DON BOSCO INSTITUTE OF TECHNOLOGY, MUMBAI

Practical 4

Aim: To use Network traffic monitoring and routing tools (commands) and
interpret the findings

1] bing
2] tcpdump
3] netstat
4] arp
5] traceroute
6] top
7] bmon

Software used : Linux based platform

1] bing
The command line program bing measures bandwidth between two point to
point locations. This is an excellent tool for testing throughput or interfaces.
install bing:

$ sudo apt-get install bing

The syntax is:
$ sudo bing [host1] [host2]
bing works by sending an ICMP echo request and measuring the delay of the echo
reply.
dbit@tejas-23:~$ sudo apt-get install bing
[sudo] password for dbit:
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages were automatically installed and are no longer required:
gir1.2-json-1.0 gir1.2-timezonemap-1.0 gir1.2-xkl-1.0
Use 'apt-get autoremove' to remove them.
The following NEW packages will be installed:
bing
0 upgraded, 1 newly installed, 0 to remove and 694 not upgraded.
Need to get 28.0 kB of archives.
After this operation, 98.3 kB of additional disk space will be used.
Get:1 http://in.archive.ubuntu.com/ubuntu/ trusty/universe bing i386 1.1.3-2 [28.0 kB]
Fetched 28.0 kB in 0s (0 B/s)
Selecting previously unselected package bing.
(Reading database ... 197272 files and directories currently installed.)

NMT PRACTICAL: 4 FOR AY 20-21 EVEN SEM

Preparing to unpack .../archives/bing_1.1.3-2_i386.deb ...
Unpacking bing (1.1.3-2) ...
Processing triggers for man-db (2.6.7.1-1) ...
Setting up bing (1.1.3-2) ...

dbit@tejas-23:~$ sudo bing localhost 10.0.1.1

BING localhost (127.0.0.1) and 10.0.1.1 (10.0.1.1)
44 and 108 data bytes (1024 bits)
10.0.1.1: 8.063Mbps 0.127ms 0.124023us/bit
10.0.1.1: 6.282Mbps 0.163ms 0.159180us/bit
10.0.1.1: 8.904Mbps 0.115ms 0.112305us/bit
10.0.1.1: 8.463Mbps 0.121ms 0.118164us/bit
10.0.1.1: 8.258Mbps 0.124ms 0.121094us/bit
10.0.1.1: 8.605Mbps 0.119ms 0.116211us/bit
10.0.1.1: 8.752Mbps 0.117ms 0.114258us/bit
10.0.1.1: 8.678Mbps 0.118ms 0.115234us/bit
10.0.1.1: 8.605Mbps 0.119ms 0.116211us/bit
10.0.1.1: 24.976Mbps 0.041ms 0.040039us/bit
10.0.1.1: 21.787Mbps 0.047ms 0.045898us/bit
10.0.1.1: 21.333Mbps 0.048ms 0.046875us/bit
10.0.1.1: 21.787Mbps 0.047ms 0.045898us/bit
10.0.1.1: 22.261Mbps 0.046ms 0.044922us/bit
^C
--- localhost statistics ---
bytes out in dup loss rtt (ms): min avg max std dev
44 10372 10372 0% 0.005 0.011 0.045 0.002
108 10372 10372 0% 0.004 0.010 0.031 0.001

--- 10.0.1.1 statistics ---

bytes out in dup loss rtt (ms): min avg max std dev
44 10372 10372 0% 0.122 0.140 0.667 0.025
108 10371 10371 0% 0.168 0.270 1.677 0.030

--- estimated link characteristics ---

host bandwidth ms
warning: rtt big localhost 0.004ms < rtt small localhost 0.005ms
10.0.1.1 22.261Mbps 0.117

2] tcpdump
tcpdump command is also called as packet analyzer.
tcpdump command will work on most flavors of unix operating system. tcpdump allows us to save
the packets that are captured, so that we can use it for future analysis. The saved file can be viewed
by the same tcpdump command. We can also use open source software like wireshark to read the
tcpdump pcap files.

Capture packets from a particular ethernet interface using tcpdump -i

tcpdump is a most powerful and widely used command-line packets sniffer or
package analyzer tool which is used to capture or filter TCP/IP packets that received
or transferred over a network on a specific interface. It is available under most of the
Linux/Unix based operating systems. tcpdump also gives us a option to save captured
packets in a file for future analysis. It saves the file in a pcap format, that can be
viewed by tcpdump command or a open source GUI based tool called Wireshark
(Network Protocol Analyzier) that reads tcpdump pcap format files.

extc@standby4:~$ sudo tcpdump -i eth0

[sudo] password for extc:

Sorry, try again.

[sudo] password for extc:

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes

11:44:14.333900 IP DESKTOP-26IE48B.local.54991 > 10.0.7.255.6646: UDP,

length 170

11:44:14.334586 IP standby4.local.30781 > newipcop.lan.dbit.in.domain: 36122+

PTR? 255.7.0.10.in-addr.arpa. (41)

11:44:14.337723 IP newipcop.lan.dbit.in.domain > standby4.local.30781: 36122

NXDomain 0/1/0 (118)

11:44:14.347485 ARP, Request who-has cad4-4.local tell 10.0.3.206, length 46

11:44:14.355837 ARP, Request who-has 10.0.3.161 tell 10.0.7.115, length 46

11:44:14.356639 ARP, Request who-has 10.0.3.161 tell NPIAB71DA.local, length 46

11:44:14.386430 IP 10.0.2.166.netbios-ns > 10.0.7.255.netbios-ns: NBT UDP
PACKET(137): QUERY; REQUEST; BROADCAST

11:44:14.438424 IP 10.0.4.127.55388 > 239.255.255.250.1900: UDP, length 137

11:44:14.445753 IP6 fe80::a2d3:c1ff:fe83:a56f > ff02::1:fff8:f5e8: ICMP6, neighbor

solicitation, who has fe80::7562:27ea:e3f8:f5e8, length 32

11:44:14.450216 IP6 fe80::7271:bcff:fe5b:fd89.mdns > ff02::fb.mdns: 0 PTR (QM)?

255.7.0.10.in-addr.arpa. (41)

11:44:14.450272 IP standby4.local.mdns > 224.0.0.251.mdns: 0 PTR (QM)?

255.7.0.10.in-addr.arpa. (41)

11:44:14.450547 IP6 fe80::c588:a517:d947:c391.mdns > ff02::fb.mdns: 0*- [0q]

0/0/0 (12)

11:44:14.450665 IP 10.0.1.8.mdns > 224.0.0.251.mdns: 0*- [0q] 0/0/0 (12)

11:44:14.450708 IP6 fe80::941c:6906:3fd0:e7dc.mdns > ff02::fb.mdns: 0*- [0q]

0/0/0 (12)

11:44:14.450752 IP6 fe80::c4c2:f0ad:fbff:8705.mdns > ff02::fb.mdns: 0*- [0q] 0/0/0

(12)

11:44:14.450843 IP 10.0.7.202.mdns > 224.0.0.251.mdns: 0*- [0q] 0/0/0 (12)

^C11:44:14.450884 IP 10.0.3.232.mdns > 224.0.0.251.mdns: 0*- [0q] 0/0/0 (12)

17 packets captured

7170 packets received by filter

7123 packets dropped by kernel

3] netstat

netstat (network statistics) is a command line tool for monitoring network

connections both incoming and outgoing as well as viewing routing tables, interface
statistics etc. netstat is available on all Unix-like Operating Systems and also
available on Windows OS as well. It is very useful in terms of network
troubleshooting and performance measurement. netstat is one of the most basic
network service debugging tools, telling you what ports are open and whether any
programs are listening on ports.

3.1] netstat -a

List out all connections

The first and most simple command is to list out all the current connections. Simply run the netstat
command with the a option.
$ netstat -a
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 enlightened:domain *:* LISTEN
tcp 0 0 localhost:ipp *:* LISTEN
tcp 0 0 enlightened.local:54750 li240-5.members.li:http ESTABLISHED
tcp 0 0 enlightened.local:49980 del01s07-in-f14.1:https ESTABLISHED
tcp6 0 0 ip6-localhost:ipp [::]:* LISTEN
udp 0 0 enlightened:domain *:*
udp 0 0 *:bootpc *:*
udp 0 0 enlightened.local:ntp *:*
udp 0 0 localhost:ntp *:*
udp 0 0 *:ntp *:*
udp 0 0 *:58570 *:*
udp 0 0 *:mdns *:*
udp 0 0 *:49459 *:*
udp6 0 0 fe80::216:36ff:fef8:ntp [::]:*
udp6 0 0 ip6-localhost:ntp [::]:*
udp6 0 0 [::]:ntp [::]:*
udp6 0 0 [::]:mdns [::]:*
udp6 0 0 [::]:63811 [::]:*
udp6 0 0 [::]:54952 [::]:*
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags Type State I-Node Path
unix 2 [ ACC ] STREAM LISTENING 12403 @/tmp/dbus-IDgfj3UGXX
unix 2 [ ACC ] STREAM LISTENING 40202 @/dbus-vfs-
daemon/socket-6nUC6CCx

The above command shows all connections from different protocols like tcp, udp and
unix sockets. However this is not quite useful. Administrators often want to pick out
specific connections based on protocols or port numbers for example.
3.2] netstat -at

List only TCP or UDP connections

To list out only tcp connections use the t options.
extc@standby4:~$ netstat -at

Active Internet connections (servers and established)

Proto Recv-Q Send-Q Local Address Foreign Address State

tcp 0 0 localhost:domain *:* LISTEN

tcp 0 0 localhost:ipp *:* LISTEN

tcp 0 0 standby4.local:41994 10.0.1.149:8060 TIME_WAIT

tcp 1 0 standby4.local:41873 10.0.1.149:8060 CLOSE_WAIT

tcp 0 0 standby4.local:41993 10.0.1.149:8060 TIME_WAIT

tcp6 0 0 ip6-localhost:ipp [::]:* LISTEN

Similarly to list out only udp connections use the u option.

extc@standby4:~$ netstat -au

Active Internet connections (servers and established)

Proto Recv-Q Send-Q Local Address Foreign Address State

udp 0 0 *:53757 *:*

udp 0 0 localhost:domain *:*

udp 0 0 *:bootpc *:*

udp 0 0 *:mdns *:*

udp6 0 0 [::]:mdns [::]:*

udp6 0 0 [::]:40250 [::]:*

3.3] netstat -i

Showing Network Interface Transactions

Showing network interface packet transactions including both transferring and receiving packets
with MTU size.

extc@standby4:~$ netstat -i

Kernel Interface table

Iface MTU Met RX-OK RX-ERR RX-DRP RX-OVR TX-OK TX-ERR TX-DRP TX-OVR

Flg eth0 1500 0 469101 0 00 63440 0 0 0 BMRU

lo 65536 0 1923 0 00 1923 0 0 0 LRU

we see that all the network information related to individual interfaces was displayed in the output.
The RX and TX columns are described as follows :

RX-OK : Correct packets received on this interface.

RX-ERR : Incorrect packets received on this interface
RX-DRP : Packets that were dropped at this interface.
RX-OVR : Packets that this interface was unable to receive.

Similar definition is for the TX columns that describe the transmitted packets
3.4] Print statistics
The netstat command can also print out network statistics like total number of packets received and
transmitted by protocol type and so on.
To list out statistics of all packet types

extc@standby4:~$ netstat -s

Ip:

286804 total packets received

0 forwarded

0 incoming packets discarded

224755 incoming packets delivered

65931 requests sent out

Icmp:

45 ICMP messages received

41 input ICMP message
failed. ICMP input histogram:
destination unreachable: 4
0 ICMP messages sent
0 ICMP messages failed
ICMP output histogram:

IcmpMsg:
InType3: 4
InType9: 41

Tcp:
2695 active connections openings
0 passive connection openings
 4 failed connection attempts
1 connection resets received
0 connections established
77757 segments received
62716 segments send out
0 segments retransmited
0 bad segments received.
24 resets sent

Udp:
22025 packets received
0 packets to unknown port received.
0 packet receive errors
3213 packets sent

UdpLite:
TcpExt:

2012 TCP sockets finished time wait in fast

timer 748 delayed acks sent
1 delayed acks further delayed because of locked socket
59533 packet headers predicted
5448 acknowledgments not containing data payload received
3283 predicted acknowledgments
11 connections reset due to unexpected data
1 connections reset due to early user close

TCPRcvCoalesce: 4971
TCPOFOQueue: 221
IpExt:

InNoRoutes: 2
InMcastPkts: 14268
OutMcastPkts: 93
InBcastPkts: 129612
 OutBcastPkts: 7
InOctets: 118459338
OutOctets: 11223188
InMcastOctets: 3891519
OutMcastOctets: 10694
InBcastOctets: 20682035
OutBcastOctets: 328

3.5] Display kernel routing information

The kernel routing information can be printed with the r option. It is the same output as given by the
route command. We also use the n option to disable the hostname lookup.
extc@standby4:~$ netstat -rn

Kernel IP routing table

Destination Gateway Genmask Flags MSS Window irtt Iface

0.0.0.0 10.0.1.1 0.0.0.0 UG 00 0 eth0

10.0.0.0 0.0.0.0 255.255.248.0 U 00 0 eth0

169.254.0.0 0.0.0.0 255.255.0.0 U 00 0 eth0

4] arp

arp-scan is a commandline utility for linux that can be used to scan the network
of a certain interface for alive hosts. It shows the ip address and mac addresses
of all the hosts/nodes found.
dbit@tejas-21:~$ arp
Address HWtype HWaddress Flags Mask Iface
10.0.3.248 ether 50:46:5d:de:28:4e C eth0
10.0.3.185 ether d4:3d:7e:aa:40:18 C eth0
10.0.5.180 ether 8c:89:a5:23:56:46 C eth0
dbitwin ether 00:13:3b:0e:01:0b C eth0
10.0.3.246 ether 00:13:3b:0e:01:7b C eth0
newipcop.lan.dbit.in ether 00:10:b5:12:cf:1e C eth0
10.0.4.128 ether d8:cb:8a:46:1c:16 C eth0
10.0.2.211 ether 44:37:e6:e4:9f:63 C eth0
dbitlin ether 00:09:6b:98:48:cd C eth0
10.0.3.184 ether d4:3d:7e:aa:43:f6 C eth0
10.0.2.202 ether 44:37:e6:e4:68:a5 C eth0

5] traceroute
Traceroute is a command which can show you the path a packet of information
takes from your computer to one you specify. It will list all the routers it passes
through until it reaches its destination, or fails to and is discarded. In addition to
this, it will tell you how long each 'hop' from router to router takes.

extc@standby4:~$ traceroute

Usage:

traceroute [ -46dFITnreAUV ] [ -f first_ttl ] [ -g gate,... ] [ -i device ] [ -m max_ttl ] [

-N squeries ] [ -p port ] [ -t tos ] [ -l flow_label ] [ -w waittime ] [ -q nqueries ] [ -s
src_addr ] [ -z sendwait ] [ --fwmark=num ] host [ packetlen ]

Options:

-4 Use IPv4

-6 Use IPv6

-d --debug Enable socket level debugging

-F --dont-fragment Do not fragment packets

-f first_ttl --first=first_ttl

Start from the first_ttl hop (instead from 1)

-g gate,... --gateway=gate,...

Route packets through the specified gateway

(maximum 8 for IPv4 and 127 for IPv6)

-I --icmp Use ICMP ECHO for tracerouting

-T --tcp Use TCP SYN for tracerouting (default port is 80)

-i device --interface=device

Specify a network interface to operate with

-m max_ttl --max-hops=max_ttl

Set the max number of hops (max TTL to

be reached). Default is 30

-N squeries --sim-queries=squeries

Set the number of probes to be tried

simultaneously (default is 16)

-n Do not resolve IP addresses to their domain names

-p port --port=port Set the destination port to use. It is either

initial udp port value for "default" method

(incremented by each probe, default is 33434), or

 initial seq for "icmp" (incremented as well,

default from 1), or some constant destination

port for other methods (with default of 80 for

"tcp", 53 for "udp", etc.)

-t tos --tos=tos Set the TOS (IPv4 type of service) or TC

(IPv6 traffic class) value for outgoing packets

-l flow_label --flowlabel=flow_label

Use specified flow_label for IPv6 packets

-w waittime --wait=waittime

Set the number of seconds to wait for response to

a probe (default is 5.0). Non-integer (float

point) values allowed too

-q nqueries --queries=nqueries

Set the number of probes per each hop. Default is

-r Bypass the normal routing and send directly to a

 host on an attached network

-s src_addr --source=src_addr

Use source src_addr for outgoing packets

-z sendwait --sendwait=sendwait

Minimal time interval between probes (default 0).

If the value is more than 10, then it specifies a

number in milliseconds, else it is a number of

seconds (float point values allowed too)

-e --extensions Show ICMP extensions (if present), including MPLS

-A --as-path-lookups Perform AS path lookups in routing registries and

print results directly after the corresponding

addresses

-M name --module=name Use specified module (either builtin or external)

for traceroute operations. Most methods have

their shortcuts (`-I' means `-M icmp' etc.)

-O OPTS,... --options=OPTS,...

Use module-specific option OPTS for the

 traceroute module. Several OPTS allowed,

separated by comma. If OPTS is "help", print info

about available options

--sport=num Use source port num for outgoing packets. Implies

`-N 1'

--fwmark=num Set firewall mark for outgoing packets

-U --udp Use UDP to particular port for

tracerouting (instead of increasing the port per

each probe), default port is 53

-UL Use UDPLITE for tracerouting (default dest port

is 53)

-P prot --protocol=prot Use raw packet of protocol prot for tracerouting

--mtu Discover MTU along the path being traced. Implies

`-F -N 1'

--back Guess the number of hops in the backward path and

print if it differs
 -V --version Print version info and exit

--help Read this help and exit

Arguments:

+ host The host to traceroute to

packetlen The full packet length (default is the length of an IP

header plus 40). Can be ignored or increased to a minimal

allowed value

6] TOP
Linux Top command is a performance monitoring program which is used frequently by many
system administrators to monitor Linux performance and it is available under many Linux/Unix
like operating systems. The top command used to dipslay all the running and active real-time
processes in ordered list and updates it regularly. It display CPU usage, Memory usage, Swap
Memory, Cache Size, Buffer Size, Process PID, User, Commands and much more. It also shows
high memory and cpu utilization of a running processess. The top command is much userful for
system administrator to monitor and take correct action when required.
Top command displays all the running process in the system ordered by certain columns.
This displays the information real-time.

extc@standby4:~$ top

top - 15:35:44 up 6:41, 2 users, load average: 0.08, 0.27, 0.29

Tasks: 164 total, 3 running, 161 sleeping, 0 stopped, 0 zombie

Cpu(s): 6.5%us, 1.0%sy, 0.0%ni, 91.5%id, 0.8%wa, 0.0%hi, 0.2%si, 0.0%st

Mem: 2024696k total, 1888932k used, 135764k free, 72636k buffers

Swap: 8509436k total, 4336k used, 8505100k free, 1136008k cached

PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND

2352 extc 20 0 834m 261m 48m S 7 13.2 11:54.24 firefox

3962 extc 20 0 94608 16m 10m S 3 0.8 0:01.46 gnome-terminal

1075 root 20 0 176m 69m 53m R 2 3.5 1:54.13 Xorg

2007 extc 20 0 339m 64m 26m S 2 3.3 1:49.49 compiz

1021 root 20 0 3600 652 508 S 0 0.0 0:02.09 irqbalance

3950 extc 20 0 84460 15m 10m S 0 0.8 0:05.42 gnome-nettool

4378 extc 20 0 2848 1184 884 R 0 0.1 0:00.20 top

1 root 20 0 3668 2052 1316 S 0 0.1 0:00.67 init

2 root 20 0 0 0 0S 0 0.0 0:00.00 kthreadd

3 root 20 0 0 0 0S 0 0.0 0:06.01 ksoftirqd/0

4 root 20 0 0 0 0S 0 0.0 0:01.84 kworker/0:0

5 root 0 -20 0 0 0S 0 0.0 0:00.00 kworker/0:0H

7 root RT 0 0 0 0S 0 0.0 0:00.00 migration/0

8 root 20 0 0 0 0S 0 0.0 0:00.00 rcu_bh

9 root 20 0 0 0 0S 0 0.0 0:00.65 rcu_sched

10 root RT 0 0 0 0 S 0 0.0 0:00.05 watchdog/0

11 root RT 0 0 0 0 S 0 0.0 0:00.05 watchdog/1

12 root RT 0 0 0 0 S 0 0.0 0:00.00 migration/1

13 root 20 0 0 0 0S 0 0.0 0:04.59 ksoftirqd/1

15 root 0 -20 0 0 0 S 0 0.0 0:00.00 kworker/1:0H

16 root 0 -20 0 0 0 S 0 0.0 0:00.00 khelper

17 root 20 0 0 0 0S 0 0.0 0:00.00 kdevtmpfs

18 root 0 -20 0 0 0 S 0 0.0 0:00.00 netns

19 root 0 -20 0 0 0 S 0 0.0 0:00.00 writeback

 20 root 0 -20 0 0 0 S 0 0.0 0:00.00 kintegrityd

21 root 0 -20 0 0 0 S 0 0.0 0:00.00 bioset

22 root 0 -20 0 0 0 S 0 0.0 0:00.00 crypto

23 root 0 -20 0 0 0 S 0 0.0 0:00.00 kworker/u9:0

24 root 0 -20 0 0 0 S 0 0.0 0:00.00 kblockd

25 root 0 -20 0 0 0 S 0 0.0 0:00.00 ata_sff

26 root 20 0 0 0 0 S 0 0.0 0:00.00 khubd

27 root 0 -20 0 0 0 S 0 0.0 0:00.00 md

28 root 0 -20 0 0 0 S 0 0.0 0:00.00 devfreq_wq

29 root 20 0 0 0 0 S 0 0.0 0:00.00 kworker/0:1

30 root 20 0 0 0 0 S 0 0.0 0:00.23 kworker/1:1

31 root 20 0 0 0 0 S 0 0.0 0:00.00 khungtaskd

32 root 20 0 0 0 0 S 0 0.0 0:00.31 kswapd0

33 root 25 5 0 0 0 S 0 0.0 0:00.00 ksmd

34 root 39 19 0 0 0 S 0 0.0 0:00.00 khugepaged

7] bmon
bmon is a simple yet powerful, text-based network monitoring and debugging tool for Unix-like
systems, which captures networking related statistics and displays them visually in a human friendly
format. It is a reliable and effective real-time bandwidth monitor and rate estimator.
It can read input using an assortment of input modules and presents output in various output modes,
including an interactive curses user interface as well as a programmable text output for scripting
purposes.
$ sudo apt-get install bmon

Interface: lo at standby4 bmon 2.0.1

# Interface RX Rate RX # TX Rate TX #

────────────────────────────────────────────────────────────────────────────────

standby4 (source: local)

0 lo 0.00B 0 0.00B 0

1 eth1 18.76KiB 71 0.00B 0

──────────────────── Press g to enable graphical statistics ────────────────────

──────────────────── Press d to enable detailed statistics ─────────────────────

^ prev interface, v next interface, <- prev node, -> next node, ? help

CONCLUSIONS