December 23, 2003

Network administration from a Linux desktop

Author: Chris Gulker

What started as a problem on my LAN turned into an opportunity to learn about the Linux tools for managing a network, many of which are built-in and just waiting to go to work in most Linux desktop distros.

It was also fortuitous that a copy of "Open Source Network Administration" by James M. Kretchmar had shown up in my mailbox. The book, and some Web pages offered by experienced network administrators, helped me both figure out what was wrong and learn more about the machines that make up my home LAN as well as the tools for managing the network.

About 90 minutes with the book gave me a good overview of Linux' network tools and what they do. SNMP commands allow monitoring and control of network devices, such as routers. Neo is a "wrapper" program that makes it easier to work with SNMP. tcpdump is a packet analyzer that lets you see the actual packet traffic on your network. There also monitoring programs -- Sysmon, Nagios, and MRTG -- which can run on your desktop or on a server and which can alert you to problems and allow a graphical view of network traffic.

Kretchmar, a network engineer at MIT is the author of Neo which is a kind of wrapper for all of the SNMP -- Simple Network Management Protocol -- routines built in to Linux and *NIX. Neo can talk to devices that "speak" SNMP and allows an admin to stop, start, monitor, and administer SNMP devices more easily than typing successive lower-level SNMP commands. My DSL modem/router turned out to be an SNMP device, and I could monitor its statistics by using Neo's netstat command -- a good first step in troubleshooting mysterious network slowdowns that we'd been seeing lately.

But the raw stats and port status of my router weren't the answer. Enter tcpdump, which provides a look at raw packets as they course over the network. Kretchmar cautions that tcpdump allows a peek at data that people may consider private and offers cautions about certain legal complications. But since is this my LAN, I just fired it up from the command line. You run tcpdump as root, in which case tcpdump will attempt to set your NIC card to "promiscuous" mode, which shows all packets on your network segment, and not just packets meant for the machine running tcpdump.

The Neo screen.

tcpdump is also limited by switched hubs, since they direct only the traffic meant for a given device to that device's port. With a little practice and reading up on protocols, I could see packets that represented http, dns, pop3, et al. on the private side of my LAN. tcpdump has two command-line options, -v and -vv, which print more and even more information, respectively. By connecting a machine running tcpdump to the unswitched hub built in to the dsl/modem router, I was able to view every packet coming and going from the Internet to my network.

Kretchmar also covers monitoring tools that can help automate detection of failed servers and processes. Sysmon is a program that will ping or make appropriate requests to http, pop3, and other kinds of servers to make sure they're up and operating OK (I wish I'd had it while I was trying to debug my email server problems). Sysmon can email or, using other programs, page or otherwise notify you when something on your network isn't working right. Another monitoring program, Nagios, has much more sophisticated capabilities but appeared to be more than I needed on my simple network.

MRTG, the Multi Router Traffic Grapher, creates graphical charts of bandwidth usage and any other SNMP variable by reading router traffic counters and creating colorful PNG graphics which it embeds in Web pages. Very handy if you've got limited bandwidth and want to manage it better, MRTG can also tip you off about things such as DDoS attacks by charting sudden spikes in demand; you can then use tcpdump to take a look at the packets.

Other good tools include ping, a staple which I don't need to say much about, and traceroute, which shows the paths packets take from your machine to a target on the network. More useful on networks bigger than mine, I thought.

In the end, tcpdump, running on a machine connected to my dsl modem's built-in hub spotted the problem. The dsl router, which is a "very old" model according to my ISP's support people, gets hung up looking for a machine that's no longer on the network, broadcasting a "who has?" arp request stream as fast as it can for several seconds, which chews up most of its 10MB bandwidth.

ISP says buy a new router, but just maybe I can use my newfound tools to figure out why my router has started doing this, and fix it.

Chris Gulker, a Silicon Valley-based freelance technology writer, has authored more than 130 articles and columns since 1998. He shares an office with 7 computers that mostly work, an Australian Shepherd, and a small gray cat with an attitude.

Click Here!