Using Ethereal for Network Troubleshooting




Every network administrator will eventually have the unpleasant experience of being paged to solve a network problem. This can bring on a surge of emotions: panic, urgency, and maybe even a sense of heroism. The key to troubleshooting a problem successfully is knowing how your network functions under normal conditions, so that you can quickly recognize unusual and abnormal behavior. One way to learn how your network normally functions is to use your sniffer at various points in the network. This gives you a sense of the protocols that are running on your network, the devices on each segment, and the top talkers (the computers that send and receive data most frequently). You may even find some things on your network that you didn't know about, such as an old print server that no one uses any more and that is flooding the network with broadcasts.
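The baseline described above (protocol mix, top talkers, and a host that floods the segment with broadcasts) can be computed from a capture file rather than read off the screen. The following is an added example, not code from the book or from the Ethereal project: it builds a small pcap file out of constructed Ethernet/IPv4 frames, parses the classic pcap record format directly, and compares the observed traffic against an assumed baseline protocol mix. The IP addresses, MAC addresses, and the `BASELINE` percentages are made up for the illustration; the 2x-of-baseline and 20% broadcast thresholds are arbitrary starting points you would tune to your own network.

```python
import socket
import struct
from collections import Counter

# Constructed sample traffic (not a real capture): an old print server at
# 10.0.0.99 flooding broadcasts, plus ordinary unicast TCP/UDP traffic.
BROADCAST_MAC = "ffffffffffff"
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def build_frame(src_mac, dst_mac, src_ip, dst_ip, proto, payload_len):
    """Ethernet II + minimal IPv4 header + zero payload (checksum left as 0)."""
    eth = bytes.fromhex(dst_mac) + bytes.fromhex(src_mac) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                     proto, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + b"\x00" * payload_len


def build_pcap(frames):
    """Little-endian classic pcap: 24-byte global header, then one record per frame."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame
    return out


def iter_frames(pcap):
    """Yield each captured frame from a classic pcap file, honouring its byte order."""
    magic = struct.unpack_from("<I", pcap, 0)[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    offset = 24
    while offset + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack_from(endian + "IIII", pcap, offset)
        offset += 16
        yield pcap[offset:offset + incl_len]
        offset += incl_len


def summarize(pcap):
    """Return (protocol counts, bytes sent per source IP, broadcast frames per source IP)."""
    protos, talkers, bcast = Counter(), Counter(), Counter()
    for frame in iter_frames(pcap):
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            protos["non-IPv4"] += 1
            continue
        proto = frame[23]                      # IPv4 protocol field (offset 14 + 9)
        src_ip = socket.inet_ntoa(frame[26:30])  # IPv4 source address (offset 14 + 12)
        protos[PROTO_NAMES.get(proto, str(proto))] += 1
        talkers[src_ip] += len(frame)
        if frame[0:6] == b"\xff" * 6:          # destination MAC is the broadcast address
            bcast[src_ip] += 1
    return protos, talkers, bcast


def flag_anomalies(protos, bcast, baseline, max_bcast_share=0.2):
    """Report protocols far above their baseline share and hosts hogging broadcasts."""
    total = sum(protos.values())
    findings = []
    for name, expected in baseline.items():
        observed = protos.get(name, 0) / total if total else 0.0
        if observed > 2 * expected:
            findings.append(f"{name} share {observed:.0%} vs baseline {expected:.0%}")
    for host, n in bcast.items():
        if total and n / total > max_bcast_share:
            findings.append(f"{host} sent {n}/{total} frames as broadcast")
    return findings


# Assumed "normal" protocol mix for this segment (illustrative numbers only).
BASELINE = {"TCP": 0.70, "UDP": 0.25, "ICMP": 0.05}

SAMPLE_PCAP = build_pcap(
    [build_frame("001122334455", "66778899aabb", "10.0.0.5", "10.0.0.20", 6, 100)] * 30
    + [build_frame("66778899aabb", "001122334455", "10.0.0.20", "10.0.0.5", 17, 60)] * 10
    + [build_frame("0000aabbccdd", BROADCAST_MAC, "10.0.0.99", "10.0.0.255", 17, 40)] * 40
)

if __name__ == "__main__":
    protos, talkers, bcast = summarize(SAMPLE_PCAP)
    print("protocol mix:", dict(protos))
    print("top talkers (bytes):", talkers.most_common(3))
    for finding in flag_anomalies(protos, bcast, BASELINE):
        print("ANOMALY:", finding)
```

Against the constructed sample the script reports that UDP is well above its baseline share and that 10.0.0.99 is the source of half the frames on the segment, all broadcast, which is exactly the kind of forgotten print server the text warns about. On a real capture you would save the baseline counts from a quiet period and rerun the comparison when a problem is reported.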

Once you have an idea of how your network functions, you can develop a strategy for network troubleshooting. This lets you approach a problem methodically and resolve it with minimum disruption to customers. A few minutes spent evaluating the symptoms can save hours lost tracking down the wrong problem. A good approach to network troubleshooting involves the following seven steps:

  1. Recognize the symptoms

  2. Define the problem

  3. Analyze the problem

  4. Isolate the problem

  5. Identify and test the cause of the problem

  6. Solve the problem

  7. Verify that the problem has been solved

The first step to network troubleshooting is to recognize the symptoms. Besides the annoying beep of your pager, you might also learn about a network problem from another user, network management station alerts, or you may be having trouble accessing the network yourself. The problem could be performance issues, connectivity issues, or other strange behavior. Compare this behavior to normal network operation. Was a change made to the network, or to a server right before the problem started? Did an automatic process, such as a scheduled backup, just begin? Is there a prescheduled maintenance window for this time period? Once you have answered these questions and spoken to the helpdesk or other users, the next step is to write down a clear definition of the problem.

Once the symptoms have been identified and the problem has been defined, the next step is to analyze the problem. You will need to gather data for analysis and narrow down the location of the problem. Is it at the core of the network, a single building, or a remote office? Is the problem related to an entire network segment, or a single computer? Can the problem be duplicated elsewhere on the network? You may need to test various parts of your network to narrow down the problem. You may be using your network analyzer a lot at this step; this is when having it installed on a laptop makes things easier.

Now that you have analyzed the problem and narrowed down where it is occurring, you can move on to the next step of isolating the problem. There are many ways to do this. You may need to disconnect the computer that is causing the problem, reboot a server, activate a firewall rule to stop suspected abnormal traffic, or fail over to a backup Internet connection.

The next step in network troubleshooting is to identify and test the cause of the problem. Now that you have a theory about the cause, you will need to test it. Your network analyzer can come in handy here to see what is going on behind the scenes. At this point you may also be researching the problem on the Internet, contacting hardware or software vendors, or contacting your ISP. You may also want to check with www.cert.org or www.incidents.org that this is not some widespread issue.

Once you have determined a resolution to the problem, you will need to implement it. This could involve upgrading hardware or software, implementing a new firewall rule, reinstalling a compromised system, replacing failed hardware, or redesigning the segments of your network.

The last step to network troubleshooting is to verify that the problem has been resolved. You will also want to make sure that the fix for this problem did not create any new problems, or that the problem you solved is not indicative of a deeper underlying problem. Part of this step of the process includes documenting the steps you took to resolve the problem. This will assist in future troubleshooting efforts. If you find that you have not solved the problem you will need to repeat the process again from the beginning. The flowchart in Figure 2.8 depicts the network troubleshooting process:

Figure 2.8: Network Troubleshooting Methodology

Note 

To be a successful network troubleshooter, you need a strong understanding of network protocols. Understanding different protocols and their characteristics will help you recognize abnormal behavior when it occurs in your network.

Note 

The Ethereal website maintains a spam report at www.ethereal.com/spamreport.html. The spam prevention effort uses a common gateway interface (CGI) application called Sugarplum that generates poisoned HTML pages for anyone who tries to harvest e-mail addresses from the site. The spam report lists the e-mail address and the IP address of the harvester. You can use this information to match against spam attempts in your mail logs. The website maintainers also obfuscate the e-mail addresses they publish so that they can't be automatically harvested, for example "author[AT]ethereal.com".






Ethereal Packet Sniffing (Syngress)
ISBN: 1932266828
Year: 2004