Network Tools
Ø ttcp
Ø lsof: list open
files
Ø tcpdump: filtering packets
Ø arp: addres resolution protocol
Ø ping: test host aliveness
Ø Applications: TCP Simultanious Open and Close
File: /etc/resolv.conf
contains the DNS of the host.
% nslookup
www.cs.odu.edu
% nslookup
odu.edu
% nslookup yahoo.com
% nslookup 128.82.224.112
ü host:
% host capella
% host odu.edu
% host 128.82.4.7
ü dig:
% dig isis.cs.odu.edu
% dig cs.odu.edu
% dig odu.edu
% dig –x
128.82.4.2 ( -x
for resolving IP addresses)
ê FindCSfastHosts: Discovering “login” hosts
at the CS department.
#! /bin/sh
sshLogin.csh #to
let you login without password
max=255
i=1
outputfile=CSFastHosts`date
'+%m%d%y_%H%M%S'`
touch $outputfile
while test $i -le $max
do
echo
"128.82.4.$i : "
host 128.82.4.$i | grep
name > answer
if test $? -eq 0 # IP
is a valid host name
then
hostname=` cat answer | cut
-d" " -f5 | cut -d"." -f1`
timeoutcmd 1 TCPConnect
$hostname 23 | grep Connected
if test $? -eq 0 # is possibly fast host
then
os=`ssh $hostname uname`
echo "128.82.4.$i ($hostname): $os"
>> $outputfile
fi
fi
i=`expr $i + 1`
done
ü To avoid typing your
password in ssh use:
sshLogin_csh
ü To test if a host runs ssh (port 22) we use: TCPConnect.c
ü To shorten the
timeout of commands like TCPConnect and ssh we use: timeoutcmd.c
ê CSlookup_sh: Discovering hosts at “some” CS departments.
Examples:
% CSlookup www unc
% CSlookup
ftp virginia
Outline:
Find the IP address of
a well-known host, e.g., if www.cs.odu.edu IP address is 128.82.4.2,
then find all hosts 128.82.4.$i
#!
/bin/sh
filename=cs.$2.Hosts`date '+%m%d%y_%H%M%S'`
rm -f $filename
touch $filename
if test $# -le 1
then
echo "Usage: cslookup.sh <ftp|www|...> <odu|unc|virginia|..>"
exit
fi
name=$1.cs.$2.edu
host $name > answer
if grep not
answer > /dev/null
then
echo "$name does not
exist"
exit
fi
host $name | grep has > answer
if grep has answer >/dev/null
then
addr=` cat
answer | awk '{print $4}'`
echo $name "IP adress is:" $addr
oldifs=$IFS
IFS='.'
set $addr
ip1=$1
ip2=$2
ip3=$3
prefix=$ip1.$ip2.$ip3
IFS=$oldifs
i=1
while test $i
-le 255
do
addr=`echo $prefix'.'$i`
host $addr
> answer
if grep
not answer >/dev/null
then
echo "$addr does not exist"
else
name=` cat answer | awk '{print $5}'`
echo "$addr
($name)"
echo "$addr
($name)" >> $filename
fi
i=`expr $i + 1`
done
fi
ê DiscoverODUhosts_sh: Discovering host names and alive (using ping) hosts at ODU.
host 128.82.$j.$i
timeoutcmd 1 ping 128.82.$j.$i | grep alive
The program
loop through all ip addresses at odu
(128.82.X.X)
It
classifies the hosts and save the results in several files:
ü
PingableHosts: ODU hosts that are alive using ping command.
ü
CSHosts: machines that belong to CS dept
e.g.:
128.82.10.2 (vpn.cs.odu.edu.)
ü
IPDerivedHosts: ODU hosts names that are derived from IP addresses.
e.g.:
128.82.11.149 (sd11-149.sd.odu.edu.)
ü
OtherHosts: ODU host names that are not derived from IP
addresses.
e.g.:
128.82.121.99 (vpn.vmasc.odu.edu.)
ü default:
it behaves as: tcp
client
ü important
options:
-s
act as server
-u use udp
instead of tcp
Examples:
ê TCP server and
clients
% sock
-s 10203
// tcp server
or
% sock
-s -F -v
10203
// tcp server
-F (fork) concurrent
-v verbose
% sock localhost
10203 // tcp client
ê UDP server and
clients
% sock
-s -u -v 10203
// udp server
% sock -u
localhost
10203 // udp client
% sock -u -v -i -n 10 -w 128 -p 2
localhost 10203
// udp client
-i source/sink
-n sends 10 packets
-w 128 byte
-p every 2 seconds
ê Destination
address
% sock -s -u -v
-E 10203
// udp server,
-E
display destination address.
% sock -u localhost 10203 // udp client
% sock -u something
10203 // udp
client
ê
Restricting
ports & address
% sock -s -u
-v -E -f 127.0.0.1.2222 10203
// udp server,
-f
forien address.
% sock -u -b 2222 localhost
10203 //
udp client
–b bind to prot
% sock -u -b 2222
something 10203 //
udp client
|
|
|
« ttcp
To test TCP and UDP performance (source
code)
Examples:
-p port Port number to
send or listen (default
2000).
-f
M Megabyts/sec
ê simple receiver
and transmitter
capella %
ttcp
–r -f M -p
10203 //tcp -r receiver
antares % ttcp
–t -f M -p
10203 capella //tcp -t transmitter
ê
sink and source
capella %
ttcp –r –s -p
10203
//tcp –r receiver -s
sink
antares
% ttcp –t –s
capella -p 10203 //tcp -t transmitter -s source
ê udp
–u Use
UDP instead of TCP:
capella % ttcp –r -u
–s -p
10203 //udp
antares
% ttcp –t -u –s capella –p 10203
ê copy tar files
Copy
directory hierarchies between systems:
-B When receiving data, output only full blocks.
capella
% ttcp
–r –B –p 10203 | tar xvpf
–
antares
% tar cf – directory | ttcp
–t -p 10203 capella
Intermediate hosts can be included by:
capella % ttcp –r –B –p 10203 |
tar xvpf
–
deneb
% ttcp –r –p 10203 | ttcp
–t -p 10203 capella
antares % tar cf – directory | ttcp –t -p 10203 deneb
«
lsof list open files
ü
netstat tells us what ports are in use
but it
does not identify which processes owning them.
ü
lsof reveals the
process owning the ports
You have to ssh to one of something machines to use lsof.
e.g:
something, somethingelse, somethingmore.
Example:
%
sock -s 12345 &
% netstat -a | grep 12345
Local Address
Remote Address State
*.12345
*.*
LISTEN
% sudo lsof | grep 12345
Password:
COMMAND
PID
USER
NAME
sock 711
cs779
TCP *:12345 (LISTEN)
%
sudo lsof | grep TCP
Shows the
owners of each TCP port.
« tcpdump
Reads
packets from a network and prints lot of information about the packets.
Useful Options:
-N Don't
print domain name
-t Don't
print a timestamp
êEx1: Capture all traffic to/from a given host:
% sudo
tcpdump host something
êEx2: Capture traffic between selected hosts:
% sudo tcpdump host something and \( somethingmore or somethingelse \)
% sudo tcpdump host something and not somethingelse
% sudo tcpdump host somethingelse and somethingmore
êEx3: Capture traffic between two networks:
% sudo tcpdump
net
128.82.4
êEx4: Capture SYN and FIN packets:
%
sudo tcpdump 'tcp [13:1]
& 3
!=0'
The TCP
header: AND byte 14 with 011.
êEx5: Monitoring long packets.
% sudo tcpdump 'ip [2:2]
> 200'
The IP header: Byte 3 and 4 (the packet length field).
êEx6: Monitoring specific protocols:
% sudo tcpdump
icmp
% sudo tcpdump
udp
% sudo tcpdump
tcp
êEx7: Monitoring specific port:
% sudo tcpdump tcp and port 80
êEx8: Monitoring group multicast protocol:
% sudo tcpdump igmp
You may use the mcastChat
example to generate mcast traffic:
% cd /home/cs779/public_html/mcastChat
% mcastChat 224.0.0.1 10123
« arp
% arp –a
Shows the current content of the ARP Cash.
% arp
-a | grep <h>
<h> is some new host name, e.g., deneb
If it is not in the cash, type:
%
sudo tcpdump arp | grep
<h>
Go to another window and type:
% telnet <h>
You
will watch all the arp
packets in the tcpdump window.
% arp
–a | grep <h>
You will find it in the cash.
« ping
Produce echo request & echo reply
% sudo tcpdump icmp
Go
to another window and type:
% ping <h>
ê
Simultaneous Open: SimulOpen.c
Most
networking applications are based on server/client model:
ü
In this model you
run the server first and then the client.
ü
The client will connect to the server and TCP
connection is established where both can send /receive.
ü
Any end can close the connection whenever it wants.
The
following is an unusual example, where both
processes are clients and a simultaneous TCP
connection between the two clients is established.
à
runs SimulOpen at host h1 (e.g., somethingmore ).
Ø create a client socket,
Ø bind it to port (h1,p1)
Ø connect to (h2, p2).
Ø if connected, continuously send “Hussein” and recv
“Wahab”
somethingmore % SimulOpen somethingmore
10111 somethingelse
10222 “Hussein”
à
runs SimulOpen at host h2 (e.g., somethingelse ).
Ø create a client socket,
Ø bind it to port (h2,p2).
Ø connect to (h1, p1).
Ø if connected, continuously send “Wahab”
and recv “Hussein”
somethingelse % SimulOpen somethingelse 10222 somethingmore 10111 “Wahab”
à
The chances you
will get simultaneous open scenario is low.
To
increase the chances, we use a shell script SimulOpen_sh
to
repeatedly run the two programs until the simultaneous open occurs.
somethingmore % SimulOpen_sh SimulOpen
somethingmore 10111 somethingelse 10222 “Hussein”
somethingelse % SimulOpen_sh SimulOpen
somethingelse 10222 somethingmore 10111 “Wahab”
à
Use tcpdump to monitor TCP segments exchanged between the two
programs.
If
there is a simultaneous open you will see the two messages exchanged,
and the tcpdump will show two independent SYN segments.
something % sudo tcpdump -i hme0 –N port 10111 and port 10222 and 'tcp[13:1]&3 !=0'
20:42:58.307253 IP somethingmore.10111 >
somethingelse.10222: [S] …..
20:42:58.931271 IP somethingelse.10222
> somethingmore.10111: [S]…..
ü
These are traditional
Server/Client programs: SimulCloseClient.c & SimulCloseServer.c
ü
As soon as the
TCP connection is established both closes the connection and each uses netstat to check for the state of the connection.
ü
If the client
detects TIME_WAIT it waits to see if the server is also in the same state.
ü
If the server is
not in the TIME_WAIT state, the client/server may repeat until this simultaneous
close state is reached.
à SimulCloseClient.c : runs at host h1.
ü
create a client
socket s1,
ü
connect to (h2, p2).
ü
if connected, immediately close s1.
ü
The program uses
the grepTimeWait_sh
to detect TIME_WAIT
state.
à SimulCloseServer.c : runs at host h2.
ü
create a server
socket,
ü
accept a connection from simcloseClient
at socket s2.
ü
if accepted, immediately close s2.
ü
The program
display if the closed socket is in TIME_WAIT state.
à If you notice that both Client and Server are in
TIME_WAIT state, stop
Otherwise the client should
connect again the server.
à Use tcpdump to monitor the exchanged segments:
ü
If simulations
close occurs, you will see two successive independent FIN segments.
ü
Also use netstat to find
out that both the client and the server are in TIME_WAIT
state.
somethingmore % SimulCloseServer
10111
somethingelse % SimulCloseClient somethingmore 10111
something % sudo tcpdump -i hme0 -N port 10111 and 'tcp[13:1]&3 !=0'
21:31:09.459720 IP somethingelse.36974
> somethingmore.10111: F 1:1(0) ack 1
21:31:09.460144 IP somethingmore.10111 > somethingelse.36974:
F 1:1(0) ack 1
21:31:09.460204 IP somethingmore.10111 >
somethingelse.36974: . ack 2
21:31:09.461639 IP somethingelse.36974
> somethingmore.10111: . ack 2