Tools. Caution. What tcpdump can do for you? What Tcpdump can do for you. Network Analyzer



Similar documents
INDEX. KretchmarBook 2003/9/5 10:27 page 231 #243

Network Monitoring On Large Networks. Yao Chuan Han (TWCERT/CC)

Emerald. Network Collector Version 4.0. Emerald Management Suite IEA Software, Inc.

An overview of traffic analysis using NetFlow

Introduction to Analyzer and the ARP protocol

Network Monitoring and Traffic Analysis

Network Monitoring and Management NetFlow Overview

Introduction to Netflow

PANDORA FMS NETWORK DEVICE MONITORING

PANDORA FMS NETWORK DEVICES MONITORING

Introduction to Network Security Lab 1 - Wireshark

Linux MDS Firewall Supplement

WhatsUp Gold v11 Features Overview

Introduction to Cisco IOS Flexible NetFlow

Guide to Network Defense and Countermeasures Third Edition. Chapter 2 TCP/IP

Lab VI Capturing and monitoring the network traffic

KretchmarBook 2003/8/29 19:05 page 39 #51

nfdump and NfSen 18 th Annual FIRST Conference June 25-30, 2006 Baltimore Peter Haag 2006 SWITCH

Unix System Administration

Network Security. Network Packet Analysis

TEIN2 Measurement and Monitoring Workshop Netflow.

Transport and Network Layer

Course Overview: Learn the essential skills needed to set up, configure, support, and troubleshoot your TCP/IP-based network.

Network Management & Monitoring

Introduction to Passive Network Traffic Monitoring

Packet Sniffer Detection with AntiSniff

Integrated Traffic Monitoring

NetFlow Tracker Overview. Mike McGrath x ccie CTO mike@crannog-software.com

Configuring NetFlow. Information About NetFlow. Send document comments to CHAPTER

NetFlow/IPFIX Various Thoughts

NetStream (Integrated) Technology White Paper HUAWEI TECHNOLOGIES CO., LTD. Issue 01. Date

Firewall Testing. Cameron Kerr Telecommunications Programme University of Otago. May 16, 2005

NetFlow Aggregation. Feature Overview. Aggregation Cache Schemes

Internet Firewall CSIS Packet Filtering. Internet Firewall. Examples. Spring 2011 CSIS net15 1. Routers can implement packet filtering

co Characterizing and Tracing Packet Floods Using Cisco R

Tue Apr 19 11:03:19 PDT 2005 by Andrew Gristina thanks to Luca Deri and the ntop team

A host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection.

Flow Analysis Versus Packet Analysis. What Should You Choose?

Network forensics 101 Network monitoring with Netflow, nfsen + nfdump

Network Security: Workshop

Introduction to Network Monitoring and Management

Configuring SNMP and using the NetFlow MIB to Monitor NetFlow Data

HTGR- Netflow. or, how to know what your network really did without going broke

Communications and Networking

A Research Study on Packet Sniffing Tool TCPDUMP

Features Overview Guide About new features in WhatsUp Gold v14

Integrated Traffic Monitoring

NSC E

The Cisco IOS Firewall feature set is supported on the following platforms: Cisco 2600 series Cisco 3600 series

Chapter 28 Denial of Service (DoS) Attack Prevention

WhatsUp Gold v11 Features Overview

Firewall Firewall August, 2003

Firewalls. Ahmad Almulhem March 10, 2012

There are numerous ways to access monitors:

Configuring Health Monitoring

Modern snoop lab lite version

Netflow Overview. PacNOG 6 Nadi, Fiji

Practical Network Forensics

WHITE PAPER September CA Nimsoft For Network Monitoring

Technical Support Information Belkin internal use only

Make a folder named Lab3. We will be using Unix redirection commands to create several output files in that folder.

Application Monitoring using SNMPc 7.0

CSE331: Introduction to Networks and Security. Lecture 12 Fall 2006

architecture: what the pieces are and how they fit together names and addresses: what's your name and number?

Network Monitoring. By: Delbert Thompson Network & Network Security Supervisor Basin Electric Power Cooperative

Cisco IOS Flexible NetFlow Command Reference

1 Data information is sent onto the network cable using which of the following? A Communication protocol B Data packet

Scrutinizer. Getting Started Guide. A message from Plixer International:

Using IPM to Measure Network Performance

Catalyst 6500/6000 Switches NetFlow Configuration and Troubleshooting

Host Discovery with nmap

EXPLORER. TFT Filter CONFIGURATION

First Workshop on Open Source and Internet Technology for Scientific Environment: with case studies from Environmental Monitoring

Guide to DDoS Attacks December 2014 Authored by: Lee Myers, SOC Analyst

Linux MPS Firewall Supplement

Network Monitoring with SNMP

HP Intelligent Management Center v7.1 Network Traffic Analyzer Administrator Guide

Network Traffic Analysis

Configuring Logging. Information About Logging CHAPTER

EKT 332/4 COMPUTER NETWORK

Exercise 7 Network Forensics

Monitoring Cisco IOS Firewall Inspection Activity with Multi- Router Traffic Grapher (MRTG)

6.0. Getting Started Guide

A message from Plixer International:

P and FTP Proxy caching Using a Cisco Cache Engine 550 an

Firewalls. Test your Firewall knowledge. Test your Firewall knowledge (cont) (March 4, 2015)

CS5008: Internet Computing

NMS300 Network Management System

Cisco IOS Flexible NetFlow Technology

Customer Tips. Network Packet Analyzer Tips. for the user. Purpose. Introduction to Packet Capture. Xerox Multifunction Devices.

Hands-on Network Traffic Analysis Cyber Defense Boot Camp

Lab Diagramming External Traffic Flows

Configuring Flexible NetFlow

Network Management & Monitoring Overview

Research on Errors of Utilized Bandwidth Measured by NetFlow

Lab Exercise SSL/TLS. Objective. Requirements. Step 1: Capture a Trace

Network Monitoring and Management Introduction to Networking Monitoring and Management

SolarWinds Certified Professional. Exam Preparation Guide

Overview. Securing TCP/IP. Introduction to TCP/IP (cont d) Introduction to TCP/IP

Transcription:

Network Analyzer Network troubleshooting Monitoring bandwidth usage Defend against the security threats Programming troubleshooting Learn/Examine Network protocol Tools Tcpdump WireShark Snoop nmap Snort Eavesdrop SpyNet CommView Ettercap http://ettercap.sourceforge.net Introduction 1-1 Introduction 1-2 TCPDUMP Refer to book Open Source Network Administration Online sample chapter: http://www.phptr.com/articles/article.asp?p=170902&seqnum=4 Some tools are not based directly on the data being transmitted on a network, but information related to that data. For example, network bandwidth values System logs on network equipment Sometimes needs to examine the packets themselves. Diagnose some particularly tricky network problems Widely used open source tool for directly analyzing packets: tcpdump http://www.tcpdump.org/ Introduction 1-3 Caution Before you use tcpdump or other analyzer: Will be able to see some private data Consult/research Legal implication first Respect the privacy of other users Introduction 1-4 What Tcpdump can do for you View the entire data portion of an Ethernet frame or other link layer protocol An IP packet An ARP packet Or any protocol at a higher layer than Ethernet. Very useful Tcpdump is to a network administrator like a microscope to a biologist. Give a very clear picture of a specific part of your network Can be used when the problem is simply that something is not working properly. What tcpdump can do for you? Case1 : Web browser can not load pages from a server it hangs. Problem with client? Server? Or between? Run tcpdump while loading Watch every stage to see the following DNS query HTTP request to server Server respond Case 2: help debug denial of service attacks. Tcp show the source address, destination address, type of traffic, etc. Check the packet contents to learn more about the nature of the attack. Introduction 1-5 Introduction 1-6 1

Limitations of Tcpdump Installing Tcpdump Limited by network hardware For example Ethernet card will discard packets with an invalid checksum. Tcpdump is not helpful for detecting this kind of broken packet on your network need specialized hardware. Tcpdump is showing you only what the data is, not what it ought to be -- has no ability to report IP address is forged in the packet Already installed? /usr/sbin/tcpdump /usr/local/bin/tcpdump Download software from http://www.tcpdump.org/ Download source code from ftp://ftp.ee.lbl.gove/tcpdump.tar.z Introduction 1-7 Introduction 1-8 Running as root Enable promiscuous mode How? Capture packets that are not addressed to the interface itself Possible degraded performance Command line options -n : By default tcpdump performs DNS query to lookup hostname associated with an IP address and uses the hostname in the output. Look nicer, cause performance problem. Use n to disable it. Introduction 1-9 More command line options -s snaplen Capture the first 68 bytes by default, enough to grab the header, not the entire packet. See more data by setting snaplen to be long. For ethernet, how long we can set snaplen? -x Print the packet contents in hexadecimal notation. -v and vv Print more info about protocols -q Print less info -i interface Which one to listen on Introduction 1-10 More command line options Filters -e Include Ethernet header -l Force tcpdump output to be line buffered. #tcpdump l tee tcpdump.out -w file and r Store the data in binary format and then play back as it were being read from the wire using r Following the command line options is the expression to dictate exactly which packets should be captured and which should be ignored. Primitive src, dst # tcpdump src client.example.com and dst server.example.com Only those packet from src and to dst host # tcpdump host client.example.com Can be combined with and, or and not with parentheses. # tcpdump host client and not (port telnet or port domain) Introduction 1-11 Introduction 1-12 2

Some Primitives Primitive Function src addr Source IP address matches addr dst addr Destination IP address matches addr host addr Source or destination IP address matches addr ether <src/dst/host> addr Ethernet address matches addr [src/dst] net net IP address is on network net net net Source or destination IP addr is on network net net net mask mask As above but network range defined by mask [src/dst] port port Port is port less octets Packet size is less then or equal to octets greater octets Packet size is greater than or equal to octets icmp Packet is an ICMP packet tcp Packet is an TCP packet udp Packet is an udp packet ip Packet is an IP packet arp Packet is an ARP packet broadcast Packet is addresses to a broadcast Introduction address 1-13 Examples Use option and primitive, put together a number of useful tcpdump command line. Display quick info on all traffic to/from a host #tcpdump q host broken.example.com View entire packet for all bootp traffic # tcpdump xs 1500 port bootps or port bootpc To gather ssh connections and leave tcpdump running for a long time to client.example.com # tcpdump nxs 1500 w tcpdump.data port 22 and host client Introduction 1-14 Understanding the output Viewing Packet Data See manpage UDP Time source > destination: udp datalen TCP Time source > dest flag sequence [ack ack] win window [urgent] [options] Introduction 1-15 -x print out entire packets in hexadecimal. Use an additional program to print character representations of each byte. #!/usr/bin/perl # This code is hereby placed in the public domain by its author, # Marc Horowitz. If you use it, it would be polite if you left # my name on it, but there's no requirement. $ = 1; while(<>) { if (/^\s/) { ($nospc = $_) =~ s/\s+//g; ($spc = $nospc) =~ s/(...)/$1 /g; ($bin = pack("h*",$nospc)) =~ tr/\000-\037\177-\377/./; printf("%16s%-45s%s\n","",$spc,$bin); } else { print; } } Introduction 1-16 Linux# tcpdump -xls 1500./tcpdump-data-filter.pl tcpdump: listening on eth0 20:11:35.686269 host.example.com.53454 > c.gtld-servers.net.dom... 4500 003d 9f2a 4000 ff11 add6 0a12 0064 E..=.*@...d c01a 5c1e d0ce 0035 0029 3674 8930 0000..\...5.)6t.0.. 0001 0000 0000 0000 0364 6e73 0765 7861...dns.exa 6d70 6c65 0363 6f6d 0000 0100 01 mple.com... 20:11:35.740531 host.example.com.34243 > web.example.com.80: P... 4500 03f4 a6f9 4000 4006 5641 0a12 0064 E...@.@.VA...d 0a07 154d 85c3 0050 f0b0 2504 41bc a72f...m...p..%.a../ 5018 60f4 3db0 0000 4745 5420 2f20 4854 P.'.=...GET / HT 5450 2f31 2e30 0d0a 486f 7374 3a20 7765 TP/1.0..Host: we... Seeing It All Before modern network switch, is was easy to view all of the traffic on an Ethernet network. On a switched network, what? which means tcpdump will be able to view only: Traffic destined to your host Traffic originated from you host Broadcast traffic Small random amounts of traffic for other hosts. Introduction 1-17 Introduction 1-18 3

Possible ways Possible ways Connect the host in question and your monitoring host to a true repeater. Configure network hardware to forward the packets you are interested in to a port you can monitor them from. Not all hardware support. Cisco switch is capable of doing so. Introduction 1-19 Introduction 1-20 Debugging with Tcpdump Packet flooding Linux# tcpdump -n 17:36:16.265220 10.255.255.27.1221 > 10.18.0.100.9995: udp 1168 (DF) 17:36:16.269171 10.255.255.27.1221 > 10.18.0.100.9995: udp 1168 (DF) 17:36:16.273130 10.255.255.23.1221 > 10.18.0.100.9995: udp 1168 (DF) 17:36:16.285228 10.255.255.27.1221 > 10.18.0.100.9995: udp 1168 (DF) 17:36:16.302173 10.255.255.27.1221 > 10.18.0.100.9995: udp 1168 (DF) 17:36:16.319372 10.255.255.27.1221 > 10.18.0.100.9995: udp 1168 (DF) 17:36:16.334600 10.7.15.65.7000 > 10.18.1.140.7001: rx ack (66) (DF) 17:36:16.334975 10.7.15.65.7000 > 10.18.1.140.7001: rx data (36) (DF) 17:36:16.336606 10.255.255.27.1221 > 10.18.0.100.9995: udp 1168 (DF) 17:36:16.336623 10.7.1.70.7000 > 10.18.1.140.7001: rx ack (66) (DF) 17:36:16.336939 10.7.1.70.7000 > 10.18.1.140.7001: rx data (36) (DF) 17:36:16.352253 10.255.255.27.1221 > 10.18.0.100.9995: udp 1168 (DF) 17:36:16.356199 10.255.255.27.1221 > 10.18.0.100.9995: udp 1168 (DF) 17:36:16.396921 10.255.255.27.1221 > 10.18.0.100.9995: udp 1168 (DF) Debugging with Tcpdump Webbrowser hangs Step 1. Start tcpdump to monitor port 80 #tcpdump host client.example.com and port 80 No traffic, so web server is not a problem Step 2. Start tcpdump for all #tcpdump host client.example.com Only DNS request, no response. Linux# tcpdump -xls 1500 host client./tcpdump-data-filter.pl 18:14:12.842409 brokenclient.example.com.55313 > dns.example.co... 4500 0048 058b 4000 ff11 9d80 0a12 0064 E..H..@...d 0a05 061e d811 0035 0034 8a44 e4ca 0010...5.4.D... 0001 0000 0000 0001 0377 7777 0765 7861...www.exa 6d70 6c65 0363 6f6d 0000 0f00 0100 0029 mple.com...) 0800 0000 8000 0000 Introduction 1-21 Introduction 1-22 Graphs Amount of traffic sent INTO from an interface Spike One of Network Administrator s important tasks: Monitor bandwidth, network usage Current status Trends Pictures http://www.switch.ch/network/operation/statis tics/geant2.html Amount of traffic sent OUT from an interface Introduction 1-23 Introduction 1-24 4

MRTG How MRTG works MRTG stands for Multi Router Traffic Grapher Produce web pages that display graphs of bandwidth use on network links on daily, weekly, monthly and yearly scales. Rely on SNMP MRTG is based on Perl and C and works under UNIX and Windows NT. Free software released under GNU General Public License. Send SNMP requests regularly Like every 5 minutes Store the response in a specialized data format Summarize the data and create PNG files (Portable Network Graphics) The PNG files Can be included in the web page/other applications Create html files Introduction 1-25 Introduction 1-26 What MRTG can help you Do What MRTG can Help you do View the normal traffic pattern studying the trend Plan capacity needs for future Quickly determine abnormal traffic load Use graphs of history Sudden change might count for an operational problem? A denial-of-service attack MRTG is most often used to collect data from router interfaces Can Also collect traffic data from switches or servers It can be configured to collect any statistical data that a device makes available via SNMP. Introduction 1-27 Introduction 1-28 Installing MRTG Configuring MRTG Available at http://www.mrtg.org It requires: Perl 5.005 or greater The GD library The PNG library The zlib library MRTG comes with its own SNMP implementation. Follow the doc to http://oss.oetiker.ch/mrtg/doc/mrtg-unixguide.en.html Configuration File Read only by the user who is running the process Should not be public readable Include the community names for your devices Specify where to put data Under a Web Server Publicly readable Introduction 1-29 Introduction 1-30 5

Configuring MRTG Use utility cfgmaker with lots of options to create the configuration file Global options Snmp options Monitored device and community name Use IP as directory name in data area. Example: Creates a config file for router.place.xyz: the router has the community name public. Interfaces get identified by their IP number. The config file gets redirected to mrtg.conf. # cfgmaker --global "WorkDir: /var/www/htdocs/mrtg" \ --global "Options[_]: growright,bits" \ --ifref=ip \ public@router.place.xyz > mrtg.cfg Generating Data Generating initial data Run mrtg command with the configuration file on the command line View view the data http:/ /mrtg Setting up regular data gathering Crontab to run mrtg utility (recommended) Run mrtg as a daemon with options Require change to the configuration file to ass RunAsDaemon Yes Use indexmaker program to organize the PNG file and HTML file Introduction 1-31 Introduction 1-32 More about MRTG Do not trust it blindly. Does data make sense? Bugs? Counter overflow problem? Missing data? Could not retrieve or store data for a short period time Data value will be flat because it uses the data from previous interval Maintaining MRTG Requires some maintenance Every time moving a network or router interface, make sure the change is reflected in the MRTG configuration NETFLOW NETFLOW Available on some routers, such as Cisco, Juniper. Collecting data source and destination IP addresses Source and destination protocol port numbers Number of packets transmitted Number of bytes transmitted, View the data on the router Forward the data to another host Introduction 1-33 Introduction 1-34 What NetFlow can help you do Image your network is hit by a denial of service attack. You noticed degraded network connectivity MRTG show dramatic rise in traffic levels Interface counter on router indicate a very high rate of traffic Turning on NetFlow on the router Examine the traffic in realtime Notice a large number of connections from a single host, all the sequentially increasing IP addresses inside your network scanning? Block the traffic at the border router? How NetFlow works Based on the idea of a flow of network traffic. Flow is one full network conversation from the start to the end. Every flow has a unique set of properties: Source IP address Destination IP address Source port Destination port IP protocol number Type of service field Input Interface For example, one tcp connection to a web page is a flow Scanning destination IP addresses will generate many flows. Introduction 1-35 Introduction 1-36 6

NetFlow Flow is unidirectional. Routers report flows for traffic that enters an interface, not traffic that leaves an interface How to determine what constitutes one sessions worth of traffic and when a particular flow ends? For TCP is relatively easy. The session begins with a TCP SYN, and ends with a TCP FIN. For UDP, ICMP, etc, it is more difficult. The router must use heuristics to decide when the flow is complete. Introduction 1-37 NetFlow Router has limited memory for holding data It removes flows from cache occasionally Router will expire flow if The end of a tcp connection is found No traffic has been present in the flow for 15 seconds The flow has been running for over 30 minutes The table of flows in the router is filled. One real flow could become multiple flows due to router expiration policy. Introduction 1-38 Exporting NetFlow Data Routers can export NetFlow data To a server, called flow collector, then to be processed by administrator As UDP packets to an IP address Data may be lost Only one IP address. Flow collector has to forward to other flow collector if you wish. Router address is not in the packets after forwarded again unless some other mechanism is used NetFlow Versions Version 1, each flow contains: Source and destination IP address Source and destination port address Next hop router address Input and output interface number Number of packets and bytes sent sysuptime when flow began and ended IP protocol number and type of service Logical OR of all TCP flags seen. Introduction 1-39 Introduction 1-40 NetFlow Version 5 Include AS numbers Sequence numbers, which allows checking for lost packets. Version 7 On Cisco Catalyst 5000, require a special NetFlow Feature Card to perform NetFlow accounting Version 8 Router-based NetFlow aggregation Reduce the data send to collectors Version 9 Template-based scheme for reporting flows Introduction 1-41 Installing Flow-tools OSU Flow-tools is available form http://www.net.ohio-state.edu/software Download Extract Build Install Configuring NetFlow on the router Enable NetFlow on some interfaces Configure router to export flows Introduction 1-42 7

Using Flow-tools Using Flow-tools Capturing Flows Flow-capture: receive and store Flow-receive: receive and send to standard output. Source/destination and port number can be used as criteria to receive the NetFlow info. For example #flow-receive 0/0/9995 flow-print 0/0/9995 has the format of localip/remoteip/port Note: this is related to communication of sending and collecting flows, not the addresses contained within the flows. Introduction 1-43 Flow-capture By default: Create a new file every 15 minutes Create a nested directory structures so that each year, month and day of files has a separate directory Never remote files Compress files Default settings can be changed from command line Set up a maximum size that data files may be use in total Change the directory hierarchical structure File rotation rate Compression rate Remote client Introduction 1-44 Using Flow-tools Using Flow-tools Viewing the flow data Flow-print ASCII Predefined reporting format available Flow-report Perform some statistical analysis Produce the data in a way to be able to feed other tool Require a configuration file Flow-stat Does not require a configuration file, has predefined formats Similar to flow-report Flow-dscan Attempts to detect unusual network traffic like port scanning and host scanning. Introduction 1-45 Manipulating Flow Data Flow-cat and flow-merge Flow-split Flow-expire Flow-header Flow-fanout Introduction 1-46 Other Netflow tools Service Monitoring Netflow Commercial software packages http://www.cisco.com/en/us/prod/iosswrel/ps6537/ps 6555/ps6601/networking_solutions_products_genericco ntent0900aecd805ff728.html Video time Scrutinizer http://www.youtube.com/watch?v=yzl_dowmg60 http://www.youtube.com/watch?v=kry6rpatjry&nr=1 http://www.youtube.com/watch?v=jjntjmfcdtm&featu re=related Network administrators has to deal with something that spontaneously stops working. Network link fails Web server refuses connections Switch stop passing traffic Network administrators need to be notified of failures when they occur. How? Introduction 1-47 Introduction 1-48 8

Service Monitoring Monitoring or polling software Send out probes at regular intervals to test Network connectivity Ping switch, router, hosts Service functionality Attempt to retrieve web page Make snmp request Perform other service level testing Has to be intelligent to report the root problem. For example Polling server switch A switch B - many many hosts If switch B fails, should Network Administrator receive message regarding each hosts connected to switch B? Should not degrade performance too much polling intervals Introduction 1-49 Service Monitoring What Service Monitoring Can Help you do? Give you early warning of failures Proactive management, not fire fighting Fix a problem before it becomes an even larger problem For example,» If the redundancy part failed without being noticed, what will happen when the primary part fails? Help you determine where is your network a problem resides. Depends on user report and waits for user to complain is too late sometime. It is always in your best interest to know about problems before either your customers or your superiors do. Introduction 1-50 Open source software Available at http://www.sysmon.org Simple program, easy to configure and get running Does not have many advanced features Works for a small to medium-sized network Nagios Available at http://www.nagios.org/ Is a better tool for large networks Complicated program Includes advanced functionalities. Installing Where to place the server? Use a stable server In a stable place, near the network core you don t put sysmon on a-tend-to-fail place. How to install Download, unpack and build the software Using Create a configuration file Control daemon Introduction 1-51 Introduction 1-52 Configuring Configuration is made up a list of objects to be monitored. IP address of the device to be tested The kind of test that should be performed Any objects the device depends on For example: Object router1 { ip 192.0.2.5 ; type ping; desc Router1 ; dep server contact admin@example.com }; Introduction 1-53 Setting the IP address Really contain either hostname or IP If ipaddress, then sysmon is not depend on DNS If many pieces to be monitored, using host name is easier Setting the Test Type Ping standard ping test Pop3 working POP3 server username,passwprd Tcp generic listening TCP port port Udp generic listening UDP port port Radius working Radius server username,password,secret nntp listening news server Smtp listening mail server Imap listening IMAP server X500 listening x500 directory server www listening web server url, urltext Introduction 1-54 9

Example Obejct web-server { ip www.example.com; type www; desc Main Web Server ; dep Router1 ; url http://www.example.com/; urltext <TITLE> ; contact admin@example.com; } Specifying Dependencies Object server1 { ip server1.example.com type ping; desc Server 1 ; dep Router1-servernet ; dep Router2-servernet ; contact admin@example.com; }; Introduction 1-55 Introduction 1-56 Using the spawn options Email is not always the best way to notify an administrator of a critical problem. Email is not guaranteed to be a timely service What if mail system itself is unavailable? Send a direct message to a page or cell phone is better. does not have its own support for sending pages Use spawn allows to hook a program to execute with arguments. User the replacement variables to create as detailed as you would like:» %m local host name» %s service» %p port number (numeric)» %T current Time hh:mm:ss Introduction 1-57 Global options The status file daemon periodically writes a file with the status of services that is is monitoring. Configurable parameters: File type: html or text» Change the color scheme for html format Write time interval View both up and down services Configure the header of mail to include From subject Introduction 1-58 More global options Test queuing options control how processes service tests and notifications. How many tests a service must fail before a notification message is sent. Numfailures How long it waits to start another test after the previous one finishes. Queuetime How many test can run simultaneously Maxqueued How frequently should repeated messages been sent pageinterval Using variables If some value, like email address, is used many times, define a variable for it and reference it using $var Using Includes Break the configuration down info smaller files One for web servers One for ping tests Maintaining Keep configuration accurate toughest Otherwise, it became useless for new changes or cried wolf for old failures Introduction 1-59 Introduction 1-60 10

Nagios Open source : http://www.nagios.org Major advantages Escalation Email when failed first time Page if happened again Configuration templates Only configure the difference Monitoring time periods During work hour Scheduled down time do you want to be paged in the middle of night when somebody else is upgrading a piece of equipment? Modular test plugins Each plugin is simply an external program that test a service It is easy to write your own tests to complement the suite of tests Introduction 1-61 Nagios Passive tests Some information can not be sent to the monitoring server by means of the server requesting of the data SNMP traps Host and contact groups Easier to change configuration for a large, similar set of devices all at once. Flap detection Test repeated fails and succeeds flapping Automatically disable notification until the flapping has stopped. Optional dependencies Introduction 1-62 Nagios Downside Much more complicated program than Take a significant amount of time to install and configure can be setup in an afternoon Nagios may take several days or longer Quick start guide: http://nagios.sourceforge.net/docs/3_0/quicks tart-fedora.html Summary Package Analyzer TCPDUMP Wireshark Bandwidth Grapher MRTG Router Traffic monitoring NETFLOW Service Monitoring SYSMON Nagios Introduction 1-63 Introduction 1-64 11

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information