Monday, July 23, 2012

Network Engineers Favourite Free Network Tools

From sniffing to mapping and monitoring, these ten utilities perform surprisingly sophisticated tasks.


Wireshark

To be fair, Wireshark was mentioned in the original article as one of those tools that's so popular that including it in the original top 10 network tools would be essentially repeating old news. Some readers believed, however, that Wireshark is so good it deserved a mention.

Wireshark is a network protocol analyzer or sniffer and is the continuation of the well-known Ethereal project. A protocol analyzer "listens" to a network, records all of the packets seen on the connection and presents a detailed analysis of those captured packets. Properly placed, a good sniffer can provide reams of data invaluable for network troubleshooting and monitoring.

The problem is in the presentation of the information. Simply producing a text file of raw packet output is difficult to analyze. A good protocol analyzer needs to be able to take that information and present it to a network administrator in a summary format, and Wireshark does that.
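The summary-versus-raw-bytes point above is easiest to see in code. The following is an added example, not Wireshark's own code: it decodes a raw Ethernet/IPv4/TCP frame with `struct`, verifies the IPv4 header checksum, and produces the kind of one-line summary a packet list shows. The sample frame is constructed inline (source 192.168.1.10, destination 203.0.113.5 from the RFC 5737 documentation range); the function names are this example's own.

```python
import struct

# Added example (not Wireshark code): decode a raw Ethernet/IPv4/TCP frame into the
# kind of one-line summary a protocol analyzer shows in its packet list.
ETH_HLEN = 14
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP, PROTO_UDP = 6, 17
TCP_FLAGS = ((0x02, "SYN"), (0x10, "ACK"), (0x08, "PSH"), (0x01, "FIN"), (0x04, "RST"), (0x20, "URG"))


def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 when run over a header whose checksum field is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def summarize_frame(frame: bytes) -> dict:
    """Parse Ethernet -> IPv4 -> TCP/UDP headers and return a summary dict.
    Truncated or malformed frames are reported in the dict rather than raising."""
    if len(frame) < ETH_HLEN:
        return {"error": "truncated ethernet header"}
    _dst_mac, _src_mac, ethertype = struct.unpack("!6s6sH", frame[:ETH_HLEN])
    if ethertype != ETHERTYPE_IPV4:
        return {"protocol": "0x%04x" % ethertype, "info": "non-IPv4 frame"}
    ip = frame[ETH_HLEN:]
    if len(ip) < 20:
        return {"error": "truncated ipv4 header"}
    (ver_ihl, _tos, total_len, _ident, _frag, ttl, proto,
     _cksum, src, dst) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if (ver_ihl >> 4) != 4 or ihl < 20 or len(ip) < ihl:
        return {"error": "bad ipv4 header"}
    summary = {
        "src": ".".join(map(str, src)),
        "dst": ".".join(map(str, dst)),
        "ttl": ttl,
        # Re-running the checksum over the header including its checksum field yields 0 if intact
        "checksum_ok": ip_checksum(ip[:ihl]) == 0,
    }
    payload = ip[ihl:total_len]
    if proto == PROTO_TCP and len(payload) >= 20:
        sport, dport, seq, _ack, off_flags, win = struct.unpack("!HHIIHH", payload[:16])
        names = [n for bit, n in TCP_FLAGS if off_flags & bit]
        summary.update(protocol="TCP", sport=sport, dport=dport,
                       info="%d -> %d [%s] Seq=%d Win=%d" % (sport, dport, ", ".join(names), seq, win))
    elif proto == PROTO_UDP and len(payload) >= 8:
        sport, dport, ulen, _ucksum = struct.unpack("!HHHH", payload[:8])
        summary.update(protocol="UDP", sport=sport, dport=dport,
                       info="%d -> %d Len=%d" % (sport, dport, ulen - 8))
    else:
        summary.update(protocol="IP proto %d" % proto, info="transport header not decoded")
    return summary


def build_tcp_syn_frame() -> bytes:
    """Constructed sample input: a TCP SYN from 192.168.1.10:51234 to 203.0.113.5:80
    (RFC 5737 documentation address), with a valid IPv4 header checksum."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    tcp = struct.pack("!HHIIHHHH", 51234, 80, 1000, 0, (5 << 12) | 0x02, 65535, 0, 0)
    ip_no_cksum = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64,
                              PROTO_TCP, 0, bytes([192, 168, 1, 10]), bytes([203, 0, 113, 5]))
    ip_hdr = ip_no_cksum[:10] + struct.pack("!H", ip_checksum(ip_no_cksum)) + ip_no_cksum[12:]
    return eth + ip_hdr + tcp


if __name__ == "__main__":
    s = summarize_frame(build_tcp_syn_frame())
    print("%s -> %s %s %s" % (s["src"], s["dst"], s["protocol"], s["info"]))
```

The checksum check is the kind of detail a good analyzer surfaces and a raw hex dump hides: a frame whose header checksum fails is either corrupted in transit or was captured before an offloading NIC filled it in, and the summary makes that visible at a glance.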

Wireshark can provide deep inspection of hundreds of protocols, and more are added with each release. It can also import traces from other programs (tcpdump, Cisco IDS, Microsoft Network Monitor and Network General to name a few) so analyzing information from other sources is a breeze. It runs on Windows, Linux, Mac OS and other operating systems.

If you are going to administer a network, big or small, a protocol analyzer is a necessary tool. Wireshark fits the bill.

The Dude

Knowing that services are available on your network is a good thing, but knowing when services go down as soon as (or better yet before) your users and customers do is essential. The Dude is a network management package that excels in so many areas it is hard to believe a freeware tool can offer so much.

After installation, like many network management packages, The Dude begins with a network discovery process. You input the IP address range or network to discover plus the type of discovery (such as ping or services). This produces a basic network map from which you can customize the types of monitoring. The colour of a device on the map changes from green to orange if a service goes down and to red if all connectivity is lost.

Monitoring includes simple pings, services based on TCP port number, SNMP probes and the ability to log into machines to acquire more specific data. The Dude comes with a preconfigured services set so as to not overwhelm monitoring, but it's trivial to add user-customized services. While it can do so, The Dude isn't designed for discovering services offered by machines on your network. For that you'll want Nmap, which is discussed later.

Without decent notification options, though, network management packages lose much of their usefulness. This isn't a problem for The Dude. In addition to the map, you can configure a variety of notification modes, from pop-up windows to e-mail messages. In one test, I manually shut off access to MySQL on my Linux Snort IDS box. The Dude popped up a flag and sent me a customized e-mail within a few seconds. You may wish to tweak probe intervals, because a lot of false positives would be a distraction.
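The trade-off between fast notification and false positives comes down to how many failed probes a monitor demands before it raises an alert. The following is an added example, not part of The Dude: a small per-device state machine that tracks consecutive probe failures per service, declares a service down only after a configurable number of them, emits recovery notices, and computes the green/orange/red map colour described above. The device name, service names and probe history are constructed for the example.

```python
from dataclasses import dataclass, field

# Added example (not part of The Dude): per-device probe bookkeeping that only raises
# an alert after several consecutive failed probes, so one dropped poll does not page anyone.
GREEN, ORANGE, RED = "green", "orange", "red"


@dataclass
class DeviceMonitor:
    name: str
    services: tuple                      # e.g. ("ping", "ssh", "mysql"); "ping" stands for basic reachability
    failure_threshold: int = 3           # consecutive failures before a service is declared down
    fails: dict = field(default_factory=dict)
    down: set = field(default_factory=set)
    notifications: list = field(default_factory=list)

    def record(self, probe_results: dict) -> str:
        """Feed one probe cycle ({service: True if the probe succeeded}); returns the map colour."""
        for svc in self.services:
            if probe_results.get(svc, False):
                self.fails[svc] = 0
                if svc in self.down:
                    self.down.discard(svc)
                    self.notifications.append("%s: %s recovered" % (self.name, svc))
            else:
                self.fails[svc] = self.fails.get(svc, 0) + 1
                if self.fails[svc] >= self.failure_threshold and svc not in self.down:
                    self.down.add(svc)
                    self.notifications.append("%s: %s down after %d consecutive failed probes"
                                              % (self.name, svc, self.fails[svc]))
        return self.colour()

    def colour(self) -> str:
        """Green: all services up; orange: some down; red: every probe, reachability included, failing."""
        if not self.down:
            return GREEN
        if set(self.services) <= self.down:
            return RED
        return ORANGE


def simulate() -> tuple:
    """Constructed probe history for a hypothetical 'snort-ids' host polled every few seconds."""
    mon = DeviceMonitor("snort-ids", ("ping", "ssh", "mysql"))
    cycles = [
        {"ping": True, "ssh": True, "mysql": False},   # single dropped probe: no alert
        {"ping": True, "ssh": True, "mysql": True},
        {"ping": True, "ssh": True, "mysql": False},
        {"ping": True, "ssh": True, "mysql": False},
        {"ping": True, "ssh": True, "mysql": False},   # third failure in a row: mysql declared down
        {"ping": False, "ssh": False, "mysql": False},
        {"ping": False, "ssh": False, "mysql": False},
        {"ping": False, "ssh": False, "mysql": False}, # host unreachable: all services down
        {"ping": True, "ssh": True, "mysql": True},    # recovery
    ]
    colours = [mon.record(c) for c in cycles]
    return colours, mon.notifications


if __name__ == "__main__":
    colours, notes = simulate()
    print(" ".join(colours))
    print("\n".join(notes))
```

With a threshold of 3 and a short probe interval, a genuine outage is still reported within seconds while a single lost packet is ignored; raising the threshold or lengthening the interval trades detection latency for fewer spurious e-mails.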

The Dude comes as a standard client/server package. You can run the client and server on one computer, or run the server on one computer and connect to it from another machine. It also offers a Web interface (http and/or https) for remote access. Various accounts can be created, from a read-only version for help-desk type operations to full administrative access for network managers.

The Dude has so many features and is so versatile that it easily can fit into just about any network monitoring environment. With the ability to nearly instantaneously inform a network administrator of problems, it can be a very cost-effective support tool that your end users will be glad you implemented.

Nmap/Zenmap

Nmap is one of those programs that has been around so long it's virtually considered a staple of a networker's bag of tools. But even though the functionality of Nmap has remained strong, it has grown beyond a Linux-based command-line tool. Today's Nmap provides quick information using a crisp graphical user interface (GUI) called Zenmap.

Nmap's function is simple: discover what ports are open on a target machine or range of target machines. Knowing what ports are open is helpful for many reasons. Not sure how many Web servers are running in your environment? Worried the firewall configuration you pushed out with Group Policy isn't effective? Then run Nmap, concentrating on those ports you assume are blocked by your firewall. Concerned that your users' machines may be running a Trojan known to listen on TCP port 25192? Then perform an Nmap scan (behind firewalls) for that port on your entire address space.

Zenmap runs common Nmap scan commands and displays the actual command-line command in a window for verification. You can also modify the command manually or run Nmap completely from the command prompt. Although Zenmap is a great interface for Nmap, it doesn't replace the need for knowing what it is you are actually scanning for.

Nmap is one of those "initial probe" tools that hackers love to use to discover vulnerabilities on a target network. Use it on your network before they do, or you may be in reactive mode when you could have been proactive.
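Running a scan of your own address space only helps if the result is compared against what each host is supposed to expose. The following is an added example, not Nmap or Zenmap code: it parses Nmap's grepable (`-oG`) output format and reports every open TCP port that is either on a never-allowed list (Telnet, and the port the text above cites for a Trojan listener) or not on the host's allow-list. The scan output, hostnames, allow-list and reasons are all constructed for the example.

```python
import re

# Added example (not part of Nmap or Zenmap): compare the open ports Nmap reports
# against what each host is supposed to expose, so a scan of your own address space
# turns into a short list of findings instead of a wall of output.

# Constructed sample in Nmap's "grepable" (-oG) output format; not a real scan.
SAMPLE_GNMAP = """\
# Nmap scan initiated (constructed sample)
Host: 192.168.1.10 (web01)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///, 8080/open/tcp//http-proxy///\tIgnored State: closed (996)
Host: 192.168.1.20 (fileserver)\tPorts: 23/open/tcp//telnet///, 445/open/tcp//microsoft-ds///\tIgnored State: filtered (998)
Host: 192.168.1.30 (desktop)\tPorts: 25192/open/tcp/////\tIgnored State: closed (999)
Host: 192.168.1.40 (printer)\tStatus: Up
"""

# Hypothetical allow-list: TCP ports each host is meant to have open.
POLICY = {
    "192.168.1.10": {22, 80, 443},
    "192.168.1.20": {445},
}

# Ports that should never be open anywhere on this network (reasons are this example's own).
FORBIDDEN = {
    23: "Telnet is unencrypted; remote management should use SSH",
    25192: "port the article cites as a known Trojan listener",
}

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Ports:\s+(.*?)(?:\t|$)")


def parse_gnmap(text: str) -> dict:
    """Return {ip: (hostname, {open TCP ports})} from grepable output.
    Each port entry is port/state/proto/owner/service/rpc/version/."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        ip, name, ports_field = m.groups()
        open_ports = set()
        for entry in ports_field.split(", "):
            fields = entry.split("/")
            if len(fields) >= 3 and fields[1] == "open" and fields[2] == "tcp":
                open_ports.add(int(fields[0]))
        hosts[ip] = (name, open_ports)
    return hosts


def check_policy(hosts: dict, policy: dict, forbidden: dict) -> list:
    """Return (ip, port, reason) for every open port that is forbidden or not allow-listed."""
    findings = []
    for ip, (_name, open_ports) in sorted(hosts.items()):
        allowed = policy.get(ip, set())
        for port in sorted(open_ports):
            if port in forbidden:
                findings.append((ip, port, forbidden[port]))
            elif port not in allowed:
                findings.append((ip, port, "open port not in the allow-list for this host"))
    return findings


if __name__ == "__main__":
    for ip, port, reason in check_policy(parse_gnmap(SAMPLE_GNMAP), POLICY, FORBIDDEN):
        print("%s tcp/%d: %s" % (ip, port, reason))
```

Hosts that answer a ping but report no port line (the printer above) drop out of the comparison, so a scan that was blocked by a host firewall produces no findings rather than a false "all clear"; a scheduled run of this check against a saved allow-list is a cheap way to notice when a pushed firewall policy did not take effect.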

ZipTie

Admit it. You have many devices on your network, but no easy method of storing the configurations of your routers, switches and firewalls.

Maybe you do store configurations, but it's via a cumbersome file transfer process, cut and paste, or some other time-consuming method that is not only a drain on time but may not always work the way you would like it to.

Sure, some vendors have proprietary packages to manage the configurations of their equipment, but what about configuration management in a heterogeneous environment? How many networks out there are truly composed of a single vendor's equipment? Even in a single-vendor network, wouldn't it be wonderful to manage those configurations without paying the network vendor's licensing and maintenance fees for their packages?

ZipTie is an open-source, no-cost product designed to provide multivendor network equipment configuration management. It allows for discovery of network devices, backup and restoration of configurations, and comparison of configurations among devices or over time (to track changes). As a bonus feature, it also contains several basic network design and management tools, including a subnet calculator (who doesn't need one of those?).

There is nothing magic about ZipTie. It is, at the core, a nice front end to communication protocols (SNMP, Secure Shell (SSH), Telnet, HTTP, Trivial File Transfer Protocol and so on), and it uses those protocols to discover and consolidate information on network devices. Do you manage your network devices with HTTP running on a non-standard port? No problem; just create another protocol entry and specify the desired port.

One drawback is that ZipTie only supports a small number of network vendors in its core release. However, being open source, a large and growing database of user-submitted add-on modules extends the functionality of ZipTie significantly. These add-ons provide SNMP Management Information Base (MIB) data so that ZipTie can recognize the devices.

Installing ZipTie is somewhat more complicated than installing some of the other reviewed tools. Read the prerequisites page before downloading and installing. Links are provided for the Sun Java Development Kit and Perl for the server, and the Sun Java Runtime for the client. Install these first. Be sure to change the default administrator password before using it on your production network. It's not intuitive how to do so, but the documentation explains it: a command must be run at the command-line interface on the server.

ZipTie does operate in a true client/server model, so you can have one source for your configuration management and still let multiple clients manage it via the client piece. It's definitely worth looking into. If a particular module doesn't exist for one of your network devices, consider submitting a module yourself. That is, after all, the backbone of open source.
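Comparing configurations over time is only useful if the comparison ignores the lines that change on every save and draws attention to the ones that matter. The following is an added example, not ZipTie code: it normalizes two saved copies of a router configuration, diffs them with `difflib`, and separates out the changed lines that touch security-relevant commands. The two configurations, the volatile-line pattern and the sensitive-command list are constructed for the example and would need extending per platform.

```python
import difflib
import re

# Added example (not ZipTie code): diff two saved copies of a device configuration,
# ignoring lines that change on every save, and flag changes to security-relevant commands.

# Lines that differ between otherwise identical backups (timestamps); hypothetical set
VOLATILE = re.compile(r"^!\s*(Last configuration change|NVRAM config last updated|Time:).*$")
# Commands whose modification deserves a closer look; hypothetical, extend per platform
SENSITIVE = re.compile(r"\b(password|secret|access-list|snmp-server community|username|transport input|enable)\b")

# Constructed IOS-style configurations: an earlier backup and the current running config.
OLD_CONFIG = """\
! Last configuration change at 09:12:01 UTC Mon Jul 23 2012
hostname edge-rtr
!
interface GigabitEthernet0/1
 description uplink to ISP
 ip address 203.0.113.2 255.255.255.252
!
line vty 0 4
 transport input ssh
!
"""

NEW_CONFIG = """\
! Last configuration change at 14:30:55 UTC Mon Jul 23 2012
hostname edge-rtr
!
interface GigabitEthernet0/1
 description uplink to ISP (100M)
 ip address 203.0.113.2 255.255.255.252
!
snmp-server community public RO
line vty 0 4
 transport input telnet ssh
!
"""


def normalize(config: str) -> list:
    """Drop blank and volatile lines and trailing whitespace so only real changes show up."""
    return [line.rstrip() for line in config.splitlines()
            if line.strip() and not VOLATILE.match(line.strip())]


def compare_configs(old: str, new: str) -> dict:
    """Return the added/removed lines and the subset that touches security-relevant commands."""
    diff = list(difflib.unified_diff(normalize(old), normalize(new),
                                     "backup", "current", lineterm="", n=0))
    changed = [line for line in diff[2:] if line[0] in "+-"]   # skip the two file-header lines
    return {
        "changed": changed,
        "security_relevant": [line for line in changed if SENSITIVE.search(line)],
    }


if __name__ == "__main__":
    result = compare_configs(OLD_CONFIG, NEW_CONFIG)
    print("\n".join(result["changed"]))
    print("security-relevant:", len(result["security_relevant"]))
```

In the constructed pair, the changed description is reported but not flagged, while the newly added SNMP community and the reopening of Telnet on the VTY lines are, which is exactly the distinction a nightly backup-and-compare job should make before someone reads the full diff.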

NetStumbler

If you manage wireless networks and have never used NetStumbler, you need to. NetStumbler is, at the core, an interface between what your 802.11 wireless card "sees" and what you see. It presents all of the wireless networks found in different formats, including individual transmitter signal strength or aggregate information grouped by Service Set Identifier (SSID), channel, or whether the network is secured or "open."

NetStumbler is the de facto tool for war drivers, as it easily identifies networks within range of a client. War drivers look for open wireless networks, and a corporate network that has improperly configured and/or installed wireless access points is ripe for exploitation. NetStumbler is a cheap tool for conducting surveys to find these potential network entry points.

What about strength of signal surveys? Do you have one of those "regular" help desk callers who insists that the wireless network always becomes hard to use at a certain time of day? Take a laptop with NetStumbler and let it run unattended (in a secured location, of course) on site. You'll have a real-time log of signal strength data for troubleshooting. At least you can conclusively show if there is a drop in your access point's signal -- or a drop in connectivity from interference associated with that 2:30 p.m. nuking of a burrito in the local (and leaky) microwave.

There's a reason why NetStumbler has been around for so long. It works, and it's useful. Anyone who manages a wireless network, or even those looking for a Wi-Fi hot spot, needs NetStumbler.

Nessus

Nessus has been one of the staples of a networker's bag of free tools for years. With more than 20,000 vulnerability checks (plug-ins), Nessus is a powerhouse application no network or security administrator should be without.

Like Nmap, Nessus was rather cumbersome to use from the command line in the early days, and its output was difficult to decipher. It also ran on Linux, so a Linux server was necessary for scanning. But this isn't your father's Nessus, as it installs and runs easily on Windows with a crisp GUI.

After installation, scanning can commence immediately, or a regular download of updated scanning plug-ins can be configured. There are two such plug-in feeds: the Direct feed provides plug-ins as soon as they become available and is available for a fee, while the Registered feed is free, but its plug-ins become available seven days after they appear in the Direct feed.

Updating your scans is important, and if you don't think that changes can occur in a short period of time, think again.

I went two weeks without updating my scan information and when I ran a new scan it found more than 7MB of new information I needed to download. So don't think that the free subscription database isn't kept up to date.

If your network infrastructure permits it, Nessus can run on anyone's machine. If you don't have the infrastructure to protect against scans, and you have publicly accessible ports, beware: finding a vulnerability can be as easy as an intruder running Nessus on your net. The same advice applies here as for Nmap: run it before the hackers do.

PuTTY

It wasn't too long ago that managing network devices via Telnet was commonplace. Telnet, that venerable terminal emulation program, was the first main link between the old hard-wired terminals of the mainframe days and a distributed networked environment. Yet Telnet, in all its glory, has one major problem that makes it unsuitable to remote access today: it's unencrypted.

Enter PuTTY, a free SSH client for Windows platforms. It provides for encrypted command-line interface access to network equipment running an SSH server. For those older devices that will only respond to Telnet, there is a Telnet option as well.

PuTTY is a small program but big on options for secure access to your network equipment and servers running an SSH daemon.

As with many other terminal emulators, PuTTY allows for logging of sessions. You can save your session settings as well. Also included in the package are a secure FTP (SFTP) client for encrypted file transfers and an RSA and DSA key generation utility.

PuTTY is one of those rare small freeware packages with huge benefits. It should be the first tool on your networker's USB stick (everyone has one, right?) if you have a need for secure access to network equipment or secure file transfers, as you will use it often.

And a couple of the author's favourites

Our readers had several good suggestions for tools, but to round out your tool kit, here are a few more utilities I have found to be indispensable over the years.

Active Ports

Active Ports is a small utility designed to show - in real time - what processes have what ports open on a machine. The processes are linked by program, making this a very handy tool for discovering programs using network resources that might not be obvious.

There isn't much to Active Ports. Running it produces a window showing the active (open) TCP and UDP ports on the user's system. True, you can get most of this information via the netstat command, but the difference here is easily finding the program that opened the connection.

Active Ports does what many of these tools do: take information available elsewhere and present it in a format that is easily accessible and understandable - two important considerations for a network administrator tracking problems.

Suppose you performed an analysis on your network with Wireshark because your Internet connection usage had suddenly spiked, and Wireshark showed that 95 percent of your bandwidth was used by one machine on your network listening on a specific TCP port. Or perhaps you performed a proactive Nmap scan and found that several machines on your network were listening on a specific TCP port. You would need to know what process has opened that port to be able to solve the root cause of the problems. Running Active Ports on a machine provides that valuable information instantly.

Multi Router Traffic Grapher

I have written about Multi Router Traffic Grapher (MRTG) before, but it deserves mention here because it's such a useful program and is very popular among network administrators. There are other graphic monitor programs out there, but nothing beats this old standard.

MRTG, like most of these tools, is a program that provides a useful representation of data gleaned from standard sources. The most common MIB variable that is polled is interface traffic statistics, but any MIB variable can be graphed. MRTG requires a Web server, and default displays give one day, one week and one year statistics.

The methodology is simple: poll network devices every five minutes via SNMP for the desired variable(s) and then present the data via a graph in a Web page covering three basic periods of time. Using this data for traffic usage, for example, it's trivial to establish a baseline for "normal" traffic on your network and determine when perhaps you need to throw more money at bandwidth.

MRTG takes SNMP data and displays it graphically so baselines can be recorded, trends analyzed and anomalies detected not just in traffic flow but any aspect of a network device that has an SNMP MIB attribute.

Because MRTG presents SNMP data, any such data can be graphed. It's not uncommon to graph ambient temperature, CPU utilization or number of connected clients. The bottom line: if SNMP can report it, MRTG can graph it. Of course, because the data is displayed as an HTML page, it can be accessed from anywhere on the Internet, or standard controls such as .htaccess passwords can limit access to the data to authorized personnel.

SNMP Traffic Grapher

Like its big cousin, MRTG, SNMP Traffic Grapher (STG) takes SNMP data and presents it in a graph form. But it doesn't need a back-end Web server, nor does it need to be refreshed every time statistics are updated. Think of STG as a real-time MRTG application. In fact, it was developed to be a companion to MRTG.

STG can provide timely information just when you need it most. Think of when you want to make a network change and you're worried how it will affect traffic. Maybe you're loosening restrictions and afraid the egress bandwidth will spike. Or perhaps you're activating VPN on your firewall and are worried that CPU utilization will go up.

STG, like MRTG, can graph any SNMP MIB variable, but the difference is that information is displayed in real time. That's its main strength. STG is as configurable as it needs to be; enter the MIB value, the polling time and the display output. That's all.

Like MRTG, STG displays in a graphical format any SNMP MIB variable, such as inbound and outbound traffic as shown here.

STG is invaluable not so much for trending (use MRTG for that) but for checking in real time how network changes affect performance. We often have to make changes we don't want to in the middle of the business day. Knowing how that affects performance before the end user notices problems is essential.
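Both MRTG (five-minute polls, long-term trend pages) and STG (real-time display) rest on the same arithmetic: interface counters such as ifInOctets only ever increase, so the grapher keeps the previous reading and turns the difference into a rate, and it has to cope with a 32-bit counter wrapping back to zero, which on a busy gigabit link happens in well under five minutes. The following is an added example, not MRTG or STG code, covering the methodology described in both sections above: counter-to-rate conversion with wrap correction, the same function at a one-second interval for real-time use, and a simple baseline check of the kind the MRTG section suggests. The counter readings and the baseline factor are constructed for the example.

```python
# Added example (not MRTG or STG code): the arithmetic behind an SNMP traffic graph.
# Interface counters such as ifInOctets are cumulative, so a grapher stores the previous
# sample and converts the difference into a rate; a 32-bit counter wraps at 2**32 octets.


def octet_rate(prev: int, cur: int, interval_s: float, bits: int = 32) -> float:
    """Bits per second between two samples of an octet counter, correcting for one wrap.
    bits=64 covers the high-capacity ifHCInOctets/ifHCOutOctets counters."""
    delta = cur - prev
    if delta < 0:                      # counter wrapped between samples
        delta += 2 ** bits
    return delta * 8 / interval_s


def rates_from_samples(samples: list, interval_s: float = 300, bits: int = 32) -> list:
    """Turn a series of raw counter readings (one per poll) into per-interval rates.
    The default interval is MRTG's five minutes; a real-time grapher like STG polls every second."""
    return [octet_rate(a, b, interval_s, bits) for a, b in zip(samples, samples[1:])]


def flag_anomalies(rates: list, baseline_len: int, factor: float = 3.0) -> list:
    """Indices of intervals whose rate exceeds factor times the mean of the first baseline_len intervals."""
    baseline = sum(rates[:baseline_len]) / baseline_len
    return [i for i, r in enumerate(rates) if i >= baseline_len and r > factor * baseline]


# Constructed ifInOctets readings at five-minute intervals: steady ~4 Mbit/s, a wrap of the
# 32-bit counter between the third and fourth polls, then a burst in the last interval.
SAMPLE_COUNTERS = [4_000_000_000, 4_150_000_000, 4_294_000_000,
                   100_000_000, 250_000_000, 1_450_000_000]


if __name__ == "__main__":
    rates = rates_from_samples(SAMPLE_COUNTERS)
    flagged = flag_anomalies(rates, baseline_len=4)
    for i, r in enumerate(rates):
        print("interval %d: %.2f Mbit/s%s" % (i, r / 1e6, "  <-- above baseline" if i in flagged else ""))
```

Without the wrap correction the third interval would come out as a large negative rate and a naive grapher would either plot garbage or silently drop the sample; with it, the wrapped interval is reported at its true rate and only the final burst is flagged against the baseline.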
