288 lines
11 KiB
HTML
288 lines
11 KiB
HTML
<!--startcut ======================================================= -->
|
|
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
|
|
<html>
|
|
<head>
|
|
<META NAME="generator" CONTENT="lgazmail v1.3C.j">
|
|
<TITLE>The Answer Guy 52: Routing Mystery</TITLE>
|
|
</HEAD><BODY BGCOLOR="#FFFFFF" TEXT="#000000"
|
|
LINK="#3366FF" VLINK="#A000A0">
|
|
<!-- ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: -->
|
|
<H4>"The Linux Gazette...<I>making Linux just a little more fun!</I>"</H4>
|
|
<P> <hr> <P>
|
|
<!-- ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: -->
|
|
<center>
|
|
<H1><A NAME="answer">
|
|
<img src="../../gx/dennis/qbubble.gif" alt="(?)"
|
|
border="0" align="middle">
|
|
<font color="#B03060">The Answer Guy</font>
|
|
<img src="../../gx/dennis/bbubble.gif" alt="(!)"
|
|
border="0" align="middle">
|
|
</A></H1>
|
|
<BR>
|
|
<H4>By James T. Dennis,
|
|
<a href="mailto:linux-questions-only@ssc.com">linux-questions-only@ssc.com</a><BR>
|
|
LinuxCare,
|
|
<A HREF="http://www.linuxcare.com/">http://www.linuxcare.com/</A>
|
|
</H4>
|
|
</center>
|
|
|
|
<p><hr><p>
|
|
<!-- endcut ======================================================= -->
|
|
<!-- begin 11 -->
|
|
<H3 align="left"><img src="../../gx/dennis/qbubble.gif"
|
|
height="50" width="60" alt="(?) " border="0"
|
|
>Routing Mystery</H3>
|
|
|
|
|
|
<p><strong>From Faber Fedor on Mon, 06 Mar 2000
|
|
</strong></p>
|
|
<!-- ::
|
|
Routing Mystery
|
|
~~~~~~~~~~~~~~~
|
|
:: -->
|
|
<P><STRONG>
|
|
Hi there!
|
|
</STRONG></P>
|
|
<P><STRONG>
|
|
Got an interesting little problem for you. In my Linux class
|
|
(yes, the one where I distribute your subnet answer to me from a
|
|
ways back) I have four student computers on the 131.107.4.0/24
|
|
subnet. My computer is on the 131.107.2.0/24 subnet. We are not
|
|
configured to use any routers. There <EM>is</EM> a router on our
|
|
network, but it is on a different subnet.
|
|
</STRONG></P>
|
|
<P><STRONG>
|
|
Here's the interesting part: my students are able to ping and FTP
|
|
to me!!! We can't figure out how or why. Even my student who is
|
|
getting his Cisco certification doesn't know what's going on.
|
|
</STRONG></P>
|
|
<P><STRONG>
|
|
Any ideas?
|
|
</STRONG></P>
|
|
<P><STRONG>
|
|
--
|
|
Faber Fedor
|
|
</STRONG></P>
|
|
<BLOCKQUOTE><IMG SRC="../../gx/dennis/bbub.gif" ALT="(!)"
|
|
HEIGHT="28" WIDTH="50" BORDER="0"
|
|
>
|
|
Hmm. I can't answer the question based on the
|
|
information presented here.
|
|
</BLOCKQUOTE>
|
|
<BLOCKQUOTE>
|
|
However I can offer some suggestions and some
|
|
questions.
|
|
</BLOCKQUOTE>
|
|
<BLOCKQUOTE>
|
|
First I assume that the routing tables on the student
|
|
machines look something like:
|
|
</BLOCKQUOTE>
|
|
|
|
<pre>Kernel IP routing table
|
|
Destination Gateway Genmask Flags Metric Ref Use Iface
|
|
131.107.4.0 0.0.0.0 255.255.0.0 U 0 0 12162 eth0
|
|
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 3 lo
|
|
</pre>
|
|
<BLOCKQUOTE>
|
|
... that you have no default route. If you do have a
|
|
default route that points to any router that knows how to
|
|
get to your ...2 net then there should be no question.
|
|
</BLOCKQUOTE>
|
|
<BLOCKQUOTE>
|
|
It's possible that your netmasks are a bit broader than
|
|
you need. (In my example above I set it as a class B mask).
|
|
If that's the case then you might be seeing the effects of
|
|
a proxyarp configured system that bridges the two nets.
|
|
In fact there might even be a real bridge between them --
|
|
or you might be running on a VLAN, such that the two
|
|
IP networks aren't truly on separate ethernet segments
|
|
at all.
|
|
</BLOCKQUOTE>
|
|
<BLOCKQUOTE>
|
|
Basically the different netmasks could be causing
|
|
these four systems to do ARPs and the network infrastructure
|
|
could be supporting those (by supplying the ARP replies).
|
|
</BLOCKQUOTE>
|
|
<BLOCKQUOTE>
|
|
There are other possibilities. I'd suggest drawing an
|
|
ASCII diagram of the network, labeling the routers
|
|
and hosts on each of the segments, and footnoting all
|
|
of the routing tables and <TT>ifconfig -a</TT> output for each
|
|
of them.
|
|
</BLOCKQUOTE>
|
|
<BLOCKQUOTE>
|
|
I'd also fire up copies of '<TT>tcpdump -n -vvv</TT>' at strategic
|
|
points on these segments. You can do those in separate
|
|
xterm windows, on separate VCs (virtual consoles) or using
|
|
<tt>splitvt</tt>, or the new "split" command in my favorite utility
|
|
--- '<tt>screen</tt>'.
|
|
</BLOCKQUOTE>
|
|
<BLOCKQUOTE><ul>
|
|
<li> (The '<tt>screen</tt>' utility recently added this
|
|
feature. You simply use the C-a or other
|
|
'<tt>screen</tt>' meta key with S (capital '<tt>S</tt>') to
|
|
split the screen, C-a, [Tab] to switch to
|
|
other sections, and C-a, <tt>Q</tt> to make the
|
|
current screen section take over the whole
|
|
terminal window/screen once again).
|
|
</ul></BLOCKQUOTE>
|
|
<BLOCKQUOTE>
|
|
Anyway. Using those techniques you can see what sorts
|
|
of traffic are going on on these segments. You might
|
|
want to use the following command to limit the
|
|
volume of outout a bit:
|
|
</BLOCKQUOTE>
|
|
<BLOCKQUOTE><BLOCKQUOTE><CODE>
|
|
tcpdump -n -vvv icmp
|
|
</CODE></BLOCKQUOTE></BLOCKQUOTE>
|
|
<BLOCKQUOTE>
|
|
.... that limits tcpdump to looking for ICMP (internet
|
|
control message protocol) packets. I'm curious if there are
|
|
some sort of ICMP redirect packets floating around.
|
|
</BLOCKQUOTE>
|
|
<BLOCKQUOTE>
|
|
BTW tcpdump has a filtering language that allows you to
|
|
use hostnames, host numbers, negation, port numbers, and
|
|
service names, protocol names, and connectives like
|
|
"and" and "or" and direction specifiers.
|
|
</BLOCKQUOTE>
|
|
<BLOCKQUOTE>
|
|
So, if you're going to view a tcpdump output on remote
|
|
system you definitely want to exclude the traffic from
|
|
that shell/tcpdump session as it gets to your remote
|
|
terminal!
|
|
</BLOCKQUOTE>
|
|
<BLOCKQUOTE>
|
|
(Otherwise you'll flood your network with tcpdump relaying
|
|
traffic about the traffic that it just saw from the traffic
|
|
that it just relayed to you. Got it? Good!)
|
|
</BLOCKQUOTE>
|
|
<BLOCKQUOTE>
|
|
In other words, if you <tt>ssh</tt> from B to A and run <tt>tcpdump</tt>
|
|
there, the least you should to is :
|
|
</BLOCKQUOTE>
|
|
|
|
<blockquote><blockquote><code>tcpdump -i eth0 -vvv -n not src port ssh and not dst port ssh
|
|
</code></blockquote></blockquote>
|
|
<BLOCKQUOTE>
|
|
... which should get all of the traffic on that segment
|
|
except for the ssh sessions. You could be more explicit
|
|
if you wanted to type more complex filtering expressions.
|
|
</BLOCKQUOTE>
|
|
<BLOCKQUOTE>
|
|
Of course, in a busy college lab you might have to play with
|
|
much more selective filters to drown out all the traffic
|
|
that you know is unrelated to your question.
|
|
</BLOCKQUOTE>
|
|
<BLOCKQUOTE>
|
|
tcpdump is the premier tool for learning about this sort
|
|
of thing. Showing you students of this will be very
|
|
useful to their eventual careers. (Note: This sniffer
|
|
is also the most innocuous of them all. It normally only
|
|
captures headers, and it only displays payload data in
|
|
hex. So this can't be used to "accidentally" capture
|
|
people's passwords or confidential data over your
|
|
LAN segments.
|
|
</BLOCKQUOTE>
|
|
<BLOCKQUOTE>
|
|
I think it's also of some value to show them less innocuous
|
|
tools that are readily available. Show them copies of <tt>sniffit</tt>
|
|
(<A HREF="http://www.freshmeat.net/appindex/1998/07/15/900550583.html"
|
|
>http://www.freshmeat.net/appindex/1998/07/15/900550583.html</A>),
|
|
and <tt>hunt</tt>
|
|
(<A HREF="http://www.freshmeat.net/appindex/1998/12/03/912689682.html"
|
|
>http://www.freshmeat.net/appindex/1998/12/03/912689682.html</A>).
|
|
</BLOCKQUOTE>
|
|
<BLOCKQUOTE>
|
|
Those are tools that make it trivially easy to sniff a
|
|
network, steal passwords, hijack peoples telnet and rlogin
|
|
sessions, read their e-mail "over their shoulder" across the
|
|
network and generally be highly unethical.
|
|
</BLOCKQUOTE>
|
|
<BLOCKQUOTE>
|
|
Fast ethernet switches may offer some obscurity from this
|
|
problem since every data frame isn't re-broadcast across
|
|
every wire in a switched network. However, this should not
|
|
be relied upon. The only solution to sniffing problem is the
|
|
ubiquitous use of cryptography (ssh, Kerberos, SSL, etc).
|
|
</BLOCKQUOTE>
|
|
<BLOCKQUOTE>
|
|
If your students are going to be professional network
|
|
administrators and engineers --- they might as well learn
|
|
this lesson sooner than later.
|
|
</BLOCKQUOTE>
|
|
|
|
<!-- sig -->
|
|
|
|
|
|
<!-- end 11 -->
|
|
<!--startcut ======================================================= -->
|
|
<P> <hr> <P>
|
|
<H5 align="center"><a href="http://www.linuxgazette.com/copying.html"
|
|
>Copyright ©</a> 2000, James T. Dennis
|
|
<BR>Published in <I>The Linux Gazette</I> Issue 52 April 2000</H5>
|
|
<H6 ALIGN="center">HTML transformation by
|
|
<A HREF="mailto:star@tuxtops.com">Heather Stern</a> of
|
|
Tuxtops, Inc.,
|
|
<A HREF="http://www.tuxtops.com/">http://www.tuxtops.com/</A>
|
|
</H6>
|
|
<P> <hr> <P>
|
|
<!-- begin tagnav ::::::::::::::::::::::::::::::::::::::::::::::::::-->
|
|
<TABLE WIDTH="95%"><TR VALIGN="center" ALIGN="center">
|
|
<TD colspan="2" rowspan="2"><A
|
|
HREF="../lg_answer52.html"
|
|
><IMG SRC="../../gx/dennis/answernew.gif"
|
|
ALT="[ Answer Guy Current Index ]"></A>
|
|
<TD colspan="2" rowspan="2"><A
|
|
HREF="../../tag/kb.html"
|
|
><IMG SRC="../../gx/dennis/answertoc.gif"
|
|
ALT="[ Index of Past Answers ]"></A></td>
|
|
<TD WIDTH="11%"><A HREF="../lg_answer52.html#greeting"><img
|
|
src="../../gx/dennis/smily.gif" alt="greetings" border="0"></A></TD>
|
|
<TD WIDTH="11%"><A HREF="1.html">1</A></TD>
|
|
<TD WIDTH="11%"><A HREF="2.html">2</A></TD>
|
|
<TD WIDTH="11%"><A HREF="3.html">3</A></TD>
|
|
<TD WIDTH="11%"><A HREF="4.html">4</A></TD>
|
|
</TR><TR VALIGN="center" ALIGN="center">
|
|
<TD WIDTH="11%"><A HREF="5.html">5</A></TD>
|
|
<TD WIDTH="11%"><A HREF="6.html">6</A></TD>
|
|
<TD WIDTH="11%"><A HREF="7.html">7</A></TD>
|
|
<TD WIDTH="11%"><A HREF="8.html">8</A></TD>
|
|
<TD WIDTH="11%"><A HREF="9.html">9</A></TD>
|
|
</TR><TR VALIGN="center" ALIGN="center">
|
|
<TD WIDTH="10%"><A HREF="10.html">10</A></TD>
|
|
<TD WIDTH="10%"><A HREF="11.html">11</A></TD>
|
|
<TD WIDTH="10%"><A HREF="12.html">12</A></TD>
|
|
<TD WIDTH="10%"><A HREF="13.html">13</A></TD>
|
|
<TD WIDTH="11%"><A HREF="14.html">14</A></TD>
|
|
<TD WIDTH="11%"><A HREF="15.html">15</A></TD>
|
|
<TD WIDTH="11%"><A HREF="16.html">16</A></TD>
|
|
<TD WIDTH="11%"><A HREF="17.html">17</A></TD>
|
|
</TR><TR VALIGN="center" ALIGN="center">
|
|
<TD WIDTH="10%"><A HREF="18.html">18</A></TD>
|
|
<TD WIDTH="10%"><A HREF="19.html">19</A></TD>
|
|
<TD WIDTH="10%"><A HREF="20.html">20</A></TD>
|
|
<TD WIDTH="10%"><A HREF="21.html">21</A></TD>
|
|
<TD WIDTH="11%"><A HREF="22.html">22</A></TD>
|
|
<TD WIDTH="11%"><A HREF="23.html">23</A></TD>
|
|
<TD WIDTH="11%"><A HREF="24.html">24</A></TD>
|
|
</TR></TABLE>
|
|
<!-- end tagnav ::::::::::::::::::::::::::::::::::::::::::::::::::::-->
|
|
<P> <hr> <P>
|
|
<!-- begin lgnav ::::::::::::::::::::::::::::::::::::::::::::::::::: -->
|
|
<A HREF="../index.html"
|
|
><IMG SRC="../../gx/indexnew.gif" ALT="[ Table Of Contents ]"></A>
|
|
<A HREF="../../index.html"
|
|
><IMG SRC="../../gx/homenew.gif" ALT="[ Front Page ]"></A>
|
|
<A HREF="../lg_bytes52.html"
|
|
><IMG SRC="../../gx/back2.gif" ALT="[ Previous Section ]"></A>
|
|
<A HREF="../../faq/index.html"
|
|
><IMG SRC="../../gx/dennis/faq.gif"
|
|
ALT="[ Linux Gazette FAQ ]"></A>
|
|
<A HREF="../lg_tips52.html"
|
|
><IMG SRC="../../gx/fwd.gif" ALT="[ Next Section ]"></A>
|
|
<!-- end lgnav ::::::::::::::::::::::::::::::::::::::::::::::::::::: -->
|
|
<!-- ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: -->
|
|
</BODY></HTML>
|
|
<!--endcut ========================================================= -->
|