Administering TCP/IP Networks - Network Support - Ubuntu 15.04 Server with systemd: Administration and Reference (2015)

Ubuntu 15.04 Server with systemd: Administration and Reference (2015)

Part IV. Network Support

Chapter 18. Administering TCP/IP Networks

Linux systems are configured to connect with networks that use the TCP/IP protocols. These are the same protocols used by the Internet and many local area networks (LANs). TCP/IP is a robust set of protocols designed to provide communications among systems with different operating systems and hardware. The TCP/IP protocols were developed in the 1970s as a special project of the Defense Advanced Research Projects Agency (DARPA) to enhance communications between universities and research centers. These protocols were originally developed on UNIX systems, with much of the research carried out at the University of California, Berkeley.

Linux, as a version of UNIX, benefits from much of this original focus on UNIX. Currently, the TCP/IP protocol development is managed by the Internet Engineering Task Force (IETF), which, in turn, is supervised by the Internet Society (ISOC). The ISOC oversees several groups responsible for different areas of Internet development, such as the Internet Assigned Numbers Authority (IANA), which is responsible for Internet addressing (see Table 18-1). Over the years, TCP/IP protocol standards and documentation have been issued in the form of Request for Comments (RFC) documents. Check the most recent RFCs for current developments at the IETF Web site at

TCP/IP Protocol Suite

The TCP/IP protocol suite consists of several different protocols, each designed for a specific task in a TCP/IP network. The three basic protocols are the Transmission Control Protocol (TCP), which handles receiving and sending out communications; the Internet Protocol (IP), which handles the actual transmissions; and the User Datagram Protocol (UDP), which also handles receiving and sending packets. IP is the base protocol that all others use: it carries the packets of data, each with sender and receiver information. TCP is designed to work with cohesive messages or data. It checks received packets and sorts them into their designated order, forming the original message. For data sent out, TCP breaks the data into separate packets, designating their order. UDP, meant to work on a much more raw level, also breaks down data into packets but does not check their order. TCP is designed to provide stable and reliable connections that ensure that all data is received and reorganized into its original order. UDP, on the other hand, is designed simply to send as much data as possible, with no guarantee that packets will all be received or placed in the proper order. UDP is often used for transmitting very large amounts of data of the type that can survive the loss of a few packets, for example, temporary images, video, and banners displayed on the Internet.

Other protocols provide various network and user services. The Domain Name Service (DNS) provides address resolution, the File Transfer Protocol (FTP) provides file transmission, and the Network File System (NFS) provides access to remote file systems. Table 18-2 lists the protocols in the TCP/IP suite. These protocols make use of either TCP or UDP to send and receive packets, which in turn use the IP protocol for transmitting the packets.

In a TCP/IP network, messages are broken into small components, called datagrams, which are then transmitted through various interlocking routes and delivered to their destination computers. Once received, the datagrams are reassembled into the original message. Datagrams themselves can be broken down into smaller packets. The packet is the physical message unit actually transmitted among networks. Sending messages as small components has proven to be far more reliable and faster than sending them as one large, bulky transmission. With small components, if one is lost or damaged, only that component must be resent, whereas if any part of a large transmission is corrupted or lost, the entire message has to be resent.





Internet Society: Professional membership organization of Internet experts that oversees boards and task forces dealing with network policy issues
The Internet Engineering Steering Group: Responsible for technical management of IETF activities and the Internet standards process
Internet Assigned Numbers Authority: Responsible for Internet Protocol (IP) addresses
Internet Architecture Board: Defines the overall architecture of the Internet, providing guidance and broad direction to the IETF
Internet Engineering Task Force: Protocol engineering and development arm of the Internet

Table 18-1: TCP/IP Protocol Development Groups

The configuration of a TCP/IP network on your Linux system is implemented using a set of network configuration files (see Table 18-6). Many of these files can be managed using network tools on your desktop like NetworkManager. You can also use more specialized programs, such as netstat, ifconfig, Wireshark, and route. Some configuration files are easy to modify yourself using a text editor. The ifconfig utility enables you to configure your network interfaces, adding new ones and modifying others. The ifconfig and route utilities are lower-level programs that require more specific knowledge of your network to use effectively. The netstat utility provides you with information about the status of your network connections. Wireshark is a network protocol analyzer that lets you capture packets as they are transmitted across your network, selecting those you want to check.

Zero Configuration Networking: Avahi and Link Local Addressing

Zero Configuration Networking (Zeroconf) allows the setup of non-routable private networks without the need for a DHCP server or static IP addresses. A Zeroconf configuration lets users automatically connect to a network and access all network resources, such as printers, without having to perform any configuration. On Linux, Zeroconf networking is implemented by Avahi, which includes multicast DNS (mDNS) and DNS service discovery (DNS-SD) support that automatically detects services on a network. IP addresses are determined using either IPv6 or IPv4 Link Local (IPv4LL) addressing. IPv4 Link Local addresses are assigned from the network pool. Derived from Apple’s Bonjour Zeroconf implementation, Avahi is a free and open source version currently used by desktop tools, such as the GNOME virtual file system. Ubuntu implements full Zeroconf network support with the Avahi daemon, which implements multicast DNS discovery, and avahi-autoipd, which provides dynamic configuration of local IPv4 addresses. Both are installed as part of the desktop configuration.




Transmission Control Protocol; places systems in direct communication
User Datagram Protocol
Internet Protocol; transmits data
Internet Control Message Protocol; status messages for IP

Routing Information Protocol; determines routing
Open Shortest Path First; determines routing

Network Addresses
Address Resolution Protocol; determines unique IP address of systems
Domain Name Service; translates hostnames into IP addresses
Reverse Address Resolution Protocol; determines addresses of systems

User Service
File Transfer Protocol; transmits files from one system to another using TCP
Trivial File Transfer Protocol; transfers files using UDP
Remote login to another system on the network
Simple Mail Transfer Protocol; transfers e-mail between systems
Remote Procedure Call; allows remote systems to communicate

Exterior Gateway Protocol; provides routing for external networks
Gateway-to-Gateway Protocol; provides routing between gateways
Interior Gateway Protocol; provides routing for internal networks

Network Service
Network File System; allows mounting of file systems on remote machines
Network Information Service; maintains user accounts across a network
Boot Protocol; starts system using boot information on server for network
Simple Network Management Protocol; provides status messages on TCP/IP configuration
Dynamic Host Configuration Protocol; automatically provides network configuration information to host systems

Table 18-2: TCP/IP Protocol Suite

Avahi support tools like avahi-browse and avahi-publish are located in the avahi-utils package. Specialized tools like SSH and Shell tools are located in the avahi-ui-tools package. The KDE Zeroconf solution is also provided using Avahi (kde-zeroconf).

IPv4 and IPv6

Traditionally, a TCP/IP address is organized into four segments, consisting of numbers separated by periods. This is called the IP address. The IP address actually represents a 32-bit integer whose binary values identify the network and host. This form of IP addressing adheres to Internet Protocol, version 4, also known as IPv4. IPv4, the kind of IP addressing described here, is still in use.

Currently, version 6 of the Internet Protocol, IPv6, is replacing the older IPv4 version. IPv6 expands the number of possible IP addresses by using 128 bits. It is fully compatible with systems still using IPv4. IPv6 addresses are represented differently, using a set of eight 16-bit segments, each separated from the next by a colon. Each segment is represented by a hexadecimal number. A sample address would be:


Advantages of IPv6 include the following:

IPv6 features simplified headers that allow for faster processing.

IPv6 provides support for encryption and authentication along with virtual private networks (VPN), using the integrated IPsec protocol.

One of its most significant advantages lies in extending the address space to cover 2 to the power of 128 possible hosts (billions of billions). This extends far beyond the 4.2 billion supported by IPv4.

IPv6 supports stateless autoconfiguration of addresses for hosts, bypassing the need for DHCP to configure such addresses. Addresses can be generated directly using the MAC (Media Access Control) hardware address of an interface.

IPv6 supports Quality of Service (QoS) operations, providing sufficient response times for services like multimedia and telecom tasks.

Multicast capabilities are built into the protocol, providing direct support for multimedia tasks. Multicast addressing also provides the same function as IPv4 broadcast addressing.

More robust transmissions can be ensured with anycast addressing, where packets can be directed to an anycast group of systems, only one of which needs to receive them. Multiple DNS servers supporting a given network could be designated as an anycast group, of which only one DNS server needs to receive the transmission, providing greater likelihood that the transmissions will go through.

IPv6 provides better access for mobile nodes, like PDAs, notebooks, and cell phones.

TCP/IP Network Addresses

The traditional IPv4 TCP/IP address is organized into four segments, consisting of numbers separated by periods. Part of an IP address is used for the network address, and the other part is used to identify a particular interface on a host in that network. You should realize that IP addresses are assigned to interfaces—such as Ethernet cards or modems—and not to the host computer. Usually a computer has only one interface and is accessed using only that interface’s IP address. In that regard, an IP address can be thought of as identifying a particular host system on a network, so the IP address is usually referred to as the host address.

In fact, though, a host system could have several interfaces, each with its own IP address. This is the case for computers that operate as gateways and firewalls from a local network to the Internet. One interface usually connects to a local network and another to the Internet using two Ethernet cards. Each interface (such as an Ethernet card) has its own IP address. Other Ethernet cards have their own IP addresses. If you use a modem to connect to an ISP, you would set up a Point-to-Point Protocol (PPP) interface that would also have its own IP address (usually dynamically assigned by the ISP).

IPv4 Network Addresses

The IP address is divided into two parts: one part identifies the network, and the other part identifies a particular host. The network address identifies the network of which a particular interface on a host is a part. Two methods exist for implementing the network and host parts of an IP address: the original class-based IP addressing and the current Classless Interdomain Routing (CIDR) addressing. Class-based IP addressing designates officially predetermined parts of the address for the network and host addresses, whereas CIDR addressing allows the parts to be determined dynamically using a netmask.

Class-Based IP Addressing

Originally, IP addresses were organized according to classes. On the Internet, IPv4 networks are organized into three classes depending on their size: classes A, B, and C. A class A network uses only the first segment for the network address and the remaining three for the host, allowing a great many computers to be connected to the same network. Most IP addresses reference smaller, class C, networks. For a class C network, the first three segments are used to identify the network, and only the last segment identifies the host. Altogether, this forms a unique address with which to identify any network interface on computers in a TCP/IP network. For example, in the IP address, the network part is 192.168.1 and the interface/host part is 72. The interface/host is a part of a network whose own address is

In a class C network, the first three numbers identify the network part of the IP address. This part is divided into three network numbers, each identifying a subnet. Networks on the Internet are organized into subnets, beginning with the largest and narrowing to small subnetworks. The last number is used to identify a particular computer, referred to as a host. You can think of the Internet as a series of networks with subnetworks; these subnetworks have their own subnetworks. The rightmost number identifies the host computer, and the number preceding it identifies the subnetwork of which the computer is a part. The number to the left of that identifies the network the subnetwork is part of, and so on. The Internet address references the fourth computer connected to the network identified by the number 187. Network 187 is a subnet to a larger network identified as 168. This larger network is itself a subnet of the network identified as 192. Here’s how it breaks down:

IPv4 address


Network identification


Host identification


Systems derive the network address from the host address using the netmask. You can think of an IP address as a series of 32 binary bits, some of which are used for the network and the remainder for the host. The netmask has the network set of bits set to 1s, with the host bits set to 0s (see Figure 18-1 ). In a standard class-based IP address, all the numbers in the network part of your host address are set to 255, and the host part is set to 0. This has the effect of setting all the binary bits making up the network address to 1s. This, then, is your netmask. So, the netmask for the host address is The network part, 192.168.1, has been set to 255.255.255, and the host part, 72, has been set to 0. Systems can then use your netmask to derive your network address from your host address. They can determine what part of your host address makes up your network address and what those numbers are.

For those familiar with computer programming, a bitwise AND operation on the netmask and the host address results in zeroing the host part, leaving you with the network part of the host address. You can think of the address as being implemented as a four-byte integer, with each byte corresponding to a segment of the address. In a class C address, the three network segments correspond to the first three bytes, and the host segment corresponds to the fourth byte. A netmask is designed to mask out the host part of the address, leaving the network segments alone. In the netmask for a standard class C network, the first three bytes are all 1s and the last byte consists of 0s. The 0s in the last byte mask out the host part of the address, and the 1s in the first three bytes leave the network part of the address alone. Figure 18-1 shows the bitwise operation of the netmask on the address This is a class C address to the mask, which consists of twenty-four 1s making up the first three bytes and eight 0s making up the last byte. When it is applied to the address, the network address remains (192.168.1) and the host address is masked out (4), giving you as the network address.

The netmask as used in Classless Interdomain Routing (CIDR) is much more flexible. Instead of having the size of the network address and its mask determined by the network class, it is determined by a number attached to the end of the IP address. This number simply specifies the size of the network address, how many bits in the address it takes up. For example, in an IP address whose network part takes up the first three bytes (segments), the number of bits used for that network part is 24—eight bits to a byte (segment). Instead of using a netmask to determine the network address, the number for the network size is attached to the end of the address with a slash, as shown here:

CIDR gives you the advantage of specifying networks of any size in bits, instead of only three possible segments. You could have a network whose addresses take up 14 bits, 22 bits, or even 25 bits. The host address can use whatever bits are left over. An IP address with 21 bits for the network can cover host addresses using the remaining 11 bits, 0 to 2,047.

Classless Interdomain Routing (CIDR)

The class-based organization of IP addresses is being replaced by the CIDR format. CIDR was designed for midsized networks, those between a class C, and classes with numbers of hosts greater than 256 and smaller than 65,534. A class C network–based IP address uses only one segment, an 8-bit integer, with a maximum value of 256. A class B network–based IP address uses two segments, which make up a 16-bit integer, whose maximum value is 65,534. You can think of an address as a 32-bit integer taking up four bytes, where each byte is 8 bits. Each segment conforms to one of the four bytes. A class C network uses three segments, or 24 bits, to make up its network address. A class B network, in turn, uses two segments, or 16 bits, for its address. With this scheme, allowable host and network addresses are changed an entire byte at a time, segment to segment. With CIDR addressing, you can define host and network addresses by bits, instead of whole segments. For example, you can use CIDR addressing to expand the host segment from 8 bits to 9, rather than having to jump it to a class B 16 bits (two segments).

Figure 18-1: Class-based netmask operations

CIDR addressing notation achieves this by incorporating netmask information in the IP address (the netmask is applied to an IP address to determine the network part of the address). In the CIDR notation, the number of bits making up the network address is placed after the IP address, following a slash. For example, the CIDR form of the class C IP address is

Figure 18-2 shows an example of a CIDR address and its network mask. The IP address is with a network mask of 22 bits, The network address takes up the first 22 bits of the IP address, and the remaining 10 bits are used for the host address. The host address is taking up the equivalent of a class-based IP address’s fourth segment (8 bits) and 2 bits from the third segment.

Table 18-3 lists the different IPv4 CIDR network masks available along with the maximum number of hosts. Both the short forms and the full forms of the netmasks are listed.

Figure 18-2: CIDR addressing

IPv4 CIDR Addressing

The network address for any standard class C IPv4 IP address takes up the first three segments, 24 bits. If you want to create a network with a maximum of 512 hosts, you can give them IP addresses where the network address is 23 bits and the host address takes up 9 bits (0–511). The IP address notation remains the same, however, using the four 8-bit segments. This means a given segment’s number could be used for both a network address and a host address. Segments are no longer wholly part of either the host address or the network address. Assigning a 23-bit network address and a 9-bit host address means that the number in the third segment is part of both the network address and the host address: the first 7 bits for the network and the last bit for the host. In the following example, the third number, 145, is used as the end of the network address and as the beginning of the host address:

This situation complicates CIDR addressing, and in some cases the only way to represent the address is to specify two or more network addresses. Check RFC 1520 at for more details.

CIDR also allows a network administrator to take what is officially the host part of an IP address, and break it up into subnetworks with fewer hosts. This is referred to as subnetting. A given network will have its official IP network address recognized on the Internet or by a larger network. The network administrator for that network could, in turn, create several smaller networks within it using CIDR network masking. A classic example is to take a standard class C network with 254 hosts and break it up into two smaller networks, each with 64 hosts. You do this by using a CIDR netmask to take a bit from the host part of the IP address and use it for the subnetworks. Numbers within the range of the original 254 addresses whose first bit would be set to 1 would represent one subnet, and the others, whose first bit would be set to 0, would constitute the remaining network. In the network whose network address is, where the last segment is used for the hostnames, that last host segment could be further split into two subnets, each with its own hosts. For two subnets, you would use the first bit in the last 8-bit segment for the network. The remaining 7 bits could then be used for host addresses, giving you a range of 127 hosts per network. The subnet whose bit is set to 0 would have a range of 1 to 127, with a CIDR netmask of 25. The 8-bit segment for the first host would be 00000001. So, the host with the address of 1 in that network would have this IP address:

For the subnet where the first bit is 1, the first host would have an address of 129, with the CIDR netmask of 25, as shown here. The 8-bit sequence for the first host would be 10000001.

Note: A simple way to calculate the number of hosts a network can address is to take the number of bits in its host segment as a power of 2, and then subtract 2—that is, 2 to the number of host bits, minus 2. For example, an 8-bit host segment would be 2 to the power of 8, which equals 256. Subtract 2 (1 for the broadcast address, 255, and 1 for the zero value, 000) to leave you with 254 possible hosts.

Each subnet would have a set of 126 addresses, the first from 1 to 126, and the second from 129 to 254; 127 is the broadcast address for the first subnet, and 128 is the network address for the second subnet. The possible subnets and their masks that you could use are shown here:


CIDR Address

Binary Mask

First subnet network address



Second subnet network address



First subnet broadcast address



Second subnet broadcast address



First address in first subnet



First address in second subnet



Last address in first subnet



Last address in second subnet



IPv6 CIDR Addressing

IPv6 CIDR addressing works much the same as the IPv4 method. The number of bits used for the network information is indicated by the number following the address. A host (interface) address could take up much more than the 64 bits that it usually does in an IPv6 address, making the network prefix (address) section smaller than 64 bits. How many bits the network prefix uses is indicated by the number that follows the address. In the next example the network prefix (address) uses only the first 48 bits of the IPv6 address, and the host address uses the remaining 80 bits:


You can also use a two-colon notation (::) for the compressed version:


Though you can use CIDR to subnet addresses, IPv6 also supports a subnet field that can be used for subnets.

Obtaining an IP Address

IP addresses are officially allocated by IANA, which manages all aspects of Internet addressing. IANA oversees Internet Registries, which, in turn, maintain Internet addresses on regional and local levels. The Internet Registry for the Americas is the American Registry for Internet Numbers (ARIN), whose Web site is at These addresses are provided to users by Internet service providers (ISPs). You can obtain your own Internet address from an ISP, or if you are on a network already connected to the Internet, your network administrator can assign you one. If you are using an ISP, the ISP may temporarily assign one from a pool it has on hand with each use.

Short Form

Full Form

Maximum Number of Hosts



16,777,215 (A class)



65,535 (B class)
























255 (C class)



















Table 18-3: CIDR IPv4 Network Masks

IPv4 Reserved Addresses

Certain numbers are reserved. The numbers 127, 0, and 255 cannot be part of an official IP address. The number 127 is used to designate the network address for the loopback interface on your system. The loopback interface enables users on your system to communicate with each other, within the system, without having to route through a network connection. Its network address would be, and its IP address is For class-based IP addressing, the number 255 is a special broadcast identifier you can use to broadcast messages to all sites on a network. Using 255 for any part of the IP address references all nodes connected at that level. For example, broadcasts a message to all computers on network 192.168, all its subnetworks, and their hosts. The address broadcasts to every computer on the local network. If you use 0 for the network part of the address, the host number references a computer within your local network. For example, references the sixth computer in your local network. If you want to broadcast to all computers on your local network, you can use the number For CIDR IP addressing, the broadcast address may appear much like a normal IP address. As indicated in the preceding section, CIDR addressing allows the use of any number of bits to make up the IP address for either the network or the host part. For a broadcast address, the host part must have all its bits set to 1 (see Figure 18-3 ).

A special set of numbers is reserved for use on non-Internet Local Area Networks (LANs) (see RFC 1918). These are numbers that begin with the special network number 192.168 (for class C networks), as used in these examples. If you are setting up a LAN, such as a small business or a home network, you are free to use these numbers for your local machines. You can set up an intranet using network cards, such as Ethernet cards and Ethernet hubs, and then configure your machines with IP addresses starting from The host segment can go up to 256. If you have three machines on your home network, you could give them the addresses,, and You can implement Internet services, such as FTP, Web, and mail services, on your local machines and use any of the Internet tools to make use of those services. They all use the same TCP/IP protocols used on the Internet. For example, with FTP tools, you can transfer files among the machines on your network. With mail tools, you can send messages from one machine to another, and with a Web browser, you can access local Web sites that may be installed on a machine running its own Web servers. If you want to have one of your machines connected to the Internet or some other network, you can set it up to be a gateway machine. By convention, the gateway machine is usually given the address With a method called IP masquerading, you can have any of the non-Internet machines use a gateway to connect to the Internet.

IPv4 Private Network Addresses

Network Classes

Class A network–

Class B network

Class C network

Loopback network (for system self-communication)

Table 18-4: Non-Internet IPv4 Local Network IP Addresses

Numbers are also reserved for class A and class B non-Internet local networks. Table 18-4 lists these addresses. The possible addresses available span from 0 to 255 in the host segment of the address. For example, class B network addresses range from to, providing you a total of 32,356 possible hosts. The class C network ranges from to, providing you 256 possible subnetworks, each with 256 possible hosts. The network address is reserved for a system’s loopback interface, which allows it to communicate with itself, enabling users on the same system to send messages to each other.

Broadcast Addresses

The broadcast address allows a system to send the same message to all systems on your network at once. With IPv4 class-based IP addressing, you can easily determine the broadcast address using your host address: the broadcast address has the host part of your address set to 255. The network part remains untouched. So the broadcast address for the host address is (you combine the network part of the address with 255 in the host part). For CIDR IP addressing, you need to know the number of bits in the netmask. The remaining bits are set to 1 (see Figure 18-3 ). For example, an IP address of has a broadcast address of In this case, the first 22 bits are the network address and the last 10 bits are the host part set to the broadcast value (all 1s).

Figure 18-3: Class-based and CIDR broadcast addressing

In fact, you can think of a class C broadcast address as merely a CIDR address using 24 bits (the first three segments) for the network address, and the last 8 bits (the fourth segment) as the broadcast address. The value 255 expressed in binary terms is simply 8 bits that are all 1s. 255 is the same as 11111111.

IP Address

Broadcast Address

IP Broadcast Number

Binary Equivalent



7.255 (last 2 bits in 7)
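The netmask, subnetting and broadcast arithmetic described in the preceding sections, carried through with plain bit operations. This is an added example, not part of the original book; the sample addresses (192.168.1.72/24, 192.168.5.72/22, 192.168.1.0/24) and all function names are constructed for illustration. The same_network comparison is the test a packet filter or allow-list applies to a source address.

```python
# Added example: IPv4 netmask arithmetic with integer bit operations.
# All addresses are constructed sample values from the private 192.168 range.
import ipaddress  # standard library, used only to cross-check the results


def ip_to_int(dotted):
    """Pack four decimal segments into one 32-bit integer."""
    parts = dotted.split(".")
    if len(parts) != 4:
        raise ValueError("expected four segments: %r" % dotted)
    value = 0
    for part in parts:
        if not part.isdigit() or int(part) > 255:
            raise ValueError("bad segment %r in %r" % (part, dotted))
        value = (value << 8) | int(part)
    return value


def int_to_ip(value):
    """Unpack a 32-bit integer into dotted-decimal form."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_to_mask(prefix):
    """Netmask for /prefix: `prefix` network bits set to 1, host bits set to 0."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length out of range: %r" % prefix)
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def describe(cidr):
    """Derive netmask, network, broadcast and host range for 'a.b.c.d/n'."""
    address, _, length = cidr.partition("/")
    prefix = int(length)
    if not 0 <= prefix <= 30:                # /31 and /32 have no host range
        raise ValueError("prefix must be between 0 and 30: %r" % cidr)
    mask = prefix_to_mask(prefix)
    host_bits = ~mask & 0xFFFFFFFF
    network = ip_to_int(address) & mask      # AND zeroes the host part
    broadcast = network | host_bits          # host part set to all 1s
    return {
        "netmask": int_to_ip(mask),
        "network": int_to_ip(network),
        "broadcast": int_to_ip(broadcast),
        "first_host": int_to_ip(network + 1),
        "last_host": int_to_ip(broadcast - 1),
        "usable_hosts": (1 << (32 - prefix)) - 2,   # 2^host bits, minus 2
    }


def same_network(addr_a, addr_b, prefix):
    """True when both addresses have the same network part under /prefix."""
    mask = prefix_to_mask(prefix)
    return (ip_to_int(addr_a) & mask) == (ip_to_int(addr_b) & mask)


def split_in_two(cidr):
    """Take one bit from the host part to form two equal subnets."""
    prefix = int(cidr.partition("/")[2]) + 1
    low = ip_to_int(describe(cidr)["network"])
    high = low | (1 << (32 - prefix))        # the borrowed bit set to 1
    return ["%s/%d" % (int_to_ip(low), prefix),
            "%s/%d" % (int_to_ip(high), prefix)]


if __name__ == "__main__":
    for sample in ("192.168.1.72/24", "192.168.5.72/22"):
        info = describe(sample)
        ref = ipaddress.ip_network(sample, strict=False)
        assert info["network"] == str(ref.network_address)
        assert info["broadcast"] == str(ref.broadcast_address)
        print(sample, info)
    for subnet in split_in_two("192.168.1.0/24"):
        print(subnet, describe(subnet))
    print(same_network("192.168.1.72", "192.168.1.200", 25))
```
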


Gateway Addresses

Some networks have a computer designated as the gateway to other networks. All connections to and from a network to other networks pass through this gateway computer. Most local networks use gateways to establish a connection to the Internet. If you are on this type of network, you must provide the gateway address. If your network does not have a connection to the Internet, or a larger network, you may not need a gateway address. The gateway address is the address of the host system providing the gateway service to the network. On many networks, this host is given a host ID of 1, so the gateway address for a network with the address 192.168.0 would be, but this is only a convention. To be sure of your gateway address, ask your network administrator.

Name Server Addresses

Many networks, including the Internet, have computers that provide a Domain Name Service (DNS) that translates the domain names of networks and hosts into IP addresses. These are known as the network’s domain name servers. The DNS makes your computer identifiable on a network, using your domain name, rather than your IP address. You can also use the domain names of other systems to reference them, so you needn’t know their IP addresses. You must know the IP addresses of any domain name servers for your network, however. You can obtain the addresses from your system administrator (often more than one address exists). Even if you are using an ISP, you must know the address of the domain name servers your ISP operates for the Internet.

IPv6 Addressing

IPv6 addressing introduces major changes into the format and method of addressing systems under the Internet Protocol (see RFC 3513 for more details). There are several different kinds of addressing with different fields for the network segment. The host segment has been expanded to a 64-bit address, allowing direct addressing for a far larger number of systems. Each address begins with a type field specifying the kind of address, which will then determine how its network segment is organized. These changes are designed not only to expand the address space, but also to provide greater control over transmissions at the address level.

Note: Ubuntu is distributed with IPv6 support already enabled in the kernel. Kernel support for IPv6 is provided by the IPv6 kernel module. Kernel configuration support can be found under Device Drivers | Networking Support | Networking Options | The IPv6 Protocol.

IPv6 Address Format

An IPv6 address consists of 128 bits, up from the 32 bits used in IPv4 addresses. The first 64 bits are used for network addressing, of which the first few bits are reserved for indicating the address type. The last 64 bits are used for the interface address, known as the interface identifier field. The number of bits used for subnetting can be adjusted with a CIDR mask, much like that in IPv4 CIDR addressing (see the preceding section).

An IPv6 address is written as eight segments representing 16 bits each (128 bits total). To represent 16-bit binary numbers more easily, hexadecimal numbers are used. Hexadecimal numbering uses 16 unique digits, instead of the 8 used in octal numbering. These are 0–9, continuing with the characters A–F.

In the next example the first four segments represent the network part of the IPv6 address, and the following four segments represent the interface (host) address:


You can cut any preceding zeros, but not trailing zeros, in any given segment. Segments with all zeros can be reduced to a single zero.


The loopback address used for localhost addressing can be written with seven preceding zeros and a 1.


Many addresses will have sequences of zeros. IPv6 supports a shorthand symbol for representing a sequence of several zeros in adjacent fields. This consists of a double colon (::). There can be only one use of the :: symbol per address.


The loopback address 0000000000000001 can be reduced to just the following:


To ease the transition from IPv4 addressing to IPv6, a form of addressing incorporating IPv4 addresses is also supported. In this case, the IPv4 address (32 bits) can be used to represent the last two segments of an IPv6 address and can be written using IPv4 notation.


IPv6 Interface Identifiers

The identifier part of the IPv6 address takes up the second 64 bits, consisting of four segments containing four hexadecimal numbers. The interface ID is a 64-bit (four-segment) Extended Unique Identifier (EUI-64) generated from a network device’s Media Access Control (MAC) address.
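The notation rules and the EUI-64 interface identifier described above can be checked with Python's standard ipaddress module. This is an added example, not code from the book; the MAC address and the 2001:db8 prefix are constructed sample values, and the universal/local bit flip follows the modified EUI-64 rule of RFC 4291, which the text above does not spell out.

```python
import ipaddress
from typing import Optional


def expand(addr: str) -> str:
    """Full form: eight segments of four hex digits, nothing abbreviated."""
    return ipaddress.IPv6Address(addr).exploded


def compress(addr: str) -> str:
    """Short form: leading zeros dropped, one run of zero segments as '::'."""
    return ipaddress.IPv6Address(addr).compressed


def is_valid(addr: str) -> bool:
    """False for malformed text, for example a second '::' in one address."""
    try:
        ipaddress.IPv6Address(addr)
    except ValueError:
        return False
    return True


def eui64_interface_id(mac: str) -> bytes:
    """Build the 64-bit interface identifier from a 48-bit MAC address.

    The MAC is split in half, ff:fe is inserted in the middle, and the
    universal/local bit (0x02 of the first octet) is inverted.
    """
    octets = bytes(int(part, 16) for part in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]


def address_from_mac(prefix: str, mac: str) -> str:
    """Combine a 64-bit network prefix with the EUI-64 identifier of a MAC."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen > 64:
        raise ValueError("prefix must leave 64 bits for the interface identifier")
    iid = int.from_bytes(eui64_interface_id(mac), "big")
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))


def mac_from_address(addr: str) -> Optional[str]:
    """Recover the MAC from an EUI-64-derived address, or None if the
    interface identifier does not carry the ff:fe marker."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{octet:02x}" for octet in mac)


if __name__ == "__main__":
    sample_mac = "00:16:3e:12:34:56"  # constructed sample value
    for prefix in ("fe80::/64", "2001:db8:0:1::/64"):
        addr = address_from_mac(prefix, sample_mac)
        print(addr, "->", expand(addr), "-> MAC", mac_from_address(addr))
```

Because the identifier is reversible, an EUI-64 address seen in a log identifies the same network card on whatever network it appears.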

IPv6 Address Types

There are three basic kinds of IPv6 addresses: unicast, multicast, and anycast.

A unicast address is used for a packet that is sent to a single destination.

An anycast address is used for a packet that can be sent to more than one destination.

A multicast address is used to broadcast a packet to a range of destinations.

IPv6 Addresses Format Prefixes and Reserved Addresses



Unicast global addresses


Unicast link-local addresses, used for physically connected hosts on a network, used for DHCP equivalents.


Unicast unique-local addresses, comparable to IPv4 private addresses.


Unicast loopback address (for system self-communication, localhost)


Unspecified address


Multicast addresses

Table 18-5: IPv6 Format Prefixes and Reserved Addresses

In IPv6, addressing is controlled by the format prefix that operates as a kind of address type. The format prefix is the first field of the IP address. The three major kinds of unicast network addresses are global, link-local, and unique-local. Global, unique-local, and link-local addresses are each indicated by their own format prefix (see Table 18-5).

Global addresses begin with the address type 3, unique-local with FE00, and link-local with FE8. Global addresses can be sent across the Internet.

Link-local addresses are used for physically connected systems on a local network. They are often used for DHCP addresses.

Unique-local can be used for any hosts on a local network. Unique-local addresses operate like IPv4 private addresses; they are used only for local access and cannot be used to transmit over the Internet.

In addition, IPv6 has two special reserved addresses. The address 0000000000000001 is reserved for the loopback address used for a system's localhost address, and the address 0000000000000000 is the unspecified address.

IPv6 Unicast Global Addresses

IPv6 global addresses currently use four fields: the format prefix, a global routing prefix, the subnet identifier, and the interface identifier. The format prefix for a unicast global address is 3 (3 bits). The global routing prefix references the network address (45 bits), and the subnet ID references a subnet within the site (16 bits).

IPv6 Unicast Local Use Addresses: Link-Local and Unique-Local Addresses

For local use, IPv6 provides both link-local and unique-local addresses. Link-local addressing is used for interfaces (hosts) that are physically connected to a network. This is usually a small local network. A link-local address uses only three fields, the format prefix FE8 (10 bits), an empty field (54 bits), and the interface identifier (host address) (64 bits). In effect, the network section is empty.

IPv6 unique-local addresses have three fields: the format prefix (10 bits), the subnet identifier (54 bits), and the interface identifier (64 bits). Except for any local subnetting, there is no network address. The unique local address has a format prefix of FC00. The unique-local addresses (also known as unique local addresses) fulfill the same function as private addresses in IPv4 (192.168.0).
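When reading addresses out of logs or firewall rules, the format prefix tells you at once whether an address could have come from the Internet. The classifier below is an added example, not code from the book; it uses the prefix values of RFC 4291 and RFC 4193 (an assumption, since the values in Table 18-5 did not survive on this page) and also decodes the multicast flag and scope fields covered in the next section, where scope 5 is labelled site-local as in RFC 4291.

```python
import ipaddress
from collections import defaultdict

# Format prefixes, most specific first (values from RFC 4291 / RFC 4193).
FORMAT_PREFIXES = [
    ("loopback", ipaddress.IPv6Network("::1/128")),
    ("unspecified", ipaddress.IPv6Network("::/128")),
    ("multicast", ipaddress.IPv6Network("ff00::/8")),
    ("link-local unicast", ipaddress.IPv6Network("fe80::/10")),
    ("unique-local unicast", ipaddress.IPv6Network("fc00::/7")),
    ("global unicast", ipaddress.IPv6Network("2000::/3")),
]

# Scope values named in the text: 2, 5 and E.
MULTICAST_SCOPES = {0x2: "link-local", 0x5: "site-local", 0xE: "global"}


def classify(addr: str) -> str:
    """Return the address type selected by the leading bits of the address."""
    ip = ipaddress.IPv6Address(addr)
    for name, network in FORMAT_PREFIXES:
        if ip in network:
            return name
    return "reserved/other"


def multicast_fields(addr: str):
    """Split a multicast address into flag, scope and group ID.

    Layout: 8 bits of FF, 4 flag bits, 4 scope bits, 112-bit group ID.
    Returns None for an address that is not multicast.
    """
    ip = ipaddress.IPv6Address(addr)
    if ip.packed[0] != 0xFF:
        return None
    flags, scope = ip.packed[1] >> 4, ip.packed[1] & 0x0F
    return {
        "temporary": bool(flags & 0x1),  # T flag: 0 = permanent group
        "scope": MULTICAST_SCOPES.get(scope, f"scope {scope:x}"),
        "group_id": int(ip) & ((1 << 112) - 1),
    }


def internet_routable(addr: str) -> bool:
    """Only global unicast addresses can be sent across the Internet."""
    return classify(addr) == "global unicast"


def triage(addresses):
    """Group a list of addresses (for example, from a log) by type."""
    groups = defaultdict(list)
    for addr in addresses:
        groups[classify(addr)].append(addr)
    return dict(groups)


if __name__ == "__main__":
    # Constructed sample values; 2001:db8::/32 is the documentation prefix.
    sample = ["2001:db8::10", "fe80::216:3eff:fe12:3456", "fd12:3456:789a::1",
              "::1", "::", "ff02::1", "ff05::101"]
    for kind, members in triage(sample).items():
        print(f"{kind:22} {members}")
    print(multicast_fields("ff05::101"))
```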

IPv6 Multicast Addresses

Multicast addresses have a format prefix of FF (8 bits) with flag and scope fields to indicate whether the multicast group is permanent or temporary, and whether it is local or global in scope. A group identifier (112 bits) references the multicast group. For the scope, 2 is link-local, 5 is unique-local, and E is global. In addition to their interface identifiers, hosts will also have a group ID that can be used as a broadcast address. You use this address to broadcast to the hosts. The following example will broadcast only to those hosts on the local network (5) with the group ID 101:


To broadcast to all the hosts in a link-local scope, you would use the broadcast address:


For a unique-local scope, a local network, you would use:


IPv6 and IPv4 Coexistence Methods

In the transition from IPv4 to IPv6, many networks will find the need to support both. Some will be connected to networks that use the contrary protocol, and others will connect through other network connections that use that protocol. There are several official IETF methods for providing IPv6 and IPv4 cooperation, which fall into three main categories:

Dual-stack: Allows IPv4 and IPv6 to coexist on the same networks.

Translation: Enables IPv6 devices to communicate with IPv4 devices.

Tunneling: Allows transmission from one IPv6 network to another through IPv4 networks as well as allowing IPv6 hosts to operate on or through IPv4 networks.

In the dual-stack methods both IPv6 and IPv4 addresses are supported on the network. Applications and DNS servers can use either to transmit data.

Translation uses NAT tables to translate IPv6 addresses to corresponding IPv4 addresses and vice versa, as needed. IPv4 applications can then freely interact with IPv6 applications. IPv6-to-IPv6 transmissions are passed directly through, enabling full IPv6 functionality.

Tunneling is used when one IPv6 network needs to transmit to another through an IPv4 network that cannot handle IPv6 addresses. With tunneling, the IPv6 packet is encapsulated within an IPv4 packet, where the IPv4 network then uses the outer IPv4 addressing to pass on the packet. Several methods are used for tunneling, as shown here, as well as direct manual manipulation:

6-over-4: Used within a network to use IPv4 multicasting to implement a virtual LAN to support IPv6 hosts, without an IPv6 router (RFC 2529)

6-to-4: Used to allow IPv6 networks to connect to and through a larger IPv4 network (the Internet), using the IPv4 network address as an IPv6 network prefix (RFC 3056)

Tunnel brokers: Web-based services that create tunnels (RFC 3053)

TCP/IP Configuration Files

A set of configuration files in the /etc directory, shown in Table 18-6, are used to set up and manage your TCP/IP network. These configuration files specify such network information as host and domain names, IP addresses, and interface options. The IP addresses and domain names of other Internet hosts you want to access are entered in these files. If you configured your network during installation, you can already find that information in these files.

Identifying Hostnames: /etc/hosts

Without the unique IP address the TCP/IP network uses to identify computers, a particular computer cannot be located. Because IP addresses are difficult to use or remember, domain names are used instead. For each IP address, a domain name exists. When you use a domain name to reference a computer on the network, your system translates it into its associated IP address, which can then be used by your network to locate that computer.

Originally, every computer on the network was responsible for maintaining a list of the hostnames and their IP addresses. This list is still kept in the /etc/hosts file. When you use a domain name, your system looks up its IP address in the hosts file. The system administrator is responsible for maintaining this list. Because of the explosive growth of the Internet and the development of larger networks, the responsibility for associating domain names and IP addresses has been taken over by domain name servers. The hosts file is still used to hold the domain names and IP addresses of frequently accessed hosts, however. Your system normally checks your hosts file for the IP address of a domain name before taking the added step of accessing a name server.



Host address: IP address of your system; it has a network part to identify the network you are on and a host part to identify your own system

Network address: IP address of your network

Broadcast address: IP address for sending messages to all hosts on your network at once

Gateway address: IP address of your gateway system, if you have one (usually the network part of your host IP address with the host part set to 1)

Domain name server addresses: IP addresses of domain name servers your network uses


Used to determine the network and host parts of your IP address




Associates hostnames with IP addresses, lists domain names for remote hosts with their IP addresses


Network interfaces


Network connection startup scripts for services


Lists resolver options


Name Switch Service configuration (see Chapter 11)


Lists domain name server names, IP addresses (nameserver), and domain names where remote hosts may be located (search)


Lists protocols available on your system


Lists available network services, such as FTP and Telnet, and the ports they use

Table 18-6: TCP/IP Configuration Addresses and Files

The format of a domain name entry in the hosts file is the IP address followed by the domain name, separated by a space. You can then add aliases for the hostname. After the entry, on the same line, you can enter a comment. A comment is always preceded by a # symbol. You can already find an entry in your hosts file for localhost with the IP address; localhost is a special identification used by your computer to enable users on your system to communicate locally with each other. The domain name for the local host is localhost.localdomain. The IP address is a special reserved address used by every computer for this purpose. It identifies what is technically referred to as a loopback device. The corresponding IPv6 localhost address is ::1, which also has the domain name localhost6.localdomain6 and the name localhost6. For compatibility it is also given the names localhost as well as ip6-localhost and ip6-loopback. You should never remove the localhost and ip6-localhost or ip6-loopback entries. A sample /etc/hosts file is shown here:

/etc/hosts localhost.localdomain localhost
::1 localhost6.localdomain6 localhost6

# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts
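Because the hosts file is consulted before any name server, an entry in it silently overrides DNS for that name, so it is worth checking after changes. The following audit script is an added example, not part of the book; the sample file contents and host names are constructed, and the three checks (valid address, loopback names still on loopback, required loopback entries present) are one reasonable choice based on the format described above.

```python
import ipaddress

# Names the text says must never be removed from the hosts file.
LOOPBACK_NAMES = {"localhost", "ip6-localhost", "ip6-loopback"}

# Constructed sample: lines 6 and 7 contain deliberate problems.
SAMPLE_HOSTS = """\
127.0.0.1 localhost.localdomain localhost
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
192.168.0.10 fileserver.example.lan fileserver  # LAN host with an alias
203.0.113.7 localhost        # loopback name pointed at another machine
192.168.0.300 printer        # not a valid IPv4 address
"""


def parse_hosts(text):
    """Parse hosts-file text into entries and syntax errors.

    Each entry is (line number, address object, [name, alias, ...]).
    Each error is (line number, message).
    """
    entries, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # a comment runs from # to end of line
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            errors.append((lineno, f"invalid IP address {fields[0]!r}"))
            continue
        if len(fields) < 2:
            errors.append((lineno, "address without a hostname"))
            continue
        entries.append((lineno, addr, fields[1:]))
    return entries, errors


def lookup(text, name):
    """Addresses listed for a name or alias, in file order."""
    entries, _ = parse_hosts(text)
    wanted = name.lower()
    return [str(addr) for _, addr, names in entries
            if wanted in (n.lower() for n in names)]


def audit_hosts(text):
    """Return sorted (line number, message) findings; line 0 = whole file."""
    entries, findings = parse_hosts(text)
    seen = {}  # name -> set of addresses it maps to
    for lineno, addr, names in entries:
        for name in names:
            key = name.lower()
            seen.setdefault(key, set()).add(addr)
            if key in LOOPBACK_NAMES and not addr.is_loopback:
                findings.append(
                    (lineno, f"{name} mapped to non-loopback address {addr}"))
    for name in sorted(LOOPBACK_NAMES):
        if not any(addr.is_loopback for addr in seen.get(name, ())):
            findings.append((0, f"missing loopback entry for {name}"))
    return sorted(findings)


if __name__ == "__main__":
    for lineno, message in audit_hosts(SAMPLE_HOSTS):
        print(f"line {lineno}: {message}")
```

To check a live system, pass the contents of /etc/hosts to audit_hosts in place of the sample text.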


The /etc/resolv.conf file holds the IP addresses for your DNS servers along with domains to search. A DNS entry will begin with the term nameserver followed by the name server’s IP address. A search entry will list network domain addresses. Check this file to see if your network DNS servers have been correctly listed. If you have a router for a local network, DHCP will automatically place an entry for the router in this file and label the router's address as nameserver. The router in turn will reference your ISP's nameserver.




The /etc/network directory holds network interface information used by ifup and ifdown to start up and shut down your networking. Subdirectories for the ifup and ifdown operations, like if-up.d and if-down.d, hold configuration scripts for certain network-related services, such as multicast DNS discovery with Avahi, network time update, or remote file system mounting with NFS. The subdirectories included are if-down.d, if-post-down.d, if-pre-up.d, and if-up.d.


Interfaces are defined in the /etc/network/interfaces file, which usually holds only the configuration for the internal loopback interface. NetworkManager will handle all configurations for network interfaces such as your Ethernet card or wireless connection. A standard Ubuntu version defines the loopback interface, the local network interface for your computer. The auto command will automatically activate the network interface when you boot up.

auto lo
iface lo inet loopback

The /etc/network/interfaces file holds manual network configuration settings, such as those you set with Network Manager. Automatic configurations are also managed by NetworkManager. NetworkManager will run any if-up and if-down scripts in the /etc/network subdirectories.

Should you need to configure your connection manually, you could enter configuration entries directly by editing the /etc/network/interfaces file. The iface command defines the interface. Its arguments are the interface name, the protocol it uses (inet for IPv4 and inet6 for IPv6), and the connection type: static, dhcp, ppp (dial-up), or bootp. Each protocol and connection type can support different options. Check the interface’s man page for details.

The following example sets up a static IP address for the first Ethernet device, eth0, using the IPv4 protocol. The address entry specifies the IP address, along with netmask and gateway for the IP addresses for those servers:

auto eth0
iface eth0 inet static

Should you be using a DHCP server to set up your address information, you would specify dhcp:

auto eth0
iface eth0 inet dhcp

You use the auto entry to specify whether an interface should be started up with the ifup -a command. This command is run by the /etc/init.d/networking script, which is run when your system starts up and whenever you restart networking.

If you make changes, you can then restart the network services with the init networking script:

sudo /etc/init.d/networking restart


The /etc/services file lists network services available on your system, such as FTP and Telnet, and associates each with a particular port. Here, you can find out what port your Web server is checking or what port is used for your FTP server. You can give a service an alias, which you specify after the port number. You can then reference the service using the alias.


The /etc/protocols file lists the TCP/IP protocols currently supported by your system. Each entry shows the protocol number, its keyword identifier, and a brief description. See for a complete listing.

/etc/hostname and hostnamectl

The /etc/hostname file contains your hostname. You can use the hostnamectl command to display your current hostname and all information pertaining to it such as the machine ID, the kernel used, the architecture, chassis (type of computer), and the operating system (you can add the status option if you want). Three different kinds of hostnames are supported: static, pretty, and transient. You can set each with hostnamectl's set-hostname command and the corresponding option. The static hostname is used to identify your computer on the network (usually a fully qualified host name). You can use the --static option to set it. The pretty hostname is a descriptive host name made available to users on the computer. This can be set by set-hostname with the --pretty option. The transient host name is one allocated by a network service such as DHCP, and can be managed with the --transient option. Without options, the set-hostname command will apply the name to all the host name types.

hostnamectl set-hostname --pretty "my computer"

The set-chassis command sets the computer type, which can be desktop, laptop, server, tablet, handset, or vm (virtual system). Without a type specified it reverts to the default for the system. The set-icon-name command sets the name used by the graphical applications for the host.


Name servers are queried by resolvers. These are programs specially designed to obtain addresses from name servers. To use domain names on your system, a resolver must be set up. Your local resolver is configured with your /etc/host.conf and /etc/resolv.conf files.

Your host.conf file lists resolver options (shown in Table 18-7). Each option can have several fields, separated by spaces or tabs. You can use a # at the beginning of a line to enter a comment. The options tell the resolver what services to use. The order of the list is important. The resolver begins with the first option listed and moves on to the next in turn. You can find the host.conf file in your /etc directory, along with other configuration files.




Specifies sequence of name resolution methods:
hosts Checks for name in the local /etc/hosts file
bind Queries a DNS name server for an address
nis Uses Network Information Service protocol to obtain an address


Checks addresses of remote sites attempting to access your system; you turn it on or off with the on and off options


Confirms addresses of remote sites attempting to access your system


Checks your local hosts file; removes the domain name and checks only for the hostname; enables you to use only a hostname in your hosts file for an IP address


Checks your local hosts file; allows a host to have several IP addresses; you turn it on or off with the on and off options

Table 18-7: Resolver Options, host.conf

Your host.conf file will be set up already with a standard configuration for accessing most DNS services. The default host.conf file is shown here. The order option instructs your resolver first to look up names in your local /etc/hosts file, and then, if that fails, to query domain name servers. The system does not have multiple addresses.


# The "order" line is only used by old versions of the C library.
order hosts,bind
# multiple addresses
multi on

Network Interfaces and Routes: ifconfig and route

Your connection to a network is made by your system through a particular hardware interface, such as an Ethernet card or a modem. Data passing through this interface is then routed to your network. The ifconfig command configures your network interfaces, and the route command sets up network connections accordingly. If you configure an interface with a network configuration tool like Network Manager, you needn’t use ifconfig or route. However, you can configure interfaces directly using ifconfig and route, if you want. Every time you start your system, the network interfaces and their routes must be established. This is done automatically for you by NetworkManager. Interfaces and routes are set up when you start up your system by the ifup command run by the /etc/init.d/networking initialization file. The ifup command uses configuration settings in the /etc/network/interfaces file. Alternatively, you can run your own direct configuration with ifconfig and route commands.

Note: As an alternative to ifconfig and route, you can use ip. This is a tool provided by the iproute package. The syntax is much the same. Route commands use the route option, ip route. The ifconfig operations on addresses would use the addr option, ip addr.

Network Startup Script: /etc/init.d/networking

Your network interface is started up using the networking script in the /etc/init.d directory. This script will activate your network interface cards (NICs), as well as implement configuration information such as gateway, host, and name server identities. You can manually shut down and start your network interface using this script and the restart, start, or stop options, as well as NetworkManager. You can run the script with the service command. The following commands shut down and then start up your network interface:

sudo service networking stop
sudo service networking start

If you are changing network configuration, you will have to restart your network interface for the changes to take effect:

sudo service networking restart

To test if your interface is working, use the ping command with an IP address of a system on your network, such as your gateway machine. The ping command continually repeats until you stop it with a CTRL-C.



The ifconfig command takes as its arguments the name of an interface and an IP address, as well as options. The ifconfig command then assigns the IP address to the interface. Your system now knows that such an interface exists, and that it references a particular IP address. In addition, you can specify whether the IP address is a host address or a network address. You can use a domain name for the IP address, provided the domain name is listed along with its IP address in the /etc/hosts file. The syntax for the ifconfig command is as follows:

ifconfig interface -host_net_flag address options

The host_net_flag can be either -host or -net to indicate a host or network IP address. The -host flag is the default. The ifconfig command can have several options, which set different features of the interface, such as the maximum number of bytes it can transfer (mtu) or the broadcast address. The up and down options activate and deactivate the interface. In the next example, the ifconfig command configures an Ethernet interface:

ifconfig eth0




Name of the network interface, such as eth0 for the first Ethernet device or ppp0 for the first PPP device (modem)


Activates an interface; implied if IP address is specified


Deactivates an interface


Turns on or off the promiscuous mode; preceding hyphen (-) turns it off; this allows network monitoring

mtu n: Maximum number of bytes that can be sent on this interface per transmission

dstaddr address: Destination IP address on a point-to-point connection

netmask address: IP network mask; preceding hyphen (-) turns it off

broadcast address: Broadcast address; preceding hyphen (-) turns it off

point-to-point address: Point-to-point mode for interface; if address is included, it is assigned to remote system


Sets hardware address of interface


IP address assigned to interface

Table 18-8: The ifconfig Options

For a simple configuration such as this, ifconfig automatically generates a standard broadcast address and netmask. The standard broadcast address is the network address with the number 255 for the host address. For a class C network, the standard netmask is, whereas for a class A network, the standard netmask is If you are connected to a network with a particular netmask and broadcast address, however, you must specify them when you use ifconfig. The option for specifying the broadcast address is broadcast; for the network mask, it is netmask. Table 18-8 lists several ifconfig options. In the next example, ifconfig includes the netmask and broadcast address:

ifconfig eth0 broadcast netmask

Once you configure your interface, you can use ifconfig with the up option to activate it and with the down option to deactivate it. If you specify an IP address in an ifconfig operation, as in the preceding example, the up option is implied.

ifconfig eth0 up

Point-to-point interfaces such as Parallel IP (PLIP), Serial Line IP (SLIP), and Point-to-Point Protocol (PPP) require you to include the pointopoint option. A PLIP interface name is identified with the name plip with an attached number. For example, plip0 is the first PLIP interface. SLIP interfaces use slip0. PPP interfaces start with ppp0. Point-to-point interfaces are those that usually operate between only two hosts, such as two computers connected over a modem. When you specify the pointopoint option, you need to include the IP address of the host. In the next example, a PLIP interface is configured that connects the computer at IP address with one at If domain addresses were listed for these systems in /etc/hosts, those domain names could be used in place of the IP addresses.

ifconfig plip0 pointopoint

If you need to, you can also use ifconfig to configure your loopback device. The name of the loopback device is lo, and its IP address is the special address The following example shows the configuration:

ifconfig lo

The ifconfig command is useful for checking on the status of an interface. If you enter the ifconfig command along with the name of the interface, information about that interface is displayed:

ifconfig eth0

To see if your loopback interface is configured, you can use ifconfig with the loopback interface name, lo:


A packet that is part of a transmission takes a certain route to reach its destination. On a large network, packets are transmitted from one computer to another until the destination computer is reached. The route determines where the process starts and to what computer your system needs to send the packet for it to reach its destination. On small networks, routing may be static—that is, the route from one system to another is fixed. One system knows how to reach another, moving through fixed paths. On larger networks and on the Internet, however, routing is dynamic. Your system knows the first computer to send its packet off to, and then that computer takes the packet from there, passing it on to another computer, which then determines where to pass it on. For dynamic routing, your system needs to know little. Static routing, however, can become complex because you have to keep track of all the network connections.

Your routes are listed in your routing table in the /proc/net/route file. To display the routing table, enter route with no arguments (the netstat -r command will also display the routing table):

$ route
Kernel routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
* U 0 0 0 eth0
* U 0 0 0 wlan0
link-local * U 1000 0 0 eth0
default UG 0 0 0 eth0

Each entry in the routing table has several fields, providing information such as the route destination and the type of interface used. The different fields are listed in Table 18-9.

With the add argument, you can add routes either for networks with the -net option or with the -host option for IP interfaces (hosts). The -host option is the default. In addition, you can then specify several parameters for information, such as the netmask (netmask), the gateway (gw), the interface device (dev), and the default route (default). If you have more than one IP interface on your system, such as several Ethernet cards, you must specify the name of the interface using the dev parameter. If your network has a gateway host, you use the gw parameter to specify it. If your system is connected to a network, at least one entry should be in your routing table that specifies the default route. This is the route taken by a message packet when no other route entry leads to its destination. The following example is the routing of an Ethernet interface:

route add dev eth0




Destination IP address of the route


IP address or hostname of the gateway the route uses; * indicates no gateway is used


The netmask for the route


Type of route: U = up, H = host, G = gateway, D = dynamic, M = modified


Metric cost of route


Number of routes that depend on this one


TCP window for AX.25 networks


Number of times used


Type of interface this route uses

Table 18-9: Routing Table Entries
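The /proc/net/route file holds the same table in raw form: addresses appear as eight hexadecimal digits and the flags as a bit mask. The parser below is an added example, not code from the book; it decodes that file into the fields of Table 18-9 and reports gateways that are not on an approved list. The sample table and the approved gateway are constructed values, and the byte order assumes a little-endian machine such as x86.

```python
import ipaddress

# Kernel route flag bits and the letters route prints for them.
FLAG_BITS = [(0x0001, "U"), (0x0002, "G"), (0x0004, "H"),
             (0x0010, "D"), (0x0020, "M")]

# Constructed sample in /proc/net/route layout (the real file uses tabs).
SAMPLE_PROC_ROUTE = """\
Iface Destination Gateway  Flags RefCnt Use Metric Mask     MTU Window IRTT
eth0  00000000    0100A8C0 0003  0      0   0      00000000 0   0      0
eth0  0000A8C0    00000000 0001  0      0   0      00FFFFFF 0   0      0
eth0  0000FEA9    00000000 0001  0      0   1000   0000FFFF 0   0      0
eth0  0000000A    4200A8C0 0003  0      0   0      000000FF 0   0      0
"""


def _addr(hexfield):
    """Decode one address column.

    The kernel prints the 32-bit value in host byte order, so on a
    little-endian machine the four bytes appear reversed.
    """
    return ipaddress.IPv4Address(bytes.fromhex(hexfield)[::-1])


def parse_proc_route(text):
    """Return one dict per route with decoded destination, gateway and flags."""
    lines = [line for line in text.splitlines() if line.strip()]
    header = lines[0].split()
    routes = []
    for line in lines[1:]:
        row = dict(zip(header, line.split()))
        flags = int(row["Flags"], 16)
        prefixlen = bin(int(_addr(row["Mask"]))).count("1")
        destination = ipaddress.IPv4Network(
            (int(_addr(row["Destination"])), prefixlen), strict=False)
        routes.append({
            "iface": row["Iface"],
            "destination": destination,
            # The gateway column is only meaningful when the G flag is set.
            "gateway": _addr(row["Gateway"]) if flags & 0x0002 else None,
            "flags": "".join(letter for bit, letter in FLAG_BITS if flags & bit),
            "metric": int(row["Metric"]),
        })
    return routes


def default_gateways(routes):
    """Gateways of the default route(s), i.e. destination 0.0.0.0/0."""
    return [str(r["gateway"]) for r in routes
            if r["destination"].prefixlen == 0 and r["gateway"] is not None]


def unexpected_gateways(routes, allowed):
    """Routes that send traffic through a gateway not in the allowed set."""
    return [(str(r["destination"]), str(r["gateway"]), r["iface"])
            for r in routes
            if r["gateway"] is not None and str(r["gateway"]) not in allowed]


if __name__ == "__main__":
    table = parse_proc_route(SAMPLE_PROC_ROUTE)
    for r in table:
        print(f'{str(r["destination"]):18} {str(r["gateway"] or "*"):15} '
              f'{r["flags"]:4} {r["metric"]:5} {r["iface"]}')
    print("unexpected:", unexpected_gateways(table, {"192.168.0.1"}))
```

On a live system, read the text with open("/proc/net/route").read() and supply your own list of approved gateways.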

If your system has only the single Ethernet device as your IP interface, you could leave out the dev eth0 parameter:

route add

You can delete any route you establish by invoking route with the del argument and the IP address of that route, as in this example:

route del

For a gateway, you first add a route to the gateway interface, and then add a route specifying that it is a gateway. The address of the gateway interface in this example is

route add
route add default gw

If you are using the gateway to access a subnet, add the network address for that network (in this example,

route add -net gw dev eth1

To add another IP address to a different network interface on your system, use the ifconfig and route commands with the new IP address. The following command configures a second Ethernet card (eth1) with the IP address

ifconfig eth1
route add dev eth1

Tip: InfiniBand is often used as a replacement for local network connections. Check the Linux InfiniBand Project at

Monitoring Your Network: ping, netstat, tcpdump, Ettercap, Wireshark, and Nagios

Several applications are available on Linux to let you monitor your network activity. Graphical applications like EtherApe, Ettercap, and Wireshark provide detailed displays and logs to let you analyze and detect network usage patterns. Other tools like ping, netstat, and traceroute offer specific services. Table 18-10 lists various network information tools.

The EtherApe, Ettercap, and Wireshark tools can be accessed on the Applications | Internet menu. Tools like ping, traceroute, and netstat can be accessed from Applications | Administration | Network Tools, or they can be run individually on a command line (Terminal window). EtherApe provides a simple graphical display for your protocol activity. The Preferences dialog lets you set features like the protocol to check and the kind of traffic to report.

GNOME Network Tools: gnome-nettool

The GNOME Nettool utility (gnome-nettool) provides a GNOME interface for network information tools, like the ping and traceroute operations as well as Finger, Whois, and Lookup for querying users and hosts on the network (see Figure 18-4). Nettool is installed by default and is accessible from Applications | Other | Network Tools. The first tab, Devices, describes your connected network devices, including configuration and transmission information about each device, such as the hardware address and bytes transmitted. Both IPv4 and IPv6 host IP addresses are listed.

sudo apt-get install gnome-nettool

You can use the ping, finger, lookup, whois, and traceroute operations to find out status information about systems and users on your network. The ping operation is used to check if a remote system is up and running. You use finger to find out information about other users on your network, seeing if they are logged in or if they have received mail. The traceroute tool can be used to track the sequence of computer networks and systems your message passed through on its way to you. Whois will provide domain name information about a particular domain, and Lookup will provide both domain name and IP addresses. Netstat shows your network routing (addresses used) and active service (open ports and the protocols they use). Port Scan lists the ports and services they use on a given connection (address); use for your local computer.

Figure 18-4: Gnome network tool

Network Information: ping, finger, traceroute, and host

You can use the ping, finger, traceroute, and host commands to find out status information about systems and users on your network. The ping command is used to check if a remote system is up and running. You use finger to find out information about other users on your network, seeing if they are logged in or if they have received mail; host displays address information about a system on your network, giving you a system’s IP and domain name addresses; and traceroute can be used to track the sequence of computer networks and systems your message passed through on its way to you.


The ping command detects whether a system is up and running. ping takes as its argument the name of the system you want to check. If the system you want to check is down, ping issues a timeout message indicating a connection could not be made. The ping program sends a request to the host for a reply. The host then sends a reply back, and it is displayed on your screen. The ping program continually sends such a request until you stop it with a break command, by pressing CTRL-C. You see one reply after another scroll by on your screen until you stop the program. If ping cannot access a host, it issues a message saying the host is unreachable. If ping fails, it can indicate that your network connection is not working; the cause may be only the particular interface, a basic configuration problem, or a bad physical connection. The ping utility uses ICMP, discussed in Chapter 17. Networks may block this protocol as a security measure, which also prevents ping from working. A ping failure may simply indicate a security precaution on the part of the queried network.

Network Information Tools



Detects whether a system is connected to the network.


Obtains information about users on the network.


Checks what users are currently online.


Obtains domain information.


Obtains network address information about a remote host.


Tracks the sequence of computer networks and hosts your message passes through.


Protocol analyzer to examine network traffic.


GNOME interface for various network tools including ping, finger, and traceroute.

mtr and xmtr

My traceroute combines both ping and traceroute operations (Traceroute on System Tools menu).


Analyze protocol activity


Sniffer program for man-in-middle attacks


Real time network status monitor


Capture and save network packets


Nagios network monitoring, nagios3 package, /etc/nagios3 configuration directory, http://localhost/nagios3 browser access

Table 18-10: Network Tools

To use ping, enter ping and the name of the host. The next example checks to see if is up and connected to the network:

$ ping
PING ( 56(84) bytes of data.
64 bytes from ( icmp_seq=1 ttl=48 time=609 ms
64 bytes from ( icmp_seq=2 ttl=48 time=438 ms
64 bytes from ( icmp_seq=3 ttl=48 time=568 ms
--- ping statistics ---
4 packets transmitted, 3 received, 25% packet loss, time 3554ms
rtt min/avg/max/mdev = 438.939/539.125/609.885/72.824 ms

You can also use ping with an IP address instead of a domain name. With an IP address, ping can try to detect the remote system directly without having to go through a domain name server to translate the domain name to an IP address. This can be helpful for situations where your network’s domain name server may be temporarily down and you want to check if a particular remote host on your network is connected.


finger and who

You can use the finger command to obtain information about other users on your network and the who command to see what users are currently online on your system. The who and w commands list all users currently connected, along with when, how long, and where they logged in. The w command provides more detailed information. It has several options for specifying the level of detail. The who command is meant to operate on a local system or network; finger can operate on large networks, including the Internet, though most systems block it for security reasons.


With the host command, you can find network address information about a remote system connected to your network. The information usually consists of a system’s IP address, domain name address, domain name nicknames, and mail server. This information is obtained from your network’s domain name server. For the Internet, this includes all systems you can connect to over the Internet.

The host command is an effective way to determine a remote site’s IP address or URL. If you have only the IP address of a site, you can use host to find out its domain name. For network administration, an IP address can be helpful for making your own domain name entries in your /etc/hosts file. That way, you needn’t rely on a remote domain name server (DNS) for locating a site.

$ host has address mail is handled by 10

$ host domain name pointer


Internet connections are made through various routes, traveling through a series of interconnected gateway hosts. The path from one system to another could take different routes, some of which may be faster than others. For a slow connection, you can use traceroute to check the route through which you are connected to a host, monitoring the speed and the number of intervening gateway connections a route takes. The traceroute command takes as its argument the hostname or IP address of the system whose route you want to check. Options are available for specifying parameters like the type of service (-t) or the source host (-s). The traceroute command will return a list of hosts the route traverses, along with the times for three probes sent to each gateway. Times greater than five seconds are displayed with an asterisk, *.


You can also use the mtr or xmtr tools to perform both ping and traces (Traceroute on the System Tools menu).


Ettercap is a sniffer program designed to detect Man in the Middle attacks. In this kind of attack, packets are detected and modified in transit to let an unauthorized user access a network. You can use either its graphical interface or its command line interface. Ettercap can perform Unified sniffing on all connections, or Bridged sniffing on a connection between network interfaces. Ettercap uses plugins for specific tasks, like dos_attack to detect Denial of Service attacks and dns_spoof for DNS spoofing detection. Check the plugins Help tab, or enter ettercap -P list for a complete listing. Ettercap can be run in several modes, including a text mode, a command line cursor mode, a script mode using commands in a file, and even as a daemon logging results automatically.


Wireshark is a network protocol analyzer that lets you capture packets transmitted across your network, selecting and examining those from protocols you want to check. You can examine packets from particular transmissions, displaying the data in readable formats. You can access Wireshark from Applications | Internet | Wireshark. The Wireshark interface displays three panes: a listing of current packets, the protocol tree for the currently selected packet, and a display of the selected packet’s contents. The first pane categorizes entries by time, source, destination, and protocol, with button headers for each. To sort a set of entries by a particular category, you click its header. For example, to group entries by protocol, click the Protocol button; for destinations, click the Destination button.

Capture Options

To configure Wireshark, you select the Options entry from the Capture menu (Capture | Options). This opens an options window where you can select the network interface to watch. Here you can also select options, such as the file in which to hold your captured information and a size limit for the capture, along with a filter to screen packets. With the promiscuous mode selected, you can see all network traffic passing through that device, whereas with it off, you will see only those packets destined for that device. You can then click the start button to start Wireshark. To stop and start Wireshark, you select the Stop and Start entries on the Capture menu.

The Capture Files option lets you select a file to save your capture in. If no file is selected, then data is simply displayed in the Wireshark window. If you want to keep a continuous running snapshot of your network traffic, you can use ring buffers. These are a series of files that are used to save captured data. When they fill up, the capture begins saving again to the first file, and so on. Check "Use multiple files" to enable this option.

Limit lets you set a limit for the capture packet size.

Capture Filter lets you choose the type of protocol you want to check.

Display Options control whether packets are displayed in real time on the Wireshark window.

"Enable network name resolution" enables the display of host and domain names instead of IP addresses, if possible.

Wireshark Filters

A filter lets you select packets that match specified criteria, such as packets from a particular host. Criteria are specified using expressions supported by the Packet Capture Library and implemented by tcpdump. Wireshark filters use expressions similar to those used by the tcpdump command. Check the tcpdump Man page for detailed descriptions.

You can set up either a Search filter in the Find tab (Edit menu) to search for certain packets, or set up a Capture Filter in the Options tab (Capture menu) to select which packets to record. The filter window is the same for both. On the filter window you can select the protocol you want to search or capture. The Filter name and string will appear in the Properties segment. You can also enter your own string, setting up a new filter of your own. The string must be a filter expression.

To create a new filter, enter the name you want to give it in the Filter Name box. Then in the Filter String box, enter the filter expression, like icmp. Then click New. Your new filter will appear in the list. To change a filter, select it and change its expression in the Filter String box, then click Change.

A filter expression consists of an ID, such as the name or number of host, and a qualifier. Qualifiers come in three types: type, direction, and protocol. The type can reference the host, network, or port. The type qualifiers are host, net, and port. Direction selects either source or destination packets, or both. The source qualifier is src, and the destination qualifier is dst. With no destination qualifier, both directions are selected. Protocol lets you specify packets for a certain protocol. Protocols are represented using their lowercase names, such as icmp for ICMP. For example, the expression to list all packets coming in from a particular host would be src host hostname, where hostname is the source host. The following example will display all packets from the host:

src host

Using just host will check for all packets going out as well as coming in for that host. The port qualifier will check for packets passing through a particular port. To check for a particular protocol, you use the protocol name. For example, to check for all ICMP packets you would use the expression


There are also several special qualifiers that let you further control your selection. The gateway qualifier lets you detect packets passing through a gateway. The broadcast and multicast qualifiers detect packets broadcast to a network. The greater and less qualifiers can be applied to numbers such as ports or IP addresses.

You can combine expressions into a single complex Boolean expression using and, or, or not. This lets you create a more refined filter. For example, to capture only the ICMP packets coming in from host, you can use

src host and icmp
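The way the type, direction, and protocol qualifiers select packets can be checked with a small evaluator run over sample traffic. The following Python code is an added example, not code from Wireshark, tcpdump, or the Packet Capture Library; it covers only numeric addresses and the host, net, port, src, dst, icmp, tcp, udp, and, or, and not keywords (no parentheses), and the packet records, addresses, and function names are constructed for illustration.

```python
import ipaddress

PROTOCOLS = {"icmp", "tcp", "udp"}

def _primitive(tokens, pkt):
    """Consume one primitive: [not] [src|dst] host|net|port ID, or a protocol name."""
    tok = tokens.pop(0)
    if tok == "not":                          # negation binds tightest
        return not _primitive(tokens, pkt)
    if tok in PROTOCOLS:                      # protocol qualifier, e.g. icmp
        return pkt["proto"] == tok
    sides = ["src", "dst"]                    # no direction qualifier: either side
    if tok in sides:                          # direction qualifier: src or dst
        sides, tok = [tok], tokens.pop(0)
    if tok not in ("host", "net", "port"):    # type qualifier
        raise ValueError(f"unsupported qualifier: {tok!r}")
    ident = tokens.pop(0)                     # the ID the qualifiers apply to
    if tok == "port":
        return any(pkt[s + "_port"] == int(ident) for s in sides)
    if tok == "host":                         # numeric addresses only, no DNS lookup
        return any(ipaddress.ip_address(pkt[s]) == ipaddress.ip_address(ident) for s in sides)
    return any(ipaddress.ip_address(pkt[s]) in ipaddress.ip_network(ident) for s in sides)

def matches(expression, pkt):
    """Evaluate a filter expression against one packet record."""
    tokens = expression.split()
    try:
        result = _primitive(tokens, pkt)
        while tokens:
            op = tokens.pop(0)
            if op not in ("and", "or"):
                raise ValueError(f"expected 'and' or 'or', got {op!r}")
            rhs = _primitive(tokens, pkt)     # always consume the right-hand side
            # pcap filters give 'and' and 'or' equal precedence, left to right
            result = (result and rhs) if op == "and" else (result or rhs)
    except IndexError:
        raise ValueError("incomplete filter expression") from None
    return result

def _pkt(src, dst, proto, src_port=None, dst_port=None):
    return {"src": src, "dst": dst, "proto": proto, "src_port": src_port, "dst_port": dst_port}

# Constructed sample traffic (documentation address ranges), not a real capture.
PACKETS = [
    _pkt("192.0.2.10", "192.0.2.1", "icmp"),                 # 0: echo request
    _pkt("192.0.2.1", "192.0.2.10", "icmp"),                 # 1: echo reply
    _pkt("192.0.2.10", "198.51.100.7", "tcp", 40112, 80),    # 2: web request
    _pkt("198.51.100.7", "192.0.2.10", "tcp", 80, 40112),    # 3: web response
    _pkt("203.0.113.5", "192.0.2.1", "udp", 5353, 53),       # 4: DNS query
]

def select(expression, packets=PACKETS):
    """Return the indexes of the packets the expression selects."""
    return [i for i, p in enumerate(packets) if matches(expression, p)]

if __name__ == "__main__":
    for expr in ("src host 192.0.2.10", "host 192.0.2.10", "src host 192.0.2.10 and icmp"):
        print(f"{expr!r:35} -> {select(expr)}")
```

Because and and or are applied left to right, icmp or tcp and dst port 80 selects only the web request in this sample, not the ICMP packets.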


Like Wireshark, tcpdump will capture network packets, saving them in a file where you can examine them. tcpdump operates entirely from the command line. You will have to open a terminal window to run it. Using various options, you can refine your capture, specifying the kinds of packets you want. tcpdump uses a set of options to specify actions you want to take, which include limiting the size of the capture, deciding which file to save it to, and choosing any filter you want to apply to it. Check the tcpdump Man page for a complete listing of options.

The -i option lets you specify an interface to listen to.

With the -c option, you can limit the number of packets to capture.

Packets will be output to the standard output by default. To save them to a file, you can use the -w option.

You can later read a packet file using the -r option and apply a filter expression to it.

The tcpdump command takes as its argument a filter expression that you can use to refine your capture. Wireshark uses the same filter expressions as tcpdump (see the filters discussion in Wireshark).


The netstat program provides real-time information on the status of your network connections, as well as network statistics and the routing table. The netstat command has several options you can use to bring up different sorts of information about your network.

$ netstat
Active Internet connections
Proto Recv-Q Send-Q Local Address Foreign Address (State) User
tcp 0 0 ESTABLISHED dylan
Active UNIX domain sockets
Proto RefCnt Flags Type State Path
unix 1 [ ACC ] SOCK_STREAM LISTENING /dev/printer
unix 2 [ ] SOCK_STREAM CONNECTED /dev/log
unix 1 [ ACC ] SOCK_STREAM LISTENING /dev/nwapi
unix 2 [ ] SOCK_STREAM CONNECTED /dev/log
unix 1 [ ACC ] SOCK_STREAM LISTENING /dev/log

The netstat command with no options lists the network connections on your system. First, active TCP connections are listed, and then the active domain sockets are listed. The domain sockets contain processes used to set up communications among your system and other systems. You can use netstat with the -r option to display the routing table, and netstat with the -i option displays the uses of the different network interfaces.
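To review which open ports other systems can reach, the netstat listing can be parsed by a script. The following Python code is an added example, not part of netstat or of the original text; it assumes the numeric TCP listener listing printed by netstat -tln, and the sample output, addresses, and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample of `netstat -tln` output (assumed net-tools layout), not from a real host.
SAMPLE = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:5666         0.0.0.0:*               LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN
tcp6       0      0 ::1:631                 :::*                    LISTEN
"""

def listeners(netstat_output):
    """Yield (proto, address, port) for each TCP socket in the LISTEN state."""
    for line in netstat_output.splitlines():
        fields = line.split()
        # Socket rows have exactly six columns; skip the banner and header lines.
        if len(fields) != 6 or not fields[0].startswith("tcp") or fields[5] != "LISTEN":
            continue
        # Split on the last colon so IPv6 addresses such as ::1 stay intact.
        address, port = fields[3].rsplit(":", 1)
        yield fields[0], ipaddress.ip_address(address), int(port)

def exposed(netstat_output):
    """Return (proto, address, port, scope) for listeners not bound to loopback."""
    report = []
    for proto, addr, port in listeners(netstat_output):
        if addr.is_loopback:
            continue                      # reachable only from this machine
        scope = "all interfaces" if addr.is_unspecified else "one interface"
        report.append((proto, str(addr), port, scope))
    return report

if __name__ == "__main__":
    for row in exposed(SAMPLE):
        print(*row)
```

Listeners bound to 0.0.0.0 or :: accept connections on every interface, so those rows are the first to compare against the services you intend to offer.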


Ubuntu also supports Nagios, the enterprise level network monitoring software. You can install Nagios with the nagios3 package. All dependent Nagios packages will be selected and installed, including nagios3-doc for documentation and nagios-plugins for servers like DNS, MySQL, and NTP. To install you can use apt-get, aptitude, or, from the desktop, the Synaptic Package Manager.

sudo apt-get install nagios3

Make sure that the nagios3 server is running. If not, enter the following at the command line or in a terminal window to start it.

sudo service nagios3 start

When you install nagios, you will be prompted to enter an administrative password. A Debconf dialog will appear labeled "Configuring nagios3-cgi", with prompts to enter the password and repeat the password. This is the password you will use to access Nagios.

You then open your browser and access your nagios interface with the following URL.


You will be prompted to enter a user and password. Use the user nagiosadmin and the password you were prompted to enter when you installed nagios.


The Nagios Web interface is then displayed as shown in Figure 18-5 .

Using the links listed on the left sidebar you can then display different monitoring information like the service status for hosts on your network (see Figure 18-6 ). It is possible to run nagios from the command line using the lynx Web browser.

Figure 18-5: Nagios 3 network monitoring Web interface

Configuration files for nagios3 are located at /etc/nagios3, and the configuration files for different plugins are located at /etc/nagios-plugins/config. The main configuration file is nagios.cfg, an editable text file with detailed comments for each directive. The apache2.conf file sets up script aliases mapping nagios to the nagios3 directories and files. An AuthUserFile directive specifies that the Nagios Web page user and password file is /etc/nagios3/htpasswd.users.

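You can later create or change the nagios user and password with the following command entered in a terminal window. You will be prompted to enter a new password twice. The -c option creates the password file and overwrites an existing one, so omit -c when the file already holds other users you want to keep.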

sudo htpasswd -c /etc/nagios3/htpasswd.users nagiosadmin

The Nagios application and plugins are supported directly by Ubuntu as part of the main repository. Nagios also provides a remote plugin server that allows Nagios plugins to run on remote hosts. The Nagios Remote Plugin Executor server (NRPE) is part of the Universe repository. Install both the nagios-nrpe-server and the nagios-nrpe-plugin packages.

sudo apt-get install nagios-nrpe-server nagios-nrpe-plugin

The NRPE server script is nagios-nrpe-server.

sudo service nagios-nrpe-server start

The configuration files for the NRPE server are located at /etc/nagios.

Figure 18-6: Nagios 3 network monitoring Service Status