
Network testing in Linux

This article grew out of a cheat sheet I kept for myself. My job is to catch bugs on the network. How do you check the speed inside a VPN tunnel? Why does the server not ping? Or it pings, but is unreachable? Who is saturating the whole channel with torrents? Where do the packets go? The mail client shows an incomprehensible error; what actually happened? These and many other questions periodically come up for any user. Below the cut is a description of programs included in every modern distribution, from ping to such exotica as ngrep, along with pictures, if copies of console dumps can be called pictures.


ping


rt94:~# ping -n -i 0.2 -s 512 -I eth0 ya.ru
PING ya.ru (93.158.134.8) from 10.0.94.2 eth0: 512(540) bytes of data.
520 bytes from 93.158.134.8: icmp_seq=1 ttl=59 time=17.5 ms
520 bytes from 93.158.134.8: icmp_seq=2 ttl=59 time=15.0 ms
520 bytes from 93.158.134.8: icmp_seq=3 ttl=59 time=14.7 ms
3/3 packets, 0% loss, min/avg/ewma/max = 14.757/15.777/16.899/17.512 ms
520 bytes from 93.158.134.8: icmp_seq=4 ttl=59 time=14.7 ms
^C


The -n switch tells ping to display IP addresses instead of domain names. This is useful when you ping by IP: no time is spent resolving the name, and if the DNS server is unavailable, name resolution would otherwise stall for a few seconds. The -i switch sets the interval between packets and -s the packet size. The size cannot be larger than the interface MTU. By combining -i and -s you can load the channel to any desired bandwidth. -I specifies the interface through which the packet is sent, useful when you need to bypass the routing table. To display statistics mid-run, as I did after the third packet, send ping a SIGQUIT signal; from the keyboard this is Ctrl+\.
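Turning such a ping run into a pass/fail link check, as an added example that is not part of the original article: `eval_ping_output` parses iputils ping output (both the interim line printed on SIGQUIT and the final summary) for packet loss and average RTT and compares them against thresholds; the interface name, host and thresholds are the caller's choice, and the sample output is constructed.

```shell
#!/bin/sh
# Added example, not from the original article: turn a ping run into a pass/fail
# link check by parsing ping's own output for packet loss and average RTT.

# ping_check IFACE HOST MAX_LOSS_PCT MAX_AVG_MS
# Runs ping with the switches discussed above (-n -i -s -I), a fixed count of
# 10 probes, and hands the output to eval_ping_output.
ping_check() {
    ping -n -c 10 -i 0.2 -s 512 -I "$1" "$2" 2>/dev/null | eval_ping_output "$3" "$4"
}

# eval_ping_output MAX_LOSS_PCT MAX_AVG_MS   (ping output on stdin)
# Understands both the interim line printed on SIGQUIT
# ("3/3 packets, 0% loss, min/avg/ewma/max = a/b/c/d ms") and the final
# summary ("... 33% packet loss ..." plus "rtt min/avg/max/mdev = a/b/c/d ms").
# The last line of each kind wins. Prints "loss=<pct> avg=<ms> OK|DEGRADED" and
# returns 0 only when both thresholds hold; returns 2 if nothing could be parsed.
eval_ping_output() {
    awk -v max_loss="$1" -v max_avg="$2" '
        /loss/ { for (i = 1; i <= NF; i++) if ($i ~ /%$/) loss = $i + 0 }
        /min\/avg/ {
            # the a/b/c/d group follows the "=" token; avg is its second element
            for (i = 1; i < NF; i++) if ($i == "=") { split($(i + 1), t, "/"); avg = t[2] + 0 }
        }
        END {
            if (loss == "" || avg == "") { print "no summary parsed"; exit 2 }
            status = (loss <= max_loss && avg <= max_avg) ? "OK" : "DEGRADED"
            printf "loss=%s avg=%s %s\n", loss, avg, status
            rc = (status == "OK") ? 0 : 1
            exit rc
        }'
}

# Constructed sample (iputils ping format, 1 of 3 probes lost) so the parser
# can be exercised offline:
SAMPLE_PING='PING ya.ru (93.158.134.8) from 10.0.94.2 eth0: 512(540) bytes of data.
520 bytes from 93.158.134.8: icmp_seq=1 ttl=59 time=17.5 ms
520 bytes from 93.158.134.8: icmp_seq=3 ttl=59 time=15.0 ms

--- ya.ru ping statistics ---
3 packets transmitted, 2 received, 33% packet loss, time 402ms
rtt min/avg/max/mdev = 15.000/16.300/17.500/1.250 ms'

printf '%s\n' "$SAMPLE_PING" | eval_ping_output 50 20   # prints: loss=33 avg=16.3 OK
```

With a loss threshold of 10 percent the same sample is reported as DEGRADED and the function returns 1, which is what a cron job or monitoring agent would act on.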

traceroute


rt94:~# traceroute -N 16 -q 1 -A ya.ru
traceroute to ya.ru (77.88.21.8), 30 hops max, 60 byte packets
1 10.94.171.1 (10.94.171.1) [AS65534] 1.402 ms
2 1.32.108.213.hl.ru (213.108.32.1) [AS47333] 1.618 ms
3 94.122.dsl.westcall.net (195.177.122.94) [AS20485/AS25408] 2.859 ms
4 b0-152.mrouter.r.westcall.net (84.52.109.161) [AS25408] 3.021 ms
5 GW-Yandex.retn.net (87.245.250.102) [AS9002] 3.266 ms
6 aluminium-vlan901.yandex.net (77.88.56.111) [AS13238] 14.037 ms
7 gallium-vlan901.yandex.net (77.88.56.126) [AS13238] 16.517 ms
8 hummer-vlan2.yandex.net (87.250.228.136) [AS13238] 16.443 ms
9 ya.ru (77.88.21.8) [AS13238] 15.809 ms


traceroute shows the route to a remote host. By default it works rather slowly, because it probes each router along the packet's path in turn, and three times each. Next to each host you see three response times, or three asterisks if it does not respond. traceroute can be sped up, though. The -N switch sets how many steps of the packet's path (they are called hops) are probed in one cycle, and -q the number of probes sent to each host. The -A switch shows the autonomous system number. An autonomous system is a block of IP networks allocated to a single operator.

mtr


rt94:~# mtr ya.ru

brings up a screen like the one below.
[screenshot: mtr output, not reproduced here]
mtr is a cross between ping and traceroute. It shows clearly at which hop the channel sags. On Debian-like distributions the console version is installed from the mtr-tiny package.

tcpdump


Sometimes it is useful to take a deeper look at what is happening on the network: which packets come and go. For example, to make sure that packets actually leave the host and are not blocked by the firewall.

This is what happens when the command

%nslookup ya.ru

is run while tcpdump is listening in the next terminal:
%sudo tcpdump -ni eth1 udp and port 53 and host 10.0.1.1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
13:09:39.038766 IP 10.94.171.10.41440 > 10.0.1.1.53: 24708+ A? ya.ru. (23)
13:09:39.040403 IP 10.0.1.1.53 > 10.94.171.10.41440: 24708 3/2/0 A 77.88.21.8,[|domain]

Decoding the output: from host 10.94.171.10, port 41440, a request for the A record of ya.ru went to 10.0.1.1, port 53. Port 53 is the DNS protocol. The next line is the reply from the DNS server at 10.0.1.1.
Despite its name, tcpdump understands many network protocols. The -i switch selects the interface to listen on, and -n suppresses DNS lookups for IP addresses. The rest of the command line describes which packets to capture. I will not describe the filter language here, there is a lot of it; I will only touch on what it can do. You can select by source and destination host, by source and destination port, and even by a range of ports. Filters can be grouped with parentheses and the logical words and, or, not. You can select the protocols icmp, arp, tcp, udp; details are in the man page.
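A defender's use of exactly this capture, as an added example that is not part of the original article: `dns_query_summary` reads `tcpdump -n` lines of the form shown above and reports, per client, how many queries went to which resolver, flagging clients that use a resolver other than the expected one (or a port other than 53). The expected-resolver address and the sample capture are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original article: summarise DNS queries seen by
# "tcpdump -n ... udp and port 53" per client, and flag clients that talk to a
# resolver other than the one they are supposed to use (or to a port other
# than 53). Such a summary is a quick way to spot hosts bypassing the local
# resolver, which matters when that resolver does filtering or logging.

# dns_query_summary EXPECTED_RESOLVER_IP   (tcpdump -n output on stdin)
# Query lines look like:
#   13:09:39.038766 IP 10.94.171.10.41440 > 10.0.1.1.53: 24708+ A? ya.ru. (23)
# i.e. "client.port > resolver.port: id[+] TYPE? name. (len)". Responses have
# no "TYPE?" token at that position, so they are skipped.
dns_query_summary() {
    awk -v expected="$1" '
        $4 == ">" && $7 ~ /\?$/ {
            src = $3; sub(/\.[0-9]+$/, "", src)       # strip the ephemeral source port
            dst = $5; sub(/:$/, "", dst)              # strip the trailing colon
            port = dst; sub(/.*\./, "", port)         # last component is the server port
            sub(/\.[0-9]+$/, "", dst)                 # leave only the resolver IP
            count[src " -> " dst ":" port]++
        }
        END {
            for (k in count) {
                split(k, p, " -> "); split(p[2], r, ":")
                flag = (r[1] != expected || r[2] != "53") ? " UNEXPECTED_RESOLVER" : ""
                printf "%s queries=%d%s\n", k, count[k], flag
            }
        }' | sort      # awk array order is undefined; sort for stable output
}

# Constructed sample capture: one client using the expected resolver 10.0.1.1,
# another going straight to a public resolver.
SAMPLE_TCPDUMP='13:09:39.038766 IP 10.94.171.10.41440 > 10.0.1.1.53: 24708+ A? ya.ru. (23)
13:09:39.040403 IP 10.0.1.1.53 > 10.94.171.10.41440: 24708 3/2/0 A 77.88.21.8,[|domain]
13:09:41.102211 IP 10.94.171.10.41442 > 10.0.1.1.53: 24709+ AAAA? ya.ru. (23)
13:09:42.500120 IP 10.94.171.23.53011 > 8.8.8.8.53: 6001+ A? example.net. (29)
13:09:43.000001 IP 10.94.171.23.53012 > 8.8.8.8.53: 6002+ TXT? example.net. (29)'

printf '%s\n' "$SAMPLE_TCPDUMP" | dns_query_summary 10.0.1.1
# prints:
#   10.94.171.10 -> 10.0.1.1:53 queries=2
#   10.94.171.23 -> 8.8.8.8:53 queries=2 UNEXPECTED_RESOLVER
```

In practice you would feed it a live capture, e.g. `tcpdump -lni eth1 udp and port 53 | dns_query_summary 10.0.1.1`, after stopping tcpdump with Ctrl+C.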

ngrep


For all its power, sometimes tcpdump is not enough, for example when you want to see what is inside the packets. This is especially true for text protocols such as SMTP, IMAP, SIP and so on. This is where ngrep comes to the rescue.
For example, to catch packets going to or from port 5060 that contain the word NOTIFY:
rt94:~# ngrep -W byline -d eth0 NOTIFY port 5060
interface: eth0 (213.108.32.94/255.255.255.255)
filter: (ip or ip6) and ( port 5060 )
match: NOTIFY
#
U 213.108.33.128:5060 -> 85.114.2.44:5060
NOTIFY sip:85.114.2.44 SIP/2.0.
Via: SIP/2.0/UDP 192.168.1.2:5060;branch=z9hG4bK-2c32804.
From: 8126221842 <sip:0090315@85.114.2.44>;tag=4751f3b994a4aca8o0.
To: <sip:85.114.2.44>.
Call-ID: a85b76bd-dc9f6574@192.168.1.2.
CSeq: 22858 NOTIFY.
Max-Forwards: 70.
Event: keep-alive.
User-Agent: Linksys/PAP2T-5.1.6(LS).
Content-Length: 0.

The -W byline switch formats the output according to the line breaks inside the packet. This is very convenient for mail protocols or SIP, as in the example. The packet filter string is built the same way as in tcpdump. If you do not specify a substring to search for, ngrep dumps all matching packets. If a packet contains no textual payload, it is shown as a hash mark (#).

And a few simple utilities that you should at least know exist.
How to find out which routing-table entry traffic to a given IP address will use:

rt94:~# ip route get 10.94.171.10
10.94.171.10 dev eth1.173 src 10.94.171.1
cache mtu 1500 advmss 1460 hoplimit 64


How to see who or what is saturating the channel?
For this there is the iptraf utility, with an ncurses-based interface. Started without parameters, it displays a menu.
To see the overall statistics for an interface:
iptraf -d eth0

For per-connection statistics:
iptraf -i eth0

For example, you have a VPN tunnel. How do you measure its bandwidth? The easiest way is the iperf utility. On one host, start it with the -s switch; this will be the server, which listens on port 5001 by default. On the other host, start it with a single parameter, the address of our server.


mii-tool


rt94:~# mii-tool eth0
eth0: negotiated 100baseTx-FD flow-control, link ok

A utility from the net-tools package. It shows the speed of the physical link. With it you can catch the problem where two network cards fail to auto-negotiate the speed and end up at something like 10 Mbps half duplex. A rare problem, but it does occur.

Nmap and hping were beyond the scope of this review. I am waiting for links to other useful programs. Perhaps it makes sense to move this to a more suitable blog?

Source: https://habr.com/ru/post/87472/
