Friday, October 28, 2011

Advanced Linux Networking Tools

Some of the more common tools for advanced networking include: tcpdump, netstat, wireshark, and tshark.

A previous article covered Basic Linux Networking Tools.

Discover Switch Information

Now for the advanced stuff. We use tcpdump, and write it to a file pkt.cap. Then we use tshark to read the file.

How to check the router to which the linux host is connected.

# tcpdump -nvi eth0 -c 1 -s 1500 -w pkt.cap ether proto 0xaa and ether dst 01:00:0c:cc:cc:cc and ether\[20\] \=\= 0x20 and ether\[21\] \=\= 0x00
# tshark -V -r pkt.cap

# tcpdump -nvi eth0 -c 1 -s 1500 -w pkt.cap ether proto 0xaa and ether dst 01:00:0c:cc:cc:cc and ether\[20\] \=\= 0x20 and ether\[21\] \=\= 0x00;tshark -V -r pkt.cap
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 1500 bytes
1 packets captured
1 packets received by filter
0 packets dropped by kernel
Running as user "root" and group "root". This could be dangerous.
Frame 1 (416 bytes on wire, 416 bytes captured)
 Arrival Time: Aug 26, 2011 12:49:00.909559000
 [Time delta from previous captured frame: 0.000000000 seconds]
 [Time delta from previous displayed frame: 0.000000000 seconds]
 [Time since reference or first frame: 0.000000000 seconds]
 Frame Number: 1
 Frame Length: 416 bytes
 Capture Length: 416 bytes
 [Frame is marked: False]
 [Protocols in frame: eth:llc:cdp:data]
IEEE 802.3 Ethernet
 Destination: CDP/VTP/DTP/PAgP/UDLD (01:00:0c:cc:cc:cc)
     Address: CDP/VTP/DTP/PAgP/UDLD (01:00:0c:cc:cc:cc)
     .... ...1 .... .... .... .... = IG bit: Group address (multicast/broadcast)
     .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
 Source: 00:27:0c:b0:5d:87 (00:27:0c:b0:5d:87)
     Address: 00:27:0c:b0:5d:87 (00:27:0c:b0:5d:87)
     .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
     .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
 Length: 402
Logical-Link Control
 DSAP: SNAP (0xaa)
 IG Bit: Individual
 SSAP: SNAP (0xaa)
 CR Bit: Command
 Control field: U, func=UI (0x03)
     000. 00.. = Command: Unnumbered Information (0x00)
     .... ..11 = Frame type: Unnumbered frame (0x03)
 Organization Code: Cisco (0x00000c)
 PID: CDP (0x2000)
Cisco Discovery Protocol
 Version: 2
 TTL: 180 seconds
 Checksum: 0xde0a [correct]
     [Good: True]
     [Bad : False]
 Device ID: example-lab-switch.example.com
     Type: Device ID (0x0001)
     Length: 33
     Device ID: example-lab-switch.example.com
 Software Version
     Type: Software version (0x0005)
     Length: 190
     Software Version: Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 12.2(44)SE6, RELEASE SOFTWARE (fc1)
                       Copyright (c) 1986-2009 by Cisco Systems, Inc.
                       Compiled Mon 09-Mar-09 18:10 by gereddy
 Platform: cisco WS-C2960G-24TC-L
     Type: Platform (0x0006)
     Length: 26
     Platform: cisco WS-C2960G-24TC-L
 Addresses
     Type: Addresses (0x0002)
     Length: 17
     Number of addresses: 1
     IP address: 10.10.5.7
         Protocol type: NLPID
         Protocol length: 1
         Protocol: IP
         Address length: 4
         IP address: 10.10.5.7
 Port ID: GigabitEthernet0/7
     Type: Port ID (0x0003)
     Length: 22
     Sent through Interface: GigabitEthernet0/7
 Capabilities
     Type: Capabilities (0x0004)
     Length: 8
     Capabilities: 0x00000028
         .... .... .... .... .... .... .... ...0 = Not a Router
         .... .... .... .... .... .... .... ..0. = Not a Transparent Bridge
         .... .... .... .... .... .... .... .0.. = Not a Source Route Bridge
         .... .... .... .... .... .... .... 1... = Is  a Switch
         .... .... .... .... .... .... ...0 .... = Not a Host
         .... .... .... .... .... .... ..1. .... = Is  IGMP capable
         .... .... .... .... .... .... .0.. .... = Not a Repeater
 Protocol Hello: Cluster Management
     Type: Protocol Hello (0x0008)
     Length: 36
     OUI: 0x00000C (Cisco)
     Protocol ID: 0x0112 (Cluster Management)
     Cluster Master IP: 0.0.0.0
     UNKNOWN (IP?): 0xFFFFFFFF (255.255.255.255)
     Version?: 0x01
     Sub Version?: 0x02
     Status?: 0x21
     UNKNOWN: 0xFF
     Cluster Commander MAC: 00:00:00:00:00:00
     Switch's MAC: 00:27:0c:b0:5d:80
     UNKNOWN: 0xFF
     Management VLAN: 0
 VTP Management Domain:
     Type: VTP Management Domain (0x0009)
     Length: 4
     VTP Management Domain:
 Native VLAN: 205
     Type: Native VLAN (0x000a)
     Length: 6
     Native VLAN: 205
 Duplex: Full
     Type: Duplex (0x000b)
     Length: 5
     Duplex: Full
 Trust Bitmap: 0x00
     Type: Trust Bitmap (0x0012)
     Length: 5
     Trust Bitmap: 00
 Untrusted port CoS: 0x00
     Type: Untrusted Port CoS (0x0013)
     Length: 5
     Untrusted port CoS: 00
 Management Addresses
     Type: Management Address (0x0016)
     Length: 17
     Number of addresses: 1
     IP address: 10.10.5.7
         Protocol type: NLPID
         Protocol length: 1
         Protocol: IP
         Address length: 4
         IP address: 10.10.5.7
 Power Available: 0 mW, 4294967295 mW
     Type: Power Available (0x001a)
     Length: 16
     Request-ID: 0
     Management-ID: 1
     Power Available: 0 mW
     Power Available: 4294967295 mW


Netstat

Another valuable tool is netstat

netstat - Print network connections, routing tables, interface statistics, masquerade connections, and multicast memberships

To find out what port a service, such as sshd is listening on, use something like this:


# netstat -alp |grep ssh

tcp        0      0 *:ssh                       *:*                         LISTEN      3002/sshd        

unix  2      [ ACC ]     STREAM     LISTENING     27251  4387/ssh-agent      /tmp/ssh-tOqWgf4348/agent.4348


Note that some of these commands require root, or sudo. If you are not logged in as root, use sudo in front of the command. Also, most of the utilities are found in /sbin, or /usr/sbin.



Network Drivers

Another advanced topic is network drivers. The last time I checked, http://tldp.org/HOWTO/Ethernet-HOWTO.html discussed /etc/modules.conf, but in newer versions of redhat variants the file has changed to /etc/modprobe.conf or /etc/modprobe.d/modprobe.conf.dist. Any of those files should have basically the same information:

alias eth0 module_name
options module_name option1=value1 option2=value2 ...

It may look something like this:

alias eth0 e1000

or

alias eth0 tg3

depending on the type of network card or module that is installed on the system.

Other Advanced Networking Topics

There are more topics to be covered, such as how to configure multiple NICs, how to use network configuration utilities, other tools, such as nmap, and configuration for other linux distributions.

For more advanced networking tips, check out http://tldp.org/HOWTO/Adv-Routing-HOWTO

For more basic networking info, see this article: http://systemnotesorg.blogspot.com/2011/08/basic-linux-networking-tools.html
Posted by at
Labels: , , ,

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)