WildPackets

Tip of the Month

October 2001

So Many Protocols...So Little Time!!!

With over 1700 RFCs covering the IP protocol family, it is impossible to know the details of them all. Protocols change constantly with new product releases and new technologies. Despite that churn, it is worth remembering that the foundation of every IP protocol is the same.

To make the most of our time as packet analysis specialists, we would do well to remember that darned OSI model! Many people know the model but forget to use it in real-life network firefighting.

The vast majority of capacity problems and anomalous conditions on LANs and WANs can be explained by examining Layers 1 through 4. Yet the more we know about networking and protocols, the more tempted we are to jump in at Layer 7 and work our way down toward Layer 1, only to find after many hours of troubleshooting that a cable was unplugged by the nightly office elves!

Here are some recommended steps that follow the model from the bottom up and should help you minimize time spent troubleshooting:

  1. Start at Layer 1, the physical layer, and find some facts.

    1. Is the media properly attached and still working properly?

    2. Should I swap cables and see if one is bad?

  2. Layer 2, the Data Link Layer. This layer enables local communication between nodes.

    1. Are the drivers up to date?

    2. Are we speaking the same frame type as those we are attempting to communicate with?

    3. Is my physical address valid?

    4. Am I able to communicate with nodes on my local segment without going through a router? You can tell whether a packet has crossed a router by looking at the TTL field in the IP header: every router decrements it by one, so a TTL just below a common starting value (64, 128 or 255) tells you roughly how many routers it has passed through. You can also check the source physical address: if it is the router's interface MAC rather than the sending node's own, the packet arrived via the router.

  3. Layer 3 is where IP resides and is, therefore, common ground for all IP family protocols. IP is used for network-to-network communication and handles packet fragmentation and reassembly.

    1. At conversation start-up, is packet size being settled correctly? With Path MTU Discovery the sender sets the Don't Fragment (DF) flag and relies on ICMP "fragmentation needed" messages from routers to shrink its packets; if a firewall drops those ICMP messages, large packets silently disappear while small ones get through.

    2. Do my network addresses come from DHCP, or do I use static addressing?

  4. Layer 4 transport functions may or may not be present in the packets we are looking at. Higher-layer protocols in the IP family generally run over either TCP or UDP.

    1. TCP is connection-oriented and carries Sequence and Acknowledgement numbers that account for every byte of data.

      1. Check that the Sequence and Acknowledgement numbers progress steadily and correctly; a retransmission rate above about 10% for each MB of data transferred is cause for concern.

    2. UDP itself is not connection-oriented. However, connection-oriented behaviour may exist at another layer: below, in Layer 2, or above, within the application protocol running over UDP, which may carry its own sequence numbers and acknowledgements.
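As an added example (not code from this page or from the Peeks), here is a small Python decoder that walks one frame through the Layer 2 to Layer 4 checks above: it confirms the frame type is IPv4, estimates how many routers the packet crossed from the TTL and compares the source MAC with the router's, reads the DF and fragment fields, pulls out the TCP Sequence and Acknowledgement numbers, and counts retransmissions in one direction of a flow against the 10% rule of thumb. The frame, the router MAC and the segment list are all constructed for illustration, and the table of common initial TTL values is a heuristic assumption.

```python
import struct

# Assumption (heuristic, not a Peek feature): the initial TTL values most IP
# stacks use, so a lower observed TTL suggests how many routers were crossed.
COMMON_INITIAL_TTLS = (64, 128, 255)


def fmt_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_ethernet(frame):
    """Layer 2: split an Ethernet II frame into (dst_mac, src_mac, ethertype, payload)."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return fmt_mac(dst), fmt_mac(src), ethertype, frame[14:]


def parse_ipv4(data):
    """Layer 3: decode the IPv4 header, honouring IHL for option-bearing headers."""
    (ver_ihl, _tos, _total_len, ident, flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", data[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "version": ver_ihl >> 4, "ident": ident, "ttl": ttl, "protocol": proto,
        "df": bool(flags_frag & 0x4000),           # Don't Fragment flag
        "mf": bool(flags_frag & 0x2000),           # More Fragments flag
        "frag_offset": (flags_frag & 0x1FFF) * 8,  # offset is in 8-byte units
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "payload": data[ihl:],
    }


def parse_tcp(data):
    """Layer 4: decode the TCP header; data offset is in 32-bit words."""
    src_port, dst_port, seq, ack, off_flags = struct.unpack("!HHIIH", data[:14])
    return {"src_port": src_port, "dst_port": dst_port, "seq": seq, "ack": ack,
            "flags": off_flags & 0x01FF, "payload": data[(off_flags >> 12) * 4:]}


def hops_from_ttl(ttl):
    """Routers crossed, estimated as the gap to the nearest common initial TTL at or above it."""
    candidates = [t for t in COMMON_INITIAL_TTLS if t >= ttl]
    return min(candidates) - ttl if candidates else None


def retransmission_rate(segments):
    """segments: (seq, payload_len) pairs for one direction of a TCP flow, in capture order.
    A segment whose sequence number falls below the highest byte already sent
    is counted as a retransmission."""
    highest_next, retrans = None, 0
    for seq, length in segments:
        if highest_next is not None and seq < highest_next:
            retrans += 1
        highest_next = max(highest_next or 0, seq + length)
    return retrans / len(segments) if segments else 0.0


def analyze(frame, router_mac):
    """Walk one frame through the Layer 2-4 checks and return the findings."""
    _dst, src, ethertype, l3 = parse_ethernet(frame)
    findings = {"src_mac": src, "ethertype": ethertype}
    if ethertype != 0x0800:            # Layer 2: not the frame type we expect (IPv4)
        findings["note"] = "not an IPv4 frame"
        return findings
    ip = parse_ipv4(l3)
    hops = hops_from_ttl(ip["ttl"])
    findings.update({
        "ttl": ip["ttl"], "estimated_hops": hops,
        # Either indicator from step 2.4: TTL decremented, or source MAC is the router's
        "crossed_router": src == router_mac.lower() or bool(hops),
        "df_set": ip["df"], "is_fragment": ip["mf"] or ip["frag_offset"] > 0,
    })
    if ip["protocol"] == 6:            # Layer 4: TCP
        tcp = parse_tcp(ip["payload"])
        findings.update({"tcp_seq": tcp["seq"], "tcp_ack": tcp["ack"],
                         "tcp_payload_len": len(tcp["payload"])})
    return findings


# Constructed sample data (not a real capture). Checksums are left at zero because
# this decoder does not verify them.
ROUTER_MAC = "00:11:22:33:44:55"
_PAYLOAD = b"GET / HTTP/1.0\r\n\r\n"
SAMPLE_FRAME = (
    struct.pack("!6s6sH", bytes.fromhex("aabbccddeeff"), bytes.fromhex("001122334455"), 0x0800)
    + struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(_PAYLOAD), 0x1234, 0x4000, 126, 6, 0,
                  bytes([10, 0, 1, 5]), bytes([10, 0, 2, 9]))   # DF set, TTL 126 (128 - 2 hops)
    + struct.pack("!HHIIHHHH", 49152, 80, 1000, 5000, 0x5018, 65535, 0, 0)  # PSH|ACK, offset 5
    + _PAYLOAD
)
# One direction of a flow: the fourth segment resends bytes 1100-1199 (a retransmission).
SAMPLE_SEGMENTS = [(1000, 100), (1100, 100), (1200, 100), (1100, 100), (1300, 100)]

if __name__ == "__main__":
    for key, value in analyze(SAMPLE_FRAME, ROUTER_MAC).items():
        print(f"{key}: {value}")
    rate = retransmission_rate(SAMPLE_SEGMENTS)
    print(f"retransmission rate: {rate:.0%} -> {'investigate' if rate > 0.10 else 'ok'}")
```

The hop estimate is only as good as the assumption about the sender's initial TTL, which is why the source MAC comparison is kept as a second, independent indicator; on a real capture you would feed the frame bytes from the analyzer into analyze() and the per-flow (seq, length) pairs into retransmission_rate().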

EtherPeek, TokenPeek and AiroPeek (the "Peeks") do an excellent job of decoding IP and many other protocol families. They also provide detailed explanations of a protocol and its use: highlight the protocol in any of many Peek windows and choose Tools/Protocol Info.

This understanding of the OSI model will let you apply the Peeks' capabilities to gain insight into your network's operation, whether or not you are an expert in all 1700+ IP (or other) protocols!

Copyright © 2008 WildPackets, Inc
All registered and unregistered trademarks are the sole property of their respective owners