Archive for November 2014
Wireshark tid-bit: Packets larger than the MTU size.. why, how?
Every so often, while doing packet analysis, I would come across systems that appeared to be sending packets larger than the Ethernet MTU of the segment. Or so I thought; eventually I figured out why I was seeing packets with such a large frame size, and that they were not going onto the wire in that form.
The answer was large segment offload (LSO, also called large send offload or, for TCP, TCP segmentation offload/TSO): when this feature is enabled, the host TCP/IP stack hands the NIC a single segment far larger than the MTU, and it is the responsibility of the NIC hardware to chop that data into MTU-sized frames so that what is transmitted conforms to the MTU of the media/network segment.
Now that we know why these large packets exist, the next part of the question is how we are seeing them in Wireshark. Wireshark relies on WinPcap or libpcap depending on your platform, and both capture packets inside the kernel, above the NIC driver, before the data is handed to the NIC and transmitted on the actual network.
The above image is from Winpcap.org and shows the kernel-level NPF driver sitting just above the NIC driver, which explains how Wireshark is able to see the large segments: it captures them before they reach the NIC driver and get segmented by the LSO-capable hardware. The practical consequence is that a capture taken on the sending host does not show what was actually on the wire. To see the real frames, capture from a SPAN/mirror port or a tap on a separate machine, or disable the offload on the capturing host (on Linux, ethtool -K eth0 tso off gso off). Checksum offload produces a related artifact for the same reason: Wireshark reports bad TCP checksums on outgoing packets because the NIC has not filled them in yet at the point of capture.
Winpcap.org – Winpcap Internals
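As an added example (not code from the original post or from the WinPcap project), the following Python script builds a small pcap file in memory, then walks the records and flags every frame whose Ethernet payload is larger than the MTU, which is exactly the kind of frame LSO would have segmented below the capture point. The pcap record layout follows the classic libpcap format; the sample frames, MAC addresses, VLAN ID and the 1500-byte MTU are assumed values constructed for the demonstration.

```python
import struct

ETH_HDR_LEN = 14          # dst MAC + src MAC + EtherType
VLAN_TAG_LEN = 4          # extra header bytes when an 802.1Q tag is present
DEFAULT_MTU = 1500        # assumed Ethernet MTU of the segment

PCAP_MAGIC_LE = 0xA1B2C3D4
PCAP_MAGIC_BE = 0xD4C3B2A1
LINKTYPE_ETHERNET = 1


def make_frame(payload_len: int, vlan: bool = False) -> bytes:
    """Constructed Ethernet frame: made-up MACs, EtherType IPv4, zero-filled payload."""
    dst = bytes.fromhex("001122334455")
    src = bytes.fromhex("66778899aabb")
    tag = b"\x81\x00\x00\x64" if vlan else b""   # 802.1Q TPID + VLAN 100 (assumed)
    return dst + src + tag + b"\x08\x00" + bytes(payload_len)


def build_pcap(frames) -> bytes:
    """Serialize frames into a little-endian libpcap file (Ethernet link type)."""
    # magic, major, minor, thiszone, sigfigs, snaplen, linktype
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 262144, LINKTYPE_ETHERNET))
    for i, frame in enumerate(frames):
        # ts_sec, ts_usec, incl_len (bytes captured), orig_len (bytes on the wire)
        out += struct.pack("<IIII", 1415000000 + i, 0, len(frame), len(frame))
        out += frame
    return bytes(out)


def iter_frames(data: bytes):
    """Yield (incl_len, orig_len, frame_bytes) for each record in a classic pcap blob."""
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == PCAP_MAGIC_BE:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    (linktype,) = struct.unpack_from(endian + "I", data, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled")
    off = 24
    while off + 16 <= len(data):
        _ts_sec, _ts_usec, incl_len, orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield incl_len, orig_len, data[off:off + incl_len]
        off += incl_len


def find_oversized(data: bytes, mtu: int = DEFAULT_MTU):
    """Return (frame_no, frame_len, payload_len) for frames whose payload exceeds the MTU."""
    hits = []
    for frame_no, (incl_len, orig_len, frame) in enumerate(iter_frames(data), start=1):
        hdr = ETH_HDR_LEN + (VLAN_TAG_LEN if frame[12:14] == b"\x81\x00" else 0)
        payload_len = orig_len - hdr          # orig_len, so snaplen truncation cannot hide it
        if payload_len > mtu:
            hits.append((frame_no, orig_len, payload_len))
    return hits


# Constructed sample: a full-size frame, an LSO-style 4380-byte segment (3 x 1460 bytes of TCP payload
# plus headers), a VLAN-tagged full-size frame, and a small frame.
SAMPLE_PCAP = build_pcap([
    make_frame(1500),
    make_frame(4380),
    make_frame(1500, vlan=True),
    make_frame(64),
])

if __name__ == "__main__":
    for frame_no, frame_len, payload_len in find_oversized(SAMPLE_PCAP):
        print(f"frame {frame_no}: {frame_len} bytes, {payload_len}-byte payload exceeds the MTU")
    # Against a real file: find_oversized(open("capture.pcap", "rb").read())
```

If the capture came from the sending host, every hit is most likely an offload artifact rather than a frame that went onto the wire; if the same check fires on a capture taken from a tap or SPAN port, you are looking at genuinely oversized frames (for example a jumbo-frame MTU mismatch) and should treat it as a real problem.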
But I’ve got an ‘Excellent Signal’!!?
Every so often I find myself troubleshooting some type of wireless-related issue, and wireless issues vary from
- Slow performance
- Clients can’t connect
- Poor voice performance
- Or even random disconnects, the list is endless.
However, one of the most common things I hear during the troubleshooting process is, without a doubt, something along the lines of:
“But it says I have an excellent signal with five bars!”
And... my favorite question in response to that statement is:
“What is your data rate?” (usually with this same expression)
Signal strength is only one piece of the puzzle when determining whether a client actually has a good-quality connection. The signal strength indicator itself can be misleading: just because a client is registering "5 bars" with a good RSSI and SNR does not mean the AP on the other end of the connection is seeing a similar RSSI and SNR from that WLAN client. Do I hear a transmit power mismatch, or a highly reflective RF environment?
Nowadays WLAN clients come in all shapes and sizes (phones, tablets, wireless scanners, VoIP handsets); long gone are the days when wireless was just for laptops. With this wide array of hardware you can guarantee each device has a wireless transmitter with different specifications, and while it is impossible to account for every WLAN client, the client audience should be considered when designing a WLAN or deploying APs.
Consider an access point transmitting at its maximum power rating: you can guarantee the wireless phone or VoIP handset is not transmitting at that same power level. The link is asymmetric. It is like two people trying to communicate across a football field when only one of them has a megaphone: the person without the megaphone will probably need to repeat himself a few times before the other person understands him (think of that as data retries).
One of the better ways to judge a wireless connection is to check the data rate, and in particular to review the data rate statistics. Many WLAN client utilities have this functionality, telling us what percentage of the data was transmitted/received at each data rate. Shifting between data rates is normal in a WLAN, but seeing 90% of the data at the 1, 2 or 5.5 Mbps rates is simply poor performance, no matter how many bars the client shows.
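As an added example, not from the original post or from any vendor's client utility, this Python snippet takes per-frame (data rate, bytes) samples of the kind a client utility or a monitor-mode capture with radiotap headers would give you, and reports the share of bytes at the 1/2/5.5 Mbps rates the post singles out. It also estimates the share of airtime those frames consume, which is the cost the bars never show. The two sample clients are constructed, the legacy rate set and the 50% threshold are assumptions, and the airtime estimate ignores preambles, ACKs, contention and retries, so it understates the real cost of low rates.

```python
from collections import defaultdict

# Rates the post singles out as a sign of trouble (Mbps). Assumed set; add 11.0 to
# treat every 802.11b rate as legacy.
LOW_RATES_MBPS = {1.0, 2.0, 5.5}


def _shares(samples, weight):
    """Fraction of the total weight attributable to each rate; weight(rate, bytes) -> float."""
    by_rate = defaultdict(float)
    for rate, nbytes in samples:
        by_rate[rate] += weight(rate, nbytes)
    total = sum(by_rate.values())
    return {rate: v / total for rate, v in by_rate.items()} if total else {}


def _by_bytes(rate, nbytes):
    return float(nbytes)


def _by_airtime(rate, nbytes):
    # Microseconds on air at this rate for the payload alone (no preamble, ACK or retries).
    return nbytes * 8.0 / rate


def rate_distribution(samples):
    """{rate_mbps: % of bytes} as a client utility would typically report it."""
    return {r: round(100 * s, 1) for r, s in sorted(_shares(samples, _by_bytes).items())}


def airtime_distribution(samples):
    """{rate_mbps: % of approximate airtime}; low rates dominate here far sooner than by bytes."""
    return {r: round(100 * s, 1) for r, s in sorted(_shares(samples, _by_airtime).items())}


def legacy_share(samples, low_rates=LOW_RATES_MBPS):
    """Percentage of bytes moved at the legacy rates."""
    return round(100 * sum(s for r, s in _shares(samples, _by_bytes).items() if r in low_rates), 1)


def legacy_airtime_share(samples, low_rates=LOW_RATES_MBPS):
    """Percentage of approximate airtime consumed by frames at the legacy rates."""
    return round(100 * sum(s for r, s in _shares(samples, _by_airtime).items() if r in low_rates), 1)


def assess(samples, byte_threshold=50.0):
    """Verdict in the spirit of the post: mostly legacy-rate traffic is a poor link regardless of bars."""
    share = legacy_share(samples)
    if share >= byte_threshold:
        return f"poor: {share}% of bytes at {sorted(LOW_RATES_MBPS)} Mbps"
    return f"ok: {share}% of bytes at legacy rates, but {legacy_airtime_share(samples)}% of airtime"


# Constructed samples: (rate_mbps, bytes) per frame. Both clients would show "5 bars".
FIVE_BARS_BAD = [(1.0, 6000), (2.0, 2000), (5.5, 1000), (54.0, 1000)]
FIVE_BARS_GOOD = [(54.0, 7000), (48.0, 2000), (5.5, 1000)]

if __name__ == "__main__":
    for name, client in (("bad", FIVE_BARS_BAD), ("good", FIVE_BARS_GOOD)):
        print(name, rate_distribution(client), airtime_distribution(client))
        print(name, assess(client))
```

The byte-weighted view is what most utilities show and is the number the post is asking for. The airtime view is the one worth adding: in the "good" sample only 10% of the bytes travel at 5.5 Mbps, yet those frames occupy roughly half the channel time, which is why a handful of low-rate clients can drag down every other client on the same AP.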
A while back I posted about Understanding a wireless connection, and I wanted to dive a bit deeper and expand on the concept (albeit years later, but hey, better late than never, right?).
End-Of-Sale date announced for various Cisco IPS’s
Since Cisco started announcing the Sourcefire FirePower (hardware and software) modules earlier this year I have been wondering what would happen to their existing IPS line. It looks like the End-of-Sale announcement was recently made, with an EoS date in April of next year.
The EoX announcement affects both the IPS modules and the IPS 4xxx sensor platforms. IOS IPS will remain available, but I do wonder for how long.
This will be an interesting shift for those of us who have used the original Cisco IPS software for a long time. As we know, there is more to this than just buying a module or an IPS appliance: we will also need a central management server to quickly and easily manage these devices. Monitoring signature updates and keeping signatures in sync company-wide can be a massive problem if you don't have it under your thumb. So far I have not seen any support for Sourcefire added to Cisco Security Manager, so FireSIGHT will be the way to go.
I wonder if anything will happen to the CX Modules, since they ran their own Next-Generation IPS Signature set. Time will tell I suppose.