Since 1995, I have been promoting the idea of a “Bootup Baseline”. The exercise is very straightforward, you power on a device and capture all the packets generated.
I want to take a moment to explain what we will not cover. As you look at the packets you will see several types of traffic:
Unicast to the bootup device. This is what we want to focus on
Broadcast or Multicast from other hosts. We will ignore these for the most part.
Flooded traffic. These are unicast packets that are addressed to other hosts that are on your switch port. This is good to note and possibly take aside to determine why it is happening and of its ‘normal’.
The traffic gathered is there for only two reasons; either the host transmitted them, or the devices on the network sent them back to the booting host.
The most important step in this process is to document how you captured the data. There are many ways to capture packets from a booting device, but the most popular are:
SPAN or port mirroring. Since we are not concerned with capturing errors or timings, this works well. The most convenient if you have proper access to the switch.
TAPS. In my opinion this is the best way but it requires you to be physically close to the device and you have to break the connection to that device.
10/100 Hub serves the same purpose as a TAP but no full duplex, fibre or 1 Gb support. We are only interested in the details of the traffic and not timings this works in a pinch. Ensure that the switch port connected to the hub is properly configured to support half duplex.
Wireless devices brings another set of challenges but typically the analyst will simply span the access point switch port to his analyzer. Another technique would be to turn your laptop into an access point or hotspot and capture from that laptop. I will write a separate article on how to do this.
When documenting the bootup, you can use anything from notepad, PowerPoint, Visio, or Wireshark. Wireshark is my favorite option since I can make all the setup notes in Wireshark’s “File Capture Properties” dialog box. As long as the notes are text they will always be with the trace file. You can even specify if there is an accompanying diagram’s filename.
Lately I have discovered the following issues performing a bootup baseline:
Over 12 MB of group policies being applied to the ‘standard’ build
Computers upgrading software even though it is already current
A DHCP server offering an IP MTU option of 512 bytes
Login scripts that are still trying to install drivers from windows 2000 and NT
Roaming profiles copying well over 1 GB of temporary files upon login
Antivirus software constantly trying to check for signature file updates since the client hasn’t authenticated to the proxy server
Standard builds are connecting to the IT server because the initial build was mapped to it.
I will have future articles documenting some of these findings in the near future but the goal of the article is to get you thinking about what your computers are doing when it boots up.