Site Feed

Friday, October 28, 2011

Advanced Linux Networking Tools

Some of the more common tools for advanced networking include: tcpdump, netstat, wireshark, and tshark.

A previous article covered Basic Linux Networking Tools.

Discover Switch Information

Now for the advanced stuff. We use tcpdump, and write it to a file pkt.cap. Then we use tshark to read the file.

How to check the router to which the linux host is connected.

# tcpdump -nvi eth0 -c 1 -s 1500 -w pkt.cap ether proto 0xaa and ether dst 01:00:0c:cc:cc:cc and ether\[20\] \=\= 0x20 and ether\[21\] \=\= 0x00
# tshark -V -r pkt.cap

# tcpdump -nvi eth0 -c 1 -s 1500 -w pkt.cap ether proto 0xaa and ether dst 01:00:0c:cc:cc:cc and ether\[20\] \=\= 0x20 and ether\[21\] \=\= 0x00;tshark -V -r pkt.cap
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 1500 bytes
1 packets captured
1 packets received by filter
0 packets dropped by kernel
Running as user "root" and group "root". This could be dangerous.
Frame 1 (416 bytes on wire, 416 bytes captured)
Arrival Time: Aug 26, 2011 12:49:00.909559000
[Time delta from previous captured frame: 0.000000000 seconds]
[Time delta from previous displayed frame: 0.000000000 seconds]
[Time since reference or first frame: 0.000000000 seconds]
Frame Number: 1
Frame Length: 416 bytes
Capture Length: 416 bytes
[Frame is marked: False]
[Protocols in frame: eth:llc:cdp:data]
IEEE 802.3 Ethernet
Destination: CDP/VTP/DTP/PAgP/UDLD (01:00:0c:cc:cc:cc)
Address: CDP/VTP/DTP/PAgP/UDLD (01:00:0c:cc:cc:cc)
.... ...1 .... .... .... .... = IG bit: Group address (multicast/broadcast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Source: 00:27:0c:b0:5d:87 (00:27:0c:b0:5d:87)
Address: 00:27:0c:b0:5d:87 (00:27:0c:b0:5d:87)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Length: 402
Logical-Link Control
DSAP: SNAP (0xaa)
IG Bit: Individual
SSAP: SNAP (0xaa)
CR Bit: Command
Control field: U, func=UI (0x03)
000. 00.. = Command: Unnumbered Information (0x00)
.... ..11 = Frame type: Unnumbered frame (0x03)
Organization Code: Cisco (0x00000c)
PID: CDP (0x2000)
Cisco Discovery Protocol
Version: 2
TTL: 180 seconds
Checksum: 0xde0a [correct]
[Good: True]
[Bad : False]
Device ID:
Type: Device ID (0x0001)
Length: 33
Device ID:
Software Version
Type: Software version (0x0005)
Length: 190
Software Version: Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 12.2(44)SE6, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Mon 09-Mar-09 18:10 by gereddy
Platform: cisco WS-C2960G-24TC-L
Type: Platform (0x0006)
Length: 26
Platform: cisco WS-C2960G-24TC-L
Type: Addresses (0x0002)
Length: 17
Number of addresses: 1
IP address:
Protocol type: NLPID
Protocol length: 1
Protocol: IP
Address length: 4
IP address:
Port ID: GigabitEthernet0/7
Type: Port ID (0x0003)
Length: 22
Sent through Interface: GigabitEthernet0/7
Type: Capabilities (0x0004)
Length: 8
Capabilities: 0x00000028
.... .... .... .... .... .... .... ...0 = Not a Router
.... .... .... .... .... .... .... ..0. = Not a Transparent Bridge
.... .... .... .... .... .... .... .0.. = Not a Source Route Bridge
.... .... .... .... .... .... .... 1... = Is a Switch
.... .... .... .... .... .... ...0 .... = Not a Host
.... .... .... .... .... .... ..1. .... = Is IGMP capable
.... .... .... .... .... .... .0.. .... = Not a Repeater
Protocol Hello: Cluster Management
Type: Protocol Hello (0x0008)
Length: 36
OUI: 0x00000C (Cisco)
Protocol ID: 0x0112 (Cluster Management)
Cluster Master IP:
Version?: 0x01
Sub Version?: 0x02
Status?: 0x21
Cluster Commander MAC: 00:00:00:00:00:00
Switch's MAC: 00:27:0c:b0:5d:80
Management VLAN: 0
VTP Management Domain:
Type: VTP Management Domain (0x0009)
Length: 4
VTP Management Domain:
Native VLAN: 205
Type: Native VLAN (0x000a)
Length: 6
Native VLAN: 205
Duplex: Full
Type: Duplex (0x000b)
Length: 5
Duplex: Full
Trust Bitmap: 0x00
Type: Trust Bitmap (0x0012)
Length: 5
Trust Bitmap: 00
Untrusted port CoS: 0x00
Type: Untrusted Port CoS (0x0013)
Length: 5
Untrusted port CoS: 00
Management Addresses
Type: Management Address (0x0016)
Length: 17
Number of addresses: 1
IP address:
Protocol type: NLPID
Protocol length: 1
Protocol: IP
Address length: 4
IP address:
Power Available: 0 mW, 4294967295 mW
Type: Power Available (0x001a)
Length: 16
Request-ID: 0
Management-ID: 1
Power Available: 0 mW
Power Available: 4294967295 mW


Another valuable tool is netstat

netstat - Print network connections, routing tables, interface statistics, masquerade connections, and multicast memberships

To find out what port a service, such as sshd is listening on, use something like this:

# netstat -alp |grep ssh

tcp 0 0 *:ssh *:* LISTEN 3002/sshd

unix 2 [ ACC ] STREAM LISTENING 27251 4387/ssh-agent /tmp/ssh-tOqWgf4348/agent.4348

Note that some of these commands require root, or sudo. If you are not logged in as root, use sudo in front of the command. Also, most of the utilities are found in /sbin, or /usr/sbin.

Network Drivers

Another advanced topic is network drivers. The last time I checked, discussed /etc/modules.conf, but in newer versions of redhat variants the file has changed to /etc/modprobe.conf or /etc/modprobe.d/modprobe.conf.dist. Any of those files should have basically the same information:

alias eth0 module_name
options module_name option1=value1 option2=value2 ...

It may look something like this:

alias eth0 e1000


alias eth0 tg3

depending on the type of network card or module that is installed on the system.

Other Advanced Networking Topics

There are more topics to be covered, such as how to configure multiple NICs, how to use network configuration utilities, other tools, such as nmap, and configuration for other linux distributions.

For more advanced networking tips, check out

For more basic networking info, see this article:

No comments: