IPXWATCH : A Protocol Analyzer for Novell Networks
--------------------------------------------------

1. Introduction
---------------

Ipxwatch is a protocol analyzer for Novell's IPX protocol. It was
developed at the Indian Institute of Technology, Bombay. It allows for
identification of all routers, servers (file servers, print servers
etc.) and nodes across an IPX internet. It also provides limited
diagnostic facilities.

It runs on packet drivers (you can get them from crynwr.com). It
supports only class 1 packet drivers (i.e. ethernet class drivers). It
has been tested on the following packet drivers: NE1000, NE2000,
WD8003E, and ARCETHER.

IPXWATCH can analyze the following protocols: IPX, SPX, NCP, SAP and
RIP.

1.1 Copying
-----------

See COPYING.DOC for details. No Warranty: see COPYING.DOC for details.

2. Installing IPXWATCH
----------------------

This section describes how to install IPXWATCH on your machine.
IPXWATCH can be run on any IBM PC or compatible running MS-DOS ver 3.0
or greater. The PC should be attached to the network and must have an
ethernet class packet driver. By ethernet class we mean that although
the media may not be ethernet, the packet driver should be able to
fake ethernet packets to the application. A good example is the
Arcether packet driver from crynwr.com, which runs on arcnet but fakes
ethernet packets to the applications.

3. Usage
--------

    IPXWATCH a|b <packet driver interrupt vector>

Before running IPXWATCH the packet driver has to be loaded (ipx should
not be loaded). IPXWATCH requires two command line parameters.

The first one is the protocol. You may be running either ethernet or
arcnet. On an ethernet network the minimum packet size is 60 bytes;
smaller packets are padded up. This is not the case for arcnet. The
command line parameter a|b is used to decide whether or not to pad
smaller packets: a specifies arcnet and b specifies ethernet. However
on an arcnet network you can still use b, which specifies that it is
ethernet.

The second parameter is the packet driver interrupt vector.
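What a class 1 packet driver actually hands IPXWATCH is a whole ethernet frame, and the analyzer has to work out for itself where the IPX header sits and how much of the frame is real data. The C below is an added example written for this edition, not code from IPXWATCH's own sources: it distinguishes type-8137 "blue book" framing from Novell raw IEEE 802.3 framing (the two forms the example batch files above deal with; 802.2/LLC framing is included as a generalization the text does not mention), decodes the 30-byte IPX header, and trusts the IPX length field rather than the frame length, so that ethernet's padding to 60 bytes is never mistaken for data. The two sample frames are constructed, not captured, and the socket-to-name mapping (0451 NCP, 0452 SAP, 0453 RIP, 0455 NetBIOS, 0456 diagnostics) uses Novell's well-known sockets; that IPXWATCH keys its own labels on these sockets is an assumption.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define IPX_HDR_LEN 30

/* A class 1 packet driver delivers whole ethernet frames, so the analyzer
   itself must work out how the IPX header is framed. */
enum ipx_framing { FRAMING_NONE = 0, FRAMING_ETHERNET_II, FRAMING_802_3_RAW, FRAMING_802_2 };

struct ipx_hdr {
    uint16_t checksum;        /* 0xFFFF: IPX checksums are normally disabled */
    uint16_t length;          /* header + data in bytes, big-endian */
    uint8_t  transport_ctl;   /* hop count, incremented by each router */
    uint8_t  packet_type;     /* 1 RIP, 4 SAP/PEP, 5 SPX, 17 NCP */
    uint32_t dst_net, src_net;
    uint8_t  dst_node[6], src_node[6];
    uint16_t dst_sock, src_sock;
    enum ipx_framing framing;
    const uint8_t *data;      /* first byte after the 30-byte header */
    size_t data_len;          /* bounded by the IPX length field, not the frame */
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t be32(const uint8_t *p)
{ return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3]; }

/* Locate the IPX header inside an ethernet frame. */
static enum ipx_framing ipx_locate(const uint8_t *f, size_t len, size_t *off)
{
    if (len < 14 + IPX_HDR_LEN) return FRAMING_NONE;
    uint16_t type = be16(f + 12);
    if (type == 0x8137) { *off = 14; return FRAMING_ETHERNET_II; }  /* "blue book" ethernet */
    if (type > 1500) return FRAMING_NONE;                             /* some other Ethernet II protocol */
    /* type is an IEEE 802.3 length. Novell "raw" 802.3 puts the IPX header
       (checksum FFFF) straight after it; 802.2 inserts an LLC header E0 E0 03. */
    if (be16(f + 14) == 0xFFFF) { *off = 14; return FRAMING_802_3_RAW; }
    if (len >= 17 + IPX_HDR_LEN && f[14] == 0xE0 && f[15] == 0xE0 && f[16] == 0x03) {
        *off = 17; return FRAMING_802_2;
    }
    return FRAMING_NONE;
}

/* Decode one frame. Returns 0 on success, -1 if it is not a sane IPX packet. */
int ipx_parse(const uint8_t *frame, size_t len, struct ipx_hdr *h)
{
    size_t off = 0;
    enum ipx_framing fr = ipx_locate(frame, len, &off);
    if (fr == FRAMING_NONE) return -1;
    const uint8_t *p = frame + off;
    h->framing = fr;
    h->checksum = be16(p);
    h->length = be16(p + 2);
    h->transport_ctl = p[4];
    h->packet_type = p[5];
    h->dst_net = be32(p + 6);  memcpy(h->dst_node, p + 10, 6); h->dst_sock = be16(p + 16);
    h->src_net = be32(p + 18); memcpy(h->src_node, p + 22, 6); h->src_sock = be16(p + 28);
    /* Ethernet pads short frames to 60 bytes, so bytes beyond the IPX length
       are padding, not data. Trust the length field, but never let it claim
       more than was actually received. */
    if (h->length < IPX_HDR_LEN || h->length > len - off) return -1;
    h->data = p + IPX_HDR_LEN;
    h->data_len = h->length - IPX_HDR_LEN;
    return 0;
}

/* Label the packet by well-known socket, using the names of the T filter. */
const char *ipx_proto_name(const struct ipx_hdr *h)
{
    uint16_t socks[2] = { h->dst_sock, h->src_sock };
    for (int i = 0; i < 2; i++) {
        switch (socks[i]) {
        case 0x0451: return "NCP";
        case 0x0452: return "SAP";
        case 0x0453: return "RIP";
        case 0x0455: return "NB";    /* NetBIOS over IPX */
        case 0x0456: return "DIAG";  /* diagnostic configuration request/response */
        default: break;
        }
    }
    return "IPX";
}

static void node_hex(const uint8_t n[6], char out[13])
{ snprintf(out, 13, "%02X%02X%02X%02X%02X%02X", n[0], n[1], n[2], n[3], n[4], n[5]); }

/* One trace line in the column order used in section 5:
   source node, destination node, protocol, IPX length. */
int ipx_format_line(const struct ipx_hdr *h, char *out, size_t outlen)
{
    char s[13], d[13];
    node_hex(h->src_node, s);
    node_hex(h->dst_node, d);
    return snprintf(out, outlen, "%s %s %s %u", s, d, ipx_proto_name(h), (unsigned)h->length);
}

/* Constructed sample (not a capture): a Get Nearest Server request (SAP op 3,
   server type 4) from node 000000000003 to the broadcast node, 34 bytes of
   IPX in Ethernet II (type 8137) framing, padded to 60 bytes. */
const uint8_t SAMPLE_GNS_ETHERNET_II[60] = {
    0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, 0x00,0x00,0x00,0x00,0x00,0x03, 0x81,0x37,
    0xFF,0xFF, 0x00,0x22, 0x00, 0x04,                                /* checksum, length 34, hops, type SAP */
    0x00,0x00,0x00,0x00, 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, 0x04,0x52,   /* dst net / node / socket */
    0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x03, 0x40,0x00,   /* src net / node / socket */
    0x00,0x03, 0x00,0x04                                             /* GNS, file server; rest is padding */
};

/* The same packet in Novell raw 802.3 framing: a length field (34) instead of
   type 8137, then the IPX header. This is the form the packet driver's -n
   switch translates to and from type 8137. */
const uint8_t SAMPLE_GNS_802_3_RAW[60] = {
    0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, 0x00,0x00,0x00,0x00,0x00,0x03, 0x00,0x22,
    0xFF,0xFF, 0x00,0x22, 0x00, 0x04,
    0x00,0x00,0x00,0x00, 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, 0x04,0x52,
    0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x03, 0x40,0x00,
    0x00,0x03, 0x00,0x04
};

int main(void)
{
    struct ipx_hdr h;
    char line[64];
    if (ipx_parse(SAMPLE_GNS_ETHERNET_II, sizeof SAMPLE_GNS_ETHERNET_II, &h) == 0) {
        ipx_format_line(&h, line, sizeof line);
        printf("%s  (framing %d, %u data bytes)\n", line, (int)h.framing, (unsigned)h.data_len);
    }
    return 0;
}
```

The length check is the part worth copying: a driver running in the b (pad) mode will deliver 60-byte frames for a 34-byte GNS request, and a decoder that walks to the end of the frame instead of the end of the IPX length will parse padding as SAP data.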
IPXWATCH displays the addresses of the nodes in hexadecimal format.
However for diagnostic purposes the node/network addresses can be
specified in symbolic form. Create two configuration files, node.ipx
and net.ipx, in the directory from which IPXWATCH is run. They contain
the numeric and symbolic addresses of the nodes and of the networks
respectively. Sample node.ipx and net.ipx files are provided.

Examples
--------

a) For a network running IEEE 802.3, and a node having an NE1000 card,
   a sample batch file would look like

       rem example1.bat
       rem the -n switch of the packet driver converts packets of
       rem type 8137 to IEEE 802.3 and vice versa
       ne1000 -n 0x60 3 0x300
       ipxwatch b 0x60

b) For a network running blue book ethernet, and a node having an
   NE1000 card, the batch file would look like

       rem example2.bat
       ne1000 0x60 3 0x300
       ipxwatch b 0x60

c) For a network running arcnet, and a node having an arcnet card, the
   batch file would look like

       rem example3.bat
       arcether 0x60 2 0x2e0 0xd000
       ipxwatch a 0x60

4. Using IPXWATCH
-----------------

By default IPXWATCH catches all IPX packets. It has a command prompt.
Typing h at the command prompt gives a summary of the commands. The
commands are explained below.

Command   Function
-------   --------

A         Match All Packets
          This is the default mode when IPXWATCH is invoked. It
          catches all IPX packets on the network. Note that on arcnet
          it is not possible to catch all the packets. Typing A at the
          command prompt puts IPXWATCH back in the default mode.

B         Display Packet Type Statistics
          Displays the packet count and the byte count for the
          various packet types (IPX, RIP, SAP, NCP etc.).

C         Clear Screen
          Clears the display window.

D         Match on Destination Address
          This is a filter which displays/logs only the packets going
          to a particular destination node. To use this type D at the
          command prompt and enter the 6-byte (12 hex digit) node
          address; do not precede the address with 0x.
F         Close Log File
          Closes the previously opened log file.

H         This Help Screen
          Displays a summary listing of all the commands.

I         Node Information
          To use this command first use the Select Network command
          (N). This command displays the status of all nodes on the
          selected network. Nodes which are active and have ipx
          loaded are shown as ACTIVE. If a node goes down after
          IPXWATCH has been invoked its status is displayed as DOWN,
          together with the time at which it went down. A node whose
          address is given in the configuration file node.ipx but
          which has never come up since IPXWATCH was invoked is shown
          as UNKNOWN. The type of the node is also displayed; IPXWATCH
          can determine the following node types: WORKSTATION, FILE
          SERVER and ROUTER.

L         List Servers
          Lists all the known servers on the network: file servers,
          print servers, Btrieve servers and so on. The server name,
          type and clock ticks are displayed. A server type of 0004
          means a file server. The clock ticks give the maximum number
          of seconds within which IPXWATCH should receive another SAP
          broadcast from that server. If no SAP broadcast arrives
          within the remaining clock ticks, the server entry is
          removed from the table and is no longer displayed.

N         Select Network
          Displays all known networks. To select a particular network
          for diagnostics, use the cursor keys to move to the
          appropriate network and press Enter. Subsequently use the
          Node Information command (I) to find out about the nodes on
          the selected network. Note that IPXWATCH can monitor only
          one network at a time.

O         Open Log File
          Logs data to a file. All the data displayed on the screen
          (the packets only) is logged to a user-specified file. To
          close the log file use the Close Log File command (F). Note
          that no data compression is done, so the log file may chew
          up a lot of disk space.
P         Match on Destination-Source Pair
          This is a filter which displays/logs only the packets going
          between a source-destination pair. To use this command type
          P at the command prompt and then enter the destination
          address (12 hex digits), immediately followed by the source
          address (12 hex digits).

Q         Quit
          Exit from IPXWATCH and return to the DOS prompt.

R         Routing Information
          Displays the routing table maintained by IPXWATCH: the
          network address, the number of hops and the number of ticks
          to reach the network, and the address of the router. For the
          current network the router address is shown as 00000000.

S         Match on Source Address
          This is a filter which displays/logs only the packets coming
          from a particular node. To use this type S at the command
          prompt and enter the 6-byte (12 hex digit) node address; do
          not precede the address with 0x.

T         Match on Packet Type (NCP/IPX/RIP/SAP/DIAG/NB)
          This is a filter which displays/logs only the packets of a
          selected type. To use this type T at the command prompt and
          enter the packet type: NCP, IPX, RIP, SAP, DIAG or NB. Only
          one type can be selected at a time.

IPXWATCH periodically sends diagnostic configuration request packets
to the selected network. All the nodes on the selected network respond
with a diagnostic configuration response packet. As IPXWATCH
implements Novell's Routing Information Protocol it maintains its own
routing table, and can thus learn about nodes even across routers.
However at any point in time IPXWATCH sends diagnostic configuration
requests only to the selected network; to find the active nodes on
another network it is necessary to select that network.

It would also be possible to show information such as a node's shell
version, connection number, default file server etc., but for lack of
information on SPX this was not implemented (we hope somebody/Novell
will provide us the details !!).
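The L and R commands above, and the Get Nearest Server / Route request exchange traced in section 5 below, both come down to tables learned from SAP and RIP broadcasts. The C below is an added example for this edition, not IPXWATCH's own code: it names the SAP and RIP operation words the way the traces print them, keeps a server table whose entries are dropped when no fresh SAP advertisement arrives before their clock runs out, and keeps a routing table that holds the fastest known route per network. It assumes the IPX header has already been stripped off the payload. SAP_AGE_SECONDS is an assumed aging interval (the text does not give IPXWATCH's), the sample Give Nearest Server reply (file server "IIT" on network 000000A3) and Route Info reply are constructed, and the rule that a route is replaced only by one with fewer ticks, then fewer hops, is the example's own choice.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Operation codes: the first 16-bit word of a SAP or RIP payload. */
enum { SAP_GENERAL_REQUEST = 1, SAP_GENERAL_RESPONSE = 2, SAP_GET_NEAREST = 3, SAP_GIVE_NEAREST = 4 };
enum { RIP_REQUEST = 1, RIP_RESPONSE = 2 };

#define SAP_ENTRY_LEN   64   /* type(2) name(48) net(4) node(6) socket(2) hops(2) */
#define RIP_ENTRY_LEN   8    /* net(4) hops(2) ticks(2) */
#define MAX_SERVERS     32
#define MAX_ROUTES      32
#define SAP_AGE_SECONDS 180  /* assumed aging interval; the doc does not state IPXWATCH's */

struct server { int used; uint16_t type; char name[49]; uint32_t net; uint8_t node[6];
                uint16_t sock, hops; long expires; };
struct route  { int used; uint32_t net; uint16_t hops, ticks; uint8_t router[6]; };
struct ipx_tables { struct server srv[MAX_SERVERS]; struct route rt[MAX_ROUTES]; };

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t be32(const uint8_t *p)
{ return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3]; }

/* The names IPXWATCH prints for the operations traced in section 5. */
const char *sap_op_name(uint16_t op)
{
    switch (op) {
    case SAP_GENERAL_REQUEST:  return "General Request";
    case SAP_GENERAL_RESPONSE: return "General Response";
    case SAP_GET_NEAREST:      return "Get Nearest Server";
    case SAP_GIVE_NEAREST:     return "Give Nearest Server";
    default:                   return "Unknown SAP op";
    }
}
const char *rip_op_name(uint16_t op)
{ return op == RIP_REQUEST ? "Route request" : op == RIP_RESPONSE ? "Route Info" : "Unknown RIP op"; }

/* Record the servers advertised in a SAP response payload (IPX header already
   stripped). A fresh advertisement restarts the entry's clock. Returns the
   number of entries recorded, or -1 if the payload is malformed. */
int sap_learn(struct ipx_tables *t, const uint8_t *p, size_t len, long now)
{
    if (len < 2) return -1;
    uint16_t op = be16(p);
    if (op != SAP_GENERAL_RESPONSE && op != SAP_GIVE_NEAREST) return 0;   /* requests list no servers */
    int n = 0;
    for (size_t off = 2; off + SAP_ENTRY_LEN <= len; off += SAP_ENTRY_LEN) {
        const uint8_t *e = p + off;
        struct server s = { .used = 1, .type = be16(e), .net = be32(e + 50), .sock = be16(e + 60),
                            .hops = be16(e + 62), .expires = now + SAP_AGE_SECONDS };
        memcpy(s.name, e + 2, 48);   /* name is NUL-padded on the wire; s.name[48] stays 0 */
        memcpy(s.node, e + 54, 6);
        int slot = -1, spare = -1;   /* upsert keyed on (type, name) */
        for (int i = 0; i < MAX_SERVERS; i++) {
            if (t->srv[i].used && t->srv[i].type == s.type && strcmp(t->srv[i].name, s.name) == 0) { slot = i; break; }
            if (!t->srv[i].used && spare < 0) spare = i;
        }
        if (slot < 0 && (slot = spare) < 0) return n;   /* table full: drop the rest */
        t->srv[slot] = s;
        n++;
    }
    return n;
}

/* Drop servers whose clock ran out without another SAP broadcast (the aging
   described under the L command). Returns how many were dropped. */
int sap_expire(struct ipx_tables *t, long now)
{
    int dropped = 0;
    for (int i = 0; i < MAX_SERVERS; i++)
        if (t->srv[i].used && t->srv[i].expires <= now) { t->srv[i].used = 0; dropped++; }
    return dropped;
}

int sap_count(const struct ipx_tables *t)
{
    int n = 0;
    for (int i = 0; i < MAX_SERVERS; i++) n += t->srv[i].used;
    return n;
}

/* Record routes from a Route Info payload; `router` is the source node of the
   IPX packet that carried it. A known network is replaced only by a faster
   route (fewer ticks, then fewer hops). Returns routes added or updated. */
int rip_learn(struct ipx_tables *t, const uint8_t *p, size_t len, const uint8_t router[6])
{
    if (len < 2 || be16(p) != RIP_RESPONSE) return 0;
    int n = 0;
    for (size_t off = 2; off + RIP_ENTRY_LEN <= len; off += RIP_ENTRY_LEN) {
        struct route r = { .used = 1, .net = be32(p + off), .hops = be16(p + off + 4), .ticks = be16(p + off + 6) };
        memcpy(r.router, router, 6);
        int slot = -1, spare = -1;
        for (int i = 0; i < MAX_ROUTES; i++) {
            if (t->rt[i].used && t->rt[i].net == r.net) { slot = i; break; }
            if (!t->rt[i].used && spare < 0) spare = i;
        }
        if (slot >= 0) {
            const struct route *old = &t->rt[slot];
            if (r.ticks > old->ticks || (r.ticks == old->ticks && r.hops >= old->hops)) continue;
        } else if ((slot = spare) < 0) return n;
        t->rt[slot] = r;
        n++;
    }
    return n;
}

const struct route *rip_lookup(const struct ipx_tables *t, uint32_t net)
{
    for (int i = 0; i < MAX_ROUTES; i++)
        if (t->rt[i].used && t->rt[i].net == net) return &t->rt[i];
    return NULL;
}

/* Constructed samples (not captures). A Give Nearest Server reply naming file
   server (type 0004) "IIT" on network 000000A3, node 0000000000F1, NCP socket
   0451, one hop away; and a Route Info reply for network 000000A3: 1 hop,
   2 ticks. Entry fields start at offset 2, after the operation word. */
const uint8_t SAMPLE_GIVE_NEAREST[2 + SAP_ENTRY_LEN] = {
    0x00,0x04,  0x00,0x04,  'I','I','T',     /* op, server type, name (NUL-padded to 48) */
    [52] = 0x00,0x00,0x00,0xA3,  0x00,0x00,0x00,0x00,0x00,0xF1,  0x04,0x51,  0x00,0x01
};
const uint8_t SAMPLE_ROUTE_INFO[2 + RIP_ENTRY_LEN] = { 0x00,0x02, 0x00,0x00,0x00,0xA3, 0x00,0x01, 0x00,0x02 };
const uint8_t ROUTER_F1[6] = { 0x00,0x00,0x00,0x00,0x00,0xF1 };
```

Feeding the same Give Nearest Server reply in again before its clock runs out refreshes the existing entry rather than adding a second one, which is the behaviour the L command's "remaining clock ticks" implies; a reply for a network already in the routing table is ignored unless it is strictly faster.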
The details of the NCP packets are likewise not displayed, for lack of
information on the packet structure.

5. Troubleshooting using IPXWATCH
---------------------------------

IPXWATCH can be used to identify many problems in a network.

Login Process

Using IPXWATCH one can observe a node trying to get attached and then
logging in. If a node is not attached to any file server, the
following events take place during the attach. Below each event a
sample line of IPXWATCH output is shown.

i)   The node sends a Get Nearest Server broadcast packet.

         000000000003 FFFFFFFFFFFF SAP 110 Get Nearest Server

ii)  The servers/routers respond with a Give Nearest Server packet.

         0000000000F1 000000000003 SAP 110 Give Nearest Server IIT/01/02

     This packet can only be observed on ethernet networks. Here the
     server/router responds with the server name, address etc. If no
     server/router replies, the node repeats the request. If the
     servers or routers still do not reply after a number of repeated
     requests, the node backs out with the message FILE SERVER COULD
     NOT BE FOUND.

iii) After a server/router has replied, the node tries to find the
     route to the server by making a request for the network on which
     the server is located. It sends a broadcast packet.

         000000000003 FFFFFFFFFFFF RIP 54 Route request 000000A3

iv)  The server/router responds to this request. If there is no
     response the node repeatedly broadcasts the request. If no router
     responds the node backs out with a message like ROUTER OR GATEWAY
     NOT RESPONDING.

         0000000000F1 000000000003 RIP 54 Route Info 000000A3 01/02

After this the node sends NCP packets to the server and gets attached.
However on arcnet only the broadcast packets can be observed.

5.1 Booting of Diskless Nodes
-----------------------------

A diskless node boots from a file server. When a diskless node is
powered on it sends NCP broadcast packets on the net.
It then follows the same procedure as described above to get attached
to a server. If no server/router responds to the NCP broadcast the
node repeats it. If no server responds within a specified time the
node backs out with the message FILE SERVER COULD NOT BE FOUND or YOUR
STATION IS NOT CONNECTED PROPERLY.

We were able to locate a faulty diskless node (its boot PROM was bad)
using IPXWATCH: the node was sending NCP broadcasts repeatedly but the
server never responded, and the node was unable to boot.

The Node Information command can be used to identify all active nodes
on a network. The nodes respond with DIAG packets as shown below.

         000000000003 000000000094 DIAG 52 01110 -> 01110

The last two fields (01110 -> 01110) are the source and destination
socket numbers in decimal; 1110 decimal is 0456 hex, the IPX
diagnostic socket.

The routing information and the server information can be used to
monitor the routers and servers.

6. Files
--------

    COPYING   DOC   12375   /* GNU's General Public Licence */
    DIAG      C     16880   /* Diagnostics */
    IBUFF     C      1693   /* Buffer management */
    IPX       C      3675   /* IPX protocol code */
    IPXWATCH  DOC   15432   /* This file you are reading */
    IPXWATCH  H      1957   /* IPX protocol data structures */
    PARSE     C      3585   /* Parser for command prompt */
    TIMER     C      4156   /* The timer handler routine */
    DIAG      H      7365   /* Header file */
    SAP       H       936   /* Header file */
    IPXRIP    H      1070   /* Header file */
    HELP      H      1030   /* Header file */
    YAPCBR    H      2337   /* Header file */
    IPXRIP    C      7736   /* IPX routing information protocol */
    SAP       C      5688   /* SAP protocol */
    NEW       C      5623   /* Packet driver interface */
    SCREEN    C      4972   /* Screen management routines */
    MISC      C      1276   /* Miscellaneous functions */
    MAIN      C     14864   /* The main program */
    SUP1      ASM    4794   /* Packet driver <-> assembly interface */
    NODE      IPX     470   /* Sample configuration file : node addresses */
    NET       IPX     543   /* Sample configuration file : net addresses */
    IPXWATCH  EXE   74563   /* The actual executable */
    IPXWATCH  PRJ   40608   /* TC++ prj file */
7. Acknowledgments
------------------

We would like to thank all our colleagues, especially Gadekal Gopal
Reddy and K V Ramani, for their comments, suggestions and code.

8. Future Work
--------------

Currently IPXWATCH supports only a limited diagnostic facility. It
would be very useful if all the features available in the IPX
diagnostic services were implemented. This was not done in this
version as details of the SPX protocol were not available.

Since ODI drivers are used by a number of users it would be useful to
port IPXWATCH to ODI drivers. All that needs to be done is to change
the packet driver interface in sup1.asm and main.c to the ODI driver
interface.

The data logging facility is limited to the packets; the routing and
server information tables are not captured in the log file. Also the
data is not compressed and consumes a lot of disk space.

As we are leaving the institute, we may not be able to support or
enhance IPXWATCH. We would be glad if someone could make enhancements
to IPXWATCH.

Email address  : srinivas@cse.iitb.ernet.in and
                 vishwas@cse.iitb.ernet.in

Postal address : V. Srinivas,
                 Department of Computer Science and Engg,
                 Indian Institute of Technology,
                 Powai, Bombay, 400 076, India

Thanks and enjoy :-)