==> LUG-talk-Oct-09/README <==

These are the slides and demonstration scripts used for the KWLUG talk titled "But I don't want to look at the sourcecode!" given by me, Tim Laurence, on October 5th 2009. Feel free to share and use this.

To view the presentation slides you will need "tpp" (text presentation program) installed. On Ubuntu there is a package for this: apt-get install tpp. After you have done that you may view it by typing "tpp talk.tpp". To advance slides you use the space bar.

The demo code is shown in a "less" window so you must hit "q" to quit most demos. Some demos (tcpdump) don't exit automatically so you may have to hit "ctrl+c" to stop the program and then hit q to quit less. Some other demos (wireshark and top) couldn't work within tpp and were performed manually in another terminal window.

talk.tpp is best viewed in a linux terminal. I found x-windows terminal programs did not render my slides as well. Running the demos under a root account works better.

I would like to thank the people who had helpful suggestions of some other tools to solve these types of problems. "nm" looks like it could be useful but I have no unstripped binaries. "htop" rocks my world. Everyone should check it out.

If you have any questions about the content or suggestions don't hesitate to contact me at timdaman@gmail.com

==> LUG-talk-Oct-09/topDemo <==

#!/bin/bash
top
clear
echo "End of Demo"
read -sn 1 x

==> LUG-talk-Oct-09/talk.tpp <==

--heading But I Don't Want to Look at the Sourcecode!
--bgcolor blue
--author Tim Laurence
--date today
--center TimDaMan@gmail.com
--newpage
--heading Introduction
---
Trained as a programmer
---
Work as a Systems Administrator
---
Not a great programmer
---
Integration Work
---
My time at IBM
--newpage
--heading Outline
* The edges of software
* What can we find out before we run a program?
* What is happening with the files?
* What is happening on the network?
* Misc..
--newpage The Edges of Software
--heading The Edges of Software
--newpage
--heading The Edges of Software
You go to the Dr.
* Dr. will ask questions
* May poke at you
* You may make requests of the Dr.
---
--horline
Your personal space ends where your doctor's starts and vice-versa
* The Dr. can inspect you but you cannot inspect the Dr.
* Dr. follows diagnostic protocols
---
* Dr. could look inside but often uses much simpler techniques
--newpage User space and Kernel Space
--heading User space and Kernel Space
* User space and Kernel space
* All hardware access is done in kernel space
* Almost all programs run in user space
* Privilege rings
* We can look inside programs
* System calls.....
--newpage System calls
--heading System calls
Q: What is a system call?
---
A: It is the way programs ask the kernel to do something
--##newpage
--##heading How do system calls work?
--##-
--##* Load data into registers
--##-
--##* Execute interrupt/sysenter/syscall
--##-
--##* Kernel wakes up and reads registers
--##---
--##* Kernel processes data in registers
--##---
--##* Kernel updates registers with results
--##---
--##* Kernel sleeps and executes next instruction
--##--newpage
--##myProgram
--##newpage
--##myProgram --saves request-->CPU registers
--##newpage
--##myProgram -->executes interrupt and goes to sleep ....
--##-
--##... and the kernel wakes up
--##newpage
--##kernel <-- reads CPU registers
--##-
--##processes the request...
--##-
--##stores the results...
--##-
--##and updates the CPU registers to reflect those results
--##newpage
--##kernel --> goes to sleep and starts myProgram on the next instruction...
--##-
--##myProgram wakes up on the next instruction and checks registers to get the results of its request
--##--newpage What are you so obsessed with system calls Tim?
--##--heading What are you so obsessed with system calls Tim?
--newpage It is all about the kernel
--heading It is all about the kernel
---
* This is where we are going to get most of our information
---
* Well established/documented interfaces
---
* Many tools that can display that data in usable ways
--newpage What Can we Find Out Before We Run a Program?
--heading What Can We Find Out Before We Run a Program?
---
--boldon
--center The tools
--boldoff
--center ldd
--center strings
--center man
--newpage ldd
--heading ldd
* ldd gives you a list of libraries a program will load upon execution
* That's all!
* So why do we care?
---
--horline
* Libraries may be missing or incompatible
* Libraries can be broken too
* Helps figure out what you need if you are going to move a program
* Caveat: ldd asks the dynamic loader, and for some binaries that means running the program, so never point it at a binary you don't trust (ldd(1) says as much). objdump -p or readelf -d list the same NEEDED entries without executing anything
---
--horline
Demo Time
---
--exec ./lddDemo
--newpage strings
--boldon
--center strings
--boldoff
* Real simple, what human readable text is in a file?
* These can be the names of configuration files or message strings
---
--horline
Demo Time
---
--exec ./stringsDemo
--newpage man
--heading man
* Yes, that man!
* RTFM
* Often oodles of information at the bottom
---
--horline
--exec ./manDemo
--newpage One more hint
--heading One more hint
Don't forget /usr/share/doc/ProgramName
--newpage What is happening with the files?
--heading What is Happening With the Files?
---
--boldon
--center The Tools
--boldoff
--center lsof
--center inotify
--newpage lsof
--heading lsof
* LiSt of Open Files
* What files are opened by whom
* Almost everything is a file
* Limited in that it only tells us what is open right now
---
--horline
lsof Demo
---
--exec ./lsofDemo
--newpage inotify
--heading inotify
* In the beginning there was polling
* Then came inotify
* Two commands: inotifywait, inotifywatch
* inotifywait watches for activity
* inotifywatch collects statistical information
* Limited to telling us when something changes
---
--horline
--exec ./inotifyDemo
--newpage What is Happening On the Network?
--heading What is Happening On the Network?
---
--boldon
--center The Tools
--boldoff
--center netstat
--center tcpdump/wireshark
--newpage netstat
--heading netstat
* All sorts of information about the networking subsystem of Linux
* Only concerned with who is listening, talking, waiting
* Limited in that it only describes a point in time
---
--horline
netstat Demo
---
--exec ./netstatDemo
--newpage What is a packet sniffer
--heading What is a packet sniffer?
--newpage tcpdump/wireshark
--heading tcpdump/wireshark
* tcpdump works on the command line
* wireshark is an X Windows program. It gives you much more detail more easily
* wireshark does everything tcpdump does and more, and both use the same libpcap capture filter syntax. Knowing tcpdump will make it easier to use
* I usually use tcpdump
---
--horline
tcpdump Demo
---
--exec ./tcpdumpDemo
wireshark Demo
--newpage Other network tools
--heading Other Network Tools
* ssldump
* openssl s_client -connect ip:port
--newpage Misc...
--heading Misc...
---
--boldon
--center The Tools
--boldoff
--center strace
--center top
--center apparmor
--newpage strace
--heading strace
* The most revealing tool of this talk
* Every system call as it happens
* More often too much info than too little
---
--horline
strace Demo
---
--exec ./straceDemo
--newpage top
--heading top
* Can give you all sorts of performance info
* Most people don't know how to change it to suit their needs
* Reverse sort, sort by memory, PID, etc...
---
--horline
top Demo
--newpage apparmor
--heading apparmor
* AppArmor is a security tool
* It can be used to create good audits of a program
* Dual use tool
---
--horline
apparmor Demo
---
--newpage /proc
--heading /proc
proc Demo
---
--exec ./procDemo
--newpage Questions
--huge Questions?
--newpage Thank you for coming.
--header But I Don't Want to Look at the Sourcecode!
--beginslidetop
--huge Thank You For Coming
--endslidetop
--center Tim Laurence
--center TimDaMan@gmail.com

==> LUG-talk-Oct-09/procDemo <==

#!/bin/bash
( echo "$ ls /proc" ; ls -x /proc ) | less
clear
cd /proc/self
( echo "$ cd /proc/self" ; cd /proc/self ; echo "$ ls" ; ls -x ) | less
clear
( echo "Find the current working directory of a process" ; echo "$ ls -l cwd" ; ls -l /proc/self/cwd ) | less
clear
# environ is NUL separated, so turn the NULs into newlines to get one variable per line
( echo "See the environment variables of a process" ; echo "$ tr '\0' '\n' < environ" ; tr '\0' '\n' < /proc/$PPID/environ ) | less
clear
( echo "Which binary is running?" ; echo "$ ls -l exe" ; ls -l /proc/self/exe ) | less
clear
( echo "If you have a memory address for the error you can find out what is there" ; echo "$ cat maps" ; cat /proc/self/maps ) | less -S
clear
echo "and much much more..."
echo "End of Demo"
read -sn 1 x

==> LUG-talk-Oct-09/tcpdumpDemo <==

#!/bin/bash
# The capture interface is hard-coded; change wlan0 to the interface in use.
( sleep 5 ; ping -c 50 -i .2 www.kernel.org > /dev/null 2>&1 ) &
clear
( echo "$ (sleep 5; ping -c 50 -i .2 www.kernel.org) &" ; echo "$ tcpdump -i wlan0 icmp" ; tcpdump -i wlan0 icmp ) 2>&1 | less -S
( sleep 5 ; ping -c 50 -i .2 www.kernel.org > /dev/null 2>&1 ) &
clear
( echo "$ (sleep 5; ping -c 50 -i .2 www.kernel.org) &" ; echo "$ tcpdump -n -i wlan0 icmp" ; tcpdump -n -i wlan0 icmp ) 2>&1 | less -S
clear
echo "End of Demo"
read -sn 1 x

==> LUG-talk-Oct-09/inotifyDemo <==

#!/bin/bash
rm -f /tmp/delme
# background loop that touches the file every 5 seconds so inotifywait has something to report
( while true ; do sleep 5 ; touch /tmp/delme ; done ) &
toucher=$!
clear
( echo "$ (while true; do sleep 5; touch /tmp/delme; done) &" ; echo "$ inotifywait -m /tmp" ; inotifywait -m /tmp ) 2>&1 | less
kill "$toucher"
clear
echo "End of Demo"
read -sn 1 x

==> LUG-talk-Oct-09/straceDemo <==

#!/bin/bash
clear
( echo "Get a summary of what a program did and how much runtime it spent doing it. A simple form of profiling"
  echo "$ strace -c echo hello"
  strace -c echo hello ) 2>&1 | less -S
clear
( echo "Now a normal trace with all the details"
  echo "$ strace echo hello"
  strace echo hello ) 2>&1 | less -S
clear
( echo "We run into problems when we run a program that runs another program"
  echo "$ strace sh -c /bin/date 2>&1"
  strace sh -c /bin/date 2>&1 ) 2>&1 | less -S
clear
echo "The date doesn't seem to be anywhere in there" | less -S
( echo "We can follow a process's children too"
  echo "$ strace -f sh -c /bin/date 2>&1"
  strace -f sh -c /bin/date 2>&1 ) 2>&1 | less -S
clear
echo "OK, but still TMI!" | less -S
( echo "We can use filters with strace -e"
  echo "This one only shows file system activity. You could use it in place of inotify"
  echo "$ strace -e trace=file id"
  strace -e trace=file id ) 2>&1 | less -S
clear
echo "Ick, why all those errors!" \
| less -S
clear
( echo "We can filter on process management too"
  echo "$ strace -e trace=process sh -c /bin/date"
  strace -e trace=process sh -c /bin/date ) 2>&1 | less -S
clear
( echo "or even network activity like tcpdump does"
  echo "$ strace -e trace=network ping -c 1 127.0.0.1"
  strace -e trace=network ping -c 1 127.0.0.1 ) 2>&1 | less -S
clear
( echo "You can even attach to a process already running with -> strace -p PID <-"
  echo "If you are attached to a process when you type ctrl+c it will kill strace but not the target"
  echo "You can combine this and all the other options as you please" ) | less -S
clear
echo "End of Demo"
read -sn 1 x

==> LUG-talk-Oct-09/manDemo <==

#!/bin/bash
clear
man man
clear
echo "End of Demo"
read -sn 1 x

==> LUG-talk-Oct-09/netstatDemo <==

#!/bin/bash
clear
( echo "Everything going on networking wise" ; echo "$ netstat -ap -n" ; netstat -ap -n ) 2>&1 | less -S
clear
( echo "Only listening sockets using pretty names" ; echo "$ netstat -l" ; netstat -l ) 2>&1 | less -S
clear
( echo "Only network sockets" ; echo "$ netstat --inet -nap" ; netstat --inet -nap ) 2>&1 | less -S
clear
echo "End of Demo"
read -sn 1 x

==> LUG-talk-Oct-09/lddDemo <==

#!/bin/bash
clear
( echo "$ ldd /bin/cat" ; ldd /bin/cat ) | less
clear
( echo "$ ldd /bin/grep" ; ldd /bin/grep ) | less
clear
( echo "$ ldd /usr/sbin/tcpdump" ; ldd /usr/sbin/tcpdump ) | less
clear
echo "End of Demo"
read -sn 1 x

==> LUG-talk-Oct-09/lsofDemo <==

#!/bin/bash
clear
( echo "See all open files" ; echo "$ lsof" ; lsof ) 2> /dev/null | less -S
clear
( echo "See files open by processes whose names start with a given string (here syslogd)" ; echo "$ lsof -c syslogd" ; lsof -c syslogd ) 2> /dev/null | less -S
clear
( echo "See the list of files open by a PID (or PIDs)" ; echo "$ lsof -p 1" ; lsof -p 1 ) 2> /dev/null | less -S
clear
( echo "See files open in a directory" ; echo "$ lsof +D /etc" ; lsof +D /etc ) 2> /dev/null | less -S
clear
( echo "List who has a file, or a file on a device, open" ; echo "$ lsof /proc" ; lsof /proc ) 2> /dev/null | less -S
clear
echo "End of Demo"
read -sn 1 x

==> LUG-talk-Oct-09/stringsDemo <==

#!/bin/bash
clear
( echo "$ strings /usr/sbin/cron" ; strings /usr/sbin/cron ) | less
clear
( echo "$ strings /usr/sbin/cron | grep \"/\"" ; strings /usr/sbin/cron | grep "/" ) | less
clear
echo "End of Demo"
read -sn 1 x
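The apparmor slide says AppArmor can be used to create a good audit of a program but the talk has no script for it. As an added example, not from the talk, here is the smallest useful profile in complain mode. The program path /usr/local/bin/reportgen and its rules are hypothetical. In complain mode nothing is blocked; every access the profile does not already allow is logged as an apparmor="ALLOWED" line in the kernel/audit log, and that log is the audit: a complete record of the files, directories and network the program touched, produced without reading a line of its source.

```apparmor
# Added example, not from the talk: a minimal profile in complain mode.
# The program path and rules are hypothetical.
#include <tunables/global>

/usr/local/bin/reportgen flags=(complain) {
  #include <abstractions/base>

  /usr/local/bin/reportgen mr,
  /etc/reportgen.conf r,
  /var/lib/reportgen/** rwk,
  /var/log/reportgen.log w,
  network inet stream,
}
```

Save it as /etc/apparmor.d/usr.local.bin.reportgen and load it with apparmor_parser -r, or let aa-genprof /usr/local/bin/reportgen write the skeleton for you; run the program through its paces, then aa-logprof turns the logged accesses into rules. That is the dual use the slide mentions: the same profile is the audit today and, after aa-enforce, the confinement tomorrow.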
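The lsof slide says lsof only shows what is open right now, and procDemo walks through /proc/PID/cwd, exe, environ and maps. The following is an added example, not one of the talk's demo scripts: the same questions answered straight from /proc with POSIX shell, which is where lsof reads its data on Linux anyway and which still works on a box where lsof is missing or you would rather not trust the installed copy. It assumes a Linux /proc; the maps excerpt in sample_maps is constructed, and the address looked up at the end is made up to fall inside it.

```shell
#!/bin/sh
# Added example (not one of the talk's demo scripts): lsof-style questions
# answered straight from /proc, which is where lsof gets its data on Linux.
# Assumes a Linux /proc; the sample maps excerpt below is constructed.

# Open file descriptors of one process, like "lsof -p PID".
# Each /proc/PID/fd/N is a symlink whose target names a file, pipe or socket.
fds_of_pid() {
    for fd in /proc/"$1"/fd/*; do
        target=$(readlink "$fd" 2>/dev/null) || continue
        printf '%s %s\n' "${fd##*/}" "$target"
    done
}

# Which processes have a given path open, like "lsof /path".
# Other users' fd directories are only readable by root, as with lsof.
who_has_open() {
    for fd in /proc/[0-9]*/fd/*; do
        [ "$(readlink "$fd" 2>/dev/null)" = "$1" ] || continue
        pid=${fd#/proc/}
        printf '%s\n' "${pid%%/*}"
    done | sort -un
}

# Files a process still holds open after they were unlinked, like "lsof +L1".
# The kernel appends " (deleted)" to the link target.  A running binary or a
# log file that is open but gone from the directory tree is worth a look.
deleted_open_files() {
    fds_of_pid "$1" | grep ' (deleted)$'
}

# Which mapping of a process covers an address, for the "cat maps" step of
# procDemo.  Reads maps on stdin:  map_of_address 0x7f... < /proc/PID/maps
map_of_address() {
    addr=$(printf '%d' "$1")
    while read -r range rest; do
        start=$(printf '%d' "0x${range%-*}")
        end=$(printf '%d' "0x${range#*-}")
        if [ $((addr >= start && addr < end)) -eq 1 ]; then
            printf '%s %s\n' "$range" "$rest"
            return 0
        fi
    done
    return 1
}

# Constructed /proc/PID/maps excerpt for trying map_of_address offline.
sample_maps() {
    cat <<'EOF'
00400000-0040b000 r-xp 00000000 08:01 131 /bin/cat
7f1234560000-7f1234700000 r-xp 00000000 08:01 2345 /lib/libc.so.6
7ffd1a000000-7ffd1a021000 rw-p 00000000 00:00 0 [stack]
EOF
}

# Run directly: list this shell's descriptors, then look up a constructed address.
fds_of_pid "$$"
sample_maps | map_of_address 0x7f1234567abc
```

The unlink check is the one to remember for incident response: a process whose exe link or an open descriptor reads "(deleted)" is running code or writing to a file that no longer exists in the filesystem, and /proc/PID/exe or /proc/PID/fd/N can still be copied out before the process exits.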
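The netstat slide calls netstat a point-in-time view of who is listening and talking; on Linux that view is assembled from /proc/net/tcp. As an added example, not part of the talk's scripts, here is that table decoded with POSIX awk, plus the inode-to-process step that is the "-p" part of netstat --inet -nap. It assumes a Linux /proc (the same layout applies to /proc/net/tcp6 and /proc/net/udp); the table in sample_proc_net_tcp is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example (not one of the talk's demo scripts): the TCP table behind
# "netstat --inet -nap", read from /proc/net/tcp with POSIX awk.  Handy when
# netstat is missing or you would rather not trust the one on the box.
# Sample data below is constructed.

# Decode /proc/net/tcp (on stdin) into "STATE local remote inode".
# Addresses are hex in little-endian byte order, ports big-endian hex;
# the state column is the kernel's tcp_states number, also in hex.
tcp_sockets() {
    awk '
    function hex(s,    i, v) {
        v = 0
        for (i = 1; i <= length(s); i++)
            v = v * 16 + index("0123456789ABCDEF", toupper(substr(s, i, 1))) - 1
        return v
    }
    function addr(a,    h, ip) {
        split(a, h, ":")
        ip = hex(substr(h[1], 7, 2)) "." hex(substr(h[1], 5, 2)) "." hex(substr(h[1], 3, 2)) "." hex(substr(h[1], 1, 2))
        return ip ":" hex(h[2])
    }
    BEGIN {
        name["01"] = "ESTABLISHED"; name["02"] = "SYN_SENT"; name["03"] = "SYN_RECV"
        name["06"] = "TIME_WAIT";   name["08"] = "CLOSE_WAIT"; name["0A"] = "LISTEN"
    }
    $1 != "sl" {                      # skip the header line
        st = ($4 in name) ? name[$4] : $4
        print st, addr($2), addr($3), $10
    }'
}

# Listening sockets only, like "netstat -ln": "local inode".
tcp_listeners() {
    tcp_sockets | awk '$1 == "LISTEN" { print $2, $4 }'
}

# Map a socket inode to the process holding it, which is what "-p" adds:
# every /proc/PID/fd entry for a socket reads "socket:[INODE]".
# Needs root to see other users' processes, exactly as netstat -p does.
socket_owner() {
    for fd in /proc/[0-9]*/fd/*; do
        [ "$(readlink "$fd" 2>/dev/null)" = "socket:[$1]" ] || continue
        pid=${fd#/proc/}; pid=${pid%%/*}
        printf '%s %s\n' "$pid" "$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)"
    done
}

# Constructed /proc/net/tcp excerpt: sshd on all interfaces, cups on loopback,
# and one outbound HTTPS connection owned by uid 1000.
sample_proc_net_tcp() {
    cat <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0F02000A:B1B2 5DB8D822:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 12347 1 0000000000000000 20 4 30 10 -1
EOF
}

# Run directly: decode the sample, then the live table if /proc is available.
sample_proc_net_tcp | tcp_sockets
if [ -r /proc/net/tcp ]; then
    tcp_listeners < /proc/net/tcp
fi
```

A listener whose inode no process admits to owning (socket_owner prints nothing even as root) is the case worth chasing: either the fd table was hidden from you or the listener belongs to something you cannot see, and in both cases the kernel table is the more trustworthy of the two views.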
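straceDemo stops at "Ick, why all those errors!" after strace -e trace=file id. The -1 ENOENT results are the dynamic loader (ld.so.preload, the tls/ and other library directories from the search path) and libc (nsswitch, locale files) probing each candidate location in order until one exists; reading the list of probed-but-missing paths tells you the search order, and a directory you can write to that comes before the real location is how a library or config file gets hijacked. As an added example, not one of the talk's scripts, the functions below reduce trace=file output to "call path status" and list only the misses. The trace in sample_strace_output is constructed to look like such a run; it is not captured output.

```shell
#!/bin/sh
# Added example (not one of the talk's demo scripts): boil "strace -e trace=file"
# output down to "call path status", so the probe order and the misses stand out.
# The sample trace below is constructed, not captured output.

# Read strace -e trace=file output (with or without -f) on stdin and print
# one "call path status" line per call; status is "ok" or the errno name.
strace_file_results() {
    awk '
    {
        sub(/^\[pid +[0-9]+\] +/, "")              # strace -f prefixes lines with [pid N]
        if ($0 !~ /^[a-z_][a-z0-9_]*\(/) next       # skip "+++ exited", signal and resume lines
        call = $0; sub(/\(.*/, "", call)
        q = index($0, "\""); if (q == 0) next        # first quoted argument is the path
        rest = substr($0, q + 1)
        path = substr(rest, 1, index(rest, "\"") - 1)
        r = index($0, ") = "); if (r == 0) next      # "<unfinished ...>" lines carry no result
        split(substr($0, r + 4), w, " ")
        status = (w[1] == "-1") ? w[2] : "ok"
        print call, path, status
    }'
}

# Only the paths the program looked for and did not find.  Read top to bottom
# this is the search order; a directory you can write to that appears before
# the real location is the thing to check.
strace_missing() {
    strace_file_results | awk '$3 == "ENOENT" { print $2 }'
}

# Constructed sample shaped like "strace -f -e trace=file id": the loader
# probes a preload file and a tls/ directory before finding the real library.
sample_strace_output() {
    cat <<'EOF'
execve("/usr/bin/id", ["id"], 0x7ffc3f2e4a10 /* 20 vars */) = 0
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY) = 3
open("/lib/tls/libselinux.so.1", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/lib/libselinux.so.1", O_RDONLY) = 3
[pid  4242] openat(AT_FDCWD, "/etc/passwd", O_RDONLY|O_CLOEXEC) = 3
stat("/etc/nsswitch.conf", {st_mode=S_IFREG|0644, st_size=510, ...}) = 0
+++ exited with 0 +++
EOF
}

# Run directly on the sample.  For a live program, remembering that strace
# writes to stderr:   strace -f -e trace=file id 2>&1 | strace_missing
sample_strace_output | strace_missing
```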