Network

Information

  • Get IP addresses for all interfaces:

      ifconfig -a

    or:

      ip addr show
  • See system’s routes:

      route

    or:

      ip route show
  • See what ports and services are listening:

      netstat -tunlp

    or:

      ss -tunlp
  • List all firewall rules:

      iptables -L

Scan

  • Use Nmap to ping-scan the local network:

      nmap -sn 192.168.0.0/24
  • Use ARP to show network neighbors:

      arp -a

Netcat

  • Check if a port is open on a host:

      nc -vz <hostname/ip> -w 1 <port>
  • Check if a range of ports are open on a host:

      nc -vz <hostname/ip> -w 1 <startport>-<endport>
  • Check if specific ports are open on a host:

      nc -vz <hostname/ip> -w 1 <port1> <port2>

Tcpdump

  • List interfaces on which we can listen:

      tcpdump -D
  • Listen on eth0:

      tcpdump -i eth0
  • Listen on any available interface:

      tcpdump -i any
  • Be very verbose while capturing packets:

      tcpdump -vvv
  • Be less verbose than the default when capturing packets:

      tcpdump -q
  • Print data and link level header of each packet:

      tcpdump -XX
  • Limit the capture to 100 packets:

      tcpdump -c 100
  • Write the captured packets to a file:

      tcpdump -w capture.cap
  • Display packets from a file:

      tcpdump -r capture.cap
  • Capture packets to or from a host:

      tcpdump -n host <hostname|ip>
  • Capture packets sent from a given source IP:

      tcpdump -n src host <ip>
  • Capture packets sent to a given destination IP:

      tcpdump -n dst host <ip>
  • Capture packets destined for a network:

      tcpdump -n dst net <netip>/<mask>
  • Capture packets to a specific port:

      tcpdump -n dst port 23
  • Capture packets to a specific port range:

      tcpdump -n dst portrange 1-1023
  • Capture only TCP packets to a specific port range:

      tcpdump -n tcp dst portrange 1-1023
  • Check for DNS leaks:

      tcpdump -n -Q out 'dst port 53 or dst port 5353'
  • Capture any ICMP packets:

      tcpdump -v icmp
  • Capture any ARP packets:

      tcpdump -v arp
  • Capture either ICMP or ARP packets:

      tcpdump -v "icmp or arp"
  • Capture all ACKNOWLEDGE (ACK) packets:

      tcpdump 'tcp[13] & 16!=0'
  • Capture all SYNCHRONIZE (SYN) packets:

      tcpdump 'tcp[13] & 2!=0'
  • Capture all SYNCHRONIZE/ACKNOWLEDGE (SYNACK) packets:

      tcpdump 'tcp[13]=18'
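The three flag filters above index byte 13 of the TCP header, which holds the flag bits. The following Python is an added illustration, not part of the original cheat sheet: it builds constructed 20-byte TCP headers and applies the same tests tcpdump evaluates, so you can see why `tcp[13]=18` matches only a plain SYN-ACK while `tcp[13] & 18 = 18` would also catch one with ECN bits set.

```python
import struct

# Bit values of the TCP flags byte, i.e. tcpdump's tcp[13].
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
             "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80}


def build_tcp_header(src_port, dst_port, flags, seq=0, ack=0, window=65535):
    """Construct a minimal 20-byte TCP header (no options). Sample data, not a capture."""
    data_offset = 5 << 4  # header length in 32-bit words, upper nibble of byte 12
    return struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack,
                       data_offset, flags, window, 0, 0)


def flag_byte(tcp_header):
    """Return tcp[13], the byte the tcpdump filters on this page inspect."""
    return tcp_header[13]


def flag_names(tcp_header):
    b = flag_byte(tcp_header)
    return [name for name, bit in TCP_FLAGS.items() if b & bit]


def is_ack(h):        # tcpdump 'tcp[13] & 16 != 0': ACK bit set, other bits ignored
    return flag_byte(h) & 16 != 0


def is_syn(h):        # tcpdump 'tcp[13] & 2 != 0': SYN bit set, other bits ignored
    return flag_byte(h) & 2 != 0


def is_synack(h):     # tcpdump 'tcp[13] = 18': exactly SYN+ACK and nothing else
    return flag_byte(h) == 18


def is_synack_any(h):  # tcpdump 'tcp[13] & 18 = 18': SYN+ACK even if ECE/CWR also set
    return flag_byte(h) & 18 == 18


def classify(h):
    """Label a header the way the three filters above would, most specific first."""
    if is_synack(h):
        return "SYN-ACK"
    if is_syn(h):
        return "SYN"
    if is_ack(h):
        return "ACK"
    return "other"


if __name__ == "__main__":
    handshake = [build_tcp_header(40000, 80, TCP_FLAGS["SYN"]),
                 build_tcp_header(80, 40000, TCP_FLAGS["SYN"] | TCP_FLAGS["ACK"]),
                 build_tcp_header(40000, 80, TCP_FLAGS["ACK"])]
    for h in handshake:
        print(classify(h), flag_names(h))
```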

TShark

  • Listen on eth0:

      tshark -i eth0
  • Listen on any available interface:

      tshark -i any
  • Write the captured packets to a file:

      tshark -w capture.cap
  • Display packets from a file:

      tshark -r capture.cap
  • Simple HTTP/XML traffic checks (capture filter with -f, display filter with -Y):

      tshark -f 'tcp port 80 or tcp port 443' -V -Y 'http.request || http.response'
  • Capture DNS query and response address:

      tshark -f 'src port 53' -n -T fields -e dns.qry.name -e dns.resp.addr
  • Show HTTP POST requests whose TCP payload contains "password":

      tshark -Y 'http.request.method == POST and tcp contains "password"'

Iperf

  • Run an iperf server listening on port 8888:

      iperf -s -p 8888
  • Connect as a client to the server at 192.168.0.22 on port 8888:

      iperf -c 192.168.0.22 -p 8888