The LAN Analyser is a real-time statistical tool that loads from
a bootable floppy disk. It runs entirely in RAM and does NOT write to the
hard drive. After using the LAN Analyser, the PC is returned to its
original state by simply removing the floppy disk and rebooting the system.
This feature empowers engineers with a portable "pocket" LAN analyzer.
The LAN Analyser does the following for each IP packet:
- Decodes the packet headers
- Searches and updates the MAC node table
- Searches and updates the user defined IP protocol table
- Searches and updates the IP nodes table
- Searches and updates the IP conversations table
The LAN Analyser's strength is in its ability to perform high speed table
lookups and protocol decoding for each packet. For a LAN segment running
at 10,000 packets per second, the LAN Analyser performs at least 40,000
table lookups and updates per second.
- MAC nodes
- IP nodes
- IP conversations
- Protocol counts
- Duplicate IP addresses
- Router detection
- Unknown TCP/UDP ports
Hardware requirements:
- Pentium 133 MHz
- 32 MB RAM
- 1.44 MB floppy drive
- One or more PCI Ethernet cards
Unix Users:
- Click here to download the raw floppy image.
- Use the dd command to write the image to the floppy disk. For example:
dd if=ltm_fdd.bin of=/dev/fd0
Windows Users:
- Click here to download the self-extracting DOS executable to a MS Windows PC,
and save it in a temporary directory.
- Run the ltm_fdd.exe program. This will extract three files:
  - ltm_fdd.bin (floppy disk image)
  - fdimage.exe (program to write floppy disk images)
  - mkflp.bat (batch file)
- Insert a formatted floppy disk and run the mkflp.bat batch file.
The ltm_fdd.bin floppy disk image will be written to the floppy disk.
- Boot a network connected PC with the LAN Analyser floppy disk.
- Switch to the configuration screen (Alt-F2) and select Option 3.
- Configure the IP address, netmask and default gateway.
- Select Option 1 to reboot with the new configuration.
- Point your web browser at the IP address of the probe.
- Click on the "Interface 0 - telnet a.b.c.d 30000" button to
start a telnet connection to the probe.
- All available user commands are displayed on the initial help screen.
The LAN Analyser is a "LAN" tool; however, many customers use it to track
traffic volumes over their WAN links. This is typically achieved by locating
the LAN Analyser on the same network segment as the router, or by mirroring
the router's switch port.
The following examples display typical deployment configurations for the
LAN Analyser:
Example 1: Port mirroring (diagram)
Example 2: VLAN mirroring (diagram)
NOTE: Many of the newer switches do not allow packets to be
transmitted on the monitor port, therefore the LAN Analyser will need to
be fitted with at least two network interfaces (i.e. one to monitor and the
other to talk to the network).
The LAN Analyser only supports the following set of terminal emulators:
MAC node table:
Tips:
- Only the MAC addresses on the local subnet should appear in the table.
All IP traffic coming from other subnets should contain a source MAC of
the local router.
- Only the local subnet IP addresses should appear in the table.
- The alerts screen displays a possible list of duplicate IP addresses.
- The alerts screen displays a list of "Possible routers". A MAC is
listed as a "Possible router" if:
  - Its IP address keeps changing.
  - It transmits a routing type of packet (e.g. RIP, OSPF, EGP, BGP,
ICMP NetRedirect).
Due to the complexity of many networks or incorrect device configuration,
routers and devices which appear to be acting like a router are listed in
the "Possible router" list of the alerts.
- The LAN Analyser will usually lock onto each router's correct IP address
once it has seen a routing type packet (e.g. RIP, OSPF, BGP, ICMP NetRedirect).
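The per-packet table updates described at the top of this page, together with the duplicate-IP and "Possible router" rules from the tips above, as an added illustration that is not the LAN Analyser's own code. It works on already-decoded packets (dictionaries with assumed field names), the routing-protocol set, the "IP keeps changing" threshold and the sample packets are constructed for the example, and the local subnet prefix is passed in by the caller.

```python
from collections import defaultdict

# Routing-type packets the page lists as router indicators (assumed names).
ROUTING_PROTOS = {"rip", "ospf", "egp", "bgp", "icmp.NetRedirect"}
# A MAC seen with more than this many source IPs is treated as "IP keeps changing".
CHANGING_IP_THRESHOLD = 2


class LanTables:
    """MAC node, IP node, conversation and protocol tables plus the two alert lists."""

    def __init__(self, local_net):          # local_net is a prefix such as "10.0.1."
        self.local_net = local_net
        self.mac_nodes = {}                 # mac -> {"ips": set(), "pkts": int}
        self.ip_nodes = {}                  # ip  -> {"mac": str, "pkts": int}
        self.conversations = defaultdict(int)   # (ip_a, ip_b) sorted -> packets
        self.proto_counts = defaultdict(int)
        self.dup_ip_alerts = {}             # ip  -> set of MACs that claimed it
        self.possible_routers = {}          # mac -> reason it was flagged

    def update(self, pkt):
        src_mac, src_ip, dst_ip, proto = pkt["src_mac"], pkt["src_ip"], pkt["dst_ip"], pkt["proto"]
        self.proto_counts[proto] += 1

        # MAC node table: one entry per source MAC, remembering every IP it has used.
        node = self.mac_nodes.setdefault(src_mac, {"ips": set(), "pkts": 0})
        node["pkts"] += 1
        node["ips"].add(src_ip)

        # "Possible router" rules: it sent a routing packet, or its IP keeps changing.
        if proto in ROUTING_PROTOS:
            self.possible_routers[src_mac] = f"sent {proto}"
        elif len(node["ips"]) > CHANGING_IP_THRESHOLD and src_mac not in self.possible_routers:
            self.possible_routers[src_mac] = "source IP keeps changing"

        # IP node table: a local-subnet IP arriving from a second MAC is a duplicate IP.
        entry = self.ip_nodes.get(src_ip)
        if entry is None:
            self.ip_nodes[src_ip] = {"mac": src_mac, "pkts": 1}
        else:
            entry["pkts"] += 1
            if entry["mac"] != src_mac and src_ip.startswith(self.local_net):
                self.dup_ip_alerts.setdefault(src_ip, {entry["mac"]}).add(src_mac)

        # IP conversation table keyed on the unordered address pair.
        self.conversations[tuple(sorted((src_ip, dst_ip)))] += 1

    def non_router_foreign_ips(self):
        """Off-subnet IPs whose source MAC is not a known router: per the tips, there
        should be none, so anything returned is worth investigating."""
        return sorted(ip for ip, e in self.ip_nodes.items()
                      if not ip.startswith(self.local_net) and e["mac"] not in self.possible_routers)


# Constructed sample traffic: two hosts, a third host using the first host's IP,
# and a router MAC forwarding off-subnet traffic before announcing RIP.
SAMPLE_PACKETS = [
    {"src_mac": "00:aa:00:00:00:01", "src_ip": "10.0.1.10", "dst_ip": "10.0.1.20", "proto": "tcp"},
    {"src_mac": "00:aa:00:00:00:02", "src_ip": "10.0.1.20", "dst_ip": "10.0.1.10", "proto": "tcp"},
    {"src_mac": "00:aa:00:00:00:03", "src_ip": "10.0.1.10", "dst_ip": "10.0.1.20", "proto": "udp"},
    {"src_mac": "00:aa:00:00:00:fe", "src_ip": "192.168.5.7", "dst_ip": "10.0.1.10", "proto": "tcp"},
    {"src_mac": "00:aa:00:00:00:fe", "src_ip": "172.16.0.9", "dst_ip": "10.0.1.20", "proto": "udp"},
    {"src_mac": "00:aa:00:00:00:fe", "src_ip": "10.0.1.1", "dst_ip": "224.0.0.9", "proto": "rip"},
]


def run_sample(packets=SAMPLE_PACKETS):
    tables = LanTables("10.0.1.")
    for pkt in packets:
        tables.update(pkt)
    return tables


if __name__ == "__main__":
    t = run_sample()
    print("duplicate IPs:", t.dup_ip_alerts)
    print("possible routers:", t.possible_routers)
    print("foreign IPs not via a router:", t.non_router_foreign_ips())
```

The foreign-IP check is run after the whole sample has been processed, which mirrors the last tip: the router MAC is only recognised once its RIP packet has been seen, so the two off-subnet addresses it forwarded earlier are cleared retrospectively.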
IP Protocol decoding:
The IP protocol decoder attempts to find a match in its defined set of
IP protocols and subprotocols. If a match cannot be found, then the
packet is marked as "unknown". A "Protocol" is one of the types defined
in /etc/protocols. For example:
- icmp (1)
- igmp (2)
- tcp (6)
- egp (8)
- udp (17)
- ospf (89)
- ...
The "SubProtocol" is the next layer down within each IP Protocol. For example:
- icmp EchoReply (0)
- icmp Unreachable (1)
- icmp NetRedirect (2)
- ...
- icmp TtlExceeded (11)
- ...
- tcp ftp-data (20)
- tcp ftp (21)
- tcp ssh
- tcp telnet (23)
- ...
- udp dns (53)
- udp bootps (67)
- udp bootpc (68)
- udp snmp (161)
- udp snmptrap (162)
- ...
If a match cannot be found for a SubProtocol, then it is marked as {protocol}.unknown.
Unknown TCP/UDP port numbers:
If the SubProtocol cannot be determined for a TCP or UDP packet (i.e. neither
port number matches a defined entry), then the Unknown Ports table is updated
with both the source IP/Port and destination IP/Port. This table allows you
to quickly identify which TCP/UDP port numbers are being used for local
applications and from what IP addresses.
This information is useful for detecting locally written applications
or applications which are using unregistered port numbers.
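The protocol/subprotocol naming just described, with the Unknown Ports table fed from unmatched TCP/UDP packets, as an added example that is not the LAN Analyser's own code. The protocol and port tables are small constructed subsets (the ICMP entries use the RFC 792 type numbers), the packet field names are assumed, and the sample packets are constructed; the `likely_local_services` helper is an addition that reads the table the way the paragraph above suggests.

```python
from collections import defaultdict

# Constructed lookup tables: IP protocol numbers, ICMP types (RFC 792 numbering)
# and well-known TCP/UDP service ports.
PROTOCOLS = {1: "icmp", 2: "igmp", 6: "tcp", 8: "egp", 17: "udp", 89: "ospf"}
ICMP_TYPES = {0: "EchoReply", 3: "Unreachable", 5: "Redirect", 8: "EchoRequest", 11: "TtlExceeded"}
TCP_PORTS = {20: "ftp-data", 21: "ftp", 22: "ssh", 23: "telnet", 25: "smtp", 80: "http"}
UDP_PORTS = {53: "dns", 67: "bootps", 68: "bootpc", 161: "snmp", 162: "snmptrap"}


class ProtocolDecoder:
    def __init__(self):
        self.counts = defaultdict(int)          # "proto.sub" -> packets
        self.unknown_ports = defaultdict(int)   # (ip, port, proto) -> packets

    def decode(self, pkt):
        """Return the "{protocol}.{subprotocol}" name for one decoded packet."""
        proto = PROTOCOLS.get(pkt["ip_proto"])
        if proto is None:
            name = "unknown"                    # protocol number not in the table
        elif proto == "icmp":
            name = f"icmp.{ICMP_TYPES.get(pkt['icmp_type'], 'unknown')}"
        elif proto in ("tcp", "udp"):
            table = TCP_PORTS if proto == "tcp" else UDP_PORTS
            # Either end may be the server side, so try the destination port first,
            # then the source port (reply packets).
            sub = table.get(pkt["dport"]) or table.get(pkt["sport"])
            if sub is None:
                sub = "unknown"
                # Record both ends so the listening side shows up by repetition.
                self.unknown_ports[(pkt["src_ip"], pkt["sport"], proto)] += 1
                self.unknown_ports[(pkt["dst_ip"], pkt["dport"], proto)] += 1
            name = f"{proto}.{sub}"
        else:
            name = proto                        # igmp/egp/ospf: no subprotocol table here
        self.counts[name] += 1
        return name


def likely_local_services(decoder, min_pkts=2):
    """IP/port pairs seen repeatedly in the Unknown Ports table: ephemeral client
    ports appear once, a locally written server's port keeps recurring."""
    return sorted(key for key, n in decoder.unknown_ports.items() if n >= min_pkts)


# Constructed sample: a telnet exchange, a DNS query, two clients talking to an
# unregistered service on port 7777, an ICMP TTL-exceeded, OSPF, and GRE (47).
SAMPLE_PACKETS = [
    {"src_ip": "10.0.1.10", "dst_ip": "10.0.1.20", "ip_proto": 6, "sport": 40123, "dport": 23},
    {"src_ip": "10.0.1.20", "dst_ip": "10.0.1.10", "ip_proto": 6, "sport": 23, "dport": 40123},
    {"src_ip": "10.0.1.10", "dst_ip": "10.0.1.30", "ip_proto": 17, "sport": 53123, "dport": 53},
    {"src_ip": "10.0.1.10", "dst_ip": "10.0.1.40", "ip_proto": 6, "sport": 51000, "dport": 7777},
    {"src_ip": "10.0.1.50", "dst_ip": "10.0.1.40", "ip_proto": 6, "sport": 52000, "dport": 7777},
    {"src_ip": "10.0.1.1", "dst_ip": "10.0.1.10", "ip_proto": 1, "icmp_type": 11},
    {"src_ip": "10.0.1.1", "dst_ip": "224.0.0.5", "ip_proto": 89},
    {"src_ip": "10.0.1.1", "dst_ip": "10.0.1.10", "ip_proto": 47},
]


def run_sample(packets=SAMPLE_PACKETS):
    decoder = ProtocolDecoder()
    names = [decoder.decode(p) for p in packets]
    return decoder, names


if __name__ == "__main__":
    d, names = run_sample()
    for pkt, name in zip(SAMPLE_PACKETS, names):
        print(pkt["src_ip"], "->", pkt["dst_ip"], name)
    print("likely local services:", likely_local_services(d))
```

Port 7777 at 10.0.1.40 is the only entry that recurs, because the two client-side ephemeral ports each appear once; that is exactly the pattern that separates an unregistered local service from the clients using it.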
IP Nodes:
Tips:
- IP addresses from other subnets should contain the MAC address
of a local router.
IP Conversations:
- Q. Is there any technical support for the LAN Analyser?
A. No.
- Q. My browser does not support the "telnet" URL?
A. That's unfortunate. You will have to manually start a telnet
session to the specified IP Address / Port number.
- Q. Can the LAN Analyser be password protected?
A. No. This feature is only available in the commercial version of Statseeker.
- Q. Can the LAN Analyser monitor 802.1Q VLANs?
A. Yes.
- Q. Can I define my own TCP/UDP protocol types?
A. No. This feature is only available in the commercial version of Statseeker.
- Q. Can multiple people use the LAN Analyser at once?
A. Yes. It runs on FreeBSD, a multi-user, multi-tasking operating
system.