Device -- Device -- Device -- Device
         |
    Single cable

    Device
       |
Device-Switch-Device
       |
    Device

Device -> Device
  ^          |
  |          v
Device <- Device

Device ---- Device
  |  \    /  |
  |   \  /   |
  |    \/    |
  |    /\    |
  |   /  \   |
  |  /    \  |
Device ---- Device

Application Data
    |
    v
[Transport Header | Data]  <- Segment/Datagram
    |
    v
[Network Header | Transport Header | Data]  <- Packet
    |
    v
[Data Link Header | Network Header | Transport Header | Data | Trailer]  <- Frame
    |
    v
Bits on wire

1. Browser creates HTTP GET request
2. TCP adds port numbers and sequence numbers
3. IP adds source and destination IP addresses
4. Ethernet adds source and destination MAC addresses
5. Frame travels to switch
6. Switch reads MAC address and forwards
7. Frame reaches router
8. Router strips Ethernet header
9. Router reads IP address
10. Router adds new Ethernet header for next hop
11. Process repeats until reaching destination
12. Destination strips all headers
13. Browser receives HTTP response

7. Application  - What users see
6. Presentation - Data formatting
5. Session      - Connection management
4. Transport    - End-to-end delivery
3. Network      - Routing between networks
2. Data Link    - Local network communication
1. Physical     - Actual transmission medium

# Check link status
ip link show eth0

# Check for errors
ip -s link show eth0

# Check cable with ethtool
ethtool eth0

# Look for:
# - Link detected: yes/no
# - Speed: 1000Mb/s
# - Duplex: Full

Preamble (7 bytes): 10101010... (synchronization)
SFD (1 byte): 10101011 (start frame delimiter)
Destination MAC (6 bytes): Where's this going
Source MAC (6 bytes): Where's this from
Type/Length (2 bytes): Protocol type or frame length
Payload (46-1500 bytes): Actual data
FCS (4 bytes): Frame check sequence (CRC)

Version (4 bits): 4 for IPv4
IHL (4 bits): Header length (minimum 5)
DSCP (6 bits): QoS marking
ECN (2 bits): Congestion notification
Total Length (16 bits): Entire packet size
Identification (16 bits): Fragment ID
Flags (3 bits): DF (Don't Fragment) , MF (More Fragments)
Fragment Offset (13 bits): Fragment position
TTL (8 bits): Time to live (hop count)
Protocol (8 bits): Upper layer (6=TCP , 17=UDP , 1=ICMP)
Header Checksum (16 bits): Error detection
Source IP (32 bits): Sender address
Destination IP (32 bits): Receiver address
Options (variable): Rarely used

Source Port (16 bits)
Destination Port (16 bits)
Sequence Number (32 bits)
Acknowledgment Number (32 bits)
Data Offset (4 bits)
Reserved (3 bits)
Flags (9 bits): NS CWR ECE URG ACK PSH RST SYN FIN
Window Size (16 bits)
Checksum (16 bits)
Urgent Pointer (16 bits)
Options (variable)

Source Port (16 bits)
Destination Port (16 bits)
Length (16 bits)
Checksum (16 bits)

Application     (OSI 5,6,7)
Transport       (OSI 4)
Internet        (OSI 3)
Network Access  (OSI 1,2)

Application: Data
Transport: [TCP/UDP Header | Data] = Segment/Datagram
Network: [IP Header | Segment] = Packet
Data Link: [Ethernet Header | Packet | Trailer] = Frame
Physical: Bits

Physical: Bits
Data Link: Strip Ethernet header/trailer
Network: Strip IP header
Transport: Strip TCP/UDP header
Application: Data

T568B Pinout:
Pin 1: White/Orange
Pin 2: Orange
Pin 3: White/Green
Pin 4: Blue
Pin 5: White/Blue
Pin 6: Green
Pin 7: White/Brown
Pin 8: Brown

# Check cable with ethtool
ethtool eth0

# Look for:
# Speed: 1000Mb/s
# Duplex: Full
# Link detected: yes

# Check for errors
ip -s link show eth0
# Look for errors , dropped packets

Frame Control (2 bytes):
  Protocol Version (2 bits): Always 0
  Type (2 bits): Management, Control, Data
  Subtype (4 bits): Specific frame type
  To DS (1 bit): Going to distribution system
  From DS (1 bit): Coming from distribution system
  More Fragments (1 bit): More fragments follow
  Retry (1 bit): Retransmission
  Power Management (1 bit): Power save mode
  More Data (1 bit): More data buffered
  Protected Frame (1 bit): Encrypted
  Order (1 bit): Strictly ordered

Duration/ID (2 bytes): NAV or association ID
Address 1 (6 bytes): Receiver address
Address 2 (6 bytes): Transmitter address
Address 3 (6 bytes): Filtering address
Sequence Control (2 bytes): Fragment and sequence numbers
Address 4 (6 bytes): Optional (WDS)
QoS Control (2 bytes): Optional (QoS)
HT Control (4 bytes): Optional (802.11n+)
Frame Body (0-2304 bytes): Actual data
FCS (4 bytes): Frame check sequence

Beacons sent every 100ms (default)

Contains:
- Timestamp: Synchronization
- Beacon Interval: Time between beacons
- Capability Info: AP capabilities
- SSID: Network name
- Supported Rates: Data rates
- Channel: Current channel
- TIM: Traffic indication map
- Country Info: Regulatory domain
- Power Constraint: Max transmit power
- ERP Info: 802.11g protection
- RSN Info: Security capabilities

Channel 1: 2.412 GHz (center)
Channel 2: 2.417 GHz
Channel 3: 2.422 GHz
...
Channel 11: 2.462 GHz (US)
Channel 13: 2.472 GHz (Europe)
Channel 14: 2.484 GHz (Japan only)

Each channel is 20 MHz wide
Channels overlap (5 MHz spacing)
Non-overlapping: 1, 6, 11 (US)
Non-overlapping: 1, 5, 9, 13 (Europe)

UNII-1: 36, 40, 44, 48 (indoor)
UNII-2: 52, 56, 60, 64 (DFS required)
UNII-2 Extended: 100-144 (DFS required)
UNII-3: 149, 153, 157, 161, 165 (outdoor)

20 MHz, 40 MHz, 80 MHz, 160 MHz widths
No overlap issues
DFS: Dynamic Frequency Selection (radar avoidance)

802.11n: Up to 4x4 MIMO
802.11ac: Up to 8x8 MIMO
802.11ax: Up to 8x8 MIMO

Spatial streams increase throughput
Each stream is independent data path

Example:
2x2 MIMO = 2 transmit, 2 receive antennas
Can send 2 independent streams
Doubles throughput

802.11ac Wave 2 and 802.11ax

Downlink MU-MIMO (802.11ac):
- AP sends to multiple clients simultaneously
- Up to 4 clients at once
- Requires beamforming

Uplink MU-MIMO (802.11ax):
- Multiple clients send to AP simultaneously
- More efficient spectrum use

802.11ax only

Divides channel into Resource Units (RUs)
Multiple clients share same channel simultaneously
More efficient for small packets

Example 20 MHz channel:
- Can be divided into 9 RUs
- Each RU assigned to different client
- Reduces latency for IoT devices

Explicit Beamforming (802.11ac/ax):
- AP measures channel to each client
- Adjusts phase and amplitude per antenna
- Focuses signal toward client
- Increases range and throughput

Implicit Beamforming (802.11n):
- Uses channel reciprocity
- Less accurate

OFDMA: Multiple clients per channel
1024-QAM: Higher modulation
Target Wake Time: Battery savings
BSS Coloring: Interference reduction
Spatial Reuse: Overlapping BSS efficiency
Uplink MU-MIMO: Simultaneous uploads

# Show available networks
nmcli device wifi list

# Scan with iw
iw dev wlan0 scan

# Show current connection
iw dev wlan0 link

# Show channel info
iw dev wlan0 info

# Monitor mode (packet capture)
ip link set wlan0 down
iw dev wlan0 set monitor none
ip link set wlan0 up

# Capture WiFi packets
tcpdump -i wlan0 -w wifi_capture.pcap

# Or with airodump-ng
airodump-ng wlan0

1. Listen to medium (carrier sense)
2. If busy, wait
3. If idle, wait random backoff time (DIFS)
4. If still idle after backoff, transmit
5. Wait for ACK
6. If no ACK, collision occurred
7. Double backoff window and retry

SIFS (Short IFS): 10 μs
- Highest priority
- Used for ACK, CTS, poll responses

PIFS (PCF IFS): 30 μs
- Medium priority
- Used by AP in PCF mode

DIFS (DCF IFS): 50 μs
- Normal priority
- Used for data frames

EIFS (Extended IFS): 364 μs
- Lowest priority
- Used after error

Backoff Time = Random(0, CW) × Slot Time

CW (Contention Window):
- Starts at CWmin (15 for 802.11b)
- Doubles after each collision
- Up to CWmax (1023)
- Resets to CWmin after successful transmission

Slot Time:
- 20 μs for 802.11b
- 9 μs for 802.11a/g/n/ac

Used for hidden node problem

Process:
1. Station sends RTS to AP
2. AP responds with CTS
3. All stations hear CTS
4. All stations set NAV (Network Allocation Vector)
5. Original station transmits data
6. AP sends ACK

RTS/CTS adds overhead
Only used for large frames (configurable threshold)

Station A <-> AP <-> Station B

A and B can't hear each other
Both try to transmit to AP
Collisions occur at AP

RTS/CTS solves this:
- A sends RTS
- AP sends CTS (B hears this)
- B waits
- A transmits

Station A <-> Station B <-> Station C <-> Station D

B wants to send to A
C wants to send to D
C hears B's transmission
C waits unnecessarily (A and D don't interfere)

No perfect solution
CSMA/CA is conservative

Virtual carrier sense
Duration field in frame header
Tells other stations how long medium is busy

Example:
Frame has Duration = 500 μs
All stations set NAV timer to 500 μs
Stations wait 500 μs before attempting transmission

# Install iperf3
apt install iperf3

# Server
iperf3 -s

# Client (TCP)
iperf3 -c 192.168.1.100

# Client (UDP with bandwidth limit)
iperf3 -c 192.168.1.100 -u -b 100M

# Show detailed stats
iperf3 -c 192.168.1.100 -i 1 -t 30

Released: 1997
Encryption: RC4 stream cipher
Key Size: 40-bit or 104-bit
IV: 24-bit (too small)

How it works:
1. Shared key (PSK)
2. 24-bit IV prepended to key
3. RC4 keystream generated
4. XOR with plaintext
5. IV sent in clear with ciphertext

Fatal flaws:
- IV too small (repeats after ~5000 packets)
- IV reuse reveals keystream
- No integrity protection
- Weak key scheduling

Attack:
- Capture 40,000-100,000 packets
- Use aircrack-ng
- Crack key in minutes

# Put card in monitor mode
airmon-ng start wlan0

# Capture packets
airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w capture wlan0mon

# Speed up with packet injection (optional)
aireplay-ng -3 -b AA:BB:CC:DD:EE:FF -h YOUR:MAC:HERE wlan0mon

# Crack (need 40k+ IVs)
aircrack-ng capture-01.cap

Released: 2003 (WEP replacement)
Encryption: TKIP (Temporal Key Integrity Protocol)
Key Size: 128-bit
Authentication: PSK or 802.1X

TKIP improvements:
- Per-packet key mixing
- 48-bit IV (extended)
- Message Integrity Check (MIC)
- Key rotation

Still vulnerable:
- TKIP has weaknesses
- Deprecated in 2012

Released: 2004
Encryption: CCMP (AES-based)
Key Size: 128-bit
Authentication: PSK or 802.1X

CCMP (Counter Mode with CBC-MAC Protocol):
- AES encryption
- CTR mode for confidentiality
- CBC-MAC for integrity
- 48-bit packet number
- Strong security

Two modes:
1. WPA2-Personal (PSK)
   - Pre-shared key
   - 4-way handshake
   - Vulnerable to offline dictionary attack

2. WPA2-Enterprise (802.1X)
   - RADIUS authentication
   - Per-user credentials
   - Much more secure

Purpose: Derive session keys without transmitting them

Process:
1. AP sends ANonce (random number)
2. Client generates SNonce
3. Both derive PTK (Pairwise Transient Key)
   PTK = PRF(PMK, ANonce, SNonce, AP MAC, Client MAC)
4. Client sends SNonce + MIC
5. AP verifies MIC
6. AP sends GTK (Group Temporal Key) + MIC
7. Client sends ACK

Keys:
- PMK: Pairwise Master Key (from PSK or 802.1X)
- PTK: Pairwise Transient Key (session key)
- GTK: Group Temporal Key (multicast/broadcast)

# Capture handshake
airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w capture wlan0mon

# Deauth client to force reconnect (captures handshake)
aireplay-ng -0 5 -a AA:BB:CC:DD:EE:FF -c CLIENT:MAC:HERE wlan0mon

# Crack with dictionary
aircrack-ng -w wordlist.txt capture-01.cap

# Or use hashcat (faster)
hccapx capture-01.cap
hashcat -m 2500 capture.hccapx wordlist.txt

# Or use John the Ripper
john --wordlist=wordlist.txt --format=wpapsk capture.hccap

Encryption: CCMP or GCMP-256
Key Size: 128-bit or 192-bit
Authentication: SAE (Simultaneous Authentication of Equals)

SAE (Dragonfly):
- Replaces PSK 4-way handshake
- Forward secrecy
- Resistant to offline dictionary attacks
- Even if password is weak

Improvements:
- Protected Management Frames (mandatory)
- Individualized data encryption
- 192-bit security suite (WPA3-Enterprise)
- Easy Connect (QR code provisioning)

SAE Process:
1. Commit: Exchange commitments
2. Confirm: Verify commitments
3. Derive PMK from password + commitments
4. No handshake capture = no offline attack

Dragonblood attacks (2019):
- Downgrade attacks
- Side-channel leaks
- Denial of service

Mitigations:
- Firmware updates
- Disable transition mode
- Use strong passwords anyway

Components:
- Supplicant: Client device
- Authenticator: Access point
- Authentication Server: RADIUS

EAP (Extensible Authentication Protocol):
- EAP-TLS: Certificate-based (most secure)
- EAP-TTLS: Tunneled TLS
- PEAP: Protected EAP
- EAP-FAST: Flexible Authentication via Secure Tunneling

Process:
1. Client associates with AP
2. AP blocks all traffic except 802.1X
3. Client sends EAP identity
4. AP forwards to RADIUS
5. RADIUS challenges client
6. Client responds with credentials
7. RADIUS accepts or rejects
8. AP allows or denies access

# Install FreeRADIUS
apt install freeradius

# Configure /etc/freeradius/3.0/clients.conf
client ap {
    ipaddr = 192.168.1.1
    secret = shared_secret
}

# Configure /etc/freeradius/3.0/users
user1 Cleartext-Password := "password1"
    Reply-Message = "Welcome"

# Start RADIUS
systemctl start freeradius

# Configure hostapd for WPA2-Enterprise
# /etc/hostapd/hostapd.conf
interface=wlan0
ssid=SecureNetwork
hw_mode=g
channel=6
wpa=2
wpa_key_mgmt=WPA-EAP
auth_algs=1
ieee8021x=1
auth_server_addr=127.0.0.1
auth_server_port=1812
auth_server_shared_secret=shared_secret

Passive:
- Packet sniffing
- Handshake capture
- Traffic analysis

Active:
- Deauthentication
- Evil twin AP
- MITM attacks
- Rogue AP

WEP: Trivial to crack
WPA/WPA2-PSK: Dictionary attack on handshake
WPA2-Enterprise: Much harder (need valid credentials)
WPA3: Resistant to offline attacks

1. Use WPA3 (or WPA2-Enterprise)
2. Strong, unique passwords (20+ characters)
3. Hide SSID (security through obscurity, minimal benefit)
4. MAC filtering (easily bypassed, minimal benefit)
5. Disable WPS (vulnerable to brute force)
6. Use 802.1X for enterprise
7. Separate guest network
8. Monitor for rogue APs
9. Use VPN over WiFi
10. Keep firmware updated

# Show all interfaces
ip link show

# Show specific interface
ip link show eth0

# Show MAC address table (switches)
# On Linux bridge:
bridge fdb show

# Change MAC address (spoofing)
ip link set dev eth0 address aa:bb:cc:dd:ee:ff

Preamble (7 bytes): 10101010... (sync)
SFD (1 byte): 10101011 (start frame delimiter)
Destination MAC (6 bytes): Where to
Source MAC (6 bytes): Where from
EtherType (2 bytes): Protocol type
Payload (46-1500 bytes): Data
FCS (4 bytes): Frame Check Sequence (CRC32)

# Show MTU
ip link show eth0

# Change MTU
ip link set dev eth0 mtu 9000

# Test MTU with ping
ping -M do -s 1472 8.8.8.8
# -M do: Don't fragment
# -s 1472: 1500 - 20 (IP) - 8 (ICMP) = 1472

1. Host needs to send to 192.168.1.100
2. Checks ARP cache
3. If not in cache, broadcasts ARP request
4. "Who has 192.168.1.100? Tell 192.168.1.50"
5. Device with 192.168.1.100 responds
6. "192.168.1.100 is at AA:BB:CC:DD:EE:FF"
7. Requesting host caches the mapping
8. Communication proceeds

Hardware Type (2 bytes): 1 for Ethernet
Protocol Type (2 bytes): 0x0800 for IPv4
Hardware Address Length (1 byte): 6 for MAC
Protocol Address Length (1 byte): 4 for IPv4
Operation (2 bytes): 1=Request , 2=Reply
Sender Hardware Address (6 bytes): Sender MAC
Sender Protocol Address (4 bytes): Sender IP
Target Hardware Address (6 bytes): Target MAC (00:00:00:00:00:00 in request)
Target Protocol Address (4 bytes): Target IP

# View ARP cache
ip neigh show
# or
arp -n

# Add static ARP entry
ip neigh add 192.168.1.100 lladdr aa:bb:cc:dd:ee:ff dev eth0

# Delete ARP entry
ip neigh del 192.168.1.100 dev eth0

# Flush ARP cache
ip neigh flush all

Port    MAC Address         Age (seconds)
1       AA:BB:CC:DD:EE:FF   60
2       11:22:33:44:55:66   45
3       AA:11:BB:22:CC:33   120

# Show MAC address table
bridge fdb show

# Show with interface
bridge fdb show dev eth0

# Add static entry
bridge fdb add aa:bb:cc:dd:ee:ff dev eth0

# Load 8021q module
modprobe 8021q

# Create VLAN interface
ip link add link eth0 name eth0.10 type vlan id 10

# Bring up interface
ip link set dev eth0.10 up

# Assign IP address
ip addr add 192.168.10.1/24 dev eth0.10

# Delete VLAN interface
ip link delete eth0.10

# Show VLAN interfaces
ip -d link show

# /etc/network/interfaces
auto eth0.10
iface eth0.10 inet static
    address 192.168.10.1
    netmask 255.255.255.0
    vlan-raw-device eth0

Standard Ethernet Frame:
[Dest MAC | Source MAC | EtherType | Data | FCS]

802.1Q Tagged Frame:
[Dest MAC | Source MAC | 802.1Q Tag | EtherType | Data | FCS]

802.1Q Tag (4 bytes):
TPID (2 bytes): 0x8100
TCI (2 bytes):
  Priority (3 bits): QoS
  CFI (1 bit): Canonical Format Indicator
  VLAN ID (12 bits): 0-4095

# Create bridge
ip link add name br0 type bridge
ip link set dev br0 up

# Enable VLAN filtering
ip link set dev br0 type bridge vlan_filtering 1

# Add interface to bridge
ip link set dev eth0 master br0

# Configure as trunk (allow VLANs 10,20,30)
bridge vlan add dev eth0 vid 10
bridge vlan add dev eth0 vid 20
bridge vlan add dev eth0 vid 30

# Set native VLAN (PVID)
bridge vlan add dev eth0 vid 99 pvid untagged

# Show VLAN configuration
bridge vlan show

Priority (16 bits): Default 32768
MAC Address (48 bits): Switch MAC

Lower bridge ID wins

# Create bridge
ip link add name br0 type bridge

# Enable STP
ip link set dev br0 type bridge stp_state 1

# Set bridge priority (lower wins)
ip link set dev br0 type bridge priority 4096

# Add interfaces
ip link set dev eth0 master br0
ip link set dev eth1 master br0

# Show STP status
bridge link show

# Show detailed STP info
cat /sys/class/net/br0/bridge/stp_state

# Install bonding module
modprobe bonding

# Create bond interface
ip link add bond0 type bond mode 802.3ad

# Set LACP rate (slow=30s , fast=1s)
echo fast > /sys/class/net/bond0/bonding/lacp_rate

# Add slaves
ip link set dev eth0 master bond0
ip link set dev eth1 master bond0

# Bring up interfaces
ip link set dev eth0 up
ip link set dev eth1 up
ip link set dev bond0 up

# Assign IP
ip addr add 192.168.1.10/24 dev bond0

# Show bond status
cat /proc/net/bonding/bond0

# /etc/network/interfaces
auto bond0
iface bond0 inet static
    address 192.168.1.10
    netmask 255.255.255.0
    bond-mode 802.3ad
    bond-miimon 100
    bond-lacp-rate fast
    bond-slaves eth0 eth1

192     .  168     .  1       .  100
11000000.10101000.00000001.01100100

IP:      192.168.1.100
Mask:    255.255.255.0
Network: 192.168.1.0
Host:    0.0.0.100

# Show IP addresses
ip addr show

# Add IP address
ip addr add 192.168.1.100/24 dev eth0

# Delete IP address
ip addr del 192.168.1.100/24 dev eth0

# Bring interface up
ip link set dev eth0 up

# Bring interface down
ip link set dev eth0 down

# Show routing table
ip route show

# Add default gateway
ip route add default via 192.168.1.1

# Add static route
ip route add 10.0.0.0/8 via 192.168.1.254

# /etc/network/interfaces
auto eth0
iface eth0 inet static
    address 192.168.1.100
    netmask 255.255.255.0
    gateway 192.168.1.1
    dns-nameservers 8.8.8.8 8.8.4.4

Class A: 10.0.0.0/8        (10.0.0.0 - 10.255.255.255)
Class B: 172.16.0.0/12     (172.16.0.0 - 172.31.255.255)
Class C: 192.168.0.0/16    (192.168.0.0 - 192.168.255.255)

255.255.255.0 = /24 = 11111111.11111111.11111111.00000000
255.255.255.128 = /25 = 11111111.11111111.11111111.10000000
255.255.255.192 = /26 = 11111111.11111111.11111111.11000000

Network: 192.168.1.0/24
Requirement: 4 subnets

Borrow 2 bits from host portion (2^2 = 4 subnets)
New mask: /26 (255.255.255.192)

Subnet 1: 192.168.1.0/26    (192.168.1.0 - 192.168.1.63)
Subnet 2: 192.168.1.64/26   (192.168.1.64 - 192.168.1.127)
Subnet 3: 192.168.1.128/26  (192.168.1.128 - 192.168.1.191)
Subnet 4: 192.168.1.192/26  (192.168.1.192 - 192.168.1.255)

Each subnet has 62 usable hosts (64 - 2)

Network: 10.0.0.0/8
Requirement: 100 subnets

Borrow 7 bits (2^7 = 128 subnets)
New mask: /15 (255.254.0.0)

Subnet 1: 10.0.0.0/15
Subnet 2: 10.2.0.0/15
Subnet 3: 10.4.0.0/15
...

Each subnet has 131,070 usable hosts

/24 = 256 addresses (254 usable)
/25 = 128 addresses (126 usable)
/26 = 64 addresses (62 usable)
/27 = 32 addresses (30 usable)
/28 = 16 addresses (14 usable)
/29 = 8 addresses (6 usable)
/30 = 4 addresses (2 usable) - point-to-point links
/31 = 2 addresses (2 usable) - RFC 3021 point-to-point
/32 = 1 address (host route)

1. Determine required subnets or hosts
2. Calculate bits needed (2^n >= requirement)
3. Borrow bits from host portion
4. Calculate new mask
5. Calculate subnet ranges

# Using ipcalc
ipcalc 192.168.1.0/24

# Using sipcalc
sipcalc 192.168.1.0/26

# Manual calculation
# Network: 192.168.1.64/26
# Mask: 255.255.255.192
# Wildcard: 0.0.0.63
# Network: 192.168.1.64
# Broadcast: 192.168.1.127
# First host: 192.168.1.65
# Last host: 192.168.1.126
# Hosts: 62

Network: 172.16.0.0/16
Requirements:
- 1 subnet with 500 hosts
- 2 subnets with 100 hosts each
- 3 subnets with 50 hosts each
- 4 subnets with 10 hosts each

Solution:
1. Largest first: 500 hosts needs /23 (510 usable)
   172.16.0.0/23

2. Next: 100 hosts needs /25 (126 usable)
   172.16.2.0/25
   172.16.2.128/25

3. Next: 50 hosts needs /26 (62 usable)
   172.16.3.0/26
   172.16.3.64/26
   172.16.3.128/26

4. Smallest: 10 hosts needs /28 (14 usable)
   172.16.3.192/28
   172.16.3.208/28
   172.16.3.224/28
   172.16.3.240/28

Combine multiple routes into one:

Routes:
192.168.0.0/24
192.168.1.0/24
192.168.2.0/24
192.168.3.0/24

Summary: 192.168.0.0/22

How:
192.168.0.0 = 11000000.10101000.00000000.00000000
192.168.3.0 = 11000000.10101000.00000011.00000000
                                    ^^
Common bits: 22
Summary: 192.168.0.0/22

8 groups of 4 hex digits
2001:0db8:85a3:0000:0000:8a2e:0370:7334

Shortening rules:
1. Leading zeros can be omitted
   2001:db8:85a3:0:0:8a2e:370:7334

2. Consecutive zero groups replaced with ::
   2001:db8:85a3::8a2e:370:7334

3. :: can only be used once

/64 is standard for LANs
/48 is typical allocation for sites
/32 is typical allocation for ISPs
/128 is single host

# Show IPv6 addresses
ip -6 addr show

# Add IPv6 address
ip -6 addr add 2001:db8::1/64 dev eth0

# Add IPv6 default route
ip -6 route add default via 2001:db8::1

# Enable IPv6 forwarding
sysctl -w net.ipv6.conf.all.forwarding=1

# Disable IPv6
sysctl -w net.ipv6.conf.all.disable_ipv6=1

# Show IPv6 neighbors (like ARP)
ip -6 neigh show

# /etc/network/interfaces
iface eth0 inet6 static
    address 2001:db8::100
    netmask 64
    gateway 2001:db8::1

IP Header (20 bytes)
ICMP Header:
  Type (1 byte): Message type
  Code (1 byte): Message subtype
  Checksum (2 bytes): Error detection
  Rest of Header (4 bytes): Varies by type
ICMP Data (variable): Depends on type

Type 0: Echo Reply (ping response)
  Code 0: Echo reply

Type 3: Destination Unreachable
  Code 0: Network unreachable
  Code 1: Host unreachable
  Code 2: Protocol unreachable
  Code 3: Port unreachable
  Code 4: Fragmentation needed but DF set
  Code 5: Source route failed
  Code 6: Destination network unknown
  Code 7: Destination host unknown
  Code 9: Network administratively prohibited
  Code 10: Host administratively prohibited
  Code 13: Communication administratively prohibited

Type 4: Source Quench (deprecated)
  Code 0: Congestion control

Type 5: Redirect
  Code 0: Redirect for network
  Code 1: Redirect for host
  Code 2: Redirect for TOS and network
  Code 3: Redirect for TOS and host

Type 8: Echo Request (ping)
  Code 0: Echo request

Type 9: Router Advertisement
  Code 0: Router advertisement

Type 10: Router Solicitation
  Code 0: Router discovery

Type 11: Time Exceeded
  Code 0: TTL expired in transit
  Code 1: Fragment reassembly time exceeded

Type 12: Parameter Problem
  Code 0: Pointer indicates error
  Code 1: Missing required option
  Code 2: Bad length

Type 13: Timestamp Request
  Code 0: Timestamp

Type 14: Timestamp Reply
  Code 0: Timestamp reply

Type 30: Traceroute
  Code 0: Information request

Type: 8 (request) or 0 (reply)
Code: 0
Checksum: 16-bit checksum
Identifier: 16-bit ID (matches request to reply)
Sequence Number: 16-bit sequence (increments per ping)
Data: Variable (usually timestamp + padding)

Type: 3
Code: Specific reason (0-15)
Checksum: 16-bit checksum
Unused: 4 bytes (must be zero)
Data: IP header + first 8 bytes of original datagram

Type: 11
Code: 0 (TTL) or 1 (fragment)
Checksum: 16-bit checksum
Unused: 4 bytes (must be zero)
Data: IP header + first 8 bytes of original datagram

Many firewalls block ICMP
Some allow Echo Request/Reply only
Some rate-limit ICMP
Blocking all ICMP breaks PMTUD

1. Send packet with DF (Don't Fragment) flag
2. If packet too large for link
3. Router drops packet
4. Router sends ICMP Type 3 Code 4
5. Includes MTU of next hop
6. Sender reduces packet size
7. Repeat until packet gets through

# Capture all ICMP
tcpdump -i eth0 icmp

# Capture specific ICMP type
tcpdump -i eth0 'icmp[0] == 8'  # Echo Request
tcpdump -i eth0 'icmp[0] == 0'  # Echo Reply
tcpdump -i eth0 'icmp[0] == 11' # Time Exceeded

# Show ICMP details
tcpdump -i eth0 -vv icmp

1. Application creates ICMP Echo Request
   - Type: 8
   - Code: 0
   - Identifier: Process ID (usually)
   - Sequence: Starts at 1, increments
   - Data: Timestamp + padding (usually 56 bytes)

2. Kernel adds IP header
   - Source IP: Your IP
   - Destination IP: Target IP
   - Protocol: 1 (ICMP)
   - TTL: 64 (Linux default)

3. Packet sent to network

4. Each router decrements TTL
   - If TTL reaches 0, router drops packet
   - Router sends ICMP Time Exceeded

5. Packet reaches destination

6. Destination creates ICMP Echo Reply
   - Type: 0
   - Code: 0
   - Same Identifier
   - Same Sequence
   - Same Data (echoed back)

7. Reply travels back

8. Source receives reply

9. Calculate RTT (Round Trip Time)
   RTT = Current Time - Timestamp in Data

10. Display result

Ethernet Header (14 bytes)
IP Header (20 bytes):
  Source IP: 192.168.1.100
  Dest IP: 8.8.8.8
  Protocol: 1 (ICMP)
  TTL: 64
ICMP Header (8 bytes):
  Type: 8 (Echo Request)
  Code: 0
  Checksum: Calculated
  Identifier: 12345 (example)
  Sequence: 1
ICMP Data (56 bytes default):
  Timestamp: Current time
  Padding: Fill to desired size

Total: 98 bytes (14 + 20 + 8 + 56)

# Basic ping
ping 8.8.8.8

# Count (-c)
ping -c 4 8.8.8.8
# Sends exactly 4 packets then stops

# Interval (-i)
ping -i 0.2 8.8.8.8
# 200ms between packets (default 1s)
# Requires root for <0.2s

# Packet size (-s)
ping -s 1000 8.8.8.8
# 1000 bytes of data (total packet larger)

# Timeout (-W)
ping -W 2 8.8.8.8
# Wait 2 seconds for reply

# TTL (-t)
ping -t 10 8.8.8.8
# Set TTL to 10 hops

# Don't fragment (-M do)
ping -M do -s 1472 8.8.8.8
# Test MTU (1472 + 20 IP + 8 ICMP = 1500)

# Flood ping (-f) [requires root]
ping -f 8.8.8.8
# Send packets as fast as possible
# Shows . for sent, backspace for received

# Quiet (-q)
ping -q -c 100 8.8.8.8
# Only show summary

# Verbose (-v)
ping -v 8.8.8.8
# Show all ICMP packets (not just Echo)

# Specific interface (-I)
ping -I eth0 8.8.8.8
# Send from specific interface

# Numeric output (-n)
ping -n 8.8.8.8
# Don't resolve hostnames

--- 8.8.8.8 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3005ms
rtt min/avg/max/mdev = 10.123/15.456/20.789/4.321 ms

Explanation:
- Transmitted: Packets sent
- Received: Replies received
- Packet loss: (Transmitted - Received) / Transmitted
- Time: Total time for test
- RTT min: Fastest reply
- RTT avg: Average reply time
- RTT max: Slowest reply
- mdev: Standard deviation (jitter)

Reply from 8.8.8.8: icmp_seq=1 ttl=118 time=10.5 ms
- Reply received successfully
- Sequence number 1
- TTL 118 (started at ~128, crossed ~10 hops)
- Round trip time 10.5ms

Request timeout for icmp_seq=1
- No reply received
- Packet lost or filtered
- Could be firewall blocking

Destination Host Unreachable
- Router can't reach destination
- ICMP Type 3 Code 1
- Network problem

Network is unreachable
- No route to destination
- ICMP Type 3 Code 0
- Routing problem

From 192.168.1.1: Redirect Host
- Router telling you to use different gateway
- ICMP Type 5

# Ping entire subnet
for i in {1..254}; do
    ping -c 1 -W 1 192.168.1.$i | grep "64 bytes" &
done

# Or with fping
fping -a -g 192.168.1.0/24

# Or with nmap
nmap -sn 192.168.1.0/24

1. Firewall blocks ICMP
2. Host is down
3. Network unreachable
4. Routing problem
5. ICMP rate limiting
6. Wrong IP address
7. Network congestion

1. UDP (default on Linux)
2. ICMP (Windows default)
3. TCP (modern alternative)

Process:
1. Send UDP packet to high port (33434+)
2. Set TTL = 1
3. First router decrements TTL to 0
4. Router drops packet
5. Router sends ICMP Time Exceeded (Type 11 Code 0)
6. Record router IP and RTT
7. Increment TTL to 2
8. Second router decrements to 0
9. Second router sends ICMP Time Exceeded
10. Record second router
11. Repeat until destination reached
12. Destination sends ICMP Port Unreachable (Type 3 Code 3)
13. Done

Why high port?
- Unlikely to be open
- Triggers Port Unreachable
- Signals we reached destination

Process:
1. Send ICMP Echo Request
2. Set TTL = 1
3. First router decrements TTL to 0
4. Router sends ICMP Time Exceeded
5. Record router
6. Increment TTL
7. Repeat until destination
8. Destination sends ICMP Echo Reply
9. Done

Advantage:
- More likely to work through firewalls
- Same as ping

Disadvantage:
- Some routers don't respond to ICMP

Process:
1. Send TCP SYN packet
2. Set TTL = 1
3. Router decrements TTL to 0
4. Router sends ICMP Time Exceeded
5. Record router
6. Increment TTL
7. Repeat until destination
8. Destination sends TCP SYN-ACK or RST
9. Done

Advantage:
- Works when UDP/ICMP blocked
- Can target specific port

Disadvantage:
- Requires root
- More complex

Hop 1 (TTL=1):
IP Header:
  Source: 192.168.1.100
  Dest: 8.8.8.8
  TTL: 1
  Protocol: 17 (UDP)
UDP Header:
  Source Port: Random
  Dest Port: 33434
  Data: Timestamp

Router 1 Response:
IP Header:
  Source: 192.168.1.1 (router)
  Dest: 192.168.1.100 (you)
  Protocol: 1 (ICMP)
ICMP Header:
  Type: 11 (Time Exceeded)
  Code: 0 (TTL expired)
ICMP Data:
  Original IP header
  First 8 bytes of UDP packet

# Basic traceroute
traceroute 8.8.8.8

# ICMP mode (-I)
traceroute -I 8.8.8.8

# TCP mode (-T)
traceroute -T -p 80 8.8.8.8

# UDP mode (-U) [default]
traceroute -U 8.8.8.8

# Max hops (-m)
traceroute -m 15 8.8.8.8
# Stop after 15 hops

# Queries per hop (-q)
traceroute -q 1 8.8.8.8
# Send 1 probe per hop (default 3)

# Wait time (-w)
traceroute -w 2 8.8.8.8
# Wait 2 seconds for response

# Packet size (-s)
traceroute -s 100 8.8.8.8
# Use 100 byte packets

# Don't resolve names (-n)
traceroute -n 8.8.8.8
# Show IPs only

# Source address (-s)
traceroute -s 192.168.1.100 8.8.8.8
# Use specific source IP

# Interface (-i)
traceroute -i eth0 8.8.8.8
# Use specific interface

traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
 1  192.168.1.1 (192.168.1.1)  1.234 ms  1.456 ms  1.678 ms
 2  10.0.0.1 (10.0.0.1)  5.123 ms  5.234 ms  5.345 ms
 3  * * *
 4  8.8.8.8 (8.8.8.8)  10.123 ms  10.234 ms  10.345 ms

Explanation:
- Hop 1: First router at 192.168.1.1
  - 3 probes sent
  - RTT: 1.234ms, 1.456ms, 1.678ms
- Hop 2: Second router at 10.0.0.1
  - RTT: ~5ms
- Hop 3: No response (* * *)
  - Router doesn't respond to ICMP
  - Or firewall blocks
  - Packet still forwarded
- Hop 4: Destination reached
  - RTT: ~10ms

* * *
- No response
- Timeout
- Router doesn't send ICMP Time Exceeded
- Or firewall blocks

!H
- Host unreachable
- ICMP Type 3 Code 1

!N
- Network unreachable
- ICMP Type 3 Code 0

!P
- Protocol unreachable
- ICMP Type 3 Code 2

!S
- Source route failed
- ICMP Type 3 Code 5

!F
- Fragmentation needed
- ICMP Type 3 Code 4

!X
- Communication administratively prohibited
- ICMP Type 3 Code 13

# Better than traceroute
mtr 8.8.8.8

# Shows:
# - All hops
# - Packet loss per hop
# - Average latency
# - Best/worst/stddev
# - Real-time updates

# Report mode
mtr -r -c 100 8.8.8.8

# TCP mode
mtr -T -P 443 8.8.8.8

# No DNS
mtr -n 8.8.8.8

1. Find where packets are dropped
2. Identify slow hops
3. Discover network path
4. Troubleshoot routing
5. Measure latency per hop
6. Detect routing loops
7. Map network topology

1. Asymmetric routing
   - Forward path != return path
   - Shows only forward path

2. Load balancing
   - Different packets take different paths
   - Results inconsistent

3. ICMP rate limiting
   - Routers limit ICMP responses
   - Causes false timeouts

4. Firewalls
   - Block ICMP or UDP
   - Shows * * *

5. MPLS networks
   - Hide internal hops
   - Show only edge routers

1. Check if destination is directly connected
2. Check routing table for specific route
3. Check for network route
4. Use default route
5. If no route, drop packet and send ICMP unreachable

Destination     Gateway         Genmask         Flags   Metric  Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG      0       eth0
10.0.0.0        192.168.1.254   255.0.0.0       UG      0       eth0
192.168.1.0     0.0.0.0         255.255.255.0   U       0       eth0

Connected: 0
Static: 1
EIGRP: 90
OSPF: 110
RIP: 120
External EIGRP: 170
Unknown: 255

# Show routing table
ip route show

# Show with more detail
ip route show table all

# Show specific route
ip route get 8.8.8.8

# Show routing cache
ip route show cache

# Add route to network
ip route add 10.0.0.0/8 via 192.168.1.254

# Add default route
ip route add default via 192.168.1.1

# Add route with metric
ip route add 10.0.0.0/8 via 192.168.1.254 metric 10

# Add route via interface
ip route add 10.0.0.0/8 dev eth1

# Delete route
ip route del 10.0.0.0/8

# Replace route
ip route replace 10.0.0.0/8 via 192.168.1.253

# Debian/Ubuntu: /etc/network/interfaces
auto eth0
iface eth0 inet static
    address 192.168.1.100
    netmask 255.255.255.0
    gateway 192.168.1.1
    up ip route add 10.0.0.0/8 via 192.168.1.254

# RHEL/CentOS: /etc/sysconfig/network-scripts/route-eth0
10.0.0.0/8 via 192.168.1.254

# Primary route (AD 1)
ip route add 10.0.0.0/8 via 192.168.1.254

# Backup route (higher metric acts like higher AD)
ip route add 10.0.0.0/8 via 192.168.1.253 metric 10

# Install FRR
apt install frr

# Enable RIP daemon
sed -i 's/ripd=no/ripd=yes/' /etc/frr/daemons

# Start FRR
systemctl start frr

# Configure RIP
vtysh
configure terminal
router rip
 version 2
 network 192.168.1.0/24
 network 10.0.0.0/8
 passive-interface eth0
 exit
exit
write memory

# Enable OSPF daemon
sed -i 's/ospfd=no/ospfd=yes/' /etc/frr/daemons
systemctl restart frr

# Configure OSPF
vtysh
configure terminal
router ospf
 ospf router-id 1.1.1.1
 network 192.168.1.0/24 area 0
 network 10.0.0.0/8 area 1
 passive-interface eth0
 exit
exit
write memory

# Show OSPF neighbors
show ip ospf neighbor

# Show OSPF database
show ip ospf database

# Show OSPF routes
show ip route ospf

Cost = Reference Bandwidth / Interface Bandwidth

Default reference: 100 Mbps
Gigabit interface: 100/1000 = 1
Fast Ethernet: 100/100 = 1

# Configure interface authentication
interface eth0
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 MyPassword

Metric = [K1*Bandwidth + (K2*Bandwidth)/(256-Load) + K3*Delay] * [K5/(Reliability+K4)]

Default: K1=1, K2=0, K3=1, K4=0, K5=0
Simplified: Bandwidth + Delay

# Enable EIGRP daemon
sed -i 's/eigrpd=no/eigrpd=yes/' /etc/frr/daemons
systemctl restart frr

# Configure EIGRP
vtysh
configure terminal
router eigrp 100
 network 192.168.1.0/24
 network 10.0.0.0/8
 passive-interface eth0
 eigrp router-id 1.1.1.1
 exit
exit
write memory

# Show EIGRP neighbors
show ip eigrp neighbors

# Show EIGRP topology
show ip eigrp topology

# Show EIGRP routes
show ip route eigrp

1. Highest Weight
2. Highest Local Preference
3. Locally originated
4. Shortest AS Path
5. Lowest Origin
6. Lowest MED
7. eBGP over iBGP
8. Lowest IGP metric to next hop
9. Oldest route
10. Lowest router ID

# Enable BGP daemon
sed -i 's/bgpd=no/bgpd=yes/' /etc/frr/daemons
systemctl restart frr

# Configure BGP
vtysh
configure terminal
router bgp 65001
 bgp router-id 1.1.1.1
 neighbor 10.0.0.1 remote-as 65002
 network 192.168.1.0/24
 exit
exit
write memory

# Show BGP summary
show ip bgp summary

# Show BGP table
show ip bgp

# Show specific route
show ip bgp 8.8.8.8

# Redistribute OSPF into RIP
router rip
 redistribute ospf metric 5

# Redistribute RIP into OSPF
router ospf
 redistribute rip metric 100 metric-type 1

# Redistribute connected routes
router ospf
 redistribute connected

# Create route map
route-map OSPF-TO-RIP permit 10
 match ip address prefix-list ALLOWED
 set metric 5

# Apply to redistribution
router rip
 redistribute ospf route-map OSPF-TO-RIP

# Create routing table
echo "200 custom" >> /etc/iproute2/rt_tables

# Add rule based on source
ip rule add from 192.168.1.0/24 table custom

# Add routes to custom table
ip route add default via 10.0.0.1 table custom

# Add rule based on fwmark
iptables -t mangle -A PREROUTING -s 192.168.1.0/24 -j MARK --set-mark 1
ip rule add fwmark 1 table custom

# Show rules
ip rule show

# Show specific table
ip route show table custom

# Route based on destination port
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j MARK --set-mark 2
ip rule add fwmark 2 table web_traffic
ip route add default via 10.0.0.2 table web_traffic

# Route based on protocol
ip rule add ipproto tcp table tcp_traffic

Source Port (16 bits): 0-65535
Destination Port (16 bits): 0-65535
Sequence Number (32 bits): Byte position in stream
Acknowledgment Number (32 bits): Next expected byte
Data Offset (4 bits): Header length in 32-bit words
Reserved (3 bits): Must be zero
Flags (9 bits): NS CWR ECE URG ACK PSH RST SYN FIN
Window Size (16 bits): Receive window (flow control)
Checksum (16 bits): Error detection
Urgent Pointer (16 bits): Urgent data offset
Options (variable): MSS, Window Scale, SACK, Timestamps

# Capture TCP traffic
tcpdump -i eth0 'tcp' -w tcp_capture.pcap

# Show TCP connections
ss -tan

# Show TCP statistics
ss -s

# Show specific connection
ss -tan dst 8.8.8.8

# Show TCP with process info
ss -tanp

# Netstat alternative
netstat -tan

Client -> Server: SYN
  Seq = X (random ISN)
  Flags: SYN

Server -> Client: SYN-ACK
  Seq = Y (server's ISN)
  Ack = X + 1
  Flags: SYN, ACK

Client -> Server: ACK
  Seq = X + 1
  Ack = Y + 1
  Flags: ACK

Connection ESTABLISHED

# Capture SYN packets
tcpdump -i eth0 'tcp[tcpflags] & tcp-syn != 0'

# Capture SYN-ACK
tcpdump -i eth0 'tcp[tcpflags] & (tcp-syn|tcp-ack) == (tcp-syn|tcp-ack)'

# Watch handshake in Wireshark
# Filter: tcp.flags.syn==1 or tcp.flags.syn==1 && tcp.flags.ack==1

# Enable SYN cookies
sysctl -w net.ipv4.tcp_syncookies=1

# Make permanent
echo "net.ipv4.tcp_syncookies=1" >> /etc/sysctl.conf

Sender can send multiple packets before ACK
Window slides forward as ACKs received

Example with window size 3:
Send packets 1, 2, 3
Receive ACK for 1
Send packet 4
Receive ACK for 2
Send packet 5
...

# Enable window scaling
sysctl -w net.ipv4.tcp_window_scaling=1

# Set max window size
sysctl -w net.core.rmem_max=134217728  # 128MB
sysctl -w net.core.wmem_max=134217728

# Show current settings
sysctl net.ipv4.tcp_rmem
sysctl net.ipv4.tcp_wmem

# Set TCP buffer sizes (min, default, max)
sysctl -w net.ipv4.tcp_rmem="4096 87380 16777216"
sysctl -w net.ipv4.tcp_wmem="4096 65536 16777216"

Start with small congestion window (cwnd)
Double cwnd for each ACK
Continue until threshold reached
Then switch to congestion avoidance

Increase cwnd linearly
Add 1 MSS per RTT
Continue until packet loss detected

Receive 3 duplicate ACKs
Immediately retransmit lost packet
Don't wait for timeout

After fast retransmit
Reduce cwnd by half
Continue with congestion avoidance

# Show available algorithms
sysctl net.ipv4.tcp_available_congestion_control

# Show current algorithm
sysctl net.ipv4.tcp_congestion_control

# Set algorithm
sysctl -w net.ipv4.tcp_congestion_control=bbr

# Common algorithms:
# - reno: Classic algorithm
# - cubic: Default on Linux (better for high-speed networks)
# - bbr: Google's algorithm (best for varying conditions)

# Enable selective acknowledgments
sysctl -w net.ipv4.tcp_sack=1

# Enable timestamps
sysctl -w net.ipv4.tcp_timestamps=1

# Increase max SYN backlog
sysctl -w net.ipv4.tcp_max_syn_backlog=8192

# Reduce FIN timeout
sysctl -w net.ipv4.tcp_fin_timeout=30

# Enable TCP fast open
sysctl -w net.ipv4.tcp_fastopen=3

Source Port (16 bits): 0-65535
Destination Port (16 bits): 0-65535
Length (16 bits): Header + data length
Checksum (16 bits): Error detection (optional in IPv4)
Data (variable): Payload

# Show UDP connections
ss -uan

# Capture UDP traffic
tcpdump -i eth0 'udp'

# Send UDP packet with netcat
echo "test" | nc -u 192.168.1.100 5000

# Listen on UDP port
nc -ul 5000

# Limit UDP packets with iptables
iptables -A INPUT -p udp -m limit --limit 100/s -j ACCEPT
iptables -A INPUT -p udp -j DROP

20/21: FTP (data/control)
22: SSH
23: Telnet
25: SMTP
53: DNS
67/68: DHCP (server/client)
80: HTTP
110: POP3
143: IMAP
161/162: SNMP
443: HTTPS
445: SMB
3306: MySQL
3389: RDP
5432: PostgreSQL
5900: VNC
6379: Redis
8080: HTTP alternate
27017: MongoDB

# Show listening ports
ss -tuln

# Check if port is open
nc -zv 192.168.1.100 80

# Scan ports with nmap
nmap -p 1-1000 192.168.1.100

# Check what's using a port
lsof -i :80
# or
fuser 80/tcp

# iptables
iptables -A INPUT -p tcp --dport 80 -j ACCEPT

# firewalld
firewall-cmd --add-port=80/tcp --permanent
firewall-cmd --reload

# ufw
ufw allow 80/tcp

1. Discover: Client broadcasts "I need an IP"
2. Offer: Server offers IP address
3. Request: Client requests offered IP
4. Acknowledge: Server confirms assignment

# Install ISC DHCP server
apt install isc-dhcp-server

# Configure /etc/dhcp/dhcpd.conf
subnet 192.168.1.0 netmask 255.255.255.0 {
    range 192.168.1.100 192.168.1.200;
    option routers 192.168.1.1;
    option domain-name-servers 8.8.8.8, 8.8.4.4;
    option domain-name "example.local";
    default-lease-time 86400;
    max-lease-time 172800;
}

# Static assignment
host server1 {
    hardware ethernet aa:bb:cc:dd:ee:ff;
    fixed-address 192.168.1.50;
}

# Start DHCP server
systemctl start isc-dhcp-server
systemctl enable isc-dhcp-server

# Check leases
cat /var/lib/dhcp/dhcpd.leases

# Request IP address
dhclient eth0

# Release IP address
dhclient -r eth0

# Show lease info
cat /var/lib/dhcp/dhclient.leases

# Install relay
apt install isc-dhcp-relay

# Configure /etc/default/isc-dhcp-relay
SERVERS="192.168.1.10"
INTERFACES="eth0 eth1"

# Start relay
systemctl start isc-dhcp-relay

Root servers (.)
  |
TLD servers (.com, .org, .net)
  |
Authoritative servers (example.com)
  |
Subdomains (www.example.com)

A: IPv4 address
AAAA: IPv6 address
CNAME: Canonical name (alias)
MX: Mail exchange
NS: Name server
PTR: Pointer (reverse DNS)
SOA: Start of authority
TXT: Text records
SRV: Service locator
CAA: Certificate authority authorization

# Install BIND
apt install bind9 bind9utils

# Configure /etc/bind/named.conf.options
options {
    directory "/var/cache/bind";
    forwarders {
        8.8.8.8;
        8.8.4.4;
    };
    dnssec-validation auto;
    listen-on { any; };
    allow-query { any; };
};

# Create zone file /etc/bind/db.example.com
$TTL 86400
@   IN  SOA ns1.example.com. admin.example.com. (
        2024010101  ; Serial
        3600        ; Refresh
        1800        ; Retry
        604800      ; Expire
        86400 )     ; Minimum TTL

@       IN  NS  ns1.example.com.
ns1     IN  A   192.168.1.10
www     IN  A   192.168.1.20
mail    IN  A   192.168.1.30
@       IN  MX  10 mail.example.com.

# Add zone to /etc/bind/named.conf.local
zone "example.com" {
    type master;
    file "/etc/bind/db.example.com";
};

# Start BIND
systemctl start bind9
systemctl enable bind9

# Check configuration
named-checkconf
named-checkzone example.com /etc/bind/db.example.com

# Query DNS
dig example.com
dig @8.8.8.8 example.com

# Specific record type
dig example.com MX
dig example.com AAAA

# Reverse DNS
dig -x 8.8.8.8

# Trace query path
dig +trace example.com

# nslookup (legacy)
nslookup example.com

# host command
host example.com

# Install dnsmasq (lightweight DNS cache)
apt install dnsmasq

# Configure /etc/dnsmasq.conf
server=8.8.8.8
server=8.8.4.4
cache-size=1000

# Start dnsmasq
systemctl start dnsmasq

# Enable IP forwarding
sysctl -w net.ipv4.ip_forward=1
echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf

# Basic NAT (masquerade)
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# NAT with specific source
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE

# Static NAT (SNAT)
iptables -t nat -A POSTROUTING -s 192.168.1.100 -j SNAT --to-source 203.0.113.10

# Port forwarding (DNAT)
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.1.20:80

# Save rules
iptables-save > /etc/iptables/rules.v4

# Show NAT table
iptables -t nat -L -n -v

# Show connection tracking
conntrack -L

# Show NAT statistics
cat /proc/net/nf_conntrack

# Install chrony (modern NTP)
apt install chrony

# Configure /etc/chrony/chrony.conf
server 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst
server 2.pool.ntp.org iburst
server 3.pool.ntp.org iburst

# Allow clients
allow 192.168.1.0/24

# Start chrony
systemctl start chronyd
systemctl enable chronyd

# Check status
chronyc tracking
chronyc sources

# Sync time immediately
chronyc makestep

# Set time manually
timedatectl set-time "2024-01-01 12:00:00"

# Set timezone
timedatectl set-timezone America/New_York

# Install SNMP daemon
apt install snmpd

# Configure /etc/snmp/snmpd.conf
# SNMPv2c
rocommunity public 192.168.1.0/24
rwcommunity private 192.168.1.10

# SNMPv3
createUser monitor SHA myAuthPass AES myPrivPass
rouser monitor priv

# Start SNMP
systemctl start snmpd
systemctl enable snmpd

# Install tools
apt install snmp

# Query device (SNMPv2c)
snmpwalk -v2c -c public 192.168.1.1

# Query specific OID
snmpget -v2c -c public 192.168.1.1 1.3.6.1.2.1.1.1.0

# SNMPv3
snmpwalk -v3 -u monitor -l authPriv -a SHA -A myAuthPass -x AES -X myPrivPass 192.168.1.1

0: kernel
1: user
2: mail
3: daemon
4: auth
5: syslog
6: lpr
7: news
16-23: local0-local7

0: Emergency
1: Alert
2: Critical
3: Error
4: Warning
5: Notice
6: Informational
7: Debug

# Install rsyslog
apt install rsyslog

# Configure /etc/rsyslog.conf
# Enable UDP reception
module(load="imudp")
input(type="imudp" port="514")

# Enable TCP reception
module(load="imtcp")
input(type="imtcp" port="514")

# Template for remote logs
$template RemoteLogs,"/var/log/remote/%HOSTNAME%/%PROGRAMNAME%.log"
*.* ?RemoteLogs

# Start rsyslog
systemctl restart rsyslog

# Configure client /etc/rsyslog.conf
*.* @192.168.1.10:514  # UDP
*.* @@192.168.1.10:514 # TCP

# Test logging
logger -p local0.info "Test message"

GET: Retrieve resource
POST: Submit data
PUT: Update/create resource
DELETE: Remove resource
HEAD: Get headers only
OPTIONS: Get supported methods
PATCH: Partial update

1xx: Informational
2xx: Success (200 OK, 201 Created)
3xx: Redirection (301 Moved, 302 Found, 304 Not Modified)
4xx: Client Error (400 Bad Request, 401 Unauthorized, 403 Forbidden, 404 Not Found)
5xx: Server Error (500 Internal Server Error, 502 Bad Gateway, 503 Service Unavailable)

# Simple request with curl
curl http://example.com

# Show headers
curl -I http://example.com

# POST data
curl -X POST -d "param1=value1" http://example.com/api

# Custom headers
curl -H "Authorization: Bearer token" http://example.com/api

# Save response
curl -o output.html http://example.com

# Follow redirects
curl -L http://example.com

# Show request/response
curl -v http://example.com

# Check certificate
openssl s_client -connect example.com:443

# Show certificate details
openssl s_client -connect example.com:443 | openssl x509 -text

# Test specific TLS version
openssl s_client -connect example.com:443 -tls1_2

# Install vsftpd
apt install vsftpd

# Configure /etc/vsftpd.conf
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
pasv_min_port=40000
pasv_max_port=40100

# Start vsftpd
systemctl start vsftpd
systemctl enable vsftpd

# Connect to FTP server
ftp 192.168.1.100

# Commands:
# ls - list files
# cd - change directory
# get - download file
# put - upload file
# mget - download multiple
# mput - upload multiple
# binary - set binary mode
# ascii - set ASCII mode
# bye - disconnect

# Connect to SFTP server
sftp user@192.168.1.100

# Same commands as FTP
# Plus: chmod, chown, mkdir, rmdir

# Install OpenSSH server
apt install openssh-server

# Configure /etc/ssh/sshd_config
Port 22
PermitRootLogin no
PasswordAuthentication yes
PubkeyAuthentication yes
X11Forwarding no
AllowUsers user1 user2

# Start SSH
systemctl start sshd
systemctl enable sshd

# Connect to server
ssh user@192.168.1.100

# Specific port
ssh -p 2222 user@192.168.1.100

# Execute command
ssh user@192.168.1.100 'ls -la'

# Copy files (SCP)
scp file.txt user@192.168.1.100:/tmp/
scp user@192.168.1.100:/tmp/file.txt ./

# Recursive copy
scp -r directory/ user@192.168.1.100:/tmp/

# Generate key pair
ssh-keygen -t ed25519 -C "your_email@example.com"

# Copy public key to server
ssh-copy-id user@192.168.1.100

# Or manually
cat ~/.ssh/id_ed25519.pub | ssh user@192.168.1.100 'cat >> ~/.ssh/authorized_keys'

# Disable password authentication
# /etc/ssh/sshd_config
PasswordAuthentication no

# Local port forwarding
ssh -L 8080:localhost:80 user@192.168.1.100

# Remote port forwarding
ssh -R 8080:localhost:80 user@192.168.1.100

# Dynamic port forwarding (SOCKS proxy)
ssh -D 1080 user@192.168.1.100

# Connect to server
telnet 192.168.1.100

# Specific port (useful for testing)
telnet 192.168.1.100 80

# Test SMTP
telnet mail.example.com 25

# Test SMTP
telnet mail.example.com 25
EHLO example.com
MAIL FROM:<sender@example.com>
RCPT TO:<recipient@example.com>
DATA
Subject: Test
Test message
.
QUIT

# Test POP3
telnet mail.example.com 110
USER username
PASS password
LIST
RETR 1
QUIT

# Test IMAP
telnet mail.example.com 143
A1 LOGIN username password
A2 LIST "" "*"
A3 SELECT INBOX
A4 FETCH 1 BODY[]
A5 LOGOUT

# Install Samba
apt install samba

# Configure /etc/samba/smb.conf
[share]
    path = /srv/samba/share
    browseable = yes
    read only = no
    guest ok = no
    valid users = user1

# Create Samba user
smbpasswd -a user1

# Start Samba
systemctl start smbd
systemctl enable smbd

# Mount SMB share
mount -t cifs //192.168.1.100/share /mnt -o username=user1

# Install NFS server
apt install nfs-kernel-server

# Configure /etc/exports
/srv/nfs 192.168.1.0/24(rw,sync,no_subtree_check)

# Export shares
exportfs -a

# Start NFS
systemctl start nfs-kernel-server

# Mount NFS share
mount -t nfs 192.168.1.100:/srv/nfs /mnt

# Block specific IP
iptables -A INPUT -s 192.168.1.50 -j DROP

# Allow specific IP
iptables -A INPUT -s 192.168.1.100 -j ACCEPT

# Block specific port
iptables -A INPUT -p tcp --dport 23 -j DROP

# Allow SSH from specific network
iptables -A INPUT -p tcp -s 192.168.1.0/24 --dport 22 -j ACCEPT

# Default deny
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# List rules
iptables -L -n -v

# Flush all rules
iptables -F

# Allow established connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow loopback
iptables -A INPUT -i lo -j ACCEPT

# Allow SSH
iptables -A INPUT -p tcp --dport 22 -j ACCEPT

# Allow HTTP/HTTPS
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT

# Drop everything else
iptables -P INPUT DROP

# Save rules
iptables-save > /etc/iptables/rules.v4

# Create table
nft add table inet filter

# Create chains
nft add chain inet filter input { type filter hook input priority 0 \; policy drop \; }
nft add chain inet filter forward { type filter hook forward priority 0 \; policy drop \; }
nft add chain inet filter output { type filter hook output priority 0 \; policy accept \; }

# Add rules
nft add rule inet filter input ct state established,related accept
nft add rule inet filter input iif lo accept
nft add rule inet filter input tcp dport 22 accept
nft add rule inet filter input tcp dport { 80, 443 } accept

# List rules
nft list ruleset

# Save rules
nft list ruleset > /etc/nftables.conf

# Install OpenVPN
apt install openvpn easy-rsa

# Setup PKI
make-cadir ~/openvpn-ca
cd ~/openvpn-ca
./easyrsa init-pki
./easyrsa build-ca
./easyrsa gen-req server nopass
./easyrsa sign-req server server
./easyrsa gen-dh

# Server config /etc/openvpn/server.conf
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
keepalive 10 120
cipher AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun

# Start OpenVPN
systemctl start openvpn@server
systemctl enable openvpn@server

# Install WireGuard
apt install wireguard

# Generate keys
wg genkey | tee privatekey | wg pubkey > publickey

# Server config /etc/wireguard/wg0.conf
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = <server_private_key>

[Peer]
PublicKey = <client_public_key>
AllowedIPs = 10.0.0.2/32

# Start WireGuard
wg-quick up wg0
systemctl enable wg-quick@wg0

# Install StrongSwan
apt install strongswan

# Configure /etc/ipsec.conf
config setup
    charondebug="ike 1, knl 1, cfg 0"
    uniqueids=no

conn site-to-site
    left=203.0.113.1
    leftsubnet=192.168.1.0/24
    right=203.0.113.2
    rightsubnet=192.168.2.0/24
    ike=aes256-sha2_256-modp1024!
    esp=aes256-sha2_256!
    keyingtries=0
    ikelifetime=1h
    lifetime=8h
    dpddelay=30
    dpdtimeout=120
    dpdaction=restart
    auto=start

# Configure /etc/ipsec.secrets
203.0.113.1 203.0.113.2 : PSK "your_pre_shared_key"

# Start IPSec
ipsec start
ipsec status

# Self-signed certificate
openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
  -keyout /etc/ssl/private/server.key \
  -out /etc/ssl/certs/server.crt

# Certificate signing request
openssl req -new -newkey rsa:2048 -nodes \
  -keyout server.key -out server.csr

# View certificate
openssl x509 -in server.crt -text -noout

# Test connection
openssl s_client -connect example.com:443

# Test specific version
openssl s_client -connect example.com:443 -tls1_2

# Check certificate expiration
echo | openssl s_client -connect example.com:443 2>/dev/null | openssl x509 -noout -dates

VLAN 10: Management (192.168.10.0/24)
VLAN 20: Servers (192.168.20.0/24)
VLAN 30: Workstations (192.168.30.0/24)
VLAN 40: Guest WiFi (192.168.40.0/24)
VLAN 50: IoT devices (192.168.50.0/24)

Firewall rules:
- Management can access everything
- Servers can't initiate to workstations
- Workstations can access servers
- Guest WiFi internet only
- IoT devices isolated

# Limit MAC addresses on bridge port
# Using ebtables
ebtables -A FORWARD -i eth0 -s ! aa:bb:cc:dd:ee:ff -j DROP

# Using tc (traffic control)
# Mark HTTP traffic
iptables -t mangle -A POSTROUTING -p tcp --dport 80 -j DSCP --set-dscp 10

# Mark VoIP traffic
iptables -t mangle -A POSTROUTING -p udp --dport 5060 -j DSCP --set-dscp 46

# HTB (Hierarchical Token Bucket)
tc qdisc add dev eth0 root handle 1: htb default 30

# Create classes
tc class add dev eth0 parent 1: classid 1:1 htb rate 100mbit
tc class add dev eth0 parent 1:1 classid 1:10 htb rate 50mbit ceil 100mbit prio 1
tc class add dev eth0 parent 1:1 classid 1:20 htb rate 30mbit ceil 100mbit prio 2
tc class add dev eth0 parent 1:1 classid 1:30 htb rate 20mbit ceil 100mbit prio 3

# Add filters
tc filter add dev eth0 protocol ip parent 1:0 prio 1 u32 match ip dport 80 0xffff flowid 1:20

# Limit bandwidth to 10mbit
tc qdisc add dev eth0 root tbf rate 10mbit burst 32kbit latency 400ms

# Per-IP shaping
tc qdisc add dev eth0 root handle 1: htb
tc class add dev eth0 parent 1: classid 1:1 htb rate 100mbit
tc class add dev eth0 parent 1:1 classid 1:10 htb rate 10mbit
tc filter add dev eth0 protocol ip parent 1:0 prio 1 u32 match ip src 192.168.1.100 flowid 1:10

# Enable multicast routing
sysctl -w net.ipv4.ip_forward=1
sysctl -w net.ipv4.conf.all.mc_forwarding=1

# Install multicast routing daemon
apt install smcroute

# Configure /etc/smcroute.conf
mgroup from eth0 group 239.1.1.1
mroute from eth0 group 239.1.1.1 to eth1

# Start smcroute
systemctl start smcroute

# Send multicast
echo "test" | socat - UDP4-DATAGRAM:239.1.1.1:5000

# Receive multicast
socat UDP4-RECVFROM:5000,ip-add-membership=239.1.1.1:eth0,fork -

# Enable IPv6
sysctl -w net.ipv6.conf.all.disable_ipv6=0

# Configure both
ip addr add 192.168.1.100/24 dev eth0
ip addr add 2001:db8::100/64 dev eth0

# Both routes
ip route add default via 192.168.1.1
ip -6 route add default via 2001:db8::1

---
- name: Configure network devices
  hosts: switches
  tasks:
    - name: Configure VLANs
      ios_vlan:
        vlan_id: 10
        name: Management
        state: present

from netmiko import ConnectHandler

device = {
    'device_type': 'cisco_ios',
    'host': '192.168.1.1',
    'username': 'admin',
    'password': 'password',
}

connection = ConnectHandler(**device)
output = connection.send_command('show ip interface brief')
print(output)
connection.disconnect()

# Install keepalived
apt install keepalived

# Configure /etc/keepalived/keepalived.conf
vrrp_instance VI_1 {
    state MASTER
    interface eth0
    virtual_router_id 51
    priority 100
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass secret
    }
    virtual_ipaddress {
        192.168.1.100
    }
}

# Start keepalived
systemctl start keepalived

# Show interfaces
ip link show

# Bring up
ip link set dev eth0 up

# Bring down
ip link set dev eth0 down

# Set MTU
ip link set dev eth0 mtu 9000

# Set MAC
ip link set dev eth0 address aa:bb:cc:dd:ee:ff

# Add IP
ip addr add 192.168.1.100/24 dev eth0

# Delete IP
ip addr del 192.168.1.100/24 dev eth0

# Show IPs
ip addr show

# /etc/netplan/01-netcfg.yaml
network:
  version: 2
  renderer: networkd
  ethernets:
    eth0:
      addresses:
        - 192.168.1.100/24
      gateway4: 192.168.1.1
      nameservers:
        addresses: [8.8.8.8, 8.8.4.4]

# Apply
netplan apply

# Show routes
ip route show

# Show specific route
ip route get 8.8.8.8

# Add default route
ip route add default via 192.168.1.1

# Add network route
ip route add 10.0.0.0/8 via 192.168.1.254

# Add with metric
ip route add 10.0.0.0/8 via 192.168.1.254 metric 100

# Create bridge
ip link add name br0 type bridge

# Add interfaces
ip link set dev eth0 master br0
ip link set dev eth1 master br0

# Bring up
ip link set dev br0 up

# Show bridge
bridge link show

# Load module
modprobe 8021q

# Create VLAN
ip link add link eth0 name eth0.10 type vlan id 10

# Configure IP
ip addr add 192.168.10.1/24 dev eth0.10

# Bring up
ip link set dev eth0.10 up

# Load module
modprobe bonding

# Create bond
ip link add bond0 type bond mode 802.3ad

# Add slaves
ip link set dev eth0 master bond0
ip link set dev eth1 master bond0

# Configure
ip addr add 192.168.1.10/24 dev bond0
ip link set dev bond0 up

# Allow SSH
iptables -A INPUT -p tcp --dport 22 -j ACCEPT

# Allow established
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Drop everything else
iptables -P INPUT DROP

# Create namespace
ip netns add ns1

# Add interface to namespace
ip link set dev veth1 netns ns1

# Configure in namespace
ip netns exec ns1 ip addr add 10.0.0.1/24 dev veth1
ip netns exec ns1 ip link set dev veth1 up

# Execute command in namespace
ip netns exec ns1 ping 10.0.0.2

# Basic ping
ping 8.8.8.8

# Count
ping -c 4 8.8.8.8

# Interval
ping -i 0.2 8.8.8.8

# Packet size
ping -s 1000 8.8.8.8

# Don't fragment
ping -M do -s 1472 8.8.8.8

# Flood ping (root)
ping -f 8.8.8.8

# Traceroute
traceroute 8.8.8.8

# UDP (default)
traceroute -U 8.8.8.8

# ICMP
traceroute -I 8.8.8.8

# TCP
traceroute -T -p 80 8.8.8.8

# MTR (better traceroute)
mtr 8.8.8.8

# Show all connections
ss -tan

# Show listening ports
ss -tuln

# Show with process
ss -tanp

# Show statistics
ss -s

# netstat (legacy)
netstat -tan
netstat -tuln

# Show everything
ip addr
ip link
ip route
ip neigh

# Detailed info
ip -s link show eth0
ip -d link show

# IPv6
ip -6 addr
ip -6 route

# Capture on interface
tcpdump -i eth0

# Write to file
tcpdump -i eth0 -w capture.pcap

# Read from file
tcpdump -r capture.pcap

# Specific host
tcpdump -i eth0 host 192.168.1.100

# Specific port
tcpdump -i eth0 port 80

# Complex filter
tcpdump -i eth0 'tcp port 80 and host 192.168.1.100'

ip.addr == 192.168.1.100
tcp.port == 80
http.request.method == "POST"
dns.qry.name contains "example"

# Ping scan
nmap -sn 192.168.1.0/24

# Port scan
nmap 192.168.1.100

# Specific ports
nmap -p 80,443 192.168.1.100

# Service detection
nmap -sV 192.168.1.100

# OS detection
nmap -O 192.168.1.100

# Aggressive scan
nmap -A 192.168.1.100

# Listen on port
nc -l 5000

# Connect to port
nc 192.168.1.100 5000

# Port scan
nc -zv 192.168.1.100 1-1000

# Transfer file
# Receiver
nc -l 5000 > file.txt
# Sender
nc 192.168.1.100 5000 < file.txt

1. Define the problem
2. Gather information
3. Analyze information
4. Eliminate possibilities
5. Formulate hypothesis
6. Test hypothesis
7. Solve problem
8. Document solution

Start at Layer 1 and work up:
1. Physical: Cable plugged in?
2. Data Link: Link up? MAC address correct?
3. Network: IP configured? Route exists?
4. Transport: Port open? Firewall blocking?
5. Session/Presentation: Encryption working?
6. Application: Service running? Config correct?

# Tcpdump - command line packet analyzer
tcpdump -i eth0 -w capture.pcap
tcpdump -i eth0 host 192.168.1.100
tcpdump -i eth0 port 80
tcpdump -i eth0 'tcp[tcpflags] & (tcp-syn) != 0'

# Capture with rotation (avoid huge files)
tcpdump -i eth0 -w capture_%Y%m%d_%H%M%S.pcap -G 3600 -C 100

# Capture specific protocols
tcpdump -i eth0 -w dns_traffic.pcap udp port 53
tcpdump -i eth0 -w http_traffic.pcap tcp port 80

# Capture with timestamps
tcpdump -i eth0 -w capture.pcap -tttt

# Wireshark - GUI packet analyzer
wireshark &
# Capture filters: host 192.168.1.1 and port 80
# Display filters: http.request.method == "POST"

# Capture on multiple interfaces
tcpdump -i any -w all_interfaces.pcap

# Capture with snaplen (packet size limit)
tcpdump -i eth0 -s 65535 -w full_packets.pcap
tcpdump -i eth0 -s 96 -w headers_only.pcap

# Capture with buffer size
tcpdump -i eth0 -B 4096 -w capture.pcap

# Capture in promiscuous mode
tcpdump -i eth0 -p -w capture.pcap

# HTTP/HTTPS traffic analysis
tshark -r capture.pcap -Y "http.request or http.response"
tshark -r capture.pcap -Y "http.request.method == POST" -T fields -e http.request.uri

# DNS queries for C2 detection
tshark -r capture.pcap -Y "dns.qry.name" -T fields -e dns.qry.name | sort | uniq

# SMB traffic for lateral movement
tshark -r capture.pcap -Y "smb or smb2"

# RDP/VNC for remote access
tshark -r capture.pcap -Y "rdp or vnc"

Unusual outbound connections:
- Connections to unknown IPs
- High ports (>1024) outbound
- Non-standard protocols

Large data transfers:
- Sudden spike in outbound traffic
- Transfers to unknown destinations
- Compressed/encrypted data exfiltration

Beaconing patterns:
- Regular small packets at fixed intervals
- C2 communication patterns
- Heartbeat traffic

Anomalous protocol usage:
- HTTP on non-standard ports
- DNS tunneling (large TXT records)
- ICMP tunneling (data in ping packets)

# Extract HTTP objects
tshark -r capture.pcap --export-objects http,http_objects/

# Extract files from SMB
tshark -r capture.pcap --export-objects smb,smb_files/

# Extract credentials
tshark -r capture.pcap -Y "http.authorization" -T fields -e http.authorization

# Follow TCP streams
tshark -r capture.pcap -z follow,tcp,ascii,0

# Extract timestamps from PCAP
tshark -r capture.pcap -T fields -e frame.time_epoch -e ip.src -e ip.dst -e tcp.port > timeline.csv

# Sort by time
sort -n timeline.csv > sorted_timeline.csv

# Analyze with timeline tools
# Use Plaso, Timesketch, or custom scripts

# Group by connection
tshark -r capture.pcap -q -z conv,tcp
tshark -r capture.pcap -q -z conv,udp

Match network events with system logs:
- Correlate connection times with process creation
- Link IP addresses with user activity
- Match file transfers with file system changes
- Correlate DNS queries with process network activity

1. Identify initial compromise
   - First unusual connection
   - Exploit delivery
   - Payload download

2. Track lateral movement
   - SMB connections between hosts
   - RDP sessions
   - Admin share access

3. Document data exfiltration
   - Large outbound transfers
   - Compression/encryption
   - Staging locations

4. Identify persistence mechanisms
   - Beaconing patterns
   - Scheduled connections
   - C2 communication

import socket

# TCP client
def tcp_client(host, port):
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.connect((host, port))

    # Send HTTP request
    request = b'GET / HTTP/1.1\r\nHost: ' + host.encode() + b'\r\n\r\n'
    sock.send(request)

    # Receive response
    response = sock.recv(4096)
    print(response.decode())
    sock.close()

# UDP client
def udp_client(host, port, message):
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.sendto(message.encode(), (host, port))
    data, addr = sock.recvfrom(4096)
    print(f'Received: {data.decode()} from {addr}')
    sock.close()

# TCP server
def tcp_server(host, port):
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind((host, port))
    sock.listen(5)
    print(f'Server listening on {host}:{port}')

    while True:
        client, addr = sock.accept()
        print(f'Connection from {addr}')
        data = client.recv(1024)
        client.send(b'HTTP/1.1 200 OK\r\n\r\nHello World')
        client.close()

import socket
import threading
from queue import Queue

def port_scan(target, port):
    try:
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.settimeout(1)
        result = sock.connect_ex((target, port))
        if result == 0:
            try:
                service = socket.getservbyport(port)
            except:
                service = "unknown"
            print(f'Port {port}: OPEN ({service})')
        sock.close()
    except:
        pass

def threader(target, q):
    while True:
        worker = q.get()
        port_scan(target, worker)
        q.task_done()

def scan_host(target, start_port=1, end_port=1024, threads=30):
    q = Queue()

    for x in range(threads):
        t = threading.Thread(target=lambda: threader(target, q))
        t.daemon = True
        t.start()

    for port in range(start_port, end_port + 1):
        q.put(port)

    q.join()

# Usage
scan_host('192.168.1.1', 1, 1024)

import socket
import struct

def sniff_packets(interface='0.0.0.0'):
    # Create raw socket
    sock = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_IP)
    sock.bind((interface, 0))
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)

    # Enable promiscuous mode (Windows)
    sock.ioctl(socket.SIO_RCVALL, socket.RCVALL_ON)

    try:
        while True:
            packet = sock.recvfrom(65565)[0]

            # Parse IP header
            ip_header = packet[0:20]
            iph = struct.unpack('!BBHHHBBH4s4s', ip_header)

            version_ihl = iph[0]
            version = version_ihl >> 4
            ihl = version_ihl & 0xF
            iph_length = ihl * 4

            ttl = iph[5]
            protocol = iph[6]
            s_addr = socket.inet_ntoa(iph[8])
            d_addr = socket.inet_ntoa(iph[9])

            protocol_map = {1: 'ICMP', 6: 'TCP', 17: 'UDP'}
            protocol_name = protocol_map.get(protocol, str(protocol))

            print(f'{protocol_name}: {s_addr} → {d_addr} (TTL: {ttl})')

    except KeyboardInterrupt:
        sock.ioctl(socket.SIO_RCVALL, socket.RCVALL_OFF)
        sock.close()

# Usage (requires admin/root)
sniff_packets()

#!/bin/bash

target=$1
start_port=$2
end_port=$3

if [ -z "$target" ] || [ -z "$start_port" ] || [ -z "$end_port" ]; then
    echo "Usage: $0 <target> <start_port> <end_port>"
    exit 1
fi

echo "Scanning $target ports $start_port-$end_port"

for ((port=start_port; port<=end_port; port++)); do
    timeout 1 bash -c "</dev/tcp/$target/$port" 2>/dev/null && echo "Port $port is OPEN"
done