Network Tools

traceroute

  • Installation: yum install traceroute
  • Use ICMP ECHO for probes (default is UDP): traceroute -I google.ro
  • Do not map IP addresses to host names: traceroute -n google.ro
  • Use TCP SYN for probes: traceroute -T google.ro
  • Set the number of probe packets per hop (default is 3): traceroute -q 5 google.ro

ss

netstat reads the /proc files, while ss queries the kernel directly (via netlink), which is faster on hosts with many sockets.

  • Install the tool: yum install iproute
  • Display a list of open non-listening TCP sockets that have established connection: ss
  • Display listening TCP or UDP sockets: ss -lt or ss -ul
  • Display all TCP sockets: ss -ta
  • List all UDP sockets: ss -ua
  • Show process using TCP sockets: ss -pl
  • Do not try to resolve service names: ss -n
  • Try to resolve numeric address/ports: ss -r
  • Display all established connections: ss -t state established
  • Display all SSH connections: ss -o state established '( dport = :ssh or sport = :ssh )'
  • List sockets with destination port 80 or 443: ss -nt dst :443 or dst :80
  • List sockets by destination: ss -nt dst 46.101.41.20
  • Watch syn-sent sockets every second: watch -n 1 "ss -t state syn-sent"
  • Print summary statistics: ss -s

State options

established
syn-sent
syn-recv
fin-wait-1
fin-wait-2
time-wait
closed
close-wait
last-ack
closing
all - All of the above states
connected - All the states except for listen and closed
synchronized - All the connected states except for syn-sent
bucket - Show states, which are maintained as minisockets, i.e. time-wait and syn-recv.
big - Opposite to bucket state.
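An added example (not part of the original page) that post-processes plain `ss -tan` output with shell functions: it counts sockets per state and flags peers holding many half-open (SYN-RECV) connections. The sample output below is constructed, and IPv4 peers are assumed so the port can be split off on the last ":"; with a `state` filter ss drops the State column, so feed it the unfiltered listing.

```shell
# Constructed sample of `ss -tan` output (not captured from a real host).
SAMPLE_SS='State      Recv-Q Send-Q Local Address:Port    Peer Address:Port
LISTEN     0      128    *:22                  *:*
ESTAB      0      0      192.168.100.11:22     192.168.100.9:51234
ESTAB      0      52     192.168.100.11:22     192.168.100.9:51240
ESTAB      0      0      192.168.100.11:80     10.0.0.5:40001
SYN-RECV   0      0      192.168.100.11:80     10.0.0.7:40002
SYN-RECV   0      0      192.168.100.11:80     10.0.0.7:40003
SYN-RECV   0      0      192.168.100.11:80     10.0.0.7:40004
TIME-WAIT  0      0      192.168.100.11:443    10.0.0.5:40010'

# Count sockets per state; reads `ss -tan` output on stdin and skips the header.
count_by_state() {
    awk 'NR > 1 { n[$1]++ } END { for (s in n) print s, n[s] }' | sort
}

# Count sockets per peer IP for one state (e.g. SYN-RECV), busiest peer first.
# The port is stripped from the Peer column, so IPv4 peers are assumed.
peers_in_state() {
    state="$1"
    awk -v st="$state" 'NR > 1 && $1 == st { split($5, a, ":"); n[a[1]]++ }
         END { for (p in n) print n[p], p }' | sort -rn
}

# Print peers holding more than $2 sockets in state $1 (default limit 2);
# with SYN-RECV this is a quick half-open connection check.
busy_peers() {
    state="$1"; limit="${2:-2}"
    peers_in_state "$state" | awk -v lim="$limit" '$1 > lim { print $2 }'
}

# Live usage: ss -tan | count_by_state ; ss -tan | busy_peers SYN-RECV 20
printf '%s\n' "$SAMPLE_SS" | count_by_state
printf '%s\n' "$SAMPLE_SS" | busy_peers SYN-RECV
```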

ip

  • Display the interfaces (similar to ifconfig): ip link show
  • Bring the interface up (similar to ifconfig eth0 up): ip link set eth0 up
  • Display the IP address on the interface: ip addr show
  • Display ARP table (similar to arp -a): ip neigh show
  • Delete all entries for eth0 from the ARP table: ip neigh flush dev eth0
  • Delete an entry from ARP table: ip neigh delete 192.168.1.4 dev eth0

tcpdump

  • Print the list of the network interfaces: tcpdump -D
  • Capture everything in a file: tcpdump -i eth0 -n -w /tmp/$(hostname)-$(date +"%Y-%m-%d-%H-%M-%S").pcap

tcptrack

tcptrack displays the status of TCP connections that it sees on a given network interface. tcptrack monitors their state and displays information such as state, source/destination addresses and bandwidth usage in a sorted, updated list very much like the top(1) command.

  • Install on CentOS 6:
yum install ncurses-devel libpcap-devel
wget http://pkgs.fedoraproject.org/repo/pkgs/tcptrack/tcptrack-1.4.2.tar.gz/dacf71a6b5310caf1203a2171b598610/tcptrack-1.4.2.tar.gz
tar zxvf tcptrack-1.4.2.tar.gz
cd tcptrack-1.4.2
./configure
make
make install
  • Sniff packets from the specified network interface: tcptrack -i eth0
  • Show only web traffic: tcptrack -i eth0 port 80
  • Show connections from host 192.168.100.11: tcptrack -i eth0 src or dst 192.168.100.11
  • Use a libpcap advanced filter: tcptrack -i eth0 'ip dst 192.168.100.11 and port (80 or 443 or 22)'

Interactive options

p - Pause/unpause display. No new connections will be added to the display, and all currently displayed connections will remain in the display.
q - Quit tcptrack.
s - Cycle through the sorting options: unsorted, sorted by rate, sorted by total bytes.

speedometer

  • Install on CentOS 6
cd /root
wget https://excess.org/speedometer/speedometer-2.8.tar.gz
tar zxvf speedometer-2.8.tar.gz
wget https://pypi.python.org/packages/source/u/urwid/urwid-1.3.1.tar.gz
tar zxvf urwid-1.3.1.tar.gz
cd urwid-1.3.1/
python setup.py build
python setup.py install (installs urwid system-wide) or cp -r urwid /root/speedometer-2.8 (copies the module next to speedometer instead)
  • Display RX traffic on eth0: ./speedometer.py -rx eth0
  • Display TX traffic on eth0: ./speedometer.py -tx eth0

https://excess.org/speedometer

iftop

  • Install on CentOS 6

yum install iftop --enablerepo=epel

  • Listen on named interface: iftop -i eth0
  • Display the port as well: iftop -P -i eth0
  • Do not do hostname lookups: iftop -n -i eth0
  • Show traffic flows in/out of IPv4 network: iftop -F 192.168.100.0/24 -i eth0

slurm

  • Installation on CentOS 6:
yum install cmake
wget https://github.com/mattthias/slurm/archive/upstream.zip
unzip upstream.zip
cd slurm-upstream
mkdir _build
cd _build
cmake ..
make
make install
  • Graph colours: green - downloads (RX), red - uploads (TX)
  • Select network interface: slurm -i eth0
Shortcuts:
  • c - switch to classic mode
  • s - switch to split graph mode
  • l - switch to large graph mode
  • L - enable TX/RX led
  • m - switch between classic, split and large view
  • z - zero counters
  • r - redraw screen
  • q - quit slurm

tcpkill

  • Installation on CentOS 6: yum install dsniff --enablerepo=epel
  • View connections: netstat -tnpa | grep ESTABLISHED
  • Kill connections on port 22: tcpkill -i eth0 port 22
  • Kill all connections to or from host 192.168.100.9: tcpkill host 192.168.100.9

nmap

  • Discover which hosts are up on a network (ping scan, no port scan): nmap -n -sn 192.168.37.0/24