Embed Size (px)
Citation preview
Network Management Tools
ifConfig (UNIX)• Used to assign/read an address to/of an interface• Option -a is to display all interfaces• Notice two interface loop-back (lo0) and Ethernet (hme0)
[/home/staff/ycchen]ifconfig -aifconfig -alo0: flags=849<UP,LOOPBACK,RUNNING,MULTICAST> mtu 8232 inet 127.0.0.1 netmask ff000000hme0: flags=863<UP,BROADCAST,NOTRAILERS,RUNNING,MULTICAST> mtu 1500 inet 163.22.20.16 netmask ffffff00 broadcast 163.22.20.255
ifconfig le0 downifconfig le0 163.22.20.16 netmask 255.255.255.0 broadcast 163.22.20.255
ipconfig (Windows) ipconfig (internet protocol
configuration)
/? help/all 顯示完整設定資訊/release 釋放 IPv4 位址/release6 釋放 IPv6 位址/renew 更新 IPv4 位址/renew6 更新 Pv6 位址/flushdns 清除 DNS 解析快取/registerdns 重新整理 DHCP 租用並重新登錄 DNS/displaydns 顯示 DNS 解析快取內容
ipconfig /? ipconfig /?
ipconfig
無線區域網路介面卡 無線網路連線 :
連線特定 DNS 尾碼 . . . . . . . . : 連結 - 本機 IPv6 位址 . . . . . . . : fe80::19e4:8b36:e72b:2cf%11 IPv4 位址 . . . . . . . . . . . . : 192.168.0.107 子網路遮罩 . . . . . . . . . . . .: 255.255.255.0 預設閘道 . . . . . . . . . . . . .: 192.168.0.1
ipconfig /all無線區域網路介面卡 無線網路連線 :
連線特定 DNS 尾碼 . . . . . . . . : 描述 . . . . . . . . . . . . . . .: Atheros AR5BWB225 Wireless Network Adapter 實體位址 . . . . . . . . . . . . .: 74-DE-2B-CB-49-0C DHCP 已啟用 . . . . . . . . . . . : 是 自動設定啟用 . . . . . . . . . . .: 是 連結 - 本機 IPv6 位址 . . . . . . . : fe80::19e4:8b36:e72b:2cf%11( 偏好選項 ) IPv4 位址 . . . . . . . . . . . . : 192.168.0.107( 偏好選項 ) 子網路遮罩 . . . . . . . . . . . .: 255.255.255.0 租用取得 . . . . . . . . . . . . .: 2013 年 4 月 5 日 下午 07:58:09 租用到期 . . . . . . . . . . . . .: 2013 年 4 月 6 日 下午 07:59:14 預設閘道 . . . . . . . . . . . . .: 192.168.0.1 DHCP 伺服器 . . . . . . . . . . . : 192.168.0.1 DHCPv6 IAID . . . . . . . . . . . : 292871723 DHCPv6 用戶端 DUID. . . . . . . . : 00-01-00-01-17-23-19-FF-74-DE-2B-CB-49-0C DNS 伺服器 . . . . . . . . . . . .: 192.168.0.1 NetBIOS over Tcpip . . . . . . . .: 啟用
手動設定 IP 位址
© 2011 Pearson Education, Inc. Publishing as Prentice
Hall 9
NAT - Network Address Translation
http://www.whatismyip.com/
Address Resolution Protocol
RFC 826 To map network addresses to the
hardware addresses used by a data link protocol
To translate IP addresses to Ethernet MAC addresses
Use data-link broadcast ARP Request, ARP Reply
ARP AnnouncementGratuitous ARP
ARP Spoofing (ARP Poisoning)
Send fake, or 'spoofed', ARP messages to an Ethernet LAN.
Generally, to associate the attacker's MAC address with the IP address of another node (such as the default gateway).
Passive sniffing, Man-in-the-middle attack, Denial-of-service attack
http://www.oxid.it/downloads/apr-intro.swf
C:\>arp -aInterface: 10.10.34.169 --- 0x2 Internet Address Physical Address Type 10.10.34.231 00-12-cf-28-cd-20 dynamic 10.10.34.234 00-12-cf-29-c6-80 dynamic 10.10.34.235 00-12-cf-28-1e-20 dynamic 10.10.34.254 00-08-e3-dd-b3-1f dynamic
arp -aarp -d 10.10.34.235arp -d *arp –s 157.55.85.212 00-aa-00-62-c6-09
C:\>arp -s 10.10.34.235 00-12-cf-28-1e-20
C:\>arp –a
Interface: 10.10.34.169 --- 0x2 Internet Address Physical Address Type 10.10.34.235 00-12-cf-28-1e-20 static 10.10.34.254 00-08-e3-dd-b3-1f dynamic
ARP Cache Default cache time-outs: Two-minute (unused entries)
Ten-minute (used entries)
Routing information
route print
route -4 print
route -6 print
route add 163.22.16.0 mask 255.255.255.0 192.168.0.254 metric
100 if 11
route add 163.22.16.0 mask 255.255.255.0 192.168.0.254 metric
100
route change 163.22.16.0 mask 255.255.255.0 192.168.0.254
metric 130
route delete 163.22.16.0
netstat -r
領域名稱系統 (DNS)
提供主機名稱與 IP 位址之轉換 www.im.ncnu.edu.tw 163.22.20.16 由 DNS 伺服器提供 RR-DNS (Round Robin DNS)
www.yahoo.com: (8 台伺服器 ) 66.218.71.90, 66.218.71.80, 66.218.71.95, …
DDNS (Dynamic DNS) 主機名稱 浮動 IP 位址
ipconfig /displaydnsipconfig /displaydnsipconfig /flushdnsipconfig /flushdnsnslookupnslookup
C:\>nslookupDefault Server: academic.ncnu.edu.twAddress: 163.22.2.1
> www.cnn.comServer: academic.ncnu.edu.twAddress: 163.22.2.1
Non-authoritative answer:Name: www.cnn.comAddresses: 64.236.29.120, 64.236.91.21, 64.236.16.20, 64.236.16.52 64.236.16.84, 64.236.24.12, 64.236.24.20, 64.236.24.28
> 163.22.20.16Server: academic.ncnu.edu.twAddress: 163.22.2.1
Name: euler.im.ncnu.edu.twAddress: 163.22.20.16Aliases: 16.20.22.163.in-addr.arpa
>
nslookup
• An interactive program for querying InternetDomain Name System servers
• Converts a hostname into an IP address and vice versa querying DNS
• Useful to identify the subnet a host or node belongs to
• Lists contents of a domain, displaying DNS record
DNS Lookup
Ping
Most basic tool for internet management
Based on ICMP ECHO_REQUEST message
Available on all TCP/IP stacks
Useful for measuring • Connectivity
• Packet Loss
• Round Trip Time
Can do auto-discovery of TCP/IP equipped stations on single segment
pingUsage: ping [-t] [-a] [-n count] [-l size] [-f] [-i TTL] [-v TOS] [-r count] [-s count] [[-j host-list] | [-k host-list]] [-w timeout] destination-list
Options: -t Ping the specified host until stopped. To see statistics and continue - type Control-Break; To stop - type Control-C. -a Resolve addresses to hostnames. -n count Number of echo requests to send. -l size Send buffer size. -f Set Don't Fragment flag in packet. -i TTL Time To Live. -v TOS Type Of Service. -r count Record route for count hops. -s count Timestamp for count hops. -j host-list Loose source route along host-list. -k host-list Strict source route along host-list. -w timeout Timeout in milliseconds to wait for each reply.
ExampleC:\>ping -n 10 -l 256 www.im.ncnu.edu.tw
Pinging euler.im.ncnu.edu.tw [163.22.20.16] with 256 bytes of data:
Reply from 163.22.20.16: bytes=256 time=1ms TTL=253Reply from 163.22.20.16: bytes=256 time=1ms TTL=253Reply from 163.22.20.16: bytes=256 time=1ms TTL=253Reply from 163.22.20.16: bytes=256 time=1ms TTL=253Reply from 163.22.20.16: bytes=256 time=1ms TTL=253Reply from 163.22.20.16: bytes=256 time=1ms TTL=253Reply from 163.22.20.16: bytes=256 time=1ms TTL=253Reply from 163.22.20.16: bytes=256 time=1ms TTL=253Reply from 163.22.20.16: bytes=256 time=1ms TTL=253Reply from 163.22.20.16: bytes=256 time=1ms TTL=253
Ping statistics for 163.22.20.16: Packets: Sent = 10, Received = 10, Lost = 0 (0% loss0% loss),Approximate round trip timesround trip times in milli-seconds: Minimum = 1ms, Maximum = 1ms, Average = 1ms
traceroute/tracert
Usage: tracert [-d] [-h maximum_hops] [-j host-list] [-w timeout] target_name
Options:
-d Do not resolve addresses to hostnames.
-h maximum_hops Maximum number of hops to search for target.
-j host-list Loose source route along host-list.
-w timeout Wait timeout milliseconds for each reply.
tracert www.hinet.net
C:\>tracert www.facebook.com
在上限 30 個躍點上追蹤 star.c10r.facebook.com [31.13.82.1] 的路由 :
1 8 ms 8 ms 8 ms h254.s98.ts.hinet.net [168.95.98.254] 2 8 ms 8 ms 8 ms 168.95.220.98 3 9 ms 8 ms 8 ms NTNK-3101.hinet.net [220.128.21.110] 4 11 ms 11 ms 11 ms tchn-3011.hinet.net [220.128.16.98] 5 16 ms 14 ms 14 ms TPDT-3011.hinet.net [220.128.16.6] 6 11 ms 12 ms 11 ms r4103-s2.tp.hinet.net [220.128.7.29] 7 12 ms 13 ms 12 ms r4003-s2.tp.hinet.net [220.128.7.229] 8 96 ms 96 ms 96 ms 211-72-233-77.HINET-IP.hinet.net [211.72.233.77] 9 97 ms 97 ms 97 ms ae-5.r00.tokyjp03.jp.bb.gin.ntt.net [129.250.5.29] 10 97 ms 98 ms 97 ms ae-0.facebook.tokyjp03.jp.bb.gin.ntt.net [61.213.145.74] 11 97 ms 97 ms 97 ms po126.msw01.01.nrt1.tfbnw.net [31.13.27.221] 12 99 ms 99 ms 99 ms edge-star-ecmp-01-nrt1.facebook.com [31.13.82.1]
http://www.visualroute.com/
netstatC:\>netstat -n -aActive Connections Proto Local Address Foreign Address State TCP 0.0.0.0:21 0.0.0.0:0 LISTENING TCP 0.0.0.0:135 0.0.0.0:0 LISTENING TCP 0.0.0.0:445 0.0.0.0:0 LISTENING TCP 0.0.0.0:1234 0.0.0.0:0 LISTENING TCP 0.0.0.0:1235 0.0.0.0:0 LISTENING TCP 0.0.0.0:1236 0.0.0.0:0 LISTENING TCP 163.31.153.68:1234 163.22.3.4:80 ESTABLISHED TCP 163.31.153.68:1235 163.22.4.67:80 ESTABLISHED TCP 163.31.153.68:1236 163.22.4.67:80 SYN_SENT UDP 0.0.0.0:135 *:* UDP 0.0.0.0:445 *:* UDP 0.0.0.0:38037 *:* UDP 127.0.0.1:1230 *:* UDP 163.31.153.68:500 *:*
NETSTAT [-a] [-e] [-n] [-s] [-p proto] [-r] [interval]
-a Displays all connections and listening ports.
-e Displays Ethernet statistics. This may be combined with the -s
option.
-n Displays addresses and port numbers in numerical form.
-p proto Shows connections for the protocol specified by proto; proto
may be TCP or UDP. If used with the -s option to display
per-protocol statistics, proto may be TCP, UDP, or IP.
-r Displays the routing table.
-s Displays per-protocol statistics. By default, statistics are
shown for TCP, UDP and IP; the -p option may be used to specify
a subset of the default.
interval Redisplays selected statistics, pausing interval seconds
between each display. Press CTRL+C to stop redisplaying
statistics. If omitted, netstat will print the current
configuration information once.
TCP Connection Monitoringnetstat –p TCP
netstat –b –p TCP
netstat -e
Network Management Tools
• SNMP command tools
• MIB Walk
• MIB Browser
SNMP Command Tools
• snmptest
• snmpget
• snmpgetnext
• snmpset
• snmptrap
• snmpwalk
• snmpnetstat
Network Status
• Command: snmpnetstat host community
• Useful for finding status of network connections
% snmpnetstat noc5 publicActive Internet ConnectionsProto Recv-Q Send-Q Local Address Foreign Address (state)tcp 0 0 *.* *.* CLOSEDtcp 0 0 localhost.46626 localhost.3456 ESTABLISHEDtcp 0 0 localhost.46626 localhost.3712 ESTABLISHEDtcp 0 0 localhost.46626 localhost.3968 ESTABLISHEDtcp 0 0 localhost.46626 localhost.4224 ESTABLISHEDtcp 0 0 localhost.3456 localhost.46626 ESTABLISHEDtcp 0 0 localhost.3712 localhost.46626 ESTABLISHEDtcp 0 0 localhost.3968 localhost.46626 ESTABLISHEDtcp 0 0 localhost.4224 localhost.46626 ESTABLISHEDtcp 0 0 noc5.41472 noc5.4480 ESTABLISHEDtcp 0 0 noc5.41472 noc5.4736 ESTABLISHEDtcp 0 0 noc5.4480 noc5.41472 ESTABLISHEDtcp 0 0 noc5.4736 noc5.41472 ESTABLISHED
SNMP Browser
• Command: snmpwalk host community [variablename]
• Uses Get Next Command
• Presents MIB Tree
Protocol Analyzer
• Analyzes data packets on any transmission line including LAN• Measurements made locally or remotely• ProbeProbe (data capture device) captures data and transfers to the protocol analyzer (no storage)• Data link between probe and protocol analyzer either dial-up or dedicated link or LAN• Protocol analyzer analyzes data at all protocol levels
RMON Probe
Communication between probe and analyzeris using SNMP
• Data gathered and stored for an extended period of time and analyzed later
• Used for gathering traffic statistics and used for configuration management for performance tuning
Network Monitoring with RMON Probe
Network Statistics
• Protocol Analyzers• RMON Probe / Protocol analyzer• MRTG (Multi router traffic grouper)• Home-grown program using tcpdump
Traffic Load: Source
Traffic Load: Source/Destination
Protocol Distribution
Network Monitoring
• By polling• By traps (notifications)• Failure indicated by pinging or traps• Ping frequency optimized for network load vs.
quickness of detection• trap messages: linkdown, linkUp,
coldStart, warmStart, etc.• Network topology discovered by auto-discovery
Global View
Domain View
Segment View
Node Discovery In a Network
Node Discovery Given an IP Address with its subnet
mask, find the nodes in the same network.
Two Major Approaches: Use ICMP ECHO to query all the possible
IP addresses. Use SNMP to query the ARP Cache of a
node known
Use ICMP ECHO
Eg: IP address: 163.25.147.12 Subnet mask: 255.255.255.0 All possible addresses:
163.25.147.1 ~ 163.25.147.254 For each of the above addresses, use
ICMP ECHO to inquire the address If a node replies (ICMP ECHO Reply),
then it is found.
Use SNMP
Find a node which supports SNMP The given node, default gateway, or
router Or try a node arbitrarily
Query the ipNetToMediaTableipNetToMediaTable in MIB-II IP group
ipNetToMediaIfIndex ipNetToMediaNetAddress
1 00:80:43:5F:12:9A 163.25.147.10 dynamic(3)2 00:80:51:F3:11:DE 163.25.147.11 dynamic(3)
ipNetToMediaPhysAddress ipNetToMediaType
Network Discovery
Network Discovery Find the networks to be managed with
their interconnections Given a network, find the networks
which directly connect with it. Recall that networks are connected
via routers. Major Approach
Use SNMP
Discovering Networks
163.25.147.0163.25.147.0163.25.147.0163.25.147.0
163.25.145.0163.25.145.0163.25.145.0163.25.145.0 163.25.146.0163.25.146.0
163.25.148.0163.25.148.0
192.168.12.0192.168.12.0192.168.13.0192.168.13.0
140.112.5.0140.112.5.0
140.112.8.0140.112.8.0140.112.8.0140.112.8.0 140.112.6.0140.112.6.0
A Network Discovery Algorithm
1. First use a node discovery algorithm to find all the nodes in the network.
2. For each discovered node, use SNMP to query the ipAddrTableipAddrTable of MIB-II IP group
3. Query the corresponding entries in ipRouteTableipRouteTable to verify the above addresses
ipAdEntNetMask
163.25.145.254 1 255.255.255.0 163.25.145.255 …162.25.146.254 2 255.255.255.0 163.25.146.255 …162.25.147.254 3 255.255.255.0 163.25.147.255 …
ipAdEntAddripAdEntIfIndex ipAdEntBcastAddr
ipRouteTableipRouteTable
