Thursday 26 May 2011

How to check TCP port reachability?

Since we already know how to permit/deny the traffic we are interested in based on port numbers using extended ACLs, I will get into the topic straight away.

Remote host reachability can be tested with ICMP echo request/reply (ping).

But how can we do a port-based reachability test?

We can use the extended telnet command (telnet with a port argument) to check port-based reachability of a remote host as well as of the local host.

You may be wondering why we need to check the local host.

All network applications work on TCP/UDP ports. That is, server-client and server-server communications basically happen over TCP/UDP ports.

So the ports the application requires on the remote host must be reachable from the local host. Since a secured network has a lot of hardware/software firewalls in the path, we need to open the specific ports the application needs.

Remote-host port reachability can be verified with the following extended telnet command.

telnet <remote-host interface IP> <port-number>

e.g., telnet 192.168.1.2 443

To rule out the remote host, port blocking by local antivirus software can be detected by the following method.

Some applications need two-way communication, so the port should be reachable from the remote host to the local host as well.

Local-host port reachability can be verified with the following extended telnet command.

telnet <local-host interface IP> <port number>

e.g., telnet 192.168.1.1 21
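As an added example (not part of the original post), here is the same TCP connect test that "telnet <host> <port>" performs, written as a small Python script that classifies the outcome instead of leaving you to interpret telnet's banner. The addresses from the post (192.168.1.2:443 and 192.168.1.1:21) are used only as placeholders in the main block and are assumed to be your own hosts; the loopback self-check opens its own listener, so it needs no network. Like telnet, this exercises TCP only; a UDP port cannot be verified this way.

```python
import socket
from typing import Dict, Iterable, Tuple

# Outcome of a TCP connect attempt. "filtered" is the classic firewall symptom:
# no SYN-ACK and no RST, so the connect simply times out.
OPEN, CLOSED, FILTERED, UNREACHABLE, UNRESOLVED = (
    "open", "closed", "filtered", "unreachable", "unresolved")


def check_tcp_port(host: str, port: int, timeout: float = 3.0) -> str:
    """Attempt a TCP connection (the same handshake 'telnet host port' performs)
    and return one of the outcome strings above."""
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return UNRESOLVED        # name does not resolve: fix DNS before blaming a firewall
    family, socktype, proto, _, sockaddr = infos[0]
    with socket.socket(family, socktype, proto) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect(sockaddr)
        except ConnectionRefusedError:
            return CLOSED        # host answered with RST: reachable, nothing listening
        except socket.timeout:
            return FILTERED      # silently dropped: typical of a firewall/antivirus block
        except OSError:
            return UNREACHABLE   # e.g. no route to host, network unreachable
        return OPEN


def check_tcp_ports(host: str, ports: Iterable[int], timeout: float = 3.0) -> Dict[int, str]:
    """Check several ports on one host; returns {port: outcome}."""
    return {p: check_tcp_port(host, p, timeout) for p in ports}


def demo_against_local_listener() -> Tuple[str, str]:
    """Self-check that needs no network: open a listener on an ephemeral loopback
    port, probe it (expect 'open'), close it, probe again (expect 'closed')."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    while_open = check_tcp_port("127.0.0.1", port, timeout=2.0)
    listener.close()
    after_close = check_tcp_port("127.0.0.1", port, timeout=2.0)
    return while_open, after_close


if __name__ == "__main__":
    # The two checks from the post: remote HTTPS and local FTP (placeholder addresses).
    for host, port in (("192.168.1.2", 443), ("192.168.1.1", 21)):
        print(f"{host}:{port} -> {check_tcp_port(host, port)}")
    print("loopback self-check:", demo_against_local_listener())
```

A "closed" result means the host is reachable and answered with a reset, so nothing is listening on that port; "filtered" means no answer arrived within the timeout, which is the usual sign of a firewall or antivirus product dropping the SYN, exactly the case the local-host check in the post is meant to surface.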


Sunday 15 May 2011

How to find top talkers in L3 traffic?


What is the purpose of finding top talkers?
To identify the source/destination IP addresses that are generating the most traffic or using the most bandwidth at the time of bandwidth choking
(e.g., DoS attacks, abnormally high bandwidth utilisation by applications, etc.).

How to find top talkers?

Step 1: Change the terminal length value to 0 so the output is not paged.

Step 2: Start session logging in your SSH/telnet client (PuTTY, SecureCRT, etc.).

Step 3: Enter the "show ip cache flow" command. (It can be narrowed to the traffic you are interested in, e.g., show ip cache flow | include "IP address".)

Step 4: Stop logging.

Step 5: Copy the output of this command from the log file and paste it into a new Excel sheet.

Step 6: Select the whole column where the data was pasted.

Step 7: Click Text to Columns under the Data tab.

Step 8: Select Fixed Width and click Next.

Step 9: Click Next, Next, and Finish. (The data is now split into columns.)

Step 10: Select the first row and click Filter under the Data tab.

Step 11: Open the Pkts column menu and click "Sort Largest to Smallest".

Step 12: The top talker list is now ready.

Step 13: Based on this list, we can proceed to block the whole IP or the particular port consuming the most bandwidth; we can also continue troubleshooting the security features in the firewall and enable the shun command in the firewall to avoid high CPU utilization as well.
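As an added example (not from the original post) that does the work of steps 5 to 11 without Excel, here is a Python parser for the record lines of show ip cache flow that sums Pkts per source or destination address and lists the top talkers. It handles both the single-line record layout (SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts) and the two-line layout with a Port/Msk/AS continuation line, as shown in the Cisco reference output further down this page. The flows in SAMPLE are constructed for illustration; only the header line follows the documented column names.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample in the single-line record layout (header as documented; flows made up).
SAMPLE = """\
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Et1/2         10.0.0.2        Local         10.0.0.1        01 0000 0800     5
Gi0/1         192.168.1.50    Gi0/0         203.0.113.10    06 C3A1 0050  4821
Gi0/1         192.168.1.50    Gi0/0         203.0.113.10    06 C3A2 0050  3977
Gi0/1         192.168.1.77    Gi0/0         198.51.100.5    11 9E2F 0035    12
Gi0/1         192.168.1.20    Gi0/0         203.0.113.10    06 D10B 01BB   640
Gi0/0         203.0.113.10    Gi0/1         192.168.1.50    06 0050 C3A1  2104
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
HEX2, HEX4 = r"[0-9A-Fa-f]{2}", r"[0-9A-Fa-f]{4}"
COMMON = rf"^(?P<sif>\S+)\s+(?P<sip>{IPV4})\s+(?P<dif>\S+)\s+(?P<dip>{IPV4})\s+(?P<pr>{HEX2})\s+"
# Single-line record: ... Pr SrcP DstP Pkts (ports are 4 hex digits)
ONE_LINE = re.compile(COMMON + rf"(?P<sp>{HEX4})\s+(?P<dp>{HEX4})\s+(?P<pkts>\d+)\s*$")
# Two-line (verbose-style) record: first line ends ... Pr TOS Flgs Pkts (TOS/Flgs are 2 hex digits)
TWO_LINE_HEAD = re.compile(COMMON + rf"{HEX2}\s+{HEX2}\s+(?P<pkts>\d+)\s*$")
# ... and its continuation line starts "Port Msk AS  Port Msk AS  NextHop ..."
TWO_LINE_TAIL = re.compile(rf"^(?P<sp>{HEX4})\s+/\d+\s+\d+\s+(?P<dp>{HEX4})\s+/\d+\s+\d+\s+")


@dataclass(frozen=True)
class Flow:
    src_if: str
    src_ip: str
    dst_if: str
    dst_ip: str
    proto: int      # IP protocol number (1 ICMP, 6 TCP, 17 UDP)
    src_port: int
    dst_port: int
    pkts: int


def parse_flows(text: str) -> List[Flow]:
    """Extract flow records from pasted show ip cache flow output; headers and
    summary lines do not match either pattern and are skipped."""
    flows: List[Flow] = []
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        m = ONE_LINE.match(lines[i])
        if m:
            flows.append(Flow(m["sif"], m["sip"], m["dif"], m["dip"], int(m["pr"], 16),
                              int(m["sp"], 16), int(m["dp"], 16), int(m["pkts"])))
            i += 1
            continue
        m = TWO_LINE_HEAD.match(lines[i])
        t = TWO_LINE_TAIL.match(lines[i + 1].strip()) if m and i + 1 < len(lines) else None
        if m and t:
            flows.append(Flow(m["sif"], m["sip"], m["dif"], m["dip"], int(m["pr"], 16),
                              int(t["sp"], 16), int(t["dp"], 16), int(m["pkts"])))
            i += 2
            continue
        i += 1
    return flows


def top_talkers(flows: List[Flow], key: str = "src_ip", n: int = 10) -> List[Tuple[str, int]]:
    """Packets summed per address (key is 'src_ip' or 'dst_ip'), largest first."""
    counts: Counter = Counter()
    for f in flows:
        counts[getattr(f, key)] += f.pkts
    return counts.most_common(n)


def top_conversations(flows: List[Flow], n: int = 10) -> List[Tuple[tuple, int]]:
    """Packets per (src_ip, dst_ip, proto, dst_port): shows which service is being hammered."""
    counts: Counter = Counter()
    for f in flows:
        counts[(f.src_ip, f.dst_ip, f.proto, f.dst_port)] += f.pkts
    return counts.most_common(n)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE)
    print("Top sources by packets:")
    for ip, pkts in top_talkers(flows):
        print(f"  {ip:<16} {pkts:>8}")
    print("Top conversations (src, dst, proto, dst_port):")
    for conv, pkts in top_conversations(flows):
        print(f"  {conv}  {pkts}")
```

Pkts is the only volume column in the single-line layout, which is why step 11 sorts on it; with the two-line layout the B/Pk column could be multiplied in to rank by bytes instead. Feeding the whole logged session in is fine: the packet-size distribution and protocol summary lines never look like a flow record, so they are ignored.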


More about show ip cache flow

CISCO Reference:

show ip cache flow
To display a summary of the NetFlow switching statistics, use the show ip cache flow command in EXEC mode.
show ip cache [prefix mask] [type number] [verbose] flow

Syntax Description

prefix mask    (Optional) Displays only the entries in the cache that match the prefix and mask combination.
type number    (Optional) Displays only the entries in the cache that match the interface type and number combination.
verbose        (Optional) Displays additional information.

Command Modes

EXEC

Command History

Release    Modification
11.1       This command was introduced.
11.1 CA    The information display for the command was updated.

Usage Guidelines

On platforms running Distributed Cisco Express Forwarding (dCEF), NetFlow cache information is maintained on each line card or Versatile Interface Processor. To display this information on a distributed platform by use of the show ip cache flow command, you must enter the command at a line card prompt.
Displaying NetFlow Cache Information on a Distributed Cisco 7500 Series Platform
To display NetFlow cache information using the show ip cache flow command on a Cisco 7500 series router that is running dCEF, enter the following sequence of commands:
Router# if-con slot-number
LC-slot-number# show ip cache [prefix mask] [type number] [verbose] flow 
Displaying NetFlow Cache Information on a Distributed Cisco 12000 Series Platform
To display NetFlow cache information using the show ip cache flow command on a Cisco 12000 Series Internet router, you enter the following sequence of commands:
Router# attach slot-number
LC-slot-number# show ip cache [prefix mask] [type number] [verbose] flow

Examples

The following is an example display of a main cache using the show ip cache flow command:
Router# show ip cache flow 
IP packet size distribution (230151 total packets):
1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
.999 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000
   512  544  576 1024 1536 2048 2560 3072 3584 4096 4608
.000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000
The output above shows the percentage distribution of packets by size range. In this display, 99.9 percent of the packets fall in the size range from 1 to 32 bytes.
IP Flow Switching Cache, 4456448 bytes
65509 active, 27 inactive, 820628747 added
955454490 ager polls, 0 flow alloc failures
Exporting flows to 1.1.15.1 (2057)
820563238 flows exported in 34485239 udp datagrams, 0 failed
last clearing of statistics 00:00:03
Protocol         Total    Flows   Packets Bytes  Packets Active(Sec) Idle(Sec)
--------         Flows     /Sec     /Flow  /Pkt     /Sec     /Flow     /Flow
TCP-BGP             71      0.0         1    49      0.0       2.5      15.8
UDP-other           17      0.0         1   328      0.0       0.0      15.7
ICMP             18966      6.7        10    28     72.9       0.1      22.9
Total:           19054      6.7        10    28     72.9       0.1      22.9
SrcIf          SrcIPaddress    DstIf          DstIPaddress    Pr TOS Flgs  Pkts
Port Msk AS                    Port Msk AS    NextHop              B/Pk  Active
Et1/1          52.52.52.1      Fd4/0          42.42.42.1      01 55  10    3748 
0000 /8  50                    0000 /8  40    202.120.130.2          28    17.8
Et1/2          52.52.52.1      Fd4/0          42.42.42.1      01 CC  10    3568 
0000 /8  50                    0000 /8  40    202.120.130.2          28    17.8
Et1/2          10.1.3.2        Fd4/0          42.42.42.1      01 C0  10    1124 
0000 /0  0                     0000 /8  40    202.120.130.2          28    17.8
Et1/2          11.1.3.2        Fd4/0          42.42.42.1      01 C0  10    1157 
0000 /0  0                     0000 /8  40    202.120.130.2          28    17.7
Et1/2          14.1.3.2        Fd4/0          42.42.42.1      01 C0  10    1149 
0000 /0  0                     0000 /8  40    202.120.130.2          28    17.8
Et1/2          15.1.3.2        Fd4/0          42.42.42.1      01 C0  10    1127 
0000 /0  0                     0000 /8  40    202.120.130.2          28    17.7
Et1/2          12.1.3.2        Fd4/0          42.42.42.1      01 C0  10    1204 
0000 /0  0                     0000 /8  40    202.120.130.2          28    17.8
Et1/2          13.1.3.2        Fd4/0          42.42.42.1      01 C0  10    1159 
0000 /0  0                     0000 /8  40    202.120.130.2          28    17.8
Et1/2          18.1.3.2        Fd4/0          42.42.42.1      01 C0  10    1223 
0000 /0  0                     0000 /8  40    202.120.130.2          28    17.8
Et1/2          19.1.3.2        Fd4/0          42.42.42.1      01 C0  10    1264 
0000 /0  0                     0000 /8  40    202.120.130.2          28    17.8
Et1/2          16.1.3.2        Fd4/0          42.42.42.1      01 C0  10    1170 
0000 /0  0                     0000 /8  40    202.120.130.2          28    17.8
Et1/2          17.1.3.2        Fd4/0          42.42.42.1      01 C0  10    1167 
0000 /0  0                     0000 /8  40    202.120.130.2          28    17.8
Et1/2          22.1.3.2        Fd4/0          42.42.42.1      01 C0  10    1193 
0000 /0  0                     0000 /8  40    202.120.130.2          28    17.8
Et1/2          23.1.3.2        Fd4/0          42.42.42.1      01 C0  10    1212 
0000 /0  0                     0000 /8  40    202.120.130.2          28    17.7
Et1/1          50.50.50.1      Local          31.31.31.1      06 C0  18       2 
00B3 /32 0                     2AF8 /32 0     0.0.0.0                49    10.1
The following shows sample output from the show ip cache prefix mask flow command:
Router# show ip cache 10.0.0.1 256.0.0.0 flow
IP packet size distribution (25 total packets):
1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
.000 .000 .000 1.00 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000
512  544  576 1024 1536 2048 2560 3072 3584 4096 4608
.000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000
The output above shows the percentage distribution of packets by size range. In this display, 100 percent of the packets fall in the 128-byte range.
IP Flow Switching Cache, 4456704 bytes
1 active, 65535 inactive, 5 added
68 ager polls, 0 flow alloc failures
Active flows timeout in 30 minutes
Inactive flows timeout in 15 seconds
last clearing of statistics never
Protocol         Total    Flows   Packets Bytes  Packets Active(Sec) Idle(Sec)
--------         Flows     /Sec     /Flow  /Pkt     /Sec     /Flow     /Flow
ICMP                 4      0.0         5   100      0.0       0.0      15.2
Total:               4      0.0         5   100      0.0       0.0      15.2
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Et1/2         10.0.0.2        Local         10.0.0.1        01 0000 0800     5 
The following shows sample output from the show ip cache type number flow command:
Router# show ip cache e1/2 flow
IP packet size distribution (30 total packets):
1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
.000 .000 .000 1.00 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000
512  544  576 1024 1536 2048 2560 3072 3584 4096 4608
.000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000
IP Flow Switching Cache, 4456704 bytes
1 active, 65535 inactive, 6 added
85 ager polls, 0 flow alloc failures
Active flows timeout in 30 minutes
Inactive flows timeout in 15 seconds
last clearing of statistics never
Protocol         Total    Flows   Packets Bytes  Packets Active(Sec) Idle(Sec)
--------         Flows     /Sec     /Flow  /Pkt     /Sec     /Flow     /Flow
ICMP                 5      0.0         5   100      0.0       0.0      15.1
Total:               5      0.0         5   100      0.0       0.0      15.1
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Et1/2         10.0.0.2        Local         10.0.0.1        01 0000 0800     5 
Table 22 describes the significant fields shown in the flow switching cache lines of the displays.

Table 22 show ip cache flow Field Descriptions in Flow Switching Cache Display

bytes: Number of bytes of memory used by the NetFlow cache.
active: Number of active flows in the NetFlow cache at the time this command was entered.
inactive: Number of flow buffers that are allocated in the NetFlow cache, but are not currently assigned to a specific flow at the time this command is entered.
added: Number of flows created since the start of the summary period.
ager polls: Number of times the NetFlow code looked at the cache to cause entries to expire (used by Cisco for diagnostics only).
flow alloc failures: Number of times the NetFlow code tried to allocate a flow but could not.
Exporting flows: IP address and User Datagram Protocol (UDP) port number of the workstation to which flows are exported.
flows exported in udp datagrams: Total number of flows exported and the total number of UDP datagrams used to export the flows to the workstation.
failed: Number of flows that could not be exported by the router because of output interface limitations.
last clearing of statistics: Standard time output (hh:mm:ss) since the clear ip flow stats EXEC command was executed. This time output changes to hours and days after the time exceeds 24 hours.

Table 23 describes the significant fields shown in the activity by protocol lines of the display.

Table 23 show ip cache flow Field Descriptions in Activity By Protocol Display

Protocol: IP protocol and the "well known" port number as described in RFC 1340.
Total Flows: Number of flows for this protocol since the last time statistics were cleared.
Flows/Sec: Average number of flows for this protocol seen per second; equal to total flows divided by the number of seconds in this summary period.
Packets/Flow: Average number of packets observed for the flows seen for this protocol; equal to total packets for this protocol divided by the number of flows for this protocol in this summary period.
Bytes/Pkt: Average number of bytes observed for the packets seen for this protocol (total bytes for this protocol divided by the total number of packets for this protocol in this summary period).
Packets/Sec: Average number of packets for this protocol per second (total packets for this protocol divided by the total number of seconds in this summary period).
Active(Sec)/Flow: Sum of all the seconds from the first packet to the last packet of an expired flow (for example, TCP FIN, timeout, and so on), divided by the total flows for this protocol in this summary period.
Idle(Sec)/Flow: Sum of all the seconds from the last packet seen in each nonexpired flow for this protocol until the time at which this command was entered, divided by the total flows for this protocol in this summary period.


Table 24 describes the significant fields in the NetFlow record lines of the displays:

Table 24 show ip cache flow Field Descriptions in NetFlow Record Display

SrcIf: Interface on which the packet was received.
SrcIPaddress: IP address of the device which transmitted the packet.
DstIf: Interface from which the packet was transmitted.
DstIPaddress: IP address of the destination device.
Pr: IP protocol "well-known" port number as described in RFC 1340, displayed in hexadecimal format.
SrcP: IP port from which the packet is transmitted, displayed in hexadecimal format.
DstP: IP port where the packet is to be delivered, displayed in hexadecimal format.
Pkts: Number of packets switched through this flow.

The following shows sample output from the show ip cache verbose flow command for interface e1/2 on 10.0.0.1 255.0.0.0:
Router# show ip cache 10.0.0.1 255.0.0.0 e1/2 verbose flow 
IP packet size distribution (35 total packets):
1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
.000 .000 .000 1.00 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000
512  544  576 1024 1536 2048 2560 3072 3584 4096 4608
.000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000
The output above shows the percentage distribution of packets by size range. In this display, 100 percent of the packets fall in the 138-byte size range.
IP Flow Switching Cache, 4456704 bytes
1 active, 65535 inactive, 7 added
99 ager polls, 0 flow alloc failures
Active flows timeout in 30 minutes
Inactive flows timeout in 15 seconds
last clearing of statistics never
Protocol         Total    Flows   Packets Bytes  Packets Active(Sec) Idle(Sec)
--------         Flows     /Sec     /Flow  /Pkt     /Sec     /Flow     /Flow
ICMP                 6      0.0         5   100      0.0       0.0      15.2
Total:               6      0.0         5   100      0.0       0.0      15.2
SrcIf          SrcIPaddress    DstIf          DstIPaddress    Pr TOS Flgs  Pkts
Port Msk AS                    Port Msk AS    NextHop              B/Pk  Active
Et1/2          10.0.0.2        Local          10.0.0.1        01 00  10       5 
0000 /8  0                     0800 /8  0     0.0.0.0               100     0.0
Table 25 describes the significant fields in the NetFlow record lines of the display.

Table 25 show ip cache verbose flow Field Descriptions in NetFlow Record Display

SrcIf: Interface on which the packet was received.
Port Msk AS (source): Source Border Gateway Protocol (BGP) autonomous system. This is always set to 0 in MPLS flows.
SrcIPaddress: IP address of the device which transmitted the packet.
DstIf: Interface from which the packet was transmitted.
Port Msk AS (destination): Destination BGP autonomous system. This is always set to 0 in MPLS flows.
DstIPaddress: IP address of the destination device.
NextHop: Specifies the BGP next hop address. This is always set to 0 in MPLS flows.
Pr: IP protocol well-known port number as described in RFC 1340, displayed in hexadecimal format.
B/Pk: Average number of bytes observed for the packets seen for this protocol (total bytes for this protocol divided by the total number of flows for this protocol in this summary period).
TOS: Type of service.
Flgs: TCP flags (result of bitwise OR of TCP flags from all packets in the flow).
Active: Number of active flows in the NetFlow cache at the time this command was entered.
Pkts: Number of packets switched through this flow.

Related Commands

clear ip flow stats: Clears the NetFlow switching statistics.
ip route-cache: Configures the router to export the flow cache entry to a workstation when a flow expires.

Comments welcome @ narendren.s@gmail.com