User Tools

Site Tools


Linux networking tools

In this tutorial we describe some useful Linux networking tools.


To list all open sockets, use:

  $ sockstat


tcpdump is a command tool for printing network traffic on standard output and/or file. tcpdump is used as:

tcpdump [ -AdDefIKlLnNOpqRStuUvxX ] [ -B buffer_size ] [ -c count ] [ -C file_size ] [ -G rotate_seconds ] [ -F file ] [ -i interface ] [ -m module ] 
        [ -M       secret ] [ -r file ] [ -s snaplen ] [ -T type ] [ -w file ] [ -W filecount ] [ -E spi@ipaddr algo:secret,... ] [ -y datalinktype ] 
        [[ | tcpdump]]. (date of access 30.12.2012.)

Common usage of this tool:

tcpdump -nSs 0 -i eth0

with following options included:

  • n : display but don't resolve host or port names
  • S : print absolute sequence numbers
  • s 0 : define snaplength, value 0 - capture everything
  • i eth0 : define interface to capture traffic from, common interfaces are eth0, wlan0, eth1, wlan1… If you don't know which interfaces are available, use ifconfig tool.

If you want to see packet content both in hex and ASCII format, use -X option:

tcpdump -nXSs 0 -i eth0

If you don't want to enter promiscuous mode, use -p option (in promiscuous mode, the tool captures all traffic going trough the interface regardless of packet's destination, while with -p option it captures only traffic destined to the interface specified with -i option)

tcpdump can capture only specific traffic defined with boolean expression. Through this option it can be defined to capture traffic with specific protocol and/or specific port and/or specific source and/or specific destination… With the following command, the tool captures only tcp messages from the host destined to the network, i.e destined tothe hosts, … :

tcpdump -nSs 0 -i eth0 tcp src host dst net

To dump network traffic to a file use -w option:

tcpdump -nSs 0 -i wlan0 -w capture.cap

To display stored traffic use -r option followed by the saved file name:

tcpdump -nSs 0 -i wlan0 -r capture.cap

More examples can be found in tcpdump (date of access 30.12.2012)


If it's required to exchange packets between different network interfaces (NICs) on the same computer system, there are two very useful Linux kernel utilities: ip_forward and bridge. With these kernel utilities, you are not required to write additional code to exchange packets between different network interfaces.

If ip_forward option is enabled in the Linux kernel, network interfaces will transmit received packets destined to another interfaces. For example, let say we have a most common network configuration with a wireless and a ethernet interface. Furthermore, wifi address is with subnet mask and eth address is with mask If wifi receives any packet destined to network, i.e. destined to eth local network, it is forwarded to the eth interface. Similar, if eth receives any packet destined to network, it is forwarded to the wifi interface.

To check if ip_forward is enabled, use the following command (sudo privileges might be required):

$ sysctl net.ipv4.ip_forward

To temporarily enable ip_forward type:

$ sysctl -w net.ipv4.ip_forward=1

To achieve that if_forward is enabled when computer restarts, change the following line in /etc/network/options file (tested on Ubuntu):

ip_forward 1


Bridge with ip_forward enabled is another kernel utility that enables packet exchange between multiple interfaces on same computer. This utility enables computer's multiple ethernet interfaces to work on the same subnet. In bridge mode eth0 and eth1 interfaces both have the same bridge address, for example with subnet For kernel newer than 2.6.33 it is possible to bridge only ethernet interfaces, i.e. you cannot bridge wifi and eth interface or two wifi interfaces.

There are two reasons why wifi interfaces cannot be bridged. First, most wifi drivers don't support bridging as they disable device visibility connected on the same wifi network. As a result, when bridge utility tries to scan for devices connected to the wifi interface, driver blocks its request. Second, if wifi interface works in managed (infrastructured) mode, according to 802.x standard, there is a “spot” missing in packet's header for one additional address needed for bridge functioning.

When you have two eth interfaces working in a bridge mode, devices connected to one interface transparently see any device connected to the other interface, i.e. it seems that they are connected on the same local network. To make this possible, bridge utility works between level 2 and 3 in a standard OSI model, i.e. basically it works with devices macs rather than with IP addresses.

Bridge must be enabled in kernel options: set networking→802.1d Ethernet Bridging to either yes or module. Afterwards, install bridge-utils module. To check if module is installed check for bridge in folder /proc/modules. If the module is installed, try suing console command brctl. You should see something like this ( bridge tool, date of access 30.12.2012):

      addbr           <bridge>                add bridge
      delbr           <bridge>                delete bridge
      addif           <bridge> <device>       add interface to bridge
      delif           <bridge> <device>       delete interface from bridge
      setageing       <bridge> <time>         set ageing time
      setbridgeprio   <bridge> <prio>         set bridge priority
      setfd           <bridge> <time>         set bridge forward delay
      sethello        <bridge> <time>         set hello time
      setmaxage       <bridge> <time>         set max message age
      setpathcost     <bridge> <port> <cost>  set path cost
      setportprio     <bridge> <port> <prio>  set port priority
      show                                    show a list of bridges
      showmacs        <bridge>                show a list of mac addrs
      showstp         <bridge>                show bridge stp info
      stp             <bridge> <state>        turn stp on/off

To be able to put two or more eth interafaces in the bridge mode, it is required that they are enabled with unset network addresses and masks. As mentioned earlier ip_forward option must be enabled to succesfully exchange packets between them. To set up bridge, enter the following commands:

$ brctl addbr br0 						// creates bridge, for example br0
$ brctl addif br0 eth0 					// adds first interface
$ brctl addif br0 eth1					// adds second interface
$ ifconfig br0 netmask up 		// sets up bridge with address and subnet mask

To check interface's mode type:

$ brctl showstp <bridge_name>

To check devices connected to interfaces type:

$ brctl showmacs <bridge_name>

You should see something like this:

 port no 	mac addr                is local?       ageing timer
 1     	00:00:4c:9f:0b:ae       no                17.84
 1    	        00:00:4c:9f:0b:d2       yes                0.00
 2     	00:00:4c:9f:0b:d3       yes                0.00
 1     	00:02:55:1a:35:09       no                53.84
 1     	00:02:55:1a:82:87       no                11.53

To delete bridge, first remove every bridge interface:

$ brtcl delif br0 eth0
$ brtcl delif br0 eth1
$ brctl delbr br0

It is possible to have multiple and redundant bridges. In that case it is useful to enable Spanning Tree Protocol (SPT) which takes care of packet exchange between devices and ensures packets always take shortest path and avoid cyclic routes. More details on SPT can be found in the following link: bridge (date of access 30.12.2012).


From Wikipedia: “iptables are tables provided by the Linux kernel firewall (implemented as different Netfilter modules) and chains and rules it stores. Different kernel modules and programs are currently used for different protocols; iptables applies to IPv4, ip6tables to IPv6, arptables to ARP, and ebtables to Ethernet frames.

iptables require elevated privileges to operate and must be executed by user root, otherwise it fails to function. On most Linux systems, iptables is installed as /usr/sbin/iptables and documented in its man pages which can be opened using man iptables when installed. It can also be found in /sbin/iptables, but since iptables is more like a service rather than an “essential binary”, the preferred location remains /usr/sbin.”

iptables utility has many possibilities: dropping traffic that matches expressions, routing packets to differents ports and addresses, changing source addresses, opening and blocking ports…

When computer receives packets it passes through the following chains of rules:

As it can be seen there are several levels of filtering, including several tables on each level. Tables actually contain chains of rules. There are three tables: MANGLE, FILTER and NAT.

Table rules have some actions depending on table and filter level. Actions are called targets.

With MANGLE table you can only change packet header, so valid targets are TOS (type of service), TTL (time to live) and MARK. MANGLE table can be included on any level: PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING.

For example ( iptable examples, date of access 30.12.2012):

$ iptables -t mangle -A OUTPUT ... -j TOS --set-tos <tos>

FILTER table is the default table and here the actual filtering should be done. It can be included on following levels: INPUT, FORWARD, OUTPUT. Common actions (targets) for this table are ACCEPT, REJECT and DROP. Difference between last two is that after REJECT an error message is send back.

Examples of usage:

$ iptables -A INPUT -s -j DROP	                                        // block traffic from
$ iptables -A OUTPUT -d <domain> -j DROP							// block specific domain, for example
$ iptables -A INPUT -s -p icmp --icmp-type echo-request -j ACCEPT		// accept ping request only from certain network

NAT (Network Address Translation) is used for changing host and destination address and/or ports. It can be included on following levels: PREROUTING, OUTPUT and POSTROUTING. Actions are DNAT, SNAT, REDIRECT and MASQUERADE.

The following example routes all traffic that comes to the port 442 to 22. This means that the incoming ssh connection can come from both port 22 and 422 (

$ iptables -t nat -A PREROUTING -p tcp -d --dport 422 -j DNAT --to-destination

More examples:

$ iptables -t nat -A PREROUTING -s -d -j DNAT --to-destination   // redirect every traffic from host
                                                                                                   // initialy destined to to host
$ iptabels -t nat -A POSTROUTING -o eth0 -s -j MASQUERADE				    // change every packet on interface eth0 that has source
                                                                                                   // address to its own address (eth0 address)

To list iptables rules enter:

$ iptables -L

To list only specific table rule enter:

$ iptables -L -t nat

To delete all rules, specific table or specific chain:

$ iptables --flush
$ iptables --flush -t nat
$ iptables --flush OUTPUT


Measuring wireless signal strength

The console app wavemon is a very nice (mentioned here).

$ sudo apt-get install wavemon

You can also just monitor the /proc/net/wireless file as described here. Note that link quality is given as a value between 0 and 70.

$ watch -n 1 cat /proc/net/wireless

Measuring network throughput

Use IPerf to obtain information about your network bandwidth.

Here's a IPerf tutorial explaining some useful options.

Wireless general

software/network.txt · Last modified: 2017/05/12 09:29 (external edit)