Among the most useful tools for a network engineer's toolbox are those that combine ping, DNS lookup, and traceroute capabilities. This section introduces three of them (mtr, PingPlotter, and VisualRoute).
mtr is a command-line tool for real-time path surveillance and statistics. PingPlotter and VisualRoute are commercial graphical tools available as trial downloads that add a great deal of statistics and correlation analysis to the ping and traceroute tools and allow probing over an extended period of time. Figures 6-9 through 6-11 provide example screenshots of these tools. VisualRoute is a product of Visualware Inc. (http://www.visualware.com), and PingPlotter is a product of Nessoft, LLC (http://www.nessoft.com).
DNS Auditing Tools
DNS consists of two parts: a resolver (the client part) and the hierarchy of Internet name servers. Consult the manual pages for operation details, in particular resolver(3) and resolv.conf(5). The most widespread package is the Berkeley Internet Name Domain (BIND) toolset; there are alternatives, however, and newer approaches for securing name server communications and signing/hashing the exchanged information (DNSSEC). A discussion of these tools goes beyond the scope of this book; we will use them in a limited way when discussing DNS round-robin (DNS RR) as a load-balancing approach. The standard query tools are nslookup, dig, and host (see Example 6-4).
Example 6-4. DNS Toolbox—dig, nslookup, and host
[root@callisto:~#] dig www.cisco.com
; <<>> DiG 9.2.2 <<>> www.cisco.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61084
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0

;; QUESTION SECTION:
;www.cisco.com.                 IN      A

;; ANSWER SECTION:
www.cisco.com.          36356   IN      A       198.133.219.25

;; AUTHORITY SECTION:
cisco.com.              38430   IN      NS      ns1.cisco.com.
cisco.com.              38430   IN      NS      ns2.cisco.com.

;; Query time: 9 msec
;; SERVER: 195.34.133.10#53(195.34.133.10)
;; WHEN: Sat Jan 31 10:31:42 2004
;; MSG SIZE  rcvd: 83

[root@callisto:~#] nslookup www.cisco.com
Note:  nslookup is deprecated and may be removed from future releases.
Consider using the `dig' or `host' programs instead.  Run nslookup with
the `-sil[ent]' option to prevent this message from appearing.
Server:         195.34.133.10
Address:        195.34.133.10#53

Non-authoritative answer:
Name:   www.cisco.com
Address: 198.133.219.25

[root@callisto:~#] host www.cisco.com
www.cisco.com has address 198.133.219.25
In addition, it is worth mentioning another useful tool, dnstracer; Example 6-5 shows it in use.
Example 6-5. dnstracer Example Output
[root@callisto:~#] dnstracer -s . www.cisco.com -o
Tracing to www.cisco.com via A.ROOT-SERVERS.NET, timeout 15 seconds
A.ROOT-SERVERS.NET [.] (198.41.0.4)
 |\___ M.GTLD-SERVERS.NET [com] (192.55.83.30)
 |     |\___ NS2.cisco.com [cisco.com] (192.135.250.69) Got authoritative answer
 |      \___ NS1.cisco.com [cisco.com] (128.107.241.185) Got authoritative answer
 |\___ E.GTLD-SERVERS.NET [com] (192.12.94.30)
 |     |\___ NS2.cisco.com [cisco.com] (192.135.250.69) (cached)
 |      \___ NS1.cisco.com [cisco.com] (128.107.241.185) (cached)
 |\___ K.GTLD-SERVERS.NET [com] (192.52.178.30)
 |     |\___ NS2.cisco.com [cisco.com] (192.135.250.69) (cached)
 |      \___ NS1.cisco.com [cisco.com] (128.107.241.185) (cached)
 |\___ J.GTLD-SERVERS.NET [com] (192.48.79.30)
 |     |\___ NS2.cisco.com [cisco.com] (192.135.250.69) (cached)
 |      \___ NS1.cisco.com [cisco.com] (128.107.241.185) (cached)
 |\___ F.GTLD-SERVERS.NET [com] (192.35.51.30)
 |     |\___ NS2.cisco.com [cisco.com] (192.135.250.69) (cached)
 |      \___ NS1.cisco.com [cisco.com] (128.107.241.185) (cached)
 |\___ L.GTLD-SERVERS.NET [com] (192.41.162.30)
 |     |\___ NS2.cisco.com [cisco.com] (192.135.250.69) (cached)
 |      \___ NS1.cisco.com [cisco.com] (128.107.241.185) (cached)
 |\___ D.GTLD-SERVERS.NET [com] (192.31.80.30)
 |     |\___ NS2.cisco.com [cisco.com] (192.135.250.69) (cached)
 |      \___ NS1.cisco.com [cisco.com] (128.107.241.185) (cached)
 |\___ B.GTLD-SERVERS.NET [com] (192.33.14.30)
 |     |\___ NS2.cisco.com [cisco.com] (192.135.250.69) (cached)
 |      \___ NS1.cisco.com [cisco.com] (128.107.241.185) (cached)
 |\___ I.GTLD-SERVERS.NET [com] (192.43.172.30)
 |     |\___ NS2.cisco.com [cisco.com] (192.135.250.69) (cached)
 |      \___ NS1.cisco.com [cisco.com] (128.107.241.185) (cached)
 |\___ C.GTLD-SERVERS.NET [com] (192.26.92.30)
 |     |\___ NS2.cisco.com [cisco.com] (192.135.250.69) (cached)
 |      \___ NS1.cisco.com [cisco.com] (128.107.241.185) (cached)
 |\___ H.GTLD-SERVERS.NET [com] (192.54.112.30)
 |     |\___ NS2.cisco.com [cisco.com] (192.135.250.69) (cached)
 |      \___ NS1.cisco.com [cisco.com] (128.107.241.185) (cached)
 |\___ G.GTLD-SERVERS.NET [com] (192.42.93.30)
 |     |\___ ns2.cisco.com [cisco.com] (192.135.250.69) (cached)
 |      \___ ns1.cisco.com [cisco.com] (128.107.241.185) (cached)
  \___ A.GTLD-SERVERS.NET [com] (192.5.6.30)
       |\___ ns2.cisco.com [cisco.com] (192.135.250.69) (cached)
        \___ ns1.cisco.com [cisco.com] (128.107.241.185) (cached)

NS1.cisco.com (128.107.241.185) www.cisco.com -> 198.133.219.25
NS2.cisco.com (192.135.250.69) www.cisco.com -> 198.133.219.25
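A routine audit step with these tools is to query each server named in the AUTHORITY section directly (dig @ns1.cisco.com www.cisco.com, and so on) and confirm that their answers agree, which is what the tail of the dnstracer output above shows by hand. The following is an added example, not code from the book: it parses dig's text output into its sections and compares the ANSWER records from several servers; the first sample is the dig output of Example 6-4, the other two are constructed variants of it.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample: the dig answer from Example 6-4 (addresses as on the
# page); the two variants below are constructed to exercise the check.
DIG_NS1 = """\
; <<>> DiG 9.2.2 <<>> www.cisco.com
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61084
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0

;; QUESTION SECTION:
;www.cisco.com.                 IN      A

;; ANSWER SECTION:
www.cisco.com.          36356   IN      A       198.133.219.25

;; AUTHORITY SECTION:
cisco.com.              38430   IN      NS      ns1.cisco.com.
cisco.com.              38430   IN      NS      ns2.cisco.com.

;; SERVER: 195.34.133.10#53(195.34.133.10)
"""
DIG_NS2 = DIG_NS1.replace("id: 61084", "id: 61085")              # same answer, other server
DIG_STALE = DIG_NS1.replace("198.133.219.25", "198.133.219.26")  # a diverging answer

Record = Tuple[str, int, str, str, str]  # owner name, TTL, class, type, rdata

def parse_dig(output: str) -> Dict[str, List[Record]]:
    """Split dig's text output into its sections (ANSWER, AUTHORITY, ...)."""
    sections: Dict[str, List[Record]] = {}
    current = None
    for line in output.splitlines():
        m = re.match(r";; (\w+) SECTION:", line)
        if m:
            current = m.group(1)
            sections[current] = []
            continue
        # comment lines (';'), blank lines and text before any section are skipped
        if not line or line.startswith(";") or current is None:
            continue
        fields = line.split()
        if len(fields) >= 5:
            name, ttl, cls, rtype = fields[:4]
            sections[current].append((name, int(ttl), cls, rtype, " ".join(fields[4:])))
    return sections

def rdata(sections: Dict[str, List[Record]], section: str, rtype: str) -> Set[str]:
    """The rdata values of one record type in one section, e.g. the NS names."""
    return {r[4] for r in sections.get(section, []) if r[3] == rtype}

def answers_agree(outputs: List[str], rtype: str = "A") -> bool:
    """True when every server's ANSWER section carries the same rdata set."""
    seen = [rdata(parse_dig(o), "ANSWER", rtype) for o in outputs]
    return all(s == seen[0] for s in seen)
```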
Traffic and Packet Generators
This section discusses the packet-generation capabilities of the BSD ipfilter firewall package, the Linux kernel module packet generator, and some additional tools for heavy load testing and simulated denial-of-service (DoS) patterns. This arsenal is useful to test traffic shapers, forwarding, filtering performance, network quality of service (QoS), stateful inspection, and Network Address Translation (NAT), just to name a few. Traffic generators generally are concerned with a huge amount of output, whereas packet generators typically are used as a "scalpel" to test firewalls and protocol implementations/compliance.
CAUTION
Exercise extreme care when using these facilities in real-life networks; they are extremely powerful. Check the traffic with a sniffer; you will find what is going on pretty impressive.
What You Need in a Small Toolbox
The following tools have proven useful for packet and traffic creation as well as network testing. They are quite similar in nature, and it is really up to you to decide on a favorite:
Aicmpsend
Sendip
IP Sorcery (ipmagic/magic tools)
Excalibur
Hping2
Traffic (client/server)
Scapy
Example 6-6 presents aicmpsend, sendip, and ipmagic in action. You can deploy them to test security installations and protocol behavior. See the "Recommended Reading" section at the end of this chapter for download locations of these tools.
Example 6-6. Selection of Packet-Generator Tools
[root@callisto:~#] aicmpsend -d 192.168.1.1 -E
ICMP packet: 1 TTL=64
Sending ICMP error from 127.0.0.1 to 192.168.1.1.
Data:
ICMP error: Echo
[root@callisto:~#] sendip -p ipv4 192.168.1.254
[root@callisto:~#] ipmagic -h
Usage: ipmagic [options]
IP: [-is|-id|-ih|-iv|-il|-it|-io|-id|-ip]
-is: source host or address def. 127.0.0.1
-id: source destination or address def. 127.0.0.1
-ih: IP header length def. 5
-iv: IP version def. 4
-il: Time-to-Live def. 64
-it: Type-of-Service def. 0
-io: IP frag offset [(D)on't Fragment | (M)ore Fragments | (F)ragment | (N)one]
-i: IP packet ID for fragmentation def. 0
-ip: IP protocol [TCP | UDP | ICMP | IP] def. TCP
-iO: IP options
TCP: [-ts | -td | -to | -tq | -ta | -tf | -tw | -tu]
-ts: TCP source port, def. rand()
-td: TCP destination port def. 80
-to: TCP data offset of header def. 5
-tq: TCP sequence number def. rand()
-ta: TCP ack sequence number def. 0
-tf: TCP flags [(S)yn | (A)ck | (F)in | (P)ush | (R)st | (U)rg | (N)one] def. S
-tw: TCP Window Size def. rand()
-tu: TCP urg pointer def. 0
UDP: [-us | -ud | -ul]
-us: UDP source port def. rand()
-ud: UDP destination port def. 161
-ul: UDP length
RIP: [-uR |-uRc |-uRv]
-uR: Send default RIP packet to port 520
-uRc: RIP command [RQ | RS | TN | TF | SR | TQ | TS | TA | UQ | US | UA] def. RQ
For a list of RIP commands run program with -h rip
-uRv: RIP version [1 | 2] def. 2
Note: Entry Tables should be used with response packets[RS | TS | US]
-uRa(1 | 2 | etc.): RIP Entry table Address exmp. -uRa1
-uRn(1 | 2 | etc.): RIP Entry table Netmask, exmp. -uRn2
-uRh(1 | 2 | etc.): RIP Entry table Next Hop, exmp. -uRn(num)
-uRm(1 | 2 | etc.): RIP Entry table Metric
-uRr(1 | 2 | etc.): RIP Entry table Route Tag
-uRe: Add default RIP entry table to packet
ICMP: [-ct | -cs]
-ct: ICMP type def. ECHO REQUEST
-cs: ICMP sub code def. 0
-ci: ICMP sequence ID def. 0
For list of ICMP Types and Subcodes run program with -h icmp.
IGMP:[-gt | -gc | -ga | -gn]
-gt: IGMP type [D | L | M | MT | MR | P | R1 | R2 | R3] def. M
-gc: IGMP sub code for types P and D def. 0
-gm: IGMP Max. resp. Time for Queries ie. MR
-ga: IGMP group address def. 0
-gn: IGMP no router alert or no internetwork Type-Of-Service [r | i | | ]
For list of IGMP Types and Subcodes run program with -h igmp.
OSPF:[-ov | -ot | -or | -oe | -oa | -ou]
-ov: OSPF Version
-ot: OSPF Type[(H)ello | (D)b Desc. | (R)equest | (U)pdate | (A)ck]
-or: OSPF Router ID
-oe: OSPF Area ID
-oa: OSPF Auth Type[(N)one | (P)ass | (C)rypto]
-ou : OSPF Authentication Data
-D "": for datapayload
-N
-S
-v: print version
The BSD ipfilter Traffic Generator
The BSD ipfilter stateful firewall package comes equipped with the following tools primarily designed for firewall testing:
ipsend
ipresend
iptest
Consult the manual pages for further information. Example 6-7 and Example 6-8 present demonstrations of the BSD iptest, ipsend, and ipresend tools.
Example 6-7. BSD ipfilter Ancillary Tools in Action
[root@castor:~#] iptest
Usage: iptest [options] dest
options:
-d device Send out on this device
-g gateway IP gateway to use if non-local dest.
-m mtu fake MTU to use when sending out
-p pointtest
-s src source address for IP packet
-1 Perform test 1 (IP header)
-2 Perform test 2 (IP options)
-3 Perform test 3 (ICMP)
-4 Perform test 4 (UDP)
-5 Perform test 5 (TCP)
-6 Perform test 6 (overlapping fragments)
-7 Perform test 7 (random packets)
[root@castor:~#] iptest -d ed0 -g 192.168.7.254 -1 192.168.14.1
Device: ed0
Source: 192.168.7.7
Dest: 192.168.14.1
Gateway: 192.168.7.254
mtu: 1500
1.1. sending packets with ip_hl < ip_len
7
1.2. sending packets with ip_hl > ip_len
12
1.3. ip_v < 4
3
1.4. ip_v > 4
15
1.5.0 ip_len < packet size (size++, long packets)
63
1.5.1 ip_len < packet size (ip_len-, short packets)
10
1.6.0 ip_len > packet size (increase ip_len)
63
1.6.1 ip_len > packet size (size--, short packets)
10
1.7.0 Zero length fragments (ip_off = 0x2000)
1.7.1 Zero length fragments (ip_off = 0x3000)
1.7.2 Zero length fragments (ip_off = 0xa000)
1.7.3 Zero length fragments (ip_off = 0x0100)
1.8.1 63k packet + 1k fragment at offset 0x1ffe
65792
1.8.2 63k packet + 1k fragment at offset 0x1ffe
skip 12800
skip 37376
skip 61952
65792
1.8.3 33k packet
33536
1.9. ip_off & 0x8000 == 0x8000
1.10.0 ip_ttl = 255
1.10.1 ip_ttl = 128
1.10.2 ip_ttl = 0
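Seen from the receiving side, the test-1 packets above are exactly the headers a firewall or IDS must reject before any stateful logic runs. The following is an added example, not code from the book or the ipfilter package: ipv4_header_problems checks a raw IPv4 header for the malformations iptest's test 1 exercises (bad version, header length, total length, zero-length and oversized fragments, reserved bit, TTL 0, checksum), and build_ipv4 constructs sample packets using the addresses of the example above.

```python
import struct
from typing import List, Optional

def checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum; verifying a stored header yields 0."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_ipv4(payload: bytes = b"", version: int = 4, ihl: int = 5,
               ip_len: Optional[int] = None, ip_off: int = 0, ttl: int = 64) -> bytes:
    """Construct a sample packet (constructed test data, as ipsend could emit it)."""
    if ip_len is None:
        ip_len = 20 + len(payload)            # true size unless deliberately faked
    hdr = struct.pack("!BBHHHBBH4s4s", (version << 4) | ihl, 0, ip_len, 1, ip_off,
                      ttl, 1, 0, bytes([192, 168, 7, 7]), bytes([192, 168, 14, 1]))
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]   # fill checksum
    return hdr + payload

def ipv4_header_problems(pkt: bytes) -> List[str]:
    """Flag the header malformations iptest's test 1 sends; [] means well-formed."""
    if len(pkt) < 20:
        return ["truncated: fewer than 20 bytes"]
    vhl, _tos, ip_len, _id, ip_off, ttl, _proto, _csum = struct.unpack("!BBHHHBBH", pkt[:12])
    version, ip_hl = vhl >> 4, (vhl & 0x0F) * 4
    found = []
    if version != 4:
        found.append(f"ip_v = {version} (expected 4)")             # 1.3 / 1.4
    if ip_hl < 20:
        found.append(f"ip_hl = {ip_hl} bytes (< 20)")              # 1.1 (ip_hl too small)
    if ip_hl > ip_len:
        found.append(f"ip_hl {ip_hl} > ip_len {ip_len}")           # 1.2
    if ip_len < len(pkt):
        found.append(f"ip_len {ip_len} < packet size {len(pkt)}")  # 1.5
    if ip_len > len(pkt):
        found.append(f"ip_len {ip_len} > packet size {len(pkt)}")  # 1.6
    mf, frag_off = ip_off & 0x2000, ip_off & 0x1FFF
    if (mf or frag_off) and ip_len == ip_hl:
        found.append("zero-length fragment")                       # 1.7.x
    if frag_off * 8 + (ip_len - ip_hl) > 65535:
        found.append("fragment reassembles past 65535 bytes")      # 1.8.x
    if ip_off & 0x8000:
        found.append("reserved bit 0x8000 set in ip_off")          # 1.9
    if ttl == 0:
        found.append("ip_ttl = 0")                                  # 1.10.2
    if checksum(pkt[:ip_hl]) != 0:
        found.append("bad header checksum")
    return found
```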
Example 6-8. Example Use of the ipsend Utility
[root@castor:~#] ipsend
Usage: ipsend [options] dest [flags]
options:
-d debug mode
-i device Send out on this device
-f fragflags can set IP_MF or IP_DF
-g gateway IP gateway to use if non-local dest.
-I code,type[,gw[,dst[,src]]] Set ICMP protocol
-m mtu fake MTU to use when sending out
-P protocol Set protocol by name
-s src source address for IP packet
-T Set TCP protocol
-t port destination port
-U Set UDP protocol
-v verbose mode
-w
Usage: ipsend [-dv] -L
options:
-d debug mode
-L filename Use IP language for sending packets
-v verbose mode
[root@castor:~#] ipsend -i ed0 -P tcp -g 192.168.7.254 192.168.14.1
Device: ed0
Source: 192.168.7.7
Dest: 192.168.14.1
Gateway: 192.168.7.254
mtu: 1500
[root@castor:~#] ipresend
Usage: ipresend [options] <-r filename |-R filename>
-r filename snoop data file to resend
-R filename libpcap data file to resend
options:
-d device Send out on this device
-g gateway IP gateway to use if non-local dest.
-m mtu fake MTU to use when sending out
The Linux Kernel Packet Generator
The Linux packet generator requires the kernel to be built with packet-generator support as a module (pktgen.o); it is used via a script derived from its documentation (pktgen.txt in the Linux 2.4.x kernel documentation folder). The source code of this script is provided in Example 6-9.
Example 6-9. Script That Interacts with the Linux Kernel Packet-Generator Module
#!/bin/bash
# Load the pktgen module and drive it through its /proc interface.
# Source this file (. ./pktgen.sh) so that pg stays available to start the run.
modprobe pktgen

# Write one command to pktgen; report anything other than "Result: OK:"
pgset() {
    local result
    echo "$1" > /proc/net/pg
    result=`fgrep "Result: OK:" /proc/net/pg`
    if [ "$result" = "" ]; then
        fgrep Result: /proc/net/pg
    fi
}

# Start the injection and show the generator's status
pg() {
    echo inject > /proc/net/pg
    cat /proc/net/pg
}

pgset "odev eth0"        # set output interface
pgset "dst 192.168.7.7"  # set IP destination address
pgset "count 40000"      # set number of packets to send
#pgset "multiskb 1"      # use multiple SKBs for packet generation
#pgset "multiskb 0"      # use single SKB for all transmits
#pgset "pkt_size 9014"   # sets packet size to 9014
#pgset "frags 5"         # packet will consist of 5 fragments
#pgset "ipg 5000"        # sets artificial gap inserted between packets
                         # to 5000 nanoseconds
#pgset "dstmac 00:00:00:00:00:00"  # sets MAC destination address
#pgset stop              # aborts injection
Performance-Testing and Network-Benchmarking Tools
This family of tools provides network performance information and benchmarking, usually by taking a client/server approach that allows very accurate end-to-end information and statistics to be collected. These tools are powerful and complex; refer to the repository documentation for further details. Some interesting representatives of this family of tools are as follows:
Netperf (Network Performance Benchmarking)
NetPIPE (Network Protocol Independent Performance Evaluator)
ttcp/wsttcp (Test TCP [TTCP]; a benchmarking tool for measuring TCP and UDP performance)
NOTE
A thorough discussion of network performance measurement would dive too much into stack internals and go far beyond the scope of this book.