Monitoring Network Basics In Linux Environment
Examining and Monitoring a Network
Even if you’re not the system administrator, it’s often helpful to examine the performance and operation of a network.
ping—Send a Special Packet to a Network Host
The most basic network command is ping. The ping command sends a spe- cial network packet called an IMCP ECHO_REQUEST to a specified host. Most network devices receiving this packet will reply to it, allowing the net- work connection to be verified.
Note: It is possible to configure most network devices (including Linux hosts) to ignore these packets. This is usually done for security reasons, to partially obscure a host from a potential attacker. It is also common for firewalls to be configured to block IMCP traffic.
For example, to see if we can reach http://www.linuxcommand.org/, we can use ping like this:
$ ping linuxcommand.org
Once started, ping continues to send packets at a specified interval
(default is 1 second) until it is interrupted:
$ ping linuxcommand.org
PING linuxcommand.org (22.214.171.124) 56(84) bytes of data.
64 bytes from vhost.sourceforge.net (126.96.36.199): icmp_seq=1 ttl=43 time=10 7 ms 64 bytes from vhost.sourceforge.net (188.8.131.52): icmp_seq=2 ttl=43 time=10 8 ms 64 bytes from vhost.sourceforge.net (184.108.40.206): icmp_seq=3 ttl=43 time=10 6 ms 64 bytes from vhost.sourceforge.net (220.127.116.11): icmp_seq=4 ttl=43 time=10 6 ms 64 bytes from vhost.sourceforge.net (18.104.22.168): icmp_seq=5 ttl=43 time=10 5 ms 64 bytes from vhost.sourceforge.net (22.214.171.124): icmp_seq=6 ttl=43 time=10 7 ms --- linuxcommand.org ping statistics --- 6 packets transmitted, 6 received, 0% packet loss, time 6010ms rtt min/avg/max/mdev = 105.647/107.052/108.118/0.824 ms
After it is interrupted (in this case after the sixth packet) by the pressing of CTRL-C, ping prints performance statistics. A properly performing network will exhibit zero percent packet loss. A successful ping will indicate that the elements of the network (its interface cards, cabling, routing, and gateways) are in generally good working order.
traceroute—Trace the Path of a Network Packet
The traceroute program (some systems use the similar tracepath program instead) displays a listing of all the “hops” network traffic takes to get from the local system to a specified host. For example, to see the route taken to reach http://www.slashdot.org/, we would do this:
$ traceroute slashdot.org
The output looks like this:
traceroute to slashdot.org (126.96.36.199), 30 hops max, 40 byte packets 1 ipcop.localdomain (192.168.1.1) 1.066 ms 1.366 ms 1.720 ms 2 * * * 3 ge-4-13-ur01.rockville.md.bad.comcast.net (188.8.131.52) 14.622 ms 14.885 ms 15.169 ms 4 po-30-ur02.rockville.md.bad.comcast.net (184.108.40.206) 17.634 ms 17.626 ms 17.899 ms 5 po-60-ur03.rockville.md.bad.comcast.net (220.127.116.11) 15.992 ms 15.983 ms 16.256 ms 6 po-30-ar01.howardcounty.md.bad.comcast.net (18.104.22.168) 22.835 ms 14.23 3 ms 14.405 ms 7 po-10-ar02.whitemarsh.md.bad.comcast.net (22.214.171.124) 16.154 ms 13.600 ms 18.867 ms 8 te-0-3-0-1-cr01.philadelphia.pa.ibone.comcast.net (126.96.36.199) 21.951 ms 21.073 ms 21.557 ms 9 pos-0-8-0-0-cr01.newyork.ny.ibone.comcast.net (188.8.131.52) 22.917 ms 21 .884 ms 22.126 ms 10 184.108.40.206 (220.127.116.11) 43.110 ms 21.248 ms 21.264 ms 11 cr1-pos-0-7-3-1.newyork.savvis.net (18.104.22.168) 21.857 ms cr2-pos-0-0- 3-1.newyork.savvis.net (22.214.171.124) 19.556 ms cr1-pos-0-7-3-1.newyork.sav vis.net (126.96.36.199) 19.634 ms 12 cr2-pos-0-7-3-0.chicago.savvis.net (188.8.131.52) 41.586 ms 42.843 ms cr2-tengig-0-0-2-0.chicago.savvis.net (184.108.40.206) 43.115 ms 13 hr2-tengigabitethernet-12-1.elkgrovech3.savvis.net (220.127.116.11) 44.21 5 ms 41.833 ms 45.658 ms 14 csr1-ve241.elkgrovech3.savvis.net (18.104.22.168) 46.840 ms 43.372 ms 4 7.041 ms 15 22.214.171.124 (126.96.36.199) 56.137 ms 55.887 ms 52.810 ms 16 slashdot.org (188.8.131.52) 42.727 ms 42.016 ms 41.437 ms
In the output, we can see that connecting from our test system to http:// www.slashdot.org/ requires traversing 16 routers. For routers that provide identifying information, we see their hostnames, IP addresses, and perform- ance data, which include three samples of round-trip time from the local system to the router. For routers that do not provide identifying information (because of router configuration, network congestion, firewalls, etc.), we see asterisks as in the line for hop number two.
netstat—Examine Network Settings and Statistics
The netstat program is used to examine various network settings and statis- tics. Through the use of its many options, we can look at a variety of features in our network setup. Using the -ie option, we can examine the network interfaces in our system:
$ netstat -ie
eth0 Link encap:Ethernet HWaddr 00:1d:09:9b:99:67 inet addr:192.168.1.2 Bcast:192.168.1.255 Mask:255.255.255.0 inet6 addr: fe80::21d:9ff:fe9b:9967/64 Scope:Link UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:238488 errors:0 dropped:0 overruns:0 frame:0 TX packets:403217 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:100 RX bytes:153098921 (146.0 MB) TX bytes:261035246 (248.9 MB) Memory:fdfc0000-fdfe0000 lo Link encap:Local Loopback inet addr:127.0.0.1 Mask:255.0.0.0 inet6 addr: ::1/128 Scope:Host UP LOOPBACK RUNNING MTU:16436 Metric:1 RX packets:2208 errors:0 dropped:0 overruns:0 frame:0 TX packets:2208 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:111490 (108.8 KB) TX bytes:111490 (108.8 KB)
In the example above, we see that our test system has two network inter- faces. The first, called eth0, is the Ethernet interface; the second, called lo, is the loopback interface, a virtual interface that the system uses to “talk to itself.”
When performing causal network diagnostics, the important things to look for are the presence of the word UP at the beginning of the fourth line for each interface, indicating that the network interface is enabled, and the presence of a valid IP address in the inet addr field on the second line. For systems using Dynamic Host Configuration Protocol (DHCP), a valid IP address in this field will verify that the DHCP is working.
Using the -r option will display the kernel’s network routing table. This shows how the network is configured to send packets from network to network:
$ netstat -r Kernel IP routing table Destination Gateway Genmask Flags MSS Window irtt Iface 192.168.1.0 * 255.255.255.0 U 0 0 0 eth0 default 192.168.1.1 0.0.0.0 UG 0 0 0 eth0
In this simple example, we see a typical routing table for a client machine on a local area network (LAN) behind a firewall/router. The first line of the listing shows the destination 192.168.1.0. IP addresses that end in zero refer to networks rather than individual hosts, so this destination means any host on the LAN. The next field, Gateway, is the name or IP address of the gateway (router) used to go from the current host to the destination network. An asterisk in this field indicates that no gateway is needed.
The last line contains the destination default. This means any traffic destined for a network that is not otherwise listed in the table. In our example, we see that the gateway is defined as a router with the address of 192.168.1.1, which presumably knows what to do with the destination traffic.
The netstat program has many options, and we have looked at only a couple. Check out the netstat man page for a complete list.