Assignments of day 4 in week #1

Network Traffic Analysis

Last Updated : Monday, 03-Jun-2002 11:08:02 HKT

  1. Measure traffic throughput between two points

    1. By ftp: you can use ftp to get a very large file to the local /dev/null so that your ftp transfer rate will not be affected by your host disk I/O, e.g.
      
          ntec93:/tmp> ftp ntec94
          Connected to ntec94.
          220 ntec94 FTP server (Version wu-2.6.0(1) Mon Feb 28 10:30:36 EST 2000) ready.
          530 Please login with USER and PASS.
          530 Please login with USER and PASS.
          KERBEROS_V4 rejected as an authentication type
          Name (ntec94:root): user1
          331 Password required for user1.
          Password:
          230 User user1 logged in.
          Remote system type is UNIX.
          Using binary mode to transfer files.
          ftp> cd /tmp
          250 CWD command successful.
          ftp> bin
          200 Type set to I.
          ftp> get pkg.tar /dev/null
          local: /dev/null remote: pkg.tar
          200 PORT command successful.
          150 Opening BINARY mode data connection for pkg.tar (41922560 bytes).
          226 Transfer complete.
          41922560 bytes received in 5.3 seconds (7.7e+03 Kbytes/s)
      
      
      

    2. By ttcp

      You may just use the ttcp to measure network throughput between two points.

      The location of the ttcp is at /usr/local2/bin/ttcp

      At the receive side,

              ttcp -r -s
      
      At the send side,
              ttcp -t -s receive_side_host_name
      
      For example,
      ntec94:/root> ttcp -t -s ntec93
      ttcp-t: buflen=8192, nbuf=2048, align=16384/0, port=5001  tcp  -> ntec93
      ttcp-t: socket
      ttcp-t: connect
      ttcp-t: 16777216 bytes in 2.05 real seconds = 7978.76 KB/sec +++
      ttcp-t: 2048 I/O calls, msec/call = 1.03, calls/sec = 997.35
      ttcp-t: 0.0user 0.4sys 0:02real 22% 0i+0d 0maxrss 0+2pf 0+0csw
      
      
      We can define the buffer length and the number of buffers too.
      ntec94:/root> ttcp -t -s -n 2048 -l 65535 ntec93
      ttcp-t: buflen=65535, nbuf=2048, align=16384/0, port=5001  tcp  -> ntec93
      ttcp-t: socket
      ttcp-t: connect
      ttcp-t: 134215680 bytes in 16.03 real seconds = 8177.26 KB/sec +++
      ttcp-t: 2048 I/O calls, msec/call = 8.01, calls/sec = 127.77
      ttcp-t: 0.0user 2.3sys 0:16real 14% 0i+0d 0maxrss 0+16pf 0+0csw
      
      Do several ftp and ttcp testing with your partner hosts and post the results on your web pages.
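As an added example (not the ttcp program and not code from the course page): a small Python sender/sink pair that does over loopback what `ttcp -r -s` and `ttcp -t -s -n nbuf -l buflen host` do, so the figures in the output above (bytes, real seconds, KB/sec, I/O calls, msec/call) can be reproduced from first principles. The names `sink` and `measure` are this example's own.

```python
import socket
import threading
import time

def sink(server: socket.socket, result: dict) -> None:
    """Receiver side, like `ttcp -r -s`: accept one connection and count bytes until EOF."""
    conn, _ = server.accept()
    with conn:
        total = 0
        while True:
            chunk = conn.recv(65536)
            if not chunk:
                break
            total += len(chunk)
    result["bytes"] = total

def measure(nbuf: int = 2048, buflen: int = 8192) -> dict:
    """Sender side, like `ttcp -t -s -n nbuf -l buflen host`: write nbuf buffers of buflen
    bytes of pattern data to the sink and report ttcp-style figures. Loopback only here."""
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind(("127.0.0.1", 0))            # ephemeral port; ttcp itself listens on 5001
    server.listen(1)
    port = server.getsockname()[1]
    result = {}
    t = threading.Thread(target=sink, args=(server, result))
    t.start()
    # Pattern data generated in memory, so no disk I/O on either side affects the figure
    # (the same reason the ftp test above writes to /dev/null).
    buf = bytes(range(256)) * (buflen // 256) + bytes(buflen % 256)
    with socket.create_connection(("127.0.0.1", port)) as s:
        start = time.perf_counter()
        for _ in range(nbuf):
            s.sendall(buf)                   # one I/O call per buffer, as ttcp counts them
        elapsed = max(time.perf_counter() - start, 1e-9)
    t.join()
    server.close()
    sent = nbuf * buflen
    return {"bytes": sent, "received": result["bytes"], "seconds": elapsed,
            "kb_per_sec": sent / 1024 / elapsed, "io_calls": nbuf,
            "msec_per_call": elapsed * 1000 / nbuf}
```

With the defaults (2048 buffers of 8192 bytes) it moves the same 16777216 bytes as the first ttcp run above; loopback figures will of course be far higher than the Ethernet numbers shown.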

  2. Measure Network Traffic on a network

    1. Install the IPtraf package
    2. Download the latest version of IPtraf from http://iptraf.seul.org/ and install it on your host

    3. Run IPtraf to measure the network traffic on your network interface eth0 while doing some ftp or ttcp network throughput testing.

    4. Compare the data you get from the IPtraf, ftp and ttcp testing and post them on your web pages.

  3. Traffic analysis by using tcpdump and ethereal

    1. TCPDUMP

      tcpdump is a very powerful and easy-to-use tool for protocol packet capture. It captures packets from an Ethernet interface in promiscuous mode and displays their contents. Numerous options exist to filter the output down to only those packets of interest.

      Here are some basic examples:

      tcpdump                         dump all packets
      tcpdump -e                      dump the packet header too
      tcpdump -ex                     dump the packet header and the packet content in hex
      tcpdump -exa                    dump the packet header and the packet content in hex and ascii
      tcpdump -c 500                  dump 500 packets and exit
      tcpdump -c 500 -w dump.log      dump 500 packets and write them to the dump.log file
      tcpdump -r dump.log             read the packets from dump.log rather than the network interface
      tcpdump tcp                     dump tcp packets only
      tcpdump udp                     dump udp packets only
      tcpdump -ex broadcast           dump broadcast packets only, with packet header and content
      tcpdump -exs 500                dump packet header and content with packet length up to 500 bytes
                                      (the default display packet length is 64)
      tcpdump greater 512             dump packets whose packet length is greater than 512
      tcpdump less 512                dump packets whose packet length is less than 512
      tcpdump host ntec23             dump packets from and to host ntec23 only
      tcpdump port 21                 dump ftp packets only

      tcpdump has many filter functions to dump the packets that you are interested in. For more information, please "man tcpdump". If you want to dump the content in more readable ascii, you may try "tcpdump -xl | tcpf", where tcpf is located at /usr/local2/bin/tcpf.

      As you access your host through remote rlogin, please exclude the gateway host that you use to log in to your host (e.g. tcpdump host not ntec4), otherwise your own login session traffic will flood the capture.

      Please use the tcpdump at /usr/local2/bin/tcpdump, which is more up to date than /usr/sbin/tcpdump.

      The output of tcpdump is protocol dependent. Let's discuss the three most common protocols.

      ARP

      e.g.
      csh> tcpdump -e arp
      
      11:37:13.054714 0:50:56:49:0:63 Broadcast arp 60: arp who-has ntec3-36 tell ntec1-36
      11:37:13.051355 0:50:56:49:0:62 0:50:56:49:0:63 arp 60: arp reply ntec3-36 is-at 0:50:56:49:0:62
      
      
      The first field is the time stamp (11:37:13.054714).

      The second field is the hardware address of the source host.

      The third field is the hardware address of the destination host.

      In the first line, ntec1-36 broadcasts an arp request asking for the hardware address of ntec3-36. The hardware address of ntec1-36 is 0:50:56:49:0:63.

      In the second line, ntec3-36 (with the hardware address 0:d0:9:28:f9:f9) tells ntec1-36 its hardware address 0:50:56:49:0:62.

      TCP

      csh> tcpdump -c 500 -w dump.log             (dump 500 packets to the dump.log file)
      csh> tcpdump -r dump.log tcp port finger    (print finger tcp packets from the dump.log file)

      13:14:56.142688 ntec24.1049 > ntec23.finger: S 3558267034:3558267034(0) win 32120 <mss 1460,sackOK,timestamp 17588762 0,nop,wscale 0> (DF)
      13:14:56.142768 ntec23.finger > ntec24.1049: S 3556473435:3556473435(0) ack 3558267035 win 30660 <mss 1460,sackOK,timestamp 197636202 17588762,nop,wscale 0> (DF)
      13:14:56.142904 ntec24.1049 > ntec23.finger: . 1:1(0) ack 1 win 32120 <nop,nop,timestamp 17588762 197636202> (DF)
      13:14:56.142961 ntec24.1049 > ntec23.finger: P 1:3(2) ack 1 win 32120 <nop,nop,timestamp 17588762 197636202> (DF)
      13:14:56.143001 ntec23.finger > ntec24.1049: . 1:1(0) ack 3 win 30660 <nop,nop,timestamp 197636202 17588762> (DF)
      13:14:56.307305 ntec23.finger > ntec24.1049: P 1:239(238) ack 3 win 31856 <nop,nop,timestamp 197636219 17588762> (DF)
      13:14:56.307471 ntec24.1049 > ntec23.finger: . 3:3(0) ack 239 win 31882 <nop,nop,timestamp 17588779 197636219> (DF)
      13:14:56.307627 ntec23.finger > ntec24.1049: F 239:239(0) ack 3 win 31856 <nop,nop,timestamp 197636219 17588779> (DF)
      13:14:56.307738 ntec24.1049 > ntec23.finger: . 3:3(0) ack 240 win 31881 <nop,nop,timestamp 17588779 197636219> (DF)
      13:14:56.307873 ntec24.1049 > ntec23.finger: F 3:3(0) ack 240 win 32120 <nop,nop,timestamp 17588779 197636219> (DF)
      13:14:56.307904 ntec23.finger > ntec24.1049: . 240:240(0) ack 4 win 31856 <nop,nop,timestamp 197636219 17588779> (DF)

      Line no.  Description
      1         ntec24 client port 1049 sent a SYN packet to the ntec23 finger port
      2         ntec23 finger port sent a SYN and ACK packet to ntec24 client port 1049
      3         ntec24.1049 sent an ACK packet to ntec23.finger. The three-way handshake is completed.
                Note, from here on tcpdump shows the data sequence numbers relative to the initial sequence number, starting at 1.
      4         ntec24.1049 sent 2 bytes of data to ntec23.finger with the PUSH flag
      5         ntec23.finger sent an ACK to ntec24.1049
      6         ntec23.finger sent 238 bytes to ntec24.1049
      7         ntec24.1049 sent an ACK to ntec23.finger
      8         ntec23.finger sent a FIN to ntec24.1049
      9         ntec24.1049 sent an ACK to ntec23.finger
      10        ntec24.1049 sent a FIN to ntec23.finger
      11        ntec23.finger sent an ACK to ntec24.1049

      The general format of a tcp protocol line is:

      src > dst: flags data-seqno ack window urgent options

      Src and dst are the source and destination IP addresses and ports.
      E.g. in the first packet, "ntec24.1049 > ntec23.finger" means the client port 1049 at ntec24 is sending a SYN packet to ntec23 at the finger port.

      Flags are some combination of S (SYN), F (FIN), P (PUSH) or R (RST), or a single `.' (no flags).

      Data-seqno describes the portion of sequence space covered by the data in this packet. The notation is `first:last(nbytes)', which means `sequence numbers first up to but not including last, which is nbytes bytes of user data'.

      Ack is the sequence number of the next data expected in the other direction on this connection.

      Window is the number of bytes of receive buffer space available in the other direction on this connection.

      Urgent indicates there is `urgent' data in the packet.

      Options are tcp options enclosed in angle brackets
      (e.g., <mss 1024>).

      The (DF) at the end stands for the don't fragment flag.

      Src, dst and flags are always present. The other fields depend on the contents of the packet's tcp protocol header and are output only if appropriate.
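As an added example (not code from the course page): a Python parser for the tcpdump TCP line format just described, run over seven of the finger-session lines shown above (a constructed sample). It checks the three-way handshake, totals the user data carried in each direction from the (nbytes) part of data-seqno, and counts FINs; every field after the flags is optional, as the text says. The names `LINE`, `parse_line` and `summarize` are this example's own.

```python
import re

# Constructed sample: seven of the finger-session lines shown above (tcpdump 3.x format).
SAMPLE = """\
13:14:56.142688 ntec24.1049 > ntec23.finger: S 3558267034:3558267034(0) win 32120 <mss 1460,sackOK,timestamp 17588762 0,nop,wscale 0> (DF)
13:14:56.142768 ntec23.finger > ntec24.1049: S 3556473435:3556473435(0) ack 3558267035 win 30660 <mss 1460,sackOK,timestamp 197636202 17588762,nop,wscale 0> (DF)
13:14:56.142904 ntec24.1049 > ntec23.finger: . 1:1(0) ack 1 win 32120 <nop,nop,timestamp 17588762 197636202> (DF)
13:14:56.142961 ntec24.1049 > ntec23.finger: P 1:3(2) ack 1 win 32120 <nop,nop,timestamp 17588762 197636202> (DF)
13:14:56.307305 ntec23.finger > ntec24.1049: P 1:239(238) ack 3 win 31856 <nop,nop,timestamp 197636219 17588762> (DF)
13:14:56.307627 ntec23.finger > ntec24.1049: F 239:239(0) ack 3 win 31856 <nop,nop,timestamp 197636219 17588779> (DF)
13:14:56.307873 ntec24.1049 > ntec23.finger: F 3:3(0) ack 240 win 32120 <nop,nop,timestamp 17588779 197636219> (DF)
"""

# One group per field of "src > dst: flags data-seqno ack window urgent options (DF)";
# every field after flags is optional because tcpdump prints it only when present.
LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<src>\S+) > (?P<dst>[^\s:]+): (?P<flags>[SFPR.]+)"
    r"(?: (?P<first>\d+):(?P<last>\d+)\((?P<nbytes>\d+)\))?(?: ack (?P<ack>\d+))?"
    r"(?: win (?P<win>\d+))?(?: urg (?P<urg>\d+))?(?: <(?P<opts>[^>]*)>)?(?: \((?P<df>DF)\))?$"
)

def parse_line(line: str) -> dict:
    """Split one TCP line into its fields; numeric fields become int, missing ones None."""
    m = LINE.match(line.strip())
    if m is None:
        raise ValueError(f"not a tcpdump TCP line: {line!r}")
    p = m.groupdict()
    for k in ("first", "last", "nbytes", "ack", "win", "urg"):
        p[k] = int(p[k]) if p[k] is not None else None
    p["nbytes"] = p["nbytes"] or 0            # no data-seqno means no user data
    p["opts"] = p["opts"].split(",") if p["opts"] else []
    p["df"] = p["df"] is not None
    return p

def summarize(text: str) -> dict:
    """Check the three-way handshake, total user data per direction and count FINs."""
    pk = [parse_line(l) for l in text.splitlines() if l.strip()]
    a, b, c = pk[:3]
    # SYN, then SYN+ACK acknowledging the SYN's seqno + 1, then a bare ACK from the
    # initiator; from here on tcpdump prints relative sequence numbers starting at 1.
    handshake = ("S" in a["flags"] and "S" in b["flags"] and b["ack"] == a["first"] + 1
                 and b["src"] == a["dst"] and c["flags"] == "." and c["src"] == a["src"])
    payload = {}
    for p in pk:
        key = f"{p['src']} > {p['dst']}"
        payload[key] = payload.get(key, 0) + p["nbytes"]
    fins = sum("F" in p["flags"] for p in pk)
    return {"packets": len(pk), "handshake": handshake, "payload": payload, "fins": fins}
```

Running `summarize(SAMPLE)` reports a completed handshake, 2 bytes of user data from ntec24.1049 and 238 bytes back from ntec23.finger, and the two FINs that close the session.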

      TCP Header Format

          0                   1                   2                   3
          0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
         +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
         |          Source Port          |       Destination Port        |
         +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
         |                        Sequence Number                        |
         +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
         |                    Acknowledgment Number                      |
         +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
         |  Data |           |U|A|P|R|S|F|                               |
         | Offset| Reserved  |R|C|S|S|Y|I|            Window             |
         |       |           |G|K|H|T|N|N|                               |
         +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
         |           Checksum            |         Urgent Pointer        |
         +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
         |                    Options                    |    Padding    |
         +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
         |                             data                              |
         +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                                  TCP Header Format

      Note that one tick mark represents one bit position. For more detail of the TCP specification, please refer to RFC 793.

      UDP

      csh> tcpdump udp      (dump udp packets only)

      14:19:49.190269 ntec23.961 > castle.985: udp 56
      14:19:49.190430 castle.985 > ntec23.961: udp 28

      ntec23.961 sent 56 bytes of data to castle.985 and castle.985 sent back 28 bytes of data to ntec23.961.

      Example of a DNS query packet
      -----------------------------

      14:19:59.461091 ntec23.1058 > castle.domain: 11899+ PTR? 26.6.189.137.in-addr.arpa. (43)

      ntec23.1058 asks castle.domain for the PTR record of 26.6.189.137.in-addr.arpa. The query length is 43 bytes, 11899 is the query id and PTR is the query type.

      Examples of DNS response packets
      --------------------------------

      14:19:59.461390 castle.domain > ntec23.1058: 11899 1/3/3 PTR hp735f.csc.cuhk.edu.hk. (203)

      castle.domain answers the ntec23.1058 query with the answer "hp735f.csc.cuhk.edu.hk" and a data length of 203 bytes. castle.domain responds to query id 11899 with 1 answer record, 3 name server records and 3 authority records.

      csh> nslookup
      > set type=ptr
      > 26.6.189.137.in-addr.arpa.
      26.6.189.137.in-addr.arpa       name = hp735f.csc.cuhk.edu.hk
      6.189.137.in-addr.arpa  nameserver = ns1.cuhk.edu.hk
      6.189.137.in-addr.arpa  nameserver = ns2.cuhk.edu.hk
      6.189.137.in-addr.arpa  nameserver = ns3.cuhk.edu.hk
      ns1.cuhk.edu.hk internet address = 137.189.6.1
      ns2.cuhk.edu.hk internet address = 137.189.6.21
      ns3.cuhk.edu.hk internet address = 202.45.188.19

      14:40:53.090601 ntec23.1058 > castle.domain: 37555+ A? abc1111.com. (29)
      14:40:53.270866 castle.domain > ntec23.1058: 37555 NXDomain* 0/1/0 (109)

      The query for abc1111.com gives a non-existent domain (NXDomain).

      Examples of NFS requests and replies
      ------------------------------------

      14:55:58.734442 ntec23.2187610268 > castle.nfs: 116 lookup fh Unknown/1 "md5.1"
      14:55:58.734700 castle.nfs > ntec23.2187610268: reply ok 128 lookup fh Unknown/1
      14:55:58.735030 ntec23.2204387484 > castle.nfs: 116 read fh Unknown/1 1024 bytes @ 0
      14:55:58.735388 castle.nfs > ntec23.2204387484: reply ok 824 read

      Line no.  Description
      1         ntec23 with the id 2187610268 looks up the md5.1 file from castle.nfs. The request is 116 bytes; fh Unknown/1 is supposed to be the file handle information.
      2         castle.nfs replies OK with 128 bytes of data.
      3         ntec23 with the id 2204387484 now reads 1024 bytes from the file md5.1 (supposedly specified by the file handle information).
      4         castle.nfs replies with 824 bytes read.

      For more detail of the NFS specification, you may read RFC 1813.

      Assignment

      1. Please update your tcpdump by cp /usr/local2/bin/tcpdump /usr/sbin/tcpdump

      2. Capture network packets to a file by tcpdump. E.g. tcpdump -w dumpfile

      3. Log in to your partner host from the gateway

      4. At your partner host, try to send some network packets to your host by
        • ping -c 3 your_host
        • finger @your_host
        • ftp your_host
        • echo hello | mail root@your_host
        • telnet your_host
          After telnetting back to your host, run some ls commands (e.g. ls /usr/local2/bin)

      5. Terminate your tcpdump program in step 2.

      6. Now extract the packets from the dumpfile and post the results on your host web pages with annotations. E.g.
        
        tcpdump -er dumpfile broadcast >> dump.html
        
        tcpdump -r dumpfile host your_partner_host and port finger >> dump.html
        
        tcpdump -r dumpfile host your_partner_host and port ftp >> dump.html
        
        tcpdump -r dumpfile host your_partner_host and port telnet >> dump.html
        
        tcpdump -r dumpfile port 53 >> dump.html
        
        tcpdump -r dumpfile udp and port 2049 >> dump.html
        
        tcpdump -r dumpfile port smtp >> dump.html
        
        
  4. Traffic Analysis by snort and ethereal

    1. Capture 1000 packets by tcpdump

      Use tcpdump to capture 1000 packets and save them to a file. E.g.
       tcpdump -s 1600 -c 1000 -w 1000dump

    2. After the capture, use snort to get the statistics information of the captured packets

       /usr/local2/bin/snort -qvr 1000dump | tail -50 

    3. Use ethereal to analyse the captured packets
      1. Download and install the ethereal from http://www.ethereal.com/
      2. Use ethereal to read the dumpfile. Play around with the functions of the ethereal tool. You may install ethereal on your PC and then download the dumpfile to your PC, or you can set the X display back to your desktop host.
      3. Review the statistics information under the tool menu

  5. Compare the statistics information obtained from snort and ethereal. Post them on your host web pages.

References: