Packet Analysis

by Lee LeClair
11/14/2008
As seen in Inside Tucson Business

As a computer and network geek, one of the primary tools I rely on to solve network, computer, and application problems is the packet analyzer. A packet analyzer allows one to “see” almost literally what is occurring over a part of the network and is an invaluable tool in figuring out vexing problems and securing one’s network. Without a packet analyzer, one must guess about what is occurring on the network based on theory and arcane vendor literature. A packet analyzer reveals what a former employee of the NSA I know calls the “ground truth” about what is occurring on your network. It is like a magic magnifying glass allowing you to see the secret life of data packets.

I will not lie: it takes at least some background knowledge about network protocols (TCP/IP) to make sense of what is going on, but not as much as you might think. There are some great books available on using packet analyzers as well, including Practical Packet Analysis by Chris Sanders, but you can learn quite a bit from some quality time with Google. If you understand some of the basics of TCP/IP and protocols like HTTP, FTP, etc., then you are on your way.

There are many uses for packet analyzers, but one of the most common is to figure out why some software or computer is not reachable from some other software or computer. Usually there is a firewall or two in the way. The approach I take is to examine packets from multiple points in the path from the source device to the target device. Typically, a problem will become obvious just inside or outside a restrictive network device like a firewall or filtering router. To do this, you will need to place your packet analyzer on the network in such a way that you can “see” data in your target path. If you have sophisticated network switches, you can configure port mirroring or spanning so that data from a particular port is replicated to another port on which your packet analyzer is listening. A cruder but very simple option is to place a hub inline at the points you would like to check.

These days, packet analyzers are especially valuable since so many security measures have migrated from specialized network devices (e.g., firewalls, switch access controls, filtering routers, etc.) to computer software. Home and business PC protection software available from Symantec, McAfee, Kaspersky, ZoneAlarm, Windows, etc. often provides a “personal firewall” and other anti-intrusion measures to try to safeguard each computer it is loaded on. Improperly configured, these can cause communication problems for valid programs, but the issues are often difficult to pinpoint.

In a nutshell, packet analyzers tell you exactly what packets are sent and received on your network. If you know what should be occurring, you will quickly see what part is NOT occurring and then begin the business of finding out WHY.
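As an added illustration of the approach described above (this is not code from the column), the short Python script below compares one-line packet summaries captured at two vantage points, outside and inside a firewall, and reports the flows that vanish between them, plus any client SYNs that never get a SYN-ACK. The addresses, ports and the summary format are constructed for the example; a real capture would be exported from Wireshark or tshark.

```python
# Added example: find where packets "stop" between two capture points.
# Constructed summaries, one packet per line: "src dst proto dport flags".
# Assumed format, not a real tshark export.
OUTSIDE = """\
10.1.1.5 192.168.0.10 TCP 80 S
192.168.0.10 10.1.1.5 TCP 80 SA
10.1.1.5 192.168.0.10 TCP 443 S
192.168.0.10 10.1.1.5 TCP 443 SA
10.1.1.5 192.168.0.10 TCP 3389 S
10.1.1.5 192.168.0.10 TCP 3389 S
10.1.1.5 192.168.0.10 UDP 161 -
"""
INSIDE = """\
10.1.1.5 192.168.0.10 TCP 80 S
192.168.0.10 10.1.1.5 TCP 80 SA
10.1.1.5 192.168.0.10 TCP 443 S
192.168.0.10 10.1.1.5 TCP 443 SA
"""


def parse(summary):
    """Return the set of (src, dst, proto, dport) flows seen in a capture summary."""
    flows = set()
    for line in summary.splitlines():
        src, dst, proto, dport, _flags = line.split()
        flows.add((src, dst, proto, int(dport)))
    return flows


def missing_flows(outside, inside):
    """Flows seen at the outside capture point that never appear inside:
    the filtering device sitting between the two points is the prime suspect."""
    return sorted(parse(outside) - parse(inside))


def unanswered_syns(summary):
    """Client SYNs with no matching SYN-ACK in the same capture: connection
    attempts that something in the path dropped (or the host never answered)."""
    syns, synacks = set(), set()
    for line in summary.splitlines():
        src, dst, proto, dport, flags = line.split()
        if proto != "TCP":
            continue
        if flags == "S":
            syns.add((src, dst, int(dport)))
        elif flags == "SA":
            synacks.add((dst, src, int(dport)))  # reply travels the other way
    return sorted(syns - synacks)


if __name__ == "__main__":
    print("dropped between capture points:", missing_flows(OUTSIDE, INSIDE))
    print("unanswered SYNs outside:", unanswered_syns(OUTSIDE))
```

Run against the constructed data it reports the RDP and SNMP flows as present outside but absent inside, which is exactly the "what is NOT occurring" that points at the firewall.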

A packet analyzer can be expensive gear, as some of my clients use, or it can be free software, a laptop, and a hub. I usually go with the laptop, a free software program called Wireshark (formerly called Ethereal), and a 10/100 network hub. That is the great thing about packet analysis: it can be done pretty cheaply and using whatever happens to be your favorite operating system. It is not often in life you can get to the ground truth, but it is very rewarding when you can.

Lee LeClair is the CTO at Ephibian. His Tech Talk column appears the third week of each month in Inside Tucson Business.