Monitoring Your Network: ping, netstat, tcpdump, and Ethereal

With the ping program, you can check whether you can actually reach another host on your network. ping sends a request to the host asking for a reply; the host sends the reply back, and it is displayed on your screen. ping keeps sending such requests until you stop it with a break command, CTRL-C, so you see one reply after another scroll by until you stop the program. If ping cannot reach a host, it issues a message saying the host is unreachable. A ping failure may indicate that your network connection is not working: the problem may be limited to the particular interface, or it may be a basic configuration problem or a bad physical connection. ping uses the Internet Control Message Protocol (ICMP), discussed in Chapter 19. Networks may block ICMP as a security measure, which also prevents ping from working, so a ping failure may simply indicate a security precaution on the part of the queried network.

To use ping, enter ping and the name of the host.

$ ping ftp.redhat.com

Ethereal

Ethereal is a network protocol analyzer that lets you capture packets transmitted across your network, selecting and examining those from the protocols you want to check. You can examine the packets from a particular transmission, displaying their data in readable formats. The Ethereal interface displays three panes: a listing of the current packets, the protocol tree for the currently selected packet, and a display of the selected packet's contents. The first pane categorizes entries by time, source, destination, and protocol, with a button header for each. To sort a set of entries by a particular category, click its header. For example, to group entries by protocol, click the Protocol button; to group them by destination, use the Destination button.

Capture Options

To start Ethereal, you select the Start entry from the Capture menu. This opens an options window where you can select the network interface to watch. Here you can also select options such as the file to hold your captured information in and a size limit for the capture, along with a filter to screen packets. With the promiscuous mode selected, you can see all network traffic passing through that device, whereas with it off, you will see only those packets destined for that device.

  • The Capture Files option lets you select a file to save your capture in. If no file is selected, then data is simply displayed in the Ethereal window. If you want to keep a continuous running snapshot of your network traffic, you can use ring buffers. These are a series of files that are used to save captured data. When they fill up, the capture begins saving again to the first file, and so on.

  • Display options control whether packets are displayed in real time on the Ethereal window.

  • Capture limits let you set a limit for the capture either by packets, size, or time.

  • Name resolution enables the display of host and domain names instead of IP addresses, if possible.

Ethereal Filters

A filter lets you select packets that match specified criteria, such as packets from a particular host. Criteria are specified using expressions supported by the Packet Capture Library and implemented by tcpdump, so Ethereal filters use the same expressions as the tcpdump command. Check the tcpdump Man page for detailed descriptions.

An expression consists of an ID, such as the name or number of a host, and a qualifier. Qualifiers come in three types: type, direction, and protocol. The type can reference a host, a network, or a port; the type qualifiers are host, net, and port. Direction selects either source or destination packets, or both. The source qualifier is src, and the destination qualifier is dst. With no direction qualifier, both directions are selected. Protocol lets you specify packets for a certain protocol. Protocols are represented by their lowercase names, such as icmp for ICMP. For example, the expression to list all packets coming in from a particular host would be src host hostname, where hostname is the source host. The following example will display all packets from the 192.168.0.3 host.

src host 192.168.0.3

Using just host will check for all packets going out as well as coming in for that host. The port qualifier will check for packets passing through a particular port. To check for a particular protocol, you use the protocol name. For example, to check for all ICMP packets you would use the expression

icmp

There are also several special qualifiers that let you further control your selection. The gateway qualifier lets you detect packets passing through a gateway. The broadcast and multicast qualifiers detect packets broadcast or multicast to a network. The greater and less qualifiers can be applied to numbers such as ports or IP addresses.

You can combine expressions into a single complex Boolean expression using and, or, or not. This lets you create a more refined filter. For example, to capture only the ICMP packets coming in from host 192.168.0.3, you can use

src host 192.168.0.3 and icmp
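The filter grammar described above (type qualifiers host, net, port; direction qualifiers src and dst; bare protocol names; and, or, not) can be seen in action with a small evaluator run over constructed packet records. This is an added example, not code from the book or from tcpdump or Ethereal; it assumes packets are dictionaries with src, dst, proto and optional srcport/dstport keys, that net values are written in CIDR form, and it follows tcpdump's rule that and binds more tightly than or.

```python
import ipaddress
PACKETS = [  # constructed sample packet records, not captured traffic
    {"src": "192.168.0.3", "dst": "192.168.0.1", "proto": "icmp"},
    {"src": "192.168.0.1", "dst": "192.168.0.3", "proto": "icmp"},
    {"src": "192.168.0.3", "dst": "10.0.0.5", "proto": "tcp", "srcport": 40001, "dstport": 21},
    {"src": "172.16.4.9", "dst": "192.168.0.3", "proto": "udp", "srcport": 53, "dstport": 40002},
]

def compile_filter(expr):
    """Parse a filter expression ([src|dst] host/net/port, bare protocol names,
    combined with not/and/or; 'and' binds tighter than 'or') into a predicate."""
    toks = expr.split()
    def peek():
        return toks[0] if toks else None
    def chain(word, sub, op):                # left-assoc: sub (word sub)*
        left = sub()
        while peek() == word:
            toks.pop(0)
            left = (lambda a, b: lambda p: op(a(p), b(p)))(left, sub())
        return left
    def or_expr():
        return chain("or", and_expr, lambda x, y: x or y)
    def and_expr():
        return chain("and", unary, lambda x, y: x and y)
    def unary():
        if peek() == "not":
            toks.pop(0)
            return (lambda f: lambda p: not f(p))(unary())
        return primary()
    def primary():
        dirs, tok = ("src", "dst"), toks.pop(0)
        if tok in dirs:                      # direction qualifier: test only that side
            dirs, tok = (tok,), toks.pop(0)
        if tok == "host":
            h = toks.pop(0)
            return lambda p: any(p[d] == h for d in dirs)
        if tok == "net":                     # assumes CIDR form, e.g. 192.168.0.0/24
            n = ipaddress.ip_network(toks.pop(0))
            return lambda p: any(ipaddress.ip_address(p[d]) in n for d in dirs)
        if tok == "port":
            n = int(toks.pop(0))
            return lambda p: any(p.get(d + "port") == n for d in dirs)
        return lambda p: p["proto"] == tok   # bare protocol name such as icmp
    fn = or_expr()
    if toks:
        raise ValueError("unexpected token: " + toks[0])
    return fn

def select(expr, packets=PACKETS):           # indices of the packets the filter matches
    fn = compile_filter(expr)
    return [i for i, p in enumerate(packets) if fn(p)]
```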

To create or select filters, click the Filter button in the options window when you first start a capture. This opens a Capture Filter window with a listing of filters you have already created. Boxes for the filter name and filter string are displayed below. To create a new filter, enter the name you want to give it in the Filter Name box. Then in the Filter String box, enter the filter expression, like icmp. Then click New. Your new filter will appear in the list. To change a filter, select it and change its expression in the Filter String box, then click Change.

tcpdump

Like Ethereal, tcpdump will capture network packets, saving them in a file where you can examine them. tcpdump operates entirely from the command line. You will have to open a terminal window to run it. Using various options, you can refine your capture, specifying the kinds of packets you want. tcpdump uses a set of options to specify actions you want to take, which include limiting the size of the capture, deciding which file to save it to, and choosing any filter you want to apply to it. Check the tcpdump Man page for a complete listing.

  • The -i option lets you specify an interface to listen to.

  • With the -c option, you can limit the number of packets to capture.

  • Packets will be output to the standard output by default. To save them to a file, you can use the -w option.

  • You can later read a packet file using the -r option and apply a filter expression to it.

tcpdump takes as its argument a filter expression that you can use to refine your capture. Ethereal uses the same filter expressions as tcpdump (see the filters discussion in Ethereal).

netstat

The netstat program provides real-time information on the status of your network connections, as well as network statistics and the routing table. The netstat command has several options you can use to bring up different sorts of information about your network:

# netstat
Active Internet connections
Proto Recv-Q Send-Q Local Address Foreign Address (State) User
tcp 0 0 turtle.mytrek.com:01 pango1.mytrain.com.:ftp ESTABLISHED dylan
Active UNIX domain sockets
Proto RefCnt Flags Type State Path
unix 1 [ ACC ] SOCK_STREAM LISTENING /dev/printer
unix 2 [ ] SOCK_STREAM CONNECTED /dev/log
unix 1 [ ACC ] SOCK_STREAM LISTENING /dev/nwapi
unix 2 [ ] SOCK_STREAM CONNECTED /dev/log
unix 2 [ ] SOCK_STREAM CONNECTED
unix 1 [ ACC ] SOCK_STREAM LISTENING /dev/log

The netstat command with no options lists the network connections on your system. First, active TCP connections are listed, and then the active UNIX domain sockets. The domain sockets are used by processes to set up communications among your system and other systems. You can use netstat with the -r option to display the routing table, and netstat with the -i option displays usage statistics for the different network interfaces.
