In this tutorial we describe some useful Linux networking tools.
To list all open sockets, use:
tcpdump is a command-line tool that prints network traffic to standard output and/or to a file. Its synopsis is:
tcpdump [ -AdDefIKlLnNOpqRStuUvxX ] [ -B buffer_size ] [ -c count ] [ -C file_size ] [ -G rotate_seconds ] [ -F file ] [ -i interface ] [ -m module ] [ -M secret ] [ -r file ] [ -s snaplen ] [ -T type ] [ -w file ] [ -W filecount ] [ -E spi@ipaddr algo:secret,... ] [ -y datalinktype ] (from the tcpdump man page, http://www.tcpdump.org/tcpdump_man.html, date of access 30.12.2012)
Common usage of this tool:
tcpdump -nSs 0 -i eth0
with the following options: -n (do not resolve addresses and ports to names), -S (print absolute rather than relative TCP sequence numbers), -s 0 (capture whole packets instead of truncating them to the default snaplen) and -i eth0 (listen on interface eth0).
If you want to see packet contents in both hex and ASCII, use the -X option:
tcpdump -nXSs 0 -i eth0
If you don't want to enter promiscuous mode, use the -p option. In promiscuous mode the tool captures all traffic passing through the interface regardless of the packet's destination, while with -p it captures only traffic destined to the interface specified with the -i option.
tcpdump can restrict the capture to traffic matched by a boolean filter expression. With such an expression you can capture traffic of a specific protocol and/or a specific port and/or a specific source and/or a specific destination. With the following command, the tool captures only TCP packets from the host 192.168.1.1 destined to the network 192.168.1.0/24, i.e. destined to the hosts 192.168.1.1, 192.168.1.2 … 192.168.1.255 (the filter primitives must be joined with "and"):
tcpdump -nSs 0 -i eth0 tcp and src host 192.168.1.1 and dst net 192.168.1.0/24
To dump network traffic to a file, use the -w option:
tcpdump -nSs 0 -i wlan0 -w capture.cap
To display stored traffic, use the -r option followed by the saved file name:
tcpdump -nSs 0 -i wlan0 -r capture.cap
More examples can be found in the tcpdump man page (date of access 30.12.2012).
If packets need to be exchanged between different network interfaces (NICs) on the same computer, there are two very useful Linux kernel facilities: ip_forward and bridge. With them you are not required to write additional code to move packets between interfaces.
If the ip_forward option is enabled in the Linux kernel, the kernel forwards packets received on one interface that are destined to the network of another interface. For example, take the most common configuration with a wireless and an ethernet interface, where the wifi address is 192.168.1.2 with subnet mask 255.255.255.0 and the eth address is 192.168.2.2 with mask 255.255.255.0. If wifi receives a packet destined to the network 192.168.2.0/24, i.e. to the eth local network, it is forwarded to the eth interface. Similarly, if eth receives a packet destined to the 192.168.1.0/24 network, it is forwarded to the wifi interface.
To check whether ip_forward is enabled, use the following command (sudo privileges might be required):
$ sysctl net.ipv4.ip_forward
To enable ip_forward temporarily, type:
$ sysctl -w net.ipv4.ip_forward=1
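The check above is something a defender wants to run routinely, because a host that forwards IPv4 when it is not meant to be a router can relay traffic between the networks it is attached to. The following script is an added example, not part of the original tutorial: it reads the kernel's value directly from /proc/sys/net/ipv4/ip_forward (the file behind the sysctl shown above), compares it with the value the host is supposed to have, and prints a sysctl.d drop-in that keeps the chosen value across reboots. The drop-in file name and the optional file argument (used so the logic can be exercised against a constructed file without root) are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the original tutorial): audit and persist the
# ip_forward setting. Functions take an optional file argument so they
# can be tested against a constructed file; by default they read the
# real kernel value.

IP_FORWARD_DEFAULT=/proc/sys/net/ipv4/ip_forward

# Print "enabled", "disabled" or "unknown" for the value in the file.
# Returns 2 if the file cannot be read (for example, no IPv4 support).
ip_forward_state() {
    file="${1:-$IP_FORWARD_DEFAULT}"
    value=$(cat "$file" 2>/dev/null) || return 2
    case "$value" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown; return 1 ;;
    esac
}

# Compare the live value with the intended one: "1" for a host that is
# supposed to route between its interfaces, "0" for an ordinary end host.
# A mismatch is worth an alert; returns 1 on mismatch, 2 if unreadable.
ip_forward_check() {
    expected="$1"
    file="${2:-$IP_FORWARD_DEFAULT}"
    actual=$(cat "$file" 2>/dev/null) || return 2
    if [ "$actual" = "$expected" ]; then
        echo "ok: ip_forward=$actual"
        return 0
    fi
    echo "MISMATCH: ip_forward=$actual, expected $expected"
    return 1
}

# Print the sysctl.d drop-in line that makes the value survive a reboot.
# Write it to e.g. /etc/sysctl.d/90-ip-forward.conf (name chosen for this
# example) and apply it without rebooting with: sysctl -p <that file>.
ip_forward_dropin() {
    printf 'net.ipv4.ip_forward = %s\n' "$1"
}

# Stand-alone run: report the real kernel value and show the drop-in
# that would pin an end host to "disabled".
state=$(ip_forward_state) || state=unreadable
echo "ip_forward is currently: $state"
echo "drop-in for an end host:"
ip_forward_dropin 0
```

The script only reads the kernel value; enabling forwarding stays an explicit, root-only action (sysctl -w, as above), which is the behaviour you want from an audit tool.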
To keep ip_forward enabled after the computer restarts, change the following line in the /etc/network/options file (tested on Ubuntu):
The bridge, used together with ip_forward, is another kernel facility that enables packet exchange between multiple interfaces on the same computer. It lets several ethernet interfaces of a computer work on the same subnet: in bridge mode the eth0 and eth1 interfaces share one bridge address, for example 192.168.1.2 with subnet mask 255.255.255.0. For kernels newer than 2.6.33 only ethernet interfaces can be bridged, i.e. you cannot bridge a wifi and an eth interface, or two wifi interfaces.
There are two reasons why wifi interfaces cannot be bridged. First, most wifi drivers don't support bridging, because they hide the other devices connected to the same wifi network; when the bridge tries to scan for devices behind the wifi interface, the driver blocks the request. Second, if the wifi interface works in managed (infrastructure) mode, the 802.x frame header, according to the standard, lacks a “spot” for the one additional address the bridge needs in order to function.
When two eth interfaces work in bridge mode, devices connected to one interface transparently see every device connected to the other, i.e. they appear to be on the same local network. To make this possible the bridge works between layers 2 and 3 of the OSI model, i.e. it basically works with the devices' MAC addresses rather than with IP addresses.
The bridge must be enabled in the kernel options: set Networking → 802.1d Ethernet Bridging to either yes or module. Afterwards, install the bridge-utils package. To check that the module is loaded, look for bridge in /proc/modules. If it is, try the console command brctl. You should see something like this (bridge tool documentation, date of access 30.12.2012):
brctl commands:
        addbr           <bridge>                add bridge
        delbr           <bridge>                delete bridge
        addif           <bridge> <device>       add interface to bridge
        delif           <bridge> <device>       delete interface from bridge
        setageing       <bridge> <time>         set ageing time
        setbridgeprio   <bridge> <prio>         set bridge priority
        setfd           <bridge> <time>         set bridge forward delay
        sethello        <bridge> <time>         set hello time
        setmaxage       <bridge> <time>         set max message age
        setpathcost     <bridge> <port> <cost>  set path cost
        setportprio     <bridge> <port> <prio>  set port priority
        show                                    show a list of bridges
        showmacs        <bridge>                show a list of mac addrs
        showstp         <bridge>                show bridge stp info
        stp             <bridge> <state>        turn stp on/off
To put two or more eth interfaces into bridge mode, they must be up but have no network address or mask set. As mentioned earlier, the ip_forward option must be enabled to exchange packets between them successfully. To set up the bridge, enter the following commands:
$ brctl addbr br0                                    // creates bridge, for example br0
$ brctl addif br0 eth0                               // adds first interface
$ brctl addif br0 eth1                               // adds second interface
$ ifconfig br0 192.168.1.2 netmask 255.255.255.0 up  // sets up bridge with address and subnet mask
To check the bridge's mode and port states, type:
$ brctl showstp <bridge_name>
To check which devices are connected to the interfaces, type:
$ brctl showmacs <bridge_name>
You should see something like this:
port no mac addr                is local?       ageing timer
  1     00:00:4c:9f:0b:ae       no                17.84
  1     00:00:4c:9f:0b:d2       yes                0.00
  2     00:00:4c:9f:0b:d3       yes                0.00
  1     00:02:55:1a:35:09       no                53.84
  1     00:02:55:1a:82:87       no                11.53
...
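The showmacs listing is the bridge's forwarding table, and from a defender's point of view it is an inventory of every device seen behind each port. The script below is an added example, not code from the tutorial or from bridge-utils: it parses the showmacs format shown above (the sample is constructed from that listing), reports the remote, non-local addresses per port, and flags any address that is not in a known-device list. The inventory contents are constructed values.

```shell
#!/bin/sh
# Added example (not from the original tutorial): parse "brctl showmacs"
# output and report remote MAC addresses, their ports and ageing timers,
# plus any address that is not in a known-device inventory.

# Constructed sample of "brctl showmacs br0" output, in the tool's layout.
SAMPLE_SHOWMACS='port no mac addr                is local?       ageing timer
  1     00:00:4c:9f:0b:ae       no                17.84
  1     00:00:4c:9f:0b:d2       yes                0.00
  2     00:00:4c:9f:0b:d3       yes                0.00
  1     00:02:55:1a:35:09       no                53.84
  1     00:02:55:1a:82:87       no                11.53'

# Constructed inventory of devices that are expected on the bridge.
KNOWN_MACS='00:00:4c:9f:0b:ae
00:02:55:1a:35:09'

# Print "port mac ageing" for every remote address (is local? == no),
# skipping the header line. Reads showmacs output from stdin.
remote_macs() {
    awk 'NR > 1 && $3 == "no" { print $1, $2, $4 }'
}

# Number of remote addresses learned on one port. A sudden jump on a
# single port is a cheap indicator of a new device or of MAC flooding.
remote_count_on_port() {
    awk -v p="$1" 'NR > 1 && $3 == "no" && $1 == p { n++ } END { print n + 0 }'
}

# Print remote addresses that are missing from the inventory given as
# the first argument (one MAC per line, case-insensitive).
unknown_macs() {
    remote_macs | awk -v inv="$1" '
        BEGIN {
            n = split(inv, a, "\n")
            for (i = 1; i <= n; i++) known[tolower(a[i])] = 1
        }
        !(tolower($2) in known) { print $2 }'
}

# Stand-alone run over the constructed sample. On a real system replace
# the printf with: brctl showmacs br0 | remote_macs
echo "remote addresses (port mac ageing):"
printf '%s\n' "$SAMPLE_SHOWMACS" | remote_macs
echo "addresses not in inventory:"
printf '%s\n' "$SAMPLE_SHOWMACS" | unknown_macs "$KNOWN_MACS"
```

The parser is tied to brctl's column layout. Current distributions ship the same forwarding table through iproute2 as `bridge fdb show br br0`, whose columns differ, so the awk field positions would need adjusting there.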
To delete the bridge, first remove every interface from it:
$ brctl delif br0 eth0
$ brctl delif br0 eth1
$ brctl delbr br0
It is possible to have multiple and redundant bridges. In that case it is useful to enable the Spanning Tree Protocol (STP), which takes care of packet exchange between devices and ensures that packets always take the shortest path and avoid cyclic routes. More details on STP can be found in the bridge documentation (date of access 30.12.2012).
From Wikipedia: “iptables are tables provided by the Linux kernel firewall (implemented as different Netfilter modules) and chains and rules it stores. Different kernel modules and programs are currently used for different protocols; iptables applies to IPv4, ip6tables to IPv6, arptables to ARP, and ebtables to Ethernet frames.
iptables require elevated privileges to operate and must be executed by user root, otherwise it fails to function. On most Linux systems, iptables is installed as /usr/sbin/iptables and documented in its man pages which can be opened using man iptables when installed. It can also be found in /sbin/iptables, but since iptables is more like a service rather than an “essential binary”, the preferred location remains /usr/sbin.”
The iptables utility has many uses: dropping traffic that matches expressions, redirecting packets to different ports and addresses, changing source addresses, opening and blocking ports, and so on.
When the computer receives a packet, it passes through the following chains of rules:
As can be seen, there are several levels of filtering, with several tables on each level. The tables contain chains of rules. There are three tables: MANGLE, FILTER and NAT.
Rules in a table specify actions, which depend on the table and on the filtering level. The actions are called targets.
With the MANGLE table you can only change packet headers, so its valid targets are TOS (type of service), TTL (time to live) and MARK. The MANGLE table can be included on any level: PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING.
For example (iptables examples, date of access 30.12.2012):
$ iptables -t mangle -A OUTPUT ... -j TOS --set-tos <tos>
The FILTER table is the default table and is where the actual filtering should be done. It can be included on the following levels: INPUT, FORWARD, OUTPUT. Common actions (targets) for this table are ACCEPT, REJECT and DROP. The difference between the last two is that after REJECT an error message is sent back.
Examples of usage:
$ iptables -A INPUT -s 192.168.1.10 -j DROP                                        // block traffic from 192.168.1.10
$ iptables -A OUTPUT -d <domain> -j DROP                                           // block specific domain, for example www.facebook.com
$ iptables -A INPUT -s 192.168.1.0/24 -p icmp --icmp-type echo-request -j ACCEPT   // accept ping request only from certain network
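The rules above add individual DROP and ACCEPT entries to a chain whose default policy is still ACCEPT. The usual hardened layout is the opposite: a DROP policy on INPUT and FORWARD with a short list of explicit ACCEPT rules. The script below is an added example, not from the tutorial or from the iptables project: it generates such a FILTER table ruleset in iptables-restore format for a management network that is allowed to ping and SSH to the host. The management network and SSH port are constructed values; the conntrack state match and the LOG target are standard iptables modules that the tutorial does not cover, and the rate-limited LOG rule before the policy drop is what makes the dropped traffic visible to a detection pipeline.

```shell
#!/bin/sh
# Added example (not from the original tutorial): emit a default-deny
# FILTER table ruleset in the format read by iptables-restore.
# Management network and SSH port are parameters with constructed defaults.

# Accept only a dotted-quad IPv4 network with a prefix length 0..32.
valid_cidr() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

# Print the ruleset. $1 = management network allowed to reach SSH and
# ping, $2 = SSH port (default 22). Fails without output on a bad network,
# so a typo cannot silently produce a rule that matches nothing.
firewall_rules() {
    mgmt="$1"
    ssh_port="${2:-22}"
    valid_cidr "$mgmt" || { echo "invalid network: $mgmt" >&2; return 1; }
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback, and replies to connections this host started
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# ping and SSH only from the management network (cf. the ICMP rule above)
-A INPUT -s $mgmt -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -s $mgmt -p tcp --dport $ssh_port -m conntrack --ctstate NEW -j ACCEPT
# rate-limited log of everything that falls through to the DROP policy
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-DROP: " --log-level 4
COMMIT
EOF
}

# Number of -A rules in the generated set, as a sanity check before loading.
rule_count() {
    firewall_rules "$@" | grep -c '^-A '
}

# Stand-alone run: print the ruleset for a constructed management network.
# Load it (as root) with: firewall_rules 192.168.1.0/24 > rules.v4
#                         iptables-restore < rules.v4
firewall_rules 192.168.1.0/24 22 || true
```

Generating the whole table and loading it atomically with iptables-restore, rather than appending rules one by one as in the examples above, also means the host is never briefly left with a half-built policy.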
NAT (Network Address Translation) is used for changing source and destination addresses and/or ports. It can be included on the following levels: PREROUTING, OUTPUT and POSTROUTING. Its actions are DNAT, SNAT, REDIRECT and MASQUERADE.
The following example redirects all traffic that arrives on port 422 to port 22. This means that an incoming ssh connection can come in on both port 22 and port 422 (http://www.thegeekstuff.com/2011/06/iptables-rules-examples/):
$ iptables -t nat -A PREROUTING -p tcp -d 192.168.102.37 --dport 422 -j DNAT --to-destination 192.168.102.37:22
$ iptables -t nat -A PREROUTING -s 192.168.1.10 -d 192.168.1.15 -j DNAT --to-destination 192.168.1.11   // redirect every packet from host 192.168.1.10
                                                                                                        // initially destined to 192.168.1.15 to host 192.168.1.11
$ iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1.10 -j MASQUERADE                                  // change every packet on interface eth0 that has source
                                                                                                        // address 192.168.1.10 to its own address (eth0 address)
To list iptables rules enter:
$ iptables -L
To list only the rules of a specific table, enter:
$ iptables -L -t nat
To delete all rules, all rules of a specific table, or all rules of a specific chain:
$ iptables --flush
$ iptables --flush -t nat
$ iptables --flush OUTPUT
The console app wavemon is a very nice wireless monitoring tool (mentioned here).
$ sudo apt-get install wavemon
You can also just monitor the /proc/net/wireless file, as described here. Note that link quality is given as a value between 0 and 70.
$ watch -n 1 cat /proc/net/wireless
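Watching the raw file is fine interactively, but for monitoring you usually want the quality as a percentage of the 70 maximum and a threshold that can raise an alert. The script below is an added example, not code from the tutorial: it parses /proc/net/wireless in the layout the kernel uses (the sample content and interface names are constructed), converts the link quality to a percentage and checks it against a threshold.

```shell
#!/bin/sh
# Added example (not from the original tutorial): parse /proc/net/wireless,
# turn the raw link quality (0..70) into a percentage and check a threshold.

# Constructed sample in the kernel's /proc/net/wireless layout: two header
# lines, then one line per interface. The numbers carry a trailing dot.
SAMPLE_WIRELESS='Inter-| sta-|   Quality        |   Discarded packets               | Missed | WE
 face | tus | link level noise |  nwid  crypt   frag  retry   misc | beacon | 22
 wlan0: 0000   52.  -58.  -256        0      0      0      0      0        0
 wlan1: 0000   14.  -85.  -256        0      3      0     12      0        5'

# Print "iface quality level" for every interface line (stdin). awk's
# numeric conversion ("52." + 0) drops the trailing dot for us.
wireless_quality() {
    awk 'NR > 2 { sub(/:$/, "", $1); printf "%s %d %d\n", $1, $3 + 0, $4 + 0 }'
}

# Link quality of one interface as an integer percentage of the 70 maximum.
# Prints nothing if the interface is not listed.
quality_percent() {
    wireless_quality | awk -v i="$1" '$1 == i { printf "%d\n", ($2 * 100) / 70 }'
}

# Return 0 if the interface's quality is at or above the threshold
# percentage, 1 if below, 2 if the interface is absent.
quality_ok() {
    iface="$1"
    threshold="$2"
    pct=$(quality_percent "$iface")
    [ -n "$pct" ] || return 2
    [ "$pct" -ge "$threshold" ]
}

# Stand-alone run over the constructed sample. On a real system use:
#   quality_ok wlan0 50 < /proc/net/wireless || echo "weak link"
echo "iface quality level:"
printf '%s\n' "$SAMPLE_WIRELESS" | wireless_quality
for dev in wlan0 wlan1; do
    if printf '%s\n' "$SAMPLE_WIRELESS" | quality_ok "$dev" 50; then
        echo "$dev: link ok"
    else
        echo "$dev: link below 50%"
    fi
done
```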
Use IPerf to measure your network bandwidth.
Here's an IPerf tutorial explaining some useful options.