Network

netstat

  • -p show pid

  • -t tcp

  • -u udp

  • -l listening

  • -i show network interface packet transactions

  • -r show kernel ip routing

  • -g show group membership information of IPv4 and IPv6

  • -a all

common usage

netstat -ie  #same output as ifconfig
netstat -lt  #show all listening tcp
netstat -r   #show routing
netstat -g   #show group membership information of IPv4 and IPv6
netstat -i   #show network interface packet transactions

[root@sf-vm-1 ~]# netstat -r
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
default         10.0.5.1        0.0.0.0         UG        0 0          0 eno16777984
10.0.5.0        0.0.0.0         255.255.255.0   U         0 0          0 eno16777984
172.17.0.0      0.0.0.0         255.255.0.0     U         0 0          0 docker0
[root@sf-vm-1 ~]# netstat -i
Kernel Interface table
Iface      MTU    RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
docker0   1500        3      0      0 0             3      0      0      0 BMU
eno16777  1500 30067952      0    978 0      21248940      0      0      0 BMRU
lo       65536     7256      0      0 0          7256      0      0      0 LRU
[root@sf-vm-1 ~]# netstat -g
IPv6/IPv4 Group Memberships
Interface       RefCnt Group
--------------- ------ ---------------------
lo              1      all-systems.mcast.net
eno1677798      1      all-systems.mcast.net
docker0         1      all-systems.mcast.net
lo              1      ff02::1
lo              1      ff01::1
eno16777984     1      ff02::1:ff46:b199
eno16777984     1      ff02::1
eno16777984     1      ff01::1
docker0         1      ff02::1:ff63:217f
docker0         1      ff02::1
docker0         1      ff01::1

ss - socket statistics

ss is almost the same as netstat, but it is faster and has some usage of its own

  • -n, --numeric don't resolve service names

  • ss -s #summary statistics

  • ss -antp src :80

  • ss -altp dst :80

  • ss -nt -o

  • ss -t4 state established (the state filter accepts any of the following)

    1. established
    2. syn-sent
    3. syn-recv
    4. fin-wait-1
    5. fin-wait-2
    6. time-wait
    7. closed
    8. close-wait
    9. last-ack
    10. closing
    11. all - All of the above states
    12. connected - All the states except for listen and closed
    13. synchronized - All the connected states except for syn-sent
    14. bucket - Show states, which are maintained as minisockets, i.e. time-wait and syn-recv.
    15. big - Opposite to bucket state.
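
An added example (not part of the original page) that turns the listening-socket listing from `netstat -lt` / `ss -ltnp` into a check: it reports listeners reachable from other hosts whose port is not on an allowlist. The function names, the allowlist and the sample `ss` output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: flag listening TCP sockets that are reachable from other
# hosts and whose port is not on an allowlist. Input is `ss -ltnp` output.

# Constructed sample of `ss -ltnp` output (not captured from a real host).
sample_ss_output() {
cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*     users:(("sshd",pid=1023,fd=3))
LISTEN 0      128        127.0.0.1:631       0.0.0.0:*     users:(("cupsd",pid=801,fd=7))
LISTEN 0      511                *:8080            *:*     users:(("java",pid=2210,fd=45))
LISTEN 0      128             [::]:22           [::]:*     users:(("sshd",pid=1023,fd=4))
LISTEN 0      128            [::1]:5432         [::]:*     users:(("postgres",pid=1500,fd=6))
LISTEN 0      4096        10.0.5.7:2375      0.0.0.0:*     users:(("dockerd",pid=990,fd=9))
EOF
}

# Usage: ss -ltnp | audit_listeners "22 443"
# Prints "port address process" for each unexpected non-loopback listener.
audit_listeners() {
    awk -v allow="$1" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 != "LISTEN" { next }                           # also skips the header
    {
        port = $4; sub(/.*:/, "", port)               # text after the last colon
        addr = $4; sub(/:[^:]*$/, "", addr)           # text before the last colon
        if (addr ~ /^127\./ || addr == "[::1]") next  # bound to loopback only
        if (port in ok) next                          # expected service
        proc = (NF >= 6) ? $6 : "-"                   # empty without -p or root
        print port, addr, proc
    }'
}

# Demo on the constructed sample; ports 22 and 443 are the assumed allowlist.
sample_ss_output | audit_listeners "22 443"
```

The process column is only filled in for sockets the calling user owns, so run `ss -ltnp` as root when auditing a live host.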

fuser

fuser 8080/tcp

fuser -k 8080/tcp

lsof

lsof -i:8080

kill -9 $(lsof -t -i:8080)

parameters

  • -t - show only process ID

  • -i - show only internet connections related process

nmap

parameters

  • nmap -sP IP ping only

  • nmap -sS 192.168.1.1 TCP SYN scan

  • nmap -sU 192.168.1.1 UDP scan

  • nmap -sO 192.168.1.1 protocol scan

  • nmap -p 1024-2048 192.168.1.1 port range scan

  • nmap -p 80,25,443,110 192.168.1.1 port scan

tcpdump

parameters

  • -X : Show the packet’s contents in both hex and ascii.

  • -XX : Same as -X, but also shows the ethernet header.

  • -D : Show the list of available interfaces

  • -l : Line-readable output (for viewing as you save, or sending to other commands)

  • -q : Be less verbose (more quiet) with your output.

  • -t : Give human-readable timestamp output.

  • -tttt : Give maximally human-readable timestamp output.

  • -i eth0 : Listen on the eth0 interface.

  • -vv : Verbose output (more v’s gives more output).

  • -c : Only get x number of packets and then stop.

  • -s : Define the snaplength (size) of the capture in bytes. Use -s0 to get everything, unless you are intentionally capturing less.

  • -S : Print absolute sequence numbers.

  • -e : Get the ethernet header as well.

  • -q : Show less protocol information.

  • -E : Decrypt IPSEC traffic by providing an encryption key.

examples:

tcpdump 'src 10.0.2.4 and (dst port 3389 or 22)'

tcpdump dst 192.168.0.2 and src net and not icmp

tcpdump net 1.2.3.0/24

tcpdump -c 1 -X icmp

tcpdump -nnvvS src 10.5.2.3 and dst port 3389

write to one PCAP file

tcpdump port 80 -w capture_file
