

What are the specific Linux network commands?

2025-02-24 Update From: SLTechnology News&Howtos shulou NAV: SLTechnology News&Howtos > Servers >


Shulou(Shulou.com)06/01 Report--

This article introduces the Linux network commands that are actually useful day to day. The content is fairly detailed; interested readers can use it as a reference, and I hope it helps you.

Looking at the hundreds of commands in Kali Linux, I was lost in thought. There are so many specialised network commands that listing them all would run to thousands. I am not a penetration tester, and I only scratch the surface of most of them. So this article is a very simple technical summary, focusing only on the Linux commands commonly used in day-to-day work.

With the popularity of NIO, the C10K problem has become a thing of the past; now any server can support hundreds of thousands of connections. So let's work out how many resources one million connections require.

First of all, each connection is a file handle, so the system must support that many file descriptors. Each socket takes 15-20 KB of memory, so merely maintaining the sockets requires about 20 GB of memory, and broadcasting a single 1 KB message to all of them consumes 1000 MB of bandwidth!

View the connections of the current system

How do you see how many connections the current system has? You can use netstat together with awk. The following one-liner counts the number of TCP connections in each state:

# netstat -antp | awk '{a[$6]++} END {for (x in a) print x, a[x]}'
LISTEN 41
CLOSE_WAIT 24
ESTABLISHED 150
Foreign 1
TIME_WAIT 92

(The stray "Foreign 1" is the netstat header line, whose sixth column is the word "Foreign", being counted as if it were a state.)

But if you run this command on a server with tens of thousands of connections, you may wait a long time. So there is a second-generation tool for network statistics: netstat -> ss.

# ss -s
Total: 191 (kernel 220)
TCP:   5056 (estab 42, closed 5000, orphaned 3, synrecv 0, timewait 5000/0), ports 3469

netstat belongs to the net-tools package, while ss belongs to iproute2. The two command sets correspond directly, and it is time to say goodbye to net-tools.

The ss command

Basic use

Let's take a look at the use of ss in terms of usage scenarios.

View the TCP sockets the system is listening on

ss -ltr
ss -ltn    # numeric addresses and ports only, no name resolution

View all TCP connections in the system

ss -at

View the PID of the process listening on port 444

ss -ltp | grep ':444 '

See which ports are occupied by process 555

ss -ltp | grep 'pid=555,'

Show all UDP sockets

ss -u -a

To view TCP sockets, use the -ta option; UDP sockets, the -ua option; RAW sockets, the -wa option; UNIX domain sockets, the -xa option.

All connections to an IP

ss dst 10.66.224.130
ss dst 10.66.224.130:http
ss dst 10.66.224.130:smtp
ss dst 10.66.224.130:443

Show all HTTP connections

ss dport = :http

Check the top 10 IP addresses connecting to this machine

# $5 is the Foreign Address column of netstat -antp
# netstat -antp | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n -k1 -r | head -n 10

Recv-Q and Send-Q

Look at the output of ss, and let's explain Recv-Q and Send-Q.

These two values mean different things in the LISTEN and ESTAB states. In general, for a healthy application both values should be 0 (apart from the backlog shown for listening sockets). The larger the value, the more serious the problem.

LISTEN state

Recv-Q: the number of fully established connections that the application has not yet accept()ed; for example, Nginx being slow to accept new connections.

Send-Q: the listen backlog value.

ESTAB state

Recv-Q: the number of bytes in the kernel receive buffer that the application has not read yet, which means the application is blocked to some degree.

Send-Q: the number of bytes in the kernel send queue that the peer has not acknowledged yet, which means the peer is slow to receive and process data.
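The state count, the Recv-Q/Send-Q check and the top-peers list above can be put into reusable shell functions. This is an added example, not code from the original article; SAMPLE is a constructed stand-in for `ss -tan` output, and in real use you would pipe `ss -tan` into the functions instead.

```sh
#!/bin/sh
# Added example (not from the original article): summarise `ss -tan` output.
# SAMPLE is constructed to look like `ss -tan` output; in real use run
#   ss -tan | count_states      etc.
SAMPLE='State      Recv-Q Send-Q Local Address:Port   Peer Address:Port
LISTEN     0      128    0.0.0.0:80           0.0.0.0:*
LISTEN     5      128    0.0.0.0:8080         0.0.0.0:*
ESTAB      0      0      10.0.0.5:80          10.66.224.130:51234
ESTAB      65536  0      10.0.0.5:80          10.66.224.131:51235
ESTAB      0      0      10.0.0.5:80          10.66.224.130:51236
TIME-WAIT  0      0      10.0.0.5:80          10.66.224.132:51237
CLOSE-WAIT 0      0      10.0.0.5:8080        10.66.224.133:51238'

# Count sockets per state (same idea as the netstat | awk one-liner, but the
# header line is skipped so it does not show up as a bogus state).
count_states() {
    awk 'NR > 1 { n[$1]++ } END { for (s in n) print s, n[s] }' | sort
}

# state_count STATE  (reads ss output on stdin) -> prints the count for one state
state_count() {
    count_states | awk -v s="$1" '$1 == s { print $2 }'
}

# Print sockets whose queues suggest trouble:
#   LISTEN with Recv-Q > 0 -> completed connections the application has not accept()ed
#   ESTAB  with Recv-Q > 0 -> bytes the application has not read yet
flag_queues() {
    awk 'NR > 1 && ($1 == "LISTEN" || $1 == "ESTAB") && $2 > 0 {
            print $1, "recv-q=" $2, $4, $5
        }'
}

# Top N peer addresses by socket count (listening sockets excluded, port stripped).
top_peers() {
    n=${1:-10}
    awk 'NR > 1 && $1 != "LISTEN" { sub(/:[^:]*$/, "", $5); print $5 }' \
        | sort | uniq -c | sort -rn | head -n "$n"
}

# Demo run on the constructed sample
printf '%s\n' "$SAMPLE" | count_states
printf '%s\n' "$SAMPLE" | flag_queues
printf '%s\n' "$SAMPLE" | top_peers 10
```

On a busy box, `ss -tan | flag_queues` is a quick way to tell whether the problem is the local application not keeping up (ESTAB Recv-Q), the accept loop being stalled (LISTEN Recv-Q), or the peer (Send-Q), before reaching for tcpdump.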

View network traffic

View traffic

There are many tools for viewing network traffic, but I like sar best; sar is the most complete monitoring tool on Linux. As shown in the figure, network traffic can be refreshed every second with sar -n DEV 1.

watch cat /proc/net/dev

View the IP that accounts for the most traffic

Sometimes we find that network bandwidth usage is very high but cannot tell where the traffic is coming from. At this point iftop helps: as shown in the figure, it is easy to see which host the traffic comes from.

When you are not sure about the source of traffic on the private network, for example someone is running a load test or an API is being called unreasonably, you can track it down this way.

Packet capture

tcpdump

When we need to determine whether there is any traffic at all, or debug a tricky Netty application problem, capturing packets lets us look further. On Linux you can capture with the tcpdump command and then analyse the capture with Wireshark.

tcpdump -i eth0 -nn -s0 -v port 80

-i specifies the interface to capture on.

-n, as with ss, means do not resolve domain names.

-nn: the second n means ports are also shown as numbers rather than resolved to service names.

-s sets the snapshot length of each captured packet; 0 means no limit.

-v prints verbose output while capturing; -vv and -vvv are progressively more verbose.

1) Add the -A option to print packets in ASCII, or -X to print them in hex.

tcpdump -A -s0 port 80

2) Capture packets for a specific IP

tcpdump -i eth0 host 10.10.1.1
tcpdump -i eth0 dst 10.10.1.20

3) The -w parameter writes the captured packets to a file

tcpdump -i eth0 -s0 -w test.pcap

4) tcpdump supports filter expressions, and there are more complex examples, such as capturing GET and POST requests (non-HTTPS) on the system.

tcpdump -s 0 -v -n -l | egrep -i "POST / | GET / | Host:"

See more at

https://hackertarget.com/tcpdump-examples/

You can view the captured data with Wireshark.

HTTP packet capture

An HTTP capture tool acts as a proxy between your browser and the server, capturing the communication and providing functions for modifying, replaying and batch-executing requests. It is a sharp tool for finding problems, analysing protocols and attacking websites. The three commonly used ones are:

Burp Suite (cross-platform)

Fiddler2 (Windows)

Charles (Mac)

Traffic replication

You may need to reproduce real production HTTP traffic in a development or staging environment; this is what traffic replication tools are for.

There are three tools to choose from, and individuals prefer Gor.

Gor

TCPReplay

TCPCopy

Problems with too many connections

According to TCP/IP, a socket has about ten connection states. Apart from SYN-flood denial-of-service attacks, if something abnormal shows up in our work it is most likely a TIME_WAIT or CLOSE_WAIT problem.

TIME_WAIT can generally be resolved by tuning kernel parameters; CLOSE_WAIT is generally caused by faulty programming and deserves more attention from developers.

TIME_WAIT

TIME_WAIT is the state held by the party that actively closes the connection, such as nginx and crawler servers, where a large number of connections in the TIME_WAIT state is common. After actively closing a connection, TCP normally waits for 2MSL before the connection is fully torn down. Because HTTP runs over TCP, servers that open and close connections frequently accumulate a large backlog of connections in TIME_WAIT.

On some systems you can see the following messages in dmesg.

__ratelimit: 2170 callbacks suppressed
TCP: time wait bucket table overflow

From ss -s you can see that there are already 20,000 sockets in TIME-WAIT.

# ss -s
Total: 174 (kernel 1999)
TCP:   20047 (estab 32, closed 20000, orphaned 4, synrecv 0, timewait 20000/0), ports 10785

The sysctl command sets these parameters; add them to /etc/sysctl.conf if they should survive a reboot.

# raise the TIME-WAIT bucket limit
net.ipv4.tcp_max_tw_buckets = 50000
# allow TIME-WAIT sockets to be reused for new outgoing TCP connections
net.ipv4.tcp_tw_reuse = 1
# enable fast recycling of TIME-WAIT sockets. This must be turned on; it is off by default.
net.ipv4.tcp_tw_recycle = 1
# shorten the FIN timeout, which defaults to 60s
net.ipv4.tcp_fin_timeout = 10

To test a parameter you can use a command such as sysctl -w net.ipv4.tcp_tw_reuse=1. If it is written to a file, apply it with sysctl -p.
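A small pre-flight check for a fragment like the one above, added here as an example and not part of the original article. It refuses fragments that still contain net.ipv4.tcp_tw_recycle: that sysctl was removed in Linux 4.12, and on kernels that still have it, it makes the server drop SYNs from clients behind NAT (several clients share one source address but have unrelated TCP timestamps), so it is not safe on anything that serves NATed clients. It also checks that the remaining values are integers so that sysctl -p does not fail half way through. CONF is a constructed fragment mirroring the article's settings, and the file path /etc/sysctl.d/90-timewait.conf is an assumption.

```sh
#!/bin/sh
# Added example, not from the original article: check a sysctl fragment for the
# TIME-WAIT tunables before applying it with `sysctl -p`.
# CONF is a constructed sample mirroring the article's settings; in real use
# read the real file, e.g. CONF=$(cat /etc/sysctl.d/90-timewait.conf)  (assumed path).
CONF='# constructed sample, not a real system file
net.ipv4.tcp_max_tw_buckets = 50000
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_fin_timeout = 10'

# conf_get "<fragment>" key -> prints the value, or nothing if the key is absent
conf_get() {
    printf '%s\n' "$1" | awk -F'=' -v k="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # skip comments and blanks
        { gsub(/[[:space:]]/, "", $1); gsub(/[[:space:]]/, "", $2) }
        $1 == k { print $2 }'
}

# strip_key "<fragment>" key -> prints the fragment without that key
strip_key() {
    printf '%s\n' "$1" | awk -F'=' -v k="$2" '
        { key = $1; gsub(/[[:space:]]/, "", key) }
        key != k'
}

# audit_conf "<fragment>" -> returns 0 if safe to apply, 1 otherwise; prints findings
audit_conf() {
    rc=0
    # tcp_tw_recycle was removed in Linux 4.12; on older kernels it drops SYNs
    # from clients behind NAT, and on newer ones `sysctl -p` fails on the unknown key.
    if [ -n "$(conf_get "$1" net.ipv4.tcp_tw_recycle)" ]; then
        echo "WARN: net.ipv4.tcp_tw_recycle is set; drop it (removed in 4.12, breaks NAT clients)"
        rc=1
    fi
    # tcp_tw_reuse only helps the side that opens connections (clients, proxies);
    # it does nothing for TIME-WAIT left behind by a server's accepted sockets.
    for key in net.ipv4.tcp_max_tw_buckets net.ipv4.tcp_tw_reuse net.ipv4.tcp_fin_timeout; do
        v=$(conf_get "$1" "$key")
        case "$v" in
            ''|*[!0-9]*) echo "WARN: $key is missing or not an integer ('$v')"; rc=1 ;;
        esac
    done
    return "$rc"
}

# Apply only a fragment that passes the audit. Kept as a function so the
# privileged step is explicit; it is not executed when this file is run as-is.
apply_conf() {
    audit_conf "$1" || return 1
    printf '%s\n' "$1" > /etc/sysctl.d/90-timewait.conf   # assumed path
    sysctl -p /etc/sysctl.d/90-timewait.conf
}

# Demo: the article's fragment fails the audit; with tcp_tw_recycle removed it passes.
audit_conf "$CONF" || echo "fragment rejected"
CLEAN=$(strip_key "$CONF" net.ipv4.tcp_tw_recycle)
audit_conf "$CLEAN" && echo "cleaned fragment accepted"
```

Of the four settings, tcp_max_tw_buckets and tcp_fin_timeout are the ones that actually shrink a server-side TIME_WAIT backlog; when the limit is hit the kernel logs the "time wait bucket table overflow" message shown above and simply destroys the socket instead of keeping it in TIME_WAIT.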

CLOSE_WAIT

CLOSE_WAIT is usually caused by the peer actively closing the connection and our side failing to handle it correctly. Put bluntly, it is a bug in the program, and a fairly harmful one.

Let's take a typical case from a CSDN blog post.

The code in question was a usage snippet of HttpClient that cleaned up the connection resources by calling in.close(). Unfortunately, the code contained a check that returned null directly for responses with a non-200 status. On that path the in variable never even gets assigned, so of course it cannot be closed, and a connection leak occurs.

Therefore, the correct way to release an HttpClient request is to call its abort() API.
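Before looking for the leaking code path, it helps to know which process is accumulating CLOSE-WAIT sockets. The function below, added as an example and not taken from the article or the CSDN post, groups the CLOSE-WAIT rows of `ss -tanp` by owning program and PID. CW_SAMPLE is a constructed stand-in for that output; the process column of the real command requires root or ownership of the sockets.

```sh
#!/bin/sh
# Added example, not from the article: find which process holds CLOSE-WAIT sockets.
# CW_SAMPLE is constructed to resemble `ss -tanp` output; in real use run
#   ss -tanp | close_wait_by_pid
CW_SAMPLE='State      Recv-Q Send-Q Local Address:Port  Peer Address:Port  Process
CLOSE-WAIT 1      0      10.0.0.5:43210      10.0.0.9:443       users:(("java",pid=4242,fd=118))
CLOSE-WAIT 1      0      10.0.0.5:43212      10.0.0.9:443       users:(("java",pid=4242,fd=119))
CLOSE-WAIT 1      0      10.0.0.5:43214      10.0.0.9:443       users:(("java",pid=4242,fd=120))
ESTAB      0      0      10.0.0.5:43216      10.0.0.9:443       users:(("java",pid=4242,fd=121))
CLOSE-WAIT 0      0      10.0.0.5:50000      10.0.0.10:5432     users:(("python3",pid=777,fd=9))'

# Print "count program pid" for every process holding CLOSE-WAIT sockets, most
# affected first. Accepts both the ss spelling (CLOSE-WAIT) and netstat's (CLOSE_WAIT).
close_wait_by_pid() {
    awk '$1 == "CLOSE-WAIT" || $1 == "CLOSE_WAIT" {
            # users:(("java",pid=4242,fd=118)) -> "java 4242"
            if (match($0, /\("[^"]+",pid=[0-9]+/)) {
                s = substr($0, RSTART + 2, RLENGTH - 2)   # java",pid=4242
                sub(/",pid=/, " ", s)                      # java 4242
                n[s]++
            } else {
                n["(unknown) -"]++   # no process column: not root, or socket owned by someone else
            }
        }
        END { for (k in n) print n[k], k }' | sort -rn
}

# Demo run on the constructed sample
printf '%s\n' "$CW_SAMPLE" | close_wait_by_pid
```

A non-zero Recv-Q on a CLOSE-WAIT socket, as on the java rows above, is the usual signature of this bug: the peer's FIN (and often a response body) arrived, but the application never read or closed the socket, so the kernel cannot finish the close on its own.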

Other common commands

Application software

# download a file
wget -c $url
# mirror a whole site
wget -r -p -np -k $url
# send an HTTP request (commonly used)
curl -XGET $url
# transfer files
scp, sftp
# data mirroring and backup
rsync

Detection tools

# connectivity check
ping google.com
# route to the peer
tracepath google.com
# domain name lookup
dig google.com
nslookup google.com
# network scanner
nmap
# throughput test
iperf
# all-round monitoring tool (good stuff)
nmon

Configuration tools

# bring a network interface down
ifdown
# bring a network interface up
ifup
# multi-function NIC management tool
ethtool

Load testing

wrk, ab, webbench, http_load

Multi-function tools

# remote login
telnet, ssh, nc
# firewall
iptables -L

Apart from the basic tools, many of the network commands mentioned in this article are not pre-installed and need to be installed with yum.

That is all on the specific Linux network commands; I hope the above is of some help and that you can learn more from it. If you think the article is good, please share it so more people can see it.
