A Linux User Reference


NETWORK CONFIGURATION

Analysis tools

  • Display network status information
    /bin/netstat

    Print network connections, routing tables, interface statistics, masquerade connections and multicast memberships depending on options used.

    Files relevant to this utility include:

    • /etc/services for service → port translation.
    • /proc/net, under the proc filesystem mount point, from which 'netstat' reads kernel network status information.
    netstat [options]
    
    Common options:
     -r | --route                 Display the kernel routing tables.
     -g | --groups                Display multicast group membership information for IPv4 and IPv6.
     -i | --interface=iface       Display a table of all network interfaces, or of the specified iface.
     -M | --masquerade            Display a list of masqueraded connections.
     -s | --statistics            Display summary statistics for each protocol.
     -v | --verbose               Verbose
     -n | --numeric               Show numerical addresses instead of trying to resolve names
     --numeric-hosts              Show numerical host addresses
     --numeric-ports              Shows numerical port numbers
     -c | --continuous            Cause netstat to print the selected information every second continuously.
     -e | --extend                Display additional information.  Use this option twice for maximum detail.
     -p | --program               Show the PID and name of the program to which each socket belongs.
     -l | --listening             Show only listening sockets.  (These are omitted by default.)
     -a | --all                   Show both listening and non-listening sockets. With the --interfaces
                                  option, show interfaces that are not up.
     -F                           Print routing information from the FIB.  (This is the default.)
     -C                           Print routing information from the route cache.
     -Z | --context               If SELinux enabled print SELinux context.
    

    See man pages for all options.

    Display network statistics for all configured interfaces

    # netstat -i
    Kernel Interface table
    Iface       MTU Met    RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
    eth0       1500   0    15982      0      0      0    15886      0      0      0 BMRU
    eth1       1500   0        0      0      0      0       55      0      0      0 BMRU
    lo        16436   0     7699      0      0      0     7699      0      0      0 LRU
    

    Display routing table, do not resolve names

    # netstat -rn
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
    192.168.0.0     0.0.0.0         255.255.255.252 U         0 0          0 eth1
    81.110.236.0    0.0.0.0         255.255.252.0   U         0 0          0 eth0
    169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth1
    0.0.0.0         81.110.236.1    0.0.0.0         UG        0 0          0 eth0
    

    Display programs using network connections

    # netstat -p
    Active Internet connections (w/o servers)
    Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
    tcp        1      0 cpc1-burn3-0-0-cust31:42102 proxy3.fedoraproject.o:http CLOSE_WAIT  2426/python
    .....
    Active UNIX domain sockets (w/o servers)
    Proto RefCnt Flags       Type       State         I-Node PID/Program name    Path
    unix  15     [ ]         DGRAM                    7011   2036/syslogd        /dev/log
    unix  2      [ ]         DGRAM                    1778   564/udevd           @/org/kernel/udev/udevd
    .....
    unix  3      [ ]         STREAM     CONNECTED     19604  2687/Xorg           /tmp/.X11-unix/X0
    unix  3      [ ]         STREAM     CONNECTED     19603  2877/klauncher [kde
    .....
    

    Show both IPV4 and IPV6 routing tables

    $ netstat -rn -46
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
    0.0.0.0         192.168.0.1     0.0.0.0         UG        0 0          0 wlan0
    192.168.0.0     0.0.0.0         255.255.255.0   U         0 0          0 wlan0
    Kernel IPv6 routing table
    Destination                    Next Hop                   Flag Met Ref Use If
    fe80::/64                      ::                         U    256 0     0 wlan0
    ::/0                           ::                         !n   -1  1   205 lo
    ::1/128                        ::                         Un   0   1     3 lo
    fe80::ba76:3fff:fe24:1c1/128   ::                         Un   0   1     0 lo
    ff00::/8                       ::                         U    256 0     0 wlan0
    ::/0                           ::                         !n   -1  1   205 lo
    

    Show all (-a) sockets and their programs (-p) that are TCP (-t) or UDP (-u) server sockets (-l), do not resolve names (-n)

    $ sudo netstat -plantu
    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
    tcp        0      0 127.0.1.1:53            0.0.0.0:*               LISTEN      1209/dnsmasq    
    tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      767/cupsd       
    tcp        1      0 192.168.0.11:50629      91.189.92.150:80        CLOSE_WAIT  2202/http       
    .....
    

    Display TCP -t, UDP -u statistics

    $ netstat -stu
    IcmpMsg:
        InType0: 1
        OutType3: 9
        OutType8: 1
    Tcp:
        160 active connections openings
        0 passive connection openings
    .....
    Udp:
        1330 packets received
        9 packets to unknown port received.
        0 packet receive errors
    .....
    

    Display interface details in ifconfig style. Note that '-inet' is parsed as the separate flags -i -n -e -t, not as the inet address family, which is why the output below is an interface table; for the IPv4 connection list use '-A inet' (compare the inet6 example below)

    $ netstat -inet
    Kernel Interface table
    eth0      Link encap:Ethernet  HWaddr 20:89:84:46:c1:50  
              UP BROADCAST MULTICAST  MTU:1500  Metric:1
    .....
    
    lo        Link encap:Local Loopback  
              inet addr:127.0.0.1  Mask:255.0.0.0
              inet6 addr: ::1/128 Scope:Host
    .....
    
    wlan0     Link encap:Ethernet  HWaddr b8:76:3f:24:01:c1  
              inet addr:192.168.0.11  Bcast:192.168.0.255  Mask:255.255.255.0
              inet6 addr: fe80::ba76:3fff:fe24:1c1/64 Scope:Link
    .....
    

    Display active IPV6 Non-Server connections

    $ netstat -A inet6
    Active Internet connections (w/o servers)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State    
    

    Summary of TCP statistics

    $ sudo netstat -ts
    IcmpMsg:
        InType0: 1
        OutType3: 9
        OutType8: 1
    Tcp:
        160 active connections openings
    .....
    
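    An added example that is not part of the original reference: it turns the 'netstat -plantu' listing above, together with the point made under lsof that a socket bound to 0.0.0.0 or * accepts connections from other systems, into a check that parses the listing and reports every listening socket bound to a wildcard address. The sample listing is constructed from the lines shown above plus sshd, tcp6 and udp lines added to exercise the wildcard and no-state (UDP) cases.

```python
"""Audit a `netstat -plantu` listing for services reachable from other hosts.

Added example, not from the original reference page.  The sample listing below
is constructed: the dnsmasq/cupsd/http lines are the ones shown on the page,
the sshd, tcp6 and udp lines were added to exercise the wildcard and
no-state (UDP) cases.
"""
from typing import List, NamedTuple

SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.1.1:53            0.0.0.0:*               LISTEN      1209/dnsmasq
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      767/cupsd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      998/sshd
tcp6       0      0 :::22                   :::*                    LISTEN      998/sshd
tcp        1      0 192.168.0.11:50629      91.189.92.150:80        CLOSE_WAIT  2202/http
udp        0      0 0.0.0.0:68              0.0.0.0:*                           -
udp        0      0 127.0.0.1:323           0.0.0.0:*                           1010/chronyd
"""

# Local addresses that mean "bound on every interface": IPv4, IPv6, and the
# '*' form printed by lsof and some netstat builds.
WILDCARD_HOSTS = {"0.0.0.0", "::", "*"}


class Socket(NamedTuple):
    proto: str
    host: str
    port: int
    state: str      # "" for UDP, which has no connection state column
    program: str    # "PID/name", or "-" when netstat could not read it


def split_host_port(addr: str):
    """'127.0.1.1:53' -> ('127.0.1.1', 53); ':::22' -> ('::', 22).

    IPv6 addresses contain ':' themselves, so split on the last one only.
    """
    host, _, port = addr.rpartition(":")
    return host, int(port)


def parse_netstat(text: str) -> List[Socket]:
    """Parse the 'Active Internet connections' table printed by netstat -plantu.

    TCP rows have a State column; UDP rows do not, so the PID/Program field
    sits one column further left.  Rows that do not start with tcp/udp (the
    two header lines) are skipped.
    """
    sockets = []
    for line in text.splitlines():
        f = line.split()
        if not f or not (f[0].startswith("tcp") or f[0].startswith("udp")):
            continue
        host, port = split_host_port(f[3])
        if f[0].startswith("tcp"):
            state = f[5] if len(f) > 5 else ""
            program = f[6] if len(f) > 6 else "-"
        else:
            state = ""
            program = f[5] if len(f) > 5 else "-"
        sockets.append(Socket(f[0], host, port, state, program))
    return sockets


def exposed_listeners(sockets: List[Socket]) -> List[Socket]:
    """Sockets that accept traffic from other systems: a TCP socket in LISTEN,
    or any UDP socket (UDP has no state and always receives), whose local
    address is a wildcard rather than loopback or a specific interface."""
    return [s for s in sockets
            if s.host in WILDCARD_HOSTS
            and (s.state == "LISTEN" or s.proto.startswith("udp"))]


def report(text: str) -> List[str]:
    """One 'proto port program' line per exposed listener, easy to diff over time."""
    return [f"{s.proto} {s.port} {s.program}"
            for s in exposed_listeners(parse_netstat(text))]


if __name__ == "__main__":
    for line in report(SAMPLE_NETSTAT):
        print(line)
```

    Feed it the real output with report(subprocess.check_output(["netstat", "-plantu"], text=True)) and the loopback-only dnsmasq and cupsd sockets drop out while the sshd and dhclient sockets remain.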
  • Dump network traffic
    /usr/sbin/tcpdump

    Command usage

    tcpdump [ options ] [ expression ]
    
    Some options:
     -A                 Print each packet (minus its link level header) in ASCII.  Handy for capturing web pages
     -c <count>         Stop capturing after count number of packets
     -d                 Dump the compiled packet-matching code in a human readable form to stdout and stop
     -ddd               Dump packet-matching code as decimal numbers (preceded with a count)
     -D                 Print the list of the network interfaces on the system and on which tcpdump can capture
     -e                 Print the link-level header on each dump line
     -i <interface>     Listen on interface.  If unspecified, searches the system interface list for the
                        lowest numbered, configured up interface (excluding loopback).  On 2.2 or later
                        kernels '-i any' captures on all interfaces. If the -D flag is supported, an
                        interface number as printed by that flag can be used as the interface argument
     -l                 Make stdout line buffered.  Useful if you want to see the data while capturing it
     -L                 List the known data link types for the interface and exit
     -n                 Don't convert host addresses to names.  This can be used to avoid DNS lookups
     -nn                Don't convert protocol and port numbers to names either
     -r <file>          Read packets from file (which was created with the -w option), '-' for read from stdin
     -s <snaplen>       Capture 'snaplen' bytes of data
     -S                 Print absolute, rather than relative, TCP sequence numbers
     -t                 Don't print a timestamp on each dump line
     -tt                Print an unformatted timestamp on each dump line
     -ttt               Print a delta (in micro-seconds) between current and previous line on each dump line
     -tttt              Print a timestamp in default format preceded by the date on each dump line
     -v -vv -vvv        Verbose, more verbose, even more
     -w <file>          Write out to file
     -X                 When parsing and printing, in addition to printing the headers of each packet, print
                        the data of each packet (minus its link level header) in hex and ASCII
     -XX                When parsing and  printing, in addition to printing the headers of each packet, print
                        the data of each packet, including its link level header, in hex and ASCII
    

    Some expressions:

    not port <num, name>                                   Filter out any traffic using this port
    ip proto \\<proto>                                     Monitor this protocol
    dst <IP | Hostname>                                    Monitor traffic destined to IP/host
    src <IP | Hostname>                                    Monitor traffic originating from IP/host
    host <IP | Hostname>                                   Monitor traffic to-and-from IP/host
    host <IP | Hostname> and (&&) host <IP | Hostname>     Monitor traffic between these two hosts, both ways
    src <IP | Hostname> && dst <IP | Hostname>             Monitor traffic from src to dst (not vice versa)
    

    Display all interfaces that tcpdump can be run on

    # tcpdump -D
    1.eth0
    2.wmaster0
    3.wlan0
    4.any (Pseudo-device that captures on all interfaces)
    5.lo
    

    Old

    $ sudo tcpdump -D
    1.eth0
    2.wlan0
    3.nflog (Linux netfilter log (NFLOG) interface)
    4.nfqueue (Linux netfilter queue (NFQUEUE) interface)
    5.any (Pseudo-device that captures on all interfaces)
    6.lo
    

    Not so old

    Listen on eth0, capture 2 packets, print headers with data in hex and ascii

    # tcpdump -i 1 -X -vv -c 2
    tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
    22:39:26.867647 IP (tos 0x0, ttl 64, id 51754, offset 0, flags [DF], proto TCP (6), \
    length 60) dnssrv.my-home.com.58642 > latrodectus.web.netline.net.uk.www: S,\
    cksum 0x3c62 (correct), 1202805808:1202805808(0) win 5840 <mss 1460,nop,nop,\
    timestamp 497178 0,nop,wscale 9>
        0x0000:  4500 003c ca2a 4000 4006 982a c0a8 0003  E..<.*@.@..*....
        0x0010:  d528 4293 e512 0050 47b1 5c30 0000 0000  .(B....PG.\0....
        0x0020:  a002 16d0 3c62 0000 0204 05b4 0101 080a  ....<b.........
        0x0030:  0007 961a 0000 0000 0103 0309            ..........
    22:39:26.868806 IP (tos 0x0, ttl 64, id 38426, offset 0, flags [DF], proto UDP (17), \
    length 72) dnssrv.my-home.com.45678 > 192.168.0.1.domain: [udp sum ok] 43178+ PTR? \
    147.66.40.213.in-addr.arpa. (44)
        0x0000:  4500 0048 961a 4000 4011 2336 c0a8 0003  E..H..@.@.#6....
        0x0010:  c0a8 0001 b26e 0035 0034 3660 a8aa 0100  .....n.5.46`....
        0x0020:  0001 0000 0000 0000 0331 3437 0236 3602  ........147.66.
        0x0030:  3430 0332 3133 0769 6e2d 6164 6472 0461  40.213.in-addr.a
        0x0040:  7270 6100 000c 0001                      rpa.....
    2 packets captured
    8 packets received by filter
    0 packets dropped by kernel
    

    List known data link types for the interface

    # tcpdump -L -i eth0
    Data link types (use option -y to set):
      DOCSIS (DOCSIS) (not supported)
      EN10MB (Ethernet)
    

    The following examples are from the tcpdump documentation (man page):

    Print all packets arriving at or departing from sundown

    # tcpdump host sundown
    

    Print traffic between helios and either hot or ace

    # tcpdump host helios and \( hot or ace \)
    

    Print IP packets between ace and any host except helios

    # tcpdump ip host ace and not helios
    

    Print all ftp traffic via internet gateway snup

    # tcpdump 'gateway snup and (port ftp or ftp-data)'
    

    Print traffic neither sourced from nor destined for local hosts

    # tcpdump ip and not net localnet
    

    Print IP packets > 576 bytes sent through gateway snup

    # tcpdump 'gateway snup and ip[2:2] > 576'
    

    Print icmp packets only, dump data

    # tcpdump icmp -i eth0 -vx
    

    Print all ICMP packets that are not echo requests/replies i.e., not ping packets

    # tcpdump 'icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply'
    

    Monitor all fred's traffic on eth0 except ssh traffic, capture whole packets

    # tcpdump -i eth0 -v -vv -s0 not port ssh and host fred
    

    Capture all network traffic on eth1 destined to port 80 on 10.2.3.4 and write to file /tmp/web (the filter is quoted so the shell does not treat '&&' as a command separator)

    # tcpdump -i eth1 -w /tmp/web -s0 'dst 10.2.3.4 && dst port 80'
    
  • Trace a network route
    /usr/sbin/traceroute

    Each hop has 3 latency times.

    Command usage

    traceroute[6] [options] host [packet_len]
    
    Some options:
     -I                 Use ICMP ECHO for probes
     -T                 Use TCP SYN for probes
     -U                 Use UDP datagrams for probes (the default). Only the UDP method is allowed for
                        unprivileged users
     -d                 Enable socket level debugging (when the Linux kernel supports it)
     -F                 Set the "Don't Fragment" bit. This tells intermediate routers not to fragment
                        the packet when they find it's too big for a network hop's MTU
     -i interface       Specifies the interface through which traceroute should send packets
     -m max_ttl         Specifies the maximum number of hops (max time-to-live value) traceroute will
                        probe.  The default is 30
     -N squeries        Specifies the number of probe packets sent out simultaneously
     -n                 Do not try to map IP addresses to host names when displaying them
     -p port            For UDP specifies the destination port base traceroute will use
                        For ICMP tracing, specifies the initial icmp sequence value (incremented by
                        each probe too).  For TCP specifies just the (constant) destination port to
                        connect.
     -w waittime        Set the time (in seconds) to wait for a response to a probe (default 5.0 sec)
     -q nqueries        Sets the number of probe packets per hop. The default is 3
    

    Traceroute to 213.236.195.41 using ICMP packets

    # traceroute -I 213.236.195.41
    traceroute to 213.236.195.41 (213.236.195.41), 30 hops max, 40 byte packets
     1  g86local (192.168.0.1)  1.471 ms  1.441 ms  1.432 ms
     2  10.87.80.1 (10.87.80.1)  50.917 ms  54.216 ms  56.465 ms
     3  oldh-t2cam1-a-v128.inet.ntl.com (80.5.165.29)  57.475 ms  57.750 ms  61.145 ms
     4  62.252.192.181 (62.252.192.181)  61.425 ms  61.692 ms  64.477 ms
     5  * * *
     6  gfd-bb-b-so-200-0.inet.ntl.com (62.252.192.94)  73.906 ms  72.030 ms  73.068 ms
    .....
    

    Hop 5 shows '* * *': either the probes were lost or that router has been configured not to respond to this type of ICMP packet.

    Trace the route to a host

    # traceroute www.lpi.org
    traceroute to www.lpi.org (24.215.7.162), 30 hops max, 40 byte packets
     1  10.87.80.1 (10.87.80.1)  49.342 ms  68.865 ms  86.269 ms
     2  oldh-t2cam1-a-v128.inet.ntl.com (80.5.165.29)  95.349 ms  95.581 ms  101.614 ms
     3  62.252.192.181 (62.252.192.181)  102.059 ms  102.293 ms  113.553 ms
     4  man-bb-a-so-020-0.inet.ntl.com (213.105.175.1)  116.182 ms  116.434 ms  129.152 ms
     5  lee-bb-b-so-100-0.inet.ntl.com (62.253.185.194)  129.764 ms  131.689 ms  145.372 ms
    .....
    19  MountainCable-HAM-AAA-unused22.fibrewired.on.ca (216.185.64.22)  121.512 ms  148.872 ms  153.915 ms
    20  24.215.7.110 (24.215.7.110)  172.053 ms  172.954 ms  173.837 ms
    21  clark.lpi.org (24.215.7.162)  174.743 ms  175.170 ms  175.424 ms
    
  • Send ICMP request packets
    /bin/ping

    Send ICMP ECHO_REQUEST packets to network host(s) and receive the ICMP ECHO_RESPONSE packets they return.

    Command usage

    ping [options] destination
    
    Some options:
     -c <count>               Stop after sending <count> number of packets
     -f                       Flood ping: a '.' is printed for every echo request sent and a backspace for
                              every reply received, so dots accumulate for lost packets; 'E' marks an error.
                              If no -i, interval=0. Loss of 1-2% tolerable
     -I <iface>               Set source address, either IP or device
     -i <int>                 Interval between sending echo_requests
     -l <preload>             Ping sends 'preload' number of requests without waiting for a reply
     -n                       Numeric output only, no attempt to name resolve
     -p pattern               Up to 16 "pad" bytes to fill out a packet.
     -s <pktsize>             Number of data bytes to send, default 56. ICMP header=8 => IP payload =
                              56+8 = 64; IP header (no options)=20 => 84 bytes on the wire, shown as 56(84)
     -R                       Records the route
     -r                       Bypass routing tables, send to host directly attached to an interface.
                              Needs -I <interface>
     -W <timeout>             Time to wait for a response (s); only applies while no reply at all has
                              been received, otherwise ping waits 2 x rtt
     -w <deadline>            Exit after <deadline> seconds, whichever of <deadline> or <count> is
                              reached first
    

    Send 3 ICMP echo request packets to host, do not resolve names

    # ping -c 3 -n 81.110.236.1
    PING 81.110.236.1 (81.110.236.1) 56(84) bytes of data.
    64 bytes from 81.110.236.1: icmp_seq=1 ttl=255 time=37.8 ms
    64 bytes from 81.110.236.1: icmp_seq=2 ttl=255 time=59.2 ms
    64 bytes from 81.110.236.1: icmp_seq=3 ttl=255 time=8.39 ms
    --- 81.110.236.1 ping statistics ---
    3 packets transmitted, 3 received, 0% packet loss, time 1999ms
    rtt min/avg/max/mdev = 8.395/35.167/59.277/20.857 ms
    

    Send 3 ICMP echo request packets to host, resolve names if you can, report route

    # ping -c 3 -R 81.110.236.1
    PING 81.110.236.1 (81.110.236.1) 56(124) bytes of data.
    64 bytes from 81.110.236.1: icmp_seq=1 ttl=255 time=24.9 ms
    NOP
    RR:     81.110.239.82
            10.87.80.1
            10.87.80.1
            81.110.239.82
    64 bytes from 81.110.236.1: icmp_seq=2 ttl=255 time=122 ms
    NOP     (same route)
    .....
    

    Bypass routing tables

    # ping -r -I eth0 192.168.0.1
    

    Flood ping with 30 packets

    # ping -f -c 30 192.168.0.1
    PING 192.168.0.1 (192.168.0.1) 56(84) bytes of data.
    .EEEEE...............
    --- 192.168.0.1 ping statistics ---
    30 packets transmitted, 6 received, +6 errors, 80% packet loss, time 228ms
    rtt min/avg/max/mdev = 1.241/1.432/1.717/0.163 ms, pipe 2, ipg/ewma 7.869/1.394 ms
    

    Set size of payload

    # ping -s 100 -c 3 192.168.0.1           (Payload = 100 bytes, 128 inc. headers)
    
  • Diagnosing data-dependent problems in a network

    Data packets should never be treated differently based on the data contained in their data portion (their payload).

    • Find a file that either can't be sent or takes much longer to transfer than other similar files.
    • Examine this file for repeated patterns, then test using the repeated pattern(s) as the payload via the '-p' option of 'ping'.
    • Observe behaviour while transmitting/receiving.

    Capture only ICMP packets plus their data

    # tcpdump icmp -i eth0 -vx
    

    Ping using different payloads

    # ping -p ff 192.168.0.1
    tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
    13:40:42.794533 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1),       \
    length 84) 192.168.0.2 > wireless-router: ICMP echo request, id 33150, seq 1, length 64
     0x0000:  4500 0054 0000 4000 4001 b955 c0a8 0002
     0x0010:  c0a8 0001 0800 edfb 5f7e 0001 c119 7b49
     0x0020:  6821 0600 ffff ffff ffff ffff ffff ffff
     .....
    # ping -p 01ff -c 3 192.168.0.1
     .....
     0x0000:  4500 0054 b7db 0000 ff01 8279 c0a8 0001
     0x0010:  c0a8 0002 0000 3a6b d37e 0003 ce1b 7b49
     0x0020:  76c5 0200 01ff 01ff 01ff 01ff 01ff 01ff
     .....
    
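    An added example, not from the original reference, for the procedure above: it reassembles the packet from the 'tcpdump -x' hex lines, strips the IP and ICMP headers and the timestamp ping writes at the start of its data, and checks that the rest is the '-p' pattern repeated; it also picks candidate patterns out of a file. It assumes the 8-byte timestamp seen in the captures above (64-bit ping builds store 16) and uses the page's own captures for -p ff and -p 01ff as input.

```python
"""Check that `ping -p <pattern>` really put the pattern on the wire.

Added example, not from the original reference page.  Assumptions: ping's
timestamp at the start of the ICMP data is 8 bytes, as in the page's
captures (64-bit builds store 16); the two dumps are the page's own captures.
"""
import re
from collections import Counter
from typing import List, Tuple

ICMP_HEADER_LEN = 8
PING_TIMESTAMP_LEN = 8   # assumption: struct timeval of the page's 32-bit ping
MAX_PATTERN_BYTES = 16   # ping -p accepts at most 16 pad bytes (32 hex digits)
HEX_TOKEN = re.compile(r"[0-9a-fA-F]{4}|[0-9a-fA-F]{2}")

DUMP_FF = """\
13:40:42.794533 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84) 192.168.0.2 > wireless-router: ICMP echo request, id 33150, seq 1, length 64
 0x0000:  4500 0054 0000 4000 4001 b955 c0a8 0002
 0x0010:  c0a8 0001 0800 edfb 5f7e 0001 c119 7b49
 0x0020:  6821 0600 ffff ffff ffff ffff ffff ffff
"""

DUMP_01FF = """\
 0x0000:  4500 0054 b7db 0000 ff01 8279 c0a8 0001
 0x0010:  c0a8 0002 0000 3a6b d37e 0003 ce1b 7b49
 0x0020:  76c5 0200 01ff 01ff 01ff 01ff 01ff 01ff
"""


def parse_tcpdump_hex(dump: str) -> bytes:
    """Reassemble packet bytes from lines of the form '0x0010:  c0a8 0001 ...'.

    Other lines (the packet summary) are ignored.  With -X, reading stops at
    the first token that is not 2 or 4 hex digits, i.e. the ASCII column.
    """
    tokens = []
    for line in dump.splitlines():
        offset, sep, rest = line.partition(":")
        if not sep or not offset.strip().lower().startswith("0x"):
            continue
        for tok in rest.split():
            if HEX_TOKEN.fullmatch(tok) is None:
                break
            tokens.append(tok)
    return bytes.fromhex("".join(tokens))


def icmp_data(packet: bytes) -> bytes:
    """ICMP data after the IP header (length from the IHL nibble) and ICMP header."""
    if packet[9] != 1:                       # IP protocol field: 1 = ICMP
        raise ValueError("not an ICMP packet")
    ihl = (packet[0] & 0x0F) * 4
    return packet[ihl + ICMP_HEADER_LEN:]


def pattern_bytes_verified(packet: bytes, pattern: bytes,
                           ts_len: int = PING_TIMESTAMP_LEN) -> int:
    """Number of pad bytes after the timestamp that match the repeated pattern,
    or -1 on the first mismatch.  ping fills the whole data area with the
    pattern and then overwrites its first ts_len bytes with the timestamp, so
    the byte expected at data offset i is pattern[i % len(pattern)]."""
    data = icmp_data(packet)
    for i in range(ts_len, len(data)):
        if data[i] != pattern[i % len(pattern)]:
            return -1
    return max(0, len(data) - ts_len)


def ping_pattern_arg(pattern: bytes) -> str:
    """The hex string to hand to `ping -p`; rejects sizes ping cannot take."""
    if not 1 <= len(pattern) <= MAX_PATTERN_BYTES:
        raise ValueError("ping -p takes 1 to 16 bytes")
    return pattern.hex()


def repeated_patterns(data: bytes, width: int, top: int = 3) -> List[Tuple[bytes, int]]:
    """Most frequent `width`-byte substrings that occur more than once:
    candidates for the -p pattern when a file transfers badly."""
    counts = Counter(bytes(data[i:i + width]) for i in range(len(data) - width + 1))
    return [(p, n) for p, n in counts.most_common(top) if n > 1]


# Constructed sample "file": mostly a 2-byte repeat, which -p can reproduce exactly.
SAMPLE_FILE = b"\x00" * 10 + b"\x01\xff" * 20 + b"abc"

if __name__ == "__main__":
    print(pattern_bytes_verified(parse_tcpdump_hex(DUMP_FF), bytes.fromhex("ff")))
    print(pattern_bytes_verified(parse_tcpdump_hex(DUMP_01FF), bytes.fromhex("01ff")))
    for pat, n in repeated_patterns(SAMPLE_FILE, 2):
        print(f"{n} x {pat.hex()} -> ping -p {ping_pattern_arg(pat)} <host>")
```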
  • List open files
    /usr/bin/lsof

    Command usage

    lsof [options] [names]
    

    Show all files open, number each line of output

    # lsof | nl
    

    Who and what is using /etc/passwd

    # lsof /etc/passwd
    COMMAND    PID USER   FD   TYPE DEVICE SIZE  NODE NAME
    python    6248 mark    9r   REG    8,5 1734 17763 /etc/passwd
    soffice.b 6385 mark   41r   REG    8,5 1734 17763 /etc/passwd
    

    Who and what is using device

    # lsof /dev/sda8
    

    Which PIDs are using the apache binary

    # lsof -t $(which apache2)
    

    Which files are opened by processes whose command name starts with k

    # lsof -c k
    

    List files opened by processes starting with cou excluding user ann

    # lsof -c cou -u ^ann
    

    List files opened by user apache and zahn

    # lsof -u apache,zahn
    

    List files using PID 30297

    # lsof +p 30297
    

    List all opened instances of /tmp, all files and sub dirs

    # lsof +D /tmp
    

    List all open internet sockets

    # lsof -i
    

    List all open internet sockets that use port 80

    # lsof -i :80
    

    List all open internet and Unix domain files

    # lsof -i -U
    

    List process(s) using UDP to/from www.akadia.com at port 123 (ntp)

    # lsof -iUDP@www.akadia.com:123
    

    List all deleted files that are still open

    # lsof +L1
    

    Lists all network files opened by the user www-data

    # lsof -a -i -u www-data
    

    List open internet sockets, do not convert port numbers to service names (-P)

    # lsof -i -P | grep sshd
    sshd  5125  root  3u  IPv4  14008  TCP *:22 (LISTEN)
    

    'sshd' is bound to the 0.0.0.0 address (indicated by the * preceding the port number) => it will accept connections from other systems.

  • TCP/IP swiss army knife
    /bin/nc, netcat
    • Reads and writes data across network connections using TCP or UDP protocol.
    • 'netcat' - a symbolic link to 'nc', the two are synonymous.
    • On Debian this tool is not installed by default - 'sudo apt-get install netcat netcat6' to use.
    nc [-options] hostname port[s] [ports] ...
    nc -l -p port [-options] [hostname] [port]
    
    Options:
     -c string             Specify shell commands to exec after connect, 
                           'string' is passed to /bin/sh -c for execution
     -e filename           Specify filename to exec after connect
     -g gateway            Source-routing hop point[s], up to 8
     -G num                Source-routing pointer: 4, 8, 12, ...
     -h                    Display help
     -i secs               Delay interval for lines sent, ports scanned
     -l                    Listen mode, for inbound connects
     -n                    Numeric-only IP addresses, no DNS
     -o file               Hex dump of traffic
     -p port               Local port number (port numbers can be individual
                           or ranges: lo-hi [inclusive])
     -q seconds            After EOF on stdin, wait the specified number of
                           seconds and then quit.
     -b                    Allow UDP broadcasts
     -r                    Randomise local and remote ports
     -s addr               Local source address
     -t                    Enable telnet negotiation
     -u                    UDP mode
     -v                    Verbose [use twice to be more verbose]
     -w secs               Timeout for connects and final net reads
     -z                    Zero-I/O mode [used for scanning]
     -T type               Set TOS flag, type may be one of "Minimise-Delay", 
                           "Maximise-Throughput", "Maximise-Reliability" 
                           or "Minimise-Cost"
    

    Use for chatting

    $ nc -l 3333                   (On server, set 'nc' to listen to 3333 TCP port)
    $ nc 192.168.0.1 3333          (On the client,  connect to the server and chat away)
    

    Use to transfer files

    $ cat backup.iso | nc -l 3333                    (On server)
    $ nc 192.168.0.1 3333 > backup.iso               (On client, receive backup.iso)
    

    Use a pipe-monitoring utility like pv

    $ cat backup.iso | pv -b | nc -l 3333            (On server)
    $ nc 192.168.0.1 3333 | pv -b > backup.iso       (On client)
    

    Compress files on server

    $ tar -czf - /etc/ | nc -l 3333                  (On server)
    $ nc 192.168.0.1 3333 | pv -b > mybckup.tar.gz   (On client)
    

    Use for a secure connection

    $ cat backup.iso | nc -l 3333                    (On server)
                                                     (On client, connect via an SSH tunnel)
    $ ssh -f -L 23333:127.0.0.1:3333 me@192.168.0.1 sleep 10; \
    nc 127.0.0.1 23333 | pv -b > backup.iso
    

    Use as a Port Scanner

    # nc -zvvu 192.168.0.5 20-30
    192.168.0.5: inverse host lookup failed: Unknown server error : Connection timed out
    (UNKNOWN) [192.168.0.5] 30 (?) : Connection refused
    (UNKNOWN) [192.168.0.5] 21 (fsp) open
    (UNKNOWN) [192.168.0.5] 20 (?) open
    ..... 
    

    Connecting to a webserver

    # netcat webserver.co.uk 80       (Connect to a webserver)
    GET /                             (Get the default web page)
    .....
    
    # netcat apache 80                (Connect to a web server)
    gdhgas                            (Type gibberish)
    .....                             (Some servers return server and other info)
    

    Manually retrieve mail

    # netcat mail.company.com 110
    .....
    USER <uname>                      (Typed command)
    +OK
    PASS <password>                   (Typed command)
    +OK ready
    LIST                              (Typed command)
    +OK 4 messages (31227)
    .....
    RETR 1                            (Typed command)
    .....                             (Type RETR 3 to read the 3rd. mail)
    QUIT
    
  • Trace system calls
    /usr/bin/strace
    • Trace system calls, see exactly what an application is doing. See man pages.
    • Configuration files: /etc/strace.conf and/or ~/.strace.conf
    strace [options] cmd [args]
    
    Common options:
     -f                     Traces child processes
     -o <output file>       Write the trace output to the file instead of stderr
    

    Trace system calls made by ping

    # strace ping -c 3 g86local
    execve("/bin/ping", ["ping", "-c", "3", "g86local"], [/* 21 vars */]) = 0
    brk(0)                                  = 0x809000
    mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2aaaaaaab000
    .....
    write(1, "rtt min/avg/max/mdev = 0.399/0.7"..., 50rtt min/avg/max/mdev = 0.399/0.790/1.551/0.538 ms
    ) = 50
    exit_group(0)                           = ?
    
  • DNS lookup utility
    /usr/bin/dig

    Command usage

    dig [options] hostname
    
    Some options:
     +[no]short           Provide a terse answer. The default is to print the answer in a verbose form.
     +[no]identify        Show [or do not show] the IP address and port number that supplied the answer
                          when the +short option is enabled. If short form answers are requested, the 
                          default is not to show the source address and port number of the server that
                          provided the answer.
     +domain=somename     Set the search list to contain the single domain somename, as if specified in
                          a domain directive in /etc/resolv.conf and enable search list processing as
                          if the +search option were given.
     +[no]search          Use [do not use] the search list defined by the searchlist or domain directive
                          in resolv.conf (if any). The search list is not used by default.
     +[no]recurse         Toggle the setting of the RD (recursion desired) bit in the query. This bit is
                          set by default, which means dig normally sends recursive queries. Recursion is
                          automatically disabled when the +nssearch or +trace query options are used.
     +[no]nssearch        When this option is set, dig attempts to find the authoritative name servers 
                          for the zone containing the name being looked up and display the SOA record
                          that each name server has for the zone.
     +[no]trace           Toggle tracing of the delegation path from the root name servers for the name
                          being looked up. Tracing is disabled by default. When tracing is enabled, dig
                          makes iterative queries to resolve the name being looked up. It will follow 
                          referrals from the root servers, showing the answer from each server that was
                          used to resolve the lookup.
     +[no]cmd             Toggles the printing of the initial comment in the output identifying the 
                          version of dig and the query options that have been applied. This comment is 
                          printed by default.
     +[no]qr              Print [do not print] the query as it is sent. Default = do not print.
    

    Typical use

    $ dig @<server> <name> <type> 
                                  (or)
    $ dig hostname
    

    Get the MX records for a domain

    $ dig ntl.com MX
    .....
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 4
    
    ;; QUESTION SECTION:
    ;ntl.com.            IN    MX
    
    ;; ANSWER SECTION:
    ntl.com.        69101    IN    MX    10 mailrelay04.ntl.com.
    ntl.com.        69101    IN    MX    10 mailrelay01.ntl.com.
    ntl.com.        69101    IN    MX    10 mailrelay02.ntl.com.
    ntl.com.        69101    IN    MX    10 mailrelay03.ntl.com.
    .....
    

    Do a reverse lookup

    $ dig -x 193.38.119.34
    .....
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
    
    ;; QUESTION SECTION:
    ;34.119.38.193.in-addr.arpa.    IN    PTR
    
    ;; ANSWER SECTION:
    34.119.38.193.in-addr.arpa. 28800 IN    PTR    tw-smtp-04.telewest.co.uk.
    .....
    

    Multiple lookups

    An ANY query for www.isc.org, a reverse lookup of 127.0.0.1 and a query for the NS records of isc.org.

    dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
    

    A global query option of '+qr' is applied, so that 'dig' shows the initial query it made for each lookup.

    The final query has a local query option of '+noqr' which means that 'dig' will not print the initial query when it looks up the NS records for isc.org.

    Control the amount of data displayed

    $ dig www.lpi.org
    ; <<>> DiG 9.5.1-P2.1 <<>> www.lpi.org
    ;; global options:  printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36480
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
    
    ;; QUESTION SECTION:
    ;www.lpi.org.           IN  A
    
    ;; ANSWER SECTION:
    www.lpi.org.        3580    IN  A   24.215.7.162
    
    ;; Query time: 9 msec
    ;; SERVER: 192.168.0.1#53(192.168.0.1)
    ;; WHEN: Fri Apr  2 17:20:02 2010
    ;; MSG SIZE  rcvd: 45
    
    $ dig +nocmd +noquestion +nocomments +nostats +qr www.lpi.org
    www.lpi.org.        3486    IN  A   24.215.7.162
    
    $ dig +identify +short www.lpi.org
    24.215.7.162 from server 192.168.0.1 in 11 ms.
    
    $ dig +short www.lpi.org
    24.215.7.162
    

    Get the address(es) for yahoo.com

    $ dig yahoo.com A +noall +answer
    
    ; <<>> DiG 9.9.3-rpz2+rl.13214.22-P2-Ubuntu-1:9.9.3.dfsg.P2-4ubuntu1 <<>> yahoo.com A +noall +answer
    ;; global options: +cmd
    yahoo.com.      296 IN  A   98.139.183.24
    yahoo.com.      296 IN  A   206.190.36.45
    yahoo.com.      296 IN  A   98.138.253.109
    

    Get a list of yahoo's mail servers

    $ dig yahoo.com MX +noall +answer
    
    ; <<>> DiG 9.9.3-rpz2+rl.13214.22-P2-Ubuntu-1:9.9.3.dfsg.P2-4ubuntu1 <<>> yahoo.com MX +noall +answer
    ;; global options: +cmd
    yahoo.com.      1308    IN  MX  1 mta6.am0.yahoodns.net.
    yahoo.com.      1308    IN  MX  1 mta5.am0.yahoodns.net.
    yahoo.com.      1308    IN  MX  1 mta7.am0.yahoodns.net.
    

    Get a list of DNS servers authoritative for yahoo.com

    $ dig yahoo.com NS +noall +answer
    
    ; <<>> DiG 9.9.3-rpz2+rl.13214.22-P2-Ubuntu-1:9.9.3.dfsg.P2-4ubuntu1 <<>> yahoo.com NS +noall +answer
    ;; global options: +cmd
    yahoo.com.      63726   IN  NS  ns4.yahoo.com.
    yahoo.com.      63726   IN  NS  ns1.yahoo.com.
    yahoo.com.      63726   IN  NS  ns5.yahoo.com.
    yahoo.com.      63726   IN  NS  ns8.yahoo.com.
    yahoo.com.      63726   IN  NS  ns6.yahoo.com.
    yahoo.com.      63726   IN  NS  ns2.yahoo.com.
    yahoo.com.      63726   IN  NS  ns3.yahoo.com.
    

    Get all of the above

    # dig yahoo.com ANY +noall +answer
    

    Get a terse answer to lookup

    # dig wireless-router.my-home.com +short
    192.168.0.1
    

    Get a terse reverse lookup answer

    # dig -x 192.168.0.1 +short
    wireless-router.my-home.com.
    

    Get a long answer to lookup

    # dig +nocmd my-home.com any +multiline +noall +answer
    my-home.com. 604800 IN SOA dnssrv.my-home.com. root.dnssrv.my-home.com. (
       2          ; serial
       .....
       604800     ; minimum (1 week)
       )
    my-home.com. 604800 IN NS dnssrv.my-home.com.
    

    Grab SOA record off the domain server

    # dig my-home.com +nssearch
    SOA dnssrv.my-home.com. root.dnssrv.my-home.com. 2 604800 86400 \
    2419200 604800 from server dnssrv.my-home.com in 0 ms.
    

    Query a different name server

    # dig @ns1.google.com www.google.com
    

    Use search list in /etc/resolv.conf

    # dig dnssrv +search +short
    192.168.0.2
    # host dnssrv
    dnssrv.my-home.com has address 192.168.0.2
    

    Show zones available for transfer

    # dig my-home.com axfr
    ; <<>> DiG 9.4.2-P2 <<>> my-home.com axfr
    ;; global options:  printcmd
    .....
    my-home.com.  604800 IN NS dnssrv.my-home.com.
    dnssrv.my-home.com. 604800 IN A 192.168.0.2
    wireless-router.my-home.com. 604800 IN A 192.168.0.1
    my-home.com.  604800 IN SOA dnssrv.my-home.com. \
    root.dnssrv.my-home.com. 2 604800 86400 2419200 604800
    
    ;; Query time: 2 msec
    ;; SERVER: 192.168.0.2#53(192.168.0.2)
    .....
    
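    The transfer above succeeds because it was run from the zone's own server. The check a defender wants is the same command run from an address that should NOT be allowed to pull the zone, expecting dig to report '; Transfer failed.' rather than a record list. The following is an added example, not code from this page: classify_axfr() parses dig's AXFR output offline (the sample outputs are constructed from the my-home.com transfer above plus a refused reply), hosts_exposed() lists the host inventory an open zone would leak, and check_zone() wraps the real 'dig @server zone axfr' command. The server address 192.0.2.53 in the refused sample is a documentation placeholder.

```python
"""Classify the result of a zone transfer (AXFR) attempt from dig's output.

Added example; not the page's own code. Sample outputs are constructed from
the my-home.com transfer shown on the page and a refused reply.
"""
import re
import subprocess

# owner  ttl  IN  type  rdata  (rdata keeps embedded spaces, e.g. SOA fields)
RECORD = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.+)$")

# Constructed from the page's 'dig my-home.com axfr' output, elisions removed
# and the wrapped SOA line joined back together.
AXFR_OPEN = """\
; <<>> DiG 9.4.2-P2 <<>> my-home.com axfr
;; global options:  printcmd
my-home.com.  604800 IN NS dnssrv.my-home.com.
dnssrv.my-home.com. 604800 IN A 192.168.0.2
wireless-router.my-home.com. 604800 IN A 192.168.0.1
my-home.com.  604800 IN SOA dnssrv.my-home.com. root.dnssrv.my-home.com. 2 604800 86400 2419200 604800

;; Query time: 2 msec
;; SERVER: 192.168.0.2#53(192.168.0.2)
"""

# Constructed reply from a server that refuses transfers (192.0.2.53 is a
# placeholder address).
AXFR_REFUSED = """\
; <<>> DiG 9.4.2-P2 <<>> @192.0.2.53 my-home.com axfr
;; global options:  printcmd
; Transfer failed.
"""


def classify_axfr(dig_output):
    """Return ('open', records) if records came back, ('refused', []) if dig
    printed '; Transfer failed.', or ('unknown', []) for anything else
    (timeout, unreachable server, garbage)."""
    records = []
    for raw in dig_output.splitlines():
        line = raw.strip()
        if line.startswith("; Transfer failed"):
            return "refused", []
        if not line or line.startswith(";"):
            continue  # comments, headers, statistics
        m = RECORD.match(line)
        if m:
            owner, _ttl, rtype, rdata = m.groups()
            records.append((owner, rtype, rdata))
    if records:
        return "open", records
    return "unknown", []


def hosts_exposed(records):
    """Names carrying address records: the host inventory an open zone leaks."""
    return sorted({owner for owner, rtype, _ in records if rtype in ("A", "AAAA")})


def check_zone(zone, server):
    """Run the real transfer attempt against one server and classify it."""
    cmd = ["dig", "@" + server, zone, "axfr"]
    out = subprocess.run(cmd, capture_output=True, text=True)
    return classify_axfr(out.stdout)


if __name__ == "__main__":
    status, records = classify_axfr(AXFR_OPEN)
    print(status, "->", hosts_exposed(records))
    print(classify_axfr(AXFR_REFUSED)[0])
```

Run check_zone() against each of your own authoritative servers from a host outside the allow-transfer list; any result other than 'refused' is worth a look at the server's transfer ACL.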

    Show ANY Resource Records

    # dig any my-home.com
    ; <<>> DiG 9.4.2-P2 <<>> any my-home.com
    ;; global options:  printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37757
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
    
    ;; QUESTION SECTION:
    ;my-home.com.   IN ANY
    ;; ANSWER SECTION:
    my-home.com.  604800 IN SOA dnssrv.my-home.com. \
    root.dnssrv.my-home.com. 2 604800 86400 2419200 604800
    my-home.com.  604800 IN NS dnssrv.my-home.com.
    
    ;; ADDITIONAL SECTION:
    dnssrv.my-home.com. 604800 IN A 192.168.0.2
    
    ;; Query time: 13 msec
    ;; SERVER: 192.168.0.2#53(192.168.0.2)
    ;; WHEN: Tue Feb 10 13:07:53 2009
    ;; MSG SIZE  rcvd: 107
    

    Check authoritative zones (dig with no name queries the NS records of the root, '.')

    $ dig +norec
    
    ; <<>> DiG 9.9.3-rpz2+rl.13214.22-P2-Ubuntu-1:9.9.3.dfsg.P2-4ubuntu1 <<>> +norec
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36514
    ;; flags: qr ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 9
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4000
    ;; QUESTION SECTION:
    ;.              IN  NS
    
    ;; ANSWER SECTION:
    .           329599  IN  NS  c.root-servers.net.
    .           329599  IN  NS  j.root-servers.net.
    .....
    
  • Manual DNS recursion
    • My nameserver is looking for 'prep.ai.mit.edu'.
    • 'prep.ai.mit.edu.' is not in the cache - whom to ask?
    • My nameserver strips off left-side labels until it gets a hit: ai.mit.edu. -> mit.edu. -> edu. -> no hits, until it is finally left with '.' (the root).
    • My nameserver knows about '.' from its root hints file (named.ca, root.hints, db.root ... depending on the distribution).

    Pick a root nameserver at random

    $ dig +norec +noques +nostats +nocmd prep.ai.mit.edu. @D.ROOT-SERVERS.NET.
    .....
    ;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 3
    
    ;; AUTHORITY SECTION:
    mit.edu.                172800  IN      NS      BITSY.mit.edu.
    .....
    
    ;; ADDITIONAL SECTION:
    BITSY.mit.edu.          172800  IN      A       18.72.0.3
    .....
    

    '+norec' means that 'dig' asks non-recursive questions, so we get to do the recursion ourselves. This reply is a referral: an Authority section and no Answer section. It refers us to the MIT.EDU servers.

    Query MIT.EDU servers

    $ dig +norec +noques +nostats +nocmd prep.ai.mit.edu. @BITSY.mit.edu.
    .....
    ;; flags: qr ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 4
    
    ;; ANSWER SECTION:
    prep.ai.mit.edu.        10562   IN      A       198.186.203.77
    
    ;; AUTHORITY SECTION:
    ai.mit.edu.             21600   IN      NS      FEDEX.ai.mit.edu.
    
    ;; ADDITIONAL SECTION:
    FEDEX.ai.mit.edu.       21600   IN      A       192.148.252.43
    .....
    

    Now we have the answer. The Authority section contains the names of servers you can ask directly next time you want to know about 'ai.mit.edu'.
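    The walk above, done by a script rather than by hand, as an added example that is not code from this page: parse_sections() reads the output format of 'dig +norec +noques +nostats +nocmd <name> @<server>', and resolve_iteratively() starts at a root server, follows the referral in the Authority/Additional sections and repeats until an Answer section arrives. dig_query() shells out to the real dig; sample_query() replays replies constructed from the two prep.ai.mit.edu responses above so the script runs offline. A referral that carries no glue address for its NS names is reported rather than followed, since chasing it would need a second walk for the NS name itself.

```python
"""Manual DNS recursion: follow referrals from a root server down to the
authoritative answer.

Added example, not the page's own code. Sample replies are constructed from
the page's D.ROOT-SERVERS.NET and BITSY.mit.edu responses.
"""
import re
import subprocess

# owner  ttl  IN  type  rdata
RR = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.+)$")

# Constructed from the page's replies; '.....' elisions are omitted.
ROOT_REFERRAL = """\
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 3

;; AUTHORITY SECTION:
mit.edu.                172800  IN      NS      BITSY.mit.edu.

;; ADDITIONAL SECTION:
BITSY.mit.edu.          172800  IN      A       18.72.0.3
"""

MIT_ANSWER = """\
;; flags: qr ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 4

;; ANSWER SECTION:
prep.ai.mit.edu.        10562   IN      A       198.186.203.77

;; AUTHORITY SECTION:
ai.mit.edu.             21600   IN      NS      FEDEX.ai.mit.edu.

;; ADDITIONAL SECTION:
FEDEX.ai.mit.edu.       21600   IN      A       192.148.252.43
"""

SAMPLE_RESPONSES = {"d.root-servers.net": ROOT_REFERRAL, "18.72.0.3": MIT_ANSWER}


def parse_sections(text):
    """Map section name ('ANSWER', 'AUTHORITY', ...) to (owner, type, rdata) tuples."""
    sections, current = {}, None
    for line in text.splitlines():
        header = re.match(r"^;; (\w+) SECTION:", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
        elif current and line.strip() and not line.startswith(";"):
            rr = RR.match(line.strip())
            if rr:
                owner, _ttl, rtype, rdata = rr.groups()
                sections[current].append((owner, rtype, rdata))
    return sections


def dig_query(name, server):
    """Real non-recursive query: the command typed in the walk above."""
    cmd = ["dig", "+norec", "+noques", "+nostats", "+nocmd", name, "@" + server]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


def sample_query(name, server):
    """Offline stand-in for dig_query() that replays the constructed replies."""
    return SAMPLE_RESPONSES[server]


def _fqdn(name):
    return name.lower().rstrip(".")


def resolve_iteratively(name, query=sample_query, root="d.root-servers.net", max_hops=10):
    """Return (address, servers_asked) for the A record of name.

    A reply with an ANSWER section ends the walk. A reply with only an
    AUTHORITY section is a referral: ask the first NS whose address appears
    as glue in ADDITIONAL. A referral without glue is reported, not chased.
    """
    server, asked = root, []
    for _ in range(max_hops):
        asked.append(server)
        sec = parse_sections(query(name, server))
        for owner, rtype, rdata in sec.get("ANSWER", []):
            if rtype == "A" and _fqdn(owner) == _fqdn(name):
                return rdata, asked
        ns_names = [_fqdn(r[2]) for r in sec.get("AUTHORITY", []) if r[1] == "NS"]
        glue = {_fqdn(r[0]): r[2] for r in sec.get("ADDITIONAL", []) if r[1] == "A"}
        candidates = [glue[n] for n in ns_names if n in glue]
        if not candidates:
            raise RuntimeError(f"referral from {server} has no glue for {ns_names}")
        server = candidates[0]
    raise RuntimeError(f"no answer within {max_hops} referrals")


if __name__ == "__main__":
    addr, asked = resolve_iteratively("prep.ai.mit.edu")
    print(addr, "found after asking", " -> ".join(asked))
```

To run it against the live tree, pass query=dig_query; the path it prints is the same chain of referrals the page walks by hand, which is also what 'dig +trace' shows in one go.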

  • DNS lookup utility
    /usr/bin/host

    Command usage

    host [options] hostname [server]
    
    Common options:
     -d                 Is equivalent to -v
     -l                 Lists all hosts in a domain, using AXFR
     -v                 Enables verbose output
     -w                 Specifies to wait forever for a reply
     -W                 Specifies how long to wait for a reply
     -4                 Use IPv4 query transport only
     -6                 Use IPv6 query transport only
    

    Get lookup information for a domain

    $ host ntl.com
    ntl.com has address 62.253.165.47
    ntl.com mail is handled by 10 mailrelay03.ntl.com.
    ntl.com mail is handled by 10 mailrelay04.ntl.com.
    ntl.com mail is handled by 10 mailrelay01.ntl.com.
    ntl.com mail is handled by 10 mailrelay02.ntl.com.
    

    Verbose reverse lookup

    $ host -v 62.253.165.47
    Trying "47.165.253.62.in-addr.arpa"
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50285
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
    
    ;; QUESTION SECTION:
    ;47.165.253.62.in-addr.arpa.    IN    PTR
    
    ;; ANSWER SECTION:
    47.165.253.62.in-addr.arpa. 86400 IN    PTR    mailchange.ntl.com.
    Received 76 bytes from 192.168.0.1#53 in 16 ms
    

    Lookup ANY RR for domain

    # host -a my-home.com
    Trying "my-home.com"
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4159
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
    
    ;; QUESTION SECTION:
    ;my-home.com.   IN ANY
    
    ;; ANSWER SECTION:
    my-home.com.  604800 IN SOA dnssrv.my-home.com. \
    root.dnssrv.my-home.com. 2 604800 86400 2419200 604800
    my-home.com.  604800 IN NS dnssrv.my-home.com.
    
    ;; ADDITIONAL SECTION:
    dnssrv.my-home.com. 604800 IN A 192.168.0.2
    Received 107 bytes from 192.168.0.2#53 in 5 ms
    

    Lookup ANY RR for hostname

    # host -a dnssrv
    Trying "dnssrv.my-home.com"
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45369
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
    
    ;; QUESTION SECTION:
    ;dnssrv.my-home.com.  IN ANY
    
    ;; ANSWER SECTION:
    dnssrv.my-home.com. 604800 IN A 192.168.0.2
    
    ;; AUTHORITY SECTION:
    my-home.com.  604800 IN NS dnssrv.my-home.com.
    Received 66 bytes from 192.168.0.2#53 in 5 ms
    
  • Query Internet name servers interactively
    /usr/bin/nslookup

    Command usage

    nslookup [-option] [name | -] [server]
    
    Some interactive commands:
     host [server]           Look up information for host using the current default server or using server.
                             To look up a host not in the current domain, append a period to the name.
     server domain           Change the default server to domain - server uses the current default server
     lserver domain          Change the default server to domain - lserver uses the initial server to look
                             up information about domain
     set keyword[=value]     Change state information that affects the lookups. Valid keywords are:
                             all              Prints the current values of the frequently used options to set.
                             class=value      Change the query class to one of:
                                              IN        The Internet class
                                              CH        The Chaos class
                                              HS        The Hesiod class
                                              ANY       Wildcard
                             domain=name      Sets the search list to name.
                             type=value       Change the type of the information query.
                                              (Default = A; abbreviations = q, ty)
                             [no]recurse      Tell the name server to query other servers if it does not have
                                              the information. (Default = recurse; abbreviation = [no]rec)
    

    Run nslookup interactively

    # nslookup
    > set TYPE=A                      [all | any | MX | SOA | A | NS | TXT | CNAME]
    > dnssrv
    Server:  192.168.0.2
    Address: 192.168.0.2#53
    Name: dnssrv.my-home.com
    Address: 192.168.0.2
    >
    > set all
    Default server: 192.168.0.2
    Address: 192.168.0.2#53
     Set options:
      novc   nodebug  nod2
      search  recurse
      timeout = 0  retry = 3 port = 53
      querytype = A        class = IN
      srchlist = my-home.com
    >
    > ^D
    

    A lot of the old command functionality, e.g. 'finger', 'ls', 'view' ..., is no longer implemented.

    Lookup a hostname

    # nslookup dnssrv
    Server:  192.168.0.2
    Address: 192.168.0.2#53
    Name: dnssrv.my-home.com
    Address: 192.168.0.2
    
  • User interface to the TELNET protocol
    /usr/bin/telnet

    Command usage

    telnet [host] [port]
    
    Common options:
     -4                 Force IPv4 address resolution.
     -6                 Force IPv6 address resolution.
     -a                 Try automatic login. 
     -d                 Sets debug toggle to TRUE
     -r                 Emulate rlogin(1). Default escape character is a tilde
     -n trfile          Opens tracefile for recording trace information
    

    Run telnet interactively

    # telnet
    telnet> ?
    Common commands:
    close               close current connection
    logout              forcibly logout remote user and close the connection
    display             display operating parameters
    open                connect to a site
    quit                exit telnet
    status              print status information
    z                   suspend telnet
    !                   invoke a subshell
    environ             change environment variables ('environ ?' for more)
    ?                   print help information
    telnet> q
    

    Use as a diagnostic tool to test TCP connectivity

    # telnet localhost <port>
    
    # telnet <remote host> <port>
    
  • Trace path to a network host
    /usr/bin/tracepath
    • 'tracepath' and 'tracepath6' trace the path to a network host, discovering the MTU along that path.
    • It sends to the UDP port given on the command line, or to a random port.
    • Similar to traceroute, only it does not require superuser privileges and has no fancy options.

    Command usage

    tracepath [-n] [-l pktlen] destination [port]
    
    Options:
     -n                 Do not look up host names.  Only print IP addresses numerically.
     -l                 Sets the initial packet length to 'pktlen'.  Default 65536 for 
                        tracepath, 128000 for tracepath6.
    

    Trace a path

    $ tracepath www.lpi.org
     1:  send failed
         Resume: pmtu 65535
    
    $ tracepath www.lpi.org
     1:  192.168.2.2 (192.168.2.2)                              0.104ms pmtu 1500
     .....
     4:  manc-core-1b-ae1-0.network.virginmedia.net (195.182.175.89)  10.178ms asymm  5 
     5:  manc-bb-1b-as0-0.network.virginmedia.net (212.43.163.66)  11.019ms asymm  6 
     6:  popl-bb-1a-as4-0.network.virginmedia.net (212.43.162.85)  15.062ms asymm  7 
     .....
    13:  colo-4500.mountaincable.net (24.102.5.9)             136.342ms 
    14:  clark.lpi.org (24.215.7.162)                         138.051ms reached
         Resume: pmtu 1500 hops 14 back 51
    

    In the first invocation I had it blocked by my firewall.

    Firewall log - /var/log/messages

    Mar 21 15:19:48 ub-desktop kernel: [10297.120478] DROP OuDEFIN= OUT=eth0 \
    SRC=192.168.0.3 DST=24.215.7.162 LEN=65535 TOS=0x00 PREC=0x00 TTL=1 ID=0 \
    DF PROTO=UDP SPT=53296 DPT=44444 LEN=65515
    

    Record of firewall's tracepath block/drop.
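    Reading that line by eye is fine once; a parser is what you want when the same question ("was that 'send failed' my own firewall?") comes up in a log with thousands of entries. The following is an added example, not code from this page: parse_netfilter_line() turns a kernel LOG entry into a dictionary (keeping the IP header's LEN and the UDP header's LEN apart, since netfilter logs both under the same key), and is_blocked_probe() is a heuristic of this example, built from what the page states: an outbound UDP datagram with DF set and TTL=1 that the firewall dropped. The sample line is the page's own /var/log/messages entry, joined onto one line with its log prefix left as printed.

```python
"""Parse netfilter LOG lines and flag dropped tracepath-style probes.

Added example, not the page's own code. SAMPLE_LOG is the page's log entry;
the probe heuristic is an assumption of this example.
"""
import re

SAMPLE_LOG = (
    "Mar 21 15:19:48 ub-desktop kernel: [10297.120478] DROP OuDEFIN= OUT=eth0 "
    "SRC=192.168.0.3 DST=24.215.7.162 LEN=65535 TOS=0x00 PREC=0x00 TTL=1 ID=0 "
    "DF PROTO=UDP SPT=53296 DPT=44444 LEN=65515"
)

# syslog timestamp, host, "kernel:", printk timestamp, then the LOG payload
KERNEL = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: \[\s*[\d.]+\] (?P<rest>.*)$"
)

# Bare flag tokens netfilter emits without a value
FLAGS = ("DF", "MF", "CE")


def parse_netfilter_line(line):
    """Return a dict of the key=value fields, bare flags as True, plus
    'timestamp', 'host' and 'prefix' (the LOG rule's --log-prefix words).
    Returns None for lines that are not kernel messages.

    The IP header length and the transport header length are both logged as
    LEN; the second one (after PROTO=) is stored as L4_LEN so the IP value
    is not overwritten."""
    m = KERNEL.match(line)
    if not m:
        return None
    fields = {"timestamp": m.group("ts"), "host": m.group("host")}
    prefix, seen_proto = [], False
    for tok in m.group("rest").split():
        if "=" in tok:
            key, _, val = tok.partition("=")
            if key == "LEN" and seen_proto:
                key = "L4_LEN"
            if key == "PROTO":
                seen_proto = True
            fields[key] = val
        elif tok in FLAGS:
            fields[tok] = True
        else:
            prefix.append(tok)
    fields["prefix"] = " ".join(prefix)
    return fields


def is_blocked_probe(fields, max_ttl=30):
    """Heuristic (assumption of this example): a locally originated UDP
    datagram (OUT set) with DF set and a low TTL is a path-MTU / traceroute
    style probe rather than ordinary traffic. The page's tracepath probe
    has TTL=1, DF and the full 65535-byte IP length."""
    if not fields:
        return False
    return bool(
        fields.get("OUT")
        and fields.get("PROTO") == "UDP"
        and fields.get("DF") is True
        and int(fields.get("TTL", "255")) <= max_ttl
    )


def blocked_probes(lines):
    """Run the rule over a log and return (timestamp, DST, DPT) per hit."""
    hits = []
    for line in lines:
        f = parse_netfilter_line(line)
        if is_blocked_probe(f):
            hits.append((f["timestamp"], f["DST"], f["DPT"]))
    return hits


if __name__ == "__main__":
    for ts, dst, dpt in blocked_probes([SAMPLE_LOG]):
        print(f"{ts}: probe to {dst} udp/{dpt} dropped by local firewall")
```

A hit here explains a 'send failed' from tracepath without any guessing; the same rule, with OUT empty and IN set instead, is the mirror image for probes arriving from outside.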

  • File transfer protocol interactive program
    /usr/bin/ftp

    Establish an interactive FTP connection with a host to transfer binary or text files.

    Command usage

    ftp [options] [host [port]]
    
    Common options:
     -p              Use passive mode for data transfers
     -i              Turns off interactive prompting during multiple file transfers
     -v              Verbose - show all responses from the remote server, report 
                     data transfer stats
     -d              Enables debugging
    

    Run ftp interactively

    # ftp
    ftp>
    Commonly used commands:
    !       mdir    dir      mget      put       mkdir    pwd    
    status  exit    quit     ascii     mode      get      ls
    help    user    chmod    lcd       open      restart  close
    prompt  rmdir   verbose  passive   mput
    ftp> q
    

    A tidied up version of the command's output.

  • Query the whois database for a target
    /usr/bin/whois

    Client for the whois directory service, query the whois database for a target.

    Command usage

    [f]whois target[@server]
    

    Display information about domain

    # whois linuxdoc.org
    [Querying whois.publicinterestregistry.net]
    [whois.publicinterestregistry.net]
    NOTICE: Access to .ORG WHOIS information is provided to assist persons in
    .....
    Domain ID:D3766980-LROR
    Domain Name:LINUXDOC.ORG
    Created On:20-Feb-1999 05:00:00 UTC
    .....