Part One of Introduction to Tiger Terminal began with shell basics (
kill, using nano (the pico replacement), and followed with Part Two, which took a look at external volumes, using
rsync. Here, in Part Three, we'll look at some helpful commands that you can use to view information about your network.
Mac OS X put a GUI wrapper around a set of network command line utilities and called this app Network Utility. It resides in /Applications/Utilities. (You can use the Shift-Command-U key combination to quickly open the Utilities folder from the Finder.) Let's take a quick look at the GUI front end:
Each of the tabs along the top of the Network Utility.app has a command line equivalent. Why would you want to use the command line to run these tools instead of just using the GUI version? As we've seen in previous examples, the command line offers more options and flexibility for gleaning information. We'll see this in the examples that follow. As with all commands that we use, remember to check out the man pages for detailed definitions, examples, and optional flags.
Figure 1: Network Utility.app
On most Unix systems, ifconfig (interface configure) is used to make the Ethernet card or other interface (Airport, for example) accessible to the network layer by assigning an IP address and activating the interface. Let's look at how we can get information about our system's interfaces by running ifconfig with the -a flag (which tells ifconfig to include all the interfaces on our system in the output):
Figure 2: ifconfig -a
Sheesh, so what does this actually tell us? The first device listed is lo0, which is the loopback device (the virtual net device representing the local host net interface, lo) which is set to 127.0.0.1. The Ethernet card is indicated by en0 (which is turned off, in my case) and the active Airport card is en1. Since my Airport connection is active, we see a lot of information about it: the first line tells me that my Airport status is "UP", the third line tells me that it has an Internet ("inet") address of 10.0.1.5 with a valid Subnet Mask ("netmask") of 0xffffff00 which is the same as 255.255.255.0 and that it has a valid broadcast address of 10.0.1.255. The last line describes my FireWire interface (fw0). The other two lines describe interfaces that are outside the scope of this article: gif0, the IPv6 generic tunnel interface, and stf0 ("6to4"), which tunnels IPv6 traffic over IPv4.
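The netmask arithmetic described above, as an added example that is not part of the original article: it converts the hex netmask that ifconfig prints to dotted-quad form, derives the broadcast address from the inet address, and compares it with the one ifconfig reports. The function names and the sample inet line are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify the inet/netmask/broadcast triple that ifconfig prints.
# Function names are illustrative; SAMPLE_INET is a constructed line that uses
# the addresses quoted in the article.
SAMPLE_INET='inet 10.0.1.5 netmask 0xffffff00 broadcast 10.0.1.255'

# hex_to_dotted 0xffffff00 -> 255.255.255.0 (also accepts a decimal integer)
hex_to_dotted() {
    m=$(( $1 ))    # shell arithmetic understands the 0x prefix
    echo "$(( (m >> 24) & 255 )).$(( (m >> 16) & 255 )).$(( (m >> 8) & 255 )).$(( m & 255 ))"
}

# ip_to_int 10.0.1.5 -> 167772421 (the address as one 32-bit number)
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1                      # split the dotted quad into $1..$4
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# broadcast_of ADDR HEXMASK: network bits from ADDR, every host bit set to 1
broadcast_of() {
    ip=$(ip_to_int "$1")
    m=$(( $2 ))
    hex_to_dotted $(( (ip & m) | (~m & 0xffffffff) ))
}

# check_inet_line LINE: recompute the broadcast and compare with the reported one
check_inet_line() {
    set -- $1                      # inet ADDR netmask MASK broadcast BCAST
    want=$(broadcast_of "$2" "$4")
    if [ "$want" = "$6" ]; then
        echo "ok $2/$(hex_to_dotted "$4") broadcast $6"
    else
        echo "mismatch: computed $want, ifconfig reports $6"
    fi
}

check_inet_line "$SAMPLE_INET"
```

A mismatch between the computed and reported broadcast address usually points to a mistyped netmask or a manually overridden broadcast setting.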
Next, let's look at netstat which, as the name implies, will output a variety of statistics about our network. We'll run netstat with the -r option, which will list the contents of the IP routing table (Be patient!):
Figure 3: netstat -r
The -n option will avoid hostname lookup (in other words, the -n option tells netstat not to convert addresses and port numbers to names) and will speed up the execution of the command by quite a bit. The syntax would then be netstat -r -n. Another useful netstat flag is -a, which displays all open connections on the host. The implication here is that by looking at this output, you can monitor how data goes in and out of your machine. Unexpected listening processes might indicate that your system has been compromised. This is particularly useful if you're running a server and engaging in best practices by keeping a close eye on your system!
To see how many packets are moving through my active network interface (my Airport card, in this case) and how many errors are occurring, I'd run netstat -I en1 -w 5 where -I en1 indicates my active interface and -w 5 tells netstat to update ("wait") the display every five seconds. You can quit the command by using the key combination Control-Z (^Z):
Figure 4: netstat -I en1 -w 5
We'll just touch on this one, since it's a legacy protocol, but many educational institutions still support it. Typing appletalk at the shell prompt will give you a list of what the appletalk command can do. For example, appletalk -n will give you this:
Figure 5: appletalk -n
Other useful commands include appletalk -h, which checks the default zone, appletalk -z, which shows the zone list, and appletalk -s, which shows AppleTalk statistics and error counts. You can also start up (appletalk -u for single port mode, for instance) and shut down AppleTalk (appletalk -d) from the CLI.
The ping command is used to see if a machine is alive and operating, if network connections are intact, how many hops lie between two computers and the amount of time it takes for the ICMP ECHO_REQUEST packet to make the loop. It can also test out name resolution. (If the packet bounces when sent to the IP address, but not to the name, then the system is having problems matching the name to the address.)
The command syntax is ping host where host is an IP address or domain name. Here, I'm sending a ping command from my 12" Powerbook (with IP 10.0.1.3) to my son's Mac Mini (with IP 10.0.1.4) on my home network:
Figure 6: ping 10.0.1.4
The packets are sent in a series and the "time=" tells you how long it takes to get a response. By default, the ping command keeps sending packets until you stop the command by using the key combination Control-C (^C). After you stop the ping command, you'll see the output of ping statistics: how many packets were transmitted, how many were received, percent packet loss, and round-trip times.
You can decide how many packets you want to send by using the -c (count) option, like this:
Figure 7: ping -c 6 samsmacmini.local
In this case, instead of the IP address, I used the domain name of my son's computer (samsmacmini.local), which you can see comes directly from the Sharing pref pane:
Figure 8: Sharing pref pane
dig and nslookup (name server lookup) are tools that directly query the DNS service. nslookup checks the DNS server set in your Network preferences and then looks up the IP address for the domain name you specify. However, nslookup is considered a flawed tool and, in fact, if you run nslookup on www.apple.com, you'll get this message:
Figure 9: nslookup www.apple.com
Trying to pull up the man pages for nslookup from the terminal will produce this: "No manual entry for nslookup." And if you try to run it from the lookup tab in the Network Utility.app, you'll see:
Figure 10: lookup in Network Utility.app
In Tiger, the checkbox "use dig instead of nslookup" is gone because we see that dig has officially replaced nslookup in the Network Utility.app. Let's take a brief look at what information dig gives us and also look at a companion tool, host. Running dig apple.com at the command line will return the domain IP address, its name servers, and their IP addresses:
Figure 11: dig apple.com
If you just want to return the IP address for the domain you're querying, you would run host:
Figure 12: host www.apple.com
If you have an IP address and you want to find out what name that translates into, you can use dig -x to do a reverse search and find out that it's apple.com:
Figure 13: dig -x 184.108.40.206
traceroute is a TCP/IP utility that records the route through the Internet between a client machine and a specified destination computer. It reports the IP addresses of all the routers in between, and calculates and displays the amount of time each hop took. This is useful in diagnosing where a network problem might be happening. Here is an example of running traceroute between my computer and my university server, www.uchsc.edu:
Figure 14: traceroute www.uchsc.edu
Note that I'm connected from home via VPN (virtual private network).
Now, let's use whois to find out more information about www.apple.com:
tiger12:~ norburym$ whois apple.com
Whois Server Version 1.3
[...]
Domain Name: APPLE.COM
Registrar: EMARKMONITOR INC. DBA MARKMONITOR
Whois Server: whois.markmonitor.com
Referral URL: http://www.markmonitor.com
Name Server: NSERVER2.APPLE.COM
Name Server: NSERVER.EURO.APPLE.COM
Name Server: NSERVER.APPLE.COM
Name Server: NSERVER.ASIA.APPLE.COM
Name Server: NSERVER3.APPLE.COM
Name Server: NSERVER4.APPLE.COM
Status: REGISTRAR-LOCK
Updated Date: 20-may-2004
Creation Date: 19-feb-1987
Expiration Date: 20-feb-2007
>>> Last update of whois database: Thu, 30 Jun 2005 04:15:05 EDT <<<
[...]
Registrant:
Apple Computer, Inc. (DOM-417477)
1 Infinite Loop
Cupertino, CA 95014
US
Domain Name: apple.com
Registrar Name: Markmonitor.com
Registrar Whois: whois.markmonitor.com
Registrar Homepage: http://www.markmonitor.com
Administrative Contact:
Kenneth Eddings (KE557) (NIC-14211601)
Apple Computer, Inc.
1 Infinite Loop M/S 60-DR
Cupertino CA 95014
US
email@example.com
+1.4089744286
Fax- -
Technical Contact, Zone Contact:
NOC Apple (NA4189-ORG) (NIC-14211609)
Apple Computer, Inc.
1 Infinite Loop M/S 60-DR
Cupertino CA 95014
US
Apple-NOC@APPLE.COM
+1.4089961010
Fax- +1.4089741560
Created on..............: 1987-Feb-19.
Expires on..............: 2007-Feb-20.
Record last updated on..: 2004-May-20 12:16:06.
Domain servers in listed order:
NSERVER.APPLE.COM
NSERVER2.APPLE.COM
NSERVER.EURO.APPLE.COM
NSERVER3.APPLE.COM
NSERVER4.APPLE.COM
NSERVER.ASIA.APPLE.COM
The whois command queries the Network Information Center (NIC) database to display the registration record matching a name. It returns who owns the domain name, contact information, what their name servers are, and creation and expiration dates.
The finger protocol is used to return basic information on users who have accounts on a specific host. Information returned is often minimal. Here is what finger returns for my login to my local machine:
Figure 15: finger norburym
The finger service runs on port 79, which is often blocked due to past problems with the protocol; in the late '80s a worm exploited an error in the finger daemon and the protocol was also used by crackers to get detailed information about server users.
In the Network Utility.app, Apple includes a port scan tool. Port scanning can be very helpful in determining what vulnerabilities exist on your system (or systems, if you manage client and server machines). It can also help you check whether a computer on your network is available for remote connections like sftp, which we looked at in Part Two of this series. The command line equivalent of the GUI port scan utility is called stroke and it's hidden inside the package contents of the Network Utility.app. The path to stroke and the syntax of the command is:
stroke host start_port end_port
Remember how we dealt with spaces in file names in Part Two of this series? Network Utility.app has a space in the file name so we use a backslash character immediately before the space to make it command line friendly. We can also use another shortcut that we learned in Part One of this series: navigating to the location of the file in the GUI and dragging the file directly to the waiting command line. In this case, we open the Utilities folder in the Applications folder, we control click (or right click with a two button mouse) on the Network Utility.app icon and choose Show Package Contents from the menu that appears. A new window will open, with a folder called Contents. Open the Contents folder and open the Resources folder. You'll see this:
Figure 16: /Applications/Utilities/Network\ Utility.app/Contents/Resources
Drag the stroke application icon directly to your terminal window. The path will fill in for you. Now, you simply need to add the rest of the command syntax in the format of host start_port end_port:
Figure 17: complete stroke command
In this example, I'm using my host machine (10.0.1.5) and am asking to scan ports between 1 and 3000. The output lists the port number and the service running on that port. Another way to check for open ports is to use the netstat -a command, which is easily accessed via the CLI:
Figure 18: netstat -a
This is just a partial screenshot of the output of netstat -a. The interesting bits are the states listed as LISTEN or ESTABLISHED. In this example, several services are running: svrloc (server location), and afpovertcp (AppleShare over TCP). My mail.app connection is also open.
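One way to act on the netstat -a advice here and in the earlier remark about unexpected listening processes, as an added example that is not from the original article: it reads netstat text, extracts every LISTEN socket, and reports any whose port is not on a list of expected services. The sample output, the allowed-port list and the function names are constructed assumptions.

```shell
#!/bin/sh
# Added example: flag LISTEN sockets that are not on an expected-services list.
# SAMPLE_NETSTAT is constructed text in the BSD/Mac OS X `netstat -a -n` layout;
# ALLOWED_PORTS and the function names are assumptions for illustration.
SAMPLE_NETSTAT='Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  10.0.1.5.49213         192.0.2.10.993         ESTABLISHED
tcp4       0      0  *.548                  *.*                    LISTEN
tcp4       0      0  *.427                  *.*                    LISTEN
tcp4       0      0  127.0.0.1.631          *.*                    LISTEN
tcp4       0      0  *.2222                 *.*                    LISTEN
udp4       0      0  *.5353                 *.*'

# 427 = svrloc, 548 = afpovertcp, 631 = ipp (local printing)
ALLOWED_PORTS="427 548 631"

# listening_sockets: netstat text on stdin -> "PORT BIND-ADDRESS" per LISTEN socket
listening_sockets() {
    awk '$1 ~ /^tcp/ && $NF == "LISTEN" {
        n = split($4, part, ".")   # BSD netstat appends the port after a final dot
        port = part[n]
        addr = substr($4, 1, length($4) - length(port) - 1)
        print port, addr
    }'
}

# unexpected_listeners: report listeners whose port is not in ALLOWED_PORTS.
# A bind address of * means the socket accepts connections on every interface.
unexpected_listeners() {
    listening_sockets | while read -r port addr; do
        case " $ALLOWED_PORTS " in
            *" $port "*) ;;
            *) echo "UNEXPECTED port=$port bind=$addr" ;;
        esac
    done
}

# On a live system: netstat -a -n | unexpected_listeners
printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_listeners
```

The -n flag matters here: without it netstat prints service names such as afpovertcp instead of port numbers, and the numeric allowlist would not match.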
That covers the CLI equivalents of the Network Utility.app. Mac OS X comes with a very neat GUI front end to some of the most useful tools for keeping an eye on your network. However, I hope I've shown how you can get more power and flexibility from the command line. There are lots of other tools out there (
tcpdump just to name two) and mastering some of the common ones will give way to further exploration.
Mary Norbury-Glaser is the IT director at a University of Colorado affiliate center. She has over 15 years of experience in cross-platform systems administration in the education sector. She loves fast cars and geocaching.
Copyright © 2009 O'Reilly Media, Inc.