Network tools

tcpdump

Options:

-i any : Listen on all interfaces, useful just to check whether you are seeing any traffic at all.
-n  : Don't resolve hostnames.
-nn : Don't resolve hostnames or port names.
-X  : Show the packet's contents in both hex and ASCII.
-XX : Same as -X, but also shows the Ethernet header.
-v, -vv, -vvv : Increase the amount of packet information you get back.
-c : Only get x number of packets and then stop.
-s : Define the snaplength (size) of the capture in bytes.
     Use -s0 to get everything, unless you are intentionally capturing less.
-S : Print absolute sequence numbers.
-e : Get the Ethernet header as well.
-q : Show less protocol information.
-E : Decrypt IPsec traffic by providing an encryption key.

Examples:

tcpdump -i any  
tcpdump -i eth0

Basic communication

# tcpdump -nS

Basic communication (very verbose)

# tcpdump -nnvvS

A deeper look at the traffic # adds -X for payload but doesn’t grab any more of the packet

# tcpdump -nnvvXS

Heavy packet viewing # the final “s” increases the snaplength, grabbing the whole packet

# tcpdump -nnvvXSs 1514

To look for traffic based on IP address

# tcpdump host 1.2.3.4

To find traffic from only a source or destination

# tcpdump src 2.3.4.5
# tcpdump dst 3.4.5.6

To capture an entire network using CIDR notation

# tcpdump net 1.2.3.0/24
# tcpdump icmp

To see only traffic to or from a certain port

# tcpdump port 3389
# tcpdump port 3389 and port 22

To filter on multiple ports to a specific host

sudo tcpdump '(port 80 or port 443) and host 52.8.3.4'

To filter based on the source or destination port

# tcpdump src port 1025
# tcpdump dst port 389

To filter by src/dst, port, protocol

# tcpdump src port 1025 and tcp
# tcpdump udp and src port 53

To see traffic to any port in a range

# tcpdump portrange 21-23

Capture all Port 80 Traffic to a File

# tcpdump -s 1514 port 80 -w capture_file

Read Captured Traffic back into tcpdump

# tcpdump -r capture_file

TCP traffic from 10.5.2.3 destined for port 3389

# tcpdump -nnvvS tcp and src 10.5.2.3 and dst port 3389

Traffic originating from the 192.168 network headed for the 10 or 172.16 networks

# tcpdump -nvX 'src net 192.168.0.0/16 and (dst net 10.0.0.0/8 or 172.16.0.0/16)'

Traffic originating from Mars or Pluto that isn’t to the SSH port

# tcpdump -vv '(src host mars or src host pluto) and not dst port 22'

Traffic that’s from 10.0.2.4 AND destined for ports 3389 or 22 (correct)

# tcpdump 'src 10.0.2.4 and (dst port 3389 or 22)'

netcat

For scanning ports 1-1000:

netcat -z -v example.com 1-1000
netcat -z -v -v 1.1.1.1 1-1000   # use an IP address instead of a DNS name

To listen on a particular port

netcat -l 4444

To connect from another system to port 4444

netcat example.com 4444

To send files through netcat:

netcat -l 4444 > testfile            # receiving side: listen and write the incoming data to a file
netcat example.com 4444 < testfile   # sending side: connect to the listener and stream the file
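Added example, not part of the original notes: a small Python parser for `tcpdump -nnS` output that reports a source sending bare SYNs to many distinct ports on one host, which is what the `netcat -z` port sweep above looks like from the defender's side of the capture. The sample lines are constructed; the regex assumes the default timestamp format, IPv4, and no -v (which changes the `IP` header text).

```python
import re
from collections import defaultdict

# One line of `tcpdump -nnS` output for IPv4 TCP/UDP. Assumes the default
# timestamp and that -nn left addresses and ports numeric (addr.port form).
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"(?:Flags \[(?P<flags>[^\]]*)\])?"
)

def parse_line(line):
    """Fields of a TCP/UDP line as a dict, or None for anything else (ARP, IPv6, ...)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
    d["flags"] = d["flags"] or ""  # UDP lines carry no Flags field
    return d

def syn_fanout(lines, threshold=5):
    """Map (src, dst) -> sorted distinct dst ports for pairs where bare SYNs
    (Flags [S], not the [S.] reply) hit at least `threshold` ports: the
    footprint a `netcat -z` or `nmap -sT` sweep leaves in a capture."""
    ports = defaultdict(set)
    for line in lines:
        p = parse_line(line)
        if p and p["flags"] == "S":
            ports[(p["src"], p["dst"])].add(p["dport"])
    return {k: sorted(v) for k, v in ports.items() if len(v) >= threshold}

# Constructed sample: a six-port sweep from 10.5.2.3, one SYN/ACK reply, one DNS query, one ARP line.
SAMPLE = """\
12:00:01.000001 IP 10.5.2.3.51234 > 10.0.0.5.21: Flags [S], seq 1000000001, win 64240, length 0
12:00:01.000002 IP 10.5.2.3.51235 > 10.0.0.5.22: Flags [S], seq 1000000002, win 64240, length 0
12:00:01.000003 IP 10.0.0.5.22 > 10.5.2.3.51235: Flags [S.], seq 2000000001, ack 1000000003, win 65160, length 0
12:00:01.000004 IP 10.5.2.3.51236 > 10.0.0.5.23: Flags [S], seq 1000000003, win 64240, length 0
12:00:01.000005 IP 10.5.2.3.51237 > 10.0.0.5.80: Flags [S], seq 1000000004, win 64240, length 0
12:00:01.000006 IP 10.5.2.3.51238 > 10.0.0.5.443: Flags [S], seq 1000000005, win 64240, length 0
12:00:01.000007 IP 10.5.2.3.51239 > 10.0.0.5.3389: Flags [S], seq 1000000006, win 64240, length 0
12:00:02.000000 IP 10.5.2.3.40000 > 10.0.0.53.53: 12345+ A? example.com. (29)
12:00:02.500000 ARP, Request who-has 10.0.0.1 tell 10.5.2.3, length 28
""".splitlines()

if __name__ == "__main__":
    for (src, dst), hit in syn_fanout(SAMPLE).items():
        print(f"{src} -> {dst}: bare SYN to {len(hit)} distinct ports {hit}")
```

Feed it a live capture with `tcpdump -nnS tcp | python3 this_script.py` style piping by replacing `SAMPLE` with `sys.stdin`; a SYN/ACK-only or UDP-only flow never trips the threshold.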

iperf

server process:

To start the server on port 9999:
$ iperf -s -p 9999

To start the server in daemon mode:
$ iperf3 -s -D  

Client commands

To run a 30 second test, giving results every 1 second:
$ iperf3 -c <dst-ip> -i 1 -t 30 

Run a test from the remote host to localhost (reverse mode, the server sends):
$ iperf3 -c <dst-ip> -i 1 -t 20 -R 

Run a test with 4 parallel streams and a 32M TCP buffer:
$ iperf3 -c <dst-ip> -w 32M -P 4

Run a 200 Mbps UDP test:
$ iperf3 -c <dst-ip> -u -i 1 -b 200M

Output the results in JSON format using -J:
$ iperf3 -c <dst-ip> -J 

nmap

Scan a specific port instead of all common ports:
nmap -p port_number remote_host

Scan every TCP and UDP port (no host discovery, no name resolution):
sudo nmap -n -Pn -sT -sU -p- remote_host

dig

dig netflix.com +nocomments +noquestion +noauthority +noadditional +nostats

The above command can be replaced by:
$ dig netflix.com +noall +answer

To query MX records:
dig netflix.com  MX +noall +answer
dig -t MX netflix.com +noall +answer

To query the nameservers (NS records):
dig -t NS netflix.com +noall +answer


To view all record types:
dig netflix.com ANY +noall +answer

To view the short output (displays only IP addresses)
dig jeeva.asuscomm.com +short
147.92.89.53

To do a reverse lookup:
dig -x 199.232.41.10
dig -x 147.92.89.53 +short

To use a specific name server:
dig @nameserver netflix.com


Bulk DNS query:
cat /tmp/names.txt
netflix.com
prod.netflix.com
corp.netflix.com

dig -f /tmp/names.txt +noall +short


Default dig options: $HOME/.digrc
cat $HOME/.digrc
+noall +answer

Speedtest

Use the official CLI provided by Ookla instead of the unofficial speedtest-cli one.

## If migrating from prior bintray install instructions please first...
sudo rm /etc/apt/sources.list.d/speedtest.list
sudo apt-get update
sudo apt-get remove speedtest

## Other non-official binaries will conflict with Speedtest CLI
# Example how to remove using apt-get
sudo apt-get remove speedtest-cli
sudo apt-get install curl
curl -s https://packagecloud.io/install/repositories/ookla/speedtest-cli/script.deb.sh | sudo bash
sudo apt-get install speedtest