Network World

Wendell Odom

The Confidence that Comes from Sniffing/Tracing

By wendell on Mon, 11/26/07 - 3:33pm.

Many network engineers spend some time Sniffing what goes over the wire on a LAN. In fact, from talking to students over the years, it's clear that the confidence to answer questions about addresses used in a network (like the one listed in this blog posting) comes from using a Sniffer (or your favorite alternative) to see what's going over the wire. However, when answering questions that involve the WAN, many CCNA exam-takers seem to be less confident - in part because fewer network engineers spend time Sniffing the WAN.

First, let me comment briefly on the last question I posted in this blog, and the survey about how long it took everyone to answer the question. The survey showed about 30% of us took more than 70 seconds on that question, with about 50% taking more than 50 seconds - both typical of past surveys about questions listed in this blog. However, almost 30% of you answered this question in less than 30 seconds. I'd be particularly curious whether those of you who answered quickly have experience running LAN traces, and whether that helped your confidence. Or, if you think you knew the answer, but lacked confidence because you hadn't spent any time looking at what goes over the wire, then please take time to weigh in as well.

This week I'll post a question that, like the last one, is easy if you know all the facts, and both easy and fast if you have some Frame Relay WAN experience. For comparison, I'll list a survey where you can click the time it takes you to answer the question.

I'll give some hints at the next posting. As usual, don't spill the beans in the heading of any postings you make - leave that for the text so you don't spoil it for other folks. OK, start your timers - here's the question:

Question: PC1 sends one IP packet to PC2, and then one IP packet to PC3. For the packet sent to PC2, which of the following statements are true about these packets, and the frames used to encapsulate them, as the frames leave R1's Frame Relay access link?

A) For the packet going to PC2, the frame contains DLCI 101
B) For the packet going to PC2, the frame contains DLCI 102
C) For the packet going to PC2, the frame contains DLCI 103
D) The DLCI cannot be determined from the information given
E) PC2's MAC address is included in the Frame Relay header
F) R2's MAC address is included in the Frame Relay header

R1#show ip route
Codes: 
C -  connected, S - static, R - RIP, M - mobile, B - BGP
D -  EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i -  IS-IS, su - IS-IS summary, L1 - IS-IS level-1, 
     L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user 
    static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

    172.30.0.0/24 is subnetted, 5 subnets
D   172.30.2.0 [90/2172416] via 172.30.12.2, 00:03:15, 
    Serial0/0/0.2
D   172.30.3.0 [90/2172416] via 172.30.13.3, 00:01:28, 
    Serial0/0/0.3
C   172.30.1.0 is directly connected, FastEthernet0/0
C   172.30.12.0 is directly connected, Serial0/0/0.3
C   172.30.13.0 is directly connected, Serial0/0/0.2
R1#show frame-relay map
Serial0/0/0.3 (up): point-to-point dlci, 
    dlci 102(0x66,0x1860), broadcast status defined, 
	active
Serial0/0/0.2 (up): point-to-point dlci, 
    dlci 103(0x67,0x1870), broadcast status defined, 
	active
R1#show frame-relay pvc

PVC Statistics for interface Serial0/0/0 (Frame Relay DTE)

             Active     Inactive      Deleted       Static
 Local          2            0            0            0
 Switched       0            0            0            0
 Unused         0            1            0            0

DLCI = 102, DLCI USAGE = LOCAL, PVC STATUS = ACTIVE, 
INTERFACE = Serial0/0/0.3

input pkts 69           output pkts 56         in bytes 5344      
out bytes 4572          dropped pkts 0         in pkts dropped 0         
out pkts dropped 0               out bytes dropped 0         
in FECN pkts 0          in BECN pkts 0         out FECN pkts 0         
out BECN pkts 0         in DE pkts 0           out DE pkts 0         
out bcast pkts 49       out bcast bytes 4152      
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
pvc create time 00:05:48, last time pvc status changed 00:05:48

DLCI = 103, DLCI USAGE = LOCAL, PVC STATUS = ACTIVE, 
INTERFACE = Serial0/0/0.2

input pkts 31           output pkts 31         in bytes 2460      
out bytes 3012          dropped pkts 0         in pkts dropped 0         
out pkts dropped 0               out bytes dropped 0         
in FECN pkts 0          in BECN pkts 0         out FECN pkts 0         
out BECN pkts 0         in DE pkts 0           out DE pkts 0         
out bcast pkts 26       out bcast bytes 2680      
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
pvc create time 00:05:49, last time pvc status changed 00:01:41

DLCI = 101, DLCI USAGE = UNUSED, PVC STATUS = INACTIVE, 
INTERFACE = Serial0/0/0

input pkts 0            output pkts 0          in bytes 0         
out bytes 0             dropped pkts 0         in pkts dropped 0         
out pkts dropped 0               out bytes dropped 0         
in FECN pkts 0          in BECN pkts 0         out FECN pkts 0         
out BECN pkts 0         in DE pkts 0           out DE pkts 0         
out bcast pkts 0        out bcast bytes 0         
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
switched pkts 0         
Detailed packet drop counters:
no out intf 0           out intf down 0        no out PVC 0         
in PVC down 0           out PVC down 0         pkt too big 0         
shaping Q full 0        pkt above DE 0         policing drop 0         
pvc create time 00:05:49, 
last time pvc status changed 00:05:49
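
The show frame-relay map output above prints each DLCI three ways, for example 102(0x66,0x1860): decimal, hex, and the value as its 10 bits sit inside the two-byte Frame Relay address field that a WAN trace would show. The Python below is an added example, not part of the original post; it packs and unpacks that address field, and the sample frame bytes and function names are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class FrAddress:
    dlci: int
    cr: bool      # command/response bit
    fecn: bool    # forward congestion notification
    becn: bool    # backward congestion notification
    de: bool      # discard eligible

def encode_address(dlci, cr=False, fecn=False, becn=False, de=False):
    """Build the 2-byte address field for a 10-bit DLCI."""
    if not 0 <= dlci <= 0x3FF:
        raise ValueError("DLCI must fit in 10 bits")
    # Byte 0: upper 6 DLCI bits, C/R, EA=0 (another address byte follows)
    b0 = ((dlci >> 4) << 2) | (int(cr) << 1)
    # Byte 1: lower 4 DLCI bits, FECN, BECN, DE, EA=1 (last address byte)
    b1 = ((dlci & 0xF) << 4) | (int(fecn) << 3) | (int(becn) << 2) | (int(de) << 1) | 1
    return bytes([b0, b1])

def decode_address(frame: bytes) -> FrAddress:
    """Decode the first two bytes of a captured frame (after the opening flag)."""
    if len(frame) < 2:
        raise ValueError("truncated frame")
    b0, b1 = frame[0], frame[1]
    if (b0 & 1) or not (b1 & 1):
        raise ValueError("EA bits do not describe a 2-byte address field")
    dlci = ((b0 >> 2) << 4) | (b1 >> 4)
    return FrAddress(dlci, bool(b0 & 2), bool(b1 & 8), bool(b1 & 4), bool(b1 & 2))

def map_display_value(dlci):
    """DLCI bits in their header positions with every other bit clear,
    which reproduces the third number printed on the page (0x1860, 0x1870)."""
    b0, b1 = encode_address(dlci)
    return (b0 << 8) | (b1 & 0xF0)

# Constructed sample: address field 0x18 0x65 followed by payload bytes.
SAMPLE_FRAME = bytes([0x18, 0x65, 0x03, 0xCC])

if __name__ == "__main__":
    for d in (102, 103):
        print(d, hex(d), hex(map_display_value(d)))
    print(decode_address(SAMPLE_FRAME))
```
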

Sniffing the WAN

Wendell, how does one go about sniffing a WAN link like you would sniff an Ethernet port with a program like Wireshark?

Example of How to Sniff the WAN

Shaun,

Well, you gotta spend a little money, rather than going the freeware/shareware route like with Wireshark. To Sniff the WAN, something needs to be directly connected to the WAN link, typically in-line, with a device generically called a probe. Today, the probe typically also has some form of Ethernet connection, with a separate hardware device or software also on the LAN. The probe sends the captured data over the LAN to the HW/SW platform, which acts like Wireshark by storing, interpreting, and displaying what's in the trace. Follow this link to see one example of how the cabling might work. I've not ever looked for freeware/shareware to do the hard part, but you've gotta have something attached to the WAN link to grab the bits as they pass by.

I was afraid of that

The point you made in this article hit home to me, as watching Ethernet traffic from a monitored port showed me all the different PDUs in use, and helped me learn a lot, and upon reading your article the thought instantly occurred to me that it would be great if there were a similar method of doing this on serial links in the lab, but evidently, there is not.

Thanks for getting back to me

Cheers

About Cisco Cert Zone

Odom, CCIE No. 1624, splits time between writing books for Cisco Press and teaching classes for Skyline ATS. In his 25-ish years in the networking industry, he has worked as a pre-sale and post-sale SE for a few networking vendors, as well as a network engineer implementing network technology. Wendell has spent the majority of the last 15 years teaching, consulting, and writing about networking technologies, most of which in some way relate to Cisco products. His books include titles on QoS, CCIE R/S, as well as several titles related to CCNA certification, including the September 2007 book CCNA Official Exam Certification Library (CCNA Exam 640-802) (Read a sneak peek of chapter 7). Click for the list of current titles by Wendell.