Jan 06 2013
 

Someone recently asked me which linux networking commands are the most useful and how they are used in practice. Here is a compiled list of those commands, with examples:

 
1. netstat
2. ping
3. traceroute
4. mtr
5. whois
6. finger
7. iptables
8. host
9. nslookup
10. ss
11. route

In my next post, I will be going over 10 more useful linux networking commands. I will be touching on:
ifconfig, iwconfig, ethtool, arp, tcpdump, tracepath, nmap, telnet and dig

Before the individual commands: the network service itself can be started, stopped or restarted with its init script, or equivalently through the service command shown below (SysV init as on CentOS/RHEL/Fedora of that era; systemd-based releases use systemctl with the equivalent unit instead):

/etc/rc.d/init.d/network start  
/etc/rc.d/init.d/network stop
/etc/rc.d/init.d/network restart

or

service network start
service network stop
service network restart

 

1. netstat – netstat displays network connections, routing tables, interface stats, masquerade connections and multicast memberships. It comes from net-tools, which is deprecated on current distributions in favour of ss (item 10 below), but it is still installed on many hosts.
To list every TCP and UDP socket, listening or connected, with the owning process and without DNS lookups, use:

netstat -punta

-a: Shows both listening and non-listening sockets.
-p: Shows PID/program name of the process owning the socket (other users' processes are shown only when run as root)
-u: Shows UDP connections
-t: Shows TCP connections
-n: Shows IP addresses only. Don’t resolve host names
-g: Shows multi-cast group membership info
-c: Shows Continuous mode – update info every second
-v: Shows Verbose
-e: Shows Extended information
-o: Shows network timer information
 

To list all sockets, including Unix-domain sockets, with the owning process and numeric addresses:

netstat -nap

 
To show network statistics:

netstat -s

 
To display routing table info:

$ netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth0
0.0.0.0         192.168.1.1     0.0.0.0         UG        0 0          0 eth0

Flags:
G: route uses gateway
U: Interface is “up”
H: Only a single host is accessible (eg. loopback)
D: Entry generated by ICMP redirect message
M: Modified by ICMP redirect message

To display interface statistics:

$ netstat -i
Kernel Interface table
Iface       MTU Met    RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0       1500   0     2224      0      0      0     1969      0      0      0 BMRU
lo        16436   0     1428      0      0      0     1428      0      0      0 LRU

Where:
RX-OK/TX-OK: number of packets received/transmitted error free
RX-ERR/TX-ERR: number of damaged/error packets received/transmitted
RX-DRP/TX-DRP: number of dropped packets
RX-OVR/TX-OVR: number of packets dropped because of a buffer overrun
Flags:
B: A broadcast address has been set
L: This interface is a loopback device
M: All packets are received (promiscuous mode)
N: Trailers are avoided
O: ARP is turned off for this interface
P: Point-to-point connection
R: Interface is running
U: Interface is up
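Listing sockets is the easy part; the security question is which of them a host on the network can actually reach. The shell function below is an added example and is not part of the original post: it reads output in the shape of netstat -plnt and prints only the TCP listeners bound to every address (0.0.0.0 or ::) together with the PID/program column, skipping loopback-only services. The sample output embedded in the block is constructed for the example; on a live host pipe the real netstat command in instead, as the comment shows.

```shell
#!/bin/sh
# Added example, not part of the original post.
# exposed_listeners: read `netstat -plnt`-style output on stdin and print
# "proto/port pid/program" for each TCP listener bound to a wildcard address.
# Loopback-only services (127.0.0.1, ::1) are skipped: they are not reachable
# from the network, so they are not part of the exposed surface.
exposed_listeners() {
    awk '
        # netstat -t rows: Proto Recv-Q Send-Q Local Foreign State PID/Program
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            n = split($4, a, ":")            # last colon-separated field is the port
            port = a[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (addr == "0.0.0.0" || addr == "::")
                printf "%s/%s %s\n", $1, port, $7
        }'
}

# Constructed sample in the format `netstat -plnt` prints when run as root.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1290/mysqld
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1401/httpd
tcp6       0      0 :::22                   :::*                    LISTEN      812/sshd
tcp6       0      0 ::1:631                 :::*                    LISTEN      977/cupsd'

# Live use:  netstat -plnt 2>/dev/null | exposed_listeners
printf '%s\n' "$SAMPLE_NETSTAT" | exposed_listeners
```

Run against the sample this prints sshd on 22 (IPv4 and IPv6) and httpd on 80; mysqld on 127.0.0.1:3306 and cupsd on ::1:631 are left out because only local processes can connect to them. Anything that shows up here and is not meant to be public belongs behind a firewall rule or rebound to loopback.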
 


2. ping – send ICMP ECHO_REQUEST packets to network hosts. Use Ctrl-C to stop ping.

Increase Ping Time Interval: Example: Wait for 5 seconds before sending the next packet.

$ ping -i 5 IP

Decrease Ping Time Interval: Example: Wait 0.1 seconds before sending the next packet. Intervals below 0.2 seconds are allowed only for root, hence the # prompt.

# ping -i 0.1 IP

 
Send X number of packets and stop

[root@host] ~ >> ping -c 5 google.com
PING google.com (74.125.225.110) 56(84) bytes of data.
64 bytes from ord08s08-in-f14.1e100.net (74.125.225.110): icmp_seq=1 ttl=57 time=12.1 ms
64 bytes from ord08s08-in-f14.1e100.net (74.125.225.110): icmp_seq=2 ttl=57 time=13.0 ms
64 bytes from ord08s08-in-f14.1e100.net (74.125.225.110): icmp_seq=3 ttl=57 time=12.3 ms
64 bytes from ord08s08-in-f14.1e100.net (74.125.225.110): icmp_seq=4 ttl=57 time=12.3 ms
64 bytes from ord08s08-in-f14.1e100.net (74.125.225.110): icmp_seq=5 ttl=57 time=11.8 ms

--- google.com ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 3999ms
rtt min/avg/max/mdev = 11.877/12.330/13.000/0.396 ms

 
Ping Flood (root only; -f sends the next request as soon as a reply arrives or a hundred times per second, whichever is more, so it loads the target and the link; run it only against hosts you are authorised to test)

# ping -f 74.125.225.110
PING 69.167.143.106 (69.167.143.106) 56(84) bytes of data.
.^C
--- 74.125.225.110 ping statistics ---
9838 packets transmitted, 9837 received, 0% packet loss, time 9930ms
rtt min/avg/max/mdev = 0.679/0.962/7.453/0.323 ms, ipg/ewma 1.009/0.931 ms

 
Find IP

# ping -c 1 google.com
PING google.com (74.125.225.110) 56(84) bytes of data.
64 bytes from ord08s08-in-f14.1e100.net (74.125.225.110): icmp_req=1 ttl=59 time=12.1 ms

--- google.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 12.150/12.150/12.150/0.000 ms

 
Record route: the -R flag sets the IP record-route option, so each router adds its address to the packet and ping prints the path the ECHO_REQUEST took and the ECHO_REPLY came back on.

# ping -R google.com

The option holds at most nine addresses and most routers ignore or strip it, so expect incomplete or empty route output.


 
3. traceroute – print the route packets take to a network host.
traceroute [-d] [-F] [-I] [-n] [-v] [-x] [-f first_ttl] [-g gateway [-g gateway] | -r] [-i iface] [-m max_ttl] [-p port] [-q nqueries] [-s src_addr] [-t tos] [-w waittime ] host [packetlen]

traceroute 74.125.225.104
traceroute google.com

(The sample output below is in the format of the Windows tracert utility; Linux traceroute prints the hop number, the host and its address, and three round-trip times per line, but the information is the same.)

Tracing route to www.l.google.com [209.85.225.104]
over a maximum of 30 hops:

   1    <1 ms    <1 ms    <1 ms  10.1.0.1
   2    35 ms    19 ms    29 ms  98.245.140.1
   3    11 ms    27 ms     9 ms  te-0-3.dnv.comcast.net [68.85.105.201]
   ...
  13    81 ms    76 ms    75 ms  209.85.241.37
  14    84 ms    91 ms    87 ms  209.85.248.102
  15    76 ms   112 ms    76 ms  iy-f104.1e100.net [209.85.225.104]

Trace complete.

 
To disable IP address and hostname mapping use the -n flag.

$ traceroute google.com -n

 
To configure the response wait time, use the ‘-w’ option which the command will take as the length of time to wait for a response. Below, the wait time is 0.1 seconds.

$ traceroute google.com -w 0.1

 
Traceroute usually defaults to 3 packets per hop. To modify this behavior, use the ‘-q’ option to configure the number of queries per hop.

$ traceroute google.com -q 5

By default Linux traceroute sends UDP probes to high-numbered ports, which firewalls frequently drop. When a trace stops at a filtering device, retry with -I (ICMP echo probes, like ping) or -T (TCP SYN probes, with -p to pick a port the target actually serves), since those are more likely to be allowed through.

 


 
4. mtr – Matt's traceroute, a network diagnostic tool that combines traceroute and ping: like traceroute it discovers each hop, then it keeps probing every hop and reports packet loss and the best, average and worst round-trip times in milliseconds. Leave it running for real-time statistics, or use -r together with -c N for a one-shot report that can be pasted into a ticket.

mtr 72.30.38.140
mtr yahoo.com

           My traceroute  [v0.71]
            example.lan                           Sun Mar 25 00:07:50 2007

                                       Packets                Pings
Hostname                            %Loss  Rcv  Snt  Last Best  Avg  Worst
 1. example.lan                        0%   11   11     1    1    1      2
 2. ae-31-51.ebr1.Chicago1.Level3.n   19%    9   11     3    1    7     14
 3. ae-1.ebr2.Chicago1.Level3.net      0%   11   11     7    1    7     14
 4. ae-2.ebr2.Washington1.Level3.ne   19%    9   11    19   18   23     31
 5. ae-1.ebr1.Washington1.Level3.ne   28%    8   11    22   18   24     30
 6. ge-3-0-0-53.gar1.Washington1.Le    0%   11   11    18   18   20     36
 7. 63.210.29.230                      0%   10   10    19   19   19     19
 8. t-3-1.bas1.re2.yahoo.com           0%   10   10    19   18   32    106
 9. p25.www.re2.yahoo.com              0%   10   10    19   18   19     19

 


 
5. whois – Look up the registration record for a domain name (registrar, name servers, creation and expiry dates, and contacts where they are not redacted) in the registry and registrar whois databases. It also works for IP address blocks and AS numbers, which is how you find who owns an address seen in your logs.

whois google.com

Of course, since it's google, you will get some strange responses:

  Server Name: GOOGLE.COM.PEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEENIS.COM
   IP Address: 8.8.8.8
   Registrar: DOMAIN.COM, LLC
   Whois Server: whois.domain.com
   Referral URL: http://www.domain.com

 Server Name: GOOGLE.COM.ZZZZZ.GET.LAID.AT.WWW.SWINGINGCOMMUNITY.COM
   IP Address: 69.41.185.195
   Registrar: TUCOWS.COM CO.
   Whois Server: whois.tucows.com
   Referral URL: http://domainhelp.opensrs.net

Server Name: GOOGLE.COM.SUCKS.FIND.CRACKZ.WITH.SEARCH.GULLI.COM
   IP Address: 80.190.192.24
   Registrar: EPAG DOMAINSERVICES GMBH
   Whois Server: whois.enterprice.net
   Referral URL: http://www.enterprice.net

These are not google's records: the VeriSign whois server for .com matches every registered name-server host whose name begins with the string you typed, and people register joke hosts under their own domains precisely so that they appear here. Prefix the query with the word domain (whois "domain google.com") to restrict the answer to the domain record itself.

heh… onward


 

6. finger – Display information on a system user, i.e. finger user or finger user@host. It prints the login name, home directory, shell, login sessions and mail status, along with the contents of the user's $HOME/.plan and $HOME/.project files. The remote form needs fingerd listening on TCP port 79 on the target, which most systems no longer run because it hands anyone on the network a list of valid accounts and login times.

$ finger gooduser
Login:     gooduser                      Name: (null)
Directory: /home/gooduser               Shell: /bin/bash
On since Mon Nov  1 18:45 (IST) on :0 (messages off)
On since Mon Nov  1 18:46 (IST) on pts/0 from :0.0
New mail received Fri May  7 10:33 2010 (IST)
Unread since Sat Jun  7 12:59 2008 (IST)
No Plan.

You can also use the finger -s option to view the login detail for a particular user.

$ finger -s root
Login     Name              Tty      Idle  Login Time   Office     Office Phone
root         root           *1    19d Wed 17:45
root         root           *2     3d Fri 16:53
root         root           *3        Mon 20:20
root         root           *ta    2  Tue 15:43
root         root           *tb    2  Tue 15:44

-s Display the user's login name, real name, terminal name and write status, idle time, login time, and either office location and office phone number, or the remote host.
-p Prevent the -l option of finger from displaying the contents of the .forward, .plan, .project and .pubkey files.
-m Prevent matching of user names. User is usually a login name; however, matching will also be done on the users' real names unless the -m option is supplied.
-o When used in conjunction with the -s option, the office location and office phone information is displayed instead of the name of the remote host.


 
7. iptables – Iptables is used to set up, maintain, and inspect the tables of IPv4 packet filter rules in the Linux kernel.
Flush (delete every rule in every chain of the filter table; user-defined chains and the chain policies remain, so on a host whose INPUT policy is DROP do this only from the console or after setting the policy to ACCEPT, and name other tables such as nat with -t)

iptables -F
(or)
iptables --flush

 

Block IP

BLOCK_THIS_IP="x.x.x.x"
iptables -A INPUT -s "$BLOCK_THIS_IP" -j DROP

 

Block traffic from this address arriving on eth0. The first rule drops every protocol; the second restricts the match to TCP only. Use one or the other, since with -A the first matching rule wins:

iptables -A INPUT -i eth0 -s "$BLOCK_THIS_IP" -j DROP
iptables -A INPUT -i eth0 -p tcp -s "$BLOCK_THIS_IP" -j DROP

 

Rate-limit new HTTP connections: the following rule is often presented as Denial of Service (DoS) protection for a webserver, but understand how it works before relying on it.

iptables -A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT

In this example:
-m limit: uses the limit match extension, a token bucket that matches at most the configured rate
--limit 25/minute: once the burst is used up, at most 25 matching packets per minute are accepted by this rule. Change this value based on your specific need
--limit-burst 100: the bucket starts with 100 tokens, so the first 100 packets match immediately and the per-minute limit is enforced only after that

Two caveats. First, the limit match counts packets, not connections, so as written it also counts every packet of already-established sessions; match on -p tcp --syn (or -m conntrack --ctstate NEW) to count connection attempts. Second, this rule only ACCEPTs: unless it is followed by a DROP rule for port 80, or the chain policy is DROP, the excess traffic is still accepted by whatever rule comes next and nothing has been limited.
 

Displaying the Status of Your Firewall

# iptables -L -n -v

 

To add line numbers and page through the output:

# iptables -n -L -v --line-numbers | less

 

Stop / Start / Restart the Firewall if you are using CentOS / RHEL / Fedora Linux, enter:

# service iptables stop
# service iptables start
# service iptables restart

 

You can also use the iptables command itself to stop the firewall and delete all the rules. When working over ssh on a host whose policy is DROP, run the three -P ACCEPT lines first, otherwise the flush leaves only the DROP policy behind and the session dies:

# iptables -F
# iptables -X
# iptables -t nat -F
# iptables -t nat -X
# iptables -t mangle -F
# iptables -t mangle -X
# iptables -P INPUT ACCEPT
# iptables -P OUTPUT ACCEPT
# iptables -P FORWARD ACCEPT

-F : Delete (flush) all the rules in the named chain, or in every chain of the table if no chain is given.
-X : Delete the named user-defined chain, or all of them if none is named; only empty chains can be deleted, hence the -F first.
-t table_name : Select the table (filter is the default; nat and mangle must be named explicitly) whose rules to delete/flush.
-P : Set the default policy of a built-in chain to ACCEPT or DROP (REJECT is a rule target, not a valid chain policy).
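The rate-limit rule above (Prevent DoS Attack) and the reset sequence just shown both have ordering problems that bite in practice: the limit rule needs a DROP behind it and should count SYNs, and the flush must not run while the policy is DROP. The script below is an added example, not from the original post, that puts the pieces in a working order for the INPUT chain. It defaults to a dry run: IPT is set to echo the iptables commands instead of executing them, so it can be read and tested without root; run it with IPT=iptables to apply. The SSH_PORT variable and the 6/minute and 25/minute rates are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example, not part of the original post. Emits an ordered iptables
# rule set for the INPUT chain that (1) resets the filter table without
# locking out a remote admin and (2) rate-limits new ssh and HTTP
# connections with a DROP rule behind each ACCEPT.
# IPT defaults to a dry run that only prints the commands; run with
# IPT=iptables (as root) to apply them. SSH_PORT and the rates are
# example values.
IPT="${IPT:-echo iptables}"
SSH_PORT="${SSH_PORT:-22}"

baseline_firewall() {
    # 1. Policy ACCEPT before flushing: with policy DROP, "iptables -F" over
    #    ssh leaves only the policy in place and drops your own session.
    $IPT -P INPUT ACCEPT
    $IPT -P FORWARD ACCEPT
    $IPT -P OUTPUT ACCEPT
    $IPT -F
    $IPT -X

    # 2. Loopback and already-tracked traffic first: most packets match here,
    #    so the rate limits below only ever see connection attempts.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate INVALID -j DROP

    # 3. Limit TCP SYNs (connection attempts), not every packet on the port,
    #    and follow each ACCEPT with a DROP so the excess is really discarded.
    $IPT -A INPUT -p tcp --syn --dport "$SSH_PORT" -m limit --limit 6/minute --limit-burst 10 -j ACCEPT
    $IPT -A INPUT -p tcp --syn --dport "$SSH_PORT" -j DROP
    $IPT -A INPUT -p tcp --syn --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT
    $IPT -A INPUT -p tcp --syn --dport 80 -j DROP

    # 4. Default-deny last, once the allow rules are in place. OUTPUT is left
    #    at ACCEPT; tighten it separately if the host must not call out.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
}

baseline_firewall
```

Because the ESTABLISHED,RELATED rule sits above the limits, only the SYN of each new connection is counted against the bucket; once accepted, the rest of the session flows through rule 2. Anything to port 80 that is not a SYN and not part of a tracked connection falls through to the INPUT DROP policy.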
 

Find and Delete Firewall Rules
To display line number along with other information for existing rules, enter:

# iptables -L INPUT -n --line-numbers
# iptables -L OUTPUT -n --line-numbers
# iptables -L OUTPUT -n --line-numbers | less
# iptables -L OUTPUT -n --line-numbers | grep 172.16.54.1

You will get the list of rules with their numbers. Find the number on the left that corresponds to the rule to delete, then delete it by that number. Deleting a rule renumbers every rule below it, so when removing several rules by number work from the highest number down, or re-list the chain after each deletion.

For example delete line number 4, enter:

# iptables -D INPUT 4

OR find the specific source IP 202.54.1.1 and delete it from the rules:

# iptables -D INPUT -s 202.54.1.1 -j DROP

-D : Deletes one or more rules from the selected chain
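Deleting by number is convenient but easy to get wrong when the same address appears in more than one rule, because each -D shifts the numbers of the rules below it. The function below is an added example, not from the original post: it reads the output of iptables -L CHAIN -n --line-numbers, finds every rule whose source column matches an address, and prints the rule numbers highest first so that a loop deleting them bottom-up never deletes the wrong rule. The chain listing in the block is constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the original post.
# rule_numbers_for_source: read `iptables -L CHAIN -n --line-numbers` output
# on stdin and print the rule numbers whose source column equals the given
# address, highest number first. Deleting a rule renumbers everything below
# it, so deleting from the bottom up keeps the remaining numbers valid.
rule_numbers_for_source() {
    awk -v src="$1" '$1 ~ /^[0-9]+$/ && $5 == src { print $1 }' | sort -rn
}

# Constructed sample of `iptables -L INPUT -n --line-numbers` with the same
# address listed twice (rules 1 and 3), as happens after repeated -A.
SAMPLE_INPUT_CHAIN='Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    DROP       all  --  202.54.1.1           0.0.0.0/0
2    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state NEW,ESTABLISHED
3    DROP       tcp  --  202.54.1.1           0.0.0.0/0           tcp dpt:80
4    DROP       all  --  5.6.7.8              0.0.0.0/0'

# Live use (removes every rule for one source address, bottom up):
#   iptables -L INPUT -n --line-numbers | rule_numbers_for_source 202.54.1.1 |
#       while read -r n; do iptables -D INPUT "$n"; done
printf '%s\n' "$SAMPLE_INPUT_CHAIN" | rule_numbers_for_source 202.54.1.1
```

On the sample this prints 3 and then 1. Deleting in that order leaves rule 2 and the old rule 4 (now 2) intact; deleting 1 first would turn the intended rule 3 into rule 2 and the second -D would remove the ACCEPT instead.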
 

Insert Firewall Rules
To insert one or more rules in the chain as a specific rule number, use the following syntax. First find out line numbers:

# iptables -L INPUT -n --line-numbers

outputs:

Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    DROP       all  --  202.54.1.1           0.0.0.0/0
2    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state NEW,ESTABLISHED

 
To insert rule between 1 and 2, enter:

# iptables -I INPUT 2 -s 202.54.1.2 -j DROP

 
To view updated rules, enter:

# iptables -L INPUT -n --line-numbers

 

To save the firewall rules so they survive a reboot under CentOS / RHEL / Fedora Linux, enter the following (on other distributions, and for reviewing the full rule set, iptables-save prints every table to stdout in a form iptables-restore can load):

# service iptables save

 

To block an attacker's IP address, or an entire network, enter:

# iptables -A INPUT -s 5.6.7.8 -j DROP
# iptables -A INPUT -s 192.168.0.0/24 -j DROP

 

To block all incoming requests to port 80, on any interface or only on eth1, enter:

# iptables -A INPUT -p tcp --dport 80 -j DROP
# iptables -A INPUT -i eth1 -p tcp --dport 80 -j DROP

 

To block an ip address for port 80 only, enter:

# iptables -A INPUT -p tcp -s 5.6.7.8 --dport 80 -j DROP
# iptables -A INPUT -i eth1 -p tcp -s 192.168.1.0/24 --dport 80 -j DROP

 

To block outgoing traffic to a particular host or domain such as facebook.com, enter:

# host -t a facebook.com
facebook.com has address 173.252.100.16

 
Note its IP address and enter the following to block all outgoing traffic to 173.252.100.16. Large sites return several addresses that change over time, so a single -d rule is a snapshot rather than a durable block:

# iptables -A OUTPUT -d 173.252.100.16 -j DROP

 

You can also drop a subnet like so:

# iptables -A OUTPUT -d 192.168.1.0/24 -j DROP
# iptables -A OUTPUT -o eth1 -d 192.168.1.0/24 -j DROP

 

You can also give a domain name instead of an address. iptables resolves the name once, when the rule is added, and creates one rule per address returned; those rules are not updated when the DNS records change, and a resolver failure at that moment makes the command fail outright:

# iptables -A OUTPUT -p tcp -d www.facebook.com -j DROP
# iptables -A OUTPUT -p tcp -d facebook.com -j DROP
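Since a name in -d is only a one-time expansion to whatever addresses DNS returned, it is clearer to do that expansion yourself, so the resulting rules can be reviewed and the step re-run when the records change. The function below is an added example, not from the original post: it turns the output of host -t a into one OUTPUT DROP rule per distinct address. As in the previous example, IPT defaults to echoing the commands; set IPT=iptables to apply them. The host output in the block is constructed for the example and uses documentation addresses.

```shell
#!/bin/sh
# Added example, not part of the original post. Expands `host -t a NAME`
# output into one OUTPUT DROP rule per address, so the address list that a
# name-based rule would silently snapshot is explicit and repeatable.
# IPT defaults to a dry run; run with IPT=iptables (as root) to apply.
IPT="${IPT:-echo iptables}"

drop_rules_from_host_output() {
    # `host -t a NAME` prints "NAME has address A.B.C.D" per A record;
    # alias lines and "not found" messages are ignored. sort -u removes
    # duplicate addresses so the chain does not grow redundant rules.
    awk '$2 == "has" && $3 == "address" { print $4 }' | sort -u |
    while read -r addr; do
        $IPT -A OUTPUT -d "$addr" -j DROP
    done
}

# Constructed sample in the shape of `host -t a example.com` output,
# including an alias line and a duplicated address.
SAMPLE_HOST='www.example.com is an alias for example.com.
example.com has address 203.0.113.16
example.com has address 203.0.113.17
example.com has address 203.0.113.16'

# Live use:  host -t a facebook.com | drop_rules_from_host_output
printf '%s\n' "$SAMPLE_HOST" | drop_rules_from_host_output
```

Re-running this from cron keeps the block roughly in step with DNS, but it appends rather than replaces; for a set of addresses that changes often, an ipset referenced by a single rule is the cleaner tool.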

 

To open a range of ports, use the following syntax:

# iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 42000:42100 -j ACCEPT

 

To open range of IP addresses, use the following syntax:

## only accept connection to tcp port 80 (Apache) if ip is between 192.168.1.1 and 192.168.1.50 ##
iptables -A INPUT -p tcp --destination-port 80 -m iprange --src-range 192.168.1.1-192.168.1.50 -j ACCEPT

 

For more info, see the man page or use -h for a full list of flags

# man iptables
# iptables -h

 


 

 
8. host – Enter a host name and the command will return its IP address(es), together with the IPv6 and MX records when present. Like nslookup and dig, host is a pure DNS client: it does not consult /etc/hosts or nsswitch.conf, so to see what the system resolver (and therefore applications) will actually use, query getent hosts name instead.
Example:

root@user:# host google.com
google.com has address 74.125.225.103
google.com has address 74.125.225.104
google.com has address 74.125.225.105
google.com has address 74.125.225.110
google.com has address 74.125.225.96
google.com has address 74.125.225.97
google.com has address 74.125.225.98
google.com has address 74.125.225.99
google.com has address 74.125.225.100
google.com has address 74.125.225.101
google.com has address 74.125.225.102
google.com has IPv6 address 2607:f8b0:4009:802::100e
google.com mail is handled by 40 alt3.aspmx.l.google.com.
google.com mail is handled by 50 alt4.aspmx.l.google.com.
google.com mail is handled by 10 aspmx.l.google.com.
google.com mail is handled by 20 alt1.aspmx.l.google.com.
google.com mail is handled by 30 alt2.aspmx.l.google.com.

 

Locate the host's IP via the A record:

root@host# host -t a yahoo.com
yahoo.com has address 72.30.38.140
yahoo.com has address 98.138.253.109
yahoo.com has address 98.139.183.24

 

Locate the MX records information

root@host# host -t mx yahoo.com
yahoo.com mail is handled by 1 mta7.am0.yahoodns.net.
yahoo.com mail is handled by 1 mta5.am0.yahoodns.net.
yahoo.com mail is handled by 1 mta6.am0.yahoodns.net.

 

To display all of the records the server will return for a domain, pass the -a (all) option, which is shorthand for -v -t ANY. Many authoritative servers now answer ANY queries with a deliberately minimal response (RFC 8482), so if the output looks short, query the record types you need individually:

$ host -a yahoo.com
;; ANSWER SECTION:
yahoo.com.      877 IN  NS  ns1.yahoo.com.
yahoo.com.      877 IN  NS  ns2.yahoo.com.
yahoo.com.      877 IN  NS  ns3.yahoo.com.
yahoo.com.      877 IN  NS  ns4.yahoo.com.
yahoo.com.      877 IN  NS  ns5.yahoo.com.
yahoo.com.      877 IN  NS  ns6.yahoo.com.
yahoo.com.      877 IN  NS  ns8.yahoo.com.
yahoo.com.      498 IN  MX  1 mta7.am0.yahoodns.net.
yahoo.com.      498 IN  MX  1 mta5.am0.yahoodns.net.
yahoo.com.      498 IN  MX  1 mta6.am0.yahoodns.net.
yahoo.com.      420 IN  A   98.139.183.24
yahoo.com.      420 IN  A   72.30.38.140
yahoo.com.      420 IN  A   98.138.253.109

;; AUTHORITY SECTION:
yahoo.com.      877 IN  NS  ns2.yahoo.com.
yahoo.com.      877 IN  NS  ns3.yahoo.com.
yahoo.com.      877 IN  NS  ns4.yahoo.com.
yahoo.com.      877 IN  NS  ns5.yahoo.com.
yahoo.com.      877 IN  NS  ns6.yahoo.com.
yahoo.com.      877 IN  NS  ns8.yahoo.com.
yahoo.com.      877 IN  NS  ns1.yahoo.com.

;; ADDITIONAL SECTION:
ns6.yahoo.com.      877 IN  A   202.43.223.170
ns8.yahoo.com.      877 IN  A   202.165.104.22

 

To do a reverse IP lookup

root@host# host 72.30.38.140
140.38.30.72.in-addr.arpa domain name pointer ir1.fp.vip.sp2.yahoo.com.

 


 
9. nslookup – This is a network admin tool for querying DNS to obtain domain name or IP address mapping or any other specific DNS info and also used to troubleshoot DNS related problems

root@host# nslookup yahoo.com
Server:     127.0.1.1
Address:    127.0.1.1#53

Non-authoritative answer:
Name:   yahoo.com
Address: 98.138.253.109
Name:   yahoo.com
Address: 98.139.183.24
Name:   yahoo.com
Address: 72.30.38.140

 

You can query a specific name server by giving it as the second argument, which is how to check an authoritative server directly and bypass the local cache (a reverse look-up works the same way: pass the IP address as the first argument):

root@host# nslookup redhat.com ns1.redhat.com
Server:     ns1.redhat.com
Address:    209.132.186.218#53

Name:   redhat.com
Address: 209.132.183.181

 

Query for a specific record type with the ‘-query=’ option (also spelled -type=) followed by a record type such as a, aaaa, mx, soa, ns or txt, e.g.

To search for the mx record for Redhat

root@host# nslookup -query=mx redhat.com
Server:     127.0.1.1
Address:    127.0.1.1#53

Non-authoritative answer:
redhat.com  mail exchanger = 5 mx1.redhat.com.
redhat.com  mail exchanger = 10 mx2.redhat.com.

Authoritative answers can be found from:
redhat.com  nameserver = ns4.redhat.com.
redhat.com  nameserver = ns1.redhat.com.
redhat.com  nameserver = ns2.redhat.com.
redhat.com  nameserver = ns3.redhat.com.
mx1.redhat.com  internet address = 209.132.183.28
mx2.redhat.com  internet address = 66.187.233.33
ns1.redhat.com  internet address = 209.132.186.218

Or query the SOA record:

root@host# nslookup -query=soa redhat.com
Server:     127.0.1.1
Address:    127.0.1.1#53

Non-authoritative answer:
redhat.com
    origin = ns1.redhat.com
    mail addr = noc.redhat.com
    serial = 2013010502
    refresh = 300
    retry = 180
    expire = 604800
    minimum = 14400

Authoritative answers can be found from:
redhat.com  nameserver = ns4.redhat.com.
redhat.com  nameserver = ns1.redhat.com.
redhat.com  nameserver = ns2.redhat.com.
redhat.com  nameserver = ns3.redhat.com.
ns1.redhat.com  internet address = 209.132.186.218

Basically, any dns record type can be searched for using this method
 


 

10. ss – The ss command dumps socket (network connection) statistics such as all TCP / UDP connections, current established connections per protocol (e.g., displays all established ssh connections), and displays all of the tcp sockets in various states such as ESTABLISHED or FIN-WAIT-1.

[root@host] ~ >> ss -s
Total: 111 (kernel 128)
TCP:   44 (estab 1, closed 5, orphaned 0, synrecv 0, timewait 5/0), ports 32

Transport Total     IP        IPv6
*     128       -         -        
RAW   0         0         0        
UDP   13        10        3        
TCP   39        29        10      
INET      52        39        13      
FRAG      0         0         0

Use ss to display all listening sockets (add -n to print port numbers instead of the service names looked up in /etc/services, and -p to show the owning process):

[root@host] ~ >> ss -l
Recv-Q Send-Q               Local Address:Port                   Peer Address:Port  
0      0                        127.0.0.1:6082                              *:*      
0      0                                *:infowave                           *:*      
0      0                                *:radsec                            *:*      
0      0                                *:gnunet                            *:*      
0      0                                *:eli                               *:*      
0      0                                *:mysql                             *:*      
0      0                                *:submission                           *:*      
0      0                        127.0.0.1:783                               *:*      
0      0                                *:nbx-ser                           *:*      
0      0                                *:http                              *:*      
0      0                                *:nbx-dir                           *:*      
0      0                                *:smtps                             *:*      
0      0                                *:xfer                              *:*      
0      0                                *:us-cli                            *:*      
0      0                         10.1.0.1:domain                            *:*      
0      0                                *:munin                             *:*      
0      0                   68.197.153.147:domain                            *:*      
0      0                   68.197.153.148:domain                            *:*      
0      0                        127.0.0.1:domain                            *:*      
0      0                                *:ssh                               *:*      
0      0                                *:ddi-tcp-1                         *:*      
0      0                                *:smtp                              *:*      
0      0                                *:ddi-tcp-2                         *:*      
0      0                        127.0.0.1:rndc                              *:*      
0      0                                *:https                             *:*      
0      0                                *:trellisagt                        *:*      
0      0                                *:trellissvr                        *:*      
0      0                               :::imaps                             :::*      
0      0                               :::pop3s                             :::*      
0      0                               :::submission                        :::*      
0      0                               :::pop3                              :::*      
0      0                               :::imap                              :::*      
0      0                               :::smtps                             :::*      
0      0                               :::us-cli                            :::*      
0      0                               :::ftp                               :::*      
0      0                               :::ssh                               :::*      
0      0                               :::smtp                              :::*

 

Command arguments for ss

The general format of arguments to ss are:
ss [ OPTIONS ] [ STATE-FILTER ] [ ADDRESS-FILTER ]
using common unix flag conventions.

-h – show help page
-? – the same, of course
-v, -V – print version of ss and exit
-s – print summary statistics. This option does not parse socket lists obtaining summary from various sources. It is useful when amount of sockets is so huge that parsing /proc/net/tcp is painful.
-D FILE – do not display anything, just dump raw information about TCP sockets to FILE after applying filters. If FILE is – stdout is used.
-F FILE – read continuation of filter from FILE. Each line of FILE is interpreted like single command line option. If FILE is – stdin is used.
-r – try to resolve numeric address/ports
-n – do not try to resolve ports
-o – show some optional information, f.e. TCP timers
-i – show some information specific to TCP (RTO, congestion window, slow start threshold etc.)
-e – show even more optional information
-m – show extended information on memory used by the socket. It is available only with tcp_diag enabled.
-p – show list of processes owning the socket
-f FAMILY – default address family used for parsing addresses. Also this option limits listing to sockets supporting given address family. Currently the following families are supported: unix, inet, inet6, link, netlink.
-4 – alias for -f inet
-6 – alias for -f inet6
-0 – alias for -f link
-A LIST-OF-TABLES – list of socket tables to dump, separated by commas. The following identifiers are understood: all, inet, tcp, udp, raw, unix, packet, netlink, unix_dgram, unix_stream, packet_raw, packet_dgram.
-x – alias for -A unix
-t – alias for -A tcp
-u – alias for -A udp
-w – alias for -A raw
-a – show sockets of all the states. By default sockets in states LISTEN, TIME-WAIT, SYN_RECV and CLOSE are skipped.
-l – show only sockets in state LISTEN
 

STATE-FILTER allows ss to construct arbitrary set of states to match entries. Its syntax is sequence of keywords state and exclude followed by identifier of state. Available identifiers are:

All standard TCP states: established, syn-sent, syn-recv, fin-wait-1, fin-wait-2, time-wait, closed, close-wait, last-ack, listen and closing.
* – all – for all the states
* – connected – all the states except for listen and closed
* – synchronized – all the connected states except for syn-sent
* – bucket – states, which are maintained as minisockets, i.e. time-wait and syn-recv.
* – big – opposite to bucket
 

ADDRESS_FILTER is boolean expression with operations and, or and not, which can be abbreviated in C style f.e. as &, &&.
Predicates check socket addresses, both local and remote. There are the following kinds of predicates:

* – dst ADDRESS_PATTERN – matches remote address and port
* – src ADDRESS_PATTERN – matches local address and port
* – dport RELOP PORT – compares remote port to a number
* – sport RELOP PORT – compares local port to a number
* – autobound – checks that socket is bound to an ephemeral port
* – RELOP is one of <=, >=, == etc. To make this more convenient for use in a unix shell, alphabetic FORTRAN-like notations le, gt etc. are accepted as well.
 
The format and semantics of ADDRESS_PATTERN depends on address family.

* – inet – ADDRESS_PATTERN consists of IP prefix, optionally followed by colon and port. If prefix or port part is absent or replaced with *, this means wildcard match.
* – inet6 – The same as inet, only the prefix refers to an IPv6 address. Unlike inet, the colon becomes ambiguous, so ss allows a scheme like the one used in URLs, where the address is surrounded with [ ... ].
* – unix – ADDRESS_PATTERN is shell-style wildcard.
* – packet – format looks like inet, only interface index stays instead of port and link layer protocol id instead of address.
* – netlink – format looks like inet, only socket pid stays instead of port and netlink channel instead of address.
* – PORT is syntactically ADDRESS_PATTERN with wildcard address part. Certainly, it is undefined for UNIX sockets.
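The state and address filters make ss a good first stop when a host is slow or a service is being hammered: ask for established sockets only and count them per remote address. The function below is an added example, not from the original post. It reads output in the shape of ss -tn state established, strips the port from the peer column, and prints the peers holding at least a threshold number of connections, busiest first. The connection table in the block is constructed for the example and uses documentation addresses.

```shell
#!/bin/sh
# Added example, not part of the original post. Counts established TCP
# connections per remote address from `ss -tn state established` output and
# prints those at or above a threshold, busiest first: a quick check for one
# source holding many connections (connection flood, runaway client).
top_peers() {
    threshold="${1:-10}"
    awk -v min="$threshold" '
        NR > 1 {                       # skip the header line
            peer = $4
            sub(/:[0-9]+$/, "", peer)  # strip the port, keep [v6] or v4 host
            count[peer]++
        }
        END { for (p in count) if (count[p] >= min) print count[p], p }' |
    sort -rn
}

# Constructed sample in the shape of `ss -tn state established`; with a state
# filter given, ss omits the Netid and State columns.
SAMPLE_SS='Recv-Q Send-Q Local Address:Port                 Peer Address:Port
0      0      203.0.113.10:443                  198.51.100.7:51822
0      0      203.0.113.10:443                  203.0.113.55:40001
0      0      203.0.113.10:443                  203.0.113.55:40002
0      0      203.0.113.10:443                  203.0.113.55:40003
0      0      203.0.113.10:22                   198.51.100.9:60110
0      0      [2001:db8::a]:443                 [2001:db8::7]:50222
0      0      [2001:db8::a]:443                 [2001:db8::7]:50223'

# Live use:  ss -tn state established | top_peers 50
printf '%s\n' "$SAMPLE_SS" | top_peers 2
```

With a threshold of 2 the sample yields 203.0.113.55 with three connections and [2001:db8::7] with two; the single-connection peers are not reported. On a live host the address filter can narrow the count further, for example ss -tn state established '( sport = :443 )' to look at one service only.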
 


 
11. route – The route command shows or manipulates the kernel IP routing table. It belongs to net-tools, which current distributions deprecate in favour of ip route from iproute2, but its output format is still the one most people recognise.
By default the route command will show the details of the kernel routing table entries.

[root@host] ~ >> route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
68.197.153.147  *               255.255.255.255 UH    0      0        0 eth0
10.2.0.2        *               255.255.255.255 UH    0      0        0 tun0
10.2.0.0        10.2.0.2        255.255.255.0   UG    0      0        0 tun0
68.197.153.0    *               255.255.252.0   U     0      0        0 eth0
168.254.0.0     *               255.255.0.0     U     0      0        0 eth0
default         10.2.0.1        0.0.0.0         UG    0      0        0 eth0

 

To add a default gateway, we specify that packets not destined for a directly connected network are to be forwarded to a specific gateway address.
The following ‘route add’ command (which requires root) will set the default gateway as 192.168.1.1.

# route add default gw 192.168.1.1

 

Now the route command will display the following entries.

$ route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     *               255.255.255.0   U     0      0        0 eth0
default         myserver.com    0.0.0.0         UG    0      0        0 eth0

Lots more info regarding the route command can be found in its man page (man route).

 


 

I hope you find this info useful… :)
