4.5 Examples of Use

How does it all come together in the day-to-day operation of a network? Here are a few examples that demonstrate common scenarios.

Finding and Disabling a Host

Say you have the name of a host, broken.example.com, that you know has been compromised by a malicious cracker. You want to find the host and disable its network access. [1] First you ping the host: if it has been quiet for a while, its hardware address may have aged out of the forwarding tables of the relevant switches, and a search for it would come up empty. When the device answers the ping, every switch along the path that had forgotten the host learns its address again:

[1] This is one reason it is highly recommended you have only one machine attached to each managed port on the leaf switches in your network. If several machines were connected behind an unmanaged switch, you might be forced to disable network access to all of them.

 
 Solaris% ping broken.example.com
 broken.example.com is alive

You use the arpfind command to determine the hardware address of the host:

 
 neo: arpfind broken.example.com router.example.com
 10.5.0.1 says 10.5.1.2 is 00:03:BA:09:1F:36

Having that, you then locate the host on a collection of switches:

 
 neo: locate 00:03:BA:09:1F:36 @k:northannex
 Found on 6@switch13.example.com

Next, you may wish to see how much traffic is being generated by the host. Though this is optional, it may be of use:

 
 neo: stats 6@switch13.example.com
 Probing devices ...
 Getting first set of stats...
 Getting second set of stats...
 Port statistics:
  p type  u lnk adm ap   kbs  ikbs  okbs  pps ipps opps ierps oerps
 ------------------------------------------------------------------
  6 100TX   100  On      486    92   394  111   37   74     0     0

Before you turn the port off, check how many devices are seen on it:

 
 neo: port search 6@switch13.example.com
 00:03:BA:09:1F:36

In this case, it is just the one machine, so you disable it:

 
 neo: set writecom mysecret
 neo: port dis 6@switch13.example.com
 6@switch13.example.com disabled

Locating a Problem and Disabling It

Now imagine a portion of your network is undergoing an active denial of service attack, sourced from a host within your own network. How do you find the offending host? Start with the switch connected to the router:

 
 neo: stats entry-switch.example.com
 Probing devices ...
 Getting first set of stats...
 Getting second set of stats...
 Port statistics:
  p type  u lnk adm ap   kbs  ikbs  okbs  pps ipps opps ierps oerps
 ------------------------------------------------------------------
  1 100TX   100  On       20     0    20   26    0   26     0     0
  2 100TX   100  On       19     0    19   26    0   26     0     0
  3 100TX    10  On       20     0    20   27    0   27     0     0
  4 100TX     -  On        0     0     0    0    0    0     0     0
  5 100TX     -  On        0     0     0    0    0    0     0     0
  6 100TX   100  On    50455 50042   413 7157 7051  106     0     0
  7 100TX    10  On       19     0    19   26    0   26     0     0
  8 100TX   100  On       19     0    19   26    0   26     0     0
  9 100TX   100  On       19     0    19   26    0   26     0     0
 10 100TX     -  On        0     0     0    0    0    0     0     0
 11 100TX   100  On       19     0    19   26    0   26     0     0
 12 100TX   100  On       19     0    19   27    0   27     0     0
 13 100?X * 100  On      382   368    14   84   71   13     0     0
 14 100?X *   -  On        0     0     0    0    0    0     0     0
 15 loop     10  On       59    28    31   80   40   40     0     0

Port six is receiving a suspiciously large amount of inbound traffic (an ikbs of 50042 against roughly 20 or less on the other ports), so you want to know what network devices are connected to it. There are several ways to find out. One method is to search the port for hardware addresses, then pick one of those addresses and use the keyfile syntax to search for it across the relevant network:

 
 neo: port search 6@entry-switch.example.com
 00:04:76:31:E5:78
 00:06:5B:48:35:09
 00:60:97:4D:FE:39
 00:E0:29:05:85:66
 00:E0:29:86:3D:0D
 00:E0:63:C7:23:CB
 00:E0:63:C7:23:E3
 08:00:69:0E:AF:DD
 neo: locate 00:04:76:31:E5:78 @k:northannex
 Found on 6@entry-switch.example.com
 Found on 5@switch4.example.com

You then know that switch4.example.com is a device behind port six. Another method would be to log in to the router and have it translate each hardware address to an IP address; one of those addresses will belong to the device in question.

Once you gather statistics on switch4.example.com, you repeat the process: its stats will again single out one port carrying a significant amount of traffic, and you disable the culprit just as in the previous example.
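The two walkthroughs above are the same loop run by hand: learn an address, locate it, check what else shares the port, then disable. The script below is an added example, not code from Neo or from the transcripts in this section; it wraps the Neo commands used above (arpfind, locate, stats, port search) in the checks a careful operator wants before cutting a port, and it parses the output formats reproduced in this section. Assumptions: a `neo` binary on PATH that takes a command as its arguments, as the UPS script later in this section does; Linux/BSD ping syntax; the sample stats table and hardware addresses embedded in it are constructed copies of the transcripts above. The disable step itself is deliberately left to the operator: the script prints the exact `port dis` line to paste into an interactive Neo session after `set writecom`.

```shell
#!/bin/sh
# Added example; not code from Neo or from this section's transcripts.
# Wraps the Neo commands used in the two walkthroughs (arpfind, locate,
# stats, port search) in the checks an operator wants before cutting a
# port. Assumed: a "neo" binary on PATH that takes a command as its
# arguments, as the UPS script later in this section does; ping with
# Linux/BSD "-c" syntax. The parsers match the output formats shown above.

# Hardware address from an arpfind line: "<router> says <ip> is <mac>".
arpfind_mac() {
    awk '/ says .* is / { print $NF; exit }'
}

# "port@switch" tokens from locate output: "Found on 6@switch13.example.com".
locate_ports() {
    awk '$1 == "Found" && $2 == "on" { print $3 }'
}

# Hardware addresses reported by "port search" (one per line, nothing else).
port_macs() {
    awk '$1 ~ /^[0-9A-Fa-f][0-9A-Fa-f]:/ { print $1 }'
}

# From a stats table, print "<port> <ikbs>" for the port with the most
# inbound traffic. Data rows start with a port number. The optional "*" in
# the u and ap columns shifts the fields, so ikbs is taken from the right:
# it is always the seventh field from the end of a data row.
busiest_port() {
    awk 'BEGIN { max = -1 }
         $1 ~ /^[0-9]+$/ && $(NF-6) + 0 > max { max = $(NF-6) + 0; port = $1 }
         END { if (port != "") print port, max }'
}

# Succeed only if exactly one address sits behind the port; with several
# (an unmanaged switch, see footnote [1]) disabling it would cut them all.
single_host_on_port() {
    [ "$(port_macs | wc -l | tr -d ' ')" -eq 1 ]
}

# Live run, first walkthrough: find the compromised host's leaf port and
# print the "port dis" line for the operator to paste into an interactive
# Neo session after "set writecom". Uplink ports, which locate also reports
# (the second walkthrough shows one), fail the single-host check and are skipped.
isolate_host() {
    host=$1; router=$2; keyfile=$3
    ping -c 1 "$host" >/dev/null 2>&1        # let the switches relearn the address
    mac=$(neo arpfind "$host" "$router" | arpfind_mac)
    [ -n "$mac" ] || { echo "no ARP entry for $host on $router" >&2; return 1; }
    for p in $(neo locate "$mac" "@k:$keyfile" | locate_ports); do
        if neo port search "$p" | single_host_on_port; then
            echo "only $mac on $p; ready to run:  port dis $p"
        else
            echo "skipping $p: more than one host behind it" >&2
        fi
    done
}

# Live run, second walkthrough: name the port feeding the most traffic into
# a switch, the starting point for walking down toward the culprit.
chattiest_port() {
    neo stats "$1" | busiest_port
}

# Constructed sample, copied from the entry-switch transcript above, so the
# parser can be exercised without a switch.
sample_stats() {
    cat <<'EOF'
 p type  u lnk adm ap   kbs  ikbs  okbs  pps ipps opps ierps oerps
 1 100TX   100  On       20     0    20   26    0   26     0     0
 4 100TX     -  On        0     0     0    0    0    0     0     0
 6 100TX   100  On    50455 50042   413 7157 7051  106     0     0
13 100?X * 100  On      382   368    14   84   71   13     0     0
15 loop     10  On       59    28    31   80   40   40     0     0
EOF
}

demo() {
    echo "busiest port and ikbs: $(sample_stats | busiest_port)"
    printf '00:03:BA:09:1F:36\n' | single_host_on_port && echo "one host: ok to disable"
    printf '00:04:76:31:E5:78\n00:06:5B:48:35:09\n' | single_host_on_port || echo "two hosts: refuse"
}

if [ $# -eq 3 ]; then isolate_host "$@"; else demo; fi
```

Run with no arguments to exercise the parsers on the constructed sample; run as `./neo-isolate.sh broken.example.com router.example.com northannex` (hypothetical filename) to walk the first example against live switches. Counting ikbs from the right-hand end of each row is what keeps `busiest_port` correct on rows like port 13, where the `*` uplink flag adds a field.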

Using Neo in a Script

Imagine you have a UPS and you would like to regularly track the battery capacity and input load. You might use Neo in a script like this one:

 
 #!/bin/sh
 # Poll a UPS through Neo every 30 minutes and append the battery
 # capacity and input load lines to a logfile.
 ups=ups.example.com
 log=/home/admin/upslog
 while true; do
     date >> "$log"
     neo dev info power "$ups" | egrep "Capacity|Load" >> "$log"
     echo "" >> "$log"
     sleep 1800
 done

Save this text in a file, make it executable, and run it. More detail on writing and using scripts is presented in Chapter 10. This script runs Neo once every 30 minutes and appends the Capacity and Load lines of the UPS report to a logfile. Note that Neo commands are simply presented to Neo as arguments on the command line.



Open Source Network Administration
ISBN: 130462101
Year: 2002