Presentation is loading. Please wait.

Presentation is loading. Please wait.

Module 8: Investigative Tools

Published byCandice McDonald Modified over 8 years ago

Similar presentations

Presentation on theme: "Module 8: Investigative Tools"— Presentation transcript:

1 Module 8: Investigative Tools

2 INVESTIGATIVE TOOLS OVERVIEW
Ping Traceroute Iperf BWCTL NDT TCPDUMP TCPtrace Wireshark (Ethereal)

3 PING

4 HOW DOES PING WORK? Makes use of Internet Control Message Protocol (ICMP) messages Sends timed ICMP ECHO_REQUEST packets Listens for ICMP ECHO_REPLY packets Prints a line with RTT for each reply Statistical summary when finished minimum, maximum and average RTT Shows packet loss

5 PING: USEFUL PURPOSES What you might read out of ping statistics:
host reachability RTT host load routing changes (different TTLs) load balancers (constant different RTT values, same TTLs) estimate of packet loss rate rate limits (uniform loss statistics)

6 PING: DRAWBACKS AND LIMITATIONS (1)
RTT reported by PING may be too low: Tiny packets sent via ICMP (by default) ‘Real traffic’ uses different protocols No influence on transit traffic Does not include “application time” Or too high: Host busy (esp. Routers)

7 PING: DRAWBACKS AND LIMITATIONS (2)
Filtering Many devices will not respond to ping Hosts behind Firewalls / NAT Routers (filter/rate limits) A destination may in fact be reachable even though an ICMP Echo Request times out

8 TRACEROUTE: IP PATH DISCOVERY
traceroute traceroute to zaurak.dfn.de ( ), 64 hops max, 40 byte packets 1 swiEZ2-G4-7.switch.ch ( ) 0 ms 0 ms 0 ms 2 swiLS2-10GE-1-1.switch.ch ( ) 4 ms 4 ms 4 ms 3 swiCE2-10GE-1-3.switch.ch ( ) 5 ms 4 ms 4 ms 4 switch.rt1.gen.ch.geant2.net ( ) 4 ms 4 ms 4 ms 5 so rt1.fra.de.geant2.net ( ) 13 ms 13 ms 13 ms 6 dfn-gw.rt1.fra.de.geant2.net ( ) 13 ms 14 ms 13 ms 7 zr-pot1-te x-win.dfn.de ( ) 27 ms 28 ms 27 ms 8 xr-tub1-te2-3.x-win.dfn.de ( ) 28 ms 28 ms 28 ms 9 xr-hub1-te2-1.x-win.dfn.de ( ) 28 ms 29 ms 28 ms 10 kr-dfnbln.x-win.dfn.de ( ) 29 ms 29 ms 29 ms 11 * * * 12 * * *

9 HOW DOES TRACEROUTE WORK? (1)
Discovers forward path to destination IP address. Sends stimulus packets (either ICMP or UDP) with increasing times to live (TTL) Begins with TTL of 1 Each packet increments TTL by 1 Each router along the path should receive a packet with a TTL of 1. Responds by sending an ICMP ‘TTL exceeded’ message back to the source.

10 HOW DOES TRACEROUTE WORK? (2)
When TTL is high-enough to reach destination, a different response packet is generated ICMP ECHO or ICMP Destination unreachable – port unreachable Traceroute tool then displays the different ‘hops’ it has discovered, including: Hop address (the IP address from which the ICMP / response was sent) Round-trip times (RTT) Asterisks where responses are missing “Bang-something” (!<x>) codes where error conditions were encountered (due to filtering etc.)

11 TRACEROUTE: PURPOSE What you might read from a traceroute output:
Forward route Router response times Routing loops Router CPU load Filters Routing blackholes

12 TRACEROUTE: FORWARD ROUTE / RTT
traceroute traceroute to zaurak.dfn.de ( ), 64 hops max, 40 byte packets 1 swiEZ2-G4-7.switch.ch ( ) 0 ms 0 ms 0 ms 2 swiLS2-10GE-1-1.switch.ch ( ) 4 ms 4 ms 4 ms 3 swiCE2-10GE-1-3.switch.ch ( ) 5 ms 4 ms 4 ms 4 switch.rt1.gen.ch.geant2.net ( ) 4 ms 4 ms 4 ms 5 so rt1.fra.de.geant2.net ( ) 13 ms 13 ms 13 ms 6 dfn-gw.rt1.fra.de.geant2.net ( ) 13 ms 14 ms 13 ms 7 zr-pot1-te x-win.dfn.de ( ) 27 ms 28 ms 27 ms 8 xr-tub1-te2-3.x-win.dfn.de ( ) 28 ms 28 ms 28 ms 9 xr-hub1-te2-1.x-win.dfn.de ( ) 28 ms 29 ms 28 ms 10 kr-dfnbln.x-win.dfn.de ( ) 29 ms 29 ms 29 ms 11 * * * 12 * * *

13 TRACEROUTE: ROUTING LOOPS
traceroute traceroute to zaurak.dfn.de ( ), 64 hops max, 40 byte packets 1 swiEZ2-G4-7.switch.ch ( ) 0 ms 0 ms 0 ms 2 swiLS2-10GE-1-1.switch.ch ( ) 4 ms 4 ms 4 ms 3 swiCE2-10GE-1-3.switch.ch ( ) 5 ms 4 ms 4 ms 4 swiLS2-10GE-1-1.switch.ch ( ) 5 ms 5 ms 5 ms 5 swiCE2-10GE-1-3.switch.ch ( ) 5 ms 5 ms 5 ms 6 swiLS2-10GE-1-1.switch.ch ( ) 6 ms 6 ms 6 ms 7 swiCE2-10GE-1-3.switch.ch ( ) 6 ms 6 ms 6 ms 8 swiLS2-10GE-1-1.switch.ch ( ) 7 ms 7 ms 7 ms 9 swiCE2-10GE-1-3.switch.ch ( ) 7 ms 7 ms 7 ms 10 swiLS2-10GE-1-1.switch.ch ( ) 8 ms 8 ms 8 ms 11 swiCE2-10GE-1-3.switch.ch ( ) 8 ms 8 ms 8 ms 12 swiLS2-10GE-1-1.switch.ch ( ) 9 ms 9 ms 9 ms 13 swiCE2-10GE-1-3.switch.ch ( ) 9 ms 9 ms 9 ms ...

14 TRACEROUTE: BUSY ROUTERS
traceroute traceroute to zaurak.dfn.de ( ), 64 hops max, 40 byte packets 1 swiEZ2-G4-7.switch.ch ( ) 0 ms 0 ms 0 ms 2 swiLS2-10GE-1-1.switch.ch ( ) 4 ms 4 ms 4 ms 3 swiCE2-10GE-1-3.switch.ch ( ) 5 ms 4 ms 4 ms 4 switch.rt1.gen.ch.geant2.net ( ) 4 ms 4 ms 4 ms 5 so rt1.fra.de.geant2.net ( ) 13 ms 13 ms 13 ms 6 dfn-gw.rt1.fra.de.geant2.net ( ) 55 ms 58 ms 53 ms 7 zr-pot1-te x-win.dfn.de ( ) 27 ms 28 ms 27 ms 8 xr-tub1-te2-3.x-win.dfn.de ( ) 28 ms 28 ms 28 ms 9 xr-hub1-te2-1.x-win.dfn.de ( ) 28 ms 29 ms 28 ms 10 kr-dfnbln.x-win.dfn.de ( ) 29 ms 29 ms 29 ms 11 * * * 12 * * *

15 TRACEROUTE: RATE LIMITS
traceroute traceroute to zaurak.dfn.de ( ), 64 hops max, 40 byte packets 1 swiEZ2-G4-7.switch.ch ( ) 0 ms 0 ms 0 ms 2 swiLS2-10GE-1-1.switch.ch ( ) 4 ms 4 ms 4 ms 3 swiCE2-10GE-1-3.switch.ch ( ) 5 ms 4 ms 4 ms 4 switch.rt1.gen.ch.geant2.net ( ) 4 ms * * 5 so rt1.fra.de.geant2.net ( ) 13 ms 13 ms 13 ms 6 dfn-gw.rt1.fra.de.geant2.net ( ) 13 ms 14 ms 13 ms 7 zr-pot1-te x-win.dfn.de ( ) * 28 ms 27 ms 8 xr-tub1-te2-3.x-win.dfn.de ( ) 28 ms 28 ms 28 ms 9 xr-hub1-te2-1.x-win.dfn.de ( ) 28 ms 29 ms 28 ms 10 kr-dfnbln.x-win.dfn.de ( ) 29 ms 29 ms 29 ms 11 * * * 12 * * *

16 TRACEROUTE: FILTERING ROUTER / HOSTS
traceroute traceroute to zaurak.dfn.de ( ), 64 hops max, 40 byte packets 1 swiEZ2-G4-7.switch.ch ( ) 0 ms 0 ms 0 ms 2 swiLS2-10GE-1-1.switch.ch ( ) 4 ms 4 ms 4 ms 3 swiCE2-10GE-1-3.switch.ch ( ) 5 ms 4 ms 4 ms 4 * * * 5 so rt1.fra.de.geant2.net ( ) 13 ms 13 ms 13 ms 6 dfn-gw.rt1.fra.de.geant2.net ( ) 13 ms 14 ms 13 ms 7 zr-pot1-te x-win.dfn.de ( ) 27 ms 28 ms 27 ms 8 xr-tub1-te2-3.x-win.dfn.de ( ) 28 ms 28 ms 28 ms 9 xr-hub1-te2-1.x-win.dfn.de ( ) 28 ms 29 ms 28 ms 10 kr-dfnbln.x-win.dfn.de ( ) 29 ms 29 ms 29 ms 11 * * * 12 * * *

17 TRACEROUTE: ROUTING PROBLEMS
traceroute traceroute to zaurak.dfn.de ( ), 64 hops max, 40 byte packets 1 swiEZ2-G4-7.switch.ch ( ) 0 ms 0 ms 0 ms 2 swiLS2-10GE-1-1.switch.ch ( ) 4 ms 4 ms 4 ms 3 swiCE2-10GE-1-3.switch.ch ( ) 5 ms 4 ms 4 ms 4 * * * 5 * * * 6 * * * 7 * * * 8 * * * 9 * * * 10 * * * 11 * * * 12 * * *

18 TRACEROUTE: ROUTING PROBLEMS WHERE?
Packet loss can occur on the reverse path: e.g. 3->4, 4->5, 5->1 App App A 1 2 3 B 5 4

19 TRACEROUTE: LIMITATIONS (1)
Can’t see the route from the destination back to the source May be different from the inversion of the source – destination route Routes from intermediate routers back to the source may also be different Traceroute servers are used to find another network’s path back to you When you suspect a problem on the return path Often provided as Web interface See Looking Glass Servers Offer access to selected router commands

20 TRACEROUTE: LIMITATIONS (2)
traceroute traceroute to zaurak.dfn.de ( ), 64 hops max, 40 byte packets 1 swiEZ2-G4-7.switch.ch ( ) 0 ms 0 ms 0 ms 2 swiLS2-10GE-1-1.switch.ch ( ) 4 ms 4 ms 4 ms 3 swiCE2-10GE-1-3.switch.ch ( ) 5 ms 4 ms 4 ms 4 * * * 5 * * * Could also be just a filter on the forward path Use a different type of stimulus, e.g. TCP SYN packets to a known-open port or a filter/firewall on the reverse path that filters out the ICMP replies ask nicely, or try different source and destination

21 TRACEROUTE: LIMITATIONS (3)
Traceroute can’t go behind NATs What you see: traceroute to oreius.switch.ch ( ), 64 hops max, 40 byte packets 1 swiEZ2-G4-7.switch.ch ( ) 0 ms 0 ms 0 ms 2 swiLS2-10GE-1-1.switch.ch ( ) 4 ms 4 ms 4 ms 3 swiCP2-G switch.ch ( ) 4 ms 4 ms 11 ms 4 oreius.switch.ch ( ) 4 ms 4 ms 4 ms In reality oreius might be behind a NAT box: 4 NAT box ( ) 5 oreius.switch.ch ( )

22 TRACEROUTE: LIMITATIONS (4)
Traceroute can’t see layer 2 devices (switches, middleboxes, firewalls) What you see: traceroute to oreius.switch.ch ( ), 64 hops max, 40 byte packets 1 swiEZ2-G4-7.switch.ch ( ) 0 ms 0 ms 0 ms 2 swiLS2-10GE-1-1.switch.ch ( ) 4 ms 4 ms 4 ms 3 swiCP2-G switch.ch ( ) 4 ms 4 ms 11 ms 4 oreius.switch.ch ( ) 4 ms 4 ms 4 ms In reality oreius might be behind a couple of switches or a layer 2 firewall: 4 core switch 5 distribution switch 6 access switch 7 oreius.switch.ch ( )

23 TRACEROUTE: LIMITATIONS (5)
Identifying routers Traceroute shows names and addresses of incoming interfaces Addresses and names can be confusing, especially at provider boundaries Both ends of the link are numbered from one provider’s address space! It can be hard to match multiple interfaces to a router E.g. When trying to match forward and return paths Address-to-AS mapping can also be confusing

24 TRACEROUTE: DOMAIN BOUNDARIES (1)
traceroute to ( ), 30 hops max, 38 byte packets ( ) ms ms ms 2 cisco-sw.net.unesp.br ( ) ms ms ms ( ) ms ms ms ansp.br ( ) ms ms ms ansp.br ( ) ms ms ms 6 ds3-ansp.ampath.net ( ) ms ms ms 7 abilene-flr-10g.ampath.net ( ) ms ms ms 8 washng-atlang.abilene.ucaid.edu ( ) ms ms 9 abilene.rt1.fra.de.GÉANT2.net ( ) ms ms ms 10 so rt1.gen.ch.GÉANT2.net ( ) ms ms 11 swiCE2-10GE-1-1.switch.ch ( ) ms ms ms 12 swiLS2-10GE-1-3.switch.ch ( ) ms ms ms 13 swiEZ2-10GE-1-1.switch.ch ( ) ms ms ms 14 swiCS3-P1.switch.ch ( ) ms ms ms 15 swiNM1-G switch.ch ( ) ms ms ms 16 swiLM1-V610.switch.ch ( ) ms ms ms diotima.switch.ch ( ) ms ms ms

25 TRACEROUTE: DOMAIN BOUNDARIES (2)
: traceroute ping.unesp.br traceroute to ping.unesp.br ( ), 30 hops max, 40 byte packets 1 swiLM1-V4.switch.ch ( ) ms ms ms 2 swiNM1-V610.switch.ch ( ) ms ms ms 3 swiCS3-G3-3.switch.ch ( ) ms ms ms 4 swiEZ2-P1.switch.ch ( ) ms ms ms 5 swiLS2-10GE-1-1.switch.ch ( ) ms ms ms 6 swiCE2-10GE-1-3.switch.ch ( ) ms ms ms 7 switch.rt1.gen.ch.GÉANT2.net ( ) ms ms ms 8 so rt1.fra.de.GÉANT2.net ( ) ms ms ms 9 abilene-gw.rt1.fra.de.GÉANT2.net ( ) ms ms 10 atlang-washng.abilene.ucaid.edu ( ) ms ms 11 abilene-gsr-flr-10g.ampath.net ( ) ms ms 12 ansp.ampath.net ( ) ms ms ms ansp.br ( ) ms ms ms ansp.br ( ) ms ms ms ( ) ms ms ms 16 sw-cisco.net.unesp.br ( ) ms ms ms 17 ping.unesp.br ( ) ms ms ms

26 PLEASE POPULATE DNS INVERSE MAPPINGS
Generate inverse zones from forward zones This can be done automatically Especially useful for IPv6 (where hand-inverting is very hard) Include neighbour interfaces (see below) Let each end of an inter-domain link choose the name for their end That way, traceroute hops identify routers, not links (more useful)

27 PATHCHAR (PER HOP BANDWIDTH)
: ./pathchar cemp1 pathchar to cemp1.switch.ch ( ) doing 32 probes at each of 64 to 1500 by 32 0 localhost | Mb/s, us (521 us) 1 swiCS3-V400.switch.ch ( ) | Mb/s, 6 us (559 us) 2 swiEZ2-P1.switch.ch ( ) | Mb/s, ms (3.94 ms) 3 swiLS2-10GE-1-1.switch.ch ( ) | Mb/s, us (4.84 ms) 4 swiCE2-10GE-1-3.switch.ch ( ) | ?? b/s, us (4.78 ms), 15% dropped 5 cemp1-eth1.switch.ch ( ) 5 hops, rtt 4.48 ms (4.78 ms), bottleneck 49 Mb/s, pipe 29109 bytes

28 IPERF (1) iperf: Most used tool in PERT cases
Measurement of end-to-end network performance Memory-to-memory TCP or UDP data transfers iperf must be installed at both ends of the link

29 IPERF (2) What statistics does iperf measure? TCP UDP Throughput
“Receivable” Throughput Jitter Lost / total datagrams

30 IPERF TCP EXAMPLES Server:
iperf -s Server listening on TCP port 5001 TCP window size: KByte (default) [ 4] local port 5001 connected with port [ 4] sec GBytes Mbits/sec Client: iperf -c atitlan Client connecting to atitlan, TCP port 5001 TCP window size: 4.00 MByte (default) [ 3] local port connected with port 5001 [ 3] sec GBytes Mbits/sec

31 IPERF TCP EXAMPLES: SETTING WINDOW SIZE
iperf -c atitlan -w 64K Client connecting to atitlan, TCP port 5001 TCP window size: KByte (WARNING: requested 64.0 KByte) [ 3] local port connected with port 5001 [ 3] sec MBytes Mbits/sec iperf -c atitlan -w 128K Client connecting to atitlan, TCP port 5001 TCP window size: KByte (WARNING: requested KByte) [ 3] local port connected with port 5001 [ 3] sec MBytes Mbits/sec

32 IPERF TCP EXAMPLES: USING PARALLEL STEAMS
iperf -c atitlan -w 64K -P Client connecting to atitlan, TCP port 5001 TCP window size: KByte (WARNING: requested 64.0 KByte) [ 4] local port connected with port 5001 [ 3] local port connected with port 5001 [ 3] sec MBytes Mbits/sec [ 4] sec MBytes Mbits/sec [SUM] sec MBytes Mbits/sec Almost the same result as doubling the window size

33 IPERF TCP EXAMPLES: USING 4 PARALLEL STREAMS
iperf -c atitlan -w 64K -P Client connecting to atitlan, TCP port 5001 TCP window size: KByte (WARNING: requested 64.0 KByte) [ 6] local port connected with port 5001 [ 3] local port connected with port 5001 [ 4] local port connected with port 5001 [ 5] local port connected with port 5001 [ 4] sec MBytes Mbits/sec [ 6] sec MBytes Mbits/sec [ 5] sec MBytes Mbits/sec [ 3] sec MBytes Mbits/sec [SUM] sec MBytes Mbits/sec Amount per stream remains the same... No bottleneck hit yet

34 IPERF TCP EXAMPLES: USING REPORTING INTERVAL
iperf -c atitlan -i Client connecting to atitlan, TCP port 5001 TCP window size: 4.00 MByte (default) [ 3] local port connected with port 5001 [ 3] sec MBytes Mbits/sec [ 3] sec MBytes Mbits/sec [ 3] sec MBytes Mbits/sec [ 3] sec MBytes Mbits/sec [ 3] sec MBytes Mbits/sec [ 3] sec MBytes Mbits/sec [ 3] sec MBytes Mbits/sec [ 3] sec MBytes Mbits/sec [ 3] sec MBytes Mbits/sec [ 3] sec MBytes Mbits/sec [ 3] sec GBytes Mbits/sec

35 IPERF UDP EXAMPLES: CLIENT SIDE
:~ welti$ ./iperf -c ezmp3.switch.ch -u -i 1 -b 2M Client connecting to ezmp3.switch.ch, UDP port 5001 Sending 1470 byte datagrams UDP buffer size: 9.00 KByte (default) [ 3] local port connected with port 5001 [ ID] Interval Transfer Bandwidth [ 3] sec KBytes Mbits/sec [ 3] sec KBytes Mbits/sec [ 3] sec KBytes Mbits/sec [ 3] sec KBytes Mbits/sec [ 3] sec KBytes Mbits/sec [ 3] sec KBytes Mbits/sec [ 3] sec KBytes Mbits/sec [ 3] sec KBytes Mbits/sec [ 3] sec KBytes Mbits/sec [ 3] sec KBytes Mbits/sec [ 3] sec MBytes Mbits/sec [ 3] Server Report: [ 3] sec MBytes Mbits/sec ms 730/ 1702 (43%) [ 3] Sent 1702 datagrams

36 IPERF UDP EXAMPLES: SERVER SIDE
iperf -s -u -i Server listening on UDP port 5001 Receiving 1470 byte datagrams UDP buffer size: 64.0 KByte (default) [ 4] local port 5001 connected with port [ 4] sec KBytes Mbits/sec ms 0/ 91 (0%) [ 4] sec KBytes Mbits/sec ms 38/ 127 (30%) [ 4] sec KBytes Mbits/sec ms 79/ 170 (46%) [ 4] sec KBytes Mbits/sec ms 81/ 172 (47%) [ 4] sec KBytes Mbits/sec ms 78/ 168 (46%) [ 4] sec KBytes Mbits/sec ms 80/ 171 (47%) [ 4] sec KBytes Mbits/sec ms 79/ 170 (46%) [ 4] sec KBytes Mbits/sec ms 80/ 170 (47%) [ 4] sec KBytes Mbits/sec ms 80/ 171 (47%) [ 4] sec KBytes Mbits/sec ms 78/ 169 (46%) [ 4] sec MBytes Mbits/sec ms 730/ 1702 (43%)

37 IPERF: PURPOSE What iperf can tell you: Jitter for UDP packets
Achievable TCP bandwidth Depending on window size, number of streams Maximum amount, not including disk/DB/app time Packet loss rate at a certain sending speed (UDP) Increasing with sending speed? Constant? Packet loss characteristic (bursty?) Use reporting interval = 1s Jitter for UDP packets

38 EVERYDAY IPERF USAGE PERTs will typically use iperf to:
Determine whether performance problems are with the network or with the end system’s TCP stacks iperf can be used in tcp mode to measure achievable throughput for a single or multiple TCP streams Determine packet loss rate (UDP) Find “available” bandwidth iperf can be used in UDP mode to measure available bandwidth Identify the maximum UDP sending rate that results in less than 1% packet loss HOWEVER, this is usually not recommended, as this will most certainly disturb other network traffic

39 LIMITATIONS OF IPERF (1)
Trust only the results on the server side sender returns before all data is sent (still in TCP stack) Stops sending after amount of seconds only receiver can tell when transfer really finished amount of data is the same, but duration different only receiver knows lost packets (UDP)

40 LIMITATIONS OF IPERF (2)
Counter overflow in iperf reports: In some versions, iperf reports suffer from 32-bit integer overflow. This can lead to average throughput being displayed incorrectly. TCP buffer allocation: Linux allocates twice the requested amount when setting a window size with the –w option Options must be in the right order: Make sure that –s or –c are your first options

41 BANDWIDTH TEST CONTROLLER (BWCTL)
What is BWCTL? Stands for Bandwidth Test Controller Command line application that wraps iperf Includes scheduling and policy daemon Initiates and reports the results of iperf tests Developed by Internet2 Determines which tests are allowable based upon the policy restrictions configured by the system administrator.

42 WHY WAS BWCTL DEVELOPED? (1)
Iperf is often used to investigate multi-domain network performance issues. Iperf must be installed at both ends of the path you want to test. To run an iperf test without BWCTL, you will need either: A user account at each end of the path Or The NOC at each end of the path to set up the test for you

43 WHY WAS BWCTL DEVELOPED? (2)
With BWCTL installed, the NOC can create a security policy that stipulates who can run what sort of iperf tests using their hosts. You don’t need a user account on each host to run an iperf test NOC no longer has to set up each test Process is quicker and easier for the tester and the NOC BWCTL will also ensure that simultaneous tests are not run Simultaneous test traffic can distort test results

44 WHY WAS BWCTL DEVELOPED? (3)
With BWCTL installed at multiple points along a path, it should be easy for a user to run a series of iperf tests along that path. LAN A LAN B End-system A End-system B National or International LAN 1st Test 2nd test 3rd test 4th test 5th test 6th test 7th test

45 HOW DOES BWCTL WORK? (1) Under BWCTL:
Network administrators can configure hosts as iperf endpoints Hosts can be iperf clients (packet senders) or servers (packet receivers) BWCTL can contact iperf clients on different hosts to schedule and run a test

46 HOW DOES BWCTL WORK? (2) BWCTL classifies an incoming connection by:
User name and AES key combination Or IP / netmask Once the incoming connection is classified, BWCTL determines what types and intensities of tests are allowed. BWCTL ensures that conflicting tests are not run at the same time.

47 BWCTL ARCHITECTURE (SIMPLIFIED ILLUSTRATION)
client BWCTLd daemon Iperf test process Host 1 Host 2 Test stream Test request / results For more information, see

48 NETWORK DIAGNOSTIC TESTER (1)

49 NETWORK DIAGNOSTIC TESTER (2)
Network Diagnostic Tester (NDT): Web-based diagnostic tool for TCP configuration and connectivity Produced by the Web100 project ( Client-side: Java applet Server-side: Simple TCP test (similar to iperf) Gathers fine-grained TCP statistics using Web100 KIS requires patched Linux kernel on the server Analyzes these Web100 measurements and sends results to client applet

50 NETWORK DIAGNOSTIC TESTER (3)
Reports include Upstream/downstream rates achieved Probable bottlenecks (TCP buffers, network congestion) “Probable duplex mismatch” indication Lots of low-level statistics from Web100

51 NETWORK DIAGNOSTIC TESTER (4)
SWITCH’s experience of NDT: NDT is an easy-to-use tool for end-users providing interesting output Consider installing a well-connected NDT server in your network The Web100 patches didn't cause major problems for us, except they don't work with TOE (TCP Offload Engine) adapters such as some 10GE cards, and you cannot always use the latest Linux kernel version Works nicely with state-of-the art configurations (jumbo frames, SACK etc.) and helps identify problems with those features for remote users SWITCH provides a server under ndt.switch.ch

52 ACTIVITIES Case Study: Exercise: Running a UDP iperf Test
Running a TCP iperf Test Exercise: Using an NDT Server

53 STREAM ANALYSIS WITH TCPDUMP (1)
An early TCP/IP diagnostic tool run from the command line Carries out passive monitoring Intercepts (‘sniffs’) packets transmitted over a network that match a particular expression Outputs flat file containing the packet headers Files are in libpcap format You can use the –s parameter to capture the payload and higher level protocols as well as the packet headers

54 STREAM ANALYSIS WITH TCPDUMP (2)
Filtering tcpdump can filter the packet headers that it captures by matching them against an expression. Understands Boolean search operators Can use the following as arguments: Host name IP addresses Network names Protocols And others…

55 TCPDUMP FILTER EXPRESSIONS
You can append an expression to the command line to filter captured packets. This is made up of: type Can be host, net or port.host host is the default dir Can be src, dst, src or dst, src and dst Proto Stands for ‘protocol’ Common types are ether, ip, tcp, udp, arp If not protocol is given, then all protocols are considered

56 TCPDUMP FILTER EXPRESSIONS – SOME EXAMPLES (1)
Capture a single (-c 1) udp packet to file test.snoop: : tcpdump -c 1 -w test.pcap udp tcpdump: listening on bge0, link-type EN10MB (Ethernet), capture size 96 bytes 1 packets captured 3 packets received by filter 0 packets dropped by kernel Produce a binary file containing the captured packet as well as a small file header and a timestamp: : ls -l test.pcap -rw-r--r-- 1 root root :57 test.pcap : file test.pcap test.pcap: tcpdump capture file (big-endian) - version 2.4 (Ethernet, capture length 96)

57 TCPDUMP FILTER EXPRESSIONS – SOME EXAMPLES (2)
Analyze the contents of the previously created capture file: : tcpdump -r test.pcap reading from file test.pcap, link-type EN10MB (Ethernet) 18:57: :630:241:204:211:43ff:fee1:9fe > ff3e::beac.10000: UDP, length: 12 Display the same capture file in verbose mode: : tcpdump -v -r test.pcap 18:57: :630:241:204:211:43ff:fee1:9fe > ff3e::beac.10000: [udp sum ok] UDP, length: 12 (len 20, hlim 118)

58 TCPTRACE What does Tcptrace do?
Analyses TCP and UDP sessions captured with Tcpdump Provides statistics and information Supports several graphing options Useful in diagnosing problems with TCP sessions.

59 TCPTRACE USAGE Examples of Tcptrace usage: tcptrace trace.log
Shows the sessions in a tcpdump log tcptrace –o3-4 –lrW trace.log Shows detailed information about sessions 3 and 4 (including long statistics, RTT information, window information etc.)

60 EXAMPLE TCPTRACE OUTPUT
TCP connection 3: host e: elvis.tigo.cl:2199 host f: cemp1.switch.ch:2630 complete conn: yes first packet: Fri Sep 29 11:03: last packet: Fri Sep 29 11:13: elapsed time: 0:10: total packets: …. max win adv: bytes min win adv: bytes avg win adv: bytes RTT samples: 2 RTT min: ms RTT max: ms RTT avg: ms ……

61 WIRESHARK (1) Subsumes tcpdump's functionality
Features graphical user interface You can ‘drill down’ into header structure of captured packets Extensible design Abundance of protocol “dissectors” even for new / exotic protocols Includes many useful analysis tools Works under Windows (requires WinPcap) Formerly called ‘Ethereal’

62 WIRESHARK (2)

63 WIRESHARK AND TCPDUMP You can use Wireshark and tcpdump together:
Use tcpdump (possibly remotely) to capture packets to .pcap file Analyze later using Ethereal Ethereal understands many other trace file formats (Solaris snoop etc.)

64 PACKET TRACES: HINTS AND TIPS (1)
Capture enough (you can always filter later) tcpdump's default capture length is small (96 bytes) use something like -s o if you are interested in payloads Seemingly unrelated traffic can impact performance E.g. Web pages from foo.example.com may load slowly because of the images from advertisements.example.net But may have to filter aggressively when there is a lot of background traffic

65 PACKET TRACES: HINTS AND TIPS (2)
Collecting on several points can be very useful On the endpoints of the communication Near “suspicious” intermediate points (firewall) Synchronized clocks (e.g. by NTP) are very useful for matching traces Address-to-name resolution can slow display and causes traffic With tcpdump, consider using -n or tracing to file (-w file)

66 ACTIVITIES Case Study: Using TCPDUMP to Capture ICMP Packets
Using TCPDUMP and Wireshark Together Identifying the Effects of a Middlebox

67 Module 9: How Middleboxes Impact Performance

68 WHAT IS A MIDDLEBOX? What is a middlebox?
“Any intermediate device performing functions other than the normal, standard functions of an IP router on the datagram path between a source host and a destination host.” Network Working Group, RFC 3234, Middleboxes: Taxonomy and Issues. Network 1 2 Source Middlebox Destination

69 WHAT DO MIDDLEBOXES DO? Middleboxes may:
Drop, insert or modify packets. Terminate one IP packet flow and originate another. Transform or divert an IP packet flow in some way. Middleboxes are never the ultimate end-system of an application session.

70 EXAMPLES OF MIDDLEBOXES
Firewalls Network Address Translators Traffic Shapers Load Balancers

71 MIDDLEBOXES AND ‘CLASSIC’ TCP / IP
Traditionally: Networks have ceded control to the end-points of a connection. Only function carried out ‘in the middle’ was IP routing Middleboxes change this: They spread functionality throughout the network.

72 WHAT ISSUES DO MIDDLEBOXES INTRODUCE?
Challenges represented by middleboxes: Networking protocols were not designed with middleboxes in mind. We have to deal with connections that are compromised by crashed middleboxes. Middleboxes are often hidden points of failure. Middleboxes may require configuration and management. You must take middleboxes into account when diagnosing network failures or poor performance. Some key services may not operate ‘through’ middleboxes (e.g. video conferencing)

73 FIREWALLS A firewall is an agent that screens network traffic, blocking traffic that it believes to be inappropriate or dangerous. Examples: Block telnet connections from the internet Block FTP connections to the internet from internal systems not authorised to send files Act as an intermediate server handling SMTP and HTTP connections Can be divided into two categories: IP Firewalls Application Firewalls

74 FIREWALLS IN THE PATH: EXAMPLE
Backbone Network NREN A Network NREN B Campus X Network Campus Y Video conference connection Firewalls are potential obstacles to (UDP) media streams

75 IP FIREWALLS Features of an IP firewall:
Simplest form of firewall, usually contained in a router Inspects each individual packet’s IP and Transport headers. Decides whether to forward or discard based on configured policies. Examples: Disallows incoming traffic to certain port numbers Disallows traffic to certain subnets Does not alter the packets it allows through Not visible as protocol end-point By rejecting some packets, may cause connectivity problems that are difficult to identify and resolve.

76 APPLICATION FIREWALLS
Features of an application firewall: Acts as protocol end-point and relay E.g. SMTP client / server or web proxy agent May: Implement ‘safe’ subset of the protocol Perform extensive protocol validity checks Use an implementation methodology to minimise likelihood of bugs Run in an insulated ‘safe’ environment

77 PROBLEMS ASSOCIATED WITH FIREWALLS
ICMP (Internet Control Message Protocol) messages are often blocked, as they may be perceived as a security risk. Applications dependent upon them, such as PING, will return fallacious results Path discovery black holes can be created Legitimate traffic can be delayed or completely blocked

78 NETWORK ADDRESS TRANSLATORS
What does a Network Address Translator do? Dynamically assigns unique address to a host Translates appropriate address field in inbound and outbound packets Network Address Translation is often built into routers.

79 LOAD BALANCERS Motivation is typically to balance load across a pool of servers. Divert packets from intended IP destination or make the destination ambiguous. Session state? Debugging? Sometimes it works, sometimes it doesn’t

Download ppt "Module 8: Investigative Tools"

Similar presentations

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 Addressing the Network – IPv4 Network Fundamentals – Chapter 6.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 Addressing the Network – IPv4 Network Fundamentals – Chapter 6.
Internet Control Protocols Savera Tanwir. Internet Control Protocols ICMP ARP RARP DHCP.

Internet Control Protocols Savera Tanwir. Internet Control Protocols ICMP ARP RARP DHCP.
CCNA2 Module 4. Discovering and Connecting to Neighbors Enable and disable CDP Use the show cdp neighbors command Determine which neighboring devices.

CCNA2 Module 4. Discovering and Connecting to Neighbors Enable and disable CDP Use the show cdp neighbors command Determine which neighboring devices.
SYSTEM ADMINISTRATION Chapter 19

SYSTEM ADMINISTRATION Chapter 19
11 TROUBLESHOOTING Chapter 12. Chapter 12: TROUBLESHOOTING2 OVERVIEW  Determine whether a network communications problem is related to TCP/IP.  Understand.

11 TROUBLESHOOTING Chapter 12. Chapter 12: TROUBLESHOOTING2 OVERVIEW  Determine whether a network communications problem is related to TCP/IP.  Understand.
Internet Control Message Protocol (ICMP)

Internet Control Message Protocol (ICMP)
Linux Networking TCP/IP stack kernel controls the TCP/IP protocol Ethernet adapter is hooked to the kernel in with the ipconfig command ifconfig sets the.

Linux Networking TCP/IP stack kernel controls the TCP/IP protocol Ethernet adapter is hooked to the kernel in with the ipconfig command ifconfig sets the.
The Network Layer Chapter 5. The IP Protocol The IPv4 (Internet Protocol) header.

The Network Layer Chapter 5. The IP Protocol The IPv4 (Internet Protocol) header.
Chapter 5 The Network Layer.

Chapter 5 The Network Layer.
© 2007 Pearson Education Inc., Upper Saddle River, NJ. All rights reserved.1 Computer Networks and Internets with Internet Applications, 4e By Douglas.

© 2007 Pearson Education Inc., Upper Saddle River, NJ. All rights reserved.1 Computer Networks and Internets with Internet Applications, 4e By Douglas.
Internet Bandwidth Measurement Techniques Muhammad Ali Dec 17 th 2005.

Internet Bandwidth Measurement Techniques Muhammad Ali Dec 17 th 2005.
1 CCNA 2 v3.1 Module 8. 2 TCP/IP Suite Error and Control Messages CCNA 2 Module 8.

1 CCNA 2 v3.1 Module 8. 2 TCP/IP Suite Error and Control Messages CCNA 2 Module 8.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.
Chapter 23: ARP, ICMP, DHCP IS333 Spring 2015.

Chapter 23: ARP, ICMP, DHCP IS333 Spring 2015.
Prepared By E.Musa Alyaman1 Networking Theory Chapter 1.

Prepared By E.Musa Alyaman1 Networking Theory Chapter 1.
TCP/IP Tools Lesson 5. Objectives Skills/ConceptsObjective Domain Description Objective Domain Number Using basic TCP/IP commands Understanding TCP/IP3.6.

TCP/IP Tools Lesson 5. Objectives Skills/ConceptsObjective Domain Description Objective Domain Number Using basic TCP/IP commands Understanding TCP/IP3.6.
Chapter Overview TCP/IP Protocols IP Addressing.

Chapter Overview TCP/IP Protocols IP Addressing.
IST 228\Ch3\IP Addressing1 TCP/IP and DoD Model (TCP/IP Model)

IST 228\Ch3\IP Addressing1 TCP/IP and DoD Model (TCP/IP Model)
1 ICMP : Internet Control Message Protocol Computer Network System Sirak Kaewjamnong.

1 ICMP : Internet Control Message Protocol Computer Network System Sirak Kaewjamnong.
SUSE Linux Enterprise Server Administration (Course 3037) Chapter 7 Connect the SUSE Linux Enterprise Server to the Network.

SUSE Linux Enterprise Server Administration (Course 3037) Chapter 7 Connect the SUSE Linux Enterprise Server to the Network.

Similar presentations

Ads by Google