Resolve Network Protocol Analysis Software Installation Problems

Many friends may encounter some problems when using network protocol analysis software. Some problems may occur during the installation of network protocol analysis software. Some people often ask why I can only see my own communication? Why can't I see the Communication Status of XX? Is it software limitations?

In fact, this kind of problem is not the limitation of the software, but caused by improper installation and deployment of the software.

We know that the network protocol analysis software works in sniffing mode. It must collect raw data packets in the network to accurately analyze network faults. however, if the installation location is incorrect, the collected data packets will be significantly different, which will affect the analysis results and cause the above problems.

In view of this situation, I think it is necessary to introduce the installation and deployment of the network protocol analysis software. I will briefly introduce it below.

Generally, the installation and deployment of the network protocol analysis software are as follows:

Shared Network

The network that uses the Hub as the network switch device is a shared network. The Hub works in the OSI Layer in the shared mode.

The network protocol analysis software can be installed on any host in the LAN. In this case, the software can capture all the data communication in the network.

Swap network with image Function

Switch) the network that acts as the center Switch device of the network is a switched network.

Switch) works in the data link layer of the OSI model, and its ports can effectively separate conflicting domains. The network connected by the Switch will separate the entire network into many small domains.

If the vswitch in your network has the image function, you can configure the port image on the vswitch, and then install the network protocol analysis software on the host that connects the Image Port, in this case, the software can capture all the data communication in the entire network.

Swap network with no image Function

Some simple vswitches may not have the image function and cannot monitor and analyze the network through port images.

In this case, you can concatenate a shard Tap or Hub between the vswitch and the vro or firewall to complete data capture.

When analyzing a department or a network segment at a specified point, the network topology is often very complex. During network analysis, we do not need to analyze the entire network, you only need to analyze the departments or CIDR blocks of some abnormal jobs. in this case, you can install the network protocol analysis software on a mobile computer, and then attach a shard Tap) or Hub ), you can easily capture data from any department or network segment.

Proxy Server Internet sharing

A large part of the current small network may still share the Internet with the proxy server. For this network analysis, you can directly install the network analysis software on the proxy server.

Note: In this case, you must capture data from both the internal and external NICs of the proxy server.

Note that most of the current hubs are also exchange-type. That is to say, it is basically impossible for you to increase the HUB to capture traffic. the specific HUB type depends on the manufacturer's manual. I feel that as long as the negotiation is 100 M/FULL, the switch type is used.

Because of the CSMA/CD principle, if you can enable full duplex, your HUB is not broadcast-style.

It depends on your needs to select which ports are connected to the Image Port. for example, a vswitch has four ports, namely, 1 port, 2 port, 3 Port, and 3 port, which are connected to the Internet, and 2 port and 3 port are connected to the following host, 4. It is the host of the Network Analysis System of the Image Port installation section.

Requirement 1: only capture data communication between all hosts on the network

Image configuration: Use Port 1 as the Image Port.

Requirement 2: capture communications between all internal hosts

Image configuration: Use Port 2 and Port 3 as the Image Port.

NOTE: If vswitches 2 and 3 are connected, even if the ports 2 and 3 are used as mirror ports, internal communication between vswitches 2 and 3 cannot be captured. Why? The reason is that the switch separates conflicting domains.