Network Analysis Overview – Part 1 of my WCNA journey

As a Network Infrastructure Engineer for more than 10 years, I often encounter incidents related to network connectivity issues. My main task is to bring the connection back to a state that meets internal or external Service Level Agreements (SLAs). Some cases are straightforward and easy to determine, such as a loose cable between a client and a switch port or a defective SFP; most of these are Layer 1 related. You just need a good Network Performance Monitor (NPM) in place, such as the popular SolarWinds or PRTG, to alert you so that you can respond as quickly as possible.

However, I also come across issues that cannot be addressed quickly, and Senior IT Management will ask you to deep dive for a root cause analysis (RCA). One example is intermittent disconnects where no obvious errors are seen on the infrastructure devices. A popular tool that I use to investigate patterns and anomalies further along the network path is Wireshark.

This motivated me to build formal, self-paced knowledge of Wireshark based on the certification's exam objectives. You may visit https://www.wcnacertification.com/faq for the details. If budget permits, I will sit the exam to validate my understanding of the objectives.

I know that a strong foundation in network analysis is a key skill that every IT professional should possess. I firmly believe that Wireshark is the best network analyzer tool, and I thank the developers for their contributions.

I bought all the books published by Laura Chappell back in March 2014. The only new book since then is the second edition of Wireshark 101, so I think there is not much change from a reference standpoint. To purchase these books, please visit https://www.chappell-university.com/books

There are 33 sections listed in the exam objectives, and I plan to create one blog post for each section. Hopefully I can articulate what the reference materials are trying to convey. I will make sure that I understand both the concepts and their practical applications. The trace files can be found at https://www.chappell-university.com/traces

Section one defines the purpose of network analysis as providing insight into network communications in order to identify performance issues, locate security anomalies, analyze application communication flows and perform capacity planning. To be successful as a network analyst, we need a strong understanding of TCP/IP communications, comfort with a network analyzer tool, and familiarity with packet structures as well as typical packet flows. This section also covers the legal issues of listening to network traffic. We should be aware of the Electronic Communications Privacy Act (ECPA) and its exceptions for operators and service providers; more info at https://en.wikipedia.org/wiki/Electronic_Communications_Privacy_Act. In our daily operations, we must always request approval from our manager before setting up a Wireshark capture.

Moreover, the reference material discusses the devices along the general network traffic flow that affect packet contents, such as:

Switches: forward frames based on the destination MAC address. When a frame arrives, a store-and-forward switch first verifies the Frame Check Sequence (FCS) at the end of the frame and discards any frame whose FCS does not match (a cut-through switch starts forwarding as soon as it has read the destination MAC, before it has seen the FCS, so it passes corrupted frames along). If the FCS is good, the switch records the source MAC address against the ingress port in its MAC address table, then looks up the destination MAC address in that table to determine which port leads to the host using that address. If the destination MAC address is not in the table (an unknown unicast) or is the broadcast address, the switch floods the frame out all ports in the VLAN except the port on which it arrived.

Consider the figure below of a simple ping from R1 to R2. The first echo request times out because R1 has no ARP entry for 192.168.0.2: it must first broadcast an ARP request for R2's MAC address and wait for the reply before it can frame the ICMP packet. The remaining echo requests succeed because the MAC address is now in R1's ARP cache.

[Figure: ping 192.168.0.2 from R1, showing the ARP broadcast before the first ICMP reply (Broadcast1.JPG)]

Routers: when a router receives a frame, it uses the following logic on the data-link frame:

Step 1. Use the data-link Frame Check Sequence (FCS) field to ensure that the frame had no errors; if errors occurred, discard the frame.

Step 2. Assuming that the frame was not discarded at Step 1, discard the old data-link header and trailer, leaving the IP packet.

Step 3. Compare the IP packet's destination IP address to the routing table, and find the route that best matches the destination address. This route identifies the outgoing interface of the router, and possibly the next-hop router IP address.

Step 4. Encapsulate the IP packet inside a new data-link header and trailer, appropriate for the outgoing interface, and forward the frame.
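As an added worked example (my own code, not from the study guide, the Odom book or the original post), the following Python simulates both the switch behaviour described above and the router's four steps: a learning switch that verifies the FCS, learns source MACs per port and floods unknown destinations, and a router that discards bad frames, strips the old data-link header and trailer, does a longest-prefix match and re-encapsulates for the outgoing interface. The topology, MAC and IP addresses, routing table and ARP cache are all constructed for the example, and ARP resolution itself is assumed to have already happened (the router reads the next-hop MAC from a pre-filled cache).

```python
"""Simulated switch and router forwarding, following the switch paragraph and the four router steps above."""
import ipaddress
import struct
import zlib

ETHERTYPE_IPV4 = 0x0800


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(dst_mac: str, src_mac: str, ethertype: int, payload: bytes) -> bytes:
    """Ethernet II frame with a real FCS: IEEE 802.3 CRC-32 over header+payload, least-significant byte first."""
    body = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ethertype) + payload
    return body + struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def parse_frame(frame: bytes):
    """Return (dst, src, ethertype, payload), or None when the FCS does not match (the frame is discarded)."""
    body, fcs = frame[:-4], frame[-4:]
    if struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF) != fcs:
        return None
    return mac_str(body[:6]), mac_str(body[6:12]), struct.unpack("!H", body[12:14])[0], body[14:]


def ipv4_checksum(hdr: bytes) -> int:
    """RFC 791 header checksum: one's-complement sum of the 16-bit words with the checksum field taken as zero."""
    total = sum(struct.unpack("!10H", hdr[:10] + b"\x00\x00" + hdr[12:20]))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4(src_ip: str, dst_ip: str, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (protocol 1 = ICMP) in front of an opaque payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, 1, 0,
                      ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload


class LearningSwitch:
    """Forwards by destination MAC, learns source MACs per port, floods unknown unicast and broadcast."""

    def __init__(self, ports):
        self.ports = list(ports)
        self.mac_table = {}  # MAC address -> port

    def receive(self, frame: bytes, in_port: int):
        """Return the list of egress ports for this frame ([] means discarded)."""
        parsed = parse_frame(frame)
        if parsed is None:                      # bad FCS: a store-and-forward switch drops it here
            return []
        dst, src, _, _ = parsed
        self.mac_table[src] = in_port           # learn which port the sender is behind
        if dst in self.mac_table:
            return [self.mac_table[dst]]
        return [p for p in self.ports if p != in_port]   # unknown unicast or ff:ff:ff:ff:ff:ff: flood


class Router:
    """Applies the four steps above: verify FCS, strip L2, longest-prefix match, re-encapsulate.
    routes: (prefix, out_iface, next_hop or None); iface_macs: iface -> MAC; arp_cache: IP -> MAC (assumed resolved)."""

    def __init__(self, routes, iface_macs, arp_cache):
        self.routes = [(ipaddress.ip_network(p), iface, nh) for p, iface, nh in routes]
        self.iface_macs = iface_macs
        self.arp_cache = arp_cache

    def receive(self, frame: bytes):
        """Return (out_iface, new_frame), or None when the packet is dropped."""
        parsed = parse_frame(frame)
        if parsed is None:                      # Step 1: FCS error, discard
            return None
        _, _, ethertype, packet = parsed        # Step 2: old header and trailer gone, IP packet remains
        if ethertype != ETHERTYPE_IPV4 or packet[8] <= 1:   # not IPv4, or TTL would expire here
            return None
        dst_ip = ipaddress.IPv4Address(packet[16:20])
        candidates = [r for r in self.routes if dst_ip in r[0]]
        if not candidates:                      # no matching route, not even a default: drop
            return None
        _, out_iface, next_hop = max(candidates, key=lambda r: r[0].prefixlen)   # Step 3: longest prefix wins
        hdr = bytearray(packet[:20])
        hdr[8] -= 1                             # TTL decrement and checksum update: not in the four steps, but always done
        hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
        next_mac = self.arp_cache[str(next_hop or dst_ip)]   # Step 4: new header for the outgoing link
        return out_iface, build_frame(next_mac, self.iface_macs[out_iface], ETHERTYPE_IPV4, bytes(hdr) + packet[20:])


if __name__ == "__main__":
    # Constructed topology: host A 10.0.0.10 behind switch port 1, R1 g0/0 behind port 2, host B 192.168.0.2 off R1 g0/1
    sw = LearningSwitch(ports=[1, 2, 3])
    r1 = Router([("10.0.0.0/24", "g0/0", None), ("192.168.0.0/24", "g0/1", None), ("0.0.0.0/0", "g0/1", "192.168.0.254")],
                {"g0/0": "00:00:00:00:01:01", "g0/1": "00:00:00:00:01:02"},
                {"192.168.0.2": "00:00:00:00:00:0b", "192.168.0.254": "00:00:00:00:00:fe"})
    frame = build_frame("00:00:00:00:01:01", "00:00:00:00:00:0a", ETHERTYPE_IPV4, build_ipv4("10.0.0.10", "192.168.0.2", b"ping"))
    print("switch egress ports (R1 MAC not learned yet, so flooded):", sw.receive(frame, in_port=1))
    out_iface, new_frame = r1.receive(frame)
    print("router forwards on", out_iface, "to", parse_frame(new_frame)[0])
```

Flipping a single byte anywhere in a frame makes both devices drop it at the FCS check; the switch only learns from frames that pass that check, and the router's default route is used only when no more specific prefix matches, which is why the `max(..., key=prefixlen)` step matters.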

Other technologies along the path also affect the traffic flow, such as proxies, firewalls and NAT, as well as VLAN tagging (802.1Q) and MPLS.

The last part of this section is a checklist of analysis tasks. These tasks can be considered either proactive or reactive. Sadly, on my part, reactive analysis is more common. The network analysis tasks performed depend on the characteristics of the network traffic. Here are the top 10 that I can relate to in using Wireshark:

  1. Identify the protocols and applications in use.
  2. Learn the packet lengths used by a data transfer application.
  3. Recognize the most common connection problems.
  4. Spot delays between client requests caused by slow processing.
  5. Find the top talkers on the network.
  6. List all hosts communicating.
  7. Build graphs to compare traffic behavior.
  8. Quickly identify HTTP error responses indicating client and server issues.
  9. Play back VoIP conversations to hear the effects of various network problems on the traffic.
  10. Detect out-of-order packets and packet loss on the network.
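As an added example (my own code, not from the original post or the study guide), the following Python computes items 1, 5 and 6 from the checklist (protocols and applications in use, top talkers, hosts communicating) directly from a pcap, which is what Wireshark's Statistics > Endpoints, Conversations and Protocol Hierarchy windows report. The capture is constructed in memory (a short HTTPS download, a DNS lookup, a ping and one ARP frame), so the addresses, ports and byte counts are sample data; application identification here is a simplified stand-in for Wireshark's port-based dissector selection.

```python
"""Endpoint, conversation and protocol statistics from a pcap, the way Statistics > Endpoints/Conversations report them."""
import ipaddress
import struct
from collections import Counter

PCAP_MAGIC = 0xA1B2C3D4          # classic pcap with microsecond timestamps (pcapng is a different format)
LINKTYPE_ETHERNET = 1
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def build_pcap(frames):
    """Write a classic pcap: 24-byte global header, then a 16-byte record header before every frame."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts_sec, frame in frames:
        out += struct.pack("<IIII", ts_sec, 0, len(frame), len(frame)) + frame
    return out


def iter_records(pcap: bytes):
    """Yield (ts_sec, frame) for each record; the byte order is taken from the magic number."""
    endian = "<" if struct.unpack("<I", pcap[:4])[0] == PCAP_MAGIC else ">"
    off = 24
    while off + 16 <= len(pcap):
        ts_sec, _, incl_len, _ = struct.unpack(endian + "IIII", pcap[off:off + 16])
        off += 16
        yield ts_sec, pcap[off:off + incl_len]
        off += incl_len


def summarise(pcap: bytes, top_n: int = 3):
    """Hosts seen, top talkers by bytes, bytes per conversation, and a port-based protocol/application mix."""
    host_bytes, conversations, protocols = Counter(), Counter(), Counter()
    for _, frame in iter_records(pcap):
        if len(frame) < 14:
            protocols["truncated"] += 1
            continue
        ethertype = struct.unpack("!H", frame[12:14])[0]
        if ethertype != 0x0800 or len(frame) < 34:
            protocols[f"non-IPv4 (ethertype 0x{ethertype:04x})"] += 1
            continue
        src = str(ipaddress.IPv4Address(frame[26:30]))
        dst = str(ipaddress.IPv4Address(frame[30:34]))
        host_bytes[src] += len(frame)
        host_bytes[dst] += len(frame)
        conversations[tuple(sorted((src, dst)))] += len(frame)   # direction-agnostic, like the Conversations window
        name = PROTO_NAMES.get(frame[23], f"IP proto {frame[23]}")
        l4 = 14 + (frame[14] & 0x0F) * 4                        # IHL gives the IPv4 header length in 32-bit words
        if name in ("TCP", "UDP") and len(frame) >= l4 + 4:
            sport, dport = struct.unpack("!HH", frame[l4:l4 + 4])
            name += f"/{min(sport, dport)}"                       # the lower port is usually the service side
        protocols[name] += 1
    return {
        "hosts": sorted(host_bytes, key=ipaddress.IPv4Address),
        "top_talkers": host_bytes.most_common(top_n),
        "conversations": conversations,
        "protocols": protocols,
    }


def _ipv4_frame(src_ip: str, dst_ip: str, proto: int, l4: bytes) -> bytes:
    """Constructed test frame: Ethernet II + 20-byte IPv4 header (checksum left zero) + transport data, no FCS."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    return bytes.fromhex("020000000002") + bytes.fromhex("020000000001") + struct.pack("!H", 0x0800) + ip + l4


def sample_capture() -> bytes:
    """Constructed traffic: one HTTPS download, one DNS lookup, one ping and one ARP frame."""
    def tcp(sport, dport, n):                    # 20-byte TCP header (flags/options zeroed) + n bytes of data
        return struct.pack("!HH", sport, dport) + bytes(16) + bytes(n)

    def udp(sport, dport, n):                    # 8-byte UDP header + n bytes of data
        return struct.pack("!HHHH", sport, dport, 8 + n, 0) + bytes(n)

    frames = [(1, _ipv4_frame("10.0.0.10", "93.184.216.34", 6, tcp(51000, 443, 200)))]
    frames += [(2, _ipv4_frame("93.184.216.34", "10.0.0.10", 6, tcp(443, 51000, 1400)))] * 3
    frames += [(3, _ipv4_frame("10.0.0.11", "10.0.0.53", 17, udp(40000, 53, 30))),
               (3, _ipv4_frame("10.0.0.53", "10.0.0.11", 17, udp(53, 40000, 100))),
               (4, _ipv4_frame("10.0.0.10", "10.0.0.1", 1, b"\x08\x00" + bytes(6))),
               (5, bytes(12) + struct.pack("!H", 0x0806) + bytes(28))]              # ARP request, not IPv4
    return build_pcap(frames)


if __name__ == "__main__":
    stats = summarise(sample_capture())
    print("hosts:", stats["hosts"])
    print("top talkers:", stats["top_talkers"])
    print("protocols:", dict(stats["protocols"]))
```

Byte counts are per frame as captured, so a host is a "top talker" whether it sends or receives the data; the same three counters are what you would compare against a baseline capture to spot a new host, a new service port, or one endpoint suddenly dominating the traffic.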

I have a genuine interest in learning this course and applying best practices in network analysis. This way I can share knowledge and encourage peers on how to effectively maintain and operate their respective network environments.

I look forward to the next sections of the exam objectives.


Readings:

  1. Wireshark Network Analysis: The Official Wireshark Certified Network Analyst (WCNA) Study Guide, by Laura Chappell
  2. CCENT/CCNA ICND1 100-105 Official Cert Guide, by Wendell Odom