In this article we will show how to install and use the network monitoring tool My Looking Glass, or mylg. mylg is still early in its development, but it already supports many useful features, for example a packet analyzer, a web dashboard, port scanning and more. We will install it on Ubuntu 16.04 LTS.
What mylg can diagnose in a network
1) Real time trace route (support IPv4 and IPv6 networks)
2) Enhanced dig command
3) TCP/IP packet analyzer
4) Enhanced HTTP Ping and Dump
5) Port scanning commands
6) Peer information
7) Network LAN discovery
8) Collect ASN and IP/CIDR information
9) DNS lookup information
How to install mylg
The mylg software is written in the Go programming language. It also requires libpcap as a dependency, so install both:
sudo apt-get install libpcap-dev golang
Next we need to get the mylg deb package:
wget http://mylg.io/dl/linux/mylg.amd64.deb
And then install it:
sudo dpkg -i mylg.amd64.deb
Now we can start it, and the welcome screen will greet us:
mylg
With that, the installation is done. Let's move on to using it.
Using mylg packet analyzer
mylg contains powerful packet-analyzing functionality that relies on libpcap and is somewhat comparable to Wireshark, so that is the first feature we will test. To capture and analyze packets we use the dump command:
dump -c 7
It should capture and analyze up to 7 packets; we got 6. As I have an active SSH connection to the KVM Ubuntu instance that is running mylg, it captures the communication between the VM and the host. Here is what I got:
Notice that protocols are colored, and the host where mylg runs is shown in bold. To get more specific output you can use Berkeley Packet Filter (BPF) syntax and its long list of modifiers. For example, to capture only UDP packets you can type:
local> dump -c 3 udp
Interface: ens3, capture size: 6144 bytes
13:03:04.351 IPv4/UDP 192.168.122.1:17500(db-lsp-disc) > 192.168.122.255:17500(db-lsp-disc) , len: 145
13:03:04.355 IPv4/UDP miki-Standard-PC-i440FX-PIIX-1996.:40595 > 192.168.122.1:53(domain) , len: 0
13:03:04.355 IPv4/UDP 192.168.122.1:53(domain) > miki-Standard-PC-i440FX-PIIX-1996.:40595 , len: 0
To get only packets from one host, give that host's hostname or IP address like this:
local> dump -c 1 host miki-Standard-PC-i440FX-PIIX-1996.
Interface: ens3, capture size: 6144 bytes
13:02:22.067 IPv4/UDP miki-Standard-PC-i440FX-PIIX-1996.:37228 > 192.168.122.1:53(domain) , len: 0
The commands are in bold letters. Some filter syntax you can use to get the information you need:
host hostname
src host hostname
dst host hostname
and, not and or are supported in the syntax
tcp, udp, icmp, icmp6, ip, ipv6
How to perform trace routes
mylg supports traceroute comparably to most other network monitoring tools, but it adds a little extra with real-time support. Let's trace google.com with the basic trace command:
local> trace google.com
trace route to google.com (216.58.214.206), 30 hops max
1 192.168.122.1 0.092 ms 0.097 ms 0.061 ms
2 192.168.1.1 1.886 ms 1.195 ms 1.652 ms
3 212.200.180.146 [ASN 8400/TELEKOM-AS] 10.282 ms 13.892 ms 8.344 ms
4 212.200.180.123 [ASN 8400/TELEKOM-AS] 8.929 ms 8.749 ms 8.287 ms
5 212.200.7.74 [ASN 8400/TELEKOM-AS] 12.248 ms 19.486 ms 11.621 ms
6 212.200.7.79 [ASN 8400/TELEKOM-AS] 10.686 ms 11.148 ms 10.833 ms
7 79.101.96.177 [ASN 8400/TELEKOM-AS] 22.842 ms 22.434 ms 25.806 ms
8 209.85.243.181 [ASN 15169/GOOGLE] 22.145 ms 23.683 ms 23.397 ms
9 66.249.94.113 [ASN 15169/GOOGLE] 21.702 ms 22.207 ms 21.780 ms
10 bud02s23-in-f14.1e100.net. (216.58.214.216) [ASN 15169/GOOGLE] 22.946 ms 23.247 ms 22.676 ms
You can see that my ISP is Telekom, and the latency of the routes it uses. If you need to capture a report, the trace command can run in real time for you, sending 10 packets per hop, and produce a report:
local> trace bing.com -r -R
──[ myLG ]── traceroute to bing.com (204.79.197.200)
Host ASN Holder Sent Lost% Last Avg Best Wrst
192.168.122.1 10 0.0 0.18 0.17 0.08 0.20
192.168.1.1 10 0.0 1.32 1.42 1.06 2.34
212.200.180.146 8400 TELEKOM 10 0.0 16.09 14.18 8.49 21.78
212.200.180.128 8400 TELEKOM 10 0.0 24.93 16.90 8.05 24.93
212.200.7.84 8400 TELEKOM 10 0.0 12.36 12.21 11.44 13.23
212.200.7.79 8400 TELEKOM 10 0.0 12.07 16.81 10.30 32.09
212.200.5.119 8400 TELEKOM 10 0.0 23.25 25.45 23.25 53.53
ams-ix-1.microsoft.com. 1200 AMS 10 0.0 51.46 51.44 51.03 52.97
104.44.80.25 8075 MICROSOFT 10 0.0 61.44 61.78 61.44 63.82
??? 10 100.0
??? 10 100.0
??? 10 100.0
a-0001.a-msedge.net. 8068 MICROSOFT 10 0.0 60.04 59.95 59.41 61.26
If you need more than a 10-packet sample, use the -c option with a number.
How to use the dig command
With the dig command you can perform a DNS query and get the IP address, name servers, mail exchangers and TXT records. It also has a trace option, which shows the chain of name servers the query passes through:
dig bing.com +trace
Without the trace option:
dig bing.com
How to probe sites with HTTP ping
The mylg hping command probes a host or site similarly to the ping command, but instead of ICMP, which ping uses, hping uses the HTTP protocol. It shows the response time, the HTTP protocol version, the status code returned and the round-trip time. When used without a counter (the -c option with a number) it sends 5 requests. We will now request two times:
local> hping bing.com -c 2
HPING bing.com (204.79.197.200), Method: HEAD, DNSLookup: 32.0384 ms
HTTP Response seq=0, proto=HTTP/1.1, status=405, time=130.057 ms
HTTP Response seq=1, proto=HTTP/1.1, status=405, time=129.607 ms
--- bing.com HTTP ping statistics ---
2 requests transmitted, 2 replies received, 0% requests failed
HTTP Round-trip min/avg/max = 129.61/129.83/130.06 ms
HTTP Code [405] responses : [████████████████████] 100.00%
local>
hping also has a -trace option, which gives us additional info about how long the connection took and how long it took to read the first byte:
local> hping bing.com -c 2 -trace
HPING bing.com (204.79.197.200), Method: HEAD, DNSLookup: 53.2580 ms
HTTP Response seq=0, proto=HTTP/1.1, status=405, time=129.112 ms, connection=61.990 ms, first byte read=67.022 ms
HTTP Response seq=1, proto=HTTP/1.1, status=405, time=128.614 ms, connection=61.797 ms, first byte read=66.740 ms
--- bing.com HTTP ping statistics ---
2 requests transmitted, 2 replies received, 0% requests failed
HTTP Round-trip min/avg/max = 128.61/128.86/129.11 ms
HTTP Code [405] responses : [████████████████████] 100.00%
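The timings hping and hping -trace print above (round-trip, connection, first byte) can be collected with Go's standard net/http/httptrace package. The following is an added example, not code from the article or from mylg itself: it sends HEAD requests on fresh connections and records the same measurements per request.

```go
package main

import (
	"context"
	"net/http"
	"net/http/httptrace"
	"time"
)

// Probe holds the timings that hping -trace reports for one request.
type Probe struct {
	Status     int
	Proto      string
	Total      time.Duration // full round-trip, hping's "time="
	DNSLookup  time.Duration // zero when the URL already contains an IP
	Connection time.Duration // TCP connect, hping's "connection="
	FirstByte  time.Duration // until the first response byte, "first byte read="
}

// HTTPPing sends count HEAD requests to rawURL and records per-request
// timings with net/http/httptrace. Keep-alives are disabled so that every
// probe measures a fresh TCP connection, as hping's output shows.
func HTTPPing(rawURL string, count int) ([]Probe, error) {
	client := &http.Client{Timeout: 10 * time.Second, Transport: &http.Transport{DisableKeepAlives: true}}
	var probes []Probe
	for i := 0; i < count; i++ {
		var p Probe
		var dnsStart, connStart, start time.Time
		trace := &httptrace.ClientTrace{
			DNSStart:             func(httptrace.DNSStartInfo) { dnsStart = time.Now() },
			DNSDone:              func(httptrace.DNSDoneInfo) { p.DNSLookup = time.Since(dnsStart) },
			ConnectStart:         func(_, _ string) { connStart = time.Now() },
			ConnectDone:          func(_, _ string, _ error) { p.Connection = time.Since(connStart) },
			GotFirstResponseByte: func() { p.FirstByte = time.Since(start) },
		}
		req, err := http.NewRequestWithContext(httptrace.WithClientTrace(context.Background(), trace), http.MethodHead, rawURL, nil)
		if err != nil {
			return nil, err
		}
		start = time.Now()
		resp, err := client.Do(req)
		if err != nil {
			return nil, err
		}
		resp.Body.Close()
		p.Total, p.Status, p.Proto = time.Since(start), resp.StatusCode, resp.Proto
		probes = append(probes, p)
	}
	return probes, nil
}
```

Calling HTTPPing("http://bing.com/", 2) reproduces the two-request run shown above; a 405 for HEAD is the server refusing the method, not a failed probe.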
LAN discovery and RIPE NCC query
To discover hosts on your local network you just need the simple disc command. But since I am using a KVM instance in NAT mode, there are none:
local> disc
please wait . .
Network LAN Discovery
+----+-----+------+-----------+-------------------+
| IP | MAC | HOST | INTERFACE | ORGANIZATION NAME |
+----+-----+------+-----------+-------------------+
+----+-----+------+-----------+-------------------+
0 host(s) has been found
Next let's try querying the RIPE database. RIPE is a European organization and an open online forum that maintains a database of public IP addresses and contact phone numbers. The mylg whois command queries that database; you only need to type an IP address, ASN or CIDR.
So let's see who stands behind the IP address 8.8.8.8:
local> whois 8.8.8.8
+------------+-------+--------------------------+
| PREFIX | ASN | HOLDER |
+------------+-------+--------------------------+
| 8.8.8.0/24 | 15169 | GOOGLE - Google Inc., US |
+------------+-------+--------------------------+
Who would have expected it: Google's DNS servers are operated by Google.
local> whois 605
VHS-CHIL - Vanguard Health Management, Inc., US
+--------------------+-----------+
| LOCATION | COVERED % |
+--------------------+-----------+
| United States - IL | 100.0000 |
+--------------------+-----------+
Ok, I have no idea who this is, but I guess I need help managing my health as I managed to catch a cold the other day.
How to perform port scanning
The mylg scan command can scan ports on a given host. It accepts a hostname or IP address. Let's scan Bing:
local> scan www.bing.com
+----------+------+--------+-------------+
| PROTOCOL | PORT | STATUS | DESCRIPTION |
+----------+------+--------+-------------+
| TCP | 443 | Open | |
| TCP | 80 | Open | |
+----------+------+--------+-------------+
Scan done: 2 opened port(s) found in 2.007 seconds
Next let's scan the VM where mylg is running:
local> scan localhost
+----------+------+--------+-------------+
| PROTOCOL | PORT | STATUS | DESCRIPTION |
+----------+------+--------+-------------+
| TCP | 22 | Open | |
+----------+------+--------+-------------+
Scan done: 1 opened port(s) found in 0.013 seconds
Only the SSH port is open. This simple scan command is extremely useful for a variety of reasons. For example, if you have a connectivity problem you want to scan your server or localhost to see if the firewall is blocking something it shouldn't block. Or if you want to, say... hack someone, you also need to know which ports are open. That is why I scanned Bing :)
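The localhost check above (is the firewall exposing only what it should?) is a TCP connect test per port. Here is an added example in Go that does the same for a list of ports with a timeout and bounded concurrency; it is not mylg's own scan code, and the port list and host in main are constructed for illustration.

```go
package main

import (
	"fmt"
	"net"
	"strconv"
	"sync"
	"time"
)

// PortResult is one row of the scan table; the protocol is always TCP here.
type PortResult struct {
	Port int
	Open bool
}

// ScanPorts runs a TCP connect check against host for every port in ports,
// at most parallel dials at a time, each bounded by timeout. A completed
// handshake counts as open; a refusal or a timeout counts as closed/filtered.
func ScanPorts(host string, ports []int, timeout time.Duration, parallel int) []PortResult {
	results := make([]PortResult, len(ports))
	sem := make(chan struct{}, parallel) // bounds the number of in-flight dials
	var wg sync.WaitGroup
	for i, port := range ports {
		wg.Add(1)
		sem <- struct{}{}
		go func(i, port int) {
			defer wg.Done()
			defer func() { <-sem }()
			addr := net.JoinHostPort(host, strconv.Itoa(port))
			conn, err := net.DialTimeout("tcp", addr, timeout)
			if err == nil {
				conn.Close() // handshake completed, nothing else is sent
			}
			results[i] = PortResult{Port: port, Open: err == nil}
		}(i, port)
	}
	wg.Wait()
	return results
}

func main() {
	// Constructed usage: the article's localhost check for SSH and the web ports.
	for _, r := range ScanPorts("127.0.0.1", []int{22, 80, 443}, 500*time.Millisecond, 10) {
		fmt.Printf("TCP %d open=%v\n", r.Port, r.Open)
	}
}
```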
Conclusion
We have installed mylg and gone through the most useful commands. Most of this functionality is not unique to mylg; other software of a similar role also has it. But the mylg development team tries, and I think succeeds, to put its own twist on, and add usability to, the commands we expect from this kind of software. That is all for this article, thank you for reading.
The post Mylg - A Command Line Network Monitoring Tool for Linux Systems appeared first on LinOxide.