This section discusses the packet-generation capabilities of the BSD ipfilter firewall package, the Linux kernel module packet generator, and some additional tools for heavy load testing and simulated denial-of-service (DoS) patterns. This arsenal is useful to test traffic shapers, forwarding, filtering performance, network quality of service (QoS), stateful inspection, and Network Address Translation (NAT), just to name a few. Traffic generators generally are concerned with a huge amount of output, whereas packet generators typically are used as a "scalpel" to test firewalls and protocol implementations/compliance.
CAUTION
Exercise extreme care when using these facilities in real-life networks; they are extremely powerful. Check the traffic with a sniffer; you will find what is going on pretty impressive.
The following tools have proven useful for packet and traffic creation as well as network testing. They are quite similar in nature, and it is really up to you to decide on a favorite:
Aicmpsend
Sendip
IP Sorcery (ipmagic/magic tools)
Excalibur
Hping2
Traffic (client/server)
Scapy
Example 6-6 presents aicmpsend, sendip, and ipmagic in action. You can deploy them to test security installations and protocol behavior. See the "Recommended Reading" section at the end of this chapter for download locations of these tools.
[root@callisto:~#] aicmpsend -d 192.168.1.1 ?E
ICMP packet: 1 TTL=64
Sending ICMP error from 127.0.0.1 to 192.168.1.1.
Data: ICMP error: Echo

[root@callisto:~#] sendip -p ipv4 192.168.1.254

[root@callisto:~#] ipmagic -h
Usage: ipmagic [options]
IP: [-is|-id|-ih|-iv|-il|-it|-io|-id|-ip]
    -is: source host or address def. 127.0.0.1
    -id: source destination or address def. 127.0.0.1
    -ih: IP header length def. 5
    -iv: IP version def. 4
    -il: Time-to-Live def. 64
    -it: Type-of-Service def. 0
    -io: IP frag offset [(D)on't Fragment | (M)ore Fragments | (F)ragment | (N)one]
    -i:  IP packet ID for fragmentation def. 0
    -ip: IP protocol [TCP | UDP | ICMP | IP] def. TCP
    -iO: IP options
TCP: [-ts | -td | -to | -tq | -ta | -tf | -tw | -tu]
    -ts: TCP source port, def. rand()
    -td: TCP destination port def. 80
    -to: TCP data offset of header def. 5
    -tq: TCP sequence number def. rand()
    -ta: TCP ack sequence number def. 0
    -tf: TCP flags [(S)yn | (A)ck | (F)in | (P)ush | (R)st | (U)rg | (N)one] def. S
    -tw: TCP Window Size def. rand()
    -tu: TCP urg pointer def. 0
UDP: [-us | -ud | -ul]
    -us: UDP source port def. rand()
    -ud: UDP destination port def. 161
    -ul: UDP length
RIP: [-uR |-uRc |-uRv]
    -uR:  Send default RIP packet to port 520
    -uRc: RIP command [RQ | RS | TN | TF | SR | TQ | TS | TA | UQ | US | UA] def. RQ
          For a list of RIP commands run program with -h rip
    -uRv: RIP version [1 | 2] def. 2
    Note: Entry Tables should be used with response packets [RS | TS | US]
    -uRa(1 | 2 | etc.): RIP Entry table Address exmp. -uRa1
    -uRn(1 | 2 | etc.): RIP Entry table Netmask, exmp. -uRn2
    -uRh(1 | 2 | etc.): RIP Entry table Next Hop, exmp. -uRn(num)
    -uRm(1 | 2 | etc.): RIP Entry table Metric
    -uRr(1 | 2 | etc.): RIP Entry table Route Tag
    -uRe: Add default RIP entry table to packet
ICMP: [-ct | -cs]
    -ct: ICMP type def. ECHO REQUEST
    -cs: ICMP sub code def. 0
    -ci: ICMP sequence ID def. 0
    For list of ICMP Types and Subcodes run program with -h icmp.
IGMP: [-gt | -gc | -ga | -gn]
    -gt: IGMP type [D | L | M | MT | MR | P | R1 | R2 | R3] def. M
    -gc: IGMP sub code for types P and D def. 0
    -gm: IGMP Max. resp. Time for Queries ie. MR
    -ga: IGMP group address def. 0
    -gn: IGMP no router alert or no internetwork Type-Of-Service [r | i | | ]
    For list of IGMP Types and Subcodes run program with -h igmp.
OSPF: [-ov | -ot | -or | -oe | -oa | -ou]
    -ov: OSPF Version
    -ot: OSPF Type [(H)ello | (D)b Desc. | (R)equest | (U)pdate | (A)ck]
    -or: OSPF Router ID
    -oe: OSPF Area ID
    -oa: OSPF Auth Type [(N)one | (P)ass | (C)rypto]
    -ou <data>: OSPF Authentication Data
    -D "<data>": for datapayload
    -N <num packets>: send <num packets> number packets
    -S <verbosity>: (v)erbose, (s)hort, (t)urn off packet snoop
    -v: print version
The BSD ipfilter stateful firewall package comes equipped with the following tools primarily designed for firewall testing:
ipsend
ipresend
iptest
Consult the manual pages for further information. Example 6-7 and Example 6-8 present demonstrations of the BSD iptest, ipsend, and ipresend tools.
[root@castor:~#] iptest
Usage: iptest [options] dest
options:
    -d device    Send out on this device
    -g gateway   IP gateway to use if non-local dest.
    -m mtu       fake MTU to use when sending out
    -p pointtest
    -s src       source address for IP packet
    -1           Perform test 1 (IP header)
    -2           Perform test 2 (IP options)
    -3           Perform test 3 (ICMP)
    -4           Perform test 4 (UDP)
    -5           Perform test 5 (TCP)
    -6           Perform test 6 (overlapping fragments)
    -7           Perform test 7 (random packets)

[root@castor:~#] iptest -d ed0 -g 192.168.7.254 -1 192.168.14.1
Device: ed0
Source: 192.168.7.7
Dest: 192.168.14.1
Gateway: 192.168.7.254
mtu: 1500
1.1. sending packets with ip_hl < ip_len 7
1.2. sending packets with ip_hl > ip_len 12
1.3. ip_v < 4 3
1.4. ip_v > 4 15
1.5.0 ip_len < packet size (size++, long packets) 63
1.5.1 ip_len < packet size (ip_len-, short packets) 10
1.6.0 ip_len > packet size (increase ip_len) 63
1.6.1 ip_len > packet size (size--, short packets) 10
1.7.0 Zero length fragments (ip_off = 0x2000)
1.7.1 Zero length fragments (ip_off = 0x3000)
1.7.2 Zero length fragments (ip_off = 0xa000)
1.7.3 Zero length fragments (ip_off = 0x0100)
1.8.1 63k packet + 1k fragment at offset 0x1ffe 65792
1.8.2 63k packet + 1k fragment at offset 0x1ffe skip 12800 skip 37376 skip 61952 65792
1.8.3 33k packet 33536
1.9. ip_off & 0x8000 == 0x8000
1.10.0 ip_ttl = 255
1.10.1 ip_ttl = 128
1.10.2 ip_ttl = 0
[root@castor:~#] ipsend
Usage: ipsend [options] dest [flags]
options:
    -d           debug mode
    -i device    Send out on this device
    -f fragflags can set IP_MF or IP_DF
    -g gateway   IP gateway to use if non-local dest.
    -I code,type[,gw[,dst[,src]]]  Set ICMP protocol
    -m mtu       fake MTU to use when sending out
    -P protocol  Set protocol by name
    -s src       source address for IP packet
    -T           Set TCP protocol
    -t port      destination port
    -U           Set UDP protocol
    -v           verbose mode
    -w <window>  Set the TCP window size
Usage: ipsend [-dv] -L <filename>
options:
    -d           debug mode
    -L filename  Use IP language for sending packets
    -v           verbose mode

[root@castor:~#] ipsend -i ed0 -P tcp -g 192.168.7.254 192.168.14.1
Device: ed0
Source: 192.168.7.7
Dest: 192.168.14.1
Gateway: 192.168.7.254
mtu: 1500

[root@castor:~#] ipresend
Usage: ipresend [options] <-r filename |-R filename>
    -r filename  snoop data file to resend
    -R filename  libpcap data file to resend
options:
    -d device    Send out on this device
    -g gateway   IP gateway to use if non-local dest.
    -m mtu       fake MTU to use when sending out
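The malformed headers that iptest sends in test 1 (bad ip_v, ip_hl larger than ip_len, ip_len not matching the packet size, zero-length fragments, the reserved 0x8000 bit in ip_off, ip_ttl of 0) are exactly the conditions a packet filter or IDS in front of the test target must catch. The following checker is an added example, not part of the book or of the ipfilter package; it packs constructed IPv4 headers with the standard library and reports which iptest-style anomaly each one exhibits. The helper names, the sample addresses and the test-number annotations in the messages are this example's own.

```python
import socket
import struct

IP_MF = 0x2000        # "More Fragments" flag in ip_off
IP_RESERVED = 0x8000  # reserved high bit in ip_off (iptest 1.9 sets it)
IP_OFFMASK = 0x1FFF   # fragment offset bits
HDR = "!BBHHHBBH4s4s"  # 20-byte IPv4 header layout (no options)

def ipv4_header(version=4, ihl=5, total_len=20, frag_off=0, ttl=64, proto=6,
                src="192.168.7.7", dst="192.168.14.1"):
    """Pack a constructed 20-byte IPv4 header; the checksum is left at 0."""
    return struct.pack(HDR, (version << 4) | ihl, 0, total_len, 0, frag_off,
                       ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def check_ipv4_header(pkt):
    """Return the list of iptest test-1 style anomalies found in a raw IPv4 packet."""
    problems = []
    if len(pkt) < 20:
        return ["truncated: fewer than 20 bytes"]
    vihl, _tos, ip_len, _id, ip_off, ip_ttl, _proto, _csum, _s, _d = struct.unpack(HDR, pkt[:20])
    ip_v, ip_hl = vihl >> 4, (vihl & 0x0F) * 4   # ip_hl is counted in 32-bit words
    if ip_v != 4:
        problems.append(f"ip_v={ip_v} (iptest 1.3/1.4)")
    if ip_hl < 20:
        problems.append(f"ip_hl={ip_hl} below minimum header length")
    if ip_hl > ip_len:
        problems.append("ip_hl > ip_len (iptest 1.2)")
    if ip_len != len(pkt):
        problems.append(f"ip_len={ip_len} != packet size {len(pkt)} (iptest 1.5/1.6)")
    if ip_off & IP_RESERVED:
        problems.append("reserved bit 0x8000 set in ip_off (iptest 1.9)")
    if (ip_off & (IP_MF | IP_OFFMASK)) and ip_len <= ip_hl:
        problems.append("zero-length fragment (iptest 1.7)")
    if ip_ttl == 0:
        problems.append("ip_ttl = 0 (iptest 1.10.2)")
    return problems

if __name__ == "__main__":
    # constructed samples: one clean header and the malformed variants iptest sends
    samples = {
        "clean": ipv4_header(),
        "bad version": ipv4_header(version=3),
        "ip_hl > ip_len": ipv4_header(ihl=15),
        "ip_len mismatch": ipv4_header(total_len=40),
        "reserved bit": ipv4_header(frag_off=IP_RESERVED),
        "zero-length frag": ipv4_header(frag_off=IP_MF),
        "ttl zero": ipv4_header(ttl=0),
    }
    for name, pkt in samples.items():
        print(f"{name:18s} -> {check_ipv4_header(pkt) or ['ok']}")
```

Feeding the checker the raw bytes captured by a sniffer while iptest -1 runs shows whether the device under test passed any of the malformed headers through.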
The Linux packet generator requires kernel support built as a loadable module (pktgen.o); it is driven through /proc/net/pg by a script derived from its documentation (pktgen.txt in the Linux 2.4.x kernel documentation folder). The source code of this script is provided in Example 6-9.
#! /bin/sh
modprobe pktgen

# write one setting to the pktgen control file and report failures
pgset() {
    local result
    echo "$1" > /proc/net/pg
    result=`fgrep "Result: OK:" /proc/net/pg`
    if [ "$result" = "" ]; then
        fgrep Result: /proc/net/pg
    fi
}

# start the injection and print the result line
pg() {
    echo inject > /proc/net/pg
    cat /proc/net/pg
}

pgset "odev eth0"                 # set output interface
pgset "dst 192.168.7.7"           # set IP destination address
pgset "count 40000"               # set number of packets to send
#pgset "multiskb 1"               # use multiple SKBs for packet generation
#pgset "multiskb 0"               # use single SKB for all transmits
#pgset "pkt_size 9014"            # sets packet size to 9014
#pgset "frags 5"                  # packet will consist of 5 fragments
#pgset "ipg 5000"                 # sets artificial gap inserted between packets
                                  # to 5000 nanoseconds
#pgset "dstmac 00:00:00:00:00:00" # sets MAC destination address
#pgset stop                       # aborts injection
# call pg to start the injection once the settings above are in place
This family of tools provides network performance information and benchmarking, usually through a client/server approach that allows very accurate end-to-end information and statistics to be collected. These tools are powerful and complex; refer to the repository documentation for further details. Some interesting representatives of this family of tools are as follows:
Netperf (Network Performance Benchmarking)
NetPIPE (Network Protocol Independent Performance Evaluator)
ttcp/wsttcp (Test TCP [TTCP]; a benchmarking tool for measuring TCP and UDP performance)
NOTE
A thorough discussion of network performance measurement would dive too much into stack internals and go far beyond the scope of this book.