Network advanced tutorial and checklist

Summary of TCP Transaction Steps

Network commands

Capture packets and analyze general

Capture packets and analyze a ssh session

Capture packets and analyze a amqp session

How to check if network is exhausted?

Summary of TCP Transaction Steps

  1. Connection Establishment (Three-Way Handshake):
  • Client → Server: Send SYN (request to connect).
  • Server → Client: Send SYN-ACK (acknowledge SYN and request).
  • Client → Server: Send ACK (acknowledge SYN-ACK).
  1. Data Transfer:
  • Client ↔ Server: Send and acknowledge data segments.
  • Server → Client: Send ACK for received segments.
  • Client ↔ Server: Retransmit lost segments as needed.
  1. Connection Termination (Four-Way Handshake):
  • Client → Server: Send FIN (request to terminate).
  • Server → Client: Send ACK (acknowledge FIN).
  • Server → Client: Send FIN (request to terminate).
  • Client → Server: Send ACK (acknowledge FIN).

This flow ensures reliable communication in TCP transactions.

Network commands

Test-NetConnection and tnc

Yes, your statement is correct.

When using Test-NetConnection in PowerShell to check a remote connection to a specific port, the command will return True (indicating success) only if both of the following conditions are met:

  1. The port is open (not blocked by a firewall, router, or security rule).
  2. An application/service is actively listening on that port on the target machine.

If the port is open but no application is listening, the connection will fail (return False), as the remote system does not respond to the connection attempt.

Example of Using Test-NetConnection (ps1)

Test-NetConnection -ComputerName "remote-server" -Port 80

Do you need more details

Test-NetConnection -ComputerName "remote-server" -Port 80 -InformationLevel Detailed

Example of using the alias tnc (ps1)

tnc: This is an alias for Test-NetConnection. PowerShell allows users to create shorter, more convenient commands for frequently used cmdlets. Using tnc is simply a shorthand way to execute the same functionality as Test-NetConnection, making it quicker for users familiar with the alias.

tnc remote-server -port 3389

The Windows PowerShell cmdlet Test-NetConnection is a versatile tool for network diagnostics. It’s not directly mirrored in Linux, but its functionalities can be achieved using a combination of other commands.

ping, nc and telnet (bash)

# Windows: Test-NetConnection google.com

Linux: ping -c 4 google.com

# ping is the fundamental network utility to test reachability.
# c 4 sends 4 ICMP (ping) packets and then stops. Omit this for continuous pinging.

# Windows: Test-NetConnection google.com -Port 443

Linux: nc -zv google.com 443
Linux: telnet google.com 443

# nc (netcat) is a versatile tool for making network connections. 
# -z means "zero-I/O mode" (don't send any data)
# -v means "verbose". 
# It tries to connect to the specified host and port, and exits.

# telnet is another option, though often deprecated in favor of nc due to security concerns (it transmits passwords in plain text).

netstat (cmd, ps1, bash)

netstat is a command-line utility used to display network connections, routing tables, and listening ports on a computer. It shows details like the protocol, local and foreign addresses, and status of each connection. This helps diagnose network problems by identifying active connections, open ports, and listening services. netstat is available on various operating systems (e.g., Linux, macOS, and Windows) and its functionality and syntax may vary slightly across platforms.

Example of of using netstat check port (ps1 or cmd)

netstat -ano: This command lists all active connections and listening ports, along with their associated process IDs (PIDs).

  • -a shows all connections and listening ports.
  • -n displays addresses and port numbers in numerical form (avoiding DNS resolution).
  • -o includes the process ID associated with each connection.
netstat -ano | findstr ":1801 "
  TCP    0.0.0.0:1801         0.0.0.0:0              LISTENING       1234

Meaning: This indicates that there are no active connections or listening applications on port 1801.

(no output)

Connection refused

Meaning: If you see a connection in the TIME_WAIT state, it means that a connection was recently closed on that port, but no application is currently listening for new connections. This may indicate that the service crashed or was stopped.

TCP    192.168.1.2:1801     192.168.1.3:54321      TIME_WAIT       0

LISTENING but Unresponsive

Meaning: While the output indicates that there is an application listening on port 1801, if you try to connect to the port and experience timeouts or connection failures, it may suggest that the application is unresponsive or malfunctioning. You can further investigate this by checking the application associated with PID 5678.

TCP    0.0.0.0:1801         0.0.0.0:0              LISTENING       5678

Multiple Entries with Different States

Meaning: If you see multiple states such as CLOSE_WAIT, this may indicate that the application is not properly closing connections. An application in CLOSE_WAIT may have issues managing its connections, which can lead to resource exhaustion.

TCP    0.0.0.0:1801         0.0.0.0:0              LISTENING       5678
TCP    192.168.1.2:1801     192.168.1.3:54321      ESTABLISHED     5678
TCP    192.168.1.2:1801     192.168.1.4:12345      CLOSE_WAIT      5678

Common SYN States

SYN_SENT: This state indicates that a connection request has been sent to the server, and the client is waiting for a response (SYN-ACK). It means that an application on your machine is trying to connect to a service on port 1801 but has not yet completed the connection.


SYN_RECEIVED: This state means that your machine has received a SYN request from a client and has sent back a SYN-ACK in response. The connection is still being established, and the final ACK from the client is awaited.

SYN_SENT

TCP    192.168.1.2:54321     192.168.1.3:1801      SYN_SENT       0

Meaning: In this example, the local machine at 192.168.1.2 is trying to establish a connection from port 54321 to 192.168.1.3 on port 1801, but it has not yet completed the connection.

SYN_RECEIVED

TCP    192.168.1.3:1801      192.168.1.2:54321     SYN_RECEIVED   5678

Meaning: This indicates that the server at 192.168.1.3 has received a SYN request from the client at 192.168.1.2 and is waiting for the final ACK from the client to complete the connection.

SYN states in the output of netstat indicate new connection attempts and can be useful for diagnosing network issues.

A large number of SYN_SENT connections without corresponding SYN_RECEIVED or established connections may indicate problems such as a firewall blocking traffic, a service not running on the target port, or network congestion. Monitoring and analyzing these states can help in troubleshooting connectivity issues effectively.

Capture packets and analyze general

Open an elevated Command Prompt or PowerShell.
Start a trace with:

# netsh trace start persistent=yes capture=yes report=disabled tracefile=c:\trace.etl

netsh trace start capture=yes report=disabled tracefile=c:\trace.etl

Reproduce the network issue or desired connection to generate TCP traffic.

Stop the trace:

netsh trace stop

Convert or view the resulting ETL file. ETL files can be opened in tools like Microsoft Network Monitor, Microsoft Message Analyzer, or Windows Performance Analyzer (though for the last two, you’d need older or specialized tools).

Downloaded tool

Releases · microsoft/etl2pcapng

Moved file and tool to and renamed to localhost…

Etl2pcapng.exe trace.etl trace.pcapng

Ran above command

got

View content by localhost

Wireshark file open

Example filter port

Capture packets and analyze a ssh session

What are the most useful filters for analysing an ssh session with wireshark, can we check for filter with protocol also? (vicuna)

Lets now practice what we know and test it with a Linux server in Azure.

We already have ssh enabled on the VM.

How to check that

Scenario Vm is not running

Scenario Vm is running

Scenario Vm is running but port is blocked

Scenario Vm is running and port is open

Capture packets and analyze a amqp session

What are the most useful filters for analysing an amqp session with wireshark, can we check for filter with protocol also? (vicuna)

tbd

How to check if network is exhausted?

https://github.com/spawnmarvel/quickguides/tree/main/network_monitor

Example Capture wireshark smb

Example below but make a better and shorter one

Scroll to Top