LinuxQuestions.org (https://www.linuxquestions.org/questions/)
Linux - Networking (https://www.linuxquestions.org/questions/linux-networking-3/)
Trying to reverse engineer our network :) (https://www.linuxquestions.org/questions/linux-networking-3/trying-to-reverse-engineer-our-network-158061/)

8webguy8 03-15-2004 02:35 PM

Trying to reverse engineer our network :)
 
I am trying to figure out how our network is set up. It was set up by a company that is no longer in business and before I worked here. I don't know much about setting up a network but intend to learn. I took some pictures, and many of you hot-shots can probably look at the pictures and say, "Oh, yeah.. that's.. blah do de bleh.." :)

This is what I know about our network: 30+ computers, 1 dual 733MHz server (crap), 3 D-Link hubs, 1 WatchGuard SOHO box, 1 Cisco 1700 and a buttload of wires. Not to mention the server rack, which is in one of the pictures.

Basically this is what is up. That server is a good 3+ years old, running Novell version like -1, and is ready for retirement. I want to replace it with a blazin' Linux fileserver and need to figure out what I have now, and where is the best place to end up. I'm just learning Linux, but I catch on quick. And I'm doing a dummy install with a pretty fast computer at my desk, so I can practice till perfect :). It is running RH9 and Samba. Below is a link to the images of our current setup. What do I need to know, and what do I need to get and do to upgrade this server? Every computer in the office runs through this computer to save files and I guess connect to the internet through the Cisco router, which is hooked to a fractional T1 @ 512kb.

And BTW, to reference the images. The 3 cables I have my finger on are coming from the servers network cards. Which are in one of the pictures.

If there is anything more you wish to know, shoot, and I'll fire back.

http://www.ifae.com/server

webG

Mara 03-15-2004 03:02 PM

There are programs that can scan the network for you, but I don't remember a name for now..
But you can do it manually. 'ping' and 'traceroute' will become your closest friends. Start by checking whether your network uses DHCP or static IPs. Make sure all machines are configured in the same way. Then you need to write down the IPs of all machines, if they're static. From the pictures you provided you probably have 2 subnets (so machines can have 192.168.1.X and 192.168.2.X, for example). See if that fits the IPs you have. Machines that are close to each other probably have similar IPs.
Also check which IP (IPs) the server has.
When you have this, use ping and traceroute to find where the machines are logically. For all machines do: ping the machine. Note if you can ping it or not. If you can, traceroute it. Check how many hops it takes to get to it. If there's only one hop printed, the machine is in the same subnet as you.
When you have server IPs and you can divide the machines into subnets and there's nothing strange, you can probably upgrade the server. But I'd use an extra machine, install Samba and so on and try to plug it instead of the old server. Then you can plug and unplug until everything's correct.

Bebo 03-15-2004 03:12 PM

You can use nmap to scan your network. (Was this what you were thinking about, Mara?)
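As an added example (not code posted by anyone in this thread), here is the bookkeeping that Mara's ping/traceroute procedure and Bebo's nmap suggestion both come down to: take the hosts a ping sweep reports as up, split them into "shares my subnet" and "somewhere else", count how many /24 blocks answered, and read the hop count off a traceroute. The nmap grepable output and the traceroute text are constructed samples, and the scanner's own address (192.168.137.42/24) is an assumption; the thread only gives the 192.168.137.0/24 LAN and the router at 192.168.137.1.

```python
import ipaddress
import re

# Assumed address of the machine doing the scanning. The thread shows that the LAN
# is 192.168.137.0/24 and the router is 192.168.137.1; the host part is made up.
LOCAL = ipaddress.ip_interface("192.168.137.42/24")

# Constructed `nmap -sP -oG -` (grepable ping scan) output, not a capture from the thread.
NMAP_GREPABLE = """\
# Nmap ping scan (constructed sample)
Host: 192.168.137.1 ()\tStatus: Up
Host: 192.168.137.15 ()\tStatus: Up
Host: 192.168.137.201 ()\tStatus: Up
Host: 192.168.1.7 ()\tStatus: Up
Host: 192.168.2.9 ()\tStatus: Up
Host: 192.168.200.3 ()\tStatus: Up
"""

# Constructed traceroute output for one of the off-subnet hosts.
TRACEROUTE_SAMPLE = """\
traceroute to 192.168.200.3 (192.168.200.3), 30 hops max, 38 byte packets
 1  192.168.137.1 (192.168.137.1)  0.512 ms  0.430 ms  0.412 ms
 2  192.168.200.3 (192.168.200.3)  1.201 ms  1.140 ms  1.113 ms
"""

HOST_LINE = re.compile(r"^Host:\s+(\d+\.\d+\.\d+\.\d+)\s.*Status:\s+Up", re.M)
HOP_LINE = re.compile(r"^\s*(\d+)\s+(\S+)", re.M)


def live_hosts(grepable):
    """Addresses nmap reported as up, in file order."""
    return [ipaddress.ip_address(m.group(1)) for m in HOST_LINE.finditer(grepable)]


def classify(hosts, local=LOCAL):
    """Split hosts into those sharing the scanner's subnet and everything else.

    Anything in the second list answered the sweep but is not on the local wire,
    so it is what you traceroute next (Mara's one-hop rule).
    """
    same = [h for h in hosts if h in local.network]
    other = [h for h in hosts if h not in local.network]
    return same, other


def by_prefix(hosts, prefixlen=24):
    """Count live hosts per /prefixlen block, e.g. how many 192.168.x.0/24 blocks answered."""
    counts = {}
    for h in hosts:
        net = ipaddress.ip_network(f"{h}/{prefixlen}", strict=False)
        counts[net] = counts.get(net, 0) + 1
    return counts


def hop_count(traceroute_text):
    """Number of hops traceroute printed; 1 means the target answered directly."""
    hops = [int(m.group(1)) for m in HOP_LINE.finditer(traceroute_text) if m.group(2) != "*"]
    return max(hops, default=0)


if __name__ == "__main__":
    hosts = live_hosts(NMAP_GREPABLE)
    same, other = classify(hosts)
    print("same subnet:", [str(h) for h in same])
    print("elsewhere:  ", [str(h) for h in other])
    print("per /24:    ", {str(k): v for k, v in by_prefix(hosts).items()})
    print("hops to 192.168.200.3:", hop_count(TRACEROUTE_SAMPLE))
```

The point of the split is the one the thread circles around: a sweep of all of 192.168.0.0/16 from inside the LAN can only have reached the off-subnet addresses through the router, so a long "elsewhere" list tells you to look at what the router is forwarding, not at the hubs.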

8webguy8 03-15-2004 03:22 PM

Thanks for your replies. Very helpful. I forgot to mention that our network uses DHCP and all the clients pull their IP from that. 4 Mac OS 9 clients, 1 OS X, and the rest XP Pro. I used an IP scanner to scan our network and almost all of our addresses appear on the 192.168.137.* subnet. However one popped up under 192.168.1.* and another under 192.168.2.*, and our router is 192.168.137.1. I am doing a full IP scan of 192.168.*.* right now to see if there are any other weird IPs popping up.

I am quite familiar with ping and tracert.. lol. Troubleshooting Windows internet. And when I do a traceroute to the router I get no hops. Just a right response from the router. Or should I be tracing the IP of the server? I'd think that I wouldn't get any hops to there either. I could be wrong and I will try that as well just to know for sure.

[EDIT]
Completing the scan I mentioned above yielded a few hundred active IPs, from 192.168.1.* to 192.168.255.*. So I'm thinking that these are active on the internet and not our internal network. Correct me if I'm wrong. If these are responding internally then I am really confused.

So now I need to know, where do I go next? How hard is it to learn how to get these to work together? I'll probably mess around with it over the weekend, but do I need to have 3 network cables running out of the computer? I thought the Cisco router controlled all the internet connections? And the SOHO box was the firewall?
[/EDIT]

jschiwal 03-16-2004 12:22 AM

One quick thing that you could do, is from each XP computer, run the command
ipconfig.

This will give you the IP address of that computer, and information on the Gateway, DNS and DHCP server IP addresses.
The servers will probably have static IP addresses, and may be listed in the
/WINDOWS/SYSTEM32/DRIVERS/ETC/HOSTS and LMHOSTS files.

MS3FGX 03-16-2004 12:55 AM

Well, first off, why did you bother to do an IP scan if you are using DHCP? You could have just checked the IP leases on the server.

And no, anything in the 192.168.x.x range is internal, that is not an internet IP.

Well, at any rate, all you have to do is figure out what services the current server is offering to the clients and its IP address. Then set up a Linux machine running compatible services, and assign it the server's IP (after unplugging the Cat5 from the NIC of the server).

Though, no offense, you have a lot of work ahead of you if your networking knowledge consists of ping and tracert. There is a reason they have professional Network Administrators (which is what I am, by the way, so I have done what you are talking about before for clients) come in and do this sort of thing.

MS3FGX 03-16-2004 01:14 AM

Is the web address you posted the address to the current server running there?

If so, you have your work cut out for you. It is running multiple services, it also appears to be Linux...though you said it was Novell...

8webguy8 03-16-2004 09:11 AM

Thanks for the replies. Very informative. The thing is I don't want it to have the same services. I don't want to use Novell anymore. I'd like to figure out a way to use a simple (greatly exaggerated) Linux system, with Samba for our users to connect to. All we do around here is save files to the server... and... well... and nothing else. That's it. So if there are other services, why are they there? I'm going to do some further testing this weekend when no one is in the office to get a better understanding of what is happening with our internal network. When I did that IP scan, I got hundreds of replies from many different addresses, and that is just not right with 30+ computers. And the reason I didn't check anything on the server is because I didn't set it up and I don't have the privileges to run any commands. No one here does. The company that set it up no longer exists.

And I understand that I have a bunch of work ahead of me, and that alone is not going to deter me. This is something I would like to learn and basically I have the time and the resources to learn it so,..why not learn?

The question that I am basically asking is what do I need to learn? Samba, DHCP.. and what? I appreciate your candor, it really helps put the whole project in context. And yes, the address I posted is the address of the server; each client has a Novell client, so perhaps it is Linux running Novell. I wish I knew.

I'm not a complete dunce, halfwit..yes, but not complete. I'm a perl programmer/website designer and I pretty much do everything technical in this office, only by learning while doing, or before doing, or after doing :).

A couple of questions that might help clear some of the fog: who is assigning the IPs? The Cisco router or the server? Why does it have three NICs? What do I need to learn to implement a Linux fileserver to interface with Win32 systems?

Thanks for your time, much appreciated.

webG

Mara 03-16-2004 04:48 PM

Quote:

And when I do a traceroute using to the router I get no hops. Just right response from the router. Or should I be tracing the ip of the server? I'd think that I wouldn't get any hops to their either. I could be wrong and I will try that as well just to know for sure.
All the IPs you got from the scan. Those in the subnet your machine's in will give you one hop, those in a different subnet two or more.

Quote:

So now I need to know, where do I go next? How hard is it to learn how to get these to work together? I'll probably mess around with it over the weekend, but do I need to have 3 network cables running out of the computer? I thought the cisco router controlled all the internet connections? And the soho box was the firewall?
The machines are probably divided into 3 subnets. And there's probably a reason. Different services they use, limited access to resources, maybe? The Cisco probably has something to do with Internet access. See if you can trace that part 'by wires'.

Quote:

When I did that IP scan, I got hundreds of replies from many different addresses, and that is just not right with 30+ computers.
So at the weekend, turn all machines on, then make the scan again. Note that part of the result may be because of your Net connection (private class or your ISP). So, it may be good to unplug the connection for the scan.

Quote:

The question that I am basically asking is what do I need to learn? Samba, DHCP..and what?
Probably networking (TCP/IP), troubleshooting tools (nmap, tcpdump, ettercap and many more), services: Samba, DHCP, probably WWW, FTP and so on.

Quote:

A couple question that might help clear some of the fog is, who is assigning the IP's? The cisco router or the server?
Good question. One of the two. Look in the router's manual to see if it can assign addresses (and for a way to get in). You can also learn from tcpdump output (all 'normal' machines off, only yours up with ettercap running; turn on one of the machines in the same network and ettercap will show you what machine it's connecting to).

Quote:

Why does it have three NICs?
One NIC probably to the router, 2 for 2 different subnets.

Quote:

What do I need to learn to implement a linux fileserver to interface with win32 systems?
Samba manual ("Using Samba") in HTML format is included when you install it. It's a good read and explains many things.
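Mara's tcpdump/ettercap suggestion for the "who hands out the leases?" question boils down to reading the DHCP server identifier (option 54) out of the OFFER and ACK messages on the wire. The following is an added example, not code from anyone in the thread: a minimal DHCP message parser and a check that lists every server identifier seen, so a second, unexpected lease source stands out. The OFFER it parses is constructed in the block (`build_offer`) rather than captured; in practice you would feed it the UDP payloads from something like `tcpdump -i eth0 -n -w dhcp.pcap udp port 67 or udp port 68`, and the expected server address (192.168.137.1) is an assumption taken from the router address the thread mentions.

```python
import ipaddress
import struct

BOOTP_FMT = "!BBBBIHH4s4s4s4s16s64s128s"   # fixed 236-byte BOOTP header
MAGIC = b"\x63\x82\x53\x63"                 # DHCP magic cookie that follows it
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


def _ip(addr):
    return ipaddress.IPv4Address(addr).packed


def build_offer(xid, yiaddr, server_id, mask, router, lease_secs,
                client_mac=b"\x00\x11\x22\x33\x44\x55"):
    """Constructed DHCPOFFER payload (what the server sends on UDP 67 -> 68); not a real capture."""
    header = struct.pack(BOOTP_FMT, 2, 1, 6, 0, xid, 0, 0x8000,
                         b"\0" * 4, _ip(yiaddr), _ip(server_id), b"\0" * 4,
                         client_mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    options = (b"\x35\x01\x02"                           # 53: message type = OFFER
               + b"\x36\x04" + _ip(server_id)            # 54: server identifier
               + b"\x01\x04" + _ip(mask)                 # 1: subnet mask
               + b"\x03\x04" + _ip(router)               # 3: router
               + b"\x33\x04" + struct.pack("!I", lease_secs)  # 51: lease time
               + b"\xff")                                # 255: end
    return header + MAGIC + options


def parse_dhcp(payload):
    """Decode the BOOTP header and the TLV options; raises ValueError on anything malformed."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    f = struct.unpack(BOOTP_FMT, payload[:236])
    msg = {
        "op": f[0], "xid": f[4],
        "yiaddr": str(ipaddress.IPv4Address(f[8])),   # address being offered
        "siaddr": str(ipaddress.IPv4Address(f[9])),   # next-server, often the DHCP server too
        "chaddr": f[11][:f[2]].hex(":"),              # client MAC, hlen bytes of the 16
        "options": {},
    }
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 0:            # pad
            i += 1
            continue
        if code == 255:          # end
            break
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        msg["options"][code] = value
        i += 2 + length
    opts = msg["options"]
    msg["message_type"] = MSG_TYPES.get(opts[53][0], "UNKNOWN") if 53 in opts else None
    msg["server_id"] = str(ipaddress.IPv4Address(opts[54][:4])) if 54 in opts else None
    msg["router"] = str(ipaddress.IPv4Address(opts[3][:4])) if 3 in opts else None
    msg["lease_secs"] = struct.unpack("!I", opts[51])[0] if 51 in opts else None
    return msg


def dhcp_servers(payloads):
    """Server identifiers seen in OFFER/ACK messages: the hosts actually handing out leases."""
    seen = set()
    for p in payloads:
        try:
            m = parse_dhcp(p)
        except ValueError:
            continue
        if m["message_type"] in ("OFFER", "ACK") and m["server_id"]:
            seen.add(m["server_id"])
    return seen


def unexpected_servers(payloads, expected):
    """Anything answering DHCP that is not on the list you expect (router or file server)."""
    return dhcp_servers(payloads) - set(expected)


if __name__ == "__main__":
    # Assumed: the router at 192.168.137.1 is the only legitimate lease source.
    offer = build_offer(0x1234, "192.168.137.50", "192.168.137.1",
                        "255.255.255.0", "192.168.137.1", 86400)
    stray = build_offer(0x1234, "192.168.137.50", "192.168.137.77",
                        "255.255.255.0", "192.168.137.77", 3600)
    print(parse_dhcp(offer))
    print("servers seen:", dhcp_servers([offer, stray]))
    print("unexpected:  ", unexpected_servers([offer, stray], ["192.168.137.1"]))
```

Two servers answering the same DISCOVER is exactly the situation you want to notice before swapping the file server out: whichever answers first wins the client, and the one you forgot about keeps handing out the old gateway.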

MS3FGX 03-16-2004 05:18 PM

Well, time for some more candor. :D

You are thinking in very close-minded terms as to what your server is doing. You aren't just saving files to it.

As far as I can tell, it is doing the following things:

1. Serving your web site (Apache)
2. Running an FTP server (I tried to get in to see what was in it, but it wouldn't allow anonymous access) (PROFTP)
3. Handling both incoming and outgoing mail
4. Running an IRC server (What are you using that for?)
5. It also appears to be running BlackICE (firewall)

So, it is a mail, web, FTP, IRC server, and a firewall for your network.

Since it is running firewall software, the 3 NICs are not for different subnets (that would be unnecessary anyway). They are:

1. Internet connection (from Cisco router most likely)
2. Filtered connection for your LAN (this one probably goes to the D-Link stack)
3. DMZ (???)

I'm not sure about the DMZ, since you only have one server. You are going to need to trace that last cat5 line to see where it goes. It could be a second subnet, but I would find that unlikely due to the fact that you hardly have enough machines to justify a second NIC for a different subnet. I have one network running 2 subnets with around 150 total clients all on one NIC.

I should also note that there is no BlackICE for Linux or Novell (a Linux version is in BETA I hear though), so your server can't really be running BlackICE, but is most likely running a similar firewall software.

Your server is also most likely serving up the DHCP leases. To test this, go to one of the Windows XP clients and type ipconfig /all which will list:

DHCP Server..........:x.x.x.x

And again, everything I can find points to this server running Linux 2.4.x.

I'm not sure why you got so many active IP addresses when you did the scan. It is possible that you have networked hardware (printers and such) but that is a large discrepancy between how many machines you have and how many IP addresses are active.
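The service list above was built by probing the public address from outside. As an added example (not code from anyone in the thread), here is the minimum that such a probe does: connect to a port, read whatever the service says first, and classify by the banner rather than by the port number, because on a small network with a firewall in front, a port can be forwarded to a different box than the one you think you are talking to. To keep it runnable offline, the block starts its own one-shot loopback listeners with constructed banners; the ports and banner texts are assumptions, not what the thread's server actually returned.

```python
import socket
import threading

# Services the post above says the server looked like it offered; assumed standard ports.
SERVICE_PORTS = {21: "ftp", 25: "smtp", 80: "http", 110: "pop3", 6667: "irc"}
# Most services greet first; HTTP only answers after a request.
PROBES = {80: b"HEAD / HTTP/1.0\r\n\r\n"}


def grab_banner(host, port, timeout=2.0, probe=None, maxlen=512):
    """First bytes the service sends: b'' if it accepts but stays silent, None if nothing is listening."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            if probe:
                s.sendall(probe)
            try:
                return s.recv(maxlen)
            except socket.timeout:
                return b""
    except OSError:
        return None


def identify(banner):
    """Classify by what the service says, not by the port it was reached on."""
    if banner is None:
        return "closed"
    if not banner:
        return "open, silent"
    b = banner.upper()
    if b.startswith(b"HTTP/"):
        return "http"
    if b.startswith(b"220") and b"SMTP" in b:
        return "smtp"
    if b.startswith(b"220"):
        return "ftp"
    if b.startswith(b"+OK"):
        return "pop3"
    if b.startswith(b":") or b"NOTICE AUTH" in b:
        return "irc"
    return "unknown"


def inventory(host, ports=SERVICE_PORTS, timeout=2.0):
    """Map port -> (service expected on that port, service observed, raw banner)."""
    out = {}
    for port in ports:
        banner = grab_banner(host, port, timeout, PROBES.get(port))
        out[port] = (SERVICE_PORTS.get(port, "?"), identify(banner), banner)
    return out


# --- loopback stand-ins so the example runs without touching a real network ---

def serve_banner(banner, wait_for_request=False):
    """One-shot listener on an ephemeral 127.0.0.1 port that sends `banner` to the first client."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        with conn:
            if wait_for_request:
                conn.recv(1024)
            conn.sendall(banner)
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port


def free_port():
    """A loopback port with nothing listening, to show the closed case."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def run_demo():
    """Constructed banners standing in for the services discussed above; returns {real port: verdict}."""
    ports = {
        serve_banner(b"220 Macintosh FTP server ready\r\n"): 21,
        serve_banner(b"HTTP/1.0 200 OK\r\nServer: soho-box\r\n\r\n", wait_for_request=True): 80,
        serve_banner(b":irc.example.test NOTICE AUTH :*** Looking up your hostname\r\n"): 6667,
        free_port(): 25,
    }
    results = {}
    for local_port, real_port in ports.items():
        banner = grab_banner("127.0.0.1", local_port, probe=PROBES.get(real_port))
        results[real_port] = identify(banner)
    return results


if __name__ == "__main__":
    print(run_demo())
```

Against a real host you would call `inventory("192.168.137.1")` from inside the LAN and again from outside it; where the "observed" column disagrees with the "expected" column, or the banner names a machine other than the one you probed, the port is being forwarded and the cable tracing starts there.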

adm1329 03-16-2004 07:46 PM

MS3FGX said it didn't look like a Novell server in the picture, but actually it does. That appears to be the Norton AntiVirus Corporate Edition screen. If so, your server is also running virus protection which, when the virus definitions are updated, will update the definitions on the client machines as long as the client is installed.

MS3FGX 03-17-2004 12:43 AM

When I say "look" I don't mean literally, I mean from a networking standpoint.

Protocols used, programs it's running, etc.

8webguy8 03-17-2004 08:46 AM

Mara, thanks for the extremely helpful post. Lets me know that there is very little that I haven't considered already. All of the computers do the same things here.. save files to the server (in contrast to ms3fgx's post which I will reply to later in this post).

1st Quote: I haven't tracerouted them all, but I was the one who set up all the machines. They all use DHCP and have a Novell client which allows them to mount the Novell network shared drives. Nothing fancy there. And the Macs were just plug and play, recognized the network immediately and didn't do anything else.. they use a different server.

2nd Quote: All of the machines are under the *.*.137.* subnet when I go to each computer and look up the IP address. So I still have no clue where the other IPs are coming from. I'll do a traceroute on them to see where it goes later today.

3rd Quote: That is part of my game plan for this weekend. I tried to get everyone to take Friday off so I would have a little more time.. but no luck.. lol

4th Quote: I have a book on TCP/IP, hadn't considered the tools but thanks for the heads up, I will get the lowdown on those immediately. I've been reading about Samba and have it set up and semi-configured on my Red Hat machine. Learn by doing. I know a lot about WWW and FTP, though neither of those services is (or rather, should be) offered on our server.

5th Quote: I really think that it is the Cisco router giving everyone their IPs. If so that will make things easier on me. I set up our last router (not this one) and it was a pain in the *** to learn. But now I know more about it.

6th Quote: I will further pinpoint that fact this weekend when I disable elements.

7th Quote: Already all over Samba.. lol

MS3FGX, thanks again for your post - and for probing my server :D

I can explain some of the things that you encountered. Contrary to what you ran into, we are just saving files to it. Port 80 on our firewall is actually an interface to our SOHO box, port 21 is actually forwarded to our Macintosh FTP server, our mail is offsite with our website, God only knows why it would be running an IRC server, and the firewall is actually our SOHO box; if it has BlackICE it was from 3+ years ago and hasn't been utilized. And I was thinking about having it serve our website; I've set up Apache before but don't think I will without another server.

All three of those cables go directly to the router. One of the pictures shows my finger next to those three lines.

And I know that our previous installation was just one NIC and everyone was on one subnet. Don't know why our configuration would change considering the only thing that is different is the router. And the router goes right into the SOHO box and the SOHO right into the hub.

I will do the ipconfig /all thing in a bit to see what I can come up with. Like I said before, you could be right about what OS is running on it; when I kicked it, it didn't say anything. And the IP addresses are still a mystery, but I know our network is way overactive. And we do have a few networked printers with their own IPs.. when I say a few.. I literally mean 3.

Again, thank you very much for your helpful post. Nothing like hearing it from the mouths (err fingers) of people who have gone through this. I guess I am off to read some more manuals.. ;)

And adm1329, that is Novell Corp onscreen, but it just protects itself; the corps on our machines are actually managed way off site.. which is very uncool. Because if they lose their connection our machines don't get updated. So that is one of the things I look forward to fixing.

webG


All times are GMT -5.