Debugging the Network


In my own experience, configuring networks to use proxies or encryption doesn't always work right the first time. Between typographical errors and missed steps, it might take a few tries to get it right. You are probably going to need a network sniffer to diagnose bad connections and make sure the good connections are working right. (There's no point in setting up an IPsec tunnel only to discover later that all traffic is transmitted in plain text, or to configure a proxy and find that your critical applications are not using it.)

You can use a couple of different tools to diagnose network issues. They range in complexity from "pretty pictures" to hard-core packet analysis. The main tools that I use are EtherApe, Snort, and Ethereal.

Packet sniffers are only as good as the network that they are connected to. If your network adaptor is located on an isolated network (or behind a network switch), then you are not going to see many packets. In contrast, if you are connected to a busy network then you will see lots of packets.

Note 

Sniffers can only capture packets that reach the network adaptor. The range is limited by physical connectivity. There is no way for a remote packet sniffer to capture packets on your local network.

Using EtherApe

EtherApe is a simple packet sniffer that graphically displays all network connections. This is a great tool if you just want to know where the connections are going, without the details found in every packet.

To use EtherApe, you just need to install it and run it.

 sudo apt-get install etherape
 sudo etherape

The graphical display shows a large black field with every node heard on the network represented by dots (see Figure 11-4). Lines between nodes show connections, and line thickness represents the amount of traffic. Lines are color-coded based on protocols and listed in the protocol key on the left side. You can also hover your mouse over any of the lines and see the protocol's name at the bottom of the window.

Figure 11-4: EtherApe capturing packets

EtherApe can be a quick way to identify that a proxy or secure tunnel is being used. For example, if all of your network connections should pass through a proxy or VPN, then the only connections should go to one host. Similarly, ports map to protocols. If connections are supposed to use a specific port, then you can make sure that the specific port is being used. Also, if you are using IPsec and the packet should be encrypted, then you should see an unknown protocol being displayed.

Using Ethereal

Although EtherApe can give you a very quick view of what is happening, it does not allow you to tell what traffic is being transmitted. For example, if everything should use a proxy and EtherApe shows some traffic outside of the proxy's connection, then you need some way to debug it. Ethereal (also known as Wireshark) is absolutely the most powerful packet analyzer I've ever come across. Not only can it collect and display packets, but it can also disassemble the packet fields and decode most protocols. If something should be encrypted, then you can confirm that the packet contents are encrypted. If some packets are unexpected, then you can capture the packets and analyze them and investigate what is really going on.

Running Ethereal is almost as easy as running EtherApe:

  1. Install the Ethereal package.

     sudo apt-get install ethereal 
  2. Run Ethereal.

     sudo ethereal 

    The Ethereal user interface allows you to capture packets or analyze packets, but capturing and analyzing are usually done in two separate steps.

  3. Capture some packets by selecting Capture → Interfaces from the menu. This will display a list of available interfaces. From this popup window, you can click the Capture button for the appropriate interface.

  4. As packets are being captured, a capture status window is available. It shows the number of each packet type collected. When you are done capturing packets, you can click Stop. This moves you from the collection phase to the analysis phase.

  5. The analysis window is divided into three segments (see Figure 11-5). The top shows each packet that was collected in the order that it was collected. You can click any packet to reveal the contents in the lower two window sections. The middle section shows the decoded components and the lower section shows the raw packet. You can click any part of the decoded section and the raw bytes in the lower section will be highlighted. Similarly, you can click any of the raw bytes to see what the decoded bytes mean.

Figure 11-5: The Ethereal packet analyzer

Although Ethereal is relatively easy to use, it has some very complex packet filtering options. Some functions have a very steep learning curve. If you have a need to use Ethereal for anything other than basic capture-and-analysis, then you probably should get a book dedicated to Ethereal; there are plenty of available resources. Another source for more information is the Ethereal web site http://www.wireshark.org.

Sharks and Lawyers

If you start digging into resources dedicated to Ethereal, then it won't take long until you see a product named Wireshark. Wireshark is Ethereal. Due to some legal wrangling, the creators of Ethereal are no longer permitted to use that name. Although the new name is Wireshark, you will still see the program called Ethereal; Ubuntu still delivers the ethereal package. In the future, the package may be renamed as well as the executable, but for now, Wireshark stands for Ethereal.


Using Snort and Tcpdump

Ethereal and EtherApe are very useful if you have a graphical workstation. However, if you are using a command-line terminal, remote login, or the Ubuntu Server installation, then you really need a command-line tool. The two most common are Tcpdump and Snort.

Tcpdump comes standard on Ubuntu systems. It allows you to capture packets and apply simple packet filters. For example, to capture all UDP packets, you can use: sudo tcpdump udp. If you want to capture all packets, use sudo tcpdump.

Each packet that is captured displays a line on the console. For example:

 14:32:28.958743 IP ubuntu.roach.lan.32966 > dns.roach.lan.domain:  31917+ A? cow.rats. (26)
 14:32:28.959476 IP ubuntu.roach.lan.32967 > dns.roach.lan.domain:  35645+ PTR? 251.1.1.10.in-addr.arpa. (41)
 14:32:28.960760 IP dns.roach.lan.domain > ubuntu.roach.lan.32967:  35645* 1/1/0 PTR[|domain]
 14:32:28.960929 IP ubuntu.roach.lan.32967 > dns.roach.lan.domain:  33818+ PTR? 5.1.1.10.in-addr.arpa. (39)
 14:32:28.961467 IP dns.roach.lan.domain > ubuntu.roach.lan.32967:  33818* 1/1/0 PTR[|domain]
 14:32:28.997905 IP dns.roach.lan.domain > ubuntu.roach.lan.32966:  31917 NXDomain 0/1/0 (101)

Each line includes a timestamp, the protocol, source and destination addresses with ports, and some of the decoded packet flags. Tcpdump can be configured to write packets to a file and the file can be later used by Ethereal for analysis.
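The proxy check described earlier (every outbound connection should go to the proxy or the local resolver) can be run over saved tcpdump console output. The following parser is an added example, not code from the book; the DNS lines are the ones quoted above, while the two TCP lines, the proxy name proxy.roach.lan and the address 93.184.216.34 are constructed for the illustration.

```python
import re

# Constructed sample: the DNS lines quoted in the text plus two made-up TCP SYNs,
# one to the expected proxy (port 3128) and one that goes straight to a web server.
SAMPLE = """\
14:32:28.958743 IP ubuntu.roach.lan.32966 > dns.roach.lan.domain:  31917+ A? cow.rats. (26)
14:32:28.959476 IP ubuntu.roach.lan.32967 > dns.roach.lan.domain:  35645+ PTR? 251.1.1.10.in-addr.arpa. (41)
14:32:28.960760 IP dns.roach.lan.domain > ubuntu.roach.lan.32967:  35645* 1/1/0 PTR[|domain]
14:32:28.997905 IP dns.roach.lan.domain > ubuntu.roach.lan.32966:  31917 NXDomain 0/1/0 (101)
14:32:29.101233 IP ubuntu.roach.lan.40112 > proxy.roach.lan.3128: Flags [S], seq 1, win 5840, length 0
14:32:29.223456 IP ubuntu.roach.lan.40113 > 93.184.216.34.80: Flags [S], seq 1, win 5840, length 0
"""

# timestamp, protocol, "src > dst:" and the decoded remainder of the line
LINE_RE = re.compile(r"^(\d\d:\d\d:\d\d\.\d+) (\S+) (\S+) > (\S+): ?(.*)$")

def split_endpoint(ep):
    """'ubuntu.roach.lan.32966' -> ('ubuntu.roach.lan', '32966'); the port may be a service name."""
    host, _, port = ep.rpartition(".")
    return host, port

def parse_line(line):
    """Return (ts, proto, src_host, src_port, dst_host, dst_port, rest) or None if not a packet line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, proto, src, dst, rest = m.groups()
    return (ts, proto) + split_endpoint(src) + split_endpoint(dst) + (rest.strip(),)

def find_bypass(text, local_host, allowed):
    """Outbound packets from local_host whose destination (host, port) is not in the allowed set."""
    leaks = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, _, src_host, _, dst_host, dst_port, _ = rec
        if src_host == local_host and (dst_host, dst_port) not in allowed:
            leaks.append((ts, dst_host, dst_port))
    return leaks

if __name__ == "__main__":
    allowed = {("proxy.roach.lan", "3128"), ("dns.roach.lan", "domain")}
    for ts, host, port in find_bypass(SAMPLE, "ubuntu.roach.lan", allowed):
        print(f"{ts} bypassed the proxy: {host} port {port}")
```

Feed it the output of a real capture (sudo tcpdump > capture.txt) and any line it reports is a connection that EtherApe would have drawn outside the proxy's link.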

Snort (sudo apt-get install snort) is an alternative to Tcpdump. Just as Ethereal is more complex than EtherApe, Snort is more complex than Tcpdump. Using Snort, you can capture packets, display contents, trigger rules and alerts, and even create your own plug-in filters. As with Ethereal, if you need to use Snort for anything more complicated than displaying packets with basic filters (for example, sudo snort -v udp), then I strongly recommend the Snort homepage (http://www.snort.org) as a resource. There are also plenty of books on basic and advanced Snort configurations.

Tip 

When Snort is installed, it enables the Snort Intrusion Detection System (IDS). This IDS (covered in Chapter 12) generates one e-mail per day, summarizing the possible network attacks that were detected. If you want to disable the IDS, you can remove the S20snort and K20snort initialization scripts from the /etc/rc*.d/ directories.



Hacking Ubuntu
Hacking Ubuntu: Serious Hacks Mods and Customizations (ExtremeTech)
ISBN: 047010872X
Year: 2004
Pages: 124
Authors: Neal Krawetz
