Network Troubleshooting Part II

This is a simple topic, and the most useful tool in my opinion is the ifup/ifdown command.
ifup or ifdown is an easier way of bringing interfaces up or taking them down, depending on what you are trying to do. Each ifup/ifdown requires an interface to be specified, like eth0 or wlan0.

Next, let's look at starting, stopping, restarting and checking the status of networking on Debian/Ubuntu, and then on RHEL/CentOS based systems.
It's really simple; to start the network services, simply type the following:
# /etc/init.d/network start – this will start the network services
# /etc/init.d/network stop – this will stop all network services
# /etc/init.d/network status – used to check the network status
# /etc/init.d/network restart – used to restart all network services

Now, for RHEL/CentOS systems it's a little different. Most modern RHEL based OS's use systemctl; let's not get into what it is right now. What you need to know is how to start, stop, get the status of and restart the networking services.
# service network start – this command is used to start the network services
# service network stop – this will halt all network services
# service network status – used to check the network status
# service network restart – will restart all network services


Now that we have gotten those basic commands out of the way, let's dig deeper into some useful tools. Nmap is an incredibly useful tool. I use it daily; it helps me see what ports are up, detect what OS is on a machine, or check whether a host is up and communicating on a network, among many other things. Oh, and sometimes it sets off our IDS and drives the internal help desk nuts. Keep in mind that this is for gathering information on a target or targets, depending on whether you scan one IP address or a whole subnet.

A few things to remember: you can scan a whole subnet simply by doing the following, # nmap 192.168.1.1-255, or you can scan a specific range of IP addresses like so, # nmap 192.168.1.1-20.

Here are a few commands that I use after setting up a new network on our systems.
Stealth Scan or SYN Scan – this is the most basic and popular scan used. Aside from being the most commonly used scan in nmap, you remain quiet and safe, with little chance of DoSing the target.
# nmap -sS -p- -Pn <ipaddress>

  • We use the “-Pn” switch to skip the host discovery phase and scan all the addresses.
  • We use the “-p-” to tell Nmap to scan all the ports not just the default 1000.

UDP Scan – used to scan UDP ports.
# nmap -sU <ipaddress>

TCP Connect Scan – this will attempt to complete the three-way handshake on each port specified in the nmap command. As stated above, we tell nmap to scan all the ports, not just the default ports.
# nmap -sTV -p- -Pn <ipaddress>

Fingerprint scan – this is used for gathering information on what OS the host is running and its additional services.
# nmap -A <ipaddress>


Netstat, or Network Statistics, is a tool that displays network connections for TCP, both incoming and outgoing. It can also display routing tables, network interfaces and network protocol statistics.

netstat <options> | less

Adding the "| less" helps when checking the output of this command.

Let's look at the options:

  • -n : will display numerical addresses and port numbers
  • -r : to display the routing table
  • -p : displays the PID
  • -i : displays a list of network interfaces
  • -l : displays listening ports
  • -t : limit to TCP traffic
  • -u : limit to UDP traffic
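The listing that `netstat -tulnp` produces (the -t, -u, -l, -n and -p options above, combined) is worth reviewing for anything listening on a non-loopback address, since those are the services other hosts can reach. Below is an added example, not part of the original post, that does that review with awk over a constructed sample of netstat output; pipe the live command into `exposed_listeners` to use it for real.

```shell
#!/bin/sh
# Added example (not from the original post): report the listeners in
# `netstat -tulnp` output that are bound to a non-loopback address.
# Live use:  netstat -tulnp | exposed_listeners

# Constructed sample of `netstat -tulnp` output (numeric, listening, TCP+UDP, PIDs).
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1044/mysqld
tcp6       0      0 :::80                   :::*                    LISTEN      1210/apache2
udp        0      0 0.0.0.0:68              0.0.0.0:*                           655/dhclient
udp        0      0 127.0.0.53:53           0.0.0.0:*                           601/systemd-resolve'

# Print "<proto> <port> <pid/program>" for every listener that is reachable
# from other hosts. Loopback binds (127.x.x.x, ::1) are local-only and skipped.
exposed_listeners() {
    awk '$1 ~ /^(tcp|udp)6?$/ {
        addr = $4
        port = addr; sub(/.*:/, "", port)       # text after the last colon
        host = addr; sub(/:[^:]*$/, "", host)   # everything before it
        if (host ~ /^127\./ || host == "::1") next
        pid = ($1 ~ /^tcp/) ? $7 : $6           # UDP rows have no State column
        print $1, port, pid
    }'
}

# Wrapper that runs the check over the constructed sample.
exposed_from_sample() {
    printf '%s\n' "$SAMPLE_NETSTAT" | exposed_listeners
}

exposed_from_sample
```

The sample yields sshd on 22/tcp, apache2 on 80/tcp6 and dhclient on 68/udp; mysqld and the stub resolver are bound to loopback and are left out.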

If you know what Wireshark is, odds are you have heard of tcpdump. It's an old but common packet sniffing tool used on a lot of Linux and Unix systems. Using it is fairly easy and straightforward. Understanding the output may take some practice.

tcpdump <options>
That's it really; some options you add may need arguments, but other than that it's straightforward.

Let's look at a few options you can add to tcpdump:

  • -a : numerical address output and port
  • -A : will display ASCII (text) output
  • -v : verbose mode will produce more output (more information)
    • -vv : for more information
    • -vvv : for even more information
  • -i : for an interface, like eth0 or wlan0
  • -c : for a packet count
  • -n : will show no host names, only IP addresses (basically, no DNS)
  • -e : will show MAC addresses
  • -tttt : for a time stamp

Here is an example:

# tcpdump -c10 -ae -i eth0 -tttt
It will capture 10 packets and then stop, showing you the address and port, MAC address and time stamp of the packets coming into and going out of eth0.
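Because -e puts the source MAC on every line and -tttt adds a full timestamp, the text tcpdump prints can be post-processed with awk. The following is an added example, not from the original post: it tallies which source MAC sent from which source IP, and flags any MAC seen with more than one IP, which is a quick way to spot an address conflict or a misconfigured host. The capture lines are constructed, and -n is assumed so that addresses stay numeric.

```shell
#!/bin/sh
# Added example (not from the original post): summarise the output of
#   tcpdump -c10 -e -n -i eth0 -tttt
# by source MAC and source IP. Live use:  tcpdump -c100 -e -n -i eth0 -tttt | mac_ip_pairs

# Constructed capture: two TCP frames, one ARP request and one ICMP echo, in tcpdump's
# "-e -tttt -n" line format.
SAMPLE_TCPDUMP='2024-05-01 09:15:01.000112 52:54:00:aa:bb:01 > 52:54:00:aa:bb:02, ethertype IPv4 (0x0800), length 74: 192.168.1.10.51234 > 192.168.1.20.22: Flags [S], seq 1, win 64240, length 0
2024-05-01 09:15:01.000350 52:54:00:aa:bb:02 > 52:54:00:aa:bb:01, ethertype IPv4 (0x0800), length 74: 192.168.1.20.22 > 192.168.1.10.51234: Flags [S.], seq 1, ack 2, win 65160, length 0
2024-05-01 09:15:02.104400 52:54:00:aa:bb:03 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.1.1 tell 192.168.1.30, length 28
2024-05-01 09:15:03.220011 52:54:00:aa:bb:01 > 52:54:00:aa:bb:02, ethertype IPv4 (0x0800), length 98: 192.168.1.99 > 192.168.1.20: ICMP echo request, id 7, seq 1, length 64'

# Print "<src MAC> <src IP> <packets>" for every IPv4 frame, one line per pair.
# Field layout: $3 is the source MAC, $7 the ethertype name, $11 the source
# address, which carries a trailing .port for TCP/UDP but not for ICMP.
mac_ip_pairs() {
    awk '$7 == "IPv4" {
        split($11, a, ".")                   # keep only the four address octets
        ip = a[1] "." a[2] "." a[3] "." a[4]
        count[$3 " " ip]++
    }
    END { for (k in count) print k, count[k] }' | sort
}

# Print each source MAC that sent from more than one source IP.
multi_ip_macs() {
    mac_ip_pairs | awk '{ ips[$1]++ } END { for (m in ips) if (ips[m] > 1) print m }'
}

pairs_from_sample() { printf '%s\n' "$SAMPLE_TCPDUMP" | mac_ip_pairs; }
multi_from_sample() { printf '%s\n' "$SAMPLE_TCPDUMP" | multi_ip_macs; }

pairs_from_sample
multi_from_sample
```

In the sample, 52:54:00:aa:bb:01 shows up sourcing both 192.168.1.10 and 192.168.1.99, so it is the one MAC reported; the ARP frame is ignored because it is not an IPv4 packet.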
