Network_tools

Network Tools

Ø DNS lookup utilities

Ø Stevens’s sock

Ø ttcp

Ø lsof: list open files

Ø tcpdump: filtering packets

Ø arp: addres resolution protocol

Ø ping: test host aliveness

Ø Applications: TCP Simultanious Open and Close

« DNS lookup utilities:

File: /etc/resolv.conf contains the DNS of the host.

ü nslookup:

% nslookup www.cs.odu.edu

% nslookup odu.edu

% nslookup yahoo.com

% nslookup 128.82.224.112

ü host:

% host capella

% host odu.edu

% host 128.82.4.7

ü dig:

% dig isis.cs.odu.edu

% dig cs.odu.edu

% dig odu.edu

% dig –x 128.82.4.2 ( -x for resolving IP addresses)

v Applications:

ê CSlookup_sh: Discovering hosts at “some” CS departments.

Examples:

% CSlookup www unc

% CSlookup ftp virginia

Outline:

Find the IP address of a well-known host, e.g., if www.cs.odu.edu IP address is 128.82.4.2,

then find all hosts 128.82.4.$i

#! /bin/sh
filename=cs.$2.Hosts`date`
rm -f $filename
touch $filename

if test $# -le 1
then
echo "Usage: cslookup.sh <ftp|www|...> <odu|unc|virginia|..>"
exit
fi

name=$1.cs.$2.edu

host $name > answer
if grep not answer > /dev/null
then
     echo "$name does not exist"
     exit
fi

host $name | grep has > answer
if grep has answer >/dev/null
then
     addr=` cat answer | awk '{print $4}'`
     echo $name "IP adress is:" $addr
     oldifs=$IFS
     IFS='.'

     set $addr
     ip1=$1
     ip2=$2
     ip3=$3

     prefix=$ip1.$ip2.$ip3
     IFS=$oldifs
     i=1
     while test $i -le 255
     do
        addr=`echo $prefix'.'$i`
          host $addr > answer
          if grep not answer >/dev/null
          then
                echo "$addr does not exist"
          else
                name=` cat answer | awk '{print $5}'`
                echo "$addr ($name)"
                echo "$addr ($name)" >> $filename
          fi
          i=`expr $i + 1`
     done
fi

ê DiscoverODUhosts_sh: Discovering host names and alive (using ping) hosts at ODU.

host 128.82.$j.$i

timeoutcmd 1 ping 128.82.$j.$i | grep alive

The program loop through all ip addresses at odu (128.82.X.X)

It classifies the hosts and save the results in several files:

ü PingableHosts: ODU hosts that are alive using ping command.

ü CSHosts: machines that belong to CS dept

e.g.: 128.82.10.2 (vpn.cs.odu.edu.)

ü IPDerivedHosts: ODU hosts names that are derived from IP addresses.

e.g.: 128.82.11.149 (sd11-149.sd.odu.edu.)

ü OtherHosts: ODU host names that are not derived from IP addresses.

e.g.: 128.82.121.99 (vpn.vmasc.odu.edu.)

« sock source code & man page

ü default: it behaves as: tcp client

ü important options:

-s act as server

-u use udp instead of tcp

Examples:

ê TCP server and clients

% sock -s 10203 // tcp server

% sock -s -F -v 10203 // tcp server

-F (fork) concurrent

-v verbose

% sock localhost 10203 // tcp client

ê UDP server and clients

% sock -s -u -v 10203 // udp server

% sock -u localhost 10203 // udp client

% sock -u -v -i -n 10 -w 128 -p 2 localhost 10203 // udp client

-i source/sink

-n sends 10 packets

-w 128 byte

-p every 2 seconds

ê Destination address

% sock -s -u -v -E 10203 // udp server,

-E display destination address.

% sock -u localhost 10203 // udp client

% sock -u something 10203 // udp client

ê Restricting ports & address

% sock -s -u -v -E -f 127.0.0.1.2222 10203 // udp server,

-f forien address.

% sock -u -b 2222 localhost 10203 // udp client

–b bind to prot

% sock -u -b 2222 something 10203 // udp client

« lsof list open files

ü netstat tells us what ports are in use

but it does not identify which processes owning them.

ü lsof reveals the process owning the ports

You have to ssh to one of something machines to use lsof.

e.g: something, somethingelse, somethingmore.

Example:

% sock -s 12345 &

% netstat -a | grep 12345

Local Address Remote Address State

*.12345 *.* LISTEN

% sudo lsof | grep 12345

Password:

COMMAND PID USER NAME

sock 711 cs779 TCP *:12345 (LISTEN)

% sudo lsof | grep TCP

Shows the owners of each TCP port.

« tcpdump

(www.tcpdump.org)

Reads packets from a network and prints lot of information about the packets.

Useful Options:

-N Don't print domain name

-t Don't print a timestamp

-A Print the content of each packet in ASCII

êEx1: Capture all traffic to/from a given host:

% sudo tcpdump host something

êEx2: Capture traffic between selected hosts:

% sudo tcpdump host something and $ somethingmore or somethingelse $

% sudo tcpdump host something and not somethingelse

% sudo tcpdump host somethingelse and somethingmore

êEx3: Capture traffic between two networks:

% sudo tcpdump net 128.82.4

êEx4: Capture SYN and FIN packets:

% sudo tcpdump 'tcp [13:1] & 3 !=0'

The TCP header: AND byte 14 with 011.

êEx5: Monitoring long packets.

% sudo tcpdump 'ip [2:2] > 200'

The IP header: Byte 3 and 4 (the packet length field).

êEx6: Monitoring specific protocols:

% sudo tcpdump icmp

% sudo tcpdump udp

% sudo tcpdump tcp

êEx7: Monitoring specific port:

% sudo tcpdump tcp and port 80

êEx8: Monitoring group multicast protocol:

% sudo tcpdump igmp

You may use the mcastChat example to generate mcast traffic:

% cd /home/cs779/public_html/mcastChat

% mcastChat 224.0.0.1 10123

« arp

% arp –a

Shows the current content of the ARP Cash.

% arp -a | grep <h>

<h> is some new host name, e.g., deneb

If it is not in the cash, type:

% sudo tcpdump arp | grep <h>

Go to another window and type:

% telnet <h>

You will watch all the arp packets in the tcpdump window.

% arp –a | grep <h>

You will find it in the cash.

« ping

Produce echo request & echo reply

% sudo tcpdump icmp

Go to another window and type:

% ping <h>

« Applications:

ê Simultaneous Open: SimulOpen.c

Most networking applications are based on server/client model:

ü In this model you run the server first and then the client.

ü The client will connect to the server and TCP connection is established where both can send /receive.

ü Any end can close the connection whenever it wants.

The following is an unusual example, where both processes are clients and a simultaneous TCP connection between the two clients is established.

à runs SimulOpen at host h1 (e.g., somethingmore ).

Ø create a client socket,

Ø bind it to port (h1,p1)

Ø connect to (h2, p2).

Ø if connected, continuously send “Hussein” and recv “Wahab”

somethingmore % SimulOpen somethingmore 10111 somethingelse 10222 “Hussein”

à runs SimulOpen at host h2 (e.g., somethingelse ).

Ø create a client socket,

Ø bind it to port (h2,p2).

Ø connect to (h1, p1).

Ø if connected, continuously send “Wahab” and recv “Hussein”

somethingelse % SimulOpen somethingelse 10222 somethingmore 10111 “Wahab”

à The chances you will get simultaneous open scenario is low.

To increase the chances, we use a shell script SimulOpen_sh

to repeatedly run the two programs until the simultaneous open occurs.

somethingmore % SimulOpen_sh SimulOpen somethingmore 10111 somethingelse 10222 “Hussein”

somethingelse % SimulOpen_sh SimulOpen somethingelse 10222 somethingmore 10111 “Wahab”

à Use tcpdump to monitor TCP segments exchanged between the two programs.

If there is a simultaneous open you will see the two messages exchanged,

and the tcpdump will show two independent SYN segments.

something % sudo tcpdump -i hme0 –N port 10111 and port 10222 and 'tcp[13:1]&3 !=0'

20:42:58.307253 IP somethingmore.10111 > somethingelse.10222: [S] …..

20:42:58.931271 IP somethingelse.10222 > somethingmore.10111: [S]…..

OR you can use:

somethingelse % sudo tcpdump –N port 10111 and port 10222 and 'tcp[13:1]&3 !=0'

OR you can use:

somethingmore % sudo tcpdump –N port 10111 and port 10222 and 'tcp[13:1]&3 !=0'

ê Simultaneous Close:

ü These are traditional Server/Client programs: SimulCloseClient.c & SimulCloseServer.c

ü As soon as the TCP connection is established both closes the connection and each uses netstat to check for the state of the connection.

ü If the client detects TIME_WAIT it waits to see if the server is also in the same state.

ü If the server is not in the TIME_WAIT state, the client/server may repeat until this simultaneous close state is reached.

à SimulCloseClient.c : runs at host h1.

ü create a client socket s1,

ü connect to (h2, p2).

ü if connected, immediately close s1.

ü The program uses the grepTimeWait_sh to detect TIME_WAIT state.

à SimulCloseServer.c : runs at host h2.

ü create a server socket,

ü accept a connection from simcloseClient at socket s2.

ü if accepted, immediately close s2.

ü The program display if the closed socket is in TIME_WAIT state.

à If you notice that both Client and Server are in TIME_WAIT state, stop

Otherwise the client should connect again the server.

à Use tcpdump to monitor the exchanged segments:

ü If simulations close occurs, you will see two successive independent FIN segments.

ü Also use netstat to find out that both the client and the server are in TIME_WAIT state.

somethingmore % SimulCloseServer 10111

somethingelse % SimulCloseClient somethingmore 10111

something % sudo tcpdump -i hme0 -N port 10111 and 'tcp[13:1]&3 !=0'

21:31:09.459720 IP somethingelse.36974 > somethingmore.10111: F 1:1(0) ack 1

21:31:09.460144 IP somethingmore.10111 > somethingelse.36974: F 1:1(0) ack 1

21:31:09.460204 IP somethingmore.10111 > somethingelse.36974: . ack 2

21:31:09.461639 IP somethingelse.36974 > somethingmore.10111: . ack 2

OR you can use:

somethingelse % sudo tcpdump -N port 10111 and 'tcp[13:1]&3 !=0'

OR you can use:

somethingmore % sudo tcpdump -N port 10111 and 'tcp[13:1]&3 !=0'