Network Monitoring and Analysis: A Protocol Approach to Troubleshooting
by Robert Buljevic - Monday, 2 June 2003.
Authors: Ed Wilson and James Naramore
Pages: 359
Publisher: Prentice Hall PTR
ISBN: 0130264954


The title of this book is very descriptive: it tells you clearly what the book is about. Network analysis and monitoring consists of employing proper software and/or hardware tools to capture, decode, interpret, and react to the contents of data packets as they transit a network's media. This process is an invaluable network troubleshooting method, yet it is the least understood of all administrator activities. Protocol-level analysis is too often unjustifiably considered an esoteric activity confined to an enlightened inner circle.

About the author

In this book the author tries to correct the situation by tackling the tortuous task of network troubleshooting from a protocol analysis perspective. Ed Wilson (MCSE+I, MCT, Master ACE, CCNA) is a senior networking specialist with Full Service Networking, a Microsoft Solution Provider Partner in Cincinnati, OH. He is the co-author of several Windows networking books.

Inside the book

The book starts with an exhaustive overview of the most common protocols you are likely to encounter while troubleshooting a network. After reading the first chapters you'll have a good understanding of the TCP/IP protocol suite, the SPX/IPX protocol and SMB. First of all you'll see how TCP provides reliable connections and flow control. You get a glimpse into the complexity of TCP implementation when the author discusses the three-way handshake and the associated TCP quiet time concept, reset generation and processing, flow window management, etc.

The Internet Protocol (IP) is responsible for fragmentation and reassembly of data packets as well as providing delivery and routing from source to destination. Understanding the structure of IP packets is fundamental for protocol analysis. The SPX/IPX protocol associated with Novell NetWare environments is also covered in detail. Personally, I was not very interested in this part, but whoever deals with Novell networks will find this chapter very useful.

The final chapter in this first part of the book is about the Server Message Block (SMB) protocol. SMB is Microsoft's file sharing protocol and ships with every Microsoft Windows system. It is therefore, for better or worse, the most prevalent application-level protocol in LAN environments. It enables the sharing of directories, files, printers, and other components across a network. SMB is covered here in great detail since it's crucial for successful troubleshooting: the chapter is accompanied by many packet captures showing how SMB operates in real-world situations.
This book was published in 2000 and it doesn't include information on recent developments around SMB. SMB was originally developed by Intel and Microsoft in the early 1980s and has been the core of DOS and Windows file sharing ever since. In the late 90s Microsoft renamed it CIFS (Common Internet File System) and even submitted draft CIFS specifications to the Internet Engineering Task Force (the drafts have since expired). Although SMB has traditionally run on top of the NetBIOS API over TCP/IP (commonly known as NBT), in recent versions of Windows (notably Windows 2000) SMB is implemented directly over TCP/IP, and NetBIOS is included only for backwards compatibility. All these developments have added to the complexity of SMB/CIFS, with important implications for protocol analysis and troubleshooting.

After looking at the players, that is, the protocols involved, we're ready to take a look at the issues - namely client, server and application traffic. That's part two of the book.

Client traffic and communication with the server is examined step by step: client initialization, DHCP traffic, WINS traffic and network browsing.
The chapter dealing with server traffic analyzes domain controller initialization, DNS resolution and other server-related issues.
The next chapters focus on application traffic: FTP, HTTP, SSL, SMTP/POP3 (with particular reference to MS Exchange server traffic).
Each chapter is accompanied by extensive capture examples, so you'll see how all this looks in practice.

The third part of the book is about the tools used for network monitoring. The author chose to use exclusively Microsoft's Network Monitor family. NetMon is included with the Windows NT and 2000 Server operating systems (although it's not part of the default installation). NetMon offers an intuitive interface and easy interpretation of captured data. The author explains how to make a capture, view and save it, and filter and analyze the data obtained.

The fourth and final part of the book is about troubleshooting scenarios; here common networking problems are examined from a protocol perspective. These problems include workstation logon failure, DHCP lease problems, slow workstation traffic, excessive broadcasts and other issues.
The last chapter deals with some specific security issues such as finding rogue DHCP servers and detecting other sniffers on the LAN (only other NetMon sniffers).
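The rogue DHCP server scenario is a good illustration of what protocol-level analysis buys a defender: the DHCPOFFER payloads in a capture carry the server's identity (option 54), so any offer from a server not on the administrator's allowlist stands out. The following is an added example, not code from the book or the review: it decodes constructed DHCPOFFER payloads (the UDP body only, no Ethernet/IP/UDP headers) and flags offers from unauthorized servers; the addresses and MAC are made up.

```python
import struct
from ipaddress import IPv4Address

DHCP_COOKIE = b"\x63\x82\x53\x63"   # magic cookie that follows the 236-byte BOOTP header

def build_offer(server_ip, offered_ip, xid=0x3903F326):
    """Constructed sample: the BOOTP/DHCP payload of a DHCPOFFER (UDP body only)."""
    hdr = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        2, 1, 6, 0, xid, 0, 0x8000,              # op=BOOTREPLY, htype, hlen, hops, xid, secs, flags
        b"\0" * 4,                               # ciaddr
        IPv4Address(offered_ip).packed,          # yiaddr: address offered to the client
        IPv4Address(server_ip).packed,           # siaddr
        b"\0" * 4,                               # giaddr
        bytes.fromhex("001122334455") + b"\0" * 10,  # chaddr (constructed client MAC)
        b"\0" * 64, b"\0" * 128)                 # sname, file
    opts = (bytes([53, 1, 2])                    # option 53: message type = OFFER
            + bytes([54, 4]) + IPv4Address(server_ip).packed  # option 54: server identifier
            + bytes([255]))                      # end option
    return hdr + DHCP_COOKIE + opts

def parse_dhcp(payload):
    """Decode the fields a rogue-server check needs from a DHCP payload."""
    if len(payload) < 240 or payload[236:240] != DHCP_COOKIE:
        raise ValueError("not a DHCP payload")
    opts, i = {}, 240
    while i < len(payload) and payload[i] != 255:   # 255 = end of options
        if payload[i] == 0:                          # 0 = pad byte, has no length field
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return {
        "op": payload[0],
        "xid": struct.unpack("!I", payload[4:8])[0],
        "yiaddr": str(IPv4Address(payload[16:20])),
        "msg_type": opts.get(53, b"\0")[0],
        "server_id": str(IPv4Address(opts[54])) if 54 in opts else None,
    }

def rogue_offers(payloads, authorized):
    """Server identifiers of DHCPOFFERs that did not come from an authorized server."""
    rogues = []
    for p in payloads:
        d = parse_dhcp(p)
        if d["op"] == 2 and d["msg_type"] == 2 and d["server_id"] not in authorized:
            rogues.append(d["server_id"])
    return rogues
```

With real traffic, feed `rogue_offers` the UDP payloads of port 68-bound packets from a capture; the same option walk handles padded or reordered option lists.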

Some appendices follow with lists of common TCP and UDP port numbers, command-line utilities, NetBIOS suffixes, and some packet capture data (domain controller startup and opening a web page).

Also, the book includes a CD-ROM with sample network traces (txt and NetMon format), custom filters and batch files for starting Network Monitor with a variety of options.

My opinion

The first thing you notice about this book is that it's evidently Windows-centric. The author is a specialist in Windows networking, so this choice is no surprise. However, I don't necessarily regard this as a bad thing. Windows is a pervasive operating system, it's hard to imagine a LAN without some Windows workstations on it, and Windows machines are the main source of network problems and the main focus of network troubleshooting. It is therefore a good idea to cover SMB/NetBIOS in detail, as this also applies to Unix/Samba scenarios (for example, Linux servers and Windows workstations integrated for file and printer sharing). Furthermore, it must not be forgotten that the majority of topics covered in this book actually apply to general TCP/IP issues, not necessarily Windows-related ones.

The choice to push Network Monitor as the only tool for protocol analysis is perhaps limiting. Although NetMon is easy to use, there are more sophisticated options, such as Ethereal. In recent years the porting of the Unix packet capture library (libpcap) to Windows as WinPcap has certainly expanded the possibilities. For example, Ethereal for Windows is based on the WinPcap drivers. And now you can build your own applications for packet capture and packet creation under Windows on top of the WinPcap framework, which gives you ample possibilities to experiment and explore.

Despite its limitations, this book remains a very good read for those wondering what's happening under the hood of their network and why things don't work as they're supposed to. However, don't expect this book to make you a TCP/IP guru. Protocol analysis is a skill that gets honed with lots of practical hands-on work. Therefore, you'll need to work with a packet analyzer a lot before you're able to see any tangible results. But this book will be an excellent guide in this process.
