Linux network monitoring basics

Linux

Examining and Monitoring a Network

 

Even if you’re not the system administrator, it’s often  helpful to examine the performance and operation of a network.

 

ping—Send a Special Packet to a Network Host

 

The most basic network  command is ping. The ping command sends a spe- cial network packet called an IMCP ECHO_REQUEST to a specified host. Most network  devices receiving this packet will reply to it, allowing the net- work connection to be verified.

 

Note: It is possible to configure most network devices (including Linux hosts) to ignore these packets. This is usually done for security reasons, to partially obscure a host from a potential attacker. It is also common for firewalls to be configured to block IMCP traffic.

For example, to see if we can reach  http://www.linuxcommand.org/, we can use ping like this:

 

$  ping  linuxcommand.org

 

Once  started, ping continues to send packets at a specified  interval

(default is 1 second) until it is interrupted:

 

$  ping  linuxcommand.org

PING  linuxcommand.org  (66.35.250.210) 56(84)  bytes  of data.

 

64 bytes from  vhost.sourceforge.net  (66.35.250.210):  icmp_seq=1  ttl=43  time=10

7 ms

64 bytes from  vhost.sourceforge.net  (66.35.250.210):  icmp_seq=2  ttl=43  time=10

8 ms

64 bytes from  vhost.sourceforge.net  (66.35.250.210):  icmp_seq=3  ttl=43  time=10

6 ms

64 bytes from  vhost.sourceforge.net  (66.35.250.210):  icmp_seq=4  ttl=43  time=10

6 ms

64 bytes from  vhost.sourceforge.net  (66.35.250.210):  icmp_seq=5  ttl=43  time=10

5 ms

64 bytes from  vhost.sourceforge.net  (66.35.250.210):  icmp_seq=6  ttl=43  time=10

7 ms

 

--- linuxcommand.org  ping  statistics ---

6 packets  transmitted,  6  received, 0%  packet  loss, time  6010ms rtt min/avg/max/mdev  = 105.647/107.052/108.118/0.824  ms

 

After it is interrupted (in this case after the sixth packet) by the pressing of CTRL-C, ping prints  performance statistics. A properly performing network will exhibit  zero percent packet  loss. A successful ping will indicate that the elements of the network  (its interface cards, cabling,  routing, and gateways) are in generally  good working order.

 

traceroute—Trace the Path of a Network Packet

 

The traceroute program (some  systems use the similar tracepath program instead) displays a listing of all the “hops” network  traffic takes to get from the local system to a specified  host. For example, to see the route taken  to reach  http://www.slashdot.org/, we would do this:

 

$  traceroute  slashdot.org

 

The output looks like this:

 

traceroute  to  slashdot.org  (216.34.181.45),  30  hops max,  40  byte packets

1   ipcop.localdomain  (192.168.1.1)    1.066  ms    1.366   ms   1.720  ms

2   *  * *

3   ge-4-13-ur01.rockville.md.bad.comcast.net  (68.87.130.9)    14.622  ms   14.885

ms   15.169   ms

4   po-30-ur02.rockville.md.bad.comcast.net  (68.87.129.154)    17.634  ms   17.626

ms   17.899   ms

5   po-60-ur03.rockville.md.bad.comcast.net  (68.87.129.158)    15.992  ms   15.983 ms   16.256   ms

6   po-30-ar01.howardcounty.md.bad.comcast.net  (68.87.136.5)    22.835  ms   14.23

3 ms   14.405  ms

7   po-10-ar02.whitemarsh.md.bad.comcast.net  (68.87.129.34)    16.154  ms   13.600 ms   18.867   ms

8   te-0-3-0-1-cr01.philadelphia.pa.ibone.comcast.net  (68.86.90.77)    21.951   ms

21.073  ms    21.557  ms

9   pos-0-8-0-0-cr01.newyork.ny.ibone.comcast.net  (68.86.85.10)    22.917  ms   21

.884 ms   22.126   ms

10   204.70.144.1 (204.70.144.1)   43.110  ms   21.248  ms    21.264  ms

11   cr1-pos-0-7-3-1.newyork.savvis.net  (204.70.195.93)    21.857  ms cr2-pos-0-0-

3-1.newyork.savvis.net (204.70.204.238)    19.556  ms cr1-pos-0-7-3-1.newyork.sav vis.net (204.70.195.93)    19.634  ms

12   cr2-pos-0-7-3-0.chicago.savvis.net  (204.70.192.109)    41.586  ms   42.843  ms cr2-tengig-0-0-2-0.chicago.savvis.net  (204.70.196.242)    43.115  ms

13   hr2-tengigabitethernet-12-1.elkgrovech3.savvis.net  (204.70.195.122)    44.21

5 ms   41.833  ms    45.658   ms

14   csr1-ve241.elkgrovech3.savvis.net  (216.64.194.42)    46.840  ms   43.372  ms    4

7.041 ms

15   64.27.160.194  (64.27.160.194)    56.137  ms   55.887 ms   52.810  ms

16   slashdot.org  (216.34.181.45)   42.727   ms    42.016  ms   41.437  ms

 

In the output, we can see that connecting from our test system to http:// www.slashdot.org/ requires traversing  16 routers. For routers that  provide identifying information, we see their  hostnames, IP addresses,  and perform- ance data, which include three samples of round-trip time from the local system to the router. For routers that do not provide  identifying information (because of router configuration, network  congestion, firewalls, etc.),  we see asterisks as in the line for hop  number two.

 

netstat—Examine Network Settings and Statistics

 

The netstat program is used to examine various network  settings and statis- tics. Through the use of its many options, we can look at a variety of features in our network  setup.  Using the -ie option, we can examine the network interfaces in our system:

 

$  netstat -ie

eth0        Link  encap:Ethernet    HWaddr  00:1d:09:9b:99:67

inet addr:192.168.1.2  Bcast:192.168.1.255  Mask:255.255.255.0 inet6  addr:  fe80::21d:9ff:fe9b:9967/64  Scope:Link

UP  BROADCAST RUNNING  MULTICAST     MTU:1500    Metric:1

RX  packets:238488 errors:0 dropped:0  overruns:0  frame:0

TX  packets:403217 errors:0 dropped:0  overruns:0  carrier:0

collisions:0  txqueuelen:100

RX  bytes:153098921  (146.0 MB)     TX  bytes:261035246  (248.9 MB)

Memory:fdfc0000-fdfe0000

 

lo            Link  encap:Local  Loopback

inet addr:127.0.0.1    Mask:255.0.0.0 inet6  addr:  ::1/128  Scope:Host

UP  LOOPBACK  RUNNING     MTU:16436    Metric:1

RX  packets:2208 errors:0  dropped:0 overruns:0  frame:0

TX  packets:2208 errors:0  dropped:0 overruns:0  carrier:0 collisions:0  txqueuelen:0

RX  bytes:111490  (108.8 KB)    TX  bytes:111490 (108.8  KB)

 

In the example above, we see that our test system has two network  inter- faces. The first, called eth0, is the Ethernet interface; the second,  called lo, is the loopback interface, a virtual interface that the system uses to “talk to itself.”

When performing causal network  diagnostics, the important things to look for are the presence of the word UP at the beginning of the fourth line for each interface, indicating that the network  interface is enabled, and the presence of a valid IP address  in the inet addr field on the second  line. For systems using Dynamic Host Configuration Protocol (DHCP), a valid IP address in this field will verify that the DHCP is working.

Using the -r option will display the kernel’s network  routing table. This shows how the network  is configured to send packets from network to network:

 

$  netstat -r

Kernel  IP  routing  table

Destination    Gateway                Genmask                Flags       MSS  Window    irtt Iface

192.168.1.0   *                      255.255.255.0 U                   0 0                   0  eth0     default

192.168.1.1 0.0.0.0                UG                 0 0                   0 eth0

 

In this simple example, we see a typical routing table for a client machine on a local area network  (LAN) behind a firewall/router. The first line of the listing shows the destination 192.168.1.0. IP addresses  that end in zero refer to networks rather than  individual  hosts, so this destination means any host on the LAN. The next field, Gateway, is the name  or IP address of the gateway (router) used to go from the current host to the destination network.  An asterisk in this field indicates that no gateway is needed.

The last line contains the destination default. This means any traffic destined for a network that is not otherwise listed in the table. In our example, we see that the gateway is defined as a router with the address  of 192.168.1.1, which presumably knows what to do with the destination traffic.

The netstat program has many options, and we have looked  at only a couple.  Check out the netstat man page for a complete list.

 

In case of any ©Copyright or missing credits issue please check CopyRights page for faster resolutions.

Leave a Reply