Wireless packet flow explanation

Hi, my requirement is very simple. I would appreciate it if someone could explain the following concept to me as per the diagram mentioned below.
I have 2 APs, AP1 and AP2, both connected to a switch on ports f0/1 and f0/2; the switch's f0/3 in turn connects to a router on f0/0, and the router's interface f0/1 connects to another switch, which is the wired network with IP address 192.168.2.0/24.
1. The APs broadcast 3 SSIDs (management, guest, cisco). How would the data flow happen for a user connected to SSID cisco when they ping another user connected to SSID guest, and how would the data flow happen when a user in SSID cisco pings a user at 192.168.1.100, a user on the wired network?
You can assume both APs are autonomous and there is no controller.
I am looking for an explanation in terms of frame tagging and packet encapsulation and decapsulation at the various stages.
You can assume the IP and VLAN numbers on the wireless network as you like.
2. If you are not tired yet, then one more question with the same topology, but this time the APs are lightweight and the controller is in a different subnet, 192.168.1.0. Assume that the AP is already registered with the controller; now how would the same communication described above happen?
I am looking for an explanation in terms of frame tagging and packet encapsulation and decapsulation at the various stages.
You can assume the IP and VLAN numbers on the wireless network as you like.
If you can refer me to some doc, that is fine with me. I already went through many documents and nuggets; I do have a clear picture.
Thank you

1.
Client to AP ===> 802.11 frame.
AP to client ===> 802.11 frame. At the AP, a received wired-side Ethernet frame has its Ethernet header (with tag) removed, and the IP packet is encapsulated using an 802.11 header with the right BSSID for that VLAN.
AP Ethernet to switch interface ===> tagged/untagged Ethernet frame. At the AP, a received 802.11 frame has its 802.11 MAC header removed, and the inner packet is encapsulated in an Ethernet frame with a tag based on the received BSSID.
ARP request: a broadcast packet sent by the wireless client to the AP as unicast. Once the AP decapsulates the 802.11 header, the inner IP packet hits the wire on that broadcast domain to reach the upstream wired switch and the wireless clients on the same AP.
2.
AP to WLC ===> CAPWAP/LWAPP. 802.11 packets are encapsulated in L3 IP/UDP.
WLC to AP ===> CAPWAP/LWAPP.
All the client (802.11) packets are encapsulated in a LWAPP packet by the LAP and sent to the WLC. The WLC decapsulates the LWAPP packet and acts based on the destination IP address in the 802.11 packet. If the destination is one of the wireless clients associated to the WLC, it encapsulates the packet again with LWAPP and sends it to the LAP of the client, where it is decapsulated and sent to the wireless client. If the destination is on the wired side of the network, it removes the 802.11 header, adds the Ethernet header, and forwards the packet to the connected switch, from where it is sent to the wired client. When a packet comes from the wired side, the WLC removes the Ethernet header, adds the 802.11 header, encapsulates it with LWAPP, and sends it to the LAP, where it is decapsulated and the 802.11 packet is delivered to the wireless client.
Check:
https://supportforums.cisco.com/message/3489064#3489064
https://supportforums.cisco.com/message/3717713#3717713

Similar Messages

  • Java Library to drop the incoming packet flow

    hi there,
    I am planning to make an application layer filter. I need to drop the flow of incoming packets. So can anyone suggest a Java library which is able to do this?
    Or else, if I have to create my own library, then how can I proceed with that?

    Thanks Oscar for your reply...
    Actually I want to drop the incoming packets which are coming from a restricted URL; in any case I want to restrict the user from seeing a particular webpage.
    So if I can't have this low-level API in Java, then can you suggest how to implement it another way?
    I have to make this project in Java only.
    I have got one API named "libipq" (source: snort.org) which can drop the packet flow. But this API is for Linux OS and I want to implement it on Windows... please help

  • Need to Understand the Packet Flow

    Dear Friend,
    I need to understand the packet flow of the diagram below.
    I have configured MPLS on R2, R3 and R4, and iBGP is configured on R2 and R4. Now I am able to reach R5's loopback address from R1. I need to understand the packet flow from R1 to R5: if I ping from R1's loopback to R5's loopback address, then the source IP is 1.1.1.1 and the destination IP is 5.5.5.5. What will the packet structure be at R2, R3, R4?
    Please explain in detail... I am really confused, as R4 has no route to 5.5.5.5 nor 1.1.1.1... How does it forward the packets?

    Sanjib
    So R2 and R4 are PE devices and R3 is a P device? And you are not doing MPLS VPNs, just normal MPLS?
    If so, R4 must have a route to 5.5.5.5. Did you mean R3 does not have a route?
    With MPLS, any P device only knows how to get to other P devices and PE devices. It does not know about any networks outside the MPLS network. The PE devices have routes to any external networks connected to them and know how to get to P and other PE devices.
    Note that in terms of PE/P reachability, the routing/LDP information has already been exchanged and an MPLS forwarding table built. So for reachability between PE/P routers (i.e. not outside the MPLS network) route lookups do not need to be performed; it is simply a matter of removing and adding labels.
    So assuming you are not using MPLS VPNs and that MPLS labels have been exchanged between all P and PE routers:
    R1 pings 5.5.5.5
    1) R1 does a route lookup for 5.5.5.5 and sends it to R2.
    2) R2 is a PE device. It does a route lookup for 5.5.5.5 and sees R4 as the next hop (this route has been exchanged via MP-BGP).
    3) R2 then needs to send the packet to R4. To do this it looks in its MPLS forwarding table to see how to get to R4. The MPLS forwarding table tells it which label to attach to the packet. It adds this label and sends the packet out of its interface to R3.
    4) R3 is a P device. It does not need to do a route lookup for 5.5.5.5. It simply looks at the incoming MPLS label and consults its MPLS forwarding table. It will have an entry in its table saying that an incoming packet with an MPLS label of x should be sent out with an MPLS label of y. It changes the label and sends it out to R4.
    5) R4 receives the packet, removes the label, does an IP lookup for 5.5.5.5 and sends it to R5.
    Note that actually R3 might not add a label, as there is something called Penultimate Hop Popping (PHP), where if the next hop from the P router is a PE router it sends the packet without a label to save extra processing on the PE router. If you had multiple P routers, only the last P router before the PE router would do PHP.
    The key thing to understand is that the P devices don't do route lookups when forwarding data. They simply switch labels, whereas the PE devices do need to do route lookups for destinations outside the MPLS network.
    Jon
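The forwarding sequence in Jon's reply, worked through as an added Python simulation (written for this page; not from the thread or from any vendor code). Router names follow the thread; the prefixes, label values and the R2-R3-R4 adjacencies are constructed. The model keeps a separate IP table and label table per router so that the point of the reply is visible in the trace: R3 never performs an IP lookup and has no route to 5.5.5.5 at all, while R2 and R4 do. The `php` switch shows the Penultimate Hop Popping variant Jon mentions.

```python
"""Label-switched forwarding as laid out in Jon's reply, modelled in Python.
Constructed example: router names follow the thread, but the prefixes, label
values and adjacencies are made up. PE routers do an IP lookup and push a label;
P routers only swap (or, with PHP, pop) labels and never look at the IP header."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Packet:
    src: str
    dst: str
    labels: list = field(default_factory=list)   # label stack; the top of stack is the last element


@dataclass
class Router:
    name: str
    role: str                                    # "CE", "PE" or "P"
    loopback: str
    fib: dict = field(default_factory=dict)      # prefix -> next hop (for BGP routes, the remote PE)
    lsp: dict = field(default_factory=dict)      # remote PE -> (label to push, directly connected neighbour)
    lfib: dict = field(default_factory=dict)     # incoming label -> (action, outgoing label, next hop)


def longest_match(fib, dst):
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in fib.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return None if best is None else best[1]


def build_topology(php):
    """R1 -- R2 (PE) -- R3 (P) -- R4 (PE) -- R5. With php=True, R3 pops instead of swapping."""
    r3_forward = ("pop", None, "R4") if php else ("swap", 200, "R4")
    r3_return = ("pop", None, "R2") if php else ("swap", 400, "R2")
    routers = [
        Router("R1", "CE", "1.1.1.1", fib={"0.0.0.0/0": "R2"}),
        Router("R2", "PE", "2.2.2.2", fib={"5.5.5.0/24": "R4", "1.1.1.0/24": "R1"},
               lsp={"R4": (100, "R3")}, lfib={400: ("pop", None, None)}),
        Router("R3", "P", "3.3.3.3", lfib={100: r3_forward, 300: r3_return}),   # no customer routes at all
        Router("R4", "PE", "4.4.4.4", fib={"5.5.5.0/24": "R5", "1.1.1.0/24": "R2"},
               lsp={"R2": (300, "R3")}, lfib={200: ("pop", None, None)}),
        Router("R5", "CE", "5.5.5.5", fib={"0.0.0.0/0": "R4"}),
    ]
    return {r.name: r for r in routers}


def knows_route(topology, router, dst):
    """True if the router's IP table has any entry covering dst (a P router has none)."""
    return longest_match(topology[router].fib, dst) is not None


def forward(topology, pkt, start, max_hops=16):
    """Walk the packet hop by hop; returns [(router, action, label stack after the action)]."""
    trace, here = [], start
    for _ in range(max_hops):
        router = topology[here]
        if pkt.labels:
            # Labelled packet: only the LFIB is consulted, no IP lookup at this hop.
            entry = router.lfib.get(pkt.labels[-1])
            if entry is None:
                raise LookupError(f"{here}: no LFIB entry for label {pkt.labels[-1]}")
            action, out_label, next_hop = entry
            pkt.labels.pop()
            if action == "swap":
                pkt.labels.append(out_label)
            trace.append((here, f"{action} label", list(pkt.labels)))
            if next_hop is not None:
                here = next_hop
                continue
            # A pop with no next hop means we are the egress PE: fall through to an IP lookup.
        if pkt.dst == router.loopback:
            trace.append((here, "delivered", list(pkt.labels)))
            return trace
        next_hop = longest_match(router.fib, pkt.dst)
        if next_hop is None:
            raise LookupError(f"{here}: no route to {pkt.dst}")
        if next_hop in router.lsp:
            # The BGP next hop is a remote PE: push the label for that LSP and hand to the LDP neighbour.
            label, neighbour = router.lsp[next_hop]
            pkt.labels.append(label)
            trace.append((here, f"ip lookup -> {next_hop} via LSP, push label", list(pkt.labels)))
            here = neighbour
        else:
            trace.append((here, f"ip lookup -> {next_hop}", list(pkt.labels)))
            here = next_hop
    raise RuntimeError("hop limit exceeded")


if __name__ == "__main__":
    for php in (False, True):
        print("PHP" if php else "no PHP")
        for step in forward(build_topology(php), Packet("1.1.1.1", "5.5.5.5"), "R1"):
            print("  ", *step)
```

Running it prints one line per forwarding decision; with `php=False` R4 appears twice (pop, then IP lookup), with `php=True` R3 pops and R4 receives a plain IP packet. Feeding an unlabelled packet for 5.5.5.5 directly to R3 raises "no route", which is the situation the original poster found confusing.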

  • ASA 8.3 and Packet Flow

    Has the packet flow on ASA 8.3 changed?
    In the earlier version 8.2 we used to put the permit statement on the mapped interface; however, in OS versions starting with 8.3, access-list entries should have the real address.
    Example
    LAN server / real (192.168.1.2)
    Outside IP / mapped (202.202.202.202)
    Configured NAT
    ASA OS 8.2 and earlier
    access-list outside_in extended permit ip host 4.2.2.2 host 202.202.202.202
    ASA OS 8.3 and later
    access-list outside_in extended permit ip host 4.2.2.2 host 192.168.1.2
    In the earlier OS the packet used to arrive on the outside interface, after which the ACL was checked; if the ACL permitted the traffic, the packet flowed further for NAT processing.
    In the newer OS the packet arrives on the outside interface, after which NAT takes place; once the NAT is done the mapped IP is changed to the real IP and the ASA checks the ACL. Don't you think that in the newer OS the CPU will be used much more, because every packet to 202.202.202.202 goes through NAT, while I have blocked all IPs and allowed only 4.2.2.2 to access it?

    You are right, with the change to the new NAT-model, there was also the change in the ACL that you mention. One benefit of the new model is that you have less to reconfigure if you change your ISP (and you don't have PI-addresses).
    The CPU didn't change that much on my ASAs after upgrading from 8.2 to 8.3 and higher.
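An added Python model of the two orders of operations discussed in this thread (constructed for this page; not Cisco code and not a description of the ASA's internals beyond what the posts state). The NAT entry and both ACL variants are the ones given above. It shows the migration pitfall: an 8.2-style entry written against the mapped address never matches once untranslation runs before the ACL, so the same traffic that was permitted on 8.2 falls to the implicit deny on 8.3. It also counts NAT lookups, the cost the original poster asks about.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str

@dataclass
class Stats:
    nat_lookups: int = 0

# Constructed from the thread: static NAT, mapped 202.202.202.202 <-> real 192.168.1.2.
STATIC_NAT = {"202.202.202.202": "192.168.1.2"}             # mapped -> real (inbound untranslation)

# ACL entries as (action, source, destination); the implicit deny is handled in acl_lookup().
ACL_82_STYLE = [("permit", "4.2.2.2", "202.202.202.202")]   # written against the mapped address
ACL_83_STYLE = [("permit", "4.2.2.2", "192.168.1.2")]       # written against the real address

def acl_lookup(acl, pkt):
    """First matching entry wins; anything unmatched hits the implicit deny."""
    for action, src, dst in acl:
        if src in ("any", pkt.src) and dst in ("any", pkt.dst):
            return action
    return "deny"

def untranslate(pkt, nat, stats):
    """Inbound destination untranslation; counted so the two pipelines can be compared."""
    stats.nat_lookups += 1
    return Pkt(pkt.src, nat.get(pkt.dst, pkt.dst))

def inbound(pkt, acl, nat, version):
    """Model the outside-interface order of operations for a pre-8.3 and an 8.3+ ASA.
    Returns (verdict, packet as it would be forwarded, stats)."""
    stats = Stats()
    if version == "8.2":
        # Pre-8.3: the ACL is evaluated on the packet as received (mapped address), NAT afterwards.
        if acl_lookup(acl, pkt) == "deny":
            return "deny", pkt, stats
        return "permit", untranslate(pkt, nat, stats), stats
    # 8.3+: untranslate first, then evaluate the ACL against the real address.
    real = untranslate(pkt, nat, stats)
    return acl_lookup(acl, real), real, stats

def rewrite_acl_to_real(acl, nat):
    """Rewrite pre-8.3 entries so their destinations name the real host, the change the
    thread says is required when moving to 8.3."""
    return [(action, src, nat.get(dst, dst)) for action, src, dst in acl]

if __name__ == "__main__":
    probe = Pkt("4.2.2.2", "202.202.202.202")
    for version, acl in (("8.2", ACL_82_STYLE), ("8.3", ACL_82_STYLE), ("8.3", ACL_83_STYLE)):
        verdict, out, stats = inbound(probe, acl, STATIC_NAT, version)
        print(version, acl[0][2], "->", verdict, out.dst, "nat lookups:", stats.nat_lookups)
```

The denied-source case answers the CPU question in the model's terms: on the 8.3 ordering a packet from an unlisted source still costs one NAT lookup before it is dropped, whereas on 8.2 the ACL drops it first. The reply above reports that in practice the difference was not noticeable.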

  • UCCX7 - Monitoring/Recording packet flow behavior

    Hi,
    I have a single UCCX7 box on which all services, including monitoring/recording, are started, and I want to understand the packet flow behavior with the CAD application.
    1. Monitoring, desktop capture mode
    1) In CSD, select CAD and click "Start Monitoring"
    2) The RTP packets are copied from the agent IP phone to CAD via the IP phone "SPAN port" feature
    3) CAD sends the RTP packets to CSD, and CSD is able to hear the agent IP phone conversation via CSD's sound card
    -> Please advise whether the steps are correct!
    2. Monitoring, server capture mode
    1) How is the monitoring started?
    2) Where is the actual file stored? Which directory on the UCCX box?
    (**I know UCCX's 2nd NIC, which is configured for VoIP monitoring, receives RTP packets via the switch's SPAN port, but I don't know how the monitoring starts and where the file is stored)
    3. Recording, desktop capture mode
    1) Click "Start Recording" in CSD or CAD (CAD = add button from the workflow user interface)
    2) The RTP packets are copied from the agent IP phone to CAD via the IP phone "SPAN port" feature
    3) Where is the actual file stored? CAD box or CSD box?
    (**I know CSD can retrieve the recorded file and has an option to save it, but I don't know where the recorded file is retrieved from)
    4. Recording, server capture mode
    1) How is the recording started?
    2) Where is the actual file stored? Which directory on the UCCX box?
    Advise please!

    Hi,
    1. This is correct. CSD sends the startMonitoring message to CAD directly. CAD sends RTP packets to CSD directly and CSD plays them.
    2. CSD sends startMonitoring to UCCX server. Since the agent phone is spanned to the UCCX server's VOIP Mon NIC, the server then traps the packets and sends them back to the CSD which plays them.
    3. Recorded files are stored in TO and FROM .raw format in C:\Program Files\Cisco\Desktop_Audio on the UCCX server.
    4. Same as above.
    The best thing to do, and how TAC most often troubleshoots this, is to use the CSD and CAD debugs set to TRACE and also Wireshark on the CAD, CSD and UCCX server, all at the same time.

  • Wireless data flow

    I have a question about how wireless data traffic flows between 2 wireless clients that are associated with the same AP/WLAN/subnet. It doesn't have to go through the WLC, does it?
    Is this documented some where on Cisco website that I can find?
    Thanks
    Binh Dinh

    When the access point (AP) joins a Wireless LAN (WLAN) controller, a Lightweight Access Point Protocol (LWAPP) tunnel is formed between the two devices. All traffic is sent through the LWAPP tunnel, which includes all client traffic. The only exception to this is when an AP is in REAP mode. When the AP is in Remote-Edge Access Point (REAP) mode, the control traffic is still tunneled to the controller but the data traffic is bridged locally on the local LAN.
    Here is the link info:
    http://supportwiki.cisco.com/ViewWiki/index.php/In_LWAPP_network,_does_all_the_network_traffic_both_from_and_to_the_WLAN_client_tunneled_through_a_4400_series_WLAN_controller_that_runs_firmware_version_3.2,_once_a_connection_is_established

  • Ios operating system order of packet flow

    Is there a DETAILED packet processing flow chart for IOS (specially the ISR platform)?
    Something like;
    packet comes to input interface -->
         decision branches (depending on processing modes, route, inspection processes, session, policy lookup, nat, buffering, etc) -->
              packet goes out output interface--->

    Hi Lei Tian,
    and thank you for the prompt, and very informational response.
    I definitely will put this book on my Safari shelf. With that in mind, are there any publications like this for the ISR platform, also detailing other features like VoIP? Or would you say that this is pretty much the general architecture for IOS and would be platform independent?
    thank you much,
    -Oscar

  • Key provided but cannot decrypt wireless packets

    Hi,
    I'm working on a case for a Hospital and seeking advice as client is pretty unhappy with lack of resolution.
    Cisco 5508 WLCs HA-SSO running latest 7.6.130. Cisco 3602i APs.
    After an upgrade to the WLC code some time ago and/or network upgrades, the client's wireless pump devices stopped communicating. We have a capture from NetMon v3.4, and the capture shows the pumps de-authenticating, but TAC claims they cannot decrypt the packets even though the key was provided and we can log in from a laptop with that same key with no problem.
    Any observations, suggestions, recommendations appreciated.
    Thanks

    Symptom: Cisco WLC Releases 7.3 and 7.4 fail to authenticate One Time Password (OTP) users when they attempt to authenticate to the Cisco WLC using TACACS+. The following debug output is displayed when the debug aaa tacacs enable command is entered on the WLC CLI:
    TPLUS_AUTHEN_STATUS_GETPASS auth_cont get_pass reply: pkt_length=25 processTplusAuthResponse: Continue auth transaction No auth response from: <SERVER IP> retrying with next server Preparing message for retransmit. Decrypting first Forwarding request to <SERVER IP> port=4900 AUTH Socket closed underneath No auth response from: <SERVER IP> retrying with next server Preparing message for retransmit. Decrypting first Forwarding request to <SERVER IP> port=4900 AUTH Socket closed underneath Exhausted all available servers for Auth/Author packet
    Conditions: Cisco WLC Releases 7.3 and 7.4; TACACS+ used for management user authentication; OTP used for TACACS+. Static passwords are not affected.
    Workaround: Extend the TACACS+ management server timeout value by entering these commands:
    config tacacs auth disable server-index
    config tacacs auth mgmt-server-timeout server-index
    config tacacs auth enable server-index

  • Problem Packet Flow through Cisco ASA Firewall

    I have a Cisco ASA 5540 8.2(1), with permit ip any any rules
    packet-tracer input inside tcp 10.56.149.129 871 10.40.170.10 3003
    show
    Phase: 1
    Type: FLOW-LOOKUP
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Found flow with id 1374599592, using existing flow
    Result:
    input-interface: inside
    input-status: up
    input-line-status: up
    Action: drop
    Drop-reason: (acl-drop) Flow is denied by configured rule
    if you change the source or destination port, the packet is successfully
    clear conn did not help
    please tell me how to solve the problem?

    Hi,
    I would suggest sharing the firewall configuration (except for any sensitive information they might have) so troubleshooting this would be easier.
    It would seem to me that during your "packet-tracer" test there is already an existing traffic flow through the ASA with the same information that you entered in the command.
    I don't know, however, why the connection would be blocked according to the "packet-tracer". In my own test this seemed to work. The output was otherwise the same, but the "connection" wasn't dropped.
    - Jouni

  • RV180W wireless packet loss

    I recently purchased an RV180W to upgrade (vlan features, etc.) from a Cisco/Linksys E4200.
    However, the wireless on the RV180W (even with identical settings channels, etc.) seems to be very flaky (consistent >1% packet lost, intermittent disconnections, etc.). I've compared it to a few other pieces of hardware (an Asus RT-N16 and old WRT56G), and they all work fine, but the RV180W has constant issues.
    Has anyone else seen this problem? Any suggestions on debugging (I've played with beacon intervals, etc.).

    Possibly wicd has some quirk-settings for your driver.
    Netcfg lets you specify some well-known quirks, and one of them might solve your problem.
    I had a similar problem with the new ath9k-driver and reverted back to ndiswrapper until the .28-kernel is out.
    Zl.

  • Packet Flow

    PC -------- L2switch -------- core -------- L2switch
    PC:         172.16.4.2    (VLAN 4)
    L2switch:   172.16.11.1   (VLAN 2)
    core:       172.16.11.222 (VLAN 2 SVI), 172.16.4.222 (VLAN 4 SVI)
    L2switch:   172.16.11.2   (VLAN 2)
    PC wants to ping 172.16.11.2
    1) ARP request for 172.16.4.222 from the PC
    2) The packet will be sent from the PC to the core with the destination MAC of 172.16.4.222 and destination IP of 172.16.11.2
    3) ARP request for 172.16.11.2 from the core
    4) The packet will reach 172.16.11.2
    If the L2 switch (172.16.11.2) doesn't have a default gateway set, how will it be able to reply to 172.16.4.2?

    Maro.Cisco wrote: Daniel, that's what I thought, but my customer's network has all the L2 switches without any GW and they are replying to the ping. How come?
    Do GWs support proxy?

  • [EXPLAINED] systemd wireless network service explanation

    In the times before systemd was mandatory I was using a simple script to connect to the internet via wireless upon boot; it set up wlan0, associated it with the wireless network and, when that was done, ran dhcpcd to get an IP. When systemd kicked in I did a bit of a kludge to emulate rc.local. Today I decided to clean that mess up and make a native systemd service. I found the following network.service on the Arch wiki.
    [Unit]
    Description=Network Connectivity
    Wants=network.target
    Before=network.target
    BindsTo=sys-subsystem-net-devices-wlan0.device
    After=sys-subsystem-net-devices-wlan0.device
    [Service]
    Type=oneshot
    RemainAfterExit=yes
    ExecStart=/sbin/ip link set dev wlan0 up
    ExecStart=/usr/sbin/wpa_supplicant -B -i wlan0 -c /etc/wpa_supplicant.conf
    ExecStart=/sbin/dhcpcd wlan0
    [Install]
    WantedBy=multi-user.target
    This works perfectly. Now, if someone would be so nice as to explain to me what happens here: mainly, where does it say that wpa_supplicant must be associated before dhcpcd starts? What exactly is network.target, and what happens with this service when I suspend the computer?
    Best regards.
    Last edited by rokowsky (2013-03-29 12:12:09)

    OK, I'm sorry, now I see that network.target is under Before, not After, which only means that this service delays network.target so that other units know when the network is up. This file actually defines what network.target means, if I'm seeing this right. I have only one question: wpa_supplicant is started in the background, so dhcpcd should start right after wpa_supplicant, perhaps before we are associated with a wireless network. In a script one would put something like "sleep 5" between them, or pipe the wpa_supplicant output to a file and check that file to see whether we are associated and then start dhcpcd. Why does this service work?

  • C3-01 Packet Data explanation needed

    Can someone explain how the packet data function works on the C3-01 and what all the submenus under the connectivity menu mean.  The manual does not cover any of this.  I only want to connect via WiFi and do not want the phone to be able to access or download any data via GSM at all.

    Go into Settings. Go into Configuration. Go into Personal Configuration Settings. Now press Add New (visible if you don't have a previous Personal Setting created) or press the Options button. When you have pressed the Options button, choose Add new. When you have pressed Add New, you will get a new menu, which will give several options to choose from. Now scroll down, choose the Access Point and press Select. (Please note that this option is not available on the Nokia 3220 model and maybe on some more models; you can instead use the Services option instead of the Access Point option on the Nokia 3220.) Do not choose the Web option, since this will not work with Opera Mini. Now go into Access Point Settings. Go into Bearer Settings. Go into Packet Data Access Point. Now enter the APN address corresponding to your provider. Then press OK. Go back to the Personal Configuration Settings menu, where you should now be able to see an Access Point selected. Now press the Options button, and then choose to activate this Access Point. Now you should be able to start Opera Mini, and all other internet-based applications.

  • Nm-cids and packet flow

    Hi,
    I have some questions regarding the ids module. A router is connected to the internet and is using the software firewall. There is also a NM-CIDS in the router.
    1) What is the sequence when a packet arrives from the internet?
    Is it internet -> firewall -> ids?
    2) Does the command "ids-service module monitoring" imply that traffic is sent to the IDS inbound and outbound?
    3) The event viewer in the IDM shows a lot of events. Does it mean that the firewall is not dropping the packets? Is the IDM the only place to monitor the events or can they be sent to a syslog server?
    4) In case there is an event, what can the module do to block the attack since it is not in line?
    Thank you,
    Best regards,
    Pascal

    1) If there is no encryption then the packet is copied to the NM-CIDS after all router features (including firewall as well as NAT/PAT) have been done. I am about 90% sure on this. There is the possibility of a few features being done after the copy that I may not know about.
    If NAT has been done then the packet itself will have the translated IPs; however, the packet has an additional header that tells the NM-CIDS what the untranslated IPs are, and the analysis and alerting is done with the untranslated IPs from the additional header.
    When there is encryption involved, then incoming decryption is done with all other router features before copying to the NM-CIDS. But the outgoing encryption is the one feature done on the packet after it is copied to the NM-CIDS. This way the NM-CIDS always gets copies of unencrypted packets.
    2) The command on an interface implies that all traffic coming in as well as traffic going out will be copied to the Nm-CIDS.
    3) If IDM shows alerts, then I am pretty sure this means that they are making it through the firewall features (not being dropped) and making it to the other network.
    I recommend using IEV for monitoring the alerts if you have a small number of sensors.
    If you have a large number of sensors then I would recommend CS-MARS for monitoring.
    IEV files:
    http://www.cisco.com/cgi-bin/tablebuild.pl/ips-ev
    NOTE: There is not a User Guide specifically for the latest version. To get a basic understanding look at the User Guide for the older version 4.x IEV:
    http://www.cisco.com/en/US/docs/security/ips/4.0/configuration/guide/idm/swchap6.html
    NOTE: Syslog is not supported for IPS events.
    4) The NM-CIDS does support the Blocking feature. With the Blocking features the NM-CIDS is able to telnet back into the router and create an ACL. The ACL can then deny the IP Address of the attacker.
    It can not deny the actual packet that triggered the signature, but the ACL can deny additional packets coming from that attacker/source address.
    To read more on the Blocking feature:
    http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps4077/products_configuration_guide_chapter09186a00807517a6.html

  • Packet flow between clients.

    Hi,
    Lync Server 2013.
    Our small organization consists of VPN branches spread within the city. All tunnels are connected to central office. There are all servers including Lync. Tunnel bandwidth is limited.
    What happens when two Lync clients within one VPN branch start to communicate? Does it make a point-to-point connection as Skype does? If one client sends a file to another within one branch, it seems like it goes through the Lync Server, judging by the speed. And what happens if there is a video call or even a conference? We plan to deploy a Mediation Server, so bandwidth is very important. How do we force the traffic to go directly from client to client?

    Hi,
    With branch offices, did you deploy SBA/SBS for them or just several users login?
    When these two users are internal, they will attempt peer-to-peer A/V and file transfer (not through the FE Server).
    Because they can successfully connect to each other, they utilize peer-to-peer media.
    However, if there is any desktop/application sharing during the peer-to-peer conversation, it will trigger an immediate escalation from the existing P2P session up to an MCU session.
    Best Regards,
    Eason Huang
