2023 - April


Network Management

The command line offers a wealth of network management commands. Here are some of my favorites.

nmcli

NetworkManager has a command line interface (CLI).

Get status:

$ nmcli general status
STATE      CONNECTIVITY  WIFI-HW  WIFI     WWAN-HW  WWAN
connected  full          enabled  enabled  enabled  enabled

Get connections:

$ nmcli connection show
NAME                UUID                                  TYPE      DEVICE
Wired connection 1  39738cc4-2a3b-3990-8c49-b4d0355116c3  ethernet  eth0

Get devices:

$ nmcli device
DEVICE  TYPE      STATE      CONNECTION
eth0    ethernet  connected  Wired connection 1
usb0    ethernet  unmanaged  --
usb1    ethernet  unmanaged  --
lo      loopback  unmanaged  --

Get configuration file names (notice they are in /etc and /run):

$ nmcli -f TYPE,FILENAME,NAME conn
TYPE      FILENAME                                                                NAME
ethernet  /etc/NetworkManager/system-connections/eno1.nmconnection                eno1
loopback  /run/NetworkManager/system-connections/lo.nmconnection                  lo
bridge    /etc/NetworkManager/system-connections/virbr0.nmconnection              virbr0
vlan      /etc/NetworkManager/system-connections/vlan1.nmconnection               vlan1
tun       /run/NetworkManager/system-connections/vnet3.nmconnection               vnet3
ethernet  /etc/NetworkManager/system-connections/Wired connection 2.nmconnection  Wired connection 2

Show device details:

$ nmcli device show eth0
GENERAL.DEVICE:        eth0
GENERAL.TYPE:          ethernet
GENERAL.HWADDR:        53:21:B9:C6:B6:FE
GENERAL.MTU:           1500
GENERAL.STATE:         100 (connected)
GENERAL.CONNECTION:    Wired connection 1
GENERAL.CON-PATH:      /org/freedesktop/NetworkManager/ActiveConnection/4
WIRED-PROPERTIES.CARRIER: on
IP4.ADDRESS[1]:        192.168.1.9/24
IP4.GATEWAY:           192.168.1.1
IP4.ROUTE[1]:          dst = 0.0.0.0/0, nh = 192.168.1.1, mt = 100
IP4.ROUTE[2]:          dst = 192.168.10.0/24, nh = 0.0.0.0, mt = 100
IP4.DNS[1]:            192.168.10.1
IP6.ADDRESS[1]:        fe80::cc1a:6ba2:c43:1b58/64
IP6.GATEWAY:           --
IP6.ROUTE[1]:          dst = fe80::/64, nh = ::, mt = 100
IP6.ROUTE[2]:          dst = ff00::/8, nh = ::, mt = 256, table=255

Check the radio:

$ nmcli radio
WIFI-HW  WIFI     WWAN-HW  WWAN
enabled  enabled  enabled  enabled

Show available WiFi SSID signals:

$ nmcli device wifi list
SSID                   MODE   CHAN  RATE       SIGNAL  BARS  SECURITY
MY_WIRELESS_NET        Infra  11    54 Mbit/s  100     ▂▄▆█  WPA1 WPA2
ANOTHER_WIRELLESS_NET  Infra  52    54 Mbit/s  100     ▂▄▆█  WPA1 WPA2
YET_ANOTHER_WIR_NET    Infra  6     54 Mbit/s  55      ▂▄__  WPA2

Even get the WiFi password:

$ nmcli device wifi show-password

Connect to WiFi:

$ nmcli device wifi connect MY_WIRELESS_NET password 8ehdxhre5kkhb6g6
Device 'wlp5s0' successfully activated with 'a7c8fbf5-3e7d-456c-921b-d739de0e3c79'.

Reference: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/networking_guide/sec-configuring_ip_networking_with_nmcli

ip

The ip command shows and manipulates routing, network devices, interfaces and tunnels.

  • To show the IP addresses assigned to an interface on your server:
# ip address show
  • To assign an IP to an interface, for example, enps03:
# ip address add 192.168.1.254/24 dev enps03
  • To delete an IP on an interface:
# ip address del 192.168.1.254/24 dev enps03
  • Alter the status of the interface by bringing the interface eth0 online:
# ip link set eth0 up
  • Alter the status of the interface by bringing the interface eth0 offline:
# ip link set eth0 down
  • Alter the status of the interface by changing the MTU of eth0:
# ip link set eth0 mtu 9000
  • Alter the status of the interface by enabling promiscuous mode for eth0:
# ip link set eth0 promisc on
  • Add a default route (for all addresses) via the local gateway 192.168.1.254 that can be reached on device eth0:
# ip route add default via 192.168.1.254 dev eth0
  • Add a route to 192.168.1.0/24 via the gateway at 192.168.1.254:
# ip route add 192.168.1.0/24 via 192.168.1.254
  • Add a route to 192.168.1.0/24 that can be reached on device eth0:
# ip route add 192.168.1.0/24 dev eth0
  • Delete the route for 192.168.1.0/24 via the gateway at 192.168.1.254:
# ip route delete 192.168.1.0/24 via 192.168.1.254
  • Display the route taken for IP 10.10.1.4:
# ip route get 10.10.1.4

Reference:

ss

The show-sockets program, ss, shows which ports are open, their status, and which programs are attached to them locally.

Sockets:

$ sudo ss -ntrp
State  Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
...

Who is listening:

$ sudo ss -lntup | less
Netid  State  Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
...

Reference: https://www.man7.org/linux/man-pages/man8/ss.8.html
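
To turn the "who is listening" output into a quick exposure check, the following added example (not from the original post) filters `ss -H -lntup` output down to listeners that are reachable from other hosts and are not on an allowlist. The `ALLOWED_PORTS` list, the function names and the sample socket lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: list listening sockets that other hosts can reach.
# Input:  `ss -H -lntup` output on stdin (-H drops the header line).
# Output: "proto addr:port process" for each listener that is not bound to
#         loopback and whose port is not in ALLOWED_PORTS.

# ALLOWED_PORTS is a hypothetical allowlist chosen for this example.
ALLOWED_PORTS="${ALLOWED_PORTS:-22 80 443}"

exposed_listeners() {
    awk -v allowed="$ALLOWED_PORTS" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 != "tcp" && $1 != "udp" { next }        # also skips a header line
    {
        port = $5; sub(/.*:/, "", port)        # text after the last colon
        addr = substr($5, 1, length($5) - length(port) - 1)
        sub(/%.*/, "", addr)                   # drop "%lo" style scope
        gsub(/\[|\]/, "", addr)                # strip IPv6 brackets
        if (addr ~ /^127\./ || addr == "::1") next
        if (port in ok) next
        proc = "-"                             # no name without root or -p
        if (match($0, /users:\(\("[^"]+"/))
            proc = substr($0, RSTART + 9, RLENGTH - 10)
        print $1, addr ":" port, proc
    }'
}

# Constructed sample in the column layout of `ss -H -lntup`.
sample_ss_output() {
    cat <<'EOF'
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
tcp LISTEN 0 511 [::]:80 [::]:* users:(("nginx",pid=2925,fd=7))
tcp LISTEN 0 128 127.0.0.1:631 0.0.0.0:* users:(("cupsd",pid=700,fd=7))
tcp LISTEN 0 5 0.0.0.0:8080 0.0.0.0:* users:(("python3",pid=1815663,fd=4))
udp UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0:* users:(("systemd-resolve",pid=600,fd=13))
udp UNCONN 0 0 0.0.0.0:5353 0.0.0.0:* users:(("avahi-daemon",pid=650,fd=12))
EOF
}

sample_ss_output | exposed_listeners
```

On a live system, run it as `sudo ss -H -lntup | exposed_listeners`; without root, the process column is empty for sockets owned by other users and the script prints `-`.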

connmanctl

First found on the BeagleBoneBlack and PocketBeagle SBC devices, this was the way to manage WiFi, USB and Ethernet connections. It does not seem to be used on the BeagleBone AI [1].

The configuration files live in /var/lib/connman/ and the control program for changing them is connmanctl.

  • WiFi

Here is an example run of connmanctl to set up a new WiFi connection [2] called MyWifi on an access point/router.

$ sudo connmanctl⏎
connmanctl> scan wifi⏎
Scan completed for wifi
connmanctl> services⏎
MyWifi wifi_1234567890_1234567890123456_managed_psk
connmanctl> agent on⏎
Agent registered
connmanctl> connect wifi_1234567890_1234567890123456_managed_psk⏎
Agent RequestInput wifi_1234567890_1234567890123456_managed_psk
  Passphrase = [ Type=psk, Requirement=mandatory, Alternates=[ WPS ] ]
  WPS = [ Type=wpspin, Requirement=alternate ]
Passphrase? MySecretPassphrase⏎
Connected wifi_1234567890_1234567890123456_managed_psk
connmanctl> quit⏎
$
  • Ethernet

Configure fixed IP address on wired ethernet port

Check settings before

$ sudo cat /var/lib/connman/ethernet_5051a9a6bafe_cable/settings
[ethernet_5051a9a6bafe_cable]
Name=Wired
AutoConnect=true
Modified=2023-03-13T22:49:38.241177Z
IPv4.method=manual
IPv4.DHCP.LastAddress=192.168.1.29
IPv6.method=auto
IPv6.privacy=disabled
IPv4.netmask_prefixlen=16
IPv4.local_address=192.168.1.99
IPv4.gateway=192.168.1.1
IPv6.DHCP.DUID=0001000126b5d99b5051a9a6bafe

Change fixed IP address from 99 to 9

# arguments after "manual": IP address, netmask, gateway
$ sudo connmanctl config ethernet_5051a9a6bafe_cable ipv4 manual 192.168.1.9 255.255.0.0 192.168.1.1

Check settings after

$ sudo cat /var/lib/connman/ethernet_5051a9a6bafe_cable/settings
[ethernet_5051a9a6bafe_cable]
Name=Wired
AutoConnect=true
Modified=2023-03-13T22:55:28.241177Z
IPv4.method=manual
IPv4.DHCP.LastAddress=192.168.1.29
IPv6.method=auto
IPv6.privacy=disabled
IPv4.netmask_prefixlen=16
IPv4.local_address=192.168.1.9
IPv4.gateway=192.168.1.1
IPv6.DHCP.DUID=0001000126b5d99b5051a9a6bafe

You can see all the devices here, and turn on Tethering (incoming connections):

$ sudo cat /var/lib/connman/settings
[global]
OfflineMode=false

[Wired]
Enable=true
Tethering=false

[WiFi]
Enable=true
Tethering=false

[Gadget]
Enable=false
Tethering=false

[P2P]
Enable=false
Tethering=false

[Bluetooth]
Enable=true
Tethering=false

For WiFi configuration, the BeagleBone-AI-64 and BeagleBonePlay (or later) moved from connman to systemd-network, so WiFi is now configured through wpa_supplicant-wlan0.conf.

You can use

$ sudo wpa_cli -i wlan0…

Reference:

  1. bbai-tether-system
  2. https://gist.github.com/kylemanna/6930087

firewalld

The Server Setup section of this book covers how to set up a firewall to protect your system network.

networkd

The February 2023 Blog covers networkd manipulation using netplan.

tcpdump

Here is a super useful program for tracing what is happening on your network.

For instance, you can watch a certain port for activity. In this example we watch port 81 (which is a web server).

$ sudo tcpdump -i eth0 -a port 81
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
16:04:37.901252 IP 192.168.1.4.65088 > www.example.com.81: Flags [SEW], seq 1319586290, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 582966262 ecr 0,sackOK,eol], length 0
16:04:37.901392 IP www.example.com.81 > 192.168.1.4.65088: Flags [S.E], seq 2476571858, ack 1319586291, win 65160, options [mss 1460,sackOK,TS val 1494679242 ecr 582966262,nop,wscale 7], length 0
16:04:37.901630 IP 192.168.1.4.65088 > www.example.com.81: Flags [.], ack 1, win 2058, options [nop,nop,TS val 582966264 ecr 1494679242], length 0
16:04:37.904531 IP 192.168.1.4.65088 > www.example.com.81: Flags [P.], seq 1:638, ack 1, win 2058, options [nop,nop,TS val 582966267 ecr 1494679242], length 637
16:04:37.904562 IP www.example.com.81 > 192.168.1.4.65088: Flags [.], ack 638, win 505, options [nop,nop,TS val 1494679245 ecr 582966267], length 0
16:04:37.905443 IP www.example.com.81 > 192.168.1.4.65088: Flags [P.], seq 1:257, ack 638, win 505, options [nop,nop,TS val 1494679246 ecr 582966267], length 256
16:04:37.905634 IP 192.168.1.4.65088 > www.example.com.81: Flags [.], ack 257, win 2054, options [nop,nop,TS val 582966268 ecr 1494679246], length 0
16:04:37.906243 IP 192.168.1.4.65088 > www.example.com.81: Flags [P.], seq 638:718, ack 257, win 2054, options [nop,nop,TS val 582966268 ecr 1494679246], length 80
16:04:37.906258 IP www.example.com.81 > 192.168.1.4.65088: Flags [.], ack 718, win 505, options [nop,nop,TS val 1494679247 ecr 582966268], length 0
16:04:37.906445 IP 192.168.1.4.65088 > www.example.com.81: Flags [.], seq 718:2166, ack 257, win 2054, options [nop,nop,TS val 582966268 ecr 1494679246], length 1448
16:04:37.906465 IP www.example.com.81 > 192.168.1.4.65088: Flags [.], ack 2166, win 501, options [nop,nop,TS val 1494679247 ecr 582966268], length 0
16:04:37.906508 IP 192.168.1.4.65088 > www.example.com.81: Flags [P.], seq 2166:5653, ack 257, win 2054, options [nop,nop,TS val 582966268 ecr 1494679246], length 3487
16:04:37.906532 IP www.example.com.81 > 192.168.1.4.65088: Flags [.], ack 5653, win 480, options [nop,nop,TS val 1494679247 ecr 582966268], length 0
16:04:37.906582 IP www.example.com.81 > 192.168.1.4.65088: Flags [P.], seq 257:528, ack 5653, win 480, options [nop,nop,TS val 1494679247 ecr 582966268], length 271
16:04:37.906701 IP 192.168.1.4.65088 > www.example.com.81: Flags [.], ack 528, win 2050, options [nop,nop,TS val 582966269 ecr 1494679247], length 0
16:04:37.906871 IP www.example.com.81 > 192.168.1.4.65088: Flags [P.], seq 528:732, ack 5653, win 501, options [nop,nop,TS val 1494679248 ecr 582966269], length 204
16:04:37.907007 IP 192.168.1.4.65088 > www.example.com.81: Flags [.], ack 732, win 2047, options [nop,nop,TS val 582966269 ecr 1494679248], length 0
^C
17 packets captured
17 packets received by filter
0 packets dropped by kernel
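
Reading a trace like this by eye gets slow once more than one client is involved. The following added example (not from the original post) condenses tcpdump text output into one line per client connection: whether the three-way handshake completed and how many payload bytes went each way. The function names are assumptions; the sample lines are abridged from the capture above (options field dropped) plus one constructed unanswered SYN.

```shell
#!/bin/sh
# Added example: summarise tcpdump text output per TCP conversation.
# Output per client SYN seen:
#   <client> <server> handshake=<yes|no> sent=<bytes> received=<bytes>

summarise_flows() {
    awk '
    $2 != "IP" || $4 != ">" { next }           # skip banner and counters
    {
        src = $3; dst = $5; sub(/:$/, "", dst)
        fwd = src " " dst; rev = dst " " src
        flags = $7; gsub(/[^A-Za-z.]/, "", flags)   # "[S.E]," becomes "S.E"
        bytes = $NF + 0                        # payload length, last field
        if (flags ~ /S/ && flags !~ /\./) {    # SYN without ACK: new client
            if (!(fwd in state)) { order[++n] = fwd; state[fwd] = 1 }
        } else if (flags ~ /S/) {              # SYN-ACK from the server
            if ((rev in state) && state[rev] == 1) state[rev] = 2
        } else if (fwd in state) {             # client to server
            if (state[fwd] == 2 && flags ~ /\./ && flags !~ /R/)
                state[fwd] = 3                 # ACK completes the handshake
            sent[fwd] += bytes
        } else if (rev in state) {             # server to client
            rcvd[rev] += bytes
        }
    }
    END {
        for (i = 1; i <= n; i++) {
            k = order[i]
            printf "%s handshake=%s sent=%d received=%d\n", k,
                   (state[k] == 3 ? "yes" : "no"), sent[k], rcvd[k]
        }
    }'
}

# Abridged from the capture above; the last line is constructed.
sample_capture() {
    cat <<'EOF'
16:04:37.901252 IP 192.168.1.4.65088 > www.example.com.81: Flags [SEW], seq 1319586290, win 65535, length 0
16:04:37.901392 IP www.example.com.81 > 192.168.1.4.65088: Flags [S.E], seq 2476571858, ack 1319586291, win 65160, length 0
16:04:37.901630 IP 192.168.1.4.65088 > www.example.com.81: Flags [.], ack 1, win 2058, length 0
16:04:37.904531 IP 192.168.1.4.65088 > www.example.com.81: Flags [P.], seq 1:638, ack 1, win 2058, length 637
16:04:37.905443 IP www.example.com.81 > 192.168.1.4.65088: Flags [P.], seq 1:257, ack 638, win 505, length 256
16:04:38.100000 IP 192.168.1.77.40000 > www.example.com.81: Flags [S], seq 1, win 64240, length 0
EOF
}

sample_capture | summarise_flows
```

Many `handshake=no` lines from one source are what a port probe or a filtered port looks like in this view.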

arp-scan

arp-scan is a local network scanner capable of displaying known hosts by their IP address, MAC address, and manufacturer ID.

$ arp-scan --interface=eth0 192.168.0.0/24
Interface: eth0, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.4 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/)
192.168.0.1    00:c0:9f:09:b8:db  QUANTA COMPUTER, INC.
192.168.0.3    00:02:b3:bb:66:98  Intel Corporation
192.168.0.5    00:02:a5:90:c3:e6  Compaq Computer Corporation
192.168.0.6    00:c0:9f:0b:91:d1  QUANTA COMPUTER, INC.
192.168.0.12   00:02:b3:46:0d:4c  Intel Corporation
192.168.0.13   00:02:a5:de:c2:17  Compaq Computer Corporation
192.168.0.87   00:0b:db:b2:fa:60  Dell ESG PCBA Test
192.168.0.90   00:02:b3:06:d7:9b  Intel Corporation
192.168.0.105  00:13:72:09:ad:76  Dell Inc.
192.168.0.153  00:10:db:26:4d:52  Juniper Networks, Inc.
192.168.0.191  00:01:e6:57:8b:68  Hewlett-Packard Company
192.168.0.251  00:04:27:6a:5d:a1  Cisco Systems, Inc.
192.168.0.196  00:30:c1:5e:58:7d  HEWLETT-PACKARD

13 packets received by filter, 0 packets dropped by kernel
Ending arp-scan: 256 hosts scanned in 3.386 seconds (75.61 hosts/sec). 13 responded

Reference: https://linux.die.net/man/1/arp-scan

vnstat

To display the amount of network traffic for each day of the last week:

$ vnstat -d 7
eth01 / daily

day               rx    |     tx      |    total    |   avg. rate
------------------------+-------------+-------------+---------------
2023-04-16     9.66 GiB |    3.69 GiB |   13.35 GiB |    1.33 Mbit/s
2023-04-17    13.17 GiB |    6.03 GiB |   19.20 GiB |    1.91 Mbit/s
2023-04-18    11.38 GiB |    5.31 GiB |   16.68 GiB |    1.66 Mbit/s
2023-04-19    14.79 GiB |    5.15 GiB |   19.94 GiB |    1.98 Mbit/s
2023-04-20    12.26 GiB |    2.40 GiB |   14.65 GiB |    1.46 Mbit/s
2023-04-21    14.26 GiB |    3.42 GiB |   17.68 GiB |    1.76 Mbit/s
2023-04-22    12.08 GiB |    1.64 GiB |   13.72 GiB |    1.98 Mbit/s
------------------------+-------------+-------------+---------------
estimated     17.57 GiB |    2.39 GiB |   19.96 GiB |

For the last two months:

$ vnstat
                      rx      /      tx      /     total    /   estimated
 eth01:
       2023-03    334.51 GiB  /   94.16 GiB  /  428.67 GiB
       2023-04    242.84 GiB  /   57.62 GiB  /  300.47 GiB  /  415.63 GiB
     yesterday     14.26 GiB  /    3.42 GiB  /   17.68 GiB
         today     12.08 GiB  /    1.64 GiB  /   13.72 GiB  /   19.96 GiB

 tun01:
       2023-03          0 B   /   48.57 KiB  /   48.57 KiB
       2023-04          0 B   /   26.12 KiB  /   26.12 KiB  /       --
     yesterday          0 B   /    1.08 KiB  /    1.08 KiB
         today          0 B   /      816 B   /      816 B   /       --

 vlan101:
       2023-03    304.72 GiB  /   50.54 GiB  /  355.26 GiB
       2023-04    220.68 GiB  /   25.76 GiB  /  246.44 GiB  /  340.90 GiB
     yesterday     13.13 GiB  /    1.27 GiB  /   14.40 GiB
         today     11.28 GiB  /  972.62 MiB  /   12.23 GiB  /   17.79 GiB

 wlp0s31e4:
       2023-03          0 B   /        0 B   /        0 B
       2023-04          0 B   /        0 B   /        0 B   /       --
     yesterday          0 B   /        0 B   /        0 B
         today          0 B   /        0 B   /        0 B   /       --

nethogs

To find out which program is demanding the most of your network right now, try nethogs.

NetHogs version 0.8.6-3

    PID USER     PROGRAM                              DEV       SENT   RECEIVED
    828 monit    /usr/bin/monit                       eth01   10.038    215.140 KB/sec
      ? root     192.168.1.3:40120-192.168.1.50:80             0.396      8.211 KB/sec
      ? root     192.168.1.3:40160-192.168.1.60:80             0.358      8.167 KB/sec
   2925 www-da.. nginx: worker process                eth01    2.048      1.875 KB/sec
1815892 root     /usr/bin/docker-proxy                docker   0.284      1.661 KB/sec
1815663 root     python3                              eth01    0.299      0.332 KB/sec
   4287 bob      sshd: bob@pts/0                      eth01    0.506      0.116 KB/sec
      ? root     192.168.1.4:40000-192.168.1.2:57392           0.000      0.000 KB/sec
      ? root     192.168.1.4:45308-192.168.1.5:80              0.000      0.000 KB/sec

  TOTAL                                                       13.929    235.501 KB/sec

Conclusion

This was a short list, meant as an introduction to managing your network from the command line.

Hope this helps,
-- Don



April - Network Management - Linux in the House - https://linux-in-the-house.org Creative Commons License