Networking Lab

NETWORK ESSENTIALS LAB

LINUX NETWORKING COMMANDS

COMMAND: hostname

hostname

Tells the user the host name of the computer they are logged into. Note: may be called host.

  $ hostname
  c2machine

COMMAND: finger

finger

  1. What does the finger command do?
  2. command familiarity
    1. finger <username>@<hostname>
    2. finger <username>@<IPAddress>
  3. Can you understand the structure of the output of the finger command?
  4. When should you use the finger command?
  5. Mapping of the flow of communication with the Layers for this command

finger [options] users

Display data about one or more users, including information listed in the files .plan and .project in each user’s home directory. You can specify each user either as a login name (exact match) or as a first or last name (display information on all matching names). Networked environments recognize arguments of the form user@host and @host.

Options

-l

Force long format (default): everything included by the -s option, as well as home directory, home phone, login shell, mail status, .plan, .project, and .forward.

-m

Suppress matching of users’ “real” names.

-p

Omit .plan and .project files from display.

-s

Show short format: login name, real name, terminal name, write status, idle time, office location, and office phone number.

  $ finger
  Login: user1                            Name: user1
  Directory: /home/user1                  Shell: /bin/bash
  On since Sat Jun  2 14:27 (IST) on pts/0 from lt312-shiva.raughs.com
     10 minutes 16 seconds idle
  On since Sat Jun  2 14:47 (IST) on pts/1 from lt312-shiva.raughs.com
     8 minutes 25 seconds idle
  On since Sat Jun  2 14:47 (IST) on pts/2 from lt312-shiva.raughs.com
  No mail.
  No Plan.

COMMAND: finger

  $ finger @tbyte
  finger: cannot create socket / connect host

COMMAND: nslookup

nslookup

  1. What does the nslookup command do?
  2. command familiarity
    1. nslookup <hostname>
    2. nslookup <IPAddress>
  3. Can you understand the structure of the output of the nslookup command?
  4. When should you use the nslookup command?
  5. Mapping of the flow of communication with the Layers for this command

TCP/IP command. Query Internet domain nameservers. nslookup is deprecated; its functionality is replaced by the dig and host commands. nslookup may not be included in some distributions.

nslookup is a program used to manually query DNS servers.

An example query:

  $ nslookup -sil wiki.linuxquestions.org
  Server:         192.168.1.1
  Address:        192.168.1.1#53

  Non-authoritative answer:
  Name:   wiki.linuxquestions.org
  Address: 209.152.163.16

The first Server and Address pair describe the nameserver that was asked (port 53 is shown after the #). Name is the host we asked about and the Address below it is that host's IP address. "Non-authoritative" means the server answered from its cache rather than from the zone it is responsible for.

Note that I have used the -sil flag, because it suppresses the message that nslookup is obsolete.

dig is a similar program.

COMMAND: nslookup internet

  $ nslookup internet
  Server:         172.22.192.2
  Address:        172.22.192.2#53

  Name:   internet.raughs.com
  Address: 172.22.218.218

COMMAND: nslookup tbyte

  $ nslookup tbyte
  Server:         172.22.192.2
  Address:        172.22.192.2#53

  Name:   internet.raughs.com
  Address: 172.22.218.218

COMMAND: nslookup www.yahoo.com

  $ nslookup www.yahoo.com
  Server:         172.22.192.25
  Address:        172.22.192.25#53

  Non-authoritative answer:
  www.yahoo.com   canonical name = www.yahoo-ht3.akadns.net.
  Name:   www.yahoo-ht3.akadns.net
  Address: 87.248.113.14

COMMAND: ifconfig

ifconfig = Interface Configuration. The UNIX command for configuring a network interface. Usually given in the form “ifconfig <interface> <options>”, for example:

  ifconfig eth0 192.168.0.1 netmask 255.255.255.0

Just typing ifconfig will show information of all the currently configured network interfaces.

Uses for ifconfig

  1. What does the ifconfig command do?
  2. command familiarity
    1. ifconfig
  3. Can you understand the structure of the output of the ifconfig command?
  4. When should you use the ifconfig command?
  5. Mapping of the flow of communication with the Layers for this command?

Discovering your MAC address

You can generally find your MAC address with ifconfig

# /sbin/ifconfig eth0
eth0     Link encap:Ethernet  HWaddr 00:90:F5:03:4B:69
         inet addr:192.168.0.2  Bcast:192.168.0.255  Mask:255.255.255.0
         inet6 addr: fe80::290:f5ff:fe03:4b69/64 Scope:Link
         UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
         RX packets:911573 errors:0 dropped:0 overruns:0 frame:0
         TX packets:656393 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:1000
         RX bytes:604721438 (576.7 Mb)  TX bytes:58964684 (56.2 Mb)
         Interrupt:10 Base address:0xf000

The entry “HWaddr” on the first line tells the hardware address for your network card.

Changing the address

In Linux the MAC address can be changed with most network card drivers. This can be useful in cases where there is security based on MAC addresses and you get a new network card. Example to change it:

# ifconfig eth0 hw ether 00:00:00:00:00:00

This just changes it in the software drivers, not the actual MAC address on the hardware (so it has to be done after every boot). Some on-board network cards allow the address to be changed in the BIOS.

  $ ifconfig
  eth0      Link encap:Ethernet  HWaddr 00:11:43:C8:DE:41
            inet addr:172.22.68.24  Bcast:172.22.79.255  Mask:255.255.240.0
            inet6 addr: fe80::211:43ff:fec8:de41/64 Scope:Link
            UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
            RX packets:13512679 errors:0 dropped:0 overruns:0 frame:0
            TX packets:150255 errors:0 dropped:0 overruns:0 carrier:0
            collisions:0 txqueuelen:1000
            RX bytes:1741448933 (1.6 GiB)  TX bytes:19378299 (18.4 MiB)

  lo        Link encap:Local Loopback
            inet addr:127.0.0.1  Mask:255.0.0.0
            inet6 addr: ::1/128 Scope:Host
            UP LOOPBACK RUNNING  MTU:16436  Metric:1
            RX packets:76356 errors:0 dropped:0 overruns:0 frame:0
            TX packets:76356 errors:0 dropped:0 overruns:0 carrier:0
            collisions:0 txqueuelen:0
            RX bytes:4262484 (4.0 MiB)  TX bytes:4262484 (4.0 MiB)

ifconfig [interface]

ifconfig [interface address_family parameters addresses]

TCP/IP command. Assign an address to a network interface and/or configure network interface parameters. ifconfig is typically used at boot time to define the network address of each interface on a machine. It may be used at a later time to redefine an interface’s address or other parameters. Without arguments, ifconfig displays the current configuration for a network interface. Used with a single interface argument, ifconfig displays that particular interface’s current configuration. Note that interfaces are numbered starting at zero: eth0, eth1, eth2, and so forth. In most cases, eth0 will be the primary PCI Ethernet interface, and wireless network interfaces will begin with ath0 or wlan0.

Arguments

interface

String of the form name unit: for example, en0.

address_family

Since an interface may receive transmissions in differing protocols, each of which may require separate naming schemes, you can specify the address_family to change the interpretation of the remaining parameters. You may specify inet (for TCP/IP, the default), ax25 (AX.25 Packet Radio), ddp (Appletalk Phase 2), or ipx (Novell).

parameters

The following parameters may be set with ifconfig:

add address/prefixlength

Add an IPv6 address and prefix length.

address address

Assign the specified IP address to the interface.

allmulti/-allmulti

Enable/disable sending of incoming frames to the kernel’s network layer.

arp/-arp

Enable/disable use of the Address Resolution Protocol in mapping between network-level addresses and link-level addresses.

broadcast [address]

(inet only) Specify address to use to represent broadcasts to the network. Default is the address with a host part of all ones (i.e., x.y.z.255 for a class C network).

debug/-debug

Enable/disable driver-dependent debugging code.

del address/prefixlength

Delete an IPv6 address and prefix length.

down

Mark an interface “down” (unresponsive).

hw class address

Set the interface’s hardware class and address. class may be ether (Ethernet), ax25 (AX.25 Packet Radio), or ARCnet.

io_addr addr

I/O memory start address for device.

irq addr

Set the device’s interrupt line.

metric n

Set routing metric of the interface to n. Default is 0.

mem_start addr

Shared memory start address for device.

media type

Set media type. Common values are 10base2, 10baseT, and AUI. If auto is specified, ifconfig will attempt to autosense the media type.

mtu n

Set the interface’s Maximum Transfer Unit (MTU).

multicast

Set the multicast flag.

netmask mask

(inet only) Specify how much of the address to reserve for subdividing networks into subnetworks. mask can be specified as a single hexadecimal number with a leading 0x, with a dot notation Internet address, or with a pseudo-network name listed in the network table /etc/networks.

pointopoint/-pointopoint [address]

Enable/disable point-to-point interfacing, so that the connection between the two machines is dedicated.

promisc/-promisc

Enable/disable promiscuous mode. Promiscuous mode allows the device to receive all packets on the network.

txqueuelen n

Specify the transmit queue length.

tunnel addr

Create an IPv6-in-IPv4 (SIT) device, tunneling to IPv4 address addr.

up

Mark an interface “up” (ready to send and receive).

addresses

Each address is either a hostname present in the hostname database (/etc/hosts), or an Internet address expressed in the Internet standard dot notation.

Examples

To list all interfaces:

ifconfig -a

To add a second IP address to wlan0:

ifconfig wlan0:1 192.168.2.41 netmask 255.255.255.0

To change the hardware address (MAC address) assigned to eth0 (useful when setting up a router for a DSL or cable modem):

ifconfig eth0 hw ether 01:02:03:04:05:06
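The Bcast and Mask fields in the ifconfig output are not independent: the kernel derives the network and the broadcast address from the address and the netmask, so a wrong mask typed into ifconfig silently produces a wrong broadcast address. The Python below is an added example written for this page (it is not part of the lab): it parses net-tools ifconfig output like the block shown above, recomputes network and broadcast from inet addr and Mask, and flags any interface whose configured Bcast disagrees. The sample text is the eth0/lo output quoted on this page; parse_ifconfig, derive_subnet and check_broadcast are names chosen here. For eth0 it yields 172.22.64.0/20, the same network that appears as the first entry of the route table later in this lab.

```python
import ipaddress
import re

# Constructed sample: the `ifconfig` output shown earlier in this lab, trimmed
# to the lines the parser needs (eth0 and lo).
SAMPLE_IFCONFIG = """\
eth0      Link encap:Ethernet  HWaddr 00:11:43:C8:DE:41
          inet addr:172.22.68.24  Bcast:172.22.79.255  Mask:255.255.240.0
          inet6 addr: fe80::211:43ff:fec8:de41/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
"""


def parse_ifconfig(text):
    """Parse net-tools ifconfig output into {iface: fields}.

    An interface block starts on any non-indented line; the indented lines
    that follow belong to it."""
    ifaces, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():                      # "eth0      Link encap:..."
            current = line.split()[0]
            ifaces[current] = {"hwaddr": None, "inet": None, "bcast": None,
                               "mask": None, "flags": []}
            m = re.search(r"HWaddr\s+([0-9A-Fa-f:]{17})", line)
            if m:
                ifaces[current]["hwaddr"] = m.group(1).lower()
            continue
        if current is None:
            continue
        for key, pattern in (("inet", r"inet addr:(\S+)"),
                             ("bcast", r"Bcast:(\S+)"),
                             ("mask", r"Mask:(\S+)")):
            m = re.search(pattern, line)
            if m:
                ifaces[current][key] = m.group(1)
        if "MTU:" in line:                             # the flags line: UP BROADCAST ...
            ifaces[current]["flags"] = [w for w in line.split()
                                        if w.isupper() and ":" not in w]
    return ifaces


def derive_subnet(inet, mask):
    """Compute what the kernel derives from addr + netmask:
    network = addr AND mask, broadcast = network OR (NOT mask)."""
    net = ipaddress.IPv4Network(f"{inet}/{mask}", strict=False)
    return {"network": str(net.network_address), "prefixlen": net.prefixlen,
            "broadcast": str(net.broadcast_address),
            "hosts": net.num_addresses - 2}


def check_broadcast(ifaces):
    """Return interfaces whose configured Bcast disagrees with the address
    implied by addr/mask. A mistyped netmask shows up here before it shows
    up as hosts on the same LAN being unreachable."""
    bad = []
    for name, info in ifaces.items():
        if info.get("inet") and info.get("bcast") and info.get("mask"):
            if derive_subnet(info["inet"], info["mask"])["broadcast"] != info["bcast"]:
                bad.append(name)
    return bad


if __name__ == "__main__":
    table = parse_ifconfig(SAMPLE_IFCONFIG)
    for name, info in table.items():
        print(name, info["hwaddr"], info["inet"], info["flags"])
        if info["inet"]:
            print("   ", derive_subnet(info["inet"], info["mask"]))
    print("broadcast mismatches:", check_broadcast(table))
```

To check a live machine, pipe real output in: `ifconfig | python3 thisfile.py` would only need `parse_ifconfig(sys.stdin.read())` in place of the sample; the derivation is the same one `ifconfig eth0 192.168.0.1 netmask 255.255.255.0` performs when no explicit broadcast address is given.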

COMMAND: ifconfig -a

  $ ifconfig -a
  eth0      Link encap:Ethernet  HWaddr 00:11:43:C8:DE:41
            inet addr:172.22.68.24  Bcast:172.22.79.255  Mask:255.255.240.0
            inet6 addr: fe80::211:43ff:fec8:de41/64 Scope:Link
            UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
            RX packets:13512679 errors:0 dropped:0 overruns:0 frame:0
            TX packets:150255 errors:0 dropped:0 overruns:0 carrier:0
            collisions:0 txqueuelen:1000
            RX bytes:1741448933 (1.6 GiB)  TX bytes:19378299 (18.4 MiB)

  lo        Link encap:Local Loopback
            inet addr:127.0.0.1  Mask:255.0.0.0
            inet6 addr: ::1/128 Scope:Host
            UP LOOPBACK RUNNING  MTU:16436  Metric:1
            RX packets:76356 errors:0 dropped:0 overruns:0 frame:0
            TX packets:76356 errors:0 dropped:0 overruns:0 carrier:0
            collisions:0 txqueuelen:0
            RX bytes:4262484 (4.0 MiB)  TX bytes:4262484 (4.0 MiB)

  sit0      Link encap:IPv6-in-IPv4
            NOARP  MTU:1480  Metric:1
            RX packets:0 errors:0 dropped:0 overruns:0 frame:0
            TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
            collisions:0 txqueuelen:0
            RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

COMMAND: route

route

  1. What does the route command do?
  2. command familiarity
    1. route
  3. Can you understand the structure of the output of the route command?
  4. When should you use the route command?
  5. Mapping of the flow of communication with the Layers for this command?

route is the command to view and edit the kernel routing table. With route you can see which interface, and which next-hop gateway if any, the kernel will use for IP packets bound for a given destination. A default gateway may be listed for packets that match no more specific route.

Show your routing table:

# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         10.0.0.138      0.0.0.0         UG    0      0        0 eth1

Options

-n show numerical addresses instead of hostnames

Adding a route

Gateway

Typical pc

For a pc with typical network access, to add a gateway issue

route add default gw 192.168.1.1

(where 192.168.1.1 is the address of your gateway)

Adding a network

To tell your Linux system to send packets for the network 192.168.0.0/24 out of the network device eth3:

route add -net 192.168.0.0 netmask 255.255.255.0 eth3

The same, but handing those packets to the gateway 192.168.0.1 instead of delivering them directly:

route add -net 192.168.0.0 netmask 255.255.255.0 gw 192.168.0.1 eth3

  $ route
  Kernel IP routing table
  Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
  172.22.64.0     *               255.255.240.0   U     0      0        0 eth0
  169.254.0.0     *               255.255.0.0     U     0      0        0 eth0
  default         172.22.64.1     0.0.0.0         UG    0      0        0 eth0
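Reading a routing table means answering one question: for a given destination address, which entry wins? The kernel picks the matching entry with the longest prefix (the most specific Genmask), and a G flag on that entry means the packet is handed to the Gateway rather than delivered directly. The Python below is an added example written for this page, not part of the lab: it parses `route -n` style output (it also accepts the `default` and `*` spellings that plain `route` prints) and performs the same longest-prefix selection. The table is the `route -n` sample from this section plus one constructed, more specific entry (10.0.0.128/25 via eth2) so that two routes overlap; parse_route and lookup are names chosen here.

```python
import ipaddress

# Constructed sample: the `route -n` table from this section plus one extra,
# constructed entry (10.0.0.128/25 via eth2) so that two routes overlap and
# longest-prefix matching has a decision to make.
SAMPLE_ROUTE = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 eth1
10.0.0.128      0.0.0.0         255.255.255.128 U     0      0        0 eth2
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         10.0.0.138      0.0.0.0         UG    0      0        0 eth1
"""


def parse_route(text):
    """Turn `route` / `route -n` output into a list of route dicts."""
    routes = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) != 8 or cols[0] == "Destination":
            continue                                    # title line or header
        dest, gw, mask, flags, metric, _ref, _use, iface = cols
        if dest == "default":                           # plain `route` spelling
            dest = "0.0.0.0"
        routes.append({
            "net": ipaddress.IPv4Network(f"{dest}/{mask}", strict=False),
            "gateway": None if gw in ("0.0.0.0", "*") else gw,
            "flags": flags,
            "metric": int(metric),
            "iface": iface,
        })
    return routes


def lookup(routes, dst):
    """Select the route the kernel would use for dst.

    The most specific (longest prefix) matching entry wins; among equal
    prefixes the lowest metric wins. Returns None when nothing matches,
    which is the case that produces "Network is unreachable"."""
    addr = ipaddress.IPv4Address(dst)
    candidates = [r for r in routes if addr in r["net"]]
    if not candidates:
        return None
    best = max(candidates, key=lambda r: (r["net"].prefixlen, -r["metric"]))
    # No gateway: the destination is on-link and the kernel ARPs for dst
    # itself. With a gateway it ARPs for the gateway and hands the packet over.
    return {"iface": best["iface"], "gateway": best["gateway"],
            "next_hop": best["gateway"] or dst, "flags": best["flags"]}


if __name__ == "__main__":
    table = parse_route(SAMPLE_ROUTE)
    for dst in ("192.168.1.50", "10.0.0.5", "10.0.0.200", "8.8.8.8"):
        print(dst, "->", lookup(table, dst))
```

The next_hop field is the address the kernel will resolve with ARP; that is the link between this section and the arp section that follows.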

COMMAND: arp

arp

  1. What does the arp command do?
  2. command familiarity
    1. arp
    2. arp -a
    3. arp -N <MACAddress>
  3. Can you understand the structure of the output of the arp command?
  4. When should you use the arp command?
  5. Mapping of the flow of communication with the Layers for this command?

arp [options]

TCP/IP command. Clear, add to, or dump the kernel’s Address Resolution Protocol (ARP) cache (/proc/net/arp). ARP is used to translate protocol addresses to hardware interface addresses. Modifying your ARP cache can change which interfaces handle specific requests. ARP cache entries may be marked with the following flags: C (complete), M (permanent), and P (publish). While arp can create a proxy for a single system, subnet proxies are now handled by the arp kernel module, arp(7). See the “Linux 2.4 or later Advanced Routing HOWTO” for details.

Options

host option arguments may be given as either a hostname or an IP address. With the -D option, they may also be given as a hardware interface address (e.g., eth0, eth1).

-a [hosts], --display [hosts]

Display entries for hosts or, if none are specified, all entries.

-d host [pub], --delete host [pub]

Remove the specified host’s entry. To delete a proxy entry, add the pub argument and specify the interface associated with the proxy using -i.

-D, --use-device

Use the hardware address associated with the specified interface. This may be used with -s when creating a proxy entry.

-f file, --file file

Read entries from file and add them.

-H type, --hw-type type, -t type

Search for type entries when examining the ARP cache. type is usually ether (Ethernet), which is the default, but may be ax25 (AX.25 packet radio), arcnet (ARCnet), pronet (PROnet), or netrom (NET/ROM).

-i interface, --device interface

Select an interface. If you are dumping the ARP cache, this option will cause the command to display only the entries using that interface. When setting entries, this will cause the interface to be associated with that entry. If you do not use this option when setting an entry, the kernel will guess.

-n, --numeric

Display host IP addresses instead of their domain names.

-s host hardware-address [netmask mask] [pub], --set host hardware-address [pub]

Add a permanent entry for host at hardware-address. A hardware-address for type ether hardware is 6 hexadecimal bytes, colon-separated. The pub argument can be used to set the publish flag, creating a proxy entry.

-v, --verbose

Verbose mode.

Examples

Display entry for host eris:

arp -a eris

Set a permanent cache entry for host illuminati, whose hardware address you know:

arp -s illuminati 00:05:23:73:e6:cf

Set an ARP proxy for host fnord using the eth0 interface’s hardware address:

arp -Ds fnord eth0 pub

Remove the fnord ARP proxy:

arp -i eth0 -d fnord pub

  $ arp
  Address                  HWtype  HWaddress           Flags Mask            Iface
  172.22.64.1              ether   00:00:0C:07:AC:01   C                     eth0
  172.22.64.2              ether   00:16:9C:42:A4:00   C                     eth0
  172.22.64.3              ether   00:16:9C:41:24:00   C                     eth0
  172.22.66.145            ether   00:0F:1F:6C:6F:ED   C                     eth0
  lt312-shiva.raughs.co    ether   00:17:08:43:E7:A6   C                     eth0
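The ARP cache is trusted by the kernel without any authentication, so the thing worth checking in its output is consistency: one MAC answering for several addresses, or the gateway's MAC changing between two looks at the table, are the symptoms of a poisoned cache (or of a badly configured duplicate). The Python below is an added example written for this page, not part of the lab: it parses the `arp` table above, then compares it against a second, constructed snapshot in which the gateway entry has changed MAC, one address is still "(incomplete)", and one entry has been pinned with `arp -s` (flag M). parse_arp, shared_macs, changed_macs and permanent_entries are names chosen here.

```python
# Constructed sample: the `arp` output shown above (the last Address is cut
# at the column width, exactly as arp printed it).
SNAPSHOT_BEFORE = """\
Address                  HWtype  HWaddress           Flags Mask            Iface
172.22.64.1              ether   00:00:0C:07:AC:01   C                     eth0
172.22.64.2              ether   00:16:9C:42:A4:00   C                     eth0
172.22.64.3              ether   00:16:9C:41:24:00   C                     eth0
172.22.66.145            ether   00:0F:1F:6C:6F:ED   C                     eth0
lt312-shiva.raughs.co    ether   00:17:08:43:E7:A6   C                     eth0
"""

# Constructed second snapshot: the gateway entry now carries the MAC that
# belonged to 172.22.66.145, one lookup is still unanswered, and 172.22.64.2
# has been pinned with `arp -s` (flag M = permanent).
SNAPSHOT_AFTER = """\
Address                  HWtype  HWaddress           Flags Mask            Iface
172.22.64.1              ether   00:0F:1F:6C:6F:ED   C                     eth0
172.22.64.2              ether   00:16:9C:42:A4:00   CM                    eth0
172.22.64.9                      (incomplete)                              eth0
172.22.66.145            ether   00:0F:1F:6C:6F:ED   C                     eth0
lt312-shiva.raughs.co    ether   00:17:08:43:E7:A6   C                     eth0
"""


def parse_arp(text):
    """Parse `arp` table output into {address: entry}.

    Column layout: Address HWtype HWaddress Flags Mask Iface. Mask is usually
    blank, and an unresolved address prints "(incomplete)" with no MAC."""
    entries = {}
    for line in text.splitlines():
        cols = line.split()
        if not cols or cols[0] == "Address":
            continue
        if cols[1] == "(incomplete)":
            entries[cols[0]] = {"mac": None, "flags": "", "iface": cols[-1]}
            continue
        entries[cols[0]] = {"mac": cols[2].lower(), "flags": cols[3], "iface": cols[-1]}
    return entries


def shared_macs(entries):
    """MACs claimed by more than one address in a single table. Legitimate
    for a router that owns several addresses; worth a look for anything else."""
    by_mac = {}
    for addr, e in entries.items():
        if e["mac"]:
            by_mac.setdefault(e["mac"], []).append(addr)
    return {mac: addrs for mac, addrs in by_mac.items() if len(addrs) > 1}


def changed_macs(before, after):
    """Addresses whose MAC differs between two snapshots: {addr: (old, new)}.
    A gateway whose MAC changes with no hardware change is the classic
    cache-poisoning symptom."""
    return {a: (before[a]["mac"], after[a]["mac"])
            for a in before if a in after and before[a]["mac"] != after[a]["mac"]}


def permanent_entries(entries):
    """Entries set with `arp -s` (flag M); they neither expire nor get
    overwritten by replies seen on the wire."""
    return sorted(a for a, e in entries.items() if "M" in e["flags"])


if __name__ == "__main__":
    before, after = parse_arp(SNAPSHOT_BEFORE), parse_arp(SNAPSHOT_AFTER)
    print("shared MACs now:", shared_macs(after))
    print("changed MACs:  ", changed_macs(before, after))
    print("pinned entries:", permanent_entries(after))
```

Pinning the gateway with `arp -s`, as the -s option above describes, is the host-side mitigation these checks point at: a permanent entry is not replaced by whatever the next ARP reply on the segment claims.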

COMMAND: arp internet

  $ arp internet
  internet (172.22.218.218) -- no entry

COMMAND: traceroute internet

traceroute

  1. What does the traceroute command do?
  2. command familiarity
    1. traceroute <IPAddress>
  3. Can you understand the structure of the output of the traceroute command?
  4. When should you use the traceroute command?
  5. Mapping of the flow of communication with the Layers for this command?

traceroute will show the route of a packet. It attempts to list the series of hosts through which your packets travel on their way to a given destination. Also have a look at xtraceroute (one of several graphical equivalents of this program).

Command syntax:

traceroute machine_name_or_ip

traceroute [options] host [packetsize]

TCP/IP command. Trace route taken by packets to reach network host. traceroute attempts tracing by launching UDP probe packets with a small TTL (time-to-live), then listening for an ICMP “time exceeded” reply from a gateway. host is the destination hostname or the IP number of the host to reach. packetsize is the packet size in bytes of the probe datagram. Default is 40 bytes.

Traceroute is a program for determining the path that packets take to reach another Internet host. It works by sending packets with short time-to-live (TTL) values, and seeing which hosts send back error messages. For example, a packet with a TTL of 1 will die at the first host along the route, and that host (if it is standards-compliant) will transmit an error packet back.

Traceroute is useful for debugging networking problems. If you aren’t sure why you can’t reach a particular computer, use traceroute and see where packet traffic stops, or starts to show high round-trip times.

Options

-d

Turn on socket-level debugging.

-f n

Set the initial time-to-live to n hops.

-F

Set the “don’t fragment” bit.

-g addr

Enable the IP LSRR (Loose Source Record Route) option in addition to the TTL tests, to ask how someone at IP address addr can reach a particular target.

-i interface

Specify the network interface for getting the source IP address for outgoing probe packets. Useful with a multi-homed host. Also see the -s option.

-I

Use ICMP ECHO requests instead of UDP datagrams.

-m max_ttl

Set maximum time-to-live used in outgoing probe packets to max-ttl hops. Default is 30.

-n

Show numerical addresses; do not look up hostnames. (Useful if DNS is not functioning properly.)

-p port

Set base UDP port number used for probe packets to port. Default is (decimal) 33434.

-q n

Set number of probe packets for each time-to-live setting to the value n. Default is 3.

-r

Bypass normal routing tables and send directly to a host on an attached network.

-s src_addr

Use src_addr as the IP address that will serve as the source address in outgoing probe packets.

-t tos

Set the type-of-service in probe packets to tos (default 0). The value must be a decimal integer in the range 0 to 255.

-v

Verbose; received ICMP packets (other than TIME_EXCEEDED and PORT_UNREACHABLE) will be listed.

-w wait

Set time to wait for a response to an outgoing probe packet to wait seconds (default is 5).

-x

Toggle IP checksums, usually to turn them off. IP checksums are always calculated if -I is specified.

-z msecs

Set the delay between probes, in milliseconds. The default is 0.

  $ traceroute internet
  traceroute to internet (172.22.218.218), 30 hops max, 40 byte packets
   1  172.22.64.1 (172.22.64.1)  0.232 ms   0.227 ms   0.227 ms
   2  mtwfortress01.raughs.com (172.22.252.33)  0.250 ms mtwfortress02.raughs.com (172.22.252.34)  0.425 ms   0.373 ms
   3  * * *
   4  * * *
   5  * * *
   6  * * *
   7  * * *
   8  * * *
   9  * * *
  10  * * *
  11  * * *
  12  * * *
  13  * * *
  14  * * *
  15  * * *
  16  * * *
  17  * * *
  18  * * *
  19  * * *
  20  * * *
  21  * * *
  22  * * *
  23  * * *
  24  * * *
  25  * * *
  26  * * *
  27  * * *
  28  * * *
  29  * * *
  30  * * *
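The output above has three things a reader needs to decode: one line per TTL value, up to three round-trip times per line (the -q default), and a hostname that is printed only when the responder differs from the previous probe's, which is why hop 2 shows both mtwfortress01 and mtwfortress02 (the three probes were load-balanced across two routers). A `*` is a probe for which no ICMP "time exceeded" came back within the -w timeout. The Python below is an added example written for this page, not part of the lab: it parses this output format, including the multi-responder hop and the timeouts, and summarises where the trace stopped. The sample is the head of the `traceroute internet` run above; parse_traceroute and summarize are names chosen here.

```python
import re

# Constructed sample: the head of the `traceroute internet` run above (hops
# 1 to 4; the remaining hops are all "* * *" in the original).
SAMPLE_TRACE = """\
traceroute to internet (172.22.218.218), 30 hops max, 40 byte packets
 1  172.22.64.1 (172.22.64.1)  0.232 ms   0.227 ms   0.227 ms
 2  mtwfortress01.raughs.com (172.22.252.33)  0.250 ms mtwfortress02.raughs.com (172.22.252.34)  0.425 ms   0.373 ms
 3  * * *
 4  * * *
"""

HEADER_RE = re.compile(
    r"traceroute to (?P<target>\S+) \((?P<ip>[\d.]+)\), (?P<max>\d+) hops max, "
    r"(?P<size>\d+) byte packets")


def parse_traceroute(text):
    """Parse classic traceroute output.

    A hop line is "<n>  [name (ip)] rtt ms ..." with one rtt per probe.
    The "name (ip)" pair is printed only when the responder changes, so it
    is remembered and attached to every following rtt on the line. "*" is a
    probe that got no reply. Each probe is recorded as {from: ip, rtt_ms}."""
    lines = text.strip().splitlines()
    hdr = HEADER_RE.match(lines[0])
    trace = {"target": hdr["target"], "target_ip": hdr["ip"],
             "max_hops": int(hdr["max"]), "hops": []}
    for line in lines[1:]:
        tokens = line.split()
        hop, probes, responder = int(tokens[0]), [], None
        i = 1
        while i < len(tokens):
            tok = tokens[i]
            nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
            if tok == "*":
                probes.append({"from": None, "rtt_ms": None})
                i += 1
            elif nxt == "ms":
                probes.append({"from": responder, "rtt_ms": float(tok)})
                i += 2
            elif nxt.startswith("("):                 # "name (ip)" pair
                responder = nxt.strip("()")
                i += 2
            else:
                i += 1                                # e.g. "!H" annotations
        trace["hops"].append({"hop": hop, "probes": probes})
    return trace


def summarize(trace):
    """Where did the trace stop, and was the destination ever reached?"""
    answered = [h["hop"] for h in trace["hops"] if any(p["from"] for p in h["probes"])]
    reached = any(p["from"] == trace["target_ip"]
                  for h in trace["hops"] for p in h["probes"])
    responders = {h["hop"]: sorted({p["from"] for p in h["probes"] if p["from"]})
                  for h in trace["hops"]}
    return {"reached": reached,
            "last_answering_hop": max(answered) if answered else 0,
            "responders": responders}


if __name__ == "__main__":
    t = parse_traceroute(SAMPLE_TRACE)
    for h in t["hops"]:
        print(h["hop"], [(p["from"], p["rtt_ms"]) for p in h["probes"]])
    print(summarize(t))
```

For the three traces in this lab the summary is the same: the target is never reached and the last answering hop is 2, whatever the destination. That pattern is consistent with a device just beyond mtwfortress01/02 that neither forwards the UDP probes nor returns "time exceeded", rather than with a problem at any of the three targets; the -I option (ICMP echo probes) is the usual next thing to try when a path behaves this way.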

COMMAND: traceroute tbyte

  $ traceroute tbyte
  traceroute to internet (172.22.218.218), 30 hops max, 40 byte packets
   1  172.22.64.1 (172.22.64.1)  0.264 ms   0.228 ms   0.225 ms
   2  mtwfortress01.raughs.com (172.22.252.33)  0.214 ms mtwfortress02.raughs.com (172.22.252.34)  0.343 ms   0.408 ms
   3  * * *
   4  * * *
   5  * * *
   6  * * *
   7  * * *
   8  * * *
   9  * * *
  10  * * *
  11  * * *
  12  * * *
  13  * * *
  14  * * *
  15  * * *
  16  * * *
  17  * * *
  18  * * *
  19  * * *
  20  * * *
  21  * * *
  22  * * *
  23  * * *
  24  * * *
  25  * * *
  26  * * *
  27  * * *
  28  * * *
  29  * * *
  30  * * *

COMMAND: traceroute www.google.com

  $ traceroute www.google.com
  traceroute to internet (172.22.218.218), 30 hops max, 40 byte packets
   1  172.22.64.1 (172.22.64.1)  0.259 ms   0.232 ms   0.229 ms
   2  mtwfortress01.raughs.com (172.22.252.33)  0.270 ms mtwfortress02.raughs.com (172.22.252.34)  0.358 ms   0.296 ms
   3  * * *
   4  * * *
   5  * * *
   6  * * *
   7  * * *
   8  * * *
   9  * * *
  10  * * *
  11  * * *
  12  * * *
  13  * * *
  14  * * *
  15  * * *
  16  * * *
  17  * * *
  18  * * *
  19  * * *
  20  * * *
  21  * * *
  22  * * *
  23  * * *
  24  * * *
  25  * * *
  26  * * *
  27  * * *
  28  * * *
  29  * * *
  30  * * *

COMMAND: tcpdump

tcpdump

  1. What does the tcpdump command do?
  2. command familiarity
    1. tcpdump <Ethernet_Interface>
  3. Can you understand the structure of the output of the tcpdump command?
  4. When should you use the tcpdump command?
  5. Mapping of the flow of communication with the Layers for this command?

tcpdump

This is a sniffer, a program that captures packets off a network interface and interprets them for you. It understands all basic internet protocols, and can be used to save entire packets for later inspection.

tcpdump [options] [expression]

System administration command. Dump headers and packets of network traffic that match expression. The command continues to capture packets until it receives a SIGTERM or SIGINT signal (usually generated by typing the interrupt character control-C). When finished, it will generate a report on traffic captured, received, or dropped by the kernel.

Expressions

Create matching expressions using the following primitives followed by an ID or name.

direction

A qualifier indicating whether to match source or destination information. Accepted values are src, dst, src or dst, and src and dst. When not specified, the expression will match either source or destination traffic.

protocol

A qualifier restricting matches to a particular kind of packet. Accepted values are: ether, fddi, tr, wlan, ip, ip6, arp, rarp, decnet, tcp, and udp. If not specified, the match defaults to any appropriate protocol matching type.

type

A qualifier indicating what kind of thing the ID or name references: a single host (host), a network (net) or a port (port). When not specified, the match defaults to host.

Options

-A

Print packets in ASCII text.

-c n

Exit after receiving n packets.

-C n

When saving to a file, do not write files larger than n million bytes. Open a new file with the same basename appended by a number. Start with the number 1.

-d, -dd, -ddd

Compile and dump the packet-matching code for the given expression, then exit. Use the second form to dump it as a C programming fragment. Use the third form to dump the code in decimal.

-D

Print a list of the available interfaces, then exit.

-e

Print the link-level header on each line.

-F file

Read expression from the specified file.

-i interface

Listen on the specified interface. If not specified, tcpdump will listen on the lowest-numbered interface available, other than the loopback interface. Use any to listen to all available interfaces.

-l

Line buffer standard out.

-L

Print the data link types for an interface, then exit.

-n, -nn

Print IP addresses instead of converting them to hostnames. Use the second form to leave protocols and port numbers in numeric form, as well.

-N

Print hostnames instead of fully qualified domain names.

-q

Abbreviate output, printing less protocol information.

-r file

Read packets from the specified file. (You can create such a file with the -w option.)

-s n

Read n bytes of data from each packet. (The default is 68.)

-S

Print absolute TCP sequence numbers.

-T type

Force packets selected by the expression to be interpreted as the specified type (for example rpc, snmp or vat), instead of letting tcpdump guess the application protocol from the port.

-t, -tt, -ttt, -tttt

Change display of timestamp. Use the first form to omit the timestamp from each line. Use the second form to print an unformatted timestamp. Use the third form to print the time in seconds between the current and the previous dump line. The final form prints the date before the timestamp on each dump line.

-u

Print undecoded NFS handles.

-v, -vv, -vvv

Increase the verbosity of the printout. Each additional v increases the detail of the information printed.

-w file

Write the raw packet information to file without parsing or printing it. Specify - to write to standard output.

-x,-xx

Print packets in hex. Use the second form to print the packet’s link level header in hex as well.

-X,-XX

Print packets in hex and ASCII text. Use the second form to print the packet’s link level header in hex and ASCII as well.

-Z user

Drop root privileges and change to the specified user. Use the primary group of the specified user.

Examples

Place full packets into a file named tcpdump.cap for later analysis:

tcpdump -v -w tcpdump.cap -xX -s 0

Read all packet headers received on the eth0 interface, except for arp and SSH packets:

tcpdump -i eth0 not arp and not port ssh

  $ tcpdump -v host 172.22.64.24
  16:13:01.946600 IP (tos 0x10, ttl  64, id 59471, offset 0, flags [DF], proto: TCP (6), length: 49) DT2305.raughs.com.telnet > lt312-shiva.raughs.com.indx-dds: P, cksum 0xd9c5 (correct), 2149200107:2149200116(9) ack 2889977666 win 5840
  16:13:01.947170 IP (tos 0x0, ttl  64, id 23937, offset 0, flags [DF], proto: UDP (17), length: 71) DT2305.raughs.com.35115 > mtw01dc01.raughs.com.domain:  11684+ PTR? 66.66.22.172.in-addr.arpa. (43)
  16:13:01.947432 IP (tos 0x0, ttl 127, id 13549, offset 0, flags [none], proto: UDP (17), length: 109) mtw01dc01.raughs.com.domain > DT2305.raughs.com.35115:  11684* 1/0/0 66.66.22.172.in-addr.arpa. (81)
  16:13:01.947642 IP (tos 0x0, ttl  64, id 23937, offset 0, flags [DF], proto: UDP (17), length: 71) DT2305.raughs.com.35115 > mtw01dc01.raughs.com.domain:  56976+ PTR? 2.192.22.172.in-addr.arpa. (43)
  16:13:01.947871 IP (tos 0x0, ttl 127, id 13550, offset 0, flags [none], proto: UDP (17), length: 107) mtw01dc01.raughs.com.domain > DT2305.raughs.com.35115:  56976* 1/0/0 2.192.22.172.in-addr.arpa. (79)
  16:13:02.131388 IP (tos 0x0, ttl 128, id 55336, offset 0, flags [DF], proto: TCP (6), length: 40) lt312-shiva.raughs.com.indx-dds > DT2305.raughs.com.telnet: ., cksum 0xe09c (correct), ack 9 win 64112
  16:13:02.131420 IP (tos 0x10, ttl  64, id 59472, offset 0, flags [DF], proto: TCP (6), length: 111) DT2305.raughs.com.telnet > lt312-shiva.raughs.com.indx-dds: P 9:80(71) ack 1 win 5840
  16:13:02.350141 IP (tos 0x0, ttl 128, id 55337, offset 0, flags [DF], proto: TCP (6), length: 40) lt312-shiva.raughs.com.indx-dds > DT2305.raughs.com.telnet: ., cksum 0xdac6 (correct), ack 80 win 65535
  16:13:06.947138 arp who-has 172.22.64.1 tell DT2305.raughs.com
  16:13:06.947323 IP (tos 0x0, ttl  64, id 25187, offset 0, flags [DF], proto: UDP (17), length: 70) DT2305.raughs.com.35115 > mtw01dc01.raughs.com.domain:  54283+ PTR? 1.64.22.172.in-addr.arpa. (42)
  16:13:06.947545 arp reply 172.22.64.1 is-at 00:00:0c:07:ac:01 (oui Cisco)
  16:13:06.947638 IP (tos 0x0, ttl 127, id 14163, offset 0, flags [none], proto: UDP (17), length: 161) mtw01dc01.raughs.com.domain > DT2305.raughs.com.35115:  54283 NXDomain* 0/1/0 (133)
  16:13:27.938034 IP (tos 0x0, ttl 128, id 55339, offset 0, flags [DF], proto: TCP (6), length: 41) lt312-shiva.raughs.com.indx-dds > DT2305.raughs.com.telnet: P, cksum 0xd7bd (correct), 1:2(1) ack 80 win 65535
  16:13:27.938211 IP (tos 0x10, ttl  64, id 59473, offset 0, flags [DF], proto: TCP (6), length: 42) DT2305.raughs.com.telnet > lt312-shiva.raughs.com.indx-dds: P, cksum 0xc3f8 (correct), 80:82(2) ack 2 win 5840 [telnet DMARK]
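Every `tcpdump -v` line above has the same shape: a timestamp, the IP header fields in parentheses (ttl, flags, the transport protocol, total length), then `source.port > destination.port:` and protocol-specific detail. The ARP lines are shorter because ARP is not carried in IP at all. The Python below is an added example written for this page, not part of the lab or of tcpdump: it parses these lines into records and then applies small filter predicates that mirror the host/port/protocol qualifiers described under Expressions, reproducing "host A and B" and "not arp and not port ssh" over the captured text. Real tcpdump compiles such expressions to BPF and matches on addresses in the packet, not on the printed names, so this is a model of the qualifiers, not of the engine. The sample is five lines from the capture above (with hex written as 0x); parse_line, capture and the predicate helpers are names chosen here.

```python
import re

# Constructed sample: five lines from the `tcpdump -v host 172.22.64.24`
# capture in this section (hex values written as 0x..; otherwise verbatim).
SAMPLE_DUMP = """\
16:13:01.946600 IP (tos 0x10, ttl  64, id 59471, offset 0, flags [DF], proto: TCP (6), length: 49) DT2305.raughs.com.telnet > lt312-shiva.raughs.com.indx-dds: P, cksum 0xd9c5 (correct), 2149200107:2149200116(9) ack 2889977666 win 5840
16:13:01.947170 IP (tos 0x0, ttl  64, id 23937, offset 0, flags [DF], proto: UDP (17), length: 71) DT2305.raughs.com.35115 > mtw01dc01.raughs.com.domain:  11684+ PTR? 66.66.22.172.in-addr.arpa. (43)
16:13:02.131388 IP (tos 0x0, ttl 128, id 55336, offset 0, flags [DF], proto: TCP (6), length: 40) lt312-shiva.raughs.com.indx-dds > DT2305.raughs.com.telnet: ., cksum 0xe09c (correct), ack 9 win 64112
16:13:06.947138 arp who-has 172.22.64.1 tell DT2305.raughs.com
16:13:06.947545 arp reply 172.22.64.1 is-at 00:00:0c:07:ac:01 (oui Cisco)
"""

IP_RE = re.compile(
    r"^(?P<ts>\S+) IP \(tos (?P<tos>\S+), ttl\s+(?P<ttl>\d+), id \d+, offset \d+, "
    r"flags \[(?P<flags>[^\]]*)\], proto: (?P<proto>\w+) \(\d+\), length: (?P<len>\d+)\) "
    r"(?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$")
ARP_RE = re.compile(r"^(?P<ts>\S+) arp (?P<rest>.*)$")


def split_endpoint(ep):
    """'DT2305.raughs.com.telnet' -> ('DT2305.raughs.com', 'telnet').
    tcpdump prints the port (or its /etc/services name) after the last dot."""
    host, _, port = ep.rpartition(".")
    return host, port


def parse_line(line):
    """One tcpdump -v line -> a flat record, or None for lines it does not know."""
    m = IP_RE.match(line)
    if m:
        src, sport = split_endpoint(m["src"])
        dst, dport = split_endpoint(m["dst"])
        return {"ts": m["ts"], "proto": m["proto"], "ttl": int(m["ttl"]),
                "length": int(m["len"]), "src": src, "sport": sport,
                "dst": dst, "dport": dport, "info": m["rest"].strip()}
    m = ARP_RE.match(line)
    if m:
        w = m["rest"].split()            # "who-has T tell S" or "reply A is-at MAC"
        src, dst = (w[3], w[1]) if w[0] == "who-has" else (w[1], None)
        return {"ts": m["ts"], "proto": "ARP", "ttl": None, "length": None,
                "src": src, "sport": None, "dst": dst, "dport": None,
                "info": m["rest"]}
    return None


# Filter primitives mirroring tcpdump's qualifiers: host and port match either
# direction unless narrowed (src_host), and primitives combine with and/not.
def host(name):
    return lambda r: name in (r["src"], r["dst"])

def src_host(name):
    return lambda r: r["src"] == name

def port(p):
    return lambda r: p in (r["sport"], r["dport"])

def proto(p):
    return lambda r: r["proto"] == p.upper()

def not_(pred):
    return lambda r: not pred(r)

def all_of(*preds):
    return lambda r: all(p(r) for p in preds)


def capture(text, pred=lambda r: True):
    """Parse every line and keep the records the predicate accepts."""
    recs = (parse_line(l) for l in text.splitlines() if l.strip())
    return [r for r in recs if r and pred(r)]


if __name__ == "__main__":
    # "host A and B": tcpdump repeats the host qualifier for the second operand.
    both = capture(SAMPLE_DUMP, all_of(host("DT2305.raughs.com"),
                                       host("lt312-shiva.raughs.com")))
    # "not arp and not port ssh", the second entry in the Examples list above.
    quiet = capture(SAMPLE_DUMP, all_of(not_(proto("arp")), not_(port("ssh"))))
    for r in both:
        print(r["ts"], r["proto"], f'{r["src"]}:{r["sport"]} -> {r["dst"]}:{r["dport"]}')
    print(len(quiet), "records that are neither ARP nor SSH")
```

One thing the parsed records make obvious that the raw lines hide in noise: the session between DT2305 and lt312-shiva is telnet, so everything typed in it, the login included, crosses eth0 in the clear for any sniffer on the segment to read. That is the practical answer to "when should you use tcpdump": to see what your own hosts are actually sending.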


COMMAND: tcpdump

  $ tcpdump -v host 172.22.64.24 and 172.22.66.66
  16:14:21.758115 IP (tos 0x0, ttl 128, id 55623, offset 0, flags [DF], proto: TCP (6), length: 40) lt312-shiva.raughs.com.indx-dds > DT2305.raughs.com.telnet: ., cksum 0xc139 (correct), ack 2149207914 win 64128
  16:14:21.759034 IP (tos 0x10, ttl  64, id 59643, offset 0, flags [DF], proto: TCP (6), length: 120) DT2305.raughs.com.telnet > lt312-shiva.raughs.com.indx-dds: P 1:81(80) ack 0 win 5840
  16:14:21.976812 IP (tos 0x0, ttl 128, id 55624, offset 0, flags [DF], proto: TCP (6), length: 40) lt312-shiva.raughs.com.indx-dds > DT2305.raughs.com.telnet: ., cksum 0xbb6a (correct), ack 81 win 65535
  16:14:41.787890 IP (tos 0x0, ttl 128, id 55630, offset 0, flags [DF], proto: TCP (6), length: 41) lt312-shiva.raughs.com.indx-dds > DT2305.raughs.com.telnet: P, cksum 0xb861 (correct), 0:1(1) ack 81 win 65535
  16:14:41.788057 IP (tos 0x10, ttl  64, id 59644, offset 0, flags [DF], proto: TCP (6), length: 42) DT2305.raughs.com.telnet > lt312-shiva.raughs.com.indx-dds: P, cksum 0xa49c (correct), 81:83(2) ack 1 win 5840 [telnet DMARK]


COMMAND: tcpdump

  $ tcpdump -v ip host 172.22.64.24 and 172.22.66.66
  16:16:48.979968 IP (tos 0x0, ttl 128, id 56223, offset 0, flags [DF], proto: TCP (6), length: 40) lt312-shiva.raughs.com.indx-dds > DT2305.raughs.com.telnet: ., cksum 0x5f05 (correct), ack 2149231438 win 64958
  16:16:48.981075 IP (tos 0x10, ttl  64, id 60085, offset 0, flags [DF], proto: TCP (6), length: 120) DT2305.raughs.com.telnet > lt312-shiva.raughs.com.indx-dds: P 1:81(80) ack 0 win 5840
  16:16:49.198640 IP (tos 0x0, ttl 128, id 56224, offset 0, flags [DF], proto: TCP (6), length: 40) lt312-shiva.raughs.com.indx-dds > DT2305.raughs.com.telnet: ., cksum 0x5f05 (correct), ack 81 win 64878
  16:17:38.207505 IP (tos 0x0, ttl 128, id 56228, offset 0, flags [DF], proto: TCP (6), length: 41) lt312-shiva.raughs.com.indx-dds > DT2305.raughs.com.telnet: P, cksum 0x5bfc (correct), 0:1(1) ack 81 win 64878
  16:17:38.207684 IP (tos 0x10, ttl  64, id 60086, offset 0, flags [DF], proto: TCP (6), length: 42) DT2305.raughs.com.telnet > lt312-shiva.raughs.com.indx-dds: P, cksum 0x45a6 (correct), 81:83(2) ack 1 win 5840 [telnet DMARK]


COMMAND: nmap -v tbyte

nmap

  1. What does the nmap command do?
  2. command familiarity
    1. nmap <IPAddress>
  3. Can you understand the structure of the output of the nmap command?
  4. When should you use the nmap command?
  5. Mapping of the flow of communication with the Layers for this command?

nmap

“network exploration tool and security scanner”. nmap is a very advanced network tool used to query machines (local or remote) as to whether they are up and what ports are open on these machines.

A simple usage example:

nmap machine_name

This queries machine_name as to what ports it keeps open (give your own hostname to see what your own machine exposes). nmap is a very powerful tool; documentation is available on the nmap site as well as in the manual page.

  $ nmap -v tbyte
  Starting Nmap 4.00 ( http://www.insecure.org/nmap/ ) at 2007-06-02 16:25 IST
  Initiating ARP Ping Scan against 172.22.66.145 [1 port] at 16:25
  The ARP Ping Scan took 0.03s to scan 1 total hosts.
  DNS resolution of 1 IPs took 0.00s. Mode: Async [#: 2, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
  Initiating SYN Stealth Scan against 172.22.66.145 [1672 ports] at 16:25
  Discovered open port 22/tcp on 172.22.66.145
  Discovered open port 21/tcp on 172.22.66.145
  Discovered open port 80/tcp on 172.22.66.145
  Discovered open port 23/tcp on 172.22.66.145
  Discovered open port 139/tcp on 172.22.66.145
  Discovered open port 6000/tcp on 172.22.66.145
  Discovered open port 5802/tcp on 172.22.66.145
  Discovered open port 111/tcp on 172.22.66.145
  Discovered open port 5902/tcp on 172.22.66.145
  Discovered open port 445/tcp on 172.22.66.145
  Discovered open port 6002/tcp on 172.22.66.145
  The SYN Stealth Scan took 0.11s to scan 1672 total ports.
  Host 172.22.66.145 appears to be up ... good.
  Interesting ports on 172.22.66.145:
  (The 1661 ports scanned but not shown below are in state: closed)
  PORT     STATE SERVICE
  21/tcp   open  ftp
  22/tcp   open  ssh
  23/tcp   open  telnet
  80/tcp   open  http
  111/tcp  open  rpcbind
  139/tcp  open  netbios-ssn
  445/tcp  open  microsoft-ds
  5802/tcp open  vnc-http-2
  5902/tcp open  vnc-2
  6000/tcp open  X11
  6002/tcp open  X11:2
  MAC Address: 00:0F:1F:6C:6F:ED (WW Pcba Test)

  Nmap finished: 1 IP address (1 host up) scanned in 0.477 seconds
                 Raw packets sent: 1673 (66.9KB) | Rcvd: 1673 (77KB)

COMMAND: nmap

$nmap -sS -O tbyte.raughs.com/24

Starting Nmap 4.00 ( http://www.insecure.org/nmap/ ) at 2007-06-02 16:26 IST

Initiating ARP Ping Scan against 256 hosts [1 port/host] at 16:26

The ARP Ping Scan took 0.64s to scan 256 total hosts.

DNS resolution of 178 IPs took 13.00s. Mode: Async [#: 2, OK: 148, NX: 26, DR: 4, SF: 0, TR: 315, CN: 0]

Initiating SYN Stealth Scan against 5 hosts [1672 ports/host] at 16:26

Discovered open port 3389/tcp on 172.22.66.9

Discovered open port 3389/tcp on 172.22.66.3

Discovered open port 3389/tcp on 172.22.66.5

Discovered open port 3389/tcp on 172.22.66.7

Discovered open port 135/tcp on 172.22.66.3

Discovered open port 135/tcp on 172.22.66.5

Discovered open port 135/tcp on 172.22.66.7

Discovered open port 5900/tcp on 172.22.66.3

Discovered open port 5900/tcp on 172.22.66.7

Discovered open port 139/tcp on 172.22.66.3

Discovered open port 139/tcp on 172.22.66.5

Discovered open port 139/tcp on 172.22.66.7

Discovered open port 445/tcp on 172.22.66.3

Discovered open port 445/tcp on 172.22.66.5

Discovered open port 445/tcp on 172.22.66.7

Discovered open port 5800/tcp on 172.22.66.3

Discovered open port 5800/tcp on 172.22.66.7

Completed SYN Stealth Scan against 172.22.66.7 in 2.36s (4 hosts left)

Discovered open port 5001/tcp on 172.22.66.3

Completed SYN Stealth Scan against 172.22.66.3 in 8.82s (3 hosts left)

Completed SYN Stealth Scan against 172.22.66.5 in 9.58s (2 hosts left)

Discovered open port 139/tcp on 172.22.66.9

Discovered open port 139/tcp on 172.22.66.4

Discovered open port 445/tcp on 172.22.66.9

Discovered open port 445/tcp on 172.22.66.4

Completed SYN Stealth Scan against 172.22.66.9 in 27.97s (1 host left)

The SYN Stealth Scan took 32.45s to scan 8360 total ports.

For OSScan assuming port 135 is open, 1 is closed, and neither are firewalled

Host dt2778-rajeev.raughs.com (172.22.66.3) appears to be up … good.

Interesting ports on dt2778-rajeev.raughs.com (172.22.66.3):

(The 1665 ports scanned but not shown below are in state: closed)

PORT     STATE SERVICE

135/tcp  open  msrpc

139/tcp  open  netbios-ssn

445/tcp  open  microsoft-ds

3389/tcp open  ms-term-serv

5001/tcp open  commplex-link

5800/tcp open  vnc-http

5900/tcp open  vnc

MAC Address: 00:14:C2:0B:CA:25 (Hewlett Packard)

Device type: general purpose

Running: Microsoft Windows 2003/.NET|NT/2K/XP

OS details: Microsoft Windows 2003 Server or XP SP2

TCP Sequence Prediction: random

Difficulty=9999999 (Good luck!)

IPID Sequence Generation: Incremental

Warning:  OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port

For OSScan assuming port 139 is open, 43002 is closed, and neither are firewalled

Host dt4921-qualcomm.raughs.com (172.22.66.4) appears to be up … good.

Interesting ports on dt4921-qualcomm.raughs.com (172.22.66.4):

(The 1670 ports scanned but not shown below are in state: filtered)

PORT    STATE SERVICE

139/tcp open  netbios-ssn

445/tcp open  microsoft-ds

MAC Address: 00:0F:FE:8A:F0:C9 (G-pro Computer)

Device type: general purpose

Running: Microsoft Windows 2003/.NET|NT/2K/XP

OS details: Microsoft Windows 2003 Server or XP SP2, Microsoft Windows 2000 SP4 or XP SP1

TCP Sequence Prediction: random

Difficulty=9999999 (Good luck!)

IPID Sequence Generation: Incremental

For OSScan assuming port 135 is open, 1 is closed, and neither are firewalled

Host 172.22.66.5 appears to be up … good.

Interesting ports on 172.22.66.5:

(The 1668 ports scanned but not shown below are in state: closed)

PORT     STATE SERVICE

135/tcp  open  msrpc

139/tcp  open  netbios-ssn

445/tcp  open  microsoft-ds

3389/tcp open  ms-term-serv

MAC Address: 00:13:72:A3:BF:93 (Dell)

Device type: general purpose

Running: Microsoft Windows 2003/.NET|NT/2K/XP

OS details: Microsoft Windows 2003 Server or XP SP2

TCP Sequence Prediction: random

Difficulty=9999999 (Good luck!)

IPID Sequence Generation: Incremental

For OSScan assuming port 135 is open, 1 is closed, and neither are firewalled

….
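As an added example (not part of the lab handout), the following Python parses the verbose output shown above into a per-host list of open ports and flags the services a reviewer would look at first; the sample text is constructed from the page's own scan lines, and the review list is this example's assumption, not nmap data.

```python
import re
from collections import defaultdict

# Added example, not from the lab: turn verbose nmap output into a per-host
# port list and flag services a defender would want to review first.

# Reviewer's list (an assumption of this example, not nmap's own data):
# cleartext or unauthenticated protocols that appeared in the lab's scans.
REVIEW = {21: "ftp (cleartext)", 23: "telnet (cleartext)",
          139: "netbios-ssn", 445: "microsoft-ds",
          5900: "vnc", 5902: "vnc", 6000: "X11 (no auth by default)", 6002: "X11"}

DISCOVERED = re.compile(r"Discovered open port (\d+)/(tcp|udp) on (\S+)")

def parse_open_ports(output):
    """Return {host: sorted [(port, proto)]} from 'Discovered open port' lines."""
    found = defaultdict(set)
    for m in DISCOVERED.finditer(output):
        port, proto, host = m.groups()
        found[host].add((int(port), proto))
    return {h: sorted(p) for h, p in found.items()}

def review(open_ports):
    """Return [(host, port, note)] for open TCP ports on the review list."""
    flagged = []
    for host, ports in sorted(open_ports.items()):
        for port, proto in ports:
            if proto == "tcp" and port in REVIEW:
                flagged.append((host, port, REVIEW[port]))
    return flagged

# Constructed sample in the format of the second scan above.
SAMPLE = """\
Initiating SYN Stealth Scan against 5 hosts [1672 ports/host] at 16:26
Discovered open port 3389/tcp on 172.22.66.9
Discovered open port 3389/tcp on 172.22.66.3
Discovered open port 135/tcp on 172.22.66.3
Discovered open port 5900/tcp on 172.22.66.3
Discovered open port 139/tcp on 172.22.66.9
Discovered open port 445/tcp on 172.22.66.9
Completed SYN Stealth Scan against 172.22.66.3 in 8.82s (3 hosts left)
"""

if __name__ == "__main__":
    ports = parse_open_ports(SAMPLE)
    for host, plist in ports.items():
        print(host, [f"{n}/{t}" for n, t in plist])
    for host, port, note in review(ports):
        print(f"review: {host}:{port} {note}")
```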

_______________________________________________________________

COMMAND ping

ping

29.  What does the ping command do?

30.  command familiarity

  1. ping <hostname>
  2. ping <IPAddress>

31.  Can you understand the structure of the output of the ping command?

32.  When should you use the ping command?

33.  Mapping of the flow of communication with the Layers for this command

ping

The ping command (named after the sound of an active sonar system) sends echo requests to the host you specify on the command line, and lists the responses received along with their round-trip time.

You simply use ping as:

ping ip_or_host_name

Note: to stop ping (otherwise it goes on forever) use CTRL-C (break).
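As an added illustration of what ping puts on the wire (not from the lab), this Python builds an ICMP Echo Request with its RFC 1071 checksum and validates the Echo Reply the way ping does before printing a round-trip time; the reply is constructed locally, since sending real ICMP needs a raw socket, and the identifier and payload values are made up.

```python
import struct
import time

# Added example, not from the lab: the ICMP echo exchange behind ping.

def icmp_checksum(data):
    # RFC 1071: one's-complement sum of 16-bit words, padded to even length
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_echo_request(ident, seq, payload=b"lab"):
    # type 8 (Echo Request), code 0, checksum placeholder, identifier, sequence
    hdr = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    csum = icmp_checksum(hdr + payload)
    return struct.pack("!BBHHH", 8, 0, csum, ident, seq) + payload

def parse_echo_reply(packet, ident):
    """Return (seq, payload) if this is a valid Echo Reply to our id, else None."""
    if len(packet) < 8 or icmp_checksum(packet) != 0:
        return None                    # too short or checksum does not verify
    typ, code, _, pid, seq = struct.unpack("!BBHHH", packet[:8])
    if typ != 0 or code != 0 or pid != ident:
        return None                    # not an Echo Reply, or someone else's
    return seq, packet[8:]

def make_reply(request):
    # Constructed stand-in for the target host: type 0, same id/seq/payload
    body = request[4:]
    csum = icmp_checksum(struct.pack("!BBH", 0, 0, 0) + body)
    return struct.pack("!BBH", 0, 0, csum) + body

def ping_once(ident=0x1A2B, seq=1):
    # Real ping sends req over a raw socket; here the reply is constructed
    sent = time.monotonic()
    req = build_echo_request(ident, seq)
    reply = make_reply(req)
    rtt_ms = (time.monotonic() - sent) * 1000
    return parse_echo_reply(reply, ident), rtt_ms

if __name__ == "__main__":
    result, rtt = ping_once()
    print("icmp_seq=%d payload=%r time=%.3f ms" % (result[0], result[1], rtt))
```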

Please note:

Using ping/smbmount/ssh or other UNIX system programs with a computer name rather than an IP address will only work if you have the computer listed in your /etc/hosts file. Here is an example:

192.168.1.100 new

This line says that there is a computer called “new” with IP address 192.168.1.100. Now that it exists in the /etc/hosts file I don’t have to type the IP address anymore, just the name “new”.

___________________________________________________________________

COMMAND dig

  1. dig
    1. What does the dig command do?
    2. command familiarity
      1. dig <hostname>
      2. dig <IPAddress>
  2. Can you understand the structure of the output of the dig command?
  3. When should you use the dig command?
  4. Mapping of the flow of communication with the Layers for this command?

dig [@server] [options] [name] [type] [class] [query-options]

dig @server name type

dig -h

The dig command is used to query DNS servers; it is more flexible than the deprecated nslookup command. When invoked with just the -h option, it displays a list of options for the command. If you use it without any options or arguments, it will search for the root server. The standard arguments are:

server

The server to query. If no server is supplied, dig will check the nameservers listed in /etc/resolv.conf. The address may be an IPv4 dotted address or an IPv6 colon-delimited address. It may also be a hostname, which dig will resolve (through the nameservers in /etc/resolv.conf).

name

The domain name to look up.

type

The type of query to perform, such as A, ANY, MX, SIG, and so forth. The default is A, but you may use any valid BIND9 query type.

Options

You may use the following option flags with dig:

-b address

Set the source IP address for the query.

-c class

Set the class of query. The default value is IN (internet), but you can choose HS for Hesiod or CH for CHAOSNET.

-f filename

Operate in batch mode, performing the queries in the file you specify.

-p portnumber

Choose the port number for the query. The default value is the standard DNS port, 53.

-t type

Set the type of query, as with the query argument. The default value is A, but you may use any valid BIND9 query.

-x addr

Use the -x flag for reverse lookups, specifying an IPv4 or IPv6 address. You do not need the name, class, or type arguments if you use the -x flag.

-k filename

Specify a TSIG keyfile; used for signed transactions. You can also use the -y key, although this is less secure.

-y keyname:keyvalue

Enter the actual key name and value when conducting a signed transaction. Because the key and value can be seen in the output of ps, this is not recommended for use on multiuser systems; use -k instead.

Query options

There are a large number of query options for dig. Each query option is preceded by +, and many have an opposite version beginning with no. For example, the tcp flag is passed as +tcp, and negated with +notcp. Because there are so many options, only a few are discussed here. For greater detail, see the dig manpage.

+tcp, +notcp

Use (or do not use) the TCP protocol instead of the default UDP.

+domain=searchdomain

Perform a search in the domain specified; this is equivalent to using the +search option and having “searchdomain” as the sole entry in the search list or domain directive of /etc/resolv.conf.

+search, +nosearch

Use (or do not use) the search list provided in /etc/resolv.conf. The default is not to use the search list.

+time=t

Timeout for queries, in seconds. The default is 5, and the minimum is 1.

+tries=n

The number of times to retry UDP queries. The default is 3, and the minimum is 1.
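As an added example (not the lab's own material), this Python builds the DNS query that dig sends for `dig @server tbyte.raughs.com A` (plain UDP by default; with +tcp the same message carries a two-byte length prefix) and parses a constructed reply to show where the name, type, class and TTL that dig prints come from; the reply bytes, the query id and the address 192.0.2.10 are made up.

```python
import struct

# Added example, not from the lab: the wire format behind "dig name A".

def encode_name(name):
    # "tbyte.raughs.com" -> b"\x05tbyte\x06raughs\x03com\x00"
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, qtype=1, qid=0x1234, tcp=False):
    # Header: id, flags 0x0100 (recursion desired, as dig sets), 1 question
    msg = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    msg += encode_name(name) + struct.pack("!HH", qtype, 1)  # qclass 1 = IN
    return struct.pack("!H", len(msg)) + msg if tcp else msg  # +tcp framing

def read_name(msg, off):
    """Decode a name at off, following RFC 1035 compression pointers."""
    labels, end = [], None
    while msg[off]:
        if msg[off] & 0xC0 == 0xC0:                 # pointer to earlier name
            end = off + 2 if end is None else end
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
        else:
            n = msg[off]
            labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
            off += 1 + n
    return ".".join(labels) + ".", (end if end is not None else off + 1)

def parse_a_records(msg):
    """Return [(name, ttl, ip)] from the answer section of a DNS response."""
    _, _, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                             # skip echoed question(s)
        _, off = read_name(msg, off)
        off += 4                                    # qtype + qclass
    out = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1:              # A record, class IN
            out.append((name, ttl, ".".join(map(str, msg[off:off + 4]))))
        off += rdlen
    return out

# Constructed reply to build_query("tbyte.raughs.com"): one A record, TTL 300,
# owner name given as a pointer (0xC00C) to the question; address is made up.
REPLY = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
         + encode_name("tbyte.raughs.com") + struct.pack("!HH", 1, 1)
         + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10]))
```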

________________________________________________________________

  1. ifup
    1. What does the ifup command do?
    2. command familiarity
      1. ifup <EthernetInterface_Number>
  2. Can you understand the structure of the output of the ifup command?
  3. When should you use the ifup command?
  4. Mapping of the flow of communication with the Layers for this command?

ifup

Use ifup device-name to bring an interface up by following a script (which will contain your default networking settings). Simply type ifup and you will get help on using the script.

For example typing:

ifup eth0

Will bring eth0 up if it is currently down.

  1. ifdown
    1. What does the ifdown command do?
    2. command familiarity
      1. ifdown <EthernetInterface_Number>
  2. Can you understand the structure of the output of the ifdown command?
  3. When should you use the ifdown command?
  4. Mapping of the flow of communication with the Layers for this command?

ifdown

Use ifdown device-name to bring an interface down using a script (which will contain your default network settings). Simply type ifdown and you will get help on using the script.

For example typing:

ifdown eth0

Will bring eth0 down if it is currently up.

__________________________________________________________________________

  1. ifcfg
    1. What does the ifcfg command do?
    2. command familiarity
      1. ifcfg <EthernetInterface_Number>
  2. Can you understand the structure of the output of the ifcfg command?
  3. When should you use the ifcfg command?
  4. Mapping of the flow of communication with the Layers for this command?

ifcfg

Use ifcfg to configure a particular interface. Simply type ifcfg to get help on using this script.

For example, to change eth0 from 192.168.0.1 to 192.168.0.2 you could do:

ifcfg eth0 del 192.168.0.1
ifcfg eth0 add 192.168.0.2

The first command takes eth0 down and removes that stored IP address and the second one brings it back up with the new address.

_____________________________________________________________________________

  1. ip
    1. What does the ip command do?
    2. command familiarity
      1. ip
  2. Can you understand the structure of the output of the ip command?
  3. When should you use the ip command?
  4. Mapping of the flow of communication with the Layers for this command?

ip is a command that supersedes several older networking commands:

ip addr    -    ifconfig

ip route    -   route

ip neigh    -   arp

______________________________________________________________

COMMAND tracepath

tracepath

  1. What does the traceroute command do?
  2. command familiarity
    1. traceroute <IPAddress>
  3. Can you understand the structure of the output of the traceroute command?
  4. When should you use the traceroute command?

  5. Mapping of the flow of communication with the Layers for this command?

tracepath

tracepath performs a very similar function to traceroute; the main difference is that tracepath doesn’t take complicated options.

Command syntax:

tracepath machine_name_or_ip

_____________________________________________________________

Question and answers:

telnet

What is

  1. telnet?
  2. telnet service
  3. telnet daemon
  4. telnet port number

Command familiarity

  1. telnet <hostname>
  2. telnet <IPAddress>

  1. vi /etc/hosts
    1. What does the /etc/hosts file contain?
    2. Can you locate and list the important information in this file?
    3. When should you edit this file?
    4. When is this file accessed by a program running in the system?
    5. What is the brief structure of the contents of this file?
  2. vi /etc/passwd
    1. What does the /etc/passwd file contain?
    2. When should you edit this file?
    3. What is the brief structure of the contents of this file?
  3. vi /etc/services
    1. What does the /etc/services file contain?
    2. Can you locate and list the important information in this file?
    3. When should you edit this file?
    4. When is this file accessed by a program running in the system?
    5. What is the brief structure of the contents of this file?
  4. cd /etc/init.d
    1. What does this directory contain?
    2. When are files in this directory used by the system?