needs to know it had a collision, so the damaged frame can be resent at the MAC level. Retransmitting at the MAC level is very fast: within microseconds. A retransmission at the LLC level takes a few milliseconds. A retransmission at upper-layers can take a few seconds per frame.

Slide Title: Minimum Frame Length Determination
Important Points to Cover:

These rules are derived from the collision domain concept.

So How Does this Apply to TP?
3-31
[Figure: segments 1 to 5 joined by repeaters R1 to R4 (hubs or concentrators), annotated “Populating one of these repeaters would break the rule”]

• The frames must be long enough so that stations 1 and 5 are still transmitting when the collision signal gets back to them
• Count the repeaters between the furthest end stations to ensure you have not broken the 5-4-3 rule

A "collision domain" is defined as the physical area within which a collision is propagated. Repeaters propagate everything, even bad frames.

Slide Title: So How Does This Apply to TP?
Important Points to Cover:

New Slide. Automated build slide. Shown to emphasize that hubs / concentrators must follow the 5-4-3 rule. It’s easy to inadvertently break the rule when you have them all stacked in racks in a wiring closet. Perhaps they should label the devices so unused ports are not used incorrectly.

Is this a Valid Application of 5-4-3?
3-32
[Figure: six ACME 10BASE-T Concentrators]

Slide Title: Is This a Valid Application of 5-4-3 with 10BASE-T?
Important Points to Cover:

Yes. This is a 10BASE-T network with a 3-level cascade. The topmost concentrator serves as the “backbone” to the other hubs. The middle-end hubs are populated, whereas the middle-center hub is not: it is a link segment to the two lower populated hubs. Note that no frame needs to traverse more than 5 segments or 4 repeaters (hubs) to its destination. This is the recommended configuration by the 10BASE-T vendor SMC. Follow the path of every station to ensure that it obeys the 5-4-3 rule.

The development of the 5-4-3 rule can be summarized as follows.

(1) The length of any given segment of a network is limited by the electrical and physical properties of the cable type employed. The primary characteristic is the rate of attenuation over a given length of the cable. For example, for thick coax, 500 meters is considered to be the maximum length over which we can transmit a signal while ensuring that the signal does not attenuate or otherwise degrade to the point of being unacceptable to a receiver.

(2) Based on section 13.4.2 of the 802.3 specification, the number of repeaters that can be used is limited by the potential for shrinkage of the interframe gap. Specifically the IEEE specifications say, "The worst-case variabilities of transmission elements in the network plus some of the signal reconstruction facilities required in the 10 Mbps baseband repeated specification combine in such a way that the gap between two packets travelling across the network may be reduced below the interframe gap specified in section 4.4.2.1. This parameter limits the equipment (i.e., number of repeaters) between any two DTEs." If the interframe gap is reduced, the potential for misinterpretation of frames increases. Shrinkage of the gap will likely prevent receiving network interfaces from having sufficient time to perform housekeeping functions such as posting interrupts, managing the buffer, and updating statistical counters.

(3) Knowing the facts as given in (1) and (2) above, we can now see how the minimum frame length of 64 bytes was calculated. We have segments of 500 m due to the signal characteristics of the cable. We can have a maximum of 4 repeaters and, therefore, 5 segments between any two stations. This creates a maximum topology as described in the text. Then, knowing that we must guarantee collision detection while the stations participating in the collision are still transmitting, we must specify a minimum frame length of 64 bytes due to the inherent normal propagation delay of the maximum topology size described above, etc.
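The notes above say to follow the path of every station; as an added example (not part of the course material), the Python below does that count over a topology table. The hub and station names and the `check_543` helper are constructed for illustration, and the sample layout is modelled on the three-level cascade the notes describe.

```python
from collections import deque
from itertools import combinations

# Limits of the historical 802.3 rule as stated on the 5-4-3 slide.
MAX_SEGMENTS, MAX_REPEATERS, MAX_COAX = 5, 4, 3


def build_graph(segments):
    """Map each device to (segment, neighbour) pairs.

    segments: {name: (kind, [devices])}, where kind is "coax" or "link".
    """
    graph = {}
    for name, (_kind, devices) in segments.items():
        for a in devices:
            for b in devices:
                if a != b:
                    graph.setdefault(a, []).append((name, b))
    return graph


def path_segments(graph, src, dst, repeaters):
    """Breadth-first search for the segments crossed from src to dst.

    Only repeaters forward a signal; other stations are never transited.
    """
    queue, seen = deque([(src, [])]), {src}
    while queue:
        node, crossed = queue.popleft()
        for seg, nxt in graph.get(node, []):
            if nxt == dst:
                return crossed + [seg]
            if nxt in repeaters and nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, crossed + [seg]))
    return None


def check_543(segments, stations, repeaters):
    """Return (a, b, segments, repeaters, coax) for each pair breaking the rule."""
    graph = build_graph(segments)
    violations = []
    for a, b in combinations(sorted(stations), 2):
        crossed = path_segments(graph, a, b, repeaters)
        if crossed is None:
            continue
        n_rep = len(crossed) - 1          # one repeater joins each pair of segments
        n_coax = sum(segments[s][0] == "coax" for s in crossed)
        if (len(crossed) > MAX_SEGMENTS or n_rep > MAX_REPEATERS
                or n_coax > MAX_COAX):
            violations.append((a, b, len(crossed), n_rep, n_coax))
    return violations


def links(*pairs):
    """Build point-to-point link segments (10BASE-T) from device pairs."""
    return {f"{a}-{b}": ("link", [a, b]) for a, b in pairs}


# Constructed sample: topmost hub as backbone, three middle hubs, two lower hubs.
HUBS = {"top", "mid_left", "mid_center", "mid_right", "low_a", "low_b"}
STATIONS = {"pc1", "pc2", "pc3", "pc4"}
CASCADE = links(
    ("top", "mid_left"), ("top", "mid_center"), ("top", "mid_right"),
    ("mid_center", "low_a"), ("mid_center", "low_b"),
    ("mid_left", "pc1"), ("mid_right", "pc2"),
    ("low_a", "pc3"), ("low_b", "pc4"),
)

# One more hub hung below low_a: a fourth level that over-extends the path.
EXTENDED = {**CASCADE, **links(("low_a", "extra"), ("extra", "pc5"))}

if __name__ == "__main__":
    print("cascade :", check_543(CASCADE, STATIONS, HUBS))
    print("extended:", check_543(EXTENDED, STATIONS | {"pc5"}, HUBS | {"extra"}))
```

The three-level cascade reports no violations, while the extra hub puts pc5 six segments and five repeaters away from pc1 and pc2.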

Exercise: Cable Specifications
3-33
Turn to the lab section to complete this exercise. Use the diagram on the next page as a reference to the network layout

Slide Title: Exercise: Cable Specifications
Important Points to Cover:

Use the instructor notes in the back of the instructor manual to review the exercise. Go over the diagram on the next page before they begin.

Exercise: Cable Specifications
3-34
[Figure: Network Diagram. Node 1 WstDig178C4, Node 2 WstDig96EC2, Node 3 Sniffer, File Server COFFEE.1 WstDigFF965F, Bridge, Hub 1 to Hub 6; cable labels: UTP, “?? coax”, Thin Ethernet RG58 coax, 50 meters]

Slide Title: Exercise: Cable Specifications-network diagram
Important Points to Cover:

Review the network configuration. Note that the picture is not complete. In the actual trace, there probably were other stations on the thin Ethernet. The Sniffer analyzer was connected somewhere near the end of the thin Ethernet. (Otherwise the Sniffer technician probably would have noticed the ARCNET cable!?!) We don’t know exactly what was on the other side of the bridge shown on the left. Client addresses in the trace all exist off of the Concentrator with the Server Coffee.1.

Originally the Sniffer analyzer was placed at the end of the topology and saw no errors. For example, the Sniffer analyzer was placed at the junction and saw errors. The node was moved to the end of the topology and worked without incident.

Since the transmission model slides were moved to the back, you will probably not cover this with the class. The calculations are left here just in case you need them. To calculate the PVV, we calculate from right to left:

[Diagram: N N FS B N S over H H H H H H, 50 meters]
8+8+8+8+8+16 = 56

This does not exceed the delay, but it is higher than the 49 PVV allowed in Model 2.

Degree of Degradation
3-35
• Ethernet retransmission occurs, typically, within a few hundred microseconds
• Type II LLC retransmissions may occur within milliseconds
• Transport layer retransmissions may occur within seconds
• Application layer retransmissions may occur within tens of seconds
• User programs may wait minutes before timing out
• Conclusion: The higher the layer responsible for retransmission, the longer the user has to wait

Slide Title: Degree of Degradation
Important Points to Cover:

Important concept. Physical layer recovery is fast. Each layer higher takes more time to recover from an error.

4mS later. 955: pc150 times out after request is unanswered and ARPs for natco-4 26.2mS later. Application Layer Retransmissions 943: NFS request.ENC. 952: Frame 951 is collided and is retransmitted 50mS later.4 seconds before the user application gives up and ARPs to see if its server is still alive. At the time that the trace was taken. and 26.3mS later.2mS later. The Truncated Binary Exponential Backoff Algorithm (progressively larger multiples of the slot time) is demonstrated in frames 945 to 952: the random backoff timer is lengthening until the first good request in frame 952. 946: Frame 945 is collided and is retransmitted 0.7s later. The NFS retransmissions occur at 0. 3s.6mS later. Network Associates was using an adapter which was incapable of counting or flagging frames as collided. 12. Once NFS retransmits in frame 953. 953: Unanswered request (952) is retransmitted 12. 954: Frame 953 is collided and is retransmitted 0. The client NFS request to look up the file wp50 in the directory handle E71D is retransmitted four times without answer for a total of 43.3mS later. Note that all frames with a CRC flag are actually collided. 944: Unanswered request (943) is retransmitted 0.2mS later. 949: Frame 948 is collided and is retransmitted 2. Trace file FRAGS.3s later.Sniffer University 3-36 MAC Layer vs. 948: Frame 947 is collided and is retransmitted 0. 951: Frame 950 is collided and is retransmitted 11.2s. we see the algorithm start over again at the beginning.8s or so. 945: Unanswered request (944) is retransmitted 3s later. 950: Frame 949 is collided and is retransmitted 24. © Network Associates Ethernet Network Analysis and Troubleshooting Ethernet Physical and Data Link Layers .7s. which is collided. when the client finally gives up.9s later. 947: Frame 946 is collided and is retransmitted 0.

Slide Title: MAC Layer vs. Application Layer Retransmissions
Important Points to Cover: Retransmission timer as revealed in the Sniffer Pro analyzer screens.
Demo: FRAGS.CAP Frames 945-952 show the retransmission timer in action.

3-37 Summary
In this section, you learned how to:
• Describe the access method used in Ethernet
• Discuss the responsibilities of the MAC layer
• Differentiate the various types of Physical Layer devices
• Explain the importance of the physical size limitations of the Ethernet networks
• Ensure the physical characteristics of the Physical Layer have not been extended beyond the specifications

Slide Title: Summary
Important Points to Cover: Wrap up the section by reviewing the objectives and answering any questions the students may have.
Target Time: End of Day 1. Go further if you can, since the stuff that’s coming is what they want to hear.


4-1 Troubleshooting Methodologies

Section 4 – TNV-202-GUI Ethernet Network Analysis and Troubleshooting
Slide Title: Troubleshooting Methodologies Section 4
Section Timing:
Start: Day 2 Beginning of the day
Finish: Day 2 Late morning if possible!
Important Points to Cover: Section 4 title slide only.
Files: 04_tbls_g.PPT 04_tbls_g.DOC
Traces: HUBPORT1.cap HUBPORT2.cap BADCABLE.CAP BAD03.CAP Badcrc.CAP Badcrc-1.CAP FRAGS.CAP 01.CAP 05.CAP 06.CAP 16.CAP 17.CAP 19.CAP 20.CAP 21.CAP (was GIANT.ENC)
Exercises: Optional- Hubports More Problems Test Your Skill Errors Evaluating Hub Jams Ethernet Physical Errors
Modifications were made for the new software version. Some answers have changed. Be sure to review them before you teach! There are too many to do all and have time to cover the newer technologies. Choose those you feel will meet your student’s needs.

4-2 Section Objectives
Upon completion of this section, you will be able to:
• Recognize and isolate failures in the network using the Sniffer Pro Network Analyzer
• Examine Monitor Statistics to determine whether there are problems
• Use the Expert symptoms and diagnoses to get the details
• Gather Monitor statistics for trend analysis and baselining

Slide Title: Section Objectives
Important Points to Cover: State the objectives. This section is just troubleshooting with lots of suggestions and practice.

4-3 Capturing Error Frames
• You must use NAI-supported adapters with enhanced drivers to observe and capture physical error frames
– NAI-21140UC
• Adaptec (Cogent) ANA-6911A/TX PCI
• Adaptec (Cogent) ANA-6911A/TXC PCI
– Xircom CBE-10/100 BTX CardBus
– Xircom CBE2-10/100 BTX CardBus

Slide Title: Capturing Error Frames
Important Points to Cover: New Slide. Use this slide to emphasize they need to use NAI supported cards and drivers in order to capture the error frames. These cards capture both 10 and 100 Mbps networks.

4-4 Analyzing the Ethernet Physical Layer
• Frame Corruption
– Collisions
– Propagation delay
– Reflected signals
– Electrical noise
– Hardware failure
• With any of these problems, users will see decreased performance due to multiple frame retransmissions

Slide Title: Analyzing the Ethernet Physical Layer
Important Points to Cover: Look for evidence of these in the Sniffer Pro analyzer.

4-5 Some Guidelines
The IEEE specifications stipulate that the Bit Error Rate (BER) should not exceed 10⁻⁸ in worst case. This translates to a frame loss rate of 10⁻⁷. A typical LAN 10Mbps segment should have a BER of 10⁻¹¹ or better.
• More than one bad frame per Mbyte of data deserves attention
• Any unexplained change in the baseline deserves attention
• More than 1% Error Rate deserves attention

Slide Title: Some Guidelines
Important Points to Cover: These are important guidelines for determining when they need to act. Be sure to cover these, since these are important CNX numbers they need to know. CNX guidelines do not allow you to specifically state that this is a CNX concept, however, so do not say this is on the test! We have met the requirement that it is documented in the course materials.

4-6 Fast Transmit Adapters
• Some adapters start transmitting before the entire frame has arrived in their transmit buffer
– If the remainder of the frame has not arrived when the first part is on the wire, it just quits transmitting, leaving the short incomplete frame on the wire
– Since it has no CRC, the Sniffer calculates the CRC based on the last 4 bytes and shows a CRC error
– The adapter waits for carrier to drop and 96 bit times to elapse before it sends the complete frame
• Do not count these incomplete bad CRC frames in the 1 bad frame /MB calculation
[Diagram: Frame from upper layer, Transmit Buffer, Partial frame on the wire (CRC Error!), Complete frame on the wire]
The name depends on the vendor. The adapter may also be called a parallel tasking adapter.

Slide Title: Fast Transmit Adapters
Important Points to Cover: This is a new slide that discusses the effect of “fast transmit” or “parallel tasking” adapters. (They may be known by other vendor-specific names) It is a build slide that is partially timed and partially relies on mouse clicks. The slide is pretty self-explanatory and should help you explain away some of the false CRC errors the Sniffer reports.

4-7 Troubleshooting Tip
• It is always easier to identify what is wrong if one knows how it is supposed to work
• One recommendation would be to capture an example of “how it looks” when the network is working
• Save the captured data to a file
• When the network stops working, capture another snapshot and compare the working scenario with the nonworking scenario
• Then simply identify what is different between the two examples

Slide Title: Troubleshooting Tip
Important Points to Cover: Student notes and slide are adequate.

4-8 Divide and Conquer
• All speeds of half-duplex Ethernet are contention-based
• Because of its nature, we are still troubleshooting Ethernet with the “Binary Search” method
• Divide the domain in half. Which half does the problem follow?
– This is still valid for star networks
• We could always use a network map!
[Diagram: network divided in half, each half labeled “Problem?”]
Some hubs will autopartition devices out of the network that have too many bad CRCs or if they are jabbering. You can also look at the hub with a solid activity light. That usually indicates problems.

Slide Title: Divide and Conquer
Important Points to Cover: This is an automated build slide. It’s an old method “tried and true” on bus topology Ethernet. It still works on star configurations, too. A star configuration should prompt a discussion about hubs and switches, too. A blinking light on the hub/switch is there to remind you to talk about autopartitioning hubs and looking at the lights in the wiring closet for lights that are abnormal. Of course, managed hubs and switches provide a lot of information to the management software, so this may be a last resort technique. Not all hubs and switches support them, but they need to know which is supported on their equipment and use those clues. Be sure to mention the student notes topics, too.

4-9 Exercise: Hubports
Turn to the lab section to complete this exercise. Use the diagram on the next page for reference

Slide Title: Exercise: Hubports
Important Points to Cover: Use the diagram on the next page to introduce this exercise.

4-10 Exercise: Hubports Continued
[Network Diagram: 10BASE-T Hub; Hubport1: known good port; Hubport2: suspect port; NetWare client: Novell~FAA; NetWare file server: 3Com~704; NetWare client: 3Com~F91]
• The user’s PC was replaced by a Sniffer. The same cable connecting the PC was used
• Another Sniffer is plugged into a known good port. Both Sniffers were capturing simultaneously
1) The network is broadcast-oriented: every node hears everything on the wire, including bad or collided frames.
2) Communication is half-duplex and asynchronous in nature: each node must wait until the wire is quiet before accessing the network.
3) Although the network is physically wired as a star, it is still logically a bus.

Slide Title: Exercise: Hubports Diagram
Important Points to Cover: Give the background information before the students begin the exercise. They may not catch all the clues, but that’s the fun of the exercise.
[Diagram: 10BASE-T Hub with NetWare clients, NetWare file server, and Sniffer analyzer on the suspect port]

4-11 Legal Collisions
• Collision occurs within the first 512 bits (64 bytes) of data
• Preamble collisions have no recoverable frame data
• Typical collisions occur within the first 48 bytes of data
• Sniffer Pro Analyzer needs to see 96 bits to capture the frame, otherwise it just increments the collision counter
– This includes the preamble and the first bytes of the destination address
– 64 bits of Preamble, 32 bits of the destination address
• Networks up to 37% sustained utilization are often very “clean”

Slide Title: Legal Collisions
Important Points to Cover: These collisions are a normal part of Ethernet.
Sniffer adapters: The Sniffer Network Analyzer uses two basic types of adapters:
Those that can report collisions. The adapter senses that a collision has occurred and marks the frame with an “x.”
Those that do not report collisions. Sniffer Pro software uses a “soft collision” counter. If the packet is analyzed and has a CRC error and the last 2 bytes of the packet are 0xAAAA or 0x5555, then the packet is considered to be a soft collision.

4-12 Normal Collisions
• Preamble collisions are not captured
• Local coax collisions do not have AAs or 55s in the data
• Remote collisions show AAs and 55s in the data field inserted by the repeater
• They may be labeled collision fragments or runts
Runts
Preamble  D Addr  S Addr  Tp/Ln  Headers  Data    CRC
8         6       6       2      varies   varies  4

Slide Title: Normal Collisions
Important Points to Cover: New slide. Screen shot showing a normal collision. It is labeled as a collision fragment in the Detail window. This is from 01.CAP

4-13 Late Collisions
• On coax, the signal becomes much more negative when the collision occurs. The squelch filter drops this signal, so you see good data then nothing.
• On UTP repeated sections, look for evidence of jam from the repeater after 60₁₀ bytes
– Either aa aa aa aa... or 55 55 55 55 …
– 101010101010 is aa aa aa, 010101010101 is 55 55 55
– 64 byte minimum minus the 4 byte CRC
– 60₁₀ = 3D₁₆
Late Collisions
Preamble  D Addr  S Addr  Tp/Ln  Headers  Data    CRC
8         6       6       2      varies   varies  4

Slide Title: Late Collisions
Important Points to Cover: This is a screen capture that “draws the line” in the hex window to show where the dividing line is between a normal and late collision. This should help you in teaching them how to determine when the collision was too late. The Expert gives a symptom that indicates when it has seen a collision after the 64th byte when the frame meets certain criteria. 17.cap has a lot of collisions, some are marked as occurring after the 64th byte. Badcrc.cap has a late collision in frame 6 way out at offset 38F, but it must be beyond what the Sniffer uses to call a late collision. There are no AAs or 55s in the hex data, so it was captured on a local coax segment.

4-14 Rogue Nodes or Bad Hubs
• Rogue nodes with “hearing problems” may think the wire is quiet when they send their frame in the middle of someone else’s frame
• Bad hubs can also cause late collisions
• Calculate the math pertaining to network size
– If collisions are occurring well beyond where they should be, suspect a rogue node or bad hub

Slide Title: Rogue Nodes or Bad Hubs
Important Points to Cover: New Slide. This slide was suggested by Don Prefontaine. Thanks, Don! Sniffer recognizes when a collision occurs too late and shows it in the Expert and on the Summary and Detail panels in the decode window. 05.cap and 04.cap both have frames marked as “collision after 64 bytes”.

4-15 Propagation Delay Problems
• Propagation delay is part of normal communications
– Example: a signal sent from the Moon takes 1.29 seconds to reach Earth
• Excessive propagation delay causes corruption
• Corruption is random
– Size of corrupted frame is random
– Victim (source) is random, but skewed by participation
• Corruption typically occurs before the 64th byte
– This is NOT an absolute rule
• Cause: Cable is too long, or out of spec, or there are too many repeaters or hubs
– The faster technologies have shorter cable specifications and require high quality cables; old legacy cables may have been overlooked and are still in use
FRAGS.ENC shows an example of propagation delay. Filter out the good frames and turn off symptoms. Look at frames 958-964 in the hex panel.

Slide Title: Propagation Delay Problems
Important Points to Cover: Important skill which allows you to know what may have caused the corruption the Sniffer analyzer is showing.

4-16 Excessive Propagation Delay
• Users at end of topology may have more problems than other users
• Sniffer Pro Analyzer sees:
– “Physical errors” symptoms or diagnoses
– Damaged frames (CRC errors)
– Only a few runts (many frames will be legal minimum length)
– Collision counter will be high if cable is too long
• May not be high if collisions are across a repeater
• Examine frames for “Collision data” visible at end of frame
– aa aa aa… or 55 55 55...

Slide Title: Excessive Propagation Delay
Important Points to Cover: Important skill which allows you to know what may have caused the corruption the Sniffer analyzer is showing.

4-17 Signal Reflection Problems
• These problems occur on all media.
• Corruption is non-random
– Frames are corrupted by their own reflected preamble
• A victim node’s frame will typically be corrupted at the same offset
– Corruption often occurs prior to the 32nd byte (32₁₀ = 1F₁₆)
– Collision data may be visible
• If signal reflection is suspected, the best way to examine it is to examine the coax segments with a Time Domain Reflectometer (TDR)
[Diagram: Transmit; Sniffer Pro sees CRC errors, collision data]
Signal reflection problems occur everywhere on every medium. They are easy to detect on coax, but are not seen in UTP frames because the adapter does not see them. On coax, one pair is used for both transmission and reception. On UTP, one pair is for transmission and the other is for reception. That means that a node cannot see what it is transmitting. They cannot be observed on UTP because, unlike coax, a node cannot “see” the bits it is transmitting. When a node sends bits to a hub, the hub repeats it out all ports except the one it received on. It does not do current sensing, voltage sensing, and Manchester encoding detection like it can with coax. It is simply looking for link pulse to know if the link is still there. Reflections are also the result of poor termination or no termination. If the UTP cable is flexed too much, it can create a “near open” (resistance too high, exceeds the 110 ohms or 130 ohms of normal termination) that will not pass enough current, thus creating a signal reflection. If a hub uplink or switch uplink is not working properly, change the cable to a known good cable and test again. A TDR will tell you if the cable is good, bad, or ugly.

Slide Title: Signal Reflection Problems
Important Points to Cover: Important skill which allows you to know what may have caused the corruption the Sniffer analyzer is showing. Important point: This shows up almost exclusively in coax Ethernet, so you can skip it if no one has it anymore. You may want to discuss some of the things that may show up in the Sniffer’s hex window. There may be reflected preamble in the frame. It is doubtful that you would see any of the destination address folding back. Of course, where the Sniffer was attached in relation to the open cable and where the transmitting station is located directly affect it. The diagram is automated.

4-18 Electrical Noise Problems
• Users see intermittent disconnections and problems connecting to network services
• Sniffer Pro Analyzer sees:
– “Physical errors” symptoms or diagnoses
– Damaged frames resulting in CRC errors
– The frames are the “right” size but have incorrect data, maybe only one or a few bits got changed
– Not many more runts or collisions than baseline
• Cause:
– Radio Frequency Interference (RFI)
– Electromagnetic Interference (EMI)
– Poor quality cabling not meant for high speed data transmission
[Diagram: Transmit; Sniffer Pro sees CRC errors]

Slide Title: Electrical Noise Problems
Important Points to Cover: Review quickly. The diagram is automated.

4-19 Troubleshooting Electrical Noise
• Corruption is random
• No collision data is visible
– This is an absolute!
• Noise typically has no effect on frame length
• Worst case scenario:
– If the damaged frame is greater than 64 bytes, it will appear as a CRC or Alignment in the status field
– If the damaged frame is less than 64 bytes, it will appear as a Runt or Fragment in the status field
– Noise disrupts the clock, adapter thinks the frame ended

19 . Page 4 .Section 4 – TNV-202-GUI Ethernet Network Analysis and Troubleshooting Slide Title: Important Points to Cover: Troubleshooting Electrical Noise Student notes and slide are adequate.

4-20 Hardware Problems / Issues
• Corruption can look like all the other types of physical errors
• Typical evidence is too many bytes
– Much more than 8 bytes of corrupted data
• Corrupted data may resemble preamble sequence of AAs and 55s
• Could be a jabbering transceiver or NIC
– The 802.3 specification states that a transceiver should contain a self-interrupt capability to inhibit a station from sending for more than 150 milliseconds. The Ethernet V1 and V2 specifications did not have this feature
• A managed hub will autopartition the port out quickly
– An unmanaged hub waits until it misbehaves for .25 to .75 s
– The port LED will flash and Sniffer shows chronic errors
A hardware card that is jabbering can jabber with preamble sequence or all ones.

Slide Title: Hardware Problems / Issues
Important Points to Cover: Student notes and slide are adequate.

4-21 Jabbering NIC
• Lots of ones or zeros that seem to go on forever

Slide Title: Jabbering NIC
Important Points to Cover: New slide. Screen shot showing jabber in a frame. This shot was taken from jabtest.enc from HQ engineering. It may have been created, but it meets the Expert’s criteria for jabber as you see on the screens. Warning, the Jabber.cap file we previously used for jabber may not actually show jabber. The Expert doesn’t label it that way and you will see the same pattern of bits in the frame that was retransmitted and others around it.

4-22 Sniffer Pro Ethernet Error Analysis
Columns: Sniffer Label, Frame Size, Error patterns, Probable Causes
Sniffer labels and frame sizes:
# Collision: 64 bytes or greater, N/A (Truncated)
CRC: >64 bytes
Runt: <64 bytes
Fragment: <64 bytes
Jabber: May be any size
Oversize: >1514 bytes
Alignment, # Alignment: <64 bytes, >64 bytes
Error patterns and probable causes:
• Representative of late collisions on coaxial media. Frames will be truncated.
• No specific pattern. Most commonly caused by noise or hardware, especially damaged or improperly installed wiring.
• May contain the AA/55 pattern, usually from 8 – 12 bytes.
• May contain the AA/55 pattern, from 8 – 12 bytes, or greater amount.
• Runts have the same causes as Alignments. Handle the same as Alignments.
• Fragments are defined as Runts with an invalid CRC.
• Greater than 12 bytes of AAs or 55s. Pattern will include lots of AAs and 55s. The pattern is important.
• The cause is hardware, usually a NIC or repeater.
• Hardware has failed and is streaming data. Managed hubs may permanently partition node streaming for more than 150ms, unmanaged hubs may not.
• Look for 8 to 12 bytes of AAAAs or 5555s. The data pattern is caused by the repeater jam signal. If not there, a jabbering NIC or repeater is most likely.
• Alignment errors with the AA/55 pattern are most often caused by normal collisions on UTP cable.
• If the AA/55 pattern exceeds 12 bytes, include propagation delay and hardware as causes.
• Causes include propagation delay or faulty hardware.
• If data length is greater than 64 bytes on any damaged frame, see comments.

Sniffer Pro Physical Error Descriptions
CRC Errors: A legal frame with a CRC error, a frame whose CRC does not agree with the actual bytes received
Short/Runt: A frame that is less than 60 bytes with a good CRC
Soft Collision: A runt frame with a CRC error and one of the following patterns in the last three bytes: 0X5555, 0XAAAA, 0X1A1A, 0XA1A1, 0X6868, 0X0D0D, 0X8989, 0X3434, 0X4343
Alignment: A frame with a dribbling bit set that is larger than 60 bytes with a CRC error or the frame contains a non-integer multiple of 8 bits
Jabber: A frame with a CRC error and size larger than 1514 bytes
Oversize: A frame with a good CRC and size larger than 1514 bytes
Fragment: A frame with a CRC error and size less than 60 bytes

Slide Title: Sniffer Pro Ethernet Error Analysis
Important Points to Cover: Review quickly. Do not attempt to read this fine print from the screen. Have them mark this page for future reference for labs and when they get back to the job.
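The Sniffer Pro Physical Error Descriptions above, together with the 8 to 12 byte jam rule and the 60-byte late-collision line from the earlier slides, written out as a classifier. This is an added example, not Sniffer Pro code or part of the course material. Assumptions: a frame is the captured bytes from destination address through the last 4 bytes, `dribble_bits` stands in for the adapter's dribbling-bit flag, sizes from 60 to 1514 bytes count as legal, and every sample frame is constructed.

```python
import zlib

MIN_LEN = 60     # smallest legal frame without the 4-byte CRC (64 - 4)
MAX_LEN = 1514   # largest legal frame without the CRC
# Two-byte patterns listed for a soft collision in the error descriptions.
SOFT_PATTERNS = [bytes.fromhex(p) for p in (
    "5555", "aaaa", "1a1a", "a1a1", "6868", "0d0d", "4343", "8989", "3434")]
NO_JAM, NORMAL, LATE, LONG_RUN = (
    "no jam pattern", "normal collision (repeater jam)",
    "late collision (jam at or after byte 60)",
    "more than 12 jam bytes: suspect jabber, propagation delay or hardware")


def fcs(data: bytes) -> bytes:
    """Ethernet frame check sequence: CRC-32, least significant byte first."""
    return zlib.crc32(data).to_bytes(4, "little")


def crc_good(frame: bytes) -> bool:
    """Treat the last 4 captured bytes as the CRC, as the analyzer does."""
    return len(frame) > 4 and fcs(frame[:-4]) == frame[-4:]


def classify(frame: bytes, dribble_bits: int = 0) -> str:
    """Label one captured frame using the physical error descriptions."""
    size = len(frame) - 4              # sizes in the descriptions exclude the CRC
    good = crc_good(frame)
    if size > MAX_LEN:
        return "Oversize" if good else "Jabber"
    if size < MIN_LEN:
        if good:
            return "Short/Runt"
        if any(p in frame[-3:] for p in SOFT_PATTERNS):
            return "Soft Collision"
        return "Fragment"
    if dribble_bits % 8:               # not a whole number of bytes
        return "Alignment"
    return "Good" if good else "CRC Error"


def longest_jam_run(frame: bytes) -> tuple:
    """Return (offset, length) of the longest run of repeated 0xAA or 0x55."""
    best, i = (0, 0), 0
    while i < len(frame):
        j = i
        if frame[i] in (0xAA, 0x55):
            while j < len(frame) and frame[j] == frame[i]:
                j += 1
            if j - i > best[1]:
                best = (i, j - i)
        i = max(j, i + 1)
    return best


def jam_verdict(frame: bytes) -> str:
    """Interpret the AA/55 run: 8 to 12 bytes is jam, more points at hardware."""
    offset, length = longest_jam_run(frame)
    if length < 8:
        return NO_JAM
    if length > 12:
        return LONG_RUN
    return LATE if offset >= MIN_LEN else NORMAL


def build(payload_len: int) -> bytes:
    """Constructed frame: broadcast destination, made-up source, valid CRC."""
    body = bytes.fromhex("ffffffffffff" "020000000001" "0800")
    body += bytes(i % 64 for i in range(payload_len))
    return body + fcs(body)


def flip_bit(frame: bytes, offset: int) -> bytes:
    damaged = bytearray(frame)
    damaged[offset] ^= 0x04            # one bit changed, as electrical noise would
    return bytes(damaged)


# Constructed samples, one per situation the section describes.
SAMPLES = {
    "good": build(46),
    "runt": build(20),
    "oversize": build(1586),
    "noise": flip_bit(build(46), 20),
    "collision": build(46)[:30] + b"\x55" * 12,
    "late collision": build(200)[:100] + b"\xaa" * 12,
    "fragment": build(46)[:25],
    "jabber": b"\xaa" * 1600,
}


def report() -> dict:
    return {name: (classify(f), jam_verdict(f)) for name, f in SAMPLES.items()}


if __name__ == "__main__":
    for name, (label, jam) in report().items():
        print(f"{name:15} {label:15} {jam}")
```

The noise sample keeps its legal length and shows no jam bytes, while the two collision samples differ only in where the jam run starts.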

4-23 Exercise: More Problems
Turn to the lab section to complete this exercise

Slide Title: Exercise: More Problems
Important Points to Cover: Tell the students whether to go on to this or wait for you to discuss the previous exercise.

4-24 Most Hubs Bit Jam on a Collision
• Per 802.3: If a collision is detected on any of the ports to which the repeater (hub) is transmitting, the repeater transmits a 96 bit Jam, such that the first 62 bits transmitted are a pattern of alternate 1s and 0s.
– The 96 bits is 12 bytes of 55 or AA, 4 from source collider, 4 from destination collider, and 4 bytes from the hub
[Diagram: hub with Sniffer Pro Analyzer attached]

Slide Title: Most Hubs Bit Jam on a Collision
Important Points to Cover: When the hub senses a collision, it sends a 96 bit jam out all of the ports.

4-25 Hub Jam Signatures
Look for AAAAAAs or 55555555s in the hex window

cap and busy-jam.25 . Both the Summary and Hex windows are shown so you can point out how the Sniffer shows in each panel. The screen shots are taken from 02. Page 4 . Two screen captures showing both 5s and As.Section 4 – TNV-202-GUI Ethernet Network Analysis and Troubleshooting Slide Title: Important Points to Cover: Hub Jam Sniffer Signatures New slide.cap.

4-26 Analyzing Collisions and Hub Jam
1-A collision occurs here
2-The hub propagates jam signals out to all devices
Sniffer Pro 1 sees a partial frame with jam bits
Sniffer Pro 2 sees a partial frame with jam bits
Sniffer Pro 3 sees a partial frame with jam bits
[Diagram: Collision, Jam, Repeaters]

Slide Title: Analyzing Collisions and Hub Jam
Important Points to Cover: New slide. This slide shows what you see in Sniffer screens in a hub-based network.

4-27 Frame Type Interoperability Problems
• User sees:
– Inability to connect to specific network services
• Sniffer Pro Analyzer sees:
– No more error frames than usual
• Examine frames to see:
– If the user’s system is using Ethernet frame format and the network service IEEE 802.3 frame format (or vice versa)
– If the user’s system is using SNAP frame format while the network service is not (or vice versa)
• Cause:
– Driver software configured incorrectly
– Some implementations support only Ethernet or only IEEE 802.3
If the network is not experiencing physical layer problems, verify the frame types being used by both communicating parties.

Slide Title: Frame Type Interoperability Problems
Important Points to Cover: Review quickly.
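One way to verify the frame types used by both communicating parties, as the slide above recommends. This is an added example, not part of the course material or of Sniffer Pro. Assumptions: frames start at the destination address, the station addresses and the capture are constructed, and the samples carry no padding or CRC.

```python
from collections import defaultdict


def frame_type(frame: bytes) -> str:
    """Name the frame format from the type/length field and the 2 bytes after it."""
    if len(frame) < 16:
        raise ValueError("need at least 16 bytes: addresses, type/length, 2 data bytes")
    type_len = int.from_bytes(frame[12:14], "big")
    if type_len >= 0x0600:             # 1536 and above is an Ethernet type value
        return "Ethernet II"
    if type_len > 1500:                # neither a valid length nor a type
        return "invalid type/length"
    following = frame[14:16]
    if following == b"\xff\xff":       # no 802.2 header, data starts with FFFF
        return "802.3 raw"
    if following == b"\xaa\xaa":       # DSAP and SSAP of AA announce SNAP
        return "802.3 SNAP"
    return "802.3 with 802.2"


def types_by_station(frames) -> dict:
    """Map each source address to the set of frame formats it transmits."""
    seen = defaultdict(set)
    for frame in frames:
        seen[frame[6:12]].add(frame_type(frame))
    return dict(seen)


def common_formats(frames, a: bytes, b: bytes) -> set:
    """Formats both stations transmit; an empty set means they cannot talk."""
    seen = types_by_station(frames)
    return seen.get(a, set()) & seen.get(b, set())


# Constructed addresses and payload (an IPX header begins with checksum FFFF).
CLIENT = bytes.fromhex("020000000001")
SERVER = bytes.fromhex("020000000002")
BROADCAST = b"\xff" * 6
IPX = b"\xff\xff" + bytes(28)


def raw_8023(dst: bytes, src: bytes, data: bytes) -> bytes:
    return dst + src + len(data).to_bytes(2, "big") + data


def ethernet_ii(dst: bytes, src: bytes, ethertype: int, data: bytes) -> bytes:
    return dst + src + ethertype.to_bytes(2, "big") + data


def snap(dst: bytes, src: bytes, ethertype: int, data: bytes) -> bytes:
    header = b"\xaa\xaa\x03" + b"\x00\x00\x00" + ethertype.to_bytes(2, "big")
    return raw_8023(dst, src, header + data)


# Constructed capture: the client only sends 802.3 raw, the server never does.
CAPTURE = [
    raw_8023(BROADCAST, CLIENT, IPX),
    raw_8023(BROADCAST, CLIENT, IPX),
    ethernet_ii(BROADCAST, SERVER, 0x8137, IPX),
    snap(BROADCAST, SERVER, 0x8137, IPX),
]

if __name__ == "__main__":
    for station, formats in types_by_station(CAPTURE).items():
        print(station.hex(), sorted(formats))
    print("in common:", sorted(common_formats(CAPTURE, CLIENT, SERVER)) or "none")
```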

4-28 Check Dashboard Statistics
• Look here for indications of high utilization and errors

Slide Title: Check Dashboard Statistics
Important Points to Cover: The following screen shots enable you to discuss the areas of Sniffer Pro that help them to troubleshoot Ethernet specifically. This should be familiar if they have been to the 101 G class, but it never hurts to re-emphasize these. You may want to do a demo of this. Open a trace file and display the decode windows. Either use the traffic generator screen from the tools menu or right click over the Summary panel and choose “Generate current buffer” and send it out continuously so you’ll have plenty of time to show these next screens. Click the Dashboard icon to show this screen.

4-29 Monitor Dashboard Details
• Use the Dashboard Detail counters to find physical errors
Reminder: You must have the enhanced drivers loaded to detect and capture error frames. Supported Ethernet adapters are:
Adaptec Fast Ethernet Adapter
Network Associates Card Bus Ethernet 10/100 Adapter (Xircom)

Slide Title: Monitor Dashboard Details
Important Points to Cover: Click the Detail tab to show this view. Point out the important fields: Utilization, Errors, CRCs, Runts, Oversize, Fragments, Jabber, Alignment, Collisions

4-30 Dashboard Error Timeline
• Click on the Network and Detail Error sections to see a graphic representation of Ethernet physical errors

Slide Title: Dashboard Error Timeline
Important Points to Cover: New Slide. Show all of the lower timelines and relate them to Ethernet counts. There is no trace that will generate this type of display. The lower graph was fabricated by adding lines to the display. Heaven help the people who would be on a network this bad! Be aware that this data cannot be exported – it shows real-time statistics. You can start history sample if you want to save this type of information.

4-31 Track Errors with History Samples
• Run these and save the data as a .CSV file
• Open in Excel or a reporting application

Slide Title: Track Errors with History Samples
Important Points to Cover: There are more. Demonstrate on your Sniffer.

4-32 Create a Multiple History Report
• Include the errors you need to see
• Collect the data, then save to a file to import into a spreadsheet or reporting program
To create a multiple history report, open the History Samples window from either the Monitor menu > History Samples or by clicking the History Samples icon. Click the Add Multiple History icon, assign a name to your sample and modify the sample interval and Graph Type on the General dialog box. Click the Selection tab, then the New (Insert) icon and scroll and click to choose a sample from the Statistics List window. Repeat this process until you have chosen all the statistics you want included in your report. Use the up and down arrow icons to place the statistics that will have the highest values at the bottom. Adjust any colors as you wish. Click OK when done.
Double click the icon with the sample name to start collecting the statistics. Minimize the window to get it out of your way if you wish. It will continue to gather statistics in the background. The application will continue to gather statistics until you close the window.
When you want to save the statistics to a file, click the Export icon and name the file and choose the file type (comma, tab or space delimited) and path. You will also be able to save the information in graphic format when you close the sample window. This can be viewed later within the History samples application.
If you want to import a snapshot of this screen, just press the alt and print screen keys to copy it to the clipboard. Then paste it into your document or a paint program for further editing.

Slide Title: Create a Multiple History Report
Important Points to Cover: Demonstrate how to create a Multiple History report of the Ethernet errors. Run for a specific time and save the file as comma, space or tab delimited file for import into a spreadsheet or database. They can also save a snapshot of this graph as a .HST file when they close the window. Suggest they may want to run this as a baseline and for trend analysis or scheduled reports for the boss.

Page 4 - 32

Check Utilization In Global Stats 4-33

• Remember, for best performance, utilization should be below 37% sustained utilization to be considered “clean”

Slide Title: Check Utilization in Global Stats
Important Points to Cover: Demonstrate this screen under Global Statistics. The 37% given here will re-emphasize this statistic they need for CNX. If they are seeing a high level of physical errors, they should check first if the network is overloaded. If the traffic is within normal ranges, they need to look at a possible physical reason for the errors.

Page 4 - 33

Look at the Expert’s DLC Layer 4-34

Who’s the source? Is this really the culprit, or is it just impacted?
Check the Symptoms and Diagnoses

The physical errors include:
• CRC errors
• Runts
• Oversize
• Fragments
• Jabber
• Alignment errors
• Collision packets

Slide Title: Look at the Expert’s DLC layer
Important Points to Cover: This emphasizes “troubleshoot from the bottom up”. The DLC layer is the only place they will see Ethernet-related specific information. Demonstrate with your favorite trace file that shows several DLC layer symptoms and diagnoses. Point out the information available for each symptom or diagnosis in the Expert Detail panel on the lower right. Expert help is available for symptoms and diagnoses by clicking the ? icon. This is not the place to teach the Expert. They learned this in TNV101-GUI (we hope they went).

Page 4 - 34

Troubleshooting Exercises 4-35

Your instructor will choose the exercises to meet class needs. Turn to the lab section to complete the selected exercises.
• Test Your Skill
• Errors
• Ethernet Physical Errors
• Evaluating Hub Jams

If you complete them early, try another one. Come back to them when you get back to work and need review.

Slide Title: Troubleshooting Exercises

This single slide points to all of the exercises for this section. These are time-consuming. You may wish to eliminate any that you feel do not meet the needs of the class you are teaching. Emphasize that you are selecting based on the needs of the students in this class so they don’t feel you are skipping things they really want to see.

Test Your Skill Exercise: This one is very important. It gives them a chance to look at traces with no clues of the problems in them. Have them mark the matrix on page 22 to help them determine what the problems might be.

Errors Exercise: The conversation always recovers prior to frame 941. The damage appears to be hardware related. We don’t know what was causing that damage and can only speculate that it was bad hardware (the original repeater? A bad NIC card on the segment?) or an out of spec network (unlikely since they are on the same segment, but w/o a network map it is difficult to know). The administrator suspected the repeater and replaced it with another that was not being used. This replacement was defective. It was replaced prior to frame 941 which is the reason for the large delta time and since it was defective, it is the reason there is no recovery in the conversation starting with frame 941.

Ethernet Physical Errors: See impact of Parallel Tasking feature of some Ethernet cards.

Evaluating Hub Jams: Practice troubleshooting hub jams.

Page 4 - 35

Summary 4-36

• Use a bottom-up process for troubleshooting Ethernet network problems
• Work on the crises first, then spend time doing proactive monitoring to look for areas where performance is degrading and make appropriate changes
• Eventually, the crises should be fewer and the proactive preventive work will take on more importance
• Use the clues in the Sniffer Pro Monitor, Expert and Decode screens to help you determine the cause of frame damage

Slide Title: Summary
Important Points to Cover: Wrap up the section by reviewing the bullets and answering any questions the students may have. Add your own suggestions to this list that’s here. We’re trying to emphasize using the tool for proactive network management here to plant a seed. Good technicians try to avoid problems by looking for signs of degradation and fixing them before they become crises. The Sniffer is much more than a troubleshooting tool!

Target Time: Lunch or before if possible.

Page 4 - 36

5-1 Ethernet Bridging and Switching Concepts

We are including a very brief overview of bridging and switching techniques here to enable you to troubleshoot a switched Ethernet environment. Since many of these same principles are used for Full Duplex and Fast Ethernet, this section will lay the groundwork for those discussions. Sniffer University has a three day class TNV-315-GUI with many more details.

cap 05_brg_g.1 .Section 5 TNV-202-GUI Ethernet Network Analysis and Troubleshooting Slide Title: Ethernet Bridging and Switching Concepts – Section 5 Section Timing: Start: Day 2 Before Lunch bridging section if you can Finish: Day 2 Mid-afternoon Important Points to Cover: Work through the Section 5 title slide only.DOC busy_jam. Page 5 . Spanning Tree is covered very briefly in this course. Refer the students who need more to the 315 course. The bridging section is also used as an introduction to concepts for the switching section.cap VLANprob.caz 8021q-gig. Full Duplex and Gigabit Ethernet sections. Files: Traces: 05_brg_g.PPT scbridge.caz VLANprob2.cap Exercises: Short Circuited Bridges Busy Jam Switch Traffic (Optional) new The bridging and switching sections are somewhat short to allow time for the VLAN and expanded Fast Ethernet. which covers it in great detail. VLAN tagging information has been added. Move through it as quickly as you can to have time for the new section.caz 8021q.

Section Objectives 5-2

Upon completion of this section, you will be able to:
• Differentiate between bridging and switching on a conceptual level
• Recognize network configuration issues with bridges and switches
• View VLAN information in frames
• Use Sniffer Pro to identify common problems associated with bridges and switches

Slide Title: Section Objectives
Important Points to Cover: State the objectives for the section.

Page 5 - 2

5-3 Bridges

Slide Title: Bridges
Important Points to Cover: Title slide only.

Page 5 - 3

Ethernet Bridges 5-4

[Diagram: LOCAL hubs and REMOTE hubs, each side attached to a bridge, with the two bridges joined by a LAN or WAN link]

• A bridge is a store-and-forward Data Link layer device
• A bridge increases the size of a network without increasing bandwidth contention, since segments separated by a bridge are in different collision domains
• A bridge is protocol independent. A bridge bases its forwarding decision on the Data Link layer destination address in a frame
• Bridges only pass valid frames
• An Ethernet bridge is transparent from the end node’s point of view

Bridges work at the Data Link layer of the OSI Reference Model, specifically at the MAC sub-layer. Bridges are only concerned with physical layer addresses. They learn the address of each device on each segment to which the bridge is connected, typically two segments. The bridge stores this information in a "Forwarding Table." When a frame is received on one port of the bridge, it examines the physical layer address to determine whether or not the frame should be forwarded to the other segment.

Bridges are also what is termed "Protocol Transparent." Since they work at the MAC layer and are only concerned with physical layer address (like Ethernet), they have no reason to be concerned with higher layer protocols like DECnet, TCP/IP, XNS. One bridge can forward (or filter) all of these higher layer protocols.

Some bridges allow complex filters to be used to determine which frames get forwarded and which frames don't. This might be used in the case where a router was previously installed to route IP frames. Due to company growth, a new protocol is added and eventually a bridge to allow access to a second segment. Since an IP router is already being used to forward IP frames, the bridge must not forward these same frames. The bridge is programmed (using a filter) not to forward IP frames, but allow remaining frames to be forwarded if the destination address deems it necessary.

With any luck at all your bridge is sophisticated enough to have some sort of bridge manager. The bridge manager will allow you to configure the bridge, maintain its address table, as well as allow you to examine how effective the bridge is to forward and filter frames. When determining a vendor for your bridge purchase, you may want to consider its management capability. Additionally, consider this: is your vendor's manager going to manage another vendor's bridge?

Slide Title: Ethernet Bridges
Important Points to Cover: Work at the Data Link Layer. Forward frames based on the MAC layer address. They are protocol transparent. Bridges learn the addresses on each of their ports and build a forwarding table. Some may do complex filtering. Many are managed by bridge management programs. Label was added to indicate the link can be LAN or WAN.

Page 5 - 4

Multiport Ethernet Bridges 5-5

[Diagram: a multi-port bridge with Ports A to D; Addresses 1 to 8 sit behind the ports on a hub and mini-hubs]

• Learns the addresses of devices that reside off each port
• Maintains a list of the addresses for each port in hardware “Content Addressable RAM”
• Logically extends the cabling segment, but physically separates into separate collision domains
• RAM for storage usually holds 1024 addresses
• Can be increased, but the maximum limit is vendor specific

A list must be kept of what node addresses lie beyond a bridge port. The list can be lengthy. The number of addresses is vendor dependent, but usually starts with 1024.

Slide Title: Multiport Ethernet Bridges
Important Points to Cover: As noted on the slide.

Page 5 - 5

Ethernet Bridges are Responsible For: 5-6

Flooding: If the destination address is unknown, or if it’s a multicast/broadcast destination address, the bridge sends the frame out each port except the port on which the frame was received

Learning: A bridge is promiscuous and sees every frame on the segments to which it is attached. By examining the source address in frames, a bridge learns which stations are on which side of it

Forwarding: Once a bridge learns where stations are, it only sends a frame out the correct port to reach the destination station

Filtering: If the destination and source addresses are on the same port, the bridge just drops the frame

User Filtering: Allows a network manager to filter, based on protocols, addresses, packet type, etc., to increase the network's efficiency or add security measures

The filtering function might seem so obvious it's not worth mentioning, but actually it is worth mentioning in order to compare a bridge to a repeater: a repeater repeats everything, even if the two stations communicating are on the same side of the repeater. Since a bridge looks at the data link header, it learns the locations; it does not need to forward unnecessarily. The filtering rate advertised for a bridge is the number of frames per second on which the bridge can make forwarding/nonforwarding decisions.

User filtering may employ a technique similar to the Sniffer analyzer’s pattern match function, allowing some manufacturers to claim to filter on layer three protocol addresses, even though a bridge is a layer two device.

Slide Title: Ethernet Bridges Are Responsible For
Important Points to Cover: Cover the slide points well.

Page 5 - 6

Store and Forward 5-7

[Diagram: Station A on one hub sends a frame with DA = B through the bridge to Station B on the other hub. CRC good? If yes, then forward. CRC bad? If yes, throw frame away.]

• Bridges are “Store and Forward” devices
• They must copy the entire frame and verify the CRC before forwarding
• If the CRC is good, the bridge will forward as it should
• If the CRC is bad, the bridge will discard the frame
  – A higher layer protocol will time out and attempt retransmissions

This technique requires the bridge to look at the entire frame before making a forwarding decision. A benefit of this feature is that the bridge can determine whether there is an error in the frame before making a forwarding decision. Error frames are removed from the network. A drawback is that the bridge will introduce latency (delay).

Slide Title: Store and Forward
Important Points to Cover: This is now an animated build slide. Slide and notes are adequate to explain the concept. Review them.

Page 5 - 7

Bridge Data Flow 5-8

[Flowchart, with a MAC / Port / Age table beside the two lookup steps]
1. Receive frame on Port x.
2. Read source address. MAC SA in Table? No: enter into Port x table. Yes: continue.
3. Read Dest MAC. Is it Bdcst? Yes: flood to all ports except x.
4. MAC DA in Table? No: flood to all ports except x.
5. DA on Port x? Yes: discard frame. No: forward frame on correct port.

All speeds of Ethernet follow this flowchart. Only the timing changes.

Slide Title: Bridge Data Flow
Important Points to Cover: New partially automated build slide. Click to reveal each step in the decision process as you discuss it.

Page 5 - 8
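The Store and Forward and Bridge Data Flow slides above can be traced in code. The following Python sketch is an added example, not part of the course material: it checks the frame's CRC-32 before any decision is made, then walks the flowchart (learn, flood, filter, forward). The station addresses, port names and the 300-second ageing time are assumptions made for the example.

```python
import struct
import zlib

# Constructed sample station addresses (locally administered), not from the course traces.
STATION_A = bytes.fromhex("020000000001")
STATION_B = bytes.fromhex("020000000002")
STATION_D = bytes.fromhex("020000000004")
BROADCAST = bytes.fromhex("ffffffffffff")


def build_frame(dst, src, ethertype, payload):
    """Build a frame without preamble: header, payload padded to 46 bytes, FCS."""
    body = dst + src + struct.pack("!H", ethertype) + payload.ljust(46, b"\x00")
    return body + struct.pack("<I", zlib.crc32(body))


def fcs_ok(frame):
    """Store-and-forward check: reject runts, then recompute the CRC-32."""
    if len(frame) < 64:  # shorter than the 512-bit minimum frame
        return False
    return struct.pack("<I", zlib.crc32(frame[:-4])) == frame[-4:]


class LearningBridge:
    def __init__(self, ports, max_age=300.0):
        self.ports = list(ports)
        self.max_age = max_age  # assumed ageing time in seconds
        self.table = {}         # MAC -> (port, time last seen): the MAC/Port/Age table

    def receive(self, in_port, frame, now=0.0):
        """Apply the flowchart to one frame; return (action, output ports)."""
        if not fcs_ok(frame):
            return ("discard-invalid", [])      # bridges only pass valid frames
        dst, src = frame[0:6], frame[6:12]
        # Learning: enter the source address into the table for this port.
        # Refreshing the timestamp on every frame is an assumption of this sketch.
        self.table[src] = (in_port, now)
        others = [p for p in self.ports if p != in_port]
        if dst[0] & 0x01:                       # group bit set: broadcast or multicast
            return ("flood", others)
        entry = self.table.get(dst)
        if entry is not None and now - entry[1] > self.max_age:
            del self.table[dst]                 # aged out, treat as unknown
            entry = None
        if entry is None:
            return ("flood", others)            # unknown destination
        if entry[0] == in_port:
            return ("filter", [])               # destination is on the arrival port
        return ("forward", [entry[0]])


def run_demo():
    """Feed constructed frames through a four-port bridge and collect the decisions."""
    bridge = LearningBridge(["A", "B", "C", "D"])
    a_to_b = build_frame(STATION_B, STATION_A, 0x0800, b"hello")
    b_to_a = build_frame(STATION_A, STATION_B, 0x0800, b"reply")
    damaged = bytearray(a_to_b)
    damaged[20] ^= 0x01                         # one flipped payload bit breaks the CRC
    return [
        bridge.receive("A", a_to_b, now=0),     # B not yet learned
        bridge.receive("B", b_to_a, now=1),     # A was learned on port A
        bridge.receive("A", a_to_b, now=2),     # B was learned on port B
        bridge.receive("A", build_frame(BROADCAST, STATION_A, 0x0806, b""), now=3),
        bridge.receive("A", build_frame(STATION_A, STATION_D, 0x0800, b"x"), now=4),
        bridge.receive("A", bytes(damaged), now=5),
        bridge.receive("B", b_to_a, now=400),   # entry for A has aged out
    ]


if __name__ == "__main__":
    for step in run_demo():
        print(step)
```

A switch that forwards after reading only the destination address skips the `fcs_ok` step, which is why the course notes that a switch may pass along a bad CRC or a runt that a bridge would have removed.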

Bridging Loop 5-9

[Diagram: bridges in a loop, each forwarding; broadcast frames circle endlessly]

• Ethernet bridges are susceptible to loops
• The Spanning Tree Algorithm handles loops by disabling alternate routes
  – All traffic flows toward the root bridge
• Bridges use Bridge Protocol Data Unit (BPDU) frames to negotiate a unique device-to-device path
• The picture above does not have Spanning Tree enabled. When Station A sends a broadcast frame, the frame can be forwarded by all bridges in a constant loop

The Spanning Tree specification is defined in IEEE 802.1d. Topology loops can occur in a switched network just like a bridged network. Bridges are assigned an ID by the administrator (two byte field). The MAC address of the adapter is appended to the two byte ID, and the result becomes the Bridge Identifier. The lowest value Bridge Identifier becomes the Root bridge. The network manager configures a cost for each port on the bridge. For example, the cost for a T1 link could default to 100, while the cost for a 56 kbps line could default to 500. Costing information is exchanged with BPDU frames.

Slide Title: Bridging Loop
Important Points to Cover: Broadcast frames will be forwarded continuously when Spanning Tree is not enabled. IEEE 802.1d is the specification covering Spanning Tree.

Page 5 - 9

Spanning Tree 5-10

[Diagram: meshed bridges with a cost on each link; one path is marked Best and another Backup]

• Bridges in a mesh configuration use a “cost” metric to determine the best (cheapest) path
  – The best path is used for forwarding
  – The other paths are backups and not used unless the best path fails
• One bridge is elected “root”
  – All frames are directed towards the root

Many switches in meshed configurations use Spanning Tree to prevent loops. Anytime you see BPDUs in your traces, you’ll know it is active. Many vendors have proprietary protocols that allow you to do load balancing in a mesh environment. If you are using one of these and see BPDUs, check to make sure Spanning Tree is not needed, then disable it on the bridge(s) sending the frames.

Slide Title: Spanning Tree
Important Points to Cover: New Slide. Each bridge/switch has a unique identifier. Administrators can assign IDs to control which bridge/switch becomes the root of the tree. You need a good logical drawing of the bridged/switched segments to plan the best paths and assign costs appropriately. The administrator can control paths by assigning a high cost to an expensive, slow link used as a backup path and a low cost to a fast primary path. The fast primary path will be used until it fails. The bridges/switches exchange BPDU frames when a link fails to reconfigure the tree to cover the segment that’s down. You might want to mention here that switches frequently use Spanning Tree to maintain forwarding tables to indicate the continued use of Spanning Tree and BPDU frames.

Page 5 - 10
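The root election and cost-based path choice described on the Bridging Loop and Spanning Tree slides can be worked through on a small topology. This Python sketch is an added example, not course material and not a full IEEE 802.1d implementation: it uses one cost per point-to-point link and no BPDU exchange or timers. The bridge names, priorities and MAC addresses are constructed; the two link costs are the T1 and 56 kbps defaults quoted above.

```python
import heapq

# Default costs quoted in the course notes: T1 link 100, 56 kbps line 500.
T1, LINE_56K = 100, 500

# Constructed four-bridge ring; names, priorities and MAC addresses are made up.
BRIDGES = {
    "B1": (0x1000, "02:00:00:00:00:01"),
    "B2": (0x8000, "02:00:00:00:00:02"),
    "B3": (0x8000, "02:00:00:00:00:03"),
    "B4": (0x8000, "02:00:00:00:00:04"),
}
LINKS = [("B1", "B2", T1), ("B2", "B3", T1), ("B3", "B4", T1), ("B4", "B1", LINE_56K)]


def bridge_identifier(priority, mac):
    """Two-byte administrator-assigned ID followed by the adapter MAC address."""
    return priority.to_bytes(2, "big") + bytes.fromhex(mac.replace(":", ""))


def spanning_tree(bridges, links):
    """Elect the root and pick each bridge's least-cost path toward it.

    bridges: {name: (priority, mac)}; links: [(name_a, name_b, cost)] with at
    most one link per pair. Returns (root, paths, best_links, backup_links),
    where paths maps name -> (cost to root, upstream neighbour or None).
    """
    ids = {name: bridge_identifier(*cfg) for name, cfg in bridges.items()}
    root = min(ids, key=ids.get)                # lowest Bridge Identifier wins
    neighbours = {name: [] for name in bridges}
    for a, b, cost in links:
        neighbours[a].append((b, cost))
        neighbours[b].append((a, cost))

    # Least-cost search outward from the root. Equal costs are broken by the
    # lower upstream Bridge Identifier, the second element of each heap entry.
    paths = {}
    heap = [(0, b"", root, None)]
    while heap:
        cost, _upstream_id, name, upstream = heapq.heappop(heap)
        if name in paths:
            continue
        paths[name] = (cost, upstream)
        for nbr, link_cost in neighbours[name]:
            if nbr not in paths:
                heapq.heappush(heap, (cost + link_cost, ids[name], nbr, name))

    # A link is on a best path if one end uses the other as its upstream bridge;
    # every other link is a backup and carries no traffic until the tree changes.
    best, backup = [], []
    for a, b, _cost in links:
        used = paths.get(a, (0, None))[1] == b or paths.get(b, (0, None))[1] == a
        (best if used else backup).append((a, b))
    return root, paths, best, backup


def after_link_failure(failed):
    """Recompute the tree for the sample ring with one link removed."""
    remaining = [l for l in LINKS if (l[0], l[1]) != failed]
    return spanning_tree(BRIDGES, remaining)


if __name__ == "__main__":
    print(spanning_tree(BRIDGES, LINKS))
    print(after_link_failure(("B2", "B3")))
```

With all links up, the 56 kbps line between B4 and B1 is the backup; once the B2 to B3 link fails, the recomputed tree puts it back into service at a root path cost of 500 for B4.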

BPDU Frames 5-11

• Sent by the bridge to neighbors to share configuration information

[Diagram of BPDU frame fields: Multicast Dest. Address, Type of frame, Root Bridge, Link Cost, Source information, Timers]

The destination address is a functional address assigned to “all bridges”.
The source address is the address of the port sending the BPDU.
The Root ID in the frame is the bridge this one assumes is the root.
Sending bridge ID is the ID of the bridge sending this frame.
The cost is the least cost path to the root from this bridge.

Bridges build forwarding tables from the BPDU frames. When a bridge receives a BPDU frame from its neighbor, it compares the message received from that port with what it would send out that port. It changes its table if it discovers a better route and stops sending configuration messages on that LAN. If the message age reaches a certain threshold, the message is considered stale and the bridge recalculates the best route as if it had not received the message.

For a detailed explanation of the Spanning Tree algorithm, see Section 3 in Interconnections, Bridges and Routers, Radia Perlman, Addison Wesley, 1992 ISBN 0-201-56332-0.

Slide Title: BPDU Frames
Important Points to Cover: New Slide. Cover only the basics in this class. TNV-315 “Interconnection Concepts and Troubleshooting” will teach the specifications and structure of the BPDU frames in detail. There is no time for it here.

Page 5 - 11

Capturing in a Bridged Environment 5-12

[Diagram: Nodes A, B and C and the SnifferPro on one hub; Nodes D, E and F on a second hub; the frames seen by Sniffer Pro are marked]

The Sniffer Pro Network Analyzer will:
See frames going between Nodes A, B and C.
See traffic bridged between the two networks.
Not see frames going between Nodes D, E and F.

Example: Node A is communicating with Node D via a bridge. The Sniffer Pro Network Analyzer will show Node A and Node D's Ethernet addresses. At the data link layer, the source and destination addresses will be the end node’s addresses. You will not see the bridge’s addresses.

Slide Title: Capturing in a Bridged Environment
Important Points to Cover: “New” Slide. (Actually a resurrection of the slides we always included in this class – updated to star wiring.) You might want to mention the bridge could actually be a switch.

Page 5 - 12

Exercise: Short Circuited Bridges (Optional) 5-13

Turn to the lab section to complete this exercise

Slide Title: Exercise: Short Circuited Bridges (Optional)

This exercise is optional due to the time constraints of the class. Fit it in, as you are able. Since the Spanning Tree discussion has been expanded again, you may not want to skip this exercise.

Page 5 - 13

Exercise: Short Circuited Bridges 5-14

[Diagram: two 192 Kb links and the Sniffer Pro analyzer]

During which time.03 seconds Time to transmit one frame on an Ethernet where 1 bit = 1/10.200 bits/second = . Assume Bridge 2 puts the frame out. label the bridges 1-4 starting in the upper left-hand corner and continue on clockwise. Bridge 3 begins transmitting its frame out on to the Ethernet (Frame 2 on the Sniffer). (For argument’s sake. Bridge 2 will transmit the frame back toward Bridge 1 and then the process continues.) Assume the propagation delay across the Ethernet or WAN link is 0. Time to transmit a minimum length Ethernet frame across the 192 Kb link Minimum frame = 512 bits Preamble = + 64 bits ============= Total bits transmitted = 576 bits 576 bits / 19. Page 5 .14 . Bridge 3 is receiving the frame Bridge 2 transmitted.03 seconds later Bridge 1 has transmitted the frame to Bridge 2. . (. you may want to work through the following math with the students. Assume within 576 microseconds Bridge 1 and Bridge 4 receive the frame. We can assume this because the network as shown is symmetrical..) Within 576 microseconds. let's say this is the ARP Frame 1 we see on the Sniffer.000 Seconds = . Bridge 2 receives Frame 2 after 576 microseconds. Bridge 4 begins putting Frame 1 onto the left Ethernet segment. For this discussion. Either Bridge 2 or Bridge 3 will be able to access the Ethernet media on the right..000001 Seconds = 1 microsecond.Section 5 TNV-202-GUI Ethernet Network Analysis and Troubleshooting Slide Title: Exercise: Short Circuited Bridges (Diagram) If you are questioned about the small delta times that appear in this trace file. Bridge 3 begins transmitting Frame 1 back towards Bridge 4.000. Therefore to transmit 576 bits takes 576 microseconds.000576 Seconds or roughly half a millisecond. TIME LINE Station on left sends ARP. During the same time period Bridge 4 to Bridge 3.

5-15 Switches

Slide Title: Switches
Important Points to Cover: Title slide only.

Page 5 - 15

Switches 5-16

• Switches are similar to bridges and do these actions:
  – Learn which addresses are available at each port
  – Maintain lookup tables by port (as bridges do)
  – Look at the destination address and forward immediately if possible
  – Switch packets between ports
  – Switching fabric maintains multiple, simultaneous conversations on different ports (unlike bridges)
  – Provide full bandwidth at each port
  – Do not verify the validity of the CRC (unlike bridges)
• Most switch vendors implement Spanning Tree Algorithm

A switch connects LAN segments like a hub does, but unlike a hub, which divides the bandwidth among all attached segments, a switch provides full bandwidth at each port. A port can be dedicated to a single file server, for example. Packets are processed in parallel by very fast hardware.

Like a bridge, a switch learns which addresses are available at each port. Unlike a bridge, when forwarding a packet a switch may look at just the destination address, instead of the whole packet, and forward immediately if possible. Usually the destination segment is not busy. If the destination segment is busy, the frame is queued in a buffer, just like a bridge, until the destination segment is free. One vendor claims a switching delay of only 40 microseconds, which they measure as the time between the first bit of a packet received and the first bit of the packet sent.

Some switches support software configuration to specify which ports can talk to which ports, sort of an “electronically controlled patch panel.”

It really is hard to compare switches, especially because they have very different architectures and because vendors are getting very creative in combining the functions of layer 1, layer 2 and layer 3 relays. The late 1990s started major innovations in this area.

Issues with using switches instead of bridges or routers include:
• A switch may forward a bad CRC and a runt that has a destination address.
• Switches will not isolate broadcast storms.
• Using the switch’s “electronically controlled patch panel” feature sounds great, but could wreak havoc with IP addressing and subnet mask schemes.
• They often cannot be set up for protocol filtering.
• They generally won’t do fragmentation and re-assembly.

16 . Read the fine print! Will it work with what you have? Page 5 .Section 5 TNV-202-GUI Ethernet Network Analysis and Troubleshooting Slide Title: Important Points to Cover: Switches Vendors are doing many things to improve the performance of their products.

Switched Networking 5-17

• Switched networking provides a simple solution to existing networks suffering from traffic congestion
• In Ethernet environments, each switch port is a separate collision domain
• Switches allow you to micro-segment
• Some switches provide monitor ports to attach a Sniffer Pro
• Switches are not governed by standards, so a combination of vendor switches is difficult
  – There are many proprietary implementations

Microsegmentation means that there is only one device at each switch port, rather than a shared LAN on a port as in segmented network, providing the user or segment with almost dedicated bandwidth. The overall benefit of switching is that multiple conversations can occur simultaneously on a single switched hub, reducing response times. Traffic is aggregated on the backplane of the switch. This backplane should be between 1.5 - 10 Gbps with recent announcements for 85 Gbps backplanes.

Switching extends the life of existing legacy LAN networks. Switches are a small cost, when compared to other alternatives, easy to implement, provide increased performance without replacing existing wiring plant, and increase network throughput. Switches are plug and play, but much pre-planning is required. As an example, if your bandwidth is being eaten up by DLC layer broadcasts, a switch will not improve the condition.

Slide Title: Switched Networking
Important Points to Cover: Slide and notes points.

Page 5 - 17

Basic LAN Switching Defined 5-18

• A switch allows dedicated communications paths to be rapidly built and torn down between multiple sources and destinations. The total aggregate bandwidth goes up with switch technology
• A 12 port switch can support six simultaneous conversations

[Diagram: servers and workstations paired through a switch]

A switch allows devices or segments to have a unique dedicated path to each other. The path is active for the duration of the frame, then is broken down and made available for the next frame. Each port on a switch is, in effect, a separate collision domain or ring. In 12 port switches, backplane speed needs to equal six times the individual wire speeds of the ports. Similar ratios apply to other size switches.

Switches can act like fast bridges; they are layer 2 devices. But some vendors are adding layer 3 functions to switches, like the ability to route IP and IPX.

The VLAN concept, by which you can logically group switch ports, is growing in acceptance. A VLAN generally divides your network into broadcast domains. VLAN schemes are proprietary to the different vendors. VLAN is popular in today's dynamic environment where “Tiger Teams” are created across departmental lines to address a particular problem or project and then disbanded once that problem or project has been resolved.

Slide Title: Basic LAN Switching Defined
Important Points to Cover: Collisions are in switched environments. Each port is a separate collision domain. Each pair of communicating devices has the entire bandwidth (in this case 10 Mbps) for their frame. The path is active for the duration of the frame only. It is torn down after each frame has been transmitted.

The Virtual LAN (VLAN) concept allows the administrator to group ports through software for workgroup segmentation.

Many switches implement Spanning Tree to avoid topology loops where broadcast frames circulate endlessly. Other manufacturers use proprietary methods to avoid loops.

A bullet and student note was added that addresses the issues of the speed of the switching fabric.

A switch should have a very low PLR or Packet Loss Rate. It can have congestion control, where a switch will slow things down if ports become overloaded. Switching times may degrade noticeably, but at least you won’t lose any packets which will cause retransmissions. For switches without active congestion control, the ability to handle 100 to 300 back-to-back, min. and max. size frames pretty much assures negligible packet loss no matter what the traffic pattern. Switches that can buffer more than 100 1518 byte packets are considered very robust.

Page 5 - 18

Capturing in a Switched Environment 5-19

[Diagram: Nodes A to F on a switch; SnifferPro sees only Broadcast Traffic plus... (Vendor Dependent)]

The Sniffer Pro Network Analyzer sees different things based on the switch technology and how the switch has been set up. Switch vendors have provided various mechanisms for network analysis tools to evaluate network traffic and conversations. At the data link layer, the source and destination addresses will be the end node’s addresses. You will not see the switch’s addresses.

Slide Title: Capturing in a Switched Environment
Important Points to Cover: What you see is what the vendor allows you to see. Addresses are like the addresses in a bridged environment. DLC addresses are the end station’s.

Page 5 - 19

Seeing the Frames 5-20
• Switch sends all traffic to a monitor port
• Switch sends selected port or VLAN traffic to a monitor port
Tapping the backplane of the switch does not limit the traffic sent to the monitor port. You will get all traffic that occurs on any port in the hub. This may present problems due to high utilization on the monitor port. It will work well when overall use of the switch is low, but if several users of the switch are demanding high amounts of bandwidth individually, their combined traffic may be greater than the switch can process through a single monitor port. You will most likely lose packets.
A port tap limits traffic seen to just what happens on that one port.

Slide Title: Seeing the Frames
Important Points to Cover:
Several separate slides are now combined so you can cover them quickly and compare them more easily.
All traffic to a Monitor Port (This is not an industry-standard label for this port.)
Issues:
Is the port able to handle the aggregate bandwidth of the backplane?
Is the Sniffer Pro analyzer able to handle the aggregate bandwidth of the backplane? You can’t just put a Fast Ethernet Sniffer Pro analyzer here. The signals and timing are different in Fast Ethernet.
You’ll need to set a capture filter to focus on the traffic that will help you solve the problem.
• Station address filter
• Address class filter
• Protocol filter
But if the port can’t deliver it, you still can’t capture it.
Selected port or VLAN traffic to a monitor port
Gives a very limited view of just one station’s traffic.

Seeing the Frames Continued 5-21
• Attach a shared media hub between a server and the port to see all server traffic
• Install a matrix switch to view several segments
[Diagram labels: Switched Media Hub; Shared Media Hub (mini-hub); Shared Media Hubs; Servers; Workstations; SnifferPro; Matrix Switch; DSS/RMON Agent with Transport Card and Monitor Card]
The hub should be attached when the server is inactive, and left in place to enable real-time monitoring. This is a very easy solution to implement and, in some environments, a very effective solution. For example, when there are only a couple of servers in a server-client environment, everyone will be talking to those servers, therefore you’re actually getting all traffic on the switch by just monitoring the servers’ ports. This also works well with unsophisticated switches that do not have a built-in monitor port. There are several inexpensive mini-hubs on the market. Adding the hub may change the timing characteristics of the segment and may introduce its own set of errors if you exceed the collision domain. Be sure you are not introducing a repeater into a full-duplex link by mistake.
Several companies make matrix switches. If you are using a DSS/RMON Agent, you should use a Network Associates supported switch like the DataComm switch. There are several advantages to using a Network Associates supported switch. Portable Sniffer Pro Network Analyzers can also be used in place of the DSS/RMON. Remember, though, you can only monitor one port at a time.

Slide Title: Seeing the Frames (Continued)
Important Points to Cover:
Permanently install minihubs in the line to your servers. Allows you to see all the traffic to and from the server.
Permanently install a minihub in the line to your bridges and routers. Allows you to see all traffic directed to or from them.
There are several vendors that supply switches from DS Pro. Some of them can be controlled directly with SniffView. SniffView allows you to switch the DS Pro Agent into multiple segments so you can monitor the conversations to multiple servers (or routers) one at a time. There are several models that can attach into a combination of Ethernet and other topologies. We also sell DSS/RMON Multiview, which is a DS Pro in a matrix switch.

Switch Control and Expert 5-22
• Switch control allows you to access supported switches and span one port or VLAN to a monitor port
• Two adapters are required to span a port
– The configuration adapter sends SNMP signals to the switch’s IP address to control the switch and retrieve MIB data
  • Attach to the switch control port
– The monitor adapter does the assigned Sniffer tasks
  • Attach to the mirrored port
• One adapter is enough if you just want MIB data
[Diagram: the monitor adapter receives frames from the switch SPAN port (mirroring a port or VLAN); the configuration adapter sends SNMP commands to the switch]
SPAN (Switched Port ANalyzer) is a proprietary Cisco protocol used to mirror traffic from a port or VLAN to a monitor port. Mirroring places a heavy load on the switch. Be sure to disable it when you have completed your analysis or capture!
If you have just one adapter in your Sniffer, it must have TCP/IP bound to it so it can connect to the switch to control it. It is connected to the switch control port which cannot be a monitor port. You would need to stop Sniffer Pro and reconnect it into the monitor port and restart it as a Sniffer to sniff the monitor port. You then would not be able to control the switch or see the MIB data.
The TNV-201-DSP and TNV-315-GUI classes have more information on switch control and Expert.
Sniffer Pro version 4.0 switch expert supports:
Cisco models (* = this version or newer):
2900 v.4.5(2)
2916XL v11.2(8)SA5*
2924(M)XL v12.0(5.1)XP*
2926 v4.5(2)
5000 v4.5(2)*
5002 v4.5(2)*
5500 v4.5(2)*
5505 v4.5(2)*
5509 v4.5(2)*
6000 v5.4(1)*
6002 v5.4(1)*
6500 v5.4(1)*
6509 v5.4(1)*
Nortel models:
Baystack 450 v HW:RevB, FW:V1.04, SW:V1.1.0
Not all features are supported. Contact NAI tech support for specific issues.

Slide Title: Switch Control and Expert
Important Points to Cover:
New Slide. Unfortunately we just don’t have time to delve into this in this class. It is covered in detail in the TNV-201-DSP class. That class has a switch, so all of the MIB and control screens can be demonstrated. It will also be shown in the Advanced TNV-102-GUI class being written. Try to attend a TNV-210-DSP class to see this in action so you can discuss it better. You also need a switch to demonstrate all the functions of this feature.
The basics:
You can get all the MIB data from the switch and see it in the Sniffer windows. You can get the MIB data with a single adapter.
You can use these MIB screens to mirror a port or VLAN to the port where the Sniffer is attached. (VLAN mirroring is not supported for all switch models.)
You need the second card only if you want to do the Sniffer functions. You cannot use a single card to send the SNMP commands to the switch to control it AND then turn around and sniff using the same card.
You can do all the Sniffer functions on the mirror port i.e. start Monitor screens, capture, set triggers, etc.
Port mirroring (or SPAN) puts a big load on the switch. DO NOT leave it enabled constantly. Turn the mirroring off when you are done!

Switch Frames 5-23
• Once you get the frames from the switch, they look just like any other Ethernet frame
• Expert shows symptoms and diagnoses plus valuable VLAN information
• Use the skills you’ve gained here to determine where problems lie

Slide Title: Switch Frames
Important Points to Cover:
New Slide. The main difference in the Sniffer screens is the VLAN information in the Expert. The students will see that in the VLAN section. Any VLAN symptoms and diagnoses will be labeled in the Summary display. You can filter from the Expert’s VLAN symptoms and diagnoses. You can get the switch MIB statistics on adapter and VLAN MIB counts that can be very helpful.

Switch Performance 5-24
• Switches are often faster than bridges
• They segment collision domains
• Cut Through switches are fastest
– They read only the destination address and forward to a new or established port
– They provide the least amount of data integrity (they only verify the destination MAC address)
• Some switches offer FFCT (fragment-free cut-through) mode
– Only frames at least 64 bytes in size are forwarded
• Switch latency increases the further into a frame the switch checks for data integrity
• Switches forward damaged frames if damage occurs past their check point

Slide Title: Switch Performance
Important Points to Cover:
Slide is adequate.

Exercise: Busy Jam 5-25
Turn to the lab section to complete this exercise

Slide Title: Exercise: Busy Jam

Exercise: Busy Jam Diagram 5-26
[Diagram labels: Switch; Sniffer Pro analyzer; Hub; 10 Mbps; Server; Client Stations]

Slide Title: Exercise: Busy Jam Diagram
Network Diagram

5-27
Virtual LANs (VLANs)

Slide Title: Virtual LANs (VLANs)
Important Points to Cover:
New Section - New title Slide.

VLANs 5-28
• Many switches allow you to set up virtual LANs
– A VLAN is roughly a broadcast domain
– Stations in different physical locations can communicate as if they were on a common LAN
– Some manufacturers allow you to place ports on more than one switch in a VLAN
– There are many vendor-specific implementations
[Diagram: HR VLAN, Exec VLAN and Finance VLAN spanning the 1st, 2nd and 3rd floors]
Port configurations aggregate stations based on the port where they are attached. This was the first implementation of VLAN groups.
MAC address-based VLANs group stations based on their MAC address. This is useful when you have laptop users who carry them around and attach their PCMCIA cards in different locations. Problems arise when they dock these laptops and use the docking station’s NIC card or software overwrites the MAC address.
Protocol-based VLANs group stations based on their protocol type or layer 3 address. It is a good way to isolate groups using non-routable protocols. The switches use standard routing protocols to communicate with routers, but all traffic in the VLAN is switched.
IP Multicast address groups segregate the multicast traffic and send only to those devices that are in the VLAN. This extends beyond the normal network-maintenance address types for routing and bridging support to specialized applications like broadcast audio or video data.
802.1Q VLAN tagged frames is a new IEEE standard that uses an additional header in the frames between the switches that identifies the VLAN.
Since many of the mechanisms are vendor-specific, you should try to buy all your switches from one vendor or only use switches that support the 802.1Q standard.

Slide Title: VLANs
Important Points to Cover:
New Slide. VLANs have been around for a long time and most students will have basic knowledge about them. What they may not know is how their traffic looks on the wire. Emphasize the broadcast domains. See, the stuff we taught in the technology section hasn’t gone away! VLANs provide a way to logically link devices in different layer 1-2 physical network segments into a logical layer-three network segment.

VLAN Grouping Techniques 5-29
• Port
– Assign each port to a particular VLAN
– Quick and simple, moves require reconfiguration
• Protocol (Layer 3 grouping)
– Groups all devices with the same protocol - isolates protocol-specific broadcasts
– Stations with multiple protocols belong to multiple VLANs
– Router required between different protocols and IP subnet VLANs
• MAC address
– Assign each NIC to a particular VLAN
– Good for laptops that move around
• Multicast Address (IP multicast address)
– Proxy address for a group of devices

Slide Title: VLAN Grouping Techniques
Important Points to Cover:
New Slide. Quickly review the ways vendors implement VLANs.

VLAN Tagging 5-30
• When devices are spread across several physical segments, there needs to be a way to quickly send them to the proper switch
• Cisco developed a proprietary protocol called Interswitch Link Protocol (ISL) which added a few bytes or “tag” at the beginning of the frame
– The tag identifies the VLAN
– This eliminated the need to do a table lookup for each frame - just send them to the right port
• The IEEE modified this for the 802.1Q specification

Slide Title: VLAN Tagging
Important Points to Cover:
New Slide. This is just a page to introduce the reason for tags and the VLAN tagging methods.

Interswitch Link (ISL) Protocol 5-31
• The Grandfather of the IEEE 802.1Q tagging standard
• A proprietary Cisco protocol developed to support trunks between Cisco switches
• Tags added to the frames between the switches include a VLAN group identifier to route them to the proper VLAN
• Several other vendors licensed ISL
• 3Com used VLT frame tagging method

Slide Title: Interswitch Link (ISL) Protocol
Important Points to Cover:
New Slide. This is a Cisco vendor proprietary protocol. Other vendors licensed it.
Tags are carried on the trunk links between Cisco Switches.
We can see them and decode them on frames captured on these links.

Cisco ISL Frame Tags 5-32
• Ethernet frame is attached after the 26 byte ISL Header
• VLAN identifier
Inter Switch Link (ISL) protocol was developed by Cisco and has been incorporated into the 802.1Q standard. ISL adds a 10 bit address to every frame as it enters the switch fabric. The frame is forwarded only to switches and interconnected links with the same 10 bit address. This tag is removed before the frame is forwarded to the end station or switch outside the VLAN.

Slide Title: Cisco ISL Frame Tags
Important Points to Cover:
New Slide. This screen capture was taken from VLANprob.caz frame 1. The students will use it in the exercise at the end of this section. Don’t go into details of this protocol. Let Cisco teach that in their classes!

Cisco ISL Expert Information 5-33
• VLAN information shown at the Global Layer
• VLAN list in the Detail Tree
• Statistics and details in the Expert Detail panel

Slide Title: Expert Cisco ISL Information
Important Points to Cover:
New Slide. This screen capture was taken from VLANprob2.cap Expert view with the Global symptoms highlighted. Explore more of the Expert information with the students.

802.1Q VLAN Standard 5-34
• The 802.1Q standard is based on the 802.10 standard
– 802.10 is the Interoperable LAN/MAN Security (SILS) standard which defines a single Protocol Data Unit (PDU) with an 802.10 header inserted between the MAC header and the frame data for secure transmission of data
• 802.1Q uses frame tagging to carry VLAN membership information across multiple multivendor devices
– The security header from 802.10 is modified to support VLAN tagging
– Tags allow frames to be forwarded quickly to other switches within the VLAN
• Routers are required to forward frames between VLANs
– Can be internal to the switch or external one-armed routers
• Vendor proprietary implementations are still also used
– This creates vendor interoperability problems
Several issues need to be addressed when implementing VLANs:
Management: Even though most vendors use management software to create the VLANs and move ports into the VLAN, there is an issue of keeping up with all the moves (though this is certainly easier than moving cable to keep a person in the same network segment!). People also may feel isolated when they are moved out of the area where their co-workers are.
80/20 Rule: It is difficult to maintain the “80/20” where 80% of the traffic remains local and 20% goes outside the area and through a router.
Shared resources like servers and printers need to be managed so people in a different VLAN can print to the local printer and access their server. You may choose to put these devices into more than one VLAN so all who need them can access them.

Slide Title: 802.1Q VLAN Standard
Important Points to Cover:
New Slide. This is the IEEE standard for VLAN tagging. The headers are different. Highlight the last bullet. All the switches in the VLAN must support the same tagging method or frames will not get where they need to go!

802.1Q VLAN Headers 5-35
Fits between the Source MAC address and Type/Length field of the MAC header of the Ethernet frame
[Diagram: MAC D & S | Type 8100 (2 bytes) | Tag Control (2 bytes): User Priority, Tunnel Type, VLAN ID | MAC Type/Length | Data]
Tag Protocol Type field identifies the 802.1Q header
Tag Control field has three fields:
3 bits user priority
1 bit tunnel type i.e. Ethernet or Token Ring
12 bit VLAN ID
The 802.3ac standard has extended the maximum frame size to 1522 bytes to allow for these 4 additional bytes.
The 802.1Q standard works hand in hand with the 802.1P standard for assigning priority levels to frames. You may see it called 802.1 Q/p in some publications. 3 bits allow for 8 different priority levels. The user priority field allows applications that require guaranteed bandwidth to be delivered before applications that are not time-sensitive. The switches must maintain internal queues for each priority. Incoming frames are placed in the queue for the priority in the field and the highest priority frames are transmitted out before the lower priority frames. This enables lower cost Ethernet installations to compete with the high-maintenance and cost ATM networks that provide robust Quality of Service guarantees.
Keep in mind that this is priority done at layer 2. To have end-to-end priority, all devices in the intervening path must recognize the priority levels at both layers. RSVP at the network layer in the stack needs to inform layer 2 to set the priority bits to match the level of the data being sent.

Slide Title: 802.1Q VLAN Headers
Important Points to Cover:
New Slide. This shows a breakout of the fields in the tag to prepare them for what the Sniffer shows. Point out that the tag comes in the MAC header! The destination and source addresses come first, then the tag, then the MAC type or length field. This was very confusing when I first viewed these frames. I wanted to put the Type/Length field in with the tag, because the Sniffer puts it there without identifying that it is part of the DLC header. The number of bytes in the spec didn’t match what I saw in the frames that way.

802.1Q Header 5-36
• Ethernet frame is encapsulated inside the 802.1Q Header
• VLAN identifier
• Maximum length frames grow to 1518 bytes
• Sniffer does not capture the last 4 bytes of the frame
– No CRC error is posted
The tag Protocol Type is used for FDDI, Token Ring and SNAP encoded fields. Ethernet sets this to 8100.

Slide Title: 802.1Q Header
Important Points to Cover:
New Slide. Hey – the Ethernet maximum frame size has been exceeded! If a max size Ethernet frame is encapsulated in a tagged frame, it is 1518 bytes. The Sniffer knows this is OK when it sees the 8100 Type field and it doesn’t post an oversize symptom or count it as bad. It does indicate only the first 1514 bytes were captured in the Detail window. That shouldn’t create problems for us, since it still has almost the entire frame, certainly enough to get through all the ULP layers to see if there are problems there.
BTW – a question has been raised about how the Sniffer handles the max size Ethernet frames captured by a pod. Remember it encapsulates them in Ethernet frames to send them to the PC. The pod transparently fragments these oversize frames and the PC reassembles them in the driver software before they are sent up the stack for analysis.
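The tag layout and the size rule from the two 802.1Q slides above, as an added Python example that is not part of the course material. The function and field names, the `fcs_captured` switch and the sample MAC addresses are assumptions made for illustration; `flag_bit` is the 1-bit field the slide labels "tunnel type".

```python
import struct
from dataclasses import dataclass
from typing import Optional

TPID_8021Q = 0x8100   # Tag Protocol Type value that marks an 802.1Q tag on Ethernet
TAG_LEN = 4           # 2 bytes Tag Protocol Type + 2 bytes Tag Control
MAX_NO_FCS = 1514     # largest untagged frame when the 4-byte CRC is not captured
FCS_LEN = 4


@dataclass
class EthFrame:
    dst: str
    src: str
    tagged: bool
    priority: Optional[int]   # 3-bit user priority, 0-7
    flag_bit: Optional[int]   # 1-bit field the slide calls "tunnel type"
    vlan_id: Optional[int]    # 12-bit VLAN ID
    type_or_length: int       # the frame's original MAC Type/Length field
    payload: bytes
    oversize: bool


def _mac(raw: bytes) -> str:
    return ":".join(f"{octet:02x}" for octet in raw)


def parse_frame(raw: bytes, fcs_captured: bool = False) -> EthFrame:
    """Decode the MAC header, stepping over an 802.1Q tag if one is present."""
    if len(raw) < 14:
        raise ValueError("shorter than an Ethernet MAC header")
    dst, src = raw[0:6], raw[6:12]
    (first_type,) = struct.unpack("!H", raw[12:14])
    tagged = first_type == TPID_8021Q
    priority = flag_bit = vlan_id = None
    offset = 12  # where the real Type/Length field sits in an untagged frame
    if tagged:
        if len(raw) < 18:
            raise ValueError("802.1Q tag present but frame is truncated")
        (tag_control,) = struct.unpack("!H", raw[14:16])
        priority = tag_control >> 13
        flag_bit = (tag_control >> 12) & 0x1
        vlan_id = tag_control & 0x0FFF
        offset += TAG_LEN  # the tag sits between source MAC and Type/Length
    (type_or_length,) = struct.unpack("!H", raw[offset:offset + 2])
    # A tagged frame may be 4 bytes longer than an untagged one.
    limit = MAX_NO_FCS + (TAG_LEN if tagged else 0) + (FCS_LEN if fcs_captured else 0)
    return EthFrame(_mac(dst), _mac(src), tagged, priority, flag_bit, vlan_id,
                    type_or_length, raw[offset + 2:], len(raw) > limit)


def build_frame(payload_len: int, vlan_id: Optional[int] = None,
                priority: int = 0) -> bytes:
    """Constructed sample frame (no FCS) with made-up MAC addresses."""
    dst = bytes.fromhex("020000000001")
    src = bytes.fromhex("020000000002")
    tag = b""
    if vlan_id is not None:
        tag = struct.pack("!HH", TPID_8021Q, (priority << 13) | vlan_id)
    return dst + src + tag + struct.pack("!H", 0x0800) + bytes(payload_len)


if __name__ == "__main__":
    for label, raw in [("tagged, 1518 bytes", build_frame(1500, vlan_id=100, priority=5)),
                       ("untagged, 1518 bytes", build_frame(1504))]:
        f = parse_frame(raw)
        print(label, "vlan:", f.vlan_id, "priority:", f.priority,
              "type/length:", hex(f.type_or_length), "oversize:", f.oversize)
```

The two sample frames are the same length on the wire; only the one that carries the 8100 tag stays within the limit, which is the behavior the instructor note describes for the Sniffer.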

Expert 802.1Q Information 5-37
• VLAN information is shown at the Global layer
• Symptoms and diagnoses break out stations in the VLAN
[Screen capture labels: 8021Q Protocol in use; VLAN numbers and switch MAC addresses; VLAN Info]

Slide Title: Expert 802.1Q Information
Important Points to Cover:
New Slide. This was a serendipity trace I found just before press time. You might want to demonstrate this on your Sniffer using the 8021q.cap trace file the students will use for their exercise. There is another 8021q-gig.cap trace that shows this information captured from a gigabit Sniffer. Point out the [A] and [B] in the status column and show the Statistics tab where 1000 is the line speed.
If time is running short, give them the details and skip the exercise. If you’re doing OK, cover it very briefly here and let them discover the details on their own in the exercise.

VLAN Frames 5-38
• Sniffer sees VLAN headers only between switches that support them
– Tap into the trunk link or mirror the trunk port to the Sniffer port with Switch control
[Diagram: HR VLAN, Exec VLAN and Finance VLAN spanning the 1st, 2nd and 3rd floors]
More details on the switch Expert are available in these Sniffer University classes:
TNV-101-GUI, Troubleshooting with the Sniffer Pro Analyzer
TNV-201-DSP, Implementing Distributed Sniffer System/RMON Pro
TNV-315-GUI, Interconnection Concepts and Troubleshooting

Slide Title: VLAN Frames
Important Points to Cover:
New Slide. This is just a visual reminder you will see these only if you tap into the trunk link either physically or by spanning the trunk port to the Sniffer. This is risky!

Optional Exercise: Switch Traffic 5-39
Turn to the lab section to complete this exercise

Slide Title: Optional Exercise: Switch Traffic
Important Points to Cover:
New Exercise. This is a great exercise to satisfy the students who came to see switch troubleshooting. The students will observe several types of traffic in a switched environment. They will look at typical switch-related protocols and the different VLAN tagging encapsulation methods. They won’t see the MIB data or be able to do a SPAN, but this will help. Try to allow time to do it so they feel good about at least seeing the Expert part of switch analysis and see the frame tagging.

Summary 5-40
In this section, you learned how to:
• Differentiate between bridging and switching on a conceptual level
• Attach Sniffer Pro to bridged and switched networks
• View VLAN identifying information in tagged frames
• Use Sniffer Pro to identify common problems associated with bridges and switches

Slide Title: Summary
Important Points to Cover:
Wrap up the section by reviewing the objectives and answering any questions the students may have. This is a good place for a break if you haven’t already done so.
Target Time: Day 2 early afternoon.

6-1
100 Mbps Fast Ethernet

Slide Title: 100Mbps Fast Ethernet
Section 6
Section Timing: Start: Day 2 Mid-afternoon Finish: Day 2 Approx. 3:00
Important Points to Cover:
Section 6 title slide only. The former three-part section covering all the fast technologies has been split into sections for each. By now, they have seen Fast Ethernet several times, so this section can be taught very quickly. Have the students do the exercises if possible. Please allow enough time to present it if the class is interested.
Files: 06_fe_g.PPT, 06_fe_g.DOC
Traces: 100MBFIL.CAP, BACKPRES.CAP, BACKPRES1.CAP, Big_bad_rich.caz
The first shows various different vendor implementations of back pressure. The second is a filtered trace and shows lots of hub jams and collisions.
Exercises:
Fast Ethernet Troubleshooting and Back Pressure
Fast Ethernet Problems
10/100 Hubs
References:
Fast Ethernet: Dawn of a New Network by Howard W. Johnson, Prentice Hall Publishing, 1996, ISBN 0-13-352643-7
Switched, Fast and Gigabit Ethernet 3rd Edition by Robert Breyer and Sean Riley, Macmillan Technical Publishing, 1999, ISBN 1-57870-073-6

Section Objectives 6-2
Upon completion of this section, you will be able to:
• Summarize the features of Fast Ethernet
• Summarize 100BASE-T4, 100BASE-TX, and 100BASE-FX implementations
• Recognize back pressure frames in a trace
• Attach Sniffer Pro to your Fast Ethernet networks
• Use the Sniffer Pro statistics and decodes to locate areas of concern

Slide Title: Section Objectives
Important Points to Cover:
Troubleshooting Fast Ethernet is basically the same as 10mb Ethernet.

Overview of Fast Ethernet 6-3
• 100Mbps version of the Ethernet standard
• Uses the same timing criteria as 10 Mbps Ethernet
• 100BASE-Tx supports Category 3, 4 and 5 twisted-pair wiring and fiber cabling
• Standard defined by IEEE 802.3u
• Many switches and hubs combine 10 Mbps and 100 Mbps ports to link legacy networks into high speed backbones
IEEE802.3u (100BASE-T) adopted in 1995 as a supplement to IEEE802.3
Several clauses are included in the specification. Earlier versions of 802.3 are defined in clauses 1-20. 802.3u is defined in clauses 21-30
Clause 21 100BASE-T Introduction
Clause 22 Medium Independent Interface
Clause 23 100BASE-T4 Transceiver
Clause 24 100BASE-X Transceiver
Clause 25 100BASE-TX PMD*
Clause 26 100BASE-FX PMD*
Clause 27 Repeaters
Clause 28 Autonegotiation
Clause 29 Topologies
Clause 30 Management

Slide Title: Overview of Fast Ethernet
Important Points to Cover:
The specification calls for a few changes from the previous spec, but mostly outlines the new features.

Where to Deploy Fast Ethernet 6-4
[Diagram labels: Remote LAN; Remote Router; WAN (T1, Fractional T1, X.25, Frame Relay); Campus; Workgroup LANs; 10/100 Mbps Hubs and Switches; 10/100 Mbps Workgroup Switches; Hubs/Switches; Routers; Firewall; Network Center; Faster Server Links; Server Cluster; Hub; Token Ring]
Due to the small collision domain and repeater limitations, most Fast Ethernet hub installations will be in workgroup areas. It is not useful in the backbones of large enterprise networks. Fast Ethernet switches or other technologies are needed to go the distances.

Slide Title: Where to Deploy Fast Ethernet
Important Points to Cover:
Key words: “In place of” does not mean pull out all of your FDDI and use Fast Ethernet instead. FDDI has been around a long time and is a proven technology, and Fast Ethernet is probably inferior. This is to say, “If you need to install a new high-speed backbone, consider Fast Ethernet.” Pulling out FDDI would be a real waste of money. Fast Ethernet is, however, cheaper to implement, and easier, since troubleshooting skills students already have transfer over to this technology.
Also mention the environments listed in the student notes section where Fast Ethernet could be implemented.

Similarities between 10BASE-T and 100BASE-T 6-5
• Both use CSMA/CD
• Frame formats and frame lengths are the same
• Both can run on Category 3, 4 and 5 UTP
• It must be four-pairs for 100BASE-T to run on 3 and 4
• Interconnections are made with hubs, switches, repeaters, etc.
Fortunately, 100BASE-T makes use of CSMA/CD and the same frame formats as 10Mbps Ethernet. Therefore, most of what has been covered in this course is applicable to 100BASE-T also.
Wiring specification
Page 131 of IEEE 802.3U, 1995 spec details the pinout for internal and external crossover cables.
pin 1 ----------| Dedicated Transmit pair +
    2 ----------| Dedicated Transmit pair -
    3 ----------| Dedicated Receive pair +
    4 ----------| Bi-directional pair 1 +
    5 ----------| Bi-directional pair 1 -
    6 ----------| Dedicated Receive pair -
    7 ----------| Bi-directional pair 2 +
    8 ----------| Bi-directional pair 2 -

Slide Title: Similarities Between 10BASE-T and 100BASE-T
Important Points to Cover:
Point out just how similar the two are. The differences do not affect us as the protocol analyst. Of course, as a network manager concerned with the installation and overall network design, the similarities and differences are critical.

100BASE-T Features 6-6
• 100BASE-T transmits ten times as much data in the same amount of time
• It has new PHY standards
• The network design is more compact
• The interframe gap is .96 microseconds instead of 9.6 microseconds
• It is still 96 bit times for 10/100/100, the times just get shorter as the speed increases
• Coding schemes 4B5B and 8B6T replace Manchester encoding
100BASE-T does have some important differences from 10BASE-T. Changes have been made to the PHYsical layer components. There are new rules defining the number of repeaters allowed. New sub-layers such as the Reconciliation sub-layer and an interface called the MII (Media Independent Interface) have been defined in the specification.

Slide Title: 100BASE-T Features
Important Points to Cover: This slide shows key differences. Point out the interframe gap is still 96 bit times; the bit times are just 10 times shorter!

Physical Layer Specifications 6-7

• 100BASE-TX: Fast Ethernet for Category 5 UTP
  – Most widely used physical layer specification for 100BASE-T today
• 100BASE-T4: Fast Ethernet for CAT3 UTP
  – Use when you have a large installed base of voice grade wiring
  – Requires four wires of the cable
  – Not implemented very often, so there is very little vendor support for it
• 100BASE-FX: Fast Ethernet for Fiber Optic Cabling
  – Used in sites that are considering fiber cabling or have it installed
  – Usually used between floors of a building

Slide Title: Physical Layer Specifications
Important Points to Cover: Use this page as a preview of what we will cover in more detail.

100BASE-TX for Category 5 UTP 6-8

• Transmission over two pairs of Category 5 UTP or IBM Type 1 STP wire
• RJ-45 connector is exactly the same as that used by 10-BASE-T where the RJ-45 links two pairs of wires
• The punchdown blocks in the wiring closet must be Category 5 certified
• Traditional DB-9 connector used for STP wiring
• 4B5B coding

Slide Title: 100BASE-TX for Category 5 UTP
Important Points to Cover: Slide information is adequate.

100BASE-T4 for Category 3 UTP 6-9

• Operates over four pairs of Category 3, 4, or 5 UTP wiring
• Three pairs are used for transmission and the fourth wire is used for collision detection
• Since it can run on Category 3, provides for easier migration to 100BASE-T without rewiring
• Three of the four pairs are used to transmit or receive, so full-duplex operation is not possible
• 8B6T coding

TIA/EIA Cabling standards

Category  Application Support          Bandwidth  Year Std
1         Voice only                   voice      1950s
2         Voice or low speed data      1          1960s
3         Voice, 10BASE-T              16 MHz     1991
4         16 Mbps Token Ring           20 MHz     1993
5         CDDI, 100BASE-TX, ATM 155    100 MHz    1994
5         1000BASE-T (higher specs)    100 MHz    1999
5E        1000BASE-T                   100 MHz    1998
6         TBD                          200 MHz    1999
7         TBD (Work in Process)        600 MHz    9/2000

Slide Title: 100BASE-T4 for Category 3 UTP
Important Points to Cover: Slide information is adequate.

100 Base T Ethernet Pinouts 6-10

RJ45 pin  EIA/TIA-T568A               AT&T 258A and EIA/TIA-568B
          Signal      Wire Color      Signal      Wire Color
1         Transmit 3  white/green     Transmit 2  white/orange
2         Receive 3   green/white     Receive 2   orange/white
3         Transmit 2  white/orange    Transmit 3  white/green
4         Receive 1   blue/white      Receive 1   blue/white
5         Transmit 1  white/blue      Transmit 1  white/blue
6         Receive 2   orange/white    Receive 3   green/white
7         Transmit 4  white/brown     Transmit 4  white/brown
8         Receive 4   brown/white     Receive 4   brown/white

It doesn’t matter which wiring spec you choose, you just need to ensure you follow through with the same pinouts for all the cables. Both T4 and 1000BASE-T require four pairs. Gigabit requires a higher quality connector.

Wiring specification: Page 131 of IEEE 802.3U - 1995 spec details the pinouts for internal and external crossover cables.

Slide Title: 100BASE-T Ethernet Pinouts
Important Points to Cover: New Slide. For student reference. 10BASE-T required only:

pin 1 Transmit 2 – white/orange
pin 2 Receive 2 – orange/white
pin 3 Transmit 3 – white/green
pin 6 Receive 3 – green/white

If they are upgrading NICs to 100 or 1000 Mbps, they will need to connect all eight of the pins to make the old cable work for the new speed!

100BASE-FX for Fiber Optic Cabling 6-11

• Operates over two strands of multimode or singlemode fiber cabling (just like FDDI)
• Fiber optic media transmits over greater distances than UTP, useful for connections between interconnect devices on a Fast Ethernet backbone
• Uses the MIC, ST or SC fiber connectors defined for FDDI and 10BASE-FX networks
• 4B5B coding

The Fiber MIC connector uses one keyed connector. It is quite large and is being replaced by the SC connector. The ST connector is the bayonet-style connectors that twist onto separate fiber cables. It is the most popular connector. The SC connector is smaller and uses a duplex connector. It is the connector of choice for future designs.

Slide Title: 100BASE-FX: Fast Ethernet for Fiber Optic Cabling
Important Points to Cover: Slide information is adequate.

4B5B Encoding Technique (100BASE-FX and 100BASE-TX) 6-12

• Upper layer protocols send data in 8 bit bytes
• The MAC driver splits the bytes into 4 bit nibbles
  – A look-up table is used to convert the 4-bit nibble to a 5-bit symbol or symbol code
• Clocking information is carried within the data stream
• 100BASE-FX uses a two-state NRZI signal
  – A change in signal level represents a binary code-one, no signal level change represents a binary code-zero

[Diagram: ULP (8 bit bytes) -> MAC (4 bit nibbles) -> PHY (5 bit symbols)]

The conversion from 4 bits to 5 bits does not involve any mathematical calculations - it is merely a table lookup. Fast Ethernet operates at 100 Mbps as data passes through the NIC. After the addition of the extra bit, it theoretically transmits at 125 MHz.

Q: How does 4B5B contribute to making Fast Ethernet fast?
A: By processing bits in parallel blocks as they pass through the MAC layer rather than serially as in Manchester encoding.

Slide Title: 4B5B Encoding Technique (100BASE-FX and 100BASE-TX)
Important Points to Cover: New diagram requested by Linda Richman. Thank you! Encoding is red bold to emphasize this is an encoding scheme to differentiate it from the purpose of the next slide. This is “nice to know” information but not needed to troubleshoot Fast Ethernet. Cover it quickly so you have time to present the stuff that will help them.

In 4B5B, every four bits will be sent out over five bit times. The codes do not directly map to the hex value of the byte, so don’t get hung up on the fact that a 1 maps to 01001 and F to 11101. The codes were defined to keep the number of sequential zeros less than 3 to maintain clock.

What makes 4B5B different from other encoding schemes is that the kind of transition is not always the same. The transition order (+1, 0, -1, 0, +1, 0…) tells us that if there is going to be a transition, this is where the signal goes. Look at the beginning of the bit cell to see if there’s a transition. If there is, you’ve got a one, otherwise it’s a zero.

4B5B Ternary Example 6-13

• 100BASE-TX uses MLT-3 ternary signaling
  – Any signal change in TX is represented by circulating among three progressive levels: (+1, 0, -1, 0, +1, 0...)
• Hex 1F to 4B5B: 1 maps to 01001, F maps to 11101
• A transition = binary 1, No transition = binary 0
• Transition order: +1 0 -1 0 +1 0 -1 0 endlessly

[Diagram: MLT-3 waveform for hex 1F (0 1 0 0 1 for 1, 1 1 1 0 1 for F) drawn between the levels +1, 0 and -1, with the callouts “No transition present, so this is a binary 0” and “Transition present, so this is a binary 1”]

Each 4 bit nibble is translated into a 5 bit symbol. The five bit symbol for 1 is 01001, the 5 bit symbol for F is 11101.

What happens if you connect a 10 Mbps hub to a 100 Mbps port? Autonegotiation signals will not be sent by the 10Mbps hub, so the 100 Mbps hub will adjust the port to 10 Mbps. The slow hub will send frames using Manchester encoding, the fast hub converts it to 4B5B encoding and uses MLT-3 ternary signaling to forward it out a fast port. It does the opposite conversion before forwarding any frames from the fast port to the slow port.

Slide Title: 4B5B Ternary Example
Important Points to Cover: This is electrical signaling – how we get the bits we just converted from 4 bit patterns into 5 bit symbols. Notice that after each group of four bits, there’s a transition. This transition does not provide data but is used for clocking.
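The two slides above, worked through in code as an added example that is not part of the course material: hex digits are looked up in the 4B5B table, the symbols are put on the wire as MLT-3 (100BASE-TX) or two-state NRZI (100BASE-FX) levels, and the receiver recovers the bits from the transitions. Only the 1 and F rows come from the slides; the other table rows, the resting level of 0 before the first bit, and encoding the digits in the order written are assumptions.

```python
# 4B5B data code groups. Only 1 -> 01001 and F -> 11101 appear on the slides;
# the other fourteen rows are the standard 100BASE-X table (assumed here).
FOUR_B_FIVE_B = {
    0x0: "11110", 0x1: "01001", 0x2: "10100", 0x3: "10101",
    0x4: "01010", 0x5: "01011", 0x6: "01110", 0x7: "01111",
    0x8: "10010", 0x9: "10011", 0xA: "10110", 0xB: "10111",
    0xC: "11010", 0xD: "11011", 0xE: "11100", 0xF: "11101",
}
FIVE_B_FOUR_B = {symbol: nibble for nibble, symbol in FOUR_B_FIVE_B.items()}

# Transition order from the slide: +1 0 -1 0, endlessly.
MLT3_CYCLE = (1, 0, -1, 0)


def encode_4b5b(hex_digits):
    """Look up each hex digit (one nibble), in the order written."""
    return "".join(FOUR_B_FIVE_B[int(digit, 16)] for digit in hex_digits)


def decode_4b5b(bits):
    """Reverse lookup; rejects anything that is not a data code group."""
    if len(bits) % 5:
        raise ValueError("bit stream is not a whole number of 5-bit symbols")
    digits = []
    for i in range(0, len(bits), 5):
        symbol = bits[i:i + 5]
        if symbol not in FIVE_B_FOUR_B:
            raise ValueError(f"{symbol} is not a data code group")
        digits.append(format(FIVE_B_FOUR_B[symbol], "X"))
    return "".join(digits)


def mlt3_levels(bits):
    """100BASE-TX: a 1 steps to the next level in the cycle, a 0 holds."""
    idx = len(MLT3_CYCLE) - 1  # assumed start: resting at 0, next step is +1
    levels = []
    for bit in bits:
        if bit == "1":
            idx = (idx + 1) % len(MLT3_CYCLE)
        levels.append(MLT3_CYCLE[idx])
    return levels


def nrzi_levels(bits, level=0):
    """100BASE-FX: a 1 toggles between the two states, a 0 holds."""
    levels = []
    for bit in bits:
        if bit == "1":
            level ^= 1
        levels.append(level)
    return levels


def bits_from_levels(levels, start=0):
    """Receiver side for both schemes: transition = 1, no transition = 0."""
    bits, previous = [], start
    for level in levels:
        bits.append("1" if level != previous else "0")
        previous = level
    return "".join(bits)


def longest_zero_run(bits):
    return max(len(run) for run in bits.split("1"))


def worst_zero_runs():
    """Longest run with no transition: inside one symbol, and across two."""
    symbols = list(FOUR_B_FIVE_B.values())
    inside = max(longest_zero_run(s) for s in symbols)
    across = max(longest_zero_run(a + b) for a in symbols for b in symbols)
    return inside, across


if __name__ == "__main__":
    stream = encode_4b5b("1F")
    print("4B5B :", stream)
    print("MLT-3:", mlt3_levels(stream))
    print("NRZI :", nrzi_levels(stream))
    print("back :", decode_4b5b(bits_from_levels(mlt3_levels(stream))))
    print("zero runs (inside symbol, across symbols):", worst_zero_runs())
```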

8B6T Encoding Technique (100BASE-T4) 6-14

• Based on a ternary symbol - meaning it may take on one of three values: 1, 0 or -1 also represented as +, 0 or -
• Each byte is mapped to a 6 bit-time ternary code symbol, called a 6T symbol
  – (i.e., to represent 1F, the 6T code group is 0 - + 0 + -)
  – A lookup table is used to convert the 8 bit byte into the 10 bit symbol
• Each 6T code symbol is fanned out onto the three pairs in round robin fashion
• Preamble is still 8 bytes in length
  – A special pattern is used to help the receiver locate the beginning of data on each pair
  – The receiver strips this pattern and returns an ordinary preamble to the MAC

Slide Title: 8B6T Encoding Technique (100BASE-T4)
Important Points to Cover: This is “nice to know” information but not needed to troubleshoot Fast Ethernet. Cover it quickly so you have time to present the stuff that will help them. The 802.3u spec defines a six part code for each byte.

8B6T Example 6-15

Taken from the 802.3u specification: 1F uses code word 0 - + 0 + -

Data octet  6T code group
00          +-00+-
01          0+-+-0
02          +-0+-0
:           :
1F          0-+0+-

[Diagram: signal levels for the code group 0 - + 0 + -: +3.5 Volts +/- 10%, 0 Volts +/- 50 mV, -3.5 Volts +/- 10%]

Slide Title: 8B6T Example
Important Points to Cover: Cover quickly.

Data Frame Transmission in 8B6T 6-16

[Diagram: BYTES, each passing through “Convert to 6T code group”, fanned out onto 3 (of the 4 pairs)]

Slide Title: Data Frame Transmission in 8B6T
Important Points to Cover: As we showed earlier, 100BASE-T4 operates over four pairs of UTP wiring. Three are used for transmission, the fourth does collision detection. Each byte goes to a different wire in a round robin fashion.

Maximum Collision Domain 6-17

• The physical size and number of repeaters is limited in order to meet the round-trip propagation delay requirements
  – 100 meters (328 feet) is the maximum for each UTP link
  – A maximum of two repeaters is allowed
  – Two “classes” of repeaters are used (depending on their latency characteristics): Class I and Class II
  – The maximum collision domain for Fast Ethernet over cat 5 UTP using one class I repeater is 200 meters (672.4 feet)
  – Two class II repeaters extend it to 205 meters
• Because of these constraints, switches are frequently used to extend the distances.

The 512 bit-time propagation limitation still applies. However, 512-bit times equals only 5.12 micro-seconds. Therefore, the performance of the repeater determines the number of repeaters allowed. To make things easier, certain classifications regarding the repeater’s characteristics have been defined.

Slide Title: Maximum Collision Domain
Important Points to Cover: Slide information is adequate.

Class I Repeaters 6-18

• Used to connect unlike physical signaling systems
• Only one Class I repeater can reside within a single collision domain when maximum cable lengths are used
• Standard Class I repeater has maximum round-trip delay of 140 bit times
  – Late collisions result if limits are exceeded

[Diagram: 100m UTP 100Base-TX, Class I repeater, 100m UTP 100Base-T4; 200m in total. Inside the repeater each port converts Analog to Digital onto the Backplane]

Class one repeaters convert each incoming analog signal to digital before the data is placed on the backbone and repeated out. The digital data then must be converted back to analog at each port before it is sent out. This allows translation between different encoding, but adds latency to the repeater. For this reason, only one level one repeater is allowed in the collision domain.

Slide Title: Class I Repeaters
Important Points to Cover: A little more clarification has been added to help differentiate between Class 1 and 2 repeaters. Because Class 1 repeaters can do translation between different cabling systems, it takes longer to repeat the signal. This limits you to just one repeater due to the longer propagation delay.

Class II Repeaters 6-19

• Provide ports for only one physical signaling system type
  – Timing constraints do not allow translation between 100BASE-TX and 100BASE-T4
• Have smaller internal delays so that two class II repeaters may reside within a given collision domain when maximum cable lengths are used
• Standard Class II repeater has 92 bits as its maximum round trip delay
  – 67 bits for Class II repeaters with any T4 ports

[Diagram: 100m UTP, Class II, 5m UTP, Class II, 100m UTP; 205m in total. Inside the repeater the Analog signal is repeated across the Backplane, with a single Digital stage]

Class II repeaters repeat the analog signal BEFORE it is converted to digital. The latency of these repeaters is less, but no conversion between encoding can be done.

Slide Title: Class II Repeaters
Important Points to Cover: Because Class II repeaters cannot translate, they can forward the information much more rapidly. That allows for two in a collision domain.

Stackable Hubs Provide More Ports 6-20

• Stackable hubs are multiport repeaters
• Their backbones are connected with external cables to repeat all the frames
• The stack acts like a single repeater

[Animation: Timing slowed for demonstration!]

Slide Title: Stackable Hubs Provide More Ports
Important Points to Cover: New Slide. Stackable hubs allow you to put a lot more devices in a collision domain than you could with single hubs. Essentially the backbone is extended through the external cables so the stack acts like a single repeater.

Fiber Repeaters 6-21

• Fiber cabling allows much larger collision domains

[Diagram: 105m Fiber, Class II, 18m Fiber, Class II, 105m Fiber; 228m in total]

• Fiber and UTP can be mixed
• Just be sure the end-to-end propagation delay does not exceed 512 bit times
  + Delay for each cable to the node (x2)
  + Delay for each repeater
  + Delay for cable between repeaters

Slide Title: Fiber Repeaters
Important Points to Cover: New Slide. Since fiber optic is becoming quite common now (especially on the backbone) this slide was added to show the optical repeater specifications. The calculations for maximum collision domains need to add the delay of each wire based on type and length plus the delay of the repeater(s), expressed in bit times. The Switched, Fast, and Gigabit Ethernet book mentioned on the front of this section has great information on how to calculate all the different combinations. If you carry a book with you, this is the one to carry.
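The bit-time budget behind the Maximum Collision Domain, Class I/II Repeaters and Fiber Repeaters slides, as an added example that is not part of the course material. The repeater delays (140, 92 and 67 bit times) and the 512 bit-time limit are from the slides; the cable delay per metre and the 100 bit times for the two end stations are assumed worst-case values from IEEE 802.3u Clause 29 and cover TX/FX paths only.

```python
# All delays are held in thousandths of a bit time so the sums stay exact.
SLOT_MBT = 512_000  # 512 bit times, the limit stated on the slides

# Round-trip repeater delays stated on the slides.
REPEATER_MBT = {"class1": 140_000, "class2": 92_000, "class2_t4": 67_000}

# Assumptions, not on the page: worst-case round-trip values as given in
# IEEE 802.3u Clause 29 for TX/FX paths.
CABLE_MBT_PER_M = {"cat5": 1_112, "fiber": 1_000}
DTE_PAIR_MBT = 100_000  # the two end stations together


def path_delay_mbt(segments, repeaters):
    """segments: [(medium, metres)], repeaters: [class names] on the path."""
    cable = sum(CABLE_MBT_PER_M[medium] * metres for medium, metres in segments)
    return DTE_PAIR_MBT + cable + sum(REPEATER_MBT[r] for r in repeaters)


def check_path(segments, repeaters):
    """Round-trip delay, remaining margin and pass/fail for one path."""
    total = path_delay_mbt(segments, repeaters)
    return {
        "bit_times": total / 1000,
        "margin": (SLOT_MBT - total) / 1000,
        "ok": total <= SLOT_MBT,  # must not exceed 512 bit times
    }


def max_inter_repeater_link(medium, node_links, repeaters):
    """Longest whole-metre link between repeaters that still fits the budget."""
    spare = SLOT_MBT - path_delay_mbt(node_links, repeaters)
    return max(spare // CABLE_MBT_PER_M[medium], 0)


def bit_times_to_us(bit_times, mbps):
    """Bit times to microseconds at a given line rate in Mbps."""
    return bit_times / mbps


# Topologies drawn on the slides, plus two that break the rules.
TOPOLOGIES = {
    "one Class I, 100 m + 100 m cat5":
        ([("cat5", 100), ("cat5", 100)], ["class1"]),
    "two Class II, 100 m + 5 m + 100 m cat5":
        ([("cat5", 100), ("cat5", 5), ("cat5", 100)], ["class2", "class2"]),
    "two Class II, 105 m + 18 m + 105 m fiber":
        ([("fiber", 105), ("fiber", 18), ("fiber", 105)], ["class2", "class2"]),
    "two Class I, 100 m + 5 m + 100 m cat5 (too slow)":
        ([("cat5", 100), ("cat5", 5), ("cat5", 100)], ["class1", "class1"]),
    "three Class II, 100 m + 5 m + 5 m + 100 m cat5 (too many)":
        ([("cat5", 100), ("cat5", 5), ("cat5", 5), ("cat5", 100)],
         ["class2", "class2", "class2"]),
}


def report():
    lines = []
    for name, (segments, repeaters) in TOPOLOGIES.items():
        result = check_path(segments, repeaters)
        verdict = "OK" if result["ok"] else "LATE COLLISIONS LIKELY"
        lines.append(f"{name}: {result['bit_times']:.2f} bit times, "
                     f"margin {result['margin']:.2f} -> {verdict}")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
    print("512 bit times at 100 Mbps =", bit_times_to_us(512, 100), "us")
```

The 5 m and 18 m inter-repeater links on the slides fall out of `max_inter_repeater_link` once the two node links are fixed at 100 m of cat 5 or 105 m of fiber.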

Auto-Negotiation 6-22

• “The algorithm that allows two devices at either end of a link segment to negotiate common data service functions”
• RJ-45 connector may have any one of five different Ethernet signals: 10BASE-T, 10BASE-T full-duplex, 100BASE-TX, 100BASE-TX full-duplex or 100BASE-T4
• Both 100BASE-T NICs and hubs send a modified 10BASE-T link integrity test pulse sequence (called Fast Link Pulses - FLP)
  – 10BaseT devices don’t understand the pulses and ignore them
  – 100BaseT devices adjust to 10 Mbps when they receive 10BASE-T link pulses
• Hub and NIC automatically adjust their speed to the highest common denominator both can accommodate

[Diagram: a station asking “10 or 100? Full or half?” of a hub or switch; AUTONEGOTIATE! OFF / ON]

Useful if you’re unsure what you’re plugging into AND when upgrading to 100BASE-T hubs or cards

10BASE-T link pulses are a single signal every 201 µs. Fast Ethernet link pulses are bursts containing information about the capabilities of the adapter. They are used for all the faster Ethernet interfaces. Priority bits in the pulses identify the type of the device connection capabilities and are assigned as below. The highest common connection type is used for the connection.

Priority  Connection type
1         1000BASE-T full-duplex
2         100BASE-T2 full-duplex
3         100BASE-T2
4         100BASE-TX full-duplex
5         100BASE-T4
6         100BASE-TX
7         10BASE-T full-duplex
8         10BASE-T

Autonegotiation is a common source of incompatibility problems when using a 10/100 card from one vendor and a hub from another vendor.

Slide Title: Auto-Negotiation
Important Points to Cover: Good coverage of this on pages 133 through 135 of the Seifert book.

Autonegotiation is used only on 100 Mbps twisted pair networks. The IEEE has not been able to overcome the negotiation problems in fiber optic networks, so the ends of the links must be manually configured.

Autonegotiation is done on power up. The negotiation is done for a specific link. Most hubs and switches can negotiate on each port, so you may have a combination of 10 and 100 MB stations on the ports. Generally there are devices on the network that are never powered down, so they control the parameters of a broadcast segment. Most hubs allow you to turn autonegotiation off to force the network to specific parameters.

The pulses sent to negotiate are ignored by any cards that do not support it. Cards are able to differentiate between the link pulses, autonegotiation and data signals on the wire. 16 bit “pages” are sent that carry information that identifies the parameters. There is a larger discussion of these in the gigabit section.

The Sniffer will not capture any of these signals, so we will not see them in traces. The Sniffer does not capture Fast Ethernet autonegotiation – the gigabit Sniffer Pro does.

Autonegotiation created a lot of problems in the early NICs. Not all vendors used the same algorithm and things worked OK until you introduced a new brand of NIC into the network. These early implementation problems are now corrected and most cards are compatible.

10/100 Hubs and Switches 6-23

• There are many varieties of 10/100 hubs
  – Hubs with separate linked backbones for each speed
    • Frames between different speed devices crosses over the link
  – 10 Mbps hubs with 100Mbps uplinks
    • 10 Mbps traffic is aggregated onto the high speed uplink
    • The frames are buffered until they can be forwarded
    • Be sure the uplink is switched to enable longer distances
• Each 100 Mbps device autonegotiates the speed of the port
  – Since 10BASE-T devices have no autonegotiate pulses, their port is set to 10Mbps

Slide Title: 10/100 Hubs and Switches
Important Points to Cover: New Slide. Slide information is adequate. This slide also answers the question of “what if I plug in the wrong Sniffer?” (We address it later, too.) The best advice is to leave the 10/100 Ethernet card in your Sniffer set to autonegotiate the speed. Attach it to the network, then power it up. It will learn automatically the correct speed and begin to watch the frames even before you start any monitor or capture processes. If you plug any 10/100 card into the wrong port, the worst that happens is the card (including the Sniffer) won’t see anything!

10/100 Flow Control 6-24

• Devices with a mixture of port speeds must provide buffers to hold the data between the high and low speed devices
  – Flow control must be used to signal devices to stop sending data when the buffer is full
  – Half-duplex uses back pressure signals

Slide Title: 10/100 Flow Control
Important Points to Cover: New Slide. There will be a delay between the 10 and 100 connections because of the bridging effect inside the hub or switch. This is a lead-in to the back pressure discussion and the exercise where we see two traces from a 10/100 autosensing hub.

Back Pressure 6-25

• Switches send “back pressure” frames as a “busy signal” to end stations to prevent them from sending frames when the switch’s internal buffers have reached their capacity
  – Switches that do not use back pressure or some other “flow control” mechanism will simply DROP FRAMES when their internal buffers cannot handle the traffic flow
• Frames are vendor-specific
  – IEEE specifies this as preamble bits not followed by a start of frame delimiter. Not all vendors follow the spec
  – Show up in the Sniffer hex window with 5555555555, AAAAAAAA, 34343434, 202020202, D0D0D0D0 patterns
  – To determine your back pressure patterns, disable back pressure and capture a trace
    • If fragments are there, it is jam
    • If they are gone, it is back pressure

Switches discard frames when their buffers are full. This causes retransmissions at the higher layers, which degrades performance. If the switch causes collisions when the buffer is full to keep from discarding frames, the backoff algorithm in the end station will keep incrementing the time the card waits to retransmit and will finally give up. Back pressure eliminates this problem. By keeping the line busy with bits, the cards can transmit as soon as they sense the line is free and the backoff algorithm will not be started.

(The suggestion in the last bullets are hers. frames may be dropped at the switch.CAP trace files. If you disable backpressure. With LLC this could be a matter of milliseconds. their only function is to trigger carrier detect on the cards on that segment.) 3 Com calls it Intelligent Flow Management (IMF) in its documentation. leave backpressure on. Backpressure is a good thing! It looks like collisions. Thanks. When the switch detects there’s 254k in the input buffer. this could be a matter of hundreds of milliseconds. Anyway. A few things to remember: Since these are not valid frames. Ethernet cards are designed to backoff and retransmit if they detect a collision while transmitting. it sends those signals to the network. too. it’s the physical layer that handles this. The same patterns can be used as jams. show the BACKPRES.CAP and BACKPRES1. It is copied verbatim from the IFAQ. etc.Section 6 TNV-202-GUI Ethernet Network Analysis and Troubleshooting Slide Title: Important Points to Cover: Back Pressure This slide discusses the features of back pressure and how to deal with and identify it in the network. If they will do the exercise.25 . This means no collision occurs and the upper layer has to time out to detect the lost packet. Here is the text of an email from a former instructor while she was working at 3 Com about the BACKPRES. If you don’t have time for the exercise in class. Michelle!!! Demo: Page 6 . With TCP. This takes microseconds. let them discover it. let’s use 256k for our example. Backpressure will prevent them from transmitting in the first place or may cause a few collisions here and there (the switches don’t carrier sense before they output backpressure). That’s an eternity. Bottom line. but keep this in mind. I differentiate by looking at the fragments in the trace. The filling of the input buffer could mean the outbound segment is busy and the switch is having difficulty sending frames out. There is no meaning to their content. 
especially on Fast Ethernet. Here’s how it works: There’s an input buffer (size varies by device).CAP trace.
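The procedure on the Back Pressure slide, as an added example that is not part of the course material: count the fragments filled with one of the listed hex-window patterns in a capture taken with back pressure enabled, then again with it disabled, and call a pattern jam if it survives and back pressure if it disappears. The frames are constructed sample data held as raw bytes; reading Sniffer .CAP files, the 90% fill threshold and treating each listed pattern as one repeated byte are assumptions.

```python
from collections import Counter

MIN_FRAME_LEN = 64  # anything shorter is a fragment

# Byte values behind the patterns listed on the slide
# (5555..., AAAA..., 3434..., 2020..., D0D0...).
FILL_BYTES = (0x55, 0xAA, 0x34, 0x20, 0xD0)


def fill_pattern(frame, purity=0.9):
    """Return the fill byte if the frame is a fragment dominated by one of
    the listed patterns, otherwise None."""
    if not frame or len(frame) >= MIN_FRAME_LEN:
        return None
    byte, count = Counter(frame).most_common(1)[0]
    if byte in FILL_BYTES and count / len(frame) >= purity:
        return byte
    return None


def pattern_counts(capture):
    """Count pattern-filled fragments per fill byte in one capture."""
    counts = Counter()
    for frame in capture:
        byte = fill_pattern(frame)
        if byte is not None:
            counts[byte] += 1
    return counts


def classify(enabled_capture, disabled_capture):
    """Apply the slide's test to every pattern seen with back pressure on."""
    before = pattern_counts(enabled_capture)
    after = pattern_counts(disabled_capture)
    result = {}
    for byte in sorted(before):
        still_there = after.get(byte, 0)
        result[f"{byte:02X}"] = {
            "enabled": before[byte],
            "disabled": still_there,
            # fragments still present -> jam; gone -> back pressure
            "verdict": "jam" if still_there else "back pressure",
        }
    return result


# --- constructed sample captures (not taken from the course trace files) ---
HEADER = bytes.fromhex("ffffffffffff" "00a0c9112233" "0806")
NORMAL_FRAME = HEADER + bytes(50)              # 64 bytes, not a fragment
COLLISION_FRAGMENT = HEADER + b"\x45\x00\x00"  # runt, but no fill pattern

CAPTURE_BP_ENABLED = [
    NORMAL_FRAME,
    b"\x55" * 20,
    b"\x55" * 30 + b"\x5d\x00",   # slightly damaged fill still counts
    COLLISION_FRAGMENT,
    b"\xd0" * 12,
    b"\x55" * 12,
    NORMAL_FRAME,
    b"\xd0" * 16,
]
CAPTURE_BP_DISABLED = [
    NORMAL_FRAME,
    b"\xd0" * 12,
    COLLISION_FRAGMENT,
    b"\xd0" * 14,
    NORMAL_FRAME,
]

if __name__ == "__main__":
    for pattern, row in classify(CAPTURE_BP_ENABLED, CAPTURE_BP_DISABLED).items():
        print(f"{pattern * 4}: {row['enabled']} fragments with back pressure on, "
              f"{row['disabled']} with it off -> {row['verdict']}")
```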

Troubleshooting Fast Ethernet 6-26

• Troubleshooting Fast Ethernet is pretty much like troubleshooting 10 Mbps Ethernet
• Look for bad ports on the switch or hub
  – Check the Dashboard Detail panel for error counts
  – Look for corruption in the frame’s hex window
• Check if the collision domain is too large
  – Collision domains are much smaller than 10BASE-T
  – Are there too many repeaters in series?
  – Is the fiber segment too large?
  – Look for propagation delay clues in the frames: collision evidence late in the frame

Slide Title: Troubleshooting Fast Ethernet
Important Points to Cover: The slide is self-explanatory. Refer them back to the hubports exercise we did. The same technique applies in Fast Ethernet.

Troubleshooting Fast Ethernet 6-27

• Autonegotiation vendor incompatibilities
  – Not all vendors implement
  – TX idles simulate jabber that keeps network busy
    • View the Dashboard Detail panel for jabber and oversize frames
    • Look for garbage in the frames
  – May autonegotiate to T4 assuming cable may not be category 5
    • Result is lower performance for the higher quality wiring
    • Turn off autonegotiate and enable TX with cat 5
    • Check your switch port information if this statistic is available

Slide Title: Troubleshooting Fast Ethernet
Important Points to Cover: The slide is adequate.

Troubleshooting Fast Ethernet 6-28

• Cabling problems
  – All RJ-45 jacks look alike. Cables coming into the wiring closet may come from a lower speed NIC and cause problems without autonegotiation
  – Updated NIC may connect to old wires and cause degradation in the signals
  – Look for evidence of physical corruption, CRC errors, jabber, etc., in the Dashboard Detail panel
  – Check for a link light
  – 100BASE-TX NICS plugged into 10BASE-T ports
    • Their idle signals can cause collisions on the 10BASE-T hub

Slide Title: Troubleshooting Fast Ethernet
Important Points to Cover: The slide is adequate.

Fast Ethernet Exercises 6-29

Turn to the lab section to complete the Fast Ethernet exercises
• Fast Ethernet Troubleshooting and Back Pressure
• Fast Ethernet Problems

Slide Title: Fast Ethernet Exercises
Important Points to Cover: Please do these two exercises. They teach valuable skills and give them another chance to work with Fast Ethernet and how it impacts the network.

Fast Ethernet Troubleshooting and Back Pressure
The first shows Fast Ethernet traffic. At the end are 2 trace files showing different types of backpressure. If you run out of time, you could use these trace files to demonstrate the patterns. The second exercise discusses some of the issues in the 10/100 autosensing hubs.

Look back to page 25 for the backpres.cap story. This is the story that came with the backpres2.cap file:

This trace came from a company that was having problems from a line running in the proximity of a generator in a warehouse using cat 5 cabling. The errors coming from the EMI was overflowing the buffer on the 10/100 switch so the switch was sending out the backpressure. To solve the situation the customer installed a fiber zip cord and it worked. This proves the point that the back pressure was not the problem but the EMI was. I hope this fills in the gaps for everyone.
Michael "Mickey" Giovingo

Summary 6-30

In this section, you learned how to:
• Summarize the features of Fast Ethernet
• Differentiate the 100BASE-T4, 100BASE-TX, and 100BASE-FX implementations
• Recognize back pressure frames in a trace
• Attach Sniffer Pro to your Fast Ethernet networks
• Use the Sniffer Pro statistics and decodes to locate areas of concern

Slide Title: Summary
Important Points to Cover: Review the section objectives and answer any remaining questions.
Target Time: Day two at afternoon break.

7-1 Full Duplex Ethernet © Network Associates Sniffer University Ethernet Network Analysis and Troubleshooting Full Duplex .

Section 7 TNV-202-GUI Ethernet Network Analysis and Troubleshooting

Slide Title: Full Duplex Ethernet
Section Timing: Start: Day 2 after break. Finish: Day 2 Approx. 3:00
Important Points to Cover: Section 7 title slide only.
Files: 07_fd_g.PPT, 07_fd_g.DOC
Traces: None available – sorry!

This section looks back to Fast Ethernet and forward to Gigabit Ethernet. Both use Full Duplex.

Please remember this instructor guide is a living document. It is not complete to start and is intended to grow with time. Add to your own copy as you gain experience. Please e-mail suggestions to the course Subject Matter Expert (SME) for future updates to the course material.

Section Objectives 7-2

Upon completion of this section, you will be able to:
• Summarize the features of Full Duplex Ethernet
• Differentiate Full Duplex Ethernet standards and cabling
• Recognize Pause frames in the trace and why they are sent
• Attach Sniffer Pro Full Duplex pod to your Full Duplex Ethernet networks
• Configure Sniffer Pro’s full duplex features
• Use the Sniffer Pro statistics and decodes to locate areas of concern
• Attach the Full Duplex pod to analyze full duplex connections

Slide Title: Section Objectives
Important Points to Cover: You will not have access to the FDX pod for this class. This section, Full Duplex, has no exercises accompanying them and consist of many slides depicting configuration. Since many students may have questions regarding how the Sniffer will handle Full Duplex and Gigabit, you have these sections as an overview. How you handle these sections will depend on your comfort level with the material.

References:
Fast Ethernet: dawn of a New Network by Howard W. Johnson, Prentice Hall Publishing, 1996, ISBN 0-13-352643-7
Gigabit Ethernet, Technology and Applications for High Speed LANs by Rich Seifert, Addison Wesley Publishing, 1998, ISBN 0-201-18553-9
Switched, Fast and Gigabit Ethernet 3rd Edition by Robert Breyer and Sean Riley, Macmillan Technical Publishing, 1999, ISBN 1-57870-073-6

7-3 Full Duplex Communication

[Diagram: Full-duplex Power Users, Full Duplex Switch with Full-duplex Uplinks, Full Duplex Server or Routers, Half-duplex Workstations]

• Simultaneous Transmit and Receive on separate cables
• Eliminates collisions
• Must be supported by both hub and end-node
• Can allow full distance limitation of media (2km for fiber optic cable)
• Defined in the 802.3x Specification
• Many half-duplex switches have full-duplex uplink ports

Full duplex cards are usually practical only for servers with high levels of traffic on both the receive and transmit lines. Adding a full duplex card to a workstation is only practical for one with a multitasking operating system running applications that require and can handle simultaneous read and write operations.

Slide Title: Full Duplex Communication

Important Points to Cover: Each station has two cables: one to transmit to the port, the other to receive. They can send and receive simultaneously. Each link must be a dedicated connection. If they were shared, you’d need the CSMA/CD and all the advantages go out the window. Because there are no collisions, the cables can be much longer.

Full duplex doubles the aggregate channel capacity, but does not double the maximum data transfer rate due to the nature of the traffic. Most connections send a lot of data in one direction and acknowledgements in the other direction. This imbalance will be most apparent in a client-server link between a single user and server. With a server or router connected to a backbone and many stations accessing them, the receive and transmit channels are more likely to have an equal amount of traffic.

Page 7 - 3

7-4 Where to Deploy Full Duplex Ethernet

[Diagram: Remote LAN with Remote Router; WAN (SONET, ATM or ISDN with H channels); Campus Network Center with Firewall, Routers and Full Duplex Connections; Workgroup LANs with 10/100 Mbps Hubs and Switches and Workgroup Hubs; Faster Server Links to a Server Cluster attached full duplex]

Traffic management for frames going to non-duplex stations is handled by the internal buffering on the switch.

Slide Title: Where to Deploy Full Duplex Ethernet

Important Points to Cover: In the backbone so edge devices can have full bandwidth in each direction. In powerful servers that service many clients. Anywhere there is a need for a huge fast pipe. Note that it can be used in 10, 100 or 1000 Mbps networks. This is a very simplified diagram. Most companies will have much larger configurations!

Page 7 - 4

7-5 Switched Full Duplex

• Only two devices on the segment - the node and switch port
• Simultaneous receive and transmit
• No need to wait for carrier, always available
  – Queue up the frames and send immediately
• No collisions
  – No backoff delays
  – No Carrier Sense, No Multiple Access, No Collision Detection

No CSMA/CD!

Slide Title: Switched Full Duplex

Important Points to Cover: Emphasize the first bullet. Idea from Seifert: Ethernet has always been defined as CSMA/CD. If it didn’t do it, it was Token Ring, Token Passing, FDDI... you get the idea. Now we have an environment that doesn’t do CS, isn’t MA and doesn’t need to do CD, but we still call it Ethernet!

Page 7 - 5

7-6 Full Duplex Transmit

• Receive frame from the upper layer
• Transmit out the transmit port
• Wait interframe gap
• Transmit the next frame

[Diagram: a stream of frames on the wire, each separated by an IFG]

Slide Title: Full Duplex Transmit

Important Points to Cover: This slide is animated. If you have a frame to send, by golly, just put it on the wire! If you have a bunch of frames to send, just keep pumping them out, but be sure to put the interframe gap for the technology between them so the receiver can catch its breath, send the frame up the stack and get ready to synch up for the next one.

Page 7 - 6

7-7 Full Duplex Receive

[Flowchart: Wait for the preamble (10101010...); SFD?; Assemble Frame; My Address?; >512 Bits?; CRC Valid?; all Yes leads to "Good Frame! Pass to higher layer protocol"; a No leads to "Discard Frame"]

Slide Title: Full Duplex Receive

Important Points to Cover: This is a modified version of the 10 Mb flow chart. A couple of things have been added here that were assumed in the 10 Mb chart: SFD recognition, address recognition, frame assembly. The other one had so many things going on, that we just didn’t have room for them there!

Question: Does the receiver need the gap to tell when the frame has ended? Nope. It has the length field to tell it how long the frame is.

Page 7 - 7

7-8 Full Duplex Flow Control

• Switches discard frames when their buffers overflow
• Full duplex transmission bursts can fill buffers, especially if different speed devices are conversing
• MAC Control Frames were developed to allow the switch to tell the nodes to throttle back
  – PAUSE is the only MAC Control frame defined today
• MAC Control frames are part of the Data Link Layer
  – Sent to a well-known address
  – Bridges and switches do not forward
  – The switch sends the PAUSE to the device on the TX wire
  – The NIC stops sending for the time specified in the PAUSE frame
  – The switch can send multiple PAUSE frames until the buffers reach the lower threshold

Slide Title: Full Duplex Flow Control

Important Points to Cover: MAC frames in Ethernet????? And they still call it Ethernet??? These frames replace backpressure. The PAUSE is the only MAC frame defined yet. It is anticipated more will be added as needed.

Page 7 - 8

7-9 MAC Control Frame

Bytes   Field                                       Contents
8       Preamble and SFD
6       Destination Address                         0180C2000001
6       Source Address                              Sending Station’s Address
2       Type = 8808                                 MAC Control Frame Type
2       MAC Control Opcode                          PAUSE = 0001
44      MAC Control Parameters, Pad to 44 bytes     Pause time in 512 bit-time increments
4       CRC

The destination address is a multicast address that has previously been reserved. All MAC Control frames will be type 8808. The opcode specifies the type of control frame. PAUSE frames are opcode 0001 and are the only MAC Control frames currently defined. They are sent by either side when their buffer is full and are used to notify the receiving side to wait a certain period of time before sending more frames. Only stations that support the PAUSE function will accept the frame.

A time is included in the MAC Control Parameter field that indicates the amount of time the receiver must wait. It is measured in 512-bit times so it is specific to each data rate. 10 Mbps will be 51.2 µsecond increments, 100 Mbps is 5.12 µseconds, 1000 Mbps is 512 nanosecond increments. The station can modify the wait time by sending a new PAUSE frame with the timer set either shorter or longer to reflect current buffer conditions. It can be used for 10, 100 and 1000 Mbps Ethernet.

Slide Title: MAC Control Frame

Important Points to Cover: The 8808 type field identifies this as a MAC Control frame. The opcode indicates which type of MAC frame. Right now the only one is 0001 for the PAUSE. The time is always listed in 512 bit-time intervals. Conceivably they can be used for all speeds. Space is reserved for more parameters. Later on there may be control frames that need more fields - the spec was written with that in mind.

Question: Does the full duplex Sniffer capture these control frames?

Page 7 - 9
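The MAC Control frame layout and the 512 bit-time pause unit described above, worked through as an added example that is not part of the course material: it recognizes PAUSE frames in a list of captured frames and reports, per sender, how much pause time was requested at a given line speed. The MAC addresses and the sample trace are constructed, and the 2-byte width of the pause time comes from IEEE 802.3x rather than from the slide.

```python
import struct
from collections import defaultdict

PAUSE_DST = bytes.fromhex("0180C2000001")  # reserved multicast destination (from the slide)
MAC_CONTROL_TYPE = 0x8808                  # Type field of every MAC Control frame
PAUSE_OPCODE = 0x0001                      # the only opcode defined so far
QUANTUM_BITS = 512                         # pause time is counted in 512 bit-times


def build_pause(src_mac: bytes, quanta: int) -> bytes:
    """Constructed sample frame as an analyzer stores it: no preamble, no CRC."""
    if len(src_mac) != 6 or not 0 <= quanta <= 0xFFFF:
        raise ValueError("need a 6-byte source MAC and a 16-bit pause time")
    header = PAUSE_DST + src_mac + struct.pack("!HH", MAC_CONTROL_TYPE, PAUSE_OPCODE)
    # Assumption from IEEE 802.3x (not on the slide): the pause time is the first
    # two bytes of the parameter field; the rest of the 44 bytes is zero padding.
    return header + struct.pack("!H", quanta).ljust(44, b"\x00")


def parse_mac_control(frame: bytes):
    """Return a dict for a MAC Control frame, or None for any other frame."""
    if len(frame) < 16:
        return None
    etype, opcode = struct.unpack("!HH", frame[12:16])
    if etype != MAC_CONTROL_TYPE:
        return None
    quanta = None
    if opcode == PAUSE_OPCODE and len(frame) >= 18:
        (quanta,) = struct.unpack("!H", frame[16:18])
    return {
        "src": frame[6:12].hex(":"),
        "well_known_dst": frame[0:6] == PAUSE_DST,
        "opcode": opcode,
        "quanta": quanta,  # None when the opcode is not PAUSE or the frame is cut short
    }


def pause_ns(quanta: int, mbps: int) -> int:
    """Requested pause in nanoseconds; one bit-time lasts 1000/mbps ns."""
    return quanta * QUANTUM_BITS * 1000 // mbps


def summarize(frames, mbps: int) -> dict:
    """Per-sender PAUSE count, total requested pause time and oddities.

    The total is an upper bound: a new PAUSE frame resets the timer, it does
    not add to it.
    """
    report = defaultdict(lambda: {"pause_frames": 0, "requested_ns": 0, "notes": []})
    for number, frame in enumerate(frames, start=1):
        info = parse_mac_control(frame)
        if info is None:
            continue  # ordinary data frame
        entry = report[info["src"]]
        if info["quanta"] is None:
            entry["notes"].append(
                f"frame {number}: opcode {info['opcode']:04x} is not PAUSE or frame is truncated")
            continue
        if not info["well_known_dst"]:
            entry["notes"].append(f"frame {number}: PAUSE not sent to 0180C2000001")
        entry["pause_frames"] += 1
        entry["requested_ns"] += pause_ns(info["quanta"], mbps)
    return dict(report)


# Constructed sample data: locally administered addresses, not from any real trace.
SWITCH = bytes.fromhex("020000000001")
SERVER = bytes.fromhex("020000000002")
SAMPLE_TRACE = [
    SERVER + SWITCH + bytes.fromhex("0800") + bytes(46),   # ordinary IP frame
    build_pause(SWITCH, 0xFFFF),                           # switch asks for the maximum pause
    build_pause(SWITCH, 0x0100),                           # switch shortens the timer
    build_pause(SERVER, 0),                                # pause time of zero
    PAUSE_DST + SERVER + struct.pack("!HH", MAC_CONTROL_TYPE, 0x0002) + bytes(44),
]

if __name__ == "__main__":
    for src, entry in summarize(SAMPLE_TRACE, mbps=100).items():
        print(src, entry["pause_frames"], "PAUSE frames,",
              entry["requested_ns"] / 1000, "µs requested", entry["notes"])
```

A sender that shows up here with many PAUSE frames or large pause times is the end of the link whose buffers keep filling.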

7-10 400+ Mbps Full Duplex

• 802.3ad specifies link aggregation
• Port aggregation allows up to four full-duplex Fast Ethernet ports to be aggregated into what appears as a single high speed link
• Each channel runs 100 Mbps in each direction
• Can be used only in point-to-point configurations
• Some links can be configured as standby links
  – Failure of a primary link automatically switches the traffic to the backup link
• Device drivers and software configure full-duplex adapters
• NAI’s DSPro has a card that can sniff these links

NAI sells a four port Ethernet adapter and tap card for DSPro Agents which allows you to designate all four ports as an EtherChannel. The TNV-201-DSP course has more information on this card.

Slide Title: 400+ Mbps Full Duplex

Important Points to Cover: New Slide. This slide is here to answer questions from students about whether the Sniffer can capture on these high-speed links. It is only for the DS Pro and we cover this card and all the other non-portable solutions in the TNV-201-DSP class. DO NOT try to give them details here.

Page 7 - 10

7-11 Full Duplex Sniffer Pro

Slide Title: Full Duplex Sniffer Pro

Important Points to Cover: Title page to lead into covering the Sniffer.

Page 7 - 11

7-12 Create an Agent for the Pod

• File > Select Settings
  1 Choose the Ethernet card
  2 Choose the FDX pod
  3 IP address should fill in one higher than your card’s address

Pod initializes when you click OK.

When configuring the new agent, you must select the Ethernet network card before you check the Full Duplex pod radio button. This will enable the IP address box. Set the pod’s IP address one higher than the address of the Ethernet card in your computer if the address is not automatically sensed. The Host adapter must be configured with a fixed IP address. DHCP for the host is not supported.

Slide Title: Create an Agent for the Pod

Important Points to Cover: Remind them the system requirement and pod information was covered in section two so we haven’t repeated it here. Use the familiar File > Select Settings to create the new agent. First select the Ethernet adapter in the PC. When you select the Full Duplex pod in the Netpod type field, the IP address becomes active.

Important: the IP address for the pod must be one host number higher than the address of the Ethernet card. They can use Ipconfig.exe or open the Windows network window to get the address if they don’t know it.

When you click OK on this screen and select it from the Select Settings window, you’ll see some progress report messages as the code is downloaded to the pod. If all goes well, you should see the Sniffer window open and the agent name and pod speed shows up in the title bar.

Page 7 - 12

7-13 Set Line Speed

• Before you start a capture, check the line speed settings in Tools > Options > Full Duplex Pod

Slide Title: Set Line Speed

Important Points to Cover: The first thing you need to do is set the line speed of the link. Use Tools > Options > Full Duplex pod tab window to do that. All of the choices are shown in the drop-down list.

Page 7 - 13

7-14 Two Memory Pools

• Pod Memory
  – The physical memory installed in the box
  – Up to 512 MB
  – Frames from the network are copied here
• Sniffer PC Memory
  – Set through the Buffer tab on Capture Filters
  – Frames from the pod are copied here

Slide Title: Two Memory Pools

Important Points to Cover: This is preparation for the next slide that shows the options you have in capturing this traffic. Explain it quickly and move on.

Page 7 - 14

7-15 Two Transfer Modes

• Set by clicking the icons on the toolbar or the Capture Menu
• Stream Mode
  – The pod streams the data to the analyzer application as it is captured off the network
  – Counts appear in the Sniffer window
• High Speed Capture Mode
  – The data is held in the pod buffer until the capture is stopped
  – Use this mode when you are capturing from a very busy network
  – You can set the options to stop the capture when the buffer is full
• The frames are transferred to the PC for analysis

Slide Title: Two Transfer Modes

Important Points to Cover: Stream Mode – the pod sends the frames to the Sniffer PC as they arrive on the network. The software decodes the frames and shows statistics, but does not do real-time Expert analysis. The pod may miss capturing some frames as the frames are transferred to the PC on very busy networks.

High Speed Capture Mode is used on very busy networks. This allows you to focus on capturing the frames without the holes introduced in Stream Mode. You must stop the capture and upload the frames to the PC before you get Expert analysis. You’ll want to watch the buffer dial to make sure you stop the capture before the pod buffer recycles and writes over the first frames. You can also configure the Sniffer to stop when the pod buffer is full and upload the frames to the PC. How? Read on...

Page 7 - 15

7-16 Pod Buffer Action Configuration

Capture > Define Filter > Full Duplex Pod

Slide Title: Pod Buffer Action Configuration

Important Points to Cover: This configuration sets the actions on the pod buffer.

Page 7 - 16

7-17 Sniffer Buffer Action Configuration

• Capture > Define Filter > Buffer
• Set the Sniffer Buffer actions here
  – Same options as other Sniffers

Slide Title: Sniffer Buffer Action Configuration

Important Points to Cover: This panel controls the PC buffer actions. There are no unique Full Duplex settings here.

Page 7 - 17

7-18 Capture Panel Display Window

[Screenshot: View Both, with the Sniffer Statistics panel above the Pod Statistics panel]

Shown when you start a capture from the capture menu or icon.

The Decode window Summary panel shows the channel number as [A] and [B] in the Status column.

Slide Title: Capture Panel Display Window

Important Points to Cover: This is the display when you have enabled the View Both option. PC statistics at the top. Pod statistics at the bottom. The pod counts show numbers for each channel and total counts. The graphs on the lower panel are color-coded for each channel.

Page 7 - 18

7-19 Special Icons on the Toolbar

• View Full Duplex Pod Only
  – Provides statistics for the capture session on the pod itself
• View Sniffer Only
  – Standard capture panel display and more
  – Provides run-time statistics for the capture session on the PC
• View Both
  – Split screen to show statistics for both

Slide Title: Special Icons on the Toolbar

Important Points to Cover: These icons control which panels are open on the Sniffer capture screen. You can select just the Sniffer PC counts, just the pod counts or both.

Page 7 - 19

7-20 Pod Gauges

• Frames Received per second on each channel
• Percentage of free memory on each channel
• Number of errors per second received on each channel

Slide Title: Pod Gauges

Important Points to Cover: Slide is self-explanatory.

Page 7 - 20

7-21 Setting Pod Properties

• Click the Properties icon in the Full Duplex pod window or click the right mouse button over the capture window and select the Properties option
• Identify shows:
  – Pod version
  – Pod IP Address
  – Pod Ethernet Mac Address
  – Connection mode
  – Line Speeds
  – Total Memory

Pod Version number specifies the version of the software on the pod
IP Address shows the IP address assigned to the pod
MAC Address shows the hardware address of the Ethernet adapter in the pod
Connection shows whether the pod is set to passthrough or terminate mode
Channel A Line Speed shows the line speed of the network segments attached to Channel A
Channel B Line Speed shows the line speed of the network segments attached to Channel B
Total Memory shows the amount of memory installed on the pod (in DIMMs)

Slide Title: Setting Pod Properties

Important Points to Cover: Slide is self-explanatory.

Page 7 - 21

7-22 Address Filters

• If Mode is set to Include and you set address filters with less than or equal to 16 sources and 16 destinations, the filter is applied as a hardware filter
• If Mode is set to Exclude or if you have more than 16 sources or 16 destinations, the filter is applied as a software filter

[Table: Type of address filter (Hardware filters, Software filters) against # Sources and # Destinations]

“Any” does not count as a source or destination.

Hardware filters are applied at the pod as the frames are captured from the network. The frames excluded by hardware filters are not saved in the pod buffer. Software filters are applied by the Sniffer application to the frames uploaded from the pod buffer to the Sniffer buffer.

Slide Title: Address Filters

Important Points to Cover: Slide is self-explanatory.

Page 7 - 22

7-23 Filters in High Speed Captures

• When capturing in high speed at full line rate, address filters are particularly helpful
• When the mode is set to High Speed, the frames are stored in the pod buffer until the capture is stopped
• Limiting the frames that are accepted ensures you will have the frames needed to isolate the problem
• When hardware filters are in effect, the pod will automatically filter out all frames shorter than 55 bytes, CRC included

Slide Title: Filters in High Speed Captures

Important Points to Cover: Slide is self-explanatory. Set capture filters to save room for what you need to see!

Page 7 - 23

7-24 Error Frames with the Full Duplex Pod

Frame Size      <51+4     >50+4 & <60+4   60+4 to 1514+4   >1514+4 & <4082+4   >4082+4
Valid CRC       Illegal   Runt            Normal           Oversized           Illegal
Invalid CRC     Illegal   Fragment        CRC              Jabber              Illegal

(frame sizes in bytes + CRC)

For more details, see Appendix A in the Full Duplex Product Manual on your student CD.

Slide Title: Error Frames with the Full Duplex Pod

Important Points to Cover: Slide is self-explanatory. If you want more details, look at Appendix 2 in the Full Duplex pod use documentation on the student CD.

Page 7 - 24

7-25 2 LAN Sniffer Pros in Full Duplex

• Interim solution when you don’t have an FDX pod

[Diagram: a Fast Ethernet 100 Mbps splitter sits between the Fast Ethernet Switch and the Server, with a Fast Ethernet Sniffer Pro Analyzer on each splitter port.
Sniffer Port 1 receives data from Server Receive/Switch Transmit.
Sniffer Port 2 receives data from Server Transmit/Switch Receive.]

Slide Title: Using 2 LAN Sniffer Pros in Full Duplex

Important Points to Cover: This is the same diagram we had before. It is possible to use two regular Fast Ethernet Sniffers attached to a splitter to capture each channel separately. Remind them to time synchronize them as close as they can before they start to capture and start the capture as simultaneously as they can. Once they have the trace files saved, both can be opened in Sniffer Pro and their windows set side by side to compare them directly as we did in the hubports exercise. They will need to match request and reply sequences in the frames to line up the frames for comparison.

Page 7 - 25

7-26 Summary

In this section, you learned how to:
• Differentiate Full Duplex Ethernet standards and cabling
• Recognize Pause frames in the trace and why they are sent
• Attach Sniffer Pro Full Duplex pod to your Full Duplex Ethernet networks
• Configure Sniffer Pro’s full duplex features
• Use the Sniffer Pro statistics and decodes to locate areas of concern
• Attach the Full Duplex pod to analyze full duplex connections

Slide Title: Summary

Important Points to Cover: Review the section objectives and answer any remaining questions.

Target Time: Day 2 at 3:30

Page 7 - 26

8-1 Gigabit Ethernet

Section 8 TNV-202-GUI Ethernet Network Analysis and Troubleshooting

Slide Title: Gigabit Ethernet

Section Timing: Start: Day 2 late-afternoon. Finish: Day 2 Approx. 5:00

Files: 08_gig_g.PPT, 08_gig_g.DOC
Traces: GB.cap, GBautonegotiation.cap, 8021q-gig.cap
Exercise: Gigabit Traffic

Important Points to Cover: Section 8 title slide only. This section was updated to reflect the new technologies customers are beginning to employ in their networks. There should be a gigabit dummy driver defined on the class Sniffers. This will enable you to create a new agent and show the features of the Sniffer. There is a warning that Monitor mode is disabled. Just click OK to move beyond it.

Please remember this instructor guide is a living document. It is not complete to start and is intended to grow with time. Add to your own copy as you gain experience. Please e-mail suggestions to the course Subject Matter Expert (SME) for future updates to the course material.

Page 8 - 1

8-2 Section Objectives

Upon completion of this section, you will be able to:
• Summarize the features of Gigabit Ethernet
• Differentiate Gigabit Ethernet standards and cabling
• Summarize 1000Base-SX, 1000Base-LX, 1000Base-CX and 1000BaseT implementations
• Attach Sniffer Pro to your Gigabit Ethernet networks
• Configure Sniffer Pro’s gigabit-specific features
• View the autonegotiation process in the Sniffer and determine if there is a problem
• Use the Sniffer Pro statistics and decodes to locate areas of concern

Slide Title: Section Objectives

Important Points to Cover: Cover the objectives quickly. We do have dummy drivers so you can show the Gigabit screens. Practice with them so you can present the information in this section.

References:
Gigabit Ethernet, Technology and Applications for High Speed LANs by Rich Seifert, Addison Wesley Publishing, 1998, ISBN 0-201-18553-9
Switched, Fast and Gigabit Ethernet 3rd Edition by Robert Breyer and Sean Riley, Macmillan Technical Publishing, 1999, ISBN 1-57870-073-6

Page 8 - 2

8-3 Gigabit Overview

• 1000 Mbps Ethernet is able to transmit a frame at ten times the data rate of 100 Mbps Ethernet
• It allows you to use familiar Ethernet technology while providing much higher bandwidth
• The standard using optical cabling is defined in 802.3z addendum
• 802.3ab addendum defines the Physical Layer parameters for 4-pair over Cat 5 balanced copper cabling
• Switches with 10/100 and Gigabit port link legacy networks into high speed Gigabit backbones
  – Frequently used in server clusters, links between switches and servers
  – Some implementations even allow you to aggregate 1000BASE-X or 1000BASE-T segments into 10 Gigabit links
• Check the Gigabit Ethernet Alliance www.gigabitethernet.org

[Diagram: four wire pairs, each with a transmitter (T) and receiver (R) at both ends]

The aggregate data rate of 100 Mbps is achieved by transmission at a data rate of 250 Mbps over each UTP wire pair. Baseband signaling with a modulation rate of 125 Mbaud is used on each of the wire pairs. The period for each symbol is 8 ns. Full duplex transmission allows symbols to be transmitted and received on the same wire pairs at the same time.

Slide Title: Gigabit Overview

Important Points to Cover: You may want to poll the class to see what their plans are for gigabit vs. ATM. Review the bullets quickly.

Page 8 - 3

8-4 Deploying Gigabit Ethernet

[Diagram: Remote LAN with Remote Router; WAN (SONET, ATM or ISDN with H channels); Campus Network Center with Firewall, Routers and Gigabit Backbone Connections; Workgroup LANs with 10/100 Mbps Hubs and Switches with Gigabit Uplinks and Workgroup Hubs; Server Cluster with Gigabit connections]

Due to the cost of Gigabit switches, only high throughput links will initially use or need Gigabit Ethernet.

Slide Title: Deploying Gigabit Ethernet

Important Points to Cover: One last slide like this. Early implementations will concentrate these very expensive high speed connections where the highest levels of traffic exist. Fast Ethernet switches for the LANs will have gigabit uplinks to multiplex the traffic onto the high speed backbone. Later slides address the move to gigabit to the desktop.

Page 8 - 4

8-5 IEEE Gigabit Data Link Layer

[Diagram: three protocol stacks.
IEEE 802.3 Ethernet: Network Layer, IEEE 802.3 LLC, IEEE 802.3 CSMA/CD, IEEE 802.3 Physical Layer.
ANSI X3T11 Fibre Channel: FC-4 Upper Layer Mapping, FC-3 Common Services, FC-2 Signaling, FC-1 Encode/Decode, FC-0 Interface and Media.
IEEE Networks (1000Base-3z): IEEE 802.3 LLC, CSMA/CD or Full Duplex MAC (Data Link Layer), 8B/10B Encode/Decode, Serializer/Deserializer, Connector.]

• Uses the Physical Layer of the Fiber Channel
• Uses the MAC and LLC layers of the 802.3 specification
• Increases data rate to 1.25 Gbps

The Gigabit Ethernet standard draws from two separate specifications. The Data link layers are derived from the IEEE 802.3 Ethernet specification that specifies CSMA/CD for half duplex or full duplex rules for media access control. The LLC layer is moved intact from the IEEE specification. The Physical layers are derived from the ANSI X3T11 Fibre Channel specification.

Slide Title: IEEE Gigabit Link Layer

Important Points to Cover: Don’t spend much time on it here, since it is mainly FYI stuff.

Page 8 - 5

8-6 Physical Limitations of Shared Gigabit

• Using the standard Ethernet specifications for copper wire, the half-duplex network diameter would be reduced to 20 meters - not very practical!
• Carrier extension is used to extend the frame so the diameter can be extended to 200 meters using fiber or copper media
  – Different cables yield higher diameters
  – This compares to the 200 meter limit for 100Mbps Ethernet over copper
  – Only one repeater (hub) can exist between any two devices on the network

The large number of cable choices allows for a maximum network diameter to range from 200 meters with category 5 UTP to 550 meters using 1300 nm single mode 500 MHz/km fiber at attenuation 2.32 all the way to 5000 meters using 1300 nm single mode 10/125 µm fiber cables at attenuation 4.5.

Slide Title: Physical Limitations of Shared Gigabit

Important Points to Cover: A VERY small collision domain IF you use it in a half-duplex configuration. Emphasize again we are still building on the old 10Base5 specs if we are going to share the media.

Page 8 - 6

8-7 Gigabit Carrier Extend

• Carrier Extend is used in Half Duplex gigabit Ethernet to extend frames less than 512 bytes to the slot time minimum (4096 bit-times)
  – Fills the Inter Frame Gap (IFG) in burst mode
  – This allows collisions to be sensed on shared media while both sides transmit, but contributes a lot of overhead to each small frame!
  – The standards committee wanted to provide backward compatibility even though this is impractical
  – It also appears at the end of some full-duplex frames

[Diagram: frame fields P, DA, SA, L/T, DS, SS, Ctr, Data, F followed by Carrier Extend (448-1 bytes); 64 + 448 = 512 byte minimum]

P      Preamble
DA     Destination Address
SA     Source Address
L/T    Length/Type
DS     Destination SAP
SS     Source SAP
Ctr    LLC Control (a SNAP header not shown here may follow this field)
Data   Frame data
F      Frame Check Sequence (CRC)

Most Gigabit implementations will use Full Duplex mode to enable long cable lengths. Carrier Extend allows the network diameter to remain at the 200 meter limit used by Fast Ethernet over twisted pair media. It imposes a great deal of overhead for a network where smaller frames predominate. If a device only has 64 bytes of data to send (a minimum-length Ethernet frame), it still must send 512 bytes, most of which is only a carrier signal. This is also inefficient.

Slide Title: Gigabit Carrier Extend

Important Points to Cover: This is a multi-faceted tool.
• Extend small frames to the 512 byte minimum in half-duplex so all stations will hear the transmission and wait to transmit.
• Fill the interframe gap in burst mode (covered on the next slide).
• One or more inserted between each frame in full-duplex mode.

The Carrier Extend length is purposely written as 448 – 1 bytes, since it is dependent on how long the frame is.

Page 8 - 7

8-8 Carrier Extend in the Sniffer

• Turn on 10 Bit decodes from the Hex right-click menu
  – This frame was captured from a full duplex network
• Note the [A] channel indicators
• Even the 1472 byte frame 23 has one Carrier_Extend field

Slide Title: Carrier Extend in the Sniffer

Important Points to Cover: This shows how to enable the Sniffer to display the 10 bit codes. This may help in resolving vendor interoperability problems.

Page 8 - 8

Frame Bursting Part One
8-9
• Frame bursting is used to overcome the overhead of carrier extend
• The first frame is transmitted using the normal procedures for half-duplex Gigabit Ethernet
• A frame burst timer is started to allow transmissions of up to 64 Kbits
• If additional frames are queued for transmission and the 64 Kbit timer has not expired, two things happen:
– The first frame is followed by carrier extend
– The next frame is transmitted

Slide Title: Frame Bursting Part One
Important Points to Cover:

If the station has multiple frames queued in its transmit buffer, packet bursting allows it to send them until the 64Kbit timer runs out. The station waits until there is no carrier sensed, then it begins to transmit the first frame. It extends it to the slot time if it is short. If a collision occurs, it backs off and waits its turn to transmit. When the first frame is out, it keeps the line busy by transmitting nondata symbols (carrier extension symbols) to fill the interframe gap, then it transmits the second frame. It can continue to transmit frames separated by carrier extend until the 64 Kbit timer runs out (8192 bytes). If it has a frame in process, it finishes sending it, then yields the line, starting the process over again.

Collisions should not occur during the burst, since all stations should hear carrier and wait. If the collision domain limit is exceeded or a device has failed, it may cause a late collision. If this occurs, the adapter stops transmitting data and starts jamming, then it backs off and retries.

Packet bursting is not used in full-duplex, since the station owns the wire in each direction and has full bandwidth to transmit at all times.

Page 8 - 9

Frame Bursting Part Two
8-10
• The process is repeated until there is no more data to send or until the timer expires
• If the 64 Kbit limit is reached during the transmission of a frame, that frame may be completely sent
– In many cases a station could theoretically transmit more than 64 Kbits
– The actual maximum bits that could be sent would be seen where the 64 Kbit limit is reached on the first bit of a maximum-length frame
– In this case, the total bits transmitted would be 64 Kbits plus the length of that frame which would be 1518 bytes or 12,144 bits

Slide Title: Frame Bursting, Part Two
Important Points to Cover:

Notes on previous page cover this page.

Page 8 - 10
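Added example (not part of the original course material): a small Python model of the carrier extension and frame bursting rules described on the last three slides, showing how much wire time small frames waste with and without bursting. The 96-bit interframe gap is the IEEE 802.3 value and is an assumption here, since the slides do not state it; the preamble is ignored, as in the slide's own arithmetic, and all function names are hypothetical.

```python
# Added example: model of half-duplex gigabit carrier extension and bursting.
SLOT_BYTES = 512               # slot-time minimum, 4096 bit-times (from the slide)
BURST_LIMIT_BITS = 64 * 1024   # 64 Kbit burst timer = 8192 bytes (from the notes)
MAX_FRAME_BYTES = 1518         # maximum-length frame used in the slide's arithmetic
IFG_BITS = 96                  # interframe gap: IEEE 802.3 value, assumed here


def extended_bits(frame_len):
    """Wire time in bits for a frame sent on its own: a short frame is
    padded with carrier extension up to the 512-byte slot time."""
    return max(frame_len, SLOT_BYTES) * 8


def send_burst(queue):
    """Transmit one burst from `queue` (frame lengths in bytes).

    Returns (frames_sent, wire_bits, data_bits).
    """
    if not queue:
        return 0, 0, 0
    wire = extended_bits(queue[0])       # first frame follows the normal rules
    data = queue[0] * 8
    sent = 1
    for frame_len in queue[1:]:
        start = wire + IFG_BITS          # gap is filled with carrier extension
        if start >= BURST_LIMIT_BITS:    # timer expired: yield the line
            break
        wire = start + frame_len * 8     # a frame that has started is sent whole
        data += frame_len * 8
        sent += 1
    return sent, wire, data


def efficiency(frame_len, count, bursting):
    """Fraction of wire time that carries frame bits when `count` frames of
    `frame_len` bytes are queued. Idle time between bursts is not counted."""
    queue = [frame_len] * count
    wire = data = 0
    while queue:
        if bursting:
            sent, w, d = send_burst(queue)
        else:
            sent, w, d = 1, extended_bits(queue[0]), queue[0] * 8
        wire += w
        data += d
        queue = queue[sent:]
    return data / wire


if __name__ == "__main__":
    print("64-byte frames, no bursting:", efficiency(64, 102, False))
    print("64-byte frames, bursting:   ", round(efficiency(64, 102, True), 3))
    print("burst of 1518-byte frames:  ", send_burst([MAX_FRAME_BYTES] * 10))
```
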

Problems of Shared Media
8-11
• Using hubs requires that all devices share the media to form a single collision domain
• Even with frame bursting, the overhead of carrier extension is still significant
• A topology with a maximum diameter of 200 meters is not workable in many large environments
• Therefore, shared media hubs are probably not a practical option with Gigabit Ethernet
– All vendors offer Full-duplex switches to overcome the inefficiencies

Slide Title: Problems of Shared Media
Important Points to Cover:

Review the bullets quickly. This is a quick recap of the problems of shared media and why full duplex is the choice for everyone. Emphasize again the IEEE chose to build on the old 10Base5 specs for backward compatibility. But fortunately they moved on to create an environment where Gigabit can really speed things up.

Page 8 - 11

Full-Duplex, Switches & Jumbo Frames
8-12
• Gigabit switches will be the solution of choice
– Since switches act like bridges - each port is a separate collision domain
– Switches can be connected in a hierarchical fashion to extend the network without the concern of collision detection
• Most switches offer full-duplex ports which will effectively double the potential throughput to 2 Gbps and extend the cable length
• Many 100 Mbps hubs and switches will be equipped with gigabit uplink ports to provide connectivity with the network’s gigabit backbone
• Pause frames are used for flow control
• Jumbo frames are now allowed
– Up to 9,000 bytes!

Single mode fiber increases the length of the cable substantially. One vendor supports single mode cable lengths up to 9 miles. Since sending frames requires CPU processing, sending a lot of small frames is inefficient. By allowing servers to send large frames, the CPU can queue a large frame, then work on other tasks while it is being sent.

Slide Title: Full Duplex, Switches & Jumbo Frames
Important Points to Cover:

Can you imagine Gigabit without using switches? Each connection is its own collision domain. There still can be collisions between the switch and the end station, but these will be very rare. Half duplex still does contention, full duplex doesn’t need it. The best solution is full duplex gigabit. You get full bandwidth in both directions, reduce the overhead doing contention and increase the cable lengths.

Page 8 - 12

Physical Media - Optical Fiber
8-13
• Three varieties of fiber are specified:
– 50 µm multimode
– 62.5 µm multimode
– 10 µm single mode
• The specs allow for two types of laser drivers
– 1000BaseSX: 850 nm (short-wave)
– 1000BaseLX: 1350 nm (longwave)

µm = micron
nm = nanometers

Slide Title: Physical Media – Optical Fiber
Important Points to Cover:

This is the first of 3 slides that discuss the various types of media. Cover them quickly. Lasers are expensive. See big bucks $$$$$$$$$

Page 8 - 13

Copper Cable
8-14
• 1000BASE-CX
– Can only be used as patch cables or “jumpers” due to a distance limit of 25 meters
– Created to help reduce cost of the many short connections required in a wiring closet
– Consists of 2 pairs of shielded 150-ohm Twinax cable
– Much like Type 1 STP used in traditional token ring environments, but with higher electrical quality standards
• 1000BASE-T
– 4 pairs of category 5 UTP balanced copper cable
– 100 meter cable limit
– Uses 4D-PAM5 (4-dimensional 5-level Pulse Amplitude Modulation) coding (8B1Q4)
  • 8 bits are converted to 4 quinary symbols
  • Levels are +2 +1 0 -1 -2
  • Start-of-Stream delimiter signals beginning of frame
  • End-of-Stream delimiter signals the end of the frame

The Twinax cable consists of two center conductors surrounded by an insulated spacer which is surrounded by a tubular outer conductor (usually braid, foil or both.) It is then covered entirely by an insulating and protective cover. It is similar to twisted pair in that it uses differential or balanced transmission.

1000BASE-T clock frequency is 125 MHz (vs. 25 MHz for 100BASE-T2). It simultaneously transmits on all four pairs to achieve the 1000 Gbps rate. Each wire transmits 250 Mbps which aggregate to 1000 Mbps.

Slide Title: Copper Cable
Important Points to Cover:

Slide is adequate.

Page 8 - 14

Gigabit to the Desktop
8-15
• Very limited deployment - usually used in servers
– Use multiple parallel high speed processors to handle the data flow effectively
– Install plenty of fast memory to cache the data, since disk drives operate in milliseconds, while gigabit data flows at nanosecond speeds
– Use a 64 bit 66 MHz PCI slot so the CPU bus can handle the amount of traffic

The gigabit transceiver chip on the board contains more than 200,000 transistors, about the processing capability of an Intel 486 chip. Many different manufacturers use this chip on their boards.

Slide Title: Gigabit to the Desktop
Important Points to Cover:

Big challenges: Coax cable limitations for such high speeds Big Bucks

$$$$$$$$

Page 8 - 15

Encoding Technique: 8B10B
8-16 • Used for fiber optic and 1000BASE-CX media • Derived from 4B5B encoding used in 100BaseTX, 100BaseFX, and FDDI • Each 8-bit byte is represented by a 10-bit code
– There are two code groups or categories: • “D” Group - Used for data transmission • “K” Group - Used to send control signals • Uses a look-up table for the conversion values

• The clock signal is embedded in the data stream
– To ensure that there are adequate voltage transitions, data signals (“D” groups) never have more than 4 consecutive ones or zeros in them
– 8B10B includes a number of unique control signal patterns (known as “commas”) that allow devices to synchronize and align their bit cells

IBM developed and patented the 8B10B encoding standard and licensed it for Fibre Channel and Gigabit Ethernet. It ensures there are enough clock transitions for receiver clock recovery and allows control signals to be embedded in the data stream. Single and multiple bit errors can be corrected. The data code words never include more than 4 consecutive ones or zeros, nor do the ten bit codes have an imbalance of more than one, i.e., 5 ones and 5 zeros, 6 ones and 4 zeros or 4 ones and 5 zeros. The IEEE Std 802.3ab-1999 spec lists the entire bit-to-symbol mapping table of codes. It is also referred to as the 8B1Q4 coding technique. The conversion process is called 4D-PAM5 and refers to the 4 Dimensional 5-level Pulse Code Amplitude Modulation process.

Slide Title: Encoding Technique 8B10B
Important Points to Cover:

Nice to know information. Won’t help troubleshoot. Cover quickly. A table of symbols is included in the spec and table A-1 page 387 of Seifert’s book and the IEEE spec (of course). The Gigabit Sniffer interface in current use gives statistics of the D and K group bits.

Page 8 - 16

Autonegotiation
8-17 • Gigabit autonegotiation is used to configure operational parameters
– Fast Ethernet negotiates the speed with fast pulses

• Gigabit uses special normal-rate signaling
– Signals indicate whether it is using full or half-duplex

• 16 bit message pages are exchanged on link initialization, multiple pages can be used

If only one side supports full duplex, the connection will use half-duplex if each side allows negotiation.

The PAUSE and Asymmetry direction bits are used together to determine if the device supports flow control and, if it does, whether it is capable of asymmetric flow control. (Asymmetric refers to a large discrepancy between the amount of data on each line at the same time. If the device is a server, it can process requests from multiple clients on the transmit and receive lines, so the traffic will be somewhat even on the two sides. If the device is a node, data transfer will occur on only one line with acknowledgments on the other, so the traffic tends to be heavy on one line and light on the other line.) There are four possibilities with the two bits:
1) No flow control
2) Asymmetric flow control toward the node
3) Asymmetric flow control from the node
4) Symmetric flow control

The Remote Fault bits indicate error conditions that prevent normal operation. Codes are shown as Remote Fault bit 1, Remote Fault bit 2: 00 = No error, 01 = Device Offline, 10 = Link failure, 11 = Auto-negotiation failure.

Autonegotiation messages are sent repeatedly until the sender receives an acknowledgement. The acknowledgement bit indicates the sender has received 3 sequential autonegotiation messages with the same contents. The next page bit is reserved for future use when more than 16 bits are required to negotiate parameters. Special K and D combinations identify the autonegotiation signals so they are not interpreted as data.

Slide Title: Autonegotiation
Important Points to Cover:

We’ve talked about autonegotiation before in the Fast Ethernet section. Here are the details about the 16 bit message pages and the significance of each of the bits. This shows all the different parameters that can be negotiated. Student notes should help you present this.

Page 8 - 17

Autonegotiation Process
8-18
[Flow chart of the autonegotiation process. Boxes: PHY comes up as Slave; Enter slave silent mode; Start wait timer & send 0s; Scan for carrier; Master on NW? (Yes/No); Send fast link pulses; Enter training mode; Establish receive operation; Send info to link partner; Receive link info from partner; Process fail? (Yes/No); Send idles or data; Link Status = Fail]

The fast link pulses are identical to the Fast Ethernet pulses. They indicate the type of connection the system is able to use. The highest level for both sides becomes the negotiated transmission characteristic.

Priority  Connection type
1         1000BASE-T full-duplex
2         100BASE-T2 full-duplex
3         100BASE-T2
4         100BASE-TX full-duplex
5         100BASE-T4
6         100BASE-TX
7         10BASE-T full-duplex
8         10BASE-T

Slide Title: Autonegotiation Process
Important Points to Cover:

Use this flow chart to explain the autonegotiation process and the symbolism of the Master and Slave bits they will see in the Sniffer screens. They will look at this in the exercise, so you can cover it in the slide now and let them discover it in the exercise if you have time for it.

Page 8 - 18

Autonegotiation Frame Details
8-19
Bits   Parameter
0-4    Reserved
5      Full-duplex
6      Half-duplex
7      PAUSE
8      Asymmetry direction
9-11   Reserved
12     Remote Fault 1
13     Remote Fault 2
14     Acknowledgement
15     Next Page Present

This is very useful when you need to troubleshoot vendor incompatibility issues.
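Added example (not part of the original course material): a Python decoder for the 16-bit autonegotiation page using the bit positions from the slide above, with checks for the conditions the notes describe (duplex downgrade, remote fault codes, and three sequential identical pages before acknowledgement). The function names are hypothetical; the PAUSE/Asymmetry direction wording is taken from IEEE 802.3 Clause 37 because the notes list the four outcomes without their bit patterns, and ignoring the Acknowledgement bit when comparing pages is an assumption.

```python
# Added example: decode gigabit autonegotiation pages (bit layout from the slide).
FULL_DUPLEX = 1 << 5
HALF_DUPLEX = 1 << 6
PAUSE = 1 << 7
ASM_DIR = 1 << 8              # "Asymmetry direction"
REMOTE_FAULT_1 = 1 << 12
REMOTE_FAULT_2 = 1 << 13
ACK = 1 << 14
NEXT_PAGE = 1 << 15
RESERVED = 0x001F | 0x0E00    # bits 0-4 and 9-11

# Keyed as (Remote Fault bit 1, Remote Fault bit 2), as in the student notes.
REMOTE_FAULT = {(0, 0): "No error", (0, 1): "Device Offline",
                (1, 0): "Link failure", (1, 1): "Auto-negotiation failure"}

# Keyed as (PAUSE, Asymmetry direction); wording from IEEE 802.3 Clause 37.
FLOW_CONTROL = {(0, 0): "No PAUSE",
                (0, 1): "Asymmetric PAUSE toward link partner",
                (1, 0): "Symmetric PAUSE",
                (1, 1): "Symmetric PAUSE and asymmetric PAUSE toward local device"}


def decode_page(page):
    """Split one 16-bit page into its named fields."""
    if not 0 <= page <= 0xFFFF:
        raise ValueError("autonegotiation page is 16 bits")
    bit = lambda mask: int(bool(page & mask))
    return {
        "full_duplex": bool(page & FULL_DUPLEX),
        "half_duplex": bool(page & HALF_DUPLEX),
        "flow_control": FLOW_CONTROL[(bit(PAUSE), bit(ASM_DIR))],
        "remote_fault": REMOTE_FAULT[(bit(REMOTE_FAULT_1), bit(REMOTE_FAULT_2))],
        "acknowledgement": bool(page & ACK),
        "next_page": bool(page & NEXT_PAGE),
        "reserved_bits_set": page & RESERVED,
    }


def resolve_duplex(local, partner):
    """Best duplex mode both pages advertise: 'full', 'half' or None."""
    common = local & partner
    if common & FULL_DUPLEX:
        return "full"
    if common & HALF_DUPLEX:
        return "half"
    return None


def ability_match(pages):
    """Index of the page that completes three sequential pages with the same
    contents (Acknowledgement bit ignored), or None if that never happens."""
    run, prev = 0, None
    for index, page in enumerate(pages):
        body = page & ~ACK & 0xFFFF
        run = run + 1 if body == prev else 1
        prev = body
        if run == 3:
            return index
    return None


def diagnose(local, partner):
    """Findings worth a look when two captured pages are compared."""
    findings = []
    mine, theirs = decode_page(local), decode_page(partner)
    duplex = resolve_duplex(local, partner)
    if duplex is None:
        findings.append("no common duplex mode")
    elif duplex == "half" and (mine["full_duplex"] or theirs["full_duplex"]):
        findings.append("downgraded to half-duplex: only one side advertises full-duplex")
    if theirs["remote_fault"] != "No error":
        findings.append("partner reports remote fault: " + theirs["remote_fault"])
    for name, fields in (("local", mine), ("partner", theirs)):
        if fields["reserved_bits_set"]:
            findings.append("%s page sets reserved bits 0x%04X" % (name, fields["reserved_bits_set"]))
    return findings


if __name__ == "__main__":
    # Constructed sample pages, not taken from a real trace.
    print(decode_page(0x41A0))
    print(diagnose(0x00E0, 0x0040))
```
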

Slide Title: Autonegotiation Frame Details
Important Points to Cover:

New Slide. The bits are listed on the side. You can send multiple “pages” of information in the process. We see two duplicate pages here. Developer note: I tried very hard to get new Full Duplex and Gigabit traces, but no one came through for me. I asked a couple of different mailing lists and HQ people and there just don’t seem to be many floating around. I surely hope to get one showing the autonegotiation process through real work for the next revision!

Page 8 - 19

Autonegotiation Frame Summary
8-20
Pulses - no addresses

Number of ten bit codes in the set 32 nanosecond timestamps

• 10 bit Hex decodes are automatically enabled for autonegotiation signals

Slide Title: Autonegotiation Frame Summary
Important Points to Cover:

Point out that there are no addresses in these signals.

Page 8 - 20

10 Bit Decode of the Signals
8-21

• Right-click in the Hex window and select 10 Bit to see the autonegotiation decodes

Slide Title: 10 Bit Decode of the Signals
Important Points to Cover:

This shows how to see the 10 bit decodes

Page 8 - 21

Gigabit Sniffer
8-22

Slide Title: Gigabit Sniffer
Important Points to Cover:

Title Page. This is a brief overview.

Page 8 - 22

Some Advice
8-23
• Full wire speed transmission can create 125 MB of data every second!
• That’s just too many frames to analyze
• Run Monitor applications to gather statistics and narrow in on problem areas
• Set capture filters to accept the frames where you see problems
• Turn off real-time Expert analysis and view Expert after you stop the capture

Slide Title: Some Advice
Important Points to Cover:

Capture filters! Turn off real-time Expert

Page 8 - 23

What if I Plug in the Wrong Sniffer?
8-24
• First of all, the media and connectors will limit the number of mistakes you can make
• Then there’s autonegotiation
– If you have the wrong speed card, the autonegotiation will fail, so you won’t get any data at all (and will get a failure to open the adapter message)
• If you plug a 10/100 adapter into a full-duplex Fast Ethernet port, you’ll just get one side of the conversation

Slide Title: What If I Plug in the Wrong Sniffer?
Important Points to Cover:

New Slide. Slide is sufficient

Page 8 - 24

Gigabit User Interface
8-25
• Uses the standard Sniffer Pro interface with enhancements for Gigabit technology

The Gigabit Sniffer now has the Sniffer Pro interface. Due to the complexity of the products, it and Full Duplex Ethernet will be covered in detail in a separate High Speed Ethernet class.

Slide Title: Gigabit User Interface
Important Points to Cover:

The Monitor screens and Expert are the same
The capture panel has a tab for Channel Info that shows counts for each channel
The Summary window shows [A] and [B] to indicate which channel the frame was captured from.

Page 8 - 25

Other Differences
8-26
• The Dashboard and Capture Panel show counts for each channel
• History samples are doubled, one for each channel
• Global Statistics shows individual channel statistics and color-coded graphs for each
• The Summary window shows [A] and [B] in the status columns to indicate which channel captured the frame
• Packet Generator has tabs to set the rate, override addresses and preamble and change the CRC

Slide Title: Other Display Differences
Important Points to Cover:

New Slide. Cover the bullets. Demo if you like.

Page 8 - 26

Three Separate Buffers
8-27
• Adapter Memory
– 144 MB trace buffer memory
  • 72 MB per channel (2)
– Configure parameters on the Tools > Options > Gigabit tab
  • Monitor or Emulation mode
  • Enable Jumbo frames
  • SPAN port connection PAC 62
• SnifferPro software RAM
– Configure Buffer size on the Buffer tab
• Configuration process is similar to Full Duplex

Slide Title: Three Separate Buffers
Important Points to Cover:

New Slide. Two on the card, one on the PC
Note there are no choices for uploading since the frames are already in the Sniffer buffer.

Page 8 - 27

More New Options
8-28
• Tools > Options > Gigabit
– Set mode
– Enable jumbo frames
• Capture > Define Filter
– Control card buffers
– Capture filters can be set on one channel or both

The Gigabit Packet Generator has more options than the other Ethernet Sniffers:
The Rate tab allows you to set the Interpacket Delay, Packets per seconds, and Network Utilization
The Address tab allows you to override the source and destination address in several different ways
The Advanced tab (single frames only) choices are: random size packets, set data offsets, include sequence numbers, adjust timestamps and generate certain types of errors.
The Gigabit tab allows you to set the preamble length and change the CRC.

Slide Title: More New Options
Important Points to Cover:

New Slide. These two screens adjust how you want to control the buffers and the behavior of the ports. Explain the options as shown on the screen caps. The Tools > Options > Gigabit tab sets the action of the port. Yes, you can span a gigabit port to the Sniffer. The 8021q-gig.cap trace file shows VLAN information from a spanned gigabit port. The Define Filter > Gigabit Ethernet tab shows up from Display > Define Filter, but not all of the options are enabled. Use the Sniffer with the dummy driver to demonstrate these options when needed. There is a good bit of information on the gigabit packet generator in the student notes. Open a trace file, choosing both a new frame and buffer option, then use Tools > Packet Generator to show these new tabs.

Page 8 - 28

Solving Gigabit Ethernet Problems
8-29
• Gigabit Ethernet is quite stable now that the vendors are manufacturing to the specification
• Ensure you use high quality cables and connectors
• Use the same vendor when possible to avoid vendor incompatibilities
• Watch the autonegotiation sequence when you have stations that cannot communicate at all or show poor performance due to negotiating to a lower capability
• SNMP and RMON statistics of the interfaces show long-term statistics
– Use a management application to watch for trends

Slide Title: Solving Gigabit Ethernet Problems
Important Points to Cover:

These notes are based on a conversation with the Gigabit Ethernet people in the University of New Hampshire Interoperability lab.

Page 8 - 29

Summary
8-30
In this section, you learned how to:
• Differentiate between Gigabit Ethernet standards and cabling
• Attach the Gigabit Sniffer to Gigabit networks
• Configure Sniffer Pro’s gigabit-specific features
• Use the Sniffer Pro statistics and decodes to locate areas of concern
• Analyze autonegotiation frames to look for incompatibilities and downgraded connection setup

Slide Title: Summary
Important Points to Cover:

Review the section objectives and answer any remaining questions. Wrap up the class. Gather student evaluations. Distribute certificates. Thank them for coming. Make sure the students have deleted their probes and have them Run > Clean to empty the CLASS directories of files they’ve saved. Make sure that the HUBPORT3 and 4 trace files are removed. Remove demo Sniffer software from rental PCs using the uninstall program on the first installation disk if you have been instructed to do that.

Target Time: Day 2 at 5pm

Page 8 - 30

Optional Technologies
9-1

Section 9 TNV-202-GUI

Slide Title: Optional Technologies
Important Points to Cover:

Section 9 title slide only.

Files: 09_app_g.PPT
Trace: LLCNetb2.cap (new)
Exercise: 09_app_g.DOC Observing LLC Traffic (new)

Time: The LLC section has 2 hours of material in it if a student asks for it.

This section is now called Optional Technologies. It is not expected you will need to cover this very often. Please remember this instructor guide is a living document. It is not complete to start and is intended to grow with time. Add to your own copy as you gain experience. Please e-mail suggestions to the course Subject Matter Expert (SME) for future updates to the course material.

Page 9 - 1

Contents
9-2
Logical Link Control (LLC) 9-3
10BASE-5 and 10BASE-2 Ethernet 9-23
Exponential Backoff Formula 9-31
Transmission Models 1 and 2 Details 9-32

The backoff time is an integral random multiple of the Slot Time. 0 is considered by some to be an integer, and some implementations do choose 0 constantly. It can cause repeated collisions between the same two stations. It is rather rude: some chipsets will see the resulting transmission not as a runt followed by a good frame, but as a single oversize frame, or may not see the good frame at all. This is the basis of some of the accusations of the Sniffer analyzer losing frames. Choosing 0, by the way, assumes that no one else on the net is playing the same rude trick, or that everyone who is playing that trick can sense a new frame at 1.6 instead of 9.6 bit times.

Slide Title: Contents
Important Points to Cover:

Page 9 - 2

Logical Link Control
9-3

Slide Title: Logical Link Control

LLC was designed by the IEEE 802.2 committee to provide transparent connectivity between any IEEE-compliant LAN physical layer and any upper-layer protocol. It does this by using Service Access Points (SAPs) in the header to address the network layer protocol. It is independent of, yet utilized by, all the various media access protocols defined by the 802 working group. It acts like HDLC, but is intended for a LAN. Members of the IEEE pushed for more functionality, so 3 types of data exchange were defined, according to Radia Perlman in Interconnections: Bridges and Routers. (One more may be coming.) LLC uses a subclass of the HDLC “superset” and is classified as BA (Balanced links, Asynchronous balanced mode), with several options on how to use the functional extensions.

Page 9 - 3

Objectives
9-4
Upon completion of this section, you will be able to:
• Explain the three types of LLC connections and when each one is used
• Know the purpose of the LLC frames and when they are used
• Follow a connection-oriented LLC conversation from setup through data exchange and shutdown

Slide Title: Objectives

Review the objectives.

Page 9 - 4

Logical Link Control
9-5
IEEE 802.2
Data Link Layer: LLC (upper sublayer), MAC (lower sublayer)
• Point to point data integrity
• Flow control
• Link maintenance
• Service access point addressing
• Connection oriented or connectionless services
• Functions independently of MAC layer

Many of these connection-oriented features of Type II LLC are found in reliable Transport layer protocols like TCP. The IEEE specifications refer to the frames as “Protocol Data Units” or PDUs.

Slide Title: Logical Link Control

Upper part of the Data Link Layer
Review the points on the slide.
IEEE 802.2
Upper half of the Data Link Layer
Lower half controls how the devices access the wire, i.e., contention or token passing.

Page 9 - 5

802.2 Header Format
9-6
Frame layout: 802.X Header (MAC Sublayer) | DSAP | SSAP | Control (LLC Sublayer)
• DSAP: (1 byte) Destination Service Access Point, receiving process at destination
• SSAP: (1 byte) Source Service Access Point, sending process in source
• Control: (1 byte) Various control information (2 bytes for connection-oriented LLC)

The control field used in type 1 datagrams is always one byte long. The control field can use one or two bytes for LLC type 2.

Slide Title: 802.2 Header Format

Header fields:
DSAP: (1 byte) Destination Service Access Point, receiving process at destination. Least significant bit is Individual or Group Address indicator.
SSAP: (1 byte) Source Service Access Point, sending process in source. Least significant bit is the command or response indicator, 0 = command, 1 = response.
The SAP numbers are reserved for IEEE and ISO protocols. The numbers were assigned on a first-come, first-served basis following strict rules for the types of organizations and protocols that may have a SAP number. 8 bits is not nearly long enough to define the number of protocols. To make things even worse, two of the 8 bits are reserved for other uses, so the field is actually only 6 bits long!
Control: (1 byte) Various control information (2 bytes for connection-oriented LLC). The control field byte(s) are very complex, with the different types of functions having different bit meanings. No attempt has been made here to delineate all the various frame headers, since the Sniffer analyzer decodes them.

Analogy: Post Office Box: Frame is addressed with the SAP number (PO Box number). The Physical layer (post office) places the frame in the appropriate buffer (box). Protocol listening (postal customer) retrieves the frame from its box.
Alternate: A numbered hole in the ceiling. The protocol above looks for frames at its assigned hole.

Page 9 - 6

LLC Service Access Points (SAP)
9-7

Name     SAP (hex)       Description
BPDU     42              Bridge Protocol Data Units
Banyan   BC              Banyan VINES
IBM_NM   F4              IBM Network Management
IP       06              Internet Protocol
ISO      FE              International Standards Organization
NetBIOS  F0              Network Basic I/O System
Novell   E0              Novell (NetWare)
SNA      04, 05, 08, 0C  Systems Network Architecture
SNAP     AA              SubNetwork Access Protocol
Global   FF              Broadcast
Null     00              IBM SAP Negotiation

• SAPs are a pass-through between any IEEE-compliant physical layer and any upper-layer protocol.
• 00 is a Null SAP. Only real use at this time is by IBM which forces SAP negotiation for connection to 3745s. This is the only SAP initially active on a 3745 so the initial request must be addressed to the Null SAP.

Slide Title: LLC Service Access Points (SAP)

Just mention quickly. This is for their reference.

Page 9 - 7

you will see that TCP/IP implementations on SNAP do not supply the vendor code. Often 0000 if Upper-Layer Protocol (ULP) did not change. The vendor code is usually not supplied when the upper-layer protocol is unchanged to run on SNAP instead of 802.X or Ethernet. It also allows vendors to specify their "type" within the SNAP header. Type: (2 bytes) Identifies the ULP. A nifty expression: “SNAP allows us to snap Ethertypes into 802. 10BASE2 & 5 .x frames. Same as Ethertype for protocols that came from the Ethernet environment.X Header DSAP (AA for SNAP) SSAP (AA for SNAP) Control Organization/ Vendor Code (optional) Type Sniffer University MAC Sublayer LLC Sublayer SNAP Organization Code: (3 bytes) Identifies the vendor or manufacturer.” • © Network Associates Ethernet Network Analysis and Troubleshooting LLC. • • • The SNAP field allows version 2 Ethertype fields to be included in IEEEcompliant frames. Same as vendor code in MAC layer address. For example.SNAP Header Format 9-8 SubNetwork Access Protocol (SNAP) provides a standard way of encapsulating upper-layer protocols on IEEE 802 networks 802.

Slide Title: SNAP Header Format
SNAP was added to enable non-IEEE protocols to be supported at the LLC layer. The most frequent use we see of the SNAP header is for Ethernet version II Ethertypes to be included in an IEEE frame. Then stations will be able to feed the frames to the correct upper-layer protocol. The vendor code and Type fields are “bought” by a vendor. If they want to write their own proprietary protocols, they can use their vendor code and the “type” that was assigned them in these fields. The problem arises when different vendors implement the protocols differently, so there may be problems with interconnectivity across vendor lines.

LLC Functions
9-9

• Some protocols use LLC merely as a pass-through header to carry data. All control of the connection is handled by higher layers. The frames are Unnumbered Information frames
• Other protocols use the additional functionality that the IEEE provides
– LLC connection-oriented service at OSI layer 2 offers many of the data integrity functions we expect to find at OSI layer 4, the transport layer
– The primary difference is that LLC deals with point-to-point connections, whereas layer 4 protocols like TCP deal with end-to-end connections

Slide Title: LLC Functions
Some protocols use LLC merely as a pass-through header to carry data. Higher layers handle all control of the connection. The frames are Unnumbered Information frames. NetWare uses the LLC layer this way. The LLC SAPs are used to identify this frame as a NetWare frame (SAP = E0). The only reason LLC is there is because it is using standard IEEE 802.5 frames that have the LLC header. NetWare predates the IEEE specs, so the original design was for non-IEEE compliant frames like ARCNET and proprietary Ethernet. Neither of these has an LLC layer.
Other protocols use the additional functionality that the IEEE provides. This is what we will cover here. LLC connection-oriented service at OSI layer 2 offers many of the data integrity functions we expect to find at OSI layer 4, the transport layer. The primary difference is that LLC deals with point-to-point connections, whereas layer 4 protocols like TCP deal with end-to-end connections.

LLC Frame Types
9-10

• Unnumbered frames:
– Establish link connections/disconnections
– Provide link maintenance and error recovery
– Provide connectionless (datagram) support
• Supervisory frame:
– Acknowledges frames received
– Requests retransmission of frame(s)
– Provides flow control
• Information frames:
– Transport user data and higher-layer protocols
– Increment sequence numbers

• These frames are identified by bits in the LLC headers.
• There are many types of fields in LLC frames, so we will not break them out here. Fortunately, the Sniffer Network Analyzer knows all of them and decodes them in the Summary and Detail windows for you.

Slide Title: LLC Frame Types
Quickly go over the three types of frames and their purposes. Mention that we will cover them in more detail in the following pages.

LLC Unnumbered Frame Types
9-11

Frame   Name                                      Command/Response   Service
SABME   Set Asynchronous Balanced Mode Extended   Command            Connection Oriented
UA      Unnumbered Acknowledgment                 Response           Connection Oriented
DISC    Disconnect                                Command            Connection Oriented
DM      Disconnect Mode                           Response           Connection Oriented
FRMR    Frame Reject                              Response           Connection Oriented
XID     Exchange Identification                   Either             Connection or Connectionless
TEST    Test                                      Either             Connection or Connectionless
UI      Unnumbered Information                    Either             Connection or Connectionless

• SABME is used to set up a duplex connection, using a modulo 128 window.
• UA acknowledges a SABME or DISC message.
• DISC requests connection termination.
• DM is transmitted by the receiver of a DISC to let the other side know it has received the DISC.
• FRMR indicates the receipt of an invalid frame.
• An XID command from the transmitter informs the receiver of the identity of the transmitter and which LLC types the transmitter supports. A response is required to an XID command. It contains the same information as the command. XID is used only with Type 1.
• TEST also has command and response frames. The transmitter can send this to see if the recipient can receive and return a packet. Data can be included that the recipient must return in the response frame.
• Unnumbered Information frames are used for connection control and to carry unsequenced data.

Slide Title: LLC Unnumbered Frame Types
Use the student notes to explain each type of unnumbered frame.

LLC Supervisory Frames
9-12

(Type 2 - Connection oriented only)
RR    Receive Ready       Command/Response
RNR   Receive Not Ready   Command/Response
REJ   Reject              Command/Response

LLC Information Frame (Type 2 - Connection oriented only)
I     Information         Command/Response

• Receive Ready is an acknowledgment frame. It contains a sequence number of the frame it is next expecting to receive and indicates the receiver is ready to receive more data.
• Receive Not Ready is an acknowledgment for previously received frames. It also indicates that the receiver is temporarily busy and further frames should not be transmitted until the busy station sends a receive ready frame. The “Next expect to Receive” sequence number (NR) is included in the RNR frame.
• REJect frames are sent when the receiver is requesting retransmission of frames. The REJ frame includes the sequence number of the next frame it expects. LLC rejects only once. If it doesn’t get an ACK, it starts polling with RRs.
• Information frames are sequence numbered data frames.

Slide Title: LLC Supervisory Frames
These are for connection oriented delivery only. This is a building block for looking at the Sniffer analyzer displays.

RR    Receive Ready       Command/Response
RNR   Receive Not Ready   Command/Response
REJ   REJect              Command/Response

Note that there are both command and response types. LLC rejects only once. When it doesn’t get an ACK, it starts polling with Receiver Ready. (Hello? Are you still there?)

LLC Information Frame
Connection oriented only
I     Information         Command/Response
These carry the data and acknowledgments.

Type 1 Connectionless Services
9-13

[Diagram: Data Messages sent in each direction]

To use the Post Office as an example: It’s like mailing a letter

• No connection establishment is required.
• Messages are not sequenced.
• Sequential delivery is not guaranteed.
• Delivery is not guaranteed.
• No flow control is provided.
• There is no retransmission on error.
• Type 1 service is unreliable, but this is not a problem as long as an upper-layer protocol can recover from the error.
• Higher layers are responsible for flow control, error recovery and reliability.
• Type 1 supports point-to-point, multicast and broadcast communications.
• Three types of frames are supported: Unnumbered Information (UI), Exchange Identification (XID), and TEST. The control byte indicates the frame type.

Slide Title: Type 1 Connectionless Services
This is just data transport. No setup. No teardown. No acknowledgments. No error correction. No flow control. Upper-layer protocols are responsible for these functions. Frames are generally unnumbered information frames.

Type 2 Connection Oriented Service
9-14

[Diagram: Session Setup, ACK, Sequenced Data Messages, Disconnect, ACK]

Like making a telephone call: The end-to-end connection is set up before your conversation begins, then torn down when you hang up

• Type 2 is very similar to HDLC.
• Type 2 service provides a sequenced, acknowledged delivery of data.
• Connection establishment and termination are required.
• Each side of the connection maintains independent sequence numbers.
• Type 2 uses sliding window flow control (modulo 128), making it capable of very efficient use of the wire.
• Acknowledgments can be sent in separate frames or can be “piggy-backed” onto data frames.
• Error recovery processes are available.
• Type 2 frames can use one or two byte control fields.
• Frames with a one byte control field are: Set Asynchronous Balanced Mode Extended (SABME), DISConnect, Disconnected Mode, Frame Reject (FRMR) and Unnumbered Acknowledgment (UA).
• Frames with a two byte control field are: Information, Receive Ready, Receiver Not Ready and REJect.
• Example: Sessions between IBM LAN Manager and IBM bridges make use of this connection type when they're talking to each other.

Slide Title: Type 2 Connection Oriented Service
Based on HDLC
Sequence numbers are maintained by each side and acknowledgments are sent based on the other side’s sequence number. Because acknowledgments can be “piggy-backed” on data frames, it uses the wire efficiently.
Example: Sessions between IBM LAN Manager and IBM bridges make use of this connection type when they're talking to each other.
Session Setup, ACK, Sequenced Data Messages, Disconnect, ACK
Frames will have either one or two byte control fields.

Type 2 Connection Setup
9-15

[Diagram: frames exchanged between Workstation and Server, in order]
TEST (Optional)
TEST (Optional)
XID (Optional)
XID (Optional)
SABME P(oll)
UA F(inal)
RR NR=0 P
RR NR=0 F
I NS=0 NR=0
RR NR=1

Some upper-layer applications will send TEST frames to make sure both sides can communicate. They may follow with one or two pairs of XID frames to negotiate the type of connection both can support. The first frame that establishes the connection is the SABME. The Poll bit when set to a “1” forces the other side to respond. The Final bit is set to a “1” in the response frame. Once the connection is made, the data will be sequenced and acknowledged. You can do a Search for text on SABME to find the first instance of a connection being set up.

Slide Title: Type 2 Connection Setup
This slide was included to discuss how sessions are set up in preparation for what they need to observe in the Sniffer Summary window. It deliberately does not show the additional information on the Summary line. It will be added later. This slide has a “build” which will display one line per click.

Workstation: TEST (Optional), XID (Optional), XID (Optional)
Server: TEST (Optional)
The above frames are application-dependent. SNA uses TEST and XID frames to set up Physical Unit (PU) Allocations. They are also used for Source Route bridging explorer frames. If you turn All layers on with no protocol filters set, you will see that the upper-layer protocol may actually be starting this.

This is the important part:
SABME P(oll)
UA F(inal)
RR NR=0 Poll
RR NR=0 Final
I NS=0 NR=0
RR NR=1
Discuss the play of the Poll and Final bits. Poll means “Answer me.” Final means “This is my answer to your poll.”

Type 2 Connection Teardown
9-16

[Diagram: frames exchanged between Workstation and Server: DISC P, UA F*, DM, UA]

Normal teardown can be started from either side in the fashion described above. The first side will send the DISC when it has completed its work. The other side responds with the Disconnect Mode, indicating it is finished, too.

So what is the difference between a REJect and a DISConnect? A REJect is sent when a problem occurs. If there is a problem with the sequence numbers, the side detecting the problem will send a REJect and include the sequence number it next expects to receive. If the other side is able to back up and send that sequence numbered frame, all is well. You can look for this by doing a Search for text on REJ, then follow through to see if they were able to roll back to a point where they can move forward again. The two sides will attempt to get resynchronized. If that fails, one side will send the DISC to “hang up.” The other side will then respond with a UA(optional)* or DM. If the two sides cannot resynchronize, they will DISConnect. Upper-layer protocols will determine whether a new attempt is made to open a new connection.

A DISC is the normal conclusion of a connection. A DISC will also be used when one of the two stations determines that the efforts to resolve a problem are fruitless and it needs to shut the connection down.

Slide Title: Type 2 Connection Teardown
This slide is also preparation for what they will see in the Sniffer analyzer. This slide has a “build” which will reveal one line at a time.

Workstation                    Server
DISC P     ---------->
           <----------         UA* F
           <----------         DM*
UA         ---------->

DISC is used to shut down a connection for either a normal End of Operation or upon the failure of a resynchronization effort. REJ does not end the conversation. It is sent when a problem is encountered. Attempts are made to back up to a point where sequence numbers can be synchronized. The data exchange will restart if synchronization is achieved; if not, then a DISC will be sent to close the connection.
* This is according to the IEEE802.3 specification.

FRMR vs. REJ
9-17

• FRMR is sent upon:
– Receipt of a frame with a data field that is not permitted
  • i.e., an unnumbered acknowledgment (UA) with data
– Receipt of an unsolicited Final (F) bit set to one
– Receipt of an unexpected UA
– Receipt of an unsupported frame type
– Receipt of an I frame that exceeds the established maximum length
– Receipt of an invalid receive sequence number N(R)
– Receipt of an invalid send sequence number N(S)
• REJ is sent to:
– Request the resending of I frames starting with the frame number N(R)

• Upon receipt of an FRMR a station should: Send a SABME or DISC.
• Upon receipt of a REJ a station should: Send the corresponding I frame as soon as it is available. Resend any unacknowledged I frames.
• Behavior upon receipt of an invalid send sequence number varies: If the data is within the receive window, then an REJ should be sent. If the data is not within the receive window, then a FRMR should be sent. The receive window size can be specified in an XID frame.
• In the real-world, we see more REJs than FRMRs. REJ is preferable because the session doesn’t need to be re-established.

Slide Title: FRMR vs. REJect
Slide is self-explanatory. Cover the student notes, also. This is an important concept to understand when they troubleshoot an LLC problem.

Type 3: Acknowledged Connectionless
9-18

[Diagram: Sequenced Data Messages, ACK]

• Connectionless service
• Guaranteed in-sequence delivery of data
• Uses stop and wait flow control

Like a conversation where one side is saying “Uh huh,” “Yes,” “I see”

LLC Type 3 was developed primarily for process control applications over a token bus, so it is very seldom seen today.

Slide Title: Type 3 Acknowledged Connectionless
This is here to complete the types of LLC connections. Don’t spend any time on this. As the student notes indicate, it was intended for process control applications over a token bus (computer-aided car manufacture?) and is seldom used today.

Decoding LLC Connection-Oriented Frames
9-19

From Workstation
LLC C D=F0 S=F0 RR NR=0 P
  C      Command
  D=F0   Destination Service Access Point = F0 (NetBIOS)
  S=F0   Source Service Access Point = F0 (NetBIOS)
  RR     Receive Ready
  NR=0   Frame Number Workstation expects to receive is 0
  P      Poll bit is on: Workstation expects a response from Server

From Server
LLC R D=F0 S=F0 RR NR=0 F
  R      Response
  D=F0   Destination Service Access Point = F0 (NetBIOS)
  S=F0   Source Service Access Point = F0 (NetBIOS)
  RR     Receive Ready
  NR=0   Frame Number Server expects to receive is 0
  F      Final bit is on: Response to Workstation's Poll

From Workstation (Now sending 0)
LLC C D=F0 S=F0 I NR=0 NS=0
  C      Command
  D=F0   Destination Service Access Point = F0 (NetBIOS)
  S=F0   Source Service Access Point = F0 (NetBIOS)
  I      Information frame: Higher layer data is included
  NR=0   Workstation is still expecting to receive frame 0 next
  NS=0   Workstation is sending frame number 0

From Server (Next expect to receive 1, now sending 0)
LLC R D=F0 S=F0 I NR=1 NS=0 P
  R      Response
  D=F0   Destination Service Access Point = F0 (NetBIOS)
  S=F0   Source Service Access Point = F0 (NetBIOS)
  I      Information frame, higher layer data is included
  NR=1   Server expects to receive frame number 1 next
  NS=0   Server is sending frame number 0
  P      Poll bit is on: Server expects a response from Workstation

The easiest way to view LLC conversations is to set up a Station address filter for the two communicating stations. Then turn on Two station format in the Summary window. The top line is what you would see in the Summary window.
In the first two frames, we see both ends of the logical connection advertise the sequence numbered frame they expect to receive next (NR = Receive sequence Number). These are also the initial frames.
In the third frame, the workstation issues the sequence numbered Information frame the server expects (NS = Send sequence Number).
In the fourth frame, the server both acknowledges the workstation’s frame by specifying the next frame it expects to receive (NR), and also sends the frame the workstation asked for earlier (NS).

Slide Title: Decoding LLC Connection-Oriented Frames
This is the key page to explain what they will see in the Sniffer analyzer’s Summary screen. Because of the way this screen is constructed, a build could not be created.
Presentation Idea: You may want to place a paper over the screen and pull it down as you explain each field in the Summary line.
Emphasize that they should:
Set up a station address filter on the two sides.
Protocol filter on LLC (or enable All layers and leave all protocols visible if they want to watch how the upper-layer protocols are using LLC).
Use two-station format.
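The Summary-line fields explained on this slide can be reproduced by decoding the LLC header bytes directly. The following is an added example, not part of the course material or the Sniffer product: the function names and the sample byte strings in the tests are constructed, and the control-field bit values are taken from IEEE 802.2 rather than from this page.

```python
"""Decode an IEEE 802.2 LLC header into a Sniffer-style summary line."""
import struct

# SAP names and values from the LLC Service Access Points table on this page.
SAP_NAMES = {
    0x00: "Null", 0x04: "SNA", 0x05: "SNA", 0x06: "IP", 0x08: "SNA",
    0x0C: "SNA", 0x42: "BPDU", 0xAA: "SNAP", 0xBC: "Banyan",
    0xE0: "Novell", 0xF0: "NetBIOS", 0xF4: "IBM_NM", 0xFE: "ISO",
    0xFF: "Global",
}

# Control-field encodings per IEEE 802.2 (assumption: not listed on the page).
# U format: one byte, low two bits 11; the P/F bit (0x10) is masked off here.
U_TYPES = {0x03: "UI", 0x0F: "DM", 0x43: "DISC", 0x63: "UA",
           0x6F: "SABME", 0x87: "FRMR", 0xAF: "XID", 0xE3: "TEST"}
# S format: low two bits 01, bits 2-3 select the supervisory function.
S_TYPES = {0x01: "RR", 0x05: "RNR", 0x09: "REJ"}


def sap_name(sap):
    """Return the table name for a SAP value, or 'unknown'."""
    return SAP_NAMES.get(sap, "unknown")


def decode_llc(pdu):
    """Parse bytes starting at the DSAP and return the header fields."""
    if len(pdu) < 3:
        raise ValueError("truncated LLC header: need DSAP, SSAP, control")
    dsap, ssap, ctl = pdu[0], pdu[1], pdu[2]
    f = {"dsap": dsap,
         "ssap": ssap & 0xFE,                # low SSAP bit is command/response
         "cr": "R" if ssap & 0x01 else "C",
         "nr": None, "ns": None, "snap": None}
    if ctl & 0x03 == 0x03:                   # Unnumbered: one control byte
        f["type"] = U_TYPES.get(ctl & 0xEF, "U-%02X" % (ctl & 0xEF))
        f["pf"] = bool(ctl & 0x10)
        hdr_len = 3
    else:                                    # I or S: two control bytes
        if len(pdu) < 4:
            raise ValueError("truncated LLC header: 2-byte control expected")
        f["pf"] = bool(pdu[3] & 0x01)
        f["nr"] = pdu[3] >> 1                # 7-bit N(R), modulo 128
        if ctl & 0x01 == 0:                  # Information frame
            f["type"], f["ns"] = "I", ctl >> 1
        else:                                # Supervisory frame
            f["type"] = S_TYPES.get(ctl & 0x0F, "S-%02X" % ctl)
        hdr_len = 4
    # SNAP: DSAP and SSAP are both AA, followed by a 3-byte organization
    # code and a 2-byte Type, as on the SNAP Header Format slide.
    if dsap == 0xAA and f["ssap"] == 0xAA and f["type"] == "UI":
        if len(pdu) < hdr_len + 5:
            raise ValueError("truncated SNAP header")
        (ethertype,) = struct.unpack("!H", pdu[6:8])
        f["snap"] = (pdu[3:6].hex().upper(), ethertype)
        hdr_len += 5
    f["payload"] = pdu[hdr_len:]
    return f


def summary(pdu):
    """Format the decoded header like the Summary line shown on the slide."""
    f = decode_llc(pdu)
    parts = ["LLC", f["cr"], "D=%02X" % f["dsap"], "S=%02X" % f["ssap"],
             f["type"]]
    if f["nr"] is not None:
        parts.append("NR=%d" % f["nr"])
    if f["ns"] is not None:
        parts.append("NS=%d" % f["ns"])
    if f["pf"]:
        # The same bit is called Poll in a command and Final in a response.
        parts.append("P" if f["cr"] == "C" else "F")
    if f["snap"]:
        parts.append("SNAP OUI=%s Type=%04X" % f["snap"])
    return " ".join(parts)


if __name__ == "__main__":
    # Constructed sample PDUs (hex), starting at the DSAP byte.
    for sample in ("f0f07f", "f0f173", "f0f00101", "f0f10101", "f0f00000"):
        print(summary(bytes.fromhex(sample)))
```

A truncated capture raises ValueError instead of returning a partial decode, which keeps short or damaged frames from being misread as valid LLC.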

Understanding LLC Frame Numbering
9-20

#   Workstation      Server
    N(R)   N(S)      N(R)   N(S)
1   0
2                    0
3   0      0
4                    1      0
5   1      1
6                    2      1
7                           2
8                           3
9   4

• Here we see a graphical representation of the first 4 frames. We are also witnessing a “window of 1” because each “I(nformation)” frame is “ACKnowledged” before the next is issued. Data can be piggybacked on the ACK frame from the server.
• If we assume that the “piggybacking” of an I frame onto the ACK continues, we will see frames 5 and 6.
• The server expands its window to 3, so we see 3 sequenced I frames (NS=1,2,3) starting in frame 6 to frame 8, with the subsequent ACK (NR=4) by the workstation in frame 9. LLC can be set to efficiently use the wire.
• Many times, upper-layer protocols start their sessions by setting up an LLC connection first. You may want to set a protocol filter so you see just the LLC layer, or you may choose to enable All layers so you can see the progression of the connections being established at each layer; then you can watch the middle layer set up connections until the highest layer protocol establishes its connection.

Slide Title: Understanding LLC Frame Numbering
Each side maintains separate sequence numbers. This slide has a “build” that will display one line per click. As you explain this, use the terms “Now sending” and “Next expect to receive” to help them make the link between the NS and the NR.
Frames 1 and 2 are the Receive Ready setup - each side tells the other their first sequence number will be 0.
Frame 3 Workstation “Now sending” number 0, next expects to receive 0.
Frame 4 Server “Now sending” number 0, next expects to receive 1. (In other words, I’m acknowledging I got frame 0.)
Frame 5 Workstation now sending frame 1, next expects to receive frame 1 (acknowledges frame 0).
Frame 6 Server now sending frame 1, next expects to receive frame 2 (acknowledges frame 1).
Frame 7-8 Server sends frames 2-3.
Frame 9 Workstation acknowledges frames 1 through 3 by saying “I next expect 4.”
Question: If frame 7 (NS=2) becomes lost or is damaged and the workstation receives frames 6 and 8 (NS=1 and NS=3), which frame will the workstation ACK (NR=?)?
Answer: The workstation will ACK 2 (NR=2).
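The lost-frame question above and the REJ/FRMR rule from the FRMR vs. REJ slide can be checked with a small receive-side model of Type 2 sequencing. This is an added example, not course or vendor code: the class and function names and the window parameter are assumptions, and the "reject only once" discard behavior is modeled from the student notes.

```python
"""Receive-side model of LLC Type 2 sequence checking (modulo 128)."""

MODULUS = 128  # Type 2 sequence numbers wrap at 128


class LlcReceiver:
    """Tracks the next expected N(S) and decides how to answer each I frame."""

    def __init__(self, window=3, vr=0):
        self.window = window    # receive window size (assumed, e.g. from XID)
        self.vr = vr            # next N(S) this side expects to receive
        self.rej_sent = False   # LLC rejects only once per gap

    def on_i_frame(self, ns):
        """Return (action, NR) for an arriving I frame carrying N(S)=ns."""
        if not 0 <= ns < MODULUS:
            raise ValueError("N(S) must be 0..127")
        # Distance ahead of the expected number, computed modulo 128 so the
        # comparison still works across the 127 -> 0 wrap.
        offset = (ns - self.vr) % MODULUS
        if offset == 0:
            # In sequence: accept and advance. NR acknowledges it.
            self.vr = (self.vr + 1) % MODULUS
            self.rej_sent = False
            return ("ACCEPT", self.vr)
        if offset < self.window:
            # Out of sequence but inside the receive window: ask for a
            # resend starting at the expected frame, but only once.
            if self.rej_sent:
                return ("DISCARD", self.vr)
            self.rej_sent = True
            return ("REJ", self.vr)
        # Outside the receive window: invalid N(S), per the slide's rule.
        return ("FRMR", self.vr)


def replay(receiver, ns_list):
    """Feed a list of N(S) values to the receiver and collect its answers."""
    return [receiver.on_i_frame(ns) for ns in ns_list]


if __name__ == "__main__":
    # Workstation has already accepted the server's frame NS=0 (frame 4).
    ws = LlcReceiver(window=3, vr=1)
    # Frame 6 (NS=1) arrives, frame 7 (NS=2) is lost, frame 8 (NS=3) arrives.
    print(replay(ws, [1, 3]))
    # Server backs up and resends from NS=2.
    print(replay(ws, [2, 3]))
```

The second frame in the first replay produces a REJ carrying NR=2, which is the value given in the answer above; after the resend the receiver's next expected number is 4, matching frame 9.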

Common LLC Problems
9-21

• LLC is usually very reliable
• When problems happen the most common reasons are:
– Connection reset
– Unsupported LLC frame types
– Flow control lockup
– Frame sequence retransmission
– Excessive length information field
– Expired timers
– Expired counters

• Connections get reset when one side stops responding or stops sending correctly sequenced frames.
• Unsupported LLC frame types and excessive length information fields shouldn't happen if the implementation follows the LLC specification.
• Flow control lockup happens when a station continually sends Receive Not Ready due to lack of buffers or other resource problems. We will see an example in the exercise.
• Retransmissions may be happening because the sender's timer isn't set correctly, and the sender isn't waiting long enough for acknowledgment. Timers and counters are configurable. Counters refer to how many times a station will retransmit.

Slide Title: Common LLC Problems
LLC is pretty reliable. Problems are frequently caused by device drivers. Vendors may have configuration files that override the driver’s timers.
When failures occur, look for:
Connection resets if the parameters were not negotiated properly.
Connection resets due to incorrect sequence numbers. They must resend every frame after the error.
Unsupported frame types.
Excessive length fields.
Flow control lockup - each one hears the other’s hold music. Buffer allocation problems causing RNR.
Short retransmission timers, which cause retransmissions. Configure longer. Adjust configuration file.

Exercises: Observing LLC (Ethernet)
9-22

Turn to the lab section to complete this exercise

Slide Title: Exercises: Observing LLC (Ethernet)
This is a new exercise using a new trace file. It is mostly FYI and pretty straightforward. Practice it!

10BASE5 and 10BASE2
9-23

Slide Title: 10BASE5 and 10BASE2
Important Points to Cover: Section Title Page. Header page to show the components that the specifications were built upon. Even though we have placed this further in the back of the book now, we cannot neglect it.

10BASE2 and 5 Components
9-24
[Diagram: 10BASE5 Thick Ethernet, 10BASE2 Thin Ethernet and 10BASE-T Hub. Labels: 50 Ω terminators, ground, transceiver, AUI cable, repeater, unshielded twisted pair, Network Interface Cards (NIC)]

Transceiver: Used to physically and electrically attach DTE equipment to the network. Transceivers sense carrier and detect collisions. If a collision occurs, the transceiver notifies the adapter by outputting a voltage on the collision present circuit. V2 Ethernet added SQE. The Transceiver notifies the adapter during the interframe gap time that it is capable of informing the adapter if a collision occurs. With 802.3 specs, a transceiver provided a jabber latch. There are three versions: Version 1 used with the early Ethernet specification, Version 2 Ethernet (Heartbeat added), and IEEE 802.3 version (changes to the AUI wiring). A transceiver can be built into the Network Interface Controller (Card). This is used in 10BASE-T and 10BASE2. A fourth type of transceiver is the Fiber Optic transceiver.

Repeaters: Used to extend the cable segment beyond the maximum segment distance for the topology used. Repeaters are also used when changing from one media type to another (that is, from thick to thin Ethernet).


Slide Title: 10BASE 2 and 5 Components
Important Points to Cover:
Terminators remove the signal from the wire and prevent reflections back onto the wire.
Thick Ethernet cable: Color defines the place it is installed. Some give off noxious fumes, so they must be installed in plenums. Spec defines as a “bright color.”
Thin Ethernet (Cheaper net)
Transceivers
External: Vampire tap into the thick cable or small box attached to the AUI connector of the adapter.
Internal: On the card.
AUI Cable
NICs
Grounding rules: Ground only one end of each segment to a good earth ground.
Repeater: Used to extend the signal and other functions.
Hub: Yes, they are used frequently today. This shows a way that they can be integrated into legacy environments.


10BASE5 Thick Ethernet
9-25
[Diagram: coax cable segment with a 50 Ω terminator at each end, a transceiver and an AUI cable]

• Maximum segment length = 500 meters
• Each end terminated with 50 ohm terminators
• Maximum number of attachments per segment = 100
• Maximum length of AUI cable = 50 meters*
• Minimum separation between attachments = 2.5 meters

2.5m minimum separation makes sure that signal reflections, when they occur (that is, the cable is unterminated), do not add up in phase, which would probably blow the transceiver.

The 500 meter segment does not need to be made from a single length of cable. Cable sections can be joined together using "N" type barrel connectors. The IEEE 802.3 specification recommends the following when splicing thick cable:
1. Use cable sections from the same manufacturer and cable lot number, to avoid impedance mismatch and other problems.
2. To minimize signal reflection problems, use segments that are lengths of 23.4m, 70.2m, and 117m. Since these lengths are odd integral multiples of a half wavelength in the cable at 5 MHz, reflections do not have a high probability of adding in phase. (A 5MHz signal is achieved when the transceiver is outputting only alternating ones and zeros, as it does with the preamble.)

*The maximum length of the AUI cables refers to the transmission model one which we will discuss later.


Slide Title: 10BASE5 Thick Ethernet
Important Points to Cover:

Slide and notes are adequate.


10BASE5 Components
9-26

[Diagram labels: thick coax cable, 50 Ω terminator, 50 Ω terminator to ground, transceivers with AUI cables, terminal server, multi-port transceiver, multi-port repeater]

A terminal server could be used to support RS-232 connected ASCII "dumb" terminals to the Ethernet. CSMA/CD is done in the terminal server. The Multi-Port Transceiver is also known as a Fan Out box, Delni, or a multi-tap. It is a dumb wiring concentrator that connects multiple workstations using a single tap in the thick Ethernet cable. CSMA/CD is done by the end stations.


Slide Title: 10BASE5 Components
Important Points to Cover:

There are probably still some of these lurking in older environments.


Signal Quality Error Test
9-27
[Diagram labels: SQE TEST, transceiver, AUI cable, Network Interface Card (NIC)]

• SQE is used to test the collision presence circuit
• After successfully transmitting data, the Transceiver asserts the SQE signal on the collision presence circuit
• When the Network Interface Card sees the SQE signal asserted, it knows the Transceiver can inform the Network Interface Card when a collision does occur
• Not supported by Ethernet Version 1 equipment
• Turn off SQE on a transceiver attached to an AUI port on a repeater or repeating hub
• Transceivers that are integral to the NIC do not require SQE to test the AUI link between NIC and transceiver: the link is hard-wired

From 802.3: "At the conclusion of the output function, the Data Terminal Equipment opens a time window during which it expects to see the SQE signal asserted on the Control In (collision presence) circuit. The time window begins when CARRIER_STATUS becomes CARRIER_OFF. The duration of the window shall be at least 4.0 microseconds but no more than 8.0 microseconds. During the window, the Carrier Sense Function is inhibited." SQE should be turned off on transceivers connected to repeaters because a repeater can't be inhibited for 4.0 microseconds. It may receive bits on its other port and need to send them. Most people just turn SQE off because it causes confusion when counting collisions. Some transceivers and network management tools will count the SQE test as a collision (for example, the Collision LED may be lit when the SQE test is asserted).


Slide Title: Signal Quality Error Test
Important Points to Cover: Turn SQE off on repeaters and hubs (that act as repeaters). Some manufacturers require that SQE be turned on for their cards and Media Access Unit (MAU) combinations. (HP required this on their cards. Present requirement is unknown.) The specifications don’t say what the NIC card does if it expects the SQE test and it doesn’t see it. It is probably driver-dependent (that is, implementation-dependent). It is important to note that this signal does not go out onto the cable. It is a loop-back between the transmit side of the card, looping through the MAU and back into the receive side of the card. Many students talk about their collision counts going up when they have SQE turned on. You need to ascertain if they are referring to statistics gained by SNMP polls of the collision register on the card (which may count these as collisions) or if they are seeing this on cable statistics. If this is going out onto the cable, it is not obeying IEEE rules.


Analyzing Coax Collisions
9-28

[Diagram labels: transmitting station A; 2nd station at B; x (Point of collision); repeaters R1, R2 and R3; Sniffer Pro 1, Sniffer Pro 2 and Sniffer Pro 3; 50m AUI cables; 450 m; 800 m Fiber Link]

Evidence of collision will arrive at station A ______ bytes into station A’s transmission

NAI enhanced drivers required to sense and capture collision frames

Once you understand the concepts of signal propagation delay, you can begin to apply them to perform more precise analysis of the collision frames you find in your Sniffer Pro analyzer traces. As shown in the diagram above, what you will see in the trace will depend upon:
1) The point of collision.
2) The location of the Sniffer Pro analyzer relative to the collision point.

The diagram shows one collision event. However, each of the three Sniffer Pro analyzers will show different indications of the event. This fact is key to effective troubleshooting.

All components are given in terms of their equivalent lengths in Thicknet coax:
• R1 = 231 m (10 bit times)
• R2 and R3 pair = 231 m
• 50 m AUI segment = 59 m
• 800 m fiber segment = 933 m
Total equivalent Thicknet distance between points A & B


Slide Title: Analyzing Coax Collisions
This has been included in the student appendix.
This diagram should enable you to tie together three important concepts you have learned:
1. The propagation delay of a signal on different types of media (per How long is a bit)
2. How different Ethernet physical components react during a collision (station jam signal, hub jam, etc.)
3. How different Sniffers react to the same collision event.

The scenario is as follows: Station A starts a transmission. The transmission goes both ways towards Sniffers 1 and 2, and towards Sniffer 3. Just before the leading bit of the preamble reaches the far end of the uppermost Ethernet segment, the station near point B starts a transmission, causing a collision at Point B.

The following concepts will help you understand the scenario:
• The station at point B will be the first station to detect the collision; what will it do? (Send a 32-bit jam signal.) Why? (To busy the wire and enable repeater R3 to detect evidence of the collision.) What is the evidence? (2 signals on the same coaxial media—R3’s and the jam from station at point B.)
• Sniffer 1 will not show any evidence that a collision occurred (unless it’s a version that’s counting preamble collisions). Why? (Because we don’t capture preamble collisions.)
• How repeaters R3 and R2 react to the collision when the jam signal reaches them. (R3 will begin to jam 96 bits back to R2; R2 will begin to jam 96 bits on the middle coaxial segment towards Station A.)
• What Station A has been doing during all this time. (Still transmitting its signal.) How much of Station A’s signal has gotten out on the wire before the jam signal from R2 reaches it? Here is some of the math to show the different propagation delays by differing types of media and repeaters:
  Total equivalent Thicknet distance between points A & B: 59 + 450 + 59 + 231 + 59 + 933 + 59 + 59 + 450 = 2359 m
  2359 m / 23.1 = 102 bits, or 12.75 bytes
• What will happen when the jam signal reaches Sniffer 2? (Because this is coaxial media, the combination of Station A’s transmission and the 96-bit jam signal from R2 will cause the receive function on Sniffer 2 to lose synchronization/clocking. When this happens, the Sniffer stops capturing the frame and truncates it if enough of the frame – 2 bytes past the preamble – has been received.) What sort of flag will be posted with this frame? (The “X” flag.)
• Major learning point: If someone hands you a trace file for analysis and you see the X flag posted on truncated frames, you can say with a high degree of certainty that the trace was captured from coaxial media!
• What will happen when Station A realizes that a collision has occurred? (Starts jamming 32 bits.) Has this been a “legal” collision event? (Yes, because it has happened well before 64 bytes have left Station A.)
• What does repeater R1 do when it sees evidence of the collision? (Starts jamming 96 bits onto the lowermost Thicknet segment.) What causes R1 to sense the collision event? (The combined jam signals from R2 and Station A.)
• What will be recorded on Sniffer 3? (Because the Sniffer was on a segment where only one signal—the one from the lower half of R1—was being broadcast, the frame will appear similar to the way it does on Sniffer 2. However, the frame will not be truncated but will be followed by R1’s jam pattern of alternating 1’s and 0’s, which will be translated to the hex values of AA’s or 55’s.) What flags will be posted? (R and C, but certainly not an X flag.) How many bytes of AA’s and 55’s will be shown? (This will depend upon what the vendor has implemented as the jam pattern; remember that 96 bits are a minimum. Generally, it is safe to assume that you will see a value of 12 bytes, plus or minus 4.)

Major learning point: Because Sniffer 3 has been on the far side of a repeater for this event, this simulates exactly what happens in 10baseT environments. In 10baseT shared environments, a station can only receive direct evidence of collision if the hub sends a jam signal while that station is transmitting. And since Sniffers don’t transmit, a Sniffer has to use the jam pattern to deduce that a collision occurred somewhere.


10BASE2 Thin Ethernet
9-29

[Diagram labels: 50 Ω terminator; RG 58 Cable; BNC Tee Connectors; 50 Ω terminator to ground]

• Maximum segment length = 185 meters
• Maximum number of attachments per segment = 30
• Minimum separation between stations = .5 meters

Thin Ethernet, at 0.18 inches in diameter, is also known as Cheapernet. T connectors must be right at the network interface card. Adding additional cable to go from the T to a network interface card is not permitted, though people do it. This will suffice if you're not approaching length limitations, though the signal will attenuate. The problem with this solution is that most people forget to count it in their length considerations.

Drop cable not permitted!


Slide Title: 10BASE2 Thin Ethernet
Important Points to Cover:

Again, focus on the termination rules. Mention the drawing in their notes section.


9-30

Exponential Backoff Transmission Models 1 and 2 Details
Slide Title: Exponential Backoff Transmission Models 1 and 2 Details
Important Points to Cover: Title page only.

Truncated Binary Exponential Backoff
9-31

• BackoffTime = RandomNumber multiplied by SlotTime
• SlotTime = time to propagate 512 bits (i.e., 51.2 µseconds)
• RandomNumber is greater than or equal to 0 and less than 2^n
• n = number of times it has tried for first 10 times or n = 10 for the 11th through 16th try
• After 16 tries, report error to the upper-layer protocol

The backoff time is an integral random multiple of the Slot Time. 0 is considered by some to be an integer, and some implementations do choose 0 constantly. It is rather rude: some chipsets will see the resulting transmission not as a runt followed by a good frame, but as a single oversize frame, or may not see the good frame at all. This is the basis of some of the accusations of the Sniffer analyzer losing frames. It can cause repeated collisions between the same two stations. Choosing 0, by the way, assumes that no one else on the net is playing the same rude trick, or that everyone who is playing that trick can sense a new frame at 1.6 instead of 9.6 bit times.

Slide Title: Truncated Binary Exponential Backoff
Important Points to Cover: The slide is self-explanatory.
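The backoff rule on this slide, and the effect of an implementation that always chooses 0, can be replayed in a few lines. This is an added example, not part of the course material: the function names are hypothetical, and the model assumes exactly two stations that retry in lock-step, with the smaller draw transmitting successfully.

```python
import random

SLOT_TIME_US = 51.2   # time to propagate 512 bits at 10 Mbps
BACKOFF_LIMIT = 10    # n stops growing after the 10th try
ATTEMPT_LIMIT = 16    # after 16 tries the error goes to the upper layer


def slot_choices(attempt):
    """Number of values RandomNumber can take on this try: 2**n."""
    if not 1 <= attempt <= ATTEMPT_LIMIT:
        raise ValueError("attempt must be between 1 and 16")
    return 2 ** min(attempt, BACKOFF_LIMIT)


def max_backoff_us(attempt):
    """Longest wait the rule allows on this try, in microseconds."""
    return (slot_choices(attempt) - 1) * SLOT_TIME_US


def compliant(attempt, rng):
    """Slots to wait under the rule: 0 <= RandomNumber < 2**n."""
    return rng.randrange(slot_choices(attempt))


def always_zero(attempt, rng):
    """The 'rude' implementation that picks 0 on every try."""
    return 0


def contend(pick_a, pick_b, rng):
    """Replay the retries of two stations that have just collided.

    Returns (winner, collisions). winner is "A" or "B" for the station
    whose backoff expired first, or None when both reach the 16-try limit.
    Simplification (assumption): equal draws collide again, unequal draws
    let the earlier station transmit without further interference.
    """
    for attempt in range(1, ATTEMPT_LIMIT + 1):
        a, b = pick_a(attempt, rng), pick_b(attempt, rng)
        if a != b:
            return ("A" if a < b else "B"), attempt
    return None, ATTEMPT_LIMIT


def tally(pick_a, pick_b, trials=2000, seed=1):
    """Run many independent collisions and count who gets the wire."""
    rng = random.Random(seed)
    result = {"A": 0, "B": 0, None: 0, "collisions": 0}
    for _ in range(trials):
        winner, collisions = contend(pick_a, pick_b, rng)
        result[winner] += 1
        result["collisions"] += collisions
    return result


if __name__ == "__main__":
    for attempt in (1, 2, 3, 10, 16):
        print(f"try {attempt:2}: up to {max_backoff_us(attempt):9.1f} us")
    print("compliant vs compliant    :", tally(compliant, compliant))
    print("always-zero vs compliant  :", tally(always_zero, compliant))
    print("always-zero vs always-zero:", tally(always_zero, always_zero))
```

In this model the always-zero station takes the wire every time against a compliant peer, and two always-zero stations collide on all 16 tries and give up, which is the repeated-collision case the notes describe.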

New IEEE Maximum Topology Specs
9-32

• The maximum topology of a 10 Mbps baseband network is limited by two factors:
  – Round-trip collision delay
  – Interpacket gap shrinkage
• There are two methods, or “transmission models,” for calculating the round-trip collision delay (i.e., maximum copper and fiber lengths), according to the standard
  – Model 1 closely follows the 5-4-3 rule
  – Model 2 assigns a value to each type and length of copper or fiber media, which corresponds to a worst-case round-trip delay for the Ethernet signal

The new standards allow you to mix media types in your networks. More details on these specifications are in the appendix.

Slide Title: New IEEE 802.3 Maximum Topology Specs
Important Points to Cover: This presents the factors in the determination and states there are two ways to calculate the maximum topology. Factors: Round-trip collision delay, Interpacket gap shrinkage. Models 1 and 2 detailed on the next pages.

Transmission Models 1 and 2
9-33

• 10 Mbps maximum topology rules
• Transmission Model 1 is the more conservative and restrictive of the two
  – It has the advantage of being validated to work with all vendors’ products
• Transmission Model 2 uses tables to calculate:
  – Round-trip delay times for all types of media
  – Interpacket gap shrinkage for multiple repeaters

Model two is more cumbersome than model 1, but has the advantage of extending the topology farther. It also more accurately reflects the types of distances found in real networks.

Slide Title: Transmission Models 1 and 2
Important Points to Cover: The slide is self-explanatory.

Transmission Model 1
9-34

• Closely matches the traditional “5-4-3 rule” of traditional Ethernet networks
  – FOIRL, 10baseFL, 10baseFB and 10baseFP links are included
  – AUI cables, if used, are restricted to 25 meters in length
  – The maximum allowable length of any inter-repeater fiber segment is restricted to 1000 meters (FOIRL, FL, and FB)
• If all five segments are present, the maximum length of any fiber segment shall not exceed 500 meters
  – The maximum length for a fiber hub-to-station (repeater-to-DTE) drop is 400 meters in an Ethernet network that also contains a 1000-meter link segment
• If fiber link segments are held to 500 meters, the maximum fiber hub-to-station drop is increased to 500 meters

Since no vendors are known to manufacture to 10baseFP standards, we will not consider 10baseFP in this course.

FOIRL = Fiber Optic Repeater Link
FP = Fiber Passive
FL = Fiber Link (replaces FOIRL)
FB = Specification for fiber with lower repeater delay that allows for longer length

Slide Title: Transmission Model 1
Important Points to Cover: Most similar to 5-4-3. AUI cables 25 meters maximum. Maximum interrepeater fiber cable is 1000 meters, but if 5 are used, then the maximum of each is reduced to 500 meters. Add diagram here.

Model 2 Path Delay Value
9-35

• Model 2 assigns a value to each type and length of copper or fiber media, which corresponds to a worst-case round-trip delay for the Ethernet signal
  – The value also takes into account the repeater for any fiber or copper segment
• Starting from the point of highest variability in your network (call it the “left end”), calculate the length of each segment across repeaters to the farthest station on the network (called the “right end”)
  – Add the individual segment values to arrive at a total Path Delay Value, or PDV
  – The total should not exceed 572 bit times
  – The number of repeaters on any path may exceed the Model 1 limit of four

[Diagram: segments Delay A, Delay B, Delay C, Delay D and Delay E joined by repeaters (R)]

PDV A + B + C + D + E <= 572

The standards add an additional value of 5 to the Path Delay Value for a margin of error.

Slide Title: Transmission Model 2 (Calculating Path Delay Value)
Important Points to Cover: Calculations are made using two types of variables: Path Delay Values and Interpacket Gap Shrinkage. We’ll cover the first one here and the second one on the next slide. Delay values reflect the media type and repeater. Tables have been established that set delay for segments. Total delay of A + B + C + D + E must be less than 572. There may be no more than four repeaters.

Transmission Model 2 (Calculating Interpacket Gap Shrinkage)
9-36

• The distance (in bit times) in the gap between frames will decrease with each repeater in the path as repeaters regenerate the preambles of Ethernet frames
  – This limits the number of repeaters that can be installed on any given path on very short networks
• The calculation is made by adding the path variability values (or PVV) for each segment across repeaters that the signal must pass
  – The total value must not exceed 49 bit times

[Diagram: segments PvvA, PvvB, PvvC and PvvD, each followed by a repeater (R)]

Pvv A + B + C + D <= 49 bit times

The starting point is called the transmitting end; the center segments are called “mid-segments”. The far end (“receive end”) across the last repeater is not taken into consideration. We will be using a network diagram in the next exercise to determine if it passes the model 1 or 2 requirements.

Slide Title: Transmission Model 2 (Calculating Interpacket Gap Shrinkage)
Important Points to Cover: Here is part two. Repeaters shrink the interpacket gap as they regenerate the preambles. Each successive repeater shortens it more. This calculation is the deciding factor in how many repeaters can be in a segment. pvv A + pvv B + pvv C + pvv D must be less than 49 bit times.

Maximum Transmission Paths
9-37

Four Repeaters, Five Segments
Three Coax Segments
Two 10BaseT or Fiber Optic Links

[Diagram labels: Repeater; 500 m 10Base5 or 185m 10Base2 Coax Links; 100 m 10BaseT or 500m 10BaseFL Link; MAU; AUI Cable; DTE]

The Version 2 specification explained the maximum topology slightly differently

[Diagram labels: End Station; Repeater; Fiber Optic Repeater; 500 Meters Maximum; AUI Cable 50 Meters Maximum]

3 x 500 Meter coax cable segments     1500 meters
1 x 1000 Meter fiber optic link     + 1000 meters
6 x 50 Meter AUI cables             +  300 meters
2800 meters total distance between transmitting stations

The fiber link is called FOIRL (Fiber Optic Inter-repeater Link).

You’ll often hear the maximum distance between two stations on an Ethernet network is 2.8 kilometers. That number is derived by drawing the topology shown above. The 2.8 kilometers limit is mentioned in the Ethernet Version 2 Blue Book specification. It is not mentioned in 802.3. (802.3 has the picture from the previous page.) Note: the Ethernet maximum distance specification does abide by the newer 802.3 specification: the 2.8 Km limit is a special case of the general rules.

Slide Title: Maximum Transmission Paths
Important Points to Cover: Here is a graphic representation of allowable cable lengths for various types of media.

Model 1 Max Transmission Paths
9-38

[Diagram: 4 Repeaters, 5 links (1-Coax, 3-10BaseT and/or 2-Fiber Optic Links). Labels: Rptr Set; 100m 10BaseT Link; 500m Fiber Optic Links; 500m Coax 10Base5 Link; 100m 10BaseT Links]

[Diagram: 3 Repeaters, 4 link segments (2-10BaseT and 2-1 km Fiber Optic links). Labels: Rptr Set; 1 km Fiber Optic Links; MAU; DTE; AUI Cables]

Slide Title: Model 1 Max Transmission Paths
Important Points to Cover: This is the first of two diagrams showing different allowed maximum path configurations. These diagrams are modified from the diagrams in section 13 of the 802.3 spec. The 10Base FP sections were replaced with FL or T since FP is not used in current networks. The slide is complete.

Model 1 Max Transmission Paths
9-39

[Diagram: 3 Repeaters, 4 link segments (1-1 km 10BaseFB, 1-1km FOIRL, 2-400 m 10BaseFL). Labels: Rptr Set; 1 km FOIRL Link; 1 km 10BaseFB Link; 400 m 10BaseFL Links; MAU; 25 m AUI Cables; DTE]

[Diagram: 4 Repeaters, 5 link segments (2-500m 10BaseFB, 1-500m FOIRL, 2-500m 10BaseFL). Labels: Rptr Set; 500m FOIRL Link; 500 m 10BaseFL Links; 500m 10BaseFB Links; MAU; 25 m AUI Cables; DTE]

Slide Title: Model 1 Max Transmission Paths
Important Points to Cover: This is the second two of four diagrams showing different allowed maximum path configurations. The slide is complete.


Helpful Information

Helpful Information
List of Known Ethertypes
Ethernet Frame Type References
An explanation of the Analyzing Coax Collisions diagrams in the appendix
Recommended Reading List
Helpful WWW Links

List of Most Common Service Access Points (SAPs)

Ethertype: 00 02 03 04 05 06 08 0C 0E 10 18 20 34 42 4E 7E 80 86 8E 98 AA BC E0 EC F0 F4 F5 F8 FE FF

Protocol: Null LLC LLC SNA SNA IP SNA SNA IEC 955 IPX CLNP CLNP BPDU EIA RS-511 ISO 8208 XNS IEC 955 SNAP VIP IPX CLNP NetBIOS LM LM

Purpose: XID or Text Individual Sublayer Management Group Sublayer Management Individual Path Control Group Path Control IP SAP for TCP/IP

Organization: IEEE IEEE IEEE IBM IBM DOD IBM IBM IEEE Novell Texas Instr ISO ISO IEE IEEE IEEE 3 Com Nestar IEEE ARPANET DOD Banyan Novell ISO IBM IBM IBM IBM ISO

PROWAY Network Management Network Layer Spanning Tree Bridge Management Manufacturing Message Service X.25 over 802.2 Type 2 LLC Active station list maintenance Address Resolution Protocol (ARP) Subnetwork Access Protocol Network Layer Routing Individual Group Remote Program Load (RPL) Network Layer Protocol Global LSAP

List of Known Ethertypes

Ethertype: 0000-05EE 0000-05FF 0101-01FF 0200 0201 0400 0600 0601 0800 0801 0802 0803 0804 0805 0806 0807 081C 0888-088A 0900 0A00 0A01 0BAD 1000 1001-100F 1600 4242 5208 6000 6001 6002 6003 6004 6005 6006 6007 6008-6009 6010-6014 7000 7001 7002 7020-7029 7030 7034

Protocol: None 802.5 PUP PUP PUP XNS XNS IP X.25 NBS ECMA CHAOSNet X.25 ARP XNS Private

Purpose: IEEE 802.3 Length Field IEEE 802.5 Length Field Address Translation Address Translation IDP Address Translation 3MB Only IP Internet Internet Internet Level 3 For IP and CHAOS Symbolix Debugger Address Translation Address Translation

Organization: IEEE IEEE Xerox Xerox Xerox Nixdorf Xerox Xerox DOD Texas Instr DOD

PUP PUP VIP IP Simnet PCS Basic BI Simnet MOP MOP Phase IV DRP LAT Trailer Negotiation Trailer Block Encapsulation Valid System Protocol Private Unassigned Dump Load Assistance Remote Console Routing Local Area Transport Diagnostics User Protocol System Communication Architecture Unassigned Download UB Xerox Xerox Banyan Berkely Berkley BBN BBN DEC DEC DEC DEC DEC DEC DEC DEC DEC 3Com UB UB UB LRT Proteon Caletrom LAVC NIU BootDiagLoop “Broadcast at Boot Stage. DL”

Ethertype: 8003 8004 8005 8006 8008 8010 8013 8014 8015 8016 8019 802E 802F 8035 8036 8038 8039 803A 803B 803C 803D 803E 803F 8040 8041 8042 8044 8046-8047 8049 805B 805C 805D 8060 8062 8065-8066 8067 8068 8069 806A 806C 806D 806E-8077

Protocol: VLN Direct Probe Protocol Local Use AT&T Diagnostics Network Games

Purpose: Bounce Server Native Ethernet RARP BPDU DSM/DTP Argonaut Con VAXLN CSMA/CD DNA Spanning Tree Bridge Management LAST Unassigned Encryption Time Service LAN Traffic Monitor NetBIOS Emulator Local Area System Transport Future Use V Kernel Experimental V Kernel Production Integrated Automation Graphics

Organization: Chronus Chronus HP Nestar Stanford Excelan SGI SGI SGI Stanford HP Apollo Tymeshare Tigan, Inc DOD Aenoic Systems DEC DEC DEC DEC DEC DEC DEC DEC DEC DEC DEC Plan Res Co AT&T Expert Data Stanford Stanford Evans & Suther Lt Machines Counterpoint Univ of Mass Veeco General Dynamics AT&T Autophon ComDesign Compugraphic Landmark

Ethertype: 807A 807B 807C 807D-807F 8080 8081-8083 8088-808A 809B 809C-809E 809F 80A3 80A4-80B3 80C0-80C3 80C6 80C7 80C8-80CC 80CD-80CE 80CF-80D3 80D4 80D5 80DD 80DE 80DF 80E0-80E3 80E4-80F0 80F2 80F3 80F4-80F5 80F7 80FF-8103 8107-8109 8130 8131 8137-8138 8139-813D 9000 9001 9002 9003 FF00

Protocol: Data Elektronik

Purpose: Bridge, Router, WANManager TranLAN III Management Ether-Talk RT Distributed Services/DB Transparent Remote File System Bridge Management AppleTalk AppleTalk Bridge Management Private NetWare IPX LAN Loopback Bridge Comm. Management Vital LAN Bridge cache wake

Organization: Matra Dansk Merti Vitalink Vitalink Counterpoint Xyplex Kinetics Datability Spider Nixdorf Seimans DCA Pacer Software Applitek Corp Intergraph Inc Harris/3M Taylor Rosemont IBM Varian Integrated Systems Integrated Systems Allen Bradley Datability Retix Apple Shiva HP Apollo Wellfleet Symbolics Waterloo VG Labs Novell KTI DEC Xerox 3Com 3Com BBN

Ethernet Frame Type References

Version 2 Frame
Bytes         Field
8             Preamble
6             Destination Address
6             Source Address
2             Ethertype
46 to 1500    Data – Padded to minimum frame length of 64 bytes
4             Frame Check Sequence (FCS)

IEEE 802.3 Frame
Bytes         Field
8             Preamble (7 bytes preamble, 1 byte of Start of Frame Delimiter)
6             Destination Address
6             Source Address
2             Length
1             Destination SAP (LLC)
1             Source SAP (LLC)
1-2           Control (LLC)
42 to 1497    Data – Padded to minimum length of 64 bytes
4             Frame Check Sequence (FCS)

New IEEE Frame
Bytes         Field
8             Preamble (7 bytes preamble, 1 byte of Start of Frame Delimiter)
6             Destination Address
6             Source Address
2             Type/Length
1             Destination SAP
1             Source SAP
42 to 1497    Data – Padded to minimum length of 64 bytes
4             Frame Check Sequence (FCS)

NetWare “Raw” Frame
Bytes         Field
8             Preamble
6             Destination Address
6             Source Address
2             Length
46 to 1500    FFFF followed by Data – Padded to minimum frame length of 64 bytes
4             Frame Check Sequence (FCS)

IEEE 802.3 SNAP Frame
Bytes         Field
8             Preamble (7 bytes preamble, 1 byte of Start of Frame Delimiter)
6             Destination Address
6             Source Address
2             Length
1             Destination SAP (LLC)
1             Source SAP (LLC)
2             Control (LLC)
3             Vendor Code (SNAP)
2             Type (SNAP)
38 to 1492    Data – Padded to minimum length of 64 bytes
4             Frame Check Sequence (FCS)
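The layouts above can be told apart from the two bytes after the source address and the first bytes of the data field. The classifier below is an added example, not part of the course material: the names `classify_frame` and `SAMPLES` are hypothetical, the sample frames are constructed, and it assumes the capture starts at the destination address with the preamble and FCS already stripped.

```python
import struct

MAX_DATA = 1500         # the data field is at most 1500 bytes in the tables above
MIN_ETHERTYPE = 0x0600  # lowest assigned Ethertype in the course's list


def _mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def classify_frame(frame):
    """Return a dict describing which frame layout a captured frame uses."""
    if len(frame) < 14:
        raise ValueError("frame ends before the type/length field")
    type_length = struct.unpack("!H", frame[12:14])[0]
    payload = frame[14:]
    info = {"dst": _mac(frame[0:6]), "src": _mac(frame[6:12])}

    # A value at or above 0x0600 is an Ethertype, so this is a Version 2 frame.
    if type_length >= MIN_ETHERTYPE:
        info.update(format="Version 2", ethertype=type_length)
        return info

    # Otherwise the field is a length; compare it with what was captured.
    info["length"] = type_length
    info["length_exceeds_max_data"] = type_length > MAX_DATA
    info["truncated"] = len(payload) < type_length
    info["pad_bytes"] = max(len(payload) - type_length, 0)

    if len(payload) < 3:
        info["format"] = "IEEE 802.3 (no room for an LLC header)"
        return info
    # NetWare "Raw" puts FFFF where the DSAP and SSAP would be.
    if payload[:2] == b"\xff\xff":
        info["format"] = 'NetWare "Raw"'
        return info

    dsap, ssap, control = payload[0], payload[1], payload[2]
    # LLC control is one byte for U-format (low two bits set), else two.
    control_len = 1 if (control & 0x03) == 0x03 else 2
    info.update(dsap=dsap, ssap=ssap, control_bytes=control_len)

    if dsap == 0xAA and ssap == 0xAA:
        snap = payload[2 + control_len: 2 + control_len + 5]
        if len(snap) < 5:
            info["format"] = "IEEE 802.3 SNAP (truncated)"
            return info
        info.update(format="IEEE 802.3 SNAP",
                    vendor_code=snap[:3].hex(),
                    ethertype=struct.unpack("!H", snap[3:5])[0])
    else:
        info["format"] = "IEEE 802.3"
    return info


def _build(dst, src, type_length, payload):
    return (bytes.fromhex(dst) + bytes.fromhex(src)
            + struct.pack("!H", type_length) + payload)


# Constructed sample frames (not taken from the course trace files).
SAMPLES = {
    "v2": _build("ffffffffffff", "020000000001", 0x0800, bytes(46)),
    "llc": _build("0180c2000000", "020000000002", 38,
                  bytes([0x42, 0x42, 0x03]) + bytes(35) + bytes(8)),
    "snap": _build("ffffffffffff", "020000000003", 36,
                   bytes.fromhex("aaaa03" "000000" "0806") + bytes(28) + bytes(10)),
    "raw": _build("ffffffffffff", "020000000004", 30,
                  b"\xff\xff" + bytes(28) + bytes(16)),
    "long": _build("ffffffffffff", "020000000005", 0x05DD, bytes(46)),
}

if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        print(name, classify_frame(frame))
```

A length value larger than the captured data, or larger than 1500, is reported rather than rejected so that malformed frames still show up in the output.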

An explanation of the Analyzing Coax Collisions diagrams in the appendix

This diagram should enable you to tie together three important concepts you have learned:
1. The propagation delay of a signal on different types of media (per How long is a bit)
2. How different Ethernet physical components react during a collision (station jam signal, hub jam, etc.)
3. How different Sniffers react to the same collision event.

The scenario is as follows: Station A starts a transmission. The transmission goes both ways towards Sniffers 1 and 2, and towards Sniffer 3. Just before the leading bit of the preamble reaches the far end of the uppermost Ethernet segment, the station near point B starts a transmission, causing a collision at Point B.

The following concepts will help you understand the scenario:
• The station at point B will be the first station to detect the collision; what will it do? (Send a 32-bit jam signal.) Why? (To busy the wire and enable repeater R3 to detect evidence of the collision.) What is the evidence? (2 signals on the same coaxial media—R3’s and the jam from station at point B.)
• Sniffer 1 will not show any evidence that a collision occurred (unless it’s a version that’s counting preamble collisions). Why? (Because we don’t capture preamble collisions.)
• How repeaters R3 and R2 react to the collision when the jam signal reaches them. (R3 will begin to jam 96 bits back to R2; R2 will begin to jam 96 bits on the middle coaxial segment towards Station A.)
• What Station A has been doing during all this time. (Still transmitting its signal.) How much of Station A’s signal has gotten out on the wire before the jam signal from R2 reaches it? Here is some of the math to show the different propagation delays by differing types of media and repeaters:
  Total equivalent Thicknet distance between points A & B: 59 + 450 + 59 + 231 + 59 + 933 + 59 + 59 + 450 = 2359 m
  2359 m / 23.1 = 102 bits, or 12.75 bytes
• What will happen when the jam signal reaches Sniffer 2? (Because this is coaxial media, the combination of Station A’s transmission and the 96-bit jam signal from R2 will cause the receive function on Sniffer 2 to lose synchronization/clocking. When this happens, the Sniffer stops capturing the frame and truncates it if enough of the frame – 2 bytes past the preamble – has been received.) What sort of flag will be posted with this frame? (The “X” flag.)
• Major learning point: If someone hands you a trace file for analysis and you see the X flag posted on truncated frames, you can say with a high degree of certainty that the trace was captured from coaxial media!
• What will happen when Station A realizes that a collision has occurred? (Starts jamming 32 bits.) Has this been a “legal” collision event? (Yes, because it has happened well before 64 bytes have left Station A.)
• What does repeater R1 do when it sees evidence of the collision? (Starts jamming 96 bits onto the lowermost Thicknet segment.) What causes R1 to sense the collision event? (The combined jam signals from R2 and Station A.)
• What will be recorded on Sniffer 3? (Because the Sniffer was on a segment where only one signal—the one from the lower half of R1—was being broadcast, the frame will appear similar to the way it does on Sniffer 2. However, the frame will not be truncated but will be followed by R1’s jam pattern of alternating 1’s and 0’s, which will be translated to the hex values of AA’s or 55’s.) What flags will be posted? (R and C, but certainly not an X flag.) How many bytes of AA’s and 55’s will be shown? (This will depend upon what the vendor has implemented as the jam pattern; remember that 96 bits are a minimum. Generally, it is safe to assume that you will see a value of 12 bytes, plus or minus 4.)

Major learning point: Because Sniffer 3 has been on the far side of a repeater for this event, this simulates exactly what happens in 10baseT environments. In 10baseT shared environments, a station can only receive direct evidence of collision if the hub sends a jam signal while that station is transmitting. And since Sniffers don’t transmit, a Sniffer has to use the jam pattern to deduce that a collision occurred somewhere.

Recommended Reading List

Standards

IEEE Standard 802.3, 1998 Edition. This includes the contents of the 8802-3:1996 Edition plus IEEE standard 8023aa-1998, IEEE Standard 802-3r-1996, IEEE Standard 802-3u-1995, IEEE Standard 802.3u-1995, IEEE Standard 802-3x and y-1997 and IEEE Standard 802-3z-1998. 1268 pages ISBN 0-7381-0330-6

Supplements to IEEE Standard 802-3-1998

802.3ac-1998 Frame Extensions for Virtual Bridged Local Area Network (VLAN) Tagging on 802.3 networks 20 pages ISBN 0-7381-1421-9

802.3ab-1999 Physical Layer Parameters and Specifications for 1000 Mb/s Operation over 4-Pair of category 5 Balance Copper Cabling, Type 1000BASE-T 144 pages ISBN 0-7381-1741-2

Approved draft 802-3ad-2000 Aggregation of Multiple Link Segments 184 pages 0-7381-2468-0

Books

Switched, Fast, and Gigabit Ethernet, Understanding, Building and Managing High-Performance Ethernet Networks 3rd Edition 1999 618 pages Robert Breyer and Sean Riley, Macmillan Technical Publishing ISBN 1-57870-073-6

Gigabit Ethernet, 1998 411 pages Rich Seifert Addison Wesley ISBN 0-201-18553-9

Fast Ethernet, Dawn of a New Network, 1996 310 pages Howard W. Johnson, Prentice Hall ISBN 0-13-352643-7

Helpful WWW Links

http://www.sniffer.com Sniffer Technologies website
http://www.Standards.ieee.org/ IEEE website
http://www.ansi.org ANSI website
http://www.gigabit.ethernet.org The gigabit alliance website
http://www.tolly.com Independent hardware testing and industry reports
http://www.nstl.com National Software Test Lab – independent testing
http://www.iol.unh.edu University of New Hampshire Interoperability Labs. Leaders in interoperability testing for many new technologies. This site has links to tutorials.
http://www.global.his.com Official supplier of IEEE and TIA/EIA standards documents – not free
http://www.idg.net/metcalfe/ (Bob Metcalf’s website – the inventor of Ethernet)

Instructor Exercises
Sniffer University
TNV-202-GUI 4.0-OCT2000


Table of Contents

Table of Contents
Exercise Section 1: Which Frames Are on the Network?
Exercise Section 1: Isolating Frame Types with Pattern Matching (Optional)
Exercise Section 1: A Surprise at 23:00 (Optional)
Exercise Section 2: Comparing Ethernet Data
Exercise Section 3: Cable Specifications
Exercise Section 4: Hubports
Exercise Section 4: More Problems
Exercise Section 4: Test Your Skill
Exercise Section 4: Errors
Exercise Section 4: Evaluating Hub Jams
Exercise Section 4: Ethernet Physical Errors (Optional)
Exercise Section 5: Short Circuited Bridges
Exercise Section 5: Busy Jam
Exercise Section 5: Switch Traffic (Optional)
Exercise Section 6: Fast Ethernet Troubleshooting and Back Pressure
Exercise Section 6: Fast Ethernet Problems
Exercise Section 6: 10/100 Hubs
Exercise Section 8: Gigabit Traffic
Exercise Section 9: Observing LLC

A word of explanation about the formatting of the exercises

Choices you need to make in the menus or configuration windows are in bold. When you are navigating through a series of steps, they have been shortened and separated with a right arrow. Example: Pull down the Monitor menu, choose Select Filter, click Select Filter becomes Use Monitor > Select Filter > Select Filter.

As you work through the exercises, you will be opening a series of windows. When asked to close many of them, Sniffer Pro will ask if you want to save them. Do not save the data unless specifically instructed to save the data.

All of the trace files needed for these exercises are on the CD in your class manual.

There are more exercises here than can be done in the allotted class time. The instructor will choose exercises that meet the needs of the majority of the students in each class. You may wish to work on these independently if you finish your exercises early or do them outside of class time.


Exercise Section 1: Which Frames Are on the Network?

Objective: Use data pattern filters based on frame formats to determine what frame types are in use on the network and make sure no incompatibilities exist. Identify the most common frame format and then eliminate all frames of that type. When they are gone, you will see what remains. Repeat this process until you have identified all frame types present on the network.

Procedure:

1. Configure the analyzer then open the file:
   a. Create a new Agent for this class called "TNV202": File > Select Settings... > New. Name it TNV202 and choose the 10/100 Ethernet adapter. Don't copy any settings. Click OK twice.
   b. Set the agent to loopback with File > Loopback Mode.
   c. Use Display > Display Setup > General to enable the Expert and Post Analysis tabs. (They may already be enabled.) Click OK.
   d. Open the file C:\202GUI\Mixed_01.cap.

2. From the Expert click on DLC layer Objects. There should be 35. Hint: on the Expert Summary screen, identify the separator bar on the right. If you drag that up, you'll see the Objects listed in the upper right.

   [Screenshot labels: Separator bar; Expert Detail panel]

3. Click the arrow on the top of the upper left window to enlarge the right windows. The frame types for each object (adapter) are shown in the Expert Detail panel on the lower right; highlighting each in the top right shows its details in the lower right panel. Observe the frame types shown for each adapter. How many different frame types (other than broadcast and multicast) are shown? Just 2 types, 802.3 and Ethertype. There are actually 3 frame types in this trace file: one standard 802.3 frame with the LLC header and 10 "Raw" Ethernet frames. Unfortunately, the Expert doesn't distinguish between them.

4. Display the Decode windows and click the Monitor's Protocol Distribution icon. We'll use this tool to determine the protocols on the network and their distribution. We'll need to generate the trace file once to see the protocols. Right-click over the Decode window and choose Send Current Buffer and click OK to send the buffer 1 time.

5. Fill in the table below as you answer the questions from the Protocol Distribution view when the entire trace has been sent (wait until the counter on the lower right goes blank).
   a. With the MAC layer and Table view selected, which protocols are listed and how many frames were sent for each protocol?
   b. Look at the Pie Chart view and note the percentages of each protocol shown by clicking on each slice or look at the Bar Graph view and click on each bar to see the stats.

   Protocol    # Packets    % of Total
   DECnet      35           45.45%
   IP          27           35.06%
   IPX         10           12.99%
   IP_ARP      1            1.30%
   LAT         1            1.30%
   Others      3            3.90%

   (You may want to mention that LAT is a part of DECnet, so the total is 36 packets and 46.75%.)

   Close the Protocol Distribution window.

6. To see which station is using each protocol, click the Matrix tab. With the Traffic Map showing the MAC layer, click off all protocols except Other. Ctrl click to select all those end station addresses with "Other" traffic, then press the Visual filter icon to display only these frames. How many frames did you get? 2 What frame type(s) are they using? Stations HP1 012BB4 and 090009012BB4 (multicast) are using 802.3 frames with the LLC header (SAP FC); stations DECnet 00C8CC and broadcast are using version 2 frames (Ethertype 0804 for Chaosnet).

7. Click back on the Matrix tab (this still reflects the original trace file with all the frames). Now enable only the IPX stations in the Matrix Traffic Map view.
   Ctrl click on each IPX address to select all of them, then press the Visual filter icon and display the frames. How many frames are there? 10 Does this agree with the number you noted in the chart above? Yes Does the frame type match what you anticipated it would? Yes, they are "raw" frames, typical of NetWare frames.
   From the Decode display, we can get a quick summary of frame types by using Display > Display Setup. On the Summary Display tab, exclude All protocols in the lower window, and then click on Ethernet to enable it. You now see which frames are version 2, but no differentiation is made between the rest. Highlight the non-Ethertype frames, then look in the Detail panel and note the frame types you see. Most are "raw", but frame 75 is 802.3 with the LLC header. There are no SNAP frames.
   We'll use a similar process to determine the frame types the DECnet stations are using. Enable only DECnet on the MAC layer of the Traffic Map. Looking at the pattern of the frames on the traffic map, what do you observe? Almost all of the traffic is to and from the level one router. Only two stations are talking to each other.
   CTRL click to select all DECnet addresses, then filter them into a new window. How many frames do you have? 35
   What frame type does DECnet use? Version 2.
   What information is being sent? Most are Router hellos, end node hellos and route advertisements. Only one (frame 40) carries NSP data between 51.4 and 51.30.
   Use Display > Display Setup > Summary Display to exclude none of the protocols.
   This is a fairly quick way of seeing what frames are on your network. In a NetWare environment, you normally see most of the client traffic going to the servers, since it is a client-server environment. If you see a lot of traffic between servers, investigate to see if a server is being used to forward frames that are not compatible with the intended server's configuration. If you are migrating from an IPX-based network to NetWare 5 on IP and are using an intermediate server to forward the frames to the new server, this is a normal phenomenon. This should be an interim short-term solution, since the traffic is doubled with that configuration. The traffic map is especially useful to see IP local router situations. If you see a lot of frames going to a router when they should stay local, you need to look for local router diagnoses in the Expert.

8. Last, let's look at the IP traffic next. We'll use a protocol filter to see those frames. Start with the Decode tab with 77 frames (this is the original unfiltered trace file). Right click over the Summary window, choose Define Filter, then create a new profile called IP using Profiles > New > name = IP, copy the Default filter, click OK, then Done. Now click the Advanced tab and enable only the IP and IP ARP protocols. Click OK. Right click over the Summary window and use Select filter to choose the IP filter. How many frames did you get in the new window? 28 What version frames are they? Version 2. Close the window.

Do not go on to the next exercise.


Exercise Section 1: Isolating Frame Types with Pattern Matching (Optional)

Objective: Determine what frame formats are in use on the network and make sure no incompatibilities exist. Identify the most common frame format and then eliminate all frames of that type. When they are gone, you will see what remains. Repeat this process until you have identified all frame types present on the network.

You can also use pattern match filtering to eliminate frames based on data patterns. When the frames you want to exclude are gone, you will see what remains. We'll repeat this process until you have filtered most frame types present on the network.

Procedure:

1. Exit the Sniffer application, then start it again so your filtered tabs start at 1. Open the file C:\202GUI\Mixed_01.cap.

2. Highlight frame 1. Which frame format is being used in Frame 1? Ethernet Version 2

3. Eliminate all frames using the Ethertype in Frame 1. We'll start a new profile and configure a hexadecimal pattern match display filter.
   a. Look at the DLC header in the Detail window and note the Ethertype here: 6003
   b. From Display > Define Filter, click Profiles > New > Name it Pattern Match, Copy Existing Profile = Default.
   c. Click OK > Done.
   d. Click the Data Pattern tab.
   e. Click Add NOT, then Add Pattern (This window opens).
   f. Make sure Pkt: 1 is displayed (If not, use the Previous button). Click on Ethertype = 6003 (DECNET) in the DLC layer of the frame data.
   g. Click Set Data. Note the pattern 60 03 is pasted in the data area above and the offset field is updated to C. You can paste up to 32 bytes of data for matching. FYI: If you wanted to do a different type of pattern match, you would need to click the Format button and choose from Binary, ASCII, EBCDIC before pasting in the data.
   h. Click OK here. Note: Data Pattern should read (NOT DLC: Ethertype = 6003[DECNET]). Click OK if it matches. Go back and fix it if it doesn't.
   i. Click OK, then OK on the Define Filter window.

4. That's a start, but the filter hasn't been applied yet. Let's apply the filter now.
   a. Right click in the display window, click Select Filter and select the Display Pattern Match filter.
   b. Click OK.
   c. You should have a new Filtered x window with a frame count in the title bar. How many frames are there? 42
   Note this new filtered window has maintained the original frame numbers. The window should start with frame 3, a DNS OK status frame.

5. What frame format is being used in Frame 3? V2

6. We'll add this Ethertype to our filter to eliminate all frames with the Ethertype in the DNS OK frame. Write the Ethertype here: 0800
   a. Display > Define Filter > Data Pattern tab.
   b. Add NOT > Add Pattern.
   c. Highlight DLC: Ethertype = 0800 (IP) then click on Set Data. 08 00 pastes in at C. Then click OK.
   d. Hold your cursor over the AND line to see how the match has been built this far. Your match should now look like this:
   e. Click OK.
   f. Right click in the Filtered x display window, click Select Filter > select the Display Pattern Match filter.
   g. You should get a new Filtered x window with 15 frames that starts with a LAT change node frame.

7. Is the LAT frame the same frame format as the previous frames? Yes. Eliminate all frames with the Ethertype in the LAT frame. Write the Ethertype here: 6004

8. Repeat the same filtering process to eliminate this frame type:
   a. Display > Define Filter > Data Pattern tab > Add NOT > Add Pattern.
   b. Highlight Ethertype 6004 (DEC LAT), click on Set Data, then click OK.
   c. Click OK to save the updated filter.

9. Display > Select Filter > select the Display Pattern Match filter again. How many frames are in the new Filtered x window that pops up? 14
   a. What is the frame format in the NSAP frame? Novell Raw.
   b. What field can be used to filter this frame type? IPX Checksum.
   c. What is the hex pattern and offset used to perform this filter? FFFF at offset 0E.

10. First, we'll create a filter to view only the Novell Raw frames then we'll change it so we exclude these frames along with the previously excluded Ethertype frames. Since we plan to filter out the Novell Raw frames in the last step, we'll start by adding a NOT before we add the pattern as we did before.
   a. Display > Define Filter > Data Pattern tab > Add NOT > Add Pattern.
   b. Highlight IPX Checksum = 0xFFFF, click on Set Data, then click OK.
   c. Before we finish, remember that we want to include all of the Novell Raw frames and exclude all of the others. To make this happen, click on the NOT left of the IPX Checksum entry so it turns to a solid red (the NOT disappears). Your match should now look like this:
   d. Click OK if it matches. Go back and fix it if it doesn't.
   e. Click OK.

11. Now we need to apply this filter as we did before.
   a. Let's go back to our original trace window by clicking the Decode tab.
   b. Display > Select Filter > select the Pattern Match filter again. Click OK.
   c. How many frames are in the new Filtered x window that pops up? 10 These should all be 802.3 Raw frames.

12. What do you think will happen if we apply the filter to this filtered window? You'll get the error message "No frames matched the filter!" because this window only contains the 802.3 Raw frames (all other frames were filtered out earlier).

13. Let's change our filter to exclude these frames and see what type of frames are left in the trace.
   a. Display > Define Filter > Data Pattern tab.
   b. Enable the NOT above the IPX Checksum pattern by clicking on the red block.
   c. Click OK when finished.

14. Display > Select Filter > select the Pattern Match filter again. Click OK. How many frames are in the new Filtered 5 window that pops up? 4

15. You have now eliminated all Novell NetWare frames and enough Version 2 traffic so that you can easily examine the remaining frames. Review the DLC header in each frame. Answer the following questions:
   a. How many Version2 frames remain? Three - ARP, LOOP Reply Receipt, Chaosnet
   b. How many standard 802.3 frames (with only an LLC header) are there? One - RPL Unknown
   c. How many 802.3 SNAP frames are there? zero

16. Close the window. Do not go on to the next exercise.

Exercise Section 1: A Surprise at 23:00 (Optional)

Objective: In the real world, you often encounter unexpected results. This exercise presents an unexpected situation and asks you to describe your findings. Your instructor will explain the technical background causing the situation AFTER you have done the exercise. (We don't want to spoil the surprise!)

Instructor Note: You will want to omit this exercise, demo it, or do it with the class if you have chosen not to do the previous optional pattern match filtering exercise. The pattern match required here is not detailed in these steps since it was detailed in the previous exercise. The exercise is intended to give the student an opportunity to encounter a strange situation and make reasonable observations about it.

1. Open the file C:\202GUI\Mixed_02.cap. Display the Decode view.

2. What is the frame format used in Frame 1? 802.3 Raw as evidenced by the 802.3 Length field and missing LLC header.

3. What field will you use to eliminate all these packets to see what else might be on this network? You will use the IPX Checksum field ('FFFF' pattern).

4. Create a new Data Pattern match called No Raw Frames to eliminate all frames using this frame format. Select the filter. Carefully study your results.

5. Can you explain the 5 frames? These frames DON'T GO AWAY! When you examine the HEX you will see the '1111' padding bytes between the LENGTH field and the 'FFFF' checksum in the XNS Header. Sniffer Pro assumes they are IPX and decodes them as IPX, posting a message in the Detail window noting the incorrect IPX length field.

Instructor Note: Here's the story behind the problem: These bytes were included when IBM, Sytek (the broadband vendor) and Novell built the IBM Broadband/Ethernet bridge. Although we don't know exactly why Novell put them there we do know that the request came from Novell. One speculation is that something moved data in 4 byte words and the header, when padded from 14 to 16 bytes, provided 4 even 4-byte words. You will only encounter this in some obscure environments. (Think about a bridge set to filter FFFF!)

6. Close the window. Stop here. Do not proceed to the next exercise.
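The two pattern-matching exercises above can be reproduced outside the analyzer. The following is an added example, not part of the course material or of Sniffer Pro: it classifies frames from the type/length field at offset 0C and the bytes that follow, applies the same NOT patterns built in the exercises, and shows why frames carrying the '1111' padding survive an FFFF match at offset 0E. The sample frames, the function names and the "802.3 Raw (padded)" label are assumptions made for this illustration.

```python
import struct

OFF_TYPE_LEN = 0x0C   # type/length field; the Ethertype patterns paste in at offset C
OFF_AFTER_DLC = 0x0E  # first byte after the 14-byte DLC header (FFFF offset in the exercise)


def build(type_or_len, after_dlc):
    """Constructed sample frame: broadcast destination, made-up source, padded to 60 bytes."""
    header = bytes.fromhex("ffffffffffff" "020000000001") + struct.pack("!H", type_or_len)
    return (header + after_dlc).ljust(60, b"\x00")


# Constructed frames, one per format discussed above (not taken from the .cap files).
SAMPLES = {
    "decnet": build(0x6003, b"\x00\x00\x00\x00"),
    "ip": build(0x0800, b"\x45\x00\x00\x1c"),
    "lat": build(0x6004, b"\x00\x00\x00\x00"),
    "ipx_raw": build(0x0022, b"\xff\xff\x00\x22"),
    "llc": build(0x0026, b"\xfc\xfc\x03\x00"),
    "ipx_padded": build(0x0024, b"\x11\x11\xff\xff\x00\x22"),
}

# The filter built step by step in the exercise: NOT 6003, NOT 0800, NOT 6004, NOT FFFF.
PATTERN_MATCH = [
    (OFF_TYPE_LEN, b"\x60\x03"),
    (OFF_TYPE_LEN, b"\x08\x00"),
    (OFF_TYPE_LEN, b"\x60\x04"),
    (OFF_AFTER_DLC, b"\xff\xff"),
]


def classify(frame):
    """Name the frame format from the type/length field and the bytes after it."""
    if len(frame) < OFF_AFTER_DLC + 4:
        return "truncated"
    (type_or_len,) = struct.unpack_from("!H", frame, OFF_TYPE_LEN)
    if type_or_len >= 0x0600:
        return "Ethernet V2"            # value is an Ethertype
    if type_or_len > 1500:
        return "undefined"              # neither a valid length nor an Ethertype
    after = frame[OFF_AFTER_DLC:OFF_AFTER_DLC + 4]
    if after[:2] == b"\xff\xff":
        return "802.3 Raw"              # IPX checksum directly after the length field
    if after == b"\x11\x11\xff\xff":
        return "802.3 Raw (padded)"     # the Mixed_02 case: 1111 padding, then FFFF
    if after[:3] == b"\xaa\xaa\x03":
        return "802.3 SNAP"
    return "802.3 LLC"


def matches(frame, offset, pattern):
    """Fixed-offset data pattern match, as the Data Pattern tab performs it."""
    return frame[offset:offset + len(pattern)] == pattern


def remaining(frames, not_patterns):
    """Frames that match none of the NOT patterns, with their classification."""
    return {
        name: classify(frame)
        for name, frame in frames.items()
        if not any(matches(frame, off, pat) for off, pat in not_patterns)
    }


def find_ipx_checksum(frame):
    """Offset of the FFFF checksum in an 802.3 frame, allowing for the 2-byte padding."""
    (type_or_len,) = struct.unpack_from("!H", frame, OFF_TYPE_LEN)
    if type_or_len > 1500:
        return None
    if matches(frame, OFF_AFTER_DLC, b"\xff\xff"):
        return OFF_AFTER_DLC
    if matches(frame, OFF_AFTER_DLC, b"\x11\x11\xff\xff"):
        return OFF_AFTER_DLC + 2
    return None


if __name__ == "__main__":
    for name, kind in remaining(SAMPLES, PATTERN_MATCH).items():
        print(name, "->", kind)
```

A filter that should also remove the padded frames needs a second pattern at offset 10 (hex), which is what `find_ipx_checksum` accounts for.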


Exercise Section 2: Comparing Ethernet Data

Objective: To look at a series of trace files captured from different speeds of Ethernet data and compare how they appear in the Decode windows.

Background: The appropriate Sniffer Pro was connected to each of these networks and a file was saved. We'll start at 10 Mbps data and work to Gigabit. We are not going to do any type of response time measurements, we'll just look at the delta times between the frames to see how quickly a station can get a frame into the network after the last frame completes. We won't look at any errors there may be, either. We'll save that for later.

1. We'll look at a 10 Mbps trace first. Open C:\202GUI\bcast.cap to the Decode window. This is a trace where every device on the network responded to the RWHO in frame 1 about as fast as they could get them onto the network. There are no physical errors to confuse the timing, but there is one long pause we'll ignore.
   a. Click the Statistics tab. What is the line speed shown here? 10 Mbps
   b. What is the range of Delta times between the ARP frames? (Ignore frame 20) 0.002.985 to 0.003.150 – about 3 milliseconds apart (frame 54 is about 4 ms)

2. Now let's see what's different in the 100 Mbps screens. Open C:\202GUI\100mbfile.cap to the Decode window.
   a. Click the Statistics tab. What is the line speed? 100 Mbps
   b. What is the Delta time of frame 108, one of the shortest delta times? 0.000.161 = 161 microseconds, a good improvement.

3. Finally, we'll look at some Gigabit data. Open C:\202GUI\GB.caz to the Decode window.
   a. Click the Statistics tab. What is the line speed shown? 1000 Mbps
   Instructor note: There are CRC errors and Code Violations (CV) errors in this trace. The students will look at the help screen in the Gigabit section exercise. The help screens give this definition: Gigabit Ethernet uses the 8B/10B transmission code to map signals into 10-bit code groups. 8B/10B coding provides a set of 2^10 possible code groups. A given 10-bit code group can be categorized as either legal, showing a positive running disparity error, showing a negative running disparity error, or as an illegal code group. The Sniffer Pro reports a code violation when it sees a code group that is either illegal or that has a running disparity error as compared to the previous code group.
   b. In the Decode view, what is the Delta time of frame 16, one of the shortest delta times in this trace? (Expand the width of the Delta Time column to see the entire value.) 0.000.000.012 = 12 nanoseconds!
   c. Note that an extra 3-digit column has been added to the Delta and Relative time columns to compensate for this faster speed. It can measure down to 32 nanoseconds.
   d. What is different about the Status column? It shows [A] and [B] to indicate which channel captured the frame. The Fast Ethernet Full Duplex pod captures show the [A] and [B] indicators, too.

4. This has been just a short comparison of what you see in the Sniffer windows. We hope it points out that once you learn how to use the Sniffer for one speed, you can apply those same techniques to looking at the other speeds. In the next sections we'll give you more specific information on how to look in different areas to help you analyze your traffic.

5. Close all the open windows. Do not go on until instructed.

Exercise Section 3: Cable Specifications

Objectives: Use Output from Sniffer Pro and a network map to:
1) Determine if the fact that the 5-4-3 rule was broken in this network design is the "Cause" of the problem
2) Determine the round trip propagation delay for this network
3) Determine if the collisions are "Legal" or appropriate for this network design
4) Narrow the "Fault Domain" and determine the best place to start troubleshooting this problem
5) Determine if there is a relationship between collisions and a LAN overload symptom

Instructor Note: Questions in step 13 have been changed to reflect the actual forwarding delay of 15 bits on the Gandolf hubs. Please review them and be ready for new numbers! Questions 14 and 15 have also been reworded with new assumptions.

Background: You have been called in to investigate problems on an Ethernet network that was designed by someone else. As far as you can tell, the network looks like the drawing below.

[Network diagram labels: Bridge; Hub 1, Hub 2, Hub 3, Hub 3, Hub 3, Hub 3; 50 meters; ?? Coax; Thin Ethernet RG 58 coax; Node 1 WstDig178C41; Node 2 WstDig96EC2C; File Server COFFEE.1 WstDigFF965F; Node 3; Sniffer]

Student note: Note that the picture is not complete. For example, there probably were other stations on the thin Ethernet. We don't know exactly what was on the other side of the bridge shown on the left. Client addresses and the Server COFFEE.1 all exist off of Hub 1. The Sniffer analyzer was connected somewhere near the end of the thin Ethernet. Originally the Sniffer analyzer was placed at the end of the topology and saw no errors. In the actual trace, the Sniffer analyzer was traded with Node 3 and saw errors. Node 3 was moved to the end of the topology and worked without incident.

1. Configure the Alarm settings.
   a. Select Tools > Expert Options > Alarms tab.
   b. Click on the + next to Global to expand it.
   c. Under the LAN overload entry, notice the value of 50 (percent) as the threshold for LAN Overload.
   d. Click in the Lan Load field and change the value to 30 so we will be alerted when the lower threshold is exceeded.
   e. Click on the Apply button.
   f. Click OK to exit the Alarms.
   g. When you change these settings for your own Sniffer, adjust the Dashboard settings, too, so it will reflect the same thresholds. Open the Dashboard, click the Set Thresholds… button. Change the Utilization(%) High Threshold setting to 30. Click OK and note the red area on the Utilization dial now starts at 30%. (This will have no effect unless we generate some traffic for the Dashboard to monitor.) Close the Dashboard.

2. Open the file C:\202GUI\HUB6ARC.caz.

3. Click on Global Symptoms. What are the symptoms? LAN overload and Bad CRC

4. Let's take a closer look at these errors.
   a. Click on the Objects tab on the upper right. (Drag the separator bar to the bottom if the tab is not visible on the right.) Specific information about the condition should now appear.
   b. Click the icon to see the Expert Explain on the LAN Overload symptom. Read the explanation of the problem and possible remedies. Close the Help window when done.
   c. Click the F7 key and observe the similar information on the Bad CRC symptom.
   d. What is the First Time for the LAN Overload symptom? 16:36:56.765 (or 4:36:56:765 PM as it will show later)
   e. What is the Duration of the symptom? 1s 436 ms (1.436 seconds) (4:36:56:765 + 1:436 = 4:37:492:765 PM end time)
   f. What was the value recorded for Maximum and Average LAN Overloads? 35% Maximum, 11% Average
   g. Record the stations involved. 4 stations: WstDig0A065A, WstDigFF965F, Gandlf100738, and WstDig178C41

5. Click on the Summary tab to return to the Expert Overview window.
   What are the symptoms at the DLC layer? What stations are involved? Runt frames (2 stations: WstDigFF965F and Gandlf100738)
   What are the diagnoses at the DLC layer? What stations are involved? High rate of physical errors (3 stations: WstDigFF965F, WstDig96EC2C and WstDig178C41)
   Are any of the stations involved in the LAN Overload condition also reporting errors at the DLC layer? Yes, 2 out of 4 were involved in the DLC Symptoms (WstDigFF965F and Gandlf100738 sent or received Runt frames). 2 out of 4 were involved in the DLC Diagnosis (WstDigFF965F and WstDig178C41 sent bad frames).

6. Press the Decode tab to display the data. Enable the Summary Display Optional Fields, Status, Absolute Time and Bytes (Len), by clicking on Display > Display Setup > Summary Display > Optional Fields. Enable Relative time if the column is not visible. Click OK. What is the total time of this capture? Only 11.201 seconds

7. Zoom in (F4) on the Summary window. We're going to examine the Status column. What types of errors do you observe? Lots of Alignments and Runts, 21 Collisions, 1 Fragment, and 11 CRCs

8. In the next few steps we are going to try to determine what, if any, correlation exists between the LAN Overload condition and the bad frames. The questions one might ask are: Are the bad frames the result of excessive collisions that will occur whenever utilization on an Ethernet network starts to reach a critical state? If so, with the topology involved, at what maximum point within a frame could one expect damage to occur? In this example, one simple way to begin to rule out a correlation is to look for bad frames occurring at times when no LAN overload condition exists. This is a common approach used by analysts when troubleshooting.

9. Let's use a filter to display only bad frames.
   a. Select Display > Define Filter > Profiles > New. Name it allbadframes. Click OK and Done…
   b. Select the Advanced tab.
   c. Disable Packet Type Normal, which will leave only problem frames enabled. Click OK.
   d. Select the allbadframes display filter. Display > Select Filter > allbadframes > OK. A new Filtered x window should open with 2503 frames.

10. Reference the time you recorded earlier for the start and duration of the LAN Overload.
   a. Scroll over to the far right-hand column and scan through the Absolute Time values. (Expert shows military time, decode shows AM, PM)
   b. Did most of the bad frames happen during the LAN Overload? The bad frames were happening before the LAN Overload, during the LAN Overload, and after the LAN Overload.
   c. In your judgement, are the bad frames the result of the LAN Overload condition? The error frames are not just due to the network being busy. If not, what else could be a cause of the bad frames? The errors could be caused by signal reflections, propagation delay, noise, hardware problems, etc. Also, at this point we don't know enough to isolate the problem.

11. We're now going to determine how far into the frames collision damage is occurring. To do that, you will need to define and select a new display filter.
   a. Display > Define Filter.
   b. Create a New Profile called Collisions (copy the Default profile).
   c. Select the Advanced tab.
   d. In the Packet Type text window, clear all of the boxes except for the Collision box.
   e. Click OK to save the filter. OK > Done.
   f. Display > Select Filter. When you select the Collisions filter, you should see a new Filtered x window appear with 21 frames.
   g. Zoom into the Summary window and observe the LEN (bytes) column.
   h. Scan through the LEN (Bytes) column values. What is the largest collision frame recorded? 11 bytes
   The Sniffer stops capturing a frame when a collision causes the bits to no longer be recognizable.

12. With a network only 50 meters in length, would you expect to see collisions occurring so far into the Ethernet frames? No

13. With a network of six repeaters in series and a total cable distance of fifty meters between end stations in the collision domain, do the collision frame sizes seem appropriate? (Hint: each of these hubs adds about 15 bit times of latency to the network. Also, in 10BaseT each bit is 17.7 meters long.) To determine the answer to this question, let's calculate the round trip delay: (use the Windows calculator if you like)
   a. Cable latency in bit times = total distance / length of bit: 50 / 17.7 = 2.82 bits
   b. Total Hub Latency in bit times = latency of each hub * number of hubs: 15 * 6 = 90 bits (/ 8 = 11.25 bytes)
   c. Total Delay = cable latency + total hub latency: 2.8 + 90 = ~93 bits (/ 8 = 11.6 bytes)
   d. Round trip latency = Total Delay * 2: 93 * 2 = 186 bits (23.2 bytes)
   e. Subtract preamble (preamble is on the wire only): 186 bits – 64 bits = 122 bits (15 bytes)
   f. Subtract CRC (CRC is on the wire only): 122 bits – 32 bits = 90 bits (11 bytes)
   g. Total number of bytes displayed in the Sniffer: 90 bits/8 = approx. 11.25 bytes or > 11
   h. Compare your calculations to what you're seeing on the Sniffer Pro analyzer. Does your worst case calculation concur? The collisions (maximum of 11 Bytes) are "Legal" (appropriate) for this network design.

14. Was the fact that the network broke the 5-4-3 rule the reason the collision is occurring so far into the frame? No, the network is only 50m or "3 bits" in length. The accumulated propagation delay of the 6 hubs is what caused the collision to occur so far into the frame. These collisions are also within 64 bytes, which is an IEEE "LEGAL" collision.

15. Will extending the length of each of the hub lengths to their maximum of 100m cause "late collisions" that occur beyond the 64th byte mark in the frame? Potentially yes.

16. In the next few steps, we are going to look at a conversation in the original trace file and attempt to isolate the location of the problem on this LAN. Note that on the network diagram, the Sniffer Pro is behind the suspect cable. Sniffer Pro will therefore see "error" frames from this conversation that really do not exist due to the intermittent cable problem.
   a. Select the Expert tab to return to the main file.
   b. Click on the DLC Objects column.
   c. Click on the WstDig96EC2C address in the Summary view to select it.
   d. Click on the Display Filter icon to filter on this node; a new Filtered x window appears.
   e. What are the errors noted in the Status column? Mostly Alignment and a few Runt errors.
   f. Based on the errors reported in the Sniffer, is the conversation working correctly? No – (at the Sniffer end of the network).
   g. Notice that throughout the conversation between these two nodes, not one frame is resent – even the runt frames! Is this conversation operating normally? It must be.
   h. Apply your filter for Collision frames. Are there any collisions in the conversation between these two nodes? No
   i. There are Runt frames in the trace file between these two nodes. What are they if not the results of a collision? To find out, define a new filter for Runt frames only and select it.
   j. How long are the frames? All 56 bytes. There are no AAs or 55s in the frames, either, indicating it was a local collision on a coax segment. ...could be an indication of a "partial reflection" but it is more like a standing wave that can run the entire length of the cable after the node has finished sending. True reflections occur BEFORE the 32nd byte in a frame.

17. Where is the "Fault Domain" and what is causing this problem? The conversation is working correctly between the workstation and the server -- so something is damaging the frames between the workstation and the Sniffer.

18. Could replacing bad cable correct physical layer errors? Yes!

19. If you could physically inspect the cabling in the Fault Domain, you would notice a piece of ARCnet cable (RG62) connecting a machine to the Thinnet (RG58) segment.

20. Close the trace file window.

21. Stop here. Do not proceed to the next exercise.

Exercise Section 4: Hubports
Objective: Use two related trace files to isolate the cause of physical errors on a 10BASE-T network. Evaluate traces taken by the DOS Sniffer with Sniffer Pro. (See the diagram below.)
Background: We are going to show you how you can use a single Sniffer Pro to perform analysis and comparison on two trace files. A user on a 10BASE-T network was experiencing intermittent problems. Other users appeared to be working fine. Two DOS Sniffer analyzers were used to take "simultaneous" traces. One trace (Hubport2) was taken at the user's work area by disconnecting the drop cable at the back of the workstation and attaching it to the Sniffer's RJ-45 port. The second trace (Hubport1) was taken at the 10BASET hub that served the user's work area. Both Sniffer analyzers were capturing simultaneously.
[Network diagram labels: 10BaseT Hub; Hubport 1: Sniffer on known good port; Hubport 2: Sniffer on suspect port; NetWare client: Novell~FAA; NetWare File Server: 3Com~704; NetWare Client: 3Com~F91]
Fact One: The user's PC was replaced by a Sniffer analyzer.
Fact Two: Another Sniffer analyzer is plugged into a known good port.
1. Evaluate the network diagram then proceed.
2. Think about different ways to approach isolating the source of the problem. What have you come up with?
3. Use the Display menu > Display Setup..., disable the Expert tab.
4. Open the files C:\202GUI\Hubport1.cap and Hubport2.cap.
5. Use Window > Tile to display both files simultaneously and do a frame to frame comparison. (Use the Ctrl-Tab keys to switch between the windows.)
6. How many frames are in the file Hubport1.cap? 71 Hubport2.cap? 75
7. These two trace files start at different frames because the captures could not be started at exactly the same time. You will need to "align" the two trace files to start at the same frame.

Think about different ways to approach aligning the two trace files to start at the same packet before continuing with the lab.
8. We're going to align the two trace files by examining the first frame in Hubport1.cap for a unique string of data and then search for that string in Hubport2.cap.
a. In frame 1 of Hubport1.cap, notice the NCP read command ("Read 512 at 2812416"). The offset value (2812416) is the unique string we will use to align these trace files.
b. Ctrl-Tab to Hubport2.cap > click on frame 1 in the Summary window.
c. Use the Find Frame feature to find the first frame that matches this string:
- Right Click in the Summary window > Select Find Frame
- Choose Text tab
- Search from = Summary text
- Input the value of the offset (2812416)
- Search Direction = Down
d. What is the frame number in Hubport2.cap that matches Frame 1 of Hubport1.cap? Frame 5
9. If the "found frame" in Hubport2.cap matches the first frame in Hubport1.cap, can we assume that the rest of the trace will match as well? If they were both set to capture without a filter, yes.
10. Since we have found a frame in Hubport2.cap that matches Frame 1 in Hubport1.cap, we should be able to select all of the rest of the frames as well. If we select these frames as a group, we should have a file that matches Hubport1.cap exactly. Let's give it a try:
a. Right Click in the Summary window of Hubport2.cap.
b. Click Select Range.
c. Choose Range, From = 5, To = 75. Click Select. Click OK. Note: The boxes to the far left of frames 5 to the end of the trace should contain an X.
d. Right Click in the Summary view.
e. Click Save Selected. A new window titled Snif(n) should appear (The “n” represents a number). The new window should have 71 frames and be aligned frame for frame with Hubport1.cap.
f. We don’t need the Hubport2.cap file any longer so close it now.

11. Choose Window menu > Tile so we can see parts of both windows. Do a quick comparison of the first few frames to verify that the traces are aligned.
12. The next thing we need to do is quickly search through each of the trace files to locate any bad Ethernet frames.
13. We'll use the Find Frame feature again:
a. Highlight the Snif(n) window, select Alt-F3 (the Find Frame window should pop up). Choose the Status tab and select all frame error boxes under Trigger, then select OK.
b. Were any bad frames located? If so, write down the frame number(s) here: Yes – Frame 40
c. Repeat the search until there are no other error frames.
14. Repeat the search process with the Hubport1.cap window.
a. Were any bad frames located here? No
b. It seems that only the Sniffer analyzer on hubport 2 saw a problem -- think about the situation that might cause this to happen.
15. While looking at the Hubport1.cap Summary view, use Display > Go to Frame... to go to the frame number of the bad frame from the Snif(n) window (recorded in Step 13).
16. Compare the two frames in each of the windows. Have you gotten closer to isolating the problem? You should be able to see that the frame is damaged in one trace and is not in the other. What could account for the differences in the traces? One trace was captured from a known good port on the hub, the other was taken from a suspect port. You may think the problem in frame 40 of HUBPORT2.cap was caused by a collision. But if it were a collision, HUBPORT1.cap would have seen a damaged frame also. In addition, if a collision had occurred, the NetWare client would have retransmitted the data. But in HUBPORT1.cap, we can see that the client and the server seem to think there was nothing wrong with frame 40. The hub took a good frame off the backplane and output a bad frame at the bad port only. In fact, that was the case: the port was bad.
17. Use Display > Display Setup and Enable the Expert tab on the General window and close all open windows without saving.
Stop here. Do not proceed to the next exercise.
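The alignment and frame-by-frame comparison from the Hubports exercise, written out as an added Python example (not part of the course material). The Frame record, the function names and the 10-frame resend window are assumptions, and the two traces are constructed to mirror the exercise: 71 and 75 frames, with one frame damaged only at the suspect port.

```python
from dataclasses import dataclass
from typing import List, Optional

RESEND_WINDOW = 10  # assumption: how many later frames to search for a resend


@dataclass(frozen=True)
class Frame:
    data: bytes    # frame bytes as the analyzer shows them (CRC not included)
    crc_ok: bool   # False when the analyzer flagged a CRC, alignment or runt error


def find_alignment(reference: List[Frame], other: List[Frame],
                   confirm: int = 3) -> Optional[int]:
    """Index in `other` of the frame that matches reference[0], or None.

    One matching frame can be a coincidence, so at least confirm - 1 of the
    next `confirm` frames must also match byte for byte.
    """
    anchor = reference[0].data
    for start, frame in enumerate(other):
        if frame.data != anchor:
            continue
        following = zip(reference[1:1 + confirm],
                        other[start + 1:start + 1 + confirm])
        if sum(r.data == o.data for r, o in following) >= confirm - 1:
            return start
    return None


def compare_taps(reference: List[Frame], other: List[Frame]):
    """Return (frame number in `other` where the traces line up, findings).

    Each finding is (aligned frame number, where the damage was seen, resent).
    `resent` is only evaluated for frames damaged at the suspect tap alone.
    """
    start = find_alignment(reference, other)
    if start is None:
        raise ValueError("the two traces do not overlap")
    findings = []
    for n, (good, suspect) in enumerate(zip(reference, other[start:]), start=1):
        if good.crc_ok and not suspect.crc_ok:
            # A collision would be seen at both taps and would force a resend.
            resent = any(f.data == good.data
                         for f in reference[n:n + RESEND_WINDOW])
            findings.append((n, "suspect-only", resent))
        elif not good.crc_ok and not suspect.crc_ok:
            findings.append((n, "both", None))
        elif not good.crc_ok:
            findings.append((n, "reference-only", None))
        elif good.data != suspect.data:
            findings.append((n, "content-differs", None))
    return start + 1, findings


def localize(findings) -> str:
    """Turn the findings into the conclusion the exercise walks through."""
    if any(where == "suspect-only" and not resent
           for _, where, resent in findings):
        return "damage introduced between the hub and the suspect tap"
    if any(where == "both" for _, where, _ in findings):
        return "damage present on the shared segment"
    return "no physical errors"


def build_sample():
    """Constructed traces: 71 frames at the good port, 75 at the suspect port."""
    payloads = [b"NCP Read 512 at %d" % (2812416 + 512 * n) for n in range(71)]
    reference = [Frame(p, True) for p in payloads]
    earlier = [Frame(b"earlier traffic %d" % n, True) for n in range(4)]
    suspect = earlier + [Frame(p, True) for p in payloads]
    # Aligned frame 40 arrives truncated at the suspect port only.
    suspect[4 + 39] = Frame(payloads[39][:9], False)
    return reference, suspect


if __name__ == "__main__":
    ref, sus = build_sample()
    first, found = compare_taps(ref, sus)
    print("traces line up at suspect frame", first)
    print(found, "->", localize(found))
```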


We'll discuss later some of the “rules of thumb” for excessive damaged frames. 6. What are the Expert diagnosis and symptoms at the DLC layer? How many are there? 1 diagnosis . 1.0-OCT2000 Network Associates 10-25 . It might 4. Look in the Hex window for evidence of hardware-related problems. How many damaged frames are there in the Filtered x window? 56 frames b. it varies between . 3. a. DLC source address multicast and DLC source address broadcast. The problem here is that someone put his own plugs on UTP and incorrectly connected the wire pairs so there was no Common Mode Rejection of noise. How many frames are there in this trace? The total number of frames is 79 2. What would you do next to fix this problem? Consider using binary search method to isolate the problem and identify where the damage is occurring.cap. Scroll right in the Summary panel. Is there any consistency to the delta times? No. Select the allbadframes display filter to show only error frames. Alignment and Bad CRC frames. Evaluate the Delta times between some of the damaged frames. Do you think this is a hardware-related problem? How would you describe the damaged frames? Yes. Many of the longer damaged frames include more than 8 bytes of FFs.0001 and 1. What is the range of the size (in bytes) of the damaged frames? 2 ~ 566 bytes 4.Runt frame. do you think there's a problem? Absolutely! 56 out of 79 frames in error is a 71% error rate. 18 symptoms . Open the file C:\202GUI\BADCABLE.9 seconds. View the Decode window.High rate of physical errors. 5.Ethernet Network Analysis and Troubleshooting Exercise Section 4: More Problems Objective: Evaluate and describe the traffic from a network that was experiencing problems. Based on the number of Runt.

The FFFFs show that noise was affecting the traffic and changing the 0 bits to 1s. Do not proceed to the next exercise. 7. Close the window. 4. Stop here. 8. noise is not always so obvious and does not always leave the telltale FFFFs.0-OCT2000 Network Associates 10-26 . Unfortunately.Ethernet Network Analysis and Troubleshooting as well have been flat satin wire.

please consult the document "trace file addendum" located at the back of this manual. Choose between: • • • • • a. So we can't tell (from layer 3 info) how big the frame was supposed to be unless we manually draw out the layer 3 details.cap (Note: For a detailed review of this trace file. Probable cause: Legal local coax collision.) 4. Consider using the Sniffer Pro Ethernet Error Analysis table located before the exercise slides in your student guide. Frame 3 is most likely a retransmission of Frame 2. 1. indicating that this trace was taken from coaxial-based media. C:\202GUI\01.0-OCT2000 Network Associates 10-27 . Sniffer Pro shows frames with collision indication in the Status column. The steel pipe that was embedded in the grooved concrete floor (it carried the coax) had become crushed over time. Configure the Display options to show DLC addresses in the Summary view Display > Display Setup > Summary Display tab > disable Show Network Addresses 2. write down the characteristics of the damaged frames (length.) Legal and late collisions caused by a faulty (crushed) cable. This trace came from a pulp and paper mill where the thick and thinnet cables were occasionally run over by forklifts carrying a large roll of paper. whether frame appears to be repeated. the Summary window indicates that the collision on frames 4 and 6 occurred after 64 bytes. The problem always surfaced for a moment whenever the forklifts ran over the crushed pipe containing the coax cable b.cap Normal collisions Propagation delay Reflected signals Electrical noise Hardware problems Sniffer Pro shows collision indication in the Status column. This is accurate. is perfectly truncated at Byte 12. Also. etc. (Protocol forcing does not give us an option for the DECnet DRP protocol. any pattern present at the end of the frame. For each of the following files. only LAT.) 
and assess the probable type of frame corruption demonstrated in the trace.Ethernet Network Analysis and Troubleshooting Exercise Section 4: Test Your Skill Objective: Hint: To evaluate several different types of frame corruption. but on these larger size frames it is difficult to tell if the frames have been truncated because Sniffer Pro does not decode past the DLC layer. Close each window when you’ve answered the questions. Assume that the trace shows a representative sample of the error. The Hex window shows that the bad frame. Frame 2. C:\202GUI\05.

179 and 321. They look like reflections but cannot be. (Be sure to look at frames 124. and signal reflection. 4. it's probably signal reflection. This may seem odd with so many problems in this trace. in order: Propagation delay.cap Sniffer Pro indicates that frames 5 through 8 are damaged by collisions. never learns the valid addresses and therefore has nothing to associate a Symptom/Diagnoses with even though the addresses here are most likely valid – the Expert would not have learned that. C:\202GUI\17. C:\202GUI\06. All have 11-12 bytes of 55s. appended to 43 bytes of data. when it sees what it knows is a valid address associated with a problem frame it reports the Symptom/Diagnoses. There are possibly multiple problems with this network.cap Variable but small-sized frames. Since every frame in this trace has a CRC error. It is strictly coincidental that the collision occurs 55 bytes into the frame. The frames were selected to create the individual trace to ensure the students learned to identify this pattern as hub jam. Frame 7 and frame 8 are late collisions.) Sniffer Pro reports Alignment and CRC errors in the decode Status column. representing hub/repeater jam. the majority of the signal moves towards the termination and will not be reflected back. 178. This is jut a “lucky break”. That’s 32 bytes total. d. Probable cause. the Expert never builds the object database.Ethernet Network Analysis and Troubleshooting c. Remember. The answer is that the Expert builds the object database from addresses seen in frames without CRC errors. Frames 7 and 8 are truncated late at byte 86.0-OCT2000 Network Associates 10-28 .cap Sniffer Pro shows frames with collision indication in the Status column. Probable cause: repeated collisions on a remote 10BASE-T network. That means that in a full-size 32-byte network. Frames 5 and 6 are truncated at byte 42. as indicated in the Summary and Expert views. no pattern at end of frame. All are small 24 byte frames. C:\202GUI\16. 
the collision can never be more than one-half the network – that’s 16 bytes from the center to the unterminated end and 16 bytes back towards the sender headed towards the termination. not reflection. The Expert doesn’t report any errors other than the Global CRC errors. Then. hardware. Four damaged frames come from same source. f. Frames 7 and 8 are evidence of late collisions combined with signal reflection.cap. Contains DLC addresses. C:\202GUI\21. Probable cause: If this were truly representative of the traffic. e.

Select a few of one kind and Save Selected. Fragment and Runt frames. Stop here. Probable cause: Hardware. Close all open windows.cap. 5. However. Select the allbadframes filter. Use Display > Display Setup > Summary Display to reset the Display option to Show Network Addresses. 4.0-OCT2000 Network Associates 10-29 . You will notice that Alignment and Fragment frames all have CRC errors and the Expert will not learn about any DLC objects associated with those frames. You will have a decode full of Alignment. Do not proceed to the next exercise. load FRAGS. 4. 3. a jabbering NIC.Ethernet Network Analysis and Troubleshooting If you need to demonstrate this. Runt frames do not have a CRC error and the Expert will learn about those DLC objects.


Exercise Section 4: Errors
Objective: Use filtering options to identify physical errors on an Ethernet Network.
Background: The NFS client pc150 [192.9.200.150] is experiencing problems communicating with the NFS server natco-4 [192.9.200.203]. The client and server are separated by a repeater. The subnet mask for these devices is 255.255.255.0.
1. Open the file C:\202GUI\FRAGS.cap. Click on the Decode tab and note the frame count. How many frames? 1173
2. Let's investigate how many of the frames in this trace have been damaged in some way.
a. Apply the allbadframes filter to only show the bad frames. How many frames are bad in the Filtered x window? 111
b. Does this seem to be a problem? 111 bad frames in 1173 is more than a 9% error rate. It certainly warrants more of an investigation.
c. Return to the Decode tab to show the original entire trace.
3. Look at the detail of frame 1. This should be part of a conversation between [192.9.200.150] pc150 and [192.9.200.203] natco-4. Are they on the same or different subnets? The same subnet.
4. Let's apply a filter to isolate this conversation.
a. Click on the Matrix tab.
b. Change the view to IP and use Ctrl-click to highlight [192.9.200.203] and [192.9.200.150].
c. Click on the Visual Filter icon to create the filter. How many frames are in this new Filtered x window? 947
5. Now let’s analyze the conversation between these two stations. Right click on the current Filtered x window and choose Create New Filtered Window. This will allow Expert analysis of these frames. The new window should be named FilteredFramesx.cap.
a. Use the search function to find any frames that contain physical errors (or other symptoms): Display > Find Frame > Expert tab > Any symptom/diagnosis string > Down > OK. Use F3 to repeat the search.

b. Repeat the process to find and analyze all of the error frames in this conversation. How many symptom frames are there? 17 frames have symptoms, some are physical errors, others are NFS problems.
c. When a bad frame occurs, notice who is sending the frame and the C/R sequence, is [192.9.200.203] or [192.9.200.150] always receiving a bad frame? Both are receiving bad frames. This would rule out a bad NIC card in one of the nodes
d. Prior to frame 941, does the conversation recover after each error? Yes, for error frames up to Frame 940. Starting with Frame 941 it does not recover.
e. Press the Decode tab to return to the FilteredFramesx.cap display window with 947 frames. Apply the allbadframes filter to this trace to see how many frames contain physical errors. How many frames do we see in the new filtered trace? 11
f. What types of physical errors are found in this display? Alignment errors
g. Does the number of errors found here seem excessive? 11 errors in 947 frames equals slightly more than 1% errors. This does not seem to be a problem.
h. Use F4 to zoom in the Hex window and look at the damaged frames. What do you notice about the damage? 4 of the frames show 5555s. All frames are damaged beyond 64 bytes.
6. Can we draw any conclusions? 5555s are evidence of hardware problems or collisions. If they are collisions, they all extend beyond 64 bytes and would be late or illegal collisions indicating a possible out of spec network or propagation delay.
7. GoTo Frame 943 and evaluate the conversation.
a. Does the conversation seem to continue normally at this point? No, we see PC150 sending messages but Natco-4 never responds. The conversation always recovered prior to frame 943.

b. What is the delta time between frames 941 and 943? 206.953.080 seconds!
c. What could cause this type of delay? A number of problems or changes in the physical network could cause the network to go down for this amount of time (over 3 minutes!) -- all of them caused by human intervention.
8. Based on what we know now, draw a diagram of this network including the cabling, the repeater, the Sniffer, PC150 and Natco-4, and any other devices that you can identify.
9. Use the diagram to try and isolate the problem.
10. Close the windows without saving.
Stop here. Do not proceed to the next exercise.


Instructor Notes: From the Hex view point out the characteristics of a hub jam as seen on the Sniffer analyzer: 5555555s. 8 bytes long. File 20. A collision occurred. 5. The repeater jam is 96 bits.cap C:\202GUI\20. File BAD03. b. Close all open windows. Presumably the real preamble came from the sender of the frame. The remaining 32 bits are used by the Sniffer Pro analyzer for the CRC check and thus are not visible. 3. with all 5555s. When we see 8 bytes of AA or 55.cap Shows one Runt frame.0-OCT2000 Network Associates 10-35 . File 19.Ethernet Network Analysis and Troubleshooting Exercise Section 4: Evaluating Hub Jams Objectives: Be able to recognize indications of a Hub/Repeater Jam by examining examples taken from a live network. all AAAAs. When they detect a collision off of a port. Press the Decode tab to display the frames. we are seeing the first 64 bits of the jam.cap 1.. Open and evaluate the Expert information There are no symptoms or diagnoses in any of these traces. May also see AAAAAAs. What type of frame damage is present? a. Do not proceed to the next exercise. 4. 2. Hubs are repeaters.cap Shows one Runt. 7 bytes in length with all AAAAs. Open these trace files and answer the questions for each: C:\202GUI\19. Procedure: 4.cap C:\202GUI\BAD03..cap Shows two Runts. It was followed by the repeater's jam. The first 62 bits are defined by IEEE to be 10101010. each 8 bytes long. c. Stop here. they will jam and ensure at least 96 bits.


200 and Client to 161. Click on the All button on the bottom to exclude all protocols. Open and display the trace file C:\202GUI\BADCRC. What is unusual about frame 6? Bad CRC b.cap. we see Client (NGC 030B4D) issue an SMB Read command for 32 kb of data.97. 5. Frames 2 and onwards show Server using NetBIOS to move 1460-byte blocks of data (over a TCP connection) until the TCP window is filled and an acknowledgement is received. starting at offset 3964928 (00803c00h) for the file handle (F=) 1009. 3. Let's change our display to show only the TCP protocol information: a. Press the Decode tab to display the data.69.202. Manually create address book entries for the two stations communicating in this trace. Frame 13 is the retransmission looking at the hex data and the TCP sequence number.0-OCT2000 Network Associates 10-37 . then press T repeatedly until you find Transmission Control Protocol. Enable Show network address in Display < Display Setup > Summary Display. d.) 4.97.) a.INI file in your operating system's configuration files directory. 2. From the information within the IP header. Display > Display Setup… > Summary Display tab. The Sniffer also notes the frame was retransmitted in frame 13. What is the frame length? 978 bytes c. You should now see only the TCP layer displayed. In Frame 1.69. LEN and WIN values to be displayed. Background: 1. 4. b. (Instructor Note: Note that the column will retain this length for all future trace files until you change it again. Uncheck the box for it. Assign the name Server to 161.Ethernet Network Analysis and Troubleshooting Exercise Section 4: Ethernet Physical Errors (Optional) Objective: Determine whether apparent frame errors should be counted as part of overall Network statistics. Lastly. adjust the width of the Summary column in the main display to allow the ACK. but the Summary window associates it with frame 14. (Note that the first block of data is 1456 bytes. then click on OK. 
The parallel tasking feature of many Ethernet cards can throw off baseline statistics unless you know what to look for. or until you delete the Sniffer. SEQ. what size frame did the IP stack on Server indicate that it was sending to the DLC layer for encapsulation? 1500 bytes – a maximum size frame. c.

6. 8. Click OK. We have just seen a scenario where a corrupted Ethernet frame causes the upper layer protocol to time out and retransmit. 3997696. 4.) c. What it the IP total length? 1500 (Sniffer is showing the actual length of the data in the Summary panel line rather than what was originally sent. Examine the LEN= value in the Summary view for Frame 6. Then Client starts sending the data using NetBIOS in frames 4 and 5. Also. return to the Display Setup > Summary Display tab. How many bytes are there in the frame? 978 bytes b. In which frame did you find it? Frame 13 (The first line of the TCP header in frame 6 points us to frame 13) 9. Now.” Yes.6 milliseconds. Look for the retransmitted frame that has the same SEQ number as frame 6 (the bad frame).0-OCT2000 Network Associates 10-38 . and the Client's address to 206. let's examine a scenario where things do not proceed as we expect. and click on the None button to clear all the protocol filters.) 7. compare Client's next SMB Read in Frame 38 with that of Frame 1. Click on the Address Book icon on the main toolbar. 12. it is much longer. Why is the Server retransmitting frames? It did not receive an ACK from Client before before the retransmit timer expired. In Frame 3 it issues a command to the server of Write Block Raw 65520 bytes at offset 0 of the file. When you have edited both stations.135.6. Is the Read 32KB further into file 1009? Look in the SMB detail of this frame at “Starting offset. a. What is the value? 924 bytes a. in preparation to load a new one. 13. Look at the Len(Bytes) column in the Summary window.116. Change the Server's address to 206. (If you go back to frame 2. In Frame 1 Client opens the file PRO40A1. Frame 8 is a retransmission of which previous frame? Frame 2. close the address book. from the sequence number 60142096. 14.TMP.cap and click on the Decode tab to display the frames. 11.132. Close the trace file. the next read is 32KB further into the file. 10. 
What is the delta time between Frames 7 and 8? 323. the Sniffer tells you it was retransmitted in frame 8.116. Does this appear consistent with the times for previous exchanges of data between these two stations? No.Ethernet Network Analysis and Troubleshooting 6. To confirm that the communication continues normally. Frame 6 is a TCP Ack to frames 4 and 5. Open the trace file C:\202GUI\BADCRC-1. b.

15. Frame 7 shows Server's response to Client's write request in frame 3. It indicates Server is ready to write the data Client will send. Look in the SMB Write Raw Data header. The Bytes actually written shows 0, the bytes remaining to be read is 65535 (actually a little more than the client said it would send.) Evidently it has not read the NetBIOS data sent in frames 4 and 5 yet.
16. In Frame 8 we see Client use NetBIOS to write another 1456 bytes of data.
17. Examine the Status and LENgth columns in the Summary view along with the Detail window of Frame 9.
a. What kind of error does SnifferPro post against the frame? CRC error
b. What is the frame length? 516 bytes
c. What type of problem do we normally associate with this type of frame corruption? Electrical noise
18. Normally, the receiver will request the SMB Write again, which may include repeating the entire write process of all 64KB as we saw in the earlier example. Does this occur? No. Server does not request the write again in Frame 73. In fact, with Server's permission, the client continues onward, in writing the next 64KB of data in Frame 75.
19. Now examine Frame 10. With the exception of the actual frame length, do Frames 9 and 10 appear to be the same? To be sure, compare the unique IP Identification fields, IP Length fields, the unique TCP Sequence numbers and Hex ASCII data patterns. Both Frames 9 and 10 are identical: same IP Identification fields (14342, incremented by at least one for each frame sent), same IP Length fields of 1500 (although the first frame contains considerably less than 1500 bytes), and same TCP Sequence numbers (60550401). The Hex data matches to the point of corruption. Even the TCP Checksum fields are the same, although the first frame contains less data than the second frame, which means the Checksum must be different as Sniffer analyzer points out (8722).
20. Now examine the Delta time between Frames 9 and 10.
a. How much time elapses between when Expert Sniffer Analyzer sees the beginning of Frame 9 and when it sees the beginning of Frame 10? 1.6 ms elapses between Frames 9 and 10.
b. How is it possible that Client knew it had sent an undersized and error frame and compensated by retransmitting it immediately? Normally, it is impossible for a sender to know it transmitted a bad frame or that its frame became damaged in transit and, subsequently, retransmit it immediately. When a frame is damaged in transit that is not the result of a legal collision, the receiver's transport layer protocol makes the decision to have the original frame retransmitted properly.

4. the entire frame was ready for transmittal the second time. instead of going through the NIC's memory buffer first. Close all open windows. This trace file came from a client and server using 100Mhz Pentium PCs with 64MB of RAM and 3COM 3C59x PCI-bus based Ethernet NICs. In reality. One scenario involves incompatibilities between PCI-based personal computers and PCI-based Ethernet NICs. Unfortunately. After reviewing a typical retransmission as in the earlier trace file. SMC uses an Early Transmit Threshold (ETT) of 64 bytes with an increment of 8 bytes for each transmit underrun situation. the NIC was faster. There is a general performance guideline for baselining that suggests a network segment should have no more than one CRC error per MB of data seen "on the wire. (Note that an operating system and concurrently executing applications can also bog down a fast PC so as to cause the transmit underrun situation. it is the implementation of a relatively new performance feature called “early transmit”. Subsequently. Use F8 repeatedly to advance to Frame 17. which was creating and transmitting the frame simultaneously. for 153. 21.Ethernet Network Analysis and Troubleshooting c. Use the same method to compare Frames 17 and 19.300%. 25. There are actually two scenarios that can cause this kind of problem. doesn't this seem more like "magic" than a protocol with a structured retransmission mechanism at work? Yes. in both instances. then 2 CRC errors for 154KB = 1. Another scenario involves “early transmit. Stop here. It may be difficult for us to speculate as to what is causing the CRC-error frames to be retransmitted so quickly in the second trace file. Does the earlier situation repeat itself or is this a different problem? The situation repeats itself in Frames 17 & 19. the PC couldn't provide the data for an entire frame before the NIC had sensed the 10BASET network was free and started sending the frame it was creating “on the fly." 
Do the cumulative physical errors exceed this guideline? There are 2 physical errors. Although the PCs were fast.902 bytes seen “on the wire”. Fortunately. It appears as though 3COM uses an ETT of 516B. this does defy convention and seems more like magic than normal communication. This exceeds the guideline substantially! 23. Do not proceed to the next exercise.) Periodically.0-OCT2000 Network Associates 10-40 . 24. If 1 CRC error for 1MB of data = 100%.” This trace file deals with “early transmit” of newer high performance NIC cards with “parallel tasking” or “pipelining” features. the PC in this trace file couldn't provide the data fast enough to the NIC card. specifically CRC errors. the first frame was undersized and aborted. 22. The frame is copied from the PC's memory buffer directly to the network.” The result is a 516 byte frame instead of a 1514 (Sniffer analyzer interprets the last 4 bytes in an Ethernet frame as the CRC and doesn't show them to us).
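An added Python example, not from the course material, that separates early-transmit underrun pairs like Frames 9 and 10 from CRC errors that belong in a baseline. The Frame fields, the 10 ms gap limit, the three-frame lookahead and the decimal megabyte are assumptions; only the Frame 9/10 values and the 153,902-byte total come from the exercise, and the rest of the sample is constructed.

```python
from dataclasses import dataclass

ETH_HEADER = 14           # DLC header bytes; the analyzer does not show the CRC
MAX_GAP_S = 0.010         # assumption: far shorter than any TCP retransmit timer
LOOKAHEAD = 3             # the resend need not be the very next frame (17 -> 19)
BYTES_PER_MB = 1_000_000  # assumption: decimal MB, as in the 154KB arithmetic


@dataclass(frozen=True)
class Frame:
    number: int
    time_s: float       # capture time in seconds
    src: str
    length: int         # bytes displayed by the analyzer
    ip_total_len: int   # IP total length field
    ip_id: int
    tcp_seq: int
    crc_error: bool


def underrun_pairs(frames):
    """Find (bad, good) frame numbers where the sender itself resent a frame.

    The bad frame is truncated and fails CRC; the good one is full size, comes
    from the same station within MAX_GAP_S, and carries the same IP
    Identification, IP length and TCP sequence number.
    """
    pairs = []
    for i, bad in enumerate(frames):
        if not bad.crc_error or bad.length >= bad.ip_total_len + ETH_HEADER:
            continue
        for good in frames[i + 1:i + 1 + LOOKAHEAD]:
            same_datagram = (
                (good.src, good.ip_id, good.tcp_seq, good.ip_total_len)
                == (bad.src, bad.ip_id, bad.tcp_seq, bad.ip_total_len))
            if (same_datagram and not good.crc_error
                    and good.length == good.ip_total_len + ETH_HEADER
                    and good.time_s - bad.time_s <= MAX_GAP_S):
                pairs.append((bad.number, good.number))
                break
    return pairs


def crc_errors_per_mb(crc_errors: int, bytes_on_wire: int) -> float:
    """CRC errors per MB seen on the wire; the guideline is at most 1."""
    return crc_errors / (bytes_on_wire / BYTES_PER_MB)


def baseline(frames, bytes_on_wire: int):
    """Return (raw rate, rate with underrun artifacts left out)."""
    artifacts = {bad for bad, _ in underrun_pairs(frames)}
    errors = [f.number for f in frames if f.crc_error]
    counted = [n for n in errors if n not in artifacts]
    return (crc_errors_per_mb(len(errors), bytes_on_wire),
            crc_errors_per_mb(len(counted), bytes_on_wire))


# Frames 9 and 10 use the values quoted in the exercise; all others are constructed.
BADCRC1_SAMPLE = [
    Frame(8, 0.1000, "Client", 1514, 1500, 14341, 60548941, False),
    Frame(9, 0.1020, "Client", 516, 1500, 14342, 60550401, True),
    Frame(10, 0.1036, "Client", 1514, 1500, 14342, 60550401, False),
    Frame(17, 0.2000, "Client", 516, 1500, 14349, 60560621, True),
    Frame(18, 0.2005, "Server", 60, 40, 5001, 777, False),
    Frame(19, 0.2016, "Client", 1514, 1500, 14349, 60560621, False),
]

# Constructed contrast: a frame damaged in transit and resent by TCP after a timeout.
TIMER_RESEND_SAMPLE = [
    Frame(30, 0.5000, "Server", 978, 1500, 2200, 9000, True),
    Frame(31, 0.8236, "Server", 1514, 1500, 2207, 9000, False),
]

if __name__ == "__main__":
    print(underrun_pairs(BADCRC1_SAMPLE))
    print(baseline(BADCRC1_SAMPLE, 153_902))
    print(underrun_pairs(TIMER_RESEND_SAMPLE))
```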

Exercise Section 5: Short Circuited Bridges
Objective: Evaluate the results of an incompatible implementation of Spanning Tree or disabled Spanning Tree.
Background: The network was in its initial stages of development. New users were being added and the network topology was changing. There were very few actual users connected at this time. The few users that were connected were complaining of extremely slow response time and sessions that were disconnecting. The design of the network provided for redundant backup paths. Spanning Tree would prevent the occurrence of network loops. Not all bridges in use were managed bridges.
Instructor Note: This trace file was taken in a lab network. There were no problems with the physical layer. The WAN links are true full-duplex. The bridges were buffering and were doing 8:1 compression.
[Network diagram labels: 192 Kb, Bridge, Bridge, Sniffer Pro analyzer, Bridge, 192 Kb, Bridge]
1. Evaluate the network diagram, then proceed.
2. What should Spanning Tree accomplish in this network? Spanning tree should disable one of the 192 Kb links.
3. Open the trace file C:\202GUI\SCBRIDGE.caz.
4. Select the Global Symptoms. Record the two symptoms displayed. Broadcast / Multicast Storm and LAN overload.
5. Select the DLC Objects. How many station (non-broadcast) addresses are displayed? Only one (WstDigFD965F).
6. Does this seem logical, given the number of devices detected by the Sniffer Pro? Not really.
7. Press the Decode tab to display the Summary window.
8. What is the range of Delta times for the first 10 frames? From .076 to .172 milliseconds.

9. Are all the frames the same size? Yes, They are all 60 bytes.
10. Press the End key to go to the last frame of the trace. How many frames were captured? 12,406.
11. Observe the value in the Relative Time column.
a. How long did it take for all the frames to be captured by Sniffer Pro? 1.576 seconds.
12. What conclusions do you make? Either that the adapter is streaming with the same frame or there is a bridging loop in the network. In fact, this is indicative of a bridging loop. All the frames are copies of the same frame endlessly circulating the network. If there had been more stations then you would see two, maybe three stations at the maximum, transmitting.
13. If the speed of the bridged links was 10 Mbps instead of the two 192 Kbps links, what effect do you think it would have on the utilization value? Nearly 100%. What would happen to the Delta times? They would decrease to about half their current range values.
14. Close the window.
Stop here. Do not proceed to the next exercise.

Exercise Section 5: Busy Jam

Objective: Determine the cause of continued network slow downs.

Background: The network has been using hubs for some time. NetWare’s Pburst was recently installed to improve the throughput when reading files from and writing files to the file server. Due to the volume of complaints about network response time, a switch was installed to give the file server the equivalent of its own 10 Mbps Ethernet segment. Network performance was not improved.

[Network diagram: Sniffer Pro, Switch, Hub, 10 Mbps, NetWare Server, NetWare Clients]

1. Evaluate the network diagram, then proceed.
2. Open the trace file C:\202GUI\BUSY-JAM.caz.
3. a. How many DLC addresses does Expert Overview display? 18
Instructor note: the DOS Sniffer showed 13. Sniffer Pro counts all stations receiving valid frames as objects, even if they have not transmitted any frames.
4. Click on the number posted in the Global Symptoms column.
a. What symptom is posted? LAN overload.
b. How long has this symptom been active? 10.096 seconds
c. Press the Decode tab. Using the value in the Relative Time column at the end of the trace, can you determine if this symptom was occurring throughout the duration of the trace? Yes, the trace took 10.61 seconds total. Sniffer Pro adds the minimum time that the LAN will remain at overload before resolving itself, if it does.

11. 8. Do the Delta times posted by the Sniffer analyzer seem consistent with a switch or bridge loop in our network? No. 7. They are larger than one would expect to see with a loop. A new Filtered x window with 618 frames should appear. Display the data and evaluate the delta times. do you see signs of physically damaged frames? 8 or 9 bytes of AAAAAs for the destination address and question marks for the source address. They are not the same frame. 6. either. b. They should be close. 4. 9. Back in the Expert view. (Drag the separator bar to the bottom if you do not see the Objects tab on the top right. Looking through the frames. What value is recorded for Average LAN Overload? Average was 80% c. Given the number of DLC addresses identified by the Sniffer analyzer does it seem logical that we have a switch loop in our network? Not really. double-click on the LAN overload symptom to display more detail related to the problem. If you cannot see the entire client address. Let's take a look at the lower two layers to see what's happening there.) a. The destination address of A1.1 is the address of the Novell File Server.0-OCT2000 Network Associates 10-44 . Each frame is also 8 or 9 bytes long. What value is recorded for Maximum LAN Overload? Maximum was 94%. Apply our Allbadframes filter (Display > Select Filter) b. however. a. adjust the width of both of the address columns until the entire address is visible. Click on the for an explanation of this problem. What problems do we associate with this pattern of damaged frames? Signal Reflection and Hub Jams. There are too many stations participating for a loop to be the cause. Can we always rely upon the correctness of our network map? In most networks.Ethernet Network Analysis and Troubleshooting 5. 10. no. Frame 1 shows an NCP command to open a file. 12.

13. With the network topology (type of equipment and design) and indicators from the data, what conclusions do you reach? This is most likely not a Signal Reflection problem. We are using hubs and switches exclusively. These devices reduce the network to a series of point-to-point links with a bus compliance. The transmit leads from each device are a discrete pair, as are the receive leads. Each station transmits its data to the hub/switch, the hub/switch either repeats or switches the data to the appropriate port. We are witnessing Hub Jams (either from the hub or the switch). The real problem is that the server is still on a 10Mbps link. By installing a switch we have done nothing to eliminate the bottleneck in the network (it is now the switch instead of the cable segment that existed earlier). If the server is responding to the client, then the client port must buffer the incoming client frames. The switch will also introduce one full frame of latency to all buffered frames. This really adds latency to all transactions and is a classic example of poor network design. Switches can be very helpful, provided they are deployed correctly.
14. Close the window.
15. Stop here. Do not proceed to the next exercise.


Once you get the port mirrored. What symptoms are listed? VTP versions different. CDP (Cisco Discovery Protocol). How many VLAN objects are there at the Global layer? 40 – from the upper right panel. Note that some of them are FDDI and Token Ring in addition to the Ethernet VLANs. the captured data looks pretty much like other Sniffer traffic with added VLAN information and switch traffic. there are 36 VLANs. Cisco ISL and Cisco VTP b.1Q encapsulation. The Expert gives us a lot of help in determining what has happened.Ethernet Network Analysis and Troubleshooting Exercise Section 5: Switch Traffic (Optional) Objective: To view several types of frames captured in a switched network. In the Expert windows. It looks like that will provide us a lot of things to learn! 2. We’ll start there. At the Global layer. It’s a lot better than trying to make sense of the series of frames on our own! Background: 4. The second trace and third show 802. Open C:\NAI\202GUI\VLANprob. Cisco ISL (Interswitch Link Protocol) encapsulation.0-OCT2000 Network Associates 10-47 . what protocols are active? BPDU. what protocol is shown? Ether and Token Ring e. but will look at the ISL headers and use the Expert information to learn how to troubleshoot from it. answer the following questions. With all five of the Expert windows open. Most of the data has been stripped out of the trace. You can also see the switch’s MIB data when you attach to a switch. At the DLC layer. The Global layer symptom “Spanning Tree Topology Change” is related to BPDU frames. Spanning Tree Topology Change. a. The first trace was captured using the Switch Expert control to SPAN a port to the Sniffer port. d. 3. VLAN not operational. 1. If we had a good network map. We’ll limit our exploration to the Global layer. Several protocols are used in this switched environment: Spanning Tree BPDUs. then look at the lower right panel to see the information shown about the BEFORE and AFTER configuration. 
VLAN removed from Domain c. it would be very easy to see how the mesh has changed with this information. and DISL (Cisco Dynamic Inter-Switch Link). VTP (Cisco Virtual Trunk Protocol) to maintain the tree of switches. highlight the symptom associated with VLAN #1. 2 domains and 2 segments.caz. We are not going to explore the proprietary protocols. You will look at typical switch-related protocols and the different VLAN tagging encapsulation methods.

frame 8 shows the root as 8000. 8.Cisco58F9A00 as root. What is the Priority ID of the root bridge before and after the change? b. These frames are repeated in frames 29 and 30. and 1005 4. Does this agree with what we saw in the Expert? No. The Ethernet frame is directed to the multicast address 0180C2000000 No. 1004. there were also NSAP frames that were not encapsulated. If you look at the VLAN Removed from Domain symptom. 6. Let’s go back to the Expert and look at those VLAN changes we saw. Compare the BPDU header information with frames 1-8. What VLAN was removed? 333 We can assume this is related to the VTP version problem. a. CDP frames are not encapsulated. What is the VTP version being used? 1 d. Look at the BPDU header of frame 9. either. Before: 0001. Since these frames didn’t apply to the information we saw in the Expert. From the lower right panel. Some of the DISL frames have just a DISL header with two parts: one that looks like a version 2 DLC header followed by a “Pseudo LLC/SNAP header” that contains the DISL information. (In the original unfiltered trace. frame 9 shows 0001. 1002. 226. what was the last VTP version received? 2 b.0-OCT2000 Network Associates 10-48 . go back to the Expert and highlight the VLAN #1 Spanning Tree Topology Change symptom. Does this match what we saw in the Expert? Yes. you’ll see that it is this same VLAN and the incorrect version shows in these panels. c. Click the Decode tab. Click on the ? help icon to see what this symptom means. this is what triggered the symptom. What type of encapsulation is it using? Are all the frames encapsulated? It is a standard Ethernet frame encapsulated in an ISL header. 7. Compare the root identifier in frames 9 and 113. Look at the details of the first BPDU frame. They look like standard LLC/SNAP frames. What VLANs are in this domain? 1. Notice that frame 9 has a different “Pri” number from the earlier frames.Cisco58F9AFD. 225. 
The BPDUs in the trace allowed the Expert to build the BEFORE and AFTER table. What is different about the flags in this frame? It is a topology change frame a. then press the Expert’s Display Filter icon. Look at the Global symptoms and highlight the VTP Versions Different symptom.Ethernet Network Analysis and Troubleshooting a.00100706D000 4.0060478F9A00 After: 012c. 1003.) 5. all the frames are not encapsulated. Click on the TNV layer in the Detail Tree in the center bottom panel. Compare the root ID in frame 8 and frame 9.

There is no CRC error posted. Check the tag header in the Detail window.showing just the 8100 protocol type field that identifies this field as a tag. you’ll need to do a data pattern match filter on the SNAP Type = 203 (VTP) which pastes 20 03 at offset 2E. Remember that the Ethertype field shown in this header actually belongs to the part of the DLC header – the tag is inserted between the source DLC address and the type/length field. Note the reason for the non-operational state shown in the lower right window. In the Expert. Open C:\NAI\202GUI\8021q.cap trace. Frame 106 shows all the VLAN that are “Not Operational”. Last. If you want to isolate the VTP frames.) f.250 This and the DLC address should make it quite easy to locate the device that needs the upgrade. 9.cap. Evidently the Sniffer allows 1518 byte 802. then the next byte showing the frame priority. then Find Frame. There are some frames labeled Oversize in this trace. b. so we’ll close it and look at another trace. It’s pretty simple. This trace is using ISL. Which frame shows version 2? Frame 64 What is the updater's IP address? 161. tunnel type and the VLAN ID. Because these are greater than 1518 bytes.69. fortunately. The Statistics tab shows the link is 1000 Mbps. but you will see a TCP checksum error message. go to the Decode window and right click. Scroll up in the Detail window and look at the 8021Q headers. We may see longer frames in the future as the specifications are changed to make Ethernet more efficient at the higher speeds. let’s look at some 802. it labels them as Oversize. Is it like the one we saw from the 100 Mbps link? Yes 12. a. Type MTU too big and click to search in the Detail window and disable match case. Close the 8021q. 10. Find the VTP frames and locate the frame that shows version 2.1Q frames because it knows the tag adds 4 bytes to the maximum size Ethernet frame. g. # 10 shows MTU Too Big For Trunk. 
Scroll down to one of the 1518 byte frames just to see how the Sniffer labels these maximum size 1518 byte Ethernet frames that have the 4 byte header added. Highlight the VTP Versions Different symptom. # 11 shows MTU Too Big For Device. and # 12 shows Suspended.Ethernet Network Analysis and Troubleshooting e. This information will help you reconfigure the devices so you can bring them up. (There are 12 in the trace. then click on the Display Filter icon to see the frames associated with this symptom. # 2 is Undefined.0-OCT2000 Network Associates 10-49 . c. so we’ll just look at the frames in the Decode window. since we see the VLAN tags in the frames and the telltale full-duplex channel identifiers in the Status column.1Q headers. If you want to find the frame(s) that triggered these symptoms.225. 4.cap trace and open C:\202GUI\8021q-gig. This is a trace taken from the trunk between gigabit switches. This trace is pretty clean. 11. highlight one of the VLAN Not Operational symptoms and click the ? help button to get some information about what caused this symptom.
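The tag layout described in this exercise (the 8100 type value, then priority, one flag bit and the VLAN ID, inserted between the source DLC address and the original type/length field) can be decoded directly from the frame bytes. The following Python sketch is an added example, not part of the course material; the function names and the sample frames are assumptions constructed for illustration, and it shows why a 1522-byte tagged frame is "oversize" only to a check that ignores the 4-byte tag.

```python
import struct
from dataclasses import dataclass
from typing import Optional

TPID_8021Q = 0x8100   # type value that marks the next two bytes as an 802.1Q tag
MAX_FRAME = 1518      # maximum untagged Ethernet frame, FCS included
MIN_FRAME = 64        # minimum legal frame, FCS included
TAG_LEN = 4           # bytes the tag adds between source address and type/length


@dataclass
class ParsedFrame:
    dst: str
    src: str
    tagged: bool
    priority: Optional[int]   # 3-bit frame priority
    cfi: Optional[int]        # 1-bit flag that follows the priority
    vlan_id: Optional[int]    # 12-bit VLAN ID
    ethertype: int            # the type/length field that belongs to the DLC header
    wire_len: int             # length including FCS
    naive_size: str           # size class if the tag is ignored
    tag_aware_size: str       # size class allowing 4 extra bytes for the tag


def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def size_class(length: int, limit: int) -> str:
    if length < MIN_FRAME:
        return "runt"
    return "oversize" if length > limit else "ok"


def parse_frame(raw: bytes, fcs_included: bool = True) -> ParsedFrame:
    """Decode the DLC header and, if present, the 802.1Q tag of one frame."""
    if len(raw) < 14:
        raise ValueError("shorter than a DLC header")
    dst, src = raw[0:6], raw[6:12]
    (type_or_tpid,) = struct.unpack("!H", raw[12:14])
    tagged = type_or_tpid == TPID_8021Q
    priority = cfi = vlan_id = None
    ethertype = type_or_tpid
    if tagged:
        if len(raw) < 18:
            raise ValueError("truncated 802.1Q tag")
        # Tag control information, then the original type/length field.
        tci, ethertype = struct.unpack("!HH", raw[14:18])
        priority = tci >> 13
        cfi = (tci >> 12) & 1
        vlan_id = tci & 0x0FFF
    wire_len = len(raw) + (0 if fcs_included else 4)
    limit = MAX_FRAME + (TAG_LEN if tagged else 0)
    return ParsedFrame(mac(dst), mac(src), tagged, priority, cfi, vlan_id,
                       ethertype, wire_len,
                       size_class(wire_len, MAX_FRAME),
                       size_class(wire_len, limit))


def build_sample(payload_len: int, vlan_id: Optional[int] = None,
                 priority: int = 0) -> bytes:
    """Constructed sample frame (zero payload and zero FCS), not from the course traces."""
    hdr = bytes.fromhex("020000000002") + bytes.fromhex("020000000001")
    tag = b""
    if vlan_id is not None:
        tag = struct.pack("!HH", TPID_8021Q, (priority << 13) | vlan_id)
    return hdr + tag + struct.pack("!H", 0x0800) + bytes(payload_len) + bytes(4)


if __name__ == "__main__":
    for frame in (build_sample(1500), build_sample(1500, vlan_id=100, priority=5)):
        p = parse_frame(frame)
        print(p.wire_len, p.tagged, p.vlan_id, p.priority, p.naive_size, p.tag_aware_size)
```
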

13. Remember that Sniffer Pro’s switch Expert and Control functions also show the MIB data for switches. MIB data allows you to see the version of the switch’s operating system and statistics for each module, port and VLAN. This is covered in more detail in the TNV-201-DSP and TNV-112-GUI classes.
14. Close all windows. Do not go on to the next exercise.

Ethernet Network Analysis and Troubleshooting Exercise Section 6: Fast Ethernet Troubleshooting and Back Pressure Objective: To review Ethernet troubleshooting techniques using a trace captured from a Fast Ethernet network.caz. What is the DLC address for 46. How many stations are involved in this? Thirteen. What diagnoses do you see at the DLC layer? High rate of physical errors. They have several problems. Several of them are DECnet stations. We'll use the Expert to tell us about them. 3. you’ll see that many of them have 5s or As in the address. Both trace files were taken from switched Fast Ethernet networks. you will want to adjust your Expert Alarm thresholds for broadcast storms to a much higher level to eliminate these Global symptoms. Look at the Expert. a. Highlight that address in the Expert DLC object list and click on the Display Filter icon. Open C:\202GUI\100MBFIL.0-OCT2000 Network Associates 10-51 . How often is 46. 4.5 seconds DECnet nodes multicasting at this rate will contribute to Broadcast/Multicast storms. Based on this. a. Background: 1. What symptoms do you see at the Global layer? Broadcast/Multicast Storm. a.307 sending these “Hello” frames? Every 14. If you highlight a station with this symptom in the upper right window and look at the DLC addresses in the Detail tree.Decnet stations periodically send these “Hello” frames. What symptoms do you see at the DLC layer? Lots of runts and “DLC address is a multicast address” caused by frame corruption in the destination address field. Look at the Decode window and frame 13.307? DECnet0033B9 (WISHPB) b. Enable Relative Time column if not shown. 4. 2. which tends to be a very “chatty” Protocol. A new Filtered x window with 6 frames will open. then recognize back pressure frames sent by Fast Ethernet switches.

a. a. System Engineers gave these traces to us. Now open the C:\202GUI\Backpres2. What size range are most of the frames? 12 to 20 bytes (a few are larger). From the Expert. what symptoms or diagnoses do you see at the DLC layer? Collision after 64 bytes. b. you’ll see a burst frame from the client requesting retransmission of the frame that got damaged.caz window and open the C:\202GUI\Backpres. This trace was from Michelle Coomes when she was at 3Com. We’d rule out normal collisions because there are far more than 8 bytes of AAAAs and 5555s. What station is involved? 0008C7A4ACB3. Look in the Detail window for the offset and size. 6. 8. Of the 6059 frames in the original trace. Normally. Close the 100mbfil. 434343 and 343434 patterns. Apply your allbadframes filter to the unfiltered Decode window. They were captured from different networks using different hubs. Let’s look at a couple of traces with backpressure so you will recognize it. backpressure will not have such a catastrophic effect on the network. Analyze the problem by looking at the hex of the damaged frames. What data patterns do you see in Decode window? D0D0D0. This is coincidental-. a. then use the Matrix to set a filter on the 2 MAC addresses.) We’d need a network map or the actual network to probe further. This is a filtered trace that shows only bad frames. How many frames have errors? 219. Follow the sequence of the bytes and offsets in this file transfer. Which frame retransmits the damaged frame? Novell’s Pburst has selective retransmission of frames not received in a burst.Ethernet Network Analysis and Troubleshooting 5. It is most likely a hardware problem or backpressure. Use Two station format to show this sequence.cap trace file.6%. AAAAs and 5555s appear in most of the damaged frames. Disable Show Network Addresses.cap trace file.it happened on many stations. View the Decode window and look at the hex data for the frame with this symptom. What conclusions can you draw? 
Frames are damaged anywhere from 2 to 51 bytes into the frame. Frame 9 below the damaged frame. 9. (We don’t have the story on this trace. 7. What type of errors do you see in this frame? Repeating 55s starting at offset 236 in frame 6. This is outside what is considered normal and should be corrected. Fix the physical problems before moving on to the upper layer problems. It becomes very easy to 4. what is the percentage of frames with physical errors? 219/6059 = 3.0-OCT2000 Network Associates 10-52 .

see the effects of the backpressure on the transfer and how the upper layers handle any collisions that result.

This trace came from a company that was having problems from a line running in the proximity of a generator in a warehouse using cat 5 cabling. The errors coming from the EMI were overflowing the buffer on the 10/100 switch so the switch was sending out the backpressure. To solve the situation the customer installed a fiber zip cord and it worked. This proves the point that the backpressure was not the problem but the EMI was.
The Intel client requests a big read in frame 4
The server sends packets 5, 6, 7 and 8 with the data, but 6 gets damaged.
The client comes back in frame 9 with the request for the missing frame
Frame 10 is the retransmission of frame 6.
I hope this fills in the gaps for everyone.
Michael "Mickey" Giovingo

10. These are two examples of backpressure sent by switches to slow the stations. Evidently the buffer is full and they need to slow things down so they can free buffer space. Remember that the specification allows the switch to send preamble bits (alternating ones and zeros) to keep the line busy. This shows up as 5s or As in the traces. If the vendor chooses to use another bit pattern, you will see other bit patterns.
11. To determine the bit pattern for your switches, capture during a busy period and look for frames with suspicious patterns. Disable backpressure on your switch, while capturing a trace. See which patterns are missing. Document the information for your co-workers.
12. If you see a lot of “errors” like this on your Fast Ethernet segments, look at where the back pressure bits show up in the frames to ensure you don’t have a different problem. You may need to segment a network if the switch is unable to keep up with the normal traffic.
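The procedure for finding a switch's backpressure pattern (capture with backpressure enabled, capture again with it disabled, see which fill patterns are missing) can be automated over the raw frame bytes. This Python sketch is an added example, not part of the course material; the function names, the 4-byte minimum run and the sample frames are assumptions constructed for illustration, and the 12-byte limit is the upper jam figure quoted in this course.

```python
from collections import Counter
from typing import Iterable, List, NamedTuple, Set

JAM_MAX = 12   # upper figure the course gives for collision jam on big networks (bytes)


class Run(NamedTuple):
    offset: int   # byte offset where the repeated byte starts
    length: int   # number of repeats
    value: int    # the repeated byte, e.g. 0x55 or 0xAA


def find_runs(frame: bytes, min_run: int = 4) -> List[Run]:
    """Return every run of min_run or more identical bytes in one frame."""
    runs = []
    i, n = 0, len(frame)
    while i < n:
        j = i + 1
        while j < n and frame[j] == frame[i]:
            j += 1
        if j - i >= min_run:
            runs.append(Run(i, j - i, frame[i]))
        i = j
    return runs


def pattern_profile(frames: Iterable[bytes], min_run: int = 4) -> Counter:
    """Count, per repeated byte value, how many frames contain a run of it."""
    profile = Counter()
    for frame in frames:
        for value in {r.value for r in find_runs(frame, min_run)}:
            profile[value] += 1
    return profile


def backpressure_candidates(enabled: Iterable[bytes], disabled: Iterable[bytes],
                            min_run: int = 4) -> Set[int]:
    """Fill bytes seen with backpressure enabled that vanish once it is disabled."""
    return set(pattern_profile(enabled, min_run)) - set(pattern_profile(disabled, min_run))


def longer_than_jam(run: Run, jam_max: int = JAM_MAX) -> bool:
    """True when a run is too long to be explained by collision jam alone."""
    return run.length > jam_max


def filler(n: int) -> bytes:
    """Constructed stand-in for ordinary frame data: no two adjacent bytes are equal."""
    return bytes((i * 7 + 3) % 251 for i in range(n))


# Constructed sample captures, not taken from the course traces.
ENABLED = [
    filler(236) + b"\x55" * 40,   # fill pattern starting deep inside the frame
    filler(20) + b"\xaa" * 16,    # fill pattern early in the frame
    filler(30) + b"\x00" * 30,    # ordinary zero padding
]
DISABLED = [
    filler(30) + b"\x00" * 30,    # zero padding is still present
    filler(64),
]

if __name__ == "__main__":
    for frame in ENABLED:
        for run in find_runs(frame):
            print(f"offset {run.offset:4d} len {run.length:3d} "
                  f"byte {run.value:02X} beyond jam: {longer_than_jam(run)}")
    print("candidates:", sorted(f"{v:02X}" for v in backpressure_candidates(ENABLED, DISABLED)))
```

Zero padding shows up in both captures and so drops out of the comparison, which is the point of capturing once with backpressure disabled.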


Exercise Section 6: Fast Ethernet Problems

Objective: Look at a trace taken from a busy Fast Ethernet network.

Background: Several Windows NT workstations were copying files across the network in a Sniffer University classroom. The stations were connected to a 100 Mbps hub. This trace was captured with a filter set to capture only physical error frames.

1. Open C:\202GUI\Big_bad_rich.caz. What problems does the Expert see and how long did they last? Bad CRC errors at the global layer, lasting 3 minutes, 45 seconds and 723 ms
2. How many DLC objects are shown? Only two, both have NGC cards
3. Look at the Decode window. What type of errors are reported in the status column? CRC, collision, alignment, unknown
4. What conclusions can you draw from what you’ve learned in class? The 55s are collision data that are the result of the two colliders and the hub all jamming at about the same time. On small networks, the jam overwrites each other. On bigger networks, the jam is accumulated, depending on where it started in the frame or preamble. Result: big networks can have 8 to 12 bytes of jam, small networks can have 0 to 8 bytes of jam. The partial frames showing the conversation from 10.0.10.7 (NGC 100D4E) to 10.0.10.9 (NGC 100EF8) show CRC errors, probably due to a marginal or failing card. Many errors caused slow response times. In spite of the problems shown here, most stations did not experience much difficulty.
5. Close the window. Stop, do not go on to the next exercise.


then click the + in front of the Broadcast/Multicast Address icon. it may just be a matter of when each was started and stopped. the other at 100 Mbps.0-OCT2000 Network Associates 10-57 . leave the Address type set to Hardware. Hawk10b. How many frames are in the Hawk10b. They were taken from the Hawking 10/100 multiport repeater that is advertised as a hub. 4.enc has only the router storm diagnosis There are different object counts at the Session. Station and Subnet layers. click in the Station 2 top field to select Any. Stay away from them unless you are cornered or are prepared to discuss them! Background: Instructors: 1. Two Sniffers were attached to a hub. We could assume there were two backplanes in the hub. Let’s see if we can filter out some of the frames to get an idea of the criteria this device is using to forward the frames. Use Windows > Tile to see both of the traces Expert overview simultaneously.enc trace? 130 The Hawk100b. Each port autosenses the speed of the connection. the Hawk100b. Note any differences in Expert information here. Create a new profile called Broadcast. 5. How many frames are there in each trace? Both have 24 broadcast frames. then click OK. Starting at frame 6. too.enc has frames that are not found in the Hawk10b. Press F4 to zoom each Summary panel.enc and Hawk100b. one was attached at 10 Mbps. Scroll down and highlight Broadcast(FFFFFFFFFFFF). Connection. Use the Address tab. Any ports that are not the same speed have the frames bridged between them. Look at the frame data so you can align the first matching frames side by side. Each port on the hub was capable of either speed. Adjust each window so it occupies one half of the screen vertically so you can compare the traces frame by frame. Hawk100b. Select this filter on each trace. 2.enc trace. These traces are from Steve Hammill. one for each speed with a link between them to propagate traffic to all ports. 
There are other issues in these traces that are not related to the forwarding we point out in this exercise.Ethernet Network Analysis and Troubleshooting Exercise Section 6: 10/100 Hubs Objective: Explore traces taken from 10 Mbps and 100 Mbps ports on a single autosensing hub (multi-port repeater) to see if there are differences in what each port sees. 4. so we know the hub forwarded all of those as it should have.enc.) 3. Open these two trace files: C:\NAI\202GUI\Hawk10b. and 1 WINS No Response diagnosis at the Session layer. What are the first two identical frames? Frames 1-5 in each trace are identical.enc has 2 ICMP redirect symptoms and 1 Router Storm diagnosis at the Station layer. First let’s find out how many are broadcast frames. drag it to the top Station 1 field.enc trace? 42 (This does not imply that there is a difference in what the Sniffers saw.

0-OCT2000 Network Associates 10-58 .1.11.Ethernet Network Analysis and Troubleshooting 6.69.enc that aren’t in the Hawk100b. 9.5. etc.enc has 18 frames. 161. Do not go on to the next exercise unless directed by your instructor. 10.33. 192.168. then close them.192. 4. This seems like non-standard behavior. How many DLC addresses are in each trace? The same six devices appear in both traces.enc trace. 11. These frames are also in the Hawk10b. All the WINS non-broadcast frames were filtered by the hub on the 100 Mbps port.192 are in the Hawk100b. Now go back to your Broadcast filter and click the Exclude button and apply the filter to each of the Decode-tabbed windows again.252-255.1.203 8. network management tools. Stop here.251.enc trace.11.1. but there are lots of WINS “Refresh Name” frames in the Hawk10b.13.1. Click the Host Table tab for each trace and compare the IP addresses.168. 10.69. You may find that this type of behavior might impact what you see on the Sniffer.1. It is forwarding frames based on criteria above the datalink layer.1.53.168. You may want to do a similar check of any odd connection problems you see on your 10/100 hubs. Hawk100b.13 and .1. security devices.168.1. 7.enc trace. 10. How many hosts are in each trace and which ones appear in each trace? Both traces have 192. Change the layer to MAC. This means there is at least one router. Enlarge both trace file windows to normal size.enc also has 192. 161. What conclusions can you draw from the behavior of this hub/multiport repeater? This device seems to be doing more than bridging the frames between the backplane. 192. Note that only the Ping and ARP frames between . How many non-broadcast frames are in each trace? Hawk10b. Hawk10b.enc has 106 frames.

Ethernet Network Analysis and Troubleshooting Exercise Section 8: Gigabit Traffic Objective: Background: Follow autonegotiation frames and analyze a trace with errors. You should see Gigabit. Open C:\202GUI\GBAutonegotiation. Half & Full Duplex 5 Ack. The first trace was taken as a Gigabit Ethernet device was initializing. Full Duplex Channel A Direction ç è è ç è è è è ç è è ç Idle All zeros Channel B 4 Ack. We will follow the sequence of frames each side sent. Name it Gigabit and choose the Network Associates Gigabit Ethernet PCI Adapter_x from the Network Adapter drop-down list. Full Duplex Idle 11 12 3. we can assume they will settle on Symmetric Pauses and Full Duplex as the highest common denominator. The rule is to acknowledge after a side 4. Click OK on the “Failed to Set Monitor Mode” message. Click OK twice. Note the contents of C1 for each. Half & Full Duplex 10 Ack. This trace has 12 frames captured between channels A and B. Symmetric Pause. The second trace was captured on a network and has many Expert symptoms. 2. Frame 1 2 3 All zeros Asymmetric & Symmetric Pause. Asymmetric & Symmetric Pause. Full Duplex 6 7 8 9 Ack. Ignore the blinking “Channels A and B Link Faults” indicator in the title bar. SX in the title bar. Asymmetric & Symmetric Pause. Full Duplex Idle All zeros Asymmetric & Symmetric Pause. Use File > Select Settings to create a new Gigabit agent. Link Failure. Zoom the Detail window and press F8 to advance frame by frame.0-OCT2000 Network Associates 10-59 . They will maintain this mode until they are reset or reboot. 1. Symmetric Pause. Don’t copy any settings.cap. Click New. Though we don’t see definitive frames where both agree in this trace.

Let’s look for evidence of physical damage or other erroneous data in these frames. There is no field to indicate the media type in use. 4. Highlight frame 10 and note the IP identification number in the frame. Highlight the Code Violation Errors in the bottom panel and click Display. 5. Open C:\202GUI\GB. they are not. Now press F8 to advance one frame at a time. one or more are inserted between each frame in full-duplex mode. The proof of success lies in seeing whether the devices go on to exchange data (we don’t see that in this trace). 8. 10. Do you see any single source address that might indicate a bad card? No. These devices do not seem to follow the rule. Close this file. On the Advanced tab select 3 only the CRC errors. you have the frames to follow to see where the sides disagree and work from that point. 7. 12. Tab into the Hex window and press F4 to zoom it. Let’s pull in only the frames with bad CRCs. If they don’t exchange data. You will see in the Expert that this trace file has 5 Time-to-Live Expiring symptoms at the Station layer. If they do. Repeat this for a couple of the other CRC error frames. From Display > Define Filter > Profiles > New name the filter CRC Errors. Let’s do one last thing with this trace. Close the Help screen when you’ve learned how the Sniffer makes this determination. We’ll check to see if any of these frames were retransmitted. click Done and OK. Do you see evidence of physical damage? No. (This is automatically enabled for Autonegotiation frames. 11. Use Help > Help Topics > Find. Right-click over the Hex window and choose 10 Bit so we can see the 10 bit decodes. A new window will open with 24 frames showing CRC and CV (code violation) errors. then click OK.Ethernet Network Analysis and Troubleshooting has received 3 consecutive identical frames. there are several different IP source addresses. the frames look pretty normal. type in this ID number in the text search window and click the Detail window radio button. 9. 
Right-click and choose Find Frame. We won’t worry about those – that’s for another course! We can do some examination of the Global symptom of a Bad CRC. then the inconsistencies with the specification don’t matter. but you must set it manually for gigabit data frames. Even though Carrier Extend was developed for half-duplex links. 6. Enter code vi to find the explanation for these. 13. Are they retransmitted? No.cap.) Scroll through the Hex window to see how this data looks. Looking in the Decode window. Now right-click on the Summary window and choose Select Filter from the menu and choose the CRC Errors filter. ID = 52848. You will see some Carrier Extend and idle bits at the end of most of them. so it appears the other side got them OK. though all of them are sent to the same IP and DLC multicast address. too. 4. Notice the 10 bit decodes in the Hex panel are automatically enabled for autonegotiation signals.0-OCT2000 Network Associates 10-60 . Wait while the help files build. we see that almost every frame has a symptom associated with it. Now click back on the Decode tab to view the entire trace again.

14. Use File > Select Settings to return to your 10/100 Ethernet agent.

We don’t have more information on this trace to tell you how this was resolved. We hope this has given you some confidence that you can use the skills you’ve learned here to analyze Gigabit Ethernet frames.


Exercise Section 9: Observing LLC

Objective: Use the Sniffer Pro Network Analyzer Display options to study an LLC session.

Background: This trace file was taken from a Fast Ethernet network running Windows NT4 running on NetBIOS and LLC.

1. Open the file C:\202GUI\LLCnetb2.cap.
2. Use Display > Display Setup > Summary Display to enable Two-station format and exclude All protocols, then click None at the bottom, then click Logical Link Control to enable only LLC, click OK. You should have 221 frames.
3. View the Detail of frame 1. Is this an Ethernet Version 2 or 802.3 frame? 802.3 frame.
4. Is this an LLC Type 1 (connectionless) or LLC Type 2 (connection-oriented) session? LLC TYPE 2 (connection-oriented). There are send [N(S)] and receive [N(R)] numbers for connection-oriented sequencing. There are also two bytes in the Control Field in the hex window.
5. Which frame starts a new LLC connection? Frame 10 is the SABME
6. Which is the first frame where data is sent? Who sent it? What sequence number is sent? Frame 14 is sent by Intel B41D55 using sequence number 0
7. In which frame does Dell D45AE8 send sequence number 3? 23
8. Which frame shuts down the connection? Who sent it? The Intel B41D55 sends the DISC in frame 107
9. What is the response to this frame? Dell D45AE8 sends a UA in frame 108 and that’s the end of this session.
10. What was the purpose of all those frames where no LLC data was sent? Hint: Enable the display of all protocols in Display > Display Setup > Summary Display > enable Show all layers. The first LLC data frame (14) carried the NetBIOS session initialization frame. Frame 18 begins the CIFS/SMB protocol negotiation and account setup process. Once that is done, CIFS/SMB ends the session in frame 105 and LLC disconnects in frame 107. There is no upper layer activity, it appears that the LLC frames are just keep alives.
11. Close all open windows without saving and disable Two-station format.
12. Shut down the Sniffer.

We hope this class will enable you to effectively troubleshoot your Ethernet networks back at your company

