sanjiva
asked on
Net sniffers and traffic generators
Hello,
Is it possible to determine whether a net device is a software or a hardware router by sniffing the network? Which sniffers would do this? By the way, does anyone know of a software traffic generator which can transmit up to 10 Mb/s? . Freeware or trials wanted. I admit this is a two-in-one question. If I get real gain from the answers, I will raise the points.
Thanks.
Is it possible to determine whether a net device is a software or a hardware router by sniffing the network? Which sniffers would do this? By the way, does anyone know of a software traffic generator which can transmit up to 10 Mb/s? . Freeware or trials wanted. I admit this is a two-in-one question. If I get real gain from the answers, I will raise the points.
Thanks.
Hai Sanjiva,
I really agree with Haho. Only way you can identify from which machine you received packet(ie from router or from some other device) by observing the MAC address. Every NIC manufacturer will have a unique ID for that company(ie first three bytes will be unique for each vendor).
But all the above is limited when you are using sniffer only in LAN. Beacause the MAC address will change when you transfer the data from one LAN to another LAN through router or some other device.
There is another possibilty as told by Haho you can change the MAC addresses locally. This is called as Locally Administered Address. Now a days its possible with so many NIC drivers.
You can download software traffic generator demo versions from
www.zdnet.com
In this search for traffic generator in pc downloads.
You will get the required one.
I hope I have given clear information.
Bye,
Murthy
I really agree with Haho. Only way you can identify from which machine you received packet(ie from router or from some other device) by observing the MAC address. Every NIC manufacturer will have a unique ID for that company(ie first three bytes will be unique for each vendor).
But all the above is limited when you are using sniffer only in LAN. Beacause the MAC address will change when you transfer the data from one LAN to another LAN through router or some other device.
There is another possibilty as told by Haho you can change the MAC addresses locally. This is called as Locally Administered Address. Now a days its possible with so many NIC drivers.
You can download software traffic generator demo versions from
www.zdnet.com
In this search for traffic generator in pc downloads.
You will get the required one.
I hope I have given clear information.
Bye,
Murthy
ASKER
Thanks Haho and Murthy,
I will not be able to try that immediately, but will let you know when I am.
It seems I am the one who has not been completely clear: there is a hardware device which performs the routing, it certainly is not a server. What I wonder is whether the routing implementation in this router is done in software ('slow path') or hardware ('fast path'). Modern routers should be implemented in the hardware, but I want to check if this is so.
Regards!
I will not be able to try that immediately, but will let you know when I am.
It seems I am the one who has not been completely clear: there is a hardware device which performs the routing, it certainly is not a server. What I wonder is whether the routing implementation in this router is done in software ('slow path') or hardware ('fast path'). Modern routers should be implemented in the hardware, but I want to check if this is so.
Regards!
sanjiva,
Alll routing occurs in software. The slow path/fast path that I think you are refing to is what cisco calls fast switching of the packet. This is still done in software.
Process Switching
Process switching is the most basic way of handling a packet. The packet is placed in the queue corresponding to the Layer 3 protocol and then the
corresponding process is scheduled by the scheduler. The process is one of the processes you can see in the show process cpu command output (that
is, "ip input" for an IP packet). At this point, the packet will stay in the queue until the scheduler gives the CPU to the corresponding process. The waiting
time depends on the number of processes waiting to run and the number of packets waiting to be processed. The routing decision is then made based on
the routing table and the Address Resolution Protocol (ARP) cache. Once the routing decision has been made, the packet is forwarded to the
corresponding outgoing interface.
Fast Switching
Fast switching is an improvement over process-switching. In fast switching, the arrival of a packet triggers an interrupt, which causes the CPU to
postpone other tasks and handle the packet. The CPU immediately does a lookup in the fast cache table for the destination Layer 3 address. If it finds a
hit, it rewrites the header and forwards the packet to the corresponding interface (or its queue). If not, the packet is queued in the corresponding Layer 3
queue for process-switching.
The fast cache is a binary tree containing destination Layer 3 addresses with the corresponding Layer 2 address and outgoing interface. Since this is a
destination-based cache, load sharing is only done per destination. If the routing table has two equal cost paths for a destination network, there is one
entry in the fast-cache for each host.
Some packets/protocols cannot be fast-switched, such as X25, or packets destined to the CPU, like routing updates.
Alll routing occurs in software. The slow path/fast path that I think you are refing to is what cisco calls fast switching of the packet. This is still done in software.
Process Switching
Process switching is the most basic way of handling a packet. The packet is placed in the queue corresponding to the Layer 3 protocol and then the
corresponding process is scheduled by the scheduler. The process is one of the processes you can see in the show process cpu command output (that
is, "ip input" for an IP packet). At this point, the packet will stay in the queue until the scheduler gives the CPU to the corresponding process. The waiting
time depends on the number of processes waiting to run and the number of packets waiting to be processed. The routing decision is then made based on
the routing table and the Address Resolution Protocol (ARP) cache. Once the routing decision has been made, the packet is forwarded to the
corresponding outgoing interface.
Fast Switching
Fast switching is an improvement over process-switching. In fast switching, the arrival of a packet triggers an interrupt, which causes the CPU to
postpone other tasks and handle the packet. The CPU immediately does a lookup in the fast cache table for the destination Layer 3 address. If it finds a
hit, it rewrites the header and forwards the packet to the corresponding interface (or its queue). If not, the packet is queued in the corresponding Layer 3
queue for process-switching.
The fast cache is a binary tree containing destination Layer 3 addresses with the corresponding Layer 2 address and outgoing interface. Since this is a
destination-based cache, load sharing is only done per destination. If the routing table has two equal cost paths for a destination network, there is one
entry in the fast-cache for each host.
Some packets/protocols cannot be fast-switched, such as X25, or packets destined to the CPU, like routing updates.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Murthy d,
I am sorry but I did not find what I am looking for on the link you suggested. I have 'scanned' about 50 downloads. Did you have a particular program in mind?
Haho,
Thank you, I will try the net. monitor and let you know. Still, it is not what I need. I already am using net. monitors and also the manufacturer's tools for the network devices.
Everyone,
What I need is a generator of (meaningless) ethernet traffic, to load an experimental network with 'data'. Then, I want to add a voice over IP stream, give it a priority on specific ports of the network devices, and see the difference in the quality of the voice signal. To see this, the network must be very much loaded. If the traffic generator can do (allmost) 10 Mb/s, than I am sure the voice will be degraded untill it gets the priority.
A note on the primary question about hardware routers will follow.
Thanks.
I am sorry but I did not find what I am looking for on the link you suggested. I have 'scanned' about 50 downloads. Did you have a particular program in mind?
Haho,
Thank you, I will try the net. monitor and let you know. Still, it is not what I need. I already am using net. monitors and also the manufacturer's tools for the network devices.
Everyone,
What I need is a generator of (meaningless) ethernet traffic, to load an experimental network with 'data'. Then, I want to add a voice over IP stream, give it a priority on specific ports of the network devices, and see the difference in the quality of the voice signal. To see this, the network must be very much loaded. If the traffic generator can do (allmost) 10 Mb/s, than I am sure the voice will be degraded untill it gets the priority.
A note on the primary question about hardware routers will follow.
Thanks.
Sanjiva,
You must realize that 10Mbps is quite an amount of traffic.
I've used "sniffer pro" to generate a lot of traffic by sending the same packet each 0 (zero) milliseconds. It caused so much traffic that my NIC couldn't receive any more data and caused my system to hang after about 5 seconds.
However, I have never reached 10Mbps from one machine because the bus speed of my pc (an ordinary P4) can't handle all the traffic generated by the processor.
What you can do is generate multicast traffic and forward it to a layer 3 switch. From the layer 3 switch set up multiple routing ports to a layer 2 switch with each port (of the L3) in a different VLAN. Now trunk all of these VLANs back to one single port. This port will definitely have more than 10Mbps.
Please note that you need good processors on the switches because multicast traffic uses CPU and when your CPU hits 100% for all long time it will probably reboot. (I used a Nortel 8600 L3 and a Nortel Baystack 450)
You must realize that 10Mbps is quite an amount of traffic.
I've used "sniffer pro" to generate a lot of traffic by sending the same packet each 0 (zero) milliseconds. It caused so much traffic that my NIC couldn't receive any more data and caused my system to hang after about 5 seconds.
However, I have never reached 10Mbps from one machine because the bus speed of my pc (an ordinary P4) can't handle all the traffic generated by the processor.
What you can do is generate multicast traffic and forward it to a layer 3 switch. From the layer 3 switch set up multiple routing ports to a layer 2 switch with each port (of the L3) in a different VLAN. Now trunk all of these VLANs back to one single port. This port will definitely have more than 10Mbps.
Please note that you need good processors on the switches because multicast traffic uses CPU and when your CPU hits 100% for all long time it will probably reboot. (I used a Nortel 8600 L3 and a Nortel Baystack 450)
ASKER
3408,
Thank you for a very interesting idea. I will try it as soon as I can, but it might be as long as in 10-14 days as some routers/switches and myself will be away from the company in the meantime. However, I am looking forward to give this a try.
Regards.
Thank you for a very interesting idea. I will try it as soon as I can, but it might be as long as in 10-14 days as some routers/switches and myself will be away from the company in the meantime. However, I am looking forward to give this a try.
Regards.
1) A sniffer will provide the OUI (Organizationally unique identifier, commonly refered to as the Vendor ID) of the router if it is sitting on the same wire as the router. Using this a certain amount of information can be gathered to give clues as to wether the router involved is software or hardware based. Ultimatly what is the purpose of your question concerning the hardware vs. software basis of the router? Are you attempting to determine what devices are performing routing functions in the network? Are you looking for a router that is contributing to routing loops or otherwise injecting bad route information? Are you concerned about the performance of a routing device, and therefore are attempting to derive how it is operating?
Post a comment regarding these questions and I'll certainly attempt to asist in providing some positive information for your problem.
2)The only free utility that I have used is at this url;
http://www.netiq.com/Qcheck/default.asp
But the parent company has products specific to the testing that you are looking to do, look at ;
http://www.ganymedesoftware.com/products/chariot/index.phtml
Obviously a for fee product a product that will definiatly provide the tools to provide the testing information that you are looking for...
Post a comment regarding these questions and I'll certainly attempt to asist in providing some positive information for your problem.
2)The only free utility that I have used is at this url;
http://www.netiq.com/Qcheck/default.asp
But the parent company has products specific to the testing that you are looking to do, look at ;
http://www.ganymedesoftware.com/products/chariot/index.phtml
Obviously a for fee product a product that will definiatly provide the tools to provide the testing information that you are looking for...
ASKER
qelqin,
Thanks for the effort. My aim is to confirm the performance level of a router which performs the routing in hardware. It is an Alcatel router, and I have got a clear explanation from the technical support about software/hardware routing, I just want to prove to the net. users the routing in this device is done through hardware.
As for the rest of your comment, I will do my best to try it soon, but please be patient! I will let you know as soon as I have any news. Thanks again.
Thanks for the effort. My aim is to confirm the performance level of a router which performs the routing in hardware. It is an Alcatel router, and I have got a clear explanation from the technical support about software/hardware routing, I just want to prove to the net. users the routing in this device is done through hardware.
As for the rest of your comment, I will do my best to try it soon, but please be patient! I will let you know as soon as I have any news. Thanks again.
This question appears to be abandoned. I will allow one week before I close this question
with the following recommendation:
- points 3-way 25 each to haho, 3408, crieman
if there is any objection to this recommendation then please post it here within 7 days.
thanks,
lrmoore@nw
EE Cleanup Volunteer
with the following recommendation:
- points 3-way 25 each to haho, 3408, crieman
if there is any objection to this recommendation then please post it here within 7 days.
thanks,
lrmoore@nw
EE Cleanup Volunteer
per recommendation
SpideyMod
Community Support Moderator @Experts Exchange
3408 points for you at:
https://www.experts-exchange.com/questions/20493878/points-for-3408-re-20131005.html
crieman points for you at:
https://www.experts-exchange.com/questions/20493875/points-for-crieman-re-20131005.html
SpideyMod
Community Support Moderator @Experts Exchange
3408 points for you at:
https://www.experts-exchange.com/questions/20493878/points-for-3408-re-20131005.html
crieman points for you at:
https://www.experts-exchange.com/questions/20493875/points-for-crieman-re-20131005.html
if ur sniffer in on the same network...
you can trace the IP to MAC address used to communicate between the router and other devices on the network.
The MAC or ethernet hardware address does include vendor specific ids.. so from there, u can deduce whether it is a server NIC card or router interfaces...
However, bear in mind that MAC address cna be spoofed or replaced with self-assigned MAC address on some Unix servers.