Networking on Besterry — Linux & DevOps Notes

tcpdump Filters Cheatsheet for When the Network is On Fire

Fri, 08 Nov 2024 00:00:00 +0000

tcpdump has a weird little filter language (BPF syntax) that I never remember under pressure. This page is my cheatsheet.

Basic syntax

tcpdump -i <interface> -n <filter>
-n don't resolve addresses/ports
-i interface (eth0, any, lo)
-v verbose (-vv, -vvv more)
-w write to file for later wireshark
-r read from file
-c N stop after N packets
-s 0 capture full packet (not truncated)

Host and network filters

host 192.0.2.1 # to or from
src host 192.0.2.1 # from only
dst host 192.0.2.1 # to only
net 192.0.2.0/24 # subnet
src net 192.0.2.0/24 # subnet as source

Port filters

port 443 # source or dest port 443
src port 443 # source only
dst port 443 # dest only
portrange 50000-60000 # range

Protocol filters

tcp # TCP only
udp # UDP only
icmp # ICMP only
arp # ARP
tcp port 443 # combine
'tcp[tcpflags] & tcp-syn != 0' # TCP with SYN flag

TCP flag combinations

# SYN only (connection attempts)
'tcp[tcpflags] == tcp-syn'
# SYN-ACK
'tcp[tcpflags] == tcp-syn|tcp-ack'
# RST (connection resets)
'tcp[tcpflags] & tcp-rst != 0'
# FIN (connection closes)
'tcp[tcpflags] & tcp-fin != 0'

Combining filters

host 192.0.2.1 and tcp port 443
'host 192.0.2.1 and (port 80 or port 443)'
'not arp and not port 22'

Boolean operators: and, or, not (or &&, ||, !).

WireGuard vs AmneziaWG: When Obfuscation Matters

Mon, 15 Apr 2024 00:00:00 +0000

Plain WireGuard is simple and fast. AmneziaWG adds obfuscation to the handshake. When do you need which?

Plain WireGuard is enough when

You control both endpoints, no DPI is filtering your traffic, and the main concern is performance and simplicity. WireGuard shines for:

Site-to-site VPN between your own servers
Remote access to a home lab
Point-to-point tunnels on a LAN

The handshake is small, fast, and provably secure. It uses Noise framework primitives and 1 RTT.

Docker Network Debugging: nsenter and tcpdump Patterns

Wed, 20 Mar 2024 00:00:00 +0000

When a container cannot reach something, the instinct is often to exec into it and curl. But most slim containers lack curl, dig, tcpdump, or even ping. A better pattern: use nsenter from the host.

Enter the container network namespace

Get the container PID:

docker inspect -f '{{.State.Pid}}' myapp

Then:

sudo nsenter -t PID -n bash

You are now in the container network namespace, but with the host binaries. tcpdump, ip, ss, dig — all work.

Linux Networking Deep Dive: From Socket to Wire

Sat, 10 Feb 2024 00:00:00 +0000

Every time a packet leaves your Linux machine, it travels through a surprisingly long sequence of stages. Understanding this path helps enormously when debugging network issues.

The socket layer

When your application calls send() or write() on a socket, the kernel’s socket layer takes over. For a TCP socket this means handing the data to tcp_sendmsg(), which in turn enqueues it into the socket’s send buffer.

You can observe the send queue depth with ss -tipm: