
Network

Network interfaces

On Unix-like systems

  • eth0: This is the name usually given to the first wired (Ethernet) network interface. If you're connected via a network cable, this is likely the interface you're using.
  • wlp2s0: This typically refers to a wireless (Wi-Fi) network interface. The naming can vary depending on the hardware, but interfaces starting with wl are usually wireless.
  • lo: This is the loopback interface, which is a virtual interface used for local communication within your machine. It doesn't communicate with the outside world and is mainly used for testing or services running locally.
  • ens3: ?

Use tcpdump -D to list all available interfaces.

On Windows

Interfaces are referred to by their "friendly names":

  • "Wi-Fi"
  • "Ethernet"
  • "Local Area Connection"

Referring to interfaces on Windows:

  • You must first list all interfaces with: windump -D (you need administrator rights to use windump; for example, run your terminal as administrator).
  • It outputs something like:
    1.\Device\NPF_{GUID} (Ethernet)
    2.\Device\NPF_{GUID} (Wi-Fi)
    3.\Device\NPF_{GUID} (Loopback)
  • You'd then use the interface index seen above (e.g. "1" for Ethernet) or its full name (e.g. \Device\NPF_{GUID}).
  • For example, windump -i 2 captures on Wi-Fi according to the interface list above.

Connection observations

To check for potential connection drops: ping 8.8.8.8 will ping Google DNS continuously (ping -t 8.8.8.8 on Windows).

IP/Ports form and norms

Port numbers range from 0 to 65535

On the same machine

127.0.0.x or localhost;

LAN

The organizations that distribute IP addresses to the world reserve a range of IP addresses for private networks.

  • Class A: 10.0.0.0 - 10.255.255.255 (16,777,216 IP addresses)
  • Class B: 172.16.0.0 - 172.31.255.255 (1,048,576 IP addresses)
  • Class C: 192.168.0.0 - 192.168.255.255 (65,536 IP addresses) (often used by home routers)

Public

The rest of the IPs are for public use.

  • Class A: 1.0.0.0 - 9.255.255.255 and 11.0.0.0 - 126.255.255.255
  • Class B: 128.0.0.0 - 171.255.255.255 and 173.0.0.0 - 191.255.255.255
  • Class C: 192.0.0.0 - 195.255.255.255 and 197.0.0.0 - 223.255.255.255
  • Class D: 224.0.0.0 - 247.255.255.255 (multicast addresses)
  • Class E: 248.0.0.0 - 255.255.255.254 (experimental use)

IPv6

  • Public range:
    • Global Unicast: 2000::/3 (which includes addresses from 2000:: to 3fff:ffff:ffff:ffff:ffff:ffff:ffff:ffff)
  • Reserved:
    • Link-Local: fe80::/10
    • Unique Local: fc00::/7
    • Multicast: ff00::/8

Famous addresses

These are addresses commonly used for network tests and maintenance.

| addr | desc |
|---|---|
| 208.67.222.222 and 208.67.220.220 | OpenDNS |
| 1.1.1.1 and 1.0.0.1 | Cloudflare DNS |
| 8.8.8.8 and 8.8.4.4 | Google DNS |

Some norms (pcap tools ?)

These are definitions of names, references and qualifiers that will help you get a better grasp of network technologies.

Qualifiers (TODO: are these common among pcap tools?):

  • proto is used to refer to a protocol by its number.
    For example proto 17 refers to udp, so tcpdump -n udp and tcpdump -n proto 17 produce the same result.
  • host is used to refer to a specific host. For instance: tcpdump -n host 192.168.1.185.
  • net is for a range of IPs. For instance, to dump only packets related to 10.10.0.0/16: tcpdump -n net 10.10.
  • port is used to refer to a specific port. For instance: tcpdump -n port 23.
  • portrange is for a range of ports. For instance: tcpdump -n portrange 110-150.
  • src is used to refer to the source of a packet. For instance: tcpdump -n src host 192.168.1.185 to capture packets from IP 192.168.1.185.
  • dst is used to refer to the destination of a packet. For instance: tcpdump -n dst port 80 to capture packets going to port 80.

tcpdump

  • To save packets for later analysis: tcpdump -n -w data.pcap.
  • You can read such a pcap formatted file with, for example: tcpdump -r data.pcap.
  • For a long capture period, use file rotation. To create up to ten 200MB files (named file.pcap0, file.pcap1, ...) use: tcpdump -n -W 10 -C 200 -w /tmp/file.pcap. The oldest file is overwritten once the maximum number of files is reached.
  • As tcpdump has no option to stop itself after a given time, you can use timeout. For instance: timeout 300 tcpdump -n -w data.pcap.

Logic

Filters can be combined using the and (as &&), or (as ||), and not (as !) operators.
Here are some examples:

  • tcpdump -n src 192.168.1.185 and tcp port 80
  • tcpdump -n 'host 192.168.1.185 and (tcp port 80 or tcp port 443)'
  • tcpdump -n src 192.168.1.185 and not dst port 22

nc (netcat)

"Netcat" is cat for "net".
As such, by default nc does not output anything if there is no error or nothing to be shown, just as when "catting" an empty file.
cat this where this is an empty file will not output anything.
cat that where that does not exist will output an error.
nc -z foo 80 where foo is listening on 80 will not output anything.
nc -z foo 53 where foo is not listening on 53 will output an error.

  • -z: Specifies that nc should just scan for listening daemons, without sending any data to them.
  • -u: UDP mode.
  • -p: Specifies the port to use. Depending on the system or version of netcat this option may not be necessary or not present; then just specify the port as the next parameter.
  • -e: Executes the given program once a connection is established (as used in the remote shell example below).
  • -l: Listen mode (server mode).
  • -k: Forces nc to stay listening for another connection after its current connection is completed. It is an error to use this option without the -l option. It is an error to use this option in conjunction with the -e option.
  • -L: Persistent listener. Linger on close: wait for messages to be sent after the network descriptor is closed, up to the specified timeout in seconds.
  • -wN: To define the timeout value (N seconds).
  • -v: Verbose mode, outputs more information.
  • -n: No DNS hostname resolution (IPs directly).

Some netcat examples

Sending the smallest possible HTTP request using netcat to check for a connection:
echo -e "GET / HTTP/1.0\r\n\r\n" | nc localhost 8000

Simple client/server use:

nc -l -p 8000 # Server party.
nc localhost 8000 # Client party.

Remote shell:

nc -l -p 8000 -e cmd.exe # Server party.
nc localhost 8000 # Client party.

Wireshark

There are two different filters with two different syntaxes:

  • /capture/ (doc): used to select which packets are saved to disk while capturing; uses the BPF syntax and copes with high capture rates.
  • /display/ (doc): takes advantage of the full dissection of all packets and lets you change the view of the capture.

A quick explanation here.

"tcp port 8080 is /capture/ filter, but tcp.port == 8080 is /display/ filter."

HTTP

You can use netcat to debug HTTP requests and responses:

nc example.com 80 <<EOF
GET /path HTTP/1.1
Host: example.com
Connection: close

EOF

(Make sure to include two blank lines after the headers to indicate the end of the request).

Response example:

HTTP/1.0 200 OK
Server: BaseHTTP/0.6 Python/3.12.7
Date: Fri, 18 Apr 2025 00:10:10 GMT
Content-type: text/plain

pong
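The two checks above, the nc -z style "is anything listening?" probe and the minimal HTTP request with CRLF line endings and a blank line ending the headers, as an added Python example that is not part of these notes. It spins up a local stand-in server (Python's http.server, which produces the same BaseHTTP response shape shown above) so it runs offline; host, port and the "pong" body are constructed for the demo.

```python
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


class PongHandler(BaseHTTPRequestHandler):
    """Constructed local stand-in for the remote host; answers "pong" to GET."""

    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-type", "text/plain")
        self.end_headers()
        self.wfile.write(b"pong")

    def log_message(self, fmt, *args):  # keep the demo quiet
        pass


def is_listening(host, port, timeout=2.0):
    """Equivalent of `nc -z host port`: True if a TCP connect succeeds, else False."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def http_probe(host, port, path="/", timeout=5.0):
    """Send the minimal HTTP/1.0 request over a raw socket and parse the reply.

    HTTP needs CRLF line endings and exactly one empty line to end the headers;
    HTTP/1.0 plus "Connection: close" makes the server close the socket after
    the response, so reading until EOF yields the whole body.
    """
    request = (
        f"GET {path} HTTP/1.0\r\n"
        f"Host: {host}\r\n"
        "Connection: close\r\n"
        "\r\n"
    ).encode("ascii")
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(request)
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    raw = b"".join(chunks)
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)          # e.g. "HTTP/1.0 200 OK"
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {
        "version": parts[0],
        "status": int(parts[1]),
        "reason": parts[2] if len(parts) > 2 else "",
        "headers": headers,
        "body": body,
    }


def free_port():
    """Bind an ephemeral port and release it, giving a port that is (very likely) closed."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo():
    """Start the stand-in server, run both probes against it, shut it down."""
    server = HTTPServer(("127.0.0.1", 0), PongHandler)
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        open_result = is_listening("127.0.0.1", port)
        closed_result = is_listening("127.0.0.1", free_port())
        response = http_probe("127.0.0.1", port)
    finally:
        server.shutdown()
        server.server_close()
    return {"open": open_result, "closed": closed_result, "response": response}


if __name__ == "__main__":
    print(demo())
```

Against a real host, call http_probe("example.com", 80) directly; the parsed "headers" dict makes it easy to check a Server or Content-type header without eyeballing raw output.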

Domains as tools

  • https://example.org/ or https://example.com/
  • httpbin.org: This is a simple HTTP request and response service. You can use it to test various HTTP methods (GET, POST, PUT, DELETE, etc.) and see the responses.
  • jsonplaceholder.typicode.com: This is a fake online REST API for testing and prototyping. It provides various endpoints for testing CRUD operations.
  • reqres.in: This is a hosted REST API ready to respond to your AJAX requests. It provides a set of endpoints for testing.
  • mocky.io: This service allows you to create custom mock responses for testing. You can create a mock response and get a unique URL to test against.
  • httpstat.us: This service provides HTTP status codes for testing. Example: https://httpstat.us/200 for a successful response, or https://httpstat.us/404 for a not found response.

Discovery

Discover a domain's records including A, AAAA, MX, TXT, and more (DNS servers, firewalls and the like will monitor dig activity):

  • dig ANY <domain>
  • dig +noall +answer <domain>
  • dig ANY +nostats +nocomments +nocmd <domain>
  • To force dig to use TCP: dig example.com ANY +tcp
  • Abusive use of the dig command may lead DNS servers to block you (as it may resemble a denial-of-service (DoS) attack or simply be considered excessive use).
    Software like BIND (Berkeley Internet Name Domain) or dnsmasq can be used to create a local DNS server, which would allow you to keep experimenting without risk of being blocked or overloading external servers.

Discover the IPs of a local network:

  • arp -a to display IPs with corresponding MAC addresses and sometimes computer names (display result may differ on Windows and Linux).
  • ip neigh
  • nmap -sP 192.168.1.0/24 (replace with your network's IP range).
  • "Angry IP Scanner"
  • Your box or network provider may give you valid information too, often accessible at 192.168.1.1 in a web browser.
  • On Android or iOS: "Fing" or "Network Analyzer".
  • ping can also help find out whether an IP is reachable: ping 192.168.1.10 (change to the IP you want to ping).

Discover the programs that are using a designated port:

  • netstat -aon | findstr :80 on Windows. Note that it also matches ports like 8000 or 8080, since findstr :80 is a plain substring match.
  • sudo lsof -i :80 on Linux.

Telemetry addresses

These are domains and addresses known to be accessed by systems while doing nothing (e.g. an OS that has just been started).

To show activity report you can use tcpdump -i any (or in place of any you could put eth0 or wlp2s0).

| addr | Seen on | desc |
|---|---|---|
| x.1.168.192.in-addr-arpa | Mint 21.2 Mate 64-bit | |
| mdns.mcast.net | Mint 21.2 Mate 64-bit | |

Strange IPs that might be attackers

| addr | Seen on | desc |
|---|---|---|
| 92.255.57.58.42006 | My static site hellfar.fr via port 443 | |
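The "src.port > dst.port" notation in the table above is how tcpdump -n prints TCP/UDP endpoints. As an added example (not part of these notes), the following Python parses such lines, classifies each address using the private ranges from the LAN section (plus loopback, and multicast as defined by the ipaddress module's 224.0.0.0/4) and counts public sources contacting a private host on ports you care about, which is the first triage step for an entry like the one above. The sample lines are constructed (the addresses are taken from this page or from the documentation-only 203.0.113.0/24 block); IPv6 ("IP6") lines and ARP lines are ignored.

```python
import ipaddress
import re
from collections import Counter

# "IP <src>.<sport> > <dst>.<dport>:" as printed by `tcpdump -n` for IPv4.
# The last dotted component of each endpoint is the port number.
ENDPOINT = r"(\d{1,3}(?:\.\d{1,3}){3})\.(\d{1,5})"
TCPDUMP_LINE = re.compile(r"\bIP\s+" + ENDPOINT + r"\s+>\s+" + ENDPOINT + r":")

# RFC 1918 private ranges, as listed in the LAN section.
PRIVATE_NETS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# Constructed sample capture (not real traffic); timestamps are illustrative.
SAMPLE_LINES = [
    "12:00:01.000001 IP 92.255.57.58.42006 > 192.168.1.20.443: Flags [S], seq 1, win 64240, length 0",
    "12:00:01.000200 IP 192.168.1.20.443 > 92.255.57.58.42006: Flags [S.], seq 2, ack 2, win 65160, length 0",
    "12:00:02.000000 IP 192.168.1.20.50122 > 8.8.8.8.53: 1234+ A? example.org. (29)",
    "12:00:02.000500 IP 8.8.8.8.53 > 192.168.1.20.50122: 1234 1/0/0 A 203.0.113.10 (45)",
    "12:00:03.000000 IP 92.255.57.58.42010 > 192.168.1.20.443: Flags [S], seq 9, win 64240, length 0",
    "12:00:04.000000 ARP, Request who-has 192.168.1.1 tell 192.168.1.20, length 28",
]


def classify(addr):
    """Return 'loopback', 'private', 'multicast' or 'public' for an IPv4 address string."""
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:
        return "loopback"
    if any(ip in net for net in PRIVATE_NETS):
        return "private"
    if ip.is_multicast:
        return "multicast"
    return "public"


def parse_line(line):
    """Extract src/dst address and port from one tcpdump -n line, or None if not IPv4 TCP/UDP."""
    m = TCPDUMP_LINE.search(line)
    if not m:
        return None
    src, sport, dst, dport = m.groups()
    return {"src": src, "sport": int(sport), "dst": dst, "dport": int(dport)}


def external_sources(lines, watched_ports):
    """Count (public source IP, local port) pairs for packets from a public address
    to a private one on a watched port. Replies from our own host and traffic we
    initiated (e.g. the DNS answer from 8.8.8.8) are not counted."""
    hits = Counter()
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue
        if (
            classify(pkt["src"]) == "public"
            and classify(pkt["dst"]) == "private"
            and pkt["dport"] in watched_ports
        ):
            hits[(pkt["src"], pkt["dport"])] += 1
    return hits


if __name__ == "__main__":
    for (src, port), count in external_sources(SAMPLE_LINES, {22, 443}).most_common():
        print(f"{src} -> local port {port}: {count} packet(s)")
```

To run it on a real capture, feed it the output of tcpdump -n -r data.pcap line by line; the filter expressions from the Logic section (for instance excluding your own SSH session with not dst port 22) reduce the noise before parsing.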

TODOs

  • nmap
  • Wireshark
  • Fiddler
  • Microsoft Network Monitor
  • traceroute
  • ip addr show: To show network interfaces as well as their respective IPs.
  • route -n for showing the routing table.
  • DNS resolution commands:
    • dig
    • nslookup
  • Meaning of:
    • "reverse DNS resolution"
    • "reverse proxy"
  • Network pairing architecture:

    • "client-server architecture":
      • Centralized Server: There is a central server that manages and coordinates the communication between clients.
      • Client Requests: Clients initiate requests to the server, which then processes the requests and sends back responses.
      • Indirect Communication: Clients do not communicate directly with each other. Instead, all communication between clients goes through the central server.
      • Scalability: The client-server model allows for scalability, as the server can handle multiple clients simultaneously.
      • Separation of Concerns: The client and server have distinct roles and responsibilities, which allows for better organization and management of the system.
      • Examples of client-server architectures include web browsing (where the client is the web browser and the server is the web server), email (where the client is the email client and the server is the email server), and many other networked applications and services.
    • "peer-to-peer (P2P) architecture":
      • Decentralized Communication: Clients communicate directly with each other, without going through a central server.
      • Matchmaking Server: The server's role is limited to helping clients find and connect with each other, but it does not participate in the actual communication.
      • Direct Peer-to-Peer Communication: Once the clients are connected, they communicate directly with each other, without the server being involved in the ongoing communication.
      • Scalability: Peer-to-peer architectures can be highly scalable, as the load is distributed among the clients rather than being centralized on a single server.
      • Resilience: Peer-to-peer architectures are more resilient to failures, as the loss of a single client does not bring down the entire system.
      • Examples of peer-to-peer architectures include file-sharing applications (e.g., BitTorrent), voice over IP (VoIP) services (e.g., Skype), and some types of distributed computing and storage systems.
    • "Hybrid Architecture":
      • This is a combination of client-server and peer-to-peer architectures.
      • Some communication happens through a central server, while other communication happens directly between peers.
      • This allows for the benefits of both centralized and decentralized approaches.
    • "Broker Architecture":
      • This is similar to the client-server model, but the server is called a "broker".
      • The broker acts as an intermediary, routing messages and coordinating communication between clients.
      • Clients do not communicate directly with each other, but rather through the broker.
    • "Event-Driven Architecture":
      • In this architecture, components communicate by generating and responding to events.
      • There is no direct communication between components; instead, they subscribe to and publish events.
      • This allows for loose coupling and asynchronous communication between components.
    • "Service-Oriented Architecture (SOA)":
      • This is an architectural style where functionality is provided as independent services.
      • Services communicate with each other through well-defined interfaces, often using standard protocols like HTTP.
      • This allows for modularity, reusability, and flexibility in system design.
    • "Microservices Architecture":
      • This is a variant of the SOA approach, where the system is composed of small, independent, and loosely coupled services.
      • Each service is responsible for a specific business capability and can be developed, deployed, and scaled independently.
      • This architecture promotes scalability, flexibility, and resilience in complex systems.
