Great tool for testing QoS implementation

After my last post, some readers asked which tool I used for testing QoS and how satisfied I am with it.

The name of the tool is Packgen. According to its developers, “Packgen is a simple network packet generator handling diffserv markers, useful for testing network bandwidth and QoS.” It supports features like:
– Network packet flows generation with given bandwidth (packets sent at each time interval depending on the bandwidth to produce and the size of the packets to generate);
– UDP and TCP flows;
– DSCP marking;
– Log generation which gives the possibility to compute statistics on the flows (to come later).

The main difference between IPerf (which is also a great testing tool, especially for bandwidth, jitter and packet loss tests) and Packgen is that the latter supports diffserv marking natively. Of course you can achieve the same results with IPerf by adding an ACL and inbound marking of the packets matched in the access-list, but with Packgen this is straightforward.

I had a little issue when downloading this tool, as the first result in Google directed me to a page with no download link: http://packgen.rubyforge.org. It contains all the needed information about features, installation and usage (actually one of the best READMEs I have ever seen for such a tool), but no hint about where to download the package. After a little searching I found that you can download it from this official link.

To install this tool, you need Ruby on your system; then just run the following from inside the unpacked Packgen folder:

ruby ./setup.rb

Now some words about how to use it. From my post about AutoQoS, you can see that you need at least one client and one server. These two devices use different files with Packgen (don't worry, the files come in the source package, and if not, they are very easy to create).
First the server file, called listen.yml (if you create it yourself, you can give it whatever name you want), looks like this:

LISTEN:
  udp:
    ports: !ruby/range 17000..17002
  tcp:
    ports: !ruby/range 5002..5004

As you can see, there are two sections defined, for UDP and TCP traffic. With “!ruby/range” you define a range of ports on which the server will listen; you can also simply use a single integer port number.

Then on the client side there is a file called sent.yml:

SEND:
  udp:
    - name: Voice
      host: 10.10.10.100:17000
      bandwidth: 700Kb
      packet_size: 252B
      dscp: ef
      from..to: !ruby/range 0.0..60.0
    - name: Video
      host: 10.10.10.100:5002
      bandwidth: 2.8Mb
      packet_size: 750B
      dscp: cs4
      from..to: !ruby/range 10.0..60.0
  tcp:
    - name: Best Effort
      host: 10.10.10.100:5002
      bandwidth: 3.2Mb
      packet_size: 1KB
      from..to: !ruby/range 20.0..60.0
    - name: Background
      host: 10.10.10.100:5002
      bandwidth: 3.2Mb
      packet_size: 1KB
      dscp: cs1
      from..to: !ruby/range 30.0..60.0

Here it's a little bit more complex, but still human readable. This file also has two sections, for UDP and TCP traffic, with the following parameters being defined:

– name: a label for the flow (it says everything)
– host: ServerIP:port
– bandwidth: bandwidth to simulate
– packet_size: packet size in B or KB
– dscp: DSCP value the packets are marked with
– from..to: !ruby/range start..end, the time interval during which the flow is sent

After everything is defined, you just have to run Packgen to test.
On the server side first:

packgen -i listen.yml

Then on the client side:

packgen -i sent.yml

Optionally you can add the -l file option, which logs the traffic sent:

1258663872.6248 SEND dest=10.10.10.100:16385
1258663882.62591 SEND dest=10.10.10.100:5001
1258663895.65219 SEND dest=10.10.10.100:5002
1258663905.66876 SEND dest=10.10.10.100:5003
1258663933.72797 STOP dest=10.10.10.100:16385

or received:

1258663869.80496 LISTEN port=16384 proto=udp
1258663869.81079 LISTEN port=16385 proto=udp
1258663869.81441 LISTEN port=5002 proto=tcp
1258663869.81506 LISTEN port=5003 proto=tcp
1258663872.5886 RECV sent_at=1258663872.64102 flow=0 size=252 id=6
1258663872.58893 RECV sent_at=1258663872.64613 flow=0 size=252 id=7
1258663872.58903 RECV sent_at=1258663872.64719 flow=0 size=252 id=8
1258663872.58915 RECV sent_at=1258663872.65052 flow=0 size=252 id=9
1258663872.58924 RECV sent_at=1258663872.6742 flow=0 size=252 id=10

The configuration files and log excerpts are from my AutoQoS test. If you have any issues using it, please contact me, or just check the documentation on the developers' site in detail.
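The developers mention that the log makes it possible to compute statistics on the flows. As an added example (my own code, not part of Packgen), the script below computes per-flow loss, inter-arrival time and jitter from a receiver log in the format shown above; the log lines are constructed, with id 8 of flow 0 deliberately missing, and only the field names visible in the excerpt are assumed.

```python
"""Per-flow statistics from a Packgen receiver log (the file written with -l on
the listening side).  Added example, not part of Packgen; LOG is constructed in
the line format shown in the post, with id 8 of flow 0 deliberately missing."""
import re
from statistics import mean

LOG = """\
1258663869.80496 LISTEN port=17000 proto=udp
1258663869.81441 LISTEN port=5002 proto=tcp
1258663872.58860 RECV sent_at=1258663872.64102 flow=0 size=252 id=6
1258663872.58893 RECV sent_at=1258663872.64613 flow=0 size=252 id=7
1258663872.58915 RECV sent_at=1258663872.65052 flow=0 size=252 id=9
1258663872.58924 RECV sent_at=1258663872.67420 flow=0 size=252 id=10
1258663872.59102 RECV sent_at=1258663872.65210 flow=1 size=750 id=0
1258663872.59330 RECV sent_at=1258663872.65440 flow=1 size=750 id=1
"""

RECV_RE = re.compile(r"^(?P<ts>\d+\.\d+) RECV sent_at=(?P<sent>\d+\.\d+) "
                     r"flow=(?P<flow>\d+) size=(?P<size>\d+) id=(?P<id>\d+)$")

def parse_log(text):
    """Group RECV records by flow; LISTEN/STOP lines carry no packet data."""
    flows = {}
    for line in text.splitlines():
        m = RECV_RE.match(line.strip())
        if m is None:
            continue
        rec = {k: (float(v) if k in ("ts", "sent") else int(v))
               for k, v in m.groupdict().items()}
        flows.setdefault(rec["flow"], []).append(rec)
    return flows

def flow_stats(records):
    by_id = sorted(records, key=lambda r: r["id"])
    ids = [r["id"] for r in by_id]
    # Loss is judged from gaps in the id sequence; packets lost after the
    # highest id seen cannot be detected this way.
    expected = ids[-1] - ids[0] + 1
    lost = sorted(set(range(ids[0], ids[-1] + 1)) - set(ids))
    by_arrival = sorted(records, key=lambda r: r["ts"])
    gaps = [b["ts"] - a["ts"] for a, b in zip(by_arrival, by_arrival[1:])]
    # Transit time = receive stamp - sent_at.  Its absolute value only means
    # something when both hosts have synchronised clocks (in the post's excerpt
    # sent_at is later than the receive time, so they were not), but its change
    # between consecutive packets cancels any constant offset: that difference is
    # what RFC 3550 bases its jitter estimate on (averaged here, not smoothed).
    transit = [r["ts"] - r["sent"] for r in by_arrival]
    variation = [abs(b - a) for a, b in zip(transit, transit[1:])]
    return {
        "received": len(records),
        "bytes": sum(r["size"] for r in records),
        "lost_ids": lost,
        "loss_pct": round(100.0 * len(lost) / expected, 2),
        "mean_interarrival_ms": round(mean(gaps) * 1000, 3) if gaps else 0.0,
        "jitter_ms": round(mean(variation) * 1000, 3) if variation else 0.0,
        "clocks_unsynced": any(t < 0 for t in transit),
    }

def analyse(text):
    """Flow number -> statistics dict, for every flow seen in the log."""
    return {flow: flow_stats(recs) for flow, recs in sorted(parse_log(text).items())}

if __name__ == "__main__":
    for flow, stats in analyse(LOG).items():
        print("flow %d: %s" % (flow, stats))
```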

Draw network diagrams with Visio under Mac or Linux

Maybe one of my biggest losses when I switched from PC to Mac was that Microsoft Visio is not available for any platform other than Windows. Now, I'm not a big fan of Microsoft products, but I have to admit that they have some good ones, and one of them is Visio. Like it or not, more than 75% of the network diagrams that I get are in VSD format, which we all know (or should know) is a closed proprietary format that, until now, cannot be imported into any other product.

I have no problem drawing new diagrams in NeoOffice (as an example), but what should I do with the ones that I receive and have to modify? Before I settled on the solution below, I tried others like ConceptDraw or OmniGraffle, which are also good products and promise that they can import a format called VDX, into which Visio can export diagrams. I don't know if it was only me, but most VDX files exported from Visio did not look so nice when opened in another product: lines were not aligned, some objects were moved, and so on. The final drawing looked nice, but not as expected and not ready to work on. And then again, I cannot call or e-mail everybody who sends me a Visio diagram and say “well, you see, can't you just export it to VDX…” so that I can check it. It's not professional and it's a headache. On the other hand I really like my Mac, so I racked my brains to find a solution.

The easiest one is to have, on a Mac or Linux, a dual boot or a virtual Windows OS with Visio installed on it. Call me a freak, but I didn't invest in a Mac to have Windows running on it. I'm not even saying anything about Linux, which is open source and sees Windows as its worst nightmare.

I decided to use something called Application Virtualization, which delivers to your screen only the user interface of the software that you open. The solution is not new and I'm not the “genius” who thought of it, but it's the one that fits me best, as I can open any software (in our case Visio) over any network (including the Internet) and, compared with remote desktop solutions, it proved to be faster. What do you need for this to work properly?

First, you need a Windows Server OS available somewhere online, if you plan to have access to these applications when you are on the move. There are multiple solutions. You can host one yourself at home if you have a 24/7 running machine (you can run it even on a virtual machine), maybe you have access to one at your company, or maybe you can afford a VPS. As you don't need so much power, take the cheapest VPS with Windows Server (I saw some starting at 18$ / month). OK, these are some ideas; the important thing is to have one available.

Next, you need this Windows Server to have IIS and Terminal Services enabled, as this is mandatory for the next step.

This step was the hard part. I needed some Application Virtualization software capable of streaming applications to any environment (Mac, Linux, Windows) at an affordable price or, unexpectedly, free. I found some out there on the Internet, but most were able to stream virtual applications only to Windows platforms, or they were doing something other than Application Virtualization. One product that immediately appeared was XenApp from Citrix. I used this in the past, and I know that it is a reliable, good product. But you can get it only as a 30-day trial, and it was quite hard for me to achieve a working installation. Well, I'm not an expert in Citrix applications, so I assume that this is my fault; otherwise a great product, but not for me.

I kept searching and I found the 2X products webpage.

When I saw “Free download” there, I immediately thought of a free trial download. I was right: the download of the product comes with a 30-day trial. But then, digging a little bit deeper, I saw that after these 30 days you can still use the product free of charge; the only limitation is that you have to stick to 3 concurrent connections and one server (so you cannot use the LoadBalancer feature). I don't care about the LoadBalancer as I only have one server, and anyhow I'm the only person using it. The 3 concurrent connections are enough for 1-2 users with decent usage. I think it is fair that if you use this in your production environment and want more support and resources, you pay for them.

I registered, got the free license immediately and started the installation on a VPS with Windows 2003 Server. The installation was quite easy, and so was the configuration, thanks to the existing documentation on their site. Just read and follow the instructions and you will end up with working software.

After the installation is finished, all you have to do is to provision the software that you want to be able to access over the network, directly on your screen. Also, if you want a fully virtualized desktop, 2X can provide this.

Since a short screencast can show more than 1000 words, please have a look below, where I try to show you the major benefits of this software and how you can manage it to obtain the desired result:


I know that this is not the easiest way to do it, and maybe some of you just prefer to use a virtual machine or dual boot, but as I said this fits me best, and maybe you can use the same solution to solve your problems with other Windows-based software, not only Visio. Regarding Visio, the best would be for Microsoft to open the VSD format or release a Mac version. For Linux, I don't think that they even consider such a possibility.

Routing + QoS + Security all free for you and your small business

OK, you caught me, as this is not about Cisco, but it is related to networking and security, so I believe it fits the idea of this blog. What am I talking about here?! Well, let's assume that you are the IT guy of a small business, or even of your home network, and like all of us, you want what's best for your network. With today's key words (even I don't understand why) like savings, cost reduction and zero budget for new deployments, no manager will approve new hardware to be bought. And to be fair, why would you want to buy an expensive Cisco 6500 if you have 50 PCs in your network and some servers? Cisco and other brands in the same line are good, actually very good, and worth spending money on, but only if they are really required. Continuing on this idea, somebody asked me to find a solution for his small to medium business, as he has a small user network and some servers. Of course he wanted all the possible features and security, but without investing too much, or if possible nothing. To keep everything within these limits, I had the idea to use a Linux box with 3 NICs and a bunch of software for achieving the other features like QoS, routing and so on. But I found something better to manage and to maintain over time.

The product is called Untangle and I found it to be perfect for my solution, and maybe for yours if you want to give it a try. Among the other good features that it has integrated, you will see that this is a FREE product. Of course nothing is just black and white, and if you want some features you have to pay for them. Anyway, I managed to do everything without paying anything. Untangle can be installed on a dedicated machine or as an application in Windows. Installing on Windows is… how can I say… useless, at least from my point of view. I mean, who puts the trust of his network gateway in a Windows machine?! As a dedicated machine, it is one of the best solutions that I have tested.

As explained in the Untangle documentation, this solution can be installed on any regular Intel / AMD machine with a decent configuration. If you want to keep this solution for a longer time, along with its logs, I would recommend something dual core with 2 GB of memory and at least 80GB of hard-disk capacity. The minimum requirements from the developers would be an 800Mhz processor with 512KB of memory and a 20GB hard-drive, if you plan to run this for a network with fewer than 50 stations. The process is very simple: you download an image, burn it on a disc and then install it. If you have ever installed another OS, you will handle this for sure.

The new device can be deployed as a router or as a transparent bridge. On my private installation I deployed it as a router, as I wanted it to be the main gateway and to separate the LAN from the DMZ area. After you configure the basic stuff, you may want to choose which services you will use on this machine. Everything is modular. You have a virtual rack into which you insert free or paid applications. Maybe you are wondering which are the free applications. Here is the list: Web Filter, Virus Blocker, Spam Blocker, Ad Blocker, Attack Blocker, Phish Blocker, Spyware Blocker, Firewall, Routing & QoS, Intrusion Prevention, Protocol Control, OpenVPN, Reports. This covers most of my basic needs for a small network. If you want advanced features like WAN Load Balancer, WAN Failover or Remote Access Portal, then you have to buy these applications. Of course I would have preferred to have these for free as well, but as I said in other articles, nothing is 100% free in this world.

Every module is then configured in a graphical interface with easy to understand and follow menus. You can choose what to activate, what traffic is to be inspected, what packets are subject to QoS and many more. One thing before you proceed to test this: by routing, please don't understand Dynamic Routing Protocols or other advanced features. Like I said before, this solution is for small to medium sites which do not have to support a complex routing environment. However, it does support basic routing and it can be installed as a router. Regarding the support you get for this product, there is a good forum and also a Wiki page.

Below I prepared a small gallery with screenshots from Untangle. The screenshots are copyrighted to Untangle.com and can be found on their site together with some nice video presentations of the product.

Please be aware that this site is not affiliated in any way with Untangle.com. The opinions presented here represent my own experience with the Untangle product.


Wireshark’s most useful display filters

Now and then, especially when you expect it least, the network crashes or encounters an issue and then you have to troubleshoot. Sometimes the problem is right there, you can see it and it's easy to fix, but in other cases you'll have to keep an eye on the packets that are traveling through it and search deeper for the solution. When it comes to network sniffing or packet capturing, or whatever you want to call it, I believe that the name Wireshark (formerly Ethereal) rings a bell.

Wireshark is one of the world's foremost network protocol analyzers, and is the de facto standard across many industries and educational institutions. Wireshark development thrives thanks to the contributions of networking experts across the globe. It is the continuation of a project that started in 1998. Some features of Wireshark:
– Deep inspection of hundreds of protocols, with more being added all the time
– Live capture and offline analysis
– Multi-platform: Runs on Windows, Linux, OS X, Solaris, FreeBSD, NetBSD, and many others
– Captured network data can be browsed via a GUI, or via the TTY-mode TShark utility
– Read/write many different capture file formats: tcpdump (libpcap), Pcap NG, Catapult DCT2000, Cisco Secure IDS iplog, Microsoft Network Monitor, Network General Sniffer® (compressed and uncompressed), Sniffer® Pro, and NetXray®, Network Instruments Observer, NetScreen snoop, Novell LANalyzer, RADCOM WAN/LAN Analyzer, Shomiti/Finisar Surveyor, Tektronix K12xx, Visual Networks Visual UpTime, WildPackets EtherPeek/TokenPeek/AiroPeek, and many others
– Capture files compressed with gzip can be decompressed on the fly
– Live data can be read from Ethernet, IEEE 802.11, PPP/HDLC, ATM, Bluetooth, USB, Token Ring, Frame Relay, FDDI, and others (depending on your platform)
– Decryption support for many protocols, including IPsec, ISAKMP, Kerberos, SNMPv3, SSL/TLS, WEP, and WPA/WPA2

Wireshark is extremely useful when it comes to network troubleshooting, as it captures the packets and you can have a detailed look into them, checking if everything is OK in parameters, messages, format and so on. The problem is that if you capture the packets traveling through a backbone router, you will end up with a huge file (yes, even up to 1G if you capture long enough) and a lot of packet details in it. From these tons of information, maybe you are interested in only a minor part, like BGP traffic or a certain IP source and destination. Here is where Wireshark filters come into play.

There are two types of Wireshark filters:

– DISPLAY FILTERS – after you capture a lot of information, they help you to visualize only the packets that you are interested in
– CAPTURE FILTERS – from the beginning you know what is of interest to you and capture only those packets

I would recommend using capture filters when you know what you are looking for and you run the capture for more than a couple of hours in a heavy traffic environment. This will help you stay within a reasonable amount of captured information and file size.
If you run the packet capture for less time, like one or two hours, and you are not very sure what you are looking for, then I recommend capturing all the traffic and then using display filters to visualize only the information that you are searching for.

For today I put together a list of the most useful Wireshark display filters. I compiled this list based on my personal experience and on my friends' and colleagues' advice. If you think that something is missing, or you are using a display filter that might be useful for others, please feel free to add it in a comment to this topic and I will update the list. In one of the future posts I will show you how to capture the traffic and apply some of these filters.

DISPLAY FILTER            EXPLANATION                          EXAMPLE
--------------------------------------------------------------------------------------------
eth.addr                  source or destination MAC address    eth.addr == 00:1a:6b:ce:fc:bb
eth.src                   source MAC address                   eth.src == 00:1a:6b:ce:fc:bb
eth.dst                   destination MAC address              eth.dst == 00:1a:6b:ce:fc:bb
arp.dst.hw_mac            target MAC address                   arp.dst.hw_mac == 00:1a:6b:ce:fc:bb
arp.dst.proto_ipv4        target IPv4 address                  arp.dst.proto_ipv4 == 10.10.10.10
arp.src.hw_mac            sender MAC address                   arp.src.hw_mac == 00:1a:6b:ce:fc:bb
arp.src.proto_ipv4        sender IPv4 address                  arp.src.proto_ipv4 == 10.10.10.10
vlan.id                   VLAN ID                              vlan.id == 16
ip.addr                   source or destination IPv4 address   ip.addr == 10.10.10.10
ip.dst                    destination IPv4 address             ip.dst == 10.10.10.10
ip.src                    source IPv4 address                  ip.src == 10.10.10.10
ip.proto                  IP protocol number (decimal)         ip.proto == 1
ipv6.addr                 source or destination IPv6 address   ipv6.addr == 2001::5
ipv6.src                  source IPv6 address                  ipv6.src == 2001::5
ipv6.dst                  destination IPv6 address             ipv6.dst == 2001::5
tcp.port                  source or destination TCP port       tcp.port == 20
tcp.dstport               destination TCP port                 tcp.dstport == 80
tcp.srcport               source TCP port                      tcp.srcport == 60234
udp.port                  source or destination UDP port       udp.port == 513
udp.dstport               destination UDP port                 udp.dstport == 513
udp.srcport               source UDP port                      udp.srcport == 40000
fr.dlci                   Frame Relay DLCI number              fr.dlci == 112
icmp.type                 ICMP type (decimal)                  icmp.type == 8
vtp.vlan_info.vlan_name   VLAN name                            vtp.vlan_info.vlan_name == TEST
bgp.originator_id         BGP originator ID (IPv4 address)     bgp.originator_id == 192.168.10.15
bgp.next_hop              BGP next hop (IPv4 address)          bgp.next_hop == 192.168.10.15
rip.ip                    RIP IPv4 address                     rip.ip == 200.0.2.0
ospf.advrouter            OSPF advertising router ID           ospf.advrouter == 192.168.170.8
eigrp.as                  EIGRP autonomous system number       eigrp.as == 100
hsrp.virt_ip              HSRP virtual IP address              hsrp.virt_ip == 192.168.23.250
vrrp.ip_addr              VRRP virtual IP address              vrrp.ip_addr == 192.168.23.250
zebra.dest4               Zebra destination IPv4 address       zebra.dest4 == 10.10.10.10
wlan.addr                 source or destination MAC address    wlan.addr == 00:1a:6b:ce:fc:bb
wlan.sa                   source MAC address                   wlan.sa == 00:1a:6b:ce:fc:bb
wlan.da                   destination MAC address              wlan.da == 00:1a:6b:ce:fc:bb
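The table marks ip.addr, tcp.port and udp.port as “source or destination”. The added example below (my own code, not from the post or from Wireshark) models the rule behind that, a comparison is true when any occurrence of the field matches, and runs a few of the filters above against constructed frames; the frame records and the tiny filter parser are mine, not Wireshark's.

```python
"""Model of how Wireshark display filters treat fields that occur more than
once in a frame (ip.addr, tcp.port, udp.port in the table above).  Added
example, not code from the post or from Wireshark; PACKETS is constructed."""
import re
PACKETS = [  # constructed frames: the single-valued fields a dissector exposes
    {"frame": 1, "ip.src": "10.10.10.10", "ip.dst": "192.168.1.5",
     "tcp.srcport": "60234", "tcp.dstport": "80"},
    {"frame": 2, "ip.src": "192.168.1.5", "ip.dst": "10.10.10.10",
     "tcp.srcport": "80", "tcp.dstport": "60234"},
    {"frame": 3, "ip.src": "192.168.1.7", "ip.dst": "192.168.1.9",
     "udp.srcport": "40000", "udp.dstport": "513"},
]
# The combined names from the table map onto two occurrences each.
COMBINED = {"ip.addr": ("ip.src", "ip.dst"),
            "tcp.port": ("tcp.srcport", "tcp.dstport"),
            "udp.port": ("udp.srcport", "udp.dstport")}
TOKEN = re.compile(r"\s*(\(|\)|&&|\|\||==|!=|!|[\w.:]+)")

def occurrences(pkt, field):
    """Every value the field takes in this frame (empty list if absent)."""
    return [pkt[n] for n in COMBINED.get(field, (field,)) if n in pkt]

class Parser:  # recursive descent for: field == v, field != v, !, &&, ||, ( )
    def __init__(self, expr):
        self.toks, self.i = TOKEN.findall(expr), 0
    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None
    def take(self):
        self.i += 1
        return self.toks[self.i - 1]
    def or_expr(self):
        left = self.and_expr()
        while self.peek() == "||":
            self.take()
            left = ("or", left, self.and_expr())
        return left
    def and_expr(self):
        left = self.not_expr()
        while self.peek() == "&&":
            self.take()
            left = ("and", left, self.not_expr())
        return left
    def not_expr(self):
        if self.peek() == "!":
            self.take()
            return ("not", self.not_expr())
        if self.peek() == "(":
            self.take()
            node = self.or_expr()
            if self.take() != ")":
                raise ValueError("missing closing parenthesis")
            return node
        field, op, value = self.take(), self.take(), self.take()
        if op not in ("==", "!="):
            raise ValueError("unsupported operator %r" % op)
        return ("cmp", field, op, value)

def evaluate(node, pkt):
    if node[0] == "cmp":
        _, field, op, value = node
        # Wireshark rule: a comparison is true if ANY occurrence satisfies it, so
        # ip.addr == X means "source or destination is X", while ip.addr != X
        # (modelled here the way older releases evaluated it) matches almost
        # every frame; !(ip.addr == X) is the unambiguous way to exclude a host.
        vals = occurrences(pkt, field)
        return any((v == value) if op == "==" else (v != value) for v in vals)
    if node[0] == "not":
        return not evaluate(node[1], pkt)
    left, right = evaluate(node[1], pkt), evaluate(node[2], pkt)
    return (left and right) if node[0] == "and" else (left or right)

def matching_frames(expr, packets=PACKETS):
    """Frame numbers the display filter would keep in the packet list."""
    parser = Parser(expr)
    tree = parser.or_expr()
    if parser.peek() is not None:
        raise ValueError("unexpected token %r" % parser.peek())
    return [p["frame"] for p in packets if evaluate(tree, p)]
```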

Materials that helped me for this post:
http://packetlife.net/static/cheatsheets/wireshark-display-filters.pdf – thanks Jeremy Stretch
http://www.wireshark.org/docs/dfref/ – here you can find the full list of filters – thanks developers of Wireshark

How to analyze Cisco NetFlow with FREE tool

NetFlow is a network protocol developed by Cisco Systems to run on Cisco IOS-enabled equipment for collecting IP traffic information. It's proprietary, but supported by platforms other than IOS, such as Juniper routers or FreeBSD and OpenBSD. Cisco routers that have the NetFlow feature enabled generate NetFlow records; these are exported from the router in User Datagram Protocol (UDP) or Stream Control Transmission Protocol (SCTP) packets and collected using a NetFlow collector. Other vendors provide similar features for their routers but under different names: Jflow or cflowd from Juniper Networks, NetStream from Huawei Technology or Cflowd from Alcatel-Lucent. Since my knowledge is mainly in the area of Cisco devices, I will focus on NetFlow. A NetFlow record can contain a wide variety of information about the traffic in a given flow, like version number, sequence number, input and output interface indices, number of bytes and packets observed in the flow, source and destination IP addresses, source and destination port numbers, IP protocol, ToS and others. By analyzing flow data, a picture of traffic flow and traffic volume in a network can be built. Cisco NetFlow has multiple versions, of which v5 is the most used at the moment.
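As an added example (not code from the post, from Cisco or from Scrutinizer), the script below decodes a NetFlow v5 export datagram, the version singled out above as the most used, and then summarises the records the way a collector's top-talkers report would. The datagram is constructed inside the script with struct.pack, so it runs offline; the header and record field names follow the v5 layout.

```python
"""Decode a NetFlow v5 export datagram and summarise its flow records.
Added example, not code from the post, from Cisco or from Scrutinizer; the
datagram is constructed below with struct.pack so the decoder runs offline."""
import struct
from collections import Counter
from ipaddress import IPv4Address

# NetFlow v5 wire layout: a 24-byte header followed by `count` 48-byte records,
# all fields big-endian.
HEADER = struct.Struct("!HHIIIIBBH")
HEADER_FIELDS = ("version", "count", "sysuptime", "unix_secs", "unix_nsecs",
                 "flow_sequence", "engine_type", "engine_id", "sampling_interval")
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
RECORD_FIELDS = ("srcaddr", "dstaddr", "nexthop", "input", "output", "dPkts",
                 "dOctets", "first", "last", "srcport", "dstport", "pad1",
                 "tcp_flags", "prot", "tos", "src_as", "dst_as", "src_mask",
                 "dst_mask", "pad2")

def decode_v5(datagram):
    """Return (header dict, list of record dicts); raise on a malformed packet."""
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    header = dict(zip(HEADER_FIELDS, HEADER.unpack_from(datagram, 0)))
    if header["version"] != 5:
        raise ValueError("not NetFlow v5 (version %d)" % header["version"])
    if len(datagram) < HEADER.size + header["count"] * RECORD.size:
        raise ValueError("truncated: header announces %d records" % header["count"])
    records = []
    for i in range(header["count"]):
        raw = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        rec = dict(zip(RECORD_FIELDS, raw))
        for key in ("srcaddr", "dstaddr", "nexthop"):  # 4 raw bytes -> dotted quad
            rec[key] = str(IPv4Address(rec[key]))
        records.append(rec)
    return header, records

def top_talkers(records, n=3):
    """Bytes per (source, destination, protocol, destination port), largest first."""
    totals = Counter()
    for r in records:
        totals[(r["srcaddr"], r["dstaddr"], r["prot"], r["dstport"])] += r["dOctets"]
    return totals.most_common(n)

def make_record(src, dst, prot, sport, dport, pkts, octets):
    """Constructed record: interfaces 1->2, no next hop, /24 masks, AS 0."""
    return RECORD.pack(IPv4Address(src).packed, IPv4Address(dst).packed,
                       IPv4Address("0.0.0.0").packed, 1, 2, pkts, octets,
                       1000, 2000, sport, dport, 0, 0x18, prot, 0, 0, 0, 24, 24, 0)

# Constructed export datagram with three flows and flow sequence number 42.
SAMPLE = HEADER.pack(5, 3, 123456, 1258663872, 0, 42, 0, 0, 0) + b"".join([
    make_record("10.10.10.10", "192.168.1.5", 6, 60234, 80, 120, 150000),
    make_record("192.168.1.5", "10.10.10.10", 6, 80, 60234, 80, 9000),
    make_record("10.10.10.20", "192.168.1.5", 17, 40000, 513, 10, 800),
])

if __name__ == "__main__":
    hdr, recs = decode_v5(SAMPLE)
    print("sequence", hdr["flow_sequence"], "records", hdr["count"])
    for key, octets in top_talkers(recs):
        print(key, octets, "bytes")
```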

After this brief explanation of what NetFlow is, let's focus on the topic of this article. Lately I was searching for a tool that can analyze NetFlow data and return an acceptable picture of what's going on in the network. There are a lot on the market and I tried many of them which offer free trials (maybe someday I will write some reviews about them), but for now I was really searching for something without any cost involved, as it was for my private use.

The NetFlow analyzer software that I was looking for should be able to:
1. Display graphical format of traffic (graphs, picture…)
2. Allow me to analyze as many devices / interfaces I want
3. Allow to export some reports based on the network activity collected
4. …and the most important for me, to be FREE

As I said before, I tried some tools with great capabilities (e.g. NetFlow Analyzer from ManageEngine), but they had limitations that disturbed me (e.g. a limit of only 2 interfaces on the tool from ManageEngine). Searching on, I arrived at Scrutinizer NetFlow Analyzer, produced by Plixer International. This tool offers exactly what I was searching for, and it is free. Now the ugly part (there is always a part like this…) is that the tool keeps all information for only 24 hours. The good part is that you can export logs on a daily basis (24 hours). E.g. I had to monitor traffic for some device for 72 hours, so I exported the logs daily and at the end of the monitoring period I compared all the data. Well, this 24 hours limitation is not so nice. I would prefer 48 or 72 hours, because usually this is the minimum time for monitoring a connection, device or interface. If you buy a license, all these limitations are removed. As I said from the beginning, I was searching for something for private use… so this tool was perfect for me. Anyway, I believe big companies can afford to buy this tool if they test it and see that it fits their needs.

Anyway, skipping over this 24 hours limitation, the tool gives you the ability to gather information from as many devices / interfaces as you want. The reports are presented in a nice graphical format, with lots of details. You can download Scrutinizer NetFlow Analyzer from their site by clicking here. On the download page you will have the possibility to download the free version (with the 24 hours limitation) or the trial version, which will give you all features for a certain limited period of time. For the trial version you have to complete a form and they will issue you a trial license.

For an example of how to do a basic NetFlow configuration on a Cisco router and how to operate Scrutinizer NetFlow Analyzer, please see the presentation below. For the test environment I used an old Cisco 2600 router and my notebook with Scrutinizer NetFlow Analyzer installed.

Please note before watching this presentation: FirstDigest.com is not affiliated in any way with Plixer International or ManageEngine, and this is not a “pay per post” article. I just wanted to share with you something that I believe can be useful.
