Iowa State University Capstones, Theses and Dissertations
Retrospective Theses and Dissertations
1990
Design of an Ethernet monitor and protocol analyzer
Gwenna S. Jacobson
Iowa State University
Recommended Citation Jacobson, Gwenna S., "Design of an Ethernet monitor and protocol analyzer" (1990). Retrospective Theses and Dissertations. 16878. https://lib.dr.iastate.edu/rtd/16878
Design of an Ethernet monitor and protocol analyzer
by
Gwenna S. Jacobson
A Thesis Submitted to the
Graduate Faculty in Partial Fulfillment of the
Requirements for the Degree of
MASTER OF SCIENCE
Department: Electrical Engineering and Computer Engineering
Major: Computer Engineering
Iowa State University
Ames, Iowa
1990
TABLE OF CONTENTS
ACKNOWLEDGEMENTS
1. INTRODUCTION
2. MONITORING TECHNIQUES
2.1 Centralized Monitor
2.1.1 Probe Monitor
2.1.2 Spy Monitor
2.2 Distributed Monitor
2.3 Hybrid Monitor
3. NETWORK PROTOCOLS
3.1 OSI
3.1.1 Physical Layer
3.1.2 Data Link Layer
3.1.3 Network Layer
3.1.4 Transport Layer
3.1.5 Session Layer
3.1.6 Presentation Layer
3.1.7 Application Layer
3.2 TCP/IP
3.2.1 IP
3.2.2 TCP
3.2.3 UDP
3.2.4 ICMP
3.2.5 ARP/RARP
3.2.6 RIP
3.2.7 Telnet
3.2.8 FTP
3.2.9 SMTP
3.3 Ethernet
4. NETWORK MONITOR DESIGN
4.1 Hardware
4.2 Software
4.2.1 User Interface
4.2.2 Filters
4.2.3 Data Capture
4.2.4 Data Display Windows
4.2.5 File I/O
4.2.6 Statistics
4.2.7 Driver Software
5. CONCLUSIONS
6. BIBLIOGRAPHY
7. APPENDIX A: ACRONYMS
8. APPENDIX B: SOURCE CODE
LIST OF FIGURES
Figure 3.1: OSI Layers
Figure 3.2: ISO IP packet data unit formats
Figure 3.3: ISO transport protocol fixed header formats
Figure 3.4: ISO session protocol data unit
Figure 3.5: ISO presentation protocol data unit
Figure 3.6: Comparison of DPA protocols to OSI layers
Figure 3.7: Internet protocol format
Figure 3.8: TCP protocol data unit
Figure 3.9: UDP protocol data unit
Figure 3.10: ICMP protocol data unit
Figure 3.11: ARP/RARP protocol data unit
Figure 3.12: RIP protocol data unit
Figure 3.13: Ethernet frame
Figure 4.1: Block diagram of the User Interface
Figure 4.2: Filtering Setup Menus
Figure 4.3: Data Capture Screen
Figure 4.4: Data Display Windows
Figure 4.5: Summary Display Window
Figure 4.6: Detail Display Window
Figure 4.7: Hexadecimal Display Window
Figure 4.8: Store/Restore Menu
LIST OF TABLES
Table 3.1: Ethernet Address Assignments for Vendors
Table 3.2: Ethernet Type Field Assignments
Table 7.1: Acronyms
ACKNOWLEDGEMENTS
I would like to thank Professor Terry Smay, my major professor, for his help on the project and helping me meet the deadlines. I would also like to thank Professor Dick Horton and Professor Dale Grosvenor for serving on my committee.
I want to thank Lynn Christiansen who worked with me on this project. She encouraged me when I needed encouragement and worked with me although my schedule was difficult to work around.
I also need to thank Pam Myers, the graduate secretary, because I am sure without her constant reminders of deadlines I would have missed a few of them.
I am grateful to my parents for never imposing limitations on me and always encouraging me to test my abilities.
I especially want to thank my husband, Doug, for knowing this was something I wanted to finish and helping me to do it. He answered my many questions on various aspects of this project. He also spent many evenings taking care of things at home, enabling me to complete my degree.
1. INTRODUCTION
As local area networks have proliferated over the last decade, it is necessary to be able to monitor and analyze activity on these networks. This is even more necessary when LANs are internetworked together and all the computer systems on the network are not under one person's control or even one department's control.
A network monitor and protocol analyzer allows you to capture, decode, examine and analyze frames on the network and to isolate and identify problems on the network.
A protocol analyzer would be a valuable tool in computer networking classes. Students could use the protocol analyzer to see the packets decoded. Several network protocol analyzers are commercially available; however, they are expensive. An advantage of a protocol analyzer that is especially developed for the classroom instead of the commercial marketplace is that it would allow students to examine source code and write code modules for other protocols, thus giving them experience in network programming.
The network monitor and protocol analyzer discussed in this thesis was developed for the Ethernet protocol. The hardware used was an off-the-shelf 386 personal computer installed with a 3Com Ethernet board [1]. The Ethernet board used was a 3C505 intelligent Ethernet adapter board and came with driver software. The board has an 80188 microprocessor, 512 Kbytes of memory and a DMA interface. The monitor captures, decodes and analyzes Ethernet protocols, TCP/IP protocols and OSI protocols.
The user interface was standardized to that of an FDDI monitor currently being developed by Lynn Christiansen. It was developed with a windowing library of routines called C Windows Toolkit [2].
2. MONITORING TECHNIQUES
There are three commonly used monitoring techniques. They are centralized, distributed, and hybrid [3] [4].
2.1 Centralized Monitor
A centralized monitor is a monitor in which a dedicated station on the network collects and analyzes data on that station. There are two types of centralized monitoring techniques. They are the probe monitor and the spy monitor.
2.1.1 Probe Monitor
The probe monitor injects packets onto the network and can be used to analyze how the network will perform under varying loads.
2.1.2 Spy Monitor
The spy monitor is a special node dedicated to monitoring the network passively. It listens to already existing traffic on the network and does not introduce any artificial traffic onto the network. The monitor designed in this research was a spy monitor.
2.2 Distributed Monitor
A distributed monitor is a monitor where each station collects and analyzes data and then sends this information to a central location for further analysis.
2.3 Hybrid Monitor
A hybrid monitor is a monitor where data are collected and analyzed at both a central location and distributed locations.
3. NETWORK PROTOCOLS
A network protocol is a set of rules that govern the exchange of data between two communicating entities. There are two major protocol standards for the higher protocol layers, the OSI reference model and TCP/IP. At the two lower protocol layers the standards for local area networks (LANs) are the IEEE 802 series of standards.
There are three major types of LANs defined in IEEE 802: CSMA/CD bus, token ring and token bus. CSMA/CD is also known as Ethernet and is the type of LAN used in this research. The OSI reference model, TCP/IP and Ethernet are discussed in further detail in the following sections. The part of the protocol that is examined by the network monitor is the actual protocol data units (PDUs) associated with each layer.
3.1 OSI
In 1977 the International Organization for Standardization (ISO) established a subcommittee to define a communications architecture. The result was the Open Systems Interconnection (OSI) reference model adopted in 1983. The OSI reference model uses the structuring technique of layering, where each layer in the network performs a certain subset of functions and passes the information on to the next lower layer where the next layer performs more primitive functions and conceals the details of those functions [5] [6] [7]. Each layer also provides services to the next higher layer [8]. The OSI model has seven layers listed below and shown in Figure 3.1.
• the physical layer
• the data link layer
• the network layer
• the transport layer
• the session layer
• the presentation layer
• the application layer.
3.1.1 Physical Layer
The Physical Layer is concerned with the transmission of data over the physical medium. It deals with the mechanical, electrical, functional and procedural characteristics to access the physical medium. The physical layer protocol used in this project is Ethernet and will be discussed in another section.
3.1.2 Data Link Layer
The data link layer provides for the reliable transfer of information across the physical link. It sends blocks of data (frames or packets) with the necessary synchronization, error control, and flow control. This will also be discussed further in the Ethernet section.

Layer          Unit passed between User 1 and User 2
User           AP Data
Application    AH | Data Unit
Presentation   PH | Data Unit
Session        SH | Data Unit
Transport      TH | Data Unit
Network        NH | Data Unit
Data Link      F | A | C | Data Unit | FCS | F
Physical       Bits
(connection media)
Figure 3.1: OSI Layers
3.1.3 Network Layer
The network layer provides upper layers with independence from the data transmission and switching technologies used to connect systems. It is responsible for establishing, maintaining, and terminating connections between systems.
ISO has developed a protocol called the internet protocol or IP which is a connectionless service. The ISO IP has two defined packet data unit (PDU) types. They are the data PDU and the error report PDU.
The formats of the ISO IP protocol data unit are shown in Figure 3.2 and the field descriptions are listed below.
• Protocol identifier: When the source and destination stations are connected to the same network, an internet protocol is not needed. In that case, the internet layer is null and the header consists of this single field of 8 bits.
• Length indicator: Length of the header in octets.
• Version: Included to allow evolution of the protocol. Either header format or semantics might change.
• PDU Lifetime: Expressed as a multiple of 500 ms. It is determined and set by the source station. Each gateway that the IP data unit visits decrements this field by 1 for each 500 ms of estimated delay for that hop (transit time to this gateway plus processing time).
• Flags: The SP flag indicates whether segmentation is permitted. The MS flag is the more flag and indicates if there are more fragments. The ER flag indicates whether an error report is desired by the source station if an IP data unit is discarded.
• Type: Indicates whether this is a Data or Error PDU.
• PDU Segment Length: Total data unit length in octets.
• PDU checksum: Checksum on header.

Octet      Field (Data Packet Format and Error Packet Format)
1          Network Layer Protocol Identifier
2          Length Indicator
3          Version/Protocol Id Extension
4          Lifetime
5          SP | MS | E/R | Type (data packet); SP | MS | Reserved | Type (error packet)
6,7        Segment Length
8,9        Checksum
10         Destination Address Length Indicator
11,m-1     Destination Address
m          Source Address Length Indicator
m+1,n-1    Source Address
The data packet continues with Data Unit Identifier, Segment Offset, Total Length, Options and Data. The error packet continues with Options, Reason for Discard and the Error Report Data Field.
Figure 3.2: ISO IP packet data unit formats
The address part is always present.
• Destination Address Length
• Destination Address
• Source Address Length
• Source Address
The segmentation fields are present if the SP flag is set to 1.
• Data unit identifier: Intended to uniquely identify the PDU.
• Segment offset: Indicates where in the initial PDU this segment belongs, measured in 64-bit units.
• Total length: Specifies the total length of the original PDU.
An optional part may be included in the header.
• Options: These may include padding, security, source routing, recording of route, quality of service and priority.
The Error Report PDU is essentially the same as the Data PDU. The three flags (SP, MS, ER) are set to 0 and there is no segmentation part of the header. In addition there is an extra field called the Reason for Discard.
• Reason for Discard: The major reasons include general, address, source routing, lifetime, PDU discarded, and reassembly.
3.1.4 Transport Layer
The transport layer provides reliable, transparent transfer of data between end points. It provides end-to-end error recovery and flow control. It ensures that data packets are delivered error-free, in sequence, with no losses or duplication. This layer is the keystone of the concept of a computer communications architecture. It makes the network transparent to higher layers and is the last layer to do any error detection or correction.
The ISO protocol makes use of ten types of transport protocol data units (TPDUs). They are listed below and the transport PDU format is shown in Figure 3.3.
• CR: Connection request
• CC: Connection confirm
• DR: Disconnect request
• DC: Disconnect confirm
• DT: Data
• ED: Expedited data
• AK: Acknowledgment
• EA: Expedited acknowledgment
• RJ: Reject
• ER: TPDU error
The descriptions of the fields found in the TPDU are listed below.

TPDU                          Fixed header fields, in order
Connection Request            Length Indicator | CR | CDT | Source Reference | Class | Opt
Connection Confirm            Length Indicator | CC | CDT | Destination Reference | Source Reference | Class | Opt
Disconnect Request            Length Indicator | DR | Destination Reference | Source Reference | Reason
Disconnect Confirm            Length Indicator | DC | Destination Reference | Source Reference
Data (Class 0, 1)             Length Indicator | DT | EOT | TPDU-NR
Data (Class 2, 3, and 4)      Length Indicator | DT | Destination Reference | EOT | TPDU-NR
Expedited Data                Length Indicator | ED | Destination Reference | EOT | EDTPDU-NR
Acknowledgement               Length Indicator | AK | CDT | Destination Reference | YR-TU-NR
Expedited Acknowledgement     Length Indicator | EA | Destination Reference | YR-EDTU-NR
Reject                        Length Indicator | RJ | CDT | Destination Reference | YR-TU-NR
TPDU Error                    Length Indicator | ER | Destination Reference | Cause
Figure 3.3: ISO transport protocol fixed header formats
• Length indicator (LI) (8 bits): Length of the header in octets.
• TPDU code (4 bits): Type of TPDU.
• Credit (CDT) (4 bits): Flow control credit allocation.
• Source reference (16 bits): Reference used by the transport entity to identify the transport connection uniquely in its own system.
• Destination reference (16 bits): Reference used by the peer transport entity to identify the transport connection uniquely in its own system.
• Class (4 bits): Protocol class.
• Option (4 bits): Specifies normal or extended flow control fields, also whether flow control is to be used in Class 2.
• Reason (8 bits): Reason for requesting a disconnect or rejecting a connection request.
• EOT (1 bit): Used when a TSDU has been segmented. It is set to 1 on last TPDU.
• TPDU-NR (7 bits): Send sequence number of a DT TPDU.
• EDTPDU-NR (7 bits): Send sequence number of a ED TPDU.
• YR-TU-NR (8 bits): The next expected DT sequence number.
• YR-EDTU-NR (8 bits): The next expected ED sequence number.
• Cause (8 bits): Reason for rejection of a TPDU.
3.1.5 Session Layer
The session layer provides the control structure for communication between applications. It establishes, manages, and terminates connections (sessions) between cooperating applications.
The formats of the session protocol data units are shown in Figure 3.4. The length of the parameters is variable and the descriptions are given below.

SPDU:      SI | LI | PGI/PI-Field | User Information
PGI Unit:  PGI | LI | PV   or   PGI | LI | PI-Field
PI Unit:   PI | LI | PV
Figure 3.4: ISO session protocol data unit
• SI: SPDU identifier
• LI: Length indicator
• PGI/PI: One or more PGI and/or PI units
• PV: Parameter Value
• PI-Field: One or more PI units
• PI: Parameter Identifier
3.1.6 Presentation Layer
The presentation layer provides independence to the application processes from differences in data representation. The ISO presentation protocol data units are shown in Figure 3.5.

(a) Encoding of each value: TYPE | Length | VALUE, or TYPE | Length | VALUE | EOC (EOC = 0000)
(b) Type field: CC | P/C | ID Code. For longer ID codes the first octet is CC | P/C | 11111, each following octet is 1 | XXXXXXX, and the last octet is 0 | XXXXXXX (CC = Class Code, P/C = Primitive/Constructor, XX...X = ID Code).
(c) Length field: 0 | Length (L) for 1 <= L <= 127; 1 | K | Length (L) for 128 <= L <= 2^1008; 1 | 0000000 when the value is terminated by EOC.
Figure 3.5: ISO presentation protocol data unit

• Type: This field has three subfields itemized below.
  - CC (2 bits): This subfield has four classes. They are itemized below.
    * Universal (00): These are the generalized types such as integer and are defined in this standard.
    * Application wide (01): These are common to a particular application.
    * Context specific (10): These are related to the specific context in which they are used.
    * Private (11): These are user definable but not part of a standard.
  - P/C (1 bit): This subfield has two types itemized below.
    * Primitive (0): The content field directly represents the data.
    * Constructor (1): The content field is the encoding of one or more data values.
  - ID code (5 bits): This subfield defines the data type with different tag values. If the value of the ID code is greater than or equal to 31, then additional octets must be added to the frame. The 28 types for the universal class of data types are itemized below.
    * 1: Boolean
    * 2: Integer
    * 3: BitString
    * 4: OctetString
    * 5: Null
    * 6: Object Identifier
    * 7: Object Descriptor
    * 8: External
    * 9-15: Reserved for addenda
    * 16: Sequence and Sequence-of
    * 17: Set and Set-of
    * 18: NumericString (Character String)
    * 19: PrintableString (Character String)
    * 20: TeletexString (Character String)
    * 21: VideotexString (Character String)
    * 22: IA5String (Character String)
    * 23: UTCTime
    * 24: GeneralizedTime
    * 25: GraphicString (Character String)
    * 26: VisibleString (Character String)
    * 27: GeneralString (Character String)
    * 28: Reserved for addenda
• Length: This field specifies the length of the contents field if it is less than 128 octets. Otherwise, the first octet specifies the length of the length field and the remaining octets specify the length of the contents field. If the length of the contents field is not known then the length field has the value 1000000 and the contents field is terminated by an end-of-contents marker consisting of 16 zeros.
• Value: This is the actual data.
• EOC: End of Contents.
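The Type and Length rules above, including ID codes of 31 or more, the multi-octet length form and the EOC-terminated form, can be decoded as follows. This is an added example, not code from the thesis or its Appendix B; the function names, the depth limit and the sample byte strings are constructed for illustration, and the first length octet of the EOC-terminated form is taken as 0x80 as in the ISO basic encoding rules.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_DEPTH 16   /* hypothetical nesting limit so hostile input cannot exhaust the stack */

struct ber_header {
    unsigned cls;          /* CC: 0 universal, 1 application wide, 2 context specific, 3 private */
    int constructed;       /* P/C bit: 1 = constructor */
    unsigned long id;      /* ID code */
    int indefinite;        /* 1 when the contents are terminated by EOC */
    size_t length;         /* contents length in octets, valid when !indefinite */
    size_t header_len;     /* octets used by the Type and Length fields */
};

/* Decode the Type and Length fields at buf. Returns 0 on success, -1 when the
   input is truncated, malformed, or claims more contents than were captured. */
int ber_parse_header(const uint8_t *buf, size_t len, struct ber_header *h)
{
    size_t pos = 1;
    if (len < 2) return -1;
    h->cls = buf[0] >> 6;
    h->constructed = (buf[0] >> 5) & 1;
    h->id = buf[0] & 0x1F;
    if (h->id == 0x1F) {                    /* ID code >= 31: carried in following octets */
        h->id = 0;
        for (;;) {
            if (pos >= len || h->id > (ULONG_MAX >> 7)) return -1;
            uint8_t b = buf[pos++];
            h->id = (h->id << 7) | (b & 0x7F);
            if (!(b & 0x80)) break;         /* last octet has the top bit clear */
        }
    }
    if (pos >= len) return -1;
    uint8_t first = buf[pos++];
    h->indefinite = 0;
    h->length = 0;
    if (first < 0x80) {
        h->length = first;                  /* short form: one octet */
    } else if (first == 0x80) {
        if (!h->constructed) return -1;     /* BER allows this form only for constructors */
        h->indefinite = 1;
    } else {
        size_t n = first & 0x7F;            /* long form: n octets of length follow */
        if (n > sizeof(size_t) || n > len - pos) return -1;
        while (n--) h->length = (h->length << 8) | buf[pos++];
    }
    h->header_len = pos;
    if (!h->indefinite && h->length > len - pos) return -1;
    return 0;
}

/* Total encoded size of the value at buf, including a closing EOC; 0 on error. */
size_t ber_value_size(const uint8_t *buf, size_t len, int depth)
{
    struct ber_header h;
    if (depth > MAX_DEPTH || ber_parse_header(buf, len, &h) != 0) return 0;
    if (!h.indefinite) return h.header_len + h.length;
    size_t pos = h.header_len;
    for (;;) {                              /* walk nested values until the 16 zero bits of EOC */
        if (len - pos >= 2 && buf[pos] == 0 && buf[pos + 1] == 0) return pos + 2;
        size_t n = ber_value_size(buf + pos, len - pos, depth + 1);
        if (n == 0) return 0;
        pos += n;
    }
}

/* Constructed sample encodings. */
static const uint8_t sample_integer[] = { 0x02, 0x01, 0x05 };               /* Integer 5 */
static const uint8_t sample_high_tag[] = { 0x5F, 0x81, 0x02, 0x00 };        /* application wide, ID 130 */
static const uint8_t sample_indefinite[] = { 0x30, 0x80, 0x02, 0x01, 0x05, 0x00, 0x00 };

int main(void)
{
    struct ber_header h;
    if (ber_parse_header(sample_high_tag, sizeof sample_high_tag, &h) == 0)
        printf("class %u, constructor %d, ID code %lu, length %zu\n",
               h.cls, h.constructed, h.id, h.length);
    printf("sequence occupies %zu octets\n",
           ber_value_size(sample_indefinite, sizeof sample_indefinite, 0));
    return 0;
}
```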
3.1.7 Application Layer
The application layer provides access to the OSI environment for users and also provides distributed information services such as electronic mail.
Since the format of the PDUs for this layer is application dependent, no format is shown.
3.2 TCP/IP
The U.S. Department of Defense has issued standards for a set of communication protocols referred to as the DOD protocol architecture (DPA) [9] [10] [11]. These are based on the outgrowth of the ARPANET which was built by the Defense Advanced Research Projects Agency (DARPA) starting in the late 1960s. TCP/IP, named after the two main standards, is the name commonly used to refer to these standards. The National Science Foundation (NSF), the Department of Energy, and the National Aeronautics and Space Administration (NASA) all participate using TCP/IP to connect many of their research sites with those of DARPA to form a national research internet. This collection of networks is known as the DARPA Internet, the TCP/IP internet or just the Internet. Because TCP/IP was developed before the OSI reference model it does not map into the OSI reference model exactly.
The DPA architecture is based on a view of communication that involves three agents: processes, hosts, and networks. The DPA organizes protocols into four layers.
• Network access layer
• Internet layer
• Host-host layer
• Process/application layer
Figure 3.6 compares the protocols of the DPA to the seven layers of the OSI model.

OSI layers   DPA protocols
5-7          SMTP, FTP, TELNET, ISOTP
4            TCP, UDP, RIP
3            ICMP, IP, ARP, RARP
2            Ethernet, Others
Figure 3.6: Comparison of DPA protocols to OSI layers

Bit positions 0, 4, 8, 16, 31; one row per 32-bit word:
Version | Internet Header Length | Type of Service | Total Length
Identifier | Flags | Fragment Offset
Time to Live | Protocol | Header Checksum
Source Address
Destination Address
Options & Padding
Figure 3.7: Internet protocol format
3.2.1 IP
The internet protocol (IP) provides a connectionless, or datagram service, between hosts. Applications that need this service can have this provided by the transmission control protocol (TCP) which is the next higher layer. The format of the IP protocol data unit is shown in Figure 3.7.
• Version (4 bits): Version number.
• Internet header length (4 bits): Length of header in 32-bit words. The minimum number of words is five, so a header is at least 20 octets long.
• Type of service: Specifies reliability, precedence, delay, and throughput parameters.
• Total length (16 bits): Total datagram length.
• Identification (16 bits): Intended to uniquely identify the datagram.
• Flags (3 bits): The More flag is used to identify a fragmented packet. The next flag indicates whether segmentation is permitted. The third flag is not currently used.
• Fragment offset (13 bits): Indicates where in the datagram this fragment belongs, measured in 64-bit units.
• Time to live (8 bits): Measured in 1 second intervals.
• Protocol (8 bits): Indicates the next level protocol that is to receive the data field at the destination.
• Header checksum (16 bits): Used for error detection.
• Source address (32 bits): Coded to specify a variable allocation between the network address and the station address (7 and 24, 14 and 16, or 21 and 8).
• Destination address (32 bits): Encoded same as source address.
• Options (variable):
• Padding (variable): Ensures that the internet header ends on a 32-bit boundary.
• Data (variable): The data field is a multiple of 8 bits with a maximum of 65,535 octets.
3.2.2 TCP
The transmission control protocol (TCP) was developed for the ARPANET and its interconnected subnetworks. TCP was designed to have minimal dependence on underlying networking services and therefore it is very robust, operating accurately when network and system failures occur.
The TCP protocol data unit is shown in Figure 3.8.

Bit positions 0, 16, 32; one row per 32-bit word:
Source Port | Destination Port
Sequence Number
Acknowledgement Number
Data Offset | Reserved | Window Size
Checksum | Urgent Pointer
Options & Padding
Figure 3.8: TCP protocol data unit

• Source port (16 bits): Identifies source port.
• Destination port (16 bits): Identifies destination port.
• Sequence number (32 bits): Sequence number of the first data octet in this segment, except when SYN is present. If SYN is present, it is the initial sequence number and the first data octet is the initial sequence number plus one.
• Acknowledgment number (32 bits): A piggybacked acknowledgment. Contains the next octet that the TCP entity expects to receive.
• Data offset (4 bits): Number of 32-bit words in the header.
• Reserved (6 bits): Reserved for future use.
• Flags (6 bits):
  - URG: Urgent pointer.
  - ACK: Acknowledgement field significant.
  - PSH: Push function.
  - RST: Reset the connection.
  - SYN: Synchronize the sequence numbers.
  - FIN: No more data from sender.
• Window (16 bits): Flow control credit allocation, in octets. Contains the number of data octets beginning with the one indicated in the acknowledgment field that the sender is willing to accept.
• Checksum (16 bits): Used for error detection.
• Urgent Pointer (16 bits): Points to the octet following the urgent data. This allows the receiver to know how much urgent data are coming.
• Options (Variable): At present, only one option is defined, which specifies the maximum segment size that will be accepted.

Bit positions 0, 16, 32; one row per 32-bit word:
Source Port | Destination Port
Length | Checksum
Figure 3.9: UDP protocol data unit
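A decoder for the IP and TCP headers described in sections 3.2.1 and 3.2.2 has to check every length field against the captured data before trusting it. The following is an added example, not the thesis's own source code; the function and structure names, the status codes and the sample datagram are constructed for illustration, and protocol number 6 for TCP is supplied here rather than taken from the text.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { DEC_OK = 0, DEC_TRUNCATED = -1, DEC_BAD_HEADER = -2, DEC_BAD_CHECKSUM = -3 };

struct ip_info {
    unsigned header_len, total_len, ttl, protocol, frag_offset;  /* lengths and offset in octets */
    int dont_fragment, more_fragments;
    uint8_t src[4], dst[4];
};
struct tcp_info {
    unsigned src_port, dst_port, header_len, flags, window;
    uint32_t seq, ack;
};

static unsigned be16(const uint8_t *p) { return (unsigned)p[0] << 8 | p[1]; }
static uint32_t be32(const uint8_t *p) { return (uint32_t)be16(p) << 16 | be16(p + 2); }

/* One's-complement sum of the 16-bit header words; 0xFFFF means the checksum holds. */
static unsigned header_sum(const uint8_t *p, size_t len)
{
    unsigned long sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2) sum += be16(p + i);
    while (sum >> 16) sum = (sum & 0xFFFF) + (sum >> 16);
    return (unsigned)sum;
}

int decode_ip(const uint8_t *p, size_t len, struct ip_info *ip)
{
    if (len < 20) return DEC_TRUNCATED;              /* minimum header: five 32-bit words */
    ip->header_len = (p[0] & 0x0Fu) * 4;
    if ((p[0] >> 4) != 4 || ip->header_len < 20) return DEC_BAD_HEADER;
    if (len < ip->header_len) return DEC_TRUNCATED;
    ip->total_len = be16(p + 2);
    if (ip->total_len < ip->header_len) return DEC_BAD_HEADER;
    if (header_sum(p, ip->header_len) != 0xFFFF) return DEC_BAD_CHECKSUM;
    unsigned ff = be16(p + 6);                       /* 3 flag bits, then 13-bit offset */
    ip->dont_fragment = (ff >> 14) & 1;
    ip->more_fragments = (ff >> 13) & 1;
    ip->frag_offset = (ff & 0x1FFF) * 8;             /* field counts 64-bit units */
    ip->ttl = p[8];
    ip->protocol = p[9];
    memcpy(ip->src, p + 12, 4);
    memcpy(ip->dst, p + 16, 4);
    return DEC_OK;
}

int decode_tcp(const uint8_t *p, size_t len, struct tcp_info *t)
{
    if (len < 20) return DEC_TRUNCATED;
    t->header_len = (p[12] >> 4) * 4u;               /* data offset counts 32-bit words */
    if (t->header_len < 20) return DEC_BAD_HEADER;
    if (len < t->header_len) return DEC_TRUNCATED;
    t->src_port = be16(p);
    t->dst_port = be16(p + 2);
    t->seq = be32(p + 4);
    t->ack = be32(p + 8);
    t->flags = p[13] & 0x3F;                         /* URG ACK PSH RST SYN FIN */
    t->window = be16(p + 14);
    return DEC_OK;
}

/* Returns 1 when a TCP header was decoded, 0 for other protocols or for
   fragments that do not start the datagram, and a negative DEC_ code on error. */
int decode_datagram(const uint8_t *p, size_t len, struct ip_info *ip, struct tcp_info *tcp)
{
    int rc = decode_ip(p, len, ip);
    if (rc != DEC_OK) return rc;
    if (ip->protocol != 6 || ip->frag_offset != 0) return 0;
    size_t avail = len < ip->total_len ? len : ip->total_len;   /* ignore bytes past the datagram */
    rc = decode_tcp(p + ip->header_len, avail - ip->header_len, tcp);
    return rc == DEC_OK ? 1 : rc;
}

/* Port numbers named in sections 3.2.7 to 3.2.9. */
const char *service_name(unsigned port)
{
    return port == 21 ? "FTP" : port == 23 ? "Telnet" : port == 25 ? "SMTP" : "other";
}

/* Constructed sample: 192.168.0.1 port 1025 sends SYN to 192.168.0.199 port 23.
   The IP header checksum is valid; the TCP checksum is left zero and not checked. */
static const uint8_t sample_packet[40] = {
    0x45, 0x00, 0x00, 0x28, 0x00, 0x00, 0x40, 0x00, 0x40, 0x06, 0xB8, 0xB7,
    0xC0, 0xA8, 0x00, 0x01, 0xC0, 0xA8, 0x00, 0xC7,
    0x04, 0x01, 0x00, 0x17, 0x00, 0x00, 0x00, 0x64, 0x00, 0x00, 0x00, 0x00,
    0x50, 0x02, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00
};

int main(void)
{
    struct ip_info ip;
    struct tcp_info tcp;
    if (decode_datagram(sample_packet, sizeof sample_packet, &ip, &tcp) == 1)
        printf("TCP %u -> %u (%s), flags 0x%02X, TTL %u\n", tcp.src_port,
               tcp.dst_port, service_name(tcp.dst_port), tcp.flags, ip.ttl);
    return 0;
}
```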
3.2.3 UDP
The User Datagram Protocol (UDP) is the Internet standard protocol that allows an application program on one machine to send a datagram to an application program on another machine. It uses the IP layer and adds the ability to communicate with different programs on the remote machine by means of a protocol port number.
The format of the UDP protocol data unit is shown in Figure 3.9. It is at the same layer as TCP.
• Source Port (16 bits): This is optional and for sending replies.
• Destination Port (16 bits): This is the port number of the waiting process.
• Length (16 bits): Length of UDP packet in octets.
• UDP Checksum (16 bits): Used for error detection.
3.2.4 ICMP
A host or gateway needs to be able to communicate control information and report error information. This is accomplished with the Internet Control Message Protocol (ICMP) which is a required companion of the IP protocol but is not itself a higher layer protocol. There are several types of defined ICMP message types and they are:
• Echo Reply
• Destination Unreachable
• Source Quench
• Redirect (change a route)
• Echo Request
• Time Exceeded for a Datagram
• Parameter Problem for a Datagram
• Timestamp Request
• Timestamp Reply
• Information Request
• Information Reply
• Address Mask Request
• Address Mask Reply

Bit positions 0, 8, 16, 31; one row per 32-bit word:
Type | Code | Checksum
Parameters
Information
Figure 3.10: ICMP protocol data unit

The ICMP PDU format is shown in Figure 3.10 and the field descriptions are given below.
• Type (8 bits): Specifies the type of ICMP message.
• Code (8 bits): Used to specify parameters that can be encoded in a few bits.
• Checksum (16 bits): Used for error detection.
• Parameters (32 bits): Used to specify more lengthy parameters.
• Information (variable): Provides additional information related to the message.
3.2.5 ARP/RARP
The address resolution protocol (ARP) allows a host to find the physical address of another host on the same physical network when only the Internet address is known. The physical address is then used by the network access layer. It does this by broadcasting an ARP request that contains the internet address of the host whose physical address it needs. To keep from sending too many unnecessary ARP requests each machine keeps a cache of physical addresses it has used recently.
The ARP protocol does not take into account the case of a diskless workstation, where the workstation would have to use the network to access the server and obtain the physical address. For this case the reverse address resolution protocol (RARP) was developed.
These protocols do not map exactly into the OSI reference model but are between the data link layer and the internet layer. The format of the ARP/RARP protocol data unit is shown in Figure 3.11.

Bit positions 0, 16, 32; one row per 32-bit word:
Hardware Type Code | Protocol Type Code
Octets in Each Hardware Address | Octets in Each Protocol Address | Operation Code
Sender Hardware Address (octets 0-3)
Sender Hardware Address (octets 4-5) | Sender Internet Address (octets 0-1)
Sender Internet Address (octets 2-3) | Target Hardware Address (octets 0-1)
Target Hardware Address (octets 2-5)
Target Internet Address (0-3)
Figure 3.11: ARP/RARP protocol data unit

• Hardware (16 bits): This field specifies the hardware interface type; it is 1 for Ethernet.
• Protocol (16 bits):
• HLEN (8 bits): Physical hardware address length.
• PLEN (8 bits): Protocol address length.
• SENDER HA (variable): Hardware address of sender.
• SENDER IA (variable): Internet address of sender.
• TARGET HA (variable): Hardware address of destination.
• TARGET IA (variable): Internet address of destination only in response.

Bit positions 0, 8, 16, 31; one row per 32-bit word:
COMMAND | VERSION | RESERVED
FAMILY OF NET 1 | NET 1 ADDR., OCTETS 1-2
NET 1 ADDRESS, OCTETS 3-6
NET 1 ADDRESS, OCTETS 7-10
NET 1 ADDRESS, OCTETS 11-14
DISTANCE OF NETWORK 1
Figure 3.12: RIP protocol data unit
3.2.6 RIP
Routing Information Protocol (RIP) is the protocol used to exchange routing information among computers. It is the most popular interior gateway protocol (IGP) because it is distributed with many UNIX systems.
The protocol format is shown in Figure 3.12.
• Command (8 bits): Either a request or response for routing information.
• Version (8 bits): The protocol version number.
• Reserved (16 bits): Reserved for future use.
• Family of Net 1 (8 bits): Identifies the protocol family.
• Net 1 Address (variable): Can be up to 14 octets.
• Distance of Network 1 (8 bits): Integer count of gateway hops.
3.2.7 Telnet
Telnet is the Internet standard protocol for remote terminal connection service.
Telnet allows a user at one site to interact with a remote computer at another site as if the user's terminal connected directly to the remote machine. This process does not use a PDU but communicates directly with the TCP layer by setting the source port and destination port fields in the TCP PDU to 23.
3.2.8 FTP
File Transfer Protocol (FTP) is the Internet standard high level protocol for transferring files from one computer to another. This process does not use a PDU but communicates directly with the TCP layer by setting the source port and destination port fields in the TCP PDU to 21.
3.2.9 SMTP
Simple Mail Transfer Protocol (SMTP) is the Internet standard protocol for transferring electronic mail messages from one machine to another. SMTP specifies how two mail systems interact and the format of control messages they exchange to transfer mail. This process does not use a PDU but communicates directly with the TCP layer by setting the source port and destination port fields in the TCP PDU to 25.

Preamble | Destination Address | Source Address | Packet Type | Data          | CRC
8 Bytes  | 6 Bytes             | 6 Bytes        | 2 Bytes     | 42-1500 Bytes | 4 Bytes
Figure 3.13: Ethernet frame
3.3 Ethernet
Ethernet is a network with a bus topology that uses a medium access control (MAC) technique known as Carrier Sense Multiple Access with Collision Detection (CSMA/CD) [12] [13]. Ethernet was developed by Xerox and has become an IEEE standard, IEEE 802.3. Each station wishing to transmit listens to see if the bus is idle and if it is idle then it transmits. If, however, the bus is busy, the station waits until the bus is idle and then transmits. If a collision is detected during transmission the station stops transmitting and instead transmits a jam signal. The node then waits a random amount of time and then retransmits.
The format of the frame for Ethernet is shown in Figure 3.13.
• Preamble (64 bits): Provides packet and bit synchronization.
• Destination Address (48 bits): This is variable in IEEE 802.3 frame format.
• Source Address (48 bits): This is variable in IEEE 802.3 frame format. Each vendor is assigned a range of Ethernet addresses based on the upper 24 bits. Table 3.1 shows most of the current vendor address assignments.
• Packet Type (16 bits): In IEEE 802.3 frame format this is the length field. In Ethernet it determines the protocol type. Table 3.2 shows most of the current assignments for the type field.
• Data (Variable): This has some additional information at the beginning and padding at the end in the IEEE 802.3 frame format.
• CRC (32 bits):
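The frame fields above decide how the rest of a captured frame is decoded: the 16-bit field after the addresses is either an IEEE 802.3 length or an Ethernet type, and type 0806 selects the ARP format of section 3.2.5. The following is an added example, not the thesis's own source code; the names and the sample frame are constructed, the buffer is assumed to start at the destination address with preamble and CRC already removed, and the comparison of the ARP sender hardware address with the frame source address is an extra consistency check a monitor can report.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum frame_kind { FRAME_ETHERNET, FRAME_IEEE_802_3 };

struct eth_info {
    enum frame_kind kind;
    unsigned type_or_len;          /* Packet Type, or length in IEEE 802.3 format */
    uint32_t src_vendor;           /* upper 24 bits of the source address */
    int broadcast;                 /* destination address is all ones */
    const uint8_t *src, *payload;
    size_t payload_len;
};

struct arp_info {
    unsigned hardware, protocol, hlen, plen, operation;
    const uint8_t *sender_ha, *sender_ia, *target_ha, *target_ia;
};

static unsigned be16(const uint8_t *p) { return (unsigned)p[0] << 8 | p[1]; }

/* Returns 0 on success, -1 when the frame is shorter than its own fields claim. */
int decode_ethernet(const uint8_t *f, size_t len, struct eth_info *e)
{
    static const uint8_t bcast[6] = { 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF };
    if (len < 14) return -1;
    e->broadcast = memcmp(f, bcast, 6) == 0;
    e->src = f + 6;
    e->src_vendor = (uint32_t)f[6] << 16 | (uint32_t)f[7] << 8 | f[8];
    e->type_or_len = be16(f + 12);
    e->payload = f + 14;
    e->payload_len = len - 14;
    if (e->type_or_len <= 0x05DC) {              /* Table 3.2: 0000-05DC is a length */
        e->kind = FRAME_IEEE_802_3;
        if (e->type_or_len > e->payload_len) return -1;
        e->payload_len = e->type_or_len;         /* exclude trailing padding */
    } else {
        e->kind = FRAME_ETHERNET;
    }
    return 0;
}

/* HLEN and PLEN come from the packet, so they are checked before any address is read. */
int decode_arp(const uint8_t *p, size_t len, struct arp_info *a)
{
    if (len < 8) return -1;
    a->hardware = be16(p);
    a->protocol = be16(p + 2);
    a->hlen = p[4];
    a->plen = p[5];
    a->operation = be16(p + 6);
    if (len < 8 + 2u * (a->hlen + a->plen)) return -1;
    a->sender_ha = p + 8;
    a->sender_ia = a->sender_ha + a->hlen;
    a->target_ha = a->sender_ia + a->plen;
    a->target_ia = a->target_ha + a->hlen;
    return 0;
}

/* 1 when the ARP sender hardware address equals the frame's source address. */
int arp_sender_matches_frame(const struct eth_info *e, const struct arp_info *a)
{
    return a->hlen == 6 && memcmp(a->sender_ha, e->src, 6) == 0;
}

/* A few entries from Table 3.1 and Table 3.2. */
const char *vendor_name(uint32_t v)
{
    return v == 0x00000C ? "Cisco" : v == 0x02608C ? "3Com" :
           v == 0x080020 ? "Sun" : v == 0x08002B ? "DEC" : "unknown";
}
const char *type_name(unsigned t)
{
    return t == 0x0800 ? "DOD IP" : t == 0x0806 ? "ARP" : t == 0x6004 ? "DEC LAT" : "unknown";
}

/* Constructed sample: broadcast ARP request from 08:00:20:01:02:03 (192.168.0.1)
   for 192.168.0.199, zero-padded to 60 octets. */
static const uint8_t sample_frame[60] = {
    0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x08, 0x00, 0x20, 0x01, 0x02, 0x03, 0x08, 0x06,
    0x00, 0x01, 0x08, 0x00, 0x06, 0x04, 0x00, 0x01,
    0x08, 0x00, 0x20, 0x01, 0x02, 0x03, 0xC0, 0xA8, 0x00, 0x01,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC0, 0xA8, 0x00, 0xC7
};

int main(void)
{
    struct eth_info e;
    struct arp_info a;
    if (decode_ethernet(sample_frame, sizeof sample_frame, &e) == 0 &&
        e.kind == FRAME_ETHERNET && e.type_or_len == 0x0806 &&
        decode_arp(e.payload, e.payload_len, &a) == 0)
        printf("%s station, %s operation %u, sender consistent: %d\n",
               vendor_name(e.src_vendor), type_name(e.type_or_len),
               a.operation, arp_sender_matches_frame(&e, &a));
    return 0;
}
```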
Table 3.1: Ethernet Address Assignments for Vendors
Address   Vendor and notes
00000C    Cisco
00000F    NeXT
000010    Sytek
00001D    Cabletron
000020    DIAB (Data Industrier AB)
000022    Visual Technology
00002A    TRW
00005A    S & Koch
00005E    IANA
000065    Network General
00006B    MIPS
000077    MIPS
00007A    Ardent
000089    Cayman Systems Gatorbox
000093    Proteon
00009F    Ameristar Technology
0000A2    Wellfleet
0000A3    Network Application Technology
0000A6    Network General (internal assignment, not for products)
0000A7    NCD X-terminals
0000A9    Network Systems
0000AA    Xerox Xerox machines
0000B3    CIMLinc
0000B7    Dove Fastnet
0000BC    Allen-Bradley
0000C0    Western Digital
0000C6    HP Intelligent Networks Operation (formerly Eon Systems)
0000C8    Altos
0000C9    Emulex Terminal Servers
0000D7    Dartmouth College (NED Router)
0000D8    3Com? Novell? PS/2
0000DD    Gould
0000DE    Unigraph
0000E2    Acer Counterpoint
0000EF    Alantec
0000FD    High Level Hardware (Orion, UK)
000102    BBN BBN internal usage (not registered)
001700    Kabel
00802D    Xylogics, Inc. Annex terminal servers
00808C    Frontier Software Development
00AA00    Intel
00DD00    Ungermann-Bass
00DD01    Ungermann-Bass
020701    MICOM/Interlan UNIBUS or QBUS machines, Apollo
020406    BBN BBN internal usage (not registered)
026086    Satelcom MegaPac (UK)
02608C    3Com IBM PC; Imagen; Valid; Cisco
02CF1F    CMC Masscomp; Silicon Graphics; Prime EXL
080002    3Com (Formerly Bridge)
080003    ACC (Advanced Computer Communications)
080005    Symbolics Symbolics LISP machines
080008    BBN
080009    Hewlett-Packard
08000A    Nestar Systems
08000B    Unisys
080010    AT&T
080011    Tektronix, Inc.
080014    Excelan BBN Butterfly, Masscomp, Silicon Graphics
080017    NSC
08001A    Data General
08001B    Data General
08001E    Apollo
080020    Sun Sun machines
080022    NBI
080025    CDC
080026    Norsk Data (Nord)
080027    PCS Computer Systems GmbH
080028    TI Explorer
08002B    DEC
08002E    Metaphor
08002F    Prime Computer Prime 50-Series LHC300
080036    Intergraph CAE stations
080037    Fujitsu-Xerox
080038    Bull
080039    Spider Systems
080041    DCA Digital Comm. Assoc.
080045    ???? (maybe Xylogics, but they claim not to know this number)
080046    Sony
080047    Sequent
080049    Univation
08004C    Encore
08004E    BICC
080056    Stanford University
080058    ??? DECsystem-20
08005A    IBM
080067    Comdesign
080068    Ridge
080069    Silicon Graphics
08006E    Excelan
080075    DDE (Danish Data Elektronik A/S)
08007C    Vitalink TransLAN III
080080    XIOS
080086    Imagen/QMS
080087    Xyplex terminal servers
080089    Kinetics AppleTalk-Ethernet interface
08008B    Pyramid
08008D    XyVision XyVision machines
080090    Retix Inc Bridges
484453    HDS ???
800010    AT&T misrepresentation of 080010?
AA0000    DEC obsolete
AA0001    DEC obsolete
AA0002    DEC obsolete
AA0003    DEC Global physical address for some DECs
AA0004    DEC Local logical address for running DECNET
Table 3.2: Ethernet Type Field Assignments

Decimal  Hex        Assignment
000      0000-05DC  IEEE802.3 Length Field
257      0101-01FF  Experimental
0512     0200       XEROX PUP (see 0A00)
513      0201       PUP Addr Trans (see 0A01)
1536     0600       XEROX NS IDP
2048     0800       DOD IP
2049     0801       X.75 Internet
2050     0802       NBS Internet
2051     0803       ECMA Internet
2052     0804       Chaosnet
2053     0805       X.25 Level 3
2054     0806       ARP
2055     0807       XNS Compatability
2076     081C       Symbolics Private
2184     0888-088A  Xyplex
2304     0900       Ungermann-Bass net debugr
2560     0A00       Xerox IEEE802.3 PUP
2561     0A01       PUP Addr Trans
2989     0BAD       Banyan Systems
4096     1000       Berkeley Trailer nego
4097     1001-100F  Berkeley Trailer encap/IP
5632     1600       Valid Systems
16962    4242       PCS Basic Block Protocol
21000    5208       BBN Simnet
24576    6000       DEC Unassigned (Exp.)
24577    6001       DEC MOP Dump/Load
24578    6002       DEC MOP Remote Console
24579    6003       DEC DECNET Phase IV Route
24580    6004       DEC LAT
24581    6005       DEC Diagnostic Protocol
24582    6006       DEC Customer Protocol
24583    6007       DEC LAVC, SCA
24584    6008-6009  DEC Unassigned
24586    6010-6014  3Com Corporation
28672    7000       Ungermann-Bass download
28674    7002       Ungermann-Bass dia/loop
28704    7020-7029  LRT
28720    7030       Proteon
28724    7034       Cabletron
32771    8003       Cronus VLN
32772    8004       Cronus Direct
32773    8005       HP Probe
32774    8006       Nestar
32776    8008       AT&T
32784    8010       Excelan
32787    8013       SGI diagnostics
32788    8014       SGI network games
32789    8015       SGI reserved
32780    8016       SGI bounce server
32783    8019       Apollo Computers
32815    802E       Tymshare
32816    802F       Tigan, Inc.
32821    8035       Reverse ARP
32822    8036       Aeonic Systems
32824    8038       DEC LANBridge
32825    8039-803C  DEC Unassigned
32829    803D       DEC Ethernet Encryption
32830    803E       DEC Unassigned
32831    803F       DEC LAN Traffic Monitor
32832    8040-8042  DEC Unassigned
32836    8044       Planning Research Corp.
32838    8046       AT&T
32839    8047       AT&T
32841    8049       ExperData
32859    805B       Stanford V Kernel exp.
32860    805C       Stanford V Kernel prod.
32861    805D       Evans & Sutherland
32864    8060       Little Machines
32866    8062       Counterpoint Computers
32869    8065-8066  Univ. of Mass. @ Amherst
32871    8067       Veeco Integrated Auto.
32872    8068       General Dynamics
32873    8069       AT&T
32874    806A       Autophon
32876    806C       ComDesign
32877    806D       Compugraphic Corp.
32878    806E-8077  Landmark Graphics Corp.
32890    807A       Matra
32891    807B       Dansk Data Elektronik
32892    807C       Merit Internodal
32893    807D-807F  Vitalink Communications
32896    8080       Vitalink TransLAN III
32897    8081-8083  Counterpoint Computers
32923    809B       Appletalk
32924    809C-809E  Datability
32927    809F       Spider Systems Ltd.
32931    80A3       Nixdorf Computers
32932    80A4-80B3  Siemens Gammasonics Inc.
32960    80C0-80C3  DCA Data Exchange Cluster
32966    80C6       Pacer Software
32967    80C7       Applitek Corporation
32968    80C8-80CC  Intergraph Corporation
32973    80CD-80CE  Harris Corporation
32974    80CF-80D2  Taylor Instrument
32979    80D3-80D4  Rosemount Corporation
32981    80D5       IBM SNA Service on Ether
32989    80DD       Varian Associates
32990    80DE-80DF  Integrated Solutions TRFS
32992    80E0-80E3  Allen-Bradley
32996    80E4-80F0  Datability
33010    80F2       Retix
33011    80F3       AppleTalk AARP (Kinetics)
33012    80F4-80F5  Kinetics
33015    80F7       Apollo Computer
33023    80FF-8103  Wellfleet Communications
33031    8107-8109  Symbolics Private
33072    8130       Waterloo Microsystems
33073    8131       VG Laboratory Systems
33079    8137-8138  Novell, Inc.
33081    8139-813D  KTI
33100    814C       SNMP
36864    9000       Loopback
36865    9001       3Com(Bridge) XNS Sys Mgmt
36866    9002       3Com(Bridge) TCP-IP Sys
36867    9003       3Com(Bridge) loop detect
65280    FF00       BBN VITAL-LanBridge cache
4. NETWORK MONITOR DESIGN
4.1 Hardware
The hardware used for this research was a 386 IBM-compatible PC with an Ethernet board installed. The board is described below.
The 3Com Etherlink Plus adapter (3C505) is a high-performance intelligent adapter board for IBM ATs, PCs and compatibles. The adapter contains its own on-board 80186 microprocessor and 256 to 512 KB of memory. Network packet reception and transmission is handled by an 82586 Ethernet coprocessor. The board has 16K bytes of ROM installed, which implements firmware to provide a host-accessible command structure, initialization diagnostics, packet transmission and reception, and the capability to load programs onto the board. The board has two interfaces to allow connection to Ethernet. It has an on-board transceiver and BNC connection, which allows you to connect directly to a thin Ethernet coax segment, or a serial transceiver connection, which allows you to connect through a transceiver cable to an external transceiver that can be for either thick or thin Ethernet coax cable.
4.2 Software
The software was written in the C language, coded for the Microsoft C compiler, and in assembly language, coded for the Microsoft Macro Assembler. A library of driver routines that came with the Ethernet board was also used. C Windows Toolkit, which is a C windowing library of routines, was also used.
Figure 4.1: Block diagram of the User Interface (blocks: User Interface, Data Collection, Data Display, File I/O, Filters, Protocol Display, Driver)
4.2.1 User Interface
C Windows Toolkit was chosen to develop the user interface after looking at several different libraries because it had windows that could be scrolled both horizontally and vertically, and the other C windowing libraries did not have windowing routines with this capability. The user interface was designed with Lynn Christiansen, who is developing an FDDI monitor. The monitor designed in this thesis and that designed by Lynn Christiansen were to be used in computer networking courses at Iowa State, so the user interface was standardized as much as possible.
A block diagram of the user interface menu structure is shown in Figure 4.1.
4.2.2 Filters
The monitor was designed to let the user set filters on the data to be captured. The three types of filters are:
• Ethernet Address: This can be either source or destination addresses.
• Protocol: This could be any of the higher layer protocols based on the Ethernet type field.
• Pattern: This captures frames that contain a given pattern.
Selecting a combination of the three types of filters is also allowed. The user interface menus for setting up the filter options are shown in Figure 4.2.
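The three filter types and their combination, written out as an added C example (not code from the thesis). The struct and function names, the PROTO_LLC selector, and counting the pattern offset from the first byte of the destination address are assumptions; the sample frame is constructed from the values shown in Figures 4.4 and 4.6.

```c
/* Added example: the monitor's three capture filters applied to a raw frame. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_HDR_LEN 14       /* destination (6) + source (6) + type (2) */
#define LLC_MAX     0x05DC   /* a type field <= 1500 is an IEEE 802.3 length */
#define PROTO_LLC   0x0000   /* assumed selector for the "LLC Packets" choice */
#define MAX_PATTERN 8

enum addr_dir { ADDR_FROM, ADDR_TO, ADDR_BOTH };

struct capture_filter {
    int           use_addr;      /* station address filter enabled */
    enum addr_dir dir;
    uint8_t       addr[6];
    int           use_proto;     /* protocol (type field) filter enabled */
    uint16_t      proto;
    int           use_pattern;   /* pattern filter enabled */
    size_t        offset;        /* assumed: counted from byte 0 of the frame */
    size_t        pattern_len;
    uint8_t       pattern[MAX_PATTERN];
};

/* Returns 1 when the frame passes every enabled filter, otherwise 0. */
int filter_match(const struct capture_filter *flt, const uint8_t *frame, size_t len)
{
    if (len < ETH_HDR_LEN)
        return 0;                /* too short to hold the header fields */

    if (flt->use_addr) {
        int to   = memcmp(frame,     flt->addr, 6) == 0;
        int from = memcmp(frame + 6, flt->addr, 6) == 0;
        if (flt->dir == ADDR_TO   && !to)          return 0;
        if (flt->dir == ADDR_FROM && !from)        return 0;
        if (flt->dir == ADDR_BOTH && !to && !from) return 0;
    }
    if (flt->use_proto) {
        uint16_t type = (uint16_t)((frame[12] << 8) | frame[13]);
        if (flt->proto == PROTO_LLC) {
            if (type > LLC_MAX) return 0;
        } else if (type != flt->proto) {
            return 0;
        }
    }
    if (flt->use_pattern) {
        /* Subtract instead of adding so offset + pattern_len cannot wrap. */
        if (flt->pattern_len == 0 || flt->pattern_len > MAX_PATTERN) return 0;
        if (flt->offset > len || flt->pattern_len > len - flt->offset) return 0;
        if (memcmp(frame + flt->offset, flt->pattern, flt->pattern_len) != 0)
            return 0;
    }
    return 1;
}

/* Constructed sample: 60 bytes as captured (no preamble, no CRC). */
static const uint8_t SAMPLE_FRAME[60] = {
    0x08,0x00,0x2B,0x17,0x95,0x14, 0x08,0x00,0x87,0x00,0x76,0xDB, 0x08,0x00,
    0x45,0x00,0x00,0x2C,0x00,0x02,0x00,0x00,0x40,0x06,0x12,0xFA,
    0x81,0xBA,0x63,0x15, 0x81,0xBA,0x01,0x47,
    0x10,0x8D,0x00,0x17,0x00,0x0B,0xD7,0x2C,0x00,0x00,0x00,0x01,
    0x60,0x02,0x01,0x00,0x4C,0x20,0x00,0x00,0x02,0x04,0x01,0x00  /* 2 pad bytes follow */
};

#define STATION {0x08,0x00,0x87,0x00,0x76,0xDB}   /* source station of the sample */
static const struct capture_filter FLT_NONE = {0};
static const struct capture_filter FLT_FROM = { .use_addr = 1, .dir = ADDR_FROM, .addr = STATION };
static const struct capture_filter FLT_TO   = { .use_addr = 1, .dir = ADDR_TO,   .addr = STATION };
static const struct capture_filter FLT_ARP  = { .use_proto = 1, .proto = 0x0806 };
static const struct capture_filter FLT_TELNET = {      /* all three filters combined */
    .use_addr = 1, .dir = ADDR_BOTH, .addr = STATION,
    .use_proto = 1, .proto = 0x0800,
    .use_pattern = 1, .offset = 36, .pattern_len = 2, .pattern = {0x00, 0x17} };
static const struct capture_filter FLT_PAST_END = {    /* pattern would run off the frame */
    .use_pattern = 1, .offset = 59, .pattern_len = 2, .pattern = {0x00, 0x00} };

int main(void)
{
    const struct capture_filter *f[] = { &FLT_NONE, &FLT_FROM, &FLT_TO,
                                         &FLT_ARP, &FLT_TELNET, &FLT_PAST_END };
    const char *name[] = { "none", "from", "to", "arp", "telnet", "past-end" };
    for (size_t i = 0; i < sizeof f / sizeof f[0]; i++)
        printf("%-9s %s\n", name[i],
               filter_match(f[i], SAMPLE_FRAME, sizeof SAMPLE_FRAME) ? "capture" : "skip");
    return 0;
}
```

A fixed offset of 36 reaches the TCP destination port only when the IP header carries no options, which is why the combined filter pairs the pattern with the protocol filter.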
4.2.3 Data Capture
The monitor was designed to allow a user to capture data and store it to the hard disk for later display and analysis.
The screen displayed during data capture is shown in Figure 4.3.
The data can be displayed as the user is capturing the data, although no detailed analysis can be done on the data during capture.
4.2.4 Data Display Windows
After the data are captured they can be displayed in several different windows. The different windows include a summary display window, a detail display window, and a hexadecimal display window. All three windows, any combination of two windows, or a single window can be displayed on the screen. Figure 4.4 shows a view of the screen with all three windows active.
Figure 4.2: Filtering Setup Menus (screen captures of the Ethernet Monitor and Protocol Analyzer menus. Main Menu: Filter Setup, Capture Data, Examine Data, Store/Restore Data, Network Statistics, Quit. Filter Menu: Station Address, Protocol, Match Pattern, No Filter. Protocol Type: LLC, IP, ARP, RARP, 3COM, Apollo, Ethertalk and All Others packets. Address: From Station, To Station, Both To & From, with a Filter Address entry field. Match Pattern: OFFSET and VALUE entry fields.)
Figure 4.3: Data Capture Screen (screen capture: one line per captured frame under the columns NUM, LEN, DESTINATION, SOURCE, TYPE and DATA, with a running count of bytes left)
Figure 4.4: Data Display Windows (screen capture with the summary, detail and hexadecimal windows active at the same time)
4.2.4.1 Summary Display Window
In the summary display window just one line is displayed for each packet and the packet is truncated at the edge of the screen. It includes the source address and destination address fields of the Ethernet frame. Figure 4.5 shows the summary display window.
4.2.4.2 Detail Display Window
In the detail display window each protocol type is identified and each standard field in the protocol is labeled and decoded and is usually displayed on a line by itself. Figure 4.6 shows the detail display window.
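An added example (not the thesis's own source) of the decode behind the detail window: it reads the frame fields of Section 3.3, tells an Ethernet type from an IEEE 802.3 length, and labels the IP and TCP fields, checking every length against the bytes actually captured. All identifiers are assumptions, the vendor rows come from Table 3.1, and both sample frames are constructed from values shown in the figures.

```c
/* Added example: bounds-checked decode of the Ethernet, IP and TCP headers. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum dec_status { DEC_OK, DEC_TRUNCATED, DEC_NOT_IP, DEC_BAD_IP };

struct decoded {
    enum dec_status status;
    unsigned type_or_len;        /* frame bytes 12-13 */
    int is_8023;                 /* 1: the field is an IEEE 802.3 length */
    const char *src_vendor;      /* from the upper 24 bits of the source address */
    unsigned ip_version, ip_hdr_words, ip_ttl, ip_proto;
    int ip_checksum_ok;
    uint8_t ip_src[4], ip_dst[4];
    unsigned src_port, dst_port;
    const char *dst_service;
};

struct named { uint32_t key; const char *name; };
static const struct named VENDORS[] = {      /* a few rows of Table 3.1 */
    {0x0000C0, "Western Digital"}, {0x02608C, "3Com"}, {0x08002B, "DEC"},
    {0x080087, "Xyplex"}, {0x800010, "AT&T"}, {0, NULL} };
static const struct named PORTS[] = {        /* FTP, Telnet, SMTP (Section 3.2) */
    {21, "FTP"}, {23, "Telnet"}, {25, "SMTP"}, {0, NULL} };

static const char *lookup(const struct named *t, uint32_t key)
{
    for (; t->name != NULL; t++)
        if (t->key == key) return t->name;
    return "Unknown";
}

static unsigned be16(const uint8_t *p) { return ((unsigned)p[0] << 8) | p[1]; }

/* One's-complement sum of the header words; a valid IP header sums to 0xFFFF. */
static int ip_header_sum_ok(const uint8_t *hdr, size_t hdr_len)
{
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < hdr_len; i += 2) sum += be16(hdr + i);
    while (sum >> 16) sum = (sum & 0xFFFF) + (sum >> 16);
    return sum == 0xFFFF;
}

/* Fills d as far as the captured bytes allow and reports why it stopped. */
static enum dec_status decode_into(const uint8_t *f, size_t len, struct decoded *d)
{
    if (len < 14) return DEC_TRUNCATED;
    d->type_or_len = be16(f + 12);
    d->is_8023 = d->type_or_len <= 0x05DC;
    d->src_vendor = lookup(VENDORS,
                           ((uint32_t)f[6] << 16) | ((uint32_t)f[7] << 8) | f[8]);
    if (d->is_8023 || d->type_or_len != 0x0800) return DEC_NOT_IP;

    const uint8_t *ip = f + 14;
    size_t avail = len - 14;                 /* bytes captured after the frame header */
    if (avail < 20) return DEC_TRUNCATED;
    d->ip_version = ip[0] >> 4;
    d->ip_hdr_words = ip[0] & 0x0F;
    size_t ihl = (size_t)d->ip_hdr_words * 4;
    if (d->ip_version != 4 || ihl < 20) return DEC_BAD_IP;
    if (ihl > avail) return DEC_TRUNCATED;   /* length field points past the capture */
    d->ip_ttl = ip[8];
    d->ip_proto = ip[9];
    d->ip_checksum_ok = ip_header_sum_ok(ip, ihl);
    memcpy(d->ip_src, ip + 12, 4);
    memcpy(d->ip_dst, ip + 16, 4);
    if (d->ip_proto != 6) return DEC_OK;     /* only TCP ports are decoded here */
    if (avail - ihl < 4) return DEC_TRUNCATED;
    d->src_port = be16(ip + ihl);
    d->dst_port = be16(ip + ihl + 2);
    d->dst_service = lookup(PORTS, d->dst_port);
    return DEC_OK;
}

struct decoded decode_frame(const uint8_t *frame, size_t len)
{
    struct decoded d = { .src_vendor = "Unknown", .dst_service = "Unknown" };
    d.status = decode_into(frame, len, &d);
    return d;
}

/* Constructed from the field values in Figures 4.4 and 4.6 (no preamble, no CRC). */
static const uint8_t SAMPLE_IP_FRAME[60] = {
    0x08,0x00,0x2B,0x17,0x95,0x14, 0x08,0x00,0x87,0x00,0x76,0xDB, 0x08,0x00,
    0x45,0x00,0x00,0x2C,0x00,0x02,0x00,0x00,0x40,0x06,0x12,0xFA,
    0x81,0xBA,0x63,0x15, 0x81,0xBA,0x01,0x47,
    0x10,0x8D,0x00,0x17,0x00,0x0B,0xD7,0x2C,0x00,0x00,0x00,0x01,
    0x60,0x02,0x01,0x00,0x4C,0x20,0x00,0x00,0x02,0x04,0x01,0x00 };
/* Constructed: header of an IEEE 802.3 frame (length 0x0026) plus three data bytes. */
static const uint8_t SAMPLE_8023_FRAME[] = {
    0x01,0x80,0xC2,0x00,0x00,0x00, 0x08,0x00,0x2B,0x18,0x7A,0x8D, 0x00,0x26,
    0x42,0x42,0x03 };

int main(void)
{
    struct decoded d = decode_frame(SAMPLE_IP_FRAME, sizeof SAMPLE_IP_FRAME);
    printf("status %d, source vendor %s, IP %u.%u.%u.%u -> %u.%u.%u.%u, port %u (%s)\n",
           d.status, d.src_vendor, d.ip_src[0], d.ip_src[1], d.ip_src[2], d.ip_src[3],
           d.ip_dst[0], d.ip_dst[1], d.ip_dst[2], d.ip_dst[3], d.dst_port, d.dst_service);
    return 0;
}
```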
4.2.4.3 Hexadecimal Display Window
In the hexadecimal display window all bytes are shown in hexadecimal and beside it is a translation into ASCII. Figure 4.7 shows the hexadecimal display window.
Figure 4.5: Summary Display Window (screen capture: one line per frame under the columns NUM, LEN, DESTINATION, SOURCE, TYPE and DATA)
Detail
IP:------INTERNET PROTOCOL HEADER----
IP: Version of IP              4
IP: Datagram Header Length     5
IP: Type of Service            00
IP: Total Length               002C
IP: Identification             0002
IP: Flags                      0
IP: Fragment Offset            0000
IP: Time to Live               40
IP: Protocol Type              06
IP: Header Checksum            12FA
IP: Source IP Address          129.186.99.21
IP: Destination IP Address     129.186.1.71
TCP:------TRANSPORT CONTROL PROTOCOL---
TCP: Source Port               4237 Unkown Type
TCP: Destination Port          23 Telnet
TCP: Sequence Number           000BD72C
TCP: Acknowledgement Number    00000001
Figure 4.6: Detail Display Window

Figure 4.7: Hexadecimal Display Window (screen capture: byte offsets, bytes in hexadecimal under HEX, and their translation under ASCII)

4.2.5 File I/O
A menu is needed to be able to store and restore the captured data files onto and off the hard disk. Figure 4.8 shows the store/restore menu.

Figure 4.8: Store/Restore Menu (screen capture: Main Menu; Store Menu with Load from File and Store to File; Enter Filename entry field)

4.2.6 Statistics
This feature was not implemented but the option was included in the menu so that it could be added at a later time.

4.2.7 Driver Software
The Etherlink Plus adapter comes with driver software. This includes a ROM that provides extensive functions for handling the 82586, and software that resides on the PC. The software includes assembly language routines that are coded using the Microsoft Macro Assembler, and a demonstration C language source file coded in Microsoft C 4.0. The assembly language programs were written in small code model format and needed to be rewritten in large code model format. A library of callable driver support routines was created from the assembly language and C language routines.
The command interface between the host PC and the EtherLink Plus adapter is accomplished by the host passing PCBs (primary command blocks) and the adapter returning response PCBs to the host.

4.2.7.1 Interrupts
The host can be interrupted by the adapter for a PCB response or request, or for DMA done. The adapter can be interrupted by a DMA done, a timer, a command register full, an 82586 interrupt or to reset it.

4.2.7.2 DMA Data Transfers
Some PCBs initiate a data transfer to or from the host. This is usually accomplished by the host or adapter setting up its DMA to transfer data using the adapter's data register port.

5. CONCLUSIONS
This network monitor allows the LAN manager or computer engineering student to monitor what type of packets are on the network and to look at the decoded packets.
Future enhancements that can be added to this monitor include the ability to do statistical analysis of the data. An example of this might be a graphical display of network traffic versus time. Other statistics that might be useful would be percentage of the traffic attributed to a protocol type or station address.
This monitor concentrated on the TCP/IP protocols and applications because they are currently the most prevalent type used. The DOD is, however, committed to migrate to the OSI protocol suite, as are all government agencies, by the year 1992. This standard is called GOSIP, which stands for government OSI protocol. OSI applications that can be included are listed below.
• FTAM: File transfer, access and management.
• MHS: Message Handling System Model (Electronic Mail).
• VTP: Virtual Terminal Protocol.
Ethernet was the physical layer that was selected for this monitor because it is the most prevalent type on campus. Monitors for other types of physical layers such as token ring or FDDI could also be implemented. They would, however, require a different board in the PC to attach to that type of network.

6. BIBLIOGRAPHY
[1] 3Com. The Developer's Guide to Network Adapters. 3Com Corporation, Santa Clara, California, 1989.
[2] Magna Carta Software. C Windows Toolkit. Magna Carta Software, Garland, Texas, 1989.
[3] Jacobson, D., Gaitonde, S., Kim, J., Lee, J., Rover, D., Sarwar, M., Shafiq, M. "A Master/Slave Monitor Measurement Technique for an Operating Ethernet Network." IEEE Network, 1, No. 3 (July 1987), 40-48.
[4] Network General Corporation. The Sniffer: Operation and Reference Manual, Ethernet Version. Network General Corporation, Menlo Park, California, 1988.
[5] Rose, Marshall T. The Open Book: A Practical Perspective on OSI. Prentice Hall, Englewood Cliffs, New Jersey, 1990.
[6] Stallings, William, Mockapetris, Paul, McLeod, Sue and Michel, Tony. Handbook of Computer Communications Standards, Volume 1: The Open Systems Interconnection (OSI) Model and OSI-Related Standards. Macmillan Publishing Company, New York, 1987.
[7] Halsall, Fred. Data Communications, Computer Networks and OSI. Second Edition. Addison-Wesley Publishing Company, Wokingham, England, 1988.
[8] Stallings, William. Data and Computer Communications. Second Edition. Macmillan Publishing Company, New York, 1988.
[9] Comer, Douglas. Internetworking with TCP/IP: Principles, Protocols, and Architecture. Prentice Hall, Englewood Cliffs, New Jersey, 1988.
[10] McConnell, John. Internetworking Computer Systems: Interconnecting Networks and Systems. Prentice Hall, Englewood Cliffs, New Jersey, 1988.
[11] Stallings, William. Handbook of Computer Communications Standards, Volume 3: Department of Defense (DOD) Protocol Standards. Macmillan Publishing Company, New York, 1988.
[12] Stallings, William. Handbook of Computer Communications Standards, Volume 2: Local Network Standards. Macmillan Publishing Company, New York, 1988.
[13] Stallings, William. Local Networks. Second Edition. Macmillan Publishing Company, New York, 1987.

7. APPENDIX A: ACRONYMS
Table 7.1: Acronyms
ARP      Address Resolution Protocol
ARPANET  Advanced Research Projects Agency Network
CSMA/CD  Carrier Sense Multiple Access with Collision Detect
DARPA    Defense Advanced Research Projects Agency
DMA      Direct Memory Access
DOD      Department of Defense
DPA      DOD Protocol Architecture
FDDI     Fiber Distributed Data Interface
FTAM     File Transfer Access and Management
FTP      File Transfer Protocol
GOSIP    Government OSI Protocol
ICMP     Internet Control Message Protocol
IEEE     Institute of Electrical and Electronic Engineers
IGP      Interior Gateway Protocol
IP       Internet Protocol
ISO      International Standards Organization
LAN      Local Area Network
OSI      Open Systems Interconnection
PCB      Primary Command Block
PDU      Protocol Data Unit
RARP     Reverse Address Resolution Protocol
RIP      Routing Information Protocol
ROM      Read Only Memory
SMTP     Simple Mail Transfer Protocol
SPDU     Session Protocol Data Unit
TCP      Transmission Control Protocol
TCP/IP   Transmission Control Protocol/Internet Protocol
TPDU     Transport Protocol Data Unit
UDP      User Datagram Protocol
VTP      Virtual Terminal Protocol

8. APPENDIX B: SOURCE CODE
#define ARP 0x0806
#define IP 0x0800
#define RARP 0x8035
#define TB_COM1 0x6010
IdefiDe 'lB COIIl Ox6011 IdefiDe 'lB-CC*3 OX60U IdefiDe 'lB:CClIC' Ox6013 IdefiDe 'lB_CC*5 Ox60U IdefiD. APOLLO Ox801'7 IdefiDe JmlBa'ULlt OX809S 1MefiDe UJtP Ox80!'3 IdefiD. LLC_HU Ox05DC .truot veDder_code. { UDeigued 10llg veDdor, char *u... , } veD_code.[) - { OXOOOOCO,·... teru Digital·, OXO:l60ac,· 3Co111·, OXO:l0701,·IDterlau·, OX800010,·~'T·, OX0800:lS, ·DBC·, o ,. ·h .truot ._type_u.... { UDeigued iDt e_type, char *u... , } ._type_u_[) - { BP,-AU-, zp,.zp., aAItl' , • aAaP· , 'lB_CC*l, ·3eo.·, Ql 'lB_COIIl, ·3Caa· , ,j:;. 'lB_CC*3, ·3Caa·, 'lB_COII', ·3Caa·, 'lB_C<*5, ·3eo.·, APOLLO,·ApOllo·, B'l'IIBJrZALJt, ·Bthertalk· , UItP, • Appletalk AI\P., 0,· .}, .truot port __ • { UDeigued iDt p_val, char *u... , } port_u .... [) { :11, .1"lP., :13, ·Teluet·, :15, • SIft'P. , 10:1, ·ISo-TSAP·, 513, ·who·, 0, • ·h :;i!i!;li!f{~ti~:f:~:i;1~1~li:i ;~1.b~i;!\*':;f;~~;~~i~!:. void filter""prot(void); "include ) hl_hexlDAX_lia •• ++].lea - 11 hl_hexlDAX_lia •• ] •• tart - .hift_val+61 void prD_ip_bdr(int .hift_val) hl_hex[DAX_lia •• ++] • lea - 21 ( hl_hexlDAX_lia •• ] •• tart - .hift_val+8, int i,j, ver, db_I, Pro_typal talte_out_flatJ., hl_hexlDAX_lia •• ++].lea - 11 hl_hexlDAX_lia •• ] •• tart - .hift_val+9, n..,printf(datail_v.,bright+white,blu., ·IPI----III'l'DIIB'l l'RO'l'OCOL BBADBR---·); hl_hexlDAX_lia •• ++].lea - 11 n..,printt(datail_v.,bright+white,blu.,·\a\rIPI Version ot IP ." hl_hexlmAX_liau] •• tart - .hift_val+101 db_I - dptrl.hift_val] , OxOP, hl_hexlDAX_lia •• ++].lea - 21 nr - dptrl.hift_val] , OxPO, hl_hexlDAX_liae.] •• tart - .hitt_val+121 nr - V8r » .; hl_hexlDAX_lia •• ++].lea - ., n..,printt(datail_v.,bright+white,blu.,·'OLZ·,ver)I hl_hexlDAX_liae.] •• tart - .hift_val+16, n..,printt(datail_v.,bright+white,blu., ·\a\rIPI DatatJr .. 
BeadBr Leagth .), hl_hexlDAX_liae.++].lea - ., n..,printt(datail_v.,bright+white,blu.,·'01Z·,db_l) I for (j-O,j«db_1-5)lj++){ n..,printt(datail_v.,bright+white,blu.,·\a\rIPI Type ot Service ")1 VB..,priatf(datail_v.,bright+vhite,blue,"\n\rIPI Option./Padding tor (i-.hift_val+1Ii ;~~lltlJl!tf~iil1i~i ;~i~lii~~}I,~(ii~t:~;~~. hl_helt[aalt_liD •• ++J • len - 2; ve-priDtf(detall_v.,bright+white,blu.,·'Olx·,.rror_report); } ve,JlriDtf (detall_v., bright+white,blu., ·\D\rISO IPI 'rJpe .); ve,Jlrintf(detall_v.,bright+white,blu.,·'OlX·,type_fi.ld); void prD_udp_hdr(iDt .hut_val) ve,JlriDtf(detall_v.,bright+white,blu., ·\D\rISO IPI SegJMDt Length .); { for (i-.hift_val+5; i<.hift_val+7; i++) "- iDt i; ve,Jlrintf(detall_v.,bright+white,blu.,·'02x·,dptr[iJ); unBigned iat port_val; ve-priDtf(detall_v.,bright+white,blu., ·\n\rISO IPI Check.WII .); for (i-.hift_val+7,i<.hift_val+9;i++) v.-PriDtf(detail_v.,bright+white,blue,·UDPI------USBR DAT1GRAHPROTOCOL ---.J, ve-printf(detall_v.,bright+white,blu.,·'02X·,dptr[i); ve-priDtf(detail_v.,bright+white,blu., ·\a\rUDPl Source Port .) , ve-printf (detall_v., bright+white,blu., ·\n\rISO IPI De.tiDatiOD Addre •• Len.·), port_val - (un.igned) (dptr[.hift_valJ*256+ dptr[.hift_val+1J), a_off.et - dptr[.hift_val+9J, ve-priDtf (detail_v., bright+white,blue, ·'d , •• ,port_val, get-port_a_(port_val»)J ve,JlriDtf(detall_v.,bright+white,blu.,·'02x·,a_off •• t); ve-priatf (detail_v., bright+white,blu., ·\a\rUDPl De.tiDation Port .); ve,Jlrintf(detall_v.,bright+white,blu., ·\n\rISO IPI De.tiDatiOD Addre.. .), port_val - (unBigned) (dptr[.hift_val+2J*256+ dptr[.hift_val+3J); for (i-ehift_val+10,i<.hift_val+10+-_off •• t,i++) ve-priDtf(detail_v.,br1ght+white,blu., ·'d , •• ,port_val, get-port_n-(port_val»; ve,JlriDtf(detail_v.,bright+white,blu.,·'02X·,dptr[iJ), ve-priatf(detail_v.,bright+white,blu., ·\a\rUDPl Length .); ve-priDtf (detall_v., bright+white,blu., ·\n\rISO IPI Sourc. Addr... 
Length .), for (i-.hift_valH;i vw-priDtf(detail_v.,bright+vhite,blue,·.02X·,dptr[i), vw-printf( detail_vs,bright+vhite,blue, "HACa------BBACOH nAKB------.)' 9W-priDtf(detail_v.,brigbt+vhite,blue, • \n\rRARP I OperatiOD (RUP) ." vw-priDtf(detail_vs,bright+vhite,blue, ·\n\:dIACa 1'1:_ COntrol .), for (i-.hift_val+6,i i~':·, i~':·, 0) 0) ~ ~ t\1~~i~41~t~1;:; t\1~~i~41~t~1;:; "), "), "), "), "), "), Address Address ID~PI~OR----"), ID~PI~OR----"), Address Address Contxol Contxol ST~IOR ST~IOR 1'), 1'), 1'), 1'), + + 1'), 1'), SOurce SOurce Destination Destination :rr_ :rr_ + + + + "'02X",dptr[iJ), "'02X",dptr[iJ), dptr[shitt_val+ll], dptr[shitt_val+ll], , , + + "\n\rtW:1 "\n\rtW:1 "HACI----HKXT "HACI----HKXT "\n\rtW:1 "\n\rtW:1 bright+white,blue, bright+white,blue, 6, 6, shitt_val+7, shitt_val+7, 6, 6, shitt_val+l, shitt_val+l, 1, 1, shitt_val, shitt_val, 13, 13, sbitt':"val, sbitt':"val, { { break, break, break, break, prn_ethertalk_hdr() prn_ethertalk_hdr() prn_BpOllo_hdr(), prn_BpOllo_hdr(), break, break, prn_lcOll_hdr(), prn_lcOll_hdr(), COII2I COII2I COIIlI COIIlI COIIll COIIll prn_rarp_hdr(shitt_val prn_rarp_hdr(shitt_val break, break, break, break, prn_ip_hdr(shitt_val prn_ip_hdr(shitt_val break, break, pra_&rp_hdr(shitt_val pra_&rp_hdr(shitt_val - - - - - - - - - - (void) (void) B'IIID'ULlt1 B'IIID'ULlt1 APOLLOI APOLLOI TB-COIISI TB-COIISI ftCOll'1 ftCOll'1 TB- TB TB TB TB IPI IPI ARPI ARPI len len bright+white,blue, bright+white,blue, dptr[shitt_val+12J*2S6 dptr[shitt_val+12J*2S6 bright+white,blue, bright+white,blue, • • .. .. .. .. .. .. 
- shitt_val) shitt_val) _ _ ca ca caM caM caM caM ca ca caM caM ca ca _RUPI _RUPI _ _ (deta11_vs, (deta11_vs, caee caee J.etart J.etart i, i, (deta11_vs, (deta11_vs, ."itch(pkt_type) ."itch(pkt_type) (deta11_vs, (deta11_vs, prn_enet_hdr(shitt_val), prn_enet_hdr(shitt_val), pkt_type pkt_type v.Jlrintt(deta11_vs,bright+white,blue,"'02X",dptr[il), v.Jlrintt(deta11_vs,bright+white,blue,"'02X",dptr[il), v.Jlrintt(deta11_vs,brigbt+wbite,blue,"'02X",dptr[il), v.Jlrintt(deta11_vs,brigbt+wbite,blue,"'02X",dptr[il), v.Jlrintt v.Jlrintt int int do_enst(int do_enst(int prn_etbertalk_hdr prn_etbertalk_hdr prn_apollo_hdr(void) prn_apollo_hdr(void) prn_lOOll_hdr(void) prn_lOOll_hdr(void) prn_next_station(shitt_val) prn_next_station(shitt_val) (i-shitt_val+7,i (i-shitt_val+l,i (i-shitt_val,i ( ( ) ) { { void void ) ) { { void void ( ( ) ) void void ) ) void void hl_hlllt[lIIIIlt_liaes++J.len hl_hlllt[lIIIIlt_liaes++J.len hl_hlllt[lIIIIlt_liaes].start hl_hlllt[lIIIIlt_liaes].start bl_hlllt[lIIIIlt_linul.start bl_hlllt[lIIIIlt_linul.start hl_hlllt[lIIIIlt_lines++] hl_hlllt[lIIIIlt_lines++] hl_hlllt[lIIIIlt_liau++J.len hl_hlllt[lIIIIlt_liau++J.len hl_hlllt[lIIIIlt_lines++l.len hl_hlllt[lIIIIlt_lines++l.len hl_hlllt[RUIlt_linesJ.start hl_hlllt[RUIlt_linesJ.start hl_hlllt[lIaX_linu hl_hlllt[lIaX_linu tor tor v.Jlrintt v.Jlrintt tor tor tor tor vSJlrintt(deta11_vs,bright+white,blue,"\n\rtW:1 vSJlrintt(deta11_vs,bright+white,blue,"\n\rtW:1 vSJlrintt(deta11_vs,bright+white,blue, vSJlrintt(deta11_vs,bright+white,blue, vs-printt vs-printt { { void void "), "), "), "), "), "), "), "), "), "), .), .), .), .), IMPLBKIRTOR----·)' IMPLBKIRTOR----·)' Addre.. Addre.. 
[Rotated listing page, not recoverable from the scan: detail-window print routines prn_reserved(shift_val) and prn_impl_hdr(shift_val)]

        default:
            if (pkt_type <= 1500) {
                prn_invalid_fr...(shift_val);
                prn_llc_hdr(shift_val + 14);
            }
            break;
    }
}

void fill_detail(int curpack)
{
    if (detail_w_exists == TRUE) {
        clear_window(detail_w, &displays_c, WHITE, BLUE, SP);
        clear_virtual_screen(detail_vs, &displays_c, WHITE, BLUE, SP);
        vs_cursor(detail_vs, 0, 0);
        pkt_len = pack_ptr[curpack]->len;
        dptr = pack_ptr[curpack]->packet;
        current_field = 0;
        max_lines = 0;
        if (fddi) {
            do_fddi(0);
            if (max_lines > 4) current_field = 4;
        }
        if (enet) {
            do_enet(0);
            if (max_lines > 4) current_field = 4;
        }
        max_lines--;
        w_load_vs(detail_w, detail_vs, 0, current_field);
        if (detail_w_exists == TRUE) hl_field_d(current_field);
    }
}

void prn_rip_hdr(int shift_val)
{
    int i;

    vs_printf(detail_vs, bright+white, blue, "RIP:------RIP HEADER------");
    vs_printf(detail_vs, bright+white, blue, "\n\rRIP: Command ");
    for (i=shift_val; i<
[...]

void do_fddi(int shift_val)
{
    unsigned char fc, b;

    fc = dptr[shift_val];
    if (fc == 0x80) {            /* unrestricted token */
        prn_token(shift_val, 0);
        return;
    }
    if (fc == 0xC0) {            /* restricted token */
        prn_token(shift_val, 1);
        return;
    }
    fc &= 0xBF;                  /* clear address length */
    if (fc == 0x82) {            /* MAC Beacon */
        prn_mac_beacon(shift_val);
        return;
    }
    if (fc == 0x83) {            /* MAC claim */
        prn_mac_claim(shift_val);
        return;
    }
    b = (fc & 0xF0);
    if (b == 0x80) {             /* MAC Frame */
        prn_mac_hdr(shift_val);
        return;
[...]

                hl_field_d(++current_field);
                if (hex_w_exists == TRUE) hl_field_h(current_field);
                vs_cursor(detail_vs, 0, current_field);
                break;
            case 'h':
                scroll_window(hex_w, 1, white, 0);
                break;
            }
            break;
        case PAGE_UP:
            switch (current_window) {
            case 's':
                if (scroll_summ_up(summary_w->bh)) {
                    fill_detail(current_packet);
                    fill_hex(current_packet);
                    vs_cursor(summary_vs, 0, current_packet-vs_start_pkt);
                }
                break;
            case 'd':
                if (current_field - detail_w->bh <= 0) break;
                uhl_field_d(current_field);
                if (hex_w_exists) uhl_field_h(current_field);
                scroll_window(detail_w, -(detail_w->bh-1), white, 0);
                current_field = current_field - (detail_w->bh-1);
                hl_field_d(current_field);
                if (hex_w_exists) hl_field_h(current_field);
                vs_cursor(detail_vs, 0, current_field);
                break;
            case 'h':
                scroll_window(hex_w, -(hex_w->bh-1), white, 0);
                break;
            }
            break;
        case PAGE_DOWN:
            switch (current_window) {
            case 's':
                if (scroll_summ_down(summary_w->bh)) {
                    fill_detail(current_packet);
                    fill_hex(current_packet);
                    vs_cursor(summary_vs, 0, current_packet-vs_start_pkt);
                }
                break;
            case 'd':
                if ((current_field + detail_w->bh-1) >= max_lines) break;
                uhl_field_d(current_field);
                if (hex_w_exists) uhl_field_h(current_field);
                scroll_window(detail_w, detail_w->bh-1, white, 0);
                current_field = current_field + detail_w->bh-1;
                hl_field_d(current_field);
                if (hex_w_exists) hl_field_h(current_field);
                vs_cursor(detail_vs, 0, current_field);
                break;
            case 'h':
                scroll_window(hex_w, hex_w->bh-1, white, 0);
                break;
            }
            break;
        case RIGHT_ARROW:
            if (current_window == 's') pan_window(summary_w, 1);
            break;
        case LEFT_ARROW:
            if (current_window == 's') pan_window(summary_w, -1);
            break;
        case F1:                 /*HELP KEY*/
            p_error("This key has not been implemented", 0);
            break;
        case F3:                 /*SCREEN OPTIONS KEY*/
            if (summary_w_exists != FALSE) {
                hide_window(summary_w);
                summary_w_exists = FALSE;
                free_window_memory(&summary_w);
            }
            if (detail_w_exists != FALSE) {
                hide_window(detail_w);
                detail_w_exists = FALSE;
                free_window_memory(&detail_w);
            }
            if (hex_w_exists != FALSE) {
                hide_window(hex_w);
                hex_w_exists = FALSE;
                free_window_memory(&hex_w);
            }
            if (displays_w_exists == FALSE) {
                create_popup_menu(&displays_w, &display_ps, 0, 0, 0);
                displays_w_exists = TRUE;
            }
            setup_screen();
            display_window(displays_w, SCR_COL, MENU_ROW, SCR_PR);
            ret3 = get_selection(displays_w);
            if (ret3 == -1) {
                key = ESCAPE;
                restart = 1;
            }
            hide_window(displays_w);
            cls(white, LIGHTGRAY);
            exam_scr...(ret3);
            if (restart != 1) {
                make_help_key();
                make_display_opt_key();
                make_menus_key();
                make_next_frame_key();
                make_prev_frame_key();
                make_zoom_in_key();
            }
            break;
        case F4:                 /*MAIN MENU KEY*/
            key = ESCAPE;
            break;
        case F6:                 /*NEXT FRAME KEY*/
            if (scroll_summ_down(1)) {
                fill_detail(current_packet);
                fill_hex(current_packet);
                vs_cursor(summary_vs, 0, current_packet-vs_start_pkt);
            }
            switch (current_window) {
            case 's':
                vs_cursor(summary_vs, 0, current_packet-vs_start_pkt);
                break;
            case 'd':
                vs_cursor(detail_vs, 0, current_field);
                break;
            case 'h':
                vs_cursor(hex_vs, 0, 0);
                break;
            }
            break;
        case F7:                 /*PREVIOUS FRAME KEY*/
            if (scroll_summ_up(1)) {
                fill_detail(current_packet);
                fill_hex(current_packet);
                vs_cursor(summary_vs, 0, current_packet-vs_start_pkt);
            }
            switch (current_window) {
            case 's':
                vs_cursor(summary_vs, 0, current_packet-vs_start_pkt);
                break;
            case 'd':
                vs_cursor(detail_vs, 0, current_field);
                break;
            case 'h':
                vs_cursor(hex_vs, 0, 0);
                break;
            }
            break;
        case F8:                 /*ZOOM IN KEY*/
            p_error("This key has not been implemented", 0);
            break;
        case TAB:
            switch (current_window) {
            case 's':
                if (detail_w_exists) {
                    clear_box(0, summary_w->strow-1, 0, summary_w->slrow, LIGHTGRAY, LIGHTGRAY, SP);
                    current_window = 'd';
                    clear_box(0, detail_w->strow-1, 0, detail_w->slrow, LIGHTGRAY, WHITE, 0xB2);
                    vs_cursor(detail_vs, 0, current_field);
                }
                else if (hex_w_exists) {
                    clear_box(0, summary_w->strow-1, 0, summary_w->slrow, LIGHTGRAY, LIGHTGRAY, SP);
                    current_window = 'h';
                    clear_box(0, hex_w->strow-1, 0, hex_w->slrow, LIGHTGRAY, WHITE, 0xB2);
                    vs_cursor(hex_vs, 0, 0);
                }
                break;
            case 'd':
                if (hex_w_exists) {
                    clear_box(0, detail_w->strow-1, 0, detail_w->slrow, LIGHTGRAY, LIGHTGRAY, SP);
                    current_window = 'h';
                    clear_box(0, hex_w->strow-1, 0, hex_w->slrow, LIGHTGRAY, WHITE, 0xB2);
                    vs_cursor(hex_vs, 0, 0);
                }
                else if (summary_w_exists) {
                    clear_box(0, detail_w->strow-1, 0, detail_w->slrow, LIGHTGRAY, LIGHTGRAY, SP);
                    current_window = 's';
                    clear_box(0, summary_w->strow-1, 0, summary_w->slrow, LIGHTGRAY, WHITE, 0xB2);
                    vs_cursor(summary_vs, 0, current_packet-vs_start_pkt);
                }
                break;
            case 'h':
                if (summary_w_exists) {
                    clear_box(0, hex_w->strow-1, 0, hex_w->slrow, LIGHTGRAY, LIGHTGRAY, SP);
                    current_window = 's';
                    clear_box(0, summary_w->strow-1, 0, summary_w->slrow, LIGHTGRAY, WHITE, 0xB2);
                    vs_cursor(summary_vs, 0, current_packet-vs_start_pkt);
                }
                else if (detail_w_exists) {
                    clear_box(0, hex_w->strow-1, 0, hex_w->slrow, LIGHTGRAY, LIGHTGRAY, SP);
                    current_window = 'd';
                    clear_box(0, detail_w->strow-1, 0, detail_w->slrow, LIGHTGRAY, WHITE, 0xB2);
                    vs_cursor(detail_vs, 0, current_field);
                }
                break;
            }
            break;
        default:
            break;
        }
    } while (key != ESCAPE);
    free_screens();
    cursor_off();
}

#include
[...]
    create_field(&address_f, &field_p_c, neutrals, NULL, 1,
        "offset: (%[0-9A-Fa-f]c%[0-9A-Fa-f]c-%[0-9A-Fa-f]c%[0-9A-Fa-f]c)"
        "Value : (%[0-9A-Fa-f]c%[0-9A-Fa-f]c-%[0-9A-Fa-f]c%[0-9A-Fa-f]c)");
    vs_load_field(address_f, address_vf, 4, 0);
    address_f->p_uerr = u_err;
    address_f->p_keys = &fields_mk;
    edit_field(address_f, EMPTY, EMPTY, EMPTY, EMPTY);
    vs_cursor(address_vf, 30, 19);
    get_field(address_f, filterinfo);
    if (add_or_type) {           /* match filter */
        do_match_filter = 1;
        sscanf(filterinfo, "%04x%04x", &moffset, &mvalue);
    } else {                     /* address filter */
        do_add_filter = 1;
        sscanf(filterinfo, "%02x%02x%02x%02x%02x%02x",
            &f_address[0][0], &f_address[0][1], &f_address[0][2],
            &f_address[0][3], &f_address[0][4], &f_address[0][5]);
        switch (ret) {
[...]

                do_prot_filter = 1;
                if (ret == 0) filter_llc = 1;
                if (ret == N_PROTOCOLS) filter_others = 1;
            }
        }
        free_window_memory(&protocol_w);
        create_popup_menu(&protocol_w, &protocol_ps, 0, 0, 0);
        display_window(protocol_w, PROT_COL, MENU_ROW, PRO_PR);
        }
    } while (ret != -1);
    hide_window(protocol_w);
}

/* bcmp
   return a 1 if they match
   else return 0
*/
int bcmp(unsigned char* ptr1, unsigned char* ptr2, int len)
{
    int i;

    for (i=0;i<
[...]

/* 0 = pass  1 = filter out */
int filter_match(int len)
{
    if (do_match_filter == 0) return(0);
    if ((unsigned)len < moffset) return(1);
    if (mvalue == ((unsigned)(pkt[moffset]*256) + pkt[moffset+1])) return(0);
    return(1);
}

#include

void make_start_stop_key(void)
{
    clear_box(70,21,76,24,white,blue,' ');
    draw_box(70,21,76,24,DOUBLE,DOUBLE,yellow,blue);
    prints(71,21, lwhite, blue, "10");
    prints(71,22, lwhite, blue, "START");
    prints(71,23, lwhite, blue, "/STOP");
}

void make_help_key(void)
{
    clear_box(2,21,8,24,white,blue,' ');
    draw_box(2,21,8,24,DOUBLE,DOUBLE,yellow,blue);
    prints(3,21, lwhite, blue, "1");
    prints(3,22, lwhite, blue, "HELP");
}

void make_set_mark_key(void)
{
    clear_box(10,21,16,24,white,blue,' ');
    draw_box(10,21,16,24,DOUBLE,DOUBLE,yellow,blue);
    prints(11,21, lwhite, blue, "2");
    prints(11,22, lwhite, blue, "SET");
    prints(11,23, lwhite, blue, "MARK");
}

void clear_buffer_key(void)
{
    clear_box(18,21,24,24,white,blue,' ');
    draw_box(18,21,24,24,DOUBLE,DOUBLE,yellow,blue);
    prints(19,21, lwhite, blue, "3");
    prints(19,22, lwhite, blue, "CLEAR");
    prints(19,23, lwhite, blue, "BUFFR");
}

void make_display_opt_key(void)
{
    clear_box(18,21,24,24,white,blue,' ');
    draw_box(18,21,24,24,DOUBLE,DOUBLE,yellow,blue);
    prints(19,21, lwhite, blue, "3");
    prints(19,22, lwhite, blue, "SCRN");
    prints(19,23, lwhite, blue, "OPTS");
}

void make_exit_key(void)
{
    clear_box(46,21,52,24,white,blue,' ');
    draw_box(46,21,52,24,DOUBLE,DOUBLE,yellow,blue);
    prints(47,21, lwhite, blue, "7");
    prints(47,22, lwhite, blue, "EXIT");
}

void make_prev_frame_key(void)
{
    clear_box(46,21,52,24,white,blue,' ');
    draw_box(46,21,52,24,DOUBLE,DOUBLE,yellow,blue);
    prints(47,21, lwhite, blue, "7");
    prints(47,22, lwhite, blue, "PREV");
    prints(47,23, lwhite, blue, "FRAME");
}

void make_next_frame_key(void)
{
    clear_box(38,21,44,24,white,blue,' ');
    draw_box(38,21,44,24,DOUBLE,DOUBLE,yellow,blue);
    prints(39,21, lwhite, blue, "6");
    prints(39,22, lwhite, blue, "NEXT");
    prints(39,23, lwhite, blue, "FRAME");
}

void make_menus_key(void)
{
    clear_box(26,21,32,24,white,blue,' ');
    draw_box(26,21,32,24,DOUBLE,DOUBLE,yellow,blue);
    prints(27,21, lwhite, blue, "4");
    prints(27,22, lwhite, blue, "MAIN");
    prints(27,23, lwhite, blue, "MENU");
}

void make_zoom_in_key(void)
{
    clear_box(54,21,60,24,white,blue,' ');
[...]
#include
#define MAIN 1

COLORS pop_c = {
    BLUE,           /* foreground_color */
    CYAN,           /* background_color */
    BRIGHTWHITE,    /* highlight character color */
    CYAN,           /* menu bar foreground color */
    BLACK,          /* menu bar background color */
    YELLOW,         /* invalid_choice_foreground_color */
    LIGHTGRAY       /* invalid_choice_background_color */
};

BORDER pop_b = {
    YELLOW,         /* border foreground color */
    BLUE,           /* border background color */
    DOUBLE,         /* border horizontal character */
    DOUBLE          /* border vertical character */
};

int exits[] = {ESCAPE, '\0'};   /* keys that make menu disappear */
int exits_main[] = {'\0'};      /* keys that make menu disappear */

MENU_KEYS pop_mk = {
    HOME,           /* key that moves highlight to top */
    END,            /* key that moves highlight to bottom */
    UP_ARROW,       /* key that moves highlight up one item */
    DOWN_ARROW,     /* key that moves highlight down */
    ENTER,          /* key that selects the highlighted item */
    PAGE_UP,        /* key to page up */
    PAGE_DOWN,      /* key to page down */
    0,              /* user defined routine */
    0,              /* user defined routine */
    exits           /* key that makes menu disappear */
};

MENU_KEYS pop_mk_main = {
    HOME,           /* key that moves highlight to top */
    END,            /* key that moves highlight to bottom */
    UP_ARROW,       /* key that moves highlight up one item */
    DOWN_ARROW,     /* key that moves highlight down */
    ENTER,          /* key that selects the highlighted item */
    PAGE_UP,        /* key to page up */
    PAGE_DOWN,      /* key to page down */
    0,              /* user defined routine */
    0,              /* user defined routine */
    exits_main      /* key that makes menu disappear */
};

MENU_TEXT main_text[] = {" Filter Setup", " Capture Data",
                         " Examine Data", " Store/Restore Data",
                         " Network Statistics", "Quit", NULL};

MENU_TEXT filter_text[] = {" Station Address",
                           " Protocol", " Match Pattern ",
                           " No Filter", NULL};

MENU_TEXT address_text[] = {" From Station:",
                            " To Station : ",
                            " Both To & From ",
                            NULL};

MENU_TEXT display_text[] = {" Summary Screen", " Detail Screen",
                            " HEX/ASCII Screen", " Summary-Detail",
                            " Summary-HEX/ASCII",
                            " Detail-HEX/ASCII",
                            " Summary-Detail-HEX/ASCII",
                            NULL};

MENU_TEXT store_text[] = {" Load from File ",
                          " Store to File",
                          NULL};

/* There are plenty to place ... */
int hchars[] = {1,1,1,1,1,1,1,1,EMPTY};
int pro_hc[] = {2,2,2,2,2,2,2,2,EMPTY};

POPUP main_ps = {
    &pop_c,         /* colors */
    &pop_b,         /* border -- for no border make this NULL */
    NULL,           /* shadow -- for no shadow make this NULL */
    &pop_mk_main,   /* menu keys */
    /* TITLE FEATURES */
    BLUE,           /* title foreground color */
    CYAN,           /* title background color */
    2,              /* title column position on first line */
    " Main Menu ",  /* ptr to the title string */
    /* GENERAL FEATURES */
    BLANK,          /* background character */
    main_text,      /* pointer to the menu text */
    RUN_TIME,       /* # of maximum items (from 0) */
    RUN_TIME,       /* # of items displayed */
    hchars          /* ptr. to array of menu highlight #s */
};                  /* make this NULL for no highlight */

POPUP filter_ps = {
    &pop_c,         /* colors */
    &pop_b,         /* border -- for no border make this NULL */
    NULL,           /* shadow -- for no shadow make this NULL */
    &pop_mk,        /* menu keys */
    /* TITLE FEATURES */
    BLUE,           /* title foreground color */
    CYAN,           /* title background color */
    2,              /* title column position on first line */
    " Filter Menu ", /* ptr to the title string */
    /* GENERAL FEATURES */
    BLANK,          /* background character */
    filter_text,    /* pointer to the menu text */
    RUN_TIME,       /* # of maximum items (from 0) */
    RUN_TIME,       /* # of items displayed */
    hchars          /* ptr. to array of menu highlight #s */
};

POPUP address_ps = {
    &pop_c,         /* colors */
    &pop_b,         /* border -- for no border make this NULL */
    NULL,           /* shadow -- for no shadow make this NULL */
    &pop_mk,        /* menu keys */
    /* TITLE FEATURES */
    BLUE,           /* title foreground color */
    CYAN,           /* title background color */
    2,              /* title column position on first line */
    " Address ",    /* ptr to the title string */
    /* GENERAL FEATURES */
    BLANK,          /* background character */
    address_text,   /* pointer to the menu text */
    RUN_TIME,       /* # of maximum items (from 0) */
    RUN_TIME,       /* # of items displayed */
    hchars          /* ptr. to array of menu highlight #s */
};                  /* make this NULL for no highlight */

POPUP protocol_ps = {
    &pop_c,         /* colors */
    &pop_b,         /* border -- for no border make this NULL */
    NULL,           /* shadow -- for no shadow make this NULL */
    &pop_mk,        /* menu keys */
    /* TITLE FEATURES */
    BLUE,           /* title foreground color */
    CYAN,           /* title background color */
    2,              /* title column position on first line */
    " Protocol Type ", /* ptr to the title string */
    /* GENERAL FEATURES */
    BLANK,          /* background character */
    protocol_text,  /* pointer to the menu text */
    RUN_TIME,       /* # of maximum items (from 0) */
    RUN_TIME,       /* # of items displayed */
    pro_hc          /* ptr. to array of menu highlight #s */
};                  /* make this NULL for no highlight */

POPUP display_ps = {
    &pop_c,         /* colors */
    &pop_b,         /* border -- for no border make this NULL */
    NULL,           /* shadow -- for no shadow make this NULL */
    &pop_mk,        /* menu keys */
    /* TITLE FEATURES */
    BLUE,           /* title foreground color */
    CYAN,           /* title background color */
    4,              /* title column position on first line */
    " Display Options ", /* ptr to the title string */
    /* GENERAL FEATURES */
    BLANK,          /* background character */
    display_text,   /* pointer to the menu text */
    RUN_TIME,       /* # of maximum items (from 0) */
    RUN_TIME,       /* # of items displayed */
    hchars          /* ptr. to array of menu highlight #s */
};                  /* make this NULL for no highlight */

POPUP store_ps = {
    &pop_c,         /* colors */
    &pop_b,         /* border -- for no border make this NULL */
    NULL,           /* shadow -- for no shadow make this NULL */
    &pop_mk,        /* menu keys */
    /* TITLE FEATURES */
    BLUE,           /* title foreground color */
    CYAN,           /* title background color */
    2,              /* title column position on first line */
    " Store Menu ", /* ptr to the title string */
    /* GENERAL FEATURES */
    BLANK,          /* background character */
    store_text,     /* pointer to the menu text */
    RUN_TIME,       /* # of maximum items (from 0) */
    RUN_TIME,       /* # of items displayed */
    hchars          /* ptr. to array of menu highlight #s */
};

#include