study:2011inrweek3log

Step 1 Download and "install" tcpdump on UML

Get the file

On my UML host machine (Ubuntu HVM)

wget http://archive.ubuntu.com/ubuntu/pool/main/t/tcpdump/tcpdump_4.1.1-1ubuntu2_i386.deb

Extra the file to a folder

dpkg -x tcpdump_4.1.1-1ubuntu2_i386.deb ./
cp ./sbin/tcpdump ~/uml/bin/

Copy the necessary libs

vic@vicubuntu:~/tcpdump/usr/sbin$ cp /lib/i686/cmov/libcrypto.so.0.9.8 ~/uml/lib/
vic@vicubuntu:~/uml/lib$ cp /usr/lib/libpcap.so.0.8 ./
vic@vicubuntu:~/uml/lib$ cp /lib/tls/i686/cmov/libc.so.6 ./
vic@vicubuntu:~/uml/lib$ cp /lib/tls/i686/cmov/libdl.so.2 ./
vic@vicubuntu:~/uml/lib$ cp /lib/libz.so.1 ./
vic@vicubuntu:~/uml/lib$ cp /lib/ld-linux.so.2 ./

Test on UML instance

Start the UML instance with my script

sudo ./network1 1

Within UML instance

# tcpdump
device eth0 entered promiscuous mode
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes

It is working with the “default” configuration, next we have to make it work properly, like keep the logs in a designated folder.

Step 2 TCPDUMP options and change scripts

TCPDUMP

I use the following tcpdump options

tcpdump stp -n -i eth0 -U -s 0 -w /tmp/var/log/$hostname-`date +%H%M`.dmp

STP - only listen for STP packets as we are now focusing on layer2 topology. But I did not use it. I'd rather have the full dump and filter later by using other options.
-n - turn off name resolution.
-i eth0 - listen only on interface eth0
-U - save the packet immediately instead of waiting till the buffer is full
-s 0 - Do not slice the packet. Log the raw packet.
-w - write the log to another file instead of the stdio

Turn off protocols from sniffer port

In order not to interfere with the “normal network. We have to turn off the protocols of sniffing port.

Take out IP address by only taking it up without an IP address

ifconfig up

Turn off ARP

ifconfig -arp

Change the scripts

Host script

#!/bin/sh
 
n=$1
echo "going to create $n hosts"
screen -dmS switch uml_switch -hub -unix /home/vic/umlswitch/sw1.ctl
screen -dmS sniffer1 linux.uml rootfstype=hostfs rootflags=/home/vic/uml/ r umlid=sniffer1 hostname=sniffer1 eth0=daemon,,unix,/home/vic/umlswitch/sw1.ctl role="sniffer"
 
for i in `seq 1 $n`
do
  screen -dmS uml$i linux.uml rootfstype=hostfs rootflags=/home/vic/uml/ r umlid=uml$i hostname=uml$i eth0=daemon,,unix,/home/vic/umlswitch/sw1.ctl ip_eth0="10.0.0.$i" mask_eth0="255.255.255.0" bc_eth0="10.0.0.255"
done

Guest script

sniffer)
        echo "sniffer"
        ifconfig eth0 -arp up
        tcpdump -i eth0 -U -s 0 -w /var/log/$hostname-`date +%H%M`.dmp &
        echo "INFO: sniffer $hostname activated"
        ;;

Step 3 Rebuild the first network and start sniffing

The start script of the first network in assignment 1 plus a sniffer

network1

vic@vicubuntu:~$ sudo ./network1 2
going to create 2 hosts
vic@vicubuntu:~$ sudo screen -ls
There are screens on:
	1249.uml2	(02/14/2011 01:44:10 PM)	(Detached)
	1246.uml1	(02/14/2011 01:44:10 PM)	(Detached)
	1240.sniffer1	(02/14/2011 01:44:10 PM)	(Detached)
	1238.switch	(02/14/2011 01:44:10 PM)	(Detached)
4 Sockets in /var/run/screen/S-root.

After the execution, I have 2 hosts, 1 sniffer attached to 1 UML switch.

Error

Error 1 There is error in sniffer, the date command is not supported by busybox. I have to cp it from the host together with libs.

#copy the date binary file
cp /bin/date ~/uml/bin/
 
#ldd to get the libs
vic@vicubuntu:~/uml/bin$ ldd date
	linux-gate.so.1 =>  (0x003f7000)
	librt.so.1 => /lib/tls/i686/cmov/librt.so.1 (0x00e92000)
	libc.so.6 => /lib/tls/i686/cmov/libc.so.6 (0x00269000)
	libpthread.so.0 => /lib/tls/i686/cmov/libpthread.so.0 (0x0064a000)
	/lib/ld-linux.so.2 (0x00b93000)
 
#cp them to the corresponding location for UML instance 
vic@vicubuntu:~/uml/bin$ cp /lib/tls/i686/cmov/librt.so.1 ../lib/
vic@vicubuntu:~/uml/bin$ cp /lib/tls/i686/cmov/libc.so.6 ../lib/
vic@vicubuntu:~/uml/bin$ cp /lib/tls/i686/cmov/libpthread.so.0 ../lib/
vic@vicubuntu:~/uml/bin$ cp /lib/ld-linux.so.2 ../lib/

Step 4 Observation

We can use a combination of watch and tcpdump to monitor the change of the log (hence the behavior of the network)

#watch every 2 seconds by default the tcpdump result
watch 'tcpdump -xx -vv -r sniffer1-1257.dmp  | tail'
 
# display from the tcpdump with tail
Every 2.0s: tcpdump -xx -vv -r sniffer1-1257.dmp  | tail                     Mon Feb 14 14:08:37 2011
 
reading from file sniffer1-1257.dmp, link-type EN10MB (Ethernet)
        0x0050:  0000 0000 0000 0000 0000 0000 0000 0000
        0x0060:  0000
14:05:22.577904 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 10.0.0.1 tell 10.0.0.2, length 2
8
        0x0000:  ca6e 4beb e34b f69e e7ad e026 0806 0001
        0x0010:  0800 0604 0001 f69e e7ad e026 0a00 0002
        0x0020:  0000 0000 0000 0a00 0001
14:05:22.577906 ARP, Ethernet (len 6), IPv4 (len 4), Reply 10.0.0.1 is-at ca:6e:4b:eb:e3:4b (oui Unkn
own), length 28
        0x0000:  f69e e7ad e026 ca6e 4beb e34b 0806 0001
        0x0010:  0800 0604 0002 ca6e 4beb e34b 0a00 0001
        0x0020:  f69e e7ad e026 0a00 0002