Linux networking monitoring tools work on all networks– Linux, BSD, Mac, Unix, and Windows.
Monitoring traffic on your network is only as important as the data and computers you want to protect. Understanding how to do basic network troubleshooting will save you both in wasted time and money. Every Linux operating system comes with a number of command line tools to help you diagnose a network problem. In addition, there are any number of open source tools available to help you track down pesky network issues.
Knowing a few simple commands and when to use them will help you get started as a network diagnostic technician. We’ll use Ubuntu 10.04 desktop as our test platform, although all of these work in other distros as well.
Good Old Ping
If you’re uncomfortable using the Linux command line from a terminal, you might as well stop reading at this point or at least skip to the other applications. In reality, there’s nothing to be afraid of when it comes to the Linux command line, especially when it comes to diagnosing a network problem. Most commands simply display information that can help you determine what’s happening. Some will require root permissions or at least the ability to issue the sudo command.
First and foremost is the ifconfig command. Typing this at a command prompt will display information about all known network devices. In the example below you can see eth0, lo and wlan0. These correspond to a wired Ethernet device (assigned address 192.168.1.2), the lo or loopback connection, and a wireless Ethernet device (address 192.168.1.102). It also shows the mac address of the device (HWaddr) and some statistics about the traffic. This should be your first command if you’re having network troubles to see if you have a valid IP address and if you see any traffic counts or errors.
The ping command should be your second tool of choice to determine if your computer is communicating with the outside world. Issuing a ping command to a known address (like 184.108.40.206) will quickly show if you have connectivity or not. It will also show you the time it took for the ping command to complete. Typical ping times for a DSL-type connection should be somewhere around 50 ms.
After the first two you should probably use the route command. This will show a list of IP addresses including the Destination and Gateway addresses connected to each interface along with some additional information including a Flags column. This column will have the letter G on the line associated with your default gateway. You can use this address in a ping command to determine if your machine has connectivity with the gateway.
EtherApe is available for download from the Ubuntu Software Center. It uses GNOME and libpcap to present a graphical map of all network traffic seen by the selected interface. After installation you should see the EtherApe icon under the Applications / System Tools menu. When we ran it this way, it wasn’t able to open any of the network devices as this requires root access. We were able to get it to run from the command line using sudo as follows:
$ sudo etherape
Once you have the program running it should start displaying a graphical representation of the traffic seen on the default Ethernet interface. You can select a specific device if your computer has multiple Ethernet interfaces using the Capture / Interfaces menu. EtherApe also has the ability to view data from a saved pcap file and show traffic by protocol.
Nmap is a widely used security scanner tool originally released in 1997. It uses a variety of special packets to probe a network for any number of purposes including creating an IP map of addresses, determining the operating system of a specific target IP address and probing a range of IP ports at a specific address. One of the most basic issues is to do what’s called a ping sweep, meaning a series of ping commands to determine what addresses have computers attached to them. This can be accomplished with the following command:
$ nmap -sP 192.168.1.1-255
There are a number of graphical applications available from the Ubuntu Software Center that use nmap as the engine and then display the results in a more user-friendly way. These include NmapSI4, which uses a Qt4 interface, and Zenmap.
Capturing network traffic for further analysis is the primary function of tcpdump. Actually, the packet capturing is accomplished by libpcap while the actual presentation and analysis is done with tcpdump. Raw Ethernet data is stored in the pcap file format for further examination. This same file format is used by other packet analysis tools such as Wireshark.
A typical tcpdump command to capture basic traffic would be:
$ sudo tcpdump nS
The sudo is required to gain access to the default Ethernet device. This command will display basic information including time, source and destination addresses and packet type. It will continue displaying information in the terminal until you press control-C. Tcpdump is the best and fastest way to capture network traffic to a file. A typical command to accomplish this would be:
$ sudo tcpdump s w pktfile.pcap
Wireshark, formerly known as Ethereal, has become the tool of choice for many, if not most, network professionals. (Ubuntu users will find it in the Ubuntu Software Center under the Internet tab.) As with some of the other tools, we had to launch Wireshark from the command line using sudo to get it to see the available Ethernet devices. Once launched you should see a list of available interfaces on the left-hand side of the main window. Selecting one of the available interfaces or the virtual interface that collects packets from all Ethernet devices will bring up the protocol display page.
Wireshark provides a wealth of information about the captured traffic along with tools to filter and display based on any number of criteria including source or destination address, protocol, or error status. The Wireshark homepage has links to video tutorials, white papers and sample data to help get you started in network sleuthing.
Linux is an ideal platform to learn network troubleshooting techniques. It offers a wide array of command line and GUI tools to analyze and visualize your network traffic.