1 VINEGAR-IP - INSTRUCTIONS
3 This is a tool for IP transparency testing. It allows you to send a
4 wide variety of `interesting' packets from one nominated machine to
5 another, and then examine what arrived to see if there are any
8 Up to 3 hosts are involved: one to do the test dataset generation and
9 analysis, as well as of course the sender and receiver.
14 * On the machine you generate and analyse the test data
15 This Makefile and corresponding scripts
17 Tcl (as /usr/bin/tclsh)
18 Perl (as /usr/bin/perl)
19 OpenSSL (as `openssl' on PATH)
20 tcpdump for converting trace files only, no root privilege
21 GNU diff to look at the output
22 Lots of CPU ! (the generation script is rather slow)
24 * On the sending machine
25 tcpreplay (http://www.subterrain.net/tools/tcpreplay/,
26 or from Debian testing 3.5.2002. I used 1.0.1-1.1)
27 and root privilege to run it
29 * On the receiving machine
30 tcpdump for packet capture, and root privilege to run it
31 The `on-dest.sh' script that this Makefile creates
33 It will be much better if the source and destination machines do not
34 have any other traffic. If they do the tests may disrupt it, and
35 it'll get in the way of your analysis too.
40 1. Generate the test data.
42 You /must/ change SOURCE and DEST (or override them on
43 the `make' command line, if you prefer); they must be
44 <IPv4-address>/<ethernet-address>
45 You may also change PARTS, PERPART or MTU if you like.
46 * Say `make -j2 all'. This will generate the test data sets.
47 This will take a while. Vary the -j for your system.
48 If you want to do a quick test first, you can say
49 `make few' first, instead.
50 * Copy send-1.pcap and send-all.pcap to the sending machine.
51 * Copy on-dest.sh to the to the receiving machine.
53 2. Run the first, small test
54 * On the receiving machine, say, as root,
57 * On the sending machine, say, as root,
58 tcpreplay -m 1 <send-1.pcap
59 The -m 1 option makes tcpreplay send the packets at one a
60 second (they are generated as if they were captured at one
61 a second); this avoids flooding the network, which causes
62 congestion, packet loss and maybe other randomness.
63 This will take (by default) 100 seconds.
64 * When it has finished, kill on-dest.sh. Copy the
65 file recv-1.pcap back to your analysis machine, and
66 there say `make analyse' (or `make anal' if you prefer).
67 * This will generate `recv-1.log' and `recv-1.diff'.
68 Read the diff and see if it's by and large working.
69 See below for information about interpreting the various files.
72 Do the same as step 2, but instead of `1', say `all'
77 Those made by `make generate':
78 send-X.pcap `pcap' format raw test data files
79 (feed this to tcpreplay -m 1)
80 send-X.log tcpdump's interpretation of the test data
81 with line numbers added
82 send-X.why The generator's explanations (ha ha) of
84 on-dest.sh Script for running tcpdump on the destination
85 You really want to be paying attention to the ones where
86 X is `1' and `all'. The others, 2 onwards, are all in
87 `all' and it'll be easier to take them all at once.
89 Those supposedly captured at the destination
90 recv-X.pcap `pcap' format raw received packets
92 Those made during the analysis:
93 recv-X.log tcpdump's interpretation of the received packets
94 recv-X.diff difference between send-*.log and recv-*.log
97 INTERPRETATION OF THE TEXT FILES - EXAMPLE
99 Here is an example of a diff you might see:
102 453e 001c f194 0000 ff02 17bf ac12 2d23
103 ac12 2d06 1029 36f1 7daa 3b3b 0000 0000
104 0000 0000 0000 0000 0000 0000 0000
106 - 172.18.45.35 > 172.18.45.6: icmp: type-#75 (DF) [tos 0xe7] (ttl 255, id 30130)
107 - 45e7 0023 75b2 4000 ff01 52f2 ac12 2d23
108 - ac12 2d06 4b8c 34ba 4844 ce2d 1bde 5caf
109 - 0ab9 e600 0000 0000 0000 0000 0000
112 172.18.45.35.21814 > 172.18.45.6.21814: udp 12 (ttl 255, id 26421)
113 4500 0028 6735 0000 ff11 a241 ac12 2d23
115 This means that a packet which was sent, was not received. You can
116 see the actual hex contents, and tcpdump's interpretation, in the
117 lines marked with `-'. The changed numbers at the left are just the
118 packet numbers. You can use the numbers marked with `-' to find the
119 corresponding packet in the other files. Ignore the numbers marked
120 with `+', they aren't useful. In this case, it's packet 5 that's
121 missing. So, we can look in send-1.why or send-rest.why, as
122 appropriate, and see this:
124 1 5 tos=0xe7 id=30130 df (!any) proto=icmp[1] \
125 (any) type=75 (junk) l=11 code=140
126 45e7002375b24000ff0152f2ac122d23ac122d064b8c34ba4844ce2d1bde5caf0ab9e6
128 In send-all.why, these are prepended by another line number, which is
129 the one you should use, so it would look like this:
131 5 1 5 tos=0xe7 id=30130 df (!any) proto=icmp[1] \
132 (any) type=75 (junk) l=11 code=140
133 45e7002375b24000ff0152f2ac122d23ac122d064b8c34ba4844ce2d\
136 (The other two numbers are the batch and line within the batch.
137 I have wrapped this here with \ and some indentation for ease of
140 You can see the hex dump of the packet, which is the same as the one
141 in the tcpdump output, except that the tcpdump one has some extra
142 padding with zeroes to bring it to the minimum ethernet frame size.
143 You can also see some notes that the generator made:
145 tos=0xe7 id=30130 The IP TOS and ID
146 df The Don't Fragment flag was set (there would
147 be `frag' here if it was fragmented)
148 (!any) It picked a known next layer up [`(!any)']
149 proto=icmp[1] and the one it picked was protocol 1, icmp
150 (any) type=75 It picked an unknown next layer up, icmp type no.75
151 (junk) l=11 and gave it 11 bytes of junk payload
152 code=140 and an icmp code value of 140
155 Some more examples from send-*.why and send-*.log files:
157 17 2 7 tos=0x14 id=56320 !df (!any) proto=tcp[6] source_port=37365 \
158 dest_port=52759 (connect) seq=0xab57703f ack=0x6c55ec70 \
159 window=0xdd21 !p u urg=0xce6c (noopt) (!optxpad) !unexpdata \
162 172.18.45.35.37365 > 172.18.45.6.52759: S 2874634303:2874634303(0) \
163 win 56609 urg 52844 [tos 0x14] (ttl 255, id 56320)
165 This is a TCP SYN packet with urgent data, . However, it has been
166 generated with an invalid checksum: the checksum in the packet has
167 been XOR'd with 0x9a18.
169 59 6 9 tos=0x2f id=15886 !df (!any) proto=tcp[6] source_port=52650 \
170 dest_port=37162 (data) seq=0xec912ceb ack=0x8cd28874 \
171 window=1 !p !u urg=0xe427 (badopt) l=30 l=12
173 172.18.45.35.52650 > 172.18.45.6.37162: . 3968937195:3968937207(12) \
174 ack 2362607732 win 1 <[bad opt]> [tos 0x2f] (ttl 255, id 15886)
176 More TCP. This time it's a data packet. The urgent flag isn't set
177 (though the urgent pointer value is nonzero), and it has 30 bytes of
178 invalid option data and 12 bytes of actual data.
180 134 7 14 tos=0x4e id=12035 df (!any) proto=ip[4] \
181 source=206.78.180.32 dest=252.75.191.229 \
182 tos=0x94 id=14197 df (!any) proto=udp[17] (reply) \
183 port=remailck[50] port=20463 (resp-auth) auth=0xabcf
185 172.18.45.35 > 172.18.45.6: 206.78.180.32.50 > 252.75.191.229.20463: \
186 udp 12 (DF) [tos 0x94] (ttl 255, id 14197) (DF) \
187 [tos 0x4e] (ttl 255, id 12035)
189 IPv4 tunnelling. The outer packet has TOS 4e and ID 12035. Both The
190 inner packet is a reply from a UDP service `(reply)' from a well-known
191 port to a random port. The packet is according to the RFC1339 mail
192 check service on port 50, requesting authorisation from the client;
193 the server's authorisations' supported bitmap is allegedly 0xabcf.
195 15 1 15 tos=0x5b id=61344 df (!any) proto=udp[17] (random) \
196 port=20500 port=11701 l=2
198 172.18.45.35.20500 > 172.18.45.6.11701: udp 2 (DF) [tos 0x5b] \
201 This is a generic UDP packet from one random port (20500 in this case)
202 to another (11701). It has 2 bytes of data.
204 59 3 19 tos=0xa0 id=36385 !df (!any) proto=udp[17] (servers) \
205 port=dhcpserv[67] (!any) op=reply[2] (!any) htype=ethernet[1] \
206 hops=88 xid=0xd31e0dfe secs=149 flags=0x80 \
207 ciaddr=70.114.113.11 yiaddr=38.225.152.221 \
208 siaddr=98.91.71.52 giaddr=128.20.46.24 \
209 sname="yc3g27vvukig44qsx8lpud4e1.dbxxidju2ok3kipebqkd.pd2x\
210 89rdmrfz1dr" file="/o.h22gsn7s44yq2llx.v_-a+s_f421_iijnroam\
211 krpm7b674t7w.y3lfw8immrjaqpsu7.a.x.nev+j3hi/" (nocsum)
213 This is a UDP packet between well-known ports `(servers)'; the
214 generator only generates such packets with identical source and
215 destination ports, in this case the DHCP server port. (Usually DHCP
216 servers would talk to clients, not to each oehter.) There is a DHCP
217 packet whose details you can see. `(nocsum)' indicates that the UDP
218 checksum field in the UDP header is set to 0, indicating that no
219 checksum is to be performed.
222 # This file is part of vinegar-ip, tools for IP transparency testing.
223 # vinegar-ip is Copyright (C) 2002 Ian Jackson
225 # This program is free software; you can redistribute it and/or modify
226 # it under the terms of the GNU General Public License as published by
227 # the Free Software Foundation; either version 2, or (at your option)
230 # This program is distributed in the hope that it will be useful,
231 # but WITHOUT ANY WARRANTY; without even the implied warranty of
232 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
233 # GNU General Public License for more details.
235 # You should have received a copy of the GNU General Public License
236 # along with this program; if not, write to the Free Software Foundation,
237 # Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.