Why is he grinning like that?

A little personal note.

I have been walking around with a grin on my face for the past few hours. The reason: we now count one of the divisions of Cisco Systems as a customer of Unbrowse SNMP Power Features.

Yay !!

Even though this is not the biggest sale in dollar terms, I am honoured by the validation and acceptance of our one-year-old infant product Unbrowse SNMP by a company I admire greatly. Truly one of those moments that makes entrepreneurship worthwhile.

Thanks a lot guys and welcome aboard.


Soup up vi for C/C++

We have to take a small detour into Linux land and leave the comforts of the Visual Studio family. The reason: we are developing a small yet powerful remote analysis station for the upcoming release of Unsniff that can run on a commodity appliance. (Details later.)

So, I cleaned out a box (AMD X2 64-bit, Fedora 7) and set out to find the IDE I wanted. The candidates were:

  1. KDevelop
  2. Anjuta
  3. Eclipse
  4. OpenLDev

Eclipse
First, let's write off Eclipse. There were some posts on the internet claiming that if you replaced the stock Linux JVM with a current one from Sun, things would be faster. Call me irrational, but I cannot accept any latency while coding.

KDevelop
This won the best Linux IDE award organized by Linux New Media, so I installed this one. It was quite impressive. The only problem was that it crashed as soon as you typed something in the editor. I tried turning Word Completion off in both Settings->Configure KDevelop and Project->Options->C++. It still crashed. I had no energy to carry on, given that code completion was one of my main requirements.

Anjuta
This one seems good, but I was simply unable to install it. I installed all the dependencies by hand, but configure still could not find these two pkg-config packages:
No package 'gdl-1.0' found
No package 'gdl-gnome-1.0' found

I will probably revisit Anjuta later. I was also quite amazed to find that its lead developer is an Indian by the name of Naba Kumar, which would make him one of the biggest Indian contributors to open source. Side note: why don't we ever hear about these guys in the tech media?

OpenLDev
After running out of steam, this was a desperate attempt to find something. It installed fine, but the functionality was very minimal, and the editor was the stock gedit one.

I know I could probably get any of the above working if I spent time scrounging the internet for help. I decided instead to beef up vi to make it suitable for C++ development.

How to use vi for C++ development

Here are some tips to soup up your vi for C++ development. I hope someone will find this useful.

(screenshot: viart.jpg, vim folding C++ code)

1. First update to the latest vim. As root, type "yum update vim".

2. Enable code folding, add these lines in your $HOME/.vimrc

set fmr={,}
set fdm=marker

Now vi will fold your C++ code as shown in the screenshot; use the keystroke zR to open all folds or zM to close them all. See :help folding for other options. One caveat: with fdm=marker every brace in the file counts as a marker, including braces inside string literals and comments, so an unbalanced brace in a comment will throw the folds off.

3. Map a key to switch between C++ source (the CPP) and the Header (the H) file.

Add the following line to $HOME/.vimrc. The <F4> and <CR> key names are written out here; they are easily lost when the line is pasted into a web page, and without them the mapping is wrong:

map <F4> :e %:p:s,.h$,.X123X,:s,.cpp$,.h,:s,.X123X$,.cpp,<CR>

Now you can simply press F4 to toggle between the header and source file. %:p is the full path of the current file; the .X123X placeholder lets the two substitutions swap .h for .cpp and .cpp for .h without interfering with each other.

4. Install an excellent set of scripts called C.VIM available from

This script adds a ton of features such as automatic comment blocks, code block templates, and much more. The menus it adds only appear in gVim, the graphical version of vim.

5. Use vim tabbed editing.

Yes, you can open files in new tabs even in the terminal mode of vim. To do so, use

:tabe filename.h

To switch between tabs, press Ctrl+PageDown / Ctrl+PageUp (or gt / gT in normal mode, which also works in terminals that do not pass those key combinations through).

6. Use sessions to save all your tabs and file editing positions.

It will save you a ton of time while resuming work the next day. To use this feature :

Type :mks! whenever you want to save the current state of open windows, cursor positions, etc. This saves your current vim session, including all tab pages, into a file called Session.vim in the current directory. Next time, start with vim -S Session.vim. Voila, you are back exactly where you left off.

To facilitate this I aliased the session command in my shell:

alias svi='vim -S Session.vim'

7. Use code completion. Vim has built-in keyword completion.

Although not as good as VS (especially with Visual Assist, which we use for Windows development), it is very fast and almost good enough. To use it:

In insert mode, type part of a word and press Ctrl+P (or Ctrl+N). You will be presented with a list of matching identifiers from the open buffers, tags file, and included files; keep typing or select one of the options.
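Steps 2, 3, 5, 6 and 7 collected into one $HOME/.vimrc. This is an added example, not the original post's configuration: the F4 mapping is the classic header/source toggle with the key names spelled out, while the syntax-folding, session, and tags settings are choices of mine that the post does not make.

```vim
" ~/.vimrc for C/C++ work, combining the steps above (added example, not the post's own file).
set nocompatible
filetype plugin indent on
syntax on

" Step 2: folding. The post uses brace markers:
"   set fmr={,}
"   set fdm=marker
" That treats every '{' as a fold start, including braces inside strings and
" comments. With 'syntax on', the C syntax file folds real blocks instead:
set foldmethod=syntax
set foldlevelstart=99          " start fully unfolded; zM closes all folds, zR opens them

" Step 3: toggle foo.cpp <-> foo.h with F4.
" %:p is the current file's full path; the .X123X placeholder lets one expression
" swap .h -> .cpp and .cpp -> .h without the two substitutions colliding.
" nnoremap instead of map keeps the key out of insert/visual mode and ignores other maps.
nnoremap <F4> :e %:p:s,.h$,.X123X,:s,.cpp$,.h,:s,.X123X$,.cpp,<CR>

" Step 5: tabbed editing needs no setting (:tabe file, then gt / gT or Ctrl+PageUp/Down).

" Step 6: what :mks! records in Session.vim. Include tab pages and folds so that
" vim -S Session.vim restores the layout, not just the file list.
set sessionoptions=buffers,curdir,folds,tabpages,winsize

" Step 7: keyword completion with Ctrl+P / Ctrl+N. 'complete' lists where matches
" come from (current buffer, other windows, buffers, tags file, included files);
" 'tags' walks up from the file's directory so a project-level tags file is found.
set complete=.,w,b,u,t,i
set tags=./tags;,tags
```

Generate the tags file once per project with ctags -R in the project root; after that, Ctrl+P completes identifiers from headers that are not open in any buffer.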

So, for now we will continue to use vi for C++ development. Until we have some spare time to investigate Anjuta or get KDevelop to stop crashing.


[tags] vi, vim, C++, KDevelop, Anjuta [/tags]


Some Enterprise Traffic Analysis

Finally, we got some spare time to analyze a few traces available on the LBL-ICSI project website. We would like to extend a big thank you to these guys for making such a valuable resource publicly available.

The traces are available at http://bro-ids.org/enterprise-traces/hdr-traces05/

Tao Security has analyzed them at http://taosecurity.blogspot.com/2007/05/lbnlicsi-enterprise-tracing-project.html

This is a huge collection, 11 GB of traces. Ideally I would have liked to ingest the whole set, but bandwidth and time stopped me, so I picked a few traces.

The first thing to note is that these traces have their payloads stripped: only the first 54 bytes of each frame are captured, which is exactly the Ethernet header (14 bytes) plus an option-free IPv4 header (20) and TCP header (20). This precludes the advanced features like PDU, Stream, and User Objects from working, since nothing past the transport header is present. Secondly, we are better off doing "traffic analysis" rather than "protocol analysis" on this huge glob of data.

OK, enough talking; let's start.

Let's get our tools ready. There are good open source tools for this, such as capinfos and ntop, and Wireshark can draw IO graphs. You are welcome to try those, but we are going to put Unsniff R1.5 Beta to the task here.

Before we begin, let's convert Unsniff into a traffic monitor. We don't have full packet data anyway, so it makes sense to cut the "protocol analysis" fat and in the process gain speed and save memory. You can easily load several million packets into Unsniff in this mode.

  • Go to Tools->Customize->Advanced
  • Scroll down to the Advanced Capture item and set the “Do not store any packets” option to True.

Let's look at the first trace (import the file and switch to the Traffic tab).

(screenshot: lbl-big.jpg, Unsniff Traffic tab dashboard)

A real quick tour of the screen: the dashboard is completely configurable (via an XML file in the installation's Cfg directory) and the whole thing updates in "real time", which does not matter here because we are importing existing captures. In the above configuration we see top hosts, subnets, protocols, MAC pairs, and total bandwidth. Let's see what the capture tells us.

Subnets

(screenshot: lbl-subnet.jpg, top subnets)

OK, so it seems that 128.3.47.0, followed by 128.3.193.0, are the two most active subnets in this time period. Is this interesting information? Probably, but since we don't know much about those subnets, let's move on.

Protocols

What's going on here?

(screenshot: lbl-prot.jpg, top protocols)

We see that the capture is 91.19% netbios-ssn. What is that? It is TCP port 139, the NetBIOS session service, which in practice carries Microsoft SMB. Unfortunately Unsniff could not label it "SMB" because the packets were truncated before the SMB header began, so the name here comes from the port number alone. It seems we have a Microsoft shop. The second item, labelled '0', means non-IP traffic (a label we ought to make more descriptive).

Let's move to the other traces.

Trace from port 16, 15 Dec 2004 (23 MB): lbl-internal.20041215-0711.port016.dump.anon

This one contains about 350,000 packets.

First the bandwidth strip. It seems like we have a lightly loaded, bursty link here.

(screenshot: lbl-3-totbw.jpg, total bandwidth strip)

The subnets and other charts don't seem too interesting, so let's go straight to the protocols.

(screenshot: lbl-3-prot.jpg, top protocols)

We again have netbios-ssn (which we are sure is SMB), followed by HTTP and ncp (Novell NetWare Core Protocol, TCP port 524). We can also see something on port 11001, shown by number only; that would be worth investigating further. In my experience this is a fairly typical enterprise setup (except that I haven't seen much Novell NCP).

OK, next:

Trace from port 16, 4 Oct 2004 (11 MB): lbl-internal.20041004-1438.port016.dump.anon

About 170K packets.

So what kind of port is this? Let's look at the bandwidth chart.

(screenshot: lbl-2-totbw.jpg, total bandwidth strip)

We have sustained usage of about 3 Mbps, sometimes peaking at 14 Mbps. All right, let's see what applications are running on that port.

(screenshot: lbl-2-prot.jpg, top protocols)

Whoa! I didn't expect terabase and c1222-acse. A quick search tells us that "ANSI C12.22 is used in the electric energy industry" and that terabase provides "high speed search engine and database solutions". Keep in mind that both names are simply the IANA service names registered for those ports (TCP 4000 for terabase, 1153 for c1222-acse); they identify the port, not whatever is actually talking on it.

There are worms reported for port 4000 (the terabase port), but we can't know for sure without looking at the full data. Perhaps the network admin knows from experience whether this is legitimate traffic, but from a security standpoint we have reached a dead end with headers alone. Experts like Richard Bejtlich have been making a strong case for capturing the maximum amount of data your resources can handle.
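The two observations above, that the protocol labels are port lookups and that a 54-byte snaplen leaves nothing past the TCP header, are easy to see in code. The following is an added example and not Unsniff's code or anything from the LBL-ICSI project: it builds a small pcap inline from constructed frames, truncates them to 54 bytes the way the traces are, and produces the same kind of summary as the dashboard (source /24s, port-labelled services, an unlabelled bucket for non-IP frames). The service-name table and the sample addresses are constructed for the example; the "label by the lower port" rule is a common classifier heuristic, not a description of how Unsniff decides.

```python
"""Header-only traffic summary over a 54-byte-snaplen pcap (added example, not Unsniff code)."""
import socket
import struct
from collections import Counter

# Port -> IANA service name (constructed subset). This is the kind of lookup that
# yields labels like netbios-ssn, ncp, terabase and c1222-acse: it names the
# registered owner of the port, not the application actually using it.
SERVICE_NAMES = {80: "http", 139: "netbios-ssn", 524: "ncp",
                 1153: "c1222-acse", 4000: "terabase"}
SNAPLEN = 54  # 14 Ethernet + 20 IPv4 + 20 TCP, as in the LBL-ICSI header traces

def tcp_frame(src_ip, dst_ip, sport, dport, payload=b""):
    """Constructed Ethernet/IPv4/TCP frame (checksums left zero; only headers are read)."""
    eth = bytes.fromhex("001122334455" "66778899aabb" "0800")
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload

def arp_frame():
    """Constructed 42-byte ARP frame: ends up in the non-IP bucket."""
    return bytes.fromhex("ffffffffffff" "001122334455" "0806") + bytes(28)

def build_pcap(frames, snaplen=SNAPLEN):
    """Classic little-endian pcap, linktype 1, every frame cut to snaplen bytes."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)]
    for i, frame in enumerate(frames):
        captured = frame[:snaplen]
        out.append(struct.pack("<IIII", 1_102_000_000 + i, 0, len(captured), len(frame)))
        out.append(captured)
    return b"".join(out)

def read_pcap(data):
    """Yield (captured_bytes, original_length) per record of a classic pcap."""
    magic, _, _, _, _, _, linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("expected little-endian classic pcap with Ethernet frames")
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, orig_len = struct.unpack("<IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl_len], orig_len
        off += incl_len

def summarize(pcap_bytes):
    """Source /24 counts, port-labelled service counts, and how much payload survived."""
    subnets, services = Counter(), Counter()
    truncated = payload_bytes = 0
    for frame, orig_len in read_pcap(pcap_bytes):
        if orig_len > len(frame):
            truncated += 1
        ethertype = struct.unpack("!H", frame[12:14])[0]
        if ethertype != 0x0800 or len(frame) < 34:
            services["0 (non-IP)"] += 1  # the dashboard's unlabelled '0' bucket
            continue
        ihl = (frame[14] & 0x0F) * 4
        proto = frame[23]
        subnets["%d.%d.%d.0" % tuple(frame[26:29])] += 1
        if proto != 6:
            services["ip-proto-%d" % proto] += 1
            continue
        tcp = 14 + ihl
        if len(frame) < tcp + 20:
            services["tcp (truncated header)"] += 1
            continue
        sport, dport = struct.unpack("!HH", frame[tcp:tcp + 4])
        data_off = (frame[tcp + 12] >> 4) * 4
        port = min(sport, dport)  # heuristic: the lower port is the server side
        services[SERVICE_NAMES.get(port, str(port))] += 1
        # Whatever lies past the TCP header is all a protocol analyser could ever parse.
        payload_bytes += max(0, len(frame) - (tcp + data_off))
    return {"subnets": subnets, "services": services,
            "truncated": truncated, "payload_bytes": payload_bytes}

def sample_pcap(snaplen=SNAPLEN):
    """Constructed mix resembling the dashboard: mostly SMB, some HTTP, NCP, port 4000, ARP."""
    smb = bytes(4) + b"\xffSMB" + bytes(32)  # NetBIOS session header + SMB header
    frames = [tcp_frame("128.3.47.%d" % i, "128.3.193.20", 40000 + i, 139, smb)
              for i in range(1, 6)]
    frames += [tcp_frame("128.3.193.5", "128.3.47.9", 34567, 80, b"GET / HTTP/1.0\r\n\r\n"),
               tcp_frame("128.3.47.9", "128.3.193.5", 80, 34567, b"HTTP/1.0 200 OK\r\n"),
               tcp_frame("128.3.47.2", "128.3.193.7", 50001, 524),
               tcp_frame("128.3.193.8", "128.3.47.3", 50002, 4000),
               arp_frame()]
    return build_pcap(frames, snaplen)

if __name__ == "__main__":
    s = summarize(sample_pcap())
    total = sum(s["services"].values())
    for name, n in s["services"].most_common():
        print("%-14s %5.1f%%" % (name, 100.0 * n / total))
    print("truncated records:", s["truncated"], " payload bytes visible:", s["payload_bytes"])
```

With the 54-byte snaplen the "\xffSMB" marker written into the constructed frames never reaches the analyser (payload_bytes is 0), which is exactly why the dashboard can say netbios-ssn but not SMB; rerun summarize(sample_pcap(65535)) and the payload bytes appear.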

Interesting stuff indeed.

Note: these features are available only in the Unsniff Network Analyzer R1.5 Beta. If you would like to join the few who are participating, please send email to


[tags] network analysis, enterprise network analysis, unsniff [/tags]