Network Analysis

Use lft to trace hops in the network
sudo lft <IP:PORT>
  • If you suspect that a VM or Docker container is being exposed on a different port of the same host, run lft against each port and compare the results: a different hop path or TTL for one port suggests the traffic is being forwarded to another system.

Find the processes associated with a port
lsof -nP -i :<port_number>
Show TCP sockets in the LISTEN state
lsof -wnP -iTCP -sTCP:LISTEN
Listening ports & services
ss -tuln
Listening ports + owning process and PID (root is needed to see other users' processes)
ss -tulnp
Filter the listing to a single PID
ss -tulnp | grep 'pid=<PID>'
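The commands above list sockets; what a defender usually wants next is to compare that listing against the ports the host is supposed to expose. The following is an added example (not from the original notes): a small shell function that parses `ss -tulnp`-style output and flags listeners that are not on an allow-list. The `ss` output it reads is a constructed sample in the format recent iproute2 prints; on a live host pipe the real command into the function instead.

```shell
#!/bin/sh
# Added example: audit listening sockets against an allow-list of ports.
# Live usage:  ss -tulnp | audit_listeners "22 443"

# Constructed sample of `ss -tulnp` output (not captured from a real host).
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0            0.0.0.0:68        0.0.0.0:*     users:(("dhclient",pid=612,fd=6))
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*     users:(("sshd",pid=845,fd=3))
tcp   LISTEN 0      511                *:443             *:*     users:(("nginx",pid=1201,fd=6),("nginx",pid=1200,fd=6))
tcp   LISTEN 0      128          0.0.0.0:4444      0.0.0.0:*     users:(("nc",pid=3310,fd=3))'

# audit_listeners "PORT PORT ..."
# Reads ss-style lines on stdin and prints one line per socket:
#   <proto> <port> <process> <pid> <OK|UNEXPECTED>
audit_listeners() {
    allowed=" $1 "
    awk -v allowed="$allowed" '
        $1 == "tcp" || $1 == "udp" {
            proto = $1
            port = $5; sub(/.*:/, "", port)      # drop the address, keep the port
            proc = "-"; pid = "-"
            # Process column looks like users:(("sshd",pid=845,fd=3),...)
            if (match($0, /users:\(\("[^"]*",pid=[0-9]+/)) {
                s = substr($0, RSTART, RLENGTH)
                proc = s; sub(/.*\(\("/, "", proc); sub(/".*/, "", proc)
                pid = s; sub(/.*pid=/, "", pid)
            }
            status = (index(allowed, " " port " ") > 0) ? "OK" : "UNEXPECTED"
            print proto, port, proc, pid, status
        }'
}

# unexpected_ports "PORT PORT ...": only the ports missing from the allow-list
unexpected_ports() {
    audit_listeners "$1" | awk '$5 == "UNEXPECTED" { print $2 }'
}

echo "$SAMPLE_SS" | audit_listeners "22 443 68"
```

Run on the sample, the nginx and sshd listeners are reported as OK and the `nc` listener on port 4444 as UNEXPECTED. The first `users:(...)` entry is taken as the owner, which is enough to name the process; when several PIDs share a socket (nginx workers), `ss` lists all of them and you can drop the `match` and print the whole column instead.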
TTL Values and OS Fingerprinting

The TTL value in a ping reply starts at an OS-specific initial value and is decremented by one at each router hop, so the observed value hints at both the remote OS and the hop distance. Common initial values differ between operating systems:

  • Linux/Unix -> 64

  • Windows -> 128

  • Cisco -> 255

ping -c 4 example.com
  • It sends ICMP Echo Request packets to a target and waits for ICMP Echo Reply packets in return.

Output Example
PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=0.123 ms
64 bytes from 192.168.1.1: icmp_seq=2 ttl=64 time=0.120 ms
64 bytes from 192.168.1.1: icmp_seq=3 ttl=64 time=0.122 ms
  • TTL (Time to Live): The maximum number of hops a packet can traverse before being discarded.

  • Time: The round-trip time (RTT) for the packet to reach the destination and return.
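Turning an observed TTL into a guess means picking the smallest common default (64, 128 or 255) that is not below the observed value; the difference is the hop count. The block below is an added example, not part of the original notes: a shell function that applies that rule to a TTL value, plus one that pulls the `ttl=` field out of ping output. The ping output it reads is constructed (the page's own sample lines plus two made-up remote hosts); the 64/128/255 defaults are the ones listed above.

```shell
#!/bin/sh
# Added example: infer initial TTL, hop distance and OS family from ping
# replies. Heuristic only, based on the common defaults 64 / 128 / 255.

# ttl_guess OBSERVED_TTL
# Prints "<initial_ttl> <hops> <os_family>" for one observed TTL value.
ttl_guess() {
    awk -v ttl="$1" 'BEGIN {
        # The smallest common default >= the observed value is the most
        # likely starting TTL; the difference is the number of hops.
        if (ttl <= 64)       { init = 64;  os = "Linux/Unix" }
        else if (ttl <= 128) { init = 128; os = "Windows" }
        else                 { init = 255; os = "Cisco/network device" }
        print init, init - ttl, os
    }'
}

# ttl_from_ping: reads ping output on stdin, prints one line per host:
#   <host> <initial_ttl> <hops> <os_family>
ttl_from_ping() {
    awk '{
        host = ""; t = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "from") { host = $(i + 1); sub(/:$/, "", host) }
            if ($i ~ /^ttl=/) { t = substr($i, 5) }
        }
        if (host != "" && t != "") print host, t
    }' |
    while read -r host t; do
        echo "$host $(ttl_guess "$t")"
    done | sort -u
}

# Constructed ping output (not a real capture): ttl=64 is a host on the
# local segment, 116 a Windows host 12 hops away, 52 a Linux host 12 hops away.
SAMPLE_PING='PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=0.123 ms
64 bytes from 192.168.1.1: icmp_seq=2 ttl=64 time=0.120 ms
64 bytes from 203.0.113.10: icmp_seq=1 ttl=116 time=21.3 ms
64 bytes from 198.51.100.7: icmp_seq=1 ttl=52 time=18.9 ms'

echo "$SAMPLE_PING" | ttl_from_ping
```

Treat the result as a hint, not an identification: a NAT gateway, load balancer or proxy answers with its own TTL rather than the backend's, some systems ship with other defaults, and the initial TTL is a tunable that an administrator can change. Corroborate with the hop count from traceroute and with service banners before drawing conclusions.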

Trace the network path
traceroute example.com
Monitoring integrity of system files with Tripwire
Initialize the Tripwire database
sudo tripwire --init
Check the integrity of the system
sudo tripwire --check
Update the database with the changes found by a check (the check writes the report; review it before accepting)
sudo tripwire --update -r <report-file>.twr