Network Monitoring, Debugging and Intrusion Detection

The URL of this document is
http://home.ie.cuhk.edu.hk/~shlam/ssem/mon/

Title:	Network Monitoring, Debugging and Intrusion Detection
Date:	28th September 2000
Time:	14:00 - 16:00
Venue:	Seminar Room 833, HSH Engineering Building

Abstract:

This seminar shows you some common tools and methods to monitor and degbug your network equipment, says finding the host which crashes your host IP, plotting your host network traffic, finding a network path throughput. Some Network Intrusion Detection System (NIDS) will be discussed too.

Seminar Outline

Part I Network Monitoring and Debugging

Tools to monitor and trouble shoot your network Segment
- netstat, ifconfig and /proc/net/dev
- ttcp and ftp
- ping,arp,traceroute
- tcpdump
- NOCOL (Network Operations Center On-Line)
- SNMP (Simple Network Management Protocol)
- Rlab Networking Monitor Web Page
Firewall Stress Test Result

Part II Intrusion Detection System

Build your own Network Intrusion Detection System (NIDS) by tcpdump
iplog (TCP/IP traffic logger) and snort (The Lightweight Network Intrusion Detection System)

References

Part III Q&A, Discussion and Suggestion

Part I Network Monitoring and Debugging

Tools to monitor and debug your network

Use "netstat -i" "ifconfig -a" or "cat /proc/net/dev"


Looks at the Ierrs,  Oerrs and Collis

netstat -i
Name  Mtu  Net/Dest      Address        Ipkts  Ierrs Opkts Oerrs Collis Queue
le0   1500 ethernet      grsun1         653637  20  116339  1    1478   0
lo0   1536 127.0.0.0     localhost      193     0    193    0    0      0


the Ierrs/Ipkts and Oerrs/Opkts should be < 0.025 % 


Large Ierrs => the interface just discards the packet

            => there may be fautly hardware on the network
                (Faulty hardware can be anything from another
                computer system that is generating packets 
                improperly to a bad connector or terminator)

            => or your system cannot receive packets fastenough


Large Oerrs => your system's network infterface is faulty.

            => something wrong the CPU and the ethernet cable

            => the problem should be local not from outsiders
                (we can do a loop back testing for the
                 ethernet interface
                 "test net" at the o.k. prompt )



Collisions are normal events and don't indicate hardware
problems. However, if  Collis/Opkts > 10 % constanly 
 => network overloaded

         We may use the snoop, tcpdump, tcptop, and
protocol analyser to trace the source of the network traffic
(e.g the broadcast messages or NFS packets)


Here is the  Baisc Performance_Tuning Guidelines

ttcp, ftp
e.g.

 
		ttcp -t -s -n65535 -l 8192 ntec5
		ttcp-t: buflen=8192, nbuf=65535, align=16384/0, port=5001  tcp  -> ntec5
		ttcp-t: socket
		ttcp-t: connect
		ttcp-t: 536862720 bytes in 56.61 real seconds = 9260.74 KB/sec +++
		ttcp-t: 65535 I/O calls, msec/call = 0.88, calls/sec = 1157.59
		ttcp-t: 0.2user 13.2sys 0:56real 23% 0i+0d 0maxrss 0+2pf 0+0csw


		ftp> bin
		200 Type set to I.
		ftp> get very_large_file /dev/null
		local: /dev/null remote: very_large_file
		200 PORT command successful.
		150 Opening BINARY mode data connection for very_large_file (29491200 bytes).
		226 Transfer complete.
		29491200 bytes received in 3.1 seconds (9.2e+03 Kbytes/s)

ping, arp, traceroute
e.g.

csh> ping ntec5
PING ntec5.ie.cuhk.edu.hk (137.189.99.85) from 137.189.99.81 : 56(84) bytes of data.
64 bytes from 137.189.99.85: icmp_seq=0 ttl=255 time=0.2 ms
64 bytes from 137.189.99.85: icmp_seq=1 ttl=255 time=0.1 ms
64 bytes from 137.189.99.85: icmp_seq=2 ttl=255 time=0.1 ms
64 bytes from 137.189.99.85: icmp_seq=3 ttl=255 time=0.1 ms
64 bytes from 137.189.99.85: icmp_seq=4 ttl=255 time=0.1 ms
64 bytes from 137.189.99.85: icmp_seq=5 ttl=255 time=0.1 ms
64 bytes from 137.189.99.85: icmp_seq=6 ttl=255 time=0.1 ms

csh>  arp ntec5
ntec5 (137.189.99.85) at 0:d0:9:27:66:18


csh>  traceroute www.cuhk.edu.hk
traceroute to spring.csc.cuhk.edu.hk (137.189.6.37), 30 hops max, 40 byte packets
 1  router-99 (137.189.99.254)  1 ms  1 ms  1 ms
 2  137.189.200.250 (137.189.200.250)  2 ms  2 ms  1 ms
 3  csc0g03brb.net.cuhk.edu.hk (137.189.192.253)  2 ms  2 ms  2 ms
 4  spring.csc.cuhk.edu.hk (137.189.6.37)  2 ms *  2 ms


csh>  traceroute www.ust.hk
traceroute to www.ust.hk (143.89.14.34), 30 hops max, 40 byte packets
 1  router-99 (137.189.99.254)  1 ms  1 ms  1 ms
 2  137.189.200.250 (137.189.200.250)  2 ms  2 ms  2 ms
 3  a4-0.rs1.hkix.net (202.40.161.254)  2 ms  5 ms  2 ms
 4  harnet-yck-atm.hkix.net (202.40.161.245)  4 ms  4 ms  4 ms
 5  192.245.196.74 (192.245.196.74)  5 ms  12 ms  6 ms
 6  cis7k6-fw.ust.hk (202.40.138.125)  6 ms  6 ms  6 ms
 7  www.ust.hk (143.89.14.34)  6 ms *  8 ms

tcpdump
e.g.


csh> tcpdump -e broadcast

07:19:28.958674 eth0 B 0:10:4b:a:a9:68 Broadcast arp 60: arp who-has ieugp12.ie.cuhk.edu.hk tell ieugp1.ie.cuhk.edu.hk
07:19:29.073106 eth0 B 0:10:4b:a:a9:68 Broadcast arp 60: arp who-has ieugp8.ie.cuhk.edu.hk tell ieugp1.ie.cuhk.edu.hk
07:19:29.252125 eth0 B 0:10:4b:a:a9:68 Broadcast arp 60: arp who-has ieugp13.ie.cuhk.edu.hk tell ieugp1.ie.cuhk.edu.hk
07:19:29.385745 eth0 B 0:c0:4f:7a:3d:c5 Broadcast arp 60: arp who-has ielabpc.ie.cuhk.edu.hk tell ielabnt0.ie.cuhk.edu.hk
07:19:29.392456 eth0 B 0:60:97:67:13:6e Broadcast 8137 110: 
07:19:29.427844 eth0 B 0:10:4b:a:a9:68 Broadcast arp 60: arp who-has ieugp3.ie.cuhk.edu.hk tell ieugp1.ie.cuhk.edu.hk
07:19:29.639623 eth0 B 0:e0:4f:61:a8:80 Broadcast 8137 494: 
07:19:29.695659 eth0 B 0:e0:4f:61:a8:80 Broadcast 8137 494: 
07:19:29.751534 eth0 B 0:e0:4f:61:a8:80 Broadcast 8137 494:

Use NOCOL (Network Operations Center On-Line) to monitor network live

   Sys Admin Journal August 2000 issue (http://www.sysadminmag.com/archive/0908/)
   has introduced the nocol (Network Operations Center On-Line) network
   monitor utility. 
   
   nocol (http://www.netplex-tech.com/software/nocol/) is a light weighted 
   network monitor utility that help you to monitor your network live 
   (says update the status in every 5 mins)

   see the sample at
   http://www.athena.hkntec.net/nocol/Critical.html
   http://www.athena.hkntec.net/nocol/Info.html

   Besides ICMP-PING monitoring, you may also configure any open network port
   services, such as ftp, sendmail or wwww. See the sample portmon-confg file
   below. 

   Besides logging, nocol can also send you alert via e-mail when a host reaches
   a critical or error status.

   It also has keepalive_monitors script to make sure your monitor agents are
   always up.

   Examples of
    noclogd-confg
    portmon-confg
    ippingmon-confg

SNMP (Simple Network Management Protocol)
- A sample snmpd.conf file
- Examples of getting information from a network device
Rlab Networking Monitor web page
- Monitoring your switch port traffic and status
- Finding the ones who crash your host IP
- Check your host open ports inside and outside the firewall
- and more ...

Firewall Stress Test Result

Part II Intrusion Detection System

Building your own NIDS by using tcpdump

Monitoring the TCP/UTP connections of your host
e.g. tcpdump -e -x -l host ntec1 | tcpdump-data-filter.pl
Building the network connection log
e.g. tcpdump -w tcpdump.log
Detecting port scanning activity

Network Monitoring, Debugging and Intrusion Detection

Part I Network Monitoring and Debugging

Tools to monitor and debug your network

Firewall Stress Test Result

Part II Intrusion Detection System

Building your own NIDS by using tcpdump

iplog (TCP/IP traffic logger) and snort (The Lightweight Network Intrusion Detection System)

References

iplog (TCP/IP traffic logger) and
snort (The Lightweight Network Intrusion Detection System)