Solved

Net sniffers and traffic generators

Posted on 2001-06-06
12
595 Views
Last Modified: 2012-08-13
Hello,

Is it possible to determine whether a net device is a software or a hardware router by sniffing the network? Which sniffers would do this? By the way, does anyone know of a software traffic generator  which can transmit up to 10 Mb/s? . Freeware or trials wanted. I admit this is a two-in-one question. If I get real gain from the answers, I will raise the points.

Thanks.
0
Comment
Question by:sanjiva
12 Comments
 
LVL 1

Expert Comment

by:Haho
Comment Utility
I have an idea.. maybe it will be workable? :)
if ur sniffer in on the same network...
you can trace the IP to MAC address used to communicate between the router and other devices on the network.

The MAC or ethernet hardware address does include vendor specific ids.. so from there, u can deduce whether it is a server NIC card or router interfaces...
However, bear in mind that MAC address cna be spoofed or replaced with self-assigned MAC address on some Unix servers.
0
 
LVL 1

Expert Comment

by:murthy_d
Comment Utility
Hai Sanjiva,
I really agree with Haho.  Only way you can identify from which machine you received packet(ie from router or from some other device) by observing the MAC address.  Every NIC manufacturer will have a unique ID for that company(ie first three bytes will be unique for each vendor).

But all the above is limited when you are using sniffer only in LAN.  Beacause the MAC address will change when you transfer the data from one LAN to another LAN through router or some other device.

There is another possibilty as told by Haho you can change the MAC addresses locally.  This is called as Locally Administered Address.  Now a days its possible with so many NIC drivers.

You can download software traffic generator demo versions from
www.zdnet.com

In this search for traffic generator in pc downloads.

You will get the required one.

I hope I have given clear information.

Bye,
Murthy
0
 

Author Comment

by:sanjiva
Comment Utility
Thanks Haho and Murthy,

I will not be able to try that immediately, but will let you know when I am.

It seems I am the one who has not been completely clear: there is a hardware device which performs the routing, it certainly is not a server. What I wonder is whether the routing implementation in this router is done in software ('slow path') or hardware ('fast path'). Modern routers should be implemented in the hardware, but I want to check if this is so.

Regards!
0
 
LVL 2

Expert Comment

by:crieman
Comment Utility
sanjiva,
   Alll routing occurs in software.  The slow path/fast path that I think you are refing to is what cisco calls fast switching of the packet.  This is still done in software.

Process Switching

Process switching is the most basic way of handling a packet. The packet is placed in the queue corresponding to the Layer 3 protocol and then the
corresponding process is scheduled by the scheduler. The process is one of the processes you can see in the show process cpu command output (that
is, "ip input" for an IP packet). At this point, the packet will stay in the queue until the scheduler gives the CPU to the corresponding process. The waiting
time depends on the number of processes waiting to run and the number of packets waiting to be processed. The routing decision is then made based on
the routing table and the Address Resolution Protocol (ARP) cache. Once the routing decision has been made, the packet is forwarded to the
corresponding outgoing interface.

Fast Switching

Fast switching is an improvement over process-switching. In fast switching, the arrival of a packet triggers an interrupt, which causes the CPU to
postpone other tasks and handle the packet. The CPU immediately does a lookup in the fast cache table for the destination Layer 3 address. If it finds a
hit, it rewrites the header and forwards the packet to the corresponding interface (or its queue). If not, the packet is queued in the corresponding Layer 3
queue for process-switching.

The fast cache is a binary tree containing destination Layer 3 addresses with the corresponding Layer 2 address and outgoing interface. Since this is a
destination-based cache, load sharing is only done per destination. If the routing table has two equal cost paths for a destination network, there is one
entry in the fast-cache for each host.

Some packets/protocols cannot be fast-switched, such as X25, or packets destined to the CPU, like routing updates.
0
 
LVL 1

Accepted Solution

by:
Haho earned 25 total points
Comment Utility
sanjiva,

or u can use a network mapper/monitoring tool that seems to be able to deduce what type of equipment on the LAN;

http://www.ipswitch.com/Products/WhatsUp/
0
 

Author Comment

by:sanjiva
Comment Utility
Murthy d,
I am sorry but I did not find what I am looking for on the link you suggested. I have 'scanned' about 50 downloads. Did you have a particular program in mind?

Haho,
Thank you, I will try the net. monitor and let you know. Still, it is not what I need. I already am using net. monitors and also the manufacturer's tools for the network devices.
Everyone,
What I need is a generator of (meaningless) ethernet traffic, to load an experimental network with 'data'. Then, I want to add a voice over IP stream, give it a priority on specific ports of the network devices, and see the difference in the quality of the voice signal. To see this, the network must be very much loaded. If the traffic generator can do (allmost) 10 Mb/s, than I am sure the voice will be degraded untill it gets the priority.

A note on the primary question about hardware routers will follow.

Thanks.
0
How to improve team productivity

Quip adds documents, spreadsheets, and tasklists to your Slack experience
- Elevate ideas to Quip docs
- Share Quip docs in Slack
- Get notified of changes to your docs
- Available on iOS/Android/Desktop/Web
- Online/Offline

 
LVL 1

Expert Comment

by:3408
Comment Utility
Sanjiva,

You must realize that 10Mbps is quite an amount of traffic.
I've used "sniffer pro" to generate a lot of traffic by sending the same packet each 0 (zero) milliseconds. It caused so much traffic that my NIC couldn't receive any more data and caused my system to hang after about 5 seconds.
However, I have never reached 10Mbps from one machine because the bus speed of my pc (an ordinary P4) can't handle all the traffic generated by the processor.
What you can do is generate multicast traffic and forward it to a layer 3 switch. From the layer 3 switch set up multiple routing ports to a layer 2 switch with each port (of the L3) in a different VLAN. Now trunk all of these VLANs back to one single port. This port will definitely have more than 10Mbps.
Please note that you need good processors on the switches because multicast traffic uses CPU and when your CPU hits 100% for all long time it will probably reboot. (I used a Nortel 8600 L3 and a Nortel Baystack 450)
0
 

Author Comment

by:sanjiva
Comment Utility
3408,
Thank you for a very interesting idea. I will try it as soon as I can, but it might be as long as in 10-14 days as some routers/switches and myself will be away from the company in the meantime. However, I am looking forward to give this a try.
Regards.
0
 
LVL 2

Expert Comment

by:gelgin
Comment Utility
1) A sniffer will provide the OUI (Organizationally unique identifier, commonly refered to as the Vendor ID) of the router if it is sitting on the same wire as the router.  Using this a certain amount of information can be gathered to give clues as to wether the router involved is software or hardware based.  Ultimatly what is the purpose of your question concerning the hardware vs. software basis of the router?  Are you attempting to determine what devices are performing routing functions in the network? Are you looking for a router that is contributing to routing loops or otherwise injecting bad route information? Are you concerned about the performance of a routing device, and therefore are attempting to derive how it is operating?

Post a comment regarding these questions and I'll certainly attempt to asist in providing some positive information for your problem.

2)The only free utility that I have used is at this url;
http://www.netiq.com/Qcheck/default.asp

But the parent company has products specific to the testing that you are looking to do, look at ;

http://www.ganymedesoftware.com/products/chariot/index.phtml
Obviously a for fee product a product that will definiatly provide the tools to provide the testing information that you are looking for...
0
 

Author Comment

by:sanjiva
Comment Utility
qelqin,
Thanks for the effort. My aim is to confirm the performance level of a router which performs the routing in hardware. It is an Alcatel router, and I have got a clear explanation from the technical support about software/hardware routing, I just want to prove to the net. users the routing in this device is done through hardware.
As for the rest of your comment, I will do my best to try it soon, but please be patient! I will let you know as soon as I have any news. Thanks again.
0
 
LVL 79

Expert Comment

by:lrmoore
Comment Utility
This question appears to be abandoned. I will allow one week before I close this question
with the following recommendation:

- points 3-way 25 each to haho, 3408, crieman

if there is any objection to this recommendation then please post it here within 7 days.

thanks,

lrmoore@nw
EE Cleanup Volunteer
0
 

Expert Comment

by:SpideyMod
Comment Utility
per recommendation

SpideyMod
Community Support Moderator @Experts Exchange

3408 points for you at:
http://www.experts-exchange.com/Hardware/Routers/Q_20493878.html

crieman points for you at:
http://www.experts-exchange.com/Hardware/Routers/Q_20493875.html
0

Featured Post

Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

Join & Write a Comment

In this tutorial I will show you with short command examples how to obtain a packet footprint of all traffic flowing thru your Juniper device running ScreenOS. I do not know the exact firmware requirement, but I think the fprofile command is availab…
Creating an OSPF network that automatically (dynamically) reroutes network traffic over other connections to prevent network downtime.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now