Wednesday, September 6, 2023

Cabling Tip

 

As I mentioned in the video, I am pleasantly surprised with the feedback from my quick videos.


Here's another tip for marking your cables.


Monday, September 4, 2023

Network Flooding, Really?

 

Flooding is one of those networking topics that people always assume someone else will have.


Some of the common myths about flooding involve huge multipath networks, complicated load-balancing configurations, and, of course, X-Files-type problems.


Flooding can happen with the simplest devices or configurations. Let’s start with my simple but brief definition of flooding: when you see a lot of unicast packets addressed to other devices on your switch port, that’s flooding. Seeing the occasional flooded packet isn’t that unusual, but if you see hundreds of unicast packets per second (that aren’t yours), you should investigate.


In my experience, any device that has 2 ports or more can cause or contribute to flooding. The most common example of flooding is when you have a host with 2 Ethernet cards and a virtual IP/MAC address. When the host communicates with you, it uses a real MAC address, but when you talk back, you use a virtual MAC address that the switch might not be aware of, resulting in those return packets going to all switch ports.


Lately, I’ve seen cameras that have Ethernet and Wi-Fi connectivity cause flooding, and I'm not sure why. In this video, I will show you an example of this exact problem. The key troubleshooting tip is to start by interrogating your switch's bridge forwarding table and comparing it with the client or router ARP table entries.
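The comparison described above can be scripted. The following is an added example, not code from the video: it lists ARP entries whose unicast MAC address the switch has not learned, which are the destinations the switch will flood. The sample tables are constructed, laid out like Windows `arp -a` and Cisco `show mac address-table` output, and the function names are hypothetical.

```python
import re

# MACs written as aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabb.ccdd.eeff
MAC_RE = re.compile(
    r"\b(?:[0-9A-Fa-f]{2}([:-])(?:[0-9A-Fa-f]{2}\1){4}[0-9A-Fa-f]{2}"
    r"|(?:[0-9A-Fa-f]{4}\.){2}[0-9A-Fa-f]{4})\b")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sample data (assumed layouts): host ARP table, switch MAC table
ARP_SAMPLE = """\
  192.168.1.1      00-11-22-33-44-01   dynamic
  192.168.1.50     00-00-5e-00-01-0a   dynamic
  192.168.1.60     00-11-22-33-44-60   dynamic
  192.168.1.255    ff-ff-ff-ff-ff-ff   static
  224.0.0.22       01-00-5e-00-00-16   static
"""
FDB_SAMPLE = """\
Vlan    Mac Address       Type       Ports
   1    0011.2233.4401    DYNAMIC    Gi1/0/1
   1    0011.2233.4460    DYNAMIC    Gi1/0/7
"""

def norm(mac):  # any MAC notation -> 12 lowercase hex digits
    return re.sub(r"[^0-9a-f]", "", mac.lower())

def parse_arp(text):
    """Return {ip: mac} for lines holding both an IP and a MAC."""
    rows = ((IP_RE.search(l), MAC_RE.search(l)) for l in text.splitlines())
    return {ip.group(0): norm(mac.group(0)) for ip, mac in rows if ip and mac}

def parse_fdb(text):
    """Return {mac: port}; the port is taken as the last column."""
    rows = ((MAC_RE.search(l), l.split()) for l in text.splitlines())
    return {norm(mac.group(0)): cols[-1] for mac, cols in rows if mac}

def flood_candidates(arp_text, fdb_text):
    """ARP entries whose unicast MAC the switch has not learned."""
    fdb = parse_fdb(fdb_text)
    out = []
    for ip, mac in parse_arp(arp_text).items():
        unicast = not int(mac[:2], 16) & 1  # broadcast/multicast floods by design
        if unicast and mac not in fdb:
            out.append((ip, ":".join(mac[i:i + 2] for i in range(0, 12, 2))))
    return out

if __name__ == "__main__":
    for ip, mac in flood_candidates(ARP_SAMPLE, FDB_SAMPLE):
        print(f"{ip} -> {mac} is not in the forwarding table")
```

Both tables should be collected at roughly the same time and for the same VLAN, since forwarding entries age out and a stale snapshot will report addresses that were simply idle.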


A tip when working with devices that support Ethernet and Wi-Fi: in most cases, you use the Wi-Fi for the initial configuration, then move the device to an Ethernet port. In these cases, I would recommend you clear the Wi-Fi configuration details after you are certain the host is working properly with the wired connection.

Wednesday, August 30, 2023

Create a Wireshark Desktop Shortcut To Automatically Capture

 

Here's how to create a Windows desktop shortcut to automatically start capturing when you launch the Wireshark GUI.

Monday, August 28, 2023

Using Wireshark's editcap to Remove Duplicate Packets

 


Depending on how you capture packets, you may run into scenarios where you have duplicate packets caused by the nature of your tool's placement and network topology.


Do not confuse this with legitimate duplicate packets caused by network-related issues. We want to see those packets to resolve the issue.


Here, I use Wireshark's editcap utility to remove duplicate packets.

Friday, August 25, 2023

Device Baselining

 

Not a week goes by without hearing from people asking me to perform a baseline.


I also get a lot of requests asking me to create a template to help them perform a baseline.


Not to sound like a consultant, but every baseline is completely different depending on the equipment, the network, and your ultimate goal.


In this video, I show you how I start a baseline with an IP camera and my Profitap IOTA, and what I find. Of course, you can start any baseline using Wireshark, which is completely free, but the goal for your first baseline should be to document the equipment location, network topology, and the goal of the baseline.


For example, you might say, "I want to see how this camera behaves when it boots up."


You would want to document which devices are communicating with the camera, which protocols are in use, and possibly any load on the network.

I strongly encourage you not to get overwhelmed with too much detail upfront because if you have a trace file, you should be able to go back and retrieve any information that you may decide is important at a later date.


Enjoy
