Open Source IP Testing Tool?

winter@ES asks: "I'm looking for some "IP impairment" software for Linux. What I'd like is the ability to write some scripts that filtered/routed all traffic flowing through a box, with rules like 'For all traffic going to IP x.x.x.x, delay all frames by 400 miliseconds; reorder every 5th frame, and drop every 3rd frame.' There are remarkably few hardware/software solutions out there that I've been able to find to do this kind of thing, and the solutions that do exist are mostly targeted at backbone ATM-based networks. Anyone know of a nice open source tool for simulating poor network conditions?"

Just hire a few gnomes

[Anonymous Coward]

And get them to route your traffic

We used to do this

[michael_cain]

Up until we were bought by AT&T, MediaOne Labs distributed the source code for a Linux tool that did much of this. It wasn't actually open source, because we didn't allow people to redistribute the code or program. Making modifications for your own use was fine. That limitation was a compromise that I reached with the company lawyers, who don't understand "just give it away".

The software was capable of imposing rate limits on packet streams to or from a host (emulate many of the effects of dialup or DSL or whatever kind of access you were interested in), could drop packets at random, could insert variable network delays. Some of the impairments could be applied to a multicast stream being bridged across two interfaces. The software could deal with multiple interfaces. It was also capable of some address substitutions on packets. Such address translation is sometimes necessary in order to get unmodified client/server software to behave in the proper fashion on a test network. There were some simple GUI front- and back-ends that went with the main emulation engine that provided manual control of several of the settings, and stripchart recordings of packet and data rates. The stripcharts were very useful in demonstration situations so that, for example, people could "see" what a rate limit did.

I am in the process of working with our "new" intellectual property lawyers to try and get permission to restart distribution. This is complicated by the fact that MediaOne Labs is now part of AT&T Labs, but may be moved to AT&T Broadband as part of AT&T's announced divestiture. It's not clear who has jurisdiction.

In the meantime, you may be able to use NISTNet, a tool developed by NIST (a US government organization) or DummyNet, a similar capability written by someone in Italy. IIRC, NISTNet is a Linux tool and DummyNet is a FreeBSD tool. I believe that both of them require kernel modifications. My tool (NETSIM) uses Ethernet-level sockets and runs entirely in user space, which was an advantage in my situation.

Michael Cain
AT&T Labs - Broadband
mcain@broadband.att.com

Dummynet does this

[elbuddha]

Dummynet is part of FreeBSD. It does exactly what you are asking for:

dummynet is a system facility that permits the control of traffic going through the various network interfaces, by applying bandwidth and queue size limitations, and simulating delays and losses.

Check out the man page:
http://www.freebsd.org/cgi/man.cgi?query=dummynet& apropos=0&sektion=0&manpath=FreeBSD+4.2-RELEASE&fo rmat=html [freebsd.org]

I want one as well.

[shippo]

I test financial trading systems, all of which reside on remote systems across a private network.

Some of my tests involve simulating various fail conditions, and these tests need to be improved. Currently I terminate my process abruptly, or have my process ignore all messages for a set period of time - neither test is enough. Adding random line noise would be an extra test.

Re:Just hire a few gnomes

[Anonymous Coward]

no no no. Gnome is only a GUI.. you must be one of those Winblowz people who think that the GUI is the operating system.

Doesn't Windows already do this?

[dougmc]

For all traffic going to IP x.x.x.x, delay all frames by 400 miliseconds; reorder every 5th frame, and drop every 3rd frame.'

Isn't that the sort of thing that Windows does automatically when you use it as a router?

:)

What about IP Chains

[Chacham]

Can't IP Chains do that? I know it can certainly filter the from here or to there packets. But, I thought you could also have it filter through your own functions. If so, that could drop what you need. I just haven't used IP chains in a few months.

Re:Doesn't Windows already do this?

[isotope23]

Normally windoze will reorder every 18th frame, and drop every 16th one. Unless there is a new version (i.e. windoze 2000) in which case it reorders every 5th and drops every 3rd....... All this so that wonderful "windows x.x is more fun AND reliable" blurb when you upgrade is true...... come on bill needs to make another billion somehow!

NetFilter

[DrZaius]

Hey,

Take a look at NetFilter/Iptables. It is the new firewall code for linux 2.4.

It is supposed to be an extensible framework that modules for various types of filtering can be written for. For example, you can filter outgoing messages by uid.

Using this, it shouldn't be too difficult to write a library to do this.

Re:We used to do this

[Cato]

In your discussions with lawyers, you might want to raise the precedent set by another part of AT&T Labs - the UK arm, originally Olivetti-Oracle Research Labs, distributes OmniORB and VNC, which are either LGPLed or GPLed. I use both these products quite a lot and it's fair to say they generate some goodwill towards the lab. Details at http://www.uk.research.att.com/.

Re:We used to do this

[DaveHowe]

A *lot* of goodwill for the lab. VNC must have saved me personally at least 200 hours of travel this year for PC suppport, given we run a WAN spread fairly widely across england - not mentioning the savings on buying in a commercial solution and having to meter each install for licencing purposes.

OmniOrb I have barely played with - not being a Corba developer (or any sort of developer these days) but it seems a good, stable implimentation and if we ever need to support Corba on my network, will be my first choice.
--

Firewall

[Beowulf_Boy]

couldn't this be written into some kind of a firewall script?
I'm not an expert (actually only 15)
but couldn't it be set up to drop access at random or periodically not alow access to certain ranges of addresses.
Also, just run the firewall in a old 8086 with a 1-megabit network card or something