Piattaforme Software per la Rete
Network Administration
Milan, XX month 20XX
A.Y. 2016/17, Alessandro Barenghi
Outline
1) Introduction and Netkit-NG
2) Link-Layer Management
3) Network-Layer Management
4) Monitor traffic
Introduction and Netkit-NG
Netkit-NG
The Netkit-NG tool provides a simple and fast way to emulate a network faithfully on a single host.
It employs User Mode Linux (UML) to run lightweight virtual machines.
It emulates L2 collision domains.
You can emulate an entire network on your machine with minimal effort.
Easy to install: go to https://netkit-ng.github.io/ and follow the instructions.
Netkit-NG: start virtual machines
The command vstart starts a VM and sets the network cards on a specific collision domain,
e.g. vstart my_vm eth0=0 --mem=128
To stop a virtual machine:
  vhalt: gracefully shut down
  vcrash: kill the virtual machine
The command vlist lists all running VMs.
ISO/OSI vs TCP/IP
  ISO/OSI           TCP/IP
  7 Application     Application
  6 Presentation    Application
  5 Session         Application
  4 Transport       Transport
  3 Network         Internet
  2 Data Link       Network Access
  1 Physical        Network Access
Linux network management
Network management is intrinsically split between userspace and kernelspace (in Linux the network stack resides in kernelspace, your management tools don't).
Common old tools: ifconfig, route. They use the old and limited ioctl system call.
We will see the new tools of the IPROUTE2 suite, which use the Netlink interface.
A few words on Netlink...
Special IPC used for transferring information between kernel and userspace processes.
Based on the standard C socket API.
Custom tools for communication with the kernel facilities can be written simply in C.
The `ip` command
Syntax: ip [options] object command...
We will deal only with Ethernet addresses; the `ip` tool also supports other technologies (e.g. DSL).
Link Layer Management
Device names in Linux
Traditional naming scheme: eth0, eth1, ..., wlan0, ...
The udev subsystem binds each name to a MAC address; this may cause problems in some situations.
Recent versions of systemd introduced the predictable network interface device names:
  PCI devices: [prefix]p[bus]s[slot]
  [prefix] = en for Ethernet, wl for Wireless
  Example: enp2s0
Link-Layer addresses
List all devices and show their L2 addresses: ip link show
Change your current MAC address to something else: ip link set <device> address <MAC address>
Enable/Disable the ARP protocol: ip link set <device> arp [on|off]
Enable/Disable the network interface: ip link set <device> [up|down]
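The Netlink slide says management tools talk to the kernel over a socket, and this slide shows `ip link show` on top of it. The following Python program is an added example (not part of the original slides, and not taken from the IPROUTE2 code base) of what `ip link show` does underneath: it builds an RTM_GETLINK dump request, sends it over a NETLINK_ROUTE socket and parses the RTM_NEWLINK replies into (index, name, MAC) triples. The parser is exercised on SAMPLE_REPLY, a constructed reply buffer laid out as the kernel would send it, so the message format can be checked offline; dump_links() queries the running kernel when the file is run directly on Linux.

```python
import os
import socket
import struct

# Constants from <linux/netlink.h>, <linux/rtnetlink.h> and <linux/if_link.h>
NLMSG_DONE = 3
NLM_F_REQUEST = 0x01
NLM_F_DUMP = 0x300            # NLM_F_ROOT | NLM_F_MATCH: "dump the whole table"
RTM_NEWLINK = 16
RTM_GETLINK = 18
IFLA_ADDRESS = 1
IFLA_IFNAME = 3
AF_PACKET = 17
NLMSG_HDRLEN = 16             # sizeof(struct nlmsghdr)
IFINFOMSG_LEN = 16            # sizeof(struct ifinfomsg)


def nl_align(n):
    """Netlink pads every message and attribute to a 4-byte boundary."""
    return (n + 3) & ~3


def build_getlink_request(seq=1):
    """RTM_GETLINK dump request: nlmsghdr followed by an empty ifinfomsg."""
    ifinfo = struct.pack("=BBHiII", AF_PACKET, 0, 0, 0, 0, 0)
    hdr = struct.pack("=IHHII", NLMSG_HDRLEN + len(ifinfo), RTM_GETLINK,
                      NLM_F_REQUEST | NLM_F_DUMP, seq, os.getpid())
    return hdr + ifinfo


def parse_link_messages(buf):
    """Walk the RTM_NEWLINK replies in buf; return ([(ifindex, name, mac)], done_seen).
    Every length is checked against the buffer so a short or corrupt message cannot
    make the parser read past the data it was given."""
    links, done, off = [], False, 0
    while off + NLMSG_HDRLEN <= len(buf):
        msg_len, msg_type, _flags, _seq, _pid = struct.unpack_from("=IHHII", buf, off)
        if msg_len < NLMSG_HDRLEN or off + msg_len > len(buf):
            break
        if msg_type == NLMSG_DONE:
            done = True
            break
        if msg_type == RTM_NEWLINK and msg_len >= NLMSG_HDRLEN + IFINFOMSG_LEN:
            ifindex = struct.unpack_from("=BBHiII", buf, off + NLMSG_HDRLEN)[3]
            name = mac = None
            aoff, end = off + NLMSG_HDRLEN + IFINFOMSG_LEN, off + msg_len
            while aoff + 4 <= end:   # struct rtattr: u16 rta_len, u16 rta_type, payload
                rta_len, rta_type = struct.unpack_from("=HH", buf, aoff)
                if rta_len < 4 or aoff + rta_len > end:
                    break
                payload = buf[aoff + 4:aoff + rta_len]
                if rta_type == IFLA_IFNAME:
                    name = payload.split(b"\0", 1)[0].decode()
                elif rta_type == IFLA_ADDRESS:
                    mac = ":".join(f"{b:02x}" for b in payload)
                aoff += nl_align(rta_len)
            links.append((ifindex, name, mac))
        off += nl_align(msg_len)
    return links, done


def build_newlink_reply(ifindex, name, mac_bytes, seq=1):
    """Construct one RTM_NEWLINK message in the kernel's layout (sample data, not captured)."""
    def rta(rtype, payload):
        body = struct.pack("=HH", 4 + len(payload), rtype) + payload
        return body + b"\0" * (nl_align(len(body)) - len(body))
    attrs = rta(IFLA_IFNAME, name.encode() + b"\0") + rta(IFLA_ADDRESS, mac_bytes)
    ifinfo = struct.pack("=BBHiII", AF_PACKET, 0, 1, ifindex, 0, 0)
    hdr = struct.pack("=IHHII", NLMSG_HDRLEN + len(ifinfo) + len(attrs), RTM_NEWLINK, 0, seq, 0)
    return hdr + ifinfo + attrs


# Constructed reply: two links followed by the NLMSG_DONE marker that ends a dump
SAMPLE_REPLY = (build_newlink_reply(1, "lo", bytes(6))
                + build_newlink_reply(2, "eth0", bytes.fromhex("0200c0a80001"))
                + struct.pack("=IHHIIi", 20, NLMSG_DONE, 0, 1, 0, 0))


def dump_links():
    """Ask the running kernel (Linux only; no root needed for a read-only dump)."""
    sock = socket.socket(socket.AF_NETLINK, socket.SOCK_RAW, socket.NETLINK_ROUTE)
    try:
        sock.bind((0, 0))
        sock.send(build_getlink_request())
        links = []
        while True:
            chunk_links, done = parse_link_messages(sock.recv(65536))
            links.extend(chunk_links)
            if done:
                return links
    finally:
        sock.close()


if __name__ == "__main__":
    for ifindex, name, mac in dump_links():
        print(f"{ifindex}: {name} link/ether {mac}")
```

The length checks in parse_link_messages are the part worth copying: a Netlink consumer that trusts nlmsg_len or rta_len blindly will index past its buffer on a truncated recv, which is exactly the class of bug the C tools mentioned on the previous slide have to guard against.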
ARP table management
How to...
Add a line to the ARP table: ip neigh add <IP Address> lladdr <MAC address> dev <device>
Update a line in the ARP table: ip neigh change <IP Address> lladdr <MAC address> dev <device>
Print the ARP table: ip neigh show
The NUD (Neighbour Unreachability Detection) state can also be set by hand using the nud <nud> parameter.
ARP NUDs
  State        Meaning
  permanent    Entry always valid, added by the system administrator.
  noarp        Entry valid until the lifetime expiration. No attempts to validate it.
  reachable    Entry valid until the lifetime expiration. Reachable.
  stale        Entry valid but the reachable timer has expired.
  none         Temporary value during initialization.
  incomplete   Entry has never been validated (yet).
  delay        Entry validation was delayed waiting for the upper protocol.
  probe        Entry is currently being probed.
  failed       Entry not valid (max number of probes reached).
ARP NUDs state machine (transitions of the slide diagram)
  none -> incomplete
  incomplete -> reachable: response received
  reachable -> stale: reachability timeout expires
  stale -> delay: packet sent
  delay -> reachable: packet received
  delay -> probe: delay timeout occurs
  probe -> reachable: response received
  probe -> failed: max number of probes reached
  permanent, noarp: static entries, outside the validation cycle
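The two slides above describe the entries and states that `ip neigh show` prints. As an added example (not part of the original slides), the Python below parses that output into entries, counts them per NUD state, and compares two snapshots to flag any neighbour whose link-layer address changed between them, a routine check an administrator can run from a monitoring host. The line format assumed is the one `ip neigh show` prints ("ADDR dev IF [lladdr MAC] [router] STATE"); the two snapshots are constructed for the example, not captured from a real network.

```python
import re
from collections import Counter

NUD_STATES = {"PERMANENT", "NOARP", "REACHABLE", "STALE", "NONE",
              "INCOMPLETE", "DELAY", "PROBE", "FAILED"}
MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$", re.IGNORECASE)


def parse_neigh_line(line):
    """Turn one `ip neigh show` line into a dict; returns None for a blank line."""
    tokens = line.split()
    if not tokens:
        return None
    entry = {"addr": tokens[0], "dev": None, "lladdr": None, "state": None, "flags": []}
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        if tok in ("dev", "lladdr") and i + 1 < len(tokens):
            entry[tok] = tokens[i + 1]       # key/value pair
            i += 2
            continue
        if tok in NUD_STATES:
            entry["state"] = tok             # the NUD state closes the line
        else:
            entry["flags"].append(tok)       # e.g. "router", "proxy"
        i += 1
    if entry["lladdr"] is not None and not MAC_RE.match(entry["lladdr"]):
        raise ValueError(f"unexpected link-layer address in line: {line!r}")
    return entry


def parse_neigh_table(text):
    return [e for e in (parse_neigh_line(l) for l in text.splitlines()) if e]


def state_summary(entries):
    """How many entries sit in each NUD state (Counter keyed by state name)."""
    return Counter(e["state"] for e in entries)


def changed_lladdr(before, after):
    """(addr, dev, old_mac, new_mac) for neighbours whose MAC differs between snapshots.
    INCOMPLETE/FAILED entries carry no lladdr and are skipped: nothing to compare."""
    old = {(e["addr"], e["dev"]): e["lladdr"] for e in before if e["lladdr"]}
    changes = []
    for e in after:
        key = (e["addr"], e["dev"])
        if e["lladdr"] and key in old and old[key].lower() != e["lladdr"].lower():
            changes.append((e["addr"], e["dev"], old[key], e["lladdr"]))
    return changes


# Constructed snapshots in `ip neigh show` format (sample data, not a real capture)
SNAPSHOT_1 = """\
192.168.0.1 dev eth0 lladdr 02:00:00:00:00:01 REACHABLE
192.168.0.20 dev eth0 lladdr 02:00:00:00:00:14 STALE
192.168.0.7 dev eth0 FAILED
fe80::1 dev eth0 lladdr 02:00:00:00:00:01 router STALE
"""
SNAPSHOT_2 = """\
192.168.0.1 dev eth0 lladdr 02:00:00:00:00:99 REACHABLE
192.168.0.20 dev eth0 lladdr 02:00:00:00:00:14 DELAY
192.168.0.7 dev eth0 INCOMPLETE
fe80::1 dev eth0 lladdr 02:00:00:00:00:01 router STALE
"""

if __name__ == "__main__":
    first, second = parse_neigh_table(SNAPSHOT_1), parse_neigh_table(SNAPSHOT_2)
    print("states:", dict(state_summary(second)))
    for addr, dev, old, new in changed_lladdr(first, second):
        print(f"{addr} on {dev}: lladdr changed {old} -> {new}")
```

In practice the snapshots come from running `ip neigh show` periodically; a gateway whose lladdr changes without a planned hardware swap is worth a look, and the per-state counts make a table full of FAILED or INCOMPLETE entries visible at a glance.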
Network Layer Management
IP addresses (1/2)
Probably the most common task you'll be performing.
How to...
List the IP addresses: ip addr show
Add an IP address*: ip addr add <IP Address>/<netmask> dev <device>
Remove an IP address: ip addr del <IP Address>/<netmask> dev <device>
* An interface can be bound to more than a single address without creating an alias, as the old `ifconfig` command required.
IP addresses (2/2)
By default, the broadcast address is set to 0.0.0.0 (aka 255.255.255.255).
To change it, you can use the broadcast <IP address> option.
Remove a class of addresses from any interface: ip addr flush to <IP address>/<netmask>
e.g. ip addr flush to 192.168.0.0/16 will remove any 192.168.x.x address.
Routing (1/3)
Route table management is still performed via the ip tool.
The IP routing table performs exactly as you have seen in the previous courses:
  The route with the longest matching prefix is selected.
  If two routes with the same prefix length match, the one with the matching TOS is selected.
  If both prefix and TOS match, the first route is selected.
As always, the default route is specified as the 0.0.0.0/0 address.
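The three selection rules above, written out as code. This is an added example (not part of the original slides, and not the kernel's FIB code): a constructed routing table of Route objects and a lookup() that applies longest prefix, then TOS, then table order, using Python's ipaddress module for the prefix test. Where no route of the winning prefix length matches the packet's TOS, the example falls back to the first of them, which is an assumption the slide does not spell out.

```python
import ipaddress


class Route:
    """One line of the table, in the spirit of `ip route show` output."""

    def __init__(self, prefix, via=None, dev=None, tos=0):
        self.network = ipaddress.ip_network(prefix, strict=False)
        self.via = via          # gateway, None for a directly connected network
        self.dev = dev
        self.tos = tos

    def __repr__(self):
        via = f" via {self.via}" if self.via else ""
        return f"{self.network}{via} dev {self.dev} tos {self.tos:#x}"


def lookup(table, dst, tos=0):
    """Select the route for destination dst with type of service tos (None if nothing matches)."""
    addr = ipaddress.ip_address(dst)
    # Rule 0: a route is a candidate only if its prefix covers the destination
    # (address/network version mismatch, e.g. IPv6 address vs IPv4 route, never matches)
    candidates = [r for r in table if addr in r.network]
    if not candidates:
        return None
    # Rule 1: longest matching prefix wins
    best_len = max(r.network.prefixlen for r in candidates)
    longest = [r for r in candidates if r.network.prefixlen == best_len]
    if len(longest) == 1:
        return longest[0]
    # Rule 2: among equal prefixes, prefer the route whose TOS matches the packet's
    tos_match = [r for r in longest if r.tos == tos]
    # Rule 3: still tied -> the first route in table order
    # (assumption: if no TOS matches at all, fall back to the first equal-prefix route)
    return (tos_match or longest)[0]


# Constructed table (sample data, not taken from a real host)
TABLE = [
    Route("0.0.0.0/0", via="192.168.0.1", dev="eth0"),          # default route
    Route("192.168.0.0/24", dev="eth0"),                         # directly connected
    Route("10.0.0.0/8", via="192.168.0.254", dev="eth0"),
    Route("10.1.0.0/16", via="192.168.0.253", dev="eth0", tos=0x10),
    Route("10.1.0.0/16", via="192.168.0.252", dev="eth0"),
    Route("10.1.0.0/16", via="192.168.0.251", dev="eth0"),       # never chosen: same prefix and TOS, later in table
]

if __name__ == "__main__":
    for dst, tos in [("192.168.0.5", 0), ("10.2.3.4", 0), ("10.1.3.4", 0), ("10.1.3.4", 0x10), ("8.8.8.8", 0)]:
        print(f"{dst} tos {tos:#x} -> {lookup(TABLE, dst, tos)}")
```

Compare the output with `ip route get <address>` on a real host: the command answers the same question the lookup() function does, for the kernel's own table.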
Routing (2/3)
How to...
Add a route: ip route add <address>/<netmask> via <gateway>
Remove a route: ip route del <address>/<netmask> via <gateway>
Force packets out of a specific interface: append dev <interface> to the route
Wipe all routes of a specific interface: ip route flush dev <interface>
Routing (3/3)
Where are my packets going?! ip route get <address>[/<netmask>]
As usual, to show all registered routes: ip route show
To create a NAT route*: ip route add nat <address> via <router>
* we will see NAT in the next lesson
Transport Layer Management
Linux Traffic Control
Configurations at the transport layer, basically for traffic control, can be managed via the tc tool.
Three main components:
  qdisc: the scheduler of network queues
  class: used to create a hierarchical tree structure in a qdisc
  filter: matching rules for classes
We won't look at traffic control in detail.
Network Monitoring
Network Monitoring
Network monitoring means capturing network traffic, measuring network bandwidth or monitoring connection statuses.
Why network monitoring?
  Monitor the network usage in terms of bandwidth and connections
  Debug ill-behaved configurations or programs
  Steal unencrypted information
Host Network Status
The Socket Stats tool ss replaces the old netstat.
Invoking the tool without parameters lists all the open sockets on the platform.
By default the known ports are listed with the service name instead of the port number; use -n to enforce numbers.
By default it shows only the connected sockets; use -l to show the listening sockets.
To restrict by protocol: -4, -6, -t, -u
To print extensive info: -i
Live traffic analysis
Several tools are available to analyze traffic; most of them rely on libpcap.
We will see:
  A traffic dumper and inspector: tcpdump (wireshark as the corresponding GUI tool)
  A dissection tool: ngrep
The `tcpdump` tool
Provides a way to collect packets from one (or more) interfaces (not just TCP).
The default behaviour of the tool is to print on screen a description of the packets flowing.
Some useful options:
  -i <dev>: restrict the sniffing to one interface
  -w <file>: save packets to file
  -v: show extra info
  -X: show packet content
  -XX: show ethernet header and content
Wireshark
Wireshark is a GUI program that performs the same task as `tcpdump`.
Just install it and play.
Ngrep
The idea is similar to the grep tool, but it works with network packets.
Common usage: ngrep -d <dev> <pattern>
The option -K kills (i.e. sends a RST packet to) the TCP connections matching the expression.
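The "Live traffic analysis", `tcpdump` and Ngrep slides all sit on libpcap and its capture file format. The Python below is an added example (not part of the original slides, and not the libpcap, tcpdump or ngrep source) of the bare minimum those tools do: it reads the pcap file format that `tcpdump -w` writes, decodes the Ethernet and IPv4/UDP/TCP headers (the fields -XX and -X print), renders a -X style hex dump, and searches packet payloads with a regular expression the way ngrep does. The capture, CAPTURE, is constructed in memory from two UDP frames with made-up MAC and private IP addresses, so the example runs offline; header names and the frame builder are this example's own.

```python
import re
import struct

PCAP_MAGIC = 0xA1B2C3D4          # microsecond-resolution pcap
LINKTYPE_ETHERNET = 1


def ip_checksum(header):
    """RFC 1071 one's-complement sum over 16-bit words; 0 when verifying a correct header."""
    if len(header) % 2:
        header += b"\0"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_udp_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload):
    """Ethernet II + IPv4 + UDP frame with a valid IP checksum (constructed sample data)."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip = lambda s: bytes(int(o) for o in s.split("."))
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload   # UDP checksum 0 = none
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0, 64, 17, 0,
                         ip(src_ip), ip(dst_ip))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ip_checksum(ip_hdr)) + ip_hdr[12:]
    return mac(dst_mac) + mac(src_mac) + struct.pack("!H", 0x0800) + ip_hdr + udp


def write_pcap(frames, ts=1500000000):
    """Global header + one record header per frame, little-endian as tcpdump writes on x86."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", ts + i, 0, len(f), len(f)) + f
    return out


def read_pcap(data):
    """Yield (ts_sec, frame); accepts either byte order, rejects non-Ethernet or truncated files."""
    for endian in ("<", ">"):
        if struct.unpack_from(endian + "I", data, 0)[0] == PCAP_MAGIC:
            break
    else:
        raise ValueError("not a pcap file (bad magic)")
    if struct.unpack_from(endian + "I", data, 20)[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")
    off = 24
    while off + 16 <= len(data):
        ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        if off + incl_len > len(data):
            raise ValueError("truncated record")   # e.g. a capture cut off mid-packet
        yield ts_sec, data[off:off + incl_len]
        off += incl_len


def decode_frame(frame):
    """Ethernet + IPv4 (+ UDP/TCP ports) fields; None for anything that is not IPv4."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None
    fmt = lambda b: ":".join(f"{x:02x}" for x in b)
    ihl, total_len, proto = (frame[14] & 0x0F) * 4, struct.unpack("!H", frame[16:18])[0], frame[23]
    info = {"dst_mac": fmt(frame[:6]), "src_mac": fmt(frame[6:12]), "proto": proto,
            "src_ip": ".".join(map(str, frame[26:30])), "dst_ip": ".".join(map(str, frame[30:34]))}
    l4 = frame[14 + ihl:14 + total_len]
    if proto == 17 and len(l4) >= 8:                        # UDP: fixed 8-byte header
        info["sport"], info["dport"] = struct.unpack("!HH", l4[:4])
        info["payload"] = l4[8:]
    elif proto == 6 and len(l4) >= 20:                      # TCP: header length from data offset
        info["sport"], info["dport"] = struct.unpack("!HH", l4[:4])
        info["payload"] = l4[(l4[12] >> 4) * 4:]
    else:
        info["payload"] = l4
    return info


def hexdump(data, width=16):
    """tcpdump -X style: offset, hex in 2-byte groups, printable ASCII."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(chunk[i:i + 2].hex() for i in range(0, len(chunk), 2))
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"0x{off:04x}:  {hexpart:<40} {asc}")
    return "\n".join(lines)


def grep_payloads(pcap_bytes, pattern):
    """ngrep-style search: (ts, 'src:port -> dst:port') for packets whose payload matches."""
    rx = re.compile(pattern.encode() if isinstance(pattern, str) else pattern)
    hits = []
    for ts, frame in read_pcap(pcap_bytes):
        info = decode_frame(frame)
        if info and rx.search(info["payload"]):
            hits.append((ts, f"{info['src_ip']}:{info.get('sport')} -> {info['dst_ip']}:{info.get('dport')}"))
    return hits


# Constructed capture: a DNS-looking query and a syslog line (sample data, not real traffic)
CAPTURE = write_pcap([
    build_udp_frame("02:00:00:00:00:01", "02:00:00:00:00:02", "192.168.0.10", "192.168.0.1",
                    40000, 53, b"\x12\x34\x01\x00" + b"\0" * 8),
    build_udp_frame("02:00:00:00:00:01", "02:00:00:00:00:02", "192.168.0.10", "192.168.0.5",
                    40001, 514, b"<13>login: user=alice\n"),
])

if __name__ == "__main__":
    for ts, frame in read_pcap(CAPTURE):
        info = decode_frame(frame)
        print(ts, info["src_ip"], info.get("sport"), ">", info["dst_ip"], info.get("dport"))
        print(hexdump(frame))
    print(grep_payloads(CAPTURE, r"user=\w+"))
```

Feed a real `tcpdump -w file.pcap` capture to read_pcap() to try it on actual traffic; the second sample packet also shows the point the "Steal unencrypted information" bullet makes from the other side: anything sent in clear text is as readable to a capture as it is to this toy parser.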