Network
- 14 Feb 2024
- 1 Minute to read
- Contributors
- Print
- DarkLight
Network
- Updated on 14 Feb 2024
- 1 Minute to read
- Contributors
- Print
- DarkLight
Article summary
Did you find this summary helpful?
Thank you for your feedback
dns_resolve
Cause the sensor to do a network resolution. Mainly used for internal purposes. An error code of 0 indicates a successful command.
Platforms:
Usage:
dns_resolve [-h] domain
positional arguments:
domain domain name to resolve
Sample Output:
{
"ERROR" : 0
}
You wll also see a corresponding DNS_REQUEST event in the Sensor timeline.
Sample DNS_REQUEST Event:
{
"DNS_TYPE": 1,
"DOMAIN_NAME": "www.google.com",
"IP_ADDRESS": "142.251.116.105",
"MESSAGE_ID": 30183
}
netstat
List network connections and sockets listening.
Platforms:
Usage:
netstat [-h]
Sample Output:
{
"FRIENDLY": 0,
"NETWORK_ACTIVITY": [
{
"DESTINATION": {
"IP_ADDRESS": "0.0.0.0",
"PORT": 0
},
"PROCESS_ID": 716,
"PROTOCOL": "tcp4",
"SOURCE": {
"IP_ADDRESS": "0.0.0.0",
"PORT": 135
},
"STATE": 2
},
{
...
}
]
}
Netstat STATE fields can be mapped via the Windows MIB_TCP_STATE table, found here.
| State | Value |
|---|---|
| 1 | CLOSED |
| 2 | LISTEN |
| 3 | SYN-SENT |
| 4 | SYN-RECEIVED |
| 5 | ESTABLISHED |
| 6 | FIN-WAIT-1 |
| 7 | FIN-WAIT-2 |
| 8 | CLOSE-WAIT |
| 9 | CLOSING |
| 10 | LAST-ACK |
| 11 | TIME-WAIT |
| 12 | DELETE TCB |
pcap_ifaces
List the network interfaces available for capture on a host.
Platforms:
Usage:
pcap_ifaces [-h]
Sample Output:
{
"INTERFACE": [
{
"IPV4": [
"10.128.15.198"
],
"IPV6": [
"fe80::4001:aff:fe80:fc6"
],
"NAME": "ens4"
},
{
"IPV4": [
"127.0.0.1"
],
"IPV6": [
"::1"
],
"NAME": "lo"
},
{
"IPV4": [],
"IPV6": [],
"NAME": "any"
},
{
"IPV4": [],
"IPV6": [],
"NAME": "nflog"
},
{
"IPV4": [],
"IPV6": [],
"NAME": "nfqueue"
}
]
}
Was this article helpful?