Unstructured Notes on TCP/IP Networking
OSI: a theoretical model of networking that describes how data packets are created and processed; it is the reference model used by TCP/IP. OSI stands for Open Systems Interconnection model.
Physical layer: the lowest layer; the NIC, RJ45 connectors and the physical medium.
Data link layer: the data packet is converted into bits; the MAC address resides here.
Network layer: moves data from one network to another; routing, logical addressing (IPv4, IPv6) and error handling.
Transport layer: TCP and UDP exist here and establish connectivity between two machines.
Session layer: establishes and terminates connections among computers and controls TCP/IP sessions.
Presentation layer: data formatting and description.
Application layer: the application uses the protocol to use the data.
Unicasting, multicasting, broadcasting: unicast goes from a single sender to a single receiver, multicast from one sender to a group of receivers, and broadcast from one sender to every host on the network segment.
DNS: Domain Name System. A name such as cybersecurity.com is converted to its IP address; this is done by the DNS server.
What is a firewall: hardware or software that allows or blocks traffic.
Packet-filtering firewall: allows only packets that match an established security rule, based on source and destination addresses, port numbers and protocols; it works at the network and transport layers.
Proxy firewall: works at the application level (HTTP, HTTPS, FTPS), filtering network traffic.
Stateful multilayer inspection firewall: inspects packets with network-layer, transport-layer and application-layer filtering.
VPN: a VPN server and a VPN client that together secure the connection to the internet. The user's system hands data to the VPN client, which sends it through the tunnel to the VPN server; the VPN server forwards it to the internet, and the response comes back to the VPN server, then through the tunnel to the VPN client, then to the user.
TCP/IP connects devices with the internet and defines how data should be transmitted over the internet by providing end-to-end communication; it works with the NIC and with the other protocols. Transmission Control Protocol creates a connection.
UDP: used for broadcasting; sends data without acknowledgment.
HTTP and HTTPS: Hypertext Transfer Protocol uses port 80; the secure version, HTTPS, uses port 443.
IP deals with routing. In the compressed TCP/IP model, the OSI network layer is the internet layer.
IPCONFIG (Windows) and IFCONFIG (Linux): internet protocol configuration; shows which network you are on, which gateway to use, and the subnet.
Loopback interface: used to check the NIC.
DHCP: Dynamic Host Configuration Protocol handles the distribution of IP addresses on a network. IP addresses assigned by the DHCP server are dynamic, meaning that they are leased and released dynamically. To explain it further: if you connect a PC to a network, it will get a leased IP address, and if you disconnect or move the PC, it will be assigned a different one.
ARP stands for Address Resolution Protocol; it is the way to translate an IP address to a machine address (MAC address), or the way to find out which machine has a given IP address. DHCP stands for Dynamic Host Configuration Protocol; it is the way to assign IP addresses dynamically rather than statically assigning them manually one by one.
FTP: File Transfer Protocol, ports 20 and 21; used for transferring large files.
SSH (port 22): Secure Shell creates a tunnel between devices for secure communication.
Subnet mask: dictates the size of a network.
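A worked example of what the mask dictates, added here and not part of the original notes: it converts between dotted masks and prefix lengths with plain bit operations and computes the network address, broadcast address and usable host count for the 192.168.1.254/24 and 10.1.0.0/24 networks that appear later on this page.

```python
ALL_ONES = 0xFFFFFFFF

def ip_to_int(ip):
    """'192.168.1.254' -> 32-bit integer."""
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {ip}")
    return int.from_bytes(bytes(octets), "big")

def int_to_ip(n):
    return ".".join(str(b) for b in n.to_bytes(4, "big"))

def prefix_to_int(prefix):
    """Prefix length -> mask as an integer: /24 -> 0xFFFFFF00."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"bad prefix length: {prefix}")
    return (ALL_ONES << (32 - prefix)) & ALL_ONES

def prefix_to_mask(prefix):
    return int_to_ip(prefix_to_int(prefix))        # /24 -> '255.255.255.0'

def mask_to_prefix(mask):
    """'255.255.255.0' -> 24; a mask whose one-bits are not contiguous is rejected."""
    bits = ip_to_int(mask)
    prefix = bin(bits).count("1")
    if bits != prefix_to_int(prefix):
        raise ValueError(f"{mask} is not a contiguous netmask")
    return prefix

def network_info(cidr):
    """(network address, broadcast address, usable hosts) for e.g. '192.168.1.254/24'."""
    ip, prefix = cidr.split("/")
    prefix = int(prefix)
    mask = prefix_to_int(prefix)
    network = ip_to_int(ip) & mask                 # host bits cleared
    broadcast = network | (~mask & ALL_ONES)       # host bits set
    # /31 and /32 have no separate network/broadcast address (point-to-point, single host)
    usable = 2 ** (32 - prefix) - 2 if prefix <= 30 else 2 ** (32 - prefix)
    return int_to_ip(network), int_to_ip(broadcast), usable

def same_network(ip_a, ip_b, prefix):
    """True when both addresses fall inside the same /prefix network."""
    mask = prefix_to_int(prefix)
    return (ip_to_int(ip_a) & mask) == (ip_to_int(ip_b) & mask)

if __name__ == "__main__":
    print(mask_to_prefix("255.255.255.0"), prefix_to_mask(24))
    print(network_info("192.168.1.254/24"))
    print(same_network("192.168.1.254", "10.10.1.4", 24))
```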
TRACERT: the command used to accomplish this test (tracing the route to a host); used to troubleshoot dead connections.
BGP: Border Gateway Protocol.
Uptime on a Cisco IOS switch/router: from the CLI over SSH/Telnet.
Ports are a transport layer (layer 4) concept. Only a transport protocol such as the Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) can indicate which port a packet should go to. TCP and UDP headers have a section for indicating port numbers.
- Ports 20 and 21: File Transfer Protocol (FTP). FTP is for transferring files between a client and a server.
- Port 22: Secure Shell (SSH). SSH is one of many tunneling protocols that create secure network connections.
- Port 25: Simple Mail Transfer Protocol (SMTP). SMTP is used for email.
- Port 53: Domain Name System (DNS). DNS is an essential process for the modern Internet; it matches human-readable domain names to machine-readable IP addresses, enabling users to load websites and applications without memorizing a long list of IP addresses.
- Port 80: Hypertext Transfer Protocol (HTTP). HTTP is the protocol that makes the World Wide Web possible.
- Port 123: Network Time Protocol (NTP). NTP allows computer clocks to sync with each other, a process that is essential for encryption.
- Port 179: Border Gateway Protocol (BGP). BGP is essential for establishing efficient routes between the large networks that make up the Internet (these large networks are called autonomous systems). Autonomous systems use BGP to broadcast which IP addresses they control.
- Port 443: HTTP Secure (HTTPS). HTTPS is the secure and encrypted version of HTTP. All HTTPS web traffic goes to port 443. Network services that use HTTPS for encryption, such as DNS over HTTPS, also connect at this port.
- Port 500: Internet Security Association and Key Management Protocol (ISAKMP), which is part of the process of setting up secure IPsec connections.
- Port 3389: Remote Desktop Protocol (RDP). RDP enables users to remotely connect to their desktop computers from another device.
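An added illustration of the point that only a TCP or UDP header carries port numbers (example code, not from the page): the parser below reads the IPv4 protocol field, pulls the source and destination ports from the first four bytes of the transport header when the payload is TCP or UDP, and reports no port for ICMP. The packets and addresses are constructed in the block; the service names come from the list above.

```python
import struct

ICMP, TCP, UDP = 1, 6, 17
# Service names for the well-known ports listed above
WELL_KNOWN = {20: "FTP-data", 21: "FTP", 22: "SSH", 25: "SMTP", 53: "DNS", 80: "HTTP",
              123: "NTP", 179: "BGP", 443: "HTTPS", 500: "ISAKMP", 3389: "RDP"}

def transport_ports(packet):
    """(protocol number, src port, dst port) for an IPv4 packet; ports are None unless TCP/UDP."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4          # IP header length in bytes, options included
    proto = packet[9]                      # protocol field: 1 = ICMP, 6 = TCP, 17 = UDP
    if proto not in (TCP, UDP):
        return proto, None, None           # ICMP and others have no port fields
    if len(packet) < ihl + 4:
        raise ValueError("truncated transport header")
    # Both TCP and UDP headers begin with 16-bit source port, 16-bit destination port
    src_port, dst_port = struct.unpack("!HH", packet[ihl:ihl + 4])
    return proto, src_port, dst_port

def describe(packet):
    proto, src, dst = transport_ports(packet)
    if src is None:
        return f"protocol {proto}: no port (not TCP/UDP)"
    name = WELL_KNOWN.get(dst) or WELL_KNOWN.get(src) or "unknown"
    return f"{'TCP' if proto == TCP else 'UDP'} {src} -> {dst} ({name})"

def build_ipv4(proto, payload, src="10.1.0.7", dst="8.8.8.8"):
    """Constructed minimal IPv4 header (no options, checksum left zero) in front of payload."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                         bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return header + payload

# Constructed sample packets (not captures from the page)
DNS_QUERY = build_ipv4(UDP, struct.pack("!HHHH", 40123, 53, 8 + 12, 0) + bytes(12))
HTTPS_SYN = build_ipv4(TCP, struct.pack("!HHIIBBHHH", 51000, 443, 1, 0, 5 << 4, 0x02, 65535, 0, 0))
PING = build_ipv4(ICMP, struct.pack("!BBHHH", 8, 0, 0, 42, 1) + bytes(56))

if __name__ == "__main__":
    for pkt in (DNS_QUERY, HTTPS_SYN, PING):
        print(describe(pkt))
```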
ip
The ip command is one of the basic commands every administrator will need in daily work, from setting up new systems and assigning IPs to troubleshooting existing systems. The ip command can show address information, manipulate routing, and display the various network devices, interfaces, and tunnels.
The syntax is as follows:
ip <OPTIONS> <OBJECT> <COMMAND>
The OBJECT is the most important part of the synopsis, and the following are supported (some omitted for brevity):
- address - protocol (IPv4 or IPv6) address on a device.
- tunnel - tunnel over IP
- route - routing table entry
- rule - rule in routing policy database
- vrf - manage virtual routing and forwarding devices
- xfrm - manage IPSec policies
Here are some common use cases for the ip command.
To show the IP addresses assigned to an interface on your server:
[root@server ~]# ip address show
To assign an IP to an interface, for example, enps03:
[root@server ~]# ip address add 192.168.1.254/24 dev enps03
To delete an IP on an interface:
[root@server ~]# ip address del 192.168.1.254/24 dev enps03
Alter the status of the interface by bringing the interface eth0 online:
[root@server ~]# ip link set eth0 up
Alter the status of the interface by bringing the interface eth0 offline:
[root@server ~]# ip link set eth0 down
Alter the status of the interface by changing the MTU of eth0:
[root@server ~]# ip link set eth0 mtu 9000
Alter the status of the interface by enabling promiscuous mode for eth0:
[root@server ~]# ip link set eth0 promisc on
Add a default route (for all addresses) via the local gateway 192.168.1.254 that can be reached on device eth0:
[root@server ~]# ip route add default via 192.168.1.254 dev eth0
Add a route to 192.168.1.0/24 via the gateway at 192.168.1.254:
[root@server ~]# ip route add 192.168.1.0/24 via 192.168.1.254
Add a route to 192.168.1.0/24 that can be reached on device eth0:
[root@server ~]# ip route add 192.168.1.0/24 dev eth0
Delete the route for 192.168.1.0/24 via the gateway at 192.168.1.254:
[root@server ~]# ip route delete 192.168.1.0/24 via 192.168.1.254
Display the route taken for IP 10.10.1.4:
[root@server ~]# ip route get 10.10.1.4
ifconfig
The ifconfig command was, and still is, a staple in many sysadmins' tool belts for configuring and troubleshooting networks. It has since been replaced by the ip command discussed above. If you would like more information on it, see the previously published article on ifconfig.
mtr
MTR (Matt's traceroute) is a program with a command-line interface that serves as a network diagnostic and troubleshooting tool. It combines the functionality of the ping and traceroute commands. Just like traceroute, the mtr command shows the route from a computer to a specified host; in addition, mtr provides statistics about each hop, such as response time and packet loss percentage. With the mtr command, you get more information about the route and can see problematic devices along the way. A sudden increase in response time or packet loss at one hop points to a bad link there.
The syntax of the command is as follows:
mtr <options> hostname/IP
Let's look at some common use cases.
The basic mtr command shows you the statistics, including each hop (hostnames) with time and loss%:
[root@server ~]# mtr google.com
Show numeric IP addresses (with -n, mtr prints IP addresses instead of resolving hostnames):
[root@server ~]# mtr -n google.com
Show the numeric IP addresses and hostnames, too:
[root@server ~]# mtr -b google.com
Set the number of pings that you want to send:
[root@server ~]# mtr -c 10 google.com
Get a report of the mtr command result:
[root@server ~]# mtr -r -c 10 google.com > mtr-command-google-output
or:
[root@server ~]# mtr -rw -c 10 google.com > mtr-command-google-output
Force the use of the TCP instead of the ICMP:
[root@server ~]# mtr --tcp google.com
Force the use of the UDP instead of the ICMP:
[root@server ~]# mtr --udp google.com
Set the maximum amount of hops:
[root@server ~]# mtr -m 35 216.58.223.78
Define the packet size:
[root@server ~]# mtr -r -s 50 google.com
Print to CSV output:
[root@server ~]# mtr –csv google.com
Print to XML output:
[root@server ~]# mtr –xml google.com
tcpdump
The tcpdump command is designed for capturing and displaying packets.
You can install tcpdump with the command below:
[root@server ~]# dnf install -y tcpdump
Before starting any capture, you need to know which interfaces tcpdump can use. You will need to use sudo or have root access in this case.
[root@server ~]# tcpdump -D
1 eth0
2 nflog
3 nfqueue
4 usbmon1
5 any
6 lo (Loopback)
If you want to capture traffic on eth0, you can initiate that with tcpdump -i eth0:
[root@server ~]# tcpdump -i eth0
To stop after a fixed number of packets (here 10), add -c:
[root@server ~]# tcpdump -i eth0 -c 10
Capture traffic to and from one host
You can filter out traffic coming from a specific host. For example, to find traffic coming from and going to 8.8.8.8, use the command:
[root@server ~]# tcpdump -i eth0 -c 10 host 8.8.8.8
For traffic coming from 8.8.8.8, use:
[root@server ~]# tcpdump -i eth0 src host 8.8.8.8
For outbound traffic going to 8.8.8.8, use:
[root@server ~]# tcpdump -i eth0 dst host 8.8.8.8
Capture traffic to and from a network
You can also capture traffic to and from a specific network using the command below:
[root@server ~]# tcpdump -i eth0 net 10.1.0.0 mask 255.255.255.0
or:
[root@server ~]# tcpdump -i eth0 net 10.1.0.0/24
You can also filter based on either source or destination.
Based on the source (traffic coming from):
[root@server ~]# tcpdump -i eth0 src net 10.1.0.0/24
Based on the destination (traffic going to):
[root@server ~]# tcpdump -i eth0 dst net 10.1.0.0/24
Capture traffic to and from port numbers
Capture only DNS port 53 traffic:
[root@server ~]# tcpdump -i eth0 port 53
For a specific host,
[root@server ~]# tcpdump -i eth0 host 8.8.8.8 and port 53
To capture only HTTPS traffic,
[root@server ~]# tcpdump -i eth0 -c 10 host www.google.com and port 443
To capture all ports except ports 80 and 25,
[root@server ~]# tcpdump -i eth0 port not 80 and not 25
netstat
The netstat tool prints network connections, routing tables, interface statistics, masquerade connections, and multicast memberships. This utility is part of the net-tools package, as is ifconfig. In the newer iproute2 package, the ss tool is used to achieve the same objectives.
If netstat is not found on your system, install it with this command:
[root@server ~]# dnf install net-tools
The primary usage of netstat is without any parameters:
[root@server ~]# netstat
For advanced usage, expand the netstat command with options:
netstat <options>
Or list the options one by one:
netstat <option 1> <option 2> <option 3>
To list all ports and connections regardless of their state or protocol, use:
[root@server ~]# netstat -a
List all TCP ports by running:
[root@server ~]# netstat -at
List all UDP ports with:
[root@server ~]# netstat -au
To return a list of only listening ports for all protocols, use:
[root@server ~]# netstat -l
List all listening TCP ports with:
[root@server ~]# netstat -lt
Return only listening UDP ports by running:
[root@server ~]# netstat -lu
To list UNIX listening ports, use:
[root@server ~]# netstat -lx
Display statistics for all ports regardless of the protocol with:
[root@server ~]# netstat -s
List statistics for TCP ports only with:
[root@server ~]# netstat -st
To view the TCP connections with the PID/Program name listed, use:
[root@server ~]# netstat -tp
To find a process that is using a particular port number, run:
[root@server ~]# netstat -an | grep ':<port number>'
nslookup
Use the nslookup utility to query Internet name servers interactively. Use it to perform DNS queries and receive domain names or IP addresses, or any other specific DNS records.
Consider the following common examples.
To find the A record of a domain:
[root@server ~]# nslookup example.com
To check the NS records of a domain:
[root@server ~]# nslookup -type=ns example.com
To find the MX records responsible for the email exchange:
[root@server ~]# nslookup -query=mx example.com
To find all of the available DNS records of a domain:
[root@server ~]# nslookup -type=any example.com
To check the use of a specific DNS server (in this case, query using the specific nameserver ns1.nsexample.com):
[root@server ~]# nslookup example.com ns1.nsexample.com
Checking DNS A records to see the IPs of a domain is a common practice, but sometimes you need to verify if an IP address is related to a specific domain. For that purpose, you need a reverse DNS lookup.
[root@server ~]# nslookup 10.20.30.40
ping
Ping is a tool that verifies IP-level connectivity to another TCP/IP computer by sending Internet Control Message Protocol (ICMP) Echo Request messages. The receipt of corresponding Echo Reply messages is displayed, along with round-trip times. Ping is the primary TCP/IP command used to troubleshoot connectivity, reachability, and name resolution.
Simple ping commands take only one parameter: the hostname or the host IP address that you want to verify. A simple ping example looks like this:
[root@server ~]# ping google.com
PING google.com (216.58.206.174) 56(84) bytes of data.
64 bytes from sof02s27-in-f14.1e100.net (216.58.206.174): icmp_seq=1 ttl=56 time=10.7 ms
64 bytes from sof02s27-in-f14.1e100.net (216.58.206.174): icmp_seq=2 ttl=56 time=10.2 ms
64 bytes from sof02s27-in-f14.1e100.net (216.58.206.174): icmp_seq=3 ttl=56 time=10.4 ms
64 bytes from sof02s27-in-f14.1e100.net (216.58.206.174): icmp_seq=4 ttl=56 time=10.4 ms
64 bytes from sof02s27-in-f14.1e100.net (216.58.206.174): icmp_seq=5 ttl=56 time=17.3 ms
^C
--- google.com ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4005ms
rtt min/avg/max/mdev = 10.219/11.844/17.381/2.773 ms
You need to stop the ping command by pressing CTRL+C. Otherwise, it will ping until you stop it. After every ping command, it will display a summary report with the following information:
- Min: Minimum time that it takes to get a response from the host that has been pinged from your end.
- Avg: Average time that it takes to get a response from the host that has been pinged from your end.
- Max: Maximum time that it takes to get a response from the host that has been pinged from your end.
Also, you will see TTL, which stands for Time To Live. Ping uses a numerical TTL value to attempt to reach a given host computer via the route path. This is also known as the hop limit.
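The summary report recomputed from the individual reply lines, as an added example (not code from the page): it parses the page's own ping output above, recomputes min/avg/max/mdev and packet loss, lists any missing icmp_seq numbers, and estimates the hop count from the TTL on the assumption that the replying host started its TTL at 64 (an assumption; other systems use different initial values).

```python
import math
import re

# Reply lines and summary copied from the page's `ping google.com` run above.
PING_OUTPUT = """\
PING google.com (216.58.206.174) 56(84) bytes of data.
64 bytes from sof02s27-in-f14.1e100.net (216.58.206.174): icmp_seq=1 ttl=56 time=10.7 ms
64 bytes from sof02s27-in-f14.1e100.net (216.58.206.174): icmp_seq=2 ttl=56 time=10.2 ms
64 bytes from sof02s27-in-f14.1e100.net (216.58.206.174): icmp_seq=3 ttl=56 time=10.4 ms
64 bytes from sof02s27-in-f14.1e100.net (216.58.206.174): icmp_seq=4 ttl=56 time=10.4 ms
64 bytes from sof02s27-in-f14.1e100.net (216.58.206.174): icmp_seq=5 ttl=56 time=17.3 ms
--- google.com ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4005ms
rtt min/avg/max/mdev = 10.219/11.844/17.381/2.773 ms
"""

REPLY = re.compile(r"icmp_seq=(\d+) ttl=(\d+) time=([\d.]+) ms")
SENT = re.compile(r"(\d+) packets transmitted, (\d+) received")

def parse_replies(output):
    """(icmp_seq, ttl, rtt_ms) for every Echo Reply line."""
    return [(int(s), int(t), float(r)) for s, t, r in REPLY.findall(output)]

def summarize(output):
    """Recompute the statistics ping prints after CTRL+C from the individual replies."""
    replies = parse_replies(output)
    transmitted = int(SENT.search(output).group(1))
    rtts = [r for _, _, r in replies]
    n = len(rtts)
    if n == 0:                                     # nothing came back: 100% loss, no rtt stats
        return {"transmitted": transmitted, "received": 0, "loss_pct": 100.0}
    avg = sum(rtts) / n
    # mdev is the population standard deviation of the round-trip times
    mdev = math.sqrt(sum(r * r for r in rtts) / n - avg * avg)
    return {
        "transmitted": transmitted,
        "received": n,
        "loss_pct": 100.0 * (transmitted - n) / transmitted,
        "min": min(rtts), "avg": avg, "max": max(rtts), "mdev": mdev,
        "missing_seq": sorted(set(range(1, transmitted + 1)) - {s for s, _, _ in replies}),
        "ttl": replies[0][1],
    }

def estimated_hops(ttl, initial_ttl=64):
    """Hops traversed, assuming the replying host started at TTL 64 (Linux default; an assumption)."""
    return initial_ttl - ttl

if __name__ == "__main__":
    s = summarize(PING_OUTPUT)
    print(f"{s['received']}/{s['transmitted']} received, {s['loss_pct']:.0f}% loss")
    print(f"rtt min/avg/max/mdev = {s['min']:.3f}/{s['avg']:.3f}/{s['max']:.3f}/{s['mdev']:.3f} ms")
    print(f"ttl={s['ttl']} -> about {estimated_hops(s['ttl'])} hops away")
```

The recomputed avg and mdev land within a few hundredths of the printed 11.844/2.773 because the reply lines show times rounded to one decimal while ping keeps microsecond precision internally.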
Normally, when you run a simple ping command without passing any additional parameters, Linux will ping that host for an infinite amount of time. If you want to ping a host ten times, use the following command:
[root@server ~]# ping -c 10 google.com
Use option -q to view only the ping statistics summary:
[root@server ~]# ping -q -c 10 google.com
On systems with multiple interfaces, you can specify the interface for the ping command to use. If the system has both eth0 and eth1 and you want to ping using eth0:
[root@server ~]# ping -I eth0 google.com
Or use the address on the interface, assuming the interface has 10.233.201.45 as its IP:
[root@server ~]# ping -I 10.233.201.45 google.com
You can also ping and specify the IP version as either v4 or v6:
[root@server ~]# ping -4 google.com
[root@server ~]# ping -6 google.com
What is an ICMP Flood DDoS Attack?
An Internet Control Message Protocol (ICMP) flood DDoS attack, also known as a Ping flood attack, is a common Denial-of-Service (DoS) attack in which an attacker attempts to overwhelm a targeted device with ICMP echo-requests (pings). Normally, ICMP echo-request and echo-reply messages are used to ping a network device in order to diagnose the health and connectivity of the device and the connection between the sender and the device. By flooding the target with request packets, the network is forced to respond with an equal number of reply packets. This causes the target to become inaccessible to normal traffic.
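From the defender's side, the flood described above shows up in a capture as one source sending echo requests far faster than a normal ping. The example below is added here (not from the page) and assumes the line format that `tcpdump -i eth0 icmp` prints; the capture is constructed inside the block, with one normal ping and one hypothetical flooding source, and the 100 requests/second threshold is an assumption to tune for your network.

```python
import re
from collections import defaultdict

# Regex for the ICMP lines tcpdump prints: timestamp, source, destination, request/reply.
ICMP_LINE = re.compile(
    r"^(?P<hh>\d\d):(?P<mm>\d\d):(?P<ss>\d\d)\.\d{6} IP "
    r"(?P<src>\S+) > (?P<dst>\S+): ICMP echo (?P<kind>request|reply)"
)

def peak_requests_per_second(lines):
    """{source: highest number of echo requests seen from it in any one-second window}."""
    per_second = defaultdict(int)          # (src, second-of-day) -> request count
    for line in lines:
        m = ICMP_LINE.match(line)
        if not m or m["kind"] != "request":
            continue                       # replies and non-ICMP lines are ignored
        second = int(m["hh"]) * 3600 + int(m["mm"]) * 60 + int(m["ss"])
        per_second[(m["src"], second)] += 1
    peak = defaultdict(int)
    for (src, _), count in per_second.items():
        peak[src] = max(peak[src], count)
    return dict(peak)

def detect_icmp_floods(lines, threshold=100):
    """Sorted (source, peak rate) for sources whose request rate reached `threshold` per second."""
    return sorted((src, rate) for src, rate in peak_requests_per_second(lines).items()
                  if rate >= threshold)

def build_sample_capture():
    """Constructed tcpdump-style lines: one normal ping plus one flooding source (not a real capture)."""
    lines = []
    for seq in range(1, 6):                # normal ping: one request and one reply per second
        lines.append(f"10:00:{seq:02d}.100000 IP 10.1.0.7 > 10.1.0.1: ICMP echo request, id 42, seq {seq}, length 64")
        lines.append(f"10:00:{seq:02d}.100400 IP 10.1.0.1 > 10.1.0.7: ICMP echo reply, id 42, seq {seq}, length 64")
    for seq in range(300):                 # flood: 300 requests inside a single second from one source
        lines.append(f"10:00:03.{seq * 3000:06d} IP 198.51.100.9 > 10.1.0.1: ICMP echo request, id 7, seq {seq}, length 64")
    return lines

if __name__ == "__main__":
    for src, rate in detect_icmp_floods(build_sample_capture()):
        print(f"possible ICMP flood from {src}: {rate} echo requests/s")
```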
TCP/IP Stack and responsibilities
ifconfig | Display and manipulate route and network interfaces. |
ip | It is a replacement of ifconfig command. |
traceroute | Network troubleshooting utility. |
tracepath | Similar to traceroute but doesn't require root privileges. |
ping | To check connectivity between two nodes. |
netstat | Display connection information. |
ss | It is a replacement of netstat. |
dig | Query DNS related information. |
nslookup | Find DNS related query. |
route | Shows and manipulate IP routing table. |
host | Performs DNS lookups. |
arp | View or add contents of the kernel's ARP table. |
iwconfig | Used to configure wireless network interface. |
hostname | To identify a network name. |
curl or wget | To download a file from internet. |
mtr | Combines ping and tracepath into a single command. |
whois | Will tell you about the website's whois. |
ifplugstatus | Tells whether a cable is plugged in or not. |
man | Display information about all commands |
uptime | Show how long system is running |
users | Show username who are currently logged in |
service | Call and execute script |
pkill | Kill a process |
pmap | Memory map of a process |
wget | Download file from network |
ftp or sftp | Connect remote ftp host |
free | Show memory status |
top | Display processor activity of system |
last | Display user's activity in the system |
ps | Display about processes running on the system |
Shutdown commands | Shutdown and reboot system |
info | Display information about given command |
env | Display environment variable for currently logged-in user |
netstat | Display network status |
arp | Check ethernet connectivity and IP address |
df | Display filesystem information |
du | Display usage |
init | Allow to change server bootup |
nano | A command line editor |
nslookup | Check domain name and IP information |
shred | Delete a file by overwriting its content |
cat | Display, copy or combine text files |
pwd | Print path of current working directory |
locate | Finding files by name on system |
chown | Change ownership of a file |
alias | To shorten a command |
echo | Display text |
cmp | Compare two files byte by byte |
mount | Mount a filesystem |
ifconfig | Display configuration |
traceroute | Trace existing network |
sudo | Run a command as a root user |
route | List routing table for your server |
ping | Check connection by sending a test packet |
find | Find location of files/directories |
users | Show current logged in user |
who | Same as w but doesn't show current process |
ls | List all the files |
tar | Compress directories |
grep | Search for a string in a file |
su | Switch from one to another user |
awk | Search lines for a given pattern |