Sunday, December 25, 2011

20 Iptables Examples For New SysAdmins


Linux comes with a host based firewall called Netfilter. According to the official project site:
netfilter is a set of hooks inside the Linux kernel that allows kernel modules to register callback functions with the network stack. A registered callback function is then called back for every packet that traverses the respective hook within the network stack.
This Linux based firewall is controlled by the program called iptables to handles filtering for IPv4, and ip6tables handles filtering for IPv6. I strongly recommend that you first read our quick tutorial that explains how to configure a host-based firewall called Netfilter (iptables) under CentOS / RHEL / Fedora / Redhat Enterprise Linux. This post list most common iptables solutions required by a new Linux user to secure his or her Linux operating system from intruders.

IPTABLES Rules Example

  • Most of the actions listed in this post are written with the assumption that they will be executed by the root user running the bash or any other modern shell. Do not type commands on remote system as it will disconnect your access.
  • For demonstration purpose I've used RHEL 6.x, but the following command should work with any modern Linux distro.
  • This is NOT a tutorial on how to set iptables. See tutorial here. It is a quick cheat sheet to common iptables commands.

#1: Displaying the Status of Your Firewall

Type the following command as root:
# iptables -L -n -v
Sample outputs:
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Above output indicates that the firewall is not active. The following sample shows an active firewall:
# iptables -L -n -v
Sample outputs:
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
  394 43586 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
   93 17292 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0
    1   142 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  br0    br0     0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
    0     0 TCPMSS     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x02 TCPMSS clamp to PMTU
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 wanin      all  --  vlan2  *       0.0.0.0/0            0.0.0.0/0
    0     0 wanout     all  --  *      vlan2   0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0
Chain OUTPUT (policy ACCEPT 425 packets, 113K bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain wanin (1 references)
 pkts bytes target     prot opt in     out     source               destination
Chain wanout (1 references)
 pkts bytes target     prot opt in     out     source               destination
Where,
  • -L : List rules.
  • -v : Display detailed information. This option makes the list command show the interface name, the rule options, and the TOS masks. The packet and byte counters are also listed, with the suffix 'K', 'M' or 'G' for 1000, 1,000,000 and 1,000,000,000 multipliers respectively.
  • -n : Display IP address and port in numeric format. Do not use DNS to resolve names. This will speed up listing.

#1.1: To inspect firewall with line numbers, enter:

# iptables -n -L -v --line-numbers
Sample outputs:
Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    DROP       all  --  0.0.0.0/0            0.0.0.0/0           state INVALID
2    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
4    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
Chain FORWARD (policy DROP)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
2    DROP       all  --  0.0.0.0/0            0.0.0.0/0           state INVALID
3    TCPMSS     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x02 TCPMSS clamp to PMTU
4    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
5    wanin      all  --  0.0.0.0/0            0.0.0.0/0
6    wanout     all  --  0.0.0.0/0            0.0.0.0/0
7    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
Chain wanin (1 references)
num  target     prot opt source               destination
Chain wanout (1 references)
num  target     prot opt source               destination
You can use line numbers to delete or insert new rules into the firewall.

#1.2: To display INPUT or OUTPUT chain rules, enter:

# iptables -L INPUT -n -v
# iptables -L OUTPUT -n -v --line-numbers

#2: Stop / Start / Restart the Firewall

If you are using CentOS / RHEL / Fedora Linux, enter:
# service iptables stop
# service iptables start
# service iptables restart

You can use the iptables command itself to stop the firewall and delete all rules:
# iptables -F
# iptables -X
# iptables -t nat -F
# iptables -t nat -X
# iptables -t mangle -F
# iptables -t mangle -X
# iptables -P INPUT ACCEPT
# iptables -P OUTPUT ACCEPT
# iptables -P FORWARD ACCEPT

Where,
  • -F : Deleting (flushing) all the rules.
  • -X : Delete chain.
  • -t table_name : Select table (called nat or mangle) and delete/flush rules.
  • -P : Set the default policy (such as DROP, REJECT, or ACCEPT).

#3: Delete Firewall Rules

To display line number along with other information for existing rules, enter:
# iptables -L INPUT -n --line-numbers
# iptables -L OUTPUT -n --line-numbers
# iptables -L OUTPUT -n --line-numbers | less
# iptables -L OUTPUT -n --line-numbers | grep 202.54.1.1

You will get the list of IP. Look at the number on the left, then use number to delete it. For example delete line number 4, enter:
# iptables -D INPUT 4
OR find source IP 202.54.1.1 and delete from rule:
# iptables -D INPUT -s 202.54.1.1 -j DROP
Where,
  • -D : Delete one or more rules from the selected chain

#4: Insert Firewall Rules

To insert one or more rules in the selected chain as the given rule number use the following syntax. First find out line numbers, enter:
# iptables -L INPUT -n --line-numbers
Sample outputs:
Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    DROP       all  --  202.54.1.1           0.0.0.0/0
2    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state NEW,ESTABLISHED 
To insert rule between 1 and 2, enter:
# iptables -I INPUT 2 -s 202.54.1.2 -j DROP
To view updated rules, enter:
# iptables -L INPUT -n --line-numbers
Sample outputs:
Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    DROP       all  --  202.54.1.1           0.0.0.0/0
2    DROP       all  --  202.54.1.2           0.0.0.0/0
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state NEW,ESTABLISHED

#5: Save Firewall Rules

To save firewall rules under CentOS / RHEL / Fedora Linux, enter:
# service iptables save
In this example, drop an IP and save firewall rules:
# iptables -A INPUT -s 202.5.4.1 -j DROP
# service iptables save

For all other distros use the iptables-save command:
# iptables-save > /root/my.active.firewall.rules
# cat /root/my.active.firewall.rules

#6: Restore Firewall Rules

To restore firewall rules form a file called /root/my.active.firewall.rules, enter:
# iptables-restore < /root/my.active.firewall.rules
To restore firewall rules under CentOS / RHEL / Fedora Linux, enter:
# service iptables restart

#7: Set the Default Firewall Policies

To drop all traffic:
# iptables -P INPUT DROP
# iptables -P OUTPUT DROP
# iptables -P FORWARD DROP
# iptables -L -v -n
#### you will not able to connect anywhere as all traffic is dropped ###
# ping cyberciti.biz
# wget http://www.kernel.org/pub/linux/kernel/v3.0/testing/linux-3.2-rc5.tar.bz2

#7.1: Only Block Incoming Traffic

To drop all incoming / forwarded packets, but allow outgoing traffic, enter:
# iptables -P INPUT DROP
# iptables -P FORWARD DROP
# iptables -P OUTPUT ACCEPT
# iptables -A INPUT -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -L -v -n
### *** now ping and wget should work *** ###
# ping cyberciti.biz
# wget http://www.kernel.org/pub/linux/kernel/v3.0/testing/linux-3.2-rc5.tar.bz2

#8:Drop Private Network Address On Public Interface

IP spoofing is nothing but to stop the following IPv4 address ranges for private networks on your public interfaces. Packets with non-routable source addresses should be rejected using the following syntax:
# iptables -A INPUT -i eth1 -s 192.168.0.0/24 -j DROP
# iptables -A INPUT -i eth1 -s 10.0.0.0/8 -j DROP

#8.1: IPv4 Address Ranges For Private Networks (make sure you block them on public interface)

  • 10.0.0.0/8 -j (A)
  • 172.16.0.0/12 (B)
  • 192.168.0.0/16 (C)
  • 224.0.0.0/4 (MULTICAST D)
  • 240.0.0.0/5 (E)
  • 127.0.0.0/8 (LOOPBACK)

#9: Blocking an IP Address (BLOCK IP)

To block an attackers ip address called 1.2.3.4, enter:
# iptables -A INPUT -s 1.2.3.4 -j DROP
# iptables -A INPUT -s 192.168.0.0/24 -j DROP

#10: Block Incoming Port Requests (BLOCK PORT)

To block all service requests on port 80, enter:
# iptables -A INPUT -p tcp --dport 80 -j DROP
# iptables -A INPUT -i eth1 -p tcp --dport 80 -j DROP

To block port 80 only for an ip address 1.2.3.4, enter:
# iptables -A INPUT -p tcp -s 1.2.3.4 --dport 80 -j DROP
# iptables -A INPUT -i eth1 -p tcp -s 192.168.1.0/24 --dport 80 -j DROP

#11: Block Outgoing IP Address

To block outgoing traffic to a particular host or domain such as cyberciti.biz, enter:
# host -t a cyberciti.biz
Sample outputs:
cyberciti.biz has address 75.126.153.206
Note down its ip address and type the following to block all outgoing traffic to 75.126.153.206:
# iptables -A OUTPUT -d 75.126.153.206 -j DROP
You can use a subnet as follows:
# iptables -A OUTPUT -d 192.168.1.0/24 -j DROP
# iptables -A OUTPUT -o eth1 -d 192.168.1.0/24 -j DROP

#11.1: Example - Block Facebook.com Domain

First, find out all ip address of facebook.com, enter:
# host -t a www.facebook.com
Sample outputs:
www.facebook.com has address 69.171.228.40
Find CIDR for 69.171.228.40, enter:
# whois 69.171.228.40 | grep CIDR
Sample outputs:
CIDR:           69.171.224.0/19
To prevent outgoing access to www.facebook.com, enter:
# iptables -A OUTPUT -p tcp -d 69.171.224.0/19 -j DROP
You can also use domain name, enter:
# iptables -A OUTPUT -p tcp -d www.facebook.com -j DROP
# iptables -A OUTPUT -p tcp -d facebook.com -j DROP

From the iptables man page:
... specifying any name to be resolved with a remote query such as DNS (e.g., facebook.com is a really bad idea), a network IP address (with /mask), or a plain IP address ...

#12: Log and Drop Packets

Type the following to log and block IP spoofing on public interface called eth1
# iptables -A INPUT -i eth1 -s 10.0.0.0/8 -j LOG --log-prefix "IP_SPOOF A: "
# iptables -A INPUT -i eth1 -s 10.0.0.0/8 -j DROP

By default everything is logged to /var/log/messages file.
# tail -f /var/log/messages
# grep --color 'IP SPOOF' /var/log/messages

#13: Log and Drop Packets with Limited Number of Log Entries

The -m limit module can limit the number of log entries created per time. This is used to prevent flooding your log file. To log and drop spoofing per 5 minutes, in bursts of at most 7 entries .
# iptables -A INPUT -i eth1 -s 10.0.0.0/8 -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix "IP_SPOOF A: "
# iptables -A INPUT -i eth1 -s 10.0.0.0/8 -j DROP

#14: Drop or Accept Traffic From Mac Address

Use the following syntax:
# iptables -A INPUT -m mac --mac-source 00:0F:EA:91:04:08 -j DROP
## *only accept traffic for TCP port # 8080 from mac 00:0F:EA:91:04:07 * ##
# iptables -A INPUT -p tcp --destination-port 22 -m mac --mac-source 00:0F:EA:91:04:07 -j ACCEPT

#15: Block or Allow ICMP Ping Request

Type the following command to block ICMP ping requests:
# iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
# iptables -A INPUT -i eth1 -p icmp --icmp-type echo-request -j DROP

Ping responses can also be limited to certain networks or hosts:
# iptables -A INPUT -s 192.168.1.0/24 -p icmp --icmp-type echo-request -j ACCEPT
The following only accepts limited type of ICMP requests:
### ** assumed that default INPUT policy set to DROP ** #############
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
## ** all our server to respond to pings ** ##
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

#16: Open Range of Ports

Use the following syntax to open a range of ports:
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 7000:7010 -j ACCEPT

#17: Open Range of IP Addresses

Use the following syntax to open a range of IP address:
## only accept connection to tcp port 80 (Apache) if ip is between 192.168.1.100 and 192.168.1.200 ##
iptables -A INPUT -p tcp --destination-port 80 -m iprange --src-range 192.168.1.100-192.168.1.200 -j ACCEPT

## nat example ##
iptables -t nat -A POSTROUTING -j SNAT --to-source 192.168.1.20-192.168.1.25

#17: Established Connections and Restaring The Firewall

When you restart the iptables service it will drop established connections as it unload modules from the system under RHEL / Fedora / CentOS Linux. Edit, /etc/sysconfig/iptables-config and set IPTABLES_MODULES_UNLOAD as follows:
IPTABLES_MODULES_UNLOAD = no

#18: Help Iptables Flooding My Server Screen

Use the crit log level to send messages to a log file instead of console:
iptables -A INPUT -s 1.2.3.4 -p tcp --destination-port 80 -j LOG --log-level crit

#19: Block or Open Common Ports

The following shows syntax for opening and closing common TCP and UDP ports:
 
Replace ACCEPT with DROP to block port:
## open port ssh tcp port 22 ##
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 22 -j ACCEPT
 
## open cups (printing service) udp/tcp port 631 for LAN users ##
iptables -A INPUT -s 192.168.1.0/24 -p udp -m udp --dport 631 -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 631 -j ACCEPT
 
## allow time sync via NTP for lan users (open udp port 123) ##
iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p udp --dport 123 -j ACCEPT
 
## open tcp port 25 (smtp) for all ##
iptables -A INPUT -m state --state NEW -p tcp --dport 25 -j ACCEPT
 
# open dns server ports for all ##
iptables -A INPUT -m state --state NEW -p udp --dport 53 -j ACCEPT
iptables -A INPUT -m state --state NEW -p tcp --dport 53 -j ACCEPT
 
## open http/https (Apache) server port to all ##
iptables -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT
 
## open tcp port 110 (pop3) for all ##
iptables -A INPUT -m state --state NEW -p tcp --dport 110 -j ACCEPT
 
## open tcp port 143 (imap) for all ##
iptables -A INPUT -m state --state NEW -p tcp --dport 143 -j ACCEPT
 
## open access to Samba file server for lan users only ##
iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 137 -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 138 -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 139 -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 445 -j ACCEPT
 
## open access to proxy server for lan users only ##
iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 3128 -j ACCEPT
 
## open access to mysql server for lan users only ##
iptables -I INPUT -p tcp --dport 3306 -j ACCEPT
 

#20: Restrict the Number of Parallel Connections To a Server Per Client IP

You can use connlimit module to put such restrictions. To allow 3 ssh connections per client host, enter:
# iptables -A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 3 -j REJECT
Set HTTP requests to 20:
# iptables -p tcp --syn --dport 80 -m connlimit --connlimit-above 20 --connlimit-mask 24 -j DROP
Where,
  1. --connlimit-above 3 : Match if the number of existing connections is above 3.
  2. --connlimit-mask 24 : Group hosts using the prefix length. For IPv4, this must be a number between (including) 0 and 32.

#21: HowTO: Use iptables Like a Pro

For more information about iptables, please see the manual page by typing man iptables from the command line:
$ man iptables
You can see the help using the following syntax too:
# iptables -h
To see help with specific commands and targets, enter:
# iptables -j DROP -h

#21.1: Testing Your Firewall

Find out if ports are open or not, enter:
# netstat -tulpn
Find out if tcp port 80 open or not, enter:
# netstat -tulpn | grep :80
If port 80 is not open, start the Apache, enter:
# service httpd start
Make sure iptables allowing access to the port 80:
# iptables -L INPUT -v -n | grep 80
Otherwise open port 80 using the iptables for all users:
# iptables -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
# service iptables save

Use the telnet command to see if firewall allows to connect to port 80:
$ telnet www.cyberciti.biz 80
Sample outputs:
Trying 75.126.153.206...
Connected to www.cyberciti.biz.
Escape character is '^]'.
^]
telnet> quit
Connection closed.
You can use nmap to probe your own server using the following syntax:
$ nmap -sS -p 80 www.cyberciti.biz
Sample outputs:
Starting Nmap 5.00 ( http://nmap.org ) at 2011-12-13 13:19 IST
Interesting ports on www.cyberciti.biz (75.126.153.206):
PORT   STATE SERVICE
80/tcp open  http
Nmap done: 1 IP address (1 host up) scanned in 1.00 seconds
I also recommend you install and use sniffer such as tcpdupm and ngrep to test your firewall settings.

Conclusion:

This post only list basic rules for new Linux users. You can create and build more complex rules. This requires good understanding of TCP/IP, Linux kernel tuning via sysctl.conf, and good knowledge of your own setup. Stay tuned for next topics:
  • Stateful packet inspection.
  • Using connection tracking helpers.
  • Network address translation.
  • Layer 2 filtering.
  • Firewall testing tools.
  • Dealing with VPNs, DNS, Web, Proxy, and other protocols.

tcpdump fu


Packet capture is one of the most fundamental and powerful ways to do network analysis. You can learn virtually anything about what is going on within a network by intercepting and examining the raw data that crosses it. Modern network analysis tools are able to capture, interpret and describe this network traffic in a human-friendly manner.
tcpdump is one of the original packet capture (or "sniffing") tools that provide these analysis capabilities, and even though it now shares the field with many other utilities, it remains one of the most powerful and flexible.
If you think that tcpdump has been made obsolete by GUI tools like Wireshark, think again. Wireshark is a great application; it's just not the right tool for the job in every situation. As a refined, universal, lightweight command-line utility—much like cat, less and hexdump—tcpdump satisfies a different type of need.
One of tcpdump's greatest strengths is its convenience. It uses a "one-off-command" approach that lends itself to quick, on-the-spot answers. It works through an SSH session, doesn't need X and is more likely to be there when you need it. And, because it uses standard command-line conventions (such as writing to STDOUT, which can be redirected), tcpdump can be used in all sorts of creative, interesting and extremely useful ways.
In this article, I introduce some of the basics of packet capture and provide a breakdown of tcpdump syntax and usage. I show how to use tcpdump to zero in on specific packets and reveal the useful information they contain. I provide some real-world examples of how tcpdump can help put the details of what's happening on your network at your fingertips, and why tcpdump is still a must-have in any admin's toolbox.

Essential Concepts

Before you can begin to master tcpdump, you should understand some of the fundamentals that apply to using all packet sniffers:
  • Packet capturing is passive—it doesn't transmit or alter network traffic.
  • You can capture only the packets that your system receives. On a typical switched network, that excludes unicast traffic between other hosts (packets not sent to or from your machine).
  • You can capture only packets addressed to your system, unless the network interface is in promiscuous mode.
It is assumed that you're interested in seeing more than just your local traffic, so tcpdump turns on promiscuous mode automatically (which requires root privileges). But, in order for your network card to receive the packets in the first place, you still have to be where the traffic is, so to speak.

Anatomy of a tcpdump Command

A tcpdump command consists of two parts: a set of options followed by a filter expression (Figure 1).
Figure 1. Example tcpdump Command
The expression identifies which packets to capture, and the options define, in part, how those packets are displayed as well as other aspects of program behavior.

Options

tcpdump options follow the standard command-line flag/switch syntax conventions. Some flags accept a parameter, such as -i to specify the capture interface, while others are standalone switches and can be clustered, such as -v to increase verbosity and -n to turn off name resolution.
The man page for tcpdump lists all available options, but here are a few of the noteworthy ones:
  • -i interface: interface to listen on.
  • -v, -vv, -vvv: more verbose.
  • -q: less verbose.
  • -e: print link-level (Ethernet) headers.
  • -N: display relative hostnames.
  • -t: don't print timestamps.
  • -n: disable name lookups.
  • -s0 (or -s 0): use the max "snaplen"—capture full packets (default in recent versions of tcpdump).
None of these are required. User-supplied options simply modify the default program behavior, which is to capture from the first interface, and then print descriptions of matching packets on the screen in a single-line format.

Filter Expression

The filter expression is the Boolean (true or false) criteria for "matching" packets. All packets that do not match the expression are ignored.
The filter expression syntax is robust and flexible. It consists primarily of keywords called primitives, which represent various packet-matching qualifiers, such as protocol, address, port and direction. These can be chained together with and/or, grouped and nested with parentheses, and negated with not to achieve virtually any criteria.
Because the primitives have friendly names and do a lot of the heavy lifting, filter expressions are generally self-explanatory and easy to read and construct. The syntax is fully described in the pcap-filter man page, but here are a few example filter expressions:
  • tcp
  • port 25 and not host 10.0.0.3
  • icmp or arp or udp
  • vlan 3 and ether src host aa:bb:cc:dd:ee:ff
  • arp or udp port 53
  • icmp and \(dst host mrorange or dst host mrbrown\)
Like the options, filter expressions are not required. An empty filter expression simply matches all packets.

Understanding tcpdump Output

How much sense the output makes depends on how well you understand the protocols in question. tcpdump tailors its output to match the protocol(s) of the given packet.
For example, ARP packets are displayed like this when tcpdump is called with -t and -n (timestamps and name lookups turned off):

arp who-has 10.0.0.1 tell 10.0.0.2
arp reply 10.0.0.1 is-at 00:01:02:03:04:05

ARP is a simple protocol used to resolve IPs into MAC addresses. As you can see above, tcpdump describes these packets in a correspondingly simple format. DNS packets, on the other hand, are displayed completely different:

IP 10.0.0.2.50435 > 10.0.0.1.53: 19+ A? linuxjournal.com. (34)
IP 10.0.0.1.53 > 10.0.0.2.50435: 19 1/0/0 A 76.74.252.198 (50)

This may seem cryptic at first, but it makes more sense when you understand how protocol layers work. DNS is a more complicated protocol than ARP to begin with, but it also operates on a higher layer. This means it runs over top of other lower-level protocols, which also are displayed in the output.
Unlike ARP, which is a non-routable, layer-3 protocol, DNS is an Internet-wide protocol. It relies on UDP and IP to carry and route it across the Internet, which makes it a layer-5 protocol (UDP is layer-4, and IP is layer-3).
The underlying UDP/IP information, consisting of the source and destination IP/port, is displayed on the left side of the colon, followed by the remaining DNS-specific information on the right.
Even though this DNS information still is displayed in a highly condensed format, you should be able to recognize the essential elements if you know the basics of DNS. The first packet is a query for linuxjournal.com, and the second packet is an answer, giving the address 76.74.252.198. These are the kind of packets that are generated from simple DNS lookups.
See the "OUTPUT FORMAT" section of the tcpdump man page for complete descriptions of all the supported protocol-specific output formats. Some protocols are better served than others by their output format, but I've found that tcpdump does a pretty good job in general of showing the most useful information about a given protocol.

Capture Files

In addition to its normal behavior of printing packet descriptions to the screen, tcpdump also supports a mode of operation where it writes packets to a file instead. This mode is activated when the -w option is used to specify an output capture file.
When writing to a file, tcpdump uses a completely different format from when it writes to the screen. When writing to the screen, formatted text descriptions of packets are printed. When writing to a file, the raw packets are recorded as is, without analysis.
Instead of doing a live capture, tcpdump also can read from an existing capture file as input with the -r option. Because tcpdump capture files use the universally supported "pcap" format, they also can be opened by other applications, including Wireshark.
This gives you the option to capture packets with tcpdump on one host, but perform analysis on a different host by transferring and loading the capture file. This lets you use Wireshark on your local workstation without having to attach it to the network and location you need to capture from.

Analyzing TCP-Based Application Protocols

tcpdump is a packet-based analyzer, and it works great for connectionless, packet-based protocols like IP, UDP, DHCP, DNS and ICMP. However, it cannot directly analyze "connection-oriented" protocols, such as HTTP, SMTP and IMAP, because they work completely different.
They do not have the concept of "packets". Instead, they operate over the stream-based connections of TCP, which provide an abstracted communications layer. These application protocols are really more like interactive console programs than packet-based network protocols.
TCP transparently handles all of the underlying details required to provide these reliable, end-to-end, session-style connections. This includes encapsulating the stream-based data into packets (called segments) that can be sent across the network. All of these details are hidden below the application layer.
In order to capture TCP-based application protocols, an extra step is needed beyond capturing packets. Because each TCP segment is only a slice of application data, it can't be used individually to obtain any meaningful information. You first must reassemble TCP sessions (or flows) from the combined sets of individual segments/packets. The application protocol data is contained directly within the sessions.
tcpdump doesn't have an option to assemble TCP sessions from packets directly, but you can "fake" it by using what I call "the tcpdump strings trick".

The tcpdump Strings Trick

Usually when I'm capturing traffic, it's just for the purpose of casual analysis. The data doesn't need to be perfect if it shows me what I'm looking for and helps me gain some insight.
In these cases, speed and convenience reign supreme. The following trick is along these lines and is one of my favorite tcpdump techniques. It works because:
  1. TCP segments usually are sent in chronological order.
  2. Text-based application protocols produce TCP segments with text payloads.
  3. The data surrounding the text payloads, such as packet headers, is usually not text.
  4. The UNIX command strings filters out binary data from streams preserving only text (printable characters).
  5. When tcpdump is called with -w - it prints raw packets to STDOUT.
Put it all together, and you get a command that dumps real-time HTTP session data:

tcpdump -l -s0 -w - tcp dst port 80 | strings

The -l option above turns on line buffering, which makes sure data gets printed to the screen right away.
What is happening here is tcpdump is printing the raw, binary data to the screen. This uses a twist on the -w option where the special filename - writes to STDOUT instead of a file. Normally, doing this would display all kinds of gibberish, but that's where the strings command comes in—it allows only data recognized as text through to the screen.
There are few caveats to be aware of. First, data from multiple sessions received simultaneously is displayed simultaneously, clobbering your output. The more refined you make the filter expression, the less of a problem this will be. You also should run separate commands (in separate shells) for the client and server side of a session:

tcpdump -l -s0 -w - tcp dst port 80 | strings
tcpdump -l -s0 -w - tcp src port 80 | strings

Also, you should expect to see a few gibberish characters here and there whenever a sequence of binary data also happens to look like text characters. You can cut down on this by increasing min-len (see the strings man page).
This trick works just as well for other text-based protocols.

HTTP and SMTP Analysis

Using the strings trick in the previous section, you can capture HTTP data even though tcpdump doesn't actually understand anything about it. You then can "analyze" it further in any number of ways.
If you wanted to see all the Web sites being accessed by "davepc" in real time, for example, you could run this command on the firewall (assume the internal interface is eth1):

tcpdump -i eth1 -l -s0 -w - host davepc and port 80 \
  | strings | grep 'GET\|Host'

In this example, I'm using a simple grep command to display only lines with GET or Host. These strings show up in HTTP requests and together show the URLs being accessed.
This works just as well for SMTP. You could run this on your mail server to watch e-mail senders and recipients:

tcpdump -l -s0 -w - tcp dst port 25 | strings \
  | grep -i 'MAIL FROM\|RCPT TO'

These are just a few silly examples to illustrate what's possible. You obviously could take it beyond grep. You could go as far as to write a Perl script to do all sorts of sophisticated things. You probably wouldn't take that too far, however, because at that point, there are better tools that actually are designed to do that sort of thing.
The real value of tcpdump is the ability to do these kinds of things interactively and on a whim. It's the power to look inside any aspect of your network whenever you want without a lot of effort.

Debugging Routes and VPN Links

tcpdump is really handy when debugging VPNs and other network connections by showing where packets are showing up and where they aren't. Let's say you've set up a standard routable network-to-network VPN between 10.0.50.0/24 and 192.168.5.0/24 (Figure 2).
illustration of a standard routable network-to-network VPN Figure 2. Example VPN Topology
If it's operating properly, hosts from either network should be able to ping one another. However, if you are not getting replies when pinging host D from host A, for instance, you can use tcpdump to zero in on exactly where the breakdown is occurring:

tcpdump -tn icmp and host 10.0.50.2

In this example, during a ping from 10.0.50.2 to 192.168.5.38, each round trip should show up as a pair of packets like the following, regardless of from which of the four systems the tcpdump command is run:

IP 10.0.50.2 > 192.168.5.38: ICMP echo request, 
 ↪id 46687, seq 1, length 64
IP 192.168.5.38 > 10.0.50.2: ICMP echo reply, 
 ↪id 46687, seq 1, length 64

If the request packets make it to host C (the remote gateway) but not to D, this indicates that the VPN itself is working, but there could be a routing problem. If host D receives the request but doesn't generate a reply, it probably has ICMP blocked. If it does generate a reply but it doesn't make it back to C, then D might not have the right gateway configured to get back to 10.0.50.0/24.
Using tcpdump, you can follow the ping through all eight possible points of failure as it makes its way across the network and back again.

Conclusion

I hope this article has piqued your interest in tcpdump and given you some new ideas. Hopefully, you also enjoyed the examples that barely scratch the surface of what's possible.
Besides its many built-in features and options, as I showed in several examples, tcpdump can be used as a packet-data conduit by piping into other commands to expand the possibilities further—even if you do manage to exhaust its extensive "advertised" capabilities. The ways to use tcpdump are limited only by your imagination.
tcpdump also is an incredible learning tool. There is no better way to learn how networks and protocols work than from watching their actual packets.
Don't forget to check out the tcpdump and pcap-filter man pages for additional details and information.

The tcpdump/libpcap Legacy

tcpdump has been the de facto packet capture tool for the past 25 years. It really did spawn the whole genre of network utilities based on sniffing and analyzing packets. Prior to tcpdump, packet capture had such high processing demands that it was largely impractical. tcpdump introduced some key innovations and optimizations that helped make packet capture more viable, both for regular systems and for networks with a lot of traffic.
The utilities that came along afterward not only followed tcpdump's lead, but also directly incorporated its packet capture functionality. This was possible because very early on, tcpdump's authors decided to move the packet capture code into a separate portable library called libpcap.
Wireshark, ntop, snort, iftop, ngrep and hundreds of other applications and utilities available today are all based on libpcap. Even most packet capture applications for Windows are based on a port of libpcap called WinPcap.

Resources

tcpdump and libpcap: http://www.tcpdump.org
Wireshark: http://www.wireshark.org
TCP/IP Model: http://en.wikipedia.org/wiki/TCP/IP_model

الطب النبوي والتهاب الجيوب الأنفية



بقلم: د. هشام بدر الدين المشد 
دكتوراه أنف وأذن وحنجرة


التهابات الجيوب الأنفية منتشرة ويعانى منها كثير من الناس رجالا ونساء؛ كبارا وصغارا، وأكثر أعراضها انتشارا هو الصداع الذي قد يحيل حياة المريض إلى جحيم لا يطاق، ليس هذا فحسب إنما تكمن خطورتها الحقيقية فيما قد تسببه من مضاعفات قد تذهب بالبصر إذا لم يُحسَن علاجها في الوقت المناسب، ولكي نتفهم حجم المشكلة وطبيعتها وكيفية الوقاية منها وعلاجها سنناقش في هذا البحث الجوانب العلمية المتعلقة بالتعرف على التركيب التشريحي للجيوب الأنفية ووظائفها وأسباب الأمراض التي تحدث فيها ومضاعفاتها وكيفية تشخيصها وعلاجها في الطب الحديث، ثم نقدم العلاج النبوي لهذه الظاهرة المرضية، ثم نبين وجه الإعجاز العلمي في الوصفة النبوية لهذا المرض العضال. 
  
أولا: التحقيق العلمي


ما هي الجيوب الأنفية؟ 
بداية يجب أن نصحح التسمية، فالترجمة الصحيحة للكلمة هى الجيوب الجار أنفية، وهذه التسمية تعطى تصوراً حقيقياً عن ماهية هذه الجيوب وطبيعتها، فهي مجموعة من التجاويف في عظمة الجمجمة محيطة بالأنف من الناحيتين اليمنى واليسرى ومبطنة بغشاء مخاطي يشبه إلى حد بعيد ذلك الذى يبطن الأنف نفسه، ويفرز هذا الغشاء إفرازات تساعدها على القيام بالوظائف التي تناط بها وتْصّرف هذه الإفرازات عن طريق ثقوب دقيقة جداً إلى تجويف الأنف ثم إلى البلعوم الأنفي حيث تستقر بعد ذلك في المعدة، وهذه التجاويف هي: 
1- الجيب جار الأنفي الوجني (79%): يوجد أسفل العين، ومتوسط حجمه في البالغين 15 مم3. 
2- الجيب جار الأنفي الجبهي (41%): يوجد فوق العين وتحت المخ، ومتوسط حجمه في البالغين 7مم3. 
3- الجيب جار الأنفي الغربالي (93%): يوجد بين العينين وهو مجموعة من الجيوب الصغيرة (7-15مم). 
4- الجيب جار الأنفي الوتدي (22%): يوجد خلف الأنف وتحت الغدة الصنوبرية، ومتوسط حجمه 7مم3.

وظائف الجيوب الأنفية:

وللجيوب الأنفية عدة وظائف نذكر منها: 
1- ترطيب وتدفئة وتنقية هواء الشهيق: وحتى ندرك مدى أهمية وعظمة هذه الوظيفة علينا أن نعرف أن الأنف وما يجاورها من الجيوب الأنفية تؤدي هذه الوظيفة لكمية الهواء المستنشق يوميا، وهى كمية هائلة تصل إلى (10000-20000 لتر يوميا).


وهى تقوم بذلك بواسطة: 
الغشاء المخاطي: وهو يفرز نوعين من السائل المخاطي في طبقتين أحدهما لزجة وتوجد على السطح ونظراً للزوجتها فإن الجراثيم وذرات الغبار تلتصق بها، أما الطبقة الثانية فهي أقل لزوجة وتوجد تحت الأولى وتعمل كالسير الذى ينقل الحقائب، حيث تقوم بنقل الطبقة العليا بما تحويه من جراثيم وغبار إلى الأنف خلال فتحاتها الدقيقة جداً ثم إلى البلعوم بسرعة 1سم في الدقيقة، وهذه الطبقة تحتوى على إنزيمات تستطيع أن تقضى على كثير من البكتريا والفيروسات والباقي يتم التعامل معه بعد ذلك عندما يْبلع إلى المعدة. وكمية السائل المخاطي التي تفرز في اليوم تبلغ 1000 مم3.


الأهداب: وهى شعيرات بالغة الدقة وتعمل في دأب ونشاط ولا تمل، إذ تتحرك في اتجاهين: 
الأولى: حركة قوية وفعالة في اتجاه فتحات الجيوب الأنفية. 
والثانية: حركة ضعيفة وأقل فعالية في الاتجاه المضاد، وهى تتحرك 700 حركه في الدقيقة.

والجفاف من أهم العوامل التي تعوق هذه الحركة ومن ثم فهو يساعد على حدوث الالتهابات.
شبكة معقدة جدا من الشعيرات الدموية والأوردة والشرايين الصغيرة: وتتغير كمية الدم المندفعة في هذه الشبكة زيادة ونقصانا حسب الاختلاف في درجات الحرارة بين الجسم والجو الخارجى. فإذا كان الهواء الخارجى شديد البرودة، فإن كمية الدم المندفعة إلى هذه الشبكة تزداد لتتمكن من تدفئة الهواء الداخل إلى الرئتين والعكس صحيح.
وهناك ما يعرف بالدورة الأنفية وهي تحدث بآلية معينة بحيث تتمدد الأوعية الدموية في الغشاء المخاطي بإحدى فتحتى الأنف فيندفع الدم فيها وينتفخ الغشاء المخاطي وبالتالى يقل الفراغ المتاح لمجرى النفس فتقل كميته وسرعته مما يتيح له فرصة أطول لاكتساب كمية أكبر من حرارة الغشاء المخاطى فترتفع درجة حرارة الهواء الداخل من هذه الفتحة، ويحدث العكس تماما في الفتحة الأخرى، حيث تنقبض الأوعية الدموية فينكمش الغشاء المخاطي فيزيد فراغ مجرى النفس فتندفع كمية كبيرة من الهواء بسرعة وبذلك لا تكتسب نفس الحرارة التي اكتسبتها الجهة الأخرى، وعندما يتقابل الهواء من الناحيتين في البلعوم الأنفي يختلطان بحيث تكون درجة حرارة هذا الخليط ملائمة تماما لدرجة حرارة الجسم، وتحدث هذه الدورة بالتبادل بين الناحيتين فتتمدد اليمنى وتنقبض اليسرى في وقت معين ثم ينعكس الوضع في الدورة التالية وهكذا.
وهى عملية بالغة التعقيد ويتحكم فيها عديد من العوامل وحتى نُبسط الأمور فيمكن تشبيهها بما يحدث في خلاط صنبور المياه، فإذا أردت ماءً ساخناً تفتح صنبور الماء الساخن بدرجة كبيرة وصنبور الماء البارد بدرجة أقل، وبتحكمك في درجة فتح الصنبورين تستطيع التحكم في درجة حرارة الماء.
2- تخفيف وزن الجمجمة: لو تخيلت هذه التجاويف مصمتة فكم سيكون وزن الجمجمة؟
3- تحسين نغمة الصوت: وهذا ما نلمسه عادة فيمن يصاب بأدوار البرد والزكام من تغير في نغمة صوته نتيجة لعدم قيام الجيوب الأنفية بهذا الدور آنذاك نظرا لانسدادها بفعل الالتهاب.

أساس المشكلة: 
تبدأ مشاكل الجيوب الأنفية بانسداد فتحة جيب أو أكثر من الجيوب الأنفية، وذلك يؤدى إلى تقليل أو توقف التهوية وكذلك تصريف الإفرازات من الجيب الأنفي وهذا يؤدي بدوره إلى تراكم هذه الإفرازات، مما يؤدي إلى تلف الأهداب والخلايا الحاملة لها، وهذا يهيئ الظروف لنشاط الميكروبات المرضية وتحول الميكروبات غير الضارة إلى ضارة، وهذه تؤدى إلى التهابات وتورم في الغشاء المخاطى، مما يؤدى بدوره إلى مزيد من انسداد الفتحات، وهكذا تبدأ الدائرة المفرغة.


التشخيص: 
تنقسم التهابات الجيوب الأنفية إلى التهابات حادة وأخرى مزمنة.


أولا: الالتهابات الحادة وتنقسم أعراضها إلى: 
أعراض عامة: مثل الحمى والصداع وفقدان الشهية.


أعراض موضعية: 
1- انسداد الأنف. 
2- إفرازات مخاطية. 
3- اعتلال حاسة الشم. 
4- آلام في المنطقة السطحية المغطية للجيب أو الجيوب الأنفية المصابة، كآلام تحت العين في حالات التهاب الجيب الأنفي الوجني، وآلام في الجبهة في حالة التهاب الجيب الأنفي الجبهي، وآلام بين العينين عند التهاب الجيب الأنفي الغربالي، وآلام خلف العينين ومؤخرة الرأس في حالة التهاب الجيب الأنفي الوتدي.

ومما يجدر الإشارة إليه هنا أن الصداع في حالة التهابات الجيوب الأنفية يبدأ عادة في الصباح بعد الاستيقاظ من النوم ثم يأخذ في التحسن تدريجيا خلال 3 أو 4 ساعات بعد ذلك.
والعلامات التي قد تصاحب هذا الالتهاب عبارة عن تورم واحمرار في الجلد المغطى للجيب أو الجيوب الانفية المصابة.

ثانيا: الالتهابات المزمنة وتنقسم أعراضها أيضا إلى: 
أعراض عامة: مثل الصداع والآلام الروماتيزمية والتهابات في الأذن الوسطى والبلعوم والحنجرة.

أعراض موضعية: تشبه إلى حد بعيد تلك التي توجد في حالة الالتهاب الحاد إلا أنها أقل في حدتها ولكن مدتها أطول.
وأما العلامات التي تميز الالتهاب المزمن فأهمها احتقان الغشاء المخاطي للأنف ووجود إفرازات خلف أنفية يحس بها المريض في حلقه.
أما أهم الفحوصات التي تؤكد التشخيص وتساعد كذلك في تحديد العلاج فأهمها الأشعة المقطعية.

المضاعفات: 
وتنقسم إلى مضاعفات بالجمجمة، وداخل الجمجمة، وخارج الجمجمة. 
- مضاعفات بالجمجمة: التهاب أو خُرّاج بعظام الجمجمة أو ناصور. 
- مضاعفات خارج الجمجمة: التهابات بالعين وضمور بالعصب البصري مما قد يؤدى إلى العمى. 
- مضاعفات داخل الجمجمة: التهاب بالأغشية المحيطة بالمخ وخُرّاج بالمخ.


العلاج الطبي: 
أ) علاج دوائي: مضاد حيوى (يستحسن أن يكون حسب مزرعة للحساسية)، مضاد للهستامين، قابض للأوعية الدموية وغسول للأنف.

ب) علاج جراحي: باستخدام الميكروسكوب أو المنظار الجراحي، وغسول للأنف قبل وبعد العملية فهو يستخدم كعلاج من المرض وكذلك كوقاية لعودته مرة أخرى، حيث يعمل على إزالة الإفرازات أولا بأول وكذلك يرطب الأهداب ويحميها من الجفاف الذى يعتبر من أهم أسباب الالتهابات.

وتكمن أهمية الغسول في نقطتين أساسيتين: 
أ) التنظيف والإزالة: 
1- للغبار والجراثيم التي يتعرض لها الأنف من الخارج، وهذا ما أثبتته دراسات علمية كثيرة منها على سبيل المثال رسالة الماجستير التي أجريت في طب الإسكندرية وخلصت إلى أن نمو الجراثيم الممرضة في المزارع التي أخذت من أنوف المتوضئين كان أقل كثيرا من مثيلاتها التي أخذت من غير المتوضئين.

2-  للإفرازات التي يتم إفرازها من الغشاء المخاطي للأنف،
3- وهناك طريقة أخرى للتنظيف لا تقل أهمية عما سبق، وهى إزالة مسببات الحساسية (الأنتيجينات) مثل حبوب اللقاح، بل إن هناك نظرية تفسر كثرة الإفرازات المائية كعرض من أعراض الحساسية على أنها نوع من التنظيف الذاتي للأنف حتى تتخلص من هذه المسببات فتقل بذلك فرصة تلامسها للغشاء المخاطى، ومن ثم تقل حدة التفاعلات وبالتالى حدة أعراض الحساسية الأخرى كالحكة والعطس وانسداد الأنف.

ب) ترطيب الأهداب: 
والمحافظة على ليونتها وبذلك تعمل في بيئة مثالية حيث إن الجفاف من أشد أعداء هذه الأهداب.


وحتى يؤدى الغسول دوره كما ينبغى يجب ان تتوفر له صفتان اساسيتان: 
1- الاستمرارية: وذلك لأن الأنف يتعرض بصفة مستمرة للأتربة والميكروبات وكذلك الإفرازات التي تفرز من الأنف، فكما ان هذه الاشياء لا تتوقف، فيجب كذلك أن يكون الغسول باستمرار.

2- الغسول العميق: حتى يصل إلى ثنايا التجويف الانفي العميقة وبذلك يتمكن الغسول من تنظيف هذه المناطق الداخلية.
وأقصى ما طمحوا له في ذلك أن يستعمل المريض الغسول بصفة مستمرة كفرشة الأسنان، اى مرة أو مرتين يوميا على الأكثر.
ونظرا لأهمية هذا الموضوع فقد أنشأوا له عدة مواقع على الشبكة العنكبوتية العالمية (انترنت) تتحدث كلها عن أهمية الغسول وكيفيته.
وستجد بثبت المراجع عدة مصادر أجنبية كلها تتحدث عن أهمية الغسول في العلاج الدوائي أو الجراحي، وتبعا لنوع الالتهاب فإنهم يضيفون بعض الإضافات إلى الغسول مثل كلوريد الصوديوم (ملح الطعام) أو كربونات الصوديوم أو مضادات الفطريات وذلك تبعا لنوع الميكروب المسبب للمرض ولكن تبقى العلة من استخدام الغسول ثابتة باستمرار وهى التنظيف والترطيب وبالشرطين المذكورين وهما الاستمرارية وأن يصل الغسول إلى عمق الأنف.
ولكن لأنهم لا يعرفون الهدى النبوي فقد تحيروا في ابتكار أجهزة عديدة تقوم بعملية الغسول وإيصاله إلى عمق تجويف الأنف وكذلك للجيوب الأنفية، وبالرغم من أن بعضها يقوم بهذه العملية بكفاءة فإن العيب الرئيسى يبقى وهو صعوبة استخدامها على المدى الطويل وتكرار ذلك حيث إن تكرار الغسيل واستمراريته هو الضمان الوحيد لعدم التهاب الجيوب من الأصل وكذلك لعدم تكرار الالتهاب بعد العلاج والعيب الثاني لهذه الأجهزة هو ارتفاع ثمنها.

 ثانيا: العلاج النبوي 
تكمن عبقرية الحل النبوي في كفاءته وفاعليته في العلاج وكذلك الوقاية، ثم أيضا بسبب سهولة استخدامه وسهولة تكراره، وأهم من ذلك أنه ربما يكون بدون تكلفة على الإطلاق بل يثاب من يفعله بنيه.

والحديث الذى جاء بالحل رواه الخمسة ابن ماجة والنسائي وأحمد والترمذي وابن داود وصححه الترمذي وقال حديثٌ حسنٌ صحيح.
عَنْ عَاصِمِ بْنِ لَقِيطِ بْنِ صَبْرَةَ عَنْ أَبِيهِ لَقِيطِ بْنِ صَبْرَةَ قَالَ: قُلْتُ يَا رَسُولَ اللَّهِ أَخْبِرْنِي عَنْ الْوُضُوءِ قَالَ أَسْبِغْ الْوُضُوءَ وَخَلِّلْ بَيْنَ الْأَصَابِعِ وَبَالِغْ فِي الِاسْتِنْشَاقِ إِلَّا أَنْ تَكُونَ صَائِمًا.
(أَسْبِغْ الْوُضُوء): بِفَتْحِ الْهَمْزَة، أَيْ أَبْلِغْ مَوَاضِعه، وَأَوْفِ كُلّ عُضْو حَقّه وَتَمِّمْهُ وأكمله، كمية وكيفية بالتثليث والدلك وتطويل الغرة ولا تَتْرُك شَيْئًا مِنْ فَرَائِضه وَسُنَنه.
(وَخَلِّلْ بَيْن الْأَصَابِع): التَّخْلِيل: تَفْرِيق أَصَابِع الْيَدَيْنِ وَالرِّجْلَيْنِ فِي الْوُضُوء، وَأَصْله مِنْ إِدْخَال شَيْء فِي خِلال شَيْء وَهُوَ وَسَطه.
قَالَ الْجَوْهَرِيّ: وَالتَّخْلِيل: اِتِّخَاذ الْخَلّ وَتَخْلِيل اللِّحْيَة وَالأصَابِع فِي الْوُضُوء، فَإِذَا فَعَلَ ذَلِكَ قَالَ: تَخَلَّلْت.
ويوضع الشاهد في الحديث قوله؟ (وبالغ في الاستنشاق): بإيصال الماء إلى باطن الأنف بل إلى البلعوم حيث فٌهم ذلك من الجزء الأخير من الحديث (إلا أن تكون صائماً).

ثالثا: وجه الإعجاز في الحديث 
هو اختيار الرسول؟ المبالغة في الاستنشاق بالذات، فبرغم من أمره ؟ بالإسباغ في أعضاء الوضوء كلها إلا أنه اختص الأنف بمزيد عناية واهتمام، ولأنه ؟ أوتى مجامع الكلم، فقد اختار كلمة واحدة شملت كل الصفات اللازمة في الغسول، فالمبالغة تعنى الكثرة الكمية والنوعية. فالمبالغة الكمية تعني كثرة عدد الغسلات، أى الاستمرارية التي أشرنا لها في صفات الغسول الفعال، بالإضافة إلى ترغيبه ؟ في أحاديث كثيرة في أن يظل المسلم على طهارة باستمرار.

وأما المبالغة النوعية فتعنى المبالغة في إيصال الماء إلى داخل عمق تجويف الأنف حتى تصل إلى البلعوم في غير نهار الصيام.
ثم إن هذه الكلمة بالذات «المبالغة» تسترعى الانتباه، فما بال رسول الوسطية والاعتدال يدعو إلى المبالغة؟، فأمر الدين كله مبنى على التوسط والقصد، في الأكل (كلوا واشربوا ولا تسرفوا)، وفى الإنفاق (ولا تجعل يدك مغلولة إلى عنقك ولا تبسطها كل البسط)، بل حتى وفى العبادات (ألا إني أصوم وأفطر وأقوم وأنام وأتزوج النساء، فمن رغب عن سنتى فليس منى)، فما الذي دعا المعصوم والذى لا ينطق عن الهوى صلوات ربى وتسليماته عليه أن يعدل عن هذا المنهج الثابت المطرد إلى المبالغة؟، فلابد أن ذلك لسبب مهم وحكمة بالغة.
فقد رأينا أن الشق العلمي في الموضوع، وهو أهمية غسول الأنف في علاج التهابات الجيوب الأنفية والوقاية منها، حقيقة علمية مؤكدة بالمراجع العلمية، فكثرة غسول الأنف لابد أن يؤدى إلى تنظيفها وإزالة الإفرازات والجراثيم منها ومن ثم حمايتها من الالتهابات.
أما الشق الشرعي، فهو دلالة الألفاظ الواضحة في هذا الحديث العظيم فليس أدق ولا أبلغ من كلمة المصطفى ؟ (وبالغ في الاستنشاق) لتحقيق ما يصبوا إليه العلماء في الوقاية والعلاج من الالتهابات المزمنة للجيوب الأنفية.
فالحمد لله الذي هدانا لهذا وما كنا لنهتدي لولا أن هدانا الله.
فوصيتي لكم أيها المتوضئون
أن بالغـوا في الاستنـشـاق وقاية..
وبالغوا في الاستنشاق شفاء..
وأهم من كل ذلك..
بالغوا في الاستنشاق سنة واقتداء..
المصدر: موقع الهيئة العالمية للإعجاز العلمى فى القرآن والسنة

Troubleshooting faulty network connectivity, part 2: Essential network commands


In my previous article describing the troubleshooting steps for faulty TCP/IP connections, I mentioned several commands such as ping, traceroute, and ipconfig that could assist you in pinpointing problematic network components. These commands and several others like them are commonly referred to as TCP/IP utilities because they are tools that let you perform diagnostics and queries on the network which you are examining.
To compliment Part 1 of this two-part series, Part 2 is a reference list of the TCP/IP utilities which will describe the intended uses and options for each. These tools natively run in command line interface (CLI) environments (or in Linux and Unix, “shell prompts”), but as several entries in this blog show, there are a great many graphical utilities available that let you use the TCP/IP utilities (and view their output) in graphical format. In this article, however, I will stick with the default CLI usage and functionality.
When working in a CLI environment in Windows, I prefer to use Windows PowerShell as opposed to the default Windows command prompt (cmd.exe).
Remember: the best way to learn and understand these tools is to practice and experiment with them. Also bear in mind that knowledge of these commands is essential during ethical hacking efforts.

Jump to:

Arp

The arp command lets you view and manage the Address Resolution Protocol (ARP) cache. In other words, arp displays and modifies the IP address-to-MAC address translation tables used by the ARP protocol. In order for the arp command to be meaningful and helpful, you need to first understand the purpose of the Address Resolution Protocol. As DNS translates between host names and IP addresses, ARP translates between MAC addresses (Layer 2) and IP addresses (Layer 3). When a host attempts to communicate with another host on the same subnet, it must first know the destination host’s MAC address. If there is no entry in the sending host’s ARP cache for the destination MAC address, ARP sends out a broadcast (to all hosts in the subnet) asking the host with the target IP address to send back its MAC address. These IP-to-MAC mappings build up in the ARP cache which the arp command lets you view and modify.
Be aware that the ARP cache is a tempting target for hackers. It can be vulnerable to cache poisoning attacks in which false entries are inserted into the ARP cache, causing the compromised host to unknowingly send data (often unencrypted) to the attacker.
The default arp command syntax in Windows is:
arp -s inet_addr eth_addr [if_addr]
arp -d inet_addr [if_addr]
arp -a [inet_addr] [-N if_addr] [-v]

Arp command switches (Windows)

Description

arp -a or arp -g Displays both the IP and MAC addresses in the ARP cache for all network interfaces using ARP.
arp -d [inet_addr]
Deletes all entries from the ARP cache which causes ARP queries for local network hosts to be re-processed. For example, arp -d 10.57.10.32.
arp -N [if_addr]
Displays the ARP entries for the network interface specified by [if_addr]. Used in conjunction with -a or -g. For example: arp -a -N 192.168.20.15, where 192.168.20.15 is the IP address of your (or one of your) network interfaces.
arp -s Adds a static (“permanent”) entry to the ARP cache. This command is a countermeasure to ARP spoofing attacks. For example, this command adds a static entry: arp -s 157.55.85.212 00-aa-00-62-c6-09.
arp -v Displays current ARP entries in verbose mode. All invalid entries and entries on the loopback interface will be shown. Used in conjunction with arp -a or arp -g.
[eth_addr] Specifies a physical (MAC) address.
[if_addr] If present, this specifies the Internet address of the interface on your computer whose address translation table should be modified. Useful if your computer has multiple network interfaces. If not present, the first applicable interface will be used.
[inet_addr] Specifies an IP address entry in the ARP cache. Used in conjunction with -a or -g. For example, the command arp -a 192.168.10.20 will query the cache to display the MAC address of host 192.168. 10.20.
.
The default arp command syntax in Linux is as follows:
arp [-evn] [-H type] [-i if] -a [hostname]
arp [-v] [-i if] -d hostname [pub]
arp [-v] [-H type] [-i if] -s hostname hw_addr [temp]
arp [-v] [-H type] [-i if] -s hostname hw_addr [netmask nm] pub
arp [-v] [-H type] [-i if] -Ds hostname ifa [netmask nm] pub
arp [-vnD] [-H type] [-i if] -f [filename]
Each complete entry in the ARP cache will be marked with the C (complete) flag. Permanent entries are marked with M (perManent) and published entries have the P (publish) flag.

Arp command switches (Linux)

Description

arp -a [hostname] or –all [hostname]
Shows the entries of the specified hosts. If the [hostname] parameter is not used, all entries will be displayed.
arp -d [ip_addr] or –delete [ip_addr]
Removes the ARP cache entry for the specified host. arp -d * will delete all hosts in the cache (note the space between -d and *).
arp -D or –use-device
Uses the hardware address associated with the specified interface.
arp -e Shows the entries in default (Linux) style.
arp -f [filename] or –file [filename]
Similar to the -s option, only this time the address info is taken from file that [filename] set up. The name of the data file is very often /etc/ethers, but this is not official. If no [filename] is specified, /etc/ethers is used as default.
arp -H or –hw-type [type] or -t [type]
When setting or reading the ARP cache, this optional parameter tells arp which class of entries it should check for. The default value of this parameter is ether (i.e. hardware code 0×01 for IEEE 802.3 10Mbps Ethernet).
arp -i [int] or –device [int]
Selects an interface. When dumping the ARP cache only entries matching the specified interface will be printed. For example, arp -i eth0 -s 10.21.31.41 A321.ABCF.321A creates a static ARP entry associating IP address 10.21.31.41 with MAC address A321.ABCF.321A on eth0.
arp -n or –numeric
Shows IP addresses instead of trying to determine domain names.
arp -s [hostname] [hw_addr] or –set [hostname]
Manually creates a static ARP address mapping entry for host [hostname] with the hardware address set to [hw_addr].
arp -v Uses verbose mode to provide more details.

Hostname

If you are unsure of the host name of the computer you are working on, the hostname command will display it. In Linux and Unix you can use hostname to configure the host name and associated options.

Hostname command (Windows)

Description

hostname Prints the name of the current host where the name is the host name portion of the full computer name.
.
The hostname command syntax in Linux is as follows:
hostname [-v] [-a] [-d] [-f] [-A] [-i] [-I] [--all-ip-addresses] [--long] [-s] [-y]
hostname [-v] [-b] [-F filename] [--file filename] [hostname]
hostname [-v] [-h] [-V]

Hostname command switches (Linux)

Description

hostname [hostname] Sets the host name.
hostname -a or –alias Displays the alias name of the host (if used).
hostname -A or –all-fqdns Displays all FQDNs of the machine. This option enumerates all configured network addresses on all configured network interfaces, and translates them to DNS domain names. Addresses that cannot be translated (i.e. because they do not have an appropriate reverse DNS entry) are skipped.
hostname -b or –boot Always set a hostname; this allows the file specified by -F to be non-existant or empty, in which case the default hostname localhost will be used if none is yet set.
hostname -d or –domain
Displays the DNS domain name.
hostname -f or –fqdn or –long
Displays the fully qualified domain name.
hostname -F [file] or –file [file]
Consults [file] for host name.
hostname -h or –help
Displays a help message.
hostname -i or–ip-addresses Displays the host IP address.
hostname -I or –all-ip-addresses Displays all network addresses of the host. This option enumerates all configured addresses on all network interfaces except the loopback interface and IPv6 link-local addresses. Unlike option -i, this option does not depend on name resolution.
hostname -s or –short
Trims domain information from the display output.
hostname -v or –verbose
Verbose mode
hostname -V or –version Displays the version information and then exits.
hostname -y or –yp or -nis [domain name] Displays the NIS domain name or sets a new NIS domain name with [domain name].

Ifconfig

The ifconfig command displays and configures the parameters for host network interfaces (e.g., IP address, subnet mask and default gateway) on Linux and Unix. Its Windows counterpart is ipconfig. When used without arguments, ifconfig displays the current configurations for all network interfaces (such as your NIC, wireless adapter, and loopback). Interface names are numbered starting at zero: eth0, eth1, wlan0, wlan1, etc.
The standard ifconfig command syntax is as follows:
ifconfig [interface or address_family type] options | address …

Ifconfig command switches

Description

ifconfig
Displays details on all network interfaces.
ifconfig [interface]
The name of the interface. This is usually a driver name followed by a unit number; for example, eth0 for the first Ethernet interface. Eth0 will usually be a PC’s primary network interface card (NIC).
ifconfig [address_family]
To enable the interpretation of differing naming schemes used by various protocols, [address_family] is used for decoding and displaying all protocol addresses. Currently supported address families include inet (TCP/IP, default), inet6 (IPv6), ax25 (AMPR Packet Radio), ddp (Appletalk Phase 2), ipx (Novell IPX) and netrom (AMPR Packet radio).
ifconfig [interface] add [address/prefixlength]
Add an IPv6 address to the [interface].
ifconfig [interface] address [address] Assigns the specified IP [address] to the specified [interface].
ifconfig [interface] allmulti or -allmulti Enables or disables all-multicast mode If selected, all multicast packets on the network will be received by the interface. This enables or disables the sending of incoming frames to the kernel’s network layer.
ifconfig [interface] arp or -arp Enables or disables the use of the ARP protocol on this [interface].
ifconfig [interface] broadcast [address] Specifies the address to use to use for broadcast transmissions. By default, the broadcast address for a subnet is the IP address with all ones in the host portion of the subnet address (i.e., a.b.c.255 for a /24 subnet).
ifconfig [interface] del [address/prefixlength] Remove an IPv6 address from the [interface].
ifconfig [interface] down Disables the [interface].
ifconfig [interface] hw [class] [address] Sets the hardware (MAC) address of this [interface], if the device driver supports this operation. The keyword must be followed by the name of the hardware class and the printable ASCII equivalent of the hardware address. Hardware classes currently supported include ether (Ethernet), ax25 (AMPR AX.25), ARCnet and netrom (AMPR NET/ROM).
ifconfig [interface] io_addr [address] Sets the start [address] in I/O space for this device.
ifconfig [interface] irq [address] Sets the interrupt line used by the network interface.
ifconfig [interface] mem_start [address] Sets the start address for shared memory of the interface.
ifconfig [interface] media [type] Sets physical port or medium type. Examples of [type] are 10baseT, 10base2, and AUI. A [type] value of auto will tell the interface driver to automatically determine the media type (driver support for this command varies).
ifconfig [interface] mtu [n] Sets the Maximum Transfer Unit (MTU) of an interface to [n].
ifconfig [interface] multicast Sets the multicast flag on the interface (should not normally be needed as the drivers set the flag correctly themselves).
ifconfig [interface] netmask [mask_address]
Sets the IP subnet mask for this interface. This value defaults to the standard Class A, B, or C subnet masks (based on the interface IP address) but can be changed with this command.
ifconfig [interface] pointopoint or -pointopoint
Enables or disables point-to-point mode on this interface
ifconfig [interface] promisc or -promisc
Enables or disables promiscuous mode on the interface.
ifconfig [interface] txquelen [n] Sets the transmit queue length on the interface. Smaller values are recommended for connections with high latency (i.e., dial-up modems, ISDN, etc).
ifconfig [interface] tunnel [address] Creates a Simple Internet Transition (IPv6-inIPv4) device which tunnels to the IPv4 [address] provided.
ifconfig [interface] up Activates (enables) the interface.
.
For example, this command sets the IP address, subnet mask, and broadcast address for eth0:
ifconfig eth0 192.168.10.25 netmask 255.255.255.0 broadcast 192.168.10.255

Ipconfig

Ipconfig can display current TCP/IP network configuration values, update or release Dynamic Host Configuration Protocol (DHCP) allocated leases, and display, register, or flush Domain Name System (DNS) names. Its Linux/Unix counterpart is ifconfig.

ipconfig command switches

Description

ipconfig Displays details on the active network interface.
ipconfig /all Displays more details on both active and inactive network interfaces, including MAC address, DHCP server IP address, DNS server address(es), WINS server address(es), and whether or not NetBIOS Over TCP/IP is enabled.
ipconfig /allcompartments and /allcompartments /all Shows information or detailed information (all) about all network compartments.
ipconfig /displaydns Displays the contents of the DNS client resolver cache, which includes both entries preloaded from the local Hosts file and any recently obtained resource records for name queries. Similar to arp -a.
ipconfig /flushdns Flushes (deletes) the contents of the DNS client resolver cache. Similar to arp -d.
ipconfig /registerdns Initiates dynamic registration for the DNS names and IP addresses that are configured at a computer.
ipconfig /release and /release6 [adapter]
Releases (deletes) the dynamic (from DHCP) IPv4 or IPv6 parameters of all network interfaces (if no specific adapter name is specified. For example, ipconfig /release LO* releases only those interfaces starting with ‘Lo’).
ipconfig /renew and /renew6 [adapter] Initiates communication with a DHCP server and renews the dynamic IPv4 or IPv6 parameters of all or some network interfaces. For example, ipconfig /renew LO* renews all interfaces starting with ‘Lo’.
ipconfig /setclassid and /setclassid6 [adapter]
Modifies the DHCP or DHCPv6 class id. Classes can be vendor-defined or user-defined and are implemented by the DHCP administrator when certain clients need different default gateway or DNS server parameters.
ipconfig /showclassid and /showclassid6 [adapter] Displays the DHCP or DHCPv6 class id.

Nbtstat

Nbtstat is a Windows tool used to troubleshoot NetBIOS over TCP/IP name resolution problems. NetBIOS over TCP/IP is a networking protocol that allows legacy computer applications relying on the NetBIOS to be used on modern TCP/IP networks. Therefore, it is unlikely that NetBIOS over TCP/IP will be utilized within your network nowadays.
Nbtstat can check the state of current NetBIOS over TCP/IP (NetBT) connections, view and update the NetBIOS name cache, and determine the names registered with Windows Internet Name Service (WINS). If you are interested, nbtstat output is described on TechNet.
Do not confuse this command with netstat.
The standard nbtstat command syntax is:
nbtstat [ [-a RemoteName] [-A IP address] [-c] [-n] [-r] [-R] [-RR] [-s] [-S] [interval] ]

nbtstat command switches

Description

nbtstat -a [remote name]
Returns the NetBIOS name table and MAC address of the address card for the computer name specified.
nbtstat -A [remote IP address]
Lists the same information as nbtstat -a when given the target’s IP address.
nbtstat -c Displays the contents of the NetBIOS name cache, the table of NetBIOS names, and their resolved IP addresses.
nbtstat -n Displays the NetBIOS name table of the local computer. The status of ‘registered’ indicates that the name is registered either by broadcast or with a WINS server.
nbtstat -r Lists names resolved by broadcast and via WINS.
nbtstat -R Purges and reloads the remote cache name table.
nbtstat -RR Releases and then refreshes NetBIOS names for the local computer that is registered with WINS servers.
nbtstat -s Displays NetBIOS client and server sessions, attempting to convert the destination IP address to a name.
nbtstat -S Displays NetBIOS client and server sessions, listing the remote computers by destination IP address only.
[interval] Redisplays selected statistics, pausing every [interval] seconds between each display. Press Ctrl+C to stop redisplaying statistics.

Netstat

The netstat command displays the TCP/IP protocol statistics and active connections on the computer on which it was executed. Netstat is particularly useful when you suspect that there may be unauthorized connections to your computer (such as when a possible malware has occurred).Two popular graphical viewers for netstat are TCPEye and CurrPorts.
Netstat can be used to detect SYN floods that may be affecting a host. If you run a netstat command such as netstat -n -p TCP and you see many connections in the SYN_RECV state, you know some anomaly is occurring.
Do not confuse this command with nbtstat.
The standard netstat command syntax in Windows is:
netstat [-a] [-b] [-e] [-f] [-n] [-o] [-p proto] [-r] [-s] [-t] [interval]

Netstat command switches (Windows)

Description

netstat Shows the active connections for all outbound TCP/IP connections.
netstat -a Displays a more comprehensive list of active connections and the ports on which the computer is listening (includes UDP).
netstat -b Displays the executable involved in creating each connection or listening port.
netstat -e Displays Ethernet-related statistics.
netstat -f Displays Fully Qualified Domain Names (FQDN) for foreign addresses. With this option you can check if your PC is connected to suspicious websites.
netstat -n Displays active TCP connections; addresses and port numbers are expressed numerically; no attempt is made to determine host names.
netstat -o Displays the owning process ID (PID) associated with each connection. You can look up a PID with the Windows Task Manager.
netstat -p [proto]
Displays connection details for only a certain protocol, where [proto] can be TCP, UDP, TCPv6, or UDPv6. With the additional -s option, [proto] can be IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, or UDPv6.
netstat -r Displays the host’s routing table.
netstat -s Displays per-protocol statistics. By default, statistics are shown for IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, and UDPv6; the -p option may be used to specify a subset of the default.
netstat -t Displays the current connection offload state.
[interval] Specifies the length of time in seconds to wait before displaying fresh statistics.
.

Netstat command switches (Linux)

Description

netstat -a or –all
Shows both listening and non-listening sockets.
netstat -A [family] or –protocol=[family]
Specifies the address families for which connections are to be shown. [family] is a comma separated list of address family keywords like inet, unix, ipx, ax25, netrom, and ddp. This has the same effect as using the –inet, –unix (-x), –ipx, –ax25, –netrom, and –ddp options.
netstat -c or –continuous Configures netstat to refresh the displayed information every second until stopped.
netstat -C Prints routing information from the route cache.
netstat -e or –extend Displays an increased level of detail. Can be entered as twice (as –ee) for maximum details.
netstat -F Prints routing information from the forward information database (FIB).
netstat -g or –groups Displays multicast group membership information for IPv4 and IPv6.
netstat -i or –interface=[name]
Displays a table of all network interfaces, or the specified [name].
netstat -l or –listening
Shows only listening sockets (which are omitted by netstat be default).
netstat -M or –masquerade Displays a list of masqueraded connections (connections being altered by Network Address Translation).
netstat -n or –numeric
Show numerical addresses instead of trying to determine symbolic host, port or user names (skips DNS translation).
netstat –numeric-hosts Shows numerical host addresses but does not affect the resolution of port or user names.
netstat –numeric ports Shows numerical port numbers but does not affect the resolution of host or user names.
netstat –numeric-users Shows numerical user IDs but does not affect the resolution of host or port names.
netstat -N or –symbolic Displays the symbolic host, port, or user names instead of numerical representations. Netstat does this by default.
netstat -o or –timers Includes information related to networking timers.
netstat -p or –program Shows the process ID (PID) and name of the program to which each socket belongs.
netstat -r or –route
Shows the kernel routing tables.
netstat -s or –statistics
Displays summary statistics for each protocol.
netstat -t or –tcp
Filters results to display TCP only.
netstat -T or –notrim Stops trimming long addresses.
netstat -u or –udp
Filters results to display UDP only.
netstat -v or –verbose
Produces verbose output.
netstat -w or –raw Filter results to display raw sockets only.
netstat -Z or –context
Prints the SELinux context if SELinux is enabled. On hosts running SELinux, all processes and files are labeled in a way that represents security-relevant information. This information is called the SELinux context.
.
Some common netstat commands are: netstat -natp, netstat -t -listening, netstat -ntu, netstat -nap, netstat -ntulp, netstat -rne, and netstat -anp | grep [port_number]. Using the table above you can figure out what each of these commands does.

Nslookup, Dig, and Host

NSlookup (“name server lookup”) is a DNS query tool. This means that nslookup checks DNS records, domain host aliases, domain host services, and operating system information by querying DNS servers. Nslookup can also be used to perform DNS zone transfers and is useful when performing network footprinting during ethical hacking efforts. It has two modes: interactive and noninteractive. Interactive mode queries DNS servers for details about various hosts and domains. Noninteractive mode prints only the name and requested information for a host or domain.
Although it is still available by default on Windows and Linux/Unix, nslookup has been deprecated and further use is discouraged. It has effectively been replaced by its successors, the dig (Domain Information Groper) and host utilities. Unlike nslookup, they are not available natively on Windows and must be installed manually. There is a host command in Windows PowerShell but that is something different. You can install the Windows versions of dig and host by extracting them from BIND for Windows available here.
Dig is basically an improved version of nslookup. Host enables quick lookups of DNS server information and is used to find 1) the IP address of a given domain name and 2) the domain name of a given IP address.

Nslookup command switches (Windows)

Description

C:\>nslookup Enters interactive mode; prompt changes from C:> to >.
C:\>nslookup – [DNSserver]
Enters interactive mode using a particular DNS server.
C:\>nslookup [hostname] or [IPaddress] Queries DNS for the IP address of a particular host or vice versa.
C:\>nslookup [hostname or IPaddress] [DNSserver] Queries DNS for the IP address of a particular host (or vice versa) using a particular DNS server.
C:>nslookup -type=[type] Queries for a particular type of DNS records, where [type] can be: A, ANY, CNAME, GID, HINFO, MB, MG, MINFO, MR, MX, NS, PTR, SOA, TXT, UID, UINFO, WKS. DNS record types are described here and here.
C:>nslookup -type=MX [example.com] Queries for email records for domain example.com
>exit Exits interactive mode (back to noninteractive mode).
>finger Connects with the finger server on the current computer.
>help Displays a short summary of subcommands.
>ls [example.com] Lists information for a DNS domain.
>ls -a [example.com] Lists canonical names and aliases.
>ls -d [example.com] Lists all DNS records for example.com. Can be used to launch a zone transfer when connected to the SOA for a DNS zone. These transfers can be blocked in the DNS properties of the server.
>ls -t [type] [example.com] Lists records of the given RFC record [type] (e.g., A ,CNAME, MX, NS, PTR, etc.)
>lserver Changes the default server to the specified DNS domain.
>root Changes the default server to the server for the root of the DNS domain name space.
>server Changes the default server to the specified DNS domain.
>set Changes configuration settings that affect how lookups function.
>set all Prints the current values of the configuration settings.
>set class=X Changes the query class. The class specifies the protocol group of the information.
>set [no]d2 Turns exhaustive Debugging Mode on or off. All fields of every packet are printed.
>set [no]debug Turns Debugging Mode on or off.
>set [no]defname Appends the default DNS domain name to a single component lookup request. A single component is a component that contains no periods.
>set domain=NAME Changes the default DNS domain name to the name specified.
>set ignore Ignores packet truncation errors.
>set ixfrver=X Current version to use in IXFR transfer request.
>set [no]msxfr Use MS fast zone transfer.
>set port Changes the default TCP/UDP DNS name server port to the value specified.
>set querytype=X Changes the resource record type for the query.
>set [no]recurse Tells the DNS name server to query other servers if it does not have the information.
>set retry=X Sets the number of retries to X.
>set root=NAME Changes the name of the root server used for queries.
>set [no]search Appends the DNS domain names in the DNS domain search list to the request until an answer is received. This applies when the set and the lookup request contain at least one period, but do not end with a trailing period.
>set srchlist=N1[/N2/.../N6] Changes the default DNS domain name to N1 and search list.
>set timeout=X Changes the initial number of seconds to wait for a reply to a request.
>set type=X Changes the resource record type for the query.
>set [no]vc Specifies to use or not use a virtual circuit when sending requests to the server.
>set view Sorts and lists the output of the previous ls subcommand or commands.
>view Sorts and lists the output of the previous ls subcommand or commands.
.
The default nslookup command syntax in Linux is:
nslookup [-option] [name | -] [server]

Nslookup command switches (Linux)

Description

$ nslookup
Enters interactive mode; prompt changes from $ to >.
$ nslookup [hostname or IP address] Queries DNS for the IP address of a particular host or vice versa.
>exit Exits nslookup.
>host [server] Looks up information for host using the current default server or using server, if specified. If host is an Internet address and the query type is A or PTR, the name of the host is returned. If host is a name and does not have a trailing period, the search list is used to qualify the name.
>server [domain] or lserver [domain] Changes the default server to [domain]; lserver uses the initial server to look up information about [domain], while server uses the current default server. If an authoritative answer can’t be found, the names of servers that might have the answer are returned.
>set This command is used to change state information that affects the lookups.
>set all Prints the current values of the frequently used options to set. Information about the current default server and host is also printed.
>set class=[value] Changes the query class to [value].
>set class=IN Changes the query class to the Internet class.
>set class=CH Changes the query class to the Chaos class.
>set class=HS Changes the query class to the Hesiod class.
>set class=ANY Changes the query class to wildcard.
>set debug or nodebug Turn on or off the display of the full response packet and any intermediate response packets when searching.
(Default = nodebug; abbreviation = [no]deb)
>set d2 or nod2 Turns debugging mode on or off. This displays more about what nslookup is doing.
(Default = nod2)
>set domain=[name] Sets the search list to [name].
>set search or nosearch If the lookup request contains at least one period but doesn’t end with a trailing period, appends the domain names in the domain search list to the request until an answer is received.
(Default = search)
>set port=[value] Changes the default TCP/UDP name server port to [value].
(Default = 53; abbreviation = po)
>set querytype=[value] Changes the type of the information query.
(Default = A; abbreviations = q, ty)
>set type=[value] Changes the type of the information query.
(Default = A; abbreviations = q, ty)
>set recurse or no recurse Tells the DNS server to query other servers if it does not have the information.
(Default = recurse; abbreviation = [no]rec)
>set retry=[number] Sets the [number] of retries to attempt.
>set timeout=[number] Changes the initial timeout interval for waiting for a reply to number seconds.
>set vc or novc Always use a virtual circuit when sending requests to the server.
(Default = novc)
>set fail or nofail Tries the next nameserver if a DNS server responds with SERVFAIL or a referral (nofail) or terminate query (fail) on such a response.
(Default = nofail).
.
The standard dig command syntax is as follows:
dig [@server] [options] [name] [type] [class] [+queryopt...]

Dig command switches

Description

dig Displays the DNS root servers and the the IP address of your host’s DNS server.
@[server]
The name or IP address of the DNS server to query. If no [server] argument is provided, dig consults /etc/resolv.conf and queries the DNS server(s) listed there. The reply from the DNS server that responds is displayed in the command output.
[name] The domain name to query.
[type] Indicates which type of query is required, such as ANY, A, MX, SIG, etc. If no [type] argument is supplied, dig will perform a lookup for an A record.
dig -b [address] Sets the source IP address of the DNS query to [address]. This must be a valid address on one of the host’s network interfaces or “0.0.0.0″ or “::”. An optional port may be specified by appending “#”.
dig -c [class] Sets the query [class] (described in the nslookup for Linux options above). Default is IN (Internet).
dig -f [filename] Configures dig to process the list of lookup requests in file specified.
dig -h Prints a brief summary of dig’s command-line arguments and options.
dig -k [TSIG_key_file] Signs the DNS queries sent by dig and their responses using transaction signatures (TSIG).
dig -m Enables memory usage debugging.
dig -p [portnumber] Configures the port number for dig to query. Of course, the default port is 53 for DNS.
dig -q [name] Sets the query name to the [name] parameter value specified.
dig -t [type] Sets the [type] of query to be performed. Default is A.
dig -x [addr] Used for reverse lookups (IP address to host name, rather than vice versa).
dig -y [hmac:]name:key] Signs DNS queries by specifying the TSIG key itself on the command line. hmac is the type of the TSIG, default HMAC-MD5, [name] is the name of the TSIG key and [key] is the actual key. The key is a base-64 encoded string, typically generated by dnssec-keygen.
dig +aaflag or +noaaflag A synonym for +[no]aaonly.
dig +aaonly or +noaaonly Sets or removes the “aa” flag in the query.
dig +additional or +noadditional Displays or does not display the additional section of a reply. The default is to display it.
dig +adflag or +noadflag
Set or removes the AD (authentic data) bit in the query. This requests the DNS server to return whether all of the answer and authority sections have all been validated as secure according to the security policy of the server. AD=1 indicates that all records have been validated as secure and the answer is not from an OPT-OUT range. AD=0 indicates that some part of the answer was insecure or not validated.
dig +all or +noall
Sets or clears all display flags.
dig +answer or +noanswer Displays or does not display the answer section of a reply. The default is to display it.
dig +authority or +noauthority
Displays or does not display the authority section of a reply. The default is to display it.
dig +besteffort or +nobesteffort
Attempts to display the contents of messages which are malformed. The default is to not display malformed answers.
dig +bufsize=[B] Sets the UDP message buffer size advertised using EDNS0 to [B] bytes. The maximum and minimum sizes of this buffer are 65535 and 0 respectively. Values outside this range are rounded up or down appropriately. Values other than zero will cause an EDNS query to be sent.
dig +edns=# or +noedns Specifies the EDNS version to query with. Valid values are 0 to 255. Setting the EDNS version will cause a EDNS query to be sent. +noedns clears the remembered EDNS version.
dig +cdflag or +nocdflag
Sets or removes the CD (checking disabled) bit in the query. This requests the server to not perform DNSSEC validation of responses.
dig +cl or +nocl
Display or does not display the CLASS when printing the record.
dig +cmd or +nocmd
Toggles or untoggles the printing of the initial comment in the output identifying the version of dig and the query options that have been applied. This comment is printed by default.
dig +comments or +nocomments
Toggle or untoggles the display of comment lines in the output. The default is to print comments.
dig +defname or +nodefname
Deprecated; treated as a synonym for +[no]search.
dig +domainname=[somename] Set the search list to contain the single domain [somename], as if specified in a domain directive in /etc/resolv.conf, and enable search list processing as if the +search option were given.
dig +dnssec or +nodnssec
Requests DNSSEC records be sent or not sent by setting the DNSSEC OK bit (DO) in the OPT record in the additional section of the query.
dig +fail or +nofail
Try or do not try the next server if you receive a SERVFAIL. The default is to not try the next server which is the reverse of normal stub resolver behavior.
dig +identify or +noidentify
Shows or does not show the IP address and port number that supplied the answer when the +short option is enabled. If short form answers are requested, the default is not to show the source address and port number of the server that provided the answer.
dig +ignore or +noignore
Ignores or does not ignore truncation in UDP responses instead of retrying with TCP. By default, TCP retries are performed.
dig +multiline or +nomultiline
Prints or does not print records like the SOA records in a verbose multi-line format with human-readable comments. The default is to print each record on a single line, to facilitate machine parsing of the dig output.
dig +ndots=[D] Sets the number of dots that have to appear in name to [D] for it to be considered absolute. The default value is that defined using the ndots statement in /etc/resolv.conf, or 1 if no ndots statement is present. Names with fewer dots are interpreted as relative names and will be searched for in the domains listed in the search or domain directive in /etc/resolv.conf.
dig +nsid or +nonsid
Include or exclude an EDNS name server ID request when sending a query.
dig +nssearch or +nonssearch
When this option is set, dig attempts to 1) find the authoritative name servers for the zone containing the name being looked up and 2) display the SOA record that each name server has for the zone.
dig +onesoa or +noonesoa
Print only one (starting) SOA record when performing an AXFR. The default is to print both the starting and ending SOA records.
dig +qr or +noqr
Prints or does not print the query as it is sent. By default, the query is not printed.
dig +question or +noquestion
Prints or does not print the question section of a query when an answer is returned. The default is to print the question section as a comment.
dig +retry=[T] Sets the number of times to retry UDP queries to server to [T] instead of the default, 2. Unlike +tries, this does not include the initial query.
dig +search or +nosearch
Uses or does not use the search list defined by the searchlist or domain directive in resolv.conf (if any). The search list is not used by default.
dig +short or +noshort
Provides or does not provide a terse (brief) answer. The default is to print the answer in a verbose form.
dig +showsearch or +noshowsearch Performs or does not perform a search showing intermediate results.
dig +sigchase or +nosigchase
Chases or does not chase DNSSEC signature chains. Requires dig be compiled with -DDIG_SIGCHASE.
dig +stats or +nostats
This query option toggles or untoggles the printing of statistics; i.e., when the query was made, the size of the reply, and so on. The default behavior is to print the query statistics.
dig +tcp or +notcp
Uses or does not use TCP when querying name servers. The default behavior is to use UDP unless an AXFR (full) or IXFR (incremental) query is requested, in which case a TCP connection is used.
dig +time=[T] Sets the timeout for a query to [T] seconds. The default timeout is 5 seconds. An attempt to set [T] to less than 1 will result in a query timeout of 1 second being applied.
dig +ttlid or +nottlid
Displays or does not display the TTL when printing the record.
dig +topdown or +notopdown
When chasing DNSSEC signature chains, performs or does not perform a top-down validation. Requires dig be compiled with -DDIG_SIGCHASE.
dig +trace or +notrace
Toggle or untoggles tracing of the delegation path from the root name servers for the name being looked up. Tracing is disabled by default. When tracing is enabled, dig makes iterative queries to resolve the name being looked up. It will follow referrals from the root servers, showing the answer from each server that was used to resolve the lookup
dig +tries=[T] Sets the number of times to try UDP queries to server to [T] instead of the default, 3. If [T] is less than or equal to zero, the number of tries is silently rounded up to 1.
dig +trusted-key=#### Specifies a file containing trusted keys to be used with +sigchase. Each DNSKEY record must be on its own line. If not specified, dig will look for /etc/trusted-key.key, then trusted-key.key in the current directory. Requires dig be compiled with -DDIG_SIGCHASE.
dig +vc or +novc
Uses or does not use TCP when querying name servers. This alternate syntax to +[no]tcp is provided for backwards compatibility. The “vc” stands for virtual circuit.
.
The standard host command syntax is as follows:
host [-aCdlnrsTwv] [-c class] [-N ndots] [-R number] [-t type] [-W wait] [-m flag] [-4] [-6] {name} [server]

Host command switches

Description

host -a
Equivalent to setting the -v option and asking host to make a query of [type] ANY.
host -c [class] Specifies the DNS query class (described in the nslookup for Linux options above). Default is IN (Internet).
host -C [zone_name] Attempts to display the SOA records for [zone_name] from all the listed authoritative name servers for that zone. The list of name servers is defined by the NS records that are found for the zone.
host -d or -v Enables verbose output.
host -i Specifies that reverse lookups of IPv6 addresses should use the IP6.INT domain as defined in RFC 1886. The default is to use IP6.ARPA.
host -l [zone_name] Enables list mode which makes host perform a zone transfer for [zone_name]. Transfer the zone printing out the NS, PTR and address records (A/AAAA). If combined with -a all records will be printed.
host -m [zone_name] Used to set the memory usage debugging flags [record], [usage] and [trace].
host -N [name] Sets the number of dots that have to be in name for it to be considered absolute. The default value is that defined using the ndots statement in /etc/resolv.conf, or 1 if no ndots statement is present. Names with fewer dots are interpreted as relative names and will be searched for in the domains listed in the search or domain directive in /etc/resolv.conf.
host -r [name] Specifies non-recursive queries. Setting this option clears the RD (recursion desired) bit in the query which host makes. This should mean that the name server receiving the query will not attempt to resolve [name]. The -r option enables host to mimic the behavior of a DNS server by making non-recursive queries and expecting to receive answers to those queries that are usually referrals to other DNS servers.
host -R [number] Changes the number of UDP retries for a lookup.
host -s Used to set the memory usage debugging flags [record], [usage] and [trace].
host -t [type] Selects the DNS query type, where [type] can be CNAME, NS, SOA, SIG, KEY, AXFR, etc. When no query [type] is specified, host automatically selects an appropriate query type. By default, it looks for A, AAAA, and MX records, but if the -C option was given, queries will be made for SOA records, and if [name] is a dotted-decimal IPv4 address or colon-delimited IPv6 address, host will query for PTR records.
host -T
Makes host use a TCP connection when querying a DNS server.
host -w Configures host to effectively wait forever for a reply.
host -W [wait] Makes host wait for [wait] seconds.
host -4 Forces host to only use IPv4 query transport.
host -6 Forces host to only use IPv6 query transport.

PathPing

PathPing is a Windows utility that combines features from ping and tracert. PathPing sends packets to each router (hop) on the way to a destination over a period of time, and then computes the packets lost and the performance statistics for each hop. Like tracert, PathPing can identify problematic network hosts. The destination can be specified by DNS name or IP address.
You can download a neat little PathPing desktop gadget (for Windows Vista or 7) from TechRepublic here. You’ll have to rename the PathPing.zip file to PathPing.gadget.
Two PathPing switches are apparently no longer supported on Windows 7: -R (RSVP test) and -T (Layer Two tag).
The standard PathPing command syntax is:
pathping [-g host-list] [-h max_hops] [-i address] [-n] [-p period] [-q num_queries] [-w timeout] [-4] [-6] target_name

PathPing command switches

Description

pathping -g Loose source route along host list.
pathping -h [number]
Maximum [number] of hops to search for target.
pathping -i [address]
Use the specified source [address].
pathping -n Do not resolve addresses to hostnames.
pathping -p [milliseconds]
Wait period [milliseconds] between pings.
pathping -q [number]
[Number] of queries per hop.
pathping -w [milliseconds]
Wait timeout in [milliseconds] for each reply.
pathping -4 Force using IPv4.
pathping -6 Force using IPv4.

Ping

The ping (Packet InterNet Groper) command is arguably the most useful networking troubleshooting utility; it is definitely the simplest and most used. Ping tests the online status of a host on an IP network and measures the total round-trip time (in milliseconds) for packets sent from the source host to a destination host and back. Ping does this by sending Internet Control Message Protocol (ICMP) packets (usually). ICMP is a protocol that works with IP to provide error checking and reporting functionality. Ping sends ICMP echo requests to a remote host. If the host is able to respond, it replies with echo reply.
When you ping a destination name, the replies will tell you the host’s IP address, the number of bytes sent, round-trip time, and the packets’ Time to Live (TTL). When you ping a destination IP address, it responds with all the above except for the host name (unless you provide the -a switch). Ping doesn’t just test connectivity – it can also verify that TCP/IP is installed correctly and that DNS name resolution is working properly (see Part 1 of this blog post).
Standard ICMP pings do not utilize port numbers or use TCP or UDP; ICMP is a Layer 3 (Network layer) protocol. TCP and UDP operate at Layer 4, the Transport layer.
The ping command can be misused in a variety of denial of service attacks, such as the Ping of Death, Smurf attack, and Ping flood.
In Windows the ping command follows this standard syntax:
ping [-t] [-a] [-n count] [-l size] [-f] [-i TTL] [-v ToS] [-r count] [-s count] [[-j host-list] | [-k host-list]] [-w timeout] [-R] [-S srcaddr] [-4] [-6] target_name

Ping command switches (Windows)

Description

ping -a Specifies that reverse name resolution is performed on the destination IP address.
ping -f Specifies that Echo Request messages are sent with the ‘Don’t Fragment’ flag in the IP header set to 1 (available on IPv4 only).
ping -i [TTL] Specifies the value of the TTL field in the IP header for Echo Request messages sent. The default is the default TTL value for the host. The maximum [TTL] is 255.
ping -j [hostlist] Specifies that the Echo Request messages use the Loose Source Route option in the IP header with the set of intermediate destinations specified in [HostList] (available on IPv4 only). With loose source routing, successive intermediate destinations can be separated by one or multiple routers. The maximum number of addresses or names in the host list is 9. The host list is a series of IP addresses (in dotted decimal notation) separated by spaces.
ping -k [hostlist] Specifies that the Echo Request messages use the Strict Source Route option in the IP header with the set of intermediate destinations specified in [HostList] (available on IPv4 only). With strict source routing, the next intermediate destination must be directly reachable (it must be a neighbor on an interface of the router). The maximum number of addresses or names in the host list is 9. The host list is a series of IP addresses (in dotted decimal notation) separated by spaces.
ping -l [size] Specifies the length, in bytes, of the Data field in the Echo Request messages sent. The default size is 32. The maximum size is 65,527.
ping -n [count] Specifies the number of Echo Request messages sent. The default is 4.
ping -r [count] Specifies that the Record Route option in the IP header is used to record the path taken by the Echo Request message and corresponding Echo Reply message (available on IPv4 only). Each hop in the path uses an entry in the Record Route option. If possible, specify a [count] that is equal to or greater than the number of hops between the source and destination. The [count] must be a minimum of 1 and a maximum of 9.
ping -R Specifies that the round-trip path is traced (IPv6 only).
ping -s [count] Specifies that the Internet Timestamp option in the IP header is used to record the time of arrival for the Echo Request message and corresponding Echo Reply message for each hop. The [count] must be a minimum of 1 and a maximum of 4. This is required for link-local destination addresses.
ping -S [SrcAddr]
Specifies the source address to use (IPv6 only).
ping -t Specifies that ping continue sending Echo Request messages to the destination until interrupted. To interrupt and display statistics, press CTRL+BREAK. To interrupt and quit ping, press CTRL+C.
ping -v [ToS] Specifies the value of the Type of Service [ToS] field in the IP header for Echo Request messages sent (available on IPv4 only). The default is 0. [ToS] is specified as a decimal value from 0 through 255.
ping -w [timeout] Specifies the amount of time, in milliseconds, to wait for the Echo Reply message that corresponds to a given Echo Request message to be received. If the Echo Reply message is not received within the time-out, the “Request timed out” error message is displayed. The default [timeout] is 4000 (4 seconds).
ping -4 Specifies that IPv4 is used to ping. This parameter is not required to identify the target host with an IPv4 address. It is only required to identify the target host by name.
ping -6 Specifies that IPv6 is used to ping. This parameter is not required to identify the target host with an IPv6 address. It is only required to identify the target host by name.
.

Ping command switches (Linux)

Description

ping -a
Audible ping.
ping -A Adaptive ping (interpacket interval adapts to round-trip time).
ping -b
For pinging a broadcast address.
ping -B Does not allow ping to change the source address of probes. The address is bound to the one selected when ping starts.
ping -c [count] [deadline] Stops after sending [count] ECHO_REQUEST packets. With [deadline] option, ping waits for [count] ECHO_REPLY packets, until the timeout expires.
ping -d Sets the SO_DEBUG option on the socket being used. Essentially, this socket option is not used by Linux kernel.
ping -D Prints the timestamp (Unix time + microseconds, as in gettimeofday) before each line.
ping -f For every ECHO_REQUEST sent, a period (.) is printed, while for every ECHO_REPLY received a backspace is printed. This provides a rapid display of how many packets are being dropped.
ping -F Only for ping6. Allocates and sets a 20-bit flow label on ECHO_REQUEST packets. If the value is zero, the kernel allocates a random flow label.
ping -i [interval] Wait [interval] seconds between sending each packet. The default is to wait for one second between each packet normally, or not to wait in flood mode (-f).
ping -I [interface] Sets the source address to the specified interface, whether numeric IP address or name of device. When pinging IPv6 link-local addresses this option is required.
ping -l [preload] Sends [preload] number of packets and does not wait for replies. Only the super-user may select a [preload] of more than 3.
ping -L Suppress loopback of multicast packets (only applies if the ping destination is a multicast address).
ping -m Uses [mark] to tag the packets going out.
ping -M [hint] Selects path MTU discovery strategy. [Hint] may be either do (prohibit fragmentation, even local one), want (do PMTU discovery, fragment locally when packet size is large), or dont (do not set DF flag).
ping -n
Specifies numeric output only. No attempt is made to look up symbolic names for IP addresses.
ping ->N Sends ICMPv6 Node Information Queries (RFC 4620), instead of Echo Request.
ping -p [pattern] Specifies up to 16 pad bytes (in hex) to fill out the packet you send. For example, -p ff will cause the sent packet to be filled with all ones.
ping -q Quiet output. Nothing is displayed except the summary lines at command startup time and when finished.
ping -Q [tos] Sets Quality of Service-related bits in ICMP datagrams. [Tos] can be either decimal or hex number.
ping -r Bypasses the normal routing tables and sends directly to a host on an attached interface. If the host is not on a directly attached network, an error is returned.
ping -R Records the route. Includes the RECORD_ROUTE option in the ECHO_REQUEST packet and displays the route buffer on returned packets. Note that the IP header is only large enough for nine
such routes. Many hosts ignore or discard this option.
ping -s [packet_size] Specifies the number of data bytes to be sent. The default is 56, which translates into 64 ICMP data bytes when combined with the 8 bytes of ICMP header data.
ping -S [sndbuf] Set the socket send buffer. If not specified, it is selected to buffer not more than one packet.
ping -t [TTL] Sets the IP TTL to [TTL] seconds.
ping -T [timestamp] [opt] Sets special IP timestamp options. [Timestamp] option may be either tsonly (only timestamps), tsandaddr (timestamps and addresses) or tsprespec host1…
ping -U Prints full user-to-user latency (the old behavior).
ping -v Verbose command output.
ping -V Shows version and exits.
ping -w [deadline] Specifies a deadline (or timeout), in seconds, before ping exits regardless of how many packets have been sent or received.
ping -W [timeout] Time to wait for a response, in seconds. The option affects only timeout in absense of any responses, otherwise ping waits for two RTTs.

Route

Route enables the manipulation and viewing of a computer’s routing table. In other words, it lets you add or remove entries in the routing table.
In Windows the route command follows this syntax:
route [-f] [-p] [-4 or -6][Command [Destination] [mask Netmask] [Gateway] [metric Metric]] [if Interface]]

Route command switches (Windows)

Description

route -f Clears the routing tables of all gateway entries. If this is used in conjunction with one of the commands, the tables are cleared prior to running the command.
route -p
When used with the ADD command, makes a route persistent across boots of the system. By default, routes are not preserved when the system is restarted.
route -4
Force using IPv4.
route -6
Force using IPv6.
route ADD Adds a route.
route CHANGE Modifies an existing route.
route DELETE Deletes a route.
route PRINT Prints a route
.
A route command example in Windows would be:
route add 10.41.0.0 mask 255.255.0.0 10.27.0.1 (adds a persistent route to the destination 10.41.0.0 with the subnet mask of 255.255.0.0 and the next hop address of 10.27.0.1).
The standard route command syntax in Linux is as follows:
route [options] [add or del] [-net or -host] address [modifiers]

Route command switches (Linux)

Description

route Displays the host’s routing tables.
route -A [family] [add] or route –[family] [add]
Uses the specified address family with add or del. Valid families are inet (DARPA Internet), inet6 (IPv6), ax25 (AMPR AX.25), netrom (AMPR NET/ROM), ipx (Novell IPX), ddp (Appletalk DDP), and x25 (CCITT X.25).
route -C or –cache
Operates on the kernel’s routing cache instead of the forwarding information base (FIB) routing table.
route -e or -ee Uses the netstat-r format to display the routing table. -ee will generate a very long line with all parameters from the routing table.
route -F or –fib Operates on the kernel’s Forwarding Information Base (FIB) routing table (default behavior).
route -h or –help Prints the help message.
route -n Shows numerical IP addresses and bypass host name resolution.
route -v or –verbose Enables verbose command output.
route -V or –version Dispays the version of net-tools and the route command.
route add or del Adds or delete a route in the routing table.
route [add or del] dev [interface] Associates a route with a specific device. If dev [interface] is the last option on the command line, the word dev may be omitted.
route [add or del] [default] gw [gw] Routes packets through the specified gateway.
route [add or del] -host Specifies that the target is a host (not a network).
route [add or del] -irtt [I] Sets the initial round trip time (IRTT) for TCP connections over this route to [I] milliseconds (1-12000). This is typically only used on AX.25 networks. If omitted the RFC 1122 default of 300ms is used.
route [add or del] -net Specifies that the target is a network (not a host).
route [add or del] [-host or -net] netmask [mask] Sets the subnet [mask].
route [add or del] metric [n] Sets the metric field in the routing table (used by routing daemons) to the value of [n].
route [add or del] mod, dyn, or reinstate Install a dynamic or modified route. These flags are for diagnostic purposes, and are generally only set by routing daemons.
route [add or del] mss [bytes] Sets the TCP Maximum Segment Size (MSS) for connections over this route to the number of [bytes] specified.
route [add or del] reject
Installs a blocking route, which will force a route lookup to fail. This is used to mask out networks before using the default route. This is not intended to provide firewall functionality.
route [add or del] window [W] Set the TCP window size for connections over this route to the value of [W] bytes. This is typically only used on AX.25 networks and with drivers unable to handle back-to-back frames.
.
These examples should clarify the syntax of the route command.
route add -net 127.0.0.0
Adds the normal loopback entry, using netmask 255.0.0.0 (class A net, determined from the destination address) and associated with the “lo” device (assuming this device was previously set up correctly with ifconfig).
route add -net 192.56.76.0 netmask 255.255.255.0 dev eth0
Adds a route to the network 192.56.76.x via “eth0″. The Class C netmask modifier is not really necessary here because 192.* is a Class C IP address. The word “dev” can be omitted here.
route add default gw 192.168.100.1 dev eth0
Adds a default route (which will be used if no other route matches). All packets using this route will be gatewayed through 192.168.100.1 for interface eth0. The word “dev” can be omitted here.

Telnet

Telnet is a network protocol that allows for connections and user sessions on remote hosts. It is called a ‘terminal emulator’ because it lets you work on a remote host as if you were seated in front of it and using its monitor, keyboard, and mouse. A computer terminal is defined as “an electronic or electromechanical hardware device that is used for entering data into, and displaying data from, a computer or a computing system.” The input and output devices described above create a terminal environment, and telnet lets you mimic that environment on another computer (also referred to as “getting a shell” on the remote host).
Any information security professional worth his salt will tell you that using telnet is not recommended as all logins, passwords and commands are transferred in clear text. An attacker may eavesdrop on a telnet session and obtain the credentials and sensitive data of other users. The Secure Shell (SSH) protocol has effectively replaced telnet; however, in closed, restricted networks where there is zero chance of an attacker performing packet sniffing, telnet can be used. You should still make efforts to phase telnet out and replace it with SSH. SSH is such an important and useful protocol that it will be covered in a forthcoming article on this website. Until then you can learn more about SSH and its uses here.
This page supposedly lists free telnet servers that you can connect to and practice on.
By running a telnet connection to the open ports on a host, you can view the banners that reveal which service is answering on those specific ports. Many email, FTP, and web servers will respond to telnet connection requests with the name and version of their email, FTP, and web software (such as Exchange, IIS, etc). If you want to grab the banner of a web server, type:
telnet 80, followed by: HEAD/HTTP/1.0.
Telnet is not installed by default on Windows Vista, 7, or 2008. To learn how to get telnet running on these operating systems, use the instructions located on TechNet.
The standard telnet command syntax in Windows is:
telnet [-a][-eescape_char][-flog_file][-luser_name][-tterm]host [port]
(where host specifies the NetBIOS name, fully qualified domain name, or IP address of the host with which you want to create a telnet connection, and port specifies the TCP port on which you want to create a telnet connection. The default telnet port is 23).

Telnet command switches (Windows)

Description

telnet [servername] [portnumber] Starts the telnet client and attempts to initiate a session with [servername] on [portnumber]. If no [portnumber] is provided, the default port 23 is used.
telnet -a
Instructs telnet.exe to log on to the host using the credentials of the user who is currently logged on to the client.
telnet -e [escape_char] Specifies an escape character, which displays the telnet command prompt. The default escape character is Ctrl+].
telnet -f [log_file] Creates a client-side log file and turns on client-side logging for the current session. The [log_file] parameter must consist of a path and file name.
telnet -l [user_name] Instructs telnet.exe to log on to the host using the user account that is specified in [user_name]. The user account specified in [user_name] must have Telnet logon rights on the host.
telnet -t [term] Specifies the terminal type. The default terminal type is ANSI. Other valid terminal types include VT52, VT100, and VTNT.
close or c Closes an existing Telnet connection.
display Use the display command to view the current settings for the telnet client. The display command lists the current operating parameters. If you are in a telnet session (connected to a telnet server), to modify the parameters, press CTRL+]. This escapes from the telnet session. (To return to the Telnet session, press ENTER.)
display WILL AUTH Enables NTLM authentication.
display WONT AUTH Indicates that NTLM authentication is disabled, and that user IDs and passwords will be sent in plaintext.
display WILL TERM TYPE
display WONT TERM TYPE
display LOCALECHO off
display LOCALECHO off
enter Go to the connected session (if it exists).
open or o Establish a telnet connection with a host computer or remote server. For example, o telnet.org 44 will attempt to connect your computer to telnet.org using port 44.
quit or q Exit telnet.
send Sends commands to the telnet server.
send ao Abort output command.
send ayt “Are you there?” command.
send brk Sends a break signal.
send esc Sends the current escape character.
send ip Interrupts the current process.
send synch Performs the telnet synch operation.
set Set the terminal type for the connection, turn on local echo, set authentication to NTLM, set the escape character, and set up logging.
set bsasdel Backspace will be sent as delete.
set crlf Sets new-line mode; causes the RETURN key to send the combination of carriage return and line feed: 0x0D, 0x0A. When turned off, it sends only the carriage return character, 0x0D.
set delasbs Delete will be sent as backspace.
set escape [character] Specifies the [character] that will switch from telnet session mode to the telnet command mode. While in telnet command mode, press ENTER to return to telnet session mode.
set localecho
Turns on local echo. All characters typed will be displayed on the local console. Remote Telnet servers usually send each character typed back, so setting this option could result in duplicate characters displayed for each one typed.
set logfile [name] Specifies the [name] of the file to which the telnet log is written for this session. If you do not specify the path of the file, it is created in your current directory. Specifying a log file also turns on logging. The log file must be on your local computer.
set logging Turns on logging for this session. If no log file is set, an error message is displayed.
set mode {console | stream} Changes the mode of operation from console mode to stream mode. Setting the mode to stream turns off the ANSI or other escape commands that attempt to control cursor placement or clearing the screen. Setting the mode to console causes Telnet server to include ANSI or other escape commands to control cursor positioning within a fixed window of x rows and y columns. Stream mode is useful when you do not want the Telnet client to emulate a terminal. The output is sent as if there is no terminal window with x rows and y columns. Some applications that use telnet for file transfer fail to work correctly when console mode is enabled.
set ntlm Turns on NTLM authentication.
set term {ansi | vt100 | vt52 | vtnt} Specifies the type of terminal you want telnet client to emulate. You should use the VT100 terminal type if you are running normal command-line applications.
status Determines whether the computer running the telnet client is connected.
unset Turns off an option previously set by using the set command
.
The standard telnet command syntax in Linux is:
telnet [-l user] [-a] host-name [port]
telnet [-8EFKLacdfrx] [-X authtype] [-b hostalias] [-e escapechar] [-k realm] [-l user] [-n tracefile] [host [port]]

Telnet command switches (Linux)

Description

telnet Enters telnet command mode (prompt becomes telnet>).
telnet -a Attemps automatic login to the remote host.
telnet -b [hostalias] Uses bind to bind the local socket to an aliased address (see ifconfig –alias) or to the address of an interface different from the one selected by connect.
telnet -c Disables the reading of the user’s .telnetrc file. The .telnetrc file contains the setup information for a telnet session. It is a hidden file in your home directory and must be readable by the user logging in.
telnet -d Enables debugging at the socket level.
telnet -e [escape_char] Sets the initial telnet escape character to [escapechar]. If [escapechar] is omitted, then there will be no escape character.
telnet -E Stops any character from being recognized as an escape character.
telnet -f If Kerberos V5 authentication is being used, allows the local credentials to be forwarded to the remote host.
telnet -F If Kerberos V5 authentication is being used, allows the local credentials to be forwarded to the remote host, including any credentials that have already been forwarded into the local environment.
telnet -k [realm] If Kerberos authentication is being used, requests that telnet obtain tickets for the remote host in realm [realm] instead of the remote host’s realm.
telnet -K Prevents automatic login to the remote host.
telnet -l [user] When connecting to the remote host, if the remote host understands the ENVIRON option, then [user] will be sent as the value for the variable USER. This option implies the -a option and may also be used with the open command.
telnet -L Specifies an 8-bit data path on output. This causes the BINARY option to be negotiated on output.
telnet -n [trace_file] Opens [trace_file] for recording the trace information.
telnet -r Specifies a user interface similar to rlogin. In this mode, the escape character is set to the tilde (~) character, unless modified by the -e option.
telnet -x Enables encryption of the data stream, if possible.
telnet -X [auth_type]
Disables the [auth_type] type of authentication.
telnet> close Ends the session and closes the current connection.
telnet> display Displays the telnet operating parameters.
telnet> environ Changes the environment variables. Possibilities include:
.
define
: defines an environment variable.
export: marks an environment variable for automatic export.
list: lists the current environment variables.
send: sends an environment variable.
undefine: undefines an environment variable.
unexport: don’t mark an environment variable for automatic export.
?: prints help information.
telnet> logout Forcibly logs out the remote user and closes the connection.
telnet> mode [mode] Tries to enter line or character mode where [mode] is one of the following:
.
character: disables LINEMODE option (or disables obsolete line-by-line mode).
line: enables LINEMODE option (or enables obsolete line-by-line mode). These two require the LINEMODE option to be enabled.
isig: enables signal trapping.
-isig: disables signal trapping.
edit: enables character editing.
-edit: disables character editing.
softtabs: enables tab expansion.
-softtabs: disables character editing
litecho: enables literal character echo.
-litecho: disables literal character echo.
?: prints help information.
telnet> open [port]
Connects to a host.
telnet> quit Exits telnet.
telnet> send Transmits special characters as defined below.
.
abort: sends Telnet ‘Abort Process’.
ao
: sends Telnet Abort output.
ayt: sends Telnet ‘Are You There’.
brk: sends Telnet Break.
ec: sends Telnet Erase Character.
el: sends Telnet Erase Line.
eof: sends Telnet End of File Character.
eor: sends Telnet ‘End of Record’.
escape: sends current escape character.
ga: sends Telnet ‘Go Ahead’ sequence.
getstatus: sends request for STATUS.
ip: sends Telnet Interrupt Process.
nop: sends Telnet ‘No operation’.
susp: sends Telnet ‘Suspend Process’.
synch: performs Telnet ‘Synch operation’.
?: displays send options.
telnet> set Sets operating parameters as described below.
.
debug
: enables debugging.
echo: character to toggle local echoing on/off.
escape: character to escape back to telnet command mode.
netdata: enables printing of hexadecimal network data (debugging).
options: enables viewing of options processing (debugging).
prettydump: enables output of “netdata” to user readable format (debugging).
rlogin: rlogin escape character.
termdata: enables (debugging) toggle printing of hexadecimal terminal data.
tracefile: the file to write trace information to.
?: display help information.
.
The following need ‘localchars’ to be toggled ‘true’:
.
eof: character to cause an EOF.
flushoutput: character to cause an Abort Output.
interrupt: character to cause an Interrupt Process.
quit: character to cause an Abort process.
.
The following are for local editing in linemode:
.
autoflush
: enables flushing of output when sending interrupt characters.
autosynch
: enables automatic sending of interrupt characters in urgent mode.
crlf: enables sending carriage returns as telnet
crmod: enables mapping of received carriage returns.
erase: character to use to erase a character.
forw1: alternate end of line character.
forw2: alternate end of line character.
inbinary: enables receiving of binary data.
kill: character to use to erase a line.
lnext: character to use for literal next.
localchars: enables local recognition of certain control characters.
outbinary: enables sending of binary data.
reprint: character to use for line reprint.
start: character to use for XON.
stop: character to use for XOFF.
skiprc: enable don’t read ~/.telnetrc file.
susp: character to cause a Suspend Process.
worderase: character to use to erase a word.
telnet> slc Changes the state of special charaters as follows:
.
check
: Verify remote special character definitions.
export: Use local special character definitions.
import: Use remote special character definitions.
?: Print help information.
telnet> status Prints connection status information.
telnet> toggle Toggles operating parameters as follows:
.
autoflush: toggle flushing of output when sending interrupt characters.
autosynch: toggle automatic sending of interrupt characters in urgent mode.
binary: toggle sending and receiving of binary data.
crlf: toggle sending carriage returns as telnet .
crmod: toggle mapping of received carriage returns.
debug: toggle debugging.
inbinary: toggle receiving of binary data.
localchars: toggle local recognition of certain control characters.
netdata: toggle printing of hexadecimal network data (debugging).
options: toggle viewing of options processing (debugging).
outbinary: toggle sending of binary data.
prettydump: toggle output of “netdata” to user readable format (debugging).
skiprc: toggle don’t read ~/.telnetrc file.
termdata: toggle (debugging) toggle printing of hexadecimal terminal data.
telnet> unset Unsets operating parameters; the opposite of telnet> set.
telnet> z Suspends a telnet session.
telnet> ! Invokes a subshell.
telnet> ? Prints the help message.

Traceroute and Tracert

Traceroute (tracert in Windows) is a network diagnostic tool for displaying the route (path) of packets and measuring their transit delays across an IP network. Traceroute works by increasing the TTL value of each successive set of packets sent. The first set of packets has a hop limit value of 1, so they are not forwarded by the first router. The next set has a hop limit value of 2, so that the second router will send the error reply. This continues until the destination host receives the packets and returns an ICMP Echo Reply message. In other words, the TTL value on each packet increments by one after each hop is reached. Then the packet returns, ensuring that the response comes back explicitly from that hop (its name and IP address are also displayed). Traceroute uses the returned ICMP messages to produce a list of routers that the packets have traversed. The timestamp values returned for each router along the path are the delay (latency) values measured in milliseconds for each packet.
The traceroute/tracert tool will time out (indicated in the command output by an asterisk) when it encounters a firewall or a packet-filtering router.
Traceroute in Linux and Unix uses UDP by default, while tracert in Windows uses ICMP.
The standard tracert command syntax is:
tracert [-d] [-h maximum_hops] [-j host-list] [-w timeout] [-R] [-S srcaddr] [-4] [-6] target_name

Tracert command switches

Description

tracert [destination]
Traces the path to the host or IP address named [destination].
tracert -d
Prevents tracert from attempting to resolve the IP addresses of intermediate routers to their names (which can speed up the display of tracert results).
tracert -h [MaxHops]
Specifies the maximum number of hops in the path to search for the target (destination). The default is 30 hops.
tracert -j [HostList] Specifies that Echo Request messages use the Loose Source Route option in the IP header with the set of intermediate destinations specified in [HostList]. With loose source routing, successive intermediate destinations can be separated by one or multiple routers. The maximum number of addresses or names in the host list is 9. The [HostList] is a series of IP addresses (in dotted decimal notation) separated by spaces.
tracert -w [timeout]
Specifies the amount of time in milliseconds to wait for the ICMP Time Exceeded or Echo Reply message corresponding to a given Echo Request message to be received. If not received within the time-out, an asterisk (*) is displayed. The default time-out is 4000 (4 seconds).
tracert -R
Trace round-trip path (IPv6-only).
tracert -S [srcaddr]
Source address to use (IPv6-only).
tracert -4 Force using IPv4.
tracert -6 Force using IPv6.
.

Traceroute command switches

Description

traceroute -A Performs autonomous system (AS) path lookups in routing registries and prints results directly after the corresponding addresses.
traceroute –back Prints the number of backward hops when it seems different than the forward direction. This number is guessed in the assumption that remote hops send reply packets with the initial TTL set to either 64, 128, or 255 (which seems a common practice). It is printed as a negative value in a form of ‘-NUM’ .
traceroute -d Enables socket level debugging (when the Linux kernel supports it).
traceroute -e Shows the ICMP extensions (RFC 4884). The general form is CLASS/TYPE, followed by a hexadecimal dump.
traceroute -f [N] Sets the initial TTL to [N] hops.
traceroute -F Sets the ‘don’t fragment’ bit.
traceroute –fwmark=[mark] Sets the firewall [mark] for outgoing packets (since Linux kernel version 2.6.25). Firewall marks are described here.
traceroute -g [gw_addr] Tells traceroute to add an IP source routing option to the outgoing packet that tells the network to route the packet through the specified [gw_addr] (most routers disable source routing for security reasons). In general, several gateways are allowed (comma separated).
traceroute –help Prints the help message.
traceroute -i [interface] Specifies the [interface] through which traceroute should send packets. By default, the interface is selected according to the routing table.
traceroute -I [raw or dgram]
Uses ICMP ECHO for probes insteaf of UDP. Options are [raw] sockets or [dgram] ICMP sockets.
traceroute -m [max_ttl] Specifies the maximum number of hops (i.e., the max TTL value). The default is 30.
traceroute -M [method] Uses the specified [method] for traceroute operations. Default traditional UDP method has the name default; ICMP (-I) and TCP (-T) have names icmp and tcp, respectively. Method-specific options can be passed by -O.
traceroute –mtu Discovers the maximum transmission unit (MTU) along the path being traced. Implies -F -N 1.
traceroute -n Shows numerical IP addresses and bypasses attempts at host name resolution.
traceroute -N [num_probes] Specifies the number of probe packets sent out simultaneously. Sending several probes concurrently can speed up traceroute. The default value is 16. Note that if you use ICMP probes, some routers and hosts can use ICMP rate throttling.
traceroute -O [option] Specifies some method-specific [option]. Several options are separated by commas (or they use several -O on the command line).
traceroute -p [port] Sets the destination base UDP port number to [port]; default is 33434. For ICMP tracing, specifies the initial ICMP sequence value (incremented by each probe). For TCP, specifies just the (constant) destination port to connect to.
traceroute -P [proto] Uses the raw packet of the specified protocol for tracerouting. The default protocol is 253 (RFC 3692).
traceroute -q [num_queries] Sets the number of probe packets per hop. The default is 3.
traceroute -r Bypasses the normal routing tables and sends directly to a host on an attached network. If the host is not on a directly attached network, an error is returned. This option can be used to ping a local host through an interface that has no route through it.
traceroute raw -P [proto] Sends raw packets of protocol [proto] (no protocol-specific headers are used, just the IP header only). Implies -N 1.
traceroute -s [src_addr] Specifies an alternative source address for the outgoing traceroute packets.
traceroute –sport=[port] Chooses the source port to use. Implies -N 1.
traceroute -t [ToS] Set the Type of Service [ToS] and Precedence value (0-255 decimal). Useful values are 16 (low delay) and 8 (high throughput). For IPv6, -t sets the Traffic Control value.
traceroute -T [opt] Uses the TCP protocol for traceroute probes. Available options are: syn, ack, fin, rst, psh, urg, ece, and cwr. If these options don’t make sense to you, you should read my article on Nmap.
traceroute -T ecn Sends SYN packets with TCP flags ECE and CWR (for Explicit Congestion Notification, RFC 3168).
traceroute -T flags=[num] Sets the flags field in the TCP header to [num].
traceroute -T info Prints the TCP flags of the final TCP replies when the target host is reached. Determines whether an application is listening the port.
traceroute -T mss=[num] Uses the value of [num] for maximum segment TCP header option (when SYN).
traceroute -T sack, timestamps, window_scaling Uses the corresponding TCP header option in the outgoing probe packet.
traceroute -T sysctl Uses current sysctl (/proc/sys/net/*) setting for the TCP header options above and ECN. Always set by default, if nothing else is specified.
traceroute tcpconn An initial implementation of the TCP method simply using the connect call, which does a full TCP session opening. Not recommended for normal use because a destination application is always affected.
traceroute -U Uses UDP datagrams with a constant destination port (default 53, DNS). Like the -T (TCP) option, this can be intended to bypass firewall as well.
traceroute -UL coverage=[num]
Uses UDP Lite datagrams for probes (with a constant destination port, 53) where [num] determines the checksum coverage sent. See here for reference.
traceroute -V
Prints the version of traceroute.
traceroute -w [wait_time] Sets the time (in seconds) to wait for a response to a probe (the default is 5 seconds).
traceroute -z [sendwait] Sets the minimal time interval between probes (default is 0). If the value is more than 10, then it specifies a number in milliseconds, otherwise it is a number of seconds. Useful when some routers use rate-limiting for ICMP messages.
traceroute -4 or -6 Explicitly forced IPv4 or IPv6. By default, the program will try to resolve the name given, and choose the appropriate protocol automatically. If resolving a host name returns both IPv4 and IPv6 addresses, traceroute will use IPv4.

Whois

whois is a domain name query tool. Some of the information it provides on domain names includes: registered address, technical and DNS contacts, contact email addresses, contact phone number, and the expiration date of the domain name registration.
Whois commands are commonly executed from network query-oriented websites, as described here. However, you can run whois from a command line interface as well. Whois is easily available in Linux and Unix (may be available as jwhois), but must be installed manually on Windows. Note that the version of whois published by Marco d’Itri of linux.it uses very different options from the standard whois/jwhois.

Whois command switches (Windows)

Description

whois [domainname] [whois.server] Performs a whois query on [domainname] using the whois server specified.
.

Whois command switches (Linux)

Description

whois -a or –raw
Disables reformatting of the query.
whois -c [file] or –config=[file]
Uses [file] as a configuration file instead of jwhois.conf.
whois -d or –disable-cache
Disables reading from (and writing to) the cache.
whois -f or –force-lookup
Forces a query to be made to a host even if a current object is available from the cache.
whois -h [host] or –host=[host]
Overrides any hosts in the configuration file and queries [host] directly.
whois –help
Prints the help message.
whois -i or –display-redirections
Displays every step in a redirection (the default is to display only the last answer).
whois -n or -no-redirect
Disables redirection from one server to another.
whois -p [port] or –port=[port] [host]
Specifies a port number to use when querying a host. For example, whois –port=9103 10.20.30.31 forces a test on this host’s port 9103
whois -r or –rwhois
Forces the query to use the rwhois protocoll instead of HTTP or whois.
whois –rwhois-display=[display]
Asks receiving rwhois servers to display the results in the specified [display] instead of the default dump display.
whois –rwhois-limit=[limit]
Asks receiving rwhois servers to limit their responses to [limit] matches.
whois -s or –no-whoisservers
Disables the built-in support for whois-servers.net.
whois -v or –verbose
Outputs verbose debugging information while running. You can increase the verbosity by giving several verbose commands to jwhois, such as -vv.
whois –version
Displays the version, authors and licensing information of whois.