How does it all come together in the day-to-day operation of a network? Here are a few examples that demonstrate common scenarios.

Finding and Disabling a Host

Say you have the name of a host, broken.example.com, that you know has been compromised by a malicious cracker. You want to find the host and disable its network access. [1] First you ping the host in case it has been inactive and is no longer in the forwarding table of the relevant switches. When the device responds to your ping, any switches in the switching path that do not have the host in their forwarding table will add it:
    Solaris% ping broken.example.com
    broken.example.com is alive

You use the arpfind command to determine the hardware address of the host:

    neo: arpfind host.example.com
    router.example.com 10.5.0.1 says 10.5.1.2 is 00:03:BA:09:1F:36

Having that, you then locate the host on a collection of switches:

    neo: locate 00:03:BA:09:1F:36 @k:northannex
    Found on 6@switch13.example.com

Next, you may wish to see how much traffic is being generated by the host. Though this is optional, it may be of use:

    neo: stats 6@switch13.example.com
    Probing devices ...
    Getting first set of stats...
    Getting second set of stats...
    Port statistics:
     p type  u lnk adm ap   kbs  ikbs okbs   pps ipps opps ierps oerps
    ------------------------------------------------------------------
     6 100TX   100 On      486    92  394   111   37   74     0     0

Before you turn it off, you also may wish to check how many devices are located on that port:

    neo: port search 6@switch13.example.com
    00:03:BA:09:1F:36

In this case, it is just the one machine, so you disable it:

    neo: set writecom mysecret
    neo: port dis 6@switch13.example.com
    6@switch13.example.com disabled

Locating a Problem and Disabling It

Now imagine a portion of your network is undergoing an active denial of service attack, sourced from a host within your own network. How can we find the problematic host? Start with the switch connected to the router:

    neo: stats entry-switch.example.com
    Probing devices ...
    Getting first set of stats...
    Getting second set of stats...
    Port statistics:
     p type  u lnk adm ap   kbs  ikbs okbs   pps ipps opps ierps oerps
    ------------------------------------------------------------------
     1 100TX   100 On       20     0   20    26    0   26     0     0
     2 100TX   100 On       19     0   19    26    0   26     0     0
     3 100TX    10 On       20     0   20    27    0   27     0     0
     4 100TX     - On        0     0    0     0    0    0     0     0
     5 100TX     - On        0     0    0     0    0    0     0     0
     6 100TX   100 On    50455 50042  413  7157 7051  106     0     0
     7 100TX    10 On       19     0   19    26    0   26     0     0
     8 100TX   100 On       19     0   19    26    0   26     0     0
     9 100TX   100 On       19     0   19    26    0   26     0     0
    10 100TX     - On        0     0    0     0    0    0     0     0
    11 100TX   100 On       19     0   19    26    0   26     0     0
    12 100TX   100 On       19     0   19    27    0   27     0     0
    13 100?X * 100 On      382   368   14    84   71   13     0     0
    14 100?X *   - On        0     0    0     0    0    0     0     0
    15 loop     10 On       59    28   31    80   40   40     0     0

You can see that a suspiciously large amount of traffic is coming from port six, so you would then like to know what other network devices are connected to this port. There are several ways to do this. One method is to search the port for hardware addresses, then pick one of those hardware addresses and use the keyfile syntax to search for that address on the relevant network:

    neo: port search 6@entry-switch.example.com
    00:04:76:31:E5:78
    00:06:5B:48:35:09
    00:60:97:4D:FE:39
    00:E0:29:05:85:66
    00:E0:29:86:3D:0D
    00:E0:63:C7:23:CB
    00:E0:63:C7:23:E3
    08:00:69:0E:AF:DD
    neo: locate 00:04:76:31:E5:78 @k:northannex
    Found on 6@entry-switch.example.com
    Found on 5@switch4.example.com

You then know that switch4.example.com is a device behind port six. Another method would be to log in to the router and ask it to translate each MAC address to an IP address, one of which will be that of the device in question. Once you gather statistics on switch4.example.com, you again find one source of a significant amount of traffic and turn off the culprit just as in the previous example.

Using Neo in a Script

Imagine you have a UPS and you would like to regularly track the battery capacity and input load.
You might use Neo in a script like this one:

    #!/bin/sh
    # Poll the UPS every 30 minutes and append its capacity and load
    # readings to a logfile.
    ups=ups.example.com
    log=/home/admin/upslog
    while [ 1 ]; do
        date >> "$log"
        neo dev info power $ups | egrep "Capacity|Load" >> "$log"
        echo "" >> "$log"
        sleep 1800
    done

This text is stored in a file and then the program is executed. More detail on writing and using scripts is presented in Chapter 10. This script runs Neo once every 30 minutes, saving the relevant information from the UPS into a logfile. Note that Neo commands are simply presented to Neo as arguments on the command line.
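As an added example (not code from the book or from Neo itself), the following Python works from the two kinds of output the "Locating a Problem" scenario relies on: it parses the port-statistics table that neo's stats command prints to find the port that dominates inbound traffic, then reads locate output to find the switch behind that port. Python rather than a shell wrapper is used so it runs offline on captured text; the samples are excerpts of the output shown above, and the 50% share threshold is an assumption.

```python
# Added example, not code from the book or from Neo: parse the table that
# neo's `stats` command prints, find the port that dominates inbound traffic,
# then read `locate` output to see which switch sits behind that port.
# Both samples are excerpts of the output shown on the page.
STATS_SAMPLE = """\
Port statistics:
 p type  u lnk adm ap   kbs  ikbs okbs  pps ipps opps ierps oerps
----------------------------------------------------------------
 1 100TX   100 On       20     0   20   26    0   26     0     0
 4 100TX   -   On        0     0    0    0    0    0     0     0
 6 100TX   100 On    50455 50042  413 7157 7051  106     0     0
13 100?X * 100 On      382   368   14   84   71   13     0     0
15 loop    10  On       59    28   31   80   40   40     0     0
"""
COUNTERS = ["kbs", "ikbs", "okbs", "pps", "ipps", "opps", "ierps", "oerps"]

def parse_port_stats(text):
    """One dict per port row. The u and ap columns are usually blank, so a
    row is read from the right: eight counters, then adm, then lnk; whatever
    is left between type and lnk is the uplink marker."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 12 or not f[0].isdigit():
            continue  # title, header or separator line
        row = {"port": int(f[0]), "type": f[1], "lnk": f[-10],
               "adm": f[-9], "uplink": "*" in f[2:-10]}
        row.update(zip(COUNTERS, (int(v) for v in f[-8:])))
        rows.append(row)
    return rows

def dominant_inbound(rows, share=0.5):
    """Port carrying more than `share` of all inbound kbs, else None.
    The 50% threshold is an assumption made for this example."""
    total = sum(r["ikbs"] for r in rows)
    top = max(rows, key=lambda r: r["ikbs"], default=None)
    return top["port"] if total and top["ikbs"] / total > share else None

LOCATE_SAMPLE = "Found on 6@entry-switch.example.com\nFound on 5@switch4.example.com\n"

def downstream_switches(locate_output, entry_port):
    """Other port@switch locations in `locate` output, i.e. the switches
    reached through entry_port (e.g. "6@entry-switch.example.com")."""
    found = [ln.split()[-1] for ln in locate_output.splitlines() if "@" in ln]
    return [loc for loc in found if loc != entry_port]
```

Run on a full stats capture, `dominant_inbound` points at port six exactly as the eye does in the table above, and `downstream_switches` returns the switch to probe next.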