| 1 | APRICOT 2010: Kuala Lumpur, Malaysia |
|---|
| 2 | |
|---|
| 3 | LOCAL NETWORK ANALYSIS TOOLS |
|---|
| 4 | |
|---|
| 5 | Notes: |
|---|
| 6 | ------ |
|---|
| 7 | * Commands preceded with "$" imply that you should execute the command as |
|---|
| 8 | a general user - not as root. |
|---|
| 9 | * Commands preceded with "#" imply that you should be working as root. |
|---|
| 10 | * Commands with more specific command lines (e.g. "RTR-GW>" or "mysql>") |
|---|
| 11 | imply that you are executing commands on remote equipment, or within |
|---|
| 12 | another program. |
|---|
| 13 | |
|---|
| 14 | Exercises |
|---|
| 15 | --------- |
|---|
| 16 | |
|---|
| 17 | 1. lsof and netstat |
|---|
| 18 | ---------------- |
|---|
| 19 | |
|---|
| 20 | See what services are running on your machine. You can use the |
|---|
| 21 | presentation as a reference. |
|---|
| 22 | |
|---|
| 23 | Or, utilize "man lsof", "man netstat", "lsof -h" and "netstat -h" to see |
|---|
| 24 | the available options (there are a lot!). Remember to use |
|---|
| 25 | sudo when using lsof and netstat to give yourself necessary permissions |
|---|
| 26 | to view everything. |
|---|
| 27 | |
|---|
| 28 | * Using lsof, what IPv4 services are listening on your machine? |
|---|
| 29 | |
|---|
| 30 | * Using netstat, what IPv4 and IPv6 services are listening on your machine? |
|---|
| 31 | |
|---|
| 32 | |
|---|
| 33 | 2. tcpdump and Wireshark |
|---|
| 34 | --------------------- |
|---|
| 35 | |
|---|
| 36 | To use tcpdump you need to use sudo, or be root. To use wireshark you need |
|---|
| 37 | to open a terminal and use sudo as a normal user (i.e., userid "inst"): |
|---|
| 38 | |
|---|
| 39 | Use tcpdump like this: |
|---|
| 40 | |
|---|
| 41 | $ sudo tcpdump -i lo -A -s1500 -w /tmp/tcpdump.log |
|---|
| 42 | |
|---|
| 43 | Now, generate some traffic on your lo interface in another terminal. |
|---|
| 44 | |
|---|
| 45 | For example: |
|---|
| 46 | |
|---|
| 47 | $ ping localhost |
|---|
| 48 | $ ssh localhost |
|---|
| 49 | |
|---|
| 50 | etc. Afterwords press CTRL-C to terminate the tcpdump session. |
|---|
| 51 | |
|---|
| 52 | Note: ssh generates much more "interesting" output. |
|---|
| 53 | |
|---|
| 54 | Now install wireshark: |
|---|
| 55 | |
|---|
| 56 | $ sudo apt-get install wireshark |
|---|
| 57 | |
|---|
| 58 | Once installed, in another terminal as a normal user ("inst") open |
|---|
| 59 | wireshark like this: |
|---|
| 60 | |
|---|
| 61 | $ sudo wireshark -r /tmp/tcpdump.log |
|---|
| 62 | |
|---|
| 63 | Now you can play with the wireshark interface to start and understand |
|---|
| 64 | how it works. Can you figure out how to follow packets by protocol? |
|---|
| 65 | By Session? |
|---|
| 66 | |
|---|
| 67 | Now try something like this (note the "eth1"): |
|---|
| 68 | |
|---|
| 69 | $ sudo rm /tmp/tcpdump.log |
|---|
| 70 | $ sudo tcpdump -i eth0 -A -s1500 -w /tmp/tcpdump.log |
|---|
| 71 | |
|---|
| 72 | In another terminal do: |
|---|
| 73 | |
|---|
| 74 | $ ftp limestone.uoregon.edu |
|---|
| 75 | |
|---|
| 76 | Connected to limestone.uoregon.edu. |
|---|
| 77 | 220 FTP Server ready. |
|---|
| 78 | Name (limestone.uoregon.edu:sysadmin): anonymous |
|---|
| 79 | Password: <anything you want> |
|---|
| 80 | ftp> exit |
|---|
| 81 | |
|---|
| 82 | End the tcpdump session in the other terminal (CTRL-C). Now view the |
|---|
| 83 | contents of the log file: |
|---|
| 84 | |
|---|
| 85 | $ sudo wireshark -r /tmp/tcpdump.log |
|---|
| 86 | |
|---|
| 87 | Can you see your password? Sniffing unencrypted passwords on wireless |
|---|
| 88 | lans is very easy with a tool like this. |
|---|
| 89 | |
|---|
| 90 | |
|---|
| 91 | 3. Using iperf |
|---|
| 92 | ----------- |
|---|
| 93 | |
|---|
| 94 | Use "man iperf" or "iperf -h" for help. |
|---|
| 95 | |
|---|
| 96 | First install iperf: |
|---|
| 97 | |
|---|
| 98 | $ sudo apt-get install iperf |
|---|
| 99 | |
|---|
| 100 | Ask your neighbor to run: |
|---|
| 101 | |
|---|
| 102 | $ iperf -s |
|---|
| 103 | |
|---|
| 104 | Connect to your neighbor's machine using: |
|---|
| 105 | |
|---|
| 106 | $ iperf -c ipNeighbor |
|---|
| 107 | |
|---|
| 108 | How is the throughput between your machines? |
|---|
| 109 | |
|---|
| 110 | Consider connecting both your PCs directly together (one cable, |
|---|
| 111 | no switch). Use a private IP address on both machines, verify |
|---|
| 112 | you can ping each other, then repeat the previous steps with |
|---|
| 113 | your new connection. Has your throughput improved? |
|---|
| 114 | |
|---|
| 115 | If you have time continue playing with iperf options. If you have a |
|---|
| 116 | remote PC running UNIX or Linux you might want to try installing iperf |
|---|
| 117 | and testing your connection from the workshop lab to your remote |
|---|
| 118 | machine. |
|---|
| 119 | |
|---|
| 120 | Some more things to try... |
|---|
| 121 | |
|---|
| 122 | * Test TCP using various window sizes (-2). |
|---|
| 123 | |
|---|
| 124 | * Verify TCP MSS (-m). How does this affect throughput? What is |
|---|
| 125 | Path MTU discovery? |
|---|
| 126 | |
|---|
| 127 | * Test with two parallel threads (-P) and compare the totals. Is |
|---|
| 128 | there any difference? Why? |
|---|
| 129 | |
|---|
| 130 | * Test with different packet sizes and the TCP_NODELAY (-N) option. |
|---|
| 131 | |
|---|
