4/18/05
Red Hat Linux Network Management Tools
Core System Utilities and Tools
> arp, ifconfig, netstat, ping, tcpdump, traceroute
Additional System Utilities and Tools
> arpwatch, ethereal, fping, nmap, xtraceroute
*** Chap 2
MIB Browsers are great for probing an agent for specific information or learning the structure and format of new MIBs
1.3.6 iso.org.dod
1.3.6.1.2.1 iso.org.dod.internet.mgmt.mib-2
1.3.6.1.4.1.9 iso.org.dod.internet.private.enterprises.cisco
1.3.6.1.4.1.42 iso.org.dod.internet.private.enterprises.sun
(private(4) is a sibling of mgmt(2) under internet(1), not a child of it; Cisco's enterprise number is 9, Sun's is 42)
Using a packet capture tool, the entire SNMP packet could be decoded
SNMPv1 specifies a collection of MIB objects known as MIB-II (RFC 1213)
SNMPv1 problems:
1) lacks robust security - the community name travels in cleartext, so most sites limit or disable set operations
2) slow - no bulk retrieval; walking a table costs one GetNext round trip per object
3) agents play a single, simplistic role of accepting commands
SNMPv2:
1) expanded data types, 64-bit counters
2) fast - GetBulk PDU
3) more efficient row creation and deletion
SNMPv3:
1) user-based security model (USM): authentication with HMAC-MD5 or HMAC-SHA, privacy with DES (both MD5 and DES are weak by today's standards; use SHA and AES where the agent supports them)
2) defined view-based access control model (VACM)
SNMPv1 message format
3 pieces - Version, Comm Name, SNMP PDU
PDUs can be one of five different types
1) getrequest
2) getnextrequest
3) setrequest
4) getresponse
5) trap
SNMPv2 adds
1) getbulkrequest
2) informrequest
GetRequest(sysDescr, sysUpTime)
GetRequest message format
5 pieces
PDU type, Request ID, Error Status (0), Error Index (0), Variable Bindings - the two error fields are always zero in a request; the agent fills them in the GetResponse
RMON monitor
this device collects network performance and packet contents for later analysis and reporting
GetResponse - each of the SNMP operations, with the exception of trap, receives a GetResponse. Includes the following fields:
PDU type, Request ID, Error Status, Error Index, Var Bindings
Trap fields
PDU Type
Enterprise
Agent Addr
Generic Trap - one of predefined traps
Specific Trap - usually zero, unless generic=6
Time Stamp
Var bindings
predefined traps
coldstart(0)
warmstart(1)
linkdown(2)
linkup(3)
authfailure(4)
egpneighborlost(5)
enterprisespecific(6)
SNMPv1 error-status codes (carried in the GetResponse)
noError(0)
tooBig(1) - returned by the agent if the response would not fit in one message
noSuchName(2) - a requested object does not exist or, for a set, is not settable; the error index says which varbind
badValue(3) - set value has the wrong type, length or value
readOnly(4) - set attempted on a read-only object
genErr(5) - PDU fails for a reason other than the above
transmission of an SNMP message
1) basic PDU constructed
2) protocol layer formats the message (version and community name wrapped around the PDU)
3) entire message encoded using ASN.1 BER and sent over UDP (port 161; traps go to port 162)
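The message layout in the notes above (version, community, PDU; request-id, error-status, error-index, varbinds; the trap fields enterprise, agent-addr, generic-trap, specific-trap, time-stamp) built and decoded in BER, as an added example that is not from the book. It uses only the Python standard library; the community string, OIDs, addresses and values are constructed sample data, and it is a teaching encoder, not a replacement for net-snmp or pysnmp.

```python
"""SNMPv1 messages built and decoded by hand in BER (the ASN.1 encoding the notes
refer to).  Added example, not from the book; constructed sample data only."""

# Tags used by SNMPv1 (RFC 1155, RFC 1157)
INTEGER, OCTET_STRING, NULL, OID, SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30
IPADDRESS, COUNTER, GAUGE, TIMETICKS = 0x40, 0x41, 0x42, 0x43
GET_REQUEST, GET_NEXT, GET_RESPONSE, SET_REQUEST, TRAP = 0xA0, 0xA1, 0xA2, 0xA3, 0xA4
PDU_NAMES = {GET_REQUEST: "GetRequest", GET_NEXT: "GetNextRequest",
             GET_RESPONSE: "GetResponse", SET_REQUEST: "SetRequest", TRAP: "Trap"}
ERROR_STATUS = ["noError", "tooBig", "noSuchName", "badValue", "readOnly", "genErr"]
GENERIC_TRAPS = ["coldStart", "warmStart", "linkDown", "linkUp",
                 "authenticationFailure", "egpNeighborLoss", "enterpriseSpecific"]


def _length(n):
    """BER length: one byte below 128, else 0x80|nbytes followed by the length."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, value):
    return bytes([tag]) + _length(len(value)) + value


def enc_int(v, tag=INTEGER):
    """Minimal two's-complement integer; Counter/Gauge/TimeTicks reuse it with their own tag."""
    n = 1
    while not -(1 << (8 * n - 1)) <= v < (1 << (8 * n - 1)):
        n += 1
    return tlv(tag, v.to_bytes(n, "big", signed=True))


def enc_oid(dotted):
    """Object identifier: first two arcs packed into one byte (1.3 -> 0x2b), the rest base-128."""
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return tlv(OID, bytes(out))


def varbinds(bindings):
    """SEQUENCE OF { SEQUENCE { name OID, value } }; values arrive pre-encoded."""
    return tlv(SEQUENCE, b"".join(tlv(SEQUENCE, enc_oid(o) + v) for o, v in bindings))


def message(community, pdu):
    """Message = SEQUENCE { version INTEGER (0 = SNMPv1), community OCTET STRING, PDU }"""
    return tlv(SEQUENCE, enc_int(0) + tlv(OCTET_STRING, community.encode()) + pdu)


def request(ptype, community, request_id, bindings, error_status=0, error_index=0):
    """Get/GetNext/Set/GetResponse share request-id, error-status, error-index, varbinds.
    Requests carry 0, 0; the agent fills the two error fields in its GetResponse."""
    return message(community, tlv(ptype, enc_int(request_id) + enc_int(error_status)
                                  + enc_int(error_index) + varbinds(bindings)))


def get_request(community, request_id, oids):
    return request(GET_REQUEST, community, request_id, [(o, tlv(NULL, b"")) for o in oids])


def trap(community, enterprise, agent_ip, generic, specific, timeticks, bindings=()):
    """Trap-PDU: enterprise, agent-addr, generic-trap, specific-trap, time-stamp, varbinds."""
    return message(community, tlv(TRAP, enc_oid(enterprise)
                                  + tlv(IPADDRESS, bytes(int(x) for x in agent_ip.split(".")))
                                  + enc_int(generic) + enc_int(specific)
                                  + enc_int(timeticks, TIMETICKS) + varbinds(bindings)))


def _items(body):
    """Split a constructed value into its (tag, contents) children."""
    out, pos = [], 0
    while pos < len(body):
        tag, ln, pos = body[pos], body[pos + 1], pos + 2
        if ln & 0x80:
            n = ln & 0x7F
            ln, pos = int.from_bytes(body[pos:pos + n], "big"), pos + n
        out.append((tag, body[pos:pos + ln]))
        pos += ln
    return out


def _dec_oid(b):
    arcs, v = [b[0] // 40, b[0] % 40], 0
    for byte in b[1:]:
        v = (v << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(v)
            v = 0
    return ".".join(map(str, arcs))


def _dec_value(tag, b):
    if tag == NULL:
        return None
    if tag == INTEGER:
        return int.from_bytes(b, "big", signed=True)
    if tag in (COUNTER, GAUGE, TIMETICKS):
        return int.from_bytes(b, "big")      # unsigned; a leading 0x00 pad byte is harmless
    if tag == OCTET_STRING:
        return b.decode("ascii", "replace")
    if tag == OID:
        return _dec_oid(b)
    if tag == IPADDRESS:
        return ".".join(map(str, b))
    return b.hex()


def decode(msg):
    """Field-by-field view of an SNMPv1 message, the way a packet-capture tool shows it."""
    (_, body), = _items(msg)
    (_, ver), (_, comm), (ptype, pdu) = _items(body)
    fields = _items(pdu)
    out = {"version": int.from_bytes(ver, "big"), "community": comm.decode(), "pdu": PDU_NAMES[ptype]}
    if ptype == TRAP:
        (_, ent), (_, addr), (_, gen), (_, spec), (_, ts), (_, vbs) = fields
        out.update(enterprise=_dec_oid(ent), agent_addr=".".join(map(str, addr)),
                   generic_trap=GENERIC_TRAPS[int.from_bytes(gen, "big")],
                   specific_trap=int.from_bytes(spec, "big"), time_stamp=int.from_bytes(ts, "big"))
    else:
        (_, rid), (_, es), (_, ei), (_, vbs) = fields
        out.update(request_id=int.from_bytes(rid, "big", signed=True),
                   error_status=ERROR_STATUS[int.from_bytes(es, "big")],
                   error_index=int.from_bytes(ei, "big"))
    out["varbinds"] = [(_dec_oid(o), _dec_value(t, v))
                       for _, seq in _items(vbs) for (_, o), (t, v) in [_items(seq)]]
    return out
```

`get_request("public", 1, ["1.3.6.1.2.1.1.1.0"]).hex()` gives `3026 020100 04067075626c6963 a019 020101 020100 020100 300e 300c 06082b06010201010100 0500` (spaces added): the community string is plainly readable in the datagram, which is the "lacks robust security" point above, and the two `020100` fields after the request-id are the zeroed error-status and error-index. Feed `decode()` a GetResponse or a Trap built with `request()`/`trap()` to see the agent-side fields.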
*** Chap 3
ICMP message types (echo is a query; the rest are error messages)
Echo request/reply
dest unreachable
source quench
redirect
time exceeded
ARP, OUI codes
http://standards.ieee.org/regauth/oui/oui.txt
netstat -t # display currently established TCP connections (-n for numeric addresses, -a to include listeners)
Table 4.8 Linux agent MIB objects (MIB-II interfaces group) that map to netstat -i columns
RX-OK   ifInUcastPkts + ifInNUcastPkts
RX-ERR  ifInErrors
RX-DRP  ifInDiscards
TX-OK   ifOutUcastPkts + ifOutNUcastPkts
TX-ERR  ifOutErrors
TX-DRP  ifOutDiscards
ping -f # flood (root only; sends as fast as replies return and can saturate a slow link)
tcpdump
promiscuous mode - also used by RMON probes; ifconfig shows PROMISC on the interface while a capture runs
ethereal - GUI based
tcpdump -i le1 -x -s 0 tcp and port 21   # -i selects the interface, -s 0 captures whole packets (the notes' "-d le1 -x 0" is a typo: -d dumps the compiled filter and exits)
-x hex dump of each packet minus its link-level header; -xx includes the link-level header; -e prints link-level header info such as source and dest MAC
traceroute display codes
* No response to probe packet (timeout)
! TTL in the received reply is <= 1 (a hop that sets the TTL of its ICMP reply too low)
!H Dest host is unreachable
!N Dest net is unreachable
!P Dest protocol is unreachable
!S source route option has failed, should not happen
!F fragmentation needed for probe packet, should not happen
!X communication administratively prohibited (blocked by a filter)
!<N> other ICMP unreachable code, where N is that number
traceroute on a multi-homed host selects the first interface it encounters; -i picks one explicitly
traceroute, by default, sends UDP probes starting at port 33434 and incrementing per probe; hops answer with ICMP time exceeded, the destination with ICMP port unreachable
traceroute -I use ICMP echo probes instead (gets through filters that drop high UDP ports)
*** Chap 4
Arpwatch - one of the most useful options is -i, which selects the interface
- new station: excellent way to know when new stuff is hooked to the network
- changed ethernet address: the IP now answers from a different MAC (new Ethernet card, or another host impersonating it with ARP spoofing)
- flip flop: the MAC changed back to the previously seen one (two hosts answering for the same IP, e.g. the real gateway and a spoofer)
- new activity: a known IP/MAC pair seen again after a long silence
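The four arpwatch reports above reproduced over a constructed stream of ARP observations, as an added example that is not arpwatch's own code. The OUI table is a three-entry stand-in for the IEEE oui.txt file mentioned earlier, the observations are made up, and the "spoof_suspects" heuristic is an assumption of this example, not an arpwatch feature: it flags an IP whose MAC changes repeatedly inside a short window, which a new NIC does not do but a spoofer fighting the real owner does.

```python
"""Arpwatch-style change detection.  Added example (not arpwatch's code); the OUI
table and the observations are constructed.  Per IP the watcher keeps the current
MAC and the one before it; that pair separates 'changed ethernet address' from 'flip flop'."""

from typing import Optional

NEW_ACTIVITY_AFTER = 180 * 86400   # arpwatch reports a known pair seen again after ~6 months

# Tiny stand-in for http://standards.ieee.org/regauth/oui/oui.txt (prefix -> vendor)
OUI = {"00:00:0c": "Cisco", "08:00:20": "Sun", "00:50:56": "VMware"}


def vendor(mac):
    return OUI.get(mac.lower()[:8], "unknown")


class Station:
    def __init__(self, mac, ts):
        self.mac = mac                      # most recently seen MAC
        self.prev: Optional[str] = None     # second most recently seen MAC
        self.last_seen = ts


def watch(observations):
    """observations: (timestamp, ip, mac) triples.  Returns (timestamp, ip, mac, report) tuples."""
    table, reports = {}, []
    for ts, ip, mac in observations:
        mac = mac.lower()
        st = table.get(ip)
        if st is None:
            table[ip] = Station(mac, ts)
            reports.append((ts, ip, mac, "new station"))
            continue
        if mac == st.mac:
            if ts - st.last_seen > NEW_ACTIVITY_AFTER:
                reports.append((ts, ip, mac, "new activity"))
        elif mac == st.prev:
            reports.append((ts, ip, mac, "flip flop"))      # bounced back to the earlier MAC
        else:
            reports.append((ts, ip, mac, "changed ethernet address"))
        if mac != st.mac:
            st.prev, st.mac = st.mac, mac
        st.last_seen = ts
    return reports


def spoof_suspects(reports, window=300, threshold=2):
    """IPs whose MAC changed at least `threshold` times within `window` seconds (example heuristic)."""
    changes = {}
    for ts, ip, _, kind in reports:
        if kind in ("changed ethernet address", "flip flop"):
            changes.setdefault(ip, []).append(ts)
    suspects = set()
    for ip, times in changes.items():
        times.sort()
        for i in range(threshold - 1, len(times)):
            if times[i] - times[i - threshold + 1] <= window:
                suspects.add(ip)
                break
    return suspects


# Constructed observations: the gateway 10.0.0.1 starts being claimed by a second MAC
SAMPLE = [
    (0, "10.0.0.1", "00:00:0C:11:22:33"),
    (10, "10.0.0.5", "08:00:20:AA:BB:CC"),
    (20, "10.0.0.1", "00:00:0C:11:22:33"),
    (30, "10.0.0.1", "00:50:56:DE:AD:01"),    # gateway IP now answered by a VMware MAC
    (40, "10.0.0.1", "00:00:0C:11:22:33"),    # the real router answers again
    (50, "10.0.0.1", "00:50:56:DE:AD:01"),
    (10 + 200 * 86400, "10.0.0.5", "08:00:20:AA:BB:CC"),   # same pair, 200 days later
]

if __name__ == "__main__":
    for ts, ip, mac, kind in watch(SAMPLE):
        print(f"{ts:>10} {ip:<10} {mac} ({vendor(mac)}) {kind}")
    print("possible ARP spoofing:", spoof_suspects(watch(SAMPLE)))
```

On the sample the reports come out as new station, new station, changed ethernet address, flip flop, flip flop, new activity, and 10.0.0.1 is the only spoofing suspect. Real arpwatch reads the frames itself and mails the reports; the logic above is the part worth understanding when tuning it for a gateway IP.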
Ethereal
Fping
Nmap by default scans ports 1-1024 plus those listed in nmap-services
-O flag, for OS fingerprinting
-sS TCP SYN scan (half-open: the handshake is never completed, so the application never sees the connection)
-sF stealth FIN scan
nmap-os-fingerprints, /usr/local/lib/nmap
-sU UDP scan (slow; an open port is inferred from the absence of ICMP port unreachable, so hosts that rate-limit ICMP look open)
-sT TCP connect scan
-sP ping sweep
nmap -p 161 -sU -oN results 10.0.0.0/24   # find SNMP agents on the subnet (older versions spelled the output option -o)
Xtraceroute - plots hops by latitude, longitude
### CHAP 6 - Overview of MIB II
at group - mapping from net addr to phys addr (deprecated in MIB-II in favour of ipNetToMediaTable in the ip group)
dot3 group - low level datalink medium for each of the defined interfaces
### Chap 7 - Using SNMP Agents
Linux: the UCD agent supports SNMPv1, v2c and v3, including GetBulk, Inform and USM (the user-based security model)
agent: snmpd
Sun, agent snmpdx provides master/subagent
Linux agent
supports MIB-II, SNMPv2, SMUX MIB, host resources MIB, UCD-SNMP MIBs
located in /usr/local/share/snmp/mibs
- monitor disk-space usage
- monitor system processes
- monitor system load
- invoke UNIX commands
- monitor agent information and status
- provide access to key MIB objects
### Chap 8 - SNMP Tools
monitoring admin functions
- SNMP system heartbeat: get-request of sysUpTime
- system up/down messages: traps
- protocol statistics: MIB-II IP, ICMP, TCP, SNMP groups
- interface performance measurements: MIB-II interfaces group
- system process activity: UCD agent
- routing
- performance statistics
commands
- snmpdelta
- snmpget -d # cool, HEX/Ascii dump
- snmpgetnext
- snmpnetstat
- snmpset
- snmpstatus
- snmptable
- snmptest
- snmptranslate # cool
- snmptrap
- snmptrapd
- snmpwalk
- snmpbulkwalk # cool
- tkmib # cool
-m lists the MIBs to load, -M the directories to search for them
snmpdelta - very useful in tracking network errors (polls a counter repeatedly and prints the per-interval increase)
snmpdelta -R remote-gw public ifInDiscards.1
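What snmpdelta computes, reproduced over two constructed snapshots of net-snmp style "NAME = Counter32: N" output taken 60 seconds apart, as an added example that is not from the book or from net-snmp. The snapshot text, the interface and the values are made up; the point it adds to the notes is that Counter32 objects such as ifInDiscards wrap at 2^32, so a naive cur minus prev goes negative and the delta must be taken modulo the counter width.

```python
"""Counter deltas the way snmpdelta computes them.  Added example; the two
snapshots below are constructed, not real agent output."""

import re

LINE = re.compile(r"^(?P<name>\S+)\s*=\s*(?P<type>Counter32|Counter64|Gauge32|INTEGER):\s*(?P<val>\d+)")
WIDTH = {"Counter32": 32, "Counter64": 64}

# Constructed snapshots of `snmpget ... ifInDiscards.1 ifInErrors.1 ifHCInOctets.1`, 60 s apart
T0 = """IF-MIB::ifInDiscards.1 = Counter32: 4294967200
IF-MIB::ifInErrors.1 = Counter32: 17
IF-MIB::ifHCInOctets.1 = Counter64: 9000000000"""
T1 = """IF-MIB::ifInDiscards.1 = Counter32: 104
IF-MIB::ifInErrors.1 = Counter32: 17
IF-MIB::ifHCInOctets.1 = Counter64: 9000600000"""


def parse(text):
    """name -> (type, value) for every line that looks like snmpget output."""
    out = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            out[m["name"]] = (m["type"], int(m["val"]))
    return out


def counter_delta(prev, cur, bits):
    """Increase of a counter between two polls, allowing for one wrap at 2^bits."""
    return (cur - prev) % (1 << bits)


def rates(prev_text, cur_text, seconds):
    """name -> (delta, per_second) for counters present in both snapshots."""
    prev, cur = parse(prev_text), parse(cur_text)
    out = {}
    for name, (typ, now) in cur.items():
        if name not in prev or typ not in WIDTH:
            continue   # gauges and integers are not cumulative; there is no delta to take
        d = counter_delta(prev[name][1], now, WIDTH[typ])
        out[name] = (d, d / seconds)
    return out


def wrap_seconds(bits, per_second):
    """Seconds until a counter incrementing at per_second wraps: the longest safe poll interval.
    More than one wrap between polls is undetectable, so poll faster or use the Counter64 (HC) objects."""
    return (1 << bits) // per_second


if __name__ == "__main__":
    for name, (delta, rate) in rates(T0, T1, 60).items():
        print(f"{name:<28} +{delta:>8}  {rate:10.2f}/s")
    print("ifInOctets wraps on a full 1 Gbit/s link every", wrap_seconds(32, 125_000_000), "s")
```

ifInDiscards went from 4294967200 to 104, which is an increase of 200 (about 3.3 per second), not a drop of four billion; ifInErrors stayed at 17. The last line shows why the snmpdelta invocation above, which speaks SNMPv1 and so only sees 32-bit counters, is fine for error counters but not for octet counters on a fast link: at full gigabit rate a Counter32 wraps every 34 seconds, so use SNMPv2c or v3 and the ifHC* Counter64 objects for those.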
snmpset (needs the read-write community, which also travels in cleartext; restrict it by source address on the agent or keep it off the wire entirely)
- disabling/enabling a network IF
- updating device info, i.e. sysContact
- resetting traffic counters
- restarting the agent
- modifying some config param
snmptranslate system.sysDescr
.1.3.6.1.2.1.1.1
-Td (older releases: -d) # dump the full description of the object from RFC1213-MIB.txt
snmpbulkwalk -v 2c cisco-gw1 public
snmpconf - interactive script that writes snmp.conf / snmpd.conf for the tools and the agent (it does not configure remote devices; that is what snmpset is for)
tkmib - GUI front end to snmpget, snmpgetnext, snmpwalk, snmptable
[root@localhost ~]# tkmib
ERROR: You don't have the SNMP perl module installed. Please obtain this by
getting the latest source release of the net-snmp toolkit from
http://www.net-snmp.org/download/ . The perl module is contained in
the perl/SNMP directory. See the INSTALL file there for
instructions.
ERROR: You don't have the Tk module installed. You should be able to
install this by running (as root):
perl -MCPAN -e 'install Tk'