Dec 18 2009

Show the ethernet status

ethtool eth0

Force 100Mbit full duplex. To really force the setting rather than merely advertise it, also disable autonegotiation (next command), and configure the switch port the same way: a duplex mismatch brings the link up but produces errors and collisions (visible in the netstat -i counters further down).

ethtool -s eth0 speed 100 duplex full

Disable auto negotiation

ethtool -s eth0 autoneg off

Blink the ethernet LED (to identify the physical port in a rack)

ethtool -p eth0

Display all interfaces (similar to ifconfig)

ip link show

Bring device up (or down). Same as “ifconfig eth0 up”

ip link set eth0 up

Display all IP addresses (similar to ifconfig)

ip addr show

Similar to arp -a

ip neigh show

Ping on ethernet layer


tcptraceroute uses TCP SYN packets (to port 80 unless you give another destination port) instead of UDP or ICMP probes, so it gets through firewalls that drop ordinary traceroute; -f 5 starts at TTL 5, skipping the first four hops (install via sudo apt-get install tcptraceroute)

tcptraceroute -f 5

The netstat command is very versatile, and with the -i switch it gives a limited per-interface report. This is useful on systems where neither mii-tool nor ethtool is available, such as a virtual server (venet0 below is an OpenVZ container interface). The RX-ERR/RX-DRP and TX-ERR/TX-DRP columns are the ones to watch: on a healthy link they stay at zero.

netstat -i


Kernel Interface table
Iface      MTU Met   RX-OK RX-ERR RX-DRP RX-OVR   TX-OK TX-ERR TX-DRP TX-OVR Flg
lo       16436   0  451490      0      0      0  451490      0      0      0 LRU
venet0    1500   0  154868      0      0      0  127296      0      0      0 BOPRU
venet0:0  1500   0       - no statistics available -                        BOPRU
venet0:1  1500   0       - no statistics available -                        BOPRU
venet0:2  1500   0       - no statistics available -                        BOPRU
venet0:3  1500   0       - no statistics available -                        BOPRU

An easy way to tell whether a remote server is listening on a specific TCP port is the telnet command. By default telnet connects to TCP port 23, but you can give another port after the target IP address or name. HTTP uses TCP port 80, HTTPS port 443.

Here is an example of testing a server on TCP port 22, reserved for SSH. A closed port fails immediately with "Connection refused"; a port that a firewall silently drops (filtered) hangs until the connect times out, which is how you tell the two cases apart:

telnet 22
Connected to
Escape character is '^]'.

The curl utility acts like a text-based web browser: you can choose to see either the headers or the complete HTML body of a web page on your screen.

A good start is curl with the -I flag, which sends a HEAD request and shows only the response headers and the HTTP status code. Without -I you get the whole body of the page. Either tells you quickly whether the server answers, and the Server: header tells you what software and version it admits to running, which is exactly what an attacker reads first, so consider not advertising the version on your own servers.

curl -I
HTTP/1.1 200 OK
Date: Tue, 19 Oct 2004 05:11:22 GMT
Server: Apache/2.0.51 (Fedora)
Accept-Ranges: bytes
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=UTF-8

You can use wget to recursively download a web site's pages, including the entire directory structure of the site, to a local directory (be considerate: a full recursive mirror generates a lot of requests, so do this only against sites you are allowed to copy).

Without recursion, and with the timestamping feature enabled (the -N switch), you get not only the HTML of the site's index page in your local directory, but also the download speed, the file size and the time the download completed. This is a simple way to take snapshots of your server's performance.

wget -N
=> `index.html'
Resolving done.
Connecting to[]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Last-modified header missing -- time-stamps turned off.
=> `index.html'
Connecting to[]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]

[ < => ] 122,150 279.36K/s

23:07:22 (279.36 KB/s) - `index.html' saved [122150]


You can use nmap to find all the TCP/IP ports on which a remote server is listening. It is rarely needed at home, but in a corporate environment it finds problems such as servers running unauthorized network applications. It is also one of the first tools an attacker runs against you, so scan your own external as well as internal servers and compare the result with what you believe should be listening. Scan only hosts you are authorized to scan.

Whenever you are in doubt, you can get a list of the available nmap options by entering the command without arguments at the command prompt.

-P0 Nmap first pings a host before scanning it and skips hosts that do not answer. If the server is protected from ping, use this option to scan it anyway (current nmap versions spell it -Pn).
-T Sets the timing template for the probes, from -T0 ("paranoid", one probe about every five minutes) to -T5 ("insane", as fast as possible); a higher number means faster, not a longer delay. The slow templates exist to stay under the threshold of firewalls and intrusion detection systems that flag too many odd packets within a short time; -T5 is quick but noisy and can miss ports on slow links.
-O Tries to detect the operating system of the remote server from its responses to various packet types (needs root).
-p Lists the TCP/IP ports or port range to scan.
-s Selects the scan method, for example -sT (full TCP connect, works without root, but every probe is logged by the target) or -sS (half-open SYN scan, needs root); other types deliberately send packets that violate the TCP standard to see how the stack reacts.

nmap -sT -T 5 -p 1-5000

Starting nmap V. 3.00 ( )
Interesting ports on (
(The 4981 ports scanned but not shown below are in state: closed)
Port State Service
21/tcp open ftp
25/tcp open smtp
139/tcp open netbios-ssn
199/tcp open smux
2105/tcp open eklogin
2301/tcp open compaqdiag
3300/tcp open unknown

Nmap run completed -- 1 IP address (1 host up) scanned in 8 seconds
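The three checks above (telnet to a port, curl -I, and an nmap -sT connect scan) done by hand with the Python standard library, as an added example that is not part of the original page. It starts a throwaway HTTP server on the loopback interface so it runs offline; the server banner "Example/0.1", the User-Agent string and the port numbers are assumptions for the demo.

```python
# Added example (not from the original page): telnet-style port check,
# nmap -sT style connect scan and curl -I style HEAD request, all against a
# stand-in HTTP server on 127.0.0.1 so the demo runs without network access.
import socket
import threading
import time
from http.server import BaseHTTPRequestHandler, HTTPServer


class _StandInHandler(BaseHTTPRequestHandler):
    """Tiny HTTP server standing in for the (unnamed) target host in the text."""
    server_version = "Example/0.1"          # assumed banner; appears in Server:

    def do_HEAD(self):
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=UTF-8")
        self.end_headers()

    def do_GET(self):
        self.do_HEAD()
        self.wfile.write(b"<html><body>hello</body></html>")

    def log_message(self, *args):           # keep the demo output quiet
        pass


def start_test_server():
    """Start the stand-in server on a free loopback port and return the port."""
    srv = HTTPServer(("127.0.0.1", 0), _StandInHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv.server_address[1]


def tcp_port_open(host, port, timeout=1.0):
    """What 'telnet host port' tells you: did the three-way handshake complete?
    A refused port and a filtered (timed-out) port both come back False."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def connect_scan(host, ports, timeout=0.5, delay=0.0):
    """A connect() scan like 'nmap -sT': a full handshake per port, so it needs
    no raw sockets but every probe shows up in the target's logs. 'delay' is
    the pause between probes, the knob nmap's -T templates turn.
    Returns [(port, service name or 'unknown'), ...] for the open ports."""
    found = []
    for port in ports:
        if tcp_port_open(host, port, timeout):
            try:
                name = socket.getservbyport(port, "tcp")   # /etc/services lookup
            except OSError:
                name = "unknown"
            found.append((port, name))
        time.sleep(delay)
    return found


def http_head(host, port, path="/", timeout=3.0):
    """Equivalent of 'curl -I': send a HEAD request and return
    (status_code, {header-name-lowercased: value}) without fetching a body."""
    request = ("HEAD %s HTTP/1.1\r\nHost: %s:%d\r\n"
               "User-Agent: example-head/0.1\r\nConnection: close\r\n\r\n"
               % (path, host, port)).encode("ascii")
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(request)
        raw = b""
        while b"\r\n\r\n" not in raw:
            chunk = s.recv(4096)
            if not chunk:
                break
            raw += chunk
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    status_line, *header_lines = head.split("\r\n")
    if not status_line.startswith("HTTP/"):
        raise ValueError("not an HTTP response: %r" % status_line)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(status_line.split()[1]), headers


if __name__ == "__main__":
    port = start_test_server()
    print("port %d open: %s" % (port, tcp_port_open("127.0.0.1", port)))
    print("open ports:", connect_scan("127.0.0.1", range(port - 2, port + 3)))
    print("HEAD:", http_head("127.0.0.1", port))
```

Point tcp_port_open and http_head at a real host and port to reproduce the telnet and curl -I checks; the connect scan is the noisy kind, so use it only against hosts you are allowed to scan.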

Most Linux distributions contain the netcat or nc package, which can be used to create a TCP socket over which you can transfer data. The syntax varies between versions (the traditional/GNU netcat wants -l -p 7777 where the OpenBSD netcat takes -l 7777), so refer to your system's man page if you have any questions. Nothing in this exchange is encrypted or authenticated: anyone on the path can read it or inject into it, so use it on trusted networks only, or tunnel it through ssh.

The netcat server is created with the -l switch, which signifies that the program should listen and not talk. The desired TCP port then follows. In this case the server is listening on TCP port 7777 (the firewall must allow that port in).

server# nc -l 7777

The netcat client only needs the server's IP address followed by the server's TCP listener port.

client# nc 7777

Any text typed on the console of the client

client# nc 7777
This is a test of the NetCat program!
client#

will also be visible on the server's console.

server# nc -l 7777
This is a test of the NetCat program!
server#

If you want to transfer a file, you only need some simple command-line redirection. Here the server writes all data it receives on port 7777 to a file called FC-6-i386-disc1.iso, and the client pipes the output of cat into the netcat client that points at our server. netcat verifies nothing, so compare a checksum (sha256sum) of the file on both sides afterwards.

server# nc -l 7777 > FC-6-i386-disc1.iso

client# cat /tmp/FC-6-i386-disc1.iso | nc 7777

All Linux systems have a black-hole file named /dev/null which discards any data written to it. If you want to test transfers without filling your disk, or without the server's disk I/O becoming the bottleneck, use it as the output file instead.

server# nc -l 7777 > /dev/null

All Linux systems also have a continuous random data source, /dev/random. Instead of a file you can use it as a data stream of infinite duration. Note that on the kernels of the time (anything before Linux 5.6) /dev/random blocks whenever the kernel's entropy estimate runs low, so a throughput test with it stalls; use /dev/urandom, which never blocks, or /dev/zero if you just want a fast stream.

client# cat /dev/random | nc 7777
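The transfer above done with plain sockets, as an added example that is not from the original page: a listener that writes what it receives to a file or, like > /dev/null, only counts it, a sender that streams until EOF, and the sha256 comparison that nc does not give you. It runs over the loopback interface; the random data generated in-line stands in for the ISO, and the port is chosen by the kernel instead of the text's 7777.

```python
# Added example (not from the original page): the "nc -l PORT > file" /
# "cat file | nc HOST PORT" pattern with sockets, over 127.0.0.1, plus an
# end-to-end hash check. Test data is generated in-line (no real ISO).
import hashlib
import io
import os
import socket
import threading


def listener(port=0):
    """'nc -l PORT' half: bind and listen on the loopback interface.
    port=0 lets the kernel pick a free port (the text uses 7777)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", port))
    srv.listen(1)
    return srv


def receive_to_file(srv, out_path=None):
    """'nc -l PORT > file': accept one connection and store everything that
    arrives until the sender closes. out_path=None behaves like > /dev/null
    (bytes are counted and hashed, nothing is written to disk).
    Returns (byte_count, sha256_hex_of_received_data)."""
    conn, _peer = srv.accept()
    digest, total = hashlib.sha256(), 0
    sink = open(out_path, "wb") if out_path else None
    try:
        with conn:
            while True:
                chunk = conn.recv(65536)
                if not chunk:            # peer closed: that is nc's end-of-file
                    break
                digest.update(chunk)
                total += len(chunk)
                if sink:
                    sink.write(chunk)
    finally:
        if sink:
            sink.close()
    return total, digest.hexdigest()


def send_stream(port, stream, chunk_size=65536):
    """'cat file | nc HOST PORT': push a file-like object until EOF, then
    close the socket so the receiver sees end of data. Returns sha256 of
    what was sent, so both ends can be compared (nc has no integrity check)."""
    digest = hashlib.sha256()
    with socket.create_connection(("127.0.0.1", port)) as s:
        while True:
            chunk = stream.read(chunk_size)
            if not chunk:
                break
            digest.update(chunk)
            s.sendall(chunk)
    return digest.hexdigest()


def transfer(data, out_path=None):
    """Run receiver (in a thread) and sender in one process.
    Returns (bytes_received, hashes_match)."""
    srv = listener()
    port = srv.getsockname()[1]
    result = {}
    rx = threading.Thread(
        target=lambda: result.update(rx=receive_to_file(srv, out_path)))
    rx.start()                        # socket already listening: connect cannot race
    sent = send_stream(port, io.BytesIO(data))
    rx.join()
    srv.close()
    received, got = result["rx"]
    return received, got == sent


if __name__ == "__main__":
    # 4 MiB of random bytes stands in for the ISO (or a /dev/urandom feed);
    # between two real hosts you would compare sha256sum output instead.
    print(transfer(os.urandom(4 * 1024 * 1024)))
```

Pass a path as out_path to get the "> FC-6-i386-disc1.iso" behaviour; leave it None for the /dev/null style throughput test.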

Listening on open ports (TCP only: UDP sockets have no LISTEN state and are hidden by the grep)

netstat -an | grep LISTEN

List all Internet connections, with the process that owns each

lsof -i

Display the list of open sockets with the socklist command (apt-get install procinfo)

socklist

Listening TCP sockets with the owning process (-p shows other users' processes only when run as root; the grep again hides UDP)

netstat -anp --udp --tcp | grep LISTEN

List active connections to/from the system with owning process

netstat -tup

List listening ports of the system with owning process. On a host you suspect is compromised, compare this with lsof -i: a rootkit that hides a socket from one tool often forgets the other.

netstat -tupl

Show status: the rules of the filter table with packet and byte counters and numeric addresses (add -t nat for the NAT table)

iptables -L -n -v

Set the default INPUT policy to ACCEPT. This changes only the policy; rules already in the chain still apply, so to really open everything also flush the chains (below). Before flushing on a remote machine, set the INPUT, FORWARD and OUTPUT policies to ACCEPT first, otherwise a DROP policy with no rules locks you out.

iptables -P INPUT ACCEPT



Zero the packet and byte counters in all chains

iptables -Z

Flush all rules from all chains (of the filter table; add -t nat for the NAT table)

iptables -F

Delete all user-defined chains (run -F first: a chain that still contains rules cannot be deleted)

iptables -X

IP forwarding for routing

Check and then enable IP forwarding with:

Check IP forwarding, 0=off, 1=on

cat /proc/sys/net/ipv4/ip_forward

Enable it until the next reboot (the /proc setting is not persistent)

echo 1 > /proc/sys/net/ipv4/ip_forward

or make it permanent by editing /etc/sysctl.conf (applied at boot, or immediately with sysctl -p) with:

net.ipv4.ip_forward = 1

NAT Network Address Translation

To activate NAT (masquerade everything leaving through eth0 behind its address; ip_forward must be 1 and the FORWARD chain must allow the traffic)

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Port forward: external port 20022 to port ssh on an internal IP. If the FORWARD chain's policy is DROP it must also accept these packets; the DNAT rule alone does not let them through. Every forward is a hole in the perimeter, so forward only what must be reachable.

iptables -t nat -A PREROUTING -p tcp -d --dport 20022 -j DNAT --to

Port forward of the range 993-995

iptables -t nat -A PREROUTING -p tcp -d --dport 993:995 -j DNAT --to

Flush the routing cache after changing the rules

ip route flush cache

Check NAT status

iptables -L -t nat

NOTE: You can delete a port forward with -D instead of -A (the rest of the rule must be identical).


On *nix the DNS settings apply to all interfaces and are stored in /etc/resolv.conf.
The domain to which the host belongs is also stored in this file. A minimal configuration needs a search domain and at least one nameserver line; the search line looks like:

search intern.lab

Check the system domain name with (same as dnsdomainname):

hostname -d

Forward queries

dig is used to test the DNS settings.
See from which server the client receives the answer (simplified answer).
In this example, we use


The router answered and the response is the A entry.
Any record type can be queried, and the DNS server can be selected with @:

To test the local server

dig @ NS

Query an external server

dig @ NS MX

Get the full zone (zone transfer). The server must allow AXFR to the asking host, which should only ever be its own secondaries (allow-transfer in BIND); a server that hands the zone to anyone publishes every host name you have, so try this against your own servers from the outside:

dig AXFR

The program host is also quite powerful.

Get the mail MX entry

host -t MX

Get the NS record over a TCP connection

host -t NS -T

Get everything

host -a

Reverse queries

Find the name belonging to an IP address. This can be done with dig, host and nslookup. A PTR record is only as trustworthy as whoever controls the reverse zone for that address, so never use it as the sole basis for an access decision:

dig -x
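What dig, host and nslookup actually put on the wire, as an added example that is not from the original page: a minimal DNS query builder and response parser, including the name compression that makes responses hard to read by hand. The response it parses is constructed in-line (192.0.2.10 is a documentation address, not example.com's real one), so it runs offline; resolve() is for live use against a resolver of your choice.

```python
# Added example (not from the original page): build a DNS query, parse a DNS
# response (with compression pointers), and send one over UDP like
# "dig @server name A". SAMPLE_RESPONSE is constructed, not captured.
import os
import socket
import struct

TYPES = {1: "A", 2: "NS", 12: "PTR", 15: "MX", 28: "AAAA", 252: "AXFR"}


def encode_name(name):
    """'example.com' -> b'\\x07example\\x03com\\x00' (length-prefixed labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError("bad label %r" % label)
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=1, txid=None):
    """Header (id, flags RD=1, one question) followed by the question.
    The id is random by default: a predictable id makes spoofed answers easy."""
    if txid is None:
        txid = int.from_bytes(os.urandom(2), "big")
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def read_name(msg, offset):
    """Decode a name that may use compression pointers (0xC0xx).
    Returns (name, offset just after the name in the current record)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                  # pointer into the message
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            hops += 1
            if hops > 64:                          # malformed: pointer loop
                raise ValueError("compression loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def parse_response(msg):
    """Return {'id', 'rcode', 'answers': [(name, type, ttl, data), ...]}."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a response")
    off = 12
    for _ in range(qd):                            # skip the echoed question
        _, off = read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            data = socket.inet_ntoa(msg[off:off + 4])
        elif rtype in (2, 12):                     # NS / PTR: a (compressible) name
            data, _ = read_name(msg, off)
        elif rtype == 15:                          # MX: preference + name
            data = (struct.unpack("!H", msg[off:off + 2])[0], read_name(msg, off + 2)[0])
        else:
            data = msg[off:off + rdlen]
        answers.append((name, TYPES.get(rtype, rtype), ttl, data))
        off += rdlen
    return {"id": txid, "rcode": flags & 0xF, "answers": answers}


def resolve(name, server, qtype=1, timeout=3.0):
    """'dig @server name TYPE' over UDP; rejects a reply whose id does not match."""
    query = build_query(name, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        data, _ = s.recvfrom(4096)
    reply = parse_response(data)
    if reply["id"] != struct.unpack("!H", query[:2])[0]:
        raise ValueError("transaction id mismatch (spoofed or stray reply)")
    return reply


# Constructed response to "example.com A": flags 0x8180 = QR, RD, RA; the answer
# name is the pointer 0xC00C back to the question at offset 12.
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
                   + encode_name("example.com") + struct.pack("!HH", 1, 1)
                   + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
                   + bytes([192, 0, 2, 10]))

if __name__ == "__main__":
    print(parse_response(SAMPLE_RESPONSE))
    # live use, needs network: print(resolve("example.com", "<your resolver>"))
```

An AXFR (type 252) is carried over TCP, not UDP, which is why resolve() as written cannot perform one; that is deliberate, the point here is reading what a normal answer looks like.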



Single hosts can be configured in the file /etc/hosts instead of running named locally to resolve hostname queries. /etc/hosts is consulted before DNS (see the hosts line in /etc/nsswitch.conf), so an entry here overrides whatever DNS says; check it when resolution behaves oddly, as it is a favourite place for malware to redirect names. The format is simple, IP address followed by the names, for example:
 google


The default Ubuntu DHCP client is dhclient; however, I like dhcpcd a lot better,
and that is what I will use in my examples.

apt-get install dhcpcd to install it.

Trigger a renew (does not always work)

dhcpcd -n eth0

release and shutdown

dhcpcd -k eth0

The lease with the full information is stored in:


For dhclient:

dhclient eth0

The lease with the full information is stored in:




To prepend options or force different options. prepend puts your value in front of what the DHCP server sends, supersede replaces the server's value entirely, and default is used only when the server sends nothing. Prepending your own nameserver keeps a resolver you trust first in /etc/resolv.conf, whatever the DHCP server (or a rogue one on the LAN that answers faster) hands out:

nano -w /etc/dhclient.conf

interface "eth0" {
prepend domain-name-servers;
default domain-name "";
supersede domain-name "";
}

Traffic analysis

Bmon is a small console bandwidth monitor and can display the
flow on different interfaces. You can install it on ubuntu with apt-get install bmon

Sniff with tcpdump (tcpdump comes with ubuntu)

tcpdump -nl -i eth0 not port ssh and src \( or\)

Select traffic to/from a single IP (host, not net)

tcpdump -n -i eth0 host

Select traffic to/from a whole network (CIDR notation)

tcpdump -n -i eth0 net

Buffered output: -l makes stdout line-buffered, so the file (or a pipe) is updated as packets arrive instead of in large blocks

tcpdump -l > dump && tail -f dump

Write traffic headers to a binary (pcap) file. Old tcpdump versions capture only the first 68 bytes of each packet by default, enough for the headers but not the payload.

tcpdump -i eth0 -w traffic.eth0

Write traffic + payload to a binary file (-s 0 removes the snaplen limit; this is the default from tcpdump 4.0 on)

tcpdump -i eth0 -s 0 -w traffic.eth0

Read from a file (the same format is read by ethereal/wireshark). A capture file contains whatever went over the wire, passwords included, so protect it like a secret.

tcpdump -r traffic.eth0

The two classic commands

tcpdump port 80

tcpdump host

Check whether POP or IMAP credentials travel in the clear: -X prints each packet in hex and ASCII, so a readable POP3 USER/PASS or IMAP LOGIN in the dump means the mail client is not using TLS (STARTTLS, or the TLS ports 995/993)

tcpdump -i eth0 -X port \(110 or 143\)

Only catch pings

tcpdump -n -i eth0 icmp

-s 0 for the full packet, -A to print the payload as ASCII; add -l if the grep output seems to lag, since tcpdump block-buffers stdout when it writes to a pipe

tcpdump -i eth0 -s 0 -A port 80 | grep GET
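Doing the POP/IMAP check above on a saved capture instead of by eye, as an added example that is not from the original page: a reader for the classic pcap format that tcpdump -w writes, a minimal Ethernet/IPv4/TCP decoder, and a search for POP3 USER/PASS and IMAP LOGIN commands sent to ports 110 and 143. The capture is constructed in-line (addresses 10.0.0.5 and 10.0.0.9, the users bob and alice and their passwords are invented), so it runs offline; scan_capture_file() takes a real file.

```python
# Added example (not from the original page): parse a "tcpdump -s 0 -w" file
# and report cleartext mail logins. SAMPLE_PCAP is built in-line from
# invented traffic; nothing here was captured from a real network.
import socket
import struct

PCAP_MAGIC = 0xA1B2C3D4          # classic libpcap format, microsecond timestamps
LINKTYPE_ETHERNET = 1


def read_packets(blob):
    """Yield (timestamp, frame_bytes) from a pcap blob, either byte order."""
    endian = "<" if struct.unpack("<I", blob[:4])[0] == PCAP_MAGIC else ">"
    if struct.unpack(endian + "I", blob[:4])[0] != PCAP_MAGIC:
        raise ValueError("not a classic pcap file (pcapng is a different format)")
    if struct.unpack(endian + "I", blob[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("this example only decodes Ethernet captures")
    off = 24
    while off + 16 <= len(blob):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", blob[off:off + 16])
        off += 16
        yield ts_sec + ts_usec / 1e6, blob[off:off + incl_len]   # incl_len <= snaplen
        off += incl_len


def tcp_payload(frame):
    """Ethernet -> IPv4 -> TCP. Returns (src, dst, sport, dport, payload) or None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None                               # ARP, IPv6, VLAN ...: not handled
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6:
        return None                               # not TCP
    total_len = struct.unpack("!H", ip[2:4])[0]
    tcp = ip[ihl:total_len]                       # drops Ethernet padding
    if len(tcp) < 20:
        return None                               # header cut off by a small snaplen
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4
    return (socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20]),
            sport, dport, tcp[data_off:])


def find_cleartext_logins(blob, ports=(110, 143)):
    """List POP3 USER/PASS and IMAP LOGIN commands sent to cleartext mail ports.
    The password itself is never copied into the report."""
    findings = []
    for _ts, frame in read_packets(blob):
        parsed = tcp_payload(frame)
        if parsed is None or parsed[3] not in ports:
            continue
        src, dst, _sport, dport, payload = parsed
        for line in payload.decode("ascii", "replace").splitlines():
            tok = line.split()
            if dport == 110 and len(tok) >= 2 and tok[0].upper() == "USER":
                findings.append((src, dst, dport, "USER " + tok[1]))
            elif dport == 110 and tok and tok[0].upper() == "PASS":
                findings.append((src, dst, dport, "PASS (redacted)"))
            elif dport == 143 and len(tok) >= 4 and tok[1].upper() == "LOGIN":
                findings.append((src, dst, dport, "LOGIN %s (redacted)" % tok[2]))
    return findings


def scan_capture_file(path):
    """Run the check over a file written with 'tcpdump -s 0 -w traffic.eth0'."""
    with open(path, "rb") as f:
        return find_cleartext_logins(f.read())


# --- constructed sample capture (invented traffic) --------------------------
def _frame(src, dst, sport, dport, payload):
    """One Ethernet/IPv4/TCP frame; checksums left zero (tcpdump -r does not verify them)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst)) + tcp
    return b"\x02\x00\x00\x00\x00\x09" + b"\x02\x00\x00\x00\x00\x05" + b"\x08\x00" + ip


def _pcap(frames):
    hdr = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    recs = [struct.pack("<IIII", 1261100000 + i, 0, len(f), len(f)) + f
            for i, f in enumerate(frames)]
    return hdr + b"".join(recs)


SAMPLE_PCAP = _pcap([
    _frame("10.0.0.5", "10.0.0.9", 40001, 110, b"USER bob\r\n"),
    _frame("10.0.0.5", "10.0.0.9", 40001, 110, b"PASS hunter2\r\n"),
    _frame("10.0.0.5", "10.0.0.9", 40002, 143, b"a1 LOGIN alice s3cret\r\n"),
    _frame("10.0.0.5", "10.0.0.9", 40003, 80, b"GET / HTTP/1.0\r\n\r\n"),  # port 80: ignored
    b"\xff" * 6 + b"\x02\x00\x00\x00\x00\x05" + b"\x08\x06" + b"\x00" * 28,  # ARP: not IPv4
])

if __name__ == "__main__":
    for hit in find_cleartext_logins(SAMPLE_PCAP):
        print("%s -> %s:%d  %s" % hit)
```

A login that shows up here was sent without TLS; the fix is on the client (STARTTLS or ports 993/995), not in the capture. The decoder ignores anything that is not plain Ethernet/IPv4/TCP, so VLAN-tagged or IPv6 traffic is silently skipped rather than misread.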

 Posted by at 5:49 am