@aw-junaid
Created January 30, 2026 14:23
A comprehensive guide to essential Linux networking commands used for monitoring connections, SMB access, DNS enumeration, IP configuration, MAC spoofing, packet control, and network troubleshooting. Ideal for cybersecurity professionals, penetration testers, and system administrators.

Essential Linux Network Commands for Cyber Security & System Administration

Note: A few tools are deprecated on modern Linux (e.g., ifconfig, route, netstat). I include them, but I also include the modern ip replacements.


1) Monitor connections / sockets

ss (modern replacement for netstat)

  • Show TCP sockets with process info

    ss -tp

    What it does: Lists TCP sockets and shows the owning process (-p) and TCP info (-t). Useful to see which program is connected to where.

  • Show listening TCP/UDP ports with processes

    ss -tulpn

    What it does: Shows listening sockets:

    • -t TCP, -u UDP, -l listening, -p process, -n numeric (no DNS).
  • Watch changes live

    watch -n 1 'ss -tulpn'

    What it does: Re-runs the command every 1 second.

netstat (older)

  • All TCP connections

    netstat -ant

    What it does: -a all, -n numeric, -t TCP.

  • All UDP sockets

    netstat -anu

    What it does: -u UDP.

  • Listening ports with PID/program

    sudo netstat -tulpn

    What it does: Shows listeners and the PID/program name (needs root for full info).

lsof (map ports to processes)

  • Show network sockets

    sudo lsof -i

    What it does: Lists processes using network sockets.

  • Only established connections

    sudo lsof -i -n -P | grep ESTABLISHED

    What it does: -n -P avoids DNS and service-name lookups (faster, clearer).

  • Who is using a specific port

    sudo lsof -i :443
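The commands above tell you what is listening; the usual follow-up on a host you defend is to compare that list against what should be listening. The script below is an added example (not part of the gist) that takes the text of `ss -tulpn` and prints every listening socket whose protocol, port and owning program are not on an allow-list. The `ss` output and the allow-list are constructed samples; replace `SAMPLE_SS` with `"$(sudo ss -tulpn)"` on a real host.

```shell
#!/bin/sh
# Added example: flag listening sockets that are not on an allow-list.
# Input is the text of `ss -tulpn`; the sample below is constructed, not captured.

SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*     users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      511        127.0.0.1:80         0.0.0.0:*     users:(("nginx",pid=1201,fd=6))
tcp   LISTEN 0      128          0.0.0.0:4444       0.0.0.0:*     users:(("nc",pid=9911,fd=3))
udp   UNCONN 0      0            0.0.0.0:68         0.0.0.0:*     users:(("dhclient",pid=640,fd=6))'

# Allow-list of "proto:port:program" triples expected on this host (constructed).
ALLOWED="tcp:22:sshd tcp:80:nginx udp:68:dhclient"

# unexpected_listeners <ss_output>
# Prints one "proto port program" line for each socket not covered by ALLOWED.
unexpected_listeners() {
    printf '%s\n' "$1" | awk -v allowed="$ALLOWED" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    NR == 1 { next }                       # skip the header row
    {
        proto = $1
        port = $5; sub(/.*:/, "", port)    # text after the last ":" of Local Address:Port
        prog = "?"                         # "?" when ss could not read the owner (no root)
        if (match($0, /users:\(\("[^"]+"/))
            prog = substr($0, RSTART + 9, RLENGTH - 10)
        key = proto ":" port ":" prog
        if (!(key in ok)) print proto, port, prog
    }'
}

# count_unexpected <ss_output>: number of unexpected listeners (0 means clean).
count_unexpected() {
    unexpected_listeners "$1" | awk 'END { print NR }'
}

# Stand-alone run: report on the constructed sample.
unexpected_listeners "$SAMPLE_SS"
```

Run as root (or via `sudo ss -tulpn`) so that the process column is populated; without it every socket shows up with program `?` and will be reported, which is the safe direction to fail in.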

2) IP addressing, interfaces, routes (legacy + modern)

Legacy: ifconfig (deprecated but still common)

  • Set IP + netmask (CIDR-like usage depends on distro)

    sudo ifconfig eth0 192.168.1.10 netmask 255.255.255.0 up

    What it does: Assigns an IPv4 address and netmask to eth0.

  • Create a “virtual/alias” interface (old style)

    sudo ifconfig eth0:1 192.168.1.11 netmask 255.255.255.0 up

    What it does: Adds an additional IP using the legacy alias format. (Modern systems use ip addr add instead.)

  • Change MTU

    sudo ifconfig eth0 mtu 1400

    What it does: Sets maximum packet size for that interface.

  • Change MAC address (old style)

    sudo ifconfig eth0 hw ether 00:11:22:33:44:55

    What it does: Spoofs the MAC (usually requires interface down first).

Legacy: route (deprecated)

  • Add default gateway
    sudo route add default gw 192.168.1.1 eth0
    What it does: Sets the default route via the gateway.

Modern: ip (recommended)

  • Show interfaces and IPs

    ip addr
  • Bring interface up/down

    sudo ip link set dev eth0 up
    sudo ip link set dev eth0 down
  • Add IP address (“hidden interface” in your note = additional address on same interface)

    sudo ip addr add 192.168.1.11/24 dev eth0

    What it does: Adds a second IP to the same NIC (this is the modern replacement for eth0:1).

  • Show routes

    ip route
  • Add default route

    sudo ip route add default via 192.168.1.1 dev eth0
  • Change MTU

    sudo ip link set dev eth0 mtu 1400
  • Change MAC

    sudo ip link set dev eth0 down
    sudo ip link set dev eth0 address 00:11:22:33:44:55
    sudo ip link set dev eth0 up

3) MAC changing tools

  • Using an environment variable

    export MAC="00:11:22:33:44:55"

    What it does: Only stores a value in your shell variable; it does not change the MAC by itself.

  • macchanger

    sudo macchanger -m 00:11:22:33:44:55 eth0

    What it does: Sets the MAC to a chosen value. Useful options:

    sudo macchanger -r eth0   # random MAC
    sudo macchanger -s eth0   # show current MAC
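Two checks are worth having next to these commands: validate an address before handing it to `ip link set ... address` or `macchanger -m` (the kernel rejects multicast addresses, and a typo leaves the interface down), and spot from `macchanger -s` whether an interface is running on something other than its burned-in address. The script below is an added example, not part of the gist; the `macchanger -s` output it parses is a constructed sample, and the two-line "Current MAC / Permanent MAC" format is assumed from that tool's normal output.

```shell
#!/bin/sh
# Added example: validate a MAC address and detect a non-burned-in address from
# `macchanger -s` output. Sample output below is constructed, not captured.

# valid_unicast_mac <mac>: 0 if <mac> is six colon-separated hex octets whose first
# octet has the multicast bit (0x01) clear; a multicast MAC is never usable as an
# interface address.
valid_unicast_mac() {
    mac=$1
    printf '%s' "$mac" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$' || return 1
    first=$(printf '%d' "0x${mac%%:*}")
    [ $((first & 1)) -eq 0 ]
}

# locally_administered <mac>: 0 if the locally administered bit (0x02) of the first
# octet is set, i.e. the address was not assigned from a vendor OUI. Randomised
# addresses (macchanger -r without -b) usually carry this bit.
locally_administered() {
    first=$(printf '%d' "0x${1%%:*}")
    [ $((first & 2)) -ne 0 ]
}

# field_mac <Current|Permanent> <macchanger -s output>: extract one address.
field_mac() {
    printf '%s\n' "$2" | awk -v label="$1" '$1 == label { print $3; exit }'
}

# mac_spoofed <macchanger -s output>: 0 when the running MAC differs from the
# permanent (burned-in) one.
mac_spoofed() {
    cur=$(field_mac Current "$1")
    perm=$(field_mac Permanent "$1")
    [ -n "$cur" ] && [ -n "$perm" ] && [ "$cur" != "$perm" ]
}

# Constructed samples of `macchanger -s eth0` output.
SAMPLE_MACCHANGER='Current MAC:   02:9f:4b:7c:1d:e0 (unknown)
Permanent MAC: 08:00:27:5f:72:0a (CADMUS COMPUTER SYSTEMS)'
SAMPLE_MACCHANGER_CLEAN='Current MAC:   08:00:27:5f:72:0a (CADMUS COMPUTER SYSTEMS)
Permanent MAC: 08:00:27:5f:72:0a (CADMUS COMPUTER SYSTEMS)'

# Stand-alone run on the constructed samples.
if mac_spoofed "$SAMPLE_MACCHANGER"; then
    echo "interface is not on its burned-in MAC: $(field_mac Current "$SAMPLE_MACCHANGER")"
fi
```

On a real host, feed `"$(sudo macchanger -s eth0)"` to `mac_spoofed`; the locally-administered check is a useful second signal when you inventory interfaces with `ip link` and want to know which addresses were never vendor-assigned.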

4) Wireless scanning

  • Scan Wi‑Fi networks (legacy)
    sudo iwlist wlan0 scan
    What it does: Lists nearby APs, channels, signal, encryption, etc.

Important modern additions

  • Show wireless device status
    iw dev
  • Scan (modern)
    sudo iw dev wlan0 scan | less
  • NetworkManager CLI (common on desktops)
    nmcli dev wifi list

5) Simple listeners and quick servers

Netcat

  • Listen on a TCP port
    nc -lvnp 4444
    What it does: Opens a TCP listener:
    • -l listen, -v verbose, -n numeric, -p local port.

Python web server

  • Serve current directory over HTTP
    python3 -m http.server 8000
    What it does: Starts a basic HTTP server on port 8000.

6) DNS / name resolution / zone transfer

  • Reverse DNS lookup

    dig -x 8.8.8.8

    What it does: Finds PTR record (hostname) for an IP.

  • Resolve an IP/host

    host 8.8.8.8
    host example.com
  • Query SRV records

    host -t SRV _service._tcp.example.com

    What it does: Finds service discovery records (common in AD, SIP, etc.).

  • Attempt DNS zone transfer (AXFR)

    dig @ns1.example.com example.com AXFR

    or

    host -l example.com ns1.example.com

    What it does: Tries to transfer all DNS records from a nameserver (usually blocked unless misconfigured).
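When you run the AXFR command against your own nameserver, the answer you want is a refusal; the script below is an added example (not part of the gist) that reads the output of `dig ... AXFR` and tells you whether the server handed the zone over, how many records it returned and of which types. Both `dig` outputs are constructed samples; the `;; XFR size:` summary line and the `; Transfer failed.` marker are assumed from dig's usual output format.

```shell
#!/bin/sh
# Added example: decide from `dig @server zone AXFR` output whether a zone
# transfer was permitted, and summarise what was returned. Samples are constructed.

SAMPLE_AXFR_OK=$(cat <<'EOF'
; <<>> DiG 9.18.24 <<>> @ns1.example.com example.com AXFR
; (1 server found)
;; global options: +cmd
example.com.       3600  IN  SOA  ns1.example.com. hostmaster.example.com. 2026013001 7200 900 1209600 3600
example.com.       3600  IN  NS   ns1.example.com.
www.example.com.   300   IN  A    192.0.2.10
example.com.       3600  IN  SOA  ns1.example.com. hostmaster.example.com. 2026013001 7200 900 1209600 3600
;; Query time: 12 msec
;; SERVER: 192.0.2.1#53(ns1.example.com) (TCP)
;; WHEN: Fri Jan 30 14:23:00 UTC 2026
;; XFR size: 4 records (messages 1, bytes 210)
EOF
)

SAMPLE_AXFR_REFUSED=$(cat <<'EOF'
; <<>> DiG 9.18.24 <<>> @ns1.example.com example.com AXFR
; (1 server found)
;; global options: +cmd
; Transfer failed.
EOF
)

# axfr_records <dig output>: print only the resource records (non-comment lines).
axfr_records() {
    printf '%s\n' "$1" | awk '$0 !~ /^;/ && NF >= 4'
}

# axfr_allowed <dig output>: 0 when the server answered with at least one record.
axfr_allowed() {
    printf '%s\n' "$1" | grep -q '^;; XFR size: [1-9]'
}

# axfr_type_counts <dig output>: "TYPE count" per record type, sorted; tells you
# how much of the zone (A, SRV, TXT, ...) a misconfigured server is exposing.
axfr_type_counts() {
    axfr_records "$1" | awk '{ c[$4]++ } END { for (t in c) print t, c[t] }' | sort
}

# Stand-alone run on the constructed samples.
if axfr_allowed "$SAMPLE_AXFR_OK"; then
    echo "zone transfer permitted, records by type:"
    axfr_type_counts "$SAMPLE_AXFR_OK"
fi
axfr_allowed "$SAMPLE_AXFR_REFUSED" || echo "second server refused the transfer (expected)"
```

On a real server, `axfr_allowed "$(dig @ns1.example.com example.com AXFR)"` returning 0 from a host that is not a secondary means the `allow-transfer` restriction needs fixing.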


7) SMB / Windows shares

Accessing shares

  • Linux file manager style URL
    smb://IP_OR_HOST/SHARE

    What it does: URI used by GUI tools (Nautilus, etc.).

Mount SMB share to a folder

  • Mount a Windows share
    sudo mount -t cifs //192.168.1.50/share /mnt/share -o username=user
    Common options:
    • -o username=user,password=pass,domain=DOMAIN
    • -o vers=3.0 (sometimes needed)

Connect with smbclient

  • Interactive SMB client

    smbclient //192.168.1.50/share -U user

    What it does: FTP-like shell to list/get/put files.

  • List shares on a host

    smbclient -L //192.168.1.50 -U user

Your original smbclient -0 ... was likely meant to be -U for username.


8) NFS / showmount

  • List NFS exports

    showmount -e 192.168.1.60

    What it does: Shows exported NFS directories.

  • Mount NFS export

    sudo mkdir -p /site_backups
    sudo mount -t nfs 192.168.1.60:/ /site_backups

    What it does: Mounts the remote NFS export locally.


9) Logs / DHCP info

  • DHCP-related messages (depends on distro)
    grep -i dhcp /var/log/messages
    What it does: Searches classic syslog for DHCP entries.

Important modern addition (systemd-based distros)

journalctl -u NetworkManager | grep -i dhcp
journalctl -u systemd-networkd | grep -i dhcp
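A `grep -i dhcp` over the logs is usually the first step of a rogue-DHCP investigation: which server actually handed out the lease? The script below is an added example (not part of the gist) that extracts every DHCP server address from such log lines and reports any that is not the expected one. The log lines are constructed samples in two common shapes: NetworkManager's `dhcp_server_identifier` option lines and dhclient's `DHCPACK ... from` lines; real hosts may log in only one of them.

```shell
#!/bin/sh
# Added example: rogue-DHCP check over the lines produced by
# `grep -i dhcp /var/log/messages` or `journalctl -u NetworkManager | grep -i dhcp`.
# Log lines below are constructed samples, not captured from a real host.

SAMPLE_LOG=$(cat <<'EOF'
Jan 30 14:20:01 host NetworkManager[812]: <info>  [1769782801.1234] dhcp4 (eth0): option dhcp_server_identifier => '192.168.1.1'
Jan 30 14:20:01 host NetworkManager[812]: <info>  [1769782801.1236] dhcp4 (eth0): state changed new lease, address=192.168.1.10
Jan 30 14:22:17 host dhclient[640]: DHCPREQUEST for 192.168.1.10 on eth0 to 255.255.255.255 port 67
Jan 30 14:22:17 host dhclient[640]: DHCPACK of 192.168.1.10 from 192.168.1.1
Jan 30 14:25:03 host dhclient[640]: DHCPACK of 192.168.1.77 from 192.168.1.254
Jan 30 14:25:04 host NetworkManager[812]: <info>  [1769783104.0012] dhcp4 (eth0): option dhcp_server_identifier => '192.168.1.254'
EOF
)

# dhcp_servers <log text>: every server that acknowledged a lease, one per line, deduplicated.
dhcp_servers() {
    printf '%s\n' "$1" | awk '
        # NetworkManager: option dhcp_server_identifier => '\''192.168.1.1'\''
        /dhcp_server_identifier/ { s = $NF; gsub(/[^0-9.]/, "", s); print s; next }
        # dhclient: DHCPACK of 192.168.1.10 from 192.168.1.1
        /DHCPACK/ && $0 ~ / from / { for (i = 1; i <= NF; i++) if ($i == "from") print $(i + 1) }
    ' | sort -u
}

# rogue_dhcp_servers <log text> <expected server>
# Prints servers other than <expected>; returns 0 when none were seen, 1 otherwise.
rogue_dhcp_servers() {
    rogue=$(dhcp_servers "$1" | grep -vFx "$2" || true)
    printf '%s' "$rogue"
    [ -z "$rogue" ]
}

# Stand-alone run: the constructed log shows a second server at 192.168.1.254.
if ! rogue_dhcp_servers "$SAMPLE_LOG" 192.168.1.1 >/dev/null; then
    echo "ALERT: leases issued by an unexpected DHCP server:"
    rogue_dhcp_servers "$SAMPLE_LOG" 192.168.1.1; echo
fi
```

On a live system, `rogue_dhcp_servers "$(journalctl -u NetworkManager | grep -i dhcp)" 192.168.1.1` fits directly into a cron or monitoring check; a non-zero exit is the alert condition.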

10) Blocking/killing connections

  • Kill TCP connections matching a filter
    sudo tcpkill host 192.168.1.20 and port 80
    What it does: Sniffs traffic and injects TCP RST packets to tear down matching connections.

Important additions

  • Firewall (common)
    • nftables/iptables/ufw are the standard approaches to block traffic more cleanly than tcpkill.

11) IP forwarding (routing)

  • Enable IPv4 forwarding (temporary until reboot)
    echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward
    What it does: Lets the machine route packets between interfaces.

Important addition

  • Check current value
    cat /proc/sys/net/ipv4/ip_forward

12) DNS resolver configuration

  • Add/override DNS server (temporary on many systems)
    echo "nameserver 1.1.1.1" | sudo tee /etc/resolv.conf
    What it does: Replaces the contents of /etc/resolv.conf with a single nameserver line (tee without -a overwrites the file, so existing search domains and other nameservers are dropped).
    Note: On many distros, /etc/resolv.conf is managed automatically and may be overwritten (systemd-resolved/NetworkManager).

Important modern additions

  • systemd-resolved status:
    resolvectl status
  • set DNS for a connection (NetworkManager):
    nmcli con mod "CONNECTION_NAME" ipv4.dns "1.1.1.1 8.8.8.8"
    nmcli con up "CONNECTION_NAME"
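Sections 11 and 12 both describe settings that are easy to change and easy to leave in the wrong state. The script below is an added example (not part of the gist) that audits them from files: which nameservers a resolv.conf actually contains, whether any of them is outside an allow-list, whether the file is the systemd-resolved stub (127.0.0.53, so the real servers live in `resolvectl status`), and whether IPv4 forwarding is on. Every function takes a path, so it runs against the constructed sample files it creates in a temp directory as well as against `/etc/resolv.conf` and `/proc/sys/net/ipv4/ip_forward` on a real host.

```shell
#!/bin/sh
# Added example: audit resolver configuration and IPv4 forwarding state.
# Functions take file paths; the sample files created below are constructed.

# nameservers <resolv.conf path>: configured nameserver addresses, in order.
nameservers() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# unexpected_nameservers <resolv.conf path> "<space-separated allow-list>"
# Prints every nameserver that is not on the allow-list.
unexpected_nameservers() {
    for ns in $(nameservers "$1"); do
        case " $2 " in
            *" $ns "*) ;;                    # allowed
            *) printf '%s\n' "$ns" ;;
        esac
    done
}

# resolv_is_stub <resolv.conf path>: 0 when the file points at systemd-resolved's
# stub listener, meaning the upstream servers must be read from `resolvectl status`.
resolv_is_stub() {
    nameservers "$1" | grep -qxF 127.0.0.53
}

# ip_forward_enabled [path]: 0 when the sysctl file contains 1.
ip_forward_enabled() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}")" = "1" ]
}

# Constructed sample files (not real hosts' configuration).
SAMPLE_RESOLV=$(mktemp)
cat > "$SAMPLE_RESOLV" <<'EOF'
# Constructed sample resolv.conf
search corp.example
nameserver 1.1.1.1
nameserver 203.0.113.9
EOF
SAMPLE_STUB=$(mktemp)
printf 'nameserver 127.0.0.53\noptions edns0 trust-ad\n' > "$SAMPLE_STUB"
SAMPLE_FWD=$(mktemp)
printf '1\n' > "$SAMPLE_FWD"

# audit <resolv.conf path> <ip_forward path> "<allow-list>": human-readable report.
audit() {
    if resolv_is_stub "$1"; then
        echo "resolver: systemd-resolved stub; check 'resolvectl status' for upstreams"
    fi
    bad=$(unexpected_nameservers "$1" "$3")
    [ -n "$bad" ] && echo "resolver: unexpected nameserver(s): $(echo "$bad" | tr '\n' ' ')"
    ip_forward_enabled "$2" && echo "forwarding: IPv4 forwarding is ON (host routes packets)"
    return 0
}

# Stand-alone run on the constructed files.
audit "$SAMPLE_RESOLV" "$SAMPLE_FWD" "1.1.1.1 8.8.8.8"
```

On a workstation that is not meant to be a router, `ip_forward_enabled` returning 0 is itself a finding; on a host where someone used the `tee` command above, `unexpected_nameservers` is what catches a resolver you did not approve.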

13) VPN / IPsec states

  • Show XFRM (IPsec) states
    ip xfrm state list
    What it does: Displays active IPsec security associations.

Important related command

ip xfrm policy list

Important commands

A) Connectivity & troubleshooting

  • Ping
    ping -c 4 8.8.8.8
  • Path tracing
    traceroute example.com
    or modern:
    mtr example.com
  • Test port reachability
    nc -vz 192.168.1.10 22
  • HTTP request / headers
    curl -I https://example.com

B) Packet capture

  • tcpdump
    sudo tcpdump -i eth0
    sudo tcpdump -i eth0 host 192.168.1.20 and port 53
  • Wireshark (GUI): deep inspection.

C) ARP / neighbor table

  • See L2 neighbors
    ip neigh
  • ARP scan (if installed)
    sudo arp-scan --localnet

D) DNS query utility

  • nslookup (older but still used)
    nslookup example.com
