
What are the commonly used network sniffing tools in Linux

Updated 2025-02-24. From: SLTechnology News&Howtos (shulou), Development section.

Shulou (Shulou.com) 06/01 report

The editor shares here what the commonly used network sniffing tools in Linux are. Most people do not know much about them, so this article is offered for reference; I hope you learn a lot from it. Let's get to know them!

In a computer network, data is exposed because packet transmission cannot be hidden, so let's use whois, dig, nmcli, and nmap to sniff around the network.

Please be careful not to run nmap on a network that does not belong to you, as this may be considered a malicious attack by others.

Streamlined and detailed domain name information query

You may have noticed that the good old whois command we use to query domain name information no longer seems to provide the same level of detail as it did in the past. Here we use it to query the domain record of linux.com:

$ whois linux.com
Domain Name: LINUX.COM
Registry Domain ID: 4245540_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.namecheap.com
Registrar URL: http://www.namecheap.com
Updated Date: 2018-01-10T12:26:50Z
Creation Date: 1994-06-02T04:00:00Z
Registry Expiry Date: 2018-06-01T04:00:00Z
Registrar: NameCheap Inc.
Registrar IANA ID: 1068
Registrar Abuse Contact Email: abuse@namecheap.com
Registrar Abuse Contact Phone: +1.6613102107
Domain Status: ok https://icann.org/epp#ok
Name Server: NS5.DNSMADEEASY.COM
Name Server: NS6.DNSMADEEASY.COM
Name Server: NS7.DNSMADEEASY.COM
DNSSEC: unsigned
[...]

There are a lot of annoying legal statements. But where is the contact information? It is held on the registrar's WHOIS server, whois.namecheap.com (see the third line of the output above):

$ whois -h whois.namecheap.com linux.com

I won't copy it here because it's too long; it contains the contact information for the registrant and the administrative and technical contacts. What's going on, Lucille? Some registries, such as .com and .net, are thin (streamlined) registries that hold only limited domain name information. For the complete record, use the -h or --host option, which fetches it from the domain's registrar.

Most other top-level domains, such as .info, keep detailed registration information themselves. Try the whois blockchain.info command to see.

Want to get rid of those annoying legal statements? Use the -H option.

DNS resolution

Use the dig command to compare the query results returned by different domain name servers, to spot stale information. DNS records are cached all over the place, and different name servers have different refresh intervals. Here is a simple usage:

$ dig linux.com

; <<>> DiG 9.10.3-P4-Ubuntu <<>> linux.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- [...]
[...]
;; SERVER: 127.0.1.1#53(127.0.1.1)
;; WHEN: Tue Jan 16 15:17:04 PST 2018
;; MSG SIZE  rcvd: 102

Notice the line near the end, SERVER: 127.0.1.1#53(127.0.1.1): this is your default caching resolver. When the address is local, a DNS service is installed on your computer. In my case it is Dnsmasq (a small, convenient tool for configuring DNS and DHCP), which NetworkManager runs for network management:

$ ps ax | grep dnsmasq
2842 ?        S      0:00 /usr/sbin/dnsmasq --no-resolv --keep-in-foreground --no-hosts --bind-interfaces --pid-file=/var/run/NetworkManager/dnsmasq.pid --listen-address=127.0.1.1

By default, dig returns the A record, which maps the domain name to its IPv4 address. IPv6 addresses are held in AAAA records:

$ dig linux.com AAAA
[...]
;; ANSWER SECTION:
linux.com.              60      IN      AAAA    64:ff9b::9765:105
linux.com.              60      IN      AAAA    64:ff9b::9765:4105
linux.com.              60      IN      AAAA    64:ff9b::9765:8105
linux.com.              60      IN      AAAA    64:ff9b::9765:c105
[...]

On closer inspection, linux.com does have IPv6 addresses. Fine! If your Internet service supports IPv6, you can connect over IPv6. (Sadly, my mobile broadband does not provide IPv6.)

Suppose you have made DNS changes to your domain name, or the result dig returns looks wrong. Try a public DNS server, such as OpenNIC:

$ dig @69.195.152.204 linux.com
[...]
;; Query time: 231 msec
;; SERVER: 69.195.152.204#53(69.195.152.204)

dig now shows that the response to your query came from 69.195.152.204. You can query various servers this way and compare the results.
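The comparison described above, done automatically: the script below is an added example (not code from the original article) that extracts the ANSWER SECTION from dig's default output, so the answer sets of several resolvers can be compared for stale records. The resolver addresses in the usage comment are assumptions taken from this article; the function that runs dig needs network access.

```shell
#!/bin/sh
# Added example: compare the answers several resolvers give for the same name.

# Print the ANSWER SECTION of dig's default output as sorted "TYPE RDATA" lines,
# so two answer sets can be compared as plain strings.
answers_from_dig_output() {
    printf '%s\n' "$1" | awk '
        /^;; ANSWER SECTION:/ { in_ans = 1; next }   # section starts here
        /^;;/ || /^$/         { in_ans = 0 }         # next section or blank line ends it
        in_ans && $3 == "IN"  { print $4, $5 }       # fields: name ttl class type rdata
    ' | LC_ALL=C sort
}

# Return 0 when two answer sets are identical, 1 otherwise (and print both).
answer_sets_match() {
    if [ "$1" = "$2" ]; then
        return 0
    fi
    printf 'answer sets differ:\n--- first\n%s\n--- second\n%s\n' "$1" "$2"
    return 1
}

# Query every listed resolver for NAME/TYPE and report whether they all agree
# with the first one. Needs dig and network access, e.g.:
#   compare_resolvers linux.com A 127.0.1.1 69.195.152.204
compare_resolvers() {
    name=$1; type=$2; shift 2
    ref=$(answers_from_dig_output "$(dig "@$1" "$name" "$type")")
    status=0
    for server in "$@"; do
        got=$(answers_from_dig_output "$(dig "@$server" "$name" "$type")")
        if ! answer_sets_match "$ref" "$got" >/dev/null; then
            echo "$server disagrees with $1 for $name $type"
            status=1
        fi
    done
    [ "$status" -eq 0 ] && echo "all resolvers agree for $name $type"
    return "$status"
}
```

A resolver that disagrees with the others is usually serving a cached record that has not yet expired.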

Upstream domain name server

I want to know who my upstream domain name servers are. To find out, first take a look at /etc/resolv.conf:

$ cat /etc/resolv.conf
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 127.0.1.1

Okay, but I already knew that. Your Linux distribution may be configured differently, and you will see your upstream servers there. Next, let's try the NetworkManager command line tool nmcli:

$ nmcli dev show | grep DNS
IP4.DNS[1]:                             192.168.1.1

Good, now we know: it is in fact my mobile hotspot, and I can confirm that by logging in to its simple administration panel and looking up the upstream servers. However, many consumer Internet gateways do not let you see or change these settings, so then you can only try other methods.

Find the IPv4 address in your network

Which IPv4 addresses are up and in use on your network?

$ nmap -sn 192.168.1.0/24

Starting Nmap 7.01 ( https://nmap.org ) at 2018-01-14 14:03 PST
Nmap scan report for Mobile.Hotspot (192.168.1.1)
Host is up (0.011s latency).
Nmap scan report for studio (192.168.1.2)
Host is up (0.000071s latency).
Nmap scan report for nellybly (192.168.1.3)
Host is up (0.015s latency)
Nmap done: 256 IP addresses (2 hosts up) scanned in 2.23 seconds

Everyone wants to scan their local area network for open ports. The following example looks for services and their version numbers:

$ nmap -sV 192.168.1.1/24

Starting Nmap 7.01 ( https://nmap.org ) at 2018-01-14 16:46 PST
Nmap scan report for Mobile.Hotspot (192.168.1.1)
Host is up (0.0071s latency).
Not shown: 997 closed ports
PORT    STATE    SERVICE VERSION
22/tcp  filtered ssh
53/tcp  open     domain  dnsmasq 2.55
80/tcp  open     http    GoAhead WebServer 2.5.0
Nmap scan report for studio (192.168.1.102)
Host is up (0.000087s latency).
Not shown: 998 closed ports
PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
631/tcp open  ipp     CUPS 2.1
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 256 IP addresses (2 hosts up) scanned in 11.65 seconds

These are interesting results. Let's try the same scan from a different Internet connection to see whether these services are exposed to the Internet. If you have a smartphone, you have a second network: run a hotspot for your Linux computer, get the WAN IP address from the hotspot control panel, and try again:

$ nmap -sV 12.34.56.78

Starting Nmap 7.01 ( https://nmap.org ) at 2018-01-14 17:05 PST
Nmap scan report for 12.34.56.78
Host is up (0.0061s latency).
All 1000 scanned ports on 12.34.56.78 are closed

The result is exactly what I expected: these services and this information are not exposed on the public network. Consult the man pages of these commands to learn more interesting sniffing techniques.
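To make the LAN-versus-WAN comparison above repeatable, here is an added example (not from the original article) that turns the text output of nmap -sV into one line per open port and lists which ports seen open on the LAN also answer from the WAN side. The scan output fed to it in practice comes from your own two scans; the sample in the test is constructed.

```shell
#!/bin/sh
# Added example: summarise "nmap -sV" output and find ports exposed to the WAN.

# Parse nmap's normal output. "Nmap scan report for NAME (IP)" starts a host
# block; "PORT/PROTO STATE SERVICE VERSION" lines follow. Only open ports are
# kept, printed as "ip port/proto service version", sorted.
open_services() {
    printf '%s\n' "$1" | awk '
        /^Nmap scan report for / {
            host = $NF; gsub(/[()]/, "", host)   # IP is the last field, in parens if a name resolved
            next
        }
        /^[0-9]+\/(tcp|udp)[ \t]+open/ {
            line = host " " $1 " " $3
            for (i = 4; i <= NF; i++) line = line " " $i   # version string may contain spaces
            print line
        }
    ' | LC_ALL=C sort
}

# Ports open in the LAN scan that are also open in the WAN scan are exposed.
# Arguments: LAN scan output, WAN scan output. Prints one port/proto per line.
exposed_ports() {
    lan=$(open_services "$1" | awk '{ print $2 }' | LC_ALL=C sort -u)
    open_services "$2" | awk '{ print $2 }' | LC_ALL=C sort -u | while read -r port; do
        if printf '%s\n' "$lan" | grep -qxF -- "$port"; then
            echo "$port"
        fi
    done
}
```

An empty result from exposed_ports matches the "All 1000 scanned ports are closed" outcome in the article; any port it prints is one your gateway is forwarding to the public side.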

That is all for this article entitled "What are the commonly used network sniffing tools in Linux?" Thank you for reading! I hope the content shared here has helped you understand the topic.
