Step 1 Download and "install" tcpdump on UML
Get the file
On my UML host machine (Ubuntu HVM)
wget http://archive.ubuntu.com/ubuntu/pool/main/t/tcpdump/tcpdump_4.1.1-1ubuntu2_i386.deb
Extract the .deb to a folder and copy the binary into the UML root
dpkg -x tcpdump_4.1.1-1ubuntu2_i386.deb ./
# the package installs tcpdump under usr/sbin (see the prompt below), not sbin
cp ./usr/sbin/tcpdump ~/uml/bin/
Copy the necessary libs
vic@vicubuntu:~/tcpdump/usr/sbin$ cp /lib/i686/cmov/libcrypto.so.0.9.8 ~/uml/lib/
vic@vicubuntu:~/uml/lib$ cp /usr/lib/libpcap.so.0.8 ./
vic@vicubuntu:~/uml/lib$ cp /lib/tls/i686/cmov/libc.so.6 ./
vic@vicubuntu:~/uml/lib$ cp /lib/tls/i686/cmov/libdl.so.2 ./
vic@vicubuntu:~/uml/lib$ cp /lib/libz.so.1 ./
vic@vicubuntu:~/uml/lib$ cp /lib/ld-linux.so.2 ./
Test on UML instance
Start the UML instance with my script
sudo ./network1 1
Within UML instance
# tcpdump
device eth0 entered promiscuous mode
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
It works with the default configuration. Next we have to make it work properly, for example by keeping the logs in a designated folder.
Step 2 TCPDUMP options and change scripts
TCPDUMP
I use the following tcpdump options
tcpdump stp -n -i eth0 -U -s 0 -w /tmp/var/log/$hostname-`date +%H%M`.dmp
- stp - capture only STP packets, since we are now focusing on the layer-2 topology. But I did not use it. I'd rather have the full dump and filter later by using other options.
- -n - turn off name resolution.
- -i eth0 - listen only on interface eth0.
- -U - write each packet to the output file as soon as it is captured, instead of waiting for the buffer to fill.
- -s 0 - do not truncate packets; log every packet in full.
- -w - write the raw packets to a file instead of printing decoded output to standard output.
Turn off protocols on the sniffer port
In order not to interfere with the "normal" network, we have to turn off the higher-layer protocols on the sniffing port.
Leave out the IP address by bringing the interface up without assigning one
ifconfig eth0 up
Turn off ARP
ifconfig eth0 -arp
Change the scripts
Host script
#!/bin/sh
n=$1
echo "going to create $n hosts"
screen -dmS switch uml_switch -hub -unix /home/vic/umlswitch/sw1.ctl
screen -dmS sniffer1 linux.uml rootfstype=hostfs rootflags=/home/vic/uml/ r umlid=sniffer1 hostname=sniffer1 eth0=daemon,,unix,/home/vic/umlswitch/sw1.ctl role="sniffer"
for i in `seq 1 $n`
do
    screen -dmS uml$i linux.uml rootfstype=hostfs rootflags=/home/vic/uml/ r umlid=uml$i hostname=uml$i eth0=daemon,,unix,/home/vic/umlswitch/sw1.ctl ip_eth0="10.0.0.$i" mask_eth0="255.255.255.0" bc_eth0="10.0.0.255"
done
Guest script
sniffer)
    echo "sniffer"
    ifconfig eth0 -arp up
    tcpdump -i eth0 -U -s 0 -w /var/log/$hostname-`date +%H%M`.dmp &
    echo "INFO: sniffer $hostname activated"
    ;;
Step 3 Rebuild the first network and start sniffing
The start script of the first network in assignment 1 plus a sniffer
network1
vic@vicubuntu:~$ sudo ./network1 2
going to create 2 hosts
vic@vicubuntu:~$ sudo screen -ls
There are screens on:
	1249.uml2	(02/14/2011 01:44:10 PM)	(Detached)
	1246.uml1	(02/14/2011 01:44:10 PM)	(Detached)
	1240.sniffer1	(02/14/2011 01:44:10 PM)	(Detached)
	1238.switch	(02/14/2011 01:44:10 PM)	(Detached)
4 Sockets in /var/run/screen/S-root.
After running it, I have 2 hosts and 1 sniffer attached to 1 UML switch.
Error
Error 1: There is an error in the sniffer: the date command is not supported by busybox. I have to cp it from the host together with its libs.
#copy the date binary file
cp /bin/date ~/uml/bin/
#ldd to get the libs
vic@vicubuntu:~/uml/bin$ ldd date
	linux-gate.so.1 =>  (0x003f7000)
	librt.so.1 => /lib/tls/i686/cmov/librt.so.1 (0x00e92000)
	libc.so.6 => /lib/tls/i686/cmov/libc.so.6 (0x00269000)
	libpthread.so.0 => /lib/tls/i686/cmov/libpthread.so.0 (0x0064a000)
	/lib/ld-linux.so.2 (0x00b93000)
#cp them to the corresponding location for the UML instance
vic@vicubuntu:~/uml/bin$ cp /lib/tls/i686/cmov/librt.so.1 ../lib/
vic@vicubuntu:~/uml/bin$ cp /lib/tls/i686/cmov/libc.so.6 ../lib/
vic@vicubuntu:~/uml/bin$ cp /lib/tls/i686/cmov/libpthread.so.0 ../lib/
vic@vicubuntu:~/uml/bin$ cp /lib/ld-linux.so.2 ../lib/
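Both the tcpdump step and this date fix follow the same routine by hand: run ldd on the host binary, then cp every listed shared object into ~/uml/lib/. The helper below automates that plan. It is an added example written for this page, not part of the original write-up or of the UML project; it assumes the UML root lives at /home/vic/uml (as in the scripts above), and the embedded ldd text is a constructed copy of the output shown for date. It skips the vdso (linux-gate.so.1, which has no file on disk), handles the dynamic loader line that has no "=>", and reports libraries ldd could not find instead of silently dropping them.

```python
import os
import re
import subprocess

# Constructed sample input: the ldd output for the date binary as shown in the
# write-up above (the load addresses do not matter for the copy plan).
SAMPLE_LDD_OUTPUT = """\
\tlinux-gate.so.1 =>  (0x003f7000)
\tlibrt.so.1 => /lib/tls/i686/cmov/librt.so.1 (0x00e92000)
\tlibc.so.6 => /lib/tls/i686/cmov/libc.so.6 (0x00269000)
\tlibpthread.so.0 => /lib/tls/i686/cmov/libpthread.so.0 (0x0064a000)
\t/lib/ld-linux.so.2 (0x00b93000)
"""

# "soname => /path (0xaddr)"; the path is empty for the vdso (linux-gate.so.1)
WITH_ARROW = re.compile(r"^\s*(\S+)\s*=>\s*([^\s(]*)\s*(?:\(0x[0-9a-fA-F]+\))?\s*$")
# "/lib/ld-linux.so.2 (0xaddr)"; the dynamic loader is listed without "=>"
LOADER = re.compile(r"^\s*(/\S+)\s*\(0x[0-9a-fA-F]+\)\s*$")


def copy_plan(ldd_text, uml_root="/home/vic/uml"):
    """Parse ldd output and return (copies, missing).

    copies  -- list of (host_path, guest_path) pairs, one per shared object,
               each destined for <uml_root>/lib/<basename>
    missing -- sonames that ldd reported as "not found" (nothing to copy)
    """
    copies, missing = [], []
    libdir = os.path.join(uml_root, "lib")
    for line in ldd_text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.endswith("not found"):
            missing.append(line.split("=>")[0].strip())
            continue
        m = WITH_ARROW.match(line)
        if m:
            path = m.group(2)
            if not path:            # vdso: provided by the kernel, no file to copy
                continue
        else:
            m = LOADER.match(line)
            if not m:               # e.g. "statically linked"
                continue
            path = m.group(1)
        copies.append((path, os.path.join(libdir, os.path.basename(path))))
    return copies, missing


def as_cp_commands(copies):
    """Render the plan as the cp lines one would otherwise type by hand."""
    return [f"cp {src} {dst}" for src, dst in copies]


def plan_for_binary(binary, uml_root="/home/vic/uml"):
    """Host-side helper (hypothetical usage): run ldd on a real binary and plan
    copying both the binary (into <uml_root>/bin) and its libraries."""
    out = subprocess.run(["ldd", binary], capture_output=True, text=True, check=True).stdout
    copies, missing = copy_plan(out, uml_root)
    copies.insert(0, (binary, os.path.join(uml_root, "bin", os.path.basename(binary))))
    return copies, missing


if __name__ == "__main__":
    copies, missing = copy_plan(SAMPLE_LDD_OUTPUT)
    print("\n".join(as_cp_commands(copies)))
    if missing:
        print("not found on host:", ", ".join(missing))
```

Run against the sample text it prints the four cp commands from the write-up; plan_for_binary("/bin/date") does the same for a live host binary. A "not found" entry means the host itself lacks the library, so the UML guest will fail in the same way until it is installed on the host first.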
Step 4 Observation
We can combine watch and tcpdump to monitor changes to the log file (and hence the behaviour of the network).
#watch re-runs the tcpdump read every 2 seconds by default
watch 'tcpdump -xx -vv -r sniffer1-1257.dmp | tail'
#display from the tcpdump with tail
Every 2.0s: tcpdump -xx -vv -r sniffer1-1257.dmp | tail                Mon Feb 14 14:08:37 2011

reading from file sniffer1-1257.dmp, link-type EN10MB (Ethernet)
	0x0050:  0000 0000 0000 0000 0000 0000 0000 0000
	0x0060:  0000
14:05:22.577904 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 10.0.0.1 tell 10.0.0.2, length 28
	0x0000:  ca6e 4beb e34b f69e e7ad e026 0806 0001
	0x0010:  0800 0604 0001 f69e e7ad e026 0a00 0002
	0x0020:  0000 0000 0000 0a00 0001
14:05:22.577906 ARP, Ethernet (len 6), IPv4 (len 4), Reply 10.0.0.1 is-at ca:6e:4b:eb:e3:4b (oui Unknown), length 28
	0x0000:  f69e e7ad e026 ca6e 4beb e34b 0806 0001
	0x0010:  0800 0604 0002 ca6e 4beb e34b 0a00 0001
	0x0020:  f69e e7ad e026 0a00 0002
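The .dmp files written with -w are classic pcap files, and the -xx lines above are the raw Ethernet frames inside them. The following added example (written for this page; not the write-up's own code and not part of tcpdump or UML) reads such a file without tcpdump and decodes the ARP request/reply pair shown above. It assumes the file is a classic pcap with link-type 1 (EN10MB), which is what tcpdump 4.1.1 -w produces; the two frames are reconstructed from the hex dump on the page, while the pcap timestamps and the build_pcap wrapper are constructed so the example runs offline. It also flags records whose captured length is shorter than the original, which is what a capture without -s 0 would show.

```python
import struct
from ipaddress import IPv4Address

LINKTYPE_ETHERNET = 1      # pcap link-type reported as "EN10MB (Ethernet)"
ETHERTYPE_ARP = 0x0806

# Constructed sample input: the two ARP frames from the tcpdump -xx output
# above, copied as hex (request 10.0.0.2 -> 10.0.0.1, then the reply).
ARP_REQUEST_HEX = """
0x0000:  ca6e 4beb e34b f69e e7ad e026 0806 0001
0x0010:  0800 0604 0001 f69e e7ad e026 0a00 0002
0x0020:  0000 0000 0000 0a00 0001
"""
ARP_REPLY_HEX = """
0x0000:  f69e e7ad e026 ca6e 4beb e34b 0806 0001
0x0010:  0800 0604 0002 ca6e 4beb e34b 0a00 0001
0x0020:  f69e e7ad e026 0a00 0002
"""


def parse_hexdump(text):
    """Convert tcpdump -xx hex lines ("0x0010:  0800 0604 ...") back into bytes."""
    raw = bytearray()
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("0x"):
            continue
        _, hexpart = line.split(":", 1)
        raw += bytes.fromhex(hexpart.replace(" ", ""))
    return bytes(raw)


def mac(b):
    return ":".join(f"{x:02x}" for x in b)


def decode_arp_frame(frame):
    """Decode an Ethernet II frame carrying IPv4-over-Ethernet ARP; None otherwise."""
    if len(frame) < 14 + 28:                     # Ethernet header + ARP body
        return None
    eth_dst, eth_src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if htype != 1 or ptype != 0x0800 or hlen != 6 or plen != 4:
        return None
    sha, spa, tha, tpa = frame[22:28], frame[28:32], frame[32:38], frame[38:42]
    return {
        "eth_src": mac(eth_src), "eth_dst": mac(eth_dst),
        "op": {1: "request", 2: "reply"}.get(oper, f"op{oper}"),
        "sender_mac": mac(sha), "sender_ip": str(IPv4Address(spa)),
        "target_mac": mac(tha), "target_ip": str(IPv4Address(tpa)),
    }


def build_pcap(frames, snaplen=65535, ts_sec=1297692322, ts_usec=577904):
    """Build a little-endian classic pcap image like tcpdump -w writes (constructed timestamps)."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    body = b""
    for i, frame in enumerate(frames):
        body += struct.pack("<IIII", ts_sec, ts_usec + 2 * i, len(frame), len(frame)) + frame
    return hdr + body


def iter_pcap(data):
    """Yield (ts_sec, ts_usec, truncated, frame) for each record in a pcap image."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        end = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        end = ">"
    else:
        raise ValueError("not a classic pcap file")
    _, _, _, _, _snaplen, linktype = struct.unpack(end + "HHiIII", data[4:24])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link-type {linktype}")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        frame = data[off:off + incl_len]
        off += incl_len
        # incl_len < orig_len means the packet was sliced (capture without -s 0)
        yield ts_sec, ts_usec, incl_len < orig_len, frame


def summarize(data):
    """Decode every ARP record in a pcap image into a list of dicts."""
    out = []
    for ts_sec, ts_usec, truncated, frame in iter_pcap(data):
        arp = decode_arp_frame(frame)
        if arp is None:
            continue
        arp.update(ts=f"{ts_sec}.{ts_usec:06d}", truncated=truncated)
        out.append(arp)
    return out


if __name__ == "__main__":
    frames = [parse_hexdump(ARP_REQUEST_HEX), parse_hexdump(ARP_REPLY_HEX)]
    for rec in summarize(build_pcap(frames)):
        print(rec["ts"], rec["op"], rec["sender_ip"], "->", rec["target_ip"], "from", rec["sender_mac"])
```

To read one of the sniffer's real files, pass open("sniffer1-1257.dmp", "rb").read() to summarize() instead of the constructed image. Decoding the request shows it was sent to the unicast MAC ca:6e:4b:eb:e3:4b rather than to the broadcast address, a detail that tcpdump's one-line summary does not print.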