Interop: 12 killer (and free) tools for network engineers
“There are commercial tools that do most of these functions,” says Mike Pennacchi, owner and lead network analyst at Network Protocol Specialists. “If you don’t have any budget, this gives you the tools without spending a lot of money.”
While most of the software he mentioned can be downloaded for free, using it in a live network sometimes requires investing in peripheral hardware to make the tools easier to use. For-profit vendors sell licenses for their proprietary versions that offer added features as well as support.
Pennacchi says it’s possible as well to customize the tools for specific purposes and still save. So users can add filters to some so they seek out just malformed packets, for example, or export data to a complementary app that can sort and display data graphically. “You can build discovery tools or you can go buy them,” he says. “We’re working around some tools we can buy.”
A few of the tools – notably ARPSpoof, Wireshark, nmap, TCPTraceroute and AirCrack – can be used by bad guys to perform reconnaissance and probe for weaknesses in preparation for attacks. But they also have value for legitimate purposes, Pennacchi says.
There are more such tools, but this is the list Pennacchi singled out as must-have:
iperf – This multiplatform tool measures throughput, packet loss and jitter, and supports both UDP and TCP packets to determine quality of connections between devices on a network. Support for UDP makes it valuable for testing the suitability of a link for VoIP. It can graph the data it gathers to see how network conditions vary over time.
Wireshark – This software captures and analyzes packets to find malformed frames, mis-ordered packets and the like. Users can write rules to capture only certain protocols such as wireless, TCP or http to troubleshoot slow server response time, for example. Filters can cut through the chaff to find only the bad packets that might be the root of trouble.
TCPTraceroute – This tool traces paths through networks using TCP rather than ICMP. It’s good for finding what’s blocking traffic in transit, such as firewalls configured to block the ports the traffic needs to use. He says he once used it to spot a device that was spoofing the endpoint an application was trying to reach because the response was coming in impossibly fast given the distance between the actual endpoints.
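The "impossibly fast" response in that anecdote can be checked rather than eyeballed: a round trip cannot be shorter than the time light needs to cover the distance twice. The following is an added example, not code from the article or from TCPTraceroute; it assumes a propagation speed in fibre of roughly 200 km per millisecond and uses a constructed trace.

```python
# Added example: sanity-check the final hop of a traceroute against the physical
# lower bound on round-trip time implied by the distance to the real endpoint.

# Assumption (not from the article): signals in fibre travel at about two-thirds
# of the speed of light, i.e. roughly 200 km per millisecond.
KM_PER_MS = 200.0


def min_rtt_ms(distance_km):
    """Smallest possible round-trip time for an endpoint distance_km away."""
    return 2.0 * distance_km / KM_PER_MS


# Constructed trace: (hop, address, rtt_ms); None would mean no reply at that hop.
SAMPLE_TRACE = [
    (1, "10.1.1.1", 0.4),
    (2, "198.51.100.1", 3.1),
    (3, "203.0.113.7", 3.4),  # answers as the endpoint, which is 4000 km away
]


def endpoint_plausible(trace, distance_km):
    """Return (observed_rtt, minimum_rtt, plausible) for the last replying hop.

    A final-hop RTT below the physical minimum means something nearer than the
    real endpoint is answering in its place.
    """
    replies = [hop for hop in trace if hop[2] is not None]
    observed = replies[-1][2]
    bound = min_rtt_ms(distance_km)
    return observed, bound, observed >= bound


if __name__ == "__main__":
    rtt, bound, ok = endpoint_plausible(SAMPLE_TRACE, distance_km=4000)
    print(f"final hop {rtt} ms, physical minimum {bound} ms, plausible={ok}")
```

For a 4000 km path the bound is 40 ms, so a 3.4 ms reply cannot have come from the real endpoint.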
fprobe – The primary purpose of fprobe is to listen on specified interfaces and gather NetFlow data about the traffic passing through them. Pennacchi says it can be used to detect traffic types that don’t belong on the network and may be sucking up bandwidth, such as Netflix in a corporate environment. He says he’s installed fprobe on a Raspberry Pi to gather the data.
nfdump – Flow information gathered by fprobe can be exported to nfdump, which stores it in files it can read back to display the data by protocol and rank top users. This can be used to address time-of-day congestion issues, for example.
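The fprobe/nfdump workflow above comes down to aggregating flow records: sum bytes per source to rank top talkers, sum per service to see what the link is carrying, and flag anything outside the expected set. The following is an added example, not code from the article or from nfdump; the flow lines are constructed in a simple one-flow-per-line layout (not nfdump's own output format), and the allowed-service list is an assumed policy.

```python
# Added example: rank top talkers and flag unexpected services from flow records.
from collections import defaultdict

# Constructed sample, one flow per line:
# start_time proto src_ip:port -> dst_ip:port bytes
SAMPLE_FLOWS = """\
2016-05-03T09:00:01 TCP 10.1.1.20:51234 -> 203.0.113.10:443 48200000
2016-05-03T09:00:02 TCP 10.1.1.21:51300 -> 198.51.100.5:80 120000
2016-05-03T09:00:05 UDP 10.1.1.22:50000 -> 198.51.100.53:53 1200
2016-05-03T09:00:07 TCP 10.1.1.20:51240 -> 203.0.113.11:443 61000000
2016-05-03T09:00:09 TCP 10.1.1.23:40001 -> 198.51.100.9:6881 9000000
2016-05-03T09:00:11 UDP 10.1.1.21:5060 -> 198.51.100.20:5060 300000
"""

# Assumed policy: services expected on this segment as (proto, dst_port).
ALLOWED_SERVICES = {("TCP", 443), ("TCP", 80), ("UDP", 53), ("UDP", 5060)}


def parse_flows(text):
    """Turn the constructed flow lines into dicts with typed fields."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, proto, src, _arrow, dst, nbytes = line.split()
        sip, sport = src.rsplit(":", 1)
        dip, dport = dst.rsplit(":", 1)
        flows.append({"ts": ts, "proto": proto, "src": sip, "sport": int(sport),
                      "dst": dip, "dport": int(dport), "bytes": int(nbytes)})
    return flows


def top_talkers(flows, n=3):
    """Sources ranked by total bytes sent, highest first (ties broken by address)."""
    totals = defaultdict(int)
    for f in flows:
        totals[f["src"]] += f["bytes"]
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def bytes_by_service(flows):
    """Total bytes per (proto, dst_port), i.e. what the link is actually carrying."""
    totals = defaultdict(int)
    for f in flows:
        totals[(f["proto"], f["dport"])] += f["bytes"]
    return dict(totals)


def unexpected_flows(flows, allowed=ALLOWED_SERVICES):
    """Flows whose (proto, dst_port) is outside the allowed service set."""
    return [f for f in flows if (f["proto"], f["dport"]) not in allowed]


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for src, total in top_talkers(flows):
        print(f"{src:<12} {total:>12} bytes")
    for f in unexpected_flows(flows):
        print(f"unexpected: {f['src']} -> {f['dst']}:{f['dport']}/{f['proto']}")
```

The same aggregation run over a day's worth of records, bucketed by hour, is what turns this into the time-of-day congestion picture the article mentions.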
Nmap – This is a powerful tool for network, device and service discovery useful for network scanning and for performing security audits. It can scan for the 1,000 ports most likely to be open and determine, for example, whether they are. It can scan devices by subnet and deliver valuable information such as what type of traffic devices are putting out. In doing its work, Nmap goes to each device and queries it, requiring a SYN packet in response -- so he says it is a noisy activity that might affect network performance. In addition to discovering what devices are on the network, Nmap can scan for services that are active and perform pointer-record lookups and reverse DNS lookups which may help ID what kind of device it has found.
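The audit use of Nmap is usually a comparison: which open services did the scan find that the inventory does not expect? The following is an added example, not code from the article or from the Nmap project; the scan text is a constructed sample written in the style of Nmap's grepable (-oG) output, and the baseline inventory is assumed.

```python
# Added example: parse grepable Nmap output and diff open ports against a baseline.
import re

# Constructed sample in the style of "nmap -oG" output; not real scan data.
SAMPLE_SCAN = """\
# Nmap 7.01 scan initiated as: nmap -oG - 10.1.1.0/29
Host: 10.1.1.1 (gw.example.test)\tStatus: Up
Host: 10.1.1.1 (gw.example.test)\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///\tIgnored State: closed (998)
Host: 10.1.1.5 ()\tStatus: Up
Host: 10.1.1.5 ()\tPorts: 80/open/tcp//http///, 3306/open/tcp//mysql///, 23/open/tcp//telnet///\tIgnored State: filtered (997)
# Nmap done
"""

# Assumed inventory: the services each host is supposed to expose, as (proto, port).
BASELINE = {
    "10.1.1.1": {("tcp", 22), ("tcp", 443)},
    "10.1.1.5": {("tcp", 80)},
}

# One port entry looks like: port/state/proto/owner/service/rpc/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)//([^/]*)/")


def parse_grepable(text):
    """Map each host to the set of (proto, port, service) it has open."""
    open_ports = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for port, state, proto, service in PORT_RE.findall(ports_field):
            if state == "open":
                open_ports.setdefault(host, set()).add((proto, int(port), service))
    return open_ports


def unexpected_services(observed, baseline):
    """Open services per host that the baseline does not list."""
    findings = {}
    for host, services in observed.items():
        allowed = baseline.get(host, set())
        extra = {s for s in services if (s[0], s[1]) not in allowed}
        if extra:
            findings[host] = extra
    return findings


if __name__ == "__main__":
    for host, extra in unexpected_services(parse_grepable(SAMPLE_SCAN), BASELINE).items():
        for proto, port, service in sorted(extra, key=lambda s: s[1]):
            print(f"{host}: unexpected {port}/{proto} ({service})")
```

Hosts absent from the baseline entirely show up with every open port flagged, which is the right default for an unknown device.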
Cacti – It gathers and graphs SNMP values over time, giving a picture of device utilization. More than just that, Pennacchi has used it to gather temperature data about the storeroom at his office to graph it over time.
Smokeping – This tool measures latency and packet loss that can be analyzed over time to reveal changes in latency that can be used for troubleshooting or network planning. It does this by firing off Ping packets at regular intervals and recording the response times. Spikes that show up on graphs of the data gathered indicate when response-time troubles arise and can help narrow down investigations into their causes.
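Turning a Smokeping-style series into "when did trouble start" is a baseline-and-threshold problem: a median with a robust spread is better than a mean, because the spikes you are hunting would otherwise drag the baseline up. The following is an added example, not code from the article or from Smokeping; the RTT series is constructed (one probe every five minutes, None for a lost reply).

```python
# Added example: flag latency spikes and lost probes in a regular-interval RTT series.
import statistics

# Constructed sample: ping RTTs in ms, one probe every 5 minutes; None = no reply.
SAMPLE_RTTS = [12.1, 11.9, 12.4, 12.0, 11.8, 12.3, 48.7, 52.1, None, 12.2, 12.0, 11.9]


def loss_ratio(rtts):
    """Fraction of probes that got no reply."""
    lost = sum(1 for r in rtts if r is None)
    return lost / len(rtts)


def find_spikes(rtts, k=5.0):
    """Indices whose RTT exceeds median + k * MAD over the replied probes.

    MAD (median absolute deviation) is robust: a handful of huge values do not
    move it, so the threshold stays anchored to normal behaviour.
    """
    good = [r for r in rtts if r is not None]
    med = statistics.median(good)
    mad = statistics.median([abs(r - med) for r in good])
    spread = max(mad, 0.1)  # guard against a zero MAD on a perfectly flat series
    threshold = med + k * spread
    return [i for i, r in enumerate(rtts) if r is not None and r > threshold]


def spike_windows(rtts, interval_min=5, k=5.0):
    """Group consecutive spike indices into (start_minute, end_minute) windows."""
    windows = []
    for i in find_spikes(rtts, k):
        if windows and windows[-1][1] == (i - 1) * interval_min:
            windows[-1] = (windows[-1][0], i * interval_min)
        else:
            windows.append((i * interval_min, i * interval_min))
    return windows


if __name__ == "__main__":
    print(f"loss: {loss_ratio(SAMPLE_RTTS):.1%}")
    for start, end in spike_windows(SAMPLE_RTTS):
        print(f"latency spike from minute {start} to minute {end}")
```

The window boundaries are what you take to the other data sources (flow records, SNMP graphs) to narrow down the cause.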
OpenNMS – This tool, which monitors devices and services, issues alerts when they go down and can write availability reports on devices. Pennacchi says it scales well in large networks to create availability reports useful to network executives.
AirCrack – It could be used for hacking, but AirCrack can also reveal who’s using the wireless network and can be used to troubleshoot issues. Pennacchi also calls it a great tool for discovering nearby wireless networks and clients using them.
ARPSpoof – Hackers use ARPSpoof to send spoofed ARP requests in an attempt to pair MAC and IP addresses of networked devices. But Pennacchi says it can also be used to create man-in-the-middle monitoring of device activity without having to install a device on, say, the span port of a router or switch.
Snort – This is a well-known intrusion detection (IDS) tool that can be used to live-monitor networks, but it can also be used to apply rules to a set of captured trace files. It can be paired with logging tools like Elasticsearch and Logstash, and the gathered data can be analyzed, with rules set to look for specific conditions and send alerts.
cURL – Basically this tool moves data to and from servers and proves useful in measuring the response time of Web sites.
Elasticsearch – This is a search server that Pennacchi pairs with Logstash and Kibana (ELK) to gather log data and create dashboards. Elasticsearch provides the search capabilities and Kibana visualizes the data to create the dashboards.