saves me from needing to count:

$ cat /tmp/x | awk '{ print $NF }'
192.168.1.110
192.168.1.10
192.168.1.92
...

Why isn't it $LF? That would be too easy. No, seriously, NF means 'number of fields,' so $NF is the NFth field counting from the left, which is always the last field on the line. Whatever. Just remember that in awk you can type $NF when you want the last field on a line. (Two tcpdump flags matter here: -l makes tcpdump line-buffer its output, so the rest of the pipeline sees each packet as it arrives instead of when a buffer fills, and -n stops it from doing DNS lookups, which would slow it down and change the output.)

$ sudo tcpdump -l -n arp | egrep 'arp who-has' | head -100 | awk '{ print $NF }'

So, now we get output that is a series of IP addresses. Test it and see.

(Really! Test it and see. I'll wait.)

Now, we want to count how many times each IP address appears in our list. There is an idiom that I use all the time for just this purpose: sort | uniq -c

This sorts the data, then runs uniq, which usually eliminates duplicates from a sorted list (well, technically it removes any adjacent duplicate lines; sorting the list first assures us that identical lines are all adjacent). The -c flag counts how many repetitions were seen and prepends the number to each line. The output looks like this:

...
     11 192.168.1.111
      7 192.168.1.230
     30 192.168.1.254
      8 192.168.1.56
     21 192.168.1.91
...

We're almost there! Now we have a count of how many times each host sent an ARP. The last thing we need to do is sort that list so we know who the most talkative hosts were. To do that, we sort the list numerically by adding | sort -n to the end. The count is the first thing on each line, so sort -n orders by it, and the chattiest hosts end up at the bottom:

$ sudo tcpdump -l -n arp | egrep 'arp who-has' | head -100 | awk '{ print $NF }' | sort | uniq -c | sort -n
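One detail the pipeline above depends on is the exact shape of tcpdump's ARP lines. Older versions print "arp who-has 192.168.1.1 tell 192.168.1.110", so the asker is the last field. Current versions print "ARP, Request who-has 192.168.1.1 tell 192.168.1.110, length 28": egrep 'arp who-has' matches nothing, and $NF would give you "28". The following is an added example, not code from the book. It keys on the word "tell" instead of on field position, accepts both spellings, and then applies the same sort | uniq -c | sort -n idiom. The sample lines are constructed, and the function names arp_askers and arp_top_talkers are my own.

```shell
#!/bin/sh
# Added example: count which hosts send the most ARP requests, reading
# tcpdump output and tolerating both the old and the new line formats.

# Constructed sample lines (not a real capture). The first and fourth use
# the older "arp who-has X tell Y" spelling; the others use the format
# printed by current tcpdump, where the last field is the length, not an IP.
SAMPLE='11:02:01.123456 arp who-has 192.168.1.1 tell 192.168.1.110
11:02:01.223456 ARP, Request who-has 192.168.1.20 tell 192.168.1.110, length 28
11:02:01.323456 ARP, Reply 192.168.1.20 is-at 00:11:22:33:44:55, length 28
11:02:02.123456 arp who-has 192.168.1.2 tell 192.168.1.92
11:02:02.323456 ARP, Request who-has 192.168.1.3 tell 192.168.1.110, length 28'

# Print the address of the asking host, one per ARP request line on stdin.
# Keys on the word "tell" rather than on $NF, so the field position may move.
arp_askers() {
    awk '
        tolower($0) ~ /who-has/ {
            for (i = 1; i < NF; i++)
                if ($i == "tell") {
                    ip = $(i + 1)
                    sub(/,$/, "", ip)   # newer tcpdump appends ", length N"
                    print ip
                }
        }'
}

# The book idiom: sort, count adjacent duplicates, sort by count.
arp_top_talkers() {
    arp_askers | sort | uniq -c | sort -n
}

printf '%s\n' "$SAMPLE" | arp_top_talkers
```

Run against a live capture with sudo tcpdump -l -n arp | head -100 | arp_top_talkers; the ARP reply line in the sample is ignored because it carries no "who-has", and 192.168.1.110 comes out last with a count of 3.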

When we run that, we will see the sorted list. It will take a while to run on a network that isn't very busy. On a LAN with 50 computers, this took nearly an hour to run when not a lot of people were around. However, that was after the machine with the spyware was eliminated. Before that, it only took a few minutes to collect 100 ARP packets.

On your home LAN with only one or two machines, this command may take days to run. Hosts are required to cache the ARP info they gather, so after a machine is running for a while, it should be very rare that it outputs an ARP if the only machine it talks to (on the local LAN) is your router.

However, on a network with 100 or so hosts, this will find suspect machines very quickly.

We now have a very simple tool we can use during a worm attack. This doesn't replace a multi-thousand-dollar Intrusion Detection System or a good antivirus/antispyware/antiworm system, but it sure can help you pinpoint a problem when it is happening. Best of all, it's free, and you learned something about shell programming.

If you'd like to hone your shell programming skills, here are some mini projects you can try:

tcpdump outputs some informational messages to stderr. Is there a way to stop it from outputting those messages? If not, how could we get cleaner-looking output?

Turn this one-line command into a shell script. Put this in your bin directory so you can use it in the future.

Take the shell script and expand it so that you can specify which NIC to sniff or other options you find useful.

tcpdump can be programmed to only gather ARP 'who-has' packets, so you can eliminate the grep command. Learn enough about tcpdump to do this.

tcpdump has the ability to replace the functionality of head -100. Learn enough about tcpdump to do this. Is it the exact same thing as head -100? Is it better or worse?

awk is a complete programming language. Eliminate the 'grep' as well as the 'head' arguments using awk. Why do you think I chose to do it in three processes instead of just letting awk do it all?

Using Microsoft Excel to Avoid Writing a GUI
