Thursday, 3 September 2009

Unix Load

In Linux, determining load is simple.

Two simple commands to get a load summary include:
w
The command w(ho) provides a snapshot by user of who is logged into the system. Here I am being naughty and am running this snapshot as 'root'. Ideally, I should be logging in as my account and using this to run the command (with sudo to escalate privileges).

'w' provides a user-by-user snapshot of the *NIX system load.

And next:
uptime
Uptime gives a summary of the load over time (3 points) and the system uptime.

If you really want to know, the answer is top.
top
Top is a command-line display of the 'top' processes using the system resources on a *NIX system. The output, update rate and many other features are configurable from the command line, which can be instigated as simply as entering 'ntop'.

In addition, there is 'ps'. But this can wait for another time.

Figure: My Grandfather’s first IT equipment


Tuesday, 1 September 2009

ARPWatch

Another answer to ARP poisoning attacks is in monitoring systems.

Yesterday I mentioned ArpFreeze. An alternative solution is Arpwatch.

Arpwatch monitors network activity for ARP/IP pairings. It uses this information to create a database that can be parsed and set to alert by email on changes. This way, when an alternate ARP/IP match comes up, you will know about it. This is a common tool in the *NIX world and can easily be set to monitor server systems and selected workstations for ARP poisoning attacks.

One thing to note is that these types of tools do little to help in DHCP environments (though they can produce some useful DHCP allocation statistics).

Arpwatch is based on libpcap. It can also be fed information from captures, and this can be used to report on events after the fact (e.g. forensics and incident handling). This is NOT the default behaviour and it does require some alteration to the standard program use and behaviour.

A kludge, but the simplest means of using Arpwatch with a pcap file is to replay it. Use a loopback or otherwise null interface and send the packet capture to it. Have Arpwatch listen on that interface and there you go. A tool such as Netdude is effective for this.

Another alternative is ArpSNMP

Arpsnmp has the same database features as arpwatch. The distinction is that it uses an external agent for the collection of data, specifically an SNMP collector. Arpfetch is a script that comes with the package and which uses snmpwalk (from the CMU SNMP package) to collect the ARP tables.

The ArpWatch man page is available online.
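To make the database-and-alert idea above concrete, here is an added example (my own code, not arpwatch's) that models how such a tool classifies each observed sender pairing: a new IP is a "new station", an IP that moves to an unseen MAC is a "changed ethernet address", and an IP that moves back to a MAC it was paired with before is a "flip flop". The sample pairings are constructed, and the same run() function can be fed pairings pulled from a pcap for after-the-event review.

```python
from dataclasses import dataclass, field

@dataclass
class Station:
    mac: str                                    # MAC currently paired with the IP
    previous: set = field(default_factory=set)  # MACs this IP was paired with before

class ArpDatabase:
    def __init__(self):
        self.stations = {}   # ip -> Station
        self.alerts = []     # (timestamp, event, ip, old_mac, new_mac)

    def observe(self, mac, ip, ts):
        """Record one ARP sender pairing; return the event it raises, or None."""
        mac = mac.lower()
        st = self.stations.get(ip)
        if st is None:
            self.stations[ip] = Station(mac)
            return self._alert(ts, "new station", ip, None, mac)
        if mac == st.mac:
            return None      # same pairing as last time: nothing to report
        # The IP now answers from a different MAC. If it is one we have seen
        # for this IP before, arpwatch calls it a flip flop; otherwise the
        # Ethernet address has changed (the pattern a poisoning attempt leaves).
        event = "flip flop" if mac in st.previous else "changed ethernet address"
        st.previous.add(st.mac)
        old, st.mac = st.mac, mac
        return self._alert(ts, event, ip, old, mac)

    def _alert(self, ts, event, ip, old, new):
        self.alerts.append((ts, event, ip, old, new))
        return event

# Constructed sample of (mac, ip, unix timestamp) sender pairings; not a real capture.
SAMPLE = [
    ("00:11:22:33:44:55", "192.168.1.10", 1251648000),
    ("00:11:22:33:44:66", "192.168.1.1",  1251648005),
    ("00:11:22:33:44:55", "192.168.1.10", 1251648060),  # repeat: silent
    ("de:ad:be:ef:00:01", "192.168.1.1",  1251648120),  # gateway IP claimed by new MAC
    ("00:11:22:33:44:66", "192.168.1.1",  1251648180),  # original gateway MAC again
]

def run(sample=SAMPLE):
    """Feed pairings (live, or parsed from a pcap after the fact) and return alerts."""
    db = ArpDatabase()
    for mac, ip, ts in sample:
        db.observe(mac, ip, ts)
    return db.alerts
```

On the sample this reports two new stations, then a changed Ethernet address for the gateway IP followed by a flip flop when the original MAC answers again.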

In coming days I shall be covering how to use this tool for after-the-event collection and processing of information...


Monday, 31 August 2009

ArpFreeze

For a small break from the recent run of PCap based programs I am going to look at ARPFreeze tonight. This is also a move from *NIX to Windows.

Some of the earlier tools I have introduced (such as Netdude and Ettercap) allow a user to test systems using ARP poisoning attacks. They also allow attackers to do the same.

ARPFreeze stops these attacks dead in their tracks (then there still is a DoS, but this is more likely to be noted).

The tutorial on IronGeek is excellent, so I will point you there instead of doing a number of screenshots. What you need to know is that ARPFreeze allows you to create a static table of hosts that will remain each time the system is updated. That is, reboot and the old static values are stored (something that has been a simple part of Unix for decades).

This does require extra work. If a network card changes, you will need to change all of the static mappings. Not a big issue on a small network, but it does become tedious quickly on a large network.

What I would recommend is to use this with Group Policy and startup settings for systems. Adding this to Group Policy and a centrally deployed server will make updating systems far easier.

Caveat: Remember that if you change a static system, you need to change all of the systems that access it.

Overall, a great tool if used wisely.

Sunday, 30 August 2009

ChaosReader

Where: http://sourceforge.net/projects/chaosreader/files/

What: Chaosreader is an "any-snarf" program that is designed to "fetch telnet sessions, FTP files, HTTP transfers (HTML, GIF, JPEG, ...), SMTP emails, ... from the captured data inside network traffic logs".

Use can be as simple as specifying a pcap format file, as can be seen in the example below.
At this stage the script will create a web page linking all of the network traffic.
Where there is data of interest, you can click through and see the details of the packet or session.
All of these features are available in tools such as Ethereal, but with a far greater footprint. Chaosreader allows you to create a simple summary of the activity in a network capture without going to the same level as a high end protocol analyser.