[Nagiosplug-help] check_udp suitable to mimic traceroute?

Ralph.Grothe at itdz-berlin.de Ralph.Grothe at itdz-berlin.de
Wed Jan 17 15:13:35 CET 2007


Hi Andreas et al.,

> -----Original Message-----
> From: Andreas Ericsson [mailto:ae at op5.se]
> Sent: Wednesday, January 17, 2007 1:54 PM
> To: Grothe, Ralph
> Cc: nagiosplug-help at lists.sourceforge.net
> Subject: Re: [Nagiosplug-help] check_udp suitable to mimic traceroute?
> 


Meanwhile I was informed by a network admin whom I asked
that the suspicious packet-dropping gateway is a firewall.

Searching the Net for tools I came across tcptraceroute,
whose authors claim that it can better cope with packet sinks
such as firewalls by using TCP packets targeted to a known
unfiltered port instead of ICMP or UDP packets as traditional
traceroute does.
I will give it a try...

http://michael.toren.net/code/tcptraceroute/

> > 
> > So to avoid the hassle could one use check_udp, or any other of
> > the vanilla plug-ins, to this end?
> > 
> 
> I'm afraid not. What you would have to do is modify an existing plugin
> capable of handling icmp, send a ping to a host behind the device you
> really want to ping, and then read the ICMP_TIMXCEED as normal
> ICMP_ECHOREPLY packets. The only difference between the two is in
> icmphdr.type and icmphdr.code. The original packet is still duplicated
> on return.

That's a pity.
I have hoped for an easy (to me) solution.
But it sounds as if this is more involved.

I will see if I can make use of CPAN's Net::PcapUtils and related
because I am a lousy C coder, and a Perl API would alleviate the task
tremendously for me.

I have also come across a Perl firewall tester called ftester
from which I hope to find useful implementation clues in its
source.

http://dev.inversepath.com/ftester

I think I will be able to strip the relevant parts of the ICMP header
with the Perl wrapper around libpcap.

From the figure of an ICMP packet as presented in the RFC
the Type field must be the 1st octet and the Code field the 2nd.


> > All I know is that such a UDP datagram would probably require the
> > TTL set to 1 to have the checked gateway decrement it by one and
> > send an ICMP expiration notification packet back to the sender,
> > much like traceroute.
> > 
> 
> The value of the TTL on any outgoing packet would have to be the same as
> the number of hops required to reach the gateway, including the
> gateway-hop itself, so for this setup:
> 
> Nagios -> gw1 -> gw2 -> address-to-ping
> 
> you'd have to use TTL=1 to check gw1, TTL=2 to check gw2.
> You'd probably be best off by submitting the TTL as an argument, as it's
> a bit tricky to calculate without doing a semi-full traceroute.

Yes, I neglected that every hop is decrementing the TTL.


Besides, I seem to remember having once read about a tool called htping
that could be used to rather easily craft up all sorts of packets?

This sadly reminds me of plans by the Ministry of Justice over here
to amend our Criminal Law by making the use of so called "hacker
tools" punishable en route to "EU law harmonization".

Apart from the fact that the politicians don't seem to understand the
difference between hackers and crackers, I fear that such valuable
admin tools may soon be banned.

Regards

Ralph
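The hop check Andreas describes, written out as an added example (not code from the nagios-plugins project or from anyone in this thread): it crafts the ICMP echo probe, builds sample IPv4 packets that stand in for the replies gw1 and the destination would send back, and tells an ICMP_ECHOREPLY from an ICMP_TIMXCEED by the first two octets of the ICMP header, matching either back to the probe by its id/seq (for TIMXCEED, from the copy of the original datagram carried in the reply). The addresses 10.0.0.10, 10.0.0.1 and 192.0.2.1 and the identifier 0x1234 are constructed for the sample; putting the probe on the wire with the right TTL needs a raw socket and is left to the plugin.

```python
import struct
from ipaddress import IPv4Address

ICMP_ECHOREPLY, ICMP_ECHO, ICMP_TIMXCEED = 0, 8, 11   # icmphdr.type values

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over ICMP header + payload."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_echo_request(ident: int, seq: int, payload: bytes = b"check") -> bytes:
    """ICMP echo request; the TTL lives in the IP header (TTL == hop index of the gateway)."""
    hdr = struct.pack("!BBHHH", ICMP_ECHO, 0, 0, ident, seq)
    return struct.pack("!BBHHH", ICMP_ECHO, 0, icmp_checksum(hdr + payload), ident, seq) + payload

def build_ipv4(src: str, dst: str, ttl: int, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (proto 1 = ICMP, header checksum left 0) for the samples."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, 1, 0,
                       IPv4Address(src).packed, IPv4Address(dst).packed) + payload

def classify_reply(pkt: bytes, ident: int, seq: int):
    """Return (kind, sender): kind is 'echoreply', 'timxceed' or None if the
    packet is not a reply to the probe identified by (ident, seq)."""
    ihl = (pkt[0] & 0x0F) * 4
    sender = str(IPv4Address(pkt[12:16]))
    icmp = pkt[ihl:]
    itype, code = icmp[0], icmp[1]        # type is the 1st octet, code the 2nd (RFC 792)
    if itype == ICMP_ECHOREPLY and code == 0:
        echo, kind = icmp[:8], "echoreply"          # id/seq sit in the reply itself
    elif itype == ICMP_TIMXCEED and code == 0:      # code 0: TTL exceeded in transit
        inner = icmp[8:]                            # original IP header + first 8 bytes of our probe
        echo, kind = inner[(inner[0] & 0x0F) * 4:][:8], "timxceed"
    else:
        return None, sender
    _, _, _, rid, rseq = struct.unpack("!BBHHH", echo)
    return (kind if (rid, rseq) == (ident, seq) else None), sender

# Constructed samples: Nagios 10.0.0.10 probes 192.0.2.1 with TTL=1, so gw1 (10.0.0.1)
# must answer with time exceeded; the echo reply below is what the target would send
# (its ICMP checksum is left 0; the parser does not verify checksums).
PROBE = build_echo_request(ident=0x1234, seq=1)
SENT = build_ipv4("10.0.0.10", "192.0.2.1", ttl=1, payload=PROBE)
TIMXCEED_REPLY = build_ipv4("10.0.0.1", "10.0.0.10", 64,
                            struct.pack("!BBHI", ICMP_TIMXCEED, 0, 0, 0) + SENT[:28])
ECHO_REPLY = build_ipv4("192.0.2.1", "10.0.0.10", 64,
                        struct.pack("!BBHHH", ICMP_ECHOREPLY, 0, 0, 0x1234, 1) + b"check")
```

A plugin built on this would report OK when the TIMXCEED sender is the gateway it was told to check, and treat an echo reply at that TTL as the sign that the TTL argument is too high.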



