Introduction
This lab focuses on network monitoring in Linux using the netstat command-line tool. Network monitoring is essential for system administrators to understand the connections, services, and traffic patterns on their systems.
Throughout this lab, you will learn how to use the netstat utility to display active network connections, listening services, and network interface statistics. These skills are fundamental for troubleshooting network issues, monitoring system performance, and ensuring network security.
By the end of this lab, you will be able to effectively use netstat to gain insights into network activities on a Linux system, which is a valuable skill for any system administrator or IT professional.
Understanding Network Connections with netstat
The netstat command is a powerful network utility that displays network connections, routing tables, interface statistics, and more. In this step, you will learn how to use netstat to view active network connections.
First, let's navigate to the project directory where we'll be working:
cd /home/labex/project
What is netstat?
The netstat (network statistics) command displays various network-related information such as network connections, routing tables, interface statistics, and more. It's a valuable tool for understanding your system's network activities.
Viewing Active Connections
Let's run the netstat command with specific options to display active TCP connections:
netstat -nat > connections.txt
In this command:
- -n displays addresses and port numbers in numerical form rather than resolving them to hostnames or service names
- -a shows all sockets (both listening and non-listening)
- -t displays only TCP connections
- > connections.txt redirects the output to a file named connections.txt
Now let's view the contents of the file we created:
cat connections.txt
The output should look similar to this:
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN
tcp6 0 0 :::22 :::* LISTEN
Understanding the Output
- Proto: The protocol used (TCP in this case)
- Recv-Q: The count of bytes not copied by the user program connected to this socket
- Send-Q: The count of bytes not acknowledged by the remote host
- Local Address: The address and port number of the local end of the socket
- Foreign Address: The address and port number of the remote end of the socket
- State: The state of the socket (LISTEN, ESTABLISHED, etc.)
The LISTEN state indicates that the service is running and waiting for incoming connections on that specific port.
Monitoring Listening Services
In this step, you will learn how to identify which services are listening for connections on your system. This information is crucial for security auditing and troubleshooting network-related issues.
Identifying Listening Services
Let's use the netstat command to specifically look for services that are in the LISTEN state:
netstat -natu | grep LISTEN > listening_services.txt
In this command:
- -n displays numerical addresses
- -a shows all sockets
- -t includes TCP connections
- -u includes UDP connections
- | grep LISTEN filters the output to show only lines containing "LISTEN"; UDP sockets have no LISTEN state, so only TCP lines pass this filter
- > listening_services.txt saves the output to a file
Now let's examine the contents of the file:
cat listening_services.txt
You should see output similar to this:
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN
tcp6 0 0 :::22 :::* LISTEN
Understanding Listening Services
Each line in the output represents a service that is currently accepting connections:
- Services listening on 0.0.0.0 are accepting connections from any network interface
- Services listening on 127.0.0.1 are only accepting connections from the local machine
- Services listening on ::: are bound to the IPv6 wildcard address and accept connections from any network interface
The port numbers (like 22 for SSH or 631 for CUPS printing service) identify which service is listening. For example:
- Port 22: SSH service
- Port 80: HTTP (web) service
- Port 443: HTTPS service
- Port 631: CUPS printing service
This information helps you understand which services are exposed on your system, which is valuable for security assessments and troubleshooting.
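The bind-address rules above can be applied mechanically when auditing a host. The following is an added example, not part of the original lab: the function names are hypothetical and the sample lines are constructed in the same format as listening_services.txt.

```shell
#!/bin/sh
# Added example (not from the lab): classify listening TCP sockets by bind address.

# Constructed sample input in the format produced by `netstat -nat`.
sample_listeners() {
cat <<'EOF'
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
tcp6       0      0 ::1:631                 :::*                    LISTEN
tcp        0      0 192.168.1.10:8080       0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.10:22         203.0.113.5:51514       ESTABLISHED
EOF
}

# Reads netstat lines on stdin; prints "<scope> <proto> <address> <port>".
classify_listeners() {
    awk '
    $1 ~ /^tcp/ && $6 == "LISTEN" {
        # The port follows the LAST colon; IPv6 addresses contain colons too.
        n = split($4, parts, ":")
        port = parts[n]
        addr = substr($4, 1, length($4) - length(port) - 1)
        if (addr == "0.0.0.0" || addr == "::")
            scope = "ALL-INTERFACES"
        else if (addr ~ /^127\./ || addr == "::1")
            scope = "LOOPBACK-ONLY"
        else
            scope = "SPECIFIC-ADDRESS"
        print scope, $1, addr, port
    }'
}

# Ports reachable on every interface, de-duplicated across tcp and tcp6.
exposed_ports() {
    classify_listeners | awk '$1 == "ALL-INTERFACES" { print $4 }' | sort -nu
}

sample_listeners | classify_listeners
```

On a real system, feed it the lab's own file: `classify_listeners < listening_services.txt`.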
Analyzing Network Interface Statistics
In this step, you will learn how to view statistics for your network interfaces. These statistics provide valuable information about the performance and usage of your network interfaces.
Viewing Interface Statistics
Let's use netstat to display statistics for all network interfaces:
netstat -i > interface_stats.txt
In this command:
-idisplays a table of all network interfaces> interface_stats.txtsaves the output to a file
Now let's examine the contents of the file:
cat interface_stats.txt
You should see output similar to this:
Kernel Interface table
Iface MTU RX-OK RX-ERR RX-DRP RX-OVR TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0 1500 123456 0 0 0 98765 0 0 0 BMRU
lo 65536 789 0 0 0 789 0 0 0 LRU
Understanding Network Interface Statistics
The output provides important statistics about each network interface:
- Iface: The name of the network interface
  - eth0: Typically the first Ethernet interface
  - lo: The loopback interface used for local connections
- MTU: Maximum Transmission Unit - the largest packet size that can be transmitted
  - Standard Ethernet typically uses 1500 bytes
  - The loopback interface typically has a larger MTU (65536)
- RX-OK: Number of packets received without errors
- RX-ERR: Number of packets received with errors
- RX-DRP: Number of received packets dropped
- RX-OVR: Number of received packet overruns
- TX-OK: Number of packets transmitted without errors
- TX-ERR: Number of packets transmitted with errors
- TX-DRP: Number of transmitted packets dropped
- TX-OVR: Number of transmitted packet overruns
- Flg: Flags indicating the interface status
  - B: Broadcast address set
  - M: Multicast enabled
  - R: Interface is running
  - U: Interface is up
These statistics help you monitor network performance and identify potential issues, such as packet loss or transmission errors.
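To spot such issues without reading the table by eye, the counters can be checked with a short script. This is an added example, not part of the original lab: the function names are hypothetical, and the sample table is constructed (the eth1 row and its error counts are made up).

```shell
#!/bin/sh
# Added example (not from the lab): flag interfaces with error/drop/overrun counters.

# Constructed sample in the layout of `netstat -i`; eth1 values are invented.
sample_iface_table() {
cat <<'EOF'
Kernel Interface table
Iface      MTU    RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0      1500   123456      0      0      0    98765      0      0      0 BMRU
eth1      1500   200000     40    160      0    50000      5      0      0 BMRU
lo       65536      789      0      0      0      789      0      0      0 LRU
EOF
}

# Prints one line per interface whose error, drop or overrun counters are non-zero:
# "<iface> rx_bad=<n> tx_bad=<n> rx_bad_pct_of_ok=<x.xx>"
unhealthy_interfaces() {
    awk '
    $1 == "Iface" {
        # Map header names to positions so an extra column does not shift the parse.
        for (i = 1; i <= NF; i++) col[$i] = i
        have_header = 1
        next
    }
    have_header && NF >= col["Flg"] {
        rx_bad = $(col["RX-ERR"]) + $(col["RX-DRP"]) + $(col["RX-OVR"])
        tx_bad = $(col["TX-ERR"]) + $(col["TX-DRP"]) + $(col["TX-OVR"])
        if (rx_bad + tx_bad == 0) next
        rx_ok = $(col["RX-OK"])
        # Bad receive events per 100 good packets; 0 when nothing was received.
        pct = (rx_ok > 0) ? 100 * rx_bad / rx_ok : 0
        printf "%s rx_bad=%d tx_bad=%d rx_bad_pct_of_ok=%.2f\n", $1, rx_bad, tx_bad, pct
    }'
}

sample_iface_table | unhealthy_interfaces
```

On a real system, run `unhealthy_interfaces < interface_stats.txt`; counters are cumulative since the interface came up, so compare two readings taken some time apart to see whether errors are still increasing.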
Additional Network Statistics Commands
For a more comprehensive view of network statistics, you can also use:
netstat -s | head -20 > protocol_stats.txt
This command displays protocol statistics for TCP, UDP, IP, ICMP, and other protocols. We're using head -20 to limit the output to the first 20 lines for readability.
Let's view this file:
cat protocol_stats.txt
This provides detailed statistics about how each protocol is performing, helping you identify potential network issues at the protocol level.
Summary
In this lab, you have learned how to use the netstat command to monitor various aspects of network activity on a Linux system. The key skills you have acquired include:
- Viewing active network connections to understand what connections are established on your system.
- Identifying listening services to determine which ports are open and potentially exposed to the network.
- Analyzing network interface statistics to monitor the performance and health of your network interfaces.
These skills are essential for system administrators, network engineers, and security professionals who need to understand and troubleshoot network-related issues. The netstat command provides valuable insights into your system's network activities, helping you maintain optimal performance and security.
While netstat is considered legacy on many modern Linux distributions and is being replaced by tools like ss and ip, understanding netstat provides a solid foundation for network monitoring concepts that apply across all these tools.



