View network interfaces

ip

# Show interface details (addresses, state, MTU)
ip address
ip address show ${interface}
ip -brief address

# Show link-layer (L2) interfaces and their state
ip -brief link

# Show the routing table
ip route

# Show the ARP / neighbour table (the iproute2 equivalent of arp -a)
ip neighbour

ifconfig

interface configuration command (net-tools; obsolete on Linux in favour of ip, still the default tool on macOS/BSD)

ifconfig

# Show all interfaces, including ones that are down
ifconfig -a

# Show the eth0 interface
ifconfig eth0

# Disable eth0 interface
ifconfig eth0 down

# Enable eth0 interface
ifconfig eth0 up

# Assign IP address to eth0 interface
ifconfig eth0 ${ip_address}

/sys/class/net

ls -l /sys/class/net   # each entry is a symlink into /sys/devices, showing the bus and driver behind the interface

Show the ARP table

arp

# Show the ARP table
arp -a

# Flush the ARP cache (BSD/macOS syntax: -a selects all entries, -d deletes them).
# Linux net-tools arp only deletes one entry at a time (arp -d ${host}); use ip neigh flush all there.
sudo arp -a -d

Network Layer

icmp

ping

# ICMP echo request / reply
ping ${target_ip}

# Probe the path MTU: -s sets the ICMP payload size and -M do sets the DF bit,
# so an oversized probe fails with "message too long" instead of being silently fragmented.
# 1472 + 8 (ICMP header) + 20 (IPv4 header) = 1500 bytes; raise -s until replies stop
# (Linux iputils syntax; BSD/macOS ping uses -D for the DF bit)
ping -c 4 -M do -s 1472 ${target_ip}
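A single probe size only tells you whether one value fits. The script below, added here as an example and not part of the original notes, binary-searches the ICMP payload size with the DF bit set and reports the path MTU as payload + 28 (8-byte ICMP header plus 20-byte IPv4 header). It assumes Linux iputils ping (`-M do`, `-W`); on BSD/macOS the DF flag is `-D`. The probe is passed in as a function so the search can be exercised with a stub when no network is available, and 192.0.2.1 is a documentation address to be replaced.

```shell
#!/bin/sh
# Path MTU discovery by binary search over the ICMP payload size.
# Added example; not from the original notes. Assumes Linux iputils ping
# (-M do = set DF / never fragment, -W = reply timeout in seconds).
# On BSD/macOS replace "-M do" with "-D".

# probe_df PAYLOAD TARGET
# Exit 0 if one DF-flagged echo with PAYLOAD bytes of data gets a reply.
probe_df() {
    ping -c 1 -W 1 -M do -s "$1" "$2" >/dev/null 2>&1
}

# find_path_mtu TARGET [PROBE]
# Prints the path MTU in bytes, or returns 1 if even an empty probe fails.
# PROBE is a command taking (payload, target); it defaults to probe_df and can
# be swapped for a stub to test the search logic offline.
find_path_mtu() {
    target="$1"
    probe="${2:-probe_df}"
    hdr=28            # 20-byte IPv4 header + 8-byte ICMP header
    lo=0              # largest payload known to pass
    hi=8972           # 9000-byte jumbo MTU minus headers; assumed upper bound

    # Establish the invariant: lo must pass, hi must fail.
    "$probe" "$lo" "$target" || return 1
    if "$probe" "$hi" "$target"; then
        echo $((hi + hdr))
        return 0
    fi

    # Invariant: lo passes, hi fails. Stop when they are adjacent.
    while [ $((hi - lo)) -gt 1 ]; do
        mid=$(((lo + hi) / 2))
        if "$probe" "$mid" "$target"; then
            lo=$mid
        else
            hi=$mid
        fi
    done
    echo $((lo + hdr))
}

# Usage: find_path_mtu 192.0.2.1     (192.0.2.1 is a documentation address; replace it)
```

Each probe is one packet, so a full search costs about 14 echoes. A result below 1500 on an Ethernet path usually means a tunnel or PPPoE hop in between; that is the value to set as the interface MTU or TCP MSS clamp.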

traceroute

# Discover the routers along the IP path to a destination, hop by hop
traceroute ${target_ip}

Routing and forwarding

route

# Show the routing table (-n: numeric output, no reverse DNS)
route -n

# Add a route (net-tools syntax; the iproute2 form is ip route add)
sudo route add -net ${ip_address} netmask ${netmask_address} gw ${gw_address}

# Delete a route
sudo route del -net ${ip_address} netmask ${netmask_address} gw ${gw_address}

routel

# list routes in a tabular format (a wrapper around ip route)
routel

routef

# flush the routing table: this deletes all global unicast IPv4 routes, including the default route,
# so run it from a console, never over SSH, and be ready to re-add routes by hand
routef

/proc/sys/net/ipv4/ip_forward

# Enable IP forwarding (turns this host into a router). Write it from a root shell:
# "sudo echo 1 > ..." fails because the redirect is opened by the unprivileged shell, not by sudo
echo "1" > /proc/sys/net/ipv4/ip_forward

# Disable IP forwarding
echo "0" > /proc/sys/net/ipv4/ip_forward

# The setting is lost at reboot; persist it as net.ipv4.ip_forward=1 under /etc/sysctl.d/.
# Once forwarding is on, decide what may be forwarded in the iptables FORWARD chain (default policy DROP)

Public IP

# via HTTP (each of these reveals your address and user agent to a third party)
curl ifconfig.me
curl myip.ipip.net

# via DNS: OpenDNS answers myip.opendns.com with the source address its resolver saw
dig +short myip.opendns.com @resolver1.opendns.com

Transport Layer

TCP

telnet

# Open a raw TCP connection (handy for talking to text protocols such as SMTP or HTTP by hand)
telnet ${ip} ${port}

nc

# Listen on a port and print whatever arrives (netcat-openbsd/ncat syntax; traditional netcat needs -l -p ${port})
nc -l ${port}

# Send a UDP datagram
echo "Hello, UDP!" | nc -u ${receiver_ip} ${port}

# Connect to a port
nc ${ip_address} ${port}

# Check whether a port is open without sending data (-z: scan only, -v: report the result)
nc -z -v ${ip_address} ${port}

Filtering

iptables

IPTables

Tables: the kernel has five tables (filter, nat, mangle, raw, security); two are used most of the time

  • filter: the default table. This holds all actions typical of a firewall.
  • nat: Network Address Translation (masquerading, port forwarding)

Chains: each table has these built-in chains

  • filter: INPUT, OUTPUT, FORWARD
  • nat: PREROUTING, POSTROUTING, OUTPUT (plus INPUT on kernels 2.6.34 and later)

Rules: a match plus a target; the first matching rule in a chain decides, and the chain policy applies if nothing matches

  • Matches: conditions
    • -s / --source: source IP or subnet
    • --sport: source port (requires -p tcp or -p udp)
    • -d / --destination: destination IP or subnet
    • --dport: destination port (requires -p tcp or -p udp)
    • -p / --protocol: protocol, all/tcp/udp/icmp
    • -i / --in-interface: ingress interface (valid in INPUT, FORWARD, PREROUTING)
    • -o / --out-interface: egress interface (valid in OUTPUT, FORWARD, POSTROUTING)
    • -m conntrack --ctstate (older form: -m state --state): connection state, INVALID/ESTABLISHED/NEW/RELATED/UNTRACKED
  • Targets: what to do with a matching packet
    • ACCEPT: let the packet through
    • DROP: discard silently
    • REJECT: discard and send an error back (TCP RST or ICMP unreachable)
    • MASQUERADE: source NAT to the outgoing interface's current address; used in the nat POSTROUTING chain
# List rules (-v: counters and interfaces, -n: numeric, -L: list)
iptables -vnL
iptables --list-rules   # same as -S: rules printed in command syntax

# List rules in the nat table
iptables --list-rules -t nat

# Set a chain's default policy (ACCEPT or DROP), applied when no rule matches
iptables -P ${chain} ${policy}

# Append a rule to a chain
sudo iptables -A ${chain} -s ${ip} -j ${target}

# Masquerade a LAN behind the upstream interface's address
sudo iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o ${wan_if} -j MASQUERADE

# Drop outbound TCP traffic from a given local source port
# (to block connections to a remote port use --dport instead; --sport matches the local side)
chain=OUTPUT
iptables -A ${chain} -p tcp --sport ${port} -j DROP
# Show rule numbers
iptables -L ${chain} --line-numbers
# Delete a rule by number (numbers shift after every deletion; list again before the next -D)
iptables -D ${chain} 1
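The fragments above add one rule at a time, which leaves a window where the policy is half applied; in practice a whole ruleset is loaded atomically with iptables-restore. The script below is an added example rather than anything from the original notes: it generates a default-deny, stateful host firewall plus LAN masquerading in iptables-save format. The interface names, the LAN prefix and the allowed inbound ports are parameters with assumed defaults (eth0 upstream, eth1 LAN, 192.168.0.0/24, SSH).

```shell
#!/bin/sh
# Generate a stateful default-deny ruleset in iptables-save format.
# Added example, not from the original notes. Assumed defaults: WAN on eth0,
# LAN on eth1, LAN prefix 192.168.0.0/24, inbound TCP ports "22".
# Apply with:  gen_ruleset | sudo iptables-restore   (dry run first with --test)

# gen_ruleset [WAN_IF] [LAN_IF] [LAN_NET] [TCP_PORTS]
gen_ruleset() {
    wan="${1:-eth0}"
    lan="${2:-eth1}"
    lan_net="${3:-192.168.0.0/24}"
    ports="${4:-22}"

    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback and replies to connections this host initiated
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Packets conntrack cannot classify are never legitimate; drop them before any ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Anti-spoofing: the LAN prefix must never arrive on the WAN side
-A INPUT -i $wan -s $lan_net -j DROP
-A FORWARD -i $wan -s $lan_net -j DROP
# Rate-limited ICMP echo so the host stays diagnosable
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
EOF
    # One explicit ACCEPT per allowed inbound TCP port, new connections only
    for p in $ports; do
        printf -- '-A INPUT -p tcp --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' "$p"
    done
    cat <<EOF
# Forwarding: LAN -> WAN allowed, WAN -> LAN only for flows the LAN opened
-A FORWARD -i $lan -o $wan -s $lan_net -j ACCEPT
-A FORWARD -i $wan -o $lan -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Anything else that reaches the end of INPUT gets a visible error rather than a silent timeout
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Masquerade LAN sources behind the WAN address (pairs with net.ipv4.ip_forward=1)
-A POSTROUTING -s $lan_net -o $wan -j MASQUERADE
COMMIT
EOF
}

# Usage:  gen_ruleset eth0 eth1 192.168.0.0/24 "22 443" > /etc/iptables/rules.v4
```

Ordering is the point of generating the file rather than typing rules: the anti-spoofing DROP and the INVALID drop sit before every ACCEPT, the port ACCEPTs only admit NEW connections (replies are covered by the ESTABLISHED rule), and the chain policies are DROP so a failed load leaves the host closed rather than open. Lines starting with `#` are ignored by iptables-restore, so the comments can stay in the saved file.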

抓包

tcpdump

TCPdump

# verbose
tcpdump -v
tcpdump -vv # more verbose

# quick (terse) output
tcpdump -q

# show IP addresses instead of resolving hostnames (faster, and does not leak the hosts you are watching to your resolver)
tcpdump -n

# list capture interfaces
tcpdump -D

# capture on one interface only
tcpdump -i eth0

# UDP or TCP traffic only
tcpdump udp
tcpdump tcp

# filter HTTP (service names are looked up in /etc/services)
tcpdump port http
tcpdump tcp port 80

# filter by host
tcpdump host www.openmaniak.com
tcpdump src 192.168.1.100 and dst 192.168.1.2 and port ftp

# stop after 20 packets
tcpdump -c 20

# write raw packets to a pcap file (binary, not a text log; read it back with tcpdump -r or open it in Wireshark)
tcpdump -w capture.pcap

# print each packet's payload as ASCII
tcpdump -A

# quote complex filter expressions so the shell does not interpret the parentheses
tcpdump 'host 100.111.222.50 or (host 100.11.12.99 and port 443)'

Examples

DNS traffic

# -n prevents tcpdump doing reverse DNS lookups (which would themselves show up in the capture)
# -s 0 captures whole packets (already the default on current tcpdump; old versions truncated at 68 bytes)
tcpdump -n -s 0 udp and port 53

In a response line, a/n/au means:

  1. the number of answer records
  2. the number of name server (authority) records
  3. the number of additional records

# everything except a few known-noisy hosts and link-layer chatter
tcpdump -i enp1s0 \
  not host 192.168.3.101 and not host 119.28.83.108 and not host 175.178.201.144 \
  and not arp and not llc
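The DNS capture above prints one line per query; what a responder actually looks for in that stream is a single client generating many distinct names under one parent domain, the signature of DNS tunnelling or exfiltration. The script below is an added example, not from the original notes: it parses `tcpdump -n` query lines with awk and reports client/domain pairs that exceed a distinct-name threshold. The sample lines are constructed for the example (evil.example and example.com are placeholder names), and the parser assumes IPv4 lines in tcpdump's default output format.

```shell
#!/bin/sh
# Flag DNS tunnelling candidates in "tcpdump -n udp and port 53" output.
# Added example, not from the original notes. Constructed sample lines:
# one client asks for four distinct names under evil.example within seconds.
SAMPLE='12:00:01.000001 IP 192.168.3.115.51234 > 192.168.3.1.53: 10001+ A? www.example.com. (33)
12:00:01.000900 IP 192.168.3.1.53 > 192.168.3.115.51234: 10001 1/0/0 A 93.184.216.34 (49)
12:00:02.000001 IP 192.168.3.115.51235 > 192.168.3.1.53: 10002+ TXT? aGVsbG8gd29y.t.evil.example. (47)
12:00:02.500001 IP 192.168.3.115.51236 > 192.168.3.1.53: 10003+ TXT? bGQgdGhpcyBp.t.evil.example. (47)
12:00:03.000001 IP 192.168.3.115.51237 > 192.168.3.1.53: 10004+ TXT? cyBhIHRlc3Qg.t.evil.example. (47)
12:00:03.500001 IP 192.168.3.115.51238 > 192.168.3.1.53: 10005+ TXT? b2YgZG5zIHR1.t.evil.example. (47)
12:00:04.000001 IP 192.168.3.120.40000 > 192.168.3.1.53: 10006+ A? mail.example.com. (34)
12:00:04.100001 IP 192.168.3.120.40001 > 192.168.3.1.53: 10007+ AAAA? www.example.com. (33)'

# dns_tunnel_suspects [THRESHOLD]
# Reads tcpdump lines on stdin; prints "client parent_domain distinct_names"
# for every client that queried at least THRESHOLD (default 3) distinct names
# under one parent domain. Only query lines (those containing "TYPE?") are
# parsed; response lines carry no "?" and are skipped. Assumes IPv4 ("IP", not "IP6").
dns_tunnel_suspects() {
    awk -v thr="${1:-3}" '
        /[?]/ {
            # $3 is "client.ip.port"; keep the first four dotted components
            split($3, c, ".")
            client = c[1] "." c[2] "." c[3] "." c[4]
            # the query name follows the token ending in "?", e.g. "TXT?"
            qname = ""
            for (i = 1; i <= NF; i++) if ($i ~ /[?]$/) { qname = $(i + 1); break }
            if (qname == "") next
            sub(/\.$/, "", qname)               # strip the trailing root dot
            n = split(qname, lab, ".")
            if (n < 3) next                     # no subdomain, nothing to encode data in
            parent = lab[n - 1] "." lab[n]      # registrable-domain approximation
            key = client SUBSEP parent
            if (!((key SUBSEP qname) in seen)) {
                seen[key SUBSEP qname] = 1
                distinct[key]++
            }
        }
        END {
            for (k in distinct)
                if (distinct[k] >= thr) {
                    split(k, p, SUBSEP)
                    print p[1], p[2], distinct[k]
                }
        }'
}

# Live usage: tcpdump -l -n udp and port 53 | dns_tunnel_suspects 20
# Offline run on the constructed sample:
printf '%s\n' "$SAMPLE" | dns_tunnel_suspects 3
```

Counting distinct names rather than raw query volume is what separates a tunnel from a busy but normal client: a browser repeats the same handful of names, while a tunnel encodes new data into each label and therefore never repeats. The two-label "parent" is an approximation; for real traffic replace it with a public-suffix lookup so that hosts under co.uk or similar are not lumped together.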

Wireshark

display filter
# filter by protocol
http # show only HTTP packets
tcp # show only TCP packets

# filter by IP address
ip.src == 192.168.3.115  # source IP
ip.dst == 192.168.3.115  # destination IP
ip.addr == 192.168.3.115 # source or destination IP

# filter by port
tcp.port == 80

# combine conditions
ip.src == 192.168.0.0/16 && ip.dst == 192.168.0.0/16
tcp.port == 25 || icmp

Examples: https://wiki.wireshark.org/DisplayFilters

Syntax: https://www.wireshark.org/docs/wsug_html_chunked/ChWorkBuildDisplayFilterSection.html

To hide a protocol altogether you can also disable its dissector under Analyze -> Enabled Protocols. Display filters only hide packets that are already captured; to limit what is captured in the first place use a capture filter, which takes tcpdump/BPF syntax.

Session Layer

ss

# show all sockets
ss -a

# show TCP / UDP / RAW / UNIX sockets
ss -t
ss -u
ss -w
ss -x

# Show all TCP sockets listening on the local 8080 port
ss -lt src :8080

Presentation Layer

Application Layer

DNS

DNS record types:

  • Name Server records (NS)—specifies the authoritative name server for a DNS zone
  • IPv4 Address Mapping records (A)—a hostname and its IPv4 address
  • IPv6 Address records (AAAA)—a hostname and its IPv6 address
  • Canonical Name records (CNAME)—makes a hostname an alias for another (canonical) name
  • Mail eXchanger record (MX)—specifies an SMTP email server for the domain
  • Pointer (PTR)—reverse query

/etc/resolv.conf

# Show the resolvers the system sends queries to (on systemd-resolved hosts this is usually the 127.0.0.53 stub; resolvectl status shows the real upstreams)
cat /etc/resolv.conf

host

# Resolve a name to its addresses
host www.baidu.com

nslookup

# or nslookup (interactive mode)
nslookup
> www.baidu.com

nslookup www.baidu.com # query A records (the default)
nslookup -type=NS baidu.com # query NS records

dig

dig www.baidu.com

# specify the query type
dig -t CNAME www.baidu.com
dig -t AAAA www.baidu.com

# reverse DNS lookup (dig builds the in-addr.arpa / ip6.arpa name and asks for the PTR record)
dig -x ${ip}

resolvectl

# flush the systemd-resolved cache
resolvectl flush-caches

DHCP

# Release Current Lease
sudo dhclient -r wlan0

# Renew Lease
sudo dhclient wlan0

Analyse

lsof

# Find the process that opened a local internet port
lsof -i :${port}

netstat

Print network connections, routing tables, interface statistics, masquerade connections, and multicast memberships (net-tools; ss is the iproute2 replacement and accepts the same -ltnp flags)

netstat -ltnp # l=listening, t=tcp, n=numeric, p=program

# List information continuously
netstat --continuous

iftop

Show live bandwidth usage per host pair on an interface

iftop

References