SS comand

Introduction

• ss is one another utility to investigate sockets
• The third: default is to dump only TCP sockets, rather than all of the types

2 Basic Usage

• ss -t : -a dumps all TCP sockets
• ss -u : -a dumps all UDP sockets
• ss -w : -a dumps all RAW sockets
• ss -x : -a dumps all UNIX sockets

3 State Fileter

ss state bucket

State       Recv-Q Send-Q                               Local Address:Port                                   Peer Address:Port

TIME-WAIT   0      0                                 ::ffff:127.0.0.1:https                              ::ffff:127.0.0.1:48207

TIME-WAIT   0      0                                 ::ffff:127.0.0.1:https                              ::ffff:127.0.0.1:48211

TIME-WAIT   0      0                                 ::ffff:127.0.0.1:https                              ::ffff:127.0.0.1:48209

TIME-WAIT   0      0                                 ::ffff:127.0.0.1:https                              ::ffff:127.0.0.1:48215

TIME-WAIT   0      0                                 ::ffff:127.0.0.1:https                              ::ffff:127.0.0.1:48208

More detail

• All standard TCP states: established, syn-sent, syn-recv, fin-wait-1, fin-wait-2, time-wait, closed, close-wait,last-ack, listen and closing.
• all - for all the states
• connected - all the states except for listen and closed
• synchronized - all the connected states except for syn-sent
• bucket - states, which are maintained as minisockets, i.e. time-wait and syn-recv.
• big - opposite to bucket

From: PIC LInk , tcp-timewait

4 Addreess filter

 ss   -a  dst 192.168.168.0/24

State       Recv-Q Send-Q    Local Address:Port        Peer Address:Port

ESTAB       0      0         ::ffff:127.0.0.1:ssh    ::ffff:192.168.168.140:63563

ESTAB       0      52        ::ffff:127.0.0.1:ssh    ::ffff:192.168.168.140:52859

More detail

• dst ADDRESS_PATTERN - matches remote address and port
• src ADDRESS_PATTERN - matches local address and port
• dport RELOP PORT - compares remote port to a number
• sport RELOP PORT - compares local port to a number

5  Name address

 ss -ar   dst 192.168.168.0/24

ate       Recv-Q Send-Q                               Local Address:Port                                   Peer Address:Port

ESTAB       0      0                            localhost.localdomain:ssh                          who:63563

ESTAB       0      52                           localhost.localdomain:ssh                            who:52859

6.  Process -p

ss  -p  -a  dst 192.168.168.0/24

State       Recv-Q Send-Q    Local Address:Port       Peer Address:Port

ESTAB       0      0      ::ffff:127.0.0.1:ssh      ::ffff:192.168.168.140:63563  users:(("sshd",4219,3))

ESTAB       0      52   ::ffff:127.0.0.1:ssh      ::ffff:192.168.168.140:52859    users:(("sshd",31086,3))

7. Look time -o

ate       Recv-Q Send-Q                               Local Address:Port                                   Peer Address:Port

ESTAB       0      0     ::ffff:127.0.0.1:ssh       ::ffff:IP:63563    timer:(keepalive,18min,0)

ESTAB       0      52      ::ffff:127.0.0.1:ssh    ::ffff:IP:52859    timer:(on,420ms,0)

8. Sumaary -s

Reference

Look ss linux-investigate-sockets-network-connections

tcpdump For Network Packet Analyzer

Introduction:  It will by time to capture the package

Format: 

tcpdump [options] [filter express]

Option : Ref tcpdump example

．-n：以數字顯示，不對 IP 作反解，但仍顯示服務名稱。
．-nn：直接以 IP 及 port number 顯示，而非主機名與服務名稱。
．-p：不要以 promiscuous mode 執行。
．-t：不要顯示 timestamp。
．-i：指令要監控的網路介面，如 eth0、lo、any 等。
．-e：使用資料連接層 (OSI 第二層) 的 MAC 封包資料來顯示。
．-c：監聽的封包數，如果沒有這個參數，tcpdump 會持續不斷的監聽，直到使用者輸入 [ctrl]-c 為止。
．-q：僅列出較為簡短的封包資訊，每一行的內容比較精簡。
．-s：抓比較長的 data 做一筆記錄。
．-v：輸出一個稍微詳細的資訊，例如在 IP 封包中可以包括 ttl 和服務類型的資訊。
．-A：封包的內容以 ASCII 顯示，通常用來捉取 WWW 的網頁封包資料。
．-X：可以列出十六進位 (hex) 以及 ASCII 的封包內容，對於監聽封包內容很有用。
．-w：如果你要將監聽所得的封包資料儲存下來，用這個參數就對了！後面接檔名。
．-r：從後面接的檔案將封包資料讀出來。那個『檔案』是已經存在的檔案，並且這個『檔案』是由 -w 所製作出來的。

Expression:

(Protocol ) (port) (host)
protocol: tcp, udp, icmp
port: number, ssh
host:  host IP or net CIDR

addrest: src, dst



 #tcpdump  -t  -nn -i eth0  "tcp port https and src  host 192.168.70.2"



Exampl2:
Capture ICMP Package




Reference:
tcpdump-6up.pdf
Chinese_Exaplaination
Good example tcpdump

lsof list open file

FROM lsof-command-examples

Introduction:
By default One file per line is displayed. Most of the columns are self explanatory. We will explain the details about couple of cryptic columns (FD and TYPE).

FD – Represents the file descriptor. Some of the values of FDs are,

• cwd – Current Working Directory
• txt – Text file
• mem – Memory mapped file
• mmap – Memory mapped device
• NUMBER – Represent the actual file descriptor. The character after the number i.e ‘1u’, represents the mode in which the file is opened. r for read, w for write, u for read and write.

TYPE – Specifies the type of the file. Some of the values of TYPEs are,

• REG – Regular File
• DIR – Directory
• FIFO – First In First Out
• CHR – Character special file

Docker reference

Simple :

1 slide Chinese docker-61214768

Setting NAT And host only netwoking

1.  In virtual box create two interface, first is host-only (eht0), second is NAT (eht1)


2. In kali, edit the /etc/network/interfaces

auto eth1
iface eth1 inet dhcp

3. restart the networking 
/etc/init.d/networking restart


linux-network-config.html
linux-network-set-example-2011
3
ubuntu-dhcp-ip.html

Ptt 使用

1. Google 新增plugin

2. 加入已知看板
    按下小 s  在上方輸入 看版
    a. 買賣 forsale



3. 加入我的最愛
   於我的最愛內,     按下小 i 輸入
   



REF
Popular Board

Centos 7 mininal install in VM

Problem: setting the Network

If you should connection network Just following the aricle
how-to-setup-network-after-rhelcentos-7-minimal-installation/



If you should ssh connection, try
nstall-centos-7-minimal-in-virtualbox