Notes:
- Commands preceded with “$” imply that you should execute the command as a general user - not as root.
- Commands preceded with “#” imply that you should be working as root.
- Commands with more specific command lines (e.g. “GW-RTR>” or “mysql>”)
imply that you are executing commands on remote equipment, or within another program. - If a command line ends with “" this indicates that the command continues on the next line and you should treat this as a single line.
Exercises Part I
- Log in to your PC/VM or open a terminal window as the sysadm user.
Network Performance Metrics
ping
ping is a program that sends ICMP echo request packets to target hosts and waits for an ICMP response from the host. Depending on the operating system on which you are using ping you may see the minimum, maximum, and the mean
round-trip times, and sometimes the standard deviation of the mean for the ICMP responses from the target host. For more details see: http://en.wikipedia.org/wiki/Ping
Blocking ping is generally a bad idea.
With all this in mind, try using ping in a few different ways:
$ ping localhost
Press ctrl-c to stop the process. Here is typical output from the above command:
PING localhost (127.0.0.1) 56(84) bytes of data.
64 bytes from localhost (127.0.0.1): icmp_seq=1 ttl=64 time=0.020 ms
64 bytes from localhost (127.0.0.1): icmp_seq=2 ttl=64 time=0.006 ms
64 bytes from localhost (127.0.0.1): icmp_seq=3 ttl=64 time=0.006 ms
64 bytes from localhost (127.0.0.1): icmp_seq=4 ttl=64 time=0.006 ms
64 bytes from localhost (127.0.0.1): icmp_seq=5 ttl=64 time=0.006 ms
64 bytes from localhost (127.0.0.1): icmp_seq=6 ttl=64 time=0.009 ms
64 bytes from localhost (127.0.0.1): icmp_seq=7 ttl=64 time=0.007 ms
^C
--- localhost ping statistics ---
7 packets transmitted, 7 received, 0% packet loss, time 5994ms
rtt min/avg/max/mdev = 0.006/0.008/0.020/0.005 ms
Question: why did the first ICMP response take 20ms while the remaining
responses were much quicker? This is a type of delay. What kind is it?
traceroute
You may have used traceroute before, but have you really looked at what it is doing? If not, read this: http://en.wikipedia.org/wiki/Traceroute
You may need to install the traceroute command first. To do this do:
$ sudo apt-get install traceroute
Once installed try:
$ traceroute nsrc.org
Here’s sample output from traceroute to nsrc.org (lines wrapped due to length):
traceroute to nsrc.org (128.223.157.19), 64 hops max, 52 byte packets
1 gw.ws.nsrc.org (10.10.0.254) 1.490 ms 1.069 ms 1.055 ms
2 192.248.5.2 (192.248.5.2) 2.741 ms 2.450 ms 3.182 ms
3 192.248.1.126 (192.248.1.126) 2.473 ms 2.497 ms 2.618 ms
4 mb-t3-01-v4.bb.tein3.net (202.179.249.93) 26.324 ms 28.049 ms 27.403 ms
5 sg-so-06-v4.bb.tein3.net (202.179.249.81) 103.321 ms 91.072 ms 91.674 ms
6 jp-pop-sg-v4.bb.tein3.net (202.179.249.50) 168.948 ms 168.712 ms 168.903 ms
7 tpr5-ge0-0-0-4.jp.apan.net (203.181.248.250) 172.789 ms 170.367 ms 188.689 ms
8 losa-tokyo-tp2.transpac2.net (192.203.116.145) 579.586 ms 284.736 ms 284.202 ms
9 abilene-1-lo-jmb-702.lsanca.pacificwave.net (207.231.240.131) 303.736 ms
284.884 ms 530.854 ms
10 vl-101.xe-0-0-0.core0-gw.pdx.oregon-gigapop.net (198.32.165.65) 328.082 ms
305.800 ms 533.644 ms
11 vl-105.uonet9-gw.eug.oregon-gigapop.net (198.32.165.92) 336.680 ms 617.267 ms
495.685 ms
12 vl-3.uonet2-gw.uoregon.edu (128.223.3.2) 310.552 ms 421.638 ms 612.399 ms
13 nsrc.org (128.223.157.19) 309.548 ms 612.151 ms 611.505 ms
Do you understand what each item means? If not, see the Wikipedia page and type:
$ man traceroute
for more information. What does it mean if you see lines like this?
15 * * *
16 * * *
17 * * *
Again, read “man traceroute” for details.
As you can see traceroute can be used to determine where problems are taking place between two endpoints on a network.
Try running traceroute again to the same host (nsrc.org). It will likely take considerably less time.
mtr
The mtr tool combines ping and traceroute in to a single, dynamically updating display.
Before using mtr you may need to first install it:
$ sudo apt-get install mtr
Now give it a try:
$ mtr nsrc.org
The output of the command looks different on different Linux and UNIX flavors, but in general you’ll see a summary of packet loss to each node on the path to the remote target host, number of ICMP echo request packets sent, last rtt (round-trip-time) to the host, average, best and worst rtt as well as the standard deviation of rtt’s.
By showing the percent loss of packets in this format it makes it much easier to see where you may be having network issues.
ping with variable packet size
By default, ping sends out IP datagrams of size 84 bytes:
- 20 bytes IP header
- 8 bytes ICMP header
- 56 bytes data padding
However, you can send out larger packets using the -s option. Using -s 1472
will give you a 1500-byte IP datagram, which is the maximum for most networks before fragmentation takes place (MTU = Maximum Transmission
Unit)
This simple mechanism can be used to debug all sorts of problems, and even distinguish between transmission delay and propagation delay.
For this exercise, first determine your default gateway, which is the first hop in a traceroute, or use netstat -rn
for destination 0.0.0.0
Send 20 standard pings to that address:
$ ping -c20 10.10.0.254
Make a note of the minimum round-trip time seen (t1).
Now send 20 maximum-sized pings:
$ ping -c20 -s1472 10.10.0.254
Again, make a note of the minimum round-trip time seen (t2).
The propagation delay is the same in both cases, so the larger round-trip time must be due to transmission delay.
You can now estimate the transmission delay and hence the bandwidth of the link.
increase in transmission time = t2 - t1
increase in bits sent = (1500-84) * 8 * 2 = 22656
(multiply by 2 because the round-trip time involves sending the packet twice)
Divide the bits by time to get an estimate of bits per second. Remember to convert milliseconds to seconds first.
Example:
t2 = 1.71
t1 = 1.14
t2-t1 = 0.57
0.57 ms = 0.00057 sec
22656 bits / 0.00057 sec = 39747368.42 bps
You could then convert this to Kbps, Mbps, etc.
By doing this for subsequent hops, it’s possible to estimate the bandwidth on each hop, even those remote from you. There is a tool available which does this automatically - it’s called “pathchar” but you have to build it from source. A few OS-specific binaries are available at:
ftp://ftp.ee.lbl.gov/pathchar/
The web page, including documentation is available here:
http://www.caida.org/tools/utilities/others/pathchar/
Exercises Part II
=================
Network Analysis
lsof and netstat
See what services are running on your machine. You can use the presentation as a reference.
Or, utilize “man lsof”, “man netstat”, “lsof -h” and “netstat -h” to see the available options (there are a lot!). Remember to use sudo when using lsof and netstat to give yourself necessary permissions to view everything.
You may need to install lsof. To do this type:
$ sudo apt-get install lsof
- Using lsof, what IPv4 services are listening on your machine?
- Using netstat, what IPv4 and IPv6 services are listening on your machine?
tcpdump and tshark
First we need to install both these programs:
$ sudo apt-get install tcpdump tshark
Use tcpdump like this:
$ sudo tcpdump -i lo -A -s1500 -w /tmp/tcpdump.log
Now, generate some traffic on your lo interface in another terminal.
For example:
$ ping localhost
$ ssh localhost
etc. Afterwords press CTRL-C to terminate the tcpdump session.
Note: ssh generates much more “interesting” output. Now let’s read the output from tcpdump using tshark:
$ sudo tshark -r /tmp/tcpdump.log | less
What do you see? Can you follow the SSH session you initiated earlier?
Next we’ll use ftp. First we need to install an ftp client:
$ sudo apt-get install ftp
Now try something like this:
$ sudo rm /tmp/tcpdump.log
$ sudo tcpdump -i eth0 -A -s1500 -w /tmp/tcpdump.log
In another terminal do:
$ ftp limestone.uoregon.edu
Connected to limestone.uoregon.edu.
220 FTP Server ready.
Name (limestone.uoregon.edu:sysadmin): anonymous
Password:
ftp> exit
End the tcpdump session in the other terminal (CTRL-C). Now view the contents of the log file:
$ sudo tshark -r /tmp/tcpdump.log | less
Can you see your password? If you have a lot of traffic on your network, then the tcpdump.log file may be fairly large. You can search for your FTP session by typing:
"/FTP"
in the output screen. Since you piped your shark command output to the “less” command using the “/“ to search for strings works. Now press the “n” key for “n”ext to follow the FTP session. You should see a line with the string:
"FTP Request: PASS PasswordYouTypedIn"
Sniffing unencrypted passwords on wireless lans is very easy with a tool like this.
Rememer to clean up after yourself:
$ rm /tmp/tcpdump.log
Using iperf
First we need to install iperf:
$ sudo apt-get install iperf
Use “man iperf” or “iperf -h” for help.
Ask your neighbor to run:
$ iperf -s
Connect to your neighbor’s machine using:
$ iperf -c ipNeighbor
How much throughput is there between your machines? You can repeat this exercise with any remote machine where iperf is installed and you have an account. This is a quick way to see what bandwidth looks like between two points.
To stop the iperf server where you ran “iperf -s” press CTRL-c.
If you have time continue playing with iperf options. If you have a remote PC running UNIX or Linux you might want to try installing iperf and testing your connection from the workshop lab to your remote machine.
Some more things to try…
Test TCP using various window sizes (-2).
Verify TCP MSS (-m). How does this affect throughput? What is Path MTU discovery?
Test with two parallel threads (-P) and compare the totals. Is there any difference? Why?
Test with different packet sizes and the TCP_NODELAY (-N) option.