Networking How To

How to upgrade wpa_supplicant

The default wpa_supplicant in Ubuntu 16.04 is 2.4, which does not support some of the TLS protocol versions used for EAP authentication (like TLS 1.1).
To upgrade it:
Get wpa_supplicant 2.6 from
Verify the release signature (an .asc file is published alongside each tarball) before unpacking, since this binary will run as root on every network you join. Unpack it and configure with

cp wpa_supplicant/defconfig wpa_supplicant/.config   # start from the upstream defconfig
cat >> wpa_supplicant/.config << "EOF"
CFLAGS += -I/usr/include/libnl3
EOF

cd wpa_supplicant && make BINDIR=/sbin LIBDIR=/lib

Stop wpa_supplicant service

sudo systemctl stop wpa_supplicant.service

Install to /sbin (-b keeps a backup of each existing binary with a ~ suffix, so you can roll back)

sudo install -bv -m755 wpa_{cli,passphrase,supplicant} /sbin/

start the wpa_supplicant service back up

sudo systemctl start wpa_supplicant.service

restart the network-manager service

sudo systemctl restart network-manager.service

Verify the version

wpa_supplicant -v

Keep in mind that apt no longer manages this binary: security fixes for wpa_supplicant will not arrive through unattended-upgrades, so track upstream releases yourself or go back to the distribution package once it catches up.

How to run scripts when connected to a specific network

Use NetworkManager's dispatcher (works in KDE and Gnome). As root create a script in /etc/NetworkManager/dispatcher.d, say "" (scripts there run in lexical order, so number the name). NetworkManager runs each script as root with two arguments: the interface name and the action ("up", "down", "pre-up", ...). The subnet, router address and MAC below are example values; put in your own.

#!/bin/bash
# NetworkManager dispatcher script: run a user's script when a known network comes up
IF="$1"       # interface name
STATUS="$2"   # action: up, down, ...
NETMASK="192.0.2.0/24"         # home subnet (example value)
ROUTERIP="192.0.2.1"           # home router address (example value)
ROUTERMAC="00:11:22:33:44:55"  # home router MAC (example value)

if [ "$IF" = "eth0" -o "$IF" = "wlan0" ] && [ "$STATUS" = "up" ]; then
       # do we have an address in the home subnet on this interface?
       if [ -n "`/sbin/ip addr show $IF to $NETMASK`" ]; then
                # does the router answer with the expected MAC?
                if [ -n "`arp -a $ROUTERIP | grep -i $ROUTERMAC`" ]; then
                        /bin/su user -c "/home/user/bin/"
                        exit $?
                fi
        fi
fi
exit 0

Make it root runnable. NetworkManager silently refuses to run a dispatcher script unless it is owned by root, executable, and not writable by group or others, so keep it root:root and 755:

chmod 755

And restart your network manager

sudo service network-manager restart

The sample script above verifies that it is connected to the correct router by checking the router's hard-coded MAC. A MAC is trivial to spoof, so treat this as a convenience check, not authentication: anyone running an access point with that MAC can make the script fire. You could also check for a host answering on a port:

nc -z -w 3 $HOST $PORT 
if [[ $? -eq 0 ]]; then ...

Or check the wireless SSID:

SSID=$(/sbin/iwconfig $IFACE | sed -r -n '/SSID/{s/.*SSID:"([^"]+)".*/\1/g;p;q}' )

or, shorter:

SSID=`iwconfig $IFACE | awk -F'"' '/ESSID/{print $2}'`

Newer NetworkManager versions also export CONNECTION_ID and CONNECTION_UUID to dispatcher scripts, which identifies the connection profile without parsing iwconfig output (iwconfig is deprecated; iw dev $IFACE link prints the SSID on current systems).
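As an added example (not part of the original page), here are the router-MAC and SSID checks written as functions that parse `ip neigh` and `iw dev ... link` output instead of the deprecated arp/iwconfig tools, so they can be tested against captured text before being dropped into a dispatcher script. The sample outputs, the 192.0.2.x addresses and the MACs are constructed for illustration.

```bash
#!/bin/bash
# Added example: trusted-network checks for a NetworkManager dispatcher script.
# Parses `ip -4 neigh show` and `iw dev IFACE link` output rather than the
# deprecated arp/iwconfig tools. Sample data below is constructed.

# neigh_mac NEIGH_OUTPUT IP -> prints the lower-case MAC recorded for IP,
# nothing if the entry is missing or has no lladdr (e.g. state FAILED).
neigh_mac() {
    printf '%s\n' "$1" | awk -v ip="$2" '
        $1 == ip { for (i = 1; i <= NF; i++) if ($i == "lladdr") { print tolower($(i+1)); exit } }'
}

# link_ssid IW_LINK_OUTPUT -> prints the SSID of the current association
link_ssid() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*SSID: //p' | head -n 1
}

# trusted_network NEIGH_OUTPUT IW_OUTPUT GW_IP GW_MAC SSID -> 0 when the
# gateway answers with the expected MAC *and* we are on the expected SSID.
# Both are spoofable; this guards against running on the wrong network by
# accident, not against a deliberate impostor (use SSH host keys or TLS
# for that).
trusted_network() {
    local want_mac
    want_mac=$(printf '%s' "$4" | tr 'A-F' 'a-f')
    [ "$(neigh_mac "$1" "$3")" = "$want_mac" ] && [ "$(link_ssid "$2")" = "$5" ]
}

# Constructed sample outputs (documentation addresses, made-up MACs)
SAMPLE_NEIGH='192.0.2.1 dev wlan0 lladdr 00:11:22:33:44:55 REACHABLE
192.0.2.20 dev wlan0 lladdr aa:bb:cc:dd:ee:ff STALE
192.0.2.30 dev wlan0  FAILED'
SAMPLE_IW='Connected to 00:11:22:33:44:55 (on wlan0)
	SSID: HomeNet
	freq: 2437
	signal: -51 dBm'

# In the dispatcher script (IF="$1"; STATUS="$2") you would call:
#   if [ "$STATUS" = up ] && trusted_network "$(ip -4 neigh show dev "$IF")" \
#        "$(iw dev "$IF" link)" 192.0.2.1 00:11:22:33:44:55 HomeNet; then ... fi
# `ip neigh` only holds an entry once traffic has flowed; a `ping -c1` to the
# gateway beforehand populates it.
```

The neighbour table is consulted rather than a fresh ARP request so the check does not itself generate traffic on an unknown network; an entry in state FAILED yields no MAC and therefore fails the comparison.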

How to list active network connections

If you need to know which program has which connection open:

lsof -i

or

lsof -i -P -n

to skip host and port name resolution (faster, and avoids DNS lookups that themselves go out on the network).

To look at a specific port

lsof -i :80

Same thing, no process information:

netstat --ip

or, all sockets and numeric (no name resolution):

netstat -an --ip

How to list all open TCP/UDP connections and the corresponding processes

sudo netstat -punta

(netstat is deprecated on newer distributions; ss takes the same flags, i.e. sudo ss -punta)

How to list and explore samba shares

 smbclient --list=//server.corp.dom/ --user=xxxx --workgroup=domain
 smbclient //server.corp.dom/f$ --user=xxxx --workgroup=domain

How to terminate an open TCP or UDP connection

For connections that terminate on this host use tcpkill from the dsniff package. The argument is a pcap filter expression (for example host 192.0.2.5 and port 22); tcpkill injects TCP resets once it sees a packet of the connection, so an idle connection is not killed until it sends something:

sudo tcpkill -i lo:0 ip

On a recent kernel a local socket can also be destroyed directly, without sniffing, with sudo ss -K dst <ip> (requires CONFIG_INET_DIAG_DESTROY).

For connections passing through this host (where it acts as a router) use

apt-get install cutter
cutter {IP-address} {Port}

Examples: cut all connections from to server

# cutter

Cut all ssh connections from to server

# cutter 22

Cut all ssh connections from to ssh server

# cutter 22

How to serve X11 to any client

If client connections are rejected, run the following on the server (cygwin)

xhost + 

You could add this line to c:\cygwin\usr\X11R6\bin\startx.bat. Note that xhost + disables access control completely: anyone who can reach the X port can open windows on your display, read your keystrokes and take screenshots. Prefer xhost +<hostname> to admit a single client, or tunnel the session with ssh -X, and run xhost - when done.

How to clear DNS cache

NetworkManager starts dnsmasq, which does not cache entries by default (verify with grep dnsmasq /var/log/syslog and look at the startup line)

sudo /etc/init.d/dns-clean start

should help. If not, try nscd:

sudo aptitude install nscd
sudo /etc/init.d/nscd restart

sudo /etc/init.d/dns-clean restart

or use:

sudo /etc/init.d/networking force-reload

Also, clear all private data in your browser (check "delete entire cache" )

How to Renew DHCP lease

sudo dhclient -v -r wlan0
sudo dhclient -v wlan0

or with NetworkManager (nmcli con lists the connections):

nmcli con
nmcli con down id 'con-1'
nmcli con up id 'con-1'

How to restart networking

(may have no effect on interfaces that are already up)
sudo /etc/init.d/networking restart
sudo systemctl restart networking.service

How to open all communication from a host on CentOS or RHEL

firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="" accept'

Rules added this way live in the runtime configuration only and are gone after firewall-cmd --reload or a reboot; repeat the command with --permanent to keep them. A rich rule that accepts everything from an address is a blanket trust of that host (and of whoever can spoof its address on the local segment); add service name="..." or port port="..." protocol="..." to the rule to limit it to what is actually needed. Check the result with firewall-cmd --zone=public --list-all.

How to open multiple ports on CentOS or RHEL

firewall-cmd --zone=public --add-port=9060/tcp --add-port=9043/tcp --add-port=...
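As an added example (not from the page or from the firewalld project), the helpers below cover both commands above: a rich rule scoped to one service beside the accept-everything form, port specs validated before they reach firewall-cmd, and the --permanent step that the one-liners omit. The 192.0.2.10 address is a documentation address used only for illustration; firewall-cmd itself is only invoked from the apply function.

```bash
#!/bin/bash
# Added example: firewalld helpers. Rich rules scoped to one service rather
# than "accept everything from this host", port specs validated before they
# reach firewall-cmd, and both runtime and permanent configuration updated.
# 192.0.2.10 is a documentation address used only for illustration.

# allow_rule SOURCE [SERVICE] -> prints the rich rule text. Without SERVICE
# the rule accepts every port from SOURCE (the page's one-liner); with
# SERVICE only that firewalld service (e.g. ssh) is opened from it.
allow_rule() {
    local src="$1" svc="${2:-}"
    if [ -n "$svc" ]; then
        printf 'rule family="ipv4" source address="%s" service name="%s" accept' "$src" "$svc"
    else
        printf 'rule family="ipv4" source address="%s" accept' "$src"
    fi
}

# valid_portspec SPEC -> 0 when SPEC is PORT/PROTO or LOW-HIGH/PROTO with
# ports in 1..65535 and PROTO tcp or udp (the form --add-port accepts).
valid_portspec() {
    local ports lo hi
    case "$1" in */tcp|*/udp) ;; *) return 1 ;; esac
    ports="${1%/*}"
    lo="${ports%-*}"; hi="${ports#*-}"
    case "$lo" in ""|*[!0-9]*) return 1 ;; esac
    case "$hi" in ""|*[!0-9]*) return 1 ;; esac
    [ "$lo" -ge 1 ] && [ "$hi" -le 65535 ] && [ "$lo" -le "$hi" ]
}

# apply ZONE ARGS...: run firewall-cmd twice, for the live firewall and for
# the saved configuration; a change made only at runtime vanishes at the
# next firewall-cmd --reload or reboot.
apply() {
    local zone="$1"; shift
    firewall-cmd --zone="$zone" "$@" && firewall-cmd --permanent --zone="$zone" "$@"
}

# open_ports ZONE SPEC... -> validates every spec first, then opens them all
# in one firewall-cmd call; a single bad spec means nothing is changed.
open_ports() {
    local zone="$1" spec args=""; shift
    for spec in "$@"; do
        valid_portspec "$spec" || { echo "bad port spec: $spec" >&2; return 1; }
        args="$args --add-port=$spec"
    done
    # word-splitting of $args into separate --add-port options is intended
    apply "$zone" $args
}

# Usage:
#   apply public --add-rich-rule="$(allow_rule 192.0.2.10 ssh)"
#   open_ports public 9060/tcp 9043/tcp
#   firewall-cmd --zone=public --list-all
```

Validating the port list up front matters because firewall-cmd processes its options in order: with several --add-port arguments a typo in the last one leaves the earlier ones already applied.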

Firewalld detailed how-to

How to see the actual dns resolver behind dnsmasq

nmcli device show

How to clear dns cache

If you are running dnsmasq (check with ps -ef | grep dnsmasq),
use qdbus to call org.freedesktop.NetworkManager.dnsmasq.ClearCache()

How to connect to hidden WiFi on Kubuntu

Right-click the network/wifi icon, go into settings (kde-nm-settings), create a new wifi network, enter the SSID and check "hidden network".
Right-click the newly created item and select connect.

Note that hiding the SSID is not a security measure: a client configured for a hidden network has to probe for it by name, so your laptop announces the SSID wherever it goes, and the network is still visible to any passive scanner once a client is associated. The protection is WPA2 with a strong passphrase; the hidden flag is only an inconvenience.

If it does not connect after a while of trying and you see the following in syslog
wpa_supplicant[1084]: wlan0: Failed to initiate AP scan
wpa_supplicant[1084]: wlan0: Reject scan trigger since one is

then restart wpa_supplicant and try again (either command kills it; NetworkManager starts it again on demand)
sudo pkill wpa_supplicant
sudo kill $(pidof wpa_supplicant)

You can also try the command-line NetworkManager client:
nmcli -p connection up ifname wlan0 ap HIDDEN-SSID

Another trick: issue a connect command and, while the hidden SSID is showing, click on it in the KDE panel.

How to limit apt speed

For a temporary limit, add the -o flag to your apt-get command (the value is in kilobytes per second):
sudo apt-get -o Acquire::http::Dl-Limit=25 install <package>
For permanent throttling, create the file /etc/apt/apt.conf.d/75lowerspeed and save the following in it:

Acquire
{
   Queue-mode "access";
   http
   {
      Dl-Limit "25";
   };
};

How to test network speed

sudo apt-get install iperf

Start iperf in server mode on the computer you want to talk to:
iperf -s
You might need to temporarily disable ufw or open TCP port 5001; restrict the rule to the test client's address rather than opening the port to everyone, and stop the server afterwards, since iperf has no authentication and will happily saturate your link for anyone who connects. Run iperf as a client on the computer whose speed you want to test:
iperf -c <address of the iperf server>

How to configure wireless wifi to auto connect at startup, before user login

Encode the WPA passphrase into a hex PSK:
sudo wpa_passphrase <Your Wifi Network SSID>  <Your Wifi WPA/WPA2 password>
(Leave the password off the command line and wpa_passphrase reads it from stdin, which keeps it out of your shell history. The output also repeats the cleartext passphrase in a #psk= comment line, so do not paste it anywhere as-is.)

Set the static IP:
sudo gedit /etc/network/interfaces

Then add the following (address and netmask are required for a static interface):
# The wifi network interface
auto wlan0
iface wlan0 inet static
   address <Your static IP>
   netmask <Your netmask>
   wpa-ssid <Your Wifi Network SSID>
   wpa-psk <Your HEX encoded Wifi WPA password>

The hex PSK is all that is needed to join the network, and /etc/network/interfaces is world-readable by default, so either chmod 600 it or move the network block into a root-only file and point to it with wpa-conf instead of wpa-ssid/wpa-psk.
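As an added example (not part of the original page), this turns wpa_passphrase output into a root-only wpa_supplicant config that /etc/network/interfaces can reference with wpa-conf, keeping the PSK out of world-readable files and the passphrase out of shell history. The sample wpa_passphrase output is constructed and its psk value is made up, not derived from the passphrase shown.

```bash
#!/bin/bash
# Added example: keep the WPA PSK out of world-readable files and the
# passphrase out of shell history. Sample wpa_passphrase output is
# constructed; the psk value is made up, not derived from the passphrase.

# extract_psk WPA_PASSPHRASE_OUTPUT -> prints the 64-hex-digit psk only,
# dropping the "#psk=" comment line that repeats the cleartext passphrase.
extract_psk() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*psk=\([0-9a-f]\{64\}\)$/\1/p'
}

# write_wpa_conf SSID PSK FILE -> writes a mode-0600 wpa_supplicant config
# that /etc/network/interfaces can reference with "wpa-conf FILE".
# umask is set in a subshell so the caller's umask is untouched.
write_wpa_conf() {
    local ssid="$1" psk="$2" file="$3"
    ( umask 077; printf 'network={\n\tssid="%s"\n\tpsk=%s\n}\n' "$ssid" "$psk" > "$file" )
}

# Constructed sample of `wpa_passphrase HomeNet` output (psk is made up)
SAMPLE_OUTPUT='network={
	ssid="HomeNet"
	#psk="correct horse battery staple"
	psk=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
}'

# Real use, run as root. With the passphrase omitted, wpa_passphrase reads
# it from stdin, so it never shows up in `ps` output or ~/.bash_history:
#   psk=$(extract_psk "$(wpa_passphrase "$SSID")")
#   write_wpa_conf "$SSID" "$psk" /etc/wpa_supplicant/wlan0.conf
# and in /etc/network/interfaces replace wpa-ssid/wpa-psk with:
#   wpa-conf /etc/wpa_supplicant/wlan0.conf
```

The sed pattern insists on exactly 64 lower-case hex digits, so a truncated or hand-edited value is rejected rather than written into the config.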


How to log network traffic on Ubuntu

Set up rsyslogd (Kubuntu ships it by default) to receive network events. Edit

sudo vi /etc/rsyslog.conf

and enable the UDP listener:

$ModLoad imudp
$UDPServerRun 514

Create the capture rule that sends all network events to a dedicated log file. It has to come before the default rules, and the stop keeps the lines out of /var/log/syslog as well:

sudo vi /etc/rsyslog.d/5-networklogs.conf

Configure similar to this:

if $fromhost-ip startswith '' then {
       action(type="omfile" file="/var/log/network.log")
       stop
}

Open the syslog port on the firewall for the router's address only:

sudo ufw allow from to any port 514 proto udp

Restart rsyslog:

sudo service rsyslog restart

Finally configure your router or another network log source to forward syslog to the server. Plain UDP syslog carries no authentication: anything that can reach port 514 and spoof the router's source address can write lines into network.log, so keep the ufw rule narrow and do not let this file feed anything that acts on it automatically.

How to restrict outgoing access for a program

Three ways, in decreasing order of robustness:

  1. Run it under a different user and configure iptables to drop that user's outbound traffic (the owner match is enforced in the kernel, so the program cannot get around it):

iptables -A OUTPUT -m owner --uid-owner ${blocked_user_uid} -j DROP

  2. Add grsecurity to the kernel and configure its RBAC for the specific executable:

role your_regular_user u
   subject /path/to/untrusted/program
       connect disabled

  3. Stub out the connect() function for the program with LD_PRELOAD. This only catches dynamically linked programs that go through libc: a static binary, a setuid binary (where the loader ignores LD_PRELOAD) or code that issues the socket syscalls directly is unaffected, and UDP sendto() on an unconnected socket never calls connect() at all. Use it for convenience, not containment:
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/socket.h>

/* Replaces libc's connect(): every outgoing connection attempt fails
 * with ECONNREFUSED. Listening sockets and UDP sendto() are untouched. */
int connect(int sockfd, struct sockaddr const* addr, socklen_t addrlen) {
    (void)sockfd; (void)addr; (void)addrlen;
    printf("connection refused\n");
    errno = ECONNREFUSED;
    return -1;
}

gcc -fPIC -shared -Wl,-soname,refuse_connect refuse_connect.c -o

Run the program with the stub

LD_PRELOAD="./" ./program

A fourth option on a modern kernel is a network namespace with no interfaces: unshare -n ./program (as root, or unshare -rn unprivileged where user namespaces are enabled) starts the program with only an unconfigured loopback, so nothing leaves the host regardless of how the program opens its sockets.

How to configure UFW to allow NFS network sharing

First, pin the mountd port, which otherwise floats (rpcbind assigns it on each start). Edit /etc/default/nfs-kernel-server

sudo vi /etc/default/nfs-kernel-server

and set the mountd options to

RPCMOUNTDOPTS="--manage-gids --port 13335"

where 13335 is just a randomly selected port. Then restart NFSd

sudo service nfs-kernel-server restart

Now configure UFW to accept incoming connections on the fixed port and on ports 111 (rpcbind) and 2049 (nfsd), from the client subnet only:

sudo ufw allow from to any port 111
sudo ufw allow from to any port 2049
sudo ufw allow from to any port 13335

NFSv4-only clients need just 2049; 111 and the mountd port are for NFSv3. The firewall is not the access control here: /etc/exports decides who may mount what, so list specific hosts there and avoid no_root_squash.

How to configure UFW to allow SANED scanner connections

Instruct sane daemon to use fixed data ports:

sudo vi /etc/sane.d/saned.conf


data_portrange = 40000 - 40100

Restart saned

sudo service saned restart

Open up the data and server ports on your firewall, for the scanner clients only

sudo ufw allow proto tcp from to any port 6566
sudo ufw allow proto tcp from to any port 40000:40100

saned's own access control is the host list in /etc/sane.d/saned.conf; restrict that list to the same clients, and never expose these ports beyond the LAN.

Now, for the xsane client to find it edit

sudo vi /etc/sane.d/net.conf

and add your scanner server name or IP address

How to force dyndns updates for uptick

Configure it to run once a month, on the 14th at 04:45:

sudo crontab -e
45 04 14 * * /usr/sbin/ddclient --force --syslog

How to specify a public DNS server

For a temporary override just edit /etc/resolv.conf and set it to whatever you want. It will be active until the connection is reset or you run

sudo resolvconf -u

For a more permanent solution you can try either one of the following (I've not had success with the first two):

  • Statically add nameserver addresses via the Network Manager. Click on the network indicator -> Edit Connections... -> Edit... -> Wired -> Additional DNS servers.
  • Add the following to /etc/dhcp/dhclient.conf:

prepend domain-name-servers x.x.x.x, y.y.y.y;

  • Edit or create a /etc/resolvconf/resolv.conf.d/tail (or head) and add them there.
  • add the following to /etc/network/interfaces:

auto eth0
iface eth0 inet static
   . . .
   dns-nameservers x.x.x.x y.y.y.y

How to get a list of apps listening on network ports

For a quick list run
sudo ufw show listening
For a full list
sudo lsof -i -an | grep -E '(LIST|UDP)'
Note that the following command, recommended in the lsof FAQ, may or may not work depending on your distro:
sudo lsof -i -stcp:listen -sudp:idle
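To turn the listings above (this section and "How to list active network connections") into a check, here is an added example, not from the original page, that parses ss -ltnp output and reports the TCP services bound to a wildcard address, i.e. reachable from every interface. That is the list to compare against your firewall rules; loopback-only services are skipped. The sample output is constructed.

```bash
#!/bin/bash
# Added example: find listening TCP sockets bound to all interfaces from
# `ss -ltnp` output. Sample output below is constructed, not captured.

# exposed_listeners SS_OUTPUT -> one "PORT PROCESS" line per LISTEN socket
# whose local address is a wildcard (0.0.0.0, [::] or *). Loopback-only
# sockets such as 127.0.0.1:631 are skipped.
exposed_listeners() {
    printf '%s\n' "$1" | awk '
        $1 == "LISTEN" {
            addr = $4; sub(/:[^:]*$/, "", addr)   # drop the trailing :port
            port = $4; sub(/.*:/, "", port)       # keep only the port
            if (addr == "0.0.0.0" || addr == "[::]" || addr == "*") {
                proc = "-"                        # no process shown without sudo
                if (match($0, /\("[^"]+"/))
                    proc = substr($0, RSTART + 2, RLENGTH - 3)
                print port, proc
            }
        }'
}

# Constructed sample of `sudo ss -ltnp`
SAMPLE_SS='State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       128     127.0.0.1:631       0.0.0.0:*          users:(("cupsd",pid=700,fd=7))
LISTEN  0       4096    *:5355              *:*                users:(("systemd-resolve",pid=455,fd=13))
LISTEN  0       511     [::]:80             [::]:*             users:(("nginx",pid=900,fd=6))
LISTEN  0       128     [::1]:631           [::]:*             users:(("cupsd",pid=700,fd=8))'

# Live use:  exposed_listeners "$(sudo ss -ltnp)"
# Add -u for UDP sockets (their state column reads UNCONN; extend the match).
```

Run it from cron and diff the output against a saved baseline: a new line is a service that started listening on the network, which is exactly the event you want to hear about.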

How to enable UFW (Ubuntu's uncomplicated firewall) on boot

sudo vi /etc/ufw/ufw.conf 
ENABLED=yes

(This is the same setting that sudo ufw enable writes. The key is upper-case with no spaces around the =; a mistyped line leaves the firewall off after the next reboot, so confirm with sudo ufw status.)

How to make wireshark capture traffic as non-root user

sudo dpkg-reconfigure wireshark-common 
sudo usermod -a -G wireshark $USER
Log out and back in. Membership of the wireshark group gives that user the capture capabilities (cap_net_raw, cap_net_admin) set on dumpcap, which is enough to read every other user's traffic on the machine; grant it deliberately.

How to analyze Wireshark PCAP capture

First feed it through the latest version (>= 0.7.4) of ettercap
ettercap -Tqr <capture>
If you know what you are looking for, grep the packet contents
ettercap -Tr <capture> | grep <text>
Then get Xplico and give it a whirl. You could also try chaosreader, but it is a bit old.

How to convert NETTL network capture to PCAP format

Use the -T (encapsulation) option of the editcap tool that comes with wireshark; options go before the file names:
editcap -T ether <in_file> <out_file>
The file format (-F option) defaulted to libpcap in the wireshark versions this was written for, so there was no need to specify it; newer editcap defaults to pcapng, so pass -F pcap if a classic pcap file is required.

How to log traffic coming through a dd-wrt router

Add the rules in backward fashion (each -I ... 1 goes to the top of the chain, like a stack, so add the rule you want evaluated first last):

  • do the logging
iptables -I FORWARD 1 -j LOG --log-level 2 --log-tcp-sequence --log-tcp-options --log-ip-options --log-prefix "FORWARD "
iptables -I INPUT   1 -j LOG --log-level 2 --log-tcp-sequence --log-tcp-options --log-ip-options --log-prefix "INPUT "
iptables -I OUTPUT  1 -j LOG --log-level 2 --log-tcp-sequence --log-tcp-options --log-ip-options --log-prefix "OUTPUT "
  • do not log the logging messages themselves or the corresponding DNS resolution
iptables -I OUTPUT 1 -j ACCEPT -s  -d -p UDP --sport 53
iptables -I INPUT  1 -j ACCEPT -s -d  -p UDP --dport 53
iptables -I OUTPUT 1 -j ACCEPT -s  -d -p UDP --dport 514
  • ignore ssh traffic
iptables -I OUTPUT 1 -j ACCEPT -s  -d -p TCP --sport 22
iptables -I INPUT  1 -j ACCEPT -s -d  -p TCP --dport 22

Logging every packet with no rate limit can flood the router's small syslog buffer and the receiving rsyslog server during a scan or a DoS; put -m limit --limit 10/s --limit-burst 20 in front of -j LOG on the three logging rules to keep the volume bounded (the price is that some packets go unlogged under load).
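Once these lines arrive in /var/log/network.log (see "How to log network traffic on Ubuntu"), something has to read them. As an added example that is not part of the original page, here is a small scan detector over iptables LOG lines: it counts distinct destination ports per source on the INPUT chain, which is what a port scan against the router looks like. The sample lines are constructed and use documentation address ranges.

```bash
#!/bin/bash
# Added example: a scan detector for the iptables LOG lines collected above,
# as they arrive in /var/log/network.log via syslog. Sample lines are
# constructed; addresses are documentation ranges.

# portscan_sources LOGTEXT MIN_PORTS -> "SRC COUNT" for every source whose
# INPUT-prefixed log lines hit at least MIN_PORTS distinct destination ports,
# sorted by address. Repeated hits on the same port count once, and FORWARD
# or OUTPUT lines are ignored.
portscan_sources() {
    printf '%s\n' "$1" | awk -v min="$2" '
        /kernel: INPUT / {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (src != "" && dpt != "" && !seen[src, dpt]++) ports[src]++
        }
        END { for (s in ports) if (ports[s] >= min) print s, ports[s] }' | sort
}

# Constructed sample of what the dd-wrt kernel logs look like once forwarded
SAMPLE_LOG='Jan 10 12:00:01 router kernel: INPUT IN=vlan2 OUT= SRC=198.51.100.7 DST=192.0.2.1 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=54321 PROTO=TCP SPT=4444 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 10 12:00:01 router kernel: INPUT IN=vlan2 OUT= SRC=198.51.100.7 DST=192.0.2.1 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=54322 PROTO=TCP SPT=4444 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 10 12:00:02 router kernel: INPUT IN=vlan2 OUT= SRC=198.51.100.7 DST=192.0.2.1 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=54323 PROTO=TCP SPT=4444 DPT=445 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 10 12:00:02 router kernel: INPUT IN=vlan2 OUT= SRC=198.51.100.7 DST=192.0.2.1 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=54324 PROTO=TCP SPT=4445 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 10 12:00:03 router kernel: INPUT IN=vlan2 OUT= SRC=203.0.113.5 DST=192.0.2.1 LEN=52 TOS=0x00 PREC=0x00 TTL=52 ID=1 PROTO=TCP SPT=51000 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0
Jan 10 12:00:03 router kernel: FORWARD IN=br0 OUT=vlan2 SRC=192.0.2.20 DST=203.0.113.9 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=2 PROTO=TCP SPT=40000 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0'

# Live use:  portscan_sources "$(cat /var/log/network.log)" 10
```

The threshold is the whole tuning knob: a handful of distinct ports from one address in a short window is noise from the internet background, a few dozen is a scanner worth blocking at the router.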

How to set up wireshark display filter to cut out noise

not (ip.addr==noisyip || arp || ipx || eigrp || loop || cdp || stp || smb || nbns || dcerpc || nbss || dns)

How to see OpenRG firewall events in real time

To print firewall events to the console, connect to the router with a terminal and run
Wireless Broadband Router> log lev_on 6

How To Reconfigure OpenRG router from console

Connect to the router with a terminal and run, for example:

Wireless Broadband Router> conf print /
Wireless Broadband Router> conf print /fw/rule/loc_srv/2/services/0/trigger/0/protocol
Wireless Broadband Router> conf set /fw/rule/loc_srv/2/services/0/trigger/0/protocol 6
Wireless Broadband Router> conf reconf 1

How To Open UFW for incoming syslog

sudo ufw allow proto udp from to port 514

How To Poke a hole in dd-wrt

iptables -I INPUT -p udp --dport 1194 -d doorknob -j ACCEPT

How to adjust Windows XP firewall for Cisco VPN

echo Setting ICMP (PING).....
REM **ICMP (PING):  Allow outbound source quench, inbound echo request, outbound time exceeded
netsh firewall set icmpsetting type = 4 mode = enable
netsh firewall set icmpsetting type = 8 mode = enable
netsh firewall set icmpsetting type = 11 mode = enable

echo Setting File and Print Sharing.....
REM **WINDOWS AUTHENTICATION PORT SETTINGS:  Open File and Print Sharing ports to the 22 subnet
netsh firewall set service type = FILEANDPRINT mode = ENABLE scope = CUSTOM addresses = profile = ALL

echo Setting Cisco VPN Client.....
netsh firewall set portopening protocol = UDP port = 500 name = CiscoVPN(ISAKMP) mode = ENABLE profile = ALL scope = CUSTOM addresses =,,,,,,,,

netsh firewall set portopening protocol = UDP port = 62515 name = CiscoVPN mode = ENABLE profile = ALL scope = CUSTOM addresses =,,,,,,,,

netsh firewall set allowedprogram program = "C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe" name = CiscoVPN2 mode = ENABLE profile = ALL scope = CUSTOM addresses =,,,,,,,,

echo Setting Symantec Antivirus.....
REM **SYMANTEC MANAGED ANTIVIRUS PORT SETTINGS:  Opens a port to allow communication with Symantec Antivirus Server
netsh firewall set portopening protocol = UDP port = 38293 name = SymantecManagedAVUDP38293 mode = ENABLE profile = ALL scope = CUSTOM addresses =,,,,,,

How to configure cisco vpn and outpost firewall

And here's a little more elegant way to manually remove the vsdatant driver:

1.) go to the device manager
2.) make the hidden devices visible (view --> show hidden devices)
3.) search for the "vsdatant" entry in the non-PNP-section
4.) right click the entry and choose "uninstall"

If I do find a way to automate this whole process then I'll post it here - just to add another variant in addition to the batch-method of dianneg (which is also fine).

How to run OpenVPN on WRT54G

  • Download and install. You may need to install additional libraries

iptables -A FORWARD -j logaccept -p udp --dport 443

  • change the logging to go to /tmp/something instead of stdout
  • add routing on the WRT54G and the client
  • solve the issue of losing the default gateway

iptables -I INPUT 1 -p tcp --dport 443 -j ACCEPT
/jffs/usr/sbin/openvpn --dev tap0 --tls-server --key /jffs/usr/etc/homewall.key --cert /jffs/usr/etc/homewall.crt --dh /jffs/usr/etc/dh1024.pem --ca /jffs/usr/etc/ca.crt --comp-lzo --port 443 --proto tcp-server --verb 3 --daemon

Two things in that command line have aged badly. A 1024-bit DH group (dh1024.pem) is below today's minimum; generate a 2048-bit or larger one with openssl dhparam. And --comp-lzo enables compression inside the tunnel, which exposes the VPN to the VORACLE compression-oracle attack, so drop it unless you really need it. Adding --tls-auth with a shared key also stops unauthenticated clients from even starting a TLS handshake against the listener on port 443.

How to test MTU with ping

ping -f -l 1500 someip

Play with the -l value until you are satisfied. This is the Windows syntax (-f sets Don't Fragment, -l is the payload size). On Linux the equivalent is ping -M do -s <size> someip, and in both cases the size excludes the 28 bytes of IPv4 and ICMP headers: on a 1500-byte MTU path a payload of 1472 passes and 1473 is rejected.

