Trends like open networking and the adoption of the Linux operating system by network equipment vendors require network administrators and engineers to have a basic knowledge of Linux-based command-line utilities.
When I worked full-time as a network engineer, my Linux skills helped me with the tasks of design, implementation, and support of enterprise networks. I was able to efficiently collect information needed to do network design, verify routing and availability during configuration changes, and grab troubleshooting data necessary to quickly fix outages that were impacting users and business operations. Here is a list of some of the command-line utilities I recommend to network engineers.
Nmap is the network security scanner of choice. It can give you useful information about what's running on network hosts, and it is famous enough to have been featured in many movies. With Nmap you can, for example, scan for open and filtered TCP/IP ports, guess which operating system a remote host is running, and perform a ping sweep of an IP subnet or range. Scan only networks you are authorized to test: scans are noisy and will show up in the target's logs and intrusion-detection alerts.
List open ports on a host
Knowing which TCP/IP ports of a host are listening for incoming connections is crucial, especially when you're hardening a server or locking down network equipment. Nmap lets you verify that quickly: run nmap followed by the IP address, hostname, or fully qualified domain name. By default it probes the 1,000 most common TCP ports; use -p to widen the range.
In the example run this post was written around, host 10.1.10.1 showed MAC address C4:04:12:BE:1A:2C (Nmap reports the MAC only when you scan from the same LAN segment) and open ports 80 and 443.
Some useful options are:
-O      Enable operating system detection (requires root privileges)
-p      Port range (e.g. -p 22-123); -p- scans all 65535 ports
-sn     Ping sweep (no port scan) of a subnet (e.g. 192.168.0.0/24) or range of hosts; older Nmap releases called this -sP, which is still accepted as an alias
Ping sweep on an IPv4 subnet
Ping sweeps are great for creating an inventory list of hosts in a network. Use this technique with caution and don't simply scan the entire 10.0.0.0/8 subnet. Rather, go subnet by subnet (e.g. 10.1.1.0/24). Note that hosts which block ICMP can still show up: on the local segment Nmap discovers hosts with ARP, and elsewhere it also sends TCP probes to ports 80 and 443. I used this option many times while replacing the routers at large sites. I would create an IP inventory list before and after my configuration change to make sure that all the hosts would see the new gateways and could reach the outside world.
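Here is the before/after inventory comparison as a script, added as an example and not part of the original post. It post-processes Nmap's grepable output (-oG -) rather than the human-readable output, because that format is stable enough to parse; the scan output embedded below is constructed for illustration, not captured from a real network, and the addresses are the ones used in this post.

```shell
#!/bin/sh
# Added example (not from the original post): build a host inventory from
# nmap's grepable output before and after a gateway change and list the
# hosts that stopped answering. The scan output below is constructed.
set -eu

# Real usage, once before and once after the change (root makes -sn use ARP
# on the local segment, which is the most reliable discovery method there):
#   nmap -sn -oG - 10.1.1.0/24 > before.txt
#   nmap -sn -oG - 10.1.1.0/24 > after.txt
BEFORE_SCAN='# Nmap 7.94 scan initiated as: nmap -sn -oG - 10.1.1.0/24
Host: 10.1.1.1 ()   Status: Up
Host: 10.1.1.20 ()  Status: Up
Host: 10.1.1.21 ()  Status: Up
Host: 10.1.1.50 ()  Status: Up
# Nmap done -- 256 IP addresses (4 hosts up) scanned in 2.13 seconds'

AFTER_SCAN='# Nmap 7.94 scan initiated as: nmap -sn -oG - 10.1.1.0/24
Host: 10.1.1.1 ()   Status: Up
Host: 10.1.1.20 ()  Status: Up
Host: 10.1.1.21 ()  Status: Up
# Nmap done -- 256 IP addresses (3 hosts up) scanned in 2.07 seconds'

# Port scan of a single host, as produced by: nmap -oG - 10.1.10.1
PORT_SCAN='Host: 10.1.10.1 ()  Status: Up
Host: 10.1.10.1 ()  Ports: 80/open/tcp//http///, 443/open/tcp//https///  Ignored State: closed (998)'

# IPs nmap reported as Up, sorted so the lists can be compared with comm.
up_hosts() {
  printf '%s\n' "$1" | awk '/^Host:/ && /Status: Up/ { print $2 }' | sort -u
}

# Hosts present in the first scan but absent from the second: these are the
# ones that did not come back after the change.
missing_after() {
  before_list=$(mktemp); after_list=$(mktemp)
  up_hosts "$1" > "$before_list"
  up_hosts "$2" > "$after_list"
  comm -23 "$before_list" "$after_list"
  rm -f "$before_list" "$after_list"
}

# Open TCP ports from the "Ports:" field ("80/open/tcp//http///, ...").
open_ports() {
  printf '%s\n' "$1" \
    | sed -n 's/.*Ports: //p' \
    | sed 's/[[:space:]]*Ignored State.*//' \
    | tr ',' '\n' \
    | awk -F/ '$2 == "open" { sub(/^[[:space:]]+/, "", $1); print $1 }' \
    | sort -n
}

echo "Up before: $(up_hosts "$BEFORE_SCAN" | wc -l | tr -d ' '), up after: $(up_hosts "$AFTER_SCAN" | wc -l | tr -d ' ')"
echo "Lost after the change:"
missing_after "$BEFORE_SCAN" "$AFTER_SCAN"
echo "Open TCP ports on 10.1.10.1: $(open_ports "$PORT_SCAN" | tr '\n' ' ')"
```

On the constructed data the script reports 10.1.1.50 as lost, which is exactly the host you would go and look at after swapping a gateway. Save the grepable output rather than the screen output on every run so the comparison can be repeated later.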
Real-time ping sweeps
Do you want a real-time ping sweep of a subnet? The following shell loop clears the screen and re-runs a ping sweep of 192.168.1.0/24 every five seconds. To exit, just hit CTRL-C. (The original one-liner used the output of clear as the loop condition, which only works because clear's escape sequence is a non-empty string; a plain while true loop says what is meant.)
while true; do clear; nmap -sn 192.168.1.0/24; sleep 5; done
Tcpdump is the tool to use to analyze traffic sourced from or destined to your own host, or to capture traffic between two or more endpoints (also called sniffing). To sniff traffic between other hosts, connect the host running tcpdump to a SPAN port (also called port mirroring), a hub (if you can still find one), or a network tap; tcpdump can then intercept and process everything on that segment. Capturing needs root privileges (or the CAP_NET_RAW capability). Execute the command with the -i option to select the interface to use (eth0), and it will print all traffic captured:
tcpdump -i eth0
Tcpdump is a great utility for troubleshooting network and application issues. For example, at remote sites connected to the main site through IPsec tunnels, I was often able to figure out why some applications made it through the tunnel and some did not. Specifically, I noticed that applications sending full-MTU packets with the DF (don't fragment) bit set would fail.
The root cause was that adding the IPsec headers required by the VPN tunnel made the packet larger than the maximum transmission unit (MTU) of the tunnel path. As a result, the router discarded these oversized packets and sent back ICMP destination unreachable messages with the "fragmentation needed and DF set" code (type 3, code 4). That is something I discovered while listening to the wire with tcpdump. If those ICMP messages are filtered somewhere on the path, path MTU discovery cannot work and the connection simply hangs.
Here are some basic filter expressions that you should know about when using tcpdump:
tcpdump src 192.168.0.1
Capture all traffic from host 192.168.0.1
tcpdump dst 192.168.0.1
Capture all traffic destined to host 192.168.0.1
Capture all ICMP traffic (the filter expression is simply the protocol name icmp, with no src or dst)
tcpdump src port 80
Capture all traffic sourced from port 80
tcpdump dst port 80
Capture all traffic destined to port 80
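The IPsec/MTU problem described above can be confirmed from a capture mechanically. The script below is an added example, not code from the original post: it pulls the advertised MTU and the affected destinations out of "fragmentation needed" messages in tcpdump's text output and derives the TCP MSS to clamp at the tunnel endpoints. The capture lines are constructed in tcpdump's output format, not taken from a real capture, and the addresses are invented.

```shell
#!/bin/sh
# Added example (not from the original post): find "need to frag" ICMP
# errors in tcpdump text output, report the path MTU they advertise and
# the MSS that fits it. The capture below is constructed, not real.
set -eu

# Live equivalent (root/CAP_NET_RAW needed; -n skips DNS lookups so the
# capture itself does not generate traffic):
#   tcpdump -ni eth0 'icmp[icmptype] == 3 and icmp[icmpcode] == 4'
CAPTURE='10:42:01.103201 IP 10.1.10.5.51234 > 192.0.2.10.443: Flags [P.], seq 1:1461, ack 1, win 502, length 1460
10:42:01.103655 IP 10.1.10.1 > 10.1.10.5: ICMP 192.0.2.10 unreachable - need to frag (mtu 1418), length 556
10:42:01.204118 IP 10.1.10.5.51234 > 192.0.2.10.443: Flags [P.], seq 1:1461, ack 1, win 502, length 1460
10:42:01.204559 IP 10.1.10.1 > 10.1.10.5: ICMP 192.0.2.10 unreachable - need to frag (mtu 1418), length 556'

# Smallest MTU advertised in "need to frag (mtu N)" messages; empty if none.
advertised_mtu() {
  printf '%s\n' "$1" | sed -n 's/.*need to frag (mtu \([0-9][0-9]*\)).*/\1/p' | sort -n | head -n 1
}

# Destinations whose packets were dropped: tcpdump prints the original
# packet's target right after "ICMP".
blackholed_destinations() {
  printf '%s\n' "$1" | awk '/need to frag/ { print $7 }' | sort -u
}

# Largest TCP MSS that fits the advertised MTU with plain IPv4 + TCP
# headers (20 + 20 bytes); clamp to this at the tunnel endpoints.
mss_for_mtu() {
  echo $(( $1 - 40 ))
}

# Segments of a given size sent to the far end. Full-size segments that keep
# appearing after the ICMP error mean the sender never acted on it (typically
# because the ICMP was filtered), which is the classic PMTUD black hole.
full_size_segments() {
  printf '%s\n' "$1" | awk -v len="$2" '/Flags \[/ && $NF == len { n++ } END { print n + 0 }'
}

mtu=$(advertised_mtu "$CAPTURE")
echo "Path MTU reported by the tunnel router: $mtu"
echo "Clamp TCP MSS to: $(mss_for_mtu "$mtu")"
echo "Affected destinations: $(blackholed_destinations "$CAPTURE" | tr '\n' ' ')"
echo "Full-size (1460-byte) segments still sent: $(full_size_segments "$CAPTURE" 1460)"
```

To confirm the number from the host side, send an unfragmentable probe of the advertised size: on Linux, ping -M do -s 1390 destination uses a 1390-byte payload, which with the 20-byte IP and 8-byte ICMP headers is exactly 1418 bytes on the wire; one byte more should fail with the same error.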
Use iperf to assess the bandwidth available between two computers: one end runs in server mode and the other in client mode. You can choose between TCP and UDP traffic and set the destination port, bandwidth rate (if UDP is selected), DSCP marking, and TCP window size. The UDP iperf test can also be used to generate multicast traffic and test your PIM infrastructure. Remember that iperf measures what the path can carry at that moment, so repeat the test at busy and quiet times before drawing conclusions.
I've used iperf many times to troubleshoot bandwidth issues, verify whether the ISP would honor the DSCP marking, and estimate the jitter value of VoIP traffic.
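As an added example (not from the original post), here is how a UDP iperf3 run can be turned into a pass/fail verdict for a VoIP link. The output embedded below is constructed in iperf3's text format, not a real measurement; the 30 ms jitter and 1% loss thresholds are assumptions chosen for illustration, and the server address 10.1.1.20 is invented. Whether the ISP honored the DSCP marking cannot be read from iperf itself; that takes a capture at the far end to see whether the TOS byte survived.

```shell
#!/bin/sh
# Added example (not from the original post): judge a UDP iperf3 run
# against VoIP thresholds. Thresholds are assumptions; output is constructed.
set -eu

# Server side:  iperf3 -s
# Client side, 1 Mbit/s UDP for 10 s marked EF (DSCP 46 is TOS 0xb8):
#   iperf3 -c 10.1.1.20 -u -b 1M -t 10 -S 0xb8
BAD_RUN='Connecting to host 10.1.1.20, port 5201
[  5] local 10.1.10.5 port 40120 connected to 10.1.1.20 port 5201
[ ID] Interval           Transfer     Bitrate         Jitter    Lost/Total Datagrams
[  5]   0.00-10.00  sec  1.25 MBytes  1.05 Mbits/sec  0.000 ms  0/906 (0%)  sender
[  5]   0.00-10.00  sec  1.25 MBytes  1.05 Mbits/sec  4.318 ms  12/906 (1.3%)  receiver
iperf Done.'

GOOD_RUN='[ ID] Interval           Transfer     Bitrate         Jitter    Lost/Total Datagrams
[  5]   0.00-10.00  sec  1.25 MBytes  1.05 Mbits/sec  0.000 ms  0/906 (0%)  sender
[  5]   0.00-10.00  sec  1.25 MBytes  1.05 Mbits/sec  0.031 ms  0/906 (0%)  receiver'

MAX_JITTER_MS=30   # assumed budget for interactive voice
MAX_LOSS_PCT=1     # assumed budget; most codecs degrade audibly beyond this

# Only the receiver line carries real jitter and loss figures; the sender
# line always shows 0.000 ms and 0 lost.
receiver_jitter_ms() { printf '%s\n' "$1" | awk '/receiver$/ { print $9 }'; }
receiver_loss_pct()  { printf '%s\n' "$1" | awk '/receiver$/ { gsub(/[()%]/, "", $12); print $12 }'; }

# PASS or FAIL with the measured values; awk does the floating-point
# comparison that sh arithmetic cannot.
voip_verdict() {
  jitter=$(receiver_jitter_ms "$1"); loss=$(receiver_loss_pct "$1")
  awk -v j="$jitter" -v l="$loss" -v mj="$MAX_JITTER_MS" -v ml="$MAX_LOSS_PCT" 'BEGIN {
    if (j <= mj && l <= ml) print "PASS";
    else print "FAIL: jitter " j " ms, loss " l "%"
  }'
}

echo "Bad run:  $(voip_verdict "$BAD_RUN")"
echo "Good run: $(voip_verdict "$GOOD_RUN")"
```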
Hping3 is a utility very similar to ping, with the difference that it can use TCP, UDP, and raw IP as transport protocols. Hping3 lets you not only test whether a specific TCP/IP port is open but also measure the round-trip time. Because it crafts packets on raw sockets, it must run as root. For example, to test whether google.com has port 80 open and measure the round-trip time, I sent TCP SYN probes to port 80 of google.com with these options:
-S      Set the TCP SYN flag
-V      Enable verbose output and display more information about the replies
-p      Set the TCP/IP destination port (-p 80 here)
A reply with the SYN and ACK flags set means the port is open, a reply with RST set means it is closed, and no reply at all usually means a firewall dropped the probe.
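The interpretation above can be automated. The script below is an added example, not from the original post: it classifies a port from the flags hping3 reports and averages the round-trip times. The reply lines are constructed in the one-line format hping3 prints without -V (verbose mode spreads each reply over several lines); the addresses and timings are invented.

```shell
#!/bin/sh
# Added example (not from the original post): classify a port from hping3
# reply lines and average the RTT. The replies below are constructed.
set -eu

# Live command (raw sockets, so run as root):  hping3 -S -p 80 -c 3 google.com
# A SYN probe draws SYN/ACK (flags=SA) from an open port, RST/ACK (flags=RA)
# from a closed one, and nothing when a firewall silently drops it.
PROBE_OPEN='len=46 ip=142.250.74.14 ttl=117 DF id=0 sport=80 flags=SA seq=0 win=65535 rtt=11.2 ms
len=46 ip=142.250.74.14 ttl=117 DF id=0 sport=80 flags=SA seq=1 win=65535 rtt=10.8 ms
len=46 ip=142.250.74.14 ttl=117 DF id=0 sport=80 flags=SA seq=2 win=65535 rtt=12.4 ms'

PROBE_CLOSED='len=40 ip=10.1.10.1 ttl=64 DF id=0 sport=8080 flags=RA seq=0 win=0 rtt=0.6 ms'

PROBE_FILTERED=''   # hping3 printed no reply lines at all

# open / closed / filtered from the flags field of the first reply.
port_state() {
  case "$(printf '%s\n' "$1" | sed -n 's/.*flags=\([A-Z]*\).*/\1/p' | head -n 1)" in
    *SA*) echo open ;;
    *RA*) echo closed ;;
    "")   echo filtered ;;   # no reply: dropped in transit or host down
    *)    echo unknown ;;
  esac
}

# Mean RTT in ms over all replies; 0 when nothing came back.
avg_rtt_ms() {
  printf '%s\n' "$1" | awk '
    { for (i = 1; i <= NF; i++) if ($i ~ /^rtt=/) { sub(/^rtt=/, "", $i); s += $i; n++ } }
    END { if (n) printf "%.1f\n", s / n; else print 0 }'
}

for p in "$PROBE_OPEN" "$PROBE_CLOSED" "$PROBE_FILTERED"; do
  echo "state=$(port_state "$p") avg_rtt_ms=$(avg_rtt_ms "$p")"
done
```

A closed port answering in under a millisecond while the open one takes ten is itself a hint: the RST came from something close by, quite possibly a firewall answering on the server's behalf rather than the server itself.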
Netcat (nc) is the network engineer's Swiss Army knife. If you want to be the MacGyver of your network, you must know the basics of netcat. In client mode it is similar to telnet: you can create a TCP connection to a specific port and send anything that you type. You can also use it to open a TCP/IP port and read from standard input. That makes it an easy way to transfer files between two computers, keeping in mind that netcat neither encrypts nor authenticates anything, so use it only on links you trust or verify what arrived. Another use case is testing whether your firewall is blocking certain traffic. For example, execute netcat in server mode on a host behind your firewall and then execute netcat in client mode from outside the firewall. If you can read on the server whatever you type on the client, then the firewall is not filtering the connection.
nc -l -p 1234
This executes netcat in server mode on port 1234 and waits for incoming connections (traditional netcat and Nmap's ncat syntax; the OpenBSD netcat shipped with many distributions takes the port without -p, as nc -l 1234)
nc destination_host 1234
This executes netcat in client mode and connects to TCP port 1234 on remote host destination_host
You can also combine netcat with pipes. For example, you can compress a directory before sending it to the remote host with netcat (compress is the classic Unix tool; on most current systems gzip -c takes its place, and the receiving side pipes what it reads from its listening netcat into the matching decompressor and tar). The -w 3 makes netcat give up after three seconds without activity instead of hanging forever:
tar cfp - /some/dir | compress -c | nc -w 3 othermachine 1234
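Both halves of that transfer, with gzip in place of compress and a checksum comparison at the end, as an added example that is not part of the original post. The port 1234 and the directory layout are assumptions; the self-test at the bottom replaces the netcat hop with a local pipe so it runs on one machine, and the sample files it creates are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): sender and receiver halves of
# a tar | gzip | nc transfer, plus an integrity check, because netcat gives
# you no assurance that what arrived is what was sent.
set -eu

PORT=1234   # assumed; any free TCP port the firewall allows will do

# Sender half: pack a directory, compress it, push it into netcat.
pack_dir() { tar -C "$1" -cf - . | gzip -c; }
send_dir() { pack_dir "$1" | nc -w 3 "$2" "$PORT"; }

# Receiver half (start this first). OpenBSD netcat wants "nc -l $PORT"
# instead of "-l -p $PORT".
unpack_dir() { gzip -dc | tar -C "$1" -xf -; }
receive_dir() { nc -l -p "$PORT" | unpack_dir "$1"; }

# Per-file CRC and size for every regular file under a directory, in a
# stable order, so two trees can be compared as plain text.
dir_manifest() {
  ( cd "$1" && find . -type f | sort | while IFS= read -r f; do
      printf '%s %s\n' "$(cksum < "$f" | awk '{ print $1 " " $2 }')" "$f"
    done )
}

# "match" when both trees have the same files with the same contents.
verify_transfer() {
  if [ "$(dir_manifest "$1")" = "$(dir_manifest "$2")" ]; then echo match; else echo MISMATCH; fi
}

# Self-test: same pipeline, with a pipe standing in for the network hop.
local_roundtrip() {
  work=$(mktemp -d)
  mkdir -p "$work/src/conf" "$work/dst"
  printf 'hostname r1\n' > "$work/src/conf/router.cfg"            # constructed sample file
  dd if=/dev/zero of="$work/src/blob.bin" bs=1024 count=4 2>/dev/null
  pack_dir "$work/src" | unpack_dir "$work/dst"
  verify_transfer "$work/src" "$work/dst"
  rm -rf "$work"
}

local_roundtrip
```

In real use you would run receive_dir /dest on the far machine, send_dir /some/dir othermachine on the near one, and then compare dir_manifest output from both sides (for example by running it on each host and diffing the two listings).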
I hope this blog post provided some useful Linux tricks that will make your life easier. If you have other Linux command line utilities in your toolbox, please feel free to share them in the comment section below.