Tracing with Tools
- Anne Shroble
- Feb 11, 2016
1. Explain What a GUI-based traceroute tool is:
GUI stands for Graphical User Interface. This is what an end user uses every day to work on their computer. A traceroute is a tool used to follow the path which data takes to get from its source to its destination. It is like me leaving home at 555 South Home Street, and going to the store on 312 W. Store Street. The tool detects how many routers the data passes through to get to the final destination.
2. Why a technician would use a GUI traceroute tool:
Let’s say that I am working on my PC at work and I feel that it is running slower than dirt movement on a calm day. I call the IT person. A traceroute can be used to find out whether my data is going directly to its destination, or taking a slow boat through China or some other unauthorized destination. If the data path normally takes 6 hops, and now it is taking 7 or 8, there is unauthorized activity on the line.
A hop in computer lingo is defined as data passing through a router.
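The hop-count comparison described above can be automated by saving a known-good trace and diffing later traces against it. The Python below is an added example, not part of the original post or of any tool it discusses; the `tracert`-style output, its addresses and the function names are constructed for illustration. A changed path is a prompt to investigate, since load balancers and routine re-routing also change hop counts.

```python
import re

HOP_LINE = re.compile(r"^\s*(\d+)\s+(.*)$")         # "<hop number> <rest of line>"
IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")   # address of the responding router

# Constructed tracert-style output; addresses are private or documentation ranges.
BASELINE = """\
  1    <1 ms    <1 ms    <1 ms  10.0.0.1
  2     8 ms     7 ms     9 ms  203.0.113.1
  3    11 ms    12 ms    11 ms  203.0.113.9
  4    15 ms    14 ms    16 ms  198.51.100.4
  5    19 ms    18 ms    19 ms  198.51.100.30
  6    21 ms    20 ms    22 ms  192.0.2.50
"""
CURRENT = """\
  1    <1 ms    <1 ms    <1 ms  10.0.0.1
  2     8 ms     7 ms     9 ms  203.0.113.1
  3    40 ms    41 ms    39 ms  203.0.113.77
  4     *        *        *     Request timed out.
  5    52 ms    50 ms    51 ms  198.51.100.4
  6    55 ms    56 ms    54 ms  198.51.100.30
  7    58 ms    57 ms    59 ms  192.0.2.50
"""

def parse_trace(text):
    """Return one entry per hop: the responder's IP, or '*' if the hop timed out."""
    hops = []
    for line in text.splitlines():
        m = HOP_LINE.match(line)
        if m:
            ip = IPV4.search(m.group(2))
            hops.append(ip.group(0) if ip else "*")
    return hops

def compare(baseline_text, current_text):
    """Summarise how the current path differs from the known-good baseline."""
    base, cur = parse_trace(baseline_text), parse_trace(current_text)
    return {
        "hop_delta": len(cur) - len(base),   # +1 here: 6 hops became 7
        "new": [(n, ip) for n, ip in enumerate(cur, 1) if ip != "*" and ip not in base],
        "missing": [ip for ip in base if ip not in cur],
        "silent": [n for n, ip in enumerate(cur, 1) if ip == "*"],
    }

if __name__ == "__main__":
    for key, value in compare(BASELINE, CURRENT).items():
        print(f"{key}: {value}")
```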
3. How a technician would or should use a GUI traceroute tool:

This diagram was taken from Gregg, Michael. The Network Security Test Lab: A Step-by-step Guide. Print. Chapter 4; pg. 145; and drawn on Visio.
My understanding of this concept is that the data packet is sent from IP 192.168.1.20 (home), looking for 192.168.1.52. It travels to Router 1, which is not the final destination, so a signal goes back to “home” that says no; it goes to Router 2, no, not here, and back to home with a no. It goes out to each designated router, and back home, until it reaches the final destination. A technician can use this software to follow data paths and look for leaks, or data which has been directed astray by some wayward individual who may be looking to disrupt your business. In other words, to an unauthorized destination.
4. Let’s compare three traceroute tools. How they are alike or different:
1. NeoTracePro: "Trace Your Steps with NeoTrace - TechRepublic." TechRepublic. Web. 10 Feb. 2016. <http://www.techrepublic.com/article/trace-your-steps-with-neotrace/>.
NeoTrace by NeoWorx, is a simple-to-use networking tool that lets you find information about and troubleshoot network connections.
Overview: NeoTrace acts as a GUI for a few of the primary network troubleshooting commands like traceroute (or Windows’ tracert command), ping, telnet, and whois. It displays a graphical representation of the route (and any inline issues) from your local machine to a remote location. NeoTrace sends out ICMP* packets to the specified location. These packets can travel only a limited distance, which causes the packets to expire prematurely and return to NeoTrace. NeoTrace then takes the returned packets, examines them, and pieces together the route a normal packet would travel to the specified location. By this point, NeoTrace has collected information on all of the IP addresses:
the nodes that returned the packets,
when the packets expired,
and the total round-trip time of each packet.
With this information, NeoTrace assembles the names of the individual nodes, their locations, and the registrants of each node.
*The Internet Control Message Protocol (ICMP) is one of the main protocols of the Internet Protocol Suite. It is used by network devices, like routers, to send error messages indicating, for example, that a requested service is not available or that a host or router could not be reached.
NeoTrace produces a map looking somewhat like a flight vector map. This map shows the geographical image of the area where the network is located.
Failures: To run NeoTrace, one enters the destination URL into the location bar which causes NeoTrace to start sending out ICMP packets and collecting its data.
Following is the author's example:
The packets bounce off IP address 12.123.198.2 in St. Louis (node 5 of 16), then to IP address 12.122.5.221 in Chicago (node 8 of 16); from there, the information starts to break down. At the tenth node (IP address 209.1.169.173), both the location and the network are unknown (although the registrant is known). The 14th node gives up the IP address (64.14.80.154) and the network, but now both the location and the registrant are unknown. Once we get to node 15, the only information we have is the IP address (64.28.66.204). Finally, at our destination, node 16, we can see the IP address (64.28.67.81), the network (Exodus communications, Inc., Boston), and the registrant (VA Linux Systems), but no location.
Interestingly enough, if you run the whois command (by right-clicking the desired location and selecting External Applications | View Whois In Web Browser), you will see a question mark indicating an invalid IP address and that the information has been obtained either directly from the registrant or a registrar of the domain name other than Network Solutions. Switch the map view to Node View and you see that the destination shows a Response Time of None. On the Timing tab, you see that four packets were sent with 100 percent loss. We can now determine that the problem with the IP address is, in fact, the final destination.
The author gives a list of useful tools:
He suggests selecting the Show Map Of Location tool in NeoTrace (found in the right mouse menu); a new browser will open and a map of the area of the node will appear. MapBlast serves up these maps. One can view the geo location by clicking Show Satellite Photo of Location. Right-click on the desired node and select External Applications | Show Satellite Photo Of Location; a new browser window will open to the Terraserver pages to display a satellite image of the location. You can also copy node information to the clipboard for later viewing. Simply select the desired node, click the Copy/Paste icon in the Info pane, and then paste the information into a text editor.
Issues: The most common issue will be getting NeoTrace through a firewall. If you have to pierce through a firewall, three rules must be added to the firewall. Those rules must allow the following ICMP packet types through:
RECV Echo Reply
RECV Time To Live Expired
SEND Echo Request
You will also need to make sure that both ping and tracert are allowed through the firewall.
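What each of the three firewall rules contributes to the expiring-packet trace described in the overview can be seen in a small offline simulation. This Python code is an added example, not from the TechRepublic article or from NeoTrace; the path, addresses and function names are constructed for illustration.

```python
# ICMP message types (RFC 792) named in the three firewall rules.
ECHO_REPLY, ECHO_REQUEST, TIME_EXCEEDED = 0, 8, 11

# Constructed path: three routers, then the destination (hypothetical addresses).
PATH = ["10.0.0.1", "203.0.113.1", "198.51.100.7", "192.0.2.50"]

def send_probe(ttl, path):
    """Simulate one Echo Request: each router decrements the TTL, and the one
    that brings it to zero answers Time Exceeded; otherwise the destination
    answers with an Echo Reply."""
    for router in path[:-1]:
        ttl -= 1
        if ttl == 0:
            return TIME_EXCEEDED, router
    return ECHO_REPLY, path[-1]

def trace(path, allow_in, allow_out, max_hops=6):
    """Rebuild the route with TTL 1, 2, 3, ... through a firewall that passes
    only the listed ICMP types. '*' marks a reply the firewall dropped."""
    route = []
    if ECHO_REQUEST not in allow_out:
        return route                       # SEND rule missing: probes never leave
    for ttl in range(1, max_hops + 1):
        icmp_type, responder = send_probe(ttl, path)
        visible = icmp_type in allow_in
        route.append(responder if visible else "*")
        if icmp_type == ECHO_REPLY and visible:
            break                          # destination reached and seen
    return route

# All three rules present: every hop and the destination are visible.
ALL_THREE = trace(PATH, {ECHO_REPLY, TIME_EXCEEDED}, {ECHO_REQUEST})
# "RECV Time To Live Expired" missing: routers are invisible, destination shows.
NO_TIME_EXCEEDED = trace(PATH, {ECHO_REPLY}, {ECHO_REQUEST})
# "RECV Echo Reply" missing: routers show, but the trace never sees the end.
NO_ECHO_REPLY = trace(PATH, {TIME_EXCEEDED}, {ECHO_REQUEST})

if __name__ == "__main__":
    print("all three rules     :", ALL_THREE)
    print("no Time Exceeded in :", NO_TIME_EXCEEDED)
    print("no Echo Reply in    :", NO_ECHO_REPLY)
```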
You may also have to deal with platform compatibility. The NeoTrace application will only run natively on Windows 9x/NT/2000/XP. To run NeoTrace on the Macintosh platform, you have to run the application in a Virtual PC instance of Windows 98. There is no current plan for porting to Linux/UNIX/BSD, but I did successfully run NeoTrace in a Windows 2000 instance of VMware. (There’s always a way around issues when you’re using Linux.)
The full-blown version, NeoTrace Pro, is available from the NeoWorx Web site for $29.99 (for individual licenses). NeoWorx has a separate price scheme for multiple licenses that goes as low as $6 per user for 500-999 users.
2. VisualRoute:
VisualRoute Features from the website:
"VisualRoute - Traceroute and Reverse Trace - Traceroute and Network Diagnostic Tools." VisualRoute - Traceroute and Reverse Trace - Traceroute and Network Diagnostic Tools. Web. 10 Feb. 2016. <http://www.visualroute.com/>.
Traceroute: Key diagnostic data such as packet loss and response times are displayed in an easy to understand traceroute table. Hop by hop analysis makes it easy to pinpoint problem areas.
Reverse trace (remote agents): One of the most powerful features of VisualRoute (SupportPro edition) is the ability to create remote agents. Remote agents allow the user to perform a reverse trace between two locations without actually being present in either location.
Reverse DNS: Use VisualRoute to perform a reverse DNS lookup. This allows the user to uncover the IP address behind a domain name, such as www.visualware.com.
Ping plotting: Plot response times for any domain/IP address over a period of time. The data is displayed in an easy to read graph and data can be accessed historically.
Historical data: Past data can be easily accessed using VisualRoute. This allows the user to easily compare previous data which in turn makes it quicker to locate network problems.
Continuous traceroute: Traceroutes performed over a period of time make it easy to monitor performance degradation that can occur over large time spans.
IP Location Reporting: The physical geographical locations of network servers and routers is key information for understanding routing problems; viewing the actual route path on a global map provides an instant picture of routing efficiency and distances.
VisualRoute Features and Benefits
Graphical View of Traceroute provides key data in an easily digestible way. Results from several essential network diagnostic tools are integrated into an overall connectivity report, providing a graphical view of connection performance report including packet loss and latency for each network hop. Drill-down detail is easily visible with a mouse over any network hop.

Whois Lookups, Network Provider Reporting: Get instant lookups of domain information from worldwide databases, so you can see the registered 'owner' of an IP address or domain. See the contact information for the company providing Internet access for each hop of a network route, so you can easily report network problems.
OmniPath™ Multiple Path Discovery: Get real-time views of all possible routes to a destination and easily compare the performance of different routes. The common use of load-balancers creates multiple paths that data packets may travel between the source and destination.

NetVu™ Multiple Route Topology Graph: See a high-level view of all network routes for open trace reports, enabling easy identification of network nodes that are common to multiple routes, and network routes that have multiple path options due to load balancers or router configurations.
Application Port Testing, Port Probing, DNS Performance Testing: Trace specific application ports to test if your critical applications are up and responding as expected. VisualRoute measures and reports on DNS (domain name service) response time, which can have a significant effect on connectivity performance.
Traceroute Tests from Visualware Servers: Test from Visualware servers in Washington and London to test connectivity to your servers or network devices. This capability provides additional testing points to help identify network routes and network providers causing poor performance.
Continuous Connection Testing with Report History: Continuous network testing from the VisualRoute desktop to another network location supports automated cycling of connectivity tests to monitor performance degradation that may occur over long periods of time.
Reverse Traces from Remote Desktops Help Resolve Customer Connectivity Problems: The SupportPro Edition enables support staff to test connectivity in both directions: to/from the VisualRoute desktop and to/from remote systems. This capability provides visibility to connectivity problems that occur in one direction only, such as from the customer location to your server -- problems that are otherwise very difficult to pinpoint.
IPv6 Compatibility: IPv6 is the next generation of the Internet Protocol, the system by which data is transferred across the Internet. VisualRoute 2009 enables traces to IPv6 addresses, including IPv6 domain and network provider lookups.
3. Hping is our last traceroute utility:
Amazingly enough, I went to the manual page for this information. I’m feeling like “Compare that man”, (very poor imitation of Cheech Marin). Love that funny guy. I digressed, sorry.
Description:
hping2 is a network tool able to send custom TCP/IP packets and to display target replies like ping program does with ICMP replies. hping2 handles fragmentation, arbitrary packets body and size and can be used in order to transfer files encapsulated under supported protocols. Using hping2 you are able to perform at least the following stuff:
- Test firewall rules
- Advanced port scanning
- Test net performance using different protocols, packet size, TOS (type of service) and fragmentation.
- Path MTU discovery
- Transferring files between even really fascist firewall rules.
- Traceroute-like under different protocols.
- Firewalk-like usage.
- Remote OS fingerprinting.
- TCP/IP stack auditing.
- A lot of others.
It's also a good didactic tool to learn TCP/IP. hping2 is developed and maintained by antirez@invece.org and is licensed under GPL version 2.
Development is open so you can send me patches, suggestion and affronts without inhibitions.
FYI:
Time to live (TTL) or hop limit is a mechanism that limits the lifespan or lifetime of data in a computer or network. TTL may be implemented as a counter or timestamp attached to or embedded in the data. Once the prescribed event count or timespan has elapsed, data is discarded.
To recommend the tool I think may work best, I would have to download each one to my machine. Now you may think this a cop-out, but I’m working on my machine at home, and I refuse to download any more of this stuff and risk messing up my brand new computer. I know that we will be working on this in class, and I can and probably will get back to this blog and let you know for sure which was best. However, between the three, since I was able to find more info about the VisualRoute, and didn’t have to hunt and peck to find it, I probably would pick it. I’ve found in the past if the information is easily available, the seller is usually more interested in your satisfaction than anything else. Remember… always good customer service.
Thank you for your visit; I may be back with the results of the experiments from class. For all you inquisitive readers out there: knock your socks off and try these tools. You may find them to be a whole lot of fun.