
Tuesday, 8 August 2023

Elastic Stack for Network and Security Engineers

In recent years network engineers have turned from CLI jockeys into a hybrid between an application developer and a networking expert, which acronym-loving people call NetDevOps. In practice, a NetDevOps engineer should be able to:
  • manage and troubleshoot networks;
  • help troubleshoot any information system issue (including “slow” applications);
  • automate networking tasks;
  • monitor network and application performance;
  • keep auditing the infrastructure, eventually using (partial) automation to make it less time-consuming;
and do everything else not covered by other IT teams.

To get there, NetDevOps started to learn Linux, Python, and automation frameworks. In this article, we’ll add log management to the mix.

Log management is the ability to collect any event from information systems and get them automatically analyzed to help NetDevOps react faster to information system issues.

There are many commercial or open-source log management platforms; I would mention:
  • Graylog
  • Elastic Stack
  • InfluxDB

Each one of these has a different focus: Graylog was born as a log management solution, Elastic Stack is a Big Data solution, and InfluxDB is a time-series database.

We won’t go into discussing the pros and cons of these products. There are already plenty of blog posts doing that.

I chose to work with Elastic Stack because of its:
  • flexibility: I’m able to inject logs from almost any device I encountered;
  • scalability: I can manage hundreds or thousands of log messages per second without any issue;
  • integration: I’m able to build a very robust solution that includes other open-source components;
  • vision: I honestly like where Elastic company is going, and I agree with its vision.

Wednesday, 19 February 2020

Wireshark Series: Part 3- TCP and UDP

• Transmission Control Protocol (TCP):

○ TCP delivers a byte stream to the destination reliably and in order: lost segments are retransmitted and the receiver puts them back in sequence using the sequence numbers.
○ TCP sends data between ports, which range from 0 to 65535:
§ Ports 0-1023 are the well-known (system) ports, for example port 80 for HTTP or port 22 for SSH. Ports 1024-49151 are registered ports assigned to specific applications.
§ Ports 49152-65535 are the dynamic or ephemeral range (Linux picks from 32768-60999 by default). A client chooses one of these at random for its own side of a connection. Only the client needs to know the server's listening port in advance; the server learns the client's port from the incoming SYN.
○ A TCP connection starts with a handshake. It checks that both ends are up, that the destination port is open, and it exchanges the initial sequence numbers from which each side will count its bytes, so that data can then be sent reliably.
○ To establish a session the two ends use a process called the three-way handshake:
STEP 1 - The client sends a SYN segment carrying its initial sequence number and waits.
STEP 2 - The server replies with a single SYN-ACK segment: the ACK acknowledges the client's SYN (acknowledgement number = client's sequence number + 1) and the SYN carries the server's own initial sequence number.
STEP 3 - The client sends an ACK to acknowledge the server's SYN.
The connection is now established and data transfer can begin. A closed port answers the SYN with a RST instead of a SYN-ACK, which is how a port scanner tells open ports from closed ones.
○ Graceful termination is a four-way exchange, because each direction of the stream is closed separately. Assume the sender has finished transmitting and wants to end the session, similar to logging off an application:
STEP 1 - The sender sends a FIN segment and waits for a reply.
STEP 2 - The receiver sends an ACK for that FIN.
STEP 3 - The receiver, once it has nothing more to send, sends its own FIN.
STEP 4 - The sender sends an ACK for it and the session is closed. The side that closed first stays in TIME_WAIT for a while before the port pair can be reused.
○ Abrupt termination is done with a RST segment from either end: there is no exchange, the session just ends and any data in flight is discarded. A RST is also sent when a socket is closed while unread data is still in its receive buffer, or when a segment arrives for a connection the other side no longer knows about.
○ In Wireshark, the TCP header fields shown for a segment are:
§ First, the Source Port from which the segment was transmitted
§ Second, the Destination Port to which it is sent
§ Next, the Sequence Number: the position, counted in bytes from the initial sequence number, of the first payload byte in this segment. Wireshark shows a relative number starting at 0 by default (the raw value is random). This is what lets the receiver order segments and notice that one is missing
§ The Acknowledgement Number is the sequence number of the next byte the sender of this segment expects to receive, i.e. everything before it has arrived
§ Flags come after this and can be:
□ URG for Urgent
□ PSH for Push (hand the data to the application immediately instead of buffering it)
□ RST for Reset. The connection is torn down at once, no further data is accepted and nothing is acknowledged
□ SYN for Synchronize (the initial sequence numbers), used only in the handshake
□ FIN for Finished (no more data from this side)
□ ACK, which is set on every segment after the initial SYN and says the acknowledgement number is valid
(Here we have a FIN, ACK segment: ACK=1 tells us it carries a valid acknowledgement, and FIN=1 tells us this side is also finishing the connection)
§ Below the flags is the Window Size: the number of bytes the sender of this segment is currently willing to receive, i.e. its free receive buffer, possibly multiplied by the window scale option negotiated in the handshake
§ After that comes the Checksum, which covers the header, the payload and a pseudo-header with the IP addresses. On a capture taken on the sending host Wireshark often flags it as incorrect because the NIC fills it in after the capture point (checksum offload); that is not a real error

• User Datagram Protocol (UDP):
○ It is a connectionless protocol: no handshake to open, no exchange to close, no retransmission and no ordering. Each datagram stands on its own
○ Because there is no connection state and no acknowledgements, UDP has less overhead and lower latency than TCP, which is why DNS, DHCP, NTP, VoIP and many streaming protocols use it. Reliability, if needed, is the application's job. The missing handshake also means the source address is never verified, which is what makes UDP services usable for spoofed-source amplification attacks
○ In Wireshark,
§ The header is only 8 bytes
○ It has 4 parts:
§ Source Port (here: 33233)
§ Destination Port (here: 59329)
§ Length in bytes, header plus payload, so at least 8
§ Checksum (optional in IPv4, mandatory in IPv6)


Wednesday, 12 February 2020

WireShark Series: Part 2- ARP and IP

• Address Resolution Protocol (ARP):
○ Before a computer can send an IP packet to another host on the same Ethernet segment (or to its default gateway), it needs that host's MAC address, so it first sends out an ARP request
○ The request says: I want to send to this IP address but I do not know its MAC address. The computer that owns the IP address responds with an ARP reply containing its MAC address
○ The ARP request is sent as a broadcast (destination ff:ff:ff:ff:ff:ff); the reply is normally sent unicast to the requester
○ ARP format is as below:
§ Hardware Type: Ethernet is type 1
§ Protocol Type: IPv4 is listed as 0x0800 (the same value as the EtherType)
§ Hardware Address Length: 6 for Ethernet
§ Protocol Address Length: 4 for IPv4
§ Operation: tells what the sender is doing. 1 stands for ARP request and 2 for ARP reply
§ Then we have the sender's hardware (MAC) address and protocol (IP) address
§ Lastly we have the target's hardware and protocol address
○ In Wireshark, the MAC address listed under Target MAC in a request is all zeros, since the sender does not know it yet and is asking for it (Opcode: request (1))
○ ARP resolves the MAC address so that the IP packet can be put into an Ethernet frame and we can go on to the next layer
○ It is a Layer 2 protocol (carried directly in Ethernet, EtherType 0x0806), but it carries Layer 3 information (IP addresses)
○ Each device keeps an ARP table (cache): the target learns the sender's MAC/IP pair from the request and the sender learns the target's pair from the reply. ARP has no authentication, so any host on the segment can answer for any IP address (ARP spoofing); arp -a or ip neigh shows what the cache currently believes
• Internet Protocol:
○ An IP address and netmask can also be written in CIDR notation (CIDR = Classless Inter-Domain Routing): the number after the slash is the count of leading 1 bits in the mask
○ For example, 192.168.0.1 with netmask 255.255.0.0 is written in CIDR notation as 192.168.0.1/16
○ In Wireshark,
§ Use the IPv4 packet format that we saw previously
§ IP version is 4
§ IP header length is 20 bytes (here: no options, so no padding either; the maximum is 60)
§ Total length is 40 (header + data; here a 20-byte IP header plus a 20-byte TCP header with no payload)
§ Identification (here: 18242) is set by the sender per datagram. All fragments of one datagram carry the same ID, which is how the receiver groups them for reassembly
§ Flags say how fragmentation is handled:
§ Don't Fragment (DF) = 1 means routers must not fragment this packet; if it is larger than a link's MTU it is dropped and an ICMP "fragmentation needed" message is sent back, which is how Path MTU Discovery works
§ More Fragments (MF) = 0 means this is the last (or the only) fragment. In the example MF = 0 and Fragment Offset = 0, so the packet is not fragmented at all
§ TTL (Time to Live) here is 128. Every router decrements it by one and discards the packet when it reaches 0, which prevents a packet from looping around the internet forever. The starting value also hints at the sender's OS: 128 is the Windows default, 64 is typical for Linux and macOS
§ Protocol for this packet is TCP (6); UDP is 17 and ICMP is 1
§ Then we have Source IP, Destination IP and any Options
○ The fragment size depends on the MTU (Maximum Transmission Unit) of the Layer 2 link. For Ethernet the MTU is 1500 bytes, so an IP packet larger than 1500 bytes has to be fragmented (unless DF is set). Each fragment gets its own IP header with the same ID
§ The Fragment Offset gives the position of this fragment's data within the original datagram, in units of 8 bytes
§ Only the first fragment contains the TCP/UDP header, so a filter such as tcp.port == 80 does not match the later fragments of a datagram; overlapping or never-completed fragments are a classic way to evade firewalls and intrusion detection
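The header fields walked through in this part (ARP and IPv4, including the fragmentation flags) and in Part 3 (TCP and UDP), decoded from raw bytes. This is an added example, not code from the original posts. The frames it dissects are constructed inline for illustration (MAC addresses, IP addresses, ports, IDs and sequence numbers are made up), checksums are left at zero and not verified, and options are not decoded. Standard-library Python only:

```python
import struct

ETHERTYPE_ARP, ETHERTYPE_IPV4 = 0x0806, 0x0800
TCP_FLAG_BITS = {0x20: "URG", 0x10: "ACK", 0x08: "PSH", 0x04: "RST", 0x02: "SYN", 0x01: "FIN"}


def fmt_mac(b):
    return ":".join(f"{x:02x}" for x in b)


def fmt_ip(b):
    return ".".join(str(x) for x in b)


def parse_arp(p):
    """ARP: hardware/protocol type and length, opcode, then sender and target address pairs."""
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", p[:8])
    off = 8
    sha, spa = p[off:off + hlen], p[off + hlen:off + hlen + plen]
    off += hlen + plen
    tha, tpa = p[off:off + hlen], p[off + hlen:off + hlen + plen]
    return {"proto": "ARP", "hw_type": htype, "proto_type": ptype,
            "op": {1: "request", 2: "reply"}.get(op, op),
            "sender_mac": fmt_mac(sha), "sender_ip": fmt_ip(spa),
            "target_mac": fmt_mac(tha), "target_ip": fmt_ip(tpa)}


def parse_tcp(p):
    """TCP: ports, seq/ack, data offset + flags, window, checksum, urgent pointer."""
    sport, dport, seq, ack, off_flags, window, _csum, _urg = struct.unpack("!HHIIHHHH", p[:20])
    hlen = (off_flags >> 12) * 4          # data offset is in 32-bit words
    return {"proto": "TCP", "src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
            "flags": {name for bit, name in TCP_FLAG_BITS.items() if off_flags & bit},
            "window": window, "payload": p[hlen:]}


def parse_udp(p):
    """UDP: 8-byte header; the length field covers header plus payload."""
    sport, dport, length, _csum = struct.unpack("!HHHH", p[:8])
    return {"proto": "UDP", "src_port": sport, "dst_port": dport, "length": length,
            "payload": p[8:length]}


def parse_ipv4(p):
    vihl, _tos, total, ident, flags_frag, ttl, proto, _csum = struct.unpack("!BBHHHBBH", p[:12])
    ihl = (vihl & 0x0F) * 4
    info = {"proto": "IPv4", "version": vihl >> 4, "header_len": ihl, "total_len": total,
            "id": ident, "DF": bool(flags_frag & 0x4000), "MF": bool(flags_frag & 0x2000),
            "frag_offset": (flags_frag & 0x1FFF) * 8, "ttl": ttl, "protocol": proto,
            "src": fmt_ip(p[12:16]), "dst": fmt_ip(p[16:20])}
    payload = p[ihl:total]
    # Only the first fragment (offset 0) carries the transport header; later fragments
    # are opaque data until the receiver reassembles the whole datagram.
    if info["frag_offset"] == 0:
        if proto == 6:
            info["l4"] = parse_tcp(payload)
        elif proto == 17:
            info["l4"] = parse_udp(payload)
    return info


def parse_frame(frame):
    dst, src, etype = frame[:6], frame[6:12], struct.unpack("!H", frame[12:14])[0]
    out = {"dst_mac": fmt_mac(dst), "src_mac": fmt_mac(src), "ethertype": etype}
    if etype == ETHERTYPE_ARP:
        out["l3"] = parse_arp(frame[14:])
    elif etype == ETHERTYPE_IPV4:
        out["l3"] = parse_ipv4(frame[14:])
    return out


# --- constructed sample frames (made up for this example; checksums are 0) ---
def build_eth(dst, src, etype, payload):
    return dst + src + struct.pack("!H", etype) + payload


def build_ipv4(src, dst, proto, payload, ident=18242, df=False, mf=False, frag_off=0, ttl=128):
    flags_frag = (0x4000 if df else 0) | (0x2000 if mf else 0) | (frag_off // 8)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, flags_frag, ttl, proto, 0,
                       bytes(int(x) for x in src.split(".")),
                       bytes(int(x) for x in dst.split("."))) + payload


def build_tcp(sport, dport, seq, ack, flags, payload=b""):
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, 65535, 0, 0) + payload


def build_udp(sport, dport, payload=b""):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


BCAST, HOST_MAC, GW_MAC = b"\xff" * 6, bytes.fromhex("b4527e626c4d"), bytes.fromhex("001122334455")
SRC, DST = "10.73.31.59", "96.17.148.161"

# ARP request: target MAC is all zeros because the sender is asking for it
ARP_REQUEST = build_eth(BCAST, HOST_MAC, ETHERTYPE_ARP,
                        struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1) + HOST_MAC + bytes([192, 168, 1, 10])
                        + b"\x00" * 6 + bytes([192, 168, 1, 1]))
# TCP FIN/ACK with DF set: 20-byte IP header + 20-byte TCP header = total length 40
TCP_FIN_ACK = build_eth(GW_MAC, HOST_MAC, ETHERTYPE_IPV4,
                        build_ipv4(SRC, DST, 6, build_tcp(54321, 80, 1001, 2002, 0x11), df=True))
# UDP datagram with a 5-byte payload: UDP length field = 8 + 5
UDP_DGRAM = build_eth(GW_MAC, HOST_MAC, ETHERTYPE_IPV4, build_ipv4(SRC, DST, 17, build_udp(33233, 59329, b"hello")))
# Two fragments of one 1580-byte UDP datagram: same ID, MF on the first, offset 1480 on the last
FRAG_FIRST = build_eth(GW_MAC, HOST_MAC, ETHERTYPE_IPV4,
                       build_ipv4(SRC, DST, 17, build_udp(33233, 59329, b"x" * 1472), ident=7, mf=True))
FRAG_LAST = build_eth(GW_MAC, HOST_MAC, ETHERTYPE_IPV4,
                      build_ipv4(SRC, DST, 17, b"y" * 100, ident=7, frag_off=1480))

if __name__ == "__main__":
    for name, frame in [("ARP", ARP_REQUEST), ("TCP", TCP_FIN_ACK), ("UDP", UDP_DGRAM),
                        ("FRAG1", FRAG_FIRST), ("FRAG2", FRAG_LAST)]:
        print(name, parse_frame(frame))
```

The second fragment comes back without an "l4" entry: that is the same reason a port-based filter, in Wireshark or in a firewall, never sees anything but the first fragment of a datagram.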

Tuesday, 4 February 2020

WireShark Series: Part 1- Getting Started, Filters, Expressions, Graphs

  • Ready-made captures are available from the Wireshark wiki via Help -> Sample Captures

  • To see the protocol layers, go to Statistics -> Protocol Hierarchy
    • It lists every protocol found in the capture with packet and byte counts, and the nesting tells us which layer each one belongs to
    • If Wireshark flagged errors in any protocol (malformed packets, bad checksums), they show up here
    • Frame (Wireshark's own capture metadata, timestamp and length, standing in for the physical layer), then Ethernet (Data Link), then Internet Protocol (Network), then TCP (Transport), then SSL/TLS (Session/Presentation) and HTTP (Application)

  • Wireshark filters
    • Wireshark has two different filter languages, and they must not be mixed up:
    • Capture filters (Capture -> Capture Filters..., or the filter field in Capture -> Options) use BPF syntax and decide which packets are recorded at all. Packets they drop are gone for good
    • Display filters (the filter toolbar above the packet list) use Wireshark's own protocol.field syntax and only hide packets from view; the capture file is unchanged. The expressions in the rest of this part (ip.src == ..., tcp.port == ...) are display filters

  • BPF capture filters
    • Capture -> Capture Options
    • Next to "Capture Filters" there is "Compile Selected BPFs", which shows the bytecode a filter compiles to and is a quick way to check its syntax
    • BPF stands for "Berkeley Packet Filter"; the syntax is the same one tcpdump uses (see the pcap-filter man page)
    • A BPF primitive is made of one or more qualifiers followed by an ID, for example src host 10.73.31.59
    • Qualifiers can be of three kinds:
      • TYPE, which is host, net or port. It identifies what the ID refers to
      • DIR, the direction, which tells whether the ID is the source (src) or the destination (dst) of the packet (src or dst, src and dst also exist)
      • PROTO, the protocol: ether, ip, ip6, arp, rarp, tcp, udp, icmp and so on. It restricts the match to that protocol. Application protocols such as HTTP or FTP are not BPF qualifiers; filter on their port instead (tcp port 80)
    • Primitives are combined with and (&&), or (||) and not (!)

  • Display filter expressions
    • A display filter compares a protocol field with a value, for example wlan.addr == b4:52:7e:62:6c:4d. The first part names the field (protocol.field) and the second is the value
    • Operators are && (AND), || (OR) and ! (NOT); comparisons are ==, !=, <, <=, >, >=, plus contains and matches for strings
    • A cheat sheet listing the display filter fields, operators and logic:
packetlife.net/media/library/13/Wireshark_Display_Filters.pdf
  • For example, the display filter
ip.src == 10.73.31.59 && tcp.port == 80
  • ip.src is the field: protocol ip, field src, i.e. the source address in the IP header
  • == 10.73.31.59 is the value, so we are looking for packets whose IP source equals this address
  • && tells Wireshark that the packet must also match the next expression
  • tcp.port == 80 matches port 80 in either the source or the destination port of the TCP header
  • The equivalent capture filter in BPF syntax would be: src host 10.73.31.59 and tcp port 80

  • Expression examples
    • IP addresses
      • ip.src == 96.17.148.161 matches packets with the given source IP address
      • ip.src_host == 96.17.148.161 matches on the resolved source host name; with name resolution off that is just the address as text, so it gives the same output as above, but it is slower and depends on DNS, so prefer ip.src
      • ip.addr == 96.17.148.161 matches the given address in either the source or the destination
      • ip.dst == 96.17.148.161 or ip.dst_host == 96.17.148.161 matches the given destination IP address
      • For IPv6 addresses, use ipv6.addr == ...
      • With name resolution enabled we can also filter by DNS host name: ip.host == nameofthehost
      • ip.addr == 192.168.1.0/24 shows everything with an address in that network
      • We can also filter on a protocol name alone: ip, http, udp, arp, dns. Combine them with && or ||: udp || http shows both. Note that udp && http matches nothing, because HTTP runs over TCP
      • ip.dst != 10.73.31.59 shows packets whose destination is not the given address
      • Beware of ip.addr != 10.73.31.59: it means "some IP address field is not equal to this", which is true for almost every packet, including those involving that host. To exclude a host entirely, write !(ip.addr == 10.73.31.59)
    • The "Expression..." button next to the filter box lists every available field and operator, so we can pick from it if we do not remember the syntax
    • The bookmark button on the left of the filter box saves the current filter so we do not have to type it out again
    • Saved filters can also be managed under Analyze -> Display Filters..., where each one gets a name and can then be picked from the bookmark menu
    • We can also filter by frame size with frame.len <= 128, which shows only packets of 128 bytes or less


  • TCP streams and objects
    • If we have visited many sites and cannot tell which packet in the list belongs to which conversation, right-click the desired packet and choose Follow -> TCP Stream (also under Analyze -> Follow). Wireshark reassembles both directions of that connection into one readable view and applies a filter for it (tcp.stream eq N)
    • For cleartext protocols this shows credentials, cookies and file contents directly, which is why capture files need to be protected like the data they contain

  • Decode As:
    • Right-click the desired packet and select Decode As... to tell Wireshark which dissector to apply to it
    • For example, TCP traffic on a non-standard port can be decoded as HTTP, TLS or any other user-specified protocol from the list

  • Name resolution:
    • Capture -> Options (or View -> Name Resolution)
    • Name resolution does not always work and needs the network to be online and correctly configured
    • Resolve MAC addresses means Wireshark replaces the first three bytes (the OUI) of a Layer 2 MAC address with the vendor name from its manufacturer database
    • Resolve network (IP) addresses means Wireshark tries to resolve each IP address into a readable DNS name. This sends reverse DNS queries for every address in the capture, which is slow and tells your DNS server (and anyone watching it) which addresses you are looking at; keep it off when analysing captures from an incident
    • Resolve transport names means Wireshark converts a port number into the service name assigned to it. For example, port 80 is shown as http

  • Graphs
    • Flow graphs:
      • Statistics -> Flow Graph
      • We can choose whether we want all packets or only the displayed packets (i.e. the packets left after applying a filter)
      • Then we get a graph
      • It shows a timeline with one line per packet: the time stamp on the left, an arrow between the source and destination addresses, and in the middle a comment with the analysis of that packet (flags, sequence numbers, ports)

  • This helps to visualize every packet flow during the capture. We can also see from which and to which IP address a specific packet was sent, with the details in the comment

Thursday, 24 October 2019

Awesome Tcpdump Hack for Arista EOS to send to Wireshark

These commands let you live-stream packets from a switch into the Wireshark application on your Mac, without having to capture on the device first and then copy the file across.


To send tcpdump directly to Wireshark:
ssh root@mt701 "tcpdump -s 0 -Un -w - -i vlan100" | wireshark -k -i -

The above command will:
- Run tcpdump on the Arista EOS device mt701
- Capture packets on vlan100 (change to your desired interface), with the full packet (-s 0), no name resolution (-n) and a flush after every packet (-U) so that Wireshark updates live
- Write the capture in pcap format to standard output (-w -), which ssh carries back over the session
- Pipe the output to the Wireshark application on your Mac/Desktop, which reads the pcap stream from standard input (-i -) and starts capturing immediately (-k)


Tcpdump in a different VRF, "dhcpvrf":
ssh root@mc327 "ip netns exec ns-dhcpvrf tcpdump -s 0 -Un -w - -i vlan10 port 67 or port 68" | wireshark -k -i -

The part of the command that selects the VRF is: "ip netns exec ns-dhcpvrf tcpdump -i vlan10 port 67 or port 68"

The above command will:
- Run tcpdump on the Arista EOS device mc327
- Run it inside the Linux network namespace of VRF "dhcpvrf", which EOS names ns-dhcpvrf (change to your desired VRF name)
- Capture packets on vlan10 (change to your desired interface)
- Capture only packets on port 67 or port 68, i.e. DHCP
- Pipe the output to the Wireshark application on your Mac/Desktop

A few things to keep in mind: the quoted string is executed by a shell on the switch, so never paste untrusted interface names or filter text into it; nothing but the pcap stream may be written to standard output on the remote side, or Wireshark will fail to parse it (tcpdump's own messages go to standard error, which is fine); and logging in as root over SSH is a lab convenience. On a production switch use a named account with key-based authentication and run tcpdump with sudo, and remember that the stream contains whatever plaintext crosses that VLAN.

Wednesday, 1 August 2018

Linux Networking Utilities for Arista EOS- Part 2


LINUX NETWORKING UTILITIES:


ip netns: (Linux network namespaces, which is how EOS implements VRFs)

  • A network namespace is logically another copy of the network stack, with its own routes, firewall rules and network devices.
  • By default a process inherits its network namespace from its parent. Initially all processes share the default network namespace of the init process.
  • NOTE: if a VRF was created in EOS, access it from Linux by prepending ‘ns-’ to the VRF name.
  • NOTE: a namespace created directly in Linux does not show up in EOS.
  • So always create the VRF in EOS and use it from Linux as ns-<vrfname>.
  • 1. ip netns list - show all of the named network namespaces
  • This command displays all of the network namespaces in /var/run/netns
  • Note that the VRF named ‘tmod’ appears in Linux under the name ‘ns-tmod’

[admin@ck338 ~]$ ip netns list

ns-newvrf

ns-tmod

ns-trident

ns-arad

default

  • 2. ip netns add NAME - create a new named network namespace
  • If NAME is available in /var/run/netns/ this command creates a new network namespace and assigns NAME.

[admin@ck338 ~]$ sudo ip netns add testvrf

[admin@ck338 ~]$ ip netns list

testvrf

ns-newvrf

ns-tmod

ns-trident

ns-arad

default

  • 3. ip [-all] netns delete [ NAME ] - delete the name of a network namespace(s)
  • If NAME is present in /var/run/netns it is umounted and the mount point is removed.
  • If -all option was specified then all the network namespace names will be removed.

[admin@ck338 ~]$ sudo ip netns delete testvrf

  • 4. Assigning interfaces to a network namespace (VRF)
  • On plain Linux an interface is moved into a namespace with ip link set DEV netns NAME. On EOS, assign interfaces to the VRF from the EOS CLI instead, so that EOS and the Linux namespace stay in sync (see the note above).
  • [IMP] 5. Accessing an interface in another VRF or namespace from Linux:
  • ip [-all] netns exec [ NAME ] [cmd]
  • Use this to run a command inside a VRF, for example tcpdump on an interface that belongs to another VRF. Everything the command does (sockets, routes, DNS lookups) happens inside that namespace.
  • If the -all option was specified, cmd is executed synchronously in each named network namespace, even if it fails in some of them.
  • ip netns exec ns-tmod ip addr list shows only the interfaces and addresses of that namespace, and none from the global (default) namespace.

[admin@ck338 ~]$ sudo ip netns exec ns-tmod ip addr list

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default

    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00

    inet 127.0.0.1/8 scope host lo

       valid_lft forever preferred_lft forever

    inet6 ::1/128 scope host

       valid_lft forever preferred_lft forever

2: tunl0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN group default

    link/ipip 0.0.0.0 brd 0.0.0.0

[admin@ck338 ~]$

  • Another useful combination is tcpdump inside a namespace, piped to Wireshark:
  • The command below captures on interface Vlan10 (which is in VRF dhcpvrf) and only on ports 67 and 68 (the DHCP server and client ports):
  • ip netns exec ns-dhcpvrf tcpdump -i vlan10 port 67 or port 68
  • To view the capture live in Wireshark on your workstation, make tcpdump write pcap to standard output (-w -) and pipe it through ssh:

ssh root@mc327 "ip netns exec ns-dhcpvrf tcpdump -s 0 -Un -w - -i vlan10 port 67 or port 68" | wireshark -k -i -
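The same pipeline built from validated pieces, as an added example that is not part of the original post. The point is that everything inside the quotes of the ssh command is executed by a shell on the switch, so a wrapper script must treat VRF and interface names and the BPF text as untrusted input. It assumes, as the post states, that EOS VRF X is namespace ns-X, and it treats the name "default" as the global namespace (an assumption made for this example); the host, user and interface names are placeholders. Standard-library Python:

```python
import re
import shlex
import subprocess

NAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")      # VRF, interface and user names
HOST_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")      # ssh target host
BPF_RE = re.compile(r"^[A-Za-z0-9 .:/-]*$")          # allow-list for the capture filter text


def netns_for_vrf(vrf):
    """EOS exposes VRF X to Linux as namespace ns-X. 'default' is taken to mean the
    global namespace here (assumption for this example)."""
    if not NAME_RE.match(vrf):
        raise ValueError(f"refusing VRF name {vrf!r}")
    return None if vrf == "default" else f"ns-{vrf}"


def remote_capture_command(vrf, iface, bpf=""):
    """The command line that will run inside the remote shell. Every argument is
    validated against an allow-list and quoted, so nothing in it can start a second
    command (a ';', '$(...)' or backtick in a name is rejected outright)."""
    if not NAME_RE.match(iface):
        raise ValueError(f"refusing interface name {iface!r}")
    if not BPF_RE.match(bpf):
        raise ValueError(f"refusing capture filter {bpf!r}")
    # -s 0: whole packet, -U: flush per packet, -n: no DNS, -w -: pcap to stdout
    cmd = ["tcpdump", "-s", "0", "-U", "-n", "-w", "-", "-i", iface] + bpf.split()
    ns = netns_for_vrf(vrf)
    if ns is not None:
        cmd = ["ip", "netns", "exec", ns] + cmd
    return " ".join(shlex.quote(part) for part in cmd)


def local_argv(host, user, vrf, iface, bpf=""):
    """argv for the local side. No local shell is involved, so only the remote string
    needs quoting."""
    if not NAME_RE.match(user) or not HOST_RE.match(host):
        raise ValueError("refusing host or user name")
    return ["ssh", f"{user}@{host}", remote_capture_command(vrf, iface, bpf)]


def stream_to_wireshark(host, user, vrf, iface, bpf=""):
    """ssh ... | wireshark -k -i -   without a local shell in between."""
    capture = subprocess.Popen(local_argv(host, user, vrf, iface, bpf), stdout=subprocess.PIPE)
    viewer = subprocess.Popen(["wireshark", "-k", "-i", "-"], stdin=capture.stdout)
    capture.stdout.close()      # so the remote tcpdump gets SIGPIPE once Wireshark exits
    return viewer.wait()


if __name__ == "__main__":
    stream_to_wireshark("mc327", "admin", "dhcpvrf", "vlan10", "port 67 or port 68")
```

Using a named user with sudo on the switch instead of root only changes the remote string (prefix the command with sudo); the validation stays the same.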

Tcpdump:

The various flags that can be used with tcpdump are:

  • -i <interface>
  • # tcpdump -i eth0
  • -i any
  • Listen on all interfaces, just to see whether any traffic is arriving at all (note that "any" captures in Linux cooked mode, so the Ethernet headers are not shown in full)
  • # tcpdump -i any
  • -c <count> -i <interface>
  • Capture a specified number of packets and then exit
  • # tcpdump -c 5 -i eth0
  • -D
  • Display all interfaces available to tcpdump
  • # tcpdump -D
  • -e [useful]
  • Print the Ethernet (link-layer) header as well
  • Needed when filtering on L2 headers or looking at L2-only packets such as LLDP or LACP
  • -w [useful]
  • Capture and save packets to a pcap file instead of printing them; -w - writes the pcap stream to standard output, for example to pipe it to Wireshark
  • # tcpdump -w 0001.pcap -i eth0
  • -r
  • Read packets back from a capture file; a filter expression can be applied while reading
  • # tcpdump -r 0001.pcap
  • -n
  • By default tcpdump replaces IP addresses with host names and port numbers with service names, which means a reverse DNS lookup for every address it prints
  • -n prints the raw IP address and port instead. Use it routinely: it is faster, and it does not announce to the DNS server which addresses you are looking at
  • # tcpdump -n -i eth0
  • -s <snaplen>
  • Number of bytes to capture per packet; -s 0 means the whole packet. Modern tcpdump defaults to 262144 bytes, but older versions truncated at 68 or 96 bytes and lost the payload
  • [useful] To filter packets by protocol:
  • To capture only TCP packets, give the protocol name tcp as the filter expression
  • # tcpdump -i eth0 tcp
  • Similarly, replace tcp with icmp to see only ping (and other ICMP) packets
  • Similarly, use ether to filter on Ethernet frames, for example to check only LLDP or LACP. You can tighten the filter with a destination address so that only frames sent to the bridge multicast address show up (LLDP uses 01:80:c2:00:00:0e, LACP uses 01:80:c2:00:00:02):
  • tcpdump -nevvvi et1 ether dst host 01:80:c2:00:00:0e
  • The -n -e -vvv -i flags (combined above as -nevvvi) turn off name resolution, print the Ethernet header, give maximum verbosity and select the interface
  • ether dst host restricts the match to the destination MAC address
  • Other protocol qualifiers are: fddi, tr, wlan, ip, ip6, arp, rarp, decnet, tcp and udp
  • [useful] To capture based on port, source IP or destination IP:
  • Packets on a particular port: # tcpdump -i eth0 port 22
  • Packets from a particular source IP: # tcpdump -i eth0 src 192.168.0.2
  • Packets to a particular destination IP: # tcpdump -i eth0 dst 50.116.66.139
  • Combine these with and, or and not, and quote the expression when it contains parentheses: # tcpdump -i eth0 'src 192.168.0.2 and (port 22 or port 443)'
  • [useful] -v, -vv, -vvv:
  • Select how much detail is printed per packet in verbose mode (TTL, ID, checksum verification, deeper protocol decoding)
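What actually travels through the "tcpdump -w - | wireshark -k -i -" pipe from the Arista post, and what "tcpdump -w" writes to a file, is the pcap format: a 24-byte global header followed by a 16-byte record header before each packet. The reader below, an added example that is not code from the original posts, parses such a stream from bytes in memory, rejects anything that is not pcap (for example a banner or an error message that a remote shell printed to standard output), and counts records that were cut short by a too-small snaplen, which is what -s 0 prevents. The frames in the self-test are constructed placeholder bytes; only the pcap framing around them is real. Standard-library Python:

```python
import struct

PCAP_MAGICS = {0xA1B2C3D4: 1e-6, 0xA1B23C4D: 1e-9}   # microsecond and nanosecond variants
LINKTYPE_ETHERNET = 1


def write_pcap(frames, snaplen=262144, linktype=LINKTYPE_ETHERNET, order="<"):
    """Serialise (timestamp, frame) pairs the way 'tcpdump -w' does. Frames longer than
    snaplen are cut, but each record still carries the original length."""
    out = struct.pack(order + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, linktype)
    for ts, frame in frames:
        sec = int(ts)
        usec = int(round((ts - sec) * 1e6))
        captured = frame[:snaplen]
        out += struct.pack(order + "IIII", sec, usec, len(captured), len(frame)) + captured
    return out


def parse_pcap(data):
    """Return (linktype, snaplen, records); each record is (timestamp, captured_bytes,
    original_length). Anything that is not a pcap stream raises ValueError."""
    if len(data) < 24:
        raise ValueError("truncated pcap global header")
    for order in ("<", ">"):                       # the magic number reveals the byte order
        magic = struct.unpack(order + "I", data[:4])[0]
        if magic in PCAP_MAGICS:
            frac_unit = PCAP_MAGICS[magic]
            break
    else:
        raise ValueError(f"not a pcap stream, first bytes {data[:4]!r}")
    major, minor, _zone, _sigfigs, snaplen, linktype = struct.unpack(order + "HHiIII", data[4:24])
    if (major, minor) != (2, 4):
        raise ValueError(f"unsupported pcap version {major}.{minor}")
    records, off = [], 24
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError(f"truncated record header at offset {off}")
        sec, frac, incl_len, orig_len = struct.unpack(order + "IIII", data[off:off + 16])
        off += 16
        # A record claiming more than snaplen, or more than is left, is corrupt or hostile:
        # stop instead of slicing garbage (pcap parsers are a classic fuzzing target).
        if incl_len > snaplen or off + incl_len > len(data):
            raise ValueError(f"bad record length {incl_len} at offset {off - 16}")
        records.append((sec + frac * frac_unit, data[off:off + incl_len], orig_len))
        off += incl_len
    return linktype, snaplen, records


def count_truncated(records):
    """Records whose captured bytes are fewer than the original length: the capture was
    taken with a snaplen that was too small."""
    return sum(1 for _ts, captured, orig in records if len(captured) < orig)


if __name__ == "__main__":
    import sys
    # e.g.  ssh admin@switch "tcpdump -s 0 -Un -w - -i vlan100" | python3 pcap_check.py
    linktype, snaplen, recs = parse_pcap(sys.stdin.buffer.read())
    print(f"linktype={linktype} snaplen={snaplen} packets={len(recs)} truncated={count_truncated(recs)}")
```

Wireshark performs the same magic-number check on the first bytes it reads from standard input, which is why any stray text on the remote stdout breaks the live pipe.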

resolv.conf:

  • resolv.conf is the file that configures the system's Domain Name System (DNS) resolver on Unix-like operating systems.
  • It is a plain-text file, usually written by the network administrator or by the programs that manage the system's network configuration (DHCP clients, NetworkManager, systemd-resolved).
  • It contains directives for the default search domains, used to complete a short query name into a fully qualified domain name when no domain suffix is supplied, and a list of the IP addresses of the nameservers to query. An example file:

search example.com local.lan
nameserver 127.0.0.1
nameserver 172.16.1.254
nameserver 172.16.2.254
nameserver 192.168.137.2

  • The resolver queries the nameservers in the listed order and only moves on to the next one when the previous one times out (unless options rotate is set), and glibc honours at most three nameserver entries (MAXNS): in the example above 192.168.137.2 is never queried. A long search list also makes every unqualified lookup retry with each suffix appended, which is slow and reveals internal domain names to whichever resolver receives the queries.
  • resolv.conf is usually located in the /etc directory of the file system.
  • The file is either maintained manually or, when DHCP is used, rewritten automatically by the resolvconf utility (or by systemd-resolved, which points it at its stub listener on 127.0.0.53). Whoever can write this file decides where every name lookup on the host goes, so treat it as security-relevant configuration.
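A small parser for the resolv.conf format described above, as an added example that is not part of the original post. It reads the directives, applies glibc's three-nameserver limit so that ignored entries become visible, and flags public resolvers. The sample text is the example file from this post; the check for "public" is based on the ipaddress module's is_global property, which marks RFC 1918 and loopback addresses as non-global. Standard-library Python:

```python
import ipaddress

MAXNS = 3   # glibc's compile-time limit on nameserver entries


def parse_resolv_conf(text):
    conf = {"nameservers": [], "search": [], "options": [], "ignored": []}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()   # both ';' and '#' start comments
        if not line:
            continue
        key, *args = line.split()
        if key == "nameserver":
            try:
                addr = str(ipaddress.ip_address(args[0]))
            except (IndexError, ValueError):
                conf["ignored"].append(raw)          # missing or malformed address
                continue
            if len(conf["nameservers"]) >= MAXNS:
                conf["ignored"].append(raw)          # fourth and later servers are never queried
            else:
                conf["nameservers"].append(addr)
        elif key in ("search", "domain"):
            conf["search"] = args                    # the last search/domain line wins
        elif key == "options":
            conf["options"].extend(args)
        else:
            conf["ignored"].append(raw)              # unknown directive, resolver skips it
    return conf


def findings(conf):
    """Things an auditor would want to know about this resolver configuration."""
    notes = []
    if not conf["nameservers"]:
        notes.append("no nameserver: glibc falls back to 127.0.0.1")
    for ns in conf["nameservers"]:
        if ipaddress.ip_address(ns).is_global:
            notes.append(f"{ns} is a public resolver: every lookup leaves the network in cleartext")
    for raw in conf["ignored"]:
        notes.append(f"ignored line: {raw.strip()}")
    return notes


# The example file from the post (192.168.137.2 is the fourth nameserver).
SAMPLE = """\
search example.com local.lan
nameserver 127.0.0.1
nameserver 172.16.1.254
nameserver 172.16.2.254
nameserver 192.168.137.2
"""

if __name__ == "__main__":
    conf = parse_resolv_conf(SAMPLE)
    print(conf)
    for note in findings(conf):
        print("-", note)
```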

Monday, 30 July 2018

Linux Networking Utilities for Arista EOS- Part 1


LINUX NETWORKING UTILITIES:


Ifconfig:

  • ifconfig, short for “interface configuration”, is the classic utility for system and network administration on Unix/Linux systems. It configures, manages and queries network interface parameters from the command line or from system configuration scripts.
  • The “ifconfig” command displays the current network configuration, sets the IP address, netmask or broadcast address of an interface, creates an alias for an interface, sets the hardware (MAC) address and enables or disables interfaces. On current Linux distributions ifconfig (from the net-tools package) is deprecated and often not installed by default; the ip utility from iproute2 (ip link, ip addr) does the same jobs and is what EOS ships with as well.
  • 1. View all network settings
  • The “ifconfig” command with no arguments displays the details of all active interfaces. It is also the quickest way to check the IP address assigned to a server (ip addr show is the iproute2 equivalent).

[root@tecmint ~]# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:0B:CD:1C:18:5A
          inet addr:172.16.25.126  Bcast:172.16.25.63  Mask:255.255.255.224
          inet6 addr: fe80::20b:cdff:fe1c:185a/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2341604 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2217673 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:293460932 (279.8 MiB)  TX bytes:1042006549 (993.7 MiB)
          Interrupt:185 Memory:f7fe0000-f7ff0000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:5019066 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5019066 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:2174522634 (2.0 GiB)  TX bytes:2174522634 (2.0 GiB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.1.1.1  P-t-P:10.1.1.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

  • 2. Display information of all network interfaces
  • The ifconfig command with the -a argument displays information about all network interfaces on the server, active or inactive. Here it shows eth0, lo, sit0 and tun0.

[root@tecmint ~]# ifconfig -a
eth0      Link encap:Ethernet  HWaddr 00:0B:CD:1C:18:5A
          inet addr:172.16.25.126  Bcast:172.16.25.63  Mask:255.255.255.224
          inet6 addr: fe80::20b:cdff:fe1c:185a/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2344927 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2220777 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:293839516 (280.2 MiB)  TX bytes:1043722206 (995.3 MiB)
          Interrupt:185 Memory:f7fe0000-f7ff0000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK R
UNNING  MTU:16436  Metric:1
          RX packets:5022927 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5022927 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:2175739488 (2.0 GiB)  TX bytes:2175739488 (2.0 GiB)

sit0      Link encap:IPv6-in-IPv4
          NOARP  MTU:1480  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.1.1.1  P-t-P:10.1.1.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

  • 3. View network settings of a specific interface
  • Giving an interface name (eth0) as the argument to “ifconfig” displays the details of that interface only.

[root@tecmint ~]# ifconfig eth0
eth0      Link encap:Ethernet  HWaddr 00:0B:CD:1C:18:5A
          inet addr:172.16.25.126  Bcast:172.16.25.63  Mask:255.255.255.224
          inet6 addr: fe80::20b:cdff:fe1c:185a/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2345583 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2221421 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:293912265 (280.2 MiB)  TX bytes:1044100408 (995.7 MiB)
          Interrupt:185 Memory:f7fe0000-f7ff0000

  • 4. How to enable a network interface
  • “ifconfig eth0 up” activates the interface if it is not already active, so it can send and receive traffic. “ifup eth0” does the same, but it is not an ifconfig flag: it is a distribution script that also applies the interface's stored configuration (/etc/network/interfaces or ifcfg-eth0). The iproute2 equivalent is “ip link set eth0 up”.

[root@tecmint ~]# ifconfig eth0 up
OR
[root@tecmint ~]# ifup eth0

  • 5. How to disable a network interface
  • “ifconfig eth0 down” deactivates the interface if it is active; “ifdown eth0” is the matching distribution script. Be careful when doing this over SSH on the interface you are connected through, since the session dies with it.

[root@tecmint ~]# ifconfig eth0 down
OR
[root@tecmint ~]# ifdown eth0

  • 6. How to assign an IP address to a network interface
  • To assign an IP address to a specific interface, give the interface name (eth0) and the address you want to set. For example, “ifconfig eth0 172.16.25.125” sets the IP address of eth0. Without a netmask argument, ifconfig falls back to the old classful default mask (255.255.0.0 for 172.16.x.x), so in practice give the netmask in the same command (see item 9).

[root@tecmint ~]# ifconfig eth0 172.16.25.125

  • 7. How to assign a netmask to a network interface
  • Using the “ifconfig” command with the “netmask” argument and an interface name (eth0) lets you define the netmask of that interface. For example, “ifconfig eth0 netmask 255.255.255.224” sets a /27 network mask on eth0.

[root@tecmint ~]# ifconfig eth0 netmask 255.255.255.224

  • 8. How to assign a broadcast address to a network interface
  • Using the “broadcast” argument with an interface name sets the broadcast address of that interface. For example, “ifconfig eth0 broadcast 172.16.25.63” sets the broadcast address of eth0. The broadcast address is the last address of the subnet, so it has to agree with the address and netmask (item 9).

[root@tecmint ~]# ifconfig eth0 broadcast 172.16.25.63

  • 9. How to assign an IP address, netmask and broadcast address to a network interface
  • To assign the IP address, netmask and broadcast address all at once, give “ifconfig” all three arguments as shown below. The three values must agree: with netmask 255.255.255.224 (/27), 172.16.25.125 lies in 172.16.25.96/27, whose broadcast address is 172.16.25.127, not .63 as in the command and the outputs above, so compute the broadcast from the address and mask rather than typing one from memory. With iproute2 a single command does all of it and derives the broadcast itself: “ip addr add 172.16.25.125/27 brd + dev eth0”.

[root@tecmint ~]# ifconfig eth0 172.16.25.125 netmask 255.255.255.224 broadcast 172.16.25.63

  • 10. How to change the MTU of a network interface
  • The “mtu” argument sets the maximum transmission unit of an interface, i.e. the largest packet, in octets, that the interface sends in one frame. For example, “ifconfig eth0 mtu 1000” sets the MTU to 1000. Lowering it forces IP to fragment or, with DF set, to drop larger packets, so keep it consistent along the path. Not all network interfaces support changing the MTU.

[root@tecmint ~]# ifconfig eth0 mtu 1000

  • 11. How to enable promiscuous mode
  • In normal mode the network card only accepts frames addressed to its own MAC address (plus broadcast and the multicast groups it has joined) and drops everything else. In promiscuous mode it accepts every frame that reaches it.
  • Capture tools such as tcpdump and Wireshark put the interface into promiscuous mode automatically. Keep in mind that on a switched network you still only see the traffic the switch forwards to your port (a SPAN/mirror port or a tap is needed for the rest), that enabling it requires root, and that the kernel logs it (“device eth0 entered promiscuous mode”), which is one thing host-based monitoring can alert on. To set promiscuous mode by hand, use the following command.

[root@tecmint ~]# ifconfig eth0 promisc

  • 12. How to disable promiscuous mode
  • To disable promiscuous mode, use the “-promisc” switch, which puts the interface back into normal mode.

[root@tecmint ~]# ifconfig eth0 -promisc

  • 13. How to add a new alias to a network interface
  • The ifconfig utility lets you configure additional addresses through alias interfaces. To add an alias of eth0, use the following command. The alias address must be in the same subnet as eth0's address: if eth0 is 172.16.25.125/27, the alias must be another free host address in 172.16.25.96/27. Do not use 172.16.25.127, which is that subnet's broadcast address; 172.16.25.123, as in the output below, would do. With iproute2 there is no need for aliases, a second address is simply added: “ip addr add 172.16.25.123/27 dev eth0”.

[root@tecmint ~]# ifconfig eth0:0 172.16.25.127

  • Next, verify the newly created alias network interface address, by using “ifconfig eth0:0” command.

[root@tecmint ~]# ifconfig eth0:0
eth0:0    Link encap:Ethernet  HWaddr 00:01:6C:99:14:68
          inet addr:172.16.25.123  Bcast:172.16.25.63  Mask:255.255.255.240
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:17

  • 14. How to remove an alias from a network interface
  • If you no longer need an alias interface, or you configured it incorrectly, you can remove it with the following command.

[root@tecmint ~]# ifconfig eth0:0 down

  • 15. How to change the MAC address of a network interface
  • To change the MAC (Media Access Control) address of eth0, use the “hw ether” argument as shown below. Most drivers require the interface to be down first (“ifconfig eth0 down”, then the change, then “ifconfig eth0 up”), and the change lasts only until the next reboot or driver reload. The iproute2 equivalent is “ip link set dev eth0 address AA:BB:CC:DD:EE:FF”. Changing the MAC is also what an attacker does to get past port security or a captive portal, so switches with sticky MAC learning may shut the port when they see it.

[root@tecmint ~]# ifconfig eth0 hw ether AA:BB:CC:DD:EE:FF
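The address, netmask and broadcast values in items 6 to 9 and the alias address in item 13 have to agree with each other, and the examples above do not always do so. The following is an added example, not part of the original post, that works out the network and broadcast address from an address and netmask with the ipaddress module, refuses values that cannot be right (a broadcast that does not belong to the subnet, an alias outside it or equal to its network or broadcast address) and returns the matching ifconfig and ip commands for a placeholder interface name eth0. Standard-library Python:

```python
import ipaddress


def plan_interface(addr, netmask, broadcast=None, dev="eth0"):
    """Validate an address/netmask(/broadcast) triple and return the derived values
    plus equivalent ifconfig and iproute2 commands."""
    iface = ipaddress.IPv4Interface(f"{addr}/{netmask}")
    net = iface.network
    # /31 and /32 have no separate network/broadcast addresses, so only check below that
    if net.prefixlen < 31 and iface.ip in (net.network_address, net.broadcast_address):
        raise ValueError(f"{addr} is the network or broadcast address of {net}")
    expected = str(net.broadcast_address)
    if broadcast is not None and broadcast != expected:
        raise ValueError(f"broadcast {broadcast} does not fit {net} (expected {expected})")
    return {
        "address": str(iface.ip), "prefix": net.prefixlen, "netmask": str(net.netmask),
        "network": str(net.network_address), "broadcast": expected,
        "ifconfig": f"ifconfig {dev} {iface.ip} netmask {net.netmask} broadcast {expected}",
        "iproute2": f"ip addr add {iface.with_prefixlen} brd + dev {dev}",
    }


def plan_alias(primary, netmask, alias, dev="eth0"):
    """Check that an alias address is a usable host address in the primary's subnet."""
    net = ipaddress.IPv4Interface(f"{primary}/{netmask}").network
    a = ipaddress.IPv4Address(alias)
    if a not in net:
        raise ValueError(f"alias {alias} is outside {net}")
    if net.prefixlen < 31 and a in (net.network_address, net.broadcast_address):
        raise ValueError(f"alias {alias} is the network or broadcast address of {net}")
    if a == ipaddress.IPv4Address(primary):
        raise ValueError(f"alias {alias} duplicates the primary address")
    return {
        "ifconfig": f"ifconfig {dev}:0 {alias} netmask {net.netmask}",
        "iproute2": f"ip addr add {alias}/{net.prefixlen} dev {dev}",
    }


if __name__ == "__main__":
    # the values used in the post: address .125, mask /27, broadcast .63 does not fit
    print(plan_interface("172.16.25.125", "255.255.255.224"))
    try:
        plan_interface("172.16.25.125", "255.255.255.224", broadcast="172.16.25.63")
    except ValueError as e:
        print("rejected:", e)
    print(plan_alias("172.16.25.125", "255.255.255.224", "172.16.25.123"))
```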