Intermediate ⏱ 60-75 Minutes Prereq: Module 08

Linux Networking

Move from theory to practice. Learn to inspect connections, scan ports, trace packets, and troubleshoot broken networks using the Linux command line.

1. Understanding Network Interfaces

Before you can attack or defend a network, you need to know who you are on that network. Every device has network interfaces (virtual or physical cards).

ip a
1: lo: <LOOPBACK,UP>
    inet 127.0.0.1/8
2: eth0: <BROADCAST,UP>
    inet 192.168.1.55/24 brd 192.168.1.255

eth0 / wlan0

Your physical connection. eth0 is usually wired, wlan0 is Wi-Fi.

lo (Loopback)

The "Home" address (127.0.0.1). Traffic sent here stays inside your computer.

Data path: Your App → OS Kernel → Interface (eth0) → Router

🛡️ Security Mindset

Attackers first check ip a to see what subnet they are on. If they see multiple interfaces, the machine might be a bridge to another network.

2. IP Address & Routing

Having an IP is useless if your computer doesn't know where to send traffic. The Routing Table is the map your computer follows.

ip route
default via 192.168.1.1 dev eth0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.55
  • Default via 192.168.1.1: This is your Gateway (usually your Router). If your computer doesn't know where an IP is, it sends it here.
  • 192.168.1.0/24: This says "computers with these IPs are right next to me (Local LAN)."

✅ Quick Check

  • What command shows the routing table? (Answer: ip route or route -n)
  • If the "default" line is missing, can you reach the internet? (Answer: No)

3. Checking Connectivity (Ping)

The "Hello World" of networking. Ping sends an ICMP Echo Request. If the other computer is alive and willing, it sends a Reply.

ping -c 3 8.8.8.8
64 bytes from 8.8.8.8: icmp_seq=1 ttl=115 time=14.2 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=115 time=12.1 ms

Troubleshooting Logic

  • Ping 127.0.0.1: Is my network card working?
  • Ping 192.168.1.1 (Gateway): Am I connected to the router?
  • Ping 8.8.8.8 (Google): Do I have internet?
  • Ping google.com: Is my DNS working?

🛡️ Security Mindset

Firewalls often block ICMP (Ping) to hide servers. Just because a server doesn't answer a ping doesn't mean it's offline.

4. DNS Investigation

Computers speak numbers (IPs); humans speak names (google.com). Tools like nslookup and dig ask the DNS server for the IP address.

dig google.com
;; ANSWER SECTION:
google.com.    183    IN    A    142.250.190.46

Common Record Types:

  • A Record: The IPv4 address.
  • MX Record: The Mail server (where emails go).
  • AAAA Record: The IPv6 address.

During a security assessment, checking DNS records (Reconnaissance) is often the very first step to map out a target's infrastructure.

5. Port & Connection Analysis

If the IP is the house address, ports are the doors. You need to know which doors are open and what services are listening.

Use ss (Socket Statistics) or the legacy netstat.

ss -tuln
Netid  State   Local Address:Port
tcp    LISTEN  0.0.0.0:80          (Web Server)
tcp    LISTEN  0.0.0.0:22          (SSH)

-tuln Flags

  • t: TCP
  • u: UDP
  • l: Listening sockets only
  • n: Numeric (show 80, not 'http')

Why it matters

If you see a port listening that you didn't install (like port 6667), you might have malware.
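The check above as a script, added here as an example (not part of this module): it parses ss -tuln output and reports any listening port that is not on an allowlist of expected services. The sample output, the EXPECTED list and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not the module's own code): audit listening sockets from
# `ss -tuln` output against an allowlist and report anything unexpected.

# Constructed sample in the same shape as `ss -tuln` output (header + rows).
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
tcp   LISTEN 0      511    0.0.0.0:80          0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:631       0.0.0.0:*
tcp   LISTEN 0      50     0.0.0.0:6667        0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:68          0.0.0.0:*'

# proto/port pairs we expect on this host (assumed); anything else gets flagged.
EXPECTED="tcp/22 tcp/80 udp/68"

# listening_ports: read ss -tuln output on stdin, print one "proto/port" per
# line. Takes the last colon-separated field so IPv4, [::]:22 and *:22 all work.
listening_ports() {
    awk 'NR > 1 && ($2 == "LISTEN" || $2 == "UNCONN") {
        n = split($5, parts, ":"); print $1 "/" parts[n] }'
}

# unexpected_ports: print the listening proto/port pairs not in $EXPECTED.
unexpected_ports() {
    listening_ports | while read -r p; do
        case " $EXPECTED " in
            *" $p "*) ;;            # on the allowlist, ignore
            *) echo "$p" ;;
        esac
    done
}

# audit_sample: run the audit over the constructed sample. Returns 1 when an
# unexpected listener exists, so a cron job or monitor can act on the status.
audit_sample() {
    bad=$(printf '%s\n' "$SAMPLE_SS" | unexpected_ports | tr '\n' ' ')
    [ -z "$bad" ] && return 0
    echo "UNEXPECTED listener(s): $bad"
    return 1
}

# Live use on a real host:  ss -tuln | unexpected_ports
```

On the sample this flags tcp/631 and tcp/6667; the loopback-only 631 is low risk, while 6667 bound to 0.0.0.0 is exactly the kind of surprise the text warns about.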

6. Tracing the Path

When you connect to a server, your packet hops through many routers. traceroute shows you every hop along the way.

traceroute google.com
 1  192.168.1.1 (Home Router)    2.1 ms
 2  10.50.2.1 (ISP Hub)         15.4 ms
 ...
12  142.250.190.46 (Google)     25.1 ms

It works by manipulating the TTL (Time To Live) of a packet. It intentionally causes the packet to "die" at hop 1, then hop 2, then hop 3, forcing each router to send back an ICMP "Time Exceeded" error message that identifies it.

7. Packet Capture (Traffic Inspection)

Sometimes commands tell you everything looks fine, but it still doesn't work. This is when you use tcpdump to look at the actual raw data flying through the wire.

sudo tcpdump -i eth0 port 80
IP 192.168.1.55.5342 > 142.250.1.1.80: Flags [S], seq 12345...
IP 142.250.1.1.80 > 192.168.1.55.5342: Flags [S.], seq 98765...

Flags [S] is the client's SYN and Flags [S.] is the server's SYN-ACK: the first two steps of the TCP handshake.

🛡️ Security Mindset

This is the "X-Ray" of networking. Security analysts use this to see exactly what malware is sending out, or why a firewall is dropping a connection.

8. Nmap Essentials

While ss checks your ports, nmap checks remote ports. It is the industry standard for network mapping and scanning.

nmap -A 192.168.1.105
PORT     STATE  SERVICE  VERSION
22/tcp   open   ssh      OpenSSH 7.2
80/tcp   open   http     Apache httpd 2.4

⚠️ Warning

Scanning networks you do not own is illegal in many jurisdictions. Only scan your own labs or networks where you have explicit permission.


9. Real Troubleshooting Flow

Internet down? Don't guess. Follow the data path.

1. ip a: Do I have an IP address? (If no: DHCP issue)
2. ip route: Do I have a default gateway?
3. ping gateway: Can I talk to the router? (If no: Layer 2/Switch issue)
4. ping 8.8.8.8: Can I reach the internet? (If no: ISP/Router issue)
5. ping google.com: Does the name resolve? (If no: DNS issue)
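The five steps as one script, added here as an example (not the module's own code): the helpers parse ip -4 a and ip route output from stdin so they can be checked against constructed samples, and troubleshoot runs the live checks in order, stopping at the first failing layer. Function names, the --run switch and the sample output are assumptions; ping -W (a per-reply deadline in seconds) is the Linux iputils form.

```shell
#!/bin/sh
# Added example (not the module's own code): follow the data path step by
# step and report the first layer that fails.

# first_ipv4: from `ip -4 a` output, print the first non-loopback IPv4 address.
first_ipv4() {
    awk '$1 == "inet" && $2 !~ /^127\./ { sub(/\/.*/, "", $2); print $2; exit }'
}

# default_gateway: from `ip route` output, print the gateway of the default route.
default_gateway() {
    awk '$1 == "default" && $2 == "via" { print $3; exit }'
}

# reachable: one ICMP echo with a 2 second deadline; only the status matters.
reachable() {
    ping -c 1 -W 2 "$1" >/dev/null 2>&1
}

# troubleshoot: walk the path in the module's order, return a distinct status
# per failing step so the caller can tell a DHCP problem from a DNS problem.
troubleshoot() {
    addr=$(ip -4 a | first_ipv4)
    [ -n "$addr" ] || { echo "FAIL: no IPv4 address (DHCP / link issue)"; return 1; }
    gw=$(ip route | default_gateway)
    [ -n "$gw" ] || { echo "FAIL: no default gateway (routing config issue)"; return 2; }
    reachable "$gw" || { echo "FAIL: gateway $gw unreachable (Layer 2 / switch issue)"; return 3; }
    reachable 8.8.8.8 || { echo "FAIL: gateway OK, internet unreachable (ISP / router issue)"; return 4; }
    reachable google.com || { echo "FAIL: IPs work but names do not (DNS issue)"; return 5; }
    echo "OK: $addr via $gw, internet and DNS working"
}

# Constructed samples in the shape of `ip -4 a` and `ip route` output.
SAMPLE_IP_A='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 ...
    inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 ...
    inet 192.168.1.55/24 brd 192.168.1.255 scope global eth0'
SAMPLE_ROUTE='default via 192.168.1.1 dev eth0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.55'

# Run the live check only when asked, so sourcing this file has no side effects.
if [ "${1:-}" = "--run" ]; then troubleshoot; fi
```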

📌 Recap

  • ip a: Show interfaces and IP.
  • ip route: Show gateway and routing table.
  • ping: Test connectivity (ICMP).
  • ss -tuln: Check local listening ports.
  • dig / nslookup: Query DNS records.
  • tcpdump: Capture raw packets.
  • nmap: Scan remote systems.