How are Network devices linked together

how to monitor network devices and how to ping devices on network
HartJohnson,United States,Professional
Published Date:02-08-2017
5 network devices and traffic

How Smart is Your Network?

“Everyone in the office thinks I’m crazy, but I swear it’s watching us. I warned them, and they’ll find out soon enough. This network is too smart.”

A network can never be too smart. Networks need as much intelligence as you can pack into them, but where does that intelligence come from? The answer is from its network devices. In this chapter, we’ll look at how hubs, switches and routers use their innate intelligence to move packets around a network. We’ll show you how these devices think, why they’re so useful, and we’ll even take a peek at what network traffic looks like using packet analyzing software. Keep reading, and we’ll show you how to super-charge your network.

You’ve decoded the secret message...

You’re a crackerjack network technician for the Head First Spy Agency. You’ve successfully decoded a secret message from the rogue signal, so what’s next?

...but how do we know who sent it?

Even though we’ve decoded one of the messages the mole sent, we don’t know who sent it. And if we don’t know who’s sending rogue messages, how can we prevent it from happening? We need to somehow track down who the mole is—but how? All we have to go on is the rogue signal we used to decode the message. Can we somehow use that to help us sniff out the mole?

network_ops1spydept.gov
Catch that mole
cloakbossspydept.gov
Great work on decoding that message. Just one question - who sent it? We’ve got to stop whoever’s doing this, or it’s bad news for our business. We can’t afford to let any company secrets get out.

Label each part of the frame below and write some notes about which part of the frame might be important in catching the mole on our network.

Notes: The Payload would contain the actual secret message being sent by the mole.
Label each part of the frame below and write some notes about which part of the frame might be important in catching the mole on our network.

Labels: CRC Checksum, EtherType, Destination MAC address, Payload, Preamble, Source MAC address

Notes:

The Destination MAC address would tell us where the data was going to next. The Destination MAC address is the hardware address of the next network device the frame is going to.

The Source MAC address field would tell us what hardware sent the message and help us pin down the mole’s computer.

We don’t need the rest of the frame elements for now.

The packet information tells us where the packet came from

When we decoded the message earlier, we saw that each packet contains the source MAC address. In other words, it contains the MAC address of the hardware that sent the packet.

You can find a MAC address stamped on the NIC card inside a computer. MAC addresses are six bytes long, or 48 bits. Typically they are written in hexadecimal format and separated by colons or dashes, like this: 0f:2b:5d:e7:a3:eb.

Geek Bits: It’s not just PCs that have MAC addresses. Many internet-capable video game systems have a console that will show you the MAC address of the device.

[Frame diagram: Preamble | Destination MAC address | Source MAC address | ...]

The MAC address of the hardware that sent the rogue message is 00:1f:f3:53:fe:32.

The Source MAC address is the hardware address of the last network device from which the frame was sent. The frame is sent from one NIC to another.

So how can we use this to tell us who the mole is?

That’s easy. We find the computer with that MAC address, and then see who uses it. Chances are, the mole is the person who uses the computer that sent the messages. Right? Let’s see if this works.

So who’s the mole?

Here’s a list of all the MAC addresses at the company you’re investigating.
So who uses the computer that sent the rogue signal?

Person      Location     IP                MAC
Mike D.     Admin        192.168.100.34    00:1f:f3:53:fe:ae
Sue T.      Front Desk   192.168.100.45    00:1f:f3:53:fe:28
Ed G.       Shipping     192.168.100.32    00:1f:f3:53:f:18
Kyle M.     IT           192.168.100.2     00:1f:f3:54:27:d2
Debbie Y.   IT           192.168.100.3     00:1f:f3:86:fe:2a
Carol C.    Admin        192.168.100.4     00:1f:f3:23:4f:1a
Server      IT           192.168.100.100   00:1f:f3:23:4f:27

The MAC address that sent the rogue signal is 00:1f:f3:53:fe:32. But where is it in the list?

Unfortunately, the source MAC address of the signal isn’t in the list, even though the list of computers is up to date. But why?

“I wonder... the list contains MAC addresses for computers, but what if the source MAC address belongs to some other sort of hardware? If that was the case, it wouldn’t be on the list.”

Other types of hardware have MAC addresses. Let’s take a look at the network and see if we can see what’s going on.

There’s more to networks than computers

The company network isn’t just comprised of computers and servers. There are also network devices such as hubs, switches and routers. Hubs and switches work on the local area network (LAN) or intranet, and routers allow us to set up wide area networks (WANs) or internets.

[Network diagram. Device MAC addresses shown: 00:1f:f3:53:fe:ae, 00:1f:f3:53:fe:28, 00:1f:f3:23:4f:27, 00:1f:f3:54:27:d2, 00:1f:f3:53:f:18, 00:1f:f3:23:4f:1a, 00:1f:f3:86:fe:2a]

Diagram notes:

Routers allow us to connect networks.

Switches allow us to connect different machines on the network, too.

This is the point at which the rogue signal was caught.

The Internet is not the same thing as an internet. The Internet refers to the big interconnected space we use to send data around the world. The term “internet” refers to at least two intranets connected together by a router.
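The inventory check described above, as an added example that is not from the original page: it parses the header of a captured Ethernet frame and looks the source MAC up in the list. The frame bytes, the choice of destination address and all function names are constructed for illustration.

```python
import struct

# Inventory from the table above; the Ed G. entry is malformed on the page itself.
INVENTORY = {
    "00:1f:f3:53:fe:ae": "Mike D. (Admin)",
    "00:1f:f3:53:fe:28": "Sue T. (Front Desk)",
    "00:1f:f3:53:f:18": "Ed G. (Shipping)",
    "00:1f:f3:54:27:d2": "Kyle M. (IT)",
    "00:1f:f3:86:fe:2a": "Debbie Y. (IT)",
    "00:1f:f3:23:4f:1a": "Carol C. (Admin)",
    "00:1f:f3:23:4f:27": "Server (IT)",
}

def normalize_mac(text):
    """Return a MAC as 12 lowercase hex digits, or None if it is not 48 bits."""
    digits = text.lower().replace(":", "").replace("-", "")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        return None
    return digits

def parse_ethernet_header(frame):
    """Split a captured Ethernet II frame (captures normally omit the preamble)."""
    if len(frame) < 14:
        raise ValueError("shorter than the 14-byte Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return {"dst": dst.hex(), "src": src.hex(),
            "ethertype": ethertype, "payload": frame[14:]}

def build_index(inventory):
    """Index owners by normalized MAC and report entries that cannot be valid."""
    index, rejected = {}, []
    for mac, owner in inventory.items():
        key = normalize_mac(mac)
        if key is None:
            rejected.append(mac)
        else:
            index[key] = owner
    return index, rejected

def identify_sender(frame, inventory=INVENTORY):
    """Return (source MAC, owner or None, malformed inventory entries)."""
    index, rejected = build_index(inventory)
    src = parse_ethernet_header(frame)["src"]
    return src, index.get(src), rejected

# Constructed sample frame: destination = the server, source = the rogue MAC
# from the page, EtherType 0x0800 (IPv4), made-up payload.
ROGUE_FRAME = bytes.fromhex("001ff3234f27" "001ff353fe32" "0800") + b"secret"

if __name__ == "__main__":
    print(identify_sender(ROGUE_FRAME))
```

The lookup returns no owner for the rogue source address, and it also flags the one inventory entry that is not a full 48-bit address and therefore could never match a captured frame.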
Hubs allow us to connect different machines on the network, such as computers and printers.

Hubs Up Close

As we’ve said before, hubs allow us to connect the different machines we want on our network, like computers and printers, for example. A hub simply takes an incoming signal, copies it to all its other ports, and broadcasts it. A hub is sometimes called a repeater because it repeats the incoming signal using no digital intelligence such as memory or a processor. Here’s what a hub looks like inside:

[Photo of the inside of a hub, with these parts labeled:]
RJ-45 Ports where Ethernet devices connect to
Electrical circuitry that processes signals
Status LEDs
AC power in
Power supply components
Capacitors and Resistors
Collision and Traffic Level Lights show when there are collisions and network traffic on the port

Hubs are dumb

A hub is a dumb device because it doesn’t understand network data, and it doesn’t know about or store MAC addresses. It simply repeats incoming signals on all ports, without making any changes to the signal before broadcasting it.

There is no way to tell that a packet was broadcast from a hub. You just have to know your network layout and what nodes are connected to hubs.

Hubs don’t change the MAC address

So how does this help us trace the rogue signal?

The last device that the packet came through before it was intercepted was a hub. As a hub simply transmits signals as it receives them and has no real understanding of network data, it doesn’t make any change to the source MAC address. It keeps the source MAC address as it was when it received the packet.

Hub: “I don’t understand anything about this signal, so I’ll just broadcast it. Maybe someone else will know what to do with it.”

So which device sent the packet to the hub?

As the hub makes no changes to the source MAC address, this means that the source MAC address must belong to the device that passed the signal to the hub. We need to look beyond the hub to sniff out the mole.
Hubs contain no processors. What does this tell you about how the hub processes signals?

Hubs broadcast incoming signals without making any changes to them. Hubs don’t change the source MAC address.

A hub sends signals, and sends them everywhere

A hub receives incoming signals and sends them out on all the other ports. When several devices start sending signals, the hub’s incessant repetition creates heavy traffic and collisions. A collision happens when two signals run into one another, creating an error. The sending network device has to back off and wait to send the signal again.

[Diagram: When a signal comes in here... the hub sends it to all its other ports.]

Hubs think in terms of electricity

A hub contains no processors, and this means that a hub has no real understanding of network data. It doesn’t understand MAC addresses or frames. It sees an incoming networking signal as a purely electrical signal, and passes it on. So what next?

A hub is really just an electrical repeater. It takes whatever signal comes in, and sends it out on all the other ports.

So what passed the signal to the hub?

So far we’ve seen that the signal passed through a hub, but we don’t know which network device passed the signal to the hub. Let’s go back to the network diagram, this time looking at what other devices are connected to the hub.

[Network diagram. Device MAC addresses shown: 00:1f:f3:53:fe:ae, 00:1f:f3:53:fe:28, 00:1f:f3:23:4f:27, 00:1f:f3:54:27:d2, 00:1f:f3:53:f:3a, 00:1f:f3:53:f:4f, 00:1f:f3:23:4f:1a, 00:1f:f3:86:fe:2a]

The hub has two devices connected to it that could have sent the signal, a computer and a switch. As the computer MAC address doesn’t match the one we’re looking for, we know the computer didn’t send the signal; it must have been the switch.

So how do switches function?

This is the point at which the rogue signal was caught.
[Diagram labels: Switch, Hub]

A switch sends frames, and only sends them where they need to go

Switches avoid collisions by storing and forwarding frames on the intranet. Switches are able to do this by using the MAC address of the frame. Instead of repeating the signal on all ports, a switch sends it on to the device that needs it.

[Diagram: When a frame comes in here... the switch sends it to where it needs to go.]

Switches think in terms of frames

A switch contains processors, RAM, and ASICs, and this means that a switch can properly process network data. It understands MAC addresses and frames, which means that it can deal intelligently with any incoming networking signal. It can work out where the signal needs to go, and deals with it accordingly.

A switch reads the signal as a frame and uses the frame’s information to send it where it’s supposed to go.

Switches Up Close

Just like a hub, a switch allows us to connect the different machines we want on our network, like computers and printers, for example. Here’s a look inside a switch:

[Photo of the inside of a switch, with these parts labeled:]
RJ-45 ports
Fiber uplink ports
Status LEDs
The processor runs the switch’s operating system, manages memory, and coordinates various activities amongst the other digital components.
Application Specific Integrated Circuits (ASICs) are highly specialized integrated circuits...
AC power in
Power supply components

Switches are smart

There’s a big difference in how hubs and switches deal with signals. A switch can process signals as frames, and also understands MAC addresses. Instead of repeating incoming signals on all ports, a switch can store packets and forward them to their destinations. Let’s take a closer look at this.

Switches store MAC addresses in a lookup table to keep the frames flowing smoothly

1 The source workstation sends a frame.
A frame carries the payload of data and keeps track of the time sent, as well as the MAC address of the source and the MAC address of the target.

Frame: “I’m going to 00:fb:23:57:8b:22. I’m coming from 00:0a:1e:55:6d:3b.”

Switch: “I’ll update my table with the information I got from the frame.”

[Diagram labels: Source (00:0a:1e:55:6d:3b), Switch, Target (00:fb:23:57:8b:22)]

2 The switch updates its MAC address table with the MAC address and the port it’s on.

Switches maintain MAC address tables. As frames come in, the switch’s knowledge of the traffic gets more detailed. The switch matches ports with MAC addresses.

MAC address          Port
00:0a:1e:55:6d:3b    49

The switch uses a table to keep track of frame information. A port is where a network node connects to a switch.

3 The switch forwards the frame to its target MAC address using information from its table.

It does this by sending the frame out the port where that MAC address is located, as the MAC address table indicates.

BE the Switch

Your job is to play the switch and update the lookup table based on the frame information shown. Follow the arrows to match the MAC address with the port. We did the first one for you.

[Diagram: a switch with ports 1 to 8, and arrows from the devices 00:0a:1e:55:6d:3b, 00:23:3d:6c:4d:11, 00:1c:21:7f:bb:23, 00:6a:9f:31:55:3f and 00:09:12:dd:34:5e to its ports]

MAC address          Port
00:0a:1e:55:6d:3b    1
00:23:3d:6c:4d:11    3
00:1c:21:7f:bb:23    4
00:6a:9f:31:55:3f    7
00:09:12:dd:34:5e    8

Tonight’s talk: Hub vs. Switch

Hub: Alright, Switch, I’m getting tired of you calling my intelligence into question.
Switch: Could you repeat that?

Hub: I’m getting tired of... are you making fun of me?

Switch: Just a little joke on your other name.

Hub: So they call me a repeater, so what?

Switch: Well, that’s where all your problems lie. The fact that you repeat every little thing that comes into your ports on ALL of your other ports makes for a real slow network.

Hub: Okay, I repeat signals, other than that we’re pretty similar.

Switch: No we’re not. You work in signals. I work in frames.

Hub: I like power more than data. That’s why I work with electricity exclusively.

Switch: I’m a computer. I have my own operating system.

Hub: Well, I connect computers together.

Switch: But you don’t do it efficiently. You bombard all of your ports with unnecessary network traffic.

Hub: I like to make sure that every device on the network gets a heads-up about traffic.

Switch: But it’s all unnecessary noise. I send frames exactly where they need to go. I have built-in digital logic and can read information from frames and use it to send data accurately.

Hub: But I’m cheaper. Can’t beat me at that, can you?

Switch: I’m worth every penny. Put just one of me in a network run entirely by you, and I can up the speed and the bandwidth of the network the minute someone turns me on.

The switch has the information...

Since the switch stores MAC addresses, we should be able to connect to the switch and look at its table. Will this get us the information we need to find the mole?

Notes on the switch and its MAC address table:

MAC Address: the MAC address of a computer or other network device connected to the switch.

Low end switches do not generally have serial ports on them.

The command shown is for an HP ProCurve Switch. Other brands of switches may have slightly different commands to see the MAC address table.

1 Connect your computer to the switch with a serial cable. You will use this to communicate with the switch.

2 Open a terminal program such as Hyperterminal, and get to the command prompt of the switch.
Type in the commands below:

    switch show mac-address

     Status and Counters - Port Address Table

      MAC Address     Located on Port
      -------------   ---------------
      000074-a23563   49
      0001e6-70f1bb   44
      0001e6-7673f6   42
      0001e6-800044   37
      0001e6-81cb6b   5
      0001e6-8f0a86   12

Located on Port: the port number on the switch that the device is connected to.

How long do you think a switch keeps MAC addresses in its table?

“Here are all the MAC address tables. I can’t see the rogue MAC address in any of the tables.”

Frank: So do you think the switches aren’t picking up the MAC address?

Jim: No, the problem is that the switches clear out those MAC address tables in about three minutes.

Frank: Clear them out?

Jim: Yeah, if a network device stops transmitting, the switch just deletes the entry to keep the table size small.

Frank: So where does that leave us with finding this rogue machine?

Jim: Well, I’ve looked at all the PCs and did not find the rogue address.

Frank: What’s next?

Jim: I think we need to capture the network traffic and look for traffic with that source MAC address. I can then get back into the switches to find that address and narrow it down to a port on a switch.

Frank: That sounds like a good plan. How are you going to capture traffic?

Jim: I need to find some software...

We can use software to monitor packets

If you need to monitor network traffic and capture packet information, there’s some great software out there that will do exactly what you need—software like Wireshark.

To monitor traffic, you install the software on a workstation, and then plug the workstation into the network at the point you want to monitor. The software then gives you information about the packets that pass the workstation.

[Diagram labels: Ethernet cable, The Network]

Let’s use Wireshark to monitor traffic on the switch.
That way we can pick up any more rogue signals the mole sends, and find out what network device sends them to the switch.

Wireshark is installed on a workstation and plugged into the network.

Wireshark monitors the inbound and outbound packets. As packets come and go, Wireshark shows them on screen.

Look in Appendix i for more details about installing Wireshark.
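The MAC address table and its aging, as an added example that is not from the original page: a small simulation contrasting a hub's repeat-everything behaviour with a switch that learns source MACs, forwards by table lookup and drops entries after the roughly three-minute timeout mentioned above. The port used for the rogue MAC, the timestamps and the class and function names are constructed; flooding frames for unknown destinations is standard switch behaviour that the page does not describe.

```python
AGE_LIMIT = 180  # seconds; the page's "about three minutes" (configurable on real switches)

class Hub:
    """Repeats every signal out of all other ports; keeps no state."""
    def __init__(self, ports):
        self.ports = list(ports)

    def receive(self, in_port, src, dst, now):
        return [p for p in self.ports if p != in_port]

class LearningSwitch:
    def __init__(self, ports, age_limit=AGE_LIMIT):
        self.ports = list(ports)
        self.age_limit = age_limit
        self.table = {}  # MAC address -> (port, time last seen)

    def expire(self, now):
        """Drop entries for devices that have been silent for age_limit seconds."""
        self.table = {mac: (port, seen) for mac, (port, seen) in self.table.items()
                      if now - seen < self.age_limit}

    def receive(self, in_port, src, dst, now):
        """Learn the source, then return the list of ports the frame goes out of."""
        self.expire(now)
        self.table[src] = (in_port, now)
        known = self.table.get(dst)
        if known is None:
            # Unknown destination: flood (standard switch behaviour, beyond the page).
            return [p for p in self.ports if p != in_port]
        return [] if known[0] == in_port else [known[0]]

    def locate(self, mac, now):
        """What a MAC address table query would report for this MAC at time `now`."""
        self.expire(now)
        entry = self.table.get(mac)
        return entry[0] if entry else None

# Port assignments from the "BE the Switch" answer above.
EXERCISE = [(1, "00:0a:1e:55:6d:3b"), (3, "00:23:3d:6c:4d:11"), (4, "00:1c:21:7f:bb:23"),
            (7, "00:6a:9f:31:55:3f"), (8, "00:09:12:dd:34:5e")]
ROGUE = "00:1f:f3:53:fe:32"  # rogue source MAC from the page
ROGUE_PORT = 5               # constructed: the page never says which port

def demo():
    hub, switch = Hub(range(1, 9)), LearningSwitch(range(1, 9))
    for port, mac in EXERCISE:  # t = 0: every device sends one broadcast frame
        switch.receive(port, mac, "ff:ff:ff:ff:ff:ff", now=0)
    switch.receive(ROGUE_PORT, ROGUE, EXERCISE[0][1], now=10)  # mole transmits once
    return {
        "hub_out": hub.receive(3, EXERCISE[1][1], EXERCISE[0][1], now=20),
        "switch_out": switch.receive(3, EXERCISE[1][1], EXERCISE[0][1], now=20),
        "rogue_at_60s": switch.locate(ROGUE, now=60),
        "rogue_at_200s": switch.locate(ROGUE, now=200),
    }
```

The rogue address resolves to a port one minute after its last frame but is gone after 200 seconds, which is why the table has to be queried while a capture shows the device still transmitting.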