Network Performance Analysis: Unix/IP Preparation Course

This document provides an overview of tools for analyzing network performance issues locally on Unix systems. It discusses using vmstat, top, and netstat to monitor processes, memory usage, I/O, CPU utilization, network connections, and more. The tools help identify potential problems like insufficient CPU or memory and diagnose issues before blaming the network. Key indicators of problems and useful options for each tool are outlined.

Copyright
© Attribution Non-Commercial (BY-NC)
Network Performance Analysis

Unix/IP Preparation Course


July 19, 2009
Eugene, Oregon, USA

[email protected]

nsrc@summer workshop
eugene, oregon
Local analysis

As we know... Before we blame the network, let's verify
whether the problem is ours.

What can go wrong locally?
- Hardware problems
- Excessive load (CPU, memory, I/O)

What's considered 'normal'?
- Use analysis tools frequently
  - Become familiar with the normal state and values for your machine.
- It is essential to maintain history
  - SNMP agents and databases

Performance analysis in Unix
- Three main categories:
  - Processes
    - Processes that are executing (running)
    - Processes that are waiting (sleeping)
      - waiting their turn
      - blocked
  - Memory
    - Real
    - Virtual
  - I/O (Input/Output)
    - Storage
    - Network

Key indicators

Insufficient CPU
- Number of processes waiting to execute is always high
- High CPU utilization (load avg.)

Insufficient memory
- Very little free memory
- Lots of swap activity (swap in, swap out)

Slow I/O
- Lots of blocked processes
- High number of block transfers

Local analysis
- Luckily, in Unix there are dozens of useful tools that give us lots of useful information about our machine
- Some of the more well-known include:
  - vmstat
  - top
  - lsof
  - netstat
  - tcpdump
  - wireshark (ethereal)
  - iptraf
  - ntop
  - iperf

vmstat
- Shows periodic summary information about processes, memory, paging, I/O, CPU state, etc.

  vmstat <-options> <delay> <count>

# vmstat 2
procs -----------memory---------- ---swap-- -----io---- --system-- ----cpu----
 r  b   swpd   free   buff  cache   si   so    bi    bo   in    cs us sy id wa
 2  0 209648  25872 571360 2804920    0    0     0   178  220 90521 16 18 66  0
(the slide's other sample rows are garbled beyond recovery in the source and are omitted)
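The three indicators from the 'Key indicators' slide applied to vmstat rows, as an added example that is not part of the original slides: it parses `vmstat <delay>` output (a constructed sample below, not the slide's capture) and flags insufficient CPU, insufficient memory and slow I/O. The thresholds and the function names are assumptions chosen for illustration.

```python
import sys

# Constructed sample of `vmstat 2` output (not the slide's capture): two header
# lines, the since-boot average row, then three live samples.
SAMPLE = """\
procs -----------memory---------- ---swap-- -----io---- --system-- ----cpu----
 r  b   swpd   free   buff  cache   si   so    bi    bo   in   cs us sy id wa
 2  0 209648  25552 571332 2804876    0    0     3     4    3    3 11 15 73  0
 9  0 209648  24680 571332 2804900    0    0     0     0  444  273 80 16  4  0
 8  4 209648   4100 571336 2804904  512  640  4096  2048 1234  439 40 20 10 30
 7  3 209648   3900 571348 2804912  480  700  3900  2100  500  270 38 22 10 30
"""

# Thresholds are assumptions for illustration; tune them to your own baseline,
# which is why the slides say to learn what is 'normal' for each machine.
CPU_RUNQ = 4        # r above this in every sample -> insufficient CPU
MEM_FREE_KB = 8192  # free below this, together with swap activity -> memory
IO_BLOCKED = 2      # b above this in most samples -> slow I/O
IO_BLOCKS = 1000    # bi+bo above this in any sample -> heavy block transfers


def parse_vmstat(text):
    """Return live sample rows as dicts keyed by the column names in header line 2."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    cols = lines[1].split()
    rows = []
    for ln in lines[2:]:
        vals = ln.split()
        if len(vals) != len(cols):
            continue  # skip partial or garbled lines
        rows.append(dict(zip(cols, map(int, vals))))
    # the first row vmstat prints is the average since boot, not a live reading
    return rows[1:] if len(rows) > 1 else rows


def key_indicators(rows):
    """Evaluate the three indicators from the 'Key indicators' slide."""
    n = len(rows)
    always_runq = bool(rows) and all(r["r"] > CPU_RUNQ for r in rows)
    swap_active = any(r["si"] + r["so"] > 0 for r in rows)
    low_free = any(r["free"] < MEM_FREE_KB for r in rows)
    mostly_blocked = sum(r["b"] > IO_BLOCKED for r in rows) * 2 > n
    transfers = any(r["bi"] + r["bo"] > IO_BLOCKS for r in rows)
    return {
        "insufficient_cpu": always_runq,
        "insufficient_memory": low_free and swap_active,
        "slow_io": mostly_blocked or transfers,
    }


def diagnose(text):
    return key_indicators(parse_vmstat(text))


if __name__ == "__main__":
    # pipe real output in: vmstat 2 5 | python3 this_script.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    for name, hit in diagnose(text).items():
        print(f"{name:20s} {'YES' if hit else 'no'}")
```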

top
- Basic performance tool for Unix/Linux environments
- Periodically shows a list of system performance statistics:
  - CPU use
  - RAM and SWAP memory usage
  - Load average (cpu utilization)
  - Information by process

Load Average
- Average number of active processes in the last 1, 5 and 15 minutes
- A simple yet useful measurement
- Depending on the machine, the acceptable range considered to be normal can vary:
  - Multi-processor machines can handle more active processes per unit of time (than single processor machines)

top
- Information by process (most relevant columns shown):
  - PID: Process ID
  - USER: user running (owner of) the process
  - %CPU: Percentage of CPU utilization by the process since the last sample
  - %MEM: Percentage of physical memory (RAM) used by the process
  - TIME: Total CPU time used by the process since it was started

top
- Some useful interactive commands
  - f : Add or remove columns
  - F : Specify which column to order by
  - < , > : Move the column on which we order
  - u : Specify a specific user
  - k : Specify a process to kill (stop)
  - d , s : Change the display update interval

netstat
- Shows us information about:
  - Network connections
  - Routing tables
  - Interface (NIC) statistics
  - Multicast group members

netstat
Some useful options
-n: Show addresses, ports and userids in numeric form
-r: Routing table
-s: Statistics by protocol
-i: Status of interfaces
-l: Listening sockets
--tcp, --udp: Specify the protocol
-A: Address family [inet | inet6 | unix | etc.]
-p: Show the name of each process for each port
-c: Show output/results continuously

netstat
Examples:
# netstat -n --tcp -c
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0    272 ::ffff:192.188.51.40:22     ::ffff:128.223.60.27:60968  ESTABLISHED
tcp        0      0 ::ffff:192.188.51.40:22     ::ffff:128.223.60.27:53219  ESTABLISHED

# netstat -lnp --tcp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address   Foreign Address   State    PID/Program name
tcp        0      0 0.0.0.0:199     0.0.0.0:*         LISTEN   11645/snmpd
tcp        0      0 0.0.0.0:3306    0.0.0.0:*         LISTEN   1997/mysqld

# netstat -ic
Kernel Interface table
Iface   MTU Met   RX-OK RX-ERR RX-DRP RX-OVR  TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0   1500   0 2155901      0      0      0 339116      0      0      0 BMRU
lo    16436   0   18200      0      0      0  18200      0      0      0 LRU
eth0   1500   0 2155905      0      0      0 339117      0      0      0 BMRU
lo    16436   0   18200      0      0      0  18200      0      0      0 LRU
eth0   1500   0 2155907      0      0      0 339120      0      0      0 BMRU
lo    16436   0   18200      0      0      0  18200      0      0      0 LRU
eth0   1500   0 2155910      0      0      0 339122      0      0      0 BMRU
lo    16436   0   18200      0      0      0  18200      0      0      0 LRU
eth0   1500   0 2155913      0      0      0 339124      0      0      0 BMRU

netstat
Examples:
# netstat --tcp --listening --program
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address   State    PID/Program name
tcp        0      0 *:5001                  *:*               LISTEN   13598/iperf
tcp        0      0 localhost:mysql         *:*               LISTEN   5586/mysqld
tcp        0      0 *:www                   *:*               LISTEN   7246/apache2
tcp        0      0 t60-2.local:domain      *:*               LISTEN   5378/named
tcp        0      0 t60-2.local:domain      *:*               LISTEN   5378/named
tcp        0      0 localhost:domain        *:*               LISTEN   5378/named
tcp        0      0 localhost:ipp           *:*               LISTEN   5522/cupsd
tcp        0      0 localhost:smtp          *:*               LISTEN   6772/exim4
tcp        0      0 localhost:953           *:*               LISTEN   5378/named
tcp        0      0 *:https                 *:*               LISTEN   7246/apache2
tcp6       0      0 [::]:ftp                [::]:*            LISTEN   7185/proftpd
tcp6       0      0 [::]:domain             [::]:*            LISTEN   5378/named
tcp6       0      0 [::]:ssh                [::]:*            LISTEN   5427/sshd
tcp6       0      0 [::]:3000               [::]:*            LISTEN   17644/ntop
tcp6       0      0 ip6-localhost:953       [::]:*            LISTEN   5378/named
tcp6       0      0 [::]:3005               [::]:*            LISTEN   17644/ntop

lsof (List Open Files)
- lsof is particularly useful because in Unix everything is a file: unix sockets, ip sockets, directories, etc.
- Allows you to associate open files by:
  - -p: PID (Process ID)
  - -i : A network address (protocol:port)
  - -u: A user

lsof
- Example:
  - First, using netstat -ln --tcp determine that port 6010 is open and waiting for a connection (LISTEN)

# netstat -ln --tcp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:6010          0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:6011          0.0.0.0:*               LISTEN

lsof
Determine what process has the port (6010) open
and what other resources are being used:
# lsof -i tcp:6010
COMMAND   PID USER   FD   TYPE DEVICE SIZE NODE NAME
sshd    10301 root    6u  IPv4  53603       TCP localhost.localdomain:x11-ssh-offset (LISTEN)
sshd    10301 root    7u  IPv6  53604       TCP [::1]:x11-ssh-offset (LISTEN)

# lsof -p 10301
COMMAND   PID USER   FD   TYPE DEVICE   SIZE    NODE NAME
sshd    10301 root  cwd    DIR    8,2   4096       2 /
sshd    10301 root  rtd    DIR    8,2   4096       2 /
sshd    10301 root  txt    REG    8,2 379720 1422643 /usr/sbin/sshd
sshd    10301 root  mem    REG    8,2  32724 1437533 /usr/lib/libwrap.so.0.7.6
sshd    10301 root  mem    REG    8,2  15088 3080329 /lib/libutil-2.4.so
sshd    10301 root  mem    REG    8,2  75632 1414093 /usr/lib/libz.so.1.2.3
sshd    10301 root  mem    REG    8,2  96040 3080209 /lib/libnsl-2.4.so
sshd    10301 root  mem    REG    8,2 100208 1414578 /usr/lib/libgssapi_krb5.so.2.2
sshd    10301 root  mem    REG    8,2  11684 1414405 /usr/lib/libkrb5support.so.0.0
sshd    10301 root  mem    REG    8,2  10368 3080358 /lib/libsetrans.so.0
sshd    10301 root  mem    REG    8,2   7972 3080231 /lib/libcom_err.so.2.1
sshd    10301 root  mem    REG    8,2  30140 1420233 /usr/lib/libcrack.so.2.8.0
sshd    10301 root  mem    REG    8,2  11168 3080399 /lib/security/pam_succeed_if.so
...

lsof
What network services am I running?
# lsof -i
COMMAND   PID        USER   FD   TYPE  DEVICE SIZE NODE NAME
firefox  4429      hervey  50u  IPv4 1875852      TCP 192.168.179.139:56890->128.223.60.21:www (ESTABLISHED)
named    5378        bind  20u  IPv6   13264      TCP *:domain (LISTEN)
named    5378        bind  21u  IPv4   13267      TCP localhost:domain (LISTEN)
sshd     5427        root   3u  IPv6   13302      TCP *:ssh (LISTEN)
cupsd    5522        root   3u  IPv4 1983466      TCP localhost:ipp (LISTEN)
mysqld   5586       mysql  10u  IPv4   13548      TCP localhost:mysql (LISTEN)
snmpd    6477        snmp   8u  IPv4   14633      UDP localhost:snmp
exim4    6772 Debian-exim   3u  IPv4   14675      TCP localhost:smtp (LISTEN)
ntpd     6859         ntp  16u  IPv4   14743      UDP *:ntp
ntpd     6859         ntp  17u  IPv6   14744      UDP *:ntp
ntpd     6859         ntp  18u  IPv6   14746      UDP [fe80::250:56ff:fec0:8]:ntp
ntpd     6859         ntp  19u  IPv6   14747      UDP ip6-localhost:ntp
proftpd  7185     proftpd   1u  IPv6   15718      TCP *:ftp (LISTEN)
apache2  7246    www-data   3u  IPv4   15915      TCP *:www (LISTEN)
apache2  7246    www-data   4u  IPv4   15917      TCP *:https (LISTEN)
...
iperf   13598        root   3u  IPv4 1996053      TCP *:5001 (LISTEN)
apache2 27088    www-data   3u  IPv4   15915      TCP *:www (LISTEN)
apache2 27088    www-data   4u  IPv4   15917      TCP *:https (LISTEN)
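What the `lsof -i` listing tells you about exposure, as an added example that is not from the slides: it parses `lsof -i` output into a service inventory and separates sockets bound to every interface from those reachable only over loopback. The embedded sample is a constructed excerpt modelled on the listing above; the regular expression, the scope classification and the function names are assumptions.

```python
import re

# One lsof -i row: COMMAND PID USER FD TYPE DEVICE [SIZE] NODE NAME [(STATE)].
# SIZE is usually blank for sockets, so it is optional in the pattern.
LSOF_RE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+(?P<user>\S+)\s+(?P<fd>\S+)\s+(?P<type>IPv[46])\s+"
    r"(?P<dev>\S+)\s+(?:\S+\s+)?(?P<node>TCP|UDP)\s+(?P<name>\S+)(?:\s+\((?P<state>\w+)\))?\s*$"
)

LOOPBACK = {"localhost", "127.0.0.1", "ip6-localhost", "[::1]"}
WILDCARD = {"*", "[::]", "0.0.0.0"}

# Constructed excerpt in the shape of the slide's `lsof -i` listing
SAMPLE = """\
COMMAND   PID        USER   FD   TYPE  DEVICE SIZE NODE NAME
firefox  4429      hervey  50u  IPv4 1875852      TCP 192.168.179.139:56890->128.223.60.21:www (ESTABLISHED)
named    5378        bind  20u  IPv6   13264      TCP *:domain (LISTEN)
named    5378        bind  21u  IPv4   13267      TCP localhost:domain (LISTEN)
sshd     5427        root   3u  IPv6   13302      TCP *:ssh (LISTEN)
cupsd    5522        root   3u  IPv4 1983466      TCP localhost:ipp (LISTEN)
mysqld   5586       mysql  10u  IPv4   13548      TCP localhost:mysql (LISTEN)
snmpd    6477        snmp   8u  IPv4   14633      UDP localhost:snmp
ntpd     6859         ntp  16u  IPv4   14743      UDP *:ntp
apache2  7246    www-data   3u  IPv4   15915      TCP *:www (LISTEN)
iperf   13598        root   3u  IPv4 1996053      TCP *:5001 (LISTEN)
"""


def split_endpoint(name):
    """'host:port' -> (host, port); handles IPv6 brackets and 'a->b' connections."""
    local = name.split("->")[0]
    host, _, port = local.rpartition(":")
    return host, port


def parse_lsof(text):
    records = []
    for line in text.splitlines():
        m = LSOF_RE.match(line)
        if not m:
            continue  # header line, or a row in a shape we do not model
        rec = m.groupdict()
        rec["host"], rec["port"] = split_endpoint(rec["name"])
        rec["remote"] = rec["name"].split("->")[1] if "->" in rec["name"] else None
        records.append(rec)
    return records


def scope(host):
    """Where a bound socket is reachable from, judged by its local address."""
    if host in WILDCARD:
        return "all-interfaces"
    if host in LOOPBACK:
        return "loopback"
    return "specific"


def service_inventory(records):
    """Listening sockets (TCP in LISTEN, or an unconnected UDP socket) by scope."""
    inv = {"all-interfaces": [], "loopback": [], "specific": []}
    for r in records:
        listening = r["state"] == "LISTEN" or (r["node"] == "UDP" and r["remote"] is None)
        if not listening:
            continue  # established connections such as the firefox row
        inv[scope(r["host"])].append(f"{r['node']} {r['port']} {r['cmd']}/{r['pid']}")
    return inv


if __name__ == "__main__":
    for where, items in service_inventory(parse_lsof(SAMPLE)).items():
        print(where, "->", items)
```

Pipe `lsof -i -P -n` into `parse_lsof` to see numeric ports and addresses instead of the names shown on the slide.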

tcpdump
- Shows the headers of packets received on a given interface. Optionally filter using boolean expressions.
- Allows you to write information to a file for later analysis.
- Requires administrator (root) privileges to use since you must configure network interfaces (NICs) to be in “promiscuous” mode.
  - Note: promiscuous mode is not very useful when you are connected by a switch.

tcpdump
Some useful options:
- -i : Specify the interface (ex: -i eth0)
- -l : Make stdout line buffered (view as you capture)
- -v, -vv, -vvv: Display more information
- -n : Don't convert addresses to names (avoid DNS)
- -nn : Don't translate port numbers
- -w : Write raw packets to a file
- -r : Read packets from a file created by '-w'

tcpdump
Boolean expressions
- Using the 'AND', 'OR', 'NOT' operators
- Expressions consist of one or more primitives, each of which consists of a qualifier and an ID (name or number)

Expression ::= [NOT] <primitive> [ AND | OR | NOT <primitive> ...]
<primitive> ::= <qualifier> <name|number>
<qualifier> ::= <type> | <address> | <protocol>
<type> ::= host | net | port | port range
<address> ::= src | dst
<protocol> ::= ether | fddi | tr | wlan | ip | ip6 | arp | rarp | decnet | tcp | udp

tcpdump
Examples:
- Show all HTTP traffic that originates from 192.168.1.1

  # tcpdump -lnXvvv port 80 and src host 192.168.1.1

- Show all traffic originating from 192.168.1.1 except SSH

  # tcpdump -lnXvvv src host 192.168.1.1 and not port 22
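A small evaluator for the boolean filter grammar of the previous slide, added here and not part of the original slides: it parses the two example expressions above and applies them to constructed packet records instead of a live capture. It goes a little beyond the slide's grammar by accepting parentheses and applying tcpdump's precedence (not binds tighter than and, which binds tighter than or); the packet records and the Filter/select names are assumptions.

```python
import ipaddress
import re

TOKEN_RE = re.compile(r"\(|\)|[^\s()]+")

# Constructed packet records standing in for a capture (not real traffic)
PACKETS = [
    {"proto": "tcp", "src": "192.168.1.1", "dst": "10.0.0.5", "sport": 40001, "dport": 80},
    {"proto": "tcp", "src": "192.168.1.1", "dst": "10.0.0.5", "sport": 40002, "dport": 22},
    {"proto": "tcp", "src": "10.0.0.5", "dst": "192.168.1.1", "sport": 80, "dport": 40001},
    {"proto": "udp", "src": "192.168.1.1", "dst": "10.0.0.53", "sport": 5353, "dport": 53},
]


class Filter:
    """Recursive-descent parser for the slide's grammar; precedence not > and > or."""

    PROTOCOLS = {"ip", "ip6", "tcp", "udp", "icmp", "arp", "rarp"}
    PORT_KEY = {"src": "sport", "dst": "dport"}

    def __init__(self, expr):
        self.toks = TOKEN_RE.findall(expr.lower())
        self.pos = 0
        self.pred = self._or()          # a function: packet dict -> bool
        if self.pos != len(self.toks):
            raise ValueError("trailing tokens: " + " ".join(self.toks[self.pos:]))

    def _peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def _take(self):
        tok = self._peek()
        self.pos += 1
        return tok

    def _or(self):                      # or_expr := and_expr ('or' and_expr)*
        left = self._and()
        while self._peek() == "or":
            self._take()
            left = (lambda a, b: lambda p: a(p) or b(p))(left, self._and())
        return left

    def _and(self):                     # and_expr := not_expr ('and' not_expr)*
        left = self._not()
        while self._peek() == "and":
            self._take()
            left = (lambda a, b: lambda p: a(p) and b(p))(left, self._not())
        return left

    def _not(self):                     # not_expr := 'not' not_expr | '(' or_expr ')' | primitive
        if self._peek() == "not":
            self._take()
            inner = self._not()
            return lambda p: not inner(p)
        if self._peek() == "(":
            self._take()
            inner = self._or()
            if self._take() != ")":
                raise ValueError("missing )")
            return inner
        return self._primitive()

    def _primitive(self):               # <primitive> ::= [src|dst] <type> <name|number> | <protocol>
        tok = self._take()
        if tok in self.PROTOCOLS:
            return lambda p: p["proto"] == tok
        dirs = ("src", "dst")           # no <address> qualifier: match either direction
        if tok in dirs:
            dirs, tok = (tok,), self._take()
        value = self._take()
        if tok == "host":
            return lambda p: any(p[d] == value for d in dirs)
        if tok == "net":
            net = ipaddress.ip_network(value, strict=False)
            return lambda p: any(ipaddress.ip_address(p[d]) in net for d in dirs)
        if tok == "port":
            port = int(value)
            return lambda p: any(p[self.PORT_KEY[d]] == port for d in dirs)
        raise ValueError("unknown qualifier: " + str(tok))


def select(expr, packets=PACKETS):
    """Indexes of the packets a filter expression would let through."""
    pred = Filter(expr).pred
    return [i for i, p in enumerate(packets) if pred(p)]
```

For the slide's two examples, `select("port 80 and src host 192.168.1.1")` keeps only the first record and `select("src host 192.168.1.1 and not port 22")` keeps the first and last.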

wireshark
- Wireshark is a graphical packet analyser based on libpcap, the same library that tcpdump utilizes for capturing and storing packets
- The graphical interface has some advantages, including:
  - Hierarchical visualization by protocol (drill-down)
  - Follow a TCP “conversation” (Follow TCP Stream)
  - Colors to distinguish traffic types
  - Lots of statistics, graphs, etc.

wireshark
- Wireshark is the successor to Ethereal.
- The combination of tcpdump and wireshark can be quite powerful. For example, capture port 21 traffic with tcpdump (-w writes the raw packets to a file) and then open the file in wireshark:

  # tcpdump -i eth1 -A -s1500 -w dump.log port 21

  $ sudo wireshark -r dump.log

wireshark (screenshot)
iptraf
- Many measurable statistics and functions
  - By protocol/port
  - By packet size
  - Generates logs
  - Utilizes DNS to translate addresses
- Advantages
  - Simplicity
  - Menu-based (uses “curses”)
  - Flexible configuration

iptraf
- You can run it periodically in the background (-B)
  - This allows you, for example, to run it as a cron job and periodically analyze the logs.
- Generates alarms
- Saves to a database
- Has a great name... “Interactive Colorful IP LAN Monitor”
- etc...
Example: iptraf -i eth1

ntop: Network Top
- Equivalent to top, but for network information
- Information by node, network protocol, IP protocol, statistics, graphs, etc.
- Web interface with an integrated web server
- Supports SSL
- Multiple plug-ins are available to extend its functionality
- Creates RRD files
- NetFlow analysis

ntop
- It can run as a service (daemon), with SSL:
  - -d : daemon
  - -W <port> : listen on <port> in SSL mode (3005 below)

  ntop -d -W 3005

- To see the web interface go to:
  - http://localhost:3000
  - https://localhost:3005

ntop (screenshot)
ntop
Includes an option that creates a file with information about “suspicious packets”:
-q | --create-suspicious-packets
This parameter tells ntop to create a dump file of suspicious packets.
There are many, many things that cause a packet to be labeled as 'suspicious', including:
- Detected ICMP fragment
- Detected Land Attack against host
- Detected overlapping/tiny packet fragment
- Detected traffic on a diagnostic port
- Host performed ACK/FIN/NULL scan
- Host rejected TCP session
- HTTP/FTP/SMTP/SSH detected at wrong port
- Malformed TCP/UDP/ICMP packet (packet too short)
- Packet # %u too long
- Received a ICMP protocol Unreachable from host
- Sent ICMP Administratively Prohibited packet to host
- Smurf packet detected for host
- TCP connection with no data exchanged
- TCP session reset without completing 3-way handshake
- Two MAC addresses found for the same IP address
- UDP data to a closed port
- Unknown protocol (no HTTP/FTP/SMTP/SSH) detected (on port 80/21/25/22)
- Unusual ICMP options

ntop
- After you've completed a capture of packets using the “-q” option, it's possible to analyze suspicious packets in more detail with wireshark:

  # wireshark -r /usr/local/var/ntop/ntop-suspicious-pkts.deveth0.pcap

iperf
- Measures network throughput between two points
- iperf has two modes, server and client
- Easy to use
- Great to help determine optimal TCP parameters
  - TCP window size for optimal throughput

iperf
- Using UDP you can generate packet loss and jitter reports
- You can run multiple parallel sessions using threads
- Supports IPv6

Iperf parameters
Usage: iperf [-s|-c host] [options]
       iperf [-h|--help] [-v|--version]

Client/Server:
  -f, --format    [kmKM]   format to report: Kbits, Mbits, KBytes, MBytes
  -i, --interval  #        seconds between periodic bandwidth reports
  -l, --len       #[KM]    length of buffer to read or write (default 8 KB)
  -m, --print_mss          print TCP maximum segment size (MTU - TCP/IP header)
  -p, --port      #        server port to listen on/connect to
  -u, --udp                use UDP rather than TCP
  -w, --window    #[KM]    TCP window size (socket buffer size)
  -B, --bind      <host>   bind to <host>, an interface or multicast address
  -C, --compatibility      for use with older versions does not sent extra msgs
  -M, --mss       #        set TCP maximum segment size (MTU - 40 bytes)
  -N, --nodelay            set TCP no delay, disabling Nagle's Algorithm
  -V, --IPv6Version        Set the domain to IPv6

Server specific:
  -s, --server             run in server mode
  -U, --single_udp         run in single threaded UDP mode
  -D, --daemon             run the server as a daemon

Client specific:
  -b, --bandwidth #[KM]    for UDP, bandwidth to send at in bits/sec
                           (default 1 Mbit/sec, implies -u)
  -c, --client    <host>   run in client mode, connecting to <host>
  -d, --dualtest           Do a bidirectional test simultaneously
  -n, --num       #[KM]    number of bytes to transmit (instead of -t)
  -r, --tradeoff           Do a bidirectional test individually
  -t, --time      #        time in seconds to transmit for (default 10 secs)
  -F, --fileinput <name>   input the data to be transmitted from a file
  -I, --stdin              input the data to be transmitted from stdin
  -L, --listenport #       port to recieve bidirectional tests back on
  -P, --parallel  #        number of parallel client threads to run
  -T, --ttl       #        time-to-live, for multicast (default 1)

iperf - TCP
$ iperf -s
------------------------------------------------------------
Server listening on TCP port 5001
TCP window size: 85.3 KByte (default)
------------------------------------------------------------
[ 4] local 128.223.157.19 port 5001 connected with 201.249.107.39 port 39601
[ 4] 0.0-11.9 sec 608 KBytes 419 Kbits/sec
------------------------------------------------------------

# iperf -c nsrc.org
------------------------------------------------------------
Client connecting to nsrc.org, TCP port 5001
TCP window size: 16.0 KByte (default)
------------------------------------------------------------
[ 3] local 192.168.1.170 port 39601 connected with 128.223.157.19 port 5001
[ 3] 0.0-10.3 sec 608 KBytes 485 Kbits/sec

Iperf - UDP
# iperf -c host1 -u -b100M
------------------------------------------------------------
Client connecting to nsdb, UDP port 5001
Sending 1470 byte datagrams
UDP buffer size: 106 KByte (default)
------------------------------------------------------------
[ 3] local 128.223.60.27 port 39606 connected with 128.223.250.135 port 5001
[ 3] 0.0-10.0 sec 114 MBytes 95.7 Mbits/sec
[ 3] Sent 81377 datagrams
[ 3] Server Report:
[ 3] 0.0-10.0 sec 114 MBytes 95.7 Mbits/sec 0.184 ms 1/81378 (0.0012%)

$ iperf -s -u -i 1
------------------------------------------------------------
Server listening on UDP port 5001
Receiving 1470 byte datagrams
UDP buffer size: 108 KByte (default)
------------------------------------------------------------
[ 3] local 128.223.250.135 port 5001 connected with 128.223.60.27 port 39606
[ 3] 0.0- 1.0 sec 11.4 MBytes 95.4 Mbits/sec 0.184 ms 0/ 8112 (0%)
[ 3] 1.0- 2.0 sec 11.4 MBytes 95.7 Mbits/sec 0.177 ms 0/ 8141 (0%)
[ 3] 2.0- 3.0 sec 11.4 MBytes 95.6 Mbits/sec 0.182 ms 0/ 8133 (0%)
...
[ 3] 8.0- 9.0 sec 11.4 MBytes 95.7 Mbits/sec 0.177 ms 0/ 8139 (0%)
[ 3] 9.0-10.0 sec 11.4 MBytes 95.7 Mbits/sec 0.180 ms 0/ 8137 (0%)
[ 3] 0.0-10.0 sec 114 MBytes 95.7 Mbits/sec 0.184 ms 1/81378 (0.0012%)
