Andy Computer Blog: 5月 2016

2016年5月26日星期四

ICMP Protocol

Introduction:

ICMP will check the flow control, detect the remote machine,
It is on the IP layer and no port concept

It is on the IP above

It's Package format

ICMP 在溝通之中，主要是透過不同的類別( Type )與代碼( Code ) 讓機器來識別不同的連線狀況。常用的類別如下表所列﹕

類別	名稱	代表意思
0	Echo Reply	是一個回應信息。
3	Distination Unreachable	表示目的地不可到達。
4	Source Quench	當 router 負載過時﹐用來竭止來源繼續發送訊息。
5	Redirect	用來重新導向路由路徑。
8	Echo Request	請求回應訊息。
11	Time Exeeded for a Datagram	當資料封包在某些路由現象中逾時﹐告知來源該封包已被忽略忽略。

REF: chinese network_ip_icmp

Netstat For Network Statistics

Format:

NETSTAT [-a] [-e] [-n] [-s] [-p proto] [-r] [interval]

  -a            Displays all connections and listening ports.
  -e            Displays Ethernet statistics. This may be combined with the -s
                option.
  -n            Displays addresses and port numbers in numerical form.
  -o            Displays the owning process ID associated with each connection.
  -p proto      Shows connections for the protocol specified by proto; proto
                may be any of: TCP, UDP, TCPv6, or UDPv6.  If used with the -s
                option to display per-protocol statistics, proto may be any of:
                IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, or UDPv6.
  -r            Displays the routing table.
  -s            Displays per-protocol statistics.  By default, statistics are
                shown for IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, and UDPv6;
                the -p option may be used to specify a subset of the default.
  interval      Redisplays selected statistics, pausing interval seconds
                between each display.  Press CTRL+C to stop redisplaying
                statistics.  If omitted, netstat will print the current
                configuration information once.

Example
A Look all content
netstat
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 127.0.0.1:6666 127.0.0.1:48858 ESTABLISHED
tcp 0 0 127.0.0.1:13666 127.0.0.1:44115 ESTABLISHED
tcp 0 0 127.0.0.1:7777 127.1.1.2:20247 ESTABLISHED

B Look TCP connection

netstat -tn | head

Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 127.0.0.1:6666 127.0.0.1:48858 ESTABLISHED
tcp 0 0 127.0.0.1:13666 127.0.0.1:44115 ESTABLISHED
tcp 0 0 127.0.0.1:7777 127.1.1.2:20247 ESTABLISHED
tcp 0 0 127.0.0.1:13666 127.0.0.1:44124 ESTABLISHED

C LOOK UDP connection

netstat -un | head

udp 0 0 127.0.0.1:53925 127.0.0.1:14756 ESTABLISHED
udp 0 0 127.0.0.1:48294 127.0.0.1:14756 ESTABLISHED
udp 0 0 127.0.0.1:50087 127.0.0.1:14756 ESTABLISHED
udp 0 0 127.0.0.1:60208 127.0.0.1:14756 ESTABLISHED

udp 0 0 127.0.0.1:46913 127.0.0.1:14756 ESTABLISHED

D: Look Process

Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        1      0 ramesh-laptop.loc:47212 192.168.185.75:www        CLOSE_WAIT  2109/firefox
tcp        0      0 ramesh-laptop.loc:52750 lax:www ESTABLISHED 2109/firefox

REference
netstat-command-examples
Search IP connect

SS comand

Introduction

ss is one another utility to investigate sockets
The third: default is to dump only TCP sockets, rather than all of the types

2 Basic Usage

ss -t : -a dumps all TCP sockets
ss -u : -a dumps all UDP sockets
ss -w : -a dumps all RAW sockets
ss -x : -a dumps all UNIX sockets

3 State Fileter

ss state bucket

State Recv-Q Send-Q Local Address:Port Peer Address:Port

TIME-WAIT 0 0 ::ffff:127.0.0.1:https ::ffff:127.0.0.1:48207

TIME-WAIT 0 0 ::ffff:127.0.0.1:https ::ffff:127.0.0.1:48211

TIME-WAIT 0 0 ::ffff:127.0.0.1:https ::ffff:127.0.0.1:48209

TIME-WAIT 0 0 ::ffff:127.0.0.1:https ::ffff:127.0.0.1:48215

TIME-WAIT 0 0 ::ffff:127.0.0.1:https ::ffff:127.0.0.1:48208

More detail

All standard TCP states: established, syn-sent, syn-recv, fin-wait-1, fin-wait-2, time-wait, closed, close-wait,last-ack, listen and closing.
all - for all the states
connected - all the states except for listen and closed
synchronized - all the connected states except for syn-sent
bucket - states, which are maintained as minisockets, i.e. time-wait and syn-recv.
big - opposite to bucket

From: PIC LInk , tcp-timewait

4 Addreess filter

ss -a dst 192.168.168.0/24

State Recv-Q Send-Q Local Address:Port Peer Address:Port

ESTAB 0 0 ::ffff:127.0.0.1:ssh ::ffff:192.168.168.140:63563

ESTAB 0 52 ::ffff:127.0.0.1:ssh ::ffff:192.168.168.140:52859

More detail

dst ADDRESS_PATTERN - matches remote address and port
src ADDRESS_PATTERN - matches local address and port
dport RELOP PORT - compares remote port to a number
sport RELOP PORT - compares local port to a number

5 Name address

ss -ar dst 192.168.168.0/24

ate Recv-Q Send-Q Local Address:Port Peer Address:Port

ESTAB 0 0 localhost.localdomain:ssh who:63563

ESTAB 0 52 localhost.localdomain:ssh who:52859

6. Process -p

ss -p -a dst 192.168.168.0/24

State Recv-Q Send-Q Local Address:Port Peer Address:Port

ESTAB 0 0 ::ffff:127.0.0.1:ssh ::ffff:192.168.168.140:63563 users:(("sshd",4219,3))

ESTAB 0 52 ::ffff:127.0.0.1:ssh ::ffff:192.168.168.140:52859 users:(("sshd",31086,3))

7. Look time -o

ate Recv-Q Send-Q Local Address:Port Peer Address:Port

ESTAB 0 0 ::ffff:127.0.0.1:ssh ::ffff:IP:63563 timer:(keepalive,18min,0)

ESTAB 0 52 ::ffff:127.0.0.1:ssh ::ffff:IP:52859 timer:(on,420ms,0)

8. Sumaary -s

Reference

Look ss linux-investigate-sockets-network-connections

tcpdump For Network Packet Analyzer

Introduction: It will by time to capture the package

Format:

tcpdump [options] [filter express]

Option : Ref tcpdump example

．-n：以數字顯示，不對 IP 作反解，但仍顯示服務名稱。
．-nn：直接以 IP 及 port number 顯示，而非主機名與服務名稱。
．-p：不要以 promiscuous mode 執行。
．-t：不要顯示 timestamp。
．-i：指令要監控的網路介面，如 eth0、lo、any 等。
．-e：使用資料連接層 (OSI 第二層) 的 MAC 封包資料來顯示。
．-c：監聽的封包數，如果沒有這個參數，tcpdump 會持續不斷的監聽，直到使用者輸入 [ctrl]-c 為止。
．-q：僅列出較為簡短的封包資訊，每一行的內容比較精簡。
．-s：抓比較長的 data 做一筆記錄。
．-v：輸出一個稍微詳細的資訊，例如在 IP 封包中可以包括 ttl 和服務類型的資訊。
．-A：封包的內容以 ASCII 顯示，通常用來捉取 WWW 的網頁封包資料。
．-X：可以列出十六進位 (hex) 以及 ASCII 的封包內容，對於監聽封包內容很有用。
．-w：如果你要將監聽所得的封包資料儲存下來，用這個參數就對了！後面接檔名。
．-r：從後面接的檔案將封包資料讀出來。那個『檔案』是已經存在的檔案，並且這個『檔案』是由 -w 所製作出來的。

Expression:

(Protocol ) (port) (host)
protocol: tcp, udp, icmp
port: number, ssh
host: host IP or net CIDR

addrest: src, dst

#tcpdump -t -nn -i eth0 "tcp port https and src host 192.168.70.2"

Exampl2:
Capture ICMP Package

Reference:
tcpdump-6up.pdf
Chinese_Exaplaination
Good example tcpdump

2016年5月25日星期三

lsof list open file

FROM lsof-command-examples

Introduction:
By default One file per line is displayed. Most of the columns are self explanatory. We will explain the details about couple of cryptic columns (FD and TYPE).

FD – Represents the file descriptor. Some of the values of FDs are,

cwd – Current Working Directory
txt – Text file
mem – Memory mapped file
mmap – Memory mapped device
NUMBER – Represent the actual file descriptor. The character after the number i.e ‘1u’, represents the mode in which the file is opened. r for read, w for write, u for read and write.

TYPE – Specifies the type of the file. Some of the values of TYPEs are,

REG – Regular File
DIR – Directory
FIFO – First In First Out
CHR – Character special file

2016年5月4日星期三

Docker reference

Simple :

1 slide Chinese docker-61214768

Setting NAT And host only netwoking

1. In virtual box create two interface, first is host-only (eht0), second is NAT (eht1)

2. In kali, edit the /etc/network/interfaces

auto eth1
iface eth1 inet dhcp

3. restart the networking
/etc/init.d/networking restart

linux-network-config.html
linux-network-set-example-2011
3
ubuntu-dhcp-ip.html

Andy Computer Blog

2016年5月26日星期四

ICMP Protocol

Netstat For Network Statistics

Format:

netstat -tn | head

netstat -un | head

SS comand

tcpdump For Network Packet Analyzer

Format:

Option : Ref tcpdump example

Expression:

2016年5月25日星期三

lsof list open file

2016年5月4日星期三

Docker reference

Setting NAT And host only netwoking

關於我自己

標籤

網誌存檔

2016年5月26日 星期四

Format:

netstat -tn | head

netstat -un | head

Format:

Option : Ref tcpdump example

Expression:

2016年5月25日 星期三

2016年5月4日 星期三

關於我自己

標籤

網誌存檔

2016年5月26日星期四

2016年5月25日星期三

2016年5月4日星期三