INLS 184: Protocols and Network Management
March 2005
Departmental Network Analysis Project
The final result of this project will be a report (no set length requirement) describing the overall network architecture, utilization patterns, and recommendations, if any, for potential improvements of the assigned departmental network. You should provide basic information on the following:
- a description and diagram of the network:
  - type of network; how it's wired
  - types of hosts/computers/network nodes in use
  - how the network is used (based on descriptions from the network manager)
- an analysis of adherence to Ethernet standards/specifications (as much as you can tell; I don't expect you to take measurements of cable lengths, but you should see if the network manager is aware of length requirements, point out any possibilities of illegal lengths, number of repeaters - if any - in the path, etc.).
I will expect you to base your results on at least five separate samples of network traffic through appropriate network monitoring/analysis software. These samples should be collected over time on different days of the week, different times of day, and different lengths of time over each collection period, if possible.
You are free to use any tools at your disposal, but I am providing (with appropriate authorization from the software vendors) two tools for doing network performance analysis (from the switch perspective) and packet analyses (Ethereal and/or EtherPeek; note: EtherPeek is the preferred software choice due to its enhanced network performance collection capabilities):
- NetSight Element Manager, for collecting information from the switches;
- Ethereal and/or EtherPeek, for doing packet analyses and collecting additional network performance information (EtherPeek is available for checkout from SILS Library; Ethereal is available at http://www.ethereal.com)
Based on these data, provide the following:
- a percentage distribution of network traffic by protocol type, including your judgment as to whether this distribution seems reasonable based on the description of how the network is being used;
- a summary of the actual utilization over these samples, describing peak utilization times and periods of low utilization; does the utilization rate vary based on time of day or day of week?
- a summary of the relative amount of traffic (%) coming from broadcast packets; based on discussions with others in the class, does this seem like an unusual or high percentage? does the amount of broadcast traffic seem to vary based on time of day or day of week?
- identification of the major sources and destinations of traffic; specifically identify as best as you can the top five (5) source addresses and destination addresses in terms of total traffic from your samples; do these change across samples? do these surprise the network manager? (You will need the help of the network manager to associate the hardware addresses you find with the actual computers.)
- a description of any ICMP packets that you find; is there anything unusual showing up on the network, such as ICMP redirects or an unusual number of host or network unreachable packets? (Note: read the Bellovin article on reserve for an indication of the sorts of things to look for here.)
- a review of IP traffic by application; what seem to be the dominant IP applications being used on the network (based on a review of your samples)?
- any other characteristics or patterns of network traffic that you find of interest.
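One way to compute several of the figures requested above from captured frames, as an added example that is not part of the original assignment: it parses raw Ethernet II frames and reports protocol mix, broadcast share, top source and destination hardware addresses by bytes, and counts of ICMP redirect and destination-unreachable packets. The sample frames and MAC addresses are constructed, and computing percentages by frame count is an assumption.

```python
import struct
from collections import Counter
ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP"}
IP_PROTOS = {1: "ICMP", 6: "TCP", 17: "UDP"}
ICMP_WATCH = {3: "destination unreachable", 5: "redirect"}  # types worth a closer look
BROADCAST = "ff:ff:ff:ff:ff:ff"

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def summarize(frames, top_n=5):
    """Protocol mix and broadcast share (% of frames), top talkers (bytes), ICMP flags."""
    proto, src_bytes, dst_bytes, icmp = Counter(), Counter(), Counter(), Counter()
    bcast = 0
    for f in frames:
        if len(f) < 14:
            continue  # truncated capture: no complete Ethernet header
        dst, src = mac(f[0:6]), mac(f[6:12])
        (etype,) = struct.unpack("!H", f[12:14])
        name = ETHERTYPES.get(etype, f"other(0x{etype:04x})")
        if etype == 0x0800 and len(f) >= 34:
            ihl = (f[14] & 0x0F) * 4          # IPv4 header length in bytes
            name = IP_PROTOS.get(f[23], f"IP proto {f[23]}")
            if f[23] == 1 and len(f) > 14 + ihl:
                icmp[f[14 + ihl]] += 1        # first ICMP byte is the type
        proto[name] += 1
        src_bytes[src] += len(f)
        dst_bytes[dst] += len(f)
        bcast += 1 if dst == BROADCAST else 0
    total = sum(proto.values())
    pct = lambda n: round(100.0 * n / total, 1) if total else 0.0
    return {"protocol_pct": {k: pct(v) for k, v in proto.items()},
            "broadcast_pct": pct(bcast),
            "top_sources": src_bytes.most_common(top_n),
            "top_destinations": dst_bytes.most_common(top_n),
            "icmp_flags": {ICMP_WATCH[t]: n for t, n in icmp.items() if t in ICMP_WATCH}}

# --- constructed sample capture (locally administered MACs, not real hosts) ---
def frame(dst, src, etype, payload):
    return bytes.fromhex(dst) + bytes.fromhex(src) + struct.pack("!H", etype) + payload

def ipv4(proto, l4):  # minimal 20-byte IPv4 header with documentation-range addresses
    return (bytes([0x45, 0]) + struct.pack("!H", 20 + len(l4)) + bytes(4)
            + bytes([64, proto]) + bytes(2) + bytes([192, 0, 2, 1, 192, 0, 2, 2]) + l4)

A, B, GW = "020000000001", "020000000002", "020000000003"
SAMPLE = ([frame(B, A, 0x0800, ipv4(6, bytes(20)))] * 4          # TCP A -> B
          + [frame(A, B, 0x0800, ipv4(17, bytes(8)))] * 2        # UDP B -> A
          + [frame("ff" * 6, A, 0x0806, bytes(28))] * 2          # ARP broadcast
          + [frame(A, GW, 0x0800, ipv4(1, bytes([5, 1]) + bytes(6))),   # ICMP redirect
             frame(B, A, 0x0800, ipv4(1, bytes([8, 0]) + bytes(6)))])   # ICMP echo request
```

Calling `summarize(SAMPLE)` returns the summary dictionary; running it once per sample makes it easy to compare figures across collection periods.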
Finally, I will expect a summary of any recommendations that you may have in terms of how the network is designed or used that may improve performance. It is quite likely that there will be no recommendations that can be made either due to lack of problems on the network or insufficient information. If you do not have any recommendations to make, I would like to know what leads you to that decision; if it is due to inadequate information, what additional data would you need to make any recommendations?
This report is to be prepared jointly by the designated team of three students. I encourage discussion and interaction with other students and their case studies; "normal network performance" is a very subjective concept. You will be responsible for directly contacting the departmental network manager (they will have been told to expect you) and setting up the terms, times and requirements for your "intrusions". If you have any problems or questions about the network, ask the departmental manager; if you have any questions about what you find or about this report, ask me.
Spring 2005