I have observed a different behaviour between netcat and telnet when connecting to the public route server bgp-view.tvnetwork.hu and issuing the command show ip bgp.
Using Telnet the output (which is normally some tens of thousands lines long) is truncated and in order to view it all you have to press space or enter to continue (like the man pages). When I connect with netcat it just starts dumping all the output and after the first few hundred lines it hangs. Even if I state explicitly that I want to pause after the first 100 lines using the command terminal length 100 netcat doesn't change behaviour.
Do you have any idea why this happens and how it can be resolved?
My OS is ubuntu 10.4 and the route server runs Quagga (version 0.99.5). With other type of routers (cisco or juniper) that problem doesn't appear.
Thank you.
ps. I wanted to tag the question as route-server but I cannot create new tags :(
EDIT:
The problem is that netcat doesn't negotiate window size (see my answer bellow). Netcat's -t parameter is used to negotiate telnet options but it replies with negations (DON'T or WON'T) so the question is how to make netcat to negotiate telnet options. Maybe I'll post a new question for this matter.
I found a similar discrepancy with SSH 1.5, on juniper routers. When I was implementing a network topology tool, I had to use two different SSH libraries in Java to get things to work. I never completely diagnosed the problem, but it looked like there was an issue with how one of my libraries was handshaking, as opposed to how the ssh server on the router was expecting things to be done. For this case, my connections were just being dropped. I had to use four libraries to support three protocols : telnet, ssh 1.5 and ssh 2.0.
I would not be surprised at all if this is a router specific issue. Unfortunately, I don't have any useful suggestions for you other than to try a different library or program to accomplish your goals. If you feel like troubleshooting the actual issue, you could watch the packets go through.
Thanks,
-Brian-
OK, mystery solved with wireshark.
The problem was the negotiation of telnet options.
The server requests from the telnet client "Do Negotiate About Window Size" but the client wasn't negotiating and even with the -t option netcat replies "Won't Negotiate About Window Size".
I created a java telnet client with the apache commons library to negotiate about the window size using the WindowSizeOptionHandler() constructor and it works fine. Now I just have to find how to do it with netcat.
Related
By terminal I am able to SSH multiple times to connect to the server:
(client--->gateway--->server1---->server2---)
But now to do it through JSch library of Java, how to go about it?
First tried portforwarding, but on terminal I am not doing that (not setting -R -L parameters in ssh).
Then I came across question How to SSH to a server behind another SSH server using JSch?, but I don't understand how to create tcp tunnel!
Port-forwarding is the best way to go.
You do not do port forwarding in the terminal, as you connect to the second section manually by typing the ssh command. While you can automate that using JSch, it is not really a reliable way to try to simulate a human being. If you want to replace the first ssh (terminal) step with JSch, for the same reason you do not want to use ssh for the second step. The accepted answer in the question you link to also discourages you from trying that. While when everything goes ok, it might work. But once any problem steps in, your will have troubles dealing with it automatically. For example, you can hardly automate host key verification for the second server.
The SSH tunnel is port forwarding. But maybe the mentioned ProxySSH (which does not seem to exists anymore) did internally without opening a local port, but used the "port forwarding" channel directly by the second session. But that's a way too complicated to implement. Stick with simple port forwarding.
For a complete example, see:
JSch multiple tunnels/jumphosts
I normally use MOBAXterm to SSH into my work pc, but when I use my gf's internet connection, it works for only a little while before giving me the above error message.
It also happens when I ssh into other external machines and it also happens when I use putty. I already implemented all the in-build steps MOBAXterm offers that could potentially fix this problem.
My suspicion is that it's related to the internet connection cutting out temporarily, but I don't see why that should be such an issue.
Any advice would be appreciated.
Two possibilities here, the nefarious and the irritating. If you know how to sniff traffic, a pcap dump of the session dying would be extremely useful. Grab it using the stable version of Wireshark.
The nefarious possibility
Traffic shaping. SSH can be used to tunnel VPN traffic. If the ISP is difficult about it (more likely if they're a big ISP) they could happily send RSTs to long-lived sessions.
The irritating possibility
Sketchy home router. If the NAT table is too full, the router's memory is overloaded, or there's a bug in the firmware, the NAT table could drop sessions which would cause what you describe.
Solutions
Try mosh. It uses SSH for session setup, then its own protocol over UDP for the actual session. It's UDP-based so there's no TCP connection to RST, and mosh is designed to survive a nuclear strike. It doesn't even care if your IP address changes mid session.
The problem is likely to be solved using mosh - even if it's the home router, mosh's session continuity will mask the NAT table resetting.
If you want to replace the home router (for example if the same thing is happening to other protocols), and you can get the authentication details for the Internet connection, try swapping it out for another one - preferably a recent high-end SOHO model.
If the connection presents as Ethernet (for example a cable modem, like Virgin) then my standard known-good is the TP-Link Archer C7.
If the connection is DSL-based (copper phone line, or BT fibre), you'll also want a 1-port VDSL (for fibre) or ADSL/ADSL2+ (for copper) modem capable of bridge mode. You'll need this in addition to the Ethernet router.
For VDSL, I'd probably recommend the ZyXEL VMG1312-B. For ADSL/ADSL2+ I'd suggest the ZyXEL P660-R.
I have an interesting scenario. I've searched every where, and I have bits and pieces of information, however, I don't have the full picture, and it's driving me nuts.
I also want to mention I'm no where near sysadmin status, however, I can get around my infrastructure with enough to get the job done.
I've got 3 end points. I've got a device inside a network (endpoint#1), that's setup a reverse tunnel to one of my servers (endpoint#2). I've got another server that has to send requests (endpoint#3) to the device (endpoint#1) through the connection server (endpoint#2).
I'm currently able to sustain connections between endpoint#1 and endpoint#2, and send requests from endpoint#2 to endpoint#1 without issue, however, I need endpoint#3 to be able to talk to endpoint#1 through endpoint#2.
I've tried searching for port forwarding scenarios and reverse tunnel scenarios, however, whatever it is that I'm doing is not allowing network traffic through.
How can I set up http traffic to GET/POST from endpoint#3 to endpoint#2 and pass through to endpoint#1 through the specified reverse tunnel (on it's specified port)? HELP!
Found the answer. It's using roughly the same syntax that I'm using on SSH to setup the remote server, however, it's adding the binding ip address (interal ip address of the network that it's on) and using GatewayPorts clientspecified in the sshd_config (although, I'm not 100% I needed this - it is an option I set though).
On endpoint#1:
- ssh -R [endpoint#2.internal.ip.address]:[port]:[localhost]:[port-to-map-to-on-endpoint#1] user#endpoint#2
On endpoint#3:
- curl -X POST -d {data} http://endpoint#2.internal.ip.address/path/to/resource
This will then allow the call on endpoint#3 to be passed through to endpoint#1.
We have a Win Server 2008 box being hosted (dedicated) for us.
I need to connect to one of it's DB's from a server in our LAN.
What started out as a "sure, I'll just throw that together for you real quick" project has turned into a week-long hair-pulling pile of WTF :)
I am able to RDP into that server without fail or issue.
When I tried to connect to the DB, I got a generic "could not connect" error, so I went hunting.
Telnet attemtps and pings time out.
Since then, we have tried endless variations of firewall settings (including wide open), and still ... no go.
In addition to our firewall, the hosting provider also has a firewall layer.
We turned on all logging, and we don't even see any connection attempts at our FW.
We then had the hosting provider turn on all logging, and they don't see any connection attempts either!
Hrmmmph
I'm at a complete loss.
Any suggestions?
BTW, while I'm comfortable enough with all this to explore and make changes, my experience with firewalls and stuff is fairly limited, so don't hesitate to dumb it down ;)
It is hard to give just one answer to this question, because the interim results of the problem analysis lead to different steps that you need to do next. It will more likely be a step by step help with tracing down the problem.
Do not trust any firewall setting (esp. not any that someone else did, and again esp. not if you don't know him), unless you tested it. Firewall settings are tricky and even experienced professionals get them wrong now and then.
In the guide below, I will write <win2008server> in commands where you have to put the name or IP of the windows 2008 server to which you want to connect. On the other side, I will use the expression "office PC" when I mean your workstation PC in the office from where you are trying to connect to the win2008server.
STEP 1: Checking the Endpoints
1.) Can you telnet to the RDP port?
On your office PC, try this on a command prompt:
telnet <win2008server> 3389
This is to make sure that DNS name resulution works for telnet, as well as network hardware and routing. It should, because you can use RDP to establish this connection. However, anything can get in between, like the telnet command being in any way configured nonstandard or being replaced for whatever reason on a company pc (sysadmins have strange ideas at times...).
2.) Can you telnet locally on the win2008server to the database?
When logged in using RDP on the win2008server, open a command prompt on the server and issue the command
telnet <win2008server> <database port>
That means you are trying to connect from the server to itself. This is to make sure the database port is open on the server.
STEP 2: Checking the Firewalls of the Endpoints
If for 1.) and 2.), your answer is yes it works, you have to test if either the remote side can not be reached or your location can not connect to the internet on the port you are testing (database port). You do this by replacing the respective other side with any other host on the internet for which you know it's reachable or can reach other servers. Typically, you google for a port checker ;)
3.) Check if the win2008server can be reached from another location than yours:
3.1.) Check if the RDP port of the win2008server can be reached from a third party location:
Google for port checker and take the first result (e.g. http://www.yougetsignal.com/tools/open-ports/ ). Type in the name or IP address of the win2008server and the RDP port, usually 3389 . Click on "check" and wait for the success or the timeout.
3.2.) Check if the database port of the win2008server can be reached from a third party location:
Do the same as in 3.1.), just with the database port instead of the RDP port.
4.) Check if you can connect to an outside server on the database port:
For this to work, you need to know a server or create one, which is somewhere outside on the internet, and which listens on the database port. You typically do this by keeping your private PC at home run and accessible through RDP or SSH, and there you open a server and configure your private internet router to forward the connection correctly.
Another way to do this test is webspace with SSH access. Many webspace providers nowadays allow for an SSH login (usually any webspace at $4/month and above).
Let's assume you have SSH access to any such third party place. You can use nc (netcat) there to open a server socket on the database port with this command:
nc -l <database port>
If it's your private PC at home, you usually have to also configure your private router and set up a dynamic DNS name for your internet access for the whole story to work out. You do not have this extra work with a webspace based SSH login. However, there you can not test ports below 1024 because you do not have the privileges. Good luck with this ;)
After you got this, try connecting to the port that you opened:
4.1.) From your office PC with
telnet <third party location> <database port>
4.2.) If 4.1.) does not work, also try with the port checker, because you might have gotten something wrong with setting up the server. Look at 3.) for this, and use the <third party location> and <database port> with the port checker (fourth party check).
STEP 3: Blaming ;)
At least one of the things should have failed by now and you can start calling people and letting them know about your tests and the results. You should be able to combine the results logically, but never start with that. Think about how to convey the information. Start out with your findings and then let them have a moment for their own conclusion. It can be difficult to tell someone in another company or department that their firewall isn't configured correctly. They might deny this even in the presence of proof. Be patient. Explain your findings again. Hint at the conclusion. This can be the trickiest part of the whole problem solution.
I have to say that today I had the same problem.
My solution was just to edit secpol.msc and disable all the FW profiles; then, run services.msc and also disable Windows Firewall service.
After this server was pingable for me.
Well I decided to try make a proxy checker, like Charion or Elite proxy checker. These programs accept large lists of proxies in the IP:PORT format, ping them tell you the response time
see the screenshot of Elite Proxy Checker, im trying to make a simplified version of this program. http://i52.tinypic.com/a57slh.jpg
I investigated and made my checker using Ping.SendAsync(ip, timeout, ip) method.
It was only afterwards that I discovered that you can only Ping IP's using this method, not the ports as well.
Ive spent a few hours trying to find the correct class/methods in order to be able to ping ports, reading different forum posts from experts they say its impossible to ping ports only IPS, can only use sockets to try open a connection with the port.
However, I have seen programs that people have coded in VB.NET that ping in the IP:PORT format, ie lets you choose timeout, tells timeout, etc.
My question is , what classes methods should I be using to do this ?
Im pretty sure its not sockets... theyve got to be pinging the individual ports as well somehow.
Any help would be appreciated.
Cheers,
(I code for a hobby, im not a pro, so sorry if I make glaring errors)
Have a look at tcpping, here is the Windows version:
http://www.elifulkerson.com/projects/tcping.php