Other network tools: Difference between revisions
Jump to navigation
Jump to search
m (→nmap notes) |
|||
| Line 117: | Line 117: | ||
You can ignore IP ranges with -z | You can ignore IP ranges with -z | ||
=Reports and statistics= | =Reports and statistics= | ||
Revision as of 14:43, 20 June 2024
|
For other network related things, see:
|
✎ This article/section is a stub — some half-sorted notes, not necessarily checked, not necessarily correct. Feel free to ignore, or tell me about it.
Medium level tools
Download tools
You probably already know wget or curl. In that context, lftp is also interesting.
- wget is a HTTP and FTP downloader, with some neat features geared towards those protocols
- curl is like wget, with a different feature set and supporting some more protocols
- lftp is a useful (mass) downloading tool that does HTTP, FTP, SFTP, and others
See also this comparison table
Low-level tools
Pings and port scans
✎ This article/section is a stub — some half-sorted notes, not necessarily checked, not necessarily correct. Feel free to ignore, or tell me about it.
Watching traffic
Speed per established connection:
- jnettop (connections, speeds)
- iftop (connections, speeds) - graphical feedback of speeds
- tcptrack (connections, speeds)
- iptraf (per connection / interface / protocol / MAC)
Speed per program:
- nethogs (speeds per program; by default only TCP)
Speed totals (per interface):
- bmon (speed per interface, and shows traffic shaping aggregates)
- nload (graphs)
- vnStat (also summarizes per day, etc.; collects via background service)
- iptraf (per connection / interface / protocol / MAC)
- ibmonitor (speed per interface)
- (slurm(verify))
Connections:
- ssldump lets you notice SSL traffic (and decrypt it, given the right keys)
- netstat (lists current connections) (see also its mention on Linux_admin_notes_-_health_and_statistics#Networking)
Packet-level
- tcpdump takes packets from the network stack, and (with default options) gives you a short description. Also allows you to filter, write packets to the tcpdump file format (various utilities can read this). See also tcpdump notes.
- Wireshark (previousy ethereal)[1], which still exists but isn't being developed anymore) is similar but has a GUI, some more filter options (a different filter system), and more advanced packet decoding.
- tcpflow: instead of storing packets, this stores TCP connection interchanges in whole, each each in a separate file (or optionally only to screen). Doesn't write a standard file format, but is useful to snoop on protocols at application layer
- (can be useful to split interchanges from a tcpdump file)
Content-geared:
- ngrep greps packets for contents. Can e.g. be used as a content-aware tcpdump alternative, in a pipe, or to filter tcpdump files after the fact.
- driftnet picks out images from HTTP transfers and either saves them or displays them in X.
- chaosreader interprets packet log files and snoops out files, emails, etc. from the common protocols that carry them (HTTP, FTP, SMTP)
- dsniff is like chaosreader, but a little lower-level.
arpwatch
✎ This article/section is a stub — some half-sorted notes, not necessarily checked, not necessarily correct. Feel free to ignore, or tell me about it.
Arpwatch is a service that mails the admin when observed ARP packets give new or interesting information, in particular:
- "new station" when it sees a MAC we hadn't seen before
- "new activity" when it sees a (MAC,IP) pair that we know, but hadn't seen for half a year(verify)
- so also when you change or add an IP to an interface(verify)
- "changed ethernet address" -
- "flip flop" - address changed from the most recently seen address to the one before that (of rememembered addresses)
- "reused old ethernet address" - address changed to the third-or-more (of rememembered addresses)
- bogons for any IP address that isn't in our the monitored interface's (first?) subnet
- you can disable this with -N
- you can add networks you expect traffic from with -n
It indirectly helps detect address reuse, ARP spoofing.
It stores MAC and IPs that we have seen (up to half a year?), to support those.
(By default listens on a single interface, the first one it finds. It seems arpwatch services may be configured to launch one per interface?)
You can ignore IP ranges with -z
Reports and statistics
✎ This article/section is a stub — some half-sorted notes, not necessarily checked, not necessarily correct. Feel free to ignore, or tell me about it.
System/traffic reports
- darkstat (standalone: snoops off interface, reports via embedded web server and simple graphs)
- ntop does traffic analyses and rrd-style graphs (host-focused)
- RRDTool-related utilities, including:
See also this list
Availability/health monitoring
Log analysis
- awstats (web, mail, ftp, streaming, some others)
- webalizer (web)
- analog (web)
- calamaris (web proxies)
(See also Web log analysis notes)
Lower level tools
✎ This article/section is a stub — some half-sorted notes, not necessarily checked, not necessarily correct. Feel free to ignore, or tell me about it.
(relatively lower, or very-specific-purpose)
Utilities
- traceroute [2]
- lft ('layer four traceroute') [3]
- arping [4]
- mtr [5]
- bing
- dnstracer
- nmap [6]
netcat
There are two distinct things called netcat
The idea is the same but some behaviour differs, e.g. when things are output.
(Note that nc is sometimes symlink to mc, the midnight commander, because it's an imitation of norton commander)
Uses of netcat include talking to your web server:
# the -e is there so that \n gets interpreted as a newline echo -e 'GET / HTTP/1.0\n' | netcat localhost 80
The utility can also create a listening (-l) TCP server (default) or UDP server (-u option) on a port, say 1111 (-p 1111):
netcat -l -p 1111 netcat -l -u -p 1111
These will echo what they get. Since this uses stdin/stdout, this can be used for simple network pipes.
netcat servers can be useful to see whether connections are getting through, and see what's happening on them (try a lot of verbosity through -vv), which can be useful e.g. in protocol testing and testing whether your firewall is being overly protective.
You can do some basic port scanning, for example with a one-second timeout after connect, port 10-500)
netcat -v -w 1 localhost -z 10-500
things like netcat
Variations on netcat include:
- socat [9]
- generalized in that it can connect to a file, pipe, device, socket (Unix, IP4, IP6, raw, UDP, TCP), SSL, and some proxies
- and can relate between these
- http://freshmeat.sourceforge.net/projects/socat/
- nmap's ncat
- pnetcat - python implementation of netcat
- the /dev/tcp device, see e.g. [10]
More specialized
- cryptcat
- adds (twofish) encryption, so that you can transfer data without it being easily snoopable(verify)
- http://cryptcat.sourceforge.net/
- netcopy & netsend - plain file sending
- packet sender
- hping
Dead homepage?
- sbd
- sometimes noted to be a trojan, mostly because it allows remote execution
- http://www.cycom.se/dl/sbd
- emcast (sort of a multicast netcat)
Packet creation
- scapy [11]
- SendIP [12]
Speed limit/stress testing
IP-to-location lookup
hostip
Looks interesting and detailed, though it seems that you'll have to your own indexing.
Maxmind GeoIP
Has decent-resolution free (requires attribution) data sets, GeoLite:
There are better-resolution versions for pay.
Caching options:
- None: GEOIP_STANDARD: reads everything from disk
- Index only: GEOIP_INDEX_CACHE: index stored in memory, record read form disk: faster than standard, less memory usage than full. Often the smart choice for the more detailed datasets (like city)
- Full: GEOIP_MEMORY_CACHE: Everything is loaded once and ket in memory and GEOIP_CHECK_CACHE same, but check the filesystem whether the db has changed and reload if so
IP2Location
Seems annoyingly paid-for.