Running applications across a modeled network shows how the applications will behave in similar situations. We used Fragroute and Fragrouter (see "NIP Attacks in the Bud") to test security devices' ability to reassemble traffic streams and detect obvious evasion techniques. Fragroute can slice packets into tiny fragments, duplicate and reorder packets, set IP options and do a host of other nasty things.
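The reassembly a security device must perform before it can inspect traffic sliced up by a tool like Fragroute is illustrated here with an added, constructed Python example (not from the article or from any product it names): it rebuilds a datagram from IP-style fragments and flags the reordering, duplication and overlap tricks the device has to cope with. The `Fragment` record and the raise-on-conflict policy are assumptions of this example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Fragment:
    ident: int      # IP identification field, shared by every piece of one datagram
    offset: int     # byte offset of this piece within the original payload
    more: bool      # "more fragments" flag; False only on the final piece
    payload: bytes

class ReassemblyError(Exception):
    """Conditions a security device should treat as suspicious, not silently resolve."""

def reassemble(fragments):
    """Rebuild one datagram's payload from fragments in any order; returns (payload, warnings)."""
    if not fragments:
        raise ReassemblyError("no fragments")
    if len({f.ident for f in fragments}) != 1:
        raise ReassemblyError("fragments of different datagrams mixed")
    warnings = []
    ordered = sorted(fragments, key=lambda f: f.offset)
    if ordered != list(fragments):
        warnings.append("out-of-order delivery")
    buf = {}          # byte position -> value, so overlapping bytes can be compared
    seen = set()
    total = None
    for f in ordered:
        if (f.offset, f.payload) in seen:
            warnings.append(f"duplicate fragment at offset {f.offset}")
            continue
        seen.add((f.offset, f.payload))
        if not f.more:
            if total is not None:
                raise ReassemblyError("two fragments claim to be last")
            total = f.offset + len(f.payload)
        overlap = False
        for i, b in enumerate(f.payload):
            pos = f.offset + i
            if pos in buf:
                overlap = True
                if buf[pos] != b:
                    # Hosts resolve disagreeing overlaps differently, which is what evasion exploits; refuse to guess.
                    raise ReassemblyError(f"conflicting overlap at byte {pos}")
            buf[pos] = b
        if overlap:
            warnings.append(f"overlapping fragment at offset {f.offset}")
    # Every byte up to the declared end must be present, and none beyond it.
    if total is None or set(buf) != set(range(total)):
        raise ReassemblyError("last fragment missing, gap, or data past end")
    return bytes(buf[pos] for pos in range(total)), warnings
```

Feeding the same fragment set to this function and to the SUT's reassembly shows whether the device sees the stream the end host sees, or something an evasion tool has arranged for it to see instead.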
Before we run these packet games, we like to see what the SUTs are doing. Protocol-analysis tools are essential for discovering and troubleshooting network problems, and desktop protocol analyzers like Network Associates' Sniffer and Wild Packets' EtherPeek are invaluable for analyzing network traffic. Both analyzers support a wealth of protocol decodes for the hexadecimal-challenged, and they have extremely flexible packet-filtering capabilities. The open-source Ethereal has fewer features, especially in expert analysis, but it has good protocol decodes and has been ported to multiple OSs. Better than Java--learn once, run everywhere. For you command-line geeks, tcpdump is a viable option and, like Ethereal, has been ported to multiple OSs.
Because most NICs drop errored frames, we use in-line protocol analyzers, such as Network Associates' Sniffer Distributed s400 Model EG2S appliance, to monitor all traffic passing a point in the wire. The EG2S, which sits in-line and uses an external console to capture packets and analyze data, can capture all traffic on full-duplex gigabit links. The downside is no real-time packet analysis.
Mike Fratto is a senior technology editor based in Network Computing's Syracuse University Real-World Labs®; he covers all security-related topics. Prior to joining Network Computing, Mike worked as an independent consultant in central New York. Write to him at mfratto@nwc.com.
There are several ways to get traffic off the wire and into a protocol analyzer, and each has advantages and disadvantages. At first glance, the easiest method is to plug the network and the protocol analyzer into a hub. You can have as many protocol analyzers as the hub supports. The caveat is that if you're monitoring Fast Ethernet, you've halved your overall throughput--100 Mbps shared versus 200 Mbps switched--and you've introduced contention on the network, which means collisions.