Linux networking overview

How linux supports networking


Networking overview

  1. Linux kernel networking subsystem

    • the networking subsystem adds connectivity capabilities to the kernel (which can be compiled without it)

    • it implements some of the abstraction layers of the OSI model :

      • the kernel itself implements protocols for the transport and network layers (socket management and traffic routing)
      • the NIC driver implements protocols for the lower data link and physical layers
      • the NIC driver runs in the kernel space and interacts directly with the hardware


    • on the other hand, the protocols for the upper layers are implemented in dedicated programs (http server, ssh server, etc ...)

    • those programs run in the user space and do not have direct access to the hardware

  2. Sockets (transport layer)

    • the abstraction used for network communication in the user space is the socket, which is associated with :
      • an IP address
      • a transport layer protocol (TCP, UDP etc)
      • a port number
    • the networking subsystem allows the kernel to encapsulate and transmit user space applications data over the network
    • as a result, packet / datagram transmission and reception are transparent to the user space applications, whether the protocol used is stateful or stateless
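
The two socket flavours described above, as an added example that is not part of the original notes: the same payload travels over a stateful TCP connection and over a stateless UDP exchange on the loopback interface, and in both cases the application only sees the bytes, not the segments or datagrams the kernel built. Addresses and ports are chosen at run time (port 0 lets the kernel pick a free one); nothing here is taken from a real deployment.

```python
"""Added example, not part of the original notes: a TCP and a UDP exchange over
the loopback interface, showing the socket tuple (address, protocol, port) and
that the kernel delivers the bytes transparently in both cases."""
import socket
import threading


def tcp_echo_roundtrip(payload: bytes) -> bytes:
    """Send payload over a stateful TCP connection on 127.0.0.1 and return what comes back.

    TCP is a byte stream: the kernel may split the payload into many segments,
    so both sides read until end-of-stream instead of assuming one recv() per send().
    """
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind(("127.0.0.1", 0))        # port 0: the kernel picks a free ephemeral port
    server.listen(1)
    port = server.getsockname()[1]       # the socket is now (127.0.0.1, TCP, port)

    def serve():
        conn, _peer = server.accept()
        with conn:
            received = b""
            while True:
                chunk = conn.recv(4096)
                if not chunk:            # client half-closed: whole stream received
                    break
                received += chunk
            conn.sendall(received)       # closing conn on exit signals EOF to the client

    worker = threading.Thread(target=serve)
    worker.start()
    with socket.create_connection(("127.0.0.1", port)) as client:
        client.sendall(payload)
        client.shutdown(socket.SHUT_WR)  # tell the server we are done sending
        echoed = b""
        while True:
            chunk = client.recv(4096)
            if not chunk:
                break
            echoed += chunk
    worker.join()
    server.close()
    return echoed


def udp_echo_roundtrip(payload: bytes) -> bytes:
    """Same exchange over stateless UDP: each sendto() is one self-contained datagram."""
    server = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    server.bind(("127.0.0.1", 0))
    server.settimeout(5)                      # never block the helper thread forever
    port = server.getsockname()[1]

    def serve():
        data, peer = server.recvfrom(65535)   # a datagram arrives whole, with the sender's address
        server.sendto(data, peer)             # no connection: the reply is addressed explicitly

    worker = threading.Thread(target=serve)
    worker.start()
    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    client.settimeout(5)                      # UDP gives no delivery guarantee, so never wait forever
    try:
        client.sendto(payload, ("127.0.0.1", port))
        echoed, _peer = client.recvfrom(65535)
    finally:
        client.close()
        worker.join()
        server.close()
    return echoed


if __name__ == "__main__":
    print(len(tcp_echo_roundtrip(b"A" * 200_000)), "bytes echoed over TCP")
    print(udp_echo_roundtrip(b"ping"), "echoed over UDP")
```

The TCP side deliberately sends far more than one segment's worth of data: reading until end-of-stream on both ends is what makes the transfer independent of how the kernel chose to segment it.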
  3. IP routing (network layer)

    • the networking subsystem is also responsible for the routing of outgoing packets / datagrams

    • the route from the source host to the destination host usually spans across multiple different networks connected by gateways

    • each time a packet is passed from one network to the next, it performs what is called a network hop

    • routing is usually done using IP forwarding : packets are directed to their respective next-hop addresses

    • in order to enable packet routing, the kernel maintains a dedicated structure called the routing table :

      # the routing table here contains next hop addresses for :
      # outgoing traffic (default gateway)
      # local network traffic (local subnet)
      $ sudo route -n
      Kernel IP routing table
      Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
      0.0.0.0         172.234.19.1    0.0.0.0         UG    0      0        0 eth0
      172.234.19.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0

      note : the default gateway is used each time the routing table has no information about the destination
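
To make the lookup rule concrete, here is an added example (not code from the original notes) that performs the kernel's longest-prefix match against a copy of the routing table printed above: the 0.0.0.0/0 entry matches every destination but is only chosen when no more specific route exists, which is exactly when the default gateway is used. The table values are transcribed from the `route -n` output; the function names are this example's own.

```python
"""Added example, not part of the original notes: longest-prefix route lookup
on a copy of the routing table shown above, to show when the default gateway
is chosen and when the destination is on the local subnet."""
import ipaddress

# Transcribed from the `route -n` output above: (destination, genmask, gateway, iface)
ROUTING_TABLE = [
    ("0.0.0.0",      "0.0.0.0",       "172.234.19.1", "eth0"),  # flags UG: default route via a gateway
    ("172.234.19.0", "255.255.255.0", "0.0.0.0",      "eth0"),  # flags U : directly reachable subnet
]


def prefix_length(genmask: str) -> int:
    """Convert a dotted netmask (255.255.255.0) into a prefix length (24)."""
    return bin(int(ipaddress.IPv4Address(genmask))).count("1")


def next_hop(destination: str, table=ROUTING_TABLE):
    """Return (next_hop_address, iface) for destination, or None when no route matches.

    The kernel picks the most specific matching route (longest prefix); the
    0.0.0.0/0 entry matches everything, so it only wins when nothing else does.
    """
    dst = ipaddress.IPv4Address(destination)
    best = None
    for dest_net, genmask, gateway, iface in table:
        network = ipaddress.IPv4Network(f"{dest_net}/{prefix_length(genmask)}")
        if dst in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, gateway, iface)
    if best is None:
        return None                      # the kernel would report "Network is unreachable"
    _network, gateway, iface = best
    # a gateway of 0.0.0.0 means on-link: the packet goes to the destination's own
    # MAC address (resolved with ARP) instead of to a router
    return (destination if gateway == "0.0.0.0" else gateway), iface


if __name__ == "__main__":
    for ip in ("172.234.19.42", "8.8.8.8"):
        print(ip, "->", next_hop(ip))
```

Running it shows 172.234.19.42 being handed straight to the link (the /24 entry wins) while 8.8.8.8 goes to 172.234.19.1, the default gateway.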

Network utilities and commands

✔️ ip

  • syntax : ip [ OPTIONS ] OBJECT { COMMAND | help }
  • this command operates at the data link (ARP), network (IP) and transport (TCP) layers of the OSI model
  • it is used to interact with ip addresses, network devices, routing table, etc ...
  • it comes as an all-in-one modern replacement for the net-tools package utilities (ifconfig, netstat ...)
  • sudo is required when modifying any value in the networking subsystem
# write information, state and statistics for local interfaces in JSON format
ip -j -p -s link show

# write information and state for local addresses
ip -family inet -br address show

# write and format tcp connections kernel cache (ip addresses, most recent first - add -r for name resolution)
ip -family inet -h -br tcp_metrics show | sed -r 's/^(.+)\sage\s([0-9\.]+)sec\s.*.*source\s(.+)$/\2s \3 \1/gm' | sort -n | column -t

# write and format tcp connections kernel cache (sorted by dns names - resolution takes a lot of time on public servers ...)
ip -family inet -h -br -r tcp_metrics show | sed -r 's/^(.+)\sage\s([0-9\.]+)sec\s.*.*source\s(.+)$/\3 \1 \2s/gm' | sort | column -t

# reset tcp connections kernel cache
sudo ip tcp_metrics flush all

# print kernel routing table
ip route show

# same as the above w/ alternative and more explicit formatting
# one of the few examples where net-tools outperforms ip ...
sudo route -n -F

# print kernel ARP cache
ip neigh show

✔️ ss

  • syntax : sudo ss [options] [ FILTER ]
  • this command displays statistics and information about sockets
  • IPC sockets are included by default in the output
  • sudo is required for displaying information about the processes accessing the socket
# print all listening/established tcp connections + name resolution + process information
sudo ss -p -r --tcp state established
sudo ss -p -r --tcp state listening

# prints statistics on system socket usage
ss -s

# display all tcp sockets involving port 22 (ssh), listening and established
ss -at '( dport = :22 or sport = :22 )'
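
A typical defensive use of this output is checking which services are reachable from every interface rather than only from loopback. The following is an added example, not code from the original notes: it parses text in the `ss -ltnp` layout and reports the listeners bound to a wildcard address. The sample output is constructed for the example (process names, pids and ports are made up).

```python
"""Added example, not part of the original notes: parse `ss -ltnp` output and
flag TCP listeners bound to every interface (0.0.0.0, [::], *), which is the
usual first question when reviewing a host's exposure."""
import re

# Constructed sample in the `ss -ltnp` layout (State Recv-Q Send-Q Local Peer Process)
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q   Local Address:Port    Peer Address:Port  Process
LISTEN  0       128      0.0.0.0:22            0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       511      127.0.0.1:6379        0.0.0.0:*          users:(("redis-server",pid=1420,fd=6))
LISTEN  0       128      [::]:22               [::]:*             users:(("sshd",pid=812,fd=4))
LISTEN  0       4096     *:3306                *:*                users:(("mysqld",pid=2201,fd=21))
LISTEN  0       128      [::1]:631             [::]:*             users:(("cupsd",pid=933,fd=7))
"""

WILDCARD_ADDRESSES = {"0.0.0.0", "*", "[::]", "::"}
PROCESS_RE = re.compile(r'\("([^"]+)",pid=(\d+)')


def parse_ss_listeners(output: str):
    """Yield (address, port, process_name, pid) for each LISTEN line."""
    for line in output.splitlines()[1:]:                 # skip the header row
        fields = line.split(maxsplit=5)
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        address, port = fields[3].rsplit(":", 1)         # rsplit: IPv6 addresses contain colons
        process = fields[5] if len(fields) > 5 else ""
        match = PROCESS_RE.search(process)               # the Process column is empty without sudo
        name, pid = (match.group(1), int(match.group(2))) if match else (None, None)
        yield address, int(port), name, pid


def exposed_listeners(output: str):
    """Return listeners bound to a wildcard address, i.e. reachable from any interface."""
    return [entry for entry in parse_ss_listeners(output) if entry[0] in WILDCARD_ADDRESSES]


if __name__ == "__main__":
    for address, port, name, pid in exposed_listeners(SAMPLE_SS_OUTPUT):
        print(f"{name} (pid {pid}) listens on {address}:{port}")
```

The loopback-only listeners (127.0.0.1 and [::1]) drop out of the exposed list, which is the distinction that matters when deciding what a firewall rule or a bind address change needs to cover.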

✔️ mtr

  • syntax : mtr [options] HOSTNAME
  • this command is an interesting alternative to traceroute :
    • like traceroute, it will output the address and/or hostname of each network hop between the source and the destination
    • additionally, it will send regular ICMP ping requests to each network hop so as to assess the reliability of the route at each stage
    • note though that gateways whose firewall blocks incoming ICMP traffic will not reply
# use ipv4 only, show ips and hostname, show AS (autonomous system) country code
# print sent, received and dropped packets + average rtt for each network hop
mtr -4 -b -y 2 -o "S R D A" google.com
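
Reading the per-hop loss column is where the ICMP caveat above bites: a router that drops or rate-limits ICMP shows loss at its own line while every later hop is fine, so that loss is not on the path. The following is an added example, not code from the original notes: it parses a constructed `mtr --report`-style table and labels each hop accordingly. Hostnames and numbers in the sample are made up.

```python
"""Added example, not part of the original notes: read an `mtr --report`-style
table and separate hop-local ICMP filtering or rate limiting from loss that
actually reaches the destination. The sample data is constructed."""
import re

SAMPLE_MTR_REPORT = """\
HOST: laptop                      Loss%   Snt   Last   Avg  Best  Wrst StDev
  1.|-- 192.168.1.1                0.0%    10    0.6   0.7   0.5   1.1   0.2
  2.|-- ???                       100.0    10    0.0   0.0   0.0   0.0   0.0
  3.|-- 203.0.113.9               40.0%    10   12.1  12.4  11.8  13.0   0.4
  4.|-- 198.51.100.20              0.0%    10   13.0  13.2  12.5  14.1   0.5
  5.|-- 203.0.113.77              30.0%    10   25.0  26.0  24.0  30.0   2.0
  6.|-- 203.0.113.100             30.0%    10   26.0  27.0  25.0  31.0   2.1
"""

# hop number, host (or ??? when nobody answered), loss, sent, last, avg ...
HOP_RE = re.compile(r"^\s*(\d+)\.\|--\s+(\S+)\s+([\d.]+)%?\s+(\d+)\s+([\d.]+)\s+([\d.]+)")


def parse_mtr_report(report: str):
    """Return a list of (hop_number, host, loss_percent, sent, avg_rtt_ms)."""
    hops = []
    for line in report.splitlines():
        m = HOP_RE.match(line)
        if m:
            hop, host, loss, sent, _last, avg = m.groups()
            hops.append((int(hop), host, float(loss), int(sent), float(avg)))
    return hops


def classify_hops(hops):
    """Label each hop's loss figure.

    Loss that is real on the path is also seen by every later hop, so a hop
    whose loss exceeds the destination's is not forwarding loss: that router
    is simply not answering probes (ICMP blocked or rate limited).
    """
    final_loss = hops[-1][2]
    labelled = []
    for hop, host, loss, _sent, _avg in hops:
        if host == "???" and loss >= 100.0:
            verdict = "no reply (ICMP blocked at this hop)"
        elif loss > final_loss:
            verdict = "hop-local (rate limited or filtered, not path loss)"
        elif loss > 0:
            verdict = "path loss (also seen at destination)"
        else:
            verdict = "ok"
        labelled.append((hop, host, loss, verdict))
    return labelled


if __name__ == "__main__":
    for hop, host, loss, verdict in classify_hops(parse_mtr_report(SAMPLE_MTR_REPORT)):
        print(f"{hop:2d} {host:16s} {loss:5.1f}%  {verdict}")
```

In the sample, hops 2 and 3 are noise (one silent, one rate limiting its replies), while the 30% starting at hop 5 and persisting to the destination is the loss actually worth investigating.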

✔️ nmap

  • important note : unauthorized port scanning of random targets may get you into trouble

  • syntax : nmap [Scan Type...] [Options] {target specification}

  • nmap (network mapper) is a powerful and versatile port scanner that can be used for a variety of purposes

  • it operates at the network layer level by sending raw IP packets

  • sudo is required for certain types of scanning methods (as a result it's best to always use it ...)

  • when executed, nmap performs the following sequence of actions :

    • host discovery : finds online hosts among the specified target(s) by performing customizable probes

    • port scanning : scans online hosts for open ports using the specified options

    • service detection : queries open ports to determine which services they are running (using nmap-service-probes)

    • os detection : determine which OS the host is running with TCP/IP stack fingerprinting (using nmap-os-db)

    • outputs scan results : most noticeably the list of port numbers, protocols, service names and states

      port state   description
      open         an application is listening for connections/packets
      filtered     a firewall is blocking the port (can't tell if it is open/closed)
      closed       no application is listening
      unfiltered   responds to probes, but can't tell if it is open/closed
  • nmap use cases samples :

# list the IP protocols supported by the local machine (IP protocol scan)
sudo nmap -sO localhost

# list scan : reverse name resolution only on a CIDR address range, no probes are sent
sudo nmap -sL 192.168.1.0/24

# scan with OS detection, version detection, script scanning and traceroute
sudo nmap -A 192.168.1.10

# skip host discovery, scan the 50 most used TCP ports, list open ports only
# probe for services running behind open ports, specify probe level
# guess the OS the target is running, perform name resolution, verbose
sudo nmap \
-Pn \
-sS --top-ports 50 --open \
-sV --version-intensity 5 \
-O --osscan-guess \
-R \
-v \
192.168.1.10

# performs name resolution against the latest 50 entries in the tcp connections kernel
# cache, useful for public servers where said cache contains thousands of entries ...
ip -family inet -h -br tcp_metrics show | \
sed -r 's/^(.+)\sage\s([0-9\.]+)sec\s.*.*source\s(.+)$/\2 \1/gm' | \
sort -n | \
sed -r 's/^.+\s(.+)$/\1/gm' | \
head -n 50 | \
sudo nmap -sL -sn -iL /dev/stdin

# prints information about nmap scripts from the 'fuzzer' category
nmap --script-help=fuzzer

# list interfaces and routes
sudo nmap --iflist

# runs all the default scripts against a target host
nmap -sC 192.168.1.10
  • nmap also implements a scripting engine in order to further customize each step of the scan
  • scripts are written in the lua language and classified depending on the actions they perform
  • the publicly available scripts can be downloaded from a dedicated repository
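
When scan results have to be compared over time (for instance to check that a host exposes exactly the ports its baseline says it should), the grepable output format (-oG) is the easiest to process. The following is an added example, not code from the original notes or from the nmap project: it summarises constructed -oG lines per host and per port state, using the state meanings from the table above. The hosts, ports and service versions in the sample are made up.

```python
"""Added example, not part of the original notes: summarise nmap grepable
output (-oG) per host and per port state, using the state meanings from the
port state table above. The sample output is constructed, not a real scan."""
from collections import defaultdict

PORT_STATE_MEANING = {
    "open": "an application is listening for connections/packets",
    "filtered": "a firewall is blocking the port (can't tell if it is open/closed)",
    "closed": "no application is listening",
    "unfiltered": "responds to probes, but can't tell if it is open/closed",
}

# Constructed -oG lines; each Ports: entry is "port/state/proto/owner/service/rpc/version/"
SAMPLE_GREPABLE = (
    "# Nmap scan (constructed sample) as: nmap -sS -sV -oG - 192.168.1.10 192.168.1.11\n"
    "Host: 192.168.1.10 ()\tStatus: Up\n"
    "Host: 192.168.1.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 80/open/tcp//http//nginx/, "
    "443/filtered/tcp//https///, 3306/closed/tcp//mysql///\tIgnored State: closed (996)\n"
    "Host: 192.168.1.11 ()\tStatus: Up\n"
    "Host: 192.168.1.11 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/\tIgnored State: filtered (999)\n"
    "# Nmap done (constructed sample)\n"
)


def parse_grepable(text: str):
    """Return {host: {state: [(port, proto, service)]}} from -oG output."""
    summary = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue                                   # comments and Status-only lines
        host = line.split()[1]
        for field in line.split("\t"):                 # -oG separates fields with tabs
            if not field.startswith("Ports:"):
                continue
            for entry in field[len("Ports:"):].split(","):
                parts = entry.strip().split("/")
                port, state, proto, _owner, service = parts[:5]
                summary[host][state].append((int(port), proto, service))
    return {host: dict(states) for host, states in summary.items()}


def open_ports(summary, host):
    """Port numbers reported open for host, in scan order (empty if unknown host)."""
    return [port for port, _proto, _service in summary.get(host, {}).get("open", [])]


def unexpected_open_ports(summary, host, baseline):
    """Open ports that are not in the host's allowed baseline set."""
    return sorted(set(open_ports(summary, host)) - set(baseline))


if __name__ == "__main__":
    result = parse_grepable(SAMPLE_GREPABLE)
    for host, states in result.items():
        for state, ports in states.items():
            print(host, state, ports, "->", PORT_STATE_MEANING[state])
    print("not in baseline:", unexpected_open_ports(result, "192.168.1.10", {22}))
```

The baseline comparison is the part worth automating: a port drifting from filtered to open between two scans is usually a firewall or service change that nobody recorded.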