UNIX network analysis

Understanding your UNIX system network configuration


Understanding networks on the host

The first step to understanding your network better is to understand the network configuration of the machine you are currently using. This will give you a number of frames of reference, such as the IP address of the current host, the DNS configuration, and what other machines you can connect to and communicate with.

Finding configuration information

Determining the current configuration of the machine you are working on gives you the base information about your environment. Your first task is to determine the IP address and network mask for the current machine. From these two values you can work out the address of your machine and which other machines you can reach directly on your network (that is, without going through a router).

Before you determine the IP address, get the hostname for the system by using the hostname command (see Listing 1).


Listing 1. Getting the hostname

$  hostname
sulaco

The ifconfig command will display the current configuration information for all your configured network devices when you use the -a option. For example, Listing 2 shows the output from the ifconfig command on a Solaris machine.


Listing 2. Output from ifconfig on Solaris

$ ifconfig -a
lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000 
pcn0: flags=201004843<UP,BROADCAST,RUNNING,MULTICAST,DHCP,IPv4,CoS> mtu 1500 index 2
        inet 192.168.1.25 netmask fffffc00 broadcast 192.168.3.255
lo0: flags=2002000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv6,VIRTUAL> mtu 8252 index 1
        inet6 ::1/128 
pcn0: flags=202004841<UP,RUNNING,MULTICAST,DHCP,IPv6,CoS> mtu 1500 index 2
        inet6 fe80::20c:29ff:fe7f:dc5/10 

You can see from this output that there is a loopback device, lo0, with the standard IPv4 loopback address 127.0.0.1 (localhost), and that the same device also carries the IPv6 loopback address ::1.

The pcn0 device is configured with the IP address 192.168.1.25 and a netmask of fffffc00, which is the hexadecimal form of 255.255.252.0. The DHCP entry in the flags list shows that the address was assigned by DHCP rather than configured statically.

The netmask is particularly important, because from it alone you can tell the size (in addresses) of your immediate network. In the mask 255.255.252.0 the third octet, 252, is 11111100 in binary, so the low two bits of that octet plus the whole fourth octet (10 bits in total) are host bits: the network covers 2^10 = 1024 addresses, or four consecutive class C sized (/24) blocks. The same answer falls out of 256 - 252 = 4.

By combining the netmask with the configured IP address you can work out the exact range of the local network, not just guess it. The network address is the bitwise AND of the address and the mask; the broadcast address is the network address with every host bit set. For 192.168.1.25 and 255.255.252.0 that gives 192.168.0.0 through 192.168.3.255, that is 192.168.0.0/22. Intuitively, a /22 mask divides the 192.168.0.0-192.168.255.255 range into aligned blocks of four /24s, and 192.168.1.x falls in the first of them; a host at 192.168.5.x with the same mask would be in 192.168.4.0-192.168.7.255.

Different operating systems output the information (and the detail) in different ways. Listing 3 shows the output from a Linux® system.


Listing 3. Output on a Linux system

eth0      Link encap:Ethernet  HWaddr 00:1d:60:1b:9a:2d  
          inet addr:192.168.0.2  Bcast:192.168.3.255  Mask:255.255.252.0
          inet6 addr: fe80::21d:60ff:fe1b:9a2d/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2371085881 errors:36 dropped:0 overruns:0 frame:36
          TX packets:2861233776 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:913269364222 (850.5 GiB)  TX bytes:3093820025338 (2.8 TiB)
          Interrupt:23 Base address:0x4000 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:279755697 errors:0 dropped:0 overruns:0 frame:0
          TX packets:279755697 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:388038389807 (361.3 GiB)  TX bytes:388038389807 (361.3 GiB)

Listing 4 shows the output from a Mac OS X™ system.


Listing 4. Output from a Mac OS X system

lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1 
    inet 127.0.0.1 netmask 0xff000000 
    inet6 ::1 prefixlen 128 
gif0: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
stf0: flags=0<> mtu 1280
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    inet 192.168.0.101 netmask 0xfffffc00 broadcast 192.168.3.255
    ether 00:16:cb:a0:3b:cb 
    media: autoselect (1000baseT <full-duplex,flow-control>) status: active
    supported media: autoselect 10baseT/UTP <half-duplex> 10baseT/UTP 
<full-duplex> 10baseT/UTP <full-duplex,hw-loopback> 10baseT/UTP 
<full-duplex,flow-control> 100baseTX <half-duplex> 100baseTX 
<full-duplex> 100baseTX <full-duplex,hw-loopback> 100baseTX 
<full-duplex,flow-control> 1000baseT <full-duplex> 1000baseT 
<full-duplex,hw-loopback> 1000baseT <full-duplex,flow-control> none
fw0: flags=8822<BROADCAST,SMART,SIMPLEX,MULTICAST> mtu 2030
    lladdr 00:17:f2:ff:fe:7b:84:d6 
    media: autoselect <full-duplex> status: inactive
    supported media: autoselect <full-duplex>
en1: flags=8822<BROADCAST,SMART,SIMPLEX,MULTICAST> mtu 1500
    ether 00:17:f2:9b:3d:38 
    media: autoselect (<unknown type>)
    supported media: autoselect
en5: flags=8963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
    inet6 fe80::21c:42ff:fe00:8%en5 prefixlen 64 scopeid 0x7 
    inet 10.211.55.2 netmask 0xffffff00 broadcast 10.211.55.255
    ether 00:1c:42:00:00:08 
    media: autoselect status: active
    supported media: autoselect
en6: flags=8963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
    inet6 fe80::21c:42ff:fe00:9%en6 prefixlen 64 scopeid 0x8 
    inet 10.37.129.2 netmask 0xffffff00 broadcast 10.37.129.255
    ether 00:1c:42:00:00:09 
    media: autoselect status: active
    supported media: autoselect

In all cases you can find the Internet address and netmask of each connected network device. If the machine has several network devices, each appears in the output, and one machine may therefore be able to reach several different networks and sets of systems.





Finding name resolution services

Your next step in determining the configuration of the current machine is the name service configuration: the system that translates hostnames and domain names into IP addresses when you access a service on another machine.

The configuration of this on most machines is through the /etc/nsswitch.conf file, which contains a list of different naming services (hosts, users, and more) and the order in which the different services (DNS, NIS, or local files) should be used for resolution. You can see an example of this in Listing 5.


Listing 5. Resolving the name service system

passwd:     files
group:      files
hosts:      files dns 
ipnodes:    files dns
networks:   files
protocols:  files
rpc:        files
ethers:     files
netmasks:   files
bootparams: files
publickey:  files
netgroup:   files
automount:  files
aliases:    files
services:   files
printers:   user files
auth_attr:  files
prof_attr:  files
project:    files
tnrhtp:     files
tnrhdb:     files

In Listing 5, for example, the hostname information is resolved first by looking at the local files on the system (for example, /etc/hosts) and then the domain name system (DNS).

If the DNS has been configured, then the /etc/resolv.conf file will tell you which machines are being used to convert names into IP addresses. A sample of the file is shown here in Listing 6.


Listing 6. Which machines are being used to convert names into IP addresses

domain example.pri
nameserver 192.168.0.2
nameserver 192.168.0.3

This information can be useful if you want to query these machines directly for information. You can use tools such as dig and nslookup to extract information about the name service and resolution of names and IP addresses.





Checking routes

Packets for hosts outside your network (that is, outside the range defined by your IP address and netmask) are sent to a router, which forwards them on towards their destination. Routers can be used at all levels of your network, including between departments, between physical sites, and out to public and external networks such as the Internet.

The netstat -r command prints the routing table, which tells you which machines or routers are contacted when your machine wants to communicate with hosts outside the 'local' network. For example, Listing 7, below, is from a Solaris machine.


Listing 7. netstat command

$ netstat -r

Routing Table: IPv4
  Destination           Gateway           Flags  Ref     Use     Interface 
-------------------- -------------------- ----- ----- ---------- --------- 
default              voyager.example.pri  UG        1        139 pcn0      
192.168.0.0          solaris2.example.pri U         1        447 pcn0      
solaris2             solaris2             UH        1         35 lo0       

Routing Table: IPv6
  Destination/Mask            Gateway                   Flags Ref   Use    If   
--------------------------- --------------------------- ----- --- ------- ----- 
fe80::/10                   fe80::20c:29ff:fe7f:dc5     U       1       0 pcn0  
solaris2                    solaris2                    UH      1       0 lo0   

The default route shows the gateway (router) used to route packets that are either outside of the current network, or that are not already covered by another route for a specific IP address or IP address range.

Because you might need this information when the name service is not working, or is returning the wrong answers, you can also specify the -n option to show the routing table using IP addresses instead of names. This also avoids the reverse DNS lookups netstat would otherwise perform for every entry, which can be slow and are themselves network traffic.
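The netmask arithmetic from the "Finding configuration information" section and the route selection described above, written out as an added example in POSIX sh. This is not code from the tutorial: the functions, the ip_to_int/int_to_ip/mask_to_int helpers and the ROUTES table are constructed for this example. The table mirrors the shape of Listing 7 (a default route, the connected /22, and a host route over lo0), but its gateway addresses are assumed because Listing 7 shows names only, and addresses passed in are assumed to be well-formed dotted quads.

```shell
# Added example (not from the developerWorks tutorial): the arithmetic behind
# the netmask discussion and the route selection described in the text, as
# POSIX sh functions. Addresses are assumed to be well-formed dotted quads.

# ip_to_int 192.168.1.25 -> 3232235801
ip_to_int() {
    IFS=. read -r o1 o2 o3 o4 <<EOF
$1
EOF
    echo $(( (o1 << 24) | (o2 << 16) | (o3 << 8) | o4 ))
}

# int_to_ip 3232235520 -> 192.168.0.0
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# mask_to_int accepts the three spellings seen in Listings 2-4:
# 255.255.252.0 (Linux), fffffc00 (Solaris) and 0xfffffc00 (Mac OS X).
mask_to_int() {
    case "$1" in
        *.*)     ip_to_int "$1" ;;
        0x*|0X*) echo $(( $1 )) ;;
        *)       echo $(( 0x$1 )) ;;
    esac
}

# net_range IP MASK -> "NETWORK BROADCAST USABLE_HOSTS PREFIXLEN"
# Returns 1 on a non-contiguous mask such as 255.255.253.0.
net_range() {
    ip=$(ip_to_int "$1")
    mask=$(mask_to_int "$2")
    inv=$(( ~mask & 0xffffffff ))          # the host bits of the mask
    if [ $(( inv & (inv + 1) )) -ne 0 ]; then
        echo "invalid netmask: $2" >&2
        return 1
    fi
    net=$(( ip & mask ))                   # address AND mask
    bcast=$(( net | inv ))                 # network address with all host bits set
    bits=0; t=$inv
    while [ "$t" -ne 0 ]; do t=$(( t >> 1 )); bits=$(( bits + 1 )); done
    if [ "$inv" -lt 2 ]; then              # /31 and /32 have no network/broadcast pair
        hosts=$(( inv + 1 ))
    else
        hosts=$(( inv - 1 ))
    fi
    echo "$(int_to_ip "$net") $(int_to_ip "$bcast") $hosts $(( 32 - bits ))"
}

# Constructed routing table, one route per line: network netmask gateway interface.
# The first line is the default route of Listing 7; the gateway and host
# addresses are assumed (Listing 7 prints names only).
ROUTES='
0.0.0.0        0.0.0.0          192.168.0.1    pcn0
192.168.0.0    255.255.252.0    192.168.1.25   pcn0
192.168.1.25   255.255.255.255  127.0.0.1      lo0
'

# route_lookup DEST -> "GATEWAY INTERFACE": longest-prefix match over ROUTES,
# which is how the kernel decides between a directly connected route and the
# default route. Returns 1 if nothing matches.
route_lookup() {
    dest=$(ip_to_int "$1")
    best=-1; chosen=""
    while read -r net mask gw iface; do
        if [ -z "$net" ]; then continue; fi
        m=$(mask_to_int "$mask")
        # a longer mask is numerically larger, so "-gt" picks the most specific route
        if [ $(( dest & m )) -eq "$(ip_to_int "$net")" ] && [ "$m" -gt "$best" ]; then
            best=$m; chosen="$gw $iface"
        fi
    done <<EOF
$ROUTES
EOF
    if [ -z "$chosen" ]; then echo "no route to $1" >&2; return 1; fi
    echo "$chosen"
}

net_range 192.168.1.25 255.255.252.0   # pcn0 from Listing 2: 192.168.0.0 192.168.3.255 1022 22
net_range 10.211.55.2 0xffffff00       # en5 from Listing 4:  10.211.55.0 10.211.55.255 254 24
route_lookup 192.168.2.7               # inside the local /22, delivered directly: 192.168.1.25 pcn0
route_lookup 10.0.0.5                  # off-net, sent to the default gateway:     192.168.0.1 pcn0
```

The mask check (inv & (inv + 1) must be zero) rejects masks whose one bits are not contiguous; such a mask is almost always a typo, and a typo there silently changes which hosts are treated as local. The route lookup prefers the numerically larger mask, which is the longest-prefix rule: the host route over lo0 beats the connected /22, which beats the default route.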





Checking supported services

The netstat command can also be used to determine what services are being shared and exposed on the current host. This includes all network services, including DNS, NFS, Web services, and other information. The information displayed is based upon the ports that are open and in the 'listening' state waiting for client connections, or ports that are already open and communicating with a client.

This information can prove invaluable, both to determine if a service is running, and as part of a standard security check to determine whether a machine is sharing or exposing itself to more risk than is necessary.

You can see an example of the output in Listing 8 (from a Linux system), here using -a to display all the open ports and services, both established (open) and listening for new connections. By default, netstat also shows the open UNIX domain sockets, which are only accessible from the current machine. For brevity these have been removed from the output.


Listing 8. Output using -a

$ netstat -a
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 *:imaps                 *:*                     LISTEN     
tcp        0      0 *:nfs                   *:*                     LISTEN     
tcp        0      0 *:vmware-authd          *:*                     LISTEN     
tcp        0      0 localhost:10024         *:*                     LISTEN     
tcp        0      0 localhost:10025         *:*                     LISTEN     
tcp        0      0 *:mysql                 *:*                     LISTEN     
tcp        0      0 *:imap                  *:*                     LISTEN     
tcp        0      0 localhost:783           *:*                     LISTEN     
tcp        0      0 *:sunrpc                *:*                     LISTEN     
tcp        0      0 bear.example.pri:http     *:*                     LISTEN     
tcp        0      0 *:cisco-sccp            *:*                     LISTEN     
tcp        0      0 *:47506                 *:*                     LISTEN     
tcp        0      0 *:34452                 *:*                     LISTEN     
tcp        0      0 172.16.217.1:domain     *:*                     LISTEN     
tcp        0      0 192.168.92.1:domain     *:*                     LISTEN     
tcp        0      0 bear.example.pri:domain   *:*                     LISTEN     
tcp        0      0 localhost:domain        *:*                     LISTEN     
tcp        0      0 *:53941                 *:*                     LISTEN     
tcp        0      0 *:3128                  *:*                     LISTEN     
tcp        0      0 localhost:rndc          *:*                     LISTEN     
tcp        0      0 *:smtp                  *:*                     LISTEN     
tcp        0      0 bear.example.pri:imap   sulaco.example.p:65452  ESTABLISHED
tcp        0      0 bear.example.pri:imap   sulaco.example.p:65459  ESTABLISHED
tcp        0      0 bear.example.pri:imap   sulaco.example.p:65412  ESTABLISHED
tcp        0      0 bear.example.pri:imap   sulaco.example.p:65417  ESTABLISHED
tcp        0      0 bear.example.pri:mysq   bear.example.pri:35475    TIME_WAIT  
tcp        0      0 bear.example.pri:http   sulaco.example.p:49603  FIN_WAIT2  
tcp        0      0 bear.example.pri:nfs    sulaco.example.p:49552  ESTABLISHED
tcp        0      0 bear.example.pri:imap   sulaco.example.p:65433  ESTABLISHED
tcp        0      0 bear.example.pri:imap   sulaco.example.p:65431  ESTABLISHED
tcp        1      0 bear.example.pri:nfs    sulaco.example.p:51900  CLOSE_WAIT 
tcp        0      0 bear.example.pri:imap   sulaco.example.p:65415  ESTABLISHED
tcp        0      0 bear.example.pri:imap   sulaco.example.p:65475  ESTABLISHED
tcp        0      0 bear.example.pri:imap   sulaco.example.p:65472  ESTABLISHED
tcp        0      0 bear.example.pri:imap   sulaco.example.p:65429  ESTABLISHED
tcp        0      0 bear.example.pri:imap   sulaco.example.p:65430  ESTABLISHED
tcp        0      0 bear.example.pri:imap   sulaco.example.p:65438  ESTABLISHED
tcp        0      0 bear.example.pri:imap   sulaco.example.p:65443  ESTABLISHED
tcp        0      0 bear.example.pri:imap   sulaco.example.p:65418  ESTABLISHED
tcp        0      0 bear.example.pri:nfs    narcissus.exampl:62968 ESTABLISHED
tcp        0      0 bear.example.pri:imap   sulaco.example.p:65448  ESTABLISHED
tcp        0      0 bear.example.pri:imap   sulaco.example.p:65423  ESTABLISHED
tcp        0      0 bear.example.pri:imap   sulaco.example.p:65468  ESTABLISHED
tcp        0      0 bear.example.pri:imap   sulaco.example.p:65445  ESTABLISHED
tcp        0      0 bear.example.pri:imap   sulaco.example.p:65476  ESTABLISHED
tcp        0      0 bear.example.pri:imap   sulaco.example.p:65453  ESTABLISHED
tcp        0      0 bear.example.pri:imap   sulaco.example.p:65456  ESTABLISHED
tcp        1      0 bear.example.pri:nfs    sulaco.example.p:59172  CLOSE_WAIT 
tcp        0      0 bear.example.pri:imap   sulaco.example.p:65416  ESTABLISHED
tcp        0      0 bear.example.pri:imap   sulaco.example.p:65439  ESTABLISHED
tcp        0      0 bear.example.pri:imap   sulaco.example.p:65441  ESTABLISHED
tcp        0      0 bear.example.pri:imap   sulaco.example.p:65446  ESTABLISHED
tcp        0      0 bear.example.pri:imap   sulaco.example.p:65470  ESTABLISHED
tcp        0      0 bear.example.pri:imap   sulaco.example.p:65450  ESTABLISHED
tcp        0      0 bear.example.pri:nfs    sulaco.example.p:65320  ESTABLISHED
tcp        0      0 bear.example.pri:imap   sulaco.example.p:65465  ESTABLISHED
tcp        0      0 bear.example.pri:36230  solaris2.vmbear.mcs:ssh ESTABLISHED
tcp        0      0 bear.example.pri:imap   sulaco.example.p:65421  ESTABLISHED
tcp        0      0 bear.example.pri:imap   sulaco.example.p:65464  ESTABLISHED
tcp        0      0 bear.example.pri:imap   sulaco.example.p:65474  ESTABLISHED
tcp        0      0 bear.example.pri:imap   sulaco.example.p:64955  ESTABLISHED
tcp        0      0 bear.example.pri:imap   sulaco.example.p:65473  ESTABLISHED
tcp        0      0 bear.example.pri:imap   sulaco.example.p:65461  ESTABLISHED
tcp        0      0 bear.example.pri:imap   sulaco.example.p:65454  ESTABLISHED
tcp        0      0 bear.example.pri:http   sulaco.example.p:49608  ESTABLISHED
tcp        0      0 bear.example.pri:imap   sulaco.example.p:65471  ESTABLISHED
tcp        0      0 localhost:50123         localhost:ssh           ESTABLISHED
tcp        0      0 bear.example.pri:imap   sulaco.example.p:65420  ESTABLISHED
tcp        0      0 bear.example.pri:imap   sulaco.example.p:65466  ESTABLISHED
tcp        0      0 bear.example.pri:imap   sulaco.example.p:65463  ESTABLISHED
tcp        0      0 bear.example.pri:imap   sulaco.example.p:65451  ESTABLISHED
tcp        0      0 bear.example.pri:35471  bear.example.pri:mysql    TIME_WAIT  
tcp        0      0 bear.example.pri:imap   sulaco.example.p:65457  ESTABLISHED
tcp        1      0 bear.example.pri:nfs    sulaco.example.p:53877  CLOSE_WAIT 
tcp        0      0 bear.example.pri:imap   sulaco.example.p:65432  ESTABLISHED
tcp        0      0 bear.example.pri:mysql  bear.example.pri:35470    TIME_WAIT  
tcp        0      0 bear.example.pri:imap   sulaco.example.p:65467  ESTABLISHED
tcp        0      0 bear.example.pri:imap   sulaco.example.p:65414  ESTABLISHED
tcp        0      0 bear.example.pri:50112  bear.example.pri:imap     TIME_WAIT  
tcp        0      0 bear.example.pri:imap   sulaco.example.p:65462  ESTABLISHED
tcp        0      0 bear.example.pri:imap   sulaco.example.p:65460  ESTABLISHED
tcp        0      0 bear.example.pri:imap   sulaco.example.p:65469  ESTABLISHED
tcp        0      0 bear.example.pri:imap   sulaco.example.p:65422  ESTABLISHED
tcp        0      0 bear.example.pri:50110  bear.example.pri:imap     TIME_WAIT  
tcp        0      0 bear.example.pri:50111  bear.example.pri:imap     TIME_WAIT  
tcp        0      0 bear.example.pri:imap   sulaco.example.p:65442  ESTABLISHED
tcp6       0      0 [::]:imaps              [::]:*                  LISTEN     
tcp6       0      0 [::]:11211              [::]:*                  LISTEN     
tcp6       0      0 [::]:imap               [::]:*                  LISTEN     
tcp6       0      0 [::]:cisco-sccp         [::]:*                  LISTEN     
tcp6       0      0 [::]:ssh                [::]:*                  LISTEN     
tcp6       0      0 localhost:rndc          [::]:*                  LISTEN     
tcp6       0      0 [::]:https              [::]:*                  LISTEN     
tcp6       0      0 bear.example.pri:ssh    sulaco.example.p:52786  ESTABLISHED
tcp6       0      0 bear.example.pri:ssh    sulaco.example.p:56220  ESTABLISHED
tcp6       0      0 bear.example.pri:ssh    sulaco.example.p:63895  ESTABLISHED
tcp6       0      0 localhost:ssh           localhost:50123         ESTABLISHED
tcp6       0      0 bear.example.pri:ssh    sulaco.example.p:60914  ESTABLISHED
tcp6       0      0 bear.example.pri:ssh    sulaco.example.p:64669  ESTABLISHED
tcp6       0      0 bear.example.pri:ssh    sulaco.example.p:56053  ESTABLISHED
tcp6       0      0 bear.example.pri:ssh    sulaco.example.p:52268  ESTABLISHED
tcp6       0      0 bear.example.pri:ssh    sulaco.example.p:49528  ESTABLISHED
tcp6       0      0 bear.example.pri:ssh    sulaco.example.p:65408  ESTABLISHED
udp        0      0 *:nfs                   *:*                                
udp        0      0 *:42498                 *:*                                
udp        0      0 *:54680                 *:*                                
udp        0      0 172.16.217.1:domain     *:*                                
udp        0      0 192.168.92.1:domain     *:*                                
udp        0      0 bear.example.p:domain   *:*                                
udp        0      0 localhost:domain        *:*                                
udp        0      0 *:45495                 *:*                                
udp        0      0 *:icpv2                 *:*                                
udp        0      0 *:bootps                *:*                                
udp        0      0 *:964                   *:*                                
udp        0      0 *:11211                 *:*                                
udp        0      0 *:sunrpc                *:*                                
udp        0      0 *:50042                 *:*                                
raw        0      0 *:icmp                  *:*                     7          

As you can see from this output, the machine is quite busy. The fourth column (Local Address) shows the hostname and port, separated by a colon, for each listening socket or open connection. If the TCP or UDP port number matches a known service (as defined in the /etc/services file), the service name is displayed instead of the number. The host part is shown as a hostname, as an IP address (when the address has no reverse mapping, or when you use -n), or as the '*' symbol. The asterisk means the socket is bound to all addresses on all interfaces, so the service is reachable from every network the host is attached to; a socket bound to localhost is reachable only from the machine itself. Note that netstat reports what is bound, not what is filtered: a host firewall may still block some of these ports, so treat the listening list as the upper bound of what is exposed.

For example, you can tell from this output that the machine is configured to support NFS, and has open (established) connections, as shown in Listing 9.


Listing 9. Machine is configured to support NFS

$ netstat -a|grep nfs
tcp        0      0 *:nfs                *:*                     LISTEN     
tcp        1      0 bear.example.pri:nfs sulaco.example.p:51900  CLOSE_WAIT 
tcp        0      0 bear.example.pri:nfs narcissus.example.p:62968 ESTABLISHED
tcp        1      0 bear.example.pri:nfs sulaco.example.p:59172  CLOSE_WAIT 
tcp        0      0 bear.example.pri:nfs sulaco.example.p:65320  ESTABLISHED
tcp        1      0 bear.example.pri:nfs sulaco.example.p:53877  CLOSE_WAIT 
udp        0      0 *:nfs                   *:*                                

It is also possible to use this output to see which machines are currently communicating with this machine. For example, you can extract a list of the machines connected to this one by looking at the fifth column (Foreign Address), and then sorting and removing duplicates from the list (see Listing 10).


Listing 10. Extracting a list of connected machines

$ netstat -a|egrep 'tcp|udp'|grep ESTABLISHED|awk '{ print $5; }'|cut -d: -f1|sort|uniq
localhost
narcissus.mcslp.p
nautilus.wireless
polarbear.wireles
solaris2.vmbear.mcs
sulaco.mcslp.pri

This can be useful when you suspect there is a user or computer connected to the machine that you do not recognize or do not expect. Two caveats: netstat truncates long hostnames to fit the column (sulaco.example.p, narcissus.exampl above), so two different hosts can collapse into one entry, and cut -d: -f1 does not cope with IPv6 addresses, which themselves contain colons. Running netstat -an and resolving the addresses afterwards avoids both problems.
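The two checks described in this section, the listening-socket review and the extraction of connected hosts, as an added example that is not part of the original tutorial. It runs the checks over a constructed netstat -an style sample (the numeric form of Listing 8, with invented addresses, ports and hosts) so it works offline; on a real system you would pipe the live netstat -an output into the same two functions.

```shell
# Added example (not from the developerWorks tutorial): an audit of
# `netstat -an` output. sample_netstat emits a constructed sample in the
# numeric form of Listing 8; every address, port and host in it is invented.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:143             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:10024         0.0.0.0:*               LISTEN
tcp        0      0 192.168.0.3:53          0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN
tcp        0      0 192.168.0.3:143         192.168.0.10:65452      ESTABLISHED
tcp        0      0 192.168.0.3:2049        192.168.0.11:62968      ESTABLISHED
tcp        1      0 192.168.0.3:2049        192.168.0.10:51900      CLOSE_WAIT
tcp        0      0 127.0.0.1:50123         127.0.0.1:22            ESTABLISHED
tcp6       0      0 :::22                   :::*                    LISTEN
tcp6       0      0 ::1:953                 :::*                    LISTEN
tcp6       0      0 fe80::21c:42ff:fe00:8:22 fe80::21c:42ff:fe00:9:52786 ESTABLISHED
udp        0      0 0.0.0.0:2049            0.0.0.0:*
udp        0      0 127.0.0.1:53            0.0.0.0:*
udp        0      0 0.0.0.0:67              0.0.0.0:*
EOF
}

# exposed_listeners: read netstat -an output on stdin and print
# "proto local-address" for every listening TCP socket and every bound UDP
# socket that is NOT confined to a loopback address, i.e. everything another
# machine could connect to (before any host firewall is taken into account).
# The host() helper strips ":port" after the LAST colon, so IPv6 addresses,
# which contain colons, are handled correctly (unlike `cut -d: -f1`).
exposed_listeners() {
    awk '
    function host(addr)  { sub(/:[^:]*$/, "", addr); return addr }
    function loopback(h) { return h ~ /^127\./ || h == "localhost" || h == "::1" }
    $1 ~ /^tcp/ && $NF == "LISTEN" && !loopback(host($4)) { print $1, $4 }
    $1 ~ /^udp/ && $5 ~ /:\*$/     && !loopback(host($4)) { print $1, $4 }
    '
}

# established_peers: remote hosts with an ESTABLISHED TCP connection, one per
# line with duplicates removed. Same idea as Listing 10, but IPv6-safe and
# with a fixed collation so the output order does not depend on the locale.
established_peers() {
    awk '
    function host(addr) { sub(/:[^:]*$/, "", addr); return addr }
    $1 ~ /^tcp/ && $NF == "ESTABLISHED" { print host($5) }
    ' | LC_ALL=C sort -u
}

echo "== listening sockets reachable from other machines =="
sample_netstat | exposed_listeners
echo "== hosts with established connections =="
sample_netstat | established_peers
```

On a live system replace sample_netstat with netstat -an (on Linux, netstat -anp as root also prints the owning PID and program, and ss -lntup gives the same listening view). Any wildcard (0.0.0.0 or :::) bind in the first list that you cannot explain is the thing to chase, because it is reachable from every network the host sits on; a service that only needs local clients, such as the 10024 and 953 entries in the sample, should stay bound to a loopback address.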

To find out about these other machines, you need to start looking at the other computers within your network.





