
Network Tools

ifconfig
arp
ping
route
traceroute
netcat
tcpdump
Wireshark

ifconfig
Network configuration and status
ifconfig                       status of all network interfaces
ifconfig eth0                  status of the ethernet 0 connection
ifconfig eth0 down             shuts ethernet 0 down
ifconfig eth0 up               starts ethernet 0
ifconfig eth0 172.16.13.97     assigns an IP address to ethernet 0
man ifconfig                   more info

ifconfig output
eth1      Link encap:Ethernet  HWaddr 00:0A:B7:FE:36:DB
          inet addr:140.211.110.121  Bcast:140.211.110.255  Mask:255.255.255.0
          inet6 addr: fe80::20a:b7ff:fefe:36db/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:5024 errors:1246 dropped:0 overruns:0 frame:1246
          TX packets:446 errors:0 dropped:0 overruns:0 carrier:0
          collisions:11 txqueuelen:1000
          RX bytes:1329231 (1.2 MiB)  TX bytes:45872 (44.7 KiB)
          Interrupt:3 Base address:0x100

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:157 errors:0 dropped:0 overruns:0 frame:0
          TX packets:157 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:43623 (42.6 KiB)  TX bytes:43623 (42.6 KiB)
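The eth1 block above is worth reading past the address line: 1246 of 5024 received packets were frame errors and the link logged 11 collisions, which is the kind of counter an operator checks before blaming the network. The following parser is an added example written for this page (not part of the slides or of net-tools); it turns the classic ifconfig layout shown above into a dictionary per interface and flags counters that need attention. The 1% error-rate threshold is an assumption chosen for illustration.

```python
import re

# Constructed sample: the eth1/lo output shown on the slide, in the classic
# net-tools layout (interface name at column 0, indented detail lines).
SAMPLE_IFCONFIG = """\
eth1      Link encap:Ethernet  HWaddr 00:0A:B7:FE:36:DB
          inet addr:140.211.110.121  Bcast:140.211.110.255  Mask:255.255.255.0
          inet6 addr: fe80::20a:b7ff:fefe:36db/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:5024 errors:1246 dropped:0 overruns:0 frame:1246
          TX packets:446 errors:0 dropped:0 overruns:0 carrier:0
          collisions:11 txqueuelen:1000
          RX bytes:1329231 (1.2 MiB)  TX bytes:45872 (44.7 KiB)
          Interrupt:3 Base address:0x100

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:157 errors:0 dropped:0 overruns:0 frame:0
          TX packets:157 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:43623 (42.6 KiB)  TX bytes:43623 (42.6 KiB)
"""

COUNTER_RE = re.compile(r"(RX|TX) packets:(\d+) errors:(\d+) dropped:(\d+) overruns:(\d+)")
ADDRESS_FIELDS = (("hwaddr", r"HWaddr\s+(\S+)"), ("inet", r"inet addr:(\S+)"),
                  ("bcast", r"Bcast:(\S+)"), ("mask", r"Mask:(\S+)"),
                  ("inet6", r"inet6 addr:\s*(\S+)"))


def parse_ifconfig(text: str) -> dict:
    """Parse net-tools style ifconfig output into {interface: {field: value}}."""
    interfaces, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():                      # a name at column 0 starts a block
            name, _, line = line.partition(" ")
            current = interfaces.setdefault(name, {"flags": []})
        if current is None:
            continue
        for key, pattern in ADDRESS_FIELDS:
            m = re.search(pattern, line)
            if m:
                current[key] = m.group(1)
        m = re.search(r"MTU:(\d+)", line)
        if m:                                          # flag words sit before MTU on that line
            current["mtu"] = int(m.group(1))
            current["flags"] = line.split("MTU:")[0].split()
        m = COUNTER_RE.search(line)
        if m:
            d = m.group(1).lower()
            for field, value in zip(("packets", "errors", "dropped", "overruns"), m.groups()[1:]):
                current[f"{d}_{field}"] = int(value)
        for key in ("collisions", "txqueuelen"):
            m = re.search(key + r":(\d+)", line)
            if m:
                current[key] = int(m.group(1))
        m = re.search(r"RX bytes:(\d+).*TX bytes:(\d+)", line)
        if m:
            current["rx_bytes"], current["tx_bytes"] = int(m.group(1)), int(m.group(2))
    return interfaces


def interface_findings(interfaces: dict, max_error_rate: float = 0.01) -> list:
    """Counters worth a second look: receive errors above max_error_rate of the packets
    (bad cabling, duplex mismatch, a noisy segment), collisions (which a full-duplex
    link never shows), and an interface that is UP without RUNNING (no carrier).
    Returns (interface, reason) pairs."""
    findings = []
    for name, info in interfaces.items():
        rx, rx_err = info.get("rx_packets", 0), info.get("rx_errors", 0)
        if rx and rx_err / rx > max_error_rate:
            findings.append((name, f"rx errors {rx_err}/{rx} ({rx_err / rx:.1%})"))
        if info.get("collisions", 0):
            findings.append((name, f"{info['collisions']} collisions"))
        if "UP" in info["flags"] and "RUNNING" not in info["flags"]:
            findings.append((name, "UP but not RUNNING (no carrier)"))
    return findings


if __name__ == "__main__":
    for iface, reason in interface_findings(parse_ifconfig(SAMPLE_IFCONFIG)):
        print(f"{iface}: {reason}")
```

Run against the sample, only eth1 is reported (a 24.8% receive error rate and the 11 collisions); the loopback interface passes every check.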

ipconfig (Win)
Network configuration and status
ipconfig           brief status of all network interfaces
ipconfig -All      complete status of all network interfaces
ipconfig -?        more info

ipconfig (Win)

ipconfig Output (Win)

arp
Modify or extract arp cache
arp
Address             HWtype  HWaddress          Flags Mask  Iface
BBCisco-91.sou.edu  ether   00:30:F2:C9:A0:B8  C           eth0


Arp (Win)

Arp Example (Win)

ping
Sends ICMP echo request
  Type = 8 echo request, 0 echo reply
  Code = 0
  Payload: as sent by the requester, returned by the reply
Linux: an echo request is sent after each reply until terminated with a ctrl-c
Summary statistics are calculated

ping options
Options:
-c xx      Number of requests to send
-Q x       Type of service
-s xxx     Size of payload
-b         Broadcast
-t xxx     Set ttl to xxx

Ping Example
Used to test network connections
Used to test network speeds
Used in DDoS attacks
[quirrel@somewhere]# ping 172.16.13.50 -c 5 -s 1000
PING 172.16.13.50 (172.16.13.50) from 140.211.91.82 : 1000(1024) bytes of data.
1008 bytes from 172.16.13.50: icmp_seq=1 ttl=255 time=0.459 ms
1008 bytes from 172.16.13.50: icmp_seq=2 ttl=255 time=0.441 ms
1008 bytes from 172.16.13.50: icmp_seq=3 ttl=255 time=0.432 ms
1008 bytes from 172.16.13.50: icmp_seq=4 ttl=255 time=0.402 ms
1008 bytes from 172.16.13.50: icmp_seq=5 ttl=255 time=0.388 ms

--- 172.16.13.50 ping statistics ---
5 packets transmitted, 5 received, 0% loss, time 4000ms
rtt min/avg/max/mdev = 0.388/0.424/0.459/0.031 ms
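What the slides describe, type 8 out, type 0 back, code 0, payload returned unchanged, can be shown at the byte level. The block below is an added example written for this page, not code from the slides or from any ping implementation: it builds an echo request, produces the reply a host would send, and applies the acceptance test ping uses (same identifier and sequence, payload echoed byte for byte, checksum intact). The identifier value and the random payload are constructed; real ping fills the payload with a timestamp and a pattern. With a 1000-byte payload each ICMP message is 8 + 1000 = 1008 bytes, the "1008 bytes from" figure in the run above.

```python
import os
import struct

ICMP_ECHO_REQUEST = 8   # Type 8, code 0: echo request
ICMP_ECHO_REPLY = 0     # Type 0, code 0: echo reply
ICMP_HEADER = struct.Struct("!BBHHH")   # type, code, checksum, identifier, sequence


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words, as ICMP uses."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Assemble an echo request or reply; the checksum covers header and payload."""
    header = ICMP_HEADER.pack(icmp_type, 0, 0, ident, seq)
    csum = inet_checksum(header + payload)
    return ICMP_HEADER.pack(icmp_type, 0, csum, ident, seq) + payload


def parse_echo(packet: bytes) -> dict:
    """Split an ICMP echo packet into fields; rejects short or corrupted packets."""
    if len(packet) < ICMP_HEADER.size:
        raise ValueError("packet shorter than ICMP header")
    if inet_checksum(packet) != 0:   # an intact packet sums to all ones, complement zero
        raise ValueError("ICMP checksum mismatch")
    icmp_type, code, _, ident, seq = ICMP_HEADER.unpack(packet[:ICMP_HEADER.size])
    return {"type": icmp_type, "code": code, "id": ident, "seq": seq,
            "payload": packet[ICMP_HEADER.size:]}


def answer_echo(request: bytes) -> bytes:
    """What the pinged host does: same id, seq and payload; type 8 becomes type 0."""
    req = parse_echo(request)
    if req["type"] != ICMP_ECHO_REQUEST or req["code"] != 0:
        raise ValueError("not an echo request")
    return build_echo(ICMP_ECHO_REPLY, req["id"], req["seq"], req["payload"])


def reply_matches(request: bytes, reply: bytes) -> bool:
    """ping's acceptance test: the reply must carry our id/seq and echo the payload unchanged."""
    try:
        req, rep = parse_echo(request), parse_echo(reply)
    except ValueError:
        return False
    return (rep["type"] == ICMP_ECHO_REPLY and rep["code"] == 0
            and (rep["id"], rep["seq"]) == (req["id"], req["seq"])
            and rep["payload"] == req["payload"])


def simulate_ping(count: int = 5, size: int = 1000, ident: int = 0x1234) -> list:
    """Send `count` requests of `size` payload bytes through a simulated responder and
    return the length of each accepted reply (header + payload), as in "1008 bytes from"."""
    lengths = []
    for seq in range(1, count + 1):
        payload = os.urandom(size)   # constructed payload (real ping: timestamp + pattern)
        request = build_echo(ICMP_ECHO_REQUEST, ident, seq, payload)
        reply = answer_echo(request)
        if not reply_matches(request, reply):
            raise RuntimeError(f"reply for icmp_seq={seq} rejected")
        lengths.append(len(reply))
    return lengths


if __name__ == "__main__":
    print(simulate_ping())   # five replies of 1008 bytes each
```

reply_matches is also where a reply with a flipped payload byte or a stale sequence number is dropped: the checksum catches the first, the (id, seq) comparison the second, so ping only counts replies that really belong to the request it sent.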

ping options (Win)

ping Example (Win)

route
Configure or report status of host's routing table
route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 vmnet8
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
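The table above answers one question per packet: which interface, and directly or via a gateway. The following block is an added example for this page, not code from the slides or from net-tools; it parses `route -n` output and performs the lookup the kernel performs, longest matching prefix first, lower metric on a tie. It goes a step beyond the slide's table by also handling a default route (destination 0.0.0.0), which the table shown above lacks, so in that table any address outside 192.168.0.0/24 and 127.0.0.0/8 has no route at all. The extra default-route line used in the usage notes is constructed.

```python
import ipaddress

# Constructed sample: the `route -n` table shown on the slide.
ROUTE_N_OUTPUT = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 vmnet8
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
"""


def parse_route_table(text: str) -> list:
    """Turn `route -n` output into route dicts: network, gateway, flags, metric, iface."""
    routes = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) != 8 or cols[0] == "Destination":
            continue                                   # banner and header lines
        dest, gateway, genmask, flags, metric, _ref, _use, iface = cols
        routes.append({
            "network": ipaddress.ip_network(f"{dest}/{genmask}", strict=False),
            "gateway": None if gateway == "0.0.0.0" else ipaddress.ip_address(gateway),
            "flags": flags,
            "metric": int(metric),
            "iface": iface,
        })
    return routes


def lookup(routes: list, destination: str):
    """Longest-prefix match: the most specific usable (U) route wins; a tie goes to the
    lower metric. Returns None when no route covers the address."""
    addr = ipaddress.ip_address(destination)
    candidates = [r for r in routes if "U" in r["flags"] and addr in r["network"]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r["network"].prefixlen, -r["metric"]))


def next_hop(routes: list, destination: str) -> str:
    """Human-readable decision: which interface, and direct delivery or via a gateway."""
    route = lookup(routes, destination)
    if route is None:
        return f"{destination}: no route to host"
    via = "directly" if route["gateway"] is None else f"via {route['gateway']}"
    return f"{destination}: {via} on {route['iface']}"


if __name__ == "__main__":
    table = parse_route_table(ROUTE_N_OUTPUT)
    for dst in ("192.168.0.5", "127.0.0.1", "140.211.110.121"):
        print(next_hop(table, dst))
```

With the slide's table, 192.168.0.5 goes out vmnet8 directly, 127.0.0.1 stays on lo, and 140.211.110.121 gets "no route to host". Append a constructed default route (`0.0.0.0  192.168.0.1  0.0.0.0  UG ... vmnet8`) and the same address is forwarded via 192.168.0.1, while 192.168.0.5 still matches the /24 because the longer prefix wins over /0.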

route Options (Win)

route Options (Win) (continued)

route Example (Win)

traceroute host_name
Determines connectivity to a remote host
Uses UDP
Options
-f     set initial ttl
-F     set don't frag bit
-I     use echo request instead of UDP
-t     set type of service
-v     verbose output

traceroute Example
traceroute www.f-prot.com
 1  BBCisco-91.sou.edu (140.211.91.1)  0.654 ms  0.544 ms  0.504 ms
 2  scrubber.sou.edu (140.211.102.34)  0.416 ms  0.386 ms  0.522 ms
 3  sou-pop.nero.net (140.211.4.1)  1.638 ms  1.598 ms  1.561 ms
 4  corv-car2-gw.nero.net (140.211.1.25)  15.474 ms  24.891 ms corv-car2-gw.nero.net (140.211.0.185)  22.227 ms
 5  corv-car1-gw.nero.net (207.98.64.193)  20.046 ms  20.204 ms  21.661 ms
 6  ptld-core1-gw.nero.net (207.98.64.21)  21.631 ms  18.890 ms  31.521 ms
 7  ptld-core2-gw.nero.net (207.98.64.177)  18.932 ms  28.446 ms  23.135 ms
 8  ptck-core1-gw.nero.net (207.98.64.10)  19.978 ms  18.329 ms  30.266 ms
 9  POS6-1.hsipaccess2.Seattle1.Level3.net (63.211.200.245)  26.382 ms  31.671 ms  21.383 ms
10  ge-4-0-1.mp1.Seattle1.level3.net (209.247.9.61)  25.033 ms  28.164 ms  28.482 ms
11  gig11-1.hsa1.Seattle1.level3.net (209.247.9.46)  19.209 ms  44.756 ms  22.834 ms
12  core1.Seattle.Teleglobe.net (209.0.227.142)  54.156 ms  62.715 ms  34.783 ms
13  if-13-0.core2.Sacramento.Teleglobe.net (64.86.83.193)  45.352 ms  50.686 ms  47.254 ms
14  if-1-0.core2.Sacramento.Teleglobe.net (64.86.83.222)  46.497 ms  62.374 ms  75.823 ms
15  if-9-0.core2.Chicago3.Teleglobe.net (64.86.83.137)  98.147 ms  98.298 ms  103.634 ms
16  if-2-0.core3.NewYork.Teleglobe.net (64.86.83.218)  97.669 ms  103.466 ms  100.087 ms
17  if-10-0.core1.NewYork.Teleglobe.net (66.110.8.133)  97.588 ms  103.310 ms  100.475 ms
18  if-5-0-0.bb6.NewYork.teleglobe.net (207.45.221.104)  179.906 ms  101.384 ms  187.031 ms
19  ix-1-0-1.bb6.NewYork.Teleglobe.net (207.45.205.114)  163.676 ms  162.706 ms  165.844 ms
20  MultiGigabit-13.backbone-hofdab1.linanet.is (62.145.129.187)  166.070 ms  164.363 ms  176.033 ms
21  gigabit-1-1.skulagata.linanet.is (213.220.64.7)  167.057 ms  180.174 ms  191.346 ms
22  customer-gigabit-1-123.skulagata.linanet.is (62.145.130.150)  171.756 ms !X  *  163.602 ms !X
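Reading latencies off a trace like this one, which is also what Lab 2 asks for, means coping with three things the raw lines contain: a hop that answers from two addresses (hop 4), a probe that timed out (the `*` at hop 22) and the `!X` marks (the router reported the probe as administratively prohibited). The parser below is an added example written for this page, not code from the slides or from traceroute; it works on a handful of the hops above, embedded as constructed sample input, and reports per hop the median of the three probes and the increase over the previous hop.

```python
import re
import statistics

# Constructed sample: selected hops from the slide's `traceroute www.f-prot.com` run,
# including the two-address hop and the final hop with a timeout and !X marks.
TRACEROUTE_OUTPUT = """\
 1  BBCisco-91.sou.edu (140.211.91.1)  0.654 ms  0.544 ms  0.504 ms
 2  scrubber.sou.edu (140.211.102.34)  0.416 ms  0.386 ms  0.522 ms
 3  sou-pop.nero.net (140.211.4.1)  1.638 ms  1.598 ms  1.561 ms
 4  corv-car2-gw.nero.net (140.211.1.25)  15.474 ms  24.891 ms corv-car2-gw.nero.net (140.211.0.185)  22.227 ms
 9  POS6-1.hsipaccess2.Seattle1.Level3.net (63.211.200.245)  26.382 ms  31.671 ms  21.383 ms
12  core1.Seattle.Teleglobe.net (209.0.227.142)  54.156 ms  62.715 ms  34.783 ms
15  if-9-0.core2.Chicago3.Teleglobe.net (64.86.83.137)  98.147 ms  98.298 ms  103.634 ms
22  customer-gigabit-1-123.skulagata.linanet.is (62.145.130.150)  171.756 ms !X  *  163.602 ms !X
"""

HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")


def parse_hop(line: str):
    """One traceroute line -> {ttl, responders, rtts, lost, flags}, or None if not a hop."""
    m = HOP_RE.match(line)
    if not m:
        return None
    hop = {"ttl": int(m.group(1)), "responders": [], "rtts": [], "lost": 0, "flags": []}
    tokens = m.group(2).split()
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "*":                                  # probe went unanswered
            hop["lost"] += 1
            i += 1
        elif tok.startswith("!"):                       # !X, !H, !N ... ICMP error annotations
            hop["flags"].append(tok)
            i += 1
        elif tok.startswith("(") and tok.endswith(")"):  # responding address; a hop may have several
            hop["responders"].append(tok[1:-1])
            i += 1
        elif i + 1 < len(tokens) and tokens[i + 1] == "ms":
            hop["rtts"].append(float(tok))
            i += 2
        else:                                           # host name; not needed for the statistics
            i += 1
    return hop


def parse_traceroute(text: str) -> list:
    return [hop for hop in map(parse_hop, text.splitlines()) if hop]


def hop_summary(hops: list) -> list:
    """Per hop: median RTT and its increase over the previous answering hop. The median
    resists a single slow probe (queueing on a busy router); a negative delta is normal,
    since every probe is an independent round trip and replies come from different routers."""
    rows, prev = [], None
    for hop in hops:
        median = statistics.median(hop["rtts"]) if hop["rtts"] else None
        delta = None if median is None or prev is None else round(median - prev, 3)
        rows.append({"ttl": hop["ttl"], "median_ms": median, "delta_ms": delta,
                     "lost": hop["lost"], "flags": sorted(set(hop["flags"]))})
        if median is not None:
            prev = median
    return rows


if __name__ == "__main__":
    for row in hop_summary(parse_traceroute(TRACEROUTE_OUTPUT)):
        print(row)
```

On this sample the big steps are where one expects them: about 20 ms appear between hops 3 and 4 (campus to regional network), another 30 ms or so between Seattle and the Teleglobe core, and the last hop's median is roughly 168 ms despite one lost probe.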

tracert Usage (Win)

tracert Example (Win)

host
Forward and reverse DNS lookups
host www.f-prot.com
www.f-prot.com has address 213.220.100.1
www.f-prot.com has address 213.220.100.2
www.f-prot.com has address 213.220.100.3
host 213.220.100.3
3.100.220.213.in-addr.arpa domain name pointer aula.frisk-software.com.

whois Usage (Win)

Whois IP [Address] - Also works

whois Example (Win)

netstat Example
Show the status of all network connections
Shows all listening ports

Netstat - linux

netstat Example

netstat (Win)

netstat Example (Win)

tcpdump

Packet sniffer
Installed with Linux
Commonly used
Often used as the data file for GUI backends

tcpdump Syntax

Syntax:
tcpdump [options] -i <interface> -w <dump file>
tcpdump -c 1000 -i eth0 -w etho.dmp

tcpdump Options

-n              do not convert host addresses to names
-nn             do not convert protocols and ports to names
-i ethn         listen on interface eth0, eth1, eth2
-c xx           exit after xx packets
-e              print link level info
-f file_name    read packets from file file_name
-v              slightly verbose
-vv             verbose
-vvv            very verbose
-w file_name    write packets to file file_name
-x              write packets in hex
-X              write packets in hex and ASCII
-S              write absolute sequence and acknowledgment numbers

tcpdump Example
16:31:47.114550 172.16.13.3.1127 > 172.16.13.50.21: S [tcp sum ok] 10580321:10580321(0) win 8192 <mss 1460,nop,nop,sackOK> (DF) (ttl 128, id 6487, len 48)
0x0000 4500 0030 1957 4000 8006 6f1b ac10 0d03  E..0.W@...o.....
0x0010 ac10 0d32 0467 0015 00a1 7161 0000 0000  ...2.g....qa....
0x0020 7002 2000 7a4b 0000 0204 05b4 0101 0402  p...zK..........
16:31:47.114784 172.16.13.50.21 > 172.16.13.3.1127: S [tcp sum ok] 378086426:378086426(0) ack 10580322 win 32120 <mss 1460,nop,nop,sackOK> (DF) (ttl 64, id 4418, len 48)
0x0000 4500 0030 1142 4000 4006 b730 ac10 0d32  E..0.B@.@..0...2
0x0010 ac10 0d03 0015 0467 1689 241a 00a1 7162  .......g..$...qb
0x0020 7012 7d78 e21e 0000 0204 05b4 0101 0402  p.}x............
16:31:47.114932 172.16.13.3.1127 > 172.16.13.50.21: . [tcp sum ok] ack 378086427 win 8760 (DF) (ttl 128, id 6743, len 40)
0x0000 4500 0028 1a57 4000 8006 6e23 ac10 0d03  E..(.W@...n#....
0x0010 ac10 0d32 0467 0015 00a1 7162 1689 241b  ...2.g....qb..$.
0x0020 5010 2238 6a23 0000 0000 0000 0000       P."8j#........
16:31:50.144368 172.16.13.50.21 > 172.16.13.3.1127: P 378086427:378086510(83) ack 10580322 win 32120 (DF) [tos 0x10] (ttl 64, id 4443, len 123)
0x0000 4510 007b 115b 4000 4006 b6bc ac10 0d32  E..{.[@.@......2
0x0010 ac10 0d03 0015 0467 1689 241b 00a1 7162  .......g..$...qb
0x0020 5018 7d78 f978 0000 3232 3020 5369 7379  P.}x.x..220.Sisy
0x0030 7068 7573 2046 5450 2073 6572 7665 7220  phus.FTP.server.
0x0040 2856 6572 7369 6f6e 2077 752d 322e 362e  (Version.wu-2.6.
0x0050 3028                                     0(

tcpdump Output

16:32:01.569837 172.16.13.50.21 > 172.16.13.3.1127: F [tcp sum ok] 378086579:378086579(0) ack 10580352 win 32120 (DF) [tos 0x10] (ttl 64, id 4449, len 40)

16:32:01.569837              Time of packet
172.16.13.50.21              Src IP Addr.prt
172.16.13.3.1127             Dest IP Addr.prt
F                            Flgs (TCP flags)
[tcp sum ok]                 tcp: ptcl; sum ok: chsum verified
378086579:378086579(0)       Sequence# Beginning:Ending (Diff)
ack 10580352                 Acknowledgment#
win 32120                    Window
(DF)                         Don't Frag
[tos 0x10]                   Type of service
(ttl 64, id 4449, len 40)    IP Dgram: ttl, id, length
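Every field in that summary line comes straight from the hex bytes printed under it, and the breakdown above is easiest to trust once you have reproduced it yourself. The block below is an added example written for this page, not code from the slides or from tcpdump: it rebuilds the bytes of the first (SYN) and fourth (FTP banner) packets of the tcpdump Example from their `0x...` lines, decodes the IP and TCP headers, and verifies both checksums the way "[tcp sum ok]" does (the TCP checksum covers a pseudo-header of addresses, protocol and TCP length plus the segment). The fourth packet shows the edge case: tcpdump captured only 82 of its 123 bytes, so the TCP checksum cannot be verified and the decoder says so instead of guessing. The hex dumps are copied from the slide; only the ASCII column was left out.

```python
import re

# Constructed sample: hex dumps of the first (SYN) and fourth (FTP banner) packets from
# the slide's tcpdump listing, offsets and hex words only (the -X ASCII column omitted).
SYN_DUMP = """\
0x0000 4500 0030 1957 4000 8006 6f1b ac10 0d03
0x0010 ac10 0d32 0467 0015 00a1 7161 0000 0000
0x0020 7002 2000 7a4b 0000 0204 05b4 0101 0402
"""
BANNER_DUMP = """\
0x0000 4510 007b 115b 4000 4006 b6bc ac10 0d32
0x0010 ac10 0d03 0015 0467 1689 241b 00a1 7162
0x0020 5018 7d78 f978 0000 3232 3020 5369 7379
0x0030 7068 7573 2046 5450 2073 6572 7665 7220
0x0040 2856 6572 7369 6f6e 2077 752d 322e 362e
0x0050 3028
"""
HEX_WORD = re.compile(r"[0-9a-fA-F]{4}")
TCP_FLAG_LETTERS = ((0x01, "F"), (0x02, "S"), (0x04, "R"), (0x08, "P"), (0x20, "U"))


def dump_to_bytes(dump: str) -> bytes:
    """Rebuild captured bytes from -x/-X lines: an offset, then at most eight hex words.
    Whatever follows the words (the ASCII column) is not a 4-digit hex word and is skipped."""
    out = bytearray()
    for line in dump.splitlines():
        tokens = line.split()
        if not tokens or not tokens[0].lower().startswith("0x"):
            continue
        for tok in tokens[1:9]:
            if not HEX_WORD.fullmatch(tok):
                break
            out += bytes.fromhex(tok)
    return bytes(out)


def inet_checksum(data: bytes) -> int:
    """RFC 1071 checksum; data whose checksum field is correct sums to zero."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def decode_tcp_options(raw: bytes) -> list:
    """The <mss 1460,nop,nop,sackOK> part of the summary line."""
    opts, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                      # end of option list
            break
        if kind == 1:                      # nop: one byte, no length field
            opts.append("nop")
            i += 1
            continue
        length = raw[i + 1]
        body = raw[i + 2:i + length]
        if kind == 2:
            opts.append(f"mss {int.from_bytes(body, 'big')}")
        elif kind == 4:
            opts.append("sackOK")
        else:
            opts.append(f"opt-{kind}")
        i += max(length, 2)                # a zero length in a corrupt header must not loop forever
    return opts


def decode_ipv4_tcp(packet: bytes) -> dict:
    """Decode the fields tcpdump prints: addresses/ports, flags, seq/ack, window, DF, tos,
    ttl, id, len, both checksums and the payload length ("(N)" after the sequence range)."""
    if len(packet) < 20 or packet[0] >> 4 != 4 or packet[9] != 6:
        raise ValueError("not an IPv4/TCP packet")
    ihl = (packet[0] & 0x0F) * 4
    total_len = int.from_bytes(packet[2:4], "big")
    tcp = packet[ihl:total_len]
    if len(tcp) < 20:
        raise ValueError("TCP header missing from capture")
    offset = (tcp[12] >> 4) * 4
    bits = tcp[13]
    info = {
        "src": ".".join(map(str, packet[12:16])), "dst": ".".join(map(str, packet[16:20])),
        "tos": packet[1], "len": total_len, "id": int.from_bytes(packet[4:6], "big"),
        "df": bool(int.from_bytes(packet[6:8], "big") & 0x4000), "ttl": packet[8],
        "ip_sum_ok": inet_checksum(packet[:ihl]) == 0,
        "truncated": len(packet) < total_len,          # snaplen cut the packet short
        "sport": int.from_bytes(tcp[0:2], "big"), "dport": int.from_bytes(tcp[2:4], "big"),
        "flags": "".join(l for bit, l in TCP_FLAG_LETTERS if bits & bit) or ".",
        "seq": int.from_bytes(tcp[4:8], "big"),
        "ack": int.from_bytes(tcp[8:12], "big") if bits & 0x10 else None,
        "window": int.from_bytes(tcp[14:16], "big"),
        "options": decode_tcp_options(tcp[20:offset]),
        "payload_len": total_len - ihl - offset,       # from the IP length, not the capture
        "payload": tcp[offset:],                       # only what was captured
    }
    if info["truncated"]:
        info["tcp_sum_ok"] = None      # bytes are missing, so the sum cannot be checked
    else:                              # pseudo-header + segment, as "[tcp sum ok]" checks
        pseudo = packet[12:20] + bytes([0, 6]) + len(tcp).to_bytes(2, "big")
        info["tcp_sum_ok"] = inet_checksum(pseudo + tcp) == 0
    return info


if __name__ == "__main__":
    for dump in (SYN_DUMP, BANNER_DUMP):
        d = decode_ipv4_tcp(dump_to_bytes(dump))
        print(f"{d['src']}.{d['sport']} > {d['dst']}.{d['dport']}: {d['flags']} seq {d['seq']} "
              f"ack {d['ack']} win {d['window']} ({d['payload_len']}) ip_sum_ok={d['ip_sum_ok']} "
              f"tcp_sum_ok={d['tcp_sum_ok']} truncated={d['truncated']}")
```

For the SYN the decoder returns exactly what the summary line says: 172.16.13.3.1127 > 172.16.13.50.21, flags S, seq 10580321, window 8192, options mss 1460/nop/nop/sackOK, DF set, ttl 128, id 6487, len 48, both checksums good. For the banner packet it returns P with ack 10580322, 83 payload bytes by the IP length, and the captured text starting "220 Sisyphus FTP server".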

Wireshark
User friendly GUI backend for tcpdump

netcat
Read & write UDP/TCP data
http://www.atstake.com/research/tools/
Useful to test networks and performance

netcat
Copies data across network connections.
Uses UDP or TCP.
Reliable and robust.
Used directly at the command level.
Can be driven by other programs and scripts.
Very useful in forensic capture of a live system.
Simple paradigm:
  On the remote collecting system open a listening port.
  On the current/compromised system pipe data to the remote system.
  Connection is closed automatically after data transfer has completed.

netcat Usage
Remote logging system:
# nc -l -p 8888 > date_started
  -l   listen mode
  -p   port number
  Pipes the data from the connection to the file date_started
Possibly compromised system:
F:\> tools\date.exe | tools\nc.exe 192.168.1.100 8888 -w 3
  -w 3   times out in 3 seconds
  Uses the uncorrupted date binary from the forensics USB/CDROM.
  Uses the uncorrupted nc binary from the forensics USB/CDROM.
  Sends the output to 192.168.1.100 port 8888

netcat Usage
Log the start of the data collection.
  (Remote)   C:\> Case\nc.exe -l -p 8888 > date_started
  (Corrupt)  F:\> tools\date | tools\nc.exe 192.168.1.100 8888 -w 3
Get network status.
  (Remote)   C:\> Case\nc.exe -l -p 8888 > netstat.doc
  (Corrupt)  F:\> tools\netstat | tools\nc.exe 192.168.1.100 8888 -w 3
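The two halves of that paradigm, a listener that writes whatever arrives to a file and a sender that pipes a command's output into the connection and then closes it, can be exercised on one machine to see why the listener stops by itself: the collector reads until the sender's end of stream, so no byte count or terminator has to be agreed in advance. The block below is an added example written for this page, not code from the slides or from netcat. It uses loopback and a port chosen by the operating system, and a constructed command that prints a fixed line stands in for the trusted `date` binary; the `date_started` file name follows the slide. Nothing here replaces the practice the slide insists on of running binaries from the forensics media rather than from the suspect system.

```python
import socket
import subprocess
import sys
import tempfile
import threading
from pathlib import Path


class Collector(threading.Thread):
    """The `nc -l -p PORT > file` side: accept one connection, keep everything received
    until the peer closes, then exit. Port 0 lets the OS pick a free port for the demo."""

    def __init__(self, host: str = "127.0.0.1", port: int = 0, out_file: Path = None):
        super().__init__(daemon=True)
        self.server = socket.create_server((host, port))   # bound and listening before the sender runs
        self.port = self.server.getsockname()[1]
        self.out_file = out_file
        self.received = b""

    def run(self) -> None:
        chunks = []
        with self.server:
            conn, _ = self.server.accept()                 # a single connection, like nc -l
            with conn:
                while chunk := conn.recv(4096):            # empty read: the sender closed
                    chunks.append(chunk)
        self.received = b"".join(chunks)
        if self.out_file is not None:
            Path(self.out_file).write_bytes(self.received)


def send_command_output(host: str, port: int, command: list, timeout: float = 3.0) -> int:
    """The `command | nc HOST PORT -w 3` side: stream the command's stdout into the
    connection and close it when the command finishes. Returns the number of bytes sent.
    `timeout` bounds the connect and each send, the role -w 3 plays on the slide."""
    sent = 0
    with socket.create_connection((host, port), timeout=timeout) as conn:
        proc = subprocess.Popen(command, stdout=subprocess.PIPE)
        for chunk in iter(lambda: proc.stdout.read(4096), b""):
            conn.sendall(chunk)
            sent += len(chunk)
        proc.wait()
        conn.shutdown(socket.SHUT_WR)   # explicit end of stream: the collector stops here
    return sent


def collect_over_loopback(command: list, out_file: Path = None) -> bytes:
    """Run both halves on this machine and return what arrived on the collector side."""
    collector = Collector(out_file=out_file)
    collector.start()
    send_command_output("127.0.0.1", collector.port, command)
    collector.join(timeout=10)
    return collector.received


def demo() -> bytes:
    """Stand-in for `date | nc 192.168.1.100 8888 -w 3` feeding `nc -l -p 8888 > date_started`:
    a constructed command prints a fixed line so the result is reproducible."""
    out_file = Path(tempfile.mkdtemp()) / "date_started"
    command = [sys.executable, "-c", "print('date_started: constructed timestamp line')"]
    collect_over_loopback(command, out_file)
    return out_file.read_bytes()


if __name__ == "__main__":
    print(demo())
```

The sender's shutdown is what ends the transfer; if the sending side is killed before that, the collector's file simply holds whatever arrived so far, which is why the slide logs a start time first and collects each artifact over its own connection.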

Computer Security II: Lab 2

Use traceroute to trace a connection to either www.f-prot.com or www.fsecure.com. Describe the route and calculate some of the latencies through the major routers.

Using the host command find the owner of ftp.osuosl.org. Are there any other IP addresses that belong to Apple?

Setup Wireshark to capture only packets to and from your workstation. Set it in capture mode. In a terminal window connect to ftp.osuosl.org.
  ftp
  open ftp.osuosl.org
  User name: password
  Password:
  ls
  close
  quit

Using the Wireshark capture function draw a diagram of the connection packets together with the sequence and acknowledge numbers. Check the arithmetic to make sure the connections are correct.
