Friday, October 28, 2011

Advanced Linux Networking Tools

Some of the more common tools for advanced networking include: tcpdump, netstat, wireshark, and tshark.

A previous article covered Basic Linux Networking Tools.

Discover Switch Information

Now for the advanced stuff. We use tcpdump, and write it to a file pkt.cap. Then we use tshark to read the file.

How to check the router to which the linux host is connected.

# tcpdump -nvi eth0 -c 1 -s 1500 -w pkt.cap ether proto 0xaa and ether dst 01:00:0c:cc:cc:cc and ether\[20\] \=\= 0x20 and ether\[21\] \=\= 0x00
# tshark -V -r pkt.cap

# tcpdump -nvi eth0 -c 1 -s 1500 -w pkt.cap ether proto 0xaa and ether dst 01:00:0c:cc:cc:cc and ether\[20\] \=\= 0x20 and ether\[21\] \=\= 0x00;tshark -V -r pkt.cap
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 1500 bytes
1 packets captured
1 packets received by filter
0 packets dropped by kernel
Running as user "root" and group "root". This could be dangerous.
Frame 1 (416 bytes on wire, 416 bytes captured)
Arrival Time: Aug 26, 2011 12:49:00.909559000
[Time delta from previous captured frame: 0.000000000 seconds]
[Time delta from previous displayed frame: 0.000000000 seconds]
[Time since reference or first frame: 0.000000000 seconds]
Frame Number: 1
Frame Length: 416 bytes
Capture Length: 416 bytes
[Frame is marked: False]
[Protocols in frame: eth:llc:cdp:data]
IEEE 802.3 Ethernet
Destination: CDP/VTP/DTP/PAgP/UDLD (01:00:0c:cc:cc:cc)
Address: CDP/VTP/DTP/PAgP/UDLD (01:00:0c:cc:cc:cc)
.... ...1 .... .... .... .... = IG bit: Group address (multicast/broadcast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Source: 00:27:0c:b0:5d:87 (00:27:0c:b0:5d:87)
Address: 00:27:0c:b0:5d:87 (00:27:0c:b0:5d:87)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Length: 402
Logical-Link Control
DSAP: SNAP (0xaa)
IG Bit: Individual
SSAP: SNAP (0xaa)
CR Bit: Command
Control field: U, func=UI (0x03)
000. 00.. = Command: Unnumbered Information (0x00)
.... ..11 = Frame type: Unnumbered frame (0x03)
Organization Code: Cisco (0x00000c)
PID: CDP (0x2000)
Cisco Discovery Protocol
Version: 2
TTL: 180 seconds
Checksum: 0xde0a [correct]
[Good: True]
[Bad : False]
Device ID: example-lab-switch.example.com
Type: Device ID (0x0001)
Length: 33
Device ID: example-lab-switch.example.com
Software Version
Type: Software version (0x0005)
Length: 190
Software Version: Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 12.2(44)SE6, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Mon 09-Mar-09 18:10 by gereddy
Platform: cisco WS-C2960G-24TC-L
Type: Platform (0x0006)
Length: 26
Platform: cisco WS-C2960G-24TC-L
Addresses
Type: Addresses (0x0002)
Length: 17
Number of addresses: 1
IP address: 10.10.5.7
Protocol type: NLPID
Protocol length: 1
Protocol: IP
Address length: 4
IP address: 10.10.5.7
Port ID: GigabitEthernet0/7
Type: Port ID (0x0003)
Length: 22
Sent through Interface: GigabitEthernet0/7
Capabilities
Type: Capabilities (0x0004)
Length: 8
Capabilities: 0x00000028
.... .... .... .... .... .... .... ...0 = Not a Router
.... .... .... .... .... .... .... ..0. = Not a Transparent Bridge
.... .... .... .... .... .... .... .0.. = Not a Source Route Bridge
.... .... .... .... .... .... .... 1... = Is a Switch
.... .... .... .... .... .... ...0 .... = Not a Host
.... .... .... .... .... .... ..1. .... = Is IGMP capable
.... .... .... .... .... .... .0.. .... = Not a Repeater
Protocol Hello: Cluster Management
Type: Protocol Hello (0x0008)
Length: 36
OUI: 0x00000C (Cisco)
Protocol ID: 0x0112 (Cluster Management)
Cluster Master IP: 0.0.0.0
UNKNOWN (IP?): 0xFFFFFFFF (255.255.255.255)
Version?: 0x01
Sub Version?: 0x02
Status?: 0x21
UNKNOWN: 0xFF
Cluster Commander MAC: 00:00:00:00:00:00
Switch's MAC: 00:27:0c:b0:5d:80
UNKNOWN: 0xFF
Management VLAN: 0
VTP Management Domain:
Type: VTP Management Domain (0x0009)
Length: 4
VTP Management Domain:
Native VLAN: 205
Type: Native VLAN (0x000a)
Length: 6
Native VLAN: 205
Duplex: Full
Type: Duplex (0x000b)
Length: 5
Duplex: Full
Trust Bitmap: 0x00
Type: Trust Bitmap (0x0012)
Length: 5
Trust Bitmap: 00
Untrusted port CoS: 0x00
Type: Untrusted Port CoS (0x0013)
Length: 5
Untrusted port CoS: 00
Management Addresses
Type: Management Address (0x0016)
Length: 17
Number of addresses: 1
IP address: 10.10.5.7
Protocol type: NLPID
Protocol length: 1
Protocol: IP
Address length: 4
IP address: 10.10.5.7
Power Available: 0 mW, 4294967295 mW
Type: Power Available (0x001a)
Length: 16
Request-ID: 0
Management-ID: 1
Power Available: 0 mW
Power Available: 4294967295 mW


Netstat

Another valuable tool is netstat

netstat - Print network connections, routing tables, interface statistics, masquerade connections, and multicast memberships

To find out what port a service, such as sshd is listening on, use something like this:


# netstat -alp |grep ssh

tcp 0 0 *:ssh *:* LISTEN 3002/sshd

unix 2 [ ACC ] STREAM LISTENING 27251 4387/ssh-agent /tmp/ssh-tOqWgf4348/agent.4348


Note that some of these commands require root, or sudo. If you are not logged in as root, use sudo in front of the command. Also, most of the utilities are found in /sbin, or /usr/sbin.



Network Drivers

Another advanced topic is network drivers. The last time I checked, http://tldp.org/HOWTO/Ethernet-HOWTO.html discussed /etc/modules.conf, but in newer versions of redhat variants the file has changed to /etc/modprobe.conf or /etc/modprobe.d/modprobe.conf.dist. Any of those files should have basically the same information:

alias eth0 module_name
options module_name option1=value1 option2=value2 ...

It may look something like this:

alias eth0 e1000

or

alias eth0 tg3

depending on the type of network card or module that is installed on the system.

Other Advanced Networking Topics

There are more topics to be covered, such as how to configure multiple NICs, how to use network configuration utilities, other tools, such as nmap, and configuration for other linux distributions.

For more advanced networking tips, check out http://tldp.org/HOWTO/Adv-Routing-HOWTO

For more basic networking info, see this article: http://systemnotesorg.blogspot.com/2011/08/basic-linux-networking-tools.html

Thursday, October 27, 2011

Free AntiVirus and AntiSpyware Software


Computers running Windows seem to have virus and spyware problems quite often. When fixing other peoples computers, I have found these free options to be very useful.

Free Windows Anti Virus Software

ClamWin Free Antivirus
http://www.clamwin.com

ClamWin is a Free Antivirus program for Microsoft Windows 7 / Vista / XP / Me / 2000 / 98 and Windows Server 2008 and 2003.

avast! Free Antivirus
http://www.avast.com


Free Anti-Adware / Anti-Spyware Information


Some of this Windows software is offered as a free version, with an option to upgrade. Generally, the free version is enough to clean any problems, but has to be run manually.

Ad-Aware – check for updates, and run occasionally
http://www.lavasoftusa.com

Spy Bot Search and Destroy
http://www.safer-networking.org

Malwarebytes
http://www.malwarebytes.org

Malwarebyes Anti-Malware is often the best tool to remove fake anti-virus software.

Super Anti Spyware
http://www.superantispyware.com

Super Anti Spyware: Remove spyware, NOT just the easy ones!



More adware stuff here: http://www.cexx.org

I have found this site to be an excellent resource, with information on computer security: http://www.selectrealsecurity.com


Behavioral Advertising Opt Out

Have you noticed that certain types of ads appear after you visited a particular website? That is called Behavioral Advertising, and is usually done by storing cookies on your computer.


The Network Advertising Initiative has to offer the ability to opt-out. Go to their website, and select opt out.

http://www.networkadvertising.org

You may be surprised at how many active cookies you have.

Another place to opt out:
http://tellapart.com/other/faqs

I am not a big fan of the opt-out idea, as it has to potential to give information to precisely the people you don't want to give it to.  It's like calling a telemarketing company and saying, "Here's my phone number, please don't call me."  The scammers can still use the do not call list to pretend they are a charity.  I would rather not be on a list.  By the way, there is an article on how to defeat telemarketers on the systemnotes.org blog.

Web Browser Security

Browsers also have options to clear the cache, and history, but you may not want to clear all history and cookies, since they can make browsing your favorites sites easier. You may have to opt out again after clearing cookies.

Check for the latest Add-ons or Plugins for your browser.  For example, in Firefox, select Add-ons, and search for some of these terms:  "Do Not Track", privacy, block, security, ad, virus, etc.  There are lots of good options available.

Other Notes

People generally think of viruses when a computer starts acting strange, or starts running slower, but there are all kinds of bad programs known as malware. These include worms, trojans, rootkits, rouges, dialers, spyware, viruses, etc. It may be useful to search the internet on those terms when attempting to clean a computer. Your computer may be used to store someone else's illegally copied files.

There are plenty of other software options, but many do not offer a fully functional free version. Free trials are not as good, in my opinion. Some of the major anti-virus publishers offer free scanning tools as well, so it can be helpful to check their sites for the latest offers.

Remember, when all else fails, you can always re-install Windows. Or better yet, upgrade to Linux :-).

Sysadmin Notes:  Systems Administrators are usually familiar with resources for securing systems and networks they are responsible for, but software is updated frequently, so it is good to have sources to check for updates.  One of my favorite sources for Open Source software has been sourceforge.net, but use caution, since anyone can upload software.

Security Software Resources

http://insecure.org - nmap, and network security

Be careful with this site, as malware seems to show up occasionally:
http://sourceforge.net/directory/security-utilities

For example:
I'm not sure about the next one, since McAfee SiteAdvisor gave a warning that it may be a dangerous site:  YAC - Yet Another Cleaner http://www.yac.mx

"YAC: The World's Fastest & Lightest PC Cleaner
Fast, Easy to use PC cleaning software.  Clean junk files, privacy files, potential adware, and malicious plugins."


Tuesday, September 6, 2011

CPAN on Windows

When trying to install Catalyst on Windows, I noticed some differences between Windows XP and Windows 7 64-bit installation of ActiveState perl. Namely, that dmake, and gcc would not install on the 64-bit version of Windows.

Here are some of the problems I had.


On Windows XP


C:\Documents and Settings\scottm>cpan
gcc.exe: Extraneous argument to `--' option
gcc.exe: No input files specified.
Set up gcc environment -

It looks like you don't have a C compiler and make utility installed. Trying
to install dmake and the MinGW gcc compiler using the Perl Package Manager.
This may take a a few minutes...

Downloading ActiveState Package Repository packlist...done
Updating ActiveState Package Repository database...done
Syncing site PPM database with .packlists...done
Downloading MinGW-5.1.4.1...done
Downloading dmake-4.11.20080107...done
Unpacking MinGW-5.1.4.1...done
Unpacking dmake-4.11.20080107...done
Generating HTML for MinGW-5.1.4.1...done
Generating HTML for dmake-4.11.20080107...done
Updating files in site area...done
1070 files installed

Please use the `dmake` program to run commands from a Makefile!


cpan shell -- CPAN exploration and modules installation (v1.9456)
Enter 'h' for help.


cpan>

On Windows 7

C:\Users\scottm>cpan

It looks like you don't have a C compiler and make utility installed. Trying
to install dmake and the MinGW gcc compiler using the Perl Package Manager.
This may take a a few minutes...

ppm.bat install failed: Can't find any package that provides MinGW

It looks like the installation of dmake and MinGW has failed. You will not be
able to run Makefile commands or compile C extension code. Please check your
internet connection and your proxy settings!


cpan shell -- CPAN exploration and modules installation (v1.9456)
Enter 'h' for help.


cpan> exit
Lockfile removed.

C:\Users\scottm>perl -v

This is perl 5, version 12, subversion 3 (v5.12.3) built for MSWin32-x64-multi-t
hread
(with 9 registered patches, see perl -V for more detail)

Copyright 1987-2010, Larry Wall

Binary build 1204 [294330] provided by ActiveState http://www.ActiveState.com
Built Feb 9 2011 14:23:34


As much as I would like to get catalyst working, I did not have the patience to get all the dependencies intalled in both linux and Windows. I ended up giving up for now, and started playing with Joomla and Drupal instead.

Friday, August 26, 2011

Basic Linux Networking Tools

Verify Network Connection

Most people, who have been around redhat linux for a while, know how to check the IP address, and MAC address using ifconfig. Next, they would typically use route -n (or netstat -r) to find the gateway, and then ping it to verify a connection. Then maybe check duplex and speed using ethtool.

Check the IP Address

# ifconfig eth0
eth0 Link encap:Ethernet HWaddr 00:15:17:C1:54:D4
inet addr:10.10.5.67 Bcast:10.10.5.255 Mask:255.255.255.0
inet6 addr: fe80::215:17ff:fec1:54d4/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:342967 errors:0 dropped:0 overruns:0 frame:0
TX packets:353260 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:64963573 (61.9 MiB) TX bytes:262444897 (250.2 MiB)
Memory:b8820000-b8840000


Discover the Gateway Address

Then, it is common to check the default route with route -n, or netstat -nr.

# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
239.0.0.0 192.168.1.1 255.255.255.0 UG 0 0 0 eth2
192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 eth3
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth2
10.10.5.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth3
0.0.0.0 10.10.5.1 0.0.0.0 UG 0 0 0 eth0


Then to verify the connection, look for the default gateway, and try to ping the router. Note that the default gateway has the Destination listed as 0.0.0.0. The Gateway is listed in the next column. In this example we use 10.10.5.1. The default gateway is also the router for the subnet we are connected to, so we should be able to ping it.

# ping 10.10.5.1
PING 10.10.5.1 (10.10.5.1) 56(84) bytes of data.
64 bytes from 10.10.5.1: icmp_seq=1 ttl=255 time=0.765 ms
64 bytes from 10.10.5.1: icmp_seq=2 ttl=255 time=0.649 ms
64 bytes from 10.10.5.1: icmp_seq=3 ttl=255 time=5.27 ms
64 bytes from 10.10.5.1: icmp_seq=4 ttl=255 time=0.738 ms
64 bytes from 10.10.5.1: icmp_seq=5 ttl=255 time=0.732 ms
64 bytes from 10.10.5.1: icmp_seq=6 ttl=255 time=0.542 ms
^C
--- 10.10.5.1 ping statistics ---
6 packets transmitted, 6 received, 0% packet loss, time 5144ms
rtt min/avg/max/mdev = 0.542/1.450/5.276/1.712 m



Check Network Mode and Speed

An easy way to verify the network connection speed is to use ethtool.

# ethtool eth0
Settings for eth0:
Supported ports: [ TP ]
Supported link modes: 10baseT/Half 10baseT/Full
100baseT/Half 100baseT/Full
1000baseT/Full
Supports auto-negotiation: Yes
Advertised link modes: 10baseT/Half 10baseT/Full
100baseT/Half 100baseT/Full
1000baseT/Full
Advertised auto-negotiation: Yes
Speed: 1000Mb/s
Duplex: Full
Port: Twisted Pair
PHYAD: 1
Transceiver: internal
Auto-negotiation: on
Supports Wake-on: pumbag
Wake-on: g
Current message level: 0x00000001 (1)
Link detected: yes


Notice that this is a way to verify that the connection is indeed using 1Gb Ethernet, and Full Duplex.

Configure the Network

Beyond these basic checks, there are files to configure, and services to start, if changes are needed.

Redhat has the command: system-config-network, but it may not put exactly what you want in the configuration files -- especially if there is more than one network interface.

Configure as a DHCP Client


/etc/sysconfig/network
NETWORKING=yes
HOSTNAME=abc-01

/etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
ONBOOT=yes
BOOTPROTO=dhcp
DHCP_HOSTNAME=abc-01


Configure With a Static IP Address


cat /etc/sysconfig/network
NETWORKING=yes
FORWARD_IPV4=no
HOSTNAME=abc-01
GATEWAY=10.1.2.1
GATEWAYDEV=eth0

cat /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
ONBOOT="yes"
BOOTPROTO="none"
NETWORK=10.1.2.0
NETMASK=255.255.255.0
IPADDR=10.1.2.75


Notice that the hostname is set in a different place depending on whether the host is a DHCP client, or not. For static hosts, an entry is also added to /etc/hosts.

/etc/hosts
10.10.1.75 abc-01.example.com abc-01


After modifying these files, run:

service network restart

Other Troubleshooting Tools

Traceroute

Another utility used to verify network connectivity is traceroute. People often use traceroute with a well known site, e.g.

traceroute google.com

This will show the number of hops, or routers, as well as how many milliseconds it takes to reach each one.

If the hostname does not resolve, then it is time to troubleshoot DNS.

DNS Troubleshooting
The nameserver information is stored in /etc/resolv.conf, which looks something like this:

search example.com
nameserver 10.10.5.6
nameserver 10.10.7.8


nslookup

Another important command to help troubleshoot DNS is nslookup. In newer versions of linux, it has been replaced with the "host" and "dig" commands, but nslookup continues to work on some linux systems, and also works in Windows.


arp

Arp is used to map physical address (MAC address) to network address (IP address). Sometimes it is useful to find the MAC address of hosts on the network. To do that, simply ping a host, and then immediately run arp -a. We do this because the arp cache is temporary, and will only contain entries for hosts is has communicated with recently.