The ifconfig and netstat commands are incredibly useful, but there are many other commands that can help you see what’s up with you network on Linux systems. Today’s post explores some very handy commands for examining network connections.
The ip command shows a lot of the same kind of information that you’ll get when you use ifconfig. Some of the information is in a different format – e.g., “192.168.0.6/24” instead of “inet addr:192.168.0.6 Bcast:192.168.0.255” and ifconfig is better for packet counts, but the ip command has many useful options.
First, here’s the ip a command listing information on all network interfaces.
$ ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000 link/ether 00:1e:4f:c8:43:fc brd ff:ff:ff:ff:ff:ff inet 192.168.0.6/24 brd 192.168.0.255 scope global eth0 valid_lft forever preferred_lft forever inet6 fe80::21e:4fff:fec8:43fc/64 scope link valid_lft forever preferred_lft forever
If you want only to see a simple list of network interfaces, you can limit its output with grep.
$ ip a | grep inet inet 127.0.0.1/8 scope host lo inet6 ::1/128 scope host inet 192.168.0.6/24 brd 192.168.0.255 scope global eth0 inet6 fe80::21e:4fff:fec8:43fc/64 scope link
You can get a glimpse of your default route using a command like this:
$ ip route show default via 192.168.0.1 dev eth0 192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.6
In this output, you can see that the default gateway is 192.168.0.1 through eth0 and that the local network is the fairly standard 192.168.0.0/24.
You can also use the ip command to bring network interfaces up and shut them down.
$ sudo ip link set eth1 up $ sudo ip link set eth1 down
Another very useful tool for examining networks is ethtool. This command provides a lot of descriptive data on network interfaces.
$ ethtool eth0 Settings for eth0: Supported ports: [ TP ] Supported link modes: 10baseT/Half 10baseT/Full 100baseT/Half 100baseT/Full 1000baseT/Full Supported pause frame use: No Supports auto-negotiation: Yes Advertised link modes: 10baseT/Half 10baseT/Full 100baseT/Half 100baseT/Full 1000baseT/Full Advertised pause frame use: No Advertised auto-negotiation: Yes Speed: 100Mb/s Duplex: Full Port: Twisted Pair PHYAD: 1 Transceiver: internal Auto-negotiation: on MDI-X: on (auto) Cannot get wake-on-lan settings: Operation not permitted Current message level: 0x00000007 (7) drv probe link Link detected: yes
You can also use the ethtool command to examine ethernet driver settings.
$ ethtool -i eth0 driver: e1000e version: 3.2.6-k firmware-version: 1.4-0 expansion-rom-version: bus-info: 0000:00:19.0 supports-statistics: yes supports-test: yes supports-eeprom-access: yes supports-register-dump: yes supports-priv-flags: no
This autonegotiation details can be displayed with a command like this:
$ ethtool -a eth0 Pause parameters for eth0: Autonegotiate: on RX: on TX: on
The traceroute command displays routing pathways. It works by using the TTL (time to live) field in the packet header in a series of packets to capture the path that packets take and how long they take to get from one hop to the next. Traceroute’s output helps to gauge the health of network connections, since some routes might take much longer to reach the eventual destination.
$ sudo traceroute world.std.com traceroute to world.std.com (126.96.36.199), 30 hops max, 60 byte packets 1 192.168.0.1 (192.168.0.1) 3.691 ms 3.678 ms 3.665 ms 2 10.224.64.1 (10.224.64.1) 26.273 ms 27.354 ms 28.574 ms 3 10.20.0.33 (10.20.0.33) 28.293 ms 30.625 ms 33.959 ms 4 10.20.0.226 (10.20.0.226) 36.807 ms 37.868 ms 37.857 ms 5 188.8.131.52 (184.108.40.206) 38.256 ms 39.091 ms 40.429 ms 6 ash-b1-link.telia.net (220.127.116.11) 41.612 ms 28.214 ms 29.573 ms 7 xe-1-3-1.er1.iad10.us.zip.zayo.com (18.104.22.168) 30.429 ms 27.915 ms 29.065 ms 8 ae6.cr1.dca2.us.zip.zayo.com (22.214.171.124) 31.353 ms 32.413 ms 33.821 ms 9 ae27.cs1.dca2.us.eth.zayo.com (126.96.36.199) 43.474 ms 44.519 ms 46.037 ms 10 ae4.cs1.lga5.us.eth.zayo.com (188.8.131.52) 48.107 ms 48.960 ms 50.024 ms 11 ae8.mpr3.bos2.us.zip.zayo.com (184.108.40.206) 51.626 ms 51.200 ms 39.283 ms 12 220.127.116.11.t495-rtr.towerstream.com (18.104.22.168) 40.233 ms 41.295 ms 39.651 ms 13 22.214.171.124 (126.96.36.199) 44.955 ms 46.210 ms 55.673 ms 14 188.8.131.52 (184.108.40.206) 56.076 ms 56.064 ms 56.052 ms 15 world.std.com (220.127.116.11) 63.440 ms 63.886 ms 63.870 ms
The tcptraceroute command does basically the same thing as traceroute except that it is able to bypass the most common firewall filters. As the command’s man page explains, tcptraceroute sends out TCP SYN packets instead of UDP or ICMP ECHO packets, thus making it less susceptible to being blocked.
The tcpdump command allows you to capture network packets for later analysis. With the -D option, it lists available interfaces.
$ tcpdump -D 1.eth0 [Up, Running] 2.any (Pseudo-device that captures on all interfaces) [Up, Running] 3.lo [Up, Running, Loopback] 4.nflog (Linux netfilter log (NFLOG) interface) 5.nfqueue (Linux netfilter queue (NFQUEUE) interface) 6.usbmon1 (USB bus number 1) 7.usbmon2 (USB bus number 2) 8.usbmon3 (USB bus number 3) 9.usbmon4 (USB bus number 4) 10.usbmon5 (USB bus number 5) 11.usbmon6 (USB bus number 6) 12.usbmon7 (USB bus number 7)
The -v (verbose) option controls how much detail you will see — more v’s, more details, but more than three v’s doesn’t add anything more.
$ sudo tcpdump -vv host 192.168.0.32 tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes 20:26:31.321816 IP (tos 0x10, ttl 64, id 22411, offset 0, flags [DF], proto TCP (6), length 184) 192.168.0.6.ssh > 192.168.0.32.57294: Flags [P.], cksum 0x8221 (incorrect -> 0x0254), seq 3891093411:3891093555, ack 2388988308, win 329, length 144 20:26:31.321984 IP (tos 0x10, ttl 64, id 22412, offset 0, flags [DF], proto TCP (6), length 200) 192.168.0.6.ssh > 192.168.0.32.57294: Flags [P.], cksum 0x8231 (incorrect -> 0x3db0), seq 144:304, ack 1, win 329, length 160 20:26:31.323791 IP (tos 0x0, ttl 128, id 20259, offset 0, flags [DF], proto TCP (6), length 40) 192.168.0.32.57294 > 192.168.0.6.ssh: Flags [.], cksum 0x643d (correct), seq 1, ack 304, win 385, length 0 20:26:31.383954 IP (tos 0x10, ttl 64, id 22413, offset 0, flags [DF], proto TCP (6), length 248) ...
Expect to see a lot of output when you run commands like this one.
This command captures 11 packets from a specific host and over eth0. The -w option identifies the file that will contain the capture packets. In this example command, we’ve only asked to capture 11 packets.
$ sudo tcpdump -c 11 -i eth0 src 192.168.0.32 -w packets.pcap tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes 11 packets captured 11 packets received by filter 0 packets dropped by kernel
The arp command maps IPv4 addresses to hardware addresses. The information provided can also be used to identify the systems to some extent, since the network adaptors in use can tell you something about the systems using them. The second MAC address below, starting with f8:8e:85, is easily identified as a Comtrend router.
$ arp -a ? (192.168.0.12) at b0:c0:90:3f:10:15 [ether] on eth0 ? (192.168.0.1) at f8:8e:85:35:7f:b9 [ether] on eth0
The first line above shows the MAC address for the network adaptor on the system itself. This network adaptor appears to have been manufactured by Chicony Electronics in Taiwan. You can look up MAC address associations fairly easily on the web with tools such as this one from Wireshark — https://www.wireshark.org/tools/oui-lookup.html