=== Step 1 Download and "install" tcpdump on UML ===
== Get the file ==
On my UML host machine (Ubuntu HVM)
wget http://archive.ubuntu.com/ubuntu/pool/main/t/tcpdump/tcpdump_4.1.1-1ubuntu2_i386.deb
== Extract the file to a folder ==
// dpkg -x // only unpacks the package tree into the current directory; no maintainer scripts run, so nothing is installed on the host itself.
dpkg -x tcpdump_4.1.1-1ubuntu2_i386.deb ./
cp ./usr/sbin/tcpdump ~/uml/bin/
== Copy the necessary libs ==
These are the libraries // ldd // lists for the binary (the same method is shown for // date // in Step 3). The hwcap subdirectories (// /lib/tls/i686/cmov/ //) are flattened into ~/uml/lib: the UML root has no ld.so.cache, so the guest's loader falls back to searching /lib, which is ~/uml/lib on the host.
vic@vicubuntu:~/tcpdump/usr/sbin$ cp /lib/i686/cmov/libcrypto.so.0.9.8 ~/uml/lib/
vic@vicubuntu:~/uml/lib$ cp /usr/lib/libpcap.so.0.8 ./
vic@vicubuntu:~/uml/lib$ cp /lib/tls/i686/cmov/libc.so.6 ./
vic@vicubuntu:~/uml/lib$ cp /lib/tls/i686/cmov/libdl.so.2 ./
vic@vicubuntu:~/uml/lib$ cp /lib/libz.so.1 ./
vic@vicubuntu:~/uml/lib$ cp /lib/ld-linux.so.2 ./
== Test on UML instance ==
Start the UML instance with my script
sudo ./network1 1
Within UML instance
# tcpdump
device eth0 entered promiscuous mode
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
It works with the default configuration. Next we make it fit the job: keep the capture files in a designated folder and make the sniffer port passive.
=== Step 2 TCPDUMP options and change scripts ===
== TCPDUMP ==
I use the following tcpdump options
tcpdump stp -n -i eth0 -U -s 0 -w /tmp/var/log/$hostname-`date +%H%M`.dmp
* // stp // - a capture filter that keeps only Spanning Tree frames, since we are focusing on the layer-2 topology. I did not use it in the end: I'd rather have the full dump and filter later with // tcpdump -r // and a read filter.
* // -n // - turn off name resolution (only matters for decoded output; harmless together with // -w //).
* // -i eth0 // - listen only on interface eth0.
* // -U // - packet-buffered output: each packet is flushed to the file as soon as it is captured instead of waiting for the output buffer to fill, so the file can be read while the capture is still running.
* // -s 0 // - snapshot length 0, i.e. do not truncate packets; log the whole frame. tcpdump 4.x already defaults to 65535 bytes (see the "capture size 65535 bytes" line above), but older versions defaulted to 68 bytes, which cuts off most payloads.
* // -w // - write the raw packets in pcap format to a file instead of decoding them to stdout.
== Turn off protocols on the sniffer port ==
The sniffer must not interfere with (or announce itself on) the "normal" network, so its capture port is kept passive: it is brought up without an IP address and with ARP disabled, so the IPv4 stack has nothing to send from it.
// Bring the interface up without assigning an IP address //
ifconfig eth0 up
// Turn off ARP //
ifconfig eth0 -arp
A quick check that this worked is to read a capture back with a filter on the sniffer's own MAC as source (// tcpdump -r <file> ether src <mac> //): a correctly configured sniffer never shows up there.
== Change the scripts ==
Host script
#!/bin/sh
n=$1
echo "going to create $n hosts"
# one virtual switch in hub mode: every frame is repeated to every port, so the sniffer port receives all traffic
screen -dmS switch uml_switch -hub -unix /home/vic/umlswitch/sw1.ctl
# the sniffer: same switch, no ip_eth0=, and role=sniffer selects the passive branch of the guest init script
screen -dmS sniffer1 linux.uml rootfstype=hostfs rootflags=/home/vic/uml/ r umlid=sniffer1 hostname=sniffer1 eth0=daemon,,unix,/home/vic/umlswitch/sw1.ctl role="sniffer"
# the normal hosts, 10.0.0.1 .. 10.0.0.$n
for i in `seq 1 $n`
do
    screen -dmS uml$i linux.uml rootfstype=hostfs rootflags=/home/vic/uml/ r umlid=uml$i hostname=uml$i eth0=daemon,,unix,/home/vic/umlswitch/sw1.ctl ip_eth0="10.0.0.$i" mask_eth0="255.255.255.0" bc_eth0="10.0.0.255"
done
Guest script (the // sniffer // branch of the init script's case on the // role= // kernel argument)
sniffer)
echo "sniffer"
# passive port: up, no IP address, no ARP
ifconfig eth0 -arp up
# one capture file per boot, flushed per packet (-U), untruncated (-s 0)
tcpdump -i eth0 -U -s 0 -w /var/log/$hostname-`date +%H%M`.dmp &
echo "INFO: sniffer $hostname activated"
;;
=== Step 3 Rebuild the first network and start sniffing ===
The start script of the first network in assignment 1 plus a sniffer
// network1 //
vic@vicubuntu:~$ sudo ./network1 2
going to create 2 hosts
vic@vicubuntu:~$ sudo screen -ls
There are screens on:
1249.uml2 (02/14/2011 01:44:10 PM) (Detached)
1246.uml1 (02/14/2011 01:44:10 PM) (Detached)
1240.sniffer1 (02/14/2011 01:44:10 PM) (Detached)
1238.switch (02/14/2011 01:44:10 PM) (Detached)
4 Sockets in /var/run/screen/S-root.
After execution I have 2 hosts and 1 sniffer, all attached to the same UML switch. Because the switch runs with // -hub //, every frame is repeated to every port, so the sniffer receives the unicast traffic between uml1 and uml2 as well as broadcasts; in normal switched mode it would forward learned unicast frames only to their destination port and the sniffer would see little more than broadcast, multicast and unknown-destination frames.
== Error ==
** Error 1 **
The sniffer fails to start: the // date // command is not available in the busybox build used for the UML root. I have to // cp // it from the host together with its libs (found with // ldd //).
#copy the date binary file
cp /bin/date ~/uml/bin/
#ldd lists the libraries it needs (ldd works by running the dynamic loader on the file, so only use it on binaries you trust; /bin/date from the host is fine)
vic@vicubuntu:~/uml/bin$ ldd date
linux-gate.so.1 => (0x003f7000)
librt.so.1 => /lib/tls/i686/cmov/librt.so.1 (0x00e92000)
libc.so.6 => /lib/tls/i686/cmov/libc.so.6 (0x00269000)
libpthread.so.0 => /lib/tls/i686/cmov/libpthread.so.0 (0x0064a000)
/lib/ld-linux.so.2 (0x00b93000)
#cp them to the corresponding location for UML instance
vic@vicubuntu:~/uml/bin$ cp /lib/tls/i686/cmov/librt.so.1 ../lib/
vic@vicubuntu:~/uml/bin$ cp /lib/tls/i686/cmov/libc.so.6 ../lib/
vic@vicubuntu:~/uml/bin$ cp /lib/tls/i686/cmov/libpthread.so.0 ../lib/
vic@vicubuntu:~/uml/bin$ cp /lib/ld-linux.so.2 ../lib/
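The copying done by hand in Step 1 and again here for // date // is the same procedure each time: run // ldd //, take every path it prints, and copy it into ~/uml/lib next to the binary in ~/uml/bin. The script below automates that. It is an added example written for this page, not part of the original notes; it assumes the ~/uml/{bin,lib} layout, a host of the same architecture as the guest (i386 here) and GNU ldd's output format, and its built-in sample input is the // ldd date // output above.

```python
#!/usr/bin/env python3
"""Copy a dynamically linked host binary plus the shared libraries it needs
into a UML hostfs root laid out like ~/uml/{bin,lib} on this page.

Added example, not from the original page.  Assumptions: the host has the
same architecture as the guest (i386 here), the guest loader finds libraries
in /lib, and ldd's output format is the GNU one shown on the page.
"""
import os
import re
import shutil
import subprocess
import tempfile

# Constructed sample: the `ldd date` output from the page, used as test input.
SAMPLE_LDD = (
    "\tlinux-gate.so.1 =>  (0x003f7000)\n"
    "\tlibrt.so.1 => /lib/tls/i686/cmov/librt.so.1 (0x00e92000)\n"
    "\tlibc.so.6 => /lib/tls/i686/cmov/libc.so.6 (0x00269000)\n"
    "\tlibpthread.so.0 => /lib/tls/i686/cmov/libpthread.so.0 (0x0064a000)\n"
    "\t/lib/ld-linux.so.2 (0x00b93000)\n"
)

# Matches "name => /path (0xaddr)" and the bare loader line "/path (0xaddr)".
# The vDSO line "linux-gate.so.1 =>  (0xaddr)" has no path and is skipped:
# it is provided by the kernel, not by a file on disk.
_LDD_LINE = re.compile(r"^\s*(?:\S+\s+=>\s+)?(?P<path>/\S+)\s+\(0x[0-9a-fA-F]+\)\s*$")


def parse_ldd(text):
    """Return the library paths named in ldd output, loader included."""
    paths = []
    for line in text.splitlines():
        if "not found" in line:
            # A library missing on the host would be just as missing in the guest.
            raise RuntimeError("unresolved dependency: " + line.strip())
        m = _LDD_LINE.match(line)
        if m:
            paths.append(m.group("path"))
    return paths


def ldd(binary):
    """Run the host's ldd.  ldd works by invoking the dynamic loader on the
    file, so only point it at binaries you trust (here: files unpacked from
    your own distribution's packages with dpkg -x)."""
    out = subprocess.run(["ldd", binary], check=True, capture_output=True, text=True)
    return parse_ldd(out.stdout)


def install_with_libs(binary, root, deps=None):
    """Copy BINARY to ROOT/bin and each dependency to ROOT/lib.
    deps defaults to what ldd reports; pass a list to skip running ldd.
    Returns the destination paths written, relative to ROOT."""
    if deps is None:
        deps = ldd(binary)
    os.makedirs(os.path.join(root, "bin"), exist_ok=True)
    os.makedirs(os.path.join(root, "lib"), exist_ok=True)
    # copy2 follows symlinks, so libc.so.6 -> libc-2.x.so lands in the guest
    # as a real file under its soname, which is the name the loader asks for.
    written = [shutil.copy2(binary, os.path.join(root, "bin", os.path.basename(binary)))]
    for lib in deps:
        # hwcap subdirectories such as /lib/tls/i686/cmov/ are flattened into
        # /lib, exactly as the page copies them by hand.
        written.append(shutil.copy2(lib, os.path.join(root, "lib", os.path.basename(lib))))
    return [os.path.relpath(p, root) for p in written]


def self_check():
    """Exercise install_with_libs on throwaway files in a temp directory and
    return (paths written, whether they all exist); no real binaries or ldd."""
    work = tempfile.mkdtemp()
    fake_bin = os.path.join(work, "tcpdump")
    fake_lib = os.path.join(work, "libpcap.so.0.8")
    with open(fake_bin, "w") as f:
        f.write("not really an ELF\n")
    with open(fake_lib, "w") as f:
        f.write("not really a library\n")
    root = os.path.join(work, "uml")
    written = install_with_libs(fake_bin, root, deps=[fake_lib])
    exists = all(os.path.isfile(os.path.join(root, p)) for p in written)
    shutil.rmtree(work)
    return written, exists


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        for p in install_with_libs(sys.argv[1], sys.argv[2]):
            print("wrote", p)
    else:
        print("libraries from the page's ldd output:", parse_ldd(SAMPLE_LDD))
        print("self check:", self_check())
```

Run it as // python3 copy_with_libs.py /usr/sbin/tcpdump ~/uml // (a hypothetical file name for the script); with no arguments it parses the sample and runs a self check on throwaway files. A library that ldd reports as // not found // on the host is refused rather than silently skipped, since the guest would fail the same way at run time.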
=== Step 4 Observation ===
We can use a combination of // watch // and // tcpdump -r // to follow the capture file as it grows (and hence the behaviour of the network). Reading the file while tcpdump is still writing it only works because of // -U //; without it the file would lag behind the wire until the output buffer fills.
#watch re-runs the command every 2 seconds by default; -xx also dumps the link-level header in hex
watch 'tcpdump -xx -vv -r sniffer1-1257.dmp | tail'
# display from the tcpdump with tail
Every 2.0s: tcpdump -xx -vv -r sniffer1-1257.dmp | tail Mon Feb 14 14:08:37 2011
reading from file sniffer1-1257.dmp, link-type EN10MB (Ethernet)
0x0050: 0000 0000 0000 0000 0000 0000 0000 0000
0x0060: 0000
14:05:22.577904 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 10.0.0.1 tell 10.0.0.2, length 28
0x0000: ca6e 4beb e34b f69e e7ad e026 0806 0001
0x0010: 0800 0604 0001 f69e e7ad e026 0a00 0002
0x0020: 0000 0000 0000 0a00 0001
14:05:22.577906 ARP, Ethernet (len 6), IPv4 (len 4), Reply 10.0.0.1 is-at ca:6e:4b:eb:e3:4b (oui Unknown), length 28
0x0000: f69e e7ad e026 ca6e 4beb e34b 0806 0001
0x0010: 0800 0604 0002 ca6e 4beb e34b 0a00 0001
0x0020: f69e e7ad e026 0a00 0002
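The hex dumps above are enough to check two things offline: that the frames decode the way tcpdump says they do (tcpdump's "length 28" is the ARP body after the 14-byte Ethernet header; the frames themselves are 42 bytes), and that the passive sniffer port from Step 2 really sends nothing. The script below is an added example for this page, not code from the original notes: it reads a classic pcap file as written by // tcpdump -w //, decodes Ethernet and ARP with the standard library only, counts frames per source MAC, flags any frame whose source is the sniffer's own MAC, and reports records that a too-small // -s // truncated. The two ARP frames are the bytes from the dump above; the pcap headers, timestamps and // SNIFFER_MAC // are constructed for the example.

```python
#!/usr/bin/env python3
"""Read a `tcpdump -w` capture (classic pcap), decode Ethernet/ARP and check
that the sniffer port itself never transmitted.

Added example, not from the original page.  The two ARP frames are the hex
dump shown in Step 4; pcap framing, timestamps and SNIFFER_MAC are constructed.
"""
import struct

LINKTYPE_ETHERNET = 1            # tcpdump prints this as "EN10MB (Ethernet)"
ETHERTYPE_ARP = 0x0806
ARP_OPS = {1: "Request", 2: "Reply"}
SNIFFER_MAC = "02:00:00:00:00:01"  # constructed stand-in for the sniffer's eth0

# The page's two frames: ARP request from 10.0.0.2 and the reply (42 bytes each).
ARP_REQUEST = bytes.fromhex(("ca6e4bebe34b f69ee7ade026 0806 0001 0800 0604 0001"
                             " f69ee7ade026 0a000002 000000000000 0a000001").replace(" ", ""))
ARP_REPLY = bytes.fromhex(("f69ee7ade026 ca6e4bebe34b 0806 0001 0800 0604 0002"
                           " ca6e4bebe34b 0a000001 f69ee7ade026 0a000002").replace(" ", ""))


def build_pcap(frames, snaplen=65535):
    """Little-endian classic pcap around FRAMES.  Like tcpdump -s N, a record
    keeps only the first SNAPLEN bytes but stores the original length."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)]
    for i, frame in enumerate(frames):
        kept = frame[:snaplen]
        # constructed timestamps, 2 us apart like the page's two records
        out.append(struct.pack("<IIII", 1297692322, 577904 + 2 * i, len(kept), len(frame)))
        out.append(kept)
    return b"".join(out)


def parse_pcap(data):
    """Yield (timestamp, frame, original_length) per record, either byte order."""
    magic = struct.unpack("<I", data[:4])[0]
    end = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if end is None:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack(end + "HHiIII", data[4:24])[5]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("expected Ethernet link type, got %d" % linktype)
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(end + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        if len(frame) != incl_len:
            raise ValueError("truncated record at offset %d" % off)
        off += 16 + incl_len
        yield ts_sec + ts_usec / 1e6, frame, orig_len


def mac(b):
    return ":".join("%02x" % x for x in b)


def ipv4(b):
    return ".".join(str(x) for x in b)


def decode(frame):
    """Ethernet header plus, for a complete IPv4-over-Ethernet ARP frame, the ARP body."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    d = {"dst": mac(frame[:6]), "src": mac(frame[6:12]),
         "ethertype": struct.unpack("!H", frame[12:14])[0]}
    if d["ethertype"] == ETHERTYPE_ARP and len(frame) >= 42:
        htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
        if (htype, ptype, hlen, plen) == (1, 0x0800, 6, 4):
            d["arp"] = {"op": ARP_OPS.get(op, str(op)),
                        "sender_mac": mac(frame[22:28]), "sender_ip": ipv4(frame[28:32]),
                        "target_mac": mac(frame[32:38]), "target_ip": ipv4(frame[38:42])}
    return d


def describe(frame):
    """One-line summary in the spirit of tcpdump's ARP output."""
    d = decode(frame)
    a = d.get("arp")
    if a is None:   # non-ARP, or an ARP frame sliced short by the snaplen
        return "%s > %s ethertype 0x%04x (%d bytes)" % (d["src"], d["dst"], d["ethertype"], len(frame))
    if a["op"] == "Request":
        return "ARP Request who-has %s tell %s" % (a["target_ip"], a["sender_ip"])
    if a["op"] == "Reply":
        return "ARP Reply %s is-at %s" % (a["sender_ip"], a["sender_mac"])
    return "ARP op %s" % a["op"]


def source_counts(pcap):
    """Frames per source MAC: who is actually talking on the hub."""
    counts = {}
    for _ts, frame, _orig in parse_pcap(pcap):
        counts[mac(frame[6:12])] = counts.get(mac(frame[6:12]), 0) + 1
    return counts


def sniffer_tx_frames(pcap, sniffer_mac=SNIFFER_MAC):
    """Frames sent by the sniffer's own port.  With the passive setup of Step 2
    (no IP, -arp) this must be empty; anything here is the sniffer leaking."""
    return [decode(f) for _ts, f, _o in parse_pcap(pcap) if mac(f[6:12]) == sniffer_mac.lower()]


def sliced_records(pcap):
    """(stored, on-wire) lengths of records that a too-small -s truncated."""
    return [(len(f), orig) for _ts, f, orig in parse_pcap(pcap) if len(f) < orig]


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_pcap([ARP_REQUEST, ARP_REPLY])
    for ts, frame, _orig in parse_pcap(data):
        print("%.6f %s" % (ts, describe(frame)))
    print("per source MAC:", source_counts(data), "sniffer tx:", len(sniffer_tx_frames(data)),
          "sliced:", sliced_records(data))
```

With a real capture, run // python3 pcap_check.py /var/log/sniffer1-1257.dmp // (a hypothetical file name for the script) after setting // SNIFFER_MAC // to the sniffer's eth0 address; a non-empty result from // sniffer_tx_frames // means the port is not as passive as Step 2 intends. The ARP bodies decode only because the full 42 bytes were kept: // sliced_records // shows what a capture taken with a small snapshot length looks like, where the Ethernet header survives but the ARP payload does not.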