Monday, June 27, 2011

Beginning networking in Ubuntu [Linux]

Since I'm trying to cover all the basics first so new users can jump right in to later topics by just reading these and the other posts I've released and *hopefully* gain and understanding of the most basic Linux commands and functions.

Each command listed below I will attempt to describe the basis for it's name, what it's acronym stands for (if necessary), the basic uses of it, a few more advanced uses of it, and any other information I (or any commentators!) see useful.


  • ifconfig --- Stands for "interface configuration," and is used to configure your network interfaces. While I post how-tos, I will often type [interface] which means that you should enter whichever network interface, without brackets, you want to use the command with.
    • Typing "ifconfig --help" brings up a help list of options you can use with your ifconfig command. I'll review and go over some useful ones here, but try checking out a bunch of them yourself since each person has their own uses and needs.
    • Pull up a terminal and type the "ifconfig" command and review what appears. For me, the interfaces "eth0," "lo," "wlan0," and "wlan0mon" come up. eth0 is my ethernet interface, wlan0 is my wireless interface, and wlan0mon is my wireless monitoring interface.
      Lets disable and enable some interfaces. My monitoring interface (meaning and interface that is being used to monitor networks, used when packet sniffing as seen in the aircrackng tutorial) isn't being used by me right now, so lets enable this one for you, then disable it to see how these commands work.
      Type "ifconfig wlan0mon up" --- it shouldn't echo back anything on the screen, but if you type "ifconfig" to review your interfaces, "wlan0mon" should be included in there! For me, it's in "promiscuous mode" which I will review later.
      Now lets disable it. Type "ifconfig wlan0mon down" and then type your "ifconfig" command again. It should be gone!
  • iwconfig --- like our ifconfig, but dealing with wireless interfaces. This command has much different commands which I will cover below.
    • Type in the "iwconfig" command and look at the results. They're like the ifconfig results. Type in "iwconfig --help" and look at all the additional options you can type.
    • First, the "ESSID" stands for the "Extended Service Set Identification (ID)" and is the alphanumeric name we give our computers to discern them from others on the network.
      • You can set the ESSID to anything, just type "iwconfig [interface] [essid]"
    • Next, the "mode" can be set to managed, ad-hoc, master, repeater, secondary, or monitor. The descriptions are taken from the "man iwconfig" file.
      • Managed --- "node (computer) connects to a network composed of many Access Points, with roaming"
      • Ad-hoc --- "network composed of only one cell and without Access Points"
      • Master --- "the node (computer) forward packets between other wireless nodes"
      • Secondary --- "the node (computer) acts as a backup master/repeater"
      • Monitor --- "the node (computer) is not associated with any cell and is passively monitor(s) all packets on the frequency)
      • Auto --- Automatic; self explanatory.
      • Examples: "iwconfig wlan0 mode monitor" or "iwconfig mon0 mode managed"
        If you have followed the installing Aircrack-ng tutorial and used the WEP/WPA cracking tutorial, you should be familiar with the "airmon-ng [interface] start" and "airmon-ng [interface] stop" commands; these change the interface from its current state to "monitor" mode, and from monitor mode to "managed" mode. You can test using these commands while using the iwconfig commands and see which one you like better.
    • Frequency --- this you shouldn't be too worried with, most interfaces work on the 2.46GHz frequency.
    • Channel --- In north America, the channel will be between 1-11 (in other countries and continents they go higher, but for now lets just worry about north America). As you work with networks and sniffing them, you will realize some networks tend to go on the same channels (1, 6, and 11, for example); to change your interface to a different channel, type "iwconfig [interface] channel [channel #], E.G. "iwconfig wlan0 channel 6" would switch my interface wlan0 to channel 6 to listen.

      You shouldn't have to use more than these commands at first, but if necessary, type "iwconfig --help" or "man iwconfig" to review the additional commands.
  • ping [options] --- I first reviewed the ping command in my quick overview of Linux commands, but I'll try to explain more in depth here why ping is one of the most important networking tools in Linux (and Windows!), and some descriptive uses of it.
    A quick explanation of how ping works is that a packet called an "ECHO_REQUEST" packet is sent to the target, and if it is received, an "ECHO_REPLY" packet is sent back to the host that is issuing the ping command. If a reply packet is not received back, that tells the computer that the request packet was never received. This is called "packet loss" which you have probably seen before.

    The basic form of using the ping command is:
    ping <ip-address or hostname>
    Try using this on your "localhost" which is the ip address "127.0.0.1"
    Pull up a new terminal and type in "ping 127.0.0.1" and review the output. Push Ctrl-z when you want it to stop pinging (ctrl-z is the EOF [end of file] command which stops most Linux operations).
    Lets go over some of ping's options:
    • -c [#] --- the "count" option. The ping command will stop after the system has pinged the amount of times the user has specified; E.G. "ping -c 3 localhost" will ping 3 times, then stop. This is very useful to ping a specific amount of times so it doesn't spam-ping and to check say just 5 pings.
      Try this by typing the above command "ping -c 3 localhost" and review the outcome.
      • ON WINDOWS, THE COUNT COMMAND IS "-n" INSTEAD OF "-c"
    • -f --- the "flood ping" option. Taken from the manual page, it is described as
      "For every ECHO_REQUEST sent, a period is printed, while for ever [sic] ECHO_REPLY received a backspace is printed. This provides a rapid display of how many packets are being dropped."
      This command adds a visual aid to pinging. The gist of what the manual page says, is that for every request sent, a period is printed, and for every reply received, one is deleted.
      So say you ping five times, and five are sent, and five are received, then no periods would appear on screen since there would be five periods and five backspaces, nullifying these periods. For every period that appears, a packet is dropped.
      If you pinged five times, five packets are sent, but only three are received, then two periods would appear, meaning two packets were dropped.
       In layman terms, each period that appears is a dropped packet.
    • -i [#] --- the "interval" option. With this option, the ping command waits the specified amount of seconds in between each ping; the default is one second in between pings if this option is not used or specified.
      In the manual, it states that "only super-users may set interval to values less than 0.2 seconds" meaning that you have to be root or use the command "sudo" (super user do) before the ping command if you wish to have a quicker interval than one every 0.2 seconds.
    • -n --- the "numeric ouput only" option. When this option is used, if you ping a hostname (such as "www.google.com" or "localhost") it only uses the IP address in the output, and does not post the hostname.
      Compare these commands: "ping -c 5 localhost" and "ping -c 5 -n localhost"
      You see how the "bytes received from *hostname* (*IP address*)" is changed to "bytes received from *IP address*? That's what this command does.
    • -q --- the "quiet mode" option. If you use this option, it does not output each "bytes received" line while running the command, but instead just outputs the summary lines at the beginning and end.
      Try running the command "ping -c 5 -q localhost" and view the output. You should see the "PING localhost (127.0.0.1) xxx bytes of data" and then the statistics of the ping.
      This command is useful if you don't care about each output and just want to see the overall summary.
    • -t [#] --- the TTL (time to live) set command. Use this command to set the "time to live" time, which is the amount of "hops." or transfers between routers, that the ping packet will take before stopping. After each "hop" (transfer) the TTL number is reduced by one (n-1), until it reaches 0 and is then discarded.
      The maximum number this can be is 255.
  • arp [options] --- The "arp" command displays the Address Resolution Protocol table, which is a list of computers that you have exchanged information with. You can manipulate the ARP cache with this command (which we will be doing eventually).
    Try issuing this command on your Linux machine with the simple command "arp" and review the output. A list of nodes (computers and routers) on your network should appear.
    The "address" is of course the IP of the computer or router.
    The "HWtype" is the type of connection (ethernet or wireless).
    The "HWaddress" is the MAC (media access control) address, or the "physical" address (which you will hear it referred to often, because this code is set to it when it is manufactured).
    Below are some arp options you can use:
    •  -a --- This option is to use the alternative "BSD" style output format and doesn't use tabs to space things.
      Compare the commands "arp" and "arp -a" and review how they look different.
    • -d --- This option (it's actually considered a "mode") deletes an ARP table entry (the manual says "a ARP" which is funny to me; correct grammar isn't the programmers highest interest).
      This command requires root privileges to run (they also spelled privilege "priveledge").
    • I will add more of these later. There aren't many more, but I will update it so we can understand all the options of arp.
I just got back from my vacation and wrote this up, I'll add MANY more tomorrow and in the following weeks, so come back to this post frequently to check it out. As always, post below any changes I need to make... I'm sure I messed something up!

[Last edited June 29th, 1:30PM]

    22 comments:

    1. On your examples for changing NIC modes with iwconfig, the second example missed out the word "mode".

      Keep up the good work btw, I like your blog :)

      ReplyDelete
    2. @Anon, ah! Thanks for that catch, I'm glad you're enjoying the blog too!

      ReplyDelete
    3. Alright got a problem with iwconfig here. It doesn't allow me to change my NICs mode.

      Error for wireless request "Set Mode" (8B06) :
      SET failed on device eth1 ; Operation not permitted.

      I realize it says eth1, but this is in fact a wireless device. Also when simply issuing the command with no options I cannot see the mode?

      Would this be a driver issue?

      ReplyDelete
    4. @Anon, what's your output when you just type "iwconfig"?

      ReplyDelete
    5. i have also ERROR
      Error for wireless request "Set Mode" (8B06) :
      SET failed on device mon0 ; Operation not permitted.
      and YES i am begginer i am trying only to understand how is working but...
      could u help?

      ReplyDelete
      Replies
      1. When do you receive this error? It seems like you typed something it didn't like.

        Delete
    6. Hi all,
      I've been try to follow this guide in order to get a interface on monitor mode for the guide Cracking WEP/WPA/2 networks with Aircrack-ng [Linux]

      Here is what I get (my ubuntu is in spanish:P):

      xxxxx@xxxxx-T61:~$ ifconfig
      eth0 Link encap:Ethernet direcciónHW 00:21:86:98:55:d3
      ACTIVO DIFUSIÓN MULTICAST MTU:1500 Métrica:1
      Paquetes RX:0 errores:0 perdidos:0 overruns:0 frame:0
      Paquetes TX:0 errores:0 perdidos:0 overruns:0 carrier:0
      colisiones:0 long.colaTX:1000
      Bytes RX:0 (0.0 B) TX bytes:0 (0.0 B)
      Interrupción:20 Memoria:fe000000-fe020000

      lo Link encap:Bucle local
      Direc. inet:127.0.0.1 Másc:255.0.0.0
      Dirección inet6: ::1/128 Alcance:Anfitrión
      ACTIVO BUCLE FUNCIONANDO MTU:16436 Métrica:1
      Paquetes RX:1212 errores:0 perdidos:0 overruns:0 frame:0
      Paquetes TX:1212 errores:0 perdidos:0 overruns:0 carrier:0
      colisiones:0 long.colaTX:0
      Bytes RX:190086 (190.0 KB) TX bytes:190086 (190.0 KB)

      wlan0 Link encap:Ethernet direcciónHW 00:13:e8:88:d7:bd
      Direc. inet:192.168.0.12 Difus.:192.168.0.255 Másc:255.255.255.0
      Dirección inet6: fe80::213:e8ff:fe88:d7bd/64 Alcance:Enlace
      ACTIVO DIFUSIÓN FUNCIONANDO MULTICAST MTU:1500 Métrica:1
      Paquetes RX:10235 errores:0 perdidos:0 overruns:0 frame:0
      Paquetes TX:10359 errores:0 perdidos:0 overruns:0 carrier:0
      colisiones:0 long.colaTX:1000
      Bytes RX:9616427 (9.6 MB) TX bytes:1718192 (1.7 MB)

      xxxxx@xxxxx-T61:~$

      And then I get this error and I couldn't figure out why:

      sansan@sansan-T61:~$ ifconfig wlan0mon up
      wlan0mon: ERROR mientras se obtenían las banderas de interfaz: No existe el dispositivo

      this is the translation for: Error while getting interface flags: no such device

      Any advice? (I'm a begginer by the why :P)

      ReplyDelete
      Replies
      1. For monitoring interfaces, you can't simply put them up with ifup, so try using the aircrack suite to start a monitoring interface.

        Delete
    7. really enjoying ur blog

      ReplyDelete