APRICOT 2010: Kuala Lumpur, Malaysia

LOCAL NETWORK ANALYSIS TOOLS

Notes:
------
* Commands preceded with "$" imply that you should execute the command as
  a general user - not as root.
* Commands preceded with "#" imply that you should either be root, or use
  sudo as a regular user.
* Commands with more specific command lines (e.g. "RTR-GW>" or "mysql>")
  imply that you are executing commands on remote equipment, or within
  another program.

Exercises Local Analysis
------------------------

1. lsof and netstat
-------------------

See what services are running on your machine. You can use the
presentation as a reference.

Or, utilize "man lsof", "man netstat", "lsof -h" and "netstat -h" to see
the available options (there are a lot!). Remember to use sudo when using
lsof and netstat to give yourself the necessary permissions to view
everything.

* Using lsof, what IPv4 services are listening on your machine?

* Using netstat, what IPv4 and IPv6 services are listening on your machine?

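To see where netstat and lsof get their answers on Linux, the following added example (not part of the handout or of either tool) reads the kernel's /proc/net/tcp and /proc/net/tcp6 tables, decodes the hex-encoded endpoints, keeps only sockets in LISTEN state, and maps a socket inode to its owning process by scanning /proc/<pid>/fd, which is exactly the work "netstat -p" and "lsof -i" do. The two sample tables are constructed for this example; the helper names (decode_endpoint, listening_sockets, pid_for_inode, live_listeners) are this example's own.

```python
"""Added example, not part of the APRICOT handout: list listening TCP sockets
the way netstat and lsof find them on Linux, by reading the kernel's
/proc/net/tcp and /proc/net/tcp6 tables and mapping socket inodes to PIDs.
"""
import os
import socket
import struct

LISTEN = "0A"  # TCP state code used by /proc/net/tcp* for LISTEN

# Constructed sample of /proc/net/tcp: sshd listening on 0.0.0.0:22, a
# loopback-only listener on 127.0.0.1:3306, and one established ssh session.
SAMPLE_TCP4 = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000   108        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0100007F:0016 0100007F:C4D2 01 00000000:00000000 00:00000000 00000000     0        0 12347 1 0000000000000000 20 4 30 10 -1
"""

# Constructed sample of /proc/net/tcp6: sshd on [::]:22 and a service on [::1]:8080.
SAMPLE_TCP6 = """\
  sl  local_address                         remote_address                        st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000000000000000000000000000:0016 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12348 1 0000000000000000 100 0 0 10 0
   1: 00000000000000000000000001000000:1F90 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12349 1 0000000000000000 100 0 0 10 0
"""


def decode_endpoint(field, ipv6):
    """Turn 'HEXADDR:HEXPORT' into (ip, port). The kernel prints each 32-bit
    word of the address in host byte order, so little-endian hosts (x86) show
    127.0.0.1 as 0100007F; packing with '<I' undoes that."""
    ip_hex, port_hex = field.split(":")
    words = [struct.pack("<I", int(ip_hex[i:i + 8], 16)) for i in range(0, len(ip_hex), 8)]
    family = socket.AF_INET6 if ipv6 else socket.AF_INET
    return socket.inet_ntop(family, b"".join(words)), int(port_hex, 16)


def listening_sockets(proc_text, ipv6=False):
    """Parse one /proc/net/tcp* table and return only the LISTEN entries."""
    found = []
    for line in proc_text.splitlines()[1:]:       # first line is the column header
        fields = line.split()
        if len(fields) < 10 or fields[3] != LISTEN:
            continue
        ip, port = decode_endpoint(fields[1], ipv6)
        found.append({"ip": ip, "port": port, "uid": int(fields[7]), "inode": int(fields[9])})
    return found


def pid_for_inode(inode):
    """What 'lsof -i' and 'netstat -p' do: scan every /proc/<pid>/fd for the
    symlink 'socket:[inode]'. Without sudo you only see your own processes,
    which is why the exercise tells you to use sudo."""
    target = "socket:[%d]" % inode
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            for fd in os.listdir("/proc/%s/fd" % pid):
                if os.readlink("/proc/%s/fd/%s" % (pid, fd)) == target:
                    return int(pid)
        except OSError:
            continue                              # process exited, or not readable by us
    return None


def live_listeners():
    """Read the real kernel tables (Linux only); returns [] on other systems."""
    out = []
    for path, ipv6 in (("/proc/net/tcp", False), ("/proc/net/tcp6", True)):
        if os.path.exists(path):
            with open(path) as fh:
                for sock in listening_sockets(fh.read(), ipv6):
                    sock["pid"] = pid_for_inode(sock["inode"])
                    out.append(sock)
    return out


if __name__ == "__main__":
    rows = live_listeners() or listening_sockets(SAMPLE_TCP4) + listening_sockets(SAMPLE_TCP6, ipv6=True)
    for s in rows:
        endpoint = "%s:%d" % (s["ip"], s["port"])
        print("%-40s uid=%-5d inode=%-8d pid=%s" % (endpoint, s["uid"], s["inode"], s.get("pid")))
```

Run it with sudo on a Linux lab machine and compare the output against "sudo netstat -ltnp" and "sudo lsof -i -P -n"; the same inodes and PIDs should appear. Run it anywhere else and it falls back to the constructed tables, which is enough to see how 0.0.0.0 ("any IPv4 address"), 127.0.0.1 (loopback only) and :: (any IPv6 address) are encoded.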
2. tcpdump and Wireshark
------------------------

To use tcpdump you need to use sudo, or be root. To use wireshark you need
to open a terminal and use sudo as a normal user (i.e., userid "inst"):

Use tcpdump like this:

    $ sudo tcpdump -i lo -A -s1500 -w /tmp/tcpdump.log

Now, generate some traffic on your lo interface in another terminal.

For example:

    $ ping localhost
    $ ssh localhost

etc. Afterwards press CTRL-C to terminate the tcpdump session.

Note: ssh generates much more "interesting" output.

Now install wireshark:

    $ sudo apt-get install wireshark

Once installed, in another terminal as a normal user ("mgmt") open
wireshark like this:

    $ sudo wireshark -r /tmp/tcpdump.log

Now you can play with the wireshark interface to start to understand
how it works. Can you figure out how to follow packets by protocol?
By session?

Now try something like this:

    $ sudo rm /tmp/tcpdump.log
    $ sudo tcpdump -i eth1 -A -s1500 -w /tmp/tcpdump.log

In another terminal do:

    $ ftp limestone.uoregon.edu

    Connected to limestone.uoregon.edu.
    220 FTP Server ready.
    Name (limestone.uoregon.edu:sysadmin): anonymous
    Password: <anything you want>
    ftp> exit

End the tcpdump session in the other terminal (CTRL-C). Now view the
contents of the log file:

    $ sudo wireshark -r /tmp/tcpdump.log

Can you see your password? Sniffing unencrypted passwords on wireless
LANs is very easy with a tool like this.


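The file tcpdump writes with "-w" is in pcap format, and what Wireshark shows you when you "follow" the FTP session is just the TCP payload of each packet. The following added example (not part of the handout, of tcpdump or of Wireshark) parses that format directly: it walks the pcap record headers, the Ethernet, IPv4 and TCP headers, and then reports every FTP control session in which a USER and PASS command went over the wire unencrypted, which is the detection a network monitor would run for cleartext authentication. The capture it reads is constructed in memory with RFC 5737 documentation addresses (not the workshop FTP server), and the function names (_frame, build_pcap, iter_tcp_segments, cleartext_ftp_logins) are this example's own. The password itself is deliberately not returned; that it was exposed is the finding.

```python
"""Added example, not part of the APRICOT handout: parse a tcpdump -w capture
(pcap format, Ethernet link type) and report FTP sessions whose USER/PASS
commands crossed the wire in cleartext, the same thing the exercise asks you
to find by hand in Wireshark. The capture below is constructed in memory.
"""
import struct
import socket
import sys

PCAP_MAGIC = 0xA1B2C3D4     # little-endian pcap; reads as 0xD4C3B2A1 if written big-endian
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6


def _frame(src_ip, dst_ip, sport, dport, payload):
    """Build an Ethernet/IPv4/TCP frame for the sample capture. Checksums are
    left zero because nothing here is ever sent on a real network."""
    eth = bytes.fromhex("665544332211") + bytes.fromhex("112233445566") + struct.pack("!H", ETHERTYPE_IPV4)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0, 64, PROTO_TCP, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + tcp + payload


def build_pcap(frames, snaplen=1500):
    """Serialise frames the way tcpdump -w does: a global header, then one
    16-byte record header per packet (snaplen 1500 matches the exercise's -s1500)."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1262304000 + i, 0, len(frame), len(frame)) + frame
    return out


def iter_tcp_segments(pcap_bytes):
    """Yield (src_ip, dst_ip, sport, dport, payload) for every TCP segment."""
    (magic,) = struct.unpack("<I", pcap_bytes[:4])
    endian = {PCAP_MAGIC: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a pcap file")
    (linktype,) = struct.unpack(endian + "I", pcap_bytes[20:24])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")
    off = 24
    while off + 16 <= len(pcap_bytes):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", pcap_bytes[off:off + 16])
        frame = pcap_bytes[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
            continue
        ip_total = struct.unpack("!H", frame[16:18])[0]
        ip = frame[14:14 + ip_total]            # drop any Ethernet trailer padding
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != PROTO_TCP:
            continue
        tcp = ip[ihl:]
        sport, dport = struct.unpack("!HH", tcp[:4])
        data_off = (tcp[12] >> 4) * 4
        yield socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20]), sport, dport, tcp[data_off:]


def cleartext_ftp_logins(pcap_bytes, ftp_port=21):
    """Detection: one record per client->server FTP control session in which a
    PASS command was observed. The password is deliberately not returned."""
    sessions = {}
    for src, dst, sport, dport, payload in iter_tcp_segments(pcap_bytes):
        if dport != ftp_port or not payload:
            continue                            # only client commands carry credentials
        rec = sessions.setdefault((src, sport, dst),
                                  {"client": src, "server": dst, "user": None, "password_seen": False})
        for line in payload.decode("ascii", "replace").splitlines():
            verb, _, arg = line.partition(" ")
            if verb.upper() == "USER":
                rec["user"] = arg.strip()
            elif verb.upper() == "PASS":
                rec["password_seen"] = True
    return [r for r in sessions.values() if r["password_seen"]]


# Constructed capture mirroring the exercise: anonymous FTP login, then QUIT.
# Addresses are RFC 5737 documentation addresses, not the workshop server.
SAMPLE_PCAP = build_pcap([
    _frame("192.0.2.5", "198.51.100.10", 40212, 21, b"USER anonymous\r\n"),
    _frame("198.51.100.10", "192.0.2.5", 21, 40212, b"331 Please specify the password.\r\n"),
    _frame("192.0.2.5", "198.51.100.10", 40212, 21, b"PASS guest@example.com\r\n"),
    _frame("198.51.100.10", "192.0.2.5", 21, 40212, b"230 Login successful.\r\n"),
    _frame("192.0.2.5", "198.51.100.10", 40212, 21, b"QUIT\r\n"),
])

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PCAP
    for hit in cleartext_ftp_logins(data):
        print("cleartext FTP login: %(client)s -> %(server)s user=%(user)s" % hit)
```

Point it at the capture from the exercise ("python3 ftp_cleartext.py /tmp/tcpdump.log", after making the file readable) and it should find the same session you located in Wireshark. Repeat the exercise with "ssh localhost" instead of ftp and the detector finds nothing, because the credentials never appear in any TCP payload; that difference is the whole argument for SSH and FTPS over plain FTP and telnet.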
3. Using iperf
--------------

Use "man iperf" or "iperf -h" for help.

First install iperf:

    $ sudo apt-get install iperf

Ask your neighbor to run:

    $ iperf -s

Connect to your neighbor's machine using:

    $ iperf -c ipNeighbor

How is the throughput between your machines?

Consider connecting both your PCs directly together (one cable,
no switch). Use a private IP address on both machines, verify
you can ping each other, then repeat the previous steps with
your new connection. Has your throughput improved?

If you have time, continue playing with iperf options. If you have a
remote PC running UNIX or Linux you might want to try installing iperf
and testing your connection from the workshop lab to your remote
machine.

Some more things to try...

* Test TCP using various window sizes (-w).

* Verify TCP MSS (-m). How does this affect throughput? What is
  Path MTU discovery?

* Test with two parallel threads (-P) and compare the totals. Is
  there any difference? Why?

* Test with different packet sizes and the TCP_NODELAY (-N) option.

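iperf's client/server pair is a small program at heart: the server accepts a TCP connection and counts bytes, the client pushes data for a while, and throughput is bytes times eight over elapsed time. The following added example (not part of the handout, and not iperf's own code) reproduces that over loopback so the "things to try" above can be seen at the socket level: the window size (iperf -w) is the SO_SNDBUF/SO_RCVBUF socket buffer, TCP_NODELAY (iperf -N) is the same socket option, and "packet size" is the size of each write. The function names (measure_throughput, compare_settings) and the particular settings compared are this example's own choices.

```python
"""Added example, not part of the APRICOT handout: a minimal iperf-style TCP
throughput test over loopback, to show what iperf's -w (socket buffer, which
bounds the TCP window) and -N (TCP_NODELAY) change at socket level.
"""
import socket
import threading
import time


def _sink(listener, result):
    """Server side (like iperf -s): accept one connection and count bytes
    until the client closes, recording the total in `result`."""
    conn, _ = listener.accept()
    with conn:
        total = 0
        while True:
            chunk = conn.recv(1 << 16)
            if not chunk:
                break
            total += len(chunk)
        result["bytes"] = total


def measure_throughput(mebibytes=8, window=None, nodelay=False, chunk=8192):
    """Client side (like iperf -c): push `mebibytes` MiB to a loopback server.
    Returns (bytes_received_by_server, megabits_per_second)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    if window:  # set before listen() so the accepted socket inherits it (iperf -w)
        listener.setsockopt(socket.SOL_SOCKET, socket.SO_RCVBUF, window)
    listener.bind(("127.0.0.1", 0))  # ephemeral port rather than iperf's 5001
    listener.listen(1)
    result = {}
    server = threading.Thread(target=_sink, args=(listener, result), daemon=True)
    server.start()

    client = socket.create_connection(listener.getsockname())
    if window:
        client.setsockopt(socket.SOL_SOCKET, socket.SO_SNDBUF, window)
    if nodelay:  # iperf -N: disable Nagle, so small writes go out immediately
        client.setsockopt(socket.IPPROTO_TCP, socket.TCP_NODELAY, 1)

    payload = b"\x00" * chunk
    remaining = mebibytes * 1024 * 1024
    start = time.perf_counter()
    with client:
        while remaining > 0:
            n = min(chunk, remaining)
            client.sendall(payload[:n])
            remaining -= n
    server.join()                       # wait until the server has seen EOF
    elapsed = time.perf_counter() - start
    listener.close()
    received = result.get("bytes", 0)
    return received, received * 8 / elapsed / 1e6


def compare_settings(mebibytes=8):
    """Run the same transfer under a few settings mirroring the 'things to try'
    list: default buffers, a deliberately small window, and small writes with
    and without TCP_NODELAY. Returns {label: Mbit/s}."""
    runs = {
        "default": dict(),
        "window=16KiB": dict(window=16 * 1024),
        "chunk=64B": dict(chunk=64),
        "chunk=64B,nodelay": dict(chunk=64, nodelay=True),
    }
    return {label: measure_throughput(mebibytes, **opts)[1] for label, opts in runs.items()}


if __name__ == "__main__":
    for label, mbps in compare_settings().items():
        print("%-20s %10.1f Mbit/s" % (label, mbps))
```

Loopback numbers will be far higher than anything you measure to your neighbor's machine, which is the point of the exercise's cable-versus-switch comparison: the same client code, with the real link in between, exposes the link's limits. Note that the kernel rounds and caps the buffer sizes you request, so read back the value with getsockopt if you want to know what you actually got.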