Category Archives: Network

Computer networks over IPv4 and IPv6. Switching, Routing, and Firewalling.

ICMP-Meldungen zur Fehlersuche im Netz einspannen

ICMP/ICMPv6, Internet Access, Routing, , , , , , , , , , , ,

Sie sind Admin und Ihr Netz kränkelt. Wo fangen Sie an mit der Fehlersuche? Unser Tipp: Tasten Sie Ihre Netzwerkpatienten mal nach ICMP-Symptomen ab. Viele führen direkt zur Ursache.

Wenn man Netzwerkschluckauf behandeln muss, gilt Wireshark als eines der Lieblingswerkzeuge von Netzwerkadmins. Denn falsch angestöpselten oder fehlkonfigurierten Servern kommt man oft schon anhand eines Netzwerkmitschnitts auf die Spur und erspart sich so den Adminzugriff auf Abteilungsrouter oder -switches. Als behandelnder Admin müssen Sie das aufgefangene Paketkonfetti nur noch mit einem geeigneten Display-Filter sieben, um jene Paketsorte im Kescher zu behalten, die Fehlerhinweise gratis unter Ihre wissenden Augen bringt: die ICMP-Päckchen.

Continue reading ICMP-Meldungen zur Fehlersuche im Netz einspannen

ICMP ‘Destination Unreachable’ Messages @ SharkFest’24 EU

Conference Talks, ICMP/ICMPv6, Internet Access, , , , , , ,

I did a presentation at SharkFest’24 EU in Vienna, the “Wireshark Developer and User Conference“, about the topic: “Unveiling Network Errors – A Deep Dive into ICMP ‘Destination Unreachable’ Messages“. It covers the following:

“Effective troubleshooting of network issues is a critical concern for network technicians. While many are familiar with basic ICMP tools like ping and traceroute, the breadth of ICMP capabilities often goes underutilised. This session delves into ICMP messages, specifically the ‘Destination Unreachable’ type, and the insights they provide into network errors.

We will explore methods for capturing and analysing network traffic, highlighting practical tips and tricks for using Wireshark to diagnose and resolve issues efficiently. Attendees will gain a deeper understanding of ICMP message functions and how to leverage them for improved network troubleshooting.”

You can watch the whole session and download the slides. And you can do the six challenges at the end of the session as well. (The answers are not in the PDF, but shown in the video.)

Continue reading ICMP ‘Destination Unreachable’ Messages @ SharkFest’24 EU

Azure PTP Accuracy

Microsoft Azure, NTP, , ,

The Network Time Protocol (NTP) is widely used to synchronize computer clocks. The Precision Time Protocol (PTP) can be used as a time source as well, which is expected to be accurate within microseconds. However, at Microsoft Azure VMs, PTP-derived time-of-day errors could exceed 50,000 microseconds, which may be inadequate. Let’s go into some details:

Continue reading Azure PTP Accuracy

Bad IPv6 Approaches

IPv6, , , , , , , , , , ,

I just got a few emails from an administrator of a medium-sized company, asking some IPv6 questions. They want to use IPv6 to reach the Internet, using two ISPs, while remaining IPv4-only on their internal networks. For whatever reason, they came across three different ideas that were almost completely wrong, speaking of a sound IPv6 design. But why? Maybe because IPv4 thinking is a bigger problem than we ever thought? Or because admins rely on firewall vendors (like Fortinet) that suggest completely wrong network approaches?

Let’s dig into some misconceptions concerning IPv6:

Continue reading Bad IPv6 Approaches

Path MTU Discovery

ICMP/ICMPv6, Internet Access, Routing, , , , , , ,

One of the mysteries for me in IP networks was the Path MTU Discovery (PMTUD) process. I’ve seldom seen any problems with the MTU at all. Fortunately, while troubleshooting some router issues, I captured several ICMP “packet too big” errors along with the original packets. 👍🏻

Let’s have a look at those PMTUD processes for IPv6 and legacy IP with Wireshark. Of course, these captured connections are part of the Ultimate PCAP as well, hence, you can download the most current version of it and analyze it by yourself.

Continue reading Path MTU Discovery

Dual-Stack PPPoE on a FortiGate Firewall

Fortinet, Internet Access, IPv6, , , , , , ,

You can use a FortiGate to connect to the Internet (that is: Dual-Stack!) directly in various ways. In my current setup, I’m using a PPPoE residential xDLS connection. It’s not that easy to configure everything correctly since it requires the use of many different protocols such as PPPoE and PPPoEv6 (PPP IPV6CP) along with DHCPv6-PD. But here it is:

Continue reading Dual-Stack PPPoE on a FortiGate Firewall

DHCPv6 Prefix Delegation on a FortiGate Firewall

DHCP/DHCPv6, Fortinet, IPv6, , , , , , ,

I got DHCPv6-PD aka prefix delegation up and running on a FortiGate. Yes! ✅ Configuring it is tricky since it’s not always clear which options to use. You cannot see everything in the GUI (it even changes depending on other options made later on or selects hidden and wrong default values), hence, you must set specific options via the CLI. I navigated around some bugs and finally got it running. Here we go:

Continue reading DHCPv6 Prefix Delegation on a FortiGate Firewall

Dual-Stack PPPoE on a Palo Alto Firewall

Internet Access, IPv6, Palo Alto Networks, , , , , , ,

If you want to establish an Internet connection (that is: IPv6 and IPv4) right away from your firewall through xDSL connections, you need quite some technologies: PPPoE and PPPoEv6 (PPP IPV6CP) along with DHCPv6-PD. Fortunately, with PAN-OS 11.0 and 11.1, those missing IPv6 links were finally added by PANW to their Strata firewalls. (I have been awaiting them since 2015!)

So, here it is: Connecting a Palo through an xDSL modem to a residential ISP:

Continue reading Dual-Stack PPPoE on a Palo Alto Firewall

xDSL-Modems

FRITZ!Box, Internet Access, , , , , ,

Wenn man eine Enterprise-Firewall an einem klassischen DSL-Anschluss verwenden möchte, benötigt man ein extra DSL-Modem. Dies unterscheidet sich von Heimkundenroutern wie der Fritzbox, die immer schon ein DSL-Modem mit eingebaut hat. Back to the roots – so wie damals, als man ein Dreiergespann aus Splitter, Modem und Router hatte – kennt ihr es noch? ;)

In meinem Fall wollte ich eine Palo bzw. Forti an einem Telekom VDSL-Anschluss betreiben. Zwei Varianten habe ich getestet: Eine zum Modem degradierte Fritzbox (Bastellösung) und ein reines DSL-Modem aus dem Hause DrayTek. Hier ein paar Notizen und Screenshots:

Continue reading xDSL-Modems

Das Domain Name System

DNS/DNSSEC, , , , , ,

Kaum ein anderes Element ist so essenziell für das Internet wie das Domain Name System. Ruckelts mal im DNS, reagieren Webseiten und überhaupt alle Internetanwendungen gleich langsamer oder gar nicht. Doch um Fehlerursachen zu ermitteln und zu beseitigen, brauchen Firmen- und Heim-Admins ein weitreichendes Verständnis der Zusammenhänge.

Continue reading Das Domain Name System

It’s Always DNS! @ SharkFest’23 EU

Conference Talks, DNS/DNSSEC, , , , , ,

This time (2023) at the yearly Wireshark Developer and User Conference in Europe, I gave a talk about DNS. How could it have been any different –> The title simply had to be ‘It’s Always DNS‘. 😂

“This session dives deeper into the Domain Name System, covering recursive vs. iterative DNS queries, resource records types, TTL & caching, DNS errors, a little DNSSEC, flags, and of course: Wireshark with its useful display filters, custom columns, colouring rules, and so on. And we will explore some other tools to analyze and troubleshoot DNS even further.”

You can watch the whole session and download the slides. And you can do the six challenges at the end of the session as well. (The answers are not in the PDF, but shown in the video.)

Continue reading It’s Always DNS! @ SharkFest’23 EU

It’s Always DNS – Poster

At a Glance, DNS/DNSSEC, , , , , , ,

We all know the DNS, right? But when we need to troubleshoot it, it’s getting much more complicated than initially thought. DNS ≠ DNS ≠ DNS. And unfortunately: It’s Always DNS.

To get a better understanding of those different kinds of DNS servers (authoritative vs. recursive), DNS messages (recursive, iterative, zone transfer, …) as well as other techniques (conditional forwarding, DoH, …), I drew a poster to have it all at a glance! Here it is:

Continue reading It’s Always DNS – Poster

Joining an Active Directory: A Packet Capture

Network, Windows, , , , , , , , , , ,

What happens on the network if you’re joining a Microsoft Active Directory domain? Which protocols are used? As I suspected, it’s a bit more complex than just seeing a single known protocol like HTTPS. ;)

Since a PCAP is worth a thousand words, I captured the process of a Windows PC joining an AD. Let’s have a look at it with Wireshark and NetworkMiner. And, as always, you’re welcome to download the packet capture to analyse it by yourself.

Continue reading Joining an Active Directory: A Packet Capture

Getting started with the APIs from Palo Alto Ntwks

API, Palo Alto Networks, Tutorial/Howto, , , , ,

You can talk to firewalls and Panorama from Palo Alto Networks in various ways. The well-known GUI (which I really love, by the way) and the CLI are quite common at first glance. Nearly everyone using the Palos is familiar with these configuration options.

When it comes to automation at some point, either to configure those devices or just to read out some KPIs for your monitoring, APIs are in place. Plural because Palo has two APIs: The so-called “XML API” and the “REST API“. Let’s get started with both of them:

Continue reading Getting started with the APIs from Palo Alto Ntwks

iPad Ping: WLAN vs. LAN

Bandwidth/Delay, Internet Access, iPhone/iPad, Ping/Traceroute, WLAN/Wi-Fi, , , , , , ,

Meine Kids spielen derzeit häufig Brawl Stars, ein Echtzeit Onlinespiel. Und sie schauen auch immer mal Videos dazu, bei denen ihnen jetzt der Floh ins Ohr gesetzt wurde, dass man ein iPad ja auch per LAN-Adapter mit einem Netzwerkkabel ausstatten kann, was ja den Ping verbessert.

JAAAA, endlich waren meine Kenntnisse in Sachen Netzwerktechnik mal von meinen Kindern gefragt. “Papa, weißt du, was ein LAN-Kabel ist?” “Ja klar.” “Hast du so eines?” “Ja, circa Hundert.” “Waaas? Echt jetzt? Dann muss ich mir ja gar keins kaufen.” 😂

Neben der Subjektivität, ob das Zocken per LAN-Kabel jetzt merklich besser wird, wollte ich mal objektiv messen, wie sich die Latenz eines per Ethernet-Adapter angeschlossenen iPads denn nun wirklich verhält. Wie viel besser wird der Ping im Idle- bzw. im Volllastfall? Was sagt die Laufzeit zum Default Gateway? Hier ein paar Tests:

Continue reading iPad Ping: WLAN vs. LAN