© Network Associates Ethernet Network Analysis and Troubleshooting Ethernet Overview and Frame Formats Sniffer University 1-1 Ethernet Network Analysis and Troubleshooting

Ethernet Network Analysis and Troubleshooting


Section 1 TNV-202-GUI Ethernet Network Analysis and Troubleshooting

Page 1 - 1

Slide Title: Ethernet Network Analysis and Troubleshooting – Section 1 of TNV-202-GUI

Section Timing: Start: Day 1, approx. 9 am. Finish: Day 1, approx. 12:00 noon.

Section 1 title slide.

Files: 01_frm_g.PPT 01_frm_g.DOC

Traces: Mixed01.cap Mixed02.cap

Exercises:
• Which Frames are on the Network?
• Isolating Frame Types with Pattern Matching (optional)
• A Surprise at 23:00

Note: Be sure to practice before you teach this new version! You will need to tighten up on all the sections so you will have time to cover the new materials. It will be a challenge! Pace it carefully.

There are several new concepts and exercises, so go through the class very carefully before you teach it. Practice all the exercises and look at the trace beyond what we focus on in the exercises so you are not blindsided by questions outside of the exercise.

Please remember this instructor guide is a living document. It is not complete to start and is intended to grow with time. Add to your own copy as you gain experience. Please e-mail suggestions to the course Subject Matter Expert (SME) for future updates to the course material.


Page 1 - 2

Slide Title: NAI – Sniffer University

Important Points to Cover: Logo page. Skip past this quickly.

Original Traces for the Course (all were saved as .CAP files – none were recaptured):

01.CAP 02.CAP 03.CAP 04.CAP 05.CAP 06.CAP 07.CAP 08.CAP 09.CAP 10.CAP 11.CAP 12.CAP 13.CAP 14.CAP 15.CAP 16.CAP 17.CAP 18.CAP 19.CAP 20.CAP 21.CAP (giant.enc)
100MBFIL.CAP BACKPRES.CAP BACKPRES2.CAP BAD03.CAP BADCABLE.CAP BADCRC.CAP BADCRC-1.CAP BUSY-JAM.CAP COL100_3.CAP FRAGS.CAP HUB6ARC.CAZ HUBPORT1.CAP HUBPORT2.CAP JABBER.CAP MIXED-01.CAP MIXED-02.CAP SCBRIDGE.CAP TCPDEMO6.CAP

New traces added in version 4.0

Name | Source | Speed | Course Location
GB.CAP, Gigabit data trace | Sniffer Pro 4.0 Samples Directory | 1000 | Screen caps, 2 Exercises
GBAUTONEGOTIATION.CAP, Gigabit autonegotiation | HQ server | 1000 | Screen caps, 2 exercises
VLANProb.caz, Cisco ISL VLAN | HQ lab trace – filtered to remove HQ names & info | 100 | Screen caps & exercise
VLANprob2.cap, Cisco ISL VLAN | HQ lab trace – filtered to remove HQ names & info | 100 | Screen Cap Demo
Hawk10b.enc & Hawk100b.enc | Steve Hammill – classroom setup traces | 10, 100 | Exercise
Jabtest.enc (1 frame) | HQ engineering | 10 | Screen shot
Overtest.cap | HQ Engineering | 10 | Extra-demo
Big_Bad_Rich.caz | Don Prefontaine created in an on-site class | 100 | Exercise
Llcnetb2.cap | Bev Mannes home network | 100 | LLC exercise
Bcast.cap | 303 trace file | 10 | Exercise
8021Q-gig.cap | HQ engineering (Subset of dc_01.caz) | 1000 | Demo, screen cap
8021q.cap | HQ engineering | 100 | Screen caps & exercise


Housekeeping

BREAKS

LUNCH

TELEPHONES

REST ROOMS

EMERGENCY INFORMATION

QUESTIONS

BEEPERS IN SILENT MODE

CELL PHONES IN SILENT MODE

(Slide graphic text: "Call the office", "Net Down!!!", "?")

All phone calls must be made outside the classroom during breaks.


Page 1 - 3

Slide Title: Housekeeping

Important Points to Cover: Use your normal way of presenting this information.

• Instructor History
• Paperwork (Student information forms)
• Student Introductions: Company name; Operating systems; Connection technologies at their site; Networking experience, etc.
• Location of: Exits; Washrooms; Telephones; Lunchroom or lunch arrangements
• Time intervals: Break; Lunch; Start; Finish

Note: You may negotiate different start and end times provided it does not place undue hardship on anyone in the class.

• Instructor availability


Thank You!

Use Your Trace File CD for the exercises in this class

Students are not permitted to audio or video tape the course presentation. Duplication of Course Materials or the Trace File CD is strictly prohibited by copyright.

The Trace File CD that comes with this manual contains:

• All Class Traces - which can be copied to the C:\ drive or used in the CD-ROM Drive

• Reference materials - ATM Forum Docs, RFCs, Product Guides and other Documentation


Page 1 - 4

Slide Title: Thank You!

Important Points to Cover: Keep going

Briefly review the policy.

The trace files for this class are placed in the 202GUI directory on the trace file CD in the student manual.

Mention that there are additional trace files that are copied to Sniffer Pro’s program directory if they would like to practice with those samples.


Sniffer University's Total Network Visibility Curriculum

Upper-Layer Technologies

Network Interfaces

Tools & Systems

• Interconnection Concepts & Troubleshooting

• Microsoft Windows NT & Windows 2000 Network Analysis & Troubleshooting

• TCP/IP Applications: Concepts & Troubleshooting

• TCP/IP Network Analysis & Troubleshooting

• ATM Network Analysis & Troubleshooting

• WAN Analysis & Troubleshooting

• Token Ring Network Analysis & Troubleshooting

• Ethernet Network Analysis & Troubleshooting

• Implementing Distributed Sniffer System / RMON Pro

• Troubleshooting with the Sniffer Pro Network Analyzer

• Sniffer Pro for DOS Sniffer Experts

Visit our website for more information on our classes and a current schedule:

www.sniffer.com >> follow the Sniffer University Links


Page 1 - 5

Slide Title: Sniffer University's TNV Curriculum

Important Points to Cover: These are the 11 active courses in the curriculum as of Oct 2, 2000 for Version 4.0.

Point out where you are in the curriculum.

Mention other GUI courses available and highlight next step courses such as:

• 3 day WAN - TNV-207-GUI
• 5 day TCP/IP curriculum – TNV-303-GUI and TNV-304-GUI
• 5 day ATM - TNV-218-GUI

Keep going.


Table of Contents

• Course Overview Page 1-7 (Day 1)
• Ethernet Frame Formats Page 1-18
• Ethernet Sniffer Pro Hardware Page 2-1
• Ethernet Physical and Data Link Layers Page 3-1
• Timing Specifications Page 3-25
• Troubleshooting Tips Page 4-1
• Ethernet Bridging and Switching Concepts Page 5-1 (Day 2)
• Bridges Page 5-3
• Switches Page 5-15
• VLAN Tagging Page 5-27
• 100 Mbps Fast Ethernet Page 6-1
• Full Duplex Ethernet Page 7-1
• Gigabit Ethernet Page 8-1
• Optional Technologies - LLC and Coax Page 9-1
• Glossary of Terms Page 9-41
• Student Exercises Page 10-1


Page 1 - 6

Slide Title: Table of Contents

Important Points to Cover: Run down the list of topics. Mainly here for student reference.

Use this to let them know what we will cover in class. The redundant list after this was removed.

A dotted line has been added to give the students an indication of when the topics will be covered.

Timing: A guideline for timing:

Day one: Morning: Section 1 and 2. Afternoon: Section 3.

Day two: Morning: Section 4 and Section 5 (Bridges). Afternoon: Section 5 (Switches), Sections 6-8. Optional: Logical Link Control


Course Overview


Page 1 - 7

Slide Title: Course Overview

Important Points to Cover: Standard title slide only.


Course Objectives

Upon completion of the course, you will be able to:

• Discuss the details of the Ethernet (802.3) specification
• Effectively use the Sniffer Pro analyzer to manage and troubleshoot Ethernet LANs
• Use practical hands-on troubleshooting methods and partner with the Network Associates Sniffer Pro Network Analyzer in Ethernet environments


Page 1 - 8

Slide Title: Course Objectives

Important Points to Cover: We are here to learn something about Ethernet technology, how to use the Sniffer Pro analyzer in an Ethernet environment, and how to interpret the data captured.

State the course objectives.


Prerequisites

• Basic LAN knowledge and experience using the Sniffer Pro Analyzer
• TNV-101-GUI: Troubleshooting with the Sniffer Pro Network Analyzer
or
• TNV-112-GUI: Sniffer Pro for DOS Sniffer Experts


Page 1 - 9

Slide Title: Prerequisites

Important Points to Cover: Cover quickly.

Determine if all of the students meet the prereqs and discuss any problems if you have some that have not taken TNV-101-GUI or TNV-112-GUI.


OSI Functional Protocol Layers

• The Session, Presentation, and Application layers are not clearly differentiated in most network protocols
• The Transport layer provides for communications between programs
• The Network layer provides for communications between devices

Ethernet Layers

• The Data Link layer provides for communications between electrical end-points (network interface cards)
• The Physical layer provides the conductive path that includes media, connectors, electrical or optical signaling levels and coding characteristics


Page 1 - 10

Slide Title: OSI Functional Protocol Layers

Important Points to Cover: This is now a build slide that builds on mouse clicks. The Ethernet layers are set off to emphasize this is where the Ethernet specifications reside. Everything else is “upper layer” to Ethernet.

Review the functions of each layer, so the students may apply the binary search method against the OSI stack.

Upper Layer protocols control the communications between the applications themselves. They are connection-oriented and take care of any error handling not done by the lower layers.

Transport protocols can be connection-oriented or connectionless. If connection-oriented, then we can determine whether or not the network is good by simply following the sequence numbers.

Network layer protocols are also connectionless.

All of the protocols in the layers above Ethernet are taught in many other Sniffer University courses. We will not focus on them here.

Physical and data link are the layers directly involved in Ethernet. All these processes (without LLC) are connectionless.


IEEE 802 Standards

802.2 – Logical Link Control (LLC) describes peer-to-peer procedures for the transfer of information and control between any pair of Service Access Points on any 802.X LAN

Diagram labels:
• 802.3 CSMA/CD Medium Access
• 802.4 Token Passing Medium Access over bus
• 802.5 Token Passing Medium Access over ring
• 802.6 Distributed Queue Dual Bus Medium Access
• 802.9 Integrated Services at Medium Access
• 802.10 LAN/MAN Security
• 802.11 Wireless Medium Access
• 802.12 Demand Priority Medium Access
• Layer labels: Data Link Layer; Physical Layer (repeated beneath the medium access boxes)

• 802.1B – LAN/MAN Management
• 802.1D – MAC Bridging
• 802.1E – System Load Protocol
• 802.1F – Common Definitions & procedures
• 802.1G – Remote Media Access Control Bridging
• 802.1H – MAC Bridging of Ethernet in V2.0 in LANs

The lower part of the Data Link Layer is called the MAC layer, an abbreviation for Media Access Control.

In addition, 802.14 Standard Protocol for Cable-TV-based Broadband Communication Network is another protocol in development in 1998.

802.7 standard is a recommended practice for common Physical Layer technologies, IEEE Recommended Practice for Broadband Local Area Networks.

The ANSI number for the 802.3 1996 edition of the specs is 8802-3:1996

IEEE Specifications can be purchased through http://www.ieee.com


Page 1 - 11

Slide Title: IEEE 802 Standards

Important Points to Cover: History of where the Standards came from. The relationship among the standards committees.

This is the official IEEE diagram based on the drawing in the IEEE Std 802.3ab-1999. The 802.1 layer has the bridging standards listed individually and 802.14 for Cable-TV based broadband is not on this drawing due to space constraints.


Major IEEE Ethernet Standards

• 802.3 (1985) – Carrier Sense Multiple Access with Collision Detection (Original Ethernet Specification)
• 802.3u (1995) – Media Access Control (MAC) Parameters, Physical Layer, Medium Attachment Units and Repeater for 100 Mb/s Operation, Type 100BASE-T
• 802.3x (1997) – Specification for Full Duplex Operation
• 802.3z (1998) – Media Access Control Parameters, Physical Layers, Repeater and Management Parameters for 1000 Mb/s (Gigabit) Operation
• 802.3ab (1999) – Physical Layer parameters for 1000 Mb/s Operation over 4-Pair Cat 5 Balanced Copper Cabling, Type 1000BASE-T
• 802.3ac (1998) – Carrier Sense Multiple Access with Collision Detection (CSMA/CD) frame extensions for Virtual Bridged Local Area Networks (VLAN) tagging on 802.3 networks
• 802.3ad (2000) – Carrier Sense Multiple Access with Collision Detection (CSMA/CD) access method and physical layer specification - Aggregation of Multiple Link Segments (Parallel Point-to-Point link segments)

Many other specification documents cover many facets of the Ethernet specifications. A complete list is available from the IEEE web site.

WIP = Work in Process


Page 1 - 12

Slide Title: Major IEEE Ethernet Standards

Important Points to Cover: This is a quick list of the Ethernet standards we will cover in this class.

It is not a comprehensive list, since there are numerous other addenda as seen by the lettering of the standard.

You might want to note the large gap between the original 802.3 standard approved in 1985 and the u standard approved in 1995. This does not mean to indicate there was no change in 10 years. Quite the contrary: the original spec was improved for thin coax, then twisted pair, and all the other changes to devices were defined in the “a” through “t” addenda.


Ethernet Evolution

Design Goals:

1. Definition simplicity
2. Efficient use of shared resources
3. Ease of reconfiguration and maintenance
4. Compatibility
5. Low cost

[Timeline figure. Year labels: 1972, 1982, 1983, 1985, 1990, 1993, 1995, 1996, 1997, 1998, 2000. Milestones shown: Work on Ethernet begins at Xerox PARC; V2 Ethernet Spec completed by DEC, Intel and Xerox; Novell NetWare Proprietary Frame; IEEE 802.3; 10Base-T; Ethernet Switching; Fast Ethernet (802.3u); Gigabit Ethernet proposed; Switch sales exceed shared hubs; Full Duplex (802.3x); Gigabit standard (802.3z); VLANs; Terabit stds in process.]

V1 Ethernet: Used an unbalanced signaling method (+5 volts referenced against ground).

V2 Ethernet: Used a balanced signaling method (+5, -5 volts). Added SQE (Heartbeat).

802.3: Added jabber inhibit. Specified thick coax, thin coax, twisted pair cabling and fiber.

V1 and V2: Specified thick coax cable. Cannot co-exist on the same segment due to the different signaling methods.

V2 and 802.3: Can co-exist on the same segment, as the same signaling methods are used.


Page 1 - 13

Slide Title: Ethernet Evolution

Important Points to Cover: Discuss the milestones and the Design Goals.

New dates and milestones have been added.

All frame types that use CSMA/CD are now valid 802.3.


Media Evolution

[Figure. Media types shown: Thick Coax, Thin Coax, Twisted Pair, Optical Fiber (& Twinax). Connector labels: DB15 Connectors attaching to an external transceiver with AUI cable; BNC Connectors with T connectors; RJ45 Connectors (shown twice).]


Page 1 - 14

Slide Title: Media Evolution

Important Points to Cover: New Slide.

Do just a quick review of how Ethernet media has changed over the years.

We started with the old thick cable in the ceiling.

Then thin coax took over.

Twisted pair changed the whole layout of the network structure, bringing all the connections back to the wiring closet. Cat 3 evolved to Cat 4, evolved to Cat 5, now on to Cat 6, 7 ????

Cables attach to connectors in the wall or cube, the wire then goes to a punch-down block and finally to a hub or switch.

Dedicated wires for receive and transmit meant that cards could no longer listen on the same wire, so new ways of learning of collisions had to be developed.

The latest is optical fiber. This is generally used as a backbone or for high-speed servers. Our diagram shows the ordinary users connected with Cat 5 cabling with an uplink on the hub or switch to the high-speed optical backbone. High performance servers may be connected directly with optical cable.

There is mention of Twinax on the bottom. It is used in one Gigabit Ethernet configuration.


Media Access Evolution

[Figure panels:]
• Shared media half-duplex with collisions
• Hub or Concentrator: Dedicated RX/TX lines. Shared media half-duplex with collisions
• Switch: Dedicated RX/TX lines. Dedicated media full-duplex without carrier sense or collision detection
• Switch: Dedicated RX/TX lines. Dedicated media half-duplex with carrier sense and collision detection (collisions avoided)

Coax cables are broadcast in nature. Every station sees every signal on the wire. Each must wait its turn to use the wire and only one signal can be on the wire at a time.

Twisted pair cabling provides dedicated receive and transmit wires in the cable, but only one wire can be active at a time. Concentrators or hubs repeat the signals out to all stations attached, so each station must sense whether the wire is busy, wait the interframe gap and sense collisions and retransmit if a collision occurs.

The introduction of full duplex connections allowed bandwidth to double, since each direction can be busy simultaneously.

The advent of the switch allowed dedicated connections between two devices in a switched temporary point-to-point connection. Even though collisions are avoided in this configuration, the same adapter cards are used, so the devices still sense for carrier, wait the interframe gap and sense collisions.

When faster technologies were introduced, full duplex switched point-to-point connections allowed signals on each wire simultaneously. Since the links are point-to-point, there is no need to sense carrier or detect collisions.


Page 1 - 15

Slide Title: Media Access Evolution

Important Points to Cover: New Slide.

This attempts to show how access to the wire has changed over the years.

The birth of CSMA/CD meant everyone listening, waiting their turn, then transmitting while listening for collisions. The cards can either send or receive, not both simultaneously.

All of the newer technologies still have this as the basis for their specifications.

The introduction of twisted pair wiring to a central repeater still maintained the need for CSMA/CD, since everything received on one port was repeated out to all the others.

When full duplex was developed, each device had two lines in a point-to-point connection to the other end. There was no need to wait for the line - you always had access to the receive port on the other side. But the listen-and-wait and retry was maintained for backward compatibility.

With the introduction of switches, every port is its own collision domain. Collisions are almost non-existent. But there still is the little matter of being able to talk to the older NICs and devices, so even the faster devices know how to deal with CSMA/CD.


Summary of Ethernet Features

• Uses Carrier Sense Multiple Access/Collision Detection (CSMA/CD) for its media access control
  – Switches and faster technologies avoid collisions with dedicated and/or full-duplex connections
• Original specifications defined as a bus technology
  – Usually installed as a star topology today
• Variable size frames
• Best effort delivery
• Various data encoding techniques are used

The minimum frame size is 64 bytes. This includes 4 bytes of frame check sequence but does not include the 8 bytes of preamble sequence. The maximum frame size is 1518 bytes including CRC.


Page 1 - 16

Slide Title: Summary of Ethernet Features

Important Points to Cover: Original specifications are based on bus technology and CSMA/CD. CSMA/CD has always been the defining feature of Ethernet. With the introduction of switches and Full Duplex Ethernet, this can no longer be the feature common to all varieties, since some don’t use carrier sense (CS), are not multiple access (MA), and do not have collisions to detect (CD).

Nevertheless, there are other details that have been maintained through all the iterations, so the name has stuck.

This is the beginning of the real class.


Digital Signal Encoding

[Figure: waveforms for the bit sequence 0 1 0 0 1 1 shown in TTL, Manchester (10 Mbps Ethernet) and Differential Manchester (Token Ring) encoding, with the bit cell boundaries marked.]

• TTL is used on circuit boards
• Manchester Encoding is used in 10 Mb/s Ethernet/802.3
• Differential Manchester Encoding is used by Token Ring/802.5
• Faster Technologies use different encoding schemes

Manchester and Differential Manchester encoding are methods of embedding the clock into the data stream so the adapter can determine whether a bit is a one or a zero.

TTL has no timing encoded in the data. It is used on circuit boards where synchronized clocking can be applied to multiple circuits.

The encoding techniques for Fast Ethernet and Gigabit Ethernet are covered in section five.


Page 1 - 17

Slide Title: Digital Signal Encoding

Important Points to Cover: Don’t dwell on this slide. It is only really important for the students to understand that the timing is embedded in the data stream so that adapters can tell a 1 from a 0.

Fast Ethernet and Gigabit Ethernet use different encoding methods. They will be covered in their respective sections.


Ethernet Frame Formats


Page 1 - 18

Slide Title: Ethernet Frame Formats

Important Points to Cover: Topic Title slide only. Keep going.


Section Objectives

Upon completion of this section, you will be able to:

• Describe protocol concepts
• Differentiate between Ethernet Frame Formats
• Recognize network configuration issues with different frame formats
• Identify frame format incompatibilities


Page 1 - 19

Slide Title: Section Objectives

Important Points to Cover: State the objectives for this section. This prepares the students and sets expectations about the desired outcome of learning this information.


Ethernet Frame Formats

Frame Type | Detail Window Label | Expert DLC Label
Version 2 | Ethertype | Ethertype
Novell Raw | 802.3 length but no LLC header | 802.3
802.3 | 802.3 length and LLC header | 802.3
802.3 SNAP | SAP = AA, then SNAP Header | 802.3

LLC: Logical Link Control. A protocol that provides connection control and multiplexing to subsequent embedded protocols; standardized as IEEE 802.2 and ISO/DIS 8802/2.

SAP: Service Access Point.

(1) A small number used by convention or established by a standards group, that defines the format of subsequent LLC data; a means of demultiplexing alternative protocols supported by LLC.

(2) Service Advertising Protocol. Used by NetWare servers to broadcast the names and locations of servers and to send a specific response to any station that queries it.

SNAP: Sub-Network Access Protocol (also sometimes called Sub-Network Access Convergence Protocol). An extension to IEEE 802.2 LLC that permits a station to have multiple network-layer protocols. The protocol specifies that DSAP and SSAP addresses must be AA hex. A field subsequent to SSAP identifies one specific protocol. Interpreted in the TCP/IP PI suite and the AppleTalk PI suite. (See RFC 1042 for further information on SNAP.)

MAC frames are used in Full Duplex Ethernet

The Expert Detail Panel shows the frame type associated with each device at the DLC layer.


Page 1 - 20

Slide Title: Ethernet Frame Formats

Important Points to Cover: This is a list of what we will cover in the next set of slides.

Ethertype, LLC DSAP and SSAP are addresses.

SNAP defines a different location in the frame for the address of the receiving process.

NetWare originally started with a proprietary frame but now supports everything.

Carrier extend and MAC Control are mentioned in this section, but will be explained fully in section five.


Ethernet Version 2 Frame

• Preamble: 64 bits (8 bytes) of synchronization
• Destination: (6 bytes) address of destination node
• Source: (6 bytes) address of source node
• Type: (2 bytes) specifies upper-layer protocol
• Data: Data link layer views all information handed to it by higher layers as data, whether it is protocol information or user data
• CRC: Cyclic Redundancy Check Frame Check Sequence (FCS), or checksum value

Field | Preamble | Dest | Source | Type | Data | CRC
Bytes | 8 | 6 | 6 | 2 | 46 - 1500 | 4

Preamble bit pattern: 1010...10101011

[Figure label: Sniffer Pro Capture Range]

Ethertypes are managed by Xerox.


Page 1 - 21

Slide Title: Ethernet Version 2 Frame Format

Important Points to Cover: Emphasize the preamble and its function.

Hit the bit pattern and reference the AAAAs and 55555s.

Demo: Demonstrate frame structure with TCPDEMO6.CAP.

Walk the students through performing a pattern match on a version two Ethertype. Repeat this for each frame type, each time using a different match. Be sure to name the matches. After the last frame type in this section, walk the students through saving setups so that they now have a predefined filter that can be used later.


Ethernet Version 2 Data Link Layer

• Pre-dates IEEE specs
• Identifies the hardware address of the adapters for both receiving and sending stations
• Identifies the receiving process with a two byte Type field in the DLC header
• Requires the Network Layer to ensure a minimum packet size of 46 bytes of data
• Only provides connectionless services

[Figure: layer stack for Non-IEEE Networks (e.g., Ethernet, ARCNET, Local Talk): Network Layer; Data Link Control Layer; Physical Layer]


Page 1 - 22

Slide Title: Ethernet Version 2 Data Link Layer

Important Points to Cover: Information on slide should suffice.


Novell NetWare 802.3 “Raw” Frame

• Preamble: 64 bits (8 bytes) of synchronization
• Destination: (6 bytes) address of destination node
• Source: (6 bytes) address of source node
• Length: (2 bytes) specifies the number of bytes (46-1500) in the data field
• Data: IPX Header starting with 2 bytes checksum (usually FFFF) followed by NetWare higher layers (‘data’)
• CRC: Cyclic Redundancy Check Frame Check Sequence (FCS), or checksum value

Field | Preamble | Dest | Source | Length | Data | CRC
Bytes | 8 | 6 | 6 | 2 | (begins with FFFF) | 4

Preamble bit pattern: 1010...10101011

[Figure label: Sniffer Pro Capture Range]

Novell developed their frame type before the IEEE committee was finished. As a result, they identified the length but did not use LLC.

This is not a problem provided all stations use the same frame type.

It does have a negative impact on IEEE compliant implementations when Novell issues broadcast frames. Service Access Point of FF is the broadcast SAP. All stations have to copy.

Page 46: Ethernet Network Analysis and Troubleshooting


Page 1 - 23

Slide Title: Novell NetWare 802.3 “Raw” Frame Format

Important Points to Cover: Use a third match as you take the students through this process. If performed correctly, you will certainly speed up the exercises at the end of this section, if not eliminate them.

Point out that Novell’s frame type was defined while the IEEE committees were still meeting. It really did not matter, since one only installed a single operating system. We were not designing enterprise networks with LANs and we certainly were not interfacing a lot of dissimilar systems.

In today’s environment however, it is definitely an issue.

Page 47: Ethernet Network Analysis and Troubleshooting


802.3 “Raw” Data Link Layer

• Only uses the bottom half of the DLC Layer
• MAC layer contains hardware addresses of destination and sending stations
• Uses a two byte length identifier
• Does not use LLC
• Specified while IEEE was formulating 802.3 specs
• MAC Layer ensures minimum frame length

[Figure: IEEE Networks (e.g., 1BASE5, 802.3, 802.5): Network Layer; Data Link Layer (Media Access Control Sublayer); Physical Layer]

Page 48: Ethernet Network Analysis and Troubleshooting


Page 1 - 24

Slide Title: 802.3 “Raw” Data Link Layer

Important Points to Cover: NetWare IEEE 802.3. Information on slide should suffice.

Page 49: Ethernet Network Analysis and Troubleshooting


IEEE 802.3 Frame

• Preamble: 56 bits (7 bytes) of synchronization
• SFD: (1 byte) start frame delimiter (transition from synch to DA)
• DA: (6 bytes) Destination Address: address of destination node
• SA: (6 bytes) Source Address: address of source node
• Length: (2 bytes) specifies the number of bytes (3-1500) in the LLC and data fields
• DSAP: (1 byte) Destination Service Access Point; receiving process at destination
• SSAP: (1 byte) Source Service Access Point; sending process in source
• Control: (1 byte) Various control information (2 bytes for connection-oriented LLC)
• Data/Pad: The upper-layer protocol information, if any. The MAC layer pads the field to ensure overall 64-byte minimum frame size requirement
• CRC: Cyclic Redundancy Check Frame Check Sequence (FCS), or checksum value

Frame layout (size in bytes): Preamble 7 | SFD 1 | DA 6 | SA 6 | Length 2 | DSAP 1 | SSAP 1 | Control 1 or 2 | Data + Pad 42 - 1497 | CRC 4
Preamble and SFD bit pattern: 1010...10101011
DSAP, SSAP and Control: Logical Link Control (LLC) 802.2
[Figure also marks the Sniffer Pro Capture Range]

Stations know if a frame is Version 2 or 802.3 by evaluating the 2 bytes following the source address. If they are greater than 05DC hex (1500 decimal), then the frame is Version 2; if they are less, they are assumed to be a length field.

IEEE defines the preamble as 56 bits (7 bytes) of alternating 10101010...etc., followed by 8 bits (1 byte) of starting delimiter with bit pattern of 10101011.

Page 50: Ethernet Network Analysis and Troubleshooting


Page 1 - 25

Slide Title: IEEE 802.3 Frame Format

Important Points to Cover: Repeat of previous page. Be sure to select a different match and to disable the first match.

Stations know if a frame is Version 2 or 802.3 by evaluating the 2 bytes following the source address. If they are greater than 05DC hex (1500 decimal), then the frame is Version 2; if they are less, they are assumed to be a length field. Note: the exception is PUP, which uses Ethertype 2ØØ. (PUP stands for PARC Universal Packet.)

Page 51: Ethernet Network Analysis and Troubleshooting


IEEE 802.3 Data Link Layer

• Splits the DLC layer into two distinct sublayers
• MAC layer contains hardware addresses of destination and sending stations
• Provides LLC services
  – Receiving and sending processes identified by SAP addressing
  – Accommodates both connectionless and connection oriented implementations
  – Provides for the use of SNAP
• MAC Layer ensures minimum frame length

[Figure: IEEE Networks (e.g., 1BASE5, 802.3, 802.5): Network Layer; Data Link Layer (Logical Link Control Sublayer, Media Access Control Sublayer); Physical Layer]

Page 52: Ethernet Network Analysis and Troubleshooting


Page 1 - 26

Slide Title: IEEE 802.3 Data Link Layer

Important Points to Cover: Information on slide should suffice.

Page 53: Ethernet Network Analysis and Troubleshooting


IEEE 802.3 SNAP Frame

• Preamble: 56 bits (7 bytes) of synchronization
• SFD: (1 byte) start frame delimiter
• DA: (6 bytes) Destination Address: address of destination node
• SA: (6 bytes) Source Address: address of source node
• Length: (2 bytes) specifies the number of bytes (3-1500) in the LLC and data fields
• DSAP: (1 byte) Destination Service Access Point; receiving process at destination
• SSAP: (1 byte) Source Service Access Point; sending process in source
• Control: (1 byte) Various control information
• SNAP: (5 bytes) First three bytes identify the vendor. Last two bytes identify the protocol
• Data: The data link layer views all information handed to it by higher layers as data, whether it is protocol information or user data
• Pad: Pads frame to minimum of 46 bytes total for the data and LLC (so collisions can be detected)
• CRC: Cyclic Redundancy Check Frame Check Sequence (FCS), or checksum value

Frame layout (size in bytes): Preamble 7 | SFD 1 | DA 6 | SA 6 | Length 2 | DSAP and SSAP (AAAA) | Control 1 | SNAP Header: Vndr Code 3, Type 2 | Data + Pad 38 - 1492 | CRC 4
Preamble and SFD bit pattern: 1010...10101011
DSAP, SSAP and Control: Logical Link Control (LLC) 802.2
[Figure also marks the Sniffer Pro Capture Range]

SNAP allows vendors who do not have an assigned Service Access Point to become IEEE compliant.

Service Access Point of AA identifies a SNAP header immediately following the LLC header.

A SNAP header is five bytes. The first three bytes identify the vendor and the last two bytes identify the protocol used. The first three bytes (the vendor ID) are usually padded with zeroes. The version 2 Ethertype is generally used as the identifier.

Page 54: Ethernet Network Analysis and Troubleshooting


Page 1 - 27

Slide Title: IEEE 802.3 SNAP Format

Important Points to Cover: Finish with the pattern match and save “setups.”

TIP: TCPDEMO6 is a good trace to use to show this.

Page 55: Ethernet Network Analysis and Troubleshooting


IEEE 802.3 SNAP Data Link Layer

• SNAP (Sub-Network Access Protocol)
• SNAP is a sub-set of LLC
• Allows Protocols without an assigned IEEE SAP to implement an IEEE compliant MAC layer
• Provides for an additional 5 byte header to specify the receiving process (three bytes identify the vendor and two bytes identify the protocol)
• MAC layer contains hardware addresses of destination and sending stations
• MAC Layer ensures minimum frame length

[Figure: IEEE Networks (e.g., 1BASE5, 802.3, 802.5): Network Layer; Data Link Layer (SNAP, LLC, Media Access Control Sublayer); Physical Layer]

Page 56: Ethernet Network Analysis and Troubleshooting


Page 1 - 28

Slide Title: IEEE 802.3 SNAP Data Link Layer

Important Points to Cover: Is a subset of LLC.

Page 57: Ethernet Network Analysis and Troubleshooting


IEEE Ethernet Frame Evolution

• Version 2 was historically not an IEEE recognized frame
• As of 1997, it is a part of the Ethernet frame formats
• The field formerly called the “length” field by IEEE is now labeled “length/type” field
  – This provides backward compatibility for version 2

0-1500 = Length
1536 - 65,535 = Type
1501-1535 reserved

Frame layout (size in bytes): Preamble 7 | SFD 1 | DA 6 | SA 6 | Length/Type 2 (formerly Length) | DSAP 1 | SSAP 1 | Control 1 or 2 | Data + Pad 42 - 1497 | CRC 4

+

Page 58: Ethernet Network Analysis and Troubleshooting


Page 1 - 29

Slide Title: IEEE Ethernet Frame Evolution

Important Points to Cover: This is an automated build slide that will display on a timer. Don’t click until you’re ready for the next slide!

A “+” in the lower left corner of the build slides tells you how many clicks you need before it goes to the next slide. When there is no number after the “+”, the slide is totally automated. The next click shows the next slide.

This brings the previous information into the present definition of the Ethernet frame type.

Point out the field values at the bottom that devices use to tell what type of frame is arriving. Of course, they’ve always done it this way, but now the specification matches the process.

Page 59: Ethernet Network Analysis and Troubleshooting


Ethertypes and SAPs

E-Type        Value
NetWare       8137
XNS           0600, 0807
IP            0800
IP (VINES)    0BAD, 80C4
ARP           0806
RARP          8035
DRP           6003
LAT           6004
LAVC          6007
ARP (ATalk)   80F3

SAP           Value
NetWare       E0
XNS           80
NetBIOS       F0
IP            06
BPDU          42
SNA           04, 05, 08, 0C
X.25          7E
ISO           20, 34, EC, FE, 14, 54
SNAP          AA

Note: A comprehensive listing of Ethertypes and SAPs is in the appendix.

http://www.iana.org keeps an updated list of Ethertypes.

SnifferPro maintains a list of the Ethertypes and SAPs and decodes the Upper Layer Protocols (ULP) based on the Ethertype or SAP found in the Data Link header.

Page 60: Ethernet Network Analysis and Troubleshooting


Page 1 - 30

Slide Title: Ethertypes and SAPs

Important Points to Cover: There is a more complete list from the Sniffer Pro analyzer’s main menu.

Demo: Go to Define Filters and demonstrate for the students the protocol filters.

Use data pattern matching to filter on specific SAPs and Ethertypes.

Page 61: Ethernet Network Analysis and Troubleshooting


Determining Ethernet Frame Types

Start here: Observe the hex value of the field following the DLC source address.

1. Is the value of the field greater than Ø5DC hex?
   YES: You have just determined that the frame is an Ethernet version 2 frame. Look at the Ethertype values to determine what ULP the frame is carrying. STOP
   NO: Look at the 2 bytes at offset ØE.
2. Are the 2 bytes equal to FF FF hex?
   YES: You have just determined that the frame is a Novell 802.3 raw frame. STOP
   NO: Continue with the next check.
3. Are the 2 bytes at offset ØE equal to AA AA hex?
   YES: You have just determined that the frame is an 802.3 SNAP frame. Look at the Ethertype values to determine what ULP the frame is carrying. STOP
   NO: You have just determined that the frame is a standard 802.3 frame. Look at the SAP values to determine what ULP the frame is carrying. STOP

+3

Page 62: Ethernet Network Analysis and Troubleshooting


Page 1 - 31

Slide Title: Determining Ethernet Frame Types

Important Points to Cover: Student reference.

This is a semi-automated build slide.

There are 3 clicks; one at each stop sign after each determination has been made.

Page 63: Ethernet Network Analysis and Troubleshooting


Expert Shows Frame Types

• The DLC Layer Objects show the frame types received and transmitted
  – Shows only as Ethertype or 802.3

Version 2 frames are shown as Ethertype Frames. All others are shown as 802.3 Frames.

Page 64: Ethernet Network Analysis and Troubleshooting


Page 1 - 32

Slide Title: Expert Shows Frame Types

Important Points to Cover: Student reference.

You may want to demonstrate this with a trace file.

Beware, only Ethertype frames are differentiated in this window. All the other frames show up as 802.3.

Page 65: Ethernet Network Analysis and Troubleshooting


Examine the DLC Details

Version 2 Frame

802.3 Frame

Page 66: Ethernet Network Analysis and Troubleshooting


Page 1 - 33

Slide Title: Examine the DLC Details

Important Points to Cover: This is a quick visual shot of how version 2 and 802.3 frames appear in the Detail window.

802.3 Ethernet II Demo: Mixed01.cap frame 1

802.3 Frame Demo: Mixed01.cap frame 75

Page 67: Ethernet Network Analysis and Troubleshooting


Examine the DLC Details

SNAP Frame

NetWare “Raw” Frame

Page 68: Ethernet Network Analysis and Troubleshooting


Page 1 - 34

Slide Title: Examine the DLC Details

Important Points to Cover: This is a quick visual shot of how NetWare “raw” and SNAP frames appear in the Detail window.

802.3 SNAP Demo: TCPDEMO6.CAP frame 547

802.3 “Raw” Demo: Mixed01.cap frame 22

Page 69: Ethernet Network Analysis and Troubleshooting


Sniffer Pro Filter Elimination Patterns

• To filter Version 2, use the Ethertype
• To filter 802.3, use the SAP
• To filter NetWare, use the FFFF checksum bytes
  – If the checksum is in use, use the IPX Packet Type (but be careful, because a one-byte pattern match may be ambiguous)
• To filter SNAP, use DSAP and SSAP equal to AA
• By determining what frame formats are in use on the network, you can make sure no incompatibilities exist

[Screen shots of defining a data pattern match, with these callouts:]
Create a new profile
Highlight frame in Summary window before accessing this window
Choose your operand first then click Add Pattern
Summary of the match will build here
1) Highlight the data in the Detail window
2) Click Set Data
3) Data will be pasted into the pattern area
4) Click OK
Change Frame
Choose your next operand and repeat the steps until all your matches are pasted in
Summary of the match
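The decision procedure from the Determining Ethernet Frame Types slide and the byte patterns listed under Sniffer Pro Filter Elimination Patterns, written out as an added Python example (not part of the course material or of Sniffer Pro). It goes slightly beyond the flowchart by applying the length/type ranges from the Frame Evolution slide, so 1501-1535 is reported as reserved; the function names and the sample frames are constructed for illustration.

```python
"""Added example: classify captured Ethernet frames by frame format."""
import struct
from collections import Counter

# Ethertype and SAP values as listed on the "Ethertypes and SAPs" slide.
ETHERTYPES = {
    0x8137: "NetWare", 0x0600: "XNS", 0x0807: "XNS", 0x0800: "IP",
    0x0BAD: "IP (VINES)", 0x80C4: "IP (VINES)", 0x0806: "ARP", 0x8035: "RARP",
    0x6003: "DRP", 0x6004: "LAT", 0x6007: "LAVC", 0x80F3: "ARP (ATalk)",
}
SAPS = {
    0xE0: "NetWare", 0x80: "XNS", 0xF0: "NetBIOS", 0x06: "IP", 0x42: "BPDU",
    0x04: "SNA", 0x05: "SNA", 0x08: "SNA", 0x0C: "SNA", 0x7E: "X.25",
    0x20: "ISO", 0x34: "ISO", 0xEC: "ISO", 0xFE: "ISO", 0x14: "ISO",
    0x54: "ISO", 0xAA: "SNAP",
}

# A capture starts at the destination address (no preamble or SFD), so the
# field after the 6-byte source address sits at offset 0x0C.
OFF_LEN_TYPE = 0x0C
OFF_LLC = 0x0E          # first byte after the length field
OFF_SNAP_TYPE = 0x14    # DSAP, SSAP, control, 3-byte vendor code, then type
MAX_LENGTH = 0x05DC     # 1500: largest valid length value
MIN_TYPE = 0x0600       # 1536: smallest valid type value


def pattern_match(frame, offset, pattern):
    """Offset/value data pattern match, as a capture filter would apply it."""
    return frame[offset:offset + len(pattern)] == pattern


def lookup(table, value, width):
    """Name the upper-layer protocol, or report the raw hex value."""
    return table.get(value, "unknown %0*X" % (width, value))


def classify(frame):
    """Return (frame_format, upper_layer_protocol) for one captured frame."""
    if len(frame) < OFF_LLC:
        return ("truncated", None)
    (len_type,) = struct.unpack_from("!H", frame, OFF_LEN_TYPE)
    if len_type >= MIN_TYPE:
        return ("Ethernet Version 2", lookup(ETHERTYPES, len_type, 4))
    if len_type > MAX_LENGTH:
        # 1501-1535 is neither a length nor a type; do not guess a decode.
        return ("reserved length/type", None)
    # From here on the field is a length. The PUP Ethertype 0200 noted in
    # the instructor guide cannot be told apart from a 512-byte length.
    if len(frame) < OFF_LLC + 2:
        return ("truncated", None)
    if pattern_match(frame, OFF_LLC, b"\xff\xff"):
        return ("Novell 802.3 raw", "NetWare")
    if pattern_match(frame, OFF_LLC, b"\xaa\xaa"):
        if len(frame) < OFF_SNAP_TYPE + 2:
            return ("truncated", None)
        (snap_type,) = struct.unpack_from("!H", frame, OFF_SNAP_TYPE)
        return ("IEEE 802.3 SNAP", lookup(ETHERTYPES, snap_type, 4))
    return ("IEEE 802.3", lookup(SAPS, frame[OFF_LLC], 2))


def format_census(frames):
    """Count frame formats in a capture to spot mixed or unexpected formats."""
    return Counter(classify(f)[0] for f in frames)


def build(dst, len_type, payload, src="00000c010203"):
    """Assemble a constructed sample frame (addresses are sample values)."""
    return bytes.fromhex(dst + src) + struct.pack("!H", len_type) + payload


# Constructed sample frames, one per case; payload bytes are zero filler.
SAMPLES = {
    "v2_ip": build("ffffffffffff", 0x0800, bytes(46)),
    "raw_ipx": build("ffffffffffff", 0x0022, b"\xff\xff" + bytes(44)),
    "llc_bpdu": build("0180c2000000", 0x0026, b"\x42\x42\x03" + bytes(43)),
    "snap_arp": build("ffffffffffff", 0x0024,
                      b"\xaa\xaa\x03\x00\x00\x00\x80\xf3" + bytes(38)),
    "reserved": build("ffffffffffff", 0x05F0, bytes(46)),
    "short": bytes(10),
}

if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        print(name, classify(frame))
    print(dict(format_census(SAMPLES.values())))
```

Running `format_census` over a whole trace gives the same answer as the "Which Frames Are on the Network?" exercise: more than one format for the same upper-layer protocol is the incompatibility to look for.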

Page 70: Ethernet Network Analysis and Troubleshooting


Page 1 - 35

Slide Title: Sniffer Pro Filter Elimination Patterns

Important Points to Cover: This replaces the several data pattern match slides in the previous version of the course.

Those screen shots are placed in the student notes on this page for their reference.

The exercise that used pattern matching has been replaced by one using the Expert.

Page 71: Ethernet Network Analysis and Troubleshooting


So How Does This Matter?

• Devices using different frame formats will not be able to communicate directly
  – They must send their frames to a translating bridge or router which converts and forwards the frames
  – This creates a local router situation which doubles the traffic
• Devices configured with multiple unnecessary frame formats load the network
  – NetWare servers RIP and SAP for each frame type
• Upper Layer Protocols expect a certain frame type and may not be able to communicate if the wrong frame type is in use

Page 72: Ethernet Network Analysis and Troubleshooting


Page 1 - 36

Slide Title: So How Does This Matter?

Important Points to Cover: New Slide.

This helps to link this information to practical uses for the information.

Page 73: Ethernet Network Analysis and Troubleshooting


Exercise: Which Frames Are on the Network?

Turn to the lab section to complete this exercise

Page 74: Ethernet Network Analysis and Troubleshooting


Page 1 - 37

Slide Title: Exercise: Which Frames Are on the Network?

Important Points to Cover: This exercise has been modified. It no longer uses data pattern matching.

Be sure to practice this before class so you are ready for it!

Page 75: Ethernet Network Analysis and Troubleshooting


If you have no questions about the previous exercise
then continue with the next exercise
or if you need a demonstration or explanation
ask your instructor to help you now

Page 76: Ethernet Network Analysis and Troubleshooting


Page 1 - 38

Slide Title: Yield

Important Points to Cover: This slide is here so you can control the exercise process.

Page 77: Ethernet Network Analysis and Troubleshooting


Exercise: A Surprise at 23:00

Turn to the lab section to complete this exercise

Page 78: Ethernet Network Analysis and Troubleshooting


Page 1 - 39

Slide Title: Exercise: A Surprise at 23:00

Important Points to Cover: This exercise is unchanged.

Page 79: Ethernet Network Analysis and Troubleshooting


Summary

In this section, you learned how to:
• Differentiate between Ethernet Frame Formats
  – Ethernet Version 2
  – Novell 1983 proprietary frame format
  – IEEE 802.3
  – IEEE 802.3 SNAP
• Recognize network configuration issues with different frame formats
• Identify frame format incompatibilities

Page 80: Ethernet Network Analysis and Troubleshooting


Page 1 - 40

Slide Title: Summary

Important Points to Cover: Wrap up the section by reviewing the labs and the objectives. Ask the students if they have any questions.

Target Time: Breaktime of Day 1

Page 81: Ethernet Network Analysis and Troubleshooting

© Network Associates Ethernet Network Analysis and Troubleshooting Ethernet Sniffer Pro Hardware


Ethernet Sniffer Pro Hardware

Page 82: Ethernet Network Analysis and Troubleshooting

Section 2 TNV-202-GUI Ethernet Network Analysis and Troubleshooting

Page 2 - 1

Slide Title: Ethernet Sniffer Pro Hardware - Section 2

Section Timing: Start: Day 1 Approx. ______
Finish: Day 1 Early afternoon

Important Points to Cover: Section 2 title slide only.

Files: 02_snf_g.PPT 02_snf_g.DOC

Traces: bcast.cap 100mbfile.caz GB.cap

Exercises: Comparing Ethernet Data

This is a new section. We hope that by putting this information at the front of the course, the students will feel this is an up-to-date course. They get to see the new faster Ethernet products right away and see in an exercise that Ethernet looks almost the same on the Sniffer, no matter what the speed of the network.

Please remember this instructor guide is a living document. It is not complete to start and is intended to grow with time. Add to your own copy as you gain experience. Please e-mail suggestions to the course Subject Matter Expert (SME) for future updates to the course material.

Page 83: Ethernet Network Analysis and Troubleshooting


Section Objectives

Upon completion of this section, you will be able to:
• Select the appropriate Sniffer configuration for each type of Ethernet network
• Ensure system requirements are met for each type of Sniffer
• Attach Sniffer Pro to the various Ethernet networks

Page 84: Ethernet Network Analysis and Troubleshooting


Page 2 - 2

Slide Title: Section Objectives

Important Points to Cover: State the objectives.

Page 85: Ethernet Network Analysis and Troubleshooting


10/100 Ethernet

Page 86: Ethernet Network Analysis and Troubleshooting


Page 2 - 3

Slide Title: 10/100 Ethernet

Important Points to Cover: Title Slide Only.

Page 87: Ethernet Network Analysis and Troubleshooting


10/100 Portable System Requirements

• PAC 64 or 65 or CardBus compatible notebook PC
  – Can also be loaded on a desktop PC
  – Pentium 200 MHz CPU or higher
• Windows 95c*/98 or NT SP3 server or workstation
• Sniffer 10/100 Ethernet adapter
• 85 MB Disk space for software
  – Much more for traces
• 64 MB RAM
  – Some topologies require more
• Keyboard and Pointing Device

[Figure: PAC 64]

Windows 95c requires Winsock 2. Windows NT has been tested through SP 6a.

Consult the Sniffer documentation for a list of the adapters supported with this release.

On heavily loaded Ethernet networks, increase the receive buffer size and capture rate on the Ethernet adapter.

In Windows 95/98:

1. In the Windows control panel, select the Network icon.

2. In the list box at the top of the Configuration tab, select the adapter, then click Properties.

3. Click the Advanced tab.

4. In the Property list box, select Receive Buffers and increase the value to a larger number. We recommend you increase the buffer size in increments of 10 to the highest possible setting, which still enables the card to load.

5. Change the Capture Rate to High - No CPU Throttling.

In Windows NT:

1. In the Windows control panel, select the Network icon.

2. Click the Adapter tab.

3. Select the adapter, then click Properties.

4. Increase the Receive Buffers value to a larger number. We recommend you increase the buffer size in increments of 10 to the highest possible setting, which still enables the card to load.

5. Change the Capture Rate to High - No CPU Throttling.

Page 88: Ethernet Network Analysis and Troubleshooting


Page 2 - 4

Slide Title: 10/100 Portable System Requirements

Important Points to Cover: New Slide.

Quickly review the three options:
• Notebook
• Desktop (this means that desktops are included in the NAI suite of portable software, though desktops are not really portable!)
• Dolch

Review the system requirements.

The readme instructions for setting the Ethernet card parameters for heavily loaded networks are included in the student notes.

Page 89: Ethernet Network Analysis and Troubleshooting


Attaching Sniffer Pro to the Network

• Attach the RJ45 jack into a port on the hub
  – All signals are seen on the Sniffer
• Attach the RJ45 jack into a port on the switch
  – Use the Switch Expert or switch software to mirror the port(s) to the Sniffer port
• Attach in series on coax cable segments

[Figure labels: Ethernet Hub; Ethernet Switch; PAC 64; PAC 64]

Page 90: Ethernet Network Analysis and Troubleshooting


Page 2 - 5

Slide Title: Attaching Sniffer Pro to the Network

Important Points to Cover: Discuss the various ways they can attach the Sniffer. It doesn’t matter if it is notebook, Dolch or desktop. All attach the same way.

Page 91: Ethernet Network Analysis and Troubleshooting


DSPro Agents

• DS Pro consists of two computers:
• Agents permanently installed in production networks
  – Attach the Agent’s Ethernet monitor card to the production network to be analyzed
  – Attach the transport Ethernet card to either a dedicated network or the production network
• A console to access Agents remotely
  – Attach the Console to a network that has access to the networks where the DS Pro Agents are installed
  – SniffView application accesses the remote Sniffers and controls them with the familiar user interface

[Figure labels: DSPro Agent; Ethernet Network; DSPro Console; Optional Transport Network; DSPro Agent; Ethernet Network]

Sniffer University has a two day TNV-012-DSP class that teaches the unique configuration processes required for the DS Pro system.

Page 92: Ethernet Network Analysis and Troubleshooting


Page 2 - 6

Slide Title: DSPro Agents

Important Points to Cover: Don’t get sidetracked into explaining the DS Pro system.

Direct them to the TNV-201-DSP class!

Page 93: Ethernet Network Analysis and Troubleshooting


Full Duplex Sniffer Pro

Page 94: Ethernet Network Analysis and Troubleshooting


Page 2 - 7

Slide Title: Full Duplex Sniffer Pro

Important Points to Cover: Title Slide Only.

Page 95: Ethernet Network Analysis and Troubleshooting


System Requirements

• PAC 63, 64 or 65 or CardBus compatible notebook PC
• Windows 95c/98 or NT SP3 server or workstation
• Sniffer 10/100 Ethernet adapter
  – Set to 100 Mbps
• Full Duplex pod
• 85 MB Disk space for software
  – Much more for traces
• 64 MB RAM (128 is better)
• DSPro also has a 4 port Ethernet adapter you can configure in several modes

A Fast Ethernet Full Duplex Pod installation consists of the following major components:

A PC with Sniffer Pro or Sniffer agent (Distributed Sniffer) software installed on the hard disk (the Sniffer PC).

A supported Fast Ethernet network adapter installed in the Sniffer PC. Consult the Sniffer documentation for a list of the adapters supported with this release of the Full Duplex Pod.

A Fast Ethernet Full Duplex Pod is connected to the Sniffer PC via the Fast Ethernet adapter and the Ethernet port on the Fast Ethernet Full Duplex Pod labeled, "Host Channel 10/100 UTP.”

Page 96: Ethernet Network Analysis and Troubleshooting


Page 2 - 8

Slide Title: System Requirements

Important Points to Cover: Slide moved here from section five of the previous version.

Needs a 10/100 adapter in the main PC
Pod attaches through the Ethernet cable
Pod attaches into the network
Needs lots of buffer and disk space, since the traffic load is very high and will create large trace files.

Page 97: Ethernet Network Analysis and Troubleshooting


Full Duplex Pod

• Troubleshoots and analyzes all traffic on 10/100 full-duplex backbone connections
• 148,800 Packets per Second (PPS) wire speed packet capture
  – Full line rate on two channels in High Speed mode
  – Near 100 Mbps in streaming mode
  – Stores to a hardware buffer configurable to 512 MB
• Full-duplex Dual-channel Synchronous capture

The Fast Ethernet Full Duplex Pod is a separate network interface pod provided by Network Associates for use with Sniffer Pro and the Distributed Sniffer. The Fast Ethernet Full Duplex Pod provides two separate receive channels (one for each side of a full duplex Fast Ethernet network) and can capture at full Fast Ethernet line rate speeds in either a passthrough mode or a terminated mode. The Fast Ethernet Full Duplex Pod lets you use the Sniffer with a Fast Ethernet card installed to monitor or capture data from Ethernet, Fast Ethernet, Full Duplex Fast Ethernet, and Half Duplex Fast Ethernet.

This is called the “Pod-FEDC-NA-100” for Fast Ethernet Dual Channel in the NAI order book.

Page 98: Ethernet Network Analysis and Troubleshooting


Page 2 - 9

Slide Title: Full Duplex Pod

Important Points to Cover: Slide moved here from section five of the previous version.

Buffer is in the pod.

Frames captured on the pod are encapsulated into Ethernet frames, then delivered to the PC for analysis.

This is listed in the order list as “Pod-FEDC-NA-100” for “Fast Ethernet Dual Channel Pod.”

Page 99: Ethernet Network Analysis and Troubleshooting


Full Duplex Pod Connectors

• Connects to High-Speed 100Base-TX and 100Base-FX Ethernet Networks
  – RJ-45 ports offer a power-off pass-through
  – Fiber and T4 supported through MII connectors

[Figure: pod rear panel. Connectors: Power Connector; Synch In; Synch Out; Serial Port; Probe Channel B (10/100 UTP, MII); Probe Channel A (10/100 UTP, MII); Connection button; Host Channel (10/100 UTP). Callouts:]
Channel B connections to the network (UTP and MII)
Channel A connections to the network (UTP and MII)
Connection button selects between Pass-through and Terminate Modes
Connect straight-through Ethernet cable to the laptop

The Fast Ethernet Full Duplex Pod captures network data off the connected circuit and stores it in its own internal buffer. The captured data is then encapsulated in Ethernet frames and sent to the Sniffer PC over a Fast Ethernet connection. There, the analyzer strips the encapsulated capture data out of the Ethernet frame, making it available to the full set of Sniffer features.

The pod can capture frames up to 4082 bytes in length (including CRC). Frames larger than 4082 bytes will be treated as illegal frames. Normal Ethernet frames are 1518 bytes maximum.

Page 100: Ethernet Network Analysis and Troubleshooting


Page 2 - 10

Slide Title: Full Duplex Pod Connectors

Important Points to Cover: Slide moved here from section five of the previous version.

Point out the separate channel connector. They can attach to TX via UTP or FX via the MII (Media Independent Interface) connectors.

The connection button allows you to set pod to either pass-through or terminate mode.

The right-most UTP connector attaches the pod to the 10/100 card in the PC.

The Synch In and Out connectors are not used.

Page 101: Ethernet Network Analysis and Troubleshooting

Full Duplex Pod LEDs

[Figure: pod front panel. LINK and ACT LEDs for Host, Channel A and Channel B; Pass-through, Terminate, Clock, Activity, Power and HW Chk LEDs.]

• Separate LNK (Link) and ACT (Activity) LEDs show the status of each port
– The LNK LED illuminates when the indicated port is connected and working properly
– The ACT LED blinks when there is activity on the indicated port

LED: Description
Passthrough: Lit when pod is in passthrough mode. Switch with the button on the back of the pod
Terminate: Lit when pod is in terminate mode
Clock: Lit periodically to indicate the pod’s software is alive and active
Activity: Lit when there is potential loss of data. The data may be lost when there is more data than the pod can handle
Power: Lit when the pod is receiving power
HW Chk: Lit when there is pod hardware or software failure. Flashes in test mode

Page 102: Ethernet Network Analysis and Troubleshooting

Page 2 - 11

Slide Title: Full Duplex Pod LEDs

Important Points to Cover: Slide moved here from section five of the previous version.

Review quickly. Mainly for reference.

Page 103: Ethernet Network Analysis and Troubleshooting

Connecting the Pod to the Sniffer

• Power down the Sniffer and unplug the pod
• Attach the pod to the Sniffer with a standard Ethernet cable
– Connect between the Ethernet port on the PC and the Host Channel 10/100 UTP port on the pod
• Power on the PC
• Connect the power to the pod
• Connect the pod to the network

When the pod is powered on before the host, pod initialization may fail. Turn the pod off, then on if this occurs.

The pod provides a pass-through mode. When you remove power from the pod in pass-through mode, the link will go down! You may wish to install a splitter in the line that will enable you to attach the pod when needed without bringing down the link. Be sure it meets the dB loss specifications so the link is not degraded.

Page 104: Ethernet Network Analysis and Troubleshooting

Page 2 - 12

Slide Title: Connecting the Full Duplex Pod to the Sniffer

Important Points to Cover: New Slide.

Emphasize that this pod has a different power adapter from the rest. It is huge and heavy and nicknamed “the brick” for good reason – it’s as big and heavy as a brick.

It’s important they follow this order. They may damage the pod and/or PC if they don’t or the Sniffer may not be able to see the pod.

Page 105: Ethernet Network Analysis and Troubleshooting

Attaching FDX Pod to the Network

• Insert directly in the link
– Copper pass-through prevents losing link, even when powered off
• Tap into the line with a splitter
– Can leave the splitter in at all times and tap the line when necessary
– Use a copper or fiber splitter/transceiver
• Tap into the line through a monitor port on a switch or hub

[Figure: attachment diagrams. Labels: Ethernet Hubs or Switches; Channel A; Channel B; Routers / Switches; Beam Splitters Tap Optical Signal from Channels A and B and Send to Pod; To Channel A Ethernet Hub.]

Page 106: Ethernet Network Analysis and Troubleshooting

Page 2 - 13

Slide Title: Attaching Full Duplex Pod to the Network

Important Points to Cover: Slide moved here from section five of the previous version.

Three ways:

Break open the link and insert the pod. Push the button to place it in pass-through mode.

Keep splitters in the line at all times so you won’t need to break the connection to attach the Sniffer. Set the button to terminate mode so the signals are not repeated back onto the wire!

Attach to a monitor port on the switch. This is vendor-specific, but will probably allow you to select which channels you want to monitor.

Page 107: Ethernet Network Analysis and Troubleshooting

Attaching FDX Pod to DSPro Agents

• When using the Distributed Sniffer System, attach the Full Duplex pod to the Agent and use the remote console to configure the options.
• Attach using the diagrams on the previous page

[Figure: Channel A and Channel B of the Ethernet Network attached to the DSSPro Agent; DSPro Console; Monitor Cable; Transport Cable.]

Page 108: Ethernet Network Analysis and Troubleshooting

Page 2 - 14

Slide Title: Attaching Full Duplex Pod to DSPro Agents

Important Points to Cover: New Slide.

Included here mainly to emphasize this pod can be used on the DSPro system.

There is also a 4 port Ethernet card that can be used in the DS Pro to monitor several different full-duplex connections, including 400 MB pipes that combine full-duplex channels.

It is covered in the 201-DSP class.

Page 109: Ethernet Network Analysis and Troubleshooting

Gigabit Sniffer

There are several paragraphs of information in the 4.0 Readme.wri that is copied to the Sniffer Pro program directory when you load the Sniffer Pro software. Read them before you use the Sniffer!

Page 110: Ethernet Network Analysis and Troubleshooting

Page 2 - 15

Slide Title: Gigabit Sniffer

Important Points to Cover: Title slide.

Page 111: Ethernet Network Analysis and Troubleshooting

Gigabit Sniffer Pro Minimum Host CPU

• Microsoft Windows 98 or NT4.0 SP6
• 233 MHz Pentium or better
• 128 MB RAM for traffic generation
• 800 x 600 Screen 256 Color Monitor
• Large GB disk for huge trace files
• Full length PCI slot for Gigabit Ethernet card
• Half length ISA slot for power adapter if CPU doesn’t have 3.3v power available
• PCI to PCI bridge support v2.1
• Plug and Play v1.0a
• AMI or Award BIOS xx0617

[Figure label: PAC 64]

Windows 95 is not supported for the Gigabit Sniffer. Use a compatible portable (Dolch) or desktop that has a Peripheral Component Interconnect (PCI) slot.

AMI and Award are popular BIOS chips. The BIOS version should be AI5TV-D2-0617. You can contact DOLCH to get the BIOS Flash upgrade. There should be two files:

awdflash.exe, size=7,847 Bytes, Dated 3/8/96

Dolch-2.bin, size=131,072 Bytes, Dated 6/19/97

Upgrade the Flash BIOS for PAC-64

To Upgrade the Flash BIOS for PAC-64, follow these instructions:

1. Insert the Flash BIOS upgrade diskette into drive A:

2. Run the awdflash.exe file.

3. You will be prompted to enter the BIOS file name; enter Dolch-2.bin and save the BIOS.

4. You then will be prompted to save a file. Give this file the name Dolch-1.bin.

5. Save and program the BIOS.

6. Reboot after update.

Page 112: Ethernet Network Analysis and Troubleshooting

Page 2 - 16

Slide Title: Gigabit Sniffer Pro Minimum Host CPU

Important Points to Cover: Slide moved here from section five of the previous version.

Slide is adequate.

Page 113: Ethernet Network Analysis and Troubleshooting

Hardware Included

• Xyratex 1250 SX or LX Protocol Analyzer Adapter Card
– SC connectors
• Long and Short External Trigger Cables
• Duplex Fiber Optic Cable
• 3.3v Voltage Regulator Card
• PC Power Supply ‘Y’ cable
• Voltage Regulator to Protocol Analyzer Power Cable

SX: Short Wave, 850 nm

LX: Long Wave

The Xyratex Gigabit card is designed to analyze the network. When the card is installed, it will not bind to TCP/IP; in other words, no IP address should be assigned to the card.

Page 114: Ethernet Network Analysis and Troubleshooting

Page 2 - 17

Slide Title: Hardware Included

Important Points to Cover: Slide moved here from section five of the previous version.

Slide is adequate.

Page 115: Ethernet Network Analysis and Troubleshooting

Interfaces

• 1000Base-SX
• 1000Base-LX
• 1000Base-CX through external adapter
• 1000Base-T
• Can analyze both sides of full-duplex connection or two separate single links
• Captures and analyzes raw bits from the link
– Sees 10-bit codes, autonegotiation, error propagation, collisions, preambles, packet encapsulation, idles and code violations

SX and LX transceivers are available.

Page 116: Ethernet Network Analysis and Troubleshooting

Page 2 - 18

Slide Title: Interfaces

Important Points to Cover: New slide.

Just run down the list.

Page 117: Ethernet Network Analysis and Troubleshooting

3.3v Power

• Two sources:
• Mother boards in newer CPUs have 3.3v power supply connector
– Dolch PAC 65 and newer has 3.3 v power, PAC 64 needs the card (PAC 63 and older are not supported for Gigabit)
– Attach to the Protocol Analyzer card
• 3.3v Voltage Regulator half-slot ISA card for CPUs without the 3.3v power supply
– Generates 3.3v from PC’s 5v power supply
– Drives up to 3 Protocol Analyzer cards
– Y cable inserts between power supply and CD-ROM/floppy disk
– Connects to Protocol Analyzer boards with short cable

ATX mother boards include the 3.3 v connector.

Page 118: Ethernet Network Analysis and Troubleshooting

Page 2 - 19

Slide Title: 3.3V Power

Important Points to Cover: Slide moved here from section five of the previous version.

Needs 3 volts power. If the motherboard doesn’t have it, you need another card that supplies it.

Jumper from this card to the PacketMaster card.

Page 119: Ethernet Network Analysis and Troubleshooting

Xyratex 1250 Connectors

[Figure: PacketMaster 1250 Card. Labels: Connector 1 to Device 1; Connector 2 to Device 2; Tx 1; Rx 2; Rx 1; Tx 2; Channel 2; Channel 1; Sync In (Trigger In); Sync Out (Trigger Out).]

• Two 1000Base-SX or LX Gigabit Ethernet SC Connections
• External trigger in and trigger out connections

Available external connections are:

• two 1000Base SX Short Wave Fiber Optic connector pairs

• a single micro coax external trigger input

• a single micro coax external trigger output

Trigger conditions can be independently defined for each channel or combined for both channels, just as for filtering. The system can accept external inputs and can also be synchronized to other test equipment. The system can also provide external TTL output from a trigger.

Interfaces available:

• 1000Base-SX

• 1000Base-LX

• 1000Base-CX through an external adapter

• 1000Base-T* coming later

• SX and LX transceivers are available.

* T Specification under development

Page 120: Ethernet Network Analysis and Troubleshooting

Page 2 - 20

Slide Title: Xyratex 1250 Connectors

Important Points to Cover: Slide moved here from section five of the previous version.

Slide is adequate.

Page 121: Ethernet Network Analysis and Troubleshooting

Connecting the Analyzer

[Figure: connection diagrams for a PAC 62 portable, with ports labelled Tx, Tx1, Tx2, Rx, Rx1 and Rx2. Captions: Full Duplex connection between 2 hubs, switches; Full Duplex connection between switch and end node; Attached to hub or switched port (can be a SPAN port); Use this for traffic generation also; Loopback between Tx1 & Rx2; Full Duplex connection between end nodes.]

Page 122: Ethernet Network Analysis and Troubleshooting

Page 2 - 21

Slide Title: Connecting the Analyzer

Important Points to Cover: Slide moved here from section five of the previous version.

This will help those students who have the Sniffer now. (They are very lucky: they are in high demand and short supply.)

Slide is self-explanatory.

Page 123: Ethernet Network Analysis and Troubleshooting

Gigabit DSPro

• The Xyratex card is also supported in the DSPro Agent
• Attach this card to the Gigabit network as you do for the portable Sniffer
• Attach the 10/100 monitor adapter to the transport network

[Figure: DSPro Agent connected to the Gigabit Network and to the 10/100 Ethernet Network; Monitor Cable; Transport Cable.]

Page 124: Ethernet Network Analysis and Troubleshooting

Page 2 - 22

Slide Title: Gigabit DSPro

Important Points to Cover: New Slide.

Mainly FYI.

Screens still look the same when you connect to the Agent.

Page 125: Ethernet Network Analysis and Troubleshooting

Exercise: Comparing Ethernet Data

Turn to the lab section to complete this exercise. Use the diagram on the next page as a reference to the network layout.

Page 126: Ethernet Network Analysis and Troubleshooting

Page 2 - 23

Slide Title: Exercise: Comparing Ethernet Data

Important Points to Cover: New Exercise.

This exercise is here to let them see right up front how the data looks in almost all speeds of the Sniffer. I was unable to get a 100 MB full-duplex trace file, so it has been mentioned briefly.

Do not mention the 10 bit hex decode in the Gigabit screens now! Wait until they have been explained in the Gigabit section.

Page 127: Ethernet Network Analysis and Troubleshooting

Summary

In this section, you learned how to:
• Select the appropriate Sniffer configuration for each type of Ethernet network
• Ensure system requirements are met for each type of Sniffer
• Attach Sniffer Pro to the various Ethernet networks

More details on using these Sniffers are in the sections following.

Page 128: Ethernet Network Analysis and Troubleshooting

Page 2 - 24

Slide Title: Summary

Important Points to Cover: Review the section objectives and answer any remaining questions.

Target Time: Day 1 at noon or earlier if possible.

Page 129: Ethernet Network Analysis and Troubleshooting

© Network Associates Ethernet Network Analysis and Troubleshooting
Ethernet Physical and Data Link Layers
Sniffer University 3-1

Ethernet Physical and Data Link Layers

Page 130: Ethernet Network Analysis and Troubleshooting

Section 3 TNV-202-GUI Ethernet Network Analysis and Troubleshooting

Page 3 - 1

Slide Title: Ethernet Physical and Data Link Layers – Section 3

Section Timing: Start: Day 1 Approx. 1pm. Finish: Day 1 End of day

Important Points to Cover: Section 3 title slide only.

Files: 03_phy_g.PPT 03_PHY_g.DOC

Traces: HUB6ARC.caz

Exercise: Cable Specifications

This is a critical section that must be covered thoroughly so the students understand the basis of all Ethernet standards. The exercise comes close to the end, so your challenge will be to keep the students engaged through the lecture.

The 10BASE5 and 10BASE2 specific slides are now in the Optional Technologies section. Be prepared to jump there if you have students who still want to see the physical components of the old technologies.

The diagrams have been spiffed up so they show mainly star configurations.

Please remember this instructor guide is a living document. It is not complete to start and is intended to grow with time. Add to your own copy as you gain experience. Please e-mail suggestions to the course Subject Matter Expert (SME) for future updates to the course material.

Page 131: Ethernet Network Analysis and Troubleshooting

Section Objectives

Upon completion of this section, you will be able to:
• Describe the access method used in Ethernet
• Discuss the responsibilities of the MAC layer
• Differentiate the various types of Physical Layer devices
• Explain the importance of the physical size limitations of the Ethernet networks
• Determine when the physical characteristics of the Physical Layer have been extended beyond the specifications

Page 132: Ethernet Network Analysis and Troubleshooting

Page 3 - 2

Slide Title: Section Objectives

Important Points to Cover: State the objectives.

The focus of the prior revision was on the new components most customers have in their environments.

The specifications for 10BASE2 and 10BASE5 are still the basis for the newer environments and need to be covered.

We’ve tried to make it as painless as possible while still giving them everything they need to know to understand the buzz words and, more importantly, why collision domains and timing specifications are still important!

Most of our students think they know the Ethernet “nitty gritty” details, but they invariably learn new things in this section.

Page 133: Ethernet Network Analysis and Troubleshooting

Ethernet Components Today

• There is a wide variety of configurations and options available
• All still adhere to core concepts that define Ethernet
• Segments are extended logically by chaining hubs or switches, or by using bridges
• Networks are segmented using routers

[Figure: Network A and Network B joined by a Router, built from Hubs, Switches and Network Interface Cards (NICs). Callouts: Switched Segment, Dedicated Connections: Only Broadcasts are propagated to all; Broadcast Segment: Everything broadcast to all.]

Ethernet networks are undergoing unprecedented change. Standard hubs and switching hubs are becoming commonplace. Fast Ethernet is being included. Full Duplex Ethernet may be installed. Fast transmit adapters enable large amounts of data to be transmitted and received.

Page 134: Ethernet Network Analysis and Troubleshooting

Page 3 - 3

Slide Title: Ethernet Components Today

Important Points to Cover: Today networks are undergoing change. We are installing switches and hubs now. No one is really installing 10BASE5 or 10BASE2 today.

Fast Ethernet

Full duplex

Fast transmit adapters

Gigabit Ethernet

Yesterday, hubs were the new devices in networks, pushing out the older 10BASE5 and 10BASE2 networks.

Today, switches may start to push out hubs. The only constant we really have is change.

Emphasize the fact that whether we are talking about 10BASE5 or switches, Ethernet is still contention-based, designed to a bus concept.

Page 135: Ethernet Network Analysis and Troubleshooting

Ethernet Contention Access Control

• Broadcast environment
• All network stations contend for available network bandwidth
• Simultaneous transmissions cause collisions, which produce runt frames
• Contention Access Control works well with bursty traffic

[Figure: stations attached to a Concentrator or Hub]

Page 136: Ethernet Network Analysis and Troubleshooting

Page 3 - 4

Slide Title: Ethernet Contention Access Control

Important Points to Cover: No inherent line control is used. The only requirement to transmit data is that the wire is quiet for 9.6 bit times.

Page 137: Ethernet Network Analysis and Troubleshooting

CSMA/CD

The Basis for Ethernet Specifications

• Carrier Sense
– Listen until no carrier is sensed, then transmit after a delay
• Multiple Access
– Designed for a broadcast environment
– Every station hears every frame
• with Collision Detection
– Listen for a collision while you transmit
• Designed for a bus, usually implemented as a star
– The rules are observed in half-duplex switched networks even though collisions are usually avoided by using dedicated connections

Page 138: Ethernet Network Analysis and Troubleshooting

Page 3 - 5

Slide Title: CSMA/CD The Basis for Ethernet Specifications

Important Points to Cover: The basics. Preparing the students for what is to come later.

Page 139: Ethernet Network Analysis and Troubleshooting

MAC Frame Transmission

• Construct a frame from data supplied by upper-layer
– A legal frame must be at least 64 bytes long and no longer than 1518 bytes (counting the CRC, but not the Preamble)
– If necessary, the 802.3 MAC layer adds a pad so that the frame is at least 64 bytes
• Calculate and append the CRC
• Sense Carrier: Defer to stations already transmitting
• Observe Interframe spacing: There is always at least a 96 bit time delay between frame transmissions
– 9.6 µs for 10 Mbps, .96 µs for 100 Mbps, 96 ns for 1000 Mbps
• Transmit and listen
• Detect collisions
• Backoff and retransmit if collisions occur

All adapters are manufactured to the Ethernet specifications. The card has no knowledge of whether it is plugged into a switch or hub port.

These specifications apply to all speeds of Ethernet. The interframe spacing is always 96 bit times. The actual time between frames is dependent on the speed of the network and shrinks in proportion to the increase in speed.

Specifications dictate that there be a minimum 9.6 microsecond delay between frames in 10 Mbps Ethernet. An adapter must sense that the wire has been quiet at least 9.6 microseconds before it can transmit.

In Fast Ethernet, the interframe gap is .96 microseconds.

The gap in Gigabit Ethernet is 96 nanoseconds.

Page 140: Ethernet Network Analysis and Troubleshooting

Page 3 - 6

Slide Title: Media Access Control (MAC) Frame Transmission

Important Points to Cover: With IEEE MAC layer, it is the MAC’s job to ensure the minimum frame length.

This is a departure from the V2 specifications, which forced the network layer protocol to guarantee the minimum frame size. Now the version two frames have been brought under the IEEE, so all versions must pad.

The MAC layer is responsible for accessing the channel and ensuring correct transmission of the data.

MAC functions reside on the adapter on the chipset.

Important change: The Interframe gap has been changed from 96 microseconds to 96 bit times to imply this is used in all speeds. Use this term throughout this section.

The Interframe Gap is 9.6 microseconds in 10 Mbps, 960 nanoseconds in 100 Mbps and 96 nanoseconds in Gigabit 1000 Mbps.

Page 141: Ethernet Network Analysis and Troubleshooting

Frame Transmission

• After sensing that there is no carrier on the wire during the interframe gap period, stations with data to send transmit the frame
• The signal is propagated everywhere
• The source station listens while transmitting
• It assumes the frame was delivered if it sensed no interference

[Figure: animation of a Source Station sending Preamble and Dest Address bits through a Concentrator or Hub to every station. *Timing slowed to show process]

Even in switched environments, stations must wait the interframe time after the line goes silent before they start transmitting.

Page 142: Ethernet Network Analysis and Troubleshooting

Page 3 - 7

Slide Title: Frame Transmission

Important Points to Cover: This is a timed build slide and covers only the transmission part of the process. It builds automatically.

The station that wants to transmit listens for carrier.

When it senses there is no carrier, it waits the interframe gap time, then begins to transmit.

This is a good time to discuss the adapters that jump the gun and start transmitting before the interframe gap time. This is mentioned in the student notes and should be discussed in class.

When the signal is transmitted, it is intended to go everywhere.

All stations hear it.

Stations continue to listen while they transmit.

Page 143: Ethernet Network Analysis and Troubleshooting

Collisions

• When two stations with data to transmit sense that the media is available at the same time, they both transmit and a collision occurs
• The transmitting adapters sense the collision and continue to transmit a 32-bit jam signal, and wait a random amount of time before retransmitting
• If there are repeated collisions, the adapter tries again (up to a total of 16 times)
• It uses truncated binary exponential backoff to ensure that two stations will not collide with each other again during the wait cycle
– Each time it retries, it waits a random amount of time

[Figure: animation of two stations on a Concentrator or Hub. Labels: Transmit, Collision, Transmit, Jam, Jam. *Timing slowed to show process]

Stations continue to listen as they transmit.

Twisted pair environments are basically point-to-point communications. While an adapter is transmitting, it listens on its receive pair. If a receive signal is detected, the adapter has detected a collision.

On a bus, the transceiver detects an increase in voltage on the wire if another station transmits at the same time. The transceiver notifies the adapter of a collision.

Any other stations with frames queued sense the wire is busy and they wait until the interframe gap has passed after the wire goes silent.

Page 144: Ethernet Network Analysis and Troubleshooting

Page 3 - 8

Slide Title: Collisions

Important Points to Cover: This is a timed build slide. Some is automated on a timer, and some requires a mouse click to activate.

Wait to click until the first collision occurs.

There are three clicks for the slide.

--------------------------------------------------------------------------------

The signal from the transmitting station will not be heard by the second station some distance from it, so it begins to send its frame.

If a collision occurs, the participating stations output a minimum of 32 bits as a jam.

Its purpose is simply to busy out the wire on a 500 meter segment.

Important change: The wording was changed slightly to indicate it does not stop transmitting, but just continues to transmit the jam signal instead of the frame.

IEEE states a minimum jam of 32 bits but does not specify a maximum jam period past 150 ms.

There is no specified jam pattern for the adapters.

Manufacturers can do what they want as long as it is not the CRC of the bits that were just transmitted.

The transmitting adapters back off a random amount of time. The first station to timeout tries again. In the meantime, a totally different station may have gotten a frame out onto the network.

Each time the adapter is involved in a collision trying to transmit the same frame, it waits a longer period of time before listening for carrier.

It gives up after 16 unsuccessful attempts and purges the frame from its transmit buffer. The upper layer protocol must queue it again. This of course involves more delay than the collisions and backoff induced.

Page 145: Ethernet Network Analysis and Troubleshooting

Truncated Binary Exponential Backoff

Retry   Random Time Range
1       2^1 = 0...2 x 51.2 µsec
2       2^2 = 0...4 x 51.2 µsec
3       2^3 = 0...8 x 51.2 µsec
4       2^4 = 0...16 x 51.2 µsec
5       2^5 = 0...32 x 51.2 µsec
6       2^6 = 0...64 x 51.2 µsec
7       2^7 = 0...128 x 51.2 µsec
8       2^8 = 0...256 x 51.2 µsec
9       2^9 = 0...512 x 51.2 µsec
10      2^10 = 0...1024 x 51.2 µsec
11      2^10 = 0...1024 x 51.2 µsec
12      2^10 = 0...1024 x 51.2 µsec
13      2^10 = 0...1024 x 51.2 µsec
14      2^10 = 0...1024 x 51.2 µsec
15      2^10 = 0...1024 x 51.2 µsec
16      2^10 = 0...1024 x 51.2 µsec

(1024 x .0000512 = 52.4 milliseconds)

The backoff time is measured using the propagation delay of the media (slot time). The figures above are for 10 Mbps Ethernet. 100 Mbps times are 1/10th of these times; gigabit times are 1/100th of these times.
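The backoff table above, worked as code. This is an added example, not part of the course material; the function names are assumptions, and the random draw follows IEEE 802.3, which picks an integer r with 0 <= r < 2^k slot times. It also simulates two colliding stations to show how quickly the growing range separates them.

```python
import random

SLOT_BITS = 512        # slot time in bit times: 51.2 µs at 10 Mbps, as in the table
BACKOFF_LIMIT = 10     # the exponent stops growing after the 10th retry
ATTEMPT_LIMIT = 16     # the adapter gives up after 16 attempts


def slot_time_us(mbps=10):
    """Slot time in microseconds: bit times divided by Mbit/s."""
    return SLOT_BITS / mbps


def backoff_slots(retry):
    """Size of the range the random slot count is drawn from on this retry."""
    if not 1 <= retry <= ATTEMPT_LIMIT:
        raise ValueError("retry must be between 1 and 16")
    return 2 ** min(retry, BACKOFF_LIMIT)


def max_backoff_us(retry, mbps=10):
    """Upper end of the 'Random Time Range' column for this retry."""
    return backoff_slots(retry) * slot_time_us(mbps)


def pick_backoff_us(retry, rng, mbps=10):
    """Draw one wait: an integer r with 0 <= r < 2^k, times the slot time."""
    return rng.randrange(backoff_slots(retry)) * slot_time_us(mbps)


def resolve_collision(rng):
    """Two stations have just collided and both back off.

    Returns the retry number on which they pick different slots, or None
    when all 16 attempts collide and the frame is purged from the buffer.
    """
    for retry in range(1, ATTEMPT_LIMIT + 1):
        a = rng.randrange(backoff_slots(retry))
        b = rng.randrange(backoff_slots(retry))
        if a != b:  # different slots: the earlier station gets the wire
            return retry
    return None


def average_retries(trials=10000, seed=1):
    """Mean number of retries two stations need to get out of each other's way."""
    rng = random.Random(seed)  # seeded so the run is repeatable
    results = [resolve_collision(rng) for _ in range(trials)]
    done = [r for r in results if r is not None]
    return sum(done) / len(done)


if __name__ == "__main__":
    for retry in range(1, ATTEMPT_LIMIT + 1):
        print(f"{retry:2d}  0...{backoff_slots(retry):4d} x {slot_time_us():.1f} µs"
              f"  (max {max_backoff_us(retry) / 1000:.2f} ms)")
    print("average retries for two stations:", round(average_retries(), 2))
```

With only two contenders the average stays below two retries; the long tail of the table matters when many stations collide on a busy segment.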

Page 146: Ethernet Network Analysis and Troubleshooting

Page 3 - 9

Slide Title: Truncated Binary Exponential Backoff

Important Points to Cover: For student reference. Don’t spend any time here.

The previous two slides are now combined on this single slide.

Page 147: Ethernet Network Analysis and Troubleshooting

Half Duplex MAC Transmit

[Flowchart]
1. Data to send. < 60 bytes? Yes: Pad to 60 bytes.
2. Calculate and add CRC.
3. Carrier Sense? Yes: Defer. No: Wait 96 bit times.
4. Transmit Data. Listen for collision.
5. Detect Collision? No: Transmit Until End. End of data? Yes: Done. Transmit OK!
6. Detect Collision? Yes: Send Jam. Too many attempts? Yes: Done. Excessive errors. No: Compute backoff. Wait backoff time, then return to Carrier Sense.

All speeds of Ethernet follow this flowchart. Only the timing changes.

Page 148: Ethernet Network Analysis and Troubleshooting

Page 3 - 10

Slide Title: Half Duplex MAC Transmit

Important Points to Cover: Spend time taking the students through the process. Make sure they understand.

There is a new diagram similar to this in the Full Duplex section now.

Page 149: Ethernet Network Analysis and Troubleshooting

Frame Reception

• All adapters synchronize clocks to the preamble bit pattern
• Upon receipt of “end of preamble flag,” adapters copy the DLC destination address
• If the destination DLC address is equal to their own or a broadcast, stations continue to copy, otherwise they stop copying and release the buffer

[Figure: animation of a frame (Preamble ..AAAAA, Dest Address 080069020FD3, Source Address C788CD809782) passing through a Concentrator or Hub to every station. *Timing slowed to show process]

Page 150: Ethernet Network Analysis and Troubleshooting

Section 3 TNV-202-GUI Ethernet Network Analysis and Troubleshooting

Page 3 - 11

Slide Title: Frame Reception

Important Points to Cover: This is an automated build slide. Click the mouse when you are ready to show the action after you have covered the bullets.

Stations hear the preamble and synchronize their clocks to it. The Start of Frame delimiter indicates the destination field is coming next.

Stations listen for as long as it takes to determine if the frame is addressed to them or not.

If it is addressed to them, they copy it.

If the frame is not intended for them, they discard the bits from their receive buffer and passively wait for a new signal or the quiet time so that they may send their own data.

Page 151: Ethernet Network Analysis and Troubleshooting


Assessment of Received Frames

[Flowchart: “>512 Bits?” No: Runt Frame. Yes: “CRC Valid?” Yes: Good Frame! Pass to higher layer protocol. No: “End on 8-bit Boundary?” Yes: CRC Error. No: Alignment Error. Runt Frame, CRC Error and Alignment Error lead to Discard Frame.]

MAC Frame Reception:
• Recognize if frame is destined for this station
• Discard frame if it is too short (runt)
• If frame does not end on an 8-bit boundary, truncate it to the nearest 8-bit boundary
• Calculate CRC. If the calculated CRC does not match the CRC in the frame, discard the frame (If the discarded frame does not end on an 8-bit boundary, report Alignment Error; otherwise report CRC error)
• Pass good data to upper-layer

Frames are always truncated because transmitters have a hard time stopping immediately after the last data bit. Transmitters are allowed 1.6 bit times after the final data bit to let their transmission level reach 0.

Any bits whose signal level is less than the receiving adapter’s minimum level requirements will be disregarded. It is possible for a transmitting adapter to send an extra bit or two after sending the CRC field, and for these bits to be of sufficient amplitude to be seen as bits by a receiving adapter. In these circumstances, the bits are referred to as dribble bits and will be truncated by the receiving adapter to the nearest 8-bit boundary. Dribble bits become more evident in Fast Ethernet and Gigabit Ethernet networks, due to the increased number of bit times required for transmitting adapters to return to zero.
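The receive checks above, written out as an added example that is not part of the course material. The two addresses are the ones drawn on the Frame Reception slide; the type field, payload and second destination address are constructed, and a frame of exactly 512 bits (60 padded bytes plus the 4-byte CRC) is assumed to pass the length check.

```python
import zlib

# Addresses as drawn on the Frame Reception slide.
STATION = bytes.fromhex("080069020FD3")   # destination on the slide
SENDER = bytes.fromhex("C788CD809782")    # source on the slide
BROADCAST = b"\xff" * 6
MIN_FRAME_BITS = 512   # assumption: 60 bytes after padding + 4-byte CRC


def fcs(data: bytes) -> bytes:
    """CRC-32 in the byte order it has at the end of an Ethernet frame."""
    return zlib.crc32(data).to_bytes(4, "little")


def build_frame(dst: bytes, src: bytes, payload: bytes) -> bytes:
    """Constructed test frame: addresses, 2-byte type, padded payload, CRC."""
    body = (dst + src + b"\x08\x00" + payload).ljust(60, b"\x00")
    return body + fcs(body)


def to_wire_bits(frame: bytes) -> str:
    """Bits that follow the preamble, least significant bit of each octet first."""
    return "".join(format(octet, "08b")[::-1] for octet in frame)


def truncate_to_octets(bits: str) -> bytes:
    """Drop any bits past the last 8-bit boundary and rebuild the octets."""
    whole = len(bits) - len(bits) % 8
    return bytes(int(bits[i:i + 8][::-1], 2) for i in range(0, whole, 8))


def flip_bit(bits: str, index: int) -> str:
    """Simulate noise damaging one bit on the wire."""
    flipped = "1" if bits[index] == "0" else "0"
    return bits[:index] + flipped + bits[index + 1:]


def assess(bits: str, station: bytes = STATION) -> str:
    """Classify a received bit stream the way the slide's checklist does."""
    octets = truncate_to_octets(bits)
    # 1. Address recognition: own address or broadcast, otherwise stop copying.
    if len(octets) >= 6 and octets[:6] not in (station, BROADCAST):
        return "not-for-station"
    # 2. Too short: runt.
    if len(bits) < MIN_FRAME_BITS:
        return "runt"
    # 3. CRC over the truncated octets; a bad CRC is reported as an alignment
    #    error only when the frame did not end on an 8-bit boundary.
    if fcs(octets[:-4]) != octets[-4:]:
        return "crc-error" if len(bits) % 8 == 0 else "alignment-error"
    return "good"


def demo() -> dict:
    good = to_wire_bits(build_frame(STATION, SENDER, b"constructed payload"))
    other = build_frame(bytes.fromhex("020000000001"), SENDER, b"x")
    return {
        "clean": assess(good),
        "dribble bits": assess(good + "101"),
        "noise": assess(flip_bit(good, 200)),
        "noise + dribble": assess(flip_bit(good, 200) + "101"),
        "fragment": assess(good[:160]),
        "other station": assess(to_wire_bits(other)),
        "broadcast": assess(to_wire_bits(build_frame(BROADCAST, SENDER, b"x"))),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:16} {verdict}")
```

Dribble bits on an otherwise intact frame are dropped silently, so an alignment error in a capture always means the CRC failed as well.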

Page 152: Ethernet Network Analysis and Troubleshooting

Section 3 TNV-202-GUI Ethernet Network Analysis and Troubleshooting

Page 3 - 12

Slide Title: Assessment Of Received Frames

Important Points to Cover: Cover well.

A similar diagram is in the Full Duplex section.

Page 153: Ethernet Network Analysis and Troubleshooting


Repeaters

• A repeater is a physical layer device that extends the network length and topology by regenerating and retiming the signal one bit at a time
• A repeater repeats every signal that comes in on one port onto every other port. A repeater does not isolate traffic or collisions
• A repeater is transparent to other stations on the network. A repeater is not addressable. It does not store and forward data
• A 10BASE-T hub acts as a multiport repeater

[Diagrams: Repeater (AUI, 10BASE2, 10BASE5); Multiport Repeater (AUI, 10BASE5); 10BASE-T Hub or Concentrator (ports 1 to 6)]

A repeater can cause more collisions, since a collision signal is propagated out all ports.

Hubs managed through SNMP have an IP address assigned to the interface that communicates with the management application. This address is NOT used in frame regeneration.

Page 154: Ethernet Network Analysis and Troubleshooting

Section 3 TNV-202-GUI Ethernet Network Analysis and Troubleshooting

Page 3 - 13

Slide Title: Repeaters

Important Points to Cover: Repeaters are required to quickly forward data from one port onto all others.

A repeater doesn’t isolate collisions, it propagates them.

A hub graphic has been added to the slide.

Page 155: Ethernet Network Analysis and Troubleshooting


Repeaters are Responsible For:

• Preamble Regeneration
  – Remove preamble from received frame and regenerate it on sending frame
• Data Repeat
  – Repeat all signals received on one segment to all other segments attached to the repeater
• Signal Amplification
  – Ensure the amplitude of signals is correct
• Signal Retiming
  – Ensure encoded data output is within jitter tolerances
• Fragment Extension
  – Extend repeated signal if less than 96 bits (including preamble)

Preamble: 8 bytes of 1010101...10101011 at the beginning of each Ethernet frame. The preamble is discussed in more detail in the data link layer section. A repeater uses the preamble to sync up to bits, just like any station does. Some bits may be lost, in which case the repeater regenerates a new preamble.

If a repeater receives a little fragment (runt) frame that is less than 32 bits plus preamble, the repeater will extend the bits to at least 96 bits. This ensures that the signal meets the next repeater while the repeater is still transmitting, so that the attached segments are “busied out” for the duration of the original collision.

Page 156: Ethernet Network Analysis and Troubleshooting

Section 3 TNV-202-GUI Ethernet Network Analysis and Troubleshooting

Page 3 - 14

Slide Title: Repeaters Are Responsible For:

Important Points to Cover: Repeaters do not repeat preamble. They create a new preamble.

When they see the “11” indicating the end of preamble, they go into repeat mode.

Repeaters jam out all ports on detection of a collision.

They are the only devices for which IEEE has defined a jam pattern (documented in the student notes).

Page 157: Ethernet Network Analysis and Troubleshooting


10BASE-T Ethernet Cabling

• Media = .4 to .6 mm diameter (26 to 22 AWG) unshielded wire in a multi-pair cable
• Maximum distance from hub to transceiver = 100 meters
• A hierarchical star topology is allowed, with up to four levels of concentrators

[Diagram: concentrator or hub with RJ-45 jacks; UTP, 100 meters max, to an internal transceiver on the NIC with RJ-45 jack; older implementations use an external transceiver with RJ-45 jack and AUI cable]

Telephone wire meets the requirements because it is usually unshielded twisted-pair cable composed of .5 mm (24 AWG) twisted pairs. When unshielded twisted pair cabling is used, you must be concerned with electromagnetic and radio interference, as well as cross-talk. Cross-talk is caused by excessive coupling of signals from one line to another, due to the geometry of the twist. Use a cable scanner to test for cross-talk.

The 10BASE-T specification states that any two stations communicating cannot traverse more than four hubs. This follows the four repeater rule contained in the IEEE 802.3 specification. Each hub contains repeater functionality.

The limit of 100 meters is for the worst case of 11.5 dB of signal attenuation. Many manufacturers now use transceiver chips that drive typically from 125 meters to 200 meters (626 feet). However, the moment you attach a hub with these cable lengths to another hub, overall propagation delay comes into play. If you're using a standalone hub AND your new and improved TDR says all of the requirements for segment signal conformance are being met, you don't have to worry about using the longer UTP cable.

Page 158: Ethernet Network Analysis and Troubleshooting

Section 3 TNV-202-GUI Ethernet Network Analysis and Troubleshooting

Page 3 - 15

Slide Title: 10BASE-T Ethernet Cabling

Important Points to Cover: Hubs are repeaters.

Cover the cable distance specifications.

Page 159: Ethernet Network Analysis and Troubleshooting


10/100Base-T Frame Transmission

• A group of multiport repeaters
• Signal received off of a port is repeated onto the backplane, then flooded out all other ports

[Animated diagram: 10/100Base-T hub or concentrator with workstations and file servers attached; the inbound signal from the transmitting station is flooded out to all other ports]

Concentrators (hubs) are the equivalent of a bus in a box and function like multiport repeaters. A signal received from a transmitting station is repeated onto the backplane and then repeated (flooded) out all other ports. Hubs and repeaters do not repeat preamble. They regenerate a new one. When the end of preamble is reached, repeaters then go into repeat mode. Fragments are extended to the minimum of 96 bits. Concentrators (hubs) do not segment collision domains. Upon detection of a collision, hubs jam out all ports.

Repeaters are the only devices that have an IEEE-specified jam pattern. The first 62 bits (of 96) must be 10101010...etc.

The concentrator may partition any port with 32 consecutive collisions. Unmanaged hubs will re-enable the port upon receipt of any good data frame. Managed hubs tend to require that the administrator re-enable the port through the elemental manager.

Page 160: Ethernet Network Analysis and Troubleshooting

Section 3 TNV-202-GUI Ethernet Network Analysis and Troubleshooting

Page 3 - 16

Slide Title: 10/100Base-T Frame Transmission

Important Points to Cover: Note the addition of 100Base info here.

This is an automated build slide showing the signal propagation.

It’s still a bus with the backplane propagating the signal everywhere.

Page 161: Ethernet Network Analysis and Troubleshooting


The Hierarchy of Ethernet Hubs

Simple, low-cost Desktop Hubs
• Standalone hubs typically support 8-16 ports
• Some larger multi-slot hubs support from 4-12 “line cards,” each containing 12-24 ports, for a total of about 288 physical ports
• All users are connected to same backplane, hence the same LAN
• 10/100 Autosensing

Workgroup Hubs
• The need for autonomous work groups requires backplane segmentation of larger hubs
• Hub backplanes are physically separated into 2 or 3 or 4 different Ethernet segments
• 10/100 Autosensing

Interconnection of these separate LANs is accomplished by the inclusion of bridge-on-a-card or router-on-a-card modules to one of the segmented LANs. Standalone bridges and routers are also used, but the trend is toward space-conserving configurations. Some vendors offer tiny “micro” bridges to connect one Ethernet to another. All networking components reside within the hub or networking platform, which makes them ideal for locked wiring closets.

Workgroup hubs typically have an element manager that will support both in-band (Telnet via TCP/IP on Ethernet) and out-of-band (RS232 for modems) access. These element managers provide physical level data about the health of the LAN and can send SNMP “traps” to, or respond to SNMP polls from integrated network management systems or “umbrella” managers. Some hubs are equipped with redundant hot-standby power supplies for maximum up-time. Power supply or line card “swaps” can be performed during off-peak times.

The reality: although hubs have evolved into the heterogeneous networking platform, they have also become the single point-of-failure for many workgroups.

Page 162: Ethernet Network Analysis and Troubleshooting

Section 3 TNV-202-GUI Ethernet Network Analysis and Troubleshooting

Page 3 - 17

Slide Title: The Hierarchy of Ethernet Hubs

Important Points to Cover: Student notes and slide are adequate.

The names of the hubs have changed to reflect how they are marketed today.

Page 163: Ethernet Network Analysis and Troubleshooting


Backbone Hubs

• Multiple “flavors” of backbone hubs proliferate today. Some offer dedicated functions, while others offer add-in functionality via line cards like:
  – Multiple media Ethernet segments: AUI, BNC, 10/100BASE-T, FOIRL
  – Multiple media Token Ring segments: STP, UTP, fiber repeaters
  – Multiport local and remote bridges with FDDI backbone interfaces
  – Multiport, multi-protocol local and remote routers
  – Ethernet packet switches. These are discussed in more detail later
  – LAT and TCP/IP terminal servers for RS232-based devices
  – X.25 gateways, SNA gateways
  – Novell NetWare file servers
  – Etc. The list continues to grow

SNMP Management applications are used to control these sophisticated hubs. Many offer click and drag operations to logically move stations.

SNMP agents collect port, backplane and other statistics. The management stations periodically poll the devices for the statistics. Data is collected and reports are generated to track the health of the device and network.

Page 164: Ethernet Network Analysis and Troubleshooting

Section 3 TNV-202-GUI Ethernet Network Analysis and Troubleshooting

Page 3 - 18

Slide Title: Backbone Hubs

Important Points to Cover: Student notes and slide are adequate.

Page 165: Ethernet Network Analysis and Troubleshooting


Link Test Pulse

• Many transceivers and hub ports feature a Link LED (usually green in color) that provides a confidence check of wire pair integrity
• A pulse is transmitted on one end’s transmit pair to the other end’s receive pair every 201 µs. The pulse is unique and will not be mistaken for a data frame or a collision
• It provides status of the hub’s transmit wire pair to the node’s receive wire pair (node Link LED), and the node’s transmit pair to the hub’s receive pair (hub Link LED)
• An illuminated Link LED is not a guarantee that the wire pair is polarized or phased correctly (TX+ to RX+, TX- to RX-) or that the wire pair is twisted together end-to-end (pin 3 twisted with pin 6, for example: orange/white wire twisted with white/orange wire)

[Diagram: NIC and hub port, each with TX, RX, COL and LINK LEDs; TX at each end is wired to RX at the other]

10 Mbps link test pulses are 100 nanoseconds (100 nanoseconds = 0.1 microseconds = 1 bit time) in size, and are transmitted every 201 microseconds. Unless there is a regular link test pulse, data is not transferred from the wire to the receiver, or from the transmitter to the wire.

Polarization or phase is the correct match of TX+ to RX+ instead of TX+ to RX-. Some early 10BASE-T products did not incorporate auto-polarity and auto-phase matching capabilities. The wires connecting these devices must be oriented correctly. Subsequent products do incorporate these features.

100BASE-T Link Integrity pulses are sent continuously on the T4 primary transmit pair about 1 ms apart. Failure to detect these pulses generates an error.

Page 166: Ethernet Network Analysis and Troubleshooting

Section 3 TNV-202-GUI Ethernet Network Analysis and Troubleshooting

Page 3 - 19

Slide Title: Link Test Pulse

Important Points to Cover: The link pulse test does not check for correct phasing of the signal. It is simply a continuity test.

If the pulse is not there, the devices will not communicate.

We are going to be doing some comparisons of these link pulses as we discuss Fast and Gigabit Ethernet.

The characteristics of the 10 Mbps link pulses are important to mention here:
• One pulse
• Evenly spaced at 201 microseconds

Page 167: Ethernet Network Analysis and Troubleshooting


10BASE-T Ethernet Pinouts

Contact   Wire            Signal       X-over
1         white/orange    Transmit +   3 white/orange
2         orange/white    Transmit -   6 orange/white
3         white/green     Receive +    1 white/green
4                         Not used
5                         Not used
6         green/white     Receive -    2 green/white
7                         Not used
8                         Not used

[Diagram: jack at NIC and RJ-45 plug, contacts numbered 1 to 8]

The 8-pin connector is used as the mechanical interface to the twisted pair cable. The connector is used on the hub as well as the NIC. Typically the NIC connects to a wall outlet using a twisted pair patch cord. Wall outlets connect through building wiring and a cross-connect function to the repeater hub. The cross connect (or crossover) function connects the transmitter at one end of the twisted pair link to the receiver at the other end of the twisted pair link. The cross connect can be built into the receiving end.

There are two pairs used for each station attachment. Two wires (one pair) are used to receive data from the hub to which it is attached. The second pair is used to transmit data to the hub. Normally a light on the hub indicates the pair from the station to the hub are attached correctly (this is the TX+ and TX- from the station to the RX+ and RX- on the hub). A light (Link LED) on the card indicates the pair from the hub to the station are correct (this is the TX+ and TX- from the hub to the RX+ and RX- on the station).

Most 10 and 100 Mbps twisted-pair Ethernet is still half duplex: a station is either transmitting or receiving, not both.

Page 168: Ethernet Network Analysis and Troubleshooting

Section 3 TNV-202-GUI Ethernet Network Analysis and Troubleshooting

Page 3 - 20

Slide Title: 10BASE-T Ethernet Pinouts

Important Points to Cover: Ethernet hubs used to require correct phasing. You could not get away with reversing the leads.

Most hubs today will auto-sense and compensate if the polarity is reversed.

Pins 4 and 5 are not used. They were reserved for tip and ring.

Pins 7 and 8 were used in the old days for a second line or to power a phone with auxiliary features.

Page 169: Ethernet Network Analysis and Troubleshooting


Which Wires are Paired at the Jack/Plug?

• If you suspect noise is damaging data to a station, check to see if the receive pair has been “split out”
• If the receive pair is not twisted together, the wires will not be mutually affected by the same noise, thus Common Mode Rejection will not be effective

Wire #   568A wiring standard   568B wiring standard
1        white/green            white/orange
2        green                  orange
3        white/orange           white/green
4        blue                   blue
5        white/blue             white/blue
6        orange                 green
7        white/brown            white/brown
8        brown                  brown

[Diagram: pair numbering at the jack for each standard, with the T+, T-, R+ and R- positions for Ethernet (802.3) and Token Ring (802.5)]

How will you know if noise is affecting data to a station? For one thing, you will see lots of CRC errors on the Sniffer with that station as the destination address. There will also be various other errors (especially retransmissions) associated with the station.

The EIA/TIA 568 wiring standards shown above are somewhat different from the widely used “USOC” wiring scheme (not shown) for telephone signals. Because of the wire-pair layouts, a 568 link can be used for voice signals; however, USOC wiring is not properly paired for Ethernet signals.

EIA/TIA 568 standards specify an 8-pin connector (RJ-45), pinned out in one of the two options--568A or 568B--shown above. Today’s connecting hardware is color-coded to match the wires, and modern cable testers can quickly determine if the link is capable of carrying a 10 or 100 Megabit Ethernet signal.

Page 170: Ethernet Network Analysis and Troubleshooting

Section 3 TNV-202-GUI Ethernet Network Analysis and Troubleshooting

Page 3 - 21

Slide Title: Which Wires are Paired at the Jack/Plug?

Important Points to Cover: 10BASE-T requires the transmit leads and the receive leads to be discrete pairs.

It does not matter how your plant is cabled, but you need to know so that the pairing can be maintained.

10BASE-T will not work if the pairs are not maintained.

Page 171: Ethernet Network Analysis and Troubleshooting


Common Mode Rejection (CMR)

• For CMR to function properly, a pair of wires needs to be twisted around each other
• CMR uses the voltage differences between each signal (TX+) and its mirror image (TX-) to determine the logic state of each bit. (The differential voltage is typically either 5v or 0v)
• Voltage spikes, when they occur, will induce themselves onto the wire pair but the difference in voltage (5v or 0v) will remain the same
• CMR is not perfect, as excessive electrical “noise” may defeat the cancellation process and destroy the transceivers at the hub and the node

[Diagram: signal waveforms on the TX+/TX- and RX+/RX- wires, each swinging between +2.5v, 0 volts and -2.5v]

For Common Mode Rejection (balanced signaling, or longitudinal voltages) to work properly, the signal and its reference need to be subject to the same interference. For the signals to be subject to the same interference, they are treated as a pair and mutually twisted. There are several different schemes of pairings. Unshielded twisted pair wiring that is correct for Ethernet may not be correct for telephony, or wire that is correct for Token Ring may not be correct for Ethernet.

Observe standard wiring guidelines such as NOT routing UTP over fluorescent lights, near high-voltage or high-current sources, etc.

The diagram above depicts the hex pattern of 6E, which Intel uses as the cable test pattern.

Page 172: Ethernet Network Analysis and Troubleshooting

Section 3 TNV-202-GUI Ethernet Network Analysis and Troubleshooting

Page 3 - 22

Slide Title: Common Mode Rejection (CMR)

Important Points to Cover: This is what allows 10BASE-T to work.

The important concept is that you want the same amount of noise on the receive minus wire as the noise on the receive plus wire.

Equal noise maintains the relationship of the signal and can be filtered out so that the chips can still determine a one from a zero.

When wires are not twisted together and noise hits, the relationship is not constant and common mode rejection doesn’t work.

Page 173: Ethernet Network Analysis and Troubleshooting


Cabling Installations

[Diagram: cable run from the NIC card connection through the wall plate, punch down block and patch panels to a port, with the connection points numbered 1 to 10]

Beware of too many connections. Each one contributes to signal attenuation and represents a potential failure point

The diagram above can apply to Ethernet or Token Ring. The connections in the diagram are:
 1) PC NIC and UTP patch cord
 2) UTP patch cord and wall plate
 3) Wall plate and UTP cable
 4) UTP cable and punchdown block. Punch down blocks include BIX 1A, Telco 66, and/or AT&T MT 110 (for level 5)
 5) Punchdown block and 25-pair cable
 6) 25-pair cable and first patch panel
 7) First patch panel and UTP patch cord
 8) UTP patch cord and second patch panel
 9) Second patch panel and 25-pair cable
10) 25-pair cable and interface module

This cabling diagram may be simplified in most locations. The shaded area from points 4-9 is the equivalent of a harmonica, a device in common usage in many installations.

Page 174: Ethernet Network Analysis and Troubleshooting

Section 3 TNV-202-GUI Ethernet Network Analysis and Troubleshooting

Page 3 - 23

Slide Title: Cabling Installations

Important Points to Cover: This cabling diagram does not represent the ideal, but rather is an example of how things should NOT be done. Unfortunately, this is the cabling found in some environments.

Each mechanical connection induces loss and an opportunity for a failure point.

This cabling diagram represents the way things were done in the past -- to meet category 3 standards. Most new installations DO NOT install wiring this way.

New installations wire the network to category 5 specifications. An example would be to connect the wallplate (3) to the back of the patch panel (8). Cross connects are made directly to the hub.

Page 175: Ethernet Network Analysis and Troubleshooting


Hub-to-Hub Connections

• Hubs typically cross internally over the transmit and receive pairs from the nodes
• Hub-to-hub connections must be “crossed over” so that the transmit pair of one hub’s port goes to the receive pair of the other hub’s port and vice-versa
• This can be done with a “crossover cable,” or at the punchdown block, or via an “MDI-X” port that internally crosses the pairs

[Diagram: crossover wiring between pins 1, 2, 3 and 6 of two hub ports, with TX+/TX- on one port connected to RX+/RX- on the other]

Some manufacturers do not support hubs being connected via node ports. Some of these manufacturers are circumventing the IEEE rules by using special connections for hub-to-hub connections, and advertise themselves as half-hop hubs, that may be cascaded further (to more hops) than the IEEE rules allow, using the special connections, and no crossovers.

Some hub manufacturers are now offering proprietary higher speed synchronous links between THEIR hubs. Other manufacturers have developed Full Duplex Ethernet hubs.

MDI-X should only be enabled on one end.

Page 176: Ethernet Network Analysis and Troubleshooting

Section 3 TNV-202-GUI Ethernet Network Analysis and Troubleshooting

Page 3 - 24

Slide Title: Hub-to-Hub Connections

Important Points to Cover: Student notes and slide are adequate.

Page 177: Ethernet Network Analysis and Troubleshooting


Timing Specifications

Page 178: Ethernet Network Analysis and Troubleshooting

Section 3 TNV-202-GUI Ethernet Network Analysis and Troubleshooting

Page 3 - 25

Slide Title: Timing Specifications

Important Points to Cover: Title slide only.

Page 179: Ethernet Network Analysis and Troubleshooting


Collision Domain

[Animated diagram: segments joined by repeaters. Captions, in order:]

A transmission on this segment...

...is propagated through repeaters all the way to all segments!

...and news of a problem, if any, must propagate all the way back, while the original station is still transmitting

A "collision domain" is defined as the physical area within which a collision is propagated. Repeaters propagate everything, even bad frames.

Page 180: Ethernet Network Analysis and Troubleshooting

Section 3 TNV-202-GUI Ethernet Network Analysis and Troubleshooting

Page 3 - 26

Slide Title: Collision Domain

Important Points to Cover: This is an automated build slide.

This slide was updated to show repeaters (hubs) instead of coax cable. The rule still applies, whether we’re using thick, thin or twisted pair as long as the media is shared.

Extremely important concept.

All equipment (old and new) must follow this rule.

All timing specifications are based on the collision domain.

The round-trip time for the worst-case scenario must be less than the time to transmit the minimum-sized frame, since the card only listens while it is transmitting.

Cable lengths, repeater rules and propagation delay all must reach this target.

Page 181: Ethernet Network Analysis and Troubleshooting


Ethernet Signal Propagation Speed

• Determination of the maximum topology and minimum frame size depends on information about the speed that data travels
• Data travels at less than the speed of light (c)
• c = speed of light in a vacuum = 300,000 kilometers per second (approximately 1 foot per nanosecond)
• Thick Coax Cable: Signal travels at .77c (231,000 km/sec)
• Thin Coax Cable: Signal travels at .65c (195,000 km/sec)
• Twisted Pair Cable: Signal travels at .59c (177,000 km/sec)
• Fiber Cable: Signal travels at .66c (198,000 km/sec)
• AUI Cable: Signal travels at .65c (195,000 km/sec)

It’s important to be aware of this information (though not memorize the numbers) to gain an understanding of the maximum Ethernet topology and the minimum Ethernet frame size.

Twisted pair cable is the slowest data mover. We must be concerned about over-extending the network length, which will exceed the propagation budget, and contribute to late collisions, which in turn results in extremely slow response to most network users.

Page 182: Ethernet Network Analysis and Troubleshooting

Section 3 TNV-202-GUI Ethernet Network Analysis and Troubleshooting

Page 3 - 27

Slide Title: Ethernet Signal Propagation Speed

Important Points to Cover: This is a lead-in to the next slide.

This information comes from the 802.3 spec.

It is an auto build slide.

Page 183: Ethernet Network Analysis and Troubleshooting


So, How Long is a Bit?

For thick Ethernet, the basis of the specification:
• 231,000 km/sec divided by 10 million bits per second = 23.1 meters
• A bit occupies 23.1 meters on thick Ethernet, slightly fewer meters for thin and twisted pair Ethernet
• An extension of 32 bits would cause an additional 32 x 23.1 meters or 739 meters to be busy, which makes it possible to busy out a maximum size Ethernet segment
• This explains why a repeater extends a fragment frame by at least 32 bits. It also explains the 32 bit jam added to a collision frame

For 10Base-T:
• 177,000 km/sec ÷ 10 million bits per second = 17.7 meters
• 32 x 17.7 meters = 566.4 meters are busy on jam, easily exceeding the maximum length between end devices

This information is used to determine where a collision can reasonably be expected to occur in a worst case scenario in your specific network. Collisions that occur past this point are the result of defective hardware somewhere in the network. For example: If your maximum latency is 300 meters (includes delay in hubs and all equipment), would you expect to see a collision 20 bytes into the frame?

On thick Ethernet, 1 bit = 23 meters. 300 meters total. 300 divided by 23 = approx. 13 bits. Multiply by 2 for the round trip. A collision in a network with latency equivalent to 300 meters should never occur past bit number 26. You should not see a collision past the preamble.

[(300 / 23) = 13] x 2 = 26 bits.

(This information is taken from the 1992 edition of the 802.3 specification.)

On twisted pair Ethernet, the maximum cable length from hub port to transceiver is 100 meters (200 meters from end device to end device).

[(200 / 17.7) = 11.3] x 2 = ~23 bits.

In twisted pair, then, a collision should never occur beyond bit number 23, still within the preamble.

Page 184: Ethernet Network Analysis and Troubleshooting

Section 3 TNV-202-GUI Ethernet Network Analysis and Troubleshooting

Page 3 - 28

Slide Title: So, How Long is a Bit?

Important Points to Cover: Our favorite slide. (Lightbulb goes on.)

The pictures you see of a tiny frame on a big network are all wrong.

The frame quickly envelops the entire cable segment, thus collisions are much more rare than you have been led to believe.

Page 185: Ethernet Network Analysis and Troubleshooting


Historical IEEE 802.3 Maximum Topology (5-4-3 Rule)

• The maximum transmission path permitted between any two stations is five segments and four repeater sets

• Of the five segments, a maximum of three may be coax segments; the remainder are link segments

• A coax segment is a cable terminated at both ends in its characteristic impedance, with a maximum end-to-end propagation delay of 2165 ns for 10BASE5 and 950 ns for 10BASE2

• A point-to-point link segment is a non-coax segment, terminated in a repeater set at each end, with a maximum end-to-end propagation delay of 2570 ns. A 10BASE-T connection between a hub and station is also considered a point-to-point link

• If there are no link segments on a transmission path, there may be a maximum of three coax segments on that path given current repeater technology.

[Figure: Station 1 and Station 2 connected through Segments 1 to 5 and Repeater Sets 1 to 4]

This information is taken from the 1992 edition of the 802.3 specification.

Maximum end-to-end propagation delay is derived by dividing the maximum length by the speed. See previous page for speed.

For thick coax, this is 500 m divided by 231,000 km/sec = 2165 nanoseconds.

For thin coax, this is 185 meters divided by 195,000 km/sec = 950 nanoseconds.

Each tap and each device adds additional delay, so the total network must not introduce more than 51.2 microseconds of delay.

Even though these rules are specified for coax cable, the 5-4-3 rule still applies to the newer fast technologies. Cable lengths are modified and delay characteristics are calculated to obtain the maximum topology rules.


Slide Title: Historical IEEE 802.3 Maximum Topology (5-4-3 Rule)

Important Points to Cover: These rules are derived from the collision domain concept.

They are taken directly from the IEEE specs that have been in place for many, many years.

The slide is a lead-in to the new concept of transmission models explained on the next pages.

Explain the 5-4-3 rule so they understand it fully.

The newer transmission models 1 and 2 slides have been moved to the Optional Technologies section since most people are not using equipment where it is important. You can still go there to show them if you think a student needs them for clarification.


Minimum Frame Length Determination

• The minimum length for an Ethernet frame is 64 bytes or 512 bits. This is based on the round-trip propagation delay on a frame for the worst-case scenario

• Station 1 transmits to adjacent Station 2 on Segment 1

• Station 3 just misses hearing Station 1’s transmission and also transmits. Station 3’s transmission collides with Station 1’s transmission

• The damaged frame travels back down the network to inform Station 1 that a collision has occurred. This takes approximately 50 microseconds or 500 bit times

• The minimum frame length is defined such that the:
– Message from Station 1 is long enough so that Station 1 is still sending when the collision is detected
– The resulting runt message from Station 1 is short enough such that Station 2 (the receiver) can throw out the message on the basis of it being too short (less than 64 bytes)

[Figure: Stations 1, 2 and 3 on a path of Segments 1 to 5 and Repeater Sets 1 to 4]

The node needs to know it had a collision, so the damaged frame can be re-sent at the MAC level. Retransmitting at the MAC level is very fast: within microseconds. A retransmission at the LLC level takes a few milliseconds. A retransmission at upper-layers can take a few seconds per frame.


Slide Title: Minimum Frame Length Determination

Important Points to Cover: These rules are derived from the collision domain concept.


So How Does this Apply to TP?

The frames must be long enough so that stations 1 and 5 are still transmitting when the collision signal gets back to them

Count the repeaters between the furthest end stations to ensure you have not broken the 5-4-3 rule

[Figure: stations 1 to 5 connected through repeaters (hubs or concentrators) R1 to R4. Callout: "Populating one of these repeaters would break the rule"]

A "collision domain" is defined as the physical area within which a collision is propagated. Repeaters propagate everything, even bad frames.


Slide Title: So How Does This Apply to TP?

Important Points to Cover: New Slide.

Automated build slide.

Shown to emphasize that hubs / concentrators must follow the 5-4-3 rule. It’s easy to inadvertently break the rule when you have them all stacked in racks in a wiring closet.

Perhaps they should label the devices so unused ports are not used incorrectly.


Is this a Valid Application of 5-4-3?

[Figure: six cascaded ACME 10BASE-T Concentrators]


Slide Title: Is This a Valid Application of 5-4-3 with 10BASE-T?

Important Points to Cover: Yes. This is a 10BASE-T network with a 3-level cascade. The topmost concentrator serves as the “backbone” to the other hubs. The middle-end hubs are populated, whereas the middle-center hub is not: it is a link segment to the two lower populated hubs. Note that no frame needs to traverse more than 5 segments or 4 repeaters (hubs) to its destination.

This is the recommended configuration by the 10BASE-T vendor SMC. Follow the path of every station to ensure that it obeys the 5-4-3 rule.

The development of the 5-4-3 rule can be summarized as follows.

(1) The length of any given segment of a network is limited by the electrical and physical properties of the cable type employed. The primary characteristic is the rate of attenuation over a given length of the cable. For example, for thick coax, 500 meters is considered to be the maximum length over which we can transmit a signal while ensuring that the signal does not attenuate or otherwise degrade to the point of being unacceptable to a receiver.

(2) Based on section 13.4.2 of the 802.3 specification, the number of repeaters that can be used is limited by the potential for shrinkage of the interframe gap. If the interframe gap is reduced, the potential for misinterpretation of frames increases. Shrinkage of the gap will likely prevent receiving network interfaces from having sufficient time to perform housekeeping functions such as posting interrupts, managing the buffer, and updating statistical counters, etc. Specifically the IEEE specifications say, "The worst-case variabilities of transmission elements in the network plus some of the signal reconstruction facilities required in the 10 Mbps baseband repeated specification combine in such a way that the gap between two packets travelling across the network may be reduced below the interframe gap specified in section 4.4.2.1. This parameter limits the equipment (i.e. number of repeaters) between any two DTEs."

(3) Knowing the facts as given in (1) and (2) above, we can now see how the minimum frame length of 64 bytes was calculated. We have segments of 500 m due to the signal characteristics of the cable. We can have a maximum of 4 repeaters and, therefore, 5 segments between any two stations. This creates a maximum topology as described in the text. Then, knowing that we must guarantee collision detection while the stations participating in the collision are still transmitting, we must specify a minimum frame length of 64 bytes due to the inherent normal propagation delay of the maximum topology size described above.


Exercise: Cable Specifications

Turn to the lab section to complete this exercise. Use the diagram on the next page as a reference to the network layout


Slide Title: Exercise: Cable Specifications

Important Points to Cover: Use the instructor notes in the back of the instructor manual to review the exercise.

Go over the diagram on the next page before they begin.


Exercise: Cable Specifications

[Figure: Network Diagram. Labels: Node 1 (WstDig178C4), Node 2 (WstDig96EC2), Node 3, Sniffer, Hub 1 to Hub 6, Bridge, File Server COFFEE.1, WstDigFF965F. Cable types: UTP, Thin Ethernet RG58 coax, ?? coax. One run is marked 50 meters]


Slide Title: Exercise: Cable Specifications-network diagram

Important Points to Cover: Review the network configuration.

Note that the picture is not complete. For example, there probably were other stations on the thin Ethernet. The Sniffer analyzer was connected somewhere near the end of the thin Ethernet. (Otherwise the Sniffer technician probably would have noticed the ARCNET cable!?!) We don’t know exactly what was on the other side of the bridge shown on the left.

Originally the Sniffer analyzer was placed at the end of the topology and saw no errors. In the actual trace, the Sniffer analyzer was placed at the junction and saw errors. The node was moved to the end of the topology and worked without incident.

Client addresses in the trace all exist off of the Concentrator with the Server Coffee.1

Since the transmission model slides were moved to the back, you will probably not cover this with the class. The calculations are left here just in case you need them.

To calculate the PVV, we calculate from right to left:

8+8+8+8+8+16 = 56
This does not exceed the delay, but it is higher than the 49 PVV allowed in Model 2.

[Figure: schematic of the path with six hubs (H), nodes (N), bridge (B), file server (FS) and Sniffer (S); 50 meters]


Degree of Degradation

• Ethernet retransmission occurs, typically, within a few hundred microseconds

• Type II LLC retransmissions may occur within milliseconds

• Transport layer retransmissions may occur within seconds

• Application layer retransmissions may occur within tens of seconds

• User programs may wait minutes before timing out

• Conclusion: The higher the layer responsible for retransmission, the longer the user has to wait


Slide Title: Degree of Degradation

Important Points to Cover: Important concept.

Physical layer recovery is fast.

Each layer higher takes more time to recover from an error.


Retransmissions: MAC Layer vs. Application Layer

943: NFS request.
944: Unanswered request (943) is retransmitted 0.7 s later.
945: Unanswered request (944) is retransmitted 3 s later.
946: Frame 945 is collided and is retransmitted 0.2 ms later.
947: Frame 946 is collided and is retransmitted 0.3 ms later.
948: Frame 947 is collided and is retransmitted 0.2 ms later.
949: Frame 948 is collided and is retransmitted 2.6 ms later.
950: Frame 949 is collided and is retransmitted 24.2 ms later.
951: Frame 950 is collided and is retransmitted 11.4 ms later.
952: Frame 951 is collided and is retransmitted 50 ms later.
953: Unanswered request (952) is retransmitted 12.3 s later.
954: Frame 953 is collided and is retransmitted 0.3 ms later.
955: pc150 times out after request is unanswered and ARPs for natco-4 26.9 s later.

Trace file FRAGS.ENC.

Note that all frames with a CRC flag are actually collided. At the time that the trace was taken, Network Associates was using an adapter which was incapable of counting or flagging frames as collided.

The client NFS request to look up the file wp50 in the directory handle E71D is retransmitted four times without answer for a total of 43.4 seconds before the user application gives up and ARPs to see if its server is still alive.

The Truncated Binary Exponential Backoff Algorithm (progressively larger multiples of the slot time) is demonstrated in frames 945 to 952: the random backoff timer is lengthening until the first good request in frame 952. Once NFS retransmits in frame 953, which is collided, we see the algorithm start over again at the beginning.

The NFS retransmissions occur at 0.7 s, 3 s, 12.2 s, and 26.8 s or so, when the client finally gives up.


Slide Title: MAC Layer vs. Application Layer Retransmissions

Important Points to Cover: Retransmission timer as revealed in the Sniffer Pro analyzer screens.

Demo: FRAGS.CAP

Frames 945-952 show the retransmission timer in action.


Summary

In this section, you learned how to:
• Describe the access method used in Ethernet
• Discuss the responsibilities of the MAC layer
• Differentiate the various types of Physical Layer devices
• Explain the importance of the physical size limitations of the Ethernet networks
• Ensure the physical characteristics of the Physical Layer have not been extended beyond the specifications


Slide Title: Summary

Important Points to Cover: Wrap up the section by reviewing the objectives and answering any questions the students may have.

Target Time: End of Day 1.

Go further if you can, since the stuff that’s coming is what they want to hear.


Troubleshooting Methodologies


Slide Title: Troubleshooting Methodologies, Section 4

Section Timing: Start: Day 2 Beginning of the day
Finish: Day 2 Late morning if possible!

Important Points to Cover: Section 4 title slide only.

Files: 04_tbls_g.PPT 04_tbls_g.DOC

Traces: HUBPORT1.CAP HUBPORT2.CAP BADCABLE.CAP BAD03.CAP FRAGS.CAP 01.CAP 05.CAP 06.CAP 16.CAP 17.CAP 19.CAP 20.CAP Badcrc.cap Badcrc-1.cap 21.CAP (was GIANT.ENC)

Exercises: Hubports
More Problems
Test Your Skill
Errors

Optional - Evaluating Hub Jams
Ethernet Physical Errors

Modifications were made for the new software version. Some answers have changed. Be sure to review them before you teach!

There are too many to do all and have time to cover the newer technologies. Choose those you feel will meet your student’s needs.

Section Objectives

Upon completion of this section, you will be able to:
• Recognize and isolate failures in the network using the Sniffer Pro Network Analyzer
• Examine Monitor Statistics to determine whether there are problems
• Use the Expert symptoms and diagnoses to get the details
• Gather Monitor statistics for trend analysis and baselining


Slide Title: Section Objectives

Important Points to Cover: State the objectives.

This section is just troubleshooting with lots of suggestions and practice.

Capturing Error Frames

• You must use NAI-supported adapters with enhanced drivers to observe and capture physical error frames
– NAI-21140UC
• Adaptec (Cogent) ANA-6911A/TX PCI
• Adaptec (Cogent) ANA-6911A/TXC PCI
– Xircom CBE-10/100 BTX CardBus
– Xircom CBE2-10/100 BTX CardBus


Slide Title: Capturing Error Frames

Important Points to Cover: New Slide.

Use this slide to emphasize they need to use NAI supported cards and drivers in order to capture the error frames.

These cards capture both 10 and 100 Mbps networks.

Analyzing the Ethernet Physical Layer

• Frame Corruption
– Collisions
– Propagation delay
– Reflected signals
– Electrical noise
– Hardware failure

• With any of these problems, users will see decreased performance due to multiple frame retransmissions


Slide Title: Analyzing the Ethernet Physical Layer

Important Points to Cover: Look for evidence of these in the Sniffer Pro analyzer.

Some Guidelines

• More than one bad frame per Mbyte of data deserves attention

• Any unexplained change in the baseline deserves attention

• More than 1% Error Rate deserves attention

The IEEE specifications stipulate that the Bit Error Rate (BER) should not exceed 10^-8 in worst case. A typical LAN 10 Mbps segment should have a BER of 10^-11 or better. This translates to a frame loss rate of 10^-7.


Slide Title: Some Guidelines

Important Points to Cover: These are important guidelines for determining when they need to act.

Be sure to cover these, since these are important CNX numbers they need to know.

CNX guidelines do not allow you to specifically state that this is a CNX concept, however, so do not say this is on the test!

We have met the requirement that it is documented in the course materials.

Fast Transmit Adapters

• Some adapters start transmitting before the entire frame has arrived in their transmit buffer
– If the remainder of the frame has not arrived when the first part is on the wire, it just quits transmitting, leaving the short incomplete frame on the wire
– The adapter waits for carrier to drop and 96 bit times to elapse before it sends the complete frame
– Since it has no CRC, the Sniffer calculates the CRC based on the last 4 bytes and shows a CRC error

• Do not count these incomplete bad CRC frames in the 1 bad frame/MB calculation

[Figure: frame from upper layer entering the transmit buffer; partial frame on the wire (CRC Error!), then complete frame on the wire]

The name depends on the vendor. The adapter may also be called a parallel tasking adapter.


Slide Title: Fast Transmit Adapters

Important Points to Cover: This is a new slide that discusses the effect of “fast transmit” or “parallel tasking” adapters. (They may be known by other vendor-specific names)

It is a build slide that is partially timed and partially relies on mouse clicks.

The slide is pretty self-explanatory and should help you explain away some of the false CRC errors the Sniffer reports.

Troubleshooting Tip

• It is always easier to identify what is wrong if one knows how it is supposed to work

• One recommendation would be to capture an example of “how it looks” when the network is working

• Save the captured data to a file

• When the network stops working, capture another snapshot and compare the working scenario with the non-working scenario

• Then simply identify what is different between the two examples


Slide Title: Troubleshooting Tip

Important Points to Cover: Student notes and slide are adequate.


Divide and Conquer

• All speeds of half-duplex Ethernet are contention-based

• Because of its nature, we are still troubleshooting Ethernet with the “Binary Search” method

• Divide the domain in half. Which half does the problem follow?
– This is still valid for star networks

• We could always use a network map!

[Figure: network domain divided in half, each half labelled "Problem?"]

Some hubs will autopartition devices out of the network that have too many bad CRCs or if they are jabbering.

You can also look at the hub with a solid activity light. That usually indicates problems.


Slide Title: Divide and Conquer

Important Points to Cover: This is an automated build slide.

It’s an old method “tried and true” on bus topology Ethernet.

It still works on star configurations, too. Of course, managed hubs and switches provide a lot of information to the management software, so this may be a last resort technique.

A star configuration should prompt a discussion about hubs and switches.

Be sure to mention the student notes topics, too. A blinking light on the hub/switch is there to remind you to talk about autopartitioning hubs and looking at the lights in the wiring closet for lights that are abnormal. Not all hubs and switches support them, but they need to know which is supported on their equipment and use those clues, too.

Exercise: Hubports

Turn to the lab section to complete this exercise. Use the diagram on the next page for reference


Slide Title: Exercise: Hubports

Important Points to Cover: Use the diagram on the next page to introduce this exercise.


Exercise: Hubports Continued

• The user’s PC was replaced by a Sniffer. The same cable connecting the PC was used

• Another Sniffer is plugged into a known good port. Both Sniffers were capturing simultaneously

Network Diagram (10BASE-T Hub):
Hubport1: known good port
Hubport2: suspect port
NetWare client: Novell~FAA
NetWare file server: 3Com~704
NetWare client: 3Com~F91

1) The network is broadcast-oriented: every node hears everything on thewire, including bad or collided frames.

2) Communication is half-duplex and asynchronous in nature: each node must wait until the wire is quiet before accessing the network.

3) Although the network is physically wired as a star, it is still logically a bus.


Slide Title: Exercise: Hubports Diagram

Important Points to Cover: Give the background information before the students begin the exercise. They may not catch all the clues, but that’s the fun of the exercise.

[Figure: 10BASE-T Hub with the Sniffer analyzer on the suspect port, one NetWare file server and three NetWare clients (labels blank)]


Legal Collisions

• Collision occurs within the first 512 bits (64 bytes) of data

• Preamble collisions have no recoverable frame data

• Typical collisions occur within the first 48 bytes of data

• Sniffer Pro Analyzer needs to see 96 bits to capture the frame, otherwise it just increments the collision counter
– This includes the preamble and the first bytes of the destination address
– 64 bits of Preamble, 32 bits of the destination address

• Networks up to 37% sustained utilization are often very “clean”


Slide Title: Legal Collisions

Important Points to Cover: These collisions are a normal part of Ethernet.

Sniffer adapters:

The Sniffer Network Analyzer uses two basic types of adapters:

Those that can report collisions.

The adapter senses that a collision has occurred and marks the frame with an “x.”

Those that do not report collisions.

Sniffer Pro software uses a “soft collision” counter. If the packet is analyzed and has a CRC error and the last 2 bytes of the packet are 0xAAAA or 0x5555, then the packet is considered to be a soft collision.

Normal Collisions

• Preamble collisions are not captured
• Local coax collisions do not have AAs or 55s in the data
• Remote collisions show AAs and 55s in the data field inserted by the repeater
• They may be labeled collision fragments or runts

Field:  Preamble | D Addr | S Addr | Tp/Ln | Headers | Data   | CRC
Bytes:  8        | 6      | 6      | 2     | varies  | varies | 4

[Figure label on the frame layout: Runts]


Slide Title: Normal Collisions

Important Points to Cover: New slide

Screen shot showing a normal collision. It is labeled as a collision fragment in the Detail window.

This is from 01.CAP


Late Collisions

• On coax, the signal becomes much more negative when the collision occurs. The squelch filter drops this signal, so you see good data then nothing.

• On UTP repeated sections, look for evidence of jam from the repeater after 60₁₀ bytes
– Either aa aa aa aa... or 55 55 55 55 …
– 101010101010 is aa aa aa, 010101010101 is 55 55 55
– 64 byte minimum minus the 4 byte CRC
– 60₁₀ = 3D₁₆

Field:  Preamble | D Addr | S Addr | Tp/Ln | Headers | Data   | CRC
Bytes:  8        | 6      | 6      | 2     | varies  | varies | 4

[Figure label on the frame layout: Late Collisions]


Slide Title: Late Collisions

Important Points to Cover: This is a screen capture that “draws the line” in the hex window to show where the dividing line is between a normal and late collision.

The Expert gives a symptom that indicates when it has seen a collision after the 64th byte when the frame meets certain criteria.

17.cap has a lot of collisions, some are marked as occurring after the 64th byte. There are no AAs or 55s in the hex data, so it was captured on a local coax segment.

Badcrc.cap has a late collision in frame 6 way out at offset 38F, but it must be beyond what the Sniffer uses to call a late collision.

This should help you in teaching them how to determine when the collision was too late.
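The soft collision rule from the Legal Collisions notes and the jam-after-60-bytes test from the Late Collisions slide can be combined into a small frame classifier. This is an added example, not Sniffer Pro's code: the function names, result labels and sample frames are constructed for illustration, and each frame is assumed to start at the destination address with the preamble already stripped.

```python
import struct
import zlib

MIN_FRAME = 64     # bytes, destination address through CRC
LATE_OFFSET = 60   # 64 byte minimum minus the 4 byte CRC


def fcs_ok(frame: bytes) -> bool:
    """True if the last 4 bytes are the CRC-32 of everything before them."""
    if len(frame) < 5:
        return False
    (fcs,) = struct.unpack("<I", frame[-4:])
    return zlib.crc32(frame[:-4]) & 0xFFFFFFFF == fcs


def is_soft_collision(frame: bytes) -> bool:
    """Rule from the notes: CRC error and last 2 bytes 0xAAAA or 0x5555."""
    return not fcs_ok(frame) and frame[-2:] in (b"\xaa\xaa", b"\x55\x55")


def jam_offset(frame: bytes) -> int:
    """Offset at which the trailing run of aa.. or 55.. bytes begins."""
    i = len(frame)
    while i > 0 and frame[i - 1] == frame[-1]:
        i -= 1
    return i


def classify(frame: bytes) -> str:
    if len(frame) >= MIN_FRAME and fcs_ok(frame):
        return "good"
    if is_soft_collision(frame):
        # Repeater jam is present, so the collision was on a remote segment.
        if jam_offset(frame) >= LATE_OFFSET:
            return "late collision"
        return "collision fragment"
    if len(frame) < MIN_FRAME:
        # No jam bytes: a runt, or a fragment from a local coax collision.
        return "runt"
    return "crc error"


def sample_frames() -> dict:
    """Constructed frames, not taken from the course trace files."""
    header = bytes.fromhex("ffffffffffff" "020000000001" "0800")
    body = header + bytes(range(46))                 # 60 bytes before the CRC
    good = body + struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)
    long_body = header + bytes(i % 64 for i in range(200))
    return {
        "good": good,
        "remote_fragment": good[:30] + b"\xaa" * 4,   # jam at offset 30
        "late": long_body[:100] + b"\x55" * 8,        # jam at offset 100
        "local_fragment": good[:30],                  # cut short, no jam
        "bad_fcs": body + b"\x00" * 4,                # full size, wrong CRC
    }


if __name__ == "__main__":
    for name, frame in sample_frames().items():
        print(f"{name:16} {len(frame):4} bytes  {classify(frame)}")
```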


Rogue Nodes or Bad Hubs

• Rogue nodes with “hearing problems” may think the wire is quiet when they send their frame in the middle of someone else’s frame

• Bad hubs can also cause late collisions

• Calculate the math pertaining to network size
– If collisions are occurring well beyond where they should be, suspect a rogue node or bad hub


Slide Title: Rogue Nodes or Bad Hubs

Important Points to Cover: New Slide.

Sniffer recognizes when a collision occurs too late and shows it in the Expert and on the Summary and Detail panels in the decode window.

05.cap and 04.cap both have frames marked as “collision after 64 bytes”.

This slide was suggested by Don Prefontaine. Thanks, Don!


Propagation Delay Problems

• Propagation delay is part of normal communications
– Example: a signal sent from the Moon takes 1.29 seconds to reach Earth

• Excessive propagation delay causes corruption

• Corruption is random
– Size of corrupted frame is random
– Victim (source) is random, but skewed by participation

• Corruption typically occurs before the 64th byte
– This is NOT an absolute rule

• Cause: Cable is too long, or out of spec, or there are too many repeaters or hubs
– The faster technologies have shorter cable specifications and require high quality cables, old legacy cables may have been overlooked and are still in use

FRAGS.ENC shows an example of propagation delay. Filter out the good frames and turn off symptoms. Look at frames 958-964 in the hex panel.


Slide Title: Propagation Delay Problems

Important Points to Cover: Important skill which allows you to know what may have caused the corruption the Sniffer analyzer is showing.


Excessive Propagation Delay

• Users at end of topology may have more problems than other users
• Sniffer Pro Analyzer sees:
  – “Physical errors” symptoms or diagnoses
  – Damaged frames (CRC errors)
  – Only a few runts (many frames will be legal minimum length)
  – Collision counter will be high if cable is too long
    • May not be high if collisions are across a repeater
• Examine frames for “Collision data” visible at end of frame
  – aa aa aa… or 55 55 55...


Page 4 - 16

Slide Title: Excessive Propagation Delay

Important Points to Cover: Important skill which allows you to know what may have caused the corruption the Sniffer analyzer is showing.


Signal Reflection Problems

• These problems occur on all media, but are not seen in UTP frames because the adapter does not see them. They are easy to detect on coax.
• Corruption is non-random
  – Frames are corrupted by their own reflected preamble
• A victim node’s frame will typically be corrupted at the same offset
  – Corruption often occurs prior to the 32nd byte (32₁₀ = 1F₁₆)
  – Collision data may be visible
• If signal reflection is suspected, the best way to examine it is to examine the coax segments with a Time Domain Reflectometer (TDR)

[Diagram: Sniffer Pro; Transmit; +1; CRC errors - collision data]

Signal reflection problems occur everywhere on every medium. They cannot be observed on UTP because, unlike coax, a node cannot “see” the bits it is transmitting. It is simply looking for link pulse to know if the link is still there. It does not do current sensing, voltage sensing, and Manchester encoding detection like it can with coax.

On coax, one pair is used for both transmission and reception. On UTP, one pair is for transmission and the other is for reception. When a node sends bits to a hub, the hub repeats it out all ports except the one it received on. That means that a node cannot see what it is transmitting.

Reflections are also the result of poor termination or no termination. If a hub uplink or switch uplink is not working properly, change the cable to a known good cable and test again. If the UTP cable is flexed too much, it can create a “near open” (resistance too high; exceeds the 110 ohms or 130 ohms of normal termination) that will not pass enough current, thus creating a signal reflection. A TDR will tell you if the cable is good, bad, or ugly.


Page 4 - 17

Slide Title: Signal Reflection Problems

Important Points to Cover: Important skill which allows you to know what may have caused the corruption the Sniffer analyzer is showing.

Important point: This shows up almost exclusively in coax Ethernet, so you can skip it if no one has it anymore.

The diagram is automated.

You may want to discuss some of the things that may show up in the Sniffer’s hex window. Of course, where the Sniffer was attached in relation to the open cable and where the transmitting station is located directly affect it.

There may be reflected preamble in the frame. It is doubtful that you would see any of the destination address folding back.


Electrical Noise Problems

• Users see intermittent disconnections and problems connecting to network services
• Sniffer Pro Analyzer sees:
  – “Physical errors” symptoms or diagnoses
  – Damaged frames resulting in CRC errors
  – The frames are the “right” size but have incorrect data, maybe only one or a few bits got changed
  – Not many more runts or collisions than baseline
• Cause:
  – Radio Frequency Interference (RFI)
  – Electromagnetic Interference (EMI)
  – Poor quality cabling not meant for high speed data transmission

[Diagram: Sniffer Pro; Transmit; +1; CRC errors]


Page 4 - 18

Slide Title: Electrical Noise Problems

Important Points to Cover: Review quickly.

The diagram is automated.


Troubleshooting Electrical Noise

• Corruption is random
• No collision data is visible
  – This is an absolute!
• Noise typically has no effect on frame length
• Worst case scenario:
  – If the damaged frame is greater than 64 bytes, it will appear as a CRC or Alignment in the status field
  – If the damaged frame is less than 64 bytes, it will appear as a Runt or Fragment in the status field
  – Noise disrupts the clock; adapter thinks the frame ended


Page 4 - 19

Slide Title: Troubleshooting Electrical Noise

Important Points to Cover: Student notes and slide are adequate.


Hardware Problems / Issues

• Corruption can look like all the other types of physical errors
• Typical evidence is too many bytes
  – Much more than 8 bytes of corrupted data
    • Corrupted data may resemble preamble sequence of AAs and 55s
• Could be a jabbering transceiver or NIC
  – The 802.3 specification states that a transceiver should contain a self-interrupt capability to inhibit a station from sending for more than 150 milliseconds. The Ethernet V1 and V2 specifications did not have this feature
• A managed hub will autopartition the port out quickly
  – An unmanaged hub waits until it misbehaves for .25 to .75 s
  – The port LED will flash and Sniffer shows chronic errors

A hardware card that is jabbering can jabber with preamble sequence or all ones.


Page 4 - 20

Slide Title: Hardware Problems / Issues

Important Points to Cover: Student notes and slide are adequate.


Jabbering NIC

• Lots of ones or zeros that seem to go on forever


Page 4 - 21

Slide Title: Jabbering NIC

Important Points to Cover: New slide.

Screen shot showing jabber in a frame. This shot was taken from jabtest.enc from HQ engineering. It may have been created, but it meets the Expert’s criteria for jabber as you see on the screens.

Warning: the Jabber.cap file we previously used for jabber may not actually show jabber. The Expert doesn’t label it that way and you will see the same pattern of bits in the frame that was retransmitted and others around it.


Sniffer Pro Physical Error Descriptions

CRC Errors: A legal frame with a CRC error, a frame whose CRC does not agree with the actual bytes received
Short/Runt: A frame that is less than 60 bytes with a good CRC
Soft Collision: A runt frame with a CRC error and one of the following patterns in the last three bytes: 0X5555, 0XAAAA, 0X0D0D, 0X1A1A, 0XA1A1, 0X6868, 0X8989, 0X3434, 0X4343
Alignment: A frame with a dribbling bit set that is larger than 60 bytes with a CRC error or the frame contains a non-integer multiple of 8 bits
Jabber: A frame with a CRC error and size larger than 1514 bytes
Oversize: A frame with a good CRC and size larger than 1514 bytes
Fragment: A frame with a CRC error and size less than 60 bytes


Sniffer Pro Ethernet Error Analysis

| Sniffer Label | Frame Size | Error patterns | Probable Causes |
|---|---|---|---|
| # Collision | 64 bytes or greater | N/A (Truncated) | Representative of late collisions on coaxial media. Frames will be truncated. Causes include propagation delay or faulty hardware. |
| Alignment / # Alignment | <64 bytes / >64 bytes | Look for 8 to 12 bytes of AAAAs or 5555s. If not there, or greater amount, see comments. | Alignment errors with the AA/55 pattern are most often caused by normal collisions on UTP cable. The data pattern is caused by the repeater jam signal. If data length is greater than 64 bytes on any damaged frame, include propagation delay and hardware as causes. If the AA/55 pattern exceeds 12 bytes, a jabbering NIC or repeater is most likely. |
| CRC | >64 bytes | No specific pattern. | Most commonly caused by noise or hardware, especially damaged or improperly installed wiring. |
| Runt | <64 bytes | May contain the AA/55 pattern, usually from 8 – 12 bytes. | Runts have the same causes as Alignments. |
| Fragment | <64 bytes | May contain the AA/55 pattern, usually from 8 – 12 bytes. | Fragments are defined as Runts with an invalid CRC. Handle the same as Alignments. |
| Jabber | May be any size. The pattern is important | Greater than 12 bytes of AAs or 55s. | The cause is hardware, usually a NIC or repeater. |
| Oversize | >1514 bytes | Pattern will include lots of AAs and 55s. | Hardware has failed and is streaming data. Managed hubs may permanently partition node streaming for more than 150ms; unmanaged hubs may not. |
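The two tables above (Physical Error Descriptions and Ethernet Error Analysis) can be read as a decision procedure. The sketch below is an added example, not Sniffer Pro code or part of the course: it labels a frame from its length, CRC result and trailing bytes, then uses the AA/55 run length to suggest a cause. The `CapturedFrame` record, the function names, the sample frames and the handling of runs shorter than 8 bytes are assumptions of this example.

```python
from dataclasses import dataclass

MIN_LEN, MAX_LEN = 60, 1514   # the table's limits (length without the 4-byte CRC)

# Two-byte patterns the table lists for a "Soft Collision".
SOFT_PATTERNS = [bytes.fromhex(p) for p in (
    "5555", "AAAA", "0D0D", "1A1A", "A1A1", "6868", "8989", "3434", "4343")]


@dataclass
class CapturedFrame:
    """Hypothetical record of what a capture adapter reports per frame."""
    data: bytes            # frame bytes, destination address onward, no CRC
    crc_ok: bool           # received CRC matched the bytes
    dribble: bool = False  # dribbling bit / not a whole number of octets


def classify(frame):
    """Label a frame using the Physical Error Descriptions table."""
    n = len(frame.data)
    if n > MAX_LEN:
        return "Oversize" if frame.crc_ok else "Jabber"
    if n < MIN_LEN:
        if frame.crc_ok:
            return "Short/Runt"
        # Assumption: a listed pattern anywhere in the last three bytes counts.
        tail = frame.data[-3:]
        if any(p in tail for p in SOFT_PATTERNS):
            return "Soft Collision"
        return "Fragment"
    if frame.crc_ok:
        return "Good"
    return "Alignment" if frame.dribble else "CRC Error"


def jam_run(data):
    """Longest run of identical 0xAA or 0x55 bytes (the hub jam signature)."""
    best = run = 0
    prev = None
    for b in data:
        if b in (0xAA, 0x55):
            run = run + 1 if b == prev else 1
            best = max(best, run)
        else:
            run = 0
        prev = b
    return best


def probable_cause(frame):
    """Apply the Error Analysis matrix: label plus AA/55 run length -> cause."""
    label = classify(frame)
    if label == "Good":
        return "none"
    run = jam_run(frame.data)
    if label in ("Jabber", "Oversize") or run > 12:
        return "hardware: jabbering NIC or repeater"
    if 8 <= run <= 12:
        if len(frame.data) > 64:
            return "collision jam on a long frame: add propagation delay and hardware"
        return "normal collision (repeater jam)"
    # Assumption: fewer than 8 pattern bytes is treated as "no collision data".
    return "noise or hardware"


# Constructed sample frames (not taken from the course trace files).
SAMPLES = {
    "good":      CapturedFrame(bytes([0x11]) * 64, True),
    "collision": CapturedFrame(bytes([0x11]) * 20 + bytes([0xAA]) * 10, False),
    "late":      CapturedFrame(bytes([0x11]) * 100 + bytes([0x55]) * 12, False),
    "noise":     CapturedFrame(bytes([0x11]) * 200, False),
    "fragment":  CapturedFrame(bytes([0x11]) * 40, False),
    "jabber":    CapturedFrame(bytes([0x55]) * 2000, False),
}


def triage(samples=SAMPLES):
    """Return {sample name: (label, probable cause)}."""
    return {name: (classify(f), probable_cause(f)) for name, f in samples.items()}


if __name__ == "__main__":
    for name, (label, cause) in triage().items():
        print(f"{name:10} {label:15} {cause}")
```
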


Page 4 - 22

Slide Title: Sniffer Pro Ethernet Error Analysis

Important Points to Cover: Review quickly. Do not attempt to read this fine print from the screen.

Have them mark this page for future reference for labs and when they get back to the job.


Exercise: More Problems

Turn to the lab section to complete this exercise


Page 4 - 23

Slide Title: Exercise: More Problems

Important Points to Cover: Tell the students whether to go on to this or wait for you to discuss the previous exercise.


Most Hubs Bit Jam on a Collision

• Per 802.3: If a collision is detected on any of the ports to which the repeater (hub) is transmitting, the repeater transmits a 96 bit Jam, such that the first 62 bits transmitted are a pattern of alternate 1s and 0s.
  – The 96 bits is 12 bytes of 55 or AA, 4 from source collider, 4 from destination collider, and 4 bytes from the hub

[Diagram: Sniffer Pro Analyzer]


Page 4 - 24

Slide Title: Most Hubs Bit Jam on a Collision

Important Points to Cover: When the hub senses a collision, it sends a 96 bit jam out all of the ports.


Hub Jam Signatures

Look for AAAAAAs or 55555555s in the hex window


Page 4 - 25

Slide Title: Hub Jam Sniffer Signatures

Important Points to Cover: New slide.

Two screen captures showing both 5s and As. Both the Summary and Hex windows are shown so you can point out how the Sniffer shows in each panel.

The screen shots are taken from 02.cap and busy-jam.cap.


Analyzing Collisions and Hub Jam

[Diagram labels: Collision; Jam; Repeaters]

1 - A collision occurs here
2 - The hub propagates jam signals out to all devices

Sniffer Pro 1 sees a partial frame with jam bits
Sniffer Pro 2 sees a partial frame with jam bits
Sniffer Pro 3 sees a partial frame with jam bits


Page 4 - 26

Slide Title: Analyzing Collisions and Hub Jam

Important Points to Cover: New slide.

This slide shows what you see in Sniffer screens in a hub-based network.


Frame Type Interoperability Problems

• User sees:
  – Inability to connect to specific network services
• Sniffer Pro Analyzer sees:
  – No more error frames than usual
• Examine frames to see:
  – If the user’s system is using Ethernet frame format and the network service IEEE 802.3 frame format (or vice versa)
  – If the user’s system is using SNAP frame format while the network service is not (or vice versa)
• Cause:
  – Driver software configured incorrectly
  – Some implementations support only Ethernet or only IEEE 802.3

If the network is not experiencing physical layer problems, verify the frame types being used by both communicating parties.
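One way to carry out that check on captured bytes, as an added example that is not part of the course material: identify each frame's encapsulation from the type/length field and the two bytes after it, then list the formats each station uses and intersect them. The function names, the format labels and the sample frames (locally administered MAC addresses) are assumptions of this example.

```python
from collections import defaultdict


def frame_format(frame):
    """Name the encapsulation of a frame that starts at the destination MAC."""
    if len(frame) < 16:
        return "too short"
    type_or_len = int.from_bytes(frame[12:14], "big")
    if type_or_len >= 0x0600:           # 1536 and up is a type field
        return "Ethernet (type field)"
    if type_or_len > 1500:              # 1501..1535 is neither type nor length
        return "undefined"
    first_two = frame[14:16]            # bytes that follow an 802.3 length
    if first_two == b"\xaa\xaa":        # DSAP/SSAP 0xAA: a SNAP header follows
        return "IEEE 802.3 + SNAP"
    if first_two == b"\xff\xff":        # no LLC header at all ("raw" 802.3)
        return "IEEE 802.3 raw"
    return "IEEE 802.3 + 802.2 LLC"


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def formats_by_station(frames):
    """Map each source MAC to the set of frame formats it was seen sending."""
    seen = defaultdict(set)
    for f in frames:
        if len(f) >= 14:
            seen[mac_str(f[6:12])].add(frame_format(f))
    return dict(seen)


def common_formats(frames, mac_a, mac_b):
    """Formats both stations send; an empty set points to a frame type mismatch."""
    seen = formats_by_station(frames)
    return seen.get(mac_a, set()) & seen.get(mac_b, set())


# Constructed sample capture: a client sending type-field frames and a
# service that only sends 802.3 length frames.
CLIENT = bytes.fromhex("020000000001")
SERVER = bytes.fromhex("020000000002")
BCAST = b"\xff" * 6
LEN46 = (46).to_bytes(2, "big")
SAMPLE = [
    BCAST + CLIENT + b"\x81\x37" + bytes(46),                 # type 0x8137
    BCAST + SERVER + LEN46 + b"\xff\xff" + bytes(44),         # raw 802.3
    CLIENT + SERVER + LEN46 + b"\xaa\xaa\x03" + bytes(43),    # SNAP
]

if __name__ == "__main__":
    for mac, formats in formats_by_station(SAMPLE).items():
        print(mac, sorted(formats))
    print("shared:", common_formats(SAMPLE, mac_str(CLIENT), mac_str(SERVER)))
```
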


Page 4 - 27

Slide Title: Frame Type Interoperability Problems

Important Points to Cover: Review quickly.


Check Dashboard Statistics

• Look here for indications of high utilization and errors


Page 4 - 28

Slide Title: Check Dashboard Statistics

Important Points to Cover: The following screen shots enable you to discuss the areas of Sniffer Pro that help them to troubleshoot Ethernet specifically. This should be familiar if they have been to the 101 G class, but it never hurts to re-emphasize these.

You may want to do a demo of this.

Open a trace file and display the decode windows.

Either use the traffic generator screen from the tools menu or right click over the Summary panel and choose “Generate current buffer” and send it out continuously so you’ll have plenty of time to show these next screens.

Click the Dashboard icon to show this screen.


Monitor Dashboard Details

• Use the Dashboard Detail counters to find physical errors

Reminder: You must have the enhanced drivers loaded to detect and capture error frames. Supported Ethernet adapters are:
Adaptec Fast Ethernet Adapter
Network Associates Card Bus Ethernet 10/100 Adapter (Xircom)


Page 4 - 29

Slide Title: Monitor Dashboard Details

Important Points to Cover: Click the Detail tab to show this view.

Point out the important fields: Utilization, Errors, CRCs, Runts, Oversize, Fragments, Jabber, Alignment, Collisions


Dashboard Error Timeline

• Click on the Network and Detail Error sections to see a graphic representation of Ethernet physical errors


Page 4 - 30

Slide Title: Dashboard Error Timeline

Important Points to Cover: New Slide.

Show all of the lower timelines and relate them to Ethernet counts.

Be aware that this data cannot be exported – it shows real-time statistics. You can start history sample if you want to save this type of information.

The lower graph was fabricated by adding lines to the display. There is no trace that will generate this type of display. Heaven help the people who would be on a network this bad!


Track Errors with History Samples

• Run these and save the data as a .CSV file
• Open in Excel or a reporting application


Page 4 - 31

Slide Title: Track Errors with History Samples

Important Points to Cover: There are more. Demonstrate on your Sniffer.


To create a multiple history report, open the History Samples window from either the Monitor menu > History Samples or by clicking the History Samples icon.

Click the Add Multiple History icon, assign a name to your sample and modify the sample interval and Graph Type on the General dialog box.

Click the Selection tab, then the New (Insert) icon and scroll and click to choose a sample from the Statistics List window. Repeat this process until you have chosen all the statistics you want included in your report. Use the up and down arrow icons to place the statistics that will have the highest values at the bottom. Adjust any colors as you wish. Click OK when done.

Double click the icon with the sample name to start collecting the statistics. Minimize the window to get it out of your way if you wish. It will continue to gather statistics in the background.

When you want to save the statistics to a file, click the Export icon and name the file and choose the file type (comma, tab or space delimited) and path. The application will continue to gather statistics until you close the window.

You will also be able to save the information in graphic format when you close the sample window. This can be viewed later within the History samples application. If you want to import a snapshot of this screen, just press the alt and print screen keys to copy it to the clipboard. Then paste it into your document or a paint program for further editing.


Create a Multiple History Report

• Collect the data, then save to a file to import into a spreadsheet or reporting program

• Include the errors you need to see


Page 4 - 32

Slide Title: Create a Multiple History Report

Important Points to Cover: Demonstrate how to create a Multiple History report of the Ethernet errors.

Suggest they may want to run this as a baseline and for trend analysis or scheduled reports for the boss.

Run for a specific time and save the file as comma, space or tab delimited file for import into a spreadsheet or database.

They can also save a snapshot of this graph as a .HST file when they close the window.


Check Utilization In Global Stats

• Remember, for best performance, utilization should be below 37% sustained utilization to be considered “clean”


Page 4 - 33

Slide Title: Check Utilization in Global Stats

Important Points to Cover: Demonstrate this screen under Global Statistics.

The 37% given here will re-emphasize this statistic they need for CNX.

If they are seeing a high level of physical errors, they should check first if the network is overloaded. If the traffic is within normal ranges, they need to look at a possible physical reason for the errors.


Look at the Expert’s DLC Layer

Check the Symptoms and Diagnoses

Who’s the source?

Is this really the culprit, or is it just impacted?

The physical errors include:
• CRC errors
• Runts
• Oversize
• Fragments
• Jabber
• Alignment errors
• Collision packets


Page 4 - 34

Slide Title: Look at the Expert’s DLC layer

Important Points to Cover: This emphasizes “troubleshoot from the bottom up”.

The DLC layer is the only place they will see Ethernet-related specific information.

Demonstrate with your favorite trace file that shows several DLC layer symptoms and diagnoses.

Point out the information available for each symptom or diagnosis in the Expert Detail panel on the lower right.

This is not the place to teach the Expert. They learned this in TNV-101-GUI (we hope they went).

Expert help is available for symptoms and diagnoses by clicking the ? icon.


Troubleshooting Exercises

Your instructor will choose the exercises to meet class needs. Turn to the lab section to complete the selected exercises.

• Test Your Skill
• Errors
• Ethernet Physical Errors
• Evaluating Hub Jams

If you complete them early, try another one. Come back to them when you get back to work and need review.


Page 4 - 35

Slide Title: Troubleshooting Exercises

This single slide points to all of the exercises for this section. These are time-consuming. You may wish to eliminate any that you feel do not meet the needs of the class you are teaching.

Emphasize that you are selecting based on the needs of the students in this class so they don’t feel you are skipping things they really want to see.

Test Your Skill Exercise

This one is very important. It gives them a chance to look at traces with no clues of the problems in them. Have them mark the matrix on page 22 to help them determine what the problems might be.

Errors Exercise

The conversation always recovers prior to frame 941. The damage appears to be hardware related. We don’t know what was causing that damage and can only speculate that it was bad hardware (the original repeater? A bad NIC card on the segment?) or an out of spec network (unlikely since they are on the same segment, but w/o a network map it is difficult to know).

The administrator suspected the repeater and replaced it with another that was not being used. This replacement was defective. It was replaced prior to frame 941, which is the reason for the large delta time, and since it was defective, it is the reason there is no recovery in the conversation starting with frame 941.

Ethernet Physical Errors

See impact of Parallel Tasking feature of some Ethernet cards

Evaluating Hub Jams

Practice troubleshooting hub jams.


Summary

• Use a bottom-up process for troubleshooting Ethernet network problems
• Work on the crises first, then spend time doing proactive monitoring to look for areas where performance is degrading and make appropriate changes
• Eventually, the crises should be fewer and the proactive preventive work will take on more importance
• Use the clues in the Sniffer Pro Monitor, Expert and Decode screens to help you determine the cause of frame damage


Page 4 - 36

Slide Title: Summary

Important Points to Cover: Wrap up the section by reviewing the bullets and answering any questions the students may have.

Add your own suggestions to this list that’s here.

We’re trying to emphasize using the tool for proactive network management here to plant a seed. Good technicians try to avoid problems by looking for signs of degradation and fixing them before they become crises.

The Sniffer is much more than a troubleshooting tool!

Target Time: Lunch or before if possible.


Ethernet Bridging and Switching Concepts

We are including a very brief overview of bridging and switching techniques here to enable you to troubleshoot a switched Ethernet environment.

Since many of these same principles are used for Full Duplex and Fast Ethernet, this section will lay the groundwork for those discussions.

Sniffer University has a three day class TNV-315-GUI with many more details.


Page 5 - 1

Slide Title: Ethernet Bridging and Switching Concepts – Section 5

Section Timing: Start: Day 2 Before Lunch. Work through the bridging section if you can.
Finish: Day 2 Mid-afternoon

Important Points to Cover: Section 5 title slide only.

Files: 05_brg_g.PPT 05_brg_g.DOC

Traces: scbridge.caz busy_jam.caz VLANprob.caz

8021q.cap VLANprob2.cap 8021q-gig.cap

Exercises: Short Circuited Bridges
Busy Jam
Switch Traffic (Optional) new

The bridging and switching sections are somewhat short to allow time for the VLAN and expanded Fast Ethernet, Full Duplex and Gigabit Ethernet sections.

VLAN tagging information has been added.

Move through it as quickly as you can to have time for the new section.

The bridging section is also used as an introduction to concepts for the switching section. Spanning Tree is covered very briefly in this course. Refer the students who need more to the 315 course, which covers it in great detail.


Section Objectives

Upon completion of this section, you will be able to:

• Differentiate between bridging and switching on a conceptual level
• Recognize network configuration issues with bridges and switches
• View VLAN information in frames
• Use Sniffer Pro to identify common problems associated with bridges and switches


Page 5 - 2

Slide Title: Section Objectives

Important Points to Cover: State the objectives for the section.


Bridges


Page 5 - 3

Slide Title: Bridges

Important Points to Cover: Title slide only.


Ethernet Bridges

• A bridge is a store-and-forward Data Link layer device
• A bridge increases the size of a network without increasing bandwidth contention, since segments separated by a bridge are in different collision domains
• A bridge is protocol independent. A bridge bases its forwarding decision on the Data Link layer destination address in a frame
• Bridges only pass valid frames
• An Ethernet bridge is transparent from the end node’s point of view

[Diagram: LOCAL and REMOTE sites, each with hubs and a bridge, joined by a LAN or WAN link]

Bridges work at the Data Link layer of the OSI Reference Model, specifically at the MAC sub-layer. Bridges are only concerned with physical layer addresses. They learn the address of each device on each segment to which the bridge is connected, typically two segments. When a frame is received on one port of the bridge, it examines the physical layer address to determine whether or not the frame should be forwarded to the other segment. The bridge stores this information in a "Forwarding Table."

Bridges are also what is termed "Protocol Transparent." Since they work at the MAC layer and are only concerned with physical layer address (like Ethernet), they have no reason to be concerned with higher layer protocols like DECnet, XNS, TCP/IP. One bridge can forward (or filter) all of these higher layer protocols.

Some bridges allow complex filters to be used to determine which frames get forwarded and which frames don't. This might be used in the case where a router was previously installed to route IP frames. Due to company growth, a new protocol is added and eventually a bridge to allow access to a second segment. Since an IP router is already being used to forward IP frames, the bridge must not forward these same frames. The bridge is programmed (using a filter) not to forward IP frames, but allow remaining frames to be forwarded if the destination address deems it necessary.

With any luck at all your bridge is sophisticated enough to have some sort of bridge manager. The bridge manager will allow you to configure the bridge, maintain its address table, as well as allow you to examine how effective the bridge is to forward and filter frames. Additionally, consider this: is your vendor's manager going to manage another vendor's bridge? When determining a vendor for your bridge purchase, you may want to consider its management capability.


Page 5 - 4

Slide Title: Ethernet Bridges

Important Points to Cover: Work at the Data Link Layer.

Forward frames based on the MAC layer address.

Bridges learn the addresses on each of their ports and build aforwarding table.

They are protocol transparent.

Some may do complex filtering.

Many are managed by bridge management programs.

Label was added to indicate the link can be LAN or WAN.


Multiport Ethernet Bridges

• Learns the addresses of devices that reside off each port
• Maintains a list of the addresses for each port in hardware “Content Addressable RAM”
• Logically extends the cabling segment, but physically separates into separate collision domains
• RAM for storage usually holds 1024 addresses
• Can be increased, but the maximum limit is vendor specific

[Diagram: Multi-Port Bridge connected to a Hub and Mini-Hubs]
Port A: Address 1, Address 2, Address 3
Port B: Address 4
Port C: Address 5, Address 6
Port D: Address 7, Address 8

A list must be kept of what node addresses lie beyond a bridge port. The list can be lengthy.

The number of addresses are vendor dependent, but usually start with 1024.


Slide Title: Multiport Ethernet Bridges

Important Points to Cover: As noted on the slide.


Ethernet Bridges are Responsible For:

Flooding: If the destination address is unknown, or if it’s a multicast/broadcast destination address, the bridge sends the frame out each port except the port on which the frame was received

Learning: A bridge is promiscuous and sees every frame on the segments to which it is attached. By examining the source address in frames, a bridge learns which stations are on which side of it

Forwarding: Once a bridge learns where stations are, it only sends a frame out the correct port to reach the destination station

Filtering: If the destination and source addresses are on the same port, the bridge just drops the frame

User Filtering: Allows a network manager to filter, based on protocols, addresses, packet type, etc., to increase the network's efficiency or add security measures

The filtering function might seem so obvious it's not worth mentioning, but actually it is worth mentioning in order to compare a bridge to a repeater: a repeater repeats everything, even if the two stations communicating are on the same side of the repeater. Since a bridge looks at the data link header and learns the locations, it does not need to forward unnecessarily.

The filtering rate advertised for a bridge is the number of frames per second on which the bridge can make forwarding/nonforwarding decisions. User filtering may employ a technique similar to the Sniffer analyzer’s pattern match function, allowing some manufacturers to claim to filter on layer three protocol addresses, even though a bridge is a layer two device.


Slide Title: Ethernet Bridges Are Responsible For

Important Points to Cover: Cover the slide points well.


Store and Forward

• Bridges are “Store and Forward” devices
• They must copy the entire frame and verify the CRC before forwarding
• If the CRC is good, the bridge will forward as it should
• If the CRC is bad, the bridge will discard the frame
  – A higher layer protocol will time out and attempt retransmissions

[Figure: Station A sends a frame with DA = B through a bridge that joins two hubs. At the bridge: CRC bad? If yes, throw frame away. CRC good? If yes, then forward.]

This technique requires the bridge to look at the entire frame before making a forwarding decision. A benefit of this feature is that the bridge can determine whether there is an error in the frame before making a forwarding decision. Error frames are removed from the network. A drawback is that the bridge will introduce latency (delay).


Slide Title: Store and Forward

Important Points to Cover: This is now an animated build slide.

Slide and notes are adequate to explain the concept.

Review them.


Bridge Data Flow

[Flowchart: Receive frame on Port x → Read source address → MAC SA in table? (No: enter into Port x table, which holds MAC, Port and Age) → Read destination MAC → Is it broadcast? (Yes: flood to all ports except x) → MAC DA in table? (No: flood to all ports except x) → DA on Port x? (Yes: discard frame. No: forward frame on correct port).]

All speeds of Ethernet follow this flowchart. Only the timing changes.
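The flowchart and the four bridge responsibilities above, written out as an added Python example (not part of the course material). The class name, the 300-second aging time and the station addresses are assumptions made for the illustration; the demo also shows what happens once the address table is full, the case the 1024-entry limit makes possible.

```python
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"


def is_group_address(mac):
    """Broadcast and multicast MACs have the low-order bit of the first octet set."""
    return int(mac.split(":")[0], 16) & 0x01 == 1


@dataclass
class LearningBridge:
    ports: tuple
    capacity: int = 1024     # slide: address RAM "usually holds 1024 addresses"
    max_age: float = 300.0   # assumed aging time in seconds; not given on the page
    table: dict = field(default_factory=dict)  # MAC -> (port, time last seen)

    def _age_out(self, now):
        """Drop entries whose Age column has exceeded max_age."""
        stale = [m for m, (_, seen) in self.table.items() if now - seen > self.max_age]
        for mac in stale:
            del self.table[mac]

    def _learn(self, src, port, now):
        """Learning: record (or refresh) the source address against the ingress port."""
        if src in self.table or len(self.table) < self.capacity:
            self.table[src] = (port, now)
            return True
        return False  # table full: this station stays unknown to the bridge

    def receive(self, port, src, dst, now=0.0):
        """Return (action, out_ports) for one frame, following the flowchart."""
        self._age_out(now)
        self._learn(src, port, now)
        others = tuple(p for p in self.ports if p != port)
        if is_group_address(dst):
            return ("flood", others)          # broadcast/multicast
        entry = self.table.get(dst)
        if entry is None:
            return ("flood", others)          # unknown destination
        if entry[0] == port:
            return ("filter", ())             # DA and SA on the same port: drop
        return ("forward", (entry[0],))       # known destination on another port


def run_demo():
    """Constructed traffic on a three-port bridge with a two-entry table."""
    bridge = LearningBridge(ports=("A", "B", "C"), capacity=2)
    s1, s2 = "00:00:00:00:00:01", "00:00:00:00:00:02"
    s4, s5 = "00:00:00:00:00:04", "00:00:00:00:00:05"
    frames = [
        ("A", s1, s4, 0.0),         # s4 unknown: flood
        ("B", s4, s1, 1.0),         # s1 learned on A: forward
        ("A", s2, s1, 2.0),         # table full, s2 not learned; s1 is local: filter
        ("B", s4, s2, 3.0),         # s2 never learned: flooded to every other port
        ("C", s5, BROADCAST, 4.0),  # broadcast: flood
        ("B", s4, s1, 400.0),       # s1 aged out: flood again
    ]
    return [bridge.receive(*f) for f in frames]


if __name__ == "__main__":
    for decision in run_demo():
        print(decision)
```

When the table cannot hold a station, every frame addressed to it is flooded, so an analyzer on an unrelated port starts seeing unicast conversations that would normally be filtered.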


Slide Title: Bridge Data Flow

Important Points to Cover: New partially automated build slide.

Click to reveal each step in the decision process as you discuss it.


The Spanning Tree specification is defined in IEEE 802.1d. Topology loops can occur in a switched network just like a bridged network.

Bridges are assigned an ID by the administrator (two byte field).

The MAC address of the adapter is appended to the two byte ID, and the result becomes the Bridge Identifier.

The lowest value Bridge Identifier becomes the Root bridge.

The network manager configures a cost for each port on the bridge. For example, the cost for a T1 link could default to 100, while the cost for a 56 kbps line could default to 500.

Costing information is exchanged with BPDU frames.


Bridging Loop

[Figure: bridges connected in a loop with every port forwarding; broadcast frames circle endlessly.]

• Ethernet bridges are susceptible to loops
• The Spanning Tree Algorithm handles loops by disabling alternate routes
  – All traffic flows toward the root bridge
• Bridges use Bridge Protocol Data Unit (BPDU) frames to negotiate a unique device-to-device path
• The picture above does not have Spanning Tree enabled. When Station A sends a broadcast frame, the frame can be forwarded by all bridges in a constant loop


Slide Title: Bridging Loop

Important Points to Cover: Broadcast frames will be forwarded continuously when Spanning Tree is not enabled.

IEEE 802.1d is the specification covering Spanning Tree.


Spanning Tree

• Bridges in a mesh configuration use a “cost” metric to determine the best (cheapest) path
  – The best path is used for forwarding
  – The other paths are backups and not used unless the best path fails
• One bridge is elected “root”
  – All frames are directed towards the root

[Figure: meshed bridges with a cost on each link (values 1, 2, 4 and 5); the best path and the backup path are marked.]

Many switches in meshed configurations use Spanning Tree to prevent loops. Anytime you see BPDUs in your traces, you’ll know it is active. Many vendors have proprietary protocols that allow you to do load balancing in a mesh environment. If you are using one of these and see BPDUs, check to make sure Spanning Tree is not needed, then disable it on the bridge(s) sending the frames.


Slide Title: Spanning Tree

Important Points to Cover: New Slide.

You might want to mention here that switches frequently use Spanning Tree to maintain forwarding tables to indicate the continued use of Spanning Tree and BPDU frames.

Each bridge/switch has a unique identifier.

Administrators can assign IDs to control which bridge/switch becomes the root of the tree.

The administrator can control paths by assigning a high cost to an expensive, slow link used as a backup path and a low cost to a fast primary path.

The fast primary path will be used until it fails.

The bridges/switches exchange BPDU frames when a link fails to reconfigure the tree to cover the segment that’s down.

You need a good logical drawing of the bridged/switched segments to plan the best paths and assign costs appropriately.


BPDU Frames

• Sent by the bridge to neighbors to share configuration information

[Figure: decoded BPDU frame with callouts: Multicast Dest. Address, Type of frame, Root Bridge, Link Cost, Source information, Timers.]

The destination address is a functional address assigned to “all bridges”.

The source address is the address of the port sending the BPDU.

The Root ID in the frame is the bridge this one assumes is the root.

Sending bridge ID is the ID of the bridge sending this frame.

The cost is the least cost path to the root from this bridge.

Bridges build forwarding tables from the BPDU frames.

When a bridge receives a BPDU frame from its neighbor, it compares the message received from that port with what it would send out that port. It changes its table if it discovers a better route and stops sending configuration messages on that LAN.

If the message age reaches a certain threshold, the message is considered stale and the bridge recalculates the best route as if it had not received the message.

For a detailed explanation of the Spanning Tree algorithm, see Section 3 in Interconnections, Bridges and Routers, Radia Perlman, Addison Wesley, 1992, ISBN 0-201-56332-0.
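The BPDU fields listed above and the "lowest Bridge Identifier becomes root" rule, as an added Python example that is not part of the course material. It decodes an IEEE 802.1D configuration BPDU from a captured frame and applies the comparison a bridge makes on receipt; the helper names and the sample addresses are constructed for the illustration, and the cost of 100 is the T1 default quoted in the notes.

```python
import struct
from typing import NamedTuple

ALL_BRIDGES = bytes.fromhex("0180c2000000")  # 802.1D "all bridges" group address
LLC_STP = b"\x42\x42\x03"                     # DSAP 0x42, SSAP 0x42, UI control
BPDU_FMT = "!HBBB8sI8sHHHHH"                  # 35-byte configuration BPDU


class ConfigBPDU(NamedTuple):
    root_id: bytes        # 2-byte administrator ID followed by the 6-byte MAC
    root_cost: int        # least cost path to the root from the sender
    bridge_id: bytes      # sending bridge ID, same layout as root_id
    port_id: int
    message_age: float    # timers are carried in units of 1/256 second
    max_age: float
    hello_time: float
    forward_delay: float

    def priority_vector(self):
        """Lower is better: root ID, then cost, then sender ID, then port."""
        return (self.root_id, self.root_cost, self.bridge_id, self.port_id)

    def is_stale(self):
        return self.message_age >= self.max_age


def make_bridge_id(priority, mac):
    """Bridge Identifier = two-byte ID with the adapter MAC appended."""
    return struct.pack("!H", priority) + bytes.fromhex(mac.replace(":", ""))


def build_bpdu_frame(src_mac, root_id, root_cost, bridge_id, port_id,
                     age=0.0, max_age=20.0, hello=2.0, fwd=15.0):
    """Construct a sample 802.3 frame (no FCS) carrying a configuration BPDU."""
    timers = [int(t * 256) for t in (age, max_age, hello, fwd)]
    body = struct.pack(BPDU_FMT, 0, 0, 0, 0, root_id, root_cost,
                       bridge_id, port_id, *timers)
    payload = LLC_STP + body
    header = (ALL_BRIDGES + bytes.fromhex(src_mac.replace(":", ""))
              + struct.pack("!H", len(payload)))
    return (header + payload).ljust(60, b"\x00")  # pad to minimum size


def parse_bpdu_frame(frame):
    """Decode a configuration BPDU; raise ValueError for anything else."""
    size = struct.calcsize(BPDU_FMT)
    if len(frame) < 14 + len(LLC_STP) + size:
        raise ValueError("frame too short for a configuration BPDU")
    if frame[0:6] != ALL_BRIDGES or frame[14:17] != LLC_STP:
        raise ValueError("not sent to all bridges with the Spanning Tree LLC header")
    fields = struct.unpack(BPDU_FMT, frame[17:17 + size])
    proto, _version, bpdu_type, _flags, root, cost, bid, port = fields[:8]
    if proto != 0 or bpdu_type != 0:
        raise ValueError("not an 802.1D configuration BPDU")
    return ConfigBPDU(root, cost, bid, port, *[t / 256 for t in fields[8:]])


def is_better(received, own):
    """True if the received message beats what this bridge would send itself."""
    return received.priority_vector() < own.priority_vector()


def format_bridge_id(bid):
    """Render a Bridge Identifier as priority.mac for a report."""
    return "%04x.%s" % (struct.unpack("!H", bid[:2])[0], bid[2:].hex(":"))


if __name__ == "__main__":
    root = make_bridge_id(0x8000, "00:00:0c:00:00:01")       # constructed values
    sender = make_bridge_id(0x8000, "00:00:0c:00:00:02")
    frame = build_bpdu_frame("00:00:0c:00:00:02", root, 100, sender, 0x8001, age=1.0)
    bpdu = parse_bpdu_frame(frame)
    print("root", format_bridge_id(bpdu.root_id), "cost", bpdu.root_cost)
```

Running the parser over every BPDU in a trace and collecting the distinct root IDs shows at a glance whether all bridges agree on one root.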


Slide Title: BPDU Frames

Important Points to Cover: New Slide.

Cover only the basics in this class. TNV-315 “Interconnection Concepts and Troubleshooting” will teach the specifications and structure of the BPDU frames in detail. There is no time for it here.


Capturing in a Bridged Environment

[Figure: Nodes A, B and C and the Sniffer Pro on one hub; Nodes D, E and F on a second hub. The highlighted area marks the frames seen by Sniffer Pro.]

The Sniffer Pro Network Analyzer will:
• See frames going between Nodes A, B and C.
• See traffic bridged between the two networks.
• Not see frames going between Nodes D, E and F.

At the data link layer, the source and destination addresses will be the end node’s addresses. You will not see the bridge’s addresses.

Example: Node A is communicating with Node D via a bridge. The Sniffer Pro Network Analyzer will show Node A and Node D's Ethernet addresses.


Slide Title: Capturing in a Bridged Environment

Important Points to Cover: “New” Slide. (Actually a resurrection of the slides we always included in this class – updated to star wiring.)

You might want to mention the bridge could actually be a switch.


Exercise: Short Circuited Bridges (Optional)

Turn to the lab section to complete this exercise


Slide Title: Exercise: Short Circuited Bridges (Optional)

This exercise is optional due to the time constraints of the class. Since the Spanning Tree discussion has been expanded again, you may not want to skip this exercise.

Fit it in, as you are able.


Exercise: Short Circuited Bridges

[Figure: network diagram for the exercise, showing the Sniffer Pro analyzer and two 192 Kb links.]


Slide Title: Exercise: Short Circuited Bridges (Diagram)

If you are questioned about the small delta times that appear in this trace file, you may want to work through the following math with the students. For this discussion, label the bridges 1-4 starting in the upper left-hand corner and continue on clockwise.

Time to transmit a minimum length Ethernet frame across the 192 Kb link:

Minimum frame = 512 bits
Preamble = + 64 bits
=============
Total bits transmitted = 576 bits

576 bits / 19,200 bits/second = .03 seconds

Time to transmit one frame on an Ethernet where 1 bit = 1/10,000,000 Seconds = .000001 Seconds = 1 microsecond. Therefore to transmit 576 bits takes 576 microseconds (.000576 Seconds or roughly half a millisecond).

Assume the propagation delay across the Ethernet or WAN link is 0. We can assume this because the network as shown is symmetrical.

TIME LINE

Station on left sends ARP. Assume within 576 microseconds Bridge 1 and Bridge 4 receive the frame.

.03 seconds later Bridge 1 has transmitted the frame to Bridge 2. During the same time period Bridge 4 to Bridge 3.

Either Bridge 2 or Bridge 3 will be able to access the Ethernet media on the right.

Assume Bridge 2 puts the frame out. (For argument’s sake, let's say this is the ARP Frame 1 we see on the Sniffer.) Within 576 microseconds, Bridge 3 is receiving the frame Bridge 2 transmitted.

Bridge 3 begins transmitting Frame 1 back towards Bridge 4.

Bridge 3 begins transmitting its frame out on to the Ethernet (Frame 2 on the Sniffer).

Bridge 2 receives Frame 2 after 576 microseconds.

During which time, Bridge 4 begins putting Frame 1 onto the left Ethernet segment.

Bridge 2 will transmit the frame back toward Bridge 1 and then the process continues...


Switches


Slide Title: Switches

Important Points to Cover: Title slide only.


Switches

• Switches are similar to bridges and do these actions:
  – Learn which addresses are available at each port
  – Maintain lookup tables by port (as bridges do)
  – Look at the destination address and forward immediately if possible
  – Switch packets between ports
  – Switching fabric maintains multiple, simultaneous conversations on different ports (unlike bridges)
  – Provide full bandwidth at each port
  – Do not verify the validity of the CRC (unlike bridges)
• Most switch vendors implement Spanning Tree Algorithm

A switch connects LAN segments like a hub does, but unlike a hub, which divides the bandwidth among all attached segments, a switch provides full bandwidth at each port. A port can be dedicated to a single file server, for example. Like a bridge, a switch learns which addresses are available at each port. Unlike a bridge, when forwarding a packet a switch may look at just the destination address, instead of the whole packet, and forward immediately if possible. If the destination segment is busy, the frame is queued in a buffer, just like a bridge, until the destination segment is free. Usually the destination segment is not busy.

Packets are processed in parallel by very fast hardware. One vendor claims a switching delay of only 40 microseconds, which they measure as the time between the first bit of a packet received and the first bit of the packet sent.

Some switches support software configuration to specify which ports can talk to which ports, sort of an “electronically controlled patch panel.” It really is hard to compare switches, especially because they have very different architectures and because vendors are getting very creative in combining the functions of layer 1, layer 2 and layer 3 relays. The late 1990s started major innovations in this area.

Issues with using switches instead of bridges or routers include:

1. A switch may forward a bad CRC and a runt that has a destination address.
2. Switches will not isolate broadcast storms. They often cannot be set up for protocol filtering. They generally won’t do fragmentation and re-assembly.
3. Using the switch’s “electronically controlled patch panel” feature sounds great, but could wreak havoc with IP addressing and subnet mask schemes.


Slide Title: Switches

Important Points to Cover: Vendors are doing many things to improve the performance of their products.

Read the fine print!

Will it work with what you have?


Switched Networking

• Switched networking provides a simple solution to existing networks suffering from traffic congestion
• In Ethernet environments, each switch port is a separate collision domain
• Switches allow you to micro-segment
• Some switches provide monitor ports to attach a Sniffer Pro
• Switches are not governed by standards, so a combination of vendor switches is difficult
  – There are many proprietary implementations

Microsegmentation means that there is only one device at each switch port, rather than a shared LAN on a port as in a segmented network.

The overall benefit of switching is that multiple conversations can occur simultaneously on a single switched hub, providing the user or segment with almost dedicated bandwidth.

Switching extends the life of existing legacy LAN networks, provides increased performance without replacing the existing wiring plant, and increases network throughput, reducing response times. Switches are a small cost when compared to other alternatives.

Switches are plug and play and easy to implement, but much pre-planning is required. As an example, if your bandwidth is being eaten up by DLC layer broadcasts, a switch will not improve the condition. Traffic is aggregated on the backplane of the switch. This backplane should be between 1.5 - 10 Gbps, with recent announcements for 85 Gbps backplanes.


Slide Title: Switched Networking

Important Points to Cover: Slide and notes points.


Basic LAN Switching Defined

• A switch allows dedicated communications paths to be rapidly built and torn down between multiple sources and destinations. The total aggregate bandwidth goes up with switch technology
• A 12 port switch can support six simultaneous conversations

[Figure: a switch with servers and workstations attached, each pair joined by its own path.]

A switch allows devices or segments to have a unique dedicated path to each other. The path is active for the duration of the frame, then is broken down and made available for the next frame.

Each port on a switch is, in effect, a separate collision domain or ring. Switches can act like fast bridges; they are layer 2 devices. But some vendors are adding layer 3 functions to switches, like the ability to route IP and IPX.

In 12 port switches, backplane speed needs to equal six times the individual wire speeds of the ports. Similar ratios apply to other size switches.

The VLAN concept, by which you can logically group switch ports, is growing in acceptance. VLAN schemes are proprietary to the different vendors. A VLAN generally divides your network into broadcast domains. VLAN is popular in today's dynamic environment where “Tiger Teams” are created across departmental lines to address a particular problem or project and then disbanded once that problem or project has been resolved.


Slide Title: Basic LAN Switching Defined

Important Points to Cover: Collisions are in switched environments.

Each pair of communicating devices has the entire bandwidth (in this case 10 Mbps) for their frame.

The path is active for the duration of the frame only. It is torn down after each frame has been transmitted.

Each port is a separate collision domain.

The Virtual LAN (VLAN) concept allows the administrator to group ports through software for workgroup segmentation.

A bullet and student note was added that addresses the issues of the speed of the switching fabric.

Many switches implement Spanning Tree to avoid topology loops where broadcast frames circulate endlessly.

Other manufacturers use proprietary methods to avoid loops.

A switch should have a very low PLR or Packet Loss Rate. It can have congestion control, where a switch will slow things down if ports become overloaded. Switching times may degrade noticeably, but at least you won’t lose any packets which will cause retransmissions.

For switches without active congestion control, the ability to handle 100 to 300 back-to-back, min. and max. size frames pretty much assures negligible packet loss no matter what the traffic pattern.

Switches that can buffer more than 100 1518 byte packets are considered very robust.


Capturing in a Switched Environment

[Figure: Nodes A through F and a Sniffer Pro attached to a switch. What the Sniffer Pro sees is vendor dependent: only broadcast traffic, plus...]

The Sniffer Pro Network Analyzer sees different things based on the switch technology and how the switch has been set up. At the data link layer, the source and destination addresses will be the end node’s addresses. You will not see the switch’s addresses. Switch vendors have provided various mechanisms for network analysis tools to evaluate network traffic and conversations.


Slide Title: Capturing in a Switched Environment

Important Points to Cover: What you see is what the vendor allows you to see.

Addresses are like the addresses in a bridged environment.

DLC addresses are the end station’s.


Seeing the Frames

• Switch sends all traffic to a monitor port

• Switch sends selected port or VLAN traffic to a monitor port

[Figure: two switches, each with a Sniffer Pro attached to its monitor port.]

Tapping the backplane of the switch does not limit the traffic sent to the monitor port. You will get all traffic that occurs on any port in the hub. This may present problems due to high utilization on the monitor port. It will work well when overall use of the switch is low, but if several users of the switch are demanding high amounts of bandwidth individually, their combined traffic may be greater than the switch can process through a single monitor port. You will most likely lose packets.

A port tap limits traffic seen to just what happens on that one port.


Slide Title: Seeing the Frames

Important Points to Cover: Several separate slides are now combined so you can cover them quickly and compare them more easily.

All traffic to a Monitor Port (This is not an industry-standard label for this port.)

Issues: Is the port able to handle the aggregate bandwidth of the backplane?

Is the Sniffer Pro analyzer able to handle the aggregate bandwidth of the backplane?

You can’t just put a Fast Ethernet Sniffer Pro analyzer here. The signals and timing are different in Fast Ethernet.

You’ll need to set a capture filter to focus on the traffic that will help you solve the problem.

• Station address filter
• Address class filter
• Protocol filter

Gives a very limited view of just one station’s traffic.

Selected port or VLAN traffic to a monitor port

But if the port can’t deliver it, you still can’t capture it.


Seeing the Frames Continued

• Attach a shared media hub between a server and the port to see all server traffic
• Install a matrix switch to view several segments

[Figure, left: a shared media hub (mini-hub) inserted between the server and its port on the switched media hub, with the Sniffer Pro attached to the mini-hub; workstations attach to the switch. Figure, right: shared media hubs in front of several servers feed a matrix switch (transport card and monitor card) connected to a DSS/RMON Agent.]

The hub should be attached when the server is inactive, and left in place to enable real-time monitoring. There are several inexpensive mini-hubs on the market. This is a very easy solution to implement and, in some environments, a very effective solution. For example, when there are only a couple of servers in a server-client environment, everyone will be talking to those servers, therefore you’re actually getting all traffic on the switch by just monitoring the servers’ ports. This also works well with unsophisticated switches that do not have a built-in monitor port.

Several companies make matrix switches.

Portable Sniffer Pro Network Analyzers can also be used in place of the DSS/RMON. If you are using a DSS/RMON Agent, you should use a Network Associates supported switch like the DataComm switch. There are several advantages to using a Network Associates supported switch.

Remember, though, you can only monitor one port at a time. Adding the hub may change the timing characteristics of the segment and may introduce its own set of errors if you exceed the collision domain. Be sure you are not introducing a repeater into a full-duplex link by mistake.


Slide Title: Seeing the Frames (Continued)

Important Points to Cover: Permanently install minihubs in the line to your servers.

Allows you to see all the traffic to and from the server.

Permanently install a minihub in the line to your bridges and routers. Allows you to see all traffic directed to or from them.

SniffView allows you to switch the DS Pro Agent into multiple segments so you can monitor the conversations to multiple servers (or routers) one at a time.

There are several vendors that supply switches from DS Pro. Some of them can be controlled directly with SniffView.

We also sell DSS/RMON Multiview, which is a DS Pro in a matrix switch. There are several models that can attach into a combination of Ethernet and other topologies.


Switch Control and Expert

• Switch control allows you to access supported switches and span one port or VLAN to a monitor port
• Two adapters are required to span a port
  – The configuration adapter sends SNMP signals to the switch’s IP address to control the switch and retrieve MIB data
    • Attach to the switch control port
  – The monitor adapter does the assigned Sniffer tasks
    • Attach to the mirrored port
• One adapter is enough if you just want MIB data

[Figure: the configuration adapter sends SNMP commands to the switch; frames from the selected port or VLAN are copied to the SPAN port, where the monitor adapter is attached.]

Sniffer Pro version 4.0 switch expert supports:

Cisco models (* = this version or newer):
2900 v.4.5(2), 2916XL v11.2(8)SA5*, 2924(M)XL v12.0(5.1)XP*, 2926 v4.5(2), 5000 v4.5(2)*, 5002 v4.5(2)*, 5500 v4.5(2)*, 5505 v4.5(2)*, 5509 v4.5(2)*, 6000 v5.4(1)*, 6002 v5.4(1)*, 6500 v5.4(1)*, 6509 v5.4(1)*

Nortel models:
Baystack 450 v HW:RevB, FW:V1.04, SW:V1.1.0

Not all features are supported. Contact NAI tech support for specific issues.

SPAN (Switched Port ANalyzer) is a proprietary Cisco protocol used to mirror traffic from a port or VLAN to a monitor port.

If you have just one adapter in your Sniffer, it must have TCP/IP bound to it so it can connect to the switch to control it. It is connected to the switch control port, which cannot be a monitor port. You would need to stop Sniffer Pro, reconnect it into the monitor port and restart it as a Sniffer to sniff the monitor port. You then would not be able to control the switch or see the MIB data.

Mirroring places a heavy load on the switch. Be sure to disable it when you have completed your analysis or capture!

The TNV-201-DSP and TNV-315-GUI classes have more information on switch control and Expert.


Slide Title: Switch Control and Expert

Important Points to Cover: New Slide.

Unfortunately we just don’t have time to delve into this in this class. You also need a switch to demonstrate all the functions of this feature.

It is covered in detail in the TNV-201-DSP class. That class has a switch, so all of the MIB and control screens can be demonstrated.

It will also be shown in the Advanced TNV-102-GUI class being written.

The basics:

You can get all the MIB data from the switch and see it in the Sniffer windows.

You can use these MIB screens to mirror a port or VLAN to the port where the Sniffer is attached. (VLAN mirroring is not supported for all switch models.)

You can do all the Sniffer functions on the mirror port, i.e. start Monitor screens, capture, set triggers, etc.

Try to attend a TNV-210-DSP class to see this in action so you can discuss it better.

You need the second card only if you want to do the Sniffer functions. You can get the MIB data with a single adapter. You cannot use a single card to send the SNMP commands to the switch to control it AND then turn around and sniff using the same card. Port mirroring (or SPAN) puts a big load on the switch. DO NOT leave it enabled constantly. Turn the mirroring off when you are done!


Switch Frames

• Once you get the frames from the switch, they look just like any other Ethernet frame
• Expert shows symptoms and diagnoses plus valuable VLAN information
• Use the skills you’ve gained here to determine where problems lie


Slide Title: Switch Frames

Important Points to Cover: New Slide.

The main difference in the Sniffer screens is the VLAN information in the Expert. The students will see that in the VLAN section.

Any VLAN symptoms and diagnoses will be labeled in the Summary display.

You can filter from the Expert’s VLAN symptoms and diagnoses.

You can get the switch MIB statistics on adapter and VLAN MIB counts that can be very helpful.


Switch Performance

• Switches are often faster than bridges
• They segment collision domains
• Cut Through switches are fastest
  – They read only the destination address and forward to a new or established port
  – They provide the least amount of data integrity (they only verify the destination MAC address)
• Some switches offer FFCT (fragment-free cut-through) mode
  – Only frames at least 64 bytes in size are forwarded
• Switch latency increases the further into a frame the switch checks for data integrity
• Switches forward damaged frames if damage occurs past their check point


Slide Title: Switch Performance

Important Points to Cover: Slide is adequate.


Exercise: Busy Jam

Turn to the lab section to complete this exercise


Slide Title: Exercise: Busy Jam


Exercise: Busy Jam Diagram

[Network diagram: client stations, a 10 Mbps hub, a switch, a server and the Sniffer Pro analyzer]


Slide Title: Exercise: Busy Jam Diagram

Network Diagram


Virtual LANs (VLANs)


Slide Title: Virtual LANs (VLANs)

Important Points to Cover: New Section - New title Slide.


VLANs

• Many switches allow you to set up virtual LANs
– A VLAN is roughly a broadcast domain
– Stations in different physical locations can communicate as if they were on a common LAN
– Some manufacturers allow you to place ports on more than one switch in a VLAN
– There are many vendor-specific implementations

[Diagram: 1st Floor, 2nd Floor and 3rd Floor, with stations grouped into Exec VLAN, HR VLAN and Finance VLAN]

Port configurations aggregate stations based on the port where they are attached. This was the first implementation of VLAN groups. It is a good way to isolate groups using non-routable protocols.

Protocol-based VLANs group stations based on their protocol type or layer 3 address. The switches use standard routing protocols to communicate with routers, but all traffic in the VLAN is switched.

MAC address-based VLANs group stations based on their MAC address. This is useful when you have laptop users who carry them around and attach their PCMCIA cards in different locations. Problems arise when they dock these laptops and use the docking station’s NIC card or software overwrites the MAC address.

IP Multicast address groups segregate the multicast traffic and send only to those devices that are in the VLAN. This extends beyond the normal network-maintenance address types for routing and bridging support to specialized applications like broadcast audio or video data.

802.1Q VLAN tagged frames is a new IEEE standard that uses an additional header in the frames between the switches that identifies the VLAN.

Since many of the mechanisms are vendor-specific, you should try to buy all your switches from one vendor or only use switches that support the 802.1Q standard.


Slide Title: VLANs

Important Points to Cover: New Slide.

VLANs have been around for a long time and most students will have basic knowledge about them. What they may not know is how their traffic looks on the wire.

Emphasize the broadcast domains. See, the stuff we taught in the technology section hasn’t gone away!

VLANs provide a way to logically link devices in different layer 1-2 physical network segments into a logical layer-three network segment.


VLAN Grouping Techniques

• Port
– Assign each port to a particular VLAN
– Quick and simple, moves require reconfiguration
• Protocol (Layer 3 grouping)
– Groups all devices with the same protocol - isolates protocol-specific broadcasts
– Stations with multiple protocols belong to multiple VLANs
– Router required between different protocols and IP subnet VLANs
• MAC address
– Assign each NIC to a particular VLAN IP multicast address
– Good for laptops that move around
• Multicast Address
– Proxy address for a group of devices


Slide Title: VLAN Grouping Techniques

Important Points to Cover: New Slide.

Quickly review the ways vendors implement VLANs.


VLAN Tagging

• When devices are spread across several physical segments, there needs to be a way to quickly send them to the proper switch
• Cisco developed a proprietary protocol called Interswitch Link Protocol (ISL) which added a few bytes or “tag” at the beginning of the frame
– The tag identifies the VLAN
– This eliminated the need to do a table lookup for each frame - just send them to the right port
• The IEEE modified this for the 802.1Q specification


Slide Title: VLAN Tagging

Important Points to Cover: New Slide.

This is just a page to introduce the reason for tags and the VLAN tagging methods.


Interswitch Link (ISL) Protocol

• The Grandfather of the IEEE 802.1Q tagging standard
• A proprietary Cisco protocol developed to support trunks between Cisco switches
• Tags added to the frames between the switches include a VLAN group identifier to route them to the proper VLAN
• Several other vendors licensed ISL
• 3Com used VLT frame tagging method


Slide Title: Interswitch Link (ISL) Protocol

Important Points to Cover: New Slide.

This is a Cisco vendor proprietary protocol. Other vendors licensed it.

Tags are carried on the trunk links between Cisco Switches.

We can see them and decode them on frames captured on these links.


Cisco ISL Frame Tags

• Ethernet frame is attached after the 26 byte ISL Header
• VLAN identifier

Inter Switch Link (ISL) protocol was developed by Cisco and has been incorporated into the 802.1Q standard.

ISL adds a 10 bit address to every frame as it enters the switch fabric. The frame is forwarded only to switches and interconnected links with the same 10 bit address.

This tag is removed before the frame is forwarded to the end station or switch outside the VLAN.


Slide Title: Cisco ISL Frame Tags

Important Points to Cover: New Slide.

This screen capture was taken from VLANprob.caz frame 1. The students will use it in the exercise at the end of this section.

Don’t go into details of this protocol. Let Cisco teach that in their classes!


Cisco ISL Expert Information

• VLAN information shown at the Global Layer
• VLAN list in the Detail Tree
• Statistics and details in the Expert Detail panel


Slide Title: Expert Cisco ISL Information

Important Points to Cover: New Slide.

This screen capture was taken from VLANprob2.cap Expert view with the Global symptoms highlighted.

Explore more of the Expert information with the students.


802.1Q VLAN Standard

• The 802.1Q standard is based on the 802.10 standard
– 802.10 is the Interoperable LAN/MAN Security (SILS) standard which defines a single Protocol Data Unit (PDU) with an 802.10 header inserted between the MAC header and the frame data for secure transmission of data
• 802.1Q uses frame tagging to carry VLAN membership information across multiple multivendor devices
– The security header from 802.10 is modified to support VLAN tagging
– Tags allow frames to be forwarded quickly to other switches within the VLAN
• Routers are required to forward frames between VLANs
– Can be internal to the switch or external one-armed routers
• Vendor proprietary implementations are still also used
– This creates vendor interoperability problems

Several issues need to be addressed when implementing VLANs:

Management: Even though most vendors use management software to create the VLANs and move ports into the VLAN, there is an issue of keeping up with all the moves (though this is certainly easier than moving cable to keep a person in the same network segment!). People also may feel isolated when they are moved out of the area where their co-workers are.

80/20 Rule: It is difficult to maintain the “80/20” rule, where 80% of the traffic remains local and 20% goes outside the area and through a router.

Shared resources like servers and printers need to be managed so people in a different VLAN can print to the local printer and access their server. You may choose to put these devices into more than one VLAN so all who need them can access them.


Slide Title: 802.1Q VLAN Standard

Important Points to Cover: New Slide.

This is the IEEE standard for VLAN tagging. The headers are different.

Highlight the last bullet.

All the switches in the VLAN must support the same tagging method or frames will not get where they need to go!


802.1Q VLAN Headers

[Tag layout: 8100 | User Priority | Tunnel Type | VLAN ID]

2 bytes Tag Protocol Type field identifies the 802.1Q header

2 bytes Tag Control field has three fields:
– 3 bits user priority
– 1 bit tunnel type, i.e. Ethernet or Token Ring
– 12 bit VLAN ID

Fits between the Source MAC address and Type/Length field of the MAC header of the Ethernet frame

[Frame layout: MAC D & S | Type | Tag Control | MAC Type/Length | Data]

802.1Q standard works hand in hand with the 802.1P standard for assigning priority levels to frames. You may see it called 802.1 Q/p in some publications.

The user priority field allows applications that require guaranteed bandwidth to be delivered before applications that are not time-sensitive.

3 bits allow for 8 different priority levels. The switches must maintain internal queues for each priority. Incoming frames are placed in the queue for the priority in the field and the highest priority frames are transmitted out before the lower priority frames.

This enables lower cost Ethernet installations to compete with the high-maintenance and cost ATM networks that provide robust Quality of Service guarantees.

Keep in mind that this is priority done at layer 2. RSVP at the network layer in the stack needs to inform layer 2 to set the priority bits to match the level of the data being sent. To have end-to-end priority, all devices in the intervening path must recognize the priority levels at both layers.

The 802.3ac standard has extended the maximum frame size to 1522 bytes to allow for these 4 additional bytes.


Slide Title: 802.1Q VLAN Headers

Important Points to Cover: New Slide.

This shows a breakout of the fields in the tag to prepare them for what the Sniffer shows.

Point out that the tag comes in the MAC header! This was very confusing when I first viewed these frames. I wanted to put the Type/Length field in with the tag, because the Sniffer puts it there without identifying that it is part of the DLC header. The number of bytes in the spec didn’t match what I saw in the frames that way.

The destination and source addresses come first, then the tag, then the MAC type or length field.
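The field order above, as an added Python example (it is not part of the course material or the Sniffer software): it parses the tag out of a raw frame and removes it again. The sample frame, its MAC addresses and every function name are constructed for illustration; the 1-bit field the slide calls tunnel type is the bit the standard names CFI.

```python
"""Parse and strip an 802.1Q tag in a raw Ethernet frame (added example)."""
import struct
from dataclasses import dataclass
from typing import Optional

TPID_8021Q = 0x8100  # Tag Protocol Type value the slide gives for Ethernet


@dataclass
class EthernetHeader:
    dst: str
    src: str
    tagged: bool
    priority: Optional[int]     # 3-bit user priority, 0-7
    tunnel_type: Optional[int]  # 1 bit; the slide's "tunnel type" (CFI in the standard)
    vlan_id: Optional[int]      # 12-bit VLAN ID
    type_or_length: int         # the original MAC Type/Length field
    header_len: int             # 14 bytes untagged, 18 bytes tagged


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_ethernet(frame: bytes) -> EthernetHeader:
    """Read destination, source, optional tag, then Type/Length, in wire order."""
    if len(frame) < 14:
        raise ValueError("frame shorter than a 14-byte MAC header")
    dst, src = _mac(frame[0:6]), _mac(frame[6:12])
    (field,) = struct.unpack("!H", frame[12:14])
    if field != TPID_8021Q:
        # Untagged: bytes 12-13 are already the MAC Type/Length field.
        return EthernetHeader(dst, src, False, None, None, None, field, 14)
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    # Tagged: 2 bytes Tag Control, then the real Type/Length field.
    tci, inner = struct.unpack("!HH", frame[14:18])
    return EthernetHeader(dst, src, True, tci >> 13, (tci >> 12) & 1,
                          tci & 0x0FFF, inner, 18)


def strip_tag(frame: bytes) -> bytes:
    """Return the frame as an end station sees it, without the 4 tag bytes."""
    return frame[:12] + frame[16:] if parse_ethernet(frame).tagged else frame


def type_or_length_kind(value: int) -> str:
    """Values of 0x0600 and above are a type; 1500 and below are a length."""
    if value >= 0x0600:
        return "type"
    return "length" if value <= 1500 else "undefined"


# Constructed sample: broadcast IP frame from a locally administered address.
UNTAGGED_FRAME = bytes.fromhex("ffffffffffff" "020000000001" "0800") + bytes(46)
# Same frame carried on a trunk: priority 5, tunnel-type bit 0, VLAN 100.
TAGGED_FRAME = (UNTAGGED_FRAME[:12]
                + struct.pack("!HH", TPID_8021Q, (5 << 13) | (0 << 12) | 100)
                + UNTAGGED_FRAME[12:])

if __name__ == "__main__":
    hdr = parse_ethernet(TAGGED_FRAME)
    print(hdr)
    print("tag adds", len(TAGGED_FRAME) - len(strip_tag(TAGGED_FRAME)), "bytes")
```

Reading bytes 12-13 as the Type/Length field without checking for 8100 first is the mistake described above: on a tagged frame the real Type/Length field sits 4 bytes later.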


802.1Q Header

• Ethernet frame is encapsulated inside the 802.1Q Header
• VLAN identifier
• Maximum length frames grow to 1518 bytes
• Sniffer does not capture the last 4 bytes of the frame
– No CRC error is posted

The tag Protocol Type is used for FDDI, Token Ring and SNAP encoded fields. Ethernet sets this to 8100.


Slide Title: 802.1Q Header

Important Points to Cover: New Slide.

Hey – the Ethernet maximum frame size has been exceeded!

If a max size Ethernet frame is encapsulated in a tagged frame, it is 1518 bytes. The Sniffer knows this is OK when it sees the 8100 Type field and it doesn’t post an oversize symptom or count it as bad.

It does indicate only the first 1514 bytes were captured in the Detail window. That shouldn’t create problems for us, since it still has almost the entire frame, certainly enough to get through all the ULP layers to see if there are problems there.

BTW – a question has been raised about how the Sniffer handles the max size Ethernet frames captured by a pod. Remember it encapsulates them in Ethernet frames to send them to the PC. The pod transparently fragments these oversize frames and the PC reassembles them in the driver software before they are sent up the stack for analysis.


Expert 802.1Q Information

• VLAN information is shown at the Global layer
• Symptoms and diagnoses break out stations in the VLAN

[Screen capture callouts: 8021Q Protocol in use; VLAN numbers and switch MAC addresses; VLAN Info]


Slide Title: Expert 802.1Q Information

Important Points to Cover: New Slide.

You might want to demonstrate this on your Sniffer using the 8021q.cap trace file the students will use for their exercise.

If time is running short, give them the details and skip the exercise. If you’re doing OK, cover it very briefly here and let them discover the details on their own in the exercise.

There is another 8021q-gig.cap trace that shows this information captured from a gigabit Sniffer. Point out the [A] and [B] in the status column and show the Statistics tab where 1000 is the line speed.

This was a serendipity trace I found just before press time.


VLAN Frames

• Sniffer sees VLAN headers only between switches that support them
– Tap into the trunk link or mirror the trunk port to the Sniffer port with Switch control

[Diagram: 1st Floor, 2nd Floor and 3rd Floor, with stations grouped into Exec VLAN, HR VLAN and Finance VLAN]

More details on the switch Expert are available in these Sniffer University classes:
TNV-101-GUI, Troubleshooting with the Sniffer Pro Analyzer
TNV-201-DSP, Implementing Distributed Sniffer System/RMON Pro
TNV-315-GUI, Interconnection Concepts and Troubleshooting


Slide Title: VLAN Frames

Important Points to Cover: New Slide.

This is just a visual reminder you will see these only if you tap into the trunk link either physically or by spanning the trunk port to the Sniffer. This is risky!


Optional Exercise: Switch Traffic

Turn to the lab section to complete this exercise


Slide Title: Optional Exercise: Switch Traffic

Important Points to Cover: New Exercise.

The students will observe several types of traffic in a switched environment. They will look at typical switch-related protocols and the different VLAN tagging encapsulation methods.

This is a great exercise to satisfy the students who came to see switch troubleshooting. Try to allow time to do it so they feel good about at least seeing the Expert part of switch analysis and see the frame tagging.

They won’t see the MIB data or be able to do a SPAN, but this will help.


Summary

In this section, you learned how to:
• Differentiate between bridging and switching on a conceptual level
• Attach Sniffer Pro to bridged and switched networks
• View VLAN identifying information in tagged frames
• Use Sniffer Pro to identify common problems associated with bridges and switches


Slide Title: Summary

Important Points to Cover: Wrap up the section by reviewing the objectives and answering any questions the students may have.

Target Time: Day 2 early afternoon. This is a good place for a break if you haven’t already done so.


100 Mbps Fast Ethernet


Section 6 TNV-202-GUI Ethernet Network Analysis and Troubleshooting


Slide Title: 100Mbps Fast Ethernet
Section 6

Section Timing: Start: Day 2 Mid-afternoon
Finish: Day 2 Approx. 3:00

Important Points to Cover: Section 6 title slide only.

Files: 06_fe_g.PPT 06_fe_g.DOC

Traces: 100MBFIL.CAP, BACKPRES.CAP, BACKPRES1.CAP, Big_bad_rich.caz

Exercises: Fast Ethernet Troubleshooting and Back Pressure
Fast Ethernet Problems
10/100 Hubs

The former three-part section covering all the fast technologies has been split into sections for each.

Please allow enough time to present it if the class is interested. By now, they have seen Fast Ethernet several times, so this section can be taught very quickly.

Have the students do the exercises if possible. The first shows various different vendor implementations of back pressure.

The second is a filtered trace and shows lots of hub jams and collisions.

References:

Fast Ethernet: Dawn of a New Network by Howard W. Johnson, 1996, Prentice Hall Publishing, ISBN 0-13-352643-7

Switched, Fast and Gigabit Ethernet 3rd Edition by Robert Breyer and Sean Riley, 1999, Macmillan Technical Publishing, ISBN 1-57870-073-6


Section Objectives

Upon completion of this section, you will be able to:
• Summarize the features of Fast Ethernet
• Summarize 100BASE-T4, 100BASE-TX, and 100BASE-FX implementations
• Recognize back pressure frames in a trace
• Attach Sniffer Pro to your Fast Ethernet networks
• Use the Sniffer Pro statistics and decodes to locate areas of concern


Slide Title: Section Objectives

Important Points to Cover:

Troubleshooting Fast Ethernet is basically the same as 10 Mb Ethernet.


Overview of Fast Ethernet

• 100Mbps version of the Ethernet standard
• Uses the same timing criteria as 10 Mbps Ethernet
• 100BASE-Tx supports Category 3,4 and 5 twisted-pair wiring and fiber cabling
• Standard defined by IEEE 802.3u
• Many switches and hubs combine 10 Mbps and 100 Mbps ports to link legacy networks into high speed backbones

IEEE 802.3u (100BASE-T) adopted in 1995 as a supplement to IEEE 802.3

Several clauses are included in the specification. Earlier versions of 802.3 are defined in clauses 1-20. 802.3u is defined in clauses 21-30:

Clause 21 100BASE-T Introduction

Clause 22 Medium Independent Interface

Clause 23 100BASE-T4 Transceiver

Clause 24 100BASE-X Transceiver

Clause 25 100BASE-TX PMD*

Clause 26 100BASE-FX PMD*

Clause 27 Repeaters

Clause 28 Autonegotiation

Clause 29 Topologies

Clause 30 Management


Slide Title: Overview of Fast Ethernet

Important Points to Cover: The specification calls for a few changes from the previous spec, but mostly outlines the new features.


Where to Deploy Fast Ethernet

[Network diagram: workgroup LANs with workgroup hubs/switches; campus 10/100 Mbps hubs and switches; network center 10/100 Mbps switches with a server cluster and faster server links; routers and a firewall router; Token Ring; a remote LAN with hub and remote router reached over the WAN (Fractional T1, T1, X.25, Frame Relay)]

Due to the small collision domain and repeater limitations, most Fast Ethernet hub installations will be in workgroup areas. It is not useful in the backbones of large enterprise networks. Fast Ethernet switches or other technologies are needed to go the distances.


Slide Title: Where to Deploy Fast Ethernet

Important Points to Cover: Key words: “In place of” does not mean pull out all of your FDDI and use Fast Ethernet instead. FDDI has been around a long time and is a proven technology. This is to say, “If you need to install a new high-speed backbone, consider Fast Ethernet.”

Pulling out FDDI would be a real waste of money, and Fast Ethernet is probably inferior.

Fast Ethernet is, however, cheaper to implement, and easier, since troubleshooting skills students already have transfer over to this technology.

Also mention the environments listed in the student notes section where Fast Ethernet could be implemented.


Similarities between 10BASE-T and 100BASE-T

• Both use CSMA/CD
• Frame formats and frame lengths are the same
• Both can run on Category 3, 4 and 5 UTP
– It must be four-pairs for 100BASE-T to run on 3 and 4
• Interconnections are made with hubs, repeaters, switches, etc.

Fortunately, 100BASE-T makes use of CSMA/CD and the same frame formats as 10Mbps Ethernet. Therefore, most of what has been covered in this course is applicable to 100BASE-T also.

Wiring specification

Page 131 of IEEE 802.3U - 1995 spec details the pinout for internal and external crossover cables.

pin

1 ----------| Dedicated Transmit pair +

2 ----------| Dedicated Transmit pair -

3 ----------| Dedicated Receive pair +

4 ----------| Bi-directional pair 1 +

5 ----------| Bi-directional pair 1 -

6 ----------| Dedicated Receive pair -

7 ----------| Bi-directional pair 2 +

8 ----------| Bi-directional pair 2 -


Slide Title: Similarities Between 10BASE-T and 100BASE-T

Important Points to Cover: Point out just how similar the two are. The differences do not affect us as the protocol analyst. Of course, as a network manager concerned with the installation and overall network design, the similarities and differences are critical.


100BASE-T Features

• 100BASE-T transmits ten times as much data in the same amount of time
• It has new PHY standards
• The network design is more compact
• The interframe gap is .96 microseconds instead of 9.6 microseconds
– It is still 96 bit times for 10/100/100, the times just get shorter as the speed increases
• Coding schemes 4B5B and 8B6T replace Manchester encoding

100BASE-T does have some important differences from 10BASE-T. Changes have been made to the PHYsical layer components. New sub-layers such as the Reconciliation sub-layer and an interface called the MII (Media Independent Interface) have been defined in the specification.

There are new rules defining the number of repeaters allowed.


Slide Title: 100BASE-T Features

Important Points to Cover: This slide shows key differences.

Point out the interframe gap is still 96 bit times, the bit times are just 10 times shorter!


Physical Layer Specifications

• 100BASE-TX: Fast Ethernet for Category 5 UTP
– Most widely used physical layer specification for 100BASE-T today
• 100BASE-T4: Fast Ethernet for CAT3 UTP
– Use when you have a large installed base of voice grade wiring
– Requires four wires of the cable
– Not implemented very often, so there is very little vendor support for it
• 100BASE-FX: Fast Ethernet for Fiber Optic Cabling
– Used in sites that are considering fiber cabling or have it installed
– Usually used between floors of a building


Slide Title: Physical Layer Specifications

Important Points to Cover: Use this page as a preview of what we will cover in more detail.


100BASE-TX for Category 5 UTP

• Transmission over two pairs of Category 5 UTP or IBM Type 1 STP wire
• RJ-45 connector is exactly the same as that used by 10-BASE-T where the RJ-45 links two pairs of wires
• The punchdown blocks in the wiring closet must be Category 5 certified
• Traditional DB-9 connector used for STP wiring
• 4B5B coding


Slide Title: 100BASE-TX for Category 5 UTP

Important Points to Cover: Slide information is adequate.


100BASE-T4 for Category 3 UTP

• Operates over four pairs of Category 3, 4, or 5 UTP wiring
• Three pairs are used for transmission and the fourth wire is used for collision detection
• Since it can run on Category 3, provides for easier migration to 100BASE-T without rewiring
• Three of the four pairs are used to transmit or receive, so full-duplex operation is not possible
• 8B6T coding

TIA/EIA Cabling standards

Category  Application Support          Bandwidth  Year Std
1         Voice only                   voice      1950s
2         Voice or low speed data      1          1960s
3         Voice, 10BASE-T              16 MHz     1991
4         16 Mbps Token Ring           20 MHz     1993
5         CDDI, 100BASE-TX, ATM 155    100 MHz    1994
5         1000BASE-T (higher specs)    100 MHz    1999
5E        1000BASE-T                   100 MHz    1998
6         TBD                          200 MHz    1999
7         TBD (Work in Process)        600 MHz    9/2000


Slide Title: 100BASE-T4 for Category 3 UTP

Important Points to Cover: Slide information is adequate.


100 Base T Ethernet Pinouts

EIA/TIA-T568A

Pin  Signal      Wire Color
1    Transmit 3  white/green
2    Receive 3   green/white
3    Transmit 2  white/orange
4    Receive 1   blue/white
5    Transmit 1  white/blue
6    Receive 2   orange/white
7    Transmit 4  white/brown
8    Receive 4   brown/white

AT&T 258A and EIA/TIA-568B

Pin  Signal      Wire Color
1    Transmit 2  white/orange
2    Receive 2   orange/white
3    Transmit 3  white/green
4    Receive 1   blue/white
5    Transmit 1  white/blue
6    Receive 3   green/white
7    Transmit 4  white/brown
8    Receive 4   brown/white

[Figure: RJ45 connector, pins 1 to 8]

It doesn’t matter which wiring spec you choose, you just need to ensure you follow through with the same pinouts for all the cables.

Both T4 and 1000BASE-T require four pairs. Gigabit requires a higher quality connector.

Wiring specification

Page 131 of IEEE 802.3U - 1995 spec details the pinouts for internal and external crossover cables.


Slide Title: 100BASE-T Ethernet Pinouts

Important Points to Cover: New Slide.

For student reference.

10BASE-T required only:
pin 1 Transmit 2 – white/orange
pin 2 Receive 2 – orange/white
pin 3 Transmit 3 – white/green
pin 6 Receive 3 – green/white

If they are upgrading NICs to 100 or 1000 Mbps, they will need to connect all eight of the pins to make the old cable work for the new speed!


100BASE-FX for Fiber Optic Cabling

• Operates over two strands of multimode or singlemode fiber cabling (just like FDDI)
• Fiber optic media transmits over greater distances than UTP; useful for connections between interconnect devices on a Fast Ethernet backbone
• Uses the MIC, ST or SC fiber connectors defined for FDDI and 10BASE-FX networks
• 4B5B coding

The Fiber MIC connector uses one keyed connector. It is quite large and is being replaced by the SC connector.

The ST connector is the bayonet-style connectors that twist onto separate fiber cables. It is the most popular connector.

The SC connector is smaller and uses a duplex connector. It is the connector of choice for future designs.


Page 6 - 11

Slide Title: 100BASE-FX: Fast Ethernet for Fiber Optic Cabling

Important Points to Cover: Slide information is adequate.


4B5B Encoding Technique (100BASE-FX and 100BASE-TX)

• Upper layer protocols send data in 8-bit bytes

• The MAC driver splits the bytes into 4-bit nibbles
– A look-up table is used to convert the 4-bit nibble to a 5-bit symbol or symbol code

• Clocking information is carried within the data stream

• 100BASE-FX uses a two-state NRZI signal
– A change in signal level represents a binary code-one; no signal level change represents a binary code-zero

[Diagram: ULP (8 bit bytes), MAC (4 bit nibbles), PHY (5 bit symbols)]

The conversion from 4 bits to 5 bits does not involve any mathematical calculations - it is merely a table lookup.

Q: How does 4B5B contribute to making Fast Ethernet fast?

A: By processing bits in parallel blocks as they pass through the MAC layer rather than serially as in Manchester encoding.

Fast Ethernet operates at 100 Mbps as data passes through the NIC. After the addition of the extra bit, it theoretically transmits at 125 MHz.


Page 6 - 12

Slide Title: 4B5B Encoding Technique (100BASE-FX and 100BASE-TX)

Important Points to Cover: New diagram requested by Linda Richman. Thank you!

Encoding is red bold to emphasize this is an encoding scheme to differentiate it from the purpose of the next slide.

This is “nice to know” information but not needed to troubleshoot Fast Ethernet. Cover it quickly so you have time to present the stuff that will help them.

The codes do not directly map to the hex value of the byte, so don’t get hung up on the fact that a 1 maps to 01001 and F to 11101. The codes were defined to keep the number of sequential zeros less than 3 to maintain clock.

In 4B5B, every four bits will be sent out over five bit times.

Look at the beginning of the bit cell to see if there’s a transition. If there is, you’ve got a one, otherwise it’s a zero.

What makes 4B5B different from other encoding schemes is that the kind of transition is not always the same.

The transition order (+1,0,-1,0,+1,0…) tells us that if there is going to be a transition, this is where the signal goes.


4B5B Ternary Example

• 100BASE-TX uses MLT-3 ternary signaling
– Any signal change in TX is represented by circulating among three progressive levels: (+1, 0, -1, 0, +1, 0, -1, 0 ...)

• Hex 1F to 4B5B: 1 maps to 01001, F maps to 11101

• A transition = binary 1; No transition = binary 0
• Transition order: +1 0 -1 0 +1 0 -1 0 endlessly

[Figure: MLT-3 waveform across the levels +1, 0, -1 for the symbols of 1 and F. No transition present, so this is a binary 0. Transition present, so this is a binary 1.]

Each 4 bit nibble is translated into a 5 bit symbol. The five bit symbol for 1 is 01001, the 5 bit symbol for F is 11101.

What happens if you connect a 10 Mbps hub to a 100 Mbps port?

Autonegotiation signals will not be sent by the 10 Mbps hub, so the 100 Mbps hub will adjust the port to 10 Mbps.

The slow hub will send frames using Manchester encoding, the fast hub converts it to 4B5B encoding and uses MLT-3 ternary signaling to forward it out a fast port. It does the opposite conversion before forwarding any frames from the fast port to the slow port.


Page 6 - 13

Slide Title: 4B5B Ternary Example

Important Points to Cover: This is electrical signaling – how we get the bits we just converted from 4 bit patterns into 5 bit symbols.

Notice that after each group of four bits, there’s a transition. This transition does not provide data but is used for clocking.
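The 4B5B lookup and the two line codes described on the last two slides, carried through for hex 1F, as an added example that is not part of the course material. It assumes the standard 4B5B data code table (the slides quote only the entries for 1 and F), sends the high nibble first as the slide draws it, and leaves out any other PHY processing such as scrambling.

```python
# Added example, not from the course material: 4B5B block coding followed by
# NRZI (100BASE-FX) or MLT-3 (100BASE-TX) line signaling.

# Standard 4B5B data code groups. The slides quote two of them:
# 1 -> 01001 and F -> 11101.
FOUR_B_FIVE_B = {
    0x0: "11110", 0x1: "01001", 0x2: "10100", 0x3: "10101",
    0x4: "01010", 0x5: "01011", 0x6: "01110", 0x7: "01111",
    0x8: "10010", 0x9: "10011", 0xA: "10110", 0xB: "10111",
    0xC: "11010", 0xD: "11011", 0xE: "11100", 0xF: "11101",
}
FIVE_B_FOUR_B = {sym: nib for nib, sym in FOUR_B_FIVE_B.items()}

# MLT-3 transition order from the slide: +1, 0, -1, 0, +1, 0 ...
MLT3_CYCLE = (+1, 0, -1, 0)


def encode_4b5b(data, high_nibble_first=True):
    """Table lookup only: each 4-bit nibble becomes a 5-bit symbol.

    high_nibble_first=True follows the slide, which draws hex 1F as "1" then
    "F". That order is an assumption of this example; pass False to swap it.
    """
    out = []
    for byte in data:
        pair = (byte >> 4, byte & 0xF)
        for nibble in (pair if high_nibble_first else pair[::-1]):
            out.append(FOUR_B_FIVE_B[nibble])
    return "".join(out)


def decode_4b5b(bits, high_nibble_first=True):
    """Inverse lookup. Raises ValueError on a symbol that is not a data code."""
    if len(bits) % 10:
        raise ValueError("need a whole number of 10-bit byte groups")
    data = bytearray()
    for i in range(0, len(bits), 10):
        try:
            a = FIVE_B_FOUR_B[bits[i:i + 5]]
            b = FIVE_B_FOUR_B[bits[i + 5:i + 10]]
        except KeyError as exc:
            raise ValueError(f"invalid 4B5B data symbol {exc}") from None
        hi, lo = (a, b) if high_nibble_first else (b, a)
        data.append((hi << 4) | lo)
    return bytes(data)


def nrzi_levels(bits, start_level=0):
    """Two-state NRZI: a 1 toggles the level, a 0 holds it."""
    level, out = start_level, []
    for bit in bits:
        if bit == "1":
            level ^= 1
        out.append(level)
    return out


def mlt3_levels(bits, start_index=3):
    """MLT-3: a 1 steps to the next level in the cycle, a 0 holds the level.

    start_index=3 means the line rests at 0 and the next transition goes to +1.
    """
    idx, out = start_index, []
    for bit in bits:
        if bit == "1":
            idx = (idx + 1) % len(MLT3_CYCLE)
        out.append(MLT3_CYCLE[idx])
    return out


def bits_from_levels(levels, resting_level=0):
    """Receiver view: a change from the previous bit cell is a 1, else a 0."""
    prev, out = resting_level, []
    for level in levels:
        out.append("1" if level != prev else "0")
        prev = level
    return "".join(out)


def longest_zero_run(bits):
    """Length of the longest stretch with no transition (consecutive zeros)."""
    return max(len(run) for run in bits.split("1"))


if __name__ == "__main__":
    symbols = encode_4b5b(b"\x1f")
    print("4B5B ", symbols[:5], symbols[5:])
    print("NRZI ", nrzi_levels(symbols))
    print("MLT-3", mlt3_levels(symbols))
    # Within one symbol there are never more than two zeros in a row; across
    # a symbol boundary the run can reach three.
    print("worst zero run in a symbol:",
          max(longest_zero_run(s) for s in FOUR_B_FIVE_B.values()))
    print("worst zero run in a byte:  ",
          max(longest_zero_run(encode_4b5b(bytes([b]))) for b in range(256)))
```

Decoding the MLT-3 or NRZI levels with `bits_from_levels` returns the same ten bits, which is the "look for a transition at the start of the bit cell" rule from the notes.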


8B6T Encoding Technique (100BASE-T4)

• Based on a ternary symbol - meaning it may take on one of three values: 1, 0 or -1, also represented as +, 0 or -

• Each byte is mapped to a 6 bit-time ternary code symbol, called a 6T symbol
– (i.e., to represent 1F, the 6T code group is 0 - + 0 + -)
– A lookup table is used to convert the 8 bit byte into the 10 bit symbol

• Each 6T code symbol is fanned out onto the three pairs in round robin fashion

• Preamble is still 8 bytes in length
– A special pattern is used to help the receiver locate the beginning of data on each pair
– The receiver strips this pattern and returns an ordinary preamble to the MAC


Page 6 - 14

Slide Title: 8B6T Encoding Technique (100BASE-T4)

Important Points to Cover: This is “nice to know” information but not needed to troubleshoot Fast Ethernet. Cover it quickly so you have time to present the stuff that will help them.

The 802.3u spec defines a six part code for each byte.


8B6T Example

Taken from the 802.3u specification:

1F uses code word 0 - + 0 + -

Data octet   6T code group
00           + - 0 0 + -
01           0 + - + - 0
02           + - 0 + - 0
:            :
1F           0 - + 0 + -

[Figure: waveform of the code group 0 - + 0 + - across three levels: +3.5 Volts +/- 10%, 0 Volts +/- 50 mV, -3.5 Volts +/- 10%]


Page 6 - 15

Slide Title: 8B6T Example

Important Points to Cover: Cover quickly.


Data Frame Transmission in 8B6T

[Diagram: BYTES, each passed through “Convert to 6T code group”, then sent onto 3 (of the 4 pairs)]


Page 6 - 16

Slide Title: Data Frame Transmission in 8B6T

Important Points to Cover: As we showed earlier, 100BASE-T4 operates over four pairs of UTP wiring. Three are used for transmission, the fourth does collision detection.

Each byte goes to a different wire in a round robin fashion.


Maximum Collision Domain

• The physical size and number of repeaters is limited in order to meet the round-trip propagation delay requirements
– 100 meters (328 feet) is the maximum for each UTP link
– A maximum of two repeaters is allowed
– Two “classes” of repeaters are used (depending on their latency characteristics): Class I and Class II
– The maximum collision domain for Fast Ethernet over cat 5 UTP using one class I repeater is 200 meters (672.4 feet)
– Two class II repeaters extend it to 205 meters

• Because of these constraints, switches are frequently used to extend the distances.

The 512 bit-time propagation limitation still applies. However, 512 bit times equals only 5.12 micro-seconds. Therefore, the performance of the repeater determines the number of repeaters allowed. To make things easier, certain classifications regarding the repeater’s characteristics have been defined.


Page 6 - 17

Slide Title: Maximum Collision Domain

Important Points to Cover: Slide information is adequate.


Class I Repeaters

• Used to connect unlike physical signaling systems
• Only one Class I repeater can reside within a single collision domain when maximum cable lengths are used

• Standard Class I repeater has maximum round-trip delay of 140 bit times
– Late collisions result if limits are exceeded

[Diagram: Class I repeater joining a 100m UTP 100Base-TX link and a 100m UTP 100Base-T4 link; 200m in total]

Class one repeaters convert each incoming analog signal to digital before the data is placed on the backbone and repeated out. The digital data then must be converted back to analog at each port before it is sent out. This allows translation between different encoding, but adds latency to the repeater. For this reason, only one level one repeater is allowed in the collision domain.

[Diagram: repeater ports each labeled Analog and Digital, around the Backplane]


Page 6 - 18

Slide Title: Class I Repeaters

Important Points to Cover: A little more clarification has been added to help differentiate between Class 1 and 2 repeaters.

Because Class 1 repeaters can do translation between different cabling systems, it takes longer to repeat the signal.

This limits you to just one repeater due to the longer propagation delay.


Class II Repeaters

• Provide ports for only one physical signaling system type
– Timing constraints do not allow translation between 100BASE-TX and 100BASE-T4

• Have smaller internal delays so that two class II repeaters may reside within a given collision domain when maximum cable lengths are used

• Standard Class II repeater has 92 bits as its maximum round trip delay
– 67 bits for Class II repeaters with any T4 ports

[Diagram: two Class II repeaters joined by 5m UTP, each with a 100m UTP link to a node; 205m in total]

Class II repeaters repeat the analog signal BEFORE it is converted to digital. The latency of these repeaters is less, but no conversion between encoding can be done.

[Diagram: repeater ports each labeled Analog, with the labels Backplane and Digital]


Page 6 - 19

Slide Title: Class II Repeaters

Important Points to Cover: Because Class II repeaters cannot translate, they can forward the information much more rapidly. That allows for two in a collision domain.


Stackable Hubs Provide More Ports

• Stackable hubs are multiport repeaters
• Their backbones are connected with external cables to repeat all the frames
• The stack acts like a single repeater

[Animation: timing slowed for demonstration!]


Page 6 - 20

Slide Title: Stackable Hubs Provide More Ports

Important Points to Cover: New Slide.

Stackable hubs allow you to put a lot more devices in a collision domain than you could with single hubs.

Essentially the backbone is extended through the external cables so the stack acts like a single repeater.


Fiber Repeaters

• Fiber cabling allows much larger collision domains

• Fiber and UTP can be mixed
• Just be sure the end-to-end propagation delay does not exceed 512 bit times
+ Delay for each cable to the node (x2)
+ Delay for each repeater
+ Delay for cable between repeaters

[Diagram: two Class II repeaters joined by 18m Fiber, each with a 105m Fiber link to a node; 228m in total]


Page 6 - 21

Slide Title: Fiber Repeaters

Important Points to Cover: New Slide.

Since fiber optic is becoming quite common now, (especially on the backbone) this slide was added to show the optical repeater specifications.

The calculations for maximum collision domains need to add the delay of each wire based on type and length plus the delay of the repeater(s), expressed in bit times.

The Switched, Fast, and Gigabit Ethernet book mentioned on the front of this section has great information on how to calculate all the different combinations. If you carry a book with you, this is the one to carry.
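The bit-time calculation described above, worked for the topologies drawn on the repeater slides, as an added example that is not part of the course material. The repeater delays (140, 92, 67) and the 512 bit-time limit are the slides' figures; the per-metre cable delays and the end-node delays are assumptions taken from the IEEE 802.3u component delay table, not from this guide.

```python
# Added example, not from the course material: round-trip delay budget for a
# Fast Ethernet collision domain, in bit times (BT).

SLOT_TIME_BT = 512  # limit stated on the slides

# Repeater round-trip delays quoted on the Class I / Class II slides.
REPEATER_BT = {"class1": 140, "class2": 92, "class2_t4": 67}

# Assumed values (not on the slides), from the IEEE 802.3u component delay
# table: round-trip delay per metre of cable, and per pair of end nodes.
CABLE_BT_PER_M = {"cat3": 1.14, "cat5": 1.112, "fiber": 1.0}
NODE_PAIR_BT = {"tx_fx": 100, "t4": 138, "t4_and_tx_fx": 127}


def round_trip_bt(segments, repeaters, node_pair="tx_fx"):
    """Sum the worst-case path: both end nodes, every repeater, every cable.

    segments  -- list of (medium, metres) along the path between two nodes
    repeaters -- list of repeater kinds crossed on that path
    """
    cable = sum(CABLE_BT_PER_M[medium] * metres for medium, metres in segments)
    boxes = sum(REPEATER_BT[kind] for kind in repeaters)
    return NODE_PAIR_BT[node_pair] + boxes + cable


def check_domain(segments, repeaters, node_pair="tx_fx"):
    """Return the total, the margin left, and whether the path fits in 512 BT."""
    total = round_trip_bt(segments, repeaters, node_pair)
    return {
        "total_bt": round(total, 2),
        "margin_bt": round(SLOT_TIME_BT - total, 2),
        "ok": total <= SLOT_TIME_BT,  # over budget means late collisions
    }


def max_link_m(medium, other_segments, repeaters, node_pair="tx_fx"):
    """Longest extra cable of `medium` that still fits in the budget."""
    spare = SLOT_TIME_BT - round_trip_bt(other_segments, repeaters, node_pair)
    return max(0.0, spare / CABLE_BT_PER_M[medium])


if __name__ == "__main__":
    two_class2 = ["class2", "class2"]
    cases = {
        "one Class I, 2 x 100 m cat 5":
            ([("cat5", 100), ("cat5", 100)], ["class1"], "tx_fx"),
        "Class I, 100 m TX + 100 m T4":
            ([("cat5", 100), ("cat3", 100)], ["class1"], "t4_and_tx_fx"),
        "two Class II, 100 + 5 + 100 m cat 5":
            ([("cat5", 100), ("cat5", 5), ("cat5", 100)], two_class2, "tx_fx"),
        "two Class II, 105 + 18 + 105 m fiber":
            ([("fiber", 105), ("fiber", 18), ("fiber", 105)], two_class2, "tx_fx"),
        "two Class II, 100 + 20 + 100 m cat 5 (too long)":
            ([("cat5", 100), ("cat5", 20), ("cat5", 100)], two_class2, "tx_fx"),
    }
    for name, (segments, repeaters, nodes) in cases.items():
        print(f"{name}: {check_domain(segments, repeaters, nodes)}")
    print("max cat 5 between two Class II repeaters:",
          round(max_link_m("cat5", [("cat5", 100), ("cat5", 100)], two_class2), 2), "m")
```

With these component values the 205 m UTP and 228 m fiber layouts from the slides land right at the 512 bit-time limit, which is why the inter-repeater links are only 5 m and 18 m.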


Auto-Negotiation

• “The algorithm that allows two devices at either end of a link segment to negotiate common data service functions”
• RJ-45 connector may have any one of five different Ethernet signals: 10BASE-T, 10BASE-T full-duplex, 100BASE-TX, 100BASE-TX full-duplex or 100BASE-T4
• Both 100BASE-T NICs and hubs send a modified 10BASE-T link integrity test pulse sequence (called Fast Link Pulses - FLP)
– 10BaseT devices don’t understand the pulses and ignore them
– 100BaseT devices adjust to 10 Mbps when they receive 10BASE-T link pulses
• Hub and NIC automatically adjust their speed to the highest common denominator both can accommodate

[Diagram: a node asking “10 or 100? Full or half?” of a hub or switch, with OFF/ON settings. AUTO-NEGOTIATE! Useful if you’re unsure what you’re plugging into AND when upgrading to 100BASE-T hubs or cards]

10BASE-T link pulses are a single signal every 201 µs.

Fast Ethernet link pulses are bursts containing information about the capabilities of the adapter. They are used for all the faster Ethernet interfaces. Priority bits in the pulses identify the type of the device connection capabilities and are assigned as below. The highest common connection type is used for the connection.

Priority   Connection type
1          1000BASE-T full-duplex
2          100BASE-T2 full-duplex
3          100BASE-T2
4          100BASE-TX full-duplex
5          100BASE-T4
6          100BASE-TX
7          10BASE-T full-duplex
8          10BASE-T

Autonegotiation is a common source of incompatibility problems when using a 10/100 card from one vendor and a hub from another vendor.


Page 6 - 22

Slide Title: Auto-Negotiation

Important Points to Cover: Good coverage of this on pages 133 through 135 of the Seifert book.

Autonegotiation created a lot of problems in the early NICs. Not all vendors used the same algorithm and things worked OK until you introduced a new brand of NIC into the network. These early implementation problems are now corrected and most cards are compatible.

Most hubs allow you to turn autonegotiation off to force the network to specific parameters.

Autonegotiation is done on power up. Generally there are devices on the network that are never powered down, so they control the parameters of a broadcast segment.

The negotiation is done for a specific link. Most hubs and switches can negotiate on each port, so you may have a combination of 10 and 100 MB stations on the ports.

The pulses sent to negotiate are ignored by any cards that do not support it. 16 bit “pages” are sent that carry information that identifies the parameters. There is a larger discussion of these in the gigabit section.

Cards are able to differentiate between the link pulses, autonegotiation and data signals on the wire. The Sniffer will not capture any of these signals, so we will not see them in traces.

Autonegotiation is used only on 100 Mbps twisted pair networks. The IEEE has not been able to overcome the negotiation problems in fiber optic networks, so the ends of the links must be manually configured.

The Sniffer does not capture Fast Ethernet autonegotiation – the gigabit Sniffer Pro does.


10/100 Hubs and Switches

• There are many varieties of 10/100 hubs
– Hubs with separate linked backbones for each speed
  • Frames between different speed devices cross over the link
– 10 Mbps hubs with 100 Mbps uplinks
  • 10 Mbps traffic is aggregated onto the high speed uplink
  • The frames are buffered until they can be forwarded
  • Be sure the uplink is switched to enable longer distances

• Each 100 Mbps device autonegotiates the speed of the port
– Since 10BASE-T devices have no autonegotiate pulses, their port is set to 10 Mbps


Page 6 - 23

Slide Title: 10/100 Hubs and Switches

Important Points to Cover: New Slide.

Slide information is adequate.

This slide also answers the question of “what if I plug in the wrong Sniffer?” (We address it later, too.)

The best advice is to leave the 10/100 Ethernet card in your Sniffer set to autonegotiate the speed. Attach it to the network, then power it up. It will learn automatically the correct speed and begin to watch the frames even before you start any monitor or capture processes.

If you plug any 10/100 card into the wrong port, the worst that happens is the card (including the Sniffer) won’t see anything!


10/100 Flow Control

• Devices with a mixture of port speeds must provide buffers to hold the data between the high and low speed devices
– Flow control must be used to signal devices to stop sending data when the buffer is full
– Half-duplex uses back pressure signals


Page 6 - 24

Slide Title: 10/100 Flow Control

Important Points to Cover: New Slide.

This is a lead-in to the back pressure discussion and the exercise where we see two traces from a 10/100 autosensing hub.

There will be a delay between the 10 and 100 connections because of the bridging effect inside the hub or switch.


Back Pressure

• Switches send “back pressure” frames as a “busy signal” to end stations to prevent them from sending frames when the switch’s internal buffers have reached their capacity
– Switches that do not use back pressure or some other “flow control” mechanism will simply DROP FRAMES when their internal buffers cannot handle the traffic flow

• Frames are vendor-specific
– IEEE specifies this as preamble bits not followed by a start of frame delimiter. Not all vendors follow the spec
– Show up in the Sniffer hex window with 5555555555, AAAAAAAA, 202020202, 34343434, D0D0D0D0 patterns
– To determine your back pressure patterns, disable back pressure and capture a trace
  • If fragments are there, it is jam
  • If they are gone, it is back pressure

Switches discard frames when their buffers are full. This causes retransmissions at the higher layers, which degrades performance.

If the switch causes collisions when the buffer is full to keep from discarding frames, the backoff algorithm in the end station will keep incrementing the time the card waits to retransmit and will finally give up.

Back pressure eliminates this problem. By keeping the line busy with bits, the cards can transmit as soon as they sense the line is free and the backoff algorithm will not be started.
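The comparison described in the last bullets (capture with back pressure enabled, capture again with it disabled, and see which fragment patterns remain) can be scripted over exported frame bytes. This is an added example, not part of the course material or a Sniffer feature; the frames below are constructed sample data, and the 90% purity threshold and 4-byte minimum are assumptions of the example.

```python
# Added example, not from the course material: tell jam fragments from back
# pressure fragments by comparing two captures of the same segment.
from collections import Counter

MIN_FRAME_BYTES = 64  # anything shorter is a fragment
# Fill bytes behind the hex patterns listed on the slide.
SLIDE_FILL_BYTES = {0x55, 0xAA, 0x20, 0x34, 0xD0}


def fill_byte(frame, min_len=4, purity=0.9):
    """Return the repeated byte if `frame` is a fragment made almost entirely
    of one byte value, otherwise None. Thresholds are assumptions."""
    if not (min_len <= len(frame) < MIN_FRAME_BYTES):
        return None
    value, count = Counter(frame).most_common(1)[0]
    return value if count / len(frame) >= purity else None


def fill_fragments(capture):
    """Count single-pattern fragments in a capture, keyed by fill byte."""
    counts = Counter()
    for frame in capture:
        value = fill_byte(frame)
        if value is not None:
            counts[value] += 1
    return counts


def classify(bp_enabled, bp_disabled):
    """Apply the slide's rule: a pattern still present with back pressure
    disabled is jam; a pattern that disappears is back pressure."""
    on, off = fill_fragments(bp_enabled), fill_fragments(bp_disabled)
    report = {}
    for value in sorted(set(on) | set(off)):
        report[f"{value:02X}"] = {
            "enabled": on[value],
            "disabled": off[value],
            "verdict": "jam" if off[value] else "back pressure",
            "listed_on_slide": value in SLIDE_FILL_BYTES,
        }
    return report


# Constructed sample data (not taken from BACKPRES.CAP or any real trace).
FULL_FRAME = bytes(range(64))                           # stands in for normal traffic
MIXED_FRAGMENT = bytes.fromhex("55555555d5ffff0012ab")  # ordinary collision debris

CAPTURE_BP_ENABLED = [
    FULL_FRAME,
    bytes.fromhex("55" * 12),
    bytes.fromhex("55" * 9),
    bytes.fromhex("aa" * 10),
    bytes.fromhex("c7" * 16),   # vendor pattern that is not on the slide
    MIXED_FRAGMENT,
]
CAPTURE_BP_DISABLED = [
    FULL_FRAME,
    bytes.fromhex("aa" * 8),
    bytes.fromhex("aa" * 11),
]

if __name__ == "__main__":
    for pattern, row in classify(CAPTURE_BP_ENABLED, CAPTURE_BP_DISABLED).items():
        print(pattern, row)
```

Because the patterns are vendor-specific, the script reports any single-byte fill it finds and only flags whether that byte is one of the patterns the slide lists.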


Page 6 - 25

Slide Title: Back Pressure

Important Points to Cover: This slide discusses the features of back pressure and how to deal with and identify it in the network.

Demo: If you don’t have time for the exercise in class, show the BACKPRES.CAP and BACKPRES1.CAP trace files. If they will do the exercise, let them discover it.

Here is the text of an email from a former instructor while she was working at 3 Com about the BACKPRES.CAP trace. It is copied verbatim from the IFAQ.

The same patterns can be used as jams, too. I differentiate by looking at the fragments in the trace. (The suggestion in the last bullets are hers.) 3 Com calls it Intelligent Flow Management (IMF) in its documentation.

Here’s how it works: There’s an input buffer (size varies by device); let’s use 256k for our example. When the switch detects there’s 254k in the input buffer, it sends those signals to the network. The filling of the input buffer could mean the outbound segment is busy and the switch is having difficulty sending frames out, etc.

A few things to remember:

Since these are not valid frames, their only function is to trigger carrier detect on the cards on that segment. There is no meaning to their content.

Backpressure is a good thing! It looks like collisions, but keep this in mind. Ethernet cards are designed to backoff and retransmit if they detect a collision while transmitting. This takes microseconds. Backpressure will prevent them from transmitting in the first place or may cause a few collisions here and there (the switches don’t carrier sense before they output backpressure). Anyway, it’s the physical layer that handles this. If you disable backpressure, frames may be dropped at the switch. This means no collision occurs and the upper layer has to time out to detect the lost packet. With LLC this could be a matter of milliseconds. With TCP, this could be a matter of hundreds of milliseconds. That’s an eternity, especially on Fast Ethernet. Bottom line, leave backpressure on.

Thanks, Michelle!!!


Troubleshooting Fast Ethernet

• Troubleshooting Fast Ethernet is pretty much like troubleshooting 10 Mbps Ethernet

• Look for bad ports on the switch or hub
– Check the Dashboard Detail panel for error counts
– Look for corruption in the frame’s hex window

• Check if the collision domain is too large
– Collision domains are much smaller than 10BASE-T
– Are there too many repeaters in series?
– Is the fiber segment too large?
– Look for propagation delay clues in the frames: collision evidence late in the frame


Page 6 - 26

Slide Title: Troubleshooting Fast Ethernet

Important Points to Cover: The slide is self-explanatory.

Refer them back to the hubports exercise we did. The same technique applies in Fast Ethernet.


Troubleshooting Fast Ethernet

• Autonegotiation vendor incompatibilities
– Not all vendors implement
– TX idles simulate jabber that keeps network busy
  • View the Dashboard Detail panel for jabber and oversize frames
  • Look for garbage in the frames
– May autonegotiate to T4 assuming cable may not be category 5
  • Result is lower performance for the higher quality wiring
  • Turn off autonegotiate and enable TX with cat 5
  • Check your switch port information if this statistic is available


Page 6 - 27

Slide Title: Troubleshooting Fast Ethernet

Important Points to Cover: The slide is adequate.


Troubleshooting Fast Ethernet

• Cabling problems
– All RJ-45 jacks look alike. Cables coming into the wiring closet may come from a lower speed NIC and cause problems without autonegotiation
– Updated NIC may connect to old wires and cause degradation in the signals
– Look for evidence of physical corruption, CRC errors, jabber, etc., in the Dashboard Detail panel
– Check for a link light
– 100BASE-TX NICs plugged into 10BASE-T ports
  • Their idle signals can cause collisions on the 10BASE-T hub


Page 6 - 28

Slide Title: Troubleshooting Fast Ethernet

Important Points to Cover: The slide is adequate.


Fast Ethernet Exercises

Turn to the lab section to complete the Fast Ethernet exercises

• Fast Ethernet Troubleshooting and Back Pressure

• Fast Ethernet Problems


Page 6 - 29

Slide Title: Fast Ethernet Exercises

Important Points to Cover: Please do these two exercises. They teach valuable skills and give them another chance to work with Fast Ethernet and how it impacts the network.

Fast Ethernet Troubleshooting and Back Pressure

The first shows Fast Ethernet traffic. At the end are 2 trace files showing different types of backpressure.

If you run out of time, you could use these trace files to demonstrate the patterns.

The second exercise discusses some of the issues in the 10/100 autosensing hubs.

Look back to page 25 for the backpres.cap story. This is the story that came with the backpres2.cap file:

This trace came from a company that was having problems from a line running in the proximity of a generator in a warehouse using cat 5 cabling. The errors coming from the EMI were overflowing the buffer on the 10/100 switch so the switch was sending out the backpressure. To solve the situation the customer installed a fiber zip cord and it worked. This proves the point that the back pressure was not the problem but the EMI was. I hope this fills in the gaps for everyone. Michael "Mickey" Giovingo


Summary

In this section, you learned how to:
• Summarize the features of Fast Ethernet
• Differentiate the 100BASE-T4, 100BASE-TX, and 100BASE-FX implementations
• Recognize back pressure frames in a trace
• Attach Sniffer Pro to your Fast Ethernet networks
• Use the Sniffer Pro statistics and decodes to locate areas of concern


Page 6 - 30

Slide Title: Summary

Important Points to Cover: Review the section objectives and answer any remaining questions.

Target Time: Day two at afternoon break.


© Network Associates Ethernet Network Analysis and Troubleshooting: Full Duplex (Sniffer University 7-1)

Full Duplex Ethernet


Section 7 TNV-202-GUI Ethernet Network Analysis and Troubleshooting

Page 7 - 1

Slide Title: Full Duplex Ethernet

Section Timing: Start: Day 2 after break
Finish: Day 2 Approx. 3:00

Important Points to Cover: Section 7 title slide only.

Files: 07_fd_g.PPT 07_fd_g.DOC

Traces: None available – sorry!

This section looks back to Fast Ethernet and forward to Gigabit Ethernet. Both use Full Duplex.

Please remember this instructor guide is a living document. It is not complete to start and is intended to grow with time. Add to your own copy as you gain experience. Please e-mail suggestions to the course Subject Matter Expert (SME) for future updates to the course material.


Section Objectives

Upon completion of this section, you will be able to:
• Summarize the features of Full Duplex Ethernet
• Differentiate Full Duplex Ethernet standards and cabling
• Recognize Pause frames in the trace and why they are sent
• Attach Sniffer Pro Full Duplex pod to your Full Duplex Ethernet networks
• Configure Sniffer Pro’s full duplex features
• Use the Sniffer Pro statistics and decodes to locate areas of concern
• Attach the Full Duplex pod to analyze full duplex connections


Page 7 - 2

Slide Title: Section Objectives

Important Points to Cover: You will not have access to the FDX pod for this class.

This section, Full Duplex, has no exercises accompanying it and consists of many slides depicting configuration. How you handle these sections will depend on your comfort level with the material.

Since many students may have questions regarding how the Sniffer will handle Full Duplex and Gigabit, you have these sections as an overview.

References:

Fast Ethernet: Dawn of a New Network by Howard W. Johnson, 1996, Prentice Hall Publishing, ISBN 0-13-352643-7

Gigabit Ethernet, Technology and Applications for High Speed LANs by Rich Seifert, 1998, Addison Wesley Publishing, ISBN 0-201-18553-9

Switched, Fast and Gigabit Ethernet 3rd Edition by Robert Breyer and Sean Riley, 1999, Macmillan Technical Publishing, ISBN 1-57870-073-6


Full Duplex Communication

• Simultaneous Transmit and Receive on separate cables
• Eliminates collisions
• Must be supported by both hub and end-node
• Can allow full distance limitation of media (2km for fiber optic cable)
• Defined in the 802.3x Specification
• Many half-duplex switches have full-duplex uplink ports

[Diagram: Full Duplex Switch. A Switch connected to Half-duplex Workstations, Full Duplex Server or Routers, Full-duplex Power Users, and Full-duplex Uplinks]

Full duplex cards are usually practical only for servers with high levels of traffic on both the receive and transmit lines.

Adding a full duplex card to a workstation is only practical for one with a multi-tasking operating system running applications that require and can handle simultaneous read and write operations.


Page 7 - 3

Slide Title: Full Duplex Communication

Important Points to Cover: Each station has two cables: one to transmit to the port, the other to receive. They can send and receive simultaneously.

Because there are no collisions, the cables can be much longer.

Full duplex doubles the aggregate channel capacity, but does not double the maximum data transfer rate due to the nature of the traffic. Most connections send a lot of data in one direction and acknowledgements in the other direction. This imbalance will be most apparent in a client-server link between a single user and server. With a server or router connected to a backbone and many stations accessing them, the receive and transmit channels are more likely to have an equal amount of traffic.

Each link must be a dedicated connection. If they were shared, you’d need the CSMA/CD and all the advantages go out the window.


Where to Deploy Full Duplex Ethernet

[Diagram labels: Network Center Full Duplex Connections; Server Cluster attached full duplex; Faster Server Links; Campus Workgroup LANs, 10/100 Mbps Hubs and Switches; Workgroup Hubs; Router; Firewall; WAN (SONET, ATM or ISDN with H channels); Remote Router; Remote LAN]

Traffic management for frames going to non-duplex stations is handled by the internal buffering on the switch.


Slide Title: Where to Deploy Full Duplex Ethernet

Important Points to Cover:

In the backbone so edge devices can have full bandwidth in each direction.

In powerful servers that service many clients.

Anywhere there is a need for a huge fast pipe.

Note that it can be used in 10, 100 or 1000 Mbps networks.

This is a very simplified diagram. Most companies will have much larger configurations!


Switched Full Duplex

• Only two devices on the segment - the node and switch port
• Simultaneous receive and transmit
• No need to wait for carrier, always available
  – Queue up the frames and send immediately
• No collisions
  – No backoff delays
  – No Carrier Sense, No Multiple Access, No Collision Detection - No CSMA/CD!


Slide Title: Switched Full Duplex

Important Points to Cover:

Emphasize the first bullet.

Idea from Seifert: Ethernet has always been defined as CSMA/CD. If it didn’t do it, it was Token Ring, FDDI, Token Passing - you get the idea.

Now we have an environment that doesn’t do CS, isn’t MA and doesn’t need to do CD, but we still call it Ethernet!


Full Duplex Transmit

• Receive frame from the upper layer
• Transmit out the transmit port
• Wait interframe gap
• Transmit the next frame

[Diagram: successive frames on the transmit line, separated by the interframe gap (IFG)]


Slide Title: Full Duplex Transmit

Important Points to Cover:

This slide is animated.

If you have a frame to send, by golly, just put it on the wire!

If you have a bunch of frames to send, just keep pumping them out, but be sure to put the interframe gap for the technology between them so the receiver can catch its breath, send the frame up the stack and get ready to synch up for the next one.


Full Duplex Receive

[Flowchart: Wait; preamble 10101010...; decision boxes SFD?, My Address?, >512 Bits? and CRC Valid?, each with Yes and No branches; Assemble Frame; outcomes "Good Frame! Pass to higher layer protocol" and "Discard Frame"]


Slide Title: Full Duplex Receive

Important Points to Cover:

This is a modified version of the 10 Mb flow chart. A couple of things have been added here that were assumed in the 10 Mb chart: SFD recognition, frame assembly, address recognition.

The other one had so many things going on that we just didn’t have room for them there!

Question: Does the receiver need the gap to tell when the frame has ended?

Nope. It has the length field to tell it how long the frame is.


Full Duplex Flow Control

• Switches discard frames when their buffers overflow
• Full duplex transmission bursts can fill buffers, especially if different speed devices are conversing
• MAC Control Frames were developed to allow the switch to tell the nodes to throttle back
  – PAUSE is the only MAC Control frame defined today
• MAC Control frames are part of the Data Link Layer
  – Sent to a well-known address
  – Bridges and switches do not forward
  – The switch sends the PAUSE to the device on the TX wire
  – The NIC stops sending for the time specified in the PAUSE frame
  – The switch can send multiple PAUSE frames until the buffers reach the lower threshold


Slide Title: Full Duplex Flow Control

Important Points to Cover:

MAC frames in Ethernet????? And they still call it Ethernet???

The PAUSE is the only MAC frame defined yet. It is anticipated more will be added as needed.

These frames replace backpressure.


MAC Control Frame

Field                                      Bytes   Contents
Preamble and SFD                           8
Destination Address                        6       0180C2000001
Source Address                             6       Sending Station’s Address
Type = 8808                                2       MAC Control Frame Type
MAC Control Opcode                         2       PAUSE = 0001
MAC Control Parameters, Pad to 44 bytes    44      Pause time in 512 bit-time increments
CRC                                        4

The destination address is a multicast address that has previously been reserved. Only stations that support the PAUSE function will accept the frame.

All MAC Control frames will be type 8808.

The opcode specifies the type of control frame. PAUSE frames are opcode 0001 and are the only MAC Control frames currently defined. They are sent by either side when their buffer is full and are used to notify the receiving side to wait a certain period of time before sending more frames.

A time is included in the MAC Control Parameter field that indicates the amount of time the receiver must wait. It is measured in 512-bit times so it is specific to each data rate. It can be used for 10, 100 and 1000 Mbps Ethernet. 10 Mbps will be 51.2 µsecond increments, 100 Mbps is 5.12 µseconds, 1000 Mbps is 512 nanosecond increments.

The station can modify the wait time by sending a new PAUSE frame with the timer set either shorter or longer to reflect current buffer conditions.
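A worked decoder for the frame layout above, as an added example that is not part of the course material: it checks the Type and opcode, reads the pause time, converts it to microseconds for a given line rate, and totals how long a station was held off across a trace when later PAUSE frames replace the running timer. The function names, the sample MAC address and the trace are constructed for illustration, and frames are assumed to start at the destination address with preamble, SFD and CRC already stripped.

```python
import struct

PAUSE_DEST = bytes.fromhex("0180C2000001")  # reserved multicast address (from the slide)
MAC_CONTROL_TYPE = 0x8808                   # Type field of every MAC Control frame
PAUSE_OPCODE = 0x0001                       # the only opcode the slide defines
QUANTUM_BITS = 512                          # pause time is counted in 512 bit-times
MIN_FRAME_NO_CRC = 60                       # 6 + 6 + 2 + 2 + 44 bytes, CRC not included


def quanta_to_us(quanta, mbps):
    """Convert a pause time to microseconds at the given line rate in Mbps."""
    return quanta * QUANTUM_BITS / mbps     # bits / (bits per microsecond)


def parse_pause(frame):
    """Parse a frame that starts at the destination address.

    Returns None if it is not a PAUSE frame, otherwise a dict with the sender,
    the pause time in quanta and notes on anything unexpected in the frame.
    """
    if len(frame) < 18:
        return None
    dst, src, ethertype, opcode, quanta = struct.unpack("!6s6sHHH", frame[:18])
    if ethertype != MAC_CONTROL_TYPE or opcode != PAUSE_OPCODE:
        return None
    notes = []
    if dst != PAUSE_DEST:
        notes.append("destination is not 01-80-C2-00-00-01")
    if len(frame) < MIN_FRAME_NO_CRC:
        notes.append("shorter than 60 bytes before CRC (pad missing)")
    elif any(frame[18:MIN_FRAME_NO_CRC]):
        notes.append("non-zero bytes in the pad area")
    return {"src": src.hex("-"), "quanta": quanta, "notes": notes}


def paused_time_us(trace, mbps):
    """Total time one link partner was told to stay quiet, in microseconds.

    trace is a time-ordered list of (timestamp_us, frame_bytes) from one
    channel. A new PAUSE replaces the running timer, shorter or longer.
    """
    total = 0.0
    start = end = None
    for ts, frame in trace:
        info = parse_pause(frame)
        if info is None:
            continue                         # ordinary data frame
        if end is not None:
            total += min(end, ts) - start    # old timer expired or was replaced at ts
        start, end = ts, ts + quanta_to_us(info["quanta"], mbps)
    if end is not None:
        total += end - start
    return total


def build_pause(src_hex, quanta, dst=PAUSE_DEST):
    """Build a constructed PAUSE frame, zero padded to 60 bytes."""
    head = dst + bytes.fromhex(src_hex) + struct.pack(
        "!HHH", MAC_CONTROL_TYPE, PAUSE_OPCODE, quanta)
    return head.ljust(MIN_FRAME_NO_CRC, b"\x00")


SWITCH = "00a0c9112233"                      # constructed sender address
SAMPLE_TRACE = [                             # constructed trace, timestamps in microseconds
    (0.0, build_pause(SWITCH, 0x0100)),      # 256 quanta
    (500.0, build_pause(SWITCH, 0x0200)),    # longer timer sent before the first expires
    (10000.0, build_pause(SWITCH, 0x0010)),  # new pause after the link had resumed
    (10020.0, build_pause(SWITCH, 0)),       # timer shortened to zero
    (20000.0, bytes.fromhex("ffffffffffff" + SWITCH + "0806") + bytes(46)),  # not a PAUSE
]

if __name__ == "__main__":
    for rate in (10, 100, 1000):
        print(rate, "Mbps: one quantum =", quanta_to_us(1, rate), "us,",
              "paused for", round(paused_time_us(SAMPLE_TRACE, rate), 3), "us")
```

The same pause time field means a different wall-clock delay at each speed, so the line rate of the captured channel has to be known before the totals mean anything.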


Slide Title: MAC Control Frame

Important Points to Cover:

The 8808 type field identifies this as a MAC Control frame.

The opcode indicates which type of MAC frame. Right now the only one is 0001 for the PAUSE.

The time is always listed in 512 bit-time intervals. Conceivably they can be used for all speeds - the spec was written with that in mind.

Later on there may be control frames that need more fields. Space is reserved for more parameters.

Question: Does the full duplex Sniffer capture these control frames?


400+ Mbps Full Duplex

• 802.3ad specifies link aggregation
• Port aggregation allows up to four full-duplex Fast Ethernet ports to be aggregated into what appears as a single high speed link
• Each channel runs 100 Mbps in each direction
• Can be used only in point-to-point configurations
• Some links can be configured as standby links
  – Failure of a primary link automatically switches the traffic to the backup link
• Device drivers and software configure full-duplex adapters
• NAI’s DSPro has a card that can sniff these links

NAI sells a four port Ethernet adapter and tap card for DSPro Agents which allows you to designate all four ports as an EtherChannel.

The TNV-201-DSP course has more information on this card.


Slide Title: 400+ Mbps Full Duplex

Important Points to Cover:

New Slide.

This slide is here to answer questions from students about whether the Sniffer can capture on these high-speed links.

DO NOT try to give them details here. It is only for the DS Pro and we cover this card and all the other non-portable solutions in the TNV-201-DSP class.


Full Duplex Sniffer Pro


Slide Title: Full Duplex Sniffer Pro

Important Points to Cover:

Title page to lead into covering the Sniffer.


Create an Agent for the Pod

• File > Select Settings
  1 Choose the Ethernet card
  2 Choose the FDX pod
  3 IP address should fill in one higher than your card’s address

Pod initializes when you click OK

When configuring the new agent, you must select the Ethernet network card before you check the Full Duplex pod radio button. This will enable the IP address box.

The Host adapter must be configured with a fixed IP address. DHCP for the host is not supported. Set the pod’s IP address one higher than the address of the Ethernet card in your computer if the address is not automatically sensed.


Slide Title: Create an Agent for the Pod

Important Points to Cover:

Remind them the system requirement and pod information was covered in section two so we haven’t repeated it here.

Use the familiar File > Select Settings to create the new agent.

First select the Ethernet adapter in the PC.

When you select the Full Duplex pod in the Netpod type field, the IP address becomes active.

Important: the IP address for the pod must be one host number higher than the address of the Ethernet card. They can use Ipconfig.exe or open the Windows network window to get the address if they don’t know it.

When you click OK on this screen and select it from the Select Settings window, you’ll see some progress report messages as the code is downloaded to the pod.

If all goes well, you should see the Sniffer window open and the agent name and pod speed show up in the title bar.


Set Line Speed

• Before you start a capture, check the line speed settings in Tools > Options > Full Duplex Pod


Slide Title: Set Line Speed

Important Points to Cover:

The first thing you need to do is set the line speed of the link.

Use Tools > Options > Full Duplex pod tab window to do that. All of the choices are shown in the drop-down list.


Two Memory Pools

• Pod Memory
  – The physical memory installed in the box
  – Up to 512 MB
  – Frames from the network are copied here
• Sniffer PC Memory
  – Set through the Buffer tab on Capture Filters
  – Frames from the pod are copied here


Slide Title: Two Memory Pools

Important Points to Cover:

This is preparation for the next slide that shows the options you have in capturing this traffic.

Explain it quickly and move on.


Two Transfer Modes

• Set by clicking the icons on the toolbar or the Capture Menu
• Stream Mode
  – The pod streams the data to the analyzer application as it is captured off the network
  – Counts appear in the Sniffer window
• High Speed Capture Mode
  – The data is held in the pod buffer until the capture is stopped
  – Use this mode when you are capturing from a very busy network
  – You can set the options to stop the capture when the buffer is full
• The frames are transferred to the PC for analysis


Slide Title: Two Transfer Modes

Important Points to Cover:

Stream Mode – the pod sends the frames to the Sniffer PC as they arrive on the network. The pod may miss capturing some frames as the frames are transferred to the PC on very busy networks.

The software decodes the frames and shows statistics, but does not do real-time Expert analysis.

You must stop the capture and upload the frames to the PC before you get Expert analysis.

High Speed Capture Mode is used on very busy networks. This allows you to focus on capturing the frames without the holes introduced in Stream Mode.

You’ll want to watch the buffer dial to make sure you stop the capture before the pod buffer recycles and writes over the first frames. You can also configure the Sniffer to stop when the pod buffer is full and upload the frames to the PC.

How? Read on…


Pod Buffer Action Configuration

Capture > Define Filter > Full Duplex Pod


Slide Title: Pod Buffer Action Configuration

Important Points to Cover:

This configuration sets the actions on the pod buffer.


Sniffer Buffer Action Configuration

• Capture > Define Filter > Buffer
• Set the Sniffer Buffer actions here
  – Same options as other Sniffers


Slide Title: Sniffer Buffer Action Configuration

Important Points to Cover:

This panel controls the PC buffer actions. There are no unique Full Duplex settings here.


Capture Panel Display Window

[Screenshot: capture panel with View Both selected, shown when you start a capture from the capture menu or icon; Sniffer Statistics and Pod Statistics panels]

The Decode window Summary panel shows the channel number as [A] and [B] in the Status column


Slide Title: Capture Panel Display Window

Important Points to Cover:

This is the display when you have enabled the View Both option.

PC statistics at the top.

Pod statistics at the bottom.

The graphs on the lower panel are color-coded for each channel.

The pod counts show numbers for each channel and total counts.


Special Icons on the Toolbar

• View Full Duplex Pod Only
  – Provides statistics for the capture session on the pod itself
• View Sniffer Only
  – Standard capture panel display and more
  – Provides run-time statistics for the capture session on the PC
• View Both
  – Split screen to show statistics for both


Slide Title: Special Icons on the Toolbar

Important Points to Cover:

These icons control which panels are open on the Sniffer capture screen.

You can select just the Sniffer PC counts, just the pod counts or both.


Pod Gauges

• Frames Received per second on each channel
• Percentage of free memory on each channel
• Number of errors per second received on each channel


Slide Title: Pod Gauges

Important Points to Cover:

Slide is self-explanatory.


Setting Pod Properties

• Click the Properties icon in the Full Duplex pod window or click the right mouse button over the capture window and select the Properties option
• Identify shows:
  – Pod version
  – Pod IP Address
  – Pod Ethernet Mac Address
  – Connection mode
  – Line Speeds
  – Total Memory

Pod Version number specifies the version of the software on the pod

IP Address shows the IP address assigned to the pod

MAC Address shows the hardware address of the Ethernet adapter in the pod

Connection shows whether the pod is set to passthrough or terminate mode

Channel A Line Speed shows the line speed of the network segments attached to Channel A

Channel B Line Speed shows the line speed of the network segments attached to Channel B

Total Memory shows the amount of memory installed on the pod (in DIMMs)


Slide Title: Setting Pod Properties

Important Points to Cover:

Slide is self-explanatory.


Address Filters

• If Mode is set to Include and you set address filters with less than or equal to 16 sources and 16 destinations, the filter is applied as a hardware filter
• If Mode is set to Exclude or if you have more than 16 sources or 16 destinations, the filter is applied as a software filter

Type of address filter    # Sources    # Destinations
                          2            2
                          1            0
                          0            1
                          1            1

“Any” does not count as a source or destination

Hardware filters are applied at the pod as the frames are captured from the network. The frames excluded by hardware filters are not saved in the pod buffer.

Software filters are applied by the Sniffer application to the frames uploaded from the pod buffer to the Sniffer buffer.


Slide Title: Address Filters

Important Points to Cover:

Slide is self-explanatory.


Filters in High Speed Captures

• When capturing in high speed at full line rate, address filters are particularly helpful
• When the mode is set to High Speed, the frames are stored in the pod buffer until the capture is stopped
• Limiting the frames that are accepted ensures you will have the frames needed to isolate the problem
• When hardware filters are in effect, the pod will automatically filter out all frames shorter than 55 bytes, CRC included


Slide Title: Filters in High Speed Captures

Important Points to Cover:

Slide is self-explanatory.

Set capture filters to save room for what you need to see!


Error Frames with the Full Duplex Pod

Frame Size     <51+4      >50+4 & <60+4    60+4 to 1514+4    >1514+4 & <4082+4    >4082+4
Valid CRC      Illegal    Runt             Normal            Oversized            Illegal
Invalid CRC    Illegal    Fragment         CRC               Jabber               Illegal

(frame sizes in bytes + CRC)

For more details, see Appendix A in the Full Duplex Product Manual on your student CD.


Slide Title: Error Frames with the full Duplex Pod

Important Points to Cover:

Slide is self-explanatory.

If you want more details, look at Appendix 2 in the Full Duplex pod use documentation on the student CD.


2 LAN Sniffer Pros in Full Duplex

• Interim solution when you don’t have an FDX pod

[Diagram: a Fast Ethernet 100 Mbps splitter between the Server and the Fast Ethernet Switch, with two Fast Ethernet Sniffer Pro Analyzers attached. Sniffer Port 1 receives data from Server Receive/Switch Transmit. Sniffer Port 2 receives data from Server Transmit/Switch Receive.]


Slide Title: Using 2 LAN Sniffer Pros in Full Duplex

Important Points to Cover:

This is the same diagram we had before. It is possible to use two regular Fast Ethernet Sniffers attached to a splitter to capture each channel separately.

Remind them to time synchronize them as close as they can before they start to capture and start the capture as simultaneously as they can.

They will need to match request and reply sequences in the frames to line up the frames for comparison.

Once they have the trace files saved, both can be opened in Sniffer Pro and their windows set side by side to compare them directly as we did in the hubports exercise.


Summary

In this section, you learned how to:
• Differentiate Full Duplex Ethernet standards and cabling
• Recognize Pause frames in the trace and why they are sent
• Attach Sniffer Pro Full Duplex pod to your Full Duplex Ethernet networks
• Configure Sniffer Pro’s full duplex features
• Use the Sniffer Pro statistics and decodes to locate areas of concern
• Attach the Full Duplex pod to analyze full duplex connections


Slide Title: Summary

Important Points to Cover:

Review the section objectives and answer any remaining questions.

Target Time: Day 2 at 3:30


Gigabit Ethernet

Section 8 TNV-202-GUI Ethernet Network Analysis and Troubleshooting

Slide Title: Gigabit Ethernet

Section Timing: Start: Day 2 late-afternoon
Finish: Day 2 Approx. 5:00

Important Points to Cover:

Section 8 title slide only.

Files: 08_gig_g.PPT 08_gig_g.DOC

Traces: GBautonegotiation.cap GB.cap 8021q-gig.cap

Exercise: Gigabit Traffic

This section was updated to reflect the new technologies customers are beginning to employ in their networks.

There should be a gigabit dummy driver defined on the class Sniffers. There is a warning that Monitor mode is disabled. Just click OK to move beyond it.

This will enable you to create a new agent and show the features of the Sniffer.

Please remember this instructor guide is a living document. It is not complete to start and is intended to grow with time. Add to your own copy as you gain experience. Please e-mail suggestions to the course Subject Matter Expert (SME) for future updates to the course material.


Section Objectives

Upon completion of this section, you will be able to:
• Summarize the features of Gigabit Ethernet
• Differentiate Gigabit Ethernet standards and cabling
• Summarize 1000Base-SX, 1000Base-LX, 1000Base-CX and 1000Base-T implementations
• Attach Sniffer Pro to your Gigabit Ethernet networks
• Configure Sniffer Pro’s gigabit-specific features
• View the autonegotiation process in the Sniffer and determine if there is a problem
• Use the Sniffer Pro statistics and decodes to locate areas of concern


Slide Title: Section Objectives

Important Points to Cover:

Cover the objectives quickly.

We do have dummy drivers so you can show the Gigabit screens.

Practice with them so you can present the information in this section.

References:

Gigabit Ethernet, Technology and Applications for High Speed LANs by Rich Seifert, 1998, Addison Wesley Publishing, ISBN 0-201-18553-9

Switched, Fast and Gigabit Ethernet 3rd Edition by Robert Breyer and Sean Riley, 1999, Macmillan Technical Publishing, ISBN 1-57870-073-6


Gigabit Overview

• 1000 Mbps Ethernet is able to transmit a frame at ten times the data rate of 100 Mbps Ethernet
• It allows you to use familiar Ethernet technology while providing much higher bandwidth
• The standard using optical cabling is defined in 802.3z addendum
• 802.3ab addendum defines the Physical Layer parameters for 4-pair over Cat 5 balanced copper cabling
• Switches with 10/100 and Gigabit ports link legacy networks into high speed Gigabit backbones
  – Frequently used in server clusters, links between switches and servers
  – Some implementations even allow you to aggregate 1000BASE-X or 1000BASE-T segments into 10 Gigabit links
• Check the Gigabit Ethernet Alliance www.gigabit-ethernet.org

The aggregate data rate of 100 Mbps is achieved by transmission at a data rate of 250 Mbps over each UTP wire pair. Full duplex transmission allows symbols to be transmitted and received on the same wire pairs at the same time. Baseband signaling with a modulation rate of 125 Mbaud is used on each of the wire pairs. The period for each symbol is 8 ns.


Slide Title: Gigabit Overview

Important Points to Cover:

You may want to poll the class to see what their plans are for gigabit vs. ATM.

Review the bullets quickly.


Deploying Gigabit Ethernet

[Diagram labels: Network Center Gigabit Backbone Connections; Server Cluster with Gigabit connections; Campus 10/100 Mbps Hubs and Switches with Gigabit Uplinks; Workgroup LANs; Workgroup Hubs; Router; Firewall; WAN (SONET, ATM or ISDN with H channels); Remote Router; Remote LAN]

Due to the cost of Gigabit switches, only high throughput links will initially use or need Gigabit Ethernet.


Slide Title: Deploying Gigabit Ethernet

Important Points to Cover:

One last slide like this.

Early implementations will concentrate these very expensive high speed connections where the highest levels of traffic exist.

Fast Ethernet switches for the LANs will have gigabit uplinks to multiplex the traffic onto the high speed backbone.

Later slides address the move to gigabit to the desktop.


IEEE Gigabit Data Link Layer

• Uses the Physical Layer of the Fiber Channel
• Uses the MAC and LLC layers of the 802.3 specification
• Increases data rate to 1.25 Gbps

[Diagram: the ANSI X3T11 Fibre Channel stack (FC-4 Upper Layer Mapping, FC-3 Common Services, FC-2 Signaling, FC-1 Encode/Decode, FC-0 Interface and Media) beside the IEEE 802.3 Ethernet stack (IEEE 802.3 LLC, IEEE 802.3 CSMA/CD, IEEE 802.3 Physical Layer), and the resulting IEEE Networks (1000Base-3z) stack: Network Layer; Data Link Layer with IEEE 802.3 LLC and CSMA/CD or Full Duplex MAC; 8B/10B Encode/Decode; Serializer/Deserializer; Connector]

The Gigabit Ethernet standard draws from two separate specifications. The Physical layers are derived from the ANSI X3T11 Fibre Channel specification.

The Data link layers are derived from the IEEE 802.3 Ethernet specification that specifies CSMA/CD for half duplex or full duplex rules for media access control. The LLC layer is moved intact from the IEEE specification.


Slide Title: IEEE Gigabit Link Layer

Important Points to Cover:

Don’t spend much time on it here, since it is mainly FYI stuff.


Physical Limitations of Shared Gigabit

• Using the standard Ethernet specifications for copper wire, the half-duplex network diameter would be reduced to 20 meters - not very practical!
• Carrier extension is used to extend the frame so the diameter can be extended to 200 meters using fiber or copper media
  – Different cables yield higher diameters
  – This compares to the 200 meter limit for 100Mbps Ethernet over copper
  – Only one repeater (hub) can exist between any two devices on the network

The large number of cable choices allows for a maximum network diameter to range from 200 meters with category 5 UTP to 550 meters using 1300 nm single mode 500 MHz/km fiber at attenuation 2.32 all the way to 5000 meters using 1300 nm single mode 10/125 µm cables fiber at attenuation 4.5.


Slide Title: Physical Limitations of Shared Gigabit

Important Points to Cover:

A VERY small collision domain IF you use it in a half-duplex configuration.

Emphasize again we are still building on the old 10Base5 specs if we are going to share the media.


Gigabit Carrier Extend

• Carrier Extend is used in Half Duplex gigabit Ethernet to extend frames less than 512 bytes to the slot time minimum (4096 bit-times)
  – Fills the Inter Frame Gap (IFG) in burst mode
  – This allows collisions to be sensed on shared media while both sides transmit, but contributes a lot of overhead to each small frame!
  – The standards committee wanted to provide backward compatibility even though this is impractical
  – It also appears at the end of some full-duplex frames

P | DA | SA | L/T | DS | SS | Ctr | Data | F | Carrier Extend 448-1 bytes

64 + 448 = 512 byte minimum

Most Gigabit implementations will use Full Duplex mode to enable long cable lengths.

P     Preamble
DA    Destination Address
SA    Source Address
L/T   Length/Type
DS    Destination SAP
SS    Source SAP
Ctr   LLC Control (A SNAP header not shown here may follow this field)
Data  Frame data
F     Frame Check Sequence (CRC)

Carrier Extend allows the network diameter to remain at the 200 meter limit used by Fast Ethernet over twisted pair media.

This is also inefficient. If a device only has 64 bytes of data to send (a minimum-length Ethernet frame), it still must send 512 bytes, most of which is only a carrier signal.

It imposes a great deal of overhead for a network where smaller frames predominate.

Page 482: Ethernet Network Analysis and Troubleshooting

Section 8 TNV-202-GUI Ethernet Network Analysis and Troubleshooting

Page 8 - 7

Slide Title: Gigabit Carrier Extend

Important Points to Cover: This is a multi-faceted tool.

Extend small frames to the 512 byte minimum in half-duplex so all stations will hear the transmission and wait to transmit.

Fill the interframe gap in burst mode (covered on the next slide).

One or more inserted between each frame in full-duplex mode.

The Carrier Extend length is purposely written as 448 – 1 bytes, since it is dependent on how long the frame is.

Page 483: Ethernet Network Analysis and Troubleshooting

Carrier Extend in the Sniffer

• Turn on 10 Bit decodes from the Hex right-click menu
– This frame was captured from a full duplex network
• Note the [A] channel indicators
• Even the 1472 byte frame 23 has one Carrier_Extend field

Page 484: Ethernet Network Analysis and Troubleshooting

Section 8 TNV-202-GUI Ethernet Network Analysis and Troubleshooting

Page 8 - 8

Slide Title: Carrier Extend in the Sniffer

Important Points to Cover: This shows how to enable the Sniffer to display the 10 bit codes.

This may help in resolving vendor interoperability problems.

Page 485: Ethernet Network Analysis and Troubleshooting

Frame Bursting Part One

• Frame bursting is used to overcome the overhead of carrier extend
• The first frame is transmitted using the normal procedures for half-duplex Gigabit Ethernet
• A frame burst timer is started to allow transmissions of up to 64 Kbits
• If additional frames are queued for transmission and the 64 Kbit timer has not expired, two things happen:
– The first frame is followed by carrier extend
– The next frame is transmitted

Page 486: Ethernet Network Analysis and Troubleshooting

Section 8 TNV-202-GUI Ethernet Network Analysis and Troubleshooting

Page 8 - 9

Slide Title: Frame Bursting Part One

Important Points to Cover: If the station has multiple frames queued in its transmit buffer, packet bursting allows it to send them until the 64 Kbit timer runs out.

The station waits until there is no carrier sensed, then it begins to transmit the first frame. It extends it to the slot time if it is short.

If a collision occurs, it backs off and waits its turn to transmit.

When the first frame is out, it keeps the line busy by transmitting nondata symbols (carrier extension symbols) to fill the interframe gap, then it transmits the second frame.

It can continue to transmit frames separated by carrier extend until the 64 Kbit timer runs out (8192 bytes). If it has a frame in process, it finishes sending it, then yields the line.

Collisions should not occur during the burst, since all stations should hear carrier and wait. If the collision domain limit is exceeded or a device has failed, it may cause a late collision. If this occurs, the adapter stops transmitting data and starts jamming, then it backs off and retries, starting the process over again.

Packet bursting is not used in full-duplex, since the station owns the wire in each direction and has full bandwidth to transmit at all times.

Page 487: Ethernet Network Analysis and Troubleshooting

Frame Bursting Part Two

• The process is repeated until there is no more data to send or until the timer expires
• If the 64 Kbit limit is reached during the transmission of a frame, that frame may be completely sent
– In many cases a station could theoretically transmit more than 64 Kbits
– The actual maximum bits that could be sent would be seen where the 64 Kbit limit is reached on the first bit of a maximum-length frame
– In this case, the total bits transmitted would be 64 Kbits plus the length of that frame which would be 1518 bytes or 12,144 bits
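The carrier extension overhead and the 64 Kbit burst timer from the Carrier Extend and Frame Bursting slides can be put into numbers. The following is an added example, not part of the course material: the function names are hypothetical, the 96-bit interframe gap is the standard Ethernet value rather than a figure from these slides, and the model ignores the preamble and checks the burst timer at the first bit of each follow-on frame.

```python
# Added example: wire cost of half-duplex Gigabit Ethernet with and without
# frame bursting. Simplified model (assumptions): preamble is not counted and
# the burst timer is tested at the first bit of each follow-on frame.

SLOT_BITS = 4096              # slot time minimum (512 bytes)
BURST_LIMIT_BITS = 64 * 1024  # 64 Kbit burst timer (8192 bytes)
IFG_BITS = 96                 # interframe gap, filled with extension symbols in a burst
MIN_FRAME_BYTES = 64
MAX_FRAME_BYTES = 1518


def frame_bits(frame_bytes):
    """Length of a frame in bits, rejecting sizes outside 64..1518 bytes."""
    if not MIN_FRAME_BYTES <= frame_bytes <= MAX_FRAME_BYTES:
        raise ValueError(f"frame length {frame_bytes} outside 64..1518 bytes")
    return frame_bytes * 8


def extended_bits(frame_bytes):
    """Bits on the wire for a frame sent on its own: short frames are
    carrier-extended up to the slot time."""
    return max(frame_bits(frame_bytes), SLOT_BITS)


def send_without_bursting(queue):
    """Every frame contends separately, so every short frame pays for extension."""
    return sum(extended_bits(n) for n in queue)


def send_with_bursting(queue):
    """Return a list of (frames_in_burst, wire_bits) for the queued frame lengths."""
    bursts = []
    i = 0
    while i < len(queue):
        # First frame of a burst follows the normal half-duplex rules.
        elapsed = extended_bits(queue[i])
        count = 1
        i += 1
        # Follow-on frames are not extended. The gap before each one is filled
        # with extension symbols so the other stations keep sensing carrier.
        # A frame that starts before the timer expires is sent completely.
        while i < len(queue) and elapsed + IFG_BITS < BURST_LIMIT_BITS:
            elapsed += IFG_BITS + frame_bits(queue[i])
            count += 1
            i += 1
        bursts.append((count, elapsed))
    return bursts


def efficiency(queue, wire_bits):
    """Fraction of the transmitted bits that belong to real frames."""
    return sum(frame_bits(n) for n in queue) / wire_bits


if __name__ == "__main__":
    queue = [64] * 200  # constructed workload: 200 minimum-length frames
    plain = send_without_bursting(queue)
    bursts = send_with_bursting(queue)
    burst_total = sum(bits for _, bits in bursts)
    print("no bursting:", plain, "bits, efficiency", efficiency(queue, plain))
    print("bursting:   ", burst_total, "bits in", len(bursts), "bursts,",
          "efficiency", round(efficiency(queue, burst_total), 3))
    worst = max(bits for _, bits in send_with_bursting([1518] * 7))
    print("longest burst of 1518-byte frames:", worst, "bits")
```
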

Page 488: Ethernet Network Analysis and Troubleshooting

Section 8 TNV-202-GUI Ethernet Network Analysis and Troubleshooting

Page 8 - 10

Slide Title: Frame Bursting, Part Two

Important Points to Cover: Notes on previous page cover this page.

Page 489: Ethernet Network Analysis and Troubleshooting

Problems of Shared Media

• Using hubs requires that all devices share the media to form a single collision domain
• Even with frame bursting, the overhead of carrier extension is still significant
• A topology with a maximum diameter of 200 meters is not workable in many large environments
• Therefore, shared media hubs are probably not a practical option with Gigabit Ethernet
– All vendors offer Full-duplex switches to overcome the inefficiencies

Page 490: Ethernet Network Analysis and Troubleshooting

Section 8 TNV-202-GUI Ethernet Network Analysis and Troubleshooting

Page 8 - 11

Slide Title: Problems of Shared Media

Important Points to Cover: Review the bullets quickly.

This is a quick recap of the problems of shared media and why full duplex is the choice for everyone.

Emphasize again the IEEE chose to build on the old 10Base5 specs for backward compatibility.

But fortunately they moved on to create an environment where Gigabit can really speed things up.

Page 491: Ethernet Network Analysis and Troubleshooting

Full-Duplex, Switches & Jumbo Frames

• Gigabit switches will be the solution of choice
– Since switches act like bridges - each port is a separate collision domain
– Switches can be connected in a hierarchical fashion to extend the network without the concern of collision detection
• Most switches offer full-duplex ports which will effectively double the potential throughput to 2 Gbps and extend the cable length.
• Many 100 Mbps hubs and switches will be equipped with gigabit uplink ports to provide connectivity with the network’s gigabit backbone
• Pause frames are used for flow control
• Jumbo frames are now allowed
– Up to 9,000 bytes!

Single mode fiber increases the length of the cable substantially. One vendor supports single mode cable lengths up to 9 miles.

Since sending frames requires CPU processing, sending a lot of small frames is inefficient. By allowing servers to send large frames, the CPU can queue a large frame, then work on other tasks while it is being sent.

Page 492: Ethernet Network Analysis and Troubleshooting

Section 8 TNV-202-GUI Ethernet Network Analysis and Troubleshooting

Page 8 - 12

Slide Title: Full Duplex, Switches & Jumbo Frames

Important Points to Cover: Can you imagine Gigabit without using switches?

Each connection is its own collision domain. There still can be collisions between the switch and the end station, but these will be very rare.

Half duplex still does contention, full duplex doesn’t need it.

The best solution is full duplex gigabit. You get full bandwidth in both directions, reduce the overhead doing contention and increase the cable lengths.

Page 493: Ethernet Network Analysis and Troubleshooting

Physical Media - Optical Fiber

• Three varieties of fiber are specified:
– 50 µm multimode
– 62.5 µm multimode
– 10 µm single mode
• The specs allow for two types of laser drivers
– 1000BaseSX: 850 nm (short-wave)
– 1000BaseLX: 1350 nm (longwave)

µm = micron

nm = nanometers

Page 494: Ethernet Network Analysis and Troubleshooting

Section 8 TNV-202-GUI Ethernet Network Analysis and Troubleshooting

Page 8 - 13

Slide Title: Physical Media – Optical Fiber

Important Points to Cover: This is the first of 3 slides that discuss the various types of media.

Cover them quickly.

Lasers are expensive. See big bucks $$$$$$$$$

Page 495: Ethernet Network Analysis and Troubleshooting

Copper Cable

• 1000BASE-CX
– Can only be used as patch cables or “jumpers” due to a distance limit of 25 meters
– Created to help reduce cost of the many short connections required in a wiring closet
– Consists of 2 pairs of shielded 150-ohm Twinax cable
– Much like Type 1 STP used in traditional token ring environments, but with higher electrical quality standards
• 1000BASE-T
– 4 pairs of category 5 UTP balanced copper cable
– 100 meter cable limit
– Uses 4D-PAM5 (4-dimensional 5-level Pulse Amplitude Modulation) coding (8B1Q4)
  • 8 bits are converted to 4 quinary symbols
  • Levels are +2 +1 0 -1 -2
  • Start-of-Stream delimiter signals beginning of frame
  • End-of-Stream delimiter signals the end of the frame

1000BASE-T clock frequency is 125 MHz (vs. 25 MHz for 100BASE-T2). It simultaneously transmits on all four pairs to achieve the 1000 Gbps rate. Each wire transmits 250 Mbps which aggregate to 1000 Mbps.

The Twinax cable consists of two center conductors surrounded by an insulated spacer which is surrounded by a tubular outer conductor (usually braid, foil or both). It is then covered entirely by an insulating and protective cover.

It is similar to twisted pair in that it uses differential or balanced transmission.

Page 496: Ethernet Network Analysis and Troubleshooting

Section 8 TNV-202-GUI Ethernet Network Analysis and Troubleshooting

Page 8 - 14

Slide Title: Copper Cable

Important Points to Cover: Slide is adequate.

Page 497: Ethernet Network Analysis and Troubleshooting

Gigabit to the Desktop

• Very limited deployment - usually used in servers
– Use multiple parallel high speed processors to handle the data flow effectively
– Install plenty of fast memory to cache the data, since disk drives operate in milliseconds, while gigabit data flows at nanosecond speeds
– Use a 64 bit 66 MHz PCI slot so the CPU bus can handle the amount of traffic

The gigabit transceiver chip on the board contains more than 200,000 transistors, about the processing capability of an Intel 486 chip. Many different manufacturers use this chip on their boards.

Page 498: Ethernet Network Analysis and Troubleshooting

Section 8 TNV-202-GUI Ethernet Network Analysis and Troubleshooting

Page 8 - 15

Slide Title: Gigabit to the Desktop

Important Points to Cover: Big challenges:

Coax cable limitations for such high speeds

Big Bucks $$$$$$$$

Page 499: Ethernet Network Analysis and Troubleshooting

Encoding Technique: 8B10B

• Used for fiber optic and 1000BASE-CX media
• Derived from 4B5B encoding used in 100BaseTX, 100BaseFX, and FDDI
• Each 8-bit byte is represented by a 10-bit code
– There are two code groups or categories:
  • “D” Group - Used for data transmission
  • “K” Group - Used to send control signals
  • Uses a look-up table for the conversion values
• The clock signal is embedded in the data stream
– To ensure that there are adequate voltage transitions, data signals (“D” groups) never have more than 4 consecutive ones or zeros in them
– 8B10B includes a number of unique control signal patterns (known as “commas”) that allow devices to synchronize and align their bit cells

IBM developed and patented the 8B10B encoding standard and licensed it for Fibre Channel and Gigabit Ethernet.

It ensures there are enough clock transitions for receiver clock recovery and allows control signals to be embedded in the data stream.

Single and multiple bit errors can be corrected.

The data code words never include more than 4 consecutive ones or zeros or the ten bit codes do have an imbalance of more than one, i.e., 5 ones and 5 zeros, 6 ones and 4 zeros or 4 ones and 5 zeros.

The IEEE Std 802.3ab-1999 spec lists the entire bit-to-symbol mapping table of codes. It is also referred to as 8B1Q4 coding technique. The conversion process is called 4D-PAM5 and refers to the 4 Dimensional 5-level Pulse Code Amplitude Modulation process.

Page 500: Ethernet Network Analysis and Troubleshooting

Section 8 TNV-202-GUI Ethernet Network Analysis and Troubleshooting

Page 8 - 16

Slide Title: Encoding Technique 8B10B

Important Points to Cover: Nice to know information.

Won’t help troubleshoot.

Cover quickly.

A table of symbols is included in the spec and table A-1 page 387 of Seifert’s book and the IEEE spec (of course).

The Gigabit Sniffer interface in current use gives statistics of the D and K group bits.

Page 501: Ethernet Network Analysis and Troubleshooting

Autonegotiation

• Gigabit autonegotiation is used to configure operational parameters
– Fast Ethernet negotiates the speed with fast pulses
• Gigabit uses special normal-rate signaling
– Signals indicate whether it is using full or half-duplex
• 16 bit message pages are exchanged on link initialization, multiple pages can be used

If only one side supports full duplex, the connection will use half-duplex if each side allows negotiation.

The PAUSE and Asymmetry direction bits are used together to determine if the device supports flow control and if it does, whether it is capable of asymmetric flow control.

(Asymmetric refers to a large discrepancy between the amount of data on each line at the same time. If the device is a server, it can process requests from multiple clients on the transmit and receive lines, so the traffic will be somewhat even on the two sides. If the device is a node, data transfer will occur on only one line with acknowledgments on the other, so the traffic tends to be heavy on one line and light on the other line.)

There are four possibilities with the two bits:

1) No flow control 2) Asymmetric flow control toward the node 3) Asymmetric flow control from the node and 4) Symmetric flow control.

The Remote Fault bits indicate error conditions that prevent normal operation. Codes are shown as Remote Fault bit 1, Remote Fault bit 2.

00 = No error, 01 = Device Offline, 10 = Link failure, 11 = Auto-negotiation failure

Autonegotiation messages are sent repeatedly until the sender receives an acknowledgement. The acknowledgement bit indicates the sender has received 3 sequential autonegotiation messages with the same contents.

The next page bit is reserved for future use when more than 16 bits are required to negotiate parameters.

Special K and D combinations identify the autonegotiation signals so they are not interpreted as data.

Page 502: Ethernet Network Analysis and Troubleshooting

Section 8 TNV-202-GUI Ethernet Network Analysis and Troubleshooting

Page 8 - 17

Slide Title: Autonegotiation

Important Points to Cover: We’ve talked about autonegotiation before in the Fast Ethernet section.

Here are the details about the 16 bit message pages and the significance of each of the bits.

This shows all the different parameters that can be negotiated.

Student notes should help you present this.

Page 503: Ethernet Network Analysis and Troubleshooting

Autonegotiation Process

[Flowchart. Box labels: Send idles or data; PHY comes up as Slave, Enter slave silent mode; Master on NW?; Start wait timer & send 0s; Enter training mode, Establish receive operation, Send info to link partner; Receive link info from partner; Link Status = Fail; Scan for carrier; Send fast link pulses; Process fail?]

The fast link pulses are identical to the Fast Ethernet pulses. They indicate the type of connection the system is able to use. The highest level for both sides becomes the negotiated transmission characteristic.

Priority  Connection type
1         1000BASE-T full-duplex
2         100BASE-T2 full-duplex
3         100BASE-T2
4         100BASE-TX full-duplex
5         100BASE-T4
6         100BASE-TX
7         10BASE-T full-duplex
8         10BASE-T

Page 504: Ethernet Network Analysis and Troubleshooting

Section 8 TNV-202-GUI Ethernet Network Analysis and Troubleshooting

Page 8 - 18

Slide Title: Autonegotiation Process

Important Points to Cover: Use this flow chart to explain the autonegotiation process and the symbolism of the Master and Slave bits they will see in the Sniffer screens.

They will look at this in the exercise, so you can cover it in the slide now and let them discover it in the exercise if you have time for it.

Page 505: Ethernet Network Analysis and Troubleshooting

Autonegotiation Frame Details

Bits   Parameter
0-4    Reserved
5      Full-duplex
6      Half-duplex
7      PAUSE
8      Asymmetry direction
9-11   Reserved
12     Remote Fault 1
13     Remote Fault 2
14     Acknowledgement
15     Next Page Present

This is very useful when you need to troubleshoot vendor incompatibility issues.
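One way to apply the bit table when comparing the pages two link partners advertise is sketched below. This is an added example, not Sniffer output or course code: the function and class names are hypothetical, the 16-bit values in the usage section are constructed, bit 0 is assumed to be the least significant bit, and the PAUSE and Asymmetry direction bits are reported raw because the slides do not give their bit-to-meaning mapping.

```python
# Added example: decode a 16-bit autonegotiation message page using the bit
# positions from the slide, then compare two pages for troubleshooting.
from dataclasses import dataclass

FULL_DUPLEX = 1 << 5
HALF_DUPLEX = 1 << 6
PAUSE = 1 << 7
ASYM_DIR = 1 << 8
REMOTE_FAULT_1 = 1 << 12
REMOTE_FAULT_2 = 1 << 13
ACKNOWLEDGE = 1 << 14
NEXT_PAGE = 1 << 15
RESERVED = 0x0E1F  # bits 0-4 and 9-11

# Codes as listed in the student notes: (Remote Fault bit 1, Remote Fault bit 2)
REMOTE_FAULT_CODES = {
    (0, 0): "No error",
    (0, 1): "Device Offline",
    (1, 0): "Link failure",
    (1, 1): "Auto-negotiation failure",
}


@dataclass(frozen=True)
class MessagePage:
    raw: int
    full_duplex: bool
    half_duplex: bool
    pause: bool
    asym_dir: bool
    remote_fault: str
    acknowledge: bool
    next_page: bool
    reserved_bits: int


def decode_page(word):
    """Split one 16-bit page into its advertised parameters."""
    if not isinstance(word, int) or not 0 <= word <= 0xFFFF:
        raise ValueError("message page must be a 16-bit integer")
    fault = (int(bool(word & REMOTE_FAULT_1)), int(bool(word & REMOTE_FAULT_2)))
    return MessagePage(
        raw=word,
        full_duplex=bool(word & FULL_DUPLEX),
        half_duplex=bool(word & HALF_DUPLEX),
        pause=bool(word & PAUSE),
        asym_dir=bool(word & ASYM_DIR),
        remote_fault=REMOTE_FAULT_CODES[fault],
        acknowledge=bool(word & ACKNOWLEDGE),
        next_page=bool(word & NEXT_PAGE),
        reserved_bits=word & RESERVED,
    )


def resolve_duplex(local, partner):
    """Highest duplex mode both sides advertise, or None if there is none."""
    if local.full_duplex and partner.full_duplex:
        return "full"
    if local.half_duplex and partner.half_duplex:
        return "half"
    return None


def review(local_word, partner_word):
    """Return (duplex, findings) for a pair of captured pages."""
    local, partner = decode_page(local_word), decode_page(partner_word)
    findings = []
    for name, page in (("local", local), ("partner", partner)):
        if page.remote_fault != "No error":
            findings.append(f"{name}: remote fault reported ({page.remote_fault})")
        if page.reserved_bits:
            findings.append(f"{name}: reserved bits set (0x{page.reserved_bits:04x})")
    duplex = resolve_duplex(local, partner)
    if duplex is None:
        findings.append("no common duplex mode advertised")
    elif duplex == "half" and (local.full_duplex or partner.full_duplex):
        findings.append("downgraded to half-duplex: only one side advertises full-duplex")
    if (local.pause, local.asym_dir) != (partner.pause, partner.asym_dir):
        findings.append("PAUSE / Asymmetry direction advertisements differ")
    return duplex, findings


if __name__ == "__main__":
    # Constructed values: local advertises full and half duplex, partner half only.
    duplex, findings = review(0x0060, 0x0040)
    print(duplex, findings)
```
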

Page 506: Ethernet Network Analysis and Troubleshooting

Section 8 TNV-202-GUI Ethernet Network Analysis and Troubleshooting

Page 8 - 19

Slide Title: Autonegotiation Frame Details

Important Points to Cover: New Slide.

The bits are listed on the side.

You can send multiple “pages” of information in the process. We see two duplicate pages here.

Developer note: I tried very hard to get new Full Duplex and Gigabit traces, but no one came through for me. I asked a couple of different mailing lists and HQ people and there just don’t seem to be many floating around.

I surely hope to get one showing the autonegotiation process through real work for the next revision!

Page 507: Ethernet Network Analysis and Troubleshooting

Autonegotiation Frame Summary

[Screen capture callouts: Pulses - no addresses; Number of ten bit codes in the set; 32 nanosecond timestamps]

• 10 bit Hex decodes are automatically enabled for autonegotiation signals

Page 508: Ethernet Network Analysis and Troubleshooting

Section 8 TNV-202-GUI Ethernet Network Analysis and Troubleshooting

Page 8 - 20

Slide Title: Autonegotiation Frame Summary

Important Points to Cover: Point out that there are no addresses in these signals.

Page 509: Ethernet Network Analysis and Troubleshooting

10 Bit Decode of the Signals

• Right-click in the Hex window and select 10 Bit to see the autonegotiation decodes

Page 510: Ethernet Network Analysis and Troubleshooting

Section 8 TNV-202-GUI Ethernet Network Analysis and Troubleshooting

Page 8 - 21

Slide Title: 10 Bit Decode of the Signals

Important Points to Cover: This shows how to see the 10 bit decodes.

Page 511: Ethernet Network Analysis and Troubleshooting


Gigabit Sniffer

Page 512: Ethernet Network Analysis and Troubleshooting

Section 8 TNV-202-GUI Ethernet Network Analysis and Troubleshooting

Page 8 - 22

Slide Title: Gigabit Sniffer

Important Points to Cover: Title Page.

This is a brief overview.

Page 513: Ethernet Network Analysis and Troubleshooting

Some Advice

• Full wire speed transmission can create 125 MB of data every second!
• That’s just too many frames to analyze
• Run Monitor applications to gather statistics and narrow in on problem areas
• Set capture filters to accept the frames where you see problems
• Turn off real-time Expert analysis and view Expert after you stop the capture

Page 514: Ethernet Network Analysis and Troubleshooting

Section 8 TNV-202-GUI Ethernet Network Analysis and Troubleshooting

Page 8 - 23

Slide Title: Some Advice

Important Points to Cover: Capture filters!

Turn off real-time Expert

Page 515: Ethernet Network Analysis and Troubleshooting

What if I Plug in the Wrong Sniffer?

• First of all, the media and connectors will limit the number of mistakes you can make
• Then there’s autonegotiation
– If you have the wrong speed card, the autonegotiation will fail, so you won’t get any data at all (and will get a failure to open the adapter message)
• If you plug a 10/100 adapter into a full-duplex Fast Ethernet port, you’ll just get one side of the conversation

Page 516: Ethernet Network Analysis and Troubleshooting

Section 8 TNV-202-GUI Ethernet Network Analysis and Troubleshooting

Page 8 - 24

Slide Title: What If I Plug in the Wrong Sniffer?

Important Points to Cover: New Slide.

Slide is sufficient

Page 517: Ethernet Network Analysis and Troubleshooting

Gigabit User Interface

• Uses the standard Sniffer Pro interface with enhancements for Gigabit technology

The Gigabit Sniffer now has the Sniffer Pro interface. Due to the complexity of the products, it and Full Duplex Ethernet will be covered in detail in a separate High Speed Ethernet class.

Page 518: Ethernet Network Analysis and Troubleshooting

Section 8 TNV-202-GUI Ethernet Network Analysis and Troubleshooting

Page 8 - 25

Slide Title: Gigabit User Interface

Important Points to Cover: The Monitor screens and Expert are the same.

The capture panel has a tab for Channel Info that shows counts for each channel.

The Summary window shows [A] and [B] to indicate which channel the frame was captured from.

Page 519: Ethernet Network Analysis and Troubleshooting

Other Differences

• The Dashboard and Capture Panel show counts for each channel
• History samples are doubled - one for each channel
• Global Statistics shows individual channel statistics and color-coded graphs for each
• The Summary window shows [A] and [B] in the status columns to indicate which channel captured the frame
• Packet Generator has tabs to set the rate, override addresses and preamble and change the CRC

Page 520: Ethernet Network Analysis and Troubleshooting

Section 8 TNV-202-GUI Ethernet Network Analysis and Troubleshooting

Page 8 - 26

Slide Title: Other Display Differences

Important Points to Cover: New Slide.

Cover the bullets.

Demo if you like.

Page 521: Ethernet Network Analysis and Troubleshooting

Three Separate Buffers

• Adapter Memory
– 144 MB trace buffer memory
  • 72 MB per channel (2)
– Configure parameters on the Tools > Options > Gigabit tab
  • Monitor or Emulation mode
  • Enable Jumbo frames
  • SPAN port connection
• SnifferPro software RAM
– Configure Buffer size on the Buffer tab
• Configuration process is similar to Full Duplex

Page 522: Ethernet Network Analysis and Troubleshooting

Section 8 TNV-202-GUI Ethernet Network Analysis and Troubleshooting

Page 8 - 27

Slide Title: Three Separate Buffers

Important Points to Cover: New Slide.

Two on the card, one on the PC

Note there are no choices for uploading since the frames are already in the Sniffer buffer.

Page 523: Ethernet Network Analysis and Troubleshooting

More New Options

• Capture > Define Filter
– Control card buffers
– Capture filters can be set on one channel or both
• Tools > Options > Gigabit
– Set mode
– Enable jumbo frames

The Gigabit Packet Generator has more options than the other Ethernet Sniffers:

The Rate tab allows you to set the Interpacket Delay, Packets per seconds, and Network Utilization

The Address tab allows you to override the source and destination address in several different ways

The Advanced tab (single frames only) choices are: random size packets, set data offsets, include sequence numbers, adjust timestamps and generate certain types of errors.

The Gigabit tab allows you to set the preamble length and change the CRC.

Page 524: Ethernet Network Analysis and Troubleshooting

Section 8 TNV-202-GUI Ethernet Network Analysis and Troubleshooting

Page 8 - 28

Slide Title: More New Options

Important Points to Cover: New Slide.

These two screens adjust how you want to control the buffers and the behavior of the ports.

The Define Filter > Gigabit Ethernet tab shows up from Display > Define Filter, but not all of the options are enabled.

The Tools > Options > Gigabit tab sets the action of the port. Yes, you can span a gigabit port to the Sniffer. The 8021q-gig.cap trace file shows VLAN information from a spanned gigabit port.

Explain the options as shown on the screen caps.

Use the Sniffer with the dummy driver to demonstrate these options when needed.

There is a good bit of information on the gigabit packet generator in the student notes. Open a trace file, then use Tools > Packet Generator to show these new tabs, choosing both a new frame and buffer option.

Page 525: Ethernet Network Analysis and Troubleshooting

Solving Gigabit Ethernet Problems

• Gigabit Ethernet is quite stable now that the vendors are manufacturing to the specification
• Ensure you use high quality cables and connectors
• Use the same vendor when possible to avoid vendor incompatibilities
• Watch the autonegotiation sequence when you have stations that cannot communicate at all or show poor performance due to negotiating to a lower capability
• SNMP and RMON statistics of the interfaces show long-term statistics
– Use a management application to watch for trends

Page 526: Ethernet Network Analysis and Troubleshooting

Section 8 TNV-202-GUI Ethernet Network Analysis and Troubleshooting

Page 8 - 29

Slide Title: Solving Gigabit Ethernet Problems

Important Points to Cover: These notes are based on a conversation with the Gigabit Ethernet people in the University of New Hampshire Interoperability lab.

Page 527: Ethernet Network Analysis and Troubleshooting

Summary

In this section, you learned how to:
• Differentiate between Gigabit Ethernet standards and cabling
• Attach the Gigabit Sniffer to Gigabit networks
• Configure Sniffer Pro’s gigabit-specific features
• Use the Sniffer Pro statistics and decodes to locate areas of concern
• Analyze autonegotiation frames to look for incompatibilities and downgraded connection setup

Page 528: Ethernet Network Analysis and Troubleshooting

Section 8 TNV-202-GUI Ethernet Network Analysis and Troubleshooting

Page 8 - 30

Slide Title: Summary

Important Points to Cover: Review the section objectives and answer any remaining questions.

Wrap up the class.

Thank them for coming.

Gather student evaluations.

Distribute certificates.

Make sure the students have deleted their probes and have them Run > Clean to empty the CLASS directories of files they’ve saved.

Make sure that the HUBPORT3 and 4 trace files are removed.

Remove demo Sniffer software from rental PCs using the uninstall program on the first installation disk if you have been instructed to do that.

Target Time: Day 2 at 5pm

Page 529: Ethernet Network Analysis and Troubleshooting


Optional Technologies

Page 530: Ethernet Network Analysis and Troubleshooting

Section 9 TNV-202-GUI Ethernet Network Analysis and Troubleshooting

Page 9 - 1

Slide Title: Optional Technologies

Important Points to Cover: Section 9 title slide only.

Files: 09_app_g.PPT 09_app_g.DOC

Trace: LLCNetb2.cap (new)

Exercise: Observing LLC Traffic (new)

This section is now called Optional Technologies.

Time: The LLC section has 2 hours of material in it if a student asks for it.

It is not expected you will need to cover this very often.

Please remember this instructor guide is a living document. It is not complete to start and is intended to grow with time. Add to your own copy as you gain experience. Please e-mail suggestions to the course Subject Matter Expert (SME) for future updates to the course material.

Page 531: Ethernet Network Analysis and Troubleshooting

Contents

Logical Link Control (LLC) 9-3
10BASE-5 and 10BASE-2 Ethernet 9-23
Exponential Backoff Formula 9-31
Transmission Models 1 and 2 Details 9-32

The backoff time is an integral random multiple of the Slot Time.

0 is considered by some to be an integer, and some implementations do choose 0 constantly. It is rather rude: some chipsets will see the resulting transmission not as a runt followed by a good frame, but as a single oversize frame, or may not see the good frame at all. This is the basis of some of the accusations of the Sniffer analyzer losing frames. Choosing 0, by the way, assumes that no one else on the net is playing the same rude trick, or that everyone who is playing that trick can sense a new frame at 1.6 instead of 9.6 bit times. It can cause repeated collisions between the same two stations.

Page 532: Ethernet Network Analysis and Troubleshooting

Section 9 TNV-202-GUI Ethernet Network Analysis and Troubleshooting

Page 9 - 2

Slide Title: Contents

Important Points to Cover:

Page 533: Ethernet Network Analysis and Troubleshooting


Logical Link Control

Page 534: Ethernet Network Analysis and Troubleshooting

Section 9 TNV-202-GUI Ethernet Network Analysis and Troubleshooting

Page 9 - 3

Slide Title: Logical Link Control

LLC was designed by the IEEE 802.2 committee to provide transparent connectivity between any IEEE-compliant LAN physical layer to any upper-layer protocol. It does this by using Service Access Points (SAPs) in the header to address the network layer protocol.

Members of the IEEE pushed for more functionality, so 3 types of data exchange were defined. (One more may be coming, according to Radia Perlman in Interconnections, Bridges and Routers.)

LLC uses a subclass of the HDLC “superset” and is classified as BA (Balanced links, Asynchronous balanced mode), with several options on how to use the functional extensions.

It acts like HDLC, but is intended for a LAN.

It is independent of, yet utilized by, all the various media access protocols defined by the 802 working group.

Objectives

Upon completion of this section, you will be able to:

• Explain the three types of LLC connections and when each one is used
• Know the purpose of the LLC frames and when they are used
• Follow a connection-oriented LLC conversation from setup through data exchange and shutdown


Slide Title: Objectives

Review the objectives.

Logical Link Control

• Point to point data integrity
• Flow control
• Link maintenance
• Service access point addressing
• Connection oriented or connectionless services
• Functions independently of MAC layer

[Diagram: the Data Link Layer, with the LLC sublayer (IEEE 802.2) above the MAC sublayer]

Many of these connection-oriented features of Type II LLC are found in reliable Transport layer protocols like TCP.

The IEEE specifications refer to the frames as “Protocol Data Units” or PDUs.


Slide Title: Logical Link Control

Upper part of the Data Link Layer

Review the points on the slide.

IEEE 802.2

Upper half of the Data Link Layer

Lower half controls how the devices access the wire, i.e., contention or token passing.

802.2 Header Format

Frame layout: 802.X Header (MAC Sublayer), then DSAP, SSAP and Control (LLC Sublayer)

DSAP: (1 byte) Destination Service Access Point; receiving process at destination

SSAP: (1 byte) Source Service Access Point; sending process in source

Control: (1 byte) Various control information (2 bytes for connection-oriented LLC)

• The control field used in type 1 datagrams is always one byte long.
• The control field can use one or two bytes for LLC type 2.


Slide Title: 802.2 Header Format

Header fields:

DSAP: (1 byte) Destination Service Access Point; receiving process at destination.

Least significant bit is Individual or Group Address indicator.

SSAP: (1 byte) Source Service Access Point; sending process in source.

Least significant bit is the command or response indicator. 0 = command, 1 = response.

Analogy: Post Office Box: Frame is addressed with the SAP number (PO Box number). The Physical layer (post office) places the frame in the appropriate buffer (box). Protocol listening (postal customer) retrieves the frame from its box.

Alternate: A numbered hole in the ceiling. The protocol above looks for frames at its assigned hole.

The SAP numbers are reserved for IEEE and ISO protocols.

8 bits is not nearly long enough to define the number of protocols. The numbers were assigned on a first-come, first-served basis following strict rules for the types of organizations and protocols that may have a SAP number.

To make things even worse, two of the 8 bits are reserved for other uses, so the field is actually only 6 bits long!

Control: (1 byte) Various control information (2 bytes for connection-oriented LLC)

The control field byte(s) are very complex, with the different types of functions having different bit meanings. No attempt has been made here to delineate all the various frame headers, since the Sniffer analyzer decodes them.

LLC Service Access Points (SAP)

Name      SAP (hex)         Description
BPDU      42                Bridge Protocol Data Units
Banyan    BC                Banyan VINES
IBM_NM    F4                IBM Network Management
IP        06                Internet Protocol
ISO       FE                International Standards Organization
NetBIOS   F0                Network Basic I/O System
Novell    E0                Novell (NetWare)
SNA       04, 05, 08, 0C    Systems Network Architecture
SNAP      AA                SubNetwork Access Protocol
Global    FF                Broadcast
Null      00                IBM SAP Negotiation

• SAPs are a pass-through between any IEEE-compliant physical layer and any upper-layer protocol.

• 00 is a Null SAP. Only real use at this time is by IBM which forces SAP negotiation for connection to 3745s. This is the only SAP initially active on a 3745 so the initial request must be addressed to the Null SAP.


Slide Title: LLC Service Access Points (SAP)

Just mention quickly. This is for their reference.

SNAP Header Format

Frame layout: 802.X Header (MAC Sublayer); DSAP (AA for SNAP), SSAP (AA for SNAP) and Control (LLC Sublayer); Organization/Vendor Code (optional) and Type (SNAP)

SubNetwork Access Protocol (SNAP) provides a standard way of encapsulating upper-layer protocols on IEEE 802 networks

Organization Code: (3 bytes) Identifies the vendor or manufacturer. Same as vendor code in MAC layer address. Often 0000 if Upper-Layer Protocol (ULP) did not change.

Type: (2 bytes) Identifies the ULP. Same as Ethertype for protocols that came from the Ethernet environment.

• The SNAP field allows version 2 Ethertype fields to be included in IEEE-compliant frames.

• It also allows vendors to specify their "type" within the SNAP header.

• The vendor code is usually not supplied when the upper-layer protocol is unchanged to run on SNAP instead of 802.X or Ethernet. For example, you will see that TCP/IP implementations on SNAP do not supply the vendor code.

• A nifty expression: “SNAP allows us to snap Ethertypes into 802.x frames.”


Slide Title: SNAP Header Format

SNAP was added to enable non-IEEE protocols to be supported at the LLC layer.

The vendor code and Type fields are “bought” by a vendor.

If they want to write their own proprietary protocols, they can use their vendor code and the “type” that was assigned them in these fields. Then stations will be able to feed the frames to the correct upper-layer protocol. The problem arises when different vendors implement the protocols differently, so there may be problems with interconnectivity across vendor lines.

The most frequent use we see of the SNAP header is for Ethernet version II Ethertypes to be included in an IEEE frame.

LLC Functions

• Some protocols use LLC merely as a pass-through header to carry data. All control of the connection is handled by higher layers. The frames are Unnumbered Information frames
• Other protocols use the additional functionality that the IEEE provides
– LLC connection-oriented service at OSI layer 2 offers many of the data integrity functions we expect to find at OSI layer 4 - the transport layer
– The primary difference is that LLC deals with point-to-point connections, whereas layer 4 protocols like TCP deal with end-to-end connections


Slide Title: LLC Functions

Some protocols use LLC merely as a pass-through header to carry data. Higher layers handle all control of the connection. The frames are Unnumbered Information frames.

NetWare uses the LLC layer this way. The only reason LLC is there is because it is using standard IEEE 802.5 frames that have the LLC header. NetWare predates the IEEE specs, so the original design was for non-IEEE compliant frames like ARCNET and proprietary Ethernet. Neither of these has an LLC layer. The LLC SAPs are used to identify this frame as a NetWare frame (SAP = E0).

Other protocols use the additional functionality that the IEEE provides. This is what we will cover here.

LLC connection-oriented service at OSI layer 2 offers many of the data integrity functions we expect to find at OSI layer 4 - the transport layer.

The primary difference is that LLC deals with point-to-point connections, whereas layer 4 protocols like TCP deal with end-to-end connections.

LLC Frame Types

• Unnumbered frames:
– Establish link connections/disconnections
– Provide link maintenance and error recovery
– Provide connectionless (datagram) support
• Supervisory frame:
– Acknowledges frames received
– Requests retransmission of frame(s)
– Provides flow control
• Information frames:
– Transport user data and higher-layer protocols
– Increment sequence numbers

• These frames are identified by bits in the LLC headers.
• There are many types of fields in LLC frames. Fortunately, the Sniffer Network Analyzer knows all of them and decodes them in the Summary and Detail windows for you, so we will not break them out here.


Slide Title: LLC Frame Types

Quickly go over the three types of frames and their purposes.

Mention that we will cover them in more detail in the following pages.

LLC Unnumbered Frame Types

Frame   Name                                      Command/Response   Service
SABME   Set Asynchronous Balanced Mode Extended   Command            Connection Oriented
UA      Unnumbered Acknowledgment                 Response           Connection Oriented
DISC    Disconnect                                Command            Connection Oriented
DM      Disconnect Mode                           Response           Connection Oriented
FRMR    Frame Reject                              Response           Connection Oriented
XID     Exchange Identification                   Either             Connection or Connectionless
TEST    Test                                      Either             Connection or Connectionless
UI      Unnumbered Information                    Either             Connection or Connectionless

• SABME is used to set up a duplex connection, using a modulo 128 window.
• UA acknowledges a SABME or DISC message.
• DISC requests connection termination.
• DM is transmitted by the receiver of a DISC to let the other side know it has received the DISC.
• FRMR indicates the receipt of an invalid frame.
• XID is used only with Type 1. An XID command from the transmitter informs the receiver of the identity of the transmitter and which LLC types the transmitter supports. A response is required to an XID command. It contains the same information as the command.
• TEST also has command and response frames. The transmitter can send this to see if the recipient can receive and return a packet. Data can be included that the recipient must return in the response frame.
• Unnumbered Information frames are used for connection control and to carry unsequenced data.


Slide Title: LLC Unnumbered Frame Types

Use the student notes to explain each type of unnumbered frame.

LLC Supervisory Frames (Type 2 - Connection oriented only)

RR    Receive Ready        Command/Response
RNR   Receive Not Ready    Command/Response
REJ   Reject               Command/Response

LLC Information Frame (Type 2 - Connection oriented only)

I     Information          Command/Response

• Receive Ready is an acknowledgment frame. It contains a sequence number of the frame it is next expecting to receive and indicates the receiver is ready to receive more data.

• Receive Not Ready is an acknowledgment for previously received frames. The “Next expect to Receive” sequence number (NR) is included in the RNR frame. It also indicates that the receiver is temporarily busy and further frames should not be transmitted until the busy station sends a receive ready frame.

• REJect frames are sent when the receiver is requesting retransmission of frames. The REJ frame includes the sequence number of the next frame it expects. LLC rejects only once. If it doesn’t get an ACK, it starts polling with RRs.

• Information frames are sequence numbered data frames.


Slide Title: LLC Supervisory Frames

These are for connection oriented delivery only.

Note that there are both command and response types.

RR Receive Ready Command/Response

RNR Receive Not Ready Command/Response

REJ REJect Command/Response

LLC rejects only once. When it doesn’t get an ACK, it starts polling with Receiver Ready. (Hello? Are you still there?)

LLC Information Frame

Connection oriented only

I Information Command/Response

These carry the data and acknowledgments.

This is a building block for looking at the Sniffer analyzer displays.


Type 1 Connectionless Services

[Diagram: Data Messages]

To use the Post Office as an example: It’s like mailing a letter

• No connection establishment is required.

• Type 1 supports point-to-point, multicast and broadcast communications.

• Messages are not sequenced.

• No flow control is provided.

• Delivery is not guaranteed.

• There is no retransmission on error.

• Sequential delivery is not guaranteed.

• Type 1 service is unreliable, but this is not a problem as long as an upper-layer protocol can recover from the error.

• Higher layers are responsible for flow control, error recovery and reliability.

• Three types of frames are supported: Unnumbered Information (UI), Exchange Identification (XID), and TEST. The control byte indicates the frame type.


Slide Title: Type 1 Connectionless Services

This is just data transport.

No setup.

No acknowledgments.

No teardown.

No error correction.

No flow control.

Upper-layer protocols are responsible for these functions.

Frames are generally unnumbered information frames.

Type 2 Connection Oriented Service

[Diagram: Session Setup, ACK; Sequenced Data Messages; Disconnect, ACK]

Like making a telephone call: The end-to-end connection is set up before your conversation begins, then torn down when you hang up

• Type 2 is very similar to HDLC.
• Connection establishment and termination are required.
• Type 2 service provides a sequenced, acknowledged delivery of data.
• Each side of the connection maintains independent sequence numbers.
• Acknowledgments can be sent in separate frames or can be “piggy-backed” onto data frames, making it capable of very efficient use of the wire.
• Error recovery processes are available.
• Type 2 uses sliding window flow control (modulo 128).
• Example: Sessions between IBM LAN Manager and IBM bridges make use of this connection type when they're talking to each other.
• Type 2 frames can use one or two byte control fields.
• Frames with a one byte control field are: Set Asynchronous Balanced Mode Extended (SABME), DISConnect, Disconnected Mode, Frame Reject (FRMR) and Unnumbered Acknowledgment (UA).
• Frames with a two byte control field are: Information, Receive Ready, Receiver Not Ready and REJect.


Slide Title: Type 2 Connection Oriented Service

Based on HDLC

Sequence numbers are maintained by each side and acknowledgments are sent based on the other side’s sequence number.

Because acknowledgments can be “piggy-backed” on data frames, it uses the wire efficiently.

Session Setup, ACK

Sequenced Data Messages

Disconnect, ACK

Frames will have either one or two byte control fields.

Example: Sessions between IBM LAN Manager and IBM bridges make use of this connection type when they're talking to each other.

Type 2 Connection Setup

Workstation                    Server
TEST (Optional)     ------>
                    <------    TEST (Optional)
XID (Optional)      ------>
                    <------    XID (Optional)
SABME P(oll)        ------>
                    <------    UA F(inal)
RR NR=0 P           ------>
                    <------    RR NR=0 F
I NS=0 NR=0         ------>
                    <------    RR NR=1

Some upper-layer applications will send TEST frames to make sure both sides can communicate.

They may follow with one or two pairs of XID frames to negotiate the type of connection both can support.

The first frame that establishes the connection is the SABME. You can do a Search for text on SABME to find the first instance of a connection being set up.

Once the connection is made, the data will be sequenced and acknowledged.

The Poll bit when set to a “1” forces the other side to respond.

The Final bit is set to a “1” in the response frame.


Slide Title: Type 2 Connection Setup

This slide was included to discuss how sessions are set up in preparation for what they need to observe in the Sniffer Summary window. It deliberately does not show the additional information on the Summary line. It will be added later.

This slide has a “build” which will display one line per click.

Workstation                    Server
TEST (Optional)     ------>
                    <------    TEST (Optional)
XID (Optional)      ------>
                    <------    XID (Optional)

The above frames are application-dependent. If you turn All layers on with no protocol filters set, you will see that the upper-layer protocol may actually be starting this. SNA uses TEST and XID frames to set up Physical Unit (PU) Allocations. They are also used for Source Route bridging explorer frames.

This is the important part:

SABME P(oll)        ------>
                    <------    UA F(inal)
RR NR=0 Poll        ------>
                    <------    RR NR=0 Final
I NS=0 NR=0         ------>
                    <------    RR NR=1

Discuss the play of the Poll and Final bits.

Poll means “Answer me.”

Final means “This is my answer to your poll.”

Type 2 Connection Teardown

Workstation                    Server
DISC P              ------>
                    <------    UA F*
                    <------    DM
UA                  ------>

Normal teardown can be started from either side in the fashion described above.

If there is a problem with the sequence numbers, the side detecting the problem will send a REJect and include the sequence number it next expects to receive. If the other side is able to back up and send that sequence numbered frame, all is well. If the two sides cannot resynchronize, one side will send the DISC to “hang up.” The other side will then respond with a UA (optional)* or DM.

So what is the difference between a REJect and a DISConnect?

A REJect is sent when a problem occurs. The two sides will attempt to get resynchronized. If that fails, they will DISConnect. You can look for this by doing a Search for text on REJ, then follow through to see if they were able to roll back to a point where they can move forward again.

A DISC is the normal conclusion of a connection. The first side will send the DISC when it has completed its work. The other side responds with the Disconnect Mode, indicating it is finished, too. A DISC will also be used when one of the two stations determines that the efforts to resolve a problem are fruitless and it needs to shut the connection down. Upper-layer protocols will determine whether a new attempt is made to open a new connection.


Slide Title: Type 2 Connection Teardown

This slide is also preparation for what they will see in the Sniffer analyzer.

This slide has a “build” which will reveal one line at a time.

Workstation                    Server
DISC P              ------>
                    <------    UA* F
                    <------    DM*
UA                  ------>

DISC is used to shut down a connection for either a normal End of Operation or upon the failure of a resynchronization effort.

REJ does not end the conversation. It is sent when a problem is encountered. Attempts are made to back up to a point where sequence numbers can be synchronized. The data exchange will restart if synchronization is achieved; if not, then a DISC will be sent to close the connection.

* This is according to the IEEE 802.3 specification.

FRMR vs. REJ

• FRMR is sent upon:
– Receipt of a frame with a data field that is not permitted
   • i.e., an unnumbered acknowledgment (UA) with data
– Receipt of an unsolicited Final (F) bit set to one
– Receipt of an unexpected UA
– Receipt of an unsupported frame type
– Receipt of an I frame that exceeds the established maximum length
– Receipt of an invalid receive sequence number N(R)
– Receipt of an invalid send sequence number N(S)
• REJ is sent to:
– Request the resending of I frames starting with the frame number N(R)

• Upon receipt of an FRMR a station should:
Send a SABME or DISC.

• Upon receipt of a REJ a station should:
Send the corresponding I frame as soon as it is available.
Resend any unacknowledged I frames.

• Behavior upon receipt of an invalid send sequence number varies:
If the data is within the receive window, then an REJ should be sent.
If the data is not within the receive window, then a FRMR should be sent.
The receive window size can be specified in an XID frame.

In the real world, we see more REJs than FRMRs. REJ is preferable because the session doesn’t need to be re-established.


Slide Title: FRMR vs. REJect

Slide is self-explanatory.

Cover the student notes, also. This is an important concept to understand when they troubleshoot an LLC problem.

Type 3: Acknowledged Connectionless

• Connectionless service
• Guaranteed in-sequence delivery of data
• Uses stop and wait flow control

[Diagram: Sequenced Data Messages, ACK]

Like a conversation where one side is saying “Uh huh,” “Yes,” “I see”

LLC Type 3 was developed primarily for process control applications over a token bus, so it is very seldom seen today.


Slide Title: Type 3 Acknowledged Connectionless

This is here to complete the types of LLC connections.

As the student notes indicate, it was intended for process control applications over a token bus (computer-aided car manufacture?) and is seldom used today.

Don’t spend any time on this.

Decoding LLC Connection-Oriented Frames

From Workstation: LLC C D=F0 S=F0 RR NR=0 P
  Command
  D=F0 Destination Service Access Point = F0 (NetBIOS)
  S=F0 Source Service Access Point = F0 (NetBIOS)
  RR Receive Ready
  NR=0 Frame Number Workstation expects to receive is 0
  Poll bit is on: Workstation expects a response from Server

From Server: LLC R D=F0 S=F0 RR NR=0 F
  Response
  D=F0 Destination Service Access Point = F0 (NetBIOS)
  S=F0 Source Service Access Point = F0 (NetBIOS)
  RR Receive Ready
  NR=0 Frame Number Server expects to receive is 0
  Final bit is on: Response to Workstation's Poll

From Workstation: LLC C D=F0 S=F0 I NR=0 NS=0
  Command
  D=F0 Destination Service Access Point = F0 (NetBIOS)
  S=F0 Source Service Access Point = F0 (NetBIOS)
  Information frame: Higher layer data is included
  NR=0 Workstation is still expecting to receive frame 0 next
  NS=0 Workstation is sending frame number 0

From Server: LLC R D=F0 S=F0 I NR=1 NS=0 P
  Response
  D=F0 Destination Service Access Point = F0 (NetBIOS)
  S=F0 Source Service Access Point = F0 (NetBIOS)
  Information frame; higher layer data is included
  NR=1 Server expects to receive frame number 1 next
  NS=0 Server is sending frame number 0
  Poll bit is on: Server expects a response from Workstation

Now sending 0

Next expect to receive 1, now sending 0

The easiest way to view LLC conversations is to set up a Station address filter for the two communicating stations. Then turn on Two station format in the Summary window. The top line is what you would see in the Summary window.

In the first two frames, we see both ends of the logical connection advertise the sequence numbered frame they expect to receive next (NR = Receive sequence Number). These are also the initial frames.

In the third frame, the workstation issues the sequence numbered Information frame the server expects (NS = Send sequence Number).

In the fourth frame, the server both acknowledges the workstation’s frame by specifying the next frame it expects to receive (NR), and also sends the frame the workstation asked for earlier (NS).
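An added example, not part of the original course material: a small Python decoder that turns the LLC bytes of a frame into a summary line in the style shown above, using the DSAP/SSAP indicator bits and the one- or two-byte control field described earlier in this section. The control-field bit values come from IEEE 802.2 rather than from the slides, the sample byte strings are constructed, and `sap_name`, `decode_llc` and `summary` are names chosen for this example.

```python
import struct

# SAP values as listed on the "LLC Service Access Points (SAP)" slide.
SAP_NAMES = {0x00: "Null", 0x04: "SNA", 0x05: "SNA", 0x08: "SNA", 0x0C: "SNA",
             0x06: "IP", 0x42: "BPDU", 0xAA: "SNAP", 0xBC: "Banyan",
             0xE0: "Novell", 0xF0: "NetBIOS", 0xF4: "IBM_NM", 0xFE: "ISO",
             0xFF: "Global"}

# Control-field encodings per IEEE 802.2 (the slides do not list them).
S_TYPES = {0x01: "RR", 0x05: "RNR", 0x09: "REJ"}      # first byte of an S frame
U_TYPES = {0x03: "UI", 0x0F: "DM", 0x43: "DISC", 0x63: "UA",
           0x6F: "SABME", 0x87: "FRMR", 0xAF: "XID", 0xE3: "TEST"}  # P/F bit cleared


def sap_name(sap):
    """Name a SAP byte; fall back to the value with its low indicator bit cleared."""
    return SAP_NAMES.get(sap) or SAP_NAMES.get(sap & 0xFE, "unknown")


def decode_llc(data):
    """Decode the 802.2 header at the start of `data` (the bytes after the MAC header)."""
    if len(data) < 3:
        raise ValueError("truncated LLC header: need DSAP, SSAP and a control byte")
    dsap, ssap, c1 = data[0], data[1], data[2]
    f = {"dsap": dsap, "group": bool(dsap & 0x01),             # I/G indicator
         "ssap": ssap & 0xFE, "response": bool(ssap & 0x01),   # 0 = command, 1 = response
         "dsap_name": sap_name(dsap), "ssap_name": sap_name(ssap)}
    if c1 & 0x03 == 0x03:
        # Unnumbered format: always a one-byte control field, P/F is bit 0x10.
        f.update(kind=U_TYPES.get(c1 & 0xEF, "U?"), pf=bool(c1 & 0x10), hdr_len=3)
    else:
        # Information and Supervisory formats carry a second control byte.
        if len(data) < 4:
            raise ValueError("truncated LLC header: two-byte control field expected")
        c2 = data[3]
        f.update(pf=bool(c2 & 0x01), nr=c2 >> 1, hdr_len=4)
        if c1 & 0x01 == 0:
            f.update(kind="I", ns=c1 >> 1)       # low bit 0 marks an I frame
        else:
            f["kind"] = S_TYPES.get(c1, "S?")    # unknown value: unsupported frame type
    # SNAP: DSAP and SSAP are AA, control is UI, then 3-byte code and 2-byte type.
    if dsap == 0xAA and f["ssap"] == 0xAA and f["kind"] == "UI" and len(data) >= 8:
        f["snap_org"] = data[3:6].hex().upper()
        f["snap_type"] = struct.unpack("!H", data[6:8])[0]
        f["hdr_len"] = 8
    return f


def summary(data):
    """Build a one-line summary such as 'LLC C D=F0 S=F0 RR NR=0 P'."""
    f = decode_llc(data)
    parts = ["LLC", "R" if f["response"] else "C",
             "D=%02X" % f["dsap"], "S=%02X" % f["ssap"], f["kind"]]
    if "nr" in f:
        parts.append("NR=%d" % f["nr"])
    if "ns" in f:
        parts.append("NS=%d" % f["ns"])
    if f["pf"]:
        # The same bit reads as Poll on a command and Final on a response.
        parts.append("F" if f["response"] else "P")
    if "snap_type" in f:
        parts.append("SNAP type=%04X" % f["snap_type"])
    return " ".join(parts)


# Constructed sample headers (not taken from a course trace file).
SAMPLES = ["F0F00101", "F0F10101", "F0F00000", "F0F07F", "AAAA030000000800"]

if __name__ == "__main__":
    for hexstr in SAMPLES:
        print(hexstr.ljust(18), summary(bytes.fromhex(hexstr)))
```

A control byte that maps to `S?` or `U?` is the "unsupported frame type" case, which is worth flagging when reading a capture by hand.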


Slide Title: Decoding LLC Connection-Oriented Frames

This is the key page to explain what they will see in the Sniffer analyzer’s Summary screen.

Emphasize that they should:

Set up a station address filter on the two sides.

Protocol filter on LLC (or enable All layers and leave all protocols visible if they want to watch how the upper-layer protocols are using LLC).

Use two-station format.

Presentation Idea: You may want to place a paper over the screen and pull it down as you explain each field in the Summary line. Because of the way this screen is constructed, a build could not be created.

Understanding LLC Frame Numbering

      Workstation       Server
#     N(R)   N(S)       N(R)   N(S)
1     0
2                       0
3     0      0
4                       1      0
5     1      1
6                       2      1
7                              2
8                              3
9     4

• Here we see a graphical representation of the first 4 frames. We are also witnessing a “window of 1” because each “I(nformation)” frame is “ACKnowledged” before the next is issued. If we assume that the “piggy-backing” of an I frame onto the ACK continues, we will see frames 5 and 6.

• The server expands its window to 3, so we see 3 sequenced I frames (NS=1,2,3) starting in frame 6 to frame 8, with the subsequent ACK (NR=4) by the workstation in frame 9.

• Many times, upper-layer protocols start their sessions by setting up an LLC connection first, then you can watch the middle layer set up connections until the highest layer protocol establishes its connection. You may want to set a protocol filter so you see just the LLC layer, or you may choose to enable All layers so you can see the progression of the connections being established at each layer.

• LLC can be set to efficiently use the wire. Data can be piggybacked on the ACK frame from the server.


Slide Title: Understanding LLC Frame Numbering

Each side maintains separate sequence numbers.

As you explain this, use the terms “Now sending” and “Next expect to receive” to help them make the link between the NS and the NR.

This slide has a “build” that will display one line per click.

Frames 1 and 2 are the Receive Ready setup - each side tells the other their first sequence number will be 0.

Frame 3 Workstation “Now sending” number 0, next expects to receive 0.

Frame 4 Server “Now sending” number 0, next expects to receive 1. (In other words, I’m acknowledging I got frame 0.)

Frame 5 Workstation now sending frame 1, next expects to receive frame 1 (acknowledges frame 0).

Frame 6 Server now sending frame 1, next expects to receive frame 2 (acknowledges frame 1).

Frame 7-8 Server sends frames 2-3.

Frame 9 Workstation acknowledges frames 1 through 3 by saying “I next expect 4.”

Question: If frame 7 (NS=2) becomes lost or is damaged and the workstation receives frames 6 and 8 (NS=1 and NS=3), which frame will the workstation ACK (NR=?)?

Answer: The workstation will ACK 2 (NR=2).
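An added example (not from the course material) that works through the lost-frame question above together with the REJ/FRMR receive-window rule from the FRMR vs. REJ student notes. It is a simplified model: the receiver answers every in-sequence I frame with an RR, and the window size of 3 and all class and function names are assumptions of this example.

```python
MODULO = 128  # Type 2 sequence numbers wrap modulo 128


class Type2Receiver:
    """Receive side of one direction of a Type 2 link (simplified model)."""

    def __init__(self, window):
        self.vr = 0                  # "next expect to receive", sent as N(R)
        self.window = window         # receive window size (assumed value)
        self.rej_outstanding = False

    def on_i_frame(self, ns):
        """Return the reply to an I frame carrying N(S)=ns, or None if it is dropped."""
        if ns == self.vr:
            self.vr = (self.vr + 1) % MODULO
            self.rej_outstanding = False
            return "RR NR=%d" % self.vr
        if (ns - self.vr) % MODULO < self.window:
            # A gap inside the receive window: request a resend, but only once.
            if self.rej_outstanding:
                return None
            self.rej_outstanding = True
            return "REJ NR=%d" % self.vr
        return "FRMR"                # N(S) outside the receive window


class Type2Sender:
    """Send side: numbers I frames and keeps them until they are acknowledged."""

    def __init__(self):
        self.vs = 0                  # "now sending", sent as N(S)
        self.unacked = []            # N(S) values awaiting acknowledgment, oldest first

    def send(self):
        ns = self.vs
        self.unacked.append(ns)
        self.vs = (self.vs + 1) % MODULO
        return ns

    def on_nr(self, nr):
        """Apply N(R) from an RR or REJ; return the frames still unacknowledged."""
        if nr != self.vs and nr not in self.unacked:
            raise ValueError("invalid N(R)=%d: a FRMR condition" % nr)
        while self.unacked and self.unacked[0] != nr:
            self.unacked.pop(0)      # everything before N(R) is acknowledged
        return list(self.unacked)


def replay_lost_frame():
    """Server sends NS=0..3, NS=2 is lost; return (receiver log, frames resent)."""
    server, workstation = Type2Sender(), Type2Receiver(window=3)
    for _ in range(4):
        server.send()
    log = []
    for ns in (0, 1, 3):             # constructed arrival order: NS=2 never arrives
        log.append((ns, workstation.on_i_frame(ns)))
    # The REJ carries N(R)=2; the sender backs up and resends from that frame.
    resend = server.on_nr(workstation.vr)
    for ns in resend:
        log.append((ns, workstation.on_i_frame(ns)))
    return log, resend


if __name__ == "__main__":
    events, resent = replay_lost_frame()
    for ns, reply in events:
        print("I NS=%d  ->  %s" % (ns, reply))
    print("resent after REJ:", resent)
```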

Common LLC Problems

• LLC is usually very reliable
• When problems happen the most common reasons are:
– Connection reset
– Unsupported LLC frame types
– Flow control lockup
– Frame sequence retransmission
– Excessive length information field
– Expired timers
– Expired counters

• Connections get reset when one side stops responding or stops sending correctly sequenced frames. We will see an example in the exercise.

• Unsupported LLC frame types and excessive length information fields shouldn't happen if the implementation follows the LLC specification.

• Flow control lockup happens when a station continually sends Receive Not Ready due to lack of buffers or other resource problems.

• Retransmissions may be happening because the sender's timer isn't set correctly, and the sender isn't waiting long enough for acknowledgment. Counters refer to how many times a station will retransmit. Timers and counters are configurable.


Slide Title: Common LLC Problems

LLC is pretty reliable. When failures occur, look for:

Connection resets if the parameters were not negotiated properly.

Connection resets due to incorrect sequence numbers. They must resend every frame after the error.

Unsupported frame types.

Flow control lockup - each one hears the other’s hold music.

Excessive length fields.

Buffer allocation problems causing RNR.

Adjust configuration file.

Short retransmission timers, which cause retransmissions.

Configure longer. Vendors may have configuration files that override the driver’s timers.

Problems are frequently caused by device drivers.

Exercises: Observing LLC (Ethernet)

Turn to the lab section to complete this exercise


Slide Title: Exercises: Observing LLC (Ethernet)

This is a new exercise using a new trace file.

It is mostly FYI and pretty straightforward.

Practice it!


10BASE5 and 10BASE2


Slide Title: 10BASE5 and 10BASE2

Important Points to Cover: Section Title Page.

Header page to show the components that the specifications were built upon.

Even though we have placed this further in the back of the book now, we cannot neglect it.


10BASE2 and 5 Components

[Figure: 10BASE2 and 10BASE5 components. Labels: 10BASE-T hub, unshielded twisted pair, repeater, 10BASE5 thick Ethernet, 10BASE2 thin Ethernet, transceiver, AUI cable, Network Interface Cards (NICs), 50 Ω terminators, ground.]

Transceiver: Used to physically and electrically attach DTE equipment to the network.

Transceivers sense carrier and detect collisions. If a collision occurs, the transceiver notifies the adapter by outputting a voltage on the collision present circuit. V2 Ethernet added SQE. The transceiver notifies the adapter during the interframe gap time that it is capable of informing the adapter if a collision occurs. With 802.3 specs, a transceiver provided a jabber latch. There are three versions: Version 1 used with the early Ethernet specification, Version 2 Ethernet (Heartbeat added), and IEEE 802.3 version (changes to the AUI wiring). A transceiver can be built into the Network Interface Controller (Card). This is used in 10BASE-T and 10BASE2. A fourth type of transceiver is the Fiber Optic transceiver.

Repeaters: Used to extend the cable segment beyond the maximum segment distance for the topology used. Repeaters are also used when changing from one media type to another (that is, from thick to thin Ethernet).


Slide Title: 10BASE2 and 5 Components

Important Points to Cover: Terminators remove the signal from the wire and prevent reflections back onto the wire.

Thick Ethernet cable

Color defines the place it is installed.

Some give off noxious fumes, so they must be installed in plenums.

Spec defines as a “bright color.”

Thin Ethernet (Cheaper net)

Transceivers

External: Vampire tap into the thick cable or small box attached to the AUI connector of the adapter.

Internal: On the card.

AUI Cable

NICs

Grounding rules

Ground only one end of each segment to a good earth ground.

Repeater: Used to extend the signal and other functions.

Hub: Yes, they are used frequently today.

This shows a way that they can be integrated into legacy environments.


10BASE5 Thick Ethernet

[Figure: 10BASE5 coax cable segment with a 50 Ω terminator at each end, a transceiver and an AUI cable.]

• Maximum segment length = 500 meters
• Each end terminated with 50 ohm terminators
• Maximum number of attachments per segment = 100
• Maximum length of AUI cable = 50 meters*
• Minimum separation between attachments = 2.5 meters

2.5m minimum separation makes sure that signal reflections, when they occur (that is, the cable is unterminated), do not add up in phase, which would probably blow the transceiver. The 500 meter segment does not need to be made from a single length of cable. Cable sections can be joined together using "N" type barrel connectors. The IEEE 802.3 specification recommends the following when splicing thick cable:

1. Use cable sections from the same manufacturer and cable lot number, to avoid impedance mismatch and other problems.

2. To minimize signal reflection problems, use segments that are lengths of 23.4m, 70.2m, and 117m. Since these lengths are odd integral multiples of a half wavelength in the cable at 5 MHz, reflections do not have a high probability of adding in phase. (A 5 MHz signal is achieved when the transceiver is outputting only alternating ones and zeros, as it does with the preamble.)

*The maximum length of the AUI cables refers to transmission model one, which we will discuss later.


Slide Title: 10BASE5 Thick Ethernet

Important Points to Cover: Slide and notes are adequate.


10BASE5 Components

[Figure: 10BASE5 components. Labels: thick coax cable, transceivers, AUI cables, terminal server, multi-port repeater, multi-port transceiver, 50 Ω terminator, 50 Ω terminator to ground.]

A terminal server could be used to support RS-232 connected ASCII "dumb" terminals to the Ethernet. CSMA/CD is done in the terminal server.

The Multi-Port Transceiver is also known as a Fan Out box, Delni, or a multi-tap. It is a dumb wiring concentrator that connects multiple workstations using a single tap in the thick Ethernet cable. CSMA/CD is done by the end stations.


Slide Title: 10BASE5 Components

Important Points to Cover: There are probably still some of these lurking in older environments.


Signal Quality Error Test

• SQE is used to test the collision presence circuit

• After successfully transmitting data, the Transceiver asserts the SQE signal on the collision presence circuit

• When the Network Interface Card sees the SQE signal asserted, it knows the Transceiver can inform the Network Interface Card when a collision does occur

• Not supported by Ethernet Version 1 equipment

• Turn off SQE on a transceiver attached to an AUI port on a repeater or repeating hub

• Transceivers that are integral to the NIC do not require SQE to test the AUI link between NIC and transceiver: the link is hard-wired

[Figure: SQE TEST signal between the transceiver and the Network Interface Card (NIC) over the AUI cable.]

From 802.3: "At the conclusion of the output function, the Data Terminal Equipment opens a time window during which it expects to see the SQE signal asserted on the Control In (collision presence) circuit. The time window begins when CARRIER_STATUS becomes CARRIER_OFF. The duration of the window shall be at least 4.0 microseconds but no more than 8.0 microseconds. During the window, the Carrier Sense Function is inhibited."

SQE should be turned off on transceivers connected to repeaters because a repeater can't be inhibited for 4.0 microseconds. It may receive bits on its other port and need to send them. Most people just turn SQE off because it causes confusion when counting collisions. Some transceivers and network management tools will count the SQE test as a collision (for example, the Collision LED may be lit when the SQE test is asserted).


Slide Title: Signal Quality Error Test

Important Points to Cover: Turn SQE off on repeaters and hubs (that act as repeaters).

Some manufacturers require that SQE be turned on for their cards and Media Access Unit (MAU) combinations. (HP required this on their cards. Present requirement is unknown.)

The specifications don’t say what the NIC card does if it expects the SQE test and it doesn’t see it. It is probably driver-dependent (that is, implementation-dependent).

It is important to note that this signal does not go out onto the cable. It is a loop-back between the transmit side of the card, looping through the MAU and back into the receive side of the card. Many students talk about their collision counts going up when they have SQE turned on. You need to ascertain if they are referring to statistics gained by SNMP polls of the collision register on the card (which may count these as collisions) or if they are seeing this on cable statistics. If this is going out onto the cable, it is not obeying IEEE rules.


Analyzing Coax Collisions

[Figure: station A (transmitting station) and a 2nd station near point B, connected through repeaters R1, R2 and R3, 50 m AUI cables and an 800 m fiber link; Sniffer Pro 1, Sniffer Pro 2 and Sniffer Pro 3 are attached at different points. The point of collision (x) is marked at 450 m.]

(Point of collision) Evidence of collision will arrive at station A ______ bytes into station A’s transmission

NAI enhanced drivers required to sense and capture collision frames

Once you understand the concepts of signal propagation delay, you can begin to apply them to perform more precise analysis of the collision frames you find in your Sniffer Pro analyzer traces.

As shown in the diagram above, what you will see in the trace will depend upon:

1) The point of collision.
2) The location of the Sniffer Pro analyzer relative to the collision point.

The diagram shows one collision event. However, each of the three Sniffer Pro analyzers will show different indications of the event. This fact is key to effective troubleshooting.

All components are given in terms of their equivalent lengths in Thicknet coax:

R1 = 231 m (10 bit times)
R2 and R3 pair = 231 m
50 m AUI segment = 59 m
800 m fiber segment = 933 m

Total equivalent Thicknet distance between points A & B


Slide Title: Analyzing Coax Collisions

This has been included in the student appendix.

This diagram should enable you to tie together three important concepts you have learned:

1. The propagation delay of a signal on different types of media (per How long is a bit)
2. How different Ethernet physical components react during a collision (station jam signal, hub jam, etc.)
3. How different Sniffers react to the same collision event.

The scenario is as follows: Station A starts a transmission. The transmission goes both ways towards Sniffers 1 and 2, and towards Sniffer 3. Just before the leading bit of the preamble reaches the far end of the uppermost Ethernet segment, the station near point B starts a transmission, causing a collision at Point B. The following concepts will help you understand the scenario:

• The station at point B will be the first station to detect the collision; what will it do? (Send a 32-bit jam signal.) Why? (To busy the wire and enable repeater R3 to detect evidence of the collision.) What is the evidence? (2 signals on the same coaxial media: R3’s and the jam from the station at point B.)

• Sniffer 1 will not show any evidence that a collision occurred (unless it’s a version that’s counting preamble collisions). Why? (Because we don’t capture preamble collisions.)

• How repeaters R3 and R2 react to the collision when the jam signal reaches them. (R3 will begin to jam 96 bits back to R2; R2 will begin to jam 96 bits on the middle coaxial segment towards Station A.)

• What Station A has been doing during all this time. (Still transmitting its signal.) How much of Station A’s signal has gotten out on the wire before the jam signal from R2 reaches it? Here is some of the math to show the different propagation delays by differing types of media and repeaters:

Total equivalent Thicknet distance between points A & B:
59 + 450 + 59 + 231 + 59 + 933 + 59 + 59 + 450 = 2359 m
2359 m / 23.1 = 102 bits, or 12.75 bytes

• What will happen when the jam signal reaches Sniffer 2? (Because this is coaxial media, the combination of Station A’s transmission and the 96-bit jam signal from R2 will cause the receive function on Sniffer 2 to lose synchronization/clocking. When this happens, the Sniffer stops capturing the frame and truncates it if enough of the frame – 2 bytes past the preamble – has been received.) What sort of flag will be posted with this frame? (The “X” flag.)

• Major learning point: If someone hands you a trace file for analysis and you see the X flag posted on truncated frames, you can say with a high degree of certainty that the trace was captured from coaxial media!

• What will happen when Station A realizes that a collision has occurred? (Starts jamming 32 bits.) Has this been a “legal” collision event? (Yes, because it has happened well before 64 bytes have left Station A.)

• What does repeater R1 do when it sees evidence of the collision? (Starts jamming 96 bits onto the lowermost Thicknet segment.) What causes R1 to sense the collision event? (The combined jam signals from R2 and Station A.)

• What will be recorded on Sniffer 3? (Because the Sniffer was on a segment where only one signal, the one from the lower half of R1, was being broadcast, the frame will appear similar to how it does on Sniffer 2. However, the frame will not be truncated but will be followed by R1’s jam pattern of alternating 1’s and 0’s, which will be translated to the hex values of AA’s or 55’s.) What flags will be posted? (R and C, but certainly not an X flag.) How many bytes of AA’s and 55’s will be shown? (This will depend upon what the vendor has implemented as the jam pattern; remember that 96 bits are a minimum. Generally, it is safe to assume that you will see a value of 12 bytes, plus or minus 4.)

Major learning point: Because Sniffer 3 has been on the far side of a repeater for this event, this simulates exactly what happens in 10baseT environments. In 10baseT shared environments, a station can only receive direct evidence of collision if the hub sends a jam signal while that station is transmitting. And since Sniffers don’t transmit, it has to use the jam pattern to deduce that a collision occurred somewhere.


10BASE2 Thin Ethernet

[Figure: 10BASE2 segment of RG 58 cable with BNC tee connectors, a 50 Ω terminator at one end and a 50 Ω terminator to ground at the other. Drop cable not permitted!]

• Maximum segment length = 185 meters
• Maximum number of attachments per segment = 30
• Minimum separation between stations = 0.5 meters

Thin Ethernet, at 0.18 inches in diameter, is also known as Cheapernet.

T connectors must be right at the network interface card. Adding additional cable to go from the T to a network interface card is not permitted, though people do it. This will suffice if you're not approaching length limitations, though the signal will attenuate. The problem with this solution is that most people forget to count it in their length considerations.


Slide Title: 10BASE2 Thin Ethernet

Important Points to Cover: Again, focus on the termination rules.

Mention the drawing in their notes section.


Exponential Backoff
Transmission Models 1 and 2 Details


Slide Title: Exponential Backoff Transmission Models 1 and 2 Details

Important Points to Cover: Title page only.


Truncated Binary Exponential Backoff

• BackoffTime = RandomNumber multiplied by SlotTime
• SlotTime = time to propagate 512 bits (i.e., 51.2 µseconds)
• RandomNumber is greater than or equal to 0 and less than 2^n
• n = number of times it has tried for first 10 times or n = 10 for the 11th through 16th try
• After 16 tries, report error to the upper-layer protocol

The backoff time is an integral random multiple of the Slot Time.

0 is considered by some to be an integer, and some implementations do choose 0 constantly. It is rather rude: some chipsets will see the resulting transmission not as a runt followed by a good frame, but as a single oversize frame, or may not see the good frame at all. This is the basis of some of the accusations of the Sniffer analyzer losing frames. Choosing 0, by the way, assumes that no one else on the net is playing the same rude trick, or that everyone who is playing that trick can sense a new frame at 1.6 instead of 9.6 bit times. It can cause repeated collisions between the same two stations.
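The backoff rule on this slide, and the effect of the "always choose 0" shortcut described in the notes, as an added example that is not part of the course material. The two-station model (the only stations with traffic, colliding again whenever both pick the same slot count) and all function names are assumptions of this example.

```python
import random

SLOT_TIME_US = 51.2   # time to propagate 512 bits at 10 Mbps (from the slide)
BACKOFF_LIMIT = 10    # n stops growing after the 10th try
ATTEMPT_LIMIT = 16    # after 16 tries the error goes to the upper layer


def backoff_window(attempt: int) -> int:
    """Number of possible slot counts on this try: 0 <= RandomNumber < 2**n."""
    if not 1 <= attempt <= ATTEMPT_LIMIT:
        raise ValueError("attempt must be between 1 and 16")
    return 2 ** min(attempt, BACKOFF_LIMIT)


def worst_case_delay_us(attempt: int) -> float:
    """Longest BackoffTime a compliant station can draw on this try."""
    return (backoff_window(attempt) - 1) * SLOT_TIME_US


def compliant(attempt: int, rng: random.Random) -> int:
    """Slot count drawn by a station that follows the rule on the slide."""
    return rng.randrange(backoff_window(attempt))


def always_zero(attempt: int, rng: random.Random) -> int:
    """Slot count used by an implementation that constantly chooses 0."""
    return 0


def tries_to_resolve(pick_a, pick_b, rng: random.Random):
    """Two stations have just collided. Return the try on which they draw
    different slot counts, or None when all 16 tries collide (the point at
    which the error is reported to the upper-layer protocol)."""
    for attempt in range(1, ATTEMPT_LIMIT + 1):
        if pick_a(attempt, rng) != pick_b(attempt, rng):
            return attempt
    return None


def excessive_collision_rate(pick_a, pick_b, trials: int = 500, seed: int = 1) -> float:
    """Fraction of simulated collision events that exhaust all 16 tries."""
    rng = random.Random(seed)  # fixed seed so the run is repeatable
    failures = sum(
        tries_to_resolve(pick_a, pick_b, rng) is None for _ in range(trials)
    )
    return failures / trials


if __name__ == "__main__":
    for n in (1, 2, 3, 10, 16):
        print(f"try {n:2d}: window {backoff_window(n):4d} slots, "
              f"worst case {worst_case_delay_us(n):9.1f} microseconds")
    print("compliant vs compliant    :", excessive_collision_rate(compliant, compliant))
    print("always-zero vs compliant  :", excessive_collision_rate(always_zero, compliant))
    print("always-zero vs always-zero:", excessive_collision_rate(always_zero, always_zero))
```

One always-zero station still separates from a compliant peer as soon as the peer draws a nonzero slot count; two always-zero stations never separate and run out of tries every time.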


Slide Title: Truncated Binary Exponential Backoff

Important Points to Cover: The slide is self-explanatory.


New IEEE Maximum Topology Specs

• The maximum topology of a 10 Mbps baseband network is limited by two factors:
  – Round-trip collision delay
  – Interpacket gap shrinkage

• There are two methods, or “transmission models,” for calculating the round-trip collision delay (i.e., maximum copper and fiber lengths), according to the standard
  – Model 1 closely follows the 5-4-3 rule
  – Model 2 assigns a value to each type and length of copper or fiber media, which corresponds to a worst-case round-trip delay for the Ethernet signal

The new standards allow you to mix media types in your networks. More details on these specifications are in the appendix.


Slide Title: New IEEE 802.3 Maximum Topology Specs

Important Points to Cover:

This presents the factors in the determination and states there are two ways to calculate the maximum topology.

Factors: Round-trip collision delay; interpacket gap shrinkage

Models 1 and 2 detailed on the next pages.


Transmission Models 1 and 2

• 10 Mbps maximum topology rules

• Transmission Model 1 is the more conservative and restrictive of the two
  – It has the advantage of being validated to work with all vendors’ products

• Transmission Model 2 uses tables to calculate:
  – Round-trip delay times for all types of media
  – Interpacket gap shrinkage for multiple repeaters

Model 2 is more cumbersome than Model 1, but has the advantage of extending the topology farther.

It also more accurately reflects the types of distances found in real networks.


Slide Title: Transmission Models 1 and 2

Important Points to Cover: The slide is self-explanatory.


Transmission Model 1

• Closely matches the traditional “5-4-3 rule” of traditional Ethernet networks
  – FOIRL, 10baseFL, 10baseFB and 10baseFP links are included
  – AUI cables, if used, are restricted to 25 meters in length
  – The maximum allowable length of any inter-repeater fiber segment is restricted to 1000 meters (FOIRL, FL, and FB)
    • If all five segments are present, the maximum length of any fiber segment shall not exceed 500 meters
  – The maximum length for a fiber hub-to-station (repeater-to-DTE) drop is 400 meters in an Ethernet network that also contains a 1000-meter link segment
    • If fiber link segments are held to 500 meters, the maximum fiber hub-to-station drop is increased to 500 meters

Since no vendors are known to manufacture to 10baseFP standards, we will not consider 10baseFP in this course.

FOIRL = Fiber Optic Inter-Repeater Link

FP = Fiber Passive

FL = Fiber Link (replaces FOIRL)

FB = Specification for fiber with lower repeater delay that allows for longer length


Slide Title: Transmission Model 1

Important Points to Cover: Most similar to 5-4-3.

AUI cables 25 meters maximum.

Maximum inter-repeater fiber cable is 1000 meters, but if 5 are used, then the maximum of each is reduced to 500 meters.

Add diagram here.


Model 2 Path Delay Value

• Model 2 assigns a value to each type and length of copper or fiber media, which corresponds to a worst-case round-trip delay for the Ethernet signal
  – The value also takes into account the repeater for any fiber or copper segment

• Starting from the point of highest variability in your network (call it the “left end”), calculate the length of each segment across repeaters to the farthest station on the network (called the “right end”)
  – Add the individual segment values to arrive at a total Path Delay Value, or PDV
  – The total should not exceed 572 bit times
  – The number of repeaters on any path may exceed the Model 1 limit of four

[Figure: five segments with Delay A through Delay E, joined by four repeaters (R).]

PDV = A + B + C + D + E <= 572

The standards add an additional value of 5 to the Path Delay Value for a margin of error.


Slide Title: Transmission Model 2 (Calculating Path Delay Value)

Important Points to Cover: Calculations are made using two types of variables: Path Delay Values and Interpacket Gap Shrinkage. We’ll cover the first one here and the second one on the next slide.

[Figure: segments A, B, C, D and E.]

Tables have been established that set delay for segments.
Delay values reflect the media type and repeater.
Total delay of A + B + C + D + E must be less than 572.
There may be no more than four repeaters.


Transmission Model 2 (Calculating Interpacket Gap Shrinkage)

• The distance (in bit times) in the gap between frames will decrease with each repeater in the path as repeaters regenerate the preambles of Ethernet frames
  – This limits the number of repeaters that can be installed on any given path on very short networks

• The calculation is made by adding the path variability values (or PVV) for each segment across repeaters that the signal must pass
  – The total value must not exceed 49 bit times

[Figure: four segments with PVV A through PVV D, joined by repeaters (R).]

PVV A + B + C + D <= 49 bit times

The starting point is called the transmitting end, the center segments are called “mid-segments”.

The far end (“receive end”) across the last repeater is not taken into consideration.

We will be using a network diagram in the next exercise to determine if it passes the model 1 or 2 requirements.


Slide Title: Transmission Model 2 (Calculating Interpacket Gap Shrinkage)

Important Points to Cover: Here is part two.

Repeaters shrink the interpacket gap as they regenerate the preambles. Each successive repeater shortens it more.

This calculation is the deciding factor in how many repeaters can be in a segment.

[Figure: segments A, B, C and D.]

pvv A + pvv B + pvv C + pvv D must be less than 49 bit times


Maximum Transmission Paths

[Figure: maximum transmission path with four repeaters and five segments: three coax segments (500 m 10Base5 or 185 m 10Base2 coax links) and two 10BaseT or fiber optic links (100 m 10BaseT or 500 m 10BaseFL link). Each DTE attaches through an AUI cable and a MAU.]

The fiber link is called FOIRL (Fiber Optic Inter-repeater Link).

You’ll often hear the maximum distance between two stations on an Ethernet network is 2.8 kilometers. That number is derived by drawing the topology shown above. The 2.8 kilometers limit is mentioned in the Ethernet Version 2 Blue Book specification. It is not mentioned in 802.3. (802.3 has the picture from the previous page.)

Note: the Ethernet maximum distance specification does abide by the newer 802.3 specification: the 2.8 km limit is a special case of the general rules.

The Version 2 specification explained the maximum topology slightly differently:

[Figure: Version 2 maximum topology between two end stations: AUI cables (50 meters maximum), coax segments (500 meters maximum each), repeaters, and a fiber optic link between repeaters.]

3 x 500-meter coax cable segments = 1500 meters
+ 1 x 1000-meter fiber optic link = 1000 meters
+ 6 x 50-meter AUI cables = 300 meters
2800 meters total distance between transmitting stations


Slide Title: Maximum Transmission Paths

Important Points to Cover: Here is a graphic representation of allowable cable lengths for various types of media.


Model 1 Max Transmission Paths

[Figure: two Model 1 maximum paths built from repeater sets, with MAUs and DTEs on AUI cables. Link labels: 500 m coax 10Base5 link, 100 m 10BaseT links, 500 m fiber optic links, 1 km fiber optic links.
Path 1: 4 repeaters, 5 links (1 coax, 3 10BaseT and/or 2 fiber optic links).
Path 2: 3 repeaters, 4 link segments (2 10BaseT and 2 1 km fiber optic links).]


Slide Title: Model 1 Max Transmission Paths

Important Points to Cover: This is the first of two diagrams showing different allowed maximum path configurations.

These diagrams are modified from the diagrams in section 13 of the 802.3 spec. The 10Base FP sections were replaced with FL or T since FP is not used in current networks.

The slide is complete.


Model 1 Max Transmission Paths

[Figure: two further Model 1 maximum paths built from repeater sets, with MAUs and DTEs on 25 m AUI cables.
Path 1: 3 repeaters, 4 link segments (1 x 1 km 10BaseFB, 1 x 1 km FOIRL, 2 x 400 m 10BaseFL).
Path 2: 4 repeaters, 5 link segments (2 x 500 m 10BaseFB, 1 x 500 m FOIRL, 2 x 500 m 10BaseFL).]


Slide Title: Model 1 Max Transmission Paths

Important Points to Cover: This is the second two of four diagrams showing different allowed maximum path configurations.

The slide is complete.


Helpful Information

List of Known Ethertypes
Ethernet Frame Type References
An explanation of the Analyzing Coax Collisions diagrams in the appendix
Recommended Reading List
Helpful WWW Links


List of Most Common Service Access Points (SAPs)

SAP  Protocol  Purpose  Organization

00  Null XID or Text  IEEE
02  LLC Individual Sublayer Management  IEEE
03  LLC Group Sublayer Management  IEEE
04  SNA Individual Path Control  IBM
05  SNA Group Path Control  IBM
06  IP  IP SAP for TCP/IP  DOD
08  SNA  IBM
0C  SNA  IBM
0E  IEC 955 PROWAY Network Management  IEEE
10  IPX  Novell
18  Texas Instr
20  CLNP Network Layer  ISO
34  CLNP  ISO
42  BPDU Spanning Tree Bridge Management  IEEE
4E  EIA RS-511 Manufacturing Message Service  IEEE
7E  ISO 8208 X.25 over 802.2 Type 2 LLC  IEEE
80  XNS  3Com
86  Nestar
8E  IEC 955 Active station list maintenance  IEEE
98  Address Resolution Protocol (ARP)  ARPANET
AA  SNAP Subnetwork Access Protocol  DOD
BC  VIP  Banyan
E0  IPX Network Layer Routing  Novell
EC  CLNP  ISO
F0  NetBIOS  IBM
F4  LM Individual  IBM
F5  LM Group  IBM
F8  Remote Program Load (RPL)  IBM
FE  Network Layer Protocol  ISO
FF  Global LSAP


List of Known EthertypesEthertype Protocol Purpose Organization

0000-05EE None IEEE 802.3 Length Field IEEE0000-05FF 802.5 IEEE 802.5 Length Field IEEE0101-01FF PUP Xerox0200 PUP Address Translation Xerox0201 PUP Address Translation Xerox0400 Nixdorf0600 XNS IDP Xerox0601 XNS Address Translation 3MB Only Xerox0800 IP IP DOD0801 X.25 Internet0802 NBS Internet0803 ECMA Internet0804 CHAOSNet Texas Instr0805 X.25 Level 30806 ARP For IP and CHAOS DOD0807 XNS081C Private Symbolix0888-088A Debugger0900 Address Translation UB0A00 PUP Address Translation Xerox0A01 PUP Xerox0BAD VIP Banyan1000 Trailer Negotiation Berkely1001-100F IP Trailer Block Encapsulation Berkley1600 Simnet Valid System Protocol BBN4242 PCS Basic BI5208 Simnet Private BBN6000 Unassigned DEC6001 MOP Dump Load Assistance DEC6002 MOP Remote Console DEC6003 Phase IV DRP Routing DEC6004 LAT Local Area Transport DEC6005 Diagnostics DEC6006 User Protocol DEC6007 LAVC System Communication Architecture DEC6008-6009 Unassigned DEC6010-6014 3Com7000 Download UB7001 NIU UB7002 BootDiagLoop “Broadcast at Boot Stage, DL” UB7020-7029 LRT7030 Proteon7034 Caletrom

Page 612: Ethernet Network Analysis and Troubleshooting

Section 9 Ethernet Network Analysis and Troubleshooting

Page 9 - 44

8003 VLN Chronus
8004 Direct Chronus
8005 Probe Protocol HP
8006 Nestar
8008 Local Use AT&T Stanford
8010 Excelan
8013 Diagnostics SGI
8014 Network Games SGI
8015 SGI
8016 Stanford
8019 Bounce Server HP Apollo
802E Native Ethernet Tymeshare
802F Tigan, Inc
8035 RARP DOD
8036 Aenoic Systems
8038 BPDU Spanning Tree Bridge Management DEC
8039 DSM/DTP DEC
803A Argonaut Con DEC
803B VAXLN DEC
803C Unassigned DEC
803D CSMA/CD Encryption DEC
803E DNA Time Service DEC
803F LAN Traffic Monitor DEC
8040 NetBIOS Emulator DEC
8041 LAST Local Area System Transport DEC
8042 Future Use DEC
8044 Plan Res Co
8046-8047 AT&T
8049 Expert Data
805B V Kernel Experimental Stanford
805C V Kernel Production Stanford
805D Evans & Suther
8060 Lt Machines
8062 Counterpoint
8065-8066 Univ of Mass
8067 Integrated Automation Veeco
8068 General Dynamics
8069 AT&T
806A Autophon
806C ComDesign
806D Compugraphic
806E-8077 Graphics Landmark


807A Matra
807B Data Elektronik Dansk
807C Merti
807D-807F Bridge, Router, WAN Manager Vitalink
8080 TranLAN III Management Vitalink
8081-8083 Counterpoint
8088-808A Xyplex
809B Ether-Talk Kinetics
809C-809E Datability
809F Spider
80A3 Nixdorf
80A4-80B3 Siemens
80C0-80C3 DCA
80C6 Pacer Software
80C7 Applitek Corp
80C8-80CC Intergraph Inc
80CD-80CE Harris/3M
80CF-80D3 Taylor
80D4 Rosemont
80D5 RT Distributed Services/DB IBM
80DD Varian
80DE Transparent Remote File System Integrated Systems
80DF Integrated Systems
80E0-80E3 Allen Bradley
80E4-80F0 Datability
80F2 Bridge Management Retix
80F3 AppleTalk Apple
80F4-80F5 AppleTalk Shiva
80F7 HP Apollo
80FF-8103 Bridge Management Wellfleet
8107-8109 Private Symbolics
8130 Waterloo
8131 VG Labs
8137-8138 NetWare IPX Novell
8139-813D KTI
9000 LAN Loopback DEC
9001 Bridge Comm. Management Xerox
9002 3Com
9003 3Com
FF00 Vital LAN Bridge cache wake BBN


Ethernet Frame Type References

Version 2 Frame

Bytes Field
8 Preamble
6 Destination Address
6 Source Address
2 Ethertype
46 to 1500 Data – Padded to minimum frame length of 64 bytes
4 Frame Check Sequence (FCS)

IEEE 802.3 Frame

Bytes Field
8 Preamble (7 bytes preamble, 1 byte of Start of Frame Delimiter)
6 Destination Address
6 Source Address
2 Length
1 Destination SAP (LLC)
1 Source SAP (LLC)
1-2 Control (LLC)
42 to 1497 Data – Padded to minimum length of 64 bytes
4 Frame Check Sequence (FCS)

New IEEE Frame

Bytes Field
8 Preamble (7 bytes preamble, 1 byte of Start of Frame Delimiter)
6 Destination Address
6 Source Address
2 Type/Length
1 Destination SAP
1 Source SAP
42 to 1497 Data – Padded to minimum length of 64 bytes
4 Frame Check Sequence (FCS)

NetWare “Raw” Frame

Bytes Field
8 Preamble
6 Destination Address
6 Source Address
2 Length
46 to 1500 FFFF followed by Data – Padded to minimum frame length of 64 bytes
4 Frame Check Sequence (FCS)

IEEE 802.3 SNAP Frame

Bytes Field
8 Preamble (7 bytes preamble, 1 byte of Start of Frame Delimiter)
6 Destination Address
6 Source Address
2 Length
1 Destination SAP (LLC)
1 Source SAP (LLC)
2 Control (LLC)
3 Vendor Code (SNAP)
2 Type (SNAP)
38 to 1492 Data – Padded to minimum length of 64 bytes
4 Frame Check Sequence (FCS)


An explanation of the Analyzing Coax Collisions diagrams in the appendix

This diagram should enable you to tie together three important concepts you have learned:

1. The propagation delay of a signal on different types of media (per How long is a bit)
2. How different Ethernet physical components react during a collision (station jam signal, hub jam, etc.)
3. How different Sniffers react to the same collision event.

The scenario is as follows: Station A starts a transmission. The transmission goes both ways, towards Sniffers 1 and 2 and towards Sniffer 3. Just before the leading bit of the preamble reaches the far end of the uppermost Ethernet segment, the station near point B starts a transmission, causing a collision at Point B. The following concepts will help you understand the scenario:

• The station at point B will be the first station to detect the collision; what will it do? (Send a 32-bit jam signal.) Why? (To busy the wire and enable repeater R3 to detect evidence of the collision.) What is the evidence? (2 signals on the same coaxial media: R3’s and the jam from the station at point B.)

• Sniffer 1 will not show any evidence that a collision occurred (unless it’s a version that’s counting preamble collisions). Why? (Because we don’t capture preamble collisions.)

• How repeaters R3 and R2 react to the collision when the jam signal reaches them. (R3 will begin to jam 96 bits back to R2; R2 will begin to jam 96 bits on the middle coaxial segment towards Station A.)

• What Station A has been doing during all this time. (Still transmitting its signal.) How much of Station A’s signal has gotten out on the wire before the jam signal from R2 reaches it? Here is some of the math to show the different propagation delays by differing types of media and repeaters:

Total equivalent Thicknet distance between points A & B:
59+450+59+231+59+933+59+59+450 = 2359 m
2359 m / 23.1 = 102 bits, or 12.75 bytes

• What will happen when the jam signal reaches Sniffer 2? (Because this is coaxial media, the combination of Station A’s transmission and the 96-bit jam signal from R2 will cause the receive function on Sniffer 2 to lose synchronization/clocking. When this happens, the Sniffer stops capturing the frame and truncates it if enough of the frame – 2 bytes past the preamble – has been received.) What sort of flag will be posted with this frame? (The “X” flag.)

• Major learning point: If someone hands you a trace file for analysis and you see the X flag posted on truncated frames, you can say with a high degree of certainty that the trace was captured from coaxial media!

• What will happen when Station A realizes that a collision has occurred? (Starts jamming 32 bits.) Has this been a “legal” collision event? (Yes, because it has happened well before 64 bytes have left Station A.)

• What does repeater R1 do when it sees evidence of the collision? (Starts jamming 96 bits onto the lowermost Thicknet segment.) What causes R1 to sense the collision event? (The combined jam signals from R2 and Station A.)

• What will be recorded on Sniffer 3? (Because the Sniffer was on a segment where only one signal, the one from the lower half of R1, was being broadcast, the frame will appear similar to how it does on Sniffer 2. However, the frame will not be truncated but will be followed by R1’s jam pattern of alternating 1’s and 0’s, which will be translated to the hex values of AA’s or 55’s.) What flags will be posted? (R and C, but certainly not an X flag.) How many bytes of AA’s and 55’s will be shown? (This will depend upon what the vendor has implemented as the jam pattern; remember that 96 bits are a minimum. Generally, it is safe to assume that you will see a value of 12 bytes, plus or minus 4.)

Major learning point: Because Sniffer 3 has been on the far side of a repeater for this event, this simulates exactly what happens in 10baseT environments. In 10baseT shared environments, a station can only receive direct evidence of a collision if the hub sends a jam signal while that station is transmitting. And since Sniffers don’t transmit, a Sniffer has to use the jam pattern to deduce that a collision occurred somewhere.


Recommended Reading List

Standards

IEEE Standard 802.3, 1998 Edition
This includes the contents of the 8802-3:1996 Edition plus IEEE standard 802-3aa-1998, IEEE Standard 802-3r-1996, IEEE Standard 802.3u-1995, IEEE Standard 802-3u-1995, IEEE Standard 802-3x and y-1997 and IEEE Standard 802-3z-1998. 1268 pages ISBN 0-7381-0330-6

Supplements to IEEE Standard 802-3-1998

802.3ac-1998 Frame Extensions for Virtual Bridged Local Area Network (VLAN) Tagging on 802.3 networks 20 pages ISBN 0-7381-1421-9

802.3ab-1999 Physical Layer Parameters and Specifications for 1000 Mb/s Operation over 4-Pair of category 5 Balance Copper Cabling, Type 1000BASE-T 144 pages ISBN 0-7381-1741-2

Approved draft 802-3ad-2000 Aggregation of Multiple Link Segments 184 pages 0-7381-2468-0

Books

Switched, Fast, and Gigabit Ethernet, Understanding, Building and Managing High-Performance Ethernet Networks 3rd Edition 1999 618 pages Robert Breyer and Sean Riley, Macmillan Technical Publishing ISBN 1-57870-073-6

Gigabit Ethernet, 1998 411 pages Rich Seifert Addison Wesley ISBN 0-201-18553-9

Fast Ethernet, Dawn of a New Network, 1996 310 pages Howard W. Johnson, Prentice Hall ISBN 0-13-352643-7


Helpful WWW Links

http://www.sniffer.com
Sniffer Technologies website

http://www.Standards.ieee.org/
IEEE website

http://www.idg.net/metcalfe/
Bob Metcalfe’s website (the inventor of Ethernet)

http://www.ansi.org
ANSI website

http://www.iol.unh.edu
University of New Hampshire Interoperability Labs. Leaders in interoperability testing for many new technologies. This site has links to tutorials.

http://www.gigabit.ethernet.org
The gigabit alliance website

http://www.tolly.com
Independent hardware testing and industry reports

http://www.nstl.com
National Software Test Lab – independent testing

http://www.global.his.com
Official supplier of IEEE and TIA/EIA standards documents – not free


Instructor Exercises

Sniffer University TNV-202-GUI 4.0-OCT2000


Ethernet Network Analysis and Troubleshooting

4.0-OCT2000 Network Associates 10-1

Table of Contents

Exercise Section 1: Which Frames Are on the Network?
Exercise Section 1: Isolating Frame Types with Pattern Matching (Optional)
Exercise Section 1: A Surprise at 23:00 (Optional)
Exercise Section 2: Comparing Ethernet Data
Exercise Section 3: Cable Specifications
Exercise Section 4: Hubports
Exercise Section 4: More Problems
Exercise Section 4: Test Your Skill
Exercise Section 4: Errors
Exercise Section 4: Evaluating Hub Jams
Exercise Section 4: Ethernet Physical Errors (Optional)
Exercise Section 5: Short Circuited Bridges
Exercise Section 5: Busy Jam
Exercise Section 5: Switch Traffic (Optional)
Exercise Section 6: Fast Ethernet Troubleshooting and Back Pressure
Exercise Section 6: Fast Ethernet Problems
Exercise Section 6: 10/100 Hubs
Exercise Section 8: Gigabit Traffic
Exercise Section 9: Observing LLC

A word of explanation about the formatting of the exercises

Choices you need to make in the menus or configuration windows are in bold.

When you are navigating through a series of steps, they have been shortened and separated with a right arrow.

Example: Pull down the Monitor menu, choose Select Filter, click Select Filter becomes Use Monitor > Select Filter > Select Filter.

As you work through the exercises, you will be opening a series of windows. When asked to close many of them, Sniffer Pro will ask if you want to save them. Do not save the data unless specifically instructed to save the data.

There are more exercises here than can be done in the allotted class time. The instructor will choose exercises that meet the needs of the majority of the students in each class. All of the trace files needed for these exercises are on the CD in your class manual. You may wish to work on these independently if you finish your exercises early or do them outside of class time.


Exercise Section 1: Which Frames Are on the Network?

Objective: Use data pattern filters based on frame formats to determine what frame types are in use on the network and make sure no incompatibilities exist.

Procedure: Identify the most common frame format and then eliminate all frames of that type. When they are gone, you will see what remains. Repeat this process until you have identified all frame types present on the network.

1. Configure the analyzer then open the file:

a. Create a new Agent for this class called "TNV202": File > Select Settings... > New. Name it TNV202 and choose the 10/100 Ethernet adapter. Don’t copy any settings. Click OK twice.

b. Use Display > Display Setup > General to enable the Expert and Post Analysis tabs. (They may already be enabled.) Click OK.

c. Set the agent to loopback with File > Loopback Mode.

d. Open the file C:\202GUI\Mixed_01.cap.

2. From the Expert click on DLC layer Objects. There should be 35. The frame types for each object (adapter) are shown in the Expert Detail panel on the lower right. Hint: on the Expert Summary screen, identify the separator bar on the right. If you drag that up, you’ll see the Objects listed in the upper right; highlighting each in the top right shows its details in the lower right panel.

3. Observe the frame types shown for each adapter. How many different frame types (other than broadcast and multicast) are shown?

Just 2 types, 802.3 and Ethertype. There are actually 3 frame types in this trace file: one standard 802.3 frame with the LLC header and 10 “Raw” Ethernet frames. Unfortunately, the Expert doesn’t distinguish between them.

4. Display the Decode windows and click the Monitor’s Protocol Distribution icon. We’ll use this tool to determine the protocols on the network and their distribution. We’ll need to generate the trace file once to see the protocols. Right-click over the Decode window and choose Send Current Buffer and click OK to send the buffer 1 time.

5. Fill in the table below as you answer the questions from the Protocol Distribution view when the entire trace has been sent (wait until the counter on the lower right goes blank).

a. With the MAC layer and Table view selected, which protocols are listed and how many frames were sent for each protocol?

[Screenshot: Expert window. Callouts: click the arrow on the top of the upper left window to enlarge the right windows; separator bar; Expert Detail panel.]


b. Look at the Pie Chart view and note the percentages of each protocol shown by clicking on each slice (or look at the Bar Graph view and click on each bar to see the stats).

Protocol DECnet IP IPX IP_ARP LAT Others

# Packets 35 27 10 1 1 3

% of Total 45.45% 35.06% 12.99% 1.30% 1.30% 3.90%

You may want to mention that LAT is a part of DECnet, so the total is 36 packets and 46.75%.

6. Close the Protocol Distribution window. From the Decode display, we can get a quick summary of frame types by using Display > Display Setup. On the Summary Display tab, exclude All protocols in the lower window, and then click on Ethernet to enable it. You now see which frames are version 2, but no differentiation is made between the rest. Highlight the non-Ethertype frames, then look in the Detail panel and note the frame types you see.

Most are “raw”, but frame 75 is 802.3 with the LLC header. There are no SNAP frames.

7. To see which station is using each protocol, click the Matrix tab.

a. With the Traffic Map showing the MAC layer, click off all protocols except Other. Ctrl click to select all those end station addresses with “Other” traffic, then press the Visual filter icon to display only these frames. How many frames did you get?

2

What frame type(s) are they using?

Stations HP1 012BB4 and 090009012BB4 (multicast) are using 802.3 frames with the LLC header (SAP FC); stations DECnet 00C8CC and broadcast are using version 2 frames (Ethertype 0804 for Chaosnet).

b. Click back on the Matrix tab (this still reflects the original trace file with all the frames). Now enable only the IPX stations in the Matrix Traffic Map view. Ctrl click on each IPX address to select all of them, then press the Visual filter icon and display the frames. How many frames are there?

10

Does this agree with the number you noted in the chart above?

Yes

Does the frame type match what you anticipated it would?

Yes, they are “raw” frames, typical of NetWare frames

c. We’ll use a similar process to determine the frame types the DECnet stations are using. Click the Matrix tab. Enable only DECnet on the MAC layer of the Traffic Map. Looking at the pattern of the frames on the traffic map, what do you observe?

Almost all of the traffic is to and from the level one router. Only two stations are talking to each other.


CTRL click to select all DECnet addresses, then filter them into a new window. How many frames do you have?

35

Use Display > Display Setup > Summary Display to exclude none of the protocols. What information is being sent?

Most are Router hellos, end node hellos and route advertisements. Only one (frame 40) carries NSP data between 51.4 and 51.30.

What frame type does DECnet use?

Version 2.

d. Last, let’s look at the IP traffic. We’ll use a protocol filter to see those frames. Start with the Decode tab with 77 frames (this is the original unfiltered trace file).

e. Right click over the Summary window, choose Define Filter, then create a new profile called IP using Profiles > New > name = IP, copy the Default filter. Click OK, then Done.

f. Now click the Advanced tab and enable only the IP and IP ARP protocols, click OK.

g. Right click over the Summary window and use Select filter to choose the IP filter. How many frames did you get in the new window?

28

What version frames are they?

Version 2.

This is a fairly quick way of seeing what frames are on your network. The traffic map is especially useful to see IP local router situations. If you see a lot of frames going to a router when they should stay local, you need to look for local router diagnoses in the Expert.

In a NetWare environment, you normally see most of the client traffic going to the servers, since it is a client-server environment. If you see a lot of traffic between servers, investigate to see if a server is being used to forward frames that are not compatible with the intended server’s configuration.

If you are migrating from an IPX-based network to NetWare 5 on IP and are using an intermediate server to forward the frames to the new server, this is a normal phenomenon. This should be an interim short-term solution, since the traffic is doubled with that configuration.

8. Close the window. Do not go on to the next exercise.


Exercise Section 1: Isolating Frame Types with Pattern Matching (Optional)

Objective: Determine what frame formats are in use on the network and make sure no incompatibilities exist.

Procedure: Identify the most common frame format and then eliminate all frames of that type. When they are gone, you will see what remains. Repeat this process until you have identified all frame types present on the network.

1. You can also use pattern match filtering to eliminate frames based on data patterns. We'll repeat this process until you have filtered most frame types present on the network. When the frames you want to exclude are gone, you will see what remains.

Exit the Sniffer application, then start it again so your filtered tabs start at 1. Open the file C:\202GUI\Mixed_01.cap.

2. Which frame format is being used in Frame 1?

Ethernet Version 2

3. Eliminate all frames using the Ethertype in Frame 1. We'll start a new profile and configure a hexadecimal pattern match display filter. Highlight frame 1.

a. Look at the DLC header in the Detail window and note the Ethertype here:

6003

b. Use Display > Define Filter. Click Profiles > New and name it Pattern Match.

c. Copy Existing Profile = Default.

d. Click OK > Done.

e. Click the Data Pattern tab, click Add NOT, then Add Pattern (This window opens).


f. Make sure Pkt: 1 is displayed (If not, use the Previous button).

g. Click on Ethertype = 6003 (DECNET) in the DLC layer of the frame data.

h. Click Set Data. Note the pattern 60 03 is pasted in the data area above and the offset field is updated to C.

FYI: If you wanted to do a different type of pattern match, you would need to click the Format button and choose from Binary, ASCII, EBCDIC before pasting in the data. You can paste up to 32 bytes of data for matching.

i. Click OK here, then OK on the Define Filter window.

4. That's a start, but the filter hasn't been applied yet. Let’s apply the filter now.

a. Right click in the display window, click Select Filter and select the Display Pattern Match filter. Note: Data Pattern should read (NOT DLC: Ethertype = 6003[DECNET]). Click OK.

b. You should have a new Filtered x window with a frame count in the title bar.

c. How many frames are there?

42

5. Note this new filtered window has maintained the original frame numbers. The window should start with frame 3, a DNS OK status frame.

What frame format is being used in Frame 3?

V2

6. We’ll add this Ethertype to our filter to eliminate all frames with the Ethertype in the DNS OK frame.

Write the Ethertype here:

0800

a. Display > Define Filter > Data Pattern tab.

b. Add NOT > Add Pattern.

c. Highlight DLC: Ethertype = 0800 (IP) then click on Set Data. 08 00 pastes in at C.

d. Then click OK. Your match should now look like this:

e. Hold your cursor over the AND line to see how the match has been built this far. Click OK if it matches. Go back and fix it if it doesn't.


f. Right click in the Filtered x display window, click Select Filter > select the Display Pattern Match filter. Click OK.

g. You should get a new Filtered x window with 15 frames that starts with a LAT change node frame.

Is the LAT frame the same frame format as the previous frames?

Yes.

7. Eliminate all frames with the Ethertype in the LAT frame.

Write the Ethertype here:

6004

8. Repeat the same filtering process to eliminate this frame type:

a. Display > Define Filter > Data Pattern tab > Add NOT > Add Pattern.

b. Highlight Ethertype 6004 (DEC LAT), click on Set Data, then click OK.

c. Click OK to save the updated filter.

9. Display > Select Filter > select the Display Pattern Match filter again. Click OK.

How many frames are in the new Filtered x window that pops up?

14

a. What is the frame format in the NSAP frame?

Novell Raw.

b. What field can be used to filter this frame type?

IPX Checksum.

c. What is the hex pattern and offset used to perform this filter?

FFFF at offset 0E.

10. First, we'll create a filter to view only the Novell Raw frames, then we'll change it so we exclude these frames along with the previously excluded Ethertype frames.

a. Since we plan to filter out the Novell Raw frames in the last step, we'll start by adding a NOT before we add the pattern as we did before.

b. Display > Define Filter > Data Pattern tab > Add NOT > Add Pattern.

c. Highlight IPX Checksum = 0xFFFF, click on Set Data, then click OK.

d. Before we finish, remember that we want to include all of the Novell Raw frames and exclude all of the others. To make this happen, click on the NOT left of the IPX Checksum entry so it turns to a solid red (the NOT disappears). Your match should now look like this:


e. Click OK if it matches. Go back and fix it if it doesn't.

11. Display > Select Filter > select the Pattern Match filter again. Click OK.

How many frames are in the new Filtered x window that pops up?

10

12. Review the DLC header in each frame. These should all be 802.3 Raw frames.

13. Let's change our filter to exclude these frames and see what type of frames are left in the trace.

a. Display > Define Filter > Data Pattern tab.

b. Enable the NOT above the IPX Checksum pattern by clicking on the red block.

c. Click OK when finished.

14. Now we need to apply this filter as we did before.

What do you think will happen if we apply the filter to this filtered window?

You'll get the error message "No frames matched the filter!" because this window only contains the 802.3 Raw frames (all other frames were filtered out earlier).

a. Let's go back to our original trace window by clicking the Decode tab.

b. Display > Select Filter > select the Pattern Match filter again. Click OK. How many frames are in the new Filtered 5 window that pops up?

4

15. You have now eliminated all Novell NetWare frames and enough Version 2 traffic so that you can easily examine the remaining frames. Answer the following questions:

a. How many standard 802.3 frames (with only an LLC header) are there?

One - RPL Unknown

b. How many 802.3 SNAP frames are there? zero

c. How many Version 2 frames remain?

Three - ARP, LOOP Reply Receipt, Chaosnet

16. Close the window. Do not go on to the next exercise.


Exercise Section 1: A Surprise at 23:00 (Optional)

Objective: In the real world, you often encounter unexpected results. This exercise presents an unexpected situation and asks you to describe your findings. Your instructor will explain the technical background causing the situation AFTER you have done the exercise. (We don't want to spoil the surprise!)

Instructor Note: You will want to omit this exercise, demo it, or do it with the class if you have chosen not to do the previous optional pattern match filtering exercise. The pattern match required here is not detailed in these steps since it was detailed in the previous exercise.

1. Open the file C:\202GUI\Mixed_02.cap. Display the Decode view.

2. What is the frame format used in Frame 1?

802.3 Raw as evidenced by the 802.3 Length field and missing LLC header.

3. What field will you use to eliminate all these packets to see what else might be on this network?

You will use the IPX Checksum field ('FFFF' pattern).

4. Create a new Data Pattern match called No Raw Frames to eliminate all frames using this frame format. Select the filter.

5. Carefully study your results. Can you explain the 5 frames?

These frames DON'T GO AWAY! When you examine the HEX you will see the '1111' padding bytes between the LENGTH field and the 'FFFF' checksum in the XNS Header. Sniffer Pro assumes they are IPX and decodes them as IPX, posting a message in the Detail window noting the incorrect IPX length field.

6. Close the window. Stop here. Do not proceed to the next exercise.

Instructor Note: Here's the story behind the problem:

These bytes were included when IBM, Sytek (the broadband vendor) and Novell built the IBM Broadband/Ethernet bridge. Although we don't know exactly why Novell put them there, we do know that the request came from Novell. One speculation is that something moved data in 4 byte words and the header, when padded from 14 to 16 bytes, provided 4 even 4-byte words. You will only encounter this in some obscure environments. The exercise is intended to give the student an opportunity to encounter a strange situation and make reasonable observations about it. (Think about a bridge set to filter FFFF!)
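The fixed-offset matching used in the two pattern-match exercises above, as an added Python example (not part of the course material): it classifies frames from the bytes at offsets 0C and 0E and shows why a '1111'-padded frame survives a NOT FFFF-at-0E filter. The sample frames, MAC addresses and function names are constructed for illustration, and the 05EE/0600 boundary follows the ranges in the Ethertype list.

```python
import struct

ETHERTYPE_MIN = 0x0600   # lowest Ethertype in the page's list (XNS IDP)
LENGTH_MAX = 0x05EE      # top of the page's "IEEE 802.3 Length Field" range
TYPE_LEN_OFFSET = 0x0C   # offset Set Data reports for the Ethertype
PAYLOAD_OFFSET = 0x0E    # offset of the IPX checksum in a NetWare "Raw" frame


def build_frame(type_or_length, payload,
                dst=b"\x02\x00\x00\x00\x00\x01",
                src=b"\x02\x00\x00\x00\x00\x02"):
    """Constructed frame as an analyzer shows it: no preamble, no FCS."""
    return dst + src + struct.pack("!H", type_or_length) + payload


def frame_type(frame):
    """Name the frame format from the type/length field and first data bytes."""
    if len(frame) < PAYLOAD_OFFSET + 2:
        return "too short"
    (type_len,) = struct.unpack_from("!H", frame, TYPE_LEN_OFFSET)
    if type_len >= ETHERTYPE_MIN:
        return "Version 2"
    if type_len > LENGTH_MAX:
        return "unknown"
    head = frame[PAYLOAD_OFFSET:PAYLOAD_OFFSET + 4]
    if head[:2] == b"\xff\xff":
        return "802.3 Raw"              # IPX checksum directly after Length
    if head[:2] == b"\x11\x11" and head[2:4] == b"\xff\xff":
        return "802.3 Raw (padded)"     # the '1111' case from the 23:00 exercise
    if head[:2] == b"\xaa\xaa":
        return "802.3 SNAP"             # DSAP/SSAP AA announce a SNAP header
    return "802.3 LLC"


def matches(frame, offset, pattern):
    """One data-pattern match: compare bytes at a fixed offset."""
    return frame[offset:offset + len(pattern)] == pattern


# The NOT patterns built up in the optional pattern-matching exercise.
EXERCISE_NOT_RULES = [
    (0x0C, bytes.fromhex("6003")),  # DECnet Phase IV
    (0x0C, bytes.fromhex("0800")),  # IP
    (0x0C, bytes.fromhex("6004")),  # LAT
    (0x0E, bytes.fromhex("ffff")),  # IPX checksum (NetWare "Raw")
]


def survives(frame, not_rules=EXERCISE_NOT_RULES):
    """True if the frame is still displayed after every NOT pattern is applied."""
    return not any(matches(frame, off, pat) for off, pat in not_rules)


# Constructed sample frames, one per format discussed on the page.
SAMPLES = {
    "decnet": build_frame(0x6003, bytes(46)),
    "ip": build_frame(0x0800, bytes(46)),
    "lat": build_frame(0x6004, bytes(46)),
    "chaosnet": build_frame(0x0804, bytes(46)),
    "ipx_raw": build_frame(0x0020, b"\xff\xff" + bytes(44)),
    "llc": build_frame(0x0020, b"\xfc\xfc\x03" + bytes(43)),
    "snap": build_frame(0x0020, b"\xaa\xaa\x03" + bytes(3) + b"\x80\x9b" + bytes(38)),
    "ipx_padded": build_frame(0x0022, b"\x11\x11\xff\xff" + bytes(42)),
}


def report(samples=SAMPLES):
    """Map each sample name to (frame format, still displayed after the filter)."""
    return {name: (frame_type(f), survives(f)) for name, f in samples.items()}


if __name__ == "__main__":
    for name, (kind, shown) in report().items():
        print(f"{name:11s} {kind:20s} {'displayed' if shown else 'filtered out'}")
```

Any rule that keys on FFFF at offset 0E, whether a display filter or a bridge filter, treats the padded frames as non-IPX, which is the situation the instructor note asks students to think about.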


Exercise Section 2: Comparing Ethernet Data

Objective: To look at a series of trace files captured from different speeds of Ethernet data and compare how they appear in the Decode windows. We’ll start at 10 Mbps data and work to Gigabit. We are not going to do any type of response time measurements; we’ll just look at the delta times between the frames to see how quickly a station can get a frame into the network after the last frame completes. We won’t look at any errors there may be, either. We’ll save that for later.

Background: The appropriate Sniffer Pro was connected to each of these networks and a file was saved.

1. We’ll look at a 10 Mbps trace first. Open C:\202GUI\bcast.cap to the Decode window. This is a trace where every device on the network responded to the RWHO in frame 1 about as fast as they could get them onto the network. There are no physical errors to confuse the timing, but there is one long pause we’ll ignore.

a. What is the range of Delta times between the ARP frames? (Ignore frame 20)

0.002.985 to 0.003.150 – about 3 milliseconds apart (frame 54 is about 4 ms)

b. Click the Statistics tab. What is the line speed shown here?

10 Mbps

2. Now let’s see what’s different in the 100 Mbps screens. Open C:\202GUI\100mbfile.caz to the Decode window.

a. Click the Statistics tab. What is the line speed?

100 Mbps

b. What is the Delta time of frame 108, one of the shortest delta times?

0.000.161 = 161 microseconds, a good improvement.

3. Finally, we’ll look at some Gigabit data. Open C:\202GUI\GB.cap to the Decode window.

Instructor note: There are CRC errors and Code Violations (CV) errors in this trace. The help screens give this definition: Gigabit Ethernet uses the 8B/10B transmission code to map signals into 10-bit code groups. 8B/10B coding provides a set of 2^10 possible code groups. A given 10-bit code group can be categorized as either legal, showing a positive running disparity error, showing a negative running disparity error, or as an illegal code group. The Sniffer Pro reports a code violation when it sees a code group that is either illegal or that has a running disparity error as compared to the previous code group. The students will look at the help screen in the Gigabit section exercise.

a. Click the Statistics tab. What is the line speed shown?

1000 Mbps


b. In the Decode view, what is the Delta time of frame 16, one of the shortest delta times in this trace? (Expand the width of the Delta Time column to see the entire value.)

0.000.000.012 = 12 nanoseconds!

c. Note that an extra 3-digit column has been added to the Delta and Relative time columns to compensate for this faster speed. It can measure down to 32 nanoseconds.

d. What is different about the Status column?

It shows [A] and [B] to indicate which channel captured the frame. The Fast Ethernet Full Duplex pod captures show the [A] and [B] indicators, too.

4. This has been just a short comparison of what you see in the Sniffer windows. We hope it points out that once you learn how to use the Sniffer for one speed, you can apply those same techniques to looking at the other speeds. In the next sections we’ll give you more specific information on how to look in different areas to help you analyze your traffic.

5. Close all the open windows. Do not go on until instructed.

Exercise Section 3: Cable Specifications

Objectives: Use Output from Sniffer Pro and a network map to:

1) Determine if the fact that the 5-4-3 rule was broken in this network design is the "Cause" of the problem

2) Determine the round trip propagation delay for this network

3) Determine if the collisions are "Legal" or appropriate for this network design

4) Narrow the "Fault Domain" and determine the best place to start troubleshooting this problem

5) Determine if there is a relationship between collisions and a LAN overload symptom

Background: You have been called in to investigate problems on an Ethernet network that was designed by someone else. As far as you can tell, the network looks like the drawing below.

Student note: Note that the picture is not complete. For example, there probably were other stations on the thin Ethernet. The Sniffer analyzer was connected somewhere near the end of the thin Ethernet. We don't know exactly what was on the other side of the bridge shown on the left.

Originally the Sniffer analyzer was placed at the end of the topology and saw no errors. In the actual trace, the Sniffer analyzer was traded with Node 3 and saw errors. Node 3 was moved to the end of the topology and worked without incident. Client addresses and the Server COFFEE.1 all exist off of Hub 1.

Instructor Note: Questions in step 13 have been changed to reflect the actual forwarding delay of 15 bits on the Gandolf hubs. Please review them and be ready for new numbers! Questions 14 and 15 have also been reworded with new assumptions.

1. Configure the Alarm settings.

a. Select Tools > Expert Options > Alarms tab.

b. Click on the + next to Global to expand it.

c. Under the LAN overload entry, notice the value of 50 (percent) as the threshold for LAN Overload.

[Network diagram. Labels: Node 1 (WstDig178C41); Node 2 (WstDig96EC2C); Node 3; Bridge; File Server COFFEE.1 (WstDigFF965F); Hub1, Hub2, Hub3, Hub3, Hub3, Hub3; 50 meters; ?? Coax; Thin Ethernet RG 58 coax; Sniffer.]

d. Click in the Lan Load field and change the value to 30 so we will be alerted when the lower threshold is exceeded.

e. Click on the Apply button. Click OK to exit the Alarms.

f. When you change these settings for your own Sniffer, adjust the Dashboard settings, too, so it will reflect the same thresholds.

g. Open the Dashboard, click the Set Thresholds… button. Change the Utilization(%) High Threshold setting to 30. Click OK and note the red area on the Utilization dial now starts at 30%. (This will have no effect unless we generate some traffic for the Dashboard to monitor.) Close the Dashboard.

2. Open the file C:\202GUI\HUB6ARC.caz.

3. Click on Global Symptoms.

What are the symptoms?

LAN overload and Bad CRC

4. Let's take a closer look at these errors.

a. Click on the Objects tab on the upper right. (Drag the separator bar to the bottom if the tab is not visible on the right.) Specific information about the condition should now appear.

b. Click the icon to see the Expert Explain on the LAN Overload symptom. Read the explanation of the problem and possible remedies. Close the Help window when done.

c. What is the First Time for the LAN Overload symptom?

16:36:56.765 (or 4:36:56:765 PM as it will show later)

d. What is the Duration of the symptom?

1s 436 ms (1.436 seconds) (4:36:56:765 + 1:436 = 4:37:492:765 PM end time)

e. What was the value recorded for Maximum and Average LAN Overloads?

35% Maximum, 11% Average

f. Record the stations involved.

4 stations: WstDig0A065A, WstDigFF965F, Gandlf100738, and WstDig178C41

g. Click the F7 key and observe the similar information on the Bad CRC symptom.

5. Click on the Summary tab to return to the Expert Overview window.

What are the symptoms at the DLC layer? What stations are involved?

Runt frames (2 stations: WstDigFF965F and Gandlf100738)

What are the diagnoses at the DLC layer? What stations are involved?

High rate of physical errors (3 stations: WstDigFF965F, WstDig96EC2C and WstDig178C41)

Are any of the stations involved in the LAN Overload condition also reporting errors at the DLC layer?

Yes, 2 out of 4 were involved in the DLC Diagnosis (WstDigFF965F and WstDig178C41 sent bad frames); 2 out of 4 were involved in the DLC Symptoms (WstDigFF965F and Gandlf100738 sent or received Runt frames).

6. Press the Decode tab to display the data. Enable Relative time if the column is not visible. What is the total time of this capture?

Only 11.201 seconds

7. In the next few steps we are going to try to determine what, if any, correlation exists between the LAN Overload condition and the bad frames. This is a common approach used by analysts when troubleshooting.

The questions one might ask are:

Are the bad frames the result of excessive collisions that will occur whenever utilization on an Ethernet network starts to reach a critical state?

If so, with the topology involved, at what maximum point within a frame could one expect damage to occur?

In this example, one simple way to begin to rule out a correlation is to look for bad frames occurring at times when no LAN overload condition exists.

8. Referring to the time you recorded earlier for the start and duration of the LAN Overload, let's use a filter to display only bad frames.

a. Select Display > Define Filter > Profiles > New. Name it allbadframes. Click OK and Done…

b. Select the Advanced tab.

c. Disable Packet Type Normal, which will leave only problem frames enabled. Click OK.

d. Select the allbadframes display filter. Display > Select Filter > allbadframes > OK. A new Filtered x window should open with 2503 frames.

9. Zoom in (F4) on the Summary window. We’re going to examine the Status column.

a. Enable the Summary Display Optional Fields, Status, Absolute Time and Bytes (Len) by clicking on Display > Display Setup > Summary Display > Optional Fields. Click OK.

b. What types of errors do you observe?

Lots of Alignments and Runts, 21 Collisions, 1 Fragment, and 11 CRCs

10. Scroll over to the far right-hand column and scan through the Absolute Time values.

a. Did most of the bad frames happen during the LAN Overload?

The bad frames were happening before the LAN Overload, during the LAN Overload, and after the LAN Overload. (Expert shows military time, decode shows AM, PM)

b. In your judgement, are the bad frames the result of the LAN Overload condition?

The error frames are not just due to the network being busy.

c. If not, what else could be a cause of the bad frames?

The errors could be caused by signal reflections, noise, hardware problems, propagation delay, etc. At this point we don’t know enough to isolate the problem.

11. Scan through the LEN (Bytes) column values. The Sniffer stops capturing a frame when a collision causes the bits to no longer be recognizable.

With a network only 50 meters in length, would you expect to see collisions occurring so far into the Ethernet frames?

No

12. We're now going to determine how far into the frames collision damage is occurring. To do that, you will need to define and select a new display filter.

a. Display > Define Filter...

b. Create a New Profile called Collisions (copy the Default profile).

c. OK > Done.

d. Select the Advanced tab.

e. In the Packet Type text window, clear all of the boxes except for the Collision box.

f. Click OK to save the filter.

g. Display > Select Filter... When you select the Collisions filter, you should see a new Filtered x window appear with 21 frames.

h. Zoom into the Summary window and observe the LEN (bytes) column.

What is the largest collision frame recorded?

11 bytes

13. With a network of six repeaters in series and a total cable distance of fifty meters between end stations in the collision domain, do the collision frame sizes seem appropriate?

(Hint: each of these hubs adds about 15 bit times of latency to the network. Also, in 10BaseT each bit is 17.7 meters long.)

To determine the answer to this question, let's calculate the round trip delay: (use the Windows calculator if you like)

a. Cable latency in bit times = total distance / length of bit:

50 / 17.7 = 2.82 bits

b. Total Hub Latency in bit times = latency of each hub * number of hubs:

15 * 6 = 90 bits (/ 8 = 11.25 bytes)

c. Total Delay = cable latency + total hub latency:

2.8 + 90 = ~93 bits ( / 8 = 11.6 bytes)

d. Round trip latency = Total Delay * 2:

93 * 2 = 186 bits (23.2 bytes)

e. Subtract preamble (preamble is on the wire only):

186 bits – 64 bits = 122 bits (15 bytes)

f. Subtract CRC (CRC is on the wire only):

122 bits – 32 bits = 90 bits (11 bytes)

g. Total number of bytes displayed in the Sniffer:

90 bits/8 = approx. 11.25 bytes or > 11

h. Compare your calculations to what you’re seeing on the Sniffer Pro analyzer. Does your worst case calculation concur?

The collisions (maximum of 11 Bytes) are “Legal” (appropriate) for this network design. These collisions are also within 64 bytes, which is an IEEE "LEGAL" collision.

14. Was the fact that the network broke the 5-4-3 rule the reason the collision is occurring so far into the frame?

No, the network is only 50m or “3 bits” in length. The accumulated propagation delay of the 6 hubs is what caused the collision to occur so far into the frame.

15. Will extending the length of each of the hub lengths to their maximum of 100m cause “late collisions” that occur beyond the 64th byte mark in the frame?

Potentially yes.

16. In the next few steps, we are going to look at a conversation in the original trace file and attempt to isolate the location of the problem on this LAN. Note that on the network diagram, the Sniffer Pro is behind the suspect cable. Sniffer Pro will therefore see “error” frames from this conversation that really do not exist due to the intermittent cable problem.

a. Select the Expert tab to return to the main file.

b. Click on the DLC Objects column.

c. Click on the WstDig96EC2C address in the Summary view to select it.

d. Click on the Display Filter icon to filter on this node, a new Filtered x window appears.

e. What are the errors noted in the Status column?

Mostly Alignment and a few Runt errors.

f. Notice that throughout the conversation between these two nodes, not one frame is re-sent – even the runt frames!

g. Is this conversation operating normally?

It must be.

h. Apply your filter for Collision frames. Are there any collisions in the conversation between these two nodes?

No

i. There are Runt frames in the trace file between these two nodes. What are they if not the results of a collision? To find out, define a new filter for Runt frames only and select it.

j. How long are the frames?

All 56 bytes – could be an indication of a “partial reflection” but it is more like a standing wave that can run the entire length of the cable after the node has finished sending. True reflections occur BEFORE the 32nd byte in a frame. There are no AAs or 55s in the frames, either, indicating it was a local collision on a coax segment.

17. Based on the errors reported in the Sniffer, is the conversation working correctly?

No – (at the Sniffer end of the network).

18. Where is the "Fault Domain" and what is causing this problem?

The conversation is working correctly between the workstation and the server -- so something is damaging the frames between the workstation and the Sniffer.

19. If you could physically inspect the cabling in the Fault Domain, you would notice a piece of ARCnet cable (RG62) connecting a machine to the Thinnet (RG58) segment.

Could replacing bad cable correct physical layer errors?

Yes!

20. Close the trace file window.

21. Stop here. Do not proceed to the next exercise.
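The round trip calculation from step 13 of this exercise, written out as an added example (it is not part of the course material). It uses only the constants given in the hint and in steps 13e and 13f, carries values unrounded so the intermediate figures differ slightly from the rounded ones above, and then labels collision fragment lengths against the predicted depth. The sample lengths and the label names are constructed for illustration.

```python
BIT_LENGTH_M = 17.7       # metres of cable per bit time (hint in step 13)
PREAMBLE_BITS = 64        # on the wire only, not shown by the analyzer (13e)
CRC_BITS = 32             # on the wire only (13f)
LEGAL_LIMIT_BYTES = 64    # collisions within 64 bytes are "legal"


def round_trip_budget(cable_m, hubs, hub_latency_bits):
    """Return every intermediate value of the step 13 calculation."""
    cable_bits = cable_m / BIT_LENGTH_M                 # 13a
    hub_bits = hubs * hub_latency_bits                  # 13b
    one_way_bits = cable_bits + hub_bits                # 13c
    round_trip_bits = 2 * one_way_bits                  # 13d
    visible_bits = max(round_trip_bits - PREAMBLE_BITS - CRC_BITS, 0.0)
    return {
        "cable_bits": cable_bits,
        "hub_bits": hub_bits,
        "one_way_bits": one_way_bits,
        "round_trip_bits": round_trip_bits,
        "visible_bits": visible_bits,
        "visible_bytes": visible_bits / 8,              # 13g
    }


def assess_collisions(lengths, budget):
    """Label each collision fragment length (bytes, as in the LEN column)."""
    predicted = int(budget["visible_bytes"])   # whole bytes the decode can show
    verdicts = []
    for length in lengths:
        if length > LEGAL_LIMIT_BYTES:
            verdict = "late"                     # beyond the 64th byte
        elif length > predicted:
            verdict = "deeper than predicted"    # legal, but not explained by delay
        else:
            verdict = "expected"                 # explained by propagation delay
        verdicts.append((length, verdict))
    return verdicts


# Constructed sample: a few fragment lengths, with 11 as the largest (step 12h),
# plus two hypothetical values that exercise the other labels.
CONSTRUCTED_LENGTHS = [4, 7, 9, 11, 12, 86]

if __name__ == "__main__":
    budget = round_trip_budget(cable_m=50, hubs=6, hub_latency_bits=15)
    for name, value in budget.items():
        print(f"{name:16s} {value:8.2f}")
    for length, verdict in assess_collisions(CONSTRUCTED_LENGTHS, budget):
        print(f"{length:3d} bytes  {verdict}")
```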

Exercise Section 4: Hubports

Objective: Use two related trace files to isolate the cause of physical errors on a 10BASE-T network. Evaluate traces taken by the DOS Sniffer with Sniffer Pro.

Background: A user on a 10BASE-T network was experiencing intermittent problems. Other users appeared to be working fine. Two DOS Sniffer analyzers were used to take "simultaneous" traces. One trace (Hubport2) was taken at the user's work area by disconnecting the drop cable at the back of the workstation and attaching it to the Sniffer's RJ-45 port. The second trace (Hubport1) was taken at the 10BASE-T hub that served the user's work area. (See the diagram below.)

We are going to show you how you can use a single Sniffer Pro to perform analysis and comparison on two trace files.

Fact One: The user's PC was replaced by a Sniffer analyzer.

Fact Two: Another Sniffer analyzer is plugged into a known good port. Both Sniffer analyzers were capturing simultaneously.

1. Evaluate the network diagram then proceed.

2. Think about different ways to approach isolating the source of the problem. What have you come up with?

3. Use the Display menu > Display Setup..., disable the Expert tab.

4. Open the files C:\202GUI\Hubport1.cap and Hubport2.cap.

5. Use Window > Tile to display both files simultaneously and do a frame to frame comparison.

(Use the Ctrl-Tab keys to switch between the windows.)

6. How many frames are in the file Hubport1.cap? 71

Hubport2.cap? 75

7. These two trace files start at different frames because the captures could not be started at exactly the same time. You will need to "align" the two trace files to start at the same frame.

[Network diagram: 10BaseT Hub. Hubport 1: Sniffer on known good port. Hubport 2: Sniffer on suspect port. NetWare client: Novell~FAA. NetWare File Server: 3Com~704. NetWare Client: 3Com~F91.]

Think about different ways to approach aligning the two trace files to start at the same packet before continuing with the lab.

8. We're going to align the two trace files by examining the first frame in Hubport1.cap for a unique string of data and then search for that string in Hubport2.cap.

a. In frame 1 of Hubport1.cap, notice the NCP read command ("Read 512 at 2812416").The offset value (2812416) is the unique string we will use to align these trace files.

b. Ctrl-Tab to Hubport2.cap > click on frame 1 in the Summary window.

c. Use the Find Frame feature to find the first frame that matches this string:

- Right Click in the Summary window > Select Find Frame

- Choose Text tab

- Input the value of the offset (2812416)

- Search from = Summary text

- Search Direction = Down

d. Click OK.

9. What is the frame number in Hubport2.cap that matches Frame 1 of Hubport1.cap?

Frame 5

If the "found frame" in Hubport2.cap matches the first frame in Hubport1.cap, can we assume that the rest of the trace will match as well?

If they were both set to capture without a filter, yes.

10. Since we have found a frame in Hubport2.cap that matches Frame 1 in Hubport1.cap, we should be able to select all of the rest of the frames as well. If we select these frames as a group, we should have a file that matches Hubport1.cap exactly. Let's give it a try:

a. Right Click in the Summary window of Hubport2.cap.

b. Click Select Range.

c. Choose Range, From = 5, To = 75.

d. Click Select.

Note: The boxes to the far left of frames 5 to the end of the trace should contain an X.

e. Right Click in the Summary view.

f. Click Save Selected.

A new window titled Snif(n) should appear (The “n” represents a number). The new window should have 71 frames and be aligned frame for frame with Hubport1.cap. We don’t need the Hubport2.cap file any longer so close it now.

11. Do a quick comparison of the first few frames to verify that the traces are aligned.

12. Choose Window menu > Tile so we can see parts of both windows.

13. The next thing we need to do is quickly search through each of the trace files to locate any bad Ethernet frames. We'll use the Find Frame feature again:

a. Highlight the Snif(n) window, select Alt-F3 (the Find Frame window should pop up). Choose the Status tab and select all frame error boxes under Trigger, then select OK.

b. Were any bad frames located? If so, write down the frame number(s) here:

Yes – Frame 40

c. Repeat the search until there are no other error frames.

14. Repeat the search process with the Hubport1.cap window.

a. Were any bad frames located here?

No

b. What could account for the differences in the traces?

One trace was captured from a known good port on the hub, the other was taken from a suspect port.

15. While looking at the Hubport1.cap Summary view, use Display > Go to Frame, to go to the frame number of the bad frame from the Snif(n) window (recorded in Step 13).

Compare the two frames in each of the windows. Have you gotten closer to isolating the problem?

You should be able to see that the frame is damaged in one trace and is not in the other. Think about the situation that might cause this to happen.

You may think the problem in frame 40 of HUBPORT2.cap was caused by a collision. But if it were a collision, HUBPORT1.cap would have seen a damaged frame also. In addition, if a collision had occurred, the NetWare client would have retransmitted the data. But in HUBPORT1.cap, we can see that the client and the server seem to think there was nothing wrong with frame 40. It seems that only the Sniffer analyzer on hubport 2 saw a problem. In fact, that was the case: the port was bad. The hub took a good frame off the backplane and output a bad frame at the bad port only.

16. Use Display > Display Setup and Enable the Expert tab on the General window and close all open windows without saving.

17. Stop here. Do not proceed to the next exercise.
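The align-and-compare procedure of this exercise (steps 8 to 15), as an added example that is not part of the course material. The two traces are constructed in code to have the same shape as the exercise (71 and 75 frames, anchor string 2812416, one frame damaged at the suspect port); they are not the contents of Hubport1.cap or Hubport2.cap, and the Frame type and function names are hypothetical.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    summary: str   # decoded summary text
    status: str    # "" when the analyzer flagged nothing, else an error name
    data: bytes    # captured bytes


def build_constructed_traces():
    """Constructed stand-ins: a 71-frame reference and a 75-frame second trace."""
    reference = []
    for i in range(71):
        summary = f"NCP C Read 512 at {2812416 + 512 * i}"
        reference.append(Frame(summary, "", summary.encode() + bytes(32)))
    # Four frames only the second analyzer saw, because it started earlier.
    lead = [Frame(f"NCP C Read 512 at {2812416 - 512 * k}", "", b"lead%d" % k)
            for k in range(4, 0, -1)]
    other = lead + list(reference)
    # Damage what will become aligned frame 40, at the second capture point only.
    victim = other[4 + 39]
    other[4 + 39] = Frame(victim.summary, "CRC", victim.data[:20] + b"\xff" * 8)
    return reference, other


def find_frame(trace, needle):
    """Return the 1-based number of the first frame whose summary has needle."""
    for number, frame in enumerate(trace, 1):
        if needle in frame.summary:
            return number
    return None


def align(reference, other, needle):
    """Trim `other` so it starts at the frame matching reference frame 1."""
    if needle not in reference[0].summary:
        raise ValueError("needle must be taken from frame 1 of the reference")
    start = find_frame(other, needle)
    if start is None:
        raise ValueError("anchor frame not found; the traces do not overlap")
    return start, other[start - 1:]


def compare(reference, aligned):
    """List (frame number, reference status, other status) where frames differ."""
    diffs = []
    for number, (ref, oth) in enumerate(zip(reference, aligned), 1):
        if ref.data != oth.data or ref.status != oth.status:
            diffs.append((number, ref.status or "ok", oth.status or "ok"))
    return diffs


def was_retransmitted(reference, number):
    """True if the reference trace carries the same frame again later."""
    target = reference[number - 1].data
    return any(frame.data == target for frame in reference[number:])


def localize(reference, aligned):
    """Apply the reasoning of step 15 to every differing frame."""
    findings = []
    for number, ref_status, _ in compare(reference, aligned):
        if ref_status == "ok" and not was_retransmitted(reference, number):
            findings.append((number, "damaged at second capture point only"))
        else:
            findings.append((number, "damaged on the shared segment"))
    return findings


if __name__ == "__main__":
    ref, other = build_constructed_traces()
    start, aligned = align(ref, other, "2812416")
    print("anchor found at frame", start, "- aligned length", len(aligned))
    print(localize(ref, aligned))
```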

Exercise Section 4: More Problems

Objective: Evaluate and describe the traffic from a network that was experiencing problems.

1. Open the file C:\202GUI\BADCABLE.cap. What are the Expert diagnosis and symptoms at the DLC layer? How many are there?

1 diagnosis - High rate of physical errors, 18 symptoms - Runt frame, DLC source address multicast and DLC source address broadcast.

View the Decode window. How many frames are there in this trace?

The total number of frames is 79

2. Select the allbadframes display filter to show only error frames.

a. How many damaged frames are there in the Filtered x window?

56 frames

b. Based on the number of Runt, Alignment and Bad CRC frames, do you think there's a problem?

Absolutely! 56 out of 79 frames in error is a 71% error rate. We'll discuss later some of the “rules of thumb” for excessive damaged frames.

3. Scroll right in the Summary panel.

What is the range of the size (in bytes) of the damaged frames?

2 ~ 566 bytes

4. Evaluate the Delta times between some of the damaged frames.

Is there any consistency to the delta times?

No, it varies between .0001 and 1.9 seconds.

5. Look in the Hex window for evidence of hardware-related problems.

Do you think this is a hardware-related problem? How would you describe the damaged frames?

Yes. Many of the longer damaged frames include more than 8 bytes of FFs.

6. What would you do next to fix this problem?

Consider using the binary search method to isolate the problem and identify where the damage is occurring.

The problem here is that someone put his own plugs on UTP and incorrectly connected the wire pairs so there was no Common Mode Rejection of noise. It might as well have been flat satin wire. The FFFFs show that noise was affecting the traffic and changing the 0 bits to 1s. Unfortunately, noise is not always so obvious and does not always leave the telltale FFFFs.

7. Close the window.

8. Stop here. Do not proceed to the next exercise.

Exercise Section 4: Test Your Skill

Objective: To evaluate several different types of frame corruption.

Hint: Consider using the Sniffer Pro Ethernet Error Analysis table located before the exercise slides in your student guide.

1. Configure the Display options to show DLC addresses in the Summary view

Display > Display Setup > Summary Display tab > disable Show Network Addresses

2. For each of the following files, write down the characteristics of the damaged frames (length, any pattern present at the end of the frame, whether frame appears to be repeated, etc.) and assess the probable type of frame corruption demonstrated in the trace. Assume that the trace shows a representative sample of the error. Close each window when you’ve answered the questions. Choose between:

• Normal collisions
• Propagation delay
• Reflected signals
• Electrical noise
• Hardware problems

a. C:\202GUI\01.cap

Sniffer Pro shows collision indication in the Status column. The Hex window shows that the bad frame, Frame 2, is perfectly truncated at Byte 12, indicating that this trace was taken from coaxial-based media. Frame 3 is most likely a retransmission of Frame 2.

Probable cause: Legal local coax collision. This trace came from a pulp and paper mill where the thick and thinnet cables were occasionally run over by forklifts carrying a large roll of paper. The steel pipe that was embedded in the grooved concrete floor (it carried the coax) had become crushed over time. The problem always surfaced for a moment whenever the forklifts ran over the crushed pipe containing the coax cable.

b. C:\202GUI\05.cap

(Note: For a detailed review of this trace file, please consult the document "trace file addendum" located at the back of this manual.)

Legal and late collisions caused by a faulty (crushed) cable. Sniffer Pro shows frames with collision indication in the Status column. Also, the Summary window indicates that the collision on frames 4 and 6 occurred after 64 bytes. This is accurate, but on these larger size frames it is difficult to tell if the frames have been truncated because Sniffer Pro does not decode past the DLC layer. So we can't tell (from layer 3 info) how big the frame was supposed to be unless we manually draw out the layer 3 details. (Protocol forcing does not give us an option for the DECnet DRP protocol, only LAT.)

c. C:\202GUI\06.cap

Sniffer Pro shows frames with collision indication in the Status column.

All are small 24 byte frames. Contains DLC addresses, no pattern at end of frame.

Probable cause: If this were truly representative of the traffic, it's probably signal reflection.

d. C:\202GUI\16.cap

Variable but small-sized frames. All have 11-12 bytes of 55s, representing hub/repeater jam, appended to 43 bytes of data.

Probable cause: repeated collisions on a remote 10BASE-T network. They look like reflections but cannot be. Remember, the majority of the signal moves towards the termination and will not be reflected back. That means that in a full-size 32-byte network, the collision can never be more than one-half the network – that’s 16 bytes from the center to the unterminated end and 16 bytes back towards the sender headed towards the termination. That’s 32 bytes total.

This is just a “lucky break”. The frames were selected to create the individual trace to ensure the students learned to identify this pattern as hub jam, not reflection. It is strictly coincidental that the collision occurs 55 bytes into the frame.

e. C:\202GUI\17.cap

Sniffer Pro indicates that frames 5 through 8 are damaged by collisions. Frame 7 and frame 8 are late collisions, as indicated in the Summary and Expert views.

Four damaged frames come from same source. Frames 5 and 6 are truncated at byte 42. Frames 7 and 8 are truncated late at byte 86. Frames 7 and 8 are evidence of late collisions combined with signal reflection. There are possibly multiple problems with this network.

Probable cause, in order: Propagation delay, hardware, and signal reflection.

f. C:\202GUI\21.cap. (Be sure to look at frames 124, 178,179 and 321.)

Sniffer Pro reports Alignment and CRC errors in the decode Status column.

The Expert doesn’t report any errors other than the Global CRC errors. This may seem odd with so many problems in this trace. The answer is that the Expert builds the object database from addresses seen in frames without CRC errors. Then, when it sees what it knows is a valid address associated with a problem frame it reports the Symptom/Diagnoses.

Since every frame in this trace has a CRC error, the Expert never builds the object database, never learns the valid addresses and therefore has nothing to associate a Symptom/Diagnoses with even though the addresses here are most likely valid – the Expert would not have learned that.

If you need to demonstrate this, load FRAGS.cap. Select the allbadframes filter. You will have a decode full of Alignment, Fragment and Runt frames. Select a few of one kind and Save Selected. You will notice that Alignment and Fragment frames all have CRC errors and the Expert will not learn about any DLC objects associated with those frames. However, Runt frames do not have a CRC error and the Expert will learn about those DLC objects.

Probable cause: Hardware, a jabbering NIC.

3. Close all open windows.

4. Use Display > Display Setup > Summary Display to reset the Display option to Show Network Addresses.

5. Stop here. Do not proceed to the next exercise.

Exercise Section 4: Errors

Objective: Use filtering options to identify physical errors on an Ethernet Network.

Background: The NFS client pc150 [192.9.200.150] is experiencing problems communicating with the NFS server natco-4 [192.9.200.203]. The client and server are separated by a repeater.

1. Open the file C:\202GUI\FRAGS.cap. Click on the Decode tab and note the frame count. How many frames?

1173

2. Let's investigate how many of the frames in this trace have been damaged in some way. Apply the allbadframes filter to only show the bad frames.

a. How many frames are bad in the Filtered x window?

111

b. Does this seem to be a problem?

111 bad frames in 1173 is more than a 9% error rate. It certainly warrants more of an investigation.

c. Return to the Decode tab to show the original entire trace.

3. Look at the detail of frame 1. This should be part of a conversation between [192.9.200.150] pc150 and [192.9.200.203] natco-4. The subnet mask for these devices is 255.255.255.0. Are they on the same or different subnets?

The same subnet.

4. Let's apply a filter to isolate this conversation.

a. Click on the Matrix tab. Change the view to IP and use Ctrl-click to highlight [192.9.200.203] and [192.9.200.150].

b. Click on the Visual Filter icon to create the filter.

c. How many frames are in this new Filtered x window?

947

5. Now let’s analyze the conversation between these two stations. Right click on the current Filtered x window and choose Create New Filtered Window. This will allow Expert analysis of these frames. The new window should be named FilteredFramesx.cap.

a. Use the search function to find any frames that contain physical errors (or other symptoms):

Display > Find Frame > Expert tab > Any symptom/diagnosis string > Down > OK. Use F3 to repeat the search.

b. When a bad frame occurs, notice who is sending the frame and the C/R sequence. Does the conversation recover after each error?

Yes, for error frames up to Frame 940. Starting with Frame 941 it does not recover.

c. Prior to frame 941, is [192.9.200.203] or [192.9.200.150] always receiving a bad frame?

Both are receiving bad frames. This would rule out a bad NIC card in one of the nodes.

d. Repeat the process to find and analyze all of the error frames in this conversation. How many symptom frames are there?

17 frames have symptoms, some are physical errors, others are NFS problems.

e. Apply the allbadframes filter to this trace to see how many frames contain physical errors. How many frames do we see in the new filtered trace?

11

f. What types of physical errors are found in this display?

Alignment errors

g. Does the number of errors found here seem excessive?

11 errors in 947 frames equals slightly more than 1% errors. This does not seem to be a problem.

h. Use F4 to zoom in the Hex window and look at the damaged frames. What do you notice about the damage?

4 of the frames show 5555s. All frames are damaged beyond 64 bytes.

6. Can we draw any conclusions?

5555s are evidence of hardware problems or collisions. If they are collisions, they all extend beyond 64 bytes and would be late or illegal collisions indicating a possible out of spec network or propagation delay.

7. Press the Decode tab to return to the FilteredFramesx.cap display window with 947 frames. GoTo Frame 943 and evaluate the conversation.

a. Does the conversation seem to continue normally at this point?

No, we see PC150 sending messages but Natco-4 never responds. The conversation always recovered prior to frame 943.

b. What is the delta time between frames 941 and 943?

206.953.080 seconds!

c. What could cause this type of delay?

A number of problems or changes in the physical network could cause the network to go down for this amount of time (over 3 minutes!), all of them caused by human intervention.

8. Based on what we know now, draw a diagram of this network including the cabling, PC150 and Natco-4, the repeater, the Sniffer, and any other devices that you can identify. Use the diagram to try and isolate the problem.

9. Close the windows without saving.

10. Stop here. Do not proceed to the next exercise.

Exercise Section 4: Evaluating Hub Jams

Objectives: Be able to recognize indications of a Hub/Repeater Jam by examining examples taken from a live network.

Procedure: Open these trace files and answer the questions for each:

C:\202GUI\19.cap

C:\202GUI\20.cap

C:\202GUI\BAD03.cap

1. Open and evaluate the Expert information

There are no symptoms or diagnoses in any of these traces.

2. Press the Decode tab to display the frames.

3. What type of frame damage is present?

a. File 19.cap

Shows one Runt frame, 7 bytes in length with all AAAAs.

b. File 20.cap

Shows one Runt, 8 bytes long, all AAAAs.

c. File BAD03.cap

Shows two Runts, each 8 bytes long, with all 5555s.

Instructor Notes: From the Hex view point out the characteristics of a hub jam as seen on the Sniffer analyzer: 5555555s. May also see AAAAAAs. Hubs are repeaters. When they detect a collision off of a port, they will jam and ensure at least 96 bits. The first 62 bits are defined by IEEE to be 10101010...

Presumably the real preamble came from the sender of the frame. A collision occurred. It was followed by the repeater's jam. The repeater jam is 96 bits. When we see 8 bytes of AA or 55, we are seeing the first 64 bits of the jam. The remaining 32 bits are used by the Sniffer Pro analyzer for the CRC check and thus are not visible.

4. Close all open windows.

5. Stop here. Do not proceed to the next exercise.
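The triage applied by eye in the last two exercises (jam-only runts of AA or 55, and 5555 damage that starts beyond 64 bytes) can be written as a small classifier. This is an added example, not part of the course material; the sample frames are constructed, and the 4-byte minimum run and the label names are assumptions.

```python
"""Classify damaged Ethernet frames by jam pattern and damage offset (added example)."""

JAM_VALUES = (0xAA, 0x55)  # the 1010... pattern, seen as AA or 55 depending on bit alignment
SLOT_BYTES = 64            # a legal collision is over within the first 64 bytes
MIN_RUN = 4                # assumption: shorter runs are treated as ordinary payload


def longest_jam_run(frame: bytes):
    """Return (offset, length) of the longest run of identical 0xAA or 0x55 bytes."""
    best_offset, best_len = None, 0
    i = 0
    while i < len(frame):
        if frame[i] not in JAM_VALUES:
            i += 1
            continue
        j = i
        while j < len(frame) and frame[j] == frame[i]:
            j += 1
        if j - i > best_len:
            best_offset, best_len = i, j - i
        i = j
    return best_offset, best_len


def classify(frame: bytes, crc_ok: bool) -> str:
    """Label one captured frame (length excludes the 4 CRC bytes)."""
    if crc_ok and len(frame) >= SLOT_BYTES - 4:
        return "good"
    offset, run = longest_jam_run(frame)
    if frame and run == len(frame) and len(frame) < SLOT_BYTES:
        return "jam-only runt"                      # hub/repeater jam fragment
    if run >= MIN_RUN and offset >= SLOT_BYTES:
        return "late collision or hardware fault"   # damage begins past 64 bytes
    if run >= MIN_RUN:
        return "collision fragment"                 # damage inside the first 64 bytes
    return "other physical error"                   # bad CRC without a jam pattern


# Constructed sample frames (not taken from the course trace files).
PAYLOAD = bytes(range(200))
SAMPLES = [
    ("7 bytes of AA", bytes([0xAA] * 7), False),
    ("8 bytes of 55", bytes([0x55] * 8), False),
    ("55s from offset 100", PAYLOAD[:100] + bytes([0x55] * 20), False),
    ("55s from offset 30", PAYLOAD[:30] + bytes([0x55] * 10), False),
    ("bad CRC, no jam", PAYLOAD, False),
    ("intact frame", PAYLOAD[:60], True),
]


def summarize(samples):
    """Map each sample name to its label."""
    return {name: classify(frame, crc_ok) for name, frame, crc_ok in samples}


if __name__ == "__main__":
    for name, label in summarize(SAMPLES).items():
        print(f"{name:22} -> {label}")
```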

Exercise Section 4: Ethernet Physical Errors (Optional)

Objective: Determine whether apparent frame errors should be counted as part of overall Network statistics.

Background: The parallel tasking feature of many Ethernet cards can throw off baseline statistics unless you know what to look for.

1. Manually create address book entries for the two stations communicating in this trace. Assign the name Server to 161.69.97.200 and Client to 161.69.97.202. Enable Show network address in Display > Display Setup > Summary Display.

2. Open and display the trace file C:\202GUI\BADCRC.cap. Press the Decode tab to display the data.

3. In Frame 1, we see Client (NGC 030B4D) issue an SMB Read command for 32 kb of data, starting at offset 3964928 (00803c00h) for the file handle (F=) 1009.

4. Frames 2 and onwards show Server using NetBIOS to move 1460-byte blocks of data (over a TCP connection) until the TCP window is filled and an acknowledgement is received. (Note that the first block of data is 1456 bytes.)

a. What is unusual about frame 6?

Bad CRC

b. What is the frame length?

978 bytes

c. From the information within the IP header, what size frame did the IP stack on Server indicate that it was sending to the DLC layer for encapsulation?

1500 bytes – a maximum size frame. The Sniffer also notes the frame was retransmitted in frame 13, but the Summary window associates it with frame 14. Frame 13 is the retransmission looking at the hex data and the TCP sequence number.

5. Let's change our display to show only the TCP protocol information:

a. Display > Display Setup… > Summary Display tab.

b. Click on the All button on the bottom to exclude all protocols, then press T repeatedly until you find Transmission Control Protocol. Uncheck the box for it, then click on OK.

c. You should now see only the TCP layer displayed.

d. Lastly, adjust the width of the Summary column in the main display to allow the ACK, SEQ, LEN and WIN values to be displayed.

(Instructor Note: Note that the column will retain this length for all future trace files until you change it again, or until you delete the Sniffer.INI file in your operating system's configuration files directory.)

6. Examine the LEN= value in the Summary view for Frame 6. What is the value? 924 bytes

a. Look at the Len(Bytes) column in the Summary window. How many bytes are there in the frame? 978 bytes

b. What is the IP total length? 1500 (Sniffer is showing the actual length of the data in the Summary panel line rather than what was originally sent.)

7. What is the delta time between Frames 7 and 8? 323.6 milliseconds.

a. Does this appear consistent with the times for previous exchanges of data between these two stations? No, it is much longer.

b. Frame 8 is a retransmission of which previous frame?

Frame 2, from the sequence number 60142096. (If you go back to frame 2, the Sniffer tells you it was retransmitted in frame 8.)

c. Why is the Server retransmitting frames?

It did not receive an ACK from Client before the retransmit timer expired.

8. Look for the retransmitted frame that has the same SEQ number as frame 6 (the bad frame).

In which frame did you find it?

Frame 13 (The first line of the TCP header in frame 6 points us to frame 13)

9. To confirm that the communication continues normally, compare Client's next SMB Read in Frame 38 with that of Frame 1. Is the Read 32KB further into file 1009? Look in the SMB detail of this frame at “Starting offset.”

Yes, the next read is 32KB further into the file, 3997696.

10. We have just seen a scenario where a corrupted Ethernet frame causes the upper layer protocol to time out and retransmit. Now, let's examine a scenario where things do not proceed as we expect.

11. Close the trace file, in preparation to load a new one. Also, return to the Display Setup > Summary Display tab, and click on the None button to clear all the protocol filters. Click OK.

12. Click on the Address Book icon on the main toolbar. Change the Server's address to 206.116.6.132, and the Client's address to 206.116.6.135.

When you have edited both stations, close the address book.

13. Open the trace file C:\202GUI\BADCRC-1.cap and click on the Decode tab to display the frames.

14. In Frame 1 Client opens the file PRO40A1.TMP. In Frame 3 it issues a command to the server of Write Block Raw 65520 bytes at offset 0 of the file. Then Client starts sending the data using NetBIOS in frames 4 and 5. Frame 6 is a TCP Ack to frames 4 and 5.

15. Frame 7 shows Server's response to Client's write request in frame 3. Look in the SMB Write Raw Data header. It indicates Server is ready to write the data Client will send. The Bytes actually written shows 0, the bytes remaining to be read is 65535 (actually a little more than the client said it would send.) Evidently it has not read the NetBIOS data sent in frames 4 and 5 yet.

16. In Frame 8 we see Client use NetBIOS to write another 1456 bytes of data.

17. Examine the Status and LENgth columns in the Summary view along with the Detail window of Frame 9.

a. What kind of error does SnifferPro post against the frame? CRC error

b. What is the frame length? 516 bytes

c. What type of problem do we normally associate with this type of frame corruption?

Electrical noise

18. Now examine Frame 10. With the exception of the actual frame length, do Frames 9 and 10 appear to be the same? To be sure, compare the unique IP Identification fields, IP Length fields, the unique TCP Sequence numbers and Hex ASCII data patterns.

Both Frames 9 and 10 are identical: same IP Identification fields (14342, incremented by at least one for each frame sent), same IP Length fields of 1500 (although the first frame contains considerably less than 1500 bytes), and same TCP Sequence numbers (60550401). Even the TCP Checksum fields are the same, although the first frame contains less data than the second frame, which means the Checksum must be different as Sniffer analyzer points out (8722). The Hex data matches to the point of corruption.

19. When a frame is damaged in transit that is not the result of a legal collision, the receiver will request the SMB Write again. Does this occur?

No, Server does not request the write again in Frame 73. In fact, the client continues onward, with Server's permission, in writing the next 64KB of data in Frame 75.

20. Now examine the Delta time between Frames 9 and 10.

a. How much time elapses between when Expert Sniffer Analyzer sees the beginning of Frame 9 and when it sees the beginning of Frame 10?

1.6 ms elapses between Frames 9 and 10.

b. How is it possible that Client knew it had sent an undersized and error frame and compensated by retransmitting it immediately?

Normally, it is impossible for a sender to know it transmitted a bad frame or that its frame became damaged in transit and, subsequently, retransmit it immediately. Normally, the receiver's transport layer protocol makes the decision to have the original frame retransmitted properly, which may include repeating the entire write process of all 64KB as we saw in the earlier example.

c. After reviewing a typical retransmission as in the earlier trace file, doesn't this seem more like "magic" than a protocol with a structured retransmission mechanism at work?

Yes, this does defy convention and seems more like magic than normal communication.

21. Use F8 repeatedly to advance to Frame 17. Use the same method to compare Frames 17 and 19. Does the earlier situation repeat itself or is this a different problem?

The situation repeats itself in Frames 17 & 19.

22. There is a general performance guideline for baselining that suggests a network segment should have no more than one CRC error per MB of data seen "on the wire."

Do the cumulative physical errors exceed this guideline?

There are 2 physical errors, specifically CRC errors, for 153,902 bytes seen “on the wire”. If 1 CRC error for 1MB of data = 100%, then 2 CRC errors for 154KB = 1,300%. This exceeds the guideline substantially!

23. It may be difficult for us to speculate as to what is causing the CRC-error frames to be retransmitted so quickly in the second trace file. In reality, it is the implementation of a relatively new performance feature called “early transmit”. The frame is copied from the PC's memory buffer directly to the network, instead of going through the NIC's memory buffer first. Unfortunately, the PC in this trace file couldn't provide the data fast enough to the NIC card, which was creating and transmitting the frame simultaneously. Subsequently, the first frame was undersized and aborted. Fortunately, the entire frame was ready for transmittal the second time, in both instances.

There are actually two scenarios that can cause this kind of problem. One scenario involves incompatibilities between PCI-based personal computers and PCI-based Ethernet NICs. Another scenario involves “early transmit.” This trace file deals with “early transmit” of newer high performance NIC cards with “parallel tasking” or “pipelining” features. This trace file came from a client and server using 100 MHz Pentium PCs with 64MB of RAM and 3COM 3C59x PCI-bus based Ethernet NICs. Although the PCs were fast, the NIC was faster. (Note that an operating system and concurrently executing applications can also bog down a fast PC so as to cause the transmit underrun situation.) Periodically, the PC couldn't provide the data for an entire frame before the NIC had sensed the 10BASET network was free and started sending the frame it was creating “on the fly.” The result is a 516 byte frame instead of a 1514 (Sniffer analyzer interprets the last 4 bytes in an Ethernet frame as the CRC and doesn't show them to us). SMC uses an Early Transmit Threshold (ETT) of 64 bytes with an increment of 8 bytes for each transmit underrun situation. It appears as though 3COM uses an ETT of 516B.

24. Close all open windows.

25. Stop here. Do not proceed to the next exercise.
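The comparison made by hand in this exercise (same IP Identification and TCP sequence number, resent within milliseconds) can be automated so that early-transmit underruns are kept out of the CRC baseline. This is an added example, not part of the course material; the frame records are constructed, and the 5 ms window and all field names are assumptions.

```python
"""Separate early-transmit underruns from frames damaged in transit (added example)."""
from dataclasses import dataclass

DLC_HEADER = 14            # Ethernet header bytes in front of the IP datagram
UNDERRUN_WINDOW_MS = 5.0   # assumption: far below any TCP retransmit timer


@dataclass
class Frame:
    num: int
    t_ms: float        # relative time of the frame in milliseconds
    src: str
    length: int        # captured bytes, without the 4-byte CRC
    crc_ok: bool
    ip_id: int
    ip_total_len: int
    tcp_seq: int


def find_underruns(frames):
    """Return (bad_frame, resend_frame) pairs that look like transmit underruns.

    A truncated CRC-error frame counts when the same sender puts a good frame
    with the same IP Identification and TCP sequence number on the wire within
    UNDERRUN_WINDOW_MS. A TCP retransmission normally carries a new
    IP Identification and is sent only after the retransmit timer expires.
    """
    pairs = []
    for i, bad in enumerate(frames):
        truncated = bad.length < bad.ip_total_len + DLC_HEADER
        if bad.crc_ok or not truncated:
            continue
        for nxt in frames[i + 1:]:
            if nxt.t_ms - bad.t_ms > UNDERRUN_WINDOW_MS:
                break
            same = (nxt.src, nxt.ip_id, nxt.tcp_seq) == (bad.src, bad.ip_id, bad.tcp_seq)
            if nxt.crc_ok and same:
                pairs.append((bad.num, nxt.num))
                break
    return pairs


def errors_per_mb(errors: int, bytes_on_wire: int) -> float:
    """CRC errors per MB (10**6 bytes), for the one-error-per-MB guideline."""
    return errors / (bytes_on_wire / 1_000_000)


def baseline_rates(frames):
    """Return (raw, adjusted) CRC errors per MB; adjusted ignores underruns."""
    total = sum(f.length for f in frames)
    bad = {f.num for f in frames if not f.crc_ok}
    underrun = {b for b, _ in find_underruns(frames)}
    return errors_per_mb(len(bad), total), errors_per_mb(len(bad - underrun), total)


# Constructed records. Frame 9/10 values (516 bytes, IP ID 14342, SEQ 60550401,
# 1.6 ms apart, IP length 1500) follow the exercise; everything else is invented.
UNDERRUN_TRACE = [
    Frame(8, 10.0, "Client", 1514, True, 14341, 1500, 60548941),
    Frame(9, 11.5, "Client", 516, False, 14342, 1500, 60550401),
    Frame(10, 13.1, "Client", 1514, True, 14342, 1500, 60550401),
]
# A frame damaged in transit: resent much later as a new datagram.
TRANSIT_TRACE = [
    Frame(6, 4.0, "Server", 978, False, 501, 1500, 60147936),
    Frame(7, 5.2, "Server", 1514, True, 502, 1500, 60149396),
    Frame(13, 650.0, "Server", 1514, True, 509, 1500, 60147936),
]

if __name__ == "__main__":
    print("underrun pairs:", find_underruns(UNDERRUN_TRACE))
    print("transit pairs: ", find_underruns(TRANSIT_TRACE))
    print("guideline multiple for 2 errors in 153,902 bytes:",
          round(errors_per_mb(2, 153_902), 1))
```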

Exercise Section 5: Short Circuited Bridges

Objective: Evaluate the results of an incompatible implementation of Spanning Tree or disabled Spanning Tree.

Background: The network was in its initial stages of development. There were very few actual users connected at this time. New users were being added and the network topology was changing. Not all bridges in use were managed bridges. The few users that were connected were complaining of extremely slow response time and sessions that were disconnecting. There were no problems with the physical layer. The design of the network provided for redundant backup paths. Spanning Tree would prevent the occurrence of network loops.

Instructor Note: This trace file was taken in a lab network. The bridges were buffering and were doing 8:1 compression. The WAN links are true full-duplex.

1. Evaluate the network diagram, then proceed.

2. What should Spanning Tree accomplish in this network?

Spanning tree should disable one of the 192 Kb links.

3. Open the trace file C:\202GUI\SCBRIDGE.caz.

4. Select the DLC Objects. How many station (non-broadcast) addresses are displayed?

Only one (WstDigFD965F).

5. Select the Global Symptoms. Record the two symptoms displayed.

Broadcast / Multicast Storm and LAN overload.

6. Does this seem logical, given the number of devices detected by the Sniffer Pro?

Not really.

7. Press the Decode tab to display the Summary window.

8. What is the range of Delta times for the first 10 frames?

From .076 to .172 milliseconds.

[Network diagram: Sniffer Pro analyzer; Bridge to Bridge over a 192 Kb link; Bridge to Bridge over a second 192 Kb link]

9. Are all the frames the same size?

Yes. They are all 60 bytes.

10. Press the End key to go to the last frame of the trace. How many frames were captured?

12,406.

a. Observe the value in the Relative Time column.

How long did it take for all the frames to be captured by Sniffer Pro?

1.576 seconds.

11. What conclusions do you make?

Either that the adapter is streaming with the same frame or there is a bridging loop in the network. In fact, this is indicative of a bridging loop. All the frames are copies of the same frame endlessly circulating the network. If there had been more stations then you would see two, maybe three stations at the maximum, transmitting.

12. If the speed of the bridged links was 10 Mbps instead of the two 192 Kbps links, what effect do you think it would have on the utilization value?

Nearly 100%.

What would happen to the Delta times?

They would decrease to about half their current range values.

13. Close the window.

14. Stop here. Do not proceed to the next exercise.
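The loop indicators used in this exercise (one frame repeated endlessly, sub-millisecond delta times) can be checked programmatically. This is an added example, not part of the course material; the traces are constructed from the exercise's frame count, size and capture time, and the 90% share and 1 ms thresholds are assumptions.

```python
"""Flag a probable bridging loop from duplicate frames and delta times (added example)."""
from collections import Counter

OVERHEAD_BYTES = 4 + 8 + 12   # CRC + preamble/SFD + inter-frame gap per frame
LOOP_SHARE = 0.9              # assumption: one frame makes up 90% of the trace
LOOP_DELTA_MS = 1.0           # assumption: copies arrive less than 1 ms apart


def loop_report(frames, link_bps=10_000_000):
    """frames: list of (relative_time_seconds, frame_bytes), sorted by time."""
    if len(frames) < 2:
        raise ValueError("need at least two frames")
    duration = frames[-1][0] - frames[0][0]
    if duration <= 0:
        raise ValueError("timestamps must increase")
    counts = Counter(data for _, data in frames)
    _, top_count = counts.most_common(1)[0]
    bits = sum((len(data) + OVERHEAD_BYTES) * 8 for _, data in frames)
    report = {
        "frames": len(frames),
        "distinct_frames": len(counts),
        "top_share": top_count / len(frames),
        "mean_delta_ms": duration / (len(frames) - 1) * 1000,
        "utilization": bits / duration / link_bps,
    }
    report["probable_loop"] = (report["top_share"] >= LOOP_SHARE
                               and report["mean_delta_ms"] < LOOP_DELTA_MS)
    return report


def min_delta_ms(frame_len, link_bps=10_000_000):
    """Shortest possible spacing of back-to-back frames of frame_len bytes."""
    return (frame_len + OVERHEAD_BYTES) * 8 / link_bps * 1000


# Constructed traces. Frame count, size and capture time follow the exercise
# (12,406 frames of 60 bytes in 1.576 s); addresses and payload are invented.
def make_loop_trace(n=12406, seconds=1.576):
    frame = bytes.fromhex("ffffffffffff" "020000fd965f" "0806") + bytes(46)
    return [(i * seconds / (n - 1), frame) for i in range(n)]


def make_busy_trace(n=600, seconds=10.0):
    # A different payload in every frame, as on a busy but loop-free segment.
    head = bytes.fromhex("0200000000a1" "020000000001" "8137")
    return [(i * seconds / (n - 1), head + i.to_bytes(2, "big") + bytes(44))
            for i in range(n)]


if __name__ == "__main__":
    for name, trace in (("loop", make_loop_trace()), ("busy", make_busy_trace())):
        r = loop_report(trace)
        print(f"{name}: share={r['top_share']:.2f} delta={r['mean_delta_ms']:.3f} ms "
              f"util={r['utilization']:.1%} loop={r['probable_loop']}")
    print(f"minimum delta for 60-byte frames at 10 Mbps: {min_delta_ms(60):.4f} ms")
```

On the constructed loop trace the mean delta is about twice the minimum spacing for 60-byte frames on a saturated 10 Mbps segment, which agrees with the answer to step 12.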

Exercise Section 5: Busy Jam

Objective: Determine the cause of continued network slow downs.

Background: The network has been using hubs for some time. NetWare’s Pburst was recently installed to improve the throughput when reading files from and writing files to the file server. Due to the volume of complaints about network response time, a switch was installed to give the file server the equivalent of its own 10 Mbps Ethernet segment. Network performance was not improved.

1. Evaluate the network diagram, then proceed.

2. Open the trace file C:\202GUI\BUSY-JAM.caz.

3. How many DLC addresses does Expert Overview display?

18

Instructor note: the DOS Sniffer showed 13. Sniffer Pro counts all stations receiving valid frames as objects, even if they have not transmitted any frames.

4. Click on the number posted in the Global Symptoms column.

a. What symptom is posted?

LAN overload.

b. How long has this symptom been active?

10.096 seconds

c. Press the Decode tab. Using the value in the Relative Time column at the end of the trace, can you determine if this symptom was occurring throughout the duration of the trace?

Yes, the trace took 10.61 seconds total; Sniffer Pro adds the minimum time that the LAN will remain at overload before resolving itself, if it does.

[Network diagram labels: NetWare Server, 10 Mbps, Switch, Hub, NetWare Clients, Sniffer Pro]

5. Back in the Expert view, double-click on the LAN overload symptom to display more detail related to the problem. (Drag the separator bar to the bottom if you do not see the Objects tab on the top right.)

a. What value is recorded for Maximum LAN Overload?

Maximum was 94%.

b. What value is recorded for Average LAN Overload?

Average was 80%.

c. Click on the for an explanation of this problem.

6. Given the number of DLC addresses identified by the Sniffer analyzer, does it seem logical that we have a switch loop in our network?

Not really. There are too many stations participating for a loop to be the cause.

7. Can we always rely upon the correctness of our network map?

In most networks, no. They should be close, however.

8. Display the data and evaluate the delta times.

Do the Delta times posted by the Sniffer analyzer seem consistent with a switch or bridge loop in our network?

No. They are larger than one would expect to see with a loop. They are not the same frame, either.

9. Frame 1 shows an NCP command to open a file. The destination address of A1.1 is the address of the Novell File Server. If you cannot see the entire client address, adjust the width of both of the address columns until the entire address is visible.

10. Let's take a look at the lower two layers to see what's happening there.

a. Apply our Allbadframes filter (Display > Select Filter)

b. A new Filtered x window with 618 frames should appear.

11. Looking through the frames, do you see signs of physically damaged frames?

8 or 9 bytes of AAAAAs for the destination address and question marks for the source address. Each frame is also 8 or 9 bytes long.

12. What problems do we associate with this pattern of damaged frames?

Signal Reflection and Hub Jams.

13. With the network topology (type of equipment and design) and indicators from the data, what conclusions do you reach?

This is most likely not a Signal Reflection problem. We are using hubs and switches exclusively. These devices reduce the network to a series of point-to-point links with a bus compliance. Each station transmits its data to the hub/switch; the hub/switch either repeats or switches the data to the appropriate port.

The transmit leads from each device are a discrete pair, as are the receive leads.

We are witnessing Hub Jams (either from the hub or the switch).

The real problem is that the server is still on a 10Mbps link. By installing a switch we have done nothing to eliminate the bottleneck in the network (it is now the switch instead of the cable segment that existed earlier).

The switch will also introduce one full frame of latency to all buffered frames. If the server is responding to the client, then the client port must buffer the incoming client frames. This really adds latency to all transactions and is a classic example of poor network design. Switches can be very helpful, provided they are deployed correctly.

14. Close the window.

15. Stop here. Do not proceed to the next exercise.

Exercise Section 5: Switch Traffic (Optional)

Objective: To view several types of frames captured in a switched network. You will look at typical switch-related protocols and the different VLAN tagging encapsulation methods.

Background: The first trace was captured using the Switch Expert control to SPAN a port to the Sniffer port. Several protocols are used in this switched environment: Spanning Tree BPDUs, VTP (Cisco Virtual Trunk Protocol) to maintain the tree of switches, Cisco ISL (Interswitch Link Protocol) encapsulation, CDP (Cisco Discovery Protocol), and DISL (Cisco Dynamic Inter-Switch Link). We are not going to explore the proprietary protocols, but will look at the ISL headers and use the Expert information to learn how to troubleshoot from it. Most of the data has been stripped out of the trace. You can also see the switch’s MIB data when you attach to a switch. Once you get the port mirrored, the captured data looks pretty much like other Sniffer traffic with added VLAN information and switch traffic.

The second and third traces show 802.1Q encapsulation.

1. Open C:\NAI\202GUI\VLANprob.caz. In the Expert windows, answer the following questions.

a. At the Global layer, what protocols are active?

BPDU, Cisco ISL and Cisco VTP

b. What symptoms are listed?

VTP versions different, VLAN not operational, Spanning Tree Topology Change, VLAN removed from Domain

c. How many VLAN objects are there at the Global layer?

40 – from the upper right panel, there are 36 VLANs, 2 domains and 2 segments. Note that some of them are FDDI and Token Ring in addition to the Ethernet VLANs.

d. At the DLC layer, what protocol is shown?

Ether and Token Ring

e. We’ll limit our exploration to the Global layer. It looks like that will provide us a lot of things to learn!

2. The Global layer symptom “Spanning Tree Topology Change” is related to BPDU frames. We’ll start there. The Expert gives us a lot of help in determining what has happened.

3. With all five of the Expert windows open, highlight the symptom associated with VLAN #1, then look at the lower right panel to see the information shown about the BEFORE and AFTER configuration. If we had a good network map, it would be very easy to see how the mesh has changed with this information. It’s a lot better than trying to make sense of the series of frames on our own!

a. What is the Priority ID of the root bridge before and after the change?

b. Before: 0001.0060478F9A00 After: 012c.00100706D000

4. Click the Decode tab. Look at the details of the first BPDU frame. What type of encapsulation is it using? Are all the frames encapsulated?

It is a standard Ethernet frame encapsulated in an ISL header. The Ethernet frame is directed to the multicast address 0180C2000000.

No, all the frames are not encapsulated. Some of the DISL frames have just a DISL header with two parts: one that looks like a version 2 DLC header followed by a “Pseudo LLC/SNAP header” that contains the DISL information. CDP frames are not encapsulated, either. They look like standard LLC/SNAP frames. (In the original unfiltered trace, there were also NSAP frames that were not encapsulated.)

5. Notice that frame 9 has a different “Pri” number from the earlier frames. Look at the BPDU header of frame 9. Compare the BPDU header information with frames 1-8. What is different about the flags in this frame?

It is a topology change frame.

a. Compare the root ID in frame 8 and frame 9. Does this agree with what we saw in the Expert?

No, frame 8 shows the root as 8000.Cisco58F9AFD, frame 9 shows 0001.Cisco58F9A00 as root. These frames are repeated in frames 29 and 30.

6. Since these frames didn’t apply to the information we saw in the Expert, go back to the Expert and highlight the VLAN #1 Spanning Tree Topology Change symptom, then press the Expert’s Display Filter icon.

7. Compare the root identifier in frames 9 and 113. Does this match what we saw in the Expert?

Yes, this is what triggered the symptom. The BPDUs in the trace allowed the Expert to build the BEFORE and AFTER table.

8. Let’s go back to the Expert and look at those VLAN changes we saw.

a. Look at the Global symptoms and highlight the VTP Versions Different symptom. Click on the ? help icon to see what this symptom means. From the lower right panel, what was the last VTP version received? 2

b. What VLAN was removed? 333 We can assume this is related to the VTP version problem. If you look at the VLAN Removed from Domain symptom, you’ll see that it is this same VLAN and the incorrect version shows in these panels.

c. Click on the TNV layer in the Detail Tree in the center bottom panel. What is the VTP version being used? 1

d. What VLANs are in this domain?

1, 225, 226, 1002, 1003, 1004, and 1005

e. Highlight the VTP Versions Different symptom, then click on the Display Filter icon to see the frames associated with this symptom. Find the VTP frames and locate the frame that shows version 2. Which frame shows version 2? Frame 64

What is the updater's IP address? 161.69.225.250 This and the DLC address should make it quite easy to locate the device that needs the upgrade.

If you want to isolate the VTP frames, you’ll need to do a data pattern match filter on the SNAP Type = 203 (VTP) which pastes 20 03 at offset 2E. (There are 12 in the trace.)

f. In the Expert, highlight one of the VLAN Not Operational symptoms and click the ? help button to get some information about what caused this symptom. Note the reason for the non-operational state shown in the lower right window. This information will help you reconfigure the devices so you can bring them up.

# 2 is Undefined, # 10 shows MTU Too Big For Trunk, # 11 shows MTU Too Big For Device, and # 12 shows Suspended.

g. If you want to find the frame(s) that triggered these symptoms, go to the Decode window and right click, then Find Frame. Type MTU too big and click to search in the Detail window and disable match case.

Frame 106 shows all the VLAN that are “Not Operational”.

9. Last, let’s look at some 802.1Q headers. This trace is using ISL, so we’ll close it and look at another trace. Open C:\NAI\202GUI\8021q.cap. This trace is pretty clean, fortunately, so we’ll just look at the frames in the Decode window.

a. Scroll up in the Detail window and look at the 8021Q headers. It’s pretty simple, showing just the 8100 protocol type field that identifies this field as a tag, then the next byte showing the frame priority, tunnel type and the VLAN ID. Remember that the Ethertype field shown in this header actually belongs to the part of the DLC header – the tag is inserted between the source DLC address and the type/length field.

b. Scroll down to one of the 1518 byte frames just to see how the Sniffer labels these maximum size 1518 byte Ethernet frames that have the 4 byte header added. There is no CRC error posted, but you will see a TCP checksum error message.

c. We may see longer frames in the future as the specifications are changed to make Ethernet more efficient at the higher speeds.

10. Close the 8021q.cap trace and open C:\202GUI\8021q-gig.cap trace. This is a trace taken from the trunk between gigabit switches, since we see the VLAN tags in the frames and the telltale full-duplex channel identifiers in the Status column. The Statistics tab shows the link is 1000 Mbps.

11. Check the tag header in the Detail window. Is it like the one we saw from the 100 Mbps link?

Yes

12. There are some frames labeled Oversize in this trace. Evidently the Sniffer allows 1518 byte 802.1Q frames because it knows the tag adds 4 bytes to the maximum size Ethernet frame. Because these are greater than 1518 bytes, it labels them as Oversize.

13. Remember that Sniffer Pro’s switch Expert and Control functions also show the MIB data for switches. MIB data allows you to see the version of the switch’s operating system and statistics for each module, port and VLAN. This is covered in more detail in the TNV-201-DSP and TNV-112-GUI classes.

14. Close all windows. Do not go on to the next exercise.
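The 802.1Q tag layout and the Oversize rule from steps 9 to 12 can be decoded directly from the frame bytes. This is an added example, not part of the course material or of Sniffer Pro; it uses the IEEE 802.1Q layout of a 16-bit tag control field (3-bit priority, 1-bit CFI, 12-bit VLAN ID), and the frames, addresses and VLAN ID 100 are constructed.

```python
"""Decode the 802.1Q tag that sits between the source address and the type field (added example)."""
import struct

TPID_8021Q = 0x8100
MAX_UNTAGGED = 1514   # largest untagged frame without its 4-byte CRC
TAG_LEN = 4           # 2-byte 8100 type field + 2 bytes of tag control information


def parse_frame(frame: bytes) -> dict:
    """Return DLC addresses, tag fields (if present), EtherType and a size label."""
    if len(frame) < 14:
        raise ValueError("shorter than a DLC header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    info = {"dst": frame[0:6].hex(":"), "src": frame[6:12].hex(":"),
            "tagged": False, "payload_offset": 14}
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        # The real type/length field follows the 4-byte tag.
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        info.update(tagged=True, payload_offset=18,
                    priority=tci >> 13,        # top 3 bits
                    cfi=(tci >> 12) & 1,       # 1 bit
                    vlan_id=tci & 0x0FFF)      # low 12 bits
    info["ethertype"] = ethertype
    # A tagged frame may be 4 bytes longer before it counts as oversize.
    limit = MAX_UNTAGGED + (TAG_LEN if info["tagged"] else 0)
    info["size_label"] = "Oversize" if len(frame) > limit else "OK"
    return info


def build_frame(total_len, vlan_id=None, priority=0, ethertype=0x0800):
    """Build a constructed frame of total_len bytes (CRC not included)."""
    header = bytes.fromhex("020000000002" "020000000001")   # invented addresses
    if vlan_id is not None:
        header += struct.pack("!HH", TPID_8021Q, (priority << 13) | vlan_id)
    header += struct.pack("!H", ethertype)
    return header + bytes(total_len - len(header))


if __name__ == "__main__":
    for label, frame in (
        ("tagged, 1518 bytes", build_frame(1518, vlan_id=100, priority=5)),
        ("tagged, 1522 bytes", build_frame(1522, vlan_id=100)),
        ("untagged, 1514 bytes", build_frame(1514)),
        ("untagged, 1518 bytes", build_frame(1518)),
    ):
        print(label, parse_frame(frame))
```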

Exercise Section 6: Fast Ethernet Troubleshooting and Back Pressure

Objective: To review Ethernet troubleshooting techniques using a trace captured from a Fast Ethernet network, then recognize back pressure frames sent by Fast Ethernet switches.

Background: Both trace files were taken from switched Fast Ethernet networks. They have several problems. We'll use the Expert to tell us about them.

1. Open C:\202GUI\100MBFIL.caz.

2. Look at the Expert. What symptoms do you see at the Global layer?

Broadcast/Multicast Storm.

a. How many stations are involved in this?

Thirteen. Several of them are DECnet stations, which tends to be a very “chatty” Protocol.

3. What diagnoses do you see at the DLC layer?

High rate of physical errors.

a. What symptoms do you see at the DLC layer?

Lots of runts and “DLC address is a multicast address” caused by frame corruption in the destination address field. If you highlight a station with this symptom in the upper right window and look at the DLC addresses in the Detail tree, you’ll see that many of them have 5s or As in the address.

4. Look at the Decode window and frame 13. DECnet stations periodically send these “Hello” frames.

a. What is the DLC address for 46.307?

DECnet0033B9 (WISHPB)

b. Highlight that address in the Expert DLC object list and click on the Display Filter icon. A new Filtered x window with 6 frames will open. Enable Relative Time column if not shown. How often is 46.307 sending these “Hello” frames?

Every 14.5 seconds

DECnet nodes multicasting at this rate will contribute to Broadcast/Multicast storms. Based on this, you will want to adjust your Expert Alarm thresholds for broadcast storms to a much higher level to eliminate these Global symptoms.

5. Apply your allbadframes filter to the unfiltered Decode window. How many frames haveerrors?

219.

a. Of the 6059 frames in the original trace, what is the percentage of frames with physicalerrors?

219/6059 = 3.6%. This is outside what is considered normal and should be corrected.

b. Analyze the problem by looking at the hex of the damaged frames. What conclusions can you draw?

Frames are damaged anywhere from 2 to 51 bytes into the frame. AAAAs and 5555s appear in most of the damaged frames. We’d rule out normal collisions because there are far more than 8 bytes of AAAAs and 5555s. It is most likely a hardware problem or backpressure. (We don’t have the story on this trace.) We’d need a network map or the actual network to probe further. Fix the physical problems before moving on to the upper layer problems.

6. Let’s look at a couple of traces with backpressure so you will recognize it. System Engineers gave these traces to us. They were captured from different networks using different hubs. Close the 100mbfil.caz window and open the C:\202GUI\Backpres.cap trace file. This is a filtered trace that shows only bad frames. Normally, backpressure will not have such a catastrophic effect on the network. What data patterns do you see in Decode window?

D0D0D0, 434343 and 343434 patterns.

a. What size range are most of the frames?

12 to 20 bytes (a few are larger). This trace was from Michelle Coomes when she was at 3Com.

7. Now open the C:\202GUI\Backpres2.cap trace file. From the Expert, what symptoms or diagnoses do you see at the DLC layer?

Collision after 64 bytes.

a. What station is involved?

0008C7A4ACB3. This is coincidental-- it happened on many stations.

8. View the Decode window and look at the hex data for the frame with this symptom. What type of errors do you see in this frame?

Repeating 55s starting at offset 236 in frame 6.

9. Follow the sequence of the bytes and offsets in this file transfer. Frame 9 below the damaged frame, you’ll see a burst frame from the client requesting retransmission of the frame that got damaged. Look in the Detail window for the offset and size. Which frame retransmits the damaged frame?

Novell’s Pburst has selective retransmission of frames not received in a burst.

Use Two station format to show this sequence. Disable Show Network Addresses, then use the Matrix to set a filter on the 2 MAC addresses. It becomes very easy to see the effects of the backpressure on the transfer and how the upper layers handle any collisions that result.

The Intel client requests a big read in frame 4

The server sends packets 5, 6, 7 and 8 with the data, but 6 gets damaged.

The client comes back in frame 9 with the request for the missing frame

Frame 10 is the retransmission of frame 6.

This trace came from a company that was having problems from a line running in the proximity of a generator in a warehouse using cat 5 cabling. The errors coming from the EMI were overflowing the buffer on the 10/100 switch so the switch was sending out the backpressure. To solve the situation the customer installed a fiber zip cord and it worked. This proves the point that the backpressure was not the problem but the EMI was. I hope this fills in the gaps for everyone. Michael "Mickey" Giovingo

10. These are two examples of backpressure sent by switches to slow the stations. Evidently the buffer is full and they need to slow things down so they can free buffer space. Remember that the specification allows the switch to send preamble bits (alternating ones and zeros) to keep the line busy. This shows up as 5s or As in the traces. If the vendor chooses to use another bit pattern, you will see other bit patterns.

11. To determine the bit pattern for your switches, capture during a busy period and look for frames with suspicious patterns. Disable backpressure on your switch, while capturing a trace. See which patterns are missing. Document the information for your co-workers.

12. If you see a lot of “errors” like this on your Fast Ethernet segments, look at where the backpressure bits show up in the frames to ensure you don’t have a different problem. You may need to segment a network if the switch is unable to keep up with the normal traffic.
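The pattern hunt in steps 11 and 12 can be scripted once the damaged frames are exported as raw bytes. The following is an added example, not part of the course material: it finds repeating 1- or 2-byte fill inside each frame, ignores runs no longer than the 8 bytes the exercise associates with a normal collision, and compares a capture taken with backpressure enabled against one with it disabled. The frame bytes and all function names are constructed for illustration.

```python
from collections import Counter

COLLISION_JAM_MAX = 8  # bytes; longer fill is treated as beyond a normal collision


def find_fill_runs(frame, min_len=4, max_period=2):
    """Return (offset, length, pattern) for each run in which a 1- or 2-byte
    pattern repeats for at least min_len bytes."""
    runs, i, n = [], 0, len(frame)
    while i < n:
        best = None
        for period in range(1, max_period + 1):
            j = min(i + period, n)
            while j < n and frame[j] == frame[j - period]:
                j += 1
            if j - i >= min_len and (best is None or j - i > best[1]):
                best = (i, j - i, bytes(frame[i:i + period]))
        if best:
            runs.append(best)
            i += best[1]
        else:
            i += 1
    return runs


def longest_fill(frame):
    """Longest fill run in a frame, or None when nothing repeats."""
    runs = find_fill_runs(frame)
    return max(runs, key=lambda r: r[1]) if runs else None


def pattern_census(frames, threshold=COLLISION_JAM_MAX):
    """Count fill patterns (hex) over frames whose longest run exceeds threshold."""
    census = Counter()
    for frame in frames:
        run = longest_fill(frame)
        if run and run[1] > threshold:
            census[run[2].hex().upper()] += 1
    return census


def vanished_patterns(bp_enabled, bp_disabled):
    """Patterns seen with backpressure enabled but absent once it is disabled."""
    before, after = pattern_census(bp_enabled), pattern_census(bp_disabled)
    return sorted(p for p in before if p not in after)


# Constructed sample frames (not bytes from the course traces).
HDR = bytes.fromhex("02a1b2c3d4e502f60718293a0800")   # dst, src, type
DATA = bytes(range(0x10, 0x40))
clean = HDR + DATA
fill_55 = HDR + DATA[:20] + b"\x55" * 30        # long run of 55s from offset 34
fill_d0 = b"\xd0" * 16                          # short frame that is all D0
collision = HDR + DATA[:10] + b"\x55" * 6       # jam-sized run only

bp_enabled = [clean, fill_55, fill_d0, fill_d0, collision]
bp_disabled = [clean, fill_55, collision]

if __name__ == "__main__":
    print(longest_fill(fill_55))                        # offset, length, pattern
    print(vanished_patterns(bp_enabled, bp_disabled))   # patterns tied to backpressure
```

A pattern that survives with backpressure disabled, like the 55 fill in this sample, points to a different cause and needs its own investigation.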

Exercise Section 6: Fast Ethernet Problems

Objective: Look at a trace taken from a busy Fast Ethernet network.

Background: Several Windows NT workstations were copying files across the network in a Sniffer University classroom. The stations were connected to a 100 Mbps hub. Many errors caused slow response times. In spite of the problems shown here, most stations did not experience much difficulty. This trace was captured with a filter set to capture only physical error frames.

1. Open C:\202GUI\Big_bad_rich.caz. What problems does the Expert see and how long did they last?

Bad CRC errors at the global layer, lasting 3 minutes, 45 seconds and 723 ms

2. How many DLC objects are shown?

Only two, both have NGC cards

3. Look at the Decode window. What type of errors are reported in the status column?

CRC, alignment, collision, unknown

4. What conclusions can you draw from what you’ve learned in class?

The 55s are collision data that are the result of the two colliders and the hub all jamming at about the same time. On bigger networks, the jam is accumulated. On small networks, the jam overwrites each other. Result: big networks can have 8 to 12 bytes of jam, small networks can have 0 to 8 bytes of jam, depending on where it started in the frame or preamble.

The partial frames showing the conversation from 10.10.0.7 (NGC 100D4E) to 10.10.0.9 (NGC 100EF8) show CRC errors, probably due to a marginal or failing card.

5. Close the window. Stop; do not go on to the next exercise.

Exercise Section 6: 10/100 Hubs

Objective: Explore traces taken from 10 Mbps and 100 Mbps ports on a single autosensing hub (multi-port repeater) to see if there are differences in what each port sees.

Background: Two Sniffers were attached to a hub, one was attached at 10 Mbps, the other at 100 Mbps. Each port on the hub was capable of either speed. We could assume there were two backplanes in the hub, one for each speed with a link between them to propagate traffic to all ports.

Instructors: These traces are from Steve Hammill. They were taken from the Hawking 10/100 multiport repeater that is advertised as a hub. Each port autosenses the speed of the connection. Any ports that are not the same speed have the frames bridged between them. There are other issues in these traces that are not related to the forwarding we point out in this exercise. Stay away from them unless you are cornered or are prepared to discuss them!

1. Open these two trace files: C:\NAI\202GUI\Hawk10b.enc and Hawk100b.enc. Use Windows > Tile to see both traces’ Expert overviews simultaneously.

2. How many frames are in the Hawk10b.enc trace? 130 The Hawk100b.enc trace? 42

(This does not imply that there is a difference in what the Sniffers saw, it may just be a matter of when each was started and stopped.)

3. Note any differences in Expert information here.

Hawk10b.enc has 2 ICMP redirect symptoms and 1 Router Storm diagnosis at the Station layer, and 1 WINS No Response diagnosis at the Session layer.

Hawk100b.enc has only the router storm diagnosis.

There are different object counts at the Session, Connection, Station and Subnet layers, too.

4. Adjust each window so it occupies one half of the screen vertically so you can compare the traces frame by frame. Press F4 to zoom each Summary panel. Look at the frame data so you can align the first matching frames side by side. What are the first two identical frames?

Frames 1-5 in each trace are identical. Starting at frame 6, the Hawk100b.enc has frames that are not found in the Hawk10b.enc trace.

5. Let’s see if we can filter out some of the frames to get an idea of the criteria this device is using to forward the frames. First let’s find out how many are broadcast frames. Create a new profile called Broadcast. Use the Address tab, leave the Address type set to Hardware, then click the + in front of the Broadcast/Multicast Address icon. Scroll down and highlight Broadcast(FFFFFFFFFFFF), drag it to the top Station 1 field, click in the Station 2 top field to select Any, then click OK. Select this filter on each trace. How many frames are there in each trace?

Both have 24 broadcast frames, so we know the hub forwarded all of those as it should have.

6. Now go back to your Broadcast filter and click the Exclude button and apply the filter to each of the Decode-tabbed windows again. How many non-broadcast frames are in each trace?

Hawk10b.enc has 106 frames, Hawk100b.enc has 18 frames.

7. Click the Host Table tab for each trace and compare the IP addresses. How many hosts are in each trace and which ones appear in each trace?

Both traces have 192.168.1.13, 192.168.1.192, 192.168.1.252-255.

Hawk10b.enc also has 192.168.1.251, 10.1.1.11, 10.1.1.53, 161.69.33.11, 161.69.5.203

8. Change the layer to MAC. How many DLC addresses are in each trace?

The same six devices appear in both traces. This means there is at least one router.

9. What conclusions can you draw from the behavior of this hub/multiport repeater?

This device seems to be doing more than bridging the frames between the backplane. It is forwarding frames based on criteria above the datalink layer.

Note that only the Ping and ARP frames between .13 and .192 are in the Hawk100b.enc trace.

These frames are also in the Hawk10b.enc trace, but there are lots of WINS “Refresh Name” frames in the Hawk10b.enc that aren’t in the Hawk100b.enc trace.

All the WINS non-broadcast frames were filtered by the hub on the 100 Mbps port.

10. This seems like non-standard behavior. You may want to do a similar check of any odd connection problems you see on your 10/100 hubs. You may find that this type of behavior might impact what you see on the Sniffer, security devices, network management tools, etc.

11. Enlarge both trace file windows to normal size, then close them. Stop here. Do not go on to the next exercise unless directed by your instructor.
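The check suggested in step 10 can be automated for any pair of captures taken on two ports of the same device. The following is an added example, not part of the course material: it reports which frames seen on one port never appear on the other, grouped by destination class and protocol, so a monitoring or security tool on the second port knows what it is blind to. It assumes the device forwards frames byte for byte unchanged; the frames, addresses and function names are constructed.

```python
import struct
from collections import Counter

BROADCAST = b"\xff" * 6


def dst_class(frame):
    """Classify the destination DLC address."""
    if frame[:6] == BROADCAST:
        return "broadcast"
    return "multicast" if frame[0] & 0x01 else "unicast"


def service(frame):
    """Coarse protocol label: ARP, ICMP, or TCP/UDP destination port for IPv4."""
    (etype,) = struct.unpack("!H", frame[12:14])
    if etype == 0x0806:
        return "ARP"
    if etype != 0x0800:
        return f"0x{etype:04X}"
    ihl, proto = (frame[14] & 0x0F) * 4, frame[23]
    if proto == 1:
        return "ICMP"
    if proto in (6, 17):
        (dport,) = struct.unpack("!H", frame[16 + ihl:18 + ihl])
        return f"{'TCP' if proto == 6 else 'UDP'}/{dport}"
    return f"IP/{proto}"


def visibility_gap(port_a, port_b):
    """Count frames captured on port A that have no byte-identical match on
    port B, keyed by (destination class, service)."""
    unmatched_b = Counter(bytes(f) for f in port_b)
    gap = Counter()
    for frame in port_a:
        key = bytes(frame)
        if unmatched_b[key] > 0:
            unmatched_b[key] -= 1
        else:
            gap[(dst_class(frame), service(frame))] += 1
    return gap


def ipv4(dst_mac, src_mac, proto, ident, l4):
    """Constructed IPv4 frame; checksum left at zero, addresses are made up."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), ident, 0, 64, proto, 0,
                     bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]))
    return dst_mac + src_mac + b"\x08\x00" + ip + l4


# Constructed captures from two ports of the same hub.
H1, H2 = bytes.fromhex("020000aa0001"), bytes.fromhex("020000bb0002")
arp = BROADCAST + H1 + b"\x08\x06" + bytes(28)
ping = ipv4(H2, H1, 1, 1, b"\x08\x00" + bytes(6))
wins = [ipv4(H2, H1, 17, 100 + n, struct.pack("!HHHH", 137, 137, 8, 0))
        for n in range(3)]
port_10 = [arp, ping] + wins       # 10 Mbps port sees everything
port_100 = [arp, ping]             # 100 Mbps port is missing the unicast UDP/137
```

Because the traces may have been started and stopped at different times, trim both captures to a common window before reading the gap as device behavior.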

Exercise Section 8: Gigabit Traffic

Objective: Follow autonegotiation frames and analyze a trace with errors.

Background: The first trace was taken as a Gigabit Ethernet device was initializing. We will follow the sequence of frames each side sent. The second trace was captured on a network and has many Expert symptoms.

1. Use File > Select Settings to create a new Gigabit agent. Click New. Name it Gigabit and choose the Network Associates Gigabit Ethernet PCI Adapter_x from the Network Adapter drop-down list. Don’t copy any settings. Click OK twice. Click OK on the “Failed to Set Monitor Mode” message. You should see Gigabit, SX in the title bar. Ignore the blinking “Channels A and B Link Faults” indicator in the title bar.

2. Open C:\202GUI\GBAutonegotiation.cap. This trace has 12 frames captured between channels A and B. Zoom the Detail window and press F8 to advance frame by frame. Note the contents of C1 for each.

| Frame | Channel A | Direction | Channel B |
|---|---|---|---|
| 1 | | ← | All zeros |
| 2 | All zeros | → | |
| 3 | Asymmetric & Symmetric Pause, Full Duplex | → | |
| 4 | | ← | Ack, Link Failure, Symmetric Pause, Half & Full Duplex |
| 5 | Ack, Asymmetric & Symmetric Pause, Full Duplex | → | |
| 6 | Idle | → | |
| 7 | All zeros | → | |
| 8 | Asymmetric & Symmetric Pause, Full Duplex | → | |
| 9 | | ← | Ack, Symmetric Pause, Half & Full Duplex |
| 10 | Ack, Asymmetric & Symmetric Pause, Full Duplex | → | |
| 11 | Idle | → | |
| 12 | | ← | Idle |

3. Though we don’t see definitive frames where both agree in this trace, we can assume they will settle on Symmetric Pauses and Full Duplex as the highest common denominator. They will maintain this mode until they are reset or reboot. The rule is to acknowledge after a side has received 3 consecutive identical frames. These devices do not seem to follow the rule. There is no field to indicate the media type in use.

4. Notice the 10 bit decodes in the Hex panel are automatically enabled for autonegotiation signals.

5. The proof of success lies in seeing whether the devices go on to exchange data (we don’t see that in this trace). If they do, then the inconsistencies with the specification don’t matter. If they don’t exchange data, you have the frames to follow to see where the sides disagree and work from that point. Close this file.

6. Open C:\202GUI\GB.cap. You will see in the Expert that this trace file has 5 Time-to-Live Expiring symptoms at the Station layer. We won’t worry about those – that’s for another course! We can do some examination of the Global symptom of a Bad CRC.

7. Looking in the Decode window, we see that almost every frame has a symptom associated with it. Let’s pull in only the frames with bad CRCs. From Display > Define Filter > Profiles > New, name the filter CRC Errors, click Done and OK. On the Advanced tab select (✓) only the CRC errors. Now right-click on the Summary window and choose Select Filter from the menu and choose the CRC Errors filter. A new window will open with 24 frames showing CRC and CV (code violation) errors.

8. Use Help > Help Topics > Find. Wait while the help files build. Enter code vi to find the explanation for these. Highlight the Code Violation Errors in the bottom panel and click Display. Close the Help screen when you’ve learned how the Sniffer makes this determination.

9. Do you see any single source address that might indicate a bad card?

No, there are several different IP source addresses, though all of them are sent to the same IP and DLC multicast address.

10. Let’s look for evidence of physical damage or other erroneous data in these frames. Tab into the Hex window and press F4 to zoom it. Now press F8 to advance one frame at a time. Do you see evidence of physical damage?

No, the frames look pretty normal.

11. Now click back on the Decode tab to view the entire trace again. We’ll check to see if any of these frames were retransmitted. Highlight frame 10 and note the IP identification number in the frame. ID = 52848.

12. Right-click and choose Find Frame, type in this ID number in the text search window and click the Detail window radio button, then click OK. Repeat this for a couple of the other CRC error frames. Are they retransmitted?

No, they are not, so it appears the other side got them OK.

13. Let’s do one last thing with this trace. Right-click over the Hex window and choose 10 Bit so we can see the 10 bit decodes. (This is automatically enabled for Autonegotiation frames, but you must set it manually for gigabit data frames.) Scroll through the Hex window to see how this data looks. You will see some Carrier Extend and idle bits at the end of most of them. Even though Carrier Extend was developed for half-duplex links, one or more are inserted between each frame in full-duplex mode, too.

14. We don’t have more information on this trace to tell you how this was resolved. We hope this has given you some confidence that you can use the skills you’ve learned here to analyze Gigabit Ethernet frames.

Use File > Select Settings to return to your 10/100 Ethernet agent.

Exercise Section 9: Observing LLC

Objective: Use the Sniffer Pro Network Analyzer Display options to study an LLC session.

Background: This trace file was taken from a Fast Ethernet network running Windows NT4 on NetBIOS and LLC.

1. Open the file C:\202GUI\LLCnetb2.cap. You should have 221 frames.

2. View the Detail of frame 1. Is this an Ethernet Version 2 or 802.3 frame? 802.3 frame.

3. Use Display > Display Setup > Summary Display to enable Two-station format and exclude All protocols, then click Logical Link Control to enable only LLC, click OK.

4. Is this an LLC Type 1 (connectionless) or LLC Type 2 (connection-oriented) session?

LLC TYPE 2 (connection-oriented). There are send [N(S)] and receive [N(R)] numbers for connection-oriented sequencing. There are also two bytes in the Control Field in the hex window.

5. Which frame starts a new LLC connection?

Frame 10 is the SABME

6. Which is the first frame where data is sent? Who sent it? What sequence number is sent?

Frame 14 is sent by Intel B41D55 using sequence number 0

7. In which frame does Dell D45AE8 send sequence number 3? 23

8. Which frame shuts down the connection? Who sent it?

The Intel B41D55 sends the DISC in frame 107

9. What is the response to this frame?

Dell D45AE8 sends a UA in frame 108 and that’s the end of this session.

10. What was the purpose of all those frames where no LLC data was sent? Hint: Enable the display of all protocols in Display > Display Setup > Summary Display > enable Show all layers, then click None at the bottom.

The first LLC data frame (14) carried the NetBIOS session initialization frame.

Frame 18 begins the CIFS/SMB protocol negotiation and account setup process.

Once that is done, it appears that the LLC frames are just keep-alives. There is no upper layer activity.

CIFS/SMB ends the session in frame 105 and LLC disconnects in frame 107.

11. Close all open windows without saving and disable Two-station format.

12. Shut down the Sniffer. We hope this class will enable you to effectively troubleshoot your Ethernet networks back at your company.
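The decisions made by eye in steps 2 through 9 (802.3 versus Ethernet Version 2, LLC Type 1 versus Type 2, and which frame is SABME, I, DISC or UA) all come from the length/type field and the LLC control field. The following is an added example, not part of the course material: a small decoder run over a constructed session that mirrors the exercise sequence. The station addresses, helper names and frame contents are made up; the control-field values are the standard 802.2 encodings.

```python
import struct

U_FRAMES = {0x6F: "SABME", 0x43: "DISC", 0x63: "UA", 0x0F: "DM",
            0x87: "FRMR", 0x03: "UI", 0xAF: "XID", 0xE3: "TEST"}
S_FRAMES = {0x01: "RR", 0x05: "RNR", 0x09: "REJ"}
TYPE1_ONLY = {"UI", "XID", "TEST"}


def decode_llc(frame):
    """Decode the frame format and, for 802.3, the 802.2 LLC control field."""
    (len_type,) = struct.unpack("!H", frame[12:14])
    if len_type >= 0x0600:                     # a type value, so Ethernet Version 2
        return {"format": "Ethernet II", "kind": None}
    c1 = frame[16]                             # DSAP at 14, SSAP at 15
    out = {"format": "802.3", "dsap": frame[14] & 0xFE, "ssap": frame[15] & 0xFE,
           "response": bool(frame[15] & 0x01)}
    if c1 & 0x01 == 0:                         # I-frame: two control bytes
        out.update(kind="I", ns=c1 >> 1, nr=frame[17] >> 1, ctl_len=2)
    elif c1 & 0x03 == 0x01:                    # S-frame: two control bytes
        out.update(kind=S_FRAMES.get(c1, "S?"), nr=frame[17] >> 1, ctl_len=2)
    else:                                      # U-frame: one control byte
        out.update(kind=U_FRAMES.get(c1 & 0xEF, "U?"), pf=bool(c1 & 0x10), ctl_len=1)
    return out


def describe(frame):
    """One-line summary of a frame, in the style of a Summary panel."""
    d = decode_llc(frame)
    if d["kind"] == "I":
        return f"I N(S)={d['ns']} N(R)={d['nr']}"
    if d["kind"] in S_FRAMES.values():
        return f"{d['kind']} N(R)={d['nr']}"
    return d["kind"] or d["format"]


def session_type(frames):
    """Type 2 if any frame needs a connection (I, S, SABME, DISC, UA, DM, FRMR)."""
    kinds = {decode_llc(f)["kind"] for f in frames} - {None}
    if not kinds:
        return "no LLC"
    return "LLC Type 1" if kinds <= TYPE1_ONLY else "LLC Type 2"


def frame_8023(dst, src, llc, data=b""):
    """Build a constructed 802.3 frame (no FCS) around an LLC header."""
    body = llc + data
    return dst + src + struct.pack("!H", len(body)) + body


# Constructed session between two made-up stations, NetBIOS SAP 0xF0.
A, B = bytes.fromhex("020000aa0001"), bytes.fromhex("020000bb0002")
session = [
    frame_8023(B, A, bytes([0xF0, 0xF0, 0x7F])),                   # SABME, P=1
    frame_8023(A, B, bytes([0xF0, 0xF1, 0x73])),                   # UA, F=1
    frame_8023(B, A, bytes([0xF0, 0xF0, 0x00, 0x00]), b"NBDATA"),  # I N(S)=0
    frame_8023(A, B, bytes([0xF0, 0xF1, 0x01, 0x02])),             # RR N(R)=1
    frame_8023(B, A, bytes([0xF0, 0xF0, 0x53])),                   # DISC, P=1
    frame_8023(A, B, bytes([0xF0, 0xF1, 0x73])),                   # UA, F=1
]
datagram = frame_8023(B, A, bytes([0xF0, 0xF0, 0x03]), b"hello")   # UI only
```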
