Linux basic command introduction 6: Network

Time:2019-11-14

This article covers network-related commands. The author assumes that the reader has basic knowledge of the TCP/IP protocol stack. For the commands and their output, only basic usage and a general description are given; the specific protocols are not explained in detail.

Nowadays, the network is undoubtedly very important. Linux provides a wealth of network test and management commands. Let's look at them together.

1、ping: Send ICMP echo request messages and wait for ICMP echo responses.

ping [OPTIONS]... destination

Here, destination can be the destination IP address or a domain/host name.

Option -c specifies the number of request messages to send. Without options, ping on Linux keeps sending request messages by default until it is terminated manually.

[[email protected] ~]# ping -c 3 www.baidu.com
PING www.a.shifen.com (61.135.169.121) 56(84) bytes of data.
64 bytes from 61.135.169.121: icmp_seq=1 ttl=52 time=1.35 ms
64 bytes from 61.135.169.121: icmp_seq=2 ttl=52 time=1.32 ms
64 bytes from 61.135.169.121: icmp_seq=3 ttl=52 time=1.22 ms

--- www.a.shifen.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 1.225/1.303/1.359/0.064 ms

First, the ping program sends a request to the domain name server (DNS) to resolve the IP address of the domain name www.baidu.com. DNS returns an alias of the domain name, www.a.shifen.com, and the corresponding IP address 61.135.169.121. After that, ping starts sending request messages to this address, one every 1s. Ping receives each ICMP echo response and displays the result on the terminal, including icmp_seq, TTL and the packet round-trip time. Finally, summary information is given, including the totals of messages sent and received, the total time, and the minimum, average, maximum and mean deviation of the round-trip time (the larger the deviation, the more unstable the network).

[[email protected] ~]# ping www.a.com
ping: unknown host www.a.com

When the destination domain name cannot be resolved to an IP address, an unknown host error is reported.

[[email protected] ~]# ping 192.168.0.1
PING 192.168.0.1 (192.168.0.1) 56(84) bytes of data.
^C     # press Ctrl+C here to terminate the process manually
--- 192.168.0.1 ping statistics ---
6 packets transmitted, 0 received, 100% packet loss, time 4999ms

No ICMP echo response is received when the destination IP address is not routed.

[[email protected] ~]# ping -c2 10.0.1.2
PING 10.0.1.2 (10.0.1.2) 56(84) bytes of data.
From 10.0.1.254 icmp_seq=1 Destination Host Unreachable
From 10.0.1.254 icmp_seq=2 Destination Host Unreachable

--- 10.0.1.2 ping statistics ---
2 packets transmitted, 0 received, +2 errors, 100% packet loss, time 999ms
pipe 2

The Destination Host Unreachable error is displayed when the route to the destination IP is unreachable.
ICMP echo responses also include other types, such as request timed out.

2、hostname: Display or set the system host name

hostname [OPTIONS]... [NAME]

Running the hostname command directly displays the host name:

[[email protected] temp]# hostname
centos7
[[email protected] temp]#

This hostname is returned by the gethostname(2) function of the system.
You can change the host name temporarily by running hostname NAME:

[[email protected] temp]# hostname NAME
[[email protected] temp]# hostname
NAME

This temporary change actually modifies the hostname held by the Linux kernel, which is stored in /proc/sys/kernel/hostname. To make the change permanent, modify the configuration file /etc/sysconfig/network; on CentOS 7, modify /etc/hostname instead. Note that if the hostname in the configuration file is localhost or localhost.localdomain, the system obtains the IP address of the network interface, looks up the corresponding host name for that address in the /etc/hosts file, and sets it as the final hostname.

3、host: DNS query

host name

The host command queries the DNS server specified in the configuration file /etc/resolv.conf for the IP address of name:

[[email protected] temp]# host www.baidu.com
www.baidu.com is an alias for www.a.shifen.com.
www.a.shifen.com has address 61.135.169.121
www.a.shifen.com has address 61.135.169.125

4、dig: DNS query

The dig and host commands have the same syntax, but dig provides more details and options:

[[email protected] ~]# dig www.baidu.com

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.2 <<>> www.baidu.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22125
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.baidu.com.                 IN      A

;; ANSWER SECTION:
www.baidu.com.          113     IN      CNAME   www.a.shifen.com.
www.a.shifen.com.       113     IN      A       61.135.169.125
www.a.shifen.com.       113     IN      A       61.135.169.121

;; Query time: 2 msec
;; SERVER: 223.5.5.5#53(223.5.5.5)
;; WHEN: April 10 12:31:20 CST 2016
;; MSG SIZE  rcvd: 90

[[email protected] ~]#

To query only the A record of a domain name and display it in short format:

[[email protected] ~]# dig www.baidu.com A +short
www.a.shifen.com.
61.135.169.125
61.135.169.121
[[email protected] ~]# 

Or:

[[email protected] ~]# dig +nocmd www.baidu.com A +noall +answer     
www.baidu.com.          252     IN      CNAME   www.a.shifen.com.
www.a.shifen.com.       252     IN      A       61.135.169.125
www.a.shifen.com.       252     IN      A       61.135.169.121

You can also use @server to specify the DNS server:

[[email protected] ~]# dig +noall +answer www.baidu.com A @8.8.8.8
www.baidu.com.          21      IN      CNAME   www.a.shifen.com.
www.a.shifen.com.       263     IN      A       61.135.169.125
www.a.shifen.com.       263     IN      A       61.135.169.121

More commands and options

5、traceroute or tracepath: Route tracking

[[email protected] ~]# tracepath www.baidu.com
 1?: [LOCALHOST]                                         pmtu 1500
 1:  10.0.1.103                                            0.396ms 
 1:  10.0.1.103                                            0.350ms 
 2:  210.51.161.1                                          1.187ms asymm  3 
 3:  210.51.161.1                                          8.186ms 
 4:  210.51.175.81                                         1.117ms 
 5:  61.148.142.61                                         8.554ms asymm 12 
 6:  61.148.147.13                                         1.694ms asymm 12 
 7:  123.126.8.117                                         3.934ms asymm 10 
 8:  61.148.155.46                                         2.703ms asymm 10
 ....

Only part of the output is listed here. It shows the route traced to the destination address and what each hop returns.

6、ifconfig: Configure network interfaces

With no parameters, the command displays the information of all network interfaces:

[[email protected] ~]# ifconfig
ens32: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.20.71.254  netmask 255.255.255.0  broadcast 172.20.71.255
        inet6 fe80::250:56ff:fea4:fe34  prefixlen 64  scopeid 0x20<link>
        ether 00:50:56:a4:fe:34  txqueuelen 1000  (Ethernet)
        RX packets 11996157  bytes 775368588 (739.4 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 12  bytes 888 (888.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.0.1.254  netmask 255.255.255.0  broadcast 10.0.1.255
        inet6 fe80::250:56ff:fea4:a09  prefixlen 64  scopeid 0x20<link>
        ether 00:50:56:a4:0a:09  txqueuelen 1000  (Ethernet)
        RX packets 20941185  bytes 1307830447 (1.2 GiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 147552  bytes 11833605 (11.2 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1  (Local Loopback)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

[[email protected] ~]#

This example shows two network cards, ens32 and ens33, and the loopback interface lo. The information includes MTU, IP address, mask, MAC address, transmitted and received data, etc.
Option -s shows condensed information:

[[email protected] ~]# ifconfig -s ens32
Iface      MTU    RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
ens32     1500 11996951      0      0 0            12      0      0      0 BMRU

For example, add a new address 10.0.1.4 to ens33:

[[email protected] ~]# ifconfig ens33:0 10.0.1.4/24 up
[[email protected] ~]# ifconfig ens33:0   
ens33:0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.0.1.4  netmask 255.255.255.0  broadcast 10.0.1.255
        ether 00:50:56:a4:0a:09  txqueuelen 1000  (Ethernet)

In the command, /24 indicates the mask of the interface address, and up indicates that the interface is enabled. Note that if the IP address is already in use, the setting will still succeed, but there may be conflicts when this address is accessed.
To disable an interface:

[[email protected] ~]# ifconfig ens33:0 down

If you need to permanently add or modify the address of the current interface, it is better to edit the IPADDR field directly in the network card configuration file /etc/sysconfig/network-scripts/ifcfg-ens33 (on other systems, the corresponding file) and restart the network with systemctl restart network or service network restart for the change to take effect.

7、arp and arping

The arp command displays the system ARP cache; the arping command sends ARP requests to a neighbor host.

[[email protected] ~]# arp -a
? (10.0.1.1) at 68:8f:84:01:f1:ff [ether] on ens33
? (10.0.1.102) at 00:50:56:a4:18:9a [ether] on ens33
? (10.0.1.254) at 00:50:56:a4:a9:16 [ether] on ens33
? (10.0.1.10) at 00:50:56:a4:d2:e4 [ether] on ens33
? (10.0.1.104) at 00:50:56:a4:37:a7 [ether] on ens33

? indicates that the host name is unknown, and the network card name at the end indicates the network interface corresponding to the ARP table entry.
If an address is found to be unstable, arping can be used to test whether the address is in conflict:

[[email protected] ~]# arping 10.0.1.252 -I ens33
ARPING 10.0.1.252 from 10.0.1.254 ens33
Unicast reply from 10.0.1.252 [00:50:56:A4:65:71]  0.843ms
Unicast reply from 10.0.1.252 [00:50:56:A4:0A:09]  1.034ms

The MAC addresses in the two returned messages are different, indicating that two network cards are configured with the same IP address. Option -I specifies the network interface used to send ARP requests.
If you have just changed the IP address of the network card but the ARP table entry of the upstream device (such as the switch) is still the old one, you can use arping to force a refresh:

[[email protected] ~]# arping -c3 -I ens33 -s 10.0.1.254 10.0.1.1
ARPING 10.0.1.1 from 10.0.1.254 ens33
Unicast reply from 10.0.1.1 [68:8F:84:01:F1:FF]  19.466ms
Unicast reply from 10.0.1.1 [68:8F:84:01:F1:FF]  2.358ms
Unicast reply from 10.0.1.1 [68:8F:84:01:F1:FF]  24.305ms
Sent 3 probes (1 broadcast(s))
Received 3 response(s)

-c specifies the number of ARP requests to send, -s specifies the source address, and the last IP is the destination (here, the gateway address).
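
The duplicate-address check described above can be automated. The following is an added example, not part of the original article: it reads arping output and reports every IP that answered from more than one MAC address. The function names and the sample (based on the output above, with one constructed repeat reply) are assumptions.

```shell
#!/bin/sh
# Added example: flag IP addresses that answer ARP with more than one MAC.

# Constructed sample: the two arping runs shown above, plus one repeated
# reply in lower case to show that repeats are not counted twice.
sample_arping_output() {
    cat <<'EOF'
ARPING 10.0.1.252 from 10.0.1.254 ens33
Unicast reply from 10.0.1.252 [00:50:56:A4:65:71]  0.843ms
Unicast reply from 10.0.1.252 [00:50:56:A4:0A:09]  1.034ms
Unicast reply from 10.0.1.252 [00:50:56:a4:65:71]  0.901ms
ARPING 10.0.1.1 from 10.0.1.254 ens33
Unicast reply from 10.0.1.1 [68:8F:84:01:F1:FF]  19.466ms
Unicast reply from 10.0.1.1 [68:8F:84:01:F1:FF]  2.358ms
Sent 3 probes (1 broadcast(s))
Received 3 response(s)
EOF
}

# find_arp_conflicts: read arping output on stdin and print one line per
# conflicting address, "<ip> <mac1>,<mac2>,...". Prints nothing when every
# address was answered by a single MAC.
find_arp_conflicts() {
    awk '
        / reply from / {
            # Field layout: Unicast reply from <ip> [<mac>] <rtt>
            ip = $4
            mac = toupper($5)
            gsub(/^\[|\]$/, "", mac)      # strip the surrounding brackets
            key = ip SUBSEP mac
            if (key in seen) next         # same MAC again: not a conflict
            seen[key] = 1
            if (!(ip in count)) order[++n] = ip
            count[ip]++
            macs[ip] = (count[ip] > 1) ? macs[ip] "," mac : mac
        }
        END {
            for (i = 1; i <= n; i++)
                if (count[order[i]] > 1)
                    print order[i], macs[order[i]]
        }
    '
}

# Demo on the embedded sample. On a live host the input would come from
# a command such as: arping -c 3 -I ens33 10.0.1.252
sample_arping_output | find_arp_conflicts
```

A conflict that appears on an address nobody reconfigured, especially the gateway, is worth investigating rather than only clearing with a refresh.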

8、route: Show or change the routing table

[[email protected] ~]# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.1.0        0.0.0.0         255.255.255.0   U     0      0        0 ens33
link-local      0.0.0.0         255.255.0.0     U     1002   0        0 ens32
link-local      0.0.0.0         255.255.0.0     U     1003   0        0 ens33
172.20.71.0     0.0.0.0         255.255.255.0   U     0      0        0 ens32
192.168.78.0    10.0.1.104      255.255.255.0   UG    0      0        0 ens33

Here, Destination represents the destination network segment or target host; Gateway represents the gateway address; Genmask indicates the mask of the destination network segment; Flags indicates the route flags: U indicates that the route is up (enabled) and G indicates a gateway; Metric represents the distance to the target, usually expressed in hops; Ref indicates the number of references to the route; Use indicates the route lookup count; Iface indicates the outgoing interface of this route.
Option -n displays the destination network segment in numeric form.
Options add and del add or remove a route.
Options -net and netmask specify the destination network segment and mask.
Option gw specifies the gateway.
Option dev IF specifies the outgoing network card.

To add a route to 192.56.76.x whose exit is ens32:

route add -net 192.56.76.0 netmask 255.255.255.0 dev ens32

To add a default route whose gateway is 10.0.1.1:

route add default gw 10.0.1.1

To add a route to 172.20.70.0 whose gateway is 10.0.1.2:

route add -net 172.20.70.0/24 gw 10.0.1.2

To delete the default route:

route del default

9、telnet: Provides remote login

Because the telnet protocol transmits data in clear text, it is not suitable for environments that require secure login. It is now commonly used for port testing of network services:

[[email protected] ~]# telnet 10.0.1.251 80
Trying 10.0.1.251...
Connected to 10.0.1.251.
Escape character is '^]'.
^]     # press Ctrl+] or Ctrl+C here to exit
telnet> quit
Connection closed.

Port 80 of the other side is open and allows communication.
When the opposite port is not open:

[[email protected] ~]# telnet 10.0.1.251 81
Trying 10.0.1.251...
telnet: connect to address 10.0.1.251: No route to host

When the peer rejects the connection:

[[email protected] ~]# telnet 10.0.1.251 8085
Trying 10.0.1.251...
telnet: connect to address 10.0.1.251: Connection refused

10、ssh: Remote login program

ssh [OPTIONS]... [user@]hostname [command]

The full name of ssh is Secure Shell. It provides secure, encrypted communication between hosts over an insecure network, aiming to replace other remote login protocols.

[[email protected] ~]# ssh 10.0.1.253
The authenticity of host '10.0.1.253 (10.0.1.253)' can't be established.
ECDSA key fingerprint is 96:bd:a3:a7:87:09:1b:53:44:4c:9b:b9:5f:b2:97:89.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.0.1.253' (ECDSA) to the list of known hosts.
root@10.0.1.253's password:     # enter the password here
Last login: Fri Nov 11 09:04:01 2016 from 192.168.78.137
[root@idc-v-71253 ~]#     # logged in

When the ssh command is followed directly by the host IP, the default user root is used to log in. If it is the first time you log in, you need to confirm adding the host's authentication key. After you enter yes, a record of the host is added to /root/.ssh/known_hosts on the local machine, and you do not need to confirm again the next time you log in. Then you enter the user password. After verification, you get a shell on the target host and can execute commands in it.
Type exit in the new shell to return to the original shell.
If you need to log in to a host frequently but do not want to enter a password every time, you can set up password-free login:

[[email protected] ~]# ssh-keygen -t rsa       
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):     # press Enter
Enter passphrase (empty for no passphrase):     # press Enter
Enter same passphrase again:     # press Enter
Your identification has been saved in /root/.ssh/id_rsa.     # private key
Your public key has been saved in /root/.ssh/id_rsa.pub.     # public key
The key fingerprint is:
be:c3:d0:02:50:35:35:fe:60:d6:2f:26:96:f0:e1:e6 [email protected]
The key's randomart image is:
+--[ RSA 2048]----+
|   ...o.o        |
|  .    o o       |
|   .  . * .      |
|    .  * = .     |
|     . .S + .    |
|      o=.o .     |
|       +E        |
|        o.       |
|        ..       |
+-----------------+
[[email protected] ~]# 
[[email protected] ~]# ssh-copy-id 10.0.1.253
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
[email protected]'s password: 

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh '10.0.1.253'"
and check to make sure that only the key(s) you wanted were added.

[[email protected] ~]#

Here, the ssh-keygen command generates the public and private keys, and option -t indicates the key type. The ssh-copy-id command then sends the public key to the target host; you need to enter the target host user's password at this point. After that you can log in without a password:

[[email protected] ~]# ssh 10.0.1.253
Last login: Fri Nov 11 11:08:37 2016 from 10.0.1.254
[[email protected] ~]# 

You can also execute commands remotely through SSH:

[[email protected] ~]# ssh 10.0.1.252 "hostname"
root@10.0.1.252's password:
idc-v-71252     # the command result is displayed
[root@centos7 ~]#     # not logged in

Or manually copy the public key to the target host:

[[email protected] ~]# cat /root/.ssh/id_rsa.pub | ssh 10.0.1.252 "cat - >> /root/.ssh/authorized_keys"
root@10.0.1.252's password:
[root@centos7 ~]# ssh 10.0.1.252     # password-free login
Last login: Thu Nov 10 14:42:11 2016 from 192.168.78.135
[[email protected] ~]#

Option -p specifies the port for login:

[[email protected] temp]# ssh -p22 10.0.1.252
Last login: Fri Nov 11 11:44:31 2016 from 10.0.1.254
[[email protected] ~]# 

The port is set in the server configuration file /etc/ssh/sshd_config; the default port number is 22. To change it, remove the comment from #Port 22 and change 22 to the required port, then restart the sshd service with service sshd restart or systemctl restart sshd.
If you need to log in to the system as another user, run ssh user@host.
We can combine the tar command with ssh and pipes to back up local (remote) files to the remote (local) host:

tar zc /home/temp | ssh user@host "tar xz"     # back up the local temp directory to the remote host
ssh user@host "tar cz /home/temp" | tar xz     # back up the remote temp directory to the local host

Option -L [bind_address:]port:host:hostport sets up local port forwarding:

[[email protected] ~]# ssh -L 2222:10.0.1.252:22 10.0.1.253
Last login: Mon Nov 14 10:34:43 2016 from 10.0.1.254
[root@idc-v-71253 ~]#

This command binds the local port 2222 and forwards all data sent to this port through the intermediate host 10.0.1.253 to port 22 of the target host 10.0.1.252. If you then use ssh to log in to port 2222 of the local machine, you are actually logging in to the host 10.0.1.252:

[[email protected] ~]# ssh -p 2222 127.0.0.1
Last login: Mon Nov 14 10:34:56 2016 from 10.0.1.253
[[email protected] ~]# 

The default binding here is the local loopback address 127.0.0.1. To bind to another address, set bind_address according to the syntax.
Option -N indicates that no command is executed, which is only useful when setting up port forwarding.
The port forwarding command above, ssh -L 2222:10.0.1.252:22 10.0.1.253, logs in to the intermediate host, and the forwarding is terminated after you exit. With option -N no login takes place, so combining it with shell background execution is a good way to set up port forwarding (note that password-free login to the intermediate host is required):

[[email protected] ~]# ssh -N -L 2222:10.0.1.252:22 10.0.1.253 &
[1] 12432
[[email protected] ~]#

The & at the end of the command indicates that the command is executed in the background. In the returned information, [1] is the background job number and 12432 is the PID of the command. (Shell background commands will be described in later articles.)
Option -R [bind_address:]port:host:hostport sets up remote port forwarding.
If we run the following on 10.0.1.253:

ssh -R 2222:10.0.1.252:22 10.0.1.254

Then log in on 10.0.1.254:

[[email protected] ~]# ssh -p 2222 localhost
Last login: Mon Nov 14 10:40:44 2016 from 10.0.1.253
[[email protected] ~]#

This makes the remote host 10.0.1.254 (remote relative to 10.0.1.253) listen on port 2222 and forward all data sent to this port to port 22 of the target host 10.0.1.252. Logging in to the local port 2222 on 10.0.1.254 then actually logs in to the target host 10.0.1.252 through the intermediate host 10.0.1.253.
Option -o OPTION specifies an option from the configuration file (for example, /etc/ssh/sshd_config).
To avoid typing yes to confirm the first time you log in, you can add -o StrictHostKeyChecking=no.
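
StrictHostKeyChecking is a client-side option documented in ssh_config(5); setting it to no skips the fingerprint confirmation shown in the first login above, so the client no longer checks which host it is talking to. The following added example (not part of the original article) finds where that check has been switched off, both in a client configuration and in scripts. The function names and both samples are constructed assumptions.

```shell
#!/bin/sh
# Added example: locate settings that disable SSH host key verification.

# Constructed sample of an ssh client configuration (ssh_config syntax).
sample_ssh_config() {
    cat <<'EOF'
# constructed sample, not from a real system
Host *.lab.example
    StrictHostKeyChecking no
    UserKnownHostsFile=/dev/null

Host bastion.example
    Port 22
    stricthostkeychecking = accept-new

Host *
    StrictHostKeyChecking ask
EOF
}

# Constructed sample of a shell script that calls ssh and scp.
sample_script() {
    cat <<'EOF'
ssh 10.0.1.253 hostname
ssh -o StrictHostKeyChecking=no 10.0.1.252 "hostname"
scp -o stricthostkeychecking=no a.txt 10.0.1.251:/root/
EOF
}

# find_hostkey_bypass: read an ssh client config on stdin and print
# "<Host pattern>: <Option> <value>" for every setting that turns host key
# verification off. Keywords are case-insensitive and may be written as
# "Key value" or "Key=value".
find_hostkey_bypass() {
    awk '
        BEGIN { host = "(global)" }
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            sub(/[ \t]+$/, "", line)
            if (line == "" || line ~ /^#/) next
            if (!match(line, /[ \t=]/)) next
            key = tolower(substr(line, 1, RSTART - 1))
            val = substr(line, RSTART)
            sub(/^[ \t]*=?[ \t]*/, "", val)
            if (key == "host") { host = val; next }
            lval = tolower(val)
            if (key == "stricthostkeychecking" && (lval == "no" || lval == "off"))
                print host ": StrictHostKeyChecking " val
            if (key == "userknownhostsfile" && val == "/dev/null")
                print host ": UserKnownHostsFile " val
        }
    '
}

# find_cmdline_bypass: read script text on stdin and print "<line no>:<line>"
# for every command that passes -o StrictHostKeyChecking=no (or =off).
find_cmdline_bypass() {
    grep -inE -- '-o[[:space:]]*StrictHostKeyChecking=(no|off)'
}

# Demo on the embedded samples.
sample_ssh_config | find_hostkey_bypass
sample_script | find_cmdline_bypass
```

For unattended first logins, the value accept-new records a new host's key without prompting but still refuses a key that has changed.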

11、scp: Copy files remotely

scp [OPTIONS]... [[user@]host1:]file1 ... [[user@]host2:]file2

The scp command transmits data encrypted over the ssh protocol. As with ssh login, you need to enter the remote host user's password.
To copy the file /root/a.txt from the remote host 10.0.1.251 to the local current directory:

[[email protected] ~]# scp [email protected]:/root/a.txt ./
[email protected]'s password: 
a.txt                                       100%  125     0.1KB/s   00:00    
[[email protected] ~]# 

The command displays the transfer status (percentage transferred, size, speed, time).
To copy a local file to a remote location, simply swap the source and destination.
Option -P specifies the remote connection port (the SSH service port); -o ssh_option passes an SSH option.
Option -l limit limits the transfer speed; the unit of limit is Kbit/s.
Similar to the cp command, option -r copies a directory, and -p preserves the file's times, permissions, etc.

12、netstat: Print network information

Option -a displays all port information:

[[email protected] ~]# netstat -a
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 0.0.0.0:ssh             0.0.0.0:*               LISTEN     
tcp        0      0 localhost:smtp          0.0.0.0:*               LISTEN     
tcp        0     52 10.0.1.254:ssh   192.168.78.143:49583    ESTABLISHED
tcp6       0      0 [::]:commplex-main      [::]:*                  LISTEN     
tcp6       0      0 [::]:4243               [::]:*                  LISTEN     
tcp6       0      0 [::]:ssh                [::]:*                  LISTEN     
tcp6       0      0 localhost:smtp          [::]:*                  LISTEN     
raw6       0      0 [::]:ipv6-icmp          [::]:*                  7          
raw6       0      0 [::]:ipv6-icmp          [::]:*                  7          
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node   Path
unix  2      [ ACC ]     STREAM     LISTENING     12807    /run/systemd/private
unix  2      [ ACC ]     STREAM     LISTENING     12815    /run/lvm/lvmpolld.socket
unix  2      [ ]         DGRAM                    12818    /run/systemd/shutdownd
unix  2      [ ACC ]     STREAM     LISTENING     16403    /var/run/dbus/system_bus_socket
....

Only part of the information is shown here.
Option -t shows TCP connection information.
Option -n displays IP addresses without converting them to domain names.
Option -p displays the PID and program name.

[[email protected] ~]# netstat -antp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1358/sshd           
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      2162/master         
tcp        0     52 10.0.1.254:22           192.168.78.143:49583    ESTABLISHED 12044/sshd: [email protected] 
tcp6       0      0 :::5000                 :::*                    LISTEN      17222/docker-proxy  
tcp6       0      0 :::4243                 :::*                    LISTEN      16983/docker        
tcp6       0      0 :::22                   :::*                    LISTEN      1358/sshd           
tcp6       0      0 ::1:25                  :::*                    LISTEN      2162/master         
[[email protected] ~]# 

Here, Proto indicates the protocol (TCP, UDP, etc.); Recv-Q and Send-Q indicate the receive and send queues, which are generally 0; a non-zero value means that data is waiting to be processed in the local receive or send buffer; Local Address and Foreign Address are the local and remote addresses respectively; State indicates the connection state, corresponding to the TCP connection states; PID/Program name indicates the process ID and program name.
Option -l shows only connections in the LISTEN state:

[[email protected] ~]# netstat -ntl
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN     
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN     
tcp6       0      0 :::5000                 :::*                    LISTEN     
tcp6       0      0 :::4243                 :::*                    LISTEN     
tcp6       0      0 :::22                   :::*                    LISTEN     
tcp6       0      0 ::1:25                  :::*                    LISTEN     
[[email protected] ~]#

Option -u shows UDP connection information.
Option -r shows route information:

[[email protected] ~]# netstat -r
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
default         10.0.1.103      0.0.0.0         UG        0 0          0 ens33
10.0.1.0        0.0.0.0         255.255.255.0   U         0 0          0 ens33
172.20.71.0     0.0.0.0         255.255.255.0   U         0 0          0 ens32
192.168.78.0    10.0.1.104      255.255.255.0   UG        0 0          0 ens33

Option -i displays interface information:

[[email protected] ~]# netstat -i
Kernel Interface table
Iface      MTU    RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
ens32     1500 13196107      0     77 0          3246      0      0      0 BMRU
ens33     1500 25312388      0     88 0       2516050      0      0      0 BMRU
lo       65536  2503589      0      0 0       2503589      0      0      0 LRU
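
The Local Address column of the netstat -ntl and -antp output above shows which services are reachable from other hosts: 0.0.0.0 and :: listen on every interface, while 127.0.0.1 and ::1 are local only. The following added example (not part of the original article) classifies the listeners and lists those exposed on all interfaces that are not on an allow list. The function names and the allow list are assumptions; the sample is constructed from the output above.

```shell
#!/bin/sh
# Added example: find TCP listeners that are exposed on every interface.

# Constructed sample, based on the "netstat -antp" output shown above.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1358/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      2162/master
tcp        0     52 10.0.1.254:22           192.168.78.143:49583    ESTABLISHED 12044/sshd
tcp6       0      0 :::5000                 :::*                    LISTEN      17222/docker-proxy
tcp6       0      0 :::4243                 :::*                    LISTEN      16983/docker
tcp6       0      0 :::22                   :::*                    LISTEN      1358/sshd
tcp6       0      0 ::1:25                  :::*                    LISTEN      2162/master
EOF
}

# classify_listeners: read "netstat -ntl" or "netstat -ntlp" output on stdin
# and print "<scope> <proto> <port> <program>" for each LISTEN socket.
# scope is ALL (wildcard address), LOOPBACK or SPECIFIC (one address).
classify_listeners() {
    awk '
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            # The port is whatever follows the last colon; this also
            # handles IPv6 forms such as ":::22" and "::1:25".
            n = split($4, part, ":")
            port = part[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (addr == "0.0.0.0" || addr == "::" || addr == "[::]")
                scope = "ALL"
            else if (addr ~ /^127\./ || addr == "::1")
                scope = "LOOPBACK"
            else
                scope = "SPECIFIC"
            prog = (NF >= 7) ? $7 : "-"   # column 7 exists only with -p
            print scope, $1, port, prog
        }
    '
}

# unexpected_listeners "<allowed ports>": print "<proto> <port> <program>"
# for wildcard listeners whose port is not in the space-separated list.
unexpected_listeners() {
    classify_listeners | awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "ALL" && !($3 in ok) { print $2, $3, $4 }
    '
}

# Demo: only SSH (port 22) is expected to be reachable from other hosts.
# On a live host: netstat -ntlp | unexpected_listeners "22"
sample_netstat | unexpected_listeners "22"
```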

13、tcpdump: Network packet capturing tool

The tcpdump command captures the packets on a network interface that match the expression expression and prints a description of the packet contents.
Option -i specifies the network card:

[[email protected] ~]# tcpdump -i ens33
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 65535 bytes
15:41:59.121948 IP 10.0.1.108.3693 > 239.100.1.1.websm: UDP, length 58
15:41:59.122191 IP 10.0.1.109.35673 > 239.100.1.1.websm: UDP, length 57
15:41:59.128282 IP 10.0.1.253.ssh > 192.168.78.143.51694: Flags [P.], seq 749565300:749565496, ack 3522345564, win 255, length 196
15:41:59.134127 IP 192.168.78.143.51694 > 10.0.1.253.ssh: Flags [.], ack 196, win 3977, length 0
15:41:59.140319 ARP, Request who-has 10.0.1.31 tell 10.0.1.102, length 46
15:41:59.168328 ARP, Request who-has 10.0.1.37 tell 10.0.1.102, length 46
15:41:59.262235 ARP, Request who-has 192.168.10.150 tell 192.168.10.151, length 46
15:41:59.622090 IP 10.0.1.108.3693 > 239.100.1.1.websm: UDP, length 58
15:41:59.622178 IP 10.0.1.109.35673 > 239.100.1.1.websm: UDP, length 57
....

After the command starts, it indicates that -v or -vv can be used to show more details, and begins capturing packets on ens33. The output shows the header information of each packet sent or received (including ARP, IP, TCP, UDP, etc.). This command does not specify an expression, so all packets are captured by default.
If you need to capture packets and analyze them later with another program such as Wireshark, use option -w file to write the data to a file, and option -s 0 to set the capture size to 65535 bytes so that packets are not truncated and can still be analyzed.
In a real environment, the volume of packets flowing through the network card is huge, so you can use an expression to filter them. Every packet is tested against the expression, and only packets for which the expression is true are output.
expression can contain conditions specified by one or more keywords, and you can use and (or &&), or (or ||), not (or !) and parentheses () to express the logical relationships between keywords. You can use > and < for comparison, and arithmetic is also possible. The keywords include:
type: type keywords, such as host, net, port and portrange, indicating host, network segment, port number and port range respectively.
direction: direction keywords, such as src and dst, representing source and destination respectively.
proto: protocol keywords, such as fddi, arp, ip, tcp, udp, etc., representing the various network protocols.
Due to limited space, the following examples only describe the function of the options and expressions, and do not explain the output:

tcpdump -i ens33 dst host 10.0.1.251 
# Capture all packets on interface ens33 sent to host 10.0.1.251. The host can also be a host name
tcpdump -i eth0 host ! 211.161.223.70 and ! 211.161.223.71 and dst port 80 
# Listen on interface eth0 and capture packets that are not from or to hosts 211.161.223.70 and 211.161.223.71 and whose destination port is 80
tcpdump tcp port 23 and host 210.27.48.1 
# Capture the telnet packets received or sent by host 210.27.48.1 (primitives must be joined with and)
tcpdump 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0) and src net (183.60.190 or 122.13.220)' -s0 -i eth0 -w ipdump
# Capture TCP packets whose source or destination port is 80, whose source network is 183.60.190.0/24 or 122.13.220.0/24, and which contain data (not data-less packets such as SYN, FIN and ACK-only), and write them to the file ipdump
# Note that the expression is enclosed in single quotes to avoid syntax errors caused by the shell interpreting special characters
tcpdump 'tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 and ! src and dst net 10.0.0'
# Print only the start and end packets of TCP connections (SYN and FIN flags) whose source and destination are not both in network segment 10.0.0.0/24
tcpdump 'gateway 10.0.1.1 and ip[2:2] > 576' 
# Capture IP packets sent through gateway 10.0.1.1 that are larger than 576 bytes
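
The "contains data" test in the port 80 filter above is arithmetic on header fields: total IP length, minus IP header length, minus TCP header length. The following added example (not part of the original article) evaluates the same three terms on hex-encoded packets to show why the filter reads the header lengths from the packet instead of assuming 20 bytes. The function names are assumptions and the packets are constructed (checksums left as zero).

```shell
#!/bin/sh
# Added example: evaluate the tcpdump payload-length expression by hand.
#   ip[2:2] - ((ip[0]&0xf)<<2) - ((tcp[12]&0xf0)>>2)

# Constructed IPv4/TCP packets as hex strings, starting at the IP header.
# SYN with TCP options: total length 60, IP header 20, TCP header 40.
SYN_PKT="4500003c00004000400600000a0001fe0a0001fb"\
"c00000500000000100000000a002721000000000"\
"020405b40402080a000000010000000001030307"
# PSH+ACK carrying "hello": total length 45, IP header 20, TCP header 20.
DATA_PKT="4500002d00004000400600000a0001fe0a0001fb"\
"c000005000000002000000015018010000000000"\
"68656c6c6f"
# Data packet with 4 bytes of IP options: total 47, IP header 24, TCP 20.
OPT_PKT="4600002f00004000400600000a0001fe0a0001fb01010101"\
"c000005000000002000000015018010000000000"\
"616263"

# byte_at HEX OFFSET: decimal value of the byte at zero-based OFFSET.
byte_at() {
    first=$(( $2 * 2 + 1 ))
    hex=$(printf '%s' "$1" | cut -c"$first"-"$(( first + 1 ))")
    echo $(( 0x$hex ))
}

# tcp_payload_len HEX: number of TCP payload bytes in the packet.
tcp_payload_len() {
    pkt=$1
    # ip[2:2]: 16-bit total length of the IP packet, big-endian
    ip_total=$(( $(byte_at "$pkt" 2) * 256 + $(byte_at "$pkt" 3) ))
    # (ip[0]&0xf)<<2: low nibble is the header length in 32-bit words
    ip_hlen=$(( ($(byte_at "$pkt" 0) & 0xf) << 2 ))
    # (tcp[12]&0xf0)>>2: high nibble is the TCP data offset in words,
    # so (x >> 4) * 4 collapses to a mask and a shift right by 2
    tcp_off=$(( ip_hlen + 12 ))
    tcp_hlen=$(( ($(byte_at "$pkt" "$tcp_off") & 0xf0) >> 2 ))
    echo $(( ip_total - ip_hlen - tcp_hlen ))
}

# has_tcp_payload HEX: succeeds when the filter's "!= 0" test would match.
has_tcp_payload() {
    [ "$(tcp_payload_len "$1")" -ne 0 ]
}

# Demo on the constructed packets.
for name in SYN_PKT DATA_PKT OPT_PKT; do
    eval "pkt=\$$name"
    echo "$name payload bytes: $(tcp_payload_len "$pkt")"
done
```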

There are many network related commands, which will be introduced in the next article.