8 Network tools

8.1 Finding the IP address

In Section 7.5, we discussed how a device gets an IP address. But how do we know what it is? This is a common problem when working with TCP/IP based devices. Normally, you know which TCP port you want to address, but what is the IP address?

A very common strategy is to give up on finding the IP address, and instead simply set it to its default. Many devices have a reset button of some kind, and a label specifying the default IP address and mask. The default is typically a static address like, for example, 192.168.1.1 with mask 255.255.255.0. In other words, an address in a private range in a /24 network. After resetting to this default, you configure an Ethernet port on your PC to, for example, 192.168.1.2 and the same mask. Now you connect the PC directly to the device, and you should be in business. Then you typically set the device to the preferred IP address and mask, or maybe to DHCP. When this is done, you must remember to set your PC back to whatever it was before, maybe DHCP.

A second strategy is brute force, using an IP scanner. This is a good strategy if you are on a small network like, for example, a home office, and you believe the device to be already inside the subnet of this network. An advantage here is that you do not need to change the settings on your PC back and forth.

Figure 8.1 shows the popular “Angry IP Scanner” in action.

Figure 8.1: Angry IP scanner for Windows.

Figure 8.2 shows the result of a similar action, this time using a small app called “Network Analyzer Pro” on an iPhone. The explanation for the small icons is found in Table 8.1.

Figure 8.2: iPhone net analyzer.

Table 8.1: Network Analyzer Pro icons.

Icon   Meaning
G      Gateway
S      Scanning device (the iPhone itself)
P      Pingable
U      UPnP/DLNA services available
6      IPv6 availability

If this is all performed on a small home network, a third alternative could be to look at the wireless SOHO router. This typically has a table showing the devices on the network. If the device in question is connected to the network, you can find it here.

The fourth alternative is bringing out Wireshark. You connect the device to your PC, fire up Wireshark, and then power up the device. Often, it will start to chat a little, and if the IP address is static, it is easy to see what it is in Wireshark.

If the address is not static, it will be looking for a DHCP server, as we saw in Section 7.6, and we need to supply this. If we connect the device to our company network or home-office network, we are back to the previous choices (IP scanner or table in SOHO router). An alternative is to set up our own PC as a DHCP server. On Linux, this is generally a question of setting a checkmark in the package manager or similar, but on Windows you need to find something you can trust. A German developer, Uwe Ruttkamp, has made a nice DHCP implementation for Windows that can be found at “dhcpserver.de.” It comes with an easy-to-use setup wizard and is absolutely free to use.

Don’t forget to turn off your private DHCP server before connecting to a company network. The IT guys are not too happy about “alternative” DHCP servers.

8.2 The switch as a tool

8.2.1 Mirroring

If you are working with networks, you are used to switches. A switch is a nice plug’n play device allowing you to expand the number of devices you can connect. However, it is also a good tool. Wireshark is great, but it runs on your PC, and what if you want to measure between two embedded devices that both are too small to run Wireshark?

This is where we bring out the managed switch (or sometimes better, a tap; see Section 8.3). A managed switch can be bought for less than $200. Managed switches typically have the ability to select a “mirror port.” This means that you can ask the switch to output on this port any data going in and/or out of one or several other ports. So if, for example, your two devices are connected to ports 1 and 2, you can set up the switch to mirror one of these to port 3, which is where you connect the PC. A similar setup is seen in Figure 8.3, where port 1, Tx and Rx, as well as port 4, Tx only, are mirrored to port 8.

In a normal star configuration with, for example, 1 Gbps connections, it is possible to have 1 Gbps in both directions at the same time, which means that the mirror port would need to output 2 Gbps—not possible. Typically, this is not a real problem, as most transmissions tend to have the most traffic in one direction, but it is something we must be aware of. If Wireshark reports lost frames, this could be the reason.

A switch can be used in any network “as is,” but when you want to manage it, this is typically via the built-in web server. In order to be able to use this, the switch must be addressable in your subnet. This means that you need to set the IP address of the switch, and typically to set it, you need to know the current IP address—a classic “Catch 22.” See Section 8.1 on how to solve this problem.

Most switches have an RS-232 or, more commonly, a USB connection with a command-line interface that can be used directly, without knowing the switch IP address. However, these interfaces can be cumbersome to use and very vendor specific.

Figure 8.3: Mirror setup on port 8 in switch.

8.2.2 Statistics

Managed switches have a statistics page. If an embedded system is suspected of having problems on the physical layer, this statistics page is a good place to start, especially the “Receive Error Counters” that Figure 8.4 has zoomed in on.

Figure 8.4: Receive error counters from statistics page in switch.

Naturally, this only tells us about the quality of the output frames from the embedded system, although many TCP retransmissions will also occur if there are problems with the input. To see information about the input or to dig deeper, SNMP may be used as described in Section 8.4.

8.2.3 Simulating lost frames

Sometimes it is tempting to test retransmissions and general robustness by simply pulling out the Ethernet cable from the embedded device and plugging it in after a few seconds. Unfortunately, in this scenario, this typically causes a “link down” event on the device as well as the client PC, and you get to test something completely different. If, however, two switches are inserted between the device and the client PC, and the cable between the switches is unplugged, there are no “link down” events, and the cable can be swiftly inserted again.

8.2.4 Pause frames

Ethernet has a concept called pause frames—or rather 802.3x flow control. This has its pros and cons. Unmanaged switches typically use pause frames if the other side of the connection does, but managed switches can be configured to turn this feature on or off. See Figure 8.5.

Figure 8.5: Port setup with flow control.

Here, flow control is configured on all ports on the switch. Only port 8 is connected and it has negotiated with its peer to use flow control in both directions. Note that this particular switch also allows us to set the max frame size. This can be used to provoke and test the so-called IPv4 fragmentation; see Section 7.14.

The ability to toggle flow control on and off can help investigate the pros and cons in a given system. The really nice thing is that sometimes the statistics include the number of pause frames sent. This can be seen in Figure 8.6.

Figure 8.6: Detailed port statistics in switch.

The arguments against pause frames are two-fold:

Typically a connection is using TCP, which has its own flow control, and the two types of flow control may work against each other. The counter argument is that TCP’s flow control is end-to-end and somewhat slow to react, whereas the Ethernet flow control is on both sides of a link and thus can assure against the packet loss that otherwise happens when a switch has full buffers and receives a frame.

If “fast” gigabit devices and “slow” 10 Mbps devices are connected to the same switch, the slow device may cause back-pressure through the switch, stopping all other traffic through the switch for long intervals. This is a good argument for not using flow control in such a mixed environment.

Figure 8.7 is a Wireshark capture where frame 1 ends the previous pause, while frame 2 starts a new one.

Figure 8.7: Ethernet pause frames.

The quanta parameter is multiplied by the transmission time of 512 bits. It is a timeout, and comes into play if the pause is not ended by a pause frame with 0 as argument (as in frame 1) before this time has passed. The MAC source is always the transmitting port, while the destination can be the MAC address at the other end—or the special PAUSE pattern seen in the Wireshark capture—01:80:c2:00:00:01. The Wireshark info field can be a little confusing by relating this to spanning trees.
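To make the frame layout and the quanta timeout concrete, here is a small decoder written as an added example for this section (it is not code from the book or from Wireshark). The sample frames are constructed in the script, the source MAC is made up, and the 60-byte minimum length is assumed to exclude the FCS.

```python
import struct

# 802.3x PAUSE frame layout discussed above (MAC Control frame, EtherType 0x8808):
#   dst MAC (6) | src MAC (6) | EtherType (2) | opcode 0x0001 (2) | pause quanta (2) | zero padding to 60 bytes
PAUSE_MULTICAST = "01:80:c2:00:00:01"
ETHERTYPE_MAC_CONTROL = 0x8808
OPCODE_PAUSE = 0x0001
BIT_TIMES_PER_QUANTUM = 512

def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def parse_pause_frame(frame: bytes) -> dict:
    """Decode a captured Ethernet frame as a PAUSE frame; raise ValueError if it is not one."""
    if len(frame) < 18:
        raise ValueError("frame too short for a MAC Control frame")
    dst, src, ethertype, opcode, quanta = struct.unpack("!6s6sHHH", frame[:18])
    if ethertype != ETHERTYPE_MAC_CONTROL:
        raise ValueError(f"not a MAC Control frame (EtherType 0x{ethertype:04x})")
    if opcode != OPCODE_PAUSE:
        raise ValueError(f"unsupported MAC Control opcode 0x{opcode:04x}")
    return {
        "src": mac_str(src),                       # always the transmitting port
        "dst": mac_str(dst),                       # peer MAC or the reserved PAUSE multicast
        "to_pause_multicast": mac_str(dst) == PAUSE_MULTICAST,
        "quanta": quanta,
        "ends_pause": quanta == 0,                 # quanta 0 = resume now, as frame 1 in Figure 8.7
    }

def pause_timeout_us(quanta: int, link_mbps: int) -> float:
    """Timeout before the peer resumes by itself: quanta * 512 bit times at the port's bit rate."""
    return quanta * BIT_TIMES_PER_QUANTUM / link_mbps   # bits / (Mbit/s) = microseconds

def constructed_frames() -> list:
    """Constructed sample frames (not captured data): a pause-end and a maximum-length pause."""
    dst = bytes.fromhex("0180c2000001")
    src = bytes.fromhex("0a1b2c3d4e5f")           # made-up source MAC
    frames = []
    for quanta in (0, 0xFFFF):
        body = struct.pack("!6s6sHHH", dst, src, ETHERTYPE_MAC_CONTROL, OPCODE_PAUSE, quanta)
        frames.append(body.ljust(60, b"\x00"))     # pad to the 60-byte minimum (FCS not included)
    return frames

if __name__ == "__main__":
    for f in constructed_frames():
        info = parse_pause_frame(f)
        print(info, f"timeout at 1 Gbps: {pause_timeout_us(info['quanta'], 1000):.2f} us")
```

At 1 Gbps the maximum quanta value of 0xFFFF gives a timeout of about 33.6 ms; at 100 Mbps the same frame pauses the link ten times longer, which is the back-pressure effect discussed below.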

8.3 Tap

A tap is a device inserted between two network devices, with an Ethernet connector for each, and a third connector for a PC. See Figure 8.8.

Figure 8.8: Tap device.

Taps come in different speeds, typically 100 Mbps or 1 Gbps per port. The third connector is typically a USB connector, with a driver for PCs so that Wireshark works via this. If it is USB3—and if this is supported by your PC—it will be capable of handling the full 1+1 Gbps of traffic.

Some of these taps even have built-in high-precision time stamping that Wireshark understands. Thus it is a more professional and easy-to-plug-in tool than the managed switch in the previous section, but on the other hand something that you need to buy in good time before you need it. A switch is readily available in most labs.

8.4 SNMP

An SNMP (simple network management protocol) server is implemented in many network devices such as switches and routers, but also in general embedded operating systems. The network device implements a MIB (management information base). This is an object model, as described in Section 4.5.

The server collects a huge amount of useful information that can be retrieved with the help of an SNMP client. Figure 8.9 is a selected part of a screenshot from such a program from iReasoning (not free, but with a trial period of one month). It is possible to define a group of devices and thus pinpoint the weakest point in a network.

The figure is cut out of a bigger screenshot in order to be readable. The following is a description of the full screen, not shown here. At the very top left is the IP address of the network device—in this case an embedded device running Windows CE. Just below the IP address is the MIB in tree form. At the top right is the actual command sent—here, “Get Subtree.” This is very practical and is the one used to generate the right side containing the actual current data from the MIB. The lower left window has static help information on the selected line.

The part of the screen actually seen in the figure is thus a small part of the MIB, selected in the tree (outside the picture). Clearly, there is a lot of information to comprehend, but with almost no work invested, it may very well be worth a try. As usual, it is a good idea to have a working device to compare to when looking for the needle in the haystack.

Figure 8.9: SNMP client with lots of data from Windows CE.

8.5 Wireshark

Wireshark is used extensively in the network chapters in this book, and is the most important tool when it comes to networks. It is not always easy to use, and a given capture can look very different from one day to another if your preferences have somehow changed. Here are some simple guidelines:

In the bottom right corner, there is an innocent looking little field called “Profile.” Open the dialog and click the link showing where the profiles are saved on your PC. Now create backups.

It is normally important to show the “info” and coloring according to the highest level protocol; see “View”—“Coloring Rules.”

In “Preferences”—“Protocols” you should select IPv4 and then uncheck “Validate the IPv4 checksum.” Do the same with TCP. Since checksum validation is normally offloaded to your network interface card and happens after Wireshark has seen the data, you will get false checksum errors unless these boxes are unchecked.
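The following added example (not code from the book or from Wireshark) shows what is behind those false errors: it computes the IPv4 header checksum and classifies a header as valid, still-zero because the NIC has not filled it in yet, or genuinely corrupt. The three headers are constructed in the script; the addresses and lengths in them are made up.

```python
import struct

def ipv4_header_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's complement of the one's-complement sum of the
    16-bit words, with the checksum field itself counted as zero."""
    hdr = bytearray(header)
    hdr[10:12] = b"\x00\x00"
    if len(hdr) % 2:
        hdr.append(0)
    total = sum(struct.unpack(f"!{len(hdr) // 2}H", bytes(hdr)))
    while total >> 16:                      # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def stored_checksum(header: bytes) -> int:
    return struct.unpack("!H", header[10:12])[0]

def classify_ipv4_header(header: bytes) -> str:
    """'valid', 'offloaded' (field still zero; the NIC fills it in after the capture point)
    or 'corrupt'. A zero field cannot be told apart from a genuinely bad zero checksum,
    which is why Wireshark has to be told to skip validation rather than guess."""
    if stored_checksum(header) == ipv4_header_checksum(header):
        return "valid"
    if stored_checksum(header) == 0:
        return "offloaded"
    return "corrupt"

# Constructed samples (not captured data): 20-byte IPv4/UDP header 192.168.0.1 -> 192.168.0.199.
WIRE_HEADER = bytes.fromhex("45000073000040004011b861c0a80001c0a800c7")   # as seen on the wire
OFFLOAD_HEADER = WIRE_HEADER[:10] + b"\x00\x00" + WIRE_HEADER[12:]          # as Wireshark sees it on the sender
CORRUPT_HEADER = WIRE_HEADER[:8] + b"\x3f" + WIRE_HEADER[9:]                # TTL changed, old checksum kept

if __name__ == "__main__":
    for name, h in (("wire", WIRE_HEADER), ("offload", OFFLOAD_HEADER), ("corrupt", CORRUPT_HEADER)):
        print(f"{name:8s} stored=0x{stored_checksum(h):04x} "
              f"computed=0x{ipv4_header_checksum(h):04x} -> {classify_ipv4_header(h)}")
```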

In the main menu item “Analyze,” there is an “Expert Info” item. This is a good place to start after a capture.

In the main menu item “Statistics,” there is a “TCP Stream Graphs” item, under which there are some very valuable submenus that will help you get an overview of your TCP communication. Remember first to select a packet from the relevant flow, preferably in the relevant direction.

In the middle view where a selected packet is dissected, you can select many of the header fields, and with a right-click select to “Apply as Column” or “Apply as Filter.” This hidden gem is invaluable.

In the top view, where we have an overview, you can, for example, select an HTTP packet, right-click it, and in the context menu select “Follow TCP stream.” This gives you a filter on the stream but also a nice window with the full request and response in clear text.

If there is much traffic, it is a good idea to disable screen updates in order not to lose frames in the capture.

When analyzing traffic flow, the actual payload is often irrelevant. You can ask Wireshark to only save, for example, the first 60 bytes of each frame. This will give the PC better performance.

8.6 Network commands

Table 8.2 is a list of the most general and usable network commands. You can go very far with this list.

Table 8.2: Network commands (Linux-specific name in parentheses).

Command        Usage
arp            Show or edit the ARP table (known IP addresses and their MAC addresses).
               “-a” shows all
               “-s” can be used to add entries manually
ipconfig       Show current netcard configurations.
(ifconfig)     “/all” gives more info
               “/renew” causes a DHCP update
netstat        Show current TCP/UDP connections, their state and attached processes.
               “-a” shows all, including listeners
               “-b” shows the executable (warning: slow!)
               “-n” uses numbers instead of names for ports
               “-o” shows process IDs
nslookup       DNS lookup. Shows the correspondence between IP addresses, names, etc.
ping           Simplest way to see if there is a “hole through” to a remote host.
route          Show or edit the route table (routes to networks and hosts).
               “PRINT” shows the table
               “ADD” allows adding routes
ssh            The modern “secure shell” replacement for telnet.
telnet         Client shell that redirects your keyboard commands to a remote device and shows its output.
               Can be used with nondefault port numbers to do manual HTTP etc.
               “set localecho” is useful when simulating, for example, HTTP
tracert        Trace the route to a given host.
(traceroute)   New packets are sent with increasing hop count, which is decremented at each router as usual.
               When it reaches 0, a timing message is sent back home.

8.7 Further reading

dhcpserver.de
A free DHCP server for Windows

angryip.org
An IP scanner for Windows, Mac and Linux

ireasoning.com
Home of an SNMP browser (as well as an SNMP agent builder)

Rich Seifert and Jim Edwards: The All-New Switch Book
This is a fantastic brick of a book. If you read this, you will know all about switches, and then some. This book stays in the bottom two layers of the internet stack, which works very well.

Wireshark.org
The home of Wireshark.

telerik.com
Home of Fiddler. This is an analyzer for http only.
