Useful commands for network monitoring
Ping (Unix/Windows)
Traceroute (Unix/Windows)
Arp (Unix/Windows)
Curl and wget (Unix/Windows)
Netstat (Unix/Windows)
Whois (Unix/Windows)
SSH (Unix/Linux/Windows)
TCPDump (Unix/Linux/Windows)
Ngrep (Unix/Linux/Windows)
NMAP (Unix/Windows)
Netcat (Windows/Unix)
Lsof (Unix/Windows)
IPtraf (Linux)
Ping (Unix/Windows):
Ping is a very basic but important command. It sends an ICMP ECHO_REQUEST packet to the specified host; if the host is reachable, it answers with an ICMP ECHO_REPLY. You can "ping" an IP address to see whether a machine is alive. If there is no response, something is wrong, although bear in mind that some hosts and firewalls drop ICMP, so a silent host is not always a dead one. Ping is also used to check the "speed", that is the latency, of a network connection. The command exists on every OS that supports TCP/IP and is one of the basics you should know. Ping examples follow.
$ ping HostName/IP Address
$ ping google.com
$ ping 192.168.182.132
You can specify the number of ECHO_REQUEST packets to send while pinging a host with the '-c' parameter, as follows.
$ ping -c 4 192.168.182.132
PING 192.168.182.132 (192.168.182.132) 56(84) bytes of data.
64 bytes from 192.168.182.132: icmp_req=1 ttl=64 time=0.281 ms
64 bytes from 192.168.182.132: icmp_req=2 ttl=64 time=0.495 ms
64 bytes from 192.168.182.132: icmp_req=3 ttl=64 time=0.459 ms
64 bytes from 192.168.182.132: icmp_req=4 ttl=64 time=0.250 ms
--- 192.168.182.132 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 2999ms
rtt min/avg/max/mdev = 0.250/0.371/0.495/0.107 ms
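The statistics block above is what a monitoring script should parse rather than eyeball. The following is an added example, not part of the original article: it extracts the packet-loss percentage and average RTT from Linux ping output and raises an alert when either exceeds a threshold. The thresholds and the degraded sample are assumptions made for the example.

```shell
# Added example, not from the original article: parse the statistics block that
# "ping -c N" prints and flag a host whose packet loss or average RTT exceeds
# a threshold. Thresholds are assumptions chosen for the example.

# Sample output, copied from the article's "ping -c 4 192.168.182.132" run.
HEALTHY_PING_OUTPUT='PING 192.168.182.132 (192.168.182.132) 56(84) bytes of data.
64 bytes from 192.168.182.132: icmp_req=1 ttl=64 time=0.281 ms
--- 192.168.182.132 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 2999ms
rtt min/avg/max/mdev = 0.250/0.371/0.495/0.107 ms'

# Constructed output for a host that answered only half of the requests.
DEGRADED_PING_OUTPUT='--- 192.168.182.132 ping statistics ---
4 packets transmitted, 2 received, 50% packet loss, time 3004ms
rtt min/avg/max/mdev = 0.250/0.372/0.495/0.122 ms'

# Print the loss percentage from ping output on stdin (accepts "0%" and BSD/macOS "0.0%").
ping_loss_pct() {
    sed -n 's/.* \([0-9][0-9.]*\)% packet loss.*/\1/p'
}

# Print the average RTT in ms (the avg field of min/avg/max/mdev).
ping_avg_rtt() {
    sed -n 's#^rtt min/avg/max/mdev = [0-9.]*/\([0-9.]*\)/.*#\1#p'
}

# Numeric "greater than" for fractional values, which [ ] cannot compare.
num_gt() {
    awk -v a="$1" -v b="$2" 'BEGIN { exit !(a > b) }'
}
# $1 = ping output, $2 = max tolerated loss (%), $3 = max tolerated avg RTT (ms).
# Prints OK or ALERT and returns 0 or 1 accordingly.
check_ping_output() {
    loss=$(printf '%s\n' "$1" | ping_loss_pct)
    rtt=$(printf '%s\n' "$1" | ping_avg_rtt)
    # No statistics block at all (unknown host, ping killed): treat as total loss.
    if [ -z "$loss" ]; then loss=100; fi
    if [ -z "$rtt" ]; then rtt=0; fi
    if num_gt "$loss" "$2"; then
        echo "ALERT: ${loss}% packet loss (limit $2%)"; return 1
    fi
    if num_gt "$rtt" "$3"; then
        echo "ALERT: avg RTT ${rtt} ms (limit $3 ms)"; return 1
    fi
    echo "OK: ${loss}% loss, avg RTT ${rtt} ms"
}

# Live use, e.g. from cron: check_ping_output "$(ping -c 4 192.168.182.132 2>&1)" 0 1
check_ping_output "$HEALTHY_PING_OUTPUT" 0 1
check_ping_output "$DEGRADED_PING_OUTPUT" 0 1 || :   # non-zero status drives the alert
```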
Traceroute (Unix/Windows):
The traceroute command is a very useful network diagnostic tool. It displays each hop (routers, switches and other devices) that a packet passes through on its way to the destination. When something is wrong, it shows at which point along the path packets stop being forwarded.
Traceroute (Unix):
~$ traceroute 192.168.182.132
traceroute to 192.168.182.132 (192.168.182.132), 30 hops max, 60 byte packets
1 ubuntu.local (192.168.182.132) 0.302 ms 0.316 ms 0.304 ms
tracert (Windows):
C:\Users\Mukesh.Kumar>tracert google.com
Tracing route to google.com [216.58.220.46]
over a maximum of 30 hops:
1 * * * Request timed out.
2 48 ms 56 ms 49 ms 10.210.0.82
3 55 ms 23 ms 41 ms 10.210.0.86
4 25 ms 26 ms 29 ms 125.17.150.37
5 62 ms 42 ms 38 ms 182.79.234.221
6 49 ms * 59 ms 72.14.242.178
7 56 ms 46 ms 34 ms 66.249.94.73
8 44 ms 36 ms * 209.85.255.43
9 57 ms 50 ms 29 ms maa03s18-in-f14.1e100.net [216.58.220.46]
Trace complete.
Note: the Unix "traceroute" sends UDP datagrams by default rather than ICMP echo requests, but performs a function similar to ping's.
Arp (Unix/Windows):
Using the arp command allows you to display and modify the Address Resolution Protocol (ARP) cache. An ARP cache is a simple mapping of IP addresses to MAC addresses.
Example:
C:\Users\Mukesh.Kumar>arp -a 192.168.182.132
Interface: 192.168.182.1 --- 0x1e
Internet Address Physical Address Type
192.168.182.132 00-0c-29-08-b7-93 dynamic
Wget and curl (Unix/Windows):
These commands download files or entire web pages. Both are command-line tools that can fetch content over FTP, HTTP and HTTPS, and they have the following in common:
both can send HTTP POST requests
both support HTTP cookies
both are designed to work without user interaction, like from within scripts
both are fully open source and free software
both support metalink
Note: curl supports FTP, FTPS, Gopher, HTTP, HTTPS, SCP, SFTP, TFTP, TELNET, DICT, LDAP, LDAPS, FILE, POP3, IMAP, SMB/CIFS, SMTP, RTMP and RTSP.
Wget only supports HTTP, HTTPS and FTP.
Netstat (Unix/Windows):
Netstat prints information about the Linux networking subsystem. By default, netstat displays a list of open sockets. If you don't specify any address families, the active sockets of all configured address families are printed. The type of information printed is controlled by the first argument, as follows:
Netstat (Unix):
--route , -r
Display the kernel routing tables. See the description in route(8) for details. netstat -r and route -e produce the same output.
--groups , -g
Display multicast group membership information for IPv4 and IPv6.
--interfaces, -i
Display a table of all network interfaces.
--masquerade , -M
Display a list of masqueraded connections.
--statistics , -s
Display summary statistics for each protocol.
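Beyond the one-off reports above, the default socket listing is what you want to watch over time. The following is an added example, not part of the original article: it reduces the output of "netstat -tln" (net-tools flags for TCP, listening sockets, numeric addresses) to a list of listening ports and reports any port that was not in a saved baseline, which is a simple way to notice a newly started service or an unexpected listener. Both netstat outputs are constructed for the example.

```shell
# Added example, not from the original article: snapshot the listening TCP
# sockets that "netstat -tln" reports and compare them with a saved baseline,
# so a listener that was not there before (a newly started service or
# something unexpected) stands out. Both outputs below are constructed.

# Constructed "netstat -tln" output recorded as the baseline.
BASELINE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN'

# Constructed output from a later run; 631 is gone and 4444 is new.
CURRENT_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:4444            0.0.0.0:*               LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN'

# Reduce netstat output on stdin to sorted unique "proto port" pairs in LISTEN state.
# The port is the last ":"-separated field of the Local Address column, which
# also handles IPv6 forms such as ":::80".
listening_ports() {
    awk '$NF == "LISTEN" { n = split($4, a, ":"); print $1, a[n] }' | sort -u
}

# Print listeners present in $2 (current) but absent from $1 (baseline).
new_listeners() {
    base=$(mktemp) || return 1
    printf '%s\n' "$1" | listening_ports > "$base"
    # comm -13 keeps only lines unique to the second (current) input.
    printf '%s\n' "$2" | listening_ports | comm -13 "$base" -
    rm -f "$base"
}

# Live use: save "netstat -tln" output once as the baseline, then periodically run
# new_listeners "$(cat baseline.txt)" "$(netstat -tln)" and alert on any output.
new_listeners "$BASELINE_NETSTAT" "$CURRENT_NETSTAT" | sed 's/^/NEW LISTENER: /'
```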
Whois (Unix/Windows):
A network command used to look up domain registration data: the domain owner, its expiry date, the responsible registry or registrar, contact details and so on. It is highly recommended when you need to contact domain administrators or plan a service migration, such as moving email or a website.
To use 'whois' on Windows, download the tool linked at the following URL: https://technet.microsoft.com/en-us/sysinternals/whois.aspx
You can also look up the same data in your browser using services such as https://www.whois.net/.
SSH (Unix/Linux/Windows):
SSH, or Secure Shell, is a protocol used to securely log onto remote systems. It is the most common way to access remote Linux and Unix-like servers.
$ ssh remote-host
If the remote user name differs from your local one, you can specify it as well:
$ ssh user-name@remote-host
If you wish to execute a single command on the remote system, specify it after the host name:
$ ssh remote_host command_to_run
$ ssh mukesh@ubuntu-server.com ls
Note: to use SSH on Windows we recommend PuTTY: http://www.putty.org/
TCPDump (Unix/Linux/Windows):
tcpdump is one of the most powerful and widely used command-line packet sniffers (packet analyzers). It captures, and can filter, the TCP/IP packets received or sent on a specific interface, and it is available on most Linux/Unix-based operating systems. tcpdump can also save captured packets to a file for later analysis. The file is written in pcap format, which can be read back by tcpdump itself or by Wireshark, an open source GUI network protocol analyzer that understands pcap files.
Ngrep (Unix/Linux/Windows):
This brings the power of the 'grep' command to the network. It is basically tcpdump with real-time text substring filters: a filter for HTTP, SMTP, DNS and other protocol traffic. It has a very powerful regular-expression based filtering system and is often used to process capture files generated by tcpdump, Wireshark and similar tools.
NMAP (Unix/Windows):
Nmap, the Network Mapper, is an open source and very versatile tool for Linux system and network administrators. It is used for exploring networks, performing security scans and network audits, and finding open ports on remote machines. It scans for live hosts, operating systems, packet filters and open ports on remote hosts.
Netcat (Windows/Unix):
Netcat or nc is a networking utility for debugging and investigating the network.
It can create TCP/UDP connections and inspect them; its biggest use is in scripts that need to deal with TCP/UDP sockets.
Lsof (Unix/Windows):
It is a tool for identifying which files a process is using or keeping open. In Unix environments a network connection is also a file, so lsof can show which ports a running process has open, which proves extremely useful in some cases.
It can also be used to find out how many files a single process has open. That has nothing to do with the network, but we are sure it will be useful for you anyway. Lsof is one of those tools you should know about.
IPtraf (Linux):
A specialized network command which obtains traffic statistics. It has an ncurses interface (text) to analyze the traffic that goes through an interface in real time. Very useful if you see anomalies on your device and you need to see and inspect the traffic coming through it.