
MANAGING TCP/IP NETWORKS
Managing TCP/IP Networks: Techniques, Tools and
Security Considerations. Gilbert Held
Copyright © 2000 John Wiley & Sons Ltd
Print ISBN 0-471-80003-1 Online ISBN 0-470-84156-7
MANAGING TCP/IP NETWORKS:
TECHNIQUES, TOOLS, AND
SECURITY CONSIDERATIONS
Gilbert Held
4 Degree Consulting
Macon, Georgia, USA
JOHN WILEY & SONS, LTD
Chichester · New York · Weinheim · Brisbane · Singapore · Toronto
Copyright © 2000 by John Wiley & Sons Ltd
Baffins Lane, Chichester,
West Sussex, PO19 1UD, England
National 01243 779777


International (+44) 1234 779777
e-mail (for orders and customer service enquiries):
Visit our Home Page on or
All Rights Reserved. No part of this publication may be reproduced, stored in a retrieval system, or
transmitted, in any form or by any means, electronic, mechanical, photocopying, recording, scanning
or otherwise, except under the terms of the Copyright Designs and Patents Act 1988 or under the terms
of a licence issued by the Copyright Licensing Agency, 90 Tottenham Court Road, London, UK W1P
9HE, UK, without the permission in writing of the Publisher, with the exception of any material
supplied specifically for the purpose of being entered and executed on a computer system, for exclusive
use by the purchaser of the publication.
Neither the authors nor John Wiley & Sons Ltd accept any responsibility or liability for loss or damage
occasioned to any person or property through using the material, instructions, methods or ideas
contained herein, or acting or refraining from acting as a result of such use. The authors and Publisher
expressly disclaim all implied warranties, including merchantability or fitness for any particular
purpose. There will be no duty on the authors or Publisher to correct any errors or defects in the
software.
Designations used by companies to distinguish their products are often claimed as trademarks. In all
instances where John Wiley & Sons is aware of a claim, the product names appear in initial capital or
capital letters. Readers, however, should contact the appropriate companies for more complete
information regarding trademarks and registration.
Other Wiley Editorial Offices
John Wiley & Sons, Inc., 605 Third Avenue,
New York, NY 10158-0012, USA
WILEY-VCH Verlag GmbH
Pappelallee 3, D-69469 Weinheim, Germany
Jacaranda Wiley Ltd, 33 Park Road, Milton,
Queensland 4064, Australia
John Wiley & Sons (Asia) Pte Ltd, 2 Clementi Loop #02-01,
Jin Xing Distripark, Singapore 129809
John Wiley & Sons (Canada) Ltd, 22 Worcester Road

Rexdale, Ontario, M9W 1L1, Canada
Library of Congress cataloging-in-Publication Data
Held, Gilbert, 1943-
Managing TCP/IP networks: techniques, tools and security
considerations/Gilbert Held.
p. cm.
ISBN 0-471-80003-1 (alk. paper)
1. TCP/IP (Computer network protocol) 2. Computer networks – Management. I. Title.
TK5105.585.H447 2000 99-44748
004.6'2 – dc21 CIP
British Library Cataloguing in Publication Data
A catalogue record for this book is available from the British Library
ISBN 0 471 80003 1
Typeset in 10/12pt Bookman-Light by Dobbie Typesetting Limited
Printed and bound in Great Britain by Bookcraft (Bath) Ltd
This book is printed on acid-free paper responsibly manufactured from sustainable forestry, in which
at least two trees are planted for each one used for paper production.
CONTENTS
Preface xv
Acknowledgments xvii
1 Introduction 1
1.1 Rationale for network management 1
1.1.1 Cost of service interruptions 2
1.1.2 Size and complexity of networks 2
1.1.3 Performance monitoring 2
1.1.4 Coping with equipment sophistication 3
1.2 The network management process 3
1.2.1 The OSI framework for network management 4
Configuration/change management 4
Fault/problem management 5
Performance/growth management 6
Security/access management 7
Accounting/cost management 7
1.2.2 Other network management functions 8
Asset management 8
Planning/support management 9
1.3 Tools and systems 9
1.3.1 Monitoring tools 10
1.3.2 Diagnostic tools 10
1.3.3 Computer-based management systems 10
1.4 Book preview 11
1.4.1 The TCP/IP protocol suite 11
1.4.2 The Internet Protocol 12
1.4.3 The transport protocols 12
1.4.4 DNS operations 12
1.4.5 Layer 2 management 12
1.4.6 Layer 3 and layer 4 management 13
1.4.7 SNMP and RMON 13
1.4.8 Management by utility program 13
1.4.9 Security management 13
2 The TCP/IP Protocol Suite 15

2.1 Evolution 15
2.2 Governing bodies 16
2.2.1 The IAB 16
2.2.2 The IANA 16
2.2.3 The IETF 17
2.2.4 RFCs 17
2.3 The ISO Reference Model 18
2.3.1 Layers of the OSI Reference Model 19
Layer 1: The physical layer 19
Layer 2: The data link layer 19
Layer 3: The network layer 20
Layer 4: The transport layer 20
Layer 5: The session layer 21
Layer 6: The presentation layer 21
Layer 7: The application layer 21
2.3.2 Data flow 22
2.3.3 Layer subdivision 22
Addressing 22
Universally vs. locally administered addresses 24
2.4 The TCP/IP protocol suite 24
2.4.1 Comparison with the ISO Reference Model 25
The network layer 25
ICMP 26
The transport layer 26
TCP 26
UDP 26
Port numbers 26
2.4.2 Application data delivery 27
3 The Internet Protocol 29
3.1 The IPv4 header 29
3.1.1 Vers field 30
3.1.2 Hlen and Total Length fields 30
3.1.3 Type of Service field 30
3.1.4 Identification field 31
3.1.5 Flags field 32
3.1.6 Fragment Offset field 32
3.1.7 Time-to-Live field 33
3.1.8 Protocol field 33
3.1.9 Checksum field 33
3.1.10 Source and Destination Address fields 33
3.1.11 Options and Padding fields 36
3.2 IP addressing 36
3.2.1 Overview 37
3.2.2 IPv4 38
The basic addressing scheme 39
Address classes 40
Address formats 40
Address composition and notation 41
Special IP addresses 42
Class A 42
Class B 43
Class C 43
Class D 44
Class E 44
Reserved addresses 45
Subnetting and the subnet mask 46
Host addresses on subnets 48
The subnet mask 49

Configuration examples 50
Classless networking 52
3.3 The IPv6 header 53
3.3.1 Ver field 55
3.3.2 Priority field 56
3.3.3 Flow Label field 57
3.3.4 Payload Length field 57
3.3.5 Next Header field 57
3.3.6 Hop Limit field 57
3.3.7 Source and Destination Address fields 58
3.3.8 Address types 58
3.3.9 Address notation 58
3.3.10 Address allocation 59
Provider-Based Unicast addresses 60
Multicast address 61
3.3.11 Transporting IPv4 addresses 61
3.4 ICMP and ARP 62
3.4.1 ICMP 62
ICMPv4 62
Type field 62
Code field 63
ICMPv6 64
Type field 64
Code field 64
3.4.2 ARP 64
Need for address resolution 67
Operation 67
Hardware Type field 68
Protocol Type field 68
Hardware Length field 68
Protocol Length field 68
Operation field 69
Sender Hardware Address field 69
Sender IP Address field 69
Target Hardware Address field 70
Target IP Address field 70
ARP notes 70
4 The Transport Layer 73
4.1 TCP 73
4.1.1 The TCP header 74
Source and Destination Port fields 74
Port numbers 75
Well-known ports 75
Registered port numbers 76
Dynamic port numbers 76
Sequence Number field 76
Acknowledgment Number field 78
Hlen field 78
Reserved field 78
Code Bit fields 78
URG bit 79
ACK bit 79
PSH bit 79
RST bit 79
SYN bit 79
FIN bit 79
Window field 79
Checksum field 80
Urgent Pointer field 80
Options field 80
Padding field 81
4.1.2 Operation 81
Connection types 82
The three-way handshake 82
Segment size support 83
The Window field and flow control 84
Timers 85
Delayed ACK 85
FIN-WAIT-2 timer 85
Persist 86
Keep Alive 86
Slow start and congestion avoidance 86
4.2 UDP 87
4.2.1 The UDP header 87
Source and Destination Port fields 88
Length field 88
Checksum field 88
4.2.2 Operation 88
5 The Domain Name System 89
5.1 Evolution 89
5.1.1 The HOSTS.TXT file 89
5.2 DNS overview 90
5.2.1 The domain structure 91
5.2.2 DNS components 92
Resource records 92
Name servers 93

Resolvers 93
The resolution process 93
5.3 The DNS database 95
5.3.1 Overview 95
5.3.2 Resource records 96
5.3.3 Using a sample network 98
5.3.4 DNS software configuration 98
The BOOT file 98
5.3.5 Using resource records 100
SOA record 101
NS records 101
MX records 101
A records 102
CNAME records 102
PTR records 102
Loopback files 103
All-zero/all-ones files 103
For further resolution 104
5.3.6 Accessing a DNS database 105
nslookup 105
The Whois command 112
6 Layer 2 Management 113
6.1 Ethernet frame operations 113
6.1.1 Ethernet frame composition 114
Preamble field 115
Start-of-Frame Delimiter field 115
Destination Address field 115
I/G subfield 116
U/L subfield 117
Universal versus locally administered addressing 117
Source Address field 118
Type field 120
Length field 121
Data field 122
Frame Check Sequence field 123
6.2 Ethernet media access control 124
6.2.1 Functions 125
6.2.2 Transmit media access management 126
6.2.3 Collision detection 128
Jam pattern 128
Wait time 128
Late collisions 130
6.3 Ethernet Logical Link Control 130
6.3.1 The LLC protocol data unit 130
6.3.2 Types and classes of service 132
Type 1 132
Type 2 133
Type 3 133
Classes of service 133
6.4 Other Ethernet frame types 133
6.4.1 Ethernet_SNAP frame 133
6.4.2 NetWare Ethernet_802.3 frame 134
6.4.3 Receiver frame determination 135
6.5 Fast Ethernet 135
6.5.1 Start-of-Stream Delimiter 136
6.5.2 End-of-Stream Delimiter 136
6.6 Gigabit Ethernet 136
6.6.1 Carrier extension 137

6.6.2 Packet bursting 139
6.7 Token-Ring frame operations 139
6.7.1 Transmission formats 140
Starting/ending delimiters 141
Differential Manchester encoding 141
Non-data symbols 142
Access control field 143
The monitor bit 146
The active monitor 146
Frame Control field 147
Destination Address field 147
Universally administered address 148
Locally administered address 148
Functional address indicator 148
Address values 148
Source Address field 149
Routing Information field 151
Information field 152
Frame Check Sequence field 152
Frame Status field 152
6.8 Token-Ring Medium Access Control 154
6.8.1 Vectors and subvectors 155
6.8.2 MAC control 156
Purge frame 157
Beacon frame 157
Duplicate Address Test frame 158
6.8.3 Station insertion 158
6.9 Token-Ring Logical Link Control 159
6.9.1 Service Access Points 159
DSAP 160

SSAP 160
6.9.2 Types and classes of service 161
6.10 Summary 161
7 Layer 3 and Layer 4 Management 163
7.1 Using WebXRay 163
7.1.1 Overview 164
7.1.2 Operation 164
Autodiscovery 165
Service selection 167
Topology discovery 167
Hosts information 168
Services information 169
Traffic measuring 169
Server Host Table 170
Server–Client Matrix Table 171
IP Host Table 171
IP Matrix Table 171
Protocol distribution 173
Filtering and packet decoding 174
7.2 Using EtherPeek 176
7.2.1 Operation 176
Packet capture 176
Filtering 177
Selective packet capture 179
Packet decoding 179
7.2.2 Network statistics 182
8 SNMP and RMON 185
8.1 SNMP and RMON overview 185

8.1.1 Basic architecture 186
Manager 186
Agents 187
Management Information Base 188
8.1.2 RMON 188
Probes and agents 188
MIBs 188
Operation 189
Evolution 190
8.2 The SNMP protocol 191
8.2.1 Basic SNMP commands 191
GetRequest 192
GetNextRequest 192
SetRequest 193
GetResponse 193
Trap 194
8.2.2 SNMP version 2 194
New features 195
GetBulkRequest 196
InformRequest 196
8.2.3 SNMPv3 197
Architecture 198
SNMP engine modules 199
Application modules 199
Operation 200
8.3 Understanding the MIB 200
8.3.1 The object identifier 201
8.3.2 Structure and identification of management information 202

8.3.3 Network management subtrees 203
The mgmt subtree 203
The experimental subtree 203
The private subtree 204
Program utilization example 204
8.3.4 MIB II objects 207
The System Group 208
The Interfaces Group 210
The Address Translation Group 213
The Internet Protocol Group 214
The Internet Control Message Protocol Group 214
The Transmission Group 216
The Transmission Control Protocol Group 217
The User Datagram Protocol Group 218
The Exterior Gateway Protocol Group 218
The SNMP Group 218
Authentication traps 218
Incoming traffic counts 219
Outgoing traffic counts 220
9 Management by Utility Program 225
9.1 Network utility programs 225
9.1.1 Ping 225
Overview 226
Operation 227
Utilization 228
Operational example 228
9.1.2 Traceroute 229
Overview 229
Operation 230
Utilization 231

Operational example 231
9.1.3 Nbtstat 232
Operation 233
9.1.4 Netstat 234
Operation 235
9.2 Monitoring server performance 236
9.2.1 Using Windows NT/2000 Performance Monitor 236
Overview 236
Utilization 237
Observing processor performance 240
9.2.2 Working with alerts 241
10 Security 245
10.1 Router security 246
10.1.1 Need for access security 246
10.1.2 Router access 247
10.1.3 Telnet access 247
10.1.4 TFTP access 249
10.1.5 Securing console and virtual terminals 250
10.1.6 File transfer 251
10.1.7 Internal router security 251
10.1.8 Additional protective measures 252
10.2 Router access-lists 253
10.2.1 Overview 254
10.2.2 TCP/IP protocol suite review 254
10.2.3 Using access-lists 256
Configuration principles 256
Standard access-lists 257
Extended access-lists 260

Limitations 262
10.3 Using firewall proxy services 263
10.3.1 Access-list limitations 263
10.3.2 Proxy services 264
10.3.3 ICMP proxy services 266
10.3.4 Limitations 268
10.3.5 Operational example 268
Using classes 268
Alert generation 269
Packet filtering 270
The gap to consider 272
10.4 Network address translation 272
10.4.1 Types of address translations 274
Static NAT 274
Pooled NAT 274
Port Address Translation 274
Appendix A The SNMP Management Information Base (MIB-II) 275
Appendix B Demonstration Software 325
Index 327