Most network administrators have many tools at their disposal. In this video, you’ll learn about protocol analyzers, port scanners, device discovery, and speed test sites.
Every network administrator will eventually be faced with a problem that says the network is slow. In actuality, the network probably is working just fine. But it will be the responsibility of the network administrator to determine what part of the network communication is performing poorly.
And one of the ways that you can find this information is with a protocol analyzer. This will capture frames that are on a wired or wireless network and present the results of those frames in a format that a human being can understand. This capture capability may be built into the device you’re using. So the switch, the router, or the firewall may have a capture function built into the software.
Sometimes you can view the output on that device, or you may be able to output the file and view it in a protocol analyzer such as Wireshark. Wireshark can often show additional protocol decodes and additional details about the entire conversation traversing the network. And some network administrators will capture all packets to disk for later analysis. This is a big data analysis feature that allows you to store large amounts of information and quickly sift through that information to find exactly what you’re looking for.
Although this is used often in IT security, a network administrator will also find a great deal of use in the program nmap. Nmap is the Network Mapper. And it’s able to find a great deal of information about open port numbers, operating systems, and the versions of applications. You would use nmap to scan this device. And it could return information such as all of the open port numbers that may be available on that remote device.
You can also use nmap to find information about operating systems: what type of operating system is on a device, and what version of operating system is on a device. And you can do all of that without actually logging in to that device. Nmap is also able to scan services on that device. So not only are you able to tell that there’s an open port, you’re able to tell what service is running on that open port.
Nmap also has a scripting engine, so you can write your own scripts and extend the capability of this utility. Nmap performs an active scan. It sends queries to a device. And it examines the results of those queries to make decisions about what ports may be open, what operating system is on that device, and what services may be running.
If you’re not scanning a single device, you can tell nmap to scan an entire range. And it will find all of the active devices in that IP address range. This allows you to build a map not only of the IP addresses that are on the network but information about the operating system, services, and so much more. If you were trying to find rogue devices or devices that you were not expecting to find on the network, nmap is a great way to scan for those. Nmap can perform scans on the same subnet with just layer 2, which makes it very difficult for a rogue device to hide from an nmap scan.
Here are the results of an nmap scan that was done against a single device at 10.1.10.222. You can see that nmap ran and found the host was up and then found a number of different open ports on that device, including port 22, which normally would be for SSH, port 80 for HTTP, and of course port 443 for HTTPS. There are also other ports open on this device, such as 548 for the Apple Filing Protocol. And NFS is open on this device on port 2049.
If your nmap scan discovers that there are port numbers on that device that are open but you weren’t expecting those port numbers to be open, then you might need to do additional research and find out what services are running on those individual ports.
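One way to do that research systematically is to compare the open ports nmap reports against a baseline of ports you expect on each host. The script below is an added example, not part of the original video; the nmap output excerpt is constructed to match the scan described above, and the EXPECTED_PORTS baseline is an assumption you would replace with what each device is actually supposed to offer.

```python
import re

# Constructed excerpt of nmap normal output, modelled on the scan in the text.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 10.1.10.222
Host is up (0.0021s latency).
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
443/tcp  open  https
548/tcp  open  afp
2049/tcp open  nfs
"""

# Assumed baseline: the ports this host is supposed to expose (SSH and HTTPS only).
EXPECTED_PORTS = {"10.1.10.222": {22, 443}}

# Matches "Nmap scan report for 10.1.10.222" and "Nmap scan report for name (10.1.10.222)".
HOST_RE = re.compile(r"^Nmap scan report for (?:\S+ \()?([\d.]+)\)?$")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)")


def parse_open_ports(output):
    """Return {host: {port: service}} for every open port in nmap normal output."""
    hosts, current = {}, None
    for line in output.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group(1)
            hosts[current] = {}
            continue
        m = PORT_RE.match(line)
        if m and current is not None:
            hosts[current][int(m.group(1))] = m.group(3)
    return hosts


def unexpected_ports(hosts, expected):
    """Open ports that are not in the baseline; each one needs an explanation."""
    findings = {}
    for host, ports in hosts.items():
        extra = {p: s for p, s in ports.items() if p not in expected.get(host, set())}
        if extra:
            findings[host] = extra
    return findings


if __name__ == "__main__":
    for host, extra in unexpected_ports(parse_open_ports(SAMPLE_NMAP_OUTPUT), EXPECTED_PORTS).items():
        print(host, "unexpected open ports:", extra)
```

Run the same comparison against saved scans from different dates and the diff tells you when a new service appeared on a device.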
If you were to look at the front of a switch, it’s very difficult to tell what devices are plugged in, what VLANs they might be a part of, or what their IP address might be. Fortunately, there are some protocols that we can use on this network to be able to gather that information automatically. One of those protocols is a proprietary protocol from Cisco, known as CDP, or the Cisco Discovery Protocol. Although this is very specific to Cisco devices, it can provide a lot of information about the configurations of that switch without having to log in to the device itself. A more vendor-neutral version of this protocol is LLDP, or the Link Layer Discovery Protocol. And almost all switches support LLDP at a minimum so that you can start to gather information about how that device has been configured.
Here’s a protocol decode I took of a device that has both CDP and LLDP on it. This Cisco device is sending CDP packets. And you can see a breakdown of the Cisco Discovery Protocol version 2 in this protocol decode. Within this decode, we can see that CDP is telling us that we have one address on this particular interface. And it is 10.1.10.251. And the port number associated with that IP address is port Gigabit Ethernet number 2. You can also see information about the software that’s running on this device, the native VLAN on this device, and how individual interfaces may be configured at the hardware level.
LLDP shows similar information. This is the protocol decode for the Link Layer Discovery Protocol. You can see MAC address information for the interface. It is indeed Gigabit Ethernet interface number 2. This is a switch named Studio-300-28. And you can see that there is a VLAN ID associated with this interface. It’s running on VLAN 10.
Using both CDP and LLDP can tell you a lot about a switch without having to log in. And many third-party applications and devices can use these protocols to present this information in a consolidated form.
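To show what a protocol analyzer is actually decoding in the LLDP capture above, here is an added example (not code from the video) that builds a small LLDPDU and parses its TLVs. The chassis MAC address is a constructed placeholder; the system name, port and VLAN values mirror the decode described in the text, and the 120-second TTL is an assumption.

```python
import struct

IEEE_8021_OUI = bytes.fromhex("0080c2")  # IEEE 802.1 OUI used by the Port VLAN ID TLV


def tlv(tlv_type, value):
    """Encode one LLDP TLV: 7-bit type and 9-bit length in one big-endian short, then the value."""
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def build_sample_lldpdu():
    """Constructed LLDPDU resembling the decode in the text (not a real capture)."""
    return b"".join([
        tlv(1, b"\x04" + bytes.fromhex("001122334455")),            # Chassis ID, subtype 4 = MAC (placeholder)
        tlv(2, b"\x05GigabitEthernet2"),                             # Port ID, subtype 5 = interface name
        tlv(3, struct.pack("!H", 120)),                              # TTL in seconds (assumed)
        tlv(5, b"Studio-300-28"),                                    # System Name
        tlv(127, IEEE_8021_OUI + b"\x01" + struct.pack("!H", 10)),  # Org-specific: Port VLAN ID = 10
        tlv(0, b""),                                                 # End of LLDPDU
    ])


def parse_lldpdu(data):
    """Walk the TLV list and return the fields an administrator looks for in the decode."""
    info, offset = {}, 0
    while offset + 2 <= len(data):
        (header,) = struct.unpack_from("!H", data, offset)
        tlv_type, length = header >> 9, header & 0x1FF
        value = data[offset + 2:offset + 2 + length]
        offset += 2 + length
        if tlv_type == 0 or len(value) != length:   # end marker, or frame truncated mid-TLV
            break
        if tlv_type == 1 and len(value) > 1 and value[0] == 4:
            info["chassis_mac"] = ":".join(f"{b:02x}" for b in value[1:])
        elif tlv_type == 2 and len(value) > 1 and value[0] == 5:
            info["port_id"] = value[1:].decode(errors="replace")
        elif tlv_type == 3 and length == 2:
            info["ttl"] = struct.unpack("!H", value)[0]
        elif tlv_type == 5:
            info["system_name"] = value.decode(errors="replace")
        elif tlv_type == 127 and length >= 6 and value[:3] == IEEE_8021_OUI and value[3] == 1:
            info["port_vlan_id"] = struct.unpack("!H", value[4:6])[0]
    return info


if __name__ == "__main__":
    print(parse_lldpdu(build_sample_lldpdu()))
```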
When you’re connecting to the internet, it’s often useful to know how much bandwidth is available on that particular link. And one way that you can test this is to send a lot of information over the link and measure how long it took to send that information, both in a download and an upload form. We can do that by using a number of free speed test sites. This can be very useful to perform prior to making a change and then after making a change to the network, so that you can tell if there’s any difference in speeds between the pre- and post-configuration update.
It might also be useful to measure this information at different times of the day. You will probably have more bandwidth available during the off hours than you might have during the middle of a workday. And although there are many different speed test sites, they are certainly not the same. Some are located farther away and therefore may give you a different value than a speed test site that might be located closer to you.
Some speed test sites may also be constrained by bandwidth and therefore may not be able to provide you with the most accurate statistics. Often, some of the most accurate speed test sites are going to be those that are provided by your local ISP. So if you’re running on an Xfinity network, you might want to use the Xfinity Speed Test site. If you’re on an AT&T network, you might want to use AT&T’s speed test. That way you’re getting the most accurate representation of the speeds available on your local network.
If you’d rather use some third-party speed test sites, there are a number available on the internet. Fast.com and SpeedOf.Me are very good choices, along with speedtest.net and testmy.net.