bsd2 siggen siggen
sig0: nullsig : 0
sig1: md5 : 0EpNJLBbf7JJgh1yUdAPgZ
sig2: snefru : 25I3DS:thJ3N:16UchVdNR
sig3: crc32 : 0jeUpK
sig4: crc16 : 00056o
sig5: md4 : 02x6dNiYw7GwjSssW7IeLW
sig6: md2 : 30s7ugrC1gLhk129Zo1BXW
sig7: sha : EWed2qYLHGcK.i7P7bVDO2mtKvr
sig8: haval : 1cqs7t9CwipMcuWPM3eRF1
sig9: nullsig : 0
You can use an optional argument to limit which checksums you want. For example, the option -13 will calculate just the first and third checksums, the MD5 digest and the 32-bit CRC checksum.
I certainly wouldn't recommend that you install tripwire just for troubleshooting. But if you have installed it as a security tool, something I would strongly recommend, then don't forget that you can use it for these other purposes. Incidentally, with some systems, such as OpenBSD, integrity checking is an integral part of the system.
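The selective-checksum idea above, as an added Python sketch that is not part of the book or of tripwire: it computes the two digests that siggen's -13 option selects (MD5 and the 32-bit CRC) over a constructed set of files, records a baseline, and reports what changed, which is the integrity check tripwire performs at larger scale. The paths and file contents are made up for the example.

```python
import hashlib
import zlib

# siggen numbers its checksums; the text notes that -13 selects the first
# (MD5) and third (32-bit CRC). Only those two exist in Python's standard
# library, so this sketch supports exactly that pair.
SIGNATURES = {
    "1": ("md5", lambda data: hashlib.md5(data).hexdigest()),
    "3": ("crc32", lambda data: "%08x" % (zlib.crc32(data) & 0xFFFFFFFF)),
}

def siggen(data: bytes, select: str = "13") -> dict:
    """Return {name: digest} for the selected signature numbers."""
    result = {}
    for digit in select:
        if digit not in SIGNATURES:
            raise ValueError("unsupported signature number: " + digit)
        name, fn = SIGNATURES[digit]
        result[name] = fn(data)
    return result

def build_baseline(files: dict, select: str = "13") -> dict:
    """Snapshot every file's signatures (keep the result on read-only media)."""
    return {path: siggen(data, select) for path, data in files.items()}

def check_integrity(baseline: dict, files: dict, select: str = "13") -> dict:
    """Compare the current tree against the baseline, the way tripwire does."""
    current = build_baseline(files, select)
    return {
        "changed": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }

# Constructed sample "file system" (path -> contents), not from the book.
ORIGINAL = {"/etc/passwd": b"root:*:0:0:Charlie &:/root:/bin/csh\n",
            "/bin/ls": b"\x7fELF...ls"}
TAMPERED = {"/etc/passwd": b"root:*:0:0:Charlie &:/root:/bin/csh\n"
                           b"guest:*:1001:1001::/home/guest:/bin/sh\n",
            "/bin/ls": b"\x7fELF...ls",
            "/tmp/unexpected": b"should not be here"}

if __name__ == "__main__":
    baseline = build_baseline(ORIGINAL)
    print(check_integrity(baseline, TAMPERED))
    # -> {'changed': ['/etc/passwd'], 'added': ['/tmp/unexpected'], 'removed': []}
```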
11.5 Microsoft Windows
When documenting problems with Windows, the usual approach is to open a word processing file and copy and paste as needed. Unfortunately, some tools, such as Event Viewer, will not allow copying. If this is the case, you should look to see if there is a Save option. With Event Viewer, you can save the messages to a text file and then copy and paste as needed.
If this is not possible, you can always get a screen dump. Unfortunately, the way to do this seems to change with every version of Windows. Typically, if an individual window is selected, only that window is captured. If a window is not selected, the screen is copied. For Windows 95 and NT, Shift-PrintScreen or Ctrl-PrintScreen will capture the contents of the screen, while Alt-PrintScreen will capture just the current window. For Windows 98, use Alt-PrintScreen. The screen is copied to the system's clipboard. It can be viewed with ClipBook Viewer. While it is included with the basic Windows distribution, ClipBook Viewer may not be installed on all systems. You may need to go to your distribution disks to install it. With Windows NT, be sure to select Clipboard on the Windows menu. Unfortunately, this gives a bitmapped copy of the screen that is difficult to manipulate, but it is better than nothing.
As previously noted, vnc is available for Windows. The viewer is a very small program—an executable will fit on a floppy so it is very easy to take with you.
There are a number of implementations of ssh for Windows. You might look at Metro State College of Denver's mssh, Simon Tatham's putty, or Robert O'Callahan's ttssh extensions to Takashi Teranishi's teraterm communications program. If these don't meet your need, there are a number of similar programs available over the Web.
Although I have not used them, there are numerous commercial, shareware, and freeware versions of syslog for Windows. Your best bet is to search the Web for such tools. You might look at http://www.loop-back.com/syslog.htm or search for kiwis_syslogd.exe.
ntpd can be compiled for Windows NT. Binaries, however, don't seem to be generally available. If you just want to occasionally set your clock, you might also consider cyberkit. cyberkit was described in Chapter 6. Go to the Time tab, fill in the address of your time server, select the radio button SNTP, make sure the Synchronize Local Clock checkbox is selected, and click on the Go button. The output will look something like this:
Time - Thursday, December 28, 2000 09:02:59
Generated by CyberKit Version 2.5
Copyright © 1996-2000 by Luc Neijens
Time Server: ntp.netlab.lander.edu
Protocol: SNTP Protocol
Synchronize Local Clock: Yes
Leap Indicator 0, NTP Version 1, Mode 4
Stratum Level 1 Primary reference, e.g. radio clock
Poll Interval 6 64 seconds, Precision -8 3.90625 ms
Root Delay 0.00 ms, Root Dispersion 0.00 ms
Reference Identifier GPS
Time server clock was last synchronized on Thursday, December 28, 2000 09:02:38
Server Date Time: Thursday, December 28, 2000 09:02:38
Delta Running slow: 1.590 ms
Round Trip Time 29 ms
Local clock synchronized with time server
The last line is the one of interest. It indicates that synchronization was successful. The help system includes directions for creating a shortcut that you can click on to automatically update your clock. Go to the index and look under tips and tricks for adding cyberkit to the startup menu and under command-line parameters for time client parameters.
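To show where the fields in the cyberkit report come from, here is an added Python example (not part of the book or of cyberkit) that decodes a constructed 48-byte SNTP server reply and applies the standard SNTP offset and round-trip formulas. The four timestamps are assumed values, chosen so the local clock comes out 1.5 ms slow with a 29 ms round trip.

```python
import struct

def to_ntp(seconds: float) -> int:
    """Float seconds -> 64-bit NTP timestamp (32.32 fixed point)."""
    whole = int(seconds)
    return (whole << 32) | int(round((seconds - whole) * 2**32))

def from_ntp(ts: int) -> float:
    return (ts >> 32) + (ts & 0xFFFFFFFF) / 2**32

def parse_sntp(packet: bytes) -> dict:
    """Decode the 48-byte SNTP header into the fields cyberkit reports."""
    if len(packet) < 48:
        raise ValueError("SNTP header is 48 bytes")
    (first, stratum, poll, precision, root_delay, root_disp, ref_id,
     _ref_ts, t1, t2, t3) = struct.unpack("!BBbbII4sQQQQ", packet[:48])
    return {
        "leap": first >> 6, "version": (first >> 3) & 7, "mode": first & 7,
        "stratum": stratum,
        "poll_seconds": 2 ** poll,                   # 6 -> 64 seconds
        "precision_ms": 2.0 ** precision * 1000,     # -8 -> 3.90625 ms
        "root_delay_ms": root_delay / 2**16 * 1000,  # 16.16 fixed point
        "root_dispersion_ms": root_disp / 2**16 * 1000,
        "reference_id": ref_id.rstrip(b"\0").decode("ascii", "replace"),
        "t1": from_ntp(t1), "t2": from_ntp(t2), "t3": from_ntp(t3),
    }

def clock_offset(t1, t2, t3, t4):
    """Standard SNTP formulas, in seconds: offset = server minus local clock
    (positive means the local clock is running slow), and round-trip delay."""
    return ((t2 - t1) + (t3 - t4)) / 2, (t4 - t1) - (t3 - t2)

def build_sample_reply(t1, t2, t3) -> bytes:
    """Constructed server reply (not a capture): LI 0, NTP version 1,
    mode 4 (server), stratum 1, poll 6, precision -8, reference id GPS."""
    first = (0 << 6) | (1 << 3) | 4
    return struct.pack("!BBbbII4sQQQQ", first, 1, 6, -8, 0, 0, b"GPS\0",
                       to_ntp(t2), to_ntp(t1), to_ntp(t2), to_ntp(t3))

def sample_sync():
    """One exchange with assumed timestamps: decoded reply, offset ms, RTT ms."""
    t1, t4 = 100.000, 100.029                # local clock at send / receive
    reply = parse_sntp(build_sample_reply(t1, 100.016, 100.016))
    offset, delay = clock_offset(reply["t1"], reply["t2"], reply["t3"], t4)
    return reply, offset * 1000, delay * 1000

if __name__ == "__main__":
    fields, offset_ms, rtt_ms = sample_sync()
    print(fields)
    print("local clock off by %.3f ms, round trip %.0f ms" % (offset_ms, rtt_ms))
```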
A commercial version of tripwire is available for Windows NT.
Chapter 12. Troubleshooting Strategies
While many of the tools described in this book are extremely powerful, no one tool does everything. If you have been downloading and installing these tools as you have read this book, you now have an extensive, versatile set of tools. When faced with a problem, you should be equipped to select the best tool or tools for the particular job, augmenting your selection with other tools as needed.
This chapter outlines several strategies that show how these tools can be used together. When troubleshooting, your approach should be to look first at the specific task and then select the most appropriate tools based on the task. I do not describe the details of using the tools or show output in this chapter. You should already be familiar with these from the previous chapters. Rather, this chapter focuses on the selection of tools and the overall strategy you should take in using them. If you feel confident in your troubleshooting skills, you may want to skip this chapter.
12.1 Generic Troubleshooting
Any troubleshooting task is basically a series of steps. The actual steps you take will vary from problem to problem. Later steps in the process may depend on the results from earlier steps. Still, it is worth thinking about and mapping out the steps since doing this will help you remain focused and avoid needless steps. In watching others troubleshoot, I have been astonished at how often people perform tests with no goal in mind. Often the test has no relation to the problem at hand. It is just something easy to do. When your car won't start, what is the point of checking the air pressure of the tires?
For truly difficult problems, you will need to become formal and systematic. A somewhat general, standard series of steps you can go through follows, along with a running example. Keep in mind, this set of steps is only a starting point.
1. Document. Before you do anything else, start documenting what you are doing. This is a real test of willpower and self-discipline. It is extremely difficult to force yourself to sit down and write a problem description or take careful notes when your system is down or crackers are running rampant through your system.[1] This is not just you; everyone has this problem. But it is an essential step for several reasons.
[1] Compromised hosts are a special problem requiring special responses. Documentation can be absolutely essential, particularly if you are contemplating legal action or have liability concerns. Documentation used in legal actions has special requirements. For more information you might look at Simson Garfinkel and Gene Spafford's Practical UNIX & Internet Security or visit http://www.cert.org/nav/recovering.html.
Depending on your circumstances, management may require a written report. Even if this isn't the usual practice, if an outage becomes prolonged or if there are other consequences, it might become necessary. This is particularly true if there are some legal consequences of the problem. An accurate log can be essential in such cases.
If you have a complex problem, you are likely to forget at some point what you have actually done. This often means starting over. It can be particularly frustrating if you appear to have