February 2004
No Span Analysis
The first time you place an analyzer on a network to gain a quick perspective
on what is happening, you may not have a specific node to reference. Where do
you begin? Try plugging into a switch without a port mirror/SPAN! I know…
I know… this goes against what is usually heard, but try it! If you plug
in without a mirror/SPAN, all you are going to see is broadcast and multicast
traffic. You can still get some good information from this method.
Reference the behavior of nodes on a switch. Nodes will ARP for their default
gateway if its physical address is not in cache. The ARP is sent as a broadcast,
so stations ARPing for the default gateway have packets destined for
a non-local network. Nodes ARPing for local stations should have the same network
portion in their IP address as the target. Investigate ARPing stations to ensure they are
looking for local stations' physical addresses and that only one station is answering,
or that a gateway is answering. For this method you will want to utilize the
Summary column in EtherPeek NX.
By viewing the Summary column you will be looking for repeated packets such
as a node ARPing for another node periodically. If you see multiple ARP packets
with the same destination from the same source, you can draw the conclusion
that there was never a response. Now you have some information to delve into
deeper with a SPAN!
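The checks described in the two paragraphs above can be automated once the Summary column has been exported. The following is an added example, not code from the article or from EtherPeek NX; it assumes the ARP entries have already been pulled out of the analyzer into simple tuples, and the local network 192.168.1.0/24, the gateway 192.168.1.1 and every address and MAC in the sample are constructed for the example. It flags stations that repeatedly ARP for a target that never answers, stations ARPing for an address outside the local network (a sign of a misconfigured mask or gateway), and targets for which more than one station answers.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of what the Summary column shows for ARP traffic:
# (time_s, operation, sender_ip, sender_mac, target_ip). For a reply,
# sender_ip/sender_mac are the station answering for that address.
SAMPLE_ARP = [
    (0.00, "request", "192.168.1.20", "00:11:22:33:44:20", "192.168.1.1"),
    (0.01, "reply",   "192.168.1.1",  "00:11:22:33:44:01", "192.168.1.20"),
    (1.00, "request", "192.168.1.21", "00:11:22:33:44:21", "192.168.1.50"),
    (2.00, "request", "192.168.1.21", "00:11:22:33:44:21", "192.168.1.50"),
    (3.00, "request", "192.168.1.21", "00:11:22:33:44:21", "192.168.1.50"),
    (4.00, "request", "192.168.1.22", "00:11:22:33:44:22", "10.5.5.5"),
    (5.00, "request", "192.168.1.23", "00:11:22:33:44:23", "192.168.1.30"),
    (5.01, "reply",   "192.168.1.30", "00:11:22:33:44:30", "192.168.1.23"),
    (5.02, "reply",   "192.168.1.30", "00:11:22:33:44:99", "192.168.1.23"),
]


def analyze_arp(records, local_net, gateway_ip, repeat_threshold=3):
    """Classify ARP requests/replies seen on a switch port without a SPAN.

    Returns a dict with:
      gateway_arps        - senders that ARPed for the gateway (they have
                            traffic for a non-local network)
      non_local_target    - (sender, target) pairs where target is outside
                            local_net and is not the gateway
      unanswered          - (sender, target, count) where the same request
                            repeated repeat_threshold times with no reply
      multiple_responders - (ip, [macs]) where more than one MAC answered
    """
    net = ipaddress.ip_network(local_net)
    requests = defaultdict(int)       # (sender_ip, target_ip) -> request count
    responders = defaultdict(set)     # answered ip -> MACs that claimed it
    gateway_arps = set()
    non_local = set()

    for _t, op, sender_ip, sender_mac, target_ip in records:
        if op == "request":
            requests[(sender_ip, target_ip)] += 1
            if target_ip == gateway_ip:
                gateway_arps.add(sender_ip)
            elif ipaddress.ip_address(target_ip) not in net:
                non_local.add((sender_ip, target_ip))
        elif op == "reply":
            responders[sender_ip].add(sender_mac)

    unanswered = [
        (sender_ip, target_ip, n)
        for (sender_ip, target_ip), n in requests.items()
        if n >= repeat_threshold and target_ip not in responders
    ]
    multiple = [(ip, sorted(macs)) for ip, macs in responders.items()
                if len(macs) > 1]

    return {
        "gateway_arps": sorted(gateway_arps),
        "non_local_target": sorted(non_local),
        "unanswered": sorted(unanswered),
        "multiple_responders": sorted(multiple),
    }


if __name__ == "__main__":
    for key, value in analyze_arp(SAMPLE_ARP, "192.168.1.0/24", "192.168.1.1").items():
        print(f"{key}: {value}")
```

Each finding is a lead for the follow-up capture with a SPAN: the unanswered target may be a host that is down or a stale configuration on the sender, the non-local target points at a wrong subnet mask, and two MACs answering for one address is the classic duplicate-IP symptom.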
You will also want to take a look at the different frame formats in use to ensure
nodes are speaking the same language or to put to rest some frame incompatibility
issues. You may wish to reference the Protocols tab, Peer Map or individual
decodes to view different frame types.
You may also find an overwhelming amount of multicast traffic that you may choose
to investigate.
In short… look for repetitive behaviors that do not make sense! This method
will help you to see the forest for the trees!