Sep 252010
 

networkAfter ping, telnet and dig we continue to see other useful tools for network analysis done by the command line.

Traceroute

traceroute is a computer network tool used to show the route taken by packets across an Internet Protocol (IP) network. An IPv6 variant, traceroute6, is also widely available.

The traceroute tool is available on practically all Unix-like operating systems. Variants with similar functionality are also available, such as tracepath on modern Linux installations and tracert on Microsoft Windows operating systems. Windows NT-based operating systems also provide PathPing, which provides similar functionality.



Traceroute sends a sequence of Internet Control Message Protocol (ICMP) packets addressed to a destination host. Tracing the intermediate routers traversed involves control of the time-to-live (TTL) Internet Protocol parameter. Routers decrement this parameter and discard a packet when the TTL value has reached zero, returning an ICMP error message (ICMP Time Exceeded) to the sender.

Traceroute works by increasing the TTL value of each successive batch of packets sent. The first three packets sent have a time-to-live (TTL) value of one, expecting that they are not forwarded by the first router. The next three packets have a TTL value of 2, so that the second router will send the error reply. This continues until the destination host receives the packets and returns an ICMP Echo Reply message.

The traceroute utility uses the returning ICMP messages to produce a list of hosts that the packets have traversed in transit to the destination. The three timestamp values returned for each host along the path are the delay (aka latency) values, typically measured in milliseconds for each packet in the batch.

Basic use:

traceroute destionationhost

Example:

traceroute www.google.it

traceroute to www.google.it (72.14.234.104), 30 hops max, 60 byte packets

1 192.168.0.1 (192.168.0.1) 1.905 ms 5.552 ms 9.496 ms

2 * * *

3 host141-189-static.38-88-b.business.telecomitalia.it (88.38.189.141) 50.136 ms 53.519 ms 55.674 ms

4 r-bo83-vl19.opb.interbusiness.it (80.21.70.162) 58.609 ms 63.730 ms 66.937 ms

5 172.17.5.69 (172.17.5.69) 74.281 ms 76.749 ms 79.629 ms

6 172.17.8.165 (172.17.8.165) 91.052 ms 42.074 ms 42.009 ms

7 172.17.5.241 (172.17.5.241) 49.091 ms 50.790 ms 53.211 ms

8 te1-9-1-0.milano50.mil.seabone.net (93.186.128.165) 54.800 ms 56.805 ms 59.189 ms

9 te3-2.milano53.mil.seabone.net (195.22.205.227) 60.866 ms 63.446 ms 65.927 ms

10 72.14.198.233 (72.14.198.233) 68.039 ms 70.902 ms 73.316 ms

11 209.85.249.54 (209.85.249.54) 75.359 ms 78.234 ms 80.581 ms

12 72.14.232.63 (72.14.232.63) 41.714 ms 40.862 ms 41.676 ms

13 mil01s07-in-f104.1e100.net (72.14.234.104) 46.361 ms 49.293 ms 52.165 ms

Whois

WHOIS (pronounced as the phrase who is) is a query and response protocol that is widely used for querying databases that store the registered users or assignees of an Internet resource, such as a domain name, an IP address block, or an autonomous system, but is also used for a wider range of other information. The protocol stores and delivers database content in a human-readable format. The Whois protocol is documented in RFC 3912

basic usage

whois domain

Example:

whois wikipedia.com

Registrant:

Wikimedia Foundation, Inc.

149 New Montgomery Street

Third Floor

San Francisco, California 94105

United States

Registered through: GoDaddy.com, Inc. (http://www.godaddy.com)

Domain Name: WIKIPEDIA.COM

Created on: 12-Jan-01

Expires on: 10-Jan-15

Last Updated on: 01-Mar-06

Administrative Contact:

Admin, DNS [email protected]

Wikimedia Foundation, Inc.

149 New Montgomery Street

Third Floor

San Francisco, California 94105

United States

+1.4158396885 Fax -- +1.4158820495

Technical Contact:

Admin, DNS [email protected]

Wikimedia Foundation, Inc.

149 New Montgomery Street

Third Floor

San Francisco, California 94105

United States

+1.4158396885 Fax -- +1.4158820495

Domain servers in listed order:

NS0.WIKIMEDIA.ORG

NS1.WIKIMEDIA.ORG

NS2.WIKIMEDIA.ORG

Netstat

On computer running Gnu/Linux, netstat command display the status of open network connection.

If run without oprion show the status of active socket, an example could be:

kaos@kaos:~$ netstat

Active Internet connections (w/o servers)

Proto Recv-Q Send-Q Local Address Foreign Address State

tcp 0 0 proxy.surfnet.iac:33297 mg-in-f125.:xmpp-client ESTABLISHED

tcp 0 0 proxy.surfnet.iac:33995 by1msg5176516.phx.:1863 ESTABLISHED

Active UNIX domain sockets (w/o servers)

Proto RefCnt Flags Type State I-Node Path

unix 3 [ ] DGRAM 13826 /dev/log

unix 2 [ ] DGRAM 5109 @/org/kernel/udev/udevd

unix 2 [ ] DGRAM 10443 @/org/freedesktop/hal/udev_event

unix 3 [ ] STREAM CONNECTED 34721 /tmp/orbit-kaos/linc-4876-0-ebf915e300c0

unix 3 [ ] STREAM CONNECTED 34720

Most common options are:

Parameters used with this command must be prefixed with a hyphen (-) rather than a slash (/).

  • -a : Displays all active TCP connections and the TCP and UDP ports on which the computer is listening.
  • -e : Displays ethernet statistics, such as the number of bytes and packets sent and received. This parameter can be combined with -s.
  • -g : Displays multicast group membership information for both IPv4 and IPv6 (may only be available on newer operating systems)
  • -i : Displays network interfaces and their statistics
  • -n : Displays active TCP connections, however, addresses and port numbers are expressed numerically and no attempt is made to determine names.
  • -p Linux: Process : Show which processes are using which sockets (similar to -b under Windows) (you must be root to do this)
  • -r : Displays the contents of the IP routing table. (This is equivalent to the route print command under Windows.)
  • -u : Display status of UDP Socket
  • -t : Display status of TCP Socket

Examples:

netstat -tlnp

Lists all listening ports together with the PID of the associated process
The PID will only be printed if you’re holding a root equivalent ID.

netstat -an | grep ESTABLISHED | awk '{print $5}' | awk -F: '{print $1}' | sort | uniq -c | awk '{ printf("%st%st",$2,$1) ; for (i = 0; i < $1; i++) {printf("*")}; print "" }'

Show an ASCII graph that count the number of establish connection on the various IP.

Output:

10.100.0.22 1 *
10.100.0.23 2 **
10.100.1.51 3 ***
120.116.18.134 1 *
87.11.50.125 4 ****

netstat -ant | awk '{print $NF}' | grep -v '[a-z]' | sort | uniq -c

Shpw the number of connections and their state, for example:

1 CLOSE_WAIT
11 ESTABLISHED
63 LISTEN
21 TIME_WAIT

mtr

mtr combines the functionality of the traceroute and ping programs in a single network diagnostic tool.

As mtr starts, it investigates the network connection between the host mtr runs on and HOSTNAME. by sending packets with purposly low TTLs. It continues to send packets with low TTL, noting the response time of the intervening routers. This allows mtr to print the response percentage and response times of the internet route to HOSTNAME. A sudden increase in packetloss or response time is often an indication of a bad (or simply overloaded) link.

basic syntax:

mtr google.com

Output:
mtr

mtr --report --report-cycles 10 www.google.com > google_net_report.txt

Use mtr to create a text file report

The report mode of mtr produces a text formated result of the mtr run using the number of ping cycles stated by the command. This text file could then be attached to an email with ease.

Popular Posts:

Flattr this!

 Leave a Reply

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

(required)

(required)

*