perl regex script for IP traffic analysis

Perl is my language of choice for just about everything: shell scripting, Windows applications using Tk, IoT, Raspberry Pi GPIO, and sometimes even web via CGI (an anachronism, I know). It's just so easy to do something really powerful with little effort.

I have been using Wireshark since it was Ethereal, back in the early 2000s when I was caught up deep in the Cisco certification racket. Lately, I prefer the granular control of tcpdump from the command line. One of Perl's many great strengths is, of course, its regular expression capabilities. One night, just for fun, I wanted to analyze my TCP/IP traffic as I was casually browsing some of my usual sites. I ran the following command and had the output piped to a text file:

sudo tcpdump -i eth2 -n -# dst | tee dump.txt

Pretty simple. It tells tcpdump to monitor my Ethernet interface, not to resolve hostnames, number each packet, record only packets destined for my PC, and (via tee) write the results to dump.txt. You immediately see results on the screen:

[screenshot: tcpdump results]

I wrote a very simple script off the top of my head to scan the results file, dump.txt, for IPv4 addresses, and then tell me the number of packets received from each address, the name of the organization it originated from, and the country of origin.

The Perl regex that I came up with for finding an IP address in a text file is embarrassingly simple, but very effective.

while($_ =~ /(\d+\.\d+\.\d+\.\d+)/g){
}#end while

Does it test for invalid addresses? No. But after using this for some time, it has never failed to find every IP address in the output of a tcpdump capture. My script looks at each IP address and runs a whois command for each unique address. I then use more regexes to find the organization and country of origin. Below is a sample output.

This particular capture was very brief, and only contained 7 unique addresses.  This script, however, can work for hundreds or thousands of IP addresses.
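As an added example (not the post's script), here is a stricter version of the address matcher together with a hash-based occurrence counter, run over a few constructed tcpdump-style lines. The whois_fields helper is my assumption about how to replace the backtick call and temporary file; it only runs when DO_WHOIS is set, since it needs network access.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Stricter IPv4 pattern than the post's \d+\.\d+\.\d+\.\d+: every octet
# must be 0-255, and the match may not start or end inside a longer
# dotted number, so 999.1.2.3 does not yield a bogus 1.2.3.x hit.
# tcpdump prints "addr.port", so a trailing ".port" is still accepted.
my $OCTET = qr/(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)/;
my $IPV4  = qr/(?<![\d.])((?:$OCTET\.){3}$OCTET)(?!\d)/;

# Count occurrences per address. A hash replaces the nested foreach
# over @ips, which is quadratic on large captures.
sub count_ips {
    my @lines = @_;
    my %count;
    for my $line (@lines) {
        while ($line =~ /$IPV4/g) {
            $count{$1}++;
        }
    }
    return \%count;
}

# Same Organization/Country grep as the post's script, but through a
# list-form pipe open: no shell interpolation of the address, no whois.txt.
sub whois_fields {
    my ($ip) = @_;
    open(my $wh, '-|', 'whois', $ip) or die "whois: $!";
    my @fields = grep { /Organization|Country/i } <$wh>;
    close $wh;
    return @fields;
}

# Constructed tcpdump-style sample lines (not a real capture).
my @sample = (
    '1  12:00:01.000 IP 93.184.216.34.443 > 192.168.1.20.52344: Flags [P.], length 100',
    '2  12:00:01.010 IP 203.0.113.7.80 > 192.168.1.20.52345: Flags [.], length 0',
    '3  12:00:01.020 IP 93.184.216.34.443 > 192.168.1.20.52344: Flags [.], length 0',
    '4  12:00:01.030 IP 999.1.2.3.80 > 192.168.1.20.52346: Flags [S], length 0',
);

my $counts = count_ips(@sample);
for my $ip (sort { $counts->{$b} <=> $counts->{$a} } keys %$counts) {
    printf "%-15s %d\n", $ip, $counts->{$ip};      # 192.168.1.20 counted 4 times
    print whois_fields($ip) if $ENV{DO_WHOIS};     # needs network access
}
```

On the sample above the invalid 999.1.2.3 source is skipped entirely, while the loose pattern would have reported 999.1.2.3 as an address.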

I also used this script to parse the auth.log file on one of my internet-facing home servers. I stupidly had my home server with port 22 open for SSH. I was constantly being hit with attempts to log in to my server with well-known usernames and passwords, literally all day long. (I changed the SSH port later and nearly all of this stopped!) Most of these login attempts were from foreign countries, no doubt running a script. I was first alerted to this problem by running

netstat -t

and seeing a lot of TCP connections to strange addresses that I was sure were unsolicited and that I did not initiate.
Here is the script in its entirety.

#!/usr/bin/perl -w
use strict;
$| = 1;

# parses tcpdump file for ip addresses
#
# example for creating file:
# sudo tcpdump -i eth0 > dump.txt

open(FH, '<', 'dump.txt') or die $!;

#array for IP addresses
my @ips;
my @uips;       #unique IP address array
my $ipex_f = 0; #flag to test t/f ip exists in array

my $ln = 1;

while(<FH>){
    while($_ =~ /(\d+\.\d+\.\d+\.\d+)/g){
        my $found = $1;
        push @ips, $found;
        #print "$found\ton line $ln\n";

        #reset for each match
        $ipex_f = 0;

        #see if IP already in unique array, if not push it on
        foreach my $ip (@uips){
            if($ip eq $found){
                $ipex_f = 1;
            }#end if
        }#end foreach

        if($ipex_f == 0){
            push @uips, $found;
        }#end if
    }#end while (matches on this line)
    $ln++;
}#end while (lines in dump.txt)
close FH;

my $n_ip = @uips;
print "$n_ip IP addresses found......\n-----------------------------------------\n";
foreach my $addr (@uips){
    print $addr."\n";
}#end foreach

my $n = 1;
foreach my $ipa (@uips){
    print "\n$n--------------------------------------------\n";
    my $n_occur = 0;

    #count how many times this address appeared in the capture
    foreach my $seen (@ips){
        if($seen eq $ipa){
            $n_occur++;
        }#end if
    }#end foreach

    print "$ipa\t$n_occur \n";
    #run whois for this address and pull out organization and country
    system("whois $ipa > whois.txt");
    open(WT, '<', 'whois.txt') or die $!;
    while(<WT>){
        if($_ =~ /Organization/i){ print $_; }
        if($_ =~ /Country/i){ print $_; }
    }#end while
    close WT;
    $n++;
}#end foreach

Simple, but effective.  You could use this on ANY text document that contains IP addresses.
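An added example, not from the post, of the auth.log use described earlier: count failed SSH logins per source address from constructed sshd log lines and report the addresses at or above a threshold. The sshd message format shown and the threshold of 3 are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# One sshd "Failed password" line per attempt. Both the "invalid user"
# and the known-user forms are handled; capture the username and source IP.
my $FAILED = qr/sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)/;

# Returns { ip => { attempts => N, users => { name => count } } }.
sub failed_logins {
    my @lines = @_;
    my %by_ip;
    for my $line (@lines) {
        next unless $line =~ $FAILED;
        my ($user, $ip) = ($1, $2);
        $by_ip{$ip}{attempts}++;
        $by_ip{$ip}{users}{$user}++;
    }
    return \%by_ip;
}

# Addresses at or above the threshold, busiest first.
sub offenders {
    my ($by_ip, $threshold) = @_;
    return sort { $by_ip->{$b}{attempts} <=> $by_ip->{$a}{attempts} }
           grep { $by_ip->{$_}{attempts} >= $threshold } keys %$by_ip;
}

# Constructed auth.log sample (not real log data).
my @sample = (
    'Mar  3 02:14:01 home sshd[2201]: Failed password for invalid user admin from 198.51.100.23 port 41022 ssh2',
    'Mar  3 02:14:03 home sshd[2201]: Failed password for invalid user admin from 198.51.100.23 port 41022 ssh2',
    'Mar  3 02:14:06 home sshd[2205]: Failed password for root from 198.51.100.23 port 41030 ssh2',
    'Mar  3 02:15:10 home sshd[2210]: Failed password for invalid user test from 203.0.113.9 port 55012 ssh2',
    'Mar  3 02:16:00 home sshd[2215]: Accepted publickey for alice from 192.168.1.50 port 50200 ssh2',
);

my $by_ip = failed_logins(@sample);
for my $ip (offenders($by_ip, 3)) {
    my $users = join ',', sort keys %{ $by_ip->{$ip}{users} };
    # prints: 198.51.100.23   3 failed logins (users: admin,root)
    printf "%-15s %d failed logins (users: %s)\n", $ip, $by_ip->{$ip}{attempts}, $users;
}
```

The per-address hash from failed_logins can be fed straight into the whois lookup from the post's script to get the country of origin for each offender.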

cisco 2801 & 2621XM load testing with iperf

I just wanted to see what would happen to the CPU of a few Cisco routers if I flooded them with traffic using iperf.  Specifically, I wondered if it was possible to ‘weaponize’ iperf by setting up multiple clients sending tons of traffic across a network to an iperf sink.

I set up an iperf server on a FreeBSD 10.3 machine like so:

iperf -s

[screenshot: FreeBSD iperf server]

As you can see, the client at sent 444MB in 60 seconds. What was really interesting to me was the CPU load on the Cisco 2621XM router connected to the network... nearly 90%!!!

From what I understand, the Cisco 2621XM router has an MPC860 processor capable of 88 MIPS at 66 MHz. I would posit that it is possible to disable a router such as this with an iperf attack coming from multiple devices. I mean, only one iperf client nearly maxed it out.

Now for the more powerful Cisco 2801.  CPU utilization hovers near 50%.

Even with multiple clients sending traffic to the iperf server, the CPU utilization never increases. I assume this is due to the CEF (Cisco Express Forwarding) functionality of the router, but I am not sure.

replacing static routes with quagga rip v2 on ubuntu

I have been experimenting with the network traffic generation tool iperf in my home networking lab to load test a few Cisco routers. I was curious what the CPU load would be on the routers with multiple PCs sending traffic across several routed subnets. I configured two PCs on my workstation segment,, as iperf clients and set up a dual-core Pentium 4 FreeBSD 10.3 machine as the iperf server, spanning a Cisco 2801 and a Cisco 2621XM like so:

[diagram: iperf lab load test setup]

The routers use the RIP v2 routing protocol to learn all of their configured routes, consisting of several VLSM 10.X.X.X and 192.168.X.X networks. I was initially using static routing on my iperf client PCs to send packets to the iperf sink PC on the network like so:

sudo route add -net gw

This got somewhat tedious after a while, having to run this on multiple machines before I could do any testing. A few years ago, I had done some experimentation with Quagga. Quagga is a routing software suite that turns a Unix-like PC into a router that can learn IP routes using protocols like RIPv2, OSPF and BGP. I used RIPv2 for simplicity.

FYI: this is not a tutorial on installing or configuring Quagga or iperf. There are many tutorials out there for that.

After configuring Quagga and the ripd daemon on my iperf client PCs, they automatically learned the routes to all the 10 and 192.168 networks in my lab with no manual configuration on my part.

To see the routes my PC learned via Quagga's ripd, connect to the zebra daemon and run the following commands:

telnet localhost zebra
show ip route

Here, you can see the routes the PC learned via RIPv2 from the Cisco routers.

The following tcpdump command shows the RIPv2 packets (UDP port 520) coming from the PC's neighboring router:

sudo tcpdump -i eth2 udp port 520 -XX -#

Now, each time I turn on my PCs, they learn the routes in my lab automatically with no configuration on my part.

Next time, I will post the results of the CPU load on the Cisco routers using iperf testing.