NetHogs: monitor per process network traffic

NetHogs shows the real-time network bandwidth usage on an interface by process. It is a useful tool for those situations when you want to know – who is using all my bandwidth? Currently NetHogs supports the following:

  • Shows TCP download and upload speed per process
  • Supports both IPv4 and IPv6
  • Supports both Ethernet and PPP

NetHogs has to be run with root privileges, with the target interface name as a parameter. If no interface name is provided, NetHogs tries eth0. Example usage:

$ sudo nethogs wlan0

The default refresh rate is one update per second. It can be controlled by using the -d option:

-d seconds

There are some interactive controls to change the display or quit:

m : cycle between display modes (kb/s, kb, b, mb)
r : sort by 'received'
s : sort by 'sent'
q : quit

Webpage: NetHogs

Speed test from console

People often visit websites like to check their network speed. As these kinds of websites tend to use a Flash-based interface, one can’t use these services without having Flash installed. speedtest-cli can run the tests from the console using as the server.

To install and run on Ubuntu:

$ git clone
$ python speedtest-cli/ install

As you can see, the utility is written in Python. It has some handy cmdline options. For help on the options:

$ speedtest-cli -h

Webpage: speedtest-cli

trickle: manage bandwidth usage on Linux

Everyone encounters this common situation – one of the processes uses the whole bandwidth while the others starve and appear slow. trickle is the solution on Linux. It is a network bandwidth manager. Before going into the usage we’ll discuss the requirements for trickle:

  • The program you want to monitor should be dynamically linked to glibc (the shared library). The reason is that trickle is a userspace application that uses the loader preloading technique. Essentially it provides a new socket interface and the original one is masked. To know whether your program meets the requirement use ldd.
    $ ldd /usr/bin/axel|grep => /lib/x86_64-linux-gnu/ (0x00007ff552ce1000)

    So yes, axel can be a candidate if it meets the next requirement.

  • The program must use the TCP protocol. To check that, use netstat after running the program.
    $ netstat -pa|grep axel
    tcp 0 0 alpinecurrant.cano:http ESTABLISHED 10966/axel

    axel does use TCP! axel is fit for being used with trickle.
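The first requirement can be checked with a script. The following is an added example, not part of the original post or of trickle itself; the function names and the sample ldd output are constructed for illustration. It also rejects setuid/setgid binaries, because the loader runs those in secure-execution mode, where a preload path is ignored.

```shell
#!/bin/sh
# Added example: can a preload shim such as trickle's reach this binary?
# Function names are hypothetical; sample ldd output below is constructed.

# classify_ldd: read `ldd` output on stdin, print static | dynamic-libc | no-libc.
classify_ldd() {
    awk '
        /not a dynamic executable/ || /statically linked/ { is_static = 1 }
        $1 ~ /^libc\.so(\.[0-9]+)?$/                      { has_libc = 1 }
        END {
            if (is_static)     print "static"
            else if (has_libc) print "dynamic-libc"
            else               print "no-libc"
        }'
}

# trickle_candidate PATH: succeed only for a regular, non-setuid/setgid
# file that is dynamically linked against libc.
trickle_candidate() {
    bin=$1
    [ -f "$bin" ] || { echo "$bin: not a regular file" >&2; return 2; }
    # setuid/setgid programs run in secure-execution mode: preload paths are ignored.
    if [ -u "$bin" ] || [ -g "$bin" ]; then
        echo "$bin: setuid/setgid, preload is ignored" >&2
        return 1
    fi
    # ldd may execute code from the file it inspects: use on trusted binaries only.
    kind=$(ldd "$bin" 2>&1 | classify_ldd)
    [ "$kind" = "dynamic-libc" ] || { echo "$bin: $kind" >&2; return 1; }
}

# Constructed sample ldd outputs (a dynamic binary and a static one).
SAMPLE_DYNAMIC='	linux-vdso.so.1 (0x00007ffc0b5d2000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0000000000)
	/lib64/ld-linux-x86-64.so.2 (0x00007f0000200000)'
SAMPLE_STATIC='	not a dynamic executable'

# Stand-alone use: ./check.sh /usr/bin/axel
if [ $# -gt 0 ]; then
    trickle_candidate "$1" && echo "$1: ok for trickle"
fi
```

The TCP requirement still has to be confirmed with netstat while the program is running, as described above.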

Trickle can be used in 2 modes – as a standalone utility for each program or as a daemon that can handle multiple programs fired with trickle.

  • As a standalone program
    trickle -u 128 -d 64 myprogram

    where u denotes upload limit and d denotes download limit in KB/s.

  • As a daemon
    trickled -u 512 -d 256

    sets the cumulative limit for all the programs run using trickle.

trickle can be used by non-root users. You can run your favourite terminal session using trickle and all programs (matching trickle’s criteria) run from the terminal will be monitored by trickle.

trickle is available in the default repositories on many distros, including Ubuntu.

Webpage: trickle

Xiaopan OS: another hacker distro

Xiaopan OS is another hacker distro packed with advanced tools to perform all types of wireless network hacks. Currently version 5.0 is cooking and the developers are looking for feature requests if you are looking for anything specific that may add value to the OS. Xiaopan OS is based on Tiny Core Linux. The small ISO can be booted from a VM or installed on a USB. Features at a glance:

  • Run in Parallels Desktop / VMware / VirtualBox
  • Compatible with Yumi Boot / LiLi USB Creator
  • Run on Live CD
  • Packages include: Minidwep, Aircrack, Inflator, Reaver, Feeding Bottle, Wifite
  • 70mb ISO
  • Based on TinyCore Linux
  • Recommended minimum requirements: Pentium 2 or better, 128mb of ram + some swap
  • Recommended: Wireless USB card that supports monitor mode and injection
  • Windows / Linux / Mac Compatible

Note: As per the info alert in the Xiaopan forums, using the promo code XIAOPAN during checkout will save you around $99 when you buy a powerful Reaver Pro device (worth $199) which can detect WiFi vulnerabilities very fast. Not sure how long the promo code will be valid.

Webpage: Xiaopan OS

[Courtesy: Jester Raiin]

Pyrit: crack WPA/WPA2-PSK

Pyrit is a powerful brute-force utility to crack WPA/WPA2-PSK authentication. It can use massive databases to start the attack and can give results relatively faster than common cracking methods. It uses a single MySQL server as its database, so it can use this extra space to reduce the time to compute. Quoting from the author: “WPA/WPA2-PSK assigns every participating party the same pre shared key. This master key is derived from a password which the administrating user has to pre-configure e.g. on his laptop and the Access Point. When the laptop creates a connection to the Access Point, a new session key is derived from the master key to encrypt and authenticate following traffic. The “shortcut” of using a single master key instead of per-user keys eases deployment of WPA/WPA2-protected networks for home and small-office use at the cost of making the protocol vulnerable to brute-force-attacks against its key negotiation phase; it allows to ultimately reveal the password that protects the network.” Pyrit is the strongest attack against the widely used WPA/WPA2-PSK authentication protocols at the time of writing.

To install on Ubuntu:

$ sudo apt-get install pyrit

Disclaimer: Pyrit should be used for educational and experimental purposes only and not to snoop on others or invade someone’s privacy.

Pyrit blog
Usage: Tutorial
Webpage: Pyrit

FireSSH: SSH from Firefox

FireSSH is a cool Firefox extension that you can use to connect to a remote SSH server directly from your browser. It runs wherever Firefox runs. Quite handy when you want to stay anonymous (e.g. behind a proxy) and don’t want to connect to external servers using a desktop client which may reveal your online identity.

For Google Chrome a similar extension is Secure Shell.

Webpage: FireSSH

Kill TCP connections

There are times when you want to kill TCP connections forcibly, for reasons like network lag or a possible intrusion detected from some IP. Try tcpkill. It supports various options and kills the connections by sniffing the traffic. For example, to kill all connections to FICS immediately, I run:

$ sudo tcpkill -i wlan0 host

While tcpkill uses a passive approach, the killcx Perl utility uses an active approach: it spoofs a SYN packet on behalf of the client and sends it to the server. The server then replies with a valid TCP packet revealing the ACK and SEQ numbers. As soon as this reply is on the wire, killcx sniffs it and sends an RST to kill the active session.

tcpspy: track network connections

It is possible to trace network connections established by a particular process on Linux using netstat, lsof or a combination of other commands. But to track connections live and directly by executable file name, try tcpspy. It is very powerful and available in Synaptic on Ubuntu. tcpspy can log connections based on pre-defined rules and can run as a daemon.

To install on Ubuntu:

$ sudo apt-get install tcpspy

The man page explains the various switches it accepts. However, the simplest way to log established connections by processes run by a specific user in the terminal is:

$ tcpspy -dpU username

Webpage: tcpspy

macchanger: change your MAC address

There are several occasions on which you may want to change (spoof) your MAC address, one of them being the need to download files repeatedly from various file servers which try to limit the usage based on your IP/MAC etc. The easiest way to do this on Ubuntu is to use macchanger. It also has a GUI available which you can use if you are not comfortable with the cmdline options.

To install on Ubuntu:

$ sudo apt-get install macchanger

To set a random MAC,

  1. Turn off the network interface (wireless, ethernet etc.) from NetworkManager
  2. Set a random MAC address and fake that it is the burned-in-address:
    $ macchanger -Ab wlan0
    -A: set random vendor MAC of any kind
    -b: fake burned-in-address
  3. Reset to original hardware value:
    $ macchanger -p wlan0
  4. Turn on the network interface

Webpage: macchanger