lk/networking/networking_basics.md

---
title: "Networking"
tags: [ "Documentation", "Networking", "ip" ]
---
# You

Check how your computer connects to the net:

> ip address show


```

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UP group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
3: wlp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 84:3a:4b:ca:5c:24 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.13/24 brd 192.168.0.255 scope global dynamic noprefixroute wlp3s0
       valid_lft 199143sec preferred_lft 172143sec
    inet6 fe80::22:5eb9:8a3a:95b2/64 scope link 
       valid_lft forever preferred_lft forever
4: wwp0s20u4i6: <BROADCAST,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether fa:cd:4d:28:ec:dc brd ff:ff:ff:ff:ff:ff
    inet 169.254.104.159/16 brd 169.254.255.255 scope global noprefixroute wwp0s20u4i6
       valid_lft forever preferred_lft forever
    inet6 fe80::e9d3:506c:c0a9:6679/64 scope link 
       valid_lft forever preferred_lft forever

```

That's too much output to read, so try:

> ip address show | grep inet

```

    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host 
    inet 192.168.0.13/24 brd 192.168.0.255 scope global dynamic noprefixroute wlp3s0
    inet6 fe80::22:5eb9:8a3a:95b2/64 scope link 
    inet 169.254.104.159/16 brd 169.254.255.255 scope global noprefixroute wwp0s20u4i6
    inet6 fe80::e9d3:506c:c0a9:6679/64 scope link 

```

The starting numbers tell you about the address. You just have to memorize the meanings:

| Address Prefix | Meaning |
|:---:|:---:|
| 127.X | The computer's name for itself, for when you want to ssh into your own machine |
| ::1/128 | Same thing, with ipv6 |
| 192.168.X | A small Network address, given by a DHCP server (possibly your router) |
| 169.X | The interface to the internet wasn't given an ip address, so it's made up its own |

# `arp-scan`

Look around your local Network with `arp-scan`.

> sudo arp-scan -l

```

Interface: wlp3s0, type: EN10MB, MAC: 84:3a:4b:ca:5c:24, IPv4: 192.168.0.13
Starting arp-scan 1.9.7 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.0.1	0c:02:27:bc:aa:a1	Technicolor CH USA Inc.
192.168.0.15	b8:27:eb:4a:cd:d9	Raspberry Pi Foundation
192.168.0.10	dc:0b:34:94:5c:c4	LG Electronics (Mobile Communications)

3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.7: 256 hosts scanned in 1.937 seconds (132.16 hosts/sec). 3 responded

```

The interface here was `wlp3s0`. It starts with 'w', so it's a wifi card.  Each internet adapter has a name, called a 'MAC address' in order to identify itself to outsiders.  The first three parts of a MAC address are given by the manufacturer (like a family name), and the rest are just for that one device.

The '192.168.0.1' address ends in '.1', so it's probably a router.  The manufacturer is 'Technicolor' (`arp-scan` has identified this from the first digits of the MAC: '0c:02:27').

Next is 192.168.0.15, which is labelled as a 'raspberry pi'. Finally, the '.10' address is a mobille phone.

Mac addresses are easy to fake, so don't trust this output to keep you safe.

# `nmap`

Look around your entire Network from 192.168.0.1 to 192.168.0.255:

> sudo nmap -F 192.168.0.1/24

The `-F` means 'do this fast, by only scanning normal traffic' (ports below 1000).

```

Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-09 13:52 CET
Nmap scan report for 192.168.0.1
Host is up (0.011s latency).
Not shown: 99 closed ports
PORT   STATE SERVICE
80/tcp open  http
MAC Address: 0C:02:27:BC:AA:A1 (Technicolor CH USA)

Nmap scan report for 192.168.0.10
Host is up (0.0040s latency).
All 100 scanned ports on 192.168.0.10 are closed
MAC Address: DC:0B:34:94:7C:C4 (LG Electronics (Mobile Communications))

Nmap scan report for belgradecats (192.168.0.15)
Host is up (0.0096s latency).
Not shown: 98 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
53/tcp open  domain
MAC Address: B8:27:EB:4A:CD:D9 (Raspberry Pi Foundation)

Nmap scan report for 192.168.0.13
Host is up (0.0000080s latency).
Not shown: 99 closed ports
PORT   STATE SERVICE
22/tcp open  ssh

Nmap done: 256 IP addresses (4 hosts up) scanned in 5.34 seconds

```

Network traffic is split into different types of information.  Each one gets a number called a 'port'.  Most of this information is dead, so only a few ports are used nowadays.

The first one shows port 80, so you can visit it on a web browser.  The next shows 53 (so it's handing out names of local computers) and 22 (so you can access it via ssh).

You can scan outside addresses with:

> sudo nmap facebook.com

However, when you scan something, that machine will see you, and you may set off alerts, which then have to bother whoever's looking after that address.
So if you want to try out nmap from outside, find a place you have permission to scan (like your own external IP address), or try:

> sudo nmap hack.me

The hack.me website doesn't mind people scanning.
add headers to lk 2022-01-16 18:20:39 +00:00			`---`
fix titles which are just 'basics' 2022-02-04 08:24:02 +00:00			`title: "Networking"`
			`tags: [ "Documentation", "Networking", "ip" ]`
add headers to lk 2022-01-16 18:20:39 +00:00			`---`
add network basics.md 2020-01-09 13:05:35 +00:00			`# You`

			`Check how your computer connects to the net:`

			`> ip address show`


			```

			`1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UP group default qlen 1000`
			`link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00`
			`inet 127.0.0.1/8 scope host lo`
			`valid_lft forever preferred_lft forever`
			`inet6 ::1/128 scope host`
			`valid_lft forever preferred_lft forever`
			`3: wlp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000`
			`link/ether 84:3a:4b:ca:5c:24 brd ff:ff:ff:ff:ff:ff`
			`inet 192.168.0.13/24 brd 192.168.0.255 scope global dynamic noprefixroute wlp3s0`
			`valid_lft 199143sec preferred_lft 172143sec`
			`inet6 fe80::22:5eb9:8a3a:95b2/64 scope link`
			`valid_lft forever preferred_lft forever`
			`4: wwp0s20u4i6: <BROADCAST,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000`
			`link/ether fa:cd:4d:28:ec:dc brd ff:ff:ff:ff:ff:ff`
			`inet 169.254.104.159/16 brd 169.254.255.255 scope global noprefixroute wwp0s20u4i6`
			`valid_lft forever preferred_lft forever`
			`inet6 fe80::e9d3:506c:c0a9:6679/64 scope link`
			`valid_lft forever preferred_lft forever`

			```

			`That's too much output to read, so try:`

			`> ip address show \| grep inet`

			```

			`inet 127.0.0.1/8 scope host lo`
			`inet6 ::1/128 scope host`
			`inet 192.168.0.13/24 brd 192.168.0.255 scope global dynamic noprefixroute wlp3s0`
			`inet6 fe80::22:5eb9:8a3a:95b2/64 scope link`
			`inet 169.254.104.159/16 brd 169.254.255.255 scope global noprefixroute wwp0s20u4i6`
			`inet6 fe80::e9d3:506c:c0a9:6679/64 scope link`

			```

			`The starting numbers tell you about the address. You just have to memorize the meanings:`

			`\| Address Prefix \| Meaning \|`
			`\|:---:\|:---:\|`
			`\| 127.X \| The computer's name for itself, for when you want to ssh into your own machine \|`
			`\| ::1/128 \| Same thing, with ipv6 \|`
more cleanup 2022-01-26 22:35:07 +00:00			`\| 192.168.X \| A small Network address, given by a DHCP server (possibly your router) \|`
add network basics.md 2020-01-09 13:05:35 +00:00			`\| 169.X \| The interface to the internet wasn't given an ip address, so it's made up its own \|`

			# `arp-scan`

more cleanup 2022-01-26 22:35:07 +00:00			Look around your local Network with `arp-scan`.
add network basics.md 2020-01-09 13:05:35 +00:00
			`> sudo arp-scan -l`

			```

			`Interface: wlp3s0, type: EN10MB, MAC: 84:3a:4b:ca:5c:24, IPv4: 192.168.0.13`
			`Starting arp-scan 1.9.7 with 256 hosts (https://github.com/royhills/arp-scan)`
			`192.168.0.1 0c:02:27:bc:aa:a1 Technicolor CH USA Inc.`
			`192.168.0.15 b8:27:eb:4a:cd:d9 Raspberry Pi Foundation`
			`192.168.0.10 dc:0b:34:94:5c:c4 LG Electronics (Mobile Communications)`

			`3 packets received by filter, 0 packets dropped by kernel`
			`Ending arp-scan 1.9.7: 256 hosts scanned in 1.937 seconds (132.16 hosts/sec). 3 responded`

			```

			The interface here was `wlp3s0`. It starts with 'w', so it's a wifi card. Each internet adapter has a name, called a 'MAC address' in order to identify itself to outsiders. The first three parts of a MAC address are given by the manufacturer (like a family name), and the rest are just for that one device.

			The '192.168.0.1' address ends in '.1', so it's probably a router. The manufacturer is 'Technicolor' (`arp-scan` has identified this from the first digits of the MAC: '0c:02:27').

			`Next is 192.168.0.15, which is labelled as a 'raspberry pi'. Finally, the '.10' address is a mobille phone.`

			`Mac addresses are easy to fake, so don't trust this output to keep you safe.`

			# `nmap`

more cleanup 2022-01-26 22:35:07 +00:00			`Look around your entire Network from 192.168.0.1 to 192.168.0.255:`
add network basics.md 2020-01-09 13:05:35 +00:00
			`> sudo nmap -F 192.168.0.1/24`

			The `-F` means 'do this fast, by only scanning normal traffic' (ports below 1000).

			```

			`Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-09 13:52 CET`
			`Nmap scan report for 192.168.0.1`
			`Host is up (0.011s latency).`
			`Not shown: 99 closed ports`
			`PORT STATE SERVICE`
			`80/tcp open http`
			`MAC Address: 0C:02:27:BC:AA:A1 (Technicolor CH USA)`

			`Nmap scan report for 192.168.0.10`
			`Host is up (0.0040s latency).`
			`All 100 scanned ports on 192.168.0.10 are closed`
			`MAC Address: DC:0B:34:94:7C:C4 (LG Electronics (Mobile Communications))`

			`Nmap scan report for belgradecats (192.168.0.15)`
			`Host is up (0.0096s latency).`
			`Not shown: 98 closed ports`
			`PORT STATE SERVICE`
			`22/tcp open ssh`
			`53/tcp open domain`
			`MAC Address: B8:27:EB:4A:CD:D9 (Raspberry Pi Foundation)`

			`Nmap scan report for 192.168.0.13`
			`Host is up (0.0000080s latency).`
			`Not shown: 99 closed ports`
			`PORT STATE SERVICE`
			`22/tcp open ssh`

			`Nmap done: 256 IP addresses (4 hosts up) scanned in 5.34 seconds`

			```

			`Network traffic is split into different types of information. Each one gets a number called a 'port'. Most of this information is dead, so only a few ports are used nowadays.`

			`The first one shows port 80, so you can visit it on a web browser. The next shows 53 (so it's handing out names of local computers) and 22 (so you can access it via ssh).`

			`You can scan outside addresses with:`

			`> sudo nmap facebook.com`

			`However, when you scan something, that machine will see you, and you may set off alerts, which then have to bother whoever's looking after that address.`
			`So if you want to try out nmap from outside, find a place you have permission to scan (like your own external IP address), or try:`

			`> sudo nmap hack.me`

			`The hack.me website doesn't mind people scanning.`