Day 1 Labs - PowerPoint PPT Presentation

Provided by: shl8
1
Day 1 Labs
  • Lab 1 DNS and Mail server Setup
  • Lab 2 Building Public Key Infrastructure (PKI)
  • Lab 3 Network Monitoring and Debugging

2
Lab 1 DNS and Mail
  • Domain Name System (DNS)
  • for translating hostnames into Internet addresses
  • A distributed database
  • The database is pictured as an inverted tree
  • Each node can be the root of a new subtree
  • Each of these subtrees represents a partition of
    the overall database domain in DNS
  • Each domain can be further divided into additional
    partitions, called subdomains in DNS

3
Lab1 DNS and Mail An example of the ie.cuhk.edu.hk domain
(tree diagram; the recoverable structure is)
  • hk
  • org, edu, gov, net, com (under hk)
  • cuhk, hku, ust (under edu.hk)
  • cse, ee, ie, se, acae (under cuhk.edu.hk)
4
Lab1 DNS and Mail Top-Level Domains
  • com
  • Commercial organizations, such as Hewlett-Packard
    (hp.com), Sun Microsystems (sun.com), and IBM
    (ibm.com)
  • edu
  • Educational organizations, such as U.C. Berkeley
    (berkeley.edu) and Purdue University (purdue.edu)
  • gov
  • Government organizations, such as NASA (nasa.gov)
    and the National Science Foundation (nsf.gov)

5
Lab1 DNS and Mail Top-Level Domains
  • mil
  • Military organizations, such as the U.S. Army
    (army.mil) and Navy (navy.mil)
  • net
  • Networking organizations, such as NSFNET
    (nsf.net)
  • org
  • Noncommercial organizations, such as the
    Electronic Frontier Foundation (eff.org)

6
Lab1 DNS and Mail Resolution of
girigiri.gbrmpa.gov.au on the Internet
7
Lab1 DNS and Mail addr.arpa domain tree
8
Lab1 DNS and Mail DNS Records
  • SOA Start Of Authority
  • Serial, Refresh, Retry, Expire, TTL
  • NS Name Server
  • A Name to Address mapping
  • PTR Address to name mapping
  • CNAME Canonical name (for aliases)
  • MX Mail eXchange

9
Lab1 DNS and Mail DNS Records
  • SOA Start Of Authority
  • Serial
  • The serial number applies to all the data within
    the zone. When a slave name server contacts a
    master server for zone data, it first asks for
    the serial number on the data. If the slave's
    serial number is lower than the master server's,
    the slave's zone data are out of date. In this
    case, the slave pulls a new copy of the zone.

10
Lab1 DNS and Mail DNS Records
  • SOA Start Of Authority
  • Refresh
  • The refresh interval tells the slave how often
    to check that its data are up to date. Most users
    will tolerate a delay of half of a working day
    for things like name server data to propagate
    when they are waiting for their new workstation
    to be operational.

11
Lab1 DNS and Mail DNS Records
  • SOA Start Of Authority
  • Retry
  • If the slave fails to reach the master name
    server(s) after the refresh period (the host(s)
    could be down), then it starts trying to connect
    every retry seconds. Normally, the retry interval
    is shorter than the refresh interval, but it
    doesn't have to be.

12
Lab1 DNS and Mail DNS Records
  • SOA Start Of Authority
  • Expire
  • If the slave fails to contact the master
    server(s) for expire seconds, the slave expires
    its data. Expiring the data means the slave stops
    giving out answers about the data because the
    data are too old to be valid. The expiration time
    should always be much larger than the retry and
    refresh intervals; if the expire time is smaller
    than the refresh interval, your slaves will
    expire their data before trying to load new data.

13
Lab1 DNS and Mail DNS Records
  • SOA Start Of Authority
  • TTL (Time To Live)
  • This value applies to all the resource records
    in the zone file. The name server supplies this
    TTL in query responses, allowing other servers to
    cache the data for the TTL interval. If your data
    don't change much, you might consider using a
    minimum TTL of several days. One week is about
    the longest value that makes sense. A value as
    short as one hour can be used, but it is not
    recommended because of the amount of DNS traffic
    it causes.

14
Lab1 DNS and Mail DNS Records
  • SOA Start Of Authority
  • What values you choose for your SOA record will
    depend upon the needs of your site. In general,
    longer times cause less load on your systems and
    lengthen the propagation of changes; shorter
    times increase the load on your systems and speed
    up the propagation of changes.

15
Lab1 DNS and Mail DNS Records
  • SOA Start Of Authority
  • RFC 1537 recommends the following values for
    top-level domain servers
  • 86400 Refresh 24 hours
  • 7200 Retry 2 hours
  • 2592000 Expire 30 days
  • 345600 Minimum TTL 4 days
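The SOA fields and timer rules on the preceding slides, as an added worked example that is not part of the lab slides: a small Python parser for a BIND-style zone snippet that reads the SOA record, checks its timers against the rules the slides state (expire much larger than refresh and retry, retry normally shorter than refresh, a minimum TTL of a day or more up to about a week), and classifies a slave server by how long it has been out of contact with its master. The zone text, the example-lab.test domain and the 192.0.2.x addresses are constructed for the example.

```python
"""Parse a small zone snippet and sanity-check its SOA timers.

Added example, not from the lab slides. The zone text is constructed; the
timer rules follow the slides, with RFC 1537's values as the reference."""
import re

# Constructed zone snippet (hypothetical domain), in the record order the
# slides list: SOA, NS, A, CNAME, MX.
ZONE_TEXT = """
example-lab.test.   IN SOA  ns1.example-lab.test. hostmaster.example-lab.test. (
                            2002012201 ; serial
                            86400      ; refresh 24h
                            7200       ; retry 2h
                            2592000    ; expire 30d
                            345600 )   ; minimum TTL 4d
example-lab.test.   IN NS   ns1.example-lab.test.
ns1                 IN A    192.0.2.1
mail                IN A    192.0.2.25
www                 IN CNAME mail
example-lab.test.   IN MX   10 mail.example-lab.test.
"""

RFC1537 = {"refresh": 86400, "retry": 7200, "expire": 2592000, "minimum": 345600}

def parse_zone(text):
    """Return (soa_dict, [(owner, type, rdata), ...]) from a zone snippet.

    ';' starts a comment; parentheses let the SOA span several lines."""
    stripped = "\n".join(line.split(";")[0] for line in text.splitlines())
    joined = re.sub(r"\(([^)]*)\)", lambda m: " ".join(m.group(1).split()), stripped)
    soa, records = None, []
    for line in joined.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[1] != "IN":
            continue
        owner, rtype, rdata = fields[0], fields[2], fields[3:]
        if rtype == "SOA":
            serial, refresh, retry, expire, minimum = map(int, rdata[2:7])
            soa = dict(mname=rdata[0], rname=rdata[1], serial=serial,
                       refresh=refresh, retry=retry, expire=expire, minimum=minimum)
        else:
            records.append((owner, rtype, " ".join(rdata)))
    return soa, records

def check_soa_timers(soa):
    """Return warnings about the SOA timers, following the slides' rules."""
    warnings = []
    if soa["expire"] <= soa["refresh"] + soa["retry"]:
        warnings.append("expire must be much larger than refresh + retry")
    if soa["retry"] > soa["refresh"]:
        warnings.append("retry is longer than refresh (unusual)")
    if soa["minimum"] < 86400:
        warnings.append("minimum TTL under one day is not recommended (extra DNS traffic)")
    if soa["minimum"] > 7 * 86400:
        warnings.append("minimum TTL over one week is longer than makes sense")
    return warnings

def slave_state(soa, seconds_since_last_success):
    """Classify a slave by how long ago it last reached its master."""
    t = seconds_since_last_success
    if t < soa["refresh"]:
        return "fresh"
    if t < soa["expire"]:
        return "retrying"     # keeps answering, retries every 'retry' seconds
    return "expired"          # stops answering for the zone

if __name__ == "__main__":
    soa, records = parse_zone(ZONE_TEXT)
    print(soa)
    print(check_soa_timers(soa) or "SOA timers look sane")
```

Feeding the tvb.com.hk SOA values shown later in the lab (refresh 1800, retry 600, expire 604800, minimum 1800) to `check_soa_timers` produces only the short-minimum-TTL warning, which is the trade-off the slides describe: faster propagation at the cost of more query traffic.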

16
Lab1 DNS and Mail Send Mail and Anti-spam
  • Configure a mail server (e.g. MX record, sendmail.cf)
  • Use of virtual host table and aliases
  • Use access file for anti-spamming
  • Trace the source of the spam mail (e.g. nslookup,
    whois query)

17
Lab1 DNS and Mail Mail aliases
  • Configure the /etc/aliases file, e.g.
  • abuse: root
  • info: user@ie.cuhk.edu.hk
  • group1: user1,user2
  • Mail sent to abuse will be forwarded to the root
    account; mail sent to info will be forwarded to the
    info account; mail sent to group1 will be
    forwarded to the user1 and user2 accounts.
  • Type "newaliases" to update aliases.db

18
Lab1 DNS and Mail Virtual Hosting with sendmail
  • DNS Configuration
  • Choose an available domain name, say
    yourdomain.com
  • Establish two machines as primary and secondary
    name servers for your domain
  • Configure MX records for your domain, e.g.
  • yourdomain.com. MX 10 yourmailserver.yourdomain.com.

19
Lab1 DNS and Mail Virtual Hosting with sendmail
  • Sendmail Configuration
  • Compile and install sendmail software
  • Configure the mc file, e.g.
  • FEATURE(`virtusertable', `hash -o /etc/mail/virtusertable')
  • Generate the sendmail.cf file from the mc file

20
Lab1 DNS and Mail Virtual Hosting with sendmail
  • Sendmail Configuration
  • Configure the virtual user table, e.g.
  • jane@yourdomain.com    jdoe@othercompany.com
  • @yourdomain.com        jschmoe
  • Configure sendmail.cw to accept mail for
    your domain, yourdomain.com.
  • Update the virtual table and start sendmail
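The alias expansion on the "Mail aliases" slide and the virtual user table above are both address-rewriting maps, so one added Python example covers both; it is not sendmail's code. It models the lookup order the lab describes: an exact virtusertable entry wins, then the @domain catch-all, and the resulting local name is expanded through /etc/aliases. The two maps hold the slides' entries plus one constructed alias (postmaster) to show multi-level expansion; the loop detection is what newaliases would complain about for an alias file that refers back to itself.

```python
"""Model of the virtusertable and /etc/aliases rewriting a recipient.

Added example, not sendmail's own code. Map contents come from the slides
plus one constructed entry; the lookup order follows the lab text."""

# virtusertable: virtual address -> real mailbox. A bare "@domain" key is
# the catch-all for any user in that domain.
VIRTUSERTABLE = {
    "jane@yourdomain.com": "jdoe@othercompany.com",
    "@yourdomain.com": "jschmoe",
}

# /etc/aliases: local name -> comma-separated targets.
ALIASES = {
    "abuse": "root",
    "info": "user@ie.cuhk.edu.hk",
    "group1": "user1,user2",
    "postmaster": "abuse",   # constructed: shows multi-level expansion
}

def virtual_lookup(address, table=VIRTUSERTABLE):
    """Apply virtusertable: exact entry first, then the @domain catch-all."""
    address = address.lower()
    _, _, domain = address.partition("@")
    if address in table:
        return table[address]
    if domain and "@" + domain in table:
        return table["@" + domain]
    return address

def expand_alias(name, aliases=ALIASES, _seen=None):
    """Recursively expand a local alias into its final recipients.

    Remote addresses (containing '@') are returned unchanged. A cycle in the
    alias file (a -> b -> a) raises instead of looping forever."""
    _seen = set() if _seen is None else _seen
    if "@" in name:
        return [name]
    if name in _seen:
        raise ValueError("alias loop at %r" % name)
    if name not in aliases:
        return [name]                      # an ordinary local mailbox
    _seen.add(name)
    recipients = []
    for target in aliases[name].split(","):
        recipients.extend(expand_alias(target.strip(), aliases, _seen))
    _seen.discard(name)
    return recipients

def deliver_to(address):
    """Full rewrite chain for one recipient: virtusertable, then aliases."""
    return expand_alias(virtual_lookup(address))

if __name__ == "__main__":
    for rcpt in ("jane@yourdomain.com", "bob@yourdomain.com", "group1", "postmaster"):
        print(rcpt, "->", deliver_to(rcpt))
```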

21
Lab1 DNS and Mail Anti-spamming with sendmail
  • Sendmail Configuration
  • Compile and install sendmail software
  • Configure the mc file, e.g.
  • FEATURE(`access_db')
  • Generate the sendmail.cf file from the mc file

22
Lab1 DNS and Mail Anti-spamming with sendmail
  • Sendmail Configuration
  • Configure the access file, e.g.
  • localhost.localdomain    RELAY
  • localhost                RELAY
  • 127.0.0.1                RELAY
  • 192.168.36.26            RELAY
  • spam@spam.com            550 You are banned from this site
  • Update access.db and start sendmail
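The access file above controls two things: which hosts may relay through the server and which senders are refused. As an added example that is not sendmail's code, the Python below reads access-file lines in the slide's format and decides the outcome for one incoming message. The lookup order models sendmail's documented behaviour for unprefixed keys: a connecting IP is tried whole and then with trailing octets removed, a sender as a full address and then by domain and each parent domain. The junkmail.example entry and the LOCAL_DOMAINS set (what sendmail.cw would list) are constructed.

```python
"""Model of the sendmail access map the anti-spamming slides configure.

Added example, not sendmail's code. Reads "key value" lines and decides,
for one message, whether the server relays, accepts, or rejects."""

# Access file content: the slide's entries plus one constructed domain-wide
# entry to show parent-domain matching.
ACCESS_FILE = """
localhost.localdomain   RELAY
localhost               RELAY
127.0.0.1               RELAY
192.168.36.26           RELAY
spam@spam.com           550 You are banned from this site
junkmail.example        REJECT
"""

LOCAL_DOMAINS = {"yourdomain.com"}   # constructed: what sendmail.cw would list

def parse_access(text):
    rules = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and not line.startswith("#"):
            rules[parts[0].lower()] = parts[1].strip()
    return rules

def lookup_ip(rules, ip):
    """192.168.36.26 -> try 192.168.36.26, 192.168.36, 192.168, 192."""
    octets = ip.split(".")
    for n in range(len(octets), 0, -1):
        key = ".".join(octets[:n])
        if key in rules:
            return rules[key]
    return None

def lookup_sender(rules, sender):
    """user@a.b.c -> try user@a.b.c, then a.b.c, b.c, c."""
    sender = sender.lower()
    if sender in rules:
        return rules[sender]
    labels = sender.partition("@")[2].split(".")
    for i in range(len(labels)):
        key = ".".join(labels[i:])
        if key in rules:
            return rules[key]
    return None

def decide(rules, client_ip, sender, recipient):
    """Return (verdict, reason).

    A 550/REJECT entry for the sender wins. Mail for our own domains is
    accepted from anyone; relaying to other domains is allowed only from
    RELAY hosts. Everything else is an open-relay attempt and is refused,
    which is what the lab's access_db feature exists to enforce."""
    s = lookup_sender(rules, sender)
    if s and (s.startswith("550") or s == "REJECT"):
        return "reject", s
    if recipient.rpartition("@")[2].lower() in LOCAL_DOMAINS:
        return "accept", "local recipient"
    if lookup_ip(rules, client_ip) == "RELAY":
        return "relay", "client host allowed to relay"
    return "reject", "550 Relaying denied"

if __name__ == "__main__":
    rules = parse_access(ACCESS_FILE)
    print(decide(rules, "192.168.36.26", "a@b.example", "x@elsewhere.example"))
    print(decide(rules, "203.0.113.9", "a@b.example", "x@elsewhere.example"))
```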

23
Lab1 DNS and Mail Trace the source of the spam
mail
  • Examine mail header
  • Query tools nslookup and whois queries
  • To check out the DNS records and the domain
    registration information of the spam site.
  • Reporting spam to spam.com

24
Lab1 DNS and Mail Examine mail header
  • From chris.ip@tvb.com.hk Tue Jan 22 11:26:48 2002
  • Received: from viruswall.ie.cuhk.edu.hk
    (viruswall [137.189.96.52])
    by eng.ie.cuhk.edu.hk (8.11.6/8.11.6)
    with ESMTP id g0M3QmH14402
    for <shlam>; Tue, 22 Jan 2002 11:26:48
    +0800 (HKT)
  • Received: from smtp02.hk.linkage.net
    (smtp02.hk.linkage.net [202.76.4.21])
    by viruswall.ie.cuhk.edu.hk
    (8.12.1/8.12.1) with ESMTP id g0M3Qlkm008158
    for <shlam@ie.cuhk.edu.hk>; Tue, 22 Jan
    2002 11:26:47 +0800 (HKT)

25
Lab1 DNS and Mail Examine mail header
  • Received: from exchange2.tvb.com.hk
    (pc036.tvb.com.hk [202.76.104.36])
    by smtp02.hk.linkage.net (8.11.6/8.11.6)
    with ESMTP id g0M3Vik25192
    for <shlam@ie.cuhk.edu.hk>; Tue, 22 Jan
    2002 11:31:45 +0800 (HKT)
  • Received: by pc036.tvb.com.hk with Internet Mail
    Service (5.5.2653.19)
    id <C04BZFB6>; Tue, 22 Jan 2002 11:23:29
    +0800
  • Path: pc036.tvb.com.hk -> exchange2.tvb.com.hk ->
    smtp02.hk.linkage.net -> viruswall.ie.cuhk.edu.hk
    -> eng.ie.cuhk.edu.hk
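Reading the Received: chain by hand, as the two slides above do, is the step that tells you where a message really entered your infrastructure. The added Python below (not from the lab) automates it: it unfolds the header, parses each Received: line for the "from" host, the reverse-DNS name and address in parentheses, and the "by" host, reverses the list (headers are prepended, so the topmost is the last hop), rebuilds the slide's path summary, and checks each hop against the previous one. The header text is the slide's, with the punctuation the transcript lost restored. Only the topmost hops were added by servers you control; anything below the first host you trust could have been written by the sender, which is why the path is traced from your own end.

```python
"""Walk the Received: chain of a mail header to recover the delivery path.

Added example; the header is the one on the slides, re-punctuated."""
import re

HEADER = """\
Received: from viruswall.ie.cuhk.edu.hk (viruswall [137.189.96.52])
\tby eng.ie.cuhk.edu.hk (8.11.6/8.11.6) with ESMTP id g0M3QmH14402
\tfor <shlam>; Tue, 22 Jan 2002 11:26:48 +0800 (HKT)
Received: from smtp02.hk.linkage.net (smtp02.hk.linkage.net [202.76.4.21])
\tby viruswall.ie.cuhk.edu.hk (8.12.1/8.12.1) with ESMTP id g0M3Qlkm008158
\tfor <shlam@ie.cuhk.edu.hk>; Tue, 22 Jan 2002 11:26:47 +0800 (HKT)
Received: from exchange2.tvb.com.hk (pc036.tvb.com.hk [202.76.104.36])
\tby smtp02.hk.linkage.net (8.11.6/8.11.6) with ESMTP id g0M3Vik25192
\tfor <shlam@ie.cuhk.edu.hk>; Tue, 22 Jan 2002 11:31:45 +0800 (HKT)
Received: by pc036.tvb.com.hk with Internet Mail Service (5.5.2653.19)
\tid <C04BZFB6>; Tue, 22 Jan 2002 11:23:29 +0800
"""

def unfold(header):
    """Join continuation lines (those starting with whitespace) to their field."""
    return re.sub(r"\r?\n[ \t]+", " ", header)

def parse_received(header):
    """Return the hops in transit order (origin first) as dicts."""
    hops = []
    for line in unfold(header).splitlines():
        if not line.lower().startswith("received:"):
            continue
        m_from = re.search(r"\bfrom\s+(\S+)(?:\s+\(([^)]*)\))?", line)
        m_by = re.search(r"\bby\s+(\S+)", line)
        m_ip = re.search(r"\[(\d+\.\d+\.\d+\.\d+)\]", line)
        hops.append({
            "helo": m_from.group(1) if m_from else None,              # what the client claimed
            "rdns": m_from.group(2).split()[0] if m_from and m_from.group(2) else None,
            "ip": m_ip.group(1) if m_ip else None,
            "by": m_by.group(1) if m_by else None,                    # the MTA that wrote the line
        })
    return list(reversed(hops))

def delivery_path(hops):
    """Hosts in the order the message travelled, like the slide's Path summary."""
    path = [hops[0]["by"]]
    for hop in hops[1:]:
        if hop["helo"] and hop["helo"] != path[-1]:
            path.append(hop["helo"])
        path.append(hop["by"])
    return path

def check_chain(hops):
    """Flag hops whose 'from' does not match what the previous MTA said it was.

    A mismatch between HELO name and reverse DNS is common and worth a note;
    a 'from' that matches neither the previous hop's name nor its reverse DNS
    means the lower headers cannot be trusted."""
    findings = []
    for prev, hop in zip(hops, hops[1:]):
        claimed = {hop["helo"], hop["rdns"]} - {None}
        if prev["by"] not in claimed:
            findings.append("%s received from %s but previous hop was %s: untrusted below here"
                            % (hop["by"], hop["helo"], prev["by"]))
        elif hop["rdns"] and hop["helo"] != hop["rdns"] \
                and not hop["helo"].startswith(hop["rdns"] + "."):
            findings.append("%s: HELO name %s differs from reverse DNS %s (%s)"
                            % (hop["by"], hop["helo"], hop["rdns"], hop["ip"]))
    return findings

if __name__ == "__main__":
    hops = parse_received(HEADER)
    print(" -> ".join(delivery_path(hops)))
    for f in check_chain(hops):
        print("note:", f)
```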

26
Lab1 DNS and Mail nslookup and whois
query: query of tvb.com.hk NS records
  • csh> nslookup -query=ns tvb.com.hk
  • Server: fortress.fox.hkntec.net
  • Address: 192.168.128.230
  • Non-authoritative answer:
  • tvb.com.hk nameserver = ns2.hk.linkage.net
  • tvb.com.hk nameserver = ns1.tvb.com
  • tvb.com.hk nameserver = ns2.tvb.com
  • tvb.com.hk nameserver = ns1.hk.linkage.net
  • Authoritative answers can be found from:
  • ns2.hk.linkage.net internet address =
    202.76.4.2
  • ns1.hk.linkage.net internet address =
    202.76.4.1
  • ...

27
Lab1 DNS and Mail nslookup and whois
query: query of tvb.com.hk SOA records
  • csh> nslookup -query=soa tvb.com.hk
  • tvb.com.hk
  • origin = ns1.tvb.com
  • mail addr = dcs.staff.tvb.com
  • serial = 2001101003
  • refresh = 1800 (30M)
  • retry = 600 (10M)
  • expire = 604800 (1W)
  • minimum ttl = 1800 (30M)

28
Lab1 DNS and Mail nslookup and whois
query: query of tvb.com.hk MX records
  • csh> nslookup -query=mx tvb.com.hk
  • Non-authoritative answer:
  • tvb.com.hk preference = 10, mail exchanger =
    mail.tvb.com.hk
  • tvb.com.hk preference = 20, mail exchanger =
    relay.hk.linkage.net
  • tvb.com.hk preference = 30, mail exchanger =
    relay.us.linkage.net
  • Authoritative answers can be found from:
  • tvb.com.hk nameserver = ns1.tvb.com
  • tvb.com.hk nameserver = ns2.tvb.com
  • tvb.com.hk nameserver = ns1.hk.linkage.net
  • tvb.com.hk nameserver = ns2.hk.linkage.net
  • mail.tvb.com.hk internet address = 202.76.104.36
  • ns1.tvb.com internet address = 152.101.96.22
  • ...

29
Lab1 DNS and Mail nslookup and whois
query: query of the reverse mapping of IP
202.76.104.36
  • csh> nslookup 202.76.104.36
  • Server: fortress.fox.hkntec.net
  • Address: 192.168.128.230
  • Name: pc036.tvb.com.hk
  • Address: 202.76.104.36

30
Lab1 DNS and Mail nslookup and whois
query: query of tvb.com.hk whois information
  • csh> whois tvb.com.hk@whois.hkdnr.net.hk
  • [whois.hkdnr.net.hk]
  • Registrant:
  • Television Broadcasts Ltd
  • 19/F, Leightion Ctr.
  • 77 Leighton Rd.
  • HK
  • Domain Name: TVB.COM.HK
  • Record last updated on 27-JUN-96.
  • Record expired on .
  • Record created on 22-APR-96.
  • Contract Type: Unknown.
  • ...

31
Lab1 DNS and Mail nslookup and whois
query: query of pc036.tvb.com.hk IP
202.76.104.36 whois information
  • csh> whois 202.76.104.36@whois.apnic.net
  • [whois.apnic.net]
  • inetnum:  202.76.104.0 - 202.76.104.255
  • netname:  TVB-HK
  • descr:    TVB Co Ltd
  • descr:    Hong Kong
  • country:  HK
  • admin-c:  PN29-AP
  • tech-c:   PN29-AP
  • mnt-by:   MAINT-HK-PSINET
  • changed:  hostinfo@psinet.com.hk 20010612
  • source:   APNIC
  • ...

32
Lab1 DNS and Mail nslookup and whois
query: List of common whois servers
  • whois.apnic.net (Asia-Pacific Region)
  • whois.hkdnr.net.hk (domains under .hk)
  • whois.arin.net (American Registry for Internet Numbers)
  • whois.ripe.net
  • whois.networksolutions.com (domains under .com, .org, .net)
  • whois.internic.net
  • whois.nic.mil
  • whois.nic.gov
  • http://www.allwhois.com/ (other regional whois servers)
33
Lab1 DNS and Mail Anti-spamming and anti-virus
  • Install your viruswall or firewall server to scan
    and filter spam mail and virus mail
  • Point your DNS MX record at your
    viruswall server
  • Point your outgoing SMTP server at
    your viruswall server
  • Configure your viruswall server to forward mail
    to your back-end mail server after it has been scanned
  • Update your viruswall server's virus definitions
    frequently

34
Lab1 DNS and Mail Using viruswall to filter
incoming mail
35
Lab1 DNS and Mail Using viruswall to filter
incoming mail
When a virus/worm is detected, viruswall will
filter out the virus/worm part of the mail and
send a warning message to both sender and
recipient. E.g.:
Sender will receive:
  Subject: Virus Alert
  The mail message (file worm_myparty) you sent to shlam contains a virus.
  (on viruswall)
Recipient will receive:
  ------------------ Virus Warning Message (on viruswall)
  Found virus WORM_MYPARTY.A in file worm_myparty
  The uncleanable file worm_myparty is moved to /etc/iscan/virus/virJOBtCaGlz.
  -------------------------------------------------------
  Sending you a Worm party testing
  ------------------ Virus Warning Message (on viruswall)
  worm_myparty is removed from here because it contains a virus.
36
Lab 2 Public Key Infrastructure (PKI)
  • Asymmetric cryptography vs symmetric cryptography
  • Digital Signature
  • Certificate
  • Certification Authority (CA)
  • Secure Sockets Layer (SSL) protocol

37
Lab 2 PKI
  • Asymmetric cryptography vs symmetric cryptography
  • Symmetric cryptography
  • traditional form of cryptography
  • a single key is used for both encryption and
    decryption
  • the sender and receiver share a key
  • Asymmetric cryptography (public key cryptography)
  • uses two mathematically related keys
  • a message encrypted by one key can only be
    decrypted by the other key
  • receive secure messages by simply publishing one
    key (the public key) and keeping the other secret
    (the private key)

38
Lab 2 PKI
  • Asymmetric cryptography vs symmetric cryptography

39
Lab 2 PKI
  • Digital Signature
  • The digital signature of a document is a piece of
    information based on both the document and the
    signer's private key
  • It is created by encrypting a digest of the
    message, and other information (such as a
    sequence number), with the sender's private key
  • Anyone may decrypt the signature using the public
    key and then compare it with the digest of the message
  • If the digests match, the signature is valid only
    for that message. It also ensures the
    integrity of the message, since no one can change
    the digest and still sign it

40
Lab 2 PKI Digital Signature
41
Lab 2 PKI
  • A public-key infrastructure (PKI) consists of
    protocols, services, and standards supporting
    applications of public-key cryptography.
  • PKI consists of
  • Certificates
  • Certificate Authorities (CA)
  • Certificate Revocation Lists (CRL)
  • Repositories to store public-keys for people

42
Lab 2 PKI
Certificates
Certificates are digital documents
attesting to the binding of a public key to an
individual or other entity. They allow
verification of the claim that a specific public
key does in fact belong to a specific individual.
A certificate also includes identification information as to
who the owner of the certificate is, as well as a
signature by a CA validating that the data hasn't
been forged. Certificates help prevent someone
from using a phony key to impersonate someone
else. In their simplest form, certificates
contain a public key and a name. As commonly
used, a certificate also contains an expiration
date, the name of the certifying authority that
issued the certificate, a serial number, and
perhaps other information.
43
Lab 2 PKI
Certificate Authorities (CA)
Certificates are
issued by a Certificate Authority, who usually
will sign the certificate as well as provide some
revocation facilities.
Certificate Revocation Lists (CRLs)
If the private key is compromised
(i.e. inadvertently made public), then the
certificate containing that key needs to be
"revoked". That essentially means the CA who
assigned the certificate posts the certificate on
its website. This allows people to publicly check
this fact.
Repositories (e.g. LDAP directories)
So that public keys for people can be found.
44
Lab 2 PKI
SSL
The Secure Sockets Layer (SSL) protocol,
originally developed by Netscape, has become the
universal standard on the Web for authenticating
Web sites to Web browser users, and for
encrypting communications between browser users
and Web servers. Because SSL is built into all
major browsers and Web servers, simply installing
a digital certificate, or Server ID, enables SSL
capabilities.
45
Lab 2 PKI
  • How SSL works
  • A customer contacts your site and accesses a
    secured URL, a page secured by a Server ID
    (indicated by a URL that begins with "https"
    instead of just "http", or by a message from the
    browser).
  • Your server responds, automatically sending the
    customer your site's digital certificate, which
    authenticates your site.
  • Your customer's Web browser generates a unique
    "session key" to encrypt all communications with
    the site.
  • The user's browser encrypts the session key
    itself with the site's public key so only the
    site can read the session key.
  • A secure session is now established. It all takes
    only seconds and requires no action by the user.
    Depending on the browser, the user may see a key
    icon becoming whole or a padlock closing,
    indicating that the session is secure.
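The three mechanisms Lab 2 has described so far (hash-then-sign digital signatures, certificates issued and revoked by a CA, and the session-key exchange in the SSL steps above) share one primitive, so a single added Python example covers all of them; it is not code from the lab, from Netscape, or from any SSL library. It uses textbook RSA with small fixed primes and no padding so that it runs with only the standard library; that is enough to show the data flow (who signs what, what the browser checks before it encrypts the session key, and why only the site can recover that key) but is not a usable cryptosystem. The CA name, the site name www.example-lab.test, the serial number and the dates are constructed.

```python
"""Hash-then-sign, certificates with a CRL, and the SSL-style session-key
exchange from the slides, as one self-contained toy.

Added example, not from the lab. Textbook RSA, fixed small primes, no
padding: it illustrates the data flow only."""
import hashlib
import json

E = 65537

def make_key(p, q):
    """Toy RSA key from two primes: returns (public (n, e), private (n, d))."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))        # modular inverse, Python 3.8+

def digest_int(data, n):
    """SHA-256 of the data, reduced into the modulus (toy only, no padding)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(private, data):
    """The slides' digital signature: encrypt the digest with the private key."""
    n, d = private
    return pow(digest_int(data, n), d, n)

def verify(public, data, signature):
    """Decrypt with the public key and compare with a fresh digest."""
    n, e = public
    return pow(signature, e, n) == digest_int(data, n)

def encode(body):
    """Canonical bytes of the certificate fields so both sides hash the same thing."""
    return json.dumps(body, sort_keys=True).encode()

def issue_certificate(ca_private, ca_name, subject, subject_public, serial, not_after):
    """Certificate in the slides' sense: public key, name, issuer, serial,
    expiry, and the CA's signature over all of it."""
    body = {"subject": subject, "public_key": list(subject_public),
            "issuer": ca_name, "serial": serial, "not_after": not_after}
    return {"body": body, "signature": sign(ca_private, encode(body))}

def verify_certificate(cert, ca_public, crl, now):
    """Check CA signature, expiry and revocation; return (ok, reason)."""
    body = cert["body"]
    if not verify(ca_public, encode(body), cert["signature"]):
        return False, "bad CA signature"
    if now > body["not_after"]:
        return False, "expired"
    if body["serial"] in crl:
        return False, "revoked"
    return True, "valid"

def client_hello(cert, ca_public, crl, now, session_key):
    """Browser side of the slides' SSL steps: verify the site's certificate,
    then encrypt the session key with the site's public key."""
    ok, reason = verify_certificate(cert, ca_public, crl, now)
    if not ok:
        raise ValueError("certificate rejected: " + reason)
    n, e = cert["body"]["public_key"]
    return pow(session_key, e, n)

def server_receive(server_private, encrypted_key):
    """Only the holder of the site's private key recovers the session key."""
    n, d = server_private
    return pow(encrypted_key, d, n)

# Constructed keys: fixed primes keep the example deterministic.
CA_PUBLIC, CA_PRIVATE = make_key(2**31 - 1, 2**61 - 1)
SITE_PUBLIC, SITE_PRIVATE = make_key(1000000007, 1000000009)
SITE_CERT = issue_certificate(CA_PRIVATE, "Lab CA", "www.example-lab.test",
                              SITE_PUBLIC, serial=1001, not_after=20030101)
CRL = set()                      # serials the CA has revoked

def demo(now=20020122, session_key=0x5EED):
    """Run the exchange end to end; True when both sides hold the same key."""
    encrypted = client_hello(SITE_CERT, CA_PUBLIC, CRL, now, session_key)
    return server_receive(SITE_PRIVATE, encrypted) == session_key

if __name__ == "__main__":
    print("session established:", demo())
```

Adding the site's serial to `CRL` makes `client_hello` refuse the certificate before any session key is sent, which is the check the CRL slide describes; changing one byte of the certificate body invalidates the CA signature in the same way that changing a signed message invalidates its digest.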

46
Lab2 PKI How SSL works
47
Lab2 PKI PKI Lab
  • Set up a Secure Web server
  • Build your CA Server
  • Sign a server cert and user cert
  • Set up Client Authentication and Access Control

48
Lab3 Network Monitoring and Debugging
  • Network trouble shoot tools
  • Traffic analysis by tcpdump
  • Tools for traffic analysis
  • Simple Network Management Protocol (SNMP)
  • Multi Router Traffic Grapher (MRTG)

49
Lab3 Network Monitoring and Debugging
  • Network troubleshooting tools
  • ifconfig
  • It provides information about the basic
    configuration of the interface. It is useful for
    detecting bad IP addresses, incorrect subnet
    masks, and improper broadcast addresses
  • E.g.
  • csh> ifconfig -a
  • eth0 Link encap:Ethernet HWaddr
    00:D0:09:28:F9:F9
  • inet addr:192.168.64.23 Bcast:192.168.64.255
    Mask:255.255.255.0
  • UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
  • RX packets:10113996 errors:231 dropped:0
    overruns:0 frame:231
  • TX packets:2575002 errors:0 dropped:0 overruns:0
    carrier:0
  • collisions:0 txqueuelen:100
  • Interrupt:3 Base address:0xc000

50
Lab3 Network Monitoring and Debugging
  • Network troubleshooting tools
  • Check the error packet and collision values
  • The input errors/input packets ratio and output
    errors/output packets ratio should be < 0.025
  • Large input errors => the interface just discards
    the packet
  • there may be faulty hardware on the network
    (faulty hardware can be anything from another
    computer system that is generating packets
    improperly to a bad connector or terminator)
  • or your system cannot receive packets fast enough

51
Lab3 Network Monitoring and Debugging
  • Network troubleshooting tools
  • Check the error packet and collision values
  • Large output errors => your system's network
    interface is faulty
  • something is wrong with the CPU or the Ethernet cable
  • the problem should be local, not from outside
  • Collisions are normal events and don't indicate
    hardware problems. However, if collisions/output
    packets > 10% constantly => network overloaded

52
Lab3 Network Monitoring and Debugging
  • Network troubleshooting tools
  • Check the error packet and collision values
  • Besides "ifconfig -a", "netstat -i" and "cat
    /proc/net/dev" can also show the input and output
    packet statistics
  • e.g.
  • ntec23/tmp> netstat -i
  • Kernel Interface table
  • Iface  MTU Met    RX-OK RX-ERR RX-DRP RX-OVR   TX-OK TX-ERR TX-DRP TX-OVR Flg
  • eth0  1500   0 10153378    231      0      0 2588097      0      0      0 BRU
  • lo    3924   0    14174      0      0      0   14174      0      0      0 LRU
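The thresholds on the three slides above (error ratios below 0.025, collisions above 10% of output packets meaning an overloaded network) are easy to apply by hand once, but a monitoring script applies them every time. The Python below is an added example, not part of the lab: it parses "netstat -i" output in the slide's layout using the header row for column names, then grades each interface with the slides' rules. The sample text is the slide's two interfaces plus one constructed interface (eth1) with a bad error ratio; since "netstat -i" has no collision column, the collision count from ifconfig is passed in separately.

```python
"""Apply the slides' interface-health rules to netstat -i counters.

Added example, not from the lab. Sample output: the slide's eth0 and lo,
plus a constructed eth1 with too many input errors."""

NETSTAT_I = """\
Kernel Interface table
Iface   MTU Met    RX-OK RX-ERR RX-DRP RX-OVR   TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0   1500   0 10153378    231      0      0 2588097      0      0      0 BRU
lo     3924   0    14174      0      0      0   14174      0      0      0 LRU
eth1   1500   0   200000   9000      0      0  100000    500      0      0 BRU
"""

ERROR_RATIO_LIMIT = 0.025      # from the slides: errors/packets should be < 0.025
COLLISION_RATIO_LIMIT = 0.10   # from the slides: collisions/output > 10% => overloaded

def parse_netstat_i(text):
    """Return {iface: {column: int, ...}}, naming columns from the header row."""
    header, table = None, {}
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "Iface":
            header = fields
            continue
        if header is None or len(fields) != len(header):
            continue                      # title line or malformed row
        row = dict(zip(header, fields))
        table[row["Iface"]] = {k: int(v) for k, v in row.items()
                               if k not in ("Iface", "Flg")}
    return table

def ratio(num, den):
    return num / den if den else 0.0

def assess(counters, collisions=0):
    """Findings for one interface, worded after the slides' diagnoses."""
    findings = []
    rx_err = ratio(counters["RX-ERR"], counters["RX-OK"])
    tx_err = ratio(counters["TX-ERR"], counters["TX-OK"])
    if rx_err >= ERROR_RATIO_LIMIT:
        findings.append("input error ratio %.3f: faulty hardware on the network "
                        "or this host cannot receive fast enough" % rx_err)
    if tx_err >= ERROR_RATIO_LIMIT:
        findings.append("output error ratio %.3f: local interface, CPU or cable fault"
                        % tx_err)
    if ratio(collisions, counters["TX-OK"]) > COLLISION_RATIO_LIMIT:
        findings.append("collisions above 10% of output packets: network overloaded")
    return findings

def report(text, collisions_by_iface=None):
    """Map each interface to its findings (empty list means healthy)."""
    collisions_by_iface = collisions_by_iface or {}
    return {name: assess(counters, collisions_by_iface.get(name, 0))
            for name, counters in parse_netstat_i(text).items()}

if __name__ == "__main__":
    for name, findings in report(NETSTAT_I).items():
        print(name, findings or "ok")
```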

53
Lab3 Network Monitoring and Debugging
  • Network troubleshooting tools
  • Measure the throughput between two points
  • ttcp
  • At the receive side: ttcp -r -s
  • At the send side: ttcp -t -s receive_side_host_name
  • For example, ntec94/root> ttcp -t -s ntec93
  • ttcp-t: buflen=8192, nbuf=2048, align=16384/0,
    port=5001 tcp -> ntec93
  • ttcp-t: socket
  • ttcp-t: connect
  • ttcp-t: 16777216 bytes in 2.05 real seconds =
    7978.76 KB/sec
  • ttcp-t: 2048 I/O calls, msec/call = 1.03,
    calls/sec = 997.35

54
Lab3 Network Monitoring and Debugging
  • Network troubleshooting tools
  • Measure the throughput between two points
  • ftp
  • You can use ftp to get a very large file to
    local /dev/null so that your ftp transfer rate
    will not be affected by your host's disk I/O
  • E.g.
  • ftp> get pkg.tar /dev/null
  • local: /dev/null remote: pkg.tar
  • 200 PORT command successful.
  • 150 Opening BINARY mode data connection for
    pkg.tar (63006720 bytes).
  • 226 Transfer complete.
  • 63006720 bytes received in 6.7 seconds (9.2e+03
    Kbytes/s)

55
Lab3 Network Monitoring and Debugging
  • Network trouble shoot tools
  • Check the routing table by using netstat
  • The routing decisions are quite simple
  • If the destination host is on the local network,
    the data is delivered to the destination host.
  • If the destination host is on a remote network,
    the data is forwarded to a local gateway.
  • You can display the routing table's contents with
    the netstat -ner command.

56
Lab3 Network Monitoring and Debugging
  • Network troubleshooting tools
  • Check the routing table by using netstat
  • E.g.
  • csh> netstat -ren
  • Kernel IP routing table
  • Destination     Gateway         Genmask         Flags Metric Ref Use Iface
  • 192.168.20.11   0.0.0.0         255.255.255.255 UH    0      0   0   eth0
  • 192.168.20.0    0.0.0.0         255.255.255.0   U     0      0   0   eth0
  • 127.0.0.0       0.0.0.0         255.0.0.0       U     0      0   0   lo
  • 0.0.0.0         192.168.20.254  0.0.0.0         UG    0      0   0   eth0

57
Lab3 Network Monitoring and Debugging
  • Network troubleshooting tools
  • Address Resolution by using arp
  • The physical networks that underlie the TCP/IP
    network do not understand IP addressing. Physical
    networks have their own addressing schemes. One
    task of the network access protocols is to map IP
    addresses to physical network addresses.
  • The most common example of this network access
    layer function is the translation of IP addresses
    to Ethernet addresses. The protocol that performs
    this function is the Address Resolution Protocol
    (ARP).

58
Lab3 Network Monitoring and Debugging
  • Network trouble shoot tools
  • Address Resolution by using arp
  • The ARP software maintains a table of
    translations between IP addresses and Ethernet
    addresses. This table is built dynamically. When
    ARP receives a request to translate an IP
    address, it checks for the address in its table.
    If the address is found, it returns the Ethernet
    address to the requesting software. If the
    address is not found in the table, ARP broadcasts
    a packet to every host on the Ethernet. The
    packet contains the IP address for which an
    Ethernet address is sought. If a receiving host
    identifies the IP address as its own, it responds
    by sending its Ethernet address back to the
    requesting host. The response is then cached in
    the ARP table.

59
Lab3 Network Monitoring and Debugging
  • Network troubleshooting tools
  • Address Resolution by using arp
  • The arp command displays the contents of the ARP
    table. To display the entire ARP table in cache,
    use the arp -a command.
  • e.g.
  • ntec23/tmp> /sbin/arp -a
  • router.arm.hkntec.net (192.168.64.254) at
    00:B0:D0:11:CB:4B [ether] on eth0
  • castle (192.168.64.230) at 00:B0:D0:22:0A:28
    [ether] on eth0
  • athena (192.168.64.232) at 00:01:02:3A:93:25
    [ether] on eth0
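The routing slides (deliver directly if the destination is on the local network, otherwise hand the packet to a gateway) and the ARP slides (look the next hop up in the cache, broadcast if it is missing) are the two halves of one decision, so one added Python example covers both; it is not part of the lab. It parses the slide's "netstat -ren" table and an "arp -a" cache in the slide's format, picks the route by longest-prefix match, chooses the next hop (the destination itself or the gateway), and resolves that next hop through the cache. The ARP entries are constructed on the routing table's 192.168.20.0/24 network, reusing the slide's MAC addresses, so that the two outputs describe the same host; the slide's own arp output was taken on a different machine.

```python
"""Next-hop selection from the slides' routing table, then ARP resolution.

Added example, not from the lab. Routing table text is the slide's; the ARP
cache is constructed to match it."""
import ipaddress

ROUTING_TABLE = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref Use Iface
192.168.20.11   0.0.0.0         255.255.255.255 UH    0      0   0   eth0
192.168.20.0    0.0.0.0         255.255.255.0   U     0      0   0   eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0   0   lo
0.0.0.0         192.168.20.254  0.0.0.0         UG    0      0   0   eth0
"""

# Constructed cache on the routing table's network (MACs reused from the slide).
ARP_CACHE = """\
router-20.hkntec.net (192.168.20.254) at 00:B0:D0:11:CB:4B [ether] on eth0
castle (192.168.20.230) at 00:B0:D0:22:0A:28 [ether] on eth0
"""

def parse_routes(text):
    """Rows of netstat -ren as dicts; Genmask is folded into an ip_network."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 8 and f[0][0].isdigit():
            net = ipaddress.ip_network("%s/%s" % (f[0], f[2]), strict=False)
            routes.append({"net": net, "gateway": f[1], "flags": f[3], "iface": f[7]})
    return routes

def parse_arp(text):
    """arp -a lines -> {ip: mac}."""
    cache = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 4 and f[1].startswith("("):
            cache[f[1].strip("()")] = f[3]
    return cache

def next_hop(routes, destination):
    """Longest-prefix match. Returns (next_hop_ip, iface, kind)."""
    dest = ipaddress.ip_address(destination)
    best = max((r for r in routes if dest in r["net"]),
               key=lambda r: r["net"].prefixlen, default=None)
    if best is None:
        return None, None, "network unreachable"     # the ping error of that name
    if "G" in best["flags"]:
        return best["gateway"], best["iface"], "via gateway"
    return destination, best["iface"], "direct"

def resolve(arp_cache, ip):
    """ARP step: cached Ethernet address, or note that a broadcast goes out."""
    return arp_cache.get(ip, "not cached: ARP request broadcast for %s" % ip)

def deliver(routes, arp_cache, destination):
    """Describe how a packet to 'destination' leaves this host."""
    hop, iface, kind = next_hop(routes, destination)
    if hop is None:
        return kind
    return "%s on %s -> %s" % (kind, iface, resolve(arp_cache, hop))

if __name__ == "__main__":
    routes, arp = parse_routes(ROUTING_TABLE), parse_arp(ARP_CACHE)
    for dst in ("192.168.20.230", "192.168.20.99", "210.80.60.12"):
        print(dst, ":", deliver(routes, arp, dst))
```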

60
Lab3 Network Monitoring and Debugging
  • Network trouble shoot tools
  • Testing Basic Connectivity by ping
  • The ping command tests whether a remote host can
    be reached from your computer. If ping shows that
    packets can travel to the remote system and back,
    the user's problem is probably in the upper
    layers. If packets can't make the round trip,
    lower protocol layers are probably at fault.
  • If your ping fails, or the user's ping fails,
    pay close attention to any error messages. The
    error messages displayed by ping are helpful
    guides for planning further testing.

61
Lab3 Network Monitoring and Debugging
  • Network trouble shoot tools
  • Testing Basic Connectivity by ping
  • Common ping error messages
  • Unknown host
  • The remote host's name cannot be resolved by
    name service into an IP address. The name servers
    could be at fault (either your local server or
    the remote system's server), the name could be
    incorrect, or something could be wrong with the
    network between your system and the remote name
    server. If you know the remote host's IP address,
    try to ping that. If you can reach the host using
    its IP address, the problem is with name service.

62
Lab3 Network Monitoring and Debugging
  • Network trouble shoot tools
  • Testing Basic Connectivity by ping
  • Common ping error messages
  • Network unreachable
  • The local system does not have a route to the
    remote system. If the numeric IP address was used
    on the ping command line, re-enter the ping
    command using the hostname. This eliminates the
    possibility that the IP address was entered
    incorrectly, or that you were given the wrong
    address. If a routing protocol is being used,
    make sure it is running and check the routing
    table with netstat.

63
Lab3 Network Monitoring and Debugging
  • Network trouble shoot tools
  • Testing Basic Connectivity by ping
  • Common ping error messages
  • No answer
  • The remote system did not respond. Some network
    utilities may report this message as "100% packet
    loss", "Connection timed out" or "cannot
    connect." All of these errors mean the same
    thing. The local system has a route to the remote
    system, but it receives no response from the
    remote system to any of the packets it sends.

64
Lab3 Network Monitoring and Debugging
  • Network trouble shoot tools
  • Testing Basic Connectivity by ping
  • Common ping error messages
  • No answer
  • There are many possible causes of this problem.
  • The remote host may be down.
  • Either the local or the remote host may be
    configured incorrectly.
  • A gateway or circuit between the local host and
    the remote host may be down.
  • The remote host may have routing problems.
  • Only additional testing can isolate the cause of
    the problem. Carefully check the local
    configuration using netstat and ifconfig. Check
    the route to the remote system with traceroute.

65
Lab3 Network Monitoring and Debugging
  • Network trouble shoot tools
  • Tracing Routes using traceroute
  • If the local routing table is correct, the
    problem may be occurring some distance away from
    the local host. Remote routing problems can cause
    the "no answer" error message, as well as the
    "network unreachable" error message. But the
    "network unreachable" message does not always
    signify a routing problem. It can mean that the
    remote network cannot be reached because
    something is down between the local host and the
    remote destination. traceroute is the program
    that can help you locate these problems.
  • traceroute traces the route of UDP packets from
    the local host to a remote host. It prints the
    name (if it can be determined) and IP address of
    each gateway along the route to the remote host.

66
Lab3 Network Monitoring and Debugging
  • Network trouble shoot tools
  • Tracing Routes using traceroute
  • traceroute uses two techniques, small ttl
    (time-to-live) values and an invalid port number,
    to trace packets to their destination. traceroute
    sends out UDP packets with small ttl values to
    detect the intermediate gateways. The ttl values
    start at 1 and increase in increments of 1 for
    each group of three UDP packets sent. When a
    gateway receives a packet, it decrements the ttl.
    If the ttl is then 0, the packet is not forwarded
    and an ICMP "Time Exceeded" message is returned
    to the source of the packet. traceroute displays
    one line of output for each gateway from which it
    receives a "Time Exceeded" message.

67
Lab3 Network Monitoring and Debugging
  • Network trouble shoot tools
  • Tracing Routes using traceroute
  • When the destination host receives a packet from
    traceroute, it returns an ICMP "Unreachable Port"
    message. This happens because traceroute
    intentionally uses an invalid port number (33434)
    to force this error. When traceroute receives the
    "Unreachable Port" message, it knows that it has
    reached the destination host, and it terminates
    the trace. So, traceroute is able to develop a
    list of the gateways, starting at one hop away
    and increasing one hop at a time until the remote
    host is reached.
  • traceroute sends out three packets at each ttl
    value. If no response is received to a packet,
    traceroute prints an asterisk (*). If a response
    is received, traceroute displays the name and
    address of the gateway that responded, and the
    packet's round-trip time in milliseconds.

68
Lab3 Network Monitoring and Debugging
  • Network troubleshooting tools
  • Tracing Routes using traceroute
  • E.g.
  • ntec1-20/tmp> nslookup www.i-cable.com
  • Non-authoritative answer:
  • Name: www.i-cable.com
  • Address: 210.80.60.12
  • ntec1-20/tmp> traceroute www.i-cable.com
  • traceroute to www.i-cable.com (210.80.60.12), 30
    hops max, 38 byte packets
  • 1 router-20.hkntec.net (192.168.20.254) 0.515
    ms 0.389 ms 0.413 ms
  • 2 router-250.hkntec.net (192.168.250.254)
    0.822 ms 0.456 ms 0.503 ms
  • 3 router99.ie.cuhk.edu.hk (137.189.99.254)
    1.204 ms 4.987 ms 1.307 ms
  • 4 137.189.200.250 (137.189.200.250) 8.217 ms
    30.299 ms 1.276 ms
  • 5 vpn.cuhk.edu.hk (137.189.192.238) 2.278 ms
    2.332 ms 2.032 ms
  • 6 i-cable2-PVC.hkix.net (202.40.161.155) 3.684
    ms 3.628 ms 4.716 ms
  • 7 flute.i-cable.com (210.80.60.12) 4.792 ms
    4.839 ms
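The three traceroute slides describe an algorithm (increase the TTL by one per round, three probes per TTL, read the ICMP "Time Exceeded" replies, stop at the "Port Unreachable" from the destination) that is easiest to understand by running it against a model network. The Python below is an added simulation, not real network code and not part of the lab: the path is the seven hops from the slide's sample trace, each gateway decrements the TTL and answers when it reaches zero, and the destination answers "Port Unreachable" because nothing listens on UDP port 33434. Probe loss and the round-trip times are constructed, so the asterisk handling can be seen without a real lossy link.

```python
"""Simulation of the traceroute algorithm the slides describe.

Added example; not real network code. Path from the slide's sample output,
loss pattern and RTTs constructed."""

PATH = [  # (name, ip) from the slide, first gateway to destination
    ("router-20.hkntec.net", "192.168.20.254"),
    ("router-250.hkntec.net", "192.168.250.254"),
    ("router99.ie.cuhk.edu.hk", "137.189.99.254"),
    ("137.189.200.250", "137.189.200.250"),
    ("vpn.cuhk.edu.hk", "137.189.192.238"),
    ("i-cable2-PVC.hkix.net", "202.40.161.155"),
    ("flute.i-cable.com", "210.80.60.12"),
]
TRACEROUTE_PORT = 33434          # deliberately invalid port, as the slides say
PROBES_PER_TTL = 3
DEST_LISTENING = set()           # constructed: the destination has no UDP listeners

def send_probe(path, ttl, probe, dport=TRACEROUTE_PORT, lost=frozenset()):
    """Forward one UDP probe along the path and return the ICMP reply.

    Reply is (kind, (name, ip)) with kind 'time-exceeded' or 'port-unreachable',
    or None when the reply is lost. 'lost' holds (hop_number, probe_index)."""
    *gateways, destination = path
    for hop, gateway in enumerate(gateways, start=1):
        ttl -= 1                                  # every gateway decrements TTL
        if ttl == 0:                              # not forwarded; ICMP back to source
            return None if (hop, probe) in lost else ("time-exceeded", gateway)
    if dport in DEST_LISTENING:
        return None                               # a listener would just take the datagram
    dest_hop = len(path)
    return None if (dest_hop, probe) in lost else ("port-unreachable", destination)

def traceroute(path, max_hops=30, lost=frozenset()):
    """Return the output lines, one per TTL, in the slide's format."""
    lines = []
    for ttl in range(1, max_hops + 1):
        responder, rtts = None, []
        for probe in range(PROBES_PER_TTL):
            reply = send_probe(path, ttl, probe, lost=lost)
            if reply is None:
                rtts.append("*")
            else:
                responder = reply
                rtts.append("%.3f ms" % (0.4 * ttl + 0.1 * probe))   # constructed RTT
        name_ip = "%s (%s)" % responder[1] if responder else ""
        lines.append("%2d %s %s" % (ttl, name_ip, " ".join(rtts)))
        if responder and responder[0] == "port-unreachable":
            break                                 # destination reached: stop
    return lines

if __name__ == "__main__":
    print("\n".join(traceroute(PATH, lost={(3, 1), (7, 2)})))
```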

69
Lab3 Network Monitoring and Debugging
  • Flow of traceroute packets

70
Lab3 Network Monitoring and Debugging
  • Network troubleshooting tools
  • Checking network connections by netstat
  • e.g.
  • ntec23/tmp> netstat -tu
  • Active Internet connections (w/o servers)
  • Proto Recv-Q Send-Q Local Address    Foreign Address    State
  • tcp        0      0 ntec23:646       castle:988         TIME_WAIT
  • tcp        0      0 ntec23:643       castle:988         TIME_WAIT
  • tcp        0      0 ntec23:www       router:2294        TIME_WAIT
  • tcp        0      0 ntec23:www       router:2293        TIME_WAIT
  • tcp        0      0 ntec23:641       castle:988         TIME_WAIT
  • tcp        0      0 ntec23:www       router:2293        TIME_WAIT
  • tcp        0      0 ntec23:637       castle:988         TIME_WAIT
  • tcp        0      0 ntec23:2907      ntec93:domain      TIME_WAIT
  • tcp        0      0 ntec23:2906      ntec93:domain      TIME_WAIT
  • tcp        0      0 ntec23:ftp       ntec4:3446         ESTABLISHED
  • tcp        0   1216 ntec23:ssh       ntec4:1018         ESTABLISHED

71
Lab3 Network Monitoring and Debugging
  • Network troubleshooting tools
  • Checking network connections by netstat
  • netstat OUTPUT
  • Proto
  • The protocol (tcp, udp, raw) used by the
    socket.
  • Recv-Q
  • The count of bytes not copied by the user
    program connected to this socket.
  • Send-Q
  • The count of bytes not acknowledged by the
    remote host.
  • Local Address
  • The local address (local hostname) and
    port number of the socket. Unless the -n
    switch is given, the socket address is
    resolved to its canonical hostname, and the port
    number is translated into the corresponding
    service name.
  • Foreign Address
  • The remote address (remote hostname) and
    port number of the socket. As with the
    local address:port, the -n switch turns off
    hostname and service name resolution.

72
Lab3 Network Monitoring and Debugging
  • Network trouble shoot tools
  • Checking network connection by netstat
  • netstat OUTPUT
  • State
  • ESTABLISHED
  • The socket has an established
    connection.
  • SYN_SENT
  • The socket is actively attempting
    to establish a connection.
  • SYN_RECV
  • A connection request has been
    received from the network.
  • FIN_WAIT1
  • The socket is closed, and the
    connection is shutting down.
  • FIN_WAIT2
  • Connection is closed, and the
    socket is waiting for a shutdown from the remote
    end.
  • TIME_WAIT
  • The socket is waiting after close
    to handle packets still in the network.

73
Lab3 Network Monitoring and Debugging
  • Network trouble shoot tools
  • Checking network connection by netstat
  • netstat OUTPUT
  • State
  • CLOSED
  • The socket is not being used.
  • CLOSE_WAIT
  • The remote end has shut down,
    waiting for the socket to close.
  • LAST_ACK
  • The remote end shut down, and the
    socket is closed. Waiting for acknowledgement.
  • LISTEN
  • The socket is listening for incoming
    connections. Those sockets are only displayed if
    the -a,--listening switch is set.
  • CLOSING
  • Both sockets are shut down but we
    still don't have all our data sent.
  • UNKNOWN
  • The state of the socket is unknown.
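The state column is the one a troubleshooter reads first, so here is an added example (not part of the slides) that parses the netstat -tu layout shown on slide 70 and answers the two questions the state table raises: which local services have sockets piling up in SYN_RECV (half-open handshakes that never completed), and which established sessions carry an unacknowledged Send-Q. The sample listing is constructed for the example; its hosts, ports and the SYN_RECV rows are invented, and the column layout is the one assumed from the slide.

```python
import re
from collections import Counter

# Constructed sample in the layout of the "netstat -tu" listing on the slide.
# Hostnames, ports and the SYN_RECV rows are invented for this example.
SAMPLE_NETSTAT = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 ntec23:www              router:2294             TIME_WAIT
tcp        0      0 ntec23:www              router:2293             TIME_WAIT
tcp        0      0 ntec23:ftp              ntec4:3446              ESTABLISHED
tcp        0   1216 ntec23:ssh              ntec4:1018              ESTABLISHED
tcp        0      0 ntec23:www              10.0.0.7:40001          SYN_RECV
tcp        0      0 ntec23:www              10.0.0.7:40002          SYN_RECV
tcp        0      0 ntec23:www              10.0.0.7:40003          SYN_RECV
udp        0      0 ntec23:domain           ntec93:2907             ESTABLISHED
"""

# One connection row: Proto Recv-Q Send-Q Local Foreign [State]
ROW_RE = re.compile(
    r"^(?P<proto>tcp|udp|raw)6?\s+(?P<recvq>\d+)\s+(?P<sendq>\d+)\s+"
    r"(?P<local>\S+)\s+(?P<foreign>\S+)(?:\s+(?P<state>[A-Z_0-9]+))?\s*$"
)


def split_endpoint(endpoint):
    """'ntec23:www' -> ('ntec23', 'www'); the port follows the last colon,
    so an IPv6 endpoint such as '::1:22' still splits correctly."""
    host, _, port = endpoint.rpartition(":")
    return host, port


def parse_netstat(text):
    """Turn netstat -tu output into a list of dicts, skipping the two header
    lines and anything that is not a connection row."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        lhost, lport = split_endpoint(m["local"])
        fhost, fport = split_endpoint(m["foreign"])
        rows.append({
            "proto": m["proto"], "recvq": int(m["recvq"]), "sendq": int(m["sendq"]),
            "local_host": lhost, "local_port": lport,
            "foreign_host": fhost, "foreign_port": fport,
            "state": m["state"] or "",
        })
    return rows


def state_counts(rows):
    """Count rows per (local service, state), e.g. ('www', 'TIME_WAIT')."""
    return Counter((r["local_port"], r["state"]) for r in rows)


def half_open_services(rows, threshold=3):
    """Local services with at least `threshold` sockets stuck in SYN_RECV:
    many half-open handshakes on one port is the classic SYN-flood symptom."""
    syn_recv = Counter(r["local_port"] for r in rows if r["state"] == "SYN_RECV")
    return {svc: n for svc, n in syn_recv.items() if n >= threshold}


def pending_send(rows):
    """Rows with a non-zero Send-Q: bytes the remote host has not acknowledged,
    which on a long-lived session hints at a stalled or unreachable peer."""
    return [r for r in rows if r["sendq"] > 0]


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    for (svc, state), n in sorted(state_counts(rows).items()):
        print(f"{svc:8} {state:12} {n}")
    print("half-open:", half_open_services(rows))
    print("unacked send-q:", [(r["local_port"], r["sendq"]) for r in pending_send(rows)])
```

Run it against real output with `netstat -tun | python3 script.py` style piping after replacing the sample; with -n the host and port columns are numeric, which the regex also accepts.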

74
Lab3 Network Monitoring and Debugging
75
Lab3 Network Monitoring and Debugging
Traffic analysis by using tcpdump
tcpdump is a very powerful and easy-to-use tool for
protocol packet capture. It captures packets from an
Ethernet interface in promiscuous mode and displays
their contents. Numerous options exist to filter the
output down to only those packets of interest.
76
Lab3 Network Monitoring and Debugging
Traffic analysis by using tcpdump
Here are some basic examples:
  • tcpdump            dump all packets
  • tcpdump -e         dump the packet header too
  • tcpdump -ex        dump the packet header and the packet content in hex
  • tcpdump -exa       dump the packet header and the packet content in hex and ascii
  • tcpdump -c 500     dump 500 packets and exit
77
Lab3 Network Monitoring and Debugging
Traffic analysis by using tcpdump
Here are some basic examples:
  • tcpdump -c 500 -w dump.log   dump 500 packets and write them to the dump.log file
  • tcpdump -r dump.log          read the packets from dump.log rather than the network interface
  • tcpdump tcp                  dump tcp packets only
  • tcpdump udp                  dump udp packets only
  • tcpdump -ex broadcast        dump broadcast packets only, with packet header and content
78
Lab3 Network Monitoring and Debugging
Traffic analysis by using tcpdump
Here are some basic examples:
  • tcpdump -exs 500     dump packet header and content with packet length up to 500 bytes. The default display packet length is 64
  • tcpdump greater 512  dump packets whose packet length is greater than 512
  • tcpdump less 512     dump packets whose packet length is less than 512
  • tcpdump host ntec23  dump packets from and to host ntec23 only
  • tcpdump port 21      dump ftp packets only
79
Lab3 Network Monitoring and Debugging
Traffic analysis by using tcpdump
The output of tcpdump is protocol dependent. The three
most common protocols are ARP, TCP and UDP.

ARP:

    csh> tcpdump arp
    tcpdump: listening on eth0
    15:26:28.340765 arp who-has router-20.hkntec.net tell ntec10-20
    15:26:28.340780 arp reply router-20.hkntec.net is-at 03fdfa301c
    15:26:39.019795 arp who-has router-20.hkntec.net tell ntec4-20
    15:26:39.029743 arp reply router-20.hkntec.net is-at 03fdfa301c
    15:26:45.499830 arp who-has router-20.hkntec.net tell ntec7-20
80
Lab3 Network Monitoring and Debugging
Traffic analysis by using tcpdump
The output of tcpdump is protocol dependent. The three
most common protocols are ARP, TCP and UDP.

TCP:

    csh> tcpdump tcp port finger
    tcpdump: listening on eth0
    15:30:05.772726 ntec2.ie.cuhk.edu.hk.1693 > ntec3-20.finger: S 111695275:111695275(0) win 32120 <mss 1460,sackOK,timestamp 508816181[|tcp]> (DF)
    15:30:05.772730 ntec3-20.finger > ntec2.ie.cuhk.edu.hk.1693: S 1844880867:1844880867(0) ack 111695276 win 32120 <mss 1460,sackOK,timestamp 588729366[|tcp]> (DF)
    15:30:05.772850 ntec2.ie.cuhk.edu.hk.1693 > ntec3-20.finger: . ack 1 win 32120 <nop,nop,timestamp 508816181 588729366> (DF)
    15:30:05.773817 ntec2.ie.cuhk.edu.hk.1693 > ntec3-20.finger: P 1:3(2) ack 1 win 32120 <nop,nop,timestamp 508816181 588729366> (DF)
    15:30:05.773820 ntec3-20.finger > ntec2.ie.cuhk.edu.hk.1693: . ack 3 win 32120 <nop,nop,timestamp 588729366 508816181> (DF)
    15:30:05.840632 ntec3-20.finger > ntec2.ie.cuhk.edu.hk.1693: P 1:20(19) ack 3 win 32120 <nop,nop,timestamp 588729373 508816181> (DF)
    15:30:05.840638 ntec3-20.finger > ntec2.ie.cuhk.edu.hk.1693: F 20:20(0) ack 3 win 32120 <nop,nop,timestamp 588729373 508816181> (DF)
    15:30:05.840642 ntec2.ie.cuhk.edu.hk.1693 > ntec3-20.finger: . ack 20 win 32101 <nop,nop,timestamp 508816188 588729373> (DF)
    15:30:05.840645 ntec2.ie.cuhk.edu.hk.1693 > ntec3-20.finger: . ack 21 win 32100 <nop,nop,timestamp 508816188 588729373> (DF)
    15:30:05.840687 ntec2.ie.cuhk.edu.hk.1693 > ntec3-20.finger: F 3:3(0) ack 21 win 32120 <nop,nop,timestamp 508816188 588729373> (DF)
    15:30:05.840688 ntec3-20.finger > ntec2.ie.cuhk.edu.hk.1693: . ack 4 win 32120 <nop,nop,timestamp 588729373 508816188> (DF)
81
Lab3 Network Monitoring and Debugging
Traffic analysis by using tcpdump
The output of tcpdump is protocol dependent. The three
most common protocols are ARP, TCP and UDP.

TCP: The general format of a tcp protocol line is

    src > dst: flags data-seqno ack window urgent options

src and dst are the source and destination IP
addresses and ports. flags are some combination of
S (SYN), F (FIN), P (PUSH) or R (RST), or a single
`.' (no flags). data-seqno (e.g. 1:3(2)) gives the
first and last sequence number of the data in the
packet and, in parentheses, its byte count; ack is
the next sequence number expected from the other side.
82
Lab3 Network Monitoring and Debugging
Traffic analysis by using tcpdump
The output of tcpdump is protocol dependent. The three
most common protocols are ARP, TCP and UDP.

UDP:

    csh> tcpdump udp
    tcpdump: listening on eth0
    15:33:41.300667 ntec1-20.syslog > ntec16-36.syslog: udp 44
    15:33:41.301376 ntec1-20.syslog > ntec16-36.syslog: udp 49
    15:33:41.313577 ntec1-20.699 > fortress.989: udp 92
    15:33:41.314269 fortress.989 > ntec1-20.699: udp 68
    15:33:42.900653 ntec3-20.649 > fortress.989: udp 56
    15:33:42.901399 ntec1-20.700 > fortress.989: udp 92
    15:33:42.899936 fortress.989 > ntec3-20.649: udp 28
    15:33:42.900232 fortress.989 > ntec1-20.700: udp 64
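The three output formats on slides 79 to 82 are regular enough to parse, and reading them by program is how a capture turns into something checkable. The following is an added example (not from the slides or from tcpdump itself) that classifies each line as ARP, TCP or UDP using the `src > dst: flags data-seqno ack window options` layout described above, then rebuilds the finger session: who sent the SYN, whether the three-way handshake completed, how many payload bytes each side sent, and whether both FINs were seen. The sample lines are the slides' own ARP, finger and syslog lines with the `:`, `<`, `>` and `[|tcp]` characters the transcript dropped restored; the MAC address is left as the transcript shows it.

```python
import re
from collections import defaultdict

# Constructed sample: the ARP, TCP (finger) and UDP lines from the slides with
# the ':' '<' '>' and '[|tcp]' characters the transcript dropped restored.
SAMPLE_LINES = [
    "15:26:28.340765 arp who-has router-20.hkntec.net tell ntec10-20",
    "15:26:28.340780 arp reply router-20.hkntec.net is-at 03fdfa301c",
    "15:26:39.019795 arp who-has router-20.hkntec.net tell ntec4-20",
    "15:30:05.772726 ntec2.ie.cuhk.edu.hk.1693 > ntec3-20.finger: S 111695275:111695275(0) win 32120 <mss 1460,sackOK,timestamp 508816181[|tcp]> (DF)",
    "15:30:05.772730 ntec3-20.finger > ntec2.ie.cuhk.edu.hk.1693: S 1844880867:1844880867(0) ack 111695276 win 32120 <mss 1460,sackOK,timestamp 588729366[|tcp]> (DF)",
    "15:30:05.772850 ntec2.ie.cuhk.edu.hk.1693 > ntec3-20.finger: . ack 1 win 32120 <nop,nop,timestamp 508816181 588729366> (DF)",
    "15:30:05.773817 ntec2.ie.cuhk.edu.hk.1693 > ntec3-20.finger: P 1:3(2) ack 1 win 32120 <nop,nop,timestamp 508816181 588729366> (DF)",
    "15:30:05.773820 ntec3-20.finger > ntec2.ie.cuhk.edu.hk.1693: . ack 3 win 32120 <nop,nop,timestamp 588729366 508816181> (DF)",
    "15:30:05.840632 ntec3-20.finger > ntec2.ie.cuhk.edu.hk.1693: P 1:20(19) ack 3 win 32120 <nop,nop,timestamp 588729373 508816181> (DF)",
    "15:30:05.840638 ntec3-20.finger > ntec2.ie.cuhk.edu.hk.1693: F 20:20(0) ack 3 win 32120 <nop,nop,timestamp 588729373 508816181> (DF)",
    "15:30:05.840642 ntec2.ie.cuhk.edu.hk.1693 > ntec3-20.finger: . ack 20 win 32101 <nop,nop,timestamp 508816188 588729373> (DF)",
    "15:30:05.840645 ntec2.ie.cuhk.edu.hk.1693 > ntec3-20.finger: . ack 21 win 32100 <nop,nop,timestamp 508816188 588729373> (DF)",
    "15:30:05.840687 ntec2.ie.cuhk.edu.hk.1693 > ntec3-20.finger: F 3:3(0) ack 21 win 32120 <nop,nop,timestamp 508816188 588729373> (DF)",
    "15:30:05.840688 ntec3-20.finger > ntec2.ie.cuhk.edu.hk.1693: . ack 4 win 32120 <nop,nop,timestamp 588729373 508816188> (DF)",
    "15:33:41.300667 ntec1-20.syslog > ntec16-36.syslog: udp 44",
    "15:33:41.301376 ntec1-20.syslog > ntec16-36.syslog: udp 49",
]

TS = r"(?P<ts>\d\d:\d\d:\d\d\.\d+) "
ARP_RE = re.compile(TS + r"arp (?P<op>who-has|reply) (?P<target>\S+) (?:tell|is-at) (?P<other>\S+)$")
UDP_RE = re.compile(TS + r"(?P<src>\S+) > (?P<dst>\S+): udp (?P<len>\d+)$")
# src > dst: flags [first:last(bytes)] [ack N] win N [urg N] [<options>] [(DF)]
TCP_RE = re.compile(
    TS + r"(?P<src>\S+) > (?P<dst>\S+): (?P<flags>[SFPR.]+)"
    r"(?: (?P<seq>\d+):(?P<seqend>\d+)\((?P<len>\d+)\))?"
    r"(?: ack (?P<ack>\d+))? win (?P<win>\d+)"
    r"(?: urg (?P<urg>\d+))?(?: <(?P<opts>[^>]*)>)?(?: \((?P<df>DF)\))?$"
)


def parse_line(line):
    """Classify one tcpdump line as arp / udp / tcp and extract its fields;
    None for a line in a format this parser does not know."""
    m = ARP_RE.match(line)
    if m:
        return {"proto": "arp", **m.groupdict()}
    m = UDP_RE.match(line)
    if m:
        return {"proto": "udp", "ts": m["ts"], "src": m["src"], "dst": m["dst"], "len": int(m["len"])}
    m = TCP_RE.match(line)
    if m:
        d = {"proto": "tcp", **m.groupdict()}
        d["len"] = int(m["len"]) if m["len"] else 0   # no data-seqno means 0 payload bytes
        d["ack"] = int(m["ack"]) if m["ack"] else None
        return d
    return None


def tcp_sessions(records):
    """Rebuild each TCP session from its flag sequence: the SYN sender is the
    client, SYN then SYN/ACK then the client's bare ACK is a complete handshake,
    payload bytes are summed per direction, and FIN from both sides (or any
    RST) means the session is closed."""
    sessions = {}
    for r in records:
        if r["proto"] != "tcp":
            continue
        key = tuple(sorted((r["src"], r["dst"])))
        s = sessions.setdefault(key, {"client": r["src"], "server": r["dst"],
                                      "synack": False, "established": False,
                                      "bytes": defaultdict(int), "fin": set(), "rst": False})
        f = r["flags"]
        if "S" in f and r["ack"] is None:            # bare SYN: this side is the client
            s["client"], s["server"] = r["src"], r["dst"]
        elif "S" in f:                               # SYN+ACK from the server
            s["synack"] = True
        elif f == "." and s["synack"] and r["src"] == s["client"] and not s["established"]:
            s["established"] = True                  # third packet of the handshake
        s["bytes"][r["src"]] += r["len"]
        if "F" in f:
            s["fin"].add(r["src"])
        if "R" in f:
            s["rst"] = True
    return {f"{s['client']} -> {s['server']}": {
                "handshake": s["established"],
                "client_bytes": s["bytes"][s["client"]],
                "server_bytes": s["bytes"][s["server"]],
                "closed": len(s["fin"]) == 2 or s["rst"]}
            for s in sessions.values()}


def arp_summary(records):
    """Per queried address: how many who-has requests and how many replies."""
    out = defaultdict(lambda: {"who-has": 0, "reply": 0})
    for r in records:
        if r["proto"] == "arp":
            out[r["target"]][r["op"]] += 1
    return dict(out)


def udp_bytes(records):
    """Sum UDP payload bytes per (src, dst) pair."""
    out = defaultdict(int)
    for r in records:
        if r["proto"] == "udp":
            out[(r["src"], r["dst"])] += r["len"]
    return dict(out)
```

Feed it `tcpdump -r dump.log` output line by line and the session table shows at a glance which connections never completed their handshake (SYN with no SYN/ACK, or SYN/ACK with no final ACK) and which never closed; the ARP summary shows addresses that were asked for repeatedly without a reply. Lines in other formats (ICMP, the `-e` link-layer header, newer tcpdump versions that print `Flags [S]`) come back as None and would need their own patterns.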
83
Lab3 Network Monitoring and Debugging
More tools for traffic analysis
IPTraf --- An IP Network Statistics Utility
84
Lab3 Network Monitoring and Debugging
More tools for traffic analysis
ethereal --- Interactively browse network traffic
85
Lab3 Network Monitoring and Debugging
SNMP
In brief, SNMP, the Simple Network Management
Protocol, is a protocol designed to give a user the
capability to remotely manage a computer network by
polling and setting terminal values and monitoring
network events. SNMP consists of 3 elements: the MIB,
the manager, and the agent.
86
Lab3 Network Monitoring and Debugging
SNMP
Management information bases (MIBs) are a collection
of definitions, which define the properties of the
managed objects within the device to be managed.
Every managed device keeps a database of values for
each of the definitions written in the MIB. The MIB
is not the actual database itself; how the values
are stored is implementation dependent. The latest
Internet MIB is given in RFC 1213, sometimes called
MIB-II.

The agent runs on each node on the network. Many
UNIX software vendors include this with their
terminal software. It collects network and terminal
information as specified in the MIB.

The manager is located on the host computer on the
network. Its main role is to poll the agents for
certain requested information. Again, there are lots
of shareware managers available. For example, on PC,
there is NetGuard, which is freely available. On
UNIX, network managers range from the simple and
free to the very complex and expensive, like HP's
OpenView or SunNet Manager.
87
Lab3 Network Monitoring and Debugging
SNMP MIB (Management Information Base) Structure
All managed objects in the SNMP environment are
arranged in a hierarchical or tree structure. The
leaf objects of the tree are the actual managed
objects, each of which represents some resource,
activity, or related information that is to be
managed. The tree structure itself defines a
grouping of objects into logically related sets.
88
Lab3 Network Monitoring and Debugging
MIB-II
89
Lab3 Network Monitoring and Debugging
SNMP
The object ID .1.3.6.1.2.1.2.2.1.11.2 corresponds to
.iso.org.dod.internet.mgmt.mib2.interfaces.ifTable.ifEntry.ifInUcastPkts.2
(the trailing .2 is the instance, here the interface
with ifIndex 2).
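Translating between the numeric OID and the named path is a walk down the tree described on slides 87 to 89, and the same tree order is what an SNMP manager relies on when it polls with GetNext. The following is an added example (not from the slides or any SNMP library) that holds a small table of RFC 1213 node names, converts the slide's OID in both directions, and simulates GetNext over a constructed agent so the walk stops at the edge of the ifInUcastPkts subtree. The agent's values and the node table are constructed for the example; the slide writes "mib2" where RFC 1213 names the node "mib-2".

```python
# Named nodes of the MIB-II tree needed for the slide's example path. These are
# the standard RFC 1213 assignments (the slide writes "mib2" for mib-2); only a
# handful of nodes are listed here, a real tool loads the full MIB files.
MIB_NODES = {
    (1,): "iso", (1, 3): "org", (1, 3, 6): "dod", (1, 3, 6, 1): "internet",
    (1, 3, 6, 1, 2): "mgmt", (1, 3, 6, 1, 2, 1): "mib-2",
    (1, 3, 6, 1, 2, 1, 1): "system", (1, 3, 6, 1, 2, 1, 1, 1): "sysDescr",
    (1, 3, 6, 1, 2, 1, 2): "interfaces", (1, 3, 6, 1, 2, 1, 2, 1): "ifNumber",
    (1, 3, 6, 1, 2, 1, 2, 2): "ifTable", (1, 3, 6, 1, 2, 1, 2, 2, 1): "ifEntry",
    (1, 3, 6, 1, 2, 1, 2, 2, 1, 1): "ifIndex",
    (1, 3, 6, 1, 2, 1, 2, 2, 1, 10): "ifInOctets",
    (1, 3, 6, 1, 2, 1, 2, 2, 1, 11): "ifInUcastPkts",
    (1, 3, 6, 1, 2, 1, 2, 2, 1, 16): "ifOutOctets",
}


def parse_oid(text):
    """'.1.3.6.1.2.1.2.2.1.11.2' -> (1, 3, 6, 1, 2, 1, 2, 2, 1, 11, 2).
    OIDs are sequences of integers, never strings: 10 sorts after 9."""
    return tuple(int(x) for x in text.strip(".").split("."))


def oid_to_name(oid):
    """Walk the prefixes of an OID and substitute the node name for every
    prefix the table knows; sub-identifiers the table does not know (the
    instance suffix, e.g. the trailing .2 = interface index 2) stay numeric."""
    labels = [MIB_NODES.get(oid[:i + 1], str(oid[i])) for i in range(len(oid))]
    return "." + ".".join(labels)


def name_to_oid(name):
    """Reverse of oid_to_name: resolve each label among the children of the
    node reached so far, passing numeric labels through unchanged."""
    children = {}
    for oid, label in MIB_NODES.items():
        children.setdefault(oid[:-1], {})[label] = oid[-1]
    out = ()
    for label in name.strip(".").split("."):
        out += (int(label) if label.isdigit() else children[out][label],)
    return out


# A constructed agent: the values it would answer for a few instance OIDs
# (three interfaces with ifIndex 1, 2 and 10; indexes need not be contiguous).
AGENT = {
    parse_oid(".1.3.6.1.2.1.1.1.0"): "Linux ntec23 (constructed)",
    parse_oid(".1.3.6.1.2.1.2.1.0"): 3,
    parse_oid(".1.3.6.1.2.1.2.2.1.10.1"): 12345,
    parse_oid(".1.3.6.1.2.1.2.2.1.10.2"): 987654,
    parse_oid(".1.3.6.1.2.1.2.2.1.11.1"): 100,
    parse_oid(".1.3.6.1.2.1.2.2.1.11.2"): 5000,
    parse_oid(".1.3.6.1.2.1.2.2.1.11.10"): 7,
}


def get_next(agent, oid):
    """GetNext semantics: the smallest OID in the agent's table that is
    lexicographically greater than `oid` (None past the end of the tree).
    Tuple comparison gives the numeric, component-wise order SNMP requires."""
    later = [o for o in agent if o > oid]
    return min(later) if later else None


def walk(agent, prefix):
    """Repeat GetNext from `prefix` until the answer leaves the subtree; this
    is what a walk of, say, ifInUcastPkts does over the wire."""
    found, cur = [], prefix
    while True:
        cur = get_next(agent, cur)
        if cur is None or cur[:len(prefix)] != prefix:
            return found
        found.append(cur)


if __name__ == "__main__":
    oid = parse_oid(".1.3.6.1.2.1.2.2.1.11.2")
    print(oid_to_name(oid))
    for o in walk(AGENT, parse_oid(".1.3.6.1.2.1.2.2.1.11")):
        print(oid_to_name(o), "=", AGENT[o])
```

The point of comparing tuples rather than dotted strings is the .11.10 instance: as strings ".11.10" sorts before ".11.2", and a manager that walked in string order would return rows out of sequence or stop early.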
90
Lab3 Network Monitoring and Debugging
MRTG
The Multi Router Traffic Grapher (MRTG) is a tool to
monitor the traffic load on network links. MRTG
generates HTML pages containing GIF images which
provide a LIVE visual representation of this traffic.
MRTG is based on Perl and C and works under UNIX and
Windows NT.
e.g. the following MRTG graph shows a peak in traffic
at 16:00
91
Lab3 Network Monitoring and Debugging
MRTG: Using an external program to collect data
Besides using SNMP to collect data, MRTG can allow
you to use some external program to do the data
gathering. The external command must return 4 lines
of output:
  • Line 1: current state of the first variable,
    normally 'incoming bytes count'
  • Line 2: current state of the second variable,
    normally 'outgoing bytes count'
  • Line 3: string (in any human readable format),
    telling the uptime of the target.
  • Line 4: string, telling the name of the target.
Depending on the type of data your script returns
you might want to use the 'gauge' or 'absolute'
arguments for the Options keyword.
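An external collector for the four-line contract above, as an added example (not part of the slides or of the MRTG distribution): it reads the Linux /proc/net/dev counters for one interface and prints incoming bytes, outgoing bytes, an uptime string and the target name, one per line. The /proc/net/dev snapshot embedded below is constructed for the example and is only used when the real file is absent; the interface name, script path and target name are assumptions.

```python
import os
import sys

# Constructed /proc/net/dev snapshot (Linux layout): two header lines, then
# one line per interface with 8 receive and 8 transmit counters.
SAMPLE_PROC_NET_DEV = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:  1234567   12345    0    0    0     0          0         0  1234567   12345    0    0    0     0       0          0
  eth0: 987654321 1234567    0    0    0     0          0         0 123456789  876543    0    0    0     0       0          0
"""


def parse_proc_net_dev(text):
    """Return {interface: (rx_bytes, tx_bytes)} from /proc/net/dev text.
    rx bytes is the first receive column, tx bytes the first transmit
    column, i.e. field 0 and field 8 after the 'name:' prefix."""
    counters = {}
    for line in text.splitlines():
        if ":" not in line:          # the two header lines carry no colon
            continue
        name, _, rest = line.partition(":")
        fields = rest.split()
        counters[name.strip()] = (int(fields[0]), int(fields[8]))
    return counters


def format_uptime(seconds):
    """Seconds -> 'D days, HH:MM' (any human-readable form satisfies MRTG)."""
    days, rem = divmod(int(seconds), 86400)
    hours, rem = divmod(rem, 3600)
    return f"{days} days, {hours:02d}:{rem // 60:02d}"


def mrtg_lines(counters, ifname, uptime, target):
    """The four lines MRTG expects from an external Target program: incoming
    bytes, outgoing bytes, uptime string, target name. A missing interface
    yields zero counters rather than fewer lines, which MRTG would reject."""
    rx, tx = counters.get(ifname, (0, 0))
    return [str(rx), str(tx), uptime, target]


def main(argv):
    ifname = argv[1] if len(argv) > 1 else "eth0"   # assumed default interface
    if os.path.exists("/proc/net/dev"):
        with open("/proc/net/dev") as f:
            counters = parse_proc_net_dev(f.read())
        with open("/proc/uptime") as f:
            uptime = format_uptime(float(f.read().split()[0]))
    else:   # not on Linux: fall back to the constructed sample
        counters = parse_proc_net_dev(SAMPLE_PROC_NET_DEV)
        uptime = format_uptime(273120)
    print("\n".join(mrtg_lines(counters, ifname, uptime, f"{os.uname().nodename} {ifname}")))


if __name__ == "__main__":
    main(sys.argv)
```

In mrtg.cfg the script is named in backticks as the target, for example Target[ntec23-eth0]: `/usr/local/bin/mrtg-eth0.py eth0` (assumed path and name). Because the two values are ever-growing byte counters, MRTG's default counter handling computes the rate itself and no Options argument is needed; a script that returned an instantaneous reading such as a queue length would need the 'gauge' argument the slide mentions.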