How I used Linux network tools to solve real problems

Computerworld - Previously, I explained how to use a computer that others have cast off as being unusable as a powerful network analysis tool.

By combining the Linux distribution Fedora Core with the open-source packages libpcap, tcpdump, iptraf and Multi Router Traffic Grapher (MRTG), I demonstrated how useful statistics on network usage and trends can be obtained.

In this final installment of the series, I present examples based on actual cases I've encountered where these tools were utilized to solve the problem.

Slow connection

In the first example, a small network with a 384Kbit/sec. ISDN connection to the Internet was slow at best and unusable at worst. The LAN performance was fine; only Internet traffic was affected.

In all network troubleshooting situations, an understanding of the network topology is paramount to place the sniffer at the appropriate location. This wasn't a network I was familiar with, so I performed a walk-through with the network administrator. The network was simple: one private subnet NATed to a single public IP address, distributed by two hubs and a switch with a couple of local servers off the switch, and a connection from the switch to the ISDN Internet router, as shown in Figure 1.
 
Figure 1: First example network diagram

(Click image to see larger view)

As port mirroring wasn't an option on the 100Mbit/sec. switch, I took out a minihub from my network tool bag (everyone carries one, right?) and placed it inline between the 100Mbit/sec. switch and the ISDN router as shown in Figure 2. True, this changed the original network topology, but since port mirroring (whereby all traffic seen on one port is copied to another) was not available, the hub placement was the best alternative. There are advantages to this method, as port mirroring will not show physical layer errors, but generally I prefer port mirroring.