Show the ethernet status
ethtool eth0
Force 100Mbit Full duplex
ethtool -s eth0 speed 100 duplex full
Disable auto negotiation
ethtool -s eth0 autoneg off
Blink the ethernet led
ethtool -p eth0
Display all interfaces (similar to ifconfig)
ip link show
Bring device up (or down). Same as “ifconfig eth0 up”
ip link set eth0 up
Display all IP addresses (similar to ifconfig)
ip addr show
Similar to arp -a
ip neigh show
Ping on ethernet layer
arping 192.168.16.254
Uses TCP instead of ICMP to trace through firewalls (install via sudo apt-get install tcptraceroute)
tcptraceroute -f 5 cb.vu
The netstat command is very versatile and can provide a limited report when used with the -i switch. This is useful for systems where mii-tool or ethtool are not available.
netstat -i
#results
Kernel Interface table
Iface MTU Met RX-OK RX-ERR RX-DRP RX-OVR TX-OK TX-ERR TX-DRP TX-OVR Flg
lo 16436 0 451490 0 0 0 451490 0 0 0 LRU
venet0 1500 0 154868 0 0 0 127296 0 0 0 BOPRU
venet0:0 1500 0 - no statistics available - BOPRU
venet0:1 1500 0 - no statistics available - BOPRU
venet0:2 1500 0 - no statistics available - BOPRU
venet0:3 1500 0 - no statistics available - BOPRU
An easy way to tell if a remote server is listening on a specific TCP port is to use the telnet command. By default, telnet will try to connect on TCP port 23, but you can specify other TCP ports by typing them in after the target IP address. HTTP uses TCP port 80, HTTPS uses port 443.
Here is an example of testing server 192.168.1.102 on the TCP port 22 reserved for SSH:
telnet 192.168.1.102 22
Trying 192.168.1.102...
Connected to 192.168.1.102.
Escape character is '^]'.
curl:
The curl utility acts like a text based Web browser in which you can select to see either the header or complete body of a Web page’s HTML code displayed on your screen.
A good start is to use the curl command with the -I flag to view just the Web page’s header and HTTP status code. By not using the -I command you will see all the Web page’s HTML code displayed on the screen. Either method can provide a good idea of your server’s performance.
curl -I www.linuxhomenetworking.com
HTTP/1.1 200 OK
Date: Tue, 19 Oct 2004 05:11:22 GMT
Server: Apache/2.0.51 (Fedora)
Accept-Ranges: bytes
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=UTF-8
wget:
You can use wget to recursively download a Web site’s Web pages, including the entire directory structure of the Web site, to a local directory.
By not using recursion, and activating the timestamping feature (the -N switch), you view not only the HTML content of the Web site’s index page in your local directory, but also the download speed, file size and precise start and stop times for the download. This can be very helpful in providing a simple way to obtain snapshots of your server’s performance.
wget -N www.linuxhomenetworking.com
--23:07:22-- http://www.linuxhomenetworking.com/
=> `index.html'
Resolving www.linuxhomenetworking.com... done.
Connecting to www.linuxhomenetworking.com[65.115.71.34]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Last-modified header missing -- time-stamps turned off.
--23:07:22-- http://www.linuxhomenetworking.com/
=> `index.html'
Connecting to www.linuxhomenetworking.com[65.115.71.34]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
[ < => ] 122,150 279.36K/s
23:07:22 (279.36 KB/s) - `index.html' saved [122150]
nmap:
You can use nmap to determine all the TCP/IP ports on which a remote server is listening. It isn’t usually an important tool in the home environment, but it can be used in a corporate environment to detect vulnerabilities in your network, such as servers running unauthorized network applications. It is a favorite tool of malicious surfers and therefore should be used to test external as well as internal servers under your control.
Whenever you are in doubt, you can get a list of available nmap options by just entering the command without arguments at the command prompt.
-P0 Nmap first attempts to ping a host before scanning it. If the server is being protected from ping queries, then you can use this option to force it to scan anyway.
-T Defines the timing between the packets sent during a port scan. Some firewalls can detect the arrival of too many non-standard packets within a predetermined time frame. This option can be used to send them from 60 seconds apart with a value of “5”, also known as insane mode, to 0.3 seconds with a value of “0” in paranoid mode.
-O This will try to detect the operating system of the remote server based on known responses to various types of packets.
-p Lists the TCP/IP port range to scan.
-s Defines a variety of scan methods that use either packets that comply with the TCP/IP standard or are in violation of it.
nmap -sT -T 5 -p 1-5000 192.168.1.153
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on whoknows.my-site-int.com (192.168.1.153):
(The 4981 ports scanned but not shown below are in state: closed)
Port State Service
21/tcp open ftp
25/tcp open smtp
139/tcp open netbios-ssn
199/tcp open smux
2105/tcp open eklogin
2301/tcp open compaqdiag
3300/tcp open unknown
Nmap run completed -- 1 IP address (1 host up) scanned in 8 seconds
netcat:
Most Linux distributions contain the netcat or nc packages which can be used to create a TCP socket over which you can transfer data. The syntax can also vary between distributions so you should refer to your system’s man pages if you have any questions.
The netcat server can be easily created with the -l switch that signifies the program should listen, and not talk. The desired TCP port then follows. In this case the server is listening on TCP port 7777.
[root@smallfry tmp]# nc -l 7777
The netcat client only needs to specify the server’s IP address followed by the server’s TCP listener port.
[root@bigboy ~]# nc 192.168.2.50 7777
Any text typed to the console screen of the client;
[root@bigboy ~]# nc 192.168.2.50 7777
This is a test of the NetCat program!
[root@bigboy ~]#
will also be visible on the server’s console.
[root@smallfry tmp]# nc -l 7777
This is a test of the NetCat program!
[root@smallfry tmp]#
If you want to transfer a file, you only need to use some simple command line redirection. In this case, the server will output all data it receives on port 7777 to a file called FC-6-i386-disc1.iso, and the client pipes the output of the cat command to the netcat client that points to our server.
[root@smallfry tmp]# nc -l 7777 > FC-6-i386-disc1.iso
[root@bigboy ~]# cat /tmp/FC-6-i386-disc1.iso | nc 192.168.2.50 7777
All Linux systems have a black hole file named /dev/null which automatically discards any data written to it. If you want to test file transfers without filling your disk storage, or having the server’s disk I/O be a bottleneck, then use this as your output file instead.
[root@smallfry tmp]# nc -l 7777 > /dev/null
All Linux systems also have a continuous random data source located at /dev/random. Instead of using a file in your tests, you can use this for a data stream of infinite duration.
[root@bigboy ~]# cat /dev/random | nc 192.168.2.50 7777
Listening on open ports:
netstat -an | grep LISTEN
lists all Internet connections
lsof -i
displays list of open sockets (use apt-get install procinfo)
socklist
netstat can display the same list as the socklist command
netstat -anp --udp --tcp | grep LISTEN
List active connections to/from system
netstat -tup
List listening ports from system
netstat -tupl
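An added example (not part of the original page) that turns the listings above into a check: it reads `netstat -tupln` output and reports listeners bound to a non-loopback address that are not on an allowlist. The allowlist and the sample output are constructed for illustration; -n is added to the page's switches so that ports print as numbers.

```sh
#!/bin/sh
# Added example: report listeners that are reachable from the network and
# not on an allowlist. Feed it the output of `netstat -tupln` (as root, so
# the PID/Program column is filled in).

# Hypothetical allowlist of proto/port pairs expected on this host.
ALLOWED="tcp/22 tcp/80 udp/68"

# audit_listeners: reads netstat output on stdin and prints
# "proto/port address program" for each unexpected non-loopback listener.
audit_listeners() {
    awk -v allowed="$ALLOWED" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 ~ /^(tcp|udp)6?$/ {
            if ($1 ~ /^tcp/ && $6 != "LISTEN") next     # ignore established TCP rows
            proto = $1; sub(/6$/, "", proto)            # tcp6 becomes tcp
            addr = $4; port = $4
            sub(/:[^:]*$/, "", addr)                    # drop the trailing ":port"
            sub(/^.*:/, "", port)                       # keep what follows the last colon
            if (addr ~ /^127\./ || addr == "::1") next  # loopback is not exposed
            key = proto "/" port
            if (!(key in ok)) print key, addr, $NF
        }'
}

# Constructed sample output, not captured from a real host.
SAMPLE='Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp   0 0 0.0.0.0:22        0.0.0.0:* LISTEN 812/sshd
tcp   0 0 127.0.0.1:3306    0.0.0.0:* LISTEN 1033/mysqld
tcp   0 0 0.0.0.0:7777      0.0.0.0:* LISTEN 4410/nc
tcp6  0 0 :::80             :::*      LISTEN 950/apache2
udp   0 0 0.0.0.0:68        0.0.0.0:*        701/dhclient
udp   0 0 192.168.16.44:161 0.0.0.0:*        640/snmpd'

printf '%s\n' "$SAMPLE" | audit_listeners
```

On a live host, replace the sample with: netstat -tupln | audit_listeners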
For status
iptables -L -n -v
Open everything
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
Zero the packet and byte counters in all chains
iptables -Z
Flush all chains
iptables -F
Delete all chains
iptables -X
IP Forward for routing
Check and then enable IP forward with:
Check IP forward 0=off, 1=on
nano -w /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/ip_forward
or edit /etc/sysctl.conf with:
net.ipv4.ip_forward = 1
NAT Network Address Translation
to activate NAT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
Port forward 20022 to internal IP port ssh
iptables -t nat -A PREROUTING -p tcp -d 78.31.70.238 --dport 20022 -j DNAT --to 192.168.16.44:22
Port forward of range 993-995
iptables -t nat -A PREROUTING -p tcp -d 78.31.70.238 --dport 993:995 -j DNAT --to 192.168.16.254:993-995
ip route flush cache
Check NAT status
iptables -L -t nat
NOTE: You can delete a port forward with -D instead of -A.
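An added example (not part of the original page) for the firewall and NAT commands above: it reads the text printed by `iptables -S` and `iptables -t nat -S` and reports the filter chains left at policy ACCEPT and every DNAT port forward. The embedded listings are constructed from the rules shown above, not captured from a real host.

```sh
#!/bin/sh
# Added example: audit rule listings for the "open everything" state and
# for port forwards that expose internal hosts.

# open_policies: reads `iptables -S` output on stdin and prints the
# INPUT/FORWARD chains whose default policy is ACCEPT.
open_policies() {
    awk '$1 == "-P" && ($2 == "INPUT" || $2 == "FORWARD") && $3 == "ACCEPT" { print $2 }'
}

# list_forwards: reads `iptables -t nat -S` output on stdin and prints
# "proto dst dport <port> -> <internal target>" for every DNAT rule.
list_forwards() {
    awk '$1 == "-A" {
        proto = "any"; dst = "any"; dport = "any"; jump = ""; to = ""
        for (i = 3; i < NF; i++) {
            if ($i == "-p")               proto = $(i + 1)
            if ($i == "-d")               dst   = $(i + 1)
            if ($i == "--dport")          dport = $(i + 1)
            if ($i == "-j")               jump  = $(i + 1)
            if ($i == "--to-destination") to    = $(i + 1)
        }
        if (jump == "DNAT") print proto, dst, "dport", dport, "->", to
    }'
}

# Constructed listings; the addresses are the ones used in the commands above.
FILTER='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT'
NAT='-P PREROUTING ACCEPT
-P POSTROUTING ACCEPT
-A PREROUTING -d 78.31.70.238/32 -p tcp -m tcp --dport 20022 -j DNAT --to-destination 192.168.16.44:22
-A PREROUTING -d 78.31.70.238/32 -p tcp -m tcp --dport 993:995 -j DNAT --to-destination 192.168.16.254:993-995
-A POSTROUTING -o eth0 -j MASQUERADE'

echo "Chains that accept by default:"
printf '%s\n' "$FILTER" | open_policies
echo "Ports forwarded to internal hosts:"
printf '%s\n' "$NAT" | list_forwards
```

With FORWARD at policy ACCEPT, every forward listed here reaches its internal host unfiltered, so each line of the second report should correspond to a service that is meant to be public.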
DNS
On *nix the DNS entries are valid for all interfaces and are stored in /etc/resolv.conf.
The domain to which the host belongs is also stored in this file. A minimal configuration is:
nameserver 78.31.70.238
search mydomain.net intern.lab
domain mydomain.net
Check the system domain name with:
Same as dnsdomainname
hostname -d
Forward queries
Dig is used to test the DNS settings.
See from which server the client receives the answer (simplified answer).
In this example, we use google.com
dig google.com
google.com. 267 IN A 64.233.187.99
;; SERVER: 192.168.1.254#53(192.168.1.254)
The router 192.168.1.254 answered and the response is the A entry.
Any entry can be queried and the DNS server can be selected with @:
To test the local server
dig @127.0.0.1 NS sun.com
Query an external server
dig @204.97.212.10 NS MX heise.de
Get the full zone (zone transfer)
dig AXFR @ns1.xname.org cb.vu
The program host is also quite powerful.
Get the mail MX entry
host -t MX google.com
Get the NS record over a TCP connection
host -t NS -T google.com
Get everything
host -a google.com
Reverse queries
Find the name belonging to an IP address (in-addr.arpa.). This can be done with dig, host and nslookup:
dig -x 78.31.70.238
host 78.31.70.238
nslookup 78.31.70.238
Single hosts can be configured in the file /etc/hosts instead of running named locally
to resolve the hostname queries. The format is simple, for example:
64.233.187.99 google.com google
DHCP
The default Ubuntu DHCP client is dhclient, however, I like dhcpcd a lot better,
and that is what I will use in my examples
apt-get install dhcpcd to install it.
Trigger a renew (does not always work)
dhcpcd -n eth0
release and shutdown
dhcpcd -k eth0
The lease with the full information is stored in:
/var/lib/dhcpcd/dhcpcd-eth0.info
For dhclient:
dhclient eth0
The lease with the full information is stored in:
/var/db/dhclient.leases.eth0
Use
/etc/dhclient.conf
to prepend options or force different options:
nano -w /etc/dhclient.conf
interface "eth0" {
prepend domain-name-servers 127.0.0.1;
default domain-name "google.com";
supersede domain-name "google.com";
}
Traffic analysis
Bmon http://people.suug.ch/~tgr/bmon/ is a small console bandwidth monitor and can display the
flow on different interfaces. You can install it on Ubuntu with apt-get install bmon
Sniff with tcpdump (tcpdump comes with Ubuntu)
tcpdump -nl -i eth0 not port ssh and src \(192.168.16.121 or 192.168.16.54\)
select to/from a single IP
tcpdump -n -i eth0 net 192.168.16.121
select traffic to/from a network
tcpdump -n -i eth0 net 192.168.16.0/24
Buffered output
tcpdump -l > dump && tail -f dump
Write traffic headers in binary file
tcpdump -i eth0 -w traffic.eth0
Write traffic + payload in binary file
tcpdump -i eth0 -s 0 -w traffic.eth0
Read from file (also for ethereal)
tcpdump -r traffic.eth0
The two classic commands
tcpdump port 80
tcpdump host google.com
Check if pop or imap is secure
tcpdump -i eth0 -X port \(110 or 143\)
Only catch pings
tcpdump -n -i eth0 icmp
-s 0 for full packet -A for ASCII
tcpdump -i eth0 -s 0 -A port 80 | grep GET