Title: Network Monitoring, Debugging and Intrusion Detection
Date: 28th September 2000
Time: 14:00 - 16:00
Venue: Seminar Room 833, HSH Engineering Building
Abstract:
This seminar shows you some common tools and methods to monitor and debug your network equipment, say, finding the host which crashes your host IP, plotting your host's network traffic, and finding the throughput of a network path. Some Network Intrusion Detection Systems (NIDS) will be discussed too.
Seminar Outline
Look at the Ierrs, Oerrs and Collis columns of netstat -i:

    netstat -i
    Name Mtu  Net/Dest  Address   Ipkts  Ierrs Opkts  Oerrs Collis Queue
    le0  1500 ethernet  grsun1    653637 20    116339 1     1478   0
    lo0  1536 127.0.0.0 localhost 193    0     193    0     0      0

Ierrs/Ipkts and Oerrs/Opkts should be < 0.025 %.

Large Ierrs
=> the interface just discards the packet
=> there may be faulty hardware on the network (faulty hardware can be anything from another computer system that is generating packets improperly to a bad connector or terminator)
=> or your system cannot receive packets fast enough

Large Oerrs
=> your system's network interface is faulty
=> something is wrong with the CPU and the ethernet cable
=> the problem should be local, not from outsiders (we can do a loopback test of the ethernet interface with "test net" at the ok prompt)

Collisions are normal events and don't indicate hardware problems. However, if Collis/Opkts > 10 % constantly => the network is overloaded.

We may use snoop, tcpdump, tcptop, and a protocol analyser to trace the source of the network traffic (e.g. the broadcast messages or NFS packets).

Here are the Basic Performance Tuning Guidelines.
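As an added example (not part of the seminar material), a small Python script that applies the rules of thumb above to netstat -i output: the sample text is the output quoted above, embedded as a constructed string, and the threshold constants and function names are my own.

```python
# Rules of thumb from the seminar notes: error ratio < 0.025 %,
# and Collis/Opkts > 10 % constantly means the segment is overloaded.
ERR_RATIO_MAX = 0.025 / 100   # 0.025 % as a fraction
COLLIS_RATIO_MAX = 10 / 100   # 10 % as a fraction

# Constructed sample: the netstat -i output quoted in the seminar notes.
NETSTAT_I = """\
Name Mtu  Net/Dest  Address   Ipkts  Ierrs Opkts  Oerrs Collis Queue
le0  1500 ethernet  grsun1    653637 20    116339 1     1478   0
lo0  1536 127.0.0.0 localhost 193    0     193    0     0      0
"""

def parse_netstat_i(text):
    """Map interface name -> counters, using the header row to locate columns."""
    lines = text.strip().splitlines()
    header = lines[0].split()
    idx = {name.lower(): i for i, name in enumerate(header)}
    rows = {}
    for line in lines[1:]:
        fields = line.split()
        if len(fields) < len(header):
            continue  # skip wrapped or truncated rows
        rows[fields[0]] = {k: int(fields[idx[k]])
                           for k in ("ipkts", "ierrs", "opkts", "oerrs", "collis")}
    return rows

def assess(stats):
    """Apply the seminar's thresholds; returns (interface, finding) tuples."""
    findings = []
    for ifname, s in stats.items():
        ierr = s["ierrs"] / s["ipkts"] if s["ipkts"] else 0.0
        oerr = s["oerrs"] / s["opkts"] if s["opkts"] else 0.0
        coll = s["collis"] / s["opkts"] if s["opkts"] else 0.0
        if ierr >= ERR_RATIO_MAX:
            findings.append((ifname, "high Ierrs: faulty hardware on the segment, or host cannot keep up"))
        if oerr >= ERR_RATIO_MAX:
            findings.append((ifname, "high Oerrs: local interface or cable problem, run a loopback test"))
        if coll > COLLIS_RATIO_MAX:
            findings.append((ifname, "Collis/Opkts > 10 %: segment overloaded"))
    return findings

if __name__ == "__main__":
    for ifname, finding in assess(parse_netstat_i(NETSTAT_I)) or [("-", "all interfaces within limits")]:
        print(ifname, finding)
```

On the seminar's own sample, le0 has Ierrs/Ipkts of about 0.003 % and Collis/Opkts of about 1.3 %, so no finding is raised.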
Measuring the throughput of a network path with ttcp and ftp:

    ttcp -t -s -n65535 -l 8192 ntec5
    ttcp-t: buflen=8192, nbuf=65535, align=16384/0, port=5001  tcp  -> ntec5
    ttcp-t: socket
    ttcp-t: connect
    ttcp-t: 536862720 bytes in 56.61 real seconds = 9260.74 KB/sec +++
    ttcp-t: 65535 I/O calls, msec/call = 0.88, calls/sec = 1157.59
    ttcp-t: 0.2user 13.2sys 0:56real 23% 0i+0d 0maxrss 0+2pf 0+0csw

    ftp> bin
    200 Type set to I.
    ftp> get very_large_file /dev/null
    local: /dev/null remote: very_large_file
    200 PORT command successful.
    150 Opening BINARY mode data connection for very_large_file (29491200 bytes).
    226 Transfer complete.
    29491200 bytes received in 3.1 seconds (9.2e+03 Kbytes/s)
Checking reachability, the MAC address and the path with ping, arp and traceroute:

    csh> ping ntec5
    PING ntec5.ie.cuhk.edu.hk (137.189.99.85) from 137.189.99.81 : 56(84) bytes of data.
    64 bytes from 137.189.99.85: icmp_seq=0 ttl=255 time=0.2 ms
    64 bytes from 137.189.99.85: icmp_seq=1 ttl=255 time=0.1 ms
    64 bytes from 137.189.99.85: icmp_seq=2 ttl=255 time=0.1 ms
    64 bytes from 137.189.99.85: icmp_seq=3 ttl=255 time=0.1 ms
    64 bytes from 137.189.99.85: icmp_seq=4 ttl=255 time=0.1 ms
    64 bytes from 137.189.99.85: icmp_seq=5 ttl=255 time=0.1 ms
    64 bytes from 137.189.99.85: icmp_seq=6 ttl=255 time=0.1 ms

    csh> arp ntec5
    ntec5 (137.189.99.85) at 0:d0:9:27:66:18

    csh> traceroute www.cuhk.edu.hk
    traceroute to spring.csc.cuhk.edu.hk (137.189.6.37), 30 hops max, 40 byte packets
     1  router-99 (137.189.99.254)  1 ms  1 ms  1 ms
     2  137.189.200.250 (137.189.200.250)  2 ms  2 ms  1 ms
     3  csc0g03brb.net.cuhk.edu.hk (137.189.192.253)  2 ms  2 ms  2 ms
     4  spring.csc.cuhk.edu.hk (137.189.6.37)  2 ms  *  2 ms

    csh> traceroute www.ust.hk
    traceroute to www.ust.hk (143.89.14.34), 30 hops max, 40 byte packets
     1  router-99 (137.189.99.254)  1 ms  1 ms  1 ms
     2  137.189.200.250 (137.189.200.250)  2 ms  2 ms  2 ms
     3  a4-0.rs1.hkix.net (202.40.161.254)  2 ms  5 ms  2 ms
     4  harnet-yck-atm.hkix.net (202.40.161.245)  4 ms  4 ms  4 ms
     5  192.245.196.74 (192.245.196.74)  5 ms  12 ms  6 ms
     6  cis7k6-fw.ust.hk (202.40.138.125)  6 ms  6 ms  6 ms
     7  www.ust.hk (143.89.14.34)  6 ms  *  8 ms
Tracing the source of broadcast traffic with tcpdump (-e prints the link-level header, so the sending MAC address is shown):

    csh> tcpdump -e broadcast
    07:19:28.958674 eth0 B 0:10:4b:a:a9:68 Broadcast arp 60: arp who-has ieugp12.ie.cuhk.edu.hk tell ieugp1.ie.cuhk.edu.hk
    07:19:29.073106 eth0 B 0:10:4b:a:a9:68 Broadcast arp 60: arp who-has ieugp8.ie.cuhk.edu.hk tell ieugp1.ie.cuhk.edu.hk
    07:19:29.252125 eth0 B 0:10:4b:a:a9:68 Broadcast arp 60: arp who-has ieugp13.ie.cuhk.edu.hk tell ieugp1.ie.cuhk.edu.hk
    07:19:29.385745 eth0 B 0:c0:4f:7a:3d:c5 Broadcast arp 60: arp who-has ielabpc.ie.cuhk.edu.hk tell ielabnt0.ie.cuhk.edu.hk
    07:19:29.392456 eth0 B 0:60:97:67:13:6e Broadcast 8137 110:
    07:19:29.427844 eth0 B 0:10:4b:a:a9:68 Broadcast arp 60: arp who-has ieugp3.ie.cuhk.edu.hk tell ieugp1.ie.cuhk.edu.hk
    07:19:29.639623 eth0 B 0:e0:4f:61:a8:80 Broadcast 8137 494:
    07:19:29.695659 eth0 B 0:e0:4f:61:a8:80 Broadcast 8137 494:
    07:19:29.751534 eth0 B 0:e0:4f:61:a8:80 Broadcast 8137 494:
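As an added example (my own code, not part of the seminar material), a Python script that tallies the tcpdump -e broadcast output above per source MAC and protocol, and lists which hosts are issuing the ARP requests; the capture is embedded as a constructed sample and the function names are mine. Ethertype 8137 is Novell IPX, which is why the two unlabelled frame types appear as IPX below.

```python
import re
from collections import Counter

# Constructed sample: the tcpdump -e broadcast lines from the seminar outline.
TCPDUMP_LINES = """\
07:19:28.958674 eth0 B 0:10:4b:a:a9:68 Broadcast arp 60: arp who-has ieugp12.ie.cuhk.edu.hk tell ieugp1.ie.cuhk.edu.hk
07:19:29.073106 eth0 B 0:10:4b:a:a9:68 Broadcast arp 60: arp who-has ieugp8.ie.cuhk.edu.hk tell ieugp1.ie.cuhk.edu.hk
07:19:29.252125 eth0 B 0:10:4b:a:a9:68 Broadcast arp 60: arp who-has ieugp13.ie.cuhk.edu.hk tell ieugp1.ie.cuhk.edu.hk
07:19:29.385745 eth0 B 0:c0:4f:7a:3d:c5 Broadcast arp 60: arp who-has ielabpc.ie.cuhk.edu.hk tell ielabnt0.ie.cuhk.edu.hk
07:19:29.392456 eth0 B 0:60:97:67:13:6e Broadcast 8137 110:
07:19:29.427844 eth0 B 0:10:4b:a:a9:68 Broadcast arp 60: arp who-has ieugp3.ie.cuhk.edu.hk tell ieugp1.ie.cuhk.edu.hk
07:19:29.639623 eth0 B 0:e0:4f:61:a8:80 Broadcast 8137 494:
07:19:29.695659 eth0 B 0:e0:4f:61:a8:80 Broadcast 8137 494:
07:19:29.751534 eth0 B 0:e0:4f:61:a8:80 Broadcast 8137 494:
"""

# timestamp iface dir src-mac dst-mac proto length: rest
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<ifc>\S+)\s+(?P<dir>\S)\s+(?P<src>\S+)\s+"
                     r"(?P<dst>\S+)\s+(?P<proto>\S+)\s+(?P<len>\d+):\s*(?P<rest>.*)$")
ETHERTYPE_NAMES = {"8137": "IPX"}   # 0x8137 is the Novell IPX ethertype

def parse_tcpdump_e(text):
    """Parse tcpdump -e lines into dicts; unparseable lines are skipped."""
    frames = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        f = m.groupdict()
        f["len"] = int(f["len"])
        f["proto"] = ETHERTYPE_NAMES.get(f["proto"], f["proto"])
        tell = re.search(r"\btell (\S+)", f["rest"])   # ARP requester hostname
        f["sender"] = tell.group(1) if tell else None
        frames.append(f)
    return frames

def broadcast_sources(frames):
    """(src MAC, protocol, frame count, bytes), busiest source first."""
    count, nbytes = Counter(), Counter()
    for f in frames:
        count[(f["src"], f["proto"])] += 1
        nbytes[(f["src"], f["proto"])] += f["len"]
    return [(src, proto, n, nbytes[(src, proto)]) for (src, proto), n in count.most_common()]

def arp_requesters(frames):
    """Hosts named in the 'tell' field of ARP who-has broadcasts."""
    return Counter(f["sender"] for f in frames if f["proto"] == "arp" and f["sender"])
```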
The Sys Admin Journal August 2000 issue (http://www.sysadminmag.com/archive/0908/) introduced the nocol (Network Operations Center On-Line) network monitor utility. nocol (http://www.netplex-tech.com/software/nocol/) is a lightweight network monitor that helps you monitor your network live (say, updating the status every 5 minutes); see the samples at
http://www.athena.hkntec.net/nocol/Critical.html
http://www.athena.hkntec.net/nocol/Info.html
Besides ICMP ping monitoring, you may also configure it to monitor any open network port service, such as ftp, sendmail or www; see the sample portmon-confg file below. Besides logging, nocol can also send you an alert via e-mail when a host reaches a critical or error status. It also has a keepalive_monitors script to make sure your monitor agents are always up.
Example configuration files: noclogd-confg, portmon-confg, ippingmon-confg