Continuous Trace Route for Google Command Prompt
Traceroute Command
Scanning
James Broad , Andrew Bindner , in Hacking with Kali, 2014
Traceroute
Traceroute uses ICMP's ping to find out how many different devices are between the computer initiating the traceroute and the target. This command works by manipulating the packet's time to live value, or TTL. The TTL is the number of times the packet can be rebroadcast by the next host encountered on the network, or hops. The command starts with a TTL value of 1, indicating the packet can only go as far as the next device between the initiator and the target. The receiving device sends back an ICMP type 11, code 0 packet (time exceeded), and the packet is logged. The sender increases the TTL by 1 and sends the next series of packets. The packets reach their expected time to live at the next hop along the network, which in turn causes the receiving router to send another time exceeded reply. This continues until the target is reached and all hops along the way have been recorded, creating a listing of all devices between the initiating computer and the target. This can be helpful for a penetration tester when determining what devices are on a network. Windows platforms have a default TTL of 128, Linux platforms start with a TTL of 64, and Cisco networking devices have a whopping TTL of 255.
The traceroute command in Windows is tracert. On a Linux system, like Kali, the command is traceroute. A typical tracert on a Windows machine would look like the following.

tracert www.google.com

Tracing route to www.google.com [74.125.227.179]
over a maximum of 30 hops:

  1     1 ms    <1 ms     1 ms  192.168.1.1
  2     7 ms     6 ms     6 ms  10.10.1.2
  3     7 ms     8 ms     7 ms  10.10.1.45
  4     9 ms     8 ms     8 ms  10.10.25.45
  5     9 ms    10 ms     9 ms  10.10.85.99
  6    11 ms    51 ms    10 ms  10.10.64.2
  7    11 ms    10 ms    10 ms  10.10.5.88
  8    11 ms    10 ms    11 ms  216.239.46.248
  9    12 ms    12 ms    12 ms  72.14.236.98
 10    18 ms    18 ms    18 ms  66.249.95.231
 11    25 ms    24 ms    24 ms  216.239.48.4
 12    48 ms    46 ms    46 ms  72.14.237.213
 13    50 ms    50 ms    50 ms  72.14.237.214
 14    48 ms    48 ms    48 ms  64.233.174.137
 15    47 ms    47 ms    46 ms  dfw06s32-in-f19.1e100.net [74.125.227.179]

Trace complete.
Many of the scanning tools on Kali make use of protocols like TCP, UDP, and ICMP to map out target networks. The result of a successful scanning phase is a listing of hosts, IP addresses, operating systems, and services. Some scanning tools can also uncover vulnerabilities and user details. These details greatly enhance the exploitation phase, since attacks in that phase can be better targeted at specific hosts, technologies, or vulnerabilities.
Read full chapter: https://www.sciencedirect.com/science/article/pii/B9780124077492000082
Domain 4: Communication and Network Security (Designing and Protecting Network Security)
Eric Conrad , ... Joshua Feldman , in CISSP Study Guide (Third Edition), 2016
Traceroute
The traceroute command uses ICMP Time Exceeded messages to trace a network route. As discussed during IP, the Time to Live field is used to avoid routing loops: every time a packet passes through a router, the router decrements the TTL field. If the TTL reaches zero, the router drops the packet and sends an ICMP Time Exceeded message to the original sender.
Traceroute takes advantage of this TTL feature in a clever way. Assume a client is four hops away from a server: the client's traceroute client sends a packet to the server with a TTL of 1. Router A decrements the TTL to 0, drops the packet, and sends an ICMP Time Exceeded message to the client. Router A is now identified.
The client then sends a packet with a TTL of 2 to the server. Router A decrements the TTL to 1 and passes the packet to router B. Router B decrements the TTL to 0, drops it, and sends an ICMP Time Exceeded message to the client. Router B is now identified. This process continues until the server is reached, as shown in Figure 5.10, identifying all routers along the route.
Most traceroute clients (such as UNIX and Cisco) send UDP packets outbound. The outbound packets will be dropped, so the protocol does not matter. The Windows tracert client sends ICMP packets outbound; Figure 5.11 shows Windows tracert output for a route to www.syngress.com. Both client types usually send three packets for each hop (the three "ms" columns in the Figure 5.11 output).
Read full chapter: https://www.sciencedirect.com/science/article/pii/B9780128024379000059
Performance Tuning
Kelly C. Bourne , in Application Administrators Handbook, 2014
17.2.4.2 traceroute
The UNIX/Linux traceroute command (tracert on a Windows computer) identifies the route a packet takes between your computer and the destination computer specified in the command. As a rule, you have very little or no control over how a packet gets from point A to point B. What traceroute offers beyond the ping command is that it lists every hop along the path between the two computers. This can help you identify whether communications are taking too many hops in the wrong direction or whether certain nodes are out of commission. Figure 17.11 shows the output from a traceroute command.
As with many troubleshooting and tuning operations, it is a good idea to use the traceroute command when the network is functioning properly. This will give you a good idea of what the route, the number of hops taken, and the overall times are like when conditions are normal. This will provide you with a basis for comparison so when things aren't working properly you'll recognize the difference.
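As an added example (not code from any of the excerpted chapters), the following Python parses Windows tracert output in the layout shown earlier on this page and compares a fresh run against a saved baseline, which is the practice the paragraph above recommends. It also separates a hop that answers nothing while later hops still answer (a router filtering ICMP) from a genuine latency or path change. The two tracert transcripts, host names and addresses are constructed.

```python
import re
import statistics
from dataclasses import dataclass
from typing import List, Optional

# Constructed tracert transcripts: a baseline taken while the network was healthy,
# and a later run with a silent hop, a lost probe and a changed, slower path.
BASELINE = """\
Tracing route to www.example.test [203.0.113.10]
over a maximum of 30 hops:

  1     1 ms    <1 ms     1 ms  192.168.1.1
  2     7 ms     6 ms     6 ms  10.10.1.2
  3     7 ms     8 ms     7 ms  10.10.1.45
  4    18 ms    18 ms    18 ms  198.51.100.7
  5    47 ms    47 ms    46 ms  edge.example.test [203.0.113.10]

Trace complete.
"""

CURRENT = """\
Tracing route to www.example.test [203.0.113.10]
over a maximum of 30 hops:

  1     1 ms    <1 ms     1 ms  192.168.1.1
  2     7 ms     6 ms     6 ms  10.10.1.2
  3     *        *        *     Request timed out.
  4    19 ms     *       18 ms  198.51.100.7
  5   140 ms   138 ms   141 ms  198.51.100.90
  6   190 ms   188 ms   189 ms  edge.example.test [203.0.113.10]

Trace complete.
"""

# A hop line is: hop number, three probe columns ("N ms", "<1 ms" or "*"), then the host.
HOP_LINE = re.compile(r"^\s*(\d+)\s+((?:(?:<?\d+ ms|\*)\s+){3})(.*?)\s*$")
RTT_TOKEN = re.compile(r"<?\d+ ms|\*")
HOST_WITH_IP = re.compile(r"^(\S+)\s+\[([^\]]+)\]$")


@dataclass
class Hop:
    number: int
    rtts: List[Optional[int]]   # one entry per probe; None means "*" (no reply)
    ip: Optional[str]           # None when every probe timed out
    name: Optional[str] = None  # reverse DNS name, when tracert printed one

    def median_rtt(self) -> Optional[float]:
        answered = [r for r in self.rtts if r is not None]
        return statistics.median(answered) if answered else None

    def lost_probes(self) -> int:
        return sum(1 for r in self.rtts if r is None)


def _parse_rtt(token: str) -> Optional[int]:
    if token == "*":
        return None
    return 0 if token.startswith("<") else int(token.split()[0])  # "<1 ms" -> 0


def parse_tracert(text: str) -> List[Hop]:
    hops = []
    for line in text.splitlines():
        m = HOP_LINE.match(line)
        if not m:
            continue  # banner, blank lines and "Trace complete." carry no hop data
        number = int(m.group(1))
        rtts = [_parse_rtt(t) for t in RTT_TOKEN.findall(m.group(2))]
        target = m.group(3)
        if target == "Request timed out.":
            hops.append(Hop(number, rtts, None))
            continue
        named = HOST_WITH_IP.match(target)
        if named:
            hops.append(Hop(number, rtts, named.group(2), named.group(1)))
        else:
            hops.append(Hop(number, rtts, target))
    return hops


def silent_hops(hops: List[Hop]) -> List[int]:
    """Hops that never replied although a later hop did. The probes clearly passed
    through them, so this is ICMP being filtered, not a dead link."""
    last_reply = max((h.number for h in hops if h.ip is not None), default=0)
    return [h.number for h in hops if h.ip is None and h.number < last_reply]


def compare_routes(baseline: List[Hop], current: List[Hop],
                   factor: float = 2.0, min_delta_ms: int = 20) -> List[str]:
    """Report hop-count, path, packet-loss and latency differences against the baseline."""
    findings = []
    if len(baseline) != len(current):
        findings.append(f"hop count changed: {len(baseline)} -> {len(current)}")
    for old, new in zip(baseline, current):
        n = new.number
        if old.ip != new.ip:
            if new.ip is None:
                findings.append(f"hop {n} no longer replies (was {old.ip})")
            elif old.ip is None:
                findings.append(f"hop {n} now replies from {new.ip}")
            else:
                findings.append(f"hop {n} path changed: {old.ip} -> {new.ip}")
        if 0 < new.lost_probes() < len(new.rtts):
            findings.append(f"hop {n} lost {new.lost_probes()}/{len(new.rtts)} probes")
        om, nm = old.median_rtt(), new.median_rtt()
        if om is not None and nm is not None and nm > om * factor and nm - om > min_delta_ms:
            findings.append(f"hop {n} latency {om:.0f} ms -> {nm:.0f} ms")
    return findings


if __name__ == "__main__":
    current = parse_tracert(CURRENT)
    for finding in compare_routes(parse_tracert(BASELINE), current):
        print(finding)
    print("ICMP-silent hops:", silent_hops(current))
```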
Read full chapter: https://www.sciencedirect.com/science/article/pii/B9780123985453000170
Network Troubleshooting
Naomi J. Alpern , Robert J. Shimonski , in Eleventh Hour Network+, 2010
Troubleshooting the Network Layer
When troubleshooting the network layer, you'll be most concerned with routers and TCP/IP addressing.
- Troubleshooting routers
  - Check for configuration errors or misconfiguration issues on each router.
  - Check for a routing loop by using the tracert or traceroute command.
  - Verify that a route exists to the destination network.
  - Check for connectivity issues between the source and destination networks, where either a router or a network link that's required has failed or gone offline.
- Troubleshooting TCP/IP addressing
  - Use the ipconfig command to verify that the IP address, subnet mask, default gateway, and other settings have been configured correctly.
  - Use the route command to verify that the default gateway and other routing table entries are correct for an individual PC.
Read full chapter: https://www.sciencedirect.com/science/article/pii/B9781597494281000096
Network Reporting and Troubleshooting
Eric Seagren , in Secure Your Network for Free, 2007
Tracetcp
Oftentimes, the ability to know the path that network traffic is traversing is key to troubleshooting connectivity issues. In most cases you can determine this by using the traceroute utility (tracert on Windows systems). When you execute the traceroute command, ICMP (Internet Control Message Protocol) is used to transmit packets to the destination with a Time to Live (TTL) value of 1, and this increases for each hop. When everything goes smoothly, each hop has to reduce the TTL by one, and when it becomes zero, the packet is dropped and a message is sent to the receiver. The problem that often arises is that ICMP is often partially or completely filtered out by intervening routers or firewalls. In this case, you need a way to accomplish the same thing with a protocol that has a higher chance of success.
In these cases, a TCP traceroute can be a lifesaver. It effectively does the same thing, by manipulating the TTL values, but it uses a TCP packet and allows a user-configurable port, which almost every firewall and router will allow if it is a well-chosen port. As an example, if you picked a popular Web site and tried a traceroute, you may get several instances of "request timed out," which indicates that the hop is not responding. In most cases this means that ICMP is being filtered by a firewall. If you instead use a TCP-based traceroute utility and specify a destination port of 80, you may get better results. A good TCP-based traceroute utility for Windows is tracetcp from http://tracetcp.sourceforge.net/. For Linux, a very robust utility is LFT, which stands for "layer four traceroute," which can be downloaded from http://pwhois.org/lft/.
Read full chapter: https://www.sciencedirect.com/science/article/pii/B9781597491235500091
Configuring Cisco Routers
Dale Liu , ... Luigi DiGrande , in Cisco CCNA/CCENT Exam 640-802, 640-822, 640-816 Preparation Kit, 2009
Troubleshooting Routers
Hopefully, once you set up a router, you won't have any more problems with it. But usually, this is not the case. Sometimes, you will have problems during the initial setup or after the router has been running for a while. It's important that you understand some of the methods that can help you in troubleshooting common problems.
Troubleshooting Connection Problems
Routers are basically used to connect multiple networks. Sometimes the router itself may be online but you will experience connection problems. The router may not be able to communicate with various networks or devices. Cisco offers a few User Exec level commands to troubleshoot these connection issues.
- PING – You can use the PING command to send test packets to a particular device. If you get a response back, you know there is a physical connection between the two devices. If no response is returned, this could indicate a problem with the physical connection.
- Traceroute – The traceroute command is used to determine the path between two connections. Often a connection to another device will have to go through multiple routers. The traceroute command will return the names or IP addresses of all the routers between two devices. This also allows you to see where a packet may be misguided.
Solving Boot Problems
A less common, but more serious set of problems revolve around booting the router. If the router does not boot properly, it is basically useless. It is critical that administrators understand what can be done if their router does not boot properly. Therefore, it's also critical that you understand this for the exam.
The Configuration Register
Cisco devices contain what is called a configuration register, which is a 16-bit register that controls router behavior. You can use this to control the terminal baud rate and control broadcast addresses. But, what we are most concerned with is the fact that changing the value of the configuration can alter how the router boots. This can be a very useful tool in solving boot problems.
The first thing you need to know is how to enter read-only memory (ROM) Monitor mode, which allows you to manually manipulate files and the configuration on the router without fully booting the router. You can enter ROM Monitor mode by pressing Ctrl-Break as the router is booting, or setting the configuration to 2100. To do this, enter the following command:
If you are truly in ROM Monitor mode, the IOS prompt will appear as rommon 1> on new routers, but just > on older routers. Once you are in ROM Monitor mode, you can begin manipulating the router files and router configuration.
There are several other useful configuration register settings. Table 4.1 includes a listing of some of the most commonly used ones.
| Setting | Meaning |
|---|---|
| 0x2101 | Load IOS from ROM |
| 0x2100 | Boot to ROM Monitor mode |
| 0x2102 | Default setting |
| 0x2142 | Ignore config in NVRAM on boot |
Booting to a Different IOS Image
In some situations, your router may not boot properly because of the IOS. The IOS could have become corrupt for some reason. Or there may have been a problem trying to upgrade your IOS image. To help with this problem, Cisco devices will allow you to boot using a different OS. Two common options to boot include using a different IOS image located in flash or using an IOS image on a TFTP server.
To boot from a different IOS located in flash, type the following in ROM Monitor mode:
Boot system flash ios-image-name
To boot from an IOS image located on a TFTP server, type the following in ROM Monitor mode:
Boot system tftp ios-image-name tftp-server-address
Resetting the Router Password
Occasionally you may run into a situation where you will have to reset the password of your router. This may be because you have forgotten the password, or the password was changed by someone else and you do not know the new password. As long as you have physical access to the router, you can reset its password. It's very easy to do, although it does require a number of steps.
EXERCISE 4.3
Resetting Your Router Password
Here we will be resetting your router password. We will first bypass your startup configuration and then make the changes.
1. Connect to your router via the console cable.
2. Power off your router.
3. Power your router back on.
4. Use Ctrl-Break to interrupt the boot sequence. You are now in ROM monitor mode.
5. Type confreg 0x2142 at the prompt. This turns on bit 6, which will cause the NVRAM config to be ignored.
6. Reload the router.
7. Enter privileged mode.
8. Enter Global Configuration mode.
9. Copy the startup config to the running config, using copy start run.
10. Change the router passwords.
11. Type confreg 0x2102 to change the configuration register back to normal.
12. Save the current configuration to NVRAM.
13. Reload the router.
Firmware Upgrade
The firmware running on your Cisco device is the Cisco IOS. There will come a time when you will need to upgrade this firmware. This may be necessary in order to get bug fixes or to enable new router features.
The Cisco IOS is basically a file that gets loaded at device initialization. If you want to upgrade your IOS, you simply have to replace this file with a newer file. Cisco developed the Cisco IFS (Cisco IOS File System), to help you manage files on your router. You can use the Cisco IFS to copy the new IOS image to your router.
EXERCISE 4.4
Upgrade Your Router Firmware
Here we will be upgrading your router firmware. This requires us to access the flash memory in your router.
1. At the IOS prompt, type dir. This will list out the contents of your flash memory.
2. Type copy tftp://<ipaddress>//ios-image-name flash:/ios-image-name
3. Confirm the source filename. Press Enter.
4. Confirm the destination filename. Press Enter.
5. Type sh file information flash:ios-image-name to verify the new image was copied and is runnable.
6. Reload the router.
CONFIGURING AND IMPLEMENTING…
Deleting the current IOS image
Flash memory on your Cisco router is limited. Sometimes, to copy a new IOS to your router, you have to delete the current IOS from flash. This is done using the delete command. Type delete flash:IOS-Image-Name at the IOS prompt.
Read full chapter: https://www.sciencedirect.com/science/article/pii/B9781597493062000087
ISE CLI
Andy Richter , Jeremy Wood , in Practical Deployment of Cisco Identity Services Engine (ISE), 2016
Other tools
One of the more basic but helpful commands is "nslookup." DNS resolution is important for ISE, so you can use this to check for normal A/PTR records but also for SRV records for something like AD by running "nslookup _ldap._tcp.lab.local querytype SRV." If you have multiple DNS servers configured, you can also append "name-server 〈ip〉" to the end of the "nslookup" command to target specific servers, so that you can pinpoint whether one of them is returning incorrect information and causing random problems. The "ping" and "traceroute" commands are also useful for ensuring you can correctly connect between nodes.
This next one might be a bit confusing and it's the "patch" command, which is used to install patch releases onto ISE. The confusing part here is that you should not use this command from the CLI unless you have very good reason to. The proper way to patch nodes is through the web UI, where you can upload the patch and ISE takes care of copying the code out to the nodes, installing the patch, and then rebooting the nodes in a sequential order so that your cluster stays in a functioning state while it's happening. The CLI "patch" command on the other hand only applies the patch to the one node you are currently on, a nonideal situation in most cases. If you are installing a patch, you probably want it everywhere. So when will you use this command? You can use this if you have to rebuild a node from scratch and need to bring it up to the same patch level as the rest of the cluster before you join it back. You might also want to use this if you want deterministic control over which nodes get a patch applied and when. The web UI will make sure that you never have all of your PSNs down at the same time but if you are a global company you will probably want to make sure that your PSNs are offline during maintenance windows for specific time zones. In that case you will need to manually install patches.
Telnet is provided by the CLI as well and while normally you should stay away from anything cleartext for running commands "telnet" here will actually give us a simple way to check (some) connectivity between nodes or even to other services such as AD. This image shows us some results.
You can see we are running the commands "telnet 〈host〉 port 〈port〉" in order to do this. In the first attempt we connect to port 80, which has an Apache web server listening, and we can see that telnet connected and basically waited for us. Depending on the remote port you are testing it may act differently, but what's important here is the fact that it did connect, which means we have established that the path from our ISE node to the remote node/server is clear. The next two connections show the other possible (common) outcomes when testing ports with telnet. In both cases the ports can't connect, so we know something is wrong; in the first case there is nothing listening on the port used. If you were running this test against another ISE node, you might get that error if the ISE services hadn't started yet. In the second attempt we used iptables to replicate what you would see with a host behind a firewall/ACL; you will notice the connection wasn't refused but rather telnet gave up connecting after a period of time.
It's normally not recommended but the commands under the "tech" commands can be helpful for people who have *nix experience and are familiar with top/iostat/vmstat. The nice thing about these commands is that the restricted shell just passes the output back to you without formatting/changing it so you get a more "raw" view of what's going on. The only command here you should probably avoid is "tech dumptcp" which outputs packets from a selected interface. In reality it's just running tcpdump but you can control only how many packets, if any, are captured before the command exits. Without any ability to filter packets you will, on anything other than a small lab deployment, be overrun with packets for clients or just normal traffic and miss what you are looking for. If there is a need to debug network communication, it's best to work with TAC and get the root patch installed so you have direct access to tcpdump.
Read full chapter: https://www.sciencedirect.com/science/article/pii/B9780128044575000171
Understanding the Methods and Mindset of the Attacker
Dale Liu , in Cisco Router and Switch Forensics, 2009
Nmap
Nmap is a network scanning tool that is gaining in popularity in computer defense and security. Just about everyone who performs network vulnerability assessments or plays a role in computer/IT security has not only heard of Nmap, but also has used it in one form or another. What used to be a scanning application used only within a command-line environment is now incorporated into other network scanning tools and has graphical front ends for ease of use.
Nmap is an open source product, but it was developed through the efforts of Gordon "Fyodor" Lyon, who wrote the original form of this network mapper. Nmap has since revolutionized the world of network security and computer defense. One of its major features is its ability to be customized for a variety of purposes and tasks. For instance, it can scan in one configuration one moment, and then, with a few simple keystrokes, you can customize it to work in an entirely different mode. Although Nmap has a ton of features, it has a bit of a learning curve for people who have had little experience with network scanning and reconnaissance. The original version of Nmap was command-line interface (CLI) driven, so you had to type in the commands, switches, and flags to start a scanning event. But Nmap was ported out to other platforms, including Microsoft Windows, and a GUI version became available.
If CLI entry of commands isn't for you, you have a few options. If you are working on a Windows PC, Nmap is available with a GUI front end that requires that you simply fill in some blanks and check some options to set up the application.
If you are running a Linux system, you may want to look into the NmapFE or Zenmap package (I am referring to .rpm packages for Fedora Linux fans and .deb packages for those using Knoppix or Ubuntu/Kubuntu). It's the same point-and-click process as the Windows version, but within the Linux environment.
As just noted, Nmap is capable of performing several tricks, but it takes some effort to learn how to use all of its features. Some of its features include a choice of scanning method, timing options, name resolution, spoofing and decoy functions, and various output methods. Figure 7.2 shows several runs of Nmap on a range of network addresses.
Before we discuss some of the scanning mode selections that you can make with Nmap, you should make sure you understand basic networking fundamentals such as TCP flags, connection versus connectionless protocols, and other technical terms. You may want to consult the document on Cisco's Web site at http://www.cisco.com/en/US/docs/internetworking/technology/handbook/Internet-Protocols.html for a refresher. I also recommend you look at this IT Security Basics article that is maintained in the SANS Reading Room. It covers good security information especially on the subject of DOS and MitM attacks: http://www.sans.org/reading_room/whitepapers/basics/information_security_primer_443?show=443.php&cat=basics.
Nmap can scan both hosts and networks in a variety of ways. You can configure certain controls, such as speed and aggressiveness, via CLI or through a front end. For instance, Nmap incorporates six different timing templates. You refer to the templates using the -T switch, and they work to govern the flow of Nmap packets down range to their target. The range goes from five minutes per probe packet (T0) to five milliseconds (T5) per probe packet, so you have a great deal of control over how quickly a scan is kicked off and how much noise it makes to the intrusion detection system/intrusion prevention systems (IDS/IPS) keeping watch over the network. This allows someone who wants to run a scan slowly to do so in order to avoid detection. This flexibility sets them apart from the crazies among us who like to saturate the network with our Nmap probes. Scanning the network too quickly also makes those crazies liable to be detected much quicker as a direct result.
Nmap is also capable of scanning hosts in a number of ways to meet certain requirements and circumstances. Nmap can scan its target hosts using Transmission Control Protocol (TCP) packets, User Datagram Protocol (UDP) packets, IP packets, and other configurations. When it comes to TCP probe packets, Nmap can form the packets with specific TCP flags set, such as the SYN, RST, ACK, FIN, URG, and PSH, in whatever configuration suits your fancy. The reason for this is that some firewalls or access control lists (ACLs) are set to inspect the contents of the flags and make their decision to pass, drop, or reject based on certain criteria. One particular Nmap scan configuration is called XMAS because the FIN, PSH, and URG flags are set (brightly lit, like a Christmas tree), and this may or may not escape packet inspection. Some IDSs will key in on this as they may have a configured detection signature that triggers on seeing this combination; this is called an NMAP XMAS-Tree scan. But this, too, can be avoided by setting a flag override.
Once when I was at a former work site, I was informed (and disappointed to learn) that the network security staff decided to limit the rest of the staff's ability to troubleshoot network connectivity by blocking Internet Control Message Protocol (ICMP) ping traffic in and out of the routers throughout the campus network. So, one day the traceroutes would no longer work as the policy was enforced. However, on a particularly hot day, I discovered that when I second-naturedly typed in a traceroute command on an Apple Mac running OS 10, I found that it was working across the subnets and all over the network. As it turns out, the security admin had overlooked the fact that Windows systems use UDP packets for their tracert command, but OS 10 pushes out ICMP packets, and they were being overlooked. My colleagues and I became highly interested in what else we could pass.
The moral of this story is to ensure that your policy works as expected in all forms, from soup to nuts. If you fail to completely battle-test your new ACL or your firewall rule, someone like your boss is going to ruin your day and you may have some difficult questions to answer in the event of a horrendous compromise.
Another important feature of Nmap is its ability to scan ports and tell you all sorts of things about the host that maintains them. Nmap can not only scan any of the 65,536 ports on a host, but it can also derive certain information from them. Remember that ports are usually in one of several states: open (accepting connections), closed (as in closed for business), and filtered (which may be another way of saying "firewalled"). In some cases, a port may be reported as unfiltered, meaning that Nmap cannot determine whether it is filtered, and is not completely sure it is open to make connections. Not only can Nmap report on this, but it can easily go further and determine what type of operating system controls the network services on the target hosts. Different operating systems have different responses to certain network events, and by closely examining the subtle timing differences and responses returned to its probes, an Nmap process can make a decent, intelligent determination of the operating system it is probing. Nmap can go even further and perform service detection on ports. How many times have you heard someone say that he was going to hide a network service by putting it on a non-standard, not-so-well-known port in an effort to reduce attacks on his system? Well, Nmap is capable of detecting whether someone has tried this by setting a Secure Shell (SSH) server to run on port 53, as it knows the differences between SSH and domain name system (DNS) servers.
Tons of techs I run into are thrilled with Nmap's OS detection feature (available by invoking the -O switch). Well, Nmap also offers a service fingerprinting feature (available by invoking the -sV switch). This can help to confirm the OS detection results as well as give you insight into the precise services that are running on the system.
Nmap is also known for its output and reporting features. The software can give you its scan results in a variety of ways. As you saw in Figure 7.2, each port status appears on a line by itself, and usually that is okay for a visual display. But when you are scanning dozens to thousands of hosts, you will not want to look at this information line by line when you can run the results through a text-searching tool to categorize the results. Toward that end, Nmap is able to also dump its results to an XML-formatted file, or to a file you can search using a grep command (or whatever you like that is capable of running regular expression searches/filtering). Nmap also offers the option of putting the results in all three formats if you want, and all you have to do is provide a base filename in the command before you kick off the scan.
Notes from the Underground…
So, Do You Really Think You Know Who Is Scanning You?
Are you interested in knowing how good penetration testers keep their addresses hidden for as long as possible? It's a matter of hiding among the other IP addresses which are present, and spoofing an IP address. Two cool ways that you can obfuscate your IP address as the source of scanning activity involve using the decoys function and spoofing your Media Access Control (MAC) address.
Here we have chosen to designate a few extra decoys along with our scan to make the scans appear as though they are coming from a number of systems, rather than just ours. (Remember the age-old rule of safety in numbers!)
Here is an example of this technique sending ACK flags to port 80 at Captain Insaneo-speed:
# nmap -n -PA -p 80 -T5 -D 10.1.1.1,10.1.2.1,66.1.2.6,ME,202.3.192.1 <target>
As far as MAC address spoofing is concerned, today it is easy to spoof the source MAC address of the interface Nmap is using, and you don't even have to look it up. Say, for instance, that you visit an art studio with an Alienware system as your vulnerability assessment computer, and all your targets are Macintosh systems. If you run an Nmap scan without making a change to obscure your system's identity, your system is going to stick out like a sore thumb. So, you conjure up some "lucky charms" and use a particular MAC address vendor—and throw the security officer for a loop as he goes around looking for an HP Compaq system. Here is the Nmap command you would pass in this case:
# nmap -n -PA -p 870 -T5 --spoof-mac HP <target>
If you wanted him to think that a Linksys router was involved, try this:
# nmap -n -PA -p 870 -T5 --spoof-mac Linksys <target>
Good times!
Although we talked about only a handful of features, Nmap has numerous others that we don't have the space to cover. Suffice it to say that Nmap has made a huge impact on computer security and system administration and most likely will continue to do so as it continues to be developed through open source participation from around the world.
Read full chapter: https://www.sciencedirect.com/science/article/pii/B9781597494182000077
UNIX Tools
Kelly C. Bourne , in Application Administrators Handbook, 2014
24.10 Connectivity
More than likely your application server doesn't exist in a vacuum. The application might consist of multiple servers, e.g., a web server, a report server, etc. The application might be in a load-balanced environment. It might utilize a cluster to improve either performance or availability. The database very likely resides on a separate, dedicated server.
If any of the above situations exist in your environment, then you're going to be dealing with multiple servers. Multiple servers means that you'll have to understand how communication between those servers occurs. The tools or commands listed in this section can provide insight into communications between servers or between your server and the larger world.
As an Application Administrator perhaps your most troublesome problems will be dealing with potential connectivity issues. When hunting down connectivity issues it's helpful to have a checklist of things to check and always run through them in order. After a while you'll get a feel for what's causing the issue this time. Some examples of typical connectivity-related problems include the following:
- Is the application server experiencing problems connecting to the database server?
- If the application is running on multiple servers, e.g., an application server and a reports server, are they able to connect to each other?
- Are users having problems connecting to the application server?
- Are users able to connect to the organization's network?
- Can users access the organization's network from a remote location?
- Are performance problems experienced by users being caused by the application, the database, the network, or something else?
To troubleshoot problems like the ones listed above you need to know what tools are available on your server. Every organization's environment is different, but the tools that are described in the following sections are probably available on your UNIX server. The sections are organized from the simplest check first and the most complicated checks last.
24.10.1 ping
The ping command was described in Chapter 23. It works essentially the same under Windows and UNIX. Enter "ping" and another computer's name or IP address. The format of both ping commands is shown here. Ping will determine if the destination is reachable. If ping continues to display output lines you can press Ctrl-C to kill it:
-
ping computer-name
-
ping IP-address
If you get an error message saying the ping command is not found then try entering ping as follows:
-
/usr/sbin/ping computer-name
There are two potential shortcomings to using the ping command. The first is that if you enter the name of the remote computer it's possible that your DNS (Domain Name System) server is translating the server name you entered to the wrong IP address. If an inaccurate IP address is being provided, this could be the source of your problem. To determine whether or not this might be the problem you should compare the IP address returned by a "ping computer-name" command with your documentation that identifies the IP address of the remote computer. If the IP address returned by the ping-by-name doesn't match your records, then a problem exists in the DNS area. Contact your network team and work with them while they resolve it.
You should also execute a ping command and specify the IP address of the remote computer. This will help you determine whether the remote computer can be accessed if an accurate IP address is being used.
The previous advice assumes that you have a "landscape" document or other documentation that shows the name and correct IP address for all of the organization's computers. If this documentation doesn't exist, then now would be a very good time to create it.
The second potential problem with a ping command is that some servers have been configured to ignore ping requests. This is done as a security measure to help protect them from DoS (denial of service) attacks. If you get the result "Request Timed Out" every time you ping a particular server, then this probably means it has been set to ignore ping requests.
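The ping-by-name versus ping-by-IP comparison described above can be scripted so the check is the same every time. The following is an added example, not code from the chapter: the LANDSCAPE variable is a constructed stand-in for the organization's landscape document (one "hostname ip" pair per line), and the host names and addresses in it are made up. resolve_name uses the system resolver through getent, which is what a ping by name would consult, so it is only shown in the usage comment and not run here.

```shell
#!/bin/sh
# Added example, not from the chapter: compare the address a name resolves to
# with the address documented for that host before trusting "ping hostname".
# LANDSCAPE is a constructed stand-in for the organization's landscape document.

LANDSCAPE='db01.example.org 10.20.30.40
app01.example.org 10.20.30.10
rpt01.example.org 10.20.30.11'

# Documented address for a host, or "unknown" if the landscape document lacks it.
documented_ip() {
    printf '%s\n' "$LANDSCAPE" |
        awk -v h="$1" '$1 == h { print $2; found = 1; exit } END { if (!found) print "unknown" }'
}

# First address the resolver returns for a name, i.e. what "ping hostname" uses.
# Needs the system resolver, so it is not exercised below.
resolve_name() {
    getent hosts "$1" | awk '{ print $1; exit }'
}

# Classify a resolved address against the documentation.
dns_check() {
    name="$1"; resolved="$2"
    expected=$(documented_ip "$name")
    if [ "$expected" = "unknown" ]; then
        echo "undocumented: add $name to the landscape document"
    elif [ -z "$resolved" ]; then
        echo "unresolved: $name did not resolve; check DNS with the network team"
    elif [ "$resolved" = "$expected" ]; then
        echo "ok: $name resolves to $expected"
    else
        echo "mismatch: $name resolves to $resolved but is documented as $expected"
    fi
}

# Typical use: check the name first, then ping by the documented address rather
# than by name, so a bad DNS entry cannot hide a reachable server.
#   dns_check db01.example.org "$(resolve_name db01.example.org)"
#   ping "$(documented_ip db01.example.org)"
```

A "mismatch" result is the DNS problem the chapter describes and belongs with the network team; an "undocumented" result is the cue to extend the landscape document before going further.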
24.10.2 Database connectivity
If your connectivity problem appears to be related to the database, then you should see if the database server can be accessed from the application server. There may be a tool on the application server that enables you to initiate a database session. For example, if the database being used is Oracle, then SQL*Plus has likely been loaded onto the application server. Open a SQL*Plus session with the database using a command like the following:
-
sqlplus username/[email protected]
If the session established, it proves that connectivity with the database server exists. If the SQL*Plus command fails, then a problem exists. The next step would be to work with the DBA team to confirm that the database engine is running. If it is, then you might need to work with the network team to verify that the application server can communicate with the database server.
24.10.3 Traceroute
If the ping-by-name and the ping-by-IP were unsuccessful, then you need to find out where along the path between your server and the destination it failed. You need to know if your computer is able to communicate with the Internet or other networks. Your organization has a device called a gateway router that acts as a gateway between your network and all other networks. Run the "traceroute" command to determine whether your communication attempts are getting out the door so to speak. If the results indicate that your traceroute attempt didn't make it past your gateway router, then you need to contact your organization's network team to resolve the problem.
traceroute, like ping, confirms whether or not connectivity to the destination computer can be established. The output from traceroute indicates how many servers or hops it takes a packet to get from your server to the destination computer. The format of the traceroute command is:
-
traceroute destination
where destination can be either a name or an IP address.
This command can be very informative if communications with another computer are extremely slow. It can tell you either that the packets are taking an excessive number of hops along the path or that a specific computer in the path is taking longer than expected to respond. If either of these is the case, the problem isn't with your server.
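The two questions this section raises, where along the path replies stopped and which hop is adding the delay, can be answered from saved traceroute output. The following is an added example, not code from the chapter: SAMPLE_TRACE is a constructed capture in the Linux traceroute layout, and every name and address in it is made up. The functions read traceroute output on standard input, so real output can be piped in the same way.

```shell
#!/bin/sh
# Added example, not from the chapter: read saved traceroute output and report
# where along the path replies stopped and which hop adds the most latency.
# SAMPLE_TRACE is constructed; the names and addresses in it are made up.

SAMPLE_TRACE='traceroute to db01.example.org (10.20.30.40), 30 hops max, 60 byte packets
 1  gw.example.org (192.168.1.1)  0.412 ms  0.398 ms  0.380 ms
 2  10.10.1.2 (10.10.1.2)  6.512 ms  6.430 ms  6.201 ms
 3  10.10.1.45 (10.10.1.45)  7.103 ms  7.911 ms  7.250 ms
 4  10.10.25.45 (10.10.25.45)  48.990 ms  51.220 ms  49.870 ms
 5  * * *
 6  * * *'

# Hop lines start with the hop number; "* * *" means no reply from that hop.
# Print "hop address" for the last hop that replied, or "none".
last_responding_hop() {
    awk '
        /^ *[0-9]+ / && $2 != "*" { last = $1 " " $2 }
        END { if (last == "") print "none"; else print last }
    '
}

# Print "hop address added_ms": the hop whose average round-trip time grew the
# most over the previous replying hop. A large jump marks the slow link.
slowest_hop() {
    awk '
        /^ *[0-9]+ / && $2 != "*" {
            sum = 0; n = 0
            for (i = 3; i < NF; i++) if ($(i + 1) == "ms") { sum += $i; n++ }
            if (n == 0) next
            avg = sum / n
            delta = have_prev ? avg - prev : avg
            if (!have_worst || delta > worst) { worst = delta; who = $1 " " $2 }
            prev = avg; have_prev = 1; have_worst = 1
        }
        END { if (who == "") print "none"; else printf "%s %.1f\n", who, worst }
    '
}

# Succeed if any hop beyond the first (the gateway router) replied; failing here
# means the probes never left the local network, which is the network team's call.
past_gateway() {
    awk '/^ *[0-9]+ / && $1 > 1 && $2 != "*" { found = 1 } END { exit (found ? 0 : 1) }'
}

printf '%s\n' "$SAMPLE_TRACE" | last_responding_hop
printf '%s\n' "$SAMPLE_TRACE" | slowest_hop
if printf '%s\n' "$SAMPLE_TRACE" | past_gateway; then
    echo "probes are getting past the gateway router"
fi
```

On the sample, replies stop after hop 4 and hop 4 also adds about 42 ms over hop 3, so the slow or failing link is beyond your own server. Hops that never reply may simply be configured to ignore probes, the same caveat the chapter gives for ping, so a run of asterisks after a replying hop is evidence, not proof, of a break there.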
24.10.4 tnsping
tnsping is a utility provided by Oracle that determines if connectivity to the Oracle database server can be established. If your application uses an Oracle database, then you can use tnsping to determine if the application server can communicate with the Oracle database server. The format of the command is:
-
tnsping service-name
If you don't know the value of the service name you can find it in the tnsnames.ora file within the Oracle Client software subdirectory.
24.10.5 netstat
netstat displays the following network communications related information:
• Active ports—running netstat with the -an option displays a list of all active ports, that is, the incoming and outgoing network connections that are currently open on the server. It also lists the process that opened each port, whether the port is open for input or output, and what protocol is being used.
• Routing tables—the routing table holds the list of computers that can be directly communicated with. It might be a surprise to you, but your server isn't aware of every server on the Internet. It is aware of a few other computers, which are aware of a few more computers, which are aware of still more computers, etc. To view only routing table information include the -r option when calling netstat.
• Statistics by protocol—running netstat with the -s option displays a list of statistics for each of the protocols (tcp, udp, ip, icmp, igmp) that are supported. Some of the stats that are displayed are: packets sent, packets received, connection requests, connection accepts, connections established, and timeouts.
24.10.6 ruptime
ruptime, remote uptime, shows the status of all machines on the network. It also provides information on how long each computer has been up and what its recent load level is. The format of ruptime is as follows:
-
ruptime
24.10.7 rwho
rwho, remote who, lists who is logged onto all machines on the network. Be aware that rwho isn't available on all networks due to security concerns. If you need to know who is logged into another computer and "rwho" doesn't work, then you'll have to remote to that machine and run "who" on it. The format of this command is:
-
rwho
24.10.8 nslookup
If your users or application is no longer able to connect to a server, the problem could be that the local name server has out of date or otherwise inaccurate information. The nslookup command allows you to query the Domain Name System (DNS) to gather information on domain names it contains. Using it you can learn the name and IP address of the name server that is being used. You can also obtain the IP addresses of machines that the name server is maintaining information on.
Figure 24.8 shows the results of an nslookup call to get the details on server "dr005." The nslookup command has other available parameters which can be seen on the man page for it.
24.10.9 Firewall problems
It's possible that your organization's firewall is causing the connectivity problems. It's not uncommon for a change in a firewall's configuration to cause problems connecting to a server that was working just fine yesterday. Depending on your level of expertise you could investigate this yourself or contact the organization's team that administers the firewall. A word of warning is definitely in order here: be very careful not to cause problems or make unapproved changes to the firewall. Doing so could cause extremely serious problems for you, your users, other applications, and their users.
If you're knowledgeable about the organization's firewall, you might consider checking the firewall configuration or its logs to see if there are any clues about the problem. Two commands that might provide some insight are:
iptables -n -L    Lists all rules configured in the firewall. If you're not familiar with firewall rules, then the output from this command will probably be undecipherable to you.
tail -f /var/log/messages    Shows the 10 most recent entries in the log file /var/log/messages and keeps displaying new entries as they are added.
24.10.10 Network analysis tools
There are a number of network analysis tools that can be acquired to provide detailed information on the communications between your server and other machines. Providing an in-depth description of any of them is beyond the scope of this book, but a brief description of some tools that are available is provided.
24.10.10.1 tcpdump
tcpdump is a packet analyzer that is launched from the command line. It can be used to analyze network traffic by intercepting and displaying packets that are being created or received by the computer it's running on. It runs on Linux and most UNIX-type operating systems.
24.10.10.2 Wireshark
Wireshark is an open source tool that is used for troubleshooting network problems. It runs on Linux, Windows, and many UNIX-like operating systems. You can use Wireshark to capture all packets on the network, but need to be careful that the volume of traffic being captured doesn't become overwhelming. The GUI (graphical user interface) in Wireshark makes it relatively easy to capture only the specific traffic that you're interested in.
24.10.10.3 Cheops
Cheops is an open source package that provides numerous network-related utilities. Using it you can locate, diagnose, and manage network resources. It can identify the operating systems of all hosts on the network. It provides a mapping of your network and if it's especially large you can break the overall map down into multiple views. A port scanner documents what tcp ports are being used.
24.10.11 Connectivity tools
There are a number of connectivity-related tools available in UNIX. They are described in the following sections. Application Administrators should have at least a working knowledge of connectivity tools.
24.10.11.1 Telnet
Telnet is a utility that enables you to remotely connect to another computer and open a terminal session on it. Use of telnet has diminished significantly because it isn't a secure communication method. If you want to log onto another computer using telnet the format is:
-
telnet remote_computer.domain.org
You will be prompted for an ID and password to complete the connection process. If the computer is on the same network as the computer you are logged into, then you can omit the ".domain.org" from the command.
24.10.11.2 rsh
rsh (remote shell) is another method of remotely connecting to another computer and running a terminal session on it. To use rsh to open a session on a remote computer, you must have an account on that computer. When the connection is established, you'll be prompted to enter your password. The format for using rsh is:
-
rsh remote_computer.domain.org
One variation of rsh is that it can be used to execute just a single command on the remote computer instead of opening a terminal session. The format for using rsh in this way is:
-
rsh -l username remote_computer.domain.org command
24.10.11.3 ssh
ssh (secure shell) is a more secure way to log onto a remote system. ssh offers similar functionality to rsh but more securely. Communications passed between computers during an ssh session are encrypted, so they are much better protected than with either telnet or rsh. The format of the ssh command to initiate a remote terminal session is:
-
ssh remote_computer.domain.org
You will be prompted for the password before the remote session is established.
24.10.11.4 PuTTY
PuTTY is an open source utility that allows you to connect with remote computers. Although it was originally written for Windows it has been ported to a number of UNIX platforms. PuTTY was described in detail in Section 23.5.4 of Chapter 23.
24.10.11.5 ftp
ftp, file transfer protocol, is a UNIX application that is used to transfer files between machines over a network. There are numerous GUI implementations of ftp, but most UNIX systems support the command line version of this tool. To initiate an ftp session enter the following command:
-
ftp remote_computer.domain.org
You will be prompted for your username and password. Once your ftp session has been established, you can use any of the following basic instructions to transfer files to or from the remote computer:
• cd—change the working directory on the remote computer
• lcd—change the working directory on your local computer
• mkdir—make a directory on the remote computer
• ls—list files in the working directory on the remote computer
• bin—sets the mode so files will be transferred in binary mode
• asc—sets the mode so files will be transferred in ASCII, i.e., characters, mode
• put—moves a file from the local computer to the remote computer
• get—retrieves a file from the remote computer to the local computer
• help—displays a list of available commands and their parameters
• quit—exit out of the ftp session
24.10.11.6 rcp
rcp, remote copy, is a UNIX command that allows you to transfer one or more files to or from a remote computer. In order to move files to or from another computer, you must already have an active account on the remote machine.
The format of a basic rcp command to copy a file to a remote computer is:
-
rcp example.txt username@remote_computer.domain.org:
The command to copy a file from a remote computer to your local computer is:
-
rcp username@remote_computer.domain.org:example.txt
24.10.11.7 scp
scp, secure copy, has similar syntax and functionality as rcp, but is more secure. SCP encrypts the contents of the file before transferring it. If someone is capturing and examining the packets in your file transfer they wouldn't be able to read them.
The format of a basic scp command to copy a file to a remote computer is:
-
scp example.txt username@remote_computer.domain.org:
The command to copy a file from a remote computer to your local computer is:
-
scp username@remote_computer.domain.org:example.txt
URL:
https://www.sciencedirect.com/science/article/pii/B9780123985453000248
Troubleshooting the Juniper Firewall
Brad Woodberg , ... Ralph Bonnell , in Configuring Juniper Networks NetScreen & SSG Firewalls, 2007
Troubleshooting Tools
The Juniper firewall has several troubleshooting tools built in to it. This section covers these tools in detail. Each has a specific purpose and should cover any troubleshooting needs you have.
Tools & Traps…
Secure Troubleshooting
One thing you want to make sure of when troubleshooting your firewall is that you don't compromise your security during the troubleshooting process. If you're using HTTP (Hypertext Transfer Protocol) or Telnet to access your firewall, someone may be able to sniff your packets while you're working to solve the problems.
The WebUI can be encrypted with SSL (Secure Sockets Layer) or tunneled through a VPN. It is recommended that this connection be secured at all times. The certificate can be self-signed by the Juniper firewall, so no certificate has to be purchased.
The command-line interface can be encrypted by using SSH (Secure Shell) to log in to your firewall. Telnet should be disabled so it cannot be used by anyone. If Telnet access is required for some reason, be sure to encrypt the packets using a VPN tunnel. Serial console access requires physical access to the firewall. You can disable all CLI access if you wish and require serial access to manage the box, but this measure might be a bit extreme.
Ping
Ping is probably the most well-known network troubleshooting utility in existence. The ping command is used to test for network connectivity. Every network operating system has a version of it preinstalled. It was written in December, 1983 by Mike Muuss for BSD Unix. The BSD Unix network stack has been ported to many operating systems, including every version of Microsoft Windows. Although the name was originally derived from a sonar analogy, it is now referred to as an acronym for Packet InterNet Groper.
The functionality is simple: send an ICMP (Internet Control Message Protocol) echo-request and wait for an ICMP echo-reply. The code shown in Figure 13.1 is an example of sending a ping to IP address 192.168.0.1, and getting four replies in return. This is a connectivity check from a Windows machine to a router.
By default, the NetScreen device will send five ICMP echo requests of 100 bytes each with a two-second timeout. Advanced settings can also be included on the command line:
You may also set all of the options manually by entering only the command ping and pressing Enter. At this point, you will be prompted for each one of the options to build the command you wish to execute, specifying target IP, the number of requests, the datagram size, and so on.
Figure 13.2 shows an example of using the ping command in ScreenOS 5.
Keep in mind that the results of the ping command may not always be accurate. Some network traffic does not pass ping traffic and could possibly change the results of the command.
You can also ping from a specific interface with the command ping <ipaddress> from <interfacename> (see Figure 13.3).
traceroute
The traceroute command is useful in troubleshooting multihop routing. traceroute uses the TTL (Time to Live) field of the IP protocol to get an ICMP TIME_EXCEEDED response from each gateway the packet goes through to reach the destination. Figure 13.4 shows an example of traceroute in ScreenOS.
traceroute results should also be taken with a grain of salt. Since traceroute uses TTL fields in the packets, any devices that do not respond to that field will not return valid data.
Get Session
The get session command will show all current established sessions going through the Juniper firewall. If an entry exists in the session table, the connection has passed through the routing table and the policy successfully.
Each session entry has three lines of information. The first line contains the policy rule number, which can be viewed by the get policy command. The time entry shows idle time and resets every time traffic goes through the firewall. Figure 13.5 illustrates these points.
The output from the get session command can seem a bit overwhelming at first, but it isn't really that bad once you break it down. First, the command specifies how many sessions are currently allocated (in the preceding case, it is 64 with a maximum number of 128064). This command also specifies how many sessions failed to be allocated (both regular and DI sessions) and how many multicast sessions are allocated. It also provides statistics for the memory and sessions pools. The next part of the command that you really should be concerned with is the information about the source IP address, source port, traffic direction, destination address, and destination port. The first entry in Figure 13.5 is: 218.172.211.178/18772->123.49.20.57/1024. This stands for a source address of 218.172.211.178, with a source port of 18772 going outbound to destination 123.49.20.57 port 1024. It will be using route 0, which you can verify with the get route command and compare that against the route ID value in the output. Traffic with the <- symbol designates the inbound (return) traffic. The return traffic may also show the NAT'd value of the packet, and the subsequent route which may be taken to reach the destination. You can also see which policy (in this case 320000) is being matched for this session.
Get Policy
The get policy command displays the current NetScreen policy. This command is useful as a reference to see which policy ID is assigned to each rule. Pay attention to the From and To fields. These indicate which zones each policy crosses, as shown in Figure 13.6.
Get Route
The get route command shows the current NetScreen routing table. There is a separate routing table for each virtual router. In the example in Figure 13.7, there are no routes for the untrust-vr, which is the default configuration. Make sure you differentiate which routes are static and which are added by a routing protocol.
Remember that the * next to a route designates that it is the active route in the routing table, and the ID is the value that is also referenced in other troubleshooting commands such as the get session command. This output shows that route 12 is active over route 13, which covers the same destination through a different next hop. They are both Static routes with a preference of 20 and a metric of 1. It is not immediately clear in this case why route 12 is valued higher than 13, but the reason could be that ethernet0/1 is physically down.
Get Interface
The get interface command shows detailed interface statistics. This command (shown in Figure 13.8) is useful to see which zone an interface is in and which hardware MAC (Media Access Control) address is assigned to each interface. You can also see the IP address, VLAN, and what state the interface is currently in (U for Up, D for Down.)
Get ARP
The ARP (Address Resolution Protocol) table of the Juniper firewall can be viewed by using the get arp command. This can be useful when troubleshooting OSI layer 1 and layer 2 issues. Figure 13.9 shows the ARP table of the Juniper firewall.
We can see in this example that the MAC address for 218.172.211.177 is invalid (000000000000). It also specifies which interface the firewall will try to learn the MAC address on, which will be whatever interface has an IP address in the same subnet as the IP address that you are ARPing for. This can be very useful to troubleshoot layer 2 issues, especially when devices are connected directly to your firewall.
TIP
Please remember that if you are replacing one network gateway device with another (such as the SSG), the MAC address will change because there will be a new hardware interface in place of the old one (assuming you are keeping the same IP address). This means that other devices may not recognize the new MAC address until either their ARP cache times out (often 10 minutes on most systems) or you clear it manually, such as by issuing clear arp on the Juniper firewall or arp -d on Windows.
Get System
The get system command gives you several important pieces of information. Use this command to get an overview of your firewall and the setting for each interface. On an unknown firewall, this should be the first command you use.
▪ Serial Number This can be used to reset the device to the factory defaults. Use the serial number as the username and password when logging in on the serial interface. Be aware that this will also wipe out any configuration changes you have made. The serial number is used to generate the license keys for your device as well.
▪ Software Version The software version of the ScreenOS device in running memory.
▪ Date and Time Returns the date and time on the NetScreen device.
▪ Total Device Resets Tracks the total number of asset recovery resets. This number counts the number of times the system has been reset to the factory defaults.
▪ User Name The username of the current user.
Debug
The debug utility in ScreenOS is a powerful troubleshooting tool that allows you to track sessions going through the Juniper firewall. The firewall has a memory buffer set aside for the debug system, and packets can be captured in this memory for inspection. The following outlines various uses of the debug system:
Step 1. Set any filters necessary for the debug. This is optional, but it might help consolidate the results. Optionally, you might also want to clear the buffer of old debugs so that you get a better snapshot.
Step 2. Issue the Debug Command.
Step 3. Issue the get db str command to get the output stored in the memory buffer from the debug.
Step 4. Stop the debug with the undebug all command, which will halt any debugs. Alternatively you can keep issuing the get db str command to keep getting output from the debug.
Step 5. Clear the memory buffer with the clear db command.
WARNING
You must be mindful that issuing debug commands can increase the load on the firewall. Although it is not as crippling as debugs on other platforms (historically), it can cause problems if you are not careful. It is best to use flow filters, and turn the debugs off as soon as possible.
Flow Filters
A filter can also be put into place to limit what traffic gets sent to the debug buffer. The command set ffilter allows you to select the type of traffic to collect. The following filters are available:
▪ dst-ip Destination IP address
▪ dst-port Destination port
▪ ip-proto Internet protocol number
▪ src-ip Source IP address
▪ src-port Source port
If multiple filters are specified in the set ffilter command, the filter will only collect traffic that matches all of the filters specified. The set ffilter command can be executed multiple times, and traffic will be collected if it matches any of the filters. For example, to filter all tcp traffic from 192.168.0.1 to 10.1.1.1, issue the following command:
SSG550-> set ffilter src-ip 192.168.0.1 dst-ip 10.1.1.1 ip-proto 6
To view current filters, use the get ffilter command. Each filter in place has an ID number to identify it. To remove a filter, use the unset ffilter command, followed by the ID number of the filter to be deleted.
Snoop
Snoop is a full packet sniffer. The output of snoop goes into the same memory buffer that debug sends to. The biggest difference between debug and snoop is that snoop can dump the actual contents of the packets to the memory buffer. snoop output is more difficult to read than debug output and is typically used when the contents of the packets need to be analyzed. The following are the commands for using snoop:
▪ snoop Starts the snoop capture.
▪ snoop info Displays current snoop status.
▪ snoop detail Enables full packet logging. This logs the full contents of the packets.
▪ snoop off Turns off the snoop capture.
▪ snoop filter Allows you to filter what gets captured. Employs syntax similar to that used for debug filtering.
▪ clear db Clears the debug memory buffer.
▪ get dbuf stream Displays the output for analysis.
Firewall Session Analyzer (FSA)
Juniper has created a new Web-based tool called Firewall Session Analyzer (FSA) to help make sense of the torrent of information that can come from running a get session command. As discussed earlier, this command shows all current established sessions going through the NetScreen device, and this can seem a little daunting when viewed in the console.
After uploading a log of the get session command output to the FSA (located at http://tools.juniper.net/fsa/), it will generate the following seven reports.
▪ Rank based on destination IP address
▪ Rank based on destination port
▪ Rank based on source IP address
▪ Rank based on source port
▪ Rank based on protocol
▪ Rank based on Virtual System Device (VSD)
▪ Rank based on source IP with protocol and destination port information
In order to use the tool, you need to log the command output to a file on a TFTP server by using the following command.
SSG550-> get session > tftp <server ip> <filename>
You may also choose to capture the screen output to a file and upload it to the analyzer in the same manner as the file stored on the TFTP server. Once you have the log file, generating the FSA reports is simple.
1. Go to http://tools.juniper.net/fsa/ using your Web browser.
2. Browse to your get session .log or .txt file, first making sure the file does not exceed 10MB.
3. Choose the version of ScreenOS the file was captured from (ScreenOS v4 or v5).
4. Click Submit. After several seconds, your results will be viewable in a new screen.
The top 10 results for each of the seven previous reports will be viewable on one page (see Figure 13.10), at which point you can download each complete report as an individual csv file by selecting the link for the report you desire. This information will be available for you to view for one hour following the execution of the analyzer. After one hour, the information processed by the tool, and the corresponding reports, will be deleted from the Juniper site for security reasons.
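The first four FSA reports are simple frequency counts over the session table, and the same ranking can be done locally from a saved get session log, which also avoids uploading session data that names internal hosts to an external site. The following is an added example, not code from the chapter or from Juniper: it keys only on the "source/port->destination/port" part of each entry that the chapter explains. SESSIONS is a constructed, simplified extract; the first source and destination addresses are the ones quoted in the chapter, and the other addresses are made up.

```shell
#!/bin/sh
# Added example, not from the chapter or Juniper: rank saved "get session"
# output the way the FSA reports do, using only the "src/port->dst/port" part
# of each entry. SESSIONS is a constructed, simplified extract; apart from the
# two addresses quoted in the chapter, the addresses are made up.

SESSIONS=' 218.172.211.178/18772->123.49.20.57/1024
 218.172.211.178/18773->123.49.20.57/1024
 218.172.211.178/18774->123.49.20.57/443
 10.1.1.25/40001->123.49.20.57/1024
 10.1.1.25/40002->198.51.100.9/1024
 10.1.1.30/50001->198.51.100.9/53'

# Print one "count value" line per distinct value of the chosen key
# (src-ip, src-port, dst-ip or dst-port), busiest first, ties in value order.
rank_sessions() {
    awk -v key="$1" '
        # Only lines that carry a src/port->dst/port pair are session entries.
        match($0, /[0-9.]+\/[0-9]+->[0-9.]+\/[0-9]+/) {
            pair = substr($0, RSTART, RLENGTH)
            split(pair, ends, "->")
            split(ends[1], s, "/"); split(ends[2], d, "/")
            if (key == "src-ip")        print s[1]
            else if (key == "src-port") print s[2]
            else if (key == "dst-ip")   print d[1]
            else if (key == "dst-port") print d[2]
        }
    ' | sort | uniq -c | sort -k1,1nr -k2,2 | awk '{ print $1, $2 }'
}

# Top-N cut, as the FSA shows the top 10 of each report.
top_sessions() {
    rank_sessions "$1" | head -n "$2"
}

echo "by destination IP:";   printf '%s\n' "$SESSIONS" | rank_sessions dst-ip
echo "by destination port:"; printf '%s\n' "$SESSIONS" | rank_sessions dst-port
echo "top source IP:";       printf '%s\n' "$SESSIONS" | top_sessions src-ip 1
```

A source address that dominates the src-ip ranking while fanning out across many destination ports is the kind of pattern that is hard to see in the raw console output but obvious in the ranked view, which is what the FSA reports are for.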
Putting It All Together
When troubleshooting the Juniper firewall, use any of the previous commands necessary to resolve the issue. When a packet arrives at an interface of the firewall, the following things happen.
1. The packet goes through a "sanity check" to make sure it isn't corrupt.
2. A session lookup is performed. If the packet is part of an existing session, it follows the rest of the packets in the same session.
3. The packet is routed, based on the routing table and zones.
4. The packet is checked against the firewall policy.
5. The ARP cache is referenced.
6. A session is created if one does not exist, and the packet is forwarded.
Notice that the session is not created until the packet passes through the routing table and the firewall policy.
URL:
https://www.sciencedirect.com/science/article/pii/B9781597491181500150
Source: https://www.sciencedirect.com/topics/computer-science/traceroute-command