Nslookup

Linux
basic
commands
nslookup
dig
traceroute
tracepath
mtr
tcpdump
nslookup is a network administration tool for
querying the Domain Name System (DNS) to
obtain domain name or IP address mapping or
any other specific DNS record.
It is also used to troubleshoot DNS related
problems.nslookup can operate on both
“Interactive mode” and “Non-Interactive mode”.
Interactive mode allows the user to query the
DNS-Server about various host, and domains.
Non-Interactive mode allows the user to query
the information for a host or domain.
nslookup, which stands for "name server lookup",
finds information about a named domain.
nslookup is a program used to query Internet
domain name servers for information.
nslookup has two modes: interactive and non-
interactive. ...
nslookup makes use of the configuration file
/etc/nsresolv.
When troubleshooting DNS issues, it is useful
to have access to Domain Name System
(DNS) records of a website. All mainstream
operating systems have tools that enable
users to query a web server and receive
important information such as IP addresses
and other pieces of domain-related
information.
nslookup Options
nslookup Option Description
-domain=[domain-name] Change the default DNS name.
-debug Show debugging information.
-port=[port-number] Specify the port for queries. The default
port number is 53.
-timeout=[seconds] Specify the time allowed for the server to
respond.
-type=a View information about the DNS A address records.
-type=anyView all available records.
-type=hinfo View hardware-related information about the host.
-type=mx View Mail Exchange server information.
-type=ns View Name Server records.
-type=ptr View Pointer records. Used in reverse DNS lookups.
-type=soaView Start of Authority records.
nslookup – Simple Example
nslookup followed by the domain name will
display the “A Record” ( IP Address ) of the
domain.
$ nslookup redhat.com
Server: 192.168.19.2
Address: 192.168.19.2#53
Non-authoritative answer:
Name: redhat.com
Address: 209.132.183.181
In the above output, server refers to the IP
address of the DNS server. Then the below
section provides the “A Record” ( IP Address ) of
the domain “redhat.com”.
The default output of nslookup command is less
cluttered than the default output of dig command.
Query the MX Record using -query=mx
MX ( Mail Exchange ) record maps a domain
name to a list of mail exchange servers for
that domain. The MX record tells that all the
mails sent to “@redhat.com” should be routed
to the Mail server in that domain.
$ nslookup -query=mx redhat.com
Server: 192.168.19.2
Address: 192.168.19.2#53
redhat.com mail exchanger = 10 mx2.redhat.com.
redhat.com mail exchanger = 5 mx1.redhat.com.
Authoritative answers can be found from:
mx2.redhat.com internet address = 66.187.233.33
mx1.redhat.com internet address = 209.132.183.28
In the above example, we have 2 MX records
for the domain “redhat.com”. The number ( 5,
10 ), associated with the MX records tells the
preference of mail server. Lower the number,
higher the preference. So when a mail is sent
to “@redhat.com”, first preference will be
“mx1.redhat.com”, then “mx2.redhat.com”.
Authoritative Answer vs Non-Authoritative
Answer
You may also noticed the keyword
“Authoritative Answer” and “Non-
Authoritative Answer” in the above output.
Any answer that originates from the DNS
Server which has the complete zone file
information available for the domain is
said to be authoritative answer.
In many cases, DNS servers will not have the
complete zone file information available for a
given domain. Instead, it maintains a cache
file which has the results of all queries
performed in the past for which it has gotten
authoritative response. When a DNS query is
given, it searches the cache file, and return
the information available as “Non-Authoritative
Answer”.
Query the NS Record using -query=ns
NS ( Name Server ) record maps a domain
name to a list of DNS servers authoritative
for that domain. It will output the name
serves which are associated with the given
domain.
nslookup -type=ns redhat.com
Server: 192.168.19.2
Address: 192.168.19.2#53
redhat.com nameserver = ns4.redhat.com.
ns4.redhat.com internet address = 209.132.188.218
Query the SOA Record using -query=soa
SOA record ( start of authority ), provides the
authoritative information about the domain, the
e-mail address of the domain admin, the
domain serial number, etc…
$ nslookup -type=soa redhat.com
Server: 192.168.19.2
Address: 192.168.19.2#53
redhat.com
origin = ns1.redhat.com
mail addr = noc.redhat.com
serial = 2012071601
refresh = 300
retry = 180
expire = 604800
minimum = 14400
mail addr – specifies the mail address of the domain admin
( noc@redhat.com )
serial – sort of revision numbering system. The standard
convention is to use “YYYYMMYYNN” format. ( 2012-07-16. 01
will be incremented, if more than one edit has taken place on a
same day )
refresh – specifies ( in seconds ), when the secondary DNS will
poll the primary to see if the serial number has been increased.
If increased, secondary will make a new request to copy the
new zone file.
retry – specifies the interval to re-connect with the Primary DNS
expire – specifies the time that the secondary DNS will keep
the cached zone file as valid
minimum – specifies the time that the secondary DNS should
cache the zone file
View available DNS records using -query=any
We can also view all the available DNS
records using -query=any option.
$ nslookup -type=any google.com
Server: 192.168.19.2
Address: 192.168.19.2#53
Name: google.com
Address: 173.194.35.7
Name: google.com
Address: 173.194.35.8
google.com nameserver = ns1.google.com.
google.com nameserver = ns2.google.com.
google.com
origin = ns1.google.com
mail addr = dns-admin.google.com
serial = 2012071701
refresh = 7200
retry = 1800
expire = 1209600
minimum = 300
google.com mail exchanger = 20 alt1.aspmx.l.google.com.
ns4.google.com internet address = 216.239.38.10
ns3.google.com internet address = 216.239.36.10
Reverse DNS lookup
You can also do the reverse DNS look-up by
providing the IP Address as argument to
nslookup.
$ nslookup 209.132.183.181
Server: 192.168.19.2
Address: 192.168.19.2#53
181.183.132.209.in-addr.arpa name = origin-
www2.redhat.com.
Using Specific DNS server
Instead of using default DNS server’s for querying, you can
also specify a particular name server to resolve the domain
name.
$ nslookup redhat.com ns1.redhat.com
Server: 209.132.186.218
Address: 209.132.186.218#53
Name: redhat.com
Address: 209.132.183.181
In the above command, we have used the ns1.redhat.com
as the DNS server. Here you may notice that, we don’t get
any “Non-authoritative answer:” header, since
ns1.redhat.com has all the zone information of redhat.com
Change the port number to connect with
By default DNS servers uses the port number 53.
If for any reasons, the port number got changed,
then we can specify the port number using -port
option
$ nslookup -port 56 redhat.com
Change timeout interval to wait for a reply
You can change the default timeout to wait for a
reply using -timeout option.
$ nslookup -timeout=10 redhat.com
Enabling debug mode using -debug
You can turn on/off the debugging using -debug option in the
command line
$ nslookup -debug redhat.com
Server: 192.168.19.2
Address: 192.168.19.2#53
------------
QUESTIONS:
redhat.com, type = A, class = IN
ANSWERS:
-> redhat.com
internet address = 209.132.183.181
ttl = 5
AUTHORITY RECORDS:
ADDITIONAL RECORDS:
------------
dig
Dig (Domain Information Groper) is a
command-line utility that performs DNS lookup
by querying name servers and displaying the
result to you. The Dig command is another
powerful tool similar to nslookup for diagnosing
DNS-related problems.
dig command stands for Domain Information
Groper. It is used for retrieving information
about DNS name servers. It is basically used
by network administrators. It is used for
verifying and troubleshooting DNS problems
and to perform DNS lookups.
The dig command in Linux is used to gather DNS
information. It stands for Domain Information
Groper, and it collects data about Domain Name
Servers. The dig command is helpful for
troubleshooting DNS problems, but is also used
to display DNS information.
The dig command, allows you to query information
about various DNS records, including host
addresses, mail exchanges, and name servers. It
is the most commonly used tool among system
administrators for troubleshooting DNS problems
because of its flexibility and ease of use.
Dig is a DNS lookup utility. If it’s not installed on
your system, you can find it as part of dnsutils on
Debian-based package managers and bind-utils
on Fedora, CentOS, and Arch.
The dig command is used to query DNS servers;
it is more flexible than the deprecated nslookup
command. When invoked with just the -h option, it
displays a list of options for the command. If you
use it without any options or arguments, it will
search for the root server.
Dig is part of the BIND domain name server
software suite. dig command replaces older
tools such as nslookup and the host. dig tool is
available in major Linux distributions.
Install Dig on system
Ubuntu/Debian
apt-get install dnsutils
RHEL/Centos
yum install bind-utils
Verify Install
dig -v
The standard arguments are:
server: The server to query. If no server is supplied, dig
will check the name servers listed in /etc/resolv.conf. The
address may be an IPv4 dotted address or an IPv6
colon-delimited address. It may also be a hostname,
which dig will resolve (through the name servers in
/etc/resolv.conf).
name: The domain name to look up.
type: The type of query to perform, such as A, ANY, MX,
SIG, and so forth. The default is A, but you may use any
valid BIND9 query type.
seshadri@seshadri:~$ dig
; <<>> DiG 9.16.1-Ubuntu <<>>
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6208
;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;. IN NS
;; ANSWER SECTION:
. 86291 IN NS a.root-servers.net.
. 86291 IN NS b.root-servers.net.
. 86291 IN NS c.root-servers.net.
. 86291 IN NS d.root-servers.net.
;; Query time: 103 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Sat Aug 27 05:41:41 IST 2022
;; MSG SIZE rcvd: 239
dig www.google.com
The above command causes dig to look up the "A"
record for the domain name google.com. Dig
command reads the /etc/resolv.conf file and
querying the DNS servers listed there. The
response from the DNS server is what dig
displays.
Let us understand the output of the commands
Lines beginning with ; are comments not part of the
information.
The first line tells us the version of the dig (9.16.1) command.
Next, dig shows the header of the response it received from
the DNS server.
Next comes the question section, which simply tells us the
query, which in this case is a query for the "A" record of
google.com. The IN means this is an Internet lookup (in the
Internet class).
The answer section tells us that google.com has the IP
address 172.217.166.78.
Lastly, there are some stats about the query. You can turn off
these stats using the +nostats option.
dig www.google.com +short
Query Domain “A” Record with +short
By default, dig is quite verbose. One way to cut
down the output is to use the +short option. which
will drastically cut the output as shown below.
seshadri@seshadri:~$ dig www.google.com +short
142.250.183.4
seshadri@seshadri:~$
By default, dig looks for the "A" record of the
domain specified, but you can specify other
records also. The MX or Mail eXchange record
tells mail servers how to route the email for the
domain. Likewise TTL, SOA, etc.
Querying MX Record for Domain
dig www.google.com MX
dig www.google.com SOA
Only answer section
dig google.com +nocomments +noquestion
+noauthority +noadditional +nostats
Querying ALL DNS Records Types
dig google.com ANY +noall +answer
DNS Reverse Look-up
dig -x 72.30.38.140 +short
traceroute
traceroute command in Linux prints the
route that a packet takes to reach the host.
This command is useful when you want to
know about the route and about all the hops
that a packet takes.
Traceroute is a crucial tool in network
diagnostics. Together with other Linux
commands such as ping, ip, and netstat (or
the newer alternative ss), Traceroute
identifies the path packets take from source
to destination. The tool is universally
available for Linux, Windows, and macOS.
traceroute is a command used in network
troubleshooting for mapping the path packets
travel through the network. The tool aids in the
discovery of possible routes of information from
source to destination. Additionally, the command
also helps calculate the transfer times between
points. When applied to network troubleshooting,
traceroute helps locate where traffic slows down
between the source and destination.
How Does Traceroute Work?
The protocol sends ICMP (Internet Control Message
Protocol) packets to every router transferring between
the source and destination. When you run a traceroute,
the output displays:
The IP address of the router that successfully received
the packet.
The travel latency, or the amount of time it took to get a
response for each of the three probes.
Traceroute acts as a series of ping commands. While
ping requests a response from the destination,
traceroute gathers the intermediate information as well.
To gather the information available between the source and
destination, a traceroute lowers the packet's TTL (time to live) to
a minimum (1). When a router receives the information, it
decrements the TTL value to 0, indicating it should send
information back to the source. The source gathers the
intermediate router information, resets the TTL value to 1, and
increments it.
Diagram of the traceroute iterations path
This way, the packet reaches the next router in the network. The
iterative process repeats until the final package reaches the
destination IP. Then, traceroute recognizes the destination IP
and outputs all the intermediate information gathered.
The command sends out three probes by default for each TTL
value and prints out the round-trip time for each packet.
command with the following options
Option Description
–help Information about the command.
-d This command enables debugging on Linux.
-F Forbid fragmentation.
-e Show ICMP extensions.
-A AS lookups enable for each hop.
-V Show version.
-U Use a particular UDP port. The default value is 53.
-UL Use the UDPLITE for the query.
-P protocol Send packets of a specified IP protocol.
-I Use the ICMP echo for the requests.
-T Use the TCP SYN for the requests.
-4 Use only IPv4 addresses
-6 Use only IPv6 addresses
By default, a traceroute is 30 hops for a packet size of
60 bytes for IPv4 and 80 bytes for IPv6.
On Ubuntu, the traceroute command is not available by
default. Install the tool using the apt package manager.
sudo apt install traceroute
sudo yum install traceroute -y & sudo dnf install
traceroute -y
$ traceroute --version
In the terminal, run a traceroute with
traceroute [options] <hostname or IP>
[packet length]
$ traceroute google.com
By default, a traceroute sends UDP packets. Add the
option -I for ICMP probe packets:
traceroute -I <hostname or IP>
Include the -n option to hide the device names for a
cleaner output:
traceroute -In <hostname or IP>
seshadri@seshadri:~$ traceroute google.com
traceroute to google.com (172.217.160.174), 30 hops max, 60 byte packets
1 _gateway (192.168.0.1) 12.630 ms 12.894 ms 12.840 ms
2 ***
3 116.119.72.70 (116.119.72.70) 33.668 ms 36.311 ms 39.184 ms
4 182.79.177.69 (182.79.177.69) 52.479 ms 116.119.94.32 (116.119.94.32) 61.268 ms *
5 ***
6 ***
7 ***
8 ***
9 * 209.85.251.242 (209.85.251.242) 72.647 ms 142.250.212.2 (142.250.212.2) 72.593
ms
10 172.253.68.121 (172.253.68.121) 72.537 ms * *
11 * * *
12 * bom05s12-in-f14.1e100.net (172.217.160.174) 77.259 ms *
tracepath
The tracepath and traceroute terminal programs are
crucial in network diagnostics. Both commands map
the network and display possible packet routes and
transit delays from a source to a destination. However,
there is a difference between the available options and
which users can use each command.
Differences between Tracepath vs. Traceroute
The main difference between tracepath and
traceroute is in the available options and user
privileges. With default options, the two
commands are similar.
Tracepath traces the path to a specified destination
using UDP packets. Without any options, the command
outputs:
TTL (Time To Live) round-trip time for a packet.
MTU (Maximum Transmission Units) or the largest
packet that tracepath can send over the network.
The resolved domain name when possible.
Traceroute maps the network path to a designated
destination. Without any options, the command sends
UDP packets and prints:
The TTL round-trip time for three packets.
Maximum hop number and packet size in bytes.
IP address and resolved domain name when possible.
However, traceroute offers many advanced options to
select from, such as choosing between ICMP and TCP
transfer protocols and more. Some options require
superuser (sudo) privileges because the command
works directly with raw packets.
traceroute command and tracepath command are similar.
But it doesn’t require root privileges. System of traceroute
installed by default in Ubuntu but you may have to
download traceroute on Ubuntu system.
The network path of the specified destination by traces
and reports each hop along the path. When you have a
slow network then tracepath will show you where your
network is weak.
Options Descriptions
No option When tracepath command is given with no option in the
parameter, then it will simply display the syntax of tracepath.
Option with destination We can trace a path to the destination
using tracepath
Option -n When tracepath is given by option n, it prints the IP
addresses in the output.
Option -b The option b, will print hostname and IP Addresses in
the output.
Option -l this option for tracepath will allow to set the packet
length initially to pktlen.
Option -mOption m will allow to set the number of maximum hops
or TTLs to maximum instead of 30.
Option -p:Option p with tracepath command will allow to set
destination port to be used.
tracepath <options> <destination IP or domain name>
seshadri@seshadri:~$ tracepath www.google.com
1?: [LOCALHOST] pmtu 1500
1: _gateway 2.325ms asymm 35
1: _gateway 2.245ms asymm 35
2: no reply
3: 116.119.72.70 67.616ms asymm 4
4: 116.119.57.199 100.881ms asymm 6
5: no reply
6: no reply
26: no reply
27: no reply
28: no reply
29: no reply
30: no reply
Too many hops: pmtu 1500
Resume: pmtu 1500
mtr
The mtr command is a combination of ping and

traceroute commands. It is a network diagnostic tool that
continuously sends packets showing ping time for each
hop. It also displays network problems of the entire route
taken by the network packets.
Once you run mtr, it probes the network
connection between the local system and a
remote host that you have specified. It first
establishes the address of each network hop
(bridges, routers and gateways etc.) between
the hosts, it then pings (sends a sequence
ICMP ECHO requests to) each one to
determine the quality of the link to each
machine.
In addition to the hops along the network
path, MTR shows constantly updating
information about the latency and packet
loss along the route to the destination. This
helps in troubleshooting network issues by
allowing you to see what’s happening
along the path in real-time.
This tool comes pre-installed on most
Linux distributions and is fairly easy to
use. If mtr not installed, you can install it
on your respective Linux distributions
using your default package manager.
As a network administrator, you must know
how to use the mtr command and the flags
that you can use to customize the output in
order to perform productive network
diagnostics. Since mtr is a command-line
program, we will use it in the Ubuntu
command line, the terminal. You can open
the terminal application using either the
System Dash or the key combination Ctrl
+Alt+t.
mtr [options] hostname
-F, --filename FILE read hostname(s) from a file
-4 use IPv4 only
-6 use IPv6 only
-u, --udp use UDP instead of ICMP echo
-T, --tcp use TCP instead of ICMP echo
-I, --interface NAME use named network interface
-a, --address ADDRESS bind the outgoing socket to ADDRESS
-f, --first-ttl NUMBER set what TTL to start
-m, --max-ttl NUMBER maximum number of hops
-U, --max-unknown NUMBER maximum unknown host
-P, --port PORT target port number for TCP, SCTP, or UDP
-L, --localport LOCALPORT source port number for UDP
-s, --psize PACKETSIZE set the packet size used for probing
-B, --bitpattern NUMBER set bit pattern to use in payload
-i, --interval SECONDS ICMP echo request interval
-G, --gracetime SECONDS number of seconds to wait for responses
-Q, --tos NUMBER type of service field in IP header
-e, --mpls display information from ICMP extensions
-Z, --timeout SECONDS seconds to keep probe sockets open
-M, --mark MARK mark each sent packet
-r, --report output using report mode
-w, --report-wide output wide report
-c, --report-cycles COUNT set the number of pings sent
-j, --json output json
-x, --xml output xml
-C, --csv output comma separated values
-l, --raw output raw format
-p, --split split output
-t, --curses use curses terminal interface
--displaymode MODE select initial display mode
-n, --no-dns do not resolve host names
-b, --show-ips show IP numbers and host names
-o, --order FIELDS select output fields
-y, --ipinfo NUMBER select IP information in output
-z, --aslookup display AS number
-h, --help display this help and exit
-v, --version output version information and exit
mtr [OPTION]HOSTNAME [PACKETSIZE]
mtr: We can use the mtr keyword in the syntax or
command. It will take the argument as an option and
hostname. It will provide the end-to-end reachability
status from the source machine to the destination
machine.
OPTION: We can provide the different flags as options
that are compatible with the mtr command
HOSTNAME: As per the requirement, we can pass the
hostname or the IP address.
PACKETSIZE: As per the requirement or network
topology, we can specify the packet size.
seshadri@seshadri:~$ mtr --csv google.com
Mtr_Version,Start_Time,Status,Host,Hop,Ip,Loss%,Snt, ,Last,Avg,Best,Wrst,StDev,
MTR.0.93,1661733434,OK,google.com,1,_gateway,0.00,10,0,2.08,3.11,1.97,11.26,2.87
MTR.0.93,1661733434,OK,google.com,2,nsg-static-217.125.75.182-
airtel.com,0.00,10,0,7.76,8.77,7.76,9.69,0.73
MTR.0.93,1661733434,OK,google.com,3,116.119.72.71,0.00,10,0,17.97,25.32,17.97,78.16,18.60
MTR.0.93,1661733434,OK,google.com,4,116.119.72.70,0.00,10,0,20.47,35.49,18.14,101.94,29.89
MTR.0.93,1661733434,OK,google.com,5,182.79.142.222,60.00,10,6,35.87,58.24,35.87,79.05,23.83
MTR.0.93,1661733434,OK,google.com,6,142.250.169.206,0.00,10,0,33.51,41.11,32.70,78.89,15.65
MTR.0.93,1661733434,OK,google.com,7,209.85.251.159,0.00,10,0,33.42,54.82,31.50,80.68,23.54
MTR.0.93,1661733434,OK,google.com,8,108.170.253.122,0.00,10,0,34.36,45.56,31.67,79.34,20.97
MTR.0.93,1661733434,OK,google.com,9,142.251.49.232,0.00,10,0,42.57,59.46,40.18,79.25,19.52
MTR.0.93,1661733434,OK,google.com,10,172.253.68.120,0.00,10,0,47.74,65.49,42.50,79.46,17.38
MTR.0.93,1661733434,OK,google.com,11,108.170.248.161,0.00,10,0,41.02,58.70,41.02,78.57,18.2
9
MTR.0.93,1661733434,OK,google.com,12,142.250.227.73,0.00,10,0,43.13,54.46,43.13,79.21,13.54
MTR.0.93,1661733434,OK,google.com,13,bom12s07-in-
f14.1e100.net,0.00,10,0,42.21,57.29,41.03,87.04,20.57
%Loss: packet loss percentage at each machine
Snt: Number of sent packets
Last: The round trip time for the last traceroute packet
Avg: The average round trip time for all probes
Best: Shortest round trip time of a packet to a particular host
Wrst: Longest round trip time of a packet to a host
StDev: Standard deviation of latencies
The Snt to Wrst columns measure latencies in
milliseconds, but only the Avg column matters the
most. The only downside for generating reports
for network quality is that it utilizes a lot of
network traffic that degrades network
performance.
Packet Loss
The MTR report generates a percentage of packet loss
field at each hop to indicate a problem. However, service
providers have a common practice of rate-limit MTR ICMP
packets that give an illusion of packet loss, which isn’t true.
To identify if the packet loss is actually due to rate-limiting
or not, note the packet loss of the subsequent hop. As in
the screenshot above, for –o flag example, we observe a
packet loss of 16.7% at hop 5 and 6. If there is no packet
loss at the next device, then it results due to rate-limiting.
In another scenario, if the reports represent different
amounts of loss at the starting subsequent hops and the
later few devices show the same packet loss percentage,
then the loss at the initial machines is due to both factors:
rate-limiting and actual loss. Hence, when MTR reports
different packet loss at various hops, trust the loss at the
later hops.
Network Latency
The latency of a network increases with the number of
hops between two endpoints. However, latency also
depends on the network connection quality between the
local and remote machines. For instance, dial-up
connections show higher latency than cable modems.
It’s also important to note that network
latency does not imply an inefficient route.
Irrespective of the high network latency at
various nodes, packets can reach the
destination and return to the source with zero
loss.
Understanding the basics of MTR is necessary to grab
and figure out the most common network connectivity
issues, such as improper configuration of
ISP/residential router and destination host network,
timeouts, and ICMP rate limiting. The article builds a
ground for a beginner user to understand the usage
and working of MTR. It also shows how to generate
MTR reports and perform analysis to identify rate-
limiting related packet loss issues and analyze network
latency.
tcpdump
tcpdump is a most powerful and widely used command-
line packets sniffer or package analyzer tool which is
used to capture or filter TCP/IP packets that received or
transferred over a network on a specific interface. It is
available under most of the Linux/Unix based operating
systems. tcpdump also gives us an option to save
captured packets in a file for future analysis. It saves the
file in a pcap format, that can be viewed by tcpdump
command or an open source GUI based tool called
Wireshark (Network Protocol Analyzer) that reads
tcpdump pcap format files.
One of the most common uses of tcpdump
is to determine whether you are getting
basic two-way communication. Lack of
communication could be due to the
following:
Bad routing
Faulty cables, interfaces of devices in the packet flow
The server not listening on the port because the software
isn’t installed or started
A network device in the packet path is blocking traffic;
common culprits are firewalls, routers with access control
lists and even your Linux box running iptables.
tcpdump is a packet sniffing and packet analyzing tool
for a System Administrator to troubleshoot connectivity
issues in Linux. It is used to capture, filter, and analyze
network traffic such as TCP/IP packets going through
your system. It is many times used as a security tool as
well. It saves the captured information in a pcap file,
these pcap files can then be opened through Wireshark
or through the command tool itself.
tcpdump is a most powerful and widely used
command-line packets sniffer or package analyzer
tool which is used to capture or filter TCP/IP
packets that are received or transferred over a
network on a specific interface.
Tcpdump command options
-i : Listen on the specified interface.
-n: Don’t resolve hostnames. We can use -nn to don’t resolve
hostnames or port names.
-t: Print human-readable timestamp on each dump line, -tttt: Give
maximally human-readable timestamp output.
-X: Show the packet’s contents in both hex and ascii.
-v, -vv, -vvv: Increase the amount of packet information you get back.
-c N: Only get N number of packets and then stop.
-s: Define the snaplength (size) of the capture in bytes. Use -s0 to get
everything, unless you are intentionally capturing less.
-S: Print absolute TCP sequence numbers.
-q: Show less protocol information.
-w : Write the raw packets to file rather
-C file_size(M)
-G rotate_seconds
seshadri@seshadri:~$ tcpdump --help
tcpdump version 4.9.3
libpcap version 1.9.1 (with TPACKET_V3)
OpenSSL 1.1.1f 31 Mar 2020
Usage: tcpdump [-aAbdDefhHIJKlLnNOpqStuUvxX#] [ -B size ] [ -c count
]
[ -C file_size ] [ -E algo:secret ] [ -F file ] [ -G seconds ]
[ -i interface ] [ -j tstamptype ] [ -M secret ] [ --number ]
[ -Q in|out|inout ]
[ -r file ] [ -s snaplen ] [ --time-stamp-precision precision ]
[ --immediate-mode ] [ -T type ] [ --version ] [ -V file ]
[ -w file ] [ -W filecount ] [ -y datalinktype ] [ -z postrotate-
command ]
[ -Z user ] [ expression ]
The general syntax for the tcpdump command is as
follows:
tcpdump [options] [expression]
The command options allow you to control the behavior
of the command.
The filter expression defines which packets will be
captured.
Only root or user with sudo privileges can run tcpdump. If
you try to run the command as an unprivileged user,
you’ll get an error saying: “You don’t have permission to
capture on that device”.
Get packets from all interfaces
To get the network packets from all
network interfaces, run the following
command,
$ tcpdump -i any
Capture Packets from Specific Interface
The command screen will scroll up until you interrupt and
when we execute the tcpdump command it will captures
from all the interfaces, however with -i switch only
capture from the desired interface.
# tcpdump -i eth0
tcpdump: verbose output suppressed, use -v or -vv for
full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture
size 65535 bytes
11:33:31.976358 IP 172.16.25.126.ssh >
172.16.25.125.apwi-rxspooler: Flags [P.], seq
3500440357:3500440553, ack 3652628334, win 18760,
length 196
Capture Only N Number of Packets
seshadri@seshadri:~$ sudo tcpdump -c 4 -i wlo1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wlo1, link-type EN10MB (Ethernet), capture size 262144 bytes
06:31:16.760519 IP PAproxy.48928 > ec2-54-201-62-10.us-west-
2.compute.amazonaws.com.https: Flags [.], ack 2519231671, win 8188, options
[nop,nop,TS val 700926241 ecr 615535639], length 0
06:31:16.760577 IP PAproxy.40400 > bs.yandex.ru.https: Flags [.], ack
4253005925, win 501, options [nop,nop,TS val 244952726 ecr 3077302113],
length 0
06:31:16.762699 IP PAproxy.53031 > dns.google.domain: 35828+ [1au] PTR?
10.62.201.54.in-addr.arpa. (54)
06:31:16.919714 IP dns.google.domain > PAproxy.53031: 35828 1/0/1 PTR
ec2-54-201-62-10.us-west-2.compute.amazonaws.com. (116)
4 packets captured
11 packets received by filter
0 packets dropped by kernel
Print Captured Packets in ASCII
seshadri@seshadri:~$ sudo tcpdump -A -c 4 -i wlo1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wlo1, link-type EN10MB (Ethernet), capture size 262144 bytes
06:32:17.956661 ARP, Request who-has 192.168.0.200 tell PAproxy, length 28
............./..............
06:32:17.958498 IP PAproxy.52957 > dns.google.domain: 62369+ [1au] PTR?
200.0.168.192.in-addr.arpa. (55)
E..S.L@.@..............5.?.P.............200.0.168.192.in-addr.arpa.......)........
06:32:18.956644 ARP, Request who-has 192.168.0.201 tell PAproxy, length 28
............./..............
06:32:18.958095 IP dns.google.domain > PAproxy.52957: 62369 NXDomain 0/0/1
(55)
E..SE...x.0V.........5...?...............200.0.168.192.in-addr.arpa.......)........
4 packets captured
Display Available Interfaces
seshadri@seshadri:~$ sudo tcpdump -D
1.wlo1 [Up, Running]
2.lo [Up, Running, Loopback]
3.any (Pseudo-device that captures on all interfaces) [Up,
Running]
4.virbr0 [Up]
5.docker0 [Up]
6.enxd0374585b058 [Up]
7.bluetooth-monitor (Bluetooth Linux Monitor) [none]
8.nflog (Linux netfilter log (NFLOG) interface) [none]
9.nfqueue (Linux netfilter queue (NFQUEUE) interface) [none
10.bluetooth0 (Bluetooth adapter number 0) [none]
11.virbr0-nic [none]
Capture and Save Packets in a File
seshadri@seshadri:~$ sudo tcpdump -c 4 -w tcp.pcap -i
wlo1
tcpdump: listening on wlo1, link-type EN10MB
(Ethernet), capture size 262144 bytes
4 packets captured
Capture Packet from Specific Port
tcpdump -i eth0 port 22
tcpdump: verbose output suppressed, use -v or -vv for full
protocol decode
size 65535 bytes
10:37:49.056927 IP 192.168.0.2.ssh > 192.168.0.1.nokia-
ann-ch1: Flags [P.], seq 3364204694:3364204890, ack
4193655445, win 20904, length 196
10:37:49.196436 IP 192.168.0.2.ssh > 192.168.0.1.nokia-
ann-ch1: Flags [P.], seq 4294967244:196, ack 1, win
20904, length 248
10:37:49.196615 IP 192.168.0.1.nokia-ann-ch1 >
192.168.0.2.ssh: Flags [.], ack 196, win 64491, length 0
Capture Packets from source IP
To capture packets from source IP, say you want to
capture packets for 192.168.0.2, use the command as
follows.
# tcpdump -i eth0 src 192.168.0.2
protocol decode
size 65535 bytes
10:49:15.746474 IP 192.168.0.2.ssh > 192.168.0.1.nokia-
ann-ch1: Flags [P.], seq 3364578842:3364579038, ack
4193668445, win 20904, length 196
10:49:15.748554 IP 192.168.0.2.56200 >
b.resolvers.Level3.net.domain: 11289+ PTR? 1.0
Capture Packets from destination IP
To capture packets from destination IP, say you want to
capture packets for 50.116.66.139, use the command as
follows.
# tcpdump -i eth0 dst 50.116.66.139
protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size
65535 bytes
10:55:01.798591 IP 192.168.0.2.59896 > 50.116.66.139.http:
Flags [.], ack 2480401451, win 318, options [nop,nop,TS val
7955710 ecr 804759402], length 0
10:55:05.527476 IP 192.168.0.2.59894 > 50.116.66.139.http:
Flags [F.], seq 2521556029,
Filter tcpdump traffic
One of the best features of tcpdump is that we can filter
out exactly the traffic we want to see. Without filtering out
traffic by adapter (as seen above), port number, and
packet protocol, the amount of captured traffic can quickly
become overwhelming and nearly impossible to sift
through.
Despite the name tcpdump, we can use the tool to filter
out all kinds of traffic, not just TCP. For example, use the
following syntax to filter out traffic that uses UDP.
# tcpdump -n udp
# tcpdump -n icmp
# tcpdump -n port 80
# tcpdump -n src host 10.10.150.20
# tcpdump -n dst port 22
seshadri@seshadri:~$ sudo tcpdump -ttttnnvvS -i wlo1
tcpdump: listening on wlo1, link-type EN10MB (Ethernet), capture size 262144 bytes
2022-08-29 06:50:09.816408 IP (tos 0x0, ttl 64, id 48819, offset 0, flags [DF], proto TCP (6), length 52)
192.168.0.8.48674 > 54.179.16.223.443: Flags [.], cksum 0xc09c (correct), seq 1179112676, ack
3410177535, win 501, options [nop,nop,TS val 921146773 ecr 2264237098], length 0
2022-08-29 06:50:09.848237 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.0.201 tell
192.168.0.8, length 28
192.168.0.8.50024 > 18.176.115.106.443: Flags [.], cksum 0x3389 (correct), seq 1095044392, ack
54.179.16.223.443 > 192.168.0.8.48674: Flags [.], cksum 0xc1b7 (correct), seq 3410177535, ack
2022-08-29 06:50:10.806378 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.0.200 tell
192.168.0.8, length 28
18.176.115.106.443 > 192.168.0.8.50024: Flags [.], cksum 0x3434 (correct), seq 2326054978, ack
138.199.14.80.80 > 192.168.0.8.40727: Flags [.], cksum 0x3a2d (correct), seq 3391246405, ack
192.168.0.8.40727 > 138.199.14.80.80: Flags [.], cksum 0xb2e7 (correct), seq 3954104662, ack
3391246406, win 501, options [nop,nop,TS v

Nslookup

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Nslookup

Uploaded by

Copyright:

Available Formats

Linux

The mtr command is a combination of ping and

You might also like