tested on Red Hat/Centos v5,v6
This page is simply some tests and research into Networking commands on Linux. It is strictly for entertainment purposes.
We do not warrant or guarantee the accuracy or completeness of the information contained herein, and shall have no liability whatsoever arising out of, its use.
Some network/network analysis commands
• ifconfig - view and change the configuration of the network interfaces
• ip - view and change the configuration of the network interfaces
• ifup,ifdown - bring up, take down network interface
• netstat - displays network connections
• dhclient - configuring one or more network interfaces
• ping - command sends packets of information to the user-defined source
• dig - interrogating Domain Name System (DNS)
• nslookup - querying the Domain Name System (DNS) to obtain domain name
• traceroute - displays the list of the routers that packet travels through to get to a remote host
• nmap - port scanning
• iptables - firewall utility built for Linux operating systems
• system-config-network command
Some network Configuration files
• hosts file
• Interface configuration files (ifcfg)
• resolv.conf file
• /etc/sysconfig/network - routing and host information file
Running ifconfig with no options will display the configuration of all active interfaces.
# ifconfig
If ifconfig did not come installed with your Linux distribution, add it with
yum install net-tools
show all interfaces
# ifconfig -a
eth0      Link encap:Ethernet  HWaddr 00:1C:C4:66:49:A4
          inet addr:192.168.1.5  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::21c:c4ff:fe66:49a4/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:5671 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6118 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:962881 (940.3 KiB)  TX bytes:686627 (670.5 KiB)
          Interrupt:225 Memory:f0800000-f0810000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:316 errors:0 dropped:0 overruns:0 frame:0
          TX packets:316 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:15960 (15.5 KiB)  TX bytes:15960 (15.5 KiB)

sit0      Link encap:IPv6-in-IPv4
          NOARP  MTU:1480  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
Some important things to notice in the above listing:
You should have at least a loopback address and an Ethernet device. You may have other devices listed as well.
to enable a disabled network interface
> ifconfig eth0 up
or
> ifup eth0
to disable an enabled network interface
> ifconfig eth0 down
or
> ifdown eth0
change maximum transmission units (MTU). This assumes that your network card and network switches can support it.
> ifconfig eth0 mtu 2500
Configure the network interface wlan1 to use the static IP address 122.140.201.66.
> ifconfig wlan1 122.140.201.66
ifup brings a network interface up, making it available to transmit and receive data.
examples:
# ifup eth0
# ifup enp63s0
ifdown takes a network interface down, placing it in a state where it cannot transmit or receive data.
Netstat (network statistics) is a command-line tool that displays network connections for the Transmission Control Protocol (both incoming and outgoing), routing tables, and a number of network interface (network interface controller or software-defined network interface) and network protocol statistics.
# netstat | more
extract from response:
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address        Foreign Address          State
tcp        0     52 192.168.1.5:ssh      999.999.999.999::61648   ESTABLISHED
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags   Type    State   I-Node Path
unix  2      [ ]     DGRAM           1338   @/org/kernel/udev/udevd
unix  2      [ ]     DGRAM           6575   @/org/freedesktop/hal/udev_event
unix  16     [ ]     DGRAM           5870   /dev/log
unix  2      [ ]     DGRAM           995552
...
note: Local Address is the IP address of the Linux server
The "Foreign Address" is your Static IP address.
# netstat -rn
Output -
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
0.0.0.0         192.168.1.254   0.0.0.0         UG        0 0          0 eth0
Here 192.168.1.254 is the gateway; in this case it is the IP of my wireless router.
The second column of netstat's output shows the gateway that the routing entry is pointing to. If no gateway is used, an asterisk is printed instead. Column three shows the 'generality' of the route. When given an IP-address to find a suitable route for, the kernel goes through all routing table entries, taking the bitwise AND of the address and the genmask before comparing it to the target of the route.
The fourth column displays various flags that describe the route:
G - The route uses a gateway.
U - The interface to be used is up.
H - Only a single host can be reached through the route. For example, this is the case for the loopback entry 127.0.0.1.
D - This is set if the table entry has been generated by an ICMP redirect message (see section 3.5).
M - This is set if the table entry was modified by an ICMP redirect message.
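The lookup described above (AND the address with each genmask, compare with the route's destination) can be replayed over the routing table shown earlier. This is an added example, not part of the original page; the function names are made up here, and preferring the largest genmask among matches is a simplification that ignores metrics and policy routing.

```sh
#!/bin/sh
# Added example: replay the route lookup over `netstat -rn` output.

# Routing table copied from the listing above (sample input).
sample_routes() {
    cat <<'EOF'
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
0.0.0.0         192.168.1.254   0.0.0.0         UG        0 0          0 eth0
EOF
}

# ip2int A.B.C.D -> prints the address as an unsigned 32-bit integer.
ip2int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# route_lookup ADDRESS  (reads `netstat -rn` output on stdin)
# Prints "GATEWAY IFACE" for the matching route with the most specific
# genmask; exits non-zero when no route matches.
route_lookup() (
    addr=$(ip2int "$1")
    best_mask=-1
    best=""
    while read -r dest gw mask flags mss window irtt iface; do
        # Skip the two header lines: only dotted-quad destinations count.
        case "$dest" in
            [0-9]*.[0-9]*.[0-9]*.[0-9]*) ;;
            *) continue ;;
        esac
        # Ignore routes that are not flagged U (up).
        case "$flags" in *U*) ;; *) continue ;; esac
        m=$(ip2int "$mask")
        d=$(ip2int "$dest")
        # Bitwise AND of address and genmask, compared with the target.
        if [ $(( addr & m )) -eq "$d" ] && [ "$m" -gt "$best_mask" ]; then
            best_mask=$m
            best="$gw $iface"
        fi
    done
    if [ -n "$best" ]; then echo "$best"; else exit 1; fi
)

# A LAN address is delivered directly (gateway 0.0.0.0); anything else
# falls through to the default route via the G-flagged gateway.
for a in 192.168.1.77 8.8.8.8; do
    printf '%s -> %s\n' "$a" "$(sample_routes | route_lookup "$a")"
done
```

A gateway of 0.0.0.0 in the result means the destination is on the local network and no router is involved.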
Some netstat switches:
a = all sockets
c = update continuously
e = extend, additional details
n = numeric - don't resolve names, shows port number
o = shows process id (PID)
p = program - display PID/Program name for sockets
l = display listening server sockets
r = routing tables
s = statistics
t = tcp
v = verbose
Examples:
List all ports
netstat -a
Show all listening tcp ports showing port number
> netstat -ltn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address      Foreign Address    State
tcp        0      0 0.0.0.0:9390       0.0.0.0:*          LISTEN
tcp        0      0 0.0.0.0:111        0.0.0.0:*          LISTEN
tcp        0      0 0.0.0.0:21         0.0.0.0:*          LISTEN
tcp        0      0 0.0.0.0:22         0.0.0.0:*          LISTEN
tcp        0      0 127.0.0.1:631      0.0.0.0:*          LISTEN
tcp        0      0 0.0.0.0:5672       0.0.0.0:*          LISTEN
tcp        0      0 0.0.0.0:56008      0.0.0.0:*          LISTEN
tcp        0      0 0.0.0.0:3306       0.0.0.0:*          LISTEN
tcp        0      0 :::42732           :::*               LISTEN
tcp        0      0 :::111             :::*               LISTEN
tcp        0      0 :::80              :::*               LISTEN
tcp        0      0 :::22              :::*               LISTEN
tcp        0      0 ::1:631            :::*               LISTEN
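When reviewing a listing like the one above, the Local Address column tells you which services are reachable from other hosts (bound to 0.0.0.0 or ::) and which accept only local connections (127.0.0.1 or ::1). The following is an added example, not part of the original page; the function names are made up here and the sample input is the listing above.

```sh
#!/bin/sh
# Added example: classify listening TCP ports from `netstat -ltn` output.

# Sample input: the listing shown above.
sample_listeners() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address      Foreign Address    State
tcp        0      0 0.0.0.0:9390       0.0.0.0:*          LISTEN
tcp        0      0 0.0.0.0:111        0.0.0.0:*          LISTEN
tcp        0      0 0.0.0.0:21         0.0.0.0:*          LISTEN
tcp        0      0 0.0.0.0:22         0.0.0.0:*          LISTEN
tcp        0      0 127.0.0.1:631      0.0.0.0:*          LISTEN
tcp        0      0 0.0.0.0:5672       0.0.0.0:*          LISTEN
tcp        0      0 0.0.0.0:56008      0.0.0.0:*          LISTEN
tcp        0      0 0.0.0.0:3306       0.0.0.0:*          LISTEN
tcp        0      0 :::42732           :::*               LISTEN
tcp        0      0 :::111             :::*               LISTEN
tcp        0      0 :::80              :::*               LISTEN
tcp        0      0 :::22              :::*               LISTEN
tcp        0      0 ::1:631            :::*               LISTEN
EOF
}

# classify_listeners: reads `netstat -ltn` output on stdin and prints one
# "PORT SCOPE" line per port, sorted by port number. SCOPE is "local" when
# every socket on that port is bound to loopback, otherwise "exposed".
classify_listeners() {
    awk '
    $1 ~ /^tcp/ && $NF == "LISTEN" {
        addr = $4
        # The port follows the last colon; this also handles the IPv6
        # forms :::80 (wildcard) and ::1:631 (loopback).
        match(addr, /:[0-9]+$/)
        port = substr(addr, RSTART + 1)
        host = substr(addr, 1, RSTART - 1)
        scope = (host ~ /^127\./ || host == "::1") ? "local" : "exposed"
        # One exposed socket is enough to mark the whole port exposed.
        if (!(port in seen) || scope == "exposed") seen[port] = scope
    }
    END { for (p in seen) print p, seen[p] }
    ' | sort -n
}

sample_listeners | classify_listeners
```

On a live system, pipe the real command into the function: netstat -ltn | classify_listeners. Each "exposed" port should correspond to a service you intend to offer on the network.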
Some processes you may find running
List all ports
netstat -a
List all tcp ports
netstat -at
List all udp ports
netstat -au
List all sockets which are in listening state
netstat -l
Lists all listening ports
netstat -tlnp
All open ports
netstat -plnt
statistics
netstat -anpe
See what is listening to port 80
> netstat -lnp | grep 80
tcp        0      0 :::80        :::*         LISTEN      5484/httpd
where:
see some statistics
> netstat -s
Ip:
    3505517 total packets received
    189 with invalid addresses
    0 forwarded
    0 incoming packets discarded
    3353729 incoming packets delivered
    3441781 requests sent out
    6 dropped because of missing route
Icmp:
    80 ICMP messages received
    0 input ICMP message failed.
    ICMP input histogram:
        destination unreachable: 76
        echo replies: 4
    444 ICMP messages sent
    0 ICMP messages failed
    ICMP output histogram:
        destination unreachable: 440
        echo request: 4
IcmpMsg:
        InType0: 4
        InType3: 76
        OutType3: 440
        OutType8: 4
Tcp:
    875 active connections openings
    176235 passive connection openings
    1305 failed connection attempts
    4162 connection resets received
    1 connections established
    3177924 segments received
    3193518 segments send out
    71896 segments retransmited
    0 bad segments received.
    28590 resets sent
Udp:
    175920 packets received
    20 packets to unknown port received.
    0 packet receive errors
    176145 packets sent
UdpLite:
TcpExt:
    14061 invalid SYN cookies received
    1298 resets received for embryonic SYN_RECV sockets
    36 ICMP packets dropped because they were out-of-window
    40131 TCP sockets finished time wait in fast timer
    370843 delayed acks sent
    70 delayed acks further delayed because of locked socket
    Quick ack mode was activated 12684 times
    169906 packets directly queued to recvmsg prequeue.
    3686 packets directly received from backlog
    61938105 packets directly received from prequeue
    986573 packets header predicted
    47052 packets header predicted and directly queued to user
    523770 acknowledgments not containing data received
    816143 predicted acknowledgments
    6422 times recovered from packet loss due to SACK data
    TCPDSACKUndo: 343
    5787 congestion windows recovered after partial ack
    12519 TCP data loss events
    TCPLostRetransmit: 1409
    3577 timeouts after SACK recovery
    552 timeouts in loss state
    15818 fast retransmits
    1338 forward retransmits
    5096 retransmits in slow start
    35982 other TCP timeouts
    1313 sack retransmits failed
    13156 DSACKs sent for old packets
    22 DSACKs sent for out of order packets
    16358 DSACKs received
    78 DSACKs for out of order packets received
    625 connections reset due to unexpected data
    136 connections reset due to early user close
    502 connections aborted due to timeout
    TCPDSACKIgnoredOld: 5920
    TCPDSACKIgnoredNoUndo: 2330
    TCPSpuriousRTOs: 63
    TCPSackShifted: 9984
    TCPSackMerged: 25336
    TCPSackShiftFallback: 20200
IpExt:
    InBcastPkts: 151202
    InOctets: 730998212
    OutOctets: 917606745
    InBcastOctets: 22741553
The ip command is the updated version of ifconfig, as ifconfig is officially deprecated, although still widely used. The ip command lets you find out which interfaces are configured on the system; query the status of an IP interface; configure the local loopback, Ethernet and other IP interfaces; mark an interface as up or down; configure and modify default and static routing; configure a tunnel over IP; configure ARP or NDISC cache entries; and assign IP addresses, routes, subnets and other IP information to IP interfaces.
The ip command can be applied with several "objects" including:
Object | Abbreviated form | Purpose |
link | l | Network device. |
address | a addr | Protocol (IP or IPv6) address on a device. |
addrlabel | addrl | Label configuration for protocol address selection. |
neighbour | n neigh | ARP or NDISC cache entry. |
route | r | Routing table entry. |
rule | ru | Rule in routing policy database. |
maddress | m maddr | Multicast address. |
mroute | mr | Multicast routing cache entry. |
tunnel | t | Tunnel over IP. |
xfrm | x | Framework for IPsec protocol. |
Examples:
link: Manage and display the state of all network interfaces
> ip link show
1: lo: mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: mtu 1500 qdisc mq state UP qlen 1000
    link/ether 00:1c:c4:66:49:a4 brd ff:ff:ff:ff:ff:ff
Display IP addresses and property information. addr is an abbreviation of address. You can also abbreviate it to a.
> ip addr show
1: lo: mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: mtu 1500 qdisc mq state UP qlen 1000
    link/ether 00:1c:c4:66:49:a4 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.5/24 brd 192.168.1.255 scope global eth0
    inet6 fe80::21c:c4ff:fe66:49a4/64 scope link
       valid_lft forever preferred_lft forever
To see IPv4 information:
ip -4 addr
To see IPv6 information:
ip -6 addr
See information regarding a specific interface? You can list information for a wireless connection with the command:
ip addr show wlan0
You can even get more specific with this command. If you only want to view IPv4 on the wlan0 interface, issue the command:
ip -4 addr show wlan0
You can even list only the running interface using:
ip link ls up
Suppose you wanted to assign a specific address to the first ethernet interface, eth0. With the ifconfig command, that would look like:
ifconfig eth0 192.1.1.1
With the ip command, this now looks like:
ip addr add 192.1.1.1 dev eth0
Note that this is only a temporary change in configuration. Bringing the network down and up will cause the configuration to revert to the original.
You could shorten this a bit with:
ip addr add 192.1.1.1/24 dev eth0
We can see that we have added address 192.1.1.1 to eth0
> ip address show
1: lo: mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: mtu 1500 qdisc mq state UP qlen 1000
    link/ether 00:1c:c4:66:49:a4 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.5/24 brd 192.168.1.255 scope global eth0
    inet 192.1.1.1/24 scope global eth0
    inet6 fe80::21c:c4ff:fe66:49a4/64 scope link
       valid_lft forever preferred_lft forever
What about deleting an address from an interface? With the ip command, you can do that as well. For example, to delete the address just assigned to eth0, issue the following command:
ip addr del 192.1.1.1/24 dev eth0
Another crucial aspect of the ip command is the ability to bring up/down an interface. To bring eth0 down, issue:
ip link set dev eth0 down
To bring eth0 back up, use:
ip link set dev eth0 up
With the ip command, you can also add and delete default gateways. This is handled like so:
ip route add default via 192.168.1.254
If you want to get really detailed on your interfaces, you can edit the transmit queue. You can set the transmit queue to a low value for slower interfaces and a higher value for faster interfaces. To do this, the command would look like:
ip link set txqueuelen 10000 dev eth0
The above command would set a high transmit queue. You can play around with this value to find what works best for your hardware.
You can also set the Maximum Transmission Unit (MTU) of your network interface with the command:
ip link set mtu 9000 dev eth0
Once you’ve made the changes, use ip a list eth0 to verify the changes have gone into effect.
With the ip command you can also manage the system’s routing tables. This is a very powerful element of the ip command, and you should use it with caution.
Suppose you want to view all routing tables. To do this, you would issue the command:
> ip r
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.5
default via 192.168.1.254 dev eth0
Now, say you want to route all traffic via the 192.168.1.254 gateway connected via eth0 network interface: To do that, issue the command:
ip route add 192.168.1.0/24 dev eth0
To delete that same route, issue:
ip route del 192.168.1.0/24 dev eth0
dhclient provides a means for configuring one or more network interfaces using the Dynamic Host Configuration Protocol, the BOOTP protocol, or, if these protocols fail, by statically assigning an address.
Used by itself, dhclient releases and renews your IP address.
dhclient
The ping command sends packets of information to the user-defined source. If the packets are received, the destination device sends packets back. ping can be used to ensure that a network connection can be established and to determine timing information as to the speed of the connection.
Ping is useful for testing whether the server you are logged into, or a remote server, is connected to the internet.
The ping method does not guarantee that all systems connected to the LAN will be found. This is because some computers may be configured NOT to reply to broadcast queries. The google.com site is kind enough to allow us to use ping.
# ping google.com
PING google.com (74.125.226.142) 56(84) bytes of data.
64 bytes from yyz08s14-in-f14.1e100.net (74.125.226.142): icmp_seq=1 ttl=58 time=17.3 ms
64 bytes from yyz08s14-in-f14.1e100.net (74.125.226.142): icmp_seq=2 ttl=58 time=16.2 ms
64 bytes from yyz08s14-in-f14.1e100.net (74.125.226.142): icmp_seq=3 ttl=58 time=15.9 ms
64 bytes from yyz08s14-in-f14.1e100.net (74.125.226.142): icmp_seq=4 ttl=58 time=15.4 ms
Control-C to exit
What can I learn from the above?
nslookup is a network administration command-line tool used for querying the Domain Name System (DNS) to obtain a domain name or IP address mapping, or any other specific DNS record.
> nslookup redhat.com
Server:         192.168.1.254
Address:        192.168.1.254#53

Non-authoritative answer:
Name:   redhat.com
Address: 209.132.183.105
dig (domain information groper) is a flexible tool for interrogating DNS name servers. It performs DNS lookups and displays the answers that are returned from the name server(s) that were queried. Most DNS administrators use dig to troubleshoot DNS problems because of its flexibility, ease of use and clarity of output.
Unless it is told to query a specific name server, dig will try each of the servers listed in /etc/resolv.conf.
example:
> dig redhat.com

; <<>> DiG 9.7.3-P3-RedHat-9.7.3-8.P3.el6 <<>> redhat.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31303
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 4

;; QUESTION SECTION:
;redhat.com.                    IN      A

;; ANSWER SECTION:
redhat.com.             60      IN      A       209.132.183.105

;; AUTHORITY SECTION:
redhat.com.             600     IN      NS      ns3.redhat.com.
redhat.com.             600     IN      NS      ns1.redhat.com.
redhat.com.             600     IN      NS      ns4.redhat.com.
redhat.com.             600     IN      NS      ns2.redhat.com.

;; ADDITIONAL SECTION:
ns1.redhat.com.         146     IN      A       209.132.186.218
ns2.redhat.com.         146     IN      A       209.132.183.2
ns3.redhat.com.         146     IN      A       209.132.176.100
ns4.redhat.com.         146     IN      A       209.132.188.218

;; Query time: 294 msec
;; SERVER: 206.248.154.170#53(206.248.154.170)
;; WHEN: Sun Jun 14 18:01:16 2015
;; MSG SIZE  rcvd: 180
The dig command output has the following sections:
Traceroute displays the list of the routers that a packet travels through to get to a remote host. Using this command you can see how packets travel through the network and where they may fail or slow down. Using this information you can determine the computer, router, switch or other network device that is possibly causing network issues or failures.
# traceroute google.com
traceroute to google.com (74.125.226.133), 30 hops max, 60 byte packets
 1  192.168.1.254 (192.168.1.254)  1.307 ms  1.349 ms  1.698 ms
 2  206.248.154.104 (206.248.154.104)  19.611 ms  20.715 ms  22.417 ms
 3  72.14.212.134 (72.14.212.134)  28.774 ms  30.709 ms  31.659 ms
 4  209.85.255.232 (209.85.255.232)  33.155 ms  34.592 ms  36.039 ms
 5  209.85.250.7 (209.85.250.7)  38.044 ms  16.701 ms  16.682 ms
 6  yyz08s14-in-f5.1e100.net (74.125.226.133)  18.592 ms  19.669 ms  21.080 ms
The nmap command line utility is used for port scanning and finding out all the ways a computer communicates with other computers on a network. You can find open ports on a server or computer and find what services are using those ports. It can even determine what operating system is running on the server and more.
Example:
> nmap scanme.nmap.org
Starting Nmap 6.47 ( http://nmap.org ) at 2016-04-17 18:46 EDT
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.077s latency).
Not shown: 996 closed ports
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
9929/tcp  open  nping-echo
31337/tcp open  Elite
Nmap done: 1 IP address (1 host up) scanned in 5.71 seconds
# ifconfig eth0 up
# ifconfig eth0 down
iptables is a command-line firewall utility that uses policy chains to allow or block traffic. When a connection tries to establish itself on your system, iptables looks for a rule in its list to match it to. If it doesn’t find one, it resorts to the default action.
You may want to run system-config-network command directly or from the setup command to help configure network.
# system-config-network
or
# setup
The main purpose of this file is to resolve hostnames that cannot be resolved any other way. It can also be used to resolve hostnames on small networks with no DNS server. It is also useful in development to make your workstation believe that a certain hostname points to a test or development server instance of that hostname instead of the production (current live) instance. Regardless of the type of network the computer is on, this file should contain a line specifying the IP address of the loopback device (127.0.0.1) as localhost.localdomain.
Restart the network service to see result of changes here.
# vi /etc/hosts
example:
127.0.0.1        localhost.localdomain localhost
192.168.113.142  blog.mysite.com
Interface configuration files control the software interfaces for individual network devices. As the system boots, it uses these files to determine what interfaces to bring up and how to configure them. These files are usually named ifcfg-<name>, where <name> refers to the name of the device that the configuration file controls. One of the most common interface files is ifcfg-eth0, which controls the first Ethernet network interface card or NIC in the system. In a system with multiple NICs, there are multiple ifcfg-eth<X> files (where <X> is a unique number corresponding to a specific interface). Because each device has its own configuration file, an administrator can control how each interface functions individually.
# vi /etc/sysconfig/network-scripts/ifcfg-eth0
sample dynamic (dhcp)
DEVICE=eth0
BOOTPROTO=dhcp
HWADDR=00:1C:C4:66:49:A4
ONBOOT=yes
sample static (static IP)
DEVICE=eth0
BOOTPROTO=static
HWADDR="00:1C:C4:66:49:A4"
IPADDR=10.0.1.27
NETMASK=255.255.255.0
ONBOOT=yes
Below is a listing of the configurable parameters in an Ethernet interface configuration file. Only BOOTPROTO and DEVICE are mandatory.
PEERDNS="yes"
DNS1=8.8.8.8
DNS2=8.8.4.4
This file specifies the IP addresses of DNS servers and the search domain. This file defines server responsible for name resolution. You can have multiple entries here.
vi /etc/resolv.conf
example:
search localdomain
# here 192.168.1.254 is the IP address of my Netgear Router.
# I think originally it was 192.168.0.1.
nameserver 192.168.1.254
This file specifies routing and host information for all network interfaces. This is the system's global network configuration file. It contains the default route and hostname. Configurations in /etc/sysconfig/network-scripts/ directory may override values here. In an initial installation this file may be empty and all values are optional.
vi /etc/sysconfig/network
example:
# Networking should be configured
NETWORKING=yes
NETWORKING_IPV6=yes
# if you have a hostname (eg: mysite.com), then put the Fully Qualified Domain Name (FQDN) here,
# otherwise use your localhost.localdomain
HOSTNAME=blog.mysite.com
# the IP address of the network's gateway.
GATEWAY=1.1.1.1
# Configure this option if you have multiple interfaces on the same subnet, and require one of
# those interfaces to be the preferred route to the default gateway.
GATEWAYDEV=ems33
to see your hostname, use Linux command
hostname
Exercise 1: Set up networking with static IP using the following parameters:
IP address: 192.168.0.100
Netmask: 255.255.255.0
Hostname: node01.myblog.com
Domain name: myblog.com
Gateway: 192.168.0.1
DNS Server 1: 8.8.8.8
DNS Server 2: 4.4.4.4
in /etc/sysconfig/network-scripts/ifcfg-XXXX, where XXXX is your interface name, add or edit the following values:
BOOTPROTO=static
NETWORKING=yes
DNS1=8.8.8.8
DNS2=4.4.4.4
GATEWAY=192.168.0.1
HOSTNAME=node01.myblog.com
IPADDR=192.168.0.100
NETMASK=255.255.255.0
We could have put hostname in /etc/hostname
HOSTNAME=node01.myblog.com
in /etc/resolv.conf
nameserver 8.8.8.8
nameserver 4.4.4.4
restart network
systemctl restart network