How to generate network packets – Ostinato Packet/Traffic Generator

Network Packet Generator or Network Traffic Generator is a tool every network engineer will sooner or later want to use. Here’s one I found and it’s great!

First time I saw an Ethernet frame in details on my CCNA class back in 2010 I immediately got the idea about generating some packets on my own. It was logical next step to ask myself: “Ok, so how can I make one of those and see what happens when I send it out on the network?”. I was not really sure that there is a tool that would make it possible.

Don’t get me wrong, net surfers don’t need this!

I mean, Yeah, ok, I know I am generating a lot of packets right now by not doing anything because my Mac is surely syncing who knows what across the Internet. The thing is, you are not really in control of your machine’s applications network layer which is talking across the network, so you can not really make much changes in frames header format and whats inside headers. Apps are sending out standard packets with standardised header format (flags, addresses etc.). The thing that we control is only the data that we send, the payload of those packets, headers, they do their thing to make the transfer possible.

You can control the packet source IP address of course, maybe MAC address sometimes on some Linux machines by editing your NIC configuration but I am sure you know that if you are still here 🙂

Network engineers do need this!

But I am a network engineer and I usually want:

  • to test something
  • make something that does not exist so far or is not standardised.
  • I want to try to create a new protocol that will talk using IP.
  • I want to change protocol implementation bugs from some vendor.
  • I need a way to create test packets to investigate strange firewall packet drops.
  • I want to see what will happen if some packets header flags are changed in strange way, how will that affect the packet forwarding.
  • I want to send stuff across the network and see what happens.
  • I need other stuff too.

SDN SOFTWARE DEFINED NETWORKS: AN OVERVIEW

Flowing text is a project done as a part of academic work that I am involved with for last few years at the University of Rijeka – Department of Informatics. It’s a short overview at latest achievements in the field of network automation with some lab experiments done to test different paths across the network. The work was presented at 6th International Conference on Information Technologies and Information Society (ITIS2014).

The scope of ITIS events are the applications of IT, particularly in social sciences. The conference also covers a wider range of topics related to IT and computational modeling and analysis, in the context of our Creative Core project “Simulations” and our Research Program “Complex networks”. These include cloud computing, complex systems and complex networks, bioinformatics, graph theory and optimization, statistical analysis, business and industrial processes, logistics, information systems and security.

Okaj, let’s go…

Authors

dr. sc. Božidar Kovačić & mag.edu.inf Valter Popeškić (me)
University of Rijeka – Department of Informatics

How to Enable Dot1x – more complex setup for wired network

This one is long. Do not be afraid though, I made it just to give you the fastest way to deploy functional dot1x to your company HQ without reading even more documentation and searching for those little timer default settings.

I the article prior to this I showed you how to setup your environment with simple dot1x and make it as simple as possible. I will not repeat again the part about setting up Radius Clients on server side, everything else is here once again just more complex. Now is time for a more complex example that will make your implementation work out-of-the-box for end users and they will probably not even know that you completed the implementation of one nice but fairly complex network security enhancement.

So, as I said, this is a better way to do it because it will be less intrusive and people in the office will start to use it but without prompt starting to show on everybody’s PC.

What needs to be done:

Here are the steps needed on all systems so you do not forget some of them. Of course you will not forget, but I know people who did forget, for example, the whole client computer part.

  1. We will configure the switch for dot1x but with much more options now.
  2. We will create Radius NPS policy to enable our Windows machines to authenticate using user or computer certificate. (This will enable us to skip boring credentials prompts mentioned above)
    Here the Radius config skips radius client configuration mentioned in previous article about dot1x.
  3. We will setup a new GPO object that will automatically setup all PC’s for dot1x.

What will we get using dot1x:

It’s give you all descriptions of all possible options that you would need and the example in the end will show configuration of all those components together. You will see, it will be easy to recognise which command does what. If there would be some thing not clear enough, I am fairly quick with my comment replies 😉

Basic

Dot1x will allow access to network only to authenticated users on your wired LAN. It’s also used to authenticate users on Corporate WiFi network but we will skip that part now.

Give Internet only to unauthenticated users

Don’t be cruel, maybe you have some guests in your meeting room. If they connect and get denied they will tell you your network jacks are not working and blame you that you are not doing your job as network admin.

“Hey, network is not working in meeting room! Some guest are complaining, is bad publicity :)”

If the users are not authenticated switch port where they connected the cable does not get them access to the network. There is an option to use VLAN auto-configuration in conjunction to basic security feature to get unauthenticated users access to the network but only to some isolated or Internet only VLAN. Cool.

How to Enable Dot1x authentication for wired clients

If your LAN is extending to some places where unauthorised people can just plug in and gain access to your protected network, it’s time to implement some security on your access switch. The best thing to do is to implement IEEE 802.1X port-based authentication which will enable users/machine authentication and prevent unauthorized devices from getting access switch port running when connected. IEEE 802.1X port-based authentication is mostly called simply as dot1x.

In this article I will show you how to configure some basic dot1x stuff on switch side. I will also include Windows machine side of configuration as this is something most people presume it’s working out-of-the-box but of course that’s not the case. Radius server policy is fairly simple so a screenshot of the policy will get you going. So as you see, to get dot1x running you need to configure:

Why numbering should start at zero?

Please note:

This has nothing to do with networking in particular! Not if you look from only one perspective. If you look from totally different perspective, with Cisco ACI and all other SDN solutions, you will probably meet with Python programming language (because you will) and then, somewhere in beginning of Python exploration this is the first question that will cross your mind. Of course, if you think like me!

Although not directly related to networking, the question bothered me for some time now and the answer is not only really logical when you read it but it is also given by a cool guy named prof.dr. Edsger W. Dijkstra

For almost every networking geek it will be enough to read through it.

Intro

After getting the CCIE I found the next thing I wanted to get my hands around. Python. As it seems, Cisco ACI fabric will be the next big thing in Cisco world. Other vendors all have something about SDN to offer these days. Most important part for us, networking engineers, is that they want us to give up the CLI and get us to use Python and REST calls to speak with our network equipment. Python was the logical next step.

I signed and passed Dr. Chuck’s Coursera Python class:

And got some books:

  • Python for Informatics by Charles Severance (Coursera Professor)
  • Learning Python, Fifth Edition by Mark Lutz
  • Python Pocket Reference, Fifth Edition by Mark Lutz
  • Fluent Python by Luciano Ramalho

After first few great lectures on Coursera by Dr.Chuck the question was born!

The Question

So my questions arose: “Why the hell in Python slices and range exclude the last item?”, “Why?”, “It’s not logical to me!”

The Answer

What is a non-blocking switch?

It is fairly common to hear about switch being non-blocking. It’s because almost all switches today are non-blocking. But what that means? When I asked people around me on what exactly non-blocking switch means, they were unable to get to the same conclusion.

I was going through a lot of different internet places and vendor documents before I wrote this here, but, do not hesitate to add something in comments if you have different view on the subject.

Line-rate switch means the same as if you would said wire-speed switch. It basically means that this switch has the forwarding capacity that supports concurrently all ports at full port capacity. It should be true for minimum packet sizes to. Non-blocking switch means the same thing. Non-blocking Switch internal bandwidth can handle all the port bandwidths, at the same time, at full capacity. Sometimes for high end switches non-blocking is also refereed to switch architecture ability to significantly reduce head-of-line blocking (HOL blocking).

HOL Head-of-line blocking

Head-of-line blocking (HOL blocking) in networking is a performance issue that occurs when a bunch of packets is blocked by the first packet in line. It can happen specially in input buffered network switches where out-of-order delivery of packets can occur. A switch can be composed of input buffered ports, output buffered ports and switch fabric.

When first-in first-out input buffers are used, only the first received packet is prepared to be forwarded. All packets received afterwards are not forwarded if the first one cannot be forwarded. That is basically what HOL blocking really is.