Unix & Linux Stack Exchange
Q&A for users of Linux, FreeBSD and other Unix-like operating systems
Latest Questions
0 votes, 1 answer, 1932 views
How to measure TCP latency?
OS is Debian on both servers.
I found some examples showing how to measure TCP latency with nmap:
`nmap --packet-trace -p 22 192.168.0.10`
But I'm getting some negative results for latency, i.e. it will print some output like `Host is up (-0.0023s latency)` at the end.
What is nmap doing? Is it measuring the time difference between SYN and SYN-ACK? If so, how is it getting a negative result sometimes? Does it require clocks to be very precisely synced between the two servers?
And in addition, can I use ssh as a good TCP test server or should I use a different service?
Is there another tool I can use to measure TCP latency? I don't know if I trust nmap due to the negative results for the latency measurement.
cat pants
(167 rep)
Feb 2, 2024, 12:25 AM
• Last activity: Jul 30, 2025, 02:09 PM
24 votes, 3 answers, 42902 views
What exactly happens when I enable net.ipv4.ip_forward=1?
Suppose I have this situation where I wrote a program to poison the ARP cache of 2 devices (let's say A and B), both in the local network, to successfully be able to MITM from device M. The program runs on device M. When I enable IP forwarding with the command `sysctl net.ipv4.ip_forward=1` on device M, an HTTP connection from device A to B can be established without any issues, and I am able to see the traffic on device M.
But in the same situation, where the ARP caches are poisoned after I disable IP forwarding with the command `sysctl net.ipv4.ip_forward=0` on device M, an HTTP connection can't be established from device A to B. I can see the TCP SYN packet from device A on device M. In my program, after receiving the SYN packet on device M, I modify the src MAC address in the packet to M's MAC address (from A's MAC address) and the dst MAC address to B's MAC address (from M's MAC address) and inject it into the network. I don't modify anything from the network layer onwards. I can see the packet at B with the new src and dst MACs with the tcpdump command, which means the packet gets to B. But B doesn't respond to that packet, and I can't comprehend why.
So, the question is: what special thing does `ip_forward=1` do that makes this kind of MITM situation work? To clarify, all the machines are Linux. With forwarding enabled on device M, I don't need to modify the MAC addresses in the packets. I just poison the cache and things work fine from there.
InvisibleWolf
(341 rep)
Oct 17, 2021, 01:17 PM
• Last activity: Jul 26, 2025, 04:52 PM
0 votes, 2 answers, 3919 views
How to get process(PID) initiated connections
For example, `tomcat` (PID is `4739`) initiated a connection to `postgress` (which is another server) to retrieve data from the DB because `tomcat` got a request from a client (`curl 192.168.1.12:8088/get`). In this, `tomcat` uses a random TCP `source port` to connect to `postgress`. Now, is there any way to get these `source ports` that were created by the `tomcat` `PID`?
I used `netstat -tp`, but I'm not getting the `PID` of the connection. I only get the `PID` if I use `l - Listening`, like `netstat -tlp`. I tried to read the `PID`'s sockets from `/proc/PID/fd` and then correlate them to `/proc/net/tcp`. But I'm not seeing anything in `/proc/net/tcp`.
**NOTE:** The topology is like below.
My requests (server1)
tomcat (server2)
postgress (server2)
**UPDATE1**
`netstat -tepn` output
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State User Inode PID/Program name
tcp6 0 1 172.25.30.21:36598 xx.xx.xx.91:4343 SYN_SENT 0 42955126 9661/java
tcp6 0 0 172.25.30.21:38340 172.25.30.12:5432 TIME_WAIT 0 0 -
tcp6 0 0 172.25.30.21:38064 172.25.30.12:5432 TIME_WAIT 0 0 -
tcp6 0 0 172.25.30.21:38282 172.25.30.12:5432 TIME_WAIT 0 0 -
tcp6 0 0 172.25.30.21:37520 172.25.30.12:5432 TIME_WAIT 0 0 -
tcp6 0 0 172.25.30.21:38286 172.25.30.12:5432 TIME_WAIT 0 0 -
tcp6 0 0 172.25.30.21:37654 172.25.30.12:5432 TIME_WAIT 0 0 -
tcp6 0 0 172.25.30.21:37906 172.25.30.12:5432 TIME_WAIT 0 0 -
tcp6 0 0 172.25.30.21:38152 172.25.30.12:5432 TIME_WAIT 0 0 -
tcp6 0 0 172.25.30.21:38124 172.25.30.12:5432 TIME_WAIT 0 0 -
tcp6 0 0 172.25.30.21:37412 172.25.30.12:5432 TIME_WAIT 0 0 -
tcp6 0 0 172.25.30.21:37374 172.25.30.12:5432 TIME_WAIT 0 0 -
tcp6 0 0 172.25.30.21:38126 172.25.30.12:5432 TIME_WAIT 0 0 -
tcp6 0 0 172.25.30.21:38252 172.25.30.12:5432 TIME_WAIT 0 0 -
tcp6 0 0 172.25.30.21:37224 172.25.30.12:5432 TIME_WAIT 0 0 -
tcp6 0 0 172.25.30.21:37800 172.25.30.12:5432 TIME_WAIT 0 0 -
tcp6 0 0 172.25.30.21:37780 172.25.30.12:5432 TIME_WAIT 0 0 -
tcp6 0 0 172.25.30.21:38274 172.25.30.12:5432 TIME_WAIT 0 0 -
tcp6 0 0 172.25.30.21:37244 172.25.30.12:5432 TIME_WAIT 0 0 -
tcp6 0 0 172.25.30.21:37880 172.25.30.12:5432 TIME_WAIT 0 0 -
tcp6 0 0 172.25.30.21:38230 172.25.30.12:5432 TIME_WAIT 0 0 -
tcp6 0 0 172.25.30.21:38118 172.25.30.12:5432 TIME_WAIT 0 0 -
tcp6 0 0 172.25.30.21:37496 172.25.30.12:5432 TIME_WAIT 0 0 -
tcp6 0 0 172.25.30.21:1099 172.25.30.21:47496 ESTABLISHED 0 42954824 4738/java
tcp6 0 0 172.25.30.21:37474 172.25.30.12:5432 TIME_WAIT 0 0 -
tcp6 0 0 172.25.30.21:38200 172.25.30.12:5432 TIME_WAIT 0 0 -
tcp6 0 0 172.25.30.21:38102 172.25.30.12:5432 TIME_WAIT 0 0 -
`PID` `grep`ed output
veeru@localhost:~/veeru# netstat -tepn | grep 4738
tcp6 0 0 127.0.1.1:41095 127.0.0.1:45180 ESTABLISHED 0 42960213 4738/java
tcp6 0 0 172.25.30.21:1099 172.25.30.21:49984 ESTABLISHED 0 42963153 4738/java
veerendra2
(530 rep)
Feb 27, 2017, 09:42 AM
• Last activity: Jul 26, 2025, 02:04 PM
0 votes, 1 answer, 1986 views
socat - multiple connection attempts fail to pass through serial
I'm using socat to route serial input over a network to allow me to control an Arduino device over a virtual COM port setup.
My command to start socat is:
socat /dev/serial0,b500000,raw,echo=0 TCP-LISTEN:9876,nodelay,fork&
This works the first time a device connects to the :9876 port perfectly fine. However, if the connection is dropped from the other end (which is using com2tcp on Windows), any further connections will send serial up the network to the RasPi hosting socat and out the serial device, but data will not be received in from /dev/serial0. I have to kill the original socat process, wait for the port to be released, and then re-run socat. Given the RasPi operates headless, this is an annoyance I'd rather avoid.
Is there any way to allow multiple, non-simultaneous connections to work in this manner? I'm assuming there's some sort of setting to put in after the `echo=0`, but I can't figure out which one.
(Further notes: the 500000 baud rate is required, as this is the rate required for the software I'm using, called GIMX. The purpose of this setup is to allow me to connect to a game console with devices in another room, using the remote play functionality to play the game. I have this command set in `/etc/rc.local` to start socat on boot, as the RasPi is also used as a media player using Volumio; this is simply running in the background.)
----------------------------------------------------
EDIT: I ended up abandoning the socat/com2tcp route, and implementing an RFC2247-compliant connection. This meant that I didn't have to worry about manually setting the baud rate as necessary, and seems to work in a more stable manner to boot. I based it on the information from https://robosavvy.com/forum/viewtopic.php?t=7578 which basically gives a full overview of setting it up. Although a couple of the links are dead, it has the information needed to get a connection going.
I believe the command I was looking for was "end-close", however I did not test this before having committed to the new setup.
DragRedSim
(1 rep)
Jan 9, 2020, 05:43 AM
• Last activity: Jul 16, 2025, 01:07 PM
0 votes, 0 answers, 40 views
Issue with SSH connection in Mac
I'm trying to ssh to a remote server. But after the ssh is successful the **connection freezes within 2-3 minutes and eventually drops**.
On checking the packet trace I observed my Mac is randomly sending a **RST packet** to the remote server that is causing the connection to close.
If this isn't already strange enough, I found that this happens if I **open a file in vim** after establishing the ssh connection, but if I ssh and leave the terminal as it is then the connection doesn't freeze.
How can I debug this issue? How can I find why my Mac is doing so?
I tried to restart the ssh service on the MacBook but it didn't solve the issue.
If I do a **hard reboot** of the Mac then the issue is fixed.
PS: I have the following parameters in my ssh_config file:
Host *
ServerAliveInterval 60
ServerAliveCountMax 30
This issue started after there was a network issue and all my ssh connections were abruptly dropped. After that, when I'm trying to ssh I observe this behaviour.
Abhinav Goyal
(1 rep)
Jul 8, 2025, 02:06 PM
2 votes, 1 answer, 207 views
TCP checksum offloading on virtio-net paravirtualized interfaces
Consider the topology where 2 QEMU VMs running Linux Ubuntu `16.04` kernel version `4.4.0-210` have both `virtio-net` interfaces with `TAP` backends connected to the same (host) Linux `bridge` and an `SSH` connection between them.
ubuntu@VM1:~$ uname -a
Linux VM1 4.4.0-210-generic #242-Ubuntu SMP Fri Apr 16 09:57:56 UTC 2021 x86_64 x86_64 x8x
ubuntu@VM1:~$
Both VMs use paravirtualized `virtio-net` interfaces defaulting to TX and RX `checksum` offloading.
ubuntu@VM1:~$ ethtool -i eth0
driver: virtio_net
version: 1.0.0
firmware-version:
expansion-rom-version:
bus-info: 0000:00:03.0
supports-statistics: no
supports-test: no
supports-eeprom-access: no
supports-register-dump: no
supports-priv-flags: no
ubuntu@VM1:~$
ubuntu@VM1:~$ ethtool -k eth0 | grep -i sum
rx-checksumming: on [fixed]
tx-checksumming: on
tx-checksum-ipv4: off [fixed]
tx-checksum-ip-generic: on
tx-checksum-ipv6: off [fixed]
tx-checksum-fcoe-crc: off [fixed]
tx-checksum-sctp: off [fixed]
ubuntu@VM1:~$
ubuntu@VM2:~$ ethtool -k eth0 | grep -i sum
rx-checksumming: on [fixed]
tx-checksumming: on
tx-checksum-ipv4: off [fixed]
tx-checksum-ip-generic: on
tx-checksum-ipv6: off [fixed]
tx-checksum-fcoe-crc: off [fixed]
tx-checksum-sctp: off [fixed]
ubuntu@VM2:~$
That actually means:
- the kernel network stack sends out `SSH/TCP` packets without computing & filling the relevant `TCP checksum` field inside them (i.e. basically the `TCP checksum` inside the packets sent is either zeroed out or incorrect)
- the kernel network stack assumes the `virtio-net` interface has already checked/verified the `TCP checksum` for `SSH/TCP` received packets and is therefore allowed to skip it
Hence the `SSH` connection works even though traveling `SSH/TCP` packets have an *incorrect* `TCP` checksum (`tcpdump` run inside both VMs confirms this).
Later, changing the topology by connecting each VM to a different Linux bridge with a virtual router in the middle, suddenly the `SSH` connection stopped working. I double checked that the virtual router actually forwards `TCP/SSH` packets *as-is* from one bridge to the other (in both directions), so I don't understand why the `SSH` connection stopped working this time.
What is going on in the latter case? Thanks.
CarloC
(385 rep)
Jul 7, 2025, 05:59 AM
• Last activity: Jul 7, 2025, 09:09 AM
1 vote, 1 answer, 1919 views
NFS client source port on reconnect
I am using the NFS client to connect to an NFS cluster. I have noticed that the default behaviour when the server is unavailable is to retry the TCP connections from the same source TCP port, which I have confirmed by tcpdump (many SYN packets, different seq numbers, but same source port). By default NFS uses privileged ports (1024 and and now on each reconnect attempt will be from different TCP port.
The NFS client is SLES12 SP4; the same behaviour is also on Oracle Linux 7.7.
The NFS server is an HAE cluster based on SLES12 SP4.
Is this behaviour documented somewhere? Why does it use the same port every time by default but not when using `noresvport`?
Marki555
(2128 rep)
Dec 12, 2019, 01:25 PM
• Last activity: Jul 2, 2025, 04:15 AM
2 votes, 1 answer, 29 views
DTrace cannot reference the external kernel variable `ticks` on FreeBSD
I've come across the following DTrace one-liner on https://wiki.freebsd.org/DTrace/One-Liners :
```
# Summarize TCP life span in seconds:
dtrace -n 'fbt::tcp_close:entry { @["TCP life span (seconds):"] = quantize((uint32_t)(`ticks - args[0]->t_starttime) / `hz); }'
```
It does not work on latest FreeBSD 15.0-CURRENT anymore. It errors out with:
```
dtrace: invalid probe specifier fbt::tcp_close:entry {
    @["TCP life span (seconds):"] =
        quantize((uint32_t)(`ticks - args[0]->t_starttime) /
        `hz);
}:
    in action list: no symbolic type information is available for kernel`ticks:
    No type information available for symbol
```
(error text above manually wrapped/indented)
Any ideas why DTrace cannot find `` `ticks ``? It finds `` `hz `` just fine.
According to the wiki page, all the one-liners were tested in the past so that is not a typo. Also, I tried including `sys/kernel.h` as it seems to be where `ticks` is declared, but that did not help (it ends up needing `sys/queue.h` as well and even then it does not work).
Mateusz Piotrowski
(4983 rep)
Jun 23, 2025, 01:09 PM
• Last activity: Jun 24, 2025, 08:53 AM
2 votes, 3 answers, 4271 views
Linux Shell Script - Send command over TCP to Sharp Aquos
I'm writing a shell script that needs to send an 8 character string terminated with a x0d to a Sharp Aquos TV. An example is `'POWR1   \x0d'` (POWR1 followed by three spaces and LF).
The documentation is poor. It says protocol TCP/IP (nothing about UDP or TCP) and service: nothing: do not select telnet or SSH.
In the past, for similar projects I've been able to use socat and something like:
`echo -e -n 'POWR1   \x0d' | socat - tcp4:192.168.1.88:10002`
However, all I get is "socat E connect(3, AF=2 192.168.1.88:10002, 16): Connection refused".
Anyone got any ideas?
user31539
(21 rep)
Jan 31, 2013, 07:47 PM
• Last activity: May 24, 2025, 05:04 AM
4 votes, 3 answers, 2188 views
Transfer a TCP connection from one Linux box to another behind NAT?
While experiencing an extremely slow download rate on one of my HTTP connections, I thought it'd be nice if I could just transfer the connection from my PC to an energy-saving home server that shares the same external IP address.
The way I imagine it, I'd like to run a command that would take over the connection from a specific IP and a port, letting me pipe all incoming data that flows through it to a file without letting the original owner of the connection close it.
Are there already any tools for that?
d33tah
(1381 rep)
May 30, 2013, 11:47 PM
• Last activity: May 19, 2025, 08:03 PM
29 votes, 7 answers, 132568 views
How do I work out which port to log in on with SSH?
I have an Ubuntu 10.04 server set up remotely that I set up a while back. While I recorded the username and password, I seem to have been clever and changed the usual ssh port from 22 to... something else.
How do I find out what that port might be?
I do have access to the server via the hosting company's back door, so I can execute whatever Unix commands are needed - but I cannot log in using a normal putty shell on my machine.
bharal
(1473 rep)
Aug 7, 2014, 11:34 AM
• Last activity: May 18, 2025, 07:14 AM
8 votes, 1 answer, 78296 views
How to properly configure a tun/tap Interface in linux?
Basically I am trying to create a custom TCP stack. As you might know, I can't use eth0 because the Linux kernel TCP stack uses that. Due to that, I need to create a tun/tap interface and use it for my custom TCP stack.
/etc/network/interfaces:
auto lo
iface lo inet loopback
allow-hotplug eth0
auto eth0
iface eth0 inet static
address 192.168.1.152
netmask 255.255.255.0
broadcast 192.168.1.255
gateway 192.168.1.1
dns-server 192.168.1.1
allow-hotplug tap0
auto tap0
iface tap0 inet manual
pre-up ip tuntap add tap0 mode tap user root
pre-up ip addr add 192.168.1.153/24 dev tap0
up ip link set dev tap0 up
post-up ip route del 192.168.1.0/24 dev tap0
post-up ip route add 192.168.1.152/32 dev tap0
post-down ip link del dev tap0
ifconfig
inet addr:192.168.1.152 bcast:192.168.1.255 netmask 255.255.255.0
lo:
inet addr:127.0.0.1 mask 255.0.0.0
tap0:
inet addr: 192.168.1.153 bcast:0.0.0.0 mask 255.255.255.0
With the following config I can reach WAN/LAN using eth0 but I can't reach even my gateway with tap0.
I would really appreciate it if you could tell me what mistake I am making here.
Mr. Nobody
(81 rep)
Jan 25, 2018, 04:51 PM
• Last activity: May 14, 2025, 07:11 AM
35 votes, 6 answers, 52478 views
Read "/proc" to know if a process has opened a port
I need to know if a process with a given PID has opened a port without using external commands.
I must then use the `/proc` filesystem. I can read the `/proc/$PID/net/tcp` file for example and get information about TCP ports opened by the process. However, on a multithreaded process, the `/proc/$PID/task/$TID` directory will also contain a `net/tcp` file. My question is: do I need to go over all the threads' `net/tcp` files, or will the port opened by threads be written into the process `net/tcp` file?
rmonjo
(453 rep)
Aug 29, 2015, 01:11 PM
• Last activity: May 5, 2025, 04:35 PM
1 vote, 1 answer, 2075 views
What does TCPRcvCoalesce, TCPAutoCorking and TCPHystartTrainCwnd in netstat mean?
We have some RHEL7 Apache reverse proxies that experienced a performance degradation event. After a few hours, restarting Apache restored performance to normal levels. We are trying to determine the root cause of the outage.
During said investigation, I came across the following `netstat` numbers that I cannot find much documentation on:
* TCPRcvCoalesce
* TCPAutoCorking
* TCPHystartTrainCwnd
Can anyone explain what these stats mean? Are they indicative of any particular issue?
Belmin Fernandez
(9877 rep)
Apr 25, 2016, 03:58 PM
• Last activity: May 4, 2025, 09:07 AM
3 votes, 2 answers, 5907 views
tcpdump not capturing http or tcp/ssl traffic
I have been trying to learn `tcpdump` and I am using this command to attempt to monitor my network:
`sudo tcpdump -I -i en1`
But this gives me a bunch of stuff I don't want, so I used this version to filter the packets:
`sudo tcpdump -I -i en1 port 80 or 443`
And it gives me nothing. I know you can't use your WiFi when using monitor mode, but I still can, so I think that's a sign something is wrong. I tried it with en0, but it couldn't go into monitor mode.
What am I doing wrong?
I am using a MacBook Pro with OS X 10.9.3, and I would like to be able to do this with `tcpdump`, or any other utility that's built into OS X.
addison
(131 rep)
Jul 3, 2014, 03:51 AM
• Last activity: Apr 26, 2025, 08:05 PM
38 votes, 3 answers, 147587 views
Orphaned connections in CLOSE_WAIT state
I've got a SLES machine that accumulates TCP connections in a CLOSE_WAIT state for what appears to be forever. These descriptors eventually suck up all available memory. At the moment, I've got 3037 of them, but it was much higher before a hurry-up reboot recently.
What's interesting is that they're not from connections to local ports that I expect to have listening processes. They have no associated PIDs, and their timers seem to have expired.
# netstat -ton | grep CLOSE_WAIT
tcp 176 0 10.0.0.60:54882 10.0.0.12:31663 CLOSE_WAIT off (0.00/0/0)
tcp 54 0 10.0.0.60:60957 10.0.0.12:4503 CLOSE_WAIT off (0.00/0/0)
tcp 89 0 10.0.0.60:50959 10.0.0.12:3518 CLOSE_WAIT off (0.00/0/0)
# netstat -tonp | grep CLOSE_WAIT
tcp 89 0 10.0.0.59:45598 10.0.0.12:1998 CLOSE_WAIT -
tcp 15 0 10.0.0.59:60861 10.0.0.12:1938 CLOSE_WAIT -
tcp 5 0 10.0.0.59:56173 10.0.0.12:1700 CLOSE_WAIT -
I'm not a black-belt when it comes to the TCP stack, or kernel networking, but the TCP config seems sane, since these values are default, per the man page:
# cat /proc/sys/net/ipv4/tcp_fin_timeout
60
# cat /proc/sys/net/ipv4/tcp_keepalive_time
7200
So what gives? If the timers have expired, shouldn't the stack automatically clear this stuff out? I'm effectively giving myself a long-term DoS as these things build up.
pboin
(1510 rep)
Mar 25, 2011, 05:39 PM
• Last activity: Apr 20, 2025, 02:28 AM
67 votes, 5 answers, 342143 views
How to connect ssh from a specified port?
I know how to connect 'to' a certain port using ssh.
ssh user@remotehostip -p XXX
Is there a way to establish ssh _from_ the port which my local computer will be using?
kwagjj
(2319 rep)
Jun 24, 2014, 01:19 AM
• Last activity: Apr 15, 2025, 11:25 AM
0 votes, 0 answers, 465 views
Problem using Iptables for filtering traffic on a network interface which is a bridge port, on a specific tcp port
I am using iptables as firewall to filter traffic. I want to block traffic on a network interface on a certain tcp port (I'm testing on port 22). The network interface is a bridge port, so I'm using physdev module (I have tried -i option and it does not work). When I write the rule without specifying any ports, all traffic gets filtered successfully:
iptables -t mangle -A PREROUTING -m physdev --physdev-in IF_NAME -j DROP
But when I specify the port, it doesn't work:
iptables -t mangle -A PREROUTING -m physdev --physdev-in IF_NAME -p tcp -m tcp --dport 22 -j DROP
I have tried mark and connmark modules to split the rules in two, so the bridge interface and tcp port be in separate rules. No luck.
Some clarifications: I'm using iptables v1.8.2 on Debian 10. I'm trying to filter traffic for a VM. I'm writing the rules on host machine. The network interface is set for the VM. If I use VM's IP instead of network interface, it works fine.
Could it be that it doesn't work because the bridge is on data-link layer and tcp ports are in transport layer? I personally don't think this is a good excuse for the rule to not work. After all iptables works on different network layers.
My questions:
1. (first priority) Is it possible to make this rule work using iptables? If yes, how, and if no, why?
2. Is it possible to do so using nftables?
3. Any other solutions you want to mention?
foadk
(1 rep)
Jun 10, 2023, 09:50 AM
• Last activity: Mar 19, 2025, 11:34 AM
0 votes, 1 answer, 27 views
Checking if service is running, Service is installed already
So basically I installed an Automation Anywhere product in Amazon Linux 2. When I checked `netstat -tulnp | grep LISTEN` I didn't find the listener that's supposed to be there. Thus leading me to check if the service is running properly or not. I checked it using `systemctl status control*` (I already did `sudo su -` if it matters).
However the response was "unit 'module' not found". I did some digging and it turns out that systemd is not recognizing the service file as it is installed outside `etc/systemd`.
Some solutions I tried are:
- running `systemctl daemon-reload`
- running `reboot`
While there is a solution I haven't tried, like creating the service file inside `etc/systemd`, I wonder if it's truly the solution or not as I am not familiar with Linux. If I indeed need to write the service file inside `etc/systemd`, do I just copy the service file inside the installation path and copy it to the `etc/systemd` path? Or is there anything I'm supposed to know/do beforehand?
Devs
(1 rep)
Mar 12, 2025, 01:02 PM
• Last activity: Mar 14, 2025, 08:24 AM
3 votes, 1 answer, 543 views
Why is `ss --kill` so slow?
I've measured `ss --tcp --numeric --no-header --kill dst 1.2.3.0/24` on various machines (all running Ubuntu Server 22 or 24 LTS) and it consistently needs around 7-10ms to complete. Any idea where the bottleneck is or if there is a way to make it complete faster?
cherouvim
(137 rep)
Feb 24, 2025, 07:44 AM
• Last activity: Feb 24, 2025, 10:34 AM