Tuesday, November 4, 2008

Simple "nsping"

There's no need to install a separate utility to run "nsping": you already have "dig" ...

A simple network diagnostic tool for checking the health and reachability of name servers is nsping. As the name suggests, you ping a name server, not with an ICMP echo request but with a (random) DNS lookup. The time it takes to get a reply back is what you're after: serious lags can indicate network issues or an overloaded server. The random label matters: a name nobody has asked for before cannot be answered from cache, so a recursive resolver has to do the whole lookup and an authoritative server has to answer NXDOMAIN from its zone; either way you are timing real work by the server, not a cache hit.

nsping is a standalone binary, and on most UN*X systems it's another package to install. However, almost everyone already has dig installed as part of the BIND package. dig is a full-featured name server query and diagnostic tool, and one useful feature is that it reports the time its query took in milliseconds ... exactly what we're after. So let's use dig to do what nsping does and trim the answer down to look like nsping: do a random lookup and report only the query time. This simple shell hack uses the built-in $RANDOM variable of ksh (bash has the same variable) and awk to reduce dig's output to its ";; Query time:" line.
#!/bin/bash
SERVER=${1:?usage: nsping <nameserver>}
dig @"${SERVER}" -t a "${RANDOM}.${RANDOM}${RANDOM}.${RANDOM}" | \
        awk '{if ($0 ~/Query/) print $4" "$5}'
Put this in your path as nsping, make it executable, and ping a name server:
$ nsping ns.oreilly.com
97 msec
I have used this in the past to query the root name servers as a network connectivity monitor (with much success).
See also: man dig
"dns & bind", the book from o'reilly
"sed & awk", another book from o'reilly

[Contributed by: jose nazario]
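As an added example that is not part of the post above, the script below does the same job as the one-liner but adds the two things you want when the probe runs unattended: a timeout and single try, so a dead server reports instead of hanging on dig's default retries, and the output parsing in its own function so it can be checked on canned dig output without a network. The random label comes from /dev/urandom rather than $RANDOM so it also works in shells that lack $RANDOM; the +time/+tries options are standard dig options, and the server name and probe count are whatever you pass in.

```shell
#!/bin/sh
# Added example, not the post's script: an nsping-style probe on top of dig,
# with a timeout so an unreachable server is reported instead of hanging,
# and the output parsing kept separate so it can be tested on canned dig output.

# Build a random label shaped like the post's ${RANDOM}.${RANDOM}${RANDOM}.${RANDOM},
# but from /dev/urandom so it also works in shells without $RANDOM (dash, plain sh).
random_label() {
    # four unsigned 16-bit values on one line, space separated
    set -- $(od -An -N8 -tu2 /dev/urandom)
    printf '%s.%s%s.%s' "$1" "$2" "$3" "$4"
}

# Reduce dig's output to "<n> msec" from its ";; Query time:" line.
# A dig that timed out prints no such line, so report "timeout" instead of nothing.
parse_query_time() {
    awk '/^;; Query time:/ { print $4 " " $5; found = 1 }
         END { if (!found) print "timeout" }'
}

# One probe against the server in $1: 2-second timeout and a single try,
# so a dead server costs two seconds rather than dig's default retries.
nsping_once() {
    dig @"$1" -t a "$(random_label)" +time=2 +tries=1 2>/dev/null | parse_query_time
}

# $2 probes (default 5) one second apart, one line each, like nsping.
nsping() {
    count=${2:-5}
    i=0
    while [ "$i" -lt "$count" ]; do
        nsping_once "$1"
        i=$((i + 1))
        [ "$i" -lt "$count" ] && sleep 1
    done
    return 0
}

# usage: sh nsping.sh <nameserver> [count]
if [ "$#" -ge 1 ]; then
    nsping "$@"
fi
```

Run it as `sh nsping.sh ns.example.net 10` (name and count are placeholders); a server that never answers shows up as a line reading `timeout` rather than a missing line, which is what you want when the output feeds a monitor.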

Monday, September 15, 2008

Introduction to Named Pipes (by Andy Vaught)

One of the fundamental features that makes Linux and other Unices useful is the “pipe”. Pipes allow separate processes to communicate without having been designed explicitly to work together. This allows tools quite narrow in their function to be combined in complex ways.

A simple example of using a pipe is the command:
ls | grep x

When bash examines the command line, it finds the vertical bar character | that separates the two commands. Bash and other shells run both commands, connecting the output of the first to the input of the second. The ls program produces a list of files in the current directory, while the grep program reads the output of ls and prints only those lines containing the letter x.

The above, familiar to most Unix users, is an example of an “unnamed pipe”. The pipe exists only inside the kernel: it has no name in the file system, so it cannot be accessed by any process other than the one that created it, in this case the bash shell, and the children that inherit its file descriptors. For those who don't already know, a parent process is a process that creates other processes, its children, to run programs on its behalf; here bash is the parent of both ls and grep.

The other sort of pipe is a “named” pipe, which is sometimes called a FIFO. FIFO stands for “First In, First Out” and refers to the property that the order of bytes going in is the same coming out. The “name” of a named pipe is actually a file name within the file system.
Pipes are shown by ls as any other file with a couple of differences:
% ls -lF fifo1
prw-r--r-- 1 andy users 0 Jan 22 23:11 fifo1|

The p in the leftmost column indicates that fifo1 is a pipe. The rest of the permission bits control who can read or write to the pipe, just like a regular file, so a pipe created under the usual umask is readable by every other user on the machine, as the listing above shows. The | character at the end of the file name is another clue: ls -F appends it to pipe names (some systems alias ls to include -F), and on Linux systems with the color option enabled, fifo1| is printed in its own colour (yellow on black with GNU ls's default dircolors).

On older Linux systems, named pipes are created by the mknod program (mknod pipe p makes a pipe called pipe), usually located in the /etc directory. On more modern systems, mkfifo is a standard utility. The mkfifo program takes one or more file names as arguments and creates pipes with those names. For example, to create a named pipe with the name pipe, give the command:
mkfifo pipe

The simplest way to show how named pipes work is with an example. Suppose we've created pipe as shown above. In one virtual console, type:
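As an added example that is not from the article, the script below does in one shell what the article's two-console demonstration does by hand: it creates a named pipe, starts a reader, writes through the pipe from a second process, and checks what the file system reports about it. It also shows the two points a practitioner cares about, the permission bits (mkfifo -m 600 so other users cannot read what passes through) and the fact that opening a FIFO blocks until the other end is opened. The temporary directory and the message are placeholders.

```shell
#!/bin/sh
# Added example (not from the article): create a private named pipe, pass data
# through it between two processes, and check what the file system says about it.

fifo_demo() {
    dir=$(mktemp -d) || return 1
    fifo="$dir/pipe"
    # -m 600: only the owner can open the pipe. Without it the mode comes from
    # your umask, which on most systems leaves the pipe readable by other users.
    mkfifo -m 600 "$fifo" || return 1

    # What ls reports: a 'p' in the type column, as in the article's listing.
    printf 'type=%s\n' "$(ls -l "$fifo" | cut -c1)"

    # Reader, started first in the background. Its open() blocks until a writer
    # opens the other end; nothing is stored in the file system meanwhile.
    (cat "$fifo" > "$dir/out") &
    reader=$!

    # Writer: the redirection opens the pipe for writing, the reader wakes up,
    # the bytes flow through the kernel and EOF arrives when the writer closes.
    printf 'hello through a named pipe\n' > "$fifo"

    wait "$reader"
    cat "$dir/out"
    rm -rf "$dir"
}

# fifo_demo prints:
#   type=p
#   hello through a named pipe
if [ "${1:-}" = run ]; then fifo_demo; fi
```

Run it as `sh fifo_demo.sh run`. If you swap the order and write before any reader exists, the printf blocks instead of returning, which is the behaviour to remember when a script that talks to a daemon through a FIFO appears to hang.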

Friday, September 5, 2008

System Information

This is a Linux command line reference for system information operations.

uname -a
Show kernel version and system architecture

head -n1 /etc/issue
Show name and version of distribution (on current distributions /etc/os-release is the more reliable source)

cat /proc/partitions
Show all partitions registered on the system

grep MemTotal /proc/meminfo
Show RAM total seen by the system

grep "model name" /proc/cpuinfo
Show CPU(s) info

lspci -tv
Show PCI info

lsusb -tv
Show USB info

mount | column -t
List mounted filesystems on the system (and align output)

Wednesday, August 27, 2008


Tcpdump is a really great tool for network security analysts: you can dump the packets that flow within your networks into a file for further analysis. With some filters you can capture only the packets of interest, which reduces the size of the saved dump and with it the time needed to load and process the packets later.

This post only covers the fundamentals of tcpdump usage; bear in mind that tcpdump can do much more than what I illustrate here.

Let's start with capturing packets based on network interface, ports and protocols. Let's assume I want to capture TCP packets that flow over eth1 on port 6881. The dump file will be saved as test.pcap.

tcpdump -w test.pcap -i eth1 tcp port 6881

Simple, right? What if at the same time I am also interested in packets on UDP ports 33210 and 33220?

tcpdump -w test.pcap -i eth1 tcp port 6881 or udp port \( 33210 or 33220 \)

'\' escapes '(' and ')' so the shell passes them through to tcpdump; the port keyword in front of the parentheses is required, tcpdump rejects the expression without it. Logical OR means union: in plain English, I want the TCP packets on port 6881 plus the UDP packets on ports 33210 and 33220.

Be careful with 'and' in a tcpdump filter expression: it means intersection, and no single packet is on UDP port 33210 and on UDP port 33220 at the same time, so 'udp port 33210 and udp port 33220' would capture nothing. That's why I put 'or' rather than 'and' between the two UDP ports. The use of 'and' in tcpdump is illustrated later.

OK, how about reading a pcap that I saved previously?

tcpdump -nnr test.pcap

The -nn tells tcpdump not to resolve IP addresses to host names or port numbers to service names (a single -n only disables the host name lookup), and -r reads from the file instead of an interface.

Adding -tttt prints the timestamp as a full date and time, which is a more readable format:

tcpdump -ttttnnr test.pcap

How about capturing based on IP?
You need to tell tcpdump which IP you are interested in: destination IP or source IP? Let's say I want to sniff traffic to one destination IP on TCP port 22. How should I write that?

tcpdump -w test.pcap dst host 192.0.2.10 and tcp port 22

(192.0.2.10 stands in for whatever destination address you care about.) So the 'and' makes the intersection of destination IP and port: only packets that match both conditions are captured.

By default, older versions of tcpdump keep only the first 96 bytes of each packet (68 on the oldest), so payloads are cut off in the dump; you can override that size with -s. tcpdump 4.0 and later capture whole packets by default, and -s 0 asks for the maximum in any version.

tcpdump -w test.pcap -s 1550 dst host 192.0.2.10 and tcp port 22

Some versions of tcpdump let you define a port range. You can write it as below to capture packets on a range of TCP ports:

tcpdump tcp portrange 20-24

Bear in mind that on the line above I didn't specify -w, so nothing is written to a file; the captured packets are just printed on the screen.
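As an added example that is not part of the original post, the script below assembles a grouped port filter like the ones above, checks the filter's syntax before any capture starts, and then captures and reads back with the flags described in this post. The syntax check relies on tcpdump's documented -d option (compile the filter, print the BPF code and stop) run against a constructed pcap file that holds only the 24-byte global header, so it needs neither root nor a live interface and catches mistakes like the missing port keyword before you leave a broken capture running. The interface, file names and ports are placeholders.

```shell
#!/bin/sh
# Added example, not from the post: build a grouped port filter, check its
# syntax without capturing anything, then capture and read back as the post does.

# port_filter <proto> <port>... -> "<proto> port p" or "<proto> port ( p1 or p2 ... )".
# The parentheses are handed to tcpdump inside one argument, so no backslashes are needed.
port_filter() {
    proto=$1; shift
    [ "$#" -ge 1 ] || return 1
    if [ "$#" -eq 1 ]; then
        printf '%s port %s' "$proto" "$1"
        return 0
    fi
    printf '%s port ( %s' "$proto" "$1"; shift
    for p in "$@"; do printf ' or %s' "$p"; done
    printf ' )'
}

# Write a pcap file consisting of the 24-byte global header and no packets
# (constructed here; little-endian, link type 1 = Ethernet).
empty_pcap() {
    {
        printf '\324\303\262\241'   # magic number 0xa1b2c3d4
        printf '\002\000\004\000'   # version 2.4
        printf '\000\000\000\000'   # time zone offset
        printf '\000\000\000\000'   # timestamp accuracy
        printf '\377\377\000\000'   # snaplen 65535
        printf '\001\000\000\000'   # link type 1: Ethernet
    } > "$1"
}

# Compile a filter against the empty capture: exit status 0 means tcpdump accepted
# the expression, non-zero means a syntax error (its message goes to stderr).
check_filter() {
    f=$(mktemp) || return 1
    empty_pcap "$f"
    if tcpdump -r "$f" -d "$1" > /dev/null; then rc=0; else rc=$?; fi
    rm -f "$f"
    return "$rc"
}

# capture <iface> <file> <filter>: -s 0 keeps whole packets instead of the old 96-byte default.
capture() { tcpdump -i "$1" -s 0 -w "$2" "$3"; }

# replay <file>: numeric addresses and ports, full date and time timestamps.
replay() { tcpdump -ttttnnr "$1"; }

# usage: sh capture.sh eth1 test.pcap   (interface, file and ports are placeholders)
if [ "$#" -eq 2 ]; then
    filter="$(port_filter tcp 6881) or $(port_filter udp 33210 33220)"
    check_filter "$filter" && capture "$1" "$2" "$filter"
fi
```

Try `check_filter 'udp ( 33210 or 33220 )'` by hand to see the syntax error the post's original grouping produces, then `check_filter "$(port_filter udp 33210 33220)"` to see it compile; afterwards `replay test.pcap` reads the capture back with the -ttttnnr combination described above.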