Linux: Introduction To Different Troubleshooting Tools

Internet Control Message Protocol (ICMP)

It is a network layer protocol in the TCP/IP suite used to carry control and error messages, for example that a destination is unreachable or that a packet's time to live has expired. These messages are very useful for troubleshooting network problems. ICMP messages are carried directly inside IP packets (IP protocol number 1); there is no transport protocol such as TCP or UDP underneath them, and they are not meant for carrying application data. The protocol's primary audience is network administrators and the troubleshooting tools they use, such as ping and traceroute.

Because ICMP messages travel inside IP datagrams, every ICMP message arrives with an IP header in front of it. The ICMP message itself is made up of four components, described below.

  • Type: It categorizes the ICMP message. The type occupies the first byte (eight bits, not eight bytes) of the message and states the purpose of the message. Some of the most common ICMP types:
    • Type 0: Echo reply.
    • Type 3: Destination unreachable.
    • Type 5: Redirect (a router telling the host to use a different gateway).
    • Type 8: Echo request, used to check whether a destination is reachable.
    • Type 11: Time exceeded (the TTL reached zero in transit).
  • Code: The second byte; a sub-category of the type. For type 3 (destination unreachable) there are 16 codes (0 to 15) giving the reason the destination could not be reached, for example:
    • Code 0: network unreachable.
    • Code 1: host unreachable.
    • Code 3: port unreachable (the packet reached the host, but nothing is listening on that port).
    • and so on, up to code 15.
  • Checksum: A 16-bit one's-complement checksum (RFC 1071) over the whole ICMP message that lets the receiver detect corruption. It is an integrity check against transmission errors only; anyone on the path can rewrite the message and recompute it.
  • Variable (rest of header): The remaining four bytes of the header, whose meaning depends on the type and code (for echo request and reply, an identifier and a sequence number), followed by the message data. For an error message such as destination unreachable, the data carries the IP header and first eight bytes of the packet that triggered the error, which is how the sender matches the error to a connection.
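To make the layout concrete, here is an added Python example (not code from the original page) that builds ICMP echo and destination-unreachable messages, computes the RFC 1071 checksum, and parses a message back into its type, code and rest-of-header fields. The type and code names are limited to the ones listed above; the message bytes are constructed locally and nothing is sent on the network.

```python
import struct

# Added example: build and parse ICMP messages (RFC 792 layout).
# Header: type (1 byte), code (1 byte), checksum (2 bytes), rest of header (4 bytes).
ICMP_TYPES = {0: "echo reply", 3: "destination unreachable", 5: "redirect",
              8: "echo request", 11: "time exceeded"}
UNREACHABLE_CODES = {0: "network unreachable", 1: "host unreachable",
                     3: "port unreachable"}


def icmp_checksum(data: bytes) -> int:
    """RFC 1071: one's-complement sum of 16-bit words, then complemented.
    The checksum field must be zero in `data` when computing a new checksum."""
    if len(data) % 2:
        data += b"\x00"  # odd length: pad with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes = b"") -> bytes:
    """Type 8 (request) or type 0 (reply); rest of header = identifier + sequence."""
    if icmp_type not in (0, 8):
        raise ValueError("echo messages are type 0 or 8")
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def build_unreachable(code: int, original_datagram: bytes) -> bytes:
    """Type 3; rest of header is unused (zero) and the data quotes the IP header
    plus the first 8 bytes of the datagram that could not be delivered."""
    quoted = original_datagram[:28]  # 20-byte IP header without options + 8 bytes
    header = struct.pack("!BBHI", 3, code, 0, 0)
    csum = icmp_checksum(header + quoted)
    return struct.pack("!BBHI", 3, code, csum, 0) + quoted


def parse_icmp(msg: bytes) -> dict:
    """Decode type/code and verify the checksum: summing a correct message with
    its checksum field included gives 0xFFFF, so icmp_checksum() returns 0."""
    if len(msg) < 8:
        raise ValueError("ICMP message is at least 8 bytes")
    icmp_type, code, csum = struct.unpack("!BBH", msg[:4])
    info = {"type": icmp_type, "type_name": ICMP_TYPES.get(icmp_type, "other"),
            "code": code, "checksum": csum,
            "checksum_ok": icmp_checksum(msg) == 0}
    if icmp_type in (0, 8):
        info["id"], info["seq"] = struct.unpack("!HH", msg[4:8])
        info["payload"] = msg[8:]
    elif icmp_type == 3:
        info["code_name"] = UNREACHABLE_CODES.get(code, "other")
        info["quoted_datagram"] = msg[8:]
    return info


if __name__ == "__main__":
    req = build_echo(8, ident=0x1234, seq=1, payload=b"abcdefgh")
    print(req.hex())
    print(parse_icmp(req))
```

The checksum verification trick in parse_icmp (recompute over the received bytes and expect zero) is the same one the kernel uses; flipping any byte of the message makes it fail, which is worth remembering when hand-crafting packets with a raw socket.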

PING

It is one of the most popular tools built on ICMP and is used to check whether a packet can reach a destination and come back. The method is simple: ping sends ICMP echo request (type 8) packets to the destination host and waits for an ICMP echo reply (type 0) for each one. When the destination receives the request and its reply arrives back at the sender, the ping is successful. Note that a failed ping does not always mean the host is down: many hosts and firewalls drop or rate-limit ICMP echo requests. Let's run the command below to examine it.

$ ping -c 5 enablegeek.com


In the terminal output, each line reports a reply of 64 bytes from enablegeek.com (104.21.43.216), followed by some information about the trip. The '-c' flag sets the count of echo requests to send; ping stops after that many and prints a summary. Without it, ping keeps going until you interrupt it with Ctrl-C.

The icmp_seq field shows the sequence number of each request. We sent 5 packets and received 5 replies. If sequence numbers are missing from the replies, packets are being lost somewhere on the path.

The 'ttl' value is the time to live of the reply packet and is tied to the hop count. Every router that forwards the packet decrements the TTL by one, and a packet whose TTL reaches zero is discarded (the router then sends an ICMP type 11, time exceeded, back to the sender). We do not want packets to circulate forever, which is the main reason for the TTL: every packet has a lifespan assigned to it. Because hosts start from a fixed initial TTL (commonly 64, 128 or 255), the value in the reply gives a rough idea of how many hops away the destination is.

Finally, 'time' is the round-trip time: how long the request took to travel from you to the destination and the reply to come back.
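The checks described above (missing sequence numbers, round-trip times, what the TTL says about distance) are easy to automate. The following is an added Python example, not code from the original page; the ping output it works on is constructed to look like the run above, with the reply for icmp_seq=3 lost, and the hop estimate assumes the remote host used one of the usual initial TTLs of 64, 128 or 255.

```python
import re

# Added example: analyse the lines ping prints. SAMPLE_OUTPUT is constructed
# to look like "ping -c 5 enablegeek.com" with the reply for icmp_seq=3 lost.
SAMPLE_OUTPUT = """\
PING enablegeek.com (104.21.43.216) 56(84) bytes of data.
64 bytes from 104.21.43.216 (104.21.43.216): icmp_seq=1 ttl=57 time=23.4 ms
64 bytes from 104.21.43.216 (104.21.43.216): icmp_seq=2 ttl=57 time=22.9 ms
64 bytes from 104.21.43.216 (104.21.43.216): icmp_seq=4 ttl=57 time=25.1 ms
64 bytes from 104.21.43.216 (104.21.43.216): icmp_seq=5 ttl=57 time=23.0 ms

--- enablegeek.com ping statistics ---
5 packets transmitted, 4 received, 20% packet loss, time 4005ms
"""

REPLY_RE = re.compile(
    r"^(?P<bytes>\d+) bytes from (?P<host>\S+).*?icmp_seq=(?P<seq>\d+) "
    r"ttl=(?P<ttl>\d+) time=(?P<rtt>[\d.]+) ms")


def parse_replies(output: str) -> list:
    """One dict per echo-reply line; the header and summary lines are skipped."""
    replies = []
    for line in output.splitlines():
        m = REPLY_RE.match(line)
        if m:
            replies.append({"bytes": int(m["bytes"]), "host": m["host"],
                            "seq": int(m["seq"]), "ttl": int(m["ttl"]),
                            "rtt_ms": float(m["rtt"])})
    return replies


def estimate_hops(ttl: int) -> int:
    """Assumption: the remote host started from one of the usual initial TTLs
    (64, 128 or 255); the hop count is the distance to the nearest one at or above."""
    for initial in (64, 128, 255):
        if ttl <= initial:
            return initial - ttl
    raise ValueError("TTL out of range")


def analyse(output: str, sent: int) -> dict:
    """Loss, missing sequence numbers, RTT statistics and a route-change hint."""
    replies = parse_replies(output)
    seen = {r["seq"] for r in replies}
    missing = [s for s in range(1, sent + 1) if s not in seen]
    rtts = [r["rtt_ms"] for r in replies]
    ttls = {r["ttl"] for r in replies}
    return {
        "sent": sent,
        "received": len(replies),
        "loss_pct": round(100.0 * (sent - len(replies)) / sent, 1),
        "missing_seq": missing,
        "rtt_min_ms": min(rtts) if rtts else None,
        "rtt_avg_ms": round(sum(rtts) / len(rtts), 1) if rtts else None,
        "rtt_max_ms": max(rtts) if rtts else None,
        # More than one TTL among the replies means the path changed mid-run.
        "ttl_changed": len(ttls) > 1,
        "estimated_hops": estimate_hops(min(ttls)) if ttls else None,
    }


if __name__ == "__main__":
    print(analyse(SAMPLE_OUTPUT, sent=5))
```

Feeding it live output is a matter of `ping -c 5 host | python3 script.py` with a `sys.stdin.read()` in place of SAMPLE_OUTPUT; the TTL-based hop estimate is only a hint, since intermediate devices can rewrite the TTL.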

Sockets and Ports

We have talked about data transmission through ports before. So, what is a port? A port is a 16-bit number that identifies which application or service on a host should send or receive the data: the IP address gets a packet to the host, and the port gets it to the right program. Well-known service names and their port numbers are listed in the /etc/services file. Let's look into it.

$ less /etc/services

The file is world-readable, so there is no need for sudo, and viewing it with a pager rather than an editor avoids accidentally changing it.

Snippet of output:

tcpmux          1/tcp                           # TCP port service multiplexer
echo            7/tcp
echo            7/udp
discard         9/tcp           sink null
discard         9/udp           sink null
systat          11/tcp          users
daytime         13/tcp
daytime         13/udp
netstat         15/tcp
qotd            17/tcp          quote

Now, let's talk about the socket. A socket is the endpoint of a connection: it combines an IP address, a port and a protocol, and it is what software uses to send and receive data. A TCP connection is identified by the pair of sockets at its two ends, so a separate socket is needed for each connection between a host and a destination. One of the handy tools for inspecting ports and sockets is netstat (from the net-tools package; on newer distributions it is considered deprecated in favour of ss from iproute2, which accepts similar options). Run the command below.

$ netstat -a 


It displays a list of sockets and connections. You may add the '-t' option to show only TCP sockets, '-u' for UDP, '-l' to show only listening sockets, '-n' to print numeric addresses and ports instead of resolving names, and '-p' (with sudo) to show which process owns each socket; 'sudo netstat -tulpn' is the usual combination for auditing what is listening on a machine. As you can see, the terminal displays a large amount of data. A brief explanation of the columns follows.

  • Proto: The protocol, tcp or udp (tcp6 and udp6 for IPv6 sockets).
  • Recv-Q: Bytes received by the kernel that the application has not yet read. For a listening socket it is instead the number of connections waiting to be accepted.
  • Send-Q: Bytes sent by the application that the remote host has not yet acknowledged.
  • Local address: The local IP address and port of the socket. An address of 0.0.0.0 or :: means the socket is bound to all interfaces and reachable from outside.
  • Foreign address: The remote IP address and port (0.0.0.0:* for a socket that is not connected to anyone).
  • State: It indicates the state of the socket. There are a few possible states for a TCP socket. These are listed below.
    • LISTEN: For a TCP connection the server side has to listen before a connection can be made. This state means the socket is waiting for incoming connections.
    • ESTABLISHED: The socket has an established connection.
    • SYN_SENT: The local side has sent a SYN and is waiting for the reply. Many sockets stuck here usually mean the remote host or a firewall is not answering.
    • CLOSE_WAIT: The remote host has closed its end of the connection and the local application has not yet closed the socket. Many sockets in this state point at an application that is leaking connections.
    • TIME_WAIT: After the local side has closed the connection, the socket waits (60 seconds on Linux) so that late packets from the old connection are not mistaken for a new one using the same ports.
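The two file formats above (the /etc/services table and the netstat columns) are simple enough to parse, and doing so turns the listing into an audit: which services are bound to every interface, and which connections are stuck in CLOSE_WAIT. The following Python is an added example, not code from the original page; both inputs are constructed excerpts in the real formats (a few /etc/services lines and the output of 'netstat -ant' on a hypothetical host with addresses 192.168.1.10, 104.18.29.213 and 93.184.216.34).

```python
# Added example. Both inputs are constructed excerpts in the real file formats:
# a few /etc/services lines and "netstat -ant" output from a hypothetical host.
SERVICES_TEXT = """\
# Network services, Internet style
tcpmux          1/tcp                           # TCP port service multiplexer
echo            7/tcp
echo            7/udp
ssh             22/tcp                          # SSH Remote Login Protocol
http            80/tcp          www             # WorldWideWeb HTTP
https           443/tcp                         # http protocol over TLS/SSL
ipp             631/tcp                         # Internet Printing Protocol
"""

NETSTAT_TEXT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.10:57428      104.18.29.213:443       ESTABLISHED
tcp      512      0 192.168.1.10:44212      93.184.216.34:80        CLOSE_WAIT
tcp6       0      0 :::80                   :::*                    LISTEN
udp        0      0 0.0.0.0:68              0.0.0.0:*
"""

WILDCARDS = {"0.0.0.0", "::"}  # "bound to all interfaces"


def parse_services(text: str) -> dict:
    """Map (port, proto) -> service name; comments and aliases are ignored."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, portproto = line.split()[:2]
        port, proto = portproto.split("/")
        table[(int(port), proto)] = name
    return table


def split_addr(addr: str) -> tuple:
    """'192.168.1.10:57428' -> ('192.168.1.10', 57428); ':::80' -> ('::', 80).
    A '*' port (unconnected socket) is returned as None."""
    host, port = addr.rsplit(":", 1)
    return host, (None if port == "*" else int(port))


def parse_netstat(text: str) -> list:
    """One dict per socket row; UDP rows have no State column."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or not parts[0].startswith(("tcp", "udp")):
            continue  # banner and header lines
        local_host, local_port = split_addr(parts[3])
        remote_host, remote_port = split_addr(parts[4])
        rows.append({"proto": parts[0], "recv_q": int(parts[1]), "send_q": int(parts[2]),
                     "local_host": local_host, "local_port": local_port,
                     "remote_host": remote_host, "remote_port": remote_port,
                     "state": parts[5] if len(parts) > 5 else None})
    return rows


def exposed_listeners(rows: list, services: dict) -> list:
    """Sockets bound to every interface and accepting traffic: the ones a remote
    attacker can reach. UDP sockets on a wildcard address count as well."""
    found = []
    for r in rows:
        accepting = r["state"] == "LISTEN" or r["proto"].startswith("udp")
        if accepting and r["local_host"] in WILDCARDS:
            proto = "udp" if r["proto"].startswith("udp") else "tcp"
            name = services.get((r["local_port"], proto), "unknown")
            found.append((proto, r["local_port"], name))
    return sorted(found)


def leaking_close_wait(rows: list) -> list:
    """CLOSE_WAIT with unread data: the peer has closed, but our application
    neither read the rest nor closed the socket; a classic connection leak."""
    return [(r["local_port"], r["remote_host"]) for r in rows
            if r["state"] == "CLOSE_WAIT" and r["recv_q"] > 0]


if __name__ == "__main__":
    services = parse_services(SERVICES_TEXT)
    rows = parse_netstat(NETSTAT_TEXT)
    print("exposed:", exposed_listeners(rows, services))
    print("leaking:", leaking_close_wait(rows))
```

On a real host, replace the constructed strings with `open("/etc/services").read()` and the output of `netstat -ant` (or `ss -ant`, whose columns are laid out slightly differently and would need the parser adjusted); the printer on 127.0.0.1:631 is correctly left out of the exposed list because it is only reachable locally.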

Analysis of Data Packet

We have mentioned data packets many times. I believe it is now appropriate that we look into them, although we will cover only the bare minimum. tcpdump and Wireshark are two well-known tools in Linux for packet analysis. I'll only be discussing tcpdump; I encourage readers to look up Wireshark as well.

The first step is to install the package. Run the command below to install it.

$ sudo apt update 
$ sudo apt install tcpdump

Now that we have tcpdump on our machine, we can look at the packets that arrive at a network interface. First, check the available network interfaces by running the command below.

$ ls /sys/class/net


As you can see, I have two interfaces on my system. Your output may vary. Let's capture packets on the wlo1 interface. You can run the command in a similar way; tcpdump needs root (or the CAP_NET_RAW capability) to open the interface.

$ sudo tcpdump -i wlo1

Snippet of output:

17:51:31.596888 IP 104.18.29.213.https > ohid-pc.57428: Flags [P.], seq 120:180, ack 1, win 8, length 60

It displays a lengthy stream of lines, one per packet; I have included only one here. Let's examine what it shows. First comes the timestamp (17:51:31.596888) at which the packet was captured. 'IP' means the packet is IPv4. Then come the source address (104.18.29.213.https, that is port 443 on 104.18.29.213; tcpdump resolves port numbers to names from /etc/services unless you pass -n) and the destination (ohid-pc.57428, port 57428 on the local machine). 'Flags [P.]' are the TCP flags: P is PSH and '.' is ACK, so this is a data segment. 'seq 120:180' says the segment carries stream bytes 120 up to 180; by default these sequence numbers are relative to the start of the connection. 'ack 1' is the acknowledgement number, 'win 8' the advertised receive window, and 'length 60' the number of payload bytes, which matches the sequence range.
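Reading these lines by eye does not scale to a capture of thousands of packets. The following Python is an added example, not code from the original page: it decodes tcpdump's one-line TCP summary into fields, expands the flag letters, checks that the sequence range agrees with the length, and then answers two questions a practitioner asks first (which direction the data flows in, and who is opening new connections). The first sample line is the one shown above; the other two are constructed to look like the SYN that opened that connection and the FIN that later closed it.

```python
import re

# Added example: decode tcpdump's one-line TCP summary. The first sample is the
# line quoted above; the other two are constructed to look like the SYN that
# opened that connection and the FIN that later closed it.
SAMPLE_LINES = [
    "17:51:31.596888 IP 104.18.29.213.https > ohid-pc.57428: Flags [P.], seq 120:180, ack 1, win 8, length 60",
    "17:51:30.100214 IP ohid-pc.57428 > 104.18.29.213.https: Flags [S], seq 3131071611, win 64240, options [mss 1460,sackOK,TS val 1 ecr 0,nop,wscale 7], length 0",
    "17:51:32.004501 IP ohid-pc.57428 > 104.18.29.213.https: Flags [F.], seq 1, ack 181, win 501, length 0",
]

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP6? (?P<src>\S+) > (?P<dst>\S+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
    r"(?:, seq (?P<seq_start>\d+)(?::(?P<seq_end>\d+))?)?"
    r"(?:, ack (?P<ack>\d+))?"
    r"(?:, win (?P<win>\d+))?"
    r"(?:, options \[(?P<options>[^\]]*)\])?"
    r", length (?P<length>\d+)$")

# tcpdump's single-letter TCP flag notation
FLAG_NAMES = {"S": "SYN", ".": "ACK", "P": "PSH", "F": "FIN", "R": "RST",
              "U": "URG", "W": "CWR", "E": "ECE"}


def split_endpoint(endpoint: str) -> tuple:
    """'104.18.29.213.https' -> ('104.18.29.213', 'https'): host and port are
    joined by a dot, so split on the last one. Ports stay strings because
    tcpdump prints names from /etc/services unless run with -n."""
    host, port = endpoint.rsplit(".", 1)
    return host, port


def parse_tcpdump_line(line: str) -> dict:
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("not a tcpdump TCP summary line: %r" % line)
    src_host, src_port = split_endpoint(m["src"])
    dst_host, dst_port = split_endpoint(m["dst"])
    start = int(m["seq_start"]) if m["seq_start"] else None
    end = int(m["seq_end"]) if m["seq_end"] else start
    length = int(m["length"])
    return {
        "timestamp": m["ts"],
        "src_host": src_host, "src_port": src_port,
        "dst_host": dst_host, "dst_port": dst_port,
        "flags": [FLAG_NAMES.get(c, c) for c in m["flags"]],
        "seq": (start, end),
        "ack": int(m["ack"]) if m["ack"] else None,
        "win": int(m["win"]) if m["win"] else None,
        "options": m["options"],
        "length": length,
        # A range "seq A:B" must span exactly `length` payload bytes.
        "consistent": (end - start) == length if start is not None else True,
    }


def bytes_per_direction(lines: list) -> dict:
    """Payload bytes carried in each direction: who is actually sending data."""
    totals = {}
    for p in map(parse_tcpdump_line, lines):
        key = (p["src_host"], p["dst_host"])
        totals[key] = totals.get(key, 0) + p["length"]
    return totals


def connection_attempts(lines: list) -> list:
    """Segments with only SYN set are new connection attempts; many of them to
    different ports in a short time is what a port scan looks like."""
    return [(p["src_host"], p["dst_host"], p["dst_port"])
            for p in map(parse_tcpdump_line, lines) if p["flags"] == ["SYN"]]


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_tcpdump_line(line))
    print(bytes_per_direction(SAMPLE_LINES))
    print(connection_attempts(SAMPLE_LINES))
```

The parser covers the default (non-verbose) TCP summary only; UDP and ICMP lines, and anything printed with -v, have different layouts and will raise ValueError, which is deliberate so that unhandled traffic is noticed rather than silently skipped. Run tcpdump with -n to get numeric ports if you want to compare them with the numbers in /etc/services.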

You can store the packets tcpdump captures in a file for a closer look later. The '-w' option writes the raw packets in pcap format, which is binary and not readable as text, so give the file a .pcap extension and read it back with 'tcpdump -r' (adding -n to skip name resolution) or open it in Wireshark. It can be accomplished by the following command.

$ sudo tcpdump -i wlo1 -w /dir/file.pcap