An Open Source Approach - National Chiao Tung...


Page 1: An Open Source Approach - National Chiao Tung Universityspeed.cis.nctu.edu.tw/~ydlin/course/cn/mcn_slide/1-in-1... · 2018-06-07 · 2001/9/28 10 (I. Development Tools, Programming)

2001/9/28 1

Modern Computer Networks: An Open Source Approach

Appendix B: Development Tools
Appendix C: Network Experiment Tools

Ming-Wei Wu

Outline

I. Development Tools
  1. Programming (vim, gcc, make)
  2. Debugging (gdb, ddd, kgdb)
  3. Maintaining (cvs, rpm)

II. Network Experiment Tools
  1. Name-Addressing (host, arp)
  2. Perimeter-Probing (ping, traceroute)
  3. Traffic-Monitoring (tcpdump, netstat)
  4. Benchmarking (ttcp, WebStone)
  5. Simulating/Emulating (ns, NIST Net)
  6. Hacking (nessus, ethereal, tfn2k)

III. Further readings

Style of Introducing Each Tool

Roadmap (if possible)

I. Overview:
  1. Design goal
  2. and/or Features
  3. and/or Brief history

II. Operating concepts
  1. Protocol
  2. and/or Architecture

III. Hands-on
  1. How-To
  2. and/or screenshots
  3. and/or examples

Scenario (if possible)

(I. Development Tools) Programming

- How to begin writing your first piece of code…
  - Text Editing, Visual Improved: vim
- Then compile that piece of code…
  - Compiling, GNU C Compiler: gcc
- Try to recompile several pieces of code smartly…
  - make/makefile

(I. Development Tools, Programming) vim

- Visual Improved
- The prevailing UNIX text editor
- Friendly
  - Easier than emacs
  - Way more feature-rich than pico-style editors
  - gvim for windoze
- Extensible syntax dictionary
- Powerful
  - Almost nothing can't be done by vim
  - Compile (e.g. jump to error line)
  - Macro (e.g. even a tic-tac-toe game)
  - File browser

(I. Development Tools, Programming, vim) How-To

- 1. Getting Started with vim
  - 1.1 Special characters:
    - ESC, switch to command-line mode
    - CR, return key
    - DEL, send an interrupt
  - 1.2 Getting in & out:
    - vim xxx, to edit xxx
    - ZZ, to save and quit
    - :q!CR, to quit without saving
    - :wq!CR, to save and quit

(I. Development Tools, Programming, vim) How-To

- 2. Moving around
  - 2.1 Scrolling & paging
    - ctrl+D, scroll down; ctrl+U, scroll up
    - ctrl+F, page forward; ctrl+B, page backward
  - 2.2 Searching, goto, and previous context
    - /, forward search; ?, backward search; n, next search
    - *, next forward search (current focused string)
    - #, next backward search (current focused string)
    - 1G, goto line 1; #G, goto line #; G, goto the end of file
    - ctrl+G, show state of current file
    - '', previous position
  - 2.3 Moving around on the screen
    - h, j, k, l, arrow keys
    - ^, beginning of the line; $, end of the line

(I. Development Tools, Programming) gcc

[Compilation pipeline, figure reconstructed as text]

  .c / .C / .cc  ->  Preprocessor (cpp, the C Preprocessor)
                 ->  Compiler (gcc, GNU C Compiler)               ->  .s
                 ->  Assembler (gas, the portable GNU assembler)  ->  .o
  .o (+ .a)      ->  Linker (ld, the GNU linker)                  ->  a.out

(I. Development Tools, Programming, gcc) How-To

- -c, compile to an object file without linking
  - e.g. gcc -c test.c
- -o, specify the output filename
  - e.g. gcc -o test test.o
- -g, compile with debugging information; the compiled size is larger than with -c alone
  - e.g. gcc -g test.c
- -O, optimization
  - e.g. gcc -O test.c

(I. Development Tools, Programming) make

- Make, a utility that reads the makefile database (and the last modification time of each source file) to determine which pieces of a large program need to be recompiled (updated), and issues the corresponding commands.
- Makefile, a text-based data file that describes the relationships among the files in a large program and states the commands for updating each file.
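The decision make takes from those modification times, as an added example (not code from the slides): a shell function that applies make's rule "rebuild a target that is missing or older than any prerequisite" using the shell's -nt test, beside the Makefile that encodes the same test.c -> test.o -> test dependency chain. The file names and timestamps are constructed for the demonstration; make itself is not invoked, so the logic can be followed without it.

```shell
#!/bin/sh
# Added example: reproduce make's out-of-date check and write the equivalent
# Makefile. Paths and timestamps below are constructed for this demonstration.

# Usage: needs_rebuild TARGET PREREQ...   -> prints "rebuild" or "up-to-date"
needs_rebuild() {
    target=$1; shift
    [ -e "$target" ] || { echo rebuild; return 0; }   # missing target: always build
    for dep in "$@"; do
        # -nt is true when the prerequisite's mtime is newer than the target's
        if [ "$dep" -nt "$target" ]; then echo rebuild; return 0; fi
    done
    echo up-to-date
}

# Write a Makefile with the same dependency graph. Recipe lines must start
# with a literal tab character, which is the classic makefile pitfall.
write_makefile() {
    cat > "$1/Makefile" <<'EOF'
CC = gcc
CFLAGS = -g

test: test.o
	$(CC) -o test test.o

test.o: test.c
	$(CC) $(CFLAGS) -c test.c

clean:
	rm -f test test.o
EOF
}

# Constructed scenario: the object is newer than the source (up-to-date),
# then the source is "edited" (rebuild), and the executable was never linked.
demo() {
    dir=$(mktemp -d) || return 1
    write_makefile "$dir"
    : > "$dir/test.c"; : > "$dir/test.o"
    touch -t 202001010000 "$dir/test.c"      # source: 1 Jan 2020 00:00
    touch -t 202001010100 "$dir/test.o"      # object: one hour later
    first=$(needs_rebuild "$dir/test.o" "$dir/test.c")
    touch -t 202001010200 "$dir/test.c"      # edit the source: two hours later
    second=$(needs_rebuild "$dir/test.o" "$dir/test.c")
    third=$(needs_rebuild "$dir/test" "$dir/test.o")
    rm -rf "$dir"
    echo "$first $second $third"
}
demo
```

Because the check is purely timestamp-based, restoring an old file from backup (older mtime) will not trigger a rebuild; that is why "make clean" appears in the kernel recipe on the next slides.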

(I. Development Tools, Programming, make) Kernel compiling

- Kernel compiling
  - Download the up-to-date kernel source code from the Internet
  - Place it in /usr/src
  - Unzip it using tar
  - Rename it (default is "linux") accordingly (e.g. linux-x.y.z, where x, y and z refer to the version number of the Linux kernel)
  - Create a symbolic link linux for linux-x.y.z using ln
  - Change (cd) the current directory to linux
  - Run kernel configuration (make menuconfig), then clean up the source tree and generate dependency files (make dep; make clean)
  - Create a kernel image using bzip2 compression format (make bzImage)

(I. Development Tools, Programming, make) Kernel compiling

- Kernel compiling (cont.)
  - Compile and install the modules that have been enabled in the kernel configuration (make modules; make modules_install)
  - Copy the image file from /usr/src/linux-x.y.z/arch/i386/boot/bzImage to /boot/linux-x.y.z
  - Edit /etc/lilo.conf to add a new image
  - Run lilo -v to reconfigure the LILO boot manager with this new kernel

(I. Development Tools) Debugging

- Begin debugging your program…
  - GNU Debugger: gdb
- Let's debug in a GUI fashion
  - Data Display Debugger: ddd
- How about debugging deep inside the kernel…
  - Remote Kernel GNU Debugger: kgdb

(I. Development Tools, Debugging) Road Map

[Figure reconstructed as text]

Development Tools: Debugging
  1.1 Source-level debugging: gdb (See Appendix B.1.1.)
  1.2 GUIed kernel debugging: DDD (See Appendix B.1.2.)
  1.3 Remote kernel debugging: kgdb (See Appendix B.1.3.)

  Target host: Linux kernel + kgdb  <-- RS-232 -->  Local host: Linux kernel, gdb, DDD

(I. Development Tools, Debugging) gdb

Prerequisite: gcc -g -o test test.c

First…
  gdb test            /* Get in gdb with target program "test" */
help running
  run                 /* Start debugged program */
  next                /* Step program */
  continue            /* Continue program being debugged */
help breakpoints
  break #             /* Set breakpoint at line # */
help stack
  backtrace [full]    /* Print backtrace of all stack frames (& full local variables) */
help data
  whatis EXP          /* Print data type of expression EXP */
At the end
  quit                /* Get out of gdb */

(I. Development Tools, Debugging) ddd

[Screenshot of the ddd window; labelled regions: Argument field, Source Window, Debugger Console, Status Line, Command Tool, Scroll Bar]

(I. Development Tools, Debugging) kgdb

- kgdb
  - a kernel patch for remote kernel debugging
  - source-level debugger (with the help of gdb) for the Linux kernel
  - possible to place breakpoints in kernel code, step through it and observe its variables
  - two machines are required: one is a development machine (where gdb runs) and the other is a test machine (target kernel)
  - patches the following components into a kernel:
    - gdb stub, handles requests coming from gdb on the development machine
    - modifications to fault handlers, allow kernel developers to analyze unexpected faults
    - serial communication, offers an interface for the gdb stub in the kernel to send and receive data/control over a serial line

(I. Development Tools, Debugging) kgdb

- Connecting to a debug-patched kernel (refer to the kgdb project website for details about patching a new kernel)
  - On the development machine:
    - Set the appropriate speed for the serial line
      - e.g. stty ispeed 115200 ospeed 115200 < /dev/ttyS1
    - Start gdb
      - e.g. gdbmod your_image_label
  - On the test machine:
    - Select the kgdb kernel at the lilo prompt. It will then wait for a connection from the remote gdb.
      - e.g. LILO: linux gdb [gdbttyS=2] [gdbbaud=38400]

(I. Development Tools, Debugging) kgdb

- Cont.
  - On the development machine:
    - Connect to the test machine using the gdb command "target"
        (gdb) target remote /dev/ttyS1
        Remote debugging using /dev/ttyS1
        breakpoint () at gdbstub.c:1153
        1153    }
        (gdb)
    - Now gdb is connected to the kernel and is waiting for a command. Use the continue command to let the test kernel proceed.
        (gdb) c
        Continuing.

(I. Development Tools) Maintaining

- Learn to program collaboratively…
  - Version Control - Concurrent Versions System: cvs
- Hat your program
  - Packaging - Red Hat Package Manager: rpm

(I. Development Tools, Maintaining) cvs

- Design concept: "copy-modify-merge" style of version control
- Short history
  - Dick Grune improved RCS into CVS (1986).
  - Brian Berliner rewrote it in C.
  - Jim Kingdon made CVS support networking.

(I. Development Tools, Maintaining, cvs) An OSSD Process

[Flowchart reconstructed as text]
  A personal itch -> Look for any similar projects?
    No:  Initiate a project -> Decide a license model -> Write documents and manuals
    Yes: Join that project -> Vote for a license model -> Do little document writing
  Both paths: CVS Version Control; use a mailing list for announcement and bug tracing; use OpenPGP; accept patches and modifications (vote or dictatorship); release an official version in the foreseeable future

(I. Development Tools, Maintaining, cvs) How-To

- Set up a repository (under sh and bash shells)
  - CVSROOT=/usr/local/cvs (or wherever you desire)
  - export CVSROOT
- Starting a new project
  - cvs import -m "log message" project_name vendor_tag release_tag
  - e.g. cvs import -m "my first cvs project" myproject jrandom start
- Revisions
  - Checkout (co), e.g. cvs checkout myproject
  - Update (up), e.g. cvs update project.c
  - Commit (ci), e.g. cvs commit project.c
  - Diff, e.g. cvs diff project.c

(I. Development Tools, Maintaining, cvs) How-To

- History browsing
  - Status, e.g. cvs status project.c
  - Log messages, e.g. cvs log project.c
- Release
  - Release (delete), e.g. cvs release -d myproject
- Refer to cvs --help-commands for a list of commands.

(I. Development Tools, Maintaining) rpm

- Design concept: transparent software dependency
- One line means all
  - RPM style: rpm -Uvh nessus-1.1.2.src.rpm
  - Traditional tar-ball style:
    1. tar zxvf nessus-libraries-1.0.9.tar.gz
    2. tar zxvf libnasl-1.0.9.tar.gz
    3. tar zxvf nessus-core-1.0.9.tar.gz
    4. tar zxvf nessus-plugins-1.0.9.tar.gz
    5. ./configure ; make && make install

(I. Development Tools, Maintaining, rpm) How-To

- rpm
  - -ivh, install and dump some information
  - -Uvh, update
  - -qa, list all installed rpms (query all)
    - e.g. rpm -qa | grep bind-util
  - -qf, query which rpm a file belongs to
    - e.g. rpm -qf /usr/bin/perl
  - -qpi, query package information
    - e.g. rpm -qpi /mnt/cdrom/RedHat/RPMS/*.rpm | grep -A 12 nslookup
  - -qpl, list the files in the queried package
    - e.g. rpm -qpl /mnt/cdrom/RedHat/RPMS/bind-8.2.2_P3-1.i386.rpm

(II. Network Experiment Tools) Name-Addressing

- Internet's who is who…
  - DNS Querying - host
- LAN's who is who
  - Peer Querying - arp

(II. Network Experiment Tools, Name-Addressing) host

- Internet's who is who…
  - DNS Querying - host
  - Query a name server for the mapping of
    - host-to-IP
    - or IP-to-host
    - or even the zone information (zone transfer)
  - e.g. host -l -v -t any eic.nctu.edu.tw
  - another similar well-known tool: nslookup

(II. Network Experiment Tools, Name-Addressing, host) How-To

- host [-l] [-v] [-w] [-r] [-d] [-t querytype] [-a] host [server]
  - -l, list a complete domain
  - -v, verbose
  - -w, wait forever for a response
  - -r, turn off recursion in the request
  - -d, turn on debugging
  - -t querytype, specify a particular query type to be looked up
  - -a, all; equivalent to -v -t any

(II. Network Experiment Tools, Name-Addressing) arp

- To manipulate the ARP table, realizing LAN's who is who
  - Peer Querying - arp

(II. Network Experiment Tools, Name-Addressing, arp) Inside arp

- Some files used by the arp command
  - /proc/net/arp, where the ARP table is actually stored for reference
  - /etc/hosts, where a listing of name-to-address mappings of current hosts is stored
- Uses ARP request/reply
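Reading the table the slide names, as an added example (not code from the slides): the functions below parse text in the /proc/net/arp column layout, print one "IP MAC" pair per complete entry, and flag any hardware address that is claimed by more than one IP, which is the first thing a defender checks when ARP-cache poisoning is suspected. The table is constructed sample text, not a capture from a real host; pass the real /proc/net/arp path to run it on live data.

```shell
#!/bin/sh
# Added example: parse /proc/net/arp-format text and look for one MAC that
# answers for several IPs. SAMPLE_ARP_TABLE is constructed for this example.

SAMPLE_ARP_TABLE='IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         00:11:22:33:44:55     *        eth0
192.168.1.20     0x1         0x2         00:aa:bb:cc:dd:ee     *        eth0
192.168.1.30     0x1         0x0         00:00:00:00:00:00     *        eth0
192.168.1.254    0x1         0x2         00:11:22:33:44:55     *        eth0'

# Usage: arp_pairs FILE  -> "IP MAC" lines for complete (flags 0x2) entries.
# Columns: $1=IP, $2=HW type, $3=flags, $4=HW address; line 1 is the header.
arp_pairs() {
    awk 'NR > 1 && $3 == "0x2" { print $1, tolower($4) }' "$1"
}

# Usage: duplicate_macs FILE -> "MAC ip1,ip2,..." for every MAC seen for 2+ IPs.
duplicate_macs() {
    arp_pairs "$1" | awk '
        { ips[$2] = (ips[$2] == "" ? $1 : ips[$2] "," $1); n[$2]++ }
        END { for (m in n) if (n[m] > 1) print m, ips[m] }'
}

demo() {
    tmp=$(mktemp) || return 1
    printf '%s\n' "$SAMPLE_ARP_TABLE" > "$tmp"
    echo "complete entries: $(arp_pairs "$tmp" | wc -l | tr -d ' ')"
    duplicate_macs "$tmp"
    rm -f "$tmp"
}
demo
```

A shared MAC is a signal to investigate, not proof of an attack: a router doing proxy ARP legitimately answers for several addresses, so compare the flagged MAC against the known gateway before acting. Entries with flags 0x0 are incomplete (no reply yet) and are skipped.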

(II. Network Experiment Tools, Name-Addressing, arp) How-To

- arp [-v] [-n] [-i] [-H type] [-a hostname] [-d hostname] [-s hostname hw_addr]
  - -v, verbose
  - -n, display contents without resolving hostnames
  - -a, display all information in the ARP cache
  - -d, delete an ARP entry
  - -s, enter (set) an ARP entry
  - -H, the hardware type being used; default is ether

(II. Network Experiment Tools) Perimeter-Probing

- Ping for living…
  - Verifying availability: ping
- Find your way…
  - Determining the path - Trace Route: traceroute

(II. Network Experiment Tools, Perimeter-Probing) ping

- Ping for living…
  - Verifying availability: ping, whose name is actually taken from a scientific operation carried out to locate objects using sonar.
  - However, with the increased use of firewalls and other access control lists, it no longer always holds true when you ping a particular host that no answer = the host is not alive.
- Uses ICMP echo request/reply

(II. Network Experiment Tools, Perimeter-Probing, ping) How-To

- ping [-dfnqrvR] [-c count] [-i wait] [-s packetsize]
  - -f, send the packets as fast as possible (flood)
  - -n, don't resolve hostnames; just give IP addresses (numeric)
  - -q, output only summary lines (quiet)
  - -R, set the Record Route option
  - -c count, stop pinging after count packets
  - -i wait, set an interval of wait seconds between packets
  - -s packetsize, set the number of data bytes sent to packetsize

(II. Network Experiment Tools, Perimeter-Probing) traceroute

- Find your way…
  - Determining the path - Trace Route: traceroute
- Uses the TTL (Time-to-Live) field and the ICMP messages it triggers
  - Originally, TTL is used to avoid infinite loops
  - Controls (time exceeded)
    - Initially, TTL=1
    - For every time exceeded, increment TTL.
    - For destination unreachable, done.
  - UDP port > 30,000

(II. Network Experiment Tools, Perimeter-Probing, traceroute) How-To

- traceroute [-dFInrvx] [-f first_ttl] [-g gateway] [-i iface] [-m max_ttl] [-p port] [-q nqueries] [-s src_addr] [-t tos] [-w waittime] host [packetlen]
  - -f, set the initial TTL
  - -F, set the "don't fragment" bit
  - -I, use ICMP ECHO instead of UDP datagrams
  - -m, set the maximum TTL (default: 30 hops)
  - -n, print hop addresses numerically
  - -p, set the base UDP port number used in probes (default: 33434)
  - -r, bypass the normal routing tables and send directly to a particular host

(II. Network Experiment Tools) Traffic-Monitoring

- Dump data passing in and out of the interface…
  - tcpdump
- Observe data passing in and out of the host
  - Network Status: netstat

(II. Network Experiment Tools, Traffic-Monitoring) tcpdump

- Dump data passing in and out of the interface…
  - tcpdump
- Cooperates with the packet capture system within the kernel
  - Originally only with BPF (Berkeley Packet Filter)
  - Now with pcap (Packet Capture Library), which also includes BPF
- Examples
  - Collecting Ethernet frames
  - Observing TCP handshakes

(II. Network Experiment Tools, Traffic-Monitoring, tcpdump) Operating Concepts

[Figure reconstructed as text]
  User space:    tcpdump and other processes, each reading its own Buffer
  Kernel space:  BPF holds one Filter per reader (Filter 1, Filter 2, Filter 3), each feeding its own Buffer (Buffer 1, Buffer 2, Buffer 3); a Timestamp is attached to each captured packet
                 Device driver 1 (Ethernet) and Device driver 2 hand each packet both to BPF and to the Protocol Stack

(II. Network Experiment Tools, Traffic-Monitoring, tcpdump) How-To

- tcpdump [-v] [-n] [-i interface] [-c count] [-t] [-s snaplen] [expression]
  - -v, verbose output
  - -n, use IP addresses (numeric) instead of resolving hostnames
  - -i, listen on interface
  - -c, exit after receiving count packets
  - -t, don't print a timestamp on each dump line
  - -s, snarf snaplen bytes of data from each packet rather than the default of 68
  - expression, selects which packets will be dumped

(II. Network Experiment Tools, Traffic-Monitoring) netstat

- Observe data passing in and out of the host
  - Network Status: netstat
- Another popular usage of netstat
  - Look for any suspicious port, probably a trojan or backdoor
  - e.g. Two classic trojans: Port 12345 (TCP) NetBus and Port 31337 (UDP) Back Orifice

(II. Network Experiment Tools, Traffic-Monitoring, netstat) How-To

- netstat [-v] [-n] [-a] [-i] [-s] [-A family] [-r]
  - -v, tell the user what is going on
  - -a, show both listening and non-listening sockets
  - -n, show numerical addresses instead of trying to resolve them
  - -i, display a table of network interfaces
  - -s, display summary statistics for each protocol
  - -A, specify the address family
  - -r, display the kernel routing tables
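The "suspicious port" check from the previous slide, applied to "netstat -an" output, as an added example (not code from the slides): it looks for listening sockets on the two trojan ports the slide names (12345/tcp NetBus, 31337/udp Back Orifice) and reports any match. The netstat output below is constructed sample text in the Linux net-tools column layout, not a capture from a real host; on a real host pipe "netstat -an" into check_ports.

```shell
#!/bin/sh
# Added example: scan netstat -an output for listening sockets on a watch
# list of ports. SUSPICIOUS_PORTS comes from the slide; SAMPLE_NETSTAT is
# constructed sample output for this demonstration.

# One "proto port" pair per line.
SUSPICIOUS_PORTS='tcp 12345
udp 31337'

SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:12345           0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:22             10.0.0.9:51522          ESTABLISHED
udp        0      0 0.0.0.0:31337           0.0.0.0:*
udp        0      0 0.0.0.0:68              0.0.0.0:*'

# Reads netstat lines on stdin; prints "proto port" for each local socket on
# the watch list that accepts input: tcp sockets in LISTEN state, or any udp
# socket (UDP has no listening state in netstat output).
check_ports() {
    awk -v list="$SUSPICIOUS_PORTS" '
        BEGIN {
            n = split(list, lines, "\n")
            for (i = 1; i <= n; i++) { split(lines[i], f, " "); watch[f[1] " " f[2]] = 1 }
        }
        $1 == "tcp" || $1 == "udp" {
            port = $4; sub(/.*:/, "", port)            # local port follows the last colon
            if ($1 == "tcp" && $6 != "LISTEN") next    # only listening TCP sockets
            key = $1 " " port
            if (key in watch) print key
        }'
}

demo() {
    printf '%s\n' "$SAMPLE_NETSTAT" | check_ports
}
demo
```

A port number alone is weak evidence either way: a backdoor can listen on any port and a legitimate service can sit on 12345. Treat a hit as a triage cue and confirm which process owns the socket (Linux net-tools netstat shows it with -p when run as root). Add tcp6/udp6 to the pattern if the host has IPv6 sockets.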

(II. Network Experiment Tools, Perimeter-Probing) Sample Scenario

[Figure reconstructed as text: a ping from Source to Destination over Ethernet, with the tool that observes each step in parentheses]
  1. ping client: resolves the hostname to an IP address via DNS (host)
  2. ICMP: the client builds an ICMP request
  3. IP: the request goes into an IP datagram; the routing table selects the outgoing interface (route/netstat)
  4. ARP request (broadcast) for the next hop's Ethernet address (arp)
  5. ARP reply (unicast, carrying the corresponding Ethernet address) (arp)
  6. ICMP: the Destination's stack receives the request
  7. ping server: answers
  At the ethernet driver, BPF (tcpdump) receives a copy of in/out packets

(II. Network Experiment Tools) Benchmarking

- Host-to-Host throughput analysis
  - Test TCP: ttcp
- Web Server performance analysis
  - The Benchmark for Web Servers: WebStone

(II. Network Experiment Tools, Benchmarking) ttcp

- Host-to-Host throughput analysis
  - Test TCP: ttcp, which tests network TCP and UDP throughput. A separate use of this tool is to create network pipes for transferring user data. Cisco routers now incorporate a version of this tool, enabling you to easily evaluate network performance.

(II. Network Experiment Tools, Benchmarking, ttcp) How-To

- Start the receiver (router or remote server with discard port)
  - ttcp -r [-options > out]    // see ttcp --help for options
  - [benson@sgw ttcp]# ttcp -r
    ttcp-r: buflen=8192, nbuf=2048, align=16384/0, port=5001 tcp
    ttcp-r: socket
- Start the transmitter
  - ttcp -t [-options] host [ < in ]
  - [benson@sgw ttcp]$ ttcp -t sgw.cis.nctu.edu.tw < test
    ttcp-t: buflen=8192, nbuf=2048, align=16384/0, port=5001 tcp -> sgw.cis.nctu.w
    ttcp-t: socket
    ttcp-t: connect

(II. Network Experiment Tools, Benchmarking, ttcp) How-To

- Statistics output at receiver/transmitter
  - Receiver side:
    ttcp-r: accept from source_host
    This is a ttcp test!
    ttcp-r: 22 bytes in 0.00 real seconds = 13.55 KB/sec +++
    ttcp-r: 2 I/O calls, msec/call = 0.81, calls/sec = 1261.83
    ttcp-r: 0.0user 0.0sys 0:00real 0% 0i+0d 0maxrss 0+1pf 0+0csw
  - Transmitter side:
    ttcp-t: 22 bytes in 0.00 real seconds = 120.70 KB/sec +++
    ttcp-t: 1 I/O calls, msec/call = 0.18, calls/sec = 5617.98
    ttcp-t: 0.0user 0.0sys 0:00real 0% 0i+0d 0maxrss 0+1pf 0+0csw
- Throughput analysis

(II. Network Experiment Tools, Benchmarking) WebStone

- Web Server performance analysis
  - The Benchmark for Web Servers: WebStone
- Operating concepts:
  - How to generate a large load?
    - Multiple simulated Web clients (web browsers) on each client computer
    - Then further distribute these Web clients among client computers
  - Who is in charge of everything?
    - The Webmaster controls all the testing done by WebStone
    - The Webmaster distributes the Web client software and test configuration files to the client computers,
    - then starts a benchmark run and waits for the Web clients to report back the performance they measured,
    - and combines the performance results from all the Web clients into a single summary report

(II. Network Experiment Tools, Benchmarking, WebStone) Client-Server Architecture

- Several Web clients running on one client computer
- Several client computers controlled by one Webmaster
- Target: Web server

(II. Network Experiment Tools, Benchmarking, WebStone) How-To

- Configuration parameters
- Workload configuration
- Load generation
- Benchmark results
- Refer to the on-line manual for details.

(II. Network Experiment Tools) Simulating/Emulating

- Simulating the network
  - Network Simulator: ns
  - Pros: cheap (less real infrastructure) and quick (available modules) to assemble; large-scale (given sufficient computing resources) and reproducible (everything is coded) tests
  - Cons: code must be redone for the simulation environment; the implementation and environment may differ considerably from, and poorly represent, the real one
- Emulating the network
  - Network Emulator: NIST Net
  - Pros: an intermediate solution between the real one and the simulated one; any degree of network conditions in a reproducible test
  - Cons: scalability is bounded by real-time timer/computation, and only limited statistics are available for further analysis

(II. Network Experiment Tools, Simulating) ns

- Design concept:
  - A collaborative simulation platform that provides common references and test suites, simulating packet-level discrete events from the link layer up for both wired and wireless network conditions.
- Features:
  - Emulation, on certain platforms (e.g. FreeBSD)
  - Scenario generation, generating a customized simulation environment
  - Visualization, with the aid of nam (Network Animator)
  - Extensibility, implemented in C++ (ns core) and OTcl (ns configuration), a trade-off between run time and iteration time

(II. Network Experiment Tools, Simulating, ns) Background

- Background:
  - 1989, ns began as a variant of the REAL (Realistic and Large) network simulator
  - 1995, supported by DARPA through the VINT (Virtual InterNetwork Testbed) project
  - Currently, supported by DARPA through SAMAN (Simulation Augmented by Measurement and Analysis for Networks) and CONSER (Collaborative Simulation for Education and Research)

(II. Network Experiment Tools, Simulating, ns) Typical Steps

- Build network model
  - Create (1) ns object, (2) nodes, (3) links, and then (4) the LAN (if PPP, skip (4))
- Build traffic model
  - Create (1) connection: either TCP or UDP
  - Generate (2) traffic: e.g. FTP over TCP or CBR over UDP
  - (3) error model
  - (4) scheduler
- Tracing
  - Output data in nam format for analysis

2001/9/28 57

(II. Network Experiment Tools, Emulating) NIST Net

- Design concept:
  - A network emulator that provides simple user entry of network parameters (e.g. delay, loss, jitter); parameters are typed, rather than coded, by the user, so a wide range of network types can be emulated with a small lab setup.
  - cnistnet (command-line interface) or xnistnet (GUI interface)

2001/9/28 58

(II. Network Experiment Tools, Emulating) NIST Net

- What does it emulate?
  - Packet delay: fixed/variable
  - Packet reordering: delay variances
  - Packet loss
  - Packet duplication
  - Bandwidth limitation

2001/9/28 59

(II. Network Experiment Tools) Hacking

- Searching for holes
  - Exploit scanning: nessus
- Eavesdropping
  - Sniffing: ettercap
- Storm of lethal attacks
  - DDoS: TFN-style (Tribe Flood Network)

2001/9/28 60

(II. Network Experiment Tools, Hacking) nessus

- Searching for holes
  - Exploit (risky services/ports) scanning: nessus
- Features:
  - Plugin-based
    - Customized security checks can be written in C or in NASL (Nessus' Scripting Language)
  - Knowledge-based
    - All plugins can share their knowledge

2001/9/28 61

(II. Network Experiment Tools, Hacking, nessus) Client-Server Architecture

- nessusd (server) is in charge of the attacks
  - Multi-user, with ACLs for each user
- nessus (client) is the front-end to configure the server
  - Ciphered communication between server and client

2001/9/28 62

(II. Network Experiment Tools, Hacking) ethereal

- Eavesdropping
  - Sniffing: "recording", interpreting, and saving for analysis all the packets being sent across the network. For example, ethereal.

2001/9/28 63

(II. Network Experiment Tools, Hacking, ethereal) How does it work?

- An Ethernet-based sniffer (including tcpdump) works together with the NIC
  - Sets the NIC to a special state called promiscuous mode
  - Captures any packet traversing the local Ethernet segment
- Limitation
  - Cannot capture packets traversing beyond routers, switches, segmenting devices, etc.

2001/9/28 64

(II. Network Experiment Tools, Hacking, ethereal) How-To

- Command-line options
  - -i <interface>: sets the interface that ethereal will capture from.
  - -k: causes ethereal to begin capturing packets immediately upon startup. It must be used with the -i option.
  - -s: causes ethereal to display packets as they are captured.
  - -c <count>: causes ethereal to capture only <count> packets before stopping. It is only useful with the -k option.
  - -D: causes ethereal to treat the TOS field of IP as the original TOS, not as Differentiated Services.
  - -f <capture filter>: allows you to set a libpcap-style capture filter. libpcap filter syntax is covered in the ngrep section of this chapter.
  - -n: disables name resolution; all packets will be displayed with numeric IP addresses, TCP ports, and UDP ports.

2001/9/28 65

(II. Network Experiment Tools, Hacking, ethereal) How-To

- Options (cont.)
  - -r <infile>: causes ethereal to read packets in from a saved file instead of an interface. Using previous captures is covered in the section called Viewing Saved Captures.
  - -R <read filter>: allows you to set a read filter. Read filters are discussed in the section called Filtering Packets to be Displayed.
  - -t <timestamp format>: changes the format of the packet timestamps. The three possible formats are:
    - r: relative to the first packet (the default)
    - a: actual date and time of the packet
    - d: relative to the previous packet
  - -w <savefile>: sets the name of the file the capture will be saved to. Working with saved captures is covered in the section called Viewing Saved Captures.

2001/9/28 66

(II. Network Experiment Tools) Hacking: DoS Attacks

- Resource starvation
  - TCP SYN flooding: incomplete TCP/IP handshaking (still works)
    - Lots of SYN packets (with bad source IP addresses)
    - The target system queues them up until it receives the ACK message (e.g. netstat -a shows lots of connections in the SYN_RECV state)
    - Eventually, this uses up resources and memory
  - Land attack: infinite loopback handshaking (might work)
    - Similar to SYN attacks, but uses the IP address of the target system itself instead of a bad IP address
  - UDP flooding: infinite non-stopping loop (might work)
    - The source system uses forged packets to connect the chargen UDP service to the echo UDP service on the target system.

2001/9/28 67

(II. Network Experiment Tools) Hacking: DoS Attacks

- Bandwidth consumption
  - Smurf attack: send a huge number of ping requests to a system (normally the router) with IP addresses spoofed from within the target network (still works unless the firewall is set to deny it)
- Programming flaw
  - Ping of death: oversized ping packet (no longer works; it will get dropped)
    - e.g. ping -l 65540
  - Teardrop: overlapped (incorrect offset) IP fragmentation (no longer works; a new overlapping fragment replaces the old one)
    - Refer to ip_fragment.c for the countermeasure in Linux
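The two DoS slides above name six patterns (SYN flooding, Land, the UDP chargen/echo loop, Smurf, Ping of death and Teardrop) by the header or connection-table symptom each one leaves. The following Python is an added detection-side illustration, not code from the slides or from any of the tools they discuss: it runs the corresponding checks over constructed inputs (hypothetical packet dicts, fragment lists, and a few hand-written `netstat -a` lines) and the `SYN_FLOOD_THRESHOLD` value is an assumption chosen small enough for the sample.

```python
"""Heuristic detectors for the classic DoS patterns named on the two
"DoS Attacks" slides: SYN flooding, Land, UDP chargen/echo looping,
Smurf, Ping of death and Teardrop. Added illustration only: the packet
records, fragment lists and netstat lines are constructed, not taken
from any capture, and the threshold below is an assumption."""
from collections import Counter

ECHO_PORT, CHARGEN_PORT = 7, 19
MAX_IP_DATAGRAM = 65535       # largest legal IPv4 total length
IP_HEADER_LEN = 20            # minimal IPv4 header
SYN_FLOOD_THRESHOLD = 4       # half-open connections per local endpoint (assumed, tiny for the sample)


def syn_flood_suspects(netstat_lines, threshold=SYN_FLOOD_THRESHOLD):
    """Count SYN_RECV (half-open) connections per local endpoint in
    `netstat -a` style output and return the endpoints at or above threshold."""
    half_open = Counter()
    for line in netstat_lines:
        fields = line.split()
        # tcp <recv-q> <send-q> <local> <foreign> <state>
        if len(fields) >= 6 and fields[0].startswith("tcp") and fields[5] == "SYN_RECV":
            half_open[fields[3]] += 1
    return {ep: n for ep, n in half_open.items() if n >= threshold}


def is_land(pkt):
    """Land: the packet claims the target's own address and port as its source."""
    return pkt["src"] == pkt["dst"] and pkt.get("sport") == pkt.get("dport")


def is_udp_echo_chargen_loop(pkt):
    """UDP flood: a datagram wiring the chargen service to the echo service."""
    return pkt["proto"] == "udp" and {pkt.get("sport"), pkt.get("dport")} == {ECHO_PORT, CHARGEN_PORT}


def is_smurf(pkt, broadcast_addrs):
    """Smurf: an ICMP echo request (type 8) aimed at a broadcast address."""
    return pkt["proto"] == "icmp" and pkt.get("icmp_type") == 8 and pkt["dst"] in broadcast_addrs


def is_ping_of_death(fragments):
    """Ping of death: the fragments of one datagram reassemble to more than
    65535 bytes. `offset` is in 8-byte units as in the IP header and
    `length` is the fragment payload length in bytes."""
    end = max(f["offset"] * 8 + f["length"] for f in fragments)
    return end + IP_HEADER_LEN > MAX_IP_DATAGRAM


def is_teardrop(fragments):
    """Teardrop: a fragment starts inside the byte range an earlier fragment
    already covers, i.e. the offsets overlap instead of being contiguous."""
    covered_up_to = 0
    for f in sorted(fragments, key=lambda f: f["offset"]):
        start = f["offset"] * 8
        if start < covered_up_to:
            return True
        covered_up_to = max(covered_up_to, start + f["length"])
    return False


def classify_packet(pkt, broadcast_addrs):
    """Return the names of the single-packet patterns this packet matches."""
    hits = []
    if is_land(pkt):
        hits.append("land")
    if is_udp_echo_chargen_loop(pkt):
        hits.append("udp-echo-chargen")
    if is_smurf(pkt, broadcast_addrs):
        hits.append("smurf")
    return hits


# Constructed samples (documentation addresses, not from any real host).
SAMPLE_NETSTAT = [
    "tcp        0      0 192.0.2.10:80        203.0.113.5:40001      SYN_RECV",
    "tcp        0      0 192.0.2.10:80        203.0.113.6:40002      SYN_RECV",
    "tcp        0      0 192.0.2.10:80        203.0.113.7:40003      SYN_RECV",
    "tcp        0      0 192.0.2.10:80        203.0.113.8:40004      SYN_RECV",
    "tcp        0      0 192.0.2.10:22        198.51.100.9:50000     ESTABLISHED",
]
BROADCAST = {"192.0.2.255"}
SAMPLE_PACKETS = [
    {"proto": "tcp", "src": "192.0.2.10", "dst": "192.0.2.10", "sport": 139, "dport": 139},
    {"proto": "udp", "src": "198.51.100.1", "dst": "192.0.2.10", "sport": CHARGEN_PORT, "dport": ECHO_PORT},
    {"proto": "icmp", "src": "192.0.2.10", "dst": "192.0.2.255", "icmp_type": 8},
    {"proto": "tcp", "src": "198.51.100.2", "dst": "192.0.2.10", "sport": 40000, "dport": 80},
]
POD_FRAGMENTS = [{"offset": 0, "length": 1480}, {"offset": 8185, "length": 100}]      # ends at 65580 bytes
TEARDROP_FRAGMENTS = [{"offset": 0, "length": 1480}, {"offset": 100, "length": 800}]  # 800 lies inside [0, 1480)
NORMAL_FRAGMENTS = [{"offset": 0, "length": 1480}, {"offset": 185, "length": 520}]    # 185*8 == 1480, contiguous

if __name__ == "__main__":
    print("SYN flood suspects:", syn_flood_suspects(SAMPLE_NETSTAT))
    for pkt in SAMPLE_PACKETS:
        print(pkt["src"], "->", pkt["dst"], classify_packet(pkt, BROADCAST))
    print("ping of death:", is_ping_of_death(POD_FRAGMENTS), "teardrop:", is_teardrop(TEARDROP_FRAGMENTS))
```

The fragment checks mirror the two countermeasures the slide mentions: a reassembler that refuses datagrams whose final fragment would push the total past 65535 bytes defeats the oversized ping, and one that treats overlapping offsets as invalid (or, as the slide says of ip_fragment.c, lets the newer fragment replace the older bytes) defeats Teardrop.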

2001/9/28 68

(II. Network Experiment Tools, Hacking) TFNxK (a cocktail approach to DoS attacks)

- Random protocols (from the master to the agent)
  - Commands are sent via TCP, UDP, ICMP, or all three at random.
  - Packet headers (except ICMP) are randomized.
- Random attacking styles (from agent to target)
  - May be a TCP/SYN, UDP, ICMP/PING, or BROADCAST PING (SMURF) packet flood.
- Minimum exposure (between the master and the agent)
  - The daemon is completely silent, never acknowledging any command it receives; instead it relies on probability (the client issues each command many times, e.g. 20).
  - The daemon disguises itself by altering the contents of argv[0], thereby changing the process name on some platforms and hence masquerading as a normal process on the agent.
  - The filenames of both daemon and client might be renamed as well.
- False incrimination (from the master to the agent)
  - The command packets may be interspersed with any number of decoy packets sent to random IP addresses.
  - All packets originating from either client or daemon can be (and are, by default) spoofed.

2001/9/28 69

(II. Network Experiment Tools, Hacking) TFNxK

- Cunning communication (between the master and the agent)
  - Not string-based (as they are in TFN and Stacheldraht). Instead, commands are of the form "+<id>+<data>", where <id> is a single byte denoting a particular command and <data> represents the command's parameters.
  - Commands are encrypted using a key-based CAST-256 algorithm (RFC 2612). The key is defined at compile time and is used as a password when running the TFN2K client.
  - All encrypted data is Base64 encoded before it is sent, which means the payload should be comprised entirely of ASCII printable characters; hence the TFN2K daemon uses this fact as a sanity test when decrypting incoming packets.
- Multiple attacks
  - The daemon spawns a child for each attack against a target.

2001/9/28 70

(II. Network Experiment Tools, Hacking, TFN-style) Countermeasures

- Prevention
  - Use a firewall that exclusively employs application proxies.
  - Disallow unnecessary TCP, UDP, and ICMP traffic.
- Detection
  - Scan for the client/daemon files by name (the defaults are tfn and td, respectively).
  - Scan all executable files on a host system for particular patterns (virus scanning).
  - Scan the process list for the presence of suspicious daemon processes.
  - Examine incoming traffic for the special TFN2K signature, which is probably a bug in the Base64 encoding that leaves a telltale fingerprint at the end of every TFN2K packet.
  - Watch for a series of packets with identical payloads (since each command is issued 20 times).
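The "Cunning communication" slide and the detection bullets above describe three network-observable properties of TFN2K master-to-agent traffic: payloads that consist only of Base64 (printable ASCII) characters, the same payload repeated about 20 times, and the same command carried over TCP, UDP or ICMP at random from spoofed sources. The Python below is an added example of turning those properties into a traffic check; it is not code from the slides or from any IDS. The packets are constructed (the Base64-looking blob is meaningless filler, not a real command), the `REPEAT_THRESHOLD` is an assumption, and the check deliberately does not attempt the "telltale fingerprint" test because the slide does not say what that fingerprint is.

```python
"""Indicator checks for TFN2K-style master-to-agent traffic, built from the
observable properties listed on the slides: Base64-only payloads, identical
payloads repeated many times, and one payload spread across several IP
protocols and many (spoofed) source addresses. Added illustration; all
packets are constructed and the threshold is an assumption."""
import re
from collections import defaultdict

BASE64_RE = re.compile(rb"\A[A-Za-z0-9+/]+=*\Z")
REPEAT_THRESHOLD = 10   # assumed; the slides say each command is issued about 20 times
MIN_PAYLOAD = 8         # ignore very short payloads that happen to be alphanumeric


def looks_base64(payload: bytes) -> bool:
    """True when the payload is made entirely of Base64 alphabet characters,
    the same property the daemon uses as its own decryption sanity test."""
    return len(payload) >= MIN_PAYLOAD and BASE64_RE.match(payload) is not None


def repeated_payload_alerts(packets, threshold=REPEAT_THRESHOLD):
    """Group packets by payload and describe every payload seen at least
    `threshold` times: how often, over which IP protocols, from how many
    distinct sources, and whether it is Base64-only."""
    by_payload = defaultdict(list)
    for p in packets:
        by_payload[p["payload"]].append(p)
    alerts = []
    for payload, group in by_payload.items():
        if len(group) < threshold:
            continue
        alerts.append({
            "payload": payload,
            "count": len(group),
            "protocols": sorted({p["proto"] for p in group}),
            "sources": len({p["src"] for p in group}),
            "base64_only": looks_base64(payload),
        })
    return alerts


def is_tfn2k_like(alert) -> bool:
    """Combine the indicators: a repeated Base64-only payload that also arrives
    over more than one protocol or from more than one source address."""
    return alert["base64_only"] and (len(alert["protocols"]) > 1 or alert["sources"] > 1)


def make_sample():
    """Constructed traffic: 20 copies of one Base64-looking payload rotated over
    tcp/udp/icmp from 20 different (pretend-spoofed) sources, plus two ordinary
    packets whose payloads contain bytes outside the Base64 alphabet."""
    blob = b"vR8qZk2p/3xL0dF1aWmY7c=="      # meaningless filler, not a real command
    protos = ["tcp", "udp", "icmp"]
    pkts = [{"src": f"203.0.113.{i}", "dst": "192.0.2.20", "proto": protos[i % 3], "payload": blob}
            for i in range(1, 21)]
    pkts.append({"src": "198.51.100.5", "dst": "192.0.2.20", "proto": "tcp",
                 "payload": b"GET / HTTP/1.0\r\n\r\n"})
    pkts.append({"src": "198.51.100.6", "dst": "192.0.2.20", "proto": "udp",
                 "payload": b"\x12\x34\x01\x00\x00\x01\x00\x00"})
    return pkts


if __name__ == "__main__":
    for alert in repeated_payload_alerts(make_sample()):
        print(alert, "-> TFN2K-like" if is_tfn2k_like(alert) else "")
```

Repetition is the strongest of the three signals: the slide's own observation that every command is resent about 20 times means a single command shows up as a burst of byte-identical payloads, which is unusual for legitimate traffic even when the payload itself is opaque.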

2001/9/28 71

(II. Network Experiment Tools, Hacking) Integrated Scenario

- Search for holes
  - Nessus scanning
- If on the same LAN segment
  - Ethereal sniffing
- If it can't be compromised
  - TFN-style DDoS

2001/9/28 72

III. Further Readings

1. The VIM (Vi IMproved) Home Page, http://www.vim.org/
2. The GCC home page, http://gcc.gnu.org/
3. GNU Make, http://www.gnu.org/software/make/make.html
4. GDB, http://sources.redhat.com/gdb/
5. DDD, http://www.gnu.org/manual/ddd/
6. kgdb, http://kgdb.sourceforge.net/
7. CVS Home, http://www.cvshome.org/
8. RPM, http://www.rpm.org/
9. WebStone, http://www.mindcraft.com/webstone/
10. Ns-2, http://www.isi.edu/nsnam/ns/index.html
11. NIST Net, http://snad.ncsl.nist.gov/itg/nistnet/usage.html
12. Nessus, http://www.nessus.org/
13. Ethereal, http://www.ethereal.com/
14. Karl Fogel, "Open Source Development with CVS", The Coriolis Group, 1999