6. How to get insight into a network
Here we go beyond the network basics and learn how to use commands that automatically probe your local network.
New commands here are: “nmap”, “telnet host portnumber”, “host”, “ssh”
6.1. Before we start
Read the previous chapter on networking basics.
make sure you have the ssh daemon installed:
$ sudo apt-get install openssh-server
hook up to wired and try these things, then do the same with wireless
6.2. interfaces: the network devices our packets go through to get out
$ ifconfig: what network interfaces do we have?
(in some situations you might have to run “/sbin/ifconfig” if /sbin is not in your PATH variable). Here is a typical output, with some analysis:
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:57375 errors:0 dropped:0 overruns:0 frame:0
TX packets:57375 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:6169244 (5.8 MiB) TX bytes:6169244 (5.8 MiB)
“lo” is the loopback interface. It comes up with the ip address 127.0.0.1 (or sometimes something else with 127.). It is usually associated with the hostname “localhost” (which you can find in /etc/hosts). It is a “loopback” which means that if you do something like “ssh localhost” or “ssh 127.0.0.1” and log in to your machine. It will act as if it had gone across a network, but the bits just looped around in memory instead of going onto the ethernet or wifi.
You won’t use “lo” much, but things like testing ssh without a full network can be useful.
Then we have eth0 (or wlan0 or eth1 or wlan1 and so forth):
eth0 Link encap:Ethernet HWaddr 00:50:56:99:32:AC
inet addr:199.26.172.57 Bcast:199.26.172.255 Mask:255.255.255.0
inet6 addr: 2607:f678:1010::57/64 Scope:Global
inet6 addr: 2607:f678:1010:0:250:56ff:fe99:32ac/64 Scope:Global
inet6 addr: fe80::250:56ff:fe99:32ac/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:260178293 errors:0 dropped:0 overruns:0 frame:0
TX packets:159601748 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:94489408893 (88.0 GiB) TX bytes:109967564533 (102.4 GiB)
This is where you start to see what your network looks like. The first thing to look at the “inet addr”. In a typical home network it will be 10.x.x.x or 192.168.x.x. To better understand these “special ranges” you can look at the “Reserved IP addresses” article in wikipedia:
https://en.wikipedia.org/wiki/Reserved_IP_addresses
A lot of gadgets that offer a local private network (like an “access point” or a home DSL/cable-modem router) give out addresses of the 192.168.x.x or 10.x.x.x types.
At this time I ignore the “inet6 addr” field: I have not yet studied up on ipv6 addresses and for a bit longer the topic can be ignored.
If the “inet addr” field is not there for any ethX or wlanX interface then you have not been offered a dynamic IP address by a DHCP server.
This is usually a problem: the aforementioned home routers all have DHCP by default and something could be broken. But sometimes it just means that the network admin wants you to set up the interface by hand, possibly with a static ip address.
Once you see if you have a 10.x.x.x or 192.168.x.x address you can explore the various other things installed on that network. All the various hosts will have addresses that start with the same thing and look like your address.
6.3. routing: how to get from here to a remote host
$ route
if “route” is taking too long then you might have a problem resolving host names (problem with DNS). In that case interrupt it with control-C and run:
$ route -n
which will quickly return the way your network traffic is routed to the outside world. You can also use the route command to create special routes for some of your traffic.
The first thing to do is see where the “default” route (0.0.0.0) goes. The typical DHCP configuration will set all this up for you and it will look like this:
$ route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.0.1 0.0.0.0 UG 100 0 0 eth0
which means that all your outgoing traffic will go through 192.168.0.1 which (in a typical home situation) is the address of your DSL/cable modem modem.
You can read that output, in English, as: “default traffic is routed through device eth0 and is sent through gateway 192.168.0.1”.
Routing becomes especially interesting when you have a tunnel of some sort, like a VPN. There are several ways of configuring it, but often the VPN shows up as a new interface called “ppp0”, which you would notice by typing “ifconfig”. When you have a VPN tunnel the routing table might look like this:
$ route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.0.56 0.0.0.0 UG 100 0 0 ppp0
192.168.0.0 192.168.0.1 0.0.0.0 UG 100 0 0 eth0
192.168.0.57 192.168.0.1 0.0.0.0 UG 100 0 0 eth0
[FIXME: just made this up; must get from real VPN situation at home]
You can read this as: “Default traffic now goes through the ppp0 device (this is a “virtual” device) over to the other end of the tunnel, which then sends it out to the net. Local traffic to my private subnet 192.168.x.x will still go through the eth0 device.”
6.4. changing routes: choosing special routes to reach some hosts or nets
Let’s say that your VPN takes you into a remote network that has your same private subnet 192.168.x.x
This becomes “interesting”: if you want to get to 192.168.0.180 on the remote subnet, it won’t! It will go to 192.168.0.180 on your own subnet. This is unfortunate, but you can get around it by adding a special route for 192.168.0.180:
$ sudo route add -host 192.168.0.180 dev ppp0
Let’s also say that you are unhappy with all your traffic going through the ppp0 interface – it’s kind of slow, so you decide to route your traffic to youtube and netflix through eth0 so it goes straight through instead of hopping to the VPN server in between:
$ sudo route add -host youtube.com dev eth0
$ sudo route add -host netflix.com dev eth0
You could also reclaim all of your default traffic as going through eth0 and only use ppp0 for traffic into your company’s internal network:
$ sudo route add -net default dev eth0
Of course you should run “route” or “route -n” after each of these modifications so that you can see what happened.
6.5. traceroute: what gateways do you pass going from here to there?
Do you ever wonder where your packets hop between your computer and a google query? Try this:
$ traceroute --resolve-hostnames google.com
traceroute to google.com (142.250.72.46), 64 hops max
1 192.168.1.1 (_gateway) 1.623ms 1.071ms 1.350ms
2 100.92.207.66 (100.92.207.66) 10.993ms 11.768ms 11.244ms
3 96.216.21.185 (96.216.21.185) 9.811ms 12.140ms 11.907ms
4 162.151.13.129 (be-2-ar01.albuquerque.nm.albuq.comcast.net) 13.574ms 18.082ms 12.507ms
5 162.151.13.129 (be-2-ar01.albuquerque.nm.albuq.comcast.net) 11.996ms 11.389ms 10.800ms
6 96.110.44.29 (be-36841-cs04.1601milehigh.co.ibone.comcast.net) 20.337ms 23.803ms 19.478ms
7 96.110.44.25 (be-36831-cs03.1601milehigh.co.ibone.comcast.net) 20.549ms 20.737ms 21.852ms
8 50.248.118.30 (50.248.118.30) 20.104ms 23.102ms 19.036ms
9 50.248.118.30 (50.248.118.30) 29.428ms 19.661ms 21.525ms
10 172.253.75.177 (172.253.75.177) 21.970ms 21.151ms 21.952ms
11 209.85.142.171 (209.85.142.171) 21.089ms 21.041ms 22.310ms
12 142.250.72.46 (den16s08-in-f14.1e100.net) 21.356ms 19.599ms 20.845ms
This shows that from where I was logged in (web3.rdrop.com) the packets went through a variety of hops to then get from my host to the google search server. It also tells you the delay associated with each hop, measured in milliseconds.
Traceroute is wonderful when it works, but some network managers turn it off because it can give outsiders insight into their internal network, so sometimes it will not work.
6.6. ping: see if a host is alive
You can find out if a host is up and how fast the network is to it with “ping”:
$ ping google.com
PING google.com (142.250.72.14) 56(84) bytes of data.
64 bytes from den08s06-in-f14.1e100.net (142.250.72.14): icmp_seq=1 ttl=114 time=19.1 ms
64 bytes from den08s06-in-f14.1e100.net (142.250.72.14): icmp_seq=2 ttl=114 time=19.0 ms
64 bytes from den08s06-in-f14.1e100.net (142.250.72.14): icmp_seq=3 ttl=114 time=19.2 ms
64 bytes from den08s06-in-f14.1e100.net (142.250.72.14): icmp_seq=4 ttl=114 time=18.9 ms
[...]
Sometimes network managers turn off the ability to ping through their gateways.
6.7. nmap: what hosts are on this network? and what services do they offer?
nmap has many options and can do just about anything to scout out a network. Here I will show you how to answer the question:
“What hosts are on this network and what services are they offering?”
First note that a “service” is something like “outgoing mail” (smtp) or “email access” (imap) or “incoming logins” (ssh) or “web server” (http) or “remote desktop” (rdp, ms-term-serv).
Each service is associated with a port on the host that offers that service. The English language narrative is, for example: “to read your email with IMAP you connect to port 993 of host host 192.168.122.1”.
So here is one of the most basic nmap invocations which (thanks to the /24 on the command line) will search the range of hosts 192.168.122.0 to 192.168.122.255:
$ sudo nmap -sn 192.168.1.0/24
Starting Nmap 7.80 ( https://nmap.org ) at 2022-10-12 07:24 MDT
Nmap scan report for _gateway (192.168.1.1)
Host is up (0.00022s latency).
MAC Address: B0:95:75:45:A2:21 (Tp-link Technologies)
Nmap scan report for sarastro (192.168.1.174)
Host is up (0.00045s latency).
MAC Address: DC:4A:3E:98:23:5A (Hewlett Packard)
Nmap scan report for 192.168.1.206
Host is up (0.083s latency).
MAC Address: EE:91:79:EA:B7:36 (Unknown)
Nmap scan report for magicflute-wifi (192.168.1.220)
Host is up (0.081s latency).
MAC Address: D8:FC:93:81:B4:2E (Intel Corporate)
Nmap scan report for 192.168.1.234
Host is up (0.080s latency).
MAC Address: F8:5E:A0:8D:9E:B0 (Unknown)
Nmap scan report for dongiovanni (192.168.1.142)
Host is up.
Nmap scan report for dongiovanni (192.168.1.215)
Host is up.
Nmap done: 256 IP addresses (7 hosts up) scanned in 2.43 seconds
$ nmap 192.168.1.0/24
Starting Nmap 5.51 ( http://nmap.org ) at 2016-08-30 10:13 MDT
Nmap scan report for mozart (192.168.122.1)
Host is up (0.0036s latency).
Not shown: 994 closed ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
53/tcp open domain
143/tcp open imap
993/tcp open imaps
3389/tcp open ms-term-serv
Nmap scan report for c6b (192.168.122.33)
Host is up (0.0042s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
Nmap scan report for c6r (192.168.122.210)
Host is up (0.0033s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
Nmap done: 256 IP addresses (3 hosts up) scanned in 2.94 seconds
This is a mouthful but is easy to read. You see that 192.168.122.1 is offering (among others) ssh, SMTP, IMAP and RDP services on ports 22, 25, 993 and 3389 respectively.
6.8. nmap: a script to make a visual map
You can write a program to parse the output of nmap on a network and generate a visual map of the network.
Let us start with a simple version. Download the
map_network_utils.py program and try running it.
This program, when run on a typical home router, generates the file
netmap__192.168.0.1_24.svg shown in
Figure 6.8.1 First example of a graph generated from nmap’s output on a typical home router situation.
There is a great wealth of possibilities to make these graphs more attracive and more interesting. For example you can use nmap and pnscan to get more information and then study the graphviz gallery at https://graphviz.org/gallery/ to look for interesting visualization options. Please contact me if you would like to work on such a project.
A further exercise would be to write a program which dynamically scans the network at certain intervals, and uses a graphical interface to show the network topology.
6.9. pnscan: looking at open ports
$ sudo pnscan 192.168.1.211 1:90
192.168.1.211 : 22 : TXT : SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.1\r\n
192.168.1.211 : 25 : TXT : 220 magicflute.galassi.org ESMTP Postfix (Ubuntu)\r\n
192.168.1.211 : 25 : TXT : 220 magicflute.galassi.org ESMTP Postfix (Ubuntu)\r\n
192.168.1.211 : 22 : TXT : SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.1\r\n
$ sudo pnscan 192.168.1.0/24 1:90
192.168.1.1 : 22 : TXT : SSH-2.0-dropbear_2011.54\r\n
192.168.1.1 : 22 : TXT : SSH-2.0-dropbear_2011.54\r\n
192.168.1.134 : 22 : TXT : SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.1\r\n
192.168.1.174 : 22 : TXT : SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3\r\n
192.168.1.198 : 22 : TXT : SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.1\r\n
192.168.1.211 : 22 : TXT : SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.1\r\n
192.168.1.211 : 25 : TXT : 220 magicflute.galassi.org ESMTP Postfix (Ubuntu)\r\n
Now try it with more ports, like 1:1024
6.10. telnet: an ancient command with an interesting modern use
The original ARPAnet had three applications in the early 1970s: email, telnet (log in to a remote machine), and ftp (file transfer protocol).
telnet is no longer used to log in to hosts because it does not encrypt passwords or the data stream (use ssh instead), but it turns out to be very useful to understand and debug services. You can telnet into a specific port on a host and even try typing protocol strings at it:
$ telnet 192.168.122.1 imap ## or telnet 192.168.122.1 143
Trying 192.168.122.1...
Connected to 192.168.122.1.
Escape character is '^]'.
OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS LOGINDISABLED] Dovecot ready.
Note that one almost always uses the “imaps” port (993) because it encrypts passwords and text, but it is harder or impossible to type valid IMAP protocol strings when the server is expecting encrypted information!
$ telnet 192.168.122.1 imaps ## or telnet 192.168.122.1 993
Trying 192.168.122.1...
Connected to 192.168.122.1.
Escape character is '^]'.
This can be done for all the ports, but there will only be a few protocols with which you can have a meaningful conversation typing protocol strings at it. All in all it’s mostly a way of checking that those services are working well.
And for some fun: in the old days lots of servers were set up to
respond to a telnet command. Early weather servers, creative “ascii
art” animations, interactive games, … were available by running
telnet hostname.
Most of those are now gone or hard to access from most points, but
some are still around. The site telehack.com has collected
several of the classic telnet-served animations and games.
Try:
$ telnet telehack.com
You will be prompted with a list of games and animations. You can try
just typing pong, but for an amazing display try typing
starwars.
/~\
And don't let me catch |oo )
you following me _\=/_
begging for help. # / _ \ #
\\//|/.\|\\//
\/ \_/ \/
|\ /|
\_ _/
| | |
| | |
[]|[]
| | |
\____________________________________/_]_[_\______________________
6.11. host: the Domain Name System
We think of hosts on a network as having names, but the routing system
uses their ip address to get to them. The “domain name service” (DNS)
translates from name to ip address. This is also sometimes called
“resolving a name”. Each host has to know who offers it “name
service”. This is usually set up when you connect to DHCP. The file
/etc/resolv.conf gets created with information on what your name
servers are:
$ cat /etc/resolv.conf
search rdrop.com
nameserver 69.59.192.61
nameserver 69.59.192.62
This means that when you connect to “google.com”, the computer will ask host 69.59.192.61 what google.com’s IP address is, and then the connection can proceed.
Note that nowadays the /etc/resolv.conf file tends to look more
complicated: it is created dynamically when you connect to a network,
using information returned by your network’s router. But it should
still specify which nameservers your system is using.
There is a command called “host” which queries the nameserver and tells you what it found about a given hostname. Try the following:
$ host google.com
$ host gmail.com
$ host rdrop.com
$ host mit.edu
Note that this also tells you which host will handle email going to that domain: this is usually a dedicated machine. Email was an early internet service, so there is a special DNS record for that, called the “MX record” (MX stands for “mail exchange[r]”).
6.12. ssh: logging in to another computer
ssh is a candidate for “most amazing program ever written” in the small category. It allows you to log in to a remote host, encrypting all traffic. It also allows you to use the “agent” mechanism so that you don’t have to use a password every time. It then lets you tunnel connections to certain ports through the ssh connection, and there the fun gets out of hand. There is also a way of tunneling your web traffic through an ssh connection.
Here are some simple examples, keeping in mind that you need to log in to a host that is running the ssh service (port 22).
- $ telnet 192.168.122.1 22
verifies that someone is indeed listening on ssh’s port 22.
- $ ssh localhost
logs in to this host with the loopback interface
[FIXME: unfinished set of examples]