Mobile Networks and Computing - PowerPoint PPT Presentation

Slides: 36
Provided by: kango1
Transcript and Presenter's Notes


1
Mobile Networks and Computing
  • Network monitoring mechanisms

2
Roadmap
  • Introduction
  • Signal Strength measurements
  • SNMP
  • Syslog messages
  • Transport layer traces
  • Related topics

3
Network monitoring
  • Information about network
  • Specific devices
  • Subnets, VLANs
  • Aggregate network
  • Various network layers
  • Transport, IP, MAC
  • Data
  • Traffic (bytes, packets), speed of ethernet
    interfaces
  • Signal strength
  • Client information
  • Hardware info (temperatures)
  • Wireless & wired

4
Passive vs. Active measurements
  • Active measurements
  • Affect network status
  • Insert traffic
  • Ping, traceroute
  • Passive measurements
  • Do not affect network status
  • Packet sniffing, signal strength measurements

5
Exploiting network measurements
  • Characterization of network performance
  • Performance analysis
  • Protocols & mechanisms
  • Security
  • Identify & monitor malicious attacks
  • Modeling
  • Traffic, client arrival rate
  • Performance evaluation
  • Network administration

6
Wired vs. Wireless
  • Wired
  • Packet headers: tcpdump
  • Ping, traceroute
  • Wireless
  • SNMP
  • Syslog messages
  • Packet headers: tcpdump
  • MAC layer sniffers
  • Signal Strength

7
Roadmap
  • Introduction
  • Signal Strength measurements
  • SNMP
  • Syslog messages
  • Transport layer traces
  • Related topics

8
Network Stumbler
  • tool for Windows detecting Wireless LANs in range
    using the 802.11a, 802.11b and 802.11g WLAN standards
  • packet sniffer for wireless networks

9
Network Stumbler (cntd)

10
Network Stumbler (cntd)

11
Main Linux wireless commands
  • //Bring up the wireless interface
  • ifconfig eth1 up
  • //Switch to Managed mode
  • iwconfig eth1 mode managed
  • //Scan for Wireless access points (Must be in
    Managed Mode)
  • iwlist eth1 scan
  • //Set static ip address on wireless interface
  • ifconfig eth1 192.168.1.x
  • //connect to a network (ip addr is static)
  • iwconfig eth1 essid CS439

12
iwconfig

13
iwlist
  • tool for Linux detecting Wireless LANs
  • main argument selects category of information
  • additional information displayed
  • from wireless network interface
  • not displayed by iwconfig

14
iwlist (cntd)
  • iwlist interface scanning
  • one wireless AP
  • ESSID
  • type of network
  • signal quality

15
iwlist (cntd)
  • iwlist interface frequency
  • list of available frequencies in the device
  • number of defined channels
  • iwlist interface rate
  • list the bit-rates supported by the device
  • iwlist interface key
  • list the encryption key sizes supported
  • display all the encryption keys available in the
    device
  • iwlist interface power
  • list Power Management attributes and modes of the
    device
  • iwlist interface txpower
  • list Transmit Powers available on the device

16
iwlist (cntd)
  • iwlist interface retry
  • list transmit retry limits
  • retry lifetime on the device
  • iwlist interface ap/accesspoint/peers
  • list of Access Points in range
  • deprecated in favor of scanning support (above)
  • most drivers don't support it
  • some drivers may use this command to return a
    specific list of Peers or Access Points
  • the list of Peers associated/registered with the
    card
  • iwlist interface event
  • list the wireless events supported by the device

17
Roadmap
  • Introduction
  • Signal Strength measurements
  • SNMP
  • Syslog messages
  • Transport layer traces
  • Related topics

18
Introduction to SNMP
  • Simple Network Management Protocol
  • Monitoring & management of IP devices
  • Standardization by IETF
  • Wide range of devices
  • Routers, switches, PCs, Access Points
  • Wide range of info
  • Traffic, client info
  • Interface transmit rate
  • Hardware info (temperature)
  • Polling mechanism
  • Query response
  • Data representation
  • Manageable Object IDs

19
SNMP architecture
  • Application layer protocol
  • Two basic entities
  • Network Management stations
  • Software module
  • Agent
  • Software module on SNMP compatible device
  • Communication
  • Traps
  • UDP for message passing

20
Data representation 1/2
  • Polled variables represented as objects
  • Each managed object assigned an OID
  • Managed objects organized into a tree-like
    hierarchy

21
Data representation 2/2
  • MIB-II Groups

22
Using SNMP
  • Set of commands
  • Extraction of value of a managed object
  • Setting such a value
  • snmpget, snmpgetnext, snmpbulkget
  • Support for various programming languages
  • Java
  • http://gicl.cs.drexel.edu/people/sevy/snmp/
  • C
  • http://www.cuddletech.com/articles/snmp/node23.html
  • Perl
  • http://www.cuddletech.com/articles/snmp/node18.html
  • http://search.cpan.org/dtown/Net-SNMP-5.2.0/lib/Net/SNMP.pm

23
Simple SNMP agent
  • Perl package: SNMP_util
  • use BER;
  • use SNMP_util;
  • use SNMP_Session;
  • $MIB1 = ".1.3.6.1.2.1.1.4.0";   # OID of sysContact.0
  • $HOST = "139.91.68.17";
  • ($value) = snmpget("public\@$HOST", $MIB1);   # community@host, then the OID
  • if ($value) { print "Results: $MIB1 = $value\n"; }
  • else { warn "No response from host $HOST\n"; }

24
Roadmap
  • Introduction
  • Signal Strength measurements
  • SNMP
  • Syslog messages
  • Transport layer traces
  • Related topics

25
Introduction to syslog
  • RFC 3164
  • Event driven mechanism
  • IP, MAC layer info
  • Architecture
  • Client server
  • Notifications for client to server
  • UDP

26
Syslog architecture

27
Categorization & severity of syslog msgs
  • Categorization based on source
  • Kernel
  • User-level
  • Mail system
  • Peripherals
  • Security/authorization
  • Severity level
  • Single integer representation
  • 0: Emergency, 7: Debug messages

28
Example of syslog messages
  • Wireless LAN scenario
  • Syslog messages generated by APs
  • Client associated with AP
  • Client authenticated
  • Deauthenticated
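
Added example (not from the original slides): decoding the RFC 3164 priority value into the facility and severity described on the previous slide, and counting deauthentication events per client. The AP hostname, MAC address and message wording are constructed, since AP message text is vendor-specific.

```python
import re
from collections import Counter

# RFC 3164 facility and severity names, indexed by numeric code.
FACILITIES = ["kernel", "user-level", "mail system", "system daemons",
              "security/authorization", "syslogd internal", "line printer",
              "network news", "UUCP", "clock daemon", "security/authorization",
              "FTP daemon", "NTP", "log audit", "log alert", "clock daemon",
              ] + ["local%d" % i for i in range(8)]
SEVERITIES = ["Emergency", "Alert", "Critical", "Error",
              "Warning", "Notice", "Informational", "Debug"]

# RFC 3164 layout: <PRI>Mmm dd hh:mm:ss HOSTNAME MESSAGE
LINE = re.compile(r"^<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$")
MAC = re.compile(r"\b(?:[0-9a-f]{2}:){5}[0-9a-f]{2}\b", re.I)
EVENT = re.compile(r"\b(deauthenticated|authenticated|associated)\b", re.I)

def parse(line):
    """Decode one syslog line; return None when it is malformed."""
    m = LINE.match(line)
    if not m or int(m.group(1)) > 191:      # highest valid PRI is 23*8 + 7
        return None
    facility, severity = divmod(int(m.group(1)), 8)
    mac, event = MAC.search(m.group(4)), EVENT.search(m.group(4))
    return {"facility": FACILITIES[facility], "severity": SEVERITIES[severity],
            "time": m.group(2), "host": m.group(3),
            "client": mac.group(0).lower() if mac else None,
            "event": event.group(1).lower() if event else None}

def deauth_counts(lines):
    """Count deauthentication events per (AP, client) pair."""
    counts = Counter()
    for rec in filter(None, map(parse, lines)):
        if rec["event"] == "deauthenticated":
            counts[(rec["host"], rec["client"])] += 1
    return counts

# Constructed sample messages; real AP message text is vendor-specific.
SAMPLE = [
    "<134>Mar  3 10:15:02 ap-lab1 Station 00:0c:f1:aa:bb:01 associated",
    "<134>Mar  3 10:15:02 ap-lab1 Station 00:0c:f1:aa:bb:01 authenticated",
    "<132>Mar  3 10:17:40 ap-lab1 Station 00:0c:f1:aa:bb:01 deauthenticated",
    "<132>Mar  3 10:17:55 ap-lab1 Station 00:0c:f1:aa:bb:01 deauthenticated",
    "<999>Mar  3 10:18:00 ap-lab1 PRI out of range, must be rejected",
]

if __name__ == "__main__":
    print(deauth_counts(SAMPLE))
```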

29
Collecting Syslog messages
  • Set the syslog server for the device
  • IP address in most cases
  • Configure the Syslog daemon
  • /etc/syslog.conf on Unix
  • Edit /var/log files for messages to be written
  • Run syslog daemon
  • /etc/init.d/sysklogd restart
  • Verify that syslogd listens on UDP 514
  • netstat -na | grep 514

30
Roadmap
  • Introduction
  • Signal Strength measurements
  • SNMP
  • Syslog messages
  • Transport layer traces
  • Related topics

31
Transport layer traces
  • Collection of packets
  • Usually on a LAN's backbone link
  • All transport layer protocols
  • TCP, UDP
  • Headers only or full payload
  • Packets reassembled to flows
  • CAIDA's CoralReef suite
  • Packet processing
  • Ethereal

32
Packet capturing
  • Software and hardware needed
  • Hardware
  • Powerful PC to log packets
  • High precision DAG card for high speed links
  • Wiring & port forwarding of router/switch ports
  • Software
  • Publicly available sniffers
  • Snort
  • Tcpdump
  • CoralReef

33
Using TCPDUMP to capture pkts
  • Monitoring all traffic of a network adapter
  • Examples
  • Capture and store (-w) udp packets
  • tcpdump -w out.trc udp
  • Capture and store (-w) udp packets from host
    139.1.2.3
  • tcpdump -w out.trc udp and host 139.1.2.3
  • Filtering pkts using expressions
  • tcpdump [options] [filter expression]
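
Added example (not from the original slides): reading a trace in the classic pcap layout that tcpdump -w writes on little-endian hosts and grouping its packets into flows by 5-tuple, as on the "Transport layer traces" slide; a headers-only capture yields the same flow table because the record header keeps the on-wire length. The frames are constructed, and 10.0.0.5 and the port numbers are assumptions.

```python
import struct
from collections import defaultdict

def udp_frame(src, dst, sport, dport, payload):
    """Build a constructed Ethernet/IPv4/UDP frame (checksums left at 0)."""
    ip = lambda a: bytes(int(x) for x in a.split("."))
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    iph = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                      ip(src), ip(dst))
    return b"\x00" * 12 + b"\x08\x00" + iph + udp

def write_pcap(frames, snaplen=65535):
    """Serialize frames as a classic little-endian pcap, truncated to snaplen."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    for ts, frame in enumerate(frames):
        cap = frame[:snaplen]
        out += struct.pack("<IIII", ts, 0, len(cap), len(frame)) + cap
    return out

def flows(pcap):
    """Group captured IPv4 TCP/UDP packets into flows keyed by 5-tuple."""
    magic, = struct.unpack_from("<I", pcap, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("not a little-endian classic pcap file")
    table, off = defaultdict(lambda: [0, 0]), 24
    while off + 16 <= len(pcap):
        _, _, caplen, wirelen = struct.unpack_from("<IIII", pcap, off)
        pkt, off = pcap[off + 16: off + 16 + caplen], off + 16 + caplen
        if len(pkt) < 34 or pkt[12:14] != b"\x08\x00":
            continue                      # not IPv4, or IP header not captured
        ihl, proto = (pkt[14] & 0x0F) * 4, pkt[23]
        if proto not in (6, 17) or len(pkt) < 14 + ihl + 4:
            continue                      # not TCP/UDP, or ports not captured
        sport, dport = struct.unpack_from("!HH", pkt, 14 + ihl)
        key = (".".join(map(str, pkt[26:30])), sport,
               ".".join(map(str, pkt[30:34])), dport, proto)
        table[key][0] += 1                # packets in this flow
        table[key][1] += wirelen          # bytes on the wire, even if truncated
    return dict(table)

# Constructed traffic: 139.1.2.3 is the host from the slide, 10.0.0.5 is made up.
FRAMES = [udp_frame("139.1.2.3", "10.0.0.5", 5000, 53, b"x" * 100)] * 2 + \
         [udp_frame("10.0.0.5", "139.1.2.3", 53, 5000, b"y" * 20)]

if __name__ == "__main__":
    for key, (pkts, nbytes) in flows(write_pcap(FRAMES, snaplen=42)).items():
        print(key, pkts, "packets", nbytes, "bytes")
```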

34
Roadmap
  • Introduction
  • Signal Strength measurements
  • SNMP
  • Syslog messages
  • Transport layer traces
  • Related topics

35
Related topics
  • IP & MAC address anonymization
  • MAP based
  • Randomization
  • MAC layer sniffers
  • 802.11 related topics
  • p0f
  • Passive OS fingerprinting tool
  • Firewall presence
  • NAT presence