ngrep
Notes on ngrep, which is handy when you want to capture packets based on
the text they carry rather than on addresses and ports alone.

Installing ngrep

[root@colinux ~]# yum install ngrep
fedora 100% |=========================| 2.1 kB 00:00
updates 100% |=========================| 2.3 kB 00:00
Setting up Install Process
Parsing package install arguments
Resolving Dependencies
--> Running transaction check
---> Package ngrep.i386 0:1.45-1.fc7 set to be updated
--> Finished Dependency Resolution

Dependencies Resolved

=============================================================================
Package Arch Version Repository Size
=============================================================================
Installing:
ngrep i386 1.45-1.fc7 fedora 28 k

Transaction Summary
=============================================================================
Install 1 Package(s)
Update 0 Package(s)
Remove 0 Package(s)

Total download size: 28 k
Is this ok [y/N]: y
Downloading Packages:
(1/1): ngrep-1.45-1.fc7.i 100% |=========================| 28 kB 00:00
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
Installing: ngrep ######################### [1/1]

Installed: ngrep.i386 0:1.45-1.fc7
Complete!

ngrep

The binary is not on PATH, so add it if necessary.

[root@colinux ~]# ngrep
bash: ngrep: command not found
[root@colinux ~]#

[root@colinux etc]# whereis ngrep
ngrep: /usr/sbin/ngrep /usr/share/man/man8/ngrep.8.gz
[root@colinux etc]#

[root@colinux etc]# vi /etc/profile.d/sbin.sh
if ! echo ${PATH} | /bin/grep -q /usr/sbin ; then
        PATH=/usr/sbin:${PATH}
fi

[root@colinux etc]# chmod 644 /etc/profile.d/sbin.sh

Now that it is on PATH, look at the help output to check the available options.
(screenshot: ngrep help output)

First, use the following command to watch traffic to the MySQL port, 3306. -q suppresses the per-packet "#" markers and -W byline keeps the payload's line breaks, which is what makes protocol text readable.
ngrep -W byline -q port 3306
(screenshot: ngrep session check)

If the connection is not encrypted, the SQL statements being executed and the data they return are plainly visible.
(screenshot: show tables output)

tcpdump can show the same thing, but ngrep greps the payload by default, so it may be easier to use. The flip side is the security point: anything ngrep can match on the wire, anyone else on the same segment can read too, so database sessions that carry credentials or sensitive data belong on TLS or an SSH tunnel.

Building from the tarball
Download

[aws_user@192.168.11.36 tmp]$ wget 'http://sourceforge.jp/frs/g_redir.php?m=jaist&f=%2Fngrep%2Fngrep%2F1.45%2Fngrep-1.45.tar.bz2'
[aws_user@192.168.11.36 tmp]$ ls -l
total 13992
-rw-rw-r-- 1 aws_user aws_user 10363484 Nov  1 09:03 clustrix-common-v4.0-526.x86_64.rpm
-rw-rw-r-- 1 aws_user aws_user  3402668 Nov  1 09:03 clustrix-devnode-v4.0-8097.x86_64.rpm
-rw-rw-r-- 1 aws_user aws_user      234 Aug  8 18:55 fizzbuzz.c
-rwxrwxr-x 1 aws_user aws_user     5229 Aug  8 18:55 fizzbuzz.out
-rwxr-xr-x 1 aws_user aws_user      214 Aug  8 18:29 fizzbuzz.pl
-rw-rw-r-- 1 aws_user aws_user    18645 Aug 17 11:55 index.html
-rw-rw-r-- 1 aws_user aws_user    19142 Nov 12 15:23 index.html.1
-rw-rw-r-- 1 aws_user aws_user   463361 Nov 28  2006 ngrep-1.45.tar.bz2
-rw-rw-r-- 1 aws_user aws_user     3354 Nov  1 09:08 README.txt
drwxrwxr-x 2 aws_user aws_user     4096 Aug 10 08:25 wget
[aws_user@192.168.11.36 tmp]$ tar xvf ngrep-1.45.tar.bz2
ngrep-1.45/
ngrep-1.45/win32/
ngrep-1.45/win32/ngrep.sln
ngrep-1.45/win32/ngrep.vcproj
ngrep-1.45/win32/support/
ngrep-1.45/win32/support/getopt.c
ngrep-1.45/win32/support/getopt.h
ngrep-1.45/win32/support/inet_ntop.c
ngrep-1.45/win32/support/inet_ntop.h

... (omitted)

ngrep-1.45/pcre-5.0/libpcre.def
ngrep-1.45/pcre-5.0/libpcreposix.def
ngrep-1.45/pcre-5.0/RunTest.in
ngrep-1.45/pcre-5.0/configure
ngrep-1.45/pcre-5.0/install-sh
ngrep-1.45/pcre-5.0/mkinstalldirs
ngrep-1.45/pcre-5.0/config.guess
ngrep-1.45/pcre-5.0/config.sub
ngrep-1.45/pcre-5.0/ltmain.sh
[aws_user@192.168.11.36 tmp]$ ls -l
total 13996
-rw-rw-r-- 1 aws_user aws_user 10363484 Nov  1 09:03 clustrix-common-v4.0-526.x86_64.rpm
-rw-rw-r-- 1 aws_user aws_user  3402668 Nov  1 09:03 clustrix-devnode-v4.0-8097.x86_64.rpm
-rw-rw-r-- 1 aws_user aws_user      234 Aug  8 18:55 fizzbuzz.c
-rwxrwxr-x 1 aws_user aws_user     5229 Aug  8 18:55 fizzbuzz.out
-rwxr-xr-x 1 aws_user aws_user      214 Aug  8 18:29 fizzbuzz.pl
-rw-rw-r-- 1 aws_user aws_user    18645 Aug 17 11:55 index.html
-rw-rw-r-- 1 aws_user aws_user    19142 Nov 12 15:23 index.html.1
drwxr-xr-x 7 aws_user aws_user     4096 Nov 28  2006 ngrep-1.45
-rw-rw-r-- 1 aws_user aws_user   463361 Nov 28  2006 ngrep-1.45.tar.bz2
-rw-rw-r-- 1 aws_user aws_user     3354 Nov  1 09:08 README.txt
drwxrwxr-x 2 aws_user aws_user     4096 Aug 10 08:25 wget
[aws_user@192.168.11.36 tmp]$ cd ngrep-1.45
[aws_user@192.168.11.36 ngrep-1.45]$ ls -l
total 340
-rw-r--r-- 1 aws_user aws_user  44208 Oct 18  2006 config.guess
-rw-r--r-- 1 aws_user aws_user    854 Nov 28  2006 config.h.in
-rw-r--r-- 1 aws_user aws_user  32560 Oct 18  2006 config.sub
-rwxr-xr-x 1 aws_user aws_user 155425 Nov 15  2006 configure
-rw-r--r-- 1 aws_user aws_user   9916 Nov 15  2006 configure.in
drwxr-xr-x 2 aws_user aws_user   4096 Nov 28  2006 doc
-rwxr-xr-x 1 aws_user aws_user   5598 Sep 26  2004 install-sh
-rw-r--r-- 1 aws_user aws_user   1840 Nov 16  2006 LICENSE.txt
-rw-r--r-- 1 aws_user aws_user   2986 Nov 28  2006 Makefile.in
-rw-r--r-- 1 aws_user aws_user  15480 Nov 28  2006 ngrep.8
-rw-r--r-- 1 aws_user aws_user  36033 Nov 28  2006 ngrep.c
-rw-r--r-- 1 aws_user aws_user   2700 Nov 28  2006 ngrep.h
drwxr-xr-x 2 aws_user aws_user   4096 Nov 15  2006 pcre-5.0
drwxr-xr-x 4 aws_user aws_user   4096 Nov 28  2006 regex-0.12
drwxr-xr-x 2 aws_user aws_user   4096 Sep 26  2004 scripts
drwxr-xr-x 3 aws_user aws_user   4096 Nov 16  2006 win32

From configure to install

[aws_user@192.168.11.36 ngrep-1.45]$ ./configure

Configuring System ...

checking build system type... i686-pc-linux-gnu
checking host system type... i686-pc-linux-gnu
checking target system type... i686-pc-linux-gnu
checking for gcc... gcc
checking for gcc option to accept ISO C89... none needed

... (omitted)

configure: creating ./config.status
config.status: creating Makefile
config.status: creating config.h
[aws_user@192.168.11.36 ngrep-1.45]$ make
make  -C regex-0.12 regex.o
make[1]: Entering directory `/home/aws_user/tmp/ngrep-1.45/regex-0.12'
gcc -g  -DSTDC_HEADERS=1 -DHAVE_STRING_H=1 -DHAVE_ALLOCA_H=1 -DHAVE_ALLOCA=1  -I. -I. -c regex.c
make[1]: Leaving directory `/home/aws_user/tmp/ngrep-1.45/regex-0.12'
gcc -g -O2 -DLINUX -DHAVE_CONFIG_H  -D_BSD_SOURCE=1 -D__FAVOR_BSD=1  -I. -I/usr/include  -g -c ngrep.c
gcc -g -O2 -DLINUX -DHAVE_CONFIG_H  -D_BSD_SOURCE=1 -D__FAVOR_BSD=1  -L/usr/lib -s -o ngrep ngrep.o  regex-0.12/regex.o -lpcap
[aws_user@192.168.11.36 ngrep-1.45]$ sudo -s
[sudo] password for aws_user:
[root@192.168.11.36 ngrep-1.45]# make install
./install-sh -c -m 0755 ngrep  //usr/local/bin/ngrep
./install-sh -c -m 0644 ngrep.8 //usr/local/share/man/man8/ngrep.8
[root@192.168.11.36 ngrep-1.45]# 

Try running it.

[root@192.168.11.36 ngrep-1.45]# ngrep -W byline -q port 80
interface: eth0 (192.168.11.0/255.255.255.0)
filter: (ip) and ( port 80 )

T 192.168.11.101:12814 -> 192.168.11.36:80 [AP]
GET /nagios/ HTTP/1.1.
Via: 1.1 TMG03.
Accept-Encoding:gzip.
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; ja; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3.
Host: 192.168.11.36.
Keep-Alive: 115.
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8.
Accept-Language: ja,en-us;q=0.7,en;q=0.3.
Accept-Charset: Shift_JIS,utf-8;q=0.7,*;q=0.7.
Connection: Keep-Alive.
.


T 192.168.11.36:80 -> 192.168.11.101:12814 [AP]
HTTP/1.1 401 Authorization Required.
Date: Mon, 12 Nov 2012 06:59:18 GMT.
Server: Apache.
WWW-Authenticate: Basic realm="Nagios Access".
Content-Length: 401.
Connection: close.
Content-Type: text/html; charset=iso-8859-1.
.
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>401 Authorization Required</title>
</head><body>
<h1>Authorization Required</h1>
<p>This server could not verify that you
are authorized to access the document
requested.  Either you supplied the wrong
credentials (e.g., bad password), or your
browser doesn't understand how to supply
the credentials required.</p>
</body></html>


T 192.168.11.101:13132 -> 192.168.11.36:80 [AP]
GET /favicon.ico HTTP/1.1.
Via: 1.1 TMG03.
Accept-Encoding:gzip.
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; ja; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3.
Host: 192.168.11.36.
Keep-Alive: 115.
Accept: image/png,image/*;q=0.8,*/*;q=0.5.
Accept-Language: ja,en-us;q=0.7,en;q=0.3.
Accept-Charset: Shift_JIS,utf-8;q=0.7,*;q=0.7.
Connection: Keep-Alive.
.


T 192.168.11.36:80 -> 192.168.11.101:13132 [AP]
HTTP/1.1 404 Not Found.
Date: Mon, 12 Nov 2012 06:59:22 GMT.
Server: Apache.
Content-Length: 209.
Connection: close.
Content-Type: text/html; charset=iso-8859-1.
.
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /favicon.ico was not found on this server.</p>
</body></html>

[root@192.168.11.36 ngrep-1.45]#
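To show what ngrep actually does with the MySQL session above and with the Nagios Basic-auth exchange (the 401 asks the browser to resend with an Authorization header that is only base64, so the next request carries the password in clear), here is an added example in Python that is not ngrep's own code: a minimal pcap reader that applies a port filter and a regex to TCP payloads, prints them byline-style, and decodes any Basic credentials it finds. The capture format (classic libpcap, Ethernet/IPv4/TCP only), the sample capture, the SQL text and the credentials "nagiosadmin:example" are all constructed here and are not from the original page.

```python
"""Tiny ngrep-style regex search over TCP payloads in a pcap file.

Added example, not ngrep's own source. Assumptions not taken from the page:
classic libpcap format, Ethernet/IPv4/TCP frames only; the sample capture
(SQL text, credentials, sequence numbers) is constructed inline.
"""
import base64
import re
import struct
from typing import Iterator, List, Optional, Tuple

Hit = Tuple[str, int, str, int, bytes]  # src, sport, dst, dport, payload


def _ip_bytes(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def build_frame(src: Tuple[str, int], dst: Tuple[str, int], payload: bytes) -> bytes:
    """Ethernet/IPv4/TCP frame with minimal headers (no checksums; enough for parsing)."""
    eth = b"\x00" * 12 + b"\x08\x00"                       # MACs + EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", src[1], dst[1], 1, 1,
                      5 << 4, 0x18, 65535, 0, 0)            # data offset 5 words, PSH|ACK
    total = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 6, 0,
                     _ip_bytes(src[0]), _ip_bytes(dst[0]))
    return eth + ip + tcp + payload


def build_pcap(frames: List[bytes]) -> bytes:
    """Wrap frames in a little-endian libpcap file (magic 0xa1b2c3d4, LINKTYPE_ETHERNET)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1352703558 + i, 0, len(frame), len(frame)) + frame
    return out


def tcp_payloads(pcap: bytes) -> Iterator[Hit]:
    """Yield (src, sport, dst, dport, payload) for every TCP segment carrying data."""
    end = "<" if struct.unpack("<I", pcap[:4])[0] == 0xA1B2C3D4 else ">"
    pos = 24
    while pos + 16 <= len(pcap):
        _, _, incl, _ = struct.unpack(end + "IIII", pcap[pos:pos + 16])
        frame = pcap[pos + 16:pos + 16 + incl]
        pos += 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                                        # not IPv4 over Ethernet, or not TCP
        ihl = (frame[14] & 0x0F) * 4
        ip_len = struct.unpack("!H", frame[16:18])[0]
        src = ".".join(str(b) for b in frame[26:30])
        dst = ".".join(str(b) for b in frame[30:34])
        t = 14 + ihl
        sport, dport = struct.unpack("!HH", frame[t:t + 4])
        doff = (frame[t + 12] >> 4) * 4
        payload = frame[t + doff:14 + ip_len]               # stop at IP length, drop padding
        if payload:
            yield src, sport, dst, dport, payload


def grep_pcap(pcap: bytes, pattern: bytes, port: Optional[int] = None) -> List[Hit]:
    """The core of ngrep: a BPF-like port filter, then a regex over the raw payload bytes."""
    rx = re.compile(pattern, re.IGNORECASE | re.DOTALL)
    return [hit for hit in tcp_payloads(pcap)
            if (port is None or port in (hit[1], hit[3])) and rx.search(hit[4])]


def byline(payload: bytes) -> str:
    """Equivalent of -W byline: keep the payload's line breaks instead of printing dots."""
    return payload.decode("latin-1").replace("\r\n", "\n")


def basic_auth_credentials(payload: bytes) -> Optional[str]:
    """What a sniffer sees after the 401: HTTP Basic is base64, not encryption."""
    m = re.search(rb"Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)", payload, re.IGNORECASE)
    return base64.b64decode(m.group(1)).decode("utf-8", "replace") if m else None


def mysql_query_packet(sql: bytes) -> bytes:
    """MySQL client packet: 3-byte LE length, sequence id 0, COM_QUERY (0x03), SQL text."""
    body = b"\x03" + sql
    return struct.pack("<I", len(body))[:3] + b"\x00" + body


# Constructed sample capture: addresses reuse the page's hosts, everything else is made up.
_CLIENT, _SERVER = "192.168.11.101", "192.168.11.36"
SAMPLE_PCAP = build_pcap([
    build_frame((_CLIENT, 12814), (_SERVER, 80),
                b"GET /nagios/ HTTP/1.1\r\nHost: 192.168.11.36\r\nAuthorization: Basic "
                + base64.b64encode(b"nagiosadmin:example") + b"\r\n\r\n"),
    build_frame((_SERVER, 80), (_CLIENT, 12814), b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"),
    build_frame((_CLIENT, 40001), (_SERVER, 3306),
                mysql_query_packet(b"SELECT user, host FROM mysql.user")),
])

if __name__ == "__main__":
    for src, sport, dst, dport, payload in grep_pcap(SAMPLE_PCAP, rb"select|authorization"):
        print(f"T {src}:{sport} -> {dst}:{dport}")
        print(byline(payload))
        creds = basic_auth_credentials(payload)
        if creds:
            print("  -> Basic credentials on the wire:", creds)
```

Point the same `grep_pcap` at a real file written by `tcpdump -w` to get the equivalent of `ngrep -I file.pcap -q 'pattern' port 3306`; the regex runs over the raw payload, so binary protocol framing (the MySQL length prefix and COM_QUERY byte here) does not prevent a match on the SQL text inside it.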

Reference sites

Capturing packets and grepping them with ngrep
ngrep: capturing traffic in a readable form
Easy packet capture with Network Grep
bash environment configuration


With the push to speed up whole systems, servers included, and the arrival of
the big data era, distributed processing is drawing a lot of attention.

When HPCC was in vogue ten years ago it did not feel very relevant, but now
that open-source systems such as Hadoop and MongoDB let you deploy distributed
processing casually, it has come back into focus over the last two or three years.
An easy thing to forget is that the network is quite likely to become the bottleneck,
so scale-out, including the network, has to be designed in properly when the system is introduced.

What HPC users should know about TCP/IP
ESnet: http://fasterdata.es.net/
———————————————————-
To make better use of its accumulated knowledge, ESnet has developed this Fasterdata Knowledge Base.
The knowledge base provides proven, operationally-sound methods for troubleshooting and
solving performance issues. Our solutions fall into five categories:

Network Architecture, including the Science DMZ model
Host Tuning
Network Tuning
Data Transfer Tools
Network Performance Testing
———————————————————-
According to the HPC material above, these areas are also worth tuning properly.
There are various tools as well, so when investigating it can be worth installing them to get a picture of the current state.
nuttcp, for example, can apparently also detect retransmissions.

■Data Transfer Tools
http://fasterdata.es.net/data-transfer-tools/

■Network Troubleshooting Tools
http://fasterdata.es.net/performance-testing/network-troubleshooting-tools/

■Phil Dykstra’s nuttcp quick start guide
http://wcisd.hpc.mil/nuttcp/Nuttcp-HOWTO.html

Example: checking the network path, including the MTU per hop, with scamper.
———————————————————————-
http://fasterdata.es.net/performance-testing/network-troubleshooting-tools/scamper/

To install scamper:
wget http://www.wand.net.nz/scamper/scamper-cvs-20110421.tar.gz
tar xvzf scamper-cvs-20110421.tar.gz
./configure; make; make install

[root@ip-xxx-xxx-xxx-xxx1 scamper-cvs-20110421]# ./configure; make; make install
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for a thread-safe mkdir -p... /bin/mkdir -p
checking for gawk... gawk
checking whether make sets $(MAKE)... yes
checking build system type... x86_64-unknown-linux-gnu
checking host system type... x86_64-unknown-linux-gnu
checking how to print strings... printf
checking for style of include used by make... GNU
checking for gcc... gcc
checking whether the C compiler works... yes

[root@ip-xxx-xxx-xxx-xxx1 scamper-cvs-20110421]# dig yahoo.co.jp

; <<>> DiG 9.7.3-P3-RedHat-9.7.3-8.P3.15.amzn1 <<>> yahoo.co.jp
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24120
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;yahoo.co.jp.                   IN      A

;; ANSWER SECTION:
yahoo.co.jp.            287     IN      A       203.216.243.240
yahoo.co.jp.            287     IN      A       124.83.187.140

;; Query time: 1 msec
;; SERVER: 172.16.0.23#53(172.16.0.23)
;; WHEN: Sun May 27 08:24:32 2012
;; MSG SIZE  rcvd: 61

[root@ip-xxx-xxx-xxx-xxx1 scamper-cvs-20110421]#
[root@ip-xxx-xxx-xxx-xxx1 scamper-cvs-20110421]# /usr/local/bin/scamper -c "trace -M" -i 124.83.187.140
traceroute from 10.157.37.241 to 124.83.187.140
 1  10.157.36.2  4.163 ms [mtu: 1500]
 2  10.1.22.9  0.378 ms [mtu: 1500]
 3  175.41.192.21  0.397 ms [mtu: 1500]
 4  27.0.0.165  0.321 ms [mtu: 1500]
 5  27.0.0.205  7.595 ms [mtu: 1500]
 6  27.0.0.188  10.107 ms [mtu: 1500]
 7  61.200.80.201  7.698 ms [mtu: 1500]
 8  61.200.80.134  7.857 ms [mtu: 1500]
 9  61.200.82.138  7.942 ms [mtu: 1500]
10  124.83.128.26  12.923 ms [mtu: 1500]
11  124.83.128.146  9.725 ms [mtu: 1500]
12  124.83.128.146  9.852 ms !X [mtu: 1500]
[root@ip-xxx-xxx-xxx-xxx1 scamper-cvs-20110421]#

The !X on the last hop is the traceroute convention for an ICMP "communication administratively prohibited" reply, so the path is filtered just before the destination. Separately, the server-side socket buffer (memory) settings can also be tuned for each environment; compare the defaults below on the coLinux host and on an EC2 instance.

[root@colinux ~]# /sbin/sysctl -a | grep mem
net.ipv4.udp_wmem_min = 4096
net.ipv4.udp_rmem_min = 4096
net.ipv4.udp_mem = 2324160 3098880 4648320
net.ipv4.tcp_rmem = 4096 87380 4194304
net.ipv4.tcp_wmem = 4096 16384 4194304
net.ipv4.tcp_mem = 196608 262144 393216
net.ipv4.igmp_max_memberships = 20
net.core.optmem_max = 20480
net.core.rmem_default = 129024
net.core.wmem_default = 129024
net.core.rmem_max = 131071
net.core.wmem_max = 131071
vm.lowmem_reserve_ratio = 256 256 32
vm.overcommit_memory = 0
[root@colinux ~]#

[root@ip-xxx-xxx-xxx-xxx ec2-user]# /sbin/sysctl -a | grep mem
vm.overcommit_memory = 0
vm.lowmem_reserve_ratio = 256 256 32
net.core.wmem_max = 131071
net.core.rmem_max = 131071
net.core.wmem_default = 229376
net.core.rmem_default = 229376
net.core.optmem_max = 20480
net.ipv4.igmp_max_memberships = 20
net.ipv4.tcp_mem = 14679 19574 29358
net.ipv4.tcp_wmem = 4096 16384 626368
net.ipv4.tcp_rmem = 4096 87380 626368
net.ipv4.udp_mem = 14679 19574 29358
net.ipv4.udp_rmem_min = 4096
net.ipv4.udp_wmem_min = 4096
[root@ip-xxx-xxx-xxx-xxx ec2-user]#
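The two `sysctl` dumps above only make sense against a target path. As an added example (not from ESnet or the original page), the following Python checks the page's own coLinux values against the bandwidth-delay product of an assumed path: link speed and RTT are inputs you supply, and the rule of thumb applied is that the TCP autotuning maximum (third value of tcp_rmem/tcp_wmem) should cover at least one BDP, while net.core.rmem_max/wmem_max cap what an application can request itself with SO_RCVBUF/SO_SNDBUF. The sysctl text embedded below is copied from the coLinux output above.

```python
"""Check Linux socket-buffer sysctls against the bandwidth-delay product of a path.

Added example, not part of the page or of ESnet's material. The sysctl lines
are the page's coLinux `sysctl -a | grep mem` output; link speed and RTT are
assumed inputs, as is the "autotuning max >= one BDP" rule of thumb.
"""
import re
from typing import Dict, List, Tuple

# Copied from the coLinux output above (only the buffer-related keys).
COLINUX_SYSCTL = """\
net.ipv4.tcp_rmem = 4096 87380 4194304
net.ipv4.tcp_wmem = 4096 16384 4194304
net.core.rmem_max = 131071
net.core.wmem_max = 131071
net.core.rmem_default = 129024
"""

Result = Tuple[str, bool, str]  # sysctl key, ok?, human-readable reason


def parse_sysctl(text: str) -> Dict[str, List[int]]:
    """Turn 'key = v1 v2 v3' lines into {key: [v1, v2, v3]}; non-numeric lines are skipped."""
    out: Dict[str, List[int]] = {}
    for line in text.splitlines():
        m = re.match(r"\s*([\w.]+)\s*=\s*(.+?)\s*$", line)
        if not m:
            continue
        vals = m.group(2).split()
        if all(v.lstrip("-").isdigit() for v in vals):
            out[m.group(1)] = [int(v) for v in vals]
    return out


def bdp_bytes(bandwidth_bps: float, rtt_ms: float) -> int:
    """Bandwidth-delay product: bytes that must be in flight to keep the pipe full."""
    return int(bandwidth_bps / 8 * rtt_ms / 1000)


def check_buffers(sysctl: Dict[str, List[int]], bandwidth_bps: float, rtt_ms: float) -> List[Result]:
    """Compare each buffer ceiling with the BDP; returns one (key, ok, reason) per ceiling."""
    bdp = bdp_bytes(bandwidth_bps, rtt_ms)
    results: List[Result] = []
    # Autotuning grows the socket buffer up to the third value of tcp_rmem/tcp_wmem.
    for key in ("net.ipv4.tcp_rmem", "net.ipv4.tcp_wmem"):
        mx = sysctl[key][2]
        results.append((key, mx >= bdp, f"autotuning max {mx} vs BDP {bdp}"))
    # Applications that call setsockopt(SO_RCVBUF/SO_SNDBUF) are capped by the core values
    # instead, so a transfer tool that sets its own buffer never benefits from tcp_rmem alone.
    for key in ("net.core.rmem_max", "net.core.wmem_max"):
        core = sysctl[key][0]
        results.append((key, core >= bdp, f"setsockopt ceiling {core} vs BDP {bdp}"))
    return results


def report(text: str, bandwidth_bps: float, rtt_ms: float) -> str:
    """Plain-text summary, one line per ceiling, for pasting into a ticket."""
    lines = [f"path: {bandwidth_bps / 1e6:.0f} Mbit/s, RTT {rtt_ms} ms, BDP {bdp_bytes(bandwidth_bps, rtt_ms)} bytes"]
    for key, ok, why in check_buffers(parse_sysctl(text), bandwidth_bps, rtt_ms):
        lines.append(f"  [{'ok' if ok else 'LOW'}] {key}: {why}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Assumed paths: a 1 Gbit/s LAN at 10 ms and the same link at 100 ms (e.g. intercontinental).
    print(report(COLINUX_SYSCTL, 1e9, 10))
    print(report(COLINUX_SYSCTL, 1e9, 100))
```

Run it against `sysctl -a | grep mem` from your own hosts; the usual surprise is the second group, where a 4 MB autotuning ceiling looks fine but the 128 KB net.core.rmem_max quietly limits any tool that sizes its own buffers.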

Note:
For Windows there are a few things to be aware of from Windows Server 2008 onward.

TCP receive window auto-tuning does not work correctly in Windows Server 2008 R2

All the TCP/IP ports that are in a TIME_WAIT status are not closed after 497 days

Do you know about the Scalable Networking Pack?


━ Wireshark ━
http://www.wireshark.org/
Wireshark is the packet capture tool that was long and widely used under the name Ethereal.
It is useful when you want to capture packets and analyze the network.
Download it from the site below
http://www.wireshark.org/download.html

━ STONE ━
http://www.gcd.org/sengoku/stone/
When you already know which network connection you want to look at in detail, stone is handy.
For example, you can check an application's behaviour or its connection commands without
putting load on the destination by using stone as a repeater in between.

Download it from the sites below
* stone version 2.3e
http://www.gcd.org/sengoku/stone/stone-2.3e.tar.gz
* stone version 2.3e for WindowsXP
http://www.gcd.org/sengoku/stone/stonexp-2.3e.zip

(screenshot: stone1)