lost and found ( for me ? )

lost and found ( for me ? )

↑ Grab this Headline Animator

Showing posts with label TCP. Show all posts
Showing posts with label TCP. Show all posts

Ubuntu 13.04 : conntrack tool

conntrack is connection tracking tools. You can track both TCP and UDP.
http://conntrack-tools.netfilter.org/manual.html
# tail -1 /etc/lsb-release ;uname -ri
DISTRIB_DESCRIPTION="Ubuntu 13.04"
3.8.0-34-generic x86_64
install conntrack via apt-get.
# apt-get install conntrack
count total number of entries.
# conntrack -C
30
flush all entries.
# conntrack -F
conntrack v1.2.1 (conntrack-tools): connection tracking table has been emptied.
dump all connections table
# conntrack -L
unknown  2 36 src=192.168.20.74 dst=224.0.0.251 [UNREPLIED] src=224.0.0.251 dst=192.168.20.74 mark=0 use=1
tcp      6 431981 ESTABLISHED src=10.41.118.103 dst=192.168.20.75 sport=54300 dport=22 src=192.168.20.75 dst=10.41.118.103 sport=22 dport=54300 [ASSURED] mark=0 use=1
unknown  2 413 src=192.168.20.75 dst=224.0.0.251 [UNREPLIED] src=224.0.0.251 dst=192.168.20.75 mark=0 use=1
unknown  89 593 src=192.168.10.254 dst=224.0.0.5 [UNREPLIED] src=224.0.0.5 dst=192.168.10.254 mark=0 use=1
tcp      6 299 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=58827 dport=5018 src=127.0.0.1 dst=127.0.0.1 sport=5018 dport=58827 [ASSURED] mark=0 use=1
list specific TCP
# conntrack -L -p tcp --dport 80
tcp      6 74 TIME_WAIT src=192.168.10.15 dst=173.194.38.95 sport=40552 dport=80 src=173.194.38.95 dst=192.168.10.15 sport=80 dport=40552 [ASSURED] mark=0 use=1
tcp      6 64 TIME_WAIT src=192.168.10.15 dst=173.194.38.82 sport=38108 dport=80 src=173.194.38.82 dst=192.168.10.15 sport=80 dport=38108 [ASSURED] mark=0 use=1
list established state TCP connections.
# conntrack -L -p tcp --state ESTABLISHED | head -2
conntrack v1.2.1 (conntrack-tools): 10 flow entries have been shown.
tcp      6 431962 ESTABLISHED src=10.41.118.103 dst=192.168.20.75 sport=54300 dport=22 src=192.168.20.75 dst=10.41.118.103 sport=22 dport=54300 [ASSURED] mark=0 use=1
tcp      6 431999 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=58827 dport=5018 src=127.0.0.1 dst=127.0.0.1 sport=5018 dport=58827 [ASSURED] mark=0 use=1
list specific UDP
# conntrack -L -p udp --dport 53
udp      17 28 src=192.168.10.15 dst=192.168.10.14 sport=34289 dport=53 src=192.168.10.14 dst=192.168.10.15 sport=53 dport=34289 mark=0 use=1
udp      17 21 src=192.168.10.15 dst=192.168.10.14 sport=48437 dport=53 src=192.168.10.14 dst=192.168.10.15 sport=53 dport=48437 mark=0 use=1
delete an entry
# conntrack -L -p tcp --dport 80 --sport=38122
tcp      6 27 TIME_WAIT src=192.168.10.15 dst=173.194.38.82 sport=38122 dport=80 src=173.194.38.82 dst=192.168.10.15 sport=80 dport=38122 [ASSURED] mark=0 use=1
conntrack v1.2.1 (conntrack-tools): 1 flow entries have been shown.

# conntrack -D -p tcp --dport 80 --sport=38122
tcp      6 21 TIME_WAIT src=192.168.10.15 dst=173.194.38.82 sport=38122 dport=80 src=173.194.38.82 dst=192.168.10.15 sport=80 dport=38122 [ASSURED] mark=0 use=1
conntrack v1.2.1 (conntrack-tools): 1 flow entries have been deleted.

# conntrack -L -p tcp --dport 80 --sport=38122
conntrack v1.2.1 (conntrack-tools): 0 flow entries have been shown.
#
display events
# conntrack –E
[DESTROY] udp      17 src=127.0.0.1 dst=127.0.0.1 sport=45747 dport=53 src=127.0.0.1 dst=127.0.0.1 sport=53 dport=45747 [ASSURED]
[DESTROY] udp      17 src=127.0.0.1 dst=127.0.0.1 sport=35708 dport=53 src=127.0.0.1 dst=127.0.0.1 sport=53 dport=35708 [ASSURED]
   [NEW] udp      17 30 src=192.168.10.205 dst=255.255.255.255 sport=3490 dport=3490 [UNREPLIED] src=255.255.255.255 dst=192.168.10.205 sport=3490 dport=3490

No comments:
Labels: , , ,

build querytcp on fedora 18 64bit

querytcp is a tool which can send TCP queries instead of UDP queries.
Please note that querytcp sends only TCP queries. ( tcpquery does not support TCP fallback as of now.)
# cat /etc/fedora-release
Fedora release 18 (Spherical Cow)

# uname -ri
3.9.2-200.fc18.x86_64 x86_64

# gcc --version
gcc (GCC) 4.7.2 20121109 (Red Hat 4.7.2-8)
[ build querytcp ]
build querytcp from git.
# git clone https://github.com/kfujiwara/querytcp.git
# cd querytcp/
# gcc -D_LINUX -Wall -O2 -g -lm -o querytcp querytcp.c

# ./querytcp --help
./querytcp: invalid option -- '-'
querytcp [-d datafile] [-s server_addr] [-p port] [-q num_queries] [-t timeout] [l limit] [-4] [-6] [-h]
 -d specifies the input data file (default: stdin)
 -s sets the server to query (default: 127.0.0.1)
 -p sets the port on which to query the server (default: 53)
 -q specifies the maximum number of queries outstanding (default: 120)
 -t specifies the timeout for query completion in seconds (default: 10)
 -l specifies how a limit for how long to run tests in seconds (no default)
 -e enable EDNS0
 -D set DO bit
 -r set RD bit



 -c print the number of packets with each rcode
 -v verbose: report the RCODE of each response on stdout
 -h print this usage
or
knot DNS source code includes querytcp.
so you can build tcpquery from knot DNS source code as well.
get knot DNS from https://www.knot-dns.cz/.
# tar xzvf knot-1.2.0.tar.gz
# cd knot-1.2.0/tests/
# gcc -D_LINUX -Wall -O2 -g -lm -o querytcp querytcp.c

# ./querytcp -h
dnsheader size: 12
querytcp [-d datafile] [-s server_addr] [-p port] [-q num_queries] [-t timeout] [l limit] [-4] [-6] [-h]
 -d specifies the input data file (default: stdin)
 -s sets the server to query (default: 127.0.0.1)
 -p sets the port on which to query the server (default: 53)
 -q specifies the maximum number of queries outstanding (default: 120)
 -t specifies the timeout for query completion in seconds (default: 10)
 -l specifies how a limit for how long to run tests in seconds (no default)
 -e enable EDNS0
 -D set DO bit
 -r set RD bit



 -c print the number of packets with each rcode
 -v verbose: report the RCODE of each response on stdout
 -h print this usage
In my environment ,I saw the following warning messges when compiling querytcp.
But it seems that querytcp  works well without problems as of now.
# gcc -Wall -O2 -g -lm -o querytcp querytcp.c
querytcp.c: In function ‘register_response’:
querytcp.c:231:7: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast]
querytcp.c:256:4: warning: format ‘%lld’ expects argument of type ‘long long int’, but argument 3 has type ‘timediff_t’ [-Wformat]
querytcp.c: In function ‘output’:
querytcp.c:276:2: warning: format ‘%lld’ expects argument of type ‘long long int’, but argument 2 has type ‘uint64_t’ [-Wformat]
querytcp.c:278:4: warning: format ‘%lld’ expects argument of type ‘long long int’, but argument 2 has type ‘uint64_t’ [-Wformat]
querytcp.c:280:4: warning: format ‘%lld’ expects argument of type ‘long long int’, but argument 2 has type ‘uint64_t’ [-Wformat]
querytcp.c:282:4: warning: format ‘%lld’ expects argument of type ‘long long int’, but argument 2 has type ‘uint64_t’ [-Wformat]
querytcp.c:284:4: warning: format ‘%lld’ expects argument of type ‘long long int’, but argument 2 has type ‘uint64_t’ [-Wformat]
querytcp.c:293:5: warning: format ‘%lld’ expects argument of type ‘long long int’, but argument 3 has type ‘uint64_t’ [-Wformat]
querytcp.c: In function ‘send_query’:
querytcp.c:416:9: warning: pointer targets in assignment differ in signedness [-Wpointer-sign]
querytcp.c:421:4: warning: pointer targets in passing argument 1 of ‘fgets’ differ in signedness [-Wpointer-sign]
In file included from querytcp.c:28:0:
/usr/include/stdio.h:624:14: note: expected ‘char * __restrict__’ but argument is of type ‘u_char *’
querytcp.c:432:5: warning: pointer targets in passing argument 1 of ‘fgets’ differ in signedness [-Wpointer-sign]
In file included from querytcp.c:28:0:
/usr/include/stdio.h:624:14: note: expected ‘char * __restrict__’ but argument is of type ‘u_char *’
querytcp.c:437:3: warning: pointer targets in passing argument 1 of ‘strtok’ differ in signedness [-Wpointer-sign]
In file included from querytcp.c:30:0:
/usr/include/string.h:344:14: note: expected ‘char * __restrict__’ but argument is of type ‘u_char *’
querytcp.c:437:9: warning: pointer targets in assignment differ in signedness [-Wpointer-sign]
querytcp.c:438:5: warning: pointer targets in assignment differ in signedness [-Wpointer-sign]
querytcp.c:441:5: warning: pointer targets in passing argument 2 of ‘strcasecmp’ differ in signedness [-Wpointer-sign]
In file included from querytcp.c:30:0:
/usr/include/string.h:532:12: note: expected ‘const char *’ but argument is of type ‘u_char *’
querytcp.c:463:3: warning: pointer targets in passing argument 1 of ‘send_query_error’ differ in signedness [-Wpointer-sign]
querytcp.c:391:6: note: expected ‘char *’ but argument is of type ‘u_char *’
querytcp.c:486:5: warning: assignment from incompatible pointer type [enabled by default]
querytcp.c:495:3: warning: dereferencing type-punned pointer will break strict-aliasing rules [-Wstrict-aliasing]
querytcp.c: In function ‘tcp_receive’:
querytcp.c:591:2: warning: dereferencing type-punned pointer will break strict-aliasing rules [-Wstrict-aliasing]
querytcp.c:609:1: warning: dereferencing type-punned pointer will break strict-aliasing rules [-Wstrict-aliasing]
querytcp.c: In function ‘query’:
querytcp.c:625:9: warning: variable ‘n’ set but not used [-Wunused-but-set-variable]
#
[ usage ]
# ./querytcp -d query_list.txt -s 192.168.11.160
dnsheader size: 12
resolving: 192.168.11.160:53
elapsed time: 25.453
tcp qps: 653.638
sent: 18039
answer: 16637  92.2%
error: 1402  7.8%
zeroread: 0  0.0%
timeout: 0  0.0%
response size:        45/45.000/45/0.000 bytes



# head -1 query_list.txt
www.foo.bar a

# wc -l query_list.txt
10396 query_list.txt
here is a capture data which was collected on the DNS server.
querytcp : 192.168.11.100
DNS server : 192.168.11.160
# tshark -r zzz.pcap -R '(tcp.port==54243)'
 1   0.000000 192.168.11.100 -> 192.168.11.160 TCP 74 54243 > domain [SYN] Seq=0 Win=14600 Len=0 MSS=1460 SACK_PERM=1 TSval=30311093 TSecr=0 WS=128
 2   0.000062 192.168.11.160 -> 192.168.11.100 TCP 74 domain > 54243 [SYN, ACK] Seq=0 Ack=1 Win=14480 Len=0 MSS=1460 SACK_PERM=1 TSval=93063 TSecr=30311093 WS=8
25   0.000461 192.168.11.100 -> 192.168.11.160 TCP 66 54243 > domain [ACK] Seq=1 Ack=1 Win=14720 Len=0 TSval=30311094 TSecr=93063
57   0.003279 192.168.11.100 -> 192.168.11.160 DNS 97 Standard query A www.foo.bar
58   0.003292 192.168.11.160 -> 192.168.11.100 TCP 66 domain > 54243 [ACK] Seq=1 Ack=32 Win=14480 Len=0 TSval=93064 TSecr=30311097
137   0.004579 192.168.11.160 -> 192.168.11.100 DNS 113 Standard query response A 127.0.1.1
142   0.004880 192.168.11.100 -> 192.168.11.160 TCP 66 54243 > domain [ACK] Seq=32 Ack=48 Win=14720 Len=0 TSval=30311098 TSecr=93064
148   0.005084 192.168.11.100 -> 192.168.11.160 TCP 66 54243 > domain [FIN, ACK] Seq=32 Ack=48 Win=14720 Len=0 TSval=30311099 TSecr=93064
174   0.005686 192.168.11.160 -> 192.168.11.100 TCP 66 domain > 54243 [FIN, ACK] Seq=48 Ack=33 Win=14480 Len=0 TSval=93064 TSecr=30311099
221   0.007259 192.168.11.100 -> 192.168.11.160 TCP 66 54243 > domain [ACK] Seq=33 Ack=49 Win=14720 Len=0 TSval=30311100 TSecr=93064
on the DNS server
# lsof -ni:53
COMMAND PID    USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
unbound 885 unbound    3u  IPv4   7856      0t0  UDP *:domain
unbound 885 unbound    4u  IPv4   7857      0t0  TCP *:domain (LISTEN)
unbound 885 unbound   12u  IPv4  67523      0t0  TCP 192.168.11.160:domain->192.168.11.100:52975 (ESTABLISHED)
unbound 885 unbound   13u  IPv4  67524      0t0  TCP 192.168.11.160:domain->192.168.11.100:52976 (ESTABLISHED)
unbound 885 unbound   14u  IPv4  67525      0t0  TCP 192.168.11.160:domain->192.168.11.100:52977 (ESTABLISHED)
unbound 885 unbound   15u  IPv4  67526      0t0  TCP 192.168.11.160:domain->192.168.11.100:52978 (ESTABLISHED)
unbound 885 unbound   16u  IPv4  67527      0t0  TCP 192.168.11.160:domain->192.168.11.100:52979 (ESTABLISHED)
unbound 885 unbound   18u  IPv4  67492      0t0  TCP 192.168.11.160:domain->192.168.11.100:52905 (ESTABLISHED)
unbound 885 unbound   19u  IPv4  67493      0t0  TCP 192.168.11.160:domain->192.168.11.100:51684 (ESTABLISHED)
unbound 885 unbound   20u  IPv4  67494      0t0  TCP 192.168.11.160:domain->192.168.11.100:51735 (ESTABLISHED)
unbound 885 unbound   21u  IPv4  67495      0t0  TCP 192.168.11.160:domain->192.168.11.100:51641 (ESTABLISHED)
while sending TCP queries , I saw the following message on the DNS server.
localhost kernel: [  672.255114] TCP: Possible SYN flooding on port 53. Sending cookies.  Check SNMP counters.
disable SYN cookie
# cat /proc/sys/net/ipv4/tcp_syncookies
1
# echo 0 >  /proc/sys/net/ipv4/tcp_syncookies

# cat /proc/sys/net/ipv4/tcp_syncookies
0

No comments:
Labels: , ,

Linux : TCP Window scaling


How to check whether or not your OS supports TCP Window scaling.

# cat /proc/sys/net/ipv4/tcp_window_scaling
1

1 : enable window scale
0 : disable window scale

[ when disabling TCP window scale ]

Client ( CentOS 6.2 ) ------ web sites

OS informs Window scaling factor when sending syn packet.
# echo 0 > /proc/sys/net/ipv4/tcp_window_scaling


capture and then access to an web site.
# tshark -i eth0 port 80 -w ws_disable.pcap

# wget http://www.google.com


Here’s a syn packet sent from the client

Client -> google

the client does not add window scale option in TCP options.
  Flags: 0x02 (SYN)
       0... .... = Congestion Window Reduced (CWR): Not set
       .0.. .... = ECN-Echo: Not set
       ..0. .... = Urgent: Not set
       ...0 .... = Acknowledgement: Not set
       .... 0... = Push: Not set
       .... .0.. = Reset: Not set
       .... ..1. = Syn: Set

   Options: (16 bytes)
       Maximum segment size: 1460 bytes
       SACK permitted


[ when enabling Window scale ]

enable window scale
# echo 1 > /proc/sys/net/ipv4/tcp_window_scaling

# tshark -i eth0 port 80 -w ws_enable.pcap
# wget http://www.google.com


syn packet
The client adds window scaling factor in TCP options.
   Flags: 0x02 (SYN)
       0... .... = Congestion Window Reduced (CWR): Not set
       .0.. .... = ECN-Echo: Not set
       ..0. .... = Urgent: Not set
       ...0 .... = Acknowledgement: Not set
       .... 0... = Push: Not set
       .... .0.. = Reset: Not set
       .... ..1. = Syn: Set

   Options: (20 bytes)
       Maximum segment size: 1460 bytes
       SACK permitted
       Timestamps: TSval 807482, TSecr 0
       NOP
       Window scale: 6 (multiply by 64)  <-  2**6  =64


In this case , Window size will be 1460 * 2**6 = 93440

[ how to change window scaling factor ]

You may change scaling factor by editing the following three files. ( receive buffer )

/proc/sys/net/ipv4/tcp_rmem
/proc/sys/net/core/rmem_default
/proc/sys/net/core/rmem_max

The scaling factor range is from 0 to 14.

- scaling factor : 0

# echo "4096 65535 65535" > /proc/sys/net/ipv4/tcp_rmem
# echo 65535 > /proc/sys/net/core/rmem_default
# echo 65535 > /proc/sys/net/core/rmem_max

   Options: (20 bytes)
       Maximum segment size: 1460 bytes
       SACK permitted
       Timestamps: TSval 1516864, TSecr 0
       NOP
       Window scale: 0 (multiply by 1)


window size : 1460 * 2**0 = 1460

- scaling factor : 1

# echo 131070 > /proc/sys/net/core/rmem_max
# echo 131070 > /proc/sys/net/core/rmem_default
# echo "4096 131070 131070" > /proc/sys/net/ipv4/tcp_rmem

   Options: (20 bytes)
       Maximum segment size: 1460 bytes
       SACK permitted
       Timestamps: TSval 1665986, TSecr 0
       NOP
       Window scale: 1 (multiply by 2)


window size : 1460 * 2**1 = 2920

- scaling factor : 2

# echo "4096 196605 196605" > /proc/sys/net/ipv4/tcp_rmem
# echo 196605 > /proc/sys/net/core/rmem_default
# echo 196605 > /proc/sys/net/core/rmem_max

   Options: (20 bytes)
       Maximum segment size: 1460 bytes
       SACK permitted
       Timestamps: TSval 1892175, TSecr 0
       NOP
       Window scale: 2 (multiply by 4)


- scaling factor : 3

# echo "4096 300000 300000" > /proc/sys/net/core/rmem_default
# echo 300000 > /proc/sys/net/core/rmem_max
# echo 300000 > /proc/sys/net/core/rmem_default

   Options: (20 bytes)
       Maximum segment size: 1460 bytes
       SACK permitted
       Timestamps: TSval 3386446, TSecr 0
       NOP
       Window scale: 3 (multiply by 8)


- scaling factor : 4

# echo 1048560 > /proc/sys/net/core/rmem_default
# echo 1048560 > /proc/sys/net/core/rmem_max
# echo "4096 1048560 1048560" > /proc/sys/net/ipv4/tcp_rmem

   Options: (20 bytes)
       Maximum segment size: 1460 bytes
       SACK permitted
       Timestamps: TSval 3644467, TSecr 0
       NOP
       Window scale: 4 (multiply by 16)


- scaling factor : 5

>>> 65535*2**5
2097120

scaling factor becomes 5 ???
# echo 2097120 > /proc/sys/net/core/rmem_default
# echo 2097120 > /proc/sys/net/core/rmem_max
# echo "4096 2097120 2097120" > /proc/sys/net/ipv4/tcp_rmem

   Options: (20 bytes)
       Maximum segment size: 1460 bytes
       SACK permitted
       Timestamps: TSval 3817108, TSecr 0
       NOP
       Window scale: 5 (multiply by 32)


- scaling factor : 6

>>> 65535*2**6
4194240
# echo 4194240 > /proc/sys/net/core/rmem_default
# echo 4194240 > /proc/sys/net/core/rmem_max
# echo "4096 4194240 4194240" > /proc/sys/net/ipv4/tcp_rmem

   Options: (20 bytes)
       Maximum segment size: 1460 bytes
       SACK permitted
       Timestamps: TSval 4000584, TSecr 0
       NOP
       Window scale: 6 (multiply by 64)


- scaling factor : 7

>>> 65535*2**7
8388480
# echo 8388480 > /proc/sys/net/core/rmem_default
# echo 8388480 > /proc/sys/net/core/rmem_max
# echo "4096 8388480 8388480" > /proc/sys/net/ipv4/tcp_rmem

   Options: (20 bytes)
       Maximum segment size: 1460 bytes
       SACK permitted
       Timestamps: TSval 4338817, TSecr 0
       NOP
       Window scale: 7 (multiply by 128)


- scaling factor : 8

>>> 65535*2**8
16776960
# echo "4096 16776960 16776960" > /proc/sys/net/ipv4/tcp_rmem
# echo 16776960 > /proc/sys/net/core/rmem_default
# echo 16776960 > /proc/sys/net/core/rmem_max

   Options: (20 bytes)
       Maximum segment size: 1460 bytes
       SACK permitted
       Timestamps: TSval 4465434, TSecr 0
       NOP
       Window scale: 8 (multiply by 256)


- scaling factor : 9

>>> 65535*2**9
33553920
# echo 33553920 > /proc/sys/net/core/rmem_default
# echo 33553920 > /proc/sys/net/core/rmem_max
# echo "4096 33553920 33553920" > /proc/sys/net/ipv4/tcp_rmem

   Options: (20 bytes)
       Maximum segment size: 1460 bytes
       SACK permitted
       Timestamps: TSval 4596689, TSecr 0
       NOP
       Window scale: 9 (multiply by 512)


scale factor 10 – 14 ….. I’m tired of checking … :(

No comments:
Labels: , ,
Subscribe to: Posts (Atom)