Friday, February 13, 2009

Simple TCP/UDP Continuous Monitoring/Logging


Hi, I was at a client's today and was thinking of a way to quickly do a port "ping" every once in a while and poll the data into a simple log file. So I came up with a quick and dirty way. You need the following tools to make an easy-to-use network UDP/TCP port probe with easy logging on any Windows machine:

Tools:
  • Nmap (woot!), the world's best port scanner, hands down - http://nmap.org/dist/nmap-4.76-setup.exe
  • System Scheduler - free scheduling for Windows (I didn't like AT or the built-in scheduler from Windows) - http://www.splinterware.com/download/wincron.zip
  • A CMD/BAT batch file that you create - System Scheduler will execute this file at whatever interval you choose.

Install items 1 and 2.

Scenario - I want to monitor my Asterisk SIP server (or port) and IAX server (or port). I want to poll text output based on the date every minute (it's better to use the date as the log file can get quite gruesomely big). So on every new date it will create a new file.

Game plan:
Use nmap in a script to poll a particular IP and port. Repeat that line for each additional port you want to monitor. In this case I am monitoring UDP ports 5060 (SIP) and 4569 (IAX). Use System Scheduler to run this batch file every minute. There, simple no?

As for the creation of the "log" files, we will tweak the date a little into a human-readable format by declaring our own variable inside the batch file.

NMAP:
You should first know what Nmap can do and its switches. I suggest running Zenmap (the Nmap GUI) and selecting the options there; the command line of the actual Nmap action will also be displayed.

I would suggest creating a new scanning profile, but simply put, to scan a particular TCP/UDP port execute this command at the command prompt (and use it to test a little):

nmap -p 5060 -sU 192.168.1.32

In the above command you can change the value 5060 to your desired UDP port. If you want to scan a TCP port, use the switch -sT (which does a TCP connect scan); -sU denotes a standard UDP scan. Then enter your own IP address, of course :).

Append the Nmap output to a text file named for the date:
Now comes the fun bit. Let's output the result of that scan into a text file, keep that file growing, and name it based on the date.

nmap -p 5060 -sU 192.168.1.32 >> %yymmdd%_nmap.txt

The above command sends the output to a file that would be called 090212_nmap.txt, and the next file after midnight 090213_nmap.txt. The >> means append to the file rather than create a new one. You can use a single > instead, but then you will have multiple files each time this thing runs.

The date variable:
Now, obviously the variable %yymmdd% is not a system default, so we need to make our own variable, and here's how (add the following at the top of your batch file so it is evaluated each time the batch file runs):

set yymmdd=%date:~12,2%%date:~4,2%%date:~7,2%

The above line takes the system date (%date%) and slices it into the compact date format seen above in the file name. Note that the substring offsets assume the US-style layout of %date% (for example "Thu 02/12/2009"); other locales lay out %date% differently, so check the output of echo %date% first and adjust the offsets if needed.

And the whole script would look like this:
@echo off
REM build yymmdd from %date% (assumes the US-style "Thu 02/12/2009" layout)
set yymmdd=%date:~12,2%%date:~4,2%%date:~7,2%
REM one UDP probe per monitored port, each appended to today's log file
nmap -p 5060 -sU 192.168.1.32 >> %yymmdd%_nmap.txt
nmap -p 4569 -sU 192.168.1.32 >> %yymmdd%_nmap.txt
REM separator between one run and the next
ECHO ------------------------------------------------------------------------------------------ >> %yymmdd%_nmap.txt

The line at the bottom (------) simply separates one run's output from the next (prettification).

So there you go: now just copy the above script part, open notepad.exe, paste those exact lines into Notepad and save the file as nmap_voip_ports.cmd (you can use the CMD or BAT extension; CMD runs faster..)

Now use System Scheduler to run nmap_voip_ports.cmd at whichever polling interval you like. In my example, I do it every 1 minute. (Sorry, please google how to use System Scheduler.)

Here are some output examples from the auto-generated file 090212_nmap.txt. As you can see, UDP ports 5060 and 4569 are respectively alive! Yay.

Enjoy.



Starting Nmap 4.76 ( http://nmap.org ) at 2009-02-12 23:40 Malay Peninsula Standard Time
Interesting ports on 192.168.1.32:
PORT     STATE         SERVICE
5060/udp open|filtered sip
MAC Address: 00:15:17:92:XX:XX (Intel Corporate)

Nmap done: 1 IP address (1 host up) scanned in 1.20 seconds

Starting Nmap 4.76 ( http://nmap.org ) at 2009-02-12 23:40 Malay Peninsula Standard Time
Interesting ports on 192.168.1.32:
PORT     STATE         SERVICE
4569/udp open|filtered unknown
MAC Address: 00:15:17:92:XX:XX (Intel Corporate)

Nmap done: 1 IP address (1 host up) scanned in 1.27 seconds
------------------------------------------------------------------------------------------ 

Starting Nmap 4.76 ( http://nmap.org ) at 2009-02-12 23:41 Malay Peninsula Standard Time
Interesting ports on 192.168.1.32:
PORT     STATE         SERVICE
5060/udp open|filtered sip
MAC Address: 00:15:17:92:XX:XX (Intel Corporate)

Nmap done: 1 IP address (1 host up) scanned in 1.38 seconds

Starting Nmap 4.76 ( http://nmap.org ) at 2009-02-12 23:41 Malay Peninsula Standard Time
Interesting ports on 192.168.1.32:
PORT     STATE         SERVICE
4569/udp open|filtered unknown
MAC Address: 00:15:17:92:XX:XX (Intel Corporate)
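To turn the appended log into something you can alert on, here is an added example (not from the original post) that parses the Nmap text format shown above and reports every state flip per port, plus runs where the host did not answer at all. The sample log is constructed, and the function and regex names are mine.

```python
import re
from datetime import datetime

# Constructed sample in the layout the batch file appends to 090212_nmap.txt
# (not real scan output): SIP flips to closed at 23:41, host unreachable at 23:42.
SAMPLE_LOG = """\
Starting Nmap 4.76 ( http://nmap.org ) at 2009-02-12 23:40 Malay Peninsula Standard Time
Interesting ports on 192.168.1.32:
PORT     STATE         SERVICE
5060/udp open|filtered sip
Nmap done: 1 IP address (1 host up) scanned in 1.20 seconds
------------------------------------------------------------------------------------------
Starting Nmap 4.76 ( http://nmap.org ) at 2009-02-12 23:41 Malay Peninsula Standard Time
Interesting ports on 192.168.1.32:
PORT     STATE         SERVICE
5060/udp closed        sip
Nmap done: 1 IP address (1 host up) scanned in 1.10 seconds
Starting Nmap 4.76 ( http://nmap.org ) at 2009-02-12 23:42 Malay Peninsula Standard Time
Note: Host seems down. If it is really up, but blocking our ping probes, try -PN
Nmap done: 1 IP address (0 hosts up) scanned in 0.50 seconds
"""

START_RE = re.compile(r"^Starting Nmap .* at (\d{4}-\d{2}-\d{2} \d{2}:\d{2})")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+\S+")
DONE_RE = re.compile(r"^Nmap done: .*\((\d+) hosts? up\)")

def parse_log(text):
    """Return (timestamp, key, state) observations; key is 'port/proto' or 'host'."""
    obs, when = [], None
    for line in text.splitlines():
        if m := START_RE.match(line):               # a new run: remember its time
            when = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M")
        elif (m := PORT_RE.match(line)) and when:   # one port line per probed port
            obs.append((when, f"{m.group(1)}/{m.group(2)}", m.group(3)))
        elif (m := DONE_RE.match(line)) and when:   # no port lines when the host is down
            obs.append((when, "host", "up" if m.group(1) != "0" else "down"))
    return obs

def state_changes(obs):
    """Return (timestamp, key, old, new) for every flip between consecutive runs."""
    last, changes = {}, []
    for when, key, state in obs:
        if key in last and last[key] != state:
            changes.append((when, key, last[key], state))
        last[key] = state
    return changes

if __name__ == "__main__":
    for when, key, old, new in state_changes(parse_log(SAMPLE_LOG)):
        print(f"{when:%Y-%m-%d %H:%M} {key}: {old} -> {new}")
```

For UDP, open|filtered only means no ICMP port unreachable came back, so a flip to closed (an explicit unreachable) or to "host down" is the signal worth acting on.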

3 comments:

CyberNorris said...

Thanks for this. However Nmap has output options already built in. There is no reason to use the Windows '>>' method for sending the output to a file. The XML output can come in very handy.

I have expanded a bit on your example.

set yymmdd=%date:~10,4%%date:~4,2%%date:~7,2%
set hhmm=%time:~0,2%%time:~3,2%
nmap x.x.x.x -oA nmaptest-%yymmdd%

This gives me the results in all three major Nmap output files named nmaptest-20100408-1208

Thus if I need to run something frequently it has both date and time in the filename. I also prefer 4 digits for the year.

Cheers!

CyberNorris said...

I messed that up a bit... let's try again...

set yymmdd=%date:~10,4%%date:~4,2%%date:~7,2%
set hhmm=%time:~0,2%%time:~3,2%
nmap x.x.x.x -oA nmaptest-%yymmdd%-%hhmm%

outputs all three major Nmap output files named nmaptest-20100408-1208

There is also an append option for output in Nmap, so to follow on from your example:

set yymmdd=%date:~10,4%%date:~4,2%%date:~7,2%
nmap x.x.x.x -oA nmaptest-%yymmdd% --append_output

The Windows system would output all three major Nmap output files named nmaptest-20100408 and running it again would append the information to the existing files.

CyberNorris said...

Another follow-up... Nmap has the date and time variables already built into the program.

The individual arguments are %H, %M, %S, %m, %d, %y, and %Y. %T is the same as %H%M%S, %R is the same as %H%M, and %D is the same as %m%d%y.

See this page for specifics:
http://nmap.org/book/man-output.html

In a Windows .bat or .cmd file an extra % must be inserted to negate the Windows use of the character as a variable marker.

So the command would be:

nmap x.x.x.x -oA nmaptest-%%D --append_output

With no need to set any variables, it's much cleaner. Other than the extra % required, it's also portable to other OS platforms.