APRICOT 2010: Kuala Lumpur, Malaysia

LOCAL NETWORK ANALYSIS TOOLS

Notes:
------

* Commands preceded with "$" imply that you should execute the command as a
  general user - not as root.
* Commands preceded with "#" imply that you should either be root, or use
  sudo as a regular user.
* Commands with more specific command lines (e.g. "RTR-GW>" or "mysql>")
  imply that you are executing commands on remote equipment, or within
  another program.

Exercises: Local Analysis
-------------------------

1. lsof and netstat
-------------------

See what services are running on your machine. You can use the presentation
as a reference. Or, use "man lsof", "man netstat", "lsof -h" and
"netstat -h" to see the available options (there are a lot!). Remember to
use sudo when running lsof and netstat so that you have the permissions
needed to view everything.

* Using lsof, what IPv4 services are listening on your machine?
* Using netstat, what IPv4 and IPv6 services are listening on your machine?

2. tcpdump and Wireshark
------------------------

To use tcpdump you need to use sudo, or be root. To use wireshark you need
to open a terminal and use sudo as a normal user (i.e., userid "inst").

Use tcpdump like this:

$ sudo tcpdump -i lo -A -s1500 -w /tmp/tcpdump.log

Now, generate some traffic on your lo interface in another terminal. For
example:

$ ping localhost
$ ssh localhost

etc. Afterwards press CTRL-C to terminate the tcpdump session.

Note: ssh generates much more "interesting" output.

Now install wireshark:

$ sudo apt-get install wireshark

Once installed, in another terminal as a normal user ("mgmt") open
wireshark like this:

$ sudo wireshark -r /tmp/tcpdump.log

Now you can play with the wireshark interface to start to understand how it
works. Can you figure out how to follow packets by protocol? By session?
Now try something like this:

$ sudo rm /tmp/tcpdump.log
$ sudo tcpdump -i eth1 -A -s1500 -w /tmp/tcpdump.log

In another terminal do:

$ ftp limestone.uoregon.edu
Connected to limestone.uoregon.edu.
220 FTP Server ready.
Name (limestone.uoregon.edu:sysadmin): anonymous
Password:
ftp> exit

End the tcpdump session in the other terminal (CTRL-C). Now view the
contents of the log file:

$ sudo wireshark -r /tmp/tcpdump.log

Can you see your password? Sniffing unencrypted passwords on wireless LANs
is very easy with a tool like this.

3. Using iperf
--------------

Use "man iperf" or "iperf -h" for help.

First install iperf:

$ sudo apt-get install iperf

Ask your neighbor to run:

$ iperf -s

Connect to your neighbor's machine using:

$ iperf -c ipNeighbor

How is the throughput between your machines?

Consider connecting both your PCs directly together (one cable, no switch).
Use a private IP address on both machines, verify you can ping each other,
then repeat the previous steps with your new connection. Has your
throughput improved?

If you have time, continue playing with iperf options. If you have a remote
PC running UNIX or Linux you might want to try installing iperf and testing
your connection from the workshop lab to your remote machine.

Some more things to try...

* Test TCP using various window sizes (-w).
* Verify TCP MSS (-m). How does this affect throughput? What is Path MTU
  discovery?
* Test with two parallel threads (-P) and compare the totals. Is there any
  difference? Why?
* Test with different packet sizes and the TCP_NODELAY (-N) option.
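As a follow-up to exercise 1, the script below is an added example (not part of the original workshop handout) that answers "which IPv4 and IPv6 services are listening?" from "netstat -tuln" style output, and then flags the sockets bound to a wildcard address, i.e. the ones reachable from beyond the host. The netstat output it parses is constructed sample text, not captured from a real machine; on your own machine pipe "sudo netstat -tuln" into listening_services instead.

```shell
#!/bin/sh
# Constructed sample of `netstat -tuln` output (not from a real host).
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN
udp        0      0 0.0.0.0:68              0.0.0.0:*
udp6       0      0 :::546                  :::*'

# listening_services FAMILY   (FAMILY is 4 or 6)
# Reads netstat -tuln text on stdin; prints "proto addr port" for every
# listening TCP socket and every bound UDP socket of that address family.
listening_services() {
  awk -v fam="$1" '
    NR <= 2 { next }                        # skip the two header lines
    {
      proto = $1; local = $4
      is6 = (proto ~ /6$/) ? 6 : 4          # tcp6/udp6 vs tcp/udp
      if (is6 != fam + 0) next
      # UDP rows have no State column; TCP rows must be in LISTEN
      if (proto ~ /^tcp/ && $6 != "LISTEN") next
      n = split(local, parts, ":")          # port follows the last colon
      port = parts[n]
      addr = substr(local, 1, length(local) - length(port) - 1)
      print proto, addr, port
    }'
}

# exposed_ports: from listening_services output, keep only sockets bound to
# a wildcard address (0.0.0.0 or ::), which accept connections from any
# interface rather than just loopback.
exposed_ports() {
  awk '$2 == "0.0.0.0" || $2 == "::" { print $1 "/" $3 }'
}

# Demo on the sample: list IPv4 and IPv6 listeners, then the exposed ones.
printf '%s\n' "$SAMPLE_NETSTAT" | listening_services 4
printf '%s\n' "$SAMPLE_NETSTAT" | listening_services 6
printf '%s\n' "$SAMPLE_NETSTAT" | listening_services 4 | exposed_ports
printf '%s\n' "$SAMPLE_NETSTAT" | listening_services 6 | exposed_ports
```

Compare the exposed list against what the machine is actually meant to serve; anything unexpected there is the first thing to investigate with "lsof -i :PORT".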