Skip to content

Networks tricks


Use tcpdump to listen for ping request and reply.

$ sudo tcpdump icmp -n
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on wlp3s0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
18:53:25.737055 IP > ICMP echo request, id 1, seq 1, length 64
18:53:25.737224 IP > ICMP echo reply, id 1, seq 1, length 64

TCP connections

Add iptables rule that listen for new TCP connections.

$ sudo iptables -A INPUT -p tcp -m state --state NEW -j LOG --log-prefix "New TCP connection: " -i wlp3s0


To remove the rule from iptables, execute the same commands but replace the -A with -D.

View the log :

$ journalctl -k --grep='New TCP connection: '
Sep 26 19:04:24 arch kernel: [NEW TCP connection] IN=wlp3s0 OUT= MAC=XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX SRC= DST= LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=25957

OS Information gathering

For Linux machines the ttl is often close to 64, however for Windows machines the ttl is close to 128.

$ ping localhost
PING localhost(localhost (::1)) 56 data bytes
64 bytes from localhost (::1): icmp_seq=1 ttl=64 time=0.058 ms
64 bytes from localhost (::1): icmp_seq=2 ttl=64 time=0.131 ms
64 bytes from localhost (::1): icmp_seq=3 ttl=64 time=0.078 ms
--- localhost ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2019ms
rtt min/avg/max/mdev = 0.058/0.089/0.131/0.030 ms