Intermediate ⏱ 60-75 Minutes Prereq: Module 08

Linux Networking

Move from theory to practice. Learn to inspect connections, scan ports, trace packets, and troubleshoot broken networks using the Linux command line.

1. Understanding Network Interfaces

Before you can attack or defend a network, you need to know who you are on that network. Every device has network interfaces (virtual or physical cards).

ip a
    1: lo: <LOOPBACK,UP>
        inet 127.0.0.1/8
    2: eth0: <BROADCAST,UP>
        inet 192.168.1.55/24 brd 192.168.1.255

eth0 / wlan0

Your physical connection. eth0 is usually wired, wlan0 is Wi-Fi.

lo (Loopback)

The "Home" address (127.0.0.1). Traffic sent here stays inside your computer.

Data path: Your App → OS Kernel → Interface (eth0) → Router

🛡️ Security Mindset

Attackers first check ip a to see what subnet they are on. If they see multiple interfaces, the machine might be a bridge to another network.

2. IP Address & Routing

Having an IP is useless if your computer doesn't know where to send traffic. The Routing Table is the map your computer follows.

ip route
    default via 192.168.1.1 dev eth0
    192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.55

  • Default via 192.168.1.1: This is your Gateway (usually your Router). If your computer doesn't know where an IP is, it sends it here.
  • 192.168.1.0/24: This says "computers with these IPs are right next to me (Local LAN)."

Checking ARP (Layer 2)

Routing happens at Layer 3, but delivery happens at Layer 2 (MAC). Use ip neigh to see the MAC addresses of devices you are currently talking to.

ip neigh
    192.168.1.1 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
    192.168.1.105 dev eth0 lladdr aa:bb:cc:dd:ee:ff STALE
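A small added example (not part of this module's own material) of reading the ARP cache the way a defender would: it summarises each `ip neigh` entry and then lists any MAC address that is answering for more than one IP. The neighbour table below is constructed; on a real host pipe `ip neigh` into the functions instead. A gateway doing proxy ARP can legitimately show up this way, so the output is a prompt to look closer, not a verdict.

```shell
#!/bin/sh
# Added example: summarise `ip neigh` output and flag a MAC that is claimed
# by more than one IP on the LAN. SAMPLE_NEIGH is constructed sample data.

SAMPLE_NEIGH='192.168.1.1 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
192.168.1.105 dev eth0 lladdr aa:bb:cc:dd:ee:ff STALE
192.168.1.20 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
192.168.1.77 dev eth0 FAILED'

# neigh_summary: reads `ip neigh` lines on stdin and prints "IP MAC STATE"
# per entry, using "-" when no MAC was resolved (FAILED/INCOMPLETE entries).
neigh_summary() {
    awk '{
        ip = $1; mac = "-"; state = $NF
        for (i = 2; i < NF; i++) if ($i == "lladdr") mac = $(i+1)
        print ip, mac, state
    }'
}

# neigh_shared_macs: prints each MAC seen for two or more IPs, followed by
# those IPs. Proxy ARP on the gateway is a benign cause; anything else is
# worth investigating.
neigh_shared_macs() {
    neigh_summary | awk '$2 != "-" {
        ips[$2] = ips[$2] " " $1; n[$2]++
    } END { for (m in n) if (n[m] > 1) print m ":" ips[m] }'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_NEIGH" | neigh_summary
printf '%s\n' "$SAMPLE_NEIGH" | neigh_shared_macs
```

With live data: `ip neigh | neigh_shared_macs`. Only entries that actually carry an `lladdr` are compared, so stale or failed neighbours never produce false matches.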

3. Checking Connectivity (Ping)

The "Hello World" of networking. Ping sends an ICMP Echo Request. If the other computer is alive and willing, it sends a Reply.

ping -c 3 8.8.8.8
    64 bytes from 8.8.8.8: icmp_seq=1 ttl=115 time=14.2 ms
    64 bytes from 8.8.8.8: icmp_seq=2 ttl=115 time=12.1 ms

Troubleshooting Logic

  • Ping 127.0.0.1: Is my network card working?
  • Ping 192.168.1.1 (Gateway): Am I connected to the router?
  • Ping 8.8.8.8 (Google): Do I have internet?
  • Ping google.com: Is my DNS working?

4. DNS Investigation

Computers speak numbers (IPs); humans speak names (google.com). Tools like nslookup and dig ask the DNS server for the IP address.

dig google.com
    ;; ANSWER SECTION:
    google.com.    183    IN    A    142.250.190.46

During a security assessment, checking DNS records (Reconnaissance) is often the very first step to map out a target's infrastructure.

5. Port & Connection Analysis

If the IP is the house address, ports are the doors. You need to know which doors are open and what services are listening.

Use ss (Socket Statistics) to inspect the network stack.

ss -tuln
    Netid  State   Local Address:Port
    tcp    LISTEN  0.0.0.0:80     (Web Server)
    tcp    LISTEN  0.0.0.0:22     (SSH)

-tuln Flags

t: TCP
u: UDP
l: Listening sockets only
n: Numeric (Show 80, not 'http')

Connection States

LISTEN: Waiting for incoming connections.
ESTABLISHED: Active data exchange between client and server.

Viewing Active Connections

To see exactly which process is talking to the internet, use the extended options:

sudo ss -antp
    ESTAB  0  0  192.168.1.55:44322  142.250.1.1:443  users:(("firefox",pid=1234,fd=5))

This shows active TCP connections and the process (PID) using them. Essential for finding malware calling home.
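The following is an added example, not code from the module: it turns `ss -antp` output into a per-process listing and then singles out established connections whose peer is a public address, which is the short list you review when hunting for a process calling home. The `ss` output is constructed (the `update-helper` process and the 203.0.113.9 peer are invented for illustration); pipe `sudo ss -antp` into `ss_external_established` on a real host.

```shell
#!/bin/sh
# Added example: parse `ss -antp` and list established connections to
# non-private peers. SAMPLE_SS is constructed sample output.

SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port      Peer Address:Port     Process
LISTEN 0      128    0.0.0.0:22              0.0.0.0:*             users:(("sshd",pid=800,fd=3))
ESTAB  0      0      192.168.1.55:44322      142.250.1.1:443       users:(("firefox",pid=1234,fd=5))
ESTAB  0      0      192.168.1.55:51010      192.168.1.105:22      users:(("ssh",pid=2211,fd=3))
ESTAB  0      0      192.168.1.55:40022      203.0.113.9:4444      users:(("update-helper",pid=3190,fd=7))'

# ss_connections: reads `ss -antp` on stdin; prints "STATE PROCESS PID LOCAL PEER"
# for each socket line (header skipped). Sockets whose owner is not visible
# (for example when run without sudo) get "? ?" for process and pid.
ss_connections() {
    awk 'NR > 1 && NF >= 5 {
        proc = "?"; pid = "?"
        if (match($0, /\("[^"]+",pid=[0-9]+/)) {
            s = substr($0, RSTART + 2, RLENGTH - 2)
            split(s, parts, "\",pid=")
            proc = parts[1]; pid = parts[2]
        }
        print $1, proc, pid, $4, $5
    }'
}

# is_private_ip ADDR: succeeds for RFC 1918 ranges and loopback (IPv4 only).
is_private_ip() {
    case "$1" in
        10.*|192.168.*|127.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# ss_external_established: established connections with a public peer,
# printed as "PROCESS PID PEER". Anything you cannot name deserves a look.
ss_external_established() {
    ss_connections | while read -r state proc pid laddr peer; do
        [ "$state" = "ESTAB" ] || continue
        ip=${peer%:*}
        is_private_ip "$ip" || printf '%s %s %s\n' "$proc" "$pid" "$peer"
    done
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_SS" | ss_external_established
```

The loopback-and-RFC 1918 filter is deliberately simple; on a host that uses other internal ranges, extend the `case` patterns before trusting the short list.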

6. Tracing the Path

When you connect to a server, your packet hops through many routers. traceroute shows you every hop along the way.

traceroute google.com
     1  192.168.1.1 (Home Router)  2.1 ms
     2  10.50.2.1 (ISP Hub)  15.4 ms
    ...
    12  142.250.190.46 (Google)  25.1 ms

7. Packet Capture (Traffic Inspection)

Sometimes commands tell you everything looks fine, but it still doesn't work. This is when you use tcpdump to look at the actual raw data flying through the wire.

sudo tcpdump -i eth0 port 80
    IP 192.168.1.55.5342 > 142.250.1.1.80: Flags [S], seq 12345...
    IP 142.250.1.1.80 > 192.168.1.55.5342: Flags [S.], seq 98765...

The Flags field shows TCP handshake progression: [S] = SYN, [S.] = SYN-ACK, [.] = ACK.
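As an added example (not from the module), here is the handshake logic applied to a capture: the function reads `tcpdump -n` lines, pairs each client's [S] with the server's [S.] reply, and reports attempts that never got one, which is the usual signature of a firewall silently dropping the connection or of nothing listening on that port. The capture lines below are constructed; the 203.0.113.9 server that never answers is invented for the demonstration.

```shell
#!/bin/sh
# Added example: from `tcpdump -n` output, report TCP connection attempts
# (SYN sent) that were never answered with a SYN-ACK. SAMPLE_CAP is a
# constructed capture in tcpdump's default line format.

SAMPLE_CAP='12:00:01.000000 IP 192.168.1.55.5342 > 142.250.1.1.80: Flags [S], seq 12345, win 64240, length 0
12:00:01.014000 IP 142.250.1.1.80 > 192.168.1.55.5342: Flags [S.], seq 98765, ack 12346, win 65535, length 0
12:00:01.014100 IP 192.168.1.55.5342 > 142.250.1.1.80: Flags [.], ack 1, win 502, length 0
12:00:05.000000 IP 192.168.1.55.5350 > 203.0.113.9.80: Flags [S], seq 777, win 64240, length 0
12:00:06.000000 IP 192.168.1.55.5350 > 203.0.113.9.80: Flags [S], seq 777, win 64240, length 0'

# tcp_handshakes: one line per client->server pair, "CLIENT SERVER SYNS STATUS",
# where STATUS is "completed" once a [S.] came back from the server and
# "no-answer" otherwise. Repeated SYNs with no answer point at a drop.
tcp_handshakes() {
    awk '{
        # locate the "IP src > dst:" part regardless of a leading timestamp
        for (i = 1; i <= NF; i++) if ($i == "IP" && $(i+2) == ">") break
        if (i > NF) next
        src = $(i+1); dst = $(i+3); sub(/:$/, "", dst)
        flags = $(i+5); gsub(/[][,]/, "", flags)   # "[S]," -> "S"
        if (flags == "S") syn[src " " dst]++
        else if (flags == "S.") ack[dst " " src] = 1
    } END {
        for (k in syn) {
            st = (k in ack) ? "completed" : "no-answer"
            print k, syn[k], st
        }
    }' | sort
}

# Stand-alone run over the constructed capture.
printf '%s\n' "$SAMPLE_CAP" | tcp_handshakes
```

For a live check, capture a bounded number of packets so the summary is produced when the capture ends, e.g. `sudo tcpdump -l -n -c 200 -i eth0 tcp | tcp_handshakes` (`-l` line-buffers the output for the pipe; root is still required for the capture itself, as the module notes).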

⚠️ Root Required

Packet capture requires root privileges (sudo) because it accesses raw network interfaces.

🛡️ Security Mindset

This is the "X-Ray" of networking. Security analysts use this to see exactly what malware is sending out, or why a firewall is dropping a connection.

8. Nmap Essentials

While ss checks your ports, nmap checks remote ports. It is the industry standard for network mapping and scanning.

nmap -A 192.168.1.105
    PORT    STATE  SERVICE  VERSION
    22/tcp  open   ssh      OpenSSH 7.2
    80/tcp  open   http     Apache httpd 2.4

⚠️ Warning

Scanning networks you do not own is illegal in many jurisdictions. Only scan your own labs or networks where you have explicit permission.


9. Real Troubleshooting Flow

Internet down? Don't guess. Follow the data path.

1. ip a: Do I have an IP address? (If no: DHCP issue)
2. ip route: Do I have a default gateway?
3. ping gateway: Can I talk to the router? (If no: Layer 2/Switch issue)
4. ping 8.8.8.8: Can I reach the internet? (If no: ISP/Router issue)
5. ping google.com: Does the name resolve? (If no: DNS issue)
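The five steps above (and the ping ladder from section 3) as one script, added here as an example and not part of the module. The two parsers take `ip a` and `ip route` output on stdin, so they can be exercised against the constructed samples with no network; `net_diagnose` (a name chosen for this example) runs the real commands and stops at the first layer that fails. It assumes Linux `iputils` ping, where `-W` is the reply timeout in seconds.

```shell
#!/bin/sh
# Added example: the troubleshooting flow as a script. SAMPLE_IP_A and
# SAMPLE_ROUTE are constructed outputs of `ip a` and `ip route`.

SAMPLE_IP_A='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536
    inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500
    inet 192.168.1.55/24 brd 192.168.1.255 scope global eth0'
SAMPLE_ROUTE='default via 192.168.1.1 dev eth0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.55'

# global_ipv4: from `ip a` on stdin, print the first non-loopback IPv4
# address without its prefix length; no output means no address (DHCP issue).
global_ipv4() {
    awk '$1 == "inet" && $0 ~ /scope global/ { sub(/\/.*/, "", $2); print $2; exit }'
}

# default_gateway: from `ip route` on stdin, print the default gateway;
# no output means there is no default route.
default_gateway() {
    awk '$1 == "default" && $2 == "via" { print $3; exit }'
}

# reachable HOST: one ICMP echo request with a 2 second reply timeout.
reachable() {
    ping -c 1 -W 2 "$1" >/dev/null 2>&1
}

# net_diagnose: follow the data path and report the first failing step.
net_diagnose() {
    addr=$(ip a | global_ipv4)
    [ -n "$addr" ] || { echo "1. no IPv4 address: DHCP issue"; return 1; }
    gw=$(ip route | default_gateway)
    [ -n "$gw" ] || { echo "2. no default gateway"; return 1; }
    reachable "$gw" || { echo "3. gateway $gw unreachable: Layer 2/switch issue"; return 1; }
    reachable 8.8.8.8 || { echo "4. no internet: ISP/router issue"; return 1; }
    reachable google.com || { echo "5. name does not resolve: DNS issue"; return 1; }
    echo "all five steps passed ($addr via $gw)"
}

# Stand-alone: show the parsers on the samples; set RUN_LIVE=1 to diagnose
# the host this runs on.
printf '%s\n' "$SAMPLE_IP_A" | global_ipv4
printf '%s\n' "$SAMPLE_ROUTE" | default_gateway
if [ "${RUN_LIVE:-0}" = 1 ]; then net_diagnose; fi
```

Run `RUN_LIVE=1 sh netcheck.sh` (any file name) on a machine whose connection is down and the first line printed names the layer to look at, in the same order the module gives.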

📌 Recap

  • ip a: Show interfaces and IP.
  • ip route: Show gateway and routing table.
  • ip neigh: Show ARP cache (Layer 2).
  • ping: Test connectivity (ICMP).
  • ss -tuln / -antp: Check listening ports and active connections.
  • tcpdump: Capture raw packets.
  • nmap: Scan remote systems.