Transcript Chapter 12 NM Tools and Systems
Network Management Tools
ifconfig (UNIX)
• Used to assign an address to an interface, or to read the address of an interface
• Option -a displays all interfaces
• Notice the two interfaces in the example: loop-back (lo0) and Ethernet (hme0)

[/home/staff/ycchen] ifconfig -a
lo0: flags=849<...> mtu 8232
hme0: flags=...<...MULTICAST> mtu 1500

ifconfig le0 down
ifconfig le0 163.22.20.16 netmask 255.255.255.0 broadcast 163.22.20.255

ipconfig (Windows)
ipconfig (internet protocol configuration)
ipconfig
ipconfig /all

ipconfig /?
    /?            help
    /all          display full configuration information
    /release      release the IPv4 address
    /release6     release the IPv6 address
    /renew        renew the IPv4 address
    /renew6       renew the IPv6 address
    /flushdns     purge the DNS resolver cache
    /registerdns  refresh all DHCP leases and re-register DNS names
    /displaydns   display the contents of the DNS resolver cache

C:\>ipconfig

Wireless LAN adapter Wireless Network Connection:

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::19e4:8b36:e72b:2cf%11
   IPv4 Address. . . . . . . . . . . : 192.168.0.107
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.0.1

C:\>ipconfig /all

Wireless LAN adapter Wireless Network Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Atheros AR5BWB225 Wireless Network Adapter
   Physical Address. . . . . . . . . : 74-DE-2B-CB-49-0C
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::19e4:8b36:e72b:2cf%11(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.0.107(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : April 5, 2013 7:58:09 PM
   Lease Expires . . . . . . . . . . : April 6, 2013 7:59:14 PM
   Default Gateway . . . . . . . . . : 192.168.0.1
   DHCP Server . . . . . . . . . . . : 192.168.0.1
   DHCPv6 IAID . . . . . . . . . . . : 292871723
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-17-23-19-FF-74-DE-2B-CB-49-0C
   DNS Servers . . . . . . . . . . . : 192.168.0.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Manually configure the IP address
© 2011 Pearson Education, Inc. Publishing as Prentice Hall

NAT - Network Address Translation
http://www.whatismyip.com/

Address Resolution Protocol
• RFC 826
• Maps network addresses to the hardware addresses used by a data-link protocol: here, translates IP addresses to Ethernet MAC addresses
• Uses a data-link broadcast: ARP Request, ARP Reply

ARP Announcement
• Gratuitous ARP: an unsolicited ARP message in which a node announces its own IP-to-MAC mapping; neighbours update their caches without having asked, which is exactly the behaviour ARP spoofing abuses

ARP Spoofing (ARP Poisoning)
• Send fake, or 'spoofed', ARP messages onto an Ethernet LAN
• Generally, to associate the attacker's MAC address with the IP address of another node (such as the default gateway)
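As an added example (not part of the slides), a small Python monitor for the symptom just described: it parses two `arp -a` snapshots in the Windows format and flags a gateway whose MAC has changed, a MAC that answers for several IPs, and a gateway entry that is still dynamic and therefore still overwritable. The snapshots, the gateway address 10.10.34.254 and the attacker at 10.10.34.235 are constructed for the example.

```python
"""ARP-cache poisoning check over `arp -a` snapshots (added example, not from the slides)."""
import re
from typing import Dict, List, Tuple

# One Windows `arp -a` table row: "  10.10.34.231   00-12-cf-28-cd-20   dynamic"
ROW_RE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(dynamic|static)\s*$",
    re.IGNORECASE,
)

GATEWAY = "10.10.34.254"   # assumed default gateway for the example

# Constructed snapshots. BASELINE mirrors a clean cache; in POISONED an attacker at
# 10.10.34.235 has replaced the gateway's MAC with its own; PINNED is the cache after
# `arp -s 10.10.34.254 00-08-e3-dd-b3-1f` turned the gateway entry static.
BASELINE = """\
Interface: 10.10.34.169 --- 0x2
  Internet Address      Physical Address      Type
  10.10.34.231          00-12-cf-28-cd-20     dynamic
  10.10.34.234          00-12-cf-29-c6-80     dynamic
  10.10.34.235          00-12-cf-28-1e-20     dynamic
  10.10.34.254          00-08-e3-dd-b3-1f     dynamic
"""
POISONED = BASELINE.replace("10.10.34.254          00-08-e3-dd-b3-1f",
                            "10.10.34.254          00-12-cf-28-1e-20")
PINNED = BASELINE.replace("00-08-e3-dd-b3-1f     dynamic",
                          "00-08-e3-dd-b3-1f     static")


def parse_arp_table(text: str) -> Dict[str, Tuple[str, str]]:
    """Map IP -> (MAC, type); the 'Interface:' line and column header are skipped."""
    table: Dict[str, Tuple[str, str]] = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            table[m.group(1)] = (m.group(2).lower(), m.group(3).lower())
    return table


def find_poisoning(baseline: Dict[str, Tuple[str, str]],
                   current: Dict[str, Tuple[str, str]],
                   gateway: str = GATEWAY) -> List[str]:
    """Return one alert string per ARP-spoofing symptom found in `current`."""
    alerts: List[str] = []
    old, new = baseline.get(gateway), current.get(gateway)
    # 1. The gateway's MAC changed between snapshots: the classic MITM setup.
    if old and new and old[0] != new[0]:
        alerts.append(f"gateway {gateway} moved from {old[0]} to {new[0]}")
    # 2. One MAC now claims several IPs: an attacker answering for its victims.
    #    (A router that legitimately owns several addresses would also trip this; whitelist it.)
    by_mac: Dict[str, List[str]] = {}
    for ip, (mac, _) in current.items():
        by_mac.setdefault(mac, []).append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            alerts.append(f"MAC {mac} claims {sorted(ips)}")
    # 3. The gateway entry is still dynamic, so a future spoofed reply can overwrite it.
    if new and new[1] != "static":
        alerts.append(f"gateway {gateway} entry is dynamic; pin it with arp -s")
    return alerts


def demo() -> Tuple[List[str], List[str]]:
    """Alerts for the poisoned cache, and for the cache after the static entry was added."""
    base = parse_arp_table(BASELINE)
    return (find_poisoning(base, parse_arp_table(POISONED)),
            find_poisoning(base, parse_arp_table(PINNED)))


if __name__ == "__main__":
    poisoned_alerts, pinned_alerts = demo()
    print("\n".join(poisoned_alerts) or "no alerts")
    print("after arp -s:", pinned_alerts or "no alerts")
```

The third check is the defensive point of the `arp -s` command: a static entry is not replaced by later ARP replies, so pinning the gateway on hosts that matter removes the attack surface the first two checks detect.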
• Enables passive sniffing, man-in-the-middle attacks and denial-of-service attacks
• http://www.oxid.it/downloads/apr-intro.swf

ARP Cache
• Default cache time-outs: two minutes (unused entries), ten minutes (used entries)
• arp -a                                   display the cache
• arp -d 10.10.34.235                      delete one entry
• arp -d *                                 delete all entries
• arp -s 157.55.85.212 00-aa-00-62-c6-09   add a static entry

C:\>arp -a
Interface: 10.10.34.169 --- 0x2
  Internet Address      Physical Address      Type
  10.10.34.231          00-12-cf-28-cd-20     dynamic
  10.10.34.234          00-12-cf-29-c6-80     dynamic
  10.10.34.235          00-12-cf-28-1e-20     dynamic
  10.10.34.254          00-08-e3-dd-b3-1f     dynamic

C:\>arp -s 10.10.34.235 00-12-cf-28-1e-20

C:\>arp -a
Interface: 10.10.34.169 --- 0x2
  Internet Address      Physical Address      Type
  10.10.34.235          00-12-cf-28-1e-20     static
  10.10.34.254          00-08-e3-dd-b3-1f     dynamic

Routing information
• route print
• route -4 print
• route -6 print
• route add 163.22.16.0 mask 255.255.255.0 192.168.0.254 metric 100 if 11
• route add 163.22.16.0 mask 255.255.255.0 192.168.0.254 metric 100
• route change 163.22.16.0 mask 255.255.255.0 192.168.0.254 metric 130
• route delete 163.22.16.0
• netstat -r

Domain Name System (DNS)
• Provides translation between host names and IP addresses, e.g. www.im.ncnu.edu.tw ↔ 163.22.20.16
• Provided by DNS servers
• RR-DNS (Round Robin DNS): www.yahoo.com (8 servers): 66.218.71.90, 66.218.71.80, 66.218.71.95, …
• DDNS (Dynamic DNS): host name ↔ dynamic ("floating") IP address
• ipconfig /displaydns
• ipconfig /flushdns

nslookup
• An interactive program for querying Internet Domain Name System servers
• Converts a hostname into an IP address and vice versa by querying DNS
• Useful to identify the subnet a host or node belongs to
• Lists the contents of a domain, displaying DNS records

DNS Lookup
C:\>nslookup
Default Server:  academic.ncnu.edu.tw
Address:  163.22.2.1

> www.cnn.com
Server:  academic.ncnu.edu.tw
Address:  163.22.2.1

Non-authoritative answer:
Name:    www.cnn.com
Addresses:  64.236.29.120, 64.236.91.21, 64.236.16.20, 64.236.16.52
            64.236.16.84, 64.236.24.12, 64.236.24.20, 64.236.24.28

> 163.22.20.16
Server:  academic.ncnu.edu.tw
Address:  163.22.2.1

Name:    euler.im.ncnu.edu.tw
Address:  163.22.20.16
Aliases:  16.20.22.163.in-addr.arpa

>

Ping
• Most basic tool for internet management
• Based on the ICMP ECHO_REQUEST message
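Added example (not from the slides): the selection rule behind the `route add` / `route change` / `route delete` commands in the routing section above, modelled in Python. Only the 163.22.16.0/24 route and its gateway 192.168.0.254 come from the slides; the default route, the on-link route and the host 163.22.16.5 are constructed to show that a more specific prefix wins even when its metric is worse, and that the metric only decides between routes of equal prefix length.

```python
"""Route selection model for the Windows `route` commands (added example, not from the slides)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Route:
    network: ipaddress.IPv4Network   # destination + mask, e.g. 163.22.16.0/24
    gateway: str
    metric: int
    interface: int                   # the "if 11" interface index


class RouteTable:
    """Minimal model of the host routing table that `route print` displays."""

    def __init__(self) -> None:
        self.routes: List[Route] = []

    def add(self, dest: str, mask: str, gateway: str, metric: int, interface: int) -> None:
        # route add <dest> mask <mask> <gateway> metric <metric> if <interface>
        self.routes.append(Route(ipaddress.IPv4Network(f"{dest}/{mask}"), gateway, metric, interface))

    def change(self, dest: str, mask: str, gateway: str, metric: int) -> bool:
        # route change <dest> mask <mask> <gateway> metric <metric>
        net = ipaddress.IPv4Network(f"{dest}/{mask}")
        for r in self.routes:
            if r.network == net:
                r.gateway, r.metric = gateway, metric
                return True
        return False

    def delete(self, dest: str) -> int:
        # route delete <dest>: drop every route whose destination address matches
        before = len(self.routes)
        self.routes = [r for r in self.routes if str(r.network.network_address) != dest]
        return before - len(self.routes)

    def lookup(self, ip: str) -> Optional[Route]:
        # Longest prefix match first; among equal-length prefixes the lowest metric wins.
        addr = ipaddress.IPv4Address(ip)
        matches = [r for r in self.routes if addr in r.network]
        if not matches:
            return None
        return max(matches, key=lambda r: (r.network.prefixlen, -r.metric))


def demo():
    """Replay the slide's commands and report which gateway 163.22.16.5 is sent to at each step."""
    t = RouteTable()
    # Constructed baseline resembling `route print` on the 192.168.0.107 host
    t.add("0.0.0.0", "0.0.0.0", "192.168.0.1", 20, 11)         # default route
    t.add("192.168.0.0", "255.255.255.0", "0.0.0.0", 276, 11)   # on-link network
    via_default = t.lookup("163.22.16.5").gateway
    # The commands from the slide
    t.add("163.22.16.0", "255.255.255.0", "192.168.0.254", 100, 11)
    via_added = t.lookup("163.22.16.5").gateway          # /24 beats /0 although 100 > 20
    t.change("163.22.16.0", "255.255.255.0", "192.168.0.254", 130)
    metric_now = t.lookup("163.22.16.5").metric
    t.delete("163.22.16.0")
    after_delete = t.lookup("163.22.16.5").gateway       # back to the default route
    return via_default, via_added, metric_now, after_delete


if __name__ == "__main__":
    print(demo())
```

The practical consequence for forensics: a single `route add` for a /24 silently diverts that network away from the default gateway regardless of metric, so a routing-table review should sort by prefix length, not by metric.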
• Available on all TCP/IP stacks
• Useful for measuring connectivity, packet loss and round-trip time
• Can do auto-discovery of TCP/IP-equipped stations on a single segment

ping
Usage: ping [-t] [-a] [-n count] [-l size] [-f] [-i TTL] [-v TOS]
            [-r count] [-s count] [[-j host-list] | [-k host-list]]
            [-w timeout] destination-list

Options:
    -t             Ping the specified host until stopped.
                   To see statistics and continue - type Control-Break;
                   To stop - type Control-C.
    -a             Resolve addresses to hostnames.
    -n count       Number of echo requests to send.
    -l size        Send buffer size.
    -f             Set Don't Fragment flag in packet.
    -i TTL         Time To Live.
    -v TOS         Type Of Service.
    -r count       Record route for count hops.
    -s count       Timestamp for count hops.
    -j host-list   Loose source route along host-list.
    -k host-list   Strict source route along host-list.
    -w timeout     Timeout in milliseconds to wait for each reply.

Example
C:\>ping -n 10 -l 256 www.im.ncnu.edu.tw

Pinging euler.im.ncnu.edu.tw [163.22.20.16] with 256 bytes of data:

Reply from 163.22.20.16: bytes=256 time=1ms TTL=253
Reply from 163.22.20.16: bytes=256 time=1ms TTL=253
Reply from 163.22.20.16: bytes=256 time=1ms TTL=253
Reply from 163.22.20.16: bytes=256 time=1ms TTL=253
Reply from 163.22.20.16: bytes=256 time=1ms TTL=253
Reply from 163.22.20.16: bytes=256 time=1ms TTL=253
Reply from 163.22.20.16: bytes=256 time=1ms TTL=253
Reply from 163.22.20.16: bytes=256 time=1ms TTL=253
Reply from 163.22.20.16: bytes=256 time=1ms TTL=253
Reply from 163.22.20.16: bytes=256 time=1ms TTL=253

Ping statistics for 163.22.20.16:
    Packets: Sent = 10, Received = 10, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 1ms, Average = 1ms

traceroute/tracert
tracert www.hinet.net

Usage: tracert [-d] [-h maximum_hops] [-j host-list] [-w timeout] target_name

Options:
    -d                 Do not resolve addresses to hostnames.
    -h maximum_hops    Maximum number of hops to search for target.
    -j host-list       Loose source route along host-list.
    -w timeout         Wait timeout milliseconds for each reply.
C:\>tracert www.facebook.com

Tracing route to star.c10r.facebook.com [31.13.82.1]
over a maximum of 30 hops:

  1     8 ms     8 ms     8 ms  h254.s98.ts.hinet.net [168.95.98.254]
  2     8 ms     8 ms     8 ms  168.95.220.98
  3     9 ms     8 ms     8 ms  NTNK-3101.hinet.net [220.128.21.110]
  4    11 ms    11 ms    11 ms  tchn-3011.hinet.net [220.128.16.98]
  5    16 ms    14 ms    14 ms  TPDT-3011.hinet.net [220.128.16.6]
  6    11 ms    12 ms    11 ms  r4103-s2.tp.hinet.net [220.128.7.29]
  7    12 ms    13 ms    12 ms  r4003-s2.tp.hinet.net [220.128.7.229]
  8    96 ms    96 ms    96 ms  211-72-233-77.HINET-IP.hinet.net [211.72.233.77]
  9    97 ms    97 ms    97 ms  ae-5.r00.tokyjp03.jp.bb.gin.ntt.net [129.250.5.29]
 10    97 ms    98 ms    97 ms  ae-0.facebook.tokyjp03.jp.bb.gin.ntt.net [61.213.145.74]
 11    97 ms    97 ms    97 ms  po126.msw01.01.nrt1.tfbnw.net [31.13.27.221]
 12    99 ms    99 ms    99 ms  edge-star-ecmp-01-nrt1.facebook.com [31.13.82.1]

http://www.visualroute.com/

netstat
TCP Connection Monitoring
C:\>netstat -n -a

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1234           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1235           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1236           0.0.0.0:0              LISTENING
  TCP    163.31.153.68:1234     163.22.3.4:80          ESTABLISHED
  TCP    163.31.153.68:1235     163.22.4.67:80         ESTABLISHED
  TCP    163.31.153.68:1236     163.22.4.67:80         SYN_SENT
  UDP    0.0.0.0:135            *:*
  UDP    0.0.0.0:445            *:*
  UDP    0.0.0.0:38037          *:*
  UDP    127.0.0.1:1230         *:*
  UDP    163.31.153.68:500      *:*

NETSTAT [-a] [-e] [-n] [-s] [-p proto] [-r] [interval]

  -a            Displays all connections and listening ports.
  -e            Displays Ethernet statistics. This may be combined with the -s option.
  -n            Displays addresses and port numbers in numerical form.
  -p proto      Shows connections for the protocol specified by proto; proto may be TCP or UDP.
                If used with the -s option to display per-protocol statistics, proto may be
                TCP, UDP, or IP.
  -r            Displays the routing table.
  -s            Displays per-protocol statistics. By default, statistics are shown for TCP,
                UDP and IP; the -p option may be used to specify a subset of the default.
  interval      Redisplays selected statistics, pausing interval seconds between each
                display. Press CTRL+C to stop redisplaying statistics. If omitted,
                netstat will print the current configuration information once.

netstat -p TCP
netstat -b -p TCP
netstat -e

Network Management Tools
SNMP Command Tools
• MIB Walk
• MIB Browser
• snmptest
• snmpget
• snmpgetnext
• snmpset
• snmptrap
• snmpwalk
• snmpnetstat

Network Status
• Command: snmpnetstat host community
• Useful for finding the status of network connections

% snmpnetstat noc5 public
Active Internet Connections
Proto Recv-Q Send-Q  Local Address      Foreign Address    (state)
tcp        0      0  *.*                *.*                CLOSED
tcp        0      0  localhost.46626    localhost.3456     ESTABLISHED
tcp        0      0  localhost.46626    localhost.3712     ESTABLISHED
tcp        0      0  localhost.46626    localhost.3968     ESTABLISHED
tcp        0      0  localhost.46626    localhost.4224     ESTABLISHED
tcp        0      0  localhost.3456     localhost.46626    ESTABLISHED
tcp        0      0  localhost.3712     localhost.46626    ESTABLISHED
tcp        0      0  localhost.3968     localhost.46626    ESTABLISHED
tcp        0      0  localhost.4224     localhost.46626    ESTABLISHED
tcp        0      0  noc5.41472         noc5.4480          ESTABLISHED
tcp        0      0  noc5.41472         noc5.4736          ESTABLISHED
tcp        0      0  noc5.4480          noc5.41472         ESTABLISHED
tcp        0      0  noc5.4736          noc5.41472         ESTABLISHED

SNMP Browser
• Command: snmpwalk host community [variable name]
• Uses the Get Next command
• Presents the MIB tree

Protocol Analyzer
• Analyzes data packets on any transmission line, including a LAN
• Measurements are made locally or remotely
• A probe (data capture device) captures the raw data transferred on a modem/WAN or LAN link and forwards it to the protocol analyzer; the probe itself has no storage
• The data link between the probe and the protocol analyzer is a dial-up line, a dedicated link, or the LAN
• The protocol analyzer analyzes the data at all protocol levels

RMON Probe
• The RMON probe sits on the LAN and communicates with the protocol analyzer using SNMP; the SNMP traffic crosses the routers and the backbone network
• Data is gathered and stored for an extended period of time and analyzed later
• Used for gathering traffic statistics, and for configuration management for performance tuning
Network Monitoring with RMON Probe
Figure 12.15 Monitoring of Total Network with Individual RMON Probes
(figure: a backbone network joined by routers to an FDDI LAN with an FDDI probe, an Ethernet LAN with an Ethernet probe, and a Token Ring LAN with a Token Ring probe; a single protocol analyzer collects from all probes)

Network Statistics
• Protocol analyzers
• RMON probe / protocol analyzer
• MRTG (Multi Router Traffic Grapher)
• Home-grown program using tcpdump

Protocol Distribution
Figure 8.5 HostTop-10 Output Octets
(bar chart: Traffic Load by Source for Host 1 to Host 10, HostTopN, x-axis 0 to 400 Giga Octets; a second view shows Traffic Load by Source/Destination)

Network Monitoring
• By polling
• By traps (notifications)
• Failure is indicated by pinging or by traps
• Ping frequency is a trade-off between network load and quickness of detection
• Trap messages: linkDown, linkUp, coldStart, warmStart, etc.
• Network topology is discovered by auto-discovery

Segment View
• Global View
• Domain View

Node Discovery In a Network
Node Discovery
Given an IP address with its subnet mask, find the nodes in the same network.

Two Major Approaches:

Use ICMP ECHO
Eg: IP address: 163.25.147.12
Subnet mask: 255.255.255.0
All possible addresses: 163.25.147.1 ~ 163.25.147.254
For each of the above addresses, use ICMP ECHO to inquire the address. If a node replies (ICMP ECHO Reply), then it is found.

Use SNMP
Find a node which supports SNMP: the given node, the default gateway or router, or try a node arbitrarily.
Query the ARP cache of the known node: the group ipNetToMediaTable in the MIB-II IP group.

ipNetToMediaIfIndex   ipNetToMediaPhysAddress   ipNetToMediaNetAddress   ipNetToMediaType
1                     00:80:43:5F:12:9A         163.25.147.10            dynamic(3)
2                     00:80:51:F3:11:DE         163.25.147.11            dynamic(3)

Network Discovery
Given a network, find the networks which directly connect with it.
Recall that networks are connected via routers.

Discovering Networks
Find the networks to be managed with their interconnections, e.g. 140.112.8.0, 140.112.6.0, 140.112.5.0, 163.25.145.0, 163.25.146.0, 163.25.147.0, 163.25.148.0, 192.168.13.0, 192.168.12.0.

Major Approach: Use SNMP

A Network Discovery Algorithm
1. First use a node discovery algorithm to find all the nodes in the network.
2. For each discovered node, use SNMP to query the ipAddrTable of the MIB-II IP group. A node with several entries is a router, and each entry reveals one directly connected network:

ipAdEntAddr       ipAdEntIfIndex   ipAdEntNetMask    ipAdEntBcastAddr
163.25.145.254    1                255.255.255.0     163.25.145.255    …
163.25.146.254    2                255.255.255.0     163.25.146.255    …
163.25.147.254    3                255.255.255.0     163.25.147.255    …

3. Query the corresponding entries in ipRouteTable to verify the above addresses.
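Added example (not from the slides): the two node-discovery approaches and the three-step network discovery algorithm above, carried out in Python against constructed SNMP table contents. Real use would replace the in-line dictionaries with `snmpwalk` results for the same MIB-II tables (ipNetToMediaTable, ipAddrTable, ipRouteTable). The router's three interfaces come from the slides; the extra static ARP entry, the hosts' own tables, the ipRouteTable contents and the 192.168.13.254 interface that fails verification are assumptions made for the example.

```python
"""Node and network discovery from MIB-II tables (added example, not from the slides)."""
import ipaddress
from typing import Dict, List, Set, Tuple


def candidate_addresses(ip: str, mask: str) -> List[str]:
    """Approach 1 (ICMP ECHO): every host address in the subnet, i.e. the ping-sweep list."""
    net = ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)
    return [str(h) for h in net.hosts()]


# Approach 2 (SNMP): constructed ipNetToMediaTable of the queried node,
# NetAddress -> (IfIndex, PhysAddress, Type). The two dynamic rows are the slide's
# example; the static row for the router itself is an assumption.
ARP_CACHE = {
    "163.25.147.10": (1, "00:80:43:5F:12:9A", "dynamic(3)"),
    "163.25.147.11": (2, "00:80:51:F3:11:DE", "dynamic(3)"),
    "163.25.147.254": (1, "00:80:43:00:00:FE", "static(4)"),
}


def nodes_from_arp_cache(arp_rows: Dict[str, tuple], ip: str, mask: str) -> Set[str]:
    """Hosts the SNMP-capable node already knows about, restricted to the subnet of interest."""
    net = ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)
    return {addr for addr in arp_rows if ipaddress.IPv4Address(addr) in net}


# Step 2 input: constructed ipAddrTable per discovered node,
# ipAdEntAddr -> (IfIndex, NetMask, BcastAddr). 163.25.147.254 is the router from the
# slides; the 192.168.13.254 row is an assumed extra interface used to show step 3.
IP_ADDR_TABLES = {
    "163.25.147.10": {"163.25.147.10": (1, "255.255.255.0", "163.25.147.255")},
    "163.25.147.11": {"163.25.147.11": (1, "255.255.255.0", "163.25.147.255")},
    "163.25.147.254": {
        "163.25.145.254": (1, "255.255.255.0", "163.25.145.255"),
        "163.25.146.254": (2, "255.255.255.0", "163.25.146.255"),
        "163.25.147.254": (3, "255.255.255.0", "163.25.147.255"),
        "192.168.13.254": (4, "255.255.255.0", "192.168.13.255"),
    },
}

# Step 3 input: constructed ipRouteTable per node, ipRouteDest -> (ipRouteMask, ipRouteType).
# direct(3) marks a directly connected network. 192.168.13.0 is deliberately absent
# from the router's table, so its ipAddrTable row fails verification.
IP_ROUTE_TABLES = {
    "163.25.147.10": {"163.25.147.0": ("255.255.255.0", "direct(3)")},
    "163.25.147.11": {"163.25.147.0": ("255.255.255.0", "direct(3)")},
    "163.25.147.254": {
        "163.25.145.0": ("255.255.255.0", "direct(3)"),
        "163.25.146.0": ("255.255.255.0", "direct(3)"),
        "163.25.147.0": ("255.255.255.0", "direct(3)"),
        "140.112.8.0": ("255.255.255.0", "indirect(4)"),
    },
}


def discover_networks(nodes: Set[str], addr_tables: Dict, route_tables: Dict) -> Tuple[Set[str], Set[str]]:
    """Steps 2 and 3 of the algorithm. Returns (verified networks, nodes that are routers)."""
    networks: Set[str] = set()
    routers: Set[str] = set()
    for node in nodes:
        addr_table = addr_tables.get(node, {})
        if len(addr_table) > 1:            # more than one interface address: a router
            routers.add(node)
        for addr, (_ifindex, mask, _bcast) in addr_table.items():
            net = ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
            dest = str(net.network_address)
            route_mask, route_type = route_tables.get(node, {}).get(dest, (None, None))
            # Step 3: keep the network only if this node's ipRouteTable lists it as direct.
            if route_mask == mask and route_type and route_type.startswith("direct"):
                networks.add(str(net))
    return networks, routers


def demo():
    """Run both discovery steps for the slide's example subnet 163.25.147.0/24."""
    ip, mask = "163.25.147.12", "255.255.255.0"
    sweep = candidate_addresses(ip, mask)                   # 254 addresses, .1 ~ .254
    nodes = nodes_from_arp_cache(ARP_CACHE, ip, mask)
    networks, routers = discover_networks(nodes, IP_ADDR_TABLES, IP_ROUTE_TABLES)
    return len(sweep), sorted(nodes), sorted(networks), sorted(routers)


if __name__ == "__main__":
    print(demo())
```

The ping sweep finds only hosts that answer ICMP, while the ARP-cache approach finds only hosts the queried node has recently talked to, so a real discovery run unions the two; the step-3 check against ipRouteTable is what keeps a stale or misconfigured interface address from being reported as a managed network.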