LinuxDevCenter.com

Linux in the Enterprise

Linux Tools For Network Analysis

by David HM Spector
03/03/2000

Parts of this article:

• Intro to network analysis and Ethereal

• Netwatch, and cautionary words on testing systems.

In the first article in this series, I talked about how to make the case for Linux in your company's portfolio of computing technologies. A logical next step would be to find a nice, self-contained application where we can use Linux to make a good impression. A good candidate would be a place where Linux could show its value without a lot of support issues. In fact, the best place would be where we could use Linux to solve some support issues. For this discussion, we'll examine using Linux as a network diagnostic tool.

Network problems

Networks are funny places where all sorts of things happen in a matter of microseconds. Domain Name System (DNS) lookups are answered, and data blocks traverse the network as part of file-sharing protocols (such as SMB and NFS) while packets make their way from the Internet to your web browser. At any moment, a network printer could go haywire and start broadcasting an endless stream of address resolution requests, or an NFS client could send mangled data to its server, wreaking havoc on your work.

If you've done any systems administration work, you have probably seen these problems and dozens of others. Debugging them requires experience, as well as the right tools to diagnose what has gone wrong and to help determine what to do about it.

Network analysis

One of the most valuable tools in diagnosing a network problem, besides the manuals that come with all of your networking gear, is a network protocol analyzer. A network protocol analyzer listens to the network, then displays the data in a way that lets you watch things such as

  • interactions of clients and servers,
  • broadcasts,
  • packet storms, and
  • routing updates.

Commercial network analysis software packages can cost more than $1,000 for the software alone. Add a dedicated top-of-the-line laptop and a high-speed network controller, and the cost can easily exceed $5,000.

Fortunately, there are open source, Linux-based solutions that can give you all of the benefits of a commercial product (along with the ability to extend the software) at a fraction of the price.

Two packages that make network diagnostics and troubleshooting easier are Ethereal and Netwatch.

  • Ethereal is a "network sniffer" package that allows you to look at all of the traffic on a network.
  • Netwatch monitors traffic flow between clients and servers (such as between a web browser and a web server) and determines what ports are being used in those communications.

Ethereal

Ethereal, as shown in Figure 1, is a GUI-based program that displays packet traffic on a network. In this figure, Ethereal displays several packets on my home network, including DNS lookup packets, NFS transactions, and e-mail being delivered via the POP3 protocol. The packet highlighted in this example is a WHO packet that is part of a protocol that reports on machine uptimes, and records who is logged in to which machine.

Figure 1. Ethereal displays packet traffic on a network.

In this example, the middle panel of Ethereal shows the decomposition of the WHO packet that contains sub-fields which describe who is logged into the machine that broadcast the packet along with other relevant machine info such as load averages and uptimes.

The bottom panel of Ethereal shows the actual packet data as a hexadecimal dump of bytes.
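To make concrete what that middle pane is doing with the highlighted WHO packet, here is an added example (not from the article or from the Ethereal project) that dissects an rwhod broadcast into the same sub-fields: hostname, load averages, boot time and the list of logged-in users. The field layout is assumed from the traditional BSD struct whod, and the sample packet is constructed inline rather than captured.

```python
import struct

# Layout of the rwhod broadcast (struct whod, <protocols/rwhod.h>), assumed from
# the traditional BSD definition. All integers are 32-bit big-endian; rwhod sends
# load averages multiplied by 100, and the header is followed by whoent records.
WHOD_HEADER = struct.Struct("!bb2xii32s3ii")  # vers, type, pad, sendtime, recvtime, hostname, loadav[3], boottime
WHOENT = struct.Struct("!8s8sii")             # out_line, out_name, out_time, we_idle

def _cstr(raw):
    """Decode a NUL-padded fixed-width C string field."""
    return raw.split(b"\x00", 1)[0].decode("ascii", "replace")

def parse_whod(payload):
    """Dissect one rwhod UDP payload the way Ethereal's middle pane breaks it down."""
    if len(payload) < WHOD_HEADER.size:
        raise ValueError("payload shorter than the whod header")
    vers, typ, sendtime, recvtime, host, l1, l5, l15, boottime = WHOD_HEADER.unpack_from(payload)
    entries = []
    off = WHOD_HEADER.size
    # Each trailing 24-byte record is one logged-in user; a partial record is ignored.
    while off + WHOENT.size <= len(payload):
        line, name, otime, idle = WHOENT.unpack_from(payload, off)
        entries.append({"line": _cstr(line), "user": _cstr(name), "login_time": otime, "idle_s": idle})
        off += WHOENT.size
    return {
        "version": vers, "type": typ,
        "hostname": _cstr(host),
        "sendtime": sendtime, "recvtime": recvtime,
        "loadavg": (l1 / 100, l5 / 100, l15 / 100),
        "boottime": boottime,
        "uptime_s": sendtime - boottime,
        "who": entries,
    }

def build_whod(hostname, loadavg, boottime, sendtime, who):
    """Build a constructed sample packet (vers 1, type 1 = status) for the demo."""
    hdr = WHOD_HEADER.pack(1, 1, sendtime, 0, hostname.encode(),
                           *[int(round(x * 100)) for x in loadavg], boottime)
    body = b"".join(WHOENT.pack(l.encode(), u.encode(), t, i) for l, u, t, i in who)
    return hdr + body

# Constructed sample: one host, two users, up for exactly one day.
SAMPLE = build_whod("homebox", (0.42, 0.31, 0.25), 950000000, 950086400,
                    [("tty1", "dave", 950050000, 120), ("pts/0", "alice", 950080000, 0)])

if __name__ == "__main__":
    for field, value in parse_whod(SAMPLE).items():
        print(f"{field}: {value}")
```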

Taken as a whole, Ethereal is a complete network traffic analysis tool. A short list of features includes:

  • A session tracer that shows network sessions as collections of transactions, rather than just as network packets
  • A text-mode tool that uses the Ethereal packet engine and can be run either from an X terminal or in a shell window with no windowing support
  • Colorization modes for the packet displays
  • The ability to read dump files from other (commercial) network analyzer packages

Next, we'll look at the network monitoring tool, Netwatch, and consider some of the prickly legal issues involved with monitoring and testing the systems of your company.
