Packet Sniffing for Beginners

Sometimes there are errors and problems on a network that need in-depth analysis, and troubleshooting some issues is almost impossible without a tool that lets you look deeper, such as a packet sniffer. Without one you often won't find out why a share is non-responsive, or discover that your RAS server is so slow because all your travelling sales people are using it to watch BBC TV abroad when they're travelling!

If a certain error condition occurs only when the request comes from an actual client, but not when you reproduce it by hand with telnet, packet sniffing is in order. Hand-crafting requests with telnet can also be awkward because the proxy and origin servers may require authentication credentials to be sent; in those cases it is more convenient to use a real web client that constructs those headers for you. Likewise, if a problem shows up with one client but not with others, it is worth finding out exactly what that client is sending.

There are a number of packet sniffers. Depending on the operating system, you may find some of these useful:
° wireshark
° ethereal (the former name of Wireshark)
° etherfind (SunOS)
° tcpdump
° nettl (HP-UX)

Many books and guides pick a specific packet sniffer, so if you're following a guide use the one it uses. One of the most popular is Wireshark, a fully functional, free packet sniffer that professionals often use instead of more costly commercial options.
tcpdump and the vendor-specific tools above ship with Unix and Linux distributions; refer to their man pages for instructions.
Example. Let's say you want to snoop the traffic between the hosts fred's PC (client) and socrates (server). You can use something like Wireshark with a capture or display filter that names the two endpoints, and analyse what's happening between them.

Of course, this is only useful if you can first identify which sources to monitor. If you suspect that Fred is using the company proxy for Netflix, you can prove the point easily with a packet sniffer on the proxy or on Fred's network segment. If you're not sure, look first to the network hardware for clues. On a switch, traffic between two other hosts is not normally sent to your port at all, so you need a SPAN (mirror) port, which copies the traffic of selected ports or VLANs to the port your sniffer is plugged into; checking switches for span ports and plugging into them is a useful tactic (an old-fashioned hub repeats every frame to every port anyway). Bear in mind that a busy mirror session can exceed the capacity of the monitoring port, in which case frames are dropped before your sniffer ever sees them.

The ability to filter by host and port is essential, and all decent packet sniffers allow it (in tcpdump and Wireshark these are BPF capture filters such as `host socrates and port 80`). You should also be able to use command-line options to control how the traffic is dumped: whether it is decoded to text or written raw to a capture file for later analysis in another tool. Any sniffer that cannot do this makes the next stages much harder, because the amount of data produced is often very large.
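To make the filtering point concrete, here is an added example (written for this edit, not code from the original post) of what a sniffer does underneath the decoded display: it parses raw Ethernet/IPv4/TCP frames and applies a tcpdump-style "host X and port N" filter. The hostnames fred and socrates come from the text above; their IP addresses, the MAC addresses and the sample frames themselves are constructed for the example.

```python
import ipaddress
import struct

# Added example, not code from the original post: decode raw Ethernet/IPv4/TCP
# frames the way a sniffer does and apply a tcpdump-style "host X and port N"
# filter. The hostnames fred and socrates come from the text; their addresses,
# the MAC addresses and the frames themselves are constructed for the example.

HOSTS = {"fred": "10.0.0.5", "socrates": "10.0.0.20"}  # invented addresses


def build_frame(src_ip, dst_ip, src_port, dst_port, payload=b""):
    """Build an Ethernet II frame carrying IPv4/TCP. Checksums are left at 0
    because the decoder below does not verify them."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", 0x0800)
    # TCP: sport, dport, seq, ack, data offset (5 words), flags PSH|ACK, window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 1, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    # IPv4: version/IHL, DSCP, total length, id, flags/frag, TTL, proto 6 (TCP), csum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    return eth + ip + tcp


def decode_frame(frame):
    """Return the fields a sniffer would display, or None for anything that is
    not IPv4. Non-TCP packets come back without the port fields."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None
    ip = frame[14:]
    if ip[0] >> 4 != 4:
        return None
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    pkt = {"src": str(ipaddress.IPv4Address(ip[12:16])),
           "dst": str(ipaddress.IPv4Address(ip[16:20])),
           "proto": ip[9]}
    tcp = ip[ihl:total_len]
    if pkt["proto"] != 6 or len(tcp) < 20:
        return pkt
    pkt["sport"], pkt["dport"] = struct.unpack("!HH", tcp[:4])
    pkt["flags"] = tcp[13]
    pkt["payload"] = tcp[(tcp[12] >> 4) * 4:]  # data offset is in 32-bit words
    return pkt


def matches(pkt, host=None, port=None):
    """tcpdump semantics: 'host' matches either endpoint, 'port' either port."""
    if pkt is None:
        return False
    if host is not None and host not in (pkt["src"], pkt["dst"]):
        return False
    if port is not None and port not in (pkt.get("sport"), pkt.get("dport")):
        return False
    return True


def sniff(frames, host=None, port=None):
    """Decode every frame and keep those matching the filter, in capture order."""
    kept = []
    for frame in frames:
        pkt = decode_frame(frame)
        if matches(pkt, host, port):
            kept.append(pkt)
    return kept


# Constructed "capture": a web exchange between fred and socrates, an unrelated
# SMB connection to socrates, and fred talking to a proxy on port 3128.
SAMPLE_FRAMES = [
    build_frame(HOSTS["fred"], HOSTS["socrates"], 49152, 80, b"GET / HTTP/1.1\r\nHost: socrates\r\n\r\n"),
    build_frame(HOSTS["socrates"], HOSTS["fred"], 80, 49152, b"HTTP/1.1 200 OK\r\n\r\n"),
    build_frame("10.0.0.9", HOSTS["socrates"], 51000, 445),
    build_frame(HOSTS["fred"], "10.0.0.1", 49153, 3128, b"CONNECT video.example:443 HTTP/1.1\r\n\r\n"),
]

if __name__ == "__main__":
    for pkt in sniff(SAMPLE_FRAMES, host=HOSTS["fred"], port=80):
        print(f"{pkt['src']}:{pkt['sport']} -> {pkt['dst']}:{pkt['dport']} {pkt['payload'][:20]!r}")
```

On a live network the equivalent capture is `tcpdump -nn -i eth0 host socrates and port 80`; add `-w capture.pcap` to save the raw frames for later analysis in Wireshark instead of decoding to text on the spot.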

Implementing your Internet Security Policy

One of the problems with IT departments is that they can often be a little detached from the rest of an organisation. Many are even physically separated, perhaps stuck in a separate building or on a separate floor, which only increases the isolation. In many ways that's not a problem; after all, it's a department which will probably need more space and room for storage of parts, replacements and so on, and commonly the IT department will need easy access to server rooms so that they can maintain and support the kit when those remote connections drop.

However, one of the issues is that people who work in IT often see the rest of the company through their IT usage and not through their real function. This colours how technology use is managed throughout the company.

The classic example is internet usage, which over the last decade or so has become one of the main issues for any IT department to manage. First there are the technical complexities of allowing company clients to access outside resources. Then there are the potential security risks: viruses, hacking attempts, inappropriate browsing, email security, spam and so on. Access to the internet is now commonplace, but it almost always puts a huge strain on both the technical and the human resources needed to support it.

For example, many users will use the internet just as they do at home: downloading BBC videos like this, visiting shopping sites, hobbies, research and all sorts of things which can impact the local network. It doesn't take many users streaming video to their PCs to cause a huge slowdown on a normal company network, which is rarely configured to cope with this sort of traffic. Yet how do you stop them? Many IT departments I have seen over the years simply block access; a few rules in the firewall will stop all access to a particular site. However, this is not the way to do it: a technical solution should not be implemented on its own.

A company should have an Internet Usage Policy to cover situations like this. Failing to state clearly what employees can or can't do online leaves the company and the Human Resources department on very thin ice. The user who spends all day streaming from Netflix or visiting porn sites is clearly not doing their job, but it's difficult to discipline them without clear guidelines in such a policy or in their terms of employment. A proper internet policy is much simpler: it can be adapted quickly, can be referenced from other policies and employee guidelines, and can be directly linked to technical controls such as a proper access control list.

If guidelines are in place, you mostly won't have to spend time chasing and blocking video and media sites individually, like Netflix or the BBC iPlayer. If employees know that they are not allowed to use these sites, and the reasons behind the rule, the problem is generally resolved first. There may be issues with more technical users who attempt to circumvent or hide their activities, perhaps using an online IP changer, but these people are easier to deal with if they are directly contravening company policy.


Network Layer Switches

Network switches play a critical role in the performance of local area networks. They are used in private networks such as intranets and extranets to segment the network into more manageable sections (and, with VLANs, into separate broadcast domains). Setting up a sizable computer network can be an intimidating undertaking, and you need an in-depth understanding of the role of every networking device to construct an efficient network, because each device is accountable for part of the path that carries data from one user to another.

Packet routing is an essential task for preventing congestion. When a data packet needs to reach a destination on another network, it must traverse one or more intermediate networks, and routing protocols carry the information routers use to choose a path through them. Most routing protocols carry no layer-two information, so they cannot by themselves set up something like a virtual channel connection (VCC). Above the network layer, the File Transfer Protocol supplies a way to move files efficiently from one machine to another, while UDP is an unreliable, connectionless protocol for applications that do not want TCP's sequencing and flow control and provide their own. In large, complex networks servers need this sort of throughput; imagine the strain on something like Netflix's IP servers streaming video to millions.

Every computer on the internet or on a local network is assigned a unique address, the Internet Protocol (IP) address. The internet is not just a vast array of computers connected to each other; optical communication links and networks are crucial for the internet backbone and for the interconnects used in data centres and high-performance computing systems.

While doing this, the network must manage problems like congestion and switching. Often, when an application wants to communicate with another application, the associated processes on the two hosts must communicate, and the web itself works on a collection of such protocols layered on one another. To get that massive network to work, and to get our LANs to act jointly, there has to be a routing protocol that enables it. FTP, for instance, uses TCP at the transport layer to get reliability.

If you have a relatively new mobile handset, it is most likely equipped with an integrated web browser. A Bluetooth device selects a peer device and performs a service discovery to look for available services or applications; Bluetooth devices operate over a range of about ten metres. A wireless access point functions as an intermediary between the wireless and wired devices that are part of a network, and aside from the computers themselves there are numerous such intermediary devices which make data transfer possible. They can also allow a network to detect, reroute or simply block specific types of traffic, which is presumably how the BBC has blocked VPNs, as this story details.

Once the export feature is configured, NetFlow records are exported whenever a flow expires. The principal job of a router is to determine the best network path through a complex network, while a third main purpose of LAN switches is layer-two loop avoidance (spanning tree). Besides this, the gateway functionality has to be enabled for traffic to leave the local network at all.

Computer Security: Phishing

Out of all the weapons available to a cyber criminal, phishing is probably one of the most widely used. It is generally described as a random, untargeted attack that tricks someone into revealing confidential information by replying to an email, clicking a link or filling in a bogus web page. Most popular phishing attacks rely on an element of social engineering: deceiving people into handing over access rather than directly hacking into a target system.

Usually the main delivery mechanism is email, and with modern mailing systems attackers can target millions of addresses at one time. There are many variations, ranging from installing keyloggers to duplicating websites, but the intent is always to steal personal information such as usernames, passwords and account numbers.

It is fairly common for these phishing emails to include attachments or links that install various types of malware onto the victim's computer in order to steal their information too.

Quick Summary of Phishing Attacks

As explained, there are lots of different types of phishing attack, and their popularity changes quite regularly.

Email Phishing – is probably the most well known and centres around mass distribution of emails; they are very random and usually rely on volume to succeed.

Spear Phishing – is a more targeted form of phishing that follows the same basic premise. However, these attacks are usually more sophisticated and tailored towards a certain type of user or organisation.

Man in the Middle (MiTM) attacks involve the attacker positioning themselves between a legitimate website or company and the end user, with the goal of recording any information sent. It's normally one of the most difficult to operate, but also to detect, because the transactions themselves are legitimate and are simply intercepted.

There are many other methods of capturing information, with keyloggers and screen-capture programs popular too; the idea is always simply to gain passwords or other personal information.

Other variants include pharming, which is even less targeted than phishing: malicious code is planted on servers or client machines so that any user is redirected to fake websites. There are various ways of doing this, several of them involving name resolution, such as modifying a user's hosts file to redirect them without their knowledge. A particularly sinister version of pharming is DNS (Domain Name System) poisoning, where users are directed to fraudulent websites without any need to tamper with the personal hosts file. Others use legitimate, or at least semi-legitimate, services to trick people into using them. One of the more popular methods was to put free proxy servers out on the internet for people to bypass region blocks; these were then used to steal people's credentials as they used them. This explains the method of region-lock bypass using a proxy to watch the BBC, although the example used in that post was a commercial service.

Malware Phishing – is the process of downloading malware onto a user's device, either through an attachment in an email, a downloadable web file or by exploiting software vulnerabilities.
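The hosts-file variety of pharming mentioned above is one of the few that an administrator can check for directly. The following is an added example (written for this edit, not code from the original post) that scans a hosts file for watched domain names steered to an address other than loopback or the 0.0.0.0 sinkhole; the file contents and the watchlist domains are constructed for the example.

```python
import ipaddress

# Added example, not code from the original post: scan a hosts file for
# pharming-style overrides, i.e. watched domain names steered to an address
# other than loopback or the 0.0.0.0 sinkhole. The file contents and the
# watchlist domains below are constructed for the example.

WATCHLIST = {"bank.example", "mail.example", "login.example"}

# Constructed hosts file: normal entries, one blocking entry and two overrides.
SAMPLE_HOSTS = """\
# Standard entries
127.0.0.1   localhost
::1         localhost ip6-localhost
10.0.0.20   socrates socrates.corp.example

# Overrides an attacker would plant
203.0.113.45   bank.example www.bank.example
198.51.100.7   login.example
0.0.0.0        ads.example   # ad-blocking entry, harmless
"""


def parse_hosts(text):
    """Yield (line number, address, name) for every name on every valid line.
    Comments start at '#'; lines with a malformed address are skipped, as the
    operating system's resolver would skip them."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            yield lineno, addr, name.lower().rstrip(".")


def is_watched(name, watchlist):
    """True for a watched domain or any subdomain of one."""
    return any(name == d or name.endswith("." + d) for d in watchlist)


def suspicious_entries(text, watchlist=WATCHLIST):
    """Return the overrides worth investigating, in file order."""
    findings = []
    for lineno, addr, name in parse_hosts(text):
        if not is_watched(name, watchlist):
            continue
        if addr.is_loopback or addr.is_unspecified:
            continue  # localhost or 0.0.0.0 sinkhole entries are not redirections
        findings.append({"line": lineno, "name": name, "address": str(addr)})
    return findings


if __name__ == "__main__":
    for f in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['name']} -> {f['address']}")
```

To run it against a real machine, feed it the contents of `/etc/hosts` (or `%SystemRoot%\System32\drivers\etc\hosts` on Windows) and the domains your users log in to; any hit is a name the client will never look up in DNS at all.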

Further Reading – Security Information and UK VPN trial

Using Reverse Proxies in your Environment

Many IT administrators use proxies extensively in their networks; however, the concept of reverse proxying is slightly less common.  So what is a reverse proxy? It refers to a setup where a proxy server like this is run in such a way that it appears to clients just like a normal web server.

Specifically, the client connects directly to the proxy believing it to be the final destination, i.e. the web server itself, and is not aware that the request may be relayed further to another server, possibly even an additional proxy server.  These 'reverse proxy servers' are also often referred to as gateways, although that term has other meanings too; to avoid confusion we'll avoid that description in this article.

In reality the word 'reverse' refers to the reversed role of the proxy server. A standard proxy acts on behalf of the client: every request the proxy makes is made on behalf of a request it received from a client.  This is not the case in the 'reverse' scenario, because there the proxy acts on behalf of the web server and not the client.  The distinction can look confusing, since in both cases the proxy forwards and receives requests to and from both client and server, but it is important.  You can read RFC 3040 for further information on this branch of internet replication and caching.

A standard proxy is pretty much dedicated to the clients' needs: all configured clients forward all their requests for web pages to the proxy server.   In a standard network architecture proxies normally sit fairly close to the clients in order to reduce latency and network traffic.   These proxies are usually run by the organisations themselves, although some ISPs offer the service to larger clients.

In the situation of a reverse proxy, the proxy represents one or a small number of origin servers.  You cannot normally reach arbitrary servers through a reverse proxy, because it has to be configured to front specific web servers and it refuses requests for anything else.  Often these servers need to be highly available and the caching aspect is important; a large organisation like Netflix would probably have specific IP addresses (read this) pointing at reverse proxies.  The set of origin servers that can be reached is defined by the reverse proxy's own configuration.   A reverse proxy is normally used by all clients to reach certain web resources, and access by any other route may be completely blocked.

Obviously in this scenario it is usual for the reverse proxy to be both controlled and administered by the owner of the origin web server, because these servers serve two primary purposes: replicating content across a wide geographic area, and replicating it for load balancing.  In some scenarios it is also used to add an extra layer of security and authentication in front of a secure web server.  One caveat when it is: client-identifying headers the proxy adds, such as X-Forwarded-For, are only trustworthy at the origin when they arrive from the proxy's own address, since any client that can reach the origin directly can forge them.
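The behaviour described in this post, a proxy that looks like the site itself, forwards only to the origins it was configured for and refuses everything else, is easiest to see in running code. The following is an added example (written for this edit, not the author's or any product's code): a toy reverse proxy fronting two pretend origin servers, all on loopback in one process. The hostnames video.example.test, api.example.test and down.example.test are made up, and the third route deliberately points at a dead port to show the 502 failure mode.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Added example, not code from the original post: a toy reverse proxy fronting
# two pretend origin servers, all on loopback in this process. The hostnames
# video.example.test, api.example.test and down.example.test are made up.


class QuietHandler(BaseHTTPRequestHandler):
    """Shared plumbing: a one-call plain-text reply and no access-log noise."""

    def _reply(self, status, body):
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass


class OriginHandler(QuietHandler):
    """Pretend origin: answers with its own name so we can see who served us."""
    name = "origin"

    def do_GET(self):
        self._reply(200, f"{self.name} served {self.path}\n".encode())


def make_reverse_proxy(routes):
    """routes maps a public Host name to (backend_host, backend_port). Unlike a
    forward proxy, anything not in the table is refused: a reverse proxy only
    represents the origins it was configured for."""

    class ReverseProxyHandler(QuietHandler):
        def do_GET(self):
            host = self.headers.get("Host", "").split(":")[0].lower()
            backend = routes.get(host)
            if backend is None:
                self._reply(403, b"not a configured origin\n")
                return
            conn = http.client.HTTPConnection(backend[0], backend[1], timeout=5)
            try:
                # Keep the public Host and tell the origin who the client was.
                conn.request("GET", self.path, headers={
                    "Host": host, "X-Forwarded-For": self.client_address[0]})
                resp = conn.getresponse()
                self._reply(resp.status, resp.read())
            except OSError:
                self._reply(502, b"bad gateway\n")  # origin down or unreachable
            finally:
                conn.close()

    return ReverseProxyHandler


def serve(handler):
    """Start a server on an ephemeral loopback port in a background thread."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def fetch(port, host_header, path):
    """Client side: talk to the proxy as though it were the site itself."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    try:
        conn.request("GET", path, headers={"Host": host_header})
        resp = conn.getresponse()
        return resp.status, resp.read().decode()
    finally:
        conn.close()


def demo():
    """Two live origins, one dead one, one proxy; four requests; tear down."""
    class VideoOrigin(OriginHandler):
        name = "video-origin"

    class ApiOrigin(OriginHandler):
        name = "api-origin"

    video, api, dead = serve(VideoOrigin), serve(ApiOrigin), serve(OriginHandler)
    dead_port = dead.server_port
    dead.shutdown(); dead.server_close()  # free the port so it refuses connections
    proxy = serve(make_reverse_proxy({
        "video.example.test": ("127.0.0.1", video.server_port),
        "api.example.test": ("127.0.0.1", api.server_port),
        "down.example.test": ("127.0.0.1", dead_port),
    }))
    try:
        return {
            "video": fetch(proxy.server_port, "video.example.test", "/catalog"),
            "api": fetch(proxy.server_port, "api.example.test", "/v1/status"),
            "down": fetch(proxy.server_port, "down.example.test", "/"),
            "unknown": fetch(proxy.server_port, "evil.example.test", "/"),
        }
    finally:
        for server in (proxy, video, api):
            server.shutdown()
            server.server_close()


if __name__ == "__main__":
    for label, (status, body) in demo().items():
        print(f"{label}: {status} {body.strip()}")
```

The routing decision is made on the Host header the client sent, which is exactly what a production reverse proxy does with its virtual-host configuration; note that the origin only ever sees the proxy's address as the TCP peer, which is why the X-Forwarded-For header exists and why the origin should accept it only from the proxy.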


Using Proxies for Virtual Locations

For many people, travel is becoming much easier, and as a species our geographical horizons are perhaps wider than ever.  Inexpensive air travel and soft borders like those within the European Union mean that instead of just looking for work in another city or town, another country is just as viable.  The internet of course enables this somewhat: many corporations have installed infrastructure to allow remote or home working, which means many people can work from wherever they wish.   Instead of sitting in cubicles in vast, expensive office space, the reality is that people can work together just as easily over high-speed internet connections from home.

Unfortunately there are some issues with this digital utopia, most of them self-inflicted.  Instead of being a vast unfettered global communications medium, the internet in some senses has begun to shrink: not so much in size, but in the increasing number of restrictions, filters and blocks applied by web servers across the planet.  For instance the company I work for has two main bases, one in the UK and the other in Poland, which means there is quite a bit of travel between the two countries.  Not surprisingly, employees who are working away from home for some time use the internet to keep in touch with their home life, yet this can be frustrating.

A common issue is that many websites are not really accessible globally; they are locked to specific regions.  Take for example the main Polish TV channel, TVN: it has a fantastic website and a media player on which you can watch all their shows.  However, a Polish citizen who tries to watch the local news from Warsaw from a hotel in the UK will find themselves blocked; the content is only available to those physically located in Poland.  It's no one-off either: this behaviour is shared by pretty much every large media company on the web, which block access depending on your location.

There is a solution, and for our employees it's actually quite simple: all they need to do is fire up their VPN client and remotely connect back to their home server in Poland.  The instant they do this, their connection looks like it's based in Poland and all the Polish TV channels work perfectly.  There's a post about something similar here – using a Polish proxy to watch TVN and some other channels, although that one is through a commercial service designed to hide your location.  It's a practice that is becoming increasingly necessary: the more we travel, the more we find our online access is determined by our physical location.

The use of proxies and, more recently, VPNs lets you break out of these artificial intranets which companies create by blocking access from other countries.  The idea is that if you have the ability to switch between VPN endpoints across the world, you can effectively take back control and access whatever website you need. Your physical location becomes unimportant again: by taking control of your virtual location you have a huge advantage over other internet users, choosing the location you wish to appear from.  There are other options now too; take a look at this UK DNS proxy, which does something fairly similar and can be used to watch the BBC and Netflix from outside the UK.

John Hammond

Author of – Does BBC Iplayer Work in Ireland 

IP Name Resolution

There is one technology normally associated with IP name resolution and that's DNS (Domain Name System), probably because it's the dominant system on the internet.  However, in the average corporate network you'll find all sorts of alternative methods of resolving names to IP addresses which have been around for years.  Here are just a few of the common ones you might come across:

Broadcasting: using broadcasts to resolve names is of course very inefficient, basically a plea to the whole network asking for an answer.  You'd think this method isn't used any more, and it's true that most network administrators have tried to remove it from their networks.   However, anyone who has tried to troubleshoot a network of any size will almost certainly find devices that routinely broadcast looking for name resolution.  A couple of reasons it doesn't work well: it generates lots of unnecessary traffic, and most routers won't forward broadcasts anyway, so queries are frequently just lost.  You can configure routers to relay these messages as unicast to a named server (Cisco's `ip helper-address`, for example), but this is not the way to run a fast, efficient network.

Netbios over TCP/IP

NetBIOS was the primary method used by Windows computers to resolve names to IP addresses, although again DNS has normally replaced it.  There are four NetBIOS node types, and each defines the order in which the resolution methods are tried:

  • p-Node – Client queries a WINS (NetBIOS Name Server, NBNS) server using unicast.  The server address must be configured on the client for this to work, but after that it only requires IP connectivity to the server.
  • b-Node – Client broadcasts a name query on the local subnet and the host that owns the name replies.  This will only succeed if that host is on the same subnet or routers are configured to forward the request.
  • m-Node – Client uses b-node first, then p-node if there is no reply to the initial broadcast.
  • h-Node – Client first uses a p-node unicast query if a WINS server is configured, then falls back to a b-node broadcast.


Windows Internet Name Service (WINS) is Microsoft's implementation of a NetBIOS Name Server (NBNS).  It's a dynamic, distributed method of name resolution used mainly in Windows environments: clients register their names with central WINS servers, which hold all the name-to-address mappings, and in some versions the WINS service was installed automatically on Windows Server installations. Again, it works best when the WINS server is configured correctly on the client; otherwise the client falls back to broadcasts.


LMHOSTS

This is a simple static file, similar to a hosts file, which must be created, distributed and kept up to date by the network administrator.  If a client is configured as h-node, the LMHOSTS file is consulted as a fallback method.  It can create a lot of work and potential issues in large, dynamic environments, although it can be used to distribute the names of key servers which are unlikely to be moved or modified.
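The difference between the four node types is really just the order in which the lookups are tried and where each one can fail. The following is an added example (written for this edit, not code from the original post) that simulates the node types as described above; the WINS database, the hosts that would hear a broadcast on the local subnet and the LMHOSTS contents are all constructed, and the real client's name cache is left out.

```python
# Added example, not code from the original post: a simulation of the four
# NetBIOS node types described above. The WINS database, the hosts that would
# hear a broadcast on the local subnet and the LMHOSTS contents are all
# constructed; real clients also consult a name cache, which is left out.

WINS_DATABASE = {"SOCRATES": "10.0.0.20", "FILESRV": "10.0.1.30"}
LOCAL_SUBNET = {"FRED-PC": "10.0.0.5", "SOCRATES": "10.0.0.20"}  # can answer a broadcast
LMHOSTS = """\
10.0.1.30   FILESRV   #PRE
10.0.9.9    OLDSRV    # legacy box, never registered in WINS
"""

# Order of methods per node type, as described in the text: h-node is the only
# type here that falls through to the LMHOSTS file.
NODE_ORDER = {
    "b": ["broadcast"],
    "p": ["wins"],
    "m": ["broadcast", "wins"],
    "h": ["wins", "broadcast", "lmhosts"],
}


def parse_lmhosts(text):
    """LMHOSTS lines are '<ip> <name> [#PRE ...]'; everything after '#' is a
    comment or directive, so it is dropped before splitting."""
    table = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2:
            table[fields[1].upper()] = fields[0]
    return table


def resolve(name, node_type, wins_configured=True, wins=WINS_DATABASE,
            subnet=LOCAL_SUBNET, lmhosts=LMHOSTS):
    """Return (address or None, list of steps taken) for a NetBIOS name."""
    name = name.upper()
    steps = []
    for method in NODE_ORDER[node_type]:
        if method == "wins":
            if not wins_configured:
                steps.append("wins: skipped, no server configured on client")
                continue
            addr = wins.get(name)          # unicast query to the WINS server
        elif method == "broadcast":
            addr = subnet.get(name)        # only hosts on this subnet can hear it
        else:
            addr = parse_lmhosts(lmhosts).get(name)
        steps.append(f"{method}: {'hit ' + addr if addr else 'miss'}")
        if addr:
            return addr, steps
    return None, steps


if __name__ == "__main__":
    for query, node in (("socrates", "p"), ("filesrv", "b"), ("filesrv", "m"), ("oldsrv", "h")):
        addr, steps = resolve(query, node)
        print(f"{query:<9} {node}-node -> {addr or 'FAILED':<10} via {' / '.join(steps)}")
```

The FILESRV case is the one to note: a b-node client on another subnet never finds it, an m-node client finds it only after a wasted broadcast, and a p-node client with no WINS server configured finds nothing at all, which is the symptom you see on a machine whose DHCP scope has lost its WINS option.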

