CPSC 441, Fall 2014
Lab 2: Basic Network Utilities
This lab introduces some basic network monitoring/analysis tools. There are a few exercises along the way. You should write up answers to the exercises and turn them in next Friday. (You should try out each tool, whether it is needed for an exercise or not!)
Some Basic Command-Line Utilities
Start with a few of the most basic command line tools. These commands are available on Unix, including Mac OS and Linux (and the first two, at least, are also for Windows). Some parameters or options might differ on different operating systems. Remember that you can use man <command> to get information about a command and its options.
- ping — The command ping <host> sends a series of packets and expects to receive a response to each packet. When a return packet is received, ping reports the round trip time (the time between sending the packet and receiving the response). Some routers and firewalls block ping requests, so you might get no response at all. Ping can be used to check whether a computer is up and running, to measure network delay time, and to check for dropped packets indicating network congestion. Note that <host> can be either a domain name or an IP address. By default, ping will send a packet every second indefinitely; stop it with Control-C.
- nslookup — The command nslookup <host> will do a DNS query to find and report the IP address (or addresses) for a domain name or the domain name corresponding to an IP address. To do this, it contacts a "DNS server." Default DNS servers are part of a computer's network configuration. (For a static IP address in Linux, they are configured in the file /etc/network/interfaces that you encountered in the last lab.) You can specify a different DNS server to be used by nslookup by adding the server name or IP address to the command: nslookup <host> <server>
- ifconfig — You used ifconfig in the previous lab. When used with no parameters, ifconfig reports some information about the computer's network interfaces. This usually includes lo, the loopback interface (localhost), which can be used for communication between programs running on the same computer. Linux often has an interface named eth0, which is the first ethernet card. The information is different on Mac OS and Linux, but includes the IP or "inet" address and ethernet or "hardware" address for an ethernet card. On Linux, you get the number of packets received (RX) and sent (TX), as well as the number of bytes transmitted and received. (A better place to monitor network bytes on our Linux computers is in the GUI program System Monitor, in the "Resources" tab.)
- netstat — The netstat command gives information about network connections. I often use netstat -t -n which lists currently open TCP connections (that's the "-t" option) by IP address rather than domain name (that's the "-n" option). Add the option "-l" (lower case ell) to list listening sockets, that is, sockets that have been opened by server programs to wait for connection requests from clients: netstat -t -n -l. (On Mac, use netstat -p tcp to list tcp connections, and add "-a" to include listening sockets in the list.)
- telnet — Telnet is an old program for remote login. It's not used so much for that any more, since it has no security features. But basically, all it does is open a connection to a server and allow server and client to send lines of plain text to each other. It can be used to check that it's possible to connect to a server and, if the server communicates in plain text, even to interact with the server by hand. Since the Web uses a plain text protocol, you can use telnet to connect to a web server and play the part of the web browser. I will suggest that you do this with your own web server when you write it, but you might want to try it now. When you use telnet in this way, you need to specify both the host and the port number to which you want to connect: telnet <host> <port>. For example, to connect to the web server on math.hws.edu: telnet math.hws.edu 80
Exercise 1: Experiment with ping to find the round trip times to a variety of destinations. Write up any interesting observations, including in particular how the round trip time compares to the physical distance. Here are a few places from which I was able to get replies: math.hws.edu, www.hws.edu, www.cornell.edu, berkeley.edu, www.uchicago.edu, www.ox.ac.uk (England), www.u-tokyo.ac.jp (Japan).
Traceroute is discussed in the textbook (pages 42–43). The command traceroute <host> will show routers encountered by packets on their way from your computer to the specified <host>. For each n = 1, 2, 3, ..., traceroute sends a packet with "time-to-live" (ttl) equal to n. Every time a router forwards a packet, it decreases the ttl of the packet by one. If the ttl drops to zero, the router discards the packet and sends an error message back to the sender of the packet. (Again, as with ping, the packets might be blocked or might not even be sent, so that the error messages will never be received.) The sender gets the identity of the router from the source of the error message. Traceroute will send packets until n reaches some set upper bound or until a packet actually gets through to the destination. It actually does this three times for each n. In this way, it identifies routers that are one step, two steps, three steps, ... away from the source computer. A packet for which no response is received is indicated in the output as a *.
Traceroute is installed on the computers in Lansing 310. It was not installed in your virtual server last week, but you can install it with the command sudo apt-get install traceroute
Exercise 2: (Very short.) Use traceroute to trace the route from your cslab computer to math.hws.edu and to www.hws.edu. Explain the difference in the results.
Exercise 3: Two packets sent from the same source to the same destination do not necessarily follow the same path through the net. Experiment with some destinations that are fairly far away. Can you find cases where packets sent to the same destination follow different paths? How likely does it seem to be? What about when the packets are sent at very different times? Save some of the outputs from traceroute. (You can copy them from the Terminal window by highlighting and right-clicking, then paste into a text editor.) Come back sometime next week, try the same destinations again, and compare the results with the results from today. Report your observations.
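One way to do the comparison in Exercise 3 once you have saved the outputs, as an added shell example that is not part of this handout: it pulls the router address for each hop out of Linux-style traceroute output and diffs two runs. The two traceroute listings it reads are constructed inside the script (documentation addresses), not real traces.

```shell
# Added example (not part of the lab handout): extract the per-hop router
# addresses from saved traceroute output so two runs can be compared.
# IPv4 only; the two sample runs below are constructed, not real traces.

# trace_hops [file]: print "hop addr [addr ...]" per hop, or "hop *" when no
# probe for that TTL was answered. Several addresses on one hop means
# different probes were answered by different routers (load balancing).
trace_hops() {
  awk '
    /^traceroute to/ { next }                  # skip the header line
    {
      out = $1; n = 0
      for (i = 2; i <= NF; i++) {
        a = $i; gsub(/[()]/, "", a)            # "(198.51.100.1)" -> "198.51.100.1"
        if (a ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && !seen[NR, a]++) {
          out = out " " a; n++
        }
      }
      if (n == 0) out = out " *"
      print out
    }' "$@"
}

# trace_compare file1 file2: exit 0 if the hop lists match, else diff them and exit 1.
trace_compare() {
  t1=$(mktemp) && t2=$(mktemp) || return 2
  trace_hops "$1" > "$t1"; trace_hops "$2" > "$t2"
  if diff "$t1" "$t2"; then rc=0; else rc=1; fi
  rm -f "$t1" "$t2"; return $rc
}

# Constructed outputs of "traceroute www.example.edu" on two different days.
DIR=$(mktemp -d)
cat > "$DIR/run1.txt" <<'EOF'
traceroute to www.example.edu (192.0.2.10), 30 hops max, 60 byte packets
 1  gateway (198.51.100.1)  0.412 ms  0.380 ms  0.365 ms
 2  * * *
 3  r3a.example.net (203.0.113.7)  12.5 ms  r3b.example.net (203.0.113.8)  12.3 ms  12.1 ms
 4  www.example.edu (192.0.2.10)  14.0 ms  13.9 ms  13.8 ms
EOF
cat > "$DIR/run2.txt" <<'EOF'
traceroute to www.example.edu (192.0.2.10), 30 hops max, 60 byte packets
 1  gateway (198.51.100.1)  0.401 ms  0.377 ms  0.360 ms
 2  203.0.113.1 (203.0.113.1)  9.8 ms  9.7 ms  9.6 ms
 3  r3a.example.net (203.0.113.7)  12.4 ms  12.3 ms  12.2 ms
 4  www.example.edu (192.0.2.10)  14.1 ms  13.9 ms  13.8 ms
EOF

trace_hops "$DIR/run1.txt"                      # hop 3 lists two routers
trace_compare "$DIR/run1.txt" "$DIR/run2.txt" || echo "path changed between runs"
```

Replace the constructed files with two saved runs of your own (today's and next week's) to see which hops changed.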
The whois command can give detailed information about domain names and IP addresses. It is installed on the computers in Lansing. Whois can tell you what organization owns or is responsible for the name or address and where to contact them. It often includes a list of domain name servers for the organization.
When using whois to look up a domain name, use the simple two-part network name, not an individual computer name (for example, whois hws.edu not whois math.hws.edu).
Exercise 4: (Short.) Use whois to investigate a well-known web site such as google.com or amazon.com, and write a couple of sentences about what you find out.
Exercise 5: (Should be short.) Because of NAT, the domain name math.hws.edu has a different IP address outside of HWS than it does on campus. Using information in this lab and working on a cslab computer, find the outside IP address for math.hws.edu. Explain how you did it.
A geolocation service tries to tell, approximately, where a given IP address is located physically. Such services can't be completely accurate, but they probably get at least the country right most of the time.
I have not installed a geolocation program on our computers, but you can access one on the command line using the curl command, which can send HTTP requests and display the response. The following command uses curl to contact a public web service that will look up an IP address for you: curl ipinfo.io/<IP-address> (I got this from http://www.maketecheasier.com/ip-address-geolocation-lookups-linux/.) For a specific example:
(As you can see, you get back more than just the location.)
Exercise 6: Find a few IP addresses that are connected to the web server on math.hws.edu right now, and determine where those IP addresses are located. (I'm expecting that there will be several; if not, try again in a few minutes or sometime later.) Find one that is far from Geneva, NY. Explain how you did it.
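A helper for the lookup in Exercise 6, added here as an example rather than taken from the lab: it reads netstat -t -n output, picks out the remote addresses with an established connection to local port 80, and hands each one to the curl ipinfo.io request shown above. It assumes you can run netstat on the machine where the web server is running; the netstat listing it parses here is constructed.

```shell
# Added example (not from the lab handout): list the remote addresses that
# hold an ESTABLISHED TCP connection to the local web server (port 80) in
# "netstat -t -n" output, then geolocate each with the ipinfo.io lookup from
# the lab text. The netstat listing at the bottom is constructed.

# web_clients [file]: print "count address" for each remote host with an
# ESTABLISHED connection to local port 80, busiest first. Reads a saved
# listing or stdin; accepts Linux "addr:port" and Mac OS "addr.port" columns.
web_clients() {
  awk '
    $1 ~ /^tcp/ && $4 ~ /[:.]80$/ && $6 == "ESTABLISHED" {
      host = $5
      sub(/[:.][0-9]+$/, "", host)             # drop the remote port number
      count[host]++
    }
    END { for (h in count) print count[h], h }' "$@" | sort -rn
}

# geolocate address: query the public ipinfo.io service named in the lab.
# Needs network access, so the constructed demo below does not call it.
geolocate() {
  curl -s -m 10 "ipinfo.io/$1"
  echo
}

# Constructed "netstat -t -n" listing (private and documentation addresses).
NETSTAT_SAMPLE='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             203.0.113.45:51234      ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.45:51240      ESTABLISHED
tcp        0      0 10.0.0.5:22             198.51.100.9:40000      ESTABLISHED
tcp        0      0 10.0.0.5:80             192.0.2.77:60123        TIME_WAIT
tcp        0      0 10.0.0.5:8080           192.0.2.90:41000        ESTABLISHED
tcp        0      0 10.0.0.5:80             192.0.2.201:33000       ESTABLISHED'

printf '%s\n' "$NETSTAT_SAMPLE" | web_clients
# -> 2 203.0.113.45
#    1 192.0.2.201
# On the server itself: netstat -t -n | web_clients | while read -r n ip; do geolocate "$ip"; done
```

Connections in TIME_WAIT and to ports other than 80 (the ssh session and the port 8080 line in the sample) are deliberately left out, which is why only two addresses are reported.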
On the Web
A lot of network information can be accessed on web sites that provide various network tools for free. Here's one site that has links for DNS lookup, whois, and geolocation: http://www.topwebhosts.org/. You can find more by googling.
I will also mention that many web browsers—including Chrome, Firefox, and Safari—can show you a lot of information about their network activity. For example, you can see exactly what files have been retrieved as part of a page, and you can see the HTTP request and response headers for each file. I hope to demonstrate this in class.