Analysis of the encapsulated traffic






Two approaches to building a trace have become widespread for tracing Frame Relay messages and the encapsulated traffic of higher-level protocols. The first approach assumes that the trace is read by a specialist with complete knowledge of the protocol structure, the structure of every information element, and so on. In this case the protocol is traced down to the individual bit. The bit values are usually presented in a form that suits not only analysis but also locating them in the information field. This approach yields traces with the maximum level of detail. Such traces can be used successfully both in the development of data transmission equipment and for operational measurements. The drawbacks are that operating personnel need deep knowledge of the protocol structure and that the trace carries a large amount of redundant information, which often makes it difficult to understand. As examples of such traces, output from the Sniffer Expert protocol analyzer developed by Network General Corp. is presented below.

The second approach focuses on operational measurements. The traces generated in this case reflect only the messages and information elements most essential to the signaling exchange. As a result, the information redundancy of the first approach is reduced. In addition, the requirements on analyzer speed are lower and, consequently, so is their cost. The drawback is that such analyzers cannot be used for measurements during the development of data transmission equipment, or when the protocol is implemented incorrectly (the trace shows that the implementation is incorrect but does not specify exactly which bits have incorrect values; in practice such cases are rare). As examples of such operational traces, output from the ParaScope2000 analyzer produced by Frederick Engineering Inc. is presented below.

As an example of the analysis of the encapsulated traffic, let’s consider the analysis of a hypothetical data network linking two or more local area networks (Figure 8.1).

 

 
 

Figure 8.1. Encapsulation scheme for higher-level protocols (NetWare)

 

When local networks are interconnected, the physical channel being measured can carry virtual connections that transmit encapsulated information of various protocols (in general, data transmission networks use about 100...150 or more different protocols and modifications). As a result of this multiprotocol exchange, the Frame Relay trace will contain encapsulated messages of various protocols (Route 1).
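The bit-level decoding that tells which virtual connection a frame belongs to and which protocol it encapsulates is shown below. This is an added example, not analyzer output or code from the original page; it assumes a two-octet Q.922 address and the multiprotocol encapsulation header of RFC 2427, neither of which is named on the page, and the sample frames are constructed.

```python
# Protocol identifiers (NLPID) that may follow the UI control octet.
NLPID = {0x08: "Q.933", 0x80: "SNAP", 0xCC: "IP"}


def decode_frame(frame: bytes) -> dict:
    """Decode address and encapsulation header of one frame (flags/FCS removed)."""
    if len(frame) < 4:
        raise ValueError("frame too short")
    a0, a1 = frame[0], frame[1]
    if a0 & 0x01 or not a1 & 0x01:        # EA bits must be 0, then 1
        raise ValueError("not a two-octet address")
    out = {
        "dlci": ((a0 >> 2) << 4) | (a1 >> 4),   # 6 high bits + 4 low bits
        "fecn": (a1 >> 3) & 1,                  # forward congestion notice
        "becn": (a1 >> 2) & 1,                  # backward congestion notice
        "de": (a1 >> 1) & 1,                    # discard eligibility
    }
    if frame[2] != 0x03:
        raise ValueError("control octet is not UI (0x03)")
    pos = 4 if frame[3] == 0x00 else 3    # skip the optional pad octet
    if pos >= len(frame):
        raise ValueError("missing NLPID")
    nlpid = frame[pos]
    out["nlpid"] = NLPID.get(nlpid, f"0x{nlpid:02X}")
    body = frame[pos + 1:]
    if nlpid == 0x80:                     # SNAP: 3-octet OUI + 2-octet PID
        if len(body) < 5:
            raise ValueError("truncated SNAP header")
        out["oui"] = body[:3].hex()
        out["pid"] = f"{int.from_bytes(body[3:5], 'big'):04X}"
        body = body[5:]
    out["payload"] = body
    return out


# Constructed sample frames (not captured traffic), both on DLCI 100.
# The first carries a SNAP header with the type 80FF seen in Route 1.
SNAP_FRAME = bytes.fromhex("1841030080000000" "80FF" "DEAD")
IP_FRAME = bytes.fromhex("184B03CC" "4500")   # FECN and DE bits set

if __name__ == "__main__":
    for f in (SNAP_FRAME, IP_FRAME):
        print(decode_frame(f))
```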

 

Route 1. An example of a simple trace of multiprotocol traffic in a Frame Relay network (Sniffer Expert analyzer)

 

SUMMARY Delta T Destination Source Summary
    44135046.FFFF 44135046.Wllf XNS RIP response: 10 networks, 20850301 at 2 hops, 20850302 at 2 hops
  0.1982 BOOMER1 9943AC.3Com NCP C Create Connection
  0.0624 9943AC.3Com BOOMER1 NCP R OK
  0.3588     SNAP Ethernet Type=80FF
  0.0732 BRUTUS1 9943AC.3Com NCP C Create Connection
  0.0917 9943AC.3Com BRUTUS1 NCP R OK
  1.0991     SNAP Ethernet Type=80FF
  0.1960     SNAP Ethernet Type=80FF
  0.1039 BUSTER1 9943AC.3Com NCP C Create Connection
  0.0788 9943AC.3Com BUSTER1 NCP R OK
  0.1228     SNAP Ethernet Type=80FF
  0.3411 BOOMER1 9943AC.3Com NCP C Create Connection
  0.0639 9943AC.3Com BOOMER1 NCP R OK
  0.1651     SNAP Ethernet Type=80FF
  0.1342     SNAP Ethernet Type=80FF
  0.1297 BRUTUS1 9943AC.3Com NCP C Create Connection
  0.0867 9943AC.3Com BRUTUS1 NCP R OK
  0.3134     SNAP Ethernet Type=80FF
  0.2690 000000225D02   SNAP Ethernet Type=80FF
  0.1020     SNAP Ethernet Type=80FF
  0.7196 BUSTER1 9943AC.3Com NCP C Create Connection
  0.0780 9943AC.3Com BUSTER1 NCP R OK
  0.0950     SNAP Ethernet Type=80FF
  0.2452 [X.Y.1.255] [X.Y.1.2] RIP R Routing entries=10
  0.1244 BOOMER1 9943AC.3Com NCP C Create Connection
  0.0654 9943AC.3Com BOOMER1 NCP R OK
  0.3716 [X.Y.1.255] [X.Y.1.2] RIP R Routing entries=10
  0.0559 BRUTUS1 9943AC.3Com NCP C Create Connection
  0.0919 9943AC.3Com BRUTUS1 NCP R OK
  0.2400     SNAP Ethernet Type=80FF
  0.3212     SNAP Ethernet Type=80FF
  0.2201     SNAP Ethernet Type=80FF
  0.6175 BUSTER1 9943AC.3Com NCP C Create Connection
  0.0791 9943AC.3Com BUSTER1 NCP R OK
  0.4636 BOOMER1 9943AC.3Com NCP C Create Connection
  0.0623 9943AC.3Com BOOMER1 NCP R OK
  0.0395     SNAP Ethernet Type=80FF
  0.2718 44135044.FFFF 44135046.Wllf XNS RIP response: 12 networks, 00210101 at 2 hops, 00210102 at 2 hops
  0.1194 BRUTUS1 9943AC.3Com NCP C Create Connection
  0.0870 9943AC.3Com BRUTUS1 NCP R OK
  0.2379 NFIDC08 4.1 XNS NetWare Security
  0.1271 701B.00608CB8 7107F2.1 NDIAG IPX Config request
  0.3489     SNAP Ethernet Type=80FF
  0.2054 DCE.DLCI.0 DTE.DLCI.0 LMI Keep Alive Status Enquiry
  0.0086 DTE.DLCI.0 DCE.DLCI.0 LMI Keep Alive Status
  0.1015     SNAP Ethernet Type=80FF
  0.2326     SNAP Ethernet Type=80FF
  0.1418 BUSTER1 9943AC.3Com NCP C Create Connection
  0.0782 9943AC.3Com BUSTER1 NCP R OK
  0.4645 BOOMER1 9943AC.3Com NCP C Create Connection

 

As can be seen from the trace, the messages passing through the measurement point belong to a variety of higher-level protocols: the RIP (Routing Information Protocol) routing protocol used in Xerox Network Systems (XNS) networks, the main protocol of NetWare networks (NCP, NetWare Core Protocol), the diagnostics protocol of NetWare networks (NDIAG), the RIP protocol used for exchange in the TCP/IP protocol suite, and the SNAP protocol, which is used to encapsulate data traffic from the LAN. In addition, the trace contains LMI control information (messages 44 and 45), which was covered in lab No. 5. Note that, to preserve confidentiality, the IP addresses in the trace are replaced by X and Y.
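The reading of Route 1 given above can be automated in the style of the second, operational approach: tally the protocol mix and pair each NCP request with its reply. This is an added example, not a feature of either analyzer; the rows are copied from Route 1 with extraction damage repaired, and the function names and the rule that a lone address is the destination are assumptions.

```python
from collections import Counter

PROTOCOLS = {"XNS", "NCP", "SNAP", "RIP", "NDIAG", "LMI"}

# Rows copied from Route 1; layout is
# "delta-T destination source protocol summary", addresses may be absent.
TRACE = """\
0.1982 BOOMER1 9943AC.3Com NCP C Create Connection
0.0624 9943AC.3Com BOOMER1 NCP R OK
0.3588 SNAP Ethernet Type=80FF
0.0732 BRUTUS1 9943AC.3Com NCP C Create Connection
0.0917 9943AC.3Com BRUTUS1 NCP R OK
0.2452 [X.Y.1.255] [X.Y.1.2] RIP R Routing entries=10
0.2054 DCE.DLCI.0 DTE.DLCI.0 LMI Keep Alive Status Enquiry
0.0086 DTE.DLCI.0 DCE.DLCI.0 LMI Keep Alive Status
0.4645 BOOMER1 9943AC.3Com NCP C Create Connection
"""


def parse_row(row):
    tok = row.split()
    i = next((n for n, t in enumerate(tok) if t in PROTOCOLS), None)
    if i is None:
        return None                       # not a trace row
    try:
        delta, addrs = float(tok[0]), tok[1:i]
    except ValueError:                    # first frame carries no delta-T
        delta, addrs = 0.0, tok[:i]
    dst, src = (addrs + [None, None])[:2]  # lone address: destination (assumed)
    return {"delta": delta, "dst": dst, "src": src,
            "proto": tok[i], "text": " ".join(tok[i + 1:])}


def summarize(trace):
    mix, open_req, replies, clock = Counter(), {}, [], 0.0
    for rec in filter(None, map(parse_row, trace.splitlines())):
        clock += rec["delta"]             # rebuild absolute time from deltas
        mix[rec["proto"]] += 1
        if rec["proto"] != "NCP":
            continue
        if rec["text"].startswith("C "):                  # request
            open_req[(rec["src"], rec["dst"])] = clock
        elif (rec["dst"], rec["src"]) in open_req:        # matching reply
            sent = open_req.pop((rec["dst"], rec["src"]))
            replies.append((rec["src"], round(clock - sent, 4)))
    return mix, replies, sorted(open_req)
```

`summarize(TRACE)` returns the per-protocol frame counts, the response time of each answered request, and the requests still unanswered when the capture ends.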

 

 





