Sep 22

It is strange, quite strange: the latest release has a version number smaller than the previous one.

As everybody knows, the last version of Sniffer Pro was 4.9; however, the newest version is 3.0.

Maybe after the acquisition the mentality of the product management people changed too. Anyway, many highlights in the new software version still catch the eye.

Many new decoders are added to Sniffer Portable Professional 3.0:

  • VoIP – UNISTIM, Megaco (binary), updates to Cisco SCCP for version 6.0
  • Wireless – 802.11n, 802.11h, 802.11e
  • Financial – Russell 1000 Index, IBM LLM, LMSD, OPRA FAST, NASDAQ UQDF, NASDAQ UTDF, NASDAQ OMDF, ARCA equity, FIX 4.0 and NSX FAST
  • Mobile – Gb over IP stack, BlackBerry RIM and RADIUS A12
  • Fibre Channel decodes – FCoE, FC
  • Other – 802.1ah, 802.1ad, X.25 over Ethernet
In this version a new capture mode is introduced:
Local/Sniffer modes. The Sniffer Portable Analyzer family supports both Sniffer and Local mode for all topologies to accelerate troubleshooting.
  • Sniffer Mode – promiscuously monitors all traffic.
  • Local Mode – monitors only traffic to/from the local host.
New supported operating systems. In addition to the previously supported Windows XP, the Sniffer Portable Analyzer family now supports:
  • Windows Server 2003 SP1 (32- or 64-bit)
  • Windows Server 2008 (32- or 64-bit)
  • Microsoft Windows Vista (32- or 64-bit)
It is very good to see these changes from the protocol analysis giant, and I noticed the company is now investing many resources in the Far East market, such as the emerging China market, by launching a localized website at http://www.sniffer.net.cn
Good luck, Sniffer!
Jul 15

When connecting a network monitoring tool (aka a sniffer) to a network through mirror or SPAN ports, it is very likely that duplicated packets will be captured.

The duplicated packets are usually due to incorrect switch configuration, e.g. both ingress and egress packets are mirrored, so inter-VLAN traffic is recorded twice: once when a packet leaves one monitored VLAN and once when it enters the other.

Some older equipment, such as the Cisco Catalyst 6509 running Catalyst OS, is reported to always mirror duplicated packets to the monitoring tool.

At the Ethernet level, it is hard to tell whether a frame is a duplicate. Consider a Layer 2 packet such as an ARP request: there is neither a sequence number nor a packet ID to distinguish two packets with the same content. Yet both packets may be legitimate, and we cannot simply filter them out, because a burst of similar ARP packets may indicate an ARP storm; if we remove those "duplicates", mistakes will easily follow.

Duplicated packets are a nightmare for analyzers. Response time, TCP round-trip time, retransmission detection and application-level response measurements are all thrown off when packets are duplicated. So identifying packet duplication and removing the unimportant duplicates is an important step in the analysis procedure.

The best way to assess packet duplication is to go to Layer 3, by which I mean the IP layer. The IP layer provides a very useful field for passive duplicate detection: the IP identification (IPID) field. When a host sends IP packets, the OS typically increments an IPID counter and puts the value into each packet. This number is not changed by the routers or switches along the path. So if two packets have the same IPID and the same content, we can normally confirm duplication. However, the IPID field is only 2 bytes, so there are only 65,536 possible values; a very busy server may send more than 100K packets in a single second, wrapping the counter many times. So IPID matching must go together with content and packet-length validation. Note also that not every OS uses a single incrementing counter: some use randomized or per-destination IPID values, or set IPID to zero on packets with the DF bit, so the field alone is never a reliable packet identity.

The real world is more complicated: duplicated packets may not be byte-for-byte identical. Consider this case. A packet is received on port A without any VLAN tag; when the packet is forwarded to port B, the switch adds an 802.1Q/ISL tag to match port B's VLAN settings. If the switch mirrors both the packet at port A and the packet at port B to the monitor port, the monitoring tool will see a duplicated pair with different lengths and no byte-to-byte match at the frame level.

IPID still works in this case, but we need to compare the content and length of the IP layer data only, ignoring the differences at the frame level.

Another case: packets transferred between a router and a firewall, where both operate in load-balancing/dynamic-routing mode. The packets received and sent by the firewall/router will usually come from and go to different MAC addresses, although they are the same equipment and even the same port. This causes another kind of duplication: the MAC addresses differ but everything else is the same. The good news is that the IPID algorithm with IP-layer byte matching still works under this condition.

IPID measurement has its limitations: it is difficult with NAT'd packets, because the addresses differ on the two sides of the translator, and it is difficult to match fragmented against non-fragmented packets for duplicate detection. In heavily loaded environments the algorithm might produce false matches. Faults can be reduced by fine-tuning with a continuous detection window and a duplicate count limit. So basically, IPID detection works very well in most cases. Someone may ask whether IPID-based deduplication will remove TCP retransmissions. Definitely not: a TCP retransmission is actively generated by the sending host, so the IPID is incremented for each transmission.
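The detection described in the last few paragraphs, as an added example (this is not Packetbone's or Sniffer's code and not from the original post). It strips VLAN tags and Ethernet padding, keys each IP packet on the header fields that survive bridging and routing (source, destination, protocol, IPID, total length, fragment word) plus a hash of the IP payload, and drops a frame only when that key was already seen within a sliding window and no more than a small number of times. Leaving TTL and the header checksum out of the key is a design choice so that the router/firewall case above still matches; the sample frames are constructed for the demo.

```python
import hashlib
import socket
import struct
from collections import OrderedDict

ETH_P_IP, ETH_P_ARP = 0x0800, 0x0806
VLAN_ETYPES = (0x8100, 0x88A8)          # 802.1Q and 802.1ad (QinQ) tags


def ip_layer(frame):
    """IPv4 packet inside an Ethernet frame, VLAN tags and trailer padding stripped, else None."""
    if len(frame) < 14:
        return None
    off = 12
    etype = struct.unpack_from("!H", frame, off)[0]
    off += 2
    while etype in VLAN_ETYPES:         # skip any number of stacked VLAN tags
        if len(frame) < off + 4:
            return None
        etype = struct.unpack_from("!H", frame, off + 2)[0]
        off += 4
    if etype != ETH_P_IP:
        return None                     # ARP and friends carry no IPID: never dropped
    pkt = frame[off:]
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    total_len = struct.unpack_from("!H", pkt, 2)[0]
    if total_len < 20 or total_len > len(pkt):
        return None
    return pkt[:total_len]


def dup_key(ip):
    """Key shared by all mirrored copies of one IP packet.
    TTL and header checksum are left out on purpose (a router hop changes both); the
    flags/fragment word is kept so a fragment never matches its unfragmented original;
    length and payload hash guard against the 16-bit IPID counter wrapping."""
    ihl = (ip[0] & 0x0F) * 4
    total_len, ipid, frag = struct.unpack_from("!HHH", ip, 2)
    return (ip[12:16], ip[16:20], ip[9], ipid, total_len, frag,
            hashlib.sha1(ip[ihl:]).digest())


class IpDeduplicator:
    """Sliding-window detector: a frame is a duplicate if its key was seen among the
    last `window` IP packets and at most `max_copies` times (a longer run of identical
    packets is real traffic, not a SPAN artefact)."""

    def __init__(self, window=2048, max_copies=3):
        self.window, self.max_copies = window, max_copies
        self.seen = OrderedDict()       # key -> copies seen so far, oldest first

    def is_duplicate(self, frame):
        ip = ip_layer(frame)
        if ip is None:
            return False
        key = dup_key(ip)
        copies = self.seen.pop(key, 0) + 1
        self.seen[key] = copies         # re-insert at the newest end of the window
        if len(self.seen) > self.window:
            self.seen.popitem(last=False)
        return 1 < copies <= self.max_copies


def ipv4(ipid, src, dst, payload, proto=6, ttl=64):
    """Minimal IPv4 header with DF set; checksum left at zero (never validated here)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ipid, 0x4000,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def ethernet(dst_mac, src_mac, etype, payload, vlan=None):
    hdr = bytes.fromhex(dst_mac) + bytes.fromhex(src_mac)
    if vlan is not None:
        hdr += struct.pack("!HH", 0x8100, vlan)   # 802.1Q tag, priority 0
    return hdr + struct.pack("!H", etype) + payload


# Constructed sample capture: one HTTP request mirrored three times (untagged ingress,
# tagged egress, and after a router hop that rewrote MACs and TTL), its genuine TCP
# retransmission (next IPID), and an ARP request seen twice.
TCP_SEG = struct.pack("!HHIIBBHHH", 40000, 80, 1000, 0, 5 << 4, 0x18, 8192, 0, 0) \
    + b"GET / HTTP/1.1\r\n\r\n"
REQ = ipv4(0x1234, "172.16.0.102", "172.16.0.106", TCP_SEG)
ARP_REQ = (struct.pack("!HHBBH", 1, ETH_P_IP, 6, 4, 1) + bytes.fromhex("001122334455")
           + socket.inet_aton("172.16.0.102") + bytes(6) + socket.inet_aton("172.16.0.1"))
SAMPLE_FRAMES = [
    ("ingress, untagged", ethernet("000c29aabbcc", "001122334455", ETH_P_IP, REQ)),
    ("egress, 802.1Q tagged", ethernet("000c29aabbcc", "001122334455", ETH_P_IP, REQ, vlan=100)),
    ("after router hop", ethernet("00aa11bb22cc", "000c29aabbcc", ETH_P_IP,
                                  ipv4(0x1234, "172.16.0.102", "172.16.0.106", TCP_SEG, ttl=63))),
    ("TCP retransmission", ethernet("000c29aabbcc", "001122334455", ETH_P_IP,
                                    ipv4(0x1235, "172.16.0.102", "172.16.0.106", TCP_SEG))),
    ("ARP request 1", ethernet("ffffffffffff", "001122334455", ETH_P_ARP, ARP_REQ)),
    ("ARP request 2", ethernet("ffffffffffff", "001122334455", ETH_P_ARP, ARP_REQ)),
]


def deduplicate(frames):
    """Labels of the frames an analyzer should keep."""
    detector = IpDeduplicator()
    return [label for label, frame in frames if not detector.is_duplicate(frame)]
```

Running deduplicate(SAMPLE_FRAMES) keeps the first copy of the request, the retransmission and both ARP requests, and drops the tagged and routed copies. The max_copies limit is the "duplicate count limit" from the text: a fourth identical copy is passed through rather than silently dropped.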

P.S. This information can also be found on the Packetbone website.

Jun 26

The crazy vendor Packetbone has released the 2nd major version of their software.

Why call them crazy?

PacketBone is the only vendor who provides an integration that embeds a packet analyzer into Microsoft Windows and Office. Now, in the second release, they extend the integration to Wireshark. Wireshark's rich set of dissectors can be used to parse the packets and export the decoded information into BoneLight XLView. It is quite useful.

Another interesting point is that BoneLight 2.0 provides an IP deduplication feature. In my experience, multi-port captures often produce duplicated packets, and some older SPAN settings can lead to duplication too. With those confusing duplicated packets, the analysis features in mainstream analyzers such as Sniffer, OmniPeek, Observer and Wireshark work definitely poorly and flag everything as a retransmission.

Every packet fan should give it a try: go to http://www.packetbone.com

Aug 12

"Network packets" is a technical term from internetworking; however, this term now gets involved in conflicts between nations quite frequently.

Recently, noise about cyber attacks appeared during the war in Georgia. Russian hackers launched a large-scale DDoS attack against the Georgian government web sites. The result is much more visible than the real war: the Georgian government had to seek asylum for its web hosting by moving it abroad at once. Personally, I hope this is not the final fate of the current Georgian government in reality.

Launching a packet cyber war is quite simple, so an inconspicuous citizen may launch a very large attack on a country-wide target. The technique usually used is DDoS, which means flooding a lot of packets from many machines towards the victim. The machines sending the packets are usually zombies: they have been compromised by hackers and are remotely controlled to do anything on command.

It is not easy to stop war packets over the Internet, as they hide among billions of normal packets every minute. A few companies provide solutions to see the war by monitoring anomalous traffic across Internet borders. Maybe the UN should employ more packet-war observers to keep the peace in cyberspace.

Aug 08

In a few hours, the Beijing Olympic Games will begin. To be clear about the topic, this post is not about package delivery by UPS or FedEx for the Olympics. I always focus on network packets; this time, with the Beijing Olympics.

Led by the Communist Party, China is famous for its clampdowns. The monitoring and control of communications moved from phone lines to the Internet quite a few years ago. An unknown wit coined the term "Great Firewall" to describe the technology and behaviour of the Chinese government in controlling and monitoring people's speech and media publishing over the Internet.

What is the Great Firewall (GFW)? The description on Wikipedia is not exact. There, the GFW is mixed up with the Golden Shield Project, a public Internet security project announced and led by the Public Security agency. Actually the GFW is managed by another independent department reporting directly to the central government, which covers Internet virus/worm detection and censorship of text, pictures and video on the Internet.

What does the GFW do? Simply put, if you travel to China and try to browse some international web sites with sensitive content, the GFW will actively block your traffic. What is sensitive? It varies: anti-government reports, rumours about political leaders, sex tapes and so on. What is really interesting is that Google has become the biggest victim besides the Chinese people. Searching for sensitive keywords from China will immediately cause Google to be blocked for a few minutes. That is one of the major reasons Google failed, or let's say was not so successful, in China when competing with local search providers.

How is the GFW implemented? According to a trusted source, the GFW has already scaled up to more than 100,000 computers. Those computers work in parallel to analyze the Internet traffic leaving China. The censorship analysis focuses on Web and email and is now moving to video monitoring, as many people report that YouTube (Google again) has become unavailable in many locations in China. The mechanism behind the blocking is actually to send forged TCP RST packets to the victim IP to interrupt the connection. This works just like an IDS, so technically the GFW should be called the Great IDS (GIDS). A recent technical analysis of the GFW believes more techniques are adopted, including DNS spoofing and/or manually updated ACLs (access control lists) in Internet border routers.

The architecture of the GFW is reported to consist of many specially designed Cisco/Juniper monitoring devices to forward traffic and servers running AMD/Intel CPUs to parse the packet payloads. Yes, quite a few US vendors are involved in this infrastructure. States always provide weapons to help tyrants and then, years later, claim to protect the rights of the victims.

The Beijing Olympic Games changed the censorship policy of the GFW a lot. The Chinese government was reported to have committed to unblocking most traffic during the Games. During the Olympic Games, maybe it is another Internet surfing game for Chinese people to learn how the world has changed during this time window. This change was mainly triggered by numerous complaints from international travellers coming to China for the Olympics; besides donating to the quake-afflicted people and adopting Chinese orphans, maybe complaining will help the Chinese people get a better life too.

Jul 28

Most public companies in the packet business have announced their Q2 (April to June) results. Let's summarize some of them here.

Company                 Stock          Net income   Revenue   Revenue increase YoY
RiverBed Technology     NASDAQ:RVBD    $3.9M        $44M      +61%
NetScout                NASDAQ:NTCT    $1.5M        $60.6M    +17%
OPNET                   NASDAQ:OPNT    $1.2M        $30.1M    +29%
F5                      NASDAQ:FFIV    $19.1M*      $165M     +25%
Sourcefire              NASDAQ:FIRE    -$3.1M       $16M      +42%
Cisco                   NASDAQ:CSCO    $2B          $10.4B    +10%

* FFIV net income fell by 13% compared with the same period in 2007.

OPNET acquired Network Physics last year, and the company shows good performance in handling the expansion.

NetScout has just completed the acquisition of Network General. From the revenue result, it seems the company has successfully converted the original Sniffer customers.

Acquired by Blue Coat, Packeteer is missing from the list. Mergers and acquisitions have been quite frequent in the packet industry recently; most people expect more acquisitions to happen soon.

Cisco reported record revenue, the first quarter to surpass $10B. Its profit rate and revenue really exceeded expectations. It is impressive that the packet giant keeps its strong growth despite the economic worries.

 

[Stock price chart: F5, RiverBed, NetScout and NetApp over the last 4 days]

If we compare the trends over the last 4 days (I added F5, RiverBed, NetScout and NetApp to the watch list), the only one growing strongly is NetScout. All the other vendors' prices stay in the marsh. Especially RiverBed: after the earnings call the price jumped by 15%; however, just 72 hours later, the price is now lower than before the results were announced.

Jul 28


Storage networking company Brocade Communications Systems Inc. agreed last week to acquire Foundry Networks Inc., a maker of enterprise LAN technology, for about $3 billion in cash and stock.

Foundry has a 20-year history as a specialist in enterprise Ethernet LANs and has 1,100 employees. The company did not disclose the number of staff to be laid off.

The acquisition is meant to merge the two companies' strengths to fight Cisco. Cisco has been the only company with both the vision and the technology to create an FCoE unified fabric. Brocade, on the other hand, has had the FCoE vision but not the Ethernet goods. So after the acquisition completes, there will be two vendors in the market with both FCoE and Ethernet solutions.

Jul 28

If you have an iPhone, you may already have played with iTunes Remote, a tool released by Apple to control Apple TV and iTunes directly from the iPhone/iPod Touch. If you haven't tried it, I suggest you go to the App Store and download it; it is free and very easy to use.

In theory the remote control has no limit on distance: even at the office, you could control your home iTunes in real time. How is it implemented? Is it magic? Let's look at the actual packets.

My iPhone got the LAN address 172.16.0.102 and the iTunes PC got 172.16.0.106. When the iPhone Remote starts, it sends a Multicast DNS packet to 224.0.0.251 (UDP port 5353). This is a multicast address, which means all devices and computers in the same group will hear the packet.

A computer with iTunes installed will reply if it receives the multicast query. The reply is a Multicast DNS response too, which provides information about the iTunes version and capabilities.

One of the replies indicates the service port of iTunes; by default it uses TCP port 3689. Then the iPhone happily connects to iTunes, talking a protocol similar to the Digital Audio Access Protocol (DAAP). More information about DAAP can be found at http://en.wikipedia.org/wiki/Digital_Audio_Access_Protocol
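The discovery step just described, as an added example (not Apple's code and not from the original post): it builds the mDNS PTR query the iPhone multicasts to 224.0.0.251:5353 and parses a constructed reply to follow PTR to SRV to A and recover the host, address and TCP port 3689 that the following HTTP session connects to. The service type _daap._tcp.local, the instance name "Home Library" and the host itunes-pc.local are assumptions for the demo, not captured values; the reply uses DNS name compression so the parser's pointer handling is exercised.

```python
import socket
import struct

MDNS_GROUP, MDNS_PORT = "224.0.0.251", 5353
TYPE_A, TYPE_PTR, TYPE_SRV = 1, 12, 33
CLASS_IN, CACHE_FLUSH = 1, 0x8000
SERVICE = "_daap._tcp.local"            # assumed service type advertised by iTunes


def encode_name(name):
    """DNS wire format: length-prefixed labels terminated by a zero byte."""
    out = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return out + b"\x00"


def decode_name(msg, off):
    """Decode the name at `off`, following compression pointers; return (name, next_off)."""
    labels, end, hops = [], None, 0
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:                          # 2-byte compression pointer
            hops += 1
            if hops > 16:                             # refuse pointer loops in hostile packets
                raise ValueError("pointer loop in DNS name")
            if end is None:
                end = off + 2                         # parsing resumes after the first pointer
            off = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            continue
        off += 1
        if n == 0:
            break
        labels.append(msg[off:off + n].decode())
        off += n
    return ".".join(labels), (off if end is None else end)


def build_query(service=SERVICE, qtype=TYPE_PTR):
    """The packet the iPhone multicasts: ID 0, no flags, one question."""
    return (struct.pack("!HHHHHH", 0, 0, 1, 0, 0, 0)
            + encode_name(service) + struct.pack("!HH", qtype, CLASS_IN))


def parse_response(msg):
    """Return (name, type, value) for every record in the answer/authority/additional sections."""
    _, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    if not flags & 0x8000:
        raise ValueError("not a response")
    off = 12
    for _ in range(qd):                               # skip echoed questions
        _, off = decode_name(msg, off)
        off += 4
    records = []
    for _ in range(an + ns + ar):
        name, off = decode_name(msg, off)
        rtype, _, _, rdlen = struct.unpack_from("!HHIH", msg, off)   # class carries the cache-flush bit
        off += 10
        start, off = off, off + rdlen
        if rtype == TYPE_PTR:
            value = decode_name(msg, start)[0]
        elif rtype == TYPE_SRV:                       # priority, weight, port, target
            value = (struct.unpack_from("!HHH", msg, start)[2], decode_name(msg, start + 6)[0])
        elif rtype == TYPE_A:
            value = socket.inet_ntoa(msg[start:off])
        else:
            value = msg[start:off]
        records.append((name, rtype, value))
    return records


def _by_type(records, rtype):
    return {name: value for name, t, value in records if t == rtype}


def find_service(records, service=SERVICE):
    """Follow PTR -> SRV -> A; return (instance, host, ip, port) or None."""
    ptr, srv, addr = (_by_type(records, t) for t in (TYPE_PTR, TYPE_SRV, TYPE_A))
    instance = ptr.get(service)
    if instance is None or instance not in srv:
        return None
    port, host = srv[instance]
    return instance, host, addr.get(host), port


def build_response(service, instance, host, ip, port):
    """Constructed reply in the shape iTunes sends back (all values are demo assumptions)."""
    question = encode_name(service) + struct.pack("!HH", TYPE_PTR, CLASS_IN)
    msg = struct.pack("!HHHHHH", 0, 0x8400, 1, 1, 0, 2) + question   # QR=1, AA=1, 1 answer, 2 additional
    svc_ptr = struct.pack("!H", 0xC000 | 12)                          # pointer to the service name in the question
    ptr_rdata = bytes([len(instance)]) + instance.encode() + svc_ptr  # "<instance>.<service>", compressed
    msg += svc_ptr + struct.pack("!HHIH", TYPE_PTR, CLASS_IN, 4500, len(ptr_rdata)) + ptr_rdata
    inst_ptr = struct.pack("!H", 0xC000 | (12 + len(question) + 12))  # pointer to the instance name above
    srv_rdata = struct.pack("!HHH", 0, 0, port) + encode_name(host)
    msg += inst_ptr + struct.pack("!HHIH", TYPE_SRV, CLASS_IN | CACHE_FLUSH, 120, len(srv_rdata)) + srv_rdata
    msg += encode_name(host) + struct.pack("!HHIH", TYPE_A, CLASS_IN | CACHE_FLUSH, 120, 4) + socket.inet_aton(ip)
    return msg


DEMO_REPLY = build_response(SERVICE, "Home Library", "itunes-pc.local", "172.16.0.106", 3689)


def discover(reply=DEMO_REPLY, service=SERVICE):
    """What the iPhone learns from the reply: the host and port to open the TCP connection to."""
    return find_service(parse_response(reply), service)
```

To send the real query, open a UDP socket, sendto(build_query(), (MDNS_GROUP, MDNS_PORT)) and feed whatever arrives on port 5353 to parse_response; the hop limit in decode_name matters because any host on the segment can answer a multicast query with a crafted packet.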

The iPhone also sends some discardable broadcast packets in the meantime, which do not seem to serve any purpose.


Here we are not going to dig into the protocol specification, but just by going roughly through the packet payloads we can see that the protocol is actually encapsulated in HTTP.

The login sequence is as below:

iPhone -> iTunes : GET /server-info HTTP/1.1
iTunes -> iPhone : HTTP/1.1 200 OK
iPhone -> iTunes : GET /login?pairing-guid=* HTTP/1.1
iTunes -> iPhone : HTTP/1.1 200 OK

After the login, iTunes and the iPhone exchange some library information. If you play a song remotely on iTunes, many calls to /ctrl-int are involved.

The implementation is compact and efficient. The multicast implementation is quite good and adapts even to a complex routed network.

Jul 25

iPhone 2.0 firmware came out around 2 weeks ago. It was good news for all Apple fans. Well, after the Dev Team released the unlock tool for the iPhone, it became good news for packet fans too.

With PwnageTool applied, you can get many applications which can never be seen in Apple's iTunes store. The applications include:
  • tcpdump - the famous packet capture tool
  • ngrep - a packet payload search tool
  • nmap - an excellent network scanning tool
  • and many more

The iPhone hacker team also ships libpcap, the de facto packet capture library, on the iPhone. This is really amazing: it simply turns the iPhone into a network packet processor over the WiFi interface.

So you must realize that the young guy with an iPhone standing beside you might be a hacker equipped with a handheld sniffer and scanner. Hackers anywhere :)

Jul 23

 

As you may know, Snort, the most famous open source IDS (Intrusion Detection System), is now promoting Snort 3.0. The new release is currently still in beta. However, from the design and the description posted, the open source giant intends to become a complete platform for all packet-based software.

Snort 3.0 emphasizes lower-level native support for IPv6, MPLS and GRE. This gives carrier users a chance to put Snort into the newest wired and wireless data networks. To be a platform, this is necessary.

Inline Snort was previously an independent project; now the inline feature is integrated into Snort 3.0 as a standard offering. The multi-threading and subsystem architecture shows the ambition to let plugins or components from 3rd parties be easily ported in.

So Snort 3.0 is actually called SnortSP 3.0, which means Snort Security Platform.

As Linux unified the core of many operating system distributions, can SnortSP 3.0 unify the core of security systems?

Keep walking…