Network tools in Linux

Linux is installed mostly on servers, where network management is very important. Basic Linux knowledge therefore includes networking: network configuration, network monitoring and network troubleshooting. Linux offers professional command-line tools for network management. In this guide we will introduce you to some of them.

Linux distributions ship with many preinstalled network tools, and there are also popular tools that have to be installed separately (e.g. traceroute or nmap). In this guide we will focus on the preinstalled tools that are available immediately after the OS is installed.

Ping tool

One of the simplest network tools is ping (Packet InterNet Groper). Ping checks whether the connection between two network interfaces in a TCP/IP network is working.

With the following command we can verify the connection between the computer we are currently logged in to and the web server of the Active24 company.

ping active24.cz

After sending, let's say, 10 IP packets, we press Ctrl + C to end the ping tool. After ping terminates, we can see statistics that tell us how many IP packets were sent, how many were received and how many milliseconds the operation took. The more IP packets were acknowledged by the other side (ideally 100%), the more stable the connection is.

More about the tool can be learned from the official source:

man ping
ping -h

Tracepath tool

If the ping tool displays lost packets (meaning the other side did not receive them), it is useful to use the tracepath tool to determine where the connection failed. We can learn which packet was not received and thus locate the problem and find a better solution.

With this we can find the path taken by the ping we sent above:

tracepath active24.cz

It lists the servers (nodes) through which the packet traveled to our server and the time in milliseconds it took to reach each of them. If the number of milliseconds is too large, or if a connection has not been established (marked as “no reply”), it can indicate a problem that we can now address.

More about this tool can be learned from the official source:

man tracepath
tracepath

IP tool

It is a complex tool that replaces its older predecessors ifconfig, route, arp, iptunnel, nameif, ifrename, ipmaddr or netstat and is preinstalled in most Linux distributions. Thanks to the ip (Internet Protocol) tool we can display and change the existing network settings.

Changing the network configuration is not allowed on any Active24 server product.

The syntax is ip setting object command. With the setting we can display statistics (-s), and with the object (a or addr, abbreviations of address) we can show the IP addresses of the individual network devices as follows:

ip -s a show

If we omitted the optional setting -s (so the command would be ip a show), all devices would be displayed with basic details about their IP addresses. With the setting -s, packet statistics are displayed as well. The object a can be replaced with the longer version addr or with the whole word address and the result will be the same. At the end is the command show, which specifies that we want to display the IP addresses of the individual network devices.

Besides the command show, the object address (or the shorter versions addr or a) accepts other commands that allow us to change the IP address configuration (like add or del). The whole list of commands for the object address (or the shorter versions addr or a) can be obtained with the command:

ip a help

The object link (l for short) displays and manages the individual network devices – first line. The object route (r for short) is used to manage the routing table – second line. The MAC addresses of devices can be managed via the object neighbor (short version neigh or n) – third line.

ip l show
ip r list
ip n show

If you need to learn more about the above-mentioned objects link, route or neighbor, you can replace the command show or list at the end with help:

ip l help
ip r help
ip n help

A better overview of the settings, objects and commands of the whole ip tool can be obtained with the commands:

man ip
ip help

ss tool

Similarly to ip, the ss (Socket Statistics) tool replaces its predecessor netstat. Both netstat and ss display active connections, but the newer ss is able to list more detailed information and works faster. If we run the command ss, only established connections will appear:

ss

We can use the switch -a (--all) to display listening sockets as well:

ss -a

We can filter by type, whether it is a TCP (switch -t) or UDP (switch -u) connection. We can also show only IPv4 (switch -4) or IPv6 (switch -6). All filters can be combined, even with the switch -a:

ss -at
ss -au
ss -a4
ss -a6

It is very important that you can filter by port as well. With that we can display only connections via the SSH protocol – by the port number (first line) or by the service name (second line):

ss -at '( dport = :22 or sport = :22 )'
ss -at '( dport = :ssh or sport = :ssh )'

We can also learn which connections (if any) have been established from a specific address to our computer:

ss dst IP_address

We replace IP_address with the IP address we want information about.

On the other hand, if we need to learn whether our computer has established a connection with a specific IP address, we will use:

ss src IP_address

We replace IP_address with the IP address we want information about.

More about this tool can be learned from the official source:

man ss
ss -h
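
The listening sockets that ss -a adds to the list are the ones worth reviewing on a server. As an added example (not part of the original article), this script classifies the output of ss -Hltn by bind address and reports ports reachable from other hosts that are not on an allowlist; the sample output, the function names and the allowlist are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit listening sockets from `ss -Hltn` output.

# Constructed sample output (documentation addresses, not from a real host).
# The last line carries a Netid column, as printed by e.g. `ss -Hltun`.
sample_ss_output() {
cat <<'EOF'
LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
LISTEN 0      4096       127.0.0.1:5432       0.0.0.0:*
LISTEN 0      511                *:80               *:*
LISTEN 0      128             [::]:22            [::]:*
LISTEN 0      4096           [::1]:6379          [::]:*
tcp   LISTEN 0      128   192.0.2.10:8443       0.0.0.0:*
EOF
}

# Read ss output on stdin; print "scope port address" for every socket.
classify_listeners() {
    awk '
    {
        # ss omits the Netid column when one protocol is selected, so the
        # local address is field 4; with Netid (tcp/udp) first it is field 5.
        col = ($1 == "LISTEN" || $1 == "UNCONN") ? 4 : 5
        la = $col
        if (!match(la, /:[^:]*$/)) next          # last colon precedes the port
        addr = substr(la, 1, RSTART - 1); port = substr(la, RSTART + 1)
        sub(/%.*$/, "", addr)                    # drop scope, e.g. 127.0.0.53%lo
        if (addr ~ /^127\./ || addr == "[::1]") scope = "loopback"
        else if (addr == "0.0.0.0" || addr == "[::]" || addr == "*") scope = "all-interfaces"
        else scope = "specific"
        print scope, port, addr
    }' | LC_ALL=C sort -k1,1 -k2,2n -k3,3
}

# Print "port address" for sockets reachable from other hosts whose port is
# not in the space-separated allowlist passed as $1.
unexpected_listeners() {
    classify_listeners | awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 != "loopback" && !($2 in ok) { print $2, $3 }'
}

# On a live host: ss -Hltn | unexpected_listeners "22 80"
sample_ss_output | unexpected_listeners "22 80"
```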

Tcpdump tool

With the help of the tcpdump tool we are able to track and record TCP/IP packets in the network in real time. Many settings and filters are available, with which you can extract very specific information from the network communication. Thanks to these properties, tcpdump is very popular among server administrators, who deploy it to detect network problems.

Tcpdump is used with administrator rights, which is why it requires sudo at the beginning. To follow the network communication on a specific network device, we first need to check which devices are available:

sudo tcpdump -D

This command lists the network devices, one of which is named any. It is a virtual network device through which the network communication of all network devices passes. To get an overview of the network communication, we will track this device:

sudo tcpdump -i any

A record of all network communication will start, which can be ended with Ctrl + C. For better orientation we will limit the number of records to ten (-c 10) and disable the translation of IP addresses and ports to names (-nn):

sudo tcpdump -i any -c 10 -nn

We may want to record communication only on a specific port (port 80 – HTTP) or from a specific source (src IP_address). In that case we add a filter at the end:

sudo tcpdump -i any -c 10 -nn port 80 and src IP_address

We replace IP_address with the IP address we want information about.

Or we can track even multiple IP addresses:

sudo tcpdump -i any -c 10 -nn 'port 80 and (src IP_address_1 or src IP_address_2)'

We replace IP_address_1 and IP_address_2 with the IP addresses we want information about. The filter is quoted so that the shell does not interpret the parentheses.

And with the setting -A we can even display and record the content of the transferred packets.

sudo tcpdump -i any -c 10 -nn -A port 80

A common standard is to record the findings to a .pcap file (here webserver.pcap) with the help of the setting -w:

sudo tcpdump -i any -c 10 -nn -A -w webserver.pcap port 80

Such a recording can be scheduled to run repeatedly in the future via the cron tool (see the cron settings in the Linux processes knowledge base article).
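
As an added example (not part of the original article), a wrapper that cron can call to repeat the capture above with a time limit, owner-only file permissions and automatic removal of old files. The directory /var/log/pcap, the seven-day retention, the limits, the script path and the function names are assumptions; the directory must already exist and be writable by the account tcpdump writes files as.

```sh
#!/bin/sh
# Added example: cron-friendly wrapper around the capture command above.
# CAPTURE_DIR, KEEP_DAYS and the limits below are assumptions; adjust them.
CAPTURE_DIR="${CAPTURE_DIR:-/var/log/pcap}"
KEEP_DAYS="${KEEP_DAYS:-7}"

# Print a unique, sortable path for the next capture file.
capture_file() {
    printf '%s/webserver-%s.pcap\n' "$CAPTURE_DIR" "$(date -u +%Y%m%dT%H%M%SZ)"
}

# Delete captures older than KEEP_DAYS days; other files are left alone.
prune_captures() {
    find "$CAPTURE_DIR" -type f -name 'webserver-*.pcap' \
        -mtime +"$KEEP_DAYS" -exec rm -f {} +
}

# Record at most 1000 packets or 60 seconds of port-80 traffic.
capture_once() {
    [ -d "$CAPTURE_DIR" ] || return 1
    umask 077                      # payloads may hold credentials: owner-only
    out=$(capture_file)
    timeout 60 tcpdump -i any -c 1000 -nn -w "$out" port 80
    rc=$?
    # 124 means timeout stopped a quiet capture; that is not a failure.
    [ "$rc" -eq 0 ] || [ "$rc" -eq 124 ] || return "$rc"
    prune_captures
}

# Run as root from cron, e.g. hourly (crontab line, assumed install path):
#   0 * * * * /usr/local/sbin/webserver-capture.sh run
if [ "${1:-}" = "run" ]; then
    capture_once
fi
```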

More about this tool can be learned from the official source:

man tcpdump
tcpdump -h

Dig tool

Dig (Domain Information Groper) replaces its older predecessors nslookup or host and serves for listing information about DNS records of type A (IP address), TXT (text notes), MX (mail exchanges), NS (nameservers) and so on. All types of DNS records for the domain active24.cz are listed with the command:

dig active24.cz any

If we need only the IP address of the domain, we can ask for the short version (+short) of the type A DNS record:

dig active24.cz a +short

More about this tool can be learned from the official source:

man dig
dig -h

W tool

The one-character tool w lists the currently connected users. It is a combination of the tools who, uptime and ps -a, so the login time and system usage are also displayed:

w

More about this tool can be learned from the official source:

man w
w --help

Last tool

The tool for listing the most recently connected users is last. With this command we can list, for example, the last ten logged-in users:

last -n 10

In connection with the most recently logged-in users, it is useful to check the system records of the last successful logins (first line), and also the list of users (second line) and groups (third line):

sudo grep Accepted /var/log/auth.log
less /etc/passwd
less /etc/group
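
Searching for the word Accepted matches it anywhere in a line, including inside a user name. As an added example (not part of the original article), this script counts only genuine sshd "Accepted" messages per user, source address and method, and lists password and root logins for review; the log lines and function names are constructed for illustration.

```sh
#!/bin/sh
# Added example: summarize successful SSH logins from auth.log lines.

# Constructed sample lines (documentation addresses, not from a real host).
# Line 2 is a failed login whose user name is "Accepted"; line 5 uses an
# ISO 8601 timestamp and the sshd-session process name seen on newer systems.
sample_auth_log() {
cat <<'EOF'
Dec 18 08:01:12 web1 sshd[2101]: Accepted publickey for alice from 203.0.113.7 port 50122 ssh2
Dec 18 08:15:40 web1 sshd[2144]: Failed password for invalid user Accepted from 198.51.100.23 port 40110 ssh2
Dec 18 09:02:05 web1 sshd[2290]: Accepted password for root from 198.51.100.23 port 40188 ssh2
Dec 18 09:30:51 web1 sshd[2333]: Accepted publickey for alice from 203.0.113.7 port 50950 ssh2
2024-12-18T10:11:09+01:00 web1 sshd[2410]: Accepted password for bob from 192.0.2.44 port 61022 ssh2
EOF
}

# Read log lines on stdin; print "count user source method", busiest first.
accepted_logins() {
    awk '
    {
        # Locate the sshd tag instead of assuming a fixed timestamp width.
        p = 0
        for (i = 1; i <= NF; i++)
            if ($i ~ /^sshd(-session)?\[[0-9]+\]:$/) { p = i; break }
        # "Accepted" must be the first word of the message itself.
        if (!p || $(p+1) != "Accepted" || $(p+3) != "for" || $(p+5) != "from") next
        count[$(p+4) " " $(p+6) " " $(p+2)]++
    }
    END { for (k in count) print count[k], k }' | LC_ALL=C sort -k1,1nr -k2
}

# Logins worth a second look: password authentication or the root account.
risky_logins() {
    accepted_logins | awk '$4 == "password" || $2 == "root"'
}

# On a live host: sudo cat /var/log/auth.log | accepted_logins
sample_auth_log | accepted_logins
```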

More about the tool last can be learned from the official source:

man last
last -h

Summary

We have introduced the network tools from the iproute2 package (ip, ss), which are gradually replacing the older and slower tools from the net-tools package (ifconfig, route, arp, iptunnel, nameif, ifrename, ipmaddr or netstat). We have taken a deep dive into network communication with the tcpdump tool. We have also shown you how and when to use the simple tools ping, tracepath, last, dig and w.

Updated on December 18, 2024
