Find out which client makes the network slow - networking

We have about 30 clients connected to a single cable-modem/router (Fritzbox 6360). Some clients also connect to a TP-Link W-LAN Router which is also connected to the cable modem.
Sometimes the internet is very slow and we can see a continuous upstream (6 MBit/s). Unfortunately we cannot see which clients cause that traffic. The Fritz Box provides a functionality to capture network traffic and then analyze it with Wireshark.
The following interfaces can be captured on the cable modem:
Internet connection
Interface 0 ('internet')
Routing interface
Network interfaces
tunl0
cni0
lbr0
wan0
eth0
lan
erouter0
esafe0
And there is an option to launch DTrace (the default parameters are):
-D -s -m -i256 -dect -dlc -c1 -c2 -c3 -c4 -c5 -nt3 -d2 -d3
We already captured different interfaces and tried to understand the data with Wireshark but without much success. What would be the right way to see which client is uploading data at the moment?

In Wireshark, to get a list of IP addresses and what percentage of the trace each of the IP addresses is taking up, go to Statistics->IP Addresses.. and click "Create Stat" in the box that pops up, leaving the "Filter" option blank. You should be able to figure out which of your client IPs is hogging the most bandwidth with this.
For a visual comparison, click "Statistics->IO Graph", and in the second filter next to Graph 2, type "ip.src == x.x.x.x" (where x.x.x.x is the IP address of the uploader you suspect is taking up the most bandwidth) and click "Graph 2". This will give you a packets vs. time graph. You can also filter other IP addresses to display simultaneously in the same graph for comparison.
Edit: I would also suggest keeping an eye out for IPv6 addresses.
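As an added example, not part of the original answer, the same per-source tally that Statistics->IP Addresses produces (and the per-second series behind an IO Graph), computed in Python over a constructed set of packet records. The LAN prefixes, the client addresses and the record values are all assumptions, since the question does not give them; IPv6 clients are handled alongside IPv4 ones, as the edit above suggests.

```python
import ipaddress
from collections import defaultdict

# Assumed LAN prefixes (the question does not give them); fd00::/8 covers IPv6 ULA clients.
LAN_NETS = [ipaddress.ip_network("192.168.178.0/24"), ipaddress.ip_network("fd00::/8")]

# Constructed records (seconds, src, dst, bytes) standing in for a capture of the 'internet'
# interface; the non-LAN addresses are from the documentation ranges, not real hosts.
PACKETS = [
    (0.0, "192.168.178.20", "203.0.113.10", 1400),
    (0.2, "192.168.178.20", "203.0.113.10", 1400),
    (0.5, "192.168.178.35", "198.51.100.7", 200),
    (0.9, "203.0.113.10", "192.168.178.20", 60),      # downstream ACK: not upstream
    (1.1, "192.168.178.20", "203.0.113.10", 1400),
    (1.4, "fd00::1a2b", "2001:db8::50", 900),         # IPv6 client, counted too
    (1.8, "192.168.178.35", "192.168.178.1", 300),    # LAN-internal: not upstream
    (2.3, "192.168.178.20", "203.0.113.10", 1400),
]

def is_lan(addr, lan_nets=LAN_NETS):
    ip = ipaddress.ip_address(addr)                   # accepts IPv4 and IPv6 literals
    return any(ip in net for net in lan_nets)
def upstream_bytes(packets, lan_nets=LAN_NETS):
    """Bytes each LAN source sent to non-LAN destinations (the upstream direction)."""
    totals = defaultdict(int)
    for _, src, dst, size in packets:
        if is_lan(src, lan_nets) and not is_lan(dst, lan_nets):
            totals[src] += size
    return dict(totals)
def upstream_share(packets, lan_nets=LAN_NETS):
    """Percent of upstream bytes per source, the figure Statistics->IP Addresses reports."""
    totals = upstream_bytes(packets, lan_nets)
    grand = sum(totals.values()) or 1
    return {src: round(100.0 * b / grand, 1) for src, b in totals.items()}
def top_talker(packets, lan_nets=LAN_NETS):
    totals = upstream_bytes(packets, lan_nets)
    return max(totals.items(), key=lambda kv: kv[1]) if totals else None
def io_series(packets, src, bucket=1.0):
    """Bytes per time bucket for one source: the data behind an IO Graph with ip.src == src."""
    series = [0] * (int(max((t for t, *_ in packets), default=0) // bucket) + 1)
    for t, s, _, size in packets:
        if s == src:
            series[int(t // bucket)] += size
    return series

if __name__ == "__main__":
    for src, pct in sorted(upstream_share(PACKETS).items(), key=lambda kv: -kv[1]):
        print(f"{src:>16}  {pct:5.1f}%")
    hog = top_talker(PACKETS)[0]
    print("top talker:", hog, "bytes per second:", io_series(PACKETS, hog))
```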

Related

Two devices with the same IP delay when working non-simultaneously

I am working on automating my production process. I have two devices in a small LAN; they are stock, so they both share the same IP address. The idea is to power up one device, upload data via Modbus TCP/IP, then power it down. Wait about 10 seconds. Next, power up the other device and do the same, plus change its IP address.
Everything works fine, but every time I switch the TCP/IP connection from one device to the other it takes about one minute to establish the connection. When their IPs are set it works normally; it is only the first switchover, when the IPs are the same, that causes that long delay.
Why is that?
If you have 2 devices sharing the same IP address you might be hitting the ARP table limits. The ARP table is responsible for translating IP addresses to MAC addresses, and has a lifetime of a few minutes. When your computer opens communication with a never seen IP, it caches a MAC entry to the ARP table so that it doesn't need to look up the Ethernet device every time.
With 2 devices sharing an IP, your computer might be caching the MAC of the first until the entry expires.
On most OSs you can run arp -a to see the ARP table and arp -d to clear it. If you clear the ARP table after the switchover and it starts communicating right away that is your culprit.

Multiple programs on a machine should receive the network traffic arriving on one port

I have UDP network traffic arriving on my machine (OSC traffic from an iPad, to be exact) and I want two programs to be able to receive that traffic. The problem is that I can't bind to the same network port with two programs at once and I can't send to multiple ports with the iOS app I'm using. How can I solve this problem?
You can use the power of the command line for this. The following snippet uses socat (probably needs to be installed beforehand) and tee (should be preinstalled on any OS X or Linux).
socat -u UDP4-RECVFROM:8123,fork - | tee >(socat -u - UDP4-SENDTO:localhost:8223) | socat -u - UDP4-SENDTO:localhost:8323
Explanation: socat listens for traffic on UDP port 8123, pipes it to tee, which pipes it to two other instances of socat forwarding it to ports 8223 and 8323 on localhost respectively. With your two programs you need to listen to those ports on localhost.
While the answer using socat is elegant, it is not clear to me what you are trying to do:
both programs should receive all parts of the traffic and they will only receive and not reply. This can be done the proposed socat way
both programs should receive all parts of the traffic and their replies will be mixed together (how?)
each of the programs should only receive parts of the traffic, e.g. the ones which the other did not get. This should be possible if both of your programs use SO_REUSEADDR, SO_REUSEPORT. Replies will then be mixed together.
or do you actually want to communicate with each of the programs separately - then you would have to use either multiple sockets in the iOS app (which you don't want to do) or build your own protocol which does multiplexing, e.g. each message is prefixed with its target app and on the target machine a demultiplexer application receives all packets, forwards them to the appropriate application and wraps the replies back into the multiplexing protocol.
In summary: please describe the problem you are trying to solve, not only one small technical detail of it.
The problem is that I can't bind to the same network port with two programs at once
Yes you can. Just set SO_REUSEADDR and maybe SO_REUSEPORT on both of them before you bind.
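An added example, not from either answer above, that contrasts the two approaches in Python on loopback: a relay that copies every datagram to two listeners (what the socat/tee pipeline does) beside two sockets bound to the same port with SO_REUSEADDR/SO_REUSEPORT, where each datagram reaches only one of them. Port numbers are chosen by the OS and the OSC-like payloads are constructed.

```python
import socket

def udp_socket(port, shared=False):
    """Bind a UDP socket on loopback; shared=True sets the reuse options BEFORE bind."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    if shared:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        if hasattr(socket, "SO_REUSEPORT"):           # absent on Windows
            s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEPORT, 1)
    s.bind(("127.0.0.1", port))                       # port 0: let the OS pick one
    s.settimeout(0.5)
    return s
def drain(sock):
    """Collect datagrams until the socket has been quiet for its timeout."""
    got = []
    try:
        while True:
            got.append(sock.recv(2048))
    except socket.timeout:
        pass
    return got
def fanout_once(payloads):
    """What the socat/tee pipeline does: each datagram reaching the relay is copied to both listeners."""
    relay, a, b = udp_socket(0), udp_socket(0), udp_socket(0)
    sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    for p in payloads:
        sender.sendto(p, relay.getsockname())
    for _ in payloads:
        data, _ = relay.recvfrom(2048)
        for target in (a.getsockname(), b.getsockname()):
            relay.sendto(data, target)
    result = (drain(a), drain(b))
    for s in (relay, a, b, sender):
        s.close()
    return result
def shared_port_once(payloads):
    """Two sockets on the SAME port via SO_REUSEADDR/SO_REUSEPORT: each datagram reaches only one."""
    first = udp_socket(0, shared=True)
    second = udp_socket(first.getsockname()[1], shared=True)
    sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    for p in payloads:
        sender.sendto(p, first.getsockname())
    result = (drain(first), drain(second))
    for s in (first, second, sender):
        s.close()
    return result

if __name__ == "__main__":
    msgs = [b"/fader/%d 0.5" % i for i in range(5)]  # constructed OSC-like datagrams
    print("fan-out  :", [len(r) for r in fanout_once(msgs)])       # both listeners get all 5
    print("reuseport:", [len(r) for r in shared_port_once(msgs)])  # 5 in total, split between them
```

Which of the two shared sockets receives a given datagram is up to the OS (Linux hashes the sender's address and port), so the split is not controllable from the receiving side.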

Capturing data packets in closed LAN

In my college lab, all the PCs are connected via a hub. I want to capture data packets using Wireshark, but it only displays the interface of my own PC. How can I capture the packets of other PCs?
I've tried all the interfaces, and I can't get it to work.
Odds are you're connected to a switch rather than a hub. The problem there is that only packets intended for your network card's hardware (MAC) address and broadcast packets will be sent to your PC. The switch remembers the hardware address of devices plugged into it and performs packet forwarding based on those addresses. This vastly increases the potential bandwidth of your network segment, but makes snooping on other traffic more difficult. You will need to perform what's called ARP cache poisoning. Basically you need to trick every other computer connected to the switch to send its traffic to you rather than its true destination. You will then need to forward those packets not actually for you onto the correct destination otherwise it will take down the entire segment you're on and people will get nosy.
This type of redirection is possible, but it seems like you'll need to do quite a bit more research and understand exactly what is going on before attempting it. To get started, look into the Address Resolution Protocol; understand what a "layer 2" switch is doing; find out how to inject and reroute packets on the network; think about the consequences of getting caught.
If you're serious about moving forward, check out http://www.admin-magazine.com/Articles/Arp-Cache-Poisoning-and-Packet-Sniffing for some starting tips.

Using the second Ethernet Port for TCP on a NI PXI with LABVIEW

I'm using a PXI 8109 running Pharlap OS.
I'm trying to use the second ethernet interface of my PXI to send UDP and TCP packets.
Here is the configuration of my two ethernet interfaces:
eth0 (primary):
IP : 10.0.0.3
subnet mask : 255.0.0.0
eth1 :
IP : 192.168.10.9
subnet mask : 255.255.255.0
For UDP, I have no problems; packets are sent to the second interface as I want. I think it works because there is a "net address" input on the "UDP Open" VI, so the system can choose the right interface.
For TCP, I use the "TCP Open connection" VI but there is no such input. And it is not working: I assume the system is trying to use the primary interface but it can't route packets...
For information, my two networks are physically independent.
Can you help me find out what's going on? Is it possible to use TCP on the second ethernet interface?
TCP open is meant to open a connection to another computer; if you feed it a valid (in one of the two subnets) TCP address, it should open a connection on that specific interface.
I assume you need to use the TCP listener function and according to this KB article, you can specify on which address you want to listen. So yes, you should be able to use a specific ethernet interface.
disclaimer: I am not sure if all this info is valid on Pharlap as well.
Basically, the decision which NIC to use is up to the OS and I believe that normally it would choose based on the subnet of the address you're trying to connect to and those of the NICs - I don't know what the IP address is (maybe it's in the subnet of the wrong card?), but the subnets of the NICs certainly appear to be different from each other (10.0.0.0 and 192...).
On Windows, I believe you can set the routing tables to have some more control of this (although I don't know if you would be able to force something to go through the "wrong" NIC), but I have no idea how much control you would have over this on Phar Lap. I would suggest some searching. Here are a couple of relevant links:
http://forums.ni.com/t5/LabVIEW/RT-How-do-I-use-two-independent-Ethernet-ports/td-p/721269
http://forums.ni.com/t5/LabVIEW/Communicating-through-two-ethernet-ports-on-the-same-computer/m-p/1509450#M565374
I finally solved my problem. This was not related to the TCP connection ...
I was using a property node "Value (signaling)" to trigger the TCP connection and it seems that this is not supported on RT Targets.
This is why it was working on localhost.
Thanks for the help anyway ;)

Creating a TCP connection between 2 computers without a server

2 computers are in different subnets.
Both are Windows machines.
There are 2-5 IGMP-ready routers between them.
They can connect to each other over the multicast protocol (they have joined the same multicast group and they know about each other's existence).
How to establish a reliable TCP connection between them without any public server?
Programming language: C++, WinAPI
(I need a TCP connection to send some big critical data, which I can not entrust to UDP)
You haven't specified a programming language, so this whole question may be off-topic.
Subnets are not the problem. Routability is the problem. Either there is routing set up or there isn't. If they are, for example, both behind NAT boxes, then you're at the mercy of the configuration of the NAT boxes. If they are merely on two different subnets of a routed network, it's the job of the network admin to have set up routing. So, each has an IP address, and either can address the other.
On one machine, you are going to create a socket, bind it to some port of your choice, and listen. On the other, you will connect to the first machine's IP + the selected port.
edit
I'm going to try again, but I feel like there's a giant conceptual gap here.
Once upon a time, TCP/IP was invented. In the original conception, every item on the network had an IPv4 address, and every machine could reach every other machine, via routing, except for machines in the 'private' address space (10.x, etc).
In the very early days, the only 'subnets' were 'class A, class B, class C'. Later the idea of subdividing a network via bitmasks was added. The concept of 'subnet' is just a way of describing a piece of network in which all the hosts can deliver packets to each other by one hop over some transport or another. In a properly configured network, this is only of concern to operating system drivers. Ordinary programs just address packets over the network and they arrive.
The implementation of this connectivity was always via routing protocol. If you have a (physical) ethernet A over here, and a (physical) ethernet B over there, connected by some sort of point-to-point link, the machines on A need to know where to send packets for B. Or, to be exact, they need to know where to send 'not-A' packets, and whatever they send them to needs to know where to send 'B' packets. In simple cases, this is arranged via explicit configuration: routing rules stuffed into router boxes or even computers with multiple physical interfaces. In more complex cases, routing boxes intercommunicate via protocols like EGP or BGP or IGMP to learn the network topology.
If you use the Windows 'route' command, you will see the 'default route' that the system uses to send packets that need to leave the local subnet. It is generally the address of the router box responsible for moving information from the local subnet to everywhere else.
The whole goal of this routing is to arrange that a packet sent from a.b.c.d to e.f.g.h will get there. TCP is no different than UDP, except that you can't get there by multicast or broadcast: you need to know the exact address of your correspondent.
DNS was invented to allow hosts to learn each other's IP addresses without having human beings send them around in email messages.
All this stops working when people start using NAT and firewalls to turn off routing. The whole idea of NAT is that the computers behind the NAT box are not addressable at all. They all appear to have one IP address. They can send stuff out, but they can only receive stuff if the NAT box has gone to extra trouble to map them a port.
From your original message, I sort of doubt that NAT is in use here. I just don't understand your comment 'I don't have access to the network.' You say that you've sent UDP packets here and there. So how did you do that? What addresses did you use?