Archive

Posts Tagged ‘network sniffer’

How to Detect Possible Network Loops in Network?

April 12th, 2010 23 comments

Do you know what a network loop is? Have you ever had a network loop in your LAN? No matter you want it or not, a network loop in the LAN can bring down your whole network.

First, let’s see what a network loop is. What does a network loop do? A network loop is a network configuration there is more than one path between two computers or devices, which causes packets to be constantly repeated. This is due to the fact that a hub will blindly transmit everything it receives to all connections – other devices, such as switches and routers, might be able to reduce or eliminate this problem.

In this article, I’m going to show you how to detect the network loops in network with Capsa network analyzer 7.1?

Let’s start Capsa, and then add in the packet file into the ready-to-replay list. Without any other settings, click this icon to start replay directly.
01
To detect network loops, first we come to the Dashboard tab. The graphs show that the traffic is not big. We can conclude that, no machine is keeping sending a large sum of packets, to block the bandwidth.
02
We can sure from the Protocol tab, that only ICMP is used in the traffic. However, in Diagnosis tab, there is one record, IP TTL too low, which means a packet has passed too many routers. That is a sign od network loop.
03
And we can see the anomaly happens at IP address, one seventy two, dot sixteen, dot two zero eight, dot thirty three. Let’s start from this address. Right-click on the address, and locate it.
04
Then, go directly to the packet tab. We can see all the packets are ICMP packets. And we find the delta time between the packets is very small, and there are more than twelve thousand packets. This couldn’t be normal. Just a simple ping can’t produce so many packets, it looks like network loop a little bit.
05
To confirm our guess, we should go down to the digits in the packets. We can compare the field information of different packets, by checking the fields in this pane. While we come to the identification field, we can see there are so many packets have the same identification number. We know that one ICMP packets has its own identification number, there’s no way that so many packets have the same number. Now we are much sure it’s a network loop. But to make sure of this, we need to see another important field, TTL value. Check the Time To Live field. We can see that the same ICMP packet loops around the router, and each time it passes the router, its TTL value is reduced by one. Until its TTL value comes to zero, it’s dropped by the router. Then another packet does it again.
06
This is the end of the story. Hope you already know how to find out network loop in network with network sniffer.
A video tutorial for troubleshooting network loops is avaliable at http://www.colasoft.com/download/arp_flood_arp_spoofing_arp_poisoning_attack_solution_with_capsa.php