Sep 22

It is strange, quite strange: the latest release has a version number smaller than the previous one.

As everybody knows, the last version of Sniffer Pro was 4.9; however, the newest version is 3.0.

Maybe after the acquisition the mentality of the product management people changed too. Anyway, the new software version still has many highlights that catch the eye.

Many new decoders have been added to Sniffer Portable Professional 3.0:

  • VoIP – UNISTIM, Megaco-binary , updates to Cisco SCCP for version 6.0
  • Wireless – 802.11n, 802.11h, 802.11e
  • Financial – Russell Index 1000, IBM LLM, LMSD, OPRA Fast, NASDAQ UQDF, NASDAQ UTDF, NASDAQ OMDF, ARCA equity, FIX 4.0 and NSX FAST
  • Mobile – Gb over IP Stack, Blackberry RIM and Radius A12
  • Fibre Channel decodes – FCoE, FC
  • Other – 802.1ah, 802.1ad, X.25 over Ethernet
In this version a new capture mode is introduced:
Local/Sniffer Modes. The Sniffer Portable Analyzer family supports both Sniffer and Local mode for all topologies, to accelerate troubleshooting efforts.
  • Sniffer Mode – promiscuously monitors all traffic.
  • Local Mode – monitors only traffic to/from the local host.
New supported operating systems. In addition to the previously supported Windows XP, the Sniffer Portable Analyzer family now supports:
  • Windows Server 2003 SP1 (32- or 64-bit)
  • Windows Server 2008 (32- or 64-bit)
  • Microsoft Windows Vista (32- or 64-bit)
It is very good to see these changes from the protocol analysis giant, and I noticed the company is now investing many resources into the Far East market, such as the emerging China market, by launching a localized website at http://www.sniffer.net.cn
Good luck, Sniffer!
Jul 15

When connecting a network monitoring tool (a.k.a. a sniffer) to a network through mirror or SPAN ports, it is very likely that duplicated packets will be captured.

The duplicates are usually generated by incorrect switch configuration, e.g. both ingress and egress packets are captured, so inter-VLAN traffic is recorded twice: once when a packet leaves one monitored VLAN and once when it enters the other.

Some older equipment, such as the Cisco Catalyst 6509 running Catalyst OS, is reported to always mirror duplicated packets to the monitoring tool.

At the Ethernet level it is hard to tell whether a frame is a duplicate. Consider a Layer 2 packet such as an ARP request: there is neither a sequence number nor a packet ID to distinguish two packets with the same content. Yet both packets may be genuine, so we cannot simply filter them out; a burst of near-identical ARP packets may indicate an ARP storm, and removing those "duplicates" would hide it.

Duplicated packets are a nightmare for analyzers. Response times, TCP round-trip times, retransmission detection and application-level response measurements are all distorted by duplicated packets. So identifying duplication and removing the unimportant duplicates is essential to the analysis procedure.

To assess packet duplication, the best way is to go to Layer 3, by which I mean the IP layer. The IP header provides a very useful field for passive duplicate detection: the IPID (Identification) field. When a machine sends IP packets, the OS increments an IPID counter and puts that number into each packet; the number is not changed by the routers or switches along the path. So if two packets have the same IPID and the same content, we can normally confirm that it is duplication. However, the IPID field is only 2 bytes, so only 65,536 values are possible, and a very busy server may send more than 100K packets in a single second. The IPID check must therefore be combined with validation of the packet content and length.

The real world is more complicated: the duplicated packets may not be byte-for-byte the SAME. Consider this case. A packet is received on Port A with no VLAN tag; when it is forwarded to Port B, the switch adds an 802.1Q or ISL tag to match Port B's VLAN settings. If for some reason the switch mirrors both the packet at Port A and the packet at Port B to the monitor port, the monitoring tool sees a duplicate pair with different lengths that do not match byte for byte.

IPID still works in this case; we need to compare all of the IP-layer data (content and length) and ignore the differences at the frame level.

Another case: packets transferred between a router and a firewall, where both are running in a load-balancing/dynamic-routing mode. The packets received and sent by the firewall/router will often come from and go to different MAC addresses even though they traverse the same equipment and even the same port. This causes another kind of duplication: the MAC addresses differ, but everything else is the same. The good news is that the IPID algorithm with IP-layer byte matching still works under this condition.

The IPID method has its limitations: it is difficult to handle packets that pass through NAT, and fragmented vs. non-fragmented packets complicate duplicate detection. In a heavily loaded environment the algorithm may produce false positives; these can be reduced by fine-tuning with continuous detection and a duplicate-count limit. So basically the IPID detection works very well in most cases. Someone may ask whether IPID-based deduplication will also remove TCP retransmissions. Definitely not: a TCP retransmission is actively generated by the sending host, so it gets a fresh, incremented IPID.
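The IPID-based deduplication described above, written out as an added example in Python (my code, not PacketBone's or Sniffer's). It covers the cases the text walks through: a datagram mirrored once untagged and once with an 802.1Q tag, the same datagram seen with different MAC addresses on a router/firewall hop, a TCP retransmission with a fresh IPID, a repeated ARP frame that must never be dropped, and two fragments that share an IPID. The sample frames are constructed inline, not from a real capture; the window size and the duplicate-count limit are my own knobs, my reading of the "continuous detection and duplication count limit" idea, and ISL tags are assumed not to occur (only 802.1Q/802.1ad are stripped).

```python
import socket
import struct
from collections import OrderedDict

ETH_P_IP, ETH_P_ARP, ETH_P_8021Q, ETH_P_8021AD = 0x0800, 0x0806, 0x8100, 0x88A8

def strip_ethernet(frame):
    """(ethertype, payload) after the 14-byte Ethernet header and any 802.1Q/802.1ad
    tags. ISL encapsulation is not handled here (assumption: 802.1Q-style tags only)."""
    if len(frame) < 14:
        return None, b""
    etype, off = struct.unpack("!H", frame[12:14])[0], 14
    while etype in (ETH_P_8021Q, ETH_P_8021AD):
        if len(frame) < off + 4:
            return None, b""
        etype, off = struct.unpack("!H", frame[off + 2:off + 4])[0], off + 4
    return etype, frame[off:]

def ip_key(frame):
    """Duplicate key for an IPv4 frame: (IPID, total length, exact IP datagram bytes).
    MAC addresses, VLAN tags and minimum-frame padding are deliberately left out;
    non-IP frames (ARP etc.) return None and are therefore never suppressed."""
    etype, ip = strip_ethernet(frame)
    if etype != ETH_P_IP or len(ip) < 20 or ip[0] >> 4 != 4:
        return None
    ihl = (ip[0] & 0x0F) * 4
    total_len, ipid = struct.unpack("!HH", ip[2:6])
    if ihl < 20 or total_len < ihl or len(ip) < total_len:
        return None
    return ipid, total_len, ip[:total_len]

class IpidDeduplicator:
    """Sliding-window duplicate suppressor. `window` bounds how many distinct datagrams
    are remembered, so a wrapped 16-bit IPID on a busy host cannot match an unrelated
    packet seen long before; `max_dups` bounds how many extra copies of one datagram are
    dropped, after which the key is treated as a genuine repeat (or IPID collision)."""

    def __init__(self, window=256, max_dups=2):
        self.window, self.max_dups = window, max_dups
        self.seen = OrderedDict()  # key -> copies seen so far

    def is_duplicate(self, frame):
        key = ip_key(frame)
        if key is None:
            return False
        if key in self.seen:
            self.seen[key] += 1
            self.seen.move_to_end(key)
            return self.seen[key] <= self.max_dups + 1
        self.seen[key] = 1
        if len(self.seen) > self.window:
            self.seen.popitem(last=False)
        return False

def deduplicate(frames):
    """Frames with mirror duplicates removed, order preserved."""
    dedup = IpidDeduplicator()
    return [f for f in frames if not dedup.is_duplicate(f)]

# ---- constructed sample traffic (not a real capture) --------------------------------
def ipv4(src, dst, ipid, payload, proto=6, ttl=64, frag=0):
    """Minimal IPv4 datagram with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ipid, frag, ttl,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    s = sum(struct.unpack("!10H", hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return hdr[:10] + struct.pack("!H", ~s & 0xFFFF) + hdr[12:] + payload

def ether(dst, src, payload, etype=ETH_P_IP, vlan=None):
    """Ethernet frame, optionally 802.1Q tagged, padded to the 60-byte minimum."""
    tag = struct.pack("!HH", ETH_P_8021Q, vlan) if vlan is not None else b""
    return (dst + src + tag + struct.pack("!H", etype) + payload).ljust(60, b"\x00")

MAC_A, MAC_B = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
MAC_RT, MAC_FW, BCAST = bytes.fromhex("0000bb000001"), bytes.fromhex("0000aa000001"), b"\xff" * 6
REQ = ipv4("10.0.0.1", "10.0.0.2", 1000, b"GET / HTTP/1.0\r\n\r\n")
ARP = b"\x00\x01\x08\x00\x06\x04\x00\x01" + MAC_A + b"\x0a\x00\x00\x01" + b"\x00" * 6 + b"\x0a\x00\x00\x02"
SAMPLE = [
    ("copy-A", ether(MAC_B, MAC_A, REQ)),                # mirrored at the ingress port
    ("copy-B-vlan", ether(MAC_B, MAC_A, REQ, vlan=10)),  # same datagram, tagged at egress
    ("copy-C-mac", ether(MAC_FW, MAC_RT, REQ)),          # same datagram, router/firewall MACs
    ("copy-D-limit", ether(MAC_B, MAC_A, REQ)),          # 4th copy: exceeds max_dups, kept
    ("retransmission", ether(MAC_B, MAC_A, ipv4("10.0.0.1", "10.0.0.2", 1001, b"GET / HTTP/1.0\r\n\r\n"))),
    ("arp", ether(BCAST, MAC_A, ARP, etype=ETH_P_ARP)),  # repeated ARP (possible storm): kept
    ("arp", ether(BCAST, MAC_A, ARP, etype=ETH_P_ARP)),
    ("frag-0", ether(MAC_B, MAC_A, ipv4("10.0.0.1", "10.0.0.2", 2000, b"A" * 8, proto=17, frag=0x2000))),
    ("frag-1", ether(MAC_B, MAC_A, ipv4("10.0.0.1", "10.0.0.2", 2000, b"B" * 4, proto=17, frag=0x0001))),
]

def run_sample():
    """Labels of the sample frames that survive deduplication."""
    dedup = IpidDeduplicator()
    return [label for label, frame in SAMPLE if not dedup.is_duplicate(frame)]

if __name__ == "__main__":
    print(run_sample())  # ['copy-A', 'copy-D-limit', 'retransmission', 'arp', 'arp', 'frag-0', 'frag-1']
```

Two caveats a practitioner should keep in mind. `ip_key` compares the entire IP datagram, so a copy mirrored on the far side of a routed hop (TTL decremented, header checksum recomputed) would not match; if you mirror across routers, mask those two fields before comparing. And not every stack increments the IPID sequentially (some randomize it, some emit a constant for datagrams with DF set), so IPID equality alone proves nothing; the byte comparison is what rules out false matches, and the fragments above survive only because their bytes differ, exactly the case the text flags as hard.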

P.S. This information can also be found on the PacketBone website.

Jun 26

The crazy vendor PacketBone has released the 2nd major version of their software.

Why call them crazy?

PacketBone is the only vendor who provides integration that embeds a packet analyzer into Microsoft Windows and Office. Now, in this second release, they extend the integration to Wireshark as well: Wireshark's rich dissectors can be used to parse the packets and export the decode information into BoneLight XLView. It is quite useful.

Another interesting point is that BoneLight 2.0 provides an IP Deduplicate feature. In my experience, many multi-port captures produce duplicated packets, and some older SPAN settings can lead to duplication too. With those confusing duplicated packets, the analysis features in mainstream analyzers such as Sniffer, OmniPeek, Observer and Wireshark work poorly and identify everything as a retransmission.

Every packet fan should give it a try: go to http://www.packetbone.com

Jul 28

If you have an iPhone, you may already have played with iTunes Remote, a tool released by Apple to remote-control Apple TV and iTunes directly from the iPhone/iPod Touch. If you haven't tried it, I suggest you go to the App Store and download it; it is free and very easy to use.

The remote control has no limit on distance; in theory, even at the office you can directly control your home iTunes in real time. How is it implemented? Is it magic? Let's look into the actual packets.

My iPhone got a LAN address of 172.16.0.102 and the iTunes PC got 172.16.0.106. When iTunes Remote starts, it sends a Multicast DNS packet to 224.0.0.251. This is a multicast, which means that the devices and computers in the same group will hear this packet.

A computer with iTunes installed replies if it receives the multicast query. The reply is a Multicast DNS response too, which provides information about the iTunes version and capabilities.

One of the replies indicates the service port of iTunes; by default it uses TCP port 3689. Then the iPhone happily connects to iTunes and talks a protocol similar to the Digital Audio Access Protocol (DAAP). More information about DAAP can be found at http://en.wikipedia.org/wiki/Digital_Audio_Access_Protocol

The iPhone also sends some discardable broadcast packets in the meantime, which don't seem to serve any purpose.


Here we are not going to dig into the protocol specification, but just by going roughly through the packet payloads we can see that the protocol is actually encapsulated in HTTP.

The login sequence is as below:

iPhone –> iTunes : GET /server-info HTTP/1.1
iTunes –> iPhone : HTTP/1.1 200 OK
iPhone –> iTunes : GET /login?pairing-guid=* HTTP/1.1
iTunes –> iPhone : HTTP/1.1 200 OK

After login, iTunes and the iPhone exchange some library information. If you play a song remotely on iTunes, many calls to /ctrl-int are involved.
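The discovery step above, as an added example in Python (mine, not Apple's code and not from the post): a small Multicast DNS parser that does what the iPhone has to do with the reply, i.e. follow the PTR record for the service type to the instance name, then read the SRV record to learn the host and the port (3689 in the post). The response is constructed inline rather than taken from a capture, with a compression pointer in it so the pointer-following code is exercised; the service type `_daap._tcp.local.` is an assumption (the standard DAAP service type, which the post does not name), and the instance and host names are made up.

```python
import struct

TYPE_PTR, TYPE_SRV = 12, 33
CLASS_IN = 0x0001
MDNS_CACHE_FLUSH = 0x8000                # high bit of the class field in mDNS answers
DAAP_SERVICE = "_daap._tcp.local."       # assumption: standard DAAP service type

def encode_name(name):
    """DNS wire format: length-prefixed labels and a zero terminator, no compression."""
    out = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return out + b"\x00"

def read_name(msg, off):
    """Decode a possibly compressed name at msg[off]. Returns (name, next_offset), where
    next_offset is the position just after the name as it appears in place."""
    labels, end, jumps = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # compression pointer
            jumps += 1
            if jumps > 16:                               # pointer loop in a hostile packet
                raise ValueError("compression pointer loop")
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("utf-8", "replace"))
        off += length
    return ".".join(labels) + ".", end if end is not None else off

def records(msg):
    """Yield (owner, type, class, ttl, rdata_offset, rdata_length) for every RR."""
    _, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                                  # skip the question section
        _, off = read_name(msg, off)
        off += 4
    for _ in range(an + ns + ar):
        owner, off = read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if off + rdlen > len(msg):
            raise ValueError("truncated record")
        yield owner, rtype, rclass & ~MDNS_CACHE_FLUSH, ttl, off, rdlen
        off += rdlen

def find_service(msg, service=DAAP_SERVICE):
    """(instance, host, port) for a service type in one mDNS response, or None:
    PTR service -> instance, then SRV instance -> host:port."""
    recs = list(records(msg))
    instances = {read_name(msg, r[4])[0] for r in recs if r[1] == TYPE_PTR and r[0] == service}
    for owner, rtype, _, _, rd_off, _ in recs:
        if rtype == TYPE_SRV and owner in instances:
            _prio, _weight, port = struct.unpack("!HHH", msg[rd_off:rd_off + 6])
            host, _ = read_name(msg, rd_off + 6)
            return owner, host, port
    return None

def build_response(instance, service, host, port):
    """Constructed mDNS answer (not a real capture): one PTR and one SRV record, the SRV
    owner name written as a compression pointer into the PTR rdata."""
    hdr = struct.pack("!HHHHHH", 0, 0x8400, 0, 2, 0, 0)   # response, authoritative, 2 answers
    full = encode_name(instance + "." + service)
    ptr = encode_name(service) + struct.pack("!HHIH", TYPE_PTR, CLASS_IN, 4500, len(full)) + full
    ptr_rdata_off = len(hdr) + len(encode_name(service)) + 10
    srv_rdata = struct.pack("!HHH", 0, 0, port) + encode_name(host)
    srv = (struct.pack("!H", 0xC000 | ptr_rdata_off)
           + struct.pack("!HHIH", TYPE_SRV, CLASS_IN | MDNS_CACHE_FLUSH, 120, len(srv_rdata))
           + srv_rdata)
    return hdr + ptr + srv

if __name__ == "__main__":
    reply = build_response("Home Library", DAAP_SERVICE, "itunes-pc.local.", 3689)
    print(find_service(reply))  # ('Home Library._daap._tcp.local.', 'itunes-pc.local.', 3689)
```

The jump limit in `read_name` and the length check in `records` matter because anything on the LAN can answer a multicast query; a parser that follows pointers blindly can be spun forever or read past the buffer by a forged reply. The rest of the exchange is then ordinary HTTP on the returned port, starting with `GET /server-info` as listed above.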

The implementation is compact and efficient. The multicast implementation is quite good and adapts even to a complex routed network.

Jul 15


10G is not a new word; it stands for a network type carrying 10 gigabits per second, which can be 10 Gigabit Ethernet or an OC-192 POS link. A few customers have already implemented 10G in their backbones, and the price per port for 10G is becoming affordable.

High traffic volume means many packets. On 10G, one direction may carry up to about 15 million packets per second (at minimum frame size). Most x86-based systems are not ready to process over 10 million data units per second, so providing an analysis solution for 10G is a nightmare for most packet analysis vendors.

Packet analysis companies are now fighting this challenge. The solutions are mainly for 10 Gigabit Ethernet.

NetScout released a 10GE probe around 1 or 2 years ago, based on their Gigabit probe platform. The 10GE probe can process around 1 million packets per second, which means about 5 to 8 Gbit/s of traffic can be handled well under real network conditions with a larger average packet size. However, with small packets such as a SYN flood, the NetScout probe only works well up to the 1 Gbit/s level.

Network General previously launched a 10GE portable analyzer, but the product was almost just for show, without enough real customer cases. BTW, Network General developed many "just for show" products, such as a Sniffer Wireless for PDA and a web performance management product in the year 2000.

A Japanese vendor called ClearSight offers a 10 Gigabit capture box which can be called the first real designed-for-10G packet analysis product. The 10G analyzer is designed to capture packets at line rate and features mainly offline analysis facilities. For forensic purposes the product may be useful; however, lacking real-time expert systems and protocol inspection features, it cannot support real traffic analysis under 10G conditions very well.

After that, Network Instruments and WildPackets tapped into the 10GE area in their own ways as well. Around 7 years ago both were software-only vendors. They began to become hardware/appliance vendors after revenue from software-only solutions stopped growing fast. Network Instruments went directly into the traffic storage market with the successful Gigastor product line, and the OEM partnership between NetQoS and Network Instruments strengthened the market share of the Gigastor products.

WildPackets focused on wireless in the beginning; the wireless analysis products brought them a good revenue stream and reputation. However, the wireless analysis market grows slowly, so WildPackets now emphasizes traffic storage and analysis solutions, with several important releases in a product line called Omnipliance.

Both Network Instruments and WildPackets have the same strength in analysis as Network General, with many decodes and expert systems, so the performance of their systems is not very good. Their products can provide a good real-time view into a 10GE environment, but they are not able to deliver as good a user experience on 10G as they have on lower-bandwidth networks.

To date there is no perfect packet analysis solution for 10G; the coming WildPackets SuperCore may be worth watching for its actual performance. However, limited by computer bus speed and analysis complexity, analysis software plus a high-end server still does not point to a great future for 10G packet analysis.

There are a few FPGA/ASIC players in this market as well. Endace, a New Zealand based company, provides 10G capture network cards to offload the computing pressure from the x86 CPU. GigaMon provides a solution based on one-to-many distribution, to share the analysis work across multiple machines. Napatech, formerly Xyratex, recently announced a 20G pattern-match card besides their famous multi-port Gigabit/10G analysis cards.

Eventually 10G analysis will become reality and common; let's wait and see how long it takes.

Jul 02

The network management and application performance management vendor PacketBone releases a new style of network analysis product.

July 1, 2008 — The network management and application performance management vendor PacketBone today releases a new product called BoneLight.

PacketBone claims the product is the start of a revolution in the network analysis area. BoneLight does not rely on a traditional standalone GUI to analyze traffic; instead, it integrates deeply into Microsoft Windows and Office to provide seamless analysis features inside the operating system.

BoneLight provides trace file conversion among libpcap/WinPcap, Cisco IDS traces, Sniffer Pro .cap, WildPackets .pkt and Observer .bfr formats. Wireshark and Endace DAG ERF are supported as well. BoneLight can convert trace files into an Excel xlsx/xls result, which provides a brand new experience for network analysis people.

BoneLight is not only a trace file tool but also brings benefits to communication and collaboration among network people troubleshooting a problem. The integrated Outlook preview handler lets people using Email and Exchange directly see and comment on traffic inside the Office software.

May 15


Last year (Sep 20, 2007), the network- and application-performance management vendor NetScout announced plans to acquire Network General for roughly $205 million.

The deal was completed in Nov 2007. The merged company has around 750 staff, with headquarters in Boston and San Jose. NetScout had no experience with an acquisition of this size in its history since its founding in 1984. This acquisition is obviously a big risk and a huge opportunity for NetScout to enlarge its competitive advantage in the network performance management market.

Network General had invested resources into mobile carrier analysis technology, including 3G protocol analysis and expert intelligence. NetScout also plans to penetrate the mobile carrier market, so this merger will create a new strong player in the telecom/mobile traffic analysis market.

NetScout indicates that the changes for major customers are mostly benefits. Existing customers may get a double-armed nGenius product with Sniffer technology built in for their future upgrades. But so far the benefits have not shown clearly, except that NetScout decided to make a multi-thousand-dollar product, Sniffer Application Intelligence, free to its existing customers.


NetScout stock (Nasdaq: NTCT) price change over the last few months, during and after the acquisition of Network General