monitoring udp connections

umbletech

IS-IT--Management
Jan 29, 2006
196
Hi All

Got an SMB client who uses a realtime app - they're in the transport industry. This app goes haywire periodically and costs them a lot of $. It has two parts: a gateway PC that talks to their trucks and a dispatch PC that has a link to one of their biggest clients.

Gateway PC goes to one DSL line, Snapgear Pro firewall/D-Link 500 DSL modem/router
Dispatch PC goes to another DSL line, Linksys WRT54G (they're using that as a firewall only) and Cisco 801 modem/router

Now unfortunately the two ISPs are related so an issue at one can take out both links. I'm moving one of the lines over to another ISP as fast as I can but it's tricky coz it's a 24/7 operation.

I was after at minimum a ping utility for udp. I've seen one on the web but can't find it.

The vendor is pointing the finger at the Linksys, saying it's not dealing with the UDP traffic. His explanation is that a firewall opens a port for UDP traffic, in this case 4240, and if traffic is going back and forth keeps it open. Some firewalls interpret this as an attack and keep closing the port.

So ideally I'm looking for something that will allow me to keep making logged udp connections through those lines.

The other thing I guess is just monitoring the status of the adsl connection. I could just run a ping -t to a logfile pointed at google. But I was hoping for something a little more sophisticated.


Much TIA all.
 
I found hping2 but I'm a Windows guy and it seems to be *nix only. Anyone got any ideas?
 
There are variants of KNOPPIX that contain hping2. Just download it, boot to the CD and run hping2. You can use a thumb drive for data storage, or the hard disk if one of the drives is formatted FAT32.

It is pretty painless, even if you are a "Windows guy."

Try downloading Penguin Sleuth Kit or Feather Linux:



pansophic
 
Thanks Pansophic

That gives me another option. Does knoppix let you write it to a log?

Trouble is I don't have a spare PC onsite :(

Ideally I want something with an endpoint that I could install on this server (course if it runs off an .exe even better). Similar to Ixia's Qcheck which I use for throughput testing, but unfortunately Qcheck doesn't do repeat tests and isn't scriptable.
 
If you are just trying to test for the UDP port being open, you may just want to create an AT job using NMAP. I know that NMAP is unreliable for UDP, but you could use WinDump to collect any possible return packets. Both could log, potentially with a date/time stamp so that you could synchronize responses.

Not nearly as good as hping, and a lot more labor, but it should work.

Yes, KNOPPIX would let you write the output to a log. With any *nix command, you can either redirect '>' or pipe to tee '| tee' any output to STDOUT and write it to a file. You can also redirect STDERR to a file using '2>' followed by the filename.

For nmap, try the following command as a starting point. You'll want to run this lots of times manually to see what the different options give you, so that you can make it accurate for your application. There are many other options for nmap, and some may prove to be more useful than what I have written down, but without seeing what is going on, it is hard to tell.

Code:
nmap -sU -PS80 -oA test --append_output -p 4240 -n --host_timeout 90000 <host_ip>

Options:
-sU -- Use UDP scanning
-PS80 -- Use a SYN ping to port(s). I chose 80, use whatever makes sense, or none at all (-P0 is don't ping)
-oA test -- Write out the results in all available formats (human readable, XML and grepable) with 'test' as the base filename
--append_output -- Don't overwrite the log files, append to them
-p 4240 -- Use destination port 4240
-n -- Don't do name resolution on the IP address
--host_timeout 90000 -- Don't let the scan run forever. Timeout after 90 seconds

You may want to specify the source port if your application uses a fixed source port, use '--source_port <port>' as a command-line option.

You may also want to specify a packet trace '--packet_trace' to see if it gives you any additional useful information.

You can find a copy of nmap for Windows out on the net. I think that SysInternals did the port and called it nmapNT. Also, you can find Ethereal out at
Don't forget to post the answer if you find it. I'm sure that many of us would be interested.


pansophic
 
Thx pansophic

eEye.com has a port. I found a Windows version of hping at but it doesn't seem to work with XP SP2 - anyone know of an update?
 
Did you download and install Cygwin? You will need the Cygwin environment to make this application work. Cygwin provides many of the Linux libraries (actually GNU libraries) so that a lot of Linux apps can be easily ported to Windows.

I believe that you can find links to it at

pansophic
 
Mmm... I think Kevin Johnson said his MSI on that site did all that - I'm getting the 1004 error which people on that site said was an SP2 thing. I'll try Cygwin when I get a chance - thx.
 
Whoops, forgot to say - I found a *nix util that would be perfect, uplog - but couldn't find a port. Anyone know of one?
 
uplog may work, but it is sending requests to UDP port 7 (echo), not to the specific port that you are trying to use. May not be as useful, however modifying the source code to reach the desired port is probably not prohibitive.

Don't be so afraid of Linux. Find an old machine around somewhere that no one else wants. A PII is probably fine. And if this problem is actually costing them money, a spare PC is EXTREMELY cheap insurance. As you can see, there are many applications on Linux that would have solved your problem already.


pansophic
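
Added example, not part of the thread and not code from uplog, hping or nmap: a logged UDP probe in Python that targets a chosen port (such as the 4240 mentioned above) instead of the echo port 7, and timestamps every reply or loss so gaps can be lined up with firewall or line events. It assumes the responder half can be run on the far end of the link; the names `start_echo_responder` and `probe` and the payload format are made up for this example.

```python
import socket, threading, time
from datetime import datetime

def start_echo_responder(host="127.0.0.1", port=0):
    """Far-end half: echo each datagram back to its sender. Returns (sock, port)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((host, port))              # port=0 lets the OS pick a free port
    def serve():
        while True:
            try:
                data, addr = sock.recvfrom(2048)
                sock.sendto(data, addr)
            except OSError:              # socket closed: stop the thread
                return
    threading.Thread(target=serve, daemon=True).start()
    return sock, sock.getsockname()[1]

def probe(host, port, count=5, interval=1.0, timeout=2.0, logfile=None):
    """Send numbered datagrams; return [(seq, rtt_ms or None)], None meaning lost."""
    results = []
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        for seq in range(count):
            payload = b"udpprobe %d" % seq
            sent, rtt = time.monotonic(), None
            try:
                sock.sendto(payload, (host, port))
                while rtt is None:       # skip late replies to earlier probes
                    data, _ = sock.recvfrom(2048)
                    if data == payload:
                        rtt = (time.monotonic() - sent) * 1000.0
            except OSError:              # timeout, or ICMP unreachable reported by the OS
                pass
            results.append((seq, rtt))
            status = "LOST" if rtt is None else "rtt=%.1fms" % rtt
            line = "%s %s:%d seq=%d %s" % (
                datetime.now().isoformat(timespec="seconds"), host, port, seq, status)
            print(line)
            if logfile:                  # append, so repeated runs build one log
                with open(logfile, "a") as fh:
                    fh.write(line + "\n")
            time.sleep(interval)
    finally:
        sock.close()
    return results

if __name__ == "__main__":
    _, demo_port = start_echo_responder()          # constructed local demo
    probe("127.0.0.1", demo_port, count=3, interval=0.5)
```

Raising `interval` between runs shows how long a firewall keeps its UDP mapping open: replies that stop arriving above a certain idle gap point at a state timeout rather than a dead line.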
 
Just as an aside for the community - if you want to test port connection before you've dropped the server in - run up IIS on your lappie and change the port it listens on. Hope that saves somebody some googling.
 