Difference between revisions of "Network Tools in Linux"

(ip, ifconfig, ipup, ipdown)
(ip, ifconfig, ipup, ipdown)
Line 96: Line 96:
   
 
Those tools can also be used to change the configuration of your network cards. Of course, only the root user is allowed to do that, here are a few examples. To try this out you need to replace the examples with the names of your network card. Beware that you will cut off your network access.
 
Those tools can also be used to change the configuration of your network cards. Of course, only the root user is allowed to do that, here are a few examples. To try this out you need to replace the examples with the names of your network card. Beware that you will cut off your network access.
To indicate that you need to do this as root I will write # as the prompt symbol insteas of $. The name of my card here is enp2s0f1.
+
To indicate that you need to do this as root I will write # as the prompt symbol insteas of $. The name of my card here is eth7. (Naming the network interfaces eth0, eth1, ... and so on was the original way the kernel used - today's distribution use different naming schemes)
   
 
<pre>
 
<pre>
   
# ifconfig enp2s0f1 10.11.12.13/24
+
# ifconfig eth7 10.11.12.13/24
 
# ifconfig enp2s0f1
 
# ifconfig enp2s0f1
enp2s0f1: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
+
eth7: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
 
inet 10.11.12.13 netmask 255.255.255.0 broadcast 10.11.12.255
 
inet 10.11.12.13 netmask 255.255.255.0 broadcast 10.11.12.255
 
ether 98:29:a6:2f:4f:3e txqueuelen 1000 (Ethernet)
 
ether 98:29:a6:2f:4f:3e txqueuelen 1000 (Ethernet)
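
Review bot: the second command of the example, "# ifconfig enp2s0f1", is left as unchanged context while the first command and the header of the printed output are renamed to eth7, so the revised example configures eth7 and then queries a differently named interface. Rename that line to "# ifconfig eth7" so the commands match the output. The reworded sentence also carries over the typo "insteas" (instead), and "today's distribution use" should read "today's distributions use".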

Revision as of 13:00, 27 March 2020


Motivation

We have learned the basics of how a network works. Now let's look at more tools that help you debug and troubleshoot network issues.

DNS Lookup

When you go to a website you do not need to remember the IP address. You use a name instead, e.g. you go to www.google.com. In order to find the associated IP address you need to look up that name. The tools for that are host, nslookup and dig. For simple lookups I prefer host, while the other tools give you more detailed information about how the lookup worked.

$ host www.google.com
www.google.com has address 172.217.16.196
www.google.com has IPv6 address 2a00:1450:4001:817::2004

Sometimes you want to define aliases for certain hosts. Especially in your private network at home you will not want to run your own DNS system. A simple file that relates IP addresses to names will be sufficient to make your life easier. This is the /etc/hosts file, where you can add names for your IP addresses. E.g. your hosts file could look like this:

$ cat /etc/hosts
127.0.0.1	localhost
::1     localhost ip6-localhost ip6-loopback

192.168.19.27 laptop1 acer
192.168.19.101 handy lg200
192.168.19.1 netgear

In this example we have defined 3 names in the 192.168.19.0/24 network. You can add alias names after the first name. It is also good to have the name of your own computer defined. Also the loopback interface should be named localhost. In the above example we also name the IPv6 address (::1) to be localhost.

ping

Ping is a tool that sends out a special packet (ICMP Echo) to another station and receives the answer from the other side. This is useful to see if the other station is alive or if the network connection to the other side is working. Of course the other side could choose not to answer the packet, or there could be a firewall between us and the remote side that filters either the request packet or the response.

[Image: submarine]

Ping comes from sonar, where a short sound is sent out (a Ping) and the echo is used to find out if there is an object ahead and how far it is away. The network ping also measures the time that it takes for the response.

You can tell the ping tool how many packets to send, at what interval, and what the size of the packets should be. On Linux the default number of packets is infinite, so you need to interrupt the tool by pressing Ctrl-C.

$ ping www.google.com
PING www.google.com (172.217.16.196) 56(84) bytes of data.
64 bytes from fra16s08-in-f196.1e100.net (172.217.16.196): icmp_seq=1 ttl=53 time=16.7 ms
64 bytes from fra16s08-in-f196.1e100.net (172.217.16.196): icmp_seq=2 ttl=53 time=14.3 ms
64 bytes from fra16s08-in-f196.1e100.net (172.217.16.196): icmp_seq=3 ttl=53 time=14.4 ms
^C
--- www.google.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 5ms
rtt min/avg/max/mdev = 14.304/15.130/16.672/1.091 ms

What we see above: We sent 3 packets to a Google server and got 3 responses. The packets are numbered with a sequence id, so we would know if packets are missing in between or if the packets arrived in a different order. We also see the time in milliseconds for the round trip. Here about 14ms.

Here ping also does a reverse lookup on the IP address. This can be avoided with the -n switch of ping. Use it if you are cut off from the network, since then the reverse lookup will not work but you still want to use the ping tool to troubleshoot.

Then there is the ttl value: Each time a packet is forwarded from one network segment to the next, the ttl counter of the packet is decreased by one. The packet is sent with an initial value and if the counter ever gets to zero, the packet is thrown away (and the sender is notified that its packet was thrown away). Most of the time either 64 or 255 is used as a start value. In our case it was most likely 64 that was used by Google in its return packet. From this we can infer that the distance, measured in the number of networks in between, is about 12 hops.

If there is packet loss then the quality of the transmission is bad. On a TCP/IP connection a station is supposed to lower its transmission rate when it encounters packet loss, so the speed of a connection will rapidly drop. For details see: https://en.wikipedia.org/wiki/TCP_congestion_control


The reason for dropped packets could be transmission errors, e.g. on a wireless connection, or, most often, a saturated link in between: when the bandwidth of a link is used up, the router has to drop packets.

It is often useful to send pings with different packet sizes and see how they behave. (Sometimes small packets get through while longer ones are dropped.)
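
The sequence-number and ttl reasoning from this section can be applied to saved ping output automatically. The following is an added example, not part of the original page; the reply lines are constructed, and 128 as a third start value is an assumption beyond the 64 and 255 named above.

```python
import re

# Constructed sample of `ping -n` reply lines (192.0.2.10 is a documentation address).
SAMPLE = """\
64 bytes from 192.0.2.10: icmp_seq=1 ttl=53 time=16.7 ms
64 bytes from 192.0.2.10: icmp_seq=2 ttl=53 time=14.3 ms
64 bytes from 192.0.2.10: icmp_seq=5 ttl=53 time=14.9 ms
64 bytes from 192.0.2.10: icmp_seq=4 ttl=53 time=31.2 ms
64 bytes from 192.0.2.10: icmp_seq=6 ttl=52 time=14.4 ms
"""

# 64 and 255 are the start values named in the text; 128 is an added
# assumption (another widely used default).
INITIAL_TTLS = (64, 128, 255)
REPLY = re.compile(r"icmp_seq=(\d+) ttl=(\d+) time=([\d.]+) ms")

def estimate_hops(ttl):
    """Guess the sender's start TTL as the next common value >= ttl."""
    start = min(v for v in INITIAL_TTLS if v >= ttl)
    return start, start - ttl  # (assumed start value, routers passed)

def analyse(output):
    """Summarise reply lines: gaps, late arrivals and TTL-based distance."""
    replies = [(int(s), int(t), float(r)) for s, t, r in REPLY.findall(output)]
    if not replies:
        return None  # nothing answered: host down, filtered, or no route
    seqs = [s for s, _, _ in replies]
    expected = range(min(seqs), max(seqs) + 1)
    missing = sorted(set(expected) - set(seqs))
    ttls = sorted({t for _, t, _ in replies})
    return {
        "missing": missing,  # sequence ids that never came back
        "loss_pct": round(100 * len(missing) / len(expected), 1),
        # A reply whose id is lower than the one before it arrived late.
        "late": [s for prev, s in zip(seqs, seqs[1:]) if s < prev],
        # More than one TTL in a run suggests the reply path changed length.
        "ttls": ttls,
        "hops": {t: estimate_hops(t) for t in ttls},
    }
```
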


traceroute

If you want to know which path your packets are taking, you can use traceroute, e.g.:

$ traceroute www.google.com
traceroute to www.google.com (172.217.22.68), 30 hops max, 60 byte packets
 1  * * *
 2  ten2-533-r01interxion.bb.funkfeuer.at (78.41.115.113)  1.758 ms  1.726 ms  1.675 ms
 3  144.208.213.177 (144.208.213.177)  2.584 ms  2.552 ms  2.510 ms
 4  ae1-0.bbr02.anx84.nue.de.anexia-it.net (144.208.208.137)  14.301 ms  14.281 ms  14.275 ms
 5  ae0-0.bbr01.anx84.nue.de.anexia-it.net (144.208.208.139)  14.237 ms  14.217 ms  14.147 ms
 6  ae2-0.bbr02.anx25.fra.de.anexia-it.net (144.208.208.141)  14.167 ms  14.047 ms  14.003 ms
 7  209.85.149.86 (209.85.149.86)  13.940 ms  13.684 ms  13.611 ms
 8  108.170.252.1 (108.170.252.1)  14.202 ms  14.967 ms  14.930 ms
 9  72.14.232.35 (72.14.232.35)  14.911 ms 72.14.232.33 (72.14.232.33)  14.863 ms 72.14.232.35 (72.14.232.35)  14.849 ms
10  fra15s17-in-f68.1e100.net (172.217.22.68)  14.833 ms  14.763 ms  13.523 ms

traceroute shows us the path that our packets are traveling. Above we see that Google is 10 hops away. Traceroute also uses DNS lookups to print names instead of IPs. We can turn this off with the -n switch again. We also see the time that it takes to reach the routers in between. So if a connection does not work, we can see where the issue is. In many cases there are firewalls that prevent us from seeing the packets. * * * is shown for these systems.

How does traceroute work? It sends out packets like ping, but it sets a low TTL value so that the packets are thrown away by the routers. The router then informs us. This way we can learn which way outgoing packets are traveling. The TTL starts with 0 and increases by 1 for each router we want to discover. So the next time your internet is not working you can use this to find out if your line is down, your internet provider has a problem, or the internet provider of the server you want to reach has issues. Be sure to use the -n option to turn off reverse-DNS lookup.

In today's Internet, packets often travel different ways in each direction. Traceroute only shows the outgoing path.
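
To answer "where does the path stop working?" from saved traceroute output, the hop lines can be parsed and summarised. This is an added example, not part of the original page; PAGE_TRACE is the output shown above, BROKEN_TRACE is a constructed failure case, and the function names are made up for the illustration.

```python
import re

# Output copied from the traceroute run shown above.
PAGE_TRACE = """\
traceroute to www.google.com (172.217.22.68), 30 hops max, 60 byte packets
 1  * * *
 2  ten2-533-r01interxion.bb.funkfeuer.at (78.41.115.113)  1.758 ms  1.726 ms  1.675 ms
 3  144.208.213.177 (144.208.213.177)  2.584 ms  2.552 ms  2.510 ms
 4  ae1-0.bbr02.anx84.nue.de.anexia-it.net (144.208.208.137)  14.301 ms  14.281 ms  14.275 ms
 5  ae0-0.bbr01.anx84.nue.de.anexia-it.net (144.208.208.139)  14.237 ms  14.217 ms  14.147 ms
 6  ae2-0.bbr02.anx25.fra.de.anexia-it.net (144.208.208.141)  14.167 ms  14.047 ms  14.003 ms
 7  209.85.149.86 (209.85.149.86)  13.940 ms  13.684 ms  13.611 ms
 8  108.170.252.1 (108.170.252.1)  14.202 ms  14.967 ms  14.930 ms
 9  72.14.232.35 (72.14.232.35)  14.911 ms 72.14.232.33 (72.14.232.33)  14.863 ms 72.14.232.35 (72.14.232.35)  14.849 ms
10  fra15s17-in-f68.1e100.net (172.217.22.68)  14.833 ms  14.763 ms  13.523 ms
"""
# Constructed failure case: same path, but nothing answers beyond hop 6.
BROKEN_TRACE = "\n".join(PAGE_TRACE.splitlines()[:7] + [" 7  * * *", " 8  * * *"])

ADDR = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\)")
RTT = re.compile(r"([\d.]+) ms")

def parse(output):
    """Return (target_ip, hops); a hop without RTTs printed only '* * *'."""
    lines = [l for l in output.splitlines() if l.strip()]
    target = ADDR.search(lines[0]).group(1)
    hops = []
    for line in lines[1:]:
        ttl, rest = line.split(None, 1)
        hops.append({"ttl": int(ttl), "addrs": sorted(set(ADDR.findall(rest))),
                     "rtts": [float(x) for x in RTT.findall(rest)]})
    return target, hops

def summarise(output):
    """Locate where the path stops answering and where latency is added."""
    target, hops = parse(output)
    answered = [h for h in hops if h["rtts"]]
    best = [(h["ttl"], min(h["rtts"])) for h in answered]
    jumps = [(b[0], round(b[1] - a[1], 3)) for a, b in zip(best, best[1:])]
    return {
        "reached": bool(answered) and target in answered[-1]["addrs"],
        "last_answering_ttl": answered[-1]["ttl"] if answered else None,
        "silent_ttls": [h["ttl"] for h in hops if not h["rtts"]],
        "multipath_ttls": [h["ttl"] for h in hops if len(h["addrs"]) > 1],
        "largest_rtt_jump": max(jumps, key=lambda j: j[1]) if jumps else None,
    }
```

A silent hop in the middle of a trace that still reaches the target only means that router does not answer; silent hops at the end with "reached" false point to the segment after the last answering hop.
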

ip, ifconfig, ipup, ipdown

We already learned about ifconfig and ip in the [section]

Those tools can also be used to change the configuration of your network cards. Of course, only the root user is allowed to do that. Here are a few examples. To try this out you need to replace the interface name in the examples with the name of your network card. Beware that you will cut off your network access. To indicate that you need to do this as root I will write # as the prompt symbol instead of $. The name of my card here is eth7. (Naming the network interfaces eth0, eth1, ... and so on was the original scheme used by the kernel; today's distributions use different naming schemes.)


# ifconfig eth7 10.11.12.13/24
# ifconfig eth7
eth7: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet 10.11.12.13  netmask 255.255.255.0  broadcast 10.11.12.255
        ether 98:29:a6:2f:4f:3e  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device interrupt 125  base 0x9000