Chapter 5
Networking Tools

File: Steve/Courses/2014/s2/its332/tools.tex, r3455

This lab will introduce you to important software tools for managing computer networks. It will also give you an opportunity to become familiar with the ICT Networking Laboratory room, e.g. the computers, operating systems and network equipment. The software tools you learn in this lab will be used in the remaining labs in the course.

5.1 Operating Systems and Tool Interfaces

When configuring and managing a computer network, or diagnosing problems in a network, you need to use the correct tools for the task. Most often these tools are software applications. There are various tools available on most computers that can be used to support common networking tasks including:

The tools that can be used to manage the network vary on different operating systems. For example, Microsoft Windows has different programs than Unix variants such as Ubuntu and Apple Mac OS. (And indeed, the programs may be different between versions: Windows 7 may be different from Windows Vista, and Ubuntu Linux different from RedHat Linux.) Combined with this, many operating systems will have two different interfaces to the same tool: a graphical user interface (GUI) and a command line (text) interface.

Although the programs may be different (including interface and options), the majority of them provide a similar level of functionality. Therefore once you learn the functionality using one tool, it will not be too hard for you to perform the same functionality in another operating system.

For our lab classes, we will use Ubuntu Linux, for the reasons outlined in Chapter 2. We will show examples and expect you to use the command line interface on most occasions. This is because once you know the command line interface, it is very easy to perform the same operations in the GUI (however, vice versa is not true: if you learn the GUI, it may be hard to understand the options of the command line interface). Also note that some network equipment is managed by a command line interface: e.g. you may log on to a router or switch and set the configuration via the command line interface only.

5.2 Viewing Network Interface Information

Your computer connects to the LAN via one of its Network Interface Cards (NIC) (see Appendix B for details). In the Networking Lab, each computer has three Fast Ethernet NICs, and by default one of the NICs is connected to a Fast Ethernet switch (in the switching cabinet in the corner of the room). Almost all operating systems allow the user to view information about the current NIC connection, including:

Operating systems often allow administrator users to modify some of the above information as well. The main command to view and edit the network interface information is ifconfig.

To view the information for all interfaces:

$ ifconfig

The operating system assigns names to each interface, such as eth0 for one Ethernet NIC and eth1 for another. As the name/number assigned to an interface is automatic, you cannot assume the same scheme is used in different computers, nor can you assume it will be the same each time you start the same computer.

The special loopback interface (which isn’t a real physical interface, but a virtual interface implemented in software inside the OS) is often given the name lo.

To view the details of a specific interface, such as eth0:

$ ifconfig eth0

5.3 Viewing Ethernet Interface Details

ifconfig shows summary information for your different network interfaces. If you want to see more details of your Ethernet (wired LAN) interfaces you can use ethtool. This shows information such as data rates supported, current data rate in use and whether the link is up or not. It also allows you to set parameters, such as whether or not the NIC will perform some operations that normally would be performed by the OS.

To view information about a specific Ethernet interface, such as eth0:

$ ethtool eth0

Some of the values to look at if your link is not working as expected include: Link Detected, Speed and Duplex. If the link is not detected it suggests the cable is not plugged in correctly or there is a problem with the hardware. If the link is detected but the speed and duplex are not as expected (e.g. they are 10 Mb/s and Half-Duplex) it may mean a problem with the cable or NIC.

Normally the default values are appropriate. However you may manually set values using the -s option:

$ sudo ethtool -s eth0 speed 100 duplex full

But note that other settings may impact on whether or not your desired settings are used (for example, with Auto-negotiation turned on, the link speed will be negotiated by the two end points).

Sometimes operations on packets that are typically performed by the operating system, such as checking checksums and segmenting packets, are offloaded to the NIC. The reason is that the NIC can perform these operations much faster than the OS, increasing the data transfer performance. However when such offloading is performed it may create confusion for students when capturing packets: conceptually we think the operating system segments packets and we would see the individual segments in Wireshark; but with offloading the segments are not seen because the segmentation is performed in the NIC hardware (which tcpdump/Wireshark cannot see). Therefore it may be beneficial to turn off such features in a lab.

To view the offloaded features:

$ ethtool -k eth0

To turn offloading features on/off:

$ sudo ethtool -K eth0 gso off

See the man page for ethtool to see the list of features and their short names (e.g. gso means generic-segmentation-offload).
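As an added example (not part of the original lab handout), the script below reads ethtool -k output and prints one ethtool -K command for each changeable offload that is currently on, so that a capture shows the segments and checksums the OS actually produced. The sample output is constructed; the short names other than gso (rx, tx, sg, tso, gro, lro) are the ones listed in the ethtool man page.

```shell
#!/bin/sh
# Added example: find offloads that would hide segments from a capture.

# Constructed sample of "ethtool -k eth0" output (not from a real lab PC).
# Real output indents sub-features with a tab; spaces are used here.
sample_features() {
cat <<'EOF'
Features for eth0:
rx-checksumming: on
tx-checksumming: on
    tx-checksum-ipv4: on
scatter-gather: on
tcp-segmentation-offload: on
    tx-tcp-segmentation: on
generic-segmentation-offload: on
generic-receive-offload: on
large-receive-offload: off [fixed]
rx-vlan-offload: on [fixed]
EOF
}

# Read "ethtool -k" output on stdin and print one "ethtool -K" command for
# each top-level offload that is on and can be changed. Features marked
# [fixed] cannot be changed and are skipped, as are indented sub-features.
offload_off_commands() {
    awk -v iface="$1" '
        BEGIN {
            # Long feature name -> short name accepted by ethtool -K.
            short["rx-checksumming"] = "rx"
            short["tx-checksumming"] = "tx"
            short["scatter-gather"] = "sg"
            short["tcp-segmentation-offload"] = "tso"
            short["generic-segmentation-offload"] = "gso"
            short["generic-receive-offload"] = "gro"
            short["large-receive-offload"] = "lro"
        }
        /^[ \t]/    { next }    # indented sub-feature
        /\[fixed\]/ { next }    # driver does not allow changes
        {
            name = $1
            sub(/:$/, "", name)
            if ((name in short) && $2 == "on")
                printf "sudo ethtool -K %s %s off\n", iface, short[name]
        }
    '
}

# "--live IFACE" inspects a real interface; otherwise use the sample.
if [ "${1:-}" = "--live" ]; then
    ethtool -k "${2:-eth0}" | offload_off_commands "${2:-eth0}"
else
    sample_features | offload_off_commands eth0
fi
```

The script only prints the commands; review them before running any, and turn the features back on after the lab if performance matters.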

5.4 Testing Network Connectivity

A basic task for diagnosing the connectivity of a network is to test whether one computer can communicate with another. This is normally performed using the Internet Control Message Protocol (ICMP). A user application that implements ICMP for testing connectivity is ping.

ping sends a message from your computer to some destination computer, which then immediately responds. ping measures the time it takes from sending the message, to when the response is received. That is, the delay to the destination and back, i.e. the round trip time (RTT).

The simplest way to use ping is to specify the destination as the first parameter:

$ ping DESTINATION

where DESTINATION is the IP address or domain name of the computer you want to test connectivity with.

You can stop the ping by pressing Ctrl-C, or you can limit the number of messages sent by ping to COUNT messages using the -c parameter:

$ ping -c COUNT DESTINATION

There are other useful options for ping: read the manual!

5.4.1 ping at SIIT

ping is a very simple, but useful tool for diagnosing network problems. However, ping (and more generally, ICMP messages) can be used to cause problems in a network. For example, a malicious user may perform a security attack on a network by sending many ICMP messages to a router (making the router too busy to handle normal traffic, thereby restricting use of the network). Therefore, some organisations decide to not allow ICMP messages into and/or out of a network. SIIT does this: from inside the lab you cannot ping a computer outside on the Internet (e.g. try to ping http://www.google.com/). This is done for good reasons by the SIIT Network Administrators, however it makes it difficult to demonstrate ping and other ICMP-based tools in this lab!

In addition to a network administrator blocking ICMP from leaving the network, some organisations may block ICMP from entering a network, and more specifically, block a particular computer from responding to ICMP messages. For example, the web server www.fakewebserver.com may be configured to not respond to ICMP messages, therefore your ping to such a domain would get no response.

Luckily for us, there are free web sites that allow us to use ping from the website to any computer that responds to ICMP messages. Note that when using these websites the source of the ICMP message is not your computer, but is the web server of the site or a router/server selected from the site.

There is an excellent list of free web-based ping (and other) tools at: http://www.bgp4.net/wiki/doku.php?id=tools:ipv4_ping. Several you should try include:

5.5 Testing a Route

Another useful network connectivity test is to determine the path (or route) that a message takes. That is, what routers does the message pass via on the way to the destination. As with ping, ICMP messages are sent to determine this. An application that implements this in Ubuntu is tracepath. Like ping, an ICMP message is sent to the destination and returned, but with tracepath the set of routers along the way also send a response to the source.

The tracepath application can be used by giving a destination IP address or domain name as a parameter:

$ tracepath DESTINATION

As tracepath uses ICMP, it suffers the same drawbacks on SIIT’s network as ping. In some cases, you may get a no reply message from a router. But again, you can use the free web-based applications in Section 5.4.1 to demonstrate tracepath (often referred to as traceroute).

5.6 Converting Between Domain Names and IP Addresses

We know that the Domain Name Service (DNS) is used for mapping domain names (user-friendly addresses) into IP addresses (computer-readable addresses). It is also possible to do the opposite, often referred to as reverse DNS: map IP addresses to the corresponding domain name.

There are several tools for using DNS (or reverse DNS) in Ubuntu, all using slightly different approaches, and producing different output. In this lab we will use nslookup. The basic use of the tools works in the same way: give a domain name as a parameter, and the corresponding IP address will be returned; or give an IP address as a parameter, and the corresponding domain name will be returned.

$ nslookup DOMAIN   # returns IP address 
$ nslookup IPADDRESS # returns domain name

By default, nslookup will try to first use your local DNS server to retrieve the information. How do you know what your local DNS server is? On Ubuntu, the IP addresses of one or more local DNS servers are stored in the file resolv.conf under the directory /etc/. Consider the output of the following resolv.conf file:

$ cat /etc/resolv.conf 
nameserver 10.10.10.9 
nameserver 192.168.20.103

There are two local DNS servers configured: 10.10.10.9 and 192.168.20.103. Requests will be sent to the first DNS server, and if no response, then the second will be tried.

If you want to retrieve the information from a specific DNS server (such as ns.siit.tu.ac.th or ns1.sprintlink.net) then you need to give an additional option:

$ nslookup DOMAIN DNSSERVER

Note that Linux typically uses (at least) two naming services: the common Internet naming service DNS, as well as a simple file that lists a set of names and corresponding addresses. This is called the hosts file. See Section 5.10 for further information.

5.7 Viewing the Routing Table

IP uses a routing table to determine where to send datagrams. This applies to end hosts (like PCs), as well as routers, however a routing table on a host is typically quite simple, since all packets are often sent to a local (default) router.

You can view your routing table using the route command:

$ route -n

The -n option means the output will contain the numerical IP addresses (rather than the default domain names).

By default, route shows the main routing table. However, the operating system also maintains a cache of routing entries, which are based on where previous packets have been sent. When IP has a packet to send, it first checks the routing cache for an entry, and then (if no entry exists in the cache) uses the main routing table. You can view the routing cache using the -C option:

$ route -n -C

The routing cache shows the Gateway used for particular Source and Destination pairs.

In a later lab (Chapter 7) we will use route to modify the routing tables (like adding a new route).

5.8 Converting IP Addresses to Hardware Addresses

Remember that IP addresses are logical addresses. For a computer to send data to another computer on the same LAN/WAN they must use hardware (or MAC) addresses. For example, if computer A wants to send an IP datagram to computer B (on the same network as A) with IP address 192.168.1.3, then computer A must know the hardware address of computer B. Hence, the Address Resolution Protocol (ARP) is used to find the corresponding hardware addresses for a given IP address.

Although we don’t yet cover in detail how ARP works, we can view the information ARP has in your computer using the application arp. Running arp will return a table (called the ARP table or ARP cache) of IP addresses and corresponding hardware addresses that your computer currently knows about:

$ arp -n

ARP automatically updates the table with new entries for you. However, you can also use arp to delete entries from your ARP table and manually add new entries.

5.9 Network Statistics

A tool that allows you to view many different network statistics is netstat. For example, you can view interface statistics (similar to ifconfig), routing table statistics (same as route), connection statistics and TCP/IP packet statistics. Let's look at how to view the last two.

First, you can view the active TCP connections:

$ netstat -n -t

You can also view summary TCP/IP statistics:

$ netstat -s

5.10 Viewing More Network Information: Useful Files

Some additional networking information about your computer can be found in various files on your computer. An important directory that contains a lot of configuration details for your operating system is the /etc directory. Some useful files include:

/etc/hosts
Set a list of local domain names and corresponding IP addresses. Used in addition to DNS. Normally this would be used to give a name to your computer, as well as other computers on your network.
/etc/resolv.conf
Indicates the local DNS server for this computer.
/etc/network/interfaces
Stores information about your computer's network interfaces.
/etc/services
List of port numbers and corresponding servers

5.11 Automatic IP Address Configuration

5.11.1 How Does DHCP Work?

When an operating system is installed on a computer and the computer is first set up (by, for example, the network administrator), the IP address and other relevant network information (such as DNS servers, subnet mask) can be manually entered. In Ubuntu, commands like ifconfig can be used to do this.

But with manual configuration, if any network information changes, the network administrator must then go to each computer to make the changes. With the SIIT Bangkadi network of 300 or more computers, the task of manually configuring each computer if, for example, the DNS server IP address changes, would be enormous!

Therefore, in practice there are ways to automatically configure a computer's network information. The most used method is called Dynamic Host Configuration Protocol or DHCP. The basic process using DHCP is as follows:

  1. One computer on the network is configured as a DHCP Server. This contains information about the possible IP addresses that can be allocated to other computers, and the DNS servers to be used. Usually, the DHCP Server is a router on the network.
  2. All the hosts in the network are configured to use a DHCP Client. When the computers are first set up by the network administrator, no information about IP address, DNS server is given.
  3. When a host boots, the DHCP Client broadcasts a request for an IP address. In other words the host sends a message to everyone else on the network saying: “I need an IP address (and other information)”.
  4. The DHCP Server is the only computer that responds: the DHCP Server selects an IP address for the host and sends it, including the network DNS server, subnet mask etc. to the host.
  5. The DHCP Client configures its network interface using the information sent to it by the DHCP Server. The host now has an IP address.

The information assigned to the host by the DHCP Server has a lifetime. This is called a lease—for example, the host “leases” an IP address for 1 day. Before the lease expires, the DHCP Client will typically renew the lease. In this way, if a change of configuration information (such as DNS server) is needed, the network administrator simply modifies the DHCP Server—the DHCP Clients in each host will retrieve the updated information from the DHCP Server.

Many computers now use DHCP to obtain an IP address, so the computer user does not need to worry about configuring their own IP address. For example, when you connect to the SIIT network with your laptop, typically you do not configure an IP address—DHCP is used.

5.11.2 Viewing Interface Information

By default, DHCP is used on the PCs in the Network Lab. We saw in Section 5.2 how to view the current network interface configuration using ifconfig (that is, the IP address after DHCP has obtained it). However the file /etc/network/interfaces indicates whether a dynamic (DHCP) IP address should be used, or some static (configured by the user) IP address should be used when the computer starts.

The format of a DHCP configured interface in /etc/network/interfaces is:

auto INTERFACE 
iface INTERFACE inet dhcp

The interface labels (eth0, eth1, eth2, ...) may vary across computers and even when you reboot. That is, now one network card may be referred to by eth0 and after re-booting the same card may be referred to by eth1.

To disable the use of DHCP and use static addresses, you can edit the file and change the iface section:

iface INTERFACE inet static
      address IPADDRESS
      netmask SUBNETMASK

5.11.3 Viewing DHCP Information

Now let's look at some DHCP information. The current DHCP leases are stored in /var/lib/dhcp/dhclient.X.lease where X is the interface identifier (e.g. eth2 or eth3). Note that the lease file may contain more than one entry—the last entry is the lease currently in use.

One way to refresh a leased IP address is to refresh the interface. Another is to use dhclient, where you can optionally specify the interface to renew/refresh the lease for:

$ sudo dhclient
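As an added example (not part of the original lab handout), the script below reads a dhclient lease file and reports only the last entry, which is the lease currently in use. The sample file is constructed: the DNS servers are the ones from the resolv.conf example in Section 5.6, and the other addresses and dates are made up.

```shell
#!/bin/sh
# Added example: report the lease currently in use from a dhclient lease file.

# Constructed sample lease file with two entries (values are made up).
sample_leases() {
cat <<'EOF'
lease {
  interface "eth1";
  fixed-address 10.10.6.21;
  option subnet-mask 255.255.255.0;
  option routers 10.10.6.1;
  option domain-name-servers 10.10.10.9,192.168.20.103;
  option dhcp-lease-time 86400;
  renew 2 2014/08/12 03:10:00;
  expire 2 2014/08/12 15:10:00;
}
lease {
  interface "eth1";
  fixed-address 10.10.6.37;
  option subnet-mask 255.255.255.0;
  option routers 10.10.6.1;
  option domain-name-servers 10.10.10.9,192.168.20.103;
  option dhcp-lease-time 86400;
  renew 3 2014/08/13 03:12:00;
  expire 3 2014/08/13 15:12:00;
}
EOF
}

# Read a lease file on stdin and print key=value lines for the LAST entry.
# Every "lease {" line resets the fields, so only the final entry survives.
current_lease() {
    awk '
        { sub(/;[ \t]*$/, "") }    # drop the trailing semicolon
        $1 == "lease" && $2 == "{" { n++; addr = mask = gw = dns = secs = expiry = ""; next }
        $1 == "fixed-address"                         { addr = $2 }
        $1 == "option" && $2 == "subnet-mask"         { mask = $3 }
        $1 == "option" && $2 == "routers"             { gw = $3 }
        $1 == "option" && $2 == "domain-name-servers" { dns = $3 }
        $1 == "option" && $2 == "dhcp-lease-time"     { secs = $3 }
        $1 == "expire"                                { expiry = $3 " " $4 }
        END {
            if (n == 0) exit 1     # no lease entries in the input
            printf "entries=%d\naddress=%s\nnetmask=%s\nrouter=%s\n", n, addr, mask, gw
            printf "dns=%s\nlease_seconds=%s\nexpire=%s\n", dns, secs, expiry
        }
    '
}

# Print one field of the current lease, e.g. "lease_field address".
lease_field() { current_lease | sed -n "s/^$1=//p"; }

# Pass a lease file path as the first argument, or run on the sample.
if [ -n "${1:-}" ]; then current_lease < "$1"; else sample_leases | current_lease; fi
```

Run it before and after renewing the lease to see the entry count and expiry time change.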

5.11.4 Setting a Static IP Address

We may not always want to use a dynamic (DHCP assigned) IP address. In the lab, the best way to assign a static IP address is using ifconfig. We saw before that ifconfig can be used for viewing interface configuration information—it can also be used for setting interface configuration information. An example to set the IP address 10.20.30.40 (with subnet mask 255.0.0.0) to interface eth1 is:

$ sudo ifconfig eth1 10.20.30.40 netmask 255.0.0.0

You can also use ifconfig to enable/disable interfaces by adding up/down to the end of the command (in Linux terminology this is referred to as “bring an interface up or down”). For example, to turn off/disable/bring down the interface:

$ sudo ifconfig eth1 down

And to turn on the interface (and setting a different IP address at the same time):

$ sudo ifconfig eth1 10.20.30.41 netmask 255.0.0.0 up

5.12 Tasks

Task 5.1. View the configuration details, including addresses, of your computer's network interfaces.

Task 5.2. Test the network connectivity between your computer and several other computers: another PC in the lab; the SIIT webserver; external web servers.

Task 5.3. Using one of the publicly available websites for ping/traceroute, test the connectivity to several external websites.

Task 5.4. Trace the path between several pairs of source/destination nodes.

Task 5.5. Find the IP addresses of several web servers (domains), using several different DNS servers.

Task 5.6. Try a reverse DNS lookup.

Task 5.7. View your routing table and routing cache.

Task 5.8. View your ARP cache. Find the hardware address of another computer in the lab using ARP.

Task 5.9. View the active TCP connections that your computer has, especially after you visited a website.

Task 5.10. View and browse through the summary network statistics.

Task 5.11. View the DHCP lease information for your computer, and see how it changes as you renew/refresh the lease.