Module 8: Investigative Tools


Transcripts
Slide 1

Module 8: Investigative Tools

Slide 2

INVESTIGATIVE TOOLS OVERVIEW
- Ping
- Traceroute
- Iperf
- BWCTL
- NDT
- TCPDUMP
- TCPtrace
- Wireshark (Ethereal)

Slide 3

PING

Slide 4

HOW DOES PING WORK?
- Makes use of Internet Control Message Protocol (ICMP) messages
- Sends timed ICMP ECHO_REQUEST packets
- Listens for ICMP ECHO_REPLY packets
- Prints a line with the RTT for every reply
- Statistical summary when finished:
  - minimum, maximum and average RTT
  - shows packet loss

Slide 5

PING: USEFUL PURPOSES
What you may read out of ping statistics:
- host reachability
- RTT
- host load
- routing changes (different TTLs)
- load balancers (stable but different RTT values, same TTLs)
- estimate of the packet loss rate
- rate limits (uniform loss statistics)
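The indicators on this slide can be pulled out of ping's reply lines mechanically. The following is an added example, not part of the original slides: it parses the iputils (Linux) ping output format, recomputes the end-of-run statistics, and applies the two rules from the slide (different TTLs mean the path changed; one TTL with several stable RTT values suggests a load balancer). Both sample runs are constructed, not captured, and the "stable group" rule (at least three replies per whole-millisecond bucket) is a threshold chosen here for illustration.

```python
"""Parse iputils `ping` output and derive the indicators from the slide:
reachability, RTT min/avg/max, loss, routing changes and load balancers.

Added example, not part of the original slides. Sample output is
constructed; the load-balancer grouping rule is an assumption made here.
"""
import re
import statistics
from collections import Counter

# Constructed: 10 probes, seq 4 and 8 lost, constant TTL, replies split
# between a ~4 ms path and a ~9 ms path (what a load balancer looks like).
SAMPLE_PING = """\
PING zaurak.dfn.de (192.76.176.2) 56(84) bytes of data.
64 bytes from 192.76.176.2: icmp_seq=1 ttl=52 time=4.1 ms
64 bytes from 192.76.176.2: icmp_seq=2 ttl=52 time=9.3 ms
64 bytes from 192.76.176.2: icmp_seq=3 ttl=52 time=4.0 ms
64 bytes from 192.76.176.2: icmp_seq=5 ttl=52 time=9.1 ms
64 bytes from 192.76.176.2: icmp_seq=6 ttl=52 time=4.2 ms
64 bytes from 192.76.176.2: icmp_seq=7 ttl=52 time=9.4 ms
64 bytes from 192.76.176.2: icmp_seq=9 ttl=52 time=4.1 ms
64 bytes from 192.76.176.2: icmp_seq=10 ttl=52 time=9.2 ms
"""

# Constructed: the TTL drops from 52 to 50 mid-run, i.e. the path changed.
SAMPLE_REROUTE = """\
64 bytes from 192.76.176.2: icmp_seq=1 ttl=52 time=4.1 ms
64 bytes from 192.76.176.2: icmp_seq=2 ttl=52 time=4.0 ms
64 bytes from 192.76.176.2: icmp_seq=3 ttl=50 time=6.2 ms
64 bytes from 192.76.176.2: icmp_seq=4 ttl=50 time=6.1 ms
"""

REPLY_RE = re.compile(r"icmp_seq=(\d+) ttl=(\d+) time=([\d.]+) ms")


def parse_ping(text):
    """Return (seq, ttl, rtt_ms) for every ECHO_REPLY line."""
    return [(int(s), int(t), float(r)) for s, t, r in REPLY_RE.findall(text)]


def summarize(replies, sent):
    """The numbers ping prints at the end, recomputed from the reply lines."""
    rtts = [r for _, _, r in replies]
    answered = {s for s, _, _ in replies}
    return {
        "sent": sent,
        "received": len(replies),
        "loss_pct": 100.0 * (sent - len(replies)) / sent,
        "lost_seqs": sorted(set(range(1, sent + 1)) - answered),
        "rtt_min": min(rtts) if rtts else None,
        "rtt_avg": statistics.fmean(rtts) if rtts else None,
        "rtt_max": max(rtts) if rtts else None,
        "ttls": sorted({t for _, t, _ in replies}),
    }


def diagnose(replies, sent):
    """Turn the statistics into the observations listed on the slide."""
    s = summarize(replies, sent)
    if s["received"] == 0:
        return ["no replies: host down, unreachable, or filtering ICMP echo"]
    findings = []
    if len(s["ttls"]) > 1:
        findings.append(f"routing change: replies carry different TTLs {s['ttls']}")
    # Same TTL but RTTs sitting in several stable groups: bucket replies by
    # whole milliseconds and keep buckets holding at least three replies.
    groups = Counter(round(r) for _, _, r in replies)
    stable = sorted(ms for ms, n in groups.items() if n >= 3)
    if len(s["ttls"]) == 1 and len(stable) >= 2:
        findings.append(f"load balancer suspected: same TTL, stable RTT groups at {stable} ms")
    if s["lost_seqs"]:
        findings.append(f"{s['loss_pct']:.0f}% loss, unanswered seq {s['lost_seqs']}")
    return findings


if __name__ == "__main__":
    for text, sent in ((SAMPLE_PING, 10), (SAMPLE_REROUTE, 4)):
        print(summarize(parse_ping(text), sent))
        for finding in diagnose(parse_ping(text), sent):
            print(" -", finding)
```

The sent count is passed in rather than parsed because ping only prints it in the final summary, which is missing when a run is interrupted; the reply lines alone are enough to recover everything else.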

Slide 6

PING: DRAWBACKS AND LIMITATIONS (1)
- RTT reported may be too low:
  - tiny packets sent via ICMP (by default)
  - "real traffic" uses different protocols
  - no impact on transit traffic
  - does not include "application time"
- Or too high:
  - host busy (esp. routers, which generate ICMP replies on their control plane)

Slide 7

PING: DRAWBACKS AND LIMITATIONS (2)
- Filtering: many devices won't respond to ping
  - hosts behind firewalls / NAT
  - routers (filters / rate limits)
- A destination may in fact be reachable even though an ICMP Echo Request times out

Slide 8

TRACEROUTE: IP PATH DISCOVERY

    root@ezmp3:/home/welti# traceroute www.dfn.de
    traceroute to zaurak.dfn.de (192.76.176.2), 64 hops max, 40 byte packets
     1  swiEZ2-G4-7.switch.ch (130.59.35.85)  0 ms  0 ms  0 ms
     2  swiLS2-10GE-1-1.switch.ch (130.59.36.205)  4 ms  4 ms  4 ms
     3  swiCE2-10GE-1-3.switch.ch (130.59.37.1)  5 ms  4 ms  4 ms
     4  switch.rt1.gen.ch.geant2.net (62.40.124.21)  4 ms  4 ms  4 ms
     5  so-7-2-0.rt1.fra.de.geant2.net (62.40.112.22)  13 ms  13 ms  13 ms
     6  dfn-gw.rt1.fra.de.geant2.net (62.40.124.34)  13 ms  14 ms  13 ms
     7  zr-pot1-te0-7-0-2.x-win.dfn.de (188.1.145.138)  27 ms  28 ms  27 ms
     8  xr-tub1-te2-3.x-win.dfn.de (188.1.144.222)  28 ms  28 ms  28 ms
     9  xr-hub1-te2-1.x-win.dfn.de (188.1.144.13)  28 ms  29 ms  28 ms
    10  kr-dfnbln.x-win.dfn.de (188.1.230.162)  29 ms  29 ms  29 ms
    11  *
    12  *

Slide 9

HOW DOES TRACEROUTE WORK? (1)
- Traceroute discovers the forward path to a destination IP address
- Sends stimulus packets (either ICMP or UDP) with increasing time-to-live (TTL)
  - starts with a TTL of 1
  - each subsequent packet increases the TTL by 1
- Each router along the path should therefore receive a packet whose TTL expires (reaches 0) at that router
  - it responds by sending an ICMP "TTL exceeded" message back to the source

Slide 10

HOW DOES TRACEROUTE WORK? (2)
- When the TTL is high enough to reach the destination, a different response packet is generated:
  - ICMP Echo Reply (for ICMP probes), or
  - ICMP Destination Unreachable / Port Unreachable (for UDP probes to an unused port)
- The traceroute tool then displays the different "hops" it has found, including:
  - hop address (the IP address from which the ICMP response was sent)
  - round-trip times (RTT)
  - asterisks where responses are missing
  - "bang-something" (!<x>) codes where error conditions were encountered (due to filtering etc.)

Slide 11

TRACEROUTE: PURPOSE
What you may read from a traceroute output:
- forward route
- router response times
- routing loops
- router CPU load
- filters
- routing black holes

Slide 12

TRACEROUTE: FORWARD ROUTE / RTT

    root@ezmp3:/home/welti# traceroute www.dfn.de
    traceroute to zaurak.dfn.de (192.76.176.2), 64 hops max, 40 byte packets
     1  swiEZ2-G4-7.switch.ch (130.59.35.85)  0 ms  0 ms  0 ms
     2  swiLS2-10GE-1-1.switch.ch (130.59.36.205)  4 ms  4 ms  4 ms
     3  swiCE2-10GE-1-3.switch.ch (130.59.37.1)  5 ms  4 ms  4 ms
     4  switch.rt1.gen.ch.geant2.net (62.40.124.21)  4 ms  4 ms  4 ms
     5  so-7-2-0.rt1.fra.de.geant2.net (62.40.112.22)  13 ms  13 ms  13 ms
     6  dfn-gw.rt1.fra.de.geant2.net (62.40.124.34)  13 ms  14 ms  13 ms
     7  zr-pot1-te0-7-0-2.x-win.dfn.de (188.1.145.138)  27 ms  28 ms  27 ms
     8  xr-tub1-te2-3.x-win.dfn.de (188.1.144.222)  28 ms  28 ms  28 ms
     9  xr-hub1-te2-1.x-win.dfn.de (188.1.144.13)  28 ms  29 ms  28 ms
    10  kr-dfnbln.x-win.dfn.de (188.1.230.162)  29 ms  29 ms  29 ms
    11  *
    12  *

Slide 13

TRACEROUTE: ROUTING LOOPS (the same two routers answer at every TTL from hop 2 on, each time one hop further along)

    root@ezmp3:/home/welti# traceroute www.dfn.de
    traceroute to zaurak.dfn.de (192.76.176.2), 64 hops max, 40 byte packets
     1  swiEZ2-G4-7.switch.ch (130.59.35.85)  0 ms  0 ms  0 ms
     2  swiLS2-10GE-1-1.switch.ch (130.59.36.205)  4 ms  4 ms  4 ms
     3  swiCE2-10GE-1-3.switch.ch (130.59.37.1)  5 ms  4 ms  4 ms
     4  swiLS2-10GE-1-1.switch.ch (130.59.36.205)  5 ms  5 ms  5 ms
     5  swiCE2-10GE-1-3.switch.ch (130.59.37.1)  5 ms  5 ms  5 ms
     6  swiLS2-10GE-1-1.switch.ch (130.59.36.205)  6 ms  6 ms  6 ms
     7  swiCE2-10GE-1-3.switch.ch (130.59.37.1)  6 ms  6 ms  6 ms
     8  swiLS2-10GE-1-1.switch.ch (130.59.36.205)  7 ms  7 ms  7 ms
     9  swiCE2-10GE-1-3.switch.ch (130.59.37.1)  7 ms  7 ms  7 ms
    10  swiLS2-10GE-1-1.switch.ch (130.59.36.205)  8 ms  8 ms  8 ms
    11  swiCE2-10GE-1-3.switch.ch (130.59.37.1)  8 ms  8 ms  8 ms
    12  swiLS2-10GE-1-1.switch.ch (130.59.36.205)  9 ms  9 ms  9 ms
    13  swiCE2-10GE-1-3.switch.ch (130.59.37.1)  9 ms  9 ms  9 ms
    ...

Slide 14

TRACEROUTE: BUSY ROUTERS (hop 6 answers slowly, but hop 7 behind it does not inherit the delay: the router is slow to generate ICMP, not slow to forward)

    root@ezmp3:/home/welti# traceroute www.dfn.de
    traceroute to zaurak.dfn.de (192.76.176.2), 64 hops max, 40 byte packets
     1  swiEZ2-G4-7.switch.ch (130.59.35.85)  0 ms  0 ms  0 ms
     2  swiLS2-10GE-1-1.switch.ch (130.59.36.205)  4 ms  4 ms  4 ms
     3  swiCE2-10GE-1-3.switch.ch (130.59.37.1)  5 ms  4 ms  4 ms
     4  switch.rt1.gen.ch.geant2.net (62.40.124.21)  4 ms  4 ms  4 ms
     5  so-7-2-0.rt1.fra.de.geant2.net (62.40.112.22)  13 ms  13 ms  13 ms
     6  dfn-gw.rt1.fra.de.geant2.net (62.40.124.34)  55 ms  58 ms  53 ms
     7  zr-pot1-te0-7-0-2.x-win.dfn.de (188.1.145.138)  27 ms  28 ms  27 ms
     8  xr-tub1-te2-3.x-win.dfn.de (188.1.144.222)  28 ms  28 ms  28 ms
     9  xr-hub1-te2-1.x-win.dfn.de (188.1.144.13)  28 ms  29 ms  28 ms
    10  kr-dfnbln.x-win.dfn.de (188.1.230.162)  29 ms  29 ms  29 ms
    11  *
    12  *

Slide 15

TRACEROUTE: RATE LIMITS (hops 4 and 7 answer some probes but not all: ICMP generation on those routers is rate-limited)

    root@ezmp3:/home/welti# traceroute www.dfn.de
    traceroute to zaurak.dfn.de (192.76.176.2), 64 hops max, 40 byte packets
     1  swiEZ2-G4-7.switch.ch (130.59.35.85)  0 ms  0 ms  0 ms
     2  swiLS2-10GE-1-1.switch.ch (130.59.36.205)  4 ms  4 ms  4 ms
     3  swiCE2-10GE-1-3.switch.ch (130.59.37.1)  5 ms  4 ms  4 ms
     4  switch.rt1.gen.ch.geant2.net (62.40.124.21)  4 ms  *
     5  so-7-2-0.rt1.fra.de.geant2.net (62.40.112.22)  13 ms  13 ms  13 ms
     6  dfn-gw.rt1.fra.de.geant2.net (62.40.124.34)  13 ms  14 ms  13 ms
     7  zr-pot1-te0-7-0-2.x-win.dfn.de (188.1.145.138)  *  28 ms  27 ms
     8  xr-tub1-te2-3.x-win.dfn.de (188.1.144.222)  28 ms  28 ms  28 ms
     9  xr-hub1-te2-1.x-win.dfn.de (188.1.144.13)  28 ms  29 ms  28 ms
    10  kr-dfnbln.x-win.dfn.de (188.1.230.162)  29 ms  29 ms  29 ms
    11  *
    12  *

Slide 16

TRACEROUTE: FILTERING ROUTERS / HOSTS (hop 4 never answers, yet hops 5 and beyond do: the router forwards but filters or does not generate the ICMP reply)

    root@ezmp3:/home/welti# traceroute www.dfn.de
    traceroute to zaurak.dfn.de (192.76.176.2), 64 hops max, 40 byte packets
     1  swiEZ2-G4-7.switch.ch (130.59.35.85)  0 ms  0 ms  0 ms
     2  swiLS2-10GE-1-1.switch.ch (130.59.36.205)  4 ms  4 ms  4 ms
     3  swiCE2-10GE-1-3.switch.ch (130.59.37.1)  5 ms  4 ms  4 ms
     4  *
     5  so-7-2-0.rt1.fra.de.geant2.net (62.40.112.22)  13 ms  13 ms  13 ms
     6  dfn-gw.rt1.fra.de.geant2.net (62.40.124.34)  13 ms  14 ms  13 ms
     7  zr-pot1-te0-7-0-2.x-win.dfn.de (188.1.145.138)  27 ms  28 ms  27 ms
     8  xr-tub1-te2-3.x-win.dfn.de (188.1.144.222)  28 ms  28 ms  28 ms
     9  xr-hub1-te2-1.x-win.dfn.de (188.1.144.13)  28 ms  29 ms  28 ms
    10  kr-dfnbln.x-win.dfn.de (188.1.230.162)  29 ms  29 ms  29 ms
    11  *
    12  *

Slide 17

TRACEROUTE: ROUTING PROBLEMS (nothing answers from hop 4 onward)

    root@ezmp3:/home/welti# traceroute www.dfn.de
    traceroute to zaurak.dfn.de (192.76.176.2), 64 hops max, 40 byte packets
     1  swiEZ2-G4-7.switch.ch (130.59.35.85)  0 ms  0 ms  0 ms
     2  swiLS2-10GE-1-1.switch.ch (130.59.36.205)  4 ms  4 ms  4 ms
     3  swiCE2-10GE-1-3.switch.ch (130.59.37.1)  5 ms  4 ms  4 ms
     4  *
     5  *
     6  *
     7  *
     8  *
     9  *
    10  *
    11  *
    12  *
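The reading rules illustrated on the preceding slides (routing loops, busy routers, rate limits, filtering hops and black holes, slides 13 through 17) can be checked mechanically against traceroute output. The following is an added example and not part of the original slides: it parses the text format shown above and applies each rule to a parsed trace. Both sample traces are constructed for this example from the slide's hostnames, not captured; the busy-router threshold (a hop whose median RTT exceeds the next answering hop's by a factor of 1.5) is an assumption chosen here.

```python
"""Parse traceroute output and map it onto the patterns from the slides:
routing loops, busy routers, rate limits, filtering hops, black holes.

Added example, not part of the original slides. Both traces are
constructed, not captured; busy_factor is an assumed threshold.
"""
import re
import statistics

SAMPLE_LOOP = """\
traceroute to zaurak.dfn.de (192.76.176.2), 64 hops max, 40 byte packets
 1  swiEZ2-G4-7.switch.ch (130.59.35.85)  0 ms  0 ms  0 ms
 2  swiLS2-10GE-1-1.switch.ch (130.59.36.205)  4 ms  4 ms  4 ms
 3  swiCE2-10GE-1-3.switch.ch (130.59.37.1)  5 ms  4 ms  4 ms
 4  swiLS2-10GE-1-1.switch.ch (130.59.36.205)  5 ms  5 ms  5 ms
 5  swiCE2-10GE-1-3.switch.ch (130.59.37.1)  5 ms  5 ms  5 ms
"""

# Constructed: a rate-limited hop (2), a filtering hop (3), a busy router
# (6) and silence from hop 8 on, all in one trace.
SAMPLE_MIXED = """\
traceroute to zaurak.dfn.de (192.76.176.2), 64 hops max, 40 byte packets
 1  swiEZ2-G4-7.switch.ch (130.59.35.85)  0 ms  0 ms  0 ms
 2  swiLS2-10GE-1-1.switch.ch (130.59.36.205)  4 ms  *  4 ms
 3  * * *
 4  switch.rt1.gen.ch.geant2.net (62.40.124.21)  4 ms  4 ms  4 ms
 5  so-7-2-0.rt1.fra.de.geant2.net (62.40.112.22)  13 ms  13 ms  13 ms
 6  dfn-gw.rt1.fra.de.geant2.net (62.40.124.34)  55 ms  58 ms  53 ms
 7  zr-pot1-te0-7-0-2.x-win.dfn.de (188.1.145.138)  27 ms  28 ms  27 ms
 8  * * *
 9  * * *
"""

HEADER_RE = re.compile(r"traceroute to \S+ \(([\d.]+)\)")
HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")
# Either "host (ip)", an RTT such as "12 ms", or a lone "*" (no reply).
TOKEN_RE = re.compile(r"(\S+)\s+\(([\d.]+)\)|([\d.]+)\s+ms|(\*)")


def parse_traceroute(text):
    """Return {'target': ip, 'hops': [{'hop', 'addrs', 'rtts'}, ...]}.
    'rtts' holds one float per probe, or None where traceroute printed '*'."""
    target, hops = None, []
    for line in text.splitlines():
        hm = HEADER_RE.search(line)
        if hm:
            target = hm.group(1)
            continue
        m = HOP_RE.match(line)
        if not m:
            continue
        hop = {"hop": int(m.group(1)), "addrs": [], "rtts": []}
        for _host, ip, rtt, star in TOKEN_RE.findall(m.group(2)):
            if ip:
                hop["addrs"].append(ip)
            elif rtt:
                hop["rtts"].append(float(rtt))
            elif star:
                hop["rtts"].append(None)
        hops.append(hop)
    return {"target": target, "hops": hops}


def median_rtt(hop):
    vals = [r for r in hop["rtts"] if r is not None]
    return statistics.median(vals) if vals else None


def diagnose_traceroute(trace, busy_factor=1.5):
    """Apply the slide's reading rules to one parsed trace."""
    hops, target = trace["hops"], trace["target"]
    findings = []
    # Routing loop: the same router answers at more than one TTL.
    seen = {}
    for h in hops:
        for a in h["addrs"]:
            seen.setdefault(a, []).append(h["hop"])
    for a, at in seen.items():
        if len(at) > 1:
            findings.append(f"routing loop: {a} answered at hops {at}")
            break
    last_answer = max((h["hop"] for h in hops if h["addrs"]), default=0)
    for i, h in enumerate(hops):
        if h["hop"] > last_answer:
            break  # trailing silence is judged as a whole below
        med = median_rtt(h)
        if med is None:
            findings.append(f"hop {h['hop']}: no replies but later hops answer: filtered router")
            continue
        if None in h["rtts"]:
            findings.append(f"hop {h['hop']}: {h['rtts'].count(None)} of {len(h['rtts'])} "
                            "probes unanswered: ICMP rate limit suspected")
        # A router slow to *generate* TTL-exceeded but forwarding at line
        # rate shows a high RTT that the following hop does not inherit.
        nxt = next((median_rtt(n) for n in hops[i + 1:] if median_rtt(n) is not None), None)
        if nxt is not None and med > busy_factor * nxt:
            findings.append(f"hop {h['hop']}: {med:g} ms vs {nxt:g} ms at the next hop: "
                            "busy router, not path latency")
    reached = any(target in h["addrs"] for h in hops)
    if not reached and hops and last_answer < hops[-1]["hop"]:
        findings.append(f"no replies from hop {last_answer + 1} on and {target} never answered: "
                        "black hole, or a filter on the forward or reverse path")
    return findings


if __name__ == "__main__":
    for sample in (SAMPLE_LOOP, SAMPLE_MIXED):
        print("\n".join(diagnose_traceroute(parse_traceroute(sample))), "\n")
```

The last finding is deliberately ambiguous: a run of asterisks up to the end of the trace looks the same whether the probes are dropped on the forward path or the ICMP replies are dropped on the way back, which is exactly the point the next slides make.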

Slide 18

TRACEROUTE: ROUTING PROBLEMS, BUT WHERE?
- Packet loss can happen on the reverse path as well: e.g. on the links 3->4, 4->5, 5->1
- (diagram: application A probes toward B through routers 1, 2 and 3; the TTL-exceeded reply from router 3 travels back via routers 4 and 5 to router 1 and then to A, so a problem on any of those reverse links also shows up as an asterisk)

Slide 19

TRACEROUTE: LIMITATIONS (1)
- Can't see the route from the destination back to the source
  - it may differ from the source-to-destination route
  - routes from intermediate routers back to the source may also differ
- Traceroute servers are used to discover another network's path back to you
  - when you suspect a problem on the return path
  - often provided as a web interface, see www.traceroute.org
- Looking-glass servers offer access to selected router commands

Slide 20

TRACEROUTE: LIMITATIONS (2)

    root@ezmp3:/home/welti# traceroute www.dfn.de
    traceroute to zaurak.dfn.de (192.76.176.2), 64 hops max, 40 byte packets
     1  swiEZ2-G4-7.switch.ch (130.59.35.85)  0 ms  0 ms  0 ms
     2  swiLS2-10GE-1-1.switch.ch (130.59.36.205)  4 ms  4 ms  4 ms
     3  swiCE2-10GE-1-3.switch.ch (130.59.37.1)  5 ms  4 ms  4 ms
     4  *
     5  *

- Could also be just a filter on the forward path
  - use a different kind of stimulus, e.g. TCP SYN packets to a known-open port (Linux traceroute -T -p <port>, or tcptraceroute)
- Or a filter / firewall on the reverse path that filters out the ICMP replies
  - ask nicely, or try a different source and destination

Slide 21

TRACEROUTE: LIMITATIONS (3)
- Traceroute can't see behind NATs
- What you see:

    traceroute to oreius.switch.ch (130.59.138.34), 64 hops max, 40 byte packets
     1  swiEZ2-G4-7.switch.ch (130.59.35.85)  0 ms  0 ms  0 ms
     2  swiLS2-10GE-1-1.switch.ch (130.59.36.205)  4 ms  4 ms  4 ms
     3  swiCP2-G1-0-28.switch.ch (130.59.36.14)  4 ms  4 ms  11 ms
     4  oreius.switch.ch (130.59.138.34)  4 ms  4 ms  4 ms

- In reality oreius may be behind a NAT box, i.e. the actual path is:

     4  NAT box (130.59.138.34)
     5  oreius.switch.ch (192.168.0.34)

Slide 22

TRACEROUTE: LIMITATIONS (4)
- Traceroute can't see devices that don't decrement the TTL: layer-2 switches, transparent middleboxes, firewalls
- What you see:

    traceroute to oreius.switch.ch (130.59.138.34), 64 hops max, 40 byte packets
     1  swiEZ2-G4-7.switch.ch (
