Linux Networking Tools
Summary
Tools that can help validate OSI Model layers 1-4
Tools
Some of these utilities (net-tools) are being replaced by newer utilities (iproute2) so we will cover both the old and new way to do things.
IFCONFIG and IP ADDR
Interface info:
- OSI Layer 1 - Physical
- Transmit (TX) and Receive (RX) Errors
- Physical State
- Interface Type
- OSI Layer 2 - Data-Link
- Media Access Control (MAC) Address
- Maximum Transmission Unit (MTU)
- OSI Layer 3 - Network
- Internet Protocol (IP) Address
- Subnet Mask
sudo ifconfig -a
enp0s25: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 inet 192.168.1.254 netmask 255.255.255.0 broadcast 192.168.1.255 inet6 fe80::8a51:fbff:fefe:c082 prefixlen 64 scopeid 0x20<link> ether 88:51:fb:fe:c0:82 txqueuelen 1000 (Ethernet) RX packets 1108286 bytes 888656474 (888.6 MB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 889259 bytes 190952692 (190.9 MB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 device interrupt 20 memory 0xd0700000-d0720000 lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536 inet 127.0.0.1 netmask 255.0.0.0 inet6 ::1 prefixlen 128 scopeid 0x10<host> loop txqueuelen 1000 (Local Loopback) RX packets 604617 bytes 2055662316 (2.0 GB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 604617 bytes 2055662316 (2.0 GB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 wlo1: flags=4098<BROADCAST,MULTICAST> mtu 1500 ether c8:f7:33:5d:06:9c txqueuelen 1000 (Ethernet) RX packets 0 bytes 0 (0.0 B) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 0 bytes 0 (0.0 B) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
sudo ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: enp0s25: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000 link/ether 88:51:fb:fe:c0:82 brd ff:ff:ff:ff:ff:ff inet 192.168.1.254/24 brd 192.168.1.255 scope global noprefixroute enp0s25 valid_lft forever preferred_lft forever inet6 fe80::8a51:fbff:fefe:c082/64 scope link valid_lft forever preferred_lft forever 3: wlo1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000 link/ether c8:f7:33:5d:06:9c brd ff:ff:ff:ff:ff:ff
NETSTAT and SS
Sockets and connections states
common args:
- -t TCP
- -u UDP
- -a All
- -n Numbers only
- -p Process ID
sudo netstat -tuanp |grep ":22\|PID"
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1205/sshd tcp 0 0 192.168.1.254:22 192.168.1.15:58200 ESTABLISHED 3186/sshd: tyrel [p tcp 0 0 192.168.1.254:22 192.168.1.15:58196 ESTABLISHED 2502/sshd: tyrel [p tcp 0 0 192.168.1.254:22 192.168.1.15:58198 ESTABLISHED 2504/sshd: tyrel [p tcp6 0 0 :::22 :::* LISTEN 1205/sshd
sudo ss -tuanp |grep ":22\|State"
NetidState Recv-Q Send-Q Local Address:Port Peer Address:Port tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=1205,fd=3)) tcp ESTAB 0 0 192.168.1.254:22 192.168.1.15:58200 users:(("sshd",pid=3263,fd=3),("sshd",pid=3186,fd=3)) tcp ESTAB 0 0 192.168.1.254:22 192.168.1.15:58196 users:(("sshd",pid=2698,fd=3),("sshd",pid=2502,fd=3)) tcp ESTAB 0 0 192.168.1.254:22 192.168.1.15:58198 users:(("sshd",pid=2628,fd=3),("sshd",pid=2504,fd=3)) tcp LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=1205,fd=4))
Other utilities that we have not changed:
- ping
- Layer 3 verification
- ICMP Connectivity check
- Round Trip Response Time (RTT)
- Packet Loss Detection
- traceroute
- Trace the Path of the ICMP Traffic
- mtr
- Combination of Ping and Traceroute
- Modern enhancements
- nslookup
- DNS lookup Utility
- dig
- Advanced DNS lookup utility
- tcpdump
- Packet Capture Utility
- iperf
- Performance Testing
- telnet
- Layer 4 validation (TCP)
NETSTAT and ROUTE
- common args:
- -r Routing Table
- -n Numbers Only
sudo netstat -rn
Kernel IP routing table Destination Gateway Genmask Flags MSS Window irtt Iface 0.0.0.0 192.168.1.1 0.0.0.0 UG 0 0 0 enp0s25 169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 enp0s25 192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 enp0s25
sudo ip route
default via 192.168.1.1 dev enp0s25 proto static metric 100 169.254.0.0/16 dev enp0s25 scope link metric 1000 192.168.1.0/24 dev enp0s25 proto kernel scope link src 192.168.1.254 metric 100
Show a specific route
ip route get 8.8.8.8
8.8.8.8 via 192.168.9.1 dev enp0s25 src 192.168.9.16 uid 1000
ARP and IP NEIGH
Layer 2 to Layer 3 Mappings
common args:
- -a All
- -n Numbers Only
sudo arp -an
? (192.168.1.5) at <incomplete> on enp0s25 ? (192.168.1.1) at 9c:3d:cf:c5:d5:2c [ether] on enp0s25 ? (192.168.1.15) at 00:13:ef:70:15:8c [ether] on enp0s25 ? (192.168.1.6) at 44:07:0b:2e:f6:f4 [ether] on enp0s25 ? (192.168.1.49) at <incomplete> on enp0s25
sudo ip neigh
192.168.1.5 dev enp0s25 FAILED 192.168.1.1 dev enp0s25 lladdr 9c:3d:cf:c5:d5:2c REACHABLE 192.168.1.15 dev enp0s25 lladdr 00:13:ef:70:15:8c REACHABLE 192.168.1.6 dev enp0s25 lladdr 44:07:0b:2e:f6:f4 REACHABLE 192.168.1.49 dev enp0s25 FAILED
PING
- common args:
- -c Count
- -s Packet size
- default is 56, which translates into 64 ICMP data bytes when combined with the 8 bytes of ICMP header data
- typical MTU is 1500
- useful to determine MTU across network
- -n Numbers Only
- -W timeout in seconds
- -I outbound interface
ping google.com -c 3 -s 1473 -n -W 1
PING google.com (172.217.0.174) 1473(1501) bytes of data. --- google.com ping statistics --- 3 packets transmitted, 0 received, 100% packet loss, time 2043ms
ping google.com -c 3 -s 1472 -n -W 1
PING google.com (172.217.0.174) 1472(1500) bytes of data. 76 bytes from 172.217.0.174: icmp_seq=1 ttl=53 (truncated) 76 bytes from 172.217.0.174: icmp_seq=2 ttl=53 (truncated) 76 bytes from 172.217.0.174: icmp_seq=3 ttl=53 (truncated) --- google.com ping statistics --- 3 packets transmitted, 3 received, 0% packet loss, time 2002ms rtt min/avg/max/mdev = 10.910/19.756/30.941/8.343 ms
TRACEROUTE
- common args:
- -M ICMP or UDP
- UDP port 33434 is default
- -q tries
- probes per hop
- -n Numbers Only
- -w timeout in seconds
- --resolve-hostnames
- -M ICMP or UDP
traceroute google.com -w 1
traceroute to google.com (216.58.192.46), 64 hops max 1 192.168.1.1 0.515ms 0.312ms 0.605ms 2 96.120.97.181 17.827ms 26.905ms 14.306ms 3 68.86.163.153 20.063ms 9.570ms 21.687ms 4 96.110.4.201 28.611ms 26.544ms 9.623ms 5 96.110.4.229 26.851ms 23.903ms 10.778ms 6 68.86.90.205 27.687ms 17.409ms 26.102ms 7 68.86.82.154 15.878ms 34.985ms 25.856ms 8 23.30.206.118 16.535ms 39.122ms 23.382ms 9 108.170.249.1 19.963ms 24.235ms 37.085ms 10 66.249.94.125 15.735ms 22.458ms 21.527ms 11 216.58.192.46 15.531ms 23.990ms 11.040ms
MTR (MyTraceRoute)
- common args:
- -i interval seconds
- -s packet size
- -n Numbers Only
- -Q TOS identifier
- --resolve-hostnames
- -u UDP
- -T TCP - packetsize is ignored
- -P Port
- -Z timeout seconds
- -r report
mtr google.com -rn
Start: 2020-05-11T13:41:22-0400 HOST: X-Magic Loss% Snt Last Avg Best Wrst StDev 1.|-- 192.168.1.1 0.0% 10 0.6 0.4 0.3 0.6 0.1 2.|-- 96.120.97.181 0.0% 10 34.7 20.6 12.1 37.3 8.6 3.|-- 68.86.163.153 0.0% 10 30.9 21.1 10.2 32.2 7.2 4.|-- 96.110.4.201 0.0% 10 10.0 20.1 10.0 32.6 6.1 5.|-- 96.110.4.229 0.0% 10 16.8 23.6 9.7 42.4 11.5 6.|-- 68.86.90.205 0.0% 10 12.2 20.3 11.7 34.5 7.5 7.|-- 96.110.33.162 0.0% 10 25.2 24.4 15.0 36.6 6.2 8.|-- 66.208.216.122 0.0% 10 12.1 18.3 10.1 36.4 9.7 9.|-- 216.239.59.67 0.0% 10 19.7 22.6 13.2 33.1 6.0 10.|-- 142.250.58.103 0.0% 10 27.9 24.5 11.5 37.2 9.9 11.|-- 172.217.3.78 0.0% 10 16.8 22.2 13.1 34.4 6.9
NSLOOKUP
nslookup - query name servers
nslookup [-option] [name | -] [server]
- common args:
- -type= set the record type (A/MX/SRV/NS)
nslookup google.com
Server: 127.0.0.53 Address: 127.0.0.53#53 Non-authoritative answer: Name: google.com Address: 142.250.64.174 Name: google.com Address: 2607:f8b0:4008:811::200e
nslookup google.com ns.google.com
Server: ns.google.com Address: 216.239.32.10#53 Name: google.com Address: 172.217.3.142 Name: google.com Address: 2607:f8b0:4008:812::200e
DIG
DNS lookup utility
dig [@server] [name] [type]
- common args:
- +short - reduce output
dig @ns1 google.com A +short
172.217.2.206
dig @ns1 google.com TXT +short
"globalsign-smime-dv=CDYX+XFHUw2wml6/Gb8+59BsH31KzUr6c1l2BPvqKX8=" "docusign=05958488-4752-4ef2-95eb-aa7ba8a3bd0e" "v=spf1 include:_spf.google.com ~all" "facebook-domain-verification=22rm551cu4k0ab0bxsw536tlds4h95" "docusign=1b0a6754-49b1-4db5-8540-d2c12664b289"
dig @ns1 google.com MX +short
10 aspmx.l.google.com. 50 alt4.aspmx.l.google.com. 20 alt1.aspmx.l.google.com. 40 alt3.aspmx.l.google.com. 30 alt2.aspmx.l.google.com.
TCPDUMP
Packet Capture Utility - Usefull in troubleshooting and frequently used in conjunction with graphical tools like wireshark.
- common args:
- -n numbers only
- -c count
- -C file_size
- -G rotation seconds
- -i interface
- -w write to file
- -r read from file
- -W filecount
- -B buffersize
- -I monitor-mode
- sniff only
- -s snaplength
- size of header + payload to capture
- default of 262144 bytes
- expresion
- ip and not net localnet
- tcp port 80
- tcp[tcpflags] & (tcp-syn|tcp-fin|tcp-rst) != 0
- connection start, finish, and reject
sudo tcpdump -n -c 10
14:41:39.746084 IP 207.38.67.49.13762 > 192.168.1.254.58456: UDP, length 182 14:41:39.746790 IP 192.168.1.254.58456 > 207.38.67.49.13762: UDP, length 182 14:41:39.765876 IP 207.38.67.49.13762 > 192.168.1.254.58456: UDP, length 182 14:41:39.767189 IP 192.168.1.254.58456 > 207.38.67.49.13762: UDP, length 182 14:41:39.785935 IP 207.38.67.49.13762 > 192.168.1.254.58456: UDP, length 182 14:41:39.792733 IP 192.168.1.254.58456 > 207.38.67.49.13762: UDP, length 182 14:41:39.803083 IP 192.168.1.254.58456 > 207.38.67.49.13762: UDP, length 182 14:41:39.806099 IP 207.38.67.49.13762 > 192.168.1.254.58456: UDP, length 182 14:41:39.822281 IP 207.38.67.49.13762 > 192.168.1.254.58456: UDP, length 182 14:41:39.828628 IP 192.168.1.254.58456 > 207.38.67.49.13762: UDP, length 182
sudo tcpdump -n -c 5 ip host google.com
14:42:53.259553 IP 192.168.1.254 > 142.250.64.238: ICMP echo request, id 11737, seq 1, length 64 14:42:53.288602 IP 142.250.64.238 > 192.168.1.254: ICMP echo reply, id 11737, seq 1, length 64 14:42:54.260802 IP 192.168.1.254 > 142.250.64.238: ICMP echo request, id 11737, seq 2, length 64 14:42:54.292087 IP 142.250.64.238 > 192.168.1.254: ICMP echo reply, id 11737, seq 2, length 64 14:42:55.262199 IP 192.168.1.254 > 142.250.64.238: ICMP echo request, id 11737, seq 3, length 64
sudo tcpdump -n -c 10 \'tcp[tcpflags] & (tcp-syn|tcp-fin|tcp-rst) != 0\'
15:02:51.003976 IP 207.38.67.49.443 > 192.168.1.254.34830: Flags [F.], seq 1611937874, ack 25405996, win 235, options [nop,nop,TS val 1221630784 ecr 4246875228], length 0 15:02:51.408012 IP 192.168.1.254.34830 > 207.38.67.49.443: Flags [F.], seq 1, ack 1, win 501, options [nop,nop,TS val 4246885723 ecr 1221630784], length 0 15:02:51.747385 IP 192.168.1.254.39170 > 172.217.8.68.80: Flags [S], seq 3292379840, win 64240, options [mss 1460,sackOK,TS val 957197550 ecr 0,nop,wscale 7], length 0 15:02:51.770281 IP 172.217.8.68.80 > 192.168.1.254.39170: Flags [S.], seq 2220584897, ack 3292379841, win 60192, options [mss 1380,sackOK,TS val 2418915765 ecr 957197550,nop,wscale 8], length 0 15:02:52.157654 IP 172.217.8.68.80 > 192.168.1.254.39170: Flags [F.], seq 399, ack 9351, win 315, options [nop,nop,TS val 2418916145 ecr 957197616], length 0 15:02:52.157761 IP 192.168.1.254.39170 > 172.217.8.68.80: Flags [F.], seq 9351, ack 400, win 501, options [nop,nop,TS val 957197960 ecr 2418916145], length 0 15:02:59.202767 IP 192.168.1.254.39172 > 172.217.8.68.80: Flags [S], seq 682881753, win 64240, options [mss 1460,sackOK,TS val 957205005 ecr 0,nop,wscale 7], length 0 15:02:59.221657 IP 172.217.8.68.80 > 192.168.1.254.39172: Flags [S.], seq 2174924977, ack 682881754, win 60192, options [mss 1380,sackOK,TS val 2310220241 ecr 957205005,nop,wscale 8], length 0 15:02:59.699020 IP 172.217.8.68.80 > 192.168.1.254.39172: Flags [F.], seq 399, ack 9351, win 315, options [nop,nop,TS val 2310220718 ecr 957205074], length 0 15:02:59.699288 IP 192.168.1.254.39172 > 172.217.8.68.80: Flags [F.], seq 9351, ack 400, win 501, options [nop,nop,TS val 957205502 ecr 2310220718], length 0
IPERF
Load/Stress/Throughput Testing and Perfomance Verification
server args:
- -s server
- -p port
- default 5001
- -u udp
- tcp by default
- -w tcp window
- -B bind to interface
- listen address
- -D daemon
iperf --server
------------------------------------------------------------ Server listening on TCP port 5001 TCP window size: 128 KByte (default) ------------------------------------------------------------ [ 4] local 127.0.0.1 port 5001 connected with 127.0.0.1 port 45768 [ ID] Interval Transfer Bandwidth [ 4] 0.0-10.0 sec 46.6 GBytes 40.0 Gbits/sec
client args:
- -c client
- -p port
- -u udp
- tcp by default
- -w tcp window
- -B bind to interface
- source to send traffic from
- -b bandwdith n[kmgKMG]
- -t time in seconds to test
- -n n[kmKM] number of bytes to transmit
- -P number of parallel client threads to run
iperf --client -t 10 localhost --interval 1
------------------------------------------------------------ Client connecting to localhost, TCP port 5001 TCP window size: 2.50 MByte (default) ------------------------------------------------------------ [ 3] local 127.0.0.1 port 45768 connected with 127.0.0.1 port 5001 [ ID] Interval Transfer Bandwidth [ 3] 0.0- 1.0 sec 4.90 GBytes 42.1 Gbits/sec [ 3] 1.0- 2.0 sec 4.90 GBytes 42.1 Gbits/sec [ 3] 2.0- 3.0 sec 4.23 GBytes 36.4 Gbits/sec [ 3] 3.0- 4.0 sec 4.95 GBytes 42.5 Gbits/sec [ 3] 4.0- 5.0 sec 5.19 GBytes 44.6 Gbits/sec [ 3] 5.0- 6.0 sec 5.04 GBytes 43.3 Gbits/sec [ 3] 6.0- 7.0 sec 4.65 GBytes 39.9 Gbits/sec [ 3] 7.0- 8.0 sec 4.28 GBytes 36.7 Gbits/sec [ 3] 8.0- 9.0 sec 4.66 GBytes 40.0 Gbits/sec [ 3] 9.0-10.0 sec 3.81 GBytes 32.7 Gbits/sec [ 3] 0.0-10.0 sec 46.6 GBytes 40.0 Gbits/sec