Chapter 18
Software and Hardware Tools

THE FOLLOWING COMPTIA NETWORK+ EXAM OBJECTIVES ARE COVERED IN THIS CHAPTER:

✓ 3.1 Given a scenario, use appropriate documentation and diagrams to manage the network

  • Network configuration and performance baselines

✓ 3.3 Explain common scanning, monitoring, and patching processes and summarize their expected outputs

  • Processes
    • Log reviewing
    • Port scanning
    • Vulnerability scanning
    • Reviewing baselines
    • Packet/traffic analysis
  • Event management
    • Notifications
    • Alerts
    • SIEM
  • SNMP monitors
    • MIB
  • Metrics
    • Error rate
    • Utilization
    • Bandwidth/throughput

✓ 4.2 Explain authentication and access controls.

  • Auditing and logging

✓ 5.1 Given a scenario, use the appropriate tool

  • Hardware tools
    • Crimper
    • Cable tester
    • Punch-down tool
    • OTDR
    • Light meter
    • Tone generator
    • Loopback adapter
    • Multimeter
    • Spectrum analyzer
  • Software tools
    • Packet sniffer
    • Port scanner
    • Protocol analyzer
    • Wi-Fi analyzer
    • Bandwidth speed tester

Specialized tasks require specialized tools, and installing network components is no exception. We use some of these tools, like network scanners, on an everyday basis, but most of the hardware tools I’ll be covering in this chapter are used mainly in the telecommunications industry.

Still, in order to meet the CompTIA Network+ objectives, and also because you’re likely to run across them in today’s networking environments, it’s very important that you’re familiar with them.

To find Todd Lammle CompTIA videos and practice questions, please see www.lammle.com/network+.

Understanding Network Scanners

Network scanner has become a broad term often referring to a family of tools used to analyze our networks, but the CompTIA Network+ objectives are much less vague. So with regard to those critical objectives, know that network scanners refer to these four tools:

  • Packet sniffers
  • Intrusion detection system/intrusion prevention system (IDS/IPS) software
  • Port scanners
  • Wi-Fi analyzers
  • Bandwidth speed testers

Packet Sniffers/Network Monitors

Unlike port scanners, packet sniffers actually look inside every packet on a network segment. Packet sniffers come in many flavors, and some of them, like Microsoft’s Message Analyzer, are even free today. Message Analyzer comes bundled with Windows Server and does allow you to analyze network communications traffic.

All good, but personally, I use Wireshark instead. It’s also free, and you can easily download it from www.wireshark.org. A nice feature of Wireshark is that it runs from Windows, OS X, Linux, and Unix platforms. It easily captures data on all my interfaces, including my wireless and virtual private network (VPN) connections, and looks at all traffic on the network segment. There are tons of packet sniffers available, and to get your hands on most of them, you’ll have to pony up some cash. Sometimes they’re worth it, though, because these higher-end products can even provide solutions to problems you find on your network—nice.

Anyway, free or not, the basic purpose of packet sniffers (or network analyzers) is to collect and analyze each individual packet that is captured on a specific network segment to determine if problems like bottlenecks, retransmissions, and security breaches are happening. Packet sniffers are a must-have for every network administrator to troubleshoot and find problems or security holes in a network. For example, you may discover that users are using an application on the network with usernames and passwords being sent unencrypted over the network.

You can also use packet sniffers to see if there is too much traffic on a segment, to see router or switch interfaces (referred to as interface monitoring), or even to see if a broadcast storm has been created by a bad network interface card (NIC). And remember—I do mean on a network segment—you can’t use them to catch packets passing through routers. These network analyzers can also show you top talkers and listeners on your network and provide packet flow monitoring.

Yes, they can help you find a hacker stalking around in there, but you’d really have to be looking closely and constantly to discover this. For that level of monitoring, you’d be better off using a tool known as an IDS/IPS. It can really help you track and even defeat hackers. (We’ll talk about IDS/IPS software in the next section.) The more expensive network sniffers can help find anomalies in your network, like a hack, and even alert you to these problems. Figure 18.1 shows output from a packet sniffer. Notice that you can identify both the IP addresses and the MAC addresses associated with any of the packets captured as well as identify the protocol in use.

Figure 18.1 Output from a packet sniffer

Image described by caption and surrounding text

You can definitely see that a packet sniffer can provide you with huge amounts of information. This means you really need something to narrow things down and help you to more readily find the needle in the haystack that you’re looking for, right?

In this case, help comes in the form of some handy built-in filters that can be used to gather information from just one specific host or server; without them, you’d have to go through possibly thousands of packets to find the problem. For the packet I’ve highlighted, you can see that there’s a probable User Datagram Protocol (UDP) checksum error. And by the way, because UDP is connectionless, this is a pretty common error.

You should download and start working with a network sniffer right away. As I mentioned, you can download Wireshark at www.wireshark.org for free, so what are you waiting for? Go for it!

Now comes the fun stuff—let’s take a look at ways we can find and stop hackers dead in their tracks.

Intrusion Detection and Prevention Software

An IDS detects unwanted attempts to manipulate network systems and/or environments, and an IPS is a computer-security device that monitors network and/or system activities for any strange or malicious behavior. It can react in real time to prevent and even block nasty activities. An IDS identifies, detects, and reports attempts of unauthorized access to the network as well as any suspicious activity, and it’s the best software type for identifying an attack. However, if you want to stop the attack in its tracks, you need to add an IPS device. So, unlike IDSs, which can identify an attack and report it, an IPS can stop the attack by shutting down ports or dropping certain types of packets.

A bunch of different IDS/IPS software packages are available on the market, and a lot of them are free. Again, predictably, the best ones aren’t, and they can be a bit pricey. These high-powered versions run on Linux or other proprietary hardware. But there are still many IDS/IPS software applications available for Windows.

Snort is one of the most popular IDS/IPS software products around. It runs on both Linux and Windows, and it’s a free, open-source platform, which happens to be a big reason for its popularity. But that’s not the only reason—just because it is free doesn’t mean it doesn’t offer up some pretty cool features. On the other hand, if you’re dealing with a large, corporate environment, you need some serious weaponry, and Cisco offers an Adaptive Security Appliance (ASA) as an enterprise solution that’s powerful but definitely far from free. It’s worth it, though.

Figure 18.2 shows a picture of a Cisco ASA box I use in my security classes.

Figure 18.2 A Cisco ASA

Image shows Cisco ASA and its parts such as SSM monitoring port, 10/100 out-of-band management port, compact flash, console port, two USB 2.0 ports, four 10/100/1000 copper Gigabit ports, and AUX ports.

Personally, I think the Cisco box is the best IDS/IPS box on the market today. Still, Snort isn’t bad (check out Cisco’s new acquisition, Sourcefire), so if cost is an issue, rest assured you can use it, as well as several other tools, and be much better equipped than you would be without them working on your network to help you keep it secure.

Figure 18.3 shows where you’d find a typical IDS/IPS in an internetwork.

Figure 18.3 IDS/IPS placement in an internetwork

Image shows firewall is placed between web server and SQL server (internal network). IDS/IPS is connected between firewall and SQL server.

To be honest, because of the device’s complexity and the many different physical configurations possible, this is a relatively simplistic view of an IDS/IPS working within a network. The important thing I want you to pay attention to is the fact that you would typically find the IDS/IPS software positioned between your internal router and the firewall to the outside network (Internet). If you’re using Snort, just add the software to a Linux box, and connect this box between the firewall and the router. This area would typically be your demilitarized zone (DMZ). The Basic Analysis and Security Engine (BASE) displays and reports intrusions and attacks logged in the Snort database in a web browser for convenient analysis.

Port Scanners

A port scanner is a software tool designed to search a host for open ports. Those of us administering our networks use port scanners to ensure their security, but bad guys use them to find a network’s vulnerabilities and compromise them. To port scan means to scan for TCP and UDP open ports on a single target host either to legitimately connect to and use its services for business and/or personal reasons or to find and connect to those ports and subsequently attack the host and steal or manipulate it for nefarious reasons.

In contrast, port sweeping means scanning multiple hosts on a network for a specific listening TCP or UDP port, like SQL. (SQL injection attacks are super common today.) This just happens to be a favorite approach used by hackers when trying to invade your network. They port sweep in a broad manner, and then, if they find something—in this case, SQL—they can port scan the particular host they’ve discovered with the desired service available to exploit and get what they’re after. This is why it’s a really good idea to turn off any unused services on your servers and routers and to run only the minimum services required on every host machine in your network. Do yourself a big favor and make sure this is in your security policy.

Remember that three-way handshake I discussed in Chapter 6, “Introduction to the Internet Protocol”? Well, it just so happens that a SYN scan is the most popular form of TCP scanning. Rather than use the operating system’s network functions, the port scanner actually generates raw IP packets itself and monitors for responses. This scan type is also known as half-open scanning because it never really opens a full TCP connection. The port scanner generates a SYN packet, and if the targeted port is open, it will respond with a SYN-ACK packet. The scanner host responds with an RST (reset) packet, closing the connection before the handshake is completed.
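From the defender’s side, the half-open pattern just described (SYN, SYN-ACK, then RST instead of the completing ACK) is also what you look for in a capture to spot a SYN scan. The following is an added example, not code from the book: it walks a list of constructed TCP segment records and reports any source that probes many ports this way, while a client that finishes the handshake with an ACK is left alone.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# One record per captured TCP segment: (src_ip, dst_ip, src_port, dst_port, flags)
# Flags use tcpdump-style letters: S = SYN, SA = SYN-ACK, A = ACK, R = RST, RA = RST-ACK.
Packet = Tuple[str, str, int, int, str]


def find_half_open_probes(packets: List[Packet]) -> Dict[str, Set[int]]:
    """Return {client_ip: ports probed with a half-open SYN / SYN-ACK / RST exchange}.

    A flow is tracked by its client-side 4-tuple. It counts as a half-open probe
    when the client sent SYN, the server answered SYN-ACK, and the client then
    tore it down with RST instead of sending the ACK that completes the handshake.
    """
    state: Dict[Tuple[str, str, int, int], str] = {}
    probes: Dict[str, Set[int]] = defaultdict(set)
    for src, dst, sport, dport, flags in packets:
        if flags == "S":
            state[(src, dst, sport, dport)] = "SYN"
        elif flags == "SA":
            # The SYN-ACK travels server -> client, so reverse the tuple to find the flow.
            key = (dst, src, dport, sport)
            if state.get(key) == "SYN":
                state[key] = "SYNACK"
        elif flags == "A":
            key = (src, dst, sport, dport)
            if state.get(key) == "SYNACK":
                state[key] = "ESTABLISHED"   # legitimate three-way handshake completed
        elif flags == "R":
            key = (src, dst, sport, dport)
            if state.get(key) == "SYNACK":
                probes[src].add(dport)       # handshake aborted after SYN-ACK: half-open probe
                state[key] = "RESET"
        # RST-ACK from the server (closed port) and other segments need no state change.
    return probes


def flag_scanners(packets: List[Packet], min_ports: int = 5) -> Dict[str, List[int]]:
    """Sources that half-open probed at least `min_ports` distinct ports on any host."""
    return {
        ip: sorted(ports)
        for ip, ports in find_half_open_probes(packets).items()
        if len(ports) >= min_ports
    }


# Constructed sample capture (not real traffic).
SAMPLE_PACKETS: List[Packet] = [
    # A legitimate client completes the handshake to port 443.
    ("10.0.0.7", "192.168.1.10", 51000, 443, "S"),
    ("192.168.1.10", "10.0.0.7", 443, 51000, "SA"),
    ("10.0.0.7", "192.168.1.10", 51000, 443, "A"),
]
# A second host half-open probes six ports; four are open (SYN-ACK), two are closed (RST-ACK).
for _i, _port in enumerate([22, 25, 80, 443, 3306, 8080]):
    _sport = 40000 + _i
    SAMPLE_PACKETS.append(("10.0.0.5", "192.168.1.10", _sport, _port, "S"))
    if _port in (22, 80, 443, 3306):
        SAMPLE_PACKETS.append(("192.168.1.10", "10.0.0.5", _port, _sport, "SA"))
        SAMPLE_PACKETS.append(("10.0.0.5", "192.168.1.10", _sport, _port, "R"))
    else:
        SAMPLE_PACKETS.append(("192.168.1.10", "10.0.0.5", _port, _sport, "RA"))

if __name__ == "__main__":
    print(flag_scanners(SAMPLE_PACKETS, min_ports=3))
```

Only ports that answered SYN-ACK are counted, so the threshold should be set with the knowledge that a scan of mostly closed ports will look smaller here than in a plain SYN count.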

Never use the tools I’m telling you about on computers belonging to any businesses or government agencies without their permission. It’s against the law in a big way, and they do monitor and prosecute! Know that I am not exaggerating here, so please do yourself a favor and use the following tools only to test your own network for vulnerabilities.

Although a free program named Network Mapper (Nmap) can be used as a port scanner, you can use it to do so much more. I give it two thumbs up and recommend that you download Nmap (http://nmap.org) and play with this cool program.

Nmap, like Snort, is open source. But Nmap runs on all platforms and can provide port-scanning ability, check all the open services running on each host, find firewalls, and even help tremendously with network management.

Figure 18.4 shows Nmap running on a Windows Vista platform, performing a Domain Name Service (DNS) resolution, and then a port scan to the host being monitored (Zenmap is the name of the GUI interface it uses). Pretty chill, right?

Figure 18.4 Nmap in action

Image described by caption and surrounding text

Nmap is very flexible, and again, I really encourage you to check it out. One of the other nice features of Nmap is its documentation capacity. It comes with a complete set of instructions and equips you with documentation to help you troubleshoot and map your network.

Even though Nmap is pretty simple, there are even simpler tools out there—a whole lot of them. Angry IP is a program I also use that provides both IP-scanning and port-scanning abilities. It’s definitely not as complex as Nmap, but because it’s extremely easy to use, you might want to try out this free, open-source program as well. Figure 18.5 illustrates port scanning with Angry IP.

Figure 18.5 Angry IP port scanning

Image described by caption and surrounding text

You can see right away that this is a much simpler program than some of the other sniffing and port mapping tools we’ve discussed, but simple doesn’t mean it isn’t powerful. Angry IP slowed the PC I was scanning way down when I performed a full port scan on the host using this program. Check it out at http://angryip.org.

Real World Scenario

Hacked and Blamed!

I’ve already mentioned that you shouldn’t port scan on hosts that are not yours, but you need to be careful that someone else does not use your hosts or servers to port scan someone else’s servers as well. A few years ago, I had a server at an ISP, and some crackers had hacked into my server and were using it to port scan the Department of Defense (DoD) servers. I received a letter from the DoD informing me of this issue. They were very professional and even mentioned that it probably wasn’t me doing the port scanning, but they said that if it happened again, they would prosecute me. They told me that I was responsible for my server and that if I did not stop the attackers, I would be liable.

I was terribly embarrassed, and I was a little freaked out, too! After looking at the server logs, I realized that the crackers were from France and that they had been in my server for three months. Instead of just locking down the ports and getting rid of the hackers, I formatted the server. Why? Because crackers/hackers are notorious for creating many backdoors once they are in a system, in case they get caught, so just locking them out would not have solved the problem. If this happens to you, a reformat is typically what you need to do. I also upgraded to the latest server operating system, which helped with some of the security issues.

Wi-Fi Analyzer

A Wi-Fi analyzer, or wireless analyzer, is similar to the network analyzers that I’ve already discussed but is used for sniffing wireless networks. Wi-Fi analyzers can find the channels in use, the amount of clients and bandwidth used, top talkers, and more. On wireless LANs, one can capture traffic on a particular channel or on several channels when using multiple adapters.

Wi-Fi analyzers identify networks by passively collecting packets and detecting standard named networks, detecting (given time) hidden networks, and inferring the presence of nonbeaconing networks via data traffic.

Figure 18.6 shows an output of a wireless analyzer.

Figure 18.6 Wireless analyzer

Image described by caption and surrounding text

In addition to using a wireless analyzer, to create a good wireless network, you need to do a wireless survey of the floor or building where you are installing your network. To do this, you need a wireless survey tool. Wireless survey tools help you design and deploy the most accurate indoor and outdoor wireless LAN networks (802.11n/a/b/g/ac) correctly the first time and prevent costly rework and IT complaints.

You can collect real-world data by performing unique true end-user experience measurements (wireless LAN throughput, data rates, retries, losses). You can also minimize the (expensive) impact of RF interference sources on wireless 802.11n/a/b/g/ac LAN performance by performing simultaneous wireless spectrum analysis in a single walk-through.

In addition, you can certify the wireless network for any design/application requirements using customer-ready pass/fail assessment reports. Figure 18.7 shows an output of a wireless survey tool.

Figure 18.7 Wireless survey tool

Image described by caption and surrounding text

Bandwidth Speed Tester

A bandwidth speed test is exactly what it sounds like. It is a device that tests the speed of data transfer in the network. While there are many Internet-based tools for testing the Internet connection, to test the performance of the LAN itself you will need a tool that operates within the network.

An example is LAN Speed Test from Totusoft. It is designed to measure your file transfer and network speeds (wired and wireless). It does this by building a file in memory, transferring it both ways (removing the effects of Windows file caching) while keeping track of the time, and then doing the calculations for you.

Baseline

High-quality documentation should include a baseline for network performance because you and your client need to know what “normal” looks like in order to detect problems before they develop into disasters. Don’t forget to verify that the network conforms to all internal and external regulations and that you’ve developed and itemized solid management procedures and security policies for future network administrators to refer to and follow.

In networking, baseline can refer to the standard level of performance of a certain device or to the normal operating capacity for your whole network. For instance, a specific server’s baseline describes norms for factors like how busy its processors are, how much of the memory it uses, and how much data usually goes through the NIC at a given time.

A network baseline delimits the amount of bandwidth available and when. For networks and networked devices, baselines include information about four key components:

  • Processor
  • Memory
  • Hard-disk (or other storage) subsystem
  • Wired/wireless utilization

After everything is up and running, it’s a good idea to establish performance baselines on all vital devices and your network in general. To do this, measure things like network usage at three different strategic times to get an accurate assessment. For instance, peak usage usually happens around 8:00 a.m. Monday through Friday, or whenever most people log in to the network in the morning. After hours or on weekends is often when usage is the lowest. Knowing these values can help you troubleshoot bottlenecks or determine why certain system resources are more limited than they should be. Knowing what your baseline is can even tell you if someone’s complaints about the network running like a slug are really valid—nice!

It’s good to know that you can use network-monitoring software to establish baselines. Even some server operating systems come with software to help with network monitoring, which can help find baselines, perform log management, and even do network graphing as well so you can compare the logs and graphs at a later period of time on your network.

In my experience, it’s wise to re-baseline network performance at least once a year. And always pinpoint new performance baselines after any major upgrade to your network’s infrastructure.

Network Monitoring and Logging

There are a lot of ways to find out what’s really going on within your network. Most administrators opt to directly keep tabs on network performance by looking at important factors like data rates and available bandwidth, using the many tools on the market designed to help with that. Another good strategy for assessing a network’s health and well-being is via the more indirect route of monitoring the logs that your server operating systems keep. These can help you spot problems on your physical network as well as services or applications that aren’t running properly and could eventually bring the network or its resources down and make your users really unhappy.

Network Monitoring

Some key network-monitoring tools and diagnostic utilities around today are software additions that run on an existing server operating system like Windows Server or Unix. Others are stand-alone hardware devices that you plug into your network, but both are basically the packet sniffers we talked about back in Chapter 14. Although it’s true that hackers can and do use sniffers to capture network traffic and gather data for an attack, we make good use of them too. And strange but true, being a bit of a hacker yourself can make you a much better sys admin—knowing your enemies and their methods can help you find the same holes they would use for evil, and you can use that knowledge to plug security holes and even optimize your network’s performance.

Packet sniffers allow you to examine network traffic down to details of individual packets. You can put the packet’s header under the microscope: It contains vital information about the protocol being used to encapsulate it, plus the source and destination IP addresses. This is super-valuable information—if I’m seeing the speed of traffic on a specific segment grind to a crawl, one of the first things I’ll look for is one IP address that’s spewing tons of data. If that’s the case, it could mean that I’ve got a failing network adapter because a common symptom of a dying NIC is to become extremely “chatty” by sending out broadcast packets and clogging things to the point that legitimate traffic can’t get through. It’s like getting a deluge of junk mail and being forced to read every last bit of it; a broadcast packet is technically addressed to everyone, meaning that all the other NICs on the segment have to stop and read what’s in it—not so good.

Good news—routers are, by default, configured to prevent broadcasts from going from one segment to another. Most switches sold today are also able to prevent broadcasts from spreading to multiple network segments, but not by default.

When you hear people refer to things like load testing, connectivity testing, and throughput testing, they’re really talking about network monitoring. You’ll also hear network monitors referred to as protocol analyzers. Microsoft has a graphical utility called Network Monitor that can be used to capture network traffic. The current version is 3.4, and it’s supported by Windows Vista, Windows 7/8/10, and Server 2003/2008/2012. You can download it from Microsoft’s website, but for it to work, your network adapter must be able to work in promiscuous mode (yes, you read that right!). Several third parties specialize in producing network monitors, such as Fluke Networks, which makes some cool tools like the OptiView Network Analyzer.

SNMP

Although Simple Network Management Protocol (SNMP) certainly isn’t the oldest protocol ever, it’s still pretty old, considering it was created way back in 1988 (RFC 1065)!

SNMP is an Application layer protocol that provides a message format for agents on a variety of devices to communicate with network management stations (NMSs)—for example, Cisco Prime or HP Openview. These agents send messages to the NMS station, which then either reads or writes information in the database, stored on the NMS, that’s called a Management Information Base (MIB).

The NMS periodically queries or polls the SNMP agent on a device to gather and analyze statistics via GET messages. These messages can be sent to a console or alert you via email or SMS. The command snmpwalk uses the SNMP GET NEXT request to query a network for a tree of information.

End devices running SNMP agents would send an SNMP trap to the NMS if a problem occurs. This is demonstrated in Figure 18.8.

Figure 18.8 SNMP GET and TRAP messages

Image shows an NMS exchanging SNMP GET and TRAP messages with a router’s Gi0/1 interface.

Admins can also use SNMP to provide some configuration to agents as well, called SET messages. In addition to polling to obtain statistics, SNMP can be used for analyzing information and compiling the results in a report or even a graph. Thresholds can be used to trigger a notification process when exceeded. Graphing tools are used to monitor the CPU statistics of devices like a core router. The CPU should be monitored continuously, and the NMS can graph the statistics. Notification will be sent when any threshold you’ve set has been exceeded.
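The reason snmpwalk can pull back a whole tree with nothing but GET NEXT requests is that an agent keeps its MIB instances in lexicographic OID order, and GET NEXT always returns the first instance after the one you name. The following is an added example, not code from the book or from any SNMP library: a toy in-memory agent (an assumption, standing in for a real device) that answers GET and GET NEXT over a few standard MIB-II objects, and a walk() that repeats GET NEXT until it leaves the requested subtree.

```python
from typing import Dict, List, Optional, Tuple

OID = Tuple[int, ...]


def parse_oid(text: str) -> OID:
    """'.1.3.6.1.2.1.1.5.0' -> (1, 3, 6, 1, 2, 1, 1, 5, 0)."""
    return tuple(int(part) for part in text.strip(".").split("."))


def oid_to_str(oid: OID) -> str:
    return "." + ".".join(str(part) for part in oid)


class ToyAgent:
    """Stand-in for an SNMP agent (assumption: an in-memory table, no network).

    Instances are kept sorted; tuple comparison on the integer arcs gives exactly
    the lexicographic order SNMP defines for OIDs.
    """

    def __init__(self, objects: Dict[str, object]) -> None:
        self._table: List[Tuple[OID, object]] = sorted(
            (parse_oid(k), v) for k, v in objects.items()
        )

    def get(self, oid: str) -> Optional[object]:
        """GET: the value of exactly this instance, or None (noSuchObject)."""
        key = parse_oid(oid)
        for k, v in self._table:
            if k == key:
                return v
        return None

    def get_next(self, oid: str) -> Optional[Tuple[str, object]]:
        """GET NEXT: the first instance strictly after `oid`, or None (endOfMibView)."""
        key = parse_oid(oid)
        for k, v in self._table:
            if k > key:
                return oid_to_str(k), v
        return None


def walk(agent: ToyAgent, subtree: str) -> List[Tuple[str, object]]:
    """What snmpwalk does: chain GET NEXT requests, stopping once the reply leaves the subtree."""
    prefix = parse_oid(subtree)
    results: List[Tuple[str, object]] = []
    current = subtree
    while True:
        reply = agent.get_next(current)
        if reply is None:
            break                                   # end of the agent's MIB view
        oid_str, value = reply
        if parse_oid(oid_str)[: len(prefix)] != prefix:
            break                                   # first instance outside the subtree
        results.append((oid_str, value))
        current = oid_str                           # next request starts from what we just got
    return results


# Constructed MIB contents for a two-port router; the OIDs are standard MIB-II
# (sysDescr, sysName, ifDescr, ifOperStatus) but the values are made up.
SAMPLE_MIB: Dict[str, object] = {
    ".1.3.6.1.2.1.1.1.0": "Constructed router description",
    ".1.3.6.1.2.1.1.5.0": "SF",
    ".1.3.6.1.2.1.2.2.1.2.1": "GigabitEthernet0/1",
    ".1.3.6.1.2.1.2.2.1.2.2": "GigabitEthernet0/2",
    ".1.3.6.1.2.1.2.2.1.8.1": 1,   # ifOperStatus up
    ".1.3.6.1.2.1.2.2.1.8.2": 2,   # ifOperStatus down
}

if __name__ == "__main__":
    agent = ToyAgent(SAMPLE_MIB)
    for oid, value in walk(agent, ".1.3.6.1.2.1.2.2.1.2"):   # walk the ifDescr column
        print(oid, value)
```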

SNMP has three versions, with version 1 being rarely, if ever, implemented today. Here’s a summary of these three versions:

SNMPv1 Supports plaintext authentication with community strings and uses only UDP.

SNMPv2c Supports plaintext authentication with MD5 or SHA with no encryption but provides GET BULK, which is a way to gather many types of information at once and minimize the number of GET requests. It offers a more detailed error message reporting method, but it’s not more secure than v1. It uses UDP even though it can be configured to use TCP.

SNMPv3 Supports strong authentication with MD5 or SHA, providing confidentiality (encryption) and data integrity of messages via DES or DES-256 encryption between agents and managers. GET BULK is a supported feature of SNMPv3, and this version also uses TCP.

Syslog

Reading system messages from a switch’s or router’s internal buffer is the most popular and efficient method of seeing what’s going on with your network at a particular time. But the best way is to log messages to a syslog server, which stores messages from you and can even time-stamp and sequence them for you, and it’s easy to set up and configure! Figure 18.9 shows a syslog server and client in action.

Figure 18.9 Syslog server and client

Image shows a syslog server linked to the SF router and receiving the router’s console messages.

Syslog allows you to display, sort, and even search messages, all of which makes it a really great troubleshooting tool. The search feature is especially powerful because you can use keywords and even severity levels. Plus, the server can email admins based on the severity level of the message.

Network devices can be configured to generate a syslog message and forward it to various destinations. These four examples are popular ways to gather messages from Cisco devices:

  • Logging buffer (on by default)
  • Console line (on by default)
  • Terminal lines (using the terminal monitor command)
  • Syslog server

As you already know, all system messages and debug output generated by the IOS go out only the console port by default and are also logged in buffers in RAM. And you also know that routers aren’t exactly shy about sending messages! To send messages to the VTY lines, use the terminal monitor command.

So, by default, we’d see something like this on our console line:

*Oct 21 17:33:50.565:%LINK-5-CHANGED:Interface FastEthernet0/0, changed state to administratively down

*Oct 21 17:33:51.565:%LINEPROTO-5-UPDOWN:Line protocol on Interface FastEthernet0/0, changed state to down

And the router would send a general version of the message to the syslog server that would be formatted something like this:

Seq no:timestamp: %facility-severity-MNEMONIC:description

The system message format can be broken down in this way:

Seq no This stamp logs messages with a sequence number, but not by default. If you want this output, you’ve got to configure it.

Timestamp Date and time of the message or event.

Facility The facility to which the message refers.

Severity A single-digit code from 0 to 7 that indicates the severity of the message.

MNEMONIC Text string that uniquely describes the message.

Description Text string containing detailed information about the event being reported.

The severity levels, from the most severe level to the least severe, are explained in Table 18.1. Informational is the default and will result in all messages being sent to the buffers and console.

Table 18.1 Severity levels

Severity Level Explanation
Emergency (severity 0) System is unusable.
Alert (severity 1) Immediate action is needed.
Critical (severity 2) Critical condition.
Error (severity 3) Error condition.
Warning (severity 4) Warning condition.
Notification (severity 5) Normal but significant condition.
Information (severity 6) Normal information message.
Debugging (severity 7) Debugging message.

If you are studying for your CompTIA Network+ exam, you need to memorize Table 18.1.

Understand that only emergency-level messages will be displayed if you’ve configured severity level 0. But if, for example, you opt for level 4 instead, levels 0 through 4 will be displayed, giving you emergency, alert, critical, error, and warning messages too. Level 7 is the highest severity-level option and displays everything, but be warned that going with it could have a serious impact on the performance of your device. So always use debugging commands carefully with an eye on the messages you really need to meet your specific business requirements!
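Putting the message format, Table 18.1 and the logging-level rule together: the following is an added example, not code from the book, that parses IOS messages of the form seq no:timestamp: %facility-severity-MNEMONIC:description (the sequence number is optional, since IOS only adds it when configured) and then applies a configured level the way the router does, keeping severity 0 through that level. The first two sample lines are the ones shown above; the other two are constructed.

```python
import re
from typing import Dict, List, Optional

# Table 18.1 severity levels, most severe first.
SEVERITY_NAMES = {
    0: "Emergency", 1: "Alert", 2: "Critical", 3: "Error",
    4: "Warning", 5: "Notification", 6: "Information", 7: "Debugging",
}

# seq no:timestamp: %FACILITY-SEVERITY-MNEMONIC:description
# The timestamp is taken as everything between the optional sequence number
# and the "%" that starts the facility, so it copes with or without a space before "%".
_MSG_RE = re.compile(
    r"^(?:(?P<seq>\d+):\s*)?"                       # optional sequence number
    r"(?P<timestamp>[^%]*?)\s*"                      # e.g. "*Oct 21 17:33:50.565:"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):"
    r"\s*(?P<description>.*)$"
)


def parse_ios_message(line: str) -> Optional[Dict[str, object]]:
    """Split one IOS system message into its fields; None if the line is not one."""
    m = _MSG_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    severity = int(fields["severity"])
    return {
        "seq": int(fields["seq"]) if fields["seq"] else None,   # None when sequence numbers are off
        "timestamp": fields["timestamp"].rstrip(":").strip(),
        "facility": fields["facility"],
        "severity": severity,
        "severity_name": SEVERITY_NAMES[severity],
        "mnemonic": fields["mnemonic"],
        "description": fields["description"].strip(),
    }


def filter_by_level(lines: List[str], configured_level: int) -> List[Dict[str, object]]:
    """Messages a destination configured at `configured_level` would receive (severity 0..level)."""
    if not 0 <= configured_level <= 7:
        raise ValueError("logging level must be 0-7")
    kept: List[Dict[str, object]] = []
    for line in lines:
        msg = parse_ios_message(line)
        if msg is not None and msg["severity"] <= configured_level:
            kept.append(msg)
    return kept


SAMPLE_LINES = [
    # The two console messages from the text above.
    "*Oct 21 17:33:50.565:%LINK-5-CHANGED:Interface FastEthernet0/0, changed state to administratively down",
    "*Oct 21 17:33:51.565:%LINEPROTO-5-UPDOWN:Line protocol on Interface FastEthernet0/0, changed state to down",
    # Constructed: a severity-2 message with sequence numbering turned on.
    "000123: *Oct 21 17:34:02.101: %SYS-2-MALLOCFAIL: Memory allocation of 1024 bytes failed",
    # Constructed: a severity-7 debugging message.
    "*Oct 21 17:34:05.200: %SYS-7-USERLOG_DEBUG: Message from tty0(user id: admin): test message",
]

if __name__ == "__main__":
    for level in (4, 6, 7):
        names = [m["mnemonic"] for m in filter_by_level(SAMPLE_LINES, level)]
        print(f"logging level {level}: {names}")
```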

SIEM

Security information and event management (SIEM) is a term for software products and services combining security information management (SIM) and security event management (SEM). SIEM technology provides real-time analysis of security alerts generated by network hardware and applications. You can get this as a software solution or a hardware appliance, and some businesses sell managed services using SIEM. Any one of these solutions logs security data and can generate reports for compliance purposes.

The acronyms SEM, SIM, and SIEM are used interchangeably; however, SEM is typically used to describe the management that deals with real-time monitoring and correlation of events, notifications, and console views.

The term SIM is used to describe long-term storage, analysis, and reporting of log data. Recently, vSIEM (voice security information and event management) was introduced to provide voice data visibility.

SIEM provides the following capabilities:

  • Data aggregation
  • Correlation
  • Alerting
  • Dashboards
  • Compliance
  • Retention
  • Forensic analysis

Notifications

SIEM systems not only assess the aggregated logs in real time, they generate alerts or notifications when an issue is discovered. This allows for continuous monitoring of the environment in a way not possible with other log centralization approaches such as syslog.

Speed Test Sites

Speed test sites are especially helpful for testing the bandwidth of your Internet connection. I typically use Speakeasy’s Speed Test, but just search for speed tests, or DSL speed tests, and you’ll get a whole host of speed test sites.

Figure 18.10 shows the speed test site that I use.

Figure 18.10 Speakeasy Speed Test

Image shows Speakeasy speed test screen that has options such as choose location, line speed, percent complete, testing download speed, download speed, and upload speed.

Looking Glass Sites

You can access a Looking Glass (LG) server remotely to view routing information. They are servers on the Internet that run Looking Glass software that is available to the public. The servers are essentially read-only portals to the router belonging to the organizations running them. They are basically just providing a ping or traceroute from a remote location for you.

Figure 18.11 shows an output from a Looking Glass server.

Figure 18.11 Looking Glass site output

Image shows a Looking Glass site output screen with fields for “test, router location, hostname / IP address” and the result “PING google.com (74.125.201.139) 56(84) bytes of data.”

Server Logs

Windows Server 2016 (and most other Windows operating systems) comes with a tool called Event Viewer that provides you with several logs containing vital information about events happening on your computer. Other server operating systems have similar logs, and many connectivity devices like routers and switches also have graphical logs that gather statistics on what’s happening to them. These logs can go by various names, like history logs, general logs, or server logs. Figure 18.12 shows an Event Viewer system log display from a Windows Server 2003 machine.

Figure 18.12 Windows Event Viewer system log


On Windows servers, a minimum of three separate logs hold different types of information:

Application Contains events triggered by applications or programs determined by their programmers. Example applications include LiveUpdate, the Microsoft Office suite, and SQL and Exchange servers.

Security Contains security events like valid or invalid logon attempts and potential security problems.

System Contains events generated by Windows system components, including drivers and services that started or failed to start.

The basic “Big Three” can give us lots of juicy information about who’s logging on, who’s accessing the computer, and which services are running properly (or not). If you want to find out whether your Dynamic Host Configuration Protocol (DHCP) server started up its DHCP service properly, just check out its system log. Because the computer depicted in Figure 18.12 is configured as a domain controller, its Event Viewer serves up three more logs: Directory Service, DNS Server, and File Replication Service, for a total of six.
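The security log is where the “who’s logging on” answer lives. As an added example (not from the book), here is a small pass over constructed Security log records that tallies successful and failed logons and flags an account whose run of failures ended in a success; event IDs 4624 and 4625 are the standard Windows IDs, while the record layout, names and addresses are made up for the example.

```python
"""Pick out failed-logon activity from Windows Security log records.

Added example, not from the book. Event IDs 4624 (successful logon) and
4625 (failed logon) are the standard Windows Security log IDs; the records
below are constructed and use a simplified field layout, not Microsoft's
exact export format.
"""
from collections import Counter, defaultdict

# Constructed sample: one dict per Security log record
SAMPLE_EVENTS = [
    {"time": "2024-05-01 08:00:01", "id": 4624, "account": "alice", "src": "10.0.0.5"},
    {"time": "2024-05-01 08:00:09", "id": 4625, "account": "bob", "src": "10.0.0.9"},
    {"time": "2024-05-01 08:00:10", "id": 4625, "account": "bob", "src": "10.0.0.9"},
] + [
    {"time": f"2024-05-01 08:05:0{i}", "id": 4625, "account": "administrator",
     "src": "203.0.113.7"}
    for i in range(6)                       # six failures in six seconds...
] + [
    {"time": "2024-05-01 08:05:06", "id": 4624, "account": "administrator",
     "src": "203.0.113.7"},                 # ...followed by a success
]


def summarize_logons(events):
    """Count successes and failures, and break failures down by account and source."""
    summary = {"success": 0, "failure": 0,
               "failures_by_account": Counter(), "failures_by_source": Counter()}
    for ev in events:
        if ev["id"] == 4624:
            summary["success"] += 1
        elif ev["id"] == 4625:
            summary["failure"] += 1
            summary["failures_by_account"][ev["account"]] += 1
            summary["failures_by_source"][ev["src"]] += 1
    return summary


def find_suspicious_logons(events, threshold=5):
    """Return accounts whose unbroken run of failures reached `threshold`,
    with the sources involved and whether a success ended the run."""
    streak = defaultdict(lambda: {"count": 0, "sources": set()})
    findings = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        acct = ev["account"]
        s = streak[acct]
        if ev["id"] == 4625:
            s["count"] += 1
            s["sources"].add(ev["src"])
            if s["count"] >= threshold:
                findings[acct] = {"failures": s["count"],
                                  "sources": sorted(s["sources"]),
                                  "success_after": False}
        elif ev["id"] == 4624:
            if s["count"] >= threshold:
                findings[acct]["success_after"] = True
            s["count"], s["sources"] = 0, set()   # a success ends the run
    return findings


if __name__ == "__main__":
    print(summarize_logons(SAMPLE_EVENTS))
    print(find_suspicious_logons(SAMPLE_EVENTS))
```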

Windows 2000 Server and Windows Server 2003 came with System Monitor—another graphical tool used to create network baselines, provide performance logs, and identify bottlenecks. Windows Server 2008 R2 offered an optional monitoring and optimization tool called System Center Operations Manager 2010.

Utilization

Wired and wireless analyzers can show you the bandwidth used on your network segments or wireless area. There are tools to help you find the stats on storage, network device CPU, and device memory for your servers and hosts.

For example, if you have a Mac, you can use the built-in activity monitor, which provides the CPU usage, memory statistics, energy used by the applications, disk usage, and network bytes sent and received, as shown in Figure 18.13.

Figure 18.13 Mac Activity Monitor


In addition to utilization information for your hosts, servers, networks, and so on, you need information about the wireless channel utilization on your network. To get it, you need to use a wireless analyzer, which I’ve already discussed.

The wireless analyzer in Figure 18.14 is showing channel utilization. Notice that three channels—1, 6, and 11—are in use.

Figure 18.14 Wireless channel utilization


Identifying Hardware Tools

A great example of when the hardware tools and testers I’m about to cover would come in really handy is if you’re dealing with failed fiber links between structures. As a system administrator running a network with a server, routers, and switches, it’s entirely possible you’ll never find yourself in a situation that calls for these tools. But if you’re in network design or a field that requires installing cabling, then these hardware tools are going to be really valuable to you. Unlike the software tools we just talked about, none of these goodies are free, but they do come in a variety of flavors that run the gamut from real bargains to “You’re joking—how much?” Some of them can indeed free you of thousands of dollars!

Cable testers are the most widely used hardware tool in today’s LANs, so let’s start with them.

Cable Testers

The best way to deal with a faulty cable installation is to avoid the problem in the first place by purchasing high-quality components and installing them carefully. Still, this isn’t a perfect world—no matter how careful you are, problems are bound to arise anyway. The tools that I’m going to cover can be used to test cables at the time of their installation and afterward, if and when you need to troubleshoot cabling problems. Cable-testing tools can range from simple, inexpensive mechanical devices to elaborate electronic testers that automatically supply you with a litany of test results in an easy-to-read pass/fail format. Figure 18.15 shows an example of an inexpensive cable tester for twisted-pair wiring testing.

Figure 18.15 An inexpensive cable tester


This little box can verify the connection through the cable and tell you if the cable is straight-through or crossover. It can also identify problems such as grounding issues. Sometimes the problem is not a complete lack of connectivity. Sometimes performance is slow, which can also be a cabling issue that a cable tester can identify. This tool is as cheap as they come.

Let’s focus on the types of tools available for both copper and fiber-optic cable testing. This is not to say that you need all of the tools listed here. In fact, I’ll try to steer you away from certain types of tools. Sometimes you’ll get lucky and have the luxury of choosing between high-tech and low-tech devices that perform roughly the same function. You can choose which ones you prefer according to the requirements of your network, your operational budget, even your temperament and time constraints. Some of the tools are extremely complicated and require extensive training to use effectively, whereas others can be used by pretty much anybody equipped with a functioning brain.

Other important considerations to keep in mind when selecting the types of tools you need are based on the descriptions of cable tests given earlier in this chapter, the test results required by the standards you’re using to certify your network, and the capabilities of the people who will be doing the actual work. And don’t forget the potentially painful cost of some of them.

Loopback Adaptor (Plug)

A loopback test is a diagnostic procedure in which a signal is transmitted and returned to the sending device after passing through all or a portion of a network or circuit. The returned signal is compared with the transmitted signal to evaluate the integrity of the equipment or transmission path. A computer needs a loopback plug that is inserted into a port in order to perform a loopback test.

Loopback plugs are made for both Ethernet and fiber applications. Figure 18.16 shows an Ethernet loopback plug and Figure 18.17 shows a plug for fiber applications.

Figure 18.16 Ethernet loopback plug


Figure 18.17 Fiber loopback plug


Wire-Map Testers

A wire-map tester is a device that transmits signals through each wire in a copper twisted-pair cable to determine if it’s connected to the correct pin at the other end. Wire mapping is the most basic test for twisted-pair cables because the eight separate wire connections involved in each cable run are a common source of installation errors. Wire-map testers detect transposed wires, opens (broken or unconnected wires), and shorts (wires or pins improperly connected to each other). All of these problems can render a cable run completely inoperable.

Wire-map testing is nearly always included in multifunction cable testers, but sometimes it’s just not worth spending serious cash on a comprehensive device. Dedicated wire-map testers that run about two to three hundred bucks are relatively inexpensive options that enable you to test your installation for the most common faults that occur during installations and afterward. If, say, you’re installing voice-grade cable, a simple wire-mapping test is probably all that’s needed.

A wire-map tester essentially consists of a remote unit that you attach to the far end of a connection and a battery-operated, handheld main unit that displays the results. Typically, the tester displays various codes that indicate the specific type of fault that it finds. You can also purchase a tester with multiple remote units that are numbered so that one person can test several connections without constantly traveling back and forth from one end of the connections to the other to move the remote unit.

The one wiring fault that is not detectable by a dedicated wire-map tester is something known as split pairs. This fault flies under the radar because even though the pinouts are incorrect, the cable is still wired straight through. To detect split pairs, you must use a device that tests the cable for the near-end crosstalk that split pairs cause.
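To make the wire-map logic concrete, here is an added example (not from the book) that classifies a pin-to-pin map the way a dedicated wire-map tester reports it: opens, shorts, transposed wires, straight-through or crossover. The straight-through and crossover maps use the TIA-568 pin conventions; the fault cases are constructed, and the last function shows why a split pair needs information the wire map alone never carries.

```python
"""Classify a twisted-pair wire map as a wire-map tester would.

Added example, not from the book. A wire map is modelled as {near_pin: far_pin},
with far_pin None for an open; two near pins landing on one far pin model a short.
"""
STRAIGHT = {p: p for p in range(1, 9)}
# 10/100 crossover swaps pairs 1-2 and 3-6; a gigabit crossover also swaps 4-5 and 7-8
CROSSOVER = {1: 3, 2: 6, 3: 1, 6: 2, 4: 7, 5: 8, 7: 4, 8: 5}
# which pins share a twist in a correctly built cable (TIA-568 pair layout)
T568_PAIRS = {frozenset(p) for p in [(1, 2), (3, 6), (4, 5), (7, 8)]}


def classify_wire_map(wire_map):
    """Return (verdict, faults) for a {near_pin: far_pin} map."""
    faults = []
    opens = sorted(p for p, far in wire_map.items() if far is None)
    if opens:
        faults.append(("open", opens))
    by_far = {}
    for near, far in sorted(wire_map.items()):
        if far is not None:
            by_far.setdefault(far, []).append(near)
    for nears in by_far.values():
        if len(nears) > 1:                      # two conductors reach one far pin
            faults.append(("short", sorted(nears)))
    if faults:
        return "fault", faults
    if wire_map == STRAIGHT:
        return "straight-through", []
    if wire_map == CROSSOVER:
        return "crossover", []
    transposed = sorted(p for p, far in wire_map.items() if far != p)
    return "miswire", [("transposed", transposed)]


def split_pairs(twisted_pairs):
    """Return the pairs twisted with the wrong partner.

    The input is which conductors actually share a twist, something only a
    near-end crosstalk (NEXT) measurement reveals. The pin-to-pin map of a
    split-pair cable is a perfect straight-through, so the tester above
    reports it as fine."""
    return sorted(sorted(p) for p in twisted_pairs if frozenset(p) not in T568_PAIRS)


# Constructed fault cases
OPEN_ON_6 = {**STRAIGHT, 6: None}
SHORT_1_2 = {**STRAIGHT, 2: 1}
REVERSED_1_2 = {**STRAIGHT, 1: 2, 2: 1}
SPLIT_TWISTS = [(1, 2), (3, 4), (5, 6), (7, 8)]   # pins 3-4 and 5-6 twisted together

if __name__ == "__main__":
    for name, wm in [("straight", STRAIGHT), ("open", OPEN_ON_6), ("short", SHORT_1_2)]:
        print(name, classify_wire_map(wm))
    print("split pairs (invisible to a wire map):", split_pairs(SPLIT_TWISTS))
```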

Continuity Testers

A continuity tester, or line tester, is an even simpler and less-expensive device than a wire-map tester; it’s designed to check a copper cable connection for basic installation problems like opens, shorts, and crossed pairs. It will set you back only a few dollars, but such a device usually can’t detect the more complicated twisted-pair wiring faults. It’s still a nice option for basic cable testing, especially for coaxial cables that have only two conductors and so don’t easily confuse whoever is installing them.

Like a wire-map tester, a continuity tester consists of two separate units that you connect to each end of the cable you want to test. Most of the time, the two units can snap together for storage and easy testing of patch cables. But remember, a continuity tester simply tests continuity, equivalent to data at one bit per minute (or slower), and cannot tell you whether or not a cable will reliably pass Ethernet data at network speeds. For that, you need a real cable tester that can test cables up to Gigabit speeds or higher.

Protocol Analyzer

A protocol analyzer is often confused with a packet sniffer because some products really are both. Remember—a packet sniffer looks at all traffic on a network segment. On the other hand, a protocol analyzer (surprise!) analyzes protocols. These tools come in both software and hardware versions, but compared to the products I listed earlier in this chapter, a network protocol analyzer is likely to give you more information and help than a sniffer will. This is because a bona fide protocol analyzer can actually help you troubleshoot problems, whereas most sniffers just provide information for you to have a ball deciphering.

A network protocol analyzer can perform the following functions:

  • Help troubleshoot hard-to-solve problems
  • Help you detect and identify malicious software (malware)
  • Help gather information such as baseline traffic patterns and network-utilization metrics
  • Help you identify unused protocols so that you can remove them from the network
  • Provide a traffic generator for penetration testing
  • Possibly even work with an IDS

And last, and perhaps most important for you, they can really help you learn about networking in general. This means if you just want to find out why a network device is functioning in a certain way, you can use a protocol analyzer to sniff (there’s that word again) the traffic and expose the data and protocols that pass along the wire.

Free Network Analyzers

I’ve found a whole bunch of network analyzers you can use for free at the following location:

www.snapfiles.com/freeware/network/fwpacketsniffer.html

But understand that there’s no way I can verify the validity of this link after this book is published. Again, the terms sniffer and analyzer are used to define the same products found at this link. For example, both Microsoft’s Network Monitor (NetMon) and Wireshark are called sniffers and analyzers, and they both are—at least to some degree.

Certifiers

Certification testers—or certifiers—are used to determine whether your network meets specific International Organization for Standardization (ISO) or Telecommunications Industry Association (TIA) standards (Cat 5e, Cat 6, or Cat 7). They are the only option for you in this case. Also, if your network is wired with both copper and fiber, you really must use a certification tester.

Basically, a certifier is a combination cable tester and network analyzer, only better because it comes with more options. This is wonderful because it makes your job easier and makes you seem smarter to everyone around you—you’re only as good as your tools, right? A good certifier will test the performance and response times of network resources like web, file, email, and even DNS and Dynamic Host Configuration Protocol (DHCP) servers. And, at the same time, it will certify your full Category 6 cable installation. After it finishes all this, you can provide your boss with a detailed network test report complete with dazzling, colorful graphics to make it simple to explain and understand—voilà! You’re instantly the genius of the day.

To get these smarts, all you need is a lot of money. These products are not for the small office, home office (SOHO) market because they cost literally thousands of dollars, starting at about $5,000.

Time-Domain Reflectometer

A time-domain reflectometer (TDR) is a tool that finds and describes faults in metallic cables like twisted wire pairs and coaxial cables. The equivalent device for optical fiber is an optical time-domain reflectometer (OTDR), which I’ll talk about in a minute.

A TDR works in the same basic way that radar does. It transmits a short rise-time pulse along the conductor. If the conductor is of uniform impedance and properly terminated, the entire transmitted pulse is absorbed in the far-end termination and no signal is reflected back to the TDR. Any impedance interruption will cause some of the incident signal to be sent back toward the source, letting you know all is not well.

So basically, an increase in impedance creates a reflection that reinforces the original pulse, and a decrease in impedance creates a reflection that opposes the original pulse. The resulting reflected pulse that’s measured at the output/input of the TDR is displayed or plotted against time. And because the speed of signal propagation is pretty consistent for a given type of transmission medium, the reading can also tell you the cable length.

Because of this sensitivity to any variation in impedance, you can use a TDR to verify these things:

  • Speed and condition of the cable
  • How long it takes to send a signal down a cable and how long it takes to come back
  • Cable impedance characteristics
  • Splice and connector locations and their associated loss amounts
  • Estimated cable lengths
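Putting the two ideas above into numbers, here is an added example (not from the book) that turns a TDR reading into a distance and a fault type: the round-trip delay is halved and scaled by the cable’s velocity of propagation, and the sign and size of the reflection follow the increase-reinforces, decrease-opposes rule. The NVP value and the sample readings are constructed assumptions.

```python
"""Turn a TDR reading into a fault location and fault type.

Added example, not from the book. The nominal velocity of propagation (NVP)
and the readings are constructed; use the NVP printed for your actual cable.
"""
import math

C_M_PER_S = 299_792_458.0


def fault_distance_m(round_trip_s, nvp):
    """Distance to the reflecting point: the pulse travels out and back,
    so only half the round-trip time counts."""
    return C_M_PER_S * nvp * round_trip_s / 2


def reflection_coefficient(z_fault, z0):
    """Fraction of the pulse reflected where the impedance changes from z0
    to z_fault: +1 for an open (infinite impedance), -1 for a short, 0 for
    a perfect match. Positive means the reflection reinforces the pulse."""
    if math.isinf(z_fault):
        return 1.0
    return (z_fault - z0) / (z_fault + z0)


def classify_reflection(gamma, tol=0.05):
    """Name the fault from the reflection coefficient."""
    if abs(gamma) <= tol:
        return "matched"
    if gamma >= 1 - tol:
        return "open"
    if gamma <= -(1 - tol):
        return "short"
    return "impedance increase" if gamma > 0 else "impedance decrease"


def analyze_tdr(readings, nvp):
    """readings: (round-trip seconds, reflected fraction) pairs from the trace."""
    return [(round(fault_distance_m(t, nvp), 1), classify_reflection(g))
            for t, g in readings]


# Constructed readings from one trace
SAMPLE_READINGS = [
    (4.0e-7, 0.2),    # partial positive reflection: a kink or poor splice
    (1.0e-6, 1.0),    # full positive reflection: the far end is open
]
CAT5E_NVP = 0.69      # assumed NVP for the example cable

if __name__ == "__main__":
    for dist, kind in analyze_tdr(SAMPLE_READINGS, CAT5E_NVP):
        print(f"{dist:7.1f} m  {kind}")
```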

Now, let’s take a look at a device that tests fiber-optic cables.

Optical Time-Domain Reflectometer

An optical time-domain reflectometer (OTDR), an instrument also commonly referred to as a light meter, is an optoelectronic device used to give you the skinny on optical fibers. It works by sending a series of optical pulses into the specific fiber you want to test. From the same end that sent these pulses, it collects and measures the light that is scattered and reflected back along the length of the fiber, and it records the change in the amount of returned light at various points. This is a lot like the way an electronic TDR measures reflections caused by impedance changes in a cable that you’re testing. The strength of the return pulses is plotted against time, which also conveniently gives you the fiber’s length.

We use OTDRs to give us the following information:

  • The fiber’s estimated length
  • Its overall attenuation, including splice and mated-connector losses
  • The location of faults, such as breaks

Figure 18.18 shows the output from an OTDR testing a fiber connection.

Figure 18.18 Sample OTDR output

Image shows sample OTDR output: a descending line (the gradual drop in decibels labeled attenuation), a sudden upward spike labeled connector reflection, and a further drop in signal labeled splice loss.

The spike shows where a splice in the fiber is located, which has degraded the signal. This is a very typical output. As the signal attenuates, you see a gradual drop in decibels (dB). Any connector will show a reflection, which, as mentioned, appears as a spike in the OTDR output. The connector then creates more attenuation and the loss of more dB. The more splices, the less distance you can run with fiber.
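To show how the three features of that trace are told apart, here is an added example (not from the book) that synthesizes a backscatter trace with a connector, a splice and the fiber end, then walks the trace looking for an upward spike (reflective event), a step down with no spike (splice loss) and a spike with nothing after it (end of fiber), and totals the link loss. The attenuation figure, event positions and thresholds are constructed assumptions.

```python
"""Find connector, splice and end-of-fiber events on an OTDR trace and total
the link loss.

Added example, not from the book. The trace is synthesized here; the
attenuation figure, event positions and detection thresholds are assumptions.
"""
ATTEN_DB_PER_KM = 0.35   # assumed fiber attenuation (typical of 1310 nm single-mode)
STEP_M = 10              # sample spacing of the synthetic trace

# Constructed events: (distance_m, kind, loss_db, reflection_db)
SAMPLE_EVENTS = [
    (1000, "connector", 0.50, 3.0),   # mated connector: spike up, then a loss step
    (2500, "splice", 0.15, 0.0),      # fusion splice: loss step, no spike
]
FIBER_END_M = 4000


def make_trace(fiber_end_m=FIBER_END_M, events=SAMPLE_EVENTS):
    """Synthesize a backscatter trace as (distance_m, level_db) samples."""
    slope = ATTEN_DB_PER_KM * STEP_M / 1000
    level, trace = 0.0, []
    for d in range(0, fiber_end_m + STEP_M, STEP_M):
        level -= slope                         # gradual attenuation along the run
        sample = level
        for ev_d, _kind, loss, refl in events:
            if d == ev_d:
                sample += refl                 # the spike appears at the event itself
                level -= loss                  # the loss persists beyond it
        trace.append((d, sample))
    # end of fiber: a large reflection, then the signal drops into the noise floor
    trace.append((fiber_end_m + STEP_M, level + 10.0))
    trace.append((fiber_end_m + 2 * STEP_M, -60.0))
    return trace


def find_events(trace, refl_threshold_db=1.0, loss_threshold_db=0.1, noise_floor_db=-50.0):
    """Return (kind, distance_m, loss_db) for each event found on the trace."""
    slope = ATTEN_DB_PER_KM * STEP_M / 1000      # expected drop per sample
    found, i = [], 1
    while i < len(trace) - 1:
        (d_prev, l_prev), (d, l), (_, l_next) = trace[i - 1], trace[i], trace[i + 1]
        if l - l_prev > refl_threshold_db:        # a spike up is a reflection
            if l_next < noise_floor_db:           # nothing beyond it: end of fiber
                found.append(("fiber end", d_prev, None))
                break
            loss = l_prev - 2 * slope - l_next    # the loss step hidden under the spike
            found.append(("reflective", d, round(loss, 2)))
            i += 2                                # skip the spike's falling edge
            continue
        if l - l_prev < -(slope + loss_threshold_db):   # step down with no spike
            found.append(("loss", d_prev, round(l_prev - l - slope, 2)))
        i += 1
    return found


def link_loss_db(trace):
    """Total loss from the launch sample to the last sample before the fiber end."""
    end = next(e for e in find_events(trace) if e[0] == "fiber end")
    return round(trace[0][1] - dict(trace)[end[1]], 2)


if __name__ == "__main__":
    t = make_trace()
    for kind, dist, loss in find_events(t):
        print(f"{kind:10s} at {dist:5d} m  loss={loss}")
    print("link loss:", link_loss_db(t), "dB")
```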

Multimeter

A multimeter, or a multitester (also called a volt/ohm meter [VOM]), is a multitasking electronic measuring instrument. Your average multimeter typically includes features like the ability to measure voltage, current, and resistance. Multimeters come in analog and digital versions, and they range from basic handheld devices useful for simple fault-finding and field-service work to more complex bench instruments that will give you measurements with a very high degree of accuracy.

They can be used to troubleshoot electrical problems in a wide array of electrical devices like batteries, motor controls, appliances, power supplies, and wiring systems. Figure 18.19 shows output of the multimeter that I use to help troubleshoot my networks.

Figure 18.19 A multimeter


Multimeters come in lots of flavors with different ranges of features and prices. Cheap ones cost less than 10 bucks, but the top-of-the-line models can set you back up to 5 thousand bucks.

Spectrum Analyzer

A spectrum analyzer is a tool that focuses on the Physical layer, and its specifics vary based on the type of analyzer. Although vendors make these analyzers for both audio and optical signals, in most cases spectrum analyzers are used to analyze wireless or radio frequency signals. A spectrum analyzer is primarily used to identify and measure the strength of the radio signals present in the area. It can visually display these signals by frequency on the device. These devices are used to locate sources of interference that may impact the operation of a wireless network. Figure 18.20 is a shot taken from the screen of a spectrum analyzer showing the relative use of each channel in the area.

Figure 18.20 Spectrum analyzer output

Image shows spectrum analyzer output displaying a spectrum trace view of the current and maximum values for frequencies 470 MHz to 600 MHz and signal strength from -130 dBm to -30 dBm. The maximum value is between 520 and 530 MHz.

Tone Generator (Probe)

A toner probe, also called a tone generator, is an inexpensive and easy-to-use copper cable tester that can trace a wire in a wall. It is a two-piece unit that’s basically a tone generator and probe, sometimes called a “fox and hound” wire tracer. This type of device consists of one part that you connect to a cable with a standard jack (or to an individual wire with alligator clips) to transmit a signal over the cable or wire, and another part that’s a penlike probe that emits an audible tone when it touches the other end of the cable, the wire, or even its insulating sheath.

Most often, you will use a toner probe to locate a specific connection in a punch-down block because (annoyingly) some installers run all the cables for a network to the central punch-down block without labeling them. They (or you, if you’re unlucky enough) then have to use a tone generator to identify which block is connected to which wall plate and label the punch-down block accordingly. This tool can identify a particular cable at any point between the two ends, and because the probe can detect the cable containing the tone signal through its sheath, it can help you to locate one specific cable out of a massive cable-spaghetti bundle in a ceiling conduit or other type of raceway.

Just connect the tone generator to one end, and touch the probe to each cable in the bundle until you hear the tone. Figure 18.21 shows a picture of my toner and the probe I use to find the tone on the other end of the cable.

Figure 18.21 A toner probe


Also, by testing the continuity of individual wires using alligator clips, you can use a tone generator and probe to find opens, shorts, and miswires. An open wire won’t produce a tone at the other end, a short will produce a tone on two or more wires at the other end, and an improperly connected wire will produce a tone on the wrong pin at the other end.

Sound like fun to you? Well, not so much—it takes a really long time, and it’s super tedious. Worse, the whole process is almost as prone to errors as the cable installation itself. You have to either continually travel from one end of the cable to the other to move the tone generator unit or use a partner to test each connection, keeping in close contact using radios or some other means of communication to avoid confusion. So, considering the time and effort involved, investing in a wire-map tester is just a much more practical solution unless you’re numbingly bored or really easily amused.

Metrics

When using any of the tools discussed in the preceding sections, especially the network testing tools, collecting and comparing metrics over time is a valuable exercise. Once a baseline has been established for these metrics, you can determine when an issue has gotten better or worse over time. It also allows you to determine whether measures you have taken to improve a situation have actually done so.

Error Rate

One of the key metrics for which a baseline should be established is network error rate. Since network errors typically lead to retransmissions, they typically result in reduced throughput because each retransmission represents a lost opportunity to use that time slot to send new data.
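Here is an added example (not from the book) of computing exactly these metrics, utilization and error rate, from two polls of an interface’s SNMP counters and checking them against a stored baseline; it also handles the 32-bit counter rollover that silently corrupts naive subtraction. The counter names follow IF-MIB, while the sample values and the baseline are constructed.

```python
"""Utilization and error rate from two samples of an interface's SNMP
counters, compared with a stored baseline.

Added example, not from the book. Counter names follow IF-MIB (ifInOctets,
ifInUcastPkts, ifInErrors, ifSpeed); all sample values and the baseline are
constructed.
"""
COUNTER32_WRAP = 2 ** 32


def counter_delta(old, new, wrap=COUNTER32_WRAP):
    """32-bit SNMP counters roll over; a sample smaller than the previous one
    means exactly one wrap happened in between (poll often enough for that)."""
    return new - old if new >= old else new + wrap - old


def interface_metrics(first, second, if_speed_bps):
    """first/second: {'ts': seconds, 'ifInOctets', 'ifInUcastPkts', 'ifInErrors'}."""
    secs = second["ts"] - first["ts"]
    octets = counter_delta(first["ifInOctets"], second["ifInOctets"])
    pkts = counter_delta(first["ifInUcastPkts"], second["ifInUcastPkts"])
    errs = counter_delta(first["ifInErrors"], second["ifInErrors"])
    throughput_bps = octets * 8 / secs
    return {
        "throughput_bps": throughput_bps,
        "utilization_pct": 100.0 * throughput_bps / if_speed_bps,
        # errors as a share of everything the interface tried to receive
        "error_rate_pct": 100.0 * errs / (pkts + errs) if pkts + errs else 0.0,
    }


def compare_to_baseline(metrics, baseline, max_ratio=2.0, floor=0.1):
    """Flag any metric that is above `floor` and more than `max_ratio` times
    its baseline value; returns (metric, current, baseline) tuples."""
    alerts = []
    for key in ("utilization_pct", "error_rate_pct"):
        if metrics[key] > floor and metrics[key] > max_ratio * baseline[key]:
            alerts.append((key, round(metrics[key], 3), baseline[key]))
    return alerts


# Constructed samples five minutes apart; ifInOctets wraps between them
SAMPLE_FIRST = {"ts": 0, "ifInOctets": 4_294_000_000, "ifInUcastPkts": 10_000, "ifInErrors": 100}
SAMPLE_SECOND = {"ts": 300, "ifInOctets": 300_000_000, "ifInUcastPkts": 40_000, "ifInErrors": 700}
IF_SPEED_BPS = 100_000_000                                     # a 100 Mbps port
BASELINE = {"utilization_pct": 5.0, "error_rate_pct": 0.1}     # constructed "normal" values

if __name__ == "__main__":
    m = interface_metrics(SAMPLE_FIRST, SAMPLE_SECOND, IF_SPEED_BPS)
    print(m)
    print(compare_to_baseline(m, BASELINE))
```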

Butt Set

A butt set is essentially a portable telephone that allows you to test analog wet or dry lines and is used to monitor those lines. The most common type, shown in Figure 18.22, can both monitor and transmit.

Figure 18.22 A butt set


You see these all the time with telco guys up on the telephone poles. They use their butt sets to connect to telephone lines, test them, and even make phone calls.

Another handy tool that will take the place of a butt set is a hound. This noncanine device is nothing more than an inductively coupled amplifier with a small speaker in a handheld tool. It’s used to monitor the audio on a given line to verify that you have the right pair before connecting it and typically used with a toner probe. It will also monitor for noise.

Punch-Down Tool

Most networks today are built using twisted-pair cable of some sort. This cable is usually terminated in wiring closets using a tool known as a punch-down tool. It’s called that because that’s exactly what the tool does—punches down the wire into some kind of insulation displacement connector (IDC).

There are different types of punch-down tools. The most common is a punch-down with replaceable blades for the different types of connectors (either 66 or 110). Figure 18.23 shows an example of this type of punch-down tool.

Figure 18.23 An example of a punch-down tool


IDCs make contact by cutting through, or displacing, the insulation around a single conductor inside a twisted-pair cable.

As shown in Figure 18.24, the punch-down tool pushes a conductor between the sides of a V inside an IDC, in this example a keystone connector, allowing the small metal blade inside the connector to make contact with the inner conductor deep inside the wire.

Figure 18.24 Using a punch-down tool on a small keystone connector


Now let’s take a look at how to put a cable end together.

Cable Stripper/Snips

A wire crimper, often simply called a crimper, is a handy tool found in most network technicians’ tool bags. Crimpers are primarily used for attaching ends onto different types of network cables via a process known as—that’s right—crimping. Crimping involves using your hands to apply a certain amount of force to press some kind of metal teeth into the inner conductors of a cable. Before you can crimp a connector onto the end, you’ve got to strip the cable with a type of cable stripper (or snip) and then properly put the wires into the connector.

Figure 18.25 shows what a cable stripper and snip looks like (this particular tool also includes a crimper).

Figure 18.25 A combination cable stripper, crimper, and snippers


Often, network technicians will make patch cables with a crimper. They’ll take a small piece of Category 5e unshielded twisted-pair (UTP), strip the cable, and crimp two RJ-45 ends onto it to create the cable. Snips will create the type of cable needed to connect a host to a wall jack connection, for example. There are strippers and crimpers for the other types of cable as well—even specialized crimpers for fiber-optic ends.

Voltage Event Recorder (Power)

Alternating current (AC) is basically the food that PCs and other network devices require in specific amounts to function properly. In the United States, it’s normally 110 volts and changes polarity 60 cycles a second (60 hertz). These values are referred to as line voltage. Any deviation from these values can create some major problems for your PC or other electronics—like death. While we’re on the subject, you should also know that when a telephone rings, the phone company central office puts 140 VAC on the line to ring that bell; telephone lines are not always the “low-voltage” devices we think they are. Do all phone systems do this, even PBX systems within buildings? Are you willing to bet your life that they don’t? Didn’t think so.

This is why we have surge protectors. These little saviors use a special electronic circuit that monitors the incoming voltage level and trips a circuit breaker when the voltage level reaches critical mass, which is known as the overvoltage threshold. Even though having a surge protector is definitely better than nothing, they too can fall victim to overvoltage events—I’m reminded of a friend whose home was struck by lightning during a thunderstorm and he found his surge protectors literally melted into the carpet! But they’re still cool because even though they’re really only somewhat protective, they are multiple-outlet strips that give us a lot more places to plug in our stuff.

By contrast, a quality voltage event recorder can troubleshoot and even provide preventative maintenance on your entire electrical system, whether it’s for a home or a huge factory. Although they do big things, they’re typically small devices that just plug into a wall and record, over time, the power quality of a given circuit. You would typically use a voltage event recorder for the following applications:

Recording Voltage The voltage event recorder monitors and records the supply voltage and checks whether the socket outlet is providing voltage within specifications.

Measuring Distortion The device measures frequency and harmonics, and it checks whether your uninterruptible power supply (UPS) system is functioning correctly.

Measuring Flicker It checks the switching loads on lighting systems.

Capturing Voltage Transients It can help you find intermittent, momentary events that may be affecting your equipment; the full waveform is captured with date, time stamp, and duration.

But you still have to do more to ensure the vitality of your electronic devices because they’re very sensitive to temperature as well. This means you also need a way to monitor the temperature of the place(s) where your equipment is stored.

Environmental Monitors

Environmental monitors are designed to monitor the temperature, humidity, power, and air flow in an area or in a device. Temperature and humidity are both critical factors in the health of computing equipment. High temperatures lead to CPU overheating, and shortly thereafter, systems start rebooting.

High humidity cannot be tolerated because it leads to corrosion of electrical parts followed by shorts and other failures. Low humidity sounds good on paper, but with it comes static electricity buildup in the air, which can fry computer parts if it reaches them. Both of these conditions should be monitored.

A temperature and humidity monitor can save you and your precious devices from a total meltdown. By their very nature, networks often include lots of machines placed close together in one or several location(s)—like server rooms. Clearly, these devices, all humming along at once, generate quite a bit of heat.

Just like us, electronics need to “breathe,” and they’re also pretty sensitive to becoming overheated, which is why you’ll often need a jacket in a chilly server room. It’s also why we need to set up and use temperature-monitoring devices. Twenty years ago or so, these devices didn’t send alerts or give off any kind of alarms; they were just little plastic boxes that had pieces of round graph paper to graph temperature. The paper was good for a month, and for that duration, it would just spin around in a circle. As the temperature moved up or down, the pen attached to the temperature coil moved in or out, leaving a circle line around the paper. All of this allowed you to manually monitor the temperature modulation in the server room over time. Although intended to “alert” you when and if there were climate changes, it usually did so after the fact, and therefore, too late.

Today, these temperature/humidity systems can provide multiple sensors feeding data to a single control point—nice. Now we can much more accurately track the temperature in our server rooms dynamically in real time. The central control point is usually equipped with HTTP software that can send alerts and provide alarms via a browser should your server room experience a warming event.

Temperature/humidity monitors also come in a variety of flavors. They vary in size and cost and come in hardware and/or software varieties. The kind you need varies and is based on the size of the room and the number of devices in it. You can even get one that will just monitor your PC’s internal heat.

What else will indicate you have a temperature problem in your server room? When you install new servers in a rack and you have network instability and other issues across all the servers in the rack but the power resources and bandwidth have been tested, this would be a good time to check your temperature monitor and verify that the servers are staying cool enough. Another red flag when it comes to environmental issues is a problem that occurs every day at the same time. This could be the time of day when the room temperature reaches the problematic stage.

Summary

You need network tools, and you need to know how to use them. And as I said, you can get your hands on many of them for free; so download them and use them as soon as possible to get the experience you’ll need to pass the CompTIA Network+ exam.

This chapter covered network scanners, including packet sniffers, IDS and IPS software, and port scanners. I also covered hardware tools, which are rarely free. The good news is that you don’t need many of them yourself, but the company that owns all the equipment definitely does. Even though I’ve used all of the tools I talked about in this chapter, I don’t own most of them personally—only the ones that are free or relatively inexpensive.

In the hardware tools section, I covered cable testers, analyzers, certifiers, TDR/OTDRs, and other critical tools that help you test the cables and devices in your network, monitor them, and keep them up and running smoothly.

Exam Essentials

Understand what network scanners are and how to use each one. Network scanners are described as packet sniffers, IDS/IPS software, and port scanners. These devices can help you both troubleshoot and fix your network as well as find and stop hackers in their tracks.

Remember the basic purpose of a packet sniffer. The basic purpose of packet sniffers or network analyzers is to collect and analyze each individual packet that is captured on a specific network segment to determine if problems are happening.

Remember the main purpose of IDS/IPS software. The IDS detects unwanted attempts to manipulate network systems and/or environments, and the IPS is a computer security device that monitors network and/or system activities for malicious behavior and can react in real time to stop attacks.

Understand what an OTDR is used for. An optical time-domain reflectometer (OTDR) is an optoelectronic instrument used to test fiber-optic cabling. You can learn the cable’s estimated length and attenuation (loss in dB) and the location of faults.

Understand the difference between cable testers and certifiers. Cable testers simply tell you if the cable will function. Cable certifiers run much more sophisticated tests that determine if the cable performs according to specifications called for in the standard.

Understand the value of temperature and humidity monitors. These devices can monitor environmental conditions and alert you if either the temperature or the humidity in a server room or area falls below or rises above the prescribed range of safe values.

Written Lab

You can find the answers to the written labs in Appendix A. Answer the following questions about software and hardware tools:

  1. True/False: An IDS box can find and fix a problem as the attack occurs.

  2. True/False: A TDR is used to test fiber connections.

  3. True/False: An IDS box will report an attack but not fix it.

  4. True/False: An OTDR is used to test fiber connections.

  5. True/False: A network analyzer will see every packet on every segment of your network at the same time.

  6. What type of device determines if a cable meets standards specifications?

  7. True/False: It is okay to scan the DoD network servers with a port scanner.

  8. You need to monitor the temperature of your server room. What device should you use?

  9. You want to monitor your UPS systems and make sure they are functioning correctly. What device should you use?

  10. What type of device is used to put an RJ-45 end on a Cat 5e cable?

Review Questions

You can find the answers to the review questions in Appendix B.

  1. Which is a tool in the network scanner category? (Choose all that apply.)

    1. Packet sniffers
    2. IDS/IPS software
    3. Port scanners
    4. None of the above
  2. What is the purpose of packet sniffers?

    1. Discarding frames
    2. Sending transmissions from one port to another port
    3. Looking inside every packet on a network segment
    4. Stopping malicious behavior on the network
  3. You need to trace cables in multiple-pair wiring. What tool will you use?

    1. Toner probe
    2. IDS
    3. Cable tester
    4. Butt set
  4. What tool would you use to both find a break in a fiber-optic connection and test the fiber connectivity on the network?

    1. Multimeter
    2. OTDR
    3. Butt set
    4. Toner probe
  5. You need to create a cable that will connect your host to a wall jack connection. Which of the following will you use?

    1. IDS/IPS
    2. Snips
    3. Coax cable strippers
    4. Multimeter
  6. Where is the IDS/IPS software typically placed within a network?

    1. Between the internal router and the firewall connected to the ISP
    2. Between the printer and the router connected to the ISP
    3. Between the computer and the switch configured with VLANs
    4. Between the firewall and the router connected to the email server
  7. What is the purpose of a port scanner?

    1. Scan UDP for closed ports
    2. Sweep TCP for closed ports
    3. Search the network host for open ports
    4. None of the above
  8. What is the purpose of wire-map testers?

    1. Check copper cable for crossed pairs only
    2. Analyze protocols in software
    3. Help find unused protocols and remove them from the network
    4. Detect transposed wires, opens, and shorts in twisted-pair cables
  9. Which of the following can check the speed and condition of the signal on a cable, measure the time it takes to send a signal down the wire and back, and find the exact location of a break?

    1. Multimeter
    2. TDR
    3. Tone generator
    4. Event recorder
  10. Which device should be used if you need to determine whether your network meets ISO or TIA standards?

    1. Angry IP
    2. Certifiers
    3. Nmap
    4. Routing table
  11. Which software tool is used to view network traffic at the frame level?

    1. TDR
    2. Multimeter
    3. Port scanner
    4. Packet sniffer
  12. Which of the following options is not a function of a TDR?

    1. Estimate cable lengths
    2. Find splice and connector locations and their associated loss amounts
    3. Display unused services
    4. Determine cable-impedance characteristics
    5. Send a signal down a cable and measure how long it takes to come back
  13. Which device would be used to measure voltage?

    1. Multimeter
    2. OTDR
    3. Butt set
    4. Toner probe
  14. Which device would most likely be used to locate a specific connection in an unlabeled punch-down block?

    1. VOM
    2. Certifier
    3. TDR
    4. Toner probe
  15. Which tool would be used to connect wire between two punch-down block blades?

    1. Punch-down tool
    2. Crimper
    3. Snips
    4. Strippers
  16. Which tool is used to attach an RJ-45 connector to a Cat 5 cable?

    1. Punch-down tool
    2. Crimper
    3. Snips
    4. Strippers
  17. On which of the following would a technician use a punch-down tool?

    1. RJ-45 connector
    2. CSU/DSU
    3. 110 block
    4. Fiber ST connector
  18. Which device monitors incoming voltage levels and overvoltage thresholds?

    1. Repeater
    2. Toner probe
    3. VOM
    4. Surge protector
  19. Which of the following tools can test a port on a device?

    1. Cable certifier
    2. Loopback plug
    3. Butt set
    4. Toner probe
  20. You install new switches in your server room and are now experiencing network instability and other issues across all servers in the rack. Which device would be used to alert you of a system overheating?

    1. Voltage event recorder
    2. Temperature monitor
    3. Surge protector
    4. Probe