![[images/Pasted image 20250809090047.png]]
# Managing Networks
## net-tools suite
- legacy suite, deprecated upstream; no longer installed by default on current distros but may still be present on older systems such as RHEL 6/7
- `ifconfig` shows network interfaces
- `route` shows routing table
- `arp` shows arp table
- `ifup` brings an interface up
- `ifdown` brings an interface down
- `ifstatus` shows interface status (SUSE's network scripts)
- `ifstat` shows per-interface packet and byte counters
- `ifup`/`ifdown`/`ifstatus` come from the distro's ifupdown or network-scripts packages rather than net-tools proper, so availability varies by distro
- `hostname` shows the current machine's hostname; `hostname -f` shows the FQDN
- `hostname -d` shows the DNS domain only; `-f` and `-d` resolve the hostname through the resolver (`/etc/hosts`, then DNS, per `/etc/nsswitch.conf`), while the static name itself is read from `/etc/hostname` at boot
- `ifcfg-<iface>` files (under `/etc/sysconfig/network-scripts/`) store per-interface configuration on RHEL 8 and earlier; RHEL 9 moved to NetworkManager keyfiles under `/etc/NetworkManager/system-connections/`
- `netstat` shows open connections
- `netstat -tuna` shows TCP, UDP, don't resolve names, all sockets
- `netstat -tuna | grep LISTEN` shows listening ports
- `netstat -tunl` shows TCP, UDP, don't resolve names, listening sockets
- `netstat -rn` shows the routing table, including the default route (destination `0.0.0.0`)
- -r shows current routes, -n prevents DNS lookups
## iproute2 suite
- the current default on essentially all Linux distros (Debian/Ubuntu, RHEL/Fedora, SUSE, Arch)
- `ip` replaces `ifconfig`, `arp`, and `route`; `ss` replaces `netstat`; `hostnamectl` covers what `hostname` did
- `ip address` or `ip a` shows network interfaces ![[images/Pasted image 20250731093225.png]]![[images/Pasted image 20250731093330.png]]![[images/Pasted image 20250731093356.png]]
- similar to `ifconfig`
- `ip route` shows routing table ![[images/Pasted image 20250731093111.png]]
- similar to `route`
- `ip neighbor` or `ip neigh` shows arp table ![[images/Pasted image 20250731093047.png]]
- similar to `arp`
- `ip -s link` shows link statistics ![[images/Pasted image 20250731084428.png]]![[images/Pasted image 20250731092607.png]]
- -s for stats, -c for color ![[images/Pasted image 20250804183827.png]]
- `ss` replaces `netstat`
- shows current connections
- `ss -tunl` is a common command that shows listening ports; add `-p` to see which process owns each socket (root needed to see other users' processes) ![[images/Pasted image 20250731084457.png]]
- options:
- -s for summary
- -p to show the owning process (pid and command)
- -n to prevent DNS lookup
- -m to show network sockets and associated memory usage
- -e for extended info (uid, inode)
- -4 / -6 for IPv4 or IPv6 only
- -o for timer info
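Added example (shell, not from the original notes): audits `ss -tunlp` output and flags sockets bound to every interface, the first thing to check on a host whose exposure you are assessing. `SAMPLE_SS` is a constructed sample in the shape of `ss -tunlpH` output (`-H` drops the header), so the script runs offline; on a live system pipe `ss -tunlpH` into `exposed_listeners` instead.

```shell
#!/bin/sh
# Added example: flag listening sockets reachable from other hosts.
# SAMPLE_SS is a constructed sample in the shape of `ss -tunlpH` output
# (Netid State Recv-Q Send-Q Local:Port Peer:Port Process); on a live
# host use:  ss -tunlpH | exposed_listeners
SAMPLE_SS='tcp   LISTEN 0      128            0.0.0.0:22        0.0.0.0:*    users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      4096         127.0.0.1:5432      0.0.0.0:*    users:(("postgres",pid=1201,fd=6))
tcp   LISTEN 0      511                  *:80              *:*    users:(("nginx",pid=1402,fd=7))
tcp   LISTEN 0      128               [::]:22           [::]:*    users:(("sshd",pid=812,fd=4))
tcp   LISTEN 0      50   [::ffff:127.0.0.1]:8080           *:*    users:(("java",pid=1555,fd=12))
udp   UNCONN 0      0        127.0.0.53%lo:53        0.0.0.0:*    users:(("systemd-resolve",pid=601,fd=13))
udp   UNCONN 0      0              0.0.0.0:5353      0.0.0.0:*    users:(("avahi-daemon",pid=702,fd=12))'

# Read ss rows on stdin; print "<proto> <local addr:port> <process>" for every
# socket whose local address is not loopback. Wildcards (0.0.0.0, *, [::])
# and specific non-loopback addresses are reported; 127.x, ::1 and the
# IPv4-mapped ::ffff:127.x form are skipped, after removing any %iface scope.
exposed_listeners() {
    awk '
    NF >= 6 {
        proto = $1; local = $5; proc = ($7 != "") ? $7 : "-"
        addr = local
        sub(/:[^:]*$/, "", addr)      # drop ":port"
        sub(/^\[/, "", addr)          # drop IPv6 brackets
        sub(/\]$/, "", addr)
        sub(/%.*/, "", addr)          # drop "%iface" scope suffix
        if (addr ~ /^127\./ || addr == "::1" || addr ~ /^::ffff:127\./) next
        print proto, local, proc
    }'
}

# Convenience: how many exposed listeners are on stdin.
exposed_count() {
    exposed_listeners | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_SS" | exposed_listeners
```

On the sample this reports sshd (v4 and v6), nginx on `*:80` and avahi on UDP 5353, and stays silent about postgres, the Java app bound to the IPv4-mapped loopback, and the systemd-resolved stub. Anything it prints should map to a service you expect to be reachable.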
### config files
- `/etc/sysconfig/network-scripts/ifcfg-*` legacy per-interface config on RHEL, read by the old `network` service or by NetworkManager's ifcfg-rh plugin; RHEL 9 keeps connections as keyfiles under `/etc/NetworkManager/system-connections/` instead
- `/etc/netplan/*.yaml` per-interface YAML on Ubuntu; netplan renders it into NetworkManager or systemd-networkd configuration
- Debian proper uses `/etc/network/interfaces` (ifupdown) or NetworkManager keyfiles, not netplan
- `/etc/hostname` for machine name ![[images/Pasted image 20250804190151.png]]
- `/etc/hosts` for localhost resolution ![[images/Pasted image 20250804190202.png]]
- `/etc/resolv.conf` for DNS details ![[images/Pasted image 20250804190218.png]]
## network manager
- GUI network mgmt app
- `nmcli` way to interact with network mgr via CLI
# Name Resolution
- `/etc/nsswitch.conf` (Name Service Switch) tells glibc which sources to consult, and in what order, for each database
- databases include `passwd`, `group`, `shadow`, and `hosts` (how a name gets resolved)
- `getent database key` queries a database the same way programs do, through nsswitch, so it shows what a program would actually receive
- `getent passwd user_name` ![[images/Pasted image 20250805195059.png]]
- `getent group group_name` ![[images/Pasted image 20250805195049.png]]
- `hosts: files dns myhostname` means: check `/etc/hosts` first, then query DNS, then the `myhostname` module (answers for the machine's own hostname and `localhost` without DNS)
- sources are tried left to right, so an entry in `/etc/hosts` silently shadows DNS for that name; on a suspect host, audit `/etc/hosts` for entries pointing public names at unexpected addresses
- `/etc/resolv.conf` is where the resolver finds which DNS servers to query (plus search domains)
- written by NetworkManager, netplan/systemd-networkd, or systemd-resolved (then it is a symlink and lists the `127.0.0.53` stub listener)
- don't edit this file directly; the managing service will overwrite it
- `resolvectl status` shows DNS info
- `resolvectl flush-caches` to clear local DNS cache
- `hostnamectl` shows computer info
- can be used to modify some info
- `dig domain_name` queries a DNS server ![[images/Pasted image 20250731093628.png]]
- `dig -x ip_address` performs reverse lookup for PTR record
- `nslookup domain_name` queries a DNS server `nslookup ip_address` performs reverse lookup ![[images/Pasted image 20250731093610.png]]
- `nslookup -type=MX domain_name` performs lookup for MX record
- `host domain_name` shows A, AAAA, MX records ![[images/Pasted image 20250731093703.png]]
- `host -v domain_name` shows verbose info for host
- `whois domain_name` queries registrars for contact info ![[images/Pasted image 20250731100349.png]]
- a registrar is an accredited intermediary that registers domains in the registry operating the TLD; whois shows registrar, status, and creation/expiry dates, while contact fields are often redacted for privacy
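Added example (shell, not from the original notes): shows how the `files` source on the `hosts:` line resolves a name before DNS is consulted, and how to audit `/etc/hosts` for entries that shadow DNS. `SAMPLE_HOSTS` is a constructed hosts file with one suspicious entry (`203.0.113.9 login.example.com`, a documentation address standing in for an attacker's server); both functions read a hosts file on stdin, so `hosts_nonlocal < /etc/hosts` audits the real one.

```shell
#!/bin/sh
# Added example: emulate the "files" step of the nsswitch hosts: line and
# audit a hosts file for entries that would shadow DNS.
# SAMPLE_HOSTS is a constructed /etc/hosts; 203.0.113.9 is a documentation
# address standing in for an attacker-controlled server.
SAMPLE_HOSTS='# constructed sample /etc/hosts
127.0.0.1   localhost
127.0.1.1   myhost.example.lan myhost
::1         localhost ip6-localhost ip6-loopback
ff02::1     ip6-allnodes
ff02::2     ip6-allrouters
203.0.113.9 login.example.com   # suspicious: pins a public name to a fixed IP'

# hosts_lookup NAME: print the address of the first hosts entry whose
# canonical name or alias matches NAME (case-insensitive, comments stripped),
# which is what the glibc "files" backend returns before DNS is ever asked.
# Exit status 1 when nothing matches (resolution would fall through to dns).
hosts_lookup() {
    awk -v want="$1" '
    { sub(/#.*/, "") }                       # strip comments
    NF >= 2 {
        for (i = 2; i <= NF; i++)
            if (tolower($i) == tolower(want)) { print $1; found = 1; exit }
    }
    END { exit found ? 0 : 1 }'
}

# hosts_nonlocal: print "<addr> <name>" for entries whose address is not
# loopback, link-local or multicast. Each of these answers for a name without
# DNS, so on a suspect host every line needs a reason to be there.
hosts_nonlocal() {
    awk '
    { sub(/#.*/, "") }
    NF >= 2 && $1 !~ /^127\./ && $1 != "::1" && $1 !~ /^169\.254\./ \
        && $1 !~ /^fe80:/ && $1 !~ /^ff0[0-9a-f]:/ { print $1, $2 }'
}

printf '%s\n' "$SAMPLE_HOSTS" | hosts_lookup login.example.com   # 203.0.113.9
printf '%s\n' "$SAMPLE_HOSTS" | hosts_nonlocal
```

First match wins, exactly as with the real `files` backend, which is why `localhost` comes back as `127.0.0.1` even though `::1` also carries that name. `getent hosts login.example.com` on the real system is the quick way to confirm which source actually answered.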
# Network Monitoring Tools
- `ping` resolves the name (if a hostname is supplied) and sends ICMP Echo Requests to test whether the host is reachable and measure round-trip time
- firewalls may block ICMP traffic
- options:
- -c for count of ICMP packets
- -f for flood (requires root)
- -i for interval between packets
- -r to bypass routing tables and send directly to a host on an attached network
- -b to send broadcast message
- -q for quiet mode
- -a for audible ping
- -t for defining TTL value
- -v for verbose output
- `traceroute` finds the hops to a destination by sending probes with increasing TTL values; each router that decrements the TTL to zero replies with an ICMP Time Exceeded, revealing its address
- Linux `traceroute` uses UDP probes by default; `-I` uses ICMP Echo and `-T` uses TCP SYN (often gets through firewalls that drop UDP/ICMP)
- `* * *` entries mean that hop sent no reply within the timeout (it rate-limits or blocks ICMP) while still forwarding the probes onward
- `mtr` combines `traceroute` and `ping`: it probes every hop continuously and reports loss and latency per hop; curses interface by default, GTK window when built with GUI support
- `mtr -t domain-name` forces the curses/text interface
- q to quit
- `mtr --udp domain-name` to use UDP instead of ICMP
- `mtr --tcp domain-name` to use TCP instead of ICMP
- `mtr -o "L D A J" -c 20 -r 8.8.8.8` sends 20 probes per hop and reports Loss%, Dropped, Average RTT, and Jitter for each hop ![[images/Pasted image 20250731083012.png]]
- -r produces a static report and exits instead of updating interactively; -o picks the fields
- leave off -c and -r for continuous interactive output (curses, or a GTK window if available) ![[images/Pasted image 20250731083136.png]]
- `netstat -tuna` for all ports (`ss -tuna` where net-tools is absent)
- tcp, udp, numeric (don't resolve names), all sockets
- `netstat -tunl` for all listening ports (`ss -tunl` equivalent)
- tcp, udp, numeric (don't resolve names), listening server sockets
- `nmap -sT 127.0.0.1` TCP connect scan of localhost; shows open ports with the service name taken from nmap's port table (add `-sV` for banner-based version detection) ![[images/Pasted image 20250731093837.png]]
- `sudo nmap -O 192.168.1.0/24` fingerprints the OS of hosts on the local segment (`192.168.1.*` works too); needs root for raw packets, and scan only networks you are authorized to test
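Added example (shell, not from the original notes): parses an `mtr -r` report and tells the two kinds of loss apart. `SAMPLE_MTR` is a constructed report in the shape of `mtr -r -c 20 -o "L D A J"` output; `classify_hops` marks a hop as `filters-probes` when its loss disappears at a later hop (the router just drops or rate-limits ICMP, the `* * *` case from the traceroute notes above) and as `path-loss` when the loss persists to the destination, which is the only kind worth escalating.

```shell
#!/bin/sh
# Added example: classify per-hop loss in an mtr report.
# SAMPLE_MTR is a constructed report in the shape of
#   mtr -r -c 20 -o "L D A J" 8.8.8.8
# (columns: hop, host, Loss%, Drop, Avg, Jttr). On a live system:
#   mtr -r -c 20 -o "L D A J" 8.8.8.8 | classify_hops 5
SAMPLE_MTR='Start: 2025-07-31T08:30:12-0400
HOST: workstation               Loss%   Drop   Avg  Jttr
  1.|-- 192.168.1.1               0.0%     0   1.1   0.2
  2.|-- 100.64.0.1                0.0%     0   9.8   1.4
  3.|-- ???                      100.0    20   0.0   0.0
  4.|-- 198.51.100.17             0.0%     0  14.2   0.9
  5.|-- 203.0.113.254            35.0%     7  22.7   6.3
  6.|-- 8.8.8.8                  35.0%     7  23.1   5.8'

# classify_hops [THRESHOLD]: read an mtr report on stdin and print
# "<hop> <host> <loss>% <verdict>" per hop. A hop above THRESHOLD (default 5%)
# is "filters-probes" if any later hop is back under the threshold (the router
# itself is not answering, traffic still gets through) and "path-loss" if the
# loss persists to the end of the path.
classify_hops() {
    awk -v thr="${1:-5}" '
    /^ *[0-9]+\.[|]--/ {
        n++
        hop[n] = $1; sub(/\.[|]--$/, "", hop[n])
        host[n] = $2
        loss[n] = $3; sub(/%$/, "", loss[n])
    }
    END {
        for (i = 1; i <= n; i++) {
            verdict = "ok"
            if (loss[i] + 0 > thr) {
                verdict = "path-loss"
                for (j = i + 1; j <= n; j++)
                    if (loss[j] + 0 <= thr) { verdict = "filters-probes"; break }
            }
            print hop[i], host[i], loss[i] "%", verdict
        }
    }'
}

# hop_verdict HOP: extract just the verdict for one hop number from
# classify_hops output (handy for alerting on a specific hop).
hop_verdict() {
    awk -v h="$1" '$1 == h { print $4 }'
}

printf '%s\n' "$SAMPLE_MTR" | classify_hops 5
```

In the sample, hop 3 shows 100% loss but hop 4 answers cleanly, so it is only hiding from the probes; hops 5 and 6 lose the same 35% and the destination is the last hop, so that loss is real.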
## Wireshark/Tshark
- Wireshark is the GUI tool that captures and dissects packets
- tshark is the text version of Wireshark
- `sudo tshark -f "icmp"` captures ICMP traffic only; `-f` takes a BPF capture filter (tcpdump syntax), `-Y` takes a Wireshark display filter applied after capture
- `sudo tshark -i interface_name -c 5` captures 5 packets for specified interface ![[images/Pasted image 20250731093002.png]]
- pcap files written by `tcpdump -w` open directly in Wireshark for GUI review
## tcpdump
- CLI tool that captures packets
- picks the lowest-numbered non-loopback interface by default; use `-i` to choose one (`-i any` for all)
- `-nn` disables hostname and port-name resolution, so the capture itself doesn't generate DNS traffic
- usually written to a pcap file with `-w` for later review
- `sudo tcpdump host xxx -G 30 -W 1 -w dump.pcap` captures 30 seconds of traffic to/from that host into dump.pcap and exits; `-G 30` rotates the output file every 30 seconds and `-W 1` stops after one file (with `-G` alone, tcpdump keeps running and overwrites dump.pcap every 30 seconds unless the file name contains a strftime pattern)
- filter expressions (BPF): `host`, `src`, `dst`, `net`, `port`, combinable with `and`/`or`/`not`, e.g. `src 10.0.0.5 and not port 22`