<!--startcut ======================================================= -->
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<html>
<head>
<META NAME="generator" CONTENT="lgazmail v1.3C.j">
<TITLE>The Answer Guy 52: Routing Mystery</TITLE>
</HEAD><BODY BGCOLOR="#FFFFFF" TEXT="#000000"
LINK="#3366FF" VLINK="#A000A0">
<!-- ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: -->
<H4>"The Linux Gazette...<I>making Linux just a little more fun!</I>"</H4>
<P> <hr> <P>
<!-- ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: -->
<center>
<H1><A NAME="answer">
<img src="../../gx/dennis/qbubble.gif" alt="(?)"
border="0" align="middle">
<font color="#B03060">The Answer Guy</font>
<img src="../../gx/dennis/bbubble.gif" alt="(!)"
border="0" align="middle">
</A></H1>
<BR>
<H4>By James T. Dennis,
<a href="mailto:linux-questions-only@ssc.com">linux-questions-only@ssc.com</a><BR>
LinuxCare,
<A HREF="http://www.linuxcare.com/">http://www.linuxcare.com/</A>
</H4>
</center>
<p><hr><p>
<!-- endcut ======================================================= -->
<!-- begin 11 -->
<H3 align="left"><img src="../../gx/dennis/qbubble.gif"
height="50" width="60" alt="(?) " border="0"
>Routing Mystery</H3>
<p><strong>From Faber Fedor on Mon, 06 Mar 2000
</strong></p>
<!-- ::
Routing Mystery
~~~~~~~~~~~~~~~
:: -->
<P><STRONG>
Hi there!
</STRONG></P>
<P><STRONG>
Got an interesting little problem for you. In my Linux class
(yes, the one where I distribute your subnet answer to me from a
ways back) I have four student computers on the 131.107.4.0/24
subnet. My computer is on the 131.107.2.0/24 subnet. We are not
configured to use any routers. There <EM>is</EM> a router on our
network, but it is on a different subnet.
</STRONG></P>
<P><STRONG>
Here's the interesting part: my students are able to ping and FTP
to me!!! We can't figure out how or why. Even my student who is
getting his Cisco certification doesn't know what's going on.
</STRONG></P>
<P><STRONG>
Any ideas?
</STRONG></P>
<P><STRONG>
--
Faber Fedor
</STRONG></P>
<BLOCKQUOTE><IMG SRC="../../gx/dennis/bbub.gif" ALT="(!)"
HEIGHT="28" WIDTH="50" BORDER="0"
>
Hmm. I can't answer the question based on the
information presented here.
</BLOCKQUOTE>
<BLOCKQUOTE>
However I can offer some suggestions and some
questions.
</BLOCKQUOTE>
<BLOCKQUOTE>
First I assume that the routing tables on the student
machines look something like:
</BLOCKQUOTE>
<pre>Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
131.107.4.0     0.0.0.0         255.255.0.0     U     0      0    12162 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        3 lo
</pre>
<BLOCKQUOTE>
... that you have no default route. If you do have a
default route that points to any router that knows how to
get to your ...2 net then there should be no question.
</BLOCKQUOTE>
<BLOCKQUOTE>
It's possible that your netmasks are a bit broader than
you need. (In my example above I set it as a class B mask).
If that's the case then you might be seeing the effects of
a proxyarp configured system that bridges the two nets.
In fact there might even be a real bridge between them --
or you might be running on a VLAN, such that the two
IP networks aren't truly on separate ethernet segments
at all.
</BLOCKQUOTE>
<BLOCKQUOTE>
Basically the different netmasks could be causing
these four systems to do ARPs and the network infrastructure
could be supporting those (by supplying the ARP replies).
</BLOCKQUOTE>
<BLOCKQUOTE>
There are other possibilities. I'd suggest drawing an
ASCII diagram of the network, labeling the routers
and hosts on each of the segments, and footnoting all
of the routing tables and <TT>ifconfig -a</TT> output for each
of them.
</BLOCKQUOTE>
<BLOCKQUOTE>
I'd also fire up copies of '<TT>tcpdump -n -vvv</TT>' at strategic
points on these segments. You can do those in separate
xterm windows, on separate VCs (virtual consoles) or using
<tt>splitvt</tt>, or the new "split" command in my favorite utility
--- '<tt>screen</tt>'.
</BLOCKQUOTE>
<BLOCKQUOTE><ul>
<li> (The '<tt>screen</tt>' utility recently added this
feature. You simply use the C-a or other
'<tt>screen</tt>' meta key with S (capital '<tt>S</tt>') to
split the screen, C-a, [Tab] to switch to
other sections, and C-a, <tt>Q</tt> to make the
current screen section take over the whole
terminal window/screen once again).
</ul></BLOCKQUOTE>
<BLOCKQUOTE>
Anyway. Using those techniques you can see what sorts
of traffic are going on on these segments. You might
want to use the following command to limit the
volume of output a bit:
</BLOCKQUOTE>
<BLOCKQUOTE><BLOCKQUOTE><CODE>
tcpdump -n -vvv icmp
</CODE></BLOCKQUOTE></BLOCKQUOTE>
<BLOCKQUOTE>
.... that limits tcpdump to looking for ICMP (internet
control message protocol) packets. I'm curious if there are
some sort of ICMP redirect packets floating around.
</BLOCKQUOTE>
<BLOCKQUOTE>
BTW tcpdump has a filtering language that allows you to
use hostnames, host numbers, negation, port numbers, and
service names, protocol names, and connectives like
"and" and "or" and direction specifiers.
</BLOCKQUOTE>
<BLOCKQUOTE>
So, if you're going to view a tcpdump output on remote
system you definitely want to exclude the traffic from
that shell/tcpdump session as it gets to your remote
terminal!
</BLOCKQUOTE>
<BLOCKQUOTE>
(Otherwise you'll flood your network with tcpdump relaying
traffic about the traffic that it just saw from the traffic
that it just relayed to you. Got it? Good!)
</BLOCKQUOTE>
<BLOCKQUOTE>
In other words, if you <tt>ssh</tt> from B to A and run <tt>tcpdump</tt>
there, the least you should do is:
</BLOCKQUOTE>
<blockquote><blockquote><code>tcpdump -i eth0 -vvv -n not src port ssh and not dst port ssh
</code></blockquote></blockquote>
<BLOCKQUOTE>
... which should get all of the traffic on that segment
except for the ssh sessions. You could be more explicit
if you wanted to type more complex filtering expressions.
</BLOCKQUOTE>
<BLOCKQUOTE>
Of course, in a busy college lab you might have to play with
much more selective filters to drown out all the traffic
that you know is unrelated to your question.
</BLOCKQUOTE>
<BLOCKQUOTE>
tcpdump is the premier tool for learning about this sort
of thing. Showing your students this will be very
useful to their eventual careers. (Note: This sniffer
is also the most innocuous of them all. It normally only
captures headers, and it only displays payload data in
hex. So this can't be used to "accidentally" capture
people's passwords or confidential data over your
LAN segments.)
</BLOCKQUOTE>
<BLOCKQUOTE>
I think it's also of some value to show them less innocuous
tools that are readily available. Show them copies of <tt>sniffit</tt>
(<A HREF="http://www.freshmeat.net/appindex/1998/07/15/900550583.html"
>http://www.freshmeat.net/appindex/1998/07/15/900550583.html</A>),
and <tt>hunt</tt>
(<A HREF="http://www.freshmeat.net/appindex/1998/12/03/912689682.html"
>http://www.freshmeat.net/appindex/1998/12/03/912689682.html</A>).
</BLOCKQUOTE>
<BLOCKQUOTE>
Those are tools that make it trivially easy to sniff a
network, steal passwords, hijack people's telnet and rlogin
sessions, read their e-mail "over their shoulder" across the
network and generally be highly unethical.
</BLOCKQUOTE>
<BLOCKQUOTE>
Fast ethernet switches may offer some obscurity from this
problem since every data frame isn't re-broadcast across
every wire in a switched network. However, this should not
be relied upon. The only solution to the sniffing problem is the
ubiquitous use of cryptography (ssh, Kerberos, SSL, etc).
</BLOCKQUOTE>
<BLOCKQUOTE>
If your students are going to be professional network
administrators and engineers --- they might as well learn
this lesson sooner than later.
</BLOCKQUOTE>
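<P>As an added illustration (not part of the original column), the following Python models the kernel's route lookup for the two cases discussed above: a student machine with a /24 mask and no default route has no route to 131.107.2.x at all, while one carrying the class B mask from the sample routing table treats 131.107.2.x as on-link and ARPs for it directly, which is exactly the ARP that a proxy-ARP router, a bridge or a shared VLAN could be answering. The routing tables and the teacher address 131.107.2.1 are constructed samples modelled on the netstat output quoted above.</P>

```python
import ipaddress

# Constructed sample routing tables in the shape of the netstat -rn output
# quoted above (columns: Destination Gateway Genmask Iface); a gateway of
# 0.0.0.0 means the network is directly attached.
ROUTES_CLASS_B_MASK = """\
131.107.4.0 0.0.0.0 255.255.0.0 eth0
127.0.0.0 0.0.0.0 255.0.0.0 lo
"""
ROUTES_SLASH_24 = """\
131.107.4.0 0.0.0.0 255.255.255.0 eth0
127.0.0.0 0.0.0.0 255.0.0.0 lo
"""


def parse_routes(text):
    """Turn 'dest gateway genmask iface' lines into (network, gateway, iface)."""
    routes = []
    for line in text.splitlines():
        dest, gw, mask, iface = line.split()
        # strict=False lets a destination with host bits set (131.107.4.0 under
        # a 255.255.0.0 mask) collapse to its network, 131.107.0.0/16.
        net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
        gateway = None if gw == "0.0.0.0" else ipaddress.IPv4Address(gw)
        routes.append((net, gateway, iface))
    return routes


def next_hop(routes, dst):
    """Longest-prefix match, as the kernel does it.  Returns
    ('onlink', iface)       - the host ARPs for dst itself on iface
    ('gateway', iface, gw)  - the host ARPs for the gateway and sends via it
    ('unreachable',)        - no matching route: sendto() fails, nothing is sent
    """
    addr = ipaddress.IPv4Address(dst)
    best = None
    for net, gw, iface in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    if best is None:
        return ("unreachable",)
    net, gw, iface = best
    return ("onlink", iface) if gw is None else ("gateway", iface, str(gw))


if __name__ == "__main__":
    teacher = "131.107.2.1"  # constructed address on the teacher's /24
    for label, table in (("/24 mask", ROUTES_SLASH_24),
                         ("class B mask", ROUTES_CLASS_B_MASK)):
        print(label, "->", next_hop(parse_routes(table), teacher))
```

Running it prints "unreachable" for the /24 table and "onlink eth0" for the class B table; the second case is the one where a tcpdump on the segment would show the student host ARPing for the teacher's address and something else answering.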
<!-- sig -->
<!-- end 11 -->
<!--startcut ======================================================= -->
<P> <hr> <P>
<H5 align="center"><a href="http://www.linuxgazette.com/copying.html"
>Copyright &copy;</a> 2000, James T. Dennis
<BR>Published in <I>The Linux Gazette</I> Issue 52 April 2000</H5>
<H6 ALIGN="center">HTML transformation by
<A HREF="mailto:star@tuxtops.com">Heather Stern</a> of
Tuxtops, Inc.,
<A HREF="http://www.tuxtops.com/">http://www.tuxtops.com/</A>
</H6>
<P> <hr> <P>
</BODY></HTML>
<!--endcut ========================================================= -->