An edited version of this article was originally printed in the May 2009 edition of Hakin9 Magazine under Tool Reviews. As an IT consultant I frequently need to monitor and analyze network traffic. Wireshark is easily the tool of choice.

Introduction:
The great white is one of the undisputed masters of the open seas and with knowledge and training Wireshark can help the network admin or consultant master that sea of data that flows across the networks of the world. Originally developed by Gerald Combs in 1998 and available as free/open source software under the name Ethereal, the project grew to encompass many programmers over the years and was renamed Wireshark in June 2006.

Wireshark is considered to be one of the premier protocol analysis tools with eWeek Labs in 2007 listing it among “The Most Important Open-Source Apps of All Time.” Wireshark is free/open source software with versions available for Linux, Microsoft Windows and Mac OS X at http://www.wireshark.org

As an essential element of the toolkit of any network professional, Wireshark provides the tools to capture and analyze network traffic or to perform analysis on network captures provided by tools such as tcpdump, tshark, EtherPeak and a wide range of others.

Installation:
Installation is platform dependent but easily done using the appropriate method such as the Windows installer package or for the more adventurous by the compiling the program from the source code. Linux users should use the method appropriate to the distribution they are using such as apt-get or rpm. The download page at wireshark.org covers the options and installation methods for the more common platforms.

First Runs:
With Wireshark installed you’re ready to do your first packet captures so let’s go. The easiest method is to use the main toolbar (the set of icons directly below the text menu headings) and left-click on the left-most icon that looks like NIC with a small white list box on it. This will open the “Capture interfaces” dialog box which will show the interfaces that Wireshark is recognizing, a description, the IP, and a column showing packet activity for each.

To begin capturing packets just left-click on the start button for the the interface you want. Wireshark will now begin capturing packets for that interface and show the results in the packet list pane that is part of the main window. On a busy network this will quickly fill with all the network noise including routing protocols, spanning-tree from switches and arp requests. Somewhere amidst the turmoil are the packets you’re looking for.

Managing the Packet Capture:
Wireshark thoughtfully provides two primary methods to save filling your hard drive and drawing down your patience in analyzing all that network noise. On the front end the analyst can deploy capture filters that as the name would imply limit what packets Wireshark actually brings up from the NIC and includes in the capture archive. If for example you know you have no interest in the all that chatty spanning-tree traffic between switches you can deploy a capture filter to tell Wireshark to ignore those packets. This provides several benefits in that your capture data set will be reduced making analysis much quicker and efficient and the saved captures will make for smaller files.

Finding Needles in Haystacks:
Even with a good set of capture filters in place a busy network will generate a lot of packets so how do we as network analysts save our patience and find specific packets or groups of packets. Enter the second powerful feature that of using display filters. Whereas capture filters actually limit what packet types will be included in the capture set the display filter only controls what is shown in the packet list pane. The actual capture set isn’t altered and remains intact. For example let’s say that in my haste I didn’t filter out the spanning-tree traffic and now my 15 minute capture set has some critical packets all of which are somewhere in that sea of STP dribbling down the page causing my vision to blur. Relief is as close as typing “!(stp)” in the “Filter:” box and clicking apply. The packet list pane will now show all traffic that was captured except for spanning-tree.

Analysis and Statistics:
Wireshark provides an excellent set of tools to analyze the packet capture set the discussion of which is too lengthy for an introductory article. I would note that it’s well worth the efforts to spend some time working through the options provided as a wealth of information can be drawn from the capture set that can be instrumental in resolving a myriad of network issues including performance and security.

Conclusion:
As an independent IT consultant to small businesses and similar organizations I’ve been using Wireshark and it’s fore-runner Ethereal since around 2001 and consider it the most important tool in my kit for resolving networking issues.

A simple example is a government customer with a staff of about 12 on a small LAN had a new “big-brand-name” combination copier, printer and scanner installed. The day after the installation the manager sent me an email saying that when I had a chance to check out the network as it was definitely acting just a tad more sluggish. A 60 second capture set with Wireshark showed that the network was not only busily handling its normal load of TCP/IP traffic but was awash in both AppleTalk and IPX/SPX. Seeing how we had neither any Macs or Netware servers on the network inquiring minds wanted to know the source of this bothersome gibberish. A quick analysis of the packets revealed the offending traffic all originating from the IP assigned to the new multifunction machine. A short walk through the network settings dialog screens for the multifunction box showed that the tech had simply left the defaults on which where to use IPv4, AppleTalk and IPX/SPX. Two quick taps to disable the latter two and Wireshark showed the network no longer bothered by unnecessary traffic and the performance slightly improved.

Moving from the broad over view lets now move into demonstrating some of the direct benefits of the more commonly implemented features of Cisco router and switches by using a simple, small office scenario as a case study.

Typical of a small organization is there are departments for financial matters, marketing and sales and one or more managers. The personnel in each of these areas has specific computer function and data needs with some being in common such as Internet access and others being necessarily limited to certain workers such as access to financial data.

Let’s assume we’re a consulting firm that’s been hired to design this network and as the the first step we have met with the key managers to develop a list of criteria for each department in regards to computer resources, security and performance. In our meeting we agreed to the following goals.

Network Design Goals and Numbers

Overall:

A reasonable level of network security. This particular business isn’t subject to any set of specific regulations such as HIPAA but management well understands that good security practices are both a sound investment in protecting the company’s IT assets, the company image and as a deterrent against legal proceedings. It was agreed that the following basic security procedures are to be implemented.

- Centralized anti-virus on a server that can “push-out” anti-virus software to all client machines on the network and can monitor and update those clients as needed.

- Only those services that are required in general will be permitted to pass through the various router interfaces and all others will be blocked. Core external (Internet/WAN side) services were identified as HTTP and HTTPS (web/secure web), SMTP and POP3 (email services), DNS (domain name lookup) and FTP (file transfers).

All Personnel:

1. Internet access for web services, email and file transfers.
2. Each employee will have an area on the server for storage of personal files that is accessible only by them, managers and IT staff.

Managers: Subnet 172.10.8.0/24

1. Unlimited access to all computer resources and data.

Sales and Marketing: Subnet 172.10.9.0/24

1. Access to the server based CRM (Customer Relationship Management) software.

Accounting and Finance: Subnet 172.10.10.0/24

1. Access to the server based accounting software and financial records. All other personnel restricted with no access.

Hardware and Software

To implement our case scenario the following equipment and software is ordered, placed and wired with Category 5E cable. Our equipment list includes:

1. One server running a server operating system such as Microsoft 2003 Server or an appropriate Linux distribution such as Red Hat or SUSE for use as a file server at address 172.10.8.2/24
2. One server running a server operating system such as Microsoft 2003 Server or an appropriate Linux distribution such as Red Hat or SUSE for use as an application server running the accounting package at address 172.10.10.2/24.
3. One Cisco 2621XM router using the two Fast Ethernet interfaces with no other modules/cards installed.
4. One Cisco Catalyst 2950 – 48 port switch.

Given that the focus of this article is in how we utilize the Cisco router and switch to achieve our goals I’m won’t go into any detail as to server configuration. Suffice to say both Microsoft and Linux servers can be configured to provide appropriate access control through the use of user and group level permissions.

Implementation

As the first step in implementing our network design we’ll look at the configuration of the Cisco 2621XM router. This router has two Fast Ethernet interfaces, referred to as FA0/0 and FA0/1, built in which are what we’ll be using for our network.

On the WAN (Wide area network) side we’ll connect the cable from the Internet Service Provider’s hardware (DSL, cable modem etc) Ethernet interface into FA0/0 of our router and run a cat 5e cable from router interface FA0/1 to port FA0/1 on our Cisco Catalyst 2950 switch.

We now have a setup where the insecure side of the WAN (Internet) enters into the router on interface FA0/0, the secure trusted network (LAN) connects to router interface FA0/1 and any traffic between them passes through the router. It’s on these interfaces we can at the simplest level implement ACLs (Access Control Lists) to meet one of our basic security goals.

(As an aside if the router is running IOS 12.4(6)T and later we can take advantage of the newer Cisco zone based firewall features which offer an even richer and more granular way to control traffic.)

Starting with the WAN side interface (FA0/0) we would build an ACL only allowing the HTTP, HTTPS, SMTP, POP3, DNS and FTP protocols while restricting all others. With this in place we have significantly improved our security profile by vastly limiting the “attack surface” which in this case is the number of ports open to the insecure/WAN side of the network. Also given it’s likely we only have a single public IP but have numerous devices on the trusted LAN that wish to connect to Internet based resources we would implement Port Address Translation (PAT) to provide the mapping of the multiple internal addresses to the single public address.

VLan Setup

Before moving to the configuration of FA0/1 interface of the router we need to outline the basics of the LAN design. To implement our desired internal security/access control goals we will use a combination of VLans (virtual LANs) on the switch and access control lists (ACLs) on the LAN side router interface (FA0/1).

For those not familiar a VLan is a software level method that allows a switch to be configured such that it can have groups of ports divided such that each group can be assigned to a different subnet (network level address) yielding a number of benefits. Our primary interest here is that by having the various groups of users on different subnets we can add an additional level of control over access to server resources and files. Specifically we will create the following VLans and correlate them with the following subnets.

VLan 8 : 172.10.8.0/24 – Managers
VLan 9 : 172.10.9.0/24 – Sales & Marketing
VLan 10 : 172.10.10.0/24 – Accounting and Finance

Because a Catalyst 2950 is only a layer 2 switch (doesn’t have layer 3 routing capabilities) we have to use the LAN side router interface (FA0/1) to provide routing between the VLans via a configuration somewhat humorously known as a “router on a stick!” In sum the router interface is configured with three sub-interfaces with one each assigned an address within one of the network address ranges and corresponding VLan number. To clarify using an example we could configure a sub-interface for VLan 8 using the following commands. (Router configuration commands are enclosed in quotes)

“interface fa0/1.08″ : This creates the sub-interface
“encapsulation dot1q 8″ : Set encapsulation to 802.1q and assign this interface to VLan 8
“ip address 172.10.8.1 255.255.255.0″ : Set the IP address for the interface to network 172.10.8 and for host address 1.

We would then create two more sub-interfaces for the remaining two VLans/subnets in a similar fashion.

Note: 802.1q or VLan tagging is a method that allows correlation of packets to a specific VLan.

Now with the router configured we need to do a bit of magic (configuration) on the switch by making the Fast Ethernet port of the switch connecting to the LAN side interface of the router into what’s referred to as a trunking port. In sum a trunking port recognizes packets from all VLans and allows then to pass over the cable to the router and back. This configuration allows packets to move between the several VLans/subnets unless otherwise restricted as we illustrate in the following.

Meeting Design Goals

Let’s return to our design specification above where we wanted to restrict traffic to the accounting package server at address 172.10.10.2 to only the members of the Accounting and Finance group. Notice we assigned this group to VLan 10 with the subnet of 172.10.10.0/24 thus appropriately placing the users and server on the same network. This provides a faster response for the users and removes unnecessary traffic from having to traverse the LAN side router interface of FA0/1.

Moreover we can easily met our design goal by using an appropriate ACL to prevent traffic from the Sales and Marketing subnet from entering the Accounting and Finance VLan (10). Other design goals for restricting traffic would be implemented in a similar fashion.

Wrapping Up

The above scenario may seem overly complex but in fact is a configuration that an experienced Cisco technician could implement in less than an hour or two. Although we have only “scratched the surface” of the capabilities for controlling traffic, improving performance and implementing security we have accomplished a fair amount in building a solidly performing network that can easily be expanded to accommodate growth.

Moreover this need not be vastly more expensive as the Cisco hardware described above can currently be bought in used but excellent condition on eBay from a reputable dealer for under $300 USD. Considering that a low-end “router” and switch would run about $100 or so the differential of $200 is rather insignificant for the benefits obtained from having real professional level equipment.

Hopefully, by my case example above, you as the owner and/or manger of a small business or similar sized organization will begin to see using real professional networking equipment such as that produced by Cisco in a new, and very favorable light. As an IT professional I can vouch there’s a lot more cost to a network then the purchase price and those bargain basement routers and switches are in fact a very expensive choice!

To your networking and business success!

At first blush there would seem to be vast differences in the networking needs of each but in fact I would argue there’s not. At least not in my opinion. Fact is I recommend Cisco equipment for the smallest home office and up and the reasoning is simple. In today’s world a solid IT infrastructure is a given for essentially every organization and there’s a whole lot of reasons to standardize on Cisco equipment and the related software. Let’s take a look at those reasons and see if you agree.

Out of the gate it’s hard to argue that Cisco isn’t one of the leading names in the world of networking hardware being a first rate manufacturer of routers, switches and related networking gear. In fact Cisco is in many ways a De Facto standard by which competitors are measured.

Moreover the Cisco certifications for networking expertise such as the CCNA (Cisco Certified Network Associate), CCNP (Cisco Certified Network Professional, and the “Doctorate” of networking, the CCIE (Cisco Certified Internet Expert) are well respected designations with corresponding levels of increasing difficulty to obtain. Designations that go a good way towards guaranteeing that the IT technician thus certified has the corresponding level of knowledge to perform the configuration and maintenance of Cisco networks the organization requires.

No other manufacturer of networking equipment for the small to medium business can compare in the range of equipment offered and the related programs to certify the support personnel. From my point of view there’s a lot of value in that fact alone and the reasoning is simple and centers primarily on one concept; TOC or Total Cost of Ownership.

Total Cost of Ownership

TOC was all the rage a few years back and perhaps is considered “old-hat” these days. Not-with-standing that Total Cost of Ownership isn’t the latest shiny toy in the world of IT marketing circles it’s a valid and highly useful concept for considering the real long-term cost of any business investment.

Total Cost of Ownership, as the name implies takes into consideration not only the initial investment but the less than obvious costs such as those to have the initial configuration done in setting up the network and the cost of ongoing maintenance and modifications as networks grow and change. TOC helps us guard against being penny-wise and pound-foolish! Let’s consider the real long-term costs of your networking investment.

Costs of Building the Network

When building a new network the most obvious issue is the initial investment to purchase the equipment but the somewhat hidden cost is that for creating a workable network that meets the present and near-future needs of the organization. The assumption I often see, understandably, is that a router is a router is a….. not so! Real routers and switches can do things, important things, that the $50 dollar deal calling itself a router or switch at the local hardware retailer couldn’t dream of doing. Things that matter now and probably even more so as the entity grows.

When one measures the cost of the installation and configuration at rates typical of professional IT consultants it becomes readily apparent that a significant up front cost factor is for the latter and in fact less expensive, low-end equipment is often harder to install and configure correctly due to it’s limited capacity leading to even higher installation costs. In short the small savings for low-end equipment is quickly lost in the lack of configurability and the increased cost for IT support services.

Long-term Benefits

Let’s consider a short list of the long-term benefits of using an industry standard like Cisco.

1. Standardization: Cisco equipment runs on their proprietary software known as IOS (Internet Operating System). While new versions are developed on a regular basis to build in additional features the core commands for routing and switching remain largely unchanged. There’s no new interface or base command set to learn if you upgrade a router or switch. The existing configurations can be largely or completely moved to the new equipment and all will work as expected.

2. Configuration Options: The IOS offers a range of configuration options not found in low end equipment that is typically marketed to the small to medium business sector. Features such as ACLs (access control lists), VLans (virtual LANs) and QOS (quality of service) that allow the equipment to be configured for faster, more efficient, and in to days threat environment, more secure operations.

3. Modular Interface Configuration: Cisco’s line of modular routers such as the 1700, 1800, 2600 and 3600 series allow simple and efficient modification of what modules and networking interfaces are present. Modular configuration allows creating, and in the future recreating, the features and interfaces to meet your organization’s needs. Interface modules/cards include serial, Ethernet, Fast Ethernet, ATM, BRI-ISDN, PRI, T-1 and Voice options to meet the present and changing network traffic type demands.

4. Simplified Security and Accounting: Software packages such as the Security Device Manager and Access Control Server make the three A’s, Authentication, Authorization, and Accounting, even easier to setup and maintain giving organizations of alls sizes the features necessary for basic to advanced security for those who need to meet compliance requirements.

While each of the above topics could be discussed in depth, and will in future articles, we hope the preceding has prompted you to consider your current and future networking investments in a broader light and to consider Cisco equipment as the right choice. As an IT professional I can vouch there’s a lot more cost to a network then the purchase price and those bargain basement routers and switches are in fact a very expensive choice!

This article is part 1 of a 2 part series: Part 2 is at Cisco for Small Businesses-An Example Network Case Study

First thing to consider is that Conflicker, like most of the malware (malicious software) released to the Internet in the past 5-6 years, is *not* likely to do any real, irreversible damage to your computer systems. It’s essential to understand that the programmers creating most modern malware are profit driven and see this as a business. They’re not going to make money by destroying computers. What they *do* want to achieve is to be able to use others computer systems for illegal activities which is most commonly for sending spam.

Case in point is that Dean Turner of Symantec Security says he doubts there will be substantial cyber disaster. More than likely the internet will not go down, the makers of Conflicker C are profit driven and need the computers in the botnet to make money for them by sending out spam emails and so on. Paul Ferguson of Trend Micro agrees. He says these people, “don’t want to bring down the infrastructure. That would not allow them to continue to carry out their scams.”

I hope you’re convinced (and relieved) that the world (or more directly the Internet) is unlikely to end on April 1, 2009 or anytime thereafter because of the actions of malware programmers. Either way most people want to know that their computer system is secure and they’re protected with which I heartily agree.

Let’s look at (1)a quick check list of items that will need to be in place to protect your computer system(s) and (2) how to check to see if your system might already be infected.

(Note: Clients of Shafer Consulting that have an active service agreement are protected as all updates and anti-virus protection are checked/executed as part of the monthly services items.)

Check the following to see if your protection is current:

1. Microsoft Windows updates should always be current. Microsoft released the initial fix for this back in October. If your Microsoft Windows computer is being updated regulary this patch should have been installed in the next update you did after mid-October 2008. If you really want to verify the update was applied then in your Windows machine go to the “Start” icon and then “Control Panel -> Add or Remove Programs” (Note: Depending upon the menu choice you’re using you may have to use “Start -> Settings – Control Panel ->Add or Remove Programs”)

Once in the “Add or Remove Programs” area check the box at the top of the page that is titled “Show updates”. With this item selected you will now be able to see all the installed programs and the Windows updates that have been installed. You want to verify that KB958644 has been installed.

2. Anti-Virus: In today’s connected world *no* computer should be without anti-virus software. Moreover it’s essential to make sure that the anti-virus software is regularly updating the virus signatures. Typically when you open the anti-virus software you will see a place that gives the date of the last update or the date of the signatures database. Make sure this is less than several days old at most. If older than several days run the “update” option and make sure it worked! A full scan of your computer probably isn’t a bad idea either when not in use such as during lunch or at the end of the day.

A simple check for current infection:

1. Try contacting one of the links below that connect to well known anti-virus vendors. Conflicker is setup to block access to the most commonly known anti-virus vendor sites such as McAfee, Symantec and Kaspersky. If you can reach these websites you’re machine is likely *not* infected.

http://www.mcafee.com
http://www.symantec.com

If you think you might have an infected machine McAfee (the anti-virus company) has a special version of their “Stinger” malware removal tool that is being updated daily. It can be downloaded at:

http://www.majorgeeks.com/McAfee_AVERT_Stinger_Conficker__d6157.html

Note: Business Tips & Trends posts are provided for informational purposed only. As always, anyone wishing to pursue ideas provided here should contact a professional in the appropriate field.

Business Tip provided by Mike Jones of First Pacific Funding, Inc. Mike can be reached at 1-866-926-5575 x 204