- UNIX Connectivity
- RAS Connectivity
- Network Monitor
UNIX connectivity is an important issue in many enterprise networks. FTP and WWW access are based on basic UNIX connectivity, as are many other Internet facilities. In this chapter, we'll look at RAS (Remote Access Service), the Windows NT facility that connects machines together. Most RAS connections use modems or ISDN adapters. We'll also discuss Network Monitor, which is a tool used to view packets on the network.
Because TCP/IP was first designed for UNIX, there are many services on UNIX platforms that Windows NT needs access to. Therefore, it is necessary to develop UNIX connectivity solutions.
On a daily basis, users are connecting to UNIX platforms without even realizing it. In fact, until recently nearly every FTP and WWW server on the Internet was a UNIX system. The most common uses of UNIX connectivity are for FTP and WWW services.
FTP (File Transfer Protocol) enables file transfer from an FTP server to a local workstation. Traditionally FTP servers are UNIX servers, but recently FTP servers have been developed for Windows NT and other operating systems. FTP uses port 21 for its initial communication, or control port. An FTP server service is included with Microsoft Internet Information Server, which is included in Windows NT Server 4.0.
Similar to FTP, WWW originated in the UNIX community, and has since been integrated onto nearly every platform, including Windows NT. WWW traffic uses HTTP (Hypertext Transfer Protocol) to complete transfers requested by users. HTTP uses port 80 to accomplish these transfers.
LPD (Line Printer Daemon) Printing Service allows printing from operating systems that would normally not be able to print to Windows NT Server. For example, LPD allows a UNIX workstation to print through a Windows NT Server.
Exercise 11-1 Configuring LPD Print Service
LPD is fairly easy to configure:
Once this has been installed, any workstation can print to the LPD print service by specifying the NT Server's IP address followed by a colon and the share's name.
RAS (Remote Access Service) connects a remote workstation to a RAS server using a non-Ethernet connection. RAS is Windows NT's implementation of Dial-up Networking. RAS is most commonly used with modems or ISDN adapters. RAS clients can connect to services provided by the RAS server and, if the RAS server is configured to allow it, any resources on the network to which the RAS server is connected.
The most common RAS connections are PPP (Point-to-Point Protocol) or SLIP (Serial Line Internet Protocol). Both PPP and SLIP can connect RAS clients to a RAS server via a modem and telephone line. PPP, however, is replacing SLIP because it is more robust and guarantees cross-platform connectivity. Because SLIP is declining in popularity, RAS is capable of using SLIP only for dial-out, not for dial-in.
PPP is a cross-platform protocol that can be used to connect to both NT and UNIX systems. By utilizing the PPP protocol, an NT workstation can be connected to a UNIX server and vice versa. When the PPP protocol is used, the server and workstations are not required to be running the same operating systems.
As with any TCP/IP connection, RAS connections are required to have TCP/IP addresses. These addresses can be assigned manually or automatically. Automatic address assignment is usually referred to as dynamic and manual is referred to as static.
Each RAS connection requires an IP address, which is taken from a designated range of IP addresses, called a pool. Each RAS connection will obtain an address from this pool.
Assigning IP addresses manually is tedious and error-prone. When manually assigning addresses to RAS ports, each assignment must be tracked to avoid duplicate address assignments.
DHCP (Dynamic Host Configuration Protocol) dynamically tracks the assignment of IP addresses. DHCP automatically assigns an IP address to each machine, and tracks the machine's usage of this IP address. After the machine no longer uses the IP address, it can be returned to the address pool for reassignment at a later time.
If RAS clients each use an assigned address, it is necessary to track the usage of these IP addresses and maintain a list of all active IP addresses in order to avoid possible duplicate IP address assignment.
If RAS is configured to use DHCP addresses for each RAS client, a great deal less work is required. DHCP automatically assigns an IP address to each port of the RAS server and no additional configuration is required.
A combination of DHCP assigned addresses and statically configured IP addresses can be used. The primary reason for using a manually assigned IP address in a mixed environment is to establish a link to another network where it is important that the IP address not be changed. A good example of this is when a RAS connection is used as a permanent link to the Internet, in which case it would be desirable for the IP address not to change.
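The tracking the previous paragraphs describe, as an added example that is not part of the original chapter: a small allocator that serves RAS ports from one address pool, keeps a fixed address for ports that must not change (such as a permanent Internet link), hands dynamic addresses back on release, and can be checked for the duplicate assignments manual tracking is prone to. The class name, port labels and address range are assumptions for the example.

```python
from ipaddress import IPv4Address, IPv4Network

class RasAddressPool:
    """Track every address handed to a RAS port so no two ports collide.

    Ports listed in `static` always receive their fixed address (a permanent
    link whose address must not change); all other ports are served from the
    remaining hosts in the pool, the way DHCP would, and give the address
    back when the connection drops.
    """

    def __init__(self, network, static=None):
        self.static = {port: IPv4Address(ip) for port, ip in (static or {}).items()}
        reserved = set(self.static.values())
        # Dynamic candidates: every host in the range not reserved for a static port.
        self.free = [ip for ip in IPv4Network(network).hosts() if ip not in reserved]
        self.leases = {}                      # port -> address currently in use

    def assign(self, port):
        if port in self.leases:               # a port keeps its address while up
            return self.leases[port]
        if port in self.static:
            ip = self.static[port]
        elif self.free:
            ip = self.free.pop(0)
        else:
            raise RuntimeError("RAS address pool exhausted")
        self.leases[port] = ip
        return ip

    def release(self, port):
        ip = self.leases.pop(port)
        if port not in self.static:           # only dynamic addresses are reused
            self.free.append(ip)

    def has_duplicates(self):
        """True if the tracking ever let two ports share one address."""
        return len(set(self.leases.values())) != len(self.leases)
```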
Exercise 11-2 Configuring TCP/IP Parameters for RAS Clients
When RAS clients are configured for dial-in, they must be configured properly in order to communicate.
Network Monitor is a utility that shows network activity. Network Monitor can be used with any protocol, not just TCP/IP. There are two different versions of Network Monitor available. The version that ships with Windows NT Server 4.0 is only capable of viewing packets to and from the server that acts as the network monitoring agent. Another version of Network Monitor that ships with SMS (Systems Management Server) is capable of viewing all data transmitted on the network.
The installation of Network Monitor is a simple process. You need to add it through the Services tab of the Network Control Panel. Actually using Network Monitor is a bit more involved. The amount of information that can be acquired through Network Monitor's facilities is enormous.
To capture data with Network Monitor, click on Capture and then on Begin. Network Monitor requires very little work on your part. When capturing data it is important to remember that every packet that is transmitted on the network will be added to your capture. You can lessen the amount of data that you will receive by creating a filter: click on Capture and Filter.
Interpreting the results of Network Monitor is a skill that can only be honed by practice. Once you are satisfied with the quantity of data that you have captured, click on Capture, then on Stop and View Data. A summary of all packets that were captured will then be presented. From this summary you can double-click on any one that interests you.
The middle window that is displayed shows the information that we are primarily interested in. There are many different sections that are usually displayed. We are primarily concerned with the Frame, Ethernet, and IP sections.
The Frame information section gives us information about the capture of the frame itself, which usually includes the time at which the frame was captured, its timing relative to the other frames in the capture, and the total length of the frame.
Exercise 11-3 Installing and Configuring Network Monitor
Network Monitor is a utility that can be used to provide assistance in troubleshooting. Installation and configuration of Network Monitor is extremely simple.
The Hardware Ethernet Frame gives us information such as the source and destination MAC addresses. This information can be used to pinpoint exactly where packets are coming from and going to, since in general MAC addresses are unchangeable addresses.
The IP section gives us information such as the Source and Destination addresses, the version of IP that was used to create the packet, a packet identification number, a Time to Live for the packet, along with some additional information that is not often used.
As we discussed earlier, Network Monitor allows you to view all of the frames that have been sent across the network. Most of the packets are semi self-explanatory. There are some packets that are of special interest to us.
DHCP packets contain messages that are used between DHCP servers and clients during communications to establish and manage a lease for an IP address and related information. In Network Monitor, these packets will be of type DHCP. Since you can see the DHCP conversation between the client and server with Network Monitor, it is a useful way to troubleshoot DHCP problems.
Point-to-Point messages are usually messages between a RAS server and a RAS client pertaining to the connection's status.
WINS messages pass between the WINS server and its clients. There are primarily three different types of WINS messages: broadcast, announce, and request. A broadcast is a standard broadcast message used by a workstation or server to announce its existence. These are standard broadcasts that will occur with or without the presence of a WINS server. If a WINS server is present, the server will use these broadcasts to help maintain the WINS database. An announce message is sent to the WINS server announcing the existence of a client. This message is sent repeatedly for a predefined period of time. A request message is sent when a client requests the IP address of another client from the WINS server in order to resolve a NetBIOS name.
The only type of DNS message is a request from a client. When a client requests that a DNS name be resolved by the DNS server, the DNS server responds with the target IP address.
Exercise 11-4 Viewing TCP/IP Packets with Network Monitor
Viewing packets provides information about the performance of your network. Network Monitor not only provides information about packets, but also includes the packets. For this reason, it is important to use Network Monitor with the utmost care and integrity.
Network Monitor is undoubtedly the most powerful device to track network usage. Unfortunately with this great ability comes a bad side. Network Monitor can literally see everything. Network Monitor is capable of viewing the contents of every packet that crosses the network. This ability can be a bit humbling at times, and can give you the power to truly implement the "Big Brother is Watching" security system. Using Network Monitor to do anything other than troubleshooting a specific network problem is entirely unethical.
A simple standard to follow, that seems to be acceptable to the judicial system and to the corporate world, is that you are not at any time permitted to view the contents of user-generated packets. Any machine-generated packet is fair game for your viewing pleasure. A machine-generated packet is further defined as a packet that the machine generates without any specific interaction on the user's part, while a user-generated packet is one that is generated by an action of the user or an application that the user is running. Table 11-1 gives some examples of user- and machine-generated packets.
| User-Generated | Machine-Generated |
|---|---|
| POP3 transfer | ARP request for mail server's IP address |
| FTP transfer | Keep-alive message |
| SMTP transfer | Ping |
| SMB transfer | DHCP |
| HTTP transfer | WINS |
| | Broadcasts |

Table 11-1: User- and Machine-Generated Packets
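The Frame, Ethernet and IP sections described above, and the user- versus machine-generated distinction of Table 11-1, as an added example that is not part of the original chapter: a decoder that pulls the fields Network Monitor shows (MAC addresses, IP addresses, IP identification, TTL, frame length) out of a raw Ethernet frame and then classifies the frame by the port or protocol, so that only machine-generated traffic is flagged as open to content inspection. The sample frames, MAC and IP addresses are constructed for the example; "Keep alive" messages and non-IPv4 traffic other than ARP are not identified.

```python
import struct

# Packet types the chapter's Table 11-1 calls user- or machine-generated,
# keyed by the well-known port that identifies them in a capture.
USER_PORTS = {21: "FTP", 25: "SMTP", 80: "HTTP", 110: "POP3", 139: "SMB"}
MACHINE_PORTS = {67: "DHCP", 68: "DHCP", 137: "WINS"}

def _mac(b): return ":".join(f"{x:02x}" for x in b)
def _ip(b): return ".".join(str(x) for x in b)

def parse_frame(frame):
    """Decode the Frame, Ethernet and IP sections Network Monitor displays."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    info = {"length": len(frame), "dst_mac": _mac(dst), "src_mac": _mac(src),
            "kind": "other"}
    if ethertype != 0x0800:                  # ARP (or other non-IPv4) frame
        info["kind"] = "ARP" if ethertype == 0x0806 else "other"
        return info
    vihl, _, _, ident, _, ttl, proto, _, s, d = struct.unpack(
        "!BBHHHBBH4s4s", frame[14:34])
    info.update(version=vihl >> 4, id=ident, ttl=ttl, src_ip=_ip(s), dst_ip=_ip(d))
    if proto == 1:                           # ICMP echo, listed as "Ping"
        info["kind"] = "Ping"
    elif proto in (6, 17):                   # TCP / UDP: the ports name the service
        sport, dport = struct.unpack("!HH", frame[14 + (vihl & 0x0F) * 4:][:4])
        info["ports"] = (sport, dport)
        for p in (sport, dport):
            if p in USER_PORTS or p in MACHINE_PORTS:
                info["kind"] = USER_PORTS.get(p) or MACHINE_PORTS[p]
                break
    return info

def classify(info):
    """Apply the chapter's rule: user-generated contents are off limits."""
    if info["kind"] in USER_PORTS.values():
        return "user-generated"
    if (info["kind"] in ("ARP", "Ping") or info["kind"] in MACHINE_PORTS.values()
            or info["dst_mac"] == "ff:ff:ff:ff:ff:ff"):
        return "machine-generated"
    return "unknown"

# Constructed sample frames (not from a real capture): a DHCP client
# broadcast, an HTTP request to port 80, and an ARP request.
DHCP_FRAME = bytes.fromhex("ffffffffffff00a0c91234560800"
                           "45000020123400008011000000000000ffffffff0044004300080000")
HTTP_FRAME = bytes.fromhex("00000caabbcc00a0c91234560800"
                           "450000285678400080060000c0a8010a0a000005"
                           "0406005000000001000000005002200000000000")
ARP_FRAME = bytes.fromhex("ffffffffffff00a0c91234560806"
                          "000108000604000100a0c9123456c0a8010a000000000000c0a80101")
```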
Unfortunately, no matter how well defined a system you have, the correct use of Network Monitor is still a gray area. As a Network Administrator it is important to be very careful how you use Network Monitor and verify that its use is permitted within your organization. Table 11-2 gives some typical scenarios you may encounter as a Network Administrator.
| I have this problem | Is the use of Network Monitor ethical? |
|---|---|
| Two machines have been assigned the same IP address and I am unable to manually find the offending computers. | Yes, IP address conflicts are machine-generated problems. |
| I think my boss is trying to fire me; I'll bet I could find out more information from his e-mail. | No, intentionally reading anyone's e-mail is undoubtedly unethical, and possibly illegal. |
| A user is browsing sites that are considered inappropriate during the workday. I can use Network Monitor to prove this. | Maybe; viewing the contents of users' HTTP packets is generally considered unethical. This may be allowable by company policies, but you should consult your company's lawyers. |
| DNS requests are being made by workstations, but are not being answered by the server. I suspect there is a configuration error. | Yes, DNS messages are machine-generated and could be used to troubleshoot network problems. |

Table 11-2: Typical Network Monitor Scenarios
Connectivity to UNIX servers is crucial to connect to hosts on the Internet. In addition, many companies have UNIX servers that users benefit from being able to connect to. Services such as FTP and WWW traditionally have been located on UNIX servers. FTP and WWW services are now being provided by other platforms, including Windows NT.
Remote Access Service (RAS) helps to connect a RAS workstation to a RAS server using non-Ethernet mediums. Common mediums for RAS connections are modems and ISDN adapters. These connections are usually made using either the Point-to-Point Protocol (PPP) or Serial Line Internet Protocol (SLIP). RAS servers can be configured to provide either a pre-assigned pool of IP addresses or to use DHCP to assign IP addresses to RAS clients. DHCP is most commonly used.
Network Monitor is used to view the activity of a network. Network Monitor can be used with any protocol, not just TCP/IP. Network Monitor, as it is shipped with Windows NT Server 4.0, captures all packets that are sent to and from the server that is being monitored. Network Monitor is capable of extracting information from the packets such as source and destination IP and MAC addresses. Network Monitor is a powerful tool that could be used in an unethical manner. It is important to evaluate if Network Monitor is being used ethically in each particular situation.
- Because TCP/IP was first designed for UNIX, there are many services on UNIX platforms that Windows NT needs access to.
- The most common uses of UNIX connectivity are for FTP and WWW services.
- LPD (Line Printer Daemon) Printing Service allows printing from operating systems that would normally not be able to print to Windows NT Server.
- RAS (Remote Access Service) connects a remote workstation to a RAS server using a non-Ethernet connection.
- The most common RAS connections are PPP (Point-to-Point Protocol) or SLIP (Serial Line Internet Protocol).
- PPP is a cross-platform protocol that can be used to connect to both NT and UNIX systems.
- RAS connections are required to have TCP/IP addresses.
- DHCP (Dynamic Host Configuration Protocol) dynamically tracks the assignment of IP addresses.
- DHCP automatically assigns an IP address to each machine, and tracks the machine's usage of this IP address.
- It is important to remember that RAS clients can use statically assigned IP addresses, dynamically assigned IP addresses, or a combination of both. The most common configuration is dynamic assignment using DHCP.
- Network Monitor is undoubtedly the most powerful device to track network usage.
- There are two different versions of Network Monitor. One can view only the traffic to and from the server that the network monitoring agent is installed on, and the other can view all traffic on the network. These versions of Network Monitor ship with Windows NT Server 4.0 and Systems Management Server, respectively.
- Interpreting the results of Network Monitor is a skill that can only be honed by practice.
- Remember that the MAC address is an address assigned to a network interface card by the hardware manufacturer. This address cannot be changed on most current network interface cards.
- DHCP packets contain messages that are used between DHCP servers and clients during communications to establish and manage a lease for an IP address and related information.
- Point-to-Point messages are usually messages between a RAS server and a RAS client pertaining to the connection's status.
- WINS messages are between the WINS server and clients. There are primarily three different types of WINS messages: broadcast, announce, and request.
- The only type of DNS message is a request from a client.
- As a Network Administrator it is important to be very careful how you use Network Monitor and verify that its use is permitted within your organization.