Linux networking
How Linux supports networking

- The networking subsystem adds connectivity to the kernel (which can be compiled without it).
- It implements some abstraction layers of the OSI model :
  - The kernel itself implements protocols for the transport and network layers (socket management and traffic routing).
  - The NIC driver implements protocols for the lower data link and physical layers.
  - The NIC driver runs in kernel space and interacts directly with the hardware.
  - On the other hand, protocols for the upper layers are implemented in dedicated programs (HTTP server, SSH server, etc.).
  - Those programs run in user space and do not have direct access to the hardware.
- The abstraction used for network communication in user space is the socket, which is associated with :
  - An IP address.
  - A transport layer protocol (TCP, UDP, etc.).
  - A port number.
- The networking subsystem allows the kernel to encapsulate and transmit user space application data over the network.
- Packet / datagram transmission and reception are thus transparent to user space applications, whether the protocol is stateful or stateless.
- The networking subsystem is also responsible for routing outgoing packets / datagrams.
- The route from the source host to the destination host usually spans multiple networks connected by gateways.
- A packet that is passed from one network to another performs what is called a network hop.
- Routing is usually done using IP forwarding : packets are directed to their respective next-hop addresses.
- In order to enable packet routing, the kernel maintains a dedicated structure called the routing table :
```console
# the routing table here contains next hop addresses for :
# outgoing traffic (default gateway)
# local network traffic (local subnet)
sudo route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         172.234.19.1    0.0.0.0         UG    0      0        0 eth0
172.234.19.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0
```

Note : the default gateway is used each time the routing table has no entry matching the destination.
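To make the lookup rule concrete, here is an added example (not from the original page) that simulates the kernel's route selection in POSIX sh over a table laid out like `route -n`. The first two rows are the page's own; the `10.20.x` rows and all destination addresses are constructed to show that the most specific Genmask wins and the default gateway is only a fallback.

```bash
#!/bin/sh
# Added example (not from the original page): simulate the kernel's route
# selection over a table laid out like `route -n` (Destination Gateway Genmask
# Flags Iface). Rows 1-2 are the page's; the 10.20.x rows are constructed to
# show that the most specific (longest) Genmask wins over the default route.
ROUTES='0.0.0.0 172.234.19.1 0.0.0.0 UG eth0
172.234.19.0 0.0.0.0 255.255.255.0 U eth0
10.20.0.0 0.0.0.0 255.255.0.0 U eth1
10.20.5.0 10.20.0.254 255.255.255.0 UG eth1'

# Dotted quad -> 32-bit integer, POSIX sh arithmetic only.
ip2int() {
  IFS=. read -r a b c d <<EOF
$1
EOF
  echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# Number of set bits in a netmask = prefix length (higher = more specific).
masklen() {
  m=$(ip2int "$1"); n=0
  while [ "$m" -ne 0 ]; do n=$(( n + (m & 1) )); m=$(( m >> 1 )); done
  echo "$n"
}

# route_lookup DST: print "on-link IFACE" or "via GATEWAY IFACE" for the row
# with the longest matching Genmask. Genmask 0.0.0.0 matches every address,
# so the default gateway (flags UG) is only chosen when no other row matches.
route_lookup() {
  dst=$(ip2int "$1"); best=-1; answer="no route"
  while read -r net gw mask flags dev; do
    n=$(ip2int "$net"); m=$(ip2int "$mask"); len=$(masklen "$mask")
    if [ $(( dst & m )) -eq "$n" ] && [ "$len" -gt "$best" ]; then
      best=$len
      # Gateway 0.0.0.0 means the destination is on the local subnet.
      if [ "$gw" = "0.0.0.0" ]; then answer="on-link $dev"; else answer="via $gw $dev"; fi
    fi
  done <<EOF
$ROUTES
EOF
  echo "$answer"
}

for d in 172.234.19.42 8.8.8.8 10.20.5.7 10.20.9.1; do
  echo "$d -> $(route_lookup "$d")"
done
```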
- Syntax : `ip [ OPTIONS ] OBJECT { COMMAND | help }`
- This command operates at the data link (ARP), network (IP) and transport (TCP) layers of the OSI model.
- It is used to interact with IP addresses, network devices, the routing table, etc.
- It comes as an all-in-one modern replacement for the `net-tools` package utilities (`ifconfig`, `netstat`, etc.).
- `sudo` is required when modifying any value in the networking subsystem.
```bash
# print information, state and statistics for local interfaces in JSON format
ip -j -p -s link show
# print information and state for local IPv4 addresses
ip -family inet -br address show
# print and format the tcp connections kernel cache (ip addresses, most recent first, add -r for name resolution)
ip -family inet -h -br tcp_metrics show | sed -r 's/^(.+)\sage\s([0-9\.]+)sec\s.*source\s(.+)$/\2s \3 \1/gm' | sort -n | column -t
# print and format the tcp connections kernel cache (sorted by dns names, resolution takes a lot of time on public servers ...)
ip -family inet -h -br -r tcp_metrics show | sed -r 's/^(.+)\sage\s([0-9\.]+)sec\s.*source\s(.+)$/\3 \1 \2s/gm' | sort | column -t
# reset the tcp connections kernel cache
sudo ip tcp_metrics flush all
# print the kernel routing table
ip route show
# same as the above with alternative and more explicit formatting
# one of the few examples where net-tools outperforms ip ...
sudo route -n -F
# print the kernel ARP cache
ip neigh show
```
- Syntax : `sudo ss [options] [ FILTER ]`
- This command displays statistics and information about sockets.
- IPC sockets are included by default in the output.
- `sudo` is required for displaying information about the processes accessing the socket.
```bash
# print all established / listening tcp connections + name resolution + process information
sudo ss -p -r --tcp state established
sudo ss -p -r --tcp state listening
# print statistics on system socket usage
ss -s
# list all established ssh connections
ss -at '( dport = :22 or sport = :22 )'
```
- Syntax : `mtr [options] DESTINATION_HOST`
- This command is an interesting alternative to `traceroute` :
  - Like `traceroute`, it outputs the address / hostname of each network hop between source and destination.
  - Additionally, it sends regular ICMP `ping` requests to each network hop to assess route reliability at each stage.
  - It is to be noted though that gateways that have a firewall blocking incoming ICMP traffic will not reply.
```bash
# use ipv4 only, show ip and hostname, show AS (autonomous system) country code
# print sent, received and dropped packets + average rtt for each network hop
mtr -4 -b -y 2 -o "S R D A" google.com
```
- Important : unauthorized port scanning of random targets may get you into trouble.
- Syntax : `nmap [Scan Type...] [Options] {target specification}`
- `nmap` (network mapper) is a powerful and versatile port scanner that can be used for a variety of purposes.
- It operates at the network layer level by sending raw IP packets.
- `sudo` is required for certain types of scanning methods, so it's best to always use it.
- When executed, `nmap` performs the following sequence of actions :
  - Host discovery : finds online hosts among the specified target(s) by performing customizable probes.
  - Port scanning : scans online hosts for open ports using the specified options.
  - Service detection : queries open ports to determine which services they are running (using nmap-service-probes).
  - OS detection : determines which OS the host is running with TCP/IP stack fingerprinting (using nmap-os-db).
  - Scan results output : most noticeably the list of port numbers, protocols, service names and states :

| port state | description |
| --- | --- |
| open | an application is listening for connections/packets |
| filtered | a firewall is blocking the port (can't tell if it is open/closed) |
| closed | no application is listening |
| unfiltered | responds to probes, but can't tell if it is open/closed |

- `nmap` use case samples :
```bash
# print the IP protocols supported by the local machine (IP protocol scan)
sudo nmap -sO localhost
# list the targets of a CIDR address range with reverse name resolution
# (list scan: no probes are sent to the targets, so no host discovery is performed)
sudo nmap -sL 192.168.1.0/24
# scan with OS detection, version detection, script scanning and traceroute
sudo nmap -A 192.168.1.10
# skip host discovery, scan the 50 most used TCP ports, list open ports only
# probe for services running behind open ports, specify probe level
# guess the OS the target is running, perform name resolution, verbose
sudo nmap \
  -Pn \
  -sS --top-ports 50 --open \
  -sV --version-intensity 5 \
  -O --osscan-guess \
  -R \
  -v \
  192.168.1.10
# perform name resolution against the latest 50 entries in the tcp connections kernel
# cache, useful for public servers where said cache contains thousands of entries ...
ip -family inet -h -br tcp_metrics show | \
  sed -r 's/^(.+)\sage\s([0-9\.]+)sec\s.*source\s(.+)$/\2 \1/gm' | \
  sort -n | \
  sed -r 's/^.+\s(.+)$/\1/gm' | \
  head -n 50 | \
  sudo nmap -sL -sn -iL /dev/stdin
# print information about the nmap scripts from the 'fuzzer' category
nmap --script-help=fuzzer
# list interfaces and routes
sudo nmap --iflist
# run all the default scripts against a target host
nmap -sC 192.168.1.10
```
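Once a scan has run, the states from the table above are what a defender sorts results by (e.g. to reconcile the open ports with the services that are supposed to be listening). The following added example (not from the original page or the nmap project) parses nmap's grepable output format (`-oG`) in POSIX sh + awk; the scan result is constructed inline, so no scan is executed.

```bash
#!/bin/sh
# Added example (not from the original page): parse nmap's grepable output
# (-oG) and sort ports by the states listed in the table above. The scan
# result below is constructed (no scan is run) and mimics the -oG line layout:
# "Host: IP ()<TAB>Ports: port/state/proto/owner/service/rpc/version/, ...".
SCAN=$(printf '%s\t%s\n' \
  'Host: 192.168.1.10 ()' 'Status: Up' \
  'Host: 192.168.1.10 ()' 'Ports: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/filtered/tcp//https///, 3306/closed/tcp//mysql///' \
  'Host: 192.168.1.20 ()' 'Ports: 22/open/tcp//ssh///, 8080/unfiltered/tcp//http-proxy///')

# One "IP PORT/PROTO STATE SERVICE" line per scanned port.
parse_gnmap() {
  printf '%s\n' "$SCAN" | awk -F'\t' '
    /^Host:/ {
      split($1, h, " "); ip = h[2]
      for (i = 2; i <= NF; i++) if ($i ~ /^Ports: /) {
        sub(/^Ports: /, "", $i)
        n = split($i, p, ", ")
        for (j = 1; j <= n; j++) {
          split(p[j], f, "/")          # port state proto owner service ...
          print ip, f[1] "/" f[3], f[2], f[5]
        }
      }
    }'
}

# Ports an application is actually listening on (state "open").
open_ports() { parse_gnmap | awk '$3 == "open" { print $1, $2, $4 }'; }

# Count per state; "filtered" means a firewall answered for the port, so a
# large filtered count says nothing about what is listening behind it.
state_counts() { parse_gnmap | awk '{ c[$3]++ } END { for (s in c) print s, c[s] }' | sort; }

echo "== open ports =="; open_ports
echo "== ports per state =="; state_counts
```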
- `nmap` also implements a scripting engine in order to further customize each step of the scan.
- Scripts are written in the Lua language and classified depending on their purpose.
- The publicly available scripts can be downloaded from a dedicated repository.