Debianhelp.co.uk


Debian Network Tools For Administrators

We are going to see some of the network monitoring and network traffic related tools available in Debian

BWM - BandWidth Monitor

This is a very tiny bandwidth monitor (not X11). Can monitor up to 16 interfaces in the in the same time, and shows totals too.

Installing BWM in debian

#apt-get install bwm

This will complete the installation and if you want to see your network interfaces run the following command

#bwm

Output looks like below

Bandwidth Monitor 1.1.0

Iface RX(KB/sec) TX(KB/sec) Total(KB/sec)

lo 0.000 0.000 0.000
eth0 0.327 0.326 0.653
eth1 0.000 0.000 0.000

Total 0.327 0.326 0.653

Hit CTRL-C to end this madness.

If you want more options check bwm man page

Cutter - disconnect routed IP connections

Cutter will send packets to both ends of a tcp/ip connection to close the connection. It is designed to be used on a Linux router to disconnect unwanted connections.

Install Cutter in Debian

#apt-get install cutter

Reading package lists... Done
Building dependency tree... Done
The following NEW packages will be installed
cutter
0 upgraded, 1 newly installed, 0 to remove and 12 not upgraded.
Need to get 10.2kB of archives.
After unpacking 65.5kB of additional disk space will be used.
Get: 1 http://mirror.ox.ac.uk stable/main cutter 1.02-1 [10.2kB]
Fetched 10.2kB in 0s (68.3kB/s)
Selecting previously deselected package cutter.
(Reading database ... 41195 files and directories currently installed.)
Unpacking cutter (from .../cutter_1.02-1_i386.deb) ...
Setting up cutter (1.02-1) ...

This will completes the installation.

Cutter usage

usage: cutter ip [ port [ ip [ port ] ] ]

Example :- cutter 200.1.2.3 22 10.10.0.45 32451

If you want more options and how to use check cutter man page

doscan - port scanner for discovering services on large networks

doscan is a tool to discover TCP services on your network. It is designed for scanning a single ports on a large network. doscan contacts many hosts in parallel, using standard TCP sockets provided by the operating system. It is possible to send strings to remote hosts, and collect the banners they return.

There are better tools for scanning many ports on a small set of hosts, for example nmap.

Install doscan in debian

#apt-get install doscan

Reading package lists... Done
Building dependency tree... Done
The following NEW packages will be installed
doscan
0 upgraded, 1 newly installed, 0 to remove and 12 not upgraded.
Need to get 52.8kB of archives.
After unpacking 172kB of additional disk space will be used.
Get: 1 http://mirror.ox.ac.uk stable/main doscan 0.3.0-1 [52.8kB]
Fetched 52.8kB in 0s (253kB/s)
Selecting previously deselected package doscan.
(Reading database ... 41201 files and directories currently installed.)
Unpacking doscan (from .../doscan_0.3.0-1_i386.deb) ...
Setting up doscan (0.3.0-1) ...

This will completes the installation.

if you want to use doscan here is the examples

#doscan --banner 100 --port 13 192.0.2.1

Prints the time on the host 192.0.2.1 (if it runs a daytime server).

#doscan --banner 100 --receive '(.*)\n$' --port 22 192.0.2.0/24

Scan for SSH servers and record the banners (usually containing version information about the SSH server).

#doscan --banner 200 --receive '(.*?)\r?\n$' --port 25 192.0.2.0/24

Scan for SMTP servers and record their greeting messages. Works for FTP as well, with --port 21 instead of --port 25.

If you want more options and how to use check dosscan man page

dsniff - Various tools to sniff network traffic for cleartext insecurities

This package contains several tools to listen to and create network traffic:

* arpspoof - Send out unrequested (and possibly forged) arp replies.
* dnsspoof - forge replies to arbitrary DNS address / pointer queries
on the Local Area Network.
* dsniff - password sniffer for several protocols.
* filesnarf - saves selected files sniffed from NFS traffic.
* macof - flood the local network with random MAC addresses.
* mailsnarf - sniffs mail on the LAN and stores it in mbox format.
* msgsnarf - record selected messages from different Instant Messengers.
* sshmitm - SSH monkey-in-the-middle. proxies and sniffs SSH traffic.
* sshow - SSH traffic analyser
* tcpkill - kills specified in-progress TCP connections.
* tcpnice - slow down specified TCP connections via "active"
traffic shaping.
* urlsnarf - output selected URLs sniffed from HTTP traffic in CLF.
* webmitm - HTTP / HTTPS monkey-in-the-middle. transparently proxies.
* webspy - sends URLs sniffed from a client to your local browser.

Install dsniff in debian

#apt-get install dsniff

Reading package lists... Done
Building dependency tree... Done
The following extra packages will be installed:
libnet0 libnet1 libnids1 libpcap0.8
The following NEW packages will be installed
dsniff libnet0 libnet1 libnids1 libpcap0.8
0 upgraded, 5 newly installed, 0 to remove and 12 not upgraded.
Need to get 288kB of archives.
After unpacking 885kB of additional disk space will be used.
Get: 1 http://mirror.ox.ac.uk stable/main libnet1 1.1.2.1-2 [50.5kB]
Get: 2 http://mirror.ox.ac.uk stable/main libpcap0.8 0.8.3-5 [81.8kB]
Get: 3 http://mirror.ox.ac.uk stable/main libnids1 1.20-1 [21.7kB]
Get: 4 http://mirror.ox.ac.uk stable/main libnet0 1.0.2a-7 [20.9kB]
Get: 5 http://mirror.ox.ac.uk stable/main dsniff 2.4b1-9 [113kB]
Fetched 288kB in 0s (456kB/s)
Selecting previously deselected package libnet1.
(Reading database ... 41210 files and directories currently installed.)
Unpacking libnet1 (from .../libnet1_1.1.2.1-2_i386.deb) ...
Selecting previously deselected package libpcap0.8.
Unpacking libpcap0.8 (from .../libpcap0.8_0.8.3-5_i386.deb) ...
Selecting previously deselected package libnids1.
Unpacking libnids1 (from .../libnids1_1.20-1_i386.deb) ...
Selecting previously deselected package libnet0.
Unpacking libnet0 (from .../libnet0_1.0.2a-7_i386.deb) ...
Selecting previously deselected package dsniff.
Unpacking dsniff (from .../dsniff_2.4b1-9_i386.deb) ...
Setting up libnet1 (1.1.2.1-2) ...

Setting up libpcap0.8 (0.8.3-5) ...

Setting up libnids1 (1.20-1) ...

Setting up libnet0 (1.0.2a-7) ...

Setting up dsniff (2.4b1-9) ...

this will complete the installation

If you want to know how to use and more options check dsniff man page

ethereal - network traffic analyzer

Ethereal is a network traffic analyzer, or "sniffer", for Unix and Unix-like operating systems. A sniffer is a tool used to capture packets off the wire. Ethereal decodes numerous protocols (too many to list).

This package provides ethereal (the GTK+ version)

Install ethereal in Debian

#apt-get install ethereal

Reading package lists... Done
Building dependency tree... Done
The following extra packages will be installed:
ethereal-common libadns1 libatk1.0-0 libgtk2.0-0 libgtk2.0-bin libgtk2.0-common libpango1.0-0 libpango1.0-common libxcursor1
Suggested packages:
ttf-kochi-gothic ttf-kochi-mincho ttf-thryomanes ttf-baekmuk ttf-arphic-gbsn00lp ttf-arphic-bsmi00lp ttf-arphic-gkai00mp ttf-arphic-bkai00mp
Recommended packages:
gksu libadns1-bin libatk1.0-data hicolor-icon-theme x-ttcidfont-conf
The following NEW packages will be installed
ethereal ethereal-common libadns1 libatk1.0-0 libgtk2.0-0 libgtk2.0-bin libgtk2.0-common libpango1.0-0 libpango1.0-common libxcursor1
0 upgraded, 10 newly installed, 0 to remove and 12 not upgraded.
Need to get 10.5MB of archives.
After unpacking 35.1MB of additional disk space will be used.
Do you want to continue [Y/n]?y

this will complete the installation

This is completely GTK interface program you can easily operate

etherwake - A little tool to send magic Wake-on-LAN packets

You can wake up WOL compliant Computers which have been powered down to sleep mode or start WOL compliant Computers with a BIOS feature.

WOL is an abbreviation for Wake-on-LAN. It is a standard that allows you to turn on a computer from another location over a network connection.

etherwake also supports WOL passwords.

Install etherwake in Debian

#apt-get install etherwake

Reading package lists... Done
Building dependency tree... Done
The following NEW packages will be installed
etherwake
0 upgraded, 1 newly installed, 0 to remove and 12 not upgraded.
Need to get 8620B of archives.
After unpacking 73.7kB of additional disk space will be used.
Get: 1 http://mirror.ox.ac.uk stable/main etherwake 1.08-1 [8620B]
Fetched 8620B in 0s (59.4kB/s)
Selecting previously deselected package etherwake.
(Reading database ... 41724 files and directories currently installed.)
Unpacking etherwake (from .../etherwake_1.08-1_i386.deb) ...
Setting up etherwake (1.08-1) ...

this will complete the installation.If you want to use etherwake you need to specify the following command

#etherwake <macaddress>

Example :- etherwake 00:11:22:33:44:55

If you want to know more option on etherwake and how to use check etherwake man page

ethstats - script that quickly measures network device throughput

ethstats works by parsing the /proc/net/dev file that the Linux kernel maintains, and thus utilizes a negligible amount of CPU time. ethstats shows the throughput of each device in both megabits per second and packets per second.

Install ethstats in debian

#apt-get install ethstats

this will complete the installation.If you want to use ethstats run the following command

#ethstats

Output looks like below

total: 0.01 Mb/s In 0.00 Mb/s Out - 7.0 p/s In 5.0 p/s Out
eth0: 0.01 Mb/s In 0.00 Mb/s Out - 7.0 p/s In 5.0 p/s Out
eth1: 0.00 Mb/s In 0.00 Mb/s Out - 0.0 p/s In 0.0 p/s Out

If you want to know more option on ethstats and how to use check ethstats man page

ethstatus - Console-based ethernet statistics monitor

Ethstatus is a console-based monitoring utility for displaying statistical data of the ethernet interface on a quantity basis. It is similar to iptraf but is meant to run as a permanent console task to monitor the network load.

Install ethstatus in debian

#apt-get install ethstatus

this will complete the installation.If you want to use ethstatus you need to specify the following command

#ethstatus

output looks like below

If you want to know more option on ethstatus and how to use check ethstatus man page

ettercap - Multipurpose sniffer/interceptor/logger for switched LAN

Ettercap supports active and passive dissection of many protocols (even ciphered ones) and includes many feature for network and host analysis.

Data injection in an established connection and filtering (substitute or drop a packet) on the fly is also possible, keeping the connection synchronized.

Many sniffing modes were implemented to give you a powerful and complete sniffing suite. It's possible to sniff in four modes: IP Based, MAC Based, ARP Based (full-duplex) and PublicARP Based (half-duplex).

It has the ability to check whether you are in a switched LAN or not, and to use OS fingerprints (active or passive) to let you know the geometry of the LAN.

Install ettercap in debian

#apt-get install ettercap

After installing this try to run the following command to select the user interface to use this program

#ettercap

ftm - Frogfoot Networks Traffic Monitoring Utility

This is `ftm', a console utility used for monitoring networks using netfilter packet counters.

Install ftm in debian

#apt-get install ftm

Usage

#ftm <filename>

check man page of ftm for more options and how to use

ftpgrab - file mirroring utility

ftpgrab is a utility for maintaining FTP mirrors. In fact not unlike the "Mirror" perl program. However ftpgrab is oriented towards the smaller site which doesn't have the resources to mirror entire version trees of software.

The primary "plus point" of ftpgrab is that it can base download decisions by parsing version numbers out of filenames. For example, ftpgrab will recognize that the file "linux-2.2.2.tar.gz" is newer than "linux-2.2.1.tar.gz" based on the version string. It will then download the new version and delete the old one when it is done, thus saving you mirroring 10 kernel versions all at >10Mb each.

Install ftpgrab in debian

#apt-get install ftpgrab

check man page of ftpgrab for more options and how to use

hunt - Advanced packet sniffer and connection intrusion

Hunt is a program for intruding into a connection, watching it and resetting it.

Note that as hunt is operating on Ethernet, it is best used for connections which can be watched through it. However, it is possible to do something even for hosts on another segments or hosts that are on switched ports

Install hunt in debian

#apt-get install hunt

After installing if you want to run the program just use the following command

#hunt

this will display the following screen

/*
* hunt 1.5
* multipurpose connection intruder / sniffer for Linux
* (c) 1998-2000 by kra
*/
starting hunt
--- Main Menu --- rcvpkt 1, free/alloc 63/64 ------
l/w/r) list/watch/reset connections
u) host up tests
a) arp/simple hijack (avoids ack storm if arp used)
s) simple hijack
d) daemons rst/arp/sniff/mac
o) options
x) exit
->
select any option from this to run this program

If you want more options and how to use check hunt man page

httping - ping-like program for http-requests

httping show you how long it takes to connect to a hostname or remote url; send a request and retrieve the reply (only the headers).

Install httping in debian

#apt-get install httping

This will completes your installation.If you want to run this program type the following command

#httping -g http://www.debian.org

Output looks like below

PING www.debia.org:80 (http://www.debia.org):
connected to www.debia.org:80, seq=0 time=424.96 ms
connected to www.debia.org:80, seq=1 time=194.49 ms
connected to www.debia.org:80, seq=2 time=195.99 ms
connected to www.debia.org:80, seq=3 time=197.45 ms
connected to www.debia.org:80, seq=4 time=195.37 ms
connected to www.debia.org:80, seq=5 time=194.86 ms
--- http://www.debia.org ping statistics ---
6 connects, 6 ok, 0.00% failed
round-trip min/avg/max = 194.5/233.9/425.0 ms

If you want more options and how to use check httping man page

idswakeup - A tool for testing network intrusion detection systems.

idswakeup is a Bourne shell script invoking hping2 (required) and iwu (part of this package) to generate false alarms in order to check if a network intrusion detection system works all right.

idswakeup requires no configuration and includes many common attack simulations.

Install idswakeup in debian

#apt-get install idswakeup

If you want to use this program follow this syntax

Usage : /usr/sbin/idswakeup <src addr> <dst addr> [nb] [ttl]

If you want more options and how to use check idswakeup man page

ifmetric - Set routing metrics for a network interface

ifmetric is a Linux tool for setting the metrics of all IPv4 routes attached to a given network interface at once. This may be used to change the priority of routing IPv4 traffic over the interface. Lower metrics correlate with higher priorities

Install ifmetric in debian

#apt-get install ifmetric

If you want to use this program follow this syntax

Usage: ifmetric <iface> [metric]

If you want more options and how to use check ifmetric man page

ifplugd - A configuration daemon for ethernet devices

ifplugd is a daemon which will automatically configure your ethernet device when a cable is plugged in and automatically unconfigure it if the cable is pulled. This is useful on laptops with onboard network adapters, since it will only configure the interface when a cable is really connected.

Some features:

* May beep when the cable is unplugged, plugged, the interface configuration succeeded or failed.
* Syslog support
* small
* Multiple ethernet interface support
* Support for wireless networking. Whenever an association to an AP is detected the network is configured. Have a look on waproamd if you need a facility to configure WEP keys before AP associations succeed.
* Compatibility mode for network devices which do not support cable detection

Install ifplugd in debian

#apt-get install ifplugd

If you want to use this program follow this syntax

#ifplugd [options]

If you want more options and how to use check ifplugd man page

ifrename - Rename network interfaces based on various static criteria

Ifrename allow the user to decide what name a network interface will have. Ifrename can use a variety of selectors to specify how interface names match the network interfaces on the system, the most common selector is the interface MAC address.

Install ifrename in debian

#apt-get install ifrename

If you want to use this program follow this syntax

#ifrename [-c configfile] [-i interface] [-n newname]

If you want more options and how to use check ifrename man page

ifscheme - scheme control for network interfaces

ifscheme allows you to change network configuraton schemes or query the current scheme. It integrates with the ifup(8) command and interfaces(5). For example, you might use this program to configure a "home" scheme and a "work" scheme for a network device on a laptop. When you move between home and work, a simple command can reconfigure your networking

Install ifscheme in debian

#apt-get install ifscheme

If you want to use this program follow this syntax

#ifscheme [-v] [[-s] newscheme]

If you want more options and how to use check ifscheme man page

ifstat - InterFace STATistics Monitoring

ifstat is a tool to report network interfaces bandwith just like vmstat/iostat do for other system counters. It can monitor local interfaces by polling the kernel counters, or remote hosts interfaces using SNMP.

Install ifstat in debian

#apt-get install ifstat

If you want to use this program follow this syntax

#ifstat

Output looks like below

eth0
KB/s in KB/s out
0.20 0.22
0.20 0.20
0.20 0.20
0.20 0.20

If you want more options and how to use check ifstat man page

iftop - Display bandwidth usage on an interface

iftop does for network usage what top(1) does for CPU usage. It listens to network traffic on a named interface and displays a table of current bandwidth usage by pairs of hosts. Handy for answering the question "why is our ADSL link so slow?".

Install iftop in debian

#apt-get install iftop

If you want to use this program follow this syntax

#iftop -h | [-nNpbBP] [-i interface] [-f filter code] [-F net/mask] or #iftop

If you want more options and how to use check iftop man page

iog - Network I/O byte grapher

IOG is a network I/O byte grapher made to graph cumulative KB/MB/GB totals for hours/days and months. It is intended to be simple, fast (support thousands of hosts) and integrate well with MRTG. Data for each host is updated hourly and HTML graphs are created. It uses a data consolidation algorithm which allows for a small, non-growing database file for each host. No external graphing libs or executables are required.

Install iog in debian

#apt-get install iog

for more information check here http://www.dynw.com/iog/

ipband - daemon for subnet bandwidth monitoring with reporting via email

This is a daemon which can monitor as many different subnets (or individual hosts, by specifying a "subnet" of /32) as you'd like. The reporting facility will only be triggered when a defined bandwidth level had been exceeded for a defined time.

Information reported includes the connections which are taking up the most bandwidth (ip address and port pairs). Reporting is done via email.

Install ipband in debian

#apt-get install ipband

If you want to use this program here is one example

Example:

#ipband eth0 -f "net 10.10.0.0/16" -m 24 -a 300 -r 900

Will capture packets from/to ip addresses matching 10.10.0.0/255.255.0.0, tally traffic by the third octet,
calculate bandwidth utilization every 5 minutes and report per host traffic every 15 minutes.

If you want more options and how to use check ipband man page

iperf - Internet Protocol bandwidth measuring tool

Iperf is a modern alternative for measuring TCP and UDP bandwidth performance, allowing the tuning of various parameters and characteristics.

Features:

* Measure bandwidth, packet loss, delay jitter
* Report MSS/MTU size and observed read sizes.
* Support for TCP window size via socket buffers.
* Multi-threaded. Client and server can have multiple simultaneous
connections.
* Client can create UDP streams of specified bandwidth.
* Multicast and IPv6 capable.
* Options can be specified with K (kilo-) and M (mega-) suffices.
* Can run for specified time, rather than a set amount of data to transfer.
* Picks the best units for the size of data being reported.
* Server handles multiple connections.
* Print periodic, intermediate bandwidth, jitter, and loss reports at
specified intervals.
* Server can be run as a daemon.
* Use representative streams to test out how link layer compression affects
your achievable bandwidth.

Install iperf in debian

#apt-get install iperf

If you want to use this program follow this syntax

Usage: iperf [-s|-c host] [options]

If you want more options and how to use check iperf man page