<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>netstat command &#8211; lifeLinux: Linux Tips, Hacks, Tutorials, Ebooks</title>
	<atom:link href="https://lifelinux.com/tag/netstat-command/feed/" rel="self" type="application/rss+xml" />
	<link>https://lifelinux.com</link>
	<description>All About Linux !</description>
	<lastBuildDate>Fri, 28 Dec 2012 08:33:50 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=5.5.3</generator>
	<item>
		<title>How Do I Display Summary Statistics For Each Protocol On Linux ?</title>
		<link>https://lifelinux.com/how-do-i-display-summary-statistics-for-each-protocol-on-linux/</link>
					<comments>https://lifelinux.com/how-do-i-display-summary-statistics-for-each-protocol-on-linux/#respond</comments>
		
		<dc:creator><![CDATA[lifeLinux]]></dc:creator>
		<pubDate>Tue, 31 Jan 2012 10:47:51 +0000</pubDate>
				<category><![CDATA[Networking]]></category>
		<category><![CDATA[Sys Admin]]></category>
		<category><![CDATA[netstat command]]></category>
		<category><![CDATA[netstat statistic]]></category>
		<guid isPermaLink="false">http://www.lifelinux.com/?p=1321</guid>

					<description><![CDATA[<p>Q. How do I display summary statistics for each protocol on Linux ? A. Using netstat command to display summary statistics for each protocol. netstat command netstat (network statistics) is a command-line tool that displays network connections (both incoming and outgoing), routing tables, and a number of network interface statistics. It is available on Unix, [&#8230;]</p>
<p>The post <a rel="nofollow" href="https://lifelinux.com/how-do-i-display-summary-statistics-for-each-protocol-on-linux/">How Do I Display Summary Statistics For Each Protocol On Linux ?</a> appeared first on <a rel="nofollow" href="https://lifelinux.com">lifeLinux: Linux Tips, Hacks, Tutorials, Ebooks</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p></p><p><span style="color: #ff0000;">Q</span>. How do I display summary statistics for each protocol on Linux ?<br />
<span style="color: #008000;">A</span>. Use the netstat command to display summary statistics for each protocol.<br />
<span id="more-1321"></span></p>
<h2>netstat command</h2>
<p>netstat (network statistics) is a command-line tool that displays network connections (both incoming and outgoing), routing tables, and a number of network interface statistics. It is available on Unix, Unix-like, and Windows NT-based operating systems.</p>
<h2>Display summary statistics using netstat</h2>
<p>Simply use netstat -s</p>
<pre># netstat -s</pre>
<p>Output</p>
<pre>Ip:
    927340778 total packets received
    7 with invalid headers
    1959 with invalid addresses
    0 forwarded
    0 incoming packets discarded
    922379597 incoming packets delivered
    1280879573 requests sent out
    27 outgoing packets dropped
    4 fragments dropped after timeout
    757 reassemblies required
    354 packets reassembled ok
    4 packet reassembles failed
    20 fragments failed
Icmp:
    36541 ICMP messages received
    124 input ICMP message failed.
    ICMP input histogram:
        destination unreachable: 26890
        timeout in transit: 348
        source quenches: 11
        echo requests: 9274
        echo replies: 1
    18720 ICMP messages sent
    0 ICMP messages failed
    ICMP output histogram:
        destination unreachable: 9446
        echo replies: 9274
IcmpMsg:
        InType0: 1
        InType3: 26890
        InType4: 11
        InType8: 9274
        InType11: 348
        OutType0: 9274
        OutType3: 9446
Tcp:
    5916623 active connections openings
    36244722 passive connection openings
    102606 failed connection attempts
    3493764 connection resets received
    53 connections established
    918246879 segments received
    1254505238 segments send out
    22244556 segments retransmited
    0 bad segments received.
    5748855 resets sent
Udp:
    4086750 packets received
    9427 packets to unknown port received.
    0 packet receive errors
    4125646 packets sent
...</pre>
<p>To display the statistics for only the TCP or UDP protocols, type one of the following commands</p>
<pre># netstat -st
# netstat -su</pre>
<p>Output</p>
<pre>IcmpMsg:
    InType0: 1
    InType3: 26890
    InType4: 11
    InType8: 9274
    InType11: 348
    OutType0: 9274
    OutType3: 9446
Tcp:
    5917335 active connections openings
    36247817 passive connection openings
    102606 failed connection attempts
    3493814 connection resets received
    29 connections established
    918349626 segments received
    1254667978 segments send out
    22246760 segments retransmited
    0 bad segments received.
    5749332 resets sent
...</pre>
<p>To display a quick summary of interface statistics, type the following command</p>
<pre># netstat -i</pre>
<p>Output</p>
<pre>Kernel Interface table
Iface       MTU Met    RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0       1500   0 767575580      0      0      0 1120000223      0      0      0 BMRU
lo        16436   0 161102011      0      0      0 161102011      0      0      0 LRU</pre>
<p>To display extended interface statistics, type the following command</p>
<pre># netstat -ie</pre>
<p>Output</p>
<pre>Kernel Interface table
eth0      Link encap:Ethernet  HWaddr 00:25:90:0B:A3:E4
          inet addr:221.132.34.8  Bcast:221.132.34.95  Mask:255.255.255.224
          inet6 addr: fe80::225:90ff:fe0b:a3e4/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:767588970 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1120021944 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:4030025515 (3.7 GiB)  TX bytes:2208549264 (2.0 GiB)
          Interrupt:169 Memory:fb5e0000-fb600000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:161106440 errors:0 dropped:0 overruns:0 frame:0
          TX packets:161106440 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:3387569934 (3.1 GiB)  TX bytes:3387569934 (3.1 GiB)</pre>
]]></content:encoded>
					
					<wfw:commentRss>https://lifelinux.com/how-do-i-display-summary-statistics-for-each-protocol-on-linux/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>How Do I Find Hidden Processes and Ports ?</title>
		<link>https://lifelinux.com/how-do-i-find-hidden-processes-and-ports/</link>
					<comments>https://lifelinux.com/how-do-i-find-hidden-processes-and-ports/#respond</comments>
		
		<dc:creator><![CDATA[lifeLinux]]></dc:creator>
		<pubDate>Fri, 30 Dec 2011 02:09:03 +0000</pubDate>
				<category><![CDATA[Monitoring]]></category>
		<category><![CDATA[Sys Admin]]></category>
		<category><![CDATA[amd64]]></category>
		<category><![CDATA[bruteforcing]]></category>
		<category><![CDATA[dependency tree]]></category>
		<category><![CDATA[forensic tool]]></category>
		<category><![CDATA[hidden processes]]></category>
		<category><![CDATA[kernels]]></category>
		<category><![CDATA[lkms]]></category>
		<category><![CDATA[ms windows operating systems]]></category>
		<category><![CDATA[netstat]]></category>
		<category><![CDATA[netstat command]]></category>
		<category><![CDATA[posix]]></category>
		<category><![CDATA[process ids]]></category>
		<category><![CDATA[security projects]]></category>
		<category><![CDATA[ss command]]></category>
		<category><![CDATA[tcp udp ports]]></category>
		<category><![CDATA[unhide-tcp command]]></category>
		<guid isPermaLink="false">http://www.lifelinux.com/?p=1274</guid>

					<description><![CDATA[<p>Unhide is a forensic tool to find hidden processes and TCP/UDP ports by rootkits / LKMs or by another hidden technique. Unhide (ps) Detecting hidden processes. Implements six techniques Compare /proc vs /bin/ps output  Compare info gathered from /bin/ps with info gathered by walking thru the procfs. Compare info gathered from /bin/ps with info gathered [&#8230;]</p>
<p>The post <a rel="nofollow" href="https://lifelinux.com/how-do-i-find-hidden-processes-and-ports/">How Do I Find Hidden Processes and Ports ?</a> appeared first on <a rel="nofollow" href="https://lifelinux.com">lifeLinux: Linux Tips, Hacks, Tutorials, Ebooks</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><strong>Unhide</strong> is a forensic tool for finding processes and TCP/UDP ports hidden by rootkits, LKMs or other hiding techniques.<span id="more-1274"></span><br />
<strong>Unhide (ps)</strong><br />
Detects hidden processes. Implements six techniques:</p>
<ul>
<li>Compare /proc vs /bin/ps output</li>
<li>Compare info gathered from /bin/ps with info gathered by walking through procfs.</li>
<li>Compare info gathered from /bin/ps with info gathered from syscalls (syscall scanning).</li>
<li>Full PID space occupation (PID brute forcing)</li>
<li>Reverse search: verify that all threads seen by ps are also seen by the kernel (/bin/ps output vs /proc, procfs walking and syscall)</li>
<li>Quick compare /proc, procfs walking and syscall vs /bin/ps output.</li>
</ul>
<p><strong>Unhide-TCP</strong><br />
Identifies TCP/UDP ports that are listening but not listed by /bin/netstat, by brute forcing all available TCP/UDP ports.</p>
<h2>How do I install unhide</h2>
<p>To install Unhide under CentOS/RedHat, log in as root and type the following command</p>
<pre>
# yum install unhide
</pre>
<p>Sample outputs</p>
<pre>
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package unhide.x86_64 0:0.0.20080519-1.el5.rf set to be updated
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package       Arch          Version                      Repository       Size
================================================================================
Installing:
 unhide        x86_64        0.0.20080519-1.el5.rf        rpmforge        528 k

Transaction Summary
================================================================================
Install       1 Package(s)
Upgrade       0 Package(s)

Total download size: 528 k
Is this ok [y/N]: y
Downloading Packages:
unhide-0.0.20080519-1.el5.rf.x86_64.rpm                  | 528 kB     00:02
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing     : unhide                                                   1/1

Installed:
  unhide.x86_64 0:0.0.20080519-1.el5.rf

Complete!
</pre>
<h2>How do I use this tool</h2>
<p>Run it with one of the tests proc, sys or brute. In the synopsis below, | separates the alternatives and is not a shell pipe:</p>
<pre>
# unhide proc | sys | brute
</pre>
<p>For example, type the following command to find hidden processes</p>
<pre>
# unhide proc
Unhide 20080519
yjesus@security-projects.com
[*]Searching for Hidden processes through /proc scanning
</pre>
<p>For example, type the following command to find hidden TCP/UDP ports</p>
<pre>
# unhide-tcp
</pre>
<p>Sample outputs</p>
<pre>
Unhide 20080519
yjesus@security-projects.com
Starting TCP checking
Starting UDP checking
</pre>
<p>No hidden ports were found by the unhide-tcp command.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://lifelinux.com/how-do-i-find-hidden-processes-and-ports/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>10 lsof Command Examples</title>
		<link>https://lifelinux.com/10-lsof-command-examples/</link>
					<comments>https://lifelinux.com/10-lsof-command-examples/#respond</comments>
		
		<dc:creator><![CDATA[lifeLinux]]></dc:creator>
		<pubDate>Sat, 14 May 2011 16:41:13 +0000</pubDate>
				<category><![CDATA[Bash Shell]]></category>
		<category><![CDATA[Sys Admin]]></category>
		<category><![CDATA[command line options]]></category>
		<category><![CDATA[fuser command]]></category>
		<category><![CDATA[grep command]]></category>
		<category><![CDATA[grep program]]></category>
		<category><![CDATA[internet connections]]></category>
		<category><![CDATA[Linux]]></category>
		<category><![CDATA[linux-distributions]]></category>
		<category><![CDATA[list open files]]></category>
		<category><![CDATA[ls command]]></category>
		<category><![CDATA[lsof]]></category>
		<category><![CDATA[lsof command]]></category>
		<category><![CDATA[netstat command]]></category>
		<category><![CDATA[operating system]]></category>
		<category><![CDATA[port numbers]]></category>
		<category><![CDATA[process id]]></category>
		<category><![CDATA[proto]]></category>
		<category><![CDATA[ps command]]></category>
		<category><![CDATA[running processes]]></category>
		<category><![CDATA[servers]]></category>
		<category><![CDATA[sockets]]></category>
		<category><![CDATA[udp]]></category>
		<category><![CDATA[UNIX]]></category>
		<guid isPermaLink="false">http://www.lifelinux.com/?p=523</guid>

					<description><![CDATA[<p>The lsof command or &#8220;list open files&#8221; command in Linux is a powerful tool. In Linux and Unix everything behind the scenes are just files. This includes IP sockets, pipes, unix sockets, directories, devices, even inodes are just files. This means that lsof can actually tell you a lot of information of what is going [&#8230;]</p>
<p>The post <a rel="nofollow" href="https://lifelinux.com/10-lsof-command-examples/">10 lsof Command Examples</a> appeared first on <a rel="nofollow" href="https://lifelinux.com">lifeLinux: Linux Tips, Hacks, Tutorials, Ebooks</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>The <strong>lsof command</strong> or &#8220;list open files&#8221; command in Linux is a powerful tool. In Linux and Unix, everything behind the scenes is just a file. This includes IP sockets, pipes, Unix sockets, directories and devices; even inodes are just files. This means that lsof can tell you a lot about what is going on on your system.<span id="more-523"></span></p>
<h3>Synopsis</h3>
<pre>
lsof [ -?abChlnNOPRstUvVX ] [ -A A ] [ -c c ] [ +|-d d ] [ +|-D D ] [ +|-f [cfgGn] ] [ -F [f] ] [ -g [s] ] [ -i [i] ] [ -k k ] [ +|-L [l] ] [ -m m ] [ +|-M ] [ -o [o] ] [ -p s ] [ +|-r [t] ] [ -S [t] ] [ -T [t] ] [ -u s ] [ +|-w ] [ -- ] [names] 
</pre>
<h3>Example 1: Show all opened files</h3>
<p>Type the following command</p>
<pre>
lsof | more
</pre>
<p>Sample outputs</p>
<pre>
COMMAND     PID      USER   FD      TYPE     DEVICE      SIZE       NODE NAME
init          1      root  cwd       DIR      253,4      4096          2 /
init          1      root  rtd       DIR      253,4      4096          2 /
init          1      root  txt       REG      253,4     38652   41746599 /sbin/init
init          1      root  mem       REG      253,4    129900   16252964 /lib/ld-2.5.so
init          1      root  mem       REG      253,4   1693812   16252965 /lib/libc-2.5.so
init          1      root  mem       REG      253,4     20668   16253168 /lib/libdl-2.5.so
init          1      root  mem       REG      253,4    245376   16253222 /lib/libsepol.so.1
init          1      root  mem       REG      253,4     93508   16253815 /lib/libselinux.so.1
init          1      root   10u     FIFO       0,17                 1277 /dev/initctl
...
</pre>
<h3>Example 2: Show all opened internet sockets</h3>
<p>With the -i flag, lsof lists the internet sockets that are currently open</p>
<pre>
lsof -i
</pre>
<p>Sample outputs</p>
<pre>
COMMAND     PID   USER   FD   TYPE   DEVICE SIZE NODE NAME
sshd       2537   root    3u  IPv6     5348       TCP *:rockwell-csp2 (LISTEN)
mysqld     2625  mysql   11u  IPv4     5463       TCP *:mysql (LISTEN)
httpd      2731 apache    3u  IPv6 30048993       TCP *:http (LISTEN)
...
</pre>
<h3>Example 3: Show all network activity on a given port (80)</h3>
<pre>
lsof -i :80
</pre>
<p>Sample outputs</p>
<pre>
COMMAND   PID   USER   FD   TYPE   DEVICE SIZE NODE NAME
httpd    2731 apache    3u  IPv6 30048993       TCP *:http (LISTEN)
httpd    2731 apache   58u  IPv6 39448263       TCP server.com:http->adsl-dynamic-pool-xxx.hcm.fpt.vn:23527 (ESTABLISHED)
httpd    2731 apache   60u  IPv6 39448302       TCP server.com:http->crawl-66-249-69-83.googlebot.com:35190 (ESTABLISHED)
httpd    2731 apache   61u  IPv6 39448336       TCP server.com:http->v16-13.opera-mini.net:37548 (ESTABLISHED)
httpd    2731 apache   62u  IPv6 39448388       TCP server.com:http->v16-13.opera-mini.net:37561 (ESTABLISHED)
httpd    2731 apache   64u  IPv6 39447543       TCP server.com:http->adsl.viettel.vn:13636 (FIN_WAIT2)
</pre>
<h3>Example 4: Show all TCP/UDP connections</h3>
<pre>
lsof -i TCP
</pre>
<p>Sample outputs</p>
<pre>
sshd       2537   root    3u  IPv6     5348       TCP *:rockwell-csp2 (LISTEN)
mysqld     2625  mysql   11u  IPv4     5463       TCP *:mysql (LISTEN)
httpd      2731 apache    3u  IPv6 30048993       TCP *:http (LISTEN)
...
</pre>
<h3>Example 5: List open files associated with process ID</h3>
<p>The -p flag displays all open files associated with a specific process ID, for example process ID 2625</p>
<pre>
lsof -p 2625
</pre>
<p>Sample outputs</p>
<pre>
COMMAND  PID  USER   FD   TYPE     DEVICE      SIZE     NODE NAME
mysqld  2625 mysql  cwd    DIR      253,4      4096 21495811 /var/lib/mysql
mysqld  2625 mysql  rtd    DIR      253,4      4096        2 /
mysqld  2625 mysql  txt    REG      253,4   7020300 50999198 /usr/libexec/mysqld
mysqld  2625 mysql  DEL    REG      253,4           16253135 /lib/libcrypto.so.0.9.8e.#prelink#.64u8kX
mysqld  2625 mysql  mem    REG      253,4           16252984 /lib/libm-2.5.so (path inode=16253122)
mysqld  2625 mysql  DEL    REG      253,4           50996047 /usr/lib/libgssapi_krb5.so.2.2.#prelink#.YYIHuy
mysqld  2625 mysql  mem    REG      253,4           16252990 /lib/libselinux.so.1 (path inode=16253815)
mysqld  2625 mysql  mem    REG      253,4           16256252 /lib/libsepol.so.1 (path inode=16253222)
mysqld  2625 mysql  mem    REG      253,4     50848 16253138 /lib/libnss_files-2.5.so
mysqld  2625 mysql  mem    REG      253,4           16253825 /lib/librt-2.5.so (path inode=16253220)
mysqld  2625 mysql  mem    REG      253,4           16252942 /lib/ld-2.5.so (path inode=16252964)
mysqld  2625 mysql  mem    REG      253,4           50996107 /usr/lib/libstdc++.so.6.0.8 (path inode=50989584)
mysqld  2625 mysql  mem    REG      253,4           50996061 /usr/lib/libkrb5.so.3.3 (path inode=50999803)
mysqld  2625 mysql  mem    REG      253,4           16252980 /lib/libdl-2.5.so (path inode=16253168)
...
</pre>
<h3>Example 6: Show what a given user has open</h3>
<p>The -u flag shows what a given user has open</p>
<pre>
lsof -u apache
</pre>
<p>Sample outputs</p>
<pre>
COMMAND   PID   USER   FD   TYPE     DEVICE      SIZE     NODE NAME
httpd    2731 apache  cwd    DIR      253,4      4096        2 /
httpd    2731 apache  rtd    DIR      253,4      4096        2 /
httpd    2731 apache  txt    REG      253,4   3120954 51157630 /usr/local/apache/bin/httpd
httpd    2731 apache  mem    REG      253,4    375710 51157607 /usr/local/apache/lib/libaprutil-1.so.0.3.10
httpd    2731 apache  mem    REG      253,4     45432 16253184 /lib/libcrypt-2.5.so
httpd    2731 apache  mem    REG      253,4      7748 16253849 /lib/libcom_err.so.2.1
httpd    2731 apache  mem    REG      253,4      7880 16253845 /lib/libkeyutils-1.2.so
httpd    2731 apache  mem    REG      253,4    937178 51157689 /usr/local/apache/modules/mod_security2.so
httpd    2731 apache  mem    REG      253,4    129208 16253851 /lib/libpcre.so.0.0.1
...
</pre>
]]></content:encoded>
					
					<wfw:commentRss>https://lifelinux.com/10-lsof-command-examples/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
	</channel>
</rss>
